For Controllers
What you'll accomplish
This guide shows you how to use Claude to draft audit-ready internal control narratives, risk/control matrices, and audit response letters in a fraction of the time it takes to write them from scratch. Control documentation that previously took 45–90 minutes per control becomes 10–15 minutes of paste-and-review work.
What you'll need
Start every control documentation session by telling Claude what framework and format to use:
I'm a Controller documenting internal controls for [SOX compliance / internal audit / external audit preparation]. Please use COSO framework language and format control narratives to include: (1) Control Objective, (2) Risk Addressed, (3) Control Description, (4) Control Performer, (5) Frequency, (6) Evidence of Performance, and (7) Control Type [Preventive/Detective]. I'll describe controls in plain language and you format them into audit-ready narratives.
What you should see: Claude confirming it understands the framework and is ready for your control descriptions.
For each control, send a plain-language description:
Control to document: The Controller reviews the monthly bank reconciliation for all accounts with balances over $100,000. Review must be completed within 5 business days of month-end. The Controller signs the reconciliation in Blackline and dates it. The review is meant to ensure that all transactions are properly recorded and that any unexplained reconciling items are investigated.
What you should see: A formally structured control narrative using COSO language, ready to paste into your control documentation or audit workpapers.
For multiple related controls in one process area:
Create a risk/control matrix section for the financial close process. Include these risks and the controls that mitigate each:
Risk 1: Journal entries posted without proper review — Control: All manual JEs over $25K require a second approver in the ERP before posting
Risk 2: Accruals recorded at incorrect amounts — Control: Controller reviews accrual schedule and supporting calculations monthly before posting
Risk 3: Bank transactions not recorded timely — Control: Daily bank statement reconciliation by accounting staff; reviewed by Controller weekly
Format as a table: Risk | Risk Level [H/M/L] | Control Description | Control Type | Frequency | Performer
What you should see: A complete risk/control matrix table ready to paste into Excel or Word.
For responding to auditor findings or PBC (Prepared By Client) requests:
Draft a management response to this audit finding: [paste the finding]. Our planned remediation: [describe]. Timeline: [when it will be fixed]. Tone: professional, constructive, not defensive. Use formal audit response letter language.
For audit process walkthroughs:
Write a process walkthrough narrative for the accounts payable disbursement process. Steps in our process: (1) Invoice received by AP clerk, coded to GL account, entered in ERP; (2) Invoices over $5,000 require department manager approval in ERP before payment; (3) All ACH and check payments require Controller approval before processing; (4) Weekly payment run every Friday; (5) Bank reconciliation completed monthly by Senior Accountant. Format as a narrative walkthrough suitable for inclusion in audit workpapers.
Control narrative:
Write an internal control narrative using COSO framework. Sections: Control Objective, Risk Addressed, Control Description, Performer, Frequency, Evidence, Control Type [Preventive/Detective]. Control description: [plain language description].
Risk/control matrix:
Create a risk/control matrix table for [process area]. Risks: [list]. For each risk: Control Description, Control Type, Frequency, Performer. Format as table.
Audit response:
Write a management response to this audit finding: [finding]. Remediation: [plan]. Timeline: [dates]. Professional, constructive, not defensive. Formal audit response format.
Process walkthrough:
Write a process walkthrough narrative for [process name] for inclusion in audit workpapers. Steps: [numbered list]. Include any key controls embedded in the process.