CPA Exam: Auditing and Attestation
CPA Exam: Auditing and Attestation
The Auditing and Attestation (AUD) section of the CPA Exam tests more than memorized standards. It assesses whether you can think like an auditor: plan an engagement, evaluate risk, gather and document appropriate evidence, apply professional judgment, and communicate results through clear reporting. The content spans audit and attestation standards, internal control, ethics and independence, sampling concepts, and the practical mechanics of audit procedures.
This article explains what AUD covers, how the pieces fit together in real engagements, and what candidates should understand to perform well on the exam and in practice.
What AUD Measures: Competence, Judgment, and Professional Skepticism
AUD is built around the responsibilities of CPAs who provide assurance. Whether you are auditing a public company, reviewing a private company’s financial statements, or performing an attestation engagement on a subject matter other than financial statements, the expectation is consistent:
- You follow applicable standards
- You remain independent and ethical
- You exercise professional skepticism
- You obtain sufficient appropriate evidence
- You report in a way users can rely on
Professional skepticism is not cynicism. It is an alert, questioning mindset, especially when evidence is inconsistent or management explanations are convenient but weak. On the exam, skepticism shows up in questions about contradictory documents, unusual journal entries, management override, or when additional procedures are needed.
Audit Planning: Setting the Foundation
Audit quality is heavily determined before substantive testing begins. Planning aligns the work to the risks, the client’s environment, and the expectations of the engagement.
Understanding the Entity and Its Environment
Auditors must understand the client’s business model, industry, regulatory environment, and how it makes money. That understanding informs risk identification. For example, a software company with multi-year subscriptions raises different revenue recognition risks than a retailer with cash sales and high inventory shrink.
Planning also includes understanding:
- Accounting policies and significant estimates
- Related parties and unusual transactions
- IT systems that produce financial reporting data
- The “tone at the top” and governance
Materiality and Risk: The Core Planning Logic
Materiality guides the nature, timing, and extent of procedures. While the exam often tests definitions, the practical point is simple: auditors focus effort where misstatements could influence users’ decisions.
Audit risk is commonly conceptualized as:
- Inherent risk (IR): Susceptibility of an assertion to misstatement
- Control risk (CR): Risk a misstatement is not prevented or detected by controls
- Detection risk (DR): Risk audit procedures fail to detect misstatements
If inherent and control risks are high, detection risk must be lower, which means more persuasive evidence, larger sample sizes, or more work at year-end rather than interim.
The Audit Strategy and Audit Plan
Planning outputs include an audit strategy and a detailed audit plan. Candidates should know what belongs where: the strategy is the high-level approach; the audit plan is the specific procedures and staffing.
Internal Control: Why Auditors Care and How They Evaluate It
Internal control sits at the center of audit planning because it affects the risk of material misstatement and the auditor’s response.
Components of Internal Control
While frameworks vary, exam content commonly reflects control concepts such as:
- Control environment (ethics, governance, competence)
- Risk assessment processes
- Control activities (authorizations, reconciliations, segregation of duties)
- Information and communication
- Monitoring
Auditors identify and assess whether controls are designed effectively and implemented. Design addresses whether a control, if operating, would prevent or detect misstatements. Implementation asks whether it exists in practice.
Tests of Controls vs. Substantive Procedures
Candidates must clearly distinguish:
- Tests of controls: Evaluate operating effectiveness of controls (inspection, observation, reperformance, inquiry with corroboration)
- Substantive procedures: Detect material misstatements in account balances and transactions (tests of details and analytical procedures)
If controls are strong and tested, the auditor may reduce substantive testing. If controls are weak or not tested, the auditor generally increases substantive work. Importantly, substantive procedures are always required in a financial statement audit, even if controls are excellent.
Audit Evidence: Sufficiency, Appropriateness, and Reliability
AUD frequently tests evidence evaluation because it is where judgment is most visible.
- Sufficiency is quantity
- Appropriateness is quality (relevance and reliability)
Reliability: Why Source Matters
Evidence is generally more reliable when it is:
- Obtained directly by the auditor (for example, observation, reperformance)
- From independent external sources (confirmations, bank statements)
- Produced under effective controls
- Documentary rather than purely oral
For example, a bank confirmation is typically more reliable than a client-prepared cash schedule. A signed contract is typically stronger than a verbal explanation of terms.
Common Audit Procedures Candidates Should Know
AUD expects familiarity with procedures and what they address:
- Inspection: examining records, documents, or tangible assets
- Observation: watching a process (inventory count procedures)
- Inquiry: asking management and others (requires corroboration)
- Confirmation: obtaining external verification (receivables, cash, legal)
- Recalculation: checking mathematical accuracy
- Reperformance: independently executing controls or procedures
- Analytical procedures: studying plausible relationships (gross margin trends)
These procedures link to management assertions like existence, completeness, valuation, rights and obligations, and presentation and disclosure.
Sampling: Practical Tools and Common Pitfalls
Sampling appears on AUD because audits balance effectiveness with efficiency. Candidates should understand why sampling risk exists and how to manage it.
Sampling Risk and Types of Incorrect Conclusions
Sampling risk is the risk the sample does not represent the population, leading to a wrong conclusion. Two classic errors:
- Incorrect acceptance: concluding a balance is fairly stated when it is materially misstated (more serious for the auditor)
- Incorrect rejection: concluding a balance is misstated when it is fairly stated (inefficient but less dangerous)
Non-sampling risk also matters: using the wrong procedure, misinterpreting results, or failing to recognize a misstatement.
What Drives Sample Size
Sample size generally increases when:
- Expected misstatement is higher
- Tolerable misstatement is lower
- Desired assurance is higher (lower detection risk)
- Population variability is higher
Ethics and Independence: The Non-Negotiables
Ethics is not a separate chapter in practice. It is embedded in planning, evidence evaluation, and reporting.
Independence in Fact and Appearance
Auditors must be independent both in fact (actual objectivity) and appearance (a reasonable third party would see you as independent). Threats include financial interests in the client, certain business relationships, and prohibited nonattest services. Even when a technical rule is not triggered, the appearance standard can still be violated.
Due Care and Professional Conduct
AUD tests principles such as due professional care, integrity, and objectivity. In real engagements, due care is reflected in supervision, documentation, appropriate consultation, and performing procedures that match the assessed risks.
Reporting: Turning Work Into a Clear Conclusion
Audit reporting is where standards, evidence, and judgment converge. The CPA Exam expects you to understand the structure and implications of different reports.
The Standard Unmodified Audit Opinion
An unmodified opinion communicates that the financial statements are presented fairly, in all material respects, in accordance with the applicable financial reporting framework. Candidates should recognize the purpose of each report section and the concept of reasonable assurance.
Modified Opinions and Explanatory Matters
When issues arise, the auditor may need to modify the opinion or add emphasis or other matter language, depending on the circumstances and applicable standards. Typical triggers include material misstatements, scope limitations, or significant uncertainties requiring user attention.
The key exam skill is classification: identify the issue, determine materiality and pervasiveness, and select the appropriate reporting response.
Attestation Engagements: Assurance Beyond the Financial Statement Audit
Attestation engagements extend assurance to other subject matters or assertions. While audits focus on historical financial statements, attestation can address reports on controls, compliance, or other measured subject matters.
Candidates should understand that attestation still requires:
- A suitable subject matter and criteria
- Sufficient appropriate evidence
- Independence when required by the engagement standards
- A clear written report describing the scope and conclusion
What Successful AUD Candidates Focus On
Strong performance in AUD comes from connecting concepts rather than studying them in isolation. When you read a question, ask:
- What is the objective of the procedure?
- Which assertion or risk is being addressed?
- What evidence is most reliable here?
- How do internal controls affect the audit response?
- What reporting outcome follows from the facts?
AUD is ultimately about credibility. The exam tests whether you can build and defend that credibility through ethical behavior, sound planning, appropriate evidence, and clear reporting, the same fundamentals that define high-quality assurance work in the real world.