Compliance Audit Checklist

Pull the WTB at period end and reconcile it to the GL by account, including consolidated entities and intercompany eliminations. Attach the tie-out workpaper and flag any account where the WTB-to-GL variance exceeds performance materiality.

Confirm revenue recognition under ASC 606, lease treatment under ASC 842, and credit-loss methodology under ASC 326. For IFRS reporters, confirm IFRS 15 / 16 / 9 equivalents. Note any departures and the management rationale.

Review the filing calendar for the period: 10-K, 10-Q, state annual reports, lender covenant certificates, and any industry-specific reports (e.g., FOCUS for broker-dealers, NAIC for insurers). Confirm each was filed on or before the statutory deadline.

Sit with the control owner for each key control identified in the risk-control matrix — order-to-cash, procure-to-pay, payroll, period-end close, treasury. Document the actual operation versus the documented procedure; flag any drift.

Verify that no single user can initiate, approve, and post a disbursement. Pull the user-role report from the GL and AP automation tool (Bill.com, Ramp, NetSuite) and trace conflicting permissions. Wire-initiation and bank-rec roles are the most common SoD failures.

Pull a stratified sample of manual JEs over the period (high-dollar, period-end, top-side, and round-dollar). Trace each to a memo, supporting workpaper, and approver who is not the preparer.

Classify each deficiency identified during walkthroughs and testing using the AS 2201 / AU-C 265 framework: control deficiency, significant deficiency, or material weakness. Likelihood × magnitude drives the rating.

Tie taxable income on the 1120, 1120-S, or 1065 to the book-to-tax workpaper. Recompute Schedule M-1 / M-3 reconciling items, basis schedules for S-corp shareholders or partners, and apportionment factors for multi-state filers.

Confirm the federal deposit schedule (monthly vs. semiweekly) per the lookback-period rule and trace each deposit to the EFTPS confirmation. Late-deposit penalties stack at 2% (1-5 days), 5% (6-15 days), and 10% (16+ days) — every day matters.

Confirm the entity's industry-specific licenses are current — state CPA firm registration, FINRA / SEC for broker-dealers, NMLS for mortgage entities, state insurance department for producers. Lapses commonly happen during entity restructures.

BSA/AML obligations apply to financial institutions, money service businesses, and certain dealers. Confirm whether the entity is a covered person under 31 CFR 1010 and whether a written AML program with a designated officer is required.

Pull a sample of customer files opened during the period and verify CIP documentation, beneficial-ownership certification (FinCEN CDD rule, 25%+ owners), OFAC screening evidence, and risk rating. Document any SAR filings reviewed.

Walk the GITC domains — logical access (joiner/mover/leaver, MFA, privileged-access review), change management (ticketed approval, segregation of dev and prod), and IT operations (job scheduling, backup monitoring) — for systems supporting the financial close.

Paid tax preparers must maintain a Written Information Security Plan per IRS Pub 4557 and the FTC Safeguards Rule. Verify the plan was reviewed within the last 12 months and that the named security coordinator and incident-response contacts are current.

Inspect the most recent restore test for the GL and document repository. A backup that has never been restored is not a backup. Confirm RTO/RPO targets in the BCP align with what the test actually achieved.

Pull the HR attestation report and confirm 100% completion for partners, officers, and finance staff. Missing attestations from accounting personnel are a material disclosure point in the management letter.

For attest-engagement firms, every disclosed relationship must be tested against AICPA independence rules before the engagement opens. Cross-reference disclosures to the related-party-vendor list in the GL.

Aggregate every observation from the prior sections into a single register with severity, owner, target remediation date, and status. The register feeds the audit committee report and the management representation letter.