
CAS-002 Question #594: Real Exam Question with Answer & Explanation

The correct answer is B: The manager should only be able to review the data and approve purchase orders. Employee C currently holds both the data-entry and the approval function, which violates separation of duties; removing the entry capability from the manager's role closes that gap while keeping the supervisory review and approval functions the role needs.

Question

The internal audit department is investigating a possible breach of security. One of the auditors is sent to interview the following employees:

  • Employee A. Works in the accounts receivable office and is in charge of entering data into the finance system.
  • Employee B. Works in the accounts payable office and is in charge of approving purchase orders.
  • Employee C. Is the manager of the finance department, supervises Employee A and Employee B, and can perform the functions of both Employee A and Employee B.

Which of the following should the auditor suggest be done to avoid future security breaches?

Options

  • A. All employees should have the same access level to be able to check on each other.
  • B. The manager should only be able to review the data and approve purchase orders.
  • C. Employee A and Employee B should rotate jobs at a set interval and cross-train.
  • D. The manager should be able to both enter and approve information.

Explanation

Separation of duties requires that no single person be able to both initiate (enter) and authorize (approve) a financial transaction, so that fraud or a serious error needs at least two people to collude or fail. In the scenario, Employee A enters data and Employee B approves purchase orders, which is the correct split, but Employee C can perform both functions, so the manager alone could create and approve a fraudulent purchase order with no second party involved. Removing the entry capability from the manager's role (option B) restores the control: the manager still reviews and approves, but can no longer originate the transactions being approved.

Common mistakes.

  • A. Granting all employees identical access removes role-based separation entirely: everyone would then hold both entry and approval rights, which is the very conflict the auditor found, and it violates the principle of least privilege.
  • C. Job rotation and cross-training are useful detective controls (fraud that depends on one person staying in a role tends to surface when someone else takes it over), but they do nothing about the concurrent entry and approval rights the manager holds today.
  • D. Allowing the manager to both enter and approve information is the weakness under investigation; it preserves the conflict and increases the risk of undetected insider fraud.
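The control described in the explanation is enforced in practice at two points: when roles are assigned (a static check that no one person is granted both entry and approval rights) and again per transaction (a dynamic check that whoever approves a purchase order is not the person who entered it). The following Python is an added example and not code from the exam page or from CompTIA; the employee names, role names, permission strings and the PurchaseOrder record are assumptions constructed to mirror the scenario.

```python
"""Separation-of-duties checks for a purchase-order workflow (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Permission names are assumptions made for this example.
ENTER = "po:enter"
APPROVE = "po:approve"
REVIEW = "po:review"

# Static SoD constraint: no single principal may hold both members of a pair.
CONFLICTING_PAIRS = frozenset({frozenset({ENTER, APPROVE})})

# Roles of the finance system, constructed to mirror the exam scenario.
ROLES = {
    "ar_data_entry": {ENTER, REVIEW},             # Employee A
    "ap_approver": {APPROVE, REVIEW},             # Employee B
    "finance_manager": {ENTER, APPROVE, REVIEW},  # Employee C as the auditor found it
    "finance_manager_fixed": {APPROVE, REVIEW},   # Employee C after option B
}
ASSIGNMENTS_BEFORE = {"employee_a": {"ar_data_entry"}, "employee_b": {"ap_approver"},
                      "employee_c": {"finance_manager"}}
ASSIGNMENTS_AFTER = {"employee_a": {"ar_data_entry"}, "employee_b": {"ap_approver"},
                     "employee_c": {"finance_manager_fixed"}}


class SoDViolation(PermissionError):
    """Raised when a role assignment or an action would break separation of duties."""


def permissions_of(user: str, assignments: dict[str, set[str]]) -> set[str]:
    """Union of the permissions granted by every role the user holds."""
    perms: set[str] = set()
    for role in assignments.get(user, set()):
        perms |= ROLES[role]
    return perms


def static_sod_violations(assignments: dict[str, set[str]]) -> dict[str, list[tuple[str, ...]]]:
    """Static check, run whenever roles change: who holds a conflicting pair at all?"""
    findings: dict[str, list[tuple[str, ...]]] = {}
    for user in assignments:
        perms = permissions_of(user, assignments)
        hits = sorted(tuple(sorted(pair)) for pair in CONFLICTING_PAIRS if pair <= perms)
        if hits:
            findings[user] = hits
    return findings


@dataclass
class PurchaseOrder:
    po_id: str
    amount: float
    entered_by: str          # kept on the record so the approval check can use it
    approved_by: Optional[str] = None


def enter_po(user: str, assignments: dict[str, set[str]], po_id: str, amount: float) -> PurchaseOrder:
    if ENTER not in permissions_of(user, assignments):
        raise SoDViolation(f"{user} may not enter purchase orders")
    return PurchaseOrder(po_id=po_id, amount=amount, entered_by=user)


def approve_po(user: str, assignments: dict[str, set[str]], po: PurchaseOrder) -> PurchaseOrder:
    """Dynamic check, run per transaction: the approver must not be the enterer."""
    if APPROVE not in permissions_of(user, assignments):
        raise SoDViolation(f"{user} may not approve purchase orders")
    if po.entered_by == user:
        raise SoDViolation(f"{user} entered {po.po_id} and may not also approve it")
    po.approved_by = user
    return po


def demo() -> dict[str, object]:
    """Replay the audit finding and the fix; returns the outcome of each step."""
    results: dict[str, object] = {}
    results["static_before"] = static_sod_violations(ASSIGNMENTS_BEFORE)  # flags employee_c
    results["static_after"] = static_sod_violations(ASSIGNMENTS_AFTER)    # clean

    # Before the fix the manager's role permits both steps; only the per-transaction
    # check stands between the manager and a self-approved order.
    po = enter_po("employee_c", ASSIGNMENTS_BEFORE, "PO-1001", 12500.0)
    try:
        approve_po("employee_c", ASSIGNMENTS_BEFORE, po)
        results["manager_self_approval"] = "allowed"
    except SoDViolation:
        results["manager_self_approval"] = "blocked"

    # After the fix the manager cannot enter orders at all: the conflict is removed
    # at the role level instead of relying on the runtime check alone.
    try:
        enter_po("employee_c", ASSIGNMENTS_AFTER, "PO-1002", 300.0)
        results["manager_entry_after_fix"] = "allowed"
    except SoDViolation:
        results["manager_entry_after_fix"] = "blocked"

    # Normal flow: Employee A enters, the manager reviews and approves.
    po2 = approve_po("employee_c", ASSIGNMENTS_AFTER,
                     enter_po("employee_a", ASSIGNMENTS_AFTER, "PO-1003", 980.0))
    results["normal_flow_approved_by"] = po2.approved_by
    return results
```

Running demo() shows why option B is the right remedy: the static check flags employee_c only under the original assignments, and after the fix the manager's entry attempt is refused outright, so the control no longer depends on a runtime self-approval check that an administrator could later weaken.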

Concept tested. Separation of duties in financial access control

Reference. https://csrc.nist.gov/glossary/term/separation_of_duty
