Skip to main content

Documenting Internal Control over Financial Reporting

Risk Management
Internal Controls
Internal Audit
5 min read
Matt Kelly
Editor and CEO
Published: June 22, 2021
Last Updated: August 10, 2023

Strong internal control over financial reporting (ICFR) has been a priority for corporate governance and regulatory compliance ever since the Sarbanes-Oxley Act first underlined the importance of ICFR nearly 20 years ago. 

More recently, compliance officers have seen several other trends draw even more lines under the importance of ICFR. From more expansive enforcement of internal controls by the Securities and Exchange Commission (SEC), disclosure of critical audit matters (CAMs), to lingering audit and compliance challenges from the pandemic, strong, effective ICFR has never been more important to get right.

What should compliance officers understand about those pressures? And how should compliance officers respond to them? Let’s consider those issues. 

One thing we’ve seen from the SEC isn’t just continued enforcement of ICFR issues related to accounting fraud or corporate bribery. It’s also an expansion of the offenses that draw the SEC’s ire, where weak ICFR plays a starring role. 

For example, last fall the SEC settled charges (including a $20 million penalty) with an oil services company over insider stock sales that happened while the company was in merger talks. SEC officials later said that the plans companies draw up to let insiders sell company stock at fixed intervals—so-called 10(b)5-1 plans, named after the relevant SEC rules—should have internal controls that prevent an insider’s stock sales once the company comes into possession of non-public information, “even if an individual officer or director did not personally have knowledge of the information.

The SEC also recently charged a company that manages a portfolio of fashion brands with failing to disclose a $304 million goodwill impairment in a timely manner. In that case (which the company has contested), the SEC cited weak internal controls over the process management used to determine whether a goodwill impairment was necessary. 

Meanwhile, SEC enforcement of the Foreign Corrupt Practices Act (FCPA), which prohibits companies from bribing foreign government officials to win business, continues at its usual brisk pace. Weak ICFR turns up in those cases in all sorts of ways: insufficient documentation, false spreadsheets, loose accounting policies, inability to resolve known issues, and so forth. 

We also have critical audit matters. CAMs aren’t necessarily a problem unto themselves—although they can be, and fewer CAMs is better than more CAMs. But remember that CAMs are issues both material to the financial statement and that involve “especially challenging, subjective, or complex auditor judgments.” The stronger your internal controls are, the less auditors will need to rely on challenging, subjective, or complex judgments. 

Finally, consider the pandemic and its lingering effects on business processes. Changes to business operations that we introduced in 2020 to cope with the pandemic—especially expanding into new lines of business, and allowing employees to work remotely—strained ICFR in all sorts of ways. Those strains will not recede any time soon, so compliance executives must assure that they’ve “pandemic-proofed” their ICFR as much as possible. 

As we look at those forces pummeling ICFR from all directions, the message that they underline is actually quite simple. 

Internal controls should be interlocking activities that, working together, form a process that generates a result

Internal Controls and Strong Processes: The Dynamic Duo

So often we say a process “needs more internal controls” like we’re adding more lentils to a stew. That’s not really accurate. The controls themselves work together to establish  a process. When we say something needs “more internal control,” we’re really saying it needs to be a better process. 

From that idea, several more points quickly fall into place:

1. A process should have structure, so it can be repeatable. If your process is simply to use subjective judgment to make a decision—well, that’s not repeatable. It can’t necessarily provide the assurance that your board, audit firm, or regulators will want to see. Subjective judgment happens to be precisely what CAMs are all about, and it's a critical issue in the SEC enforcement case over goodwill impairment we mentioned above. Subjective judgment also crept into business processes last year when COVID-19 forced so much change.

2. The more objective evidence your process can collect or produce, the better. That’s true whether we’re talking about the FCPA and “discounts” offered to customers without evidence that they’re necessary; goodwill impairment judgments made without rigorous testing; or so many other accounting fraud issues. 

3. That objective evidence is so important because the evidence generates transparency into the transaction, which provides assurance. That’s what your organization wants. When you collect the proper amount of objective evidence, you have assurance that the transactions were authorized by management, carried out accordingly, and recorded properly. 

If that last sentence sounds familiar, that’s because those words are the definition of effective internal control included in the Foreign Corrupt Practices Act. They’re the cornerstone of accounting fraud enforcement in the United States. They’re the legal standard that your internal controls need to climb over. 

The importance of internal control will only increase in years to come, and the sheer challenge of building effective ICFR might seem overwhelming. 

That doesn’t need to be so. Begin by understanding the nature of internal controls and how they bond together to form stronger businesses processes. That will clarify how those processes should work to generate the objective evidence you need, which provides the assurance you and your board want. 

Will you still need technology to govern those processes and scale them up for the operations of a modern business? You bet. We can talk about that in another post. But once you understand what your internal controls must achieve, suddenly enduring all that pummeling from all directions gets easier.

This blog post was originally featured on the SOX & Internal Controls Professionals Group website.

About the Author
Matt Kelly Headshot
Matt Kelly

Editor and CEO

Matt Kelly is an independent compliance consultant who studies corporate compliance, governance, and risk management issues. He maintains a blog,, where he shares his thoughts on business issues and speaks on compliance, governance, and risk topics frequently. Kelly was named as "Rising Star of Corporate Governance" by the Millstein Center for Corporate Governance in the inaugural class of 2008 and named to Ethisphere’s "Most Influential in Business Ethics" list in 2011 (no. 91) and 2013 (no. 77). Kelly previously was editor of Compliance Week, a newsletter on corporate compliance, from 2006 through 2015. He lives in Boston, Mass., and can be reached at or on Twitter at @compliancememe.

Online registration is currently unavailable.

Please email events@workiva to register for this event.

Our forms are currently down.

Please contact us at

Our forms are currently down.

Please contact us at