Considerations for Successful Application of ICFR

During a recent webinar, Sarah Ovuka, Financial Executives International’s (FEI) Professional Accounting Fellow, discussed FEI’s recent ICFR Insights documents and the association’s efforts to aide preparers in the ICFR space.

In November 2018, Financial Executives International (FEI) published two ICFR Insights documents on the recent Leases standard and the upcoming Current Expected Credit Losses (CECL) standard. These documents were written by preparers for preparers in an effort to share best practices around implementing and maintaining ICFR in relation to the respective standards.

ICFR Timeline

Though management’s responsibility to prepare reliable financial reporting has always had its roots in effective internal controls, there was no legal obligation to do so until 1977’s Foreign Corrupt Practices Act required that U.S. traded companies create a system of internal accounting controls.

“Essentially,” Ovuka said, “the act required that companies maintain books and records in reasonable detail accurately and fairly to reflect the company’s transactions. It also required that management maintain internal controls sufficient to provide assurance that transactions are executed and that access to assets are permitted only by the authorization of management.”

Additionally, the law required companies to create and maintain internal controls to provide assurance that financial transactions are recorded, and financial statements are prepared, in accordance with U.S. Generally Accepted Accounting Principles (U.S. GAAP).

ICFR further evolved over the next few decades, primarily due to the following rules and regulations:

  • 1992 – COSO Internal Control – Integrated Framework – released to help companies measure the effectiveness of their internal control.
  • 2002 – Sarbanes-Oxley Act – Congress passes the Sarbanes-Oxley Act (“SOX”), creating the PCAOB, a new oversight body for auditors of public companies; Sarbanes-Oxley Act Section 404 (SOX 404) requires management to report on the effectiveness of the company’s ICFR and for an independent auditor to attest to management’s assessment.
  • 2004 – Audit Standards (AS) No. 2 – PCAOB adopts AS No. 2 for use when attesting to management’s assessment of the effectiveness of the company’s ICFR as required by Section 404(b) of the Sarbanes-Oxley Act.

“Sarbanes-Oxley expanded the responsibilities outlined in the FCPA in multiple ways. It added requirements for most public companies to annually assess the effectiveness of their internal controls and to report on that assessment.  It also established requirements for around an independent auditor’s involvement in that process,” Ovuka said.

Further evolution of ICFR came as a result of the following developments:

  • 2007 – Auditing Standard (AS) No. 5 – PCAOB adopts AS No. 5, superseding AS No. 2, creating a more principles-based approach and among other changes, revises requirements such that the auditor attests directly to the effectiveness of ICFR. AS No. 5 was designed to be more risk-based and scalable-based on company size or complexity. One of the other key intentions was to create more alignment with the SECs management guidance also released that year.  
  • 2007 – SEC Management Guidance – SEC approves interpretive guidance to enhance compliance under Section 404 and help public companies strengthen their ICFR.
  • 2013 – 2013 COSO Framework – COSO releases updated version of its internal control framework, which supersedes the 1992 framework.

“The feedback received post-implementation of SOX was that the audit of ICFR generally produced benefits including enhancing governance and higher quality controls,” Ovuka explained. “But, along with that came significant costs, not only from a monetary perspective but also from the level of effort required in many cases.”

“Some financial executives have expressed concern that the costs have far exceeded what was required to conduct quality, effective internal control,” she added.

“In addition to the PCAOB’s Auditing Standards, the public accounting firms also have their own methodologies for internal control,” Ovuka said. “Those methodologies have continued to evolve over the years for a variety of reasons. Meanwhile, there’s still no guidance beyond the COSO Framework for preparers to follow.”

The evolution of guidance on auditing ICFR has led to discussions about what could be done to improve the ICFR experience for preparers and for their auditors, according to Ovuka. Despite the effort to align AS No. 5 with SEC’s management guidance, some have seen a growing misalignment between auditors and management expectations about internal controls.

“The misalignment stems from the type of guidance that is available to auditors as compared to preparers,” Ovuka said. “There is an absence of application guidance, insights and examples for preparers to refer to in their efforts around internal control.”

That means a stark difference between auditors’ rules and management guidance, the latter of which hasn’t been updated over the years. This creates a challenge according to Ovuka. “Preparers must translate high level internal control theory and principles into practice.”

Another challenge is that ICFR can require a lot of judgement and subjectivity, Ovuka said. “The context and the fact patterns for a specific company and a specific accounting area are very important to the application of internal control.”

Additionally, there is no   structure in place for ICFR that is comparable to the infrastructure and process that’s in place to support the evolution of accounting standards.

“So, we are left with questions such as what does it mean to have effective internal controls? How does management assess it? For management, it’s about assessing risks and trying to do it in a pragmatic way to control risk within the organization,” Ovuka said, likening good internal financial controls to a good foundation for a house. Both are important for long-time stability.

Per Ovuka, the best way to implement and maintain internal controls and to assess their effectiveness can differ between companies of different sizes with different complexities. These are challenges for large and small companies alike.

FEI’s documents are offered as interpretive insights offering an approach for management to create a top-down, risk-based approach to ICFR over Leases and CECL.