March 31, 2026 30 min read

Internal control over financial reporting (ICFR) guide

Cannon Nikzad

Key Takeaway: ICFR is a process designed to provide reasonable assurance over the reliability of financial reporting and GAAP-compliant statements. Practitioners in 2026 contend with expanded scope into climate and cyber disclosures, a 39% PCAOB ICFR deficiency rate, and $2.3M average SOX cost. COSO 2013 remains the backbone, now supplemented by COSO's 2026 GenAI guidance.

Internal control over financial reporting (ICFR) is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with Generally Accepted Accounting Principles (GAAP). It combines entity-level controls, process-level controls, and IT general controls (ITGCs) — anchored to specific financial statement assertions and tested against the risk of material misstatement. The PCAOB's 2024 Staff Update reported a 39% ICFR deficiency rate, a reminder that design and operating effectiveness remain a moving target even for mature filers.

With the U.K. contemplating legislation that would require companies to establish internal control over financial reporting in a SOX-like fashion, the spotlight is back on ICFR and how it can support the preparation and integrity of financial disclosures. Establishing a requirement for companies to maintain internal control over financial reporting in the U.K. would drive a new standard for disclosures, and potentially attract a new or different crop of international investors.

The importance of ICFR grew significantly with the Sarbanes-Oxley Act (SOX) of 2002. This U.S. legislation transformed public company financial reporting by mandating that management assess its internal control over financial reporting annually. SOX Section 404 requires a company's independent auditors to review and provide an opinion on management's report on ICFR. These external audit firms are, in turn, overseen and inspected by the Public Company Accounting Oversight Board (PCAOB).

Effective ICFR augments the reliability of annual reports, giving investors and capital markets an honest and accurate view of company performance over a fiscal year. It also delivers value beyond compliance — supporting strategic decision-making, operational efficiency, and stakeholder trust.

What does internal control over financial reporting (ICFR) mean?

ICFR is a process consisting of policies and control procedures designed to provide reasonable assurance that financial statements and their inputs are protected from tampering, that fraud risk is mitigated, and that financial reporting is accurate and reliable. ICFR is now often included as part of integrated audits in the U.S., which combine audits of financial statements with audits of internal control over financial reporting. A strong ICFR program reduces the likelihood of unreliable financial statement disclosures and improves audit quality.

ICFR is sometimes written as ICOFR in practitioner literature; both acronyms refer to the same concept.

What are the 7 pillars of ICFR?

To better understand internal control over financial reporting in concept and in practice, KPMG has identified seven "pillars" of ICFR that come together to form a strong ICFR program:

  1. Strategy
  2. Risk assessment
  3. Entity-level controls
  4. Control selection
  5. Testing strategy
  6. Evaluating results
  7. Governance

Source: KPMG’s Internal Controls Over Financial Reporting

Strategy

The basis of an ICFR program is a strategy — a plan for addressing risks to financial statements and data, and for reducing the likelihood of significant deficiencies, material weaknesses, or material misstatements in reporting. When developing an ICFR strategy, integrate ICFR activities with the business's broader goals and objectives. The strategy should be flexible enough to adjust as circumstances change, and incorporate input from multiple stakeholders across the organization. Mature ICFR programs see strategy driven by culture and values.

Risk assessment

Risks to financial reporting and fraud risk have a real, detrimental impact on companies when realized, and financial statement risks deserve the same rigor applied to other risk categories.

Risks to an organization's financial statements should follow the risk management cycle of identification, analysis and prioritization, treatment and mitigation, and monitoring and review. A top-down, risk-based approach — prescribed by KPMG's 2023 ICFR Handbook and PCAOB AS 2201 — prioritizes effort on the accounts and assertions most likely to result in material misstatement, rather than testing every control uniformly. Risk assessments need to be refreshed at least annually, driving companies to review their ICFR program as well. At higher levels of maturity, risk assessments help companies identify new and emerging threats.

Entity-level controls (ELCs)

Although entity-level controls may sometimes lack precision to address granular risks, they can be helpful in defining the control environment, conducting risk assessment processes, monitoring other controls, and tackling entity-level changes. While they may not have a direct effect on financial statement risks, effective ELCs foster an environment and culture that is risk-aware and that encourages accuracy and integrity in financial reporting. Over time, ELCs that integrate with the enterprise as a whole drive progress toward company objectives.

Control selection

In the context of an ICFR program, review key controls regularly and ask whether any are redundant, missing, or insufficient. Disruptive events — supply chain shocks, regulatory shifts, M&A activity — can quickly change the risk picture, and companies must be prepared to adjust their control strategy accordingly. The foundation enabling that adjustment is a sound understanding of the risk register and controls inventory.

As companies mature their capabilities, they align controls to objectives and foster a risk-aware team culture. The same principles apply to internal control over financial reporting — teams need to regularly assess the controls in place and determine whether they are sufficient to address identified risks.

The 5 main types of internal controls

Practitioners commonly classify controls into five categories that all play a role in ICFR:

  1. Preventive — stop errors before they occur (e.g., system-enforced approval limits).
  2. Detective — identify errors after the fact (e.g., bank reconciliations).
  3. Corrective — remediate identified issues (e.g., journal entry reversals).
  4. Directive — guide behavior through policy (e.g., revenue recognition policy).
  5. Compensating — substitute when a primary control isn't feasible (e.g., management review where full segregation of duties isn't possible in a small finance team).

A well-designed ICFR program uses a balanced mix weighted toward preventive and detective controls at the process level.

The role of IT general controls (ITGCs)

ITGCs are the foundational IT controls that ensure financial reporting systems operate reliably. They cover four domains: logical access (provisioning, privileged access, ERP segregation of duties), change management (program changes and configuration), computer operations (backups, job scheduling, incident management), and data security. Auditors test ITGCs first because their failure invalidates reliance on automated application controls and system-generated reports — a frequent root cause behind the PCAOB's 39% ICFR deficiency rate.
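The two control types the text leans on most, a preventive process-level control (system-enforced approval limits) and a detective ITGC in the logical-access domain (ERP segregation-of-duties review), can be made concrete in a few lines. The following is an added illustration written for this guide; it is not Optro's or KPMG's code, and the role names, conflict pairs, user list and approval tiers are constructed sample data, not any real ERP's configuration.

```python
from dataclasses import dataclass

# --- Constructed sample data (hypothetical ERP role names and users) ---

# "Toxic" role combinations: holding both roles lets one person both
# initiate and approve (or record and reconcile) a transaction.
CONFLICTING_ROLE_PAIRS = {
    frozenset({"VENDOR_MASTER_MAINTAIN", "AP_INVOICE_POST"}),
    frozenset({"JOURNAL_CREATE", "JOURNAL_APPROVE"}),
    frozenset({"PAYMENT_RUN_EXECUTE", "BANK_RECONCILE"}),
}

# Current role assignments as a provisioning review would export them.
ROLE_ASSIGNMENTS = {
    "alice": {"JOURNAL_CREATE"},
    "bob": {"JOURNAL_CREATE", "JOURNAL_APPROVE"},
    "carol": {"VENDOR_MASTER_MAINTAIN", "AP_INVOICE_POST", "AP_INVOICE_VIEW"},
    "dave": {"BANK_RECONCILE"},
    "erin": {"JOURNAL_APPROVE"},
}

# Approval authority by tier (constructed thresholds).
APPROVAL_LIMITS = {"staff": 5_000, "manager": 50_000, "controller": 500_000}
APPROVER_TIER = {"bob": "manager", "erin": "controller"}


def find_sod_conflicts(assignments, conflict_pairs):
    """Detective ITGC (logical access): report every user who holds both
    roles of a conflicting pair. Returns {user: [(role_a, role_b), ...]}
    with pairs sorted so the output is stable for evidence files."""
    conflicts = {}
    for user, roles in assignments.items():
        hits = sorted(tuple(sorted(pair)) for pair in conflict_pairs if pair <= roles)
        if hits:
            conflicts[user] = hits
    return conflicts


@dataclass
class JournalEntry:
    entry_id: str
    preparer: str
    approver: str
    amount: float


def journal_entry_check(entry, assignments=ROLE_ASSIGNMENTS,
                        tiers=APPROVER_TIER, limits=APPROVAL_LIMITS):
    """Preventive control: return the list of reasons an entry must be
    rejected before posting. An empty list means the entry passes."""
    reasons = []
    if entry.preparer == entry.approver:
        reasons.append("preparer and approver are the same user")
    if "JOURNAL_APPROVE" not in assignments.get(entry.approver, set()):
        reasons.append(f"approver {entry.approver} lacks JOURNAL_APPROVE")
    tier = tiers.get(entry.approver, "staff")  # unknown approvers get the lowest limit
    limit = limits.get(tier, 0)
    if entry.amount > limit:
        reasons.append(f"amount {entry.amount:,.2f} exceeds {tier} limit {limit:,}")
    return reasons


if __name__ == "__main__":
    # Detective review over the constructed role export.
    for user, pairs in find_sod_conflicts(ROLE_ASSIGNMENTS, CONFLICTING_ROLE_PAIRS).items():
        print(f"SoD conflict: {user} holds {pairs}")
    # Preventive gate on a constructed entry: within manager authority, passes.
    ok = JournalEntry("JE-001", "alice", "bob", 12_000.00)
    print("JE-001:", journal_entry_check(ok) or "approved")
    # Over the manager limit: rejected with a reason the control owner can act on.
    too_big = JournalEntry("JE-002", "alice", "bob", 60_000.00)
    print("JE-002:", journal_entry_check(too_big))
```

The SoD check is the kind of detective test an auditor reperforms against a provisioning export, so its output should be deterministic and retained as evidence; the journal-entry gate is the preventive counterpart that an application control enforces at posting time, which is why the text says auditors test logical-access ITGCs first: if role assignments are unreliable, the `JOURNAL_APPROVE` lookup inside the preventive control cannot be relied on either.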

Testing strategy

A good ICFR program must include a strong testing strategy — otherwise there is no way to assess the performance of the program and its controls. ICFR testing, whether conducted by internal audit or external auditors, should be risk-based and test both the design and operating effectiveness of controls. Testing must provide auditors with reasonable assurance that the control is working as it should, and could consist of inquiry, inspection of evidence, observation of the control being performed, and reperformance of existing tests.

Audit readiness reduces both cost and findings. Conduct walkthroughs and self-assessments before external auditors arrive, maintain a centralized evidence repository indexed to the control matrix, pre-test ITGCs (the most common source of late-cycle surprises), and coordinate on sample selection so internal audit testing can be relied upon by externals under PCAOB AS 2605. Auditor reports summarizing test results and recommendations should be made available to the audit committee and other stakeholders as appropriate. A mature testing function continuously evolves as the ICFR landscape changes.

Evaluating results

What companies do after receiving auditor's reports is just as important as what they do to prepare for the audit. Organizations that do not seek to optimize their ICFR programs and neglect to address the root cause of deficiencies may encounter further deficiencies down the line, exposing themselves to material misstatement risk or a material weakness that is costly and burdensome to remediate.

The SEC's Primoris enforcement reinforced the standard: severity must be evaluated based on the magnitude of potential misstatement and the volume of transactions exposed — not just actual errors detected. Companies that review audit reports and risk assessment results, then act on gaps and findings, will see deficiencies and remediation costs decrease over time.

Governance

A mature ICFR program incorporates strong tone at the top, allocates sufficient resources to the program, clearly delineates roles and responsibilities, and provides regular training for personnel involved with internal control over financial reporting. Reporting structures and designated accountability are in place for tasks and initiatives. Stakeholders are aligned and communicate transparently. ICFR program leadership in a mature state looks to optimize the program and innovate on controls, such as through automation and continuous control monitoring.

What to consider when performing an ICFR internal audit

Conducting an ICFR internal audit provides companies with increased assurance that the ICFR program is functioning as intended and that financial statements retain accuracy and integrity. Tests performed by internal audit at a sufficient level of rigor can be relied upon by independent auditors under PCAOB AS 2605, reducing the effort and cost involved with the external audit. Since public disclosures must comply with GAAP, internal audits of ICFR should adhere to GAAP as well.

Ultimately, it is the audit committee's responsibility to oversee the internal audit function, and to oversee and engage with external audit firms for integrated financial statement and ICFR audits. Audit committees are independent from management and hold management accountable for activities related to financial and risk management.

How to improve internal control over financial reporting

Improvement focuses on five levers practitioners can pull regardless of program maturity:

  1. Refresh risk-based scoping annually so controls follow current materiality thresholds and process changes.
  2. Remediate root causes of deficiencies, not symptoms — a frequent gap cited in PCAOB inspections.
  3. Strengthen ITGCs, since they underpin nearly all automated financial controls and are a leading source of deficiencies.
  4. Automate manual, high-volume controls through continuous control monitoring (CCM) and AI-assisted testing.
  5. Invest in control owner training to reduce execution errors — 58% of control owners surveyed reported audit inquiries had increased their SOX hours.

The IIA's 2025 North American Pulse of Internal Audit found that leading functions allocate roughly 17% of the audit plan to IT and cybersecurity work — a useful benchmark when sizing ITGC investment.

How AI and continuous control monitoring are changing ICFR

AI is reshaping ICFR in two directions: AI as a control (anomaly detection in journal entries, automated evidence collection, AI-assisted walkthroughs) and AI as a controlled risk (GenAI use in the financial close requires governance). COSO's February/April 2026 Generative AI publication provides a six-step roadmap — govern, inventory, assess, design, implement, monitor — mapped to the 17 COSO principles. It explicitly warns that "set-and-forget" assurance is inadequate for probabilistic models; continuous monitoring of model drift and output quality is required.

Practitioners running modern programs increasingly pair COSO 2013 with COBIT or ISO 27001 for IT-specific controls and the IIA's 2024 AI Auditing Framework for AI assurance, rather than replacing the core model.

How ICFR applies to SEC climate and cybersecurity disclosures

Both rules extend ICFR-grade rigor to data that historically sat outside the financial close. The SEC's March 6, 2024 climate disclosure rule requires larger registrants to obtain attestation over material Scope 1 and Scope 2 GHG emissions, meaning data capture, calculation, and reporting controls must meet auditor-attestable standards. The cybersecurity rule (Item 1.05) requires Form 8-K disclosure within four business days of a materiality determination, demanding tight integration between security operations, legal/disclosure committees, and financial reporting controls — typically formalized as a disclosure control under SOX 302.

ICFR considerations for pre-IPO and newly public companies

Pre-IPO companies should begin building SOX-grade ICFR 18-24 months before filing. SOX Section 404(a) management attestation applies in the first 10-K, and 404(b) external auditor attestation kicks in once the company exits emerging growth company (EGC) status or crosses large accelerated filer thresholds. Deloitte's IPO Roadmap notes that auditors must still obtain a sufficient understanding of internal controls in financial statement audits even when 404(b) doesn't yet apply — meaning weak controls surface as audit findings well before formal SOX attestation begins.

Five components of the COSO framework for internal controls

COSO — the Committee of Sponsoring Organizations of the Treadway Commission — was sponsored by five major U.S. professional associations: the American Accounting Association (AAA), American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), Institute of Management Accountants (IMA), and the Institute of Internal Auditors (IIA). In 1992, COSO published the first version of the Internal Control – Integrated Framework (ICIF) that would form the basis of many SOX internal control programs across U.S. public companies.

The framework was updated and reissued in 2013, with five components illustrated in the "COSO Cube":

  1. Control environment
  2. Risk assessment
  3. Control activities
  4. Information and communication
  5. Monitoring activities

These components form the basis of COSO's framework for internal control, and can be adopted by companies to support their internal control over financial reporting capabilities. COSO 2013 has not been superseded; supplemental guidance — including the 2026 GenAI publication — maps new risk domains onto the existing 17 principles.

Implementing COSO's ICIF yields benefits for management and boards, including:

  • "Requirements for an effective system of internal control" based on the company's unique posture.
  • Opportunities to reduce or remove controls that are redundant, inefficient, or ineffective.
  • Methods for completing risk assessments and responding to risks, especially fraud risk.

The COSO ICIF also offers external stakeholders:

  • Improved confidence in management and the board's handling of internal controls and risk.
  • Assurance that the organization is pursuing and achieving its objectives.
  • Deeper understanding of the company's internal control components.

Control environment

A company's control environment is its macro environment, defined by the standards, processes, norms, and structures that allow internal controls to be executed across the business. It incorporates tone at the top, organizational values, authority structures, and processes for recruiting and retaining talent. The control environment has a significant impact on the successful implementation and execution of internal control. In the COSO ICIF, the organization's control environment must demonstrate:

  1. Commitment to integrity and ethics.
  2. The board of directors is independent from management and helps oversee internal control.
  3. Structures, authority, and reporting lines are set up to pursue business objectives.
  4. Dedication to recruiting and retaining skilled personnel aligned to objectives.
  5. Individual accountability for internal control responsibilities.

Risk assessment

Conducting regular risk assessments forms another component of the COSO Internal Control – Integrated Framework. Risk assessments — including identification, analysis, treatment, and monitoring — help companies handle risks in a systematic, prioritized manner and demonstrate the alignment of control processes, the risks they address, and the company objectives that may be affected.

As part of the risk assessment component, the organization:

  1. Clearly defines objectives to facilitate the identification and analysis of risks.
  2. Identifies and analyzes risks.
  3. Considers the possibility of fraud risk.
  4. Detects and reports on changes that could impact internal control.

Control activities

Policies and procedures detail the control activities companies need to perform to mitigate risks to business objectives. Control activities are performed at every level and by nearly every person in the company, and each control has attributes, characteristics, and technologies associated with it. Establishing strong internal control over financial reporting requires selecting the right controls and ensuring they reduce risks to tolerable levels. In the COSO internal control framework, three items are defined under control activities that the organization must achieve:

  1. Selected control activities address risks and support the achievement of business objectives.
  2. General control activities are implemented over information technology to support internal control.
  3. Written policies and procedures outline the control activities that need to occur.

Information and communication

Clarity of communication can determine the success or failure of a project or initiative. Well-defined lines of communication and a regular flow of information enable organizations to respond to realized risks as close to real time as possible. COSO's ICIF categorizes three activities into this component:

  1. Internal control is supported by relevant, quality information.
  2. Internal communications specify objectives and responsibilities supporting internal control functions.
  3. External communications regarding matters of internal control occur as needed.

Monitoring activities

The fifth component of COSO's internal control framework concerns the ongoing monitoring and evaluation of a company's ICFR. By regularly evaluating ICFR performance, teams can identify gaps and opportunities for improvement, then act on them, reducing the likelihood of a control deficiency going undetected. In this component, the organization:

  1. Develops and conducts evaluations over internal control functions.
  2. Assesses and communicates internal control deficiencies in a timely manner to the appropriate personnel.

Get to assurance in your financial reporting with internal controls management software

ICFR for public companies is not optional. In the U.S., SOX requires companies to maintain internal controls over financial reporting, and regions like the U.K. are considering similar mandates. With the SEC focused on fraud risk and investors relying on accurate financial statements to make capital allocation decisions, protecting financial data and disclosures from tampering and error is critical. The cost of failure goes beyond fines and restatements to brand and reputational damage. The compliance burden has also expanded substantially over the last two decades, with HIPAA, GDPR, SOC 2, climate, and cyber requirements rising in priority alongside ICFR — and the 2025 KPMG SOX Survey puts the average SOX program cost at $2.3 million.

Technology solutions that reduce coordination overhead across control, risk, and compliance work offer built-in collaboration tools and workflows, remediation tracking, AI-assisted control testing, anomaly detection in journal entries, and stakeholder dashboards. Get started with Optro's controls management solution today.

Frequently asked questions

How do you implement internal control over financial reporting in a risk-based way?

Implementation follows a top-down, risk-based approach: define financial reporting objectives, identify material accounts and disclosures, assess risks of material misstatement at the assertion level, then design controls (entity-level, process-level, and ITGCs) proportionate to those risks. KPMG's 2023 ICFR Handbook and PCAOB AS 2201 both prescribe this methodology, which prioritizes effort on accounts and assertions most likely to result in material misstatement rather than testing every control uniformly.

What are the biggest ICFR challenges practitioners face in 2025-2026?

The top challenges are scope expansion into non-financial domains (SEC climate attestation and cyber 8-K reporting), rising compliance cost — the 2025 KPMG SOX Survey puts average SOX spend at $2.3 million — and control owner fatigue, with 58% of surveyed control owners reporting audit inquiries have increased their SOX hours. Practitioners also contend with anticipatory deficiency evaluation; the SEC's Primoris action made clear that companies must assess potential misstatement impact, not just errors actually detected.

How can organizations improve internal controls over financial reporting?

Improvement focuses on five levers: refresh risk-based scoping annually, remediate root causes of deficiencies rather than symptoms, strengthen ITGCs since they underpin automated financial controls, automate high-volume manual controls through continuous control monitoring, and invest in control owner training. The IIA's 2025 Pulse of Internal Audit shows leading functions allocate roughly 17% of the audit plan to IT and cybersecurity — a useful ITGC investment benchmark.

What role do IT general controls (ITGCs) play in ICFR?

ITGCs are the foundational IT controls that ensure financial reporting systems operate reliably. They cover logical access, change management, computer operations, and data security. Auditors test ITGCs first because their failure invalidates reliance on automated application controls and system-generated reports — a frequent root cause behind the PCAOB's 39% ICFR deficiency rate reported in 2024.

How are AI and continuous control monitoring changing ICFR?

AI is reshaping ICFR as both a control (anomaly detection, automated evidence collection, AI-assisted walkthroughs) and a controlled risk (GenAI in the financial close). COSO's 2026 Generative AI publication provides a six-step roadmap — govern, inventory, assess, design, implement, monitor — mapped to the 17 COSO principles. It warns that "set-and-forget" assurance is inadequate for probabilistic models; continuous monitoring of drift and output quality is required.

What's the difference between a control deficiency, significant deficiency, and material weakness?

A control deficiency exists when a control's design or operation doesn't prevent or detect misstatements on a timely basis. A significant deficiency is less severe than a material weakness but important enough to merit attention from those charged with governance. A material weakness is a deficiency where there is a reasonable possibility that a material misstatement will not be prevented or detected. The SEC's Primoris enforcement clarified that severity is evaluated based on the magnitude of potential misstatement and transaction volume exposed — not just actual errors found.

What are the 5 main types of internal controls, and how do they apply to ICFR?

Controls are typically categorized into five types: preventive (stop errors before they occur), detective (identify errors after the fact), corrective (remediate identified issues), directive (guide behavior through policy), and compensating (substitute when a primary control isn't feasible). A well-designed ICFR program uses a balanced mix weighted toward preventive and detective controls at the process level, mapped back to specific financial statement assertions.

About the authors

Cannon Nikzad, CPA, is an Account Executive at Optro. Prior to joining Optro, Cannon spent 10 years at EY, serving in their Los Angeles and London offices where he led audit teams conducting integrated audits of U.S. public companies. Connect with Cannon on LinkedIn.
