Companies and their many stakeholder groups depend on accurate information. Whether you’re a manager, investor, board director, or employee, it’s crucial to have an accurate picture of what is happening in a company.
Publicly traded companies provide this picture through financial data, collected and shared through formal, published financial reports. The information in those reports is governed by a company’s internal control over financial reporting (ICFR), to assure that the material in those financial statements can be relied upon.
Corporate financial reports also need independent assurance. This job falls to an independent auditor. For public companies with $100 million or more in revenue, the SEC requires that their auditors conduct an audit and publish an opinion on the company’s internal control over financial reporting.
A company’s system of ICFR includes many things, and getting ICFR right is a critical part of the preparation of financial statements. In this post we’ll explain that in more detail.
What Is Internal Control Over Financial Reporting (ICFR)?
Internal control over financial reporting is the set of controls that companies put in place to assure that their financial statements are accurate and reliable. For public companies in particular, ICFR also means financial statements are prepared in accordance with Generally Accepted Accounting Principles (GAAP). This assures that financial statements give an accurate picture of the business over that fiscal period (typically a year or a quarter).
ICFR is one part of SOX compliance – but it is only one part of SOX compliance. “SOX” is shorthand for the Sarbanes-Oxley Act, which Congress passed in 2002 following a series of high-profile corporate accounting scandals.
The Sarbanes-Oxley Act’s goal is to protect investors from fraudulent financial reporting by corporations. It establishes general controls such as record keeping, disclosure requirements, and strict punishments for non-compliance. The controls put in place as part of ICFR help a company comply with the Sarbanes-Oxley Act, but SOX compliance includes many other measures as well.
Why Are Internal Controls Important for Financial Reporting?
ICFR is about making sure that investors trust the disclosures a company releases. One of the best ways that investors can have reasonable assurance that the risk of material misstatement has been mitigated is for them to know that the company’s internal controls are robust.
Simply put, the effectiveness of internal control reduces the chance of inaccurate reporting reaching the general public, where it could lead to financial harm.
Five Components of Internal Control
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has laid out an integrated framework for robust internal controls. The COSO framework consists of five components.
Control environment
The control environment is the overarching controls and systems that govern how the company approaches its financial reporting. The environment consists of explicit controls, such as policies, processes, and standards for how internal controls should be carried out. It also includes implicit elements that can be less tangible, such as the organization’s expectations, integrity, and ethical values.
Ultimately ICFR is management’s responsibility, so bodies such as the Center for Audit Quality (CAQ) often mention the importance of senior management leading by example when establishing a control environment. The “tone at the top” implicitly shows the entire organization how people should approach ICFR.
Risk assessment
It’s much easier to prevent any harmful material effects on a company’s reporting when the company has a clear idea of what those potential harms are. Companies must therefore perform a risk assessment of the internal and external threats to their organization.
Before risk assessment takes place, management must first establish clear control objectives related to compliance, reporting, and operations at different levels. COSO defines risk as “the possibility that an event will occur and adversely affect the achievement of objectives.” This is an important distinction because a negative event might not always threaten the organization’s existence – but if it threatens management’s stated business objectives, then it must be disclosed and relevant controls put in place.
Control activities
Internal control activities get ICFR done. After establishing a control environment and completing a risk assessment, management must develop policies and actions to mitigate risk and prevent material weakness.
Control activities must be carried out at all levels of the organization, so segregation of duties (that is, dividing work tasks among multiple people so no single employee has too much power) is necessary. Effective internal control requires action to prevent risk and determine the risk’s source, giving management up-to-date insight into the inner workings of the organization.
For this reason, it’s often necessary to set up process-level controls as well as entity-level controls. Entity-level controls monitor risks that can affect the highest level of the organization; say, an internal reporting hotline so that anyone can raise concerns about fraud. Process-level controls work to prevent mistakes within one business process, such as policies about how to procure inventory or pay vendors.
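Segregation of duties is one of the few control activities above that can be checked mechanically: an access review exports who holds which duty, and a conflict matrix says which pairs of duties must never sit with one person. The script below is an added example, not code from the original post or from any Reciprocity product; the duty names, the conflict pairs and the entitlement list are all constructed for illustration.

```python
"""Segregation-of-duties (SoD) check over user entitlements.

Added example: given (user, duty) assignments and a set of duty pairs that
must never be held by one person, report every user whose entitlements let
them perform both halves of a conflicting pair.
"""
from collections import defaultdict
from itertools import combinations

# Constructed conflict matrix (assumption for this example): each pair is two
# duties that together let one person both initiate and approve a transaction.
# A real matrix comes from the company's own control documentation.
CONFLICTING_DUTIES = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_journal", "post_journal"}),
    frozenset({"receive_inventory", "approve_purchase_order"}),
}

# Constructed sample entitlements, in the shape an access review would export.
SAMPLE_ENTITLEMENTS = [
    ("alice", "create_vendor"),
    ("alice", "approve_payment"),
    ("bob", "enter_journal"),
    ("carol", "post_journal"),
    ("dave", "receive_inventory"),
    ("dave", "approve_purchase_order"),
    ("dave", "create_vendor"),
]


def duties_by_user(entitlements):
    """Group (user, duty) rows into {user: set(duties)}."""
    grouped = defaultdict(set)
    for user, duty in entitlements:
        grouped[user].add(duty)
    return dict(grouped)


def find_sod_violations(entitlements, conflicts=CONFLICTING_DUTIES):
    """Return a sorted list of (user, duty_a, duty_b) for every conflicting
    pair a single user holds. Each pair is reported once, duties in sorted order,
    so the output is stable across runs and easy to diff between reviews."""
    violations = []
    for user, duties in duties_by_user(entitlements).items():
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in conflicts:
                violations.append((user, a, b))
    return sorted(violations)


def users_needing_review(entitlements, conflicts=CONFLICTING_DUTIES):
    """Distinct users with at least one violation: the list handed to the
    control owner for remediation or for a documented compensating control."""
    return sorted({v[0] for v in find_sod_violations(entitlements, conflicts)})


if __name__ == "__main__":
    for user, a, b in find_sod_violations(SAMPLE_ENTITLEMENTS):
        print(f"SoD conflict: {user} holds both {a} and {b}")
    print("users needing review:", users_needing_review(SAMPLE_ENTITLEMENTS))
```

Run on the sample data, it flags alice (creates vendors and approves payments) and dave (receives inventory and approves the purchase orders for it), while bob and carol, who split the journal entry and posting duties between them, pass. In practice the entitlement list is pulled from the ERP or identity system on a schedule, and the output feeds the monitoring activities described later: a new violation is a control deficiency until it is either removed or covered by a compensating control.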
Information and communication
COSO defines information and communication as “the continual, iterative process of providing, sharing, and obtaining necessary information.” Management cannot determine the effectiveness of the controls they have in place unless they know that information is being delivered quickly and effectively across all levels of the business entity.
Information and communication processes must be developed in conjunction with effective monitoring activities, as one without the other is useless. There’s no point monitoring activities to capture data on the business unless the information ends up in the right hands.
Monitoring activities
Circumstances change over time, so businesses must also implement monitoring controls to assure that when something changes, management is aware of that fact and its possible significance. COSO outlines three levels of deficiencies that a company’s monitoring tries to identify:
- Material weakness, a deficiency (or combination of deficiencies) that creates a reasonable possibility of material misstatement in the annual report or interim financial statements
- Significant deficiency, which is less serious than a material weakness, but still important enough to require attention
- Deficiency, where a control does not allow the detection or prevention of misstatements on a timely basis
Why Do External Auditors Need to Understand Their Client’s Internal Control Over Financial Reporting?
A company’s board of directors has a broad range of oversight responsibilities, from ensuring that robust risk management systems are in place to confirming the accuracy of financial information.
The audit committee is responsible for the audit of the financial statements as well as overseeing and reporting on all aspects of the company’s ICFR. The audit committee is also responsible for hiring and overseeing the independent auditor. SOX requires companies that file annual reports with the SEC to include an auditor’s report, so boards appoint an audit committee to oversee the company’s ICFR standards.
There are some exceptions, such as investment companies, non-accelerated filers, and emerging growth companies, but large public companies will need an independent auditor’s report. The Public Company Accounting Oversight Board’s (PCAOB) auditing standards – which fall under SOX – require that the auditor report an overview of the audit strategy to the audit committee.
Take Control Over Reporting with ROAR
The Reciprocity® ROAR Platform makes compliance and audit management easier. It delivers a faster, simpler, and smarter path to compliance, automating processes, accelerating onboarding, and keeping you up-to-date on the progress and effectiveness of your programs.
ROAR also gives you a real-time view of compliance and provides the contextual insight needed to make the right decision. Schedule a demo today to see how ROAR can make your compliance process effortless.