INTERNAL CONTROL OVER FINANCIAL REPORTING (ICFR) – THE COSO WAY.

Who can perform ICFR Control Testing?

As can be seen from figures 4 and 5 above, which illustrate the project management activities involved in the implementation of ICFR compliance, Internal Control Testing is one of the phases. The key questions are:

  • Who can perform the ICFR control testing and reporting?
  • What types of ICFR control tests are performed?
  • What are the primary objectives of the ICFR control testing?
  • When should an internal control system be considered adequate and effective?

Based on ISA 2007, FRC 2011 and CAMA 2020 regulations, there are two types of ICFR control testing that are required, namely: ICFR control testing for management certifications and ICFR control testing for the Statutory Auditor’s attestation.

  • ICFR control testing for management certifications is required for the CEO and CFO to issue certification statements on the accuracy and reliability of the financial statements and also on the adequacy and effectiveness of the internal controls.

The ICFR control tests can be performed by the following:

    • Management, through Continuous Risk Assessment (RCA) and continuous control monitoring
    • Internal Audit, through continuous and periodic audit schedules for reporting to the board audit committee
    • External consultants, through co-sourcing or outsourcing arrangements based on agreed-upon procedures
    • Combinations of the above sourcing options

  • ICFR control testing for the Statutory Auditor’s attestation:

The external statutory auditor can only do the control testing in order to issue attestation statements on the adequacy and effectiveness of the controls.

Other responsibilities around the ICFR based on Corporate Governance Principles, ISA 2007, CAMA, and FRC Act 2011 are as follows:

  • The executive management led by the CEO has the primary responsibility for risk identification, quantification, risk response, control design, operation and reporting.
  • The company board led by the board chairman has the overall oversight responsibility for the enterprise risk management and internal control systems.
  • The Board Audit Committee has the primary responsibility for keeping the risks and controls under review, while the internal assurance functions, including Internal Audit, provide independent assurance over the ICFR systems.

What types of ICFR Control Tests are Performed?

ICFR control tests are grouped into two: Entity Level Control testing and Control Activities testing. Presented below is a brief description of the ICFR control tests:

  • Entity level control tests are performed to establish the overall business leadership, management and governance oversight philosophies that are pervasive and demonstrated at the top and which drive the ethical culture, the mood in the middle and the buzz at the bottom. The adequacy and effectiveness of the entity level controls, and the deficiency rating score, determine to a large extent the focus and scope of the control activities testing to be done and the direction of the conclusions. Testing of the entity level controls should be risk-based and focused on the significant entity level controls that will adversely impact the production of reliable and credible financial reports.
  • Activity level control tests, generally called Control Activities, are done at lower levels, specifically at the business transaction, business process or business unit level, with a focus on the Manual Controls, IT General Controls, Application Controls and Data Quality Assurance.

The deficiencies noted in each of the review areas are rated, and their impacts are assessed to ascertain whether they are material enough to cause misstatement of the financial statements.

What are the primary objectives of ICFR control testing?

ICFR control tests are primarily done to validate management’s assertions about the adequacy and effectiveness of the internal controls over financial reporting to ensure that misstatements of the financial reports are prevented and detected timely, and the root causes are properly and promptly addressed. The specific objectives of the ICFR control tests are to achieve the following:

  • Validate the correctness of the RCSA methodology and approaches applied by the risk, control and process owners over the ICFR.
  • Establish that the known, unknown and emerging risks likely to impact the accuracy and reliability of the financial report processes and results are proactively monitored – identified, quantified and response actions prioritized to address the root causes and potential impacts.
  • Validate the appropriateness of the risk responses and adequacy of the internal controls designed to mitigate the risks that the organisation has accepted to control.
  • Validate that the controls are working well and reducing the risks (probability of risk occurrence, velocity and consequences) to an acceptable level in line with the board approved risk appetite and tolerance levels.
  • Validate that the inherent and residual risk reporting templates and style, and the stakeholder communications, meet the right quality.
  • Validate that the red flags for risk, control and process incidents are identified in a timely manner and appropriate actions are taken to prevent them from crystallizing, and that those that have crystallized are promptly identified and tracked, with deep root cause and impact analysis performed and best-fit solutions implemented and reported.
  • Validate that the final financial reports are accurate, reliable and timely.

When should an internal control system be considered adequate and effective?

In Nigeria, the criteria for evaluating the adequacy and effectiveness of the internal controls, and the deficiencies in an organization, depend on the guidelines provided by the Financial Reporting Council of Nigeria (FRC) and the Securities and Exchange Commission (SEC). The SEC and FRC guidelines on implementing Internal Control Over Financial Reporting state that an internal control system is considered inadequate and ineffective if one or more material deficiencies that will lead to material misstatement of the financial statement reporting and disclosures have been identified. These deficiencies need to be remediated before the commencement of the statutory audit of the financial statements.

Based on COSO Internal Control perspectives, an effective and adequate internal control system requires each of the five components of COSO Internal Control and the 17 principles to be present and functioning well in the organization. COSO considers an internal control system to be deficient, inadequate and ineffective when at least one COSO Internal Control component is not present and functioning well in the organization.

Conclusion:

Internal Control Over Financial Reporting exists to drive and protect shareholders’ value and corporate assets. Its enforcement by the organization is a deserved journey and requires diligence, discipline and commitment to excellence to reap the bountiful benefits beyond regulatory compliance. The assurance providers across the three lines of defense need to build the right competence, knowledge, skills, numbers, partnerships and collaborative business relationships across the three lines of defense and with the core and support business functions, without compromising values and good ethical conduct. Their capabilities and capacities, together with this understanding, will enhance their ability to deliver quality, value-adding risk assurance and advisory services and to support their organization effectively in the ICFR compliance journey.

My suggestion is that before the business leaders (executive management (CEO & CFO) and board directors/Board Chairman) approve and sign the financial reports and make certifications for ICFR compliance and others, they should include the requirement for the assurance providers to certify internally that the CFO, CEO, Board Chairman and others in the organization have been made aware of all the information they should know about the company and its financial reporting, at the right time and in the right form, to support risk-informed decision making, strategic planning, action execution and fulfilment of their statutory and fiduciary roles in the organization.

The response from the Assurance providers will drive the next step decisions and actions of the executive management and board regarding the approval, signing and certifications of the financial reports for filing and stakeholders’ communication.

The above suggestions will help the assurance providers to embed discipline and business excellence in customer-driven service delivery across all levels in the organization, and will motivate the auditees and business leaders to hold assurance providers in great respect and high esteem, trusting their words and reports and building the confidence to deliver their statutory ICFR responsibilities.

Please note that detailed information about the COSO Frameworks, their practical application in the implementation of ICFR, and the key elements, principles and sample reporting templates to consider in the ICFR compliance journey will be discussed in the upcoming ICFR Part 2 blog.

Thanks for investing your time and effort in reading my blog. Kindly leave your comments to help me improve my writing skills.

To access my post on Leveraging Combined Assurance Model To Enhance Internal Control Over Financial Reporting (ICFR) and other posts, please click https://www,sallyogwookeyumahi.com//blog/

Please contact Sally on contactus@platinumedgeconsultingltd.com or visit our website https://www.platinumedgeconsultingltd.com if you need more information on Corporate Governance Principles or Boards and Board Committees Effectiveness Tool Kits, or need help supporting your organisation with solutions on the following:

  • Board induction.
  • Corporate governance framework design and implementation, and post-implementation handholding support.
  • Assessment of corporate governance framework, Board evaluation and Board Directors peer reviews for regulatory compliance.
  • Training on how to design and implement a corporate governance framework and conduct assessment of corporate governance framework, Board evaluation and Board Directors peer reviews.

More information about Sally:

Sally facilitates training on Risk governance and assurance for Company Board Directors, Executive Management and also Senior and Middle Level Managers aspiring to be Company Board Directors. Some of the organizations where Sally has facilitated training programs include: Lagos Business School (LBS), West African Institute for Financial and Economic Management (WAIFEM, established by Central Banks of The Gambia, Ghana, Liberia, Nigeria and Sierra Leone), The Institute of Directors (IOD) Nigeria, Nigeria Deposit Insurance Corporation (NDIC), Financial Institutions Training Centre (FITC), Chartered Institute of Bankers of Nigeria (CIBN), The Society for Corporate Governance Nigeria (SCGN), Microfinance Agricultural Learning & Development Centre (MLDC), FirstBank of Nigeria, Access Bank PLC, Guaranty Trust Bank (GTB), Jaiz Bank, Daily Trust and Leadway Pensure PFA.

Sally authored the books on “Corporate Governance” and “Professional Conducts” for Bankers. The books have been adopted by the Chartered Institute of Bankers of Nigeria (CIBN) as Study Packs for the student members of the institute.

Sally is widely travelled and has executed client projects for big and medium scale brands in many geographical locations including UK, USA, UAE, Netherlands, South Africa, Kenya, Zambia, Mauritius, Ghana, Togo, Sierra Leone, Zanzibar, Tanzania and Nigeria.

Sally is an advocate for victims of cultural biases, domestic violence and abuse.

5 thoughts on “INTERNAL CONTROL OVER FINANCIAL REPORTING (ICFR) – THE COSO WAY.”

  1. Thank you for this insightful post. And thanks for creating awareness, as some companies are not even aware of the immense benefits of ICFR.
