Financial Risk Assessment Checklist
Engagement Setup and PBC
Pull the signed engagement letter and confirm the risk-assessment scope, deliverables, and out-of-scope items. Watch for scope creep — a financial risk assessment is not an audit under SSARS or AICPA attest standards, and any assurance language in the letter must be removed before fieldwork starts.
Send the PBC (provided-by-client) request list via Suralink, TaxDome, or SmartVault. Standard items: three years of financial statements, current-year trial balance, A/R and A/P agings, debt schedules, insurance schedule, top-customer revenue concentration, current org chart. Track receipt weekly so fieldwork doesn't extend on missing items.
Document overall materiality (typically 5% of pre-tax income or 0.5-1% of revenue, whichever is lower) and performance materiality at 50-75% of overall. Memo the rationale in the workpaper — partners will reference it during findings review.
Financial Statement Risk Review
Read the auditor's opinion, footnotes, and management letter for each year. Flag going-concern qualifications, restatements, and any change in accounting framework (cash-to-accrual, GAAP-to-IFRS).
Compute current ratio, quick ratio, debt-to-equity, interest coverage, DSO, DPO, and gross-margin trend over three years. Variance > 10% YoY without a documented driver becomes a flagged item in the findings memo.
Pull revenue by top-10 customers and spend by top-10 vendors. Any customer > 10% of revenue or vendor > 20% of spend is a concentration risk for the findings memo. Note SOC 1/SOC 2 dependency on critical service providers (payroll, hosting, payment processing).
Internal Controls Review
Ask the controller for the policy document, the date of last board review, and the named risk owner. A policy > 24 months without review counts as missing for the findings memo.
Walk the cash disbursement, payroll, and journal-entry approval flows. Document who initiates, approves, and reconciles. Common weakness in SMBs: the controller both posts and approves AJEs, with no second-set-of-eyes review.
Pull the prior-year management letter and confirm each finding has been remediated. Repeat findings (same item flagged two years in a row) escalate from significant deficiency to material weakness under AS 2201.
Provide a one-page outline the client can adopt: scope, named risk owner, escalation thresholds, board-review cadence. Reference COSO ERM framework as the basis.
Credit and Receivables Risk
Export the aging from QBO, Xero, or NetSuite as of the assessment date. Tie the aging total to the GL receivables balance — variance indicates unposted invoices, misapplied payments, or a reporting-period mismatch.
Use D&B, Experian Business, or Creditsafe. Compare the credit limit on file to the highest open-AR balance for each customer in the past 12 months. A customer carrying balances > their limit without partner approval is a flagged item.
Compare standard terms (Net 30, Net 60) against industry DSO benchmarks. If the client's DSO trends 20+ days above benchmark, recommend tightening terms, early-pay discounts, or factoring.
Liquidity and Market Risk
List foreign-currency revenue and payables. Note natural hedges (matched FX inflows and outflows) vs. unhedged net exposure. For unhedged exposure > 5% of revenue, recommend a forward-contract or option program with the client's bank.
Pull the rolling 13-week forecast from Float, Dryrun, or the client's spreadsheet. Run two stress scenarios: top-customer 60-day payment delay, and 20% revenue decline. Minimum cash dipping below the line-of-credit covenant trigger goes in the findings memo.
Confirm the investment policy statement (IPS) is on file and the current portfolio matches it. SMB clients commonly drift into single-bank concentration above FDIC limits — note any cash position > $250K at one institution as a finding.
Operational Risk Review
Identify processes where one person holds exclusive system access or institutional knowledge — payroll administrator, sole bank-signer, the only person who knows the QBO admin password. These are the highest-likelihood operational risks in SMBs.
Confirm RTO and RPO targets are documented and the last tabletop exercise occurred within the last 12 months. A plan that has never been tested is a finding regardless of how well-written it is.
Confirm a Written Information Security Plan exists per IRS Pub 4557 (if the client is a paid preparer) or per the FTC Safeguards Rule. Check MFA on banking, accounting, and payroll systems; verify encrypted backups; review the incident-response process.
Compliance and Legal Risk
Confirm 941, 940, state withholding, and sales-tax filings are current. Pull the IRS account transcript if there is any uncertainty. For multi-state clients, run a 50-state revenue summary against post-Wayfair economic-nexus thresholds ($100K or 200 transactions, varies by state).
Pull the top-five customer and vendor contracts. Flag uncapped indemnification, mutual-vs-one-way clauses, and limitation-of-liability ceilings below the contract value. Tie any flagged items to the insurance coverage review.
Request the legal letter (attorney representation letter) covering pending and threatened litigation. Confirm contingent liabilities are accrued or disclosed per ASC 450 — probable + estimable goes on the balance sheet, reasonably possible goes in the footnotes.
Findings and Partner Sign-Off
Aggregate flagged items by severity: control deficiency, significant deficiency, or material weakness. Each finding includes condition, criteria, cause, effect, and recommendation. Attach supporting workpapers to the memo for the partner review.
Walk the CFO and audit-committee chair through each finding. Capture management responses inline — whether they accept the finding, mitigate, or accept the risk. The response language goes verbatim in the final report.
Engagement partner reviews the final report, signs in DocuSign or the practice-management portal, and the report is delivered through the client portal. Lock the engagement file in Caseware or ProSystem fx Engagement after delivery.
For material weaknesses, schedule a 90-day remediation check-in and issue a change order extending the engagement scope. Track each finding to closure in Karbon or Canopy with a named owner and target date.
