
CPA Exam Curriculum — 2024 CPA Evolution Format

Three Core sections (AUD, FAR, REG) plus one Discipline section (BAR, ISC, or TCP). Each section is a separate 4-hour exam scored 0–99; passing is 75.

---

AUD — Auditing & Attestation (Core)

---

Section: Ethics, Independence and Professional Skepticism

Estimated study time: 50 minutes

Content:

Independence is the cornerstone of the audit function. The AICPA Code of Professional Conduct (ET Section 1.200) requires auditors to be independent in both fact and appearance. Threats to independence fall into five categories: self-interest, self-review, advocacy, familiarity, and intimidation. Threats are evaluated against whether a reasonable and informed third party would conclude that the auditor's objectivity is compromised.

Professional skepticism is an attitude that includes a questioning mind and a critical assessment of audit evidence. PCAOB AS 1015 requires auditors to plan and perform the audit with professional skepticism, recognizing that circumstances may exist that cause the financial statements to be materially misstated. Professional skepticism is not synonymous with suspicion but demands that auditors not accept management representations without corroboration.

Ethical obligations under the Sarbanes-Oxley Act (SOX) include requirements for audit partner rotation (every 5 years for lead engagement partner under PCAOB rules), a cooling-off period before former audit firm personnel can join a public-company audit client in a financial reporting oversight role (1 year), and prohibition on auditors providing certain non-audit services (bookkeeping, financial information systems design, appraisal, actuarial services, internal audit outsourcing, management functions, human resources, broker/dealer services, legal services) to public-company audit clients.

The AICPA's Conceptual Framework approach: when no specific rule governs, the auditor evaluates threats and applies safeguards. Safeguards include firm-level controls (e.g., partner concurring reviews), profession-level controls (e.g., licensing, standards), and client-level controls (e.g., audit committees). If safeguards cannot reduce threats to an acceptable level, the auditor must decline or terminate the engagement.

Government Auditing Standards (Yellow Book) impose additional independence requirements beyond AICPA standards for auditors performing government engagements. The GAGAS personal independence requirements cover financial relationships and employment impairments; organizational independence covers the structure of the audit organization relative to the audited entity.

Key Terms:

  • Independence in Fact: The auditor's actual state of mind — free from bias, conflict, or undue influence
  • Independence in Appearance: A reasonable and informed third party would conclude the auditor is independent
  • Professional Skepticism: Questioning mind + critical assessment of evidence; does not assume management is honest or dishonest
  • Cooling-Off Period (SOX): 1-year period before former audit partner/manager can work for a public-company audit client in a financial reporting oversight role
  • Familiarity Threat: Long association with a client may cause the auditor to be too sympathetic to client interests
  • Advocacy Threat: Auditor promotes client's position to the point that objectivity is compromised (e.g., expert witness testimony in a dispute)

---

Section: Risk Assessment and Planned Response

Estimated study time: 55 minutes

Content:

The audit risk model: Audit Risk (AR) = Inherent Risk (IR) × Control Risk (CR) × Detection Risk (DR). The auditor cannot control IR or CR — these exist in the client's environment. The auditor manages AR by setting an acceptable level and then calculating the allowable DR, which drives detection procedures. When IR × CR is high (significant risk), DR must be set low, requiring more or better substantive procedures.

Risk assessment procedures under AU-C 315 (ISAs) and AS 2110 (PCAOB) include: (1) inquiries of management and others; (2) analytical procedures comparing current-year data to expectations; (3) observation and inspection of facilities, documents, and operations; and (4) information-technology general controls assessment. These procedures produce an understanding of the entity and its environment, including internal control, but do not constitute substantive evidence.

Significant risks require special audit consideration and cannot be addressed by reliance on controls alone. The auditor must perform substantive procedures for each significant risk identified. Examples: revenue recognition (complex estimates, side agreements), related-party transactions, management override risk.

The five components of internal control under COSO: Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring Activities. The auditor assesses each component to understand design and to determine whether controls have been implemented (walking through transactions). Assessing operating effectiveness (testing controls) is optional in a financial statement audit unless the auditor plans to rely on controls to reduce substantive testing.

Under PCAOB AS 2201 (integrated audit of public companies), the auditor must opine on the effectiveness of ICFR (Internal Control over Financial Reporting) as of year-end. This requires the auditor to: (1) identify and test controls over each significant account and disclosure, (2) assess whether deficiencies individually or in aggregate constitute a material weakness, and (3) issue the ICFR opinion alongside the financial statement opinion.

Fraud risk: AU-C 240 requires auditors to presume two fraud risks — management override of controls and revenue recognition irregularities — in every audit. A brainstorming session among engagement team members to discuss where and how fraud might occur is mandatory.

Key Terms: