Evaluate Internal Control Components
CPA Business Analysis and Reporting (BAR)
A payroll authorization control requires written manager approval for all new hires before HR processes them in the system. Testing reveals that managers routinely approve new hires verbally without completing the required written form. Which conclusion is most appropriate?
The control is neither designed nor operating effectively
The control is designed effectively but not operating effectively because verbal approvals do not satisfy the written documentation requirement
The control has an operating effectiveness deficiency specifically because the written authorization is not consistently completed, leaving no auditable evidence that approvals occurred
The control is both designed and operating effectively because approvals are occurring verbally
Explanation
The control was properly designed - requiring written authorization before system processing is sound control design. However, it is not operating effectively because managers are not following the written documentation requirement. Without written approval, there is no auditable evidence that proper authorization occurred, creating a gap in the control's operating effectiveness. Option A incorrectly accepts verbal approvals as equivalent to the designed written control. Option B is directionally correct but understates the specific problem, which is both the absence of written evidence and the inability to audit the authorization trail. Option C incorrectly concludes the design is also flawed.
An accounts payable control evaluation finds: purchase orders exist for 94% of transactions, receiving reports exist for 89% of transactions, and invoice approvals exist for 97% of transactions. The 11% of transactions missing receiving reports have an average amount of $8,500. Which assessment is most accurate?
The missing receiving reports are a deficiency only if they resulted in an actual payment error
Controls are operating effectively because all compliance rates exceed 85%
Missing receiving reports represent a control gap - without confirmation of receipt, the company cannot verify that goods were delivered before payment is made
Receiving reports are a secondary control compensated by the high invoice approval rate
Explanation
The receiving report is a critical control in the three-way match process because it confirms that goods were actually received before payment is authorized. An 11% gap means that for roughly one in nine transactions, the company has no documented confirmation of receipt. This creates a real risk of paying for undelivered goods or fictitious invoices. Option A applies an arbitrary threshold without considering the purpose of the control. Option B requires a realized loss to classify a deficiency, which is incorrect - risk potential determines deficiency status. Option D incorrectly treats the approval control as compensating for missing receipt confirmation; they serve different verification purposes.
A company uses a three-tier control model with preventive, detective, and corrective controls. An evaluation finds the financial reporting process relies primarily on detective and corrective controls with minimal preventive controls. Which analytical concern does this raise?
The balance is optimal because corrective controls can fix any error that detective controls identify
Detective controls are superior to preventive controls because they provide evidence of actual errors
Relying primarily on detective and corrective controls means errors must occur before they can be caught; preventive controls stop errors from entering the system, reducing the likelihood of undetected misstatements
Minimal preventive controls are acceptable as long as detective controls have a 100% detection rate
Explanation
A well-designed control system uses preventive controls as the first line of defense because they stop errors and irregularities before they enter financial records. Detective and corrective controls are essential complements, but they cannot fully substitute for prevention because: detection always occurs after the fact, some errors may not be detected, and correction is more costly than prevention. Over-reliance on detective controls means the financial reporting process depends on finding and fixing errors rather than preventing them. Option A incorrectly ranks detective controls above preventive. Option B assumes 100% correction effectiveness, which is unrealistic. Option C's 100% detection rate assumption is not achievable in practice.
A company's monitoring activities include: monthly management reviews of budget-to-actual variances, quarterly control self-assessments by department heads, and an annual internal audit of key processes. None of these activities are performed by individuals independent of the processes being monitored. Which concern does this raise?
Self-monitoring is always sufficient as long as it is documented and reviewed by management
Control self-assessments by department heads are the strongest monitoring form because they have direct process knowledge
Monthly budget reviews are sufficient monitoring for all financial reporting risks
When monitoring is performed exclusively by those responsible for the processes, objectivity is reduced, limiting the ability to detect control deficiencies that those individuals may have contributed to or have an interest in concealing
Explanation
Effective monitoring requires an appropriate degree of independence. When management reviews its own variances, department heads self-assess their own controls, and the internal audit function lacks independence, the monitoring system has a structural limitation: those doing the monitoring have a potential conflict of interest in identifying and reporting problems in their own areas. COSO emphasizes that the objectivity of the evaluator is critical to monitoring effectiveness. The degree of independence needed varies with the significance of the risk, but some level of independence is essential for credible monitoring. Options A and C incorrectly treat process proximity as an advantage that outweighs independence concerns. Option B understates the breadth of monitoring needed.
A board of directors evaluates its internal control system by relying exclusively on management self-assessment reports that consistently show all controls as effective. No independent verification is performed. Which concern does this evaluation process raise?
Management self-assessments are the most reliable source of control information because management has direct operational knowledge
The board is not responsible for internal control evaluation; this is solely the external auditor's role
Exclusive reliance on management self-assessments creates a conflict of interest; management evaluating its own controls lacks the objectivity required for effective board oversight
This approach is consistent with SEC regulations and no additional procedures are necessary
Explanation
Effective board oversight requires independent verification of control effectiveness, not merely management's representation. When management is both responsible for implementing controls and the sole source of information about their effectiveness, there is an inherent conflict of interest. The board's oversight function requires it to obtain some independent assurance - through internal audit, external audit, or other means - to challenge and verify management's self-assessment. Option A confuses operational knowledge with independent objectivity. Option B is incorrect; SEC rules require rigorous internal control assessment and attestation, not unchallenged self-reporting. Option D understates the board's governance responsibility for internal control oversight.
A policy requires controller approval for all journal entries above $50,000. Testing of 40 such entries finds that 6 (15%) were posted without controller approval. How should this deficiency be assessed?
A minor deficiency - the 85% compliance rate indicates the control is generally functioning
A monitoring deficiency only - the control design is sound but the exception was not caught in review
A control operating effectiveness deficiency - a 15% exception rate for a key authorization control is a significant failure that elevates the risk of unauthorized entries reaching the financial statements
Not a deficiency - 15% exceptions are within normal tolerance for large organizations
Explanation
A 15% exception rate for a journal entry authorization control is a meaningful operating effectiveness failure. Journal entries above $50,000 represent high-risk transactions; the authorization requirement exists specifically to prevent unauthorized or erroneous entries with significant financial impact. A 15% bypass rate means that roughly one in six high-value journal entries circumvents the control. Options A and B apply subjective tolerance percentages that have no basis in control evaluation standards. Option C is incorrect; the issue is that the control activity itself is not being followed, not merely that a monitoring mechanism failed to catch exceptions.
An IT application controls evaluation shows all 15 payroll control tests functioning correctly. However, the IT general controls review found that payroll application code can be modified by IT staff without an independent change management process. Which conclusion is most analytically sound?
The IT general control weakness undermines reliance on application control test results - unauthorized program changes could alter how controls function after testing
Expanding application testing to 30 samples would provide sufficient additional assurance
Application controls are effective and no further concern exists since testing passed
The IT general control weakness is irrelevant because application controls passed all tests
Explanation
IT general controls provide the environment in which application controls operate. If the change management process does not prevent unauthorized program modifications, then application controls may have functioned correctly at the time of testing but could be altered afterward without detection. This is a fundamental principle of IT audit: weak ITGCs reduce the reliability of application control testing results because the tested controls may not represent the controls actually operating in the system over the full period. Options A and B ignore this dependency relationship. Option D treats sample size as a substitute for addressing the ITGC weakness.
An information and communication evaluation finds that financial reports are produced accurately but operational managers do not receive timely notification of control exceptions, and control failures are not escalated to the board. Which evaluation is most appropriate?
The information and communication component is effective because financial report accuracy is confirmed
Effective information and communication requires that control failure information be communicated to those with oversight responsibility; accuracy of external financial reports alone does not satisfy this COSO component
Control exception reporting is part of monitoring activities and is outside the scope of information and communication
Operational managers are not responsible for receiving internal control information
Explanation
The information and communication component of COSO requires that relevant information - including information about control deficiencies and failures - be communicated throughout the organization to those who need it to fulfill their control responsibilities. This includes upward communication to the board about significant control failures. Accurate financial reporting satisfies only the external reporting aspect of information and communication; the internal flow of control-relevant information is equally important. Option A narrowly focuses on one output of the information system. Option B incorrectly limits the audience for control information. Option C incorrectly separates exception reporting from information and communication, when both components are involved.
A company installs a whistleblower hotline to strengthen its control environment. After six months, zero reports have been received, and management concludes the control environment is strong. Which analytical challenge is most relevant?
An absence of hotline reports does not confirm the absence of control issues; it may reflect employee unawareness, fear of retaliation, or lack of trust in the anonymity process
Whistleblower hotlines are only required for public companies and are not relevant to control environment assessment
Zero reports confirm a positive control environment and management's conclusion is well-supported
Six months is too short to evaluate a hotline's effectiveness and management should wait longer before drawing conclusions
Explanation
The effectiveness of a whistleblower hotline cannot be measured solely by the volume of reports received. Zero reports in the first six months may indicate: employees are unaware the hotline exists; employees fear retaliation despite stated protections; employees do not trust that reports are truly anonymous; or the hotline process is inaccessible. A genuinely effective hotline requires employee awareness, credible anonymity protections, and a demonstrated culture in which reports are taken seriously without retaliation. Management must assess these conditions rather than treating silence as evidence of a healthy control environment. Option A accepts an unsupported inference. Option C incorrectly limits hotline relevance to public companies. Option D is a valid timing concern but does not identify the most fundamental analytical issue.
A company's cash management function includes: a combination safe with access restricted to the treasurer; daily cash counts reconciled to the general ledger; dual custody required for transfers exceeding $25,000; and a mandatory vacation policy requiring two consecutive weeks. Which of these is best classified as a detective control?
The combination safe with access restricted to the treasurer
Daily cash counts reconciled to the general ledger, identifying discrepancies after transactions are recorded
Dual custody required for all cash transfers exceeding $25,000
The mandatory vacation policy requiring two consecutive weeks away
Explanation
A detective control identifies errors or irregularities after they have occurred. Daily cash counts reconciled to the GL detect discrepancies by comparing physical cash to recorded amounts - a post-event check. The combination safe (Option B) prevents unauthorized access - a preventive control. Dual custody (Option C) prevents unauthorized transfers by requiring two parties - preventive. Mandatory vacation (Option D) reduces fraud opportunities by forcing rotation - preventive, as it deters and uncovers ongoing schemes through coverage by others.