Don't be passive about ICOFR.
Too many ICOFR programs obey two simple rules: (1) do the bare minimum to achieve compliance and/or (2) let the external auditor lead the way. But a just-enough-for-compliance approach will miss the opportunities ICOFR can provide to support growth, mitigate risk, reduce costs, and drive value.
And the external auditor’s priorities may not align with the company’s objectives and needs. Whatever approach companies take toward ICOFR, it shouldn’t be a passive one. It should be a thoughtful decision based on what key stakeholders expect of the program.
No company expects to find costly weaknesses in its ICOFR program, but companies that successfully signed ICOFR certifications one year may discover material weaknesses the next. Even programs without material weaknesses may still be spending too much, facing unnecessary risks, and failing to keep up with the rapidly changing demands on ICOFR.
The first paper in this series, “Designing a healthy program that evolves to meet changing needs,” outlines common causes of material weaknesses, Sarbanes-Oxley’s (SOX) evolving demands, reasons ICOFR program health is important, and six questions to give companies an initial idea of the risks the program faces and the opportunities it may offer.
Once you’ve assessed how the ICOFR program currently measures on the seven pillars, it’s time to determine what maturity levels the stakeholders expect and how the company will get there.
Not every ICOFR program needs to invest in achieving maximum maturity in every pillar. Part of meeting stakeholder expectations is making a strategic, risk-based, economic decision about ICOFR priorities. Some pillars will likely be functioning at a higher level of maturity than others. It may be worth investing more in some pillars.
In others, it may be wise to accept certain minor risks in return for major cost savings.