Financial Risk Assessment Checklist

Pull the signed engagement letter and confirm the risk-assessment scope, deliverables, and out-of-scope items. Watch for scope creep — a financial risk assessment is not an audit under SSARS or AICPA attest standards, and any assurance language in the letter must be removed before fieldwork starts.

Send via Suralink, TaxDome, or SmartVault. Standard items: three years of financial statements, current-year trial balance, A/R and A/P agings, debt schedules, insurance schedule, top-customer revenue concentration, current org chart. Track receipt weekly so fieldwork doesn't extend on missing items.

Read the auditor's opinion, footnotes, and management letter for each year. Flag going-concern qualifications, restatements, and any change in accounting framework (cash-to-accrual, GAAP-to-IFRS).

Compute current ratio, quick ratio, debt-to-equity, interest coverage, DSO, DPO, and gross-margin trend over three years. Variance > 10% YoY without a documented driver becomes a flagged item in the findings memo.

Ask the controller for the policy document, the date of last board review, and the named risk owner. A policy > 24 months without review counts as missing for the findings memo.

Walk the cash disbursement, payroll, and journal-entry approval flows. Document who initiates, approves, and reconciles. Common weakness in SMBs: the controller both posts and approves AJEs, with no second-set-of-eyes review.

Pull the prior-year management letter and confirm each finding has been remediated. Repeat findings (same item flagged two years in a row) escalate from significant deficiency to material weakness under AS 2201.

Export the aging from QBO, Xero, or NetSuite as of the assessment date. Tie the aging total to the GL receivables balance — variance indicates unposted invoices, misapplied payments, or a reporting-period mismatch.

Use D&B, Experian Business, or Creditsafe. Compare the credit limit on file to the highest open-AR balance for each customer in the past 12 months. A customer carrying balances > their limit without partner approval is a flagged item.

List foreign-currency revenue and payables. Note natural hedges (matched FX inflows and outflows) vs. unhedged net exposure. For unhedged exposure > 5% of revenue, recommend a forward-contract or option program with the client's bank.

Pull the rolling 13-week forecast from Float, Dryrun, or the client's spreadsheet. Run two stress scenarios: top-customer 60-day payment delay, and 20% revenue decline. Minimum cash dipping below the line-of-credit covenant trigger goes in the findings memo.

Identify processes where one person holds exclusive system access or institutional knowledge — payroll administrator, sole bank-signer, the only person who knows the QBO admin password. These are the highest-likelihood operational risks in SMBs.

Confirm RTO and RPO targets are documented and the last tabletop exercise occurred within the last 12 months. A plan that has never been tested is a finding regardless of how well-written it is.

Confirm 941, 940, state withholding, and sales-tax filings are current. Pull the IRS account transcript if any uncertainty. For multi-state clients, run a 50-state revenue summary against post-Wayfair economic-nexus thresholds ($100K or 200 transactions, varies by state).

Pull the top-five customer and vendor contracts. Flag uncapped indemnification, mutual-vs-one-way clauses, and limitation-of-liability ceilings below the contract value. Tie any flagged items to the insurance coverage review.

Aggregate flagged items by severity: control deficiency, significant deficiency, or material weakness. Each finding includes condition, criteria, cause, effect, and recommendation. Attach supporting workpapers to the memo for the partner review.

Walk the CFO and audit-committee chair through each finding. Capture management responses inline — whether they accept, mitigate, or accept-the-risk. The response language goes verbatim in the final report.

Engagement partner reviews the final report, signs in DocuSign or the practice-management portal, and the report is delivered through the client portal. Lock the engagement file in Caseware or ProSystem fx Engagement after delivery.