Comprehensive Examination — 2026 Professional
Standards.
Total Questions: 70 | Total Points: 104 | Time: 140 minutes | Passing Score: 85% (88.4 points)
Standards Referenced: COSO 2026 Framework, PCAOB AS 2025-2026, AICPA Clarity Project
Updates, ISA 2026 Revisions, AU-C 200-700 Series, SEC Final Rules 2024-2026
=== SECTION I: SCENARIO-BASED MULTIPLE CHOICE (38 questions, 1 pt each, 50 min) ===
Q1: Axiom Technologies, a publicly traded cloud infrastructure provider, is undergoing its fiscal
2026 audit. The audit team has identified that Axiom uses an AI-driven revenue recognition
system that automatically allocates revenue across multiple performance obligations based on
machine learning algorithms trained on historical contract data. The system has been in place
for 18 months and has not been independently validated. Which risk factor presents the
GREATEST concern for the audit engagement?
A. The AI system may produce biased outputs due to training data limitations, creating
undetected misstatements in revenue recognition.
B. The lack of independent validation constitutes a control deficiency but does not affect
inherent risk assessment.
C. The 18-month operational period is insufficient to establish system reliability; the auditor
should recommend reverting to manual processes.
D. Revenue recognition risk is inherently low for technology companies due to standardized
contractual terms.
Correct Answer: A Rationale: Per COSO 2026 Principle 11 (Expanded IT Controls), AI-driven
systems introduce algorithmic bias and explainability risks that can produce material
misstatements undetectable through traditional substantive testing. The training data
limitations create inherent risk (AU-C 315.14) because the system's outputs lack transparent
audit trails. Distractor B incorrectly separates control deficiency from inherent risk—AI opacity
affects both. Distractor C is wrong because reverting to manual processes is not a required or
,practical audit response; the auditor must evaluate the existing system's controls. Distractor D
contradicts industry knowledge—technology revenue recognition involves complex multi-
element arrangements with high inherent risk. Cognitive Level: Analyzing Content Area: Risk
Assessment Difficulty: Hard Common Error: Students often confuse control risk (absence of
validation) with the deeper issue of inherent risk in AI opacity. Selecting B misses that AI bias is
an inherent risk factor, not merely a control deficiency.
Q2: Meridian Healthcare Corp., a large hospital system, has implemented blockchain technology
for its pharmaceutical supply chain reconciliation. During interim testing, the audit team
observes that while blockchain entries are immutable, the interface between the blockchain
ledger and the general ledger (GL) is maintained through a custom API that lacks access
controls. What is the PRIMARY audit concern?
A. Blockchain immutability ensures data integrity, so no additional testing is needed beyond the
API review.
B. The API interface represents a vulnerability where unauthorized modifications could occur
before data reaches the GL, creating a material misstatement risk.
C. The absence of access controls is a compensating control that should be documented but not
tested.
D. Blockchain reconciliation eliminates the need for traditional cutoff testing procedures.
Correct Answer: B Rationale: Per ISA 2026 revised guidance on emerging technologies (ISA 315
Revised 2026), the interface between blockchain and legacy systems represents a critical control
point where data integrity can be compromised. While blockchain entries are immutable, the
API acts as a bridge where unauthorized or erroneous data can be introduced before posting to
the GL (AU-C 330.A56). Distractor A incorrectly assumes blockchain immutability extends to
downstream systems—it does not. Distractor C mischaracterizes the absence of controls as
compensating; compensating controls must be effective alternatives, not merely absent
controls. Distractor D is factually incorrect—cutoff testing remains essential regardless of
technology. Cognitive Level: Analyzing Content Area: Control Environment / Evidence Difficulty:
Medium Common Error: Students fixate on blockchain's immutability property (A) without
considering the system boundary where legacy integration occurs. The "technology halo" effect
causes this error.
Q3: During the 2026 audit of Pacifica Retail Holdings, the engagement partner determines that
the company has understated its ESG-related contingent liabilities by $4.2 million due to
,inadequate climate risk disclosure modeling. The total assets are $890 million, and net income
is $42 million. Under the revised ISA 2026 materiality thresholds, which conclusion is MOST
appropriate?
A. The misstatement is immaterial because $4.2 million is less than 5% of total assets.
B. The misstatement is material because ESG disclosures are now subject to the same
quantitative and qualitative materiality considerations as financial statements.
C. The misstatement is immaterial because contingent liabilities are inherently uncertain and
cannot be precisely quantified.
D. The misstatement is material only if it affects a specific debt covenant threshold.
Correct Answer: B Rationale: ISA 2026 revisions explicitly expand materiality to encompass ESG
reporting risks, requiring auditors to apply both quantitative and qualitative materiality
considerations to sustainability disclosures (ISA 320 Revised 2026). The $4.2 million represents
10% of net income, which exceeds typical quantitative thresholds, and the qualitative aspect of
climate risk disclosure creates investor reliance concerns. Distractor A applies an arbitrary 5%
rule without considering qualitative factors or the revised standard. Distractor C incorrectly
suggests that uncertainty precludes materiality assessment—AU-C 450 requires evaluation of all
misstatements, including estimates. Distractor D is too narrow; materiality is not covenant-
dependent. Cognitive Level: Evaluating Content Area: Reporting / Risk Assessment Difficulty:
Hard Common Error: Students apply pre-2026 materiality frameworks that excluded ESG
disclosures (A) or rely on the "uncertainty excuse" (C) that was explicitly rejected in ISA 2026
revisions.
Q4: The audit team for Summit Manufacturing has identified that the CFO has override
authority over all journal entries in the ERP system, including those related to revenue
recognition and inventory valuation. There is no secondary approval requirement for entries
exceeding $50,000. During risk assessment, what is the MOST appropriate auditor response?
A. Document the override capability as a significant deficiency and proceed with standard
substantive testing.
B. Treat the override authority as a fraud risk factor and design specific audit procedures to
address management override of controls.
C. Conclude that the $50,000 threshold is reasonable for a manufacturing company and reduce
control testing.
D. Recommend immediate termination of the CFO's system access pending board approval.
, Correct Answer: B Rationale: Per PCAOB AS 2025 (New Fraud Risk Identification Requirements),
management override of controls is explicitly identified as a fraud risk factor requiring specific
audit response (AS 2110.65). The absence of secondary approval for material entries creates
opportunity for fraudulent financial reporting. The auditor must design procedures to test for
unauthorized or inappropriate entries (AU-C 240.32). Distractor A understates the risk by
categorizing it merely as a significant deficiency rather than a fraud risk factor. Distractor C
incorrectly accepts the threshold without evaluating the company's transaction volume and
materiality. Distractor D exceeds the auditor's authority—recommending termination is a
governance matter, not an audit response. Cognitive Level: Applying Content Area: Risk
Assessment / Ethics Difficulty: Medium Common Error: Students select A by conflating control
deficiencies with fraud risk factors. Management override is specifically designated as a fraud
risk in PCAOB AS 2025, requiring heightened procedures beyond standard deficiency
documentation.
Q5: During inventory observation at Coastal Distribution, the audit team notes that the
perpetual inventory system shows 12,400 units of Product X, while the physical count reveals
11,850 units. The company attributes the 550-unit difference to "normal shrinkage." The unit
cost is $28, and annual sales of Product X are $2.4 million. What is the MOST appropriate
auditor action?
A. Accept the explanation as normal shrinkage is typical in distribution and does not require
further investigation.
B. Calculate the shrinkage rate (4.4%), compare it to industry benchmarks, and investigate
significant variances.
C. Treat the entire difference as a misstatement and propose an adjusting entry for $15,400.
D. Request a complete recount of all inventory items before forming any conclusion.
Correct Answer: B Rationale: Per AU-C 501, the auditor must obtain sufficient appropriate audit
evidence regarding inventory existence and valuation. A 4.4% shrinkage rate requires analytical
comparison to industry norms and historical trends to determine if it represents a normal
operational variance or indicates control failures (e.g., theft, recording errors). Distractor A
violates professional skepticism by accepting management's explanation without corroboration.
Distractor C is premature—the difference may be explainable through normal operations;
treating it as a misstatement without investigation is inappropriate. Distractor D is excessive—a
complete recount is not required unless the variance indicates systemic issues; targeted
investigation is more efficient. Cognitive Level: Applying Content Area: Evidence Difficulty:
Medium Common Error: Students select A due to "shrinkage normalization bias"—accepting