Compliance and Auditing Cheat Sheet 2026

The 30 highest-yield Compliance and Auditing facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.

  1. What does RPO (Recovery Point Objective) define in business continuity planning? The maximum acceptable amount of data loss measured in time
  2. What is the purpose of a 'compensating control' in internal control design? To substitute for a primary control that cannot be implemented
  3. What is the purpose of a risk tolerance threshold in a compliance program? Defining the maximum acceptable level of risk before action must be taken
  4. Under HIPAA Security Rule, what is a 'covered entity' required to conduct periodically? Risk analysis of ePHI
  5. What is a 'user access review' (UAR) in IT compliance? A periodic review of user accounts and access rights to ensure they remain appropriate
  6. What is 'residual risk' in risk management? The risk remaining after controls and mitigation measures have been applied
  7. Which audit approach tests a sample of transactions to draw conclusions about the entire population? Statistical sampling
  8. Which of the following best describes a 'Key Risk Indicator' (KRI)? A forward-looking metric that signals increasing risk exposure
  9. What is the primary purpose of Generally Accepted Auditing Standards (GAAS)? To provide a framework for measuring the quality and consistency of audit engagements
  10. The IIA's International Standards for the Professional Practice of Internal Auditing require internal auditors to maintain which combination of attributes? Independence and objectivity in their work
  11. Which auditing standard requires auditors to maintain professional skepticism throughout an engagement? Generally Accepted Auditing Standards (GAAS)
  12. What is a 'vulnerability scan' primarily used for in IT compliance? Automatically identifying known security weaknesses in systems and software
  13. Which type of audit opinion is issued when financial statements are free from material misstatement? Unqualified (clean) opinion
  14. What does a 'material weakness' in internal controls indicate under SOX? A reasonable possibility of material misstatement not being prevented or detected
  15. Which risk management standard provides guidelines applicable to any organization regardless of industry? ISO 31000
  16. Which US law requires financial institutions to protect consumers' personal financial information? Gramm-Leach-Bliley Act (GLBA)
  17. Which principle requires that all financial transactions be supported by adequate documentation? Documented evidence
  18. What is a 'penetration test' in the context of IT security compliance? An authorized simulated attack to identify exploitable vulnerabilities
  19. What is the primary purpose of a risk register in compliance management? Documenting identified risks, their ratings, ownership, and mitigation actions
  20. What is 'earnings management' in the context of financial reporting compliance? Manipulating financial results within or outside GAAP to achieve desired outcomes
  21. Which security concept involves verifying a user's identity through multiple verification factors? Multi-factor authentication (MFA)
  22. Which approach to risk assessment assigns numerical probabilities and financial values to risk scenarios? Quantitative risk assessment
  23. Under the Sarbanes-Oxley Act of 2002, which body is responsible for setting auditing standards for audits of public companies in the United States? PCAOB
  24. What is the purpose of a walk-through test in an audit? To trace a transaction from initiation to recording to confirm controls work as designed
  25. Which financial reporting fraud scheme involves recording revenue before it is earned? Premature revenue recognition
  26. Which of the following is an example of a 'self-review threat' to auditor independence? An auditor reviewing financial statements they previously prepared
  27. Under SOX Section 302, who is primarily responsible for certifying the accuracy of financial reports? CEO and CFO
  28. Which organization publishes the Code of Professional Conduct governing the ethical behavior of Certified Public Accountants (CPAs) in the United States? AICPA
  29. An auditor who accepts a contingent fee based on the outcome of their engagement faces which type of independence threat? Self-interest threat
  30. What is the formula for calculating risk in qualitative risk assessment? Risk = Likelihood × Impact