Blog

  • Payroll Errors That Trigger Tax Audits: What HR and Finance Teams Overlook

    Payroll is no longer just about paying employees; it is a key part of compliance that affects taxes, regulatory filings, and the accuracy of financial records. Because of this, tax authorities pay close attention to payroll, and it is often one of the first areas they review during an audit. In many cases, payroll issues do not come from complex technical problems. They usually arise from everyday mistakes, weak controls, or poor coordination between HR and Finance.

    This article explains the common payroll errors that can trigger tax audits, why they happen, and what organizations often overlook. Some of these errors are highlighted below:

    Employee Misclassification: A Key Risk

    How employees are classified has a direct impact on taxes and statutory payments. However, many organizations treat this as a one-time HR task rather than something that requires regular review.

    When employees are incorrectly classified by role or employment status, it can lead to underpaid taxes, incorrect pension contributions, and overall non-compliance. Over time, these errors become patterns that tax authorities can easily spot.

    Employee classification should be reviewed regularly and properly documented to ensure it aligns with current regulations.

    Incorrect Tax Deductions and System Issues

    Payroll systems are meant to make tax compliance easier, but they only work well when they are correctly set up and updated. Problems arise when tax rates, thresholds, or employee details are outdated or wrongly configured. This can lead to incorrect PAYE deductions or wrong tax calculations.

    Even small errors, when repeated, can signal weak controls. Tax authorities often see consistent mistakes as a system problem, not a one-off issue.

    Delays in Statutory Remittances

    Calculating taxes correctly is not enough; they must also be paid on time. Late remittance of PAYE, pension, or other statutory deductions is one of the most visible compliance issues.

    Even when calculations are accurate, delays can make an organization look non-compliant. These delays are often caused by unclear responsibilities, cash flow challenges, or poor coordination between HR and Finance.

    Timely remittance is a basic but critical requirement.

    Poor Data Quality and Disconnected Systems

    Payroll depends on data from different sources such as HR systems, attendance records, and manual inputs. When these systems are not connected, errors are likely to occur. This can lead to wrong salary adjustments, incorrect leave deductions, or unverified overtime payments. These issues may go unnoticed at first but can build up over time and create compliance risks.

    Organizations need to focus on improving data accuracy and integrating their systems.

    Lack of Proper Documentation

    A common issue during audits is the lack of supporting documents. Even when payroll is processed correctly, organizations often cannot provide evidence for adjustments or tax treatments. Without proper records, it becomes difficult to defend payroll figures during an audit. Tax authorities rely heavily on documentation, and in its absence, even correct figures may be questioned.

    Keeping clear records and approval trails is essential.

    Errors in Overtime and Variable Pay

    Payments like overtime, bonuses, and allowances are more complex because they follow different rules and tax treatments. Errors in this area often come from poor tracking, unclear eligibility, or inconsistent tax handling. Because these payments vary, they are more likely to attract attention during audits, especially when patterns look unusual.

    Clear policies and proper tracking systems can reduce these risks.

    Reliance on Manual Processing

    Many organizations still rely on spreadsheets and manual adjustments in payroll. While this may seem manageable, it increases the risk of errors and reduces transparency. Manual processes often happen outside formal controls, making it hard to track or detect mistakes. This creates both operational and compliance risks.

    Increasing automation and adding proper checks can help reduce these issues.

    Weak Payroll Reconciliation

    Payroll reconciliation ensures that payroll records match financial records, tax filings, and actual payments. However, it is often ignored or done irregularly. When figures do not align, it raises concerns during audits and can affect financial reporting.

    Regular and consistent reconciliation helps maintain accuracy and builds confidence in payroll data.

    Weak Controls and Governance

    Payroll works best when there are strong controls in place. Problems occur when roles are unclear or when oversight is weak. Common issues include a lack of formal approval processes, poor separation of duties, and unrestricted system access. These gaps increase the risk of errors and even fraud.

    Strong governance and clear control processes are necessary to manage payroll effectively.

    Lack of Regular Payroll Reviews

    Many organizations only review payroll when there is a problem. This reactive approach allows errors to build up over time. Without regular checks, small issues can turn into bigger compliance risks.

    Creating a routine review and audit process helps identify and fix problems early.

    Why Payroll Errors Attract Tax Audits

    Tax authorities focus on payroll because it directly affects tax collection. They look beyond single errors and focus on patterns that suggest weak controls. Frequent late payments, inconsistent tax filings, and unexplained adjustments are all red flags. Once noticed, these can lead to deeper investigations and financial exposure.

    Managing the Risk: A Joint Effort

    Reducing payroll risk requires HR and Finance to work closely together.

    Key steps include:

    • Improving system integration
    • Ensuring accurate and updated data
    • Defining clear responsibilities
    • Performing regular reconciliations
    • Keeping proper documentation
    • Updating tax settings on time

    Payroll should be treated as a compliance function, not just an administrative task.

    Conclusion

    Payroll errors are one of the most common reasons for tax audits, not because they are complex, but because they reflect deeper control issues. Organizations that take a proactive approach, by strengthening controls, improving coordination, and maintaining transparency, will reduce their audit risk.

    In today’s regulatory environment, accurate and well-managed payroll is not optional; it is essential.


    Written by Kikelomo Banmeke – Associate, People and Consulting Services

  • Section 57 Compliance in Nigeria: Key Governance Risks Every Subsidiary Must Address

    If you run a Nigerian subsidiary of a multinational and still think Section 57 of Nigeria’s updated corporate tax regime is just “one more calculation,” you’re already behind. Yes, Section 57 introduces a 15% minimum effective tax rate (ETR), neutralizing the benefit of incentives where they depress tax outcomes below the threshold. But the arithmetic is not the real story.

    Section 57 is a governance signal

    It marks the end of an era where local tax outcomes could be exceptional, lightly governed, and explained after the numbers were already consolidated.

    The Comfort That Is Now Gone

    For years, many Nigerian subsidiaries operated with quiet confidence. Incentives justified low ETRs. Group headquarters accepted Nigeria as a “special case.” Where questions arose, explanations typically came after the numbers were final.

    Section 57 disrupts that comfort

    It now asks a tougher question, one that cannot be deferred: Can Nigeria’s tax outcome be clearly and credibly defended to Group Tax and the Audit Committee without relying on technical footnotes?

    If the answer is no, the challenge is not tax complexity.

    Why This Is a GRC Issue (Before It’s a Tax One)

    From a Governance, Risk, and Compliance (GRC) perspective, Section 57 is not a tax rule; it is a stress test for control maturity, particularly Internal Control over Financial Reporting (ICFR).

    Why?

    The minimum tax threshold anchors directly to Profit Before Tax (PBT) as reported in audited financial statements. Once that linkage exists, tax is no longer a downstream calculation. It becomes a direct reflection of how disciplined or fragile the financial close process really is.

    In practice:

    • Weak controls become earnings risk: Volatile PBT caused by late adjustments, weak accrual discipline, inconsistent judgments, or provisioning gaps now creates immediate fiscal and reputational exposure.

    • Tax risk moves upstream: Tax outcomes are no longer “managed” after close. They are shaped by how well financial reporting is governed in real time.

    • ICFR maturity is exposed: Where tax has been treated as a compliance appendix rather than a governed outcome, Section 57 makes the deficiency visible.

    This is how good regulation works. It reveals institutional weaknesses without prescribing the fix.

    Audit Friction Is No Longer Tolerated

    Historically, tax incentives could often survive scrutiny through post‑hoc explanations. In the Section 57 environment, credibility is defined by the audit trail.

    Incentives that are not:

    • clearly owned,

    • embedded in control design, and

    • supported by inspectable evidence

    will struggle under Group‑level review or external audit scrutiny.

    Persistent “audit friction” is no longer an irritation. It is a governance signal.

    The Strategic Shift: From Compliance to Control

    High‑maturity organisations are already pivoting. The change is subtle but decisive:

    From: “Nigeria is compliant because our incentives are legal.”

    To: “Nigeria is controlled because its ETR is deliberate, monitored, and explainable.”

    This shift must happen before consolidation, not as a reconciliation exercise after Group questions arise. In a multinational environment, unexplained local volatility is not a local issue; it is an enterprise risk.

    The Question That Now Defines Credibility

    For CFOs and GRC leaders, the defining question has changed:

    If Group Tax or the Audit Committee asked today, ‘Why is Nigeria’s ETR what it is?’ would the response be a spreadsheet model or a governance framework embedded in ICFR?

    One signals calculation; the other signals control.

    Final Thought

    Section 57 is not asking Nigerian subsidiaries to be perfect; it is asking them to be credible.

    Credibility does not come from technical explanations delivered after consolidation. It comes from discipline, alignment, and governance maturity.

    If Nigeria is still being explained after the fact rather than positioned deliberately within the Group’s governance architecture, Section 57 isn’t the problem.

    Your GRC maturity is.


    Written by Akeem Taofik – FCA

  • When Discomfort Signals the Need for Governance Reassessment

    In governance, discomfort is not always a warning sign; it can be a signal worth listening to. As ICFR assurance becomes more established in Nigeria, some Boards and CFOs experience a persistent unease, not because anything is demonstrably wrong, but because something no longer sits comfortably. The scope feels heavier than expected. The effort feels closer to reasonable assurance than limited assurance. The logic between work performed and conclusions reported feels less tidy than before.

    In governance, that discomfort deserves attention.

    Discomfort Often Emerges Before Failure

    Well‑functioning governance systems rarely fail without warning. More often, signals appear early in the form of questions that linger, costs that are harder to explain, or execution patterns that no longer align intuitively with first principles.

    In the context of ICFR assurance, discomfort may surface when:

    • execution effort materially exceeds what the assurance conclusion can support;
    • scope expands incrementally without explicit Board discussion; or
    • management can no longer clearly articulate why additional procedures are being performed, beyond precedent.

    These moments are not indicators of non‑compliance. They are indicators of governance tension.

    When Discomfort Points to a Loss of Intentionality

    Discomfort is particularly instructive when it reveals that:

    • a Board did not consciously choose the current assurance depth;
    • methodology has evolved through repetition rather than decision; or
    • the assurance model being experienced no longer reflects the one originally approved.

    In such cases, unease is not resistance; it is a signal that intentional ownership may have eroded.

    Governance strength lies not in eliminating discomfort, but in understanding what it is reacting to.

    Discomfort Is an Invitation, Not a Verdict

    Importantly, feeling uneasy does not compel immediate change.

    It invites examination:

    • Is the current ICFR execution still proportionate to our risk profile?
    • Does the incremental work provide comfort we genuinely value?
    • Are we implicitly moving toward a reasonable‑assurance posture without naming it?
    • If circumstances changed, could we confidently recalibrate scope?

    When Boards can engage these questions openly, discomfort becomes productive rather than destabilising.

    The Risk of Ignoring Discomfort

    Where discomfort is consistently deferred, two governance risks emerge:

    • drift, where practice gradually moves beyond intent without accountability; and
    • inertia, where future change becomes harder because the status quo hardens into perceived necessity.

    Over time, what was once a mild unease can evolve into rigidity, precisely the opposite of good governance.

    A Discipline Worth Developing

    Just as comfort can be a governance outcome when consciously chosen, discomfort can be a governance asset when properly interpreted.

    It encourages Boards and Audit Committees to:

    • revisit first principles without presuming error;
    • distinguish between regulatory requirement and inherited practice; and
    • maintain agency over assurance models, rather than inheriting them passively.

    In this sense, discomfort is not a call to disrupt but a call to reengage.

    Closing Reflection

    ICFR assurance will continue to mature. For some Boards, that journey will feel settled. For others, it will surface questions that resist easy answers.

    When discomfort arises, the objective is not to resolve it quickly, but to understand it thoroughly. In that understanding lies the capacity to decide consciously, proportionately, and with confidence whether the present course still serves the organisation’s governance intent.

    Discomfort, well‑handled, is not a threat to governance.


    Written by Akeem Taofik – FCA

  • An Executive Guide to Data Security in Nigerian Professional Services Firms

    Nigerian professional services firms, such as law practices, audit and accounting firms, tax advisors, HR and payroll providers, and consulting practices, are custodians of high‑value personal and confidential client data. As regulatory scrutiny increases and clients become more risk‑aware, data security has moved beyond an IT concern to a governance, trust, and reputation imperative.

    Recent incidents across financial services, technology, and advisory firms have demonstrated a simple truth: a single data breach can erase years of brand equity. Under the Nigeria Data Protection Act, 2023 (NDPA) and its implementation guidance issued by the Nigeria Data Protection Commission (NDPC), data security has become a board‑level requirement, not only an IT concern.

    This white paper provides an executive‑level framework for establishing “defensible security”: governance, risk assessment, and proportionate technical and organisational measures that protect confidentiality, integrity and availability of personal data, reduce business disruption, and support client trust.

    The Nigerian Context: Rising Risk, Rising Expectations

    Several factors have significantly increased data‑security expectations in Nigeria’s professional services market:

    • Stricter regulation (NDPR, sector‑specific guidelines, cross‑border data considerations)
    • Growing multinational presence, with global security standards applied to local vendors
    • Increased digitization of audit, tax, payroll, and advisory processes
    • Heightened client due diligence, especially for firms handling financial or personal data.

    Today, clients are no longer asking if their advisers are secure; they are asking how security is governed, tested, and assured.

    Why Is Data Security Important for Professional Services Firms?

    Data security is non-negotiable for professional services firms (law, accounting, consulting, engineering) because their business model is built on trust, intellectual property (IP), and the handling of sensitive client information. A security breach would therefore negatively impact their value proposition, resulting in legal challenges, operational disruptions, and, most importantly, reputational damage.

    Implementing robust data security measures goes beyond compliance with regulatory requirements; it is about protecting the very foundation of the firm. Among other things, it prevents unauthorized access to data, safeguards sensitive information, detects breaches effectively, and enables a prompt response to them, thereby ensuring business continuity and enhancing clients’ trust.

    Why Professional Services Firms Are a Target of Data Breaches

    1. Nature of Professional Services Firms: These firms are custodians of sensitive personal and client data, which is a target for cybercrime and other forms of misuse.
    2. Nigeria’s heightened Legal and Regulatory environment: The Nigeria Data Protection Act (NDPA) 2023 and the General Application and Implementation Directive (GAID) 2025 serve as the major statutory framework for personal data protection in Nigeria. In addition, the Nigeria Data Protection Commission was established to provide oversight functions and enforce compliance with the Act.
    3. Risk Factors: Professional services firms often experience security failures such as weak account authentication, inadequate data backup, and weak security controls, amongst others, making them an obvious target.
    4. Weak Governance structures: The lack of an effective corporate governance structure, ineffective controls, no succession planning, etc., could expose the firm to such attacks.
    5. Third party Data Management: The reliance on vendors and other third-party tools and platforms poses a huge risk if effective due diligence processes are not enforced and where the NDPA framework has not been complied with.
    6. Incident Response framework: The NDPA contains provisions on breaches and how they should be treated. Where breaches are not promptly investigated and corrected or reported, they could escalate into more severe issues.

    ISO 27001: An International Standard for Information Security

    ISO 27001 is the world’s most widely recognized standard for Information Security Management Systems (ISMS). It defines the requirements for establishing, implementing, maintaining, and continually improving a structured and auditable approach to information security across a firm or an organization.

    ISO 27001 adopts an all-embracing, management‑driven approach to security. It integrates people, processes, and technology, ensuring that information security is embedded into organizational governance rather than treated as an independent IT function. The standard is deliberately sector‑neutral, making it particularly suitable for professional services firms that manage diverse categories of information assets, including digital records, physical files, intellectual property, and institutional knowledge.

    ISO 27001 is critical for ensuring data security in Nigerian professional services firms, as it not only provides a framework for managing risks but also helps to ensure confidentiality and compliance with the NDPA 2023. Implementing ISO 27001 helps firms secure their sensitive client data, reducing the incidence of cyber threats and consolidating clients’ trust.

    Nigerian Professional services firms operate in an increasingly regulated environment; ISO 27001 provides a globally acceptable basis for demonstrating the existence of well-established and defensible data security practices.

    When a firm or company is ISO 27001 certified, it indicates that it has followed best practices to protect client and other personal data, and that it has measures in place to proactively identify and mitigate risks, as well as to respond appropriately to security breaches.

    From an executive perspective, the certification provides assurance to clients, regulators, and stakeholders that data security is being managed in a disciplined, systematic, and auditable manner.

    Core Features of ISO 27001

    • Risk-based security model: This ensures that the firm’s security controls are mapped to specific risks rather than generic ones. This flexibility is especially important for professional services firms, as they face increased data sensitivity, organizational flexibility and heightened client expectations.
    • Governance and Management System: This requires the involvement of top management in establishing information security objectives, integrating information security into business processes and generally performing oversight functions in relation to information security. This also aligns with the requirements of the NDPA 2023, where data security relies on the organisation’s data controllers and processors. For Nigerian professional services firms, ISO 27001 serves to ensure that this regulatory requirement becomes an operational discipline.
    • ISO 27001 and the Nigeria Data Protection Act: In addition to requiring proper technical measures to ensure the security and integrity of personal data, the Act mandates ongoing monitoring, evaluation and maintenance of data security systems, which should be supported by well-defined policies, training and incident response processes. ISO 27001 provides the framework through which professional services firms can demonstrate compliance with the NDPA and to other stakeholders.
    • Provision of Business value: ISO 27001 certification provides incredible business value to professional services firms, far beyond traditional regulatory compliance. It enhances client confidence and trust, especially in our environment, where data protection is fast becoming a factor in client selection. It also reduces operational inconsistency and inefficiency, whilst ensuring firms are mature enough to compete in our increasingly competitive market. With improved operational performance comes increased business value.
    • Third party risk management: Professional services firms are known to rely on third-party service providers and platforms, cloud hosting services, amongst others. ISO 27001 mandates assessing vendor security, defining contractual safeguards, and monitoring compliance with these safeguards.

    Securing the ISO 27001 certification provides significant benefits including:

    • Enhanced data protection: proactive identification and mitigation of security threats.
    • Regulatory alignment: structured compliance with NDPA requirements and global data protection expectations.
    • Operational efficiency: clearer processes, defined responsibilities, and improved internal coordination.
    • Client confidence: demonstrable commitment to safeguarding client information.
    • Competitive positioning: differentiation in a market where clients increasingly prioritise data protection maturity when selecting advisers.

     

    Stransact: Leading the Charge in Secure Professional Services

    Stransact is among the few professional services firms in Nigeria to have achieved ISO 27001 certification, demonstrating a firm‑wide commitment to enterprise‑grade data security, governance, and risk management. Stransact assures her clients of the following:

    • Protection of sensitive data: Our clients’ data is completely secure. They never have to worry about their information being handled carelessly or not confidentially. Measures have been put in place to identify any threats and respond to them appropriately.
    • Regulatory compliance: As stated above, ISO 27001 aligns our processes with international regulations, thereby ensuring credibility and compliance and reducing operational disruptions. In addition, Stransact is a licensed Data Protection Compliance organisation, with dedicated Data Protection Officers (DPOs) who ensure that we comply completely with the law.
    • Internal Efficiency: The existence of structured processes in Stransact results in internal efficiency, clarity, improved communication and overall productivity.
    • Customer Trust and Loyalty: by implementing ISO 27001, we show our clients that we value their business by keeping their data secure. They don’t have to worry about unauthorized access to their data or any data breaches.
    • Enhances our competitive edge: through this certification, we have shown the world that we are ready for the future; we have taken the required steps to stand out from the crowd and show that we are worth doing business with.

    In an environment such as Nigeria, with heightened regulatory scrutiny, increasing digitalisation, and evolving cyber threats, ISO 27001 provides Nigerian professional services firms with more than a certification. It offers a defensible, governance‑led foundation for data security.

    When integrated with NDPA compliance efforts, ISO 27001 enables firms to demonstrate accountability, resilience, and a sustained commitment to protecting client data. For boards and executive leadership, it transforms data security from a reactive technical concern into a strategic capability that safeguards trust, reputation, and long‑term enterprise value.


    Written by Ogechi Odiah – Director, People and Consulting Services

  • The Status Quo as Strategy: A Governance Perspective

    Not every Audit Committee or CFO is unsettled by the current approach to ICFR assurance. For some organisations, the status quo feels appropriately understood, defensible, and aligned with their broader risk posture.

    That position deserves recognition.

    Governance is not about relentless change. It is about informed choices. Where Boards have consciously elected to accept broader ICFR execution than what a limited‑assurance conclusion strictly requires, the critical question is not whether that choice is right or wrong, but whether it is clearly understood, intentionally owned, and periodically revisited.

    Comfort Can Be Rational and Still Require Oversight

    There are legitimate reasons why Boards may be comfortable with current ICFR execution practices:

    • Higher levels of assurance effort can feel safer in uncertain regulatory or market environments
    • Additional procedures may reduce perceived audit friction or inspection risk
    • Costs may be proportionate to organisational scale and complexity
    • The approach may align with global group practices or long‑standing auditor relationships

    None of these drivers is inherently problematic. Comfort, however, is not a substitute for clarity.

    Good governance asks not only “Are we comfortable?” but also: “Do we fully understand what we are approving—and why?”

    The Risk Is Not Over‑Execution, but Unexamined Execution

    Choosing to tolerate or even welcome expanded ICFR procedures is a defensible governance stance. The risk arises when that expansion becomes default behavior, rather than an explicitly articulated decision.

    Over time, unexamined execution can:

    • harden into perceived regulatory necessity,
    • blur the distinction between limited and reasonable assurance, and
    • make future scope or cost recalibration more difficult to justify.

    In such cases, the Board may remain comfortable yet gradually lose intentional control over the assurance model it is sponsoring.

    What Good Ownership Looks Like in Practice

    For Boards that deliberately prefer the status quo, strong governance is demonstrated by being able to clearly articulate:

    • why the current ICFR scope exceeds the minimum required for limited assurance;
    • what incremental comfort that additional work is intended to provide;
    • how comfort aligns with the assurance conclusion ultimately reported; and
    • under what conditions the approach would be reconsidered.

    When these questions are answerable, comfort becomes a governance outcome, not a governance blind spot.

    A Discipline Worth Preserving

    ICFR assurance will continue to evolve through regulatory refinement, market practice, and organisational maturity. Boards that are comfortable today are not obligated to lead that change.

    They are, however, custodians of intentionality.

    Whether maintaining the current model or reshaping it over time, the enduring marker of sound governance is not alignment with best practice trends, but clarity of purpose, proportionality of execution, and readiness to reengage first principles when circumstances change.

    Comfort, when consciously chosen, can coexist with strong governance.
    Comfort, when inherited and unexamined, rarely does.


    Written by Akeem Taofik – FCA

  • ICFR Is Already Here: Is Limited Assurance Being Executed as Intended?

    As assurance becomes more routine, it may be worth pausing to reflect on whether execution, scope, and reported assurance levels remain coherently aligned.
    Sharing a governance reflection below.

    Internal Control over Financial Reporting (ICFR) is now firmly embedded in Nigeria’s financial reporting framework under the oversight of the Financial Reporting Council of Nigeria (FRCN). As ICFR assurance becomes more routine, a natural governance question arises for Boards, CFOs, and Audit Committees: does the way ICFR assurance is being executed reflect the assurance level ultimately reported?

    This is not a technical debate; rather, it is a governance consideration that goes directly to proportionality, cost discipline and expectation setting between auditors and Boards, and the credibility of what ICFR assurance communicates to the market.

    The Significance of the Limited Assurance Starting Point

    From inception, ICFR assurance in Nigeria was deliberately framed by FRCN as a limited assurance engagement under ISAE 3000 (Revised). That design reflected regulatory judgement balancing improved governance oversight against market readiness, implementation burden, and cost efficiency.

    A limited assurance model is intended to:

    • provide moderate assurance in negative form, using procedures less extensive than those required for reasonable assurance; and
    • avoid conclusions that imply sustained operating effectiveness comparable to US SOX‑style regimes.

    This starting logic is important, as it defines both what ICFR assurance is designed to achieve and what it is not.

    What the Independent ICFR Attestation Report Signals

    Independent ICFR attestation reports consistently emphasize three elements:

    • negative form conclusions (“nothing has come to our attention…”);
    • explicit acknowledgment that procedures performed are less extensive than those required for reasonable assurance; and
    • clear differentiation between limited and reasonable assurance.

    These disclosures are not incidental. They establish the boundary conditions of the engagement and shape market expectations about the level of comfort being provided.

    From a governance perspective, this framing naturally prompts a simple question: should the experience of an ICFR review materially exceed what the final report itself can support?

    Where Practical Tensions Arise

    In practice, ICFR engagements often involve procedures that feel more extensive than what stakeholders typically associate with limited assurance. Operating effectiveness activities are frequently embedded within ICFR workstreams.

    Such procedures are well understood and entirely appropriate when used deliberately to support audit reliance strategies under ISA 330. However, they serve a specific audit objective and are not intrinsically required to support a negative assurance conclusion on ICFR.

    This raises a legitimate governance reflection:

    If an ICFR engagement culminates in a limited assurance conclusion regardless of whether operating effectiveness exceptions are identified, how should Audit Committees interpret the role and necessity of those procedures?

    The issue is not whether such work can be performed, but whether it is essential to the assurance outcome being reported.

    Proportionality, Cost, and Clarity

    As ICFR becomes more embedded, Boards and management increasingly bear the cost of ongoing assurance activity. With that comes a fiduciary obligation to ensure proportionality.

    From a governance standpoint:

    • assurance scope should be clearly traceable to stated objectives;
    • methodology choices should be distinguishable from mandatory requirements; and
    • cost should align with the level of assurance ultimately expressed to the market.

    Where these lines blur, there is a risk that ICFR assurance evolves through habit rather than deliberate governance intent.

    A Forward-Looking Question for the Nigerian Market

    The evolution of practice also raises a broader policy question—one that may become unavoidable over time:

    If ICFR execution increasingly resembles reasonable assurance behaviour in substance, should the assurance level remain limited in form?

    Conversely, if limited assurance remains the intended endpoint, what additional discipline is required to ensure that execution remains consistent with that intent?

    These are not questions for auditors alone. They fall squarely within the responsibility of regulators, Audit Committees, and Boards charged with safeguarding reporting integrity and cost efficiency.

    Closing Reflection

    ICFR assurance should mean exactly what it states in the report — no more, no less.

    As ICFR practices mature, the real test of governance will not be how much work is performed, but how deliberately assurance scope, assurance level, and cost are aligned. When execution quietly exceeds what reporting can support, clarity is lost, accountability weakens, and value becomes harder to demonstrate.

    For CFOs and Audit Committees, the task ahead is neither resistance nor automatic acceptance. It is intentional oversight: returning to first principles, interrogating scope with precision, and ensuring that ICFR assurance evolves as a disciplined governance tool, not a matter of habit or momentum.

    In that discipline lies both credibility and confidence.


    Written by Akeem Taofik – FCA

  • Stransact and Doftwerks Achieve ISO/IEC 27001:2022 Certification, Setting the Benchmark for Secure NRS E-Invoicing in Nigeria

    Stransact and Doftwerks Achieve ISO/IEC 27001:2022 Certification, Setting the Benchmark for Secure NRS E-Invoicing in Nigeria

    Stransact, a leading professional services firm and RSM correspondent in Nigeria, together with its technology subsidiary, Doftwerks, has achieved ISO/IEC 27001:2022 certification, the globally recognised standard for information security management systems (ISMS).

    This milestone affirms the firms’ adherence to the highest international standards for data protection, confidentiality, integrity, and availability, and positions Stransact and Doftwerks at the forefront of secure, enterprise-grade compliance solutions supporting the Nigeria Revenue Service (NRS) e-invoicing mandate.

    ISO/IEC 27001:2022 is regarded as the gold standard for information security governance, requiring organisations to implement rigorous controls across people, processes, and technology. Certification confirms that Stransact and Doftwerks have established a comprehensive, independently audited framework to identify, manage, and mitigate information security risks across all operations.

    “ISO/IEC 27001:2022 certification is not a badge; it is an operating discipline,” said Eben Joels, Managing Partner at Stransact. “For our clients—particularly CFOs, CIOs, and compliance leaders—this provides board-level assurance that sensitive financial and transactional data is protected in line with the most demanding global standards. It also reinforces our commitment to supporting the NRS e-invoicing regime with solutions that are not only compliant, but secure by design.”

    As Nigeria advances the implementation of mandatory electronic invoicing, data security and system resilience have become critical concerns for businesses operating at scale. Through Doftwerks, Stransact delivers technology-enabled compliance solutions that integrate seamlessly with enterprise finance systems while meeting regulatory and security expectations.

    “Security is foundational to trust in any digital tax infrastructure,” said Tunde Awopegba, Chief Technology Officer at Doftwerks. “This certification validates the robustness of our platforms and internal controls, and gives clients confidence that their data is handled with the same level of care expected in leading global markets.”

    What the Certification Means for Clients

    The ISO/IEC 27001:2022 certification provides tangible benefits to organisations engaging Stransact and Doftwerks, including:

    • Regulatory confidence in meeting NRS e-invoicing and broader data protection expectations
    • Reduced information security risk across financial, tax, and transactional data
    • Enterprise-grade governance and controls aligned with international best practices
    • Assurance for boards, investors, and regulators on data integrity and confidentiality
    • A trusted partner for organisations operating in highly regulated or data-sensitive environments

    By embedding information security into service delivery and technology architecture, Stransact and Doftwerks continue to differentiate themselves as trusted advisors at the intersection of regulation, technology, and risk management.

    About Stransact

    Stransact is a multidisciplinary professional services firm providing audit, tax, advisory, transaction support, and regulatory compliance services to local and international clients. As an RSM correspondent firm in Nigeria, Stransact combines deep local expertise with global standards to support organisations navigating complex regulatory and business environments.

    About Doftwerks

    Doftwerks is the technology subsidiary of Stransact, delivering secure, scalable digital solutions across tax compliance, finance transformation, and regulatory technology. The firm specialises in building enterprise-grade platforms that align with both Nigerian regulatory requirements and international best practices.

  • 5 Must-Reads for Forward-Thinking Leaders

    5 Must-Reads for Forward-Thinking Leaders

    At Stransact, we remain aligned to the ever-evolving landscape of business, regulation, and industry developments. Our weekly insights are designed to equip you with the foresight and clarity to make informed decisions and lead with impact.

    Filing your Personal Income Tax (PIT) is more than a statutory obligation; it’s a fundamental civic duty that supports national development. Learn the essentials of PIT compliance, common pitfalls to avoid, and how to ensure you stay on the right side of the law with ease.

    Nigeria’s e-invoicing rollout marks a decisive shift toward a transparent, efficient, and digitally governed tax system. Explore how this reform is backed by statutory authority and phased implementation that will reshape how businesses document, validate, and report transactions.

    For many insurers, IFRS 17 has long been seen as a complex reporting requirement. However, market leaders are shifting perspective, treating it as a management system rather than just an accounting standard. Discover how forward-thinking organizations are leveraging IFRS 17 to enhance decision-making, improve financial transparency, and gain a competitive edge.

    A tax system that commands respect is one built on predictability, transparency, and the rule of law. Understand the implications of Nigeria’s evolving tax laws and what they reveal about the balance between regulatory authority and taxpayer rights.

    Data protection is no longer optional; it’s a critical business priority. Discover why proactive organizations investing in strong data protection frameworks today are positioning themselves for long-term success in an increasingly digital economy.

    Follow Stransact for weekly insights on the future of business, finance, and regulation in Nigeria.

  • IFRS 17 in Nigeria: The Shift from Compliance Burden to Strategic Advantage

    IFRS 17 in Nigeria: The Shift from Compliance Burden to Strategic Advantage

    As insurers move further into their IFRS 17 journey, one thing is now clear: The conversation has moved beyond compliance. The real question is: “How do we turn IFRS 17 into a competitive advantage?”

    Across Nigeria, insurers have now completed at least one full-year reporting cycle under IFRS 17 (2023 FY), consistent with global adoption timelines and with transition activity already reported by Nigerian insurers such as Leadway Assurance and others. The insights emerging from the 2024 and 2025 cycles show a striking pattern: the market leaders are the companies treating IFRS 17 as a management system, not an accounting project.

    Why IFRS 17 Matters More in Nigeria’s 2026 Economy

    With FX volatility, inflationary pressure, higher discount rates, and rising capital costs, the insurance sector needs a clearer economic lens. IFRS 17 provides exactly that by:

    • Replacing premium‑based revenue with service‑based revenue
    • Converting unearned profit into a visible liability: the Contractual Service Margin (CSM)
    • Requiring cohort‑level discipline that exposes pricing strength (or weakness) early
    • Improving comparability and investor confidence through consistent reporting

    This is the level of transparency global investors and rating agencies expect.

    The Biggest Mindset Shift: From Premium Volume → To Earned‑Value Profitability

    Under legacy accounting, profitability could be flattered by cash inflow.
    Under IFRS 17, this disappears.

    Instead, finance leaders now get:

    • CSM as a forward‑earnings reservoir

    It tells the truth about long‑term profitability, not just what happened this quarter.

    • Risk Adjustment as a volatility indicator

    A direct measure of uncertainty and risk appetite.

    • Coverage Units as the engine of profit release

    A methodology that needs strong governance and clear Board oversight.

    Where the Winners Are Emerging: CFOs Who Treat IFRS 17 Data as Strategy

    The best‑performing insurers are using IFRS 17 insights to:

    1. Refine product pricing before underpricing becomes a balance‑sheet problem
    2. Redesign reinsurance treaties using CSM, RA and cohort analytics, not negotiations alone
    3. Strengthen claims performance through clearer loss‑component identification
    4. Improve capital planning and dividend forecasts with more predictable earnings visibility
    5. Communicate with Boards and investors using business‑ready IFRS 17 dashboards instead of technical jargon

    These are the companies moving from compliance to competitive edge.

    Audit Reality: Integration Is the Make‑or‑Break Factor

    Across the 2025/2026 audit cycles, we’ve seen one constant:

    Where actuarial engines and finance systems are not aligned, IFRS 17 becomes a reconciliation nightmare. But where integration is strong:

    • Month‑end closes improve
    • Audit exceptions reduce
    • Regulatory questions are easier to answer
    • CFOs spend time on strategy, not troubleshooting

    This is where real value is unlocked.

    The Leadership Imperative for 2026

    IFRS 17 is not just a technical standard. It is a leadership standard. To lead in today’s market, finance executives must:

    • Treat CSM movement as a strategic KPI
    • Build a unified Actuarial–Finance “single source of truth”
    • Define Board‑friendly dashboards for CSM, RA, and cohort profitability
    • Link IFRS 17 insights into pricing, capital, claims, and reinsurance
    • Strengthen governance around coverage units and assumption changes

    This is how insurers differentiate themselves as the market consolidates and competition intensifies.

    Call to Action for CFOs & Finance Directors

    As we head into the 2026 reporting cycle, ask yourself:

    • Are you leveraging IFRS 17 to reshape your profit story or only to comply?
    • Is your CSM movement aligned with strategic decisions?
    • Are actuarial and finance speaking the same language?
    • Do your Board and investors understand your IFRS 17 narrative?
    • Are you using IFRS 17 data to drive pricing, capital allocation, and reinsurance strategy?

    If you see breakthroughs or friction points, we’d love to hear them.

    Drop your insights in the comments or send us a mail at [email protected]. Let’s turn IFRS 17 from a requirement into a strategic weapon for the Nigerian insurance industry.

  • Your Tax, Your Responsibility: A Practical Guide to Personal Income Tax Filing in Nigeria

    Your Tax, Your Responsibility: A Practical Guide to Personal Income Tax Filing in Nigeria

    Filing your Personal Income Tax (PIT) in Nigeria is more than a statutory obligation; it is a fundamental civic duty. It ensures that individuals contribute equitably to national development while protecting themselves from the legal and financial consequences of non‑compliance. Whether you are a salaried employee, a business owner, or earn income from multiple sources, understanding your personal tax obligation is essential.

    With the annual PIT filing deadline set for 31 March, this guide provides a clear and practical overview of:

    • Who is required to file a return
    • How and where to file
    • Key documentation required
    • The consequences of non‑compliance under the Nigeria Tax Administration Act, 2025

    Who Is Required to File Personal Income Tax?

    In Nigeria, every taxable person is required to file an annual Personal Income Tax return, regardless of whether tax has already been deducted at source.

    1. Employees under the PAYE System

    If you are in paid employment, your employer deducts tax monthly under the Pay‑As‑You‑Earn (PAYE) system and remits it to the relevant State Internal Revenue Service (IRS). However, PAYE deductions do not eliminate your obligation to file an annual return.

    An annual filing is required to formally declare your income and confirm your tax position. Additional tax may become payable where:

    • You earned income outside your employment (e.g. rental income, consulting fees, investments), or
    • Your employer under‑deducted tax during the year.

    2. Self‑Employed Individuals and Business Owners

    If you are self‑employed, such as a freelancer, consultant, contractor, or business owner, no taxes are deducted on your behalf. You are therefore personally responsible for:

    • Computing your tax liability
    • Paying the tax due
    • Filing your annual Personal Income Tax return

    Failure to do so exposes you to penalties and limits your access to important business and financial opportunities.

    Step‑by‑Step Guide to Filing Personal Income Tax

    Step 1: Determine Your Tax Residency

    Your tax residency determines where you are required to file and pay tax.

    • Resident Individuals

      If you live or work in a Nigerian state for 183 days or more in a year, you are deemed resident in that state and must file with its State IRS. An individual is also deemed to be resident in Nigeria if any of the following is met:

      • They serve as a Nigerian diplomat, diplomatic agent, or government employee posted abroad, OR
      • They have a permanent home available in Nigeria for domestic use, OR
      • They have a habitual place of abode in Nigeria, OR
      • They are a Nigerian who earns income from employment or business exercised wholly or partly in Nigeria, OR
      • They have substantial economic and immediate family ties in Nigeria.

    • Non‑Residents

      These are individuals who do not meet any of the above criteria for determining residency. However, individuals living outside Nigeria but earning income sourced from Nigeria may still have Nigerian tax obligations, subject to applicable tax rules.

    Step 2: Compute Your Taxable Income

    Your taxable income includes all income earned during the year, such as:

    • Salaries, wages, bonuses, allowances, and commissions
    • Business or professional income
    • Rental income
    • Investment income (dividends, interest, etc.)
    • Any other taxable income earned within the year

    Nigeria operates a progressive tax system, meaning higher income attracts higher tax rates, but only on the portion of income that falls within each tax band.

    Step 3: Pay the Tax Due

    Once your tax liability has been determined, payment can be made through any of the following channels:

    • Your State Internal Revenue Service’s online portal
    • Bank deposits using the appropriate state revenue code
    • Remita or other government‑approved payment platforms

    It is critical to retain proof of payment, as this will be required during filing and for future tax verification.

    Step 4: File Your Annual Tax Return (On or Before 31 March)

    By law, individuals must file their Personal Income Tax returns on or before 31 March each year, covering income earned in the preceding year.

    To file, you will typically need:

    • Pay slips or income statements.
    • Financial statements (for business owners).
    • Bank statements (where applicable).
    • Rental agreements (if applicable).
    • Investment documentation.
    • Evidence of tax payments made.

    Returns may be filed through:

    • Your State IRS e-filing portal.
    • Physical submission at the State IRS office.
    • Completion and submission of the Taxpayer Self‑Assessment Form (Form A) available on your State IRS website.

    Tax Clearance Certificate (TCC): Why It Matters

    Upon filing and settling your taxes, you may apply for a Tax Clearance Certificate (TCC). A TCC is official evidence that your tax affairs are in order and is commonly required for:

    • Government contracts and tenders
    • Business registration and regulatory approvals
    • Visa and immigration applications
    • Loan and credit facilities
    • Property and high‑value transactions

    Without proper tax filing, obtaining a TCC can be delayed or denied.

    Penalties for Late or Non‑Filing

    Section 101 of the Nigeria Tax Administration Act, 2025 provides that a taxable person who fails to file returns, or knowingly files incomplete or inaccurate returns, is liable to administrative penalties as follows:

    • ₦100,000 for the first month of default, and
    • ₦50,000 for each subsequent month the failure continues

    These penalties apply irrespective of whether tax is eventually paid.

    Conclusion

    Personal Income Tax compliance is not merely a regulatory formality. It safeguards you from penalties, strengthens your financial credibility, and unlocks access to critical personal and business opportunities. Proactive compliance today prevents costly consequences tomorrow.

    Your tax. Your responsibility. Your compliance.