Compare how AICPA and PCAOB standards differ in scope, independence, documentation, reporting, and integrated-audit requirements.
AUD questions often test standards scope indirectly. The fact pattern may say the client is a nonissuer, an issuer, a broker-dealer, a public company, or a private company seeking financing. That detail is not background noise. It determines which standards apply, how independence is evaluated, whether an integrated audit is expected, and what reporting model controls the answer.
The AICPA and PCAOB frameworks share the same broad audit objective: obtain reasonable assurance and express an opinion on whether the financial statements are presented fairly, in all material respects, under the applicable financial reporting framework. The exam distinction is that the frameworks are not interchangeable.
Use the entity and engagement type before choosing the standard set.
| Fact pattern clue | Standards implication |
|---|---|
| Nonissuer financial statement audit | AICPA Statements on Auditing Standards, codified mainly in AU-C sections, usually control. |
| Issuer audit | PCAOB auditing standards control because the audit is performed for a public company reporting environment. |
| Public company internal control audit | PCAOB AS 2201 governs the integrated audit of internal control over financial reporting and financial statements. |
| Broker-dealer audit or attestation engagement | PCAOB rules may apply even when the entity is not a traditional operating issuer. |
| Compilation, review, or preparation engagement | Do not default to audit standards; SSARS or attestation standards may be more relevant depending on the engagement. |
The first exam move is therefore classification. If the question says the entity is a nonissuer, do not import PCAOB-only requirements unless the facts make them applicable. If the question says the audit is for an issuer, do not answer as if ordinary private-company GAAS is the full answer.
AICPA auditing standards are issued by the Auditing Standards Board and organized in AU-C sections. They apply to audits of nonissuers whose audits are not required to follow PCAOB standards. Common AUD reference points include overall objectives, professional skepticism, planning, risk assessment, audit evidence, group audits, and auditor reporting.
PCAOB standards are issued for registered public accounting firms auditing issuers and certain other entities within the PCAOB’s authority. PCAOB standards include financial statement audit standards, attestation standards, ethics and independence rules, quality control standards, and inspection and enforcement consequences. For AUD, the practical difference is that PCAOB standards sit inside a public-market oversight system with SEC involvement, firm registration, inspection, and discipline.
flowchart TD
A["AUD fact pattern"] --> B{"Entity or engagement type?"}
B --> C["Nonissuer audit"]
B --> D["Issuer audit"]
B --> E["Broker-dealer or PCAOB-covered engagement"]
B --> F["Review, compilation, or other service"]
C --> G["AICPA AU-C standards"]
D --> H["PCAOB auditing standards"]
E --> I["PCAOB rules and applicable attestation/audit standards"]
F --> J["Do not assume an audit; identify the service first"]
The diagram captures the decision order. Standards selection comes before procedure selection.
| Area | Exam effect |
|---|---|
| Authority | AICPA standards govern many nonissuer audits; PCAOB standards govern issuer audits and certain PCAOB-covered engagements. |
| Oversight | AICPA practice is tied to professional standards, peer review, and state-board or membership consequences; PCAOB work adds registration, inspection, and enforcement oversight. |
| Independence | Both require independence in fact and appearance; issuer audits also trigger SEC and PCAOB independence restrictions that may be stricter in practice. |
| Internal control | A nonissuer financial statement audit requires understanding internal control to assess risk, but it normally does not require an opinion on internal control effectiveness. |
| Integrated audit | PCAOB issuer audits often require an audit of internal control over financial reporting integrated with the financial statement audit. |
| Documentation | Both require enough documentation to support conclusions; PCAOB documentation is also exposed to inspection by the oversight board. |
| Reporting | Both frameworks require specific report language, but report form, addressee, critical audit matter concepts, and ICFR reporting can differ under PCAOB standards. |
Independence is a shared requirement, but the exam often tests the stricter public-company environment. Under the AICPA framework, candidates should recognize threats such as direct financial interests, certain family relationships, management participation, unpaid fees, and prohibited advocacy or self-review situations. Under the PCAOB and SEC environment, additional restrictions on non-audit services, audit committee preapproval, partner rotation, and public-market independence expectations can become decisive.
The trap is assuming that a service acceptable for a private company audit client is automatically acceptable for an issuer audit client. If a public company audit client asks the auditor to design financial information systems, perform bookkeeping, or take on management responsibilities, independence concerns should be immediate.
Both frameworks require the auditor to understand internal control as part of risk assessment. That does not mean both frameworks require the same opinion.
In a nonissuer audit under AICPA standards, the auditor obtains an understanding of internal control to identify and assess risks of material misstatement and to design further audit procedures. The auditor may test controls if that strategy is efficient or necessary, but the audit report normally expresses an opinion on the financial statements, not on internal control effectiveness.
In a PCAOB integrated audit, the auditor performs two connected audits: one of the financial statements and one of internal control over financial reporting. AS 2201 uses a top-down, risk-based approach that begins with financial statement risks, entity-level controls, significant accounts and disclosures, relevant assertions, and the controls that address those risks. If a material weakness exists, internal control over financial reporting cannot be considered effective, even if the financial statements are not materially misstated.
The risk-based logic is similar across the frameworks: identify where material misstatement could occur, assess the risks, and design procedures that respond to those risks. The differences appear in the engagement environment and the required reporting outcomes.
For a private manufacturing company, a high inventory risk might lead to expanded observation, cutoff testing, price testing, and control testing over cycle counts. For a public issuer, the same inventory risk may also affect the integrated audit, including control selection, operating effectiveness testing, evaluation of deficiencies, and possible ICFR reporting.
AUD questions often ask for the “best” next procedure. The standard set changes what “best” means. Under a financial statement audit only, the answer may be a substantive procedure that addresses the assertion. Under an integrated audit, the answer may require testing a control that addresses both the financial statement risk and the ICFR opinion.
Documentation supports the audit opinion under both frameworks. It should show the work performed, evidence obtained, significant judgments made, and conclusions reached. The candidate should reject answers implying that documentation is optional because a client is small, because no misstatement was found, or because the engagement partner remembers the work.
PCAOB audits add inspection pressure. Workpapers may be reviewed by the PCAOB, and inspection findings often focus on whether the file actually supports the opinion. The exam implication is simple: undocumented work is weak evidence of compliance, especially in issuer audits.
Reporting questions require careful separation of financial statement opinions, explanatory paragraphs, and internal control opinions. In an AICPA nonissuer audit, the report usually addresses the financial statements. In a PCAOB issuer audit, the report may include PCAOB-specific language, public-company addressees, tenure information, critical audit matters when applicable, and separate or combined reporting on internal control when an integrated audit is performed.
Do not confuse a material weakness with a financial statement misstatement. A material weakness requires an adverse opinion on internal control in an integrated audit. It does not automatically require an adverse opinion on the financial statements. The financial statement opinion depends on whether the financial statements themselves are materially misstated or whether the auditor lacks sufficient appropriate evidence.
A public company has ineffective controls over manual journal entries. The auditor performs additional substantive testing and concludes the financial statements are fairly presented. In an integrated audit, the auditor may still issue an unqualified opinion on the financial statements and an adverse opinion on internal control if the control deficiency is a material weakness.
If the same weakness appears in a nonissuer financial statement audit without an ICFR opinion, the auditor still considers the effect on risk assessment, substantive procedures, and communication of significant deficiencies or material weaknesses. The auditor does not automatically add an opinion on internal control to the financial statement audit report.