Kezia Farnham

Senior Manager

6 internal controls checklists, definition & examples

Internal controls are a complex and interconnected system of processes and protocols. An internal controls checklist is the maintenance manual for that system, offering audit teams the guidance they need to evaluate and improve organization-wide controls regularly.

Checklist in hand, audit teams can strategically review all controls and spot any weaknesses before they lead to significant losses.

This article will give you the tools to create a checklist, including:

• An internal controls checklist definition
• The benefits of using a checklist to test internal controls
• Common examples of internal controls checklists
• When to evolve beyond checklists to a more comprehensive solution

What is an internal controls checklist?

An internal controls checklist is a guide that dictates how audit teams should evaluate the internal controls system. The most effective guides will detail what the controls are and how and when they should be reviewed.

This empowers organizations to systematically assess their controls and any deficiencies that may have arisen — a key way to more comprehensively manage risk.

Benefits of using an internal controls checklist

Think of an internal controls checklist as a risk management tool. Like internal controls, themselves, an internal controls checklist is a line of defense against fraud and other types of unauthorized access to company assets.

The complete benefits of using an internal controls checklist are far-reaching and include the following:

1. Increased regulatory compliance: Many organizations must follow specific regulations relating to financial and other data types. Controls backed by a controls checklist help organizations comply with regulations and defend their compliance to auditors.
2. Improved audit results: Internal and external audits will test internal controls’ effectiveness. An internal control checklist will help you proactively strengthen controls, leading to more positive audit reports.
3. Greater financial assurance: Both boards and leadership want to know that financial statements are accurate. A control checklist gives them increased visibility into controls and how they function, fostering greater confidence in company finances.
   

Types of internal controls checklists

Internal controls checklists can be as varied as internal controls themselves. Small businesses may need a very different checklist than a corporate enterprise. Likewise, key regulations may call for their internal controls checklist to ensure greater compliance.

That said, some of the most common internal controls checklists are:

Small business internal controls checklist

1. Assess the control environment: Check that management and their direct reports have a constructive attitude toward controls and that everyone can access written policies and procedures.
2. Review documentation: Ensure all documents are updated according to your workflow. For example, categorize financial documents as paid, approved, denied, etc.
3. Check controls: Go through existing controls and their components to ensure they function correctly, focusing on the most impactful controls.
4. Determine segregation of duties: Review key processes — like collecting payments — to verify that a different employee is handling different steps of the process.
5. Conduct spot checks: Assess inventory, points of sale, reconciliations and more at-random to pressure test the controls and whether employees are following them.

Accounts payable internal controls checklist

1. Verify transaction approvals: Ensure that all transactions above a certain amount have received management approval.
2. Reconcile receipts: Compare purchase order, invoice and receipts to verify they all match.
3. Safeguard blank checks: Confirm that checks are securely stored and that access to them is limited.
4. Manual signatures: All financial documents should be manually signed. Verify that no auto-sign devices or stamps are in use.
5. Review invoices: Check that all paid invoices have been marked paid.

Accounts receivable internal controls checklist

1. Review contracts: Make sure that all payment terms comply with relevant regulations and are favorable for your accounting department.
2. Validate invoices: Ensure invoices have the proper details and are in the right amounts to avoid non-payment.
3. Check access controls: Verify that only select employees have access to billing software and use a password and two-factor authentication.
4. Verify transactions: Use accounting software that automatically generates transaction tracking, then review the logs to ensure all documentation is accurate.
5. Analyze cash receipts: Compare receipts to transactions to ensure the receipts are matched to the right purchase and customer file.

COSO

COSO, short for the Committee of Sponsoring Organizations, established a universal framework for implementing and evaluating internal controls. Our internal controls checklist for COSO includes items like:

1. Review the control environment
2. Assess risk
3. Monitor controls and the risk landscape

NIST

NIST 800-171 is a regulation from the National Institute of Standards and Technology that offers guidance on safely working with vendors and subcontractors. An effective NIST 800-171 checklist will feature steps including:

1. Identify how you’re storing and handling unclassified information
2. Verify all information is correctly classified
3. Analyze control documentation to validate the controls

SOX internal controls checklist

Many organizations must also follow the Sarbanes-Oxley (SOX) Act, which requires that organizations follow a specific set of protocols to ensure accurate and transparent financial reporting. A SOX compliance checklist may require you to:

1. Verify that any system access is tracked and validated
2. Review timestamps on all data to ensure nothing was tampered with
3. Analyze control reports to spot any critical messages or alerts

Future-proof your internal controls checklists

Internal controls are one of the best — and most proactive — safeguards organizations have against fraud, breach and the damaging loss of assets. As the risk landscape evolves, so, too, should internal controls. While an internal controls checklist can go a long way to keeping your controls up-to-date, the fast pace of modern business may require a more comprehensive approach.

Internal controls management can take your internal controls checklist one step further. Turn your manual controls and documentation into a seamless and automated process for implementing, monitoring and improving internal controls — all within a single platform.