Back to Glossary

Integrated Audit

What Is an Integrated Audit?

An integrated audit is one that combines an examination of financial statements with an evaluation of internal financial controls.

An audit is an independent examination and evaluation of the accuracy of information provided by a business pertaining to certain aspects of its operations.

An audit can be performed on various aspects of the business, such as performance, operations, employee benefits, and information systems.

A financial audit looks at the business’s financial statements.

Audits can be defined as internal, external, or IRS audits.

A non-integrated or traditional financial audit examines only financial statements. An integrated audit goes one step further than a financial audit and evaluates a business’s internal controls that impact its financial affairs. Internal controls are safeguards implemented by a business to ensure the accuracy of information provided in its financial statements.

What Does an Integrated Audit Include?

The primary purpose of an integrated audit, in contrast to a traditional, non-integrated audit, is to evaluate a business’s internal controls. More specifically, it is intended to identify “material weaknesses” in those internal controls.

A material weakness is defined as a deficiency, or a combination of deficiencies, in the controls that could allow an inaccuracy or misstatement in the business’s financial statements to go undetected.

According to the Public Company Accounting Oversight Board, a nonprofit corporation established by Congress to oversee the audits of public companies, an integrated audit follows several steps:

  • Planning—research about the business and its existing internal controls

  • Risk Assessment—identification and appropriate examination of those areas within the business and its internal controls that represent the greatest amount of risk for material weakness

  • Scaling the Audit—evaluation of the size and complexity of the business and how this affects its internal controls

  • Fraud Assessment—evaluation of the risk posed by fraud to the business’s internal controls

  • Use the Top-Down Approach—beginning at the financial statement level and working down to entity-level controls, then to significant accounts and disclosures


Why Do Businesses Conduct an Integrated Audit?

Integrated audits are largely a result of federal legislation that implemented reforms designed to increase corporate responsibility.

The U.S. federal Sarbanes-Oxley Act (SOX) was passed in 2002 to help restore investor confidence in financial markets after several high-profile cases of corporate fraud.

The law implemented many reforms to corporate governance, including the requirement for internal financial controls.

Specifically, Section 404 of the law requires public companies to perform extensive internal control tests and include an internal control report with their annual audits.

What Is an Attestation?

The Sarbanes-Oxley Act requires the executives of all publicly traded companies to establish, maintain, and report on internal controls for the business.

An auditor who is performing an integrated audit is evaluating the conclusions reached by management in its own report or assessment.

This is referred to as an attestation. The auditor is “attesting to the assertions made by management in its report on internal controls.”

To ensure consistency in executing the attestation, the auditor should use the same methodology as management in performing the integrated audit.

Internal controls address several elements, including:

  • Integrity and ethics

  • Independence of the board of directors from management

  • Lines of authority and reporting

  • Workforce competency

  • Accountability

Internal controls contain five key elements:

  1. A control environment that provides the foundation for performing internal controls

  2. A risk assessment process that is used to identify and manage risks that will interfere with the business’s ability to achieve its objectives

  3. Control activities which are performed under the direction of management and directed by the business’s policies and procedures to mitigate risk

  4. Information and communication which allow for the distribution of information needed to perform control activities

  5. Ongoing monitoring and evaluations of the above internal controls

Are Businesses Required to Perform an Integrated Audit?

Publicly traded companies with market capitalization in excess of $75 million are required to perform an integrated audit, which must be performed by a Certified Public Accountant (CPA). Smaller publicly traded companies or private companies are not required to perform an integrated audit, although some may still choose to do so.

What Is the Difference Between an Integrated Audit and an Internal Audit?

An integrated audit is an audit that looks at both financial statements and internal controls. An internal audit is an audit performed by internal auditors who are employees of the company. This is distinct from an external audit, which is performed by someone, typically a CPA, who is not an employee of the business.