Internal Control Procedures Checklist

Risk Assessment

    Walk the controller through each significant account and disclosure on the trial balance — revenue, AR, inventory, fixed assets, accrued liabilities, equity. For each, document inherent risk (volume, complexity, judgment) and the assertions at risk: existence, completeness, valuation, cutoff, presentation. Update the prior-year register rather than starting blank.

    Apply a high / moderate / low risk-of-material-misstatement (ROMM) rating using performance materiality (typically 50-75% of overall materiality). Flag any account whose balance or activity exceeds performance materiality and involves judgment — revenue cutoff, allowance for doubtful accounts, inventory reserve, lease accounting under ASC 842.

    Hold the AU-C 240 / AS 2401 fraud brainstorming session with the controller, CFO, and internal audit. Cover the fraud triangle (incentive, opportunity, rationalization) and management override of controls. Document the specific schemes considered: revenue recognition cutoff, journal-entry override, fictitious vendors, payroll ghost employees.

    SEC issuers must comply with SOX 404(a) management assessment; accelerated filers add 404(b) auditor attestation. Private companies generally elect a COSO 2013 framework assessment for lender or PE reporting. Scope sets which sections below apply.

Control Environment

    Pull the HR roster of finance and accounting staff with GL or disbursement access. Verify each has a signed annual code-of-conduct and conflict-of-interest attestation on file. Missing attestations are the most common COSO Principle 1 deficiency.

    Pull minutes from the last four audit committee meetings. Confirm the committee reviewed the risk assessment, met with external auditors in executive session, and reviewed whistleblower hotline reports. Note any meetings missed or quorum failures.

    Map the four incompatible duties — authorization, custody, recordkeeping, reconciliation — across AP, AR, payroll, and journal entry. Single-person finance teams require compensating controls (CFO review, owner approval over a threshold). Flag any role that holds two of the four.
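The mapping described above can be checked mechanically once the role-to-duty assignments are written down. The script below is an added example, not part of the Manifestly checklist: the role names, duty assignments, and the compensating-control register are constructed sample data, and the output is the list of roles that hold two or more of the four incompatible duties, split into those with and without a documented compensating control.

```python
"""Segregation-of-duties check over a role-to-duty assignment.

Added example for the checklist item above, not part of the Manifestly template.
All role names, duties and compensating controls below are constructed.
"""
from itertools import combinations

INCOMPATIBLE_DUTIES = {"authorization", "custody", "recordkeeping", "reconciliation"}

# Constructed sample: which of the four duties each role holds, per cycle.
SAMPLE_ASSIGNMENTS = {
    "AP": {
        "ap_clerk": {"recordkeeping"},
        "controller": {"authorization", "reconciliation"},
        "treasurer": {"custody"},
    },
    "payroll": {
        "payroll_admin": {"authorization", "recordkeeping", "custody"},
        "cfo": {"reconciliation"},
    },
}

# Constructed sample of documented compensating controls keyed by (cycle, role).
SAMPLE_COMPENSATING = {
    ("payroll", "payroll_admin"): "CFO reviews the payroll register before release",
}


def find_conflicts(assignments, compensating=None):
    """Return one finding per role that holds two or more incompatible duties.

    Each finding lists the conflicting duty pairs and whether a compensating
    control is on file; a conflict without one belongs on the deficiency log.
    """
    compensating = compensating or {}
    findings = []
    for cycle, roles in assignments.items():
        for role, duties in roles.items():
            held = sorted(duties & INCOMPATIBLE_DUTIES)
            if len(held) < 2:
                continue
            findings.append({
                "cycle": cycle,
                "role": role,
                "conflicts": list(combinations(held, 2)),
                "compensating_control": compensating.get((cycle, role)),
            })
    return findings


def undocumented(findings):
    """Conflicts with no compensating control documented."""
    return [f for f in findings if f["compensating_control"] is None]


if __name__ == "__main__":
    for f in find_conflicts(SAMPLE_ASSIGNMENTS, SAMPLE_COMPENSATING):
        status = "compensated" if f["compensating_control"] else "OPEN"
        print(f"{f['cycle']}/{f['role']}: {f['conflicts']} [{status}]")
```

Run it against the real assignment matrix by replacing `SAMPLE_ASSIGNMENTS`; the controller holding both authorization and reconciliation in AP is the kind of finding the checklist asks you to flag, and it stays open until a compensating control is recorded.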

Control Activities

    Trace one transaction from sales order through invoice, AR posting, cash receipt, and bank deposit. Confirm key controls: credit approval over threshold, three-way match on shipments, monthly AR aging review, and lockbox / Plaid bank-feed reconciliation.

    In Bill.com or Ramp, sample 25 vendor payments. Verify W-9 on file, three-way match (PO + receiving + invoice), approver in DOA matrix, and ACH/wire dual approval over $10K. Common deficiency: standing approvers who never reject.

    Pull the JE log from QBO / NetSuite / Sage Intacct for the test period. Sample 40 manual JEs (excluding system-generated). Verify each has a memo, supporting workpaper, preparer ≠ approver, and any AJE to retained earnings has CFO sign-off. Management override is the single most common ICFR fraud vector.
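The four attribute tests in the item above (memo, supporting workpaper, preparer not equal to approver, CFO sign-off on retained-earnings adjustments) applied to an exported JE log. This is an added example and not Manifestly's or any GL vendor's code; the column names, the retained-earnings account number, the CFO user id, and the five sample entries are constructed and will need mapping to the actual export from QBO, NetSuite, or Sage Intacct.

```python
"""Attribute tests over a manual journal-entry log.

Added example for the checklist item above; not part of the Manifestly template.
Column names, account numbers, user ids and entries are constructed sample data.
"""
import csv
import io
import random

RETAINED_EARNINGS = "3900"   # constructed account number for retained earnings
CFO_USER = "cfo"             # constructed approver id for the CFO

# Constructed JE export: one system-generated entry that must be excluded,
# one clean entry, and three with different exceptions.
SAMPLE_JE_LOG = """je_id,source,account,amount,memo,support_ref,preparer,approver
1001,manual,4000,12500.00,Accrue Dec revenue,WP-14,jsmith,controller
1002,system,1200,850.00,Depreciation run,,system,
1003,manual,3900,-40000.00,Prior-period correction,WP-22,controller,controller
1004,manual,2100,3200.00,,WP-09,jsmith,controller
1005,manual,3900,15000.00,Reclass to RE,WP-31,jsmith,cfo
"""


def load_manual_entries(csv_text):
    """Parse the export and drop system-generated entries, per the checklist."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r for r in rows if r["source"].strip().lower() == "manual"]


def sample_entries(entries, n, seed=0):
    """Deterministic sample so the selection can be re-performed by a reviewer."""
    if len(entries) <= n:
        return list(entries)
    return random.Random(seed).sample(entries, n)


def check_entry(je):
    """Return the list of control exceptions for one manual JE; empty means it passes."""
    exceptions = []
    if not je["memo"].strip():
        exceptions.append("missing memo")
    if not je["support_ref"].strip():
        exceptions.append("no supporting workpaper")
    if not je["approver"].strip():
        exceptions.append("no approver")
    elif je["preparer"].strip() == je["approver"].strip():
        exceptions.append("preparer is approver")
    if je["account"] == RETAINED_EARNINGS and je["approver"].strip() != CFO_USER:
        exceptions.append("retained-earnings adjustment lacks CFO sign-off")
    return exceptions


def run_je_tests(csv_text, sample_size=40, seed=0):
    """Map je_id -> exceptions for every sampled manual entry that fails a test."""
    sampled = sample_entries(load_manual_entries(csv_text), sample_size, seed)
    results = {}
    for je in sampled:
        found = check_entry(je)
        if found:
            results[je["je_id"]] = found
    return results


if __name__ == "__main__":
    for je_id, problems in run_je_tests(SAMPLE_JE_LOG).items():
        print(je_id, "->", "; ".join(problems))
```

Entry 1003 is the management-override pattern the item warns about: a manual adjustment to retained earnings prepared and approved by the same person, with no CFO sign-off, and it surfaces with two exceptions.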

    For each operating, payroll, and trust account, confirm the rec was completed within 10 business days of month-end and reviewed by someone other than the preparer. Investigate any reconciling items aged over 30 days — stale checks and unidentified deposits are the leading indicator of weak cash controls.

    Pull the user access list from the GL (NetSuite, Sage Intacct, QBO). Confirm terminated employees were removed within 24 hours, MFA is enforced, and admin / superuser access is restricted and logged. Pull SOC 1 Type II reports from outsourced providers (ADP, Bill.com, Avalara) and review the complementary user entity controls (CUECs) each report lists.
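A reconciliation of the GL user list against the HR roster covers the first three points of the item above. The script is an added example, not Manifestly's or any vendor's code: the review date, the HR roster, the GL user records, and the admin role names are constructed, and the 24-hour window comes from the checklist item.

```python
"""GL user-access review against the HR roster.

Added example for the checklist item above; not part of the Manifestly template.
Dates, user records, role names and roster entries are constructed sample data.
"""
from datetime import datetime, timedelta

AS_OF = datetime(2024, 1, 15)          # constructed review date
TERMINATION_GRACE = timedelta(hours=24)  # window stated in the checklist
ADMIN_ROLES = {"Administrator", "Superuser"}  # constructed; use the GL's own role names

# Constructed HR roster keyed by user id.
SAMPLE_HR_ROSTER = {
    "jsmith": {"status": "active", "terminated_on": None},
    "bwong": {"status": "terminated", "terminated_on": datetime(2024, 1, 3)},
    "rpatel": {"status": "terminated", "terminated_on": datetime(2024, 1, 14, 16, 0)},
}

# Constructed GL user export. The service account has no HR record on purpose.
SAMPLE_GL_USERS = [
    {"user": "jsmith", "role": "AP Clerk", "mfa": True, "active": True},
    {"user": "bwong", "role": "Controller", "mfa": True, "active": True},
    {"user": "rpatel", "role": "Administrator", "mfa": False, "active": True},
    {"user": "svc_integration", "role": "Administrator", "mfa": False, "active": True},
    {"user": "old_temp", "role": "AR Clerk", "mfa": False, "active": False},
]


def review_access(gl_users, hr_roster, as_of=AS_OF, grace=TERMINATION_GRACE):
    """Return (user, finding) pairs for every active GL account needing follow-up.

    Checks: still active beyond the grace window after HR termination,
    account with no HR record (service or orphan account), MFA not enforced,
    and admin-level role (to be confirmed as restricted and logged).
    """
    findings = []
    for u in gl_users:
        if not u["active"]:
            continue  # disabled accounts are out of scope for this test
        hr = hr_roster.get(u["user"])
        if hr is None:
            findings.append((u["user"], "no HR record: service or orphan account"))
        elif hr["status"] == "terminated" and as_of - hr["terminated_on"] > grace:
            findings.append((u["user"], "active beyond 24h after termination"))
        if not u["mfa"]:
            findings.append((u["user"], "MFA not enforced"))
        if u["role"] in ADMIN_ROLES:
            findings.append((u["user"], "admin access: confirm restricted and logged"))
    return findings


def findings_by_user(findings):
    """Group findings so each account appears once on the review workpaper."""
    grouped = {}
    for user, issue in findings:
        grouped.setdefault(user, []).append(issue)
    return grouped


if __name__ == "__main__":
    for user, issues in findings_by_user(review_access(SAMPLE_GL_USERS, SAMPLE_HR_ROSTER)).items():
        print(f"{user}: {'; '.join(issues)}")
```

`rpatel` was terminated eight hours before the review date, so the termination test does not fire yet, but the missing MFA and the admin role still put the account on the list; `bwong` is the 24-hour failure the checklist asks you to confirm.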

Information and Communication

    The monthly close calendar should specify owner, due date, and reviewer for each task — bank rec, sub-ledger tie-out, AJEs, flux analysis, package delivery. Verify the audit PBC list is shared via Suralink or TaxDome with target dates 60 days before fieldwork.

    Pull the EthicsPoint / Navex / Syntrio log for the period. Verify each report was triaged within 5 business days, investigated by a party independent of the subject, and reported to the audit committee. Document any reports related to financial reporting or asset misappropriation.

    FTC Safeguards Rule and IRS Pub 4557 require a Written Information Security Plan with annual review. Confirm laptop encryption, MFA on email, and incident-response procedures. Document the most recent tabletop test of the breach-notification process.

Monitoring and Reporting

    Roll up exceptions from each cycle walkthrough into a single deficiency log. Classify each as control deficiency, significant deficiency, or material weakness using likelihood-and-magnitude analysis per AS 2201.

    Material weakness = reasonable possibility of material misstatement not prevented or detected on a timely basis. Significant deficiency = less severe but merits attention. Document compensating controls before downgrading any finding.

    For each significant deficiency or material weakness, name the process owner, target remediation date, and how the new control will be tested. Generic remediation language ('improve oversight') without an owner is the reason findings repeat year over year.

    Present the deficiency log, severity classification, and remediation plan to the audit committee in executive session. Material weaknesses for SEC issuers must be disclosed in the 10-K Item 9A. Capture committee direction in the meeting minutes.

    Re-test each remediated control in the quarter following implementation. A control is not closed until evidence of operating effectiveness exists for at least one full reporting cycle. Carry open items into the next year's risk assessment.

Use this template in Manifestly
