Regulatory Compliance Checklist

Annual regulatory compliance review for an accounting firm or in-house finance team. Covers reporting standards, tax filings, internal controls, ethics, AML, and data security obligations under IRS Pub 4557, FTC Safeguards, and state data-protection rules.

6 sections, 19 steps. Collects data.
Section 1: Financial Reporting Standards

  1. Confirm reporting framework and ASU updates
    • Document whether the entity reports under US GAAP or IFRS and list any FASB ASUs effective this period (e.g., ASC 842 lease tracking, ASC 326 CECL for financial assets). Note any newly adopted standards that change the prior-year comparison.

    Collects: list
  2. Tie financial disclosures to lead schedules
    • Each footnote should trace to a working trial balance lead schedule. Common gaps: related-party disclosures, subsequent events through report date, lease maturity tables, going-concern assessment.

  3. Refresh accounting policy memo
    • Update revenue recognition, capitalization thresholds, depreciation methods, and inventory valuation policies. The controller signs off; a stale policy memo is the first thing an auditor flags during walkthrough.

Section 2: Tax Compliance

  1. Reconcile federal filings (1120, 1120-S, 1065, 941)
    • Confirm 1120-S and 1065 filed by Mar 15; 1120 and 1040 by Apr 15. Tie quarterly 941s to W-3 totals and to GL payroll-tax expense. Flag any unfiled extensions (Form 7004 / 4868).

    Collects: list
  2. File late returns under reasonable cause
    • If any federal return is past due, prepare reasonable-cause statement and assess first-time abate eligibility. Document the timeline and circumstances; the IRS rejects boilerplate.

  3. Run 50-state nexus and sales-tax review
    • Pull revenue by ship-to state and compare it to post-Wayfair economic-nexus thresholds (commonly $100K in sales or 200 transactions). Verify that a registration is in place in Avalara or TaxJar for each state whose threshold was crossed. Retroactive registration under a voluntary disclosure agreement (VDA) is the fix when nexus was crossed silently.

  4. Audit 1099-NEC vendor list against W-9s
    • Pull every vendor paid more than $600 for services. Confirm a current W-9 on file and exclude corporations (with the attorney and medical-payment exceptions). 1099-NEC due Jan 31 — late filings hit per-form penalties.

Section 3: Internal Controls and Risk

  1. Walk through key controls in the close cycle
    • Document the bank rec preparer-vs-reviewer split, AJE approval threshold, and wire-release dual control. Test one transaction per key control; failures go on the management letter draft.

  2. Verify segregation of duties in QBO or NetSuite
    • Pull the user permissions report. The bookkeeper who enters bills should not also release payments in Bill.com. Cash-handling, recordkeeping, and reconciliation should sit with three different people — or compensating review controls if headcount is too small.

  3. Review SOC 1 reports for outsourced providers
    • Pull current SOC 1 Type II reports for Gusto, ADP, Bill.com, NetSuite, and any other service organizations affecting financial reporting. Read the complementary user entity controls (CUECs) and confirm each is implemented.

    Collects: file
Section 4: Ethics and Governance

  1. Confirm AICPA independence for attest clients
    • Run the client list against attest engagements (audit, review, compilation with assurance). Bookkeeping for a review client breaches independence under most state-board interpretations of SSARS. Cross-selling teams trip this most often.

  2. Refresh annual conflict-of-interest disclosures
    • Partners and managers complete a fresh COI questionnaire covering personal investments, family employment at clients, and outside board seats. Anything new gets routed to the managing partner before sign-off.

  3. Verify partner CPE hours and ethics credit
    • Pull the CPE tracker and confirm 40+ hours per license holder for the reporting year, including the state-required ethics hours. A lapsed license means the firm cannot sign attest reports until it is reinstated.

Section 5: Anti-Money Laundering

  1. Confirm BSA/AML program scope applies
    • Determine whether the firm or its clients fall under BSA reporting (MSBs, broker-dealers, certain advisory clients). Note FinCEN Beneficial Ownership Information (BOI) reporting obligations for reporting companies under the Corporate Transparency Act.

    Collects: list
  2. Run KYC and sanctions screening on new clients
    • Document the beneficial owners (25%+) for each entity client added this year. Screen names against OFAC SDN and PEP lists. File the CIP record in the client folder; auditors and bank-relationship reviews ask for it.

  3. Deliver annual AML training to staff
    • Cover SAR red flags, structuring, and the firm's escalation path. Training log goes in the compliance folder; FinCEN exam-readiness depends on dated attendance records.

Section 6: Data Privacy and Security

  1. Update the WISP under IRS Pub 4557
    • Every paid preparer must maintain a Written Information Security Plan. Refresh the asset inventory, designated security coordinator, encryption standards, and incident-response playbook. The FTC Safeguards Rule expects annual review and a documented risk assessment.

    Collects: file
  2. Map state privacy laws (CCPA, NY SHIELD, MA 201 CMR 17)
    • Identify the states where clients or staff reside. CCPA/CPRA, NY SHIELD, and MA 201 CMR 17 each have unique notification and safeguard rules. Note GDPR exposure if any clients have EU operations.

  3. Sign off on the annual compliance review
    • Managing partner and compliance lead review findings, document remediation owners and dates, and sign. Open items roll into next quarter's compliance committee agenda.

    Collects: list, signature, paragraph

Sections: 6
Steps: 19
Category: Accounting
Price: Free to start