Page 159 - CITP Review
Solutions
Chapter 1
Knowledge check solutions
1.
a. Incorrect. The fact that the fixed assets are IT is not IT risk.
b. Incorrect. The fact that the controller performs manual procedures is an example of
“downstream” compensating control. It is not an IT risk, but rather a compensating
control for the lack of SoD.
c. Correct. The aspect of this case that demonstrates IT risk is the use of a spreadsheet to
perform a significant accounting class of transactions: property ledger.
d. Incorrect. The lack of SoD is not IT risk.
2.
a. Incorrect. The IT risk associated with the spreadsheet is adequately mitigated by the
controller’s downstream controls.
b. Incorrect. There are no IT controls described as being deployed.
c. Incorrect. The reconciliation of the two ledgers is performed by the same person doing
the rest of the property ledger. There is still a SoD problem if that is all that is considered,
and the risk is not mitigated.
d. Correct. The high IR due to lack of SoD is adequately mitigated by downstream manual
controls executed by the controller. This conclusion is based on the design of those controls
to detect any errors timely, and the operating effectiveness of the manual control.
3.
a. Incorrect. Management’s assertion may be stated as of a specific point in time.
b. Incorrect. Management’s assertion may be to a specific period of time.
c. Incorrect. Management’s assertion must include their description in accordance with the
description criteria.
d. Correct. Management’s opinion that the description is presented in accordance with the
description criteria is not a component of management’s assertion. It is part of the
practitioner’s report. It is one of the assurances the engagement is designed to
determine.
© 2019 Association of International Certified Professional Accountants. All rights reserved.