Assess Risks And Control Deficiencies
CPA Business Analysis and Reporting (BAR): Help Questions
The COSO Internal Control - Integrated Framework organizes internal control into which set of components?
A. Control environment, risk assessment, control activities, information and communication, and monitoring activities
B. Preventive controls, detective controls, and corrective controls
C. Risk identification, risk assessment, risk response, and risk monitoring
D. Governance, strategy, performance, review, information and communication, and monitoring
Explanation
The COSO Internal Control - Integrated Framework comprises five components: (1) control environment, which sets the tone of the organization; (2) risk assessment, identifying and analyzing risks to objectives; (3) control activities, the policies and procedures that help ensure directives are carried out; (4) information and communication, supporting the identification, capture, and exchange of information; and (5) monitoring activities, evaluating whether each component functions as intended. Option B describes control types, not COSO components. Option C describes a generic risk management cycle. Option D describes elements of the COSO ERM framework, which has more components.
A company's accounts payable clerk has authority to both approve vendor invoices and issue payment checks. Which internal control deficiency does this represent?
A. Lack of physical safeguards over company assets
B. Inadequate segregation of duties
C. Insufficient documentation requirements for disbursements
D. Absence of a transaction audit trail
Explanation
Segregation of duties requires that authorization, custody, and recordkeeping functions be assigned to different individuals. Allowing one person to both approve invoices (authorization) and issue payment checks (custody/execution) eliminates a key check and creates a risk of unauthorized or fraudulent payments. Option A describes a different control category related to physical access. Option C describes documentation controls, which are separate from the segregation issue. Option D addresses audit trail requirements, which are distinct from who performs each step.
A company uses a three-way match process (purchase order, receiving report, and vendor invoice) for all disbursements. An auditor finds that 35 payments were processed without a corresponding purchase order. This represents which type of control deficiency?
A. An IT general control weakness in the payment processing system
B. A failure of a compensating control
C. A failure in authorization and approval controls for disbursements
D. A monitoring deficiency with no impact on financial statement risk
Explanation
The purchase order is an authorization control - it documents that an appropriately authorized person approved the transaction before goods or services were acquired. Processing payments without a purchase order bypasses this authorization step, allowing disbursements that may not have been properly approved. Option A is incorrect; this is a process control failure, not specifically an IT general control issue. Option B mischaracterizes the issue as a compensating control failure. Option D incorrectly minimizes the financial reporting impact, since unauthorized disbursements create a risk of improper expense recording.
A company's IT department has unrestricted access to modify transaction records in the accounting system with no review, logging, or approval requirement. This represents which type of control risk?
A. A segregation of duties violation in the purchasing function
B. A physical access control deficiency over computer hardware
C. An IT general control weakness that could allow unauthorized or undetected changes to financial data
D. A user access review deficiency affecting only human resources records
Explanation
IT general controls (ITGCs) include logical access controls, change management, and computer operations controls. Unrestricted ability to modify transaction records without any logging or review is a fundamental logical access control failure. Because accounting systems process and store financial data, this weakness could allow unauthorized adjustments to the financial records, directly affecting financial reporting reliability. Option A misidentifies the function affected. Option B confuses logical access with physical access. Option D incorrectly narrows the impact to HR records.
Under the COSO ERM framework, risk appetite is best described as which of the following?
A. The amount and type of risk an organization is willing to accept in pursuit of its value and objectives
B. The maximum financial loss the organization can sustain before becoming insolvent
C. The level of risk remaining after all available risk responses have been applied
D. The probability that a specific risk event will occur within a defined time period
Explanation
Risk appetite is the broad-based amount and type of risk a company is willing to accept in pursuit of its mission and objectives. It reflects management's philosophy and operating style and guides decisions about which risks to take and which to avoid. Option B describes solvency risk tolerance, not risk appetite as defined in ERM. Option C describes residual risk, which is what remains after risk responses are applied. Option D describes likelihood, which is one component of risk assessment.
A company's risk assessment identifies a high-likelihood, low-impact risk and a low-likelihood, high-impact risk. Limited resources are available for mitigation. Which analytical framework best guides resource allocation?
A. Always address the high-likelihood risk first because frequent occurrences generate more cumulative cost
B. Consider the expected value (likelihood × impact) and strategic significance of each risk before allocating resources, since the high-impact risk may warrant priority despite its lower probability
C. Always address the low-likelihood, high-impact risk first because severe consequences are never acceptable
D. Accept both risks since resource constraints make mitigation economically unfeasible
Explanation
Risk prioritization requires evaluating both dimensions - likelihood and impact - and potentially their product (expected value or expected loss). A low-likelihood, high-impact event may represent existential risk to the organization and warrant priority mitigation even if it occurs rarely. Conversely, a high-frequency, low-impact risk may be efficiently managed through acceptance if expected losses are tolerable. Strategic significance (could the high-impact risk threaten core objectives?) adds another dimension beyond expected value. Options A and C apply rigid priority rules that ignore the opposing dimension. Option D abandons risk management rather than optimizing it.
An auditor identifies that the controller has sole authority to post journal entries, approve those entries, and prepare the financial statements, with no independent review by any other party. How should this deficiency be classified?
A. A control deficiency only, because no actual misstatement has been identified
B. A significant deficiency, because it involves a high-level employee with broad authority
C. Likely a material weakness, because the combination of incompatible functions with no compensating review creates a reasonable possibility of undetected material misstatement
D. Not a deficiency, because controllers routinely maintain broad access to financial systems as part of their role
Explanation
When a single individual performs mutually incompatible financial reporting functions - posting, approving, and preparing financial statements - with no compensating review, the risk of undetected misstatement is significant. This combination eliminates multiple layers of oversight and is the type of scenario that meets the definition of a material weakness: a reasonable possibility that a material misstatement would not be prevented or detected. Option A is incorrect; severity is assessed on risk potential, not whether a misstatement has occurred. Option B understates the severity. Option D incorrectly normalizes this concentration of incompatible functions.
A company's ESG reporting processes have no internal controls, no verification procedures, and no review mechanisms, while its financial reporting is subject to rigorous controls. Which risk does this asymmetry create?
A. ESG reporting is entirely voluntary and therefore not subject to any control or accuracy requirements
B. Inaccurate or unverified ESG disclosures expose the company to reputational, regulatory, and investor relations risks as ESG scrutiny by stakeholders and regulators increases
C. ESG risks are inherently immaterial relative to financial reporting risks and require no controls
D. The company should eliminate ESG disclosures entirely to eliminate the associated risk
Explanation
ESG disclosure is an increasingly regulated area, with the SEC and other regulators expanding requirements around climate-related and sustainability disclosures. Even where disclosure remains voluntary, institutional investors and proxy advisory firms scrutinize ESG data. Inaccurate or unverified ESG disclosures can result in regulatory action, reputational damage, loss of investor confidence, and potential securities liability. Option A is incorrect; even voluntary disclosures carry liability risk if materially false or misleading. Option C is incorrect; ESG risks can be material, particularly for companies in carbon-intensive or resource-dependent industries. Option D is a disproportionate response that would likely increase scrutiny.
An IT general controls review finds that application change management requires developer sign-off before deployment but does not require independent testing by a separate QA team. Which risk does this create?
A. The control is adequate because developer sign-off meets standard industry practice
B. This weakness affects only the IT department and has no impact on financial reporting accuracy
C. Without independent testing, developers can introduce unauthorized changes or undetected errors into production systems that process financial data, potentially compromising data integrity
D. The company should eliminate its change management process and rely exclusively on detective controls
Explanation
Independent testing by a QA team separate from the developers who wrote the code is a critical control in application change management. Without it, developers could introduce intentional or unintentional errors into production applications. Because accounting applications process transactions that feed into financial statements, application integrity directly affects financial reporting reliability. This is an IT general control weakness that elevates the risk of material misstatement. Option A is incorrect; developer-only sign-off is widely recognized as insufficient segregation. Option B is incorrect; IT application weaknesses directly affect financial reporting. Option D eliminates a preventive control framework in favor of detective-only controls, which is not a sound approach.
According to the COSO Enterprise Risk Management framework, which statement best describes the scope of the risk management process?
A. It is organized around five components: governance and culture, strategy and objective-setting, performance, review and revision, and information, communication, and reporting
B. It covers only the five components of the COSO Internal Control - Integrated Framework
C. It focuses on governance, strategy, performance, review, information and communication, and monitoring
D. It is limited to risk identification, quantification, prioritization, and reporting
Explanation
The 2017 COSO ERM - Integrating with Strategy and Performance framework organizes enterprise risk management into five components: governance and culture (sets tone and oversight structures), strategy and objective-setting (aligns risk appetite with strategic direction), performance (identifies and assesses risks that affect achievement of objectives), review and revision (evaluates how well the ERM framework is performing over time), and information, communication, and reporting (supports risk-informed decision making across the entity). Option B confuses the ERM framework with the COSO Internal Control - Integrated Framework, which has five different components. Option C is a near-miss: it omits culture from the first component and substitutes 'monitoring' for the distinct review and revision and reporting functions defined in the 2017 framework. Option D is an incomplete and overly narrow description that omits the governance, strategy, and performance dimensions central to the ERM framework.