What is the status of internal control among Norway’s largest companies, and which common practices can be found?
Aase Lindahl, Partner and the Business Controls team in RISK Advisory Services, PwC Norway.
assess their internal control to be less mature than required for Norwegian listed companies.
have a systematic risk-based approach for defining the scope of ICFR.
lack a complete control design that addresses all critical risks.
use self assessments as their monitoring tool.
PwC's report on the Internal Control over Financial Reporting (ICFR) benchmarking survey for 2016 is designed to provide ICFR leaders (e.g. internal control officers, CFOs, Corporate Accountants and such) with the benchmarking data they need in order to understand common practices today, and plan for more effective and more efficient ICFR operations in the future.
Although ICFR should be adapted to the nature and needs of the business, there are a number of best practice elements any company that seeks to implement an effective and efficient internal control should adopt. This report aims to provide answers to some of the many questions posed to us by our clients regarding what peers are doing and also highlight key gaps between common practice in Norway and our views on best practice and global trends. Below are some sample findings from the report.
More than a quarter of the respondents have assessed their internal control maturity to be below the acceptable standard for Norwegian listed companies. 40% of these companies are listed on the Oslo Stock Exchange. Less than half of the respondents state that their internal controls are in place, formalised and monitored, indicating that there are a number of companies that would benefit from improving their approach to ensure that financial reporting risks are adequately and efficiently mitigated by well-functioning controls. Furthermore, the more survey’s detailed questions looking into actual internal control practices among the respondents show that a number of companies are in reality less mature than they may believe.
Although most of the respondents assess risks, few link these risks to the financial statement and what could actually go wrong. Less than half systematically define the scope of their ICFR activities based on their risk assessments, indicating that many companies may benefit from a more structured planning and scoping process, in order to increase efficiency and effectiveness and prioritise ICFR activities that provide the most benefit.
Only half of the respondents state that they have built a complete design of controls that in total addresses all critical risks to the financial statement. A defined and formally documented design of controls that addresses all critical risks and is regularly maintained is a prerequisite for effective internal control.
The most common way to monitor ICFR among the respondents is through periodic self-assessments. Monitoring activities should be adapted to the nature and operating model of the business and the level of risks and internal control maturity. In our experience, the most effective monitoring systems build on a combination of specifically designed monitoring activities, where automated or manual gathering and evaluation of evidence provides the strongest assurance, and self assessments unaccompanied by.