Touring the Open Audit Methodology Library: ISA 600, CSRD, PCAOB, Wolfsberg, and 12 More

Today VynFi shipped the Audit Methodology Library — a free, public, SEO-indexed reference catalog covering the methodology surfaces every audit firm uses and almost no one publishes openly. This post walks through every family: where the data comes from, what each endpoint exposes, which portal page surfaces it for human readers, and how to consume it programmatically.

Why a public library?

Audit methodology is the operating system of every Big 4 firm. EY GAM, PwC Aura, KPMG Clara, Deloitte Omnia — internally they're meticulously structured, ISA-aligned, jurisdiction-specific, with hundreds of procedures, evidence requirements, working-paper templates, and assertion mappings. Externally they're a black box: the firms publish high-level marketing pages and methodology principles, but the actual procedure-level structure stays inside the firm's training portals. New auditors, mid-tier firms building competing methodologies, regulators benchmarking practice quality, and academics studying audit methodology all hit the same wall — there's no openly-readable methodology corpus.

VynFi's stance: a public, accurate-to-standards methodology corpus is a public good. We're not publishing the firms' proprietary internal methodologies — we're publishing a synthesis of public sources (ISA, IFRS, ESRS, MiCA, AMLR, PCAOB AS, CSRD, ASEC 280-10, Wolfsberg, public Big4 disclosures, MROS SAR templates, UBS reconstruction forms, regulatory press releases) curated into a structured, queryable, machine-readable form.

Family 1 — Big4 methodology (4 endpoints)

The Big4 family captures the common ISA-derived spine that all four firms share, plus four firm overlays that document the firm-specific extensions, naming differences, and audit-tool integrations on top of that spine, plus a cross-firm equivalence map.

• `GET /v1/audit-methodology/big4/spine` — the common ISA-derived methodology spine. Phases (planning → risk assessment → response → completion → reporting), procedures, assertion catalog. The shared baseline.
• `GET /v1/audit-methodology/big4/firms` — list of 4 firms with overview metadata.
• `GET /v1/audit-methodology/big4/firms/{firm}` — firm-specific overlay. `procedure_extensions` shows what each firm adds; `firm_specific_artifacts` documents firm naming for working papers (KPMG calls them e-files, EY calls them GAM working papers, etc.).
• `GET /v1/audit-methodology/big4/equivalence` — cross-firm map. Pick any spine procedure; see the EY name, the PwC name, the KPMG name, the Deloitte name. Useful for auditors moving between firms or for procurement evaluating methodology equivalence.

Portal pages live at `/audit-methodology/big4/`, `/audit-methodology/big4/spine`, `/audit-methodology/big4/firms/ey-gam`, `/pwc-aura`, `/kpmg-clara`, `/deloitte-omnia`, and `/audit-methodology/big4/equivalence`. All deeply linked from the firm pages back to the spine.

Family 2 — Jurisdictional overlays (2 endpoints)

Seven jurisdictions, 39 procedures total, each layered on top of the ISA spine: PCAOB US (public-company audit), EU CSRD (sustainability assurance), UK FRC (FRC-supervised audit + ARGA), ASIC AU (Australian Auditing Standards), JFSA JP (Financial Services Agency Japan), ACRA SG (Singapore Accountancy and Corporate Regulatory Authority), HKICPA HK.

Each jurisdictional overlay declares which spine procedures are in scope, which are extended (extra evidence required), and which are jurisdiction-only (e.g., PCAOB AS 2201 ICFR procedures don't exist in non-US jurisdictions). The portal index page surfaces a comparison matrix: pick three jurisdictions, see where they diverge.

Family 3 — Methodology blueprints (2 endpoints)

Two named, deeply-specified blueprints in Wave 1: ISA 600 (group audit) and CSRD limited-assurance. Each blueprint includes phases, procedures, materiality model (component vs group), and the working-paper artifacts emitted at each phase. ISA 600 is the canonical multi-component audit blueprint — group auditor → component auditors → consolidation. CSRD is the EU sustainability-reporting limited-assurance blueprint with the ESRS data-point reference.

Future blueprints (PCAOB AS 2201, ISA 240 fraud, ISA 705 modified opinions, ISA 720 other-information) are in the upstream crate's roadmap. As they ship in datasynth-audit-fsm releases, they'll appear here automatically.

Family 4 — KYC blueprints (2 endpoints)

Six AML/KYC workflow blueprints — the operational sequences that financial-institution compliance teams run on every relationship: private banking onboarding (high-net-worth screening), correspondent banking due diligence (cross-border bank-to-bank), crypto-CASP onboarding under MiCA (the new EU crypto regime), periodic review (annual customer refresh), SAR escalation (suspicious-activity report routing), sanctions remediation (post-flag remediation).

Each workflow includes the procedures, decision points, evidence requirements, and the cross-references to AMLR / FATF / Wolfsberg / FinCEN sources. Useful as a compliance reference and as a structured input for AI-assisted compliance tooling.

Family 5 — Banking forms (4 endpoints, 7 forms, 228 fields)

The banking-forms family is the catalog's most field-dense surface. Seven publicly-available forms with full field-level structure:

• **MROS SAR** (Switzerland) — the Swiss FIU's suspicious-activity report template.
• **UBS Form A** (Banking Reconstruction A) — historical wealth-and-assets reconstruction.
• **UBS KYC ID** — identity-verification reconstruction.
• **UBS SOF** (Source of Funds) — wealth-origination reconstruction.
• **UBS Tax** — tax-status reconstruction.
• **Wolfsberg CBDDQ v1.4** — the canonical correspondent-banking due-diligence questionnaire.
• **Wolfsberg FCCQ v1.2** — the financial-crime compliance questionnaire.

Beyond the per-form schema, the family includes a cross-form **canonical-terms** index: pick any concept (account_number, beneficial_owner, source_of_funds, ...) and see every form that references it, with each form's local field name and validation rules. This is the practical surface that AML compliance teams want — when a regulator asks 'show me where this concept is captured across your evidence base', the index answers in one query.

Family 6 — Engagement scenarios (2 endpoints)

15 deterministic engagement scenarios with expected outcomes — these are the reference test cases for the audit-methodology FSM. Each scenario fixes a starting condition (clean books, material misstatement, going-concern uncertainty, IFRS 8 segment complexity) and asserts the expected opinion type and procedural path. Useful as test cases for audit AI/automation, as training scenarios for junior auditors, and as benchmarks for methodology coverage.

Scenarios shipped in Wave 1: clean-engagement, qualified-opinion-material-misstatement, going-concern-material-uncertainty, going-concern-inappropriate, ifrs-first-time-adopter, segment-reporting-complexity-ifrs-8, plus 9 more covering audit-of-estimates, related-parties, subsequent-events, fraud-risk, group-component, ESG-CSRD-limited-assurance edge cases.

Family 7-8 — Reference content (3 endpoints)

Three foundational schemas that the rest of the catalog references:

• **RMM taxonomy** (`/rmm/taxonomy`) — the 12-factor risk-of-material-misstatement taxonomy: 7 inherent factors + 5 control factors. Each factor has Beta(α, β) priors, ISA references, and assertion-level applicability. This is the structured input to Wave 4's Bayesian RMM scoring.
• **L4 graph schema** (`/graph/schema`) — the level-4 audit knowledge graph: 11 node types (entity, component, account, assertion, control, procedure, evidence, finding, working_paper, ...) and 10 edge types (belongs_to, applies_to, yields_finding, supports_assertion, ...). The schema for Wave 4's graph query API.
• **Working-papers schema** (`/working-papers/schema`) — ISA 230-compliant working-paper structure across 5 jurisdictions (IAASB, US PCAOB, UK FRC, EU CSRD, Swiss FER). Includes retention range (5–10 years), required engagement-bundle fields, and Merkle-hash structure for integrity proofs.

How to consume

All endpoints are open. No API key. No auth header. Just GET:

# List all 7 jurisdictions
curl https://api.vynfi.com/v1/audit-methodology/jurisdictional
# Get the PCAOB overlay
curl https://api.vynfi.com/v1/audit-methodology/jurisdictional/pcaob-us
# Get all banking forms
curl https://api.vynfi.com/v1/audit-methodology/banking-forms
# Resolve canonical-term lookup
curl https://api.vynfi.com/v1/audit-methodology/banking-forms/canonical-terms/account_number

Cache aggressively. Every endpoint sets `Cache-Control: public, max-age=86400, immutable` and emits an ETag — re-request with `If-None-Match` to get a fast 304. Front Door caches at the edge; most requests never reach our origin.

Why this matters for synthetic data

VynFi generates synthetic financial data; the methodology library is the structured framework that tells you what to test the data against. Pair the catalog with the generation API: pick a methodology blueprint (say ISA 600), pick a scenario (going-concern uncertainty), generate the matching dataset, run the procedures from the blueprint against the data, validate the working papers against the schema. The generated data plus the methodology spec is a complete, reproducible, ground-truth audit engagement.

Wave 4 of the DS 5.5 adoption will wire the active surface — POST endpoints that execute the FSM, run the RMM scoring against a generated dataset, and emit the working-paper Merkle bundle. Wave 1's catalog is the read-only reference that Wave 4's POST endpoints will reference.

Try it

Browse: https://vynfi.com/audit-methodology. Free-tier signup gets you the rest of the platform — generation, multi-period chains (Team+), and everything else. If you're an auditor, methodology specialist, or compliance ops lead and want to feed back on what's missing or wrong, support@vynfi.com — we read every email.