Which action is NOT an effective compensating control when segregation of duties cannot be implemented?

Study for the CISA Domain 1 Exam. Get ready with flashcards, multiple-choice questions, hints, and explanations. Prepare thoroughly for your audit and assurance certification!

Restricting system access to only one user is not an effective compensating control when segregation of duties cannot be implemented, because it can lead to a single point of failure and increased risk of fraud or error. Giving only one user access to critical functions reduces the opportunities for checks and balances that come from having multiple individuals involved in a process. Segregation of duties is designed to ensure that no single individual has control over all aspects of a transaction, which inherently limits the potential for unintentional mistakes or malicious actions. Effective compensating controls, on the other hand, should promote oversight, accountability, and transparency, all of which are lacking in a one-user scenario.

In contrast, actions such as logging changes, conducting regular access reviews, and implementing additional management oversight are all essential practices that help to monitor activities and provide a level of control despite the limitations posed by the lack of segregation of duties. These methods ensure that there is a record of actions taken, that who has access to what is evaluated regularly, and that management provides an additional layer of scrutiny, all of which contribute to stronger governance and risk management.
