Audit and Review Readiness
Assess whether your trial balance, reconciliations, schedules, contracts, controls, and prepared-by-client package are ready for external accountants.
Open the free toolA structured self-check of the controls that protect money movement and financial data: user access and privileged accounts over the ledger and banking portals, segregation of duties, multi-factor authentication, vendor bank-change verification, payment fraud response, backup and recovery for financial systems, and incident escalation involving finance. Built for owners, controllers, and CFOs who want to know where the next hour of control effort belongs.
Answer a few quick questions below. It is private - nothing is submitted or stored - and takes about a minute.
This tool is a general business diagnostic for information only and is not accounting, tax, legal, investment, financing, insurance, or security advice. Confirm decisions with your advisor.
Here is what the checker asks and why each step matters. Prefer to talk it through? Contact us and we will help directly.
This question scopes the whole review. If insiders hold credentials that can move funds or alter the ledger, the access, segregation, verification, and recovery controls below are yours to design and operate. If everything is executed by providers, the control work changes character: it becomes provider assurance, contractual obligations, and entity-level verification of what the providers did. The common trap is a forgotten credential - an old bank token or a dormant administrator login kept 'just in case' - which quietly puts the entity back in the first category.
Management remains responsible for processes performed by external parties - shift the control work to provider oversight and independent verification (Green Book, Principle 11).
Official guidance: GAO Standards for Internal Control
Access management is the foundation the other financial controls stand on: every payment release, journal entry, and master-file change must trace to one accountable individual. Answer from the system-generated user listings, not from memory. If you chose the second option, the review continues, but carry the missing recertification forward as a documented finding - stale access is how departed employees and role creep quietly become payment risk.
Framework reference for the control activities component, including Principle 11 on general control activities over technology.
Official guidance: GAO Standards for Internal Control
Test the claim, not the setting: log in from a new device and observe what is actually demanded. The recurring traps are legacy email protocols that bypass MFA, 'remember this device' horizons measured in months, and exemptions granted to the very executives whose mailboxes attackers target to approve payments. Approver email belongs on this list because a compromised mailbox is how payment instructions get forged and intercepted.
A password-only banking portal or approver mailbox is the most common entry point for payment fraud - enforce multi-factor authentication before relying on any downstream control (Green Book, Principle 11).
Official guidance: GAO Standards for Internal Control
Judge this on system rights, not job descriptions - portal administrator roles often carry both powers even when the daily routine splits them, and the answer is 'yes' if the rights coexist in one login. In small teams where full separation is impractical, the standard compensating controls are bank-enforced dual release on wires and ACH plus an owner's independent review of the payee-change report each cycle.
One person who can change payee details and release funds is an unmitigated fraud path - impose dual control at the bank-portal level now (Green Book, Principle 10).
Official guidance: GAO Standards for Internal Control
Business email compromise works by hijacking or imitating a genuine correspondence thread, so any verification that travels through the requesting channel is circular - the attacker controls both the request and the confirmation. The control that works is deliberately boring: an out-of-band call to a number the entity already held, documented on the change form, with no exceptions for urgent, executive-sponsored, or end-of-quarter requests. If you rely on portal automation alone, add the human callback for payees above a value threshold.
Confirming a bank change through the channel that requested it is the exact failure business email compromise exploits - adopt out-of-band callback verification (Green Book, Principle 8). Unverified payee changes are the leading mechanism of vendor impersonation fraud - stand up a documented callback procedure before the next change request arrives (Green Book, Principle 8).
Official guidance: GAO Standards for Internal Control
Recovery prospects for a fraudulent wire or ACH fall sharply after the first hours, so the response has to be written, named, and rehearsed before it is needed - during an incident is too late to look up the bank's fraud desk. Training matters because the human is the control surface: the red flags are urgency, changed remittance details, new bank instructions, and pressure invoking an executive's name, and staff who have seen the pattern once in training recognize it in the inbox.
Recall windows for fraudulent transfers are measured in hours - a written same-day response and trained staff are part of the control, not an afterthought (Green Book, Principle 12).
Official guidance: GAO Standards for Internal Control
Ransomware operators deliberately hunt backups using the same stolen administrator credentials that took production, so 'we have backups' only counts if at least one copy sits beyond those credentials - offline, immutable, or under separate authentication - and a restore has been rehearsed end to end. For cloud accounting platforms, learn what the provider's resilience actually guarantees and what remains yours to export and protect, such as attachments, configurations, and integrations.
An untested backup reachable with production credentials is not a control - segregate the copy and prove the restore (Green Book, Principle 11).
Official guidance: GAO Standards for Internal Control
A financial incident is two responses in one: the technical containment, and the money response - the bank recall call, payment holds, ledger correction, and insurer notification. Both begin with an employee speaking up fast, which is why a blame-free, widely known reporting path is itself an internal control. The test is simple: ask three employees today whom they would tell about a suspicious email, and see whether the answers match the procedure.
The core control set is designed and operating - shift effort to monitoring, periodic testing, and reassessment (Green Book, Principle 16). Escalation that stops at the helpdesk leaves the bank recall, payment holds, and the ledger impact unmanaged - publish a path that reaches finance leadership (Green Book, Principle 14).
Official guidance: GAO Standards for Internal Control
Send us your situation and one of our senior CPAs will review it with you - fixed fee, no surprises.
Contact Us