Under the Companies Act 71 of 2008, companies above certain Public Interest Score thresholds are legally required to have their financial statements audited by a registered auditor. Public companies, state-owned companies, and private companies with a Public Interest Score of 350 or more must be audited. Private companies with a score between 100 and 349 must at minimum undergo an independent review.
Many South African business owners treat the annual audit as a compliance exercise: something required by law, managed by the finance department, and filed away once the signed opinion is issued. This approach leaves significant value on the table.
The audit process generates far more than a signed opinion on financial statements. It produces a structured, evidence-based examination of how a business records transactions, manages assets, controls risk, and reports to stakeholders. In 2026, as operating costs rise, governance requirements tighten, and stakeholders demand greater transparency, the question is not simply whether a business has been audited, but whether it is using what the audit reveals.
JZA also assists clients with broader audit and assurance requirements.
How the Audit Process Generates Operational Intelligence
Registered auditors in South Africa conduct audits in accordance with the International Standards on Auditing (ISAs), as adopted by the Independent Regulatory Board for Auditors (IRBA) under the Auditing Profession Act 26 of 2005. The ISAs require auditors to:
- Understand the entity’s business and its environment, including its industry, regulatory context, and internal control structure.
- Identify and assess risks of material misstatement, whether due to error or fraud.
- Design and perform audit procedures responsive to those risks.
- Evaluate the appropriateness of management’s accounting estimates and judgments.
- Communicate significant findings to management and those charged with governance.
Each of these steps requires the auditor to develop a deep understanding of how the business operates. The risk assessment phase alone involves mapping key processes, identifying where errors or irregularities could occur, and evaluating whether existing controls are designed and operating effectively. This information, the auditor’s documented understanding of the business, is precisely the kind of structured analysis that management rarely has the bandwidth to perform independently.
Internal Control Findings as a Management Tool
One of the most directly actionable outputs of an audit is the management letter, or letter of reportable matters, in which the auditor communicates internal control deficiencies to management. These findings are the product of systematic testing of whether controls are working as intended.
Common internal control findings in South African businesses include:
- Inadequate segregation of duties, particularly in smaller entities where one person performs incompatible functions such as authorising and recording transactions.
- Weaknesses in accounts receivable or creditor management processes, such as insufficient credit vetting or delayed reconciliations.
- Gaps in stock management controls, including inaccurate perpetual inventory records or infrequent physical counts.
- Payroll processing errors or the absence of formal approval procedures for salary changes.
- Insufficient controls over cash handling or bank reconciliation preparation.
When management responds to these findings constructively, they reduce the risk of fraud, improve the reliability of financial information, and lay the groundwork for more efficient operations. The audit finding is, in effect, a free diagnostic.
Fraud Risk Assessment and Financial Resilience
The IRBA has adopted ISA 240 (Revised 2025), which strengthens auditor responsibilities in relation to fraud. Effective for audits beginning on or after 15 December 2026, the revised standard introduces fraud-focused risk assessment procedures, enhanced documentation requirements, stronger communication with governance structures, and clearer guidance on the auditor’s response when fraud is suspected.
The revised standard also aligns with ISA 570 (Revised 2024) on going concern, recognising that fraud risk and financial distress are often interrelated. For South African businesses operating in a complex economic environment, this alignment means that audit processes will increasingly examine whether a business can continue as a going concern and whether financial pressures create conditions conducive to fraud.
For management, this is operationally significant. A going concern finding, or even an auditor’s formal enquiries about going concern indicators, is a clear signal that the business requires a financial health review. Companies that respond proactively, by addressing liquidity concerns, renegotiating debt, or restructuring operations, are better positioned than those that receive the finding and take no action.
Turning Audit Findings into Strategic Action
Converting audit insight into operational advantage requires a structured response. Businesses that derive the most value from the audit process typically adopt the following approach:
1. Treat the management letter as an action document
Each finding should be assigned an owner, a remediation plan, and a deadline. Management should track progress against the prior year’s findings to assess whether weaknesses have been resolved.
2. Use the risk assessment as a process map
The auditor’s documented understanding of key business processes, developed during the planning phase, provides management with a structured view of where risk concentrates. This can inform decisions about where to invest in systems, people, or controls.
3. Engage with the auditor beyond the compliance cycle
Registered auditors are required to remain independent, but this does not preclude a professional relationship between the audit firm and its client. Firms such as JZA regularly assist clients in understanding the practical implications of audit findings and in identifying where operational changes would have the greatest impact. The auditor’s knowledge of the business, accumulated over multiple engagement cycles, is a resource that management should draw on actively.
4. Use audit data to prepare for stakeholder scrutiny
Lenders, investors, and large procurement clients increasingly request audited financial statements as a prerequisite for doing business. A clean audit opinion, supported by robust internal controls and a well-documented remediation record, strengthens a business’s position in these interactions.
Practical Implications for South African Businesses in 2026
Several developments make the strategic use of audit insight particularly important for South African businesses this year:
- Regulatory scrutiny is increasing. The IRBA’s 2025 Audit Quality Indicators Survey, published in March 2026, highlighted the importance of independence, adequate resourcing, and robust review practices in shaping audit quality. Businesses subject to audit should ensure they are working with registered auditors who meet the IRBA’s quality standards.
- Economic pressure intensifies the need for sound financial management. In an environment of sustained cost pressure and constrained credit, businesses that have implemented strong internal controls, informed by audit findings, are better placed to manage cash flow and demonstrate creditworthiness.
- Governance requirements are evolving. The revised IRBA Code of Ethics and updated auditing standards mean that the audit process in South Africa is becoming more rigorous, particularly around fraud, going concern, and the use of technology. Businesses should expect more probing questions from auditors and prepare to engage substantively.
- B-BBEE compliance requires reliable financial data. B-BBEE verification depends on accurate financial records. Businesses with strong internal controls, a direct outcome of acting on audit findings, are less likely to encounter discrepancies during B-BBEE audits.
- Access to finance depends on financial credibility. Commercial banks and development finance institutions in South Africa assess creditworthiness partly on the basis of audited financial statements. A qualified audit opinion, or a history of unresolved control weaknesses, may adversely affect a business’s borrowing capacity.
Conclusion
Many South African companies have no choice but to undergo an audit. What they do with the results, however, is a choice. Companies that treat audit findings as operational intelligence, acting on control deficiencies, addressing risk concentrations, and engaging constructively with their auditors, convert a compliance obligation into a genuine competitive advantage.
In 2026, as governance standards rise and economic conditions demand greater financial discipline, the gap between businesses that use audit insight and those that file it away is likely to widen. The advantage belongs to those who read the findings carefully and act.
Turn your audit process into a stronger, more informed business strategy. Contact JZA
Frequently Asked Questions
1. Does my South African company need to be audited?
Under the Companies Act 71 of 2008, your company must be audited if it is a public company, state-owned company, or a private company with a Public Interest Score (PIS) of 350 or more. Private companies with a PIS between 100 and 349 must undergo an independent review unless their financial statements are internally compiled, in which case an audit is required. Your PIS is calculated annually based on the number of employees, annual turnover, third-party liabilities, and number of beneficial shareholders.
2. What is the difference between an audit and an independent review?
An audit provides reasonable assurance that financial statements are free from material misstatement and is conducted in accordance with the International Standards on Auditing (ISAs) by a registered auditor. An independent review provides limited assurance and is conducted in accordance with the International Standard on Review Engagements (ISRE) 2400. An audit involves more extensive evidence-gathering and testing of internal controls than an independent review.
3. What does an auditor include in the management letter?
The management letter, also referred to as the letter of reportable matters or report to those charged with governance, communicates significant findings identified during the audit that fall short of causing a qualified opinion but are nonetheless important for management to address. These typically include internal control deficiencies, accounting irregularities, compliance observations, and recommendations for improving financial processes.
4. What is a going concern finding, and what should I do about it?
A going concern finding arises when the auditor has identified conditions or events that cast significant doubt on a company’s ability to continue operating for at least twelve months from the date of the financial statements. This may be disclosed in the audit report or raised with management during the engagement. If your auditor raises a going concern as a matter of concern, it is important to engage immediately with your accountant or audit firm. Practical responses may include securing additional financing, renegotiating payment terms with creditors, reducing operating costs, or restructuring the business.
5. Can a business use its audit findings to improve day-to-day operations?
Yes. Audit findings, particularly those contained in the management letter, provide direct, evidence-based observations on where a business’s processes and controls are functioning below standard. Businesses that assign responsibility for each finding, implement corrective measures, and track resolution from one audit cycle to the next are able to systematically strengthen their financial controls and operational reliability.
While every reasonable effort is taken to ensure the accuracy and soundness of the contents of this publication, neither writers of articles nor the publisher will bear any responsibility for the consequences of any actions based on information or recommendations contained herein. Our material is for informational purposes.