Back to Top
What is the purpose of the evaluation of ICFR?
While periodic evaluations of internal control over financial reporting (ICFR) is advisable for all
sizes and types of organization, those with registered debt or equity with the US Securities and
Exchange Commission (SEC) must perform this annually. The purpose of the evaluation is to
provide management with a reasonable basis for its annual assessment as to whether any
material weaknesses in ICFR exist as of the end of the fiscal year. The concepts of reasonable
judgment, scalability, and risk are central themes.
Since this is primarily the
responsibility of financial reporting personnel, why should I care?
SEC staff advocates a top-down, risk-based approach to identify risks and controls, and in
determining evidential matter necessary to support the assessment. This approach explicitly
includes IT general controls and entity-level controls, which encompasses a wide range of
employees from multiple departments. A company’s culture, as well as its process for attracting,
developing, and retaining employees, are examples of entity-level control areas that have a
pervasive effect on financial reporting objectives and thus need to be considered in the ICFR
evaluation process. Hence, this is not simply an exercise of the CFO and controllership functions,
but rather involves the inputs and efforts of many people.