Account Reconciliation Hygiene: The Audit-Ready Evidence Pack Mid-Market Controllers Don't Yet Build

Account reconciliations exist in nearly every mid-market finance team. The evidence pack a SOX or GAAP audit will accept, preparer/reviewer separation, item-level support, aging policy, exception sign-off, exists in materially fewer.

Updated for 2026. Reconciliation tools now ship agent-assisted matching and exception-clearing features that quietly enter the control narrative. The evidence pack discipline holds, but the policy attached to it needs the language in our one-page AI governance policy field guide before an external auditor accepts agent activity in the control. The auditor scores the file, not the math The reconciliation finding pattern across the mid-market audits we have observed is consistent enough that we can name it without reservation: the finding is rarely that the account did not balance. The finding is that the evidence the controller produced for the auditor did not satisfy the auditor's procedural requirements. The balance ties. The reconciliation tool ran cleanly. The number in the GL agrees with the number in the source system. And the audit still produces a control deficiency, sometimes a significant deficiency, sometimes, under SOX 404 conditions in a publicly-held or PE-backed-with-public-aspiration environment, a material weakness. The pattern resolves to a single observation. The auditor does not score the reconciliation as a balancing exercise. The auditor scores the reconciliation as a control, and a control is evaluated by its evidence. A reconciliation with no preparer signature, with auto-generated reviewer approval where the reviewer never actually examined the work, with item-level reconciling differences that have no underlying support, with stale unreconciled items that have aged beyond any defensible threshold, fails the control test even though the balance ties. The math is correct. The control is broken. The finding follows. This guide walks the reconciliation regime as the auditor actually evaluates it, the four-quadrant classification we use to triage reconciliations across the chart, the role of the reconciliation tooling, BlackLine, FloQast, ReconArt, Trintech Cadency, and the variants, versus the discipline that operates the tooling, the audit-finding patterns we have cited most often in mid-market reviews, and the structured workpaper that constitutes the audit-ready evidence pack. The audience is the controller running month-end close in a mid-market organization, the assistant controller who owns the reconciliation review, the SOX or internal audit lead, and the CFO who will see the finding if the work is not done. We covered the broader 10-day close discipline in our close calendar guide and the systems-integrator role in our finance transformation guide; this guide is the reconciliation-specific layer underneath both. The four-quadrant classification: high-risk and high-volume, separately The first discipline that applies to the reconciliation regime is classification. Every account in the GL does not warrant the same reconciliation rigor. The mid-market chart of accounts typically runs to several hundred natural accounts plus segment dimensions; treating each account as equally significant is operationally infeasible and produces a reconciliation regime that exhausts the team without focusing the work where the audit actually scores it. The classification we apply across our engagements is two-dimensional. The first dimension is risk: how likely is a misstatement in this account to lead to a material misstatement of the financial statements, considering the account's volume, complexity, judgment content, and historical findings? The second dimension is volume: how many transactions flow through this account in a typical period, and how many reconciling items typically appear on the reconciliation? The cross of the two dimensions produces four quadrants. High-risk, high-volume accounts, operating cash, AR, AP, payroll liabilities, accrued expenses with judgment content, intercompany, receive the highest rigor. The reconciliation runs at month-end with no exceptions, the preparer is a senior accountant with the substantive knowledge to identify reconciling items, the reviewer is a controller or assistant controller who actually examines the items, the supporting documentation is attached at the item level, and the exception aging is policed weekly rather than monthly. High-risk, low-volume accounts, debt, lease obligations under ASC 842, equity, deferred tax, certain accruals, receive equivalent rigor on the documentation side but a different cadence on the procedural side. The reconciliation may run monthly or quarterly depending on activity; the analytical work supporting it (debt schedule, lease amortization schedule, deferred tax roll-forward) is the substantive support; the reviewer is typically a controller or above; the audit's interest is in the schedule and the rationale rather than the volume of items. Low-risk, high-volume accounts, small expense categories with consistent patterns, certain prepaid balances, low-dollar accruals that resolve mechanically, receive automated reconciliation with sampled review. The reconciliation tool can run an auto-match at the transaction level; the reviewer samples a defined percentage of auto-matched items each period to validate the match logic; the documentation discipline is the sample, not the universe. Low-risk, low-volume accounts, small balance sheet accounts with limited activity, certain intracompany clearing accounts, immaterial balances, receive a quarterly review at minimum, often with a documented threshold below which a substantive reconciliation is not required. The discipline here is the documented threshold, not the absence of reconciliation; an account that does not warrant a monthly reconciliation under the risk policy still warrants a documented decision to that effect. The four-quadrant classification is itself an audit artifact. The auditor will ask, in any defensible reconciliation regime, how the controller decided which accounts received which level of rigor. The answer should be the classification matrix, dated, signed by the controller and assistant controller, with the rationale for each quadrant assignment. Without the matrix, the question of why a particular account is on a quarterly cadence has no defensible answer. The tooling: BlackLine, FloQast, ReconArt, Trintech Cadency, and what they do not solve The reconciliation tooling market has matured materially over the past decade. BlackLine is the deepest and most widely-adopted in publicly-held and PE-backed mid-market organizations, with the strongest reconciliation, transaction matching, and intercompany modules; the implementation footprint is meaningful and the cost is non-trivial. FloQast is the strongest mid-market alternative, often deployed in firms that find BlackLine excessive for their scale; its tight Excel and Office 365 integration suits teams that build reconciliations in spreadsheets and want governance on top. ReconArt appears in mid-market and financial services contexts; its strength is in transaction-level matching for high-volume accounts. Trintech Cadency competes with BlackLine in the upper-mid-market and institutional space, with a strong record in financial services and a meaningful footprint in real estate and healthcare. Adra by Trintech, Solver, Vena, and a longer tail of platforms appear in specific contexts. The tooling decision is not the discipline. The mid-market controllers we work with frequently arrive at the engagement believing that adopting BlackLine or FloQast will resolve the reconciliation findings they have been carrying. The expectation is partially correct, the tooling does enforce certain disciplines that were ad-hoc in the prior state, captures sign-off electronically, retains evidence in a structured way, and produces auditor-friendly export packs. The expectation is also partially wrong; the tooling does not, on its own, produce the discipline. A team that signed reconciliations electronically without examining them in the prior state will, in the new state, click through electronic reviews on BlackLine without examining them. The artifact is cleaner; the underlying control deficiency is unchanged. The auditing finding pattern in tool-equipped firms is illustrative. We have audited firms with multi-year BlackLine deployments that still receive reconciliation findings because the reviewer-approval pattern is one click within thirty seconds of the preparer's submission; the timestamp pattern itself is the finding. The tool captured the data; the data exposed the absence of substantive review. The tool was an honest instrument; what it instrumented was the absence of the control. The discipline that holds across tooling choices is the same: documented preparer/reviewer separation, item-level support attached and examinable, aging enforced procedurally rather than aspirationally, and a policy that distinguishes the levels of review across the four-quadrant classification. The tooling supports the discipline; it does not generate the discipline. Preparer and reviewer: the separation that the audit examines Segregation of duties at the reconciliation level rests on preparer/reviewer separation. The preparer performs the reconciliation: gathers the source data, identifies reconciling items, attaches the support, signs the workpaper. The reviewer examines the work: tests the items against the support, challenges the rationale where appropriate, ensures the items have a path to resolution, signs the approval. The preparer and reviewer are different people with appropriate seniority differentials. The recurring failure pattern is the procedural shortcut where the same individual functions as both preparer and reviewer, or where the reviewer's role is held by someone without the substantive expertise to challenge the preparer's work. We have walked into engagements where the controller was preparing the high-risk reconciliations and reviewing them in the same role, where a junior staff accountant was reviewing the work of a senior accountant whose technical depth materially exceeded the reviewer's, and where the reviewer was a non-finance executive (the CFO or a controller from another entity) who lacked the time and technical context to perform substantive review. The control the auditor examines is whether the reviewer actually examined the work. The evidence is the timestamp pattern, the comments captured during review, the items the reviewer flagged and the resolution captured for those items, and the seniority and technical depth of the reviewer relative to the preparer. The control deficiency the audit cites when it cites this pattern is invariably labeled "ineffective review", the review occurred procedurally; it did not occur substantively. The discipline we recommend is documented preparer/reviewer assignments by quadrant, with seniority requirements specified by quadrant; a reviewer-comment requirement on high-risk reconciliations (the reviewer cannot sign without recording at least one substantive observation, even if the observation is "no exceptions identified, items aged within policy"); and a periodic, quarterly is sufficient, internal-audit-style sample of reviewer work to test that substantive review is occurring. The sample is the evidence the audit will reference when the reviewer's substantive performance is questioned. Item-level support: the discipline most often missing The reconciliation that ties at the balance level but cannot produce support at the item level is the recurring finding configuration in mid-market reviews. A reconciliation showing $1,247,832.18 in the GL, $1,247,832.18 from the source system, and a balanced reconciliation has prima facie passed the balance test. The reconciliation that lists three reconciling items totaling to a $0 net difference, without backing documentation for the three items, has not satisfied the audit. The item-level discipline holds across reconciling items in both directions. Outstanding deposits at month-end on a bank reconciliation should have backup, the deposit slip, the cash receipts journal entry, the source transaction. Outstanding checks should have backup, the check register, the AP record. Timing differences in subledger-to-GL reconciliations should be supported with the underlying transactions and a documented expectation of when they will clear. Reclassification adjustments should have a memo explaining the rationale and tying to the original posting. The recurring failure is the reconciling item that exists on the reconciliation but has no underlying support. Sometimes the support exists in a system the reconciliation does not link to and the controller could produce it on request. Sometimes the support has been aged out, archived, or lost in a system migration. Sometimes, most often, the support never existed because the reconciling item is a plug that brought the reconciliation to balance without an underlying explanation. The plug pattern is the most damaging. An audit that identifies a reconciling item that the controller cannot trace to a source transaction calls into question every other reconciling item in the engagement. The audit's escalation logic is reasonable: if the controller cannot defend this item, the audit must test additional items, and the additional testing surfaces additional weaknesses. A single unsupported plug at the start of the audit can extend the engagement timeline by weeks. The discipline we recommend is mandatory item-level support attached to the reconciliation at preparation, with a defined documentation standard (PDF attachment, system screenshot with date, reference number tying to the source system) and a review test that verifies the support is examinable. The documentation standard is itself an audit artifact; the controller who has documented the standard and trained the team to it produces reconciliations that close on first review. Aging the unreconciled items: the policy that prevents compounding The unreconciled-item aging policy is the discipline that prevents the reconciliation from accumulating debt over time. A reconciliation that resolves cleanly each month has no aged items. A reconciliation that runs monthly with the same five reconciling items appearing each month, growing by additions, never resolving the prior items, is a reconciliation in progressive failure even while it appears procedurally clean. The aging policy we recommend has three thresholds. 30 days: every reconciling item must have an identified resolution path within 30 days of first appearance, even if the resolution itself takes longer. The path is the assignment to a specific person with a specific expected resolution date. 60 days: items unresolved at 60 days require a documented escalation to the controller, with a written explanation of why resolution has not been achieved and a revised expected date. 90 days: items unresolved at 90 days require CFO sign-off and a determination of whether the item should be written off, reclassified, or further investigated through a special procedure (potentially involving outside consultation or fraud investigation). The 90-day threshold is firm. An item that has aged past 90 days without resolution is, by the audit's interpretation, a control failure regardless of the dollar amount. The control is not "resolve all items"; the control is "ensure no item ages beyond the policy threshold without a documented determination." The determination is the artifact; the absence of the determination is the finding. The aging report itself is an evidence artifact. The reconciliation tool can typically generate the aging report; the controller can generate it from the underlying spreadsheets if no tool is in use. The aging report attached to the close package, reviewed by the CFO, signed monthly, is the documentary evidence that the control is operating. The audit will frequently sample the aging report and trace specific items to their resolution; the trace either supports the control or surfaces the gap. Auto-reconciled accounts: the pattern that hides the failure A specific and increasingly common audit-finding pattern in tool-equipped firms is the auto-reconciliation pattern. The reconciliation tool, BlackLine, FloQast, others, supports auto-reconciliation for accounts where the matching logic can be defined deterministically. Bank reconciliations on accounts with cleanly-flowing electronic transactions, certain intercompany accounts with matched-pair postings, prepaid amortizations with known schedules, all are candidates for auto-reconciliation. The pattern that produces findings is auto-reconciliation without sampled human review. The tool runs the match, the reconciliation closes automatically, no human signs the workpaper, no exceptions are flagged because the tool did not encounter any. The control is, in the auditor's view, fully delegated to the tool's algorithm. The audit's question is what testing has been performed on the tool's logic, what sampling reviews have been conducted to validate that auto-matched items are correctly matched, and who is responsible for the periodic review. The discipline that holds is sampled human review on every auto-reconciled account. The sampling rate is risk-based: higher for accounts in the high-risk quadrants, lower for low-risk; the tool can typically generate the sample. The reviewer examines a defined percentage of auto-matched items, validates the match logic, and signs a sampling review attestation. The attestation is the evidence that the auto-reconciliation control includes human oversight. A second discipline is periodic logic review. The auto-reconciliation rules are tested annually (quarterly for high-risk accounts) by an independent reviewer who validates the rules against the current data patterns. A rule that was correct two years ago when configured may produce silent mismatches today as transaction patterns drift. The annual logic review surfaces the drift before it produces a misstatement. The audit-ready evidence pack: what the file actually contains The structured workpaper that constitutes an audit-ready reconciliation evidence pack has, in our experience, eight elements. The pack is organized at the reconciliation level, one pack per reconciliation per period, and the eight elements appear in every pack regardless of risk quadrant, with depth varying by quadrant. 1. The reconciliation cover sheet identifying the account, the period, the preparer, the reviewer, the dates of preparation and review, and the risk quadrant assignment. 2. The GL balance drawn directly from the GL with a screenshot or system export demonstrating the source. 3. The source-system or subledger balance drawn from the source with the equivalent demonstration. 4. The reconciling items list with each item itemized: description, amount, age, resolution path, and the support reference. 5. The supporting documentation for each reconciling item, attached at the item level (PDF, screenshot, source-system reference). 6. The aging summary showing the aging buckets for any unresolved items, with the policy threshold and the determination for items aged past threshold. 7. The reviewer commentary capturing the substantive observations from review, the items the reviewer challenged, and the resolution. 8. The sign-off block with timestamp, system-recorded preparer and reviewer signatures, and any escalation evidence (CFO sign-off for 90+ day items). The pack is the audit's primary artifact. When the auditor selects an account for testing, the pack is what is produced; the pack is what the audit examines; the pack is what determines whether the testing closes on the first round or requires follow-up. The discipline that produces clean audits is the discipline that produces the pack as a byproduct of normal close, not as a deliverable assembled under audit pressure. The reconciliation tooling supports pack generation directly in BlackLine, FloQast, and other major platforms. The pack export can be produced for the period or for an individual account on demand, formatted in a way the audit can consume. The teams that build the pack proactively and exchange a sample with the audit team early in the engagement materially shorten the audit timeline. What we recommend Begin with the four-quadrant classification matrix. Map every account in the chart into one of the four quadrants, document the rationale, and establish the rigor level for each. The matrix is the foundation; without it, the reconciliation regime cannot be calibrated. Second, formalize the preparer/reviewer separation by quadrant. Document the seniority requirements, the comment-on-review requirement for high-risk accounts, and the periodic substantive-review sample. Third, establish the unreconciled-item aging policy with the 30/60/90 thresholds, document the escalation path, and run the aging report monthly with CFO review on the high-risk quadrants. Fourth, evaluate the reconciliation tooling against the discipline rather than as a substitute for it. BlackLine, FloQast, ReconArt, or Trintech Cadency are the right answer in many mid-market organizations, but only if the discipline they support is itself defined first. Fifth, build the eight-element evidence pack as the standard reconciliation deliverable, exchange a sample with the external auditor at the planning stage of the next audit, and use any feedback to refine the pack format. The audit that closes on first round is the audit where the pack and the auditor's expectations match. Reconciliation is the audit control most often cited because it is the control most often performed without its evidence. Build the evidence as the work runs; produce the pack as the output of normal operation; close the audit on the strength of the file rather than the strength of the explanation. The cost of the discipline is hours per period. The cost of the finding, in remediation work, audit-fee escalation, and management-letter exposure, is materially larger.