Fast growth fixes revenue, then exposes controls. Close runs longer, access piles up, and approvals drift from Slack threads to memory. You do not need a full SOX program yet. You do need a SOX-lite set of practical internal controls, in place before your first audit, that keeps risk low and documentation clean.
What this section covers
A pragmatic control framework for pre-audit scale-ups in the US and UK, including teams that work with offshore accountants. It covers entity-level controls, ITGCs, and key process controls across revenue, purchasing, and payroll. You also get simple templates to plug in today.
1) Entity-level controls that set the tone
Board and oversight
- Quarterly financial pack to the board with KPI trends and variance notes
- Written delegation of authority with spend limits by role
- Related-party register updated each quarter
Policies and training
- Accounting policy manual with revenue, capitalization, and expense recognition rules
- Document retention policy for finance and tax
- Annual fraud and ethics acknowledgement for finance and IT
Template: Delegation of Authority (one page)
Role | Threshold | Requires Second Approval?
Finance Lead | Up to $25k | Yes, above $10k by Controller
Controller | Up to $75k | Yes, above $50k by CFO
CFO | Up to $250k | Yes, above $150k by CEO
2) IT General Controls (ITGCs) that keep data reliable
Access and change
- User provisioning with ticket evidence and manager approval
- Quarterly access review for ERP, billing, payroll, and data warehouse
- Change management tickets for code and configuration with peer review
Operations and backups
- Daily automated backups for ERP and billing, restore tested each quarter
- Audit logging enabled on finance apps and SSO
- Offboarding checklist that removes access within one business day
Template: Access Review Log
System | Period | Reviewer | Exceptions Found | Fix Date | Evidence Link
ERP | Q1 | Controller | None | n/a | /ITGC/Q1/ERP_Access.pdf
3) Revenue controls that prevent reclass and restatements
Order to cash
- Signed order, price, and term in CRM before billing
- Billing generated from approved order only; no manual price edits without a ticket
- Credit memos require approver different from biller
Revenue recognition
- Contract review checklist that flags multi-element bundles and setup fees
- Revenue schedule auto-generated by billing or RevRec tool and reviewed monthly
- Cutoff test each month: sample the first 10 next-month invoices for prior-period services
Receivables
- Cash application performed by a person who does not raise invoices
- AR aging reviewed monthly with write-off policy and approver
Template: Contract Review Checklist (extract)
[ ] Is there variable consideration (usage, overage, rebates)?
[ ] Are services distinct? If not, bundle documented.
[ ] Term start date aligns to service delivery start.
[ ] Revenue schedule attached to ticket and reviewed.
4) Purchasing controls that stop leakage
Procure to pay
- Vendor onboarding with bank verification and tax forms
- Three-way match for POs over the threshold
- No vendor master edits without a ticket and second reviewer
Expense and card controls
- Corporate card policy with per-user limits and MCC blocks
- Monthly expense review by someone other than the cardholder’s manager
- AP cutoff test: sample receipts received but not invoiced and accrue
Template: Vendor Change Ticket
Vendor: ______ | Change: Bank details update
Requestor: ____ | Approver: ____ | Verification: Call-back completed (Y/N)
Evidence: Screenshot + bank letter, stored at /AP/Vendors/<Vendor>/YYYYMMDD.pdf
5) Payroll controls that keep totals tight
Hires and changes
- HRIS to payroll sync with maker-checker review
- Pay rate changes require manager approval and HR verification
- Access to payroll limited to named roles; quarterly payroll access review
Pay run
- Gross-to-net report reviewed and signed by Controller
- Bank file release by a second person
- Post-payroll reconciliation of payroll expense, taxes, and liabilities
Template: Payroll Sign-off
Prepared by: Payroll Lead | Date: ___
Reviewed by: Controller | Date: ___
Bank file released by: CFO | Date: ___
Tie-out to GL completed: Yes/No | Evidence link: /Payroll/TieOut_YYYYMM.xlsx
6) Maker-checker when using offshore teams
- Separate preparer and approver for journals, bank recs, and revenue schedules
- Handoffs documented with ticket IDs and links to source evidence
- Restricted access to bank portals, payroll, and vendor banking
- Weekly close cadence with a 30-minute pre-close review
Template: Close Handoff Note
Task: Bank Rec May
Preparer: Offshore Sr. Accountant
Approver: Controller
Evidence: /Close/2025-05/Bank/XYZ_BankRec.pdf
Exceptions: None
7) Minimum monthly close pack
- Trial balance with flux analysis vs last month and same month last year
- Bank, AR, AP, and payroll reconciliations with sign-offs
- Revenue recognition rollforward and deferred revenue schedule
- Fixed asset rollforward and capex additions
- JE log with purpose, support link, and approver
Template: JE Log (columns)
Date | JE # | Purpose | Amount | Accounts | Support Link | Prepared by | Approved by
8) Control testing plan for pre-audit readiness
- Pick 10 high-value controls across entity-level, ITGCs, revenue, purchasing, and payroll
- For each, test one sample per month for three months
- Store results in a single workbook with pass or fail and remediation owner
- Present summary to leadership each quarter
Template: Control Test Matrix
Control ID | Process | Assertion | Frequency | Samples | Result | Remediation Owner | Due Date
R-02 | Revenue | Accuracy | Monthly | 3 | Pass | n/a | n/a
9) Document retention and evidence rules
- Use searchable PDFs. Add page numbers to multi-page exhibits
- Save evidence where the control lives, not in email threads
- Keep a cross-reference index so auditors can trace from control to support in one click
- Retention: keep finance records for seven years unless law requires longer
10) Rollout sequence that works in a quarter
- Publish the delegation of authority and card policy
- Turn on SSO and audit logs for finance apps, then run an access review
- Lock the close calendar and maker-checker for journals and reconciliations
- Implement contract review and revenue schedule sign-off
- Add vendor change tickets and bank verification
- Pilot control testing on five controls, then expand to ten
Summary
Keep controls small, visible, and testable. With clear approvals, clean access, and maker-checker on the big money flows, you arrive at your first audit with evidence that reads like a story and a close that does not stall. This is enough structure to protect the numbers and light enough to run fast.