Operational Audit Checklist

Financial Reporting and Controls

    Pull the working trial balance from the ERP (NetSuite, Sage Intacct, or QBO) and tie each balance back to GL detail. Investigate any tie-out variance over performance materiality. Attach the WTB as the lead workpaper for the engagement.

    Document control owner, frequency, and evidence type for each key control in the ICFR matrix. Focus on revenue recognition, journal-entry approval, segregation of duties in cash disbursements, and access provisioning. Note any controls that have changed since last year's walkthrough.

    Pull a haphazard sample of 25 manual JEs posted during the period. Confirm preparer/reviewer separation, supporting documentation, and posting date alignment with the entry's effective date. Flag entries posted directly to retained earnings without a partner-level memo.

    Aggregate issues noted in the prior steps and classify each per AS 2201 as a control deficiency, significant deficiency, or material weakness. Severity drives whether management must communicate to the audit committee under SAS 115.

    Required when classification reaches material weakness. Memo should state root cause, compensating controls in place, the remediation owner, and target completion date. CFO and Audit Committee chair sign before issuance.

Compliance and Regulatory Oversight

    Verify the master calendar covers federal (1120, 1065, 941, 940, 1099-NEC), state income/franchise, sales tax in registered states, and payroll deposits. Cross-check against the prior-year calendar — new state nexus or entity changes commonly create gaps.

    Pull a 50-state revenue summary and compare against each state's economic-nexus threshold (commonly $100K or 200 transactions post-Wayfair). Document any state where the entity has crossed threshold but has not registered — these are the highest-priority compliance risks.

    Confirm the Written Information Security Plan exists, has been reviewed in the last 12 months, and that employee training is documented. Required for paid preparers under the FTC Safeguards Rule and IRS Pub 4557.

    Survey legal, tax, and HR for any active inquiries from the IRS, state revenue agencies, DOL, EEOC, or state CPA boards. Capture the agency, matter ID, and assigned counsel for each. Open inquiries change audit scope and may require management representations.

    Required when active regulatory matters are open. Brief GC on the audit's findings touching the matter so privilege and disclosure handling are coordinated. Do not draft remediation language without legal alignment.

Operational Efficiency and Effectiveness

    Compare days-to-close, days-to-issue financials, and number of post-close AJEs against prior-period baselines. A drift longer than 2 business days is the trigger for a process root-cause review.

    Pull DSO and DPO trends; investigate aging-bucket shifts. For AP, review the three-way-match exception rate. For AR, review the 90+ aging bucket and write-off frequency.

    Confirm each department's KPI dashboard is updated on cadence and reviewed by the function lead. Stale dashboards (more than 30 days without update) signal that KPIs are decorative rather than operational.

Risk Management

    Add new risks identified during the audit. Each risk needs an owner, likelihood/impact rating, and mitigation status. Stale risks (no movement in 12 months) get re-rated or retired rather than carried forward indefinitely.

    Confirm risk reviews happen at the cadence the policy requires (typically quarterly for top-tier risks). Pull meeting minutes or the risk-committee log as evidence.

    Pull current COIs for D&O, E&O, cyber, general liability, property, and crime/fidelity. Compare limits and deductibles to the exposure assessment in the risk register. Cyber-liability gaps are the most common finding here.

Information Systems and Data Security

    Pull the user-access listing from NetSuite, Sage Intacct, or QBO. Test for terminated users with active accounts (a privileged-access exit failure), users with both prep and approval roles in cash disbursements, and admin accounts not tied to a named employee.
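One way to automate the three tests in this step over an exported listing, as an added example that is not part of the Manifestly template or any ERP's own tooling. The listing, the HR termination list and the role names are constructed sample data; the mapping of roles to prep/approve/admin is an assumption to adjust to the ERP's actual role names.

```python
"""User-access review checks: terminated-but-active accounts, prep/approve
segregation-of-duties conflicts, and admin accounts with no named owner."""
from dataclasses import dataclass
from typing import Optional, List, Set, Dict


@dataclass
class UserAccess:
    user_id: str
    employee: Optional[str]   # None = account not tied to a named employee
    roles: Set[str]
    active: bool


# Constructed sample export (assumed role names; not from a real system)
ACCESS_LISTING: List[UserAccess] = [
    UserAccess("u1", "alice", {"AP_PREPARER"}, True),
    UserAccess("u2", "bob", {"AP_PREPARER", "AP_APPROVER"}, True),   # SoD conflict
    UserAccess("u3", "carol", {"AP_APPROVER"}, True),
    UserAccess("u4", "dave", {"AP_PREPARER"}, True),                 # terminated, still active
    UserAccess("u5", None, {"ADMINISTRATOR"}, True),                 # shared admin, no owner
    UserAccess("u6", "erin", {"ADMINISTRATOR"}, True),
    UserAccess("u7", "frank", {"AP_APPROVER"}, False),               # terminated and disabled: ok
]

# Constructed HR termination report for the period
TERMINATED: Set[str] = {"dave", "frank"}

# Assumed mapping of ERP roles to the control categories under test
PREP_ROLES = {"AP_PREPARER"}
APPROVE_ROLES = {"AP_APPROVER"}
ADMIN_ROLES = {"ADMINISTRATOR"}


def terminated_still_active(listing: List[UserAccess], terminated: Set[str]) -> List[str]:
    """Offboarding failure: HR says terminated, ERP account still enabled."""
    return sorted(u.user_id for u in listing if u.active and u.employee in terminated)


def sod_conflicts(listing: List[UserAccess]) -> List[str]:
    """Same active user can both prepare and approve a cash disbursement."""
    return sorted(u.user_id for u in listing
                  if u.active and (u.roles & PREP_ROLES) and (u.roles & APPROVE_ROLES))


def unnamed_admins(listing: List[UserAccess]) -> List[str]:
    """Active admin-level accounts not attributable to a named employee."""
    return sorted(u.user_id for u in listing
                  if u.active and (u.roles & ADMIN_ROLES) and not u.employee)


def run_access_review(listing: List[UserAccess], terminated: Set[str]) -> Dict[str, List[str]]:
    """Return every exception by test name, ready to paste into the workpaper."""
    return {"terminated_active": terminated_still_active(listing, terminated),
            "sod_conflicts": sod_conflicts(listing),
            "unnamed_admins": unnamed_admins(listing)}
```

Each non-empty list is an exception to document with the control owner; u7 is not flagged because the account was disabled at termination.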

    Confirm the last DR test was performed within the policy window (commonly annually) and that the test results document the measured RTO and RPO. A DR plan that has never been tested is effectively no plan.

    Collect current SOC 1 Type 2 or SOC 2 Type 2 reports for ERP, payroll, and AP-automation vendors. Review complementary user entity controls (CUECs) — the controls the vendor's report assumes you operate. Missing CUEC mapping is a common audit finding.

Human Resources and Personnel

    Sample new hires from the period; confirm I-9 completion within 3 business days, signed offer letters, background-check documentation, and policy-acknowledgment signatures. I-9 timing failures are the most common HR audit finding.

    Pull a sample of completed reviews across departments. Test for calibration (rating distributions consistent across managers), documentation of goals tied to compensation actions, and signature completeness.

    Confirm required federal and state postings are current and visible at each work location (or distributed for remote workforces). Verify mandatory training (anti-harassment in CA, NY, IL, CT and others) has been completed within the regulatory window.

    Final CAE or engagement-partner sign-off. Capture overall audit opinion, the executive summary, the full report file, and signature. The signed report is the artifact delivered to the audit committee.

Use this template in Manifestly
