Question

If an auditor decides to assess control risk as low based on IT application control procedures, which of the following would not be part of the auditor's strategy for testing controls?

1) Testing the effectiveness of IT general control procedures.
2) Testing the effectiveness of management review controls used to monitor the results of operations.
3) Testing the effectiveness of manual follow-up procedures.
4) Testing the effectiveness of the application with test data.

Answer 1

Testing the effectiveness of manual follow-up procedures 1) would not be part of the auditor's strategy for testing controls if control risk is assessed as low based on IT application control procedures.

Step-by-step explanation:

If an auditor decides to assess control risk as low based on IT application control procedures, testing the effectiveness of manual follow-up procedures would not be part of the auditor's strategy for testing controls. Testing the effectiveness of manual follow-up procedures falls under detective controls, which are used to identify and correct errors after they have occurred, rather than preventing them in advance.

The auditor's strategy for testing controls would involve testing the effectiveness of IT general control procedures, management review controls, and the application with test data. IT general control procedures are designed to provide reasonable assurance that information systems operate effectively and securely, management review controls are used to monitor the results of operations, and testing the application with test data checks the accuracy and functionality of the system.