US Statutory Audit Requirements: What UK Companies Operating in the USA Should Know

Introduction

Many UK finance directors assume the United States operates a statutory audit framework similar to the UK's Companies Act 2006. That assumption creates two distinct risks.

Some UK subsidiaries commission audits they don't legally need, draining resources on unnecessary compliance. More seriously, others skip audits they are legally required to conduct — triggered by SEC registration, federal funding thresholds, or industry-specific regulations they weren't aware applied to them.

Unlike the UK's threshold-based universal mandate, the US takes a different, trigger-based approach. Most private companies face no blanket federal audit requirement — but specific circumstances change that entirely. This article covers the key triggers that matter for UK companies operating stateside: SEC registration, the Single Audit Act, state-level requirements, and industry-specific rules that catch many foreign subsidiaries off guard.

TLDR

  • The US has no universal statutory audit requirement for private companies, unlike the UK's Companies Act
  • Mandatory audits are triggered by SEC registration, $1M+ in federal award expenditure, regulated industry rules, or lender covenants
  • Two primary frameworks govern US audits: GAAS (for private companies) and PCAOB standards (for public/SEC-registered entities)
  • The Sarbanes-Oxley Act adds internal control reporting obligations for public companies
  • UK companies should map their specific triggers before assuming an audit is or isn't needed

US vs. UK Statutory Audits: The Fundamental Difference

UK's Threshold-Based Universal System

Under the UK Companies Act 2006, most companies above the "small company" threshold must have an annual statutory audit. A company qualifies for audit exemption only if it meets at least two of these three criteria (for financial years beginning between 1 January 2016 and 5 April 2025):

  • Annual turnover no more than £10.2 million
  • Balance sheet total no more than £5.1 million
  • 50 or fewer employees on average

For financial years beginning on or after 6 April 2025, these thresholds increase to £15 million turnover and £7.5 million balance sheet total.

This creates a clear default: exceed the thresholds, and you need an audit — a framework UK finance professionals know well.

US's Trigger-Based Conditional System

The US has no equivalent universal mandate. As the AICPA confirms, "By law, the annual financial statements of public companies must be audited each year by independent auditors," but private companies face no such general legal mandate. Audits for private US companies are triggered by:

  • SEC registration
  • Federal funding above specific thresholds
  • Industry-specific regulation (banking, insurance, broker-dealers)
  • Contractual obligations (lender requirements)

JLK Rosenberger, a PKF Global member firm, states directly: "For most private companies—such as many foreign-owned U.S. subsidiaries—there is no mandatory statutory audit imposed by U.S. law."

What "Statutory Audit" Means in the US Context

In the US, "statutory audit" refers to an audit legally required by a specific statute—federal law, state regulation, or industry regulator rule. The concept exists, but it's conditional and trigger-based, not a default national requirement.

Practical Consequences for UK Companies

A UK subsidiary or branch operating in the US may face:

  • No audit requirement under federal private company rules
  • Obligations under state law (for charities, for example)
  • Industry regulation mandates (banking, insurance)
  • Lender-imposed audit requirements as loan covenants

Beyond the question of whether an audit is required, there is a second cross-border consideration: which accounting standards govern that audit.

Accounting Standards Divergence

UK statutory audits are conducted under UK GAAP or IFRS, while US audits are conducted under US GAAP. When an audit is required, UK companies may need to reconcile or restate their financial reporting framework—a layer of complexity specific to cross-border operations.

One significant exception: the SEC permits foreign private issuers to file IFRS financial statements as issued by the IASB without reconciliation to US GAAP (effective March 4, 2008). For UK companies pursuing SEC registration, this removes one major reporting burden.

When Is a Statutory Audit Mandatory in the USA?

SEC-Registered Public Companies

Any company with securities registered with the US Securities and Exchange Commission—including foreign private issuers listing on US stock exchanges—must have annual audits conducted under PCAOB standards. UK companies listed or planning to list on US markets are directly covered. These companies report under Sections 13 or 15(d) of the Securities Exchange Act of 1934, filing audited annual statements within four months of fiscal year-end.

Single Audit Act — Federal Award Recipients

Under 2 CFR Part 200 (Uniform Guidance), any non-federal entity—including for-profit companies, nonprofits, and state/local entities—that expends $1,000,000 or more in federal awards during a fiscal year must undergo a Single Audit. This threshold was increased from $750,000 to $1,000,000 effective for fiscal years beginning on or after October 1, 2024.

"Federal awards expended" includes:

  • Grants and cooperative agreements
  • Federal cost-reimbursement contracts
  • Loans (when the federal share is expended)
  • Awards received directly or passed through other entities

UK companies accepting US government contracts or grants should verify whether cumulative federal expenditure will cross this threshold before fiscal year-end.

Banking and Financial Institution Regulators

Banks and financial institutions face mandatory audit requirements from regulators including the Office of the Comptroller of the Currency (OCC), FDIC, and Federal Reserve.

Under 12 CFR Part 363, insured depository institutions with consolidated total assets of $1 billion or more must have annual independent audits of GAAP-prepared financial statements. Institutions at $5 billion or more must additionally obtain auditor attestation on internal controls over financial reporting.

Lender-Imposed Requirements

Even when no law mandates an audit, US commercial banks routinely require borrowers to submit audited financial statements as a condition of loan approval or covenant compliance. In practice, any UK company seeking a US commercial loan should expect audited financials to be a standard requirement, not an exception.

Voluntary but Practically Necessary Situations

Beyond lender requirements, audits frequently become commercially unavoidable in other high-stakes situations:

  • Investor due diligence
  • Mergers and acquisitions
  • Private equity involvement
  • Maintaining credibility with US business partners

US investors and acquirers typically expect GAAP-compliant audited statements as a baseline — having them in place before negotiations begin puts UK companies in a stronger position.

US Audit Standards: GAAS, PCAOB, and SOX Explained

GAAS — Generally Accepted Auditing Standards

The Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) issues and maintains GAAS, which governs audits of private (non-public) companies in the US. GAAS defines:

  • Auditor qualifications and independence requirements, including rules on independence from audit clients
  • Conduct of audit engagements, covering planning, evidence gathering, and documentation
  • Reporting requirements, specifying how auditors communicate findings and opinions

Most UK companies with US private subsidiaries requiring an audit will be audited under GAAS.

PCAOB — Public Company Accounting Oversight Board

Established under the Sarbanes-Oxley Act of 2002, the PCAOB sets auditing standards specifically for companies registered with the SEC. Any UK company with US-listed securities must have its audit conducted by a PCAOB-registered auditor.

Notably, the PCAOB has conducted inspections of registered firms in 58 non-US jurisdictions including the United Kingdom. This means UK audit firms signing off on SEC-registrant financials must register with and submit to PCAOB inspection—creating dual regulatory oversight alongside the Financial Reporting Council (FRC).

SOX — Sarbanes-Oxley Act Obligations

For UK companies that are SEC-registered public companies, SOX imposes significant additional obligations:

| SOX Section | Requirement | Key Details |
|---|---|---|
| Section 302 | Management certification | Principal executive and financial officers must certify report accuracy, financial statement fair presentation, and disclosure controls effectiveness |
| Section 404(a) | Management assessment | Management must assess and report on internal control effectiveness over financial reporting |
| Section 404(b) | Auditor attestation | External auditors must independently assess and attest to internal controls effectiveness |

These requirements are in addition to the standard annual audit and represent a significant compliance burden compared to UK equivalents.

US GAAP vs. IFRS — The Reporting Framework Question

Beyond audit standards, the reporting framework itself matters. US audits typically require financial statements prepared under US GAAP, which means UK companies reporting under IFRS may need to restate or reconcile financials for their US-regulated entity.

There is, however, a notable exception: the SEC permits foreign private issuers to submit IFRS-based financials (as issued by the IASB) without reconciliation to US GAAP in specific circumstances. UK companies should confirm whether they qualify for this accommodation before determining their filing approach.

Industry-Specific and State-Level Audit Triggers

Regulated Industries Beyond Banking

Insurance Companies: Operating under the NAIC Annual Financial Reporting Model Regulation (Model Law 205), all insurers must have an annual audit by an independent CPA and file an audited financial report with the state insurance commissioner by June 1 each year.

Broker-Dealers: Registered with the SEC and FINRA, broker-dealers must undergo annual audits under SEC Rule 17a-5. Firms must file audited annual reports (Form X-17A-5 Part III), with electronic EDGAR filing mandatory from June 30, 2025 onward.

Employee Benefit Plans: Plans with 100 or more participants at the beginning of the plan year must include an independent audit report with Form 5500 under ERISA requirements.

UK companies entering these sectors inherit these obligations immediately upon US market entry.

State-Level Audit Requirements

Beyond federal requirements, individual states impose their own audit mandates. For charitable organizations, the thresholds vary significantly by state:

Major commercial states—New York, California, and Delaware—do not impose general statutory audit requirements on foreign-registered corporations simply for doing business there. For commercial entities, audit triggers are industry-specific or contractual, not state-corporate-law-based.

Nonprofit and Grant-Funded UK Entities

UK charitable organizations or foundations operating in the US that receive federal or state grant funding must comply with the Single Audit Act if the $1,000,000 federal expenditure threshold is met. This applies regardless of UK registration status.

Practical Steps for UK Companies to Assess Their US Audit Obligations

Step 1 — Identify Your US Entity Structure and Registration

Determine whether your US presence is structured as:

  • C-Corporation
  • Limited Liability Company (LLC)
  • Branch of the UK parent
  • Another entity form

Each structure has different implications for audit requirements. Registration status with the SEC or a state securities regulator matters too — it immediately triggers PCAOB or state-specific audit obligations.

Step 2 — Map Your Specific Triggers

Work through a checklist of known triggers:

  • SEC registration status
  • Federal awards expended (above $1M threshold)
  • Industry regulation (banking, insurance, broker-dealer, ERISA)
  • Lender covenants requiring audited financials
  • State-specific rules (charitable registration, insurance licensing)

Any single trigger creates a mandatory audit obligation — regardless of company size or private status.

Step 3 — Engage Cross-Border Accounting Expertise

Navigating US federal, state, and industry-specific requirements alongside UK parent company obligations requires specialized expertise. VJM Global has advised 250+ UK businesses on cross-border compliance, drawing on 30+ years of experience in international tax, audit, and financial advisory. As a member of EAI International, the firm connects clients with qualified, independent accounting professionals in the US and other jurisdictions as needed.

VJM Global can help UK companies assess their US audit obligations and coordinate the right professional support. Services relevant to this process include:

  • Financial statement reconciliation between IFRS and US GAAP
  • Internal controls review and audit readiness assessment
  • Regulatory examination support and compliance coordination
  • Liaison with US-qualified auditors through the EAI International network

Frequently Asked Questions

What are the legal requirements for a statutory audit?

US statutory audit requirements are not universal: they arise from specific statutes such as the Securities Exchange Act (for SEC-registered companies), the Single Audit Act (for federal award recipients expending $1M+), or sector regulators (banking, insurance, broker-dealers). Private companies without these triggers generally face no federal legal mandate.

Is a statutory audit mandatory?

For most US private companies, a statutory audit is not mandatory under federal law. However, it becomes required when triggered by SEC registration, federal funding thresholds ($1M+), regulated industry membership (banking, insurance), or contractual obligations such as bank lending covenants.

Who can do statutory audits in the USA?

US audits must be performed by a licensed Certified Public Accountant (CPA) or CPA firm. For SEC-registered public companies, the auditor must additionally be registered with the PCAOB. Foreign auditors from the UK participating in audits of US-listed companies also fall under PCAOB oversight.

What are the audit standards in the US?

Two main frameworks govern US audits: GAAS (Generally Accepted Auditing Standards), issued by the AICPA and applied to private company audits; and PCAOB standards, which apply to public companies registered with the SEC. SOX compliance adds internal control reporting requirements for public companies.

What are the 4 types of audits?

The four main audit types in the US context are:

  • Financial statement audit — examines financial statements for fair presentation under GAAP
  • Compliance audit — includes Single Audits for federal award recipients
  • Performance/operational audit — assesses efficiency and program effectiveness under GAO's Yellow Book
  • Forensic audit — fraud investigation and litigation support

UK companies operating in the US most commonly encounter financial statement and compliance audits.