Compliance Audit Checklist

Financial Reporting Compliance

    Pull the WTB at period end and reconcile it to the GL by account, including consolidated entities and intercompany eliminations. Attach the tie-out workpaper and flag any account where the WTB-to-GL variance exceeds performance materiality.

    Confirm revenue recognition under ASC 606, lease treatment under ASC 842, and credit-loss methodology under ASC 326. For IFRS reporters, confirm IFRS 15 / 16 / 9 equivalents. Note any departures and the management rationale.

    Review the filing calendar for the period: 10-K, 10-Q, state annual reports, lender covenant certificates, and any industry-specific reports (e.g., FOCUS for broker-dealers, NAIC for insurers). Confirm each was filed on or before the statutory deadline.

    Catalog each missed deadline, the responsible filer, and the late-filing penalty exposure. Coordinate with outside counsel on Form 12b-25 (NT 10-K/10-Q) for SEC filers and on state amnesty options where available.

Internal Controls and Procedures

    Sit with the control owner for each key control identified in the risk-control matrix — order-to-cash, procure-to-pay, payroll, period-end close, treasury. Document the actual operation versus the documented procedure; flag any drift.

    Verify that no single user can initiate, approve, and post a disbursement. Pull the user-role report from the GL and AP automation tool (Bill.com, Ramp, NetSuite) and trace conflicting permissions. Wire-initiation and bank-rec roles are the most common SoD failures.

    Pull a stratified sample of manual JEs over the period (high-dollar, period-end, top-side, and round-dollar). Trace each to a memo, supporting workpaper, and approver who is not the preparer.

    Classify each deficiency identified during walkthroughs and testing using the AS 2201 / AU-C 265 framework: control deficiency, significant deficiency, or material weakness. Likelihood × magnitude drives the rating.

    Material weaknesses must be communicated in writing to the audit committee before issuance of the auditor's report. Draft the management letter point, the proposed remediation plan, and the target completion date for committee discussion.
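For the segregation-of-duties step above (no single user can initiate, approve, and post a disbursement), the following is an added example, not part of the original checklist or any vendor's tooling. It flags users whose combined roles across systems cover a full conflicting duty set. The role names, the role-to-duty mapping, the CSV layout, and the assumption that logins match across systems once lower-cased are all hypothetical.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export, one row per (user, system, role). Role names are
# hypothetical; substitute the real ones from the GL and AP tool reports.
SAMPLE_REPORT = """user,system,role
alice,AP,Bill Creator
alice,AP,Bill Approver
Alice,GL,Journal Poster
bob,AP,Bill Creator
bob,GL,Journal Poster
carol,Bank,Wire Initiator
carol,GL,Bank Reconciler
erin,GL,Administrator
"""

# Assumed mapping from tool-specific roles to abstract duties.
ROLE_TO_DUTY = {
    "Bill Creator": "initiate", "Bill Approver": "approve", "Journal Poster": "post",
    "Wire Initiator": "wire_initiate", "Bank Reconciler": "bank_rec",
}

# A user who holds every duty in a rule, in any mix of systems, is a conflict.
SOD_RULES = {
    "disbursement end-to-end": {"initiate", "approve", "post"},
    "wire initiation + bank rec": {"wire_initiate", "bank_rec"},
}

def find_sod_conflicts(report_csv):
    """Return (conflicts, unmapped_roles); conflicts maps user -> rule hits."""
    grants = defaultdict(list)  # user -> [(duty, system, role)]
    unmapped = set()
    for row in csv.DictReader(io.StringIO(report_csv)):
        role = row["role"].strip()
        duty = ROLE_TO_DUTY.get(role)
        if duty is None:
            unmapped.add(role)  # surface for manual review, never skip silently
            continue
        # Assumption: logins match across systems once lower-cased.
        grants[row["user"].strip().lower()].append((duty, row["system"], role))
    conflicts = {}
    for user, held in grants.items():
        duties = {duty for duty, _, _ in held}
        hits = [(name, sorted(g for g in held if g[0] in rule))
                for name, rule in SOD_RULES.items() if rule <= duties]
        if hits:
            conflicts[user] = hits
    return conflicts, sorted(unmapped)
```

Roles returned in the unmapped list (such as a broad administrator role) need manual review, since they may grant several duties at once and would otherwise escape the rule check.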

Tax Compliance

    Tie taxable income on the 1120, 1120-S, or 1065 to the book-to-tax workpaper. Recompute Schedule M-1 / M-3 reconciling items, basis schedules for S-corp shareholders or partners, and apportionment factors for multi-state filers.

    Confirm the federal deposit schedule (monthly vs. semiweekly) per the lookback-period rule and trace each deposit to the EFTPS confirmation. Late-deposit penalties stack at 2% (1-5 days), 5% (6-15 days), and 10% (16+ days) — every day matters.

    Pull a 50-state revenue and transaction-count report from Avalara or TaxJar against each state's economic-nexus threshold (commonly $100K or 200 transactions post-Wayfair). Flag any state crossed without a registration on file.

Regulatory and Legal Compliance

    Confirm the entity's industry-specific licenses are current — state CPA firm registration, FINRA / SEC for broker-dealers, NMLS for mortgage entities, state insurance department for producers. Lapses commonly happen during entity restructures.

    BSA/AML obligations apply to financial institutions, money service businesses, and certain dealers. Confirm whether the entity is a covered person under 31 CFR 1010 and whether a written AML program with a designated officer is required.

    Pull a sample of customer files opened during the period and verify CIP documentation, beneficial-ownership certification (FinCEN CDD rule, 25%+ owners), OFAC screening evidence, and risk rating. Document any SAR filings reviewed.

    Confirm I-9s on file for all current employees, EEO-1 filed for employers with 100+ employees, and the OSHA 300 log posted Feb 1 through Apr 30 for prior-year recordable injuries. State-specific items (CA pay-data, NY HERO Act) layer on.

Information Technology and Security

    Walk the GITC domains — logical access (joiner/mover/leaver, MFA, privileged-access review), change management (ticketed approval, segregation of dev and prod), and IT operations (job scheduling, backup monitoring) — for systems supporting the financial close.

    Paid tax preparers must maintain a Written Information Security Plan per IRS Pub 4557 and the FTC Safeguards Rule. Verify the plan was reviewed within the last 12 months and that the named security coordinator and incident-response contacts are current.

    Inspect the most recent restore test for the GL and document repository. A backup that has never been restored is not a backup. Confirm RTO/RPO targets in the BCP align with what the test actually achieved.

    Pull current SOC 2 Type II reports for outsourced GL, payroll (Gusto, ADP, Paychex), and document storage (SmartVault, ShareFile) providers. Review the complementary user-entity controls and confirm they are implemented internally.

Ethics and Corporate Governance

    Pull the HR attestation report and confirm 100% completion for partners, officers, and finance staff. Missing attestations from accounting personnel are a material disclosure point in the management letter.

    For attest-engagement firms, every disclosed relationship must be tested against AICPA independence rules before the engagement opens. Cross-reference disclosures to the related-party-vendor list in the GL.

    Read minutes for the period to identify subsequent events, dividend declarations, debt covenants amended, and any management or auditor changes. Extract action items still open and trace to resolution.

Findings and Sign-Off

    Aggregate every observation from the prior sections into a single register with severity, owner, target remediation date, and status. The register feeds the audit committee report and the management representation letter.

    Engagement partner reviews the findings register and signs off on disposition. A 'Pass with findings' result requires a written remediation plan with named owners; 'Fail' triggers a re-audit scope before issuance.
