John Verver, CPA CA, CISA, CMC

Advisor to ACL


Goals and processes for internal control over financial reporting (ICFR) compliance and improvement have a lot in common with those for other risk management, control testing, and assessment areas. Although ICFR compliance is a legal requirement for many organizations and is often regarded as just more regulatory burden, the fundamental objectives of ICFR do make good sense. The risk of fraud or error in financial statement reporting is certainly something that must be managed.

Appropriate controls throughout financial processes are the answer—but the challenge is how to make it economical to implement and maintain them, as well as to continually assess their effectiveness.

This challenge is virtually the same one that applies to any control process, whether you’re addressing financial reporting risks or any other risk among the large number that any organization faces. The process of documenting systems and repeatedly having to assess risks and test controls can easily become very time consuming and costly. Coordinating and reporting on the activities of multiple control owners and others involved in assessment and testing can be a complex task, particularly if methods used are primarily manual or involve spreadsheets or other general-purpose software.

Taming the burden of ICFR with automation

The solution to all this complexity is to harness the power of dedicated technology to perform and manage the whole process as efficiently and painlessly as possible. A modern, centralized system supports all aspects of a straightforward series of workflow activities to:

  • document processes, narratives, risks and controls, and test plans
  • evaluate and test controls
  • report on results
  • certify.

Of course, there are multiple levels of detail in the workflow that must also be supported. For example, as SOX and A-123 compliance involves taking a top-down risk assessment (TDRA) approach, software can support the identification of:

  • significant financial reporting elements and accounts
  • material financial statement risks within these accounts
  • entity-level controls that address the risks
  • transaction-level controls that address risks where entity-level controls are insufficient
  • the nature, extent, and timing of evidence that impacts the assessment of controls.

Data analysis improves control testing

Testing and monitoring are often the most labor-intensive activities. Data analysis technology deserves a special call-out for its crucial role in ICFR processes.

Data analysis software is well proven in the audit and risk world for testing entire populations of transactions and balances. This helps determine transaction integrity as well as the effectiveness of related controls. Data analysis can also provide indicators of new and changing risks for which no specific internal control has been established.

This form of testing and analysis can be performed as required—usually automated—so that testing can take place on a repeated or continual basis. Automated testing leads to reduced costs, as well as the ability to rapidly identify control problems and transaction anomalies before they escalate into more serious problems.

When testing becomes a control …

While data analysis can be used for objective testing purposes, the same form of analysis can also become the control mechanism itself. For example, testing can take place on a daily or weekly basis to determine whether processed general ledger entries are suspect because of a lack of segregation of duties or proper approvals, postings to unusual accounts, or transactions made at unusual times. In cases where it is not realistic or cost effective to maintain traditional internal control procedures, transaction monitoring can become its own highly effective alternate control mechanism.

Using questionnaires in ICFR processes

Another area in which technology can play a valuable role in reducing costs and improving efficiency is in the use of automated questionnaires and surveys to collect information from individuals. Their use and the related concept of “human analytics” can become an important part of the controls testing and assessment process. A self-assessment is a good example: when you need input from a control owner on control effectiveness, you send a questionnaire and get a detailed response.

Likewise, finding an anomaly does not necessarily mean there is a control gap; that is established only after someone does a review and provides supporting evidence. There are many instances when business thresholds are exceeded for valid reasons and no control gap exists. Questionnaires help you get to the right understanding.

General ledger entries: A good starting point

General ledger entries are a great place to run data analytics and easily determine if fraud and/or errors exist. Examine all journal entries to identify:

  • statistical outliers
  • journal entries processed without adequate segregation of duties
  • journal entries posted outside of authorization limits
  • multiple journal entries posted just under an authorization limit (“split entries”)
  • postings to unusual account combinations
  • postings made at unusual times
  • temporary overrides/changes of authorization limits
  • unusual patterns of journal entry reversals.

This is a good place to begin before building out a more mature and comprehensive data-driven ICFR program.
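
As an added illustration (not code from the original article or from any ACL product), the Python sketch below runs four of the journal entry tests listed above over a handful of constructed entries: segregation of duties, authorization limits, split entries, and unusual posting times. The record layout, the per-preparer limits, the 80% "just under" band, and the business-hours window are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime

LIMITS = {"akhan": 10000, "bcruz": 5000, "dwong": 5000}  # assumed authorization limits
SPLIT_BAND = 0.80               # assumed: "just under" means >= 80% of the limit
BUSINESS_HOURS = range(7, 19)   # assumed normal posting window, Mon-Fri 07:00-18:59

# Constructed sample entries: (id, preparer, approver, account, amount, posted)
ENTRIES = [
    ("JE-1001", "akhan", "mlee", "6100", 4200.00, "2024-03-04T10:15"),
    ("JE-1002", "bcruz", "bcruz", "6100", 1800.00, "2024-03-04T11:02"),  # self-approved
    ("JE-1003", "bcruz", "mlee", "1990", 7500.00, "2024-03-05T14:30"),   # over limit
    ("JE-1004", "dwong", "mlee", "2100", 4900.00, "2024-03-06T09:10"),   # split pair
    ("JE-1005", "dwong", "mlee", "2100", 4850.00, "2024-03-06T09:25"),   # split pair
    ("JE-1006", "akhan", "mlee", "6100", 950.00, "2024-03-09T23:40"),    # Saturday night
]

def flag_entries(entries, limits=LIMITS):
    """Return {entry_id: sorted exception codes} for entries that fail any test."""
    flags = defaultdict(set)
    near_limit = defaultdict(list)  # (preparer, account, date) -> [(id, amount)]
    for eid, preparer, approver, account, amount, posted in entries:
        ts = datetime.fromisoformat(posted)
        limit = limits.get(preparer, 0)  # unknown preparer: no posting authority
        if preparer == approver:
            flags[eid].add("SOD")  # same person prepared and approved
        if amount > limit:
            flags[eid].add("OVER_LIMIT")
        elif amount >= SPLIT_BAND * limit:
            near_limit[(preparer, account, ts.date())].append((eid, amount))
        if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:
            flags[eid].add("UNUSUAL_TIME")
    # Split entries: several near-limit postings by one preparer to one account
    # on one day that together exceed the preparer's limit.
    for (preparer, _, _), group in near_limit.items():
        if len(group) > 1 and sum(a for _, a in group) > limits.get(preparer, 0):
            for eid, _ in group:
                flags[eid].add("SPLIT")
    return {eid: sorted(codes) for eid, codes in flags.items()}

if __name__ == "__main__":
    for eid, codes in sorted(flag_entries(ENTRIES).items()):
        print(eid, ",".join(codes))
```

Each flagged entry is an exception to review, not a confirmed control gap; the reviewer's explanation and supporting evidence decide that.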
