Auditing and Attestation (AUD)
Welcome to the Auditing and Attestation section of the CPA Bear Book. This section covers everything you need to know about the AUD portion of the CPA exam—from the ethical foundation of the profession to the final issuance of audit reports and attestation opinions.
The AUD exam tests your ability to think like an auditor: evaluating risk, designing audit procedures, gathering evidence, and reaching well-supported conclusions about whether financial statements are free of material misstatement. Whether a publicly traded company like Kingfisher Industries is filing with the SEC or a private firm like BIF Partners needs compiled financial statements, the principles in this section apply.
What This Section Covers
The AUD section is organized into eight major topic areas, each corresponding to a core domain of auditing knowledge tested on the CPA exam.
1. Ethics & Professional Responsibilities
The profession is built on trust. This area covers the AICPA Code of Professional Conduct, independence requirements (conceptual framework and specific rules), and the regulatory landscape—including SEC and PCAOB independence rules for audits of public companies (issuers). You will learn how to navigate threats to independence, evaluate ethical dilemmas, and understand quality management standards that firms must follow.
Suppose your firm audits Illini Entertainment and a senior manager on the engagement owns stock in the company. The Code of Professional Conduct requires you to evaluate this financial interest and likely remove the manager from the engagement to preserve independence.
2. Audit Planning & Risk Assessment
Before performing a single test, auditors must understand the client's business, industry, and internal environment. This area covers planning the audit, setting materiality thresholds, performing risk assessment procedures, assessing fraud risk (including the fraud triangle), and evaluating the entity's compliance with laws and regulations.
For example, planning the audit of Bear Co. might involve setting overall materiality at 5% of pre-tax income, identifying revenue recognition as a significant risk, and designing an audit strategy that responds to those assessed risks.
3. Internal Control
Auditors must understand and evaluate the entity's system of internal control over financial reporting. This area covers the COSO framework (the five components of internal control), information technology controls (general IT controls and application controls), and SOC reports used to evaluate controls at service organizations.
4. Audit Evidence & Procedures
This is the heart of fieldwork. You will study the nature of audit evidence, what makes evidence sufficient and appropriate, how to perform tests of controls and substantive procedures, when and how to use analytical procedures, and how to leverage the work of specialists, internal auditors, and other auditors. This area also covers audit data analytics—the use of technology and data analysis techniques to enhance audit quality.
5. Audit Sampling
When it is impractical to test an entire population, auditors use sampling. This area covers the fundamental concepts of audit sampling (statistical and nonstatistical), sampling for tests of controls (attribute sampling), and sampling for substantive tests (variables sampling, including monetary-unit sampling).
Audit sampling is one of the most quantitative topics on the AUD exam. Be comfortable calculating sample sizes, evaluating deviations, and projecting misstatements. If Gies Co. has 10,000 purchase orders and the auditor can only test 60, sampling theory determines whether those 60 items provide enough evidence to draw a conclusion about the entire population.
6. Auditing Specific Accounts & Transactions
Each financial statement account has unique risks and audit considerations. This area walks through the audit approach for major balance sheet and income statement line items—including cash and investments, receivables and revenue, inventory and cost of sales, property, plant, and equipment, payables and expenses, debt and equity, accounting estimates, and related-party transactions.
7. Completing the Audit & Reporting
After gathering evidence, the auditor must form an opinion and communicate results. This area covers forming an opinion, the four types of audit reports (unmodified, qualified, adverse, and disclaimer), emphasis-of-matter and other-matter paragraphs, subsequent events, written representations from management, going concern evaluations, communications with audit committees, reporting on internal control (integrated audits), and the treatment of supplementary information.
8. Attestation & Review Engagements
Not all engagements are audits. This area covers attestation engagements under the SSAEs (Statements on Standards for Attestation Engagements), compilation and review engagements under the SSARSs (Statements on Standards for Accounting and Review Services), reporting on compliance, and governmental auditing under Government Auditing Standards (the Yellow Book) and Single Audits under the Uniform Guidance.
Key Standards You Will Encounter
Throughout this section, you will work with several authoritative frameworks:
| Abbreviation | Full Name | Applies To |
|---|---|---|
| GAAS | Generally Accepted Auditing Standards | Audits of nonissuers (private companies) under AICPA standards |
| PCAOB Standards | Public Company Accounting Oversight Board Standards | Audits of issuers (public companies) and broker-dealers |
| SSARSs | Statements on Standards for Accounting and Review Services | Compilation and review engagements for nonissuers |
| SSAEs | Statements on Standards for Attestation Engagements | Examination, review, and agreed-upon procedures engagements |
One of the most tested distinctions on the AUD exam is the difference between issuer and nonissuer engagements. Issuers (public companies) are subject to PCAOB standards, while nonissuers (private companies) follow AICPA standards (GAAS). Many rules overlap, but there are critical differences—especially around internal control reporting, partner rotation, and communication requirements. Pay close attention to which set of standards applies in each scenario.
How to Use This Section
- Start with Ethics & Professional Responsibilities. Understanding the ethical framework provides the foundation for every topic that follows. If you do not know why independence matters, the rest of the audit process will not make full sense.
- Follow the audit process sequentially. The topics are arranged in the approximate order of an actual audit engagement—from planning and risk assessment through evidence gathering to reporting. This mirrors how the exam tests concepts.
- Practice with examples. Each page includes practical scenarios using companies like MAS Inc., Illini Security, and Bear Co. Work through these examples actively rather than passively reading them.
- Focus on the "why." The exam often asks you to choose the best answer among several plausible options. Understanding the reasoning behind audit procedures—not just memorizing rules—is the key to selecting the correct response.
- Use the journal entry blocks. Several topics (especially in auditing specific accounts) include journal entries that illustrate the transactions auditors are testing. These help connect AUD concepts to your FAR knowledge.
The AUD exam is known for its emphasis on judgment and professional skepticism. Questions frequently present a scenario and ask what the auditor should do next or which procedure is most appropriate. Build the habit of thinking through each scenario systematically: What is the risk? What evidence do I need? What standard applies? What is the correct response?