Finance AI Skill
Audit Compliance
Manage internal audit, SOX compliance, internal controls testing, segregation of duties, audit trail management, and external audit coordination. Use when performing controls testing, monitoring segregation of duties, maintaining audit trails, preparing for...
Audit & Compliance
Maintain strong internal controls, ensure regulatory compliance, and streamline audit processes.
Internal Controls Framework
SOX Controls Inventory & Testing
SOX CONTROLS INVENTORY — Finance Processes
════════════════════════════════════════════
FINANCIAL REPORTING CONTROLS:
┌───────┬──────────────────────────────┬──────────────┬───────────┬────────────┐
│ ID    │ Control Description          │ Frequency    │ Type      │ Owner      │
├───────┼──────────────────────────────┼──────────────┼───────────┼────────────┤
│ FC-01 │ JE approval workflow         │ Monthly      │ ITGC      │ Controller │
│ FC-02 │ Month-end close checklist    │ Monthly      │ Manual    │ Controller │
│ FC-03 │ Revenue recognition review   │ Monthly      │ Manual    │ Rev. Acct  │
│ FC-04 │ Account reconciliation       │ Monthly      │ Manual    │ Acctg Mgr  │
│ FC-05 │ Financial statement review   │ Quarterly    │ Manual    │ CFO        │
│ FC-06 │ General Ledger access        │ Quarterly    │ ITGC      │ IT + Fin   │
│ FC-07 │ Chart of accounts change     │ Ad-hoc       │ Manual    │ Controller │
│ FC-08 │ Consolidation review         │ Monthly      │ Manual    │ Controller │
└───────┴──────────────────────────────┴──────────────┴───────────┴────────────┘
PAYMENT CONTROLS:
┌───────┬──────────────────────────────┬──────────────┬───────────┬────────────┐
│ ID    │ Control Description          │ Frequency    │ Type      │ Owner      │
├───────┼──────────────────────────────┼──────────────┼───────────┼────────────┤
│ PC-01 │ 3-way match (PO/RX/INV)      │ Per trans    │ Automated │ AP Mgr     │
│ PC-02 │ Payment approval matrix      │ Per trans    │ Automated │ Finance    │
│ PC-03 │ Vendor master change         │ Ad-hoc       │ Manual+IT │ AP + Fin   │
│ PC-04 │ Wire payment dual auth       │ Per trans    │ ITGC      │ Treasury   │
│ PC-05 │ Duplicate payment check      │ Per trans    │ Automated │ AP Sys     │
│ PC-06 │ Bank rec review              │ Monthly      │ Manual    │ Controller │
└───────┴──────────────────────────────┴──────────────┴───────────┴────────────┘
REVENUE CONTROLS:
┌───────┬──────────────────────────────┬──────────────┬───────────┬────────────┐
│ ID    │ Control Description          │ Frequency    │ Type      │ Owner      │
├───────┼──────────────────────────────┼──────────────┼───────────┼────────────┤
│ RC-01 │ Contract review & approval   │ Per contract │ Manual    │ Rev. Acct  │
│ RC-02 │ Revenue recognition schedule │ Monthly      │ Manual    │ Rev. Acct  │
│ RC-03 │ Billing accuracy check       │ Per invoice  │ Automated │ Billing    │
│ RC-04 │ AR reconciliation            │ Monthly      │ Manual    │ AR Mgr     │
│ RC-05 │ Write-off approval           │ Ad-hoc       │ Manual    │ CFO        │
└───────┴──────────────────────────────┴──────────────┴───────────┴────────────┘
TOTAL CONTROLS: 18 (Finance) + 12 (ITGC) + 6 (HR/Payroll) = 36 controls
TESTING CYCLE: Quarterly sampling (manual) + Continuous (automated)
LAST FULL TEST: Q4 2024 — All controls operating effectively ✓
Controls Testing Process
QUARTERLY CONTROLS TESTING — Q1 2025 Plan
══════════════════════════════════════════
TESTING SCHEDULE:
Planning: Feb 1-7 (define scope, sample selection)
Execution: Feb 8 — Mar 15
Reporting: Mar 16 — Mar 21
Remediation (if needed): Mar 22 — Apr 10
Sign-off: Apr 15
SAMPLE SELECTION:
Manual controls: 25 transactions per control (per company policy)
Automated controls: 100% test (system configuration review + operating effectiveness)
ITGC controls: Configuration review + change management testing
TEST PROCEDURES (per control):
1. Obtain understanding: Review control design documentation
2. Test design effectiveness: Does the control, if operating properly, prevent/detect error?
3. Test operating effectiveness: Did the control operate as designed during the period?
4. Document results: Pass/Fail with evidence
5. Evaluate exceptions: Root cause, materiality, remediation
EVIDENCE REQUIREMENTS:
- Screenshots of system configurations
- Approval emails/system logs
- Signed checklists and review documentation
- Reconciliation workpapers with sign-off
- Transaction samples with supporting documentation
PRIOR YEAR RESULTS:
Q4 2024: 36/36 controls passed (100%)
Q3 2024: 35/36 passed (1 minor exception — remediated)
Q2 2024: 36/36 passed (100%)
Q1 2024: 34/36 passed (2 exceptions — remediated)
Annual: 141/144 tests passed (98% — within target)
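The sample-selection and pass/fail steps above, as an added Python example (not part of the skill's own tooling): it draws a reproducible 25-item sample for a manual control by ranking transaction IDs with SHA-256 over the control ID and period, tests automated controls at 100%, and concludes PASS only when every sampled item passed and carries evidence. The hashing scheme, the `TestResult` fields and the constructed JE population are this example's assumptions; the sample size of 25 mirrors the policy figure above.

```python
"""Reproducible sample selection and pass/fail evaluation for controls testing.

Added example, not the skill's own code. Assumes the transaction IDs in scope for a
control have already been exported from the ERP. The SHA-256 ranking, the TestResult
fields and the constructed JE population are this example's choices; the 25-item
sample size mirrors the company policy figure above.
"""
import hashlib
from dataclasses import dataclass


def select_sample(control_id, period, population, control_type="Manual", sample_size=25):
    """Return the transactions to test for one control.

    Automated controls are tested 100%. Manual controls get a deterministic
    pseudo-random sample: each transaction is ranked by
    SHA-256(control_id|period|txn_id), so a reviewer can regenerate exactly the
    same sample from the same population, and the sample cannot be steered by
    reordering the export.
    """
    if control_type == "Automated":
        return sorted(population)
    ranked = sorted(
        set(population),
        key=lambda txn: hashlib.sha256(f"{control_id}|{period}|{txn}".encode()).hexdigest(),
    )
    return ranked[:sample_size]


@dataclass
class TestResult:
    control_id: str
    txn_id: str
    passed: bool
    evidence: str             # workpaper / screenshot reference supporting the conclusion
    exception_note: str = ""  # root cause or description when passed is False


def evaluate_control(results):
    """Summarise one control's test: conclusion, exceptions and evidence gaps.

    A control passes only when every sampled item passed AND every item has
    evidence; an undocumented pass is treated as a failure of the test itself.
    """
    exceptions = [(r.txn_id, r.exception_note) for r in results if not r.passed]
    missing_evidence = [r.txn_id for r in results if not r.evidence]
    return {
        "control_id": results[0].control_id if results else None,
        "tested": len(results),
        "exceptions": exceptions,
        "missing_evidence": missing_evidence,
        "conclusion": "PASS" if results and not exceptions and not missing_evidence else "FAIL",
    }


def pass_rate(conclusions):
    """Share of control tests concluded PASS, e.g. 141 of 144 -> 0.979."""
    return sum(c == "PASS" for c in conclusions) / len(conclusions)


if __name__ == "__main__":
    # Constructed population: 200 journal entries in scope for FC-01 in Q1 2025.
    population = [f"JE-2025-{i:04d}" for i in range(1, 201)]
    sample = select_sample("FC-01", "2025Q1", population)
    results = [TestResult("FC-01", txn, True, f"wp/FC-01/{txn}.pdf") for txn in sample]
    results[3].passed = False
    results[3].exception_note = "Approval recorded after posting date"
    print(len(sample), "sampled;", evaluate_control(results))
```

Ranking by a hash of the control, period and transaction ID (rather than a stored random seed) means the sample for a given quarter is fixed the moment the population is fixed: the tester cannot re-roll it, and an auditor can recompute it from the same export.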
Segregation of Duties (SOD)
SOD Monitoring Framework
SEGREGATION OF DUTIES MATRIX — Key Incompatible Roles
══════════════════════════════════════════════════════
INCOMPATIBLE DUTY PAIRS:
┌──────────────────────────┬──────────────────────────┬───────────────────────────────┐
│ Duty A                   │ Duty B                   │ Risk                          │
├──────────────────────────┼──────────────────────────┼───────────────────────────────┤
│ Create vendor            │ Approve payment          │ HIGH — Fraud risk             │
│ Create JE                │ Approve JE               │ HIGH — Financial misstatement │
│ Process payment          │ Reconcile bank statement │ HIGH — Misappropriation       │
│ Create customer          │ Apply cash / write-off   │ MEDIUM — Revenue misstatement │
│ Manage GL access         │ Post to GL               │ HIGH — Unauthorized entries   │
│ Process payroll          │ Approve payroll changes  │ HIGH — Fraud risk             │
└──────────────────────────┴──────────────────────────┴───────────────────────────────┘
CURRENT SOD VIOLATIONS (Q1 2025):
Total violations identified: 3
HIGH severity: 1
MEDIUM severity: 2
LOW severity: 0
VIOLATION #1 — HIGH:
User: J. Smith (AP Analyst)
Violation: Create vendor + Approve payment (same user in NetSuite)
Risk: Could create fictitious vendor and approve payment
Status: Remediation in progress
Action: Remove vendor creation access; assign to AP Supervisor
Deadline: Feb 15, 2025
Compensating control: Dual approval for all new vendors
VIOLATION #2 — MEDIUM:
User: M. Lee (Accountant)
Violation: Create JE + Approve JE (amounts <$10K)
Risk: Could post unauthorized journal entries
Status: Compensating control documented
Action: Implement system rule — self-created JEs require 2nd approval
Deadline: Mar 1, 2025
VIOLATION #3 — MEDIUM:
User: K. Patel (Rev. Accountant)
Violation: Manage revenue schedules + Write AR adjustments
Risk: Could manipulate revenue recognition
Status: Acceptable risk (amounts immaterial; quarterly review by Controller)
Action: Document compensating control; monitor quarterly
Deadline: Ongoing
SOD REVIEW CYCLE:
Automated monitoring: Continuous (daily system check)
Formal review: Quarterly (comprehensive access review)
Annual certification: Manager attestation of team access appropriateness
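The daily automated SOD check described above, as an added Python example (not the skill's own code): it unions the duties granted by every role a user holds and reports each incompatible pair from the matrix above that the user actually has, with the documented compensating control alongside. The incompatible pairs are the ones on this page; the role-to-duty map and the user-to-role assignments are constructed sample data standing in for an ERP/IdP export, and one user (`tlin`) is included to show a conflict that only appears when two individually clean roles are combined.

```python
"""SOD conflict detection over role assignments.

Added example, not the skill's own code. The incompatible pairs come from the SOD
matrix above; the role-to-duty map and the user-to-role assignments are constructed
sample data (a real run would export them from the ERP and the identity provider).
"""

# (duty A, duty B, severity, risk) as listed in the matrix above.
INCOMPATIBLE_PAIRS = [
    ("create_vendor", "approve_payment", "HIGH", "Fraud risk"),
    ("create_je", "approve_je", "HIGH", "Financial misstatement"),
    ("process_payment", "reconcile_bank", "HIGH", "Misappropriation"),
    ("create_customer", "apply_cash_or_write_off", "MEDIUM", "Revenue misstatement"),
    ("manage_gl_access", "post_to_gl", "HIGH", "Unauthorized entries"),
    ("process_payroll", "approve_payroll_changes", "HIGH", "Fraud risk"),
]

# Constructed: which duties each ERP role grants.
ROLE_DUTIES = {
    "AP Analyst":    {"create_vendor", "approve_payment"},   # mirrors violation #1 above
    "AP Supervisor": {"create_vendor"},
    "Accountant":    {"create_je", "approve_je"},            # mirrors violation #2 above
    "Treasury":      {"process_payment"},
    "Controller":    {"reconcile_bank", "approve_je"},
    "Sysadmin":      {"manage_gl_access"},
}

# Constructed: user -> roles. tlin is clean per role but conflicted by the combination.
USER_ROLES = {
    "jsmith": ["AP Analyst"],
    "mlee":   ["Accountant"],
    "tlin":   ["Treasury", "Controller"],
    "admin1": ["Sysadmin", "Treasury"],
    "asup":   ["AP Supervisor"],
}


def effective_duties(user, user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Union of duties over every role the user holds (conflicts often hide across roles)."""
    duties = set()
    for role in user_roles.get(user, []):
        duties |= role_duties.get(role, set())
    return duties


def find_sod_violations(user_roles=USER_ROLES, role_duties=ROLE_DUTIES,
                        pairs=INCOMPATIBLE_PAIRS, compensating_controls=None):
    """Return one record per (user, incompatible pair) actually present.

    compensating_controls maps (user, duty_a, duty_b) -> description, so a documented
    mitigation is reported next to the violation instead of suppressing it.
    """
    compensating_controls = compensating_controls or {}
    violations = []
    for user in sorted(user_roles):
        duties = effective_duties(user, user_roles, role_duties)
        for duty_a, duty_b, severity, risk in pairs:
            if duty_a in duties and duty_b in duties:
                violations.append({
                    "user": user,
                    "roles": list(user_roles[user]),
                    "conflict": (duty_a, duty_b),
                    "severity": severity,
                    "risk": risk,
                    "compensating_control": compensating_controls.get((user, duty_a, duty_b)),
                })
    return violations


def severity_counts(violations):
    """Summary in the dashboard's shape: counts by HIGH / MEDIUM / LOW."""
    counts = {"HIGH": 0, "MEDIUM": 0, "LOW": 0}
    for v in violations:
        counts[v["severity"]] += 1
    return counts


if __name__ == "__main__":
    cc = {("jsmith", "create_vendor", "approve_payment"): "Dual approval for all new vendors"}
    found = find_sod_violations(compensating_controls=cc)
    for v in found:
        print(v["severity"], v["user"], v["conflict"], v["compensating_control"] or "-")
    print(severity_counts(found))
```

Severity here is taken straight from the matrix; the page's violation #2 was rated MEDIUM because of an amount threshold, which a production check would model as an additional attribute on the duty (e.g. an approval limit) rather than as a different pair.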
Audit Trail & Change Management
Financial System Change Tracking
AUDIT TRAIL POLICY:
═══════════════════
CAPTURED CHANGES:
1. General Ledger:
- Journal entry creation, modification, voiding
- Chart of accounts changes
- Fiscal period open/close
- Currency/rate changes
2. Sub-ledgers:
- Invoice creation/modification (AP/AR)
- Customer/vendor master changes
- Payment processing
- Credit memo issuance
3. System Administration:
- User access grants/revocations
- Role/permission changes
- Configuration changes
- Integration settings
4. Financial Close:
- Close checklist status changes
- Reconciliation sign-offs
- Financial statement approvals
AUDIT TRAIL DATA RETAINED:
Who: User ID + name
What: Action performed (create, modify, delete, approve)
When: Timestamp (UTC + local timezone)
Where: System/module
Why: Business justification (captured at time of change)
Before/After: Previous and new values
RETENTION POLICY:
Active audit logs: 7 years (regulatory requirement)
Archived logs: 10 years (offsite, immutable storage)
Access: Read-only for auditors; write access restricted to system admins
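The record structure described above (who, what, when, where, why, before/after) together with an integrity check, as an added Python example that is not the skill's own code: each entry is hash-chained to its predecessor with SHA-256 so that an edit, deletion or reordering inside the retained log is detectable on verification. The sample events are constructed; immutable/offsite storage of the log is outside this snippet.

```python
"""Append-only audit trail with hash chaining and an integrity check.

Added example, not the skill's own code. It records the who/what/when/where/why and
before/after fields listed above for each change and links entries with SHA-256 so
that an edit or deletion inside the retained log is detectable. The sample events
are constructed; storage (WORM/immutable archive) is outside this snippet.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64


def _digest(entry):
    """Hash of the entry's content plus the previous hash, over a canonical JSON form."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def append_event(log, *, user_id, user_name, action, system, justification,
                 before, after, when=None):
    """Append one audit record; the caller never supplies the hash fields."""
    entry = {
        "seq": len(log),
        "who": {"user_id": user_id, "name": user_name},
        "what": action,                      # create / modify / delete / approve
        # Timezone-aware ISO timestamp: carries the offset alongside the UTC instant.
        "when": (when or datetime.now(timezone.utc)).isoformat(),
        "where": system,                     # system / module
        "why": justification,                # captured at time of change
        "before": before,
        "after": after,
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    entry["hash"] = _digest(entry)
    log.append(entry)
    return entry


def verify_chain(log):
    """Return (True, None) if the chain is intact, else (False, seq of the first bad entry).

    Detects edited fields (hash mismatch), removed entries (seq gap) and reordered
    entries (prev_hash no longer matches the predecessor).
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev_hash"] != prev or _digest(entry) != entry["hash"]:
            return False, entry["seq"]
        prev = entry["hash"]
    return True, None


def build_sample_log():
    """Constructed events: a JE creation, its approval, and a vendor bank-account change."""
    t0 = datetime(2025, 2, 3, 14, 5, tzinfo=timezone.utc)
    log = []
    append_event(log, user_id="u1042", user_name="M. Lee", action="create",
                 system="NetSuite/GL", justification="Accrue Q1 audit fees",
                 before=None, after={"je": "JE-2025-0117", "amount": 45000.00}, when=t0)
    append_event(log, user_id="u0007", user_name="Controller", action="approve",
                 system="NetSuite/GL", justification="Reviewed support",
                 before={"status": "pending"}, after={"status": "approved"},
                 when=t0.replace(hour=16))
    append_event(log, user_id="u2210", user_name="AP Clerk", action="modify",
                 system="NetSuite/AP", justification="Vendor remittance update, ticket AP-551",
                 before={"bank": "***1234"}, after={"bank": "***9876"}, when=t0.replace(day=4))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log))
    log[2]["after"]["bank"] = "***1234"     # simulate an after-the-fact edit of the trail
    print("after tamper:", verify_chain(log))
```

The chain only proves the log has not changed since the last anchored hash; the read-only-for-auditors, write-restricted-to-admins split in the policy above is what keeps an administrator from simply regenerating the chain, so the head hash should be copied periodically to storage those admins cannot write (the "integrity check" in the dashboard).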
ANOMALY DETECTION:
Automated alerts for:
- After-hours GL changes
- High-value JEs outside normal close window
- Multiple voids/reversals by same user
- Vendor master changes without approval
- Access changes to financial systems
- Unusual volume of transactions in short period
Current month anomalies: 2 (both investigated, no issues found)
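Four of the alert rules listed above implemented over a constructed batch of audit events, as an added Python example (not the skill's own code): after-hours GL changes, high-value JEs outside the close window, a burst of voids/reversals by one user, and vendor master changes with no approver. The thresholds (business hours 07:00-19:00 local, a 100,000 high-value line, a close window of days 1-5 of the month, 3+ voids per user within 24 hours) and the event fields are this example's assumptions, not figures from the page.

```python
"""Rule-based anomaly alerts over financial-system audit events.

Added example, not the skill's own code. It implements four of the alert rules listed
above over a constructed batch of audit events. Thresholds (business hours 07:00-19:00,
high-value JE >= 100,000, close window = first 5 days of the month, 3+ voids/reversals
by one user within 24 hours) are this example's assumptions; tune them to policy.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_HOURS = (7, 19)              # assumption: local wall-clock hours considered normal
HIGH_VALUE_JE = 100_000.0             # assumption
CLOSE_WINDOW_DAYS = 5                 # assumption: days 1-5 of the month are the close window
VOID_BURST = (3, timedelta(hours=24))  # assumption: 3 voids/reversals per user per 24h


def ev(ts, user, system, action, amount=None, approved_by=None):
    """Build one constructed audit event (timestamps carry the local offset)."""
    return {"ts": ts, "user": user, "system": system, "action": action,
            "amount": amount, "approved_by": approved_by}


SAMPLE_EVENTS = [
    ev("2025-02-03T10:15:00-05:00", "mlee", "GL", "create_je", 45000.0, "controller1"),
    ev("2025-02-03T22:40:00-05:00", "mlee", "GL", "modify_je", 12000.0, "controller1"),  # after hours
    ev("2025-02-18T11:00:00-05:00", "kpatel", "GL", "create_je", 250000.0, "cfo"),      # big JE, day 18
    ev("2025-02-10T09:00:00-05:00", "jsmith", "AP", "void_payment", 800.0),
    ev("2025-02-10T13:30:00-05:00", "jsmith", "AP", "reverse_invoice", 1500.0),
    ev("2025-02-11T08:45:00-05:00", "jsmith", "AP", "void_payment", 640.0),             # 3rd within 24h
    ev("2025-02-12T15:00:00-05:00", "aclerk", "AP", "vendor_master_change"),              # no approval
    ev("2025-02-12T15:10:00-05:00", "aclerk", "AP", "vendor_master_change", None, "apmgr"),
]


def _parse(events):
    """Attach a timezone-aware datetime and sort chronologically."""
    return sorted(({**e, "dt": datetime.fromisoformat(e["ts"])} for e in events),
                  key=lambda e: e["dt"])


def after_hours_gl_changes(events):
    return [e for e in events if e["system"] == "GL"
            and not (BUSINESS_HOURS[0] <= e["dt"].hour < BUSINESS_HOURS[1])]


def high_value_je_outside_close(events):
    return [e for e in events if e["action"] in ("create_je", "modify_je")
            and (e["amount"] or 0) >= HIGH_VALUE_JE and e["dt"].day > CLOSE_WINDOW_DAYS]


def void_bursts(events):
    """Sliding window per user: `limit` voids/reversals inside `window` raises one alert."""
    limit, window = VOID_BURST
    per_user = defaultdict(list)
    for e in events:                      # events are already chronological
        if e["action"].startswith(("void", "reverse")):
            per_user[e["user"]].append(e["dt"])
    flagged = []
    for user, times in per_user.items():
        for i in range(len(times) - limit + 1):
            if times[i + limit - 1] - times[i] <= window:
                flagged.append({"user": user, "count": limit,
                                "from": times[i], "to": times[i + limit - 1]})
                break
    return flagged


def unapproved_vendor_changes(events):
    return [e for e in events if e["action"] == "vendor_master_change" and not e["approved_by"]]


def run_rules(raw_events):
    """Apply every rule; returns (rule, user, detail) tuples for the reviewer queue."""
    events = _parse(raw_events)
    alerts = []
    for e in after_hours_gl_changes(events):
        alerts.append(("after_hours_gl_change", e["user"], e["ts"]))
    for e in high_value_je_outside_close(events):
        alerts.append(("high_value_je_outside_close", e["user"], f"{e['amount']:.2f} on {e['ts']}"))
    for b in void_bursts(events):
        alerts.append(("void_burst", b["user"], f"{b['count']} voids/reversals {b['from']} to {b['to']}"))
    for e in unapproved_vendor_changes(events):
        alerts.append(("unapproved_vendor_change", e["user"], e["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(*alert)
```

Each alert is a lead for the investigation step the page records ("investigated, no issues found"), not a conclusion; the rules are deliberately simple so that a reviewer can see exactly why an event was flagged.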
External Audit Coordination
Audit Preparation & Management
EXTERNAL AUDIT PREPARATION — FY2024 Audit
══════════════════════════════════════════
AUDIT FIRM: [Big 4 / Regional Firm]
AUDIT TEAM: Engagement partner + 4 seniors + 6 staff
AUDIT PERIOD: January 1 — December 31, 2024
TARGET REPORT DATE: April 30, 2025
AUDIT TIMELINE:
┌─────────────────────┬─────────────────┐
│ Phase               │ Dates           │
├─────────────────────┼─────────────────┤
│ Planning & scoping  │ Jan 15 — Feb 7  │
│ Interim testing     │ Feb 10 — Mar 15 │
│ Data room access    │ Feb 1 (ongoing) │
│ Substantive testing │ Mar 16 — Apr 10 │
│ Close procedures    │ Apr 11 — Apr 21 │
│ Management letter   │ Apr 22 — Apr 25 │
│ Audit opinion       │ Apr 30          │
└─────────────────────┴─────────────────┘
AUDIT PREPARATION CHECKLIST:
Corporate & Governance:
[ ] Org chart (current)
[ ] Board meeting minutes (FY2024)
[ ] Audit committee charters and meeting minutes
[ ] Key policies (code of conduct, whistleblower, related party)
[ ] Insurance certificates
[ ] Legal register and litigation status
Financial:
[ ] Trial balance (monthly, FY2024)
[ ] General ledger detail
[ ] Journal entry log (all JEs, FY2024)
[ ] Balance sheet reconciliations (all months)
[ ] Bank reconciliations (all months)
[ ] Intercompany reconciliations
[ ] Fixed asset register
[ ] Inventory records (if applicable)
[ ] Revenue contracts (significant)
[ ] Debt agreements and schedules
Tax:
[ ] Tax returns filed (federal, state, international)
[ ] Tax provision workpapers
[ ] Transfer pricing documentation
[ ] Tax audit correspondence (if any)
IT:
[ ] ITGC testing results
[ ] System access logs
[ ] Change management records
[ ] Disaster recovery documentation
[ ] Cybersecurity assessment
DATA ROOM STATUS:
Total items required: 85
Uploaded: 72 (85%)
In progress: 10
Missing: 3 (legal opinions, insurance certs, DR test results)
Target completion: Feb 15
PRIOR YEAR AUDIT RESULTS:
Opinion: Unqualified (clean)
Management letter findings: 3 (all resolved)
1. Timely bank recs — RESOLVED (implemented automated recs)
2. JE documentation — RESOLVED (enhanced templates)
3. Access review frequency — RESOLVED (quarterly reviews started)
No material weaknesses or significant deficiencies
Audit Findings & Remediation
Finding Management Process
AUDIT FINDING MANAGEMENT:
══════════════════════════
FINDING CLASSIFICATION:
Material Weakness (MW): Most severe — reasonable likelihood of material misstatement
Significant Deficiency (SD): Less severe than MW but important enough to merit attention
Observation/Recommendation: Best practice improvement, not a deficiency
Observation: Informational — no deficiency identified
CURRENT FINDINGS (FY2023 Audit — All Remediated):
┌──────┬────────────────────────────────────────┬──────────┬──────────────────────────────────┬──────────┐
│ #    │ Finding                                │ Severity │ Remediation                      │ Status   │
├──────┼────────────────────────────────────────┼──────────┼──────────────────────────────────┼──────────┤
│ F-01 │ Late bank recs (3 months >5 days late) │ SD       │ Auto-rec implementation          │ ✓ Closed │
│ F-02 │ Insufficient JE documentation          │ SD       │ Enhanced JE templates + approval │ ✓ Closed │
│ F-03 │ Annual (not quarterly) access review   │ Obs      │ Quarterly reviews implemented    │ ✓ Closed │
└──────┴────────────────────────────────────────┴──────────┴──────────────────────────────────┴──────────┘
REMEDIATION WORKFLOW:
1. Finding issued (audit report)
2. Management assessment (agreement with finding, severity)
3. Remediation plan (action steps, owner, deadline)
4. Implementation (execute remediation)
5. Testing (verify remediation effectiveness)
6. Close (document resolution, auditor confirmation)
Average remediation time (prior year): 45 days
Target: 30 days for SD, 60 days for MW
Compliance Monitoring
Regulatory Compliance Calendar
REGULATORY COMPLIANCE CALENDAR:
════════════════════════════════
SOX COMPLIANCE:
Quarterly controls testing: ✓ On schedule (Q1 2025 in progress)
Annual management assessment: Feb 28, 2025
External auditor attestation: April 2025
SOD review: Quarterly (next: Mar 15)
Annual access certification: Apr 30, 2025
DATA PRIVACY (GDPR/CCPA):
Data protection impact assessments: Annual (next: Q3 2025)
Privacy policy review: Annual (last: Jan 2025) ✓
Data subject request process: Ongoing (avg. 12 days response)
Third-party data processing agreements: Quarterly review
Breach response plan: Annual test (next: Q2 2025)
FINANCIAL REGULATORY:
SEC filings (if public): 10-K (Apr 30), 10-Q (quarterly), 8-K (as needed)
Sarbanes-Oxley: CEO/CFO certifications on all filings
Whistleblower program: Annual communication (last: Jan 2025) ✓
Code of conduct training: Annual (completion rate: 96%)
EMPLOYEE/PAYROLL COMPLIANCE:
DOL wage & hour: Ongoing monitoring
I-9 audit readiness: Quarterly spot checks
EEO reporting: Annual (EEO-1 filing: Sep 2025)
Benefits compliance (ERISA): Annual
CYBERSECURITY:
SOC 2 Type II: Annual (report due: June 2025)
Penetration testing: Semi-annual (next: Apr 2025)
Vulnerability assessment: Monthly
Incident response drill: Semi-annual (next: May 2025)
Output
Audit & Compliance Dashboard
AUDIT & COMPLIANCE DASHBOARD — Q1 2025
══════════════════════════════════════════
Controls Testing:
Q1 2025 testing: In progress (45% complete)
Prior year pass rate: 98% (141/144)
Current exceptions: 0 (on track for 100%)
Target: 95%+ pass rate
SOX Compliance:
Overall status: ✓ COMPLIANT
Material weaknesses: 0
Significant deficiencies: 0
Observations: 2 (non-material)
SOD Monitoring:
Total violations: 3 (1 HIGH, 2 MEDIUM)
Remediated: 0 (in progress)
Compensating controls: 3 documented
Next review: Mar 15
Audit Trail:
Coverage: 100% financial systems
Anomalies (current month): 2 (investigated, no issues)
Retention: 7 years active, 10 years archived
Last integrity check: Jan 2025 ✓
External Audit (FY2024):
Status: Interim testing phase
Data room: 85% complete
Prior year opinion: Unqualified (clean)
Prior year findings: 3 (all remediated)
Target report date: April 30, 2025
Compliance Calendar:
Upcoming deadlines:
Feb 28: SOX management assessment — 2 days ⚠
Mar 15: SOD review — 17 days
Apr 30: Annual access certification — 53 days
Jun 30: SOC 2 Type II report — 95 days
Risk Rating: LOW
All key controls operating effectively
No unresolved material findings
Audit preparation on track
Integration Points
- ERP/GL (NetSuite, SAP): Transaction data, audit log, change tracking
- GRC platforms (ServiceNow GRC, MetricStream, AuditBoard): Controls management, testing
- Access management (Okta, Azure AD): User access, role assignment, SOD analysis
- Document management (SharePoint, Box): Audit evidence, workpapers
- External auditor portals: Data room, document sharing, Q&A
- BI platforms: Compliance dashboards, metrics tracking
- IT monitoring tools: System logs, anomaly detection, change tracking
- HR systems: Employee access provisioning/deprovisioning
- Cybersecurity platforms: SOC 2 compliance, penetration testing results
Edge Cases
- Remote/hybrid workforce: Access controls for remote users; multi-factor authentication enforcement
- Cloud ERP migration: Parallel testing during transition; data integrity validation; cut-over controls
- Acquired entities: Controls gap assessment; integration into SOX program; timeline for compliance
- Regulatory changes: New compliance requirements assessment; control updates; training
- Whistleblower allegations: Investigation process; documentation; remediation; reporting
- Audit scope changes: Auditor expands scope → additional testing; resource allocation
- Material weakness identification: Immediate escalation to Audit Committee; emergency remediation plan
- International compliance: Multiple regulatory regimes; local audit requirements; cross-border data transfer
- System failures: Disaster recovery testing; data restoration validation; business continuity
- Third-party risk: Vendor audit rights; SOC report review; sub-service provider monitoring