🛡️ Module 11: Controls & Audit
Strong internal controls and audit readiness are essential for protecting business assets, ensuring accuracy,
and maintaining compliance. This detailed module covers internal controls, segregation of duties,
audit trails in QuickBooks Online, and how to prepare for an external audit or CRA review.
11.1 What Are Internal Controls?
Internal controls are policies, procedures, and systems designed to:
- Safeguard business assets (cash, inventory, data)
- Ensure the accuracy and reliability of financial records
- Prevent and detect fraud and errors
- Promote operational efficiency
- Ensure compliance with laws and regulations (including CRA rules)
In QuickBooks Online, internal controls are achieved through a combination of system settings, user permissions,
workflows, and manual review processes.
11.2 Key Principles of Internal Controls
- Segregation of Duties: No single person should handle all aspects of a transaction (authorization, recording, custody)
- Authorization: All significant transactions must be properly approved
- Physical Controls: Safeguarding assets and documents
- Independent Verification: Regular reconciliations and reviews by someone other than the person doing the work
- Documentation: Clear records and audit trails for every transaction
11.3 Segregation of Duties in QuickBooks Online
One of the most important controls in small businesses:
- The person who reconciles the bank should **not** be the same person who issues payments or creates invoices.
- The person entering bills should not be the one approving and paying them.
- Owner or manager should review and approve large or unusual transactions.
Real-World Example: If the bookkeeper also signs cheques and reconciles the bank account, there is high risk of fraud.
Best practice: Bookkeeper records transactions → Manager approves payments → Different person performs bank reconciliation.
11.4 User Roles and Permissions in QuickBooks Online
QBO allows granular control over what each user can do:
- Master Admin: Full access
- Company Admin: Can manage users and most settings
- Standard User: Can create and edit transactions
- Time Tracking Only
- Reports Only
- Accountant User: Special access for external accountants
Best Practice: Give users the minimum permissions they need to do their job (Principle of Least Privilege).
11.5 Audit Trail in QuickBooks Online
The Audit Log is one of QBO’s most powerful control features (available in Plus and Advanced plans).
How to Access the Audit Log:
- Click the Gear Icon (⚙️) → Tools → Audit Log
- Filter by Date, User, or Event
- Review changes to transactions, settings, users, or reports
The Audit Log records who made what change, when, and what the previous value was. This is extremely useful during audits or investigations.
11.6 Bank Reconciliation as a Control Tool
Monthly bank reconciliation is one of the strongest detective controls:
- It verifies that recorded transactions match actual bank activity
- It detects unauthorized or fraudulent transactions
- It catches errors in recording
Control Tip: Have someone independent of the person entering transactions perform the reconciliation and sign off on it.
11.7 Preparing for an Audit or CRA Review
Good controls make audits much smoother. Key preparation steps include:
- Maintaining complete supporting documentation attached to transactions in QBO
- Keeping clear memos on all journal entries and adjustments
- Retaining bank statements, invoices, and receipts
- Having an up-to-date Chart of Accounts with proper classifications
- Being able to produce Trial Balance, General Ledger, and HST Summary reports quickly
- Documenting all significant accounting policies and estimates
11.8 Common Control Weaknesses in Small Businesses Using QBO
- Single person handling all bookkeeping functions
- No review or approval process for payments
- Weak password policies and shared logins
- Lack of regular bank reconciliations
- Over-reliance on bank feeds without review
- Not using the Audit Log regularly
- Mixing personal and business expenses
11.9 Best Practices for Strong Internal Controls in QBO
- Enable two-factor authentication for all users
- Regularly review user permissions and remove access when someone leaves
- Perform monthly bank and credit card reconciliations
- Use bank rules and recurring transactions to reduce manual entry errors
- Attach source documents to every transaction
- Have a second person review large or unusual transactions
- Run and review key reports monthly (P&L, Balance Sheet, A/R Aging)
- Document all adjusting journal entries thoroughly
- Keep a separate "Month-End File" with checklists and supporting schedules
11.10 Canadian Compliance Considerations (CRA Focus)
For Canadian businesses, strong controls help with:
- HST/GST compliance and Input Tax Credit claims
- Payroll source deductions and T4 reporting
- Corporate tax filings
- CRA audit readiness
Always ensure HST is correctly charged, collected, and remitted, and that Input Tax Credits are supported by proper documentation.
11.11 Extended Self-Check Questions
Q1: What is the most important internal control principle for preventing fraud?
Answer: Segregation of Duties.
Q2: Who should ideally perform the bank reconciliation?
Answer: Someone who does not issue payments or enter most transactions.
Q3: Where can you see a history of all changes made in QuickBooks Online?
Answer: In the Audit Log (Gear Icon → Tools → Audit Log).
Q4: Why is attaching source documents to transactions a strong control?
Answer: It provides evidence and support during audits or reviews.
← Back to All Modules