Internal control over financial reporting (ICFR) series
Uncover ICFR insights and guidance
In response to increased regulatory focus, our ICFR series explores the benefits of a proactive versus reactive system for internal controls to help your organization improve its ICFR program—and save costs along the way.
Refocus your internal control lens
As the Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB) increase their focus on internal control over financial reporting, this series will share our perspectives on ICFR areas to help you address common challenges and improve your ICFR program.
As Wesley R. Bricker, SEC chief accountant, stated in his December 5, 2016, keynote address before the 2016 American Institute of Certified Public Accountants Conference on Current SEC and PCAOB Developments:
It is hard to think of an area more important than ICFR to our mission of providing high-quality financial information that investors can rely on. If left unidentified or unaddressed, ICFR deficiencies can lead to lower-quality financial reporting and ultimately higher financial reporting restatement rates and higher cost of capital.
Financial statement risk assessments
The starting point to evaluate the sufficiency of an ICFR program should be with a financial statement risk assessment. The risk assessment, which includes specific financial reporting objectives and identification of risks to achieving those objectives, answers these fundamental questions:
- Which controls are necessary to address the company's risks?
- How many controls does the company need?
- What is "just enough" for the company's ICFR program?
A risk assessment that integrates the right people, processes, tools, and techniques serves to identify the relevant risks of material misstatement (ROMMs). The risk assessment also includes the selection of controls and the evaluation of the design of the control in regard to the ROMM. It's through the risk assessment process that a company can report with confidence the number and types of controls necessary to have an effective ICFR system.
What can management do to refresh their lens?
Management's focus on ICFR should start with determining whether the company's risk assessment process is sufficient to identify and assess the risks to reliable financial reporting, including changes in those risks. Proactive steps management can consider include:
- Refreshing the risk assessment program to incorporate the right people, processes, and technologies to unlock the hidden value.
- Integrating data analytics and visualization to improve the quality of the data analyzed to support robust risk identification and report results succinctly to key stakeholders. This, in turn, can rationalize risks of material misstatement to a level of granularity to focus on what could truly be a material misstatement.