Internal controls over financial reporting: Definition, examples & best practices

What are internal controls over financial reporting?

Internal control over financial reporting is a process that enables companies to manage risk related to their finances and reliably compile accurate financial statements.

More specifically, the accepted internal controls over financial reporting definition includes the daily control policies and procedures employees at all levels must follow when engaging with company finances. This typically involves tracking receipts and seeking managerial approval for all transactions, among other control practices.

ICFR regulations and frameworks

Most shareholders want to not only review financial statements but also receive assurance that those statements are accurate. But investors aren’t the only motivator for ICFR. Several regulations and frameworks dictate the internal control over financial reporting practices companies must implement. These are:

• SOX ICFR regulations: The SEC requires that all public companies comply with the SOX Act, which has numerous requirements for financial reporting controls. This is a crucial way the SEC seeks to bolster consumer and shareholder confidence in the capital market.
• COSO ICFR framework: While the COSO framework isn’t a legal requirement, it does bridge the gap between business imperatives and the risk landscape by offering a pre-defined control structure.
• Financial reporting frameworks: There are several frameworks beyond COSO companies can utilize to meet accounting standards. These include the U.S. Generally Accepted Accounting Principles (GAAP) and the International Financial Reporting Standards (IFRS).

What is the purpose of internal control over financial reporting?

Above all, internal controls over financial reporting mitigate risk. Through effective controls, companies can detect unauthorized use of company resources — whether by an internal bad actor or external breach.

Adopting a financial reporting framework means proactively identifying any activities that could impact financial statements. This increases the quality of financial statements, reduces the likelihood of misstating company assets, and enhances information security.

Examples of internal control over financial reporting

Internal controls and their components should be unique to your organization and industry. After all, a company with retail storefronts will need different controls than an online pharmacy. Several specific examples of financial reporting controls are relatively common across industries. A few of these are:

1. Transaction approvals: In this example, an employee — like a manager or accountant — approves transactions. This should be someone other than the employee purchasing to ensure the purchase is necessary and is an appropriate business expense.
2. Transaction receipts: Many businesses also collect receipts for every transaction to verify the approved funds used are as intended.
3. Account reconciliation: Another IFCR example is reconciliation, which involves using receipts to validate any money coming in and out of company accounts.

What is an audit of internal controls over financial reporting?

During an audit of internal controls over financial reporting, an auditor will assess how effective a business’s controls are. This is typically an external auditor; their published report will offer independent assurance that the business follows credible and ethical financial reporting practices.

The ICFR audit process is an important way to validate financial controls. It’s also an SEC requirement for public companies with over $100 million in revenue. Generally speaking, an ICFR auditor will:

• Review a sample set of transactions
• Identify any weaknesses in internal controls
• Determine whether a company is at risk of misstating finances
• Issue a report of their findings
• Present to management and the board so they can remediate any issues

Audit report on internal controls over financial reporting

During an audit of internal controls over financial reporting, an external auditor will review all controls to ensure they are designed effectively and implemented to protect the organization from financial risk. Audits are a regulatory requirement, but they’re also an invaluable opportunity.

Even the best ICFR process may yield weak internal controls. What’s more, the best controls can flounder because employees don’t know how to follow them. An audit of internal controls over financial reporting pressure tests controls so the auditor discovers potential threats — not hackers and bad actors.

An audit report on internal controls is the product of the audit. It’s the document that describes whether the organization passed the audit and the auditor’s recommendations for improvement.

How do audits report on internal controls?

An external auditor will issue an audit report on internal controls detailing a company’s financial performance and risk management in a given year. This report will summarize the auditor’s findings regarding the different control components: the control environment, the organization’s assessment of risk, control activities, internal communication about controls and control monitoring.

The SEC requires organizations to file the audit report along with the annual report. That said, organizations can also use the auditor's opinion to improve their internal controls or strengthen their financial reporting policies.

Example of an audit report on internal controls

There are four types of audit reports depending on whether the auditor issues a favorable or unfavorable position about the company’s ICFR process. A few examples of those reports are:

1. Clean report: This is the most common report an auditor issues, and it means the company’s financial reporting is satisfactory.
2. Disclaimer report: This is considered an unfavorable audit report and usually suggests that the organization interfered with the auditor’s process in some way.

Adverse report: An organization may receive this audit report on internal controls if its financial statements contain fraud, misstatements or the data wasn’t prepared properly. Though clean reports are the most common opinion auditors issue, disclaimer and adverse reports do happen. While this is a red flag, it’s not the end of the road. Rather, it’s an opportunity to create a plan for improvement, like the one the Government Accountability Office created for the Department of Defense.

Management’s report on internal control over financial reporting

The SEC requires that companies include both a management report on ICFR and an audit report on internal controls in the Form 10-K annual report. This requirement applies to all public companies regardless of revenue. In the report, management should disclose any internal control weaknesses and the plan to repair them.

Internal control over financial reporting checklist

An internal control over financial reporting checklist is a tool that documents controls employees should follow. Employees can use the checklist to verify that they follow the appropriate controls, assuming they aren’t automated. The checklist will likely vary between departments — payroll, for example, has very different needs than customer billing.

Regularly, team members can use the checklist to confirm that their process aligns with established controls. This process reduces internal control weaknesses, strengthens an organization’s culture of compliance and offers assurance that employees at all levels are implementing the proper controls.

A sample checklist for payroll would include:

• Matching timesheets to individual employees
• Seeking approval on billed hours from supervisors
• Confirming the hours in payroll match hours in timesheets
• Having the payroll manager review paychecks before they go out
• Depositing paychecks to accounts associated with the people named on the paychecks

Best practices for internal control over financial reporting

ICFR processes and procedures are iterative, meaning they should evolve along with the business to sidestep possible limitations. Creating a culture that allows for this evolution in internal control over financial reporting starts with effective best practices, including:

For all members of the financial reporting supply chain, the importance of tone at the top cannot be overstated. Management, together with the board of directors, sets this tone by:

• Communicating effectively
• Visibly adhering to clear ethical principles and codes of conduct
• Providing necessary support and resources for robust fraud risk management programs and internal controls

2. Watch for warning signs

Often, the tone at the top needs to improve to encourage company-wide adoption of ICFR. Warning signs that the tone needs improvement include:

• A very strong-willed CEO who creates a “don’t ask questions” culture. CEOs tend to have commanding personalities, but it is a problem if a CEO is so intimidating that opposing views are not welcomed or adequately considered.
• A culture of perfection that inhibits open and transparent communication. “Perfection might sound good — everyone is striving to do their best,” said one workshop participant. “But will anybody raise their hand when there’s bad news to deliver?” In a culture of perfection, problems can be ignored and allowed to mushroom.
• Pressure to meet key metrics. How much pressure is there to find that extra revenue or income to meet an analyst’s forecast or comply with a debt covenant? A related issue: significant compensation plans that are tied only to revenue and earnings. “Compensation needs to be a combination of short — and long-term incentives,” observed a participant. “Compliance must be part of the compensation determination as well.”

3. Enhance the vital role of the audit committee

As observed by Wesley R. Bricker, Chief Accountant at the Securities and Exchange Commission, audit committees “play a critical role in contributing to financial statement credibility through their oversight and resulting impact on the integrity of a company’s culture and ICFR, the quality of financial reporting, and the quality of audits performed on behalf of investors.”

In keeping with this critical role, there are several critical approaches the audit committee can take to increase the chances of earning a favorable audit report on internal controls over financial reporting:

• The audit committee’s lines of communication should be widely open to senior management, not just to the CEO and CFO. Employees should feel comfortable reporting to the audit committee, either directly or through the company’s ethics hotline, in situations where they believe they have been pressured by management to perform illegal or unethical acts.
• The audit committee should look beyond their meeting materials and ask, “What else should we be talking about?” Similarly, audit committee meetings with management are often arranged for a specific purpose, with agendas decided well in advance of meetings. Audit committees should be proactive in broaching other topics when necessary.
• The audit committee needs to take greater ownership of accounting issues and ask more open-ended questions about them. One workshop participant recommended that a member of the audit committee listen to the company’s earnings call with analysts to consider if the messaging is consistent with the financial filings.
• For audit committees in industries with highly specialized accounting, the audit committee may benefit from external industry specialists. The role of the audit committee should include challenging senior management on the accounting for complex transactions and estimates. Having expert advice promotes the ability to have a robust dialogue on these issues.
• When audit committee members and management have both served long terms, there can be a tendency for problems to go unnoticed and questions left unasked. Turnover on boards can provide fresh eyes and a new spirit for engaging in accounting issues.
• As part of the assessment of ICFR by both the company and the external auditor, concerns related to inadequate or ineffective staffing should be considered when evaluating the design and operation of a company’s controls. Some participants said the external auditor and audit committees should address the topic of company staffing before it appears in the audit report on internal controls.
• Formal and informal interactions are necessary between and among external auditors, the financial reporting team, internal auditors, and the audit committee. These interactions strengthen the relationships and enable more candid communication.

Streamline internal controls over financial reporting

Internal controls over financial reporting aren’t something to take lightly. Robust ICFR processes are essential to SOX compliance and offer shareholders much-needed assurance about the viability of their financial practices.

Though you can implement ICFR manually, choosing the right software solution is integral to mastering internal controls over financial reporting for the long term. Download Diligent’s buyer’s guide to what to look for as you research internal controls management solutions.