
March 30, 2026 • 24 min read
Generally accepted auditing standards: A practitioner's overview

Chris Kane
Key Takeaway: GAAS comprises 10 codified standards across three categories that govern how CPAs audit non-issuer financial statements in the U.S. Public company audits follow PCAOB standards instead. The biggest near-term change is SAS No. 146, which moves firms to risk-based quality management for periods beginning on or after December 15, 2025.
Generally Accepted Auditing Standards (GAAS) set the minimum guidelines CPAs must follow when auditing non-issuer financial statements. Established by the American Institute of Accountants (now the AICPA) in 1939 and codified across 10 standards in three categories, GAAS defines auditor qualifications, fieldwork procedures, and reporting obligations. The framework is currently in the middle of its most significant overhaul in years, with SAS No. 146 on quality management, the PCAOB's enhanced confirmation standard, and the IAASB's revised going-concern standard all landing between mid-2025 and late 2026.
Historical context of GAAS
Before 1939, the auditing profession lacked standardized practices. This changed when the American Institute of Accountants, now known as the American Institute of Certified Public Accountants (AICPA), formed the Committee on Auditing Procedures in 1939. The committee established the initial set of auditing standards, which have been continuously refined and expanded over time.
In 1972, the development of GAAS saw a major milestone with the issuance of the "Statements on Auditing Standards" (SAS) by the AICPA. These statements offered a more structured and comprehensive approach to auditing, addressing various stages of the audit process from planning to reporting. Since then, the GAAS framework has been adopted and adapted by many countries worldwide, serving as the cornerstone of modern auditing practices. In the U.S., GAAS is regulated by the AICPA's AU sections (Audit and Attestation Standards). Specifically, AU-C Section 150 explains the overall objectives of an audit and the framework for applying GAAS.

The 10 GAAS standards across three categories
GAAS comprises 10 codified standards organized into three primary categories: general standards, standards of field work, and standards of reporting. Auditors must adhere to the specific principles defined in each category during an audit engagement.
General standards
The general standards lay the foundation for the auditor's qualifications, independence, and professional judgment. There are three primary standards under this category:
- Adequate technical training and proficiency: Auditors must possess the necessary technical skills and knowledge to conduct an audit effectively. This includes continuous education and staying updated with the latest developments in accounting and auditing practices.
- Independence in mental attitude: Auditors must maintain an unbiased and impartial mindset throughout the audit process. Independence is crucial to ensuring the objectivity and credibility of the audit findings. This standard requires auditors to avoid any conflicts of interest that could compromise their judgment.
- Due professional care: Auditors are expected to exercise due professional care in planning and performing the audit. This involves thoroughness, accuracy, and diligence in gathering and evaluating audit evidence, as well as making informed and reasonable judgments. The Public Company Accounting Oversight Board (PCAOB) provides further insight into professional care and its importance in the auditing profession.
Standards of field work
The standards of field work outline how auditors should perform their tasks in the field, emphasizing planning, supervision, and the collection of evidence. This category encompasses three main standards:
- Proper planning and supervision: Auditors are required to thoroughly plan the audit and effectively supervise any assistants involved in the engagement. This entails understanding the client's business, evaluating risks, and devising an audit strategy. Supervision is crucial to ensure that all audit procedures are executed accurately and uniformly.
- Understanding the entity and its environment: Auditors must develop a deep understanding of the entity being audited, including its internal controls, industry, and operating environment. This knowledge is essential for identifying potential risks and issues that could affect the financial statements.
- Sufficient appropriate audit evidence: Auditors must gather sufficient and appropriate evidence to substantiate their findings and conclusions. This process includes selecting suitable audit procedures, assessing the reliability and relevance of the evidence, and meticulously documenting the audit process.
Standards of reporting
The standards of reporting are centered on how audit findings are communicated to stakeholders, ensuring the audit report is clear, accurate, and informative. The four primary standards in this category are:
- Consistency in application of accounting principles: Auditors need to verify that the financial statements are prepared according to generally accepted accounting principles (GAAP) and that these principles have been applied consistently across the current and previous periods.
- Informative disclosures: The audit report must include all necessary disclosures to ensure the financial statements are not misleading. This means confirming that all relevant information is presented accurately and thoroughly.
- Expression of an opinion: Auditors are required to express an opinion on the financial statements as a whole. Depending on the audit findings, this opinion can be unqualified (clean), qualified, adverse, or a disclaimer of opinion.
- Opinion on financial statements: The auditor's report must state whether the financial statements provide a true and fair view of the entity's financial position, operational results, and cash flows in accordance with GAAP.
While GAAS establishes the fundamental principles and framework for conducting audits, Statements on Auditing Standards (SASs) offer detailed guidance and specific instructions on various aspects of the auditing process. SASs operate within the GAAS framework to address particular auditing challenges and provide practical directives for implementing GAAS effectively. While GAAS outlines the broad standards necessary for ensuring consistency and integrity in audits, SASs deliver the precise guidance needed to navigate specific auditing situations and requirements.
GAAS vs. GAAP, PCAOB, GAGAS, and ISA
GAAS sits alongside several adjacent frameworks that practitioners routinely confuse. Knowing which standard applies to which engagement is foundational to scoping work and signing the right opinion.
GAAS vs. GAAP. GAAP, set by FASB, dictates how companies prepare their financial statements. GAAS, set by the AICPA's Auditing Standards Board, dictates how independent CPAs audit those statements. An audit opinion under GAAS expresses whether the statements are fairly presented in conformity with GAAP.
GAAS vs. PCAOB standards. PCAOB Auditing Standards apply to audits of U.S. public companies and SEC-registered broker-dealers. GAAS applies to audits of non-issuers — private companies, nonprofits, employee benefit plans, and most state and local governments. PCAOB standards are more prescriptive than GAAS, particularly on internal control over financial reporting (ICFR), auditor independence, and documentation. Firms auditing both issuers and non-issuers maintain parallel methodologies.
GAAS vs. GAGAS (the Yellow Book). GAGAS, issued by the U.S. GAO, incorporates GAAS for financial audits and layers on requirements covering independence, 80 hours of CPE every two years, peer review, and reporting on internal controls and compliance. Auditors of federal grant recipients and Single Audit engagements under the Uniform Guidance must comply with both GAAS and GAGAS.
GAAS vs. ISA. International Standards on Auditing, issued by the IAASB, are GAAS's global counterpart and are mandated or permitted in more than 130 jurisdictions outside the U.S. The ASB has substantially converged AU-C sections with ISA structure, but differences persist in group audits, going concern, and the new ISA for Less Complex Entities (effective for periods beginning on or after December 15, 2025).
Why GAAS matters in auditing
GAAS is the minimum set of standards CPAs must follow when performing audits, and it directly governs audit risk — the risk that an auditor issues an incorrect opinion on the financial statements. The framework matters most for entities whose shareholders, lenders, and regulators rely on the audit report to make decisions. Four practitioner-relevant considerations follow.
1. Ensuring consistency and reliability
GAAS provides a standardized framework for conducting audits, ensuring consistency and reliability in the audit process. This consistency allows stakeholders to have confidence in the audit findings, regardless of the auditor or the entity being audited. It also facilitates comparability of financial information across different entities and periods.
2. Enhancing credibility and trust
By adhering to GAAS, auditors demonstrate their commitment to professionalism, integrity, and objectivity. This enhances the credibility and trustworthiness of the audit report, making it a valuable tool for stakeholders in making informed decisions. Investors, creditors, and regulators rely on audit deficiency rates and findings reported under GAAS to assess the financial health and performance of an entity.
3. Promoting transparency and accountability
GAAS promotes transparency and accountability by ensuring that financial statements are presented fairly and accurately. This helps prevent fraud and misrepresentation, protecting the interests of stakeholders. Transparent financial reporting also fosters a culture of accountability within the organization, encouraging responsible financial management.
4. Facilitating compliance with regulations
Compliance with GAAS helps entities meet regulatory requirements and avoid legal and financial penalties. Regulatory bodies, such as the Securities and Exchange Commission (SEC) in the United States, mandate that publicly traded companies have their financial statements audited in accordance with GAAS. This ensures that the financial information disclosed to the public is reliable and accurate.
Challenges and criticisms of GAAS
While GAAS provides a solid framework for auditing, it is not without its challenges and criticisms. Some common issues include:
Complexity and volume of standards
The growing complexity and volume of auditing standards can be difficult to manage, particularly for smaller firms. Staying updated with the latest changes and interpretations requires significant time and resources. This complexity can also lead to inconsistencies in the application of standards.
Subjectivity in judgments
Auditing often involves significant judgment and estimation, which can introduce subjectivity into the audit process. Different auditors may interpret and apply standards differently, leading to variations in audit outcomes. This subjectivity can affect the comparability and reliability of audit reports.
Balancing professional skepticism and client relationships
Maintaining professional skepticism while preserving client relationships is a recurring tension, and a recurring PCAOB inspection finding. GAAS requires skepticism as a core mindset under the general standards, meaning auditors must critically assess audit evidence and management representations regardless of past client integrity. Practical safeguards include rotating engagement teams, mandatory engagement quality reviews (EQRs), documented challenge of management estimates, and disconfirming-evidence procedures in revenue recognition, going concern, and complex estimates.
Rapidly changing business environment
The rapidly changing business environment, driven by technological advancements and globalization, presents new risks and challenges for auditors. Auditors must continuously adapt their audit approaches and procedures to address emerging risks, such as cybersecurity threats and complex financial instruments.
What's changing in GAAS for 2025-2026
The auditing profession is undergoing significant changes, and the GAAS framework is adapting accordingly. The American Institute of Certified Public Accountants (AICPA) and the Auditing Standards Board (ASB) are driving several near-term updates that practitioners need to operationalize:
1. SAS No. 146: Risk-based quality management
SAS No. 146 shifts firms from a compliance-based QC model to a risk-based, scalable quality management system at the engagement level. Engagement partners now have explicit responsibility for managing and achieving quality, including assessing engagement-specific quality risks, supervising team members, and documenting how quality objectives were met. It is effective for audits of periods beginning on or after December 15, 2025, and aligns the AICPA framework with the IAASB's ISQM 1/2 and ISA 220 (Revised). Firms should run a gap analysis against their current QC system now.
2. PCAOB enhanced confirmation standard
The PCAOB's enhanced confirmation standard modernizes the audit confirmation process, including expanded use of electronic confirmations and tightened procedures for managing nonresponses. It is effective for fiscal years ending on or after June 15, 2025. Firms running parallel PCAOB and GAAS methodologies should reconcile confirmation workflows against AICPA SAS guidance to keep procedures consistent across engagements.
3. Technology, data analytics, and AI
Advanced data analytics tools can improve the efficiency and effectiveness of audits by enabling auditors to analyze large volumes of data and identify patterns and anomalies. GAAS does not yet contain an AI-specific standard, but auditors can apply AU-C 315 risk assessment requirements alongside COSO's 2024 generative AI guidance and the IIA's updated AI Auditing Framework. Key considerations include model governance, data lineage and integrity, bias and accuracy testing, change management over models, and management review of AI-generated outputs used in financial reporting.
4. Enhanced focus on auditor independence
Auditor independence remains a critical issue, and a frequent PCAOB inspection theme. Future developments in GAAS may include stricter guidelines and regulations to prevent conflicts of interest and maintain the objectivity of independent auditors. This could involve more stringent rules on auditor rotation and the provision of non-audit services, in line with the requirements outlined by the Sarbanes-Oxley Act.
5. Emerging risks: cyber and climate
As new risks emerge, such as those tied to cybersecurity and climate, GAAS will need to evolve to address the risk of material misstatements they create. Practitioners can map IT audit checklists to NIST CSF 2.0 (released February 26, 2024) using NIST SP 1331, and watch ISSA 5000 (effective for periods beginning on or after December 15, 2026) for sustainability assurance methodology cues — even though ISSA 5000 sits under IAASB, not GAAS.
6. Global harmonization with ISA
With the increasing globalization of business, harmonization of auditing standards across jurisdictions continues. ISA 570 (Revised 2024) on going concern, effective for periods beginning on or after December 15, 2026, and the IAASB's ISA for Less Complex Entities are two near-term anchors. Multinational firms should monitor ASB convergence activity and document scoping decisions on which framework applies to each engagement.
Where audit quality stands today
Aggregate PCAOB Part I.A deficiency rates dropped from 46% in 2023 to 39% in 2024 — the most notable improvement in several inspection cycles. Non-affiliated network firms inspected on a triennial basis still showed deficiency rates of 61% in 2024 (down from 67%), indicating that smaller firms continue to face disproportionate difficulty with audit evidence, ICFR, and revenue testing. Practitioners should benchmark internal deficiency root-cause analyses against PCAOB themes and reassess training and engagement quality review effectiveness.
Generally accepted auditing standards remain the bedrock of audit quality control for non-issuer attestation engagements. As the profession progresses, audit software, auditor independence, professional judgment, and global harmonization will continue to shape how GAAS is interpreted and applied.
Frequently asked questions
What is the difference between GAAP and GAAS?
GAAP, set by FASB, governs how companies prepare financial statements. GAAS, set by the AICPA's Auditing Standards Board, governs how independent CPAs audit those statements. Management uses GAAP to produce the numbers; auditors use GAAS to test them. An audit opinion under GAAS expresses whether financial statements are fairly presented in conformity with GAAP.
What is the difference between PCAOB and GAAS standards?
PCAOB standards apply to audits of U.S. public companies and SEC-registered broker-dealers, while GAAS applies to audits of private companies, nonprofits, and most non-issuers. PCAOB standards are more prescriptive, with heavier requirements on internal control over financial reporting, auditor independence, and documentation. Firms auditing both populations maintain two parallel methodologies.
What are the 10 GAAS standards?
GAAS comprises 10 codified standards organized into three categories: three general standards (technical training and proficiency, independence in mental attitude, due professional care), three standards of field work (planning and supervision, understanding the entity and its environment, sufficient appropriate audit evidence), and four standards of reporting (consistent application of GAAP, informative disclosures, identification of GAAP departures, and expression of an opinion).
Who is required to follow GAAS?
GAAS is the minimum set of standards that CPAs must follow when auditing non-issuer financial statements in the United States, including private companies, nonprofits, employee benefit plans, and state and local governments (which also follow GAGAS). Audits of SEC issuers and registered broker-dealers follow PCAOB standards instead. State boards of accountancy and the AICPA Code of Professional Conduct enforce GAAS compliance for licensed CPAs.
How does GAAS relate to GAGAS (the Yellow Book)?
GAGAS, the Yellow Book issued by the U.S. GAO, incorporates GAAS for financial audits and layers on additional requirements covering independence, 80 hours of CPE every two years, quality control and peer review, and reporting on internal controls and compliance. Auditors of federal grant recipients, Single Audits under the Uniform Guidance, and most government engagements must comply with both GAAS and GAGAS. The Yellow Book also extends to attestation engagements and performance audits, which GAAS does not directly cover.
What's changing in GAAS for 2025-2026 that practitioners need to prepare for?
Three near-term changes dominate the GAAS roadmap: SAS No. 146 on quality management, effective for periods beginning on or after December 15, 2025; the PCAOB's enhanced confirmation standard, effective for fiscal years ending on or after June 15, 2025; and ISA 570 (Revised 2024) on going concern, effective December 15, 2026. Firms should run gap analyses now against their current quality management systems and confirmation procedures.
How should auditors apply GAAS when auditing a client's use of AI?
GAAS does not yet contain an AI-specific standard, but auditors should apply existing AU-C 315 risk assessment requirements alongside COSO's 2024 generative AI guidance and the IIA's updated AI Auditing Framework. Key audit considerations include model governance, data lineage and integrity, bias and accuracy testing, change management over models, and management review of AI-generated outputs used in financial reporting. Auditors should also reassess their own use of AI tools under the due professional care and audit evidence standards.
About the authors

Chris Kane, CPA, is a Manager of Product Solutions at Optro. Prior to joining Optro, Chris spent 7 years with PwC in Philadelphia as part of the external audit line of service focusing on the healthcare, pharmaceutical, and telecommunications industries.