Now is a great time to revisit Internal Control Over Financial Reporting (ICFR) disclosures, since many public companies are preparing their annual reports for the U.S. Securities and Exchange Commission (SEC), also known as 10-K season. Management, especially the certifying officers, must fully understand the 10-K disclosure report entitled Management’s Annual Report on Internal Control Over Financial Reporting (Annual Report on ICFR). This report involves much more than simply fulfilling a disclosure requirement through “boilerplate” language. Failure to follow the underlying requirements can lead to harsh regulatory actions. Are you comfortable with the documentation requirements, including use of a framework and properly concluding on the severity of deficiencies? This article cites SEC guidance, as well as an enforcement case from last year, to help answer this question. For private companies and nonprofit organizations not subject to SEC requirements, defining and assessing controls is simply a sound business exercise regardless of regulatory compliance considerations (refer to my previous article entitled “Controls” Is Not a Dirty Word for additional insights).
While those directly responsible for the SEC financial reporting process are generally well-versed with the Annual Report on ICFR requirements, others are not. This is especially true for people outside the finance department, such as information technology (IT), human resources (HR) and operations teams, and yes – even the CEO in some cases. To realize an effective ICFR evaluation process, it is important for everyone involved to have a clear understanding of the requirements and their roles. Correctly applying the required framework, such as COSO’s Internal Control – Integrated Framework, greatly helps in shaping accountabilities, but other challenges lurk. Here are some common questions this article addresses:
- What is the purpose of the evaluation of ICFR?
- Since this is primarily the responsibility of financial reporting personnel, why should I care?
- What are the Annual Report on ICFR requirements?
- What is the difference between an evaluation and an assessment?
- What is involved with using a framework for evaluating ICFR?
- Who should conclude on the assessment of ICFR?
- What are the documentation requirements?
Let’s first address the initial two questions before moving onto the requirements. According to the SEC’s Release #33-8810 & #34-55929 (Interpretive Release): “The purpose of the evaluation of ICFR is to provide management with a reasonable basis for its annual assessment as to whether any material weaknesses in ICFR exist as of the end of the fiscal year.” The Interpretive Release provides guidance for management in evaluating and assessing ICFR. Although dating back to 2007, this is a release that should be periodically revisited by management of all public companies. The concepts of reasonable judgment, scalability and risk are central themes. Additionally, the Interpretive Release advocates a top-down, risk-based approach to identify risks and controls and in determining evidential matter necessary to support the assessment. This approach explicitly includes IT general controls and entity-level controls, which encompasses a wide range of employees from multiple departments. A company’s culture, as well as its process for attracting, developing and retaining employees, are examples of entity-level control areas that have a pervasive effect on financial reporting objectives and thus need to be considered in the ICFR evaluation process. Hence, this is not simply an exercise of the CFO and controllership functions, but rather involves the inputs and efforts of many people (refer to footnote #2 to better understand the definition of entity-level controls and the different roles impacting ICFR).
The scoping matter of IT controls deserves further attention, since there is often an ongoing debate between the IT department, the controllership function and auditors on this topic. IT general controls and software application controls may be relevant to the ICFR evaluation, but this varies widely depending on the company’s technology infrastructure and ultimate uses of the technology. The SEC’s Interpretive Release states that “management only needs to evaluate those IT general controls that are necessary for the proper and consistent operation of other controls designed to adequately address financial reporting risks.” There is a lot of judgment that factors into this, but ultimately if the IT infrastructure or software is relevant to addressing financial reporting risks, either directly or indirectly through other financial reporting controls, it should be considered for scoping purposes.
4 Requirements of the Annual Report on ICFR
There are four disclosure requirements to the Annual Report on ICFR as follows:
- A statement of management’s responsibility for establishing and maintaining adequate ICFR for the registrant;
- A statement identifying the framework used by management to evaluate the effectiveness of the registrant’s ICFR;
- Management’s assessment of the effectiveness of the registrant’s ICFR as of the end of the registrant’s most recent fiscal year, including a statement as to whether or not ICFR is effective. This discussion must include disclosure of any material weakness in the registrant’s internal control over financial reporting identified by management. Management is not permitted to conclude that the registrant’s ICFR is effective if there are one or more material weaknesses in the registrant’s ICFR; and
- If the registrant is an accelerated filer or a large accelerated filer, or otherwise includes in its annual report a registered public accounting firm’s attestation report on ICFR, a statement that the registered public accounting firm that audited the financial statements has issued an attestation report on the registrant’s ICFR.
The first disclosure requirement is simply an affirmation of management’s responsibility for ICFR. Management is led by the CEO and CFO (or persons performing similar functions), otherwise known as the “certifying officers,” since they must also sign off on these responsibilities through Exhibit 31 of the 10-K. Long gone are the days of the CEO being able to plead ignorance of ICFR thanks to this requirement. The fourth requirement is also straightforward in disclosing that your external auditor has issued an audit report on the effectiveness of ICFR if the company files their 10-K as either an accelerated filer or a large accelerated filer. It is the second and third requirements that warrant the most attention in terms of an underlying process.
Framework Used (Requirement #2)
The Internal Control – Integrated Framework, created by The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is by far the most common framework used by SEC registrants for evaluating ICFR. This does not mean that the COSO Framework is the only option, as the SEC mentions other control frameworks that they consider suitable.
The important takeaway is that management must disclose the framework they use to evaluate the effectiveness of ICFR and “must maintain evidential matter, including documentation, to provide reasonable support for management’s assessment of the effectiveness of the registrant’s internal control over financial reporting.” This means that you need evidence to support utilizing the COSO Framework in the evaluation process unless another framework is cited in the Annual Report on ICFR, in which case there must be evidence of the framework used. Simply referencing a framework in the Annual Report on ICFR is not sufficient, as there must be evidence of how relevant facets of the framework were utilized. For the COSO Framework, this means that all five components and 17 principles must be concluded upon unless a principle is not deemed relevant (refer to my previous article entitled Implementing COSO’s 2013 Framework for more details). Understand that the 17 principles are usually owned by several different departments, such as IT with principles #11 and #13. Finally, keep in mind that the COSO Framework is a powerful tool for achieving operating, compliance and other reporting objectives beyond the Annual Report on ICFR. Look beyond pure compliance to best maximize shareholder value.
Management’s Assessment (Requirement #3)
The internal audit function should be an integral part of the ICFR evaluation process. However, it is ultimately management’s responsibility, as led by the CEO and CFO, to conclude on their assessment. This was made very clear through an SEC enforcement action against Magnum Hunter Resources Corporation (MHR) in 2016. The following four CPAs were penalized in this case, including fines and cease and desist orders:
- MHR’s Chief Financial Officer
- MHR’s Chief Accounting Officer
- A former partner at the public accounting firm who was responsible for providing MHR’s external auditing services
- A partner at a public accounting firm responsible for the engagement to provide Sarbanes-Oxley Act of 2002 (SOX) consulting and internal auditing services to MHR.
To summarize, MHR engaged an internal auditor to assist management with the documentation, testing and evaluation of the company’s ICFR. The internal auditor concluded that a significant deficiency existed due to inadequate and inappropriately aligned staffing. Specifically, the internal auditor’s report stated that “the potential for error in such a compressed work environment presents substantial risk,” yet cited the staffing deficiency as only a significant deficiency rather than a material weakness without explanation. The external auditor and MHR management accepted the assessment that MHR’s insufficient accounting staffing represented a significant deficiency. Thus, MHR concluded that its ICFR was effective, since they did not report a material weakness in its 10-K filing. Additionally, management did not prepare any documentary evidence to supplement the documentation created by the internal auditor. The failures to properly conclude on the severity of an ICFR deficiency, as well as maintaining documentation in support of management’s assessment, were cited in the enforcement action. Also cited was the external auditor’s failure to adequately document the basis of their conclusion in accordance with PCAOB standards.
While the judgments on the severity of the deficiency were obviously questionable in the MHR case, the fact that there was not adequate documentation from the internal auditor, management or the external auditor is likely what sealed their fates. In practice, professional judgments will vary, as not everyone will necessarily come to the same conclusion. However, you should always have the supporting reasons behind important conclusions fully documented to best protect yourself and your employer. Consider the Annual Report on ICFR as one of these important conclusions. Ultimately, it is management’s call on concluding if any material weaknesses in ICFR exist as of the end of the fiscal year, not their auditors.
SEC enforcers have been investigating and prosecuting a broader range of ICFR violations than ever before, thus raising the stakes for certifying officers and others involved in the financial reporting process. Understand the regulatory requirements through ongoing training, and seek answers when in doubt. Remember that management must retain their own documentation to support their assessment. The internal audit function can be an integral part of the ICFR evaluation process; however, the certifying officers must understand the definition of a material weakness themselves and retain their own documentation in support of the ICFR assessment. It is management, led by the certifying officers, who owns the Annual Report on ICFR.
While it is true that the language of the Annual Report on ICFR seldom changes from year to year, the evaluation process in concluding on the effectiveness of ICFR is typically dynamic thanks to new accounting changes, evolving risks, merger and acquisition transactions, new personnel, changing operating environments, etc. Don’t underestimate the ICFR evaluation effort.
This is an article from the Governance Issues™ Newsletter, Volume 2017, Number 1, published on February 17, 2017.
 Page 9 of RELEASE NOS. 33-8810; 34-55929; FR-77; File No. S7-24-06; June 20, 2007.
 The term “entity-level controls” describes aspects of a system of internal control that has a pervasive effect on the entity’s system of internal control, such as controls related to the control environment (for example, management’s philosophy and operating style, integrity and ethical values; board or audit committee oversight; and assignment of authority and responsibility); controls over management override; the company’s risk assessment process; centralized processing and controls, including shared service environments; controls to monitor results of operations; controls to monitor other controls, including activities of the internal audit function, the audit committee and self-assessment programs; controls over the period-end financial reporting process; and policies that address significant business control and risk management practices. The terms “company-level” and “entity-wide” are also commonly used to describe these controls. Footnote 21, Page 10 of RELEASE NOS. 33-8810; 34-55929; FR-77; File No. S7-24-06; June 20, 2007.
 Page 20 of RELEASE NOS. 33-8810; 34-55929; FR-77; File No. S7-24-06; June 20, 2007.
 Item 308(a) of SEC Regulation S-K (§229.308).
 Per SEC Rule 13a-15(c), The framework on which management’s evaluation of the issuer’s internal control over financial reporting is based must be a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment.
 Per SEC Rule 13a-15(c), Although there are many different ways to conduct an evaluation of the effectiveness of internal control over financial reporting to meet the requirements of this paragraph, an evaluation that is conducted in accordance with the interpretive guidance issued by the Commission in Release No. 34-55929 will satisfy the evaluation required by this paragraph.
 The term “evaluation” or “evaluation process” refers to the methods and procedures that management implements to comply with these rules. The term “assessment” is used to describe the disclosure required by Item 308 of Regulations S-B and S-K [17 CFR 228.308 and 229.308]. Footnote 11, Page 5 of RELEASE NOS. 33-8810; 34-55929; FR-77; File No. S7-24-06; June 20, 2007. Item 308(a) of SEC Regulation S-K (§229.308).
 Footnote 23, Page 11 of RELEASE NOS. 33-8810; 34-55929; FR-77; File No. S7-24-06; June 20, 2007.
 Instruction #2 of Item 308 of SEC Regulation S-K (§229.308).
 SEC RELEASE NOS. 77345; 3756; File No. 3-17166; March 10, 2016, https://www.sec.gov/litigation/admin/2016/34-77345.pdf.
 Page 5, SEC RELEASE NOS. 77345; 3756; File No. 3-17166; March 10, 2016.