A&A Focus recap: Auditing Standards Board chair; a new COSO framework; stablecoin criteria

The AICPA A&A Focus webcast on June 4 explored standard-setting developments and emerging trends in governance and digital assets. Hosted by Bob Durak, CPA, CGMA, director of A&A Technical Services at the Association of International Certified Professional Accountants, and Andrew Merryman, CPA, senior manager–A&A Technical Services, the program welcomed three expert guests: new Auditing Standards Board (ASB) chair, Halie Creps, CPA; Lucia Wind, executive director of COSO; and Jeff Trent, CPA, partner at PwC and chair of the AICPA’s Stablecoin Controls Workstream.

Auditing Standards Board update

Creps, partner in KPMG’s Department of Professional Practice, opened the program with an update on the ASB’s May 14–16 meeting, highlighting three primary areas of activity: proposed changes to AU-C Section 240, Consideration of Fraud in a Financial Statement Audit, ongoing revisions to the attestation standards with a focus on sustainability, and the board’s evolving research agenda.

First, Creps discussed the Board’s development of the fraud exposure draft, noting that the ASB’s fraud project aligns closely with the International Auditing and Assurance Standards Board’s (IAASB) recently revised International Standard on Auditing No. 240, The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements. The ED retains the U.S.-specific definition of fraud while incorporating elements of ISA 240 such as more robust fraud risk assessments, an increased emphasis on professional skepticism, and expanded auditor communication with those charged with governance. The ED is expected to be released in July . The ED will be available on the ASB’s exposure drafts page of its website. Creps wrapped up her discussion of fraud by noting that Heather Funsch, CPA, a member of the ASB, will join the July A&A Focus broadcast to dive deeper into what the ED contains and provide additional insights.

The expected effective date for the revised fraud standard is expected to be for audits of financial statements with periods ending on or after Dec. 15, 2028.

In the attestation space, the ASB is working to modernize its baseline standards and to develop a sustainability-specific section in response to the IAASB’s newly issued International Standard on Sustainability Assurance No. 5000, General Requirements for Sustainability Assurance Engagements. The ASB’s goal, according to Creps, is to integrate sustainability assurance requirements within the existing U.S. attestation framework rather than create a standalone standard.

Creps also shared that the ASB’s research efforts, led by ASB member and previous A&A Focus guest, Greg Jenkins, CPA, are focusing on peer review feedback, the auditor’s use of technology, and additional research on going concern reporting. Creps emphasized that research plays a critical role in grounding standard-setting in stakeholder needs.

Finally, Creps reminded viewers of the current ASB ED open for comment which makes revisions to external confirmation procedures. She encouraged members to review and comment on this proposal and to consider commenting on the fraud related exposure draft when it is available.

The ASB also held a meeting on June 10 and will hold another two-day meeting on Aug. 20–21. To view highlights, agendas, meeting materials and to register to attend future meetings, visit the ASB area on aicpa-cima.com.

COSO Corporate Governance Framework

The broadcast welcomed Wind, executive director of COSO, for her first appearance, and Wind presented information on the newly released exposure draft of COSO’s Corporate Governance Framework (CGF). Wind explained that the CGF is COSO’s response to a growing need for broader, more holistic guidance on governance, especially in the U.S. market where, she noted, there really is no comprehensive authoritative guidance or framework on a broader view of corporate governance. Unlike existing frameworks that focus narrowly on the role of the entity’s board of directors, the CGF is designed to address governance throughout the organization. The new framework builds on COSO’s legacy frameworks—Internal Control–Integrated Framework (ICIF) and Enterprise Risk Management (ERM).

Wind described the CGF as a holistic, principles-based framework composed of six components and 24 principles, each supported by points of focus. The framework reflects extensive research, including a review of nearly 100 governance frameworks worldwide, and was designed to be usable across all sectors, regardless of an entity’s size. Although, Wind noted, the GCF’s visual representation, a circular “pizza pie” model, departs from the iconic COSO cube, it maintains the layered structure familiar to COSO users.

Wind highlighted that the CGF retains conceptual continuity with COSO’s prior publications. For instance, the ICIF’s control environment component and the ERM’s governance and culture component are expanded upon in the CGF, which explores governance not only as a foundation but as a dynamic and organizationwide process. The new framework addresses timely topics that may not have been prominent in earlier guidance, such as the use of emerging technologies in governance processes and evolving expectations for oversight roles.

The CGF ED is open for public comment until July 11, with final publication expected in early fall. To support understanding of the framework, COSO plans to release a certificate program based on the CGF, similar to offerings tied to its other frameworks.

Proposed criteria for controls supporting token operations

Trent, of PwC, also made his A&A Focus debut and concluded the presentation portion of the webcast with an overview of a new AICPA-developed exposure draft for control criteria over stablecoin operations, Proposed Criteria for Controls Supporting Token Operations: Specific to Asset-Backed Fiat-Pegged Tokens. The proposed criteria define control objectives for stablecoin issuers across eight operational areas—ranging from token issuance and reserve management to cryptographic key control and client onboarding—and include guidance for IT general controls.

Trent emphasized that, although guidance and legislative efforts around stablecoins are evolving, there has been no consistent, standardized approach for issuers to follow when establishing and evaluating internal controls related to stablecoin operations.

Trent explained that current regulatory expectations often focus on reserve attestations—point-in-time reports on whether the reserves held by a stablecoin issuer adequately back the coins in circulation. However, he noted that these attestations alone don’t provide ongoing assurance about how those reserves are managed or how the underlying processes are controlled.

One of the key motivations for developing the criteria was the absence of an agreed-upon baseline for what stablecoin issuers should be doing in terms of controls. To address this gap, the criteria defines control objectives across eight operational areas, along with IT general controls. It provides points of focus—essentially, implementation guidance—that help issuers design and assess the effectiveness of their systems. The framework is meant to promote consistency, transparency, and preparedness across current and future issuers, especially as the marketplace grows and more entities enter the space.

Public comment on the ED are due by Aug. 11. Once finalized, the criteria will be integrated into a comprehensive AICPA publication that also includes the previously released AICPA stablecoin reserve reporting criteria. Regular viewers will recall Jay Schulman, CPA, principal at RSM and leader of its digital assets practice, joined the broadcast in March 2025 to discuss the reporting criteria.

Looking ahead

As noted, the July 2 A&A Focus webcast will feature Heather Funsch, CPA, ASB member, discussing the ASB’s fraud exposure draft. Additionally, joining the program are Pete Ugo, CPA, the chair of the AICPA’s Not-for-Profit Expert Panel, to discuss recent topics of interest to not-for-profit entities and assurance providers, and Cathy Cobey, CPA, of EY, who will return to discuss the third in a series of AICPA/CPACanada whitepapers on trust in AI and the role of AI in assurance.

AICPA members are encouraged to attend these monthly events and review the accompanying newsletters for more in-depth coverage of these critical topics. Members can access archives of past sessions at the A&A Focus Series webpage.

— Dave Arman, CPA, MBA, is senior manager–Audit Quality at the Association of International Certified Professional Accountants. To comment on this article or to suggest an idea for another article, contact Jeff Drew at Jeff.Drew@aicpa-cima.com.