There are four disclosure requirements to the Annual Report on ICFR as defined by Item 308(a) of SEC Regulation S-K (§229.308):
The Internal Control – Integrated Framework, by The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is by far the most common framework used by SEC registrants for evaluating ICFR. This does not mean that the COSO Framework is the only option, as the SEC mentions other control frameworks that they consider suitable.
In addition to disclosing the framework used to evaluate the effectiveness of ICFR in the annual Form 10-K report, management must maintain documentation to provide reasonable support for their assessment. This means that you need evidence to support utilizing the COSO Framework in the evaluation process unless another framework is cited in the Annual Report on ICFR. Simply referencing a framework in the Annual Report on ICFR is not sufficient as there must be evidence of how relevant facets of the framework were utilized. For the COSO Framework, this means that all five components and 17 principles must be concluded upon unless a principle is not deemed relevant.
It is ultimately management’s responsibility, as led by the CEO and CFO, to conclude on their assessment. However, the internal audit function should be an integral part of the ICFR evaluation process to provide an independent prospective. We provide such services through both outsourcing and co-sourcing options.
SEC staff enforcers have been investigating and prosecuting a broader range of ICFR violations than ever before, thus raising the stakes for certifying officers and others involved in the financial reporting process. While it is true that the language of the Annual Report on ICFR seldom changes from year- to-year, the evaluation process in concluding on the effectiveness of ICFR typically does thanks to new accounting changes, evolving risks, merger and acquisition transactions, new personnel, changing operating environments, etc. Don’t underestimate the ICFR evaluation effort.