Internal Controls Review Checklist
Control Environment Assessment
Pull the prior-period ELC matrix and confirm each control owner is still in role. Update for any reorganizations, new hires in finance leadership, or scope changes since the last review. The matrix should map each entity-level control to a COSO principle (1-17).
Verify all employees have signed the current-year code of conduct attestation. New hires get it at onboarding; existing staff re-attest annually. Pull the HRIS report and reconcile against active headcount — exceptions go on the deficiency log.
Confirm dollar thresholds for PO approval, journal entry posting, wire release, and contract signature match what is configured in the ERP and bank platforms. A common gotcha: the DOA was updated in the policy doc but never pushed to NetSuite or Bill.com workflow rules.
Per IRS Pub 4557 and the FTC Safeguards Rule, the Written Information Security Plan (WISP) must be reviewed annually. Confirm the latest tabletop exercise is documented, that the designated Qualified Individual is named, and that vendor risk assessments cover every subprocessor that handles client SSNs.
Risk Assessment
Refresh likelihood and impact ratings on each registered risk. Add new risks that emerged since last review — new product lines, new jurisdictions creating sales-tax nexus, new cloud vendors, M&A activity. Retire risks that are no longer applicable.
Walk the fraud triangle (incentive, opportunity, rationalization) across each significant process. Specific scenarios to test: fictitious vendor schemes in AP, lapping in AR, ghost employees in payroll, unauthorized journal entries at period close. Document any red flags surfaced.
For each significant account, document the risk of material misstatement against the relevant assertions — existence, completeness, accuracy, cutoff, valuation, rights and obligations. This becomes the basis for selecting which key controls get tested in the next phase.
Capture system changes (ERP upgrades, new modules), personnel changes in key control roles, organizational changes, and regulatory changes. The external auditor will ask for this when planning their walkthroughs — having it ready avoids a fire drill in fieldwork.
Control Activities Testing
Pull the user access report from Bill.com or the ERP. Confirm no single user can create a vendor, approve a bill, and release payment; a user whose role assignments permit all three is an exception even if no payment in the sample shows it. Then test a sample of 25 disbursements over $10K and confirm, for each, that vendor creation, bill approval and payment release were performed by three distinct user IDs in the audit trail.
Sample three months of bank recs across the operating, payroll, and trust accounts. Confirm the preparer and reviewer are different, that recs are signed off within 10 business days of month-end, and that any reconciling items aged over 30 days have a documented disposition plan.
Pull all manual JEs over the materiality threshold posted during the period. Confirm each has a supporting workpaper, a memo, and an electronic approval from a user above the preparer in the DOA. AJEs posted directly to retained earnings get extra scrutiny — those are a classic audit finding.
Pull the exceptions report showing invoices paid without a matching PO and receiving document. Investigate the top 20 by dollar value. Persistent override patterns by a specific user or vendor are a control failure even if individual amounts are immaterial.
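The two AP tests above (three distinct user IDs per disbursement, and repeated PO-match overrides by one user or vendor) can be run mechanically over the audit-trail export. The following is an added example, not code from the page or from Manifestly or any of the products named above; the column names, user IDs and payment records are constructed for illustration and would need to be mapped to whatever the real export contains.

```python
# Added example (not from the page): two of the AP control tests above,
# run over a constructed audit-trail export. Column names are assumed.
import csv
import io
from collections import Counter

# Constructed sample, shaped like a Bill.com/ERP payment audit-trail CSV.
# Every column, user ID and vendor ID here is illustrative.
SAMPLE_TRAIL = """payment_id,vendor_id,amount,vendor_created_by,bill_approved_by,payment_released_by,po_matched
P-1001,V-77,15000.00,alice,bob,carol,yes
P-1002,V-12,42000.00,dave,dave,erin,yes
P-1003,V-77,11000.00,alice,bob,bob,no
P-1004,V-12,18500.00,dave,bob,carol,no
P-1005,V-45,27000.00,frank,frank,frank,no
P-1006,V-12,12250.00,dave,erin,carol,no
"""

# The three steps that must be performed by different people.
SOD_ROLES = ("vendor_created_by", "bill_approved_by", "payment_released_by")


def parse_trail(text):
    """Read the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def sod_violations(rows, threshold=10_000.0):
    """Payments above threshold where fewer than three distinct user IDs
    created the vendor, approved the bill and released the payment.
    Returns (payment_id, sorted distinct users) pairs in export order."""
    found = []
    for r in rows:
        if float(r["amount"]) <= threshold:
            continue
        users = {r[role] for role in SOD_ROLES}
        if len(users) < len(SOD_ROLES):
            found.append((r["payment_id"], sorted(users)))
    return found


def override_patterns(rows, min_count=2):
    """Count payments released without a PO/receiving match, per releasing
    user and per vendor. Anyone at or above min_count is a pattern worth
    investigating even if each amount is individually immaterial."""
    by_user, by_vendor = Counter(), Counter()
    for r in rows:
        if r["po_matched"].strip().lower() == "no":
            by_user[r["payment_released_by"]] += 1
            by_vendor[r["vendor_id"]] += 1

    def at_least(counter):
        return {k: n for k, n in counter.items() if n >= min_count}

    return at_least(by_user), at_least(by_vendor)


if __name__ == "__main__":
    rows = parse_trail(SAMPLE_TRAIL)
    for pid, users in sod_violations(rows):
        print(f"SoD exception {pid}: only {users} in the trail")
    users, vendors = override_patterns(rows)
    print("override pattern by user:", users)
    print("override pattern by vendor:", vendors)
```

Note that the trail test only catches combinations that were actually exercised; the entitlement-level check (can one user do all three) still has to be run against the access report, since a user with all three rights who happened not to use them in the sample is still a segregation-of-duties gap.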
Cover the four ITGC domains: access management (provisioning, deprovisioning, periodic recertifications), change management (release approvals), computer operations (backups, batch monitoring), and data security (MFA, encryption at rest). Pull SOC 1 Type II reports for cloud-hosted financial systems; check that the report period covers your fiscal year (or obtain a bridge letter for the gap), review any exceptions noted, and map the complementary user entity controls to controls you actually operate.
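For the access-management domain, the recurring test is reconciling the ERP user list against the HRIS roster: leavers who still have enabled accounts, accounts with no HR record behind them, privileged roles without MFA, and accounts that missed the periodic recertification. The following is an added example, not code from the page or from any ERP or HRIS vendor; both exports, the column names, the privileged-role list and the 180-day recertification window are constructed assumptions and would need to match the actual exports and policy.

```python
# Added example (not from the page): an access-management ITGC test that
# reconciles the ERP user list against the HRIS roster. All data and
# column names below are constructed for illustration.
import csv
import io
from datetime import date

# Constructed HRIS export (active headcount plus recent leavers).
HRIS_EXPORT = """employee_id,user,status,termination_date
E1,alice,active,
E2,bob,active,
E3,carol,terminated,2024-03-15
E4,dave,active,
E5,erin,terminated,2024-05-02
"""

# Constructed ERP user list with role, enabled flag, MFA flag and the date
# of the last periodic access recertification.
ERP_USER_EXPORT = """user,role,enabled,mfa_enabled,last_recert
alice,ap_clerk,true,true,2024-06-30
bob,controller,true,true,2024-06-30
carol,ap_clerk,true,false,2023-12-31
dave,sysadmin,true,false,2024-06-30
erin,ap_manager,false,true,2024-06-30
svc_batch,integration,true,false,2023-09-30
"""

# Roles that the (assumed) policy treats as privileged and MFA-mandatory.
PRIVILEGED_ROLES = {"sysadmin", "controller", "ap_manager"}


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def access_findings(hris_text, erp_text, as_of_iso, recert_days=180):
    """Return (user, finding) pairs for enabled ERP accounts that:
    - have no HRIS record (service or orphan accounts to be justified),
    - belong to a terminated employee (leaver not deprovisioned),
    - hold a privileged role without MFA,
    - have not been recertified within recert_days."""
    as_of = date.fromisoformat(as_of_iso)
    hris = {r["user"]: r for r in load_csv(hris_text)}
    findings = []
    for acct in load_csv(erp_text):
        if acct["enabled"].strip().lower() != "true":
            continue  # disabled accounts are out of scope for this test
        user = acct["user"]
        emp = hris.get(user)
        if emp is None:
            findings.append((user, "no_hris_record"))
        elif emp["status"] == "terminated":
            days = (as_of - date.fromisoformat(emp["termination_date"])).days
            findings.append((user, f"active_after_termination:{days}d"))
        if acct["role"] in PRIVILEGED_ROLES and acct["mfa_enabled"].lower() != "true":
            findings.append((user, "privileged_without_mfa"))
        if (as_of - date.fromisoformat(acct["last_recert"])).days > recert_days:
            findings.append((user, "recert_overdue"))
    return findings


if __name__ == "__main__":
    for user, finding in access_findings(HRIS_EXPORT, ERP_USER_EXPORT, "2024-07-31"):
        print(f"{user}: {finding}")
```

Each finding carries the evidence an auditor will ask for (the user, the condition, and for leavers the number of days the account stayed active after termination), so the output can be pasted straight into the deficiency log; accounts with no HRIS record are not automatically failures, but each one needs a documented owner and justification.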
Information and Communication
Confirm monthly financial packages reach executives within the close-calendar SLA, that variance commentary is included, and that KPIs flow from the source system without manual override. Late or skipped packages indicate an information-flow weakness even if the underlying numbers are correct.
Pull the period's hotline log from the third-party provider (EthicsPoint, NAVEX, etc.). Confirm each report has a triage decision, a documented investigator, and a closure memo. Zero reports across a multi-quarter span is itself a finding — the channel may not be visible to staff.
Verify the audit committee chair has received any required AU-C 260 / SAS 114 communications from the external auditor — significant findings, uncorrected misstatements, disagreements with management. Cross-reference with the prior management letter to ensure prior-year comments were addressed.
Monitoring and Remediation
Aggregate every exception surfaced during the testing phase into a single log: control reference, COSO principle, description, root cause, affected assertions, and recommended remediation. This log feeds both the severity classification and the remediation tracker.
Apply the AU-C 265 / PCAOB AS 1305 framework: control deficiency, significant deficiency, or material weakness. Classification turns on both the likelihood of misstatement and the magnitude relative to materiality. Document the rationale — auditors will challenge any classification that downgrades a finding.
Engage outside forensic counsel before pulling user activity logs or interviewing personnel. Preserve evidence per the firm's investigation protocol, including a legal hold on the relevant mailboxes, ERP audit logs and bank-portal activity logs so retention schedules do not purge them. Brief the audit committee chair within 48 hours regardless of dollar magnitude; fraud findings are a board-level matter.
Material weaknesses must be disclosed to the external auditor in writing before fieldwork. For SEC issuers, this also drives an Item 9A disclosure and may require an 8-K under Item 4.02 if it indicates prior financials cannot be relied upon. Loop in disclosure counsel.
For each deficiency, name an owner, a target completion date, and a validation step. Group remediations that share a root cause (e.g., access management gaps that all trace to the joiner-mover-leaver process). Track in the GRC platform or a controls-tracker spreadsheet reviewed monthly.
Walk the committee through the deficiency log, severity classifications, remediation owners, and target dates. Tie back to the prior period's open items so the committee sees what's been closed since last review. Document the meeting in the audit committee minutes.
The CFO and internal audit lead sign the conclusion memo. The conclusion drives any required SOX 302/404 management certifications and is filed in the controls evidence repository for the external auditor's reliance.
