PwC's ICFR benchmarking survey 2016

PwC's report on the Internal Control over Financial Reporting (ICFR) benchmarking survey for 2016 is designed to provide ICFR leaders (e.g. internal control officers, CFOs, Corporate Accountants and such) with the benchmarking data they need in order to understand common practices today, and plan for more effective and more efficient ICFR operations in the future.

Although ICFR should be adapted to the nature and needs of the business, there are a number of best practice elements any company that seeks to implement an effective and efficient internal control should adopt. This report aims to provide answers to some of the many questions posed to us by our clients regarding what peers are doing and also highlight key gaps between common practice in Norway and our views on best practice and global trends. Below are some sample findings from the report.

Overall ICFR maturity is low

More than a quarter of the respondents have assessed their internal control maturity to be below the acceptable standard for Norwegian listed companies. 40% of these companies are listed on the Oslo Stock Exchange. Less than half of the respondents state that their internal controls are in place, formalised and monitored, indicating that there are a number of companies that would benefit from improving their approach to ensure that financial reporting risks are adequately and efficiently mitigated by well-functioning controls. Furthermore, the more survey’s detailed questions looking into actual internal control practices among the respondents show that a number of companies are in reality less mature than they may believe.

Scoping is an underutilised tool

Although most of the respondents assess risks, few link these risks to the financial statement and what could actually go wrong. Less than half systematically define the scope of their ICFR activities based on their risk assessments, indicating that many companies may benefit from a more structured planning and scoping process, in order to increase efficiency and effectiveness and prioritise ICFR activities that provide the most benefit.

Control design is insufficient

Only half of the respondents state that they have built a complete design of controls that in total addresses all critical risks to the financial statement. A defined and formally documented design of controls that addresses all critical risks and is regularly maintained is a prerequisite for effective internal control.

Monitoring practices provide low levels of assurance

The most common way to monitor ICFR among the respondents is through periodic self-assessments. Monitoring activities should be adapted to the nature and operating model of the business and the level of risks and internal control maturity. In our experience, the most effective monitoring systems build on a combination of specifically designed monitoring activities, where automated or manual gathering and evaluation of evidence provides the strongest assurance, and self assessments unaccompanied by.