Certified Information Systems Auditor Practice Exam

The best compensating control in the scenario where both IT and accounting functions are performed by the same user is the examination of computer log files that show individual transactions. This choice is effective because it provides a direct and objective measure of the activities performed by the user. By reviewing detailed logs, supervisors can track and verify each transaction's legitimacy and accuracy, ensuring that there is accountability and transparency in operations.

Examining individual transaction logs allows for the detection of anomalies or irregular activities that may indicate either errors or unauthorized actions. This type of monitoring mitigates the risks associated with segregation of duties, which is a crucial control for preventing fraud or mistakes when a single user has access to both the IT and accounting systems.

The other options focus on broader or less immediate forms of control. Monthly financial audits by external auditors are valuable, but they occur infrequently and would not provide real-time oversight of user actions. Periodic management reviews of user performance might highlight some issues but may not specifically address risks in the IT and accounting processes. Internal policy compliance checks are important for adherence to established guidelines but do not offer the same level of detailed analysis as transaction log reviews. Therefore, while each of these controls plays a role in overall risk management, examining computer log files stands out as