Audit and Review Readiness
Assess whether your trial balance, reconciliations, schedules, contracts, controls, and prepared-by-client package are ready for external accountants.
Open the free toolAssess whether your purchase-to-pay process controls spend before it is committed: purchase order thresholds, an approval matrix aligned to real authority, three-way match and receiving discipline, verified vendor onboarding, duplicate and fraudulent payment detection, corporate card governance, and the category-level spend visibility that turns clean data into negotiation leverage. Ten questions route you to the control gap, exposure, or opportunity that most deserves attention.
Answer a few quick questions below. It is private - nothing is submitted or stored - and takes about a minute.
Informational business diagnostic only; not accounting, audit, tax, legal, investment, lending, or valuation advice.
Here is what the checker asks and why each step matters. Prefer to talk it through? Contact us and we will help directly.
Purchase-to-pay controls scale with delegation: once people other than the owner can commit funds, preventive controls have to replace personal oversight. Count anyone who can place an order, sign a contract, or swipe a card - informal authority counts exactly the same as formal authority.
A multi-level purchase order structure is premature; the control work is a hardened payment perimeter around the owner's gate.
Official guidance: GAO Standards for Internal Control
The preventive gate is the control that operates before money is committed - once an order is placed, the negotiation is over and the invoice must generally be paid. Under Green Book Principle 10 the design question is whether authorization occurs at the point in the process where the risk arises, not whether an approval eventually appears somewhere in the paper trail.
The 2013 framework's control activities component describes the authorization, verification, and segregation controls a purchase-to-pay process should embed.
Official guidance: GAO Standards for Internal Control
Pull the delegation-of-authority schedule and compare it line by line to the workflow configuration; drift usually appears after reorganizations, promotions, and system migrations. An approval matrix that no longer matches real authority gives the appearance of control while routing spend decisions to the wrong desk.
Use the interactive tool above to see how this applies to your situation.
Official guidance: GAO Standards for Internal Control
Three-way match is the classic verification control: it converts the approved order and the receiving record into a payment gate. The common failure is receiving discipline - goods arrive without a receiving record, or services are confirmed by the same person who ordered them - which quietly turns three-way match into invoice-only approval.
Use the interactive tool above to see how this applies to your situation.
Official guidance: GAO Standards for Internal Control
The vendor master is the primary fraud vector in purchase-to-pay: business email compromise works by changing a legitimate vendor's bank details, and fictitious-vendor schemes work by inserting a payee. Verification through independently obtained contact details - never the phone number or email on the change request itself - is the control that defeats both.
Vendor-master weaknesses are the direct path to fraudulent and misdirected payments - close them before anything else.
Official guidance: GAO Standards for Internal Control
Detection controls back up the preventive gate: duplicate payments cluster around vendor name variants, re-sent invoices, and system conversions, while fraudulent payments cluster around bank-detail changes. A periodic duplicate-payment test - exact and fuzzy matching on vendor, amount, and invoice number - is inexpensive and routinely pays for itself.
Detection that depends on vendor honesty is not a control - build duplicate blocking and payment analytics now. With no detection layer, duplicate and fraudulent payments clear silently - treat this as an immediate exposure.
Official guidance: GAO Standards for Internal Control
Card and expense spend is the channel that bypasses the purchase order gate by design, so it needs its own compensating policy. The review must be independent - a cardholder approving their own statement is the most common card-control failure - and the offboarding checklist must cancel the card the day access ends.
Card spend is committing funds outside your authorization gate - extend the documented framework to cover every spend channel.
Official guidance: GAO Standards for Internal Control
Every process has emergencies; the control question is whether exceptions remain exceptions. Under Green Book Principle 12, a documented policy that is routinely bypassed without ratification is not an implemented control - the operating control is whatever actually happens, and that is what an auditor or fraud examiner will test.
A policy that is routinely bypassed without ratification is not the operating control - redesign and enforce the gate.
Official guidance: GAO Standards for Internal Control
When authorization before commitment is weak, the payment release becomes the last preventive control standing. Dual release, independent bank-detail verification, and a full disbursement-register review do not fix uncontrolled buying, but they determine whether the exposure is overspending or outright fraud loss.
Payment-side controls are compensating, not sufficient - design the pre-commitment authorization gate next. With no gate and no payment-side control, duplicate and fraudulent payment exposure is immediate - act on payment controls first.
Official guidance: GAO Standards for Internal Control
Controls make spend data trustworthy; visibility makes it valuable. A spend cube - vendor by category by period - built from accounts payable history is usually the fastest route to savings, because fragmented purchasing hides volume that suppliers would otherwise have to price for. Green Book Principle 13 frames this as using quality information to achieve objectives.
The control stack and the information layer both screen as mature - shift to sustainment testing and a standing negotiation program. Controls are sound but the data is unused - build the category spend view and convert clean records into negotiation leverage.
Official guidance: GAO Standards for Internal Control
Send us your situation and one of our senior CPAs will review it with you - fixed fee, no surprises.
Contact Us