Introduction
The modern business landscape demands more than just traditional financial audits. With increasing reliance on digital systems and data-driven processes, the audit profession has embraced a more comprehensive approach: integrated audits. These audits combine the evaluation of financial reporting with the assessment of internal controls over information technology (IT).
This blog explores what integrated audits are, why they matter, how they’re conducted, and the value they provide to organizations striving for regulatory compliance, risk mitigation, and operational efficiency.
What Are Integrated Audits?
Integrated audits simultaneously evaluate both:
- Financial Statement Audits – Ensuring the accuracy and fair presentation of financial records following accounting standards.
- Internal Control Over Financial Reporting (ICFR) – Assessing whether controls in place (including IT systems) prevent or detect material misstatements.
This dual-focus audit approach is mandated for public companies under the Sarbanes-Oxley Act (SOX) Section 404 in the U.S. and emphasized by PCAOB Audit Standard No. 2201.
Why Integrated Audits Matter
As digital transformation grows, financial reporting is deeply intertwined with IT systems. Integrated audits:
- Enhance transparency into how data flows from source systems to financial statements
- Improve identification of risks related to cybersecurity, access controls, and automated processing
- Foster better coordination between auditors, IT teams, and internal audit functions
- Strengthen internal controls, leading to fewer audit adjustments and improved governance
Key Components of Integrated Audits
| Component | Focus Area |
|---|---|
| Entity-Level Controls | Tone at the top, governance, risk management |
| Process-Level Controls | Financial transaction cycles: revenue, procurement, payroll |
| IT General Controls (ITGCs) | Change management, access controls, backup/recovery |
| Application Controls | Automated calculations, validation checks, audit trails |
Steps in Performing an Integrated Audit
- Planning and Risk Assessment
- Identify significant accounts and disclosures
- Understand relevant IT systems and environments
- Scoping IT Controls
- Determine in-scope applications, databases, and interfaces
- Evaluate ITGCs supporting the financial systems
- Testing Controls
- Walkthroughs and tests of the design for process and IT controls
- Operating effectiveness testing for controls that mitigate financial risks
- Evaluating Deficiencies
- Assess severity and likelihood of control failures
- Determine whether deficiencies are material weaknesses or significant deficiencies
- Reporting
- Provide an opinion on financial statements and internal control effectiveness
- Discuss findings with management and the audit committee
Example Scenario: ERP System Implementation
A manufacturing firm implements a new enterprise resource planning (ERP) system. During the integrated audit:
- Financial Audit: Tests account balances impacted by the new system
- ITGC Review: Evaluates access control configurations and change management around ERP deployment
- Application Controls: Reviews automated approval workflows for purchase orders
The integrated approach uncovers that segregation of duties in the new system was not properly enforced, prompting remediation.
Benefits of Integrated Audits
| Benefit | Description |
| Holistic Risk View | Combines financial and IT insights to address enterprise risks |
| Efficiency | Reduces redundancy in audit testing |
| Improved Control Environment | Promotes consistency in compliance and risk oversight |
| Stakeholder Confidence | Enhances transparency and governance for investors and regulators |
Challenges and Best Practices
Challenges:
- Coordination between the financial and IT audit teams
- Complexity of modern IT environments
- Ensuring adequate documentation of control testing
Best Practices:
- Use a collaborative approach between external auditors, internal auditors, and IT
- Maintain strong documentation of controls and remediation
- Perform regular training on integrated audit frameworks and standards
Conclusion
Integrated audits offer a powerful approach to understanding how financial and IT systems interconnect and impact risk. By simultaneously evaluating financial and IT controls, these audits enable organizations to build stronger internal control environments, meet regulatory demands, and gain meaningful insights into operational resilience.
As technology continues to influence every aspect of financial reporting, the integrated audit will become the standard, not the exception, for organizations seeking reliable, future-ready assurance.
References
- PCAOB Audit Standard No. 2201 – An Audit of Internal Control Over Financial Reporting
- COSO Framework for Internal Control
- ISACA IT Control Objectives for Sarbanes-Oxley (IT Governance Institute)
- Messier, Glover & Prawitt (2022). Auditing & Assurance Services