Quarterly Internal Control Review Checklist

Pull the working trial balance for the quarter and tie each balance to the GL detail. Investigate any account whose ending balance does not roll forward from prior quarter plus current activity. The controller owns this tie-out before any review work begins.

Run a P&L and balance sheet variance report at the GL-account level. Document explanations for any line moving more than 10% or $25K versus prior quarter. Common gotchas: misposted reclasses sitting in suspense and accruals that didn't reverse.

Classify each finding using the SAS 115 / AS 2201 framework: control deficiency, significant deficiency, or material weakness. The classification drives reporting obligations to the audit committee and external auditors.

Pull a risk-based sample of manual JEs — typically all entries above the materiality threshold plus a random selection from below. Trace each to supporting workpaper and verify the memo explains the business reason, not just the accounting mechanics.

Same-user prep-and-post is the most common SOD failure in QBO and Sage Intacct. Pull the user audit log and flag any JE where preparer = approver. SMBs sometimes argue staffing constraints; the compensating control is partner review of all entries above a threshold.

Run the audit log filtered for posting date earlier than entry date, and for entries posted Saturday or Sunday. These patterns are classic Benford-style red flags for management override and warrant a written explanation per entry.

Confirm each rec is signed by a preparer and a reviewer who is not the preparer. Age the unreconciled items list — anything over 30 days needs a written disposition. Stale outstanding checks beyond state escheatment thresholds need to be reported as unclaimed property.

Pull the bank wire log for the quarter. Match each wire above the policy threshold (commonly $10K or $25K) to a documented second approval in the bank portal. Wire fraud via business email compromise typically slips through where dual approval is policy on paper but not enforced in the bank's online tool.

Sample the daily positive-pay upload and tie issued check numbers, payees, and amounts to the AP check register. Investigate any positive-pay exception that was approved without an exception memo.

Aging total should reconcile to the GL receivables balance to the dollar. Differences typically come from journal entries posted directly to the AR control account, which bypass the sub-ledger and break the tie-out.

Sample new customer accounts opened in the quarter. Verify each has a documented credit application, a credit-bureau pull (D&B or Experian Business), and approval from someone above the salesperson's level. Sales reps approving their own customer credit is a frequent SOD finding.

Pull every write-off above $1,000 for the quarter. Each should have a CFO-level approval memo documenting collection efforts and the reason for write-off. Lapping schemes typically hide in unauthorized write-off entries — pay attention to round-dollar amounts and repeat customers.

Pull a risk-based sample from Bill.com or the AP module. Each sampled invoice needs a matching PO and a receiving document or service-acceptance record. Bill.com auto-approve rules are the common source of broken matches — review the rule list as part of the sample.

Pull the vendor-master change log for the quarter. Bank-account changes are the highest-risk modifications — every one should have an out-of-band callback to the vendor and a second-person approval. This is the primary control against vendor-impersonation fraud.

Compare the perpetual-system extended value to the count-sheet results by location. Variances above the policy threshold need a documented research and a posted adjustment with management approval. Repeat shrinkage at the same SKU or location is the operational signal worth tracking.

Confirm every ABC-class A item was cycle counted at least once in the quarter. Review variance trends — a steady direction of error suggests a systemic issue (incorrect BOM, unit-of-measure mismatch) rather than counting noise.

Tie beginning balance + additions − disposals − depreciation to ending balance, by asset class. Confirm the depreciation expense ties to the GL. Sage Fixed Assets and NetSuite FAM ties usually break around mid-quarter disposals that weren't recorded in both systems.

For each sampled addition, verify the capitalization policy threshold was applied correctly and the approval level matches the authority matrix. Common error: items below the cap threshold capitalized to defer expense, which understates current-period expense.

Pull POs at and above each authority tier ($25K, $100K, $500K — per your policy). Confirm the actual approver in the system matches the role required at that tier. Splitting POs to evade the next tier is a recurring finding worth a separate same-vendor rollup test.

Cross-reference the HR termination list with active users in the GL system, payroll system, banking portals, and Bill.com. Any termed employee with active access is a SOX-relevant finding. SLA for deprovisioning should be same-day for finance-system access.

Verify MFA is enforced — not just enabled — on the GL, banking, payroll, and AP systems. Pull the user list and confirm no exceptions. Password policy should match the IT GC policy (length, rotation, history). SMS-only MFA should be flagged as a finding given SIM-swap risk.

Confirm IT performed a documented restore — not just a successful backup job — within the quarter. Attach the restore-test memo with the date, source backup, and verified data integrity check. An untested backup is not a backup for SOC 1 / SOC 2 purposes.

Log the failure with IT, document compensating controls, and set a deadline for a successful retest before the next quarter-close. Add to the deficiency tracker for audit-committee reporting.

Roll every finding from the quarter into a single memo organized by severity. Each item gets an owner, a target remediation date, and a current status (Open / In progress / Closed). The tracker carries forward into the next quarter's review.