Whether public or privately held, companies of all sizes should establish an adequate system of policies and procedures for internal control over financial reporting (ICFR). With no material weaknesses, a company’s internal control system can prevent fraud and material errors in transactions and fairly present financial statements.
Internal control over financial reporting (ICFR) is required by the SEC for public companies to comply with the Sarbanes-Oxley Act of 2002. ICFR is important to establish public trust in the capital markets and issuers of financial statements.
This guide provides an overview of ICFR meaning and objectives, internal control, ICFR requirements for public companies, and links to other helpful ICFR resources. If your company has the growth potential for going public, you’ll be ready to meet ICFR requirements.
What is Internal Control over Financial Reporting (ICFR or ICOFR)?
Internal control over financial reporting (ICFR or ICOFR) is a process consisting of policies and control procedures to assess financial statement risk and provide reasonable assurance that a company prepares reliable financial statements. Detailed, fair, and accurate financial records with receipts for transactions are maintained by employees and approved by management for corporate governance.
What Should ICOFR (ICFR) Include?
KPMG’s Risk Compliance Practice identifies 7 pillars of ICOFR (internal controls over financial reporting) to assess ICOFR program progress:
2. Risk assessment
3. Entity-level controls (ELCs)
4. Control selection
5. Testing strategy
6. Evaluating results
In the same white paper, KPMG lists stakeholder expectations from an ICOFR program:
• “Ensure a strong [Sarbanes Oxley] 404a process
• Reduce the impact of control issues
• Prevent material weaknesses
• Develop controls and enhance business performance
• Keep down external audit fees and total cost of control
• Support a company culture that drives improvements and efficiencies.”
KPMG defines key stakeholders as:
• “The Audit Committee
• The CFO and finance organization
• The controller’s organization
• The CEO
• The CIO
• Internal audit and/or SOX team
• Owners of key processes
• The external auditor [with different goals and oversight].”
The SEC regulates ICFR for applicable public companies and the PCAOB controls ICFR application by independent auditors of publicly-traded companies. The CIO provides information technology knowledge for ICFR implementation and monitoring and understands data security best practices.
Deloitte & Touche LLP suggests that a company’s ICFR should focus on risk assessment instead of benchmarks and use the latest technology. For example, data analytics and visualization tools can be useful in the ICFR assessment process.
Companies can use an ICFR risk and control matrix (RACM) to document control measures that can mitigate risks. Controls include preventive and detective controls.
What is the Objective of ICFR?
The objective of ICFR is for internal control policies and procedures for financial reporting to fairly and accurately record transactions and to prevent and detect unauthorized acquisition, use, or disposition of the company’s assets that could materially affect the financial statements. ICFR includes adherence to a financial reporting framework.
Through the effectiveness of ICFR, companies can reduce the risks of material misstatement, improve financial statement quality, including disclosures, and attain adequate data security.
What is a Financial Reporting Framework for Preparing Financial Statements?
A financial reporting framework (FRF) for ICFR is an applicable accounting standard. Accounting standard frameworks for financial reporting include U.S. GAAP (generally accepted accounting principles), International Financial Reporting Standards (IFRS), special purpose OCBOA (other comprehensive bases of accounting), and the FRF for SMEs, according to an AICPA FAQ.
What is the COSO Framework for Internal Control?
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued a framework for internal control in 1992, with an update in 2013. COSO also provides other guides relating to “internal control, risk management, governance, and fraud deterrence”.
The COSO framework is useful for effective ICFR (internal control over financial reporting), including cash controls, accounts payable internal controls, and AP financial controls.
The COSO Internal Control-Integrated Framework includes:
1. Control environment
2. Risk assessment
3. Control activities
4. Information & communication
5. Monitoring activities
The five sponsoring member firms of COSO are American Accounting Association, American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), The Association of Accountants and Financial Professionals in Business (IMA), and the Institute of Internal Auditors (IIA).
What is the CAQ Guide to Internal Control over Financial Reporting (ICFR)?
In May 2019, the CAQ (Center for Audit Quality) updated its comprehensive Guide to Internal Control Over Financial Reporting (downloadable PDF file), initially issued in 2013. The Center for Audit Quality is a public policy organization that strives to improve “investor confidence and public trust in the global capital markets.”
What is the Role of Companies in ICFR?
Companies set up an ICFR (internal control over financial reporting) strategy, establish policies and procedures for internal control, assess the control environment and risks of material misstatement of financial statements, monitor and approve transactions, test a sample of transactions, and issue ICFR report certifications by the CEO and CFO filed as part of their 10-K.
Companies establish internal control systems with policies and procedures that include segregation of duties, invoice document matching, and authorizations and approvals. For proper separation of duties, the same employee isn’t handling assets like cash and recording accounting transactions for revenue, costs, assets, expenses, and other expenditures.
Businesses establish a control environment that includes the corporate culture, an ethical executive management tone that encourages proper financial reporting, and the Audit Committee’s review of the financial statements as a source of high-level oversight.
ICFR relates to the preparation of financial statements and includes data security requirements.
The financial statements should be internally reviewed, including authorizing journal entries, reconciling accounts to the general ledger, comparing financial statements to the underlying accounting records, and evaluating reasonableness through an analytic review.
FP&A procedures like trend analysis, ratios computation, and variance analysis comparing actual with budgeted amounts should be scrutinized as another check on financial statement accuracy.
Management assesses internal control over financial statements on an annual basis. Management of public companies reports the results regarding reasonable assurance of the operating effectiveness of ICFR at the business in the 10-K.
Quarterly, management assesses if any material changes in its ICFR have occurred. In Form 10-Q reports filed with the SEC, management has reporting requirements to disclose that it has responsibility for establishing and maintaining ICFR. It must include any changes to ICFR that have or are likely to affect its ICFR materially.
All public companies (registrants) must include management’s report on internal control over financial reporting in their Form 10-K annual report filed with the SEC, per SOX 404(a). The SEC requires publicly traded companies with at least $100 million in revenue to have their auditors complete a separate attestation of ICFR (internal control over financial reporting) and also include the auditor attestation report in their Form 10-K.
The company must disclose material weaknesses in internal control in its SEC filing. The company should have procedures to remedy internal control deficiencies, particularly those deemed significant deficiencies or material weaknesses, the most severe classification of ICFR deficiency.
As a seasoned expert in the field of internal controls over financial reporting (ICFR), I bring a wealth of firsthand knowledge and depth of expertise to guide you through the intricacies of establishing and maintaining effective systems within companies. Over the years, I have closely followed the evolution of regulatory requirements, industry best practices, and the technological advancements shaping the landscape of financial reporting.
Now, let's delve into the key concepts covered in the provided article:
Internal Control over Financial Reporting (ICFR):
Definition: ICFR is a systematic process encompassing policies and control procedures designed to assess financial statement risk and provide reasonable assurance that a company prepares reliable financial statements.
Importance: It helps prevent fraud, detect material errors in transactions, and ensures the fair presentation of financial statements.
Seven Pillars of ICFR (KPMG's Risk Compliance Practice):
- Risk assessment
- Entity-level controls (ELCs)
- Control selection
- Testing strategy
- Evaluating results
Stakeholder Expectations (KPMG):
Stakeholders, including the Audit Committee, CFO, CEO, CIO, and others, expect an ICFR program to:
- Ensure a strong Sarbanes-Oxley 404a process.
- Reduce the impact of control issues.
- Prevent material weaknesses.
- Develop controls to enhance business performance.
- Manage external audit fees.
- Support a company culture that drives improvements.
- The SEC (Securities and Exchange Commission) mandates ICFR for public companies to comply with the Sarbanes-Oxley Act of 2002.
- The PCAOB (Public Company Accounting Oversight Board) controls ICFR application by independent auditors of publicly-traded companies.
Role of Companies in ICFR:
- Companies establish an ICFR strategy, policies, and procedures.
- Assess the control environment and risks.
- Monitor and approve transactions, test samples.
- Issue ICFR report certifications filed in their 10-K.
COSO Framework for Internal Control:
- Issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
- Includes control environment, risk assessment, control activities, information & communication, and monitoring activities.
CAQ Guide to ICFR:
- The Center for Audit Quality (CAQ) provides a comprehensive guide to ICFR to improve investor confidence.
Financial Reporting Framework:
- A financial reporting framework (FRF) for ICFR is an applicable accounting standard.
- Frameworks include U.S. GAAP, IFRS, OCBOA, and FRF for SMEs.
Reporting and Attestation:
- Management's assessment of ICFR's operating effectiveness is done annually.
- Material changes in ICFR are assessed quarterly.
- Public companies must include management’s report on internal control in their Form 10-K, and auditors complete a separate attestation of ICFR.
Understanding and implementing these concepts is crucial for companies aspiring to build trust in the capital markets and comply with regulatory requirements, ensuring the reliability and accuracy of their financial reporting systems.