
Internal control over financial reporting: A guide for governance leaders

Many factors contribute to the persistent confidence that investors maintain in U.S. financial markets, including internal control over financial reporting (ICFR). It's the framework of controls companies use to compile and deliver accurate financial statements, and it's the focus for critical external audits businesses must pass. Investors depend on reliable financial information, and effective ICFR — including a successful audit report on internal controls — helps reduce the risk that financial statements will contain material errors or misstatements.
Recent analysis from Moss Adams shows material weaknesses trending downward through April 2025, indicating improved ICFR effectiveness across organizations. However, regulations continue to evolve, with new auditing standards and enhanced cybersecurity disclosure requirements creating additional complexity for governance leaders.
As with any system, maintaining sound ICFR requires ongoing effort and dialogue among stakeholders to create and maintain effective controls. This article will help those involved with financial reporting establish better controls by explaining:
- What internal control over financial reporting means and why it matters
- ICFR regulations and frameworks, including SOX requirements and COSO guidelines
- Practical ICFR examples across common business processes
- The audit process and types of audit reports on internal controls
- Internal controls over financial reporting checklist for payroll and procurement
- Best practices for audit committee oversight and control design
- How AI technology transforms ICFR through automation and continuous monitoring
What are internal controls over financial reporting?
Internal control over financial reporting is a process that helps companies manage risks and ensure the reliable preparation of accurate financial statements.
The accepted definition of internal controls over financial reporting includes the daily control policies and procedures that employees at all levels must follow when engaging with company finances. This typically involves tracking receipts and seeking managerial approval for all transactions, among other control practices.
For mid-market and pre-IPO companies, ICFR represents the foundation for transaction readiness and investor confidence. These organizations must build governance infrastructure that supports current operations and future growth milestones, including potential IPO preparation.
ICFR regulations and frameworks
Most shareholders want to review financial statements and receive assurance about statement accuracy. However, investors aren't the only motivator for ICFR. Several regulations and frameworks dictate the internal control over financial reporting practices that companies must implement:
- Sarbanes-Oxley ICFR regulations: The SEC requires that all public companies comply with the Sarbanes-Oxley Act, which has numerous requirements for financial reporting controls. This is a crucial way the SEC seeks to bolster consumer and shareholder confidence in the capital market. Recent SEC enforcement activity resulted in a record $8.2 billion in financial remedies obtained in fiscal year 2024, highlighting the critical importance of compliance.
- COSO ICFR framework: Although the COSO framework isn't a legal requirement, it bridges the gap between business imperatives and the risk landscape by providing a predefined control structure that many organizations adopt as their foundation.
- Financial reporting frameworks: There are several frameworks beyond COSO that companies utilize to meet accounting standards. These include the U.S. Generally Accepted Accounting Principles (GAAP) and the International Financial Reporting Standards (IFRS).
- Regulatory updates: New Public Company Accounting Oversight Board (PCAOB) auditing standards became effective December 15, 2024, including enhanced requirements for auditor coordination procedures. Additionally, cybersecurity disclosure requirements now mandate 8-K filings within four business days of materiality determination.
What is the purpose of internal control over financial reporting?
Internal controls over financial reporting mitigate risk. Through effective controls, companies detect unauthorized use of company resources — whether by an internal bad actor or external breach.
Adopting a financial reporting framework means proactively identifying any activities that could impact financial statements. This increases the quality of financial statements, reduces the likelihood of misstating company assets, and enhances information security. For growth-stage companies preparing for investment rounds or IPO, robust ICFR demonstrates governance maturity that sophisticated investors increasingly demand.
Examples of internal control over financial reporting
Internal controls and their components should be unique to your organization and industry. After all, a company with retail storefronts will need different controls than an online pharmacy. Several specific examples of financial reporting controls are relatively common across industries:
1. Transaction approvals: A designated employee, such as a manager or accountant, reviews and approves transactions. To maintain proper separation of duties, this approver should not be the same person making the purchase. In mid-market companies, approval processes often involve multi-level workflows that scale with transaction amounts.
2. Transaction receipts: Many businesses collect receipts for every transaction to verify that the approved funds used are as intended. Modern approaches include digital receipt management systems that integrate with enterprise resource planning platforms.
3. Account reconciliation: Another ICFR example is reconciliation, which involves using receipts to validate any money coming in and out of company accounts. Advanced reconciliation processes now incorporate automated matching capabilities that flag discrepancies for management review.
4. Segregation of duties: Ensuring that no single individual has control over all aspects of a financial transaction helps prevent both errors and fraud. This becomes particularly important as organizations grow and transaction volumes increase.
5. Management review controls: Systematic review of financial results, including variance analysis and trend identification, helps identify potential issues before they become material weaknesses.
What is an audit of internal controls over financial reporting?
During an audit of internal controls over financial reporting, an external auditor evaluates the effectiveness of a company's controls. The resulting report provides independent assurance that the company adheres to credible and ethical financial reporting practices.
The ICFR audit process is an important way to validate financial controls. It's also an SEC requirement for most public companies classified as accelerated filers (public float of $75 million or more), according to Section 404(b) of the Sarbanes-Oxley Act.
Generally speaking, an ICFR auditor will:
- Review a sample set of transactions across multiple periods
- Identify any weaknesses in the internal controls design or implementation
- Determine whether a company is at risk of misstating finances
- Issue a report of their findings with specific recommendations
- Present to management and the board so they can remediate any issues
The new PCAOB "Other Auditors" standard, effective December 15, 2024, enhances audit coordination procedures when multiple audit firms are involved, particularly relevant for complex organizations with subsidiaries or joint ventures.
Audit report on internal controls over financial reporting
During an audit of internal controls over financial reporting, an external auditor will review all controls to ensure they are designed effectively and implemented to protect the organization from financial risk. Audits are a regulatory requirement, but they're also an invaluable opportunity.
Even the best ICFR process may yield weak internal controls. What's more, the best controls can flounder because employees don't know how to follow them. An audit of internal controls over financial reporting pressure-tests the controls so that it is the auditor, not hackers and bad actors, who discovers the weaknesses.
An audit report on internal controls is the product of the audit. It's the document that describes whether the organization passed the audit and the auditor's recommendations for improvement.
How do audits report on internal controls?
An external auditor issues an opinion on whether internal controls over financial reporting are effective. This is separate from — but aligned with — the audit of the financial statements.
The report will summarize the auditor's findings regarding the different control components:
- The control environment
- The organization's assessment of risk
- Control activities
- Internal communication about controls
- Control monitoring
The SEC requires organizations to file the audit report along with the annual report. That said, organizations can also use the auditor's opinion to improve their internal controls or strengthen their financial reporting policies.
Examples of audit reports on internal controls
There are four types of audit reports depending on whether the auditor issues a favorable or unfavorable position about the company's ICFR process:
1. Clean report: This is the most common report an auditor issues, and it means the company's financial reporting is satisfactory with no material weaknesses identified.
2. Qualified report: This indicates that while the financial statements are fairly presented overall, there are specific areas of concern that don't rise to the level of material weaknesses.
3. Disclaimer report: This is considered an unfavorable audit report and usually suggests that the organization interfered with the auditor's process in some way, preventing them from forming an opinion.
4. Adverse report: An organization may receive this audit report on internal controls if its financial statements contain fraud or misstatements, or if the data wasn't prepared properly.
Though clean reports are the most common opinion auditors issue, disclaimer and adverse reports do happen. While this represents a significant challenge, it's not insurmountable. Rather, it's an opportunity to create a comprehensive remediation plan, similar to approaches documented by the Government Accountability Office.
Management's report on internal control over financial reporting
The SEC requires that companies include both a management report on ICFR and an audit report on internal controls in the Form 10-K annual report. Non-accelerated filers must conduct management ICFR assessments, but only accelerated filers and large accelerated filers must include an external auditor's attestation.
For companies preparing for IPO, Alvarez & Marsal recommends a comprehensive readiness process executed over a one- to two-year period, with their illustrative timeline showing 15 months from initial assessment to IPO. This preparation involves building out financial reporting capabilities, internal controls, and governance structures, with early engagement of external advisors critical to success.
Internal control over financial reporting checklist
An internal control over financial reporting checklist is a tool that documents controls employees should follow. Employees use the checklist to verify that they follow the appropriate controls, assuming they aren't automated. The checklist will likely vary between departments — payroll, for example, has very different needs than customer billing.
Regularly, team members can use the checklist to confirm that their process aligns with established controls. This process reduces internal control weaknesses, strengthens an organization's culture of compliance and offers assurance that employees at all levels are implementing the proper controls.
Sample checklist: Payroll processing
A sample checklist for payroll would include:
- Matching timesheets to individual employees with proper authorization
- Seeking approval on billed hours from supervisors before processing
- Confirming the hours in payroll match the hours in timesheets exactly
- Having the payroll manager review paychecks before they go out
- Depositing paychecks into accounts associated with the people named on the paychecks
- Maintaining proper documentation for all payroll adjustments
- Reconciling payroll registers to general ledger entries monthly
Sample checklist: Purchase-to-pay processes
For purchase-to-pay processes, a comprehensive checklist might include:
- Purchase requisition approval based on spending authority limits
- Three-way matching: Purchase order, receiving report, and vendor invoice
- Vendor master file maintenance with proper segregation of duties
- Duplicate payment prevention controls and procedures
- Monthly vendor statement reconciliations and follow-up on discrepancies
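The purchase-to-pay checklist above can be turned into automated exception reporting. The following is an added example, not code from the original article or from Diligent: it runs three of the listed controls (three-way matching of purchase order, receiving report and vendor invoice; segregation of duties between requisitioner and approver; duplicate payment prevention) over a small set of constructed records. The record fields, the 1% price tolerance and the sample data are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass

PRICE_TOLERANCE = 0.01  # assumed: invoice unit price may deviate at most 1% from the PO

@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    vendor: str
    quantity: int
    unit_price: float
    requested_by: str  # who raised the requisition
    approved_by: str   # who approved it within their spending authority

@dataclass(frozen=True)
class ReceivingReport:
    po_id: str
    quantity_received: int

@dataclass(frozen=True)
class VendorInvoice:
    invoice_no: str
    po_id: str
    vendor: str
    quantity_billed: int
    unit_price: float

def three_way_match(po, receipt, invoice):
    """Return the reasons an invoice fails to match its PO and receiving report (empty list = clean)."""
    reasons = []
    if invoice.vendor != po.vendor:
        reasons.append(f"invoice vendor {invoice.vendor!r} differs from PO vendor {po.vendor!r}")
    if receipt is None:
        reasons.append("no receiving report on file")
    elif invoice.quantity_billed > receipt.quantity_received:
        reasons.append(f"billed {invoice.quantity_billed} but only {receipt.quantity_received} received")
    variance = abs(invoice.unit_price - po.unit_price) / po.unit_price
    if variance > PRICE_TOLERANCE:
        reasons.append(f"unit price variance {variance:.1%} exceeds {PRICE_TOLERANCE:.0%} tolerance")
    return reasons

def segregation_violations(purchase_orders):
    """POs where one person both requested and approved the spend (segregation of duties failure)."""
    return [po.po_id for po in purchase_orders if po.requested_by == po.approved_by]

def duplicate_payments(invoices):
    """Invoices presented more than once with the same vendor, invoice number and amount."""
    counts = Counter(
        (inv.vendor, inv.invoice_no, round(inv.quantity_billed * inv.unit_price, 2)) for inv in invoices
    )
    return sorted(key for key, n in counts.items() if n > 1)

def run_controls(purchase_orders, receipts, invoices):
    """Run all three controls and return the exceptions that need management review."""
    pos = {po.po_id: po for po in purchase_orders}
    received = {r.po_id: r for r in receipts}
    match_exceptions = {}
    for inv in invoices:
        reasons = three_way_match(pos[inv.po_id], received.get(inv.po_id), inv)
        if reasons:
            match_exceptions.setdefault(inv.po_id, []).extend(reasons)
    return {
        "match_exceptions": match_exceptions,
        "sod_violations": segregation_violations(purchase_orders),
        "duplicates": duplicate_payments(invoices),
    }

# Constructed sample records (not real transactions); comments mark the planted exceptions.
PURCHASE_ORDERS = [
    PurchaseOrder("PO-1001", "Acme Supply", 100, 12.50, "alice", "bob"),
    PurchaseOrder("PO-1002", "Acme Supply", 40, 80.00, "carol", "carol"),  # requester approved own PO
    PurchaseOrder("PO-1003", "Northwind", 10, 250.00, "dave", "erin"),
]
RECEIVING_REPORTS = [ReceivingReport("PO-1001", 100), ReceivingReport("PO-1002", 40), ReceivingReport("PO-1003", 8)]
INVOICES = [
    VendorInvoice("INV-55", "PO-1001", "Acme Supply", 100, 12.50),
    VendorInvoice("INV-55", "PO-1001", "Acme Supply", 100, 12.50),  # same invoice presented twice
    VendorInvoice("INV-56", "PO-1002", "Acme Supply", 40, 84.00),  # 5% above the PO unit price
    VendorInvoice("INV-90", "PO-1003", "Northwind", 10, 250.00),  # bills 10, only 8 received
]
```

Calling `run_controls(PURCHASE_ORDERS, RECEIVING_REPORTS, INVOICES)` flags PO-1002 (price variance and self-approval), PO-1003 (short shipment) and the twice-presented INV-55, while the clean PO-1001 produces no exceptions.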
Best practices for internal control over financial reporting
ICFR processes and procedures are iterative, meaning they should evolve along with the business to sidestep possible limitations. Creating a culture that allows for this evolution in internal control over financial reporting starts with effective best practices. This includes the following:
1. Set a healthy tone at the top
For all members of the financial reporting supply chain, the importance of tone at the top cannot be overstated. Management, together with the board of directors, sets this tone by:
- Communicating effectively about control expectations and accountability
- Visibly adhering to clear ethical principles and codes of conduct
- Providing necessary support and resources for comprehensive fraud risk management programs and internal controls
- Demonstrating commitment through resource allocation and performance incentives
2. Watch for warning signs
Often, the tone at the top needs to improve to encourage company-wide adoption of ICFR. Warning signs that the tone needs improvement include:
- A very strong-willed CEO who creates a "don't ask questions" culture. CEOs tend to have commanding personalities, but it becomes problematic if a CEO is so intimidating that opposing views are not welcomed or adequately considered.
- A culture of perfection that inhibits open and transparent communication. This might result in problems being ignored and allowed to mushroom.
- Excessive pressure to meet key metrics. How much pressure exists to find that extra revenue or income to meet an analyst's forecast or comply with a debt covenant? A related issue involves significant compensation plans tied only to revenue and earnings. Compensation needs to balance short- and long-term incentives, with compliance forming part of the compensation determination.
3. Enhance the vital role of the audit committee
As observed by Wesley R. Bricker, Chief Accountant at the Securities and Exchange Commission, audit committees "play a critical role in contributing to financial statement credibility through their oversight and resulting impact on the integrity of a company's culture and ICFR, the quality of financial reporting, and the quality of audits performed on behalf of investors."
In keeping with this critical role, there are several approaches the audit committee can take to increase the chances of earning a favorable audit report on internal controls over financial reporting:
- Open communication channels: The audit committee's lines of communication should be widely open to senior management, not just to the CEO and CFO. Employees should feel comfortable reporting to the audit committee, either directly or through the company's ethics hotline, in situations where they believe they have been pressured by management to perform illegal or unethical acts.
- Proactive agenda management: The audit committee should look beyond its meeting materials and ask, "What else should we be talking about?" Similarly, audit committee meetings with management are often arranged for a specific purpose, with agendas decided well in advance of meetings. Audit committees should be proactive in broaching other topics when necessary.
- Active engagement on accounting issues: The audit committee needs to take greater ownership of accounting issues and ask more open-ended questions about them. To pull this off, a member of the audit committee could listen to the company's earnings call with analysts to consider if the messaging is consistent with the financial filings.
- Specialized expertise access: For audit committees in industries with highly specialized accounting, the audit committee may benefit from external industry specialists. The role of the audit committee should include challenging senior management on the accounting for complex transactions and estimates. Having expert advice promotes the ability to have a thorough dialogue on these issues.
- Fresh perspectives: When audit committee members and management have both served long terms, there can be a tendency for problems to go unnoticed and questions left unasked. Turnover on boards can provide fresh eyes and a new spirit for engaging in accounting issues.
- Resource adequacy assessment: As part of the assessment of ICFR by both the company and the external auditor, concerns related to inadequate or ineffective staffing should be considered when evaluating the design and operation of a company's controls.
- Relationship building: Formal and informal interactions are necessary between and among external auditors, the financial reporting team, internal auditors, and the audit committee. These interactions strengthen relationships and enable more candid communication.
4. Implement continuous monitoring and testing
Rather than relying on periodic testing, leading organizations implement continuous monitoring capabilities that provide real-time insights into control effectiveness. This approach enables faster identification and remediation of control deficiencies before they escalate to material weaknesses.
5. Leverage technology for control optimization
Organizations that successfully implement AI and automation in their ICFR processes report significant improvements in accuracy and efficiency. However, Deloitte research suggests that CFOs are taking a “cautious approach to GenAI” as they evaluate what the technology can do for their business before committing resources.
Key technology implementation principles include:
- Start with high-impact, low-risk applications like automated reconciliations
- Maintain audit trails for all automated processes
- Implement human oversight protocols for AI-generated outputs
- Regularly validate automated controls against manual procedures
6. Focus on control design effectiveness
According to Deloitte DART guidance, design deficiencies represent controls that "even if operating effectively, would not prevent or detect a material misstatement." Understanding this distinction is critical: A control has a design deficiency when it's fundamentally incapable of preventing or detecting errors, even if executed perfectly.
Common design deficiencies include:
- Management reviews that examine aggregate numbers without sufficient detail to identify material misstatements
- Inadequate segregation of duties that allows one person to initiate and approve transactions
- Controls that address only some aspects of a risk while leaving other pathways unprotected
Organizations should regularly assess whether controls are properly designed by mapping each significant financial reporting risk to specific controls and asking: If this control operates exactly as designed, would it actually prevent or detect a material misstatement?
Consider whether the control occurs at the right point in the process, includes appropriate precision to identify material issues, and is performed by someone with the necessary skills and authority.
How AI technology transforms internal controls over financial reporting
Artificial intelligence is changing how organizations approach ICFR, offering opportunities for automation, risk detection, and control optimization. However, as noted in a PwC resource discussed by The Center for Audit Quality, successful AI integration requires careful oversight to ensure “internal controls over financial reporting are updated, risks are managed, and human oversight validates AI outputs.”
Leading organizations implement AI across the entire ICFR lifecycle — from control documentation and testing to audit coordination and board reporting. The most effective approach integrates these capabilities into a unified governance platform rather than deploying disconnected point solutions. Here's how comprehensive technology addresses each critical area:
Automated control management and monitoring
The foundation of effective ICFR lies in systematic control documentation, testing and monitoring. Diligent's Internal Controls Management directly automates and streamlines these processes — from risk assessment and documentation to control testing and real-time monitoring. The platform helps organizations ensure SOX and ICFR compliance by reducing manual errors and audit fatigue through automated workflows and exception tracking.
This continuous monitoring capability represents a fundamental shift from periodic testing to real-time oversight. The system automatically identifies compliance risks before they become audit findings, analyzing patterns across governance frameworks to flag anomalies and control failures as they occur.
Coordinated audit processes
Effective ICFR requires seamless coordination between internal audit teams and external auditors. Diligent Audit Management coordinates end-to-end audit processes, integrates with financial controls data, and facilitates smooth collaboration among all stakeholders.
The platform enables risk-based audit planning and data-driven reporting, with comprehensive oversight of controls related to financial statement accuracy — critical capabilities for ICFR and SOX audits.
Comprehensive compliance alignment
ICFR doesn't exist in isolation. Diligent Compliance extends ICFR strength by aligning financial controls with broader regulatory requirements, including SEC reporting, SOX compliance, and cybersecurity regulations. This integrated approach supports continuous compliance and risk mitigation across the organization, preventing the siloed risk management that often creates compliance gaps.
The integration of AI into ICFR represents more than incremental efficiency gains. Organizations that successfully implement these technologies are bound to see reductions in audit preparation time, earlier identification of control deficiencies, and improved audit committee effectiveness.
However, success requires viewing technology as governance infrastructure rather than isolated tools — a unified platform that evolves with organizational complexity while maintaining the rigorous oversight contemporary compliance demands.
Ready to transform your internal controls with AI-powered governance? Schedule a demo to see how Diligent's comprehensive ICFR platform streamlines control management, audit coordination, and board oversight.
FAQs about internal controls over financial reporting
What are the most common types of material weaknesses in internal controls?
The most common material weaknesses involve design deficiencies where controls, even if operating effectively, would not prevent or detect material misstatements. This includes inadequate segregation of duties, insufficient management review controls, and weak IT general controls around financial systems.
How long does it take to remediate material weaknesses in ICFR?
Remediation timelines vary based on the severity and nature of the weakness. Simple operational deficiencies may be resolved within one quarter, while design deficiencies requiring new systems or processes can take 12-18 months. Organizations preparing for IPO should begin ICFR development 12-18 months before their planned filing date to ensure adequate preparation time.
What role does AI play in contemporary internal controls over financial reporting?
AI enhances ICFR through automated risk detection, continuous monitoring, and intelligent document preparation. However, the CAQ emphasizes that audit committees must ensure internal controls over financial reporting are updated, risks are managed, and human oversight validates AI outputs. Successful AI implementation requires maintaining proper oversight and validation procedures.
How do cybersecurity requirements integrate with traditional ICFR frameworks?
The SEC's cybersecurity disclosure requirements mandate 8-K filings within four business days of materiality determination, requiring organizations to integrate cyber incident controls into existing ICFR frameworks. This includes clear materiality determination procedures, rapid response protocols, and coordination between IT security and financial reporting teams.
What are the key differences between ICFR requirements for public and private companies?
Public companies with over $100 million in revenue must comply with SOX Section 404, requiring both management assessment and external auditor attestation of ICFR effectiveness. Private companies have more flexibility but still require adequate controls to support reliable financial reporting, particularly when preparing for investment rounds, IPOs, or sale transactions.
Ready to transform your ICFR with AI-powered governance solutions? Explore how Diligent's comprehensive platform streamlines ICFR processes while maintaining the oversight and control modern organizations require.