Transcription

Summary of revisions to theUniform CPA Examination BlueprintsEffective July 1, 2019The AICPA Board of Examiners (BOE) approved revisions to the Uniform CPAExamination Blueprints (Blueprints) on October 4, 2018. There are no revisions to theFinancial Accounting and Reporting (FAR) Blueprint. The Blueprint revisions apply to thefollowing Exam sections:1. Auditing and Attestation (AUD) - The revisions expand upon or add more detailto the AUD Blueprint on audit data analytics. The revisions do not change thenature or scope of content eligible for testing in the AUD section. The auditdata analytics concepts addressed in the revisions are covered by the existingAUD Blueprint and are currently eligible for testing.2. Business Environment and Concepts (BEC) - The revisions are not intended tosignificantly change the content eligible for testing in the BEC section. Therevisions:a. Clarify the Section introduction.b. Reorganize Area IV, Information Technology, to clarify the nature andscope of the Area with respect to newly licensed practice. See the tablein the BEC discussion below for a mapping of the representative taskstatements in Area IV of the existing BEC Blueprint to the revised Area IVBlueprint.3. Regulation (REG) - The revisions clarify the REG Blueprint and do not changethe nature and scope of content eligible for testing in the REG section. Therevisions add a section assumptions discussion to the Section introduction andclarify three representative task statements.This summary is organized by Exam section. The complete, revised Blueprints may befound in the CPA Exam Study Materials section of aicpa.org/cpaexam.1

1: Auditing and Attestation (AUD)Blueprint SectionRevisionRevised the 3nd bullet under thedescription of Area II on page AUD3 asfollows (new words in italics):Assessing Risks and Planning FurtherProcedures — Identifying and assessingrisks of misstatement due to error or fraudand developing appropriate engagementprocedures, including understanding andcalculating materiality and consideringspecific engagement risks, as well asincorporating concepts such as audit dataanalytics, group audits, using the work ofthe internal audit function and the work ofspecialistsRevised the 1st sentence in the descriptionof Area III on page AUD4 as follows (newwords in italics):Section introductionArea III of the AUD section blueprint coversperforming engagement procedures andconcluding on the sufficiency andappropriateness of evidence obtained,including performing specific types ofprocedures (e.g., analytical procedures,analytical procedures using audit dataanalytics, observation and inspection,recalculation and reperformance); testingthe operating effectiveness of internalcontrols; performing tests of complianceand agreed-upon procedures;understanding and responding to specificmatters that require special consideration(e.g., accounting estimates, including fairvalue estimates); evaluating andresponding to misstatements due to erroror fraud and to internal controldeficiencies; obtaining managementrepresentations; and performingprocedures to identify and respond to2

subsequent events and subsequentlydiscovered facts.Revised the application representativetask statements as follows:Area II, Group C, Topic 4 – Assessing Risk andDeveloping a Planned Response –Understanding an entity’s internal control –Information Technology (IT) general andapplication controlsArea II, Group E, Topic 3 – Assessing Risk andDeveloping a Planned Response – Identifyingand assessing the risk of materialmisstatement, whether due to error or fraud, andplanning further procedures responsive toidentified risks - Further procedures responsiveto identified risksIdentify and document an entity’s key ITgeneral and application controls, theirimpact on the audit of an entity’s financialstatements, including an audit of anentity’s internal controls, and consider theeffect of these controls and manualcontrols on the completeness andreliability of an entity’s data.Perform and document tests of an entity’skey IT general and application controls,their impact on the audit of an entity’sfinancial statements, including an audit ofan entity’s internal controls, and considerthe effect of these controls and manualcontrols on the completeness andreliability of an entity’s data.Added an analysis representative taskstatement as follows:Assess risks of material misstatementusing audit data analytic outputs (e.g.,reports and visualizations) to determinerelationships among variables andinterpret results to provide a basis fordeveloping planned audit procedures.Added an analysis representative taskstatement as follows:Area III, Group C, Topic 1 – Performing FurtherProcedures and Obtaining Evidence –Performing specific procedures to obtainevidence - Analytical proceduresArea III, Group C, Topic 6 – Performing FurtherProcedures and Obtaining Evidence –Performing specific procedures to obtainevidence - All other proceduresPerform analytical procedures usingoutputs (e.g., reports and visualizations)from audit data analytic techniques todetermine relationships among variablesand interpret results in an audit or nonaudit engagement.Added two analysis representative taskstatements as follows:3

Determine the attributes, structure andsources of data needed to complete auditdata analytic procedures.Use audit data analytic outputs (e.g.,reports and visualizations) to determinerelationships among variables andinterpret results to meet objectives ofplanned procedures in an audit or nonaudit engagement.4

2: Business Environment and Concepts (BEC)a. Clarify the Section introductionBlueprint SectionRevisionReplaced the description of Area I on pageBEC2 as follows:Area I of the BEC section blueprint coversseveral topics related to CorporateGovernance, including the following:· Knowledge and use of internal controlframeworks· Knowledge and use of enterprise riskmanagement frameworks· Identifying key corporate governanceprovisions of regulatory frameworks andlaws such as the Sarbanes-Oxley Act of2002Section introductionReplaced the description of Area IV on pageBEC3 as follows:Area IV of the BEC section blueprint coversseveral topics related to InformationTechnology (IT), including the following:· Understanding the role of IT and systems,including the use of data in supportingbusiness decisions.· Identifying IT-related risks associated withan entity’s information systems andprocesses, such as processing integrity,protection of information and systemavailability, including those risks introducedby the relationships with third-parties.· Identifying application and IT generalcontrol activities, whether manual, ITdependent or automated, that areresponsive to IT-related risks, such asaccess and authorization controls, systemimplementation testing and incidentresponse plans.5

Added a reference on page BEC5 asfollows:– COSO-issued application material, thoughtpapers and guides related to the aboveframeworksb. Reorganize Area IV, Information TechnologyExisting Area IV Representative TaskStatementsIdentify the role that the IT function plays indetermining/supporting an organization's visionand strategy. (Group A, Topic 1)Describe the IT governance structure within anorganization (tone at the top, policies, steeringcommittees, IT strategies, oversight, etc.).(Group A, Topic 2)Revised Area IV BlueprintGroup A, Topic 1 – Understanding ofinformation technology (IT) - Organizationand governanceRemembering and understandingrepresentative task statement:Explain the role that IT people, processesand strategies play in determining andsupporting an entity’s overall vision andstrategy.Group A, Topic 1 – Understanding ofinformation technology (IT) - Organizationand governanceApplication representative task statement:Describe the IT governance structurewithin an entity (e.g., tone at the top,policies, frameworks, steering committeesand oversight).6

Group A, Topic 2 – Understanding ofinformation technology (IT) - Systems andprocessesRemembering and understandingrepresentative task statements:Define the basics of hardware, software,databases, networks, mobile technology,etc. used by an entity internally, externallyand through outsourcing arrangements(e.g., application service providers andcloud computing).Understand the flow of transactionsrepresented in a flowchart, data diagramand system interface diagram.Group A, Topic 2 – Understanding ofinformation technology (IT) - Systems andprocessesApplication representative task statement:Identify the role of information systems in keybusiness processes within an entity. (Group B)Identify the role of e-commerce in key businessprocesses within an entity. (Group B)Identify the role of information systems(e.g., enterprise and application systems)in key business processes (e.g., sales, cashcollections, purchasing, disbursements,human resources, payroll, production,treasury, fixed assets, general ledger andreporting).7

Group A, Topic 3 – Understanding ofinformation technology (IT) - DataRemembering and understandingrepresentative task statements:Recognize the role of big data/data analyticsand statistics in supporting business decisions.(Group B)Understand key characteristics of arelational database (e.g., data dictionary,data types, tables, records, fields,relationships, keys, views, queries andreports).Recognize the role of big data insupporting business decisions.Group A, Topic 3 – Understanding ofinformation technology (IT) - DataApplication representative task statement:Use business intelligence (including dataanalytics and statistics) to supportbusiness decisions.Group B, Topic 1 – Risks associated withIT - Risk assessmentApplication representative task statement:Conduct an IT risk assessment, identify risksand suggest mitigation strategies. (Group A,Topic 3)Identify weaknesses and mitigation strategieswithin an entity’s IT environment in relation to ITgeneral and application controls. (Group C,Topic 2)Identify IT-related risks and describemitigation strategies given risk severity,probability and costs.8

Group B, Topic 2 – Risks associated withIT - System development and maintenanceApplication representative task statement:Recognize the fundamental issues and risksassociated with implementing new informationsystems or maintaining existing informationsystems within an entity. (Group E)Determine the fundamental issues andrisks associated with selecting, developingand implementing new informationsystems or maintaining existinginformation systems.Group B, Topic 3 – Risks associated withIT - Processing integrityApplication representative task statement:Describe the role of input, processing andoutput controls within an entity to supportcompleteness, accuracy and continuedprocessing integrity. (Group D)Determine the risks associated withensuring the completeness, accuracy andcontinued processing integrity in input,storage, processing and output processes.Group B, Topic 4 – Risks associated withIT - Security, availability, confidentiality andprivacyApplication representative task statement:Identify weaknesses and mitigation strategieswithin an entity’s IT environment in relation tological and physical access controls. (Group C,Topic 2)Identify system access and segregation ofduties risks.9

Group B, Topic 4 – Risks associated withIT - Security, availability, confidentiality andprivacyApplication representative taskstatements:Identify the risks (e.g., cybersecurity andinternal) associated with protectingsensitive and critical information (e.g.,proprietary and personal information)Recognize the risks and controls associatedwith protecting sensitive and critical information within information systems (includingwithin an organization’s IT environment (the use processing, storing and transmittingof mobile technology, data storage devices, data information internally and with externalparties).transmission, cybersecurity, etc.). (Group C,Topic 1)Perform threat identification to identifyrisks related to information confidentiality.Group B, Topic 4 – Risks associated withIT - Security, availability, confidentiality andprivacyApplication representative task statement:Describe an entity’s disaster recovery/businesscontinuity plans, including threat identificationand mitigation strategies, data backup andrecovery procedures, alternate processingfacilities, etc. (Group C, Topic 3)Perform threat identification to identifyrisks related to system availability.10

Group C, Topic 1 – Controls that respondto risks associated with IT - ApplicationcontrolsApplication representative task statement:Describe the role of input, processing andoutput controls within an entity to supportcompleteness, accuracy and continuedprocessing integrity. (Group D)Determine the appropriateness of the designand operating effectiveness of applicationcontrols (authorizations, approvals, tolerancelevels, input edits, etc.). (Group D)Determine the role and appropriateness ofinput, storage, processing, and outputapplication controls (e.g., authorizations,approvals, tolerance levels, input edits andconfigurations) to support completeness,accuracy and continued processingintegrity.Group C, Topic 2 – Controls that respondto risks associated with IT - General ITcontrolsRemembering and understandingrepresentative task statement:Identify different information system testingstrategies. (Group E)Understand the controls and testingstrategies used in selecting, developingand implementing new informationsystems.Group C, Topic 2 – Controls that respondto risks associated with IT - General ITcontrolsApplication representative task statement:Identify issues related to the design andeffectiveness of IT control activities, includingmanual vs. automated controls, as well aspreventive, detective and corrective controls.(Group D)Identify effective IT control activities,including manual, IT dependent andautomated controls, as well as preventive,detective and corrective controls.11

Group C, Topic 3 – Controls that respondto risks associated with IT - Logical andphysical controlsApplication representative task statement:Identify weaknesses and mitigation strategieswithin an entity’s IT environment in relation tological and physical access controls. (Group C,Topic 2)Identify logical and physical accesscontrols (e.g., roles and rights andsegregation of duties).Group C, Topic 3 – Controls that respondto risks associated with IT - Logical andphysical controlsApplication representative taskstatements:Identify the controls associated withprotecting sensitive and criticalinformation (e.g., proprietary and personal)within information systems.Recognize the risks and controls associatedwith protecting sensitive and critical informationwithin an organization’s IT environment (the useof mobile technology, data storage devices, data Determine responses to informationsystem confidentiality risks (e.g., incidenttransmission, cybersecurity, etc.). (Group C,response plan).Topic 1)Group C, Topic 4 – Controls that respondto risks associated with IT - Continuity andrecovery plansApplication representative task statement:Describe an entity’s disaster recovery/businesscontinuity plans, including threat identificationand mitigation strategies, data backup andrecovery procedures, alternate processingfacilities, etc. (Group C, Topic 3)Determine responses to system availabilityrisks (e.g., data backup and recoveryprocedures and alternate processingfacilities).12

C: Regulation (REG)Blueprint SectionRevisionAdded a section assumptions discussionto page REG3 as follows:Section introductionThe REG section of the Exam includesmultiple-choice questions, task-basedsimulations and research prompts.Candidates should assume that theinformation provided in each question ismaterial and should apply all statedassumptions. To the extent a questionaddresses a topic that could have differenttax treatments based on timing (e.g.,alimony arrangements or net operatinglosses), it will include a clear indication ofthe timing (e.g., use of real dates) so thatthe candidates can determine theappropriate portions of the InternalRevenue Code or Treasury Regulations toapply to the question. Absent such anindication of timing or other statedassumptions, candidates should assumethat transactions or events referenced inthe question occurred in the current yearand should apply the most recentprovisions of the tax law in accordancewith the timing specified in the CPA ExamPolicy on New Pronouncements.Revised the first applicationrepresentative task statement as follows:Area III, Group A, Topic 4 – Federal Taxation ofProperty Transactions - Acquisition anddisposition of assets - Related partytransactions (included computed interests)Calculate the direct and indirect ownershippercentages of corporation stock orpartnership interests to determine whetherthere are related parties for federal incometax purposes.Area III, Group C, Topic 3 – Federal Taxation ofProperty Transactions - Estate and gift taxation Determination of taxable estateRevised the remembering andunderstanding representative taskstatements as follows:13

Recall assets includible in a decedent’sgross estate for federal estate taxpurposes.Recall allowable estate tax deductions forfederal estate tax purposes.14

Summary of revisions to theUniform CPA Examination BlueprintsEffective July 1, 201915

following Exam sections: 1. Auditing and Attestation (AUD) - The revisions expand upon or add more detail to the AUD Blueprint on audit data analytics. The revisions do not change the nature or scope of content eligible for testing in the AUD section. The audit data analytics concep