Quarterly Internal Control Review Checklist

Financial Reporting Controls

    Pull the working trial balance for the quarter and tie each balance to the GL detail. Investigate any account whose ending balance does not roll forward from prior quarter plus current activity. The controller owns this tie-out before any review work begins.

    Run a P&L and balance sheet variance report at the GL-account level. Document explanations for any line moving more than 10% or $25K versus prior quarter. Common gotchas: misposted reclasses sitting in suspense and accruals that didn't reverse.

    Classify each finding using the deficiency framework in AU-C 265 (formerly SAS 115) or, for PCAOB-audited issuers, AS 2201: control deficiency, significant deficiency, or material weakness. The classification drives reporting obligations to the audit committee and external auditors.

    Material weaknesses must be communicated in writing to the audit committee and to the external auditor before the next 10-Q or annual report. Draft the communication memo with root cause, scope, and remediation owner.

Accounting Records and Journal Entries

    Pull a risk-based sample of manual JEs — typically all entries above the materiality threshold plus a random selection from below. Trace each to supporting workpaper and verify the memo explains the business reason, not just the accounting mechanics.

    Same-user prep-and-post is the most common SOD failure in QBO and Sage Intacct. Pull the user audit log and flag any JE where preparer = approver. SMBs sometimes argue staffing constraints; the compensating control is partner review of all entries above a threshold.

    Run the audit log filtered for entries whose transaction date is earlier than the date the entry was created (backdating), and for entries created on a Saturday or Sunday. Both are classic management-override red flags and warrant a written explanation per entry. These are timing tests, not a Benford digit-frequency analysis; run that separately if the entry population is large enough. Allow for the normal close pattern, where an entry dated the last day of the period is keyed a few days later, by testing against a stated tolerance rather than flagging every one-day lag.
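    The three audit-log tests above (preparer = approver, backdated transaction date, weekend creation) as one script, added here as an example and not code from the original checklist, QBO or Intacct. It assumes the audit log has been exported to CSV with the column names shown; those names, the three-day backdating tolerance and the sample rows are all assumptions.

```python
"""Journal-entry audit-log tests: preparer = approver, backdating, weekend creation.

Added example for this checklist, not code from the original page, QBO or Intacct.
Assumes the audit log has been exported to CSV with the columns below; the column
names are an assumption, map your export's headers onto them first.
"""
import csv
import io
from datetime import datetime

# Constructed sample export (not real data). "txn_date" is the accounting date
# the entry carries; "created" is when the user actually saved it.
SAMPLE_LOG = """je_id,preparer,approver,txn_date,created,amount,memo
JE-1001,jsmith,mchen,2024-04-02,2024-04-03T10:12:00,4200.00,April rent accrual
JE-1002,jsmith,jsmith,2024-04-05,2024-04-05T16:40:00,61000.00,Reclass deferred revenue
JE-1003,rpatel,mchen,2024-03-28,2024-04-09T09:05:00,15500.00,Q1 bonus accrual true-up
JE-1004,rpatel,mchen,2024-04-13,2024-04-13T22:17:00,9800.00,Fix inventory variance
JE-1005,mchen,jsmith,2024-04-15,2024-04-15T11:00:00,300.00,Bank fee
"""


def load_log(text):
    """Parse the CSV export into dicts with real date/datetime/float fields."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["txn_date"] = datetime.fromisoformat(r["txn_date"]).date()
        r["created"] = datetime.fromisoformat(r["created"])
        r["amount"] = float(r["amount"])
    return rows


def flag_entries(rows, backdate_tolerance_days=3):
    """Return {je_id: [reasons]} for entries that need a written explanation.

    backdate_tolerance_days lets the normal close pattern through (an entry dated
    the last day of the period and keyed a couple of days later); the value is a
    policy assumption, not a standard.
    """
    findings = {}
    for r in rows:
        reasons = []
        if r["preparer"] == r["approver"]:
            reasons.append("preparer = approver (SOD failure)")
        lag = (r["created"].date() - r["txn_date"]).days
        if lag > backdate_tolerance_days:
            reasons.append(f"transaction date {lag} days before creation (backdated)")
        if r["created"].weekday() >= 5:  # Monday=0 ... Saturday=5, Sunday=6
            reasons.append(f"created on a {r['created'].strftime('%A')}")
        if reasons:
            findings[r["je_id"]] = reasons
    return findings


def sample_findings():
    """Run the tests over the constructed sample; used by the usage block below."""
    return flag_entries(load_log(SAMPLE_LOG))


if __name__ == "__main__":
    for je_id, reasons in sample_findings().items():
        print(je_id, "->", "; ".join(reasons))
```

    On the sample, JE-1002 trips the SOD test, JE-1003 is dated twelve days before it was keyed, and JE-1004 was created on a Saturday; JE-1001's one-day lag is within tolerance and is not reported. Each flagged id maps to the list of reasons, so one entry can carry more than one exception.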

    Verify the closed quarter is locked with a closing password in QBO, or that the period status is Closed in Intacct/NetSuite. Confirm only the controller and CFO hold the unlock credential. Re-opens after lock should require a documented exception.

Cash and Bank Controls

    Confirm each bank reconciliation is signed by a preparer and a reviewer who is not the preparer. Age the unreconciled-items list; anything over 30 days needs a written disposition. Stale outstanding checks beyond state escheatment thresholds need to be reported as unclaimed property.

    Pull the bank wire log for the quarter. Match each wire above the policy threshold (commonly $10K or $25K) to a documented second approval in the bank portal. Wire fraud via business email compromise typically slips through where dual approval is policy on paper but not enforced in the bank's online tool.

    Sample the daily positive-pay upload and tie issued check numbers, payees, and amounts to the AP check register. Investigate any positive-pay exception that was approved without an exception memo.

    Request the current signature card from each bank and tie it to the board-authorized signatory list. Terminated employees still listed is a high-frequency finding. Attach the bank-issued roster as the working paper.

Accounts Receivable Controls

    Aging total should reconcile to the GL receivables balance to the dollar. Differences typically come from journal entries posted directly to the AR control account, which bypass the sub-ledger and break the tie-out.

    Sample new customer accounts opened in the quarter. Verify each has a documented credit application, a credit-bureau pull (D&B or Experian Business), and approval from someone above the salesperson's level. Sales reps approving their own customer credit is a frequent SOD finding.

    Pull every write-off above $1,000 for the quarter. Each should have a CFO-level approval memo documenting collection efforts and the reason for write-off. Lapping schemes typically hide in unauthorized write-off entries — pay attention to round-dollar amounts and repeat customers.

    If a write-off lacks the required approval or support: document the customer, amount, who approved it, and what control failed. Reverse the write-off if recovery is plausible, and add the finding to the deficiency tracker. Recurring patterns escalate to forensic review.

Accounts Payable Controls

    Pull a risk-based sample from Bill.com or the AP module. Each sampled invoice needs a matching PO and a receiving document or service-acceptance record. Bill.com auto-approve rules are the common source of broken matches — review the rule list as part of the sample.

    Pull the vendor-master change log for the quarter. Bank-account changes are the highest-risk modifications — every one should have an out-of-band callback to the vendor and a second-person approval. The callback must go to a phone number already on file from before the change request, never to a number supplied with the request itself, since the request is exactly what an impersonator controls. This is the primary control against vendor-impersonation fraud.

    Run the duplicate-payment report by vendor / amount / invoice number. Investigate any pair where the same invoice number was paid twice, or the same dollar amount hit the same vendor in a short window. Recover overpayments before the quarter closes.
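    The duplicate-payment report as a script, added here as an example and not code from the original checklist, Bill.com or any AP module. It assumes the quarter's payment register is exported to CSV with the column names shown; the names, the 14-day window and the sample rows are assumptions. Invoice numbers are normalized before comparison so that "INV-2231" and "inv 2231" match, and a recurring monthly charge 30 days apart stays out of the short-window test.

```python
"""Duplicate-payment tests over an AP payment register.

Added example for this checklist, not code from the page, Bill.com or any AP
module. Assumes the quarter's payment register is exported to CSV with the
columns below (column names are an assumption). Two tests: the same normalized
invoice number paid twice to one vendor, and the same amount paid to one vendor
within a short window under different invoice numbers.
"""
import csv
import io
import re
from collections import defaultdict
from datetime import date
from decimal import Decimal
from itertools import combinations

# Constructed sample register (not real data).
SAMPLE_REGISTER = """payment_id,vendor_id,vendor_name,invoice_no,amount,paid_on
P-1,V100,Acme Supply,INV-2231,1250.00,2024-04-03
P-2,V100,Acme Supply,inv 2231,1250.00,2024-04-18
P-3,V200,Metro Freight,77812,4400.00,2024-04-05
P-4,V200,Metro Freight,77813,4400.00,2024-04-08
P-5,V300,Cloud Hosting Co,APR-2024,980.00,2024-04-01
P-6,V300,Cloud Hosting Co,MAY-2024,980.00,2024-05-01
"""


def normalize_invoice(invoice_no):
    """Collapse case, spaces and punctuation so 'INV-2231' and 'inv 2231' match."""
    return re.sub(r"[^0-9a-z]", "", invoice_no.lower())


def load_register(text):
    """Parse the CSV export; amounts as Decimal so cents compare exactly."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["amount"] = Decimal(r["amount"])
        r["paid_on"] = date.fromisoformat(r["paid_on"])
    return rows


def duplicate_invoice_numbers(rows):
    """Payment ids grouped by (vendor, normalized invoice) where more than one was paid."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["vendor_id"], normalize_invoice(r["invoice_no"]))].append(r["payment_id"])
    return [ids for ids in groups.values() if len(ids) > 1]


def same_amount_short_window(rows, window_days=14):
    """Pairs of payments to one vendor for the same amount within window_days.

    Pairs already caught by the invoice-number test are excluded so each finding
    is reported once. The window is a policy assumption; a recurring monthly
    charge (30 days apart) should not trip it at the default.
    """
    by_vendor = defaultdict(list)
    for r in rows:
        by_vendor[r["vendor_id"]].append(r)
    hits = []
    for vendor_rows in by_vendor.values():
        vendor_rows.sort(key=lambda r: r["paid_on"])
        for a, b in combinations(vendor_rows, 2):
            same_invoice = normalize_invoice(a["invoice_no"]) == normalize_invoice(b["invoice_no"])
            if (a["amount"] == b["amount"]
                    and (b["paid_on"] - a["paid_on"]).days <= window_days
                    and not same_invoice):
                hits.append((a["payment_id"], b["payment_id"]))
    return hits


if __name__ == "__main__":
    rows = load_register(SAMPLE_REGISTER)
    print("same invoice paid twice:", duplicate_invoice_numbers(rows))
    print("same amount, short window:", same_amount_short_window(rows))
```

    On the sample, P-1 and P-2 are the same invoice paid twice, and P-3 and P-4 are the same amount to one vendor three days apart under consecutive invoice numbers (a split or re-keyed invoice worth a call to the vendor). Widening the window to 45 days pulls in the P-5/P-6 monthly hosting charge, which is why the window should be set deliberately and documented with the test.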

Inventory Controls

    Compare the perpetual-system extended value to the count-sheet results by location. Variances above the policy threshold need a documented research and a posted adjustment with management approval. Repeat shrinkage at the same SKU or location is the operational signal worth tracking.

    Confirm every ABC-class A item was cycle counted at least once in the quarter. Review variance trends — a steady direction of error suggests a systemic issue (incorrect BOM, unit-of-measure mismatch) rather than counting noise.

    Re-run the reserve calculation using the documented aging-tier policy. Confirm management has not made unsupported overrides for individual SKUs. Underreserved obsolete inventory is one of the most common SMB audit adjustments.

Fixed Asset Controls

    Tie beginning balance + additions − disposals − depreciation to ending balance, by asset class. Confirm the depreciation expense ties to the GL. Sage Fixed Assets and NetSuite FAM ties usually break around mid-quarter disposals that weren't recorded in both systems.

    For each sampled addition, verify the capitalization policy threshold was applied correctly and the approval level matches the authority matrix. Common error: items below the cap threshold capitalized to defer expense, which understates current-period expense.

    Walk to the sampled assets and confirm the asset tag, serial number, and location match the FA register. Ghost assets — items on the register that no longer exist — accumulate when disposals aren't reported by operations.

Purchasing Controls

    Pull POs at and above each authority tier ($25K, $100K, $500K — per your policy). Confirm the actual approver in the system matches the role required at that tier. Splitting POs to evade the next tier is a recurring finding worth a separate same-vendor rollup test.
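    The tier-approval check and the same-vendor rollup test as a script, added here as an example and not code from the original checklist or any ERP. It assumes a CSV export of the quarter's POs with the column names shown and a tier-to-role mapping in TIERS; the column names, the role names, the 30-day rollup window and the sample rows are all assumptions to be replaced from your own authority matrix.

```python
"""PO authority-tier and split-PO rollup tests.

Added example for this checklist, not code from the page or any ERP. Assumes a
CSV export of the quarter's POs with the columns below and the tier-to-role
mapping in TIERS; the column names, the roles and the window are assumptions,
set them from your own authority matrix.
"""
import csv
import io
from collections import defaultdict
from datetime import date
from decimal import Decimal

ROLE_RANK = {"buyer": 0, "manager": 1, "director": 2, "cfo": 3}
# Lower bound of each tier -> minimum role that may approve. Below the first
# tier a buyer may approve (assumption).
TIERS = [
    (Decimal("25000"), "manager"),
    (Decimal("100000"), "director"),
    (Decimal("500000"), "cfo"),
]

# Constructed sample export (not real data). The three V10 POs sit just under
# the $25K tier and were raised within a week of each other.
SAMPLE_POS = """po_id,vendor_id,amount,approver_role,created
PO-501,V10,24500.00,buyer,2024-04-02
PO-502,V10,24000.00,buyer,2024-04-04
PO-503,V10,23800.00,buyer,2024-04-05
PO-504,V20,150000.00,manager,2024-04-10
PO-505,V30,90000.00,director,2024-04-11
PO-506,V10,12000.00,buyer,2024-05-20
"""


def required_role(amount):
    """Minimum approver role for an amount under TIERS."""
    role = "buyer"
    for floor, tier_role in TIERS:
        if amount >= floor:
            role = tier_role
    return role


def load_pos(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["amount"] = Decimal(r["amount"])
        r["created"] = date.fromisoformat(r["created"])
    return rows


def under_approved(pos):
    """POs whose recorded approver ranks below the role the tier requires."""
    return [p["po_id"] for p in pos
            if ROLE_RANK[p["approver_role"]] < ROLE_RANK[required_role(p["amount"])]]


def split_po_clusters(pos, window_days=30):
    """Same-vendor rollup: flag a run of POs whose total crosses a tier that no
    single PO in the run reached. Returns (vendor, po_ids, total, role_required)."""
    by_vendor = defaultdict(list)
    for p in pos:
        by_vendor[p["vendor_id"]].append(p)
    flagged = []
    for vendor, vpos in by_vendor.items():
        vpos.sort(key=lambda p: p["created"])
        for i, first in enumerate(vpos):
            cluster = [p for p in vpos[i:]
                       if (p["created"] - first["created"]).days <= window_days]
            if len(cluster) < 2:
                continue
            total = sum(p["amount"] for p in cluster)
            highest_single = max(ROLE_RANK[required_role(p["amount"])] for p in cluster)
            if ROLE_RANK[required_role(total)] > highest_single:
                flagged.append((vendor, [p["po_id"] for p in cluster], total, required_role(total)))
                break  # report the earliest cluster per vendor once, not every sub-run
    return flagged


if __name__ == "__main__":
    pos = load_pos(SAMPLE_POS)
    print("under-approved:", under_approved(pos))
    for vendor, ids, total, role in split_po_clusters(pos):
        print(f"possible split at {vendor}: {ids} total {total}, needs {role}")
```

    On the sample, PO-504 was approved by a manager when $150K requires a director, and the three V10 POs total $72,300 inside one week, which would have needed manager approval had it been raised as one PO. PO-506 to the same vendor falls outside the 30-day window and is not pulled into the cluster; whether that is right depends on how the policy defines a "single procurement", so document the window alongside the test.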

    Sample new vendors added in the quarter. Each needs a W-9 on file, a TIN match result, and an out-of-band bank verification. Vendors flagged as 1099-eligible without a valid W-9 will become a January-31 filing problem.

IT General Controls

    Cross-reference the HR termination list with active users in the GL system, payroll system, banking portals, and Bill.com. Any termed employee with active access is a SOX-relevant finding. SLA for deprovisioning should be same-day for finance-system access.

    Verify MFA is enforced — not just enabled — on the GL, banking, payroll, and AP systems. Enforced means the tenant or policy setting blocks sign-in without a second factor; an "MFA available" toggle with per-user exceptions is not enforcement. Pull the user list and confirm no exceptions. Password policy should match the IT GC policy (length, rotation, history); note that NIST SP 800-63B recommends against mandatory periodic rotation unless compromise is suspected, so test against what the written policy says and raise the policy itself if it is out of date. SMS-only MFA should be flagged as a finding given SIM-swap risk.
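    The termination cross-reference and the per-user MFA check above as one access-review script, added here as an example and not code from the original checklist or any of the systems it names. It assumes the HR termination list and each system's user export have been pulled into CSV with the column names shown; the names, the mfa_method values, the review date and the sample rows are assumptions.

```python
"""Quarterly access review: termed users still active, and MFA state per account.

Added example for this checklist, not code from the page or any of the systems
it names. Assumes an HR termination list and a per-system user export pulled
into CSV with the columns below (column names and the mfa_method values are
assumptions; map your exports onto them).
"""
import csv
import io
from datetime import date

REVIEW_DATE = date(2024, 4, 30)  # quarter-end review date (assumption)
# Per-user methods that count as enforced MFA. "sms" and "none" are findings:
# SMS for SIM-swap exposure, none because the tenant toggle clearly had an exception.
STRONG_MFA = {"totp", "hardware_key", "push"}

# Constructed sample data (not real).
HR_TERMS = """employee_id,email,term_date
E-101,alice@example.com,2024-04-10
E-102,bob@example.com,2024-03-02
"""

USER_EXPORTS = """system,email,status,mfa_method
GL,alice@example.com,active,totp
GL,carol@example.com,active,totp
payroll,alice@example.com,disabled,totp
bank_portal,bob@example.com,active,sms
bank_portal,carol@example.com,active,hardware_key
AP,dave@example.com,active,none
AP,carol@example.com,active,sms
"""


def read_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def orphaned_access(terms, users, review_date=REVIEW_DATE):
    """Termed employees still active in any finance system, with days past termination.

    Same-day deprovisioning is the SLA, so any positive day count is a finding.
    """
    term_dates = {t["email"].lower(): date.fromisoformat(t["term_date"]) for t in terms}
    findings = []
    for u in users:
        email = u["email"].lower()
        if u["status"] == "active" and email in term_dates:
            findings.append((u["system"], email, (review_date - term_dates[email]).days))
    return findings


def weak_mfa(users):
    """Active accounts whose MFA is missing or SMS-only."""
    return [(u["system"], u["email"].lower()) for u in users
            if u["status"] == "active" and u["mfa_method"] not in STRONG_MFA]


if __name__ == "__main__":
    terms, users = read_csv(HR_TERMS), read_csv(USER_EXPORTS)
    for system, email, days in orphaned_access(terms, users):
        print(f"{system}: {email} still active {days} days after termination")
    for system, email in weak_mfa(users):
        print(f"{system}: {email} has no strong MFA")
```

    On the sample, alice is still active in the GL 20 days after termination (payroll did disable her, which is the usual half-done offboarding) and bob is still active in the bank portal 59 days out with SMS as his only factor. The MFA test reports every active account below the strong-MFA bar, termed or not, so bob shows up in both lists and the two findings are tracked separately.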

    Confirm IT performed a documented restore — not just a successful backup job — within the quarter. Attach the restore-test memo with the date, source backup, and verified data integrity check. An untested backup is not a backup for SOC 1 / SOC 2 purposes.

    If the restore test failed or was not performed: log the failure with IT, document compensating controls, and set a deadline for a successful retest before the next quarter-close. Add to the deficiency tracker for audit-committee reporting.

    Pull all production changes to financial systems. Every change needs a ticket, an approver distinct from the implementer, and a successful UAT sign-off. Emergency changes need post-implementation review documented within the SLA.

Review and Sign-Off

    Roll every finding from the quarter into a single memo organized by severity. Each item gets an owner, a target remediation date, and a current status (Open / In progress / Closed). The tracker carries forward into the next quarter's review.

    Walk the CFO through the findings memo, the deficiency classification, and the remediation tracker. Capture the disposition, reviewer notes, and a digital signature. The signed memo becomes the working paper for the external auditor's controls testing.
