Skip to main content

What is a financial statement audit?

A financial statement audit is an independent, third-party examination of a company's financial statements conducted by a licensed accounting firm. The auditor's job is to evaluate whether those statements present a fair and accurate picture of the company's financial position and performance in accordance with applicable accounting standards. When an audit firm signs an audit opinion, they are essentially vouching for the credibility of the numbers—not because they guarantee perfection, but because they have applied rigorous testing and found no material errors or fraud. For public companies in the United States, an audit by a certified public accounting (CPA) firm is legally required. For private companies, banks, investors, and lenders often demand an audit as a condition of lending or investment. Understanding what an audit is, how it works, and what an auditor's opinion really means is essential for anyone reading financial statements.

Quick definition: An audit is a comprehensive, independent examination of a company's financial records and controls conducted by a licensed accounting firm, resulting in an opinion about whether the financial statements fairly present the company's financial position and results in accordance with applicable accounting standards.

Key takeaways

  • A financial statement audit is a legal requirement for public companies and a practical necessity for many private companies seeking capital or credit.
  • Auditors test a representative sample of transactions and internal controls rather than verifying every single transaction, so the audit provides "reasonable assurance," not absolute certainty.
  • The auditor's opinion is the most visible output, but the audit process involves extensive risk assessment, control testing, substantive procedures, and documentation.
  • Audit firms are regulated by the Public Company Accounting Oversight Board (PCAOB) in the US; PCAOB inspects major audit firms annually and investigates audit failures.
  • An audit is not a forensic investigation or a guarantee of accuracy; it is a standardized examination designed to detect material misstatements, whether caused by error or fraud.
  • The audit opinion comes in four main flavors: unqualified (clean), qualified, adverse, and disclaimer—each carrying different implications for statement credibility.

What is the purpose of a financial statement audit?

The core purpose of an audit is to serve the public interest by providing independent assurance that financial statements are reliable. Companies prepare their own financial statements, so there is an inherent conflict of interest: management has incentives to present results in the most favorable light. An external auditor, hired by (but independent of) the company, brings objectivity. The auditor tests the company's accounting, examines the quality of its internal controls, and investigates areas of high risk or judgment. The end result is an opinion—signed by a partner at the audit firm—that states whether the statements fairly present the company's financial condition and performance.

This purpose serves multiple stakeholders. Investors use audits to gain confidence in the numbers they rely on for valuations. Creditors and lenders use audits to assess the creditworthiness of borrowers. Regulators use audits to enforce compliance with accounting standards and detect fraud. And the public, broadly, benefits from the knowledge that major companies' financial statements have been subject to professional scrutiny.

The audit process: start to finish

An audit does not happen in a single examination. Instead, it unfolds over months, typically following this arc:

Planning and risk assessment. The auditor begins by understanding the company's business, its industry, and its key financial risks. They review prior-year audit findings, discuss changes in accounting policies or systems, and assess the environment for fraud risk. This phase is crucial because it allows the auditor to focus testing on the areas most likely to contain errors or fraud. A company in a cyclical industry facing declining revenues, for instance, signals higher risk of impairment charges or aggressive revenue recognition.

Assessment of internal controls. The auditor evaluates the company's internal control system—the policies and procedures designed to ensure that transactions are authorized, recorded, and safeguarded. Strong controls reduce the auditor's testing burden; weak controls require more extensive substantive testing. The auditor may review how the company segregates duties (so that no one person can both authorize and record a payment), how it reconciles accounts, and how it authorizes significant transactions.

Substantive testing. This is the phase where the auditor rolls up their sleeves. For each significant account or transaction class (like revenue, inventory, or accounts payable), the auditor selects a sample—often using statistical sampling techniques—and tests it in detail. They might verify that a sale was actually recorded in the correct period, that the customer is real and creditworthy, and that the invoice matches the shipping document. They do not test 100% of transactions; instead, they test enough to be confident that any errors in the untested population would not be material.

Audit of estimates and judgments. Many financial statement line items require accounting estimates: the allowance for doubtful accounts, the useful life of fixed assets, the provision for warranty claims, the fair value of investments. The auditor challenges these estimates by checking the company's historical accuracy, reviewing third-party appraisals, and comparing assumptions to observable market data.

Going-concern assessment. The auditor evaluates whether the company will be able to continue operations for at least the next 12 months. This is not a guarantee that the company will never fail, but rather an assessment of whether it has liquidity and solvency to operate without material distress. A company with declining cash, mounting losses, and covenant violations signals going-concern risk.

Finalization and opinion formation. The auditor aggregates all findings—errors found, control deficiencies identified, disputed estimates, and going-concern concerns. For each finding, the auditor assesses whether it is material (i.e., would it change a user's decision about the company?). If no material errors remain uncorrected and no going-concern doubt exists, the auditor issues an unqualified (clean) opinion. If material issues exist, the opinion is modified.

Who performs audits and under what standards?

In the United States, audits of public companies are performed by firms registered with the Public Company Accounting Oversight Board (PCAOB). The Big Four accounting firms—Deloitte, PwC, EY, and KPMG—audit most large public companies, though mid-size and smaller firms also conduct audits. Auditors must be Certified Public Accountants (CPAs) licensed by their state, which requires passing the CPA exam and maintaining continuing education.

Audits are conducted under auditing standards—a set of rules that govern how an audit should be performed. In the US, these are the Generally Accepted Auditing Standards (GAAS) for public companies, which are administered by the PCAOB. Internationally, audits are conducted under International Standards on Auditing (ISA), issued by the International Auditing and Assurance Standards Board (IAASB). These standards define the auditor's responsibilities, the types of testing to perform, the documentation required, and the form of the opinion.

Reasonable assurance vs. absolute certainty

An audit provides "reasonable assurance," not absolute certainty. This distinction matters. The auditor is not responsible for finding every error; rather, they are responsible for designing procedures that would catch any misstatement that is material (large enough to affect a user's judgment). An error of $50,000 in a company with $1 billion in revenue might not be material, and the auditor would not be expected to find it. An error of $20 million might well be material, and the auditor would be expected to have testing procedures rigorous enough to detect it.

Further, an auditor is not responsible for detecting all fraud. However, they are responsible for designing the audit with professional skepticism and for considering the risk of material misstatement due to fraud. If a company's CEO and CFO are actively colluding to fabricate transactions, a standard audit might miss the fraud if it is well-concealed. This is a limitation—but not a loophole. The Sarbanes-Oxley Act of 2002 and subsequent standards have strengthened the auditor's obligation to assess fraud risk and communicate findings to those charged with governance.

The auditor's opinion

The auditor's conclusion is rendered as an audit opinion, a formal written statement included in the audit report. The opinion is the main deliverable that the public sees. It states whether, in the auditor's view, the financial statements present fairly the company's financial position and results of operations in accordance with applicable accounting standards. The four standard opinion types are:

  • Unqualified (clean) opinion: The statements are free from material misstatement. This is the gold standard.
  • Qualified opinion: The statements are mostly fair, but the auditor has identified a limitation in scope or a departure from standards that is material but not pervasive.
  • Adverse opinion: The statements do not fairly present the company's financial position because of a material departure from standards.
  • Disclaimer of opinion: The auditor cannot express an opinion because of a lack of sufficient evidence (severe scope limitation).

Audit committee and governance

For public companies, the audit is overseen by the Audit Committee of the Board of Directors. The Audit Committee is responsible for hiring the auditor, approving the audit plan, reviewing audit findings, and ensuring that management addresses audit concerns. Audit Committee members must be independent (not employed by the company) and, under current SEC rules, at least one member must have accounting or financial expertise. The Audit Committee acts as a buffer between management and the auditor, providing the auditor with a confidential channel to raise concerns without fear of retaliation from management.

Key differences: audit vs. review vs. compilation

For private companies, there are three levels of engagement offered by accounting firms, each with a different scope and cost:

  • Audit: Comprehensive examination with testing of internal controls and substantive procedures. Provides reasonable assurance. Most expensive; takes several months.
  • Review: Limited examination focusing on analytical procedures and inquiry. Provides only moderate assurance. Mid-cost; takes weeks.
  • Compilation: Accountant organizes financial data provided by management without testing or validation. Provides no assurance. Least expensive; takes days.

A lender might require an audit; an investor might accept a review; a small company might only be asked to provide compiled statements. The choice depends on how much assurance is needed.

Modern audit challenges: IT systems, cryptocurrencies, and fair-value measurement

Contemporary audits face challenges that did not exist a generation ago. When a company's financial records are stored in cloud-based enterprise resource planning (ERP) systems with thousands of users and complex data access controls, the auditor must assess the security and integrity of that system. Cryptocurrency holdings and transactions present valuation and existence challenges. Fair-value measurements in investment portfolios or acquisitions rely on models and assumptions that are difficult to verify independently. Auditors now employ data analytics specialists, IT security experts, and valuation specialists to address these complexities.

The rise of "critical audit matters" (CAMs), required to be disclosed in the audit report since 2019, reflects this complexity. A CAM is an area where significant auditor judgment was required, such as the valuation of a major acquisition or the assessment of an impairment. By naming CAMs, the auditor signals to investors which parts of the statements involved the most subjectivity.

Audit costs and economics

An audit is expensive. For a large public company, an annual audit can cost millions of dollars. For a mid-size private company seeking capital, audit fees often range from $50,000 to $500,000+, depending on size and complexity. These costs come out of the company's bottom line, so there is always pressure to minimize audit scope or frequency. However, the benefits—access to credit, investor confidence, and the deterrent effect of third-party oversight—typically justify the cost.

Real-world examples

Apple's annual audit. Apple's financial statements are audited annually by Ernst & Young (EY), one of the Big Four. EY's audit opinion is included in Apple's 10-K filing. Because Apple is a large, globally complex company with significant acquisitions, foreign operations, and revenue-recognition judgments, the audit is extensive and likely takes several months. The auditor's opinion is a few paragraphs but carries enormous weight: if EY were to issue anything other than an unqualified opinion, Apple's stock price would likely fall sharply.

Wirecard's audit disaster. Wirecard, a German payments company, was audited by EY for years. In 2020, it was revealed that Wirecard's CEO had fabricated €1.9 billion in cash held at a bank in the Philippines. The cash did not exist; the auditor had been deceived by fake bank confirmations. This case became a symbol of audit failure and led to greater regulatory scrutiny and calls for auditor rotation. It illustrates that even major audit firms can miss fraud if management is sophisticated in its deception.

Common mistakes investors make about audits

Confusing an audited statement with an accurate statement. An unqualified audit opinion means the statements are free from material misstatement, not that they are perfectly accurate or that the company is free from fraud. Immaterial errors can still exist, and if management has engaged in a carefully concealed fraud, the auditor might not detect it.

Ignoring the fine print in the audit opinion. The audit opinion is often lengthy and includes nuance. Reading only the first sentence ("We have audited the financial statements...") and the last line ("In our opinion...") means missing important qualifications or emphasis-of-matter paragraphs that the auditor included to highlight risks.

Assuming the auditor verified every number. Auditors use sampling; they do not test 100% of transactions. If a company has $1 million in accounts payable made up of 10,000 invoices, the auditor might test 50 invoices in detail and use other procedures (like analytical review) to gain confidence in the rest. This approach is efficient and appropriate, but it means errors in the untested population are possible.

Treating an audit change as a red flag without context. If a company changes auditors, it is not automatically a sign of trouble. Companies change auditors for many legitimate reasons: cost, geography, industry expertise, or a merger. However, if a company changes auditors after disagreement over accounting policy, that is worth investigating.

FAQ

Q: If a company is audited, does that mean it cannot commit fraud? A: No. An audited company can still commit fraud. The auditor's job is to design the audit with an appropriate level of skepticism and to test for risks of misstatement, but a sophisticated, well-concealed fraud can slip past an auditor. Audits are not a guarantee of accuracy.

Q: How long does an audit take? A: For a large public company, 6–12 months from fieldwork start to final opinion. For a mid-size private company, 2–4 months. Fieldwork itself (the testing phase) often spans 2–3 months, with preliminary work before and wrap-up after.

Q: What is the cost of an audit? A: Audit fees vary widely. A small private company might pay $10,000–$30,000; a mid-size company $50,000–$500,000; a large public company $1 million–$10 million+. Fees depend on company size, complexity (number of locations, business lines, foreign operations), and the extent of risk identified in planning.

Q: Can a company fire its auditor if the auditor finds problems? A: Legally, yes—a company can terminate an auditor. However, the company must disclose the termination (and the reason) in an 8-K filing with the SEC. If the auditor resigned due to disagreement over accounting policy, the auditor is required to notify the SEC and the company's Audit Committee. This disclosure is a red flag that the market watches closely.

Q: What is the difference between an auditor and a controller? A: A controller is an internal employee of the company responsible for accounting, financial reporting, and internal controls. An auditor is an external professional hired to examine the controller's work. The controller prepares the statements; the auditor audits them.

Q: Does an audit opinion cover the MD&A? A: No. The audit opinion covers the financial statements (balance sheet, income statement, cash flow statement, and notes). The Management's Discussion and Analysis (MD&A) section is not audited, though auditors do read it to ensure it is consistent with the audited statements and does not contain material misrepresentations.

  • Internal controls: Systems and procedures designed to ensure the accuracy and completeness of financial reporting. Auditors test controls to determine the extent of substantive testing needed.
  • Material misstatement: An error or omission large enough to change a user's judgment about the company's financial condition. The auditor's threshold for materiality determines the scope of testing.
  • Audit evidence: Information gathered by the auditor (e.g., confirmations from customers, bank statements, inventory counts, expert valuations) used to support the audit opinion.
  • Audit sampling: The statistical technique by which the auditor selects a subset of items from a population to test, rather than examining every item. Appropriate sampling design allows the auditor to draw conclusions about the entire population.
  • Professional skepticism: The auditor's mindset of questioning assumptions, challenging management's assertions, and maintaining independence. This is central to effective auditing.

Summary

A financial statement audit is an independent examination of a company's financial statements by a licensed accounting firm, designed to provide reasonable assurance that the statements are free from material misstatement. The audit process involves planning, risk assessment, testing of internal controls, substantive procedures on significant accounts, and evaluation of accounting estimates. The auditor's conclusion is expressed as an audit opinion—unqualified, qualified, adverse, or disclaimer—which is the most important signal of statement credibility available to investors and creditors. Audits are legally required for public companies and demanded by lenders and investors for private companies seeking capital. While audits do not guarantee accuracy or detect all fraud, they provide an independent check on management's financial reporting and serve a vital public interest function.

Next

Audit firms: the Big Four and the rest →