Questions for the CPA-AUDITING were updated on : Nov 21 ,2025
The GAO standards of reporting for governmental financial audits incorporate the AICPA standards of
reporting and prescribe supplemental standards to satisfy the unique needs of governmental audits.
Which of the following is a supplemental reporting standard for governmental financial audits?
A
Explanation:
Choice "a" is correct. The auditor's report on compliance and on internal control over financial
recording (based on an audit) must include the scope of testing of compliance and internal control.
Choice "b" is incorrect. Material indications of illegal acts are not only reported to the members of
the governing body of the audited entity and their senior staff officials but, in some circumstances,
auditors should report illegal acts directly to external parties (such as the grantor agency).
Choice "c" is incorrect. Although GAO standards require that the auditor communicate information
regarding the nature, timing and extent of planned testing to officials of the audited entity and to
individuals contracting for the audit, reporting of all changes is not required. (For example,
immaterial changes to the audit program need not be reported.)
Choice "d" is incorrect. Certain privileged or confidential information may be prohibited from general
disclosure and should not be included in the audit report. The report should, however, disclose the
nature of the information omitted and the requirement that makes an opinion necessary.
In obtaining an understanding of an entity's internal control in a financial statement audit, an auditor
is not obligated to:
D
Explanation:
Choice "d" is correct. When obtaining an understanding of an entity's internal control in a financial
statement audit, an auditor is not obligated to search for significant deficiencies in the operation of
internal control.
Choice "a" is incorrect. In order to determine the nature, timing and extent of tests to be performed,
an auditor must determine whether the control activities have been implemented.
Choice "b" is incorrect. An auditor is required to perform procedures to confirm his/her
understanding of the internal control systems' design, and to determine whether relevant controls
have been implemented.
Choice "c" is incorrect. An auditor is required to document his or her understanding of the entity's
internal control components, even if he or she intends to use a substantive approach.
Which of the following representations should not be included in a report on internal control related
matters noted in an audit of a nonissuer?
B
Explanation:
Choice "b" is correct. A report on internal control related matters noted in an audit should not state
that there are no significant deficiencies in internal control, since this statement might erroneously
imply that the auditor searched for such conditions.
Choice "a" is incorrect. The auditor is permitted to state that no material weaknesses were identified
during the audit. Typically this occurs in reports submitted to governmental authorities.
Choice "c" is incorrect. The auditor may suggest that corrective follow-up action should be taken due
to the relative significance of material weakness discovered.
Choice "d" is incorrect. The auditor's report may state that his or her consideration of internal control
would not necessarily disclose all significant deficiencies that exist.
Which of the following statements concerning an auditor's communication of significant deficiencies
identified during the audit of a nonissuer is correct?
B
Explanation:
Choice "b" is correct. Any report issued on significant deficiencies should indicate that providing
assurance on internal control was not the purpose of the audit.
Choice "a" is incorrect. The auditor should communicate significant deficiencies to management and
those charged with governance, but is not required to request a meeting with management one level
above the source of the reportable conditions, to discuss suggestions for remedial action.
Choice "c" is incorrect. Significant deficiencies discovered and communicated at an interim date do
not need to be reexamined with tests of controls before completing the engagement.
Choice "d" is incorrect. Suggestions concerning administration efficiencies and business strategies
may be communicated in the same report with significant deficiencies (the significant deficiencies
must be separately identified, however).
Which of the following statements is correct concerning significant deficiencies noted in an audit of a
nonissuer?
D
Explanation:
Choice "d" is correct. The auditor should separately identify those significant deficiencies that are
considered to be material weaknesses.
Choice "a" is incorrect. Not all significant deficiencies are material weaknesses.
Choice "b" is incorrect. The auditor is not obligated to search for significant deficiencies. The auditor
is obligated to communicate to the client any significant deficiencies identified while auditing the
financial statements.
Choice "c" is incorrect. The auditor is obligated to re-communicate significant deficiencies each year,
even if management has acknowledged its understanding of such deficiencies.
An engagement to express an opinion on the internal control of a nonissuer will generally:
C
Explanation:
Choice "c" is correct. An engagement to express an opinion on internal control will generally be more
extensive in scope than the assessment of control risk made during a financial statement audit of a
nonissuer. This occurs because assessing control risk is the primary purpose of an engagement to
express an opinion on internal control, whereas it is an incidental result of an audit of a nonissuer.
Choice "a" is incorrect. Since the results of the audit may be considered in performing the
engagement to express an opinion on internal control, it is unlikely that the auditor would duplicate
those procedures already applied.
Choice "b" is incorrect. It is unlikely that the reliability of the financial statements that have already
been audited would be increased if an engagement to express an opinion on internal control is
performed.
Choice "d" is incorrect. An engagement to express an opinion on internal control is more extensive in
scope than the control risk assessment performed during an audit of a nonissuer.
When reporting on conditions relating to an entity's internal control observed during an audit of the
financial statements of a nonissuer, the auditor should include a:
D
Explanation:
Choice "d" is correct. When reporting on conditions relating to an entity's internal control observed
during an audit of the financial statements, the auditor should include a restriction on the use of the
report.
Choice "a" is incorrect. The auditor would not include a description of tests performed to search for
material weaknesses since the auditor is not in fact obligated to search for them.
Choices "b" and "c" are incorrect. An auditor would make a statement of positive assurance on
internal control and include a paragraph describing the inherent limitations of internal control in
conjunction with an engagement to report on internal control. These comments would not be made
when reporting on an entity's internal control in conjunction with an audit of the financial
statements of a nonissuer.
An auditor's communication of internal control related matters noted in an audit usually should be
addressed to:
A
Explanation:
Choice "a" is correct. An auditor's communication of internal control related matters noted in an
audit usually should be addressed to management and those charged with governance.
Choices "b", "c", and "d" are incorrect. The director of internal auditing, the chief financial officer,
and the chief accounting officer all would have access to the letter; however, it would not be
addressed to them since they do not have the same level of authority and responsibility to the
shareholders as management and those charged with governance.
The management of Cain Company, a nonissuer, engaged Bell, CPA, to express an opinion on Cain's
internal control. Bell's report described several material weaknesses and potential errors and
irregularities that could occur. Subsequently, management included Bell's report in its annual report
to the Board of Directors with a statement that the cost of correcting the weaknesses would exceed
the benefits. Bell should:
A
Explanation:
Choice "a" is correct. The auditor should disclaim an opinion as to management's cost-benefit
statement (i.e., "We do not express an opinion or any other form of assurance on management's
cost-benefit statement.").
Choice "b" is incorrect. The CPA should disclaim an opinion regarding management's representation.
Choice "c" is incorrect. The CPA's report on internal control is not restricted as to use.
Choice "d" is incorrect. The CPA does not need to withdraw the opinion as long as a disclaimer on
management's cost-benefit statement is presented.
Which of the following statements concerning material weaknesses and significant deficiencies is
correct with respect to an audit of a nonissuer?
B
Explanation:
Choice "b" is correct. A material weakness in internal control is a significant deficiency that results in
more than a remote likelihood that a material misstatement in the financial statements will not be
prevented or detected.
Choice "a" is incorrect. The auditor is required to separately identify and communicate significant
deficiencies and material weaknesses.
Choice "c" is incorrect. Significant deficiencies (including material weaknesses) are generally
communicated to the appropriate parties after the audit is complete. They may, at the auditor's
discretion, be communicated during the audit, but there is no requirement for immediate
communication.
Choice "d" is incorrect. A material weakness is a significant deficiency that results in more than a
remote likelihood that a material misstatement in the financial statements will not be prevented or
detected. Not all significant deficiencies will meet this description.
Processing data through the use of simulated files provides an auditor with information about the
operating effectiveness of controls. One of the techniques involved in this approach makes use of:
B
Explanation:
Choice "b" is correct. An integrated test facility runs test transactions through the "live" system and
posts to simulated (dummy) files to provide an auditor with information about the operating
effectiveness of controls.
Choice "a" is incorrect. Controlled reprocessing of transactions is a less common term used for
parallel processing where the auditor writes a program to "reprocess" some or all of the client's live
data. It does not involve the use of simulated files.
Choice "c" is incorrect. Input validation is a general description of any test that ensures that the input
was accurate. It does not involve the use of simulated files.
Choice "d" is incorrect. Program code checking is the review of the client's program source code by a
qualified auditor/IT specialist. It does not involve the use of simulated files.
When engaged to express an opinion on a nonissuer's internal control, an accountant should:
A
Explanation:
Choice "a" is correct. An auditor should obtain management's written assertion about the
effectiveness of the entity's internal control.
Choice "b" is incorrect. The accountant should disclaim (not qualify) an opinion on management's
assertions that the cost of correcting weaknesses exceeds the benefits.
Choice "c" is incorrect. The accountant has no responsibility to evaluate the effect of subsequent
events. In fact, the report on an entity's internal control specifically states that projections of the
internal control evaluation to future periods is inappropriate.
Choice "d" is incorrect. The accountant does provide an opinion (and not a disclaimer) on the
effective operation of internal control.
In a computerized payroll system environment, an auditor would be least likely to use test data to
test controls related to:
B
Explanation:
Choice "b" is correct. Proper approval of overtime by supervisors is least likely to be used by the
auditor in a "test data" test of controls because it is information generally not recorded in the
computer.
Choices "a", "c", and "d" are incorrect. Test data is data (with a predetermined result) that is run
through the client's computer system. The auditor creates one transaction of each type of valid and
invalid conditions in which the auditor is interested and runs them through the client's processing
system. The following are recorded in the computer and are likely candidates for "test data" tests of
controls.
A. Missing employee numbers.
C. Time tickets with invalid job numbers.
D. Agreement of hours per clock card with hours on time tickets.
Which of the following statements most likely represents a disadvantage for an entity that keeps
microcomputer-prepared data files rather than manually prepared files?
C
Explanation:
Choice "c" is correct. Microcomputer systems are sometimes characterized by weak file and data
security, and are usually accessible by many office personnel. (Manual systems, in contrast, generally
restrict one user from accessing other users' files.) Thus, it is usually easier (increased risk) for
unauthorized persons to access and alter computer system files, especially microcomputer system
files.
Choice "a" is incorrect. No difference exists between manual and computer-based systems for
detecting transposition errors.
Choice "b" is incorrect. Transactions should always be authorized before they are executed and
recorded, in both manual and computer-based systems.
Choice "d" is incorrect. Because computer-based processing imposes strict rules on input and
processing, generally there are fewer random processing errors.
An auditor who is testing IT controls in a payroll system would most likely use test data that contain
conditions such as:
C
Explanation:
Choice "c" is correct. Test data often contains invalid information (such as invalid job numbers) that is
used to test EDP controls.
Choices "a", "b", and "d" are incorrect. While approvals and authorizations should all be tested, they
are not IT controls and would not be tested through use of test data.