Share with your friends

Internal controls over Financial Reporting

Internal controls over Financial Reporting

Designing a healthy program that evolves to meet changing needs.



Related content

Internal controls over Financial Reporting

In a series of white papers, KPMG’s Risk consulting practice looks at how companies can design a “healthier” internal controls over financial reporting (ICOFR) approach to better manage risks, reduce costs, and find opportunities to improve operational performance.

Because, even companies whose ICOFR programs appear to be running smoothly should still periodically evaluate the health of their ICOFR program and controls portfolio.

In the case of ICOFR, an unhealthy program can be expensive and increase the risk of a material weakness. But, beneath these risks are opportunities, as the journey to continuously improve and mature ICOFR programs can reduce costs, and increase efficiency.

A series of KPMG white papers provides an insight on how to design a healthy ICOFR approach that drives value through a positive impact on business processes and risk management, and therefore on business performance.

1. Designing a healthy program that evolves to meet changing needs

No company expects to discover costly and damaging weaknesses in its ICOFR program, but failures happen. Even several consecutive years without material weaknesses or significant deficiencies is no guarantee that control issue is not looming – particularly is the company does not have a healthy ICOFR program.

A first step in designing a healthy ICOFR program is to understand the primary themes of material weaknesses, as it can help companies take continuing measures to reduce the risk of future errors. Examples of material weaknesses are:

  • lack of documentation, policies and procedures
  • lack of accounting resources and expertise
  • IT, software, security and access issues

In addition, answering the questions as the following will provide perspective on where your company’s ICOFR program currently stands:

  1. Is the ICOFR program’s value clear to senior management and the board of directors?
  2. Does your organizational culture support the ICOFR program?
  3. Have you identified the 10-20 most critical controls and directed efforts toward them?

2. Understanding hidden costs to identify opportunities for cost savings and better allocation of resources.

Based on a KPMG survey related to current SOX trends, it appears that one of the main improvement areas is to reduce control testing cost and effort. In order to identify opportunities for cost savings, it is important to understand hidden costs.

To analyze the cost of ICOFR, the following five step analysis should be conducted:

  1. Understand the controls
  2. Understand operating costs
  3. Understand testing and other compliance cost factors
  4. Calculate the total cost of control and analyze the results
  5. Evaluate opportunities and determine next steps

A solution for organization can be to focus on an effective use of automations, which can create a cost-effective control environment. Based on the KPMG survey on Internal Controls, it appears that increasing control automation is top priority when it comes to areas where improvement is needed.

3. Assessing whether the ICOFR program is fulfilling its potential to benefit the company

A program assessment should be conducted to identify areas that are less mature than others, and how to improve those areas to align with corporate objectives and meet key stakeholder expectations.

  • The first step to determine the right approach, is to assess the current performance by looking at the seven pillars: Strategy, risk assessment, entity-level controls, control selection, testing strategy, evaluating results and governance.
  • Afterwards, it should be determined what maturity levels stakeholders expect and how the company will get there. Common expectations include efforts to ensure a strong 404a process, or to reduce the impact of control issues.
  • Lastly, the company should outline a roadmap to prioritize where the program needs to change to better meet expectations. This roadmap should align with the company’s overall ICOFR strategy, and should include a strong and effective financial statement risk assessment process.

4. Defining an ICOFR strategy

Based on the results from the KPMG survey on Internal Controls, it appears that the SOX program strategy for 54% of the organizations is to ensure maximum reliance by the external auditor. However, only 23% of organizations are able to quantify the savings achieved as a result of external audit reliance on their organization’s testing.

Focusing less on external auditor reliance may open the door to other cost reduction strategies. It is therefore important to understand how deliberate consideration of external auditor reliance, a strong financial statement risk assessment process, and well-designed entity-level controls can shape a strategy that aligns ICOFR efforts with the company’s needs.

5. Strategic and focused ICOFR program

A more strategic and focused ICOFR approach enables internal audit resources to focus more on the broader risk assessment, process improvement, and value-creation audits.

This is key, as it could have a positive impact on organizational performance.

  • PDF - Internal controls over financial reporting I
    Designing a healthy program that evolves to meet changing needs
  • PDF - Internal controls over financial reporting II
    Uncovering the full picture of control costs
  • PDF - Internal controls over financial reporting III
    Outlining a program that meets stakeholder expectations
  • PDF - Internal Controls Survey Report

Return to the Risk + Newsletter January 2018

© 2019 KPMG Advisory, a Belgian civil CVBA/SCRL and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved.

Connect with us


Want to do business with KPMG?


loading image Request for proposal