Understanding Internal Control Over Financial Reporting

Internal Control over Financial Reporting (ICFR) continues to be an intense focus of regulators. After the SEC recently fined a number of companies for failing to remedy material weaknesses in ICFR, the PCAOB released a Staff Preview of its 2018 Inspection Observations, highlighting that the testing of ICFR remains a common audit deficiency. ICFR remains an important component in fostering confidence in a company’s financial reporting and, ultimately, trust in our capital markets. To address these concerns, the Center for Audit Quality (CAQ) has updated and re-released its popular Guide to Internal Control over Financial Reporting as an overview to assist stakeholders in understanding key ICFR concepts, roles and responsibilities, and what ICFR means for companies, investors, and the markets. This publication adds significant research demonstrating the importance and impact of ICFR and integrated audits on the quality of financial reporting, at a time when the SEC is proposing amendments to tailor filer definitions that could reduce the number of companies subject to the auditor ICFR attestation requirement under Section 404(b) of the Sarbanes-Oxley Act (SOX).

Internal Control over Financial Reporting (ICFR) has been required for public companies and included as part of issuer audits for more than a decade. Often the conversation around ICFR is based on regulatory expectations, but an equally important conversation focuses on the intent of those regulations, which is to increase trust in financial reporting by establishing reliable systems and controls.

As a result of SOX, most large public issuers are required to have an integrated audit performed[1], which includes an external auditor’s assessment of the effectiveness of the company’s ICFR (in addition to management’s annual assessment of internal control effectiveness). All issuer audits are subject to reviews performed by the PCAOB.

Current State of Affairs

SEC Activities Impacting ICFR

In January 2019, the SEC announced settled charges against four public companies for failing to maintain ICFR for seven to ten consecutive annual reporting periods. Two of the charged companies also failed to complete the required evaluation of the effectiveness of ICFR for two consecutive annual reporting periods. SEC Chief Accountant Wesley Bricker is quoted in the release saying, “Adequate internal controls are the first line of defense in detecting and preventing material errors or fraud in financial reporting… When internal control deficiencies are left unaddressed, financial reporting quality can suffer.” This action further supports the intent of the regulators and underlying regulations: to protect and enhance the trust in our capital markets.

Meanwhile, in May, the SEC voted on proposed amendments to the accelerated filer and large accelerated filer definitions. The amendments are intended to reduce costs for certain lower-revenue companies so that they can redirect the savings into growing their businesses by investing in research and human capital, and to help promote capital formation. Under the proposal, smaller reporting companies (SRCs) with less than $100 million in revenue would not be required to obtain an attestation from an independent external auditor on ICFR. The proposal would not change other key provisions of SOX, such as the independent audit committee requirements, CEO and CFO certifications on financial reports, or the requirement that companies continue to establish, maintain, and assess the effectiveness of ICFR. For more on the SEC’s proposal, refer to BDO’s Alert here.

PCAOB 2018 Inspections Observations on ICFR

Also in May 2019, the PCAOB’s Division of Registration and Inspections staff issued a preview of its observations from 2018 inspections of audits of public companies, covering approximately 700 audits performed by over 160 audit firms. The information is intended primarily for auditors to consider in planning and performing upcoming audits, and for audit committees in engaging with and overseeing the external auditors. While the PCAOB observed a number of good practices reflecting efforts to improve audit quality, it noted ICFR as a continuing area of common audit deficiencies[2]. Specifically, the PCAOB cited observations where:

  • Auditors did not sufficiently test the design and operating effectiveness of the controls that include a review element. Specifically, auditors did not obtain an understanding or evaluate the activities performed and factors considered by the control owner when reviewing the reasonableness of certain estimates and assumptions.
  • Auditors did not select controls for testing that address the specific risks of material misstatement. Auditors did not obtain a sufficient understanding of whether the control addressed the assessed risk of material misstatement.

CAQ Guide to ICFR

In May 2019, in its efforts to continually improve audit quality and to enhance investor confidence and public trust in the global capital markets, the CAQ re-issued its Guide to Internal Control Over Financial Reporting (ICFR) to educate stakeholders on the purpose and benefits of ICFR. The guide provides an overview of the structure and design of ICFR and stresses the importance of internal processes and controls to the integrity of financial reporting. The guide explains what ICFR is and describes management’s responsibility for implementing effective ICFR. It also discusses the responsibilities of the audit committee to oversee ICFR and of the independent auditor to audit the effectiveness of the company’s ICFR.

As a reminder, public companies are required to establish and maintain a system of internal accounting controls sufficient to provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with GAAP. SOX added a requirement under Section 404(a) that management annually assess the effectiveness of the company’s ICFR and report the results to the public. SOX further requires most large issuers under section 404(b) to have an integrated audit performed by their external auditor.

Key ICFR Concepts

  • Effective ICFR provides reasonable assurance that corporate records are not intentionally or unintentionally misstated.
  • ICFR is one element of the broader concept of internal control defined by COSO, which provides a commonly used framework to assist companies in structuring and evaluating controls, consisting of five integrated components:
    • control environment
    • risk assessment
    • control activities
    • information and communication
    • monitoring activities
  • Control systems can provide reasonable, but not absolute, assurance that financial statements are reliable and prepared in accordance with GAAP.
  • Controls designed to generate reliable financial reporting are more likely to succeed if the company’s culture reflects the importance of integrity and ethical values and a commitment to reliable financial reporting.
  • In addition to internally developed controls, management should consider any relevant controls at a service organization that may impact the company’s ICFR.
  • Control activities are the specific actions established through policies and procedures designed to mitigate financial reporting risk. These activities vary by company but may include: segregation of duties, information technology (IT) general controls, entity-level and process-level controls, and preventative and detective controls.
  • ICFR deficiencies are categorized as follows:
    • Material weakness – a deficiency such that there is a reasonable possibility that a material misstatement of the company’s financial statements will not be prevented or detected on a timely basis.
    • Significant deficiency – a deficiency that is less severe, yet important enough to merit attention by those responsible for oversight of the company’s financial reporting.
    • Deficiency – a deficiency where the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
  • For the purposes of SEC reporting, if a single material weakness in ICFR exists, then ICFR is not effective, regardless of the effectiveness of the rest of the controls.
ICFR Roles and Responsibilities Summarized

Management

  • Responsible for the design, implementation, and monitoring of ICFR
  • Annually assess the effectiveness of ICFR in accordance with SOX. The SEC recommends this assessment take a top-down risk-based approach
  • Quarterly evaluate any change in the company’s internal control over financial reporting that occurred during a fiscal quarter that has materially affected, or is reasonably likely to materially affect, the company’s internal control over financial reporting
  • Maintain evidential matter, including documentation, to provide reasonable support for its assessment of ICFR
  • Provide quarterly reporting stating management’s responsibility for ICFR
  • Provide annual reporting of management’s assessment of the company’s ICFR
  • Keep the audit committee apprised of the operation and effectiveness of controls

Independent Auditors

  • Follow a top-down risk-based approach that considers the whole financial reporting system but focuses greater attention on the controls over financial reporting areas most susceptible to material misstatement
  • Obtain an understanding of each component of the company’s ICFR, even in a financial statement only audit
  • Report timely to management and the audit committee any deficiencies in internal control
  • When performing an integrated audit, report on the effectiveness of management’s ICFR

Audit Committees

  • Oversee management’s preparation of financial statements and design and operation of controls
  • Oversee financial reporting under SOX
  • Review the assessment of financial reporting risks
  • Review management’s planned responses to the identified financial reporting risks
  • Discuss with management control deficiencies and their potential impact on financial reporting and nature of remedial actions
  • Evaluate the quality of management’s financial reporting and related disclosures
  • Oversee and monitor activities of the internal audit including review of reports from internal audit
  • Hire and oversee the external auditor
What ICFR Means for Companies, Investors, and Markets

Amidst concerns expressed in the SEC’s proposal over regulatory burdens and costs around ICFR compliance, the CAQ highlights compelling evidence that points towards SOX provisions strengthening U.S. capital markets and the reliability of financial reporting including:

  • SOX provides an “early warning system” for company fraud
  • Companies subject to 404(b)[3] reporting experienced higher valuation premiums and higher credit ratings, resulting in overall lower cost of debt
  • 80% of all companies viewed auditor attestation under 404(b) as beneficial to the quality of the company’s controls
  • Companies that are not required to comply with 404(b), and thus may not benefit from the discipline and rigor of ICFR, experience financial reporting problems at a higher rate
  • Companies that disclosed that their ICFR was effective and did not have an external audit of ICFR under 404(b) had a 46% higher restatement rate than companies that disclosed that ICFR was effective and did have an audit of ICFR
  • Enhanced focus on ICFR may have driven a decrease in the number and severity of financial statement restatements since the SOX ICFR requirement became effective in 2004

Refer to the CAQ guide for additional resources for further consideration.

Next Steps

We encourage audit committees, management, and our audit professionals to remain abreast of the dynamics of ICFR. Please stay tuned for additional thought leadership and educational opportunities from BDO’s Center for Corporate Governance and Financial Reporting on this and many other topics of interest.

[1] Auditor reporting on internal control over financial reporting is not required for non-accelerated filers with market capitalization less than $75 million. Similarly, under the JOBS Act of 2012, Emerging Growth Companies (EGCs) are also excluded from the requirement of having an auditor’s report on the company’s ICFR. An EGC is an issuer with less than $1.07 billion in annual gross revenues in its most recently completed fiscal year. EGC status continues for the first five years after the IPO, but ceases sooner if the issuer (1) issues more than $1 billion in non-convertible debt in a rolling three-year period, (2) becomes a large accelerated filer (i.e., with a market capitalization exceeding $700 million), or (3) exceeds $1.07 billion in annual revenues. A new issuer may meet the criteria to be considered an accelerated or large accelerated filer after it has been subject to the 1934 Securities Act reporting requirements for one year. Once it meets those criteria, it is required to comply with both the management and auditor internal control reporting requirements (i.e., generally in its second rather than first Form 10-K).
[2] Please see BDO Corporate Governance Alert summarizing the full report.
[3] Section 404(a) requires that the management of publicly-held companies assess the effectiveness of their ICFR. Section 404(b) requires a publicly-held company’s independent auditors to attest to, and report on, the company’s ICFR.