Blog / Audit & Analytics

Kezia Farnham
Senior Manager

Internal controls over financial reporting:

Definition, examples & best practices
November 29, 2023 • 8 min read

Many factors go into the robust confidence that investors consistently show in U.S. financial
markets, including internal control over financial reporting (ICFR). It’s the framework of
controls companies use to compile and deliver accurate financial statements; it’s also the
focus for critical external audits businesses must pass. Investors depend on reliable financial
information, and effective ICFR — including a successful
Hi there 👋audit report
thanks on internal controls —
for visiting
1
helps reduce the risk that financial statements willDiligent!
containCanmaterial errors
I point you orright
in the misstatements.
direction?I'm a virtual agent...
As with any system, maintaining sound ICFR requires continual effort and dialogue among
stakeholders on creating and maintaining effective ICFR controls. This article will help those
involved with financial reporting establish better controls by explaining:
What internal control over financial reporting
Regulations and frameworks that influence ICFR
ICFR examples
How to report on ICFR, including the audit report on internal controls
Internal controls over financial reporting best practices

What are internal controls over financial reporting?

Internal control over financial reporting is a process that enables companies to manage risk
related to their finances and reliably compile accurate financial statements.
More specifically, the accepted internal controls over financial reporting definition includes
the daily control policies and procedures employees at all levels must follow when
engaging with company finances. This typically involves tracking receipts and seeking
managerial approval for all transactions, among other control practices.

ICFR regulations and frameworks

Most shareholders want to not only review financial statements but also receive assurance
that those statements are accurate. But investors aren’t the only motivator for ICFR. Several
regulations and frameworks dictate the internal control over financial reporting practices
companies must implement. These are:
SOX ICFR regulations: The SEC requires that all public companies comply with the SOX
Act, which has numerous requirements for financial reporting controls. This is a crucial way
the SEC seeks to bolster consumer and shareholder confidence in the capital market.
COSO ICFR framework: While the COSO framework isn’t a legal requirement, it does
bridge the gap between business imperatives and the risk landscape by offering a pre-
defined control structure.
Financial reporting frameworks: There are several frameworks beyond COSO companies
can utilize to meet accounting standards. These include the U.S. Generally Accepted
Accounting Principles (GAAP) and the International Financial Reporting Standards (IFRS).

What is the purpose of internal control over financial

reporting?
Above all, internal controls over financial reporting mitigate risk. Through effective controls,
companies can detect unauthorized use of company resources — whether by an internal bad
actor or external breach.
Adopting a financial reporting framework means proactively identifying any activities that
could impact financial statements. This increases the quality of financial statements,
reduces the likelihood of misstating company assets, and enhances information security.

Examples of internal control over financial reporting

Internal controls and their components should be unique to your organization and industry.
After all, a company with retail storefronts will need different controls than an online
pharmacy. Several specific examples of financial reporting controls are relatively common
across industries. A few of these are:
1. Transaction approvals: In this example, an employee — like a manager or accountant —
approves transactions. This should be someone other than the employee purchasing to
ensure the purchase is necessary and is an appropriate business expense.
2. Transaction receipts: Many businesses also collect receipts for every transaction to verify
the approved funds used are as intended.
3. Account reconciliation: Another IFCR example is reconciliation, which involves using
receipts to validate any money coming in and out of company accounts.

What is an audit of internal controls over financial reporting?

During an audit of internal controls over financial reporting, an auditor will assess how
effective a business’s controls are. This is typically an external auditor; their published report
will offer independent assurance that the business follows credible and ethical financial
reporting practices.
The ICFR audit process is an important way to validate financial controls. It’s also an SEC
requirement for public companies with over $100 million in revenue. Generally speaking, an
ICFR auditor will:
Review a sample set of transactions
Identify any weaknesses in internal controls
Determine whether a company is at risk of misstating finances
Issue a report of their findings
Present to management and the board so they can remediate any issues
Audit report on internal controls over financial reporting
During an audit of internal controls over financial reporting, an external auditor will review all
controls to ensure they are designed effectively and implemented to protect the
organization from financial risk. Audits are a regulatory requirement, but they’re also an
invaluable opportunity.
Even the best ICFR process may yield weak internal controls. What’s more, the best controls
can flounder because employees don’t know how to follow them. An audit of internal
controls over financial reporting pressure tests controls so the auditor discovers potential
threats — not hackers and bad actors.
An audit report on internal controls is the product of the audit. It’s the document that
describes whether the organization passed the audit and the auditor’s recommendations for
improvement.

How do audits report on internal controls?

An external auditor will issue an audit report on internal controls detailing a company’s
financial performance and risk management in a given year. This report will summarize the
auditor’s findings regarding the different control components: the control environment, the
organization’s assessment of risk, control activities, internal communication about controls
and control monitoring.
The SEC requires organizations to file the audit report along with the annual report. That said,
organizations can also use the auditor's opinion to improve their internal controls or
strengthen their financial reporting policies.

Example of an audit report on internal controls

There are four types of audit reports depending on whether the auditor issues a favorable or
unfavorable position about the company’s ICFR process. A few examples of those reports
are:
1. Clean report: This is the most common report an auditor issues, and it means the
company’s financial reporting is satisfactory.
2. Disclaimer report: This is considered an unfavorable audit report and usually suggests that
the organization interfered with the auditor’s process in some way.

Adverse report: An organization may receive this audit report on internal controls if its
financial statements contain fraud, misstatements or the data wasn’t prepared properly.
Though clean reports are the most common opinion auditors issue, disclaimer and adverse
reports do happen. While this is a red flag, it’s not the end of the road. Rather, it’s an
opportunity to create a plan for improvement, like the one the Government Accountability
Office created for the Department of Defense.

Management’s report on internal control over financial reporting

The SEC requires that companies include both a management report on ICFR and an audit
report on internal controls in the Form 10-K annual report. This requirement applies to all
public companies regardless of revenue. In the report, management should disclose any
internal control weaknesses and the plan to repair them.

Internal control over financial reporting checklist

An internal control over financial reporting checklist is a tool that documents controls
employees should follow. Employees can use the checklist to verify that they follow the
appropriate controls, assuming they aren’t automated. The checklist will likely vary between
departments — payroll, for example, has very different needs than customer billing.
Regularly, team members can use the checklist to confirm that their process aligns with
established controls. This process reduces internal control weaknesses, strengthens an
organization’s culture of compliance and offers assurance that employees at all levels are
implementing the proper controls.
A sample checklist for payroll would include:
Matching timesheets to individual employees
Seeking approval on billed hours from supervisors
Confirming the hours in payroll match hours in timesheets
Having the payroll manager review paychecks before they go out
Depositing paychecks to accounts associated with the people named on the paychecks

Best practices for internal control over financial reporting

ICFR processes and procedures are iterative, meaning they should evolve along with the
business to sidestep possible limitations. Creating a culture that allows for this evolution in
internal control over financial reporting starts with effective best practices, including:
1. Set a healthy tone at the top
For all members of the financial reporting supply chain, the importance of tone at the top
cannot be overstated. Management, together with the board of directors, sets this tone by:
Communicating effectively
Visibly adhering to clear ethical principles and codes of conduct
Providing necessary support and resources for robust fraud risk management programs
and internal controls

2. Watch for warning signs

Often, the tone at the top needs to improve to encourage company-wide adoption of ICFR.
Warning signs that the tone needs improvement include:
A very strong-willed CEO who creates a “don’t ask questions” culture. CEOs tend to have
commanding personalities, but it is a problem if a CEO is so intimidating that opposing
views are not welcomed or adequately considered.
A culture of perfection that inhibits open and transparent communication. “Perfection
might sound good — everyone is striving to do their best,” said one workshop participant.
“But will anybody raise their hand when there’s bad news to deliver?” In a culture of
perfection, problems can be ignored and allowed to mushroom.
Pressure to meet key metrics. How much pressure is there to find that extra revenue or
income to meet an analyst’s forecast or comply with a debt covenant? A related issue:
significant compensation plans that are tied only to revenue and earnings. “Compensation
needs to be a combination of short — and long-term incentives,” observed a participant.
“Compliance must be part of the compensation determination as well.”

3. Enhance the vital role of the audit committee

As observed by Wesley R. Bricker, Chief Accountant at the Securities and Exchange
Commission, audit committees “play a critical role in contributing to financial statement
credibility through their oversight and resulting impact on the integrity of a company’s
culture and ICFR, the quality of financial reporting, and the quality of audits performed on
behalf of investors.”
In keeping with this critical role, there are several critical approaches the audit committee
can take to increase the chances of earning a favorable audit report on internal controls over
financial reporting:
The audit committee’s lines of communication should be widely open to senior
management, not just to the CEO and CFO. Employees should feel comfortable reporting
to the audit committee, either directly or through the company’s ethics hotline, in
situations where they believe they have been pressured by management to perform illegal
or unethical acts.
The audit committee should look beyond their meeting materials and ask, “What else
 should we be talking about?” Similarly, audit committee meetings with management are
often arranged for a specific purpose, with agendas decided well in advance of meetings.
Audit committees should be proactive in broaching other topics when necessary.
The audit committee needs to take greater ownership of accounting issues and ask more
open-ended questions about them. One workshop participant recommended that a
member of the audit committee listen to the company’s earnings call with analysts to
consider if the messaging is consistent with the financial filings.
For audit committees in industries with highly specialized accounting, the audit committee
may benefit from external industry specialists. The role of the audit committee should
include challenging senior management on the accounting for complex transactions and
estimates. Having expert advice promotes the ability to have a robust dialogue on these
issues.
When audit committee members and management have both served long terms, there
can be a tendency for problems to go unnoticed and questions left unasked. Turnover on
boards can provide fresh eyes and a new spirit for engaging in accounting issues.
As part of the assessment of ICFR by both the company and the external auditor,
concerns related to inadequate or ineffective staffing should be considered when
evaluating the design and operation of a company’s controls. Some participants said the
external auditor and audit committees should address the topic of company staffing
before it appears in the audit report on internal controls.
Formal and informal interactions are necessary between and among external auditors, the
financial reporting team, internal auditors, and the audit committee. These interactions
strengthen the relationships and enable more candid communication.

Streamline internal controls over financial reporting

Internal controls over financial reporting aren’t something to take lightly. Robust ICFR
processes are essential to SOX compliance and offer shareholders much-needed
assurance about the viability of their financial practices.
Though you can implement ICFR manually, choosing the right software solution is integral to
mastering internal controls over financial reporting for the long term. Download Diligent’s
buyer’s guide to what to look for as you research internal controls management solutions.
Solutions

Resources

Company

security Your Data Matters

At our core, transparency is key. We prioritize your privacy by providing clear information about
your rights and facilitating their exercise. You're in control, with the option to manage your
preferences and the extent of information shared with us and our partners.

Privacy Policy

Terms of use

Cookie Policy

Digital Services Act

Your Privacy Choices

Trust Center

Vulnerability Disclosure Program

Modern Slavery
© 2024 Diligent Corporation. All rights reserved.