Introduction
- Are you a board director or an assurance provider of a company listed on the Nigerian Stock Exchange (now NGX Group), a company classified as a Public Interest Entity, or a company with shares that is registered with the Corporate Affairs Commission (CAC)?
- If yes, has your company complied with the ICFR regulations?
- If your company is still on the waiting list, or you have complied but your compliance is a mere cosmetic tick-the-box exercise, severe penalties may be waiting for your company. How ready are you for the consequences?
ICFR is an acronym for Internal Control Over Financial Reporting. It is about ethics and business conduct focused on making the organization ready and resilient in protecting stakeholders’ investments, preserving corporate assets and increasing value addition through robust risk management standards, a strong internal control culture, commitment to business excellence and credible reporting across all levels in the organization.
ICFR appears to be an emerging concept to many board directors and assurance providers in Nigeria at the moment, but this should not be so, because the concept has been in place in Nigeria since 2007 through sections 60 to 63 of the Investment and Securities Act (ISA) 2007. ICFR was introduced in Nigeria five years after it was introduced in the United States of America in 2002 through Section 404 of the SOX Act (SOX 404). Therefore, counting from year 2007 to the year 2023 of this writing, ICFR has been in Nigeria for seventeen (17) years.
Now, with the requirements of the FRC Act 2011, CAMA 2020 and the National Code of Corporate Governance 2018 making the ICFR voice louder, and with severe penalties likely for noncompliance, there is no excuse for delay and noncompliance by the regulated companies. Non-regulated companies can also benefit from the rewards of ICFR by embedding ICFR principles and practices in their business operations to demonstrate commitment to leading practices and business excellence, driving the growth and longevity of their companies.
ICFR compliance reporting requires testing the effectiveness of the significant entity level controls and the activity level controls (control activities). The activity level controls comprise manual controls, ICT-driven controls and Data Assurance at the business process and transaction levels.
To a regular assurance provider, testing control effectiveness for ICFR compliance appears very easy. What makes ICFR compliance a big challenge to the business leaders (executive management and governance teams) and the assurance providers is the certification and attestation requirements. The Chief Executive Officers and Chief Financial Officers of the companies are required to make certifications on the credibility of the financial reports and the adequacy and efficiency of the related financial controls, and the statutory auditors are required to issue attestation statements on the adequacy and effectiveness of the company’s internal control, before filing with the regulatory agencies and communication with members of the organization and others outside the organization.
Board approval of the financial reports and management certification of their credibility are very important because when things go wrong in the organization, the company board led by the Board Chairman and the executive management led by the Chief Executive Officer are held responsible by the equity investors, regulators and the general public. The implication of this is that the Board Chairman has the primary responsibility to ensure that all the non-executive directors of the board have access to all the required information at the right time, and also to receive the same from the non-executive directors. Similarly, the Chief Executive Officer has the obligation to provide the executive directors with all the information required at the right time and in the right form, to receive the same from the executive directors, and to provide it to the Board Chairman and other non-executive directors on a need basis at the right time and in the right form. Meeting the above responsibilities could be a very big challenge to the executive management team, the CEO, the company board directors and the Board Chairman.
The default and standard mandate of the assurance providers is to ensure that the business leaders (executive management and board members), business owners, relevant regulatory agencies and other stakeholders are made aware of all that they should know about their company at the right time and in the right form. As a result, the assurance providers should ensure that the executive leadership, board of directors, equity investors and regulators are provided with accurate, complete, valid, clear and timely information. Delivering on this mandate could be a big challenge to the assurance providers.
The above hierarchy of information needs and the top-down and bottom-up sharing and flow of information are critical components of the stakeholder engagement and communication requirements of the corporate governance principles.
One of the primary goals and objectives of ICFR is to make it possible and easy for the assurance providers, the executive management team, CEO, Company Board members and Board Chairman to deliver on their above roles, responsibilities and mandates seamlessly.
Overcoming the above challenges requires that the ICFR implementation should never be control-based but should be agile and risk-based to ensure that the exercise is not just a tick-the-box to meet compliance requirements.
Control-based means that the absence of risk and control registers, or the presence of poor-quality risk and control registers, does not matter in the ICFR compliance, and that the principles of Risk Control Self-Assessment (RCSA) and the focus on the big issues are totally ignored. Agile Risk-Based means that the ICFR implementation is driven by the presence of robust risk and control registers and the principles of Risk Control Self-Assessment, with a focus on the critical issues that matter.
Again, the current silo work approach that is pervasive across the three lines of defense assurance functions in most organizations cannot in any way help the officers approving and signing financial reports, and making certifications on the signed reports, to carry out their statutory ICFR responsibilities with trust and confidence.
Adopting an Agile Risk-Based and tightly Integrated or Combined Assurance approach across all levels, including the ICFR implementation, testing and reporting, is the only way to build the required trust and confidence levels for the board, board audit committees and executive management team to fulfill their statutory ICFR roles.
Overcoming the above challenges and issues across all levels in the organization requires that everyone in the organization should be intentional in thoughts, words and actions, and should make it a priority to drive value protection and value creation with a strong commitment to excellence.
The three lines of defense assurance providers, which include the internal audit, internal control, compliance and risk management functions, have significant roles in the ICFR compliance journey.
This blog brings insights into the ICFR regulations in Nigeria, along with helpful tips and key elements that the assurance providers should consider while helping their organization achieve effective, efficient and value-driven ICFR compliance.
Thank you for this insightful post. And thanks for creating awareness, as some companies are not even aware of the immense benefits of ICFR.
Thank you for the free lecture.