Free CPA AUD Full-Length Practice Exam: 78 Questions

May 1, 2026

Try 78 free Certified Public Accountant Auditing and Attestation (CPA AUD) questions across the AUD blueprint areas, with answers and explanations, then continue in Mastery Exam Prep.

On this page

This free full-length Certified Public Accountant Auditing and Attestation (CPA AUD) multiple-choice diagnostic includes 78 original Mastery Exam Prep questions across the AUD blueprint areas.

The CPA AUD section also involves task-based simulations and exhibit-heavy work, so use this page as a multiple-choice diagnostic rather than a complete simulation of every item type. The questions are original practice questions and are not official exam questions.

Practice count note: exam sponsors can describe total questions, scored questions, task-based simulations, duration, or unscored/pretest-item rules differently. Always confirm current exam-day rules with the sponsor.

For concept review before or after this diagnostic, use the CPA AUD guide on CPAExamsMastery.com.

Before you start

CPA means Certified Public Accountant. AUD means Auditing and Attestation. This page is useful when you want one uninterrupted AUD multiple-choice diagnostic before moving into the full practice route.

Use the score as a diagnostic signal, not as a guarantee. AUD also involves task-based simulations and exhibit-heavy work, so a high score here should be paired with continued review of audit-document interpretation, evidence evaluation, and reporting judgment.

How to use your result

Diagnostic result	Practical next step
Below 70%	Return to topic drills. Start with the topic that produced the most misses, then retake mixed sets after the explanations make sense.
70-79%	Review every miss and classify it as ethics, risk assessment, evidence, or reporting. Drill the weak category before another full timed attempt.
80%+	Move to timed mixed practice and focus on pacing, careful stem reading, and avoiding overconfidence on familiar audit wording.
Repeated 75%+ on unseen timed attempts	Schedule or proceed when you can explain why each best answer fits. More repetition should build judgment, not memorization.

Miss pattern to next drill

If your misses cluster around…	What to drill next
independence, confidentiality, due care, or engagement acceptance	Ethics and professional-responsibility questions . Separate the rule, threat, safeguard, documentation, and communication requirement.
risk of material misstatement, fraud, materiality, or assertions	Risk-assessment questions . Name the assertion and risk driver before choosing the planned response.
confirmations, inspection, recalculation, sampling, analytics, or data reliability	Audit-evidence questions . Ask whether the procedure is sufficient, appropriate, and tied to the assertion.
modified opinions, going concern, subsequent events, ICFR, or report wording	Conclusion and reporting questions . Decide materiality, pervasiveness, correction status, disclosure quality, and scope before choosing the report effect.
timing pressure or repeated recognition of familiar stems	Timed mixed practice in the full route. Use larger unseen sets so practice builds audit judgment instead of answer memorization.

Use the CPA AUD practice route for timed mocks, topic drills, progress tracking, explanations, and full practice.

Try CPA AUD on Web View full CPA AUD practice page

Exam snapshot

Item	Detail
Issuer	American Institute of Certified Public Accountants (AICPA)
Exam route	CPA AUD
Official exam name	CPA AUD — Auditing and Attestation
Full-length set on this page	78 questions
Exam time	240 minutes
Topic areas represented	4

Full-length exam mix

Topic	Approximate official weight	Questions used
Ethics, Professional Responsibilities and General Principles	20%	16
Assessing Risk and Developing a Planned Response	30%	23
Performing Further Procedures and Obtaining Evidence	35%	27
Forming Conclusions and Reporting	15%	12

Practice questions

Questions 1-25

Question 1

Topic: Ethics, Professional Responsibilities and General Principles

During an audit of a nonissuer, an associate is testing revenue cutoff for sales recorded near year-end. A December 30 invoice was recorded as current-year revenue, and the sales terms state that title transfers when the goods are shipped. The warehouse shipping log shows shipment on January 3, but the controller says the log is often updated late and provides only an internal email stating that the order was “ready to ship” on December 31. Which action should the associate take?

A. Accept the controller’s explanation because management’s knowledge of warehouse procedures is sufficient to resolve the cutoff question.
B. Document the matter only as a possible control deficiency because the invoice date supports current-year revenue recognition.
C. Propose an immediate adjustment to reverse the sale because the shipping log contradicts the invoice date.
D. Perform additional procedures to resolve the inconsistency, such as obtaining carrier documentation, and evaluate whether an adjustment is needed if shipment before year-end is not supported.

Best answer: D

What this tests: Ethics, Professional Responsibilities and General Principles

Explanation: The shipping log conflicts with the recorded sale, and management’s explanation is not adequately corroborated. Appropriate professional skepticism calls for a questioning evaluation of the evidence and additional procedures to resolve whether shipment occurred before year-end.

Professional skepticism does not mean automatically disbelieving management, but it does require the auditor to be alert to contradictory audit evidence and to avoid accepting incomplete support at face value. Here, the terms make the shipping date critical to revenue cutoff. The invoice date alone does not establish shipment, and the internal email that the order was “ready to ship” does not prove that title transferred before year-end. The auditor should seek more persuasive evidence, such as a bill of lading, carrier record, tracking documentation, or other corroborating evidence, and then evaluate whether a cutoff adjustment is necessary.

Accepting the controller’s explanation overrelies on management and does not resolve the contradictory shipping evidence.
Immediately reversing the sale may be premature because the auditor should first obtain additional evidence to determine what occurred.
Treating the issue only as a control deficiency ignores the possible financial statement misstatement in revenue cutoff.

Professional skepticism requires the auditor to investigate contradictory or incomplete evidence rather than rely solely on an uncorroborated management explanation.

Question 2

Topic: Performing Further Procedures and Obtaining Evidence

During the audit of a nonissuer, the allowance for credit losses is a significant accounting estimate. Management’s worksheet applies supported loss rates to each aging bucket. The auditor agreed the aging report to the accounts receivable subsidiary ledger and found that the worksheet’s total expected loss formula includes only the current, 1-30, 31-60, and 61-90 day buckets; it omits the over-90-day bucket, which is material and has the highest supported loss rate. Management recorded the allowance based on the worksheet total. What is the best audit response?

A. Accept the recorded allowance because the loss rates used in the worksheet were supported by historical write-offs and current conditions.
B. Replace management’s estimate with the prior-year allowance percentage because the current-year worksheet contains a formula error.
C. Expand confirmations of over-90-day receivables before evaluating whether the allowance calculation is misstated.
D. Request that management correct the formula to include the over-90-day bucket, reperform the revised calculation, and evaluate any resulting proposed adjustment.

Best answer: D

What this tests: Performing Further Procedures and Obtaining Evidence

Explanation: A formula omission in a significant estimate is a calculation error that directly affects the recorded allowance. The auditor should have management correct the calculation, reperform it, and evaluate whether an adjustment is necessary.

For significant accounting estimates, the auditor should test both the reasonableness of assumptions and the mathematical accuracy and completeness of management’s calculation. Here, the loss rates were supported, and the aging data was agreed to the subsidiary ledger, but the worksheet omitted a material aging bucket from the total formula. Because the recorded allowance is based on that flawed total, the auditor should obtain a corrected calculation, reperform the computation, and determine the effect on the financial statements. The issue is not solved merely by having reasonable assumptions, because a supported input was excluded from the estimate.

Accepting the allowance ignores a known calculation error affecting a material input.
Using the prior-year percentage overcorrects the issue and bypasses management’s current supported estimate.
Confirming receivables addresses existence more than valuation and does not correct the allowance formula omission.

The auditor should validate the estimate calculation by correcting the omitted supported input, reperforming the calculation, and evaluating the misstatement effect.

Question 3

Topic: Assessing Risk and Developing a Planned Response

An audit firm has completed client continuance procedures and signed the engagement letter for a recurring audit of Rylee Components, a nonissuer. In prior years, Rylee was a small, single-location manufacturer that issued income tax basis financial statements. During the current year, Rylee acquired an online distributor, converted to U.S. GAAP reporting for a new bank loan, implemented a new inventory and revenue system, and agreed to provide audited financial statements to the bank 45 days after year-end. The prior-year audit was staffed by two first-year associates, and no current-year detailed audit plan has been finalized. What should the engagement partner do next in establishing the overall audit strategy?

A. Obtain management’s representation letter about the GAAP conversion before deciding whether additional audit resources are needed.
B. Begin substantive testing of revenue and inventory immediately to meet the bank’s reporting deadline.
C. Reuse the prior-year overall audit strategy and assign the same staff because Rylee remains a nonissuer.
D. Reassess the audit’s scope, timing, direction, preliminary risks, and resource needs, including whether more experienced staff or IT assistance are needed.

Best answer: D

What this tests: Assessing Risk and Developing a Planned Response

Explanation: The partner should first update the overall audit strategy for the significant current-year changes. The acquisition, GAAP conversion, new system, accelerated deadline, and prior staffing level all affect the scope, timing, direction, and resources needed for the audit.

The overall audit strategy sets the scope, timing, and direction of the audit and guides development of the detailed audit plan. It should consider the entity’s size and complexity, the applicable reporting framework, significant risk factors, reporting deadlines, and the nature and extent of engagement resources. Here, Rylee is no longer comparable to the prior-year audit: it has acquired a new business, changed from income tax basis to U.S. GAAP, implemented a new system affecting revenue and inventory, and accepted a tight reporting deadline. Those facts may require experienced personnel, different timing, IT involvement, and expanded risk assessment before detailed procedures are finalized.

Reusing the prior-year strategy ignores major changes in complexity, reporting framework, systems, and timing.
Beginning substantive testing immediately skips the planning analysis needed to determine appropriate audit responses.
A management representation letter is generally obtained near the end of the audit and does not replace planning or staffing decisions.

The overall audit strategy should be updated for changes in reporting framework, complexity, risk, deadline, and staffing before the detailed audit plan is finalized.

Question 4

Topic: Ethics, Professional Responsibilities and General Principles

During the audit of a nonissuer software company, the engagement team evaluated whether a $1.2 million year-end license sale should be recognized as revenue. Management asserted that the contract was final, but the audit team found an internal sales email suggesting the customer could cancel after a pilot period. The team later inspected the signed contract, obtained confirmation from the customer, and concluded that no cancellation right existed. Which audit documentation is most appropriate?

A. A copy of management’s representation that all revenue transactions were recorded in accordance with GAAP.
B. A note stating that the audit team agreed with management after reviewing the signed contract.
C. A schedule showing that the $1.2 million sale was mathematically included in the revenue lead sheet.
D. A memo describing the revenue judgment, the contradictory sales email, the procedures performed to resolve it, and the basis for the final conclusion.

Best answer: D

What this tests: Ethics, Professional Responsibilities and General Principles

Explanation: The best documentation captures the significant judgment, the conflicting evidence, the audit work performed, and the rationale for the conclusion. This supports professional skepticism by showing how the team addressed evidence that initially contradicted management’s assertion.

Audit documentation for significant findings or issues should be sufficient for an experienced auditor to understand the matter, the evidence obtained, and the basis for the auditor’s conclusion. When contradictory evidence exists, the documentation should not ignore it; it should explain how the team evaluated and resolved it. Here, the sales email raised doubt about revenue recognition, so the workpaper should connect that contradiction to the signed contract, customer confirmation, and final conclusion that no cancellation right existed.

A management representation alone is not sufficient because it does not show how the contradictory sales email was evaluated.
A lead sheet tie-out supports mathematical inclusion, not the professional judgment about revenue recognition.
A brief note agreeing with management is incomplete because it omits the contradictory evidence and the reasoning used to resolve it.

Significant professional judgments should be documented with the contradictory evidence considered, how it was resolved, and the conclusion reached.

Question 5

Topic: Assessing Risk and Developing a Planned Response

During planning for the audit of a nonissuer manufacturer, the engagement team identifies an increased risk of material misstatement related to inventory obsolescence. Which item of audit evidence best supports the conclusion that the risk is driven by an internal business risk rather than an external economic risk?

A. A sales manager states that competitors have been discounting similar products aggressively in the current quarter.
B. Board-approved product strategy minutes and engineering change orders show that management replaced a legacy product line, leaving $4.2 million of prior-version components with no approved use in current production.
C. An industry report shows that overall demand for durable goods declined during the year because consumer financing rates increased.
D. Supplier price lists show that market prices for several raw materials declined after year-end.

Best answer: B

What this tests: Assessing Risk and Developing a Planned Response

Explanation: The strongest support is evidence showing that management’s own strategic and operational decisions created obsolete inventory. Board minutes and engineering change orders are internal source documents that directly connect the valuation risk to internal business factors.

When assessing risks of material misstatement, auditors distinguish internal business risks from external economic risks. Internal business risks arise from the entity’s objectives, strategies, operations, governance decisions, systems, or technology use. Here, management’s decision to replace a product line and the resulting engineering changes directly explain why prior-version components may be obsolete. External economic conditions, such as interest rates, market price changes, or competitor discounting, may also affect valuation, but they do not support the specific conclusion that the risk is internally driven.

Industrywide demand decline due to financing rates supports an external economic risk, not an internal business risk.
Raw material price declines may affect lower-of-cost-and-net-realizable-value testing, but they are market-driven rather than internal.
Competitor discounting is external and a verbal statement is less direct support for internal obsolescence.

This evidence links the obsolescence risk to management’s internal strategy and product-design decisions.

Question 6

Topic: Assessing Risk and Developing a Planned Response

During planning for a financial statement audit, an auditor evaluates a control over program changes to the revenue application. The workpaper note states:

Developers submit change tickets in the service desk system.
The application owner must electronically approve each change before it can be released.
Developers do not have access rights to migrate code to production.
A release manager who is not a developer migrates only approved changes.
The auditor inspected the service desk configuration and one current-period change ticket showing application-owner approval before release.

How should the auditor characterize this control based on the note?

A. Suitably designed and placed in operation, but not yet tested for operating effectiveness.
B. Neither suitably designed nor placed in operation because substantive procedures over revenue have not been performed.
C. Placed in operation, but not suitably designed because the approval is electronic rather than manual.
D. Suitably designed, but not placed in operation because a full operating-effectiveness sample was not tested.

Best answer: A

What this tests: Assessing Risk and Developing a Planned Response

Explanation: The control has an appropriate design because it requires owner approval and segregates development from production migration. Inspection of system configuration and a current-period ticket supports that the control was placed in operation, although it does not prove operating effectiveness over the period.

Design and implementation evaluation is different from testing operating effectiveness. A control is suitably designed if it is capable, individually or with other controls, of preventing or detecting and correcting a relevant misstatement risk. Here, the design addresses unauthorized program changes by requiring application-owner approval and preventing developers from moving code to production. A control is placed in operation when the auditor obtains evidence that it exists and the entity is using it. Inspecting the configured approval requirement and a current-period approved ticket supports implementation. However, the note does not establish whether the control operated effectively throughout the audit period, which would require further testing if the auditor plans to rely on it.

A full sample is not required merely to determine whether the control was placed in operation.
Electronic approval can be valid audit evidence; a handwritten signature is not required for suitable design.
Substantive procedures over revenue do not determine whether this IT general control is designed and implemented.

The note shows the control could prevent unauthorized changes and provides evidence that it exists and has been used in the current period.

Question 7

Topic: Assessing Risk and Developing a Planned Response

A CPA is planning the audit of a nonissuer manufacturing company. The audit senior prepared the following risk-assessment excerpt:

Risk-assessment fact	Current-year observation
Financing	The company is close to violating a debt covenant based on year-end EBITDA.
Compensation	The CEO and CFO receive significant bonuses if EBITDA meets the annual budget.
Governance	The audit committee met once during the year and did not review significant accounting estimates.
Accounting environment	The controller resigned after objecting to several CEO-approved manual journal entries recorded near year-end.
Prior audit results	Last year’s audit identified no material misstatements.

Which conclusion about the risk of material misstatement is best supported by the excerpt?

A. Risk of material misstatement should be reduced because the controller resigned before the audit report date.
B. Risk of material misstatement is not elevated at the financial statement level because the prior-year audit found no material misstatements.
C. Risk of material misstatement should be limited to the valuation assertion for accounting estimates because the audit committee did not review estimates.
D. Risk of material misstatement at the financial statement level is elevated due to pervasive fraud risk factors involving pressure, oversight, and management override.

Best answer: D

What this tests: Assessing Risk and Developing a Planned Response

Explanation: The exhibit shows multiple pervasive fraud risk factors: covenant pressure, bonus incentives, weak oversight, and concerns about CEO-approved manual entries. These factors affect the control environment and management override risk, so the risk assessment should be elevated at the financial statement level.

Financial statement-level risks are risks that may have a pervasive effect on the financial statements rather than being confined to one account balance or assertion. Incentives to meet EBITDA, ineffective governance, and possible management override through year-end manual journal entries all suggest broader susceptibility to intentional misstatement. A clean prior-year audit does not eliminate current-year risk when conditions have changed. The resignation of the controller after objecting to entries heightens, rather than reduces, concern about management integrity and override. The auditor should use this assessment to design overall responses, such as increased professional skepticism, more experienced staff, and heightened attention to journal entries and estimates.

Limiting the risk to estimate valuation is too narrow because the facts point to pervasive management override and control environment concerns.
Relying on the prior-year audit result ignores current-year incentives, weak oversight, and suspicious year-end entries.
Treating the controller’s resignation as risk-reducing is incorrect; the resignation after objections is a warning sign.

The facts indicate incentives, weak governance, and possible management override, which can affect the financial statements pervasively.

Question 8

Topic: Assessing Risk and Developing a Planned Response

During planning for the audit of a nonissuer manufacturer, the auditor learns that senior management’s annual bonuses vest only if revenue increases by at least 8%. Two days before year-end, the CFO emailed sales staff to “invoice all pending orders now; customer acceptance paperwork can catch up in January.” The audit team has not yet tested any related invoices. How should the auditor treat this information?

A. Classify it only as a control weakness because the CFO appears able to influence the invoicing process.
B. Record a known misstatement for all pending orders invoiced before year-end.
C. Identify it as a fraud risk indicator related to potential improper revenue recognition and design responsive procedures for revenue occurrence and cutoff.
D. Treat it as an ordinary business risk because management compensation depends on revenue growth.

Best answer: C

What this tests: Assessing Risk and Developing a Planned Response

Explanation: The facts indicate a fraud risk factor, not merely a business objective or control issue. Management has a revenue-based incentive and directed staff to invoice before customer acceptance, creating a specific risk of intentional premature revenue recognition.

Fraud risk indicators include incentives or pressures, opportunities, and attitudes or rationalizations that may lead to fraudulent financial reporting. Here, management’s bonus depends on meeting a revenue target, and the CFO’s instruction suggests revenue may be recorded before the earnings process is complete. Because the team has not tested the invoices, the auditor should not yet conclude that a known misstatement exists. The proper planning response is to identify a fraud risk, especially for revenue occurrence and cutoff, and design further procedures responsive to that risk.

Treating the compensation plan as only an ordinary business risk ignores the CFO’s instruction to invoice before acceptance.
Classifying the matter only as a control weakness misses the intentional financial reporting concern suggested by the facts.
Recording a known misstatement is premature because the invoices have not yet been tested.

The bonus threshold and instruction to invoice before customer acceptance indicate pressure and possible intentional premature revenue recognition.

Question 9

Topic: Performing Further Procedures and Obtaining Evidence

During a Uniform Guidance audit, an auditor tests procurement transactions for a major federal program. One selected transaction lacks evidence that the required suspension and debarment verification was performed before the vendor was paid. Management states that the verification was likely performed but cannot immediately locate the documentation. Which follow-up procedure is most appropriate?

A. Remove the transaction from the sample and replace it with another transaction.
B. Perform additional procedures to determine the nature and cause of the exception and whether similar transactions were affected.
C. Issue an adverse opinion on compliance for the major program.
D. Conclude that all payments to the vendor are known questioned costs.

Best answer: B

What this tests: Performing Further Procedures and Obtaining Evidence

Explanation: The auditor should first follow up to determine whether the missing verification represents actual noncompliance and whether it is isolated or indicates a broader problem. That may include inspecting additional records, inquiring further, and testing similar transactions as needed.

In Uniform Guidance compliance testing, an apparent exception is not ignored or automatically projected into the most severe reporting consequence. The auditor should obtain additional evidence to understand the nature and cause of the exception, determine whether noncompliance occurred, assess whether the matter is isolated or systemic, and evaluate the effect on questioned costs, internal control over compliance, and the major program opinion. The follow-up work should be targeted to the applicable compliance requirement and the population affected.

Treating all vendor payments as known questioned costs overstates the conclusion before determining which costs, if any, are unsupported or unallowable.
Issuing an adverse compliance opinion is premature without evaluating severity and pervasiveness.
Replacing the sample item improperly avoids an identified potential exception rather than evaluating it.

A possible compliance exception should be followed up by obtaining evidence about its cause, validity, and possible pervasiveness before concluding on reporting effects.

Question 10

Topic: Ethics, Professional Responsibilities and General Principles

A CPA is completing the audit of a nonissuer’s financial statements. The CPA concludes that a recorded revenue transaction is materially misstated under the applicable financial reporting framework. The CFO refuses to adjust the financial statements, says the audit committee should not be told, and offers to sign a management representation letter supporting the accounting. The client’s bank loan officer calls the CPA directly to ask whether the audit identified any problems; the client has not authorized the CPA to discuss the audit with the bank, and no legal requirement to disclose exists. Which response best maintains integrity and complies with applicable professional standards?

A. Inform the bank loan officer about the material misstatement because the bank is expected to rely on the audited financial statements.
B. Issue an unmodified opinion if management signs a written representation accepting responsibility for the revenue recognition decision.
C. Refuse to issue an unmodified opinion unless the misstatement is corrected, communicate the unresolved matter to those charged with governance, and decline to discuss the audit with the bank absent client authorization or a legal/professional requirement.
D. Issue an unmodified opinion with an emphasis-of-matter paragraph describing the disputed revenue and avoid involving the audit committee.

Best answer: C

What this tests: Ethics, Professional Responsibilities and General Principles

Explanation: The CPA may not subordinate professional judgment to management or ignore a known material misstatement. The appropriate response is to require correction or modify the audit response, communicate with those charged with governance, and protect confidential client information unless disclosure is authorized or required.

Integrity requires a CPA to be honest and not knowingly associated with materially misstated information. A management representation letter is evidence, but it does not override contradictory audit evidence or cure a material departure from the reporting framework. If management refuses to correct a material misstatement, the auditor should communicate the matter to those charged with governance and determine the effect on the auditor’s report or whether withdrawal is necessary. Separately, the AICPA confidentiality rule generally prohibits disclosing confidential client information to a third party, such as a bank officer, without client consent unless an exception applies, such as a valid legal requirement or a professional standards obligation.

A management representation cannot overcome known audit evidence showing a material misstatement.
Directly warning the bank may seem protective, but it violates confidentiality absent authorization or another recognized exception.
An emphasis-of-matter paragraph is not a substitute for correcting a material misstatement or modifying the opinion, and the audit committee cannot be bypassed.

This response preserves the CPA’s integrity, follows audit communication and reporting responsibilities, and respects the confidentiality rule.

Question 11

Topic: Ethics, Professional Responsibilities and General Principles

A CPA is the audit manager for a nonissuer audit. The client’s controller, a former college roommate of the CPA, asks the CPA to drop a proposed adjustment reclassifying a material debt balance from long-term to current. The controller says the client may move its tax work to another firm if the audit is delayed, and the audit evidence supports the reclassification. Which action best preserves the CPA’s objectivity?

A. Drop the adjustment if a different firm partner handles the tax work so that the audit team is not directly affected by the fee concern.
B. Ask to be removed from the engagement without telling the engagement partner why the proposed adjustment was dropped.
C. Maintain the proposed adjustment based on the evidence, inform the engagement partner of the pressure, and follow firm escalation procedures if management refuses.
D. Accept the controller’s written representation that the classification is reasonable because management is responsible for the financial statements.

Best answer: C

What this tests: Ethics, Professional Responsibilities and General Principles

Explanation: The CPA must base the audit position on sufficient appropriate evidence and avoid subordinating judgment to the client. The friendship, threatened loss of fees, and deadline pressure create threats to objectivity, so the CPA should escalate and maintain the evidence-supported adjustment.

Under the AICPA Code, objectivity requires a CPA to remain impartial and not knowingly misrepresent facts or subordinate professional judgment. Here, the audit evidence supports a material debt reclassification, so dropping the adjustment because of a personal relationship or threatened loss of tax work would impair objectivity. The appropriate response is to maintain the evidence-based conclusion, communicate the pressure within the engagement team, and use the firm’s consultation or escalation procedures. If management refuses to correct a material misstatement, the engagement partner would consider the reporting implications, but the manager’s immediate ethical responsibility is not to yield to the pressure.

A management representation cannot replace audit evidence supporting a material classification issue.
Separating the tax partner may address part of a fee-threat concern, but it does not justify omitting an evidence-supported audit adjustment.
Quietly leaving the engagement does not address the dropped adjustment and fails to communicate a significant objectivity threat.

Objectivity is preserved by not subordinating professional judgment to client pressure, personal familiarity, or fee concerns.

Question 12

Topic: Assessing Risk and Developing a Planned Response

An audit senior is reviewing a staff note prepared during planning under the COSO framework: “Internal control consists of control activities that ensure the company’s financial statements are correct. The client has approvals and reconciliations, so internal control is effective.” The audit team has not yet documented the control environment, risk assessment, information and communication, monitoring, or inherent limitations. What should the senior do next?

A. Revise the documentation to define internal control as a process effected by the board, management, and personnel; address all five COSO components; and note that controls provide reasonable, not absolute, assurance for operations, reporting, and compliance objectives.
B. Limit the COSO evaluation to control activities because financial reporting objectives are the audit team’s primary concern.
C. Disregard internal control and proceed directly to substantive testing because collusion and management override can defeat controls.
D. Assess control risk as low and reduce substantive procedures because approvals and reconciliations have been documented.

Best answer: A

What this tests: Assessing Risk and Developing a Planned Response

Explanation: The staff note is incomplete and overstates what internal control can accomplish. Under COSO, internal control is a process involving people, five components, multiple objectives, and only reasonable assurance because inherent limitations exist.

COSO defines internal control as a process effected by the board of directors, management, and other personnel that is designed to provide reasonable assurance about achieving objectives related to operations, reporting, and compliance. The five components are control environment, risk assessment, control activities, information and communication, and monitoring activities. In planning an audit, the team should obtain and document an understanding that reflects these elements before drawing conclusions about risk or reliance. Controls can reduce risk, but they cannot eliminate it because of inherent limitations such as human judgment, mistakes, collusion, management override, and cost-benefit constraints.

Assessing control risk as low is premature because the team has not completed its COSO-based understanding or tested operating effectiveness.
Limiting the evaluation to control activities omits four COSO components and narrows the framework incorrectly.
Disregarding controls misapplies inherent limitations; limitations mean reasonable assurance, not that internal control is irrelevant.

COSO defines internal control broadly as a process designed to provide reasonable assurance over operations, reporting, and compliance through five interrelated components subject to inherent limitations.

Question 13

Topic: Assessing Risk and Developing a Planned Response

An auditor is planning a financial statement audit of a nonissuer manufacturer and is evaluating controls over purchase authorization. The auditor documented the following process-summary excerpt:

Control feature	Workpaper note
ERP approval rule	A single purchase order over $75,000 requires CFO approval before issuance.
Monitoring control	The purchasing director initials a monthly report of purchase orders between $70,000 and $75,000.
Exception observed	Three related purchase orders for the same vendor, each for $74,500, were created on the same day after the CFO directed the purchasing clerk to split one requisition. The monthly report was initialed as reviewed.

Which conclusion is best supported by the exhibit?

A. The documented review establishes operating effectiveness, so no additional procedures are needed for purchases near the threshold.
B. The controls are subject to inherent limitations, so the auditor should consider the effect of possible override and human review failure on risk assessment and planned procedures.
C. The occurrence of split purchases requires the auditor to disclaim an opinion on the financial statements.
D. The ERP approval threshold prevents all unauthorized purchase activity below $75,000, so risk for those purchases is negligible.

Best answer: B

What this tests: Assessing Risk and Developing a Planned Response

Explanation: Internal control provides reasonable assurance, not absolute assurance. The exhibit shows classic inherent limitations: a manager directed a workaround of the approval threshold, and the manual monitoring review did not detect or address the split purchases.

Under the COSO framework, internal control is designed to reduce risk to an acceptable level, but it cannot eliminate risk. Inherent limitations include management override, collusion, human error, poor judgment, and cost-benefit constraints. Here, the ERP approval rule appears to address large purchase approvals, and a monitoring control exists for purchases just below the threshold. However, the CFO directed the clerk to split one requisition into three purchase orders, and the purchasing director’s manual review was initialed despite not identifying the issue. The appropriate audit implication is to consider how these limitations affect the assessed risks and planned audit response, rather than assuming the controls are fully effective.

A documented review does not by itself prove operating effectiveness; the observed exception suggests the review may not detect relevant issues.
An automated threshold control can be bypassed by splitting transactions or override, so purchases below the threshold are not automatically low risk.
A financial statement opinion is not disclaimed solely because control limitations or exceptions exist; reporting effects depend on audit evidence and identified misstatements or scope limitations.

The exhibit shows that approval thresholds and manual monitoring can be circumvented by override and can fail through human review limitations.

Question 14

Topic: Assessing Risk and Developing a Planned Response

During planning for the audit of a manufacturer, the engagement team is evaluating whether to design expanded procedures over inventory obsolescence and net realizable value. Which evidence best supports a conclusion that the inventory valuation assertion has an increased risk of material misstatement?

A. Cycle count results showing that quantities on hand agreed to perpetual inventory records for selected finished goods.
B. An auditor-prepared aging analysis, reconciled to the inventory subledger and general ledger, showing that 35% of finished goods have had no sales activity for more than 18 months.
C. The prior-year audit file showing no proposed adjustments related to inventory valuation.
D. A signed management representation stating that no inventory items are obsolete or impaired at year end.

Best answer: B

What this tests: Assessing Risk and Developing a Planned Response

Explanation: The strongest planning evidence is current, auditor-prepared information that directly relates to inventory obsolescence. A reconciled aging analysis showing substantial slow-moving finished goods supports a higher assessed risk for the valuation assertion and justifies expanded procedures.

When preparing or evaluating an engagement plan, the auditor should link identified risks to the relevant assertion and planned response. For inventory obsolescence, evidence about slow-moving, excess, or unsalable items is directly relevant to valuation and net realizable value. An auditor-prepared aging analysis that is reconciled to the underlying inventory records and general ledger is more persuasive than management’s unsupported assertion and more relevant than evidence about physical quantities. This type of planning evidence supports designing additional procedures such as testing subsequent sales, reviewing markdowns, inspecting aged items, and evaluating management’s reserve methodology.

A management representation may be necessary, but it is not sufficient by itself to support a planning conclusion about valuation risk.
Cycle count agreement supports inventory existence or record accuracy, not whether inventory is obsolete or overvalued.
Prior-year results may inform planning, but they do not provide current-year evidence about slow-moving or impaired inventory.

An auditor-prepared, reconciled aging analysis directly supports increased valuation risk because slow-moving finished goods may be obsolete or carried above net realizable value.

Question 15

Topic: Performing Further Procedures and Obtaining Evidence

A nonissuer client holds two investments measured at fair value at year-end: publicly traded common stock with a quoted closing price in an active market, and a private debt security valued by management using a discounted cash flow model with significant unobservable inputs. Which distinction should most directly affect the auditor’s procedures over fair value measurement and disclosure?

A. The private debt security should be audited at amortized cost because unobservable inputs cannot provide sufficient appropriate evidence for fair value.
B. Both investments require the same audit approach because all fair value measurements are audited by recalculating management’s recorded amount.
C. The publicly traded stock may be tested primarily to quoted market data, while the private debt security requires evaluation of the valuation method, significant assumptions, underlying data, and related fair value hierarchy disclosures.
D. The publicly traded stock requires confirmation with the exchange, while the private debt security requires only management’s written representation about fair value.

Best answer: C

What this tests: Performing Further Procedures and Obtaining Evidence

Explanation: The key distinction is the observability of fair value inputs. A quoted price in an active market provides strong, direct evidence, whereas a model-based fair value using unobservable inputs requires more extensive audit work on the model, assumptions, source data, and disclosures.

Fair value evidence varies in reliability depending on the nature of the inputs. For an investment traded in an active market, the auditor can often obtain persuasive evidence by agreeing the recorded fair value to quoted market prices as of the measurement date. For a private security valued with a discounted cash flow model, the auditor must address greater estimation uncertainty by evaluating whether the valuation technique is appropriate, whether significant assumptions such as discount rates and projected cash flows are reasonable, whether underlying data are reliable, and whether required disclosures, including fair value hierarchy classification, are appropriate.

Confirming with an exchange is not normally the decisive procedure, and management representations alone are not sufficient evidence for a significant estimate.
Recalculation alone is insufficient when the issue is whether management’s model and assumptions are reasonable.
Unobservable inputs do not preclude fair value measurement, but they increase the need for persuasive audit evidence and appropriate disclosure.

Observable active-market prices generally provide more direct evidence, while model-based fair values require testing management’s method, inputs, assumptions, data, and disclosures.

Question 16

Topic: Assessing Risk and Developing a Planned Response

During planning of a nonissuer audit, the engagement team learns that the client sold a warehouse to its chief executive officer three days before year-end. The sale is outside the client’s normal operations, includes seller financing, and generated a material gain. What is the most appropriate planning response?

A. Identify the transaction as a significant unusual related-party transaction and plan procedures to understand its business purpose, terms, authorization, accounting, and disclosure.
B. Defer planning for the transaction until management prepares the final related-party footnote.
C. Limit planned procedures to confirming the seller-financing receivable with the chief executive officer.
D. Treat the transaction as part of the ordinary revenue cycle because title transferred before year-end.

Best answer: A

What this tests: Assessing Risk and Developing a Planned Response

Explanation: The sale involves an executive officer, occurred near year-end, is outside normal operations, and produced a material gain. Those facts indicate a related-party and significant unusual transaction that should affect risk assessment and the planned audit response.

In planning an audit, the auditor should give special attention to related parties, executive officer transactions, and significant unusual transactions, particularly when they are material or occur near year-end. The auditor should plan procedures to understand the transaction’s business purpose, inspect agreements, evaluate authorization and terms, and assess whether the accounting and disclosures are appropriate. Confirmation of a receivable may provide evidence about existence or terms, but it is not enough by itself to address the broader risks of management bias, non-arm’s-length terms, or incomplete disclosure.

Treating the sale as ordinary revenue ignores that it is outside normal operations and involves the CEO.
Waiting for the final footnote is inappropriate because planning should identify and respond to the risk early.
Confirming the receivable addresses only one evidence point and does not cover business purpose, authorization, gain recognition, or disclosure.

A material, unusual year-end transaction with an executive officer creates related-party and significant-risk planning implications requiring targeted audit procedures.

Question 17

Topic: Performing Further Procedures and Obtaining Evidence

An auditor is testing a nonissuer’s year-end warranty liability. The auditor recalculated the liability using management’s warranty policy and the sales report provided by management, and the recalculation supports the recorded balance. However, subsequent cash disbursements and correspondence with the third-party repair provider indicate significantly higher warranty claims related to pre-year-end sales. Which additional procedure is most appropriate?

A. Reconcile the sales report and warranty claims used in the recalculation to source records and subsequent repair-provider activity, and investigate the differences.
B. Reduce substantive testing because the recalculation provides mathematical evidence about the recorded balance.
C. Obtain a written management representation that the warranty liability is complete and use it as the primary evidence for the balance.
D. Conclude that the recorded liability is fairly stated because the auditor’s recalculation agreed with management’s recorded amount.

Best answer: A

What this tests: Performing Further Procedures and Obtaining Evidence

Explanation: The auditor cannot ignore evidence that conflicts with a recalculation. The appropriate response is to investigate and perform additional procedures to resolve the inconsistency before concluding on the warranty liability.

Recalculation provides evidence about mathematical accuracy, but it depends on the completeness and accuracy of the inputs used. When recalculation results conflict with other evidence, such as subsequent payments or third-party correspondence, the auditor should determine the cause of the inconsistency. That often involves tracing data to source records, reconciling to independent or external evidence, and evaluating whether the original data were incomplete, inaccurate, or not relevant to the period under audit. A management representation may supplement other evidence, but it does not resolve contradictory evidence by itself.

Relying solely on the recalculation fails because the inputs may be incomplete or unreliable.
A written management representation is not sufficient appropriate evidence when other evidence is contradictory.
Reducing substantive testing is inappropriate because the inconsistency increases the need for additional evidence.

Conflicting audit evidence requires the auditor to perform additional procedures to resolve the inconsistency and evaluate the reliability of the evidence used.

Question 18

Topic: Performing Further Procedures and Obtaining Evidence

During further procedures over revenue cutoff for a nonissuer wholesaler, an audit data analytic compared sales invoices, shipment dates, and post-year-end credit memos. The client recognizes revenue when goods are shipped.

ADA output item	Result
Invoice population reconciled to sales ledger	$0 difference
Average monthly sales, January-November	$4.8 million
December sales	$8.9 million
December 29-31 invoices with shipment dates of January 2-8	$1.6 million
January credit memos linked to December 29-31 invoices	$1.2 million

The staff documented “no exception” because the invoice population reconciled to the sales ledger. Which correction to the audit response is most appropriate?

A. Flag the year-end invoices shipped after December 31 as cutoff exceptions and propose an adjustment to remove revenue and receivables for amounts not shipped by year end.
B. Expand testing of customer credit approvals because the January credit memos indicate a credit-risk issue.
C. Clear the output because the invoice population reconciles to the sales ledger without difference.
D. Modify the audit opinion because the December sales increase and January credit memos indicate a pervasive revenue misstatement.

Best answer: A

What this tests: Performing Further Procedures and Obtaining Evidence

Explanation: The reconciliation to the sales ledger supports population agreement, but it does not resolve whether revenue was recorded in the proper period. The ADA output shows invoices recorded before year end even though shipment occurred after year end, creating a cutoff exception under the client’s revenue policy.

Audit data analytic outputs should be used to identify notable relationships and exceptions, not merely to confirm that summarized data agrees to the general ledger. Here, the key relationship is between invoice date and shipment date. Because the client recognizes revenue when goods are shipped, invoices dated December 29-31 but shipped January 2-8 were recorded too early unless other evidence changes that conclusion. The proper audit response is to treat those items as cutoff exceptions and propose an adjustment for revenue and receivables not earned by December 31. The January credit memos further support targeted follow-up, but the most direct correction is the cutoff adjustment for the identified shipped-after-year-end invoices.

Reconciling the invoice population to the ledger addresses agreement of data, not the cutoff assertion.
Customer credit approval testing targets authorization and collectibility, not whether revenue was recorded in the correct period.
An opinion modification is premature; the auditor should first evaluate and propose correction of the identified misstatement.

The ADA output identifies a cutoff anomaly because the client recognizes revenue on shipment and $1.6 million of year-end invoices were shipped after year end.

Question 19

Topic: Assessing Risk and Developing a Planned Response

During planning of an audit of a nonissuer, the audit team documents the following issue: The client’s ERP system automatically calculates sales discounts and posts revenue and accounts receivable. The draft audit strategy relies on these automated application controls to assess control risk below maximum for revenue occurrence and accuracy and to reduce year-end substantive testing. However, the IT walkthrough shows that user-access changes are not reviewed, terminated users retain ERP access for up to 60 days, and no compensating monitoring controls have been identified. What is the best correction to the draft audit strategy?

A. Assess control risk at maximum for the affected revenue assertions, do not rely on the affected automated controls, and increase substantive revenue procedures at or near year-end.
B. Keep control risk below maximum because the automated controls are properly designed, but add a management representation about ERP access controls.
C. Perform additional walkthroughs of sales transactions while keeping the planned reduction in substantive revenue testing.
D. Modify the auditor’s report for a scope limitation because the IT general control deficiency prevents completion of the audit.

Best answer: A

What this tests: Assessing Risk and Developing a Planned Response

Explanation: The access-control weakness affects whether the auditor can rely on automated application controls. Because no compensating controls were identified, the audit strategy should increase control risk for the affected assertions and expand substantive procedures rather than reduce them.

IT general controls support the continued operation and reliability of automated application controls. If user access is not properly controlled, unauthorized or inappropriate changes or transactions could affect revenue processing, so the auditor cannot simply rely on automated discount and posting controls as planned. When controls are not suitably designed, implemented, or supported by effective IT general controls, the auditor should assess control risk higher, often at maximum for the affected assertions, unless effective compensating controls are identified and tested. The planned audit response should then shift toward more persuasive substantive procedures, such as increased detailed testing and procedures performed closer to year-end.

Keeping control risk below maximum based only on control design ignores the failed IT general control environment.
Additional walkthroughs may improve understanding, but they do not provide a basis to reduce substantive testing when access controls are ineffective.
A reporting modification is premature; the appropriate planning response is to revise risk assessment and procedures, not automatically modify the opinion.

Weak IT general controls over access undermine reliance on related automated controls, requiring a higher control risk assessment and expanded substantive procedures.

Question 20

Topic: Ethics, Professional Responsibilities and General Principles

A CPA firm is engaged to audit a 401(k) plan’s financial statements to be filed with the plan’s Form 5500 under ERISA. During the plan year and the audit period, the firm’s employee benefit plan services group maintained the plan’s participant account balances and transaction records as the plan recordkeeper. The firm proposes assigning a separate audit team and having plan management review all audit work. How should this relationship be characterized?

A. A control deficiency in the plan’s recordkeeping process that should be communicated to those charged with governance but does not affect auditor independence.
B. A prohibited relationship that impairs the firm’s independence under Department of Labor rules, requiring the firm not to serve as the plan’s independent auditor.
C. A scope limitation that permits the firm to continue the audit if it issues a qualified opinion or disclaimer of opinion.
D. A significant threat that may be reduced to an acceptable level by applying safeguards under the Government Auditing Standards conceptual framework.

Best answer: B

What this tests: Ethics, Professional Responsibilities and General Principles

Explanation: Department of Labor independence rules for employee benefit plan audits prohibit an auditor from maintaining the plan’s financial records. Because the CPA firm acted as the plan recordkeeper, it is not independent for the ERISA plan audit and should not serve as the independent qualified public accountant.

Employee benefit plan audits filed under ERISA are subject to Department of Labor independence requirements in addition to general professional standards. A firm that maintains the financial records of the plan, such as participant account balances and transaction records, has a prohibited relationship with the plan. This is not merely a threat to be evaluated with safeguards; it directly impairs independence for the plan audit. Using a separate audit team or obtaining management review does not remove the prohibited relationship. The appropriate engagement response is to decline or withdraw from serving as the plan’s independent auditor.

Safeguards under a conceptual framework do not cure a Department of Labor prohibited relationship for an ERISA plan audit.
The issue is auditor independence, not merely a recordkeeping control deficiency.
Lack of independence is not a scope limitation that can be solved by modifying the audit opinion.

Maintaining the plan’s financial records is a prohibited relationship for an ERISA plan auditor and cannot be cured by separate staffing or management review.

Question 21

Topic: Assessing Risk and Developing a Planned Response

An auditor is planning substantive procedures for a nonissuer manufacturer. Revenue is a significant class of transactions. The company’s terms are FOB shipping point, and revenue should be recognized when goods are shipped. The auditor identifies a risk that December sales invoices may have been recorded before shipment to meet a revenue target. Which procedure best addresses the relevant assertion for this risk?

A. Inspect evidence that sales orders were approved by the credit department before shipment.
B. Compare monthly revenue and gross margin percentages with prior-year amounts and investigate unusual fluctuations.
C. Select sales invoices recorded in late December and inspect related bills of lading to determine whether shipment occurred on or before year-end.
D. Select bills of lading dated in late December and trace them to the sales journal to determine whether they were invoiced.

Best answer: C

What this tests: Assessing Risk and Developing a Planned Response

Explanation: The identified risk is that recorded December revenue may not have been earned because shipment had not occurred. Selecting recorded sales and vouching them to shipping documents directly addresses occurrence and cutoff for revenue recorded near year-end.

When revenue recognition depends on shipment, the relevant evidence for recorded year-end sales is documentation showing when goods were actually shipped. Because the risk is overstatement—sales recorded before shipment—the auditor should start with recorded sales invoices and vouch them to bills of lading or shipping logs. This direction tests whether recorded transactions occurred and were recorded in the correct period. Starting from shipping documents and tracing to the sales journal would primarily test completeness, not overstatement. Control approvals and analytical procedures may provide useful information, but they do not directly test whether the specific recorded sales met the shipment condition for recognition.

Tracing bills of lading to the sales journal addresses whether shipped goods were billed and recorded, which is a completeness concern.
Inspecting credit approval is a test of a control or authorization attribute, not direct substantive evidence of shipment and cutoff.
Comparing revenue and margin trends is an analytical procedure that may identify unusual relationships but is less direct than vouching recorded sales to shipping evidence.

Vouching recorded year-end sales to shipping evidence directly tests whether recorded revenue occurred and was recognized in the proper period.

Question 22

Topic: Ethics, Professional Responsibilities and General Principles

A CPA firm is asked by a nonissuer client to report on management’s assertion that the company met specified criteria for the percentage of recycled content in its products during the year. Management accepts responsibility for the assertion and the criteria. The client wants the CPA to obtain sufficient appropriate evidence and express an opinion on whether the assertion is fairly stated. Which engagement classification is most appropriate?

A. An examination attestation engagement under the SSAEs
B. An agreed-upon procedures engagement under the SSAEs
C. A review engagement under SSARS
D. An audit of historical financial statements under GAAS

Best answer: A

What this tests: Ethics, Professional Responsibilities and General Principles

Explanation: This is an attestation examination because the CPA is engaged to express an opinion on management’s assertion about subject matter other than historical financial statements. The subject matter is measured against specified criteria, and management is responsible for the assertion.

In an attestation examination, a practitioner obtains sufficient appropriate evidence to provide reasonable assurance and express an opinion on subject matter or an assertion that is the responsibility of another party. Here, the recycled-content assertion is nonfinancial subject matter, management accepts responsibility for it, specified criteria exist, and the requested report is an opinion. Those facts point to an examination engagement under the SSAEs. A financial statement audit would address historical financial statements under GAAS. A SSARS review applies to historical financial statements and provides limited assurance, not an opinion on nonfinancial subject matter. An agreed-upon procedures engagement reports procedures performed and findings, not an overall opinion.

A financial statement audit is tempting because it includes evidence and an opinion, but the subject matter is not historical financial statements.
A SSARS review is incorrect because the client requested an opinion, not limited assurance on financial statements.
An agreed-upon procedures engagement is incorrect because it reports findings from specified procedures rather than an overall opinion.

The CPA would report with an opinion on nonfinancial subject matter that is management’s responsibility and measured against suitable criteria.

Question 23

Topic: Performing Further Procedures and Obtaining Evidence

An auditor is testing Brightline Co.’s year-end customer rebate accrual. Based on the workpaper note, which additional procedure should the auditor perform next to address the conflicting evidence?

Workpaper note:

Recorded year-end rebate accrual: $420,000, based on 2% of eligible sales.
The auditor recalculated management’s schedule at 2% and agreed the amount to the general ledger.
During subsequent-disbursements testing, 6 of 20 January rebate payments were made at 4% of Q4 sales to national distributors.
The sales vice president stated that certain national distributors received a revised rebate rate late in the year, but accounting has not provided the revised agreements.
A. Obtain an additional management representation that no unrecorded rebate obligations exist.
B. Conclude the recorded accrual is reasonable because the auditor’s recalculation agreed to the general ledger.
C. Treat the matter only as a potential control deficiency and stop substantive testing of the accrual.
D. Inspect the revised distributor agreements and recalculate the rebate accrual for all affected Q4 eligible sales.

Best answer: D

What this tests: Performing Further Procedures and Obtaining Evidence

Explanation: The recalculation agreed to management’s schedule only because it used the same 2% assumption. Subsequent payments and inquiry indicate some agreements may require a 4% rate, so the auditor needs additional corroborating evidence and a revised recalculation for the affected population.

When audit evidence from recalculation, reperformance, or tests of details conflicts with other evidence, the auditor should not simply accept the favorable result. The inconsistency must be investigated and resolved by performing additional procedures. Here, the auditor’s recalculation proves only that the client’s schedule is mathematically accurate at 2%. It does not establish that 2% is the correct contractual rate for all distributors. January payments at 4% and the sales vice president’s statement suggest that a portion of the year-end obligation may be understated. Inspecting the revised agreements and recalculating the accrual for the affected Q4 sales directly addresses the source and amount of the possible misstatement.

Agreement to the general ledger supports mathematical accuracy, not completeness or correctness of the underlying rebate terms.
A management representation is not a substitute for available corroborating evidence when inconsistent audit evidence exists.
A possible control deficiency may also need evaluation, but it does not eliminate the need to complete substantive procedures on the accrual.

The auditor should resolve the inconsistency by obtaining corroborating evidence and recalculating the amount using the terms that may apply.

Question 24

Topic: Performing Further Procedures and Obtaining Evidence

An auditor is evaluating the allowance for expected credit losses for a nonissuer. Management changed the loss-rate model from a 5-year historical average to a 12-month average, which reduced the allowance materially. Management states that the shorter period better reflects improved credit quality. Which item of audit evidence best supports a conclusion that the estimate includes an indicator of management bias?

A. An aging analysis shows total receivables increased by 8% over the prior year while sales increased by 9%.
B. A recalculation shows the spreadsheet correctly multiplied management-selected loss rates by year-end receivable balances.
C. The auditor’s comparison of customer-level loss data shows management omitted the most recent quarter’s charge-offs and delinquencies from the 12-month data set, although those accounts met the model’s stated inclusion criteria and would have increased the loss rate.
D. A management representation states that the 12-month period is the best estimate of current economic conditions.

Best answer: C

What this tests: Performing Further Procedures and Obtaining Evidence

Explanation: The strongest support for management bias is evidence that management selectively excluded unfavorable data from the estimate. Omitting charge-offs and delinquencies that met the model’s criteria suggests biased data selection, not merely a reasonable change in method.

When auditing estimates, the auditor evaluates whether management’s methods, assumptions, data, and disclosures are reasonable and free from indicators of bias. A change in method is not automatically biased, but it becomes suspicious when management applies the method selectively or excludes relevant data without support. Here, the omitted recent charge-offs and delinquencies directly affect the loss-rate estimate, meet the model’s own inclusion criteria, and would increase the allowance. That evidence supports a conclusion that management’s data selection may be biased toward understating the allowance.

A management representation may be required, but it is not sufficient persuasive evidence about whether the selected period is unbiased.
A recalculation supports mathematical accuracy, not whether the selected data or assumptions are appropriate.
Similar growth in receivables and sales does not address whether management selectively excluded unfavorable credit-loss data.

Selective exclusion of unfavorable data that should have been included under the model is strong evidence of biased data selection in the estimate.

Question 25

Topic: Forming Conclusions and Reporting

A CPA firm is engaged to report on a customer’s compliance with selected provisions of a supply contract. The engagement partner concludes that the report should be an agreed-upon procedures report, rather than an examination, review, audit, or compilation report. Which item in the engagement file best supports that conclusion?

A. A draft report stating that the CPA is not independent and does not express an opinion, conclusion, or any assurance on the financial information.
B. A management representation letter stating that the compliance schedule is fairly presented in accordance with the contract terms.
C. A signed engagement letter stating the specified procedures to be performed, the intended users’ responsibility for the sufficiency of those procedures, and that the CPA will report findings without providing an opinion or conclusion.
D. An analytical comparison showing that contract charges this year are consistent with prior-year charges.

Best answer: C

What this tests: Forming Conclusions and Reporting

Explanation: The strongest support is documentation that the CPA will perform specified procedures agreed to by the relevant users and report only the resulting findings. That reporting model distinguishes agreed-upon procedures from assurance reports and from compilations.

In an agreed-upon procedures engagement, the practitioner performs procedures that are specified in advance and objectively described, then reports the procedures performed and the findings obtained. The practitioner does not provide an opinion, a conclusion, or assurance; users evaluate the findings for themselves. An examination or audit provides reasonable assurance, a review provides limited assurance, and a compilation presents information without performing agreed procedures or reporting findings. Therefore, the engagement letter describing specified procedures, user responsibility for their sufficiency, and no assurance best supports the AUP reporting conclusion.

Management’s assertion about fair presentation may support the subject matter, but it does not identify the reporting model.
Analytical consistency is possible evidence from a procedure, but it does not show that the engagement is an agreed-upon procedures engagement.
A report disclosing lack of independence and no assurance is more consistent with a compilation-type reporting issue, not AUP reporting.

An agreed-upon procedures engagement is characterized by performing specified procedures and reporting findings without providing assurance.

Questions 26-50

Question 26

Topic: Assessing Risk and Developing a Planned Response

An audit senior reviews a staff workpaper that maps a client issue to the COSO framework:

“The company implemented a new online order-entry system during the year. Management did not evaluate how automated pricing, order completeness, or the interface to the general ledger changed risks to reliable financial reporting. Staff mapped the issue to the Information and Communication component and recommended sending employees a notice about the new system.”

Which revision best corrects the workpaper?

A. Map the issue to Control Activities and require a supervisor to approve every online order before processing.
B. Map the issue to Monitoring Activities and require internal audit to perform quarterly testing of the system interface.
C. Keep the issue under Information and Communication and expand the recommendation to notify customers and vendors about the new system.
D. Map the issue to the Risk Assessment component and the principle of identifying and assessing significant changes; management should update its assessment of financial reporting risks from the new system.

Best answer: D

What this tests: Assessing Risk and Developing a Planned Response

Explanation: The deficiency is that management did not consider how a significant operational and IT change affected financial reporting risks. Under COSO, that belongs in the Risk Assessment component, specifically the principle addressing identification and assessment of significant changes.

COSO’s internal control framework has five components supported by principles. Risk Assessment includes identifying and analyzing risks to achieving objectives and considering changes that could significantly affect internal control. A new online order-entry system can affect pricing, order completeness, and the general ledger interface, all of which can change risks relevant to reliable financial reporting. The best correction is to reclassify the issue from Information and Communication to Risk Assessment and focus management’s response on updating its risk assessment and related control design considerations. Communicating the change or testing controls may be useful later, but those responses do not correct the misidentified COSO component and principle.

Notifying customers, vendors, or employees addresses communication, but the stated problem is the lack of risk evaluation from a significant system change.
Requiring approval of every order jumps to a control activity and may overstate the needed response without first assessing the changed risks.
Quarterly internal audit testing is a monitoring response, but monitoring does not substitute for management’s initial risk assessment of the new system.

A major system change that management has not evaluated is a COSO risk assessment issue involving identification and assessment of significant change.

Question 27

Topic: Assessing Risk and Developing a Planned Response

During planning for the audit of a nonissuer wholesaler, the engagement team identifies an elevated risk that year-end revenue may be recorded from system-generated sales invoices before the related goods are shipped. The company’s policy is to recognize revenue when goods are shipped and a bill of lading is issued. Which planned audit procedure best responds to this assessed risk?

A. Select recorded sales invoices dated near year-end and inspect related bills of lading to verify that shipment occurred on or before the revenue recognition date.
B. Confirm selected year-end accounts receivable balances with customers and agree replies to the aged trial balance.
C. Compare monthly gross margin percentages for the current year with prior-year percentages and investigate unusual fluctuations.
D. Select bills of lading dated near year-end and trace them to recorded sales invoices in the sales journal.

Best answer: A

What this tests: Assessing Risk and Developing a Planned Response

Explanation: The risk is that revenue was recorded too early, before shipment occurred. The planned response should start with recorded sales and obtain evidence that shipment had occurred by the recognition date.

When the assessed risk is overstatement of revenue or premature cutoff, the auditor generally tests from the recorded accounting population back to source documents that support occurrence and timing. Here, sales invoices near year-end are the recorded revenue items at risk. Inspecting the related bills of lading provides evidence about whether the goods were shipped before revenue was recognized. Tracing from shipping documents to invoices primarily tests completeness, not whether recorded revenue is overstated. Analytical procedures and receivable confirmations may provide useful evidence, but they do not as directly address whether specific recorded sales were recognized before shipment.

Tracing bills of lading to invoices addresses whether shipments were recorded, which is a completeness direction test.
Gross margin analytics may identify unusual trends but are less precise for the specific cutoff risk.
Receivable confirmations support existence of receivables, but they may not establish that shipment occurred before revenue recognition.

Vouching recorded revenue to shipping evidence directly addresses the risk of overstated revenue or improper cutoff.

Question 28

Topic: Performing Further Procedures and Obtaining Evidence

An audit staff member is preparing a purchase-disbursement data file for further audit procedures. The client provided a field named vendor_risk_score with values 1, 2, 3, and 4, where 1 = low risk, 2 = moderate risk, 3 = high risk, and 4 = critical risk. The staff member calculated the average vendor_risk_score by purchasing agent and plans to treat a difference of 1.0 in the average as meaning the same increase in risk for every agent. What is the best correction to the staff member’s treatment of this field?

A. Treat vendor_risk_score as an ordinal, discrete field and use category counts, percentages, or rank-based comparisons rather than assuming equal numeric intervals.
B. Treat vendor_risk_score as a nominal field and remove the ordering among low, moderate, high, and critical risk.
C. Treat vendor_risk_score as a ratio, continuous field because the values are numeric and have a lowest value of 1.
D. Treat the average risk score as sufficient audit evidence and eliminate other procedures over high-risk vendors.

Best answer: A

What this tests: Performing Further Procedures and Obtaining Evidence

Explanation: The field is coded with ordered categories, not measurements with equal units. The best correction is to treat it as ordinal and discrete, using procedures that preserve the ranking without assuming equal intervals between risk levels.

Measurement scale matters when preparing audit data because it affects which transformations and analyses are valid. A numeric code does not automatically make a field interval or ratio data. Here, the values 1 through 4 represent ordered categories of vendor risk, so they are ordinal and discrete. The categories can be ranked from low to critical, but the difference between low and moderate risk is not necessarily equivalent to the difference between high and critical risk. Audit procedures should therefore use category distributions, stratification, filtering, or rank-based analysis rather than relying on averages as though each step were an equal unit of risk.

Treating the field as ratio and continuous overstates what the numeric codes represent; the codes are categories, not measured quantities.
Treating the field as nominal ignores the meaningful order from low risk to critical risk.
Treating an average risk score as sufficient audit evidence overstates the evidential value of a data-preparation choice and would not replace necessary audit procedures.

The risk codes have a meaningful order but do not establish equal distances between categories, so ordinal treatment is more appropriate.

Question 29

Topic: Performing Further Procedures and Obtaining Evidence

During an audit, management provides an AI-generated schedule used to support its year-end sales returns reserve. The AI tool imports current-year sales and post-year-end returns from the ERP, matches returns to original sales by invoice number, and applies reserve percentages by product line. Management personnel can change input files and override the percentages before exporting the schedule. The auditor has separately evaluated the reasonableness of the reserve percentages and now needs evidence about the reliability of the AI-generated schedule. Which item best supports the auditor’s conclusion that the schedule is reliable for use as audit evidence?

A. A signed management representation stating that the AI tool was vendor-developed, used consistently, and reviewed by the controller before the schedule was provided to the auditor.
B. A comparison showing that the current-year AI-generated reserve percentage is close to the prior-year audited reserve percentage.
C. A PDF export from the AI tool showing the report generation date, the tool’s confidence score, and no system error messages.
D. An auditor-obtained read-only export of the sales and returns data that reconciles to the general ledger, evidence that no unapproved input or AI-rule overrides occurred, and the auditor’s reperformance of the matching and reserve calculations without exception.

Best answer: D

What this tests: Performing Further Procedures and Obtaining Evidence

Explanation: The strongest support combines reliable source data, evidence about possible management intervention, and auditor reperformance of the AI-generated output. Because management can alter inputs and override rules, the auditor needs evidence beyond representations or report metadata.

When an auditor uses information produced by the entity, including schedules generated with technology or AI, the auditor should evaluate whether the information is sufficiently reliable for the intended audit purpose. That includes considering the source and completeness of input data, whether the information was changed or biased by management, and whether the processing produced accurate results. An auditor-obtained read-only export reconciled to the general ledger supports authenticity and completeness of the underlying data. Logs or control evidence addressing unapproved overrides responds to susceptibility to management bias. Reperformance of matching and calculations provides direct evidence that the AI output was processed accurately.

A management representation may be useful, but it is not sufficiently independent and does not test inputs, overrides, or calculations.
A PDF with a timestamp and confidence score may identify the report but does not establish that the underlying data or processing is reliable.
Similarity to a prior-year reserve may support overall plausibility, but it does not validate the current-year AI-generated schedule.

This evidence directly addresses source-data authenticity, management override risk, and the accuracy of the AI tool’s processing.

Question 30

Topic: Ethics, Professional Responsibilities and General Principles

During fieldwork for a nonissuer audit, a CPA firm discovers that the firm, not an individual employee, directly owns common stock of the audit client. The firm concludes that the financial interest creates an independence threat that cannot be eliminated or reduced to an acceptable level, and the firm is able to withdraw from the engagement. Under the AICPA independence framework, which engagement response is appropriate?

A. Withdraw from the audit engagement and do not issue an audit opinion.
B. Continue the audit after obtaining written consent from management and those charged with governance.
C. Complete the audit and issue a disclaimer of opinion solely because the firm lacks independence.
D. Issue an unmodified audit report with an emphasis-of-matter paragraph disclosing the financial interest.

Best answer: A

What this tests: Ethics, Professional Responsibilities and General Principles

Explanation: Independence is required to perform and report on an audit. Because the firm itself holds a direct financial interest in the audit client and no safeguard can reduce the threat to an acceptable level, the appropriate response is to withdraw and not issue an audit opinion.

Under the AICPA independence conceptual framework, a CPA evaluates threats to independence and applies safeguards when available. If a threat cannot be eliminated or reduced to an acceptable level, independence is impaired. A direct financial interest in an audit client held by the firm is a severe self-interest threat and is not cured by disclosure, client consent, or a report paragraph. When the impairment exists during the engagement and the firm can withdraw, the firm should discontinue the attest engagement rather than continue as though the report can be modified to make the impairment acceptable.

Written consent from management or those charged with governance does not cure an independence impairment.
An emphasis-of-matter paragraph highlights financial statement matters; it is not a remedy for auditor independence.
A disclaimer may be relevant in limited circumstances when an auditor must report despite lack of independence, but here the firm can withdraw.

A firm-level direct financial interest impairs independence, and an attest engagement should be discontinued when the threat cannot be reduced to an acceptable level.

Question 31

Topic: Forming Conclusions and Reporting

A CPA firm is engaged under AICPA attestation standards to perform agreed-upon procedures on a nonissuer’s royalty schedule. The engagement letter identifies two procedures: compare selected sales amounts to the general ledger and recompute the royalty percentage. The letter states that the firm will not provide an opinion or conclusion. After completing the procedures with no exceptions, management asks the firm to add the statement, “Nothing came to our attention that the royalty schedule is misstated.” What should the CPA firm do next?

A. Add the requested statement because no exceptions were found during the agreed-upon procedures engagement.
B. Decline to add the requested statement and issue a report that describes the agreed-upon procedures performed and the related findings.
C. Issue a compilation report on the royalty schedule because the firm is not providing assurance.
D. Express an examination opinion that the royalty schedule is fairly stated because the procedures were completed without exceptions.

Best answer: B

What this tests: Forming Conclusions and Reporting

Explanation: The requested wording is negative assurance, which is characteristic of a review, not an agreed-upon procedures report. In an AUP engagement, the practitioner reports the procedures performed and the findings obtained, but does not express an opinion or conclusion.

Agreed-upon procedures reporting is different from examination, review, audit, and compilation reporting. In an AUP engagement, the practitioner performs procedures that are specified in the engagement and reports the results as factual findings. Even if no exceptions are found, the report should not say that nothing came to the practitioner’s attention or that the subject matter is fairly stated. Those statements imply assurance beyond the scope of an AUP engagement. The proper next step is to keep the report within the agreed-upon procedures format unless the engagement is changed and sufficient appropriate work is performed under another type of engagement.

Adding negative assurance would improperly turn the AUP report into review-style reporting.
A compilation report addresses presenting information without assurance, but it does not report agreed procedures and findings.
An examination opinion would require an examination engagement and sufficient evidence to support reasonable assurance.

An agreed-upon procedures report presents procedures and findings without providing negative assurance, an opinion, or a conclusion.

Question 32

Topic: Ethics, Professional Responsibilities and General Principles

A CPA is evaluating whether to continue as auditor of a nonissuer. Management will sign an engagement letter only if it omits management’s acknowledgment of responsibility for designing, implementing, and maintaining internal control relevant to the preparation and fair presentation of the financial statements. The audit is not required by law or regulation. Given these facts, what should the CPA do next?

A. Continue the engagement and describe management’s refusal in an emphasis-of-matter paragraph.
B. Decline to continue the audit engagement unless management agrees to the required acknowledgment of responsibility.
C. Continue the engagement and expand substantive procedures to compensate for the omitted acknowledgment.
D. Continue the engagement but obtain the acknowledgment from those charged with governance after the audit report date.

Best answer: B

What this tests: Ethics, Professional Responsibilities and General Principles

Explanation: Before accepting or continuing an audit, the auditor must obtain management’s agreement that it acknowledges certain responsibilities. If management refuses a required acknowledgment and the audit is not legally required, the auditor should not accept or continue the engagement.

Audit preconditions include management’s use of an acceptable financial reporting framework and management’s agreement to acknowledge its responsibilities. Those responsibilities include preparation and fair presentation of the financial statements, design and maintenance of relevant internal control, and providing the auditor access to information and persons needed for the audit. This acknowledgment is not merely a report disclosure issue or an audit procedure to be replaced by more testing. Because management refuses to acknowledge responsibility for internal control and the engagement is not required by law or regulation, the CPA should decline to continue unless management agrees to the required term.

Describing the refusal in an emphasis-of-matter paragraph is inappropriate because the issue prevents proper engagement continuance rather than merely requiring report emphasis.
Expanding substantive procedures does not replace management’s required acknowledgment of responsibility.
Obtaining the acknowledgment after the report date is out of sequence; the agreement is needed before accepting or continuing the engagement.

Management’s agreement to acknowledge its responsibilities is an audit precondition, so the CPA should not continue the engagement if management refuses.

Question 33

Topic: Performing Further Procedures and Obtaining Evidence

An auditor is testing the operating effectiveness of a control requiring documented credit manager approval before shipment for sales to new customers over $25,000. In a sample of 40 transactions, one shipment occurred before the approval was documented. The auditor verified that the invoice amount was accurate, the receivable was properly recorded, and the customer subsequently paid in full. Given these facts, what should the auditor do next?

A. Project a zero-dollar misstatement to the sales population and conclude the sample supports the account balance.
B. Treat the item as a passed control because no monetary misstatement or collection problem occurred.
C. Propose an audit adjustment to reduce sales and accounts receivable for the transaction amount.
D. Record the item as a control exception and evaluate its cause and effect on planned reliance on the control.

Best answer: D

What this tests: Performing Further Procedures and Obtaining Evidence

Explanation: The finding relates to whether the control operated as designed, not whether the recorded dollar amount was misstated. Missing required approval is a control exception that must be evaluated for its cause and effect on control reliance, even if the transaction was recorded correctly and collected.

A test of controls evaluates whether a specified control was properly designed and operated effectively. Here, the control required documented credit manager approval before shipment. Because one shipment occurred before the required approval was documented, the auditor identified a control deviation. The fact that the invoice was accurate, the receivable was recorded properly, and the customer paid in full may indicate there is no monetary misstatement in that transaction, but it does not eliminate the control exception. The auditor should consider the nature and cause of the deviation, the deviation rate compared with the tolerable deviation rate, and whether planned reliance on the control remains appropriate. Any needed changes to substantive procedures would follow from that evaluation.

Treating the item as passed confuses substantive results with control operation.
Projecting a zero-dollar misstatement addresses tests of details, not the test-of-controls objective.
Proposing an adjustment is inappropriate because the facts indicate no identified monetary misstatement.

The missing required approval is a control deviation even though related substantive testing did not identify a monetary misstatement.

Question 34

Topic: Forming Conclusions and Reporting

A CPA is engaged to compile annual financial statements for a nonissuer under U.S. GAAP. The CPA’s spouse is the client’s controller. Management elects to omit substantially all note disclosures, and the CPA concludes the omission is not intended to mislead users. Which reporting treatment is appropriate?

A. Issue a compilation report that discloses the CPA is not independent and states that management elected to omit substantially all disclosures required by U.S. GAAP.
B. Issue a compilation report without referring to independence because a compilation provides no assurance.
C. Issue a review report with a qualified conclusion for the omitted disclosures.
D. Withdraw from the compilation because independence is required for all compilation engagements.

Best answer: A

What this tests: Forming Conclusions and Reporting

Explanation: The appropriate report is still a compilation report, but it must address both key facts. Lack of independence does not prohibit a compilation, but it must be disclosed, and management’s election to omit substantially all GAAP disclosures requires explanatory language in the report.

In a SSARS compilation engagement, the accountant assists management in presenting financial statements and issues a compilation report that provides no assurance. Independence is not required to perform a compilation; however, if the accountant is not independent, the compilation report must disclose that fact. Also, when management elects to omit substantially all disclosures required by the applicable financial reporting framework, the accountant may report on the statements if the omission is not intended to mislead users, but the report should state that management elected to omit those disclosures and that the statements are not designed for users who are not informed about such matters.

Omitting any independence reference is incorrect because nonindependence must be disclosed in a compilation report.
Withdrawing solely because of impaired independence is unnecessary; independence is not required for a compilation.
A review report is inappropriate because the engagement is a compilation and no review procedures or limited assurance conclusion are being provided.

A compilation may be performed when the accountant is not independent if the report discloses the lack of independence, and omitted GAAP disclosures require appropriate report language.

Question 35

Topic: Performing Further Procedures and Obtaining Evidence

An auditor is auditing a nonissuer’s December 31, 20X5 financial statements under GAAS. The auditor completed fieldwork and dated the auditor’s report March 5, 20X6, but the report has not been released. On March 9, management informs the auditor that a lawsuit filed before year-end for an alleged breach occurring before year-end was settled for $1.2 million. The client had accrued $700,000 at December 31 based on counsel’s estimated loss range, and the additional $500,000 is material. Management agrees to revise the financial statements to increase the liability and disclose the settlement. By March 10, the auditor has performed additional procedures only on the settlement and related revision. Which interpretation is best?

A. The settlement is outside the auditor’s responsibility because it was identified after the auditor’s report date but before report release.
B. The auditor must redated the entire report March 10 and perform all subsequent-events procedures through March 10 because dual dating is not permitted.
C. The settlement is a nonrecognized subsequent event, so note disclosure alone is sufficient and the original March 5 report date should remain unchanged.
D. The settlement is a recognized subsequent event, and the auditor may dual-date the report March 5, except for the lawsuit note and related adjustment, as to which the date is March 10.

Best answer: D

What this tests: Performing Further Procedures and Obtaining Evidence

Explanation: The lawsuit arose from conditions that existed at December 31, so the later settlement provides evidence about the amount of a year-end liability. Because the auditor performed additional procedures only for this matter, dual dating is appropriate to avoid taking responsibility for all subsequent events through March 10.

Subsequent events that provide additional evidence about conditions existing at the balance sheet date generally require recognition in the financial statements. Here, the lawsuit was filed before year-end and related to an alleged breach before year-end; the post-report-date settlement refines the amount of the existing loss contingency. Because management revises the financial statements, the auditor must perform procedures on the revision. When the auditor limits those additional procedures to the specific subsequent event, the auditor may dual-date the report, using the original report date except for the revised note and adjustment, which are dated as of the completion of the related procedures.

Treating the settlement as disclosure-only misclassifies an event that confirms a year-end liability.
Ignoring the settlement is inappropriate because the auditor became aware of it before report release.
Redating the entire report is an option only if the auditor extends subsequent-events procedures through the new date; dual dating is permitted when procedures are limited.

The settlement provides additional evidence about a year-end condition, and dual dating limits the auditor’s subsequent-events responsibility to the revised matter.

Question 36

Topic: Forming Conclusions and Reporting

An auditor is completing a nonissuer audit of a county’s basic financial statements prepared under U.S. GAAP. The audit evidence supports an unmodified opinion on the basic financial statements, and there were no scope limitations. The applicable accounting framework requires management’s discussion and analysis (MD&A) to accompany the basic financial statements as required supplementary information, but management omitted the MD&A and refuses to present it. What is the best interpretation of the reporting effect?

A. The auditor should issue an unmodified opinion on the basic financial statements and add an other-matter paragraph describing the omitted required supplementary information.
B. The auditor should disclaim an opinion on the basic financial statements because the auditor could not perform limited procedures on the omitted MD&A.
C. The auditor should issue the report without mentioning the omission because required supplementary information is outside the basic financial statements.
D. The auditor should qualify the opinion on the basic financial statements because the omitted MD&A is required by the framework.

Best answer: A

What this tests: Forming Conclusions and Reporting

Explanation: Required supplementary information is not part of the basic financial statements, so its omission does not by itself require a modified opinion on those statements. Because the framework requires the MD&A, the auditor must call attention to the omission in an other-matter paragraph.

When required supplementary information is omitted, the auditor reports the omission but does not treat it as a misstatement of the audited basic financial statements. The auditor’s opinion remains unmodified if sufficient appropriate audit evidence supports fair presentation of the basic financial statements and there is no audit scope limitation. The reporting response is to include an other-matter paragraph explaining that management omitted information the applicable framework requires to supplement the basic financial statements and that the auditor’s opinion on the basic financial statements is not affected by the omission.

Qualifying the basic financial statement opinion incorrectly treats MD&A as part of the audited basic financial statements.
Disclaiming the basic financial statement opinion confuses omitted RSI with a scope limitation on the audit of the basic financial statements.
Saying nothing ignores the required auditor communication when required supplementary information is omitted.

Omitted required supplementary information is reported in an other-matter paragraph and does not modify the opinion when the basic financial statements are fairly presented.

Question 37

Topic: Assessing Risk and Developing a Planned Response

During planning for a nonissuer audit, an auditor documented the following IT general control over access changes to the sales application:

Item	Workpaper note
Control objective	Access changes are authorized by the application owner and accurately recorded.
Control description	The IT security administrator can create and modify user access. Each Friday, the same administrator prints a system report of all access changes and initials it after comparing the changes to help-desk tickets. The tickets identify the requestor and user ID, but application owner approval is not required or documented.
Procedures performed	The auditor inquired of the administrator and inspected the prior Friday’s initialed report.
Draft conclusion	The control is suitably designed and has been placed in operation.

Which correction should the auditor make to the draft conclusion?

A. Revise the conclusion to state that the control has been placed in operation but is not suitably designed because the review does not verify access changes against approved requests by an appropriate owner.
B. Retain the conclusion because inspection of an initialed weekly report is sufficient to establish both suitable design and implementation.
C. Revise the conclusion to state that the control is suitably designed but has not been placed in operation until multiple weekly reports have been sampled.
D. Recommend testing password complexity settings instead because the primary design issue relates to authentication rather than access-change authorization.

Best answer: A

What this tests: Assessing Risk and Developing a Planned Response

Explanation: The observed initialed report supports that the control was placed in operation as described. However, the design does not meet the stated objective because the review is not tied to documented application owner approval of access changes.

Design and implementation testing is different from testing operating effectiveness. A control is suitably designed if, assuming it operates as prescribed, it would prevent, or detect and correct, the relevant misstatement or control failure. Here, the objective is authorization of access changes by the application owner. Comparing changes to help-desk tickets that do not include required owner approval does not establish authorization, especially when the reviewer is the same person who can make access changes. The auditor’s inquiry and inspection of an initialed report provide evidence that the control exists and has been placed in operation, but the design conclusion should be revised because the control would not achieve its stated objective.

Keeping the original conclusion confuses evidence of performance with suitable design.
Requiring multiple weekly reports would be relevant to operating effectiveness, not whether the control was placed in operation.
Password complexity relates to authentication, not the authorization of access changes in this control.

Inquiry and inspection support implementation, but the described review does not address the authorization objective.

Question 38

Topic: Performing Further Procedures and Obtaining Evidence

Near completion of a nonissuer audit, the auditor performs final analytical procedures after proposed adjustments have been recorded. The auditor’s understanding is that the client had no change in credit terms, but an October billing-system conversion caused invoice errors and delayed collections through year-end.

Relationship	Prior year audited	Current year preliminary
Credit sales	$40.0 million	$42.0 million
Accounts receivable	$8.4 million	$8.8 million
Receivables over 90 days past due	7% of receivables	18% of receivables
Allowance for doubtful accounts	3.4% of receivables	2.1% of receivables

Which interpretation is most appropriate?

A. The increase in receivables over 90 days past due is sufficient by itself to conclude that the financial statements are materially misstated.
B. The lower allowance percentage is inconsistent with the increase in past-due receivables and should be investigated before forming the overall audit conclusion.
C. The small increase in accounts receivable is consistent with the small increase in credit sales, so no further consideration of collectibility is necessary.
D. The billing-system conversion explains the aging deterioration, so the allowance percentage decrease supports management’s estimate.

Best answer: B

What this tests: Performing Further Procedures and Obtaining Evidence

Explanation: Final analytical procedures are used near the end of the audit to evaluate whether the financial statements are consistent with the auditor’s understanding. Here, increased aging deterioration combined with a lower allowance percentage is an unexpected relationship that requires follow-up.

At the overall review stage, analytical procedures help the auditor identify unusual or unexpected relationships that may indicate an unrecognized misstatement or an incomplete understanding of the entity. The client’s delayed collections and higher percentage of receivables over 90 days past due would ordinarily suggest increased collectibility risk. A decrease in the allowance as a percentage of receivables moves in the opposite direction and is not adequately explained by the facts provided. The auditor should obtain and evaluate management’s explanation and perform additional procedures as needed before concluding whether the financial statements are fairly presented.

A proportional increase in receivables and sales does not address the deteriorated aging and lower allowance percentage.
Final analytics alone generally do not establish that a material misstatement exists; they identify matters requiring evaluation.
The billing conversion may explain slower collections, but it does not explain why the allowance percentage decreased when collectibility risk increased.

Final analytical procedures should identify whether financial statement relationships are inconsistent with the auditor’s understanding and require further evaluation.

Question 39

Topic: Assessing Risk and Developing a Planned Response

An auditor is assessing the design of controls in a nonissuer client’s revenue cycle. Management states the following control objective: “Exempt sales are processed only when a valid sales tax exemption certificate is on file for the customer.” The auditor concludes that this objective is primarily a compliance objective. Which item of evidence best supports that conclusion?

A. A recalculation showing invoice prices and quantities agree to the approved price list and shipping record
B. A sequence check showing all prenumbered shipping documents were included in the daily billing run
C. A warehouse access log showing only authorized employees entered the finished goods storage area
D. A billing-system rule showing exempt tax codes are rejected unless a current exemption certificate is recorded for the customer

Best answer: D

What this tests: Assessing Risk and Developing a Planned Response

Explanation: The stated objective concerns whether exempt sales comply with sales tax rules by requiring valid exemption certificates. Evidence that the billing system rejects exempt tax treatment without a current certificate best supports classification as a compliance objective.

Control objectives may relate to broad COSO categories, such as operations, reporting, and compliance, or to transaction-level objectives, such as completeness, accuracy, authorization, and safeguarding. A compliance objective focuses on adherence to laws, regulations, or contractual requirements. Here, the key concern is not whether all sales are billed, whether invoice amounts are accurate, or whether assets are protected. The concern is whether the entity processes tax-exempt sales only when the required exemption documentation exists. A system rule preventing exempt tax codes without a current certificate directly supports that compliance classification.

A sequence check over shipping documents supports completeness of billing, not compliance with sales tax documentation requirements.
Recalculating invoice prices and quantities supports accuracy, not whether exempt sales meet regulatory requirements.
Warehouse access logs support safeguarding of inventory, not compliance with sales tax exemption rules.

This evidence links the control objective to adherence with sales tax requirements for exempt transactions.

Question 40

Topic: Assessing Risk and Developing a Planned Response

During planning for a nonissuer audit, the engagement team reviewed management’s documentation of internal control over financial reporting. Based on the workpaper note, which COSO component and principle are most specifically illustrated by management’s separate discussion of incentives and opportunities for fraudulent revenue recognition?

Workpaper note:

Management conducts a quarterly meeting with accounting, sales, and IT process owners to update the financial reporting risk register. For each financial reporting objective, the group identifies events that could prevent the objective from being achieved and assesses likelihood and impact. The agenda requires a separate discussion of incentives and opportunities for fraudulent revenue recognition before control owners design or modify responses.

A. Control Activities — selects and develops policies and procedures to mitigate risks
B. Monitoring Activities — evaluates and communicates internal control deficiencies
C. Control Environment — demonstrates commitment to integrity and ethical values
D. Risk Assessment — considers the potential for fraud in assessing risks to objectives

Best answer: D

What this tests: Assessing Risk and Developing a Planned Response

Explanation: The exhibit most directly describes risk assessment, not the design or monitoring of controls. COSO includes a specific Risk Assessment principle requiring the organization to consider the potential for fraud when assessing risks to achieving objectives.

Under COSO, internal control is organized into five components, each supported by principles. The Risk Assessment component includes identifying and analyzing risks to objectives and specifically considering the potential for fraud. The workpaper note states that management updates a financial reporting risk register, evaluates likelihood and impact, and separately discusses incentives and opportunities for fraudulent revenue recognition. Those facts support a conclusion about the Risk Assessment component and the fraud-risk principle. The later design or modification of control responses may involve control activities, but the described activity is the assessment that precedes those responses.

A commitment to integrity and ethical values would involve tone at the top, standards of conduct, or accountability, not merely a fraud-risk discussion.
Selecting and developing policies and procedures is a control activities concept, but the exhibit describes risk identification and analysis before responses are designed.
Monitoring focuses on evaluating whether controls are present and functioning and communicating deficiencies; updating the risk register is not primarily a monitoring activity.

The separate evaluation of fraud incentives and opportunities directly supports COSO’s Risk Assessment principle of considering fraud risk.

Question 41

Topic: Ethics, Professional Responsibilities and General Principles

An engagement manager is reviewing the required communications workpaper for a nonissuer audit under U.S. GAAS before the auditor’s report is released. The audit committee is those charged with governance.

Communication item	Draft status
Planned scope and timing	Communicated at planning
Significant findings from the audit	No items noted
Significant deficiencies or material weaknesses	No items noted

Completion notes:

Management recorded a proposed year-end cutoff adjustment that reduced revenue by a material amount.
Management declined a $12,000 balance sheet reclassification; the clearly trivial amount is $25,000.
The CFO delayed providing legal invoices for several weeks, but the audit team ultimately obtained sufficient appropriate evidence.
No control deficiencies were identified.

Given these facts, what should the engagement manager do next?

A. Communicate only the $12,000 uncorrected reclassification because uncorrected misstatements are always the primary required communication.
B. Update the significant findings section for the material corrected cutoff adjustment and the significant difficulty caused by management’s delay, and arrange communication with the audit committee.
C. Leave the schedule unchanged because the adjustment was corrected and the evidence delay was resolved before report release.
D. Prepare a written significant deficiency communication for the material cutoff adjustment because any material adjustment indicates a control deficiency.

Best answer: B

What this tests: Ethics, Professional Responsibilities and General Principles

Explanation: The workpaper should be updated before report release because the audit identified required communications that are missing from the draft schedule. A material corrected misstatement and a significant difficulty caused by management’s delay are significant audit findings for communication to those charged with governance.

Under U.S. GAAS, auditors communicate significant findings from the audit to those charged with governance. These include corrected misstatements that could have a significant effect on the entity’s financial reporting process and significant difficulties encountered during the audit, such as unreasonable management delays in providing information. The fact that management recorded the material cutoff adjustment does not eliminate the communication requirement. Likewise, obtaining sufficient appropriate evidence after the delay avoids a scope limitation, but the delay may still be a significant difficulty to communicate. The $12,000 reclassification is below the clearly trivial amount, so it is not the item driving the required communication. No control deficiencies were identified, so a deficiency communication is not the next step.

Leaving the schedule unchanged ignores required communications about significant audit findings.
Focusing on the $12,000 reclassification is misplaced because it is below the clearly trivial amount.
Treating the material adjustment as a significant deficiency assumes a control deficiency not supported by the facts.
Modifying the audit report for a scope limitation would be inappropriate because sufficient appropriate evidence was ultimately obtained.

Material corrected misstatements and significant difficulties encountered during the audit are required communications to those charged with governance.

Question 42

Topic: Assessing Risk and Developing a Planned Response

During planning for the audit of a privately held electronics distributor, the engagement team identifies the following facts:

Two major suppliers introduced replacement models before year-end.
Industry data shows selling prices for the client’s older models declined by approximately 25%.
The client has a large year-end inventory balance for the older models recorded at cost.

The draft audit plan states: “No change is needed to the inventory audit approach because the team will observe the physical inventory count.” Which correction to the audit plan is most appropriate?

A. Shift audit effort from inventory to revenue cutoff because reduced selling prices primarily indicate premature revenue recognition.
B. Add procedures to evaluate inventory valuation, including testing older models for lower of cost and net realizable value using current price lists, subsequent sales, and management’s write-down assumptions.
C. Plan to qualify the audit opinion unless management records an inventory write-down before substantive testing begins.
D. Increase only the extent of physical inventory count observations because the external condition primarily affects inventory existence.

Best answer: B

What this tests: Assessing Risk and Developing a Planned Response

Explanation: The external business condition directly increases the risk that inventory is overstated. Observing the count provides evidence about existence and quantity, but the audit plan must also address valuation through procedures focused on lower of cost and net realizable value.

Audit planning should respond to external conditions that affect inherent risk. A market decline caused by replacement products creates a risk that older inventory may not be recoverable at recorded cost. The appropriate correction is to add valuation-focused procedures, such as reviewing current selling prices, testing subsequent sales, analyzing slow-moving or obsolete items, and evaluating management’s write-down assumptions. Physical observation remains useful, but it does not provide sufficient evidence about whether inventory should be written down. The response should be targeted to the affected assertion and should not jump directly to a reporting modification before obtaining evidence.

Expanding only count observations addresses existence and quantity, not the valuation risk created by lower selling prices.
Planning a qualified opinion before testing overstates the required response; the auditor first obtains evidence and evaluates management’s accounting.
Revenue cutoff is a different risk area and is not the primary implication of the external price decline described.

External price declines increase inherent risk for inventory valuation, so the plan should add procedures addressing lower of cost and net realizable value rather than only quantity.

Question 43

Topic: Forming Conclusions and Reporting

An auditor is completing the final review of a nonissuer audit of financial statements prepared under U.S. GAAP. Overall materiality for the financial statements as a whole is $800,000, and performance materiality used in planning and testing was $350,000. Management corrected all other identified misstatements but declined to correct the following items. No projected sampling misstatements or other unresolved matters remain.

Uncorrected misstatement	Effect
Allowance for doubtful accounts understated	Assets and income before tax overstated by $210,000
Accrued expenses understated	Liabilities understated and income before tax overstated by $160,000
Depreciation expense overstated	Property, plant, and equipment understated and income before tax understated by $90,000

The auditor found no fraud indicators, no covenant or compensation threshold affected, and no trend affected by the uncorrected misstatements. Final analytical procedures showed gross margin declined from 41% to 35%; supplier invoices showed a 15% increase in raw material costs, sales prices were unchanged, and production volumes were consistent with management’s explanation.

Which conclusion is most consistent with the audit evidence obtained?

A. A qualified opinion is required because the $460,000 aggregate absolute amount of uncorrected misstatements exceeds performance materiality.
B. A scope limitation exists because final analytical procedures identified a significant gross margin decline from the prior year.
C. No evaluation of the balance sheet effects is needed because the $280,000 net income overstatement is below overall materiality.
D. The evidence supports an unmodified opinion, with communication of the uncorrected misstatements, because the misstatements and corroborated margin decline do not indicate a material misstatement.

Best answer: D

What this tests: Forming Conclusions and Reporting

Explanation: The final evaluation uses overall materiality and qualitative factors, not performance materiality alone. Here, the uncorrected misstatements are not material individually or in aggregate, and the gross margin fluctuation has been corroborated by other audit evidence.

In forming an opinion, the auditor evaluates whether uncorrected misstatements are material individually or in the aggregate, considering both quantitative and qualitative factors. Performance materiality is used to plan and perform audit procedures; it is not the final threshold that automatically requires a modified opinion. The aggregate absolute uncorrected misstatements are $460,000, and the net income overstatement is $280,000, both below the $800,000 overall materiality amount. The stem also states that no qualitative factors, such as fraud indicators, covenant effects, compensation effects, or trend changes, make the items material. The gross margin decline does not create an unresolved issue because it is supported by corroborating evidence from invoices, pricing, and production data.

Treating performance materiality as the final reporting threshold misuses a planning concept.
Looking only at the net income effect ignores the required evaluation of misstatements individually and in aggregate, including balance sheet effects.
A significant analytical fluctuation is not a scope limitation when the auditor obtains corroborating evidence that explains it.

The uncorrected misstatements are below overall materiality individually and in aggregate, no qualitative factors indicate materiality, and the analytical fluctuation is corroborated.

Question 44

Topic: Performing Further Procedures and Obtaining Evidence

An auditor tests a client’s control requiring electronic approval before cash disbursements are released. The auditor selects a random sample of 60 disbursements from the complete disbursement population. During review, the audit manager finds that the staff auditor misunderstood the approval screen and recorded several unapproved items as approved. Which conclusion best classifies this issue?

A. It is sampling risk because the random sample may not represent the complete disbursement population.
B. It is nonsampling risk because the staff auditor misinterpreted the evidence when evaluating sampled items.
C. It is control risk because the client’s approval control may not have operated effectively.
D. It is sampling risk because increasing the sample size would necessarily prevent the misclassification.

Best answer: B

What this tests: Performing Further Procedures and Obtaining Evidence

Explanation: The issue is nonsampling risk because the error arose from the auditor’s misunderstanding of the evidence. Sampling risk concerns the chance that a properly evaluated sample leads to a different conclusion than testing the entire population would have produced.

Sampling risk relates to representativeness: even a properly selected and evaluated sample may not reflect the population closely enough, causing the auditor to reach the wrong conclusion. Nonsampling risk arises from causes other than the sample itself, such as using an inappropriate procedure, failing to detect an exception, or misinterpreting audit evidence. Here, the population was complete and the sample was randomly selected, but the staff auditor incorrectly evaluated the approval evidence. That is an execution or judgment error, so it is nonsampling risk.

A nonrepresentative sample is a sampling-risk concern, but the stem identifies an evaluation error after sample selection.
Increasing sample size reduces sampling risk, but it does not necessarily correct misunderstanding or misclassification of evidence.
The client’s control may have exceptions, but the issue being classified is the auditor’s incorrect recording of those exceptions.

Misinterpreting evidence is an auditor performance error unrelated to whether the selected sample represents the population.

Question 45

Topic: Assessing Risk and Developing a Planned Response

A CPA is planning the audit of a nonissuer electronics manufacturer for the year ended December 31, 20X6. The client obtains a key microchip from a single overseas supplier, and new export restrictions in that country caused uncertain delivery schedules in the fourth quarter. The client’s finished goods have short product life cycles because models are replaced annually. Which planning conclusion is most appropriate?

A. Export restrictions primarily create detection risk because the auditor may be unable to observe inventory.
B. Supply-chain disruption and rapid technological change increase inherent risk related to inventory valuation and obsolescence.
C. The annual model replacement cycle eliminates inherent risk if inventory is recorded under U.S. GAAP.
D. The use of a single supplier primarily indicates a control risk related to purchasing approvals.

Best answer: B

What this tests: Assessing Risk and Developing a Planned Response

Explanation: External conditions can increase susceptibility to material misstatement before considering internal controls. Here, supplier disruption and short technology cycles create a heightened risk that inventory may be obsolete or not recoverable at recorded amounts.

Inherent risk is affected by economic, industry, regulatory, supply-chain, technology, and financial reporting framework factors. A single-source overseas supplier subject to export restrictions is a supply-chain and regulatory condition that can disrupt production or sales. Short product life cycles are an industry and technology condition that can make inventory become obsolete quickly. Together, those facts most directly affect the valuation assertion for inventory, including whether recorded cost is recoverable under the applicable financial reporting framework. The conclusion is not about control risk unless facts indicate a control design or operating issue, and it is not detection risk, which relates to the auditor’s procedures.

Classifying the supplier issue as purchasing approval control risk ignores that the decisive facts are external supply-chain and regulatory conditions.
Saying U.S. GAAP eliminates inherent risk is incorrect; the framework supplies measurement requirements but does not remove susceptibility to misstatement.
Treating export restrictions as detection risk confuses client business risk with the risk that audit procedures fail to detect a misstatement.

These external supply-chain and industry technology conditions make inventory more susceptible to valuation misstatement before considering controls.

Question 46

Topic: Forming Conclusions and Reporting

An auditor is completing an audit of a nonissuer’s comparative financial statements prepared under U.S. GAAP. During the current year, management changed its inventory cost-flow method from FIFO to weighted-average. The auditor concludes the new method is preferable, the change was accounted for in accordance with GAAP, and the notes adequately disclose the nature and effect of the change. The change has a material effect on comparability. How should the auditor characterize this reporting issue?

A. As a scope limitation requiring a qualified opinion because prior-period inventory amounts were measured using a different method.
B. As a GAAP departure requiring a qualified or adverse opinion because comparability is materially affected.
C. As a matter affecting consistency that is reported in an emphasis-of-matter paragraph without modifying the opinion.
D. As an other-matter paragraph because the matter relates primarily to the auditor’s reporting responsibilities.

Best answer: C

What this tests: Forming Conclusions and Reporting

Explanation: The change is not an opinion issue because the auditor concluded it is preferable, GAAP-compliant, and adequately disclosed. A material change in accounting principle affecting comparability is ordinarily communicated with an emphasis-of-matter paragraph while the opinion remains unmodified.

Report modifications, such as qualified, adverse, or disclaimer opinions, address opinion issues like material misstatements or insufficient appropriate audit evidence. By contrast, emphasis-of-matter paragraphs draw users’ attention to matters that are appropriately presented or disclosed in the financial statements. Here, the accounting change is justified, properly accounted for, and adequately disclosed, so it is not a GAAP departure. Because it materially affects comparability, the auditor should highlight it in an emphasis-of-matter paragraph referring to the related disclosure, while issuing an unmodified opinion.

Treating the change as a GAAP departure ignores the auditor’s conclusion that the change is preferable and properly reported under GAAP.
Using an other-matter paragraph is inappropriate because the matter is presented in the financial statements, not primarily about the audit or auditor’s report.
Calling it a scope limitation is incorrect because the auditor has sufficient appropriate evidence; the issue is consistency, not lack of evidence.

A justified, properly accounted for, and adequately disclosed change in accounting principle that materially affects comparability is highlighted in an emphasis-of-matter paragraph and does not modify the opinion.

Question 47

Topic: Performing Further Procedures and Obtaining Evidence

During the audit of a nonissuer, the allowance for credit losses was identified as a significant risk because management uses a spreadsheet model with multiple assumptions. The engagement team selected the commercial-loan Grade B segment for reperformance of the model application. Based on the exhibit, which conclusion is best supported?

Workpaper excerpt—Grade B allowance component
Documented method: Allowance = Amortized cost balance × probability of default (PD) × loss given default (LGD)
Clearly trivial threshold for audit differences: \$50,000

Audited input data:
- Amortized cost balance per reconciled loan file: \$40,000,000
- PD per approved risk committee assumption file: 3.0%
- LGD per approved recovery study: 45.0%

Management's recorded Grade B allowance component: \$360,000
Auditor's reperformance: \$40,000,000 × 3.0% × 45.0% = \$540,000

A. The difference should be treated only as a deficiency in spreadsheet controls because reperformance does not provide substantive evidence about an estimate.
B. The auditor should accept a 2.0% implied PD assumption because it reconciles the model to management’s recorded allowance.
C. The Grade B component is adequately supported because the balance, PD, and LGD inputs agree to approved source data.
D. Management did not correctly apply its documented method for the Grade B segment, resulting in a $180,000 potential understatement to be accumulated and discussed with management.

Best answer: D

What this tests: Performing Further Procedures and Obtaining Evidence

Explanation: Reperformance tests whether management correctly applied the selected method using the relevant data and assumptions. Here, the audited inputs and approved assumptions produce an allowance of $540,000, not $360,000, so the exhibit supports a potential understatement that should be accumulated and discussed.

For a significant accounting estimate, the auditor may obtain evidence by testing management’s process, including whether the method was applied accurately. Reperformance is especially useful when the method is formula-driven, such as a credit loss model using balance, PD, and LGD. In this exhibit, the data and assumptions appear to agree to audited or approved sources, but management’s recorded amount does not agree to the documented formula. The difference is $540,000 minus $360,000, or $180,000. Because that amount exceeds the clearly trivial threshold, it should not be ignored; it should be accumulated as an audit difference and discussed with management for correction or further explanation.

Agreeing inputs to source data is not enough when the model formula was not correctly applied.
Reperformance can provide substantive evidence about whether an estimate was calculated in accordance with management’s method.
Back-solving to a 2.0% PD is not appropriate without evidence that the approved 3.0% assumption is wrong.

The auditor’s reperformance using audited data and approved assumptions produces $540,000, which is $180,000 above management’s recorded amount and exceeds the clearly trivial threshold.

Question 48

Topic: Assessing Risk and Developing a Planned Response

During the audit of a nonissuer, the user auditor is deciding how to use the following workpaper note about a payroll service organization. Which planned audit response is most appropriate?

Fact	Detail
Service organization	PayServ processes all payroll transactions and maintains programmed controls over employee master-file changes.
User entity year-end	December 31, 20X6.
SOC 1 report obtained	Type 2 report for January 1 through September 30, 20X6, with an unmodified service auditor’s opinion.
Relevant SOC results	Controls over authorization and processing of employee master-file changes were tested with no exceptions.
Complementary user controls stated in report	The user entity’s HR department must approve pay-rate changes and review payroll exception reports.
Procedures to date	No procedures have been performed for PayServ controls or the complementary HR controls for October through December.

A. Disregard the report because only direct testing by the user auditor at PayServ can support reliance on PayServ controls.
B. Use the report only after obtaining management’s written representation that PayServ controls and HR controls continued to operate effectively through year-end.
C. Rely on the report for the entire year because it has an unmodified opinion and no control exceptions, and eliminate further payroll procedures.
D. Use the report as evidence for PayServ controls during January through September, test the complementary HR controls, and perform additional procedures for October through December.

Best answer: D

What this tests: Assessing Risk and Developing a Planned Response

Explanation: A SOC 1 Type 2 report provides evidence about the design and operating effectiveness of relevant service organization controls only for the period and control objectives covered. Here, it may reduce direct testing of PayServ controls for January through September, but the user auditor still must address complementary user controls and the October-through-December gap.

A user auditor may use a SOC 1 Type 2 report as audit evidence about controls at a service organization when those controls are relevant to the user entity’s financial reporting and the report covers the period being relied on. The Type 2 report is stronger than a Type 1 report because it includes operating effectiveness testing, but it does not automatically cover periods outside the report date range. Also, if the report assumes complementary user entity controls, the user auditor must evaluate and, when relying on them, test those controls at the user entity. For the uncovered October-through-December period, the auditor should perform additional procedures, such as obtaining a bridge letter, inquiring about changes, extending control testing, or modifying substantive procedures.

Treating the report as sufficient for the entire year overextends the evidence beyond the January-through-September period and improperly eliminates further payroll work.
Rejecting the report entirely is too restrictive because a relevant SOC 1 Type 2 report can provide evidence about service organization controls.
Management representations alone do not provide sufficient appropriate evidence about control operation at PayServ or the complementary HR controls.

A SOC 1 Type 2 report can support reliance for the covered period, but the user auditor must address complementary user controls and any gap period.

Question 49

Topic: Performing Further Procedures and Obtaining Evidence

An audit manager is reviewing engagement-team documentation for a complex fair value estimate of an acquired technology intangible asset. Management used an external valuation specialist, and the recorded fair value is material.

Workpaper excerpt	Details
Specialist competence and objectivity	Valuation credential verified; no financial interest or other relationship with the client identified.
Method used	Relief-from-royalty method; engagement team recalculated the model without exception.
Key assumptions in specialist report	Royalty rate of 6%; discount rate of 9%.
Other evidence in the file	Recent comparable licenses show royalty rates of 2% to 3%; guideline company data indicate discount rates of 12% to 14%.
Engagement-team note	Management stated the 6% rate reflects expected premium pricing but provided no customer contracts, market studies, or other corroborating support.

Which review comment is most appropriate based on the workpaper excerpt?

A. Perform additional procedures to evaluate the royalty-rate and discount-rate assumptions, using corroborating evidence or an independently developed expectation or range.
B. Conclude that the estimate is adequately supported because the valuation specialist is qualified and the model was recalculated without exception.
C. Add an emphasis-of-matter paragraph to the auditor’s report describing estimation uncertainty if management does not revise the recorded fair value.
D. Rely on management’s representation about premium pricing because assumptions about future licensing are management’s responsibility.

Best answer: A

What this tests: Performing Further Procedures and Obtaining Evidence

Explanation: The workpaper shows that significant assumptions used in the specialist’s valuation are inconsistent with other evidence and lack corroboration. The appropriate review comment is to perform further procedures focused on those assumptions, not to accept the estimate based only on credentials, arithmetic accuracy, or management representations.

When management uses a specialist for a complex estimate, the auditor evaluates whether the specialist’s work provides sufficient appropriate audit evidence. That includes considering the specialist’s competence and objectivity, but it also requires evaluating the relevance and reasonableness of significant assumptions, methods, and source data. Here, the royalty rate and discount rate materially drive the relief-from-royalty valuation. The engagement team documented evidence suggesting lower royalty rates and higher discount rates than management used, and management has not provided corroborating support for its premium-pricing assertion. The reviewer should require additional audit procedures, such as obtaining market support, testing source data, challenging assumptions, or developing an independent expectation or range.

Specialist qualifications and recalculation address only part of the evidence needed; they do not resolve unsupported valuation assumptions.
Management representations may support other evidence, but they are not sufficient by themselves for significant estimate assumptions.
An emphasis-of-matter paragraph is not a substitute for obtaining evidence or addressing a potential material misstatement.

The file identifies unsupported significant assumptions that conflict with available market evidence, so recalculation and specialist credentials alone are insufficient.

Question 50

Topic: Performing Further Procedures and Obtaining Evidence

An auditor of a nonissuer plans to use a substantive analytical procedure to test the completeness and accuracy of interest expense. Audit documentation includes the following:

Fact or result	Amount or description
Debt population	Confirmed directly with lenders; no unrecorded debt identified from minutes or subsequent cash disbursements
Interest terms	Fixed rates in loan agreements; no modifications during the year
Expected interest expense	$842,000
Recorded interest expense	$834,500
Acceptable difference for this procedure	$30,000

Which is the best interpretation of these results for the specified assertion?

A. The procedure supports only the existence of debt because confirmed principal balances were used to develop the expectation.
B. The procedure proves all debt-related accounts and disclosures are fairly stated because the difference is below the acceptable threshold.
C. The procedure is suitable substantive evidence because the expectation is based on reliable, predictable data and the difference is within the acceptable threshold.
D. The procedure is not suitable because analytical procedures cannot provide substantive evidence about the completeness of expenses.

Best answer: C

What this tests: Performing Further Procedures and Obtaining Evidence

Explanation: Substantive analytical procedures are most persuasive when the account has a predictable relationship and the auditor can develop a precise expectation from reliable data. Here, confirmed debt amounts, fixed contractual rates, and the absence of modifications make expected interest expense highly predictable, and the difference is within the stated threshold.

A substantive analytical procedure may support an assertion when the auditor can form a sufficiently precise expectation, the underlying data are reliable, and any difference from the recorded amount is acceptably small or otherwise explained. Interest expense often fits this model because it can be recomputed from principal, contractual rates, and time outstanding. In this scenario, the debt population has been addressed through confirmations and other procedures, loan terms are fixed, and the $7,500 difference is well below the $30,000 acceptable difference. Therefore, the procedure is suitable evidence for completeness and accuracy of interest expense, although it does not automatically resolve every debt-related audit area.

Saying analytical procedures cannot test expense completeness is too broad; they can when the relationship is predictable and data are reliable.
Treating the procedure as only evidence about debt existence misreads the relationship between confirmed debt terms and interest expense.
Concluding that all debt-related accounts and disclosures are proven fairly stated overstates what this single procedure supports.

Interest expense has a predictable relationship to confirmed debt terms, and the unexplained difference is smaller than the planned acceptable difference.

Questions 51-75

Question 51

Topic: Ethics, Professional Responsibilities and General Principles

A nonissuer asks a CPA firm to perform inquiry and analytical procedures on its annual GAAP financial statements for use by its lender. Management states that it does not want an audit. The draft engagement letter says, “We will perform a review and issue a report expressing an opinion that the financial statements present fairly in accordance with GAAP; this engagement provides reasonable assurance.” Which correction should be made?

A. Change the engagement to a compilation because management does not want an audit and the report will be used by an external lender.
B. Change the engagement to agreed-upon procedures because management has identified the procedures the CPA should perform.
C. Revise the letter to state that the review provides limited assurance and the report will state whether the CPA is aware of material modifications needed for GAAP conformity.
D. Retain the review description but state that an unmodified opinion will be issued if inquiry and analytical procedures identify no exceptions.

Best answer: C

What this tests: Ethics, Professional Responsibilities and General Principles

Explanation: The requested work—primarily inquiry and analytical procedures on nonissuer financial statements—matches a review engagement. A review provides limited assurance and reports a conclusion about whether the CPA is aware of material modifications needed, rather than expressing an audit opinion or reasonable assurance.

A financial statement review under SSARS is designed to provide limited assurance, not reasonable assurance. The accountant primarily performs inquiry and analytical procedures and issues a report stating whether the accountant is aware of any material modifications that should be made for the financial statements to be in accordance with the applicable financial reporting framework. Reasonable assurance and an opinion on fair presentation are features of an audit. Because management specifically requested no audit and described review-level procedures, the best correction is to align the engagement letter’s scope, assurance level, and reporting language with a review engagement.

An audit opinion would overstate the assurance obtained from inquiry and analytical procedures alone.
A compilation is not required merely because the user is an external lender; a compilation provides no assurance and does not fit the requested review procedures.
Agreed-upon procedures report findings from specified procedures and does not provide a financial statement review conclusion.

A review of a nonissuer’s financial statements provides limited assurance based primarily on inquiry and analytical procedures and reports a conclusion, not an audit opinion.

Question 52

Topic: Forming Conclusions and Reporting

A CPA has a signed engagement letter under SSARS to prepare a nonissuer’s annual financial statements from management’s trial balance. Management will send the prepared statements to its bank. The CPA firm also performs bookkeeping services for the client and is not independent. A staff member added this conclusion to the file: “Because the statements will be used by a third party and the firm lacks independence, the engagement must be changed to a compilation with a report disclosing the lack of independence.” What is the best correction to the staff member’s conclusion?

A. Keep the preparation engagement only if management agrees in writing to restrict distribution of the statements to internal use.
B. Withdraw from the engagement unless the firm becomes independent before the financial statements are distributed.
C. Keep the preparation engagement; independence is not required, no compilation report is issued, and each page should state that no assurance is provided.
D. Change the engagement to a compilation and disclose the firm’s lack of independence in the compilation report.

Best answer: C

What this tests: Forming Conclusions and Reporting

Explanation: The staff member is incorrectly applying compilation requirements to a preparation engagement. Third-party use and lack of independence do not, by themselves, require a compilation or review. A preparation engagement provides no assurance and normally uses a no-assurance statement on each page of the financial statements.

Under SSARS, an accountant engaged to prepare financial statements prepares the statements from information provided by management and does not issue an assurance report. Independence is not required for a preparation engagement, and third-party distribution does not automatically change the engagement to a compilation. The accountant should have an appropriate engagement agreement and should ensure that the prepared financial statements communicate that no assurance is provided, typically by including that statement on each page. In this scenario, the signed preparation engagement can continue; the error is the staff member’s conclusion that bank use and nonindependence require a compilation report.

Restricting distribution to internal use is not required merely because the engagement is a preparation engagement.
A compilation report with an independence disclosure applies when the accountant is engaged to compile, not simply because the accountant lacks independence.
Withdrawal is not required solely due to nonindependence; it may be necessary for other issues, such as management refusing to correct known misleading information.

A SSARS preparation engagement may be performed without independence and for third-party use, but the prepared statements should clearly communicate that no assurance is provided.

Question 53

Topic: Performing Further Procedures and Obtaining Evidence

During the audit of a nonissuer’s December 31 accounts receivable, an auditor sent a positive confirmation for a $240,000 customer balance. The customer replied directly to the auditor: “We agree that we owe $150,000. The remaining $90,000 relates to goods received on January 4; title passes on delivery.” Management says the $90,000 is only a timing difference because the goods were shipped on December 30. What follow-up should the auditor perform?

A. Treat the reply as an exception and examine shipping terms and delivery evidence to determine whether the $90,000 sale and receivable were recorded in the proper period.
B. Treat the reply as a nonresponse and send a second positive confirmation request for the full $240,000 balance.
C. Treat the $150,000 agreement as sufficient evidence and perform no further procedures on the disputed $90,000 amount.
D. Accept management’s explanation if the customer pays the $90,000 after year-end.

Best answer: A

What this tests: Performing Further Procedures and Obtaining Evidence

Explanation: The customer did respond, but the response disputes part of the recorded balance. That makes the $90,000 an exception, not a nonresponse, and the auditor must investigate the cause with relevant corroborating evidence such as shipping terms and delivery documentation.

A confirmation exception exists when information returned directly by the confirming party differs from the client’s recorded information. The auditor should evaluate whether the difference is a misstatement or a valid timing difference. Here, the customer’s statement raises a cutoff issue because title passes on delivery and delivery occurred after year-end. The auditor should inspect documents such as the sales invoice, shipping terms, bill of lading, proof of delivery, and related cutoff records to determine whether the receivable and revenue should have been recorded at December 31. Subsequent cash receipt evidence may help support collectibility or existence, but it does not by itself resolve whether the sale was recorded in the correct period.

Sending a second request is a response to a nonresponse, but the customer already replied and disputed part of the balance.
Agreeing to $150,000 does not provide evidence for the disputed $90,000.
Later payment may support existence or collectibility, but it does not resolve the cutoff question raised by title passing on delivery.

A disputed amount in a direct confirmation response is an exception that requires investigation and corroborating evidence, especially for cutoff.

Question 54

Topic: Forming Conclusions and Reporting

A CPA firm is engaged under AICPA attestation standards to perform a review, not an examination, of management’s written assertion that Green Co.’s greenhouse gas emissions schedule is prepared in accordance with stated, suitable criteria. The criteria are available to all intended users. The CPA completes the review and is not aware of any material modifications needed to management’s assertion. Which report conclusion is appropriate?

A. “Based on our review, we are not aware of any material modifications that should be made to management’s assertion for it to be fairly stated, in all material respects, based on the criteria.”
B. “Because the criteria are available to all intended users, this report is restricted to management and the specified parties who established the criteria.”
C. “We do not express any assurance on management’s assertion because a review consists primarily of inquiries and analytical procedures.”
D. “In our opinion, management’s assertion is fairly stated, in all material respects, based on the criteria.”

Best answer: A

What this tests: Forming Conclusions and Reporting

Explanation: An attestation review report expresses limited assurance using negative assurance language. Because the CPA performed a review and found no material modifications, the report should state that the CPA is not aware of needed material modifications to the assertion.

In an attestation examination, the practitioner provides reasonable assurance and expresses a positive opinion. In an attestation review, the practitioner provides limited assurance, so the conclusion is phrased negatively, such as “we are not aware of any material modifications” needed for the assertion to be fairly stated based on the criteria. The stem states that the engagement is a review, the criteria are suitable and available, and no material modifications were identified. Therefore, an unrestricted review conclusion using negative assurance is appropriate.

A positive “in our opinion” conclusion is appropriate for an examination, not a review.
Saying no assurance is expressed understates the result; an attestation review provides limited assurance.
Restricting the report is not required merely because criteria exist; the stem says the criteria are available to all intended users.

A review engagement provides limited assurance expressed in negative form when no material modifications are identified.

Question 55

Topic: Assessing Risk and Developing a Planned Response

An auditor is planning substantive procedures over a client’s significant revenue transaction class. The client sells inventory FOB shipping point and recognizes revenue when goods are shipped. Planning analytics for the year ended December 31, 20X5 show:

Result	Observation
Shipments	Shipping volume from December 29-31 was consistent with the normal daily run rate.
Recorded sales	Sales recorded from December 29-31 were 30% below the normal daily run rate.
Subsequent sales	Sales recorded from January 2-5 were 35% above the normal daily run rate.

Which substantive procedure is best supported by these results?

A. Select shipments from the December 29-31 shipping log and trace them to sales invoices and the sales journal to determine whether revenue was recorded in the proper period.
B. Select entries from the December sales journal and vouch them to bills of lading to determine whether shipments occurred before year-end.
C. Recalculate price extensions on December sales invoices and agree unit prices to approved price lists.
D. Confirm accounts receivable balances for customers with the largest recorded year-end balances.

Best answer: A

What this tests: Assessing Risk and Developing a Planned Response

Explanation: The analytics suggest some goods shipped before year-end may have been recorded as sales after year-end. The best procedure starts with the shipping log, which is the source of potentially unrecorded revenue, and traces to the accounting records to test completeness and cutoff.

When the risk is understated revenue or improper cutoff for shipments made before year-end, the auditor should test from source documents to the accounting records. Because FOB shipping point revenue is earned when goods are shipped, December 29-31 shipping documents should have corresponding sales invoices and sales journal entries in the proper period. Tracing from the shipping log to recorded sales is the correct direction for testing completeness. Starting with recorded sales would primarily test occurrence, while confirmations and pricing recalculations address different assertions.

Vouching recorded December sales to shipping documents tests whether recorded sales occurred, not whether all pre-year-end shipments were recorded.
Confirming receivables may support existence and rights for recorded balances but is less effective for detecting unrecorded shipments.
Recalculating invoice pricing addresses accuracy, not the cutoff pattern indicated by the analytics.

Tracing pre-year-end shipments to recorded sales directly tests revenue completeness and cutoff for goods shipped before year-end.

Question 56

Topic: Assessing Risk and Developing a Planned Response

During planning for the audit of a nonissuer manufacturer, the auditor reads industry publications showing that a newly enacted safety regulation will prohibit sales of the client’s main product unless it is redesigned. The rule becomes effective shortly after year-end and may affect inventory valuation and sales forecasts. No control exceptions or unreasonable accounting estimates have been identified. How should this condition be characterized in planning?

A. A management bias indicator affecting estimates
B. An external risk indicator affecting inherent risk for relevant assertions
C. A confirmed misstatement from substantive procedures
D. A deficiency in internal control over financial reporting

Best answer: B

What this tests: Assessing Risk and Developing a Planned Response

Explanation: The new safety regulation is an external condition that may increase inherent risk in areas such as inventory valuation and forecast-based estimates. The stem does not identify a failed control, unreasonable estimate, or detected misstatement.

In audit planning, external factors include industry, regulatory, economic, technological, and competitive conditions that may affect the risks of material misstatement. A new regulation that restricts the client’s main product is outside management’s control and may create valuation, obsolescence, impairment, or going-concern risks. That classification differs from an internal control deficiency, which requires a problem in the design or operation of controls, and from management bias, which requires evidence that management judgments are unreasonable or systematically slanted. Here, the auditor should treat the regulation as an external risk indicator and design further procedures responsive to the affected assertions.

A control deficiency is not established merely because an external regulation changed the business environment.
Management bias is not shown because no unreasonable estimate or selective accounting judgment has been identified.
A confirmed misstatement would require audit evidence showing an amount is misstated, not just a planning risk indicator.

A regulatory change outside the entity can increase inherent risk, such as valuation risk for inventory, without by itself indicating a control deficiency or bias.

Question 57

Topic: Performing Further Procedures and Obtaining Evidence

Near the end of a nonissuer audit, after most substantive testing has been completed, the auditor performs final analytical procedures to assist in forming an overall conclusion.

Final analytical review item	Prior year audited	Current year unaudited	Auditor’s understanding/expectation
Net sales	$20.0 million	$21.2 million	About a 6% increase due to a price increase
Year-end accounts receivable	$2.1 million	$3.4 million	Should generally move with sales
Days sales outstanding	38 days	58 days	Should remain near prior-year level
Allowance for doubtful accounts as % of receivables	4.0%	2.5%	Should remain near prior-year level

Management states that credit terms, customer mix, and collection policies did not change. Which action is most appropriate based on these final analytical procedures?

A. Conclude that the financial statements are consistent with the auditor’s understanding because net sales increased as expected.
B. Issue a qualified opinion because the receivables balance appears misstated based on the analytical procedures alone.
C. Use the final analytical procedures as a substitute for remaining substantive procedures on receivables.
D. Investigate the inconsistent receivables relationships and perform additional procedures before forming the overall audit conclusion.

Best answer: D

What this tests: Performing Further Procedures and Obtaining Evidence

Explanation: The sales trend is consistent with expectations, but receivables, days sales outstanding, and the allowance percentage are not. Final analytical procedures are used to evaluate whether the financial statements are consistent with the auditor’s understanding and may reveal areas requiring further audit work.

Final analytical procedures are performed near the end of the audit to help the auditor form an overall conclusion about whether the financial statements are consistent with the auditor’s understanding of the entity. Here, sales increased about as expected, but receivables increased much faster, collection days worsened, and the allowance percentage declined despite no change in credit terms, customer mix, or collection policies. Those relationships suggest a possible unrecognized risk or misstatement affecting receivables, revenue cutoff, collectibility, or the allowance. The auditor should investigate the inconsistency and perform additional procedures as necessary before concluding on the financial statements.

Focusing only on the expected sales increase ignores contradictory receivables and allowance relationships.
Modifying the opinion based only on analytical procedures is premature; the auditor must first investigate and obtain sufficient appropriate evidence.
Final analytical procedures support the overall conclusion; they do not automatically replace necessary substantive procedures on specific balances.

Final analytical procedures identified relationships inconsistent with the auditor’s understanding, so the auditor should investigate and obtain additional evidence as needed.

Question 58

Topic: Assessing Risk and Developing a Planned Response

During planning for a nonissuer audit, staff documented the client’s revenue process as follows: “Sales orders are entered into the order-entry system. Approved orders are shipped. The billing system records invoices and posts monthly sales totals to the general ledger.” The workpaper does not identify source documents, system interfaces, reports used for recording and review, or how revenue data are accumulated for financial statement presentation and disclosure. The audit senior asks staff to correct the walkthrough documentation. Which correction is most appropriate?

A. Limit the correction to documenting the monthly journal entry that posts sales totals from the billing system to the general ledger.
B. Revise the documentation to trace a selected sales transaction from customer order initiation through approval, shipping, invoicing, posting, reporting, and disclosure, identifying relevant source documents, IT applications, interfaces, reports, and key control points.
C. Add a management representation stating that all revenue transactions are properly recorded and disclosed.
D. Expand the planned sample size for substantive tests of revenue and accounts receivable to compensate for the incomplete process documentation.

Best answer: B

What this tests: Assessing Risk and Developing a Planned Response

Explanation: The best correction is to document the complete transaction and data flow, not merely add more testing or a representation. A walkthrough should follow a transaction from initiation through recording, processing, reporting, and disclosure while identifying the relevant documents, systems, interfaces, reports, and controls.

In planning an audit, the auditor obtains an understanding of significant business processes and related information systems. For a revenue process, adequate walkthrough documentation should show how transactions are initiated, authorized, processed, recorded in the general ledger, summarized for reporting, and reflected in financial statement presentation and disclosure. It should also identify the source documents, IT applications, interfaces, reports, and key control points that affect the flow of relevant data. The deficiency in the workpaper is incomplete process documentation, so the appropriate correction is to revise the narrative or flowchart to show the end-to-end flow.

Increasing substantive sample sizes responds to audit risk but does not correct the incomplete understanding and documentation of the process.
A management representation is not a substitute for documenting the transaction flow and related information system.
Documenting only the monthly posting entry addresses one recording step but omits initiation, processing, reporting, and disclosure.

Walkthrough documentation should show the end-to-end transaction and data flow for the significant process, including documents, systems, reports, and control points.

Question 59

Topic: Forming Conclusions and Reporting

A city’s financial statements are audited under GAAS and Government Auditing Standards, and the city is also subject to a single audit under the Uniform Guidance. The auditor’s results include:

Area	Result
Financial statements	Unmodified opinion
Internal control over financial reporting	One significant deficiency; no material weaknesses
Compliance affecting the financial statements	No instances of noncompliance required to be reported under Government Auditing Standards
Major federal program compliance	Material noncompliance with an eligibility requirement
Internal control over compliance for the major program	Material weakness

Which is the best interpretation of the required reporting?

A. The auditor should modify the financial statement opinion because any significant deficiency in internal control over financial reporting affects the fairness of the financial statements.
B. The auditor should omit the Government Auditing Standards report because there were no material weaknesses and the financial statement opinion was unmodified.
C. The auditor should report the significant deficiency in internal control over financial reporting, state that no opinion is expressed on internal control, and modify the opinion on major program compliance for the eligibility noncompliance.
D. The auditor should express an adverse opinion on internal control over compliance because a material weakness was identified for the major federal program.

Best answer: C

What this tests: Forming Conclusions and Reporting

Explanation: The unmodified financial statement opinion does not eliminate Government Auditing Standards reporting. The auditor reports the significant deficiency in internal control over financial reporting and reports the major program compliance problem through the single audit compliance opinion, while not expressing an opinion on internal control itself.

In a financial statement audit performed under Government Auditing Standards, the auditor reports on internal control over financial reporting and on compliance with provisions of laws, regulations, contracts, and grant agreements that could have a material effect on the financial statements. This reporting describes the scope and results of testing and includes significant deficiencies and material weaknesses, but it does not provide an opinion on internal control effectiveness unless separately engaged to do so. In a single audit, the auditor also reports on compliance for each major federal program and on internal control over compliance. Material noncompliance with an eligibility requirement for a major program affects the compliance opinion for that program; the related material weakness is reported, but not as an opinion on internal control.

A significant deficiency does not, by itself, require modification of the financial statement opinion.
An unmodified financial statement opinion and absence of material weaknesses do not permit omitting required Government Auditing Standards reporting.
A material weakness in internal control over compliance is reported, but the auditor ordinarily does not express an adverse opinion on internal control over compliance.

Government Auditing Standards require reporting significant deficiencies in internal control over financial reporting without expressing an internal control opinion, while the single audit requires an opinion on major program compliance.

Question 60

Topic: Ethics, Professional Responsibilities and General Principles

A nonissuer client asks a CPA firm to assist with a lender’s request related to a debt covenant calculation. The lender has specified the exact procedures it wants performed, including agreeing selected inputs to the general ledger and recalculating the ratio. The lender and client want a report that lists the procedures performed and the CPA’s findings, without an opinion or conclusion. Which engagement type best fits this request?

A. Agreed-upon procedures engagement
B. Review engagement
C. Examination engagement
D. Compilation engagement

Best answer: A

What this tests: Ethics, Professional Responsibilities and General Principles

Explanation: The request is for specified procedures and factual findings, not an overall assurance conclusion. That matches an agreed-upon procedures engagement, which provides no opinion or conclusion on the subject matter.

In an agreed-upon procedures engagement, the practitioner performs specific procedures and reports the resulting findings. The report does not provide reasonable assurance, limited assurance, an opinion, or a conclusion. Here, the lender identified the exact procedures and wants only a list of procedures and findings about the covenant calculation. That decisive fact rules out assurance engagements that express an opinion or conclusion, and it also rules out a compilation, which is generally associated with presenting financial information without undertaking specified attestation procedures.

An examination would provide reasonable assurance through an opinion, which the client and lender do not want.
A review would provide limited assurance through a conclusion, not merely procedures and findings.
A compilation provides no assurance, but it does not fit a request to perform and report specified procedures on a covenant calculation.

An agreed-upon procedures engagement reports procedures and findings without providing an opinion or conclusion.

Question 61

Topic: Performing Further Procedures and Obtaining Evidence

An auditor is testing a nonissuer’s investment securities measured at fair value at year-end. The financial statements use the fair value hierarchy disclosures required by GAAP.

Investment	Carrying amount	Management’s valuation support	Other facts
Exchange-traded equity fund	$1,800,000	Closing price from a national exchange	Shares traded daily; disclosed as Level 1
Private company preferred shares	$2,400,000	Management discounted cash flow model	No active market; discount rate and revenue growth assumptions supplied by the CFO; disclosed as Level 2
Corporate bond	$1,200,000	Price from an independent pricing service	Pricing service uses observable yields for similar bonds; disclosed as Level 2

Which audit response is best supported by this exhibit?

A. For the corporate bond, require Level 1 disclosure because the value was obtained from an independent pricing service.
B. For the private company preferred shares, evaluate the reasonableness of the DCF assumptions and whether the fair value hierarchy disclosure should be Level 3.
C. For the exchange-traded equity fund, require Level 2 disclosure because the investment is held through a fund rather than as individual equity securities.
D. For all three investments, rely on management’s representations because fair value estimates are inherently subjective.

Best answer: B

What this tests: Performing Further Procedures and Obtaining Evidence

Explanation: The exhibit indicates the private company preferred shares have no active market and are valued using a management DCF model with internally supplied assumptions. Those facts point to significant unobservable inputs, so the auditor should test the assumptions and consider whether Level 3 disclosure is appropriate.

For investments measured at fair value, the auditor considers both measurement evidence and required disclosures. Quoted prices in active markets generally provide strong evidence and support Level 1 classification. Prices based on observable market data for similar instruments generally support Level 2 classification. A DCF model for a private security with no active market depends heavily on assumptions such as discount rates and projected revenue growth. When those inputs are significant and unobservable, the auditor should perform procedures to evaluate management’s model, data, and assumptions, and should assess whether the financial statement fair value hierarchy disclosure properly reflects Level 3 inputs.

Treating the exchange-traded equity fund as Level 2 ignores the daily active-market quoted price evidence.
Treating the corporate bond as Level 1 confuses an independent pricing source using observable similar-instrument data with a quoted price for the identical instrument in an active market.
Relying only on management representations is insufficient; representations do not replace substantive evidence for fair value measurement and disclosure.

The private shares rely on significant management-developed unobservable inputs, requiring substantive evaluation of assumptions and likely Level 3 disclosure consideration.

Question 62

Topic: Forming Conclusions and Reporting

A CPA firm was engaged by a borrower and its lender to perform procedures selected by the lender on the borrower’s debt covenant certificate. The report lists the procedures performed, including comparing amounts on the certificate to the general ledger and recalculating the current ratio, and lists the related findings. The report also states that the CPA does not express an opinion or conclusion and that users are responsible for determining whether the procedures are sufficient for their purposes. Which interpretation of the report is best?

A. The report is an examination report because recalculation and comparison procedures support reasonable assurance on covenant compliance.
B. The report is a compilation report because the CPA helps present the borrower’s covenant information without verifying it.
C. The report is an agreed-upon procedures report that provides findings but no assurance, so users draw their own conclusions.
D. The report is a review report because the CPA provides limited assurance based on procedures less extensive than an audit.

Best answer: C

What this tests: Forming Conclusions and Reporting

Explanation: The described report is characteristic of an agreed-upon procedures engagement. The practitioner reports the specific procedures and findings but does not express an opinion or conclusion, and users evaluate the results for their own purposes.

In an agreed-upon procedures engagement, the practitioner performs procedures that specified users or the engaging party have determined are appropriate for the intended purpose. The report describes the procedures performed and the findings obtained. Unlike an examination, review, or audit, the practitioner does not provide reasonable assurance, limited assurance, or an audit opinion. Unlike a compilation, the practitioner is not merely assisting in presenting information; the practitioner performs procedures and reports factual findings. Here, the report’s language that no opinion or conclusion is expressed and that users decide whether the procedures are sufficient points directly to agreed-upon procedures reporting.

Reasonable assurance and an opinion are associated with examinations or audits, not agreed-upon procedures.
Limited assurance phrased as no material modifications is associated with review reporting, not a report of procedures and findings.
Compilation reporting involves presenting information without performing verification procedures, unlike the comparison and recalculation procedures described.

Agreed-upon procedures reporting presents procedures and findings without an opinion, conclusion, or assurance.

Question 63

Topic: Performing Further Procedures and Obtaining Evidence

An auditor is evaluating a management-prepared allowance for credit losses analysis generated with the company’s analytics platform, which uses an embedded artificial intelligence tool to classify receivables by expected collectibility. The auditor noted the following:

Observation	Fact
Source data	The controller imported accounts receivable aging and dispute-log files; the platform did not retain a system-generated import log or audit trail of filters applied.
AI instructions	The saved prompt instructed the tool to “avoid over-reserving for normal seasonal delays.”
Manual changes	The controller manually changed several customer classifications, and the final output does not identify overrides.
Exception noted	The tool excluded all invoices over 180 days from a new product line as “data anomalies”; the excluded balance is material to the allowance.
Reconciliation	The final schedule agrees to the accounts receivable trial balance after a year-end adjusting entry posted by the controller.

Which interpretation is best?

A. The auditor’s primary concern should be limited to recalculating the reserve percentages because agreement to the trial balance resolves completeness and bias risks.
B. The schedule has significant reliability concerns because input completeness, applied filters, and overrides cannot be authenticated, and the prompt and exclusions indicate susceptibility to management bias.
C. The schedule should be rejected solely because it was generated with artificial intelligence rather than prepared manually by management.
D. The schedule provides sufficient appropriate evidence because it agrees to the accounts receivable trial balance after the year-end adjusting entry.

Best answer: B

What this tests: Performing Further Procedures and Obtaining Evidence

Explanation: Agreement to the trial balance does not establish that an AI-assisted analysis is reliable. The auditor must consider whether the underlying data, processing, prompts, filters, and management overrides are authentic, complete, accurate, and free from undue management bias.

Audit evidence from analyses, schedules, or reconciliations prepared with technology or artificial intelligence is not reliable merely because it is automated or reconciles to a ledger total. The auditor should evaluate the authenticity and reliability of the information used, including data provenance, completeness and accuracy of inputs, controls over processing, and whether management could bias assumptions, prompts, classifications, or exclusions. Here, the lack of import logs, missing override trail, biased prompt language, and material exclusion of older invoices create reliability concerns. The trial balance reconciliation addresses only one aspect of consistency with the accounting records and does not validate the model output or the completeness of items considered.

Trial balance agreement is a useful check, but it does not authenticate source data, filters, AI classifications, or management overrides.
Use of AI does not automatically make evidence unacceptable; reliability depends on validation, controls, and corroboration.
Recalculating reserve percentages would not address omitted invoices, biased prompts, or unsupported manual classification changes.

Unauthenticated data lineage, unflagged overrides, biased prompting, and material exclusions impair the reliability of the AI-assisted analysis as audit evidence.

Question 64

Topic: Performing Further Procedures and Obtaining Evidence

An auditor is testing a nonissuer’s control that requires the warehouse supervisor to observe inventory cycle counts and immediately resolve count discrepancies. The auditor wants evidence about whether the supervisor performs this control as designed while the process is occurring. Which procedure best provides observation evidence about the control?

A. Ask warehouse employees whether the supervisor normally oversees cycle counts and resolves discrepancies.
B. Attend a scheduled cycle count and watch the supervisor oversee the count and resolve discrepancies during that count.
C. Independently recount selected inventory items and compare the auditor’s counts with the client’s count sheets.
D. Inspect completed cycle count sheets for the supervisor’s signature and notes about resolved discrepancies.

Best answer: B

What this tests: Performing Further Procedures and Obtaining Evidence

Explanation: Observation consists of watching a process or control being performed. It provides direct evidence that the control operated as observed, but only for the time the auditor was present.

Observation is an audit procedure in which the auditor watches others perform a process or control. It is especially relevant when the evidence sought is about how a control is carried out, such as whether a supervisor actually oversees a cycle count and resolves discrepancies during the count. However, observation provides evidence only about performance at the observed point in time; personnel may perform differently when being watched, and additional evidence may be needed for other periods.

Inspecting signed count sheets is inspection of documentation, not direct observation of the supervisor performing the control.
Asking employees is inquiry, which may support other evidence but does not directly show the control being performed.
Independently recounting inventory is reperformance or a substantive counting procedure, not observation of the supervisor’s control.

Watching the supervisor perform the control as it occurs provides observation evidence limited to that point in time.

Question 65

Topic: Performing Further Procedures and Obtaining Evidence

An audit team is auditing a nonissuer’s goodwill impairment estimate. Management measured the reporting unit’s fair value using a discounted cash flow model. The engagement team’s valuation specialist has issued a draft memo concluding that fair value exceeds carrying amount by a small margin. The audit team has already evaluated the specialist’s competence and objectivity and checked the mathematical accuracy of the model, but it has not tested the management forecasts used in the model or evaluated the significant assumptions. What should the audit team do next?

A. Modify the auditor’s opinion because the fair value exceeds carrying amount by only a small margin.
B. Obtain a management representation stating that the cash flow forecasts are reasonable and perform no further procedures on the estimate.
C. Conclude that no impairment exists because the engagement team’s specialist supported management’s recorded amount.
D. Evaluate the relevance and reliability of the data and the reasonableness of the significant assumptions used in the specialist’s model.

Best answer: D

What this tests: Performing Further Procedures and Obtaining Evidence

Explanation: The audit team cannot rely on a specialist’s conclusion solely because the specialist is competent and the model is mathematically accurate. For a complex estimate, the auditor must evaluate the methods, significant assumptions, and underlying data before concluding whether the estimate is reasonable.

When an auditor uses the work of an engagement-team specialist for a complex accounting estimate, the auditor remains responsible for obtaining sufficient appropriate audit evidence. Evaluating competence and objectivity is only part of the process. The auditor also should evaluate whether the specialist’s work is adequate for audit purposes, including whether the model is appropriate, the significant assumptions are reasonable, and the source data are relevant and reliable. Because the estimate has a narrow cushion and the audit team has not tested management’s forecasts or assumptions, the next step is to perform those procedures before accepting the conclusion or determining any reporting effect.

Accepting the specialist’s conclusion is premature because key inputs and assumptions have not been audited.
A management representation may support evidence but cannot replace substantive procedures on a significant estimate.
A modified opinion is out of sequence; the auditor has not yet completed procedures needed to determine whether a material misstatement or scope limitation exists.

Before relying on the specialist’s conclusion, the auditor must evaluate whether the underlying data, methods, and significant assumptions provide sufficient appropriate audit evidence.

Question 66

Topic: Ethics, Professional Responsibilities and General Principles

During client acceptance, a CPA firm is classifying employee benefit plan-related engagements for independence review. Which engagement should be characterized as subject to Department of Labor independence requirements for the audit?

A. An audit of a city’s governmental pension plan that is exempt from ERISA and is performed solely under state law.
B. An audit of a church retirement plan that has not elected ERISA coverage and is not required to file an audited Form 5500.
C. An audit of a private company’s financial statements that includes pension obligation disclosures but no separate ERISA plan audit report.
D. An audit of a large private-company 401(k) plan that is subject to ERISA, with the auditor’s report to be attached to the plan’s Form 5500 filed with the Department of Labor.

Best answer: D

What this tests: Ethics, Professional Responsibilities and General Principles

Explanation: DOL independence requirements affect audits of employee benefit plans subject to ERISA when the audit report is filed with the plan’s Form 5500. The correct engagement is the large ERISA 401(k) plan audit, not merely any pension-related audit or disclosure.

For an employee benefit plan audit, the Department of Labor independence rules are relevant when the plan is subject to ERISA and the independent qualified public accountant’s audit report is included in the plan’s annual Form 5500 filing. These requirements are in addition to applicable AICPA independence requirements. Governmental plans and many church plans are generally outside ERISA unless special facts bring them within ERISA. Also, auditing the plan sponsor’s financial statements is not the same as performing a separate ERISA plan audit for Form 5500 purposes.

A governmental pension plan performed solely under state law is not an ERISA Form 5500 plan audit.
A sponsor financial statement audit with pension disclosures does not itself trigger DOL independence rules for a plan audit.
A church plan that has not elected ERISA coverage and has no audited Form 5500 filing is not subject to the DOL plan audit independence framework.

DOL independence requirements apply to ERISA plan audits when the auditor’s report is included with the plan’s Form 5500 filing.

Question 67

Topic: Assessing Risk and Developing a Planned Response

During planning for the audit of a nonissuer, the engagement team runs a revenue data analytic over all invoices recorded from December 26 through January 5. The client recognizes revenue when goods are shipped, and all sales terms are FOB shipping point.

Analytic exception	Current year result	Prior-year comparable result
December invoices with shipment dates after December 31	48 invoices totaling $2.4 million	5 invoices totaling $180,000
December invoices with manual shipment-date override	41 of the 48 exceptions	2 of the 5 exceptions
January credit memos linked to the 48 December exceptions	$620,000	$35,000

Which planned audit procedure best responds to the risk indicator shown by this analytic?

A. Test operating effectiveness of credit approval controls for a sample of sales orders processed throughout the year.
B. Increase confirmations of year-end accounts receivable balances for customers with the largest unpaid invoices, regardless of shipment date.
C. Conclude that no additional revenue procedures are needed because the exceptions were identified by a complete-population analytic.
D. Perform targeted substantive cutoff testing of the 48 December exceptions by agreeing invoice dates and shipment dates to carrier records and evaluating whether revenue was recorded in the proper period.

Best answer: D

What this tests: Assessing Risk and Developing a Planned Response

Explanation: The analytic points to a specific revenue cutoff risk: December invoices may have been recorded before shipment occurred. A planned response should directly test the identified exception population using reliable shipment evidence and evaluate period recognition.

Data analytic exceptions should be translated into audit responses that address the specific risk indicated. Here, revenue is recognized when goods are shipped, but the report identifies a large increase in December invoices with shipment dates after year-end, many with manual shipment-date overrides and related January credit memos. Those facts indicate a risk of premature revenue recognition and overstatement of revenue and receivables at year-end. The most responsive procedure is targeted substantive cutoff testing of the exceptions, using carrier records or similar evidence to verify actual shipment dates and determine whether the revenue belongs in the current period.

Confirming only the largest receivables may provide existence evidence but does not directly address whether revenue was recorded in the correct period.
Testing credit approval controls addresses collectibility or authorization, not the cutoff risk indicated by post-year-end shipment dates.
Identifying exceptions with an analytic is not sufficient audit evidence by itself; the exceptions require follow-up procedures.

The analytic indicates elevated cutoff risk from December revenue recorded before shipment, especially where shipment dates were manually overridden.

Question 68

Topic: Ethics, Professional Responsibilities and General Principles

A CPA firm audits Lake Co., a privately held nonissuer. Lake asks the firm to prepare the year-end financial statements and recurring depreciation entries from client-provided records. Lake’s controller has sufficient skill, knowledge, and experience and will select the accounting policies, approve all entries and financial statements, evaluate the results, and accept responsibility. The firm will not authorize transactions or have custody of assets. Which conclusion is most appropriate under the AICPA independence framework?

A. Independence may be maintained because qualified client management will oversee the services, make management judgments, evaluate the results, and accept responsibility.
B. Independence is impaired because preparing financial statements for an audit client always creates a self-review threat that safeguards cannot reduce.
C. Independence is maintained solely because the firm will not authorize transactions or have custody of Lake’s assets.
D. Independence is impaired unless the firm uses separate personnel for the nonattest services and discloses the services in the auditor’s report.

Best answer: A

What this tests: Ethics, Professional Responsibilities and General Principles

Explanation: Because Lake is a nonissuer, certain nonattest bookkeeping and financial statement preparation services are not automatically prohibited. The decisive safeguard is that qualified client management, not the auditor, makes decisions, oversees the work, evaluates results, and accepts responsibility.

Under AICPA independence rules for nonissuer attest clients, services such as preparing financial statements or recurring depreciation entries create self-review and management participation threats. Those threats may be reduced to an acceptable level if the client designates a person with suitable skill, knowledge, and experience to oversee the service, make significant judgments, evaluate the adequacy of the results, and accept responsibility. The auditor also must avoid management functions, such as authorizing transactions or taking custody of assets. In this scenario, Lake’s controller performs the required oversight and responsibility functions, so independence may be maintained.

Automatic impairment confuses nonissuer AICPA rules with stricter issuer-related restrictions.
Avoiding custody of assets and transaction authorization is important, but it is not the only required safeguard.
Separate personnel or report disclosure does not replace management’s responsibility for judgments, oversight, and results.

For a nonissuer, these nonattest services may be permitted when client management with suitable skill oversees the work and assumes the management responsibilities.

Question 69

Topic: Ethics, Professional Responsibilities and General Principles

During an audit of a nonissuer, the auditor tests a material sale recorded on December 31. The invoice is dated December 31, and management states that title transferred before year-end. However, the independent carrier’s bill of lading shows pickup on January 3 under FOB shipping point terms. Management explains that the carrier “often uses later administrative dates” and offers to include that explanation in the management representation letter. Which characterization best describes the auditor’s appropriate skeptical response?

A. A documentation issue that can be resolved by adding management’s explanation to the audit workpapers
B. A reportable control deficiency over shipping documents that determines the audit conclusion on the sale
C. An inconsistency in audit evidence requiring further corroboration and evaluation before accepting management’s explanation
D. A sufficient management representation because management has direct knowledge of the shipment terms

Best answer: C

What this tests: Ethics, Professional Responsibilities and General Principles

Explanation: The bill of lading conflicts with management’s explanation about when title transferred. Professional skepticism requires the auditor to investigate inconsistent evidence and obtain corroboration rather than accept an unsupported management representation.

When audit evidence is inconsistent, the auditor should not resolve the matter by choosing the explanation that is most convenient or persuasive. Here, the recorded sale depends on cutoff: under FOB shipping point terms, shipment timing is central to when title transfers. An independent carrier document dated after year-end is more objective evidence than management’s unsupported explanation. The appropriate skeptical response is to perform additional procedures, seek corroborating evidence, and evaluate whether revenue was misstated or whether risk assessments need revision. A management representation letter may support other evidence, but it ordinarily is not sufficient by itself to resolve contradictory external evidence.

Treating the matter as mere documentation ignores the substantive conflict between external shipping evidence and recorded revenue.
Relying on a management representation is inappropriate because representations do not replace corroborating audit evidence.
Classifying the issue as a control deficiency may be relevant later, but it does not by itself resolve the inconsistent evidence about the sale.

The independent shipping evidence conflicts with management’s explanation, so professional skepticism requires investigating and corroborating the cutoff conclusion.

Question 70

Topic: Performing Further Procedures and Obtaining Evidence

While testing a nonissuer manufacturer’s revenue cutoff, an auditor identifies sales invoices dated December 31 that were recorded in current-year revenue. The related customer orders specify FOB shipping point. The controller states that the goods were placed on the shipping dock on December 31, but the shipping log shows carrier pickup dates of January 2 for 12 of 25 sampled December 31 invoices. The auditor’s objective is to determine whether those sales were recorded in the proper period. Which procedure best addresses the auditor’s objective?

A. Inspect the original bills of lading or carrier pickup confirmations for the sampled invoices and compare shipment dates and FOB terms with the recording date.
B. Ask the controller to provide a written explanation for why the shipping log shows January 2 pickup dates.
C. Trace January cash receipts for the sampled invoices to the bank statement.
D. Recalculate the prices and extensions on the sampled December 31 invoices.

Best answer: A

What this tests: Performing Further Procedures and Obtaining Evidence

Explanation: The key issue is cutoff, not invoice accuracy or later collection. Because management’s explanation conflicts with the shipping log, inquiry alone is insufficient; the auditor should inspect source evidence showing when shipment actually occurred under the FOB shipping point terms.

When an audit exception creates doubt about management’s explanation, the auditor should obtain corroborating evidence from a more reliable source. For revenue recorded at year-end under FOB shipping point terms, the critical evidence is whether the goods were shipped before year-end. Inspecting bills of lading, carrier pickup confirmations, or similar shipping documents directly addresses the cutoff objective by linking the recorded sale to shipment timing and contractual shipping terms. A management explanation may help the auditor understand the exception, but it does not provide enough appropriate evidence when documentary records suggest a different date.

A written explanation from the controller is still inquiry-based and does not resolve the conflicting shipping evidence.
Recalculating invoice prices tests mathematical accuracy, not whether revenue belongs in the current period.
Tracing January cash receipts may support collectibility or existence, but it does not establish that shipment occurred before year-end.

Source shipping documents directly corroborate when shipment occurred and whether year-end revenue cutoff was appropriate under FOB shipping point terms.

Question 71

Topic: Ethics, Professional Responsibilities and General Principles

A CPA is completing an audit of a nonissuer’s financial statements. The audit documentation includes this control finding:

The payroll supervisor can add employees to the payroll master file and approve weekly payroll changes. No independent review of master-file changes is performed. The auditor concluded that the deficiency is less severe than a material weakness but important enough to merit attention by those charged with governance.

The audit manager’s draft disposition states: “Treat as a control deficiency. Discuss orally with the controller at the closing meeting; no written communication to the board is required.” Which correction should the engagement partner make?

A. Reclassify it as a significant deficiency and communicate it in writing to those charged with governance and an appropriate level of management no later than 60 days after the report release date.
B. Reclassify it as a material weakness and modify the financial statement audit opinion unless management remediates the control before the report is released.
C. Retain it as a control deficiency and communicate it orally to the controller because written communication is required only for material weaknesses.
D. Retain it as a control deficiency and include it only in the audit documentation because the auditor did not rely on payroll controls.

Best answer: A

What this tests: Ethics, Professional Responsibilities and General Principles

Explanation: The finding meets the definition of a significant deficiency because it is important enough to merit attention by those charged with governance but is not a material weakness. For a nonissuer audit, significant deficiencies are communicated in writing to governance and appropriate management on a timely basis, no later than 60 days after report release.

A control deficiency exists when a control is missing or not properly designed or operating. A significant deficiency is less severe than a material weakness but important enough to merit attention by those charged with governance. A material weakness involves a reasonable possibility that a material misstatement will not be prevented, or detected and corrected, on a timely basis. Here, the auditor already concluded the issue is less severe than a material weakness but important to governance, so the draft disposition understates both the classification and required communication. In a nonissuer financial statement audit, significant deficiencies and material weaknesses identified during the audit should be communicated in writing to those charged with governance and appropriate management on a timely basis, with a deadline no later than 60 days after the report release date.

Treating the matter as a material weakness overstates the severity stated in the facts and does not automatically require modifying the financial statement audit opinion.
Oral communication to the controller alone is insufficient because significant deficiencies require written communication to governance and appropriate management.
Documentation alone is insufficient even if controls were not relied on; communication requirements are based on the deficiency’s severity, not reliance strategy.

A deficiency important enough for governance attention but less severe than a material weakness is a significant deficiency requiring timely written communication.

Question 72

Topic: Performing Further Procedures and Obtaining Evidence

During the audit of a nonissuer’s December 31 financial statements, the auditor identifies recurring operating losses, negative operating cash flows, and a large note payable that matures six months after the expected auditor’s report date. Management has not prepared a formal going-concern evaluation but orally states that it expects to refinance the note and reduce payroll costs. Given the current facts, what should the auditor do next?

A. Obtain a written representation that management believes the entity will continue as a going concern and perform no additional procedures.
B. Add a going-concern emphasis-of-matter paragraph to the draft auditor’s report because adverse conditions have already been identified.
C. Request management’s going-concern evaluation and obtain audit evidence supporting the feasibility of the refinancing and cost-reduction plans.
D. Expand subsequent disbursements testing to search for unrecorded liabilities related to the maturing note payable.

Best answer: C

What this tests: Performing Further Procedures and Obtaining Evidence

Explanation: The auditor has identified conditions that may raise substantial doubt, but the reporting conclusion cannot be made until management’s evaluation and plans are assessed. The next step is to obtain and evaluate evidence about whether those plans are feasible and likely to alleviate the conditions.

Going-concern indicators such as recurring losses, negative cash flows, and near-term debt maturities require the auditor to perform additional procedures. If management has not prepared a formal evaluation, the auditor should request one and evaluate management’s plans, such as refinancing or cost reductions. Oral assertions alone are not sufficient audit evidence. The auditor should inspect support such as lender correspondence, draft or executed financing agreements, cash-flow forecasts, board approvals, and cost-reduction analyses. Only after evaluating the evidence can the auditor conclude whether substantial doubt exists and whether any disclosures or report modifications are necessary.

Adding a going-concern paragraph is premature because the auditor has not yet evaluated management’s plans or related disclosures.
A written representation may support other evidence, but it cannot replace audit procedures addressing going-concern uncertainty.
Subsequent disbursements testing addresses liability completeness, not whether management’s plans alleviate going-concern doubt.

When going-concern indicators exist, the auditor should evaluate management’s assessment and plans using appropriate supporting audit evidence before determining the reporting effect.

Question 73

Topic: Performing Further Procedures and Obtaining Evidence

An auditor is performing a substantive analytical procedure over interest expense for the year ended December 31, 20X5. The auditor established a tolerable difference of $12,000 for this procedure.

Workpaper note:

Debt instrument	Source of terms	Principal	Interest rate	Period outstanding in 20X5
Term loan	Direct lender confirmation	$1,200,000	6% fixed	Full year
Equipment note	Direct lender confirmation	$900,000	8% fixed	April 1–December 31

No other debt was outstanding during 20X5. The client recorded interest expense of $126,000.

A. The auditor should not use this analytical procedure as substantive evidence because analytical procedures cannot provide evidence over interest expense.
B. The auditor’s expectation is $144,000, and the recorded amount should be investigated as a possible understatement.
C. The auditor’s expectation is $126,000, and the recorded amount does not require further investigation based on this analytical procedure.
D. The auditor should use management’s interest expense budget as the primary expectation because it reflects planned financing activity.

Best answer: C

What this tests: Performing Further Procedures and Obtaining Evidence

Explanation: A precise expectation can be developed by applying confirmed fixed interest rates to confirmed principal amounts for the periods the debt was outstanding. The expected interest is $72,000 on the term loan plus $54,000 on the equipment note, totaling $126,000, which equals the recorded amount.

For a substantive analytical procedure, the expectation should be based on relevant, reliable data and a relationship precise enough to identify a material misstatement. Direct lender confirmations provide reliable evidence of principal, interest rates, and timing. Because the debt has fixed rates and known outstanding periods, interest expense can be estimated precisely: $1,200,000 × 6% for 12 months = $72,000, and $900,000 × 8% for 9 months = $54,000. The total expected amount is $126,000. Since the client recorded $126,000 and the difference is zero, the result is within the $12,000 tolerable difference.

Using $144,000 incorrectly assumes the equipment note was outstanding for the full year.
Management’s budget is generally less persuasive than an expectation computed from confirmed loan terms.
Substantive analytical procedures may provide audit evidence when the expectation is sufficiently precise and based on reliable data.

Confirmed principal, rates, and time outstanding provide reliable data and a precise relationship that produces expected interest expense of $126,000.

Question 74

Topic: Ethics, Professional Responsibilities and General Principles

A CPA firm audits Baxter Co., a privately held nonissuer. Baxter asks the firm to prepare monthly bank reconciliations and propose correcting journal entries using Baxter’s bank statements and check register. Baxter’s controller has sufficient skill, knowledge, and experience to oversee the work, reviews and approves each proposed entry before any posting, and accepts responsibility for the accounting records. The firm assigns personnel who are not on the audit engagement team to perform the reconciliation work. How should the independence effect be characterized under the AICPA independence rules?

A. Independence is not impaired solely because Baxter is a nonissuer rather than an issuer.
B. Independence is impaired unless Baxter’s controller independently reperforms every reconciliation prepared by the firm.
C. Independence is impaired because preparing bank reconciliations for any attest client is prohibited regardless of safeguards.
D. Independence is not impaired because the self-review threat is reduced to an acceptable level when Baxter oversees the service and the firm does not assume management responsibilities.

Best answer: D

What this tests: Ethics, Professional Responsibilities and General Principles

Explanation: The service creates a self-review threat, but the facts include safeguards that address it. Because Baxter’s qualified controller oversees, approves, and accepts responsibility for the work, and the firm does not take on management responsibilities, independence is not impaired under AICPA rules for a nonissuer engagement.

Under the AICPA independence framework, a CPA firm may provide certain nonattest services, such as bookkeeping assistance, to a nonissuer attest client if the firm does not assume management responsibilities and the client meets its responsibilities. The client must designate a qualified individual to oversee the service, evaluate the results, accept responsibility, and make management decisions. Here, Baxter’s controller has appropriate competence, reviews and approves proposed entries, and accepts responsibility for the records. Using personnel outside the audit team also helps address the self-review threat. Therefore, the safeguards reduce the independence threat to an acceptable level.

Treating all bank reconciliation assistance as automatically prohibited overstates the AICPA restriction for nonissuer attest clients.
Requiring the controller to independently reperform every reconciliation is too strict; effective oversight and acceptance of responsibility are required.
Nonissuer status alone does not preserve independence; the client responsibility and safeguard conditions must still be satisfied.

For a nonissuer attest client, certain bookkeeping assistance may be permissible when the client accepts responsibility and qualified client personnel oversee the service.

Question 75

Topic: Performing Further Procedures and Obtaining Evidence

During Uniform Guidance compliance testing of a major federal award, an auditor selected a $42,000 professional-services invoice charged to the award. The award period began July 1, 20X5, and the award terms state that costs must be for services performed during the period of performance unless pre-award costs are specifically approved in writing. The invoice was paid on July 20, 20X5, but the detailed billing shows all services were performed in June 20X5. No written approval for pre-award costs exists. What is the best correction?

A. Reclassify the charge as an indirect cost because professional services benefit the program generally.
B. Obtain a management representation stating that the services were useful to the program and retain the charge as allowable.
C. Accept the charge because the cash disbursement occurred after the award period began.
D. Treat the $42,000 as an exception and propose that management remove it from costs claimed to the federal award.

Best answer: D

What this tests: Performing Further Procedures and Obtaining Evidence

Explanation: The key compliance condition is when the services were performed, not when the invoice was paid. Because the services occurred before the award period and there was no written approval for pre-award costs, the amount is not allowable as charged to the federal award.

When testing federal award transactions, the auditor should compare the transaction to the applicable compliance requirements, including award terms and conditions. Here, the award permits costs only for services performed during the period of performance unless pre-award costs are specifically approved in writing. The invoice detail shows the services were performed before the award began, and no approval exists. Therefore, the auditor should identify the charge as a compliance exception and propose that management remove the amount from the costs claimed to the federal award, which may result in a questioned cost depending on reporting thresholds and evaluation of the finding.

Payment date does not make a cost allowable when the award terms focus on the period in which services were performed.
Indirect-cost classification does not cure a cost that is outside the period of performance.
A management representation cannot substitute for required written approval or override award terms.

The services were performed before the period of performance and lacked required written approval, so the cost should not be claimed to the award.

Questions 76-78

Question 76

Topic: Forming Conclusions and Reporting

A nonissuer is subject to a single audit under the Uniform Guidance. For one major program, the auditor identified a material weakness in internal control over compliance related to eligibility. After performing additional substantive procedures, the auditor found no instances of noncompliance and obtained sufficient appropriate evidence to support compliance with the applicable compliance requirements. Which reporting treatment is required?

A. Issue a qualified opinion on compliance for the major program, but exclude the matter from the schedule of findings and questioned costs because no questioned costs were identified.
B. Issue an adverse opinion on internal control over compliance, but issue an unmodified opinion on compliance for the major program.
C. Issue an unmodified opinion on compliance for the major program, identify the material weakness in the report on internal control over compliance, and include it in the schedule of findings and questioned costs.
D. Communicate the material weakness only in a separate management letter because no instances of noncompliance were detected.

Best answer: C

What this tests: Forming Conclusions and Reporting

Explanation: A material weakness in internal control over compliance is reportable even when the auditor finds no actual noncompliance. The compliance opinion can remain unmodified, but the weakness must be reported in the internal control over compliance report and included in the schedule of findings and questioned costs.

In a single audit, the auditor reports both on compliance for each major program and on internal control over compliance. The compliance opinion addresses whether the auditee complied with applicable compliance requirements; it is modified for material noncompliance, not solely because a control weakness exists. A material weakness in internal control over compliance is separately reported in the internal control over compliance section and is also a federal award finding included in the schedule of findings and questioned costs. The absence of questioned costs does not eliminate the requirement to report a material weakness.

A qualified compliance opinion confuses a control reporting issue with actual material noncompliance.
An adverse opinion on internal control over compliance is not appropriate because the auditor does not express an opinion on internal control effectiveness in this report.
A management letter alone is insufficient because material weaknesses in internal control over compliance are required findings in a single audit.

A control material weakness affects internal control reporting and the schedule of findings, but it does not by itself require modifying the compliance opinion when compliance evidence supports an unmodified opinion.

Question 77

Topic: Forming Conclusions and Reporting

An auditor is completing an integrated audit of an issuer for the year ended December 31. The auditor’s workpapers include the following findings:

Finding	Details
Revenue cutoff control	The control did not operate effectively in November and December.
Audit adjustment	A material revenue cutoff error was identified by substantive procedures and corrected by management before the financial statements were issued.
New control	Management implemented a replacement review control on December 20, but it operated only once before year-end.
Compensating control	A monthly gross-margin review was performed, but it was not precise enough to detect material cutoff errors.

Which is the best interpretation of these facts when forming the auditor’s opinion on internal control over financial reporting?

A. The auditor should disclaim an opinion on ICFR because the replacement control operated only once before year-end.
B. The auditor should express an unmodified ICFR opinion because management corrected the material misstatement before issuing the financial statements.
C. The auditor should conclude that a material weakness existed as of year-end and express an adverse opinion on ICFR.
D. The auditor should express an unmodified ICFR opinion because substantive procedures detected the cutoff error.

Best answer: C

What this tests: Forming Conclusions and Reporting

Explanation: In an integrated audit, the ICFR opinion focuses on whether controls were effective as of the balance sheet date. A material weakness requires an adverse ICFR opinion even if the related financial statement misstatement was corrected before issuance.

When forming an opinion on ICFR, the auditor evaluates whether identified control deficiencies, individually or in combination, represent a material weakness as of the specified date. The presence of a material misstatement that was not prevented or detected by the company’s controls is a strong indicator of a material weakness. Management’s late replacement control does not demonstrate effective remediation unless the auditor obtains sufficient evidence that the new control was designed and operating effectively as of year-end. Substantive audit procedures may support the financial statement opinion, but they do not cure ineffective ICFR. Because the compensating review was not precise enough to detect material cutoff errors, it does not reduce the severity of the deficiency enough to avoid an adverse ICFR opinion.

Correcting the misstatement affects the financial statements, not the conclusion that ICFR failed to prevent or detect a material error.
Detection by substantive procedures is auditor evidence, not company-level internal control effectiveness.
Limited operation of the replacement control means remediation is not supported; it does not by itself require a disclaimer when the auditor can conclude a material weakness remains.

A material corrected misstatement and ineffective cutoff control, without effective remediation or precise compensating controls as of year-end, support a material weakness and an adverse ICFR opinion.

Question 78

Topic: Performing Further Procedures and Obtaining Evidence

In an audit of a nonissuer’s December 31 financial statements, the auditor selected a material accounts receivable balance for positive confirmation. The auditor sent the initial and second requests directly to Customer Z at an independently verified address, but no response was received. The receivable relates to goods shipped on December 28, FOB shipping point, with payment terms of net 120 days, and no cash has been collected as of the fieldwork date. Which procedure is the best alternative procedure for the confirmation nonresponse?

A. Inspect Customer Z’s purchase order, a signed bill of lading or delivery record, and the related sales invoice to determine whether the receivable arose from a valid year-end shipment.
B. Accept the client’s accounts receivable aging and management representation because the balance is not yet due under the payment terms.
C. Treat Customer Z’s failure to respond as evidence that the customer agrees with the recorded balance because no exception was reported.
D. Send a negative confirmation to Customer Z and rely on the absence of a reply as sufficient evidence for the recorded balance.

Best answer: A

What this tests: Performing Further Procedures and Obtaining Evidence

Explanation: A nonresponse to a positive confirmation does not provide audit evidence about the receivable. When subsequent cash receipts are not available, the auditor should inspect other evidence supporting the transaction, such as the customer order, shipping evidence, and billing documents.

For a positive confirmation request, the auditor needs a response or alternative procedures; silence from the customer is not evidence of agreement. For accounts receivable, a common alternative procedure is to examine subsequent cash receipts and trace them to the specific receivable. Here, no cash has been collected because the receivable is not yet due. The next best alternative is to inspect documents that support the existence of the receivable at year-end, especially evidence that the customer ordered the goods, the goods were shipped before year-end under the stated shipping terms, and the client billed the customer. Those procedures provide more relevant evidence than internal schedules or management representations alone.

Failure to respond to a positive confirmation is not the same as agreeing with the balance.
A negative confirmation provides weaker evidence and is not an adequate substitute for a failed positive confirmation on a material selected item.
An aging schedule and management representation may support audit documentation but do not replace corroborating evidence from alternative procedures.

Because no subsequent cash receipt is available, inspecting source documents that evidence the customer order, shipment, and billing is the best alternative evidence for the receivable’s existence.

Continue with full practice

Use the CPA AUD Practice Test page for the full practice route, mixed-topic practice, timed mock exams, and explanations.

Use the CPA AUD practice route for timed mocks, topic drills, progress tracking, explanations, and full practice.

Try CPA AUD on Web View full CPA AUD practice page

Focused topic pages

Free review resource

Read the CPA AUD guide on CPAExamsMastery.com for concept review, then return here for Mastery Exam Prep practice.

Revised on Wednesday, May 13, 2026

Forming Conclusions and Reporting

Browse Certification Practice Tests by Exam Family

Free CPA AUD Full-Length Practice Exam: 78 Questions

Before you start

How to use your result

Miss pattern to next drill

Exam snapshot

Full-length exam mix

Practice questions

Questions 1-25

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10

Question 11

Question 12

Question 13

Question 14

Question 15

Question 16

Question 17

Question 18

Question 19

Question 20

Question 21

Question 22

Question 23

Question 24

Question 25

Questions 26-50

Question 26

Question 27

Question 28

Question 29

Question 30

Question 31

Question 32

Question 33

Question 34

Question 35

Question 36

Question 37

Question 38

Question 39

Question 40

Question 41

Question 42

Question 43

Question 44

Question 45

Question 46

Question 47

Question 48

Question 49

Question 50

Questions 51-75

Question 51

Question 52

Question 53

Question 54

Question 55

Question 56

Question 57

Question 58

Question 59

Question 60

Question 61

Question 62

Question 63

Question 64

Question 65

Question 66

Question 67

Question 68

Question 69