When a lender, investor, or regulator asks for a financial statement, they’re asking for one of three distinct things: a compilation, a review, or an audit. 

Each one involves a different scope of work, a different level of CPA involvement, and a different level of assurance for whoever receives the report.

Understanding the differences matters both for knowing what to produce and how to be prepared. This article walks through how each engagement works, when each is required, and what finance teams need to do before the CPA shows up.

Audit vs. Review vs. Compilation: A Side-by-Side Comparison

As a quick reference before diving into the details, here’s how the three engagements compare across the dimensions that matter most:

Comparison table: Compilation vs. Review vs. Audit across nine dimensions: assurance level, CPA independence, analytical procedures, internal controls evaluation, source document testing, footnotes, governing standard, relative cost, and relative timeline.

What Is a Compilation?

A compilation is the most basic of the three engagements. A CPA takes financial data provided by management and assembles it into financial statements formatted to conform to an applicable reporting framework, typically GAAP. The CPA doesn’t verify the underlying numbers, test transactions, or perform any analytical procedures.

The output is formatted financial statements, not an assurance. Because the CPA isn’t expressing an opinion or drawing conclusions about accuracy, independence isn’t required, though if the CPA isn’t independent, that must be disclosed in the compilation report.

Footnotes are optional in a compilation, unlike the other two engagement types. The CPA flags obvious inconsistencies in the data but won’t examine source documents or evaluate controls.

The AICPA‘s Accounting and Review Services Committee (ARSC) governs compilations through the Statements on Standards for Accounting and Review Services (SSARS), specifically AR-C Section 80. SSARS apply to engagements involving unaudited financial statements of nonpublic entities.

What Is a Review?

A review sits in the middle of the assurance spectrum. It provides limited assurance – the CPA reports whether they’re aware of any material modifications needed to bring the financial statements into conformity with the applicable framework. That’s a meaningful step up from a compilation, but it’s also a different conclusion than the positive opinion an audit delivers.

To reach that conclusion, the CPA performs analytical procedures and asks management targeted questions covering areas like revenue recognition, significant estimates, related-party transactions, and changes from prior periods. Typical procedures include ratio analysis and comparisons to prior-period results. 

What the CPA doesn’t do is test source documents, evaluate internal controls, or obtain third-party confirmations.

CPA independence is required for a review. Footnotes are also required, giving the financial statements more context and disclosure than a compilation provides.

SSARS governs reviews as well, under AR-C Section 90.

What Is an Audit?

An audit is the highest level of assurance available. The CPA issues a formal opinion on whether the financial statements are, in all material respects, free from material misstatement, whether due to error or fraud. That opinion represents reasonable assurance, which is a high standard, but not an absolute guarantee of accuracy.

Reaching that opinion requires substantially more work than a review. Auditors test internal controls, sample transactions, examine source documents, obtain third-party confirmations (such as bank confirmations and accounts receivable aging schedules), and formally assess fraud risk. 

CPA independence is required in the case of an audit. The audit report follows a standardized format and covers both the financial statements and, in some cases, related disclosures and supplementary information.

The AICPA’s Auditing Standards Board governs private company audits through Generally Accepted Auditing Standards (GAAS). Public companies registered with the SEC follow Public Company Accounting Oversight Board (PCAOB) standards instead. Companies subject to the Sarbanes-Oxley Act (SOX) also face requirements around internal controls over financial reporting, which are integrated into the audit.

When Is Each Engagement Required?

Engagement requirements come from a mix of sources: lender covenants, regulatory rules, state law, investor agreements, and federal funding conditions. The same organization can face different requirements across different relationships or funding streams. Here’s how each engagement type typically comes into play.

When a compilation is typically sufficient

Compilations work well when no external party requires verified or assured financial statements:

  • Early-stage businesses that need organized reporting for internal management use
  • Smaller financing requests where lenders accept unaudited financial statements
  • Organizations that need professionally formatted financials without external scrutiny
  • Tax preparation support

The compilation’s main value is structure and consistency, not assurance. It’s a reasonable starting point for organizations building out their financial reporting practices.

When a review is typically required

A review becomes the standard when an outside party needs some level of CPA involvement but a full audit isn’t mandated:

  • Mid-market lender requirements, which vary depending on credit facility size and lender preference
  • Certain grant applications where funders require more than management-prepared statements
  • Nonprofit charitable registration requirements in some states, for example, in Maryland, organizations with $300,000 to $750,000 in gross charitable contributions must provide an independent financial statement audit or review.
  • Private equity or investor requests at early growth stages, where a full audit would be premature
  • Board-level governance decisions when an audit isn’t mandated but the board wants independent scrutiny

When an audit is typically required

A number of specific circumstances require an audit, and the consequences of missing a requirement can be significant:

  • Publicly traded companies: All SEC-filing companies must have their financial statements audited under PCAOB standards. Companies subject to SOX also face requirements around internal controls over financial reporting
  • Federal funding recipients: Organizations that expend $1 million or more in federal awards during a fiscal year must undergo a Single Audit under the Uniform Guidance (2 CFR Part 200)
  • Nonprofit charitable registration thresholds: Requirements vary by state. In Maryland, organizations with $750,000 or more in gross charitable contributions must have audited financial statements for charitable registration purposes. In Virginia, organizations with $1.5 million or more in gross annual revenue may need to provide an audit rather than a review to maintain their sales tax exemption. Organizations operating across multiple states should verify their requirements individually.
  • Complex financing: Transactions involving outside investors, business sales, or merger and acquisition due diligence typically require audited financial statements
  • Regulated industries: Financial services, healthcare, and government contracting often carry audit obligations tied to specific regulatory frameworks
  • Lender or bonding requirements: Larger credit facilities and bonding requirements frequently specify audited financials above defined thresholds.
  • PCAOB-registered companies under SOX: These companies require both a financial statement audit and an assessment of internal controls over financial reporting

Regulatory thresholds and state-specific requirements change. Teams should confirm their current obligations with legal and accounting advisors before the engagement cycle begins.

What Each Engagement Demands from Finance Teams

The engagement type sets the bar for how prepared finance teams need to be before the work begins. The gap between a smooth engagement and a disruptive one usually comes down to preparation.

Preparing for a compilation

Preparation for a compilation is relatively straightforward. Your team needs to:

  • Provide clean, organized general ledger data and a complete trial balance
  • Align account classifications with the applicable reporting framework
  • Resolve any obvious inconsistencies in the data before handing it over

Because the CPA won’t verify transactions or trace entries to source documents, the accuracy of the final statements depends directly on what you provide.

Preparing for a review

A review requires more preparation than a compilation, but less than a full audit. In addition to everything a compilation requires:

  • Be ready to answer management inquiry questions about revenue recognition, significant estimates, and related-party transactions
  • Organize prior-period comparatives so the CPA has a clean baseline for analytical procedures
  • Reconcile material accounts before the engagement begins. Unexplained variances will require responses during the review, and unresolved ones slow the process

The CPA performing a review is looking for anything that doesn’t add up or can’t be explained. Getting ahead of those questions reduces back-and-forth and keeps the engagement on schedule.

Preparing for an audit

An audit requires the most comprehensive preparation, and the quality of that preparation directly affects how long fieldwork takes and how disruptive it is to the team. Auditors typically need:

  • Complete supporting documentation for all material transactions and account balances
  • An evidence file for key estimates and judgments, including lease calculations, revenue recognition, and accruals
  • Prior-year workpapers and any open items from the previous audit cycle
  • Internal control documentation covering who approves what, segregation of duties, and period-end close checklists
  • Bank confirmations, accounts receivable aging schedules, and fixed asset records ready before fieldwork begins

Teams that arrive at an audit with gaps in their documentation often spend the first week of fieldwork scrambling to fill them in. 

Whatever the Engagement, the Work Starts Before the CPA Arrives

There’s a pattern that holds across all three: the finance teams that move through engagements most efficiently are the ones that don’t treat readiness as a one-time event.

The engagement type sets the bar for how organized, documented, and traceable your accounting operations need to be throughout the year. Teams that maintain clean, well-documented workflows go into any engagement (compilation, review, or audit) with a real advantage. They produce cleaner handoffs, answer CPA inquiries faster, and spend less time on rework.

That foundation doesn’t come from a last-minute sprint before fieldwork begins. It comes from accounting operations that are structured, evidence-backed, and defensible from the first transaction of the year.

Trullion helps accounting and finance teams build and maintain that foundation year-round. By connecting source documents to validated, traceable data across workflows like lease accounting, revenue assurance, and financial close, Trullion keeps teams audit-ready as a matter of course, not just when a deadline is approaching. See how it works.

Author

Katie Cavanaugh