Integrated Audit

Accounts Receivable Dictionary

What is an integrated audit?

An integrated audit is a single audit that examines both a company's financial statements and the internal controls over its financial reporting at the same time. Instead of just checking whether the numbers are right, it also checks whether the systems that produce those numbers are reliable. The two reviews are run together because they answer related questions: are the figures accurate, and can you trust the process that created them?

The integrated audit exists mainly because regulators wanted more than a clean set of accounts. After major accounting scandals, the concern shifted to how those numbers were produced, on the logic that strong controls make reliable statements far more likely. For most finance teams, an integrated audit is something larger or regulated companies undergo, but the thinking behind it, that good controls protect good numbers, applies to any business.

Key takeaways

Two audits in one.It reviews the financial statements and the internal controls behind them together, not separately.

Driven by SOX.US public companies must have it under the Sarbanes-Oxley Act, which made controls auditable.

Controls protect numbers.The premise is that reliable processes, like clean reconciliations, produce reliable financial statements.

The two components of an integrated audit

An integrated audit has two halves: an audit of the financial statements and an audit of internal control over financial reporting, both delivered as one engagement with one opinion on each. They feed each other, because what the auditor learns about your controls shapes how deeply they test the numbers, and vice versa.

Financial statement audit

Verifies that the accounts give a true and fair view, free of material misstatement, by testing balances and transactions.

Internal control audit

Tests whether controls over financial reporting are designed well and actually operating, not just written down.

Risk assessment

Identifies where a misstatement is most likely, focusing effort on the accounts and processes that matter most.

Two opinions

The auditor issues a view on the financial statements and a separate view on the effectiveness of internal controls.

The link between the two halves is the whole point. If your controls are strong, the auditor can rely on them and test fewer individual transactions. If controls are weak, they have to dig deeper into the numbers to get the same comfort, which costs more and takes longer. This is why clean, routine processes like a disciplined account reconciliation directly lower the effort and cost of an audit: every control the auditor can trust is work they do not have to repeat by hand.

How an integrated audit is conducted

An integrated audit follows a top-down, risk-based approach: the auditor starts with the financial statements, works back to the accounts and processes that could materially misstate them, then tests the controls over those areas before testing the numbers themselves. In practice it runs in a clear sequence.

1
Understand the business and its risks

Identify which accounts are significant and where a misstatement could realistically arise.

2
Evaluate control design

Assess whether the relevant controls are well designed to prevent or catch the risks identified.

3
Test operating effectiveness

Check that those controls actually operated throughout the year, not just on the day they were sampled.

4
Test the numbers to the right depth

Where controls are reliable, lean on them and reduce direct testing. Where they are not, substantive testing fills the gap.

5
Form two opinions and report weaknesses

Conclude on the statements and the controls, ranking any control issues from minor deficiencies up to material weaknesses.

Where controls are not reliable, substantive testing of the numbers fills the gap, often by tracing balances back through a ledger reconciliation to source evidence. Crucially, a clean financial statement opinion does not guarantee a clean controls opinion: a company can produce correct numbers through heroic manual effort while its underlying controls are weak, and the integrated audit is designed to surface exactly that gap.

Integrated audit vs financial audit

A financial audit only gives an opinion on the financial statements; an integrated audit adds a second opinion on whether internal controls over financial reporting are effective. The integrated version is broader, deeper and required for US public companies, while a standalone financial audit is what most private companies receive. This table shows the difference.

 Financial auditIntegrated audit
What it coversFinancial statements onlyFinancial statements and internal controls
Opinions issuedOne, on the statementsTwo, on statements and controls
Who needs itMost private companiesUS public companies under SOX
Main questionAre the numbers right?Are the numbers right and the process trustworthy?

In short, every integrated audit includes a financial audit, but not every financial audit is integrated. The extra layer is the assessment of internal control over financial reporting, which is what turns a standard audit into an integrated one. For private businesses, understanding the distinction is useful even without the legal obligation, because the controls auditors test, such as balance sheet reconciliation and segregation of duties, are exactly the habits that keep any set of books trustworthy.

Integrated audits and the Sarbanes-Oxley Act

The integrated audit was effectively created by the Sarbanes-Oxley Act of 2002 (SOX), which requires US public companies to report on their internal controls and have an auditor attest to them. Before SOX, auditors opined on the numbers alone.

What Section 404 changed

Section 404 made management responsible for maintaining effective internal control over financial reporting and required the external auditor to test and opine on it too, in one integrated engagement. The aim was to restore investor confidence after scandals where the statements looked fine but the underlying processes were broken or manipulated. The practical effect is that public companies now invest heavily in documenting and testing controls year round, not just at audit time.

Why a material weakness matters

The stakes are real. If the auditor concludes a company has a material weakness in its internal controls, that has to be disclosed publicly, and it tends to dent the share price and investor trust even when the actual numbers turn out to be correct. That consequence is what pushes finance teams to treat controls as a continuous discipline rather than an annual scramble, building evidence and reconciling steadily so the audit simply confirms what is already in good order.

Why internal controls matter for accounts receivable

Accounts receivable is one of the areas an integrated audit looks at closely, because it is a large balance, it involves cash, and it is exposed to both error and fraud. Auditors want to see real controls around it: invoices that match what was delivered, receipts reconciled to the ledger, credit notes that are approved rather than waved through, and a clear separation between the person who raises invoices and the person who records payments. Weak AR controls are a classic source of audit findings, from misstated revenue to cash that goes missing. Even if your business will never face a formal integrated audit, building those controls pays off: tight reconciliations and consistent collections through accounts receivable reporting are the same disciplines an auditor would test, and they keep your numbers honest whether anyone is checking or not.

Frequently asked questions
What is an integrated audit in simple terms?
An integrated audit is a single audit that checks both a company's financial statements and the internal controls behind them at the same time. It confirms the numbers are accurate and that the systems producing those numbers are reliable, giving a separate opinion on each.
What is the difference between an integrated audit and a financial audit?
A financial audit gives one opinion, on whether the financial statements are fairly stated. An integrated audit adds a second opinion on whether internal controls over financial reporting are effective. Every integrated audit includes a financial audit, but not every financial audit is integrated.
Who is required to have an integrated audit?
In the United States, public companies are required to have an integrated audit under the Sarbanes-Oxley Act, which mandates an auditor opinion on internal control over financial reporting. Most private companies receive only a standalone financial audit, though they can choose a controls review voluntarily.
How does an integrated audit relate to SOX?
The Sarbanes-Oxley Act of 2002 effectively created the integrated audit. Section 404 requires management to maintain effective internal control over financial reporting and the external auditor to test and opine on it, combining the controls review and the financial statement audit into one engagement.
What internal controls does an integrated audit examine?
It examines controls over financial reporting, such as account and bank reconciliations, approval and authorization steps, segregation of duties, and access controls over systems. In accounts receivable that means invoice matching, reconciled receipts, approved credit notes, and separating who raises invoices from who records payments.
Keep reading

Are you making these
5 invoicing mistakes?

Don't let these critical mistakes hurt your
collections - See how to fix them, today!