Audit and Review Readiness
Assess whether your trial balance, reconciliations, schedules, contracts, controls, and prepared-by-client package are ready for external accountants.
Open the free toolFor owners, controllers, and CFOs who want to test whether the business manages risk deliberately rather than by renewal habit. Eight questions screen the fundamentals: a maintained risk register with owners and mitigation status, alignment to the COSO ERM framework's governance and appetite disciplines, an insurance program mapped to actual exposures, and the renewal, claims, and contractual risk transfer practices that make coverage respond when it is needed.
Answer a few quick questions below. It is private - nothing is submitted or stored - and takes about a minute.
This tool is a general business diagnostic for information only and is not accounting, tax, legal, investment or valuation advice. Confirm decisions with your advisor.
Here is what the checker asks and why each step matters. Prefer to talk it through? Contact us and we will help directly.
A risk register is the inventory everything else depends on: insurance limits, mitigation spending, and board oversight all presume the business knows what could impair it. Look for a document that names specific risks - customer concentration, key person loss, cyber intrusion, supply interruption - not generic categories copied from a template.
The COSO ERM framework (2017) organizes risk management into five components and twenty principles, from governance and culture through reporting.
Official guidance: COSO Enterprise Risk Management Framework
Ownership is the difference between a register and a memo: a named person answers for each risk's mitigation. The common trap is listing a department ("Operations") or the owner-manager for everything - accountability diffused that way rarely produces action. Status should distinguish a deliberate decision to accept a risk from a risk nobody has addressed.
A register without owners and response status is documentation, not risk management - assign ownership and responses before relying on it (COSO ERM (2017), Principle 13).
Official guidance: COSO Enterprise Risk Management Framework
The 2017 COSO framework's central idea is integration: risk informs strategy and performance rather than sitting in a standalone binder. The evidence is simple - board or owner meeting minutes showing top risks reviewed, and appetite language specific enough to answer a real question, such as how large a deductible the business will carry or which exposures it knowingly self-insures.
Integrate risk with governance - board-level review of top risks and a stated appetite driving retention decisions (COSO ERM (2017), Principles 1 and 7).
Official guidance: COSO Enterprise Risk Management Framework
Insurance transfers risk only where a policy actually responds - the mapping is what proves it. Renewal alone does not test this: a program can renew unchanged for years while the business adds locations, products, data, and contracts the policies never contemplated. The mapping should be dated, name who performed it, and show its conclusions.
Official small business guidance on financial management, including maintaining appropriate business insurance against identified exposures.
Official guidance: COSO Enterprise Risk Management Framework
Judge the program by scenarios, not policy names: a total property loss with twelve months of interruption, a data breach with notification and liability costs, the death or departure of the person who drives revenue. The common traps are sublimits and exclusions inside otherwise adequate policies, and property or interruption values that have not kept pace with the business.
Known uninsured or underinsured exposures require a disposition decision - close, retain deliberately, or transfer by contract - documented at the owner level. Untested limits are unproven limits - run scenario losses against each line's limits, sublimits, and exclusions before relying on the program. Compliance-driven programs protect the counterparty's interest, not the full business - rebuild the program from the exposure inventory outward.
Official guidance: COSO Enterprise Risk Management Framework
Renewal is when the program is repriced and its terms reset, so process failures here compound: stale exposure values understate coverage and invite coinsurance penalties, while a never-marketed program drifts above market pricing. Lead time matters most - underwriters quote better on complete, early submissions than on last-minute ones.
Rushed renewals on stale exposure data produce both overpayment and underinsurance - build the renewal calendar and data discipline first.
Official guidance: COSO Enterprise Risk Management Framework
Coverage only pays if the claim is presented properly and on time. Claims-made lines - directors and officers, cyber, professional liability - require reporting within the policy period, so a missed deadline can void otherwise valid coverage. The test is practical: could you produce every policy, its notice address, and its deadline within one business day of a loss?
Late or defective notice is a standard basis for claim denial - build the claims playbook before a loss forces improvisation.
Official guidance: COSO Enterprise Risk Management Framework
Contracts move risk in both directions: vendors should carry and evidence their own coverage naming you where required, while indemnities you grant can assume liabilities your policies exclude. The common trap is treating a certificate of insurance as protection - it evidences coverage on its issue date only and confers no rights; additional-insured status requires an endorsement to the vendor's policy.
The fundamentals are in place - shift to the portfolio view, substantial-change triggers, and periodic independent review (COSO ERM (2017), Principles 14-17). Contractual risk transfer is the unmanaged leg of the program - build certificate tracking and pre-signature contract review.
Official guidance: COSO Enterprise Risk Management Framework
Send us your situation and one of our senior CPAs will review it with you - fixed fee, no surprises.
Contact Us