What is Internal Control Over Financial Reporting (a.k.a. ICFR)?
ICFR is more than a "check the block" exercise; effective and quality ICFR describes an entire ethos of financial transparency and accountability. ICFR runs the gamut of control systems and processes a company takes to ensure the validity of its financial statements and stay out of hot water with regulators, investors, and stakeholders.
While ICFR seems complex, considering the abundant resources available, many steps are common sense and easily implemented. Still, effective implementation depends on a nuanced understanding of controls and the ecosystem surrounding ICFR – which this guide looks at as an orientation and an initial jumping-off point to long-term financial compliance.
Basic Concepts to Know
Understanding the basic, core underpinnings of ICFR is the first step to total understanding. Remember that internal controls are procedures and processes management emplace to ensure accounting integrity and financial transparency. For some companies, particularly publicly traded ones, ICFR is a key part of required financial filings and helps stakeholders rest assured that data they’re examining is accurate and timely.
Ultimately, remember that ICFR is more than compliance. It includes building an ecosystem on a foundation of trust and transparency, reassuring stakeholders and investors while offering the highest-quality financial data possible to drive accurate and effective operational decision-making.
Definition: What is ICFR? “Internal Controls over Financial Reporting”
Internal Controls over Financial Reporting, shortened to ICFR, describes the range of formal processes, procedures, and mechanisms a company uses to ensure that financial statements are accurate and reflect reality. But the true ICFR meaning is much more all-encompassing than the basic definition implies. The controls prevent fraud and serve as checks and balances to catch human error or missteps when generating or analyzing financial statements.
ICFR, in a sense, acts as a referee using a playbook to manage a game. In this case, the referee (actual control measures and checks) uses the playbook (company procedures built on accepted accounting principles) to manage the game (financial reporting). And, just as the rules vary between soccer and basketball, your referee's rules depend on your specific business. In general, though, everyday ICFR activities include transaction approval requirements, employee duty separation, tracking, monitoring software, and even something as basic as double-checking calculations.
What is SOX? “the Sarbanese-Oxley Act of 2002”
SOX, or the Sarbanes-Oxley Act, is a US federal law designed to protect against fraud and creative accounting techniques and applies to companies trading on US stock exchanges. It also applies to accounting firms, audit agencies, and any third party that a publicly traded company uses in its accounting management process.
The act requires companies to develop, publish, audit, and actively use their ICFR. In other words, federal law demands these companies have clear and well-established systems to manage financial reporting fraud or mistakes and that they use those systems as intended. The Securities and Exchange Commission (SEC) oversees the Sarbanese-Oxley Act and is charged with enforcing it. Companies must occasionally file reports with the SEC affirming their responsibility for enacting and enforcing ICFR – and prove it.
What is §404 of the Sarbanes-Oxley Act of 2002?
Section 4 of the Sarbanes-Oxley Act is usually called SOX 404 for short. This section is one of SOX's most impactful portions and demands management and third-party audit teams report on a company's ICFR quality. The section is comprised of two sub-sections:
- 401A: This sub-section to SOX 404 requires a company to include its internal controls report that affirms management's responsibility for ICFR. In addition to validating management's understanding of their responsibility, 404A also requires an objective assessment of the company's ICFR.
- 404B: This sub-section has the same mandate as 404A but applies to external and third-party auditors and requires them to attest that the managerial reporting under 404A is valid.
How Does ICFR Promote Stronger Financial Controls?
ICFR promotes stronger financial controls by building a foundation for companies to develop and enact their processes and systems to ensure accuracy of financial reporting. The ICFR offers an enhanced series of recurring and periodic oversight protocols to help ensure the company is doing the right thing consistently while also demanding an internal risk assessment look at areas of possible concern so the company can pay special attention to them between audit and reporting periods.
Adequate and quality ICFR also serves as a communication tool to flatten hierarchies when it comes to financial reporting and accounting. By implementing ICFR, you ensure that correct information is circulating within your company and that only vetted and correct information leaves the firm. In addition to compliance and fraud management, comprehensive ICFR also helps create a culture of communication while helping management make informed decisions quickly.
What Risks Do Companies Face if Internal Controls Over Financial Reporting is Ignored?
Ignoring agreed-upon standards and ICFR exposes companies of all types and sizes to substantial risk, not the least of which include financial penalties and (in the case of willful misconduct) prison time for those involved. Even if not ill-intentioned, ignoring ICFR means insiders and third-party investors, regulators, and auditors cannot determine financial statement accuracy and will "punish" the company accordingly, i.e., by not investing in or refusing to work with the non-compliant company.
Ignoring ICFR might lead to:
- Inaccurate financial statements: The most obvious outcome, improper or lacking controls, increases the risk of error or omission in financial statements.
- Fraud: Where loose standards exist and limited checks on actions prevent it, fraud flourishes.
- Penalties: Failure to follow established guidelines, like the Sabanes-Oxley Act, may lead to legal penalties, fines, and sanctions from the regulatory bodies that enforce them.
- Inefficiency: Your decision-making is only as good as the data feeding it, and improper controls mean your data is questionable, which could lead to poor or ineffective operational implementation.
- Investor confidence: Investors don't trust companies with loose accounting practices, for good reason. Ignoring ICFR means you may not attract investor capital as readily as companies happy to comply.
- Reputation: It only takes one accounting slip-up to cascade and destroy a company's reputation with customers, investors, vendors, and competitors. In short, a lack of ICFR can very tangibly lead to the downfall of even a well-run company.
What is an Internal Controls Report? And What Does It Look Like?
An Internal Control Report (ICR) is a document produced by a company's management team that details its efforts and results in implementing internal controls over financial reporting. The ICR is a requirement for publicly traded companies under the Sarbanes-Oxley Act and is usually included in a company's periodic SEC filings.
The internal control report generally consists of:
- A statement affirming management's responsibility in establishing and maintaining internal controls.
- An assessment of how adequate internal controls were for the preceding period.
- A methodology statement detailing how the company determines control efficacy.
The ICR will also usually include a narrative statement that describes controls, how they're evaluated, and any material weaknesses in the controls that could affect filings. They may also include internal or third-party audit findings that detail problem areas and how management plans to address them from that point forward.
Example
Companies may put together an internal control report that includes:
- An executive summary detailing findings and planned future action.
- A declaration of managerial responsibility affirming an understanding that internal controls are mandatory.
- Scope and methodology describing how the company validates internal controls.
- The framework used to evaluate internal controls.
- An assessment of the control evaluation that includes fraud detection reports, bank statements, reconciliation data, etc.
- A detailed look at specific findings and any issues arising from audit.
What is an ICFR Audit?
The ICFR audit is a formal examination or inspection that assesses a company's ICFR compliance and the effectiveness of implemented controls. The audit is designed to ensure a company's financial filings are accurate and compliant with established frameworks and requirements, including the Sarbanes-Oxley Act.
Throughout the course of an ICFR audit, evaluators and auditors examine ICFR design and implementation, test the controls to ensure they work as planned, and pin down any weaknesses or deficiencies that could lead to inaccurate or mistaken reporting. They'll look at:
- The control environment (including company culture surrounding audit compliance)
- Risk assessment covering weaknesses and areas of concern to watch closely
- Information and communication processes
- A plan for monitoring ICFR in the future
What is a “Material Weakness” in ICFR?
A material weakness in ICFR is a deficiency or series of deficiencies that create the real possibility of future misstatements or mistakes in financial filings. Specifically, a material weakness refers to those deficiencies that create a likely scenario in which misstatements are unlikely to be prevented, detected, or corrected within a reasonable timeframe.
Bottom line – material weaknesses are problems with a company's internal controls across the enterprise that increase the risk of financial information being wrong and remaining unknown until after a financial statement is published or distributed outside of the organization.
Who Are the Key Stakeholders Responsible for IFCR Within an Organization?
Typical stakeholders or individuals within a company responsible for maintaining ICFR include:
- Senior management: This stakeholder group includes C-suite management (notably the CEO and CFO) and is ultimately responsible for the entirety of a company's ICFR.
- Internal auditors: This group assesses ICFR effectiveness, works to pin down weaknesses, and develops recommendations for fixes. They may use manual examination processes, but, increasingly, audit steps are automated today and involve simple auditor oversight, saving time and money.
- Audit committee: Usually including high-level management and board of directors (if applicable), the internal audit committee is the oversight body that evaluates audit results and implements fixes as needed.
- External auditors: This group serves the same function as the internal audit team but works as an unbiased third party.
- Finance department: The finance department ensures day-to-day compliance with established controls.
- IT staff: Today, many ICFR components depend on the effective use of technology; IT staff help deploy, manage, and monitor these systems.
What is the CAQ Guide to ICFR?
The Center for Audit Quality (CAQ) developed the CAQ Guide to ICFR to offer a one-stop resource for stakeholders to understand and apply ICFR requirements. The guide helps assist management, audit teams, and committees when designing, assessing, and fixing ICFR.
The guide includes an ICFR overview, best practices, valuable checklists, and frameworks for building and maintaining quality internal controls and steps to address or remediate problems.
What is the COSO Framework?
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed the COSO Framework as a means to help organizations create, evaluate, and enhance ICFR. The COSO Framework uniquely describes internal controls as a process rather than a series of steps, creating an ecosystem-minded approach that encompasses the entire organization.
The COSO Framework says effective controls consist of:
- Control Environment: This is the "ecosystem" view of an organization's ICFR efforts and includes culture, integrity, ethics, and competence.
- Risk Assessment: This helps companies identify and analyze risks that run counter to a company's financial transparency objectives.
- Control Activities: These are the steps, actions, and methods, including policies and procedures a company uses to manage ICFR efforts. It may include approvals, authorizations, reconciliations, and similar controls.
- Information and Communication: This aspect helps companies realize that information is a fungible resource that must be identified, captured, and disseminated to enable stakeholders to carry out their respective responsibilities.
- Monitoring Activities: This component ensures the entire ecosystem is adequately monitored and tweaks or adjustments are made as necessary.
How Do Independent Auditors Engage With ICFR?
Independent auditors engage with the ICFR by auditing company internal controls across domains like accounts payable controls and other department systems to ensure they're effective in helping prevent (or detect) material misstatements in financial filings. Independent auditor actions usually include:
- Audit planning: Since each company is different, auditors must develop a unique plan of attack for each audit.
- Control design: Auditors evaluate how well controls are developed and whether or not they're adequately implemented.
- Testing: This action is a "stress test" of ICFR that includes questioning, direct observation, documentation overview, and putting specific controls through their paces.
- Communicating findings: The best audit is useless if it doesn't give stakeholders visibility into a company's ICFR; auditors develop and disseminate conclusions to ensure transparency and help kickstart planning to address weaknesses found.
- Reporting: If a company is public and required to report under the Sarbanes-Oxley Act, the final step for external auditors includes formal reporting requirements.
What Should Your Team Do To Ensure Compliance & ICFR?
Structured and understandable operating procedures are key to ensuring effective ICFR and compliance. A structured approach includes:
- Understand and Document Control Environment: Knowledge is key when it comes to ICFR, and compliance begins with a thorough of regulations and the requirements of SOX Section 404. Document your company's control environment, including the culture and tone set by management concerning ICFR.
- Conduct a Risk Assessment: Perform a comprehensive risk assessment to identify where material misstatements due to error or fraud could pop up.
- Design and Implement Control Activities: Develop and implement comprehensive controls to address specific risks identified in the risk assessment. These should include checks and balances, segregation of duties, approval hierarchies, and other relevant controls.
- Monitor Controls: Regularly monitor these controls to ensure they are operating effectively. This can include both ongoing monitoring activities and separate evaluations.
- Review and Test Controls: Periodically review and test the controls to verify their effectiveness. Adjust and improve them as needed based on the test results.
- Report Internally: Promptly communicate the findings, including any deficiencies or weaknesses, to management and the audit committee.
- Educate and Train Staff: Provide ongoing education and training to ensure that all relevant team members understand the internal control processes and their individual roles within these processes. Remember, effective controls aren't a one-time action; they're an ongoing, iterative process.
- Engage with External Auditors: Work with external auditors to provide them with the necessary information and support their independent audit of your ICFR.
Additional Resources
ICFR is a complex topic, and this is just a jumping-off point. For more information, you can explore: