Internal controls over financial reporting: Definition, examples & best practices

Many factors go into the robust confidence that investors consistently show in U.S. financial markets, including internal control over financial reporting (ICFR). It’s the framework of controls companies use to compile and deliver accurate financial statements. Investors depend on reliable financial information, and effective ICFR helps reduce the risk that financial statements will contain material errors or misstatements.

As with any system, maintaining sound ICFR requires continual effort and dialogue among stakeholders on creating and maintaining effective ICFR controls. This article will help those involved with financial reporting establish better controls by explaining:

• What internal control over financial reporting

• Regulations and frameworks that influence ICFR

• ICFR examples

• How to report on ICFR

• Internal controls over financial reporting best practices

What are internal controls over financial reporting? 

Internal control over financial reporting is a process that enables companies to manage risk related to their finances and reliably compile accurate financial statements.

More specifically, the accepted internal controls over financial reporting definition includes the daily control policies and procedures employees at all levels must follow when engaging with company finances. This typically involves tracking receipts and seeking managerial approval for all transactions, among other control practices. 

ICFR regulations and frameworks

Most shareholders want to not only review financial statements but also receive assurance that those statements are accurate. But investors aren’t the only motivator for ICFR. Several regulations and frameworks dictate the internal control over financial reporting practices companies must implement. These are: 

• SOX ICFR regulations: The SEC requires that all public companies comply with the SOX Act, which has numerous requirements for financial reporting controls. This is a crucial way the SEC seeks to bolster consumer and shareholder confidence in the capital market. 

• COSO ICFR framework: While the COSO framework isn’t a legal requirement, it does bridge the gap between business imperatives and the risk landscape by offering a pre-defined control structure.

• Financial reporting frameworks: There are several frameworks beyond COSO companies can utilize to meet accounting standards. These include the U.S. Generally Accepted Accounting Principles (GAAP) and the International Financial Reporting Standards (IFRS).

What is the purpose of internal control over financial reporting?

Above all, internal controls over financial reporting mitigate risk. Through effective controls, companies can detect unauthorized use of company resources — whether by an internal bad actor or external breach.

Adopting a financial reporting framework means proactively identifying any activities that could impact financial statements. This increases the quality of financial statements, reduces the likelihood of misstating company assets, and enhances information security. 

Examples of internal control over financial reporting

Internal controls and their components should be unique to your organization and industry. After all, a company with retail storefronts will need different controls than an online pharmacy. Several specific examples of financial reporting controls are relatively common across industries. A few of these are: 

1. Transaction approvals: In this example, an employee — like a manager or accountant — approves transactions. This should be someone other than the employee purchasing to ensure the purchase is necessary and is an appropriate business expense. 

2. Transaction receipts: Many businesses also collect receipts for every transaction to verify the approved funds used are as intended. 

3. Account reconciliation: Another IFCR example is reconciliation, which involves using receipts to validate any money coming in and out of company accounts.  

What is an audit of internal controls over financial reporting? 

During an audit of internal controls over financial reporting, an auditor will assess how effective a business’s controls are. This is typically an external auditor; their published report will offer independent assurance that the business follows credible and ethical financial reporting practices.

The ICFR audit process is an important way to validate financial controls. It’s also an SEC requirement for public companies with over $100 million in revenue. Generally speaking, an ICFR auditor will: 

• Review a sample set of transactions

• Identify any weaknesses in internal controls

• Determine whether a company is at risk of misstating finances

• Issue a report of their findings

• Present to management and the board so they can remediate any issues 

Reporting on financial internal controls

The SEC has extensive ICFR reporting requirements. One of these reports follows an external audit, while the other is an annual report that management authors. These are: 

Audit report on internal control over financial reporting

An external auditor will issue an audit report detailing a company’s financial performance and controls in a given year. There are four types of audit reports depending on whether the auditor issues a favorable or unfavorable position about the company’s ICFR process.

Management’s report on internal control over financial reporting

The SEC requires that companies include a management report on ICFR in the Form 10-K annual report. This requirement applies to all public companies regardless of revenue. In the report, management should disclose any internal controls weaknesses and the plan to repair them. 

Internal control over financial reporting checklist

An internal control over financial reporting checklist is a tool that documents controls employees are expected to follow. Employees can use the checklist to verify that they follow the appropriate controls, assuming they aren’t automated. The checklist will likely vary between departments — payroll, for example, has very different needs than customer billing. 

Regularly, team members can use the checklist to confirm that their process aligns with established controls. This process reduces internal controls weaknesses, strengthens an organization’s culture of compliance and offers assurance that employees at all levels are implementing the proper controls. 

A sample checklist for payroll would include:

• Matching timesheets to individual employees

• Seeking approval on billed hours from supervisors

• Confirming the hours in payroll match hours in timesheets

• Having the payroll manager review paychecks before they go out

• Depositing paychecks to accounts associated with the people named on the paychecks

Best practices for internal control over financial reporting

ICFR processes and procedures are iterative, meaning that they should evolve along with the business to sidestep possible limitations. Creating a culture that allows for this evolution in internal control over financial reporting starts with effective best practices, including: 

1. Set a healthy tone at the top

For all members of the financial reporting supply chain, the importance of tone at the top cannot be overstated. Management, together with the board of directors, sets this tone by:

• Communicating effectively

• Visibly adhering to clear ethical principles and codes of conduct

• Providing necessary support and resources for robust fraud risk management programs and internal controls

2. Watch for warning signs

Often, the tone at the top needs to improve to encourage company-wide adoption of ICFR. Warning signs that the tone needs improvement include: 

•  A very strong-willed CEO who creates a “don’t ask questions” culture. CEOs tend to have commanding personalities, but it is a problem if a CEO is so intimidating that opposing views are not welcomed or adequately considered.

• A culture of perfection that inhibits open and transparent communication. “Perfection might sound good— everyone is striving to do their best,” said one workshop participant. “But will anybody raise their hand when there’s bad news to deliver?” In a culture of perfection, problems can be ignored and allowed to mushroom.

• Pressure to meet key metrics. How much pressure is there to find that extra revenue or income to meet an analyst’s forecast or comply with a debt covenant? A related issue: significant compensation plans that are tied only to revenue and earnings. “Compensation needs to be a combination of short- and long-term incentives,” observed a participant. “Compliance must be part of the compensation determination as well.”

3. Enhance the vital role of the audit committee

As observed by Wesley R. Bricker, Chief Accountant at the Securities and Exchange Commission, audit committees “play a critical role in contributing to financial statement credibility through their oversight and resulting impact on the integrity of a company’s culture and ICFR, the quality of financial reporting, and the quality of audits performed on behalf of investors.”

In keeping with this critical role, there are several critical approaches to the audit committee that create a favorable environment for internal controls over financial reporting: 

• The audit committee’s lines of communication should be widely open to senior management, not just to the CEO and CFO. Employees should feel comfortable reporting to the audit committee, either directly or through the company’s ethics hotline, in situations where they believe they have been pressured by management to perform illegal or unethical acts.

• The audit committee should look beyond their meeting materials and ask, “What else should we be talking about?” Similarly, audit committee meetings with management are often arranged for a specific purpose with agendas decided well in advance of meetings. Audit committees should be proactive in broaching other topics when necessary.

• The audit committee needs to take greater ownership of accounting issues and ask more open-ended questions about them. One workshop participant recommended that a member of the audit committee listen to the company’s earnings call with analysts to consider if the messaging is consistent with the financial filings.

• For audit committees in industries with highly specialized accounting, the audit committee may benefit from external industry specialists. The role of the audit committee should include challenging senior management on the accounting for complex transactions and estimates. Having expert advice promotes the ability to have a robust dialogue on these issues.

• When audit committee members and management have both served long terms, there can be a tendency for problems to go unnoticed and questions left unasked. Turnover on boards can provide fresh eyes and a new spirit for engaging in accounting issues.

• As part of the assessment of ICFR by both the company and the external auditor, concerns related to inadequate or ineffective staffing should be considered when evaluating the design and operation of a company’s controls. Some participants said the external auditor and audit committees should address the topic of company staffing.

• Formal and informal interactions are necessary between and among external auditors, the financial reporting team, internal auditors, and the audit committee. These interactions strengthen the relationships and enable more candid communication.

Streamline internal controls over financial reporting

Internal controls over financial reporting aren’t something to take lightly. Robust ICFR processes are essential to SOX compliance and offer shareholders much-needed assurance about the viability of their financial practices. 

Though you can implement ICFR manually, choosing the right software solution is integral to mastering internal controls over financial reporting for the long term. Download Diligent’s buyer’s guide to what to look for as you research internal controls management solutions.