Free download β’ Use as a template β’ Print or share
An Internal Control Checklist is a structured assessment form used to verify that a company's financial and operational safeguards are in place and functioning as designed. It systematically documents each control activity β who performs it, how often, whether it is currently compliant, and what evidence supports that finding β across key functions such as cash management, accounts payable, payroll, and IT access. By converting abstract control requirements into a testable, line-by-line record, the checklist creates a documented audit trail that management, external auditors, and lenders can evaluate with confidence.
Operating without a completed internal control checklist means your controls exist only in theory β you have no documented proof they are working, no record of who owns them, and no list of known gaps to address. When an external auditor arrives or a lender requests evidence of financial controls, an undocumented control environment forces a rushed, reactive assessment that routinely surfaces problems too late to fix before they affect the audit opinion or financing decision. Fraud losses in businesses without documented controls are significantly higher β because undetected gaps in segregation of duties, cash handling, and approval authority are exactly where occupational fraud begins. This template gives you a repeatable, evidence-backed assessment process you can complete in a few hours and present with confidence to any auditor, investor, or board.
| If your situation is⦠| Use this template |
|---|---|
| Evaluating controls across all financial reporting areas | Internal Control Checklist |
| Conducting a full internal audit with formal workpapers | Internal Audit Report |
| Reviewing cash handling and petty cash procedures | Petty Cash Log |
| Assessing IT system access and cybersecurity controls | IT Security Audit Checklist |
| Tracking remediation of identified control weaknesses | Corrective Action Plan |
| Documenting purchasing approval thresholds and vendor controls | Purchase Order Template |
| Evaluating controls for a specific department only | Department Audit Checklist |
Why it matters: A control written as 'expenses are approved' cannot be assessed as passing or failing because there is no defined standard to evaluate against. Auditors will flag it as untestable.
Fix: Write each control as a specific, observable action: who performs it, under what threshold or condition, and how often. 'The CFO approves all expense reports above $500 within 5 business days' is testable.
Why it matters: A checklist with all Yes marks and no evidence references is indistinguishable from one that was filled out without doing any testing β it provides no audit protection.
Fix: Require a document reference for every Compliant finding before the checklist is considered complete. No evidence, no pass.
Why it matters: Department-level ownership means no one is accountable when a control fails, and remediation actions are never completed because everyone assumes someone else owns them.
Fix: Name a specific individual for every control. Update ownership assignments immediately when roles change or employees leave.
Why it matters: A gap without an owner and deadline is just a documented problem with no resolution path β it will still be open at the next review cycle.
Fix: Treat every gap entry as incomplete until it has a named owner, a specific corrective action, and a target date no more than 90 days out.
Decide which functional areas the checklist will cover β cash, payables, receivables, payroll, purchasing, IT access. List each as a named section header with a two-letter area code (e.g., AP for Accounts Payable).
π‘ Start with cash and disbursements β these areas carry the highest fraud risk and are the first thing an external auditor reviews.
For each control area, write out every control activity in plain English. Assign a sequential reference (AP-01, AP-02) so individual controls can be tracked and discussed without ambiguity.
π‘ Aim for 5β10 controls per functional area. Fewer than 5 suggests the area is under-controlled; more than 15 suggests you are documenting procedures, not controls.
Enter the full name and title of the individual responsible for each control. For controls with a backup or secondary approver, record both.
π‘ Share the draft checklist with each owner before finalizing β they will often identify controls you missed or describe how the control actually works versus how it was designed.
For each control, evaluate whether it was operating effectively during the review period. Mark Yes, No, or Partial based on evidence reviewed β not on assumption.
π‘ Pull at least three samples of evidence per control (e.g., three months of reconciliations) before marking a control Compliant. One sample is not sufficient to conclude consistency.
Record the specific document name, file path, or system reference that supports each Compliant finding. This step turns the checklist into an auditable workpaper.
π‘ Create a shared folder named by review period (e.g., 'Internal Controls β Q2 2026') and save all evidence there before completing the checklist.
For every Non-Compliant or Partial finding, assign a High, Medium, or Low risk rating based on the financial impact and likelihood of an error or fraud occurring without the control.
π‘ Any gap in cash disbursements, payroll, or system access should default to High unless you have strong compensating controls documented.
Write a specific corrective action for every gap, name the individual responsible, and set a realistic target date. Generic actions like 'improve the process' are not acceptable entries.
π‘ Schedule a 30-day follow-up meeting with all remediation owners at the time you complete the checklist β not after the due date passes.
Have the preparer and a reviewing manager sign and date the completed checklist. File it with the supporting evidence folder and retain for a minimum of three years.
π‘ Date-stamp the file name (e.g., 'Internal-Control-Checklist-2026-Q2-Final') so you can immediately identify the most current version during an audit.
An internal control checklist is a structured form used to evaluate whether a company's financial and operational safeguards are in place and working as intended. It lists specific control activities β such as invoice approval requirements, bank reconciliations, and access restrictions β and records whether each is compliant, who owns it, what evidence supports the finding, and what remediation is needed for any gaps. It is a core tool for internal audits, pre-audit preparation, and ongoing control monitoring.
Typically the finance manager, internal auditor, or CFO completes the checklist during a scheduled review. For small businesses without a dedicated audit function, the owner or controller can conduct the assessment. The reviewer should be independent from the person performing each control β having the AP clerk assess AP controls defeats the purpose of the review.
For most small and mid-size businesses, an annual review is the minimum. High-risk areas β cash disbursements, payroll, and system access β benefit from quarterly reviews. Any time there is a significant organizational change (new accounting system, key employee departure, rapid headcount growth), an out-of-cycle review is warranted. Companies preparing for an external audit should complete a fresh assessment 60β90 days before the audit fieldwork begins.
An internal control checklist is the assessment workpaper used to test individual controls and record findings. An internal audit report is the formal summary document delivered to management and the audit committee, drawing conclusions from the checklist findings and recommending corrective actions. The checklist is the input; the audit report is the output.
Yes β in fact, small businesses are statistically more vulnerable to fraud and error than larger organizations because they have fewer people and less separation of duties. The Association of Certified Fraud Examiners reports that businesses with fewer than 100 employees suffer a disproportionately high share of occupational fraud losses. Basic controls β dual signatures on checks, monthly reconciliations, and segregated access to accounting software β meaningfully reduce this risk at minimal cost.
Segregation of duties means dividing key financial tasks β authorizing a transaction, recording it, and having custody of the related asset β among at least two different people. This prevents a single employee from being able to both commit and conceal a fraud or error. It appears on every internal control checklist because its absence is the single most common root cause of occupational fraud in small and mid-size businesses.
For each control rated Compliant, retain the specific document that proves the control was performed β a signed reconciliation, a system access log, an approved expense report, or an email approval chain. Store these in a labeled folder organized by review period and retain for a minimum of three years, or longer if required by industry regulation. Digital copies are acceptable; the key requirement is that they can be produced quickly when requested.
Yes, and it is one of its most common uses. Completing the checklist 60β90 days before external audit fieldwork gives you time to identify and remediate gaps before auditors arrive. Auditors will conduct their own control testing, but presenting a completed self-assessment with documented evidence typically reduces the scope of their procedures and shortens the audit cycle.
An internal audit report is the formal findings document delivered to management and the audit committee after testing is complete. An internal control checklist is the working assessment tool used during that testing. You complete the checklist first, then summarize the results in the audit report. Both are needed for a complete audit cycle.
A risk assessment identifies and prioritizes business risks before controls are designed. An internal control checklist evaluates whether controls already in place are actually working. Use the risk assessment to decide which controls matter most, then use the checklist to verify those controls are operating effectively.
A compliance checklist evaluates adherence to a specific external regulation β HIPAA, SOX, GDPR, or a licensing requirement. An internal control checklist evaluates internal financial and operational safeguards regardless of any specific regulatory mandate. In practice, regulatory compliance checklists are built on top of a strong internal control foundation.
An SOP documents how a process should be performed step by step. An internal control checklist verifies that the controls embedded within those processes are actually being followed. SOPs define the design; the checklist tests the operation. Both are necessary β an SOP without control testing is an aspiration, not a safeguard.
Focus on billing authorization controls, time-entry approval, client trust account reconciliation, and expense reimbursement thresholds.
Cash handling procedures, inventory shrinkage controls, point-of-sale system access restrictions, and returns authorization requirements.
Purchase order approval thresholds, receiving verification against POs, raw-material inventory counts, and production cost variance reviews.
Patient billing authorization, HIPAA-related access controls to patient data, controlled-substance inventory counts, and insurance reimbursement reconciliation.
| Path | Best for | Cost | Time |
|---|---|---|---|
| Use the template | Small businesses, finance managers, and controllers conducting annual or quarterly self-assessments | Free | 2β4 hours per review cycle |
| Template + professional review | Companies preparing for a first external audit or lender due diligence review | $500β$2,000 for a CPA or fractional CFO review session | 1β2 days |
| Custom drafted | Companies subject to SOX compliance, regulated industries, or multi-entity organizations requiring a formal internal audit function | $5,000β$25,000+ for a professional internal audit engagement | 2β6 weeks |
This document is one of 3,000+ business & legal templates included in Business in a Box.
Access over 3,000+ business and legal templates for any business task, project or initiative.
Customize your ready-made business document template and save it in the cloud.
Share your files and folders with your team. Create a space of seamless collaboration.
"Fantastic value! I'm not sure how I'd do without it. It's worth its weight in gold and paid back for itself many times."
"I have been using Business in a Box for years. It has been the most useful source of templates I have encountered. I recommend it to anyone."
"It has been a life saver so many times I have lost count. Business in a Box has saved me so much time and as you know, time is money."
Stop downloading documents. Start operating with clarity. Business in a Box gives you the Business Operating System used by over 250,000 companies worldwide to structure, run, and grow their business.
Start freeΒ Β·Β No credit card required
