International Standards on Auditing (ISAs)
Core Principles and Responsibilities
Standard | Title | Key Requirements |
---|---|---|
ISA 200 | Overall Objectives of the Independent Auditor | – Obtain reasonable assurance about financial statements <br> – Exercise professional skepticism <br> – Apply ethical requirements including independence |
ISA 210 | Agreeing the Terms of Audit Engagements | – Document engagement terms in writing <br> – Establish preconditions for an audit <br> – Clarify respective responsibilities |
ISA 220 | Quality Control for an Audit | – Implement quality control procedures <br> – Ensure engagement team compliance with ethical requirements <br> – Document consultation on difficult matters |
ISA 230 | Audit Documentation | – Prepare documentation that provides sufficient evidence <br> – Document significant matters and judgments <br> – Assemble final audit file timely (usually 60 days) |
ISA 240 | The Auditor’s Responsibilities Relating to Fraud | – Maintain professional skepticism <br> – Identify and assess fraud risks <br> – Design procedures responsive to fraud risks |
ISA 250 | Consideration of Laws and Regulations | – Identify non-compliance with laws and regulations <br> – Communicate identified non-compliance <br> – Consider impact on financial statements |
ISA 260 | Communication with Those Charged with Governance | – Communicate significant audit matters <br> – Establish two-way communication process <br> – Document verbal communications |
ISA 265 | Communicating Deficiencies in Internal Control | – Identify significant deficiencies <br> – Communicate in writing <br> – Include description and potential effects |
Risk Assessment and Response
Standard | Title | Key Requirements |
---|---|---|
ISA 300 | Planning an Audit | – Develop audit strategy and detailed plan <br> – Update and change as necessary <br> – Document significant changes to plan |
ISA 315 | Identifying and Assessing Risks | – Understand the entity and its environment <br> – Assess internal controls <br> – Identify and assess risks of material misstatement |
ISA 320 | Materiality | – Determine materiality for financial statements as a whole <br> – Set performance materiality <br> – Revise materiality if necessary during audit |
ISA 330 | The Auditor’s Responses to Assessed Risks | – Design and implement responses to risks <br> – Perform tests of controls and substantive procedures <br> – Evaluate sufficiency of evidence obtained |
Audit Evidence
Standard | Title | Key Requirements |
---|---|---|
ISA 500 | Audit Evidence | – Design procedures to obtain sufficient appropriate evidence <br> – Evaluate reliability of information <br> – Consider relevance and reliability of evidence |
ISA 501 | Specific Considerations for Selected Items | – Observe inventory counting <br> – Confirm litigation and claims <br> – Verify segment information |
ISA 505 | External Confirmations | – Consider whether to use external confirmations <br> – Design confirmation requests <br> – Maintain control over confirmation process |
ISA 520 | Analytical Procedures | – Use analytics in risk assessment and review <br> – Design substantive analytical procedures <br> – Investigate significant fluctuations |
ISA 530 | Audit Sampling | – Design appropriate samples <br> – Perform procedures on selected items <br> – Evaluate sample results and project misstatements |
ISA 540 | Auditing Accounting Estimates | – Identify and assess risks related to estimates <br> – Evaluate reasonableness of estimates <br> – Review management’s judgment and potential bias |
ISA 550 | Related Parties | – Identify related party relationships <br> – Identify and assess risks associated with related parties <br> – Evaluate disclosure of related party transactions |
ISA 560 | Subsequent Events | – Perform procedures for events between financial statement date and audit report date <br> – Respond appropriately to facts discovered after audit report date |
ISA 570 | Going Concern | – Evaluate management’s going concern assessment <br> – Consider period of at least 12 months <br> – Determine implications for audit report |
ISA 580 | Written Representations | – Request written representations from management <br> – Evaluate reliability of representations <br> – Take appropriate action if management refuses |
Using the Work of Others
Standard | Title | Key Requirements |
---|---|---|
ISA 600 | Special Considerations—Group Audits | – Determine involvement in component audits <br> – Communicate with component auditors <br> – Evaluate group-wide controls |
ISA 610 | Using the Work of Internal Auditors | – Evaluate internal audit function <br> – Determine if work can be used <br> – Document conclusions about using internal auditors’ work |
ISA 620 | Using the Work of an Auditor’s Expert | – Determine need for expert <br> – Evaluate expert’s competence, capabilities, and objectivity <br> – Agree on nature, scope, and objectives of expert’s work |
Audit Conclusions and Reporting
Standard | Title | Key Requirements |
---|---|---|
ISA 700 | Forming an Opinion and Reporting | – Form opinion based on evidence obtained <br> – Express opinion clearly through written report <br> – Include required elements in audit report |
ISA 701 | Communicating Key Audit Matters | – Determine key audit matters <br> – Describe in audit report <br> – Include appropriate details without disclosing proprietary information |
ISA 705 | Modifications to the Opinion | – Modify opinion when financial statements are materially misstated or sufficient evidence cannot be obtained <br> – Determine type of modification (qualified, adverse, disclaimer) <br> – Provide basis for modification |
ISA 706 | Emphasis of Matter and Other Matter Paragraphs | – Include emphasis paragraph when necessary <br> – Clearly reference matter being emphasized <br> – State that opinion is not modified because of emphasized matter |
ISA 710 | Comparative Information | – Obtain sufficient evidence about comparative information <br> – Evaluate whether consistent with current period <br> – Determine reporting implications |
ISA 720 | The Auditor’s Responsibilities Relating to Other Information | – Read other information for material inconsistencies <br> – Respond to material inconsistencies or misstatements <br> – Report accordingly in audit report |
Public Company Accounting Oversight Board (PCAOB) Standards
Key PCAOB Auditing Standards
Standard | Title | Key Requirements |
---|---|---|
AS 1101 | Audit Risk | – Define components of audit risk <br> – Determine acceptable level of detection risk <br> – Design procedures to reduce audit risk to appropriate level |
AS 1105 | Audit Evidence | – Obtain sufficient appropriate evidence <br> – Consider relevance and reliability <br> – Evaluate whether evidence supports opinion |
AS 1201 | Supervision of the Audit Engagement | – Supervise assistants <br> – Provide appropriate direction <br> – Review work performed |
AS 1301 | Communications with Audit Committees | – Communicate audit strategy <br> – Discuss significant accounting policies <br> – Report significant difficulties or disagreements |
AS 2201 | An Audit of Internal Control Over Financial Reporting | – Integrate with financial statement audit <br> – Evaluate design and operating effectiveness <br> – Express opinion on internal control effectiveness |
AS 2301 | The Auditor’s Responses to the Risks | – Design appropriate responses <br> – Perform tests of controls <br> – Carry out substantive procedures |
AS 2401 | Consideration of Fraud | – Maintain professional skepticism <br> – Conduct fraud risk assessment <br> – Design audit to address fraud risks |
AS 2501 | Auditing Accounting Estimates | – Evaluate process used by management <br> – Develop independent expectation <br> – Review subsequent events that confirm estimate |
AS 2601 | Consideration of an Entity’s Use of a Service Organization | – Evaluate effect on internal controls <br> – Obtain understanding of services provided <br> – Consider reliability of service auditor’s report |
AS 2605 | Consideration of Internal Audit | – Understand internal audit function <br> – Assess objectivity and competence <br> – Coordinate with internal auditors |
AS 2610 | Using the Work of a Specialist | – Evaluate specialist’s qualifications <br> – Understand specialist’s work <br> – Assess relationship to client |
AS 2810 | Evaluating Audit Results | – Accumulate misstatements <br> – Evaluate uncorrected misstatements <br> – Form conclusion on fair presentation |
AS 3101 | The Auditor’s Report | – Issue appropriate report type <br> – Include required elements <br> – Modify as necessary |
AS 3305 | Special Reports | – Report on special-purpose financial statements <br> – Report on specified elements <br> – Report on compliance with contractual provisions |
Generally Accepted Government Auditing Standards (GAGAS)
Yellow Book Standards
Section | Focus Area | Key Requirements |
---|---|---|
Chapter 3 | Ethics, Independence, and Professional Judgment | – Maintain independence <br> – Avoid conflicts that impair independence <br> – Apply conceptual framework approach |
Chapter 4 | Competence and Continuing Professional Education | – Ensure staff have appropriate competence <br> – Complete 80 hours CPE every 2 years <br> – Include 24 hours in government auditing |
Chapter 5 | Quality Control and Peer Review | – Establish quality control system <br> – Undergo external peer review every 3 years <br> – Take remedial actions for deficiencies |
Chapter 6 | Planning | – Communicate with management and oversight bodies <br> – Assess risks including fraud <br> – Document planning decisions |
Chapter 7 | Supervision | – Properly supervise staff <br> – Provide guidance on audit objectives <br> – Review documentation |
Chapter 8 | Audit Evidence | – Obtain sufficient, appropriate evidence <br> – Evaluate evidence <br> – Document evidence assessment |
Chapter 9 | Reporting | – Issue timely reports <br> – Include all required elements <br> – Present findings clearly and objectively |
The Institute of Internal Auditors (IIA) Standards
International Standards for the Professional Practice of Internal Auditing
Standard Series | Title | Key Requirements |
---|---|---|
1000 Series | Purpose, Authority, and Responsibility | – Document in internal audit charter <br> – Obtain board approval of charter <br> – Define scope of internal audit activities |
1100 Series | Independence and Objectivity | – Maintain organizational independence <br> – Avoid conflicts of interest <br> – Disclose impairments to independence |
1200 Series | Proficiency and Due Professional Care | – Possess knowledge, skills, and competencies <br> – Develop through continuing education <br> – Exercise due professional care |
1300 Series | Quality Assurance and Improvement | – Develop quality assurance program <br> – Conduct internal and external assessments <br> – Report results to senior management and board |
2000 Series | Managing the Internal Audit Activity | – Plan audit activities based on risk <br> – Communicate plan to management and board <br> – Coordinate with other assurance providers |
2100 Series | Nature of Work | – Evaluate governance processes <br> – Assess risk management effectiveness <br> – Evaluate adequacy of controls |
2200 Series | Engagement Planning | – Document objectives, scope, timing, resources <br> – Develop work programs <br> – Consider risk during planning |
2300 Series | Performing the Engagement | – Identify, analyze, and document information <br> – Base conclusions on evidence <br> – Supervise engagements appropriately |
2400 Series | Communicating Results | – Communicate accurately, objectively, clearly <br> – Include significant conclusions and recommendations <br> – Distribute reports to appropriate parties |
2500 Series | Monitoring Progress | – Establish follow-up process <br> – Monitor implementation of recommendations <br> – Communicate significant issues to management |
2600 Series | Communicating Risk Acceptance | – Discuss unacceptable risk levels with management <br> – Escalate to board if necessary <br> – Determine appropriate monitoring |
Industry-Specific Auditing Standards
Financial Services Industry
Standard | Issuing Body | Key Focus Areas |
---|---|---|
FDICIA | FDIC | – Internal control attestation for larger institutions <br> – Reporting on compliance with designated laws |
SOC for Service Organizations | AICPA | – Controls at service organizations relevant to user entities <br> – Defined control objectives (SOC 1, 2, 3) |
Basel Committee on Banking Supervision | BIS | – Internal audit function in banks <br> – Risk-based audit approach <br> – Independence of internal audit |
Healthcare Industry
Standard | Issuing Body | Key Focus Areas |
---|---|---|
HIPAA Audit Protocol | HHS OCR | – Privacy Rule compliance <br> – Security Rule implementation <br> – Breach Notification procedures |
Compliance Program Guidance | OIG HHS | – Effective compliance programs <br> – Risk areas specific to provider types <br> – Self-disclosure protocols |
IT Auditing Standards
Standard | Issuing Body | Key Focus Areas |
---|---|---|
COBIT | ISACA | – IT governance framework <br> – Control objectives for IT <br> – Maturity models for control processes |
ISO 27001 | ISO | – Information security management <br> – Risk assessment <br> – Control implementation and effectiveness |
NIST Cybersecurity Framework | NIST | – Identify, Protect, Detect, Respond, Recover <br> – Critical infrastructure security <br> – Risk-based approach |
Ethical Standards for Auditors
Fundamental Principles
Principle | Description | Application |
---|---|---|
Integrity | Being straightforward and honest | – Avoid association with misleading information <br> – Do not subordinate judgment to others |
Objectivity | Not allowing bias or undue influence | – Avoid conflicts of interest <br> – Maintain independence in fact and appearance |
Professional Competence and Due Care | Maintaining professional knowledge and skill | – Continuing professional education <br> – Act diligently according to standards |
Confidentiality | Respecting confidentiality of information | – Not disclosing information without authority <br> – Not using information for personal advantage |
Professional Behavior | Complying with laws and avoiding discredit | – Act in public interest <br> – Maintain reputation of profession |
Professional Skepticism and Documentation Requirements
Professional Skepticism
- A questioning mind that assumes neither that management is dishonest nor that its honesty is unquestioned
- Critical assessment of audit evidence
- Alert to conditions that may indicate misstatement
- Includes consideration of reliability of evidence
Documentation Requirements
- Sufficient to enable experienced auditor to understand:
  - Nature, timing, and extent of procedures performed
  - Results of procedures and evidence obtained
  - Significant matters, conclusions, and professional judgments
- Should include:
  - Discussions among engagement team about fraud susceptibility
  - Identified and assessed risks
  - Responses to assessed risks
  - Conclusions on going concern
  - Significant matters discussed with management
  - How information inconsistent with final conclusion was addressed
Recent Updates and Emerging Standards
Recent Updates to Major Standards
- PCAOB: Enhanced auditor reporting requirements including Critical Audit Matters (CAMs)
- ISA 540 (Revised): Enhanced requirements for auditing accounting estimates
- ISA 315 (Revised): Updated risk assessment procedures
- GAGAS 2018 Revision: Strengthened independence requirements and CPE
Emerging Audit Areas
- ESG (Environmental, Social, Governance) Assurance
- Cybersecurity Risk Management Attestation
- Digital Assets and Cryptocurrency Auditing
- Data Analytics and Artificial Intelligence in Auditing
- Auditing Remote Work Controls
Resources for Auditing Standards
- International Auditing and Assurance Standards Board (IAASB): www.iaasb.org
- American Institute of Certified Public Accountants (AICPA): www.aicpa.org
- Public Company Accounting Oversight Board (PCAOB): www.pcaobus.org
- Government Accountability Office (GAO): www.gao.gov
- The Institute of Internal Auditors (IIA): www.theiia.org
- Information Systems Audit and Control Association (ISACA): www.isaca.org