
Difference between audit and review: a guide for SA businesses

Executive Summary
- An audit offers reasonable assurance through thorough verification, while a review provides limited assurance through inquiries and analysis. Choosing the wrong engagement risks compliance violations and can lead to costly delays, especially under South African regulations. Proper preparation and understanding stakeholder requirements ensure selecting the appropriate service and avoiding expensive mistakes.
An audit is defined as an independent examination of financial statements that provides reasonable assurance they are free from material misstatement, while a review provides only limited assurance through analytical procedures and management inquiries. The difference between audit and review engagements is not a matter of scale. They are fundamentally different services governed by separate standards: audits follow ISA 200, and reviews follow ISRE 2400. For South African business owners, finance professionals, and entrepreneurs, choosing the wrong engagement type creates real compliance risk with SARS, banks, and regulators. This guide cuts through the confusion so you can make the right call.
What is the difference between audit and review engagements?
An audit delivers reasonable assurance through deep verification, while a review delivers limited assurance through inquiry and analysis only. That single distinction drives every other difference in cost, time, and legal weight between the two.

An audit ends with a positive opinion. The auditor states that the financial statements present fairly, in all material respects, in accordance with the applicable reporting framework. A review ends with a negative conclusion. The reviewer states that nothing came to their attention indicating the financial statements contain material misstatements. These are not interchangeable phrases. Banks, investors, and SARS read them very differently.
A review is not a scaled-down audit. It is a fundamentally different engagement with its own scope, evidence standards, and output. Starting with a review and then deciding you need an audit means starting the entire audit process from scratch, with new scope and new evidence collection. That costs time and money you could have saved by choosing correctly upfront.
South African businesses regulated under the Companies Act must understand which engagement their public interest score triggers. SAICA and SAIPA both recognize the distinction, and SARS compliance requirements often hinge on the assurance level your financial statements carry.
What are the key procedural differences between an audit and a review?
The audit process follows five defined phases: engagement and planning, risk assessment, fieldwork, evaluation, and reporting. Each phase builds on the last, and the fieldwork phase alone involves both substantive testing and control testing. Substantive testing includes vouching transactions back to source documents and tracing records forward to confirm completeness. Control testing examines whether the business’s internal systems actually prevent and detect errors.

A review skips all of that. The reviewer performs analytical procedures, comparing current figures to prior periods and industry benchmarks, and asks management direct questions about anything unusual. No third-party confirmations. No transaction testing. No inspection of physical assets or contracts.
The resource difference is significant. Audits require substantially more time and cost because of the depth of evidence required. A review engagement can often be completed in days. An audit for an SME typically runs 6–12 weeks. That gap reflects the difference in procedures, not just team size.
Both engagements require independence. The practitioner cannot audit or review an entity in which they have a financial interest or close personal relationship. Documentation standards also differ: auditors must retain working papers that support every conclusion, while reviewers document their inquiries and the analytical procedures performed.
Pro Tip: Prepare a Provided By Client (PBC) list before your auditor arrives. A complete PBC list, covering bank statements, VAT returns, fixed asset registers, and debtor schedules, can cut weeks off your audit timeline and reduce audit fees significantly.
The numbered phases of a full audit
- Engagement and planning. The auditor agrees scope, materiality, and timing with management.
- Risk assessment. The auditor identifies where material misstatements are most likely to occur.
- Fieldwork. Substantive and control testing takes place, including third-party confirmations and physical inspections.
- Evaluation. The auditor assesses whether evidence gathered supports the financial statements.
- Reporting. The auditor issues a formal opinion under ISA standards.
How do audits and reviews differ in terms of assurance and reporting?
Reasonable assurance, the level an audit provides, means the auditor has gathered sufficient evidence to conclude with high confidence that the financial statements are free from material misstatement. Limited assurance, the level a review provides, means the practitioner found nothing obvious to suggest a problem. The gap between “high confidence” and “nothing obvious” is wide.
Audit opinions carry legal weight that review reports do not. Banks granting credit facilities, investors conducting due diligence, and regulators assessing compliance all treat an audit opinion as a stronger signal of financial integrity. A review report satisfies some of these stakeholders in lower-risk contexts, but not all.
A common misconception is that a review is “almost as good” as an audit. It is not. Engagement types are distinct, not points on a spectrum. Using a review when an audit is required creates compliance risk and can trigger technical default on credit facilities. Submitting a compilation, which provides no assurance at all, in place of either is even more dangerous and can cause a lender to call in a facility immediately.
The table below summarizes the reporting differences clearly.
| Feature | Audit | Review |
|---|---|---|
| Governing standard | ISA 200 | ISRE 2400 |
| Assurance level | Reasonable (high) | Limited (negative) |
| Report wording | Positive opinion on fair presentation | Nothing came to attention indicating misstatement |
| Transaction testing | Yes, substantive and control testing | No |
| Third-party confirmations | Yes | No |
| Typical use | Statutory, bank covenants, investors | Voluntary, interim, smaller entities |
When should a business choose an audit over a review?
An audit is the correct choice when a stakeholder with authority requires it. That includes statutory requirements under the South African Companies Act for entities above a certain public interest score, bank covenants that specify audited financial statements, and investor agreements that demand reasonable assurance. Choosing a review in these situations is not a cost-saving measure. It is a compliance failure.
A review suits situations where the business needs a credible check on its financials without a statutory obligation for full audit assurance. Common use cases include:
- Interim financial statements for internal decision-making or board reporting
- Voluntary assurance for smaller entities that want credibility without full audit cost
- Situations where a lender or investor accepts limited assurance explicitly in writing
- Pre-sale due diligence where the buyer accepts a review as sufficient for the transaction size
The risk of choosing inadequate assurance is real. A business that submits a review report to a bank requiring an audit report may face technical default on its credit facility. That outcome is far more expensive than the cost difference between the two engagements.
Cost and time are legitimate factors, but they should inform the decision only after confirming what your stakeholders actually require. An audit for an SME costs more and takes 6–12 weeks. A review costs less and completes faster. Neither figure matters if you choose the wrong one.
Pro Tip: Before signing an engagement letter, confirm in writing what assurance level your bank, investor, or regulator requires. An engagement letter commits you to a specific type of engagement. Changing from a review to an audit mid-process means starting over, with full audit fees.
What are the practical steps and typical timelines involved?
Knowing what to expect during each process helps you prepare your team and avoid costly delays. The audit process for a South African SME typically follows this sequence:
- Pre-engagement. Agree on scope, fees, and timing. Prepare your PBC list covering all financial records, VAT returns, SARS correspondence, and supporting schedules.
- Planning and risk assessment. The auditor reviews your business model, identifies risk areas, and sets materiality thresholds.
- Fieldwork. This is the longest phase. Expect 2–4 weeks of active testing for a typical SME, longer for group structures or complex transactions.
- Evaluation and queries. The auditor raises queries on items requiring explanation. Fast, accurate responses from management shorten this phase significantly.
- Reporting. The auditor issues the final opinion. For SMEs, total elapsed time runs 6–12 weeks from engagement start.
A review follows a simpler path. The reviewer requests key financial schedules, performs analytical comparisons, and asks management about variances or unusual items. Review engagements require less documentation and complete faster, often within one to two weeks for a straightforward entity.
The most common cause of audit delays is incomplete or disorganized records. Missing bank reconciliations, unreconciled VAT accounts, and undocumented related-party transactions each add days or weeks to fieldwork. Businesses that maintain accurate financial reporting year-round consistently complete audits faster and at lower cost.
Key takeaways
An audit provides reasonable assurance through verified evidence and a positive opinion, while a review provides limited assurance through inquiry and analysis only. Choosing the wrong engagement type creates compliance risk, not just inconvenience.
| Point | Details |
|---|---|
| Assurance levels differ fundamentally | Audits give reasonable assurance; reviews give limited assurance. They are not interchangeable. |
| Procedures drive the cost gap | Audits include transaction testing and confirmations; reviews rely on inquiry and analysis only. |
| Report wording carries legal weight | A positive audit opinion and a negative review conclusion mean different things to banks and regulators. |
| Engagement type is fixed upfront | Switching from a review to an audit mid-process requires starting the entire audit from scratch. |
| Preparation reduces audit duration | A complete PBC list and organized records can cut SME audit timelines from 12 weeks to 6. |
Why getting this choice right matters more than most business owners realize
The most expensive mistake I see South African SMEs make is not choosing the wrong engagement type on purpose. It is choosing it by default, because someone assumed a review would “probably be fine” without checking what the bank or investor actually required.
I have seen businesses lose credit facilities because their accountant submitted a review report against a covenant that explicitly required an audited Annual Financial Statement. The business owner had no idea there was a difference. By the time the lender flagged it, the facility was already in technical default.
The second mistake is treating the audit as a once-a-year scramble. Businesses that maintain clean, cloud-based accounting records throughout the year spend a fraction of the time in fieldwork compared to those who reconstruct records in the weeks before the auditor arrives. The audit fee reflects that difference directly.
South Africa’s regulatory environment, with SARS, CIPC, and the Companies Act all touching financial reporting, makes the importance of audit and review clarity even higher than in many other jurisdictions. The assurance level on your financial statements is not a technicality. It is a signal to every stakeholder about how seriously you manage financial integrity.
My honest advice: before you sign any engagement letter, ask your bank, your investors, and your legal advisors exactly what they need. Then choose accordingly. The cost difference between an audit and a review is real, but it is always smaller than the cost of getting it wrong.
— Johan
How Readyaccounting supports your audit and review readiness
Clean, accurate financial records are the foundation of any successful audit or review. Readyaccounting builds cloud accounting infrastructure for South African SMEs and VC-backed startups that keeps your books audit-ready year-round, not just in the weeks before fieldwork begins. Automated reconciliations, real-time reporting, and structured data flows mean your auditor or reviewer spends less time chasing records and more time completing the engagement. Learn how automation improves cash flow and financial accuracy for scaling businesses, or explore the accounting tasks worth automating to reduce your audit preparation burden significantly.
FAQ
What is the main difference between an audit and a review?
An audit provides reasonable assurance through substantive and control testing, while a review provides limited assurance through analytical procedures and management inquiries only. The audit issues a positive opinion; the review issues a negative conclusion.
Can a review replace an audit for SARS or bank compliance?
No. A review cannot substitute for an audit where reasonable assurance is required by law, a bank covenant, or an investor agreement. Submitting a review in place of a required audit can trigger technical default or SARS non-compliance.
How long does an audit take for a South African SME?
An SME audit typically takes 6–12 weeks from engagement start to final report. Businesses with complete, organized records and a prepared PBC list consistently complete audits at the shorter end of that range.
What is a PBC list and why does it matter?
A PBC list is a Provided By Client schedule of all documents and records the auditor needs before fieldwork begins. Preparing it in advance reduces delays, lowers audit fees, and shortens the overall engagement timeline.
Is a compilation the same as a review?
No. A compilation provides no assurance at all and does not meet the requirements of any lender, regulator, or investor that specifies an audit or review. Submitting a compilation in place of either can result in immediate facility default or regulatory non-compliance.
Recommended
- Independent review vs audit South Africa: what you need to know | Ready Accounting
- Understanding auditing: a guide for South African SMEs | Ready Accounting
- Grasp the basic principles of auditing for SA SME success | Ready Accounting
- Key Difference Between Accountant and Auditor for SA Businesses | Ready Accounting
