Detect by automated adversarial generation and by human auditing
Your team reports $1.2M in quarterly Revenue, and the Operating Statement looks clean. Then a routine Spot-Check catches $180K booked before the customer actually received the product. Now you're restating numbers, explaining to the CFO why your controls failed, and wondering what else is hiding in your Ledger.
Auditing is systematic detection of errors, misstatements, and fraud in your Financial Statements - using both automated checks that try to break your numbers and human reviewers who catch what machines miss. It's Quality Control applied to money.
Auditing is the practice of independently verifying that your Financial Statements reflect reality. It extends Quality Control from products to money: instead of sampling widgets for defects, you're sampling transactions for errors.
There are two complementary modes:
The combination matters. Automated checks give you coverage at scale. Human reviewers give you depth on the cases machines can't evaluate. Neither alone is sufficient - automated checks miss what they weren't designed to catch, and human reviewers can't cost-effectively touch every transaction.
If you own a P&L, your decisions run on Financial Statements. Bad numbers produce bad Allocation decisions - you invest in the wrong projects, miss a Bottleneck, or report Profit that doesn't exist.
The Error Cost of undetected mistakes compounds in three ways:
Auditing is the Quality Gate between your raw financial data and the decisions you make from it. Without it, you're flying on instruments you haven't calibrated.
You build rules that test your Ledger the way you'd write tests for code:
These automated checks are adversarial by design - they assume the numbers are wrong and try to prove it. Most flags will be false positives. That's fine. The defect rate you're hunting is low, but the Error Cost per miss is high.
Human auditors work from the flags automated checks produce, plus their own judgment:
Every error a human auditor finds should become a new automated check. Over time, your automated coverage grows, and human reviewers spend less time on known patterns and more time hunting novel failure modes. This is Graduated Autonomy applied to financial verification - machines handle what's routine, humans handle what's ambiguous.
Always have automated checks running. The cost is near zero once built, and they catch the simple errors that account for most defect volume.
Scale human auditing to the stakes:
The decision rule: audit intensity should scale with the Error Cost of an undetected mistake, not with the volume of transactions. A single $500K Revenue Recognition error matters more than a thousand $50 expense miscategorizations.
You run a SaaS product with $400K in monthly ARR. Your automated checks include a rule: flag any Revenue Recognition entry where the service period hasn't started yet. In March, the rule flags 12 entries totaling $67K.
The automated check identifies 12 Revenue entries booked in March for contracts with April 1 start dates. Total flagged: $67K.
Human reviewer examines the 12 entries. 9 are legitimate (annual contracts with partial March service). 3 are genuine errors - the sales team booked Revenue at contract signing, not service delivery. Error total: $23K.
Error Cost calculation: $23K overstated March Revenue. If uncaught, this inflates the Operating Statement, distorts monthly Profit by $23K, and makes Q1 look $23K better than reality. At a 10x Revenue multiple for Valuation, that's $230K of phantom Enterprise Value.
Fix: reverse the 3 entries, recognize in April. Add a new automated rule - flag any entry where booking date precedes service start by more than 7 days. Update the failure mode log.
Insight: The automated check cost almost nothing to run but caught a $23K error with $230K in Valuation impact. The human reviewer's job wasn't to find the errors - it was to separate real problems from false positives and identify the root failure mode.
You manage a Cost Center with a $2M annual Budget. Automated checks show no anomalies - every entry maps to a valid Chart of Accounts code, totals match, no duplicates. But during a quarterly human review, the auditor notices something.
The auditor samples 40 expense entries over $5K (about 15% of high-dollar transactions). She traces each to its source document - the invoice, contract, or purchase order.
She finds that 7 of the 40 entries are contractor invoices coded as 'software licenses' instead of 'professional services.' Total: $180K over the quarter. The automated checks didn't flag this because both codes are valid in the Chart of Accounts.
Impact: the Operating Statement shows Fixed vs Variable Costs incorrectly. Software licenses look $180K higher than reality, contractor spend looks $180K lower. Anyone making Cost Structure decisions from this data - like whether to Build, Buy, or Hire - is working from wrong numbers.
Root cause: one person entering invoices was using the wrong code consistently. This is a failure mode - systematic, recurring, and invisible to pattern-based automated checks because it was internally consistent.
Fix: reclassify the $180K. Add an automated cross-check - if a vendor is categorized as a contractor in vendor records, flag any invoice from them coded to non-labor categories.
Insight: Automated checks verify internal consistency. Human auditors verify that the data matches reality. This failure mode was invisible to machines because the error was logically valid - just factually wrong. The Feedback Loop matters: this human finding became a new automated rule.
Auditing combines automated adversarial checks (high coverage, low cost, catches known patterns) with human review (low coverage, high cost, catches novel failure modes). You need both.
Every error a human auditor finds should become an automated check. This is how your Quality Systems compound over time via the Feedback Loop.
Audit intensity should scale with Error Cost of an undetected mistake, not transaction volume. A single large Revenue Recognition error can distort Valuation more than hundreds of small expense mistakes.
Treating auditing as a Compliance Risk checkbox instead of an operational tool. The point isn't to pass an audit - it's to make sure the numbers you use for Allocation decisions are actually correct.
Only auditing at year-end. By the time you find a systematic failure mode 11 months in, you've made 11 months of decisions on bad data. Continuous automated checks plus monthly human Spot-Checks catch problems when the Error Cost of fixing them is still low.
You run a business unit with $3M in annual Revenue across 200 customer contracts. You have zero automated financial checks today. Design your first three automated audit rules. For each rule, specify: what it checks, what data it compares, and what the Error Cost would be if the problem went undetected for a full quarter.
Hint: Think about the highest-dollar failure modes in Revenue Recognition, expense classification, and Balance Sheet accuracy. Prioritize by Error Cost, not by how easy the check is to build.
Rule 1: Revenue timing check - flag any Revenue Recognition entry where the booking date is more than 7 days before the contract service start date. Compares Ledger dates to contract records. Undetected Error Cost: if 5% of $750K quarterly Revenue is early ($37.5K), that's a $37.5K overstatement - and at a 10x Valuation multiple, $375K in phantom value. Rule 2: Duplicate detection - flag any two entries with the same vendor, same amount, and same date within a 5-day window. Compares Ledger entries to each other. Undetected Error Cost: average duplicate might be $5K, with maybe 2 per quarter - $10K in overstated expenses, which understates Profit by $10K. Rule 3: Budget Variance alert - flag any Financial Statement Line Item that exceeds its Budget by more than 20% or deviates more than 2 Standard Deviations from its 6-month trailing average. Compares actuals to Budget and historical trend. Undetected Error Cost: a $50K overspend caught at quarter-end instead of month one means 2 extra months of Cash Flow drain and lost opportunity cost of the capital.
Your automated checks flag 45 transactions this month. You have 8 hours of human auditor time available. How do you prioritize which flags to review? Define your decision rule.
Hint: Think about Expected Value. Each flag has a probability of being a real error and a potential Error Cost if real. You want to maximize total errors caught per hour of review time.
Sort the 45 flags by Expected Value = P(real error) x Error Cost. Estimate P(real error) from historical data - if your Revenue timing check has a 25% true-positive rate and average error is $15K, each flag from that rule has EV of $3,750. If your duplicate check has a 60% true-positive rate but average error is $2K, each flag has EV of $1,200. Review the highest-EV flags first. At roughly 10-15 minutes per review, 8 hours covers about 32-48 flags - so you might cover them all. But if you can't, the decision rule is: stop when the next flag's Expected Value drops below the cost of the reviewer's time per review. If reviewer time costs $150/hr and a review takes 15 minutes ($37.50), any flag with EV above $37.50 is worth examining. Log the unreviewed flags and use the pattern data to refine your automated rules so fewer false positives reach human review next month.
Auditing is what happens when you apply Quality Control to financial data instead of products. Quality Control taught you that sampling plus Variance reduction lets you monitor defect rate without inspecting everything - auditing uses the same logic on your Ledger. You sample transactions, measure error rates, and use statistical thresholds to decide when to dig deeper. The failure mode concept is equally critical: effective auditors don't just check random entries. They build a catalog of known failure modes - early Revenue Recognition, expense misclassification, duplicate payments - and design both automated and human checks specifically to detect them. Downstream, auditing feeds into Quality Gates and Exception Review: when an audit catches something, the Exception Review process determines whether it's a one-off or a systemic problem, and Quality Gates prevent bad data from reaching the decisions that depend on it. In high-stakes contexts like M&A due diligence, auditing isn't optional - it's the mechanism that separates real EBITDA from fantasy.
Disclaimer: This content is for educational and informational purposes only and does not constitute financial, investment, tax, or legal advice. It is not a recommendation to buy, sell, or hold any security or financial product. You should consult a qualified financial advisor, tax professional, or attorney before making financial decisions. Past performance is not indicative of future results. The author is not a registered investment advisor, broker-dealer, or financial planner.