Not every Audit Committee or CFO is unsettled by the current approach to ICFR assurance. For some organisations, the status quo feels appropriately understood, defensible, and aligned with their broader risk posture.
That position deserves recognition.
Governance is not about relentless change. It is about informed choices. Where Boards have consciously elected to accept broader ICFR execution than what a limited‑assurance conclusion strictly requires, the critical question is not whether that choice is right or wrong, but whether it is clearly understood, intentionally owned, and periodically revisited.
Comfort Can Be Rational and Still Require Oversight
There are legitimate reasons why Boards may be comfortable with current ICFR execution practices:
- Higher levels of assurance effort can feel safer in uncertain regulatory or market environments
- Additional procedures may reduce perceived audit friction or inspection risk
- Costs may be proportionate to organisational scale and complexity
- The approach may align with global group practices or long‑standing auditor relationships
None of these drivers is inherently problematic. Comfort, however, is not a substitute for clarity.
Good governance asks not only “Are we comfortable?” but also: “Do we fully understand what we are approving—and why?”
The Risk Is Not Over‑Execution, but Unexamined Execution
Choosing to tolerate or even welcome expanded ICFR procedures is a defensible governance stance. The risk arises when that expansion becomes default behavior, rather than an explicitly articulated decision.
Over time, unexamined execution can:
- harden into perceived regulatory necessity,
- blur the distinction between limited and reasonable assurance, and
- make future scope or cost recalibration more difficult to justify.
In such cases, the Board may remain comfortable yet gradually lose intentional control over the assurance model it is sponsoring.
What Good Ownership Looks Like in Practice
For Boards that deliberately prefer the status quo, strong governance is demonstrated by being able to clearly articulate:
- Why the current ICFR scope exceeds the minimum required for limited assurance.
- what incremental comfort that additional work is intended to provide.
- how comfort aligns with the assurance conclusion ultimately reported; and
- under what conditions the approach would be reconsidered.
When these questions are answerable, comfort becomes a governance outcome, not a governance blind spot.
A Discipline Worth Preserving
ICFR assurance will continue to evolve through regulatory refinement, market practice, and organisational maturity. Boards that are comfortable today are not obligated to lead that change.
They are, however, custodians of intentionality.
Whether maintaining the current model or reshaping it over time, the enduring marker of sound governance is not alignment with best practice trends, but clarity of purpose, proportionality of execution, and readiness to reengage first principles when circumstances change.
Comfort, when consciously chosen, can coexist with strong governance.
Comfort, when inherited and unexamined, rarely does.
Written by Akeem Taofik – FCA
Leave a Reply