
Internal Controls Checklist for Small Business: What Auditors Examine and What Your Clients Need Ready
An internal controls checklist that CPA advisors can use for small business audit readiness is one of the most useful deliverables a CPA firm can give a private-company client before fieldwork begins. The issue is almost never the financial statements themselves.
At BusAcTa Advisors, we support audit documentation and bookkeeping for small business clients behind US CPA partners. The preparation gap we see most consistently in your clients' files isn't about the numbers. It's about the control evidence. The auditor arrives, asks for the bank reconciliation sign-off, the purchase approval log, the access review, and the journal entry authorization record, and the client either doesn't have them or can't locate them. Their audit drags. Their findings get written up. Your client's management letter gets longer than it needs to be.
This small business internal controls checklist organizes the essential internal controls across five areas your client needs to address before audit fieldwork begins. It's structured around the COSO Internal Control - Integrated Framework, the five-component model that auditors use when assessing internal control in accordance with AU-C 315 (as revised by SAS 145). Each section ends with a ready-to-use checklist your firm can hand directly to the client or use as a pre-fieldwork walkthrough guide focused on audit readiness. When deficiencies are found during audit fieldwork, the AU-C 265 communication standards require auditors to report significant deficiencies and material weaknesses in writing.
This is a general-purpose internal controls guide for CPA advisory use. Specific audit procedures and internal control assessments depend on the client's facts and the applicable auditing standards. Always tailor the assessment to the specific engagement.
Area 1: Entity-Level Controls: Tone at the Top
Entity-level controls are the foundation everything else rests on. They include the owner's or board's attitude toward accurate financial reporting, the clarity of financial policies, and the existence of any oversight function that reviews management's actions. In a small business, the compensating controls audit teams rely on often substitute for formal segregation of duties. Entity-level controls often look different from those of a large company, but auditors under AU-C 315 still need to document their understanding of them.
What makes entity-level controls matter most in small business audits is the concentration of authority. If the owner is also the bookkeeper and the sole check-signer, the entity-level control environment carries enormous weight. An owner who reviews their financial statements monthly, questions unusual variances, and holds their bookkeeper accountable is exercising a compensating control that partially substitutes for formal segregation of duties. An owner who signs whatever their bookkeeper puts in front of them provides no entity-level control whatsoever.
Entity-level controls checklist:
Written financial policies covering approval authorities, expense limits, and signing authority
Regular management review of monthly financial statements (document with sign-off or email confirmation)
Annual review of all bank signatories and removal of departed employees
Written code of conduct or conflict-of-interest policy (even a one-page document satisfies this)
Board or advisory board review of annual financial statements and major transactions (for entities with governance structures)
Owner review of bank statements directly from the bank, independent of the bookkeeper
Does your firm document which entity-level controls each small business client has in place before their fieldwork begins?
Area 2: Transaction Controls: Authorization, Approval, and Documentation
Transaction-level controls are what most people think of when they hear "internal controls": the approval workflow for purchases, the authorization limits for payment, the documentation supporting each transaction. These are the controls auditors test directly when they pull a sample of disbursements, payroll payments, or revenue entries.
The single most common internal control finding in small business audits is the absence of documented approval for significant expenditures. An auditor who finds ten invoices in a sample with no evidence of approval before payment will write that up as a control deficiency regardless of whether the payments were appropriate. The issue isn't always that the wrong person approved; it's that there's no evidence anyone approved at all.
The solution isn't a complex approval workflow for your client. It's a consistent habit of documenting what was approved, by whom, and when, before the payment is made.
Transaction controls checklist:
Purchase order or written approval required for all expenditures above a defined threshold (e.g., $500 or $1,000)
Vendor invoice matched to purchase order or approval email before payment is processed
Check signing authority limited to two designated individuals; dual signatures required above a defined limit
Petty cash fund with receipts required for every disbursement and periodic reconciliation
New vendor approval process requiring at least one level of management authorization before adding to the approved vendor list
Employee expense reports reviewed and approved by someone other than the submitter before reimbursement
Payroll additions, terminations, and rate changes authorized in writing before processing
Area 3: Bank Reconciliation and Cash Controls
Cash controls and bank reconciliation controls are the highest-priority control area in any small business audit, and the ones audit teams examine most closely. Cash is the most liquid asset, the most susceptible to misappropriation, and the area where small business fraud most frequently originates. Auditors will examine cash controls closely on every engagement regardless of overall risk assessment, because AU-C 240 presumes the risk of management override and employee fraud is always present in the cash cycle.
Before covering cash controls, note that the segregation of duties auditors expect is the hardest control for a small business to implement when teams are lean. The most important compensating control when duties cannot be separated is the bank reconciliation review process, and specifically, who performs it on your client's team and who reviews it. A bank reconciliation your client's bookkeeper completes while also having custody of checks, reviewed by no one else, provides no control value. It confirms what the bookkeeper entered but doesn't catch what they might have omitted.
Bank reconciliation and cash controls checklist:
Bank reconciliations completed monthly for every account within 15 days of month-end
Bank statements received directly from the bank by someone other than the bookkeeper (paper statements mailed to owner, or owner receives online access independently)
Bank reconciliations reviewed and signed off by the owner or a supervisor who is not the preparer
Outstanding checks older than 90 days investigated and resolved before the reconciliation is finalized
All bank accounts included in the reconciliation process, including payroll, savings, and any sweep accounts
Voided checks documented with reason and authorized by a second person
ACH and wire transfer authorizations logged and reviewed monthly against the bank statement
If your client has only one person who touches cash, reconciles accounts, and signs checks, the compensating control that partially addresses this risk is owner review of the original bank statement, line by line, each month. The owner initialing each of their bank statements is a documentable compensating control your auditor can reference. No initialing, no compensating control, and the control deficiency finding is almost certainly coming.
Area 4: IT and Access Controls
IT and access controls in a small business context are primarily about who can do what in the accounting system. Under SAS 145, auditors are required to understand IT general controls, including user access management, as part of assessing whether automated controls and system-generated reports are reliable. For a client using QuickBooks Online, Xero, or Sage Intacct, this means understanding who holds administrator access, who can post journal entries, and whether the system generates a meaningful audit trail.
When did your client last review who has administrator access to their accounting platform? The access control problem at your small business clients is almost always permissiveness, not technical failure. Everyone on the team has administrator-level access because it was easier to set up that way. Former employees who were never removed still have active logins. The owner doesn't know how to run the user access report.
IT and access controls checklist:
User access list reviewed at least annually and documented; departed employees removed within one business day of termination
Accounting system administrator access limited to one or two designated individuals; not shared with all staff
Journal entry posting restricted by user role; staff without accounting responsibility cannot post to the general ledger
Audit trail or transaction log enabled in the accounting software and reviewed periodically for unusual entries
Unique logins for every user; no shared credentials
Regular data backup (minimum weekly) with at least one backup stored off-site or in the cloud
Password policy in place; system access passwords changed at least annually
Has your team confirmed that your clients' former employees are removed from their accounting system access on their last day?
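The access review described in this area can be run mechanically against a user export. The following Python is an added example, not part of the original article or any accounting platform's tooling; the CSV column names, the staff roster, and the termination record are constructed for illustration, and the business-day rule skips weekends but ignores holidays.

```python
import csv
import io
from datetime import date, timedelta

MAX_ADMINS = 2          # checklist: admin access limited to one or two people
MAX_PASSWORD_AGE = 365  # checklist: passwords changed at least annually

# Constructed sample data. Column names are assumptions for this example, not
# the export format of QuickBooks Online, Xero, or Sage Intacct.
USER_EXPORT = """login,role,status,last_password_change
owner@client.example,admin,active,2025-01-10
bookkeeper@client.example,admin,active,2023-11-02
ap.clerk@client.example,admin,active,2025-02-01
former.staff@client.example,standard,active,2024-06-15
accounting@client.example,standard,active,2025-03-03
"""
# Logins that map to exactly one current, named employee (constructed).
ROSTER = {"owner@client.example", "bookkeeper@client.example", "ap.clerk@client.example"}
TERMINATIONS = {"former.staff@client.example": date(2025, 3, 7)}  # a Friday


def removal_deadline(terminated: date) -> date:
    """One business day after termination (weekends skipped, holidays ignored)."""
    day = terminated + timedelta(days=1)
    while day.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        day += timedelta(days=1)
    return day


def review_access(export_text, roster, terminations, as_of):
    """Return sorted (login, finding) pairs for the access-review file."""
    findings = []
    rows = csv.DictReader(io.StringIO(export_text))
    active = [r for r in rows if r["status"] == "active"]
    admins = [r["login"] for r in active if r["role"] == "admin"]
    if len(admins) > MAX_ADMINS:
        findings += [(a, "admin access exceeds limit of %d" % MAX_ADMINS) for a in admins]
    for row in active:
        login = row["login"]
        if login in terminations:
            if as_of > removal_deadline(terminations[login]):
                findings.append((login, "terminated user still active"))
        elif login not in roster:
            findings.append((login, "no named owner (possible shared login)"))
        changed = date.fromisoformat(row["last_password_change"])
        if (as_of - changed).days > MAX_PASSWORD_AGE:
            findings.append((login, "password older than one year"))
    return sorted(findings)
```

Saving the dated output of each run alongside the export gives the client the documented evidence of the access review that the checklist asks for.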
Area 5: Financial Close and Reporting Controls
Financial close controls govern how transactions are recorded, how the books are closed, and how financial statements are produced. Auditors examine this area when they test journal entries (a required procedure under AU-C 240), when they tie out the trial balance to the general ledger, and when they assess whether the financial statements presented for audit are reliable starting points for their procedures.
The small business clients that struggle most in this area are those with no consistent close process: journal entries posted throughout the month without authorization, no cutoff discipline, accounts left unreconciled, and financial statements produced only when the auditor asks for them. Your client doesn't need a closing schedule as elaborate as a public company's, but they need a repeatable monthly process that produces a clean, reconciled trial balance.
Financial close controls checklist:
Monthly close checklist completed and signed off before the period is closed in the accounting system
All balance sheet accounts reconciled to supporting schedules at least quarterly (monthly for high-activity accounts)
Journal entries require a preparer, a reviewer, and supporting documentation attached before posting
Period-end cutoff applied consistently: revenue recognized in the period earned, expenses in the period incurred
Adjusting journal entries reviewed by a supervisor or owner before posting; unusual entries flagged for discussion
Accounts payable aging reviewed monthly to identify unrecorded liabilities near period-end
Accruals for major recurring expenses (payroll, rent, insurance) calculated and posted each period using a consistent methodology
Financial statements issued to management within 20 days of period-end and signed as reviewed
You can see how we integrate internal controls documentation support into the broader offshore accounting workflow on the how it works page. Our bookkeeping services team maintains the monthly reconciliation and close-checklist discipline that makes this checklist operational rather than aspirational for your clients. Our quality control framework applies similar pre-close verification steps on every engagement we support, and our offshore accounting service covers the transaction documentation and journal entry review workflow your auditor will examine during fieldwork.
For the COSO Internal Control - Integrated Framework guidance your firm uses when assessing small business internal controls, see the COSO internal control guidance page, which links to the current framework and small business implementation guidance.
Using This Checklist Before Fieldwork Begins
The most valuable time to work through this internal controls checklist with your small business client is three to six months before their audit begins, not the week the auditor arrives. Controls your client doesn't have yet can be put in place, reducing the likelihood of an internal control deficiency or material weakness finding in the audit report. Compensating controls for segregation-of-duties gaps can be documented. Bank statement review habits can be established. The audit management letter gets shorter when your controls conversation happens before the engagement, not during it.
If you'd like to see how we structure internal controls documentation and bookkeeping support for CPA partners' small business audit clients, book a scoping call with BusAcTa Advisors, and we'll walk your team through the pre-fieldwork workflow before you commit to anything.

Written by
Yash Patel, Head of Department, Accounts
Yash Patel is Head of Accounts at BusAcTa, where he leads bookkeeping, reconciliation, accounting, and financial reporting services for U.S. CPA firms. He sets technical standards for the accounts team, owns the review process, and drives continuous improvement through refined SOPs and structured checklists across QuickBooks, Xero, and other accounting platforms.









