GAAS: Generally Accepted Auditing Standards
Generally Accepted Auditing Standards (GAAS) form the foundational framework governing how independent auditors plan, execute, and report on financial statement audits in the United States. Established by the American Institute of Certified Public Accountants (AICPA) and codified in the Auditing Standards Board's Statements on Auditing Standards (SAS), GAAS defines the minimum quality thresholds that distinguish a credible audit from an inadequate one. This page covers the definition, structural mechanics, classification, and contested dimensions of GAAS as it applies to non-public entities, with cross-references to the separate regime that governs public company audits under the Public Company Accounting Oversight Board (PCAOB).
- Definition and scope
- Core mechanics or structure
- Causal relationships or drivers
- Classification boundaries
- Tradeoffs and tensions
- Common misconceptions
- Checklist or steps (non-advisory)
- Reference table or matrix
Definition and scope
GAAS is not a single statute but a structured body of professional standards developed by the AICPA's Auditing Standards Board (ASB) and published as Statements on Auditing Standards (SAS). The ASB reorganized its codification in 2012 through SAS No. 122 (AICPA AU-C Section 200), replacing the prior ten "Generally Accepted Auditing Standards" with a more granular framework organized into AU-C sections. That reorganization aligns GAAS with the International Standards on Auditing (ISA) issued by the International Auditing and Assurance Standards Board (IAASB), though material differences remain.
The scope of GAAS covers audits of financial statements prepared by non-public entities — private companies, nonprofit organizations, governmental entities (where not governed by Government Auditing Standards), and employee benefit plans. Public company audits fall under the PCAOB framework, which Congress authorized through the Sarbanes-Oxley Act of 2002. Understanding the difference between PCAOB standards and GAAS is essential for any financial statement user interpreting an audit report.
GAAS applies whenever a licensed CPA issues an audit opinion under the authority of their state board of accountancy. The standards govern three overarching domains: the qualifications of the auditor, the quality of fieldwork, and the adequacy of reporting. Each AU-C section addresses a specific element of audit practice, ranging from engagement acceptance to the content of the auditor's report.
Core mechanics or structure
The pre-2012 GAAS framework consisted of 10 standards grouped into 3 categories: General Standards, Standards of Field Work, and Standards of Reporting. Although the ASB replaced that structure with the AU-C codification, the 3-category logic persists as an organizational lens.
General Standards (AU-C 200 series): These address auditor competence, independence, and professional care. AU-C 200 requires the auditor to obtain reasonable assurance — defined as a high but not absolute level of assurance — that the financial statements are free from material misstatement, whether due to fraud or error.
Standards of Field Work (AU-C 300–600 series): This group governs planning (AU-C 300), risk assessment (AU-C 315), audit evidence (AU-C 500), and the audit of specific items including accounting estimates (AU-C 540) and related party transactions (AU-C 550). The 2021 revision to AU-C 315, effective for audits of periods ending on or after December 15, 2023 (AICPA SAS No. 145), substantially enhanced risk identification and assessment procedures.
Standards of Reporting (AU-C 700 series): AU-C 700 governs formation and expression of opinions on financial statements. AU-C 705 covers modifications to the opinion, including qualified opinions, adverse opinions, and disclaimers — see qualified vs. unqualified audit opinion for a treatment of opinion types.
The entire framework rests on two pervasive principles: professional skepticism and professional judgment. AU-C 200 defines professional skepticism as an attitude that includes a questioning mind and critical assessment of audit evidence. Neither is measurable by a single metric; both are subject to peer review and AICPA inspection programs.
Causal relationships or drivers
GAAS evolved in direct response to documented audit failures and capital market needs. The McKesson & Robbins fraud of 1938, in which fictitious inventory and receivables went undetected, prompted the AICPA's predecessor to require physical observation of inventory and direct confirmation of receivables — procedures now codified in AU-C 501 and AU-C 505. The Enron and WorldCom collapses of 2001–2002 drove Congress to create the PCAOB and bifurcate the standard-setting landscape between public and non-public entities.
For non-public entities, the primary institutional pressure comes from lenders, private equity sponsors, and regulators who require GAAS-compliant audits as a condition of financing or regulatory standing. The FDIC's audit requirements for banks, for example, mandate GAAS-compliant independent audits for insured depository institutions with total assets of $500 million or more (FDIC Part 363, 12 CFR Part 363). Employee benefit plans governed by ERISA require annual GAAS audits filed with the Department of Labor on Form 5500 for plans with 100 or more eligible participants.
International convergence is another driver. The IAASB's ISA framework, adopted by over 130 jurisdictions, creates pressure on the ASB to align AU-C sections with corresponding ISAs. The SAS No. 145 revision mentioned above directly parallels ISA 315 (Revised 2019), reducing the standard-setting divergence that previously complicated cross-border audits.
Classification boundaries
GAAS is specifically the AICPA ASB framework for non-public entity audits. Four parallel frameworks coexist in the U.S. audit landscape:
- GAAS (AU-C) — AICPA ASB, applicable to non-public entities.
- PCAOB Auditing Standards — Applicable to audits of SEC-registered issuers and broker-dealers. See PCAOB standards for financial audits.
- Government Auditing Standards (GAS/Yellow Book) — Issued by the U.S. Government Accountability Office (GAO), applicable to audits of governmental entities and entities receiving federal financial assistance. GAAS is incorporated by reference into GAS as a baseline.
- Single Audit Standards (Uniform Guidance) — Issued by the Office of Management and Budget (OMB) at 2 CFR Part 200, applicable to entities expending $750,000 or more in federal awards annually.
The classification boundary between GAAS and PCAOB standards is not firm in every respect: PCAOB AS 1000 and related standards borrow substantially from GAAS history, but PCAOB standards are enforced through a separate inspection regime and carry SEC oversight authority not present in GAAS.
An auditor cannot apply GAAS alone when auditing a public company — doing so creates a violation of the Sarbanes-Oxley Act and exposes the firm to PCAOB sanctions. Conversely, applying PCAOB standards to a private company audit is unnecessary and imposes cost without regulatory benefit.
Tradeoffs and tensions
Reasonable assurance vs. absolute assurance: GAAS explicitly acknowledges that even a fully compliant audit cannot guarantee detection of all misstatements. AU-C 200 defines reasonable assurance as high but not absolute, which creates persistent tension when audit failures occur and financial statement users argue that auditors should have caught material fraud.
Judgment vs. prescription: The AU-C framework relies heavily on auditor judgment, particularly in risk assessment under AU-C 315 and evaluation of accounting estimates under AU-C 540. Critics argue this creates inconsistency across audit firms. The 2019–2023 SAS revision cycle moved toward more prescribed procedures in response to AICPA peer review findings showing high deficiency rates in risk assessment documentation.
Convergence with ISA vs. U.S. specificity: Alignment with IAASB ISAs reduces cross-border complexity but requires the ASB to accept international compromises that may not reflect U.S. regulatory conditions. Some practitioners argue that the SAS No. 145 risk assessment requirements, imported from ISA 315 (Revised 2019), are more burdensome for small non-public audits than the underlying risk warrants.
Independence requirements: GAAS independence rules (ET Section 1.200 of the AICPA Code of Professional Conduct) govern non-public audits, while PCAOB Rule 3520 and SEC independence rules govern public company audits. These frameworks differ on permissible non-audit services, creating complexity for firms that serve both markets. See auditor independence in financial services for a fuller treatment.
Common misconceptions
Misconception 1: GAAS and GAAP are interchangeable.
GAAP (Generally Accepted Accounting Principles) governs how financial statements are prepared. GAAS governs how auditors examine those statements. A financial statement can be GAAP-compliant but audited in violation of GAAS, and vice versa. The FASB issues GAAP; the ASB issues GAAS.
Misconception 2: A clean audit opinion means no fraud exists.
AU-C 240, which addresses the auditor's responsibilities relating to fraud, explicitly states that auditors provide reasonable assurance, not a guarantee. Auditors assess fraud risk and design procedures accordingly, but they are not forensic investigators. An unmodified opinion indicates the financial statements are free from material misstatement in the auditor's professional judgment — not that no fraud occurred at any level.
Misconception 3: GAAS applies to all audits of U.S. entities.
GAAS applies to non-public entities. Audits of SEC registrants follow PCAOB standards. Federal program audits follow GAS and Uniform Guidance. Applying GAAS to a public company audit is not compliant with applicable law.
Misconception 4: GAAS compliance is self-certified by audit firms.
GAAS compliance is subject to mandatory peer review every 3 years under the AICPA Peer Review Program for firms not enrolled in the PCAOB inspection system. Peer review findings are a matter of public record through the AICPA's National Peer Review Committee. High deficiency rates in peer reviews have historically triggered ASB standard revisions.
Checklist or steps (non-advisory)
The following sequence reflects the structural phases of a GAAS-compliant audit engagement as organized by AU-C sections. This is a reference framework, not professional guidance.
Phase 1 — Engagement Acceptance and Continuance (AU-C 210, 220)
- Assess preconditions for an audit, including management's acknowledgment of its responsibility for the financial statements
- Evaluate auditor independence and competency
- Agree on audit engagement terms in a written engagement letter
Phase 2 — Planning (AU-C 300, 315, 320)
- Develop an overall audit strategy
- Perform risk assessment procedures including inquiries, analytical procedures, and observation
- Identify and assess risks of material misstatement at the financial statement and assertion levels
- Determine materiality thresholds (see audit materiality in financial services)
Phase 3 — Response to Assessed Risks (AU-C 330)
- Design and implement overall audit responses
- Design and perform further audit procedures — tests of controls and substantive procedures
- Apply audit sampling where applicable (AU-C 530)
Phase 4 — Evidence Gathering (AU-C 500 series)
- Obtain sufficient appropriate audit evidence on specific items: external confirmations (AU-C 505), inventory observation (AU-C 501), accounting estimates (AU-C 540), related parties (AU-C 550)
- Evaluate audit evidence obtained
Phase 5 — Evaluation and Conclusion (AU-C 450, 560, 570)
- Evaluate misstatements identified during the audit
- Assess subsequent events through the date of the auditor's report (AU-C 560)
- Evaluate whether substantial doubt about going concern exists (AU-C 570)
Phase 6 — Reporting (AU-C 700, 705, 706)
- Form an opinion on the financial statements
- Prepare the auditor's report with required elements under AU-C 700
- Determine whether a modification (qualified, adverse, disclaimer) or emphasis-of-matter paragraph is required
Reference table or matrix
| Framework | Standard-Setter | Applies To | Oversight Body | Enforcement Mechanism |
|---|---|---|---|---|
| GAAS (AU-C) | AICPA Auditing Standards Board | Non-public entities | State boards of accountancy; AICPA Peer Review | Peer review (3-year cycle); state licensure discipline |
| PCAOB Auditing Standards | Public Company Accounting Oversight Board | SEC-registered issuers, broker-dealers | SEC | PCAOB inspections; SEC enforcement |
| Government Auditing Standards (Yellow Book) | U.S. GAO | Governmental entities; federal award recipients | GAO; cognizant federal agencies | Single Audit Act; OMB Uniform Guidance |
| Single Audit Standards | OMB (2 CFR Part 200) | Federal award recipients ≥ $750,000 | OMB; Inspector General offices | Federal award compliance; debarment |
| International Standards on Auditing (ISA) | IAASB | Jurisdictions adopting ISA (130+) | National regulators by jurisdiction | Varies by jurisdiction |

| AU-C Series | Topic Area | Key Standard | 2023 Effective Revision? |
|---|---|---|---|
| AU-C 200 | Overall objectives and definitions | SAS No. 122 | No |
| AU-C 300 | Planning | SAS No. 122 | No |
| AU-C 315 | Risk identification and assessment | SAS No. 145 | Yes (periods ending ≥ Dec 15, 2023) |
| AU-C 330 | Responses to assessed risks | SAS No. 122 | No |
| AU-C 500 | Audit evidence | SAS No. 122 | No |
| AU-C 540 | Accounting estimates | SAS No. 134 | Yes (effective 2021) |
| AU-C 700 | Forming and expressing opinions | SAS No. 134 | Yes (effective 2021) |
| AU-C 705 | Modifications to opinions | SAS No. 134 | Yes (effective 2021) |
References
- AICPA Auditing Standards Board — AU-C Sections
- AICPA SAS No. 145 — Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
- PCAOB — Auditing Standards
- U.S. GAO — Government Auditing Standards (Yellow Book)
- OMB Uniform Guidance — 2 CFR Part 200
- FDIC Part 363 — Annual Independent Audits and Reporting Requirements, 12 CFR Part 363
- IAASB — International Standards on Auditing
- AICPA Code of Professional Conduct — ET Section 1.200
- SEC — Sarbanes-Oxley Act of 2002