ICOFR – more than a Risk Approach

Rose Hightower
December 17, 2008 — 2,556 views  
Become a Bronze Member for monthly eNewsletter, articles, and white papers.

Using a risk based approach to determine what and where to test internal controls may be standard practice and a requirement to demonstrate Internal Control over Financial Reporting (ICOFR); however don't be fooled, that's not all you need.  ICOFR must be more than just testing that reviews have been completed and authorization has been given prior to the event taking place.  By the way, what do YOU think review means?


  • a risk based approach to ICOFR is to identify those accounts with the largest dollar volumes and test those account balances.
  • a financial review is conducted to ensure transactions are properly reviewed and authorized. A financial review analyzes numbers from two different sources to ensure that they are reconciled.

Scenario:  An Accounts Receivable employee prepares an A/R report and analyzes it to rationalize sales and distribution activity for the period.

If the reviews and approvals are in the right place, this review and analysis may identify differences in the financial results, but it should not give you a warm feeling that the sales, distribution, revenue recognition or collection process is working as it should.  It doesn't tell you if you have recorded ALL transactions, accurately, completely or timely.  It doesn't tell you if there are internal control weaknesses in the sales, distribution or A/R processes.   

ICOFR is really testing whether there are adequate review and approval steps from entering financial data to reporting it. Finance employees have become so enamored with the numbers; they don't realize or respect the transactions or processes which give rise to the numbers.  How many of you have thought about where or how that contract or sales order gets translated into a booked deal and dollars?  I'm suggesting that you need more. Risk related to financial reporting is a symptom of a lack of quality within the financial reporting process and by extension; the inference is that there is risk within the operational processes.

The advice I give to new CPAs or accountants is to walk your process; find out what generates the numbers.  You need to be observant, watch not only what is occurring but what is not happening.  Look to see if the same person who has custody of the asset is also the same person who has access to entering or changing the data.  Ask questions and listen; ask under what conditions could the process be bypassed or what happens to the exceptions.  Are all transactions accounted for in a timely manner, what happens when these are delayed?   In other words, conduct an operational review not just a financial review.

Scenario:  Sales order comes into sales administration, it is reviewed for completeness, changes to the standard contract language, product availability and pricing. The Sales order administrator sends acknowledgements to the Company's sales representative and the Customer and a copy goes to distribution for fulfillment.  The data is entered into the sales application which feeds data and information input for financial reporting purposes including: revenue recognition, sales commissions. Once the order has been fulfilled, inventory and cost of goods sold data and information is updated and released for financial processing.  The accounting system matches to see that the product has been delivered before sending the revenue and sales commission to be recognized.

As you can see, reviews and approvals are required along the operational as well as the financial front.  As a matter of fact, since most of this process is contained within an application, there is little room for independent financial reviews or approvals.  Ensuring data access controls, processing skill and control provides assurance that internal controls over financial reporting exists.

Minimal risks exist for: processing an incomplete or inaccurate sales order, recording revenue on unaccepted sales orders, shipping the product without billing for it.   

Once there is confidence that the process is working correctly, then by extension and inference we know the internal controls over financial reporting are working correctly. My message is to not shortcut the process. Conduct operational not just financial reviews. When there is confidence in the numbers - then all we are looking for is fraud.

Structure your internal control reviews

A review requires more than just validating that the same numbers appear on the backup and the top sheet.  A review requires that you understand the process of how the transaction actually is processed so as to produce the numbers on the backup and the top sheet.  You can follow the transaction and the parallel number flow from physical initiation and input to final disposition and output.   Walk the process once, make notes and then walk it again until you are satisfied.  Then spot check it by walking it at unannounced times.

Put internal control testing where it belongs; connect operational and financial processes. Risk assess the process not just the numbers.

If this story resonates, consider attending the Policy and Procedure Program Management training in New York on October 22 and 23 to find out more about the Program and how to handle objections and roadblocks. Visit www.idealpolicy.com to register.

For assistance with this Program and the individual projects refer to the Accounting and Finance Policies and Procedures manual published by John Wiley and Sons and available on Amazon

Rose Hightower, Accountant, MSc, is the owner of IDEAL Consulting Solutions International, LLC, a firm specializing in consulting in implementation of internal control policy and procedure programs for companies. Bringing over 20 years experience from IBM and as a finance manager and providing service as a professor her program contains practical lessons and simple solutions for any size company.  She is known as ‘The Policy Guru' and offers advice to clients via her website www.idealpolicy.com,

Rose Hightower