Related posts
See all
Key Insights
- PCAOB deficiency rates dropped to 39% in 2024 from 46%, but ICFR execution gaps kept recurring around deficiency aggregation and written communication.
- Integrated audits produce two opinions on the same date. The control testing that clears one evidentiary bar may not clear the other.
- AS 2901, effective December 15, 2026, makes auditors responsible for deficiencies surfaced after the report goes out. Post-issuance isn't quiet anymore.
- Auditor AI use is on the PCAOB's 2025 inspection priorities, not just client AI use.
When you're running a public company engagement, the hard part is rarely the headline requirement. It's keeping the financial statement opinion and the ICFR work aligned on one report date, since a late control finding can reopen substantive work the team's already done. That matters because timing pressure, deficiency classification, and inspection exposure all build across the same engagement. This article covers how financial audits and SOX compliance fit together, where integrated audits get difficult to manage, and what's changing in 2026 across planning, testing, and post-issuance work.
What Is a Financial Audit?
A financial audit examines a company's financial statements for material misstatement, whether from error or fraud. For public company engagements, every phase runs under PCAOB standards. Investors, lenders, and regulators rely on the resulting opinion to make decisions, which is why the work has to hold up.
Part I.A deficiencies are the most severe inspection findings: instances where the engagement team didn't have enough evidence to support its opinion. The PCAOB's 2024 Inspection Spotlight showed a positive trend. Across portions of over 800 public company audit engagements at 171 firms, the rate of Part I.A findings fell to 39% in 2024 from 46% in 2023. Big Four U.S. firms dropped to 20% from 26%. Movement in the right direction, with a long tail still to work through.
What Is SOX Compliance, and Why Does It Matter for Auditors?
SOX, the Sarbanes-Oxley Act, is the federal law that governs public company financial reporting and the audit work that backs it. For auditors, Section 404 is the part that matters most. For accelerated filers, that section effectively turns the audit into two audits: alongside the financial statement opinion, the auditor independently attests to internal control over financial reporting.
The 404 work splits between management and the auditor:
- Section 404(a): Management assesses the effectiveness of internal control over financial reporting (ICFR).
- Section 404(b): The auditor independently attests to that ICFR effectiveness. Applies only to large accelerated and accelerated filers; non-accelerated filers and emerging growth companies are exempt.
The 404(b) attestation is the piece that creates the additional audit work.
The governing standard is AS 2201. In practice, you work from the same control framework as management, test both design and operating effectiveness, and classify any deficiencies you find. All ICFR deficiencies go to management in writing before the ICFR report goes out, with significant deficiencies and material weaknesses also going to the audit committee.
Where the work breaks down is the execution. Underneath those aggregate numbers, the 2024 Inspection Spotlight surfaced two recurring ICFR issues. Teams weren't always evaluating whether identified deficiencies, individually or stacked together, added up to a material weakness. And they weren't always communicating all ICFR deficiencies in writing before issuing the report. Both are execution issues, not knowledge gaps, and they show up consistently across firm sizes.
What Is an Integrated Audit?
For accelerated filers, the audit produces two opinions: one on the financial statements, one on internal control over financial reporting. Together, they make up an integrated audit, governed by AS 2201.
Both opinions are issued on the same date, but they answer different questions:
- Financial statement audit: Are the statements free of material misstatement?
- ICFR audit: Was internal control effective as of year-end?
The catch: control testing has to support both opinions, and the bar is different for each. A control test that's enough for the financial statement work may not be enough for the ICFR opinion.
The two opinions also affect each other. A broken control caught during ICFR testing can force rework on the financial statement side, especially when the control was meant to catch fraud. Late discovery means reopened substantive work.
How Does the Financial Audit and SOX Engagement Work? A Phase-by-Phase Overview
The work runs in four phases, each handing off to the next.
Pre-Engagement and Planning
Decisions made in planning carry through every later phase. Before fieldwork begins, the team locks in scope, confirms independence, sets the audit strategy, and decides preliminary materiality and staffing.
For integrated audits, planning also means evaluating management's assessment process, getting up to speed on ICFR, and deciding which controls to test. Those activities rarely run in a clean sequence in practice. What planning hands off to risk assessment is a scope, a preliminary materiality, and an early read on which controls matter. When that handoff is loose, the next phase spends its first two weeks correcting it.
Risk Assessment and Controls Testing
This phase has two jobs: identify what could go wrong in the financial statements, and test whether the client's controls catch those things. Risk assessment maps the business, the accounts, and the events that could cause material misstatement, including fraud risk. The list of significant risks isn't a one-time planning artifact; it keeps evolving as the team learns more.
Controls testing builds the evidence behind the ICFR opinion. It covers both design and operating effectiveness: whether the controls are designed to catch problems, and whether they actually caught them across the year. The conclusion gets handed to substantive testing. If controls work, substantive procedures can lean on that evidence; if not, they have to absorb the gap.
The Forvis inspection report shows how this breaks down: a 2024 PCAOB inspection found the engagement team didn't test controls over how the client rated the risk of its loans, leaving its conclusion on the client's allowance for loan losses without sufficient supporting evidence.
Substantive Testing and Wrap-Up
This is the phase that fills the workpaper file. Final fieldwork includes confirmations, sampling documentation, estimates and fair value workpapers, journal entry testing, and related party documentation. The procedures are designed to respond to the risks of material misstatement the team identified earlier.
Wrap-up turns months of fieldwork into a report under real time pressure. The team evaluates results, including qualitative aspects of significant accounting practices and identified misstatements, while engagement quality review runs in parallel. For integrated audits, you also have to finalize ICFR deficiency classifications early enough to communicate any significant deficiencies and material weaknesses before reporting. Leave that too late and the report date slips.
Reporting and Post-Issuance
At reporting, both opinions issue together. The team can use a combined or separate report format, but both have to be dated the same day.
The phase that used to end at issuance is about to get longer. AS 2901 becomes effective on December 15, 2026. It replaces the prior standard limited to omitted audit procedures, and now requires auditors to take specific action in response to any engagement deficiency identified after the report goes out. That ties back to the broader QC 1000 quality control system, and it means post-issuance is no longer a quiet phase.
What Makes an Integrated Audit Complex to Manage?
An integrated audit's complexity goes well beyond the volume of work. The consequences of mismanaging it are concrete: inspection deficiencies that trigger remediation, budgets that blow past estimates when late-stage findings force procedural changes, and filing timelines that slip when one side of the engagement cannot close on schedule.
Deficiency Classification Under Client Pressure
When the team identifies a control problem, classifying its severity isn't always straightforward. Management often pushes back, arguing that review or compensating controls mitigate the issue. The team has to weigh those arguments while applying the standard's tests for what counts as a significant deficiency or material weakness.
The stakes go beyond the audit relationship. Material weaknesses require public disclosure, which means the classification call affects how investors, lenders, and regulators read the company. Overclassify and the client faces unnecessary disclosure exposure and friction; underclassify and the engagement invites inspection findings.
Multi-Location Scope and Internal Audit Reliance
On a multi-location entity, scope means a series of judgment calls. The team has to decide which business units to test for ICFR, which processes within those units, and which controls within each process. Pull back too far and inspection picks up the gaps. Reach too wide and the budget runs out before substantive testing starts.
When the client has an internal audit team, the engagement team can lean on internal audit's work to reduce duplication. Under AS 2201.16–.17, that reliance is conditional: the engagement team has to assess how competent internal audit is, how objective it is from management, and how much of its testing it can rely on. A strong internal audit team saves the engagement real time. A weak one means redoing work the engagement team expected to skip.
How Technology Is Changing How Firms Run Financial Audits and SOX Engagements
Technology is reshaping integrated audits on both sides of the engagement: how the work gets done, and what auditors have to evaluate when clients themselves are running on AI. For partners and managers, that means modernizing the engagement while the bar for what a quality audit looks like keeps moving.
Client-side adoption is the first force. McKinsey's November 2025 State of AI survey found 88% of organizations report regular AI use in at least one business function, compared with 78% a year earlier. That changes the control environment, the data the team works with, and the questions the audit committee will ask.
The second force is what regulators expect from auditors. Auditor use of technology, including generative AI, is part of the PCAOB's 2025 inspection priorities, so how a firm uses these tools is now part of the inspection picture, not just an internal efficiency question.
For practitioners, the practical question is how to keep the engagement moving while a major standards package lands at the end of 2026. Platforms purpose-built for audit workflows can take real weight off the team: centralized engagement and document management, real-time visibility across both workstreams, and a consistent documentation flow that keeps the financial statement and ICFR sides moving toward a single report date.
The firms that handle this well are the ones treating technology as an operating-model decision, not a single-tool purchase. The platform that fits that decision has to cover both sides of the engagement, keep practitioner judgment central to every output, and hold up to PCAOB scrutiny on the auditor's own use of AI.
How Fieldguide Supports Financial Audit and SOX Engagements
Fieldguide is the only end-to-end AI-native platform for audit and advisory. It is designed for integrated engagements on a single system. The platform covers the full engagement lifecycle, from planning through reporting. This ensures financial statement and ICFR workstreams move toward the same report date.
The operating model combines practitioners with Field Agents. Field Agents handle work like scoping, evidence review, and control testing. Practitioners provide human oversight by reviewing outputs, applying professional judgment, and approving final work. This keeps human oversight explicit at every stage of the audit-grade workflow.
Explore Fieldguide's audit platform or request a demo to see how it works in practice.
Amanda Waldmann
Increasing trust with AI for audit and advisory firms.
