A "healthier" internal controls over financial reporting approach to better manage risks, reduce costs, and find opportunities to improve performance
How can companies design "healthier" internal controls over financial reporting?
ICOFR can be costly and many companies are looking for opportunities to reduce expenditures while maintaining compliance. But if companies do not continue to examine and evaluate their ICOFR programs, the natural tendency is for rising complexity and requirements to lead to rising effort and cost. Better strategy, governance, and performance can meet higher demands without a higher budget.
In the case of ICOFR, an unhealthy program can be expensive and increase the risk of a material weakness.
But beneath these risks are opportunities, as the journey to continuously improve and mature ICOFR programs can reduce risk, cut costs, and increase efficiency. A healthy ICOFR program can drive value through a positive impact on business processes and risk management and therefore on business performance.
This article looks at how the evolution of Sarbanes-Oxley Section 404 (SOX) has affected ICOFR programs and offers insights on how to evaluate whether your company's ICOFR program is providing the value that a mature, "healthy" program should.
Responsible individuals, even if they have not had serious health issues in recent years, still have regular medical check-ups. Similarly, companies whose ICOFR programs appear to be running smoothly should still periodically evaluate the health of their ICOFR program and control portfolio. In addition to identifying and correcting potentially unhealthy aspects of the programs or control problems before they occur, a well-designed evaluation (health check) can provide significant insights:
- Assessing the total cost of controls may identify opportunities for cost savings and better allocation of resources. These opportunities are growing as documentation requirements, particularly around completeness and accuracy, increase.
- An effective ICOFR program assessment may identify specific areas that are less mature than others. A common example is ICOFR governance, where there may be disconnects between who owns the overall program, who designs the controls, who performs the controls and who tests the controls. The result is often inefficiencies and/or omissions.
- Defining an ICOFR strategy may reduce financial reporting risks without increasing spending by helping identify a company's most critical areas. Companies can then focus both their control performance and testing efforts on the most critical areas.
- A more strategic and focused ICOFR program allows internal audit resources to focus more on the broader risk assessment, process improvement and value-creation audits, leading to better organizational performance.
1. Understanding themes in material weaknesses
No company expects to discover costly and damaging weaknesses in its ICOFR program, but failures happen, even in companies that devote extensive and expensive resources to performing and testing controls. Several consecutive years without material weaknesses or significant deficiencies is no guarantee that a control issue is not looming, particularly if the company does not have a healthy ICOFR program.
The seven primary themes of material weaknesses are as follows:
| Theme | Example of material weakness disclosure language |
|---|---|
| Lack of documentation, policies and procedures | "…a deficiency in the effectiveness of a control intended to properly document and review facts and apply the appropriate tax accounting under accounting standards…" |
| Lack of accounting resources/expertise | "The Company did not maintain a sufficient complement of personnel with an appropriate level of knowledge of accounting, experience, and training commensurate with its financial reporting requirements…" |
| Material and/or numerous auditor year-end adjustments | "…we identified a material weakness in our internal control over financial reporting with respect to the application of complex technical accounting standards…" |
| IT, software, security, and access issues | "Insufficient information technology controls and documentation" |
| Issues around the segregation of duties | "The Company has not appropriately restricted access to the accounting applications to appropriate users and does not have processes in place that ensure that appropriate segregation of duties is maintained." |
| Inadequate control design or a lack of controls | "…The internal audit department did not develop its functions to comply with the analysis of the controls during the year, consequently, this limited the functions of the Audit Committee…" |
| Non-routine/complex transactions | "Management has identified a material weakness in the internal control over financial reporting relating to the accounting for significant and complex transactions…" |
Understanding these themes can help companies take ongoing measures to reduce the risk of future errors. As an added benefit, these measures can also reduce the total cost of ICOFR and improve efficiency throughout the company.
2. The evolution of Sarbanes-Oxley
Since the Sarbanes-Oxley (SOX) Act was passed in 2002, the related demands on companies and external auditors have evolved, as seen in the graphic below.
Without going into too much detail on each phase in the ICOFR evolution, it is still possible to identify several broad trends:
- SOX continues to evolve from a high number of controls with a low level of testing detail to a lower number of controls with more in-depth testing.
- The type of effort required from process and control owners to execute and document controls has changed. Management must now provide more detailed documentation for key reports, especially around management review controls, and must appropriately consider the completeness and accuracy of the key reports those controls rely on.
- The SEC and the PCAOB are both signaling that management and auditors have not yet finished the controls journey, and we expect a continued trend of increasing requirements for the external auditor and therefore, indirectly, for companies.
- The balance of cost and reliance should be a deliberate consideration in establishing a company's ICOFR program strategy.
- The new accounting standards around revenue recognition and leases bring new internal control challenges. These standards also require new types of data and estimates which rely on historical details and trends that have not previously required controls to be in place.
- The increasingly complex nature of business transactions also has an impact on internal control considerations, as acquisitions, divestitures, restructuring, and refinancing measures are all “significant unusual transactions” that need extra attention from a control perspective. These are also focus areas for the SEC and PCAOB.
3. Assessing the health of an ICOFR program
A thorough health check can identify the potential for a more effective and efficient ICOFR program. Answering the following questions will provide perspective on where your company's ICOFR program currently stands:
Is the ICOFR program’s value clear to senior management and the board of directors?
If your ICOFR program is merely seen as a necessary cost, then it is not demonstrably fulfilling its role of ensuring the reliability of financial statements and avoiding costly errors. An ICOFR program should serve management and the board by providing insights beyond compliance to enable and support process improvement, thereby decreasing risk and adding value to the business.
Does your organization culture support the ICOFR program?
Even the best set of controls will not function well if key personnel are not collaborating fully. This culture should start at the top. Companies with significant control issues often end up identifying the root cause as senior management's failure to place appropriate emphasis on controls and to allocate sufficient resources to fully remediate control failures with sustainable processes.
Have you identified the 10-20 most critical internal controls and directed efforts towards them?
Not all key controls are created equal. Some are far more likely to catch errors than others. The program as a whole should show a visible difference in approach for the most critical controls. ICOFR programs often allocate the same amount of time and effort to every key control, rather than designing, operating, and testing controls with a greater focus on the most critical areas.
Do those critical internal controls include a strong set of direct entity level controls (ELCs)?
Well-designed direct ELCs operating at the right level of precision can function as an "insurance policy" that mitigates lower-level control failures and keeps them from becoming material to the company. These direct ELCs are often key operational controls that management relies on to run the business. Since they are complex and time-consuming to document and test, ICOFR programs often leave them out, but they are important to a well-balanced ICOFR program.
Are you confident that your controls are effective, even without testing them each year?
If you cannot answer yes to this question, or are concerned about testing your controls before the external auditor does, it is a sign that you are worried the controls are not operating effectively. In that case, consider the cause of this uncertainty, which may be incorrectly designed controls, problems in the control environment, or cultural issues.
Do you have KPIs to identify potential issues?
Defining control-related KPIs is one of the best ways to measure and monitor ICOFR program and control performance. A monitoring control can also reveal that controls are failing elsewhere in the company. For example, the number of terminated users identified during a periodic user access review should be used to identify and address shortcomings in the regular employee termination process, where access for those users should already have been revoked.
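The KPI in the question above, as an added example (this is illustrative code written for this article, not a tool from the SOX Center of Competence): a script that reconciles an accounting application's account export against the HR roster, lists terminated employees whose accounts are still enabled, and computes a revocation-failure rate that points back at the upstream termination process. Because the same role data is needed, it also flags accounts holding conflicting role pairs, which covers the segregation-of-duties theme from section 1. The roster, account export, role names and conflict pairs are constructed sample data, and a user access review in practice would pull them from HR and the application's own admin export.

```python
"""Periodic user access review: reconcile application accounts against the HR
roster, compute the terminated-user KPI, and check segregation of duties.

Example added to this article; not code from the SOX Center of Competence.
All data below is constructed sample data and the role names are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Constructed HR roster. Assumption: HR is the authoritative source for
# employment status and termination date.
HR_ROSTER = {
    "E001": {"name": "Alice", "status": "active", "terminated_on": None},
    "E002": {"name": "Bob", "status": "terminated", "terminated_on": date(2024, 1, 15)},
    "E003": {"name": "Carol", "status": "terminated", "terminated_on": date(2024, 2, 28)},
    "E004": {"name": "Dan", "status": "terminated", "terminated_on": date(2024, 3, 20)},
    "E005": {"name": "Eve", "status": "active", "terminated_on": None},
}

# Constructed account export from the accounting application.
ACCOUNTS = [
    {"user": "alice", "employee_id": "E001", "enabled": True, "roles": {"JE_CREATE"}},
    {"user": "bob", "employee_id": "E002", "enabled": True, "roles": {"AP_VENDOR_MAINTAIN", "AP_PAYMENT_RELEASE"}},
    {"user": "carol", "employee_id": "E003", "enabled": False, "roles": {"JE_POST"}},
    {"user": "dan", "employee_id": "E004", "enabled": True, "roles": {"GL_READ"}},
    {"user": "eve", "employee_id": "E005", "enabled": True, "roles": {"JE_CREATE", "JE_POST"}},
    {"user": "svc_batch", "employee_id": None, "enabled": True, "roles": {"GL_READ"}},
]

# Hypothetical segregation-of-duties conflicts: no single user may hold both roles.
SOD_CONFLICTS = [
    frozenset({"AP_VENDOR_MAINTAIN", "AP_PAYMENT_RELEASE"}),  # create a vendor and pay it
    frozenset({"JE_CREATE", "JE_POST"}),                      # prepare and post journals
]


@dataclass
class ReviewResult:
    # enabled accounts whose HR owner is terminated: (user, employee_id, days since termination)
    stale_access: list[tuple[str, str, int]] = field(default_factory=list)
    # accounts with no HR owner (service or orphan accounts) that need a named owner
    orphans: list[str] = field(default_factory=list)
    # (user, conflicting role pair) for enabled accounts
    sod_violations: list[tuple[str, frozenset[str]]] = field(default_factory=list)


def review_access(roster, accounts, sod_conflicts, as_of: date) -> ReviewResult:
    """Run one access review cycle as of `as_of` and return all findings."""
    result = ReviewResult()
    for acct in accounts:
        emp = roster.get(acct["employee_id"]) if acct["employee_id"] else None
        if emp is None:
            result.orphans.append(acct["user"])
        elif acct["enabled"] and emp["status"] == "terminated":
            lag = (as_of - emp["terminated_on"]).days
            result.stale_access.append((acct["user"], acct["employee_id"], lag))
        if acct["enabled"]:  # a disabled account cannot exercise conflicting roles
            for pair in sod_conflicts:
                if pair <= acct["roles"]:
                    result.sod_violations.append((acct["user"], pair))
    return result


def termination_kpi(roster, result: ReviewResult) -> dict:
    """Share of terminated employees whose access was still enabled at review
    time, plus the longest lag. A rising value is a finding against the HR/IT
    deprovisioning control, not against the access review that caught it."""
    terminated = sum(1 for e in roster.values() if e["status"] == "terminated")
    stale = len(result.stale_access)
    return {
        "terminated_employees": terminated,
        "still_enabled": stale,
        "revocation_failure_rate": round(stale / terminated, 3) if terminated else 0.0,
        "max_days_unrevoked": max((lag for _, _, lag in result.stale_access), default=0),
    }


def sample_review(as_of: date = date(2024, 3, 31)):
    """Review cycle over the constructed data; returns (findings, KPI)."""
    res = review_access(HR_ROSTER, ACCOUNTS, SOD_CONFLICTS, as_of)
    return res, termination_kpi(HR_ROSTER, res)


if __name__ == "__main__":
    res, kpi = sample_review()
    for user, emp, lag in res.stale_access:
        print(f"STALE ACCESS  {user:10} {emp} terminated {lag} days ago, account still enabled")
    for user in res.orphans:
        print(f"NO HR OWNER   {user}")
    for user, pair in res.sod_violations:
        print(f"SOD CONFLICT  {user:10} holds {sorted(pair)}")
    print("KPI:", kpi)
```

On the sample data the review reports two terminated employees still enabled (one for 76 days), one account without an HR owner, and two segregation-of-duties conflicts; the KPI of two out of three terminations not revoked is what should be tracked cycle over cycle and fed back to the owners of the termination process rather than filed as an access-review finding.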
4. Why should you check the health of your ICOFR program, even if you have not had any issues?
- Need for a strong 404a process, irrespective of PCAOB or external auditor perspective
- The external auditor cost is high once you end up with material weakness
- Focus on total cost of control
- In extreme circumstances, the external auditor may resign
- Even if you do not think you have a problem, you should have a “check up”
- It is expensive to remediate once something has gone wrong
- Drive continuous improvement and efficiencies
- Potential impact on management compensation
- A link between stronger controls and greater predictability of earnings/overall valuation of a company
- Potential loss of Audit Committee trust
- You have had a significant deficiency or some “close calls”
- Impact on share price/total cost of the business