Audit readiness should be a continuous state maintained through monthly governance, not a frantic two-to-four-week annual exercise. BDO found that 58% of mid-market companies describe their audit process as stressful or very stressful, while ICAEW reports that 73% of audit quality issues trace to preparation quality — the company’s readiness, not the auditor’s competence. A self-assessment across five dimensions — documentation completeness, reconciliation currency, control evidence, data lineage clarity, and issue resolution speed — makes readiness measurable with a composite score from 5 to 25. Companies that achieve a 5-day month-end close pay up to 40% less in audit fees than those closing in 15+ days, because close speed signals control quality to auditors. A 12-month governance calendar distributes preparation across the year, eliminating the year-end scramble by making audit evidence a by-product of routine monthly governance activities.
For most mid-market companies, audit readiness is a frantic two-to-four-week exercise that begins when the auditor sends the information request list. Files are gathered from multiple locations. Reconciliations are completed retrospectively. Documentation is created after the fact. The result is a stressful, expensive process that consumes the finance team precisely when they should be focusing on year-end reporting and forward planning.
This approach treats audit readiness as an event. It should be a state — a continuous condition maintained through monthly governance activities that produce audit evidence as a by-product, not as a deliverable. This article presents a framework for mid-market companies to achieve that state without enterprise-grade compliance infrastructure.
Why Audit Readiness Matters Beyond the Audit
The immediate cost of poor audit readiness is visible: longer audits, higher fees, management letter points, and stressed finance teams. UK audit fees rose 8–12% in 2024–2025, and BDO reports that 58% of mid-market companies describe their audit process as stressful or very stressful.
But the indirect costs are larger:
- Decision confidence — if the finance team cannot demonstrate how numbers were produced, leadership has no basis for trusting them. Audit trails exist for governance, not just for auditors.
- Control quality — the FRC Audit Quality Review 2025 found recurring issues with preparation quality in the companies being audited, not just with audit firms. Weak controls at the company level propagate into audit findings.
- Financing and transactions — lenders, investors, and acquirers assess governance quality. A clean audit with minimal management letter points signals a well-governed business. A qualified opinion or material adjustments signal risk.
ICAEW research confirms that 73% of audit quality issues trace to preparation quality — the company’s readiness, not the auditor’s competence. Improving audit outcomes starts with the company, not with changing auditors.
Audit Readiness Self-Assessment
To make readiness measurable, we use five dimensions. Each is scored from 1 (ad hoc) to 5 (continuous), giving a composite score from 5 to 25:
| Dimension | Score 1 — Ad Hoc | Score 3 — Periodic | Score 5 — Continuous |
|---|---|---|---|
| Documentation completeness | Policies exist but are outdated; no process documentation | Key processes documented; reviewed annually | All critical processes documented; reviewed quarterly |
| Reconciliation currency | Reconciliations done for year-end only | Monthly reconciliations for key accounts | All balance sheet accounts reconciled monthly with evidence retained |
| Control evidence | Controls exist informally; no evidence trail | Key controls documented; evidence retained for audit | All controls evidenced monthly; exceptions logged and resolved |
| Data lineage clarity | Nobody can trace report numbers to source | Key reports have documented data sources | Full lineage documented from source to report; validated quarterly |
| Issue resolution speed | Audit findings from prior year remain open | Prior-year findings addressed before audit | Issues resolved within 30 days; root cause analysis documented |
Scoring interpretation:
| Score Range | Readiness Level | Typical Audit Experience |
|---|---|---|
| 5–10 | Reactive | Audit is stressful, expensive, and reveals surprises |
| 11–15 | Developing | Audit is manageable but requires significant year-end preparation |
| 16–20 | Established | Audit runs smoothly with minor preparation effort |
| 21–25 | Continuous | Audit is a confirmation exercise, not a discovery process |
Most mid-market companies score 8–12. The goal is to reach 16+ within 12 months through systematic monthly governance.
The Four-Phase Close Process
Audit readiness is not a separate workstream — it is a by-product of a well-governed month-end close. The structured close process has four phases that repeat every month and produce audit evidence as a natural output.
Phase 1: Prepare (Day 1–2)
- Complete all transaction posting for the period
- Import and reconcile bank feeds
- Process payroll and accruals
- Ensure all source data is current and complete
Audit evidence produced: Complete transaction records, bank statements matched to ledger.
Phase 2: Execute (Day 2–3)
- Run month-end journals (depreciation, prepayments, accruals)
- Perform balance sheet reconciliations
- Complete intercompany eliminations (if applicable)
- Validate control totals and cross-checks
Audit evidence produced: Signed reconciliations, journal documentation, control framework evidence.
Phase 3: Review (Day 3–4)
- Analytical review — period-over-period comparison, budget vs actual
- Variance analysis for material movements
- Management commentary on results
- Exception investigation and resolution
Audit evidence produced: Variance explanations, management review evidence, exception documentation.
Phase 4: Confirm (Day 4–5)
- Final review and sign-off by finance lead
- Report distribution to stakeholders
- File all supporting documentation in a structured, accessible location
- Log any open items for next period
Audit evidence produced: Signed management accounts, distribution records, open items register.
When this cycle runs consistently for 12 months, the year-end audit becomes a confirmation of what has already been documented and reviewed — not a discovery of what happened during the year. The Month-End Close Best Practices guide details the operational mechanics.
The 12-Month Governance Calendar
The governance calendar distributes audit preparation activities across the year so that no single month carries a disproportionate burden. It layers annual governance activities on top of the monthly four-phase close process.
| Month | Monthly Activities (Every Month) | Additional Governance Activity |
|---|---|---|
| Jan | Four-phase close process | Annual policy review; update accounting policies |
| Feb | Four-phase close process | Process documentation review (P1 processes) |
| Mar | Four-phase close process | Q1 control self-assessment; address prior audit findings |
| Apr | Four-phase close process | Tax provision review; VAT compliance check |
| May | Four-phase close process | Data ownership review; update RACI matrix |
| Jun | Four-phase close process | Half-year analytical review; interim reconciliations |
| Jul | Four-phase close process | Process documentation review (P2 processes) |
| Aug | Four-phase close process | IT general controls review; system access audit |
| Sep | Four-phase close process | Q3 control self-assessment; pre-audit preparation |
| Oct | Four-phase close process | Auditor liaison; confirm timeline and information requirements |
| Nov | Four-phase close process | Pre-audit file preparation; interim audit fieldwork |
| Dec | Four-phase close process | Year-end procedures; final reconciliations |
The key principle: no activity in the calendar is created solely for the audit. Every activity serves ongoing governance — the audit benefits because governance evidence is naturally retained.
Right-Sizing for the Mid-Market
Enterprise organisations follow SOX (Sarbanes-Oxley) or COSO (Committee of Sponsoring Organizations) frameworks for internal controls . These frameworks are comprehensive, rigorous, and entirely impractical for a company with one to five people in finance.
Mid-market controls need to achieve the same objectives — accurate reporting, asset protection, compliance readiness — with a fraction of the resources. The distinction is not lower quality but different design:
| Dimension | Enterprise (SOX/COSO) | Mid-Market (Right-Sized) |
|---|---|---|
| Control documentation | Formal control matrices, risk registers, testing protocols | Simple control checklist per process; monthly self-assessment |
| Segregation of duties | Strict separation of authorisation, custody, recording | Compensating controls where segregation is impossible |
| Testing | Independent internal audit function | Backup person executes process quarterly using documentation |
| Evidence | Formal sign-off sheets, system logs | Saved files, email confirmations, checklist completion |
| Governance | Audit committee, risk committee | Finance lead monthly review; board quarterly |
The Internal Controls for Mid-Market guide provides detailed control designs for one-person, three-person, and five-person finance teams.
Preventive vs Detective Controls
Controls fall into two categories, and mid-market companies need both:
Preventive Controls
Stop errors before they enter the system:
- Approval workflows — purchase orders above threshold require manager approval
- Authorisation limits — payment limits tiered by role
- Input validation — ERP validation rules that reject incomplete or illogical entries
- Access controls — system permissions that restrict who can post journals, approve payments, or modify master data
Preventive controls are more efficient because they avoid the cost of finding and correcting errors after the fact. But they require system configuration and discipline.
Detective Controls
Identify errors after they have occurred:
- Reconciliations — bank, intercompany, balance sheet
- Variance analysis — period-over-period, budget vs actual
- Analytical review — ratio analysis, trend analysis, reasonableness checks
- Exception reports — automated alerts for unusual transactions
Detective controls are the safety net. They catch what preventive controls miss. In practice, most mid-market companies rely heavily on detective controls because preventive controls require upfront investment in system configuration.
The optimal balance depends on team size and system capability, but the principle holds: invest in preventive controls first, then use detective controls as verification.
Common Pitfalls
The Year-End Scramble
The most common pitfall: doing nothing for 11 months and then attempting to create audit evidence in month 12. This produces low-quality documentation, stressed teams, and audit findings. The governance calendar eliminates this pattern by distributing effort.
Over-Engineering Controls
Designing controls that are more complex than the risk warrants. A £5M company does not need the same approval matrix as a £500M company. Controls should be proportionate to the risk and the team’s capacity to operate them consistently.
Controls Performed but Not Documented
Many mid-market finance teams perform controls informally — they review reconciliations, check variances, and investigate anomalies — but do not retain evidence. From a governance perspective, a control without evidence is a control that does not exist. The fix is simple: save the file, add a comment, tick the checklist.
Confusing Compliance with Governance
Compliance means meeting external requirements (HMRC, Companies House, auditors). Governance means managing data and processes to support decision-making. The audit benefits from governance, but governance exists for the business, not for the auditor.
Frequently Asked Questions
What is audit readiness and why does it matter outside the audit? Audit readiness is the state where all financial reporting processes are documented, controlled, and evidenced — continuously, not just at year-end. It matters beyond the audit because the same evidence that satisfies auditors also gives leadership confidence in the numbers used for decision-making.
How do I run the audit readiness self-assessment? Score each of the five dimensions (documentation completeness, reconciliation currency, control evidence, data lineage clarity, issue resolution speed) from 1 to 5. A score below 15 indicates that audit preparation will be reactive and stressful. Above 20 means the audit is a confirmation exercise.
Can a one-person finance team achieve audit readiness? Yes, but the controls look different. A one-person team cannot segregate duties, so compensating controls — such as board review of bank reconciliations and external accountant review of journals — replace segregation. Documentation becomes even more critical because there is no backup. See Internal Controls for Mid-Market .
How much can good audit readiness reduce audit fees? Deloitte research suggests that companies achieving a 5-day close pay up to 40% less in audit fees than those closing in 15+ days. The mechanism is straightforward: well-prepared clients require less auditor time, and auditors price accordingly. With UK mid-market audit fees at £30,000–£80,000, a 20–40% reduction represents material savings.
What is the relationship between the governance calendar and the month-end close ? The month-end close is the monthly heartbeat of the governance calendar. The four-phase close process produces audit evidence as a by-product of the close. The governance calendar layers annual activities (policy reviews, control assessments, documentation updates) on top of this monthly rhythm.
Related Reading
- Month-End Close Best Practices — the operational mechanics of the structured close process
- Internal Controls for Mid-Market — purpose-designed controls for 1–5 person teams
- Documenting Financial Data Processes — the documentation layer that underpins audit readiness
- Financial Data Governance Framework — the overarching governance structure
- Key Person Risk in Finance — documentation as mitigation for knowledge concentration
- Data Ownership Framework — who is accountable for data that auditors will test
- Financial Data Governance — Why It Is the Foundation of Trustworthy Reporting — the broader case for governance
- Variance Analysis Guide — detective controls through analytical review
Sources
- BDO Mid-Market Report 2025 — 58% of mid-market companies describe audit as stressful or very stressful
- ICAEW — “Audit Quality and Preparation” 2025 — 73% of audit quality issues trace to preparation quality
- FRC Audit Quality Review 2025 — recurring preparation issues in audited companies
- Deloitte — “The Fast Close Advantage” 2025 — companies with 5-day close pay up to 40% less in audit fees
- UK Audit Fee Survey 2024–2025 — mid-market audit fees rose 8–12%
- COSO — Internal Control Framework — enterprise reference framework adapted for mid-market
Martin Duben is the founder of Onetribe, where he helps mid-market finance teams build governance frameworks that make audit readiness a by-product of monthly operations, not an annual crisis. His approach right-sizes enterprise concepts for companies where the finance team is one to five people and the budget for compliance tools is near zero.