Some cringe at the word “audit.” But those of us with hands-on experience understand the value of financial statement audits. Businesses often perceive audits as an invasion of their books and records, and the fear of judgment at the end can cause angst for business owners and their accountants. Audits, however, are one of the most respected and meaningful ways for external stakeholders to gain confidence when lending to, investing in or even just doing business with an organization. Companies of all sizes and industries, public and private, have their financial statements audited annually.
As a certified public accountant (CPA) and former auditor for a “Big 4” accounting firm, allow me to demystify financial statement audits, their objectives and how they work.
What Is a Financial Statement Audit?
A financial statement audit is a professional examination of a company’s financial statements. Its goal is to determine whether the financial statements present a fair and materially correct representation of a business’s activity and financial position, in accordance with the Generally Accepted Accounting Principles (GAAP) issued by the Financial Accounting Standards Board. Specifically, auditors opine on the accuracy of an income statement, balance sheet, statement of cash flows and all the disclosures that support them. Under GAAP, external, independent auditors must perform financial statement audits.
A financial statement audit differs from other common types of audits, such as tax audits and internal audits. Tax audits are performed by the IRS with the objective of ensuring the accuracy of tax returns and the amount of taxes paid. Internal audits are performed by employees of the company and can take many forms at the direction of company management. When an internal audit department reviews financial statements, it is for the benefit of company management and is not considered an independent review for external stakeholders.
Reviews and compilations are two other engagements that external auditors may undertake. These are both more limited in scope than a financial statement audit.
- A financial statement audit assesses whether the statements under review present a fair and materially correct representation of a business’s activity and financial position, resulting in an audit opinion.
- Independent auditors conduct audit planning, internal control and substantive testing, all in accordance with multiple established standards.
- Companies can benefit from audits in several ways, beyond simply meeting compliance requirements; auditors may, for example, make suggestions for improving the business.
- Audits also have inherent limitations, so undetected fraud remains possible.
- Understanding the audit process, using the right accounting software and getting to know the auditor can help audits be unproblematic and increase the likelihood of an “unqualified” audit opinion — the best possible outcome.
Financial Statement Audits Explained
An audit verifies whether financial statements fairly represent a company’s financial position, through a series of tests (described in the next section). They are performed by external auditors using professional standards called Generally Accepted Auditing Standards (GAAS), which were established and are continually reviewed and updated by the American Institute of Certified Public Accountants (AICPA). These standards help ensure that external audits are performed accurately, consistently and reliably. GAAS guides how audits should be done properly, whereas GAAP are the standards for how accounting should be done properly. Public companies have additional audit rules beyond GAAS (discussed later in this article). Audits of international companies adhere to International Standards on Auditing, rather than GAAS, and are regulated by the International Auditing and Assurance Standards Board. International Financial Reporting Standards are the international equivalent of GAAP.
At the end of the process, the auditor provides an opinion that is attached to the financial statements when they are released to external shareholders. There are five outcomes of a financial statement audit, each of which comes with a corresponding audit opinion (in accounting lexicon):
- Unqualified opinion: An unqualified opinion is the best outcome. It’s sometimes casually referred to as a “clean” opinion. It indicates that the financial statements present fairly, in all material respects, the financial position, results of operations and cash flows of the entity, in conformance with GAAP.
- Unqualified with explanatory language: In this case, the auditor is issuing an unqualified opinion, but adds an explanation about an issue that arose during the audit that is worth mentioning but doesn’t change the nature of the opinion. For example, if part of the audit relies on work done by another auditor, explanatory language may be added.
- Qualified: A qualified opinion indicates that the financial statements are materially fair, but there is a specific exception. The exception is described in the opinion, for transparency. A departure from GAAP for an item that is inconsequential, and, therefore, does not cause the financial statements to be misleading, could prompt a qualified opinion. Scope limitations, meaning that the audit was unable to perform a specific procedure, are another common cause of qualified opinions.
- Adverse: If an auditor determines that the financial statements are materially incorrect or do not conform with GAAP, they issue an adverse opinion. The reason for the adverse opinion is described on the face of the opinion. External stakeholders view financial statements containing adverse opinions with high skepticism. In practice, most companies will choose to remedy the concerning issue raised by the auditor before bringing the audit to a close to avoid publishing an adverse opinion.
- Disclaimer of opinion: A disclaimer of opinion means that the auditor does not express an opinion on the financial statements. The reason(s) why the auditor is unable to determine whether the financial statements are materially correct is noted in the disclaimed opinion. A significant scope limitation, such as not having access to physical inventory, is one common reason for a disclaimed opinion.
Stages of a Financial Statement Audit
Most sources will tell you there are three stages in a financial statement audit, ultimately leading to the audit opinion. The length and scope of each stage may differ, based on the complexity of a company’s business, the sophistication of its accounting staff and whether it’s an initial or recurring audit. Understanding these stages can help companies better prepare for an audit, which can make it go much smoother.
- Planning and risk assessment: This first stage begins when a company’s audit committee or board of directors hires the external auditor and signs an engagement letter. The auditor begins a series of administrative steps, including assigning the audit team (including any specialists, if needed), verifying that the auditor(s) is independent of any disqualifying relationships with the company being audited, and establishing a timeline for the audit. The risk assessment part of this stage includes getting the audit team up to speed on the nuances of the company’s business, its industry, native accounting issues and any applicable regulatory requirements. This helps the auditor plan appropriate efforts for areas that have a higher potential for error. In addition, the audit team engages in a high-level discussion about the susceptibility of the company’s financial statements to fraud. At the end of this stage, an overall audit strategy and tactical plan are documented for the auditor to follow in the next two stages. The plan can be updated if the auditor discovers something unexpected in the subsequent stages.
- Internal controls testing: This step involves identifying, documenting and evaluating a company’s internal controls — the processes and policies a business uses to reduce the likelihood of financial reporting errors and fraud. If the auditor perceives a weak control environment, they will be on high alert for errors and fraud and will increase the amount of substantive testing of balances (see step 3). A strong control environment has the opposite effect. Preventive controls — such as segregation of duties, user access restrictions for accounting systems, physical safeguarding of assets and proper authorization and delegation of authority — are designed to prevent errors before they occur. Detective controls, such as account reconciliations and physical inventory cycle counts, work to identify errors or irregularities for investigation and correction after they happen. Control tests aim to make sure the control is actually in place, that it is working as designed and that it is effective.
- Substantive testing: The purpose of substantive testing is to verify balances in the accounting data. It involves sampling transactions and gathering evidence to support the data in accounting records. Evidence from third parties is preferred, such as bank statements, confirmation letters from customers and suppliers, invoices and statements. In addition, the auditor may physically observe assets, like inventory and equipment. In some cases, substantive testing may simply consist of analytical analysis or recalculations, as with depreciation or reserves.
Auditors apply skepticism and judgment throughout these three steps and use the results to form the audit opinion. It’s important to note that the auditor is in constant communication with the company’s management team, and the ultimate opinion should not be a surprise. In fact, it’s common practice to discuss audit findings before the opinion is finalized, so that any issues can be remedied before the opinion is issued.
It’s also important for company managers embarking on their first independent audit to understand that the audit experience won’t necessarily be neatly linear, the way these stages suggest. In about a third of our audits, the audit teams I’ve been on discovered that the company’s control environment did not work exactly as advertised. That would make us go back to the planning stage and adjust the strategic and/or tactical portion of the audit plan to make sure we were gathering sufficient evidence to support an audit opinion. If, for example, a company told us that changes to its accounting data required double authentication, but its accounting system didn’t enforce that policy or staff was able to work around it, additional substantive testing would need to be done beyond what was specified in the original plan.
In addition, the control and substantive testing — which we thought of, together, as “field work” — doesn’t necessarily all happen after the close of the period being audited. For companies on a calendar fiscal year, for example, much, if not all, of the control testing could be done in October or November. In addition, certain substantive testing could be performed in advance if it was clear that those elements wouldn’t change materially between then and January, after the books close. For example, you can confirm that a company’s buildings exist and are as the company has described. As a practical matter, most substantive testing has to be done after the year-end accounting close.
Purpose of a Financial Statement Audit
Financial statement audits provide assurance that the statements fairly present the financial position of a company. This assurance is very meaningful for external parties that rely on the financial statements, such as investors, lenders, suppliers and even some customers. In fact, many lending institutions require annual audits as part of their loan covenants, and the U.S. Securities and Exchange Commission (SEC) mandates them for publicly traded companies, although the extent of the reporting requirements are reduced for those that meet the SEC’s definition of a small company.
Top Financial Statements to Audit
A financial statement audit typically focuses on the three core financial statements, as well as the footnotes to those statements (which may be its own separate document) and other related disclosures. Each financial statement serves a specific purpose, but they have the most impact when read together. The top financial statements to audit include:
- Balance sheet: Lists a company’s assets, liabilities and equity. It presents a company’s financial position as of a certain point in time, typically the last day of a month, quarter or year.
- Income statement: Presents a company’s revenue, expenses, gains and losses for a period of time, such as one, three or 12 months. The income statement, sometimes called a P&L (for “profit and loss”), shows whether the business made a profit or withstood a loss during the period.
- Statement of cash flows: Displays the inflows and outflows of cash during a reporting period. The sources and uses of cash are categorized into three sections: cash flow from operating activities, from financing activities and from investing activities.
The footnotes to each of the three core financial statements are also audited. They provide important context, such as accounting methods used, as well as supporting information, such as lease details, for certain balances.
When it comes to annual reports, it’s worth mentioning that not all information is audited. The annual report is a corporate document sent to shareholders that includes the audited financial statements, along with graphics, photos and management narrative about a company’s performance. Typically, when auditors review annual report information that is outside the financial statements, they only make sure there are no inconsistencies in relation to the audited statements.
Benefits of an Audit
Financial statements are great tools for communicating financial information in a standardized way — as long as they are accurate. The primary benefit of audits is to assure external stakeholders that the financial statements are fairly stated and materially correct. But potential audit benefits extend beyond that, including:
- Helping customers and suppliers feel more comfortable doing business with a company.
- Keeping a company compliant with regulations, thus avoiding the reputational damage and potential fines that may come from noncompliance.
- Uncovering ways a company can improve their business. An auditor is an independent, fresh set of eyes familiar with the industry and the company. Their perspective can identify potential ways to improve operating efficiencies.
- Revealing opportunities for a company to improve accounting operations. Auditors can suggest ways to make accounting functions more effective and efficient, such as accounting software, workflow and staff training.
- Identifying weaknesses and recommending remedies for the company’s control environment. A strong control environment reduces the potential for fraud.
Limitations of an Audit
Even the best planned and expertly executed audits have certain limitations. A clean, unqualified opinion states that the financial statements are “free of material misstatements,” which is not the same as being completely error-free. The concept of materiality is fundamental to auditing. Materiality can be described as an acceptable range of error in the financial statements that would not cause a reasonable reader to draw the wrong conclusions. During the planning phase, auditors use their judgment and experience to determine materiality levels. Materiality is both quantitative, based on the size of a company’s business, and qualitative, based on the nature of an error. Beyond the boundaries of materiality, here are some other limitations of an audit:
- Auditors opine on financial statements, they do not create them. The primary responsibility for creating financial statements lies with company management.
- While auditors are responsible for identifying and evaluating fraud risks, using the professional standards set forth by GAAS, fraud can sometimes remain undetected — especially a well-orchestrated fraud perpetrated by internal employees.
- Because it would be time- and cost-prohibitive, audits do not verify every single piece of financial data. Instead, audit procedures rely on testing representative samples.
Auditor Qualifications and Skills
As an audit manager at a Big 4 accounting firm, I had a number of longtime clients. I noticed, with some disappointment, the times when I detected a collective sigh as my team walked into a client’s office. We didn’t necessarily want to be seen as standoffish or aloof, but the job of auditor comes with certain requirements that make us seem that way. There are certain lines auditors are not allowed to cross. Let me describe an auditor’s qualifications and skills, so you can get to know us better.
Auditors must be CPAs or working toward their CPA license under the supervision of a CPA. CPAs have at least 150 college semester hours (five years), have passed all four sections of the CPA exam, have a certain amount of work experience (which varies by jurisdiction) and have completed annual continuing professional education requirements set by the AICPA and state licensing authorities. They understand GAAP and GAAS and are familiar with SEC regulations.
Inherently, auditors must possess high integrity and the ability to keep information confidential. They must adhere to multiple ethics requirements from the SEC, AICPA and the Public Company Accounting Oversight Board (PCAOB). A primary aspect of these codes is that an auditor must be independent of their client, meaning that the auditor is free from any relationships that could compromise their ability to make unbiased decisions. Examples of disqualifying relationships include being an investor, shareholder or lender to a client; having relatives who work at or do business with a client; and maintaining personal relationships with client employees. Independence also means that auditors can give advice to clients but cannot execute that advice.
Auditors must possess a combination of hard and soft skills to be successful. They need to be proficient in analytics, statistics and technology. They also need a high level of business acumen, critical thinking, logical judgment and organizational skills. The most successful auditors also have well-developed soft skills, ranging from interpersonal communication and collaboration to customer service and leadership. Like most CPAs, auditors typically must put in long hours.
Financial Audits for Public vs. Private Companies
Public companies are required by law to undergo an annual audit of their financial statements by independent auditors. Audited financial statements are included in a public company’s annual form 10-K, filed with the SEC. Audits of public companies are extra rigorous so as to protect shareholders and the integrity of public markets. In addition to GAAS, audits of public companies must also adhere to standards from PCAOB, an agency overseen by the SEC, which was formed to promote quality in audits. In addition, public companies must file an annual audit of their internal controls, in accordance with the Sarbanes-Oxley Act, although there are some exceptions for small businesses (as defined by the SEC).
Private companies are those without publicly traded shares, typically owned by an entrepreneur, a group of investors or a family. They are not subject to SEC or PCAOB requirements, and their audits must only be GAAS-compliant. Private companies of any size often need audited financial statements to satisfy investors and lenders. Selling or merging a private business typically requires audited financial statements.
Manage Your Financial Statements With Software
While independent external auditors increase the legitimacy of a company’s financial statements, the burden of responsibility for compiling those statements and all the underlying accounting data falls squarely on the shoulders of the company. Managing the data and creating financial statements using automated software, such as NetSuite Financial Management, not only makes the process more accurate but also can streamline the audit process. The software’s seamless integration and access controls enhance the control environment. When properly deployed, the system’s accounting data is more accurate and GAAP compliant, which reduces the number of potential audit adjustments. The ability to drill down to the transaction level makes audit testing easier. And since it’s cloud-based, auditors can access the information they need from anywhere.
A financial statement audit is an examination of a company’s financial statements by an independent auditor. Companies of all sizes, public or private, undertake audits. It’s done to give external parties, like shareholders, investors and lenders, confidence that the financial statements fairly represent a company’s results and financial position. Audits are performed in accordance with GAAS and other standards by highly trained and impartial CPAs. Audits generally follow three steps and focus on the company’s core financial statements. Understanding the audit process and using the right accounting and reporting software can help audits proceed more smoothly and quickly — and increase the likelihood of an unqualified audit opinion, the best possible outcome.
Financial Statement Audit FAQs
What is the objective of a financial statement audit?
The primary object of a financial statement audit is to provide assurance that financial statements fairly present the financial position of a company. This assurance is very meaningful for external parties that rely on the financial statements, such as investors, lenders, suppliers and even some customers. In fact, many lending institutions require annual audits as part of their loan covenants, and the U.S. Securities and Exchange Commission (SEC) mandates them for publicly traded companies, although the extent of the reporting requirements are reduced for those meeting the SEC’s definition of a small company.
What are the 4 types of financial statements?
There are three core financial statements: the balance sheet, the income statement and the statement of cash flows. When referring to four types of financial statements, either the footnotes or a statement of equity is also included.
How do auditors check financial statements?
There are three phases to an audit: the planning phase, testing internal controls and substantive testing. Auditors check the accounting data using substantive testing, within the context of materiality and risk assessed during the planning phase, as well as the overall effectiveness of the control environment. Substantive testing involves sampling transactions and gathering evidence to support the accounting data. Evidence from third parties is preferred, such as bank statements, confirmation letters from customers and suppliers, as well as invoices and statements. In addition, auditors may physically observe assets, like inventory and equipment. In some cases, substantive testing may simply require analytical analysis or recalculations, as with depreciation or reserves.
When should financial statements be audited?
Financial statements should be audited annually. Most lenders and the SEC will require audits of full-year financial statements at the end of each year. The audit should be performed by an independent external auditor after the books have been closed and management has created the financial statements. Often, control testing can be performed prior to the year-end close.