For more than a decade, public companies in the United States of America (USA), Canada, Brazil, Turkey, and more have been required to implement Internal Control over Financial Reporting (ICFR), especially as part of issuer audits. While some organizations may view the ICFR requirements as a burden or a check-the-box exercise, these companies are likely missing opportunities to unlock hidden value, which may have a broader impact on their system of internal control.
This is why it is unfortunate that most discussions about ICFR are focused on how public companies can meet regulatory expectations, often leaving out another important aspect of ICFR, the intent, which if understood would bring the importance of these regulations to the forefront and can be a strong motivator for compliance.
This is especially true in Nigeria, where new Security and Exchange Commission (SEC) regulations require listed entities to comply with ICFR by the end of their fiscal year in 2021.
In this article, we will go over the intent, importance and challenges of ICFR, the consideration for its implementation, and best practices for compliance.
WHY IS ICFR SO IMPORTANT?
In the 1990s, publicly traded companies in the USA like Xerox and Global Crossing engaged in a series of fraudulent and misleading activities. Notably, these companies published false financial statements in order to increase the prices of their stock. However, like a house of cards, there is only so long false reporting can stand up to market forces before crumbling. The companies that engaged in fraudulent reporting began to crash, and almost a thousand listed trading companies were forced to restate their financial statements. This resulted in almost $6 trillion of stock market value disappearing overnight.
The high-profile nature of these frauds shook investor confidence in the trustworthiness of corporate financial statements. It led many to demand an overhaul of regulatory standards guiding financial reporting for publicly traded companies. In response to these events, and in a bid to protect investors from fraudulent financial reporting by corporations, the Sarbanes-Oxley Act (SOX) of 2002 was passed by the United States Congress. This new Act imposed tough new penalties on lawbreakers and mandated strict reforms to existing securities regulations. Thus began the era of ICFR.
COMPLIANCE REQUIREMENT IN NIGERIA
The SEC issued the "Guidance for the Implementation of Sections 60-63 of the Investment Securities Act" which provides guidelines for directors to implement relevant ICFR and auditors to review the same and issue reports on the effectiveness of ICFR. Based on the guidelines, public companies are required to report on compliance in their annual reports effective December 2021 financial year-end.
As a result, quoted companies in Nigeria, are required to have an integrated audit performed, which includes an external auditor's assessment of the effectiveness of the company's ICFR and an annual managerial evaluation of the aforementioned internal controls.
OBJECTIVE OF ICFR
ICFR is designed to protect the interests of investors and other stakeholders by preventing fraud and financial crimes as a result of poor reporting by publicly traded companies. This is why regulatory bodies worldwide see ICFR engagements as opportunities for public companies to improve the quality and efficiency of their financial reporting models.
CHALLENGES AND CONSIDERATIONS FOR EFFECTIVE IMPLEMENTATION OF INTERNAL CONTROLS
When done right, internal controls can be an integral part of business operations that can help add value and mitigate risks. That said, all companies, regardless of their size, are faced with the challenge of maintaining internal control in financial reporting. Some of the challenges and considerations to review for quality reporting are highlighted below:
Challenge 1: Scarcity of Resources
Public companies frequently face a resource shortage when it comes to achieving appropriate segregation of duties and monitoring financial reporting processes. There is also a scarcity of resources with sufficient experience and skill in financial reporting, and many businesses struggle to find and retain qualified employees. Some even convince themselves that there is no such thing as segregation of duties unless fraud is discovered.
Do not underestimate the significance of clear and detailed job segregation. Control owners, or those responsible for carrying out control activities, will be effective only if they have a clear understanding of the duties associated with the control for which they are responsible, as well as the internal control design itself.
Challenge 2: Isolation of Compliance Programmes
Many organisations run compliance programmes in isolation to prove compliance to selective laws/ regulations, raising the overall cost of compliance.
Your company's internal controls systems should be informed by a comprehensively thorough risk assessment that identifies which critical processes of the ICFR may be susceptible to errors. Focus on the ones that matter most to your business operations and strategy.
Once risk areas have been identified, classified, and prioritised, it is vital to consider the type of internal controls that will best mitigate those risks. The options are — manual, preventive, or automated. This can vary depending on the level of risk assessed and other factors.
Challenge 3: Extending Value over Time
An essential aspect of a system of internal controls and a challenge faced by many organisations is determining how to sustain and ideally, improve the effectiveness of the framework they have put in place over time.
Your internal control framework should be well designed to be flexible, scalable, and nimble in order to provide extended value. As your company evolves over time, new risks may emerge, and previously identified risks may become obsolete. These modifications offer an opportunity to standardise your internal controls.
It can also assist you in ensuring that the controls are functioning properly and remain relevant as your business grows and evolves.
Challenge 4: Limited IT Tools
Smaller organisations are more likely to have limited technical resources and be unable to maintain the appropriate operating controls over their information systems.
Given the importance of implementing ICFR, businesses with limited resources must opt for automation and outsourcing of non-critical finance processes. This will allow for standardisation and give them faster and better access to data, resulting in cost savings.
Large organisations that maintain multiple finance environments with different business rules, policies, finance systems, and charts of accounts can also benefit, as managing everything in-house can be expensive, cumbersome, and challenging.
RECOMMENDATIONS AND BEST PRACTICES
Publicly traded corporations and any organization implementing ICFR must follow the guidelines, with the board of directors ultimately responsible for internal control. Employees are responsible for implementing the board's risk and control policies. As a result, a top-down methodology, in which the expectations and tone are set at the top, is the best strategy.
Regardless of regulatory obligations, putting in place a sound governance system is the way to go. This requires a team with skills, technical knowledge, and an expansive understanding of the objectives of the organisation to set up the ICRF while keeping the costs of compliance in check.
Once an organization has a focus on developing a robust compliance management programme, the organisation will only need to make minor changes to its existing compliance and risk management programme if a new regulation or law is enacted at a later date. Therefore, we recommend incorporating these practises into the DNA of your organisation, so it becomes second nature.
Internal financial reporting controls have been in place for a long time, but they have recently gained importance as risk management has become more important. As a result, establishing the proper internal controls increases the likelihood that your company will meet its compliance, financial reporting, and operational goals.
Establishing ICFR is critical for any organisation, large or small, public or private, to ensure that the policies, directions, and procedures put in place by the board and management are effective.
You are not required to do this alone. It is imperative to engage professionals with the knowledge, skill and experience to work with you across the full spectrum of finance and accounting processes to ensure that every business process with a financial implication is monitored. These advisers can ensure compliance and recommend bespoke strategic structures in line with best practices.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.