Free Word download • Edit online • Save & share with Drive • Export to PDF
An Audit Contract — also referred to as an audit engagement letter — is a legally binding agreement between a company and an external auditor that governs the terms under which a financial-statement audit will be conducted. It defines the scope of services, the applicable auditing standards (GAAS, PCAOB, or ISA depending on jurisdiction), the auditor's independence obligations, management's responsibilities for the financial statements, the fee structure, the deliverables the auditor will issue, and the timeline for completing the engagement. Professional auditing standards in every major jurisdiction require this agreement to be in writing and signed before any audit procedures begin.
Without a signed audit contract, both the auditor and the client are exposed on multiple fronts. The auditor has no contractual basis to collect fees, limit liability, or enforce scope boundaries if the engagement is cancelled or disputed mid-way through fieldwork. The client has no documented commitments on deliverable dates, report format, or the specific standards the auditor will apply — leaving them unable to satisfy a lender, regulator, or investor who requires a compliant audit opinion. Disputes over what the audit did and did not cover — fraud detection, internal-control recommendations, tax advice — are among the most common sources of professional liability claims against auditors, and virtually all of them stem from an incomplete or missing engagement agreement. This template gives both parties a clear, enforceable framework that meets GAAS and ISA requirements, protects the auditor's liability exposure, and gives management the certainty they need to plan a filing or financing timeline around the audit.
| If your situation is… | Use this template |
|---|---|
| Annual statutory audit for a private company or corporation | Audit Contract |
| Internal audit engagement with an in-house or co-sourced team | Internal Audit Engagement Letter |
| Agreed-upon procedures engagement with limited scope | Agreed-Upon Procedures Engagement Letter |
| Review engagement rather than a full audit | Financial Statement Review Engagement Letter |
| Audit of a nonprofit required by a government grant | Single Audit Engagement Letter |
| Tax compliance and advisory services alongside audit | Accounting Services Agreement |
| Forensic accounting or fraud investigation | Forensic Accounting Engagement Letter |
Why it matters: Commencing planning or requesting records before execution leaves the auditor with no contractual basis to collect fees or limit liability if the engagement is cancelled or disputed.
Fix: Treat the signed engagement letter as a hard prerequisite. Circulate the contract for signature at least five business days before the planned start of planning procedures.
Why it matters: First-year audits, restated financials, or disorganized client records routinely double the hours budgeted. Without a written mechanism to bill additional work, the auditor absorbs the overrun.
Fix: Add a clause stating that work outside the agreed scope will be billed at a named hourly rate, with a change order required before additional work begins.
Why it matters: Regulators, lenders, and listing exchanges often require a specific named standard. A report issued under vaguely described standards may not satisfy a statutory or contractual filing requirement.
Fix: Name the standard in full — 'Generally Accepted Auditing Standards as established by the AICPA' — and confirm the required standard with any third-party relying on the report before finalizing the contract.
Why it matters: Without a liability cap, an auditor faces potentially unlimited exposure to consequential damages — lost financing, regulatory penalties, or investor losses — that bear no relationship to the audit fee received.
Fix: Cap total liability at the fees paid for the specific engagement and explicitly exclude consequential, indirect, and punitive damages. Review local law — some jurisdictions restrict liability caps for auditors by statute.
Why it matters: If the contract does not clearly state that management is responsible for the financial statements and for providing complete records, the auditor may be held partly responsible for misstatements that arose from incomplete information.
Fix: Use the exact management-responsibility language required by the applicable auditing standards (GAAS AU-C 210 or ISA 210) and require management to countersign the responsibility acknowledgment.
Why it matters: When clients deliver trial balances or supporting schedules weeks late, the report deadline still passes — exposing the auditor to breach-of-contract claims and the client to regulatory late-filing penalties.
Fix: Include a clause that automatically extends the report delivery date by one business day for each business day that required client materials arrive after the agreed delivery date.
In plain language: Identifies the audit firm and the client as legal entities, names the engagement, and references the fiscal period to be audited.
This Audit Engagement Agreement is entered into as of [DATE] between [AUDIT FIRM LEGAL NAME] ('Auditor') and [CLIENT LEGAL NAME], a [STATE/COUNTRY] [ENTITY TYPE] ('Client'), for the audit of Client's financial statements for the fiscal year ending [DATE].
Common mistake: Using a trade name instead of the registered legal entity for either party. If the contracting entity differs from the billing or reporting entity, enforcing fee obligations or limiting liability becomes legally complex.
In plain language: Defines precisely what the auditor will and will not do — which financial statements are covered, which reporting framework applies (GAAP, IFRS), and any explicit exclusions such as tax returns or internal control advisory.
The Auditor shall audit the balance sheet, income statement, statement of cash flows, and notes to the financial statements of Client as of and for the year ending [DATE], prepared in accordance with [US GAAP / IFRS]. This engagement does not include preparation of tax returns or review of internal controls beyond those required by auditing standards.
Common mistake: Omitting an explicit list of what is excluded from scope. Without exclusions, clients routinely expect tax advice, fraud detection, or internal-control recommendations that a standard audit does not provide.
In plain language: States the specific standards framework — GAAS, PCAOB, ISA, or a national equivalent — that governs how the audit is conducted and the basis for the auditor's opinion.
The audit will be conducted in accordance with [Generally Accepted Auditing Standards (GAAS) as established by the AICPA / International Standards on Auditing (ISA) as issued by the IAASB]. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement.
Common mistake: Referencing standards generically as 'applicable auditing standards' without specifying the framework. Regulatory bodies and lenders often require a named standard; a vague reference can invalidate the audit opinion for compliance purposes.
In plain language: Confirms the auditor's independence from the client under the applicable professional code, discloses any known threats to independence, and sets out the client's obligation to notify the auditor of changes that could impair independence.
The Auditor confirms independence from Client within the meaning of [AICPA Code of Professional Conduct / IESBA Code of Ethics] as of the date of this Agreement. Client shall promptly notify Auditor of any transaction, relationship, or event that may reasonably affect Auditor's independence, including [acquisition, issuance of securities, related-party transactions].
Common mistake: Omitting the client's ongoing disclosure obligation. Independence threats frequently arise mid-engagement — without a contractual duty to disclose, the auditor may not learn of a threat until after fieldwork is complete.
In plain language: Sets out what management must do to enable the audit — preparing financial statements, maintaining internal controls, providing access to records and personnel, and signing a management representation letter.
Management is responsible for the preparation and fair presentation of the financial statements in accordance with [GAAP / IFRS], for maintaining internal controls sufficient to enable such preparation, and for providing the Auditor with unrestricted access to all records, personnel, and information relevant to the audit. Management shall execute a representation letter in the form required by auditing standards prior to issuance of the audit report.
Common mistake: Vague language like 'cooperate fully with the audit.' Courts and professional standards bodies have held that unclear management-responsibility clauses shift blame to the auditor when records are incomplete or access is denied.
In plain language: States the fixed fee or hourly rates, the billing schedule (e.g., 30% on signing, 40% at fieldwork, 30% on report delivery), reimbursable expenses, and the late-payment interest rate.
Client shall pay Auditor a fixed fee of $[AMOUNT] for the services described in this Agreement, payable as follows: $[X] upon execution, $[X] upon commencement of fieldwork, and $[X] upon delivery of the audit report. Out-of-pocket expenses shall be reimbursed at cost. Balances unpaid after [30] days bear interest at [1.5]% per month.
Common mistake: Agreeing to a fixed fee without a scope-change clause. If the client's records are disorganized or additional entities must be consolidated, the auditor absorbs the overrun with no contractual basis to request additional compensation.
In plain language: Specifies what the auditor will deliver — the audit report, management letter, and any required communications to those charged with governance — and the format and addressees of each.
Auditor shall deliver: (a) an independent auditor's report addressed to [Board of Directors / Shareholders] expressing an opinion on the financial statements; (b) a written communication to those charged with governance of any significant deficiencies or material weaknesses identified; and (c) a management letter summarizing recommendations, if applicable. Reports will be delivered in [PDF / hard copy] within [X] business days of completion of fieldwork.
Common mistake: Omitting the governance communication deliverable. Professional standards require auditors to communicate significant deficiencies and material weaknesses in writing — failing to specify this in the contract leaves the client uncertain about what they will receive.
In plain language: Sets the start date for planning, the fieldwork window, and the target date for report issuance — and allocates responsibility for delays caused by late client deliverables.
Planning begins [DATE]. Fieldwork is scheduled for [START DATE] through [END DATE]. Client shall provide a trial balance and supporting schedules by [DATE]. Final audit report shall be issued no later than [DATE], subject to timely receipt of all requested information. Delays caused by late client deliverables shall extend the report delivery date by a corresponding number of business days.
Common mistake: No consequence for late client deliverables. Without a timeline-extension clause, auditors face fee disputes and client complaints when late records push the report past a regulatory or lender deadline.
In plain language: Caps the auditor's total liability to the client at a defined amount — typically the fee paid — and excludes consequential, indirect, and punitive damages.
Auditor's total aggregate liability to Client arising out of or related to this Agreement, whether in contract, tort, or otherwise, shall not exceed the fees paid by Client to Auditor for the engagement giving rise to the claim. In no event shall Auditor be liable for consequential, indirect, incidental, special, or punitive damages.
Common mistake: No limitation of liability clause at all, or a cap set at total audit fees paid to date rather than fees for the specific engagement. Audit firms have faced seven-figure claims on engagements billed at five figures — an uncapped liability is commercially unacceptable.
In plain language: Specifies the jurisdiction whose law governs the contract, the mechanism for resolving disputes (arbitration or litigation), and the conditions under which either party may terminate the engagement.
This Agreement is governed by the laws of [STATE / PROVINCE / COUNTRY]. Any dispute shall be resolved by binding arbitration in [CITY] under the rules of [AAA / JAMS / applicable body], except claims for injunctive relief. Either party may terminate this Agreement upon [30] days' written notice; Client shall pay fees for work performed through the termination date.
Common mistake: Choosing a governing law with no connection to where the audit is performed or either party is located. Some jurisdictions impose mandatory provisions on audit engagements — a mismatched governing-law clause can create unenforceable terms.
Enter the audit firm's registered legal name and the client's full corporate or entity name. Confirm both against official registry documents before execution.
💡 For group audits, specify which legal entity is the contracting party and list subsidiaries to be included in scope in a separate schedule.
Specify which financial statements are covered (balance sheet, income statement, cash flow statement, notes), the applicable framework (US GAAP or IFRS), and the fiscal year-end date. List explicit exclusions such as tax preparation or internal-control advisory.
💡 If the engagement includes comparative period financials, state the prior year's scope explicitly to avoid disputes about reperforming prior-year procedures.
Choose GAAS (AICPA) for US non-public company audits, PCAOB standards for SEC registrants, or ISA for international engagements. State the standard by full name and issuing body — never refer to them generically.
💡 If the client's lender or regulator has specified a required standard, obtain that requirement in writing before finalizing this clause.
State the independence framework (AICPA Code or IESBA Code), confirm independence as of the contract date, and add a clause requiring the client to notify the auditor of any transaction or relationship that could impair independence during the engagement.
💡 Independence threats most commonly arise from loans, business relationships with firm personnel, and client acquisitions — tailor the disclosure examples to the client's specific situation.
Enter the fixed fee or hourly rate schedule, the three-tranche billing schedule (signing, fieldwork, delivery), and the reimbursable-expense policy. Add a scope-change clause specifying the billing rate for additional work outside the agreed scope.
💡 For a first-year audit, add a contingency of 10–15% above the base fee to cover unknown complications — price it as an optional line in the scope-change schedule rather than inflating the base fee.
List every document the auditor will deliver: the audit opinion (addressed to shareholders or the board), the governance communication (addressed to the audit committee), and any management letter. State the format and the target delivery date for each.
💡 Confirm with the client whether the audit report needs to be addressed to specific regulatory bodies or lenders — getting this wrong requires re-issuance, which delays funding or filing deadlines.
Enter the planning start date, fieldwork window, client trial-balance delivery date, and final report date. Add language extending the report delivery date by a corresponding number of days for each day client deliverables are late.
💡 Build in a buffer of at least five business days between the end of fieldwork and the target report date to accommodate final review and partner sign-off.
Both the audit firm's authorized partner and the client's authorized signatory (CFO or CEO) must sign before any audit procedures — including planning — commence. Store the fully executed original in a secure file.
💡 Use a dated e-signature platform to create an automatic timestamp; professional standards bodies and regulators accept e-signatures for engagement letters in most jurisdictions.
An audit contract — also called an audit engagement letter — is a legally binding agreement between an external auditor and a client company that defines the terms of a financial-statement audit engagement. It covers the scope of services, applicable auditing standards, auditor independence, management responsibilities, fee structure, deliverables, timeline, and liability limits. Professional auditing standards in most jurisdictions require a written engagement agreement before audit work begins.
Yes, in most jurisdictions. AICPA auditing standards (AU-C 210) require auditors to agree on audit engagement terms in writing before commencing a new engagement or continuing a recurring one. ISA 210 imposes the same requirement internationally. Many statutory audit frameworks — including UK Companies Act audits and EU statutory audits — also mandate a written engagement agreement as part of auditor appointment.
Functionally, they are the same document. 'Engagement letter' is the term used in professional auditing standards (GAAS, ISA); 'audit contract' is the commercial term used when the document is negotiated and executed as a formal bilateral agreement. Both create the same enforceable obligations. Larger engagements and public-company audits often use a more detailed contract format, while smaller private audits may use a shorter engagement letter format.
Reference the standard that matches your jurisdiction and the nature of the engagement. US non-public company audits typically reference GAAS as established by the AICPA (AU-C standards). SEC-registered public company audits require PCAOB standards. International engagements reference ISA as issued by the IAASB. Confirm the required standard with any regulator, lender, or exchange that will rely on the report before finalizing the contract.
At minimum, the contract should state that management is responsible for preparing financial statements in accordance with the applicable framework, maintaining adequate internal controls, providing the auditor unrestricted access to records and personnel, and executing a management representation letter before the audit report is issued. These responsibilities mirror the requirements of GAAS AU-C 210 and ISA 210 and are non-negotiable for a compliant engagement.
Most audit engagements use a fixed fee with a three-tranche billing schedule: a percentage on signing, a percentage at the start of fieldwork, and the balance on report delivery. The contract should also address reimbursable out-of-pocket expenses, the interest rate on overdue balances, and the billing rate for any work outside the agreed scope. Agreeing on a scope-change mechanism upfront avoids fee disputes when additional work is required.
Auditor independence is the requirement that the external auditor has no financial, personal, or business relationship with the client that could impair — or appear to impair — objective judgment. The audit contract confirms independence as of the signing date and requires the client to disclose any future transactions or relationships that could create an independence threat. Without this clause, independence threats arising mid-engagement may go undetected until they invalidate the audit opinion.
In most jurisdictions, yes — limitation of liability clauses are enforceable in audit contracts for private companies, typically capping total liability at the fees paid for the engagement. However, some jurisdictions restrict or prohibit liability caps for statutory auditors. In the UK, liability limitation agreements require shareholder approval under the Companies Act 2006. In the EU, member states vary in their treatment of auditor liability caps. Consider consulting legal counsel before finalizing any liability limitation clause.
Without a timeline-extension clause, the auditor may still be held to the original report delivery date even if the delay was entirely the client's fault — exposing both parties to missed regulatory filing deadlines. A well-drafted audit contract should automatically extend the report delivery date by the number of business days the client's required materials arrive late, and should require the client to acknowledge this mechanism at signing.
For straightforward private-company audits, a high-quality template adapted by the audit firm's engagement partner typically suffices. Legal counsel is advisable when the engagement involves a public company, a regulated entity, cross-border audit requirements, liability limitation agreements that require shareholder approval, or a fee arrangement above $100,000 where the commercial risk warrants professional review.
An accounting services agreement covers ongoing bookkeeping, financial statement preparation, or tax compliance — work that does not require independence or the expression of an audit opinion. An audit contract specifically governs an independent audit engagement where the auditor expresses an opinion on whether financial statements are free from material misstatement. The two documents serve entirely different professional and legal purposes and should never be combined.
A consulting agreement is a general-purpose service contract for advisory work. It lacks the mandatory elements required by auditing standards — independence confirmation, management responsibilities, applicable auditing standards, and the management representation requirement. Using a consulting agreement instead of a proper audit engagement letter may render the resulting audit non-compliant with professional standards.
An NDA protects confidential information shared between parties but creates no framework for delivering audit services, expressing an opinion, or allocating audit-specific risks. Audit contracts include confidentiality provisions as one clause among many. An NDA alone is insufficient to govern an audit engagement and should be used as a companion document, not a substitute.
An internal audit charter defines the mandate, authority, and responsibilities of an in-house internal audit function within an organization. An audit contract governs the relationship with an external, independent auditor. External auditors express an opinion on financial statements; internal auditors provide assurance and advisory services to management and the board. The two documents address fundamentally different audit relationships.
Regulatory audit requirements from SEC, FINRA, FCA, or OSFI mean engagement letters must reference the specific regulatory framework and address auditor reporting obligations to regulators in addition to management.
Government grant recipients subject to US Single Audit requirements (Uniform Guidance) or equivalent national frameworks need scope language that explicitly covers compliance testing and the Schedule of Expenditures of Federal Awards.
Revenue recognition under ASC 606 or IFRS 15 and capitalized software development costs are common audit focus areas; scope should specify these as areas requiring extended procedures.
Inventory valuation, cost-of-goods-sold allocation, and physical inventory count procedures are typically major scope items; the contract should specify the client's obligation to facilitate physical counts.
Revenue recognition from third-party payors, Medicare/Medicaid cost reports, and HIPAA-related data access restrictions require specific scope language addressing how the auditor will handle protected health information.
Fair value measurement of investment properties, lease accounting under ASC 842 or IFRS 16, and multi-entity consolidation structures require scope language addressing valuation methodology and specialist reliance.
AICPA AU-C 210 requires a written engagement letter for every audit, including recurring engagements where terms change. SEC-registered issuers must use PCAOB standards; PCAOB AS 1301 also requires an engagement letter. Liability limitation clauses are generally enforceable for private-company audits but are prohibited for PCAOB-registered audits of public companies. State CPA statutes may impose additional requirements.
Canadian auditing standards (CAS), based on ISA and issued by CPA Canada, require a written engagement letter under CAS 210. Provincial securities regulators require PCAOB-equivalent standards for reporting issuers. Liability limitation for auditors is addressed by provincial legislation and varies — Ontario and British Columbia permit contractual caps for non-reporting-issuer audits. French-language requirements apply in Quebec.
Statutory auditors are appointed under the Companies Act 2006, which mandates written engagement terms. ISA (UK) 210, issued by the FRC, requires a written engagement letter for every audit. Liability limitation agreements for statutory auditors require shareholder approval by ordinary resolution under Companies Act 2006 s.535. The FRC Ethical Standard governs auditor independence for public-interest entities.
EU Regulation 537/2014 on statutory audits of public-interest entities requires written engagement terms and addresses auditor independence, fee transparency, and mandatory rotation. GDPR applies to any personal data accessed by the auditor during fieldwork — the contract should include a data processing addendum for engagements where personal data is reviewed. Member states implement ISA through national standards with varying additional requirements.
| Path | Best for | Cost | Time |
|---|---|---|---|
| Use the template | Private companies engaging a local audit firm for a standard annual audit with straightforward scope | Free | 30–60 minutes to customize |
| Template + legal review | First-time audit engagements, engagements with lender or investor reporting requirements, or fees above $50,000 | $300–$800 for a one-hour legal or senior partner review | 1–3 business days |
| Custom drafted | Public companies, regulated financial institutions, cross-border engagements, or any engagement where liability limitation requires shareholder approval | $1,500–$5,000+ | 1–2 weeks |
This document is one of 3,000+ business & legal templates included in Business in a Box.
Access over 3,000+ business and legal templates for any business task, project or initiative.
Customize your ready-made business document template and save it in the cloud.
Share your files and folders with your team. Create a space of seamless collaboration.
"Fantastic value! I'm not sure how I'd do without it. It's worth its weight in gold and paid back for itself many times."
"I have been using Business in a Box for years. It has been the most useful source of templates I have encountered. I recommend it to anyone."
"It has been a life saver so many times I have lost count. Business in a Box has saved me so much time and as you know, time is money."
Stop downloading documents. Start operating with clarity. Business in a Box gives you the Business Operating System used by over 250,000 companies worldwide to structure, run, and grow their business.
Start free · No credit card required
