What Are Internal Controls Over Financial Reporting?

Internal controls over financial reporting (ICFR) are the policies, procedures, and activities that an organization designs and operates to provide reasonable assurance that its financial statements are reliable, accurate, and prepared in conformity with GAAP. For public companies in the United States, ICFR is not optional – it is mandated by Section 404 of the Sarbanes-Oxley Act (SOX), which requires both management’s assessment and, for larger filers, an independent auditor’s attestation of the effectiveness of ICFR.

But ICFR is not just a compliance obligation. A well-designed control environment reduces the risk of material misstatement, accelerates the financial close, supports operational decision-making, and builds trust with investors, lenders, and regulators. This guide provides a practical framework for building and maintaining ICFR that serves both compliance and operational objectives.

The COSO Framework

In 2013 the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published the Internal Control – Integrated Framework, which is the most widely used framework for evaluating ICFR. The framework identifies five interrelated components and 17 principles:

1. Control Environment

The tone at the top. This component addresses the organization’s commitment to integrity and ethical values, the board’s oversight of internal controls, management’s philosophy and operating style, organizational structure, and the assignment of authority and responsibility.

Key principles:

  • Demonstrate commitment to integrity and ethical values
  • Exercise oversight responsibility
  • Establish structure, authority, and responsibility
  • Demonstrate commitment to competence
  • Enforce accountability

2. Risk Assessment

The process of identifying and analyzing risks that could prevent the organization from achieving its financial reporting objectives. This includes identifying risks of material misstatement, assessing the likelihood and magnitude of those risks, and evaluating the potential for fraud.

Key principles:

  • Specify suitable objectives
  • Identify and analyze risk
  • Assess fraud risk
  • Identify and analyze significant change

3. Control Activities

The specific actions taken to address risks. Control activities include authorizations, approvals, verifications, reconciliations, reviews of performance, segregation of duties, and IT general controls.

Key principles:

  • Select and develop control activities
  • Select and develop general controls over technology
  • Deploy through policies and procedures

4. Information and Communication

The systems and processes that support the identification, capture, and exchange of information in a form and timeframe that enable people to carry out their responsibilities.

Key principles:

  • Use relevant information
  • Communicate internally
  • Communicate externally

5. Monitoring Activities

The ongoing and separate evaluations that assess whether the five components of internal control are present and functioning.

Key principles:

  • Conduct ongoing and/or separate evaluations
  • Evaluate and communicate deficiencies

Designing an Effective ICFR Program

Step 1: Scope the Assessment

Determine which entities, accounts, and processes are in scope for the ICFR assessment. For SOX compliance, focus on:

  • Significant accounts – Accounts that have a reasonable possibility of containing a material misstatement. Consider both quantitative materiality and qualitative risk factors.
  • Significant processes – The business processes that affect the significant accounts (e.g., revenue, procurement, payroll, treasury, financial close).
  • Significant locations – For multi-entity organizations, determine which subsidiaries or locations are individually significant or require testing based on aggregation risk.

Step 2: Identify Risks and Assertions

For each significant account and process, identify the relevant financial statement assertions:

  • Existence/Occurrence – Transactions and balances exist and occurred during the period.
  • Completeness – All transactions that should be recorded have been recorded.
  • Valuation/Accuracy – Amounts are recorded at the correct values.
  • Rights and Obligations – Assets are rights of the entity; liabilities are obligations.
  • Presentation and Disclosure – Accounts are properly classified and disclosed.

Map each identified risk to the specific assertion it threatens. This risk-assertion matrix becomes the foundation for control design.

Step 3: Design and Document Controls

For each identified risk, design one or more controls that mitigate the risk to an acceptable level. Controls can be:

  • Preventive – Stop errors or fraud before they occur (e.g., system-enforced approval workflows, segregation of duties).
  • Detective – Identify errors or fraud after they occur (e.g., reconciliations, management review of journal entries, variance analysis).

Both types are important. A healthy control environment includes a mix of preventive and detective controls.

Control Documentation Standards

Each control should be documented with:

  • Control objective – What risk does this control address?
  • Control description – What is done, by whom, how often, and what evidence is retained?
  • Control owner – The individual responsible for operating the control.
  • Key inputs – The information or reports used to perform the control.
  • Evidence of performance – The documentation that demonstrates the control was operated (e.g., sign-offs, system logs, reconciliation files).
  • Frequency – Daily, weekly, monthly, quarterly, or annually.
  • Type – Manual, automated, or IT-dependent manual control.

IT General Controls (ITGCs)

IT general controls underpin the reliability of automated controls and IT-dependent manual controls. The four major categories are:

  1. Access to programs and data – Logical access controls, user provisioning, and periodic access reviews.
  2. Program change management – Controls over the development, testing, and deployment of changes to applications and infrastructure.
  3. Computer operations – Job scheduling, backup and recovery, and incident management.
  4. Program development – Controls over the development and implementation of new systems.

Common ITGC Deficiencies

  • Inadequate segregation of duties between developers and those who deploy changes to production.
  • Failure to remove access promptly when employees terminate or change roles.
  • Insufficient documentation of change management approvals.
  • Lack of regular access reviews for critical financial applications.
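A periodic access review of the kind the last three deficiencies call for, written here as an added example (it is not from this guide and not any GRC product's code). It runs over a constructed HR roster and a constructed access export from a financial application, both in assumed formats, and flags terminated staff whose accounts are still active as well as users holding conflicting role pairs such as developer plus production deployer.

```python
"""Access review over constructed data (assumed export formats, not any real
product's). Flags (1) terminated staff whose accounts remain active and
(2) segregation-of-duties conflicts such as developer + production deployer."""
from datetime import date, timedelta

# Constructed HR roster: user -> termination date (None = still employed)
HR_ROSTER = {
    "alice": None,
    "bob": date(2024, 3, 15),
    "carol": None,
    "dave": date(2024, 4, 30),
}

# Constructed access export from a financial application: user -> (roles, active)
APP_ACCESS = {
    "alice": ({"developer", "prod_deploy"}, True),
    "bob": ({"ap_clerk"}, True),
    "carol": ({"ap_clerk", "ap_approver"}, True),
    "dave": ({"gl_post"}, False),
}

# Role pairs one person should not hold together (assumed policy, not a standard list)
SOD_CONFLICTS = [
    ({"developer", "prod_deploy"}, "developer can deploy own change"),
    ({"ap_clerk", "ap_approver"}, "can enter and approve own invoices"),
]

REVIEW_DATE = date(2024, 6, 30)  # constructed review cut-off date

def find_stale_access(hr, access, as_of, grace_days=1):
    """Return (user, days_since_termination) for terminated users still active."""
    stale = []
    for user, (_roles, active) in access.items():
        term = hr.get(user)
        if active and term is not None and as_of - term > timedelta(days=grace_days):
            stale.append((user, (as_of - term).days))
    return sorted(stale)

def find_sod_violations(access, conflicts):
    """Return (user, reason) for every active user holding a conflicting role pair."""
    found = []
    for user, (roles, active) in access.items():
        if not active:
            continue
        for pair, reason in conflicts:
            if pair <= roles:  # user holds every role in the conflicting pair
                found.append((user, reason))
    return sorted(found)

if __name__ == "__main__":
    for user, days in find_stale_access(HR_ROSTER, APP_ACCESS, REVIEW_DATE):
        print(f"STALE ACCESS: {user} terminated {days} days ago, account still active")
    for user, reason in find_sod_violations(APP_ACCESS, SOD_CONFLICTS):
        print(f"SOD CONFLICT: {user}: {reason}")
```

The two functions' output is the evidence of performance for the review: retain it with the reviewer's sign-off and the ticket that removed or re-assigned each flagged account.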

Testing Controls

Management Testing

Management must test the operating effectiveness of controls to support its annual assessment. Testing approaches include:

  • Inquiry – Asking control owners how they perform the control (never sufficient on its own).
  • Observation – Watching the control being performed.
  • Inspection – Examining the evidence of control performance (e.g., reviewing signed reconciliations, approved journal entries, system reports).
  • Re-performance – Independently performing the control to verify the result.

The most persuasive evidence combines inspection and re-performance.

Sample Sizes

Sample sizes for testing depend on the frequency of the control:

Control Frequency                 Typical Sample Size
Annual                            1
Quarterly                         2
Monthly                           2-5
Weekly                            5-15
Daily                             20-25
Per transaction (high volume)     25-40

These are general guidelines. Your auditor may require different sample sizes depending on the risk profile and the nature of the control.

Testing Automated Controls

Automated controls that are fully system-enforced (e.g., three-way match in AP, system-calculated depreciation) generally require only one test per period, provided the related ITGCs are effective and no changes were made to the application during the period. This is the concept of “test one, rely many.”

Evaluating Deficiencies

When a control does not operate effectively, the deficiency must be evaluated for severity:

  • Control deficiency – A deficiency exists when the design or operation of a control does not allow management or employees to prevent or detect misstatements on a timely basis.
  • Significant deficiency – A deficiency, or combination of deficiencies, that is less severe than a material weakness but important enough to merit the attention of those responsible for oversight of financial reporting.
  • Material weakness – A deficiency, or combination of deficiencies, such that there is a reasonable possibility that a material misstatement will not be prevented or detected on a timely basis.

Factors in Severity Assessment

  • The magnitude of the potential misstatement (could it be material?)
  • The likelihood of the misstatement occurring
  • Whether compensating controls exist that mitigate the deficiency
  • The nature of the affected accounts and disclosures
  • The volume and monetary value of transactions processed through the control

Remediation

When a deficiency is identified, develop a remediation plan that includes:

  1. Root cause analysis – Why did the control fail? Was it a design issue, an execution issue, or both?
  2. Corrective action – What changes will be made to the control design, the process, the technology, or the personnel?
  3. Timeline – When will the remediation be implemented and ready for testing?
  4. Validation – How will management confirm that the remediated control is operating effectively? This typically requires testing the redesigned control over a sufficient period.

Building a Sustainable ICFR Program

Embed Controls in Daily Operations

Controls should not feel like a separate compliance activity layered on top of the business process. The most effective controls are built into the process itself – automated validations, system-enforced workflows, and exception-based reviews.

Invest in Training

Control owners must understand not just what they are supposed to do, but why. Annual training on ICFR responsibilities, documentation standards, and common pitfalls reduces the likelihood of control failures.

Maintain a Living Control Matrix

The risk and control matrix (RCM) is a living document that should be updated whenever processes change, systems are replaced, or new risks emerge. Assign ownership of the RCM to a specific team (typically internal audit or the controllership) and require an annual refresh.

Leverage Technology

GRC (Governance, Risk, and Compliance) platforms can automate control testing, track deficiency remediation, and provide dashboards for management and the audit committee. For organizations with a large number of controls, the efficiency gains from automation are substantial.

Coordinate with External Auditors

Maintain an ongoing dialogue with your external auditors about the scope of the ICFR assessment, the testing approach, and any emerging risks. Surprises during the audit are almost always more expensive than proactive communication.

Final Thoughts

ICFR is often perceived as a burden, but it is better understood as the infrastructure that makes reliable financial reporting possible. Organizations that view internal controls as a strategic investment – rather than a compliance cost – build faster closes, fewer audit adjustments, stronger investor confidence, and more resilient operations. The key is to design controls that are practical, well-documented, and embedded in the way the business actually operates, not bolted on as an afterthought.