CISA Exam - Question 1397

This is B. We are talking about access controls. B is the only one that is referencing access controls for the accounts payable staff to modify the vendor account details.

justification after reading the CISA Review Manual: It emphasizes that updating vendor bank details should be segregated from payment processing to prevent fraud (e.g., unauthorized changes to divert payments). If accounts payable staff can modify vendor banking information, it creates a risk of collusion or fraudulent transactions without detection. Privilege Creep and Authorization: The manual highlights the importance of enforcing the Principle of Least Privilege (POLP). Granting unnecessary access to sensitive functions (e.g., vendor bank details) violates POLP and increases the attack surface. Risk of Fraud: Uncontrolled access to vendor banking details directly enables financial misappropriation. The manual states that compensating controls are critical when SoD cannot be fully enforced, but such access without oversight is a severe control gap

A. Payment files are stored on a shared drive in a writable format prior to processing. It means that i can possibly modify the file before finance processing. B is required for finance operation.

B. Accounts payable staff have access to update vendor bank account details. This is because allowing accounts payable staff to update vendor bank account details poses a significant risk of fraud or error. It can lead to unauthorized changes, which might result in payments being diverted to incorrect or fraudulent accounts. This risk is higher compared to the other options, which, while concerning, do not pose as direct a threat to financial integrity and security.