Financial audits are not small affairs. As anyone in business can attest, money and its appropriate use can make or break your business. If you are a publicly traded firm, appropriate financial oversight can keep you out of prison. This is why financial audits are critical — and sometimes scary. This guide is a companion piece to “Financial Statement Audits: How to Make Your Next Audit Your Best.” It will lead you through the concept of a financial audit by defining terms and the different types of audits (including integrated audits) along the way. Then, you will learn about the purpose of an audit and why it is necessary. Next, we discuss how auditors perform audits and learn about auditors themselves. In addition, you’ll discover how to read and understand an audit report and how to prepare for one while also saving time and money. Plus, find tips from industry experts and a free checklist to help you jumpstart your preparation.
A financial audit is the investigation of your business’ financial statements and accompanying documentation and processes, and is performed by someone who is independent of your organization. These often-annual events probe your company’s financial position: They look at your accounting records, internal control policies, and accounts in accordance with industry-accepted accounting standards. This process can look and feel as if someone is scrutinizing your sensitive files, searching for errors and misstatements. However, financial auditors use this process to assure your stakeholders (and any interested outsiders) of your company’s financial position. They give them reasonable assurance — not absolute assurance — and they give your company’s financial documentation more value. Other reasons to conduct an audit include verifying that you are in compliance with regulatory agencies and protecting your company from the risk of fraudulent financial practices.
Independent financial auditors are people who are not on the payroll of your company and do not have a stake in your outcome. At the conclusion of an audit, they render their opinion on the integrity of your documentation. Financial auditors can perform an external or an internal audit for you, but they must not have a stake in your company.
While external audits assess financial risks and statements, internal audits go further and consider your business’ growth, impact on the environment, employee culture, and reputation. Internal auditors report to your board and senior management within your governance structure and, instead of just providing reasonable assurance to your stakeholders and outsiders, they offer ways to improve your company overall. Performing regular internal audits also shows the external auditors that your company has a means to improve your internal controls and thereby manage your organization effectively.
There are many different types of checklists available for financial audits. Whether you are an auditor, or you own a company and want to prepare for an audit, you can use a checklist to get ready. With membership to the American Institute of Certified Public Accountants (AICPA), you’ll receive auditing checklists for everything from basic auditing to assessment of the risk of fraud. The United States Government Accountability Office (US GAO) also puts out checklists for federal auditing. Additionally, there are self-assessment checklists you can review prior to your audit, whether your business is public, private, or nonprofit.
An integrated audit is one that combines the financial statement audit with an audit of your internal controls. In 2002, the U.S. Congress passed the Sarbanes-Oxley (SOX) Act. This Act required strict reforms by corporations to prevent accounting fraud. The act had substantial impact on the industry: Under it, senior management became responsible for certifying the accuracy of their financial statements as well as for instituting internal controls and reporting on those controls. This crackdown on corporate fraud also led to the creation of the Public Company Accounting Oversight Board (PCAOB), which provides guidance for integrated audits. Separately, the Securities and Exchange Commission (SEC) provides enforcement. The SOX Act also mandated that public companies undergo integrated audits. Furthermore, auditing professionals say that an integrated audit is incomplete unless it also reviews the company’s Information Systems (IS) processes. IS, financial, and operational controls are mutually dependent on each other in order to foster an environment of support and efficacy.
The PCAOB guide on performing integrated audits includes the following requirements:
The SOX Act requires integrated audits of larger, publicly held companies. The Act does not require smaller public or private companies to have an integrated audit — in general, these institutions only need audits of their financial statements. A small public company or a private company may want to have an integrated audit performed when they are preparing for sale. The auditor’s verification of a strong system of controls can improve the sales price of the company.
Outside of integrated audits, audit types focus on single processes. We have already discussed information systems auditing; other unique audits include operational and compliance audits. Operational audits focus specifically on the business processes. Some of these processes affect the finances, and some do not. An internal audit should address these operational processes as well as the accounting procedures that affect them and are affected by them. Your auditors should be able to identify implementation issues and recommend remedial actions for improvement. Compliance audits deal specifically with the level of compliance with internal policies or external regulatory requirements.
Your auditor aims to give you an objective appraisal of your company’s financial situation based upon its documentation. An audit also provides proof that your documents accurately represent your situation (your auditor’s final report serves as this proof). Moreover, your auditor is there to improve your processes by providing suggestions and pointing out any inconsistencies.
The Big Four, the largest professional services networks in the world, specialize in auditing globally. Although these are certainly not the only firms that you may retain to perform your audit, they possess longstanding esteem in the finance profession. Together, these four professional service networks currently account for the majority of public-company audits as well as for those of a large number of private firms. The Big Four are KPMG, Deloitte Touche Tohmatsu, PricewaterhouseCoopers, and Ernst & Young. They are networks (and not discrete firms) because of the way they are structured: They are independently owned and operated, but each functions under the umbrella of their respective “parent” firm. Under this parent firm, each of these networks shares branding, name, and quality standards for their services. These services include auditing, assurance, tax law, consultation, actuarial services, legal services, and corporate financial advice.
With documentation dating from 1314, England boasts the earliest recorded financial audit. In the United States, the Industrial Revolution forced the widespread adoption of financial auditing. The railroad industry, in an effort to control costs and operating ratios, became an auditing pioneer. After the 1929 stock market crash, auditing became obligatory for companies that wanted to participate in the stock market. Investors came to rely on the financial reports that auditors produced as a part of an overall audit. In 1934, Congress commissioned the SEC as the regulatory agency for auditing requirements and standards.
Financial auditing was not only necessary for the oversight of companies traded on the stock market, but was also used as a mechanism for fraud detection and finance accountability. However, in those early days of the SEC, company managers produced audit reports. Independent auditors did not conduct the audits. Companies implemented significant changes in auditing procedures only after intensely adverse business events occurred. For example, physical inspection of inventory became mandatory only after the treasurer of McKesson & Robbins (a pharmaceutical concern) discovered that the company was a front for an illegal bootlegging operation. This scandal also precipitated another mandate: The SEC now required public companies to appoint external audit committees.
Experts in the financial industry say that the future of auditing will bring even more regulatory control in order to stay consistent with the traditional requirement. Given the last few years of potent technological advancement, especially in the realm of automation and outsourcing, the trend toward more regulatory control is significant. Experts cite the possible need for changes to audit timing and frequency. They also say that auditors may need more education on technology and analytical methods. If this proves to be the case, cross-discipline auditing may become necessary. Sampling may become obsolete as it becomes both possible and necessary for auditors to complete full audits. The industry may also have to revisit the concepts of materiality and independence. Materiality assigns a cut-off point to transactions it considers insignificant. Independence concerns the question of the auditor’s independence (i.e., whether or not they have a financial interest in the business they are auditing).
You need an audit if you are a publicly held company or see a public offering in your future. You will need auditing documentation for the year that your company has its initial public offering (IPO) as well as for all subsequent years. If you accept funding from the federal or state government, you may need an audit. Some banks will also require an audit if they give you a particularly large loan or if they consider you high risk. Finally, you may want an audit because it can mean the difference between being approved or rejected for a loan and getting a low or high interest rate.
You can break down audits into three main phases: prep, fieldwork, and reporting. Each phase can be further broken down as well. For the prep work phase, there are eight main steps:
The second main phase of your audit is the fieldwork. This is when your auditor or audit team is on-site at your office. They start by formalizing the audit program with your workforce, laying out their plan, and being introduced to staff members who will assist them by gathering and explaining documentation and processes. The following are examples of steps that your auditor may perform during your audit (the order depends on your auditor’s plan and necessity):
Your auditor documents the results of each of these activities in their working papers. After they have completed their onsite reviews and tests, the auditor performs a comprehensive review of the working papers. Now, they can move to the reporting phase of the process. This last phase of reporting is when your auditor gets to write up their findings on your company. They may come back and confer with you or staff members prior to concluding and finalizing their report. This report gives you their conclusion on how your company adheres to accounting standards or the agreed-upon benchmarks.
Equally important in this whole process is your auditor. The AICPA is very specific about the responsibilities and the functions of an independent auditor. Although there is some room for creativity in auditing practice, your auditor has a heavy responsibility not only to perform the audit based on their experience and best judgment, but also to act as a representative of their entire profession. They are required to perform the audit in accordance with standard auditing practices. It is your management’s responsibility to have sound accounting principles and internal controls, and to present them as such. However, if there are issues, it is your auditor’s responsibility to find and report them. Your auditor is bound by a code, and as such, that code may be enforced if they do not perform accordingly.
This can become a sticky problem when you have an auditor who is under pressure from the company that is funding their audit. On the one hand, the company being audited is paying the auditor for their needed service, and the auditor needs to support their own business. On the other hand, the company under audit may exert pressure by not hiring a particular auditor or firm or by withholding auditing fees in the case of an unfavorable outcome. Even subtle disfavor can harm the auditor personally. A scenario such as this can become an ethical dilemma for an auditor because as gatekeepers, they have a substantial responsibility. Experts suggest better incentive systems and policy reform for auditors overall, especially those faced with economic ethical dilemmas. It does save a company money when they retain the same auditing services annually. Although an audit takes a set amount of time, an auditor may become familiar with a company so that they can save time during the overall process.
The independent auditing service requirement, as enforced by the SEC, is that the auditor has no conflict of interest with the companies they audit. Additionally, they must not be in the position where they are auditing their own work, may become employed (separately) by the firm they audit, or where they will become an advocate for the company. They may not provide additional services, such as bookkeeping, financial information system design or implementation, actuarial services, brokering services, legal services, or valuation services. If a company seeks to hire a former employee to perform an audit, that auditor must refrain from doing so for a one-year period following his initial employment with said company. The audit committee must also assess any direct or material relationships the auditor has with the company in order to determine if those relationships conflict with independence.
In order to be an auditor, there are academic, professional, and personal requirements. The minimum educational requirement is a bachelor’s degree, but many employers prefer a master’s degree with a focus on finance or accounting. In order to audit public companies, an auditor must have the Certified Public Accountant’s (CPA) credential. They must stay current with the principles, theory, practice, and laws in accounting. They should also have integrity and tact when dealing with companies and a methodical practice. Many companies list personality traits, such as assertiveness and punctuality, that they want their auditors to possess. Nevertheless, selecting an auditor is ultimately about deciding whether you can entrust someone with the responsibility to perform their job and maintain your confidentiality. You must be able to rely on this person. The job descriptions for auditors are often interchangeable with those for accountants. Still, auditors perform more detailed work when it comes to finding fraud or errors in financial documentation.
In a job description, a financial auditor evaluates companies’ financial statements, documentation, accounting entries, and data. They may gather information from the company’s reporting systems, balance sheets, tax returns, control systems, income documents, invoices, billing procedures, and account balances. Then they conduct a comprehensive review of all this information in a fair, accurate manner to ensure there are no major errors or fraud. They must deal with different levels of management throughout different departments in pursuing data and information. They do this in order to gain an understanding of how the business operates, as well as of the company’s purpose and its reporting systems.
The national average salary for a financial auditor in 2017 was about $60,000. Different locations and firms adjust this figure, however, based on education, experience, expertise, and clientele. There are several types of auditors: These include internal auditors, government auditors, and independent auditors. Internal auditors and government auditors work in house. They can foresee and head off an organization’s major problems early. Internal auditors may not conduct independent audits, but they are valuable because of their capacity to advise on regular activities and systems. Government auditors are specific to federal or state agencies. Federal auditors work for the U.S. GAO and report to Congress.
An audit report is the final document that wraps up the audit. It is your written auditor opinion prepared in the standard format delineated by GAAS. Auditors write reports for users of the company’s financial statements. If your company is public, you include these reports when filing with the SEC.
An audit report gives you an independent opinion on your company’s financial statements, and can help you make better economic decisions. Even though the report’s findings are based on persuasive (rather than conclusive) evidence, they still give you a fair estimate of a company’s financial position. In a financial audit by a CPA, the findings can be one of the following: an unqualified approval, a qualified approval, a disclaimer of opinion, or an adverse finding. The best result is an unqualified approval. The worst result is an adverse finding. Below, you’ll find descriptions of the four types of findings:
Experts in reading audit reports recommend paying special attention to the introductory paragraphs, especially those concerned with management and auditor responsibilities, scope, and opinion. If you read and become familiar with audit reports, you will see that although each company is different, the reports are homogeneous and provide an excellent way to learn about a company.
It is normal to be nervous about an impending company audit. Audits can be expensive, and you may be unsure about what your auditor will find. However, if you plan ahead of time, you can save money and ensure that your auditor’s findings are only helpful.
As you’ve read in earlier sections of this guide, your auditor is looking for inconsistencies that could lead to financial inaccuracies. In their arsenal, your auditor has many different types of analytic procedures, though if they do not understand something, they will investigate and ask you or your staff questions. They will also ask for supporting documents to make sure you have recorded your financial information accurately. They will review your operational procedures and may review your information security to ensure that the data they are seeing is reliable.
To keep hours and costs down, there are steps you can take, including the following:
Now, our experts weigh in with their opinions on how you can get ready for your audit.
Robert Campbell, Financial Analyst at Withum, says, “I work for the accounting firm of WithumSmith+Brown, PC, and I conduct the initial risk assessment and setup for the audit of some of our clients. My particular expertise is getting into the transaction level of the business to know common practices and good internal controls and judge where problems might be. As for the CFO counterparts of my clients, they need to prepare to walk me through the transactions that occur and give me access to the people who do them, so I can make sure that what management thinks happens actually does. Then, when planning the audit, I will assign the risk of categories of transactions and accounts that I’ll instruct the auditors to either do analytics for or actually review. For the CFO, the fewer questions or concerns I have during the risk assessment, the more limited the scope (and, thus, the cost and time expense) of the audit.”
CPA and realtor Robert Riordan says, “I am a CPA in South Carolina and do a lot of financial audits for licenses and banks. I have to follow the guidelines of our state and national organizations. Depending on what the client wants me to look at, preparing an audit requires varying levels of detail. A detailed audit would require me to look at all the accounts in the balance sheet to see if they are proper. This means going to the place of business, looking at the accounts and transactions, and determining what makes the amounts up. The income statement has to look about the same. I may find something interesting when I look at the major accounts or some smaller ones.
“I have to sign my name to the report. If it is an IRS audit, then you have to have everything in order. Most of the time, the experience is not that bad. People that you are working for will help you. When you deliver the report to an entity, they might call you back to clarify something. You can at times get someone difficult, but just deal with it.
“If you need a financial audit, help the person preparing the reports with updated financial information and great supporting information. Be prepared to adjust when the person making the financial statements asks for more information. Do not get upset…unless you are trying to hide something.”
The following are some terms that you may come across during your audit or while you are prepping for your audit. Understanding these terms can help you on your audit path: