Page 143 - CITP Review

            2.  Based on the case described, for a financial audit, which conclusion would the prudent CITP not draw
               regarding the audit program?

                   a.  Because of the level of complexity, a professional IT auditor is relevant as an integral part of
                       the audit team during the planning process.
                   b.  Because application development is taking place, a flowchart of the relevant financial
                       applications is relevant to the IT audit tasks.
                   c.  Because of the controls around application development, IR associated with custom software
                       has been mitigated.
                   d.  Because of the nature of application development, it is necessary to test all IT projects rather
                       than simply evaluating a small sample of major projects.

            3.  Based on the case described, how would you assess the controls around application development
               and the fact that there is limited SoD?

                   a.  There is no control deficiency.
                   b.  There is a control deficiency.
                   c.  There is a significant deficiency.
                   d.  There is a material weakness.

            4.  Based on this case, for a financial audit, which control is not designed to mitigate the IR of custom
               applications?

                   a.  IT director reviewing significant changes.
                   b.  Segregating the two employees on a project by development and testing.
                   c.  Identifying and analyzing risk resulting from changes that will be required.
                   d.  Performing a physical inventory count.

            5.  Based on the guidance from Statements on Auditing Standards (SAS) about the concepts underlying
               the standards of fieldwork, which is the auditor required to do?

                   a.  Draw no conclusions, but simply gather evidence.
                   b.  Adequately plan the audit, which includes understanding the entity and all of its internal
                       controls.
                   c.  Gather information on the entity’s environment, including internal control, to assess the RMM.
                   d.  Evaluate the entity’s long-term strategy.

            6.  In using CAATs, suppose it is decided that depreciation amounts performed by automated
               applications should be tested. Which is the best category for this test?

                   a.  Selecting audit samples.
                   b.  Summarizing data and performing analyses.
                   c.  Comparing data on separate files.
                   d.  Testing calculations and making computations.

            7.  Which is true if several control deficiencies of small risk are present?

                   a.  The auditor should aggregate the deficiencies to determine whether they represent a material
                       weakness.
                   b.  The auditor may place reliance on the client’s level of control.
                   c.  The auditor must qualify the audit opinion.
                   d.  The auditor cannot rely on the client’s system of control to reduce the amount of substantive
                       procedures performed.


            © 2019 Association of International Certified Professional Accountants. All rights reserved.