Too many ICOFR programmes obey two simple rules:
Whatever approach companies take toward ICOFR, it should not be a passive one. It should be a thoughtful decision based on what key stakeholders expect of the programme.
Characteristics of ICOFR programme maturity:
To determine the right approach, the first step is to assess current performance by looking at the seven pillars of an ICOFR programme.
The foundation of every good ICOFR programme is a well-defined strategy that aligns with organizational priorities. That requires more than just focusing on the desired level of external auditor reliance. It requires understanding how that chosen level of reliance supports broader goals. More mature ICOFR strategies aim beyond basic compliance – they support corporate values and strategies.
An effective ICOFR risk assessment connects key risks to audit assertions and supports the overall strategy, control selection, and testing approach. A more mature ICOFR risk assessment isn’t static. It’s technology enabled, aligned with the enterprise risk assessment, and includes qualitative risk factors so that it’s more than just a financial scoping exercise.
Direct ELCs that operate at the right level of precision can act as an “insurance policy” to help mitigate other control failures if they occur. Management tends to shy away from ELCs due to external auditor concerns about precision levels and due to the requirements associated with management review controls. But, in practice, management often relies on direct ELCs to gain confidence in the overall financial results. It’s wise to consider them in evaluating controls.
Control selection should stay up to date with current business processes and focus on non-routine areas that require judgment. A common problem is too many key controls, many of which don’t clearly link back to the overall assessment of financial reporting risk. The control inventory should include different kinds of controls (automated versus manual and preventative versus detective), contribute to improving control design and automation, and keep down the total cost of control.
A healthy ICOFR testing strategy adjusts the testing approach based on risk, incorporates continuous monitoring, and leverages management’s knowledge and expertise.
When ICOFR runs smoothly, the results won’t show many deficiencies. When deficiencies do occur, a mature programme sets the right priorities: remediation efforts that implement sustainable solutions and also help improve operations and the broader organization. Without such robust remediation, which correctly identifies and completely addresses a deficiency’s root cause, the deficiency may return in subsequent years – an all-too-common occurrence in many companies.
Good ICOFR governance means the right tone at the top, frequent training for process owners and control testers, enough resources, and the right reporting structures. A mature ICOFR programme sets clear responsibilities and facilitates communication between those who own the overall programme, those who design the controls, those who perform the controls, and those who test the controls.
Once you have assessed how the ICOFR programme currently measures on the seven pillars, it is time to determine what maturity levels the stakeholders expect and how the company will get there.
Not every ICOFR programme needs to invest in achieving maximum maturity in every pillar. Part of meeting stakeholder expectations is making strategic, risk-based economic decisions about ICOFR priorities. It may be worth investing more in some pillars. In others, it may be wise to accept certain minor risks in return for major cost savings.
What do stakeholders want from the ICOFR programme? Common expectations include efforts to:
To help align the ICOFR programme with the company's goals, objectives, and overall strategic direction, ask key stakeholders about their expectations. These stakeholders may include, among others: the Audit Committee, the CFO and finance organization, the controller's organization, the CEO, the CIO, Internal Audit and/or SOX team, owners of key processes. What stakeholders say about their expectations will help determine how much to invest in the different pillars. It is often a good idea to add the external auditor to this list of stakeholders to see what they want most. As we will see, however, different regulations guide the company's needs and those of the external auditor. As a result, these two parties' needs do not always align.
In KPMG's 2017 Internal Controls Survey, more than half of the respondents said their ICOFR programme strategy is to ensure maximum reliance from the external auditor. But before a company makes maximizing external auditor reliance its goal, it should ask: have we set out a clear business case for this approach?
The ICOFR programme should certainly consider the external auditor's needs, but they should not be the only consideration. For a start, the external auditor has a different regulator than management. And fundamentally, the external auditor has a different role than management: it has to come to an independent conclusion on both ICOFR and the company's financial statements.
When companies are less focused on external auditor reliance, they may have greater flexibility in terms of documentation requirements and control testing. They can use the SEC's interpretative guidance and focus more on their own overall objectives.
Reliance should be a deliberate economic decision.
A company should determine its stakeholders' priorities, then engage in open dialogue with the auditor.
For an ICOFR programme to fulfill its potential benefit to the company, it is better to pivot away from an exclusive focus on compliance and the external auditor's needs.
It's also important to:
That roadmap should align with the company's overall ICOFR strategy and include a strong and effective financial statement risk assessment process. With the right roadmap, a company will be on a path to ICOFR that not only fulfills compliance requirements, but also does what the key stakeholders most need it to - and at a reasonable cost.