
Audit vs Review vs Compilation: Levels of Assurance, Cost, When to Use Which

Audit vs review vs compilation is the foundational question every CFO faces when a lender, board, or investor asks for “financial statements.” An audit provides reasonable assurance under GAAS. A review provides limited assurance under SSARS 21. A compilation provides no assurance. The right level depends on who is asking, why, and what they will pay for.

Key takeaways

  • An audit provides reasonable assurance and is the only level that satisfies SEC reporting, most senior lender debt covenants above ~$10M, and PCAOB-registered issuer requirements (AU-C 200 and PCAOB AS 1001).
  • A review provides limited (negative) assurance under SSARS 21 AR-C 90 and typically satisfies mid-market lender covenants in the $2M to $25M debt range.
  • A compilation under SSARS 21 AR-C 80 provides no assurance and is essentially a CPA-prepared formatting and presentation of management’s numbers, used for owner-managed businesses and tax-preparer file transfers.
  • 2026 mid-market price points: audit $50K to $400K, review $15K to $50K, compilation $3K to $15K, with technology and regulated-industry premiums layered on top.
  • The wrong level produces a deliverable nobody can use; lender rejection of a compilation when the covenant required a review is the most common cause of borrower covenant violation in the first year.

The short version

Get an audit when an external party demands reasonable assurance: SEC, large lenders, PE owners, M&A buyers, and federally-funded grant recipients. Get a review when a mid-market lender or growth-stage investor wants meaningful assurance at a fraction of audit cost. Get a compilation when you need a CPA-prepared deliverable for routine tax, internal management, or small lender purposes with no assurance attached.

What an audit does

An audit is conducted under Generally Accepted Auditing Standards (GAAS) for private companies and PCAOB Auditing Standards for SEC issuers. The auditor’s objective is to obtain reasonable assurance that the financial statements as a whole are free from material misstatement. Reasonable assurance is a high but not absolute level of assurance, formally defined as a high probability that material misstatement would be detected by the procedures performed.

The work is substantial. The auditor plans the engagement using a risk-based approach (AU-C 315), tests internal controls when reliance is planned (AU-C 330), and performs substantive procedures including confirmations with third parties, recalculations, inspections, observations, and analytical procedures. For public companies, the auditor also issues an opinion on the effectiveness of internal control over financial reporting under SOX 404 and AS 2201.

The deliverable is a written opinion that the financial statements are presented fairly in all material respects in accordance with the applicable financial reporting framework (US GAAP or IFRS most commonly). The opinion can be unmodified (clean), qualified (a specific issue, but otherwise fair), adverse (the statements are not presented fairly), or a disclaimer (the auditor could not gather sufficient evidence). Anything other than unmodified is a procurement problem.

Audits are the only assurance level the SEC accepts for issuer financial reporting under the Securities Act of 1933 and the Securities Exchange Act of 1934. They are the standard requirement for senior lender debt covenants above approximately $10M, for ESOP fairness opinions, and for M&A transaction packages above the small-business threshold.

What a review does

A review is conducted under AICPA SSARS 21 AR-C 90 (Statements on Standards for Accounting and Review Services). The accountant’s objective is to obtain limited assurance that no material modifications need to be made to the financial statements for them to conform to the applicable framework. Limited assurance is also called “negative assurance” because the conclusion is stated negatively (we are not aware of material modifications) rather than positively (the statements are fairly presented).

The procedures are materially lighter than an audit. The accountant performs inquiry and analytical procedures rather than substantive testing. There are no third-party confirmations. There is no internal control testing. There is no observation of physical inventory. The accountant inquires of management, performs analytical comparisons, and reads the financial statements with an eye for anything that looks anomalous.

The deliverable is a “review report” stating that the accountant is not aware of any material modifications that should be made. The negative phrasing matters: a review does not say the statements are correct; it says nothing came to the accountant’s attention to suggest they are wrong. The threshold for evidence is much lower than for an audit.

Reviews are the standard mid-market lender requirement in the $2M to $25M debt range. Most regional and community bank commercial lending groups accept reviewed financial statements for borrowers in this range. Private investors often accept reviews for portfolio reporting. SBA lenders typically require reviewed or audited statements for loans above $350K.

What a compilation does

A compilation is conducted under AICPA SSARS 21 AR-C 80. The accountant’s objective is to apply accounting and financial reporting expertise to assist management in presenting financial information. There is no assurance objective. The accountant does not gather evidence. The accountant is not required to perform any verification procedures.

What the accountant does is take management’s numbers (typically from QuickBooks, NetSuite, or a similar GL) and present them in a financial statement format that conforms to the applicable reporting framework. The accountant must read the statements to identify obvious errors and must be independent or disclose lack of independence in the compilation report. That is essentially the floor of the engagement.

The deliverable is a one-page compilation report stating that the accountant did not audit or review the statements and does not express an opinion or any assurance. The report is intentionally clear that the user gets no assurance from the engagement; the CPA’s name is on the cover, but the work performed is minimal.

Compilations are used by small owner-managed businesses, sole proprietorships, and small partnerships for internal management reporting, tax preparer file transfers, and small SBA loans (typically under $350K). They are often the entry-level deliverable a CPA firm provides to a small business client who will progress to a review or audit as the business grows.

Side-by-side comparison table

| Criterion | Audit | Review | Compilation |
|---|---|---|---|
| Governing standard | GAAS (AU-C) or PCAOB AS | SSARS 21 AR-C 90 | SSARS 21 AR-C 80 |
| Level of assurance | Reasonable (high) | Limited (moderate, negative) | None |
| Independence required | Yes, strictly enforced (AICPA + SEC) | Yes, strictly enforced | No; lack of independence must be disclosed |
| Procedures | Risk assessment, control testing, substantive testing, confirmations, observation, recalculation | Inquiry and analytical procedures only | Read for obvious errors only |
| Internal control evaluation | Required for risk assessment; tested if reliance planned | Not required | Not required |
| Third-party confirmations | Required for material AR, debt, investments | Not required | Not required |
| Going concern evaluation | Required (AU-C 570) | Required but reduced (AR-C 90.16) | Not required |
| Typical 2026 fee (mid-market) | $50K to $400K+ | $15K to $50K | $3K to $15K |
| Typical engagement timeline | 3 to 6 months from kickoff to issuance | 4 to 8 weeks | 1 to 3 weeks |
| Required for SEC reporting | Yes | No | No |
| Typical lender threshold | $10M+ debt facilities | $2M to $25M debt facilities | Under $350K SBA loans |
| Common use cases | Public companies, PE-owned, large bank covenants, M&A diligence | Mid-market bank covenants, growth equity reporting | Small owner-managed, internal management, tax preparer transfer |

Which fits your situation

Get an audit if: You are an SEC issuer (mandatory). Your senior lender debt covenant requires audited financials (read the covenant; this is the most common reason). A PE owner expects audited statements quarterly or annually. You are in active M&A negotiation and the buyer is performing reverse-Q4-stub diligence. You are a 401(k) plan sponsor over the 100-eligible-participant threshold (ERISA Section 103). You are an OMB Uniform Guidance recipient with $750K or more in federal awards (Single Audit). You are seeking to issue debt or equity to outside investors with audit-level assurance baked into the term sheet.

Get a review if: Your lender covenant explicitly accepts reviewed financials (common for community banks and regional commercial lenders in the $2M to $25M range). Your bonding company requires reviewed statements for surety capacity. Your growth equity or family-office investor accepts reviews for quarterly or annual reporting. You are scaling toward an audit but want a lighter assurance step in the meantime to build the muscle for full audit procedures.

Get a compilation if: You are a small owner-managed business that needs CPA-prepared financial statements for an SBA loan under $350K. Your CPA prepares the compilation as part of an annual tax return engagement. You need a clean cut of financial statements to share with internal management or a family partner without paying for assurance. You are an early-stage company where the cost of assurance is not yet justified by external demand.

The single most common mistake is buying the wrong level of assurance and discovering after issuance that the recipient cannot use it. Read the lender covenant, read the investor side letter, read the bonding application before scoping. See quality of earnings report coverage for the M&A-specific deliverable that supplements (not replaces) audited statements in transaction diligence.

Cost comparison

Pricing varies widely by company size, industry, complexity (multiple entities, foreign operations, complex revenue recognition), and the auditor’s brand. The 2026 ranges below reflect mid-market firm pricing across the Big 4, BDO, Grant Thornton, RSM, and the regional national networks.

Audit, mid-market private company. A clean single-entity company with $10M to $50M revenue and standard GAAP complexity pays $50K to $150K for an annual audit. Multi-entity, multi-jurisdiction companies with complex revenue recognition, derivatives, or stock-based compensation pay $150K to $400K. SEC issuers in the $250M to $1B revenue band pay $400K to $1.5M for the audit plus the integrated audit of internal control under SOX 404.

Review, mid-market private company. The same single-entity company pays $15K to $30K for an annual review. Multi-entity or complex companies pay $30K to $50K. Reviews scale less steeply with complexity than audits because the procedures are not expanding to match the underlying complexity; the accountant is still doing inquiry and analytical procedures regardless of the underlying GL structure.

Compilation. A small business compilation runs $3K to $15K annually. The cost driver is GL hygiene rather than business complexity: an immaculate QuickBooks file produces a $3K compilation; a tangled multi-entity QuickBooks file with intercompany messes produces a $15K compilation because the CPA is essentially doing cleanup work as a precondition to the compilation.

Industry premiums apply. Construction (revenue recognition complexity), healthcare (third-party reimbursement and HIPAA), cannabis (Section 280E and banking constraints), and crypto (digital asset accounting under FASB ASU 2023-08) all push fees toward the upper end of each range. Auditors charge a premium for technology-heavy companies because GAAP application is harder.

Common mistakes when choosing

Choosing based on cost without reading the covenant. Compilation costs $5K, review costs $25K, audit costs $100K. The temptation to buy down is obvious. The lender covenant determines what is actually accepted. If the covenant says “audited” and you produce “reviewed,” the bank can call the loan. Read the covenant before scoping.

Assuming reviews can be upgraded to audits. A review can inform an audit but cannot substitute for one. If you completed a review in Year 1 and your lender now requires audit in Year 2, the audit firm will perform the full audit procedures regardless of the prior review work. The prior review reduces familiarization time, not procedure scope.

Picking compilation to save money before an M&A process. Compiled statements are essentially worthless for M&A diligence. Buyers’ QoE providers will rebuild the financial statements from raw GL data regardless of what the compilation shows. Pre-process founders who have never been audited often discover during M&A that the underlying records cannot support the multiples they believed they were getting because there is no assurance trail. The fix is to invest in reviews or audits two to three years before contemplated exit.

Selecting the cheapest firm. Audit fee compression is real, but going with the cheapest firm typically produces an audit that fails the procurement-reader smell test. Lenders, PE owners, and acquirers all weigh the audit firm brand. A Big 4 audit carries weight; a Grant Thornton or RSM audit carries weight. An audit from a small regional firm carries less weight, which can become a procurement-velocity problem in M&A.

Treating the engagement as a one-time event. All three levels are recurring annual engagements. The first year is the expensive one because the auditor is learning the business. Year two and beyond should run 10 to 20 percent cheaper. Companies that switch auditors annually pay the first-year premium repeatedly. Our internal controls testing primer covers the operating-model investment that smooths fees across cycles.

Frequently asked questions

Can I move from compilation to audit in a single year?
Yes, but the first audit will be substantially more expensive than a steady-state audit because the auditor is performing opening balance procedures and learning the business at the same time. Plan for 1.4x to 1.8x of the typical recurring audit fee in year one. Best practice for a company anticipating an audit need within 24 months is to upgrade to a review first as a stepping stone.
Does a review check internal controls?
No. Reviews do not test internal controls. The accountant performs inquiry and analytical procedures only. This is a frequent source of confusion because the reviewed financial statement footnotes look superficially similar to audited footnotes, but the underlying procedures are materially lighter.
Who decides what level my company needs?
The external party with demand power. The lender’s loan covenant. The investor’s side letter. The federal agency’s award terms. The SEC’s reporting rules. Management does not choose; management responds to the requirements of the parties demanding the deliverable. The CFO’s job is to read those requirements before scoping the engagement.
Are reviews and audits performed by CPAs?
Yes for both, with one wrinkle. Audits must be performed by a licensed CPA firm under GAAS or PCAOB standards. Reviews under SSARS 21 must be performed by a licensed CPA. Compilations under SSARS 21 must also be performed by a licensed CPA but with different independence requirements. Bookkeeper-prepared statements without CPA involvement do not qualify as any of the three.
What happens if the financial statements contain errors discovered after issuance?
The accountant has obligations under AU-C 560 (audit) and AR-C 90.69 (review) to respond. The response depends on the materiality and timing. Material errors discovered after issuance typically require either a restatement, a recall of the report, or a communication to known users of the report. Compilations have lighter post-issuance obligations because there was no assurance to begin with.
Do I need an audit for ESOP fairness opinion purposes?
Practically, yes. ESOP trustees (Argent, Greatbanc, Prairie Capital) require audited financial statements as a foundation for the fairness opinion. A review is sometimes accepted for very small ESOPs but is increasingly rare post-DOL scrutiny of trustee process.
Can I switch between levels year to year?
Yes, though it creates noise in the financial reporting trail. Switching from audit to review to compilation looks like a downgrade to lenders and investors and triggers questions about why. Switching upward (compilation to review to audit) is normal as a company grows. Stability is generally preferred by external readers.
Do any of these prevent fraud?
An audit has the highest probability of detecting material misstatement caused by fraud but is not designed as a fraud-detection engagement. SAS 99 / AU-C 240 outlines the auditor’s fraud-related responsibilities; the auditor is required to consider fraud risk but is not engaged to find every fraud. Reviews and compilations have even lower fraud-detection probability. Dedicated fraud detection is a separate engagement (forensic accounting). See our learn library for related coverage.

Bottom line

Audit gives reasonable assurance under GAAS and is required by SEC, large lenders, and PE owners. Review gives limited assurance under SSARS 21 and satisfies most mid-market lender covenants. Compilation gives no assurance and is for small owner-managed businesses and tax-file purposes. Read the covenant first, scope second.

Sources and methodology

AICPA Generally Accepted Auditing Standards (AU-C), PCAOB Auditing Standards (AS 1001 and AS 2201 for SOX 404), AICPA Statements on Standards for Accounting and Review Services (SSARS 21 AR-C 80 and AR-C 90), SEC Regulation S-X for issuer reporting, ERISA Section 103 for employee benefit plan audits, OMB Uniform Guidance for federal-award Single Audit thresholds. Pricing ranges drawn from 2026 active engagement quotes at Big 4 firms, BDO, Grant Thornton, RSM, and regional national networks. Lender covenant observations drawn from 100+ commercial loan packages reviewed across community, regional, and money-center bank loan documents 2024 to 2026. Our own evaluation methodology weights covenant-fit, procurement-reader weight, recurring cost, and assurance-to-cost ratio.