Internal control over financial reporting, shortened to ICFR, consists of those controls that support and enforce the accuracy, reliability, and integrity of a company’s financial statements. Part of ICFR includes following Generally Accepted Accounting Principles (GAAP) and applying key controls like segregation of duties to business processes. Throughout the preparation of financial statements, companies need to be aware of ICFR requirements, considering the organization’s control environment, control activities, any control deficiencies, and their effect on the risk of material misstatement.
With the UK contemplating legislation that would require companies to establish internal control over financial reporting in a SOX-like fashion, the spotlight is back on ICFR and how it can support the preparation and integrity of financial disclosures. Establishing a requirement for companies to maintain internal control over financial reporting in the UK would drive a new standard for disclosures, and potentially attract a new or different crop of international investors.
ICFR’s importance rose with the Sarbanes-Oxley Act of 2002 in the U.S., which revolutionized the requirements for public company financial statement reporting in the US, mandating that company management assess the company’s internal control over financial reporting as part of annual public disclosures. In addition to management’s assessment of the company’s internal control, SOX Section 404 requires an organization’s independent auditors to review, provide an opinion, and attest to management’s report on the company’s ICFR. In turn, public accounting firms that consist of external auditors are overseen and regularly inspected by the Public Company Accounting Oversight Board (PCAOB).
Effective ICFR augments the reliability of annual reports, giving investors and capital markets an honest and accurate view of that company’s performance over that fiscal year.
What Does Internal Control Over Financial Reporting (ICFR) Mean?
Internal control over financial reporting is the set of controls or a control system at an organization that protects financial statements and their inputs from being tampered with; limit fraud risk; and ensure the accuracy and validity of the company’s financial reporting. ICFR is now often included as part of “integrated audits” in the US, which combines audits of financial statements with audits of internal control over financial reporting. A company that establishes a robust ICFR program reduces the likelihood of unreliable financial statement disclosures and improves audit quality.
What Are the Seven Pillars of ICFR?
To better understand internal control over financial reporting in concept and in practice, KPMG has identified seven “pillars” of ICFR that come together to form a strong ICFR program. Those pillars are: strategy, risk assessment, entity-level controls, control selection, testing strategy, evaluating results, and governance.
The basis of an ICFR program is a strategy, a plan, for tackling risks to financial statements and data, and for reducing the likelihood of significant deficiencies, material weaknesses, or even material misstatements in reporting. When developing a strategy for ICFR, companies should consider how ICFR activities can integrate with the business’s goals and objectives. This strategy should be flexible enough to change as circumstances call for an adjusted approach, and incorporate the input and feedback of multiple stakeholders across the organization. Mature ICFR programs will see strategy driven by culture and values.
As with many internal control-related activities, we can’t ignore the risks that face the organization and the integrity of its financial reporting. Risks to financial reporting and fraud risk have a very real, very detrimental impact on companies should they be realized, and it’s important to treat financial statement risks just as rigorously as other types of risk.
Risks to an organization’s financial statements should follow the risk management cycle of identification, analysis and prioritization, treatment and mitigation, and monitoring and review. By taking a risk-based approach to reporting risks, companies can prioritize major risks and focus resources and personnel on those critical areas. Risk assessments need to be renewed periodically, driving companies to review their ICFR program as well. At higher levels of maturity, risk assessments help companies identify new and emerging threats.
Entity-Level Controls (ELCs)
Although entity-level controls may sometimes lack precision to address granular risks, they can be helpful in defining the control environment, conducting risk assessment processes, monitoring other controls, and tackling entity-level changes. While they may not have a direct effect on financial statement risks, effective ELCs foster an environment and culture that is risk-aware and that facilitates and encourages accuracy and integrity in financial reporting. With time and growth, entity-level controls that integrate with the enterprise as a whole drive progress to company objectives.
In the context of an ICFR program, companies should review their key controls regularly and ask themselves if there are any redundant or insufficient controls in their processes. World-changing events occur seemingly regularly these days, causing upheaval throughout the world and affecting individuals, small businesses, supply chains — everyone. Companies must be prepared to alter their control strategy to meet the risks facing them, and the foundation enabling them to do so is a sound understanding of their risk register and controls inventory.
As companies mature their capabilities in this area, they find themselves clearly aligning controls to objectives and fostering a risk-aware team culture. The same principles apply to internal control over financial reporting — teams need to regularly assess the controls in place and determine whether or not they are sufficient to address identified risks.
A good ICFR program must include a good testing strategy — otherwise there would be no way to assess the performance of the program and its controls. ICFR testing, whether it’s conducted by internal audit or external auditors, should be risk-based and test both the design and operating effectiveness of controls. Testing must provide auditors with reasonable assurance that the control is working as it should, and could consist of inquiry, inspection of evidence, observation of the control being performed, and reperformance of existing tests.
Auditor reports summarizing the results of tests and any recommendations should be made available to the audit committee and other stakeholders as needed and when appropriate. An organization with a mature testing strategy would continuously evolve their testing as a company’s ICFR landscape changes.
What companies do after receiving auditor’s reports is just as important (or at least most of the way there) as what they do to prepare for the audit. Organizations that do not seek to optimize their ICFR programs and neglect to address the root cause of any deficiencies may find themselves encountering further deficiencies down the line, maybe even exposing them to the risk of material misstatement or a material weakness that is costly and burdensome to remediate. In contrast, companies that take care to review their audit reports and risk assessment results, then act on gaps and findings will find their number of deficiencies decreasing and expenditures on remediation lowering commensurately.
A mature ICFR program incorporates good tone at the top, allocates enough resources to the program, clearly delineates roles and responsibilities, and provides regular training for personnel involved with internal control over financial reporting. There are reporting structures and designated accountability for tasks and initiatives. Stakeholders are aligned, and communicate transparently. ICFR program leadership in a mature state looks to optimize the program and innovate on controls, such as through automation.
What to Consider When Performing an ICFR Internal Audit
Conducting an ICFR internal audit provides companies with increased assurance that their ICFR program is functioning as intended and financial statements retain accuracy and integrity. Tests performed by internal audit at a sufficient level of rigor could even be relied upon by independent auditors, reducing the effort and cost involved with the audit. Since public disclosures must comply with GAAP, internal audits of ICFR should adhere to Generally Accepted Accounting Principles as well.
Ultimately, it is the audit committee’s responsibility to oversee the internal audit function, and oversee and engage with external audit firms for integrated financial statements and ICFR audits. Audit committees are independent from management, and hold management accountable for their activities related to financial and risk management.
Five Components of the COSO Framework for Internal Controls
COSO — which stands for Committee of Sponsoring Organizations of the Treadway Commission — was sponsored by five major professional associations based in the US. Those five organizations were the American Accounting Association (AAA), American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), Institute of Management Accountants (IMA), and the Institute of Internal Auditors (IIA). In 1992, COSO published its first version of the Internal Control – Integrated Framework (ICIF) that would form the basis of many SOX internal control programs across public companies in the United States.
This framework was updated and reissued in 2013, with five components illustrated in the “COSO Cube:” Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities. These components form the basis of COSO’s framework for internal control, and can be adopted by companies to support their internal control over financial reporting capabilities.
Implementing COSO’s ICIF in your organization yields benefits for management and boards, like providing:
- “Requirements for an effective system of internal control” based on the company’s unique posture.
- Opportunities to reduce or remove controls that are redundant, inefficient, or ineffective.
- Methods for completing risk assessments and responding to risks, especially fraud risk.
The COSO ICIF also offers a company’s external stakeholders the following benefits:
- Improved confidence in management and the board’s handling of internal controls and risk.
- Assurance that the organization is pursuing and achieving objectives and goals.
- Deeper understanding of the company’s internal control components.
A company’s control environment is its macro environment, as defined by the standards, processes, norms, and structures that allow for internal controls to be executed across the business. The control environment in internal control does incorporate the company’s tone at the top, the values of the organization, the structure for authority, and the processes for recruiting and retaining talent. The overarching control environment at an organization has a large impact on the successful implementation and execution of internal control. In the COSO ICIF, the organization’s control environment must demonstrate:
- Commitment to integrity and ethics.
- The Board of Directors is independent from management and helps oversee internal control.
- Structures, authority, and reporting lines are set up to pursue business objectives.
- Dedication to recruiting and retaining skilled personnel aligned to objectives.
- Individual accountability for internal control responsibilities.
Conducting regular risk assessments as part of a risk management program or initiative forms another component of the COSO Internal Control – Integrated Framework. Risk assessments, which include risk identification, analysis, treatment, and monitoring, help companies mitigate and handle their risks in a systemic, prioritized manner, and demonstrate the alignment of control processes, the risks they address, and the company objectives that may have been affected by said risks.
As part of the risk assessment component of the framework, the organization:
- Clearly defines objectives to facilitate the identification and analysis of risks;
- Identifies and analyzes risks;
- Considers the possibility of fraud risk;
- And detects and reports on changes that could impact internal control.
Policies and procedures detail the control activities that companies need to perform to mitigate risks to business objectives. Control activities are performed at every level and by almost every person in the company, and each control has attributes, characteristics, and technologies associated with it. Establishing robust internal control over financial reporting necessitates selecting the right controls for the job and ensuring they are sufficient to bring risks down to tolerable levels. In the COSO Internal Control framework, there are three items defined under control activities that the organization must achieve:
- Selected control activities address risks and support the achievement of business objectives.
- General control activities are implemented over information technology to support internal control.
- Written policies and procedures outline the control activities that need to occur.
Information and Communication
Often ignored or neglected, the importance of information and communication in an internal control program, whether it’s over financial reporting or another area, can never be overstated. Clarity of communication can determine the success or failure of a project or initiative. In a fast-paced environment of dynamic risks and controls that may need to change to meet them, having well-defined lines of communication and a regular flow of information can be a huge boon, enabling organizations to respond to realized risks as close to real-time as possible. COSO’s ICIF categorizes three activities into this component:
- Internal control is supported by relevant, quality information.
- Internal communications specify objectives and responsibilities for the support of internal control functions.
- As needed, external communications regarding matters of internal control occur.
The fifth component of COSO’s Internal Control framework has two activities, and has to do with the ongoing monitoring and evaluation of a company’s ICFR. By regularly evaluating the performance of internal control over financial reporting at the organization, teams can identify gaps and opportunities for improvement, then put them into play, reducing the likelihood of a control deficiency being detected. In this component, the organization:
- Develops and conducts evaluations over internal control functions.
- Assesses and communicates internal control deficiencies in a timely manner to the appropriate personnel.
Get to Assurance in Your Financial Reporting With Internal Controls Management Software
ICFR for public companies is not optional. In the U.S, SOX requires companies to have internal controls over financial reporting in place, and regions like the UK are considering similar regulations and mandates. With the SEC focused on fraud risk of all kinds, and investors relying on accurate and reliable financial statements to make big decisions, the importance of protecting financial data and disclosures from tampering and errors is massive. The cost for companies goes beyond fines and declaring misstatements, including brand and reputational damage. Not to mention, the burden of compliance beyond financial statements has increased significantly over the last decade or two, with HIPAA, GDPR, SOC 2, and ESG requirements rising in priority and impact for organizations. It’s almost too much for the modern risk and compliance professional to cope with.
Technology solutions that can streamline your internal controls and risk management programs can eliminate many challenges involved with coordinating and improving various internal control, risk, and compliance programs. Built-in collaboration tools and workflows, remediation tracking and dashboards to keep all your stakeholders aligned are just some of the features I’d suggest exploring further. Get started with AuditBoard’s internal controls management solution today!
Cannon Nikzad, CPA, is an Account Executive at AuditBoard. Prior to joining AuditBoard, Cannon spent 10 years at EY, serving in their Los Angeles and London offices where he led audit teams conducting integrated audits of U.S. public companies. Connect with Cannon on LinkedIn.