A thread in r/InternalAudit put it plainly: the hardest part of auditing expense reports isn’t spotting the fraud, it’s the fact that no one told you to look until months after the money was gone.
By the time the finance team flags that an employee submitted $800 in personal dinners as “client entertainment,” the reimbursement has cleared, the approval chain has moved on, and recovering the money means starting a very uncomfortable conversation with HR.
This plays out more often than most companies realize.
Travel and expense typically represents upwards of 10% of an organization’s operating budget, making it one of the largest and least-controlled areas of discretionary spending.
Finance professionals regularly debate what a realistic review process actually looks like, with most admitting that their company either audits too little or audits inconsistently, leaving gaps that employees (sometimes deliberately, sometimes accidentally) fall through.
A structured expense report audit process closes those gaps. It creates a consistent framework for reviewing what’s going out the door, who approved it, and whether the approval should have happened at all. This guide walks through exactly how to run one, and how to build a process that largely runs itself.
What Is an Expense Report Audit and Why Do Companies Do It?
An expense report audit is a systematic review of employee-submitted expense claims to verify that every item is accurate, supported by documentation, and consistent with company policy. It sits within a broader internal controls framework, and it carries direct regulatory implications. The IRS requires businesses to maintain adequate records for any expense claimed as a tax deduction, including the amount, date, place, business purpose, and the business relationship of anyone involved.
Beyond tax compliance, auditing expense reports protects companies from two very different types of problems: honest mistakes and deliberate fraud. The distinction matters less at the audit stage than most people think. Whether an employee genuinely forgot to attach a receipt or deliberately omitted it, the effect on your books is the same, until someone checks.
According to the ACFE’s 2024 Report to the Nations, organizations lose an average of 5% of annual revenue to fraud each year, and expense reimbursement schemes specifically result in an average loss of $251,000 per case, going undetected for 18 months on average. For mid-market companies, that’s not a rounding error.
Who Is Responsible for Auditing Expense Reports?
In most organizations, day-to-day expense report auditing sits with the Finance or Accounts Payable team. Larger companies may have a dedicated Internal Audit function that runs periodic deep-dive reviews, particularly for senior employees or high-risk departments. Some businesses outsource this to third-party audit firms when reviewing at scale or investigating specific compliance concerns.
Regardless of structure, role clarity matters. Someone specific needs to own exception flagging and follow-up. Without clear ownership, audit findings sit in a spreadsheet and nothing changes.
What Are the Most Common Issues Found During Expense Audits?
When finance teams discuss their audit findings publicly, as they do regularly on r/Accounting and r/smallbusiness, the same categories come up repeatedly:
- Missing or illegible receipts: Claims without documentation are both unverifiable and non-deductible. This is the most common finding in any manual audit.
- Misclassified expenses: Personal items coded as business expenses, or meals billed as “team entertainment” when no team was present.
- Policy violations: Spending above per diem limits, unapproved flight upgrades, or bookings made outside preferred vendors.
- Duplicate claims: The same receipt submitted twice, sometimes in different reporting periods or under slightly different descriptions.
- Inflated amounts: Receipt totals that don’t match claimed amounts, often by small margins calculated to avoid scrutiny.
- Vague business purpose: “Dinner” with no client name, no project reference, and no context that would justify the expense.
Most of these are correctable if caught early. The problem is that manual processes rarely catch them until after reimbursement, if at all.
What Are the Warning Signs of Expense Report Fraud During an Audit?
Some patterns in a report warrant closer investigation. Round-number claims (exactly $50.00, exactly $200.00) are statistically unusual for real-world purchases, genuine receipts almost never end in a zero. Frequent amendments to already-approved reports suggest testing of approval thresholds. Claims with no merchant name, no location, and no accompanying receipt remove the paper trail almost entirely.
A thread in r/deloitte about expense audit termination risk highlighted a recurring pattern: expenses filed consistently just below approval thresholds, or a sudden spike in submissions before quarter close, are two of the clearest behavioral signals that something is off.
For a full breakdown of fraud patterns, detection methods, and how to handle confirmed cases, see our guide on expense report fraud →.
How Do You Conduct an Expense Report Audit Step by Step?
A structured expense report audit follows a repeatable eight-step sequence:
1. Define the audit scope. Are you auditing all reports for a given period, only reports above a spending threshold, or a random statistical sample? Document the scope before you pull a single report. Scope creep mid-audit leads to inconsistent findings and incomplete documentation.
2. Pull the relevant reports. Gather all submissions within the defined window, along with associated receipts, approval records, and any supporting documentation (conference registrations, flight itineraries, client meeting notes).
3. Verify receipts. Every line item should have a matching receipt showing vendor name, date, amount, and a description of the purchase. Missing, altered, or illegible receipts are immediate flags, not assumptions of fraud, but mandatory follow-ups.
4. Validate against your expense policy. Check each claim against the documented policy: category limits, eligible expense types, required approval levels, submission deadlines, and any category-specific rules (per diem caps, mileage reimbursement rates, hotel tier restrictions).
5. Check approvals. Verify that every report has a proper approver signature or digital approval, and that the approver had authority over the claimant. Self-approved reports should never clear an expense report audit. Manager-approving-their-own-report is a scenario that surfaces in real audits more than it should.
6. Flag exceptions. Log every claim that fails a check. Note the specific policy rule violated or the missing item. Don’t resolve or dismiss exceptions informally, document them formally so findings can be tracked over time.
7. Document findings. Produce a written summary of what was reviewed, what was found, and what remediation is recommended. This record protects the company if disputes arise later.
8. Communicate outcomes. Notify claimants, managers, and HR where relevant. For minor documentation errors, a correction request is usually sufficient. For repeated violations or patterns that suggest intent, escalation to HR or Legal is appropriate.
How Often Should Businesses Audit Expense Reports?
Frequency should match risk profile:
- High-risk employees (large budgets, frequent travel, prior compliance issues): 100% audit of every submission.
- Larger organizations: Statistical sampling, typically 10–20% of all reports, is standard practice and statistically defensible.
- Most businesses: A quarterly expense report audit at minimum. Monthly reviews are advisable for any company with significant T&E spend.
Waiting until year-end to audit a full year’s submissions is the most common mistake finance teams make. By then, the 18-month average detection window the ACFE documented has already been exploited.
What Should an Expense Report Audit Checklist Include?
A standardized expense report audit checklist removes subjectivity from the review process and gives auditors a consistent, documentable framework. Here is a complete checklist covering the most common audit checks:
- Receipt present and legible for every claim
- Expense date falls within the policy submission window
- Category correctly assigned per policy definitions
- Amount within per-transaction and per-category policy limits
- Business purpose clearly and specifically stated (not just “dinner” or “supplies”)
- Approver signature or digital approval present and verified
- Approver is not the same person as the claimant
- No duplicate submissions across same date and vendor
- Personal expenses not included in the report
- Mileage claims supported by route documentation or mapping tool output
- Per diem amounts within applicable policy caps
- Receipt amounts match claimed amounts exactly
- Foreign currency claims converted at the correct exchange rate
- All claims fall within the applicable IRS substantiation requirements
This checklist can be adapted into a formal audit template, used as a pre-approval review tool for managers, or built directly into your expense management platform as a pre-submission validation step.
How Does Expense Report Software Make Auditing Easier?
Manual auditing is time-consuming, inconsistent, and vulnerable to the same oversights it’s designed to catch.
According to American Express’ 2023 Expense Management Trendex, 65% of travel expense processors spend at least one hour reviewing a single monthly expense report.
Multiplied across a mid-market organization with dozens of regular travelers, that’s a significant ongoing cost for something that could largely be automated.
Automated expense reporting changes the audit equation at every stage:
- Policy enforcement at submission: Limits and category rules are checked before a report moves forward, not after reimbursement.
- Real-time duplicate detection: The system flags when the same receipt has already been submitted, regardless of period or description.
- Timestamped audit trails: Every action, submission, approval, amendment, rejection, is logged with a timestamp and user ID.
- OCR-verified receipts: Receipt amounts are read and cross-referenced against claimed amounts automatically.
- Exception reporting: Auditors see a consolidated view of flagged items rather than reviewing every line of every report manually.
Research consistently shows that companies using automated expense management have materially lower fraud exposure. Employees who submitted expenses using manual processes were found to be more than twice as likely to commit fraud compared to those using automated solutions.
ITILITE builds compliance into the submission process itself. Policy flags appear before approval, not after. Finance teams get structured, searchable data with complete audit trails, not stacks of PDF attachments that need to be manually cross-referenced. Every step from booking through reimbursement is logged, timestamped, and auditable on demand.
See how ITILITE Expense Management works →
Conclusion
An expense report audit isn’t just a finance task, it’s one of the most direct ways a company protects against both honest mistakes and deliberate misuse. The ACFE’s data makes the stakes clear: the average fraud case involving expense reimbursement goes unnoticed for a year and a half and costs a quarter of a million dollars before anyone catches it. A consistent audit process, built on a clear checklist and enforced with the right tools, closes that window dramatically.
The less manual your process, the less there is to audit in the first place. See how ITILITE builds compliance into every submission so your next expense report audit takes hours, not days.
