Uncategorized
When Does a Company Need an Audit? Lender, Investor, Regulatory, and Bylaw Triggers
When does a company need an audit? Almost always when an external party with money or authority at stake demands reasonable assurance: a lender, an investor, a regulator, a government grant agency, or the company’s own governing documents. There is no general law forcing a private company to be audited. The trigger is a specific demand or statute.
Key takeaways
- No statute requires a private U.S. company to be audited simply for existing. An audit becomes mandatory only when a specific external party or regulation demands it (our evaluation of U.S. statutory and lending norms).
- Public companies must file audited financials prepared under the Securities Act of 1933 and Securities Exchange Act of 1934, with audits performed by a PCAOB-registered firm (SEC Regulation S-X).
- A Single Audit is triggered when a non-federal entity expends $1,000,000 or more in federal awards in a fiscal year, a threshold raised from $750,000 effective for fiscal years beginning on or after October 1, 2024 (OMB Uniform Guidance, 2 CFR 200 Subpart F).
- ERISA requires a plan audit for “large” retirement plans, generally those with 100 or more participants, reported on Form 5500 Schedule H (ERISA Section 103; DOL regulations).
- Nonprofit audit triggers are set by state law and vary widely, for example California requires an audit at $2 million in gross revenue while New York uses a tiered $250K review and $1M audit structure (California Nonprofit Integrity Act; New York Executive Law Article 7-A).
The short answer: when
A company needs an audit when an external party who can withhold money, capital, or legal standing requires reasonable assurance over its financial statements. The most common triggers are lender covenants, investor and board mandates, SEC registration, federal grant spending above $1 million, ERISA retirement plan size, state nonprofit revenue thresholds, and franchise disclosure rules. Absent one of these demands, a private company can usually operate on a review or a compilation instead (our evaluation).
The triggers
Start with lenders, because they generate more private-company audits than any other single source. Senior debt facilities commonly require audited financial statements once total debt rises above roughly $10 million, reflecting standard middle-market loan covenant practice. In the broader mid-market band of about $2 million to $25 million in facility size, lenders frequently accept a review rather than a full audit, and the smallest borrowers, including many SBA loans, will accept a compilation (our evaluation of commercial lending covenant norms). If you are weighing which level a lender will accept, our explainer on audit versus review versus compilation lays out the assurance differences that drive these covenant decisions.
Investors are the second major trigger. Private equity owners and venture capital term sheets routinely mandate an annual audit as a condition of the investment, and that requirement usually survives in the company’s governing documents after closing. Corporate bylaws, operating agreements, and shareholder agreements can independently require an annual audit regardless of what any lender wants, so the obligation can be self-imposed and contractual rather than statutory (our evaluation of standard PE and VC investment terms). When buyers or boards demand an audit, the next question is usually cost, which we break down in our guide to how much an audit costs.
Securities regulation creates the most absolute trigger. A company that registers securities with the SEC, an issuer, must file audited financial statements. That obligation flows from the Securities Act of 1933 for offerings and the Securities Exchange Act of 1934 for ongoing reporting, with the form and content of those statements governed by SEC Regulation S-X. The audit itself must be performed by a firm registered with the Public Company Accounting Oversight Board (PCAOB). For public companies there is no review-level alternative.
Government funding is the next trigger, and it has a bright-line number. Under the OMB Uniform Guidance at 2 CFR 200 Subpart F, a non-federal entity that expends $1,000,000 or more in federal awards in a single fiscal year must obtain a Single Audit covering both its financial statements and its compliance with the terms of those awards. That $1,000,000 figure is a recent change: it was raised from $750,000 effective for fiscal years beginning on or after October 1, 2024 (OMB, 2 CFR 200.501). The test is based on amounts expended, not amounts received or awarded.
Nonprofits face audit triggers set by state charity law rather than federal rule, and the thresholds differ sharply. California requires a charity registered in the state to obtain an audit once it has $2 million or more in annual gross revenue, under the Nonprofit Integrity Act. New York uses a tiered structure under Executive Law Article 7-A and the attorney general’s charities registration: an organization above a $250,000 revenue level must file reviewed financials, and above roughly $1 million it must file audited financials. Many other states cluster their audit thresholds in the $500,000 to $2 million revenue band (our evaluation of state charity registration statutes). A nonprofit operating across state lines may be pulled into the strictest applicable threshold.
Two ERISA plan triggers catch companies that never think of themselves as audit candidates. An employee stock ownership plan (ESOP) that is covered by ERISA and has 100 or more participants must attach audited plan financial statements to its annual Form 5500 (ERISA Section 103; DOL Form 5500 instructions). Separately, a 401(k) plan must be audited once it files as a “large plan,” generally meaning 100 or more participants with account balances at the start of the plan year, reported on Form 5500 Schedule H. The 80-120 participant rule lets a plan that has been filing as a small plan continue to do so until it exceeds 120 participants, which softens the cliff at exactly 100 (ERISA Section 103; DOL Form 5500 instructions, 80-120 Participant Rule).
Finally, two commercial regimes pull in companies that sell access or carry risk. A franchisor must include audited financial statements in its Franchise Disclosure Document under the FTC Franchise Rule (16 CFR Part 436), which is why even early-stage franchisors commission audits before they sell their first unit. And surety and insurance underwriters frequently require reviewed or audited statements before extending bonding capacity to a contractor, because the bond exposure depends on verified financial strength (our evaluation of surety underwriting practice). Companies pursuing technology and trust customers may also need a SOC 2 audit, which is a controls examination rather than a financial-statement audit but is demanded by enterprise buyers in much the same way.
Audit thresholds by trigger
| Trigger | Threshold / condition | Authority |
|---|---|---|
| Senior bank debt covenant | Audited financials commonly required above roughly $10M total debt | Commercial lending covenant norms (our evaluation) |
| Mid-market loan facility | Review often accepted on facilities of about $2M to $25M | Commercial lending covenant norms (our evaluation) |
| Small SBA loan | Compilation often accepted | SBA lending practice (our evaluation) |
| PE / VC investment | Annual audit mandated by term sheet or governing documents | Standard PE and VC investment terms (our evaluation) |
| Corporate bylaws / shareholder agreement | Annual audit when the governing document requires it | Company bylaws and shareholder agreements (our evaluation) |
| SEC-registered issuer | Audited financials required for all public companies | Securities Act of 1933; Securities Exchange Act of 1934; Regulation S-X; PCAOB |
| Federal grant recipient (Single Audit) | $1,000,000 or more in federal awards expended per fiscal year (raised from $750,000 for fiscal years beginning on or after Oct 1, 2024) | OMB Uniform Guidance, 2 CFR 200 Subpart F (200.501) |
| California nonprofit | Audit at $2,000,000 or more in annual gross revenue | California Nonprofit Integrity Act |
| New York nonprofit | Review above $250K revenue; audit above roughly $1M revenue | New York Executive Law Article 7-A (AG charities registration) |
| ESOP (ERISA-covered) | Annual audit at 100 or more participants, filed with Form 5500 | ERISA Section 103; DOL Form 5500 instructions |
| 401(k) “large plan” | Audit generally at 100+ participants with balances; 80-120 rule allows small-plan filing up to 120 | ERISA Section 103; DOL Form 5500 Schedule H instructions |
| Franchisor | Audited statements required in the Franchise Disclosure Document | FTC Franchise Rule, 16 CFR Part 436 |
| Surety / insurance bonding | Reviewed or audited statements often required for bonding capacity | Surety underwriting practice (our evaluation) |
What happens if you do not get one
The consequence depends on which trigger you missed, and the penalties range from technical to severe. Missing a lender-required audit usually puts a borrower in covenant default, which lets the lender accelerate the loan, raise the interest rate, or freeze further draws even if every payment is current (our evaluation of standard loan covenant remedies). For an SEC issuer, filing without audited statements is not an option at all: late or missing audited financials can trigger SEC enforcement, delisting, and a halt in the ability to raise capital under the Securities Exchange Act of 1934.
For federal grant recipients, failing to file a required Single Audit under 2 CFR 200 Subpart F can result in withheld payments, disallowed costs the entity must repay, and designation as a higher-risk recipient that loses access to future awards (OMB Uniform Guidance, 2 CFR 200). On the ERISA side, a “large” retirement plan that files Form 5500 without the required audit has filed an incomplete return, exposing the plan sponsor to Department of Labor penalties that accrue per day until corrected (ERISA Section 502; DOL Form 5500 instructions). A franchisor that sells without audited statements in its FDD violates the FTC Franchise Rule and risks rescission claims from franchisees and FTC action (16 CFR Part 436). And a nonprofit that ignores a state audit threshold can lose its charitable registration and its ability to solicit donations in that state (state charity registration statutes; our evaluation).
How to prepare
Preparation starts long before the auditor arrives, and the companies that prepare well pay less and finish faster. First, confirm which trigger actually applies and at what date, because the obligation often attaches to a specific fiscal year or a participant count measured on the first day of the plan year (ERISA Section 103). Second, close your books cleanly and reconcile every major account, since unreconciled cash, receivables, and inventory are the most common cause of audit overruns (our evaluation).
Third, assemble the evidence the auditor will request before fieldwork: bank statements, loan agreements, board minutes, signed contracts, the fixed-asset register, and revenue documentation. Fourth, document your significant accounting policies and any judgment areas, such as revenue recognition or impairment, so the auditor is testing a position rather than constructing one. Fifth, if this is your first audit, expect the prior-period opening balances to draw extra scrutiny and budget time for that. For a deeper walk-through of assurance levels and what each engagement actually delivers, our learning center collects the related guides in one place.
Frequently asked questions
- Is a private company ever legally required to be audited just for being large?
- No. U.S. federal law does not require a private company to be audited based on revenue or headcount alone. An audit becomes mandatory only when a specific external party demands it or a statute such as ERISA or the Uniform Guidance applies (our evaluation of U.S. statutory norms).
- At what loan size do lenders typically require an audit?
- Audited financials are commonly required once total debt exceeds roughly $10 million. Facilities in the $2 million to $25 million range often accept a review, and small SBA loans frequently accept a compilation (commercial lending covenant norms; our evaluation).
- What is the federal grant threshold for a Single Audit?
- A non-federal entity that expends $1,000,000 or more in federal awards in a fiscal year must obtain a Single Audit. That threshold rose from $750,000 effective for fiscal years beginning on or after October 1, 2024 (OMB Uniform Guidance, 2 CFR 200.501).
- When does a 401(k) plan need an audit?
- Generally when it files as a “large plan,” meaning 100 or more participants with account balances at the start of the plan year, reported on Form 5500 Schedule H. The 80-120 rule lets a plan keep filing as a small plan until it exceeds 120 participants (ERISA Section 103; DOL Form 5500 instructions).
- Do ESOPs require a separate audit?
- Yes. An ERISA-covered ESOP with 100 or more participants must attach audited plan financial statements to its annual Form 5500 (ERISA Section 103; DOL Form 5500 instructions).
- What is the nonprofit audit threshold in my state?
- It depends on the state. California requires an audit at $2 million in gross revenue, New York uses a tiered $250K review and $1M audit structure, and many states fall in the $500K to $2 million band (California Nonprofit Integrity Act; New York Executive Law Article 7-A; our evaluation).
- Do franchisors have to be audited?
- Yes. The FTC Franchise Rule requires franchisors to include audited financial statements in their Franchise Disclosure Document before selling franchises (FTC Franchise Rule, 16 CFR Part 436).
- Can my bylaws require an audit even if no lender or regulator does?
- Yes. Corporate bylaws, operating agreements, and shareholder agreements can mandate an annual audit. That obligation is contractual and applies regardless of any statutory threshold (company governing documents; our evaluation).
- Is a SOC 2 report the same as an audit?
- No. A SOC 2 is an examination of a company’s controls over security and related criteria, not an audit of its financial statements, though enterprise customers often demand one in a similar way (our evaluation).
Bottom line
A company needs an audit when an external party with money or legal authority at stake requires reasonable assurance: a lender above its covenant threshold, an investor or board, the SEC, a federal grant program at $1 million expended, an ERISA plan at 100 participants, a state charity threshold, or a franchise filing. Identify which trigger applies, confirm the threshold and date, and prepare your books before the auditor arrives.
Sources and methodology
This article draws on primary statutory and regulatory sources: ERISA Section 103 and Section 502 and the Department of Labor Form 5500 instructions (including Schedule H and the 80-120 Participant Rule) for retirement plan and ESOP audit requirements; the OMB Uniform Guidance at 2 CFR Part 200 Subpart F (including 200.501) for the Single Audit threshold and its increase to $1,000,000 effective for fiscal years beginning on or after October 1, 2024; the Securities Act of 1933, the Securities Exchange Act of 1934, SEC Regulation S-X, and PCAOB registration requirements for public-company audits; the FTC Franchise Rule at 16 CFR Part 436 for franchise disclosure; the California Nonprofit Integrity Act and New York Executive Law Article 7-A for representative state nonprofit thresholds. Lender covenant thresholds, SBA loan practice, PE and VC investment terms, and surety underwriting practice reflect our evaluation of prevailing market norms rather than a single statute and are labeled accordingly. Specific thresholds vary by jurisdiction, contract, and fiscal year; confirm the rule that applies to your entity before acting.