Internal Control Over Financial Reporting (ICFR)

SOX was enacted in 2002, and its ICFR provisions went into effect in 2003. Since then, numerous other countries have adopted similar laws, such as:

  • Canada: Bill 198, commonly known as C-SOX
  • China: The Basic Standard for Internal Control, or ‘China SOX’
  • Japan: The Financial Instruments and Exchange Act, or J-SOX

The European Union addresses corporate financial reporting through several directives, which each member state must then “translate” into national law. The EU 8th Company Directive addresses the duties of the audit committee and internal audit functions, including the effectiveness of internal controls.

Some countries don’t have a specific law that requires attention to ICFR, but have other regulations or codes that imply management’s responsibility for ICFR. For example, Britain does not have a “UK SOX” law, but the U.K. Corporate Governance Code holds corporate boards responsible for internal control generally, including ICFR.

The Sarbanes-Oxley Act (SOX) requires publicly traded companies to maintain adequate controls over financial reporting (Section 404 of the law) so that management can certify that the company’s financial statements are a fair and accurate representation of financial performance (Section 302 of the law).

All filers are subject to Section 404(a), which says management must assess and report on the company’s internal control over financial reporting (ICFR). Large filers are also subject to Section 404(b), which requires an audit of ICFR by a certified public accounting firm. Smaller filers are exempt from Section 404(b).

A company does not need effective ICFR to meet filing standards for the Securities and Exchange Commission: it can report that it has ineffective ICFR, usually by disclosing one or more weaknesses in its internal controls. It does, however, need to make accurate disclosures about internal controls over financial reporting.

For example, if management attests to effective ICFR under Section 404(a), but auditors find weaknesses as they perform their duties under Section 404(b), then the certifications senior executives make about financial statement accuracy under Section 302 of SOX are no longer reliable.

Ineffective ICFR is often the precursor to a financial restatement. In the worst cases, CEOs and CFOs could be personally liable for making false statements under Section 302.

The Role of Cybersecurity in ICFR

Cybersecurity is crucial to ICFR and SOX compliance, but too often, the threat is misunderstood.

For example, user access controls to financial systems are one potential weakness; so are poor password reset policies. Internal control frameworks already exist to help companies implement strong controls over those areas, and audit firms review and test those controls regularly.

Those examples, however, only address cybersecurity at the application level. Companies subject to SOX compliance must also consider cybersecurity risks at the infrastructure and data levels.

That is, an unauthenticated attack targeting a misconfiguration or vulnerability in your ERP system could let hackers manipulate underlying financial data without touching the financial applications or leaving an audit trail. Even with strong internal controls and regular audits at the application layer, those weaknesses at the data and infrastructure layers can still leave financial data exposed to manipulation.

So declarations about ICFR would not be correct, and the company would not be in SOX compliance as executives (and auditors) might mistakenly believe.

Steps to Take

  • Understand the nature of this security threat and assign responsibility for it. CISOs may not understand the nuances of SOX compliance, while internal audit teams may not grasp how weak ERP security creates risks that evade internal control. Don’t let the issue go ignored.
  • Develop a security strategy for mission-critical applications that encompasses ICFR concerns. That strategy should address system configuration, log management, custom application development, patches, continuous monitoring and more. Otherwise your ICFR will remain vulnerable.
  • Find the right tools to do the job. Security, finance and audit teams need to identify weaknesses that jeopardize ICFR, and then seal those gaps. With the complexity of the ERP systems that support mission-critical applications, that’s no easy task. Using the right technology is crucial to success.
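As an added illustration of the data-layer gap described above (a direct write to financial tables never appears in the application’s own audit trail) and of the log management and continuous monitoring items in the steps list, here is one detective control: reconciling a database-level change feed against the application audit log and flagging any change the application cannot account for. This is example code written for this page, not Onapsis software and not any ERP vendor’s API; the table names, users and records are constructed, and it assumes the database already emits a change feed (triggers or change-data-capture) that can be exported.

```python
"""Reconcile database-level change records against the application audit trail.

Assumptions (example, not from the brief): the database exposes a change feed
(trigger or change-data-capture output) listing every write to financial
tables, and the ERP application keeps its own audit log of the changes it
made on behalf of a user. A write present in the feed but absent from the
application audit log is an out-of-band change worth investigating.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass(frozen=True)
class DbChange:
    """One row/column write as recorded at the database layer."""
    table: str
    row_id: str
    column: str
    old_value: str
    new_value: str
    db_user: str
    ts: datetime


@dataclass(frozen=True)
class AppAuditEntry:
    """One change as recorded by the ERP application's own audit trail."""
    table: str
    row_id: str
    column: str
    new_value: str
    app_user: str
    ts: datetime


# Constructed sample data: what actually hit the database.
DB_CHANGES: List[DbChange] = [
    # legitimate change made through the application (service account erp_app)
    DbChange("gl_balance", "4000-01", "amount", "125000.00", "118500.00",
             "erp_app", datetime(2024, 3, 1, 9, 15, 3)),
    # no-op write: value unchanged, nothing to reconcile
    DbChange("gl_balance", "4000-02", "amount", "42000.00", "42000.00",
             "erp_app", datetime(2024, 3, 1, 9, 16, 0)),
    # direct write by a maintenance account, outside business hours
    DbChange("ap_invoice", "INV-7781", "vendor_bank", "DE89-TEST-OLD",
             "GB29-TEST-NEW", "svc_maint", datetime(2024, 3, 1, 23, 41, 10)),
    # direct write to a ledger balance by a DBA account
    DbChange("gl_balance", "4000-05", "amount", "98000.00", "73000.00",
             "dba_ops", datetime(2024, 3, 2, 2, 5, 44)),
]

# Constructed sample data: what the application says it did.
APP_AUDIT: List[AppAuditEntry] = [
    AppAuditEntry("gl_balance", "4000-01", "amount", "118500.00",
                  "jsmith", datetime(2024, 3, 1, 9, 15, 2)),
]


def find_out_of_band_changes(db_changes: List[DbChange],
                             app_audit: List[AppAuditEntry],
                             window: timedelta = timedelta(seconds=5)) -> List[DbChange]:
    """Return database changes that no application audit entry explains.

    A change is explained when an audit entry for the same table, row and
    column records the same new value within `window` of the database write
    (the application logs before the commit lands, so a small skew is normal).
    """
    unexplained: List[DbChange] = []
    for change in db_changes:
        if change.old_value == change.new_value:
            continue  # idempotent write; no state changed
        explained = any(
            entry.table == change.table
            and entry.row_id == change.row_id
            and entry.column == change.column
            and entry.new_value == change.new_value
            and abs(entry.ts - change.ts) <= window
            for entry in app_audit
        )
        if not explained:
            unexplained.append(change)
    return unexplained


def describe(change: DbChange) -> str:
    """Human-readable finding line for an unexplained change."""
    return (f"{change.table}/{change.row_id}.{change.column}: "
            f"{change.old_value!r} -> {change.new_value!r} "
            f"by db user {change.db_user} at {change.ts.isoformat()} "
            f"with no matching application audit entry")


if __name__ == "__main__":
    for finding in find_out_of_band_changes(DB_CHANGES, APP_AUDIT):
        print(describe(finding))
```

The check is deliberately one-directional: it asks whether every write the database saw is vouched for by the application, which is exactly the question the application-layer controls cannot answer on their own. Tuning the time window and mapping the application’s user to the database service account are the two site-specific parts.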

Learn how Onapsis can help identify security and compliance risks and streamline your audit processes. https://onapsis.com/request-a-demo/
