Internal Control over Financial Reporting(ICFR)

01 Sep 2023

Internal Control Over Financial Reporting (ICFR)

Internal Control Over Financial Reporting (ICFR)

By: Ume Onyedikachi. C

Introduction to ICFR

ICFR or ICOFR which stands for internal control of financial reporting refers to internal controls implemented within a company to confront the risks involved in financial reporting. Some of these risks include: The risk of material misstatement, risk of misreporting against standards, risk of fraud and other financial crimes, etc. The SEC in Nigeria issued a guideline for the implementation of sections 60 to 63 of the Investments and securities act of 2007 which requires publicly quoted companies to include in their annual reports an audited report of the company’s internal control system to assure the level of reliability of its financial reporting and conformance of financial statements with accounting standards. The main objective of ICFR is to establish a system that protects the interest of investors and stakeholders in the firm by preventing fraud and manipulation of the financial statements prepared and reported by the company.

Financial reporting is an important aspect of the market standing and operation of public ally quoted companies because it represents the financial position and performance of a firm on the stock market through its revenue figures, earnings, growth percentages, etc. The market’s expectation of the firm’s improvement in its performance in terms of revenue puts pressure on management to modify and manipulate records and reports to meet these thresholds. This creates doubts in the mind of the public on the truthfulness of the financial reports, whereas where effective ICFR is put in place, it provides reasonable assurance of the credibility and reliability of financial records not being adjusted to meet these pressures.  ICFR should therefore be designed to curb any manipulation of financial statements and tailored to cater to any specific need of the firm.

Weaknesses of ICFR

  1. The design of internal controls: The design of internal control adopted by a firm should be formulated in such a way that suits the company’s management, employees, financial reporting, and management as a whole. ICFR should be tailored to meet the risk of reporting unique to the company. The strength of the ICFR adopted by a company is crucial but no system of ICFR can provide absolute assurance that the financial statements are free from misstatements.
  2. Cost efficiency: While the maintenance of ICFR remains an obligation for public companies, the cost of consideration may affect its strength and design it. Therefore, it becomes impossible for companies with minimal finances to adopt an ICFR system that detects misstatements on a timely basis.
  3. Fraud: Intentional misstatement or fraud by employees who are meant to implement the internal control system but manipulate the control systems for their gain also nullify the ability of ICFR to detect misstatements. This is a huge possibility because the employees who operate the internal controls will know how to work around them to commit fraud.
  4. Human error: As long as ICFR continues to be operated by individuals, there remains room for misstatements and fraud. This is a result of humans’ tendency to make mistakes which extends into the internal control system. A strong system may be put in place by management but incorrect or mistakes in operating ICFR may still lead to misstatement in the records.
  5. Management override: It is also possible for management to decide to negate the internal controls put in place and direct employees to manipulate or contour the figure in the financial statement to either improve the image of the company in terms of performance or to get personal gain from it. The influence of management over the organization allows them to do as they please unchecked.

It is noteworthy, that control systems provide reasonable but not absolute assurance that financial statements represent a true and fair view of the company’s position and are prepared by accounting standards. Control systems are just as effective as management and staff operating it allow it to be.

COSO Framework on Internal Control

The COSO framework, or the Committee of Sponsoring Organizations of the Treadway Commission framework, is a widely recognized and accepted framework for internal control. It was developed by a joint initiative of five professional organizations: the American Accounting Association, the American Institute of Certified Public Accountants, the Financial Executives International, the Institute of Internal Auditors, and the Institute of Management Accountants.

The COSO framework provides guidance and a comprehensive approach for organizations to design, implement, and assess internal control systems. It helps organizations achieve their objectives by managing risks effectively, ensuring reliable financial reporting, and complying with laws and regulations.

Components of the COSO framework

The framework consists of five integrated components that work together to support effective internal control: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring. These components are interconnected and should be considered holistically when establishing internal control systems.

  1. Control Environment: The control environment sets the tone for the organization and influences the control consciousness of its employees. It includes factors such as management’s integrity and ethical values, the organization’s commitment to competence and accountability, and the establishment of a structure that supports effective internal control.
  2. Risk Assessment: Risk assessment involves identifying and analyzing risks that could hinder the achievement of organizational objectives. This comprises an assessment of both internal and external risks, examining their impact potential, and ascertaining the possibility of them occurring. This component helps organizations prioritize their efforts and allocate resources effectively.
  3. Control Activities: Control activities are the policies, procedures, and practices that are implemented to mitigate identified risks. They can include a wide range of activities such as approvals, authorizations, reconciliations, segregation of duties, and physical controls. Control activities are designed to ensure that actions are taken to address risks and that they are executed effectively.
  4. Information and Communication: This component focuses on the timely and accurate communication of relevant information throughout the organization. It involves the identification, capture, and exchange of information needed to support internal control processes. Effective communication ensures that employees have the necessary information to carry out their responsibilities and make informed decisions.
  5. Monitoring: Monitoring is an ongoing process that assesses the effectiveness of internal controls over time. It involves regular evaluations of the design and operation of internal controls to identify deficiencies or areas for improvement. Monitoring activities can include management reviews, internal audits, self-assessments, and feedback from external parties. It helps organizations identify weaknesses in their internal control system and take corrective actions as needed.

These five components are interrelated and should be considered together when designing, implementing, and assessing internal control systems. They provide a comprehensive framework for organizations to manage risks, achieve their objectives, and maintain effective internal control. By following the COSO framework, organizations can establish a strong internal control system that helps them achieve their objectives, manage risks effectively, and ensure reliable financial reporting. It provides a comprehensive framework that can be tailored to fit the specific needs and circumstances of each organization.

Sections 60 – 63 of the Investments and Securities Act 2007

The Securities and Exchange Commission (SEC) in Nigeria defines ICFR as Internal Control over Financial Reporting. It refers to the processes, policies, and procedures implemented by a company to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements by applicable laws, regulations, and accounting standards. ICFR includes controls related to the recording, processing, summarizing, and reporting of financial transactions, as well as controls over the safeguarding of assets and the prevention and detection of fraud. The SEC in Nigeria emphasizes the importance of effective ICFR in ensuring the accuracy, completeness, and reliability of financial information provided by public companies.

ICFR Roles and Responsibilities on internal controls of public companies are given in sections 60 – 63 of Investments and securities act 2007

Role of auditors in ICFR

Section 60-63 of the Investments and Securities Act 2007 in Nigeria outlines the duties of an auditor regarding internal controls of public companies. These duties include:

  1. Assessing the Adequacy of Internal Controls: Auditors are required to assess the adequacy of internal controls within a public company. This involves evaluating the design, implementation, and effectiveness of internal control systems to ensure they are sufficient to mitigate risks and safeguard assets.
  2. Reporting on Internal Controls: Auditors must report on the adequacy of internal controls in their audit reports. They should provide an opinion on whether the internal control systems are effective in preventing and detecting fraud, errors, and irregularities.
  3. Evaluating Compliance with Laws and Regulations: Auditors should evaluate whether the internal controls of a public company ensure compliance with applicable laws, regulations, and standards. This includes assessing whether the company has established appropriate procedures to detect and prevent non-compliance.
  4. Detecting and Reporting Fraud: Auditors must detect and report any instances of fraud or suspected fraud that they come across during their audit. They should assess the effectiveness of internal controls in detecting and preventing fraudulent activities and report any findings to management, the board of directors, or regulatory authorities as necessary.
  5. Assessing the Reliability of Financial Statements: Auditors are responsible for assessing the reliability of financial statements prepared by a public company. This includes evaluating whether the internal controls in place provide reasonable assurance that transactions are properly recorded, assets are safeguarded, and financial statements are free from material misstatements.
  6. Maintaining Independence and Professional Skepticism: Auditors must maintain independence and exercise professional skepticism throughout their audit of internal controls. They should approach their work objectively and critically assess the information and evidence provided by the company.

These duties outlined in Section 60-63 of the Investments and Securities Act 2007 aim to ensure that auditors fulfill their responsibilities in evaluating and reporting on the adequacy and effectiveness of internal controls within public companies in Nigeria. By doing so, auditors contribute to the transparency, accountability, and integrity of financial reporting and the protection of investor interests.

Role of Directors in ICFR

Section 60-63 of the Investments and Securities Act 2007 in Nigeria also outlines the duties of directors regarding internal controls of public companies. These duties include:

  1. Establishing and Maintaining Internal Controls: Directors are responsible for establishing and maintaining effective internal control systems within their public company. This involves implementing policies, procedures, and processes that provide reasonable assurance regarding the reliability of financial reporting, the safeguarding of assets, and the prevention and detection of fraud.
  2. Assessing the Effectiveness of Internal Controls: Directors must assess the effectiveness of internal controls within their public company. This includes regularly reviewing and evaluating the design, implementation, and operation of internal control systems to ensure they are adequate and functioning as intended.
  3. Disclosing Deficiencies in Internal Controls: Directors must disclose any significant deficiencies or weaknesses in internal controls to shareholders, regulatory authorities, and other relevant stakeholders. This includes promptly reporting any material weaknesses or breakdowns in internal controls that could have a significant impact on the company’s financial reporting or operations.
  4. Implementing Recommendations from Auditors: Directors should take appropriate action to address any recommendations or findings provided by auditors regarding internal controls. This may involve implementing corrective measures, strengthening control procedures, or enhancing monitoring and oversight mechanisms.
  5. Ensuring Compliance with Laws and Regulations: Directors are responsible for ensuring that the internal controls of their public company comply with applicable laws, regulations, and standards. This includes establishing appropriate procedures to detect and prevent non-compliance and taking corrective action when necessary.
  6. Overseeing Risk Management: Directors must oversee the risk management processes of their public company. This involves identifying, assessing, and managing risks that could affect the achievement of the company’s objectives, including risks related to internal controls.

These duties outlined in Section 60-63 of the Investments and Securities Act 2007 emphasize the importance of directors’ responsibilities in establishing, maintaining, and monitoring internal controls within public companies. By fulfilling these duties, directors contribute to the overall effectiveness and integrity of internal control systems, ensuring the protection of shareholder interests and promoting good corporate governance practices.

If you require support to comply with ICFR requirement by SEC, please contact us

Facebook Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Open chat
Hoa can we help you?