Stransact Blog

Blog

  • IFRS S1 & S2 in Nigeria: Ready for Mandatory Adoption or Still Operating at a Compliance Level?

    IFRS S1 & S2 in Nigeria: Ready for Mandatory Adoption or Still Operating at a Compliance Level?

    Nigeria did not fail IFRS adoption. But the quality of IFRS reporting has not advanced at the same pace as compliance. IFRS adoption is largely complete, but IFRS maturity may now be the defining risk. The consequences of that gap are now becoming visible. What we have achieved in practice is compliance, while IFRS fundamentally requires judgment. 

    The Promise vs Reality 

    When IFRS was adopted, the expectation was clear: Better reporting should lead to better decisions. 

    More than a decade later, a more fundamental question must now be asked: Have we improved how we report or primarily what we report? The answer to that question matters because it directly shapes our readiness for IFRS S1 and S2. 

    A Simple but Revealing Test 

    Recently, I reviewed the financial statements of 138 out of 146 listed entities on the Nigerian Exchange (NGX) across the Main and Growth Boards. 

    The focus was deliberately narrow:
    Material accounting policies. 

    A consistent and observable pattern emerged: 

    • Extensive use of standardised language across entities 
    • Limited evidence of entity-specific articulation of accounting judgments 
    • In some instances, wording that appeared largely unchanged from pre-IFRS reporting frameworks 

    These are public interest entities, operating under full IFRS for over a decade. 

    Yet: Entity-specific, judgment-driven disclosure yet the core principle of IFRS is still uneven in practice. 

    This level of uniformity is fundamentally inconsistent with a principles-based, entity-specific reporting framework. It suggests that, in many cases, disclosure is being standardised where judgment should be differentiated. 

    This matters beyond compliance and it directly affects how investors interpret the underlying economics of these entities. 

    What This Signals 

    This is not primarily a compliance issue. It reflects a structural reality: IFRS adoption is largely complete. But IFRS maturity may now be uneven and in some areas underdeveloped. 

    This same maturity gap may now represent the central risk for IFRS S1 and S2 

    A Broader Context 

    This pattern is not unique, and similar concerns have been observed globally: 

    • Financial statements often contain significant volumes of information without proportional insight 
    • Disclosure requirements are frequently applied using a checklist mindset rather than a judgment-based approach 
    • Boilerplate disclosures can reduce the clarity and usefulness of financial reporting 

    Now Consider IFRS S1 and S2 

    Nigeria is transitioning toward mandatory sustainability disclosure standards. 

    IFRS S1 and S2 represent a step change in expectations: 

    • Forward-looking information 
    • Integration with strategy 
    • Explicit articulation of risks and opportunities 
    • Linkage to financial performance 

    This is not a routine extension of financial reporting; it is a step change in expectation. It shifts reporting from explaining the past to demonstrating future resilience. In doing so, it brings financial reporting closer to business strategy than ever before. 

    The Key Question 

    Against current reporting practices, the critical question becomes: How prepared are we for disclosures that depend even more heavily on judgment than IFRS financial statements?  

    A Likely Early Outcome 

    If reporting practices do not evolve sufficiently, the early phase will likely exhibit familiar characteristics: 

    • High-level policy statements 
    • General sustainability commitments 
    • Limited quantification or financial linkage 

    In practical terms: 

    There is a strong likelihood that at least in the early stages of transitioning from financial reporting boilerplate to sustainability reporting boilerplate. 

    Why This Risk Exists 

    This is not about intent; it reflects how systems and incentives operate. 

    1. Compliance-Oriented Reporting

    Reporting is often assessed based on: 

    • Completeness 
    • Alignment with standards 

    Less emphasis is placed on: 

    • Decision-usefulness 

    This encourages reporting that meets requirements but not necessarily insight. 

    1. Sensitivity Around Judgment

    IFRS S1 and S2 require: 

    • Assumptions 
    • Estimates 
    • Forward-looking analysis 

    In high-scrutiny environments, entities tend to favor: Conservative and generalised disclosures 

    1. Assurance Focus

    Historically, assurance prioritises whether disclosures are present more than whether disclosures are decision-useful, entity-specific, and reflective of underlying economic realities 

    An Important Shift 

    Market evidence increasingly suggests a changing dynamic: 

    • Investors are placing greater emphasis on understanding sustainability-related risks and opportunities 
    • At the same time, concerns are growing regarding the credibility and consistency of sustainability disclosures 

    The result is a widening credibility gap in sustainability reporting. Reliance without trust is a fragile foundation for capital allocation. This creates a structural tension: Greater reliance on sustainability reporting combined with increased scrutiny of its quality. 

    Nigeria: Progress and Tension 

    Nigeria is making measurable progress: 

    • Advancing IFRS S1 and S2 implementation frameworks 
    • Building institutional capacity 
    • Aligning with global reporting developments 

     

    However, adoption momentum currently exceeds reporting maturity. This raises a critical question: whether implementation timelines are moving faster than organisational readiness. 

    This creates a fundamental tension: Accelerated adoption alongside evolving disclosure capability 

    So, Are We Ready? 

    Short answer: Not fully, not yet. 

    A complete answer: Readiness will ultimately be defined by how quickly reporting practices evolve beyond compliance toward informed judgment. 

    What Will Define Success 

    This is where leadership and not standards will make the difference. The difference will lie in how organisations respond both strategically and operationally. The differentiator will not be adoption. 

    It will be credibility. Organizations that succeed will demonstrate: 

    1. Clear Linkage to Financial Impact

    Not just: statements of intent, but: explicit articulation of how sustainability risks affect financial performance 

    1. Stronger Governance of Narrative Reporting

    Boards and Audit Committees will need to: 

    • Engage deeply with disclosures 
    • Challenge assumptions 
    • Demand clarity and relevance 
    1. Integration of Reporting

    Sustainability disclosures must: 

    • Connect to financial reporting 
    • Be measurable and auditable 
    • Support decision-making 
    1. Evolution in Assurance

    Assurance frameworks must evolve from: completeness checks, to assessment of relevance, coherence, and consistency.

    Final Thought 

    IFRS delivered important structural improvement. However, disclosure quality has not always advanced at the same pace. IFRS S1 and S2 provide a significant opportunity: Not just to report more but to report more meaningfully. 

    The core risk is no longer non-compliance. It is replicating compliance-driven reporting without sufficient insight. And ultimately: Markets do not reward disclosure alone rather they reward clarity, consistency, and credible, decision-useful, and actionable insights. 

  • 5 Must-Reads for Forward-Thinking Leaders

    5 Must-Reads for Forward-Thinking Leaders

    At Stransact Chartered Accountants, we remain aligned to the ever-evolving landscape of business, regulation, and industry developments. Our weekly insights are designed to equip you with the foresight and clarity to make informed decisions and lead with impact.

    As cyber threats continue to evolve, Nigerian firms must prioritize data security at the leadership level. This guide highlights the importance of protecting sensitive data, mitigating risks, and implementing effective security practices to safeguard operations and client confidence.
    Read the article

    Organisational discomfort can be a valuable indicator that governance frameworks are no longer aligned with current realities. This article examines how leaders can identify warning signs early, reassess governance structures, and implement stronger systems that support sustainable growth and strategic clarity.
    Read the article

    As regulatory scrutiny increases, subsidiaries in Nigeria must pay closer attention to Section 57 compliance and its broader governance implications. Explore the major risks businesses face when compliance structures are weak and how proactive governance practices can help organisations mitigate exposure and maintain stakeholder confidence.
    Read the article

    Payroll errors can expose organisations to unnecessary tax audits, penalties, and reputational risks. This article explores the critical mistakes HR and Finance teams often overlook and provides practical insights for strengthening payroll accuracy and tax compliance.
    Read the article

    True board independence is not about detachment; it is about maintaining objective oversight while remaining fully engaged in governance responsibilities. Discover the governance blind spots that emerge when independence becomes a hideout rather than a tool for effective stewardship.
    Read the article

    Follow Stransact for weekly insights on the future of business, finance, and regulation in Nigeria.

  • The Active Neutrality Construct: What Independence Really Demands

    The Active Neutrality Construct: What Independence Really Demands

    In modern governance, independence is often misunderstood as standing back—a polite distance maintained to avoid “interfering” with management. In reality, true governance excellence demands something much harder: Active Neutrality. 

    Active Neutrality reframes independence from detachment to disciplined engagement without ownership, influence without control, courage without bias.

    Risk Intelligence Is a Governance Asset

    Internal Audit does not and should not make commercial or financial decisions; that responsibility rests with management. 

    Active Neutrality recognises, however, that Internal Audit is uniquely positioned to assess whether the organisation’s current risk posture remains aligned with actual exposure, especially as conditions evolve. 

    When Internal Audit uses data to challenge whether current caution (or lack thereof) remains proportionate, it is not directing outcomes; it is enhancing decision context. 

    The distinction between ownership of decisions and transparency of risk is the foundation of Active Neutrality.

    Timing: The Difference Between a Diagnosis and an Autopsy

    Risk insight delivered after a scheduled audit may confirm history.
    Risk insight delivered at the point of decision shapes the future. 

    In highvelocity environments, waiting for predetermined audit cycles means: 

    • behavioral patterns harden, 
    • valuepreserving adjustments are missed, and 
    • remediation becomes a reactive cost rather than a preventive strategy. 

    A perfect autopsy report doesn’t save the patient it only explains the funeral. 

    Active Neutrality requires Internal Audit to engage at the speed of execution, providing timely, data‑driven challenge without assuming managerial authority.

    Independence Through Clarity, Not Distance

    There is a persistent Independence Trap where Internal Audit hesitates to provide realtime insight to “protect” objectivity. This is a misunderstanding of the role. 

    Independence is not a mandate for silence.
    It is a shield that allows the auditor to speak truth to power while the risk is still manageable. 

    Independence is strengthened not weakened when Internal Audit: 

    • grounds challenge in objective data, 
    • avoids ownership of outcomes, and 
    • escalates concerns without waiting for the “proper” quarterly window. 

    The Three Principles of Active Neutrality 

    These ideas crystallise into three practical principles: 

    • Zero Ownership of Decisions: Identifying that an initiative is drifting offtrack is not “managing” it. It is reporting on the health of the asset. 
    • Zero Dilution of Facts: Independence means reporting facts as they are, not as they become comfortable. Filtering insight to preserve relationships weakens governance. 
    • Zero Waiting for the “Window”: If a material risk is crystallising today, waiting for next quarter’s report is a governance failure and not prudence. 

    The Bottom Line for the Board 

    The Board’s oversight is strong when Internal Audit is neutral in judgment, but courageous in timing. 

    An Internal Audit function practising Active Neutrality protects both downside risk and missed opportunity without compromising objectivity. 

    If Internal Audit is staying quiet to “stay independent,” it is not protecting the process; it is hiding from it. 

    A Final Reflection 

    After decades of leading audit teams and managing complex audits, one truth remains: the most valuable independence is not found in the organisational chart. 

    It is found in the willingness to be the first person in the room to say, “This doesn’t look right” long before the formal report is due. 

    Is your Internal Audit team empowered to be that voice? 

    Written by Akeem Taofik – FCA

  • Audit Velocity vs. Business Velocity: The Growing Assurance Gap

    Audit Velocity vs. Business Velocity: The Growing Assurance Gap 

    Most Boards intuitively understand speed.  If the business is moving at 100 mph and Internal Audit is constrained by static annual planning cycles is moving at 20 mph, the Assurance Gap widens every day. 

    This is not a capability issue; it is a velocity mismatch. 

    The Execution Blind Spot 

    Risks that emerge during execution, market shifts, operational shortcuts, or behavioral drift rarely wait for the next formal audit cycle. Yet, these are exactly the risks most likely to bypass assurance entirely. 

    When Internal Audit is tethered to a “point-in-time” plan, they are essentially looking at a map of where the business was, while the business is already driving through new, unmapped territory. 

    The Governance Reality Check 

    In a high-velocity environment: 

    • Accuracy without timeliness does not protect value; it merely explains losses after the fact. 
    • Retrospective assurance provides a perfect autopsy, but the Board needs a diagnosis while the patient is still on the table. 

    The real governance question for modern Boards is no longer: “Was the audit done well?” It is: “Did the insight arrive in time to matter?” 

    The Bottom Line 

    Modern assurance is not about auditing more. It is about auditing at the speed of the business. Governance excellence requires a shift from “periodic validation” to “continuous intelligence.” If your audit function isn’t moving at the speed of your strategy, you aren’t just independent, you’re out of the loop. 

    A Final Reflection

    As a professional who has led audit teams and managed complex statutory audits for decades, I’ve observed a consistent truth: the most valuable “independence” isn’t found in the organizational chart. It is found in the auditor’s willingness to be the first person in the room to say, “This doesn’t look right” long before the formal report is due. 

    Is your Internal Audit team empowered to be that voice? 

    Written by Akeem Taofik – FCA

  • Independence as a Shield, not a Hideout: A Governance Blind Spot for Boards

    Independence as a Shield, not a Hideout: A Governance Blind Spot for Boards

    In many Boardrooms, independence is rightly treated as the ultimate safeguard of Internal Audit.  Yet increasingly, independence is interpreted even within Internal Audit itself as a reason for detachment. 

    When independence becomes a wall that delays engagement with emerging risks until a formal audit cycle begins, it does not strengthen governance. It creates a visibility lag one that Boards should care deeply about. 

    Understanding the Visibility Lag 

    The IIA Global Internal Audit Standards (2024) encourage agile and continuous auditing and explicitly align Internal Audit with enterprise objectives and risk. However, in practice, many Internal Audit functions still operate on rigid annual or semiannual “bigbang” audit plans. 

    What this means is that audit plans often reflect the risks management identified and embedded within enterprise objectives at the point of strategy setting. As execution unfolds, management pivots in real time but Internal Audit remains tethered to a pointintime risk assessment. 

    The consequence is a timing gap: while the business adapts at speed, Internal Audit insight arrives later, bound by planning cycles. This creates a governance blind spot, where the most dangerous risks those that emerge during execution are the least likely to be audited in time. 

    Boards intuitively understand this challenge. If the business is moving at 100 mph and Internal Audit is constrained by planning cycles is moving at 20 mph, the assurance gap widens every day. 

    Objectivity of Judgment ≠ Isolation of Timing 

    Independence exists to protect objectivity of judgment, not to justify a waitandsee posture. A perfect autopsy report doesn’t save the patient; it only explains the funeral. 

    Accuracy without timeliness is a wasted investment. From a governance perspective, assurance that arrives too late may still be technically correct—but strategically irrelevant. 

    Boards should therefore ask a simple but critical question: 

    “Is our Internal Audit function staying silent on emerging risks to protect independence or providing the realtime risk intelligence needed to protect the organisation?” 

    Three Provocations for Audit Committees 

    1. Risk Intelligence Is Not Management Interference

      Identifying an emerging exposure: such as operations scaling ahead of a signed contract is not an operational decision.
      It is risk intelligence. 

    • The trap is viewing proactive signaling as encroachment.
    • The reality is that objectivity is compromised when auditors decide, not when they highlight risk. 

    1. The Danger of “Autopsy” Governance

      When Internal Audit limits itself to postevent validation, Boards are left with explanations rather than protection. A perfect autopsy report doesn’t save the patient, rather it only explains the funeral. 

    In highvelocity environments, assurance that arrives months after risk emerges may be technically correct, but strategically irrelevant. 

    • The provocation for Boards is simple:
      “Do we value retrospective accuracy more than independent foresight?” 

    1. Reframing the Mandate

      Independence should be the shield that allows Internal Audit to:

    • speak truth to power in real time, 
    • challenge management assumptions before they harden into failures, 
    • escalate concerns without hiding behind the “proper” quarterly window, and 
    • practice active neutrality: independence is not passive neutrality; it is the fearless, factual reporting of risks as they develop. 

    The Bottom Line 

    Independence should be a shield, not a hideout.  An Internal Audit function that waits until risk manifests may remain independent in form
    but risks becoming irrelevant in substance.

    True governance excellence requires Internal Audit to be independent in mind but integrated in timing.

    Written by Akeem Taofik – FCA

  • Payroll Errors That Trigger Tax Audits: What HR and Finance Teams Overlook

    Payroll Errors That Trigger Tax Audits: What HR and Finance Teams Overlook

    Payroll is no longer just about paying employees; it is a key part of compliance that affects taxes, regulatory filings, and the accuracy of financial records. Because of this, tax authorities pay close attention to payroll, and it is often one of the first areas they review during an audit. In many cases, payroll issues do not come from complex technical problems. They usually arise from everyday mistakes, weak controls, or poor coordination between HR and Finance.

    This article explains the common payroll errors that can trigger tax audits, why they happen, and what organizations often overlook. Some of these errors are highlighted below:

    Employee Misclassification: A Key Risk

    How employees are classified has a direct impact on taxes and statutory payments. However, many organizations treat this as a one-time HR task rather than something that requires regular review.

    When employees are incorrectly classified by role or employment status, it can lead to underpaid taxes, incorrect pension contributions, and overall non-compliance. Over time, these errors become patterns that tax authorities can easily spot.

    Employee classification should be reviewed regularly and properly documented to ensure it aligns with current regulations.

    Incorrect Tax Deductions and System Issues

    Payroll systems are meant to make tax compliance easier, but they only work well when they are correctly set up and updated. Problems arise when tax rates, thresholds, or employee details are outdated or wrongly configured. This can lead to incorrect PAYE deductions or wrong tax calculations.

    Even small errors, when repeated, can signal weak controls. Tax authorities often see consistent mistakes as a system problem, not a one-off issue.

    Delays in Statutory Remittances

    Calculating taxes correctly is not enough; they must also be paid on time. Late remittance of PAYE, pension, or other statutory deductions is one of the most visible compliance issues.

    Even when calculations are accurate, delays can make an organization look non-compliant. These delays are often caused by unclear responsibilities, cash flow challenges, or poor coordination between HR and Finance.

    Timely remittance is a basic but critical requirement.

    Poor Data Quality and Disconnected Systems

    Payroll depends on data from different sources such as HR systems, attendance records, and manual inputs. When these systems are not connected, errors are likely to occur. This can lead to wrong salary adjustments, incorrect leave deductions, or unverified overtime payments. These issues may go unnoticed at first but can build up over time and create compliance risks.

    Organizations need to focus on improving data accuracy and integrating their systems.

    Lack of Proper Documentation

    A common issue during audits is the lack of supporting documents. Even when payroll is processed correctly, organizations often cannot provide evidence for adjustments or tax treatments. Without proper records, it becomes difficult to defend payroll figures during an audit. Tax authorities rely heavily on documentation, and in its absence, even correct figures may be questioned.

    Keeping clear records and approval trails is essential.

    Errors in Overtime and Variable Pay

    Payments like overtime, bonuses, and allowances are more complex because they follow different rules and tax treatments. Errors in this area often come from poor tracking, unclear eligibility, or inconsistent tax handling. Because these payments vary, they are more likely to attract attention during audits, especially when patterns look unusual.

    Clear policies and proper tracking systems can reduce these risks.

    Reliance on Manual Processing

    Many organizations still rely on spreadsheets and manual adjustments in payroll. While this may seem manageable, it increases the risk of errors and reduces transparency. Manual processes often happen outside formal controls, making it hard to track or detect mistakes. This creates both operational and compliance risks.

    Increasing automation and adding proper checks can help reduce these issues.

    Weak Payroll Reconciliation

    Payroll reconciliation ensures that payroll records match financial records, tax filings, and actual payments. However, it is often ignored or done irregularly. When figures do not align, it raises concerns during audits and can affect financial reporting.

    Regular and consistent reconciliation helps maintain accuracy and builds confidence in payroll data.

    Weak Controls and Governance

    Payroll works best when there are strong controls in place. Problems occur when roles are unclear or when oversight is weak. Common issues include a lack of formal approval processes, poor separation of duties, and unrestricted system access. These gaps increase the risk of errors and even fraud.

    Strong governance and clear control processes are necessary to manage payroll effectively.

    Lack of Regular Payroll Reviews

    Many organizations only review payroll when there is a problem. This reactive approach allows errors to build up over time. Without regular checks, small issues can turn into bigger compliance risks.

    Creating a routine review and audit process helps identify and fix problems early.

    Why Payroll Errors Attract Tax Audits

    Tax authorities focus on payroll because it directly affects tax collection. They look beyond single errors and focus on patterns that suggest weak controls. Frequent late payments, inconsistent tax filings, and unexplained adjustments are all red flags. Once noticed, these can lead to deeper investigations and financial exposure.

    Managing the Risk: A Joint Effort

    Reducing payroll risk requires HR and Finance to work closely together.

    Key steps include:

    • Improving system integration
    • Ensuring accurate and updated data
    • Defining clear responsibilities
    • Performing regular reconciliations
    • Keeping proper documentation
    • Updating tax settings on time

    Payroll should be treated as a compliance function, not just an administrative task.

    Conclusion

    Payroll errors are one of the most common reasons for tax audits, not because they are complex, but because they reflect deeper control issues. Organizations that take a proactive approach, by strengthening controls, improving coordination, and maintaining transparency, will reduce their audit risk.

    In today’s regulatory environment, accurate and well-managed payroll is not optional; it is essential.

    Written by Kikelomo Banmeke – Associate, People and Consulting Services

  • Section 57 Compliance in Nigeria: Key Governance Risks Every Subsidiary Must Address

    Section 57 Compliance in Nigeria: Key Governance Risks Every Subsidiary Must Address

    If you run a Nigerian subsidiary of a multinational and still think Section 57 of Nigeria’s updated corporate tax regime is just “one more calculation,” you’re already behind. Yes, Section 57 introduces a 15% minimum effective tax rate (ETR), neutralizing the benefit of incentives where they depress tax outcomes below the threshold. But the arithmetic is not the real story.

    Section 57 is a governance signal

    It marks the end of an era where local tax outcomes could be exceptional, lightly governed, and explained after the numbers were already consolidated.

    The Comfort That Is Now Gone

    For years, many Nigerian subsidiaries operated with quiet confidence. Incentives justified low ETRs. Group headquarters accepted Nigeria as a “special case.” Where questions arose, explanations typically came after the numbers were final.

     Section 57 disrupts that comfort

    It now asks a tougher question, one that cannot be deferred: Can Nigeria’s tax outcome be clearly and credibly defended to Group Tax and the Audit Committee without relying on technical footnotes?

    If the answer is no, the challenge is not tax complexity.

    Why This Is a GRC Issue (Before It’s a Tax One)

    From a Governance, Risk, and Compliance (GRC) perspective, Section 57 is not a tax rule; it is a stress test for control maturity, particularly Internal Control over Financial Reporting (ICFR).

    Why?

    The minimum tax threshold anchors directly to Profit Before Tax (PBT) as reported in audited financial statements. Once that linkage exists, tax is no longer a downstream calculation. It becomes a direct reflection of how disciplined or fragile the financial close process really is.

    In practice:

    • Weak controls become earnings risk: Volatile PBT caused by late adjustments, weak accrual discipline, inconsistent judgments, or provisioning gaps now creates immediate fiscal and reputational exposure.

    • Tax risk moves upstream: Tax outcomes are no longer “managed” after close. They are shaped by how well financial reporting is governed in real time.

    • ICFR maturity is exposed: Where tax has been treated as a compliance appendix rather than a governed outcome, Section 57 makes the deficiency visible.

    This is how good regulation works. It reveals institutional weaknesses without prescribing the fix.

    Audit Friction Is No Longer Tolerated

    Historically, tax incentives could often survive scrutiny through post‑hoc explanations. In the Section 57 environment, credibility is defined by the audit trail.

    Incentives that are not:

    • clearly owned,

    • embedded in control design, and

    • supported by inspectable evidence

    will struggle under Group‑level review or external audit scrutiny.

    Persistent “audit friction” is no longer an irritation. It is a governance signal.

    The Strategic Shift: From Compliance to Control

    High‑maturity organisations are already pivoting. The change is subtle but decisive:

    From: “Nigeria is compliant because our incentives are legal.”

    To: “Nigeria is controlled because its ETR is deliberate, monitored, and explainable.”

    This shift must happen before consolidation, not as a reconciliation exercise after Group questions arise. In a multinational environment, unexplained local volatility is not a local issue, it is an enterprise risk.

    The Question That Now Defines Credibility

    For CFOs and GRC leaders, the defining question has changed:

    If Group Tax or the Audit Committee asked today, ‘Why is Nigeria’s ETR what it is?’ would the response be a spreadsheet model or a governance framework embedded in ICFR?

    One signals calculation, the other signals control.

    Final Thought

    Section 57 is not asking Nigerian subsidiaries to be perfect, it is asking them to be credible.

    Credibility does not come from technical explanations delivered after consolidation. It comes from discipline, alignment, and governance maturity.

    If Nigeria is still being explained after the fact rather than positioned deliberately within the Group’s governance architecture, Section 57 isn’t the problem.

    Your GRC maturity is.

    Written by Akeem Taofik – FCA

  • When Discomfort Signals the Need for Governance Reassessment

    When Discomfort Signals the Need for Governance Reassessment

    In governance, discomfort is not always a warning sign it can be a signal worth listening to. As ICFR assurance becomes more established in Nigeria, some Boards and CFOs experience a persistent unease not because anything is demonstrably wrong, but because something no longer sits comfortably. The scope feels heavier than expected. The effort feels closer to reasonable assurance than limited assurance. The logic between work performed and conclusions reported feels less tidy than before.

    In governance, that discomfort deserves attention.

    Discomfort Often Emerges Before Failure

    A well‑functioning governance systems rarely fail without warning. More often, signals appear early in the form of questions that linger, costs that are harder to explain, or execution patterns that no longer align intuitively with first principles.

    In the context of ICFR assurance, discomfort may surface when:

    • Execution effort materially exceeds what the assurance conclusion can support.
    • scope expands incrementally without explicit Board discussion; or
    • Management can no longer clearly articulate why additional procedures are being performed, beyond precedent.

    These moments are not indicators of non‑compliance. They are indicators of governance tension.

    When Discomfort Points to a Loss of Intentionality

    Discomfort is particularly instructive when it reveals that:

    • a Board did not consciously choose the current assurance depth.
    • methodology has evolved through repetition rather than decision; or
    • The assurance model being experienced no longer reflects the one originally approved.

    In such cases, unease is not resistance, it is a signal that intentional ownership may have eroded.

    Governance strength lies not in eliminating discomfort, but in understanding what it is reacting to.

    Discomfort Is an Invitation, not a Verdict

    Importantly, feeling uneasy does not compel immediate change.

    It invites examination:

    • Is the current ICFR execution still proportionate to our risk profile?
    • Does the incremental work provide comfort we genuinely value?
    • Are we implicitly moving toward a reasonable‑assurance posture without naming it?
    • If circumstances changed, could we confidently recalibrate scope?

    When Boards can engage these questions openly, discomfort becomes productive rather than destabilising.

    The Risk of Ignoring Discomfort

    Where discomfort is consistently deferred, two governance risks emerge:

    • drift, where practice gradually moves beyond intent without accountability; and
    • inertia, where future change becomes harder because the status quo hardens into perceived necessity.

    Over time, what was once a mild unease can evolve into rigidity precisely the opposite of good governance.

    A Discipline Worth Developing

    Just as comfort can be a governance outcome when consciously chosen, discomfort can be a governance asset when properly interpreted.

    It encourages Boards and Audit Committees to:

    • revisit first principles without presuming error.
    • distinguish between regulatory requirement and inherited practice; and
    • maintain agency over assurance models, rather than inheriting them passively.

    In this sense, discomfort is not a call to disrupt but a call to reengage.

    Closing Reflection

    ICFR assurance will continue to mature. For some Boards, that journey will feel settled. For others, it will surface questions that resist easy answers.

    When discomfort arises, the objective is not to resolve it quickly, but to understand it thoroughly. In that understanding lies the capacity to decide consciously, proportionately, and with confidence whether the present course still serves the organisation’s governance intent.

    Discomfort, well‑handled, is not a threat to governance.

    Written by Akeem Taofik – FCA

  • An Executive Guide to Data Security in Nigerian Professional Services Firms

    An Executive Guide to Data Security in Nigerian Professional Services Firms

    Nigerian professional services firms such as law practices, audit and accounting firms, tax advisors, HR and payroll providers, and consulting practices are custodians of high‑value personal and confidential client data.  As regulatory scrutiny increases and clients become more risk‑aware, data security has moved beyond an IT concern to a governance, trust, and reputation imperative.

    Recent incidents across financial services, technology, and advisory firms have demonstrated a simple truth: a single data breach can erase years of brand equity. Under the Nigeria Data Protection Act, 2023 (NDPA) and its implementation guidance issued by the Nigeria Data Protection Commission (NDPC), data security has become a board‑level requirement, not only an IT concern.

    This white paper provides an executive‑level framework for establishing “defensible security”: governance, risk assessment, and proportionate technical and organisational measures that protect confidentiality, integrity and availability of personal data, reduce business disruption, and support client trust.

    The Nigerian Context: Rising Risk, Rising Expectations

    Several factors have significantly increased data‑security expectations in Nigeria’s professional services market:

    • Stricter regulation (NDPR, sector‑specific guidelines, cross‑border data considerations)
    • Growing multinational presence, with global security standards applied to local vendors
    • Increased digitization of audit, tax, payroll, and advisory processes
    • Heightened client due diligence, especially for firms handling financial or personal data.

    Today, clients are no longer asking if their advisers are secure, they are asking how security is governed, tested, and assured.

    Why Is Data Security Important for Professional Services Firms?

    Data security is non-negotiable for professional services firms (law, accounting, consulting, engineering) because their business model is built on trust, intellectual property (IP), and the handling of sensitive client information, therefore, a security breach would negatively impact their value proposition, resulting in legal challenges, operational disruptions, and most importantly, reputational damage.

    Implementing robust data security measures goes beyond compliance with regulatory requirements, it is about protecting the very foundation of the firm. It prevents unauthorized access to data, safeguards sensitive information, effectively detects breaches, promptly responding to them, amongst others, thereby ensuring business continuity and enhancing clients’ trust.

    Why Professional Services Firms are a target of data breaches

    1. Nature of Professional Services Firms: These Professional firms are custodians of sensitive personal and client data, which are targets for cybercrimes and other forms of misuse.
    1. Nigeria’s heightened Legal and Regulatory environment: The Nigeria Data Protection Act (NDPA) 2023 and the General Application and Implementation Directive (GAID) 2025 serve as the major statutory framework for personal data protection in Nigeria. In addition, the Nigeria Data Protection Commission was established to provide oversight functions and enforce compliance with the act.
    1. Risk Factors: Professional services firms often experience security failures such as weak accounts authentication, inadequate data back up, weak security controls, amongst others, making them an obvious target.
    1. Weak Governance structures: Lack of effective corporate governance structure, ineffective controls, no succession planning, etc, could expose the firm to such attacks.
    1. Third party Data Management: The reliance on vendors and other third-party tools and platforms pose a huge risk, if effective due diligence processes are not enforced and where the NDPA framework has not been complied with.
    1. Incident Response framework: The NDPA contains provisions on breaches and how they should be treated. Where breaches are not promptly investigated and corrected or reported, it could escalate into more severe issues.

    ISO 27001: An International Standard for Information Security

    ISO 27001 is the world’s most widely recognized standard for Information Security Management Systems (ISMS). It defines the requirements for establishing, implementing, maintaining, and continually improving a structured and auditable approach to information security across a Firm or an organization.

    ISO 27001 adopts an all-embracing, management‑driven approach to security. It integrates people, processes, and technology, ensuring that information security is embedded into organizational governance rather than treated as an independent IT function. The standard is deliberately sector‑ neutral, making it particularly suitable for professional services firms that manage diverse categories of information assets, including digital records, physical files, intellectual property, and institutional knowledge.

    The ISO 27001 is critical for ensuring Data security in Nigerian Professional services firms, as it provides not just a framework for managing risks, but helps to ensure confidentiality and compliance with the NDPA 2023. Implementing ISO 27001 helps firms secure their sensitive client data, reducing incidences of cyber threats and consolidating on clients’ trust.

    Nigerian Professional services firms operate in an increasingly regulated environment; ISO 27001 provides a globally acceptable basis for demonstrating the existence of well-established and defensible data security practices.

    When a Firm / Company is ISO 27001 certified, it indicates that they have followed best practices to protect their client and other personal data, they have measures in place to proactively identify risks and mitigate them, as well as respond appropriately to security breaches.

    From an executive perspective, the certification provides assurance to clients, regulators, and stakeholders that data security is being managed in a disciplined, systematic, and auditable manner.

    Core Features of ISO 27001

    • Risk-based security model: This ensures that the firm’s security controls are mapped to specific risks, as against generic risks. This flexibility is important especially for Professional Services firms, as there is increased data sensitivity, organizational flexibility and heightened client expectations.
    • Governance and Management System: This requires the involvement of top Management in establishing information security objectives, integrating information security into business processes and generally performing oversight functions in relation to information security. This equally aligns with the requirements of the NDPA 2023, where data security relies on the organisation’s data controllers and processors. For Nigerian Professional services firms, the ISO 27001 serves to ensure that this regulatory requirement becomes an operational discipline.
    • ISO 27001 and the Nigeria Data Protection Act: In addition to implementing proper technical measures to ensure data security and integrity of personal data, the act also mandates on-going monitoring, evaluation and maintenance of data security systems, which should be supported by well-determined policies, training and incident response processes. ISO 27001 provides the framework through which Professional services firms can demonstrate compliance with the NDPA and other stakeholders.
    • Provision of Business value: The ISO 27001 certification provides incredible business value to Professional services firms, far beyond the traditional regulatory compliance. It enhances Client confidence and trust, especially in our environment where data protection is fast becoming a factor in client selection. It equally reduced operational inconsistency and inefficiency, whilst ensuring Firms are mature enough to compete in our increasingly competitive market. With improved operational performance comes increased business value.
    • Third party risk management: Professional services firms are known to rely on third party service providers and platforms, cloud hosting services, amongst others. ISO 27001 mandates the assessment of Vendor security, defining contractual safeguards, as well as monitoring compliance with these safeguards.

    Securing the ISO 27001 certification provides significant benefits including:

    • Enhanced data protection: proactive identification and mitigation of security threats.
    • Regulatory alignment: structured compliance with NDPA requirements and global data protection expectations.
    • Operational efficiency: clearer processes, defined responsibilities, and improved internal coordination.
    • Client confidence: demonstrable commitment to safeguarding client information.
    • Competitive positioning: differentiation in a market where clients increasingly prioritise data protection maturity when selecting advisers.

     

    Stransact: Leading the Charge in Secure Professional Services

    Stransact is among the few professional services firms in Nigeria to have achieved ISO 27001 certification: demonstrating a firm‑wide commitment to enterprise‑grade data security, governance, and risk management. Stransact assures her clients of the following:

    • Protection of sensitive data: Our clients’ data is completely secure. They never have to worry about their information being handled carelessly or not confidentially. Measures have been put in place to identify any threats and respond to them appropriately.
    • Regulatory compliance: as stated above, ISO 27001 aligns our processes with international regulations, thereby ensuring credibility, compliance and reduce operational disruptions. In addition, Stransact is a licensed Data Protection Compliance organisation, having dedicated Data Protection Officers (DPOs), who ensure that we comply completely with the law.
    • Internal Efficiency: the existence of structured processes in Stransact, result in internal efficiency, clarity, improved communication and overall productivity.
    • Customer Trust and Loyalty: by implementing ISO 27001, we show our clients that we value their business by keeping their data secure. They don’t have to worry about unauthorized access to their data or any data breaches.
    • Enhances our competitive edge: through this certification, we have shown the world that we are ready for the future; we have taken the required steps to stand out from the crowd and show that we are worth doing business with.

    In an environment such as Nigeria, with heightened regulatory scrutiny, increasing digitalisation, and evolving cyber threats, ISO 27001 provides Nigerian professional services firms with more than a certification. It offers a defensible, governance‑led foundation for data security.

    When integrated with NDPA compliance efforts, ISO 27001 enables firms to demonstrate accountability, resilience, and a sustained commitment to protecting client data. For boards and executive leadership, it transforms data security from a reactive technical concern into a strategic capability that safeguards trust, reputation, and long‑term enterprise value.

    Written by Ogechi Odiah – Director, People and Consulting Services

  • The Status Quo as Strategy: A Governance Perspective

    The Status Quo as Strategy: A Governance Perspective

    Not every Audit Committee or CFO is unsettled by the current approach to ICFR assurance. For some organisations, the status quo feels appropriately understood, defensible, and aligned with their broader risk posture.

    That position deserves recognition.

    Governance is not about relentless change. It is about informed choices. Where Boards have consciously elected to accept broader ICFR execution than what a limited‑assurance conclusion strictly requires, the critical question is not whether that choice is right or wrong, but whether it is clearly understood, intentionally owned, and periodically revisited.

    Comfort Can Be Rational and Still Require Oversight

    There are legitimate reasons why Boards may be comfortable with current ICFR execution practices:

    • Higher levels of assurance effort can feel safer in uncertain regulatory or market environments
    • Additional procedures may reduce perceived audit friction or inspection risk
    • Costs may be proportionate to organisational scale and complexity
    • The approach may align with global group practices or long‑standing auditor relationships

    None of these drivers is inherently problematic. Comfort, however, is not a substitute for clarity.

    Good governance asks not only “Are we comfortable?” but also: “Do we fully understand what we are approving—and why?”

    The Risk Is Not Over‑Execution, but Unexamined Execution

    Choosing to tolerate or even welcome expanded ICFR procedures is a defensible governance stance. The risk arises when that expansion becomes default behavior, rather than an explicitly articulated decision.

    Over time, unexamined execution can:

    • harden into perceived regulatory necessity,
    • blur the distinction between limited and reasonable assurance, and
    • make future scope or cost recalibration more difficult to justify.

    In such cases, the Board may remain comfortable yet gradually lose intentional control over the assurance model it is sponsoring.

    What Good Ownership Looks Like in Practice

    For Boards that deliberately prefer the status quo, strong governance is demonstrated by being able to clearly articulate:

    • Why the current ICFR scope exceeds the minimum required for limited assurance.
    • what incremental comfort that additional work is intended to provide.
    • how comfort aligns with the assurance conclusion ultimately reported; and
    • under what conditions the approach would be reconsidered.

    When these questions are answerable, comfort becomes a governance outcome, not a governance blind spot.

    A Discipline Worth Preserving

    ICFR assurance will continue to evolve through regulatory refinement, market practice, and organisational maturity. Boards that are comfortable today are not obligated to lead that change.

    They are, however, custodians of intentionality.

    Whether maintaining the current model or reshaping it over time, the enduring marker of sound governance is not alignment with best practice trends, but clarity of purpose, proportionality of execution, and readiness to reengage first principles when circumstances change.

    Comfort, when consciously chosen, can coexist with strong governance.
    Comfort, when inherited and unexamined, rarely does.

    Written by Akeem Taofik – FCA