55%
use an acknowledged framework
59%
perform scoping once a year
71%
have designed internal controls to prevent and detect fraudulent behaviour
36%
apply digital tools to support the ICFR process
The survey aims to provide valuable insight into what characterises the most efficient and effective ICFR frameworks and how far Norwegian companies have travelled on their digitalisation journeys with respect to ICFR.
When we conducted the ICFR benchmark in 2016, we noted a significant potential for improvement of overall ICFR maturity. Were we expecting to see improvements in 2019? The short answer is yes, we expected to see a general increase in ICFR maturity due to i.e. key trends within digitalisation and fraud risk management evolving over recent years. However, the results from the survey provide little evidence supporting a general increase in overall ICFR maturity since 2016.
The 2019 survey also aims to gain insights into how the respondents use digital tools to further advance their ICFR frameworks and how ICFR is utilised to manage fraud risk.
In short, the results from the survey provide little evidence supporting a general increase in overall ICFR maturity since 2016. The overall maturity is largely unchanged, and monitoring continues to be the area with the highest improvement potential.
There has been a slight negative development in the overall risk maturity score since 2016. However, a large majority of the companies have a defined approach for identifying and assessing inherent risks of significant financial statement misstatements.
The use of scoping to build a focused and cost efficient ICFR framework continues to be an area of improvement for most respondents.
According to our survey, companies performing scoping scope out low risk processes and low risk entities, leading to more efficient and focused internal control. However, it is more common to scope out processes than entities.
Control design maturity has improved slightly, indicating that companies are increasingly focusing on formalising their controls. However, the survey shows that little has changed with regards to monitoring. Most respondents have some form of monitoring in place for entity level (policies), process level, analytical and IT general controls (ITGC). Interestingly, we see that only approximately half of the respondents conduct monitoring of their automated controls.
The most cost effective and productive companies are moving towards fully automated financial reporting processes and controls and digital tools for analysing data and managing the ICFR framework. The survey indicates that using digital tools for a more efficient and effective ICFR framework is still not a widespread practice.