Choice "B" is correct. Since Jose is the system programmer, he can more than likely override any system security and provide himself with unlimited access to application programs and data and would likely be able to hide such access. One employee acting as both a system programmer and an application programmer is a serious internal control weakness that is very difficult to overcome.
Choice "c" is incorrect. Jose has write (update) access to application programs in his function as application programmer. However, his function as system programmer will more than likely allow him to hide such access if he were to choose to do so. One employee acting as both a system programmer and an application programmer is a serious internal control weakness that is very difficult to overcome.
Choice "a" is incorrect. AB&C's accounting system may log all transactions that are entered. However, Jose's access as a system programmer may allow him to bypass this transaction logging and change data in other ways (for example, by "data fixes"). This feature, while potentially a good idea, is not a compensating strength for the weakness that Jose is both an application programmer and a system programmer (although it may be a compensating strength for other weaknesses) and will probably not provide sufficient security. In addition, it is a fact of life that transaction logs are seldom actively monitored.
Choice "d" is incorrect. AB&C's accounting system may log all access attempts to application programs. However, Jose's access as a system programmer may allow him to bypass this access logging and change programs in other ways. This feature, while a good idea and a feature of all automated program security systems, is not a compensating strength for the weakness that Jose is both an application programmer and a system programmer (although it may be a compensating strength for other weaknesses) and will probably not provide sufficient security.
