Compensating Control
Domain 5 — Protection of Information Assets
Definition
A compensating control is an alternative control implemented when a primary control cannot be applied due to technical or business constraints. It mitigates the same risk to an acceptable level through a different mechanism. IS auditors evaluate compensating controls to ensure they provide equivalent coverage — for example, if automated preventive controls are infeasible, detective controls with timely monitoring may be acceptable.
Real-World Audit Scenario
At a manufacturing client, the legacy inventory system could not enforce segregation of duties — the same operator had to create purchase orders and receive goods because there was only one person trained on the system. We could not implement a technical SoD control without replacing the entire ERP. Instead, we recommended a compensating control: a daily report of any employee who had both created a purchase order and received goods against it, reviewed by the inventory manager every morning. This detective control reduced the risk window from indefinite to 24 hours.
Common Exam Trap
The exam may present a scenario where the ideal control is not feasible. The correct answer is a compensating control with timely monitoring — not "accept the risk" or "replace the system immediately."