Free CPA AUD (Auditing & Attestation) Practice Questions

B is correct. IT general controls (ITGCs) are policies and procedures that relate to many applications and support the effective functioning of application controls. Access management — including role-based authentication and periodic access reviews — is a fundamental ITGC category.
A is incorrect. A three-way match is an application control (or a manual control within a business process) that operates within the purchasing/disbursements cycle. It is not an IT general control.
C is incorrect. Manual review of aging reports is a manual detective control within the revenue cycle. It does not relate to the IT environment broadly and is not an ITGC.
D is incorrect. Requiring dual signatures on checks is a manual authorization control within the disbursement process. This is a business process control, not an IT general control.

A is correct. Under COSO, the risk assessment component involves management's process for identifying and analyzing risks relevant to achieving the entity's objectives, including financial reporting objectives. This includes evaluating the likelihood and significance of risks and determining how they should be managed. Board review of financial results against budget (B) is a monitoring activity. Establishing a code of conduct (C) is part of the control environment component. An automated validation control in the payroll application (D) is a control activity (specifically, an application control).

A is correct. Under AU-C 700 and AU-C 706, when comparative financial statements include a prior period that was reviewed rather than audited, the current auditor includes an other-matter paragraph in the report. This paragraph states that the prior period financial statements were reviewed by another practitioner (or the same firm), describes that a review is substantially less in scope than an audit, and states that no opinion is expressed on the prior period. This informs users about the different levels of assurance for each period. Re-auditing the prior year (A) is not required; the standards accommodate different levels of service across comparative periods. Issuing an opinion covering both years (B) is inappropriate because the auditor did not perform audit procedures on the prior period and cannot assume responsibility for review-level work. Professional standards do not prohibit presenting audited and reviewed periods together (D); they require appropriate disclosure of the different service levels.