Understanding Internal Control over Financial Reporting (ICFR) | Tipalti (2024)

KPMG’s Risk Compliance Practice identifies 7 pillars of IOCFR (internal controls over financial reporting) to assess IOCFR program progress:

1. “Strategy

2. Risk assessment

3. Entity-level controls (ELCs)

4. Control selection

5. Testing strategy

6. Evaluating results

7. Governance”

In the same white paper, KPMG lists stakeholder expectations from an IOCFR program:

•“Ensure a strong [Sarbanes Oxley] 404a process
• Reduce the impact of control issues
• Prevent material weaknesses
• Develop controls and enhance business performance
• Keep down external audit fees and total cost of control
• Support a company culture that drives improvements and efficiencies.”

KPMG defines key stakeholders as:

• “The Audit Committee
• The CFO and finance organization
• The controller’s organization
• The CEO
• The CIO
• Internal audit and/or SOX team
• Owners of key processes
• The external auditor [with different goals and oversight].”

The SEC regulates ICFR for applicable public companies and the PCAOB controls ICFR application by independent auditors of publicly-traded companies. The CIO provides information technology knowledge for ICFR implementation and monitoring and understands data security best practices.

Deloitte & Touche LLP suggests that a company’s ICFR should focus on risk assessment instead of benchmarks and use the latest technology. For example, data analytics and visualization tools can be useful in the ICFR assessment process.

Companies can use an ICFR risk and control matrix (RACM) to document control measures that can mitigate risks. Controls include preventive and detective controls.

As the objective of ICFR, internal control policies and procedures for financial reporting are designed to fairly and accurately record transactions and prevent and detect unauthorized acquisition, use, or disposition of the company’s assets that could materially affect the financial statements. ICFR includes adherence to a financial reporting framework.

Through the effectiveness of ICFR, companies can reduce the risks of material misstatement, improve financial statement quality, including disclosures, and attain adequate data security.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued a framework for internal control in 1992, with an update in 2013. COSO also provides other guides relating to “internal control, risk management, governance, and fraud deterrence”.

The COSO framework is useful for effective ICFR (internal control over financial reporting), including cash controls, accounts payable internal controls, and AP financial controls.

The COSO Internal Control-Integrated Framework includes:

1. Control environment

2. Risk assessment

3. Control activities

4. Information & communication

5. Monitoring activities

The five sponsoring member firms of COSO are American Accounting Association, American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), The Association of Accountants and Financial Professionals in Business (IMA), and the Institute of Internal Auditors (IIA).

Companies set up an ICFR (internal control over financial reporting) strategy, establish policies and procedures for internal control, assess the control environment and risks of material misstatement of financial statements, monitor and approve transactions, test a sample of transactions, and issue ICFR report certifications by the CEO and CFO filed as part of their 10-K.

Companies establish internal control systems with policies and procedures that include segregation of duties, invoice document matching, and authorizations and approvals. For proper separation of duties, the same employee isn’t handling assets like cash and recording accounting transactions for revenue, costs, assets, expenses, and other expenditures.

Businesses establish a control environment that includes the corporate culture, an ethical executive management tone that encourages proper financial reporting, and the Audit Committee’s review of the financial statements as a source of high-level oversight.

ICFR relates to the preparation of financial statements and includes data security requirements.

The financial statements should be internally reviewed, including authorizing journal entries, reconciling accounts to the general ledger, comparing financial statements to the underlying accounting records, and evaluating reasonableness through an analytic review.

FP&A procedures like trend analysis, ratios computation, and variance analysis comparing actual with budgeted amounts should be scrutinized as another check on financial statement accuracy.

On an annual basis, management’s assessment of internal control over financial statements is performed. Management of public companies reports the results regarding reasonable assurance of the operating effectiveness of ICFR at the business in the 10-K.

Quarterly, management assesses if any material changes in its ICFR have occurred. In Form 10-Q reports filed with the SEC, management has reporting requirements to disclose that it has responsibility for establishing and maintaining ICFR. It must include any changes to ICFR that have or are likely to affect its ICFR materially.

All public companies (registrants) must include management’s report on internal control over financial reporting in their Form 10-K annual report filed with the SEC, per SOX 404(a). The SEC requires publicly traded companies with at least $100 million in revenue to have their auditors complete a separate attestation of ICFR (internal control over financial reporting)and also include the auditor attestation report in their Form 10-K.

The company must disclose material weaknesses in internal control in its SEC filing. The company should have procedures to remedy internal control, particularly those deemed significant deficiencies or the most severe classification of ICFR deficiency, material weaknesses.