From risk assessment to monitoring


A guide to effective internal controls over financial reporting

Discover the potential benefits of effective internal controls over financial and non-financial reporting (ICFR)

Internal controls: A primer for private company owners and executives

Reliable information is vital for companies to make strategic business decisions. But how can you ensure your company’s data flows are timely, accurate and reliable?

Internal controls can mitigate financial risks, allowing private companies across a broad spectrum—whether venture-backed, private equity investor-funded or family businesses—to gain business value from their internal controls program.

Overview: Private company internal controls over financial reporting

Public and private companies are subject to different regulatory requirements regarding their financial and non-financial disclosures, including the target of their disclosures and the level of detail they should contain. However, private companies can still benefit from certain lessons learned by public companies, including the financial value of effective internal controls over financial reporting.
The following points explore:

  • What internal controls are, the value they can provide, the role of a risk assessment, and how to apply the results of the assessment;
  • Internal control design and implementation; and
  • How to sustain, monitor and rationalize controls over time.

1. Internal controls and risk assessments: What every company should know

ICFR play an integral part in finance operations that can help mitigate risks and add business value.

Internal controls play an integral part in operations that can help mitigate risks and add business value.

An internal control system should be informed by an appropriately detailed and periodically performed risk assessment. This should identify which critical processes could be susceptible to errors that may result in quantitatively and qualitatively significant risks for your company. A risk assessment can help you determine the impacts of these errors on your company, helping you focus on those most relevant to your business strategy and operations.

Once this is done, it is time to design and implement the internal controls over financial reporting.

2. Deploying internal controls over financial and non-financial reporting: What private companies can learn from public entities

Designing and implementing internal controls is a multistep process. After performing a risk assessment and identifying specific areas of risk, you should try to gain a clear picture of “what could go wrong” in each area—a prerequisite to understanding your company’s risks and designing effective internal controls.

Once risks or risk areas are identified, categorized and prioritized, it is important to consider what type of internal controls could best mitigate these risks—i.e., preventive or detective, manual or automated. This can vary according to the assessed level of risk and other factors.

As you implement the controls, do not underestimate the importance of clear and detailed documentation. Control owners are only effective if they have a clear understanding of the process related to the control and the internal control design itself.

With documented controls in place, it is time to close the loop on the controls environment by developing an effective monitoring program. This can help you sustain, monitor and rationalize the controls over time.

3. Internal controls: Extending value over time

An important aspect of a system of internal controls over financial reporting is determining how to maintain their effectiveness and, optimally, improve them over time. A well-designed internal control framework, informed by periodic risk assessments, can make your system of internal controls nimble and scalable. It can also help you assure the controls are operating effectively and remain relevant as your business grows and evolves.

The following considerations should guide the development of your monitoring program:

  • Who will be on the monitoring team?
  • What is expected of team members?
  • How will control deficiencies be defined and identified?

To provide value, your internal control framework should also be scalable and flexible. As your company evolves over time, new risks may be identified, and previously identified risks may no longer be relevant. Such changes provide an opportunity to rationalize your internal controls.


Luc Brucher

Partner | Public Sector & Healthcare Leader

Luc has over 20 years of experience in audit and advisory services, mainly in the commercial, industrial and public sectors. Luc is part of Deloitte’s multidisciplinary service line dedicated to com...

Bettina Werner

Partner | Assurance and CFO Advisory

Bettina supports CFOs and finance functions on accounting and reporting challenges, including financial close optimization, internal controls audit readiness and accounting technology implementati...
