Is Your Company Flunking ICFR?

Countless organizations are walking a wobbly tightrope when it comes to internal control over financial reporting (ICFR). Facing increasingly tough regulations, chief financial officers and their teams have to stay on their toes in this precarious balancing act. One misstep could lead to dire consequences, from class-action lawsuits and U.S. Securities and Exchange Commission (SEC) sanctions to management turnover and serious reputation damage.

False sense of security

Enacted in 2002, Section 404 of the Sarbanes-Oxley Act requires management and auditors to establish internal controls and file a detailed internal control report each year. In the beginning, this requirement proved to be problematic and costly for companies across the nation. Today, however – more than a decade later – many have a better handle on these internal reports.

Many financial managers report that they feel that their teams are experts when it comes to regulatory compliance requirements: In a Robert Half Management Resources survey, 45 percent of chief financial officers interviewed rated their teams’ regulatory and compliance knowledge as excellent, and 48 percent characterized it as good.

Some CFOs might be too optimistic, however. In May of last year, COSO, whose chairman is Protiviti senior managing director Bob Hirth, released the updated Internal Control-Integrated Framework to help organizations adapt to the changes in the business and operating environments since the Framework was first published in 1992. Despite the December 15, 2014, deadline to transition to the 2013 version, many companies have been slow to apply it to their key internal controls, Protiviti research found.

Noted Brian Christensen, executive vice president at Protiviti and leader of the firm’s Internal Audit and Financial Advisory practice, “A surprising number of companies underestimate how much time and effort goes into the implementation process to apply the new COSO framework to internal controls. Our survey findings suggest a large number of companies are not being attentive enough to these changes and may be behind where they should be in the process.”

A ‘perfect storm’

The SEC, too, feels many financial managers may be overly confident about their ICFR process. In fact, the SEC has reported a boost in audit inspection findings related to internal controls in recent years. At a national accounting conference late last year, Brian Croteau, deputy chief accountant at the SEC, said this increase indicates management is not always properly evaluating internal control – and many are failing to identify material weaknesses.

In 2013, the Public Company Accounting Oversight Board (PCAOB) issued a report listing a string of internal control audit problems the board has noted in recent years. The PCAOB advised auditors to take more care in their risk assessment and audit of internal control.

Jeanette Franzel, a member of the PCAOB, calls the current ICFR environment a “perfect storm.” Speaking at The Institute of Internal Auditors 2014 General Audit Management Conference, she said companies are implementing an updated framework for internal controls while simultaneously facing new questions from external auditors who are being urged by the PCAOB to get tough on controls.

“Unfortunately, over the decades, we've seen multiple cycles in which company management and internal and external auditors simply didn't get it right in the area of internal control, resulting in failures to effectively define, understand, implement, and assess internal control,” she added.

Overcoming ICFR obstacles

There are positive signs emerging. According to Benchmarking the Accounting & Finance Function: 2014 from Robert Half and Financial Executives Research Foundation, the escalating complexity of regulatory compliance has spurred businesses to develop more internal controls.

Still, there clearly remains much work to do. Businesses need to continue building on strategies to keep their teams up to date on emerging regulatory demands and instill in staff a broad business outlook that enables them to anticipate and respond quickly to new developments.

In an effort to overcome towering ICFR obstacles, quite a few businesses are turning to specialized consultants. Because these experts have extensive experience with internal controls, they can assist organizations in navigating the intricate ICFR maze. A skilled consultant can help reorganize internal controls and prepare an ICFR report to present to external auditors, for example. This not only saves a company time but also allows it to create a more streamlined reporting process.

Faced with ever-evolving regulations, financial executives must go above and beyond to ensure their organizations are properly positioned to certify internal control over financial reporting – not only today, but in the years to come.

For more insights on the new COSO Framework, download Protiviti's FAQ guides. Contact us to find out how we can help you transition to the new standards.