Internal Controls Review Checklist

Control Environment Assessment

    Pull the prior-period ELC matrix and confirm each control owner is still in role. Update for any reorganizations, new hires in finance leadership, or scope changes since the last review. The matrix should map each entity-level control to a COSO principle (1-17).

    Verify all employees have signed the current-year code of conduct attestation. New hires get it at onboarding; existing staff re-attest annually. Pull the HRIS report and reconcile against active headcount — exceptions go on the deficiency log.

    Confirm dollar thresholds for PO approval, journal entry posting, wire release, and contract signature match what is configured in the ERP and bank platforms. A common gotcha: the DOA was updated in the policy doc but never pushed to NetSuite or Bill.com workflow rules.

    Per IRS Pub 4557 and the FTC Safeguards Rule, the Written Information Security Plan must be reviewed annually. Confirm the latest tabletop exercise is documented, that the designated Qualified Individual is named, and that vendor risk assessments cover any subprocessors handling client SSNs.

Risk Assessment

    Refresh likelihood and impact ratings on each registered risk. Add new risks that emerged since last review — new product lines, new jurisdictions creating sales-tax nexus, new cloud vendors, M&A activity. Retire risks that are no longer applicable.

    Walk the fraud triangle (incentive, opportunity, rationalization) across each significant process. Specific scenarios to test: fictitious vendor schemes in AP, lapping in AR, ghost employees in payroll, unauthorized journal entries at period close. Document any red flags surfaced.

    For each significant account, document the risk of material misstatement against the relevant assertions — existence, completeness, accuracy, cutoff, valuation, rights and obligations. This becomes the basis for selecting which key controls get tested in the next phase.

    Capture system changes (ERP upgrades, new modules), personnel changes in key control roles, organizational changes, and regulatory changes. The external auditor will ask for this when planning their walkthroughs — having it ready avoids a fire drill in fieldwork.

Control Activities Testing

    Pull the user access report from Bill.com or the ERP. Confirm no single user can create a vendor, approve a bill, and release payment. Test a sample of 25 disbursements over $10K — for each, identify the three distinct user IDs in the trail.
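
    As an added illustration (not part of this checklist or any Bill.com/ERP export), the three-way segregation-of-duties test from this step written as a script over a constructed disbursement trail. The record fields, user IDs, amounts and the repeat-offender summary are assumptions chosen to show the check, not a real report layout.

```python
# Added example: segregation-of-duties test over a constructed disbursement
# audit trail. A payment over the $10K threshold is a finding when vendor
# creation, bill approval and payment release were not done by three
# distinct user IDs. Record layout and names are assumptions.
from collections import Counter
from dataclasses import dataclass

THRESHOLD = 10_000  # in-scope threshold from the checklist step


@dataclass(frozen=True)
class Disbursement:
    payment_id: str
    vendor_id: str
    amount: float
    created_by: str    # user who created the vendor record
    approved_by: str   # user who approved the bill
    released_by: str   # user who released the payment


# Constructed sample trail (not real data).
SAMPLE = [
    Disbursement("PAY-001", "V100", 25_000, "alice", "bob", "carol"),   # clean
    Disbursement("PAY-002", "V101", 12_500, "dave", "dave", "carol"),   # dave did 2 steps
    Disbursement("PAY-003", "V102", 9_800, "dave", "dave", "dave"),     # below threshold
    Disbursement("PAY-004", "V103", 40_000, "erin", "bob", "erin"),     # erin did 2 steps
    Disbursement("PAY-005", "V104", 15_000, "dave", "frank", "dave"),   # dave did 2 steps
]


def sod_violations(records):
    """Return [(payment_id, [offending users])] for in-scope payments
    where fewer than three distinct user IDs appear in the trail."""
    findings = []
    for r in records:
        if r.amount <= THRESHOLD:
            continue  # out of scope for this test
        steps = [r.created_by, r.approved_by, r.released_by]
        offenders = sorted({u for u in steps if steps.count(u) > 1})
        if offenders:
            findings.append((r.payment_id, offenders))
    return findings


def repeat_offenders(findings, min_count=2):
    """Users who recur across findings: a pattern, not a one-off exception."""
    counts = Counter(u for _, users in findings for u in users)
    return {u: n for u, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    hits = sod_violations(SAMPLE)
    for pid, users in hits:
        print(f"{pid}: SoD violation, user(s) {users} performed multiple steps")
    print("repeat offenders:", repeat_offenders(hits))
```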

    Sample three months of bank recs across the operating, payroll, and trust accounts. Confirm the preparer and reviewer are different, that recs are signed off within 10 business days of month-end, and that any reconciling items aged over 30 days have a documented disposition plan.

    Pull all manual JEs over the materiality threshold posted during the period. Confirm each has a supporting workpaper, a memo, and an electronic approval from a user above the preparer in the DOA. AJEs posted directly to retained earnings get extra scrutiny — those are a classic audit finding.

    Pull the exceptions report showing invoices paid without a matching PO and receiving document. Investigate the top 20 by dollar value. Persistent override patterns by a specific user or vendor are a control failure even if individual amounts are immaterial.

    Cover the four ITGC domains: access management (provisioning, deprovisioning, periodic recerts), change management (release approvals), computer operations (backups, batch monitoring), and data security (MFA, encryption at rest). Pull SOC 1 Type II reports for cloud-hosted financial systems.

Information and Communication

    Confirm monthly financial packages reach executives within the close-calendar SLA, that variance commentary is included, and that KPIs flow from the source system without manual override. Late or skipped packages indicate an information-flow weakness even if the underlying numbers are correct.

    Pull the period's hotline log from the third-party provider (EthicsPoint, NAVEX, etc.). Confirm each report has a triage decision, a documented investigator, and a closure memo. Zero reports across a multi-quarter span is itself a finding — the channel may not be visible to staff.

    Verify the audit committee chair has received any required AU-C 260 / SAS 114 communications from the external auditor — significant findings, uncorrected misstatements, disagreements with management. Cross-reference with the prior management letter to ensure prior-year comments were addressed.

Monitoring and Remediation

    Aggregate every exception surfaced during the testing phase into a single log: control reference, COSO principle, description, root cause, affected assertions, and recommended remediation. This log feeds both the severity classification and the remediation tracker.

    Apply the AU-C 265 / PCAOB AS 1305 framework: control deficiency, significant deficiency, or material weakness. Classification turns on both the likelihood of misstatement and the magnitude relative to materiality. Document the rationale — auditors will challenge any classification that downgrades a finding.

    Engage outside forensic counsel before pulling user activity logs or interviewing personnel. Preserve evidence per the firm's investigation protocol. Brief the audit committee chair within 48 hours regardless of dollar magnitude — fraud findings are a board-level matter.

    Material weaknesses must be disclosed to the external auditor in writing before fieldwork. For SEC issuers, this also drives an Item 9A disclosure and may require an 8-K under Item 4.02 if it indicates prior financials cannot be relied upon. Loop in disclosure counsel.

    For each deficiency, name an owner, a target completion date, and a validation step. Group remediations that share a root cause (e.g., access management gaps that all trace to the joiner-mover-leaver process). Track in the GRC platform or a controls-tracker spreadsheet reviewed monthly.

    Walk the committee through the deficiency log, severity classifications, remediation owners, and target dates. Tie back to the prior period's open items so the committee sees what's been closed since last review. Document the meeting in the audit committee minutes.

    The CFO and internal audit lead sign the conclusion memo. The conclusion drives any required SOX 302/404 management certifications and is filed in the controls evidence repository for the external auditor's reliance.