Compliance and Auditing Cheat Sheet 2026
The 30 highest-yield Compliance and Auditing facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
- What does RPO (Recovery Point Objective) define in business continuity planning? → The maximum acceptable amount of data loss measured in time
- What is the purpose of a 'compensating control' in internal control design? → To substitute for a primary control that cannot be implemented
- What is the purpose of a risk tolerance threshold in a compliance program? → Defining the maximum acceptable level of risk before action must be taken
- Under HIPAA Security Rule, what is a 'covered entity' required to conduct periodically? → Risk analysis of ePHI
- What is a 'user access review' (UAR) in IT compliance? → A periodic review of user accounts and access rights to ensure they remain appropriate
- What is 'residual risk' in risk management? → The risk remaining after controls and mitigation measures have been applied
- Which audit approach tests a sample of transactions to draw conclusions about the entire population? → Statistical sampling
- Which of the following best describes a 'Key Risk Indicator' (KRI)? → A forward-looking metric that signals increasing risk exposure
- What is the primary purpose of Generally Accepted Auditing Standards (GAAS)? → To provide a framework for measuring the quality and consistency of audit engagements
- The IIA's International Standards for the Professional Practice of Internal Auditing require internal auditors to maintain which combination of attributes? → Independence and objectivity in their work
- Which auditing standard requires auditors to maintain professional skepticism throughout an engagement? → Generally Accepted Auditing Standards (GAAS)
- What is a 'vulnerability scan' primarily used for in IT compliance? → Automatically identifying known security weaknesses in systems and software
- Which type of audit opinion is issued when financial statements are free from material misstatement? → Unqualified (clean) opinion
- What does a 'material weakness' in internal controls indicate under SOX? → A reasonable possibility of material misstatement not being prevented or detected
- Which risk management standard provides guidelines applicable to any organization regardless of industry? → ISO 31000
- Which US law requires financial institutions to protect consumers' personal financial information? → Gramm-Leach-Bliley Act (GLBA)
- Which principle requires that all financial transactions be supported by adequate documentation? → Documented evidence
- What is a 'penetration test' in the context of IT security compliance? → An authorized simulated attack to identify exploitable vulnerabilities
- What is the primary purpose of a risk register in compliance management? → Documenting identified risks, their ratings, ownership, and mitigation actions
- What is 'earnings management' in the context of financial reporting compliance? → Manipulating financial results within or outside GAAP to achieve desired outcomes
- Which security concept involves verifying a user's identity through multiple verification factors? → Multi-factor authentication (MFA)
- Which approach to risk assessment assigns numerical probabilities and financial values to risk scenarios? → Quantitative risk assessment
- Under the Sarbanes-Oxley Act of 2002, which body is responsible for setting auditing standards for audits of public companies in the United States? → PCAOB
- What is the purpose of a walk-through test in an audit? → To trace a transaction from initiation to recording to confirm controls work as designed
- Which financial reporting fraud scheme involves recording revenue before it is earned? → Premature revenue recognition
- Which of the following is an example of a 'self-review threat' to auditor independence? → An auditor reviewing financial statements they previously prepared
- Under SOX Section 302, who is primarily responsible for certifying the accuracy of financial reports? → CEO and CFO
- Which organization publishes the Code of Professional Conduct governing the ethical behavior of Certified Public Accountants (CPAs) in the United States? → AICPA
- An auditor who accepts a contingent fee based on the outcome of their engagement faces which type of independence threat? → Self-interest threat
- What is the formula for calculating risk in qualitative risk assessment? → Risk = Likelihood × Impact
Turn these facts into recall: