Auditing 101 | Part 1: Starting the Audit
How an Audit Works from Start to Finish (Part 1 of 4)
Client Acceptance, the Engagement Letter, Audit Documentation, Planning, and Relying on Others
The AUD section of the CPA exam tests the entire audit process, and the biggest mistake students make is trying to memorize individual rules without understanding the overall flow. When you see how every phase connects, from accepting a new client to issuing the audit opinion, the individual rules start to make sense on their own.
This is Part 1 of a four-part series that walks through the complete audit process. In this article, we cover everything that happens before the auditors ever test a single account balance: client acceptance, the engagement letter, audit documentation, audit planning, and the groups of people the external auditors can rely on.
AUD 101: The Complete Audit Process
- Part 1: Client Acceptance, Engagement Letter, Documentation, and Planning (this article)
- Part 2: Audit Risk, Materiality, and Internal Controls (coming soon)
- Part 3: Substantive Testing -- Cash, Receivables, and Revenue (coming soon)
- Part 4: Audit Reports and Opinions (coming soon)
Who this guide is for:
- AUD students who want to understand the big picture before drilling MCQs
- First-time AUD takers who need a clear roadmap of what happens in each audit phase
- Audit interns and staff who want to understand the "why" behind the work they perform
- Anyone who prefers learning the process first and the rules second
Jump to:
Video: The Entire Audit Process Explained (Part 1 of 4)
Want the full AUD study system?
My Free CPA 101 course includes a complete study roadmap for AUD, including the exact strategies I used to pass every CPA exam section with a 90+.
Get My Free CPA 101 CourseWhy Does a Company Need to Be Audited? AUD
A company prepares its own financial statements and then provides those statements to the people who rely on them: investors, creditors, banks, and other stakeholders. The problem is obvious. If the company creates the financial statements, what stops the company from inflating revenue or hiding liabilities?
That is the entire reason external auditors exist. The company pays the external auditors to come in, independently test the accounts, and issue an opinion on whether the financial statements are fairly presented. Once the auditors provide that opinion, the users of the financial statements have a basis for trusting the numbers.
The Flow
Kyle's 90+ Score Insight: The CPA exam tests this concept from multiple angles. Remember that the financial statements belong to management, not the auditors. The auditors provide an opinion on those statements, but the responsibility for preparing and fairly presenting them is always on management.
Client Acceptance Phase 1
The primary goal of client acceptance is avoiding clients that lack integrity. The auditors will depend heavily on information that management provides throughout the engagement. If management is not trustworthy, the foundation of the audit is compromised from the start.
Beyond integrity, the firm also evaluates practical considerations before accepting:
Firm competence
Does the firm have experience in this industry? Does the engagement require specialized knowledge the firm does not have?
Staffing and resources
Will the firm need to hire component auditors for different locations or subsidiaries? Is there enough staff available for the engagement timeline?
Deadlines and reporting
Can the firm complete the audit within the client's financial reporting timeline?
Common Trap: AUD questions sometimes present a scenario where the client is willing to pay a large fee, but there are red flags about management's integrity. The correct answer is almost always to decline the engagement. Fee size does not override integrity concerns.
Management's Three Responsibilities High-Yield
Preparation and fair presentation of the financial statements
The financial statements are management's responsibility, not the auditor's. Management must prepare them and ensure they are fairly presented in accordance with the applicable financial reporting framework.
Internal controls: design, implementation, and maintenance
Designing internal controls means putting the processes together to prevent errors and fraud. Implementing means actually following those controls in practice. Maintaining means reviewing and updating the controls over time as the business changes.
Providing auditors with access
Management must give the auditors access to all documentation, records, and personnel necessary to perform the audit. Without this access, the auditors cannot gather sufficient evidence.
Study Tip: These three responsibilities show up in the engagement letter, in the audit report, and in management representation letters. Learn them once and they pay off across multiple AUD topics.
The Engagement Letter AUD
The auditor prepares the engagement letter and sends it to management. Management signs it and returns it to the auditors. Once both sides have agreed, the audit can officially begin.
What IS Included
- Management's responsibilities
- Auditor's responsibilities
- The expected audit reports to be delivered
- The company's financial reporting framework (e.g., U.S. GAAP)
- A statement that the auditors provide reasonable assurance, not absolute assurance
- Audit fees (may be included)
What is NOT Included
- Materiality levels set by the auditors
- Specific audit procedures the auditors plan to perform
- Sample sizes or testing details
- Anything that would allow management to manipulate the audit
Common Trap: The AICPA tests the "what is NOT included" side heavily. If the engagement letter disclosed that materiality was set at $100,000, management would know it could make misstatements up to that threshold without triggering an issue. That is why materiality levels and specific procedures are never disclosed to management.
Kyle's 90+ Score Insight: The engagement letter mentions "reasonable assurance" because there is always a chance the auditors may not detect a misstatement. That concept links directly to audit risk, which we will cover in Part 2 of this series. For now, remember: reasonable assurance is high but not absolute.
Understanding the audit process is the foundation for every AUD topic.
My Free CPA 101 Course includes the study system I used to score 90+ on every section, including how to approach AUD's heavily conceptual question style. Start it here for free.
Audit Documentation (Working Papers) AUD
A working paper can be as simple as an Excel spreadsheet where an auditor records the procedures performed, the evidence examined, and the conclusions reached. The key rules about audit documentation:
Ownership
Working papers belong to the auditors, not the client. The auditors have no obligation to provide the working papers to the client.
Two Purposes
1. Provide enough documentation to support the auditor's opinion. 2. Demonstrate that the audit was performed in accordance with auditing standards.
Sufficient and Appropriate Evidence
Two terms you will see repeatedly throughout the AUD exam are sufficient and appropriate. They describe the two dimensions of audit evidence quality:
| Term | What It Measures | How the Auditor Controls It |
|---|---|---|
| Sufficient | The quantity of audit evidence. Do we have enough? | Increase the extent of testing (test more items) |
| Appropriate | The quality of audit evidence. Is it reliable and relevant? | Change the nature and timing of procedures |
Nature, Extent, and Timing
These three levers are how auditors control the quality and quantity of audit evidence. They come up constantly on the CPA exam:
Nature = the type of procedure performed
For example, performing a search for unrecorded liabilities when testing accounts payable. Changing the nature means choosing a different or more persuasive type of test.
Extent = how much testing is performed
Testing 40 invoices provides more evidence than testing 20. Increasing the extent increases the sufficiency of evidence.
Timing = when the testing is performed
Year-end testing means testing after the end of the reporting period, which captures the full year of activity. Interim testing means testing before year-end. Year-end testing provides higher quality evidence.
Study Tip: Think of it as N-E-T. Nature, Extent, Timing. If an AUD question asks how to improve the quality of evidence, the answer almost always involves changing one or more of these three levers.
Audit Planning: Strategy and Plan AUD
Audit Strategy (High Level)
- Overall objectives of the engagement
- Staffing requirements
- Budgeted hours and timeline
- Big picture risk areas
- Resources and logistics
Audit Plan (Detailed Level)
- Specific procedures for each account or cycle
- What assertions each procedure addresses
- Sample sizes and testing approach
- Links between risk assessment and planned responses
Planning Analytical Procedures (Required)
During planning, the auditors are required to perform analytical procedures. These are high-level analyses, including trend analysis and ratio analysis, designed to identify the riskier areas of the company before any detailed testing begins.
Analytical procedures are required in two phases of the audit:
| Phase | Purpose | Required? |
|---|---|---|
| Planning | Understand the client and identify risk areas | Yes, always required |
| Substantive testing | Gather evidence about specific account balances | Optional (auditor's choice) |
| Overall review | Evaluate whether the financial statements make sense as a whole | Yes, always required |
Common Trap: Students sometimes confuse "planning analytics" with "substantive analytical procedures." Planning analytics are a required risk assessment tool. Substantive analytical procedures are an optional evidence-gathering technique used during fieldwork. The exam tests this distinction directly.
Understanding the Client's Business and Industry
Part of the planning phase includes gaining an understanding of how the client actually operates: its business model, accounting methods, and what is normal for its industry. Auditors accomplish this by touring the client's facilities, reviewing industry publications, reading prior-year financial statements, and interviewing key personnel.
This understanding is critical because it helps auditors distinguish between normal business fluctuations and unusual activity that could indicate a misstatement or fraud.
Understanding Internal Controls High-Yield
There are three distinct concepts related to internal controls that the CPA exam tests separately. Confusing them is one of the most common mistakes on AUD:
| Concept | What It Means | Required Every Audit? |
|---|---|---|
| Design | How is the control structured? What are the steps involved? | Yes |
| Implementation | Is the control actually being followed in practice? | Yes |
| Operating effectiveness | If we test the control, can we rely on it to reduce our substantive testing? | No (auditor's choice) |
The auditor is always required to understand the design and implementation of internal controls. Understanding design means knowing what the control looks like on paper. Understanding implementation means confirming that the company is actually performing the control, not just having it documented.
Testing for operating effectiveness is a separate decision. If the auditor chooses to test controls for operating effectiveness and the controls are working, the auditor can reduce the amount of substantive testing needed. If the auditor does not test controls, the auditor performs more substantive testing instead.
Common Trap: Exam questions love to present a scenario and ask whether the auditor is "required" to test internal controls. The answer: understanding design and implementation is always required. Testing operating effectiveness is not. Students who conflate these lose easy points.
Kyle's 90+ Score Insight: Think of it this way. Design asks: "Does this control exist on paper?" Implementation asks: "Is anyone actually doing it?" Operating effectiveness asks: "If they are doing it, is it working well enough that we can rely on it?" The first two are mandatory. The third is the auditor's strategic choice.
The Predecessor Auditor AUD
When a company changes audit firms, the new auditor is called the successor auditor and the prior firm is the predecessor auditor. Before accepting the engagement, the successor auditor is required to attempt to communicate with the predecessor auditor.
The purpose is straightforward: the successor auditor wants to find out why the company changed firms. Was there a disagreement over accounting principles? Does management lack integrity? Is there anything the successor auditor should know before taking on the engagement?
Key Rules
- The successor must attempt communication. If the predecessor does not respond, the successor can still accept the engagement, but should consider the implications.
- The predecessor needs the client's permission before disclosing confidential information to the successor.
- If the client refuses to grant permission, that itself is a red flag the successor should carefully consider.
Study Tip: The word "attempt" matters. The standard does not require the successor to successfully communicate, only to make the attempt. If the predecessor is unresponsive, the successor evaluates the risk and decides whether to proceed.
Relying on Others: Internal Auditors, Specialists, and Component Auditors High-Yield
Internal Auditors
Internal auditors are employees of the company being audited. They perform audit-related work inside the organization throughout the year, often in preparation for the external audit.
The external auditors can use the internal auditors to assist with the audit, but with an important limitation: because internal auditors work for the company, they are not independent. This means their work should be limited to low-complexity, low-subjectivity areas. The external auditors should not rely on internal auditors for complex estimations or areas requiring significant judgment.
Specialists
A specialist is someone with special skills in a field outside of accounting and auditing. For example, if the company holds a complex investment that is difficult to value, the auditors may hire a valuation specialist to perform the analysis.
Even though the specialist performs the work, the external auditor remains responsible for the conclusion. The auditor must understand the specialist's approach, evaluate their qualifications, and assess whether the specialist's findings are reasonable.
Common Trap: Students sometimes think that hiring a specialist transfers responsibility for that area. It does not. The external auditor is always responsible for the overall opinion, including any work performed by a specialist.
Component Auditors (Group Audits)
When a parent company has multiple subsidiaries in different locations, the main auditor (the group auditor) may engage separate firms (the component auditors) to audit individual subsidiaries.
Each component auditor sets their own materiality levels, performs their own test work on their assigned subsidiary, and completes their portion of the audit independently. The group auditor then reviews the component auditors' work and incorporates it into the overall audit of the parent company's consolidated financial statements.
Study Tip: Think of a company like Walt Disney Co. The group auditor handles the parent company. One component auditor might handle the parks subsidiary in Florida. Another might handle the media subsidiary in California. The group auditor is responsible for pulling it all together.
| Group | Role | Independent? | Key Limitation |
|---|---|---|---|
| Internal Auditors | Assist the external auditors with lower-risk testing | No (employees of the client) | Restrict to low-complexity, low-subjectivity work |
| Specialists | Perform specialized work outside of accounting (e.g., valuations) | Typically yes | External auditor must still evaluate the specialist's work |
| Component Auditors | Audit individual subsidiaries in a group audit | Yes (separate firms) | Group auditor must review and take responsibility for the consolidated opinion |
Kyle's 90+ Score Insight: The one rule that connects all three groups is this: the external auditor is always ultimately responsible. Internal auditors, specialists, and component auditors can all contribute, but the buck stops with the external auditor who signs the opinion.
FAQ
What is the purpose of the engagement letter?
The engagement letter is the written agreement between the auditor and management that establishes the terms of the audit. It outlines management's responsibilities, the auditor's responsibilities, the expected reports, and a statement that the audit provides reasonable (not absolute) assurance. It does not include materiality levels or specific audit procedures.
What is the difference between sufficient and appropriate audit evidence?
Sufficient refers to the quantity of evidence (do we have enough?). Appropriate refers to the quality (is it reliable and relevant?). The auditor controls sufficiency through the extent of testing and controls appropriateness through the nature and timing of procedures.
Is the auditor required to test internal controls on every audit?
The auditor is required to understand the design and implementation of internal controls on every audit. Testing controls for operating effectiveness is optional. If the auditor tests controls and they are effective, the auditor can reduce substantive testing. If the auditor does not test controls, more substantive testing is needed instead.
What happens if the predecessor auditor does not respond to the successor's communication?
The successor auditor is only required to attempt communication with the predecessor. If the predecessor does not respond, the successor can still accept the engagement but should consider the implications and any additional risk factors.
Who is responsible when a specialist performs work for the audit?
The external auditor remains responsible. Even though the specialist performs the technical work, the auditor must evaluate the specialist's qualifications, understand their approach, and assess the reasonableness of their findings before incorporating the results into the audit.
What are planning analytical procedures?
Planning analytical procedures are high-level analyses (trend analysis, ratio analysis, comparisons to industry data) performed during the planning phase to help the auditor understand the client and identify higher-risk areas. They are required in every audit.
Ready to master every phase of the audit?
This is Part 1 of 4. In Part 2, we will cover audit risk, materiality, and testing internal controls. My Free CPA 101 Course gives you a complete study roadmap for AUD and every other CPA exam section, including the strategies I used to score 90+ on all four exams.
Kyle Ashcraft is a CPA who scored a 90+ on all four CPA exams. Kyle founded Maxwell CPA Review, which is an exam-prep company that offers a comprehensive CPA exam review course and private tutoring.
Explore the Complete AUD 101 Series
The foundation of the audit, from engagement letters to initial strategy.
Master the audit risk formula, materiality, and the framework that drives procedures.
A complete walkthrough of the balance sheet, sampling, and the legal letter.
Concluding the audit, handling subsequent events, and issuing the final report.