Auditors test IT generalSystem of controls that relate to the overall integrity of an IT system. Controls include policies, procedures, and practices designed to provide reasonable assurance that specific objectives will be achieved. and applicationControls designed to ensure the quality, privacy, and security of data used by applications. They include input, processing, and output controls. controls to assess the risk of misstatementThe risk that an entity's financial statements contain one or more material misstatements. It is the product of inherent risk and control risk.. Using the test data approachAudit procedure in which simulated data is entered into a client's computer application to verify transactions are processed correctly., simulated data is entered into a client's computer application to verify transactions are processed correctly. Control weaknessesA condition that exists because an entity's internal control is either not designed properly or is not operating as designed. are found by comparing the simulated results with the expected outcome. For example, an auditor might simulate data to make sure controls reject entries missing key information, such as employee identification numbers (Choice D).

The test data approach is least likely to be used for functions performed outside of a computer application. Control and distribution of unclaimed payroll checks requires human involvement. An auditor would be more concerned about physical custody than IT controls.

(Choices A and C) Auditors can simulate payroll transactions to determine if payments are calculated correctly. A test employee could be entered into the computer program to verify the corresponding payroll check was based on the correct number of hours or proper tax withholdings.

Things to remember:
Under a test data approach, simulated data is entered into a client's computer application to verify transactions are processed correctly. Auditors compare test results with the expected outcome to find control weaknesses.