Financial Statement Audit Checklist

Confirm the firm and engagement team meet AICPA Code of Professional Conduct independence rules. Run the conflict check against affiliates and beneficial owners. Common breach: a partner provided bookkeeping services last year and the engagement is now a review or audit — that's a SSARS / AU-C independence problem.

Document the reason in the conflict log, notify the client in writing, and either propose a remediation (rotate partner, drop disqualifying service) or decline. Do not proceed to engagement-letter execution without partner sign-off on remediation.

Engagement letter spells out scope (audit vs. review vs. compilation), fee structure, deliverables, and management's responsibilities for the financial statements and ICFR. Get it signed before any fieldwork — unsigned letters are the most common malpractice-claim trigger.

Send the prepared-by-client request list through Suralink, TaxDome, or Liscio at least 30 days before fieldwork. Tag each item with owner and due date. Track weekly with the controller — half-empty PBC lists at fieldwork start are the most common reason audits overrun.

Walk through changes since prior year: new revenue streams, M&A activity, debt covenant changes, accounting-policy elections, key personnel turnover. Capture in the planning memo per AU-C 300.

Calculate planning materiality (commonly 5% of pretax income or 0.5%–1% of revenue for non-issuers), then performance materiality (typically 50%–75% of planning). Document the benchmark choice and rationale in the workpaper per AU-C 320.

Update the understanding-of-the-entity workpaper: industry, regulatory framework, ownership, related parties, key contracts. Required by AU-C 315; reuse prior-year and document changes rather than starting from scratch.

Walk revenue, purchases-to-pay, payroll, and financial-close cycles end to end with the process owner. Identify key controls and points where misstatement could occur. Document in the cycle memo with screenshots from QuickBooks, NetSuite, or Sage Intacct.

For each key control, assess whether it is designed to prevent or detect a material misstatement and whether it has been implemented. Test of design only — operating-effectiveness testing is a separate decision driven by your reliance strategy.

Per AU-C 240, hold the fraud brainstorming meeting with the engagement team. Address revenue recognition risk and management override of controls — both presumed risks. Document incentive, opportunity, and rationalization factors observed.

Combine inherent risk and control risk per assertion per significant account. Document in the RoMM matrix. The overall assessment drives the nature, timing, and extent of substantive procedures in fieldwork.

Pull the working trial balance from the client's GL and tie each significant account to its lead schedule in Caseware or CCH ProSystem fx Engagement. Reconciling differences between the WTB and the lead must be cleared before substantive work begins.

Send bank confirmations through Confirmation.com. Test year-end bank rec for each account: trace deposits in transit and outstanding checks to the subsequent statement. Stale items over 90 days are an audit flag — agree write-off with the controller.

Select the sample using monetary-unit sampling sized to performance materiality. Send positive confirmations; perform alternative procedures (subsequent-receipt testing, shipping documents) for non-responses. Document the exception summary.

Observe the year-end physical count if inventory is material. Test count-tag controls, perform test counts, and reconcile to the perpetual records. Test lower-of-cost-or-NRV by sampling SKUs against recent sales prices.

Vouch additions over the scoping threshold to vendor invoices; confirm capitalization vs. expense per the client's policy. Recompute depreciation on the roll-forward and tie to the GL expense.

Confirm balances and terms directly with lenders. Recompute key covenant ratios (DSCR, leverage, fixed-charge coverage). A failed covenant without a waiver letter dated before year-end can force current-classification of long-term debt and trigger going-concern questions.

For high-RoMM areas, expand sample sizes, lower scoping thresholds, or add procedures (cutoff testing, journal-entry testing for management override per AU-C 240, third-party valuation review). Document the expanded scope and rationale in the audit program.

Per AU-C 560, inquire of management about events between year-end and report date. Read minutes, latest interim financials, and material contracts. Recognized vs. non-recognized events drive disclosure vs. adjustment treatment.

Per AU-C 570, evaluate whether substantial doubt exists about the entity's ability to continue as a going concern for one year from the report date. Consider recurring losses, negative working capital, covenant defaults, and management's mitigation plans.

When substantial doubt is not alleviated, add a separate section in the auditor's report titled "Substantial Doubt About the Entity's Ability to Continue as a Going Concern" per AU-C 570.20. Coordinate with the client on Note disclosure language before finalizing.

Letter must be dated the same date as the auditor's report and signed by the CEO and CFO. Include client-specific representations for unusual matters (litigation, related-party transactions, estimates). No rep letter, no report — this is a hard stop.

Engagement partner signs off on every section; the engagement quality control reviewer (EQCR / concurring partner) reviews the financial statements, report, and significant judgments before report release per the firm's quality-management system.

Use the AU-C 700 report format. Confirm the financial statements distributed to users match the version covered by the report. Release through the client portal with a signed PDF and watermarked draft removal.

Communicate significant deficiencies and material weaknesses in writing to those charged with governance per AU-C 265. Include management's planned remediation. Distinguish from "other matters" that are best-practice suggestions, not control deficiencies.

Cover required AU-C 260 communications: scope, significant accounting policies, management's judgments and estimates, uncorrected misstatements, disagreements with management, and difficulties encountered. Provide written deck and executive summary.

Final assembly within 60 days of report release. Lock the engagement file in Caseware or CCH Engagement; any post-archive changes require documented justification per AU-C 230.16. Retain for the firm's required period (typically 7 years; longer for some states).