The New Auditing Standards on the CPA AUD Exam (SAS 145, Quality Management, SAS 147)

The AUD section tests auditing standards more directly than any other part of the CPA exam, and the standards underneath it have changed more in the last three years than in the previous decade. Three updates matter most for anyone sitting for AUD in 2025 or 2026: SAS 145 rewrote how auditors assess risk, the new quality management standards (SQMS No. 1 and No. 2, plus SAS No. 146) retired the old “six elements of quality control,” and SAS 147 added required predecessor-auditor inquiries about fraud. If your study materials still teach a single combined risk of material misstatement, the six quality-control elements, or the old ten generally accepted auditing standards as current law, you are studying answers the exam now scores as wrong.

This guide walks through each change in the depth the exam actually requires, then lists the specific multiple-choice traps the AICPA builds from the gap between the old rules and the new ones.

First, why these are already testable

The AICPA does not test a pronouncement the day it is issued. Under its long-standing policy, an auditing or accounting pronouncement becomes eligible for testing in the later of (1) the first calendar quarter beginning after the standard's earliest mandatory effective date, or (2) the first calendar quarter beginning six months after the standard's issuance date. In practice that means a standard is usually fair game a few months after it takes effect. SAS 145 (effective for periods ending on or after December 15, 2023) has been testable since 2024. SAS 147 (effective for periods beginning on or after June 30, 2023) has been testable even longer. And the quality management standards, effective for periods beginning on or after December 15, 2025, became eligible for testing in the first quarter of 2026 — so they are testable right now.

1. SAS 145 — the risk assessment rewrite (AU-C 315)

SAS 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, superseded the old AU-C 315 and is the single most heavily tested update on modern AUD. It did not change the audit risk model — audit risk still equals inherent risk × control risk × detection risk — but it changed how several pieces of that model are defined and assessed. Five points carry almost all of the exam weight:

• Inherent risk and control risk are assessed separately. The pre-SAS-145 shortcut of assessing a single combined “risk of material misstatement” is gone. You assess IR on its own and CR on its own, for each relevant assertion.
• Control risk is set at maximum unless you plan to test controls. If the auditor does not intend to test the operating effectiveness of controls — even when the controls look well designed — control risk is assessed at the maximum. You only get to assess CR below maximum when you plan to test, and the tests support it.
• Inherent risk sits on a spectrum. Rather than “high / low,” inherent risk is assessed along a range using inherent risk factors: complexity, subjectivity, change, uncertainty, and susceptibility to misstatement from management bias or fraud.
• A “significant risk” has a new definition. It is a risk for which inherent risk is assessed near the upper end of the spectrum — judged before considering controls. The old wording (“a risk requiring special audit consideration”) is now a distractor.
• New “stand-back” requirement. After identifying significant classes of transactions, account balances, and disclosures, the auditor must step back and evaluate whether anything material was missed — a completeness check on the risk assessment itself.

SAS 145 also sharpened two definitions you will see in answer choices. A relevant assertion is one with a reasonable possibility of material misstatement; a significant class of transactions, account balance, or disclosure is one with at least one relevant assertion. And it expanded the IT requirements: the auditor must identify the IT applications subject to risks arising from IT and the related general IT controls.

2. The quality management overhaul (SQMS 1 & 2, SAS 146, SSARS 26)

This is the change most likely to catch a candidate off guard, because it retired material that prep courses taught for years. Effective for periods beginning on or after December 15, 2025, the AICPA's quality management standards replaced the old quality control framework — including QC Section 10 and its six elements of quality control (leadership, ethics, acceptance and continuance, human resources, engagement performance, and monitoring). If a question offers those six elements as the current firm-level framework, it is testing whether you know they were superseded.

In their place, SQMS No. 1 requires every firm to design and operate a risk-based system of quality management. Instead of a fixed checklist, the firm sets quality objectives, identifies the quality risks that threaten them, and designs responses. The system has eight components:

1. The firm's risk assessment process
2. Governance and leadership
3. Relevant ethical requirements
4. Acceptance and continuance of client relationships and engagements
5. Engagement performance
6. Resources (human, technological, and intellectual)
7. Information and communication
8. Monitoring and remediation

Two companion standards round it out. SQMS No. 2 governs engagement quality reviews — who must perform them and when they are required, based on the criteria the firm sets in its system. SAS No. 146 moves quality management to the engagement level, superseding the old AU-C 220, and SSARS No. 26 does the same for reviews, compilations, and preparations. The cleanest way to hold it together for the exam: quality management is a firm-level system (SQMS), implemented on each individual engagement (SAS 146 / AU-C 220), while GAAS governs the conduct of the audit itself.

One more piece of housekeeping the exam tests: the old ten generally accepted auditing standards (the three general, three fieldwork, and four reporting standards, with their TIP / PIE / GCDO mnemonics) were replaced years ago by the clarified standards' principles — purpose and premise, responsibilities, performance, and reporting. The concepts survive, but “the ten GAAS” is no longer current AICPA law, and answer choices that treat it as current are wrong.

3. SAS 147 — predecessor-auditor inquiries about fraud and NOCLAR

SAS 147, effective for audits of periods beginning on or after June 30, 2023, amended the client-acceptance rules in AU-C 210. Before accepting a new audit, the successor auditor has always had to request management's permission to communicate with the predecessor and then make inquiries. SAS 147 added a specific, required subject to those inquiries: once management authorizes the predecessor to respond, the successor must ask about identified or suspected fraud and noncompliance with laws and regulations (NOCLAR) — on top of the classic topics (disagreements with management, the reason for the change, and communications with those charged with governance).

The exam-friendly takeaway: if management refuses to authorize the predecessor to respond, or limits that response, treat it as a serious red flag weighing against acceptance — not a routine formality. This pairs with the related AICPA ethics interpretation, Responding to NOCLAR, which governs what a CPA does after discovering noncompliance.

A related “what's current” trap: seven independence threats

Not a new standard, but a recurring error in older materials: the AICPA conceptual framework for independence identifies seven threats, not five. Alongside self-interest, self-review, advocacy, familiarity, and undue influence (intimidation), the framework also names management participation (taking on a client-management role, such as serving as interim controller) and adverse interest (the CPA's interests directly opposed to the client's, such as litigation between the firm and the client). A question that lists “the five threats” or omits these two is testing whether you know the full set.

The MCQ traps these changes create

The AICPA writes some of its hardest distractors straight out of superseded guidance — the “wrong” answer is simply the rule from a few years ago. Memorize the right column.

What's coming next: SAS 149 (group audits)

One more change is on the horizon. SAS 149 overhauls group audits and supersedes AU-C 600, introducing a risk-based approach and a new distinction between component auditors (part of the engagement team) and referred-to auditors (not part of the team). It is effective for audits of group financial statements for periods ending on or after December 15, 2026, so it generally enters the testing window in 2027. If you are sitting before then, the current AU-C 600 group-audit rules still apply — assuming versus dividing responsibility, and a reference to another auditor being a division of responsibility rather than a qualification.

Where to study this for free

Every standard above is taught at current-law accuracy in our free AUD study guide, with concept cards, interactive diagrams, and practice MCQs. The quality management and standards hierarchy live in A2: Professional Standards and Regulatory Requirements; the seven independence threats are in A3: Ethics and Independence; and SAS 145 risk assessment runs through A5: Understanding the Entity and A6: Risk Assessment and Materiality. For a broader view of everything that changed, see our complete guide to CPA exam changes in 2025 and 2026.