This assessment evaluates the maturity of a company's internal financial controls across five critical dimensions: control environment and governance, segregation of duties, financial close and reporting controls, IT general controls, and audit readiness. The output is a COSO-aligned composite maturity score (1-5) that identifies control gaps before auditors do. [src2]
What this measures (control environment and governance): tone at the top, organizational structure, policies, and risk assessment, i.e. COSO Component 1 (Control Environment) together with Component 2 (Risk Assessment).
| Score | Level | Description | Evidence |
|---|---|---|---|
| 1 | Ad hoc | No formal policies; roles unclear; no risk assessment | No written policies; no org chart |
| 2 | Emerging | Basic policies outdated; sporadic compliance training | Some policies; last update >2 years ago |
| 3 | Defined | Comprehensive policy manual; formal risk assessment; code of conduct | Policy manual current; annual risk assessment; hotline active |
| 4 | Managed | COSO-aligned framework; ongoing monitoring activities; board oversight | Quarterly risk reviews; risk appetite defined; audit committee engaged |
| 5 | Optimized | Integrated GRC platform; continuous monitoring; risk-aware culture | GRC deployed; predictive risk analytics; culture surveys |
Red flags: No written policies; CEO overrides controls; no whistleblower mechanism. [src2]
Quick diagnostic question: "When was your financial policy manual last updated?"
What this measures (segregation of duties): whether duties are divided so that no single person can control an entire financial process end to end, in any one system or across several.
| Score | Level | Description | Evidence |
|---|---|---|---|
| 1 | Ad hoc | One person handles end-to-end financial processes | Same person creates vendors and approves payments |
| 2 | Emerging | SoD concerns identified but not systematically addressed | Some dual controls; spreadsheet tracking |
| 3 | Defined | Formal SoD matrix; key conflicts remediated | SoD matrix; compensating controls documented |
| 4 | Managed | Automated SoD enforcement; continuous monitoring | System-enforced SoD; automated alerts |
| 5 | Optimized | Real-time cross-system SoD monitoring; predictive detection | Zero unresolved violations; predictive analytics |
Red flags: Same person creates vendors and processes payments; no SoD matrix. [src3]
Quick diagnostic question: "Can a single person create a vendor, enter an invoice, and approve payment?"
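The diagnostic question above is answerable mechanically once entitlements are exported. The following is an added example, not tooling from the assessment itself: it aggregates a constructed entitlement export per user across systems (so a chain split between an ERP and an AP portal is still caught), checks each user against a small SoD matrix, reports the most specific toxic combination once, and marks whether a documented compensating control exists for it (the level 3 evidence). The capability names, system names and the compensating-control register are assumptions made for the example.

```python
"""Segregation-of-duties conflict check over user entitlements.

Added illustration, not the assessment page's own tooling. ENTITLEMENTS,
SOD_RULES and COMPENSATING_CONTROLS are constructed sample data; the
capability names are assumptions chosen to mirror the vendor / invoice /
payment chain in the diagnostic question.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed entitlement export: (user, system, capability). One user may hold
# pieces of a conflicting chain in different systems, so grants are merged per
# user before any rule is evaluated.
ENTITLEMENTS = [
    ("alice", "erp", "create_vendor"),
    ("alice", "erp", "enter_invoice"),
    ("alice", "ap_portal", "approve_payment"),   # full chain, split across two systems
    ("bob", "erp", "enter_invoice"),
    ("bob", "erp", "approve_payment"),           # pair conflict, mitigated below
    ("carol", "erp", "create_vendor"),
    ("carol", "erp", "enter_invoice"),           # no rule forbids this pair
    ("dave", "erp", "post_journal_entry"),
    ("dave", "erp", "approve_journal_entry"),    # self-approval of journal entries
]

# SoD matrix: each rule names a set of capabilities that must not sit with one person.
SOD_RULES = {
    "vendor-invoice-payment": {"create_vendor", "enter_invoice", "approve_payment"},
    "invoice-vs-payment": {"enter_invoice", "approve_payment"},
    "vendor-vs-payment": {"create_vendor", "approve_payment"},
    "je-self-approval": {"post_journal_entry", "approve_journal_entry"},
}

# Documented compensating controls (assumed register): (user, rule) -> description.
COMPENSATING_CONTROLS = {
    ("bob", "invoice-vs-payment"): "Controller reviews all payments over 5k weekly",
}


@dataclass(frozen=True)
class Violation:
    user: str
    rule: str
    capabilities: tuple
    systems: tuple
    mitigated: bool


def aggregate(entitlements):
    """Collapse per-system grants into {user: {capability: {systems}}}."""
    per_user = defaultdict(dict)
    for user, system, cap in entitlements:
        per_user[user].setdefault(cap, set()).add(system)
    return per_user


def find_violations(entitlements, rules, compensating):
    """Evaluate rules largest-first so a full chain is reported once, not also as its sub-pairs."""
    violations = []
    ordered = sorted(rules.items(), key=lambda kv: -len(kv[1]))
    for user, caps in sorted(aggregate(entitlements).items()):
        held = set(caps)          # capability names this user holds anywhere
        fired = []                # toxic sets already reported for this user
        for rule_name, toxic in ordered:
            if toxic <= held and not any(toxic < bigger for bigger in fired):
                fired.append(toxic)
                systems = sorted({s for c in toxic for s in caps[c]})
                violations.append(Violation(
                    user=user,
                    rule=rule_name,
                    capabilities=tuple(sorted(toxic)),
                    systems=tuple(systems),
                    mitigated=(user, rule_name) in compensating,
                ))
    return violations


def unresolved(violations):
    """Violations with no documented compensating control (what level 5 expects to be zero)."""
    return [v for v in violations if not v.mitigated]


if __name__ == "__main__":
    for v in find_violations(ENTITLEMENTS, SOD_RULES, COMPENSATING_CONTROLS):
        state = "mitigated" if v.mitigated else "UNRESOLVED"
        print(f"{v.user:6} {v.rule:24} {','.join(v.systems):14} {state}")
```

Run on the constructed data it reports alice's cross-system vendor/invoice/payment chain (unresolved), bob's invoice/payment pair (mitigated) and dave's journal-entry self-approval (unresolved); carol holds vendor creation and invoice entry, which no rule forbids. Feeding it real exports means mapping each system's roles onto the shared capability names first, which is the part of an SoD matrix that takes the actual work.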
What this measures (financial close and reporting controls): controls around the financial close, account reconciliations, journal entries (JEs), and preparation of the financial statements.
| Score | Level | Description | Evidence |
|---|---|---|---|
| 1 | Ad hoc | No formal close; sporadic recs; unreviewed JEs; 20+ day close | No close checklist; reconciliations for audit only |
| 2 | Emerging | Basic close checklist; key recs monthly; 15-20 day close | Bank/AR/AP recs monthly; JE review for material entries |
| 3 | Defined | Close calendar; all BS accounts reconciled; 10-15 day close | Full BS reconciliation; JE approval workflow |
| 4 | Managed | Automated close management; continuous recs; 5-10 day close | Close tool; automated recs; sub-certifications |
| 5 | Optimized | Continuous close; AI anomaly detection; <5 day close | Real-time matching; virtual close capability |
Red flags: Close >15 days; BS accounts not reconciled monthly; large JEs unreviewed. [src5]
Quick diagnostic question: "How many business days does your monthly close take?"
What this measures (IT general controls, ITGCs): controls over the IT systems that support financial reporting, covering logical access, change management, backup and recovery, and operations.
| Score | Level | Description | Evidence |
|---|---|---|---|
| 1 | Ad hoc | Shared passwords; no change management; no logs | Shared admin; no access reviews; no audit trail |
| 2 | Emerging | Individual passwords; informal change management | No periodic review; basic logging |
| 3 | Defined | Quarterly access reviews; documented change management | Change tickets; automated backups; audit logging |
| 4 | Managed | RBAC; automated provisioning; formal SDLC | Automated onboard/offboard; complete audit trail; DR tested |
| 5 | Optimized | Zero-trust; continuous monitoring; automated validation | Security analytics; SOC 2 Type II |
Red flags: Shared admin passwords; terminated employees retain access >24hrs. [src4]
Quick diagnostic question: "How quickly is access revoked when an employee leaves?"
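The revocation red flag above can be tested the same way an auditor would, by joining the HR termination feed to an account export. The block below is an added example, not part of the assessment page: both feeds are constructed sample data, the field layout and the `as_of` evaluation time are assumptions, and the 24-hour SLA is the page's own threshold. An account that is still enabled is measured against `as_of`, a disabled account against its recorded disable time, and a disabled account with no recorded disable time is flagged separately because, without a timestamp, the control cannot be evidenced (the "no audit trail" red flag).

```python
"""Leaver access-revocation check against a 24-hour SLA.

Added example, not the assessment page's own tooling. HR_TERMINATIONS and
ACCOUNTS are constructed exports; field layout and AS_OF are assumptions.
"""
from datetime import datetime, timedelta, timezone

REVOCATION_SLA = timedelta(hours=24)
AS_OF = datetime(2024, 3, 5, 0, 0, tzinfo=timezone.utc)   # assumed evaluation time

# Constructed HR feed: employee id -> termination time (UTC).
HR_TERMINATIONS = {
    "e101": datetime(2024, 3, 1, 17, 0, tzinfo=timezone.utc),
    "e102": datetime(2024, 3, 3, 9, 0, tzinfo=timezone.utc),
    "e103": datetime(2024, 3, 4, 12, 0, tzinfo=timezone.utc),
    "e104": datetime(2024, 3, 2, 8, 0, tzinfo=timezone.utc),
}

# Constructed account export: (employee id, system, enabled, disabled_at or None).
ACCOUNTS = [
    ("e101", "erp", False, datetime(2024, 3, 1, 19, 0, tzinfo=timezone.utc)),  # closed in 2h
    ("e101", "vpn", True, None),      # still enabled days after termination
    ("e102", "erp", False, datetime(2024, 3, 4, 11, 0, tzinfo=timezone.utc)),  # closed after 26h
    ("e103", "erp", True, None),      # enabled, but still inside the SLA window at AS_OF
    ("e104", "erp", False, None),     # disabled, but no timestamp recorded
    ("e200", "erp", True, None),      # active employee, absent from the termination feed
]


def hours(delta):
    return round(delta.total_seconds() / 3600, 1)


def revocation_findings(terminations, accounts, as_of):
    """Return (employee, system, status, hours_after_termination) for every account
    whose revocation breached the SLA, is still open past it, or cannot be evidenced."""
    findings = []
    for emp, system, enabled, disabled_at in accounts:
        term = terminations.get(emp)
        if term is None:
            continue                                   # not a leaver, out of scope
        if not enabled and disabled_at is None:
            findings.append((emp, system, "no-timestamp", None))
            continue                                   # revoked, but no evidence of when
        end = as_of if enabled else disabled_at
        lag = end - term
        if lag > REVOCATION_SLA:
            status = "open" if enabled else "closed-late"
            findings.append((emp, system, status, hours(lag)))
    return findings


def worst_open_lag_hours(findings):
    """Largest lag among accounts that are still enabled, or 0.0 if none."""
    open_lags = [h for _, _, status, h in findings if status == "open"]
    return max(open_lags, default=0.0)


if __name__ == "__main__":
    for f in revocation_findings(HR_TERMINATIONS, ACCOUNTS, AS_OF):
        print(f)
```

On the constructed data the check flags e101's VPN account (still open 79 hours after termination), e102's ERP account (disabled, but 26 hours late) and e104's account (disabled with no timestamp, so the control cannot be evidenced); e103 is still within the 24-hour window and produces nothing yet. Running this against live exports on a schedule, rather than once a year before the audit, is the difference between the level 3 and level 4 rows above.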
What this measures (audit readiness): preparedness for internal or external audit, covering documentation, evidence retention, and remediation of findings.
| Score | Level | Description | Evidence |
|---|---|---|---|
| 1 | Ad hoc | No audit prep; evidence gathered reactively; findings not tracked | Audit prep is firefighting; no internal audit |
| 2 | Emerging | Basic prep 2-4 weeks before; findings partially addressed | Some findings remediated; documentation incomplete |
| 3 | Defined | Year-round readiness; PBC list maintained; self-assessments | PBC list current; findings tracked; evidence retained |
| 4 | Managed | Continuous readiness; automated evidence; internal audit function | Automated evidence; finding SLAs; management testing |
| 5 | Optimized | AI-assisted testing; zero repeat findings; continuous assurance | Predictive analytics; continuous assurance platform |
Red flags: Prior findings recur yearly; evidence scrambled during audit; material weaknesses reported. [src1]
Quick diagnostic question: "How many of last year's audit findings have been fully remediated?"
Overall Score = (Control Env + SoD + Close Controls + ITGCs + Audit Readiness) / 5
Private company variant = (Control Env + SoD + Close Controls + 0.5 x ITGCs + Audit Readiness) / 4.5 (ITGCs carry half weight; the divisor is the sum of the weights, so the result stays on the 1-5 scale)
Map the overall score to a maturity level:
| Overall Score | Maturity Level | Interpretation | Recommended Next Step |
|---|---|---|---|
| 1.0 - 1.9 | Critical | Major control deficiencies — material weakness likely | Engage external advisor for urgent remediation |
| 2.0 - 2.9 | Developing | Significant gaps; suitable for private but not public reporting | Document controls, implement SoD, formalize close |
| 3.0 - 3.9 | Competent | Adequate for private; pre-IPO needs 6-12 months improvement | Automate testing, implement GRC, build internal audit |
| 4.0 - 4.5 | Advanced | Control environment consistent with SOX 404 requirements | Optimize with continuous monitoring and AI-assisted testing |
| 4.6 - 5.0 | Best-in-class | Leading control environment; audits close with few or no findings | Maintain through continuous improvement |
Benchmark the overall score against the company's segment:
| Segment | Expected Average | "Good" Threshold | "Alarm" Threshold |
|---|---|---|---|
| Private (<$75M) | 2.0 - 2.5 | > 3.0 | < 1.5 |
| Private (>$75M, pre-IPO) | 2.5 - 3.0 | > 3.5 | < 2.0 |
| Newly Public (first 2 years) | 3.0 - 3.5 | > 4.0 | < 2.5 |
| Mature Public | 3.5 - 4.5 | > 4.0 | < 3.0 |
Fetch when a user asks about SOX readiness, internal control assessment, audit preparedness, segregation of duties evaluation, IPO readiness from a controls perspective, or diagnosing recurring audit findings.