The principles of the financial audit

Here, we look at the principles of auditing. Specifically, we explore how auditors manage risk when auditing the financial statements of large, complex organisations.

All companies are legally obliged to have their financial statements independently audited.

As an in-house lawyer, you’ll be expected to understand the audit process. If you work for a large organisation or a publicly listed company, you may even be on your employer’s audit committee.

The principles of the financial audit

A statutory financial audit is a risk-based approach to verifying the ‘truth and fairness’ of an organisation’s financial statements. It’s not a detailed check of every number and transaction. The three main purposes of the statutory audit are to:

  • Provide an independent opinion to the company’s shareholders and other stakeholders about the ‘truth and fairness’ of financial statements that report on the organisation’s financial position and performance;
  • Ascertain whether the financial statements have been properly prepared in accordance with GAAP (Generally Agreed Accounting Principles, set by accounting standards bodies), company law and any relevant sector accounting guidelines; and
  • Report where, in the auditors’ opinion, proper accounting records have not been observed.

By law, all companies, with a few exceptions such as dormancy, must have their financial statements audited annually. The auditor must be independent of the organisation and adhere to relevant statutes and professional guidelines.

The auditor can be an individual or a firm, but must hold a relevant licence to practise issued by the appropriate regulatory body.

Audit risk

Remember, the responsibility for preparing an organisation’s financial statements lies with its senior management, not the auditor.

Ideally, the audit would ensure that every number and every disclosure in all summary financial statements is valid and supported. However, in large organisations, financial statements represent the amalgamation of millions of transactions. To review each one individually would be unrealistic in terms of time and cost and, in most cases, unnecessary.

For this reason, auditors use a risk-based approach to auditing and tailor it to each organisation based on factors such as its size, complexity and industry sector. They aim to identify areas where material misstatement is most likely and focus primarily on those risk areas. However, even in these areas, auditors are unable to check every detail. Instead, they look for ‘sufficient and appropriate’ evidence to support their conclusions.

Audit risk increases where management have an incentive to flatter their organisation’s financial performance, particularly around events that happen, or might be made to appear to have happened, just one side or the other of an accounting or tax reporting period. Examples of these circumstances include:

  • Justifying executive compensation plans;
  • Avoiding or minimising the effect of creditor covenants;
  • Market and stakeholder pressure to sustain performance growth trends; and
  • Initial public offerings (IPOs), where an organisation offers stock to the public for the first time and there is a strong temptation, often based on personal financial gain, for management to make the organisation look as "plump" as possible at the time of the offer, even if this is not actually sustainable.


A core principle in assessing audit risks, reviewing transactions and making corrections is materiality.

To establish materiality, auditors assess whether an error or omission would change the decisions of someone relying on the information presented in the organisation’s financial statements.

Audit planning

When planning an audit, the auditor seeks to gain an understanding of:

  • The organisation’s business activity;
  • How the organisation operates;
  • The risks in its business environment; and
  • The organisation’s internal accounting processes.

The auditor will be particularly interested in the internal controls over the accounting processes. These should prevent things from going wrong and minimise scope for fraud or manipulation of the accounts. This means, during their first year of working with an organisation, auditors have a great deal to do. In subsequent years, the planning phase becomes more a process of updating previous knowledge, looking to see where anything has changed and reassessing any major risk areas.

Internal controls testing

Because it’s currently impossible to test every transaction a large organisation makes (although advances in technology may mean that this starts to change in the next few years), a vital part of the audit process is to test the internal controls of its financial systems and processes.

Auditors do this by tracking representative transactions, such as sales to customers or procurement of raw materials, through their full life cycle. At each stage, the auditor will ensure the transactions are authorised, categorised and recorded according to the organisation’s internal controls.

If the controls prove to be robust, the auditor will consider the risk of misstatement low. Accordingly, they’ll reduce the amount of evidence they feel they need to support a particular figure.

To support internal controls testing, an auditor may wish to confirm the integrity of the organisation’s IT systems. If so, they’ll employ computer audit specialists for this job.

This testing of systems and processes is often termed an interim audit as it’s usually performed one or more times part way through an organisation’s financial year.

Year-end audit

For most organisations, auditing is a concentrated activity that begins when the financial year and/or quarterly reporting period (where applicable) ends, and continues for a few weeks.

As well as testing the most significant entries on the financial statements, the year-end audit will also look at areas where there are most likely to be errors or manipulation. This often involves numbers that are outside normal transaction routines and may require management to make subjective judgements.

Substantive testing

While observing the principle of materiality, auditors typically apply three tests, which fall under the heading of substantive testing. These are:

  • Analytical procedures: comparing numbers reported against expectations calculated by assessing comparable companies, industry trends and existing forecasts;
  • Tests of detail: testing the reported balance against documentation such as purchase invoices and bank statements or inspecting stock at hand; and
  • Tests of account analysis: scanning the items that make up a figure to identify any unusual amounts or items that indicate risks in the business, such as excessive legal fees.

The auditors will also review other elements in the organisation’s formal annual report, such as the chairperson’s statement. They’ll look to ensure that messages in the report are consistent with the picture provided by the financial statements.

Signing the audit report

Once the auditors have finished their work and your organisation has corrected any errors or problems found in the final accounts, the auditors will sign the audit report. This means they’re stating that your accounts are ‘true and fair’ and comply with relevant law and accounting standards. The auditors will only sign the report after the directors have approved the accounts. That way, the auditors know they are the final, official version. The auditors will also want to know that any events between the financial year-end and the date of the approval of the accounts have been dealt with properly and don’t affect any conclusions they’ve reached.

If the auditors don’t get sufficient evidence or don’t agree that the accounts show a true and fair view, they will modify their audit report. This is a very serious matter and the directors are usually keen to avoid this at all costs.

The audit committee

Larger organisations, and all publicly listed companies, have an audit committee. This comprises executive directors, non-executive directors and, possibly, experts such as finance academics. The audit committee oversees the financial reporting process, selection of the auditor and receipt of audit results, both internal and external. Some audit committees also oversee their organisation’s regulatory compliance and risk management activities.

Directors’ duties to report and forward-looking statements

The Companies Act 2006 has also forced companies in England and Wales to start to produce forward-looking statements, signed off by the directors, about the future prospects and risks for the company as part of the sign-off of the accounts. This is a new and evolving area with limited guidance available from law firms, auditors and the Financial Reporting Council. As with Modern Slavery reporting declarations, it is important that the legal and company secretarial teams understand this area of law and how it works and evolves, even if the reporting and sign-off processes are run by the finance team and the auditors to your business.


All companies must have an annual audit of their accounts prepared and signed off by an independent, qualified and licensed auditor. In most organisations, it’s not possible to track and verify every transaction, so auditors take a risk-based approach. They look for areas where errors or misstatements are most likely to be made and test key transactions in these areas. They may also subject the organisation’s internal accounting controls and IT systems to rigorous testing. Auditors will not sign off on an organisation’s accounts until they’re satisfied they’re a true and fair statement of its performance.