
Preparing for the EPSO AD7 Audit competition is not just about knowing audit terminology.
At this level, EPSO is likely to test whether you can apply audit judgement in realistic situations: choosing the right audit response, recognising weak evidence, identifying control failures, understanding public-sector accountability, and deciding what conclusion is actually supported by the facts.
This guide accompanies EU Training’s field-related Audit practice questions for EPSO/AD/428/26 – Administrators AD7 in the field of audit. It explains the main knowledge areas covered in the question set and lists the official or openly accessible resources used when creating the questions.
Remember: this is not official EPSO material. Always use the Notice of Competition as your primary source for the rules, eligibility criteria, test format, pass marks and language arrangements.
What is covered in the EPSO Auditors field-related test?
The EPSO Auditor field-related MCQ is a technical exam designed to assess a candidate’s knowledge of internal and external auditing standards for the EPSO/AD/411/24 competition.
According to the Notice of Competition, the field-related multiple-choice test for the AD7 Audit competition:
- is taken in language 2
- contains 30 questions
- lasts 40 minutes
- has a pass mark of 15/30
- is used for ranking among candidates who pass the threshold
Your goal should not be to scrape past the minimum. You need to aim comfortably above it.
The standard to aim for is not:
“Can I define this audit term?”
It is closer to:
“Can I recognise the best audit judgement under time pressure when several answer options look plausible?”
The questions in this practice set are therefore not limited to textbook definitions. They cover applied audit reasoning, evidence quality, controls, audit planning, reporting, performance audit, IT audit, fraud risk and the EU public-sector context.
How to use this guide
Do not try to read every resource from beginning to end. That would be slow, frustrating and probably unnecessary.
Start with the core resources, then use the topic sections below to focus on your weaker areas.
A good study cycle is:
- Read the short introduction to a topic.
- Answer a block of 15–20 related practice questions.
- Review only the questions you missed or guessed.
- Go back to the listed resources selectively.
- Keep a short error log: topic, mistake, rule to remember.
The aim is to build an audit reasoning habit:
objective → risk → criteria → evidence → conclusion → recommendation → follow-up
That chain appears again and again in good audit judgement.
Core resources to start with
These are the most important resources to keep open while studying.
EPSO/AD/428/26 Notice of Competition
This is the legally binding document for the competition. Use it to confirm the test format, language arrangements, pass marks and typical duties in Annex II.
The practice questions are built around the duties listed in the Notice, not around a generic private-sector accounting syllabus.
URL: https://eur-lex.europa.eu/eli/C/2026/1979/oj
EU Careers open competitions page
Use this page to access the live competition entry, EPSO updates and practical candidate information.
It is also useful for remembering one basic but important point: EPSO competitions lead to reserve lists, not automatic recruitment.
URL: https://eu-careers.europa.eu/en/open-competition-permanent-staff
European Court of Auditors guide to methodology
This is probably the most useful EU-specific audit methodology source.
It explains how the European Court of Auditors approaches planning, examination and reporting, and how it distinguishes financial, compliance and performance audit objectives in an EU public-audit context.
URL: https://www.eca.europa.eu/Lists/ECADocuments/ECA_methodology_guide/ECA_methodology_guide-EN.pdf
INTOSAI professional pronouncements
INTOSAI standards are central to public-sector audit. The portal gives access to ISSAIs and GUIDs used by supreme audit institutions.
For this competition, focus especially on ISSAI 100, 200, 300, 400 and 140.
URL: https://www.issai.org/professional-pronouncements/
IIA Global Internal Audit Standards
These are especially useful for internal audit, engagement planning, independence, assurance, advisory work, quality, communication and audit management.
URL: https://www.theiia.org/globalassets/site/standards/globalinternalauditstandards_2024january9.pdf
European Commission internal control framework
This is directly relevant to governance, risk management, control activities, monitoring and the EU institutional control environment.
URL: https://commission.europa.eu/publications/internal-control-framework_en
EU Financial Regulation
Use this for the principles and procedures governing the EU budget, including legality, regularity, sound financial management, grants, procurement, internal control and protection of the Union’s financial interests.
URL: https://commission.europa.eu/publications/eu-financial-regulation_en
OLAF and anti-fraud resources
These are useful for fraud-risk questions, irregularities, red flags, conflicts of interest and escalation.
URL: https://anti-fraud.ec.europa.eu/index_en
Main study areas
Risk-based audit planning
Risk-based planning is about deciding where audit work is most needed.
At AD7 level, you should be able to compare possible audit topics and explain why one deserves priority over another. This is not as simple as choosing the biggest budget line or the most visible political issue.
You may need to consider:
- inherent risk
- residual risk
- likelihood and impact
- control maturity
- management discretion
- fraud indicators
- financial and reputational exposure
- changes in systems or processes
- previous audit coverage
- assurance gaps
A good answer usually links the audit objective to the risk exposure and the organisation’s priorities. A weak answer often focuses on one attractive factor in isolation.
Typical traps
Watch out for answers that:
- treat high expenditure as automatically high risk
- ignore control maturity
- remove a topic from the audit plan only because it had a clean audit recently
- follow management preference without independent risk assessment
- choose a topic before checking whether it is actually auditable
- confuse inherent risk with residual risk
Best resources
- European Court of Auditors guide to methodology
URL: https://www.eca.europa.eu/Lists/ECADocuments/ECA_methodology_guide/ECA_methodology_guide-EN.pdf
- ISSAI 100 – Fundamental Principles of Public-Sector Auditing
URL: https://www.intosai.org/fileadmin/downloads/documents/open_access/ISSAI_100_to_400/issai_100/ISSAI_100_EN.pdf
- IIA Global Internal Audit Standards
URL: https://www.theiia.org/globalassets/site/standards/globalinternalauditstandards_2024january9.pdf
- GAO Government Auditing Standards, 2024 revision
URL: https://www.gao.gov/assets/d24106786.pdf
- OECD internal control and audit in the public sector
URL: https://www.oecd.org/en/topics/internal-control-and-audit-in-the-public-sector.html
Internal and external audit logic
Internal and external auditors may examine similar systems, but they do not serve exactly the same purpose.
Internal audit is part of the organisation’s assurance and advisory structure. It must remain independent and objective, but it still operates within the organisation.
External audit provides independent assurance or scrutiny to external stakeholders, such as legislatures, discharge authorities or the public.
For EPSO-style questions, the key is usually not the definition. The key is recognising the boundary.
Internal audit may advise, recommend and help management think through risks. But management owns the controls and decisions. External auditors may use internal audit work, but they remain responsible for their own conclusions.
Typical traps
Watch out for answers that:
- make internal audit responsible for management decisions
- suggest external auditors can simply adopt internal audit conclusions without review
- treat all advisory work as automatically forbidden
- assume cooperation between internal and external auditors always compromises independence
- ignore reporting lines and safeguards
Best resources
- The IIA Three Lines Model
URL: https://www.theiia.org/globalassets/documents/resources/the-iias-three-lines-model-an-update-of-the-three-lines-of-defense-july-2020/three-lines-model-updated-english.pdf
- Applying the Three Lines Model in the Public Sector
URL: https://www.theiia.org/globalassets/site/content/articles/applying_the_three_lines_model_in_the_public_sector.pdf
- OECD – Enhancing co-operation between internal and external auditors
URL: https://www.oecd.org/content/dam/oecd/en/publications/reports/2024/12/enhancing-co-operation-between-internal-and-external-auditors_bb0f2668/0d4976ed-en.pdf
- European Commission Internal Audit Service
URL: https://commission.europa.eu/about/departments-and-executive-agencies/internal-audit-service_en
- European Court of Auditors methodology page
URL: https://www.eca.europa.eu/en/our-methodology
Audit types: financial, compliance and performance audit
You need to be able to recognise which audit logic applies in a given situation.
A financial audit asks whether financial information is fairly presented or free from material misstatement.
A compliance audit asks whether activities, expenditure or decisions comply with applicable rules, contracts, grant conditions, procurement requirements or other authorities.
A performance audit asks whether resources have been used with economy, efficiency and effectiveness.
EPSO can test this indirectly. For example, a question may ask which evidence supports a value-for-money conclusion, or why compliance with eligibility rules does not prove that a programme was effective.
Typical traps
Watch out for answers that:
- treat legal compliance as proof of effectiveness
- treat high expenditure absorption as proof of good performance
- confuse financial accuracy with regularity
- use performance-audit language for a compliance issue
- ignore the criteria needed for the audit conclusion
Best resources
- ISSAI 200 – Financial Audit Principles
URL: https://www.issai.org/wp-content/uploads/2019/08/issai-200.pdf
- ISSAI 300 – Performance Audit Principles
URL: https://www.issai.org/wp-content/uploads/2019/08/ISSAI-300-Performance-Audit-Principles.pdf
- ISSAI 400 – Compliance Audit Principles
URL: https://www.issai.org/wp-content/uploads/2019/08/ISSAI-400.pdf
- European Court of Auditors methodology page
URL: https://www.eca.europa.eu/en/our-methodology
- EU Funding & Tenders Online Manual – checks, audits, reviews and investigations
URL: https://webgate.ec.europa.eu/funding-tenders-opportunities/spaces/OM/pages/1867977/Checks%2Baudits%2Breviews%2Band%2Binvestigations
Governance, risk management and internal control

This is one of the most important areas for the AD7 Audit competition.
A control is not good just because it exists on paper. It must address the relevant risk, operate at the right point in the process, be performed by someone with the right authority and competence, and leave evidence that can be reviewed.
You should be comfortable with:
- segregation of duties
- approval controls
- reconciliations
- ex ante and ex post checks
- delegated authority
- management supervision
- conflict-of-interest controls
- monitoring
- control design versus operating effectiveness
- risk registers
- audit trails
A useful way to think is:
objective → risk → control → evidence → residual risk
If the control does not reduce the risk, it is not relevant. If it reduces the risk but cannot be evidenced, it may not be auditable. If it operates too late, it may detect but not prevent. If management overrides it frequently, its operating effectiveness is weak.
Typical traps
Watch out for answers that:
- praise a control without asking whether it addresses the risk
- ignore segregation of duties
- treat a checklist as a control even when no one reviews it
- focus on administrative neatness rather than risk reduction
- confuse control design with operating effectiveness
- propose more reporting when the real issue is lack of review or accountability
Best resources
- European Commission Internal Control Framework
URL: https://commission.europa.eu/publications/internal-control-framework_en
- Revision of the Internal Control Framework – C(2017) 2373
URL: https://commission.europa.eu/system/files/2018-10/revision-internal-control-framework-c-2017-2373_2017_en.pdf
- European Commission – Public Internal Control
URL: https://commission.europa.eu/strategy-and-policy/eu-budget/protection-eu-budget/public-internal-control_en
- OECD SIGMA – Guidelines for assessing the quality of internal control systems
URL: https://www.oecd.org/content/dam/oecd/en/publications/reports/2019/06/guidelines-for-assessing-the-quality-of-internal-control-systems_a14f705d/2a38a1d9-en.pdf
- Anti-Fraud Knowledge Centre – handbooks
URL: https://antifraud-knowledge-centre.ec.europa.eu/guidance-legislation/handbooks_en
IT systems audit and digital evidence
This part of the practice set approaches IT from an auditor’s perspective. It is not a technical cybersecurity exam.
The key question is usually:
Can the auditor rely on the system, the automated control, or the data produced by it?
You should understand:
- user access rights
- privileged access
- segregation of duties in systems
- change management
- audit trails
- interface controls
- automated controls
- dashboard reliability
- spreadsheet risks
- backup and recovery
- logging
- management-generated data
A basic distinction matters a lot:
IT general controls support the wider IT environment. These include access management, change management, operations, backups and incident handling.
Application controls operate inside a system. These include validations, authorisations, completeness checks, exception reports and automated calculations.
If general controls are weak, it becomes harder to rely on application controls or system-generated reports without extra testing.
Typical traps
Watch out for answers that:
- rely on a dashboard without checking the source data
- ignore privileged access rights
- treat an automated control as reliable without considering change management
- focus on cybersecurity buzzwords rather than audit evidence
- overlook spreadsheet risks
- ignore whether system changes were approved, tested and logged
Best resources
- NIST Cybersecurity Framework 2.0
URL: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf
- NIST CSF 2.0 Resource and Overview Guide
URL: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1299.pdf
- ENISA technical implementation guidance on cybersecurity risk management measures
URL: https://www.enisa.europa.eu/sites/default/files/2025-06/ENISA_Technical_implementation_guidance_on_cybersecurity_risk_management_measures_version_1.0.pdf
- OWASP Application Security Verification Standard
URL: https://owasp.org/www-project-application-security-verification-standard/
- CISA Configuration and Change Management Resource Guide
URL: https://www.cisa.gov/sites/default/files/c3vp/crr_resources_guides/CRR_Resource_Guide-CCM.pdf
- AFROSAI-E IT Audit Manual
URL: https://audit.gov.gh/files/publications/IT_Audit_Manual74494806.pdf
Audit evidence and methodology
Audit conclusions are only as strong as the evidence behind them.
This area tests whether you can judge whether evidence is sufficient and appropriate. You may need to decide which source is more reliable, whether more testing is needed, or whether a conclusion goes beyond what the evidence supports.
You should be familiar with:
- relevance and reliability of evidence
- inspection, observation, inquiry, recalculation and reperformance
- analytical procedures
- sampling risk
- management-generated information
- contradictory evidence
- materiality
- audit trails
- working papers
- documentation quality
Independent evidence is often more reliable, but it is not automatically more relevant. Management evidence can be usable, but its reliability may need to be tested. Inquiry alone is usually weak if the conclusion is important.
The best answer is often the one that is most directly linked to the audit objective.
Typical traps
Watch out for answers that:
- confuse “some evidence” with “enough appropriate evidence”
- rely only on management explanations
- choose independent evidence even when it does not answer the audit question
- ignore contradictory evidence
- draw a broad conclusion from a weak or narrow sample
- treat a working paper as adequate when it would not support review
Best resources
- ISA 500 – Audit Evidence
URL: https://www.ifac.org/system/files/publications/files/ISA-500-Audit-Evidence.pdf
- ISA 315 – Identifying and assessing risks of material misstatement
URL: https://www.ifac.org/system/files/publications/files/ISA-315-Full-Standard-and-Conforming-Amendments-2019-.pdf
- ISA 530 – Audit Sampling
URL: https://www.ibr-ire.be/docs/default-source/nl/Documents/regelgeving-en-publicaties/rechtsleer/normen-en-aanbevelingen/ISA-s/clarified-ISA-s/ISA-update-2015/English/A027-ISA-530-for-Handbook_formatted.pdf
- European Commission guidance on sampling methods for audit authorities
URL: https://ec.europa.eu/regional_policy/sources/guidance/guidance_sampling_method_en.pdf
- European Court of Auditors guide to methodology
URL: https://www.eca.europa.eu/Lists/ECADocuments/ECA_methodology_guide/ECA_methodology_guide-EN.pdf



