Free CPA AUD (Auditing & Attestation) Assessing Risk and Developing a Planned Response Practice Questions

B is correct. IT general controls (ITGCs) are policies and procedures that relate to many applications and support the effective functioning of application controls. Access management — including role-based authentication and periodic access reviews — is a fundamental ITGC category.
A is incorrect. A three-way match is an application control (or a manual control within a business process) that operates within the purchasing/disbursements cycle. It is not an IT general control.
C is incorrect. Manual review of aging reports is a manual detective control within the revenue cycle. It does not relate to the IT environment broadly and is not an ITGC.
D is incorrect. Requiring dual signatures on checks is a manual authorization control within the disbursement process. This is a business process control, not an IT general control.

A is correct. Under COSO, the risk assessment component involves management's process for identifying and analyzing risks relevant to achieving the entity's objectives, including financial reporting objectives. This includes evaluating the likelihood and significance of risks and determining how they should be managed. Board review of financial results against budget (B) is a monitoring activity. Establishing a code of conduct (C) is part of the control environment component. An automated validation control in the payroll application (D) is a control activity (specifically, an application control).

A is correct. Under AU-C 600, the group engagement partner is responsible for the direction, supervision, and performance of the group audit engagement. This includes determining the type of work to be performed at each component (full audit, specified procedures, or analytical procedures) based on the component's significance, evaluating the competence and objectivity of component auditors, establishing communications, and reviewing component auditors' work. Performing all work centrally (B) is impractical and not required. Accepting work solely based on network membership (C) does not satisfy the group engagement partner's responsibility to evaluate competence and objectivity. Limiting to parent company records (D) would fail to obtain sufficient evidence about the group financial statements.