A Beginner’s Guide to Internal Control over Financial Reporting (ICFR)

Barbara Cook
By Barbara Cook
Barbara Cook

Barbara Cook

Barbara is a financial writer for Tipalti and other successful B2B businesses, including SaaS and financial companies. She is a former CFO for fast-growing tech companies with Deloitte audit experience. Barbara has an MBA from The University of Texas and an active CPA license. When she’s not writing, Barbara likes to research public companies and play Pickleball, Texas Hold ‘em poker, bridge, and Mah Jongg.

Follow

Updated September 18, 2024
Financial Reporting
Finops
Risk Management

Whether public or privately held, companies of all sizes, should establish an adequate system of policies and procedures for internal control over financial reporting (ICFR). With no material weaknesses, a company’s internal control system can prevent fraud and material errors in transactions and fairly present financial statements. 

Internal control over financial reporting (ICFR) is required by the SEC for public companies to comply with the Sarbanes-Oxley Act of 2002. ICFR is important to establish public trust in the capital markets and issuers of financial statements. 

This guide provides an overview of ICFR meaning and objectives, internal control, ICFR requirements for public companies, and links to other helpful ICFR resources. If your company has the growth potential for going public, you’ll be ready to meet ICFR requirements. 

What is Internal Control over Financial Reporting (ICFR or IOCFR)?

Internal control over financial reporting (ICFR or ICOFR) is a process consisting of policies and control procedures to assess financial statement risk and provide reasonable assurance that a company prepares reliable financial statements. Detailed, fair, and accurate financial records with receipts for transactions are maintained by employees and approved by management for corporate governance. 

What Should IOCFR (ICFR) Include?

KPMG’s Risk Compliance Practice identifies 7 pillars of IOCFR (internal controls over financial reporting) to assess IOCFR program progress:

1. “Strategy

2. Risk assessment

3. Entity-level controls (ELCs)

4. Control selection

5. Testing strategy

6. Evaluating results

7. Governance”

In the same white paper, KPMG lists stakeholder expectations from an IOCFR program:

•“Ensure a strong [Sarbanes Oxley] 404a process 
• Reduce the impact of control issues
• Prevent material weaknesses
• Develop controls and enhance business performance
• Keep down external audit fees and total cost of control
• Support a company culture that drives improvements and efficiencies.”

KPMG defines key stakeholders as:

• “The Audit Committee
• The CFO and finance organization
• The controller’s organization
• The CEO
• The CIO
• Internal audit and/or SOX team
• Owners of key processes
• The external auditor [with different goals and oversight].”

The SEC regulates ICFR for applicable public companies and the PCAOB controls ICFR application by independent auditors of publicly-traded companies. The CIO provides information technology knowledge for ICFR implementation and monitoring and understands data security best practices. 

Deloitte & Touche LLP suggests that a company’s ICFR should focus on risk assessment instead of benchmarks and use the latest technology. For example, data analytics and visualization tools can be useful in the ICFR assessment process. 

Companies can use an ICFR risk and control matrix (RACM) to document control measures that can mitigate risks. Controls include preventive and detective controls. 

What is the Objective of ICFR?

As the objective of ICFR, internal control policies and procedures for financial reporting are designed to fairly and accurately record transactions and prevent and detect unauthorized acquisition, use, or disposition of the company’s assets that could materially affect the financial statements. ICFR includes adherence to a financial reporting framework. 

Through the effectiveness of ICFR, companies can reduce the risks of material misstatement, improve financial statement quality, including disclosures, and attain adequate data security.  

What is a Financial Reporting Framework for Preparing Financial Statements?

A financial reporting framework (FRF) for ICFR is an applicable accounting standard. Accounting standard frameworks for financial reporting include U.S. GAAP (generally accepted accounting principles), International Financial Reporting Standards (IFRS), special purpose OCBOA (other comprehensive bases of accounting), and the FRF for SMEs, according to an AICPA FAQ.

What is the COSO Framework for Internal Control?

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued a framework for internal control in 1992, with an update in 2013. COSO also provides other guides relating to “internal control, risk management, governance, and fraud deterrence”. 

The COSO framework is useful for effective ICFR (internal control over financial reporting), including cash controls, accounts payable internal controls, and AP financial controls

The COSO Internal Control-Integrated Framework includes:

1. Control environment 

2. Risk assessment

3. Control activities

4. Information & communication 

5. Monitoring activities

The five sponsoring member firms of COSO are American Accounting Association, American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), The Association of Accountants and Financial Professionals in Business (IMA), and the Institute of Internal Auditors (IIA). 

What is the CAQ Guide to Internal Control over Financial Reporting (ICFR)?

In May 2019, the CAQ (Center for Audit Quality) updated its comprehensive Guide to Internal Control Over Financial Reporting (downloadable PDF file), initially issued in 2013. The Center for Audit Quality is a public policy organization that strives to improve “investor confidence and public trust in the global capital markets.” 

What is the Role of Companies in ICFR? 

Companies set up an ICFR (internal control over financial reporting) strategy, establish policies and procedures for internal control, assess the control environment and risks of material misstatement of financial statements, monitor and approve transactions, test a sample of transactions, and issue ICFR report certifications by the CEO and CFO filed as part of their 10-K.

Companies establish internal control systems with policies and procedures that include segregation of duties, invoice document matching, and authorizations and approvals. For proper separation of duties, the same employee isn’t handling assets like cash and recording accounting transactions for revenue, costs, assets, expenses, and other expenditures. 

Businesses establish a control environment that includes the corporate culture, an ethical executive management tone that encourages proper financial reporting, and the Audit Committee’s review of the financial statements as a source of high-level oversight. 

ICFR relates to the preparation of financial statements and includes data security requirements.

The financial statements should be internally reviewed, including authorizing journal entries, reconciling accounts to the general ledger, comparing financial statements to the underlying accounting records, and evaluating reasonableness through an analytic review. 

FP&A procedures like trend analysis, ratios computation, and variance analysis comparing actual with budgeted amounts should be scrutinized as another check on financial statement accuracy.  

On an annual basis, management’s assessment of internal control over financial statements is performed. Management of public companies reports the results regarding reasonable assurance of the operating effectiveness of ICFR at the business in the 10-K. 

Quarterly, management assesses if any material changes in its ICFR have occurred. In Form 10-Q reports filed with the SEC, management has reporting requirements to disclose that it has responsibility for establishing and maintaining ICFR. It must include any changes to ICFR that have or are likely to affect its ICFR materially. 

All public companies (registrants) must include management’s report on internal control over financial reporting in their Form 10-K annual report filed with the SEC, per SOX 404(a). The SEC requires publicly traded companies with at least $100 million in revenue to have their auditors complete a separate attestation of ICFR (internal control over financial reporting)and also include the auditor attestation report in their Form 10-K. 

The company must disclose material weaknesses in internal control in its SEC filing. The company should have procedures to remedy internal control, particularly those deemed significant deficiencies or the most severe classification of ICFR deficiency, material weaknesses. 

What is the Role of Auditors in ICFR?

Auditors assess their client’s system of internal control procedures for ICFR, including assessing risk of material misstatement of the financial statements and sample testing of transactions. Auditors determine if deficiencies to the extent of material weaknesses in internal control exist. The extent of audit testing increases with weak internal controls at a client company, increasing the annual audit bill. 

In connection with an annual audit or review of the financial statements, auditors issue reports to their privately-held and publicly-traded clients on internal control matters requiring improvement. These reports are presented to management and the Audit Committee of the Board of Directors. Companies should correct these internal control deficiencies on a timely basis. 

As small companies grow to achieve different stages of growth and add employees, their internal controls, including ICFR, should improve because separation of duties, review, approval, and IT systems improve.  

Auditors of public companies with at least $100 million in revenue perform a separate attestation engagement for ICFR and issue an ICFR attestation report included in the client’s Form 10-K filed with the SEC and viewed by stakeholders, including shareholder investors. 

Does the AICPA Provide a Tool for ICFR Compliance?

The AICPA (American Institute of CPAs) provides a downloadable internal control over financial reporting tool for its auditor members to help them document the results of a client entity’s internal control. 

What is the Difference Between ICFR and IFC?

The main difference between ICFR (internal control over financial reporting) and IFC (internal financial control) is that IFC is much more comprehensive than ICFR, which specifically relates to financial reporting internal controls. 

What is the Difference Between ICFR and SOX?

The main difference between ICFR and SOX (Sarbanes-Oxley Act) is that ICFR (internal control over financial reporting) is required for SOX compliance by public companies to detect material errors and fraud in financial statements filed with the SEC. 

SOX covers CEO & CFO (or chief accounting officer – CAO) annual report certifications (section 302) of internal control and the company’s financial statements adequacy, including disclosures, reporting the company’s internal control structure, and data security control policies. SOX regulatory requirements for internal control system policies and procedures (SOX 404) apply to companies and their auditors. 

What is ICFR Testing

ICFR testing is performed by both the company and its auditor to test internal controls over financial statements. Auditors use larger sample sizes later in the year to test internal control procedures, as required by the PCAOB. Companies assess risk and the control environment for testing strategies and implement continuous monitoring. 

What are SEC Requirements for ICFR Attestation?

In amendments effective April 2020, the Securities and Exchange Commission (SEC) exempts reporting companies with under $100 million in revenue from separate attestation of their ICFR (internal control over financial reporting) by an independent auditor. Auditors continue to review a company’s ICFR when performing an integrated financial statement audit with an auditor’s report.  

These SEC amendments change accelerated filer and large accelerated filer definitions besides changing the separate ICFR attestation rule. The amendments specifically exempt those companies eligible to be smaller reporting companies, at least five years after IPO, with less than $100 million in revenue in the most recent fiscal year having audited financial statements. 

In April 2012, the JOBS Act (and SEC) exempted smaller companies with under $100 million in revenues from separate ICFR attestation for the first five years after an IPO. The 2020 SEC amendments extend the exemption beyond the five years for smaller reporting companies not yet reaching $100 million in revenues. The intent is to reduce regulatory burdens for emerging growth companies. 

Recommendations

You may also like