Regulatory Compliance Checklist

Document whether the entity reports under US GAAP or IFRS and list any FASB ASUs effective this period (e.g., ASC 842 lease tracking, ASC 326 CECL for financial assets). Note any newly-adopted standards that change the prior-year comparison.

Each footnote should trace to a working trial balance lead schedule. Common gaps: related-party disclosures, subsequent events through report date, lease maturity tables, going-concern assessment.

Update revenue recognition, capitalization thresholds, depreciation methods, and inventory valuation policies. The controller signs off; a stale policy memo is the first thing an auditor flags during walkthrough.

Confirm 1120-S and 1065 filed by Mar 15; 1120 and 1040 by Apr 15. Tie quarterly 941s to W-3 totals and to GL payroll-tax expense. Flag any unfiled extensions (Form 7004 / 4868).

If any federal return is past due, prepare reasonable-cause statement and assess first-time abate eligibility. Document the timeline and circumstances; the IRS rejects boilerplate.

Pull revenue by ship-to state and compare to post-Wayfair economic-nexus thresholds (commonly $100K or 200 transactions). Verify Avalara or TaxJar is registered in each tripped state. Retroactive registration under VDA is the fix when nexus was crossed silently.

Pull every vendor paid more than $600 for services. Confirm a current W-9 on file and exclude corporations (with the attorney and medical-payment exceptions). 1099-NEC due Jan 31 — late filings hit per-form penalties.

Document the bank rec preparer-vs-reviewer split, AJE approval threshold, and wire-release dual control. Test one transaction per key control; failures go on the management letter draft.

Pull the user permissions report. The bookkeeper who enters bills should not also release payments in Bill.com. Cash-handling, recordkeeping, and reconciliation should sit with three different people — or compensating review controls if headcount is too small.

Pull current SOC 1 Type II reports for Gusto, ADP, Bill.com, NetSuite, and any other service organizations affecting financial reporting. Read the complementary user entity controls (CUECs) and confirm each is implemented.

Run the client list against attest engagements (audit, review, compilation with assurance). Bookkeeping for a review client breaches independence under most state-board interpretations of SSARS. Cross-selling teams trip this most often.

Partners and managers complete a fresh COI questionnaire covering personal investments, family employment at clients, and outside board seats. Anything new gets routed to the managing partner before sign-off.

Pull the CPE tracker and confirm 40+ hours per license holder for the reporting year, including the state-required ethics hours. Lapsed license = the firm cannot sign attest reports until reinstated.

Determine whether the firm or its clients fall under BSA reporting (MSBs, broker-dealers, certain advisory clients). Note FinCEN Beneficial Ownership Information (BOI) reporting obligations for reporting companies under the Corporate Transparency Act.

Document the beneficial owners (25%+) for each entity client added this year. Screen names against OFAC SDN and PEP lists. File the CIP record in the client folder; auditors and bank-relationship reviews ask for it.

Cover SAR red flags, structuring, and the firm's escalation path. Training log goes in the compliance folder; FinCEN exam-readiness depends on dated attendance records.

Every paid preparer must maintain a Written Information Security Plan. Refresh the asset inventory, designated security coordinator, encryption standards, and incident-response playbook. The FTC Safeguards Rule expects annual review and a documented risk assessment.

Identify the states where clients or staff reside. CCPA/CPRA, NY SHIELD, and MA 201 CMR 17 each have unique notification and safeguard rules. Note GDPR exposure if any clients have EU operations.

Managing partner and compliance lead review findings, document remediation owners and dates, and sign. Open items roll into next quarter's compliance committee agenda.