CPA AUD: Risk Assessment and Planned Response

Try 10 focused Certified Public Accountant Auditing and Attestation (CPA AUD) questions on risk assessment, materiality, assertions, fraud risk, controls, and planned response.

CPA means Certified Public Accountant. AUD means Auditing and Attestation. This topic page isolates the planning and risk-response part of AUD before you return to mixed practice.

Use the CPA AUD practice route for timed mocks, topic drills, progress tracking, explanations, and full practice.

Topic snapshot

| Field | Detail |
| --- | --- |
| Exam route | CPA AUD |
| Issuer | American Institute of Certified Public Accountants (AICPA) |
| Topic area | Assessing Risk and Developing a Planned Response |
| Blueprint weight | 30% |
| Page purpose | Planning-focused practice for assertions, materiality, fraud risk, controls, and audit responses |

What this topic tests

This topic tests whether you can turn engagement facts into a risk assessment and audit response. Good answers usually identify the account, assertion, risk driver, control implication, and planned procedure before choosing an option.

Common traps

  • spotting a risk but attaching it to the wrong assertion
  • treating preliminary analytics as final evidence instead of a planning signal
  • lowering control risk without evidence that controls are designed and operating effectively
  • responding to fraud risk with a generic procedure instead of a procedure tied to the risk and assertion

How to reason through these questions

Use a four-step checklist: identify the financial-statement area, name the assertion, decide whether the risk is inherent, control, fraud, or financial-statement-level, then choose the response that directly addresses that risk. If an answer sounds reasonable but does not address the assertion in the stem, reject it.

How to use this topic drill

Use this page to isolate Assessing Risk and Developing a Planned Response for CPA AUD. Work through the 10 questions first, then review the explanations and return to mixed practice in Mastery Exam Prep.

| Pass | What to do | What to record |
| --- | --- | --- |
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |

Blueprint context: 30% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.

Sample questions

These questions are original Mastery Exam Prep practice items aligned to this topic area. They are designed for self-assessment and are not official exam questions.

Question 1

Topic: Assessing Risk and Developing a Planned Response

An engagement team is planning the integrated audit of the financial statements and internal control over financial reporting for Delta Manufacturing, an SEC issuer. The planning file includes these governance notes:

  • The audit committee formally appoints and compensates the external auditor and preapproves audit and permitted nonaudit services.
  • The CFO receives all accounting hotline complaints and forwards only those the CFO considers substantiated to the audit committee.
  • The audit committee has not met privately with the external auditor in the past two years, although management attends quarterly audit committee meetings.

Which interpretation should most affect the auditor’s planning?

  • A. The auditor should conclude that appointment and preapproval activities fully satisfy Sarbanes-Oxley responsibilities, so the other facts have no planning effect.
  • B. The auditor should reduce planned substantive procedures because audit committee preapproval provides evidence that internal control over financial reporting is effective.
  • C. The auditor should treat the complaint filtering and limited direct interaction as governance concerns that may affect the control environment and planned audit committee communications.
  • D. The auditor should direct required planning communications primarily to the CFO because the CFO screens complaints and attends audit committee meetings.

Best answer: C

What this tests: Assessing Risk and Developing a Planned Response

Explanation: For an SEC issuer, the audit committee has key Sarbanes-Oxley oversight responsibilities, including auditor oversight and procedures for accounting complaints. Management filtering hotline complaints and lack of private auditor interaction are governance concerns that can affect the auditor’s understanding of the control environment and planned communications.

Audit planning includes understanding the entity’s governance structure and how those charged with governance oversee financial reporting. In an issuer engagement, Sarbanes-Oxley emphasizes the audit committee’s direct responsibility for the external auditor and for procedures addressing accounting and auditing complaints. Although Delta’s audit committee performs some required functions, the CFO’s filtering of hotline complaints may limit the committee’s oversight of financial reporting concerns. The lack of private interaction with the auditor also suggests limited direct governance communication. These facts do not automatically determine the audit opinion, but they should influence risk assessment, control environment considerations, and the auditor’s plan for direct communications with the audit committee.

  • Appointment and preapproval are important, but they do not make management-filtered complaints irrelevant.
  • Audit committee preapproval is not substantive evidence that ICFR is effective.
  • The CFO’s involvement does not replace the audit committee as the appropriate governance body for required auditor communications.

For an issuer, audit committee oversight includes direct auditor oversight and complaint procedures, so management filtering and limited direct access are relevant planning risk factors.


Question 2

Topic: Assessing Risk and Developing a Planned Response

An audit firm has completed client continuance procedures and signed the engagement letter for a recurring audit of Rylee Components, a nonissuer. In prior years, Rylee was a small, single-location manufacturer that issued income tax basis financial statements. During the current year, Rylee acquired an online distributor, converted to U.S. GAAP reporting for a new bank loan, implemented a new inventory and revenue system, and agreed to provide audited financial statements to the bank 45 days after year-end. The prior-year audit was staffed by two first-year associates, and no current-year detailed audit plan has been finalized. What should the engagement partner do next in establishing the overall audit strategy?

  • A. Obtain management’s representation letter about the GAAP conversion before deciding whether additional audit resources are needed.
  • B. Reassess the audit’s scope, timing, direction, preliminary risks, and resource needs, including whether more experienced staff or IT assistance are needed.
  • C. Begin substantive testing of revenue and inventory immediately to meet the bank’s reporting deadline.
  • D. Reuse the prior-year overall audit strategy and assign the same staff because Rylee remains a nonissuer.

Best answer: B

What this tests: Assessing Risk and Developing a Planned Response

Explanation: The partner should first update the overall audit strategy for the significant current-year changes. The acquisition, GAAP conversion, new system, accelerated deadline, and prior staffing level all affect the scope, timing, direction, and resources needed for the audit.

The overall audit strategy sets the scope, timing, and direction of the audit and guides development of the detailed audit plan. It should consider the entity’s size and complexity, the applicable reporting framework, significant risk factors, reporting deadlines, and the nature and extent of engagement resources. Here, Rylee is no longer comparable to the prior-year audit: it has acquired a new business, changed from income tax basis to U.S. GAAP, implemented a new system affecting revenue and inventory, and accepted a tight reporting deadline. Those facts may require experienced personnel, different timing, IT involvement, and expanded risk assessment before detailed procedures are finalized.

  • Reusing the prior-year strategy ignores major changes in complexity, reporting framework, systems, and timing.
  • Beginning substantive testing immediately skips the planning analysis needed to determine appropriate audit responses.
  • A management representation letter is generally obtained near the end of the audit and does not replace planning or staffing decisions.

The overall audit strategy should be updated for changes in reporting framework, complexity, risk, deadline, and staffing before the detailed audit plan is finalized.


Question 3

Topic: Assessing Risk and Developing a Planned Response

During planning for the audit of a nonissuer manufacturer, the audit team notes that, shortly before year end, a major competitor introduced a lower-priced substitute product. The client’s sales orders for its similar product declined sharply, and finished goods inventory for that product increased. The prior-year audit found no issues with the client’s physical inventory counts. Which planned audit response most directly addresses the audit risk created by this external business condition?

  • A. Expand inventory valuation procedures by testing management’s excess and obsolete inventory estimate using subsequent sales, current selling prices, and order cancellation information.
  • B. Expand revenue cutoff testing around year end for shipments of the affected product.
  • C. Confirm additional customer receivable balances related to sales of the affected product.
  • D. Increase observation of physical inventory counts and test additional count sheets for the affected finished goods inventory.

Best answer: A

What this tests: Assessing Risk and Developing a Planned Response

Explanation: A competitor’s lower-priced substitute and declining customer orders point to possible inventory obsolescence or overvaluation. The planned response should focus on the valuation assertion by testing whether inventory cost exceeds expected recoverable amounts.

External business conditions affect inherent risk and should drive the nature, timing, or extent of planned procedures. Here, the relevant condition is a market decline for the client’s product, evidenced by a cheaper substitute, reduced orders, and rising finished goods inventory. That combination increases the risk that inventory is obsolete, slow-moving, or recorded above net realizable value. The most direct response is to expand procedures over inventory valuation, including testing management’s write-down or reserve using subsequent sales, current prices, and order cancellation evidence. The stem does not indicate a problem with physical existence, revenue cutoff, or customer credit quality.

  • Increasing inventory count observation addresses existence and quantity, not the market-driven valuation risk described.
  • Expanding revenue cutoff testing would address whether sales were recorded in the proper period, not whether unsold inventory is overvalued.
  • Confirming receivables may provide evidence about existence of receivables, but the stated external condition most directly affects inventory valuation.

The external price and demand decline primarily increases the risk that finished goods are recorded above net realizable value.


Question 4

Topic: Assessing Risk and Developing a Planned Response

During planning for a calendar-year audit, the audit team reviews a journal-entry visualization for revenue. The visualization highlights the following cluster:

| Risk indicator | Dashboard result |
| --- | --- |
| Manual entries posted after normal close | 46 entries |
| Account combination | Debit accounts receivable, credit revenue |
| Timing | Last two business days of the year |
| Entry descriptions | Blank or “adjustment” |
| Subsequent activity | 80% reversed in the first week of January |

Which planned audit procedure is most directly responsive to the risk indicator shown?

  • A. Test automated invoice-number sequence controls for system-generated sales transactions throughout the year.
  • B. Select the highlighted manual entries and inspect supporting revenue evidence, reversal activity, and cutoff documentation to determine whether revenue and receivables were properly recorded.
  • C. Compare total annual revenue with the prior year and investigate only if the overall variance exceeds planning materiality.
  • D. Obtain a written management representation that all manual journal entries were reviewed and approved before posting.

Best answer: B

What this tests: Assessing Risk and Developing a Planned Response

Explanation: The visualization identifies a targeted risk: manual, period-end revenue entries that were largely reversed after year-end. The planned response should directly test those entries for occurrence, cutoff, and proper recording rather than rely on broad analytics or unrelated control testing.

Data analytic outputs should be translated into audit procedures that address the specific risk indicators they reveal. Here, the risk is not merely that revenue changed overall; it is that unusual manual entries increased revenue and receivables at year-end and were reversed shortly after year-end. That pattern may indicate management override or improper cutoff. A directly responsive procedure is to select the flagged entries and examine contracts, invoices, shipping or delivery evidence, approval support, subsequent reversals, and related receivable collectibility as needed.

  • Overall revenue comparisons are too broad and could miss a material cluster of improper entries.
  • Testing automated sales invoice sequence controls does not address manual journal entries that may bypass normal sales processing controls.
  • Management representations may support other evidence, but they are not sufficient appropriate evidence for unusual manual revenue entries.

The clustered manual revenue entries with rapid reversals indicate a specific risk of improper period-end revenue recognition that calls for targeted substantive testing.


Question 5

Topic: Assessing Risk and Developing a Planned Response

During planning for a nonissuer audit, the engagement team notes that the client manufactures consumer electronics. A new low-cost competitor entered the market in the fourth quarter, finished goods inventory increased 35% from the prior year, and management reduced selling prices after year end to clear older models. No significant changes were made to physical inventory count controls. Which planned audit response most directly addresses the risk created by these external business conditions?

  • A. Increase test counts at the physical inventory observation to obtain more evidence about the existence of finished goods.
  • B. Shift audit effort from inventory to revenue cutoff because reduced prices primarily indicate a period-end sales cutoff risk.
  • C. Decrease inventory testing because subsequent price reductions provide independent evidence that the goods were sold after year end.
  • D. Expand substantive testing of inventory valuation by comparing recorded costs with subsequent selling prices and reviewing inventory aging for obsolete items.

Best answer: D

What this tests: Assessing Risk and Developing a Planned Response

Explanation: The external market change and buildup of older finished goods primarily affect inventory valuation, not just existence. The appropriate planned response is to increase procedures addressing lower of cost and net realizable value, including subsequent sales prices and obsolescence indicators.

External business conditions can increase inherent risk in specific financial statement areas and should affect the nature, timing, or extent of planned procedures. Here, a new low-cost competitor, excess finished goods, and post-year-end price reductions suggest that inventory may be obsolete or may have a net realizable value below recorded cost. The auditor should respond by planning substantive procedures focused on valuation, such as reviewing inventory aging, evaluating management’s obsolescence reserves, and comparing cost to subsequent selling prices. Because count controls have not changed, the facts do not primarily point to a new existence risk.

  • Increasing physical test counts addresses existence, but the decisive risk is valuation from price pressure and aging inventory.
  • Decreasing testing misuses subsequent sales evidence; lower selling prices may indicate a needed write-down.
  • Revenue cutoff is not the primary risk indicated by excess inventory and market price declines.

The market-price decline and excess inventory increase inherent risk that inventory is not stated at the lower of cost and net realizable value.


Question 6

Topic: Assessing Risk and Developing a Planned Response

During a walkthrough of revenue processing, the auditor obtains the following IT infrastructure information:

| Component | Relevant fact |
| --- | --- |
| Custom shipping application | Records all shipments and creates a daily interface file. |
| Cloud-hosted packaged ERP | Imports accepted interface records and automatically generates customer invoices and revenue entries. |
| Interface log for the month | 18,426 shipment records sent; 18,402 accepted on first import; 24 rejected for invalid item codes and later reprocessed after an IT developer updated the item-code table. |
| Direct ERP entry | Disabled for shipment-based invoices. |

Which interpretation is most appropriate for planning the audit response?

  • A. The auditor can focus on the ERP general ledger because rejected interface records do not affect revenue until they are accepted by the ERP.
  • B. The interface and related item-code table changes are relevant to understanding revenue transaction processing because they affect whether shipments are completely and accurately converted into invoices.
  • C. The small number of rejected records indicates that interface controls are operating effectively and no further understanding of the interface is needed.
  • D. The cloud hosting arrangement eliminates the need to understand application interfaces because the ERP provider is responsible for system availability.

Best answer: B

What this tests: Assessing Risk and Developing a Planned Response

Explanation: The best interpretation is that the interface is a key part of the revenue transaction flow. Since shipments originate outside the ERP and revenue is generated only after import, the auditor needs to understand the automated transfer, exception handling, and related item-code changes when assessing risk.

In planning an audit, the auditor obtains an understanding of how significant classes of transactions are initiated, processed, corrected, transferred, and reported. Here, shipment-based invoices cannot be entered directly in the ERP; they depend on a custom shipping application, a daily interface, and ERP import logic. The rejected records and developer update to the item-code table show that interface exceptions and master data changes can affect whether shipments become invoices and whether amounts are recorded accurately. Cloud hosting and packaged ERP status do not remove the need to understand these transaction-flow dependencies.

  • Focusing only on the ERP general ledger ignores the upstream custom application that initiates revenue transactions.
  • Cloud hosting may affect infrastructure and service-provider considerations, but it does not replace understanding interfaces and transaction processing.
  • A low number of rejected records does not, by itself, prove controls are effective or make the interface irrelevant to risk assessment.

Because revenue entries depend on an automated interface from a custom application to the ERP, interface processing and related master data changes are relevant to risks of completeness and accuracy.


Question 7

Topic: Assessing Risk and Developing a Planned Response

An auditor is performing a planning walkthrough of a nonissuer’s sales order process. The control objective is that only orders from valid, approved customers are accepted for processing. Assume no other procedures have been performed.

Walkthrough facts:

  • The ERP rejects any sales order with a customer number that is not active in the approved customer master file. The auditor observed the system reject an inactive customer number, inspected the configured edit rule, and traced one accepted order to an active customer in the master file.
  • A daily exception report of rejected and overridden orders is automatically emailed to the sales supervisor. The supervisor stated that she reviews it, but there is no sign-off, documented follow-up criteria, or observed review.
  • Sales representatives may request new customer setup, and the credit manager approves the setup after the first order has been entered.
  • The controller reviews monthly revenue trends by region 15 days after month-end.

Which conclusion is most appropriate based on these walkthrough facts?

  • A. The ERP customer-master edit check is effectively designed and placed in operation, but the walkthrough alone does not establish operating effectiveness throughout the period.
  • B. The new customer setup approval is effectively designed because the credit manager approves the customer after order entry.
  • C. The supervisor’s exception report review is effectively designed and placed in operation because the report is generated and emailed automatically each day.
  • D. The controller’s monthly revenue trend review is a transaction-level control that is effectively designed to prevent invalid orders from being accepted.

Best answer: A

What this tests: Assessing Risk and Developing a Planned Response

Explanation: The walkthrough supports a conclusion that the automated ERP edit check exists, is configured, and was observed in operation. However, a walkthrough of one transaction or current configuration does not, by itself, prove that the control operated effectively throughout the audit period.

In a walkthrough, the auditor obtains an understanding of the process and evaluates whether controls are suitably designed and have been placed in operation. The automated customer-master edit check directly addresses the control objective because it prevents acceptance of orders for inactive or unapproved customers. Observing the system reject an inactive customer number, inspecting the edit rule, and tracing an accepted order to the active master file support design and implementation. That is different from testing operating effectiveness, which would require evidence that the control operated consistently during the relevant period, often including change controls and other IT general controls for automated controls.

  • Automatic emailing of an exception report does not prove that the manual review is suitably designed or actually performed.
  • Approval after order entry does not prevent acceptance of orders from unapproved customers.
  • A monthly trend review is a higher-level detective procedure, not a timely transaction-level control preventing invalid order acceptance.

The observed configuration and rejection demonstrate design and implementation of the automated edit check, while period-long operating effectiveness requires additional testing.


Question 8

Topic: Assessing Risk and Developing a Planned Response

An auditor is performing a walkthrough of revenue controls for the objective that sales invoices use authorized prices. The auditor notes the following facts:

  • The billing system automatically populates invoices with approved list prices, but sales clerks can overwrite the price before posting.

  • The only detective control over price changes is a daily price-override report; the documented control requires the sales manager to initial the report.

  • During the walkthrough, the sales manager initialed the report after scanning the total number of overrides but did not compare overrides with approved discounts or investigate line items.

Which conclusion should the auditor reach about the price-override control?

  • A. The walkthrough provides sufficient evidence to rely on the control’s operating effectiveness for the audit period.

  • B. The manager’s initials show that the manual review is effectively designed and placed in operation.

  • C. The ERP pricing control is effectively designed because the system automatically populates approved prices before posting.

  • D. The report-initialing activity was placed in operation, but it is not effectively designed to identify unauthorized price overrides.

Best answer: D

What this tests: Assessing Risk and Developing a Planned Response

Explanation: A walkthrough can show whether a control activity exists and has been placed in operation, but the auditor must also assess whether the control is suitably designed. Here, the manager’s initials show the activity occurred, but the activity would not detect unauthorized overrides because no comparison or investigation is performed.

When evaluating control design, the auditor considers whether the control, if performed as described, would prevent, or detect and correct, a relevant misstatement. Manual review controls generally need defined review criteria, sufficient precision, and follow-up of exceptions. In this scenario, sales clerks can override system prices, so the automatic population of list prices does not fully address the risk. The only detective activity is initialing a report after scanning totals, with no comparison to approved discounts and no investigation of individual overrides. That activity was placed in operation because the auditor observed it, but it is not effectively designed to identify unauthorized price changes.

  • Automatic list pricing is incomplete because clerks can overwrite the price before posting.
  • Initials alone do not demonstrate a precise review against authorized discounts.
  • Observing one walkthrough occurrence does not provide evidence of operating effectiveness throughout the audit period.

Initialing occurred, but the activity lacks a sufficiently precise comparison or follow-up process to detect unauthorized price changes.


Question 9

Topic: Assessing Risk and Developing a Planned Response

During audit planning for a nonissuer, the controller describes the company’s COSO-based internal control system as “the accounting department’s approval and reconciliation procedures, which should guarantee that the financial statements are accurate and that the company complies with all laws.” How should the auditor characterize internal control under the COSO framework?

  • A. A compliance program that provides absolute assurance that laws and regulations are followed when all five COSO components are present.
  • B. A set of accounting department procedures designed only to assure reliable external financial reporting when controls operate as prescribed.
  • C. A collection of control activities, such as approvals and reconciliations, that substitutes for management’s risk assessment and monitoring responsibilities.
  • D. A process effected by the board, management, and other personnel to provide reasonable assurance about operations, reporting, and compliance objectives through five interrelated components, subject to inherent limitations.

Best answer: D

What this tests: Assessing Risk and Developing a Planned Response

Explanation: The controller’s description is too narrow and overstates what internal control can accomplish. Under COSO, internal control is a broad process involving the board, management, and personnel, designed to provide reasonable—not absolute—assurance about operations, reporting, and compliance objectives.

The COSO framework defines internal control as a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding achievement of objectives in three categories: operations, reporting, and compliance. It consists of five interrelated components: control environment, risk assessment, control activities, information and communication, and monitoring activities. Approvals and reconciliations are examples of control activities, but they are only one component. Internal control also has inherent limitations, such as human judgment errors, breakdowns, management override, collusion, and cost-benefit constraints. Therefore, it cannot guarantee accurate financial statements or full legal compliance.

  • Treating internal control as only accounting department procedures is too narrow because COSO involves the entire organization and multiple objective categories.
  • Describing internal control as providing absolute assurance is incorrect because inherent limitations remain even in a well-designed system.
  • Equating internal control with control activities alone ignores risk assessment, monitoring, and the other COSO components.

COSO defines internal control broadly as a reasonable-assurance process tied to operations, reporting, and compliance objectives, not as a guarantee.


Question 10

Topic: Assessing Risk and Developing a Planned Response

During planning for a nonissuer audit, the manager copied the prior-year overall audit strategy without changes. The planning facts are:

| Prior year | Current year |
| --- | --- |
| Owner-managed, single-location retailer using cash basis financial statements | Lender now requires consolidated U.S. GAAP financial statements |
| One product line with routine sales | Acquired a foreign subsidiary representing 30% of revenue with significant inventory obsolescence estimates |
| Fieldwork performed after year end by two first-year staff | Same timing and staffing planned |

Which correction to the overall audit strategy is most appropriate?

  • A. Retain the prior strategy but lower overall materiality because current-year revenue increased.
  • B. Revise the strategy to expand audit scope and timing, assign more experienced personnel, and consider a specialist or component auditor for the subsidiary and inventory estimates.
  • C. Keep the same timing and staffing but add more year-end cash and revenue cutoff procedures.
  • D. Withdraw from the engagement because the acquisition and U.S. GAAP reporting make audit risk unacceptable.

Best answer: B

What this tests: Assessing Risk and Developing a Planned Response

Explanation: The overall audit strategy must respond to major changes in reporting framework, size, complexity, risk, timing, and staffing needs. A consolidated U.S. GAAP audit with a foreign subsidiary and significant estimates requires broader planning and more appropriate resources than the prior cash basis audit.

The overall audit strategy establishes the audit’s scope, timing, and direction. It should consider the reporting framework, industry and entity complexity, locations or components, significant risks, deadlines, and the nature and availability of engagement team resources. Here, the client changed from cash basis to consolidated U.S. GAAP financial statements, acquired a foreign subsidiary, and now has significant inventory estimates. Those changes increase complexity and likely require more experienced staff, additional planning time, closer supervision, and possible use of a specialist or component auditor. The correction is not merely to add a few procedures; the strategy itself must be updated before the detailed audit plan is finalized.

  • Lowering materiality addresses only one planning judgment and does not respond to the broader changes in scope, framework, complexity, and staffing.
  • Adding cash and revenue cutoff work is a detailed procedure response and misses the consolidation, foreign subsidiary, and estimate risks.
  • Withdrawal overstates the required response; increased complexity normally requires a revised strategy and adequate resources, not automatic disengagement.

The current-year changes affect scope, reporting objectives, risk, timing, and team capabilities, so the overall strategy should be revised rather than copied from the prior year.

Continue with full practice

Use the CPA AUD Practice Test page for the full practice route, mixed-topic practice, timed mock exams, and explanations.

Free review resource

Read the CPA AUD guide on CPAExamsMastery.com, then return to Mastery Exam Prep for timed practice.

Revised on Wednesday, May 13, 2026