An integrated audit is a single audit that examines both a company's financial statements and the internal controls over its financial reporting at the same time. Instead of just checking whether the numbers are right, it also checks whether the systems that produce those numbers are reliable. The two reviews are run together because they answer related questions: are the figures accurate, and can you trust the process that created them?
The integrated audit exists mainly because regulators wanted more than a clean set of accounts. After major accounting scandals, the concern shifted to how those numbers were produced, on the logic that strong controls make reliable statements far more likely. For most finance teams, an integrated audit is something larger or regulated companies undergo, but the thinking behind it, that good controls protect good numbers, applies to any business.
Two audits in one.It reviews the financial statements and the internal controls behind them together, not separately.
Driven by SOX.US public companies must have it under the Sarbanes-Oxley Act, which made controls auditable.
Controls protect numbers.The premise is that reliable processes, like clean reconciliations, produce reliable financial statements.
An integrated audit has two halves: an audit of the financial statements and an audit of internal control over financial reporting, both delivered as one engagement with one opinion on each. They feed each other, because what the auditor learns about your controls shapes how deeply they test the numbers, and vice versa.
Verifies that the accounts give a true and fair view, free of material misstatement, by testing balances and transactions.
Tests whether controls over financial reporting are designed well and actually operating, not just written down.
Identifies where a misstatement is most likely, focusing effort on the accounts and processes that matter most.
The auditor issues a view on the financial statements and a separate view on the effectiveness of internal controls.
The link between the two halves is the whole point. If your controls are strong, the auditor can rely on them and test fewer individual transactions. If controls are weak, they have to dig deeper into the numbers to get the same comfort, which costs more and takes longer. This is why clean, routine processes like a disciplined account reconciliation directly lower the effort and cost of an audit: every control the auditor can trust is work they do not have to repeat by hand.
An integrated audit follows a top-down, risk-based approach: the auditor starts with the financial statements, works back to the accounts and processes that could materially misstate them, then tests the controls over those areas before testing the numbers themselves. In practice it runs in a clear sequence.
Identify which accounts are significant and where a misstatement could realistically arise.
Assess whether the relevant controls are well designed to prevent or catch the risks identified.
Check that those controls actually operated throughout the year, not just on the day they were sampled.
Where controls are reliable, lean on them and reduce direct testing. Where they are not, substantive testing fills the gap.
Conclude on the statements and the controls, ranking any control issues from minor deficiencies up to material weaknesses.
Where controls are not reliable, substantive testing of the numbers fills the gap, often by tracing balances back through a ledger reconciliation to source evidence. Crucially, a clean financial statement opinion does not guarantee a clean controls opinion: a company can produce correct numbers through heroic manual effort while its underlying controls are weak, and the integrated audit is designed to surface exactly that gap.
A financial audit only gives an opinion on the financial statements; an integrated audit adds a second opinion on whether internal controls over financial reporting are effective. The integrated version is broader, deeper and required for US public companies, while a standalone financial audit is what most private companies receive. This table shows the difference.
| Financial audit | Integrated audit | |
|---|---|---|
| What it covers | Financial statements only | Financial statements and internal controls |
| Opinions issued | One, on the statements | Two, on statements and controls |
| Who needs it | Most private companies | US public companies under SOX |
| Main question | Are the numbers right? | Are the numbers right and the process trustworthy? |
In short, every integrated audit includes a financial audit, but not every financial audit is integrated. The extra layer is the assessment of internal control over financial reporting, which is what turns a standard audit into an integrated one. For private businesses, understanding the distinction is useful even without the legal obligation, because the controls auditors test, such as balance sheet reconciliation and segregation of duties, are exactly the habits that keep any set of books trustworthy.
The integrated audit was effectively created by the Sarbanes-Oxley Act of 2002 (SOX), which requires US public companies to report on their internal controls and have an auditor attest to them. Before SOX, auditors opined on the numbers alone.
Section 404 made management responsible for maintaining effective internal control over financial reporting and required the external auditor to test and opine on it too, in one integrated engagement. The aim was to restore investor confidence after scandals where the statements looked fine but the underlying processes were broken or manipulated. The practical effect is that public companies now invest heavily in documenting and testing controls year round, not just at audit time.
The stakes are real. If the auditor concludes a company has a material weakness in its internal controls, that has to be disclosed publicly, and it tends to dent the share price and investor trust even when the actual numbers turn out to be correct. That consequence is what pushes finance teams to treat controls as a continuous discipline rather than an annual scramble, building evidence and reconciling steadily so the audit simply confirms what is already in good order.
Accounts receivable is one of the areas an integrated audit looks at closely, because it is a large balance, it involves cash, and it is exposed to both error and fraud. Auditors want to see real controls around it: invoices that match what was delivered, receipts reconciled to the ledger, credit notes that are approved rather than waved through, and a clear separation between the person who raises invoices and the person who records payments. Weak AR controls are a classic source of audit findings, from misstated revenue to cash that goes missing. Even if your business will never face a formal integrated audit, building those controls pays off: tight reconciliations and consistent collections through accounts receivable reporting are the same disciplines an auditor would test, and they keep your numbers honest whether anyone is checking or not.

Don't let these critical mistakes hurt your
collections - See how to fix them, today!