What UK auditors look for in your finance system under ISA 315 — and how the right system shrinks your PBC list, your audit fee, and your annual stress levels.
Your audit fee went up again last year. The PBC list had more items than the year before. Your auditors raised a management letter point about IT controls, or switched to "a primarily substantive approach" and never quite explained what that meant in plain English.
What it meant was this: they didn't trust your system to tell them the truth, so they checked everything by hand instead. And they billed you for every hour of it.
Most audit-readiness articles never have that conversation with you. They give you a checklist of documents to prepare. They tell you to reconcile your bank early. None of them explain the structural reason your audit keeps getting harder, and why the fix isn't a better folder structure. It's a better finance system.
The Shift You Might Not Have Noticed
Your auditors are following a standard you may not have noticed change. ISA 315 (Revised 2019) came into force for accounting periods beginning on or after 15 December 2021, and it expanded what they have to do around your IT environment. Before they can rely on a single balance in your accounts, they now have to identify the IT applications relevant to financial reporting, understand how your data flows through them, and identify the general IT controls (access, change management, data integrity) sitting around those systems.
Your audit's first half looks different now. It used to mean understanding your business, identifying risks, and testing balances. Now it also means understanding your IT environment, assessing whether your controls are sound, and then deciding how much of your data they can rely on.
If your finance system can answer those IT-environment questions, your audit becomes shorter and quieter. If it can't, the audit gets longer and more expensive. Your team isn't slipping. Your system just can't produce what your auditor now has to ask for.
The Six Things Every Auditor Really Wants To See
Walk back from the audit fee and you'll find the same six evidence requests sitting underneath almost every difficult audit. Your auditor needs:
- A complete, immutable audit trail
Not a transaction log. An audit trail that shows every create, every edit, every delete, with the user who made the change, the timestamp, the prior value, and the new value. If they can't see that, they can't distinguish an error from a manipulation from a legitimate correction.
- Demonstrable segregation of duties
Can the same person approve their own invoice? Raise and pay a supplier? Post and approve a journal? If your system doesn't enforce role boundaries, your auditor has to assume the worst and test for it.
- Controlled access and change history
Who has administrator access? Who had it last year? Were there any configuration changes to your chart of accounts, approval limits, or user roles during the period? If you can't produce that without calling your IT support line, your auditor has a problem.
- System-generated reports they can reproduce
Hand your auditor an Excel file pulled from your accounting system and they'll want to know whether the underlying data could have been altered before extraction. A report they can regenerate directly from the system, with drill-through to the underlying journal, is a different proposition entirely.
- Journal entry controls
Journals are the highest-risk area in your general ledger. Your auditor wants to know: does every journal have a description and supporting documentation? Are journals approved before posting? Are there controls around unusual journals: large ones, late ones, ones posted by users who don't normally post journals? The FRC has flagged journals testing as a persistent audit deficiency across multiple inspection cycles.
- Reconciliation evidence
Not the reconciliation itself. The evidence that someone independent checked it. Who prepared the bank rec, who reviewed it, when, and what happened to the variances?
Why Your Finance System Probably Can't Give Them All Six
If you're on Sage 50 or Xero, this isn't a criticism. Both do what they were designed to do; they just weren't designed for audit evidence.
Sage 50 doesn't preserve the prior value of a transaction once it's been edited. If your auditor asks what the invoice amount was before it was amended, you can't tell them from the system. The change happened, but the system has nothing left to show.
Xero has activity logs, but they aren't granular enough for ISA 315. They don't capture prior values, and the access controls are limited. A shared admin login, common in smaller finance teams, makes segregation of duties demonstrably indefensible.
Spreadsheets are the worst of the bunch. Every Excel workbook in your close process is an audit trail break. When your auditor asks "who changed cell D14 in the cost allocation model on 15 March?", the answer is always the same: silence.
Without supporting evidence from the system, your auditor moves to substantive testing. Larger samples. More queries. More time. The FRC's Annual Review of Audit Quality 2025 found that 31% of audits reviewed outside the largest (Tier 1) firms still required significant improvements. That's the climate your auditor is working in: more inspection pressure, more testing, more billed hours.
Your audit fee moves with that pressure. Audit Group's 2026 benchmarks put mid-sized organisations at £15,000–£35,000 for statutory audit, with complex groups at £40,000 and above. When audit work expands, your audit fee follows.
What The FRC Is Finding (And Why It Matters To You)
FRC pressure on audit quality doesn't stay with audit firms. It flows downhill to you. When the FRC inspects how audit firms test general IT controls, the findings are consistent. In the relevant inspection sample referenced in the FRC's 2025 inspection results, all three audits reviewed in that area showed deficiencies, particularly around segregation of duties and privileged user access within key IT systems. Journals testing, GITCs, inventory and provisions remain the most common areas requiring improvement across the profession.
Your auditor doesn't absorb that pressure. They pass it through. More questions about your access controls, your user roles, your change management. More time. More fee. If your system can't answer those questions in seconds, every FRC inspection cycle adds hours to your engagement.
What Audit-Friendly System Design Looks Like
If your finance system makes audit straightforward, it shares a few identifiable properties. None of them are about how the software looks or what your dashboard does. They're about what your system can produce.
A single ledger
Your numbers live in one place. Every transaction traces back to a single source, with no parallel spreadsheet universe and no reconciliation between system and workbook before your trial balance and supporting detail can be shown together.
A permanent, field-level change record
Not a summary log. A field-level record, with timestamps, user IDs, and the values before and after. Every create, edit and delete. That record can't be deleted or rewritten by anyone, including administrators.
Role-based access by design
Access flows from roles, not individuals. Your AP Clerk and Controller roles have different permissions by design, and your system makes it impossible for one person to approve their own work. The role design itself becomes your auditor's evidence of segregation of duties.
Live, reproducible reports
Your auditor can run reports directly from live data and drill through to the underlying journal and supporting document. Live, drillable dashboards and reports are the system, not an export from it. No Excel, no reconciliation to a separate source.
Approval workflows and mandatory evidence at posting
Approval workflows and mandatory documentation are built into the transaction process. Supporting evidence exists at the point of posting, not after the fact. No scramble at year-end to find what was attached to what.
Independent third-party assurance
Ideally, the platform itself comes with an independent third-party opinion on its own controls: a SOC 1 or equivalent attestation. Your auditor doesn't have to start from scratch on the platform. They can rely on assurance work someone else has already done.
How Sage Intacct Handles Each Of The Six
Sage Intacct has an answer to each of the six:
- A complete, immutable audit trail
Sage Intacct's audit trail captures every create, edit and delete on a record, with the user, the timestamp, the prior value, and the new value. Nothing is overwritten or lost. Your auditor doesn't need to ask what an invoice said before it was amended. They can see the original alongside the change.
- Demonstrable segregation of duties
Sage Intacct enforces segregation of duties through roles. AP Clerk, AR Clerk, Controller, Reviewer, each with their own permission set, configured at role level rather than individually. Sage Intacct's own documentation recommends role-based permissions as best practice for almost every organisation. Your auditor doesn't have to interview your staff about who does what. The system design shows them.
- Controlled access and change history
Every login (successful and failed) is recorded with user ID, timestamp, IP address and session duration. Every configuration change to the GL, AP, AR, or user roles is tracked the same way. When your auditor asks who had administrator access last year, or whether anyone amended the AP approval limit in October, the answer is a thirty-second lookup.
- System-generated reports they can reproduce
Sage Intacct is a multi-dimensional GL. Every report runs from the same underlying data your transactions live in. Your auditor opens the trial balance, clicks through to the journal, clicks through to the supporting document. That drill-through is the evidence. No Excel, no reconciliation to a separate source, no "let me find the original file."
- Journal entry controls
Journal controls include mandatory descriptions, mandatory supporting documentation, and approval workflows. Exception reports can be configured to flag journals posted outside business hours, journals above threshold, or journals posted by users without a standard posting role. That's the exact pattern of control the FRC has repeatedly cited as a gap in mid-market audits.
- Reconciliation evidence
Reconciliation evidence is built into the close process. Sage Intacct's Close Automation creates a structured, reviewer-evidenced close record. Your auditor sees the reconciliation, the preparer, the reviewer, the date, and how each variance was resolved, all in the system rather than in a folder of PDFs. That close discipline also compresses the time it takes to reach an audit-ready position each period.
Underpinning all six: Sage Intacct maintains an SSAE 18 SOC 1 Type II opinion, audited twice yearly by an independent third party, and a SOC 2 Type II opinion audited annually. It's the only preferred financial management system endorsed by the AICPA. For your auditor assessing your IT environment under ISA 315, those attestations cut the work they have to do on the platform itself, which means less time billed on your engagement.
What Changes When Audit Becomes A Non-Event
A Grant Thornton survey of UK CFOs found that 68% want technology and automation enhancements to improve their close and reporting process. Most are looking at efficiency. The audit angle is part of the same equation: the controls that produce a fast close are the controls that produce a fast audit. When your auditor can find their own evidence in the system, four things change.
Your PBC list shrinks from 120 items to 40. Questions that used to spawn email threads become drill-throughs your auditor can run themselves. Your management letter gets quieter too, because the control gaps that produced it have been closed at the system level rather than patched at year-end.
The three weeks your controller normally spends pulling audit evidence compresses into a few days of pointing your auditor at the right reports. Their time goes back where it belongs: on analysis, advice, and decisions. Not on reconstructing a paper trail that should have existed in the system all along.
Your audit fee may not fall, but it stops growing in step with your auditor's testing scope. When your ITGCs hold up under FRC pressure, your auditor doesn't have to compensate with more substantive testing. Hours stop expanding. The fee stops drifting upward each year.
For law firms, wealth managers and accountancy practices, the effect compounds. Your engagement-level and matter-level data already lives in the system rather than parallel workbooks, which means project, client and matter-level evidence is available to your auditor in the same drill-through that produces your monthly P&L.
Where This Leaves Your Next Audit
This decision is about your finance system, not your audit. The real question is whether the system is producing the controls, the evidence, and the time savings the rest of your business has been waiting for. Audit is just where the gap shows up most expensively. Once a year, in a fee letter you can't argue with.
If your current setup makes audit feel like a disruption rather than a formality, a conversation with us is a practical starting point. Use the audit evidence your system should already be producing as a lens on whether it's the system your business will need next year.
Book your free Discovery Call
Finance System Audit FAQs
- Does ISA 315 apply to our firm if we're not a publicly listed company or a PIE?
Yes. ISA 315 (Revised 2019) applies to all statutory audits conducted under ISAs, including those of private companies, charities, law firms, wealth managers, and other regulated entities. It was adopted into UK auditing standards for periods beginning on or after 15 December 2021. The IT-environment requirements aren't scaled to company size. Auditors at every tier have to understand and evaluate your IT general controls. In practice, the questions your auditor asks about your systems have become more detailed regardless of your firm's size or structure.
- What's the difference between an audit trail and a transaction log?
A transaction log records what was posted: the journal entries that made it into your ledger. An audit trail records what happened to every record throughout its life, including changes made before or after posting: who edited it, when, what the value was before and what it became. For ISA 315 purposes, the audit trail is what matters. If a transaction was amended three times before it settled, your auditor wants to see each step. A transaction log that only shows the final state isn't sufficient.
- Will Sage Intacct's SOC 1 and SOC 2 reports satisfy our auditor's ITGC requirements?
Sage Intacct's SOC 1 Type II report (SSAE 18, issued twice yearly) covers the controls at the service organisation that are relevant to user entities' internal control over financial reporting. Your auditor can use it as part of their assessment of the IT environment under ISA 315, reducing the testing they need to perform directly on the platform. It doesn't eliminate GITC work entirely. Your own access controls, user role configuration and change management still need to be evidenced. But the SOC report reduces the starting point. Your auditor will be familiar with SOC 1 reports; ask them to request a copy as part of their planning.
- How long does it typically take to move from Sage 50, Sage 200, or Xero to Sage Intacct?
For a regulated services firm with clean data and a clearly scoped implementation, a Sage Intacct go-live typically runs between three and six months from project kick-off. The range depends on your entity complexity, the number of integrations required, and how much data cleansing is needed before migration. Accord's implementations follow a structured approach (discovery, configuration, testing, training, go-live), with preparation phases scoped in detail before any commitment is made. The most common factor that extends timelines is data quality in your source system, not the implementation process itself.
- Can our auditor get read-only access directly into Sage Intacct?
Yes. Sage Intacct supports read-only user roles that can be configured for auditor access. Your auditor can drill through reports, view audit trail records, and verify journal entries directly in the system without any ability to modify data. Many audit teams are familiar with this approach and prefer it, because direct system access is cleaner evidence than exported reports. Access is role-controlled, logged, and revocable. It also removes the back-and-forth of repeated PBC requests for the same underlying data.
- What's the realistic impact on audit fees of moving to Sage Intacct?
It depends on your starting point, but a consistent pattern shows up. The first year post-migration typically sees a reduction in audit hours, because the IT-environment questions that previously required manual investigation can now be answered directly from the system. Subsequent years tend to see fee stabilisation where costs had been creeping upward. The savings aren't from Sage Intacct's pricing; they come from the reduction in substantive testing your auditor has to perform when they can rely on your controls. For a mid-sized firm paying £20,000–£35,000 in audit fees, a meaningful reduction in testing scope can translate to several thousand pounds annually. The more important variable is the management letter: fewer control findings means fewer remediation conversations, and fewer remediation conversations means less time burned for everyone.