Category: Audit

The introduction of Management’s Assessment of Internal Control over Financial Reporting (ICFR) under the Financial Reporting Council of Nigeria (FRCN) regime represents a fundamental shift in governance accountability. At its core, ICFR is intended to strengthen governance, reinforce management ownership, and enhance the reliability of financial statements signed by those charged with preparing them.

Yet in practice, a subtle but significant scope creep has emerged.

Many organisations, often guided by auditors or ICFR consultants, define the scope of management’s ICFR assessment using external audit materiality thresholds and quantitatively driven, trial‑balance logic. What begins as a governance exercise gradually morphs into a compliance‑heavy process that closely resembles a substantive audit without delivering commensurate governance value.

This trend risks obscuring the true purpose of ICFR.

Management’s Assessment Is Not an Audit Extension

The FRCN framework is clear in its separation of responsibilities: ICFR is a management assessment, while the auditor’s role is to attest to management’s assessment—not to own, design, or redefine ICFR.

Management is responsible for designing, implementing, maintaining, evaluating, and certifying ICFR. The Board and Audit Committee provide oversight and challenge. The external auditor expresses an independent limited assurance conclusion on management’s assessment, without the engagement being positioned or understood as a reasonable assurance audit of internal controls, or being treated as equivalent to one.

Under the current Nigerian regime, external involvement in ICFR typically takes the form of a negative‑form, limited assurance conclusion, performed as at the reporting date. Evidence depth is scaled to the risk of a material weakness and not to demonstrate consistent operation of controls throughout the period.

The issue is role clarity: when external assurance considerations are allowed to define management’s ICFR scope by default, the distinction between management assessment and auditor attestation becomes blurred.

The Assurance Ceiling: More Effort, Same External Messaging

A critical concept for Boards and executive management is the assurance ceiling.

Under a limited assurance ICFR model, expanding management’s ICFR scope or increasing testing depth does not change the level of assurance communicated to users. The external conclusion remains limited assurance and continues to be expressed with reference to management’s assessment as at the reporting date.

Accordingly, where management elects to adopt more granular scoping or deeper testing, this should be a deliberate governance decision grounded in internal risk mitigation or decision‑useful insight rather than driven by an expectation of incremental assurance outcomes.

This distinction matters because the cost of ICFR should be justified by meaningful risk reduction, not by the volume of testing performed.

Reframing Materiality: Back to the Primary User (With Discipline)

ICFR scoping should be guided not by spreadsheets alone, but by the principles in IFRS Practice Statement 2: Making Materiality Judgements.

PS2 reminds us that information is material only if it could reasonably be expected to influence the decisions of primary users of financial statements. This introduces an essential qualitative dimension to ICFR scoping.

Management is required to ask a simple but powerful question:

If a control failure affected this line item, would a rational investor or lender change their assessment of our financial position or performance?

For many routine, high‑volume, mechanistic balances, the honest answer may be “not likely.” While such balances may be quantitatively significant, they may not be decision‑useful in the same way as judgment‑laden estimates, revenue recognition judgments, tax uncertainties, or complex transactions.

However, an inspection‑defensible ICFR approach requires management to confront a second, often overlooked question:

Even if this balance is not decision‑useful in isolation, could control failures in this process lead to accumulated misstatement risk?

Where management scopes out granular testing based on qualitative materiality, inspection discipline requires explicit evaluation and documentation of:

1. the risk of accumulation, and
2. the entity‑level or monitoring controls relied upon to mitigate that risk.

A top‑down, risk‑based ICFR methodology beginning at the financial‑statement level and cascading to significant accounts and relevant controls supports this judgment while remaining transparent to auditor challenge.

The Strategic Role of Entity‑Level Controls (ELCs)—With Precision

A Well‑designed entity‑level controls (ELCs), such as governance oversight and analytical review controls, can provide effective assurance over routine balances. However, defensible reliance on ELCs requires discipline: they must demonstrate sufficient precision, frequency, and documented follow‑up to detect material misstatements on a timely basis.

This is not an argument for weaker controls. It is an argument for smarter control architecture.

Where ELCs are precise, well‑documented, and consistently applied, management can legitimately reduce granular testing driven primarily by audit convention rather than risk relevance while remaining fully aligned with a top‑down, risk‑based ICFR approach.

Re‑centering Management Ownership

To meet the spirit of the FRCN framework, organisations must move from a compliance‑defensive mindset to a governance‑conscious one. Three practical resets are critical:

1. Define management’s own ICFR materiality and scoping framework, rather than defaulting to substantive audit thresholds.
2. Prioritise risk, judgment, and susceptibility to misstatement (including fraud and accumulation risk), not just balance size.
3. Use ELCs intelligently and only where they demonstrate the precision and evidence required to support inspection‑defensible reliance.

Conclusion: ICFR as Stewardship, Not Shadow Auditing

ICFR was never intended to be an extension of the external audit. It is a statement of management stewardship, ownership, and accountability for the integrity of financial reporting.

Ultimately, ICFR reflects how Boards and executive management discharge their fiduciary responsibility over financial reporting independent of the audit process. By grounding ICFR scoping in IFRS materiality principles and applying a disciplined top‑down, risk‑based methodology, management can focus effort where it truly matters, enhancing decision‑useful reporting for primary users while keeping audit‑driven clutter firmly in check.

The mandate is clear: reclaim ICFR as a governance tool, not an audit shadow.

---

Written by Akeem Taofik – FCA

Nigeria did not fail IFRS adoption. But the quality of IFRS reporting has not advanced at the same pace as compliance. IFRS adoption is largely complete, but IFRS maturity may now be the defining risk. The consequences of that gap are now becoming visible. What we have achieved in practice is compliance, while IFRS fundamentally requires judgment. 

The Promise vs Reality 

When IFRS was adopted, the expectation was clear: Better reporting should lead to better decisions. 

More than a decade later, a more fundamental question must now be asked: Have we improved how we report or primarily what we report? The answer to that question matters because it directly shapes our readiness for IFRS S1 and S2. 

A Simple but Revealing Test 

Recently, I reviewed the financial statements of 138 out of 146 listed entities on the Nigerian Exchange (NGX) across the Main and Growth Boards. 

The focus was deliberately narrow:
Material accounting policies. 

A consistent and observable pattern emerged: 

• Extensive use of standardised language across entities 

• Limited evidence of entity-specific articulation of accounting judgments 

• In some instances, wording that appeared largely unchanged from pre-IFRS reporting frameworks 

These are public interest entities, operating under full IFRS for over a decade. 

Yet: Entity-specific, judgment-driven disclosure yet the core principle of IFRS is still uneven in practice. 

This level of uniformity is fundamentally inconsistent with a principles-based, entity-specific reporting framework. It suggests that, in many cases, disclosure is being standardised where judgment should be differentiated. 

This matters beyond compliance and it directly affects how investors interpret the underlying economics of these entities. 

What This Signals 

This is not primarily a compliance issue. It reflects a structural reality: IFRS adoption is largely complete. But IFRS maturity may now be uneven and in some areas underdeveloped. 

This same maturity gap may now represent the central risk for IFRS S1 and S2 

A Broader Context 

This pattern is not unique, and similar concerns have been observed globally: 

• Financial statements often contain significant volumes of information without proportional insight 

• Disclosure requirements are frequently applied using a checklist mindset rather than a judgment-based approach 

• Boilerplate disclosures can reduce the clarity and usefulness of financial reporting 

Now Consider IFRS S1 and S2 

Nigeria is transitioning toward mandatory sustainability disclosure standards. 

IFRS S1 and S2 represent a step change in expectations: 

• Forward-looking information 

• Integration with strategy 

• Explicit articulation of risks and opportunities 

• Linkage to financial performance 

This is not a routine extension of financial reporting; it is a step change in expectation. It shifts reporting from explaining the past to demonstrating future resilience. In doing so, it brings financial reporting closer to business strategy than ever before. 

The Key Question 

Against current reporting practices, the critical question becomes: How prepared are we for disclosures that depend even more heavily on judgment than IFRS financial statements?  

A Likely Early Outcome 

If reporting practices do not evolve sufficiently, the early phase will likely exhibit familiar characteristics: 

• High-level policy statements 

• General sustainability commitments 

• Limited quantification or financial linkage 

In practical terms: 

There is a strong likelihood that at least in the early stages of transitioning from financial reporting boilerplate to sustainability reporting boilerplate. 

Why This Risk Exists 

This is not about intent; it reflects how systems and incentives operate. 

1. Compliance-Oriented Reporting

Reporting is often assessed based on: 

• Completeness 

• Alignment with standards 

Less emphasis is placed on: 

• Decision-usefulness 

This encourages reporting that meets requirements but not necessarily insight. 

2. Sensitivity Around Judgment

IFRS S1 and S2 require: 

• Assumptions 

• Estimates 

• Forward-looking analysis 

In high-scrutiny environments, entities tend to favor: Conservative and generalised disclosures 

3. Assurance Focus

Historically, assurance prioritises whether disclosures are present more than whether disclosures are decision-useful, entity-specific, and reflective of underlying economic realities 

An Important Shift 

Market evidence increasingly suggests a changing dynamic: 

• Investors are placing greater emphasis on understanding sustainability-related risks and opportunities 

• At the same time, concerns are growing regarding the credibility and consistency of sustainability disclosures 

The result is a widening credibility gap in sustainability reporting. Reliance without trust is a fragile foundation for capital allocation. This creates a structural tension: Greater reliance on sustainability reporting combined with increased scrutiny of its quality. 

Nigeria: Progress and Tension 

Nigeria is making measurable progress: 

• Advancing IFRS S1 and S2 implementation frameworks 

• Building institutional capacity 

• Aligning with global reporting developments 

However, adoption momentum currently exceeds reporting maturity. This raises a critical question: whether implementation timelines are moving faster than organisational readiness. 

This creates a fundamental tension: Accelerated adoption alongside evolving disclosure capability 

So, Are We Ready? 

Short answer: Not fully, not yet. 

A complete answer: Readiness will ultimately be defined by how quickly reporting practices evolve beyond compliance toward informed judgment. 

What Will Define Success 

This is where leadership and not standards will make the difference. The difference will lie in how organisations respond both strategically and operationally. The differentiator will not be adoption. 

It will be credibility. Organizations that succeed will demonstrate: 

1. Clear Linkage to Financial Impact

Not just: statements of intent, but: explicit articulation of how sustainability risks affect financial performance 

2. Stronger Governance of Narrative Reporting

Boards and Audit Committees will need to: 

• Engage deeply with disclosures 

• Challenge assumptions 

• Demand clarity and relevance 

3. Integration of Reporting

Sustainability disclosures must: 

• Connect to financial reporting 

• Be measurable and auditable 

• Support decision-making 

4. Evolution in Assurance

Assurance frameworks must evolve from: completeness checks, to assessment of relevance, coherence, and consistency.

Final Thought 

IFRS delivered important structural improvement. However, disclosure quality has not always advanced at the same pace. IFRS S1 and S2 provide a significant opportunity: Not just to report more but to report more meaningfully. 

The core risk is no longer non-compliance. It is replicating compliance-driven reporting without sufficient insight. And ultimately: Markets do not reward disclosure alone rather they reward clarity, consistency, and credible, decision-useful, and actionable insights. 

---

Written by Akeem Taofik – FCA

In modern governance, independence is often misunderstood as standing back—a polite distance maintained to avoid “interfering” with management. In reality, true governance excellence demands something much harder: Active Neutrality. 

Active Neutrality reframes independence from detachment to disciplined engagement without ownership, influence without control, courage without bias.

Risk Intelligence Is a Governance Asset

Internal Audit does not and should not make commercial or financial decisions; that responsibility rests with management. 

Active Neutrality recognises, however, that Internal Audit is uniquely positioned to assess whether the organisation’s current risk posture remains aligned with actual exposure, especially as conditions evolve. 

When Internal Audit uses data to challenge whether current caution (or lack thereof) remains proportionate, it is not directing outcomes; it is enhancing decision context. 

The distinction between ownership of decisions and transparency of risk is the foundation of Active Neutrality.

Timing: The Difference Between a Diagnosis and an Autopsy

Risk insight delivered after a scheduled audit may confirm history.
Risk insight delivered at the point of decision shapes the future. 

In high‑velocity environments, waiting for predetermined audit cycles means: 

• behavioral patterns harden, 

• value‑preserving adjustments are missed, and 

• remediation becomes a reactive cost rather than a preventive strategy. 

A perfect autopsy report doesn’t save the patient it only explains the funeral. 

Active Neutrality requires Internal Audit to engage at the speed of execution, providing timely, data‑driven challenge without assuming managerial authority.

Independence Through Clarity, Not Distance

There is a persistent Independence Trap where Internal Audit hesitates to provide real‑time insight to “protect” objectivity. This is a misunderstanding of the role. 

Independence is not a mandate for silence.
It is a shield that allows the auditor to speak truth to power while the risk is still manageable. 

Independence is strengthened not weakened when Internal Audit: 

• grounds challenge in objective data, 

• avoids ownership of outcomes, and 

• escalates concerns without waiting for the “proper” quarterly window. 

The Three Principles of Active Neutrality 

These ideas crystallise into three practical principles: 

• Zero Ownership of Decisions: Identifying that an initiative is drifting off‑track is not “managing” it. It is reporting on the health of the asset. 
• Zero Dilution of Facts: Independence means reporting facts as they are, not as they become comfortable. Filtering insight to preserve relationships weakens governance. 
• Zero Waiting for the “Window”: If a material risk is crystallising today, waiting for next quarter’s report is a governance failure and not prudence. 

The Bottom Line for the Board 

The Board’s oversight is strong when Internal Audit is neutral in judgment, but courageous in timing. 

An Internal Audit function practising Active Neutrality protects both downside risk and missed opportunity without compromising objectivity. 

If Internal Audit is staying quiet to “stay independent,” it is not protecting the process; it is hiding from it. 

A Final Reflection 

After decades of leading audit teams and managing complex audits, one truth remains: the most valuable independence is not found in the organisational chart. 

It is found in the willingness to be the first person in the room to say, “This doesn’t look right” long before the formal report is due. 

Is your Internal Audit team empowered to be that voice? 

---

Written by Akeem Taofik – FCA

Most Boards intuitively understand speed.  If the business is moving at 100 mph and Internal Audit is constrained by static annual planning cycles is moving at 20 mph, the Assurance Gap widens every day. 

This is not a capability issue; it is a velocity mismatch. 

The Execution Blind Spot 

Risks that emerge during execution, market shifts, operational shortcuts, or behavioral drift rarely wait for the next formal audit cycle. Yet, these are exactly the risks most likely to bypass assurance entirely. 

When Internal Audit is tethered to a “point-in-time” plan, they are essentially looking at a map of where the business was, while the business is already driving through new, unmapped territory. 

The Governance Reality Check 

In a high-velocity environment: 

• Accuracy without timeliness does not protect value; it merely explains losses after the fact. 

• Retrospective assurance provides a perfect autopsy, but the Board needs a diagnosis while the patient is still on the table. 

The real governance question for modern Boards is no longer: “Was the audit done well?” It is: “Did the insight arrive in time to matter?” 

The Bottom Line 

Modern assurance is not about auditing more. It is about auditing at the speed of the business. Governance excellence requires a shift from “periodic validation” to “continuous intelligence.” If your audit function isn’t moving at the speed of your strategy, you aren’t just independent, you’re out of the loop. 

A Final Reflection

As a professional who has led audit teams and managed complex statutory audits for decades, I’ve observed a consistent truth: the most valuable “independence” isn’t found in the organizational chart. It is found in the auditor’s willingness to be the first person in the room to say, “This doesn’t look right” long before the formal report is due. 

Is your Internal Audit team empowered to be that voice? 

---

Written by Akeem Taofik – FCA

In many Boardrooms, independence is rightly treated as the ultimate safeguard of Internal Audit.  Yet increasingly, independence is interpreted even within Internal Audit itself as a reason for detachment. 

When independence becomes a wall that delays engagement with emerging risks until a formal audit cycle begins, it does not strengthen governance. It creates a visibility lag one that Boards should care deeply about. 

Understanding the Visibility Lag 

The IIA Global Internal Audit Standards (2024) encourage agile and continuous auditing and explicitly align Internal Audit with enterprise objectives and risk. However, in practice, many Internal Audit functions still operate on rigid annual or semi‑annual “big‑bang” audit plans. 

What this means is that audit plans often reflect the risks management identified and embedded within enterprise objectives at the point of strategy setting. As execution unfolds, management pivots in real time but Internal Audit remains tethered to a point‑in‑time risk assessment. 

The consequence is a timing gap: while the business adapts at speed, Internal Audit insight arrives later, bound by planning cycles. This creates a governance blind spot, where the most dangerous risks those that emerge during execution are the least likely to be audited in time. 

Boards intuitively understand this challenge. If the business is moving at 100 mph and Internal Audit is constrained by planning cycles is moving at 20 mph, the assurance gap widens every day. 

Objectivity of Judgment ≠ Isolation of Timing 

Independence exists to protect objectivity of judgment, not to justify a wait‑and‑see posture. A perfect autopsy report doesn’t save the patient; it only explains the funeral. 

Accuracy without timeliness is a wasted investment. From a governance perspective, assurance that arrives too late may still be technically correct—but strategically irrelevant. 

Boards should therefore ask a simple but critical question: 

“Is our Internal Audit function staying silent on emerging risks to protect independence or providing the real‑time risk intelligence needed to protect the organisation?” 

Three Provocations for Audit Committees 

1. Risk Intelligence Is Not Management Interference

   Identifying an emerging exposure: such as operations scaling ahead of a signed contract is not an operational decision.
   It is risk intelligence. 

• The trap is viewing proactive signaling as encroachment.
• The reality is that objectivity is compromised when auditors decide, not when they highlight risk. 

2. The Danger of “Autopsy” Governance

   When Internal Audit limits itself to post‑event validation, Boards are left with explanations rather than protection. A perfect autopsy report doesn’t save the patient, rather it only explains the funeral. 

In high‑velocity environments, assurance that arrives months after risk emerges may be technically correct, but strategically irrelevant. 

• The provocation for Boards is simple:
  “Do we value retrospective accuracy more than independent foresight?” 

3. Reframing the Mandate

   Independence should be the shield that allows Internal Audit to:

• speak truth to power in real time, 

• challenge management assumptions before they harden into failures, 

• escalate concerns without hiding behind the “proper” quarterly window, and 

• practice active neutrality: independence is not passive neutrality; it is the fearless, factual reporting of risks as they develop. 

The Bottom Line 

Independence should be a shield, not a hideout.  An Internal Audit function that waits until risk manifests may remain independent in form
but risks becoming irrelevant in substance.

True governance excellence requires Internal Audit to be independent in mind but integrated in timing.

---

Written by Akeem Taofik – FCA

If you run a Nigerian subsidiary of a multinational and still think Section 57 of Nigeria’s updated corporate tax regime is just “one more calculation,” you’re already behind. Yes, Section 57 introduces a 15% minimum effective tax rate (ETR), neutralizing the benefit of incentives where they depress tax outcomes below the threshold. But the arithmetic is not the real story.

Section 57 is a governance signal

It marks the end of an era where local tax outcomes could be exceptional, lightly governed, and explained after the numbers were already consolidated.

The Comfort That Is Now Gone

For years, many Nigerian subsidiaries operated with quiet confidence. Incentives justified low ETRs. Group headquarters accepted Nigeria as a “special case.” Where questions arose, explanations typically came after the numbers were final.

 Section 57 disrupts that comfort

It now asks a tougher question, one that cannot be deferred: Can Nigeria’s tax outcome be clearly and credibly defended to Group Tax and the Audit Committee without relying on technical footnotes?

If the answer is no, the challenge is not tax complexity.

Why This Is a GRC Issue (Before It’s a Tax One)

From a Governance, Risk, and Compliance (GRC) perspective, Section 57 is not a tax rule; it is a stress test for control maturity, particularly Internal Control over Financial Reporting (ICFR).

Why?

The minimum tax threshold anchors directly to Profit Before Tax (PBT) as reported in audited financial statements. Once that linkage exists, tax is no longer a downstream calculation. It becomes a direct reflection of how disciplined or fragile the financial close process really is.

In practice:

• Weak controls become earnings risk: Volatile PBT caused by late adjustments, weak accrual discipline, inconsistent judgments, or provisioning gaps now creates immediate fiscal and reputational exposure.

• Tax risk moves upstream: Tax outcomes are no longer “managed” after close. They are shaped by how well financial reporting is governed in real time.

• ICFR maturity is exposed: Where tax has been treated as a compliance appendix rather than a governed outcome, Section 57 makes the deficiency visible.

This is how good regulation works. It reveals institutional weaknesses without prescribing the fix.

Audit Friction Is No Longer Tolerated

Historically, tax incentives could often survive scrutiny through post‑hoc explanations. In the Section 57 environment, credibility is defined by the audit trail.

Incentives that are not:

• clearly owned,

• embedded in control design, and

• supported by inspectable evidence

will struggle under Group‑level review or external audit scrutiny.

Persistent “audit friction” is no longer an irritation. It is a governance signal.

The Strategic Shift: From Compliance to Control

High‑maturity organisations are already pivoting. The change is subtle but decisive:

From: “Nigeria is compliant because our incentives are legal.”

To: “Nigeria is controlled because its ETR is deliberate, monitored, and explainable.”

This shift must happen before consolidation, not as a reconciliation exercise after Group questions arise. In a multinational environment, unexplained local volatility is not a local issue, it is an enterprise risk.

The Question That Now Defines Credibility

For CFOs and GRC leaders, the defining question has changed:

If Group Tax or the Audit Committee asked today, ‘Why is Nigeria’s ETR what it is?’ would the response be a spreadsheet model or a governance framework embedded in ICFR?

One signals calculation, the other signals control.

Final Thought

Section 57 is not asking Nigerian subsidiaries to be perfect, it is asking them to be credible.

Credibility does not come from technical explanations delivered after consolidation. It comes from discipline, alignment, and governance maturity.

If Nigeria is still being explained after the fact rather than positioned deliberately within the Group’s governance architecture, Section 57 isn’t the problem.

Your GRC maturity is.

Written by Akeem Taofik – FCA

In governance, discomfort is not always a warning sign it can be a signal worth listening to. As ICFR assurance becomes more established in Nigeria, some Boards and CFOs experience a persistent unease not because anything is demonstrably wrong, but because something no longer sits comfortably. The scope feels heavier than expected. The effort feels closer to reasonable assurance than limited assurance. The logic between work performed and conclusions reported feels less tidy than before.

In governance, that discomfort deserves attention.

Discomfort Often Emerges Before Failure

A well‑functioning governance systems rarely fail without warning. More often, signals appear early in the form of questions that linger, costs that are harder to explain, or execution patterns that no longer align intuitively with first principles.

In the context of ICFR assurance, discomfort may surface when:

• Execution effort materially exceeds what the assurance conclusion can support.
• scope expands incrementally without explicit Board discussion; or
• Management can no longer clearly articulate why additional procedures are being performed, beyond precedent.

These moments are not indicators of non‑compliance. They are indicators of governance tension.

When Discomfort Points to a Loss of Intentionality

Discomfort is particularly instructive when it reveals that:

• a Board did not consciously choose the current assurance depth.
• methodology has evolved through repetition rather than decision; or
• The assurance model being experienced no longer reflects the one originally approved.

In such cases, unease is not resistance, it is a signal that intentional ownership may have eroded.

Governance strength lies not in eliminating discomfort, but in understanding what it is reacting to.

Discomfort Is an Invitation, not a Verdict

Importantly, feeling uneasy does not compel immediate change.

It invites examination:

• Is the current ICFR execution still proportionate to our risk profile?
• Does the incremental work provide comfort we genuinely value?
• Are we implicitly moving toward a reasonable‑assurance posture without naming it?
• If circumstances changed, could we confidently recalibrate scope?

When Boards can engage these questions openly, discomfort becomes productive rather than destabilising.

The Risk of Ignoring Discomfort

Where discomfort is consistently deferred, two governance risks emerge:

• drift, where practice gradually moves beyond intent without accountability; and
• inertia, where future change becomes harder because the status quo hardens into perceived necessity.

Over time, what was once a mild unease can evolve into rigidity precisely the opposite of good governance.

A Discipline Worth Developing

Just as comfort can be a governance outcome when consciously chosen, discomfort can be a governance asset when properly interpreted.

It encourages Boards and Audit Committees to:

• revisit first principles without presuming error.
• distinguish between regulatory requirement and inherited practice; and
• maintain agency over assurance models, rather than inheriting them passively.

In this sense, discomfort is not a call to disrupt but a call to reengage.

Closing Reflection

ICFR assurance will continue to mature. For some Boards, that journey will feel settled. For others, it will surface questions that resist easy answers.

When discomfort arises, the objective is not to resolve it quickly, but to understand it thoroughly. In that understanding lies the capacity to decide consciously, proportionately, and with confidence whether the present course still serves the organisation’s governance intent.

Discomfort, well‑handled, is not a threat to governance.

---

Written by Akeem Taofik – FCA

Not every Audit Committee or CFO is unsettled by the current approach to ICFR assurance. For some organisations, the status quo feels appropriately understood, defensible, and aligned with their broader risk posture.

That position deserves recognition.

Governance is not about relentless change. It is about informed choices. Where Boards have consciously elected to accept broader ICFR execution than what a limited‑assurance conclusion strictly requires, the critical question is not whether that choice is right or wrong, but whether it is clearly understood, intentionally owned, and periodically revisited.

Comfort Can Be Rational and Still Require Oversight

There are legitimate reasons why Boards may be comfortable with current ICFR execution practices:

• Higher levels of assurance effort can feel safer in uncertain regulatory or market environments
• Additional procedures may reduce perceived audit friction or inspection risk
• Costs may be proportionate to organisational scale and complexity
• The approach may align with global group practices or long‑standing auditor relationships

None of these drivers is inherently problematic. Comfort, however, is not a substitute for clarity.

Good governance asks not only “Are we comfortable?” but also: “Do we fully understand what we are approving—and why?”

The Risk Is Not Over‑Execution, but Unexamined Execution

Choosing to tolerate or even welcome expanded ICFR procedures is a defensible governance stance. The risk arises when that expansion becomes default behavior, rather than an explicitly articulated decision.

Over time, unexamined execution can:

• harden into perceived regulatory necessity,
• blur the distinction between limited and reasonable assurance, and
• make future scope or cost recalibration more difficult to justify.

In such cases, the Board may remain comfortable yet gradually lose intentional control over the assurance model it is sponsoring.

What Good Ownership Looks Like in Practice

For Boards that deliberately prefer the status quo, strong governance is demonstrated by being able to clearly articulate:

• Why the current ICFR scope exceeds the minimum required for limited assurance.
• what incremental comfort that additional work is intended to provide.
• how comfort aligns with the assurance conclusion ultimately reported; and
• under what conditions the approach would be reconsidered.

When these questions are answerable, comfort becomes a governance outcome, not a governance blind spot.

A Discipline Worth Preserving

ICFR assurance will continue to evolve through regulatory refinement, market practice, and organisational maturity. Boards that are comfortable today are not obligated to lead that change.

They are, however, custodians of intentionality.

Whether maintaining the current model or reshaping it over time, the enduring marker of sound governance is not alignment with best practice trends, but clarity of purpose, proportionality of execution, and readiness to reengage first principles when circumstances change.

Comfort, when consciously chosen, can coexist with strong governance.
Comfort, when inherited and unexamined, rarely does.

---

Written by Akeem Taofik – FCA

As assurance becomes more routine, it may be worth pausing to reflect on whether execution, scope, and reported assurance levels remain coherently aligned.
Sharing a governance reflection below.

Internal Control over Financial Reporting (ICFR) is now firmly embedded in Nigeria’s financial reporting framework under the oversight of the Financial Reporting Council of Nigeria (FRCN). As ICFR assurance becomes more routine, a natural governance question arises for Boards, CFOs, and Audit Committees: does the way ICFR assurance is being executed reflect the assurance level ultimately reported?

This is not a technical debate, but rather, it is a governance consideration that goes directly to proportionality, cost discipline and expectation setting between auditors and Boards, and the credibility of what ICFR assurance communicates to the market.

The Significance of the Limited Assurance Starting Point

From inception, ICFR assurance in Nigeria was deliberately framed by FRCN as a limited assurance engagement under ISAE 3000 (Revised). That design reflected regulatory judgement balancing improved governance oversight against market readiness, implementation burden, and cost efficiency.

A limited assurance model is intended to:

• provide moderate assurance in negative form, using procedures less extensive than those required for reasonable assurance; and
• avoid conclusions that imply sustained operating effectiveness comparable to US SOX style regimes.

This starting logic is important, as it defines both what ICFR assurance is designed to achieve and what it is not.

What the Independent ICFR Attestation Report Signals

Independent ICFR attestation reports consistently emphasize three elements:

• negative form conclusions (“nothing has come to our attention…”).
• explicit acknowledgment that procedures performed are less extensive than those required for reasonable assurance; and
• clear differentiation between limited and reasonable assurance.

These disclosures are not incidental. They establish the boundary conditions of the engagement and shape market expectations about the level of comfort being provided.

From a governance perspective, this framing naturally prompts a simple question: should the experience of an ICFR review materially exceed what the final report itself can support?

Where Practical Tensions Arise

In practice, ICFR engagements often involve procedures that feel more extensive than what stakeholders typically associate with limited assurance. Operating effectiveness activities are frequently embedded within ICFR workstreams.

Such procedures are well understood and entirely appropriate when used deliberately to support audit reliance strategies under ISA 330. However, they serve a specific audit objective and are not intrinsically required to support a negative assurance of ICFR conclusion.

This raises a legitimate governance reflection:

If an ICFR engagement culminates in a limited assurance conclusion regardless of whether operating effectiveness exceptions are identified, how should Audit Committees interpret the role and necessity of those procedures?

The issue is not whether such work can be performed, but whether it is essential to the assurance outcome being reported.

Proportionality, Cost, and Clarity

As ICFR becomes more embedded, Boards and management increasingly bear the cost of ongoing assurance activity. With that comes a fiduciary obligation to ensure proportionality.

From a governance standpoint:

• assurance scope should be clearly traceable to stated objectives.
• methodology choices should be distinguishable from mandatory requirements; and
• cost should align with the level of assurance ultimately expressed to the market.

Where these lines blur, there is a risk that ICFR assurance evolves through habit rather than deliberate governance intent.

A Forward-Looking Question for the Nigerian Market

The evolution of practice also raises a broader policy question—one that may become unavoidable over time:

If ICFR execution increasingly resembles reasonable assurance behaviour in substance, should the assurance level remain limited in form?

Conversely, if limited assurance remains the intended endpoint, what additional discipline is required to ensure that execution remains consistent with that intent?

These are not questions for auditors alone. They fall squarely within the responsibility of regulators, Audit Committees, and Boards charged with safeguarding reporting integrity and cost efficiency.

Closing Reflection

ICFR assurance should mean exactly what it states in the report — no more, no less.

As ICFR practices mature, the real test of governance will not be how much work is performed, but how deliberately assurance scope, assurance level, and cost are aligned. When execution quietly exceeds what reporting can support, clarity is lost, accountability weakens, and value becomes harder to demonstrate.

For CFOs and Audit Committees, the task ahead is neither resistance nor automatic acceptance. It is intentional oversight returning to first principles, interrogating scope with precision, and ensuring that ICFR assurance evolves as a disciplined governance tool, not a matter of habit or momentum.

In that discipline lies both credibility and confidence.

---

Written by Akeem Taofik – FCA

As insurers move further into their IFRS 17 journey, one thing is now clear: The conversation has moved beyond compliance. The real question is: “How do we turn IFRS 17 into a competitive advantage?”

Across Nigeria, insurers have now completed at least one full-year reporting cycle under IFRS 17 (2023 FY) consistent with global adoption timelines and transition activity already reported by Nigerian insurers such as Leadway Assurance and others; the insights emerging from the 2024 and 2025 cycles show a striking pattern: The market leaders are the companies treating IFRS 17 as a management system, not an accounting project.

Why IFRS 17 Matters More in Nigeria’s 2026 Economy

With FX volatility, inflationary pressure, higher discount rates, and rising capital costs, the insurance sector needs a clearer economic lens. IFRS 17 provides exactly that by:

• Replacing premium‑based revenue with service‑based revenue
• Converting unearned profit into a visible liability: the Contractual Service Margin (CSM)
• Requiring cohort‑level discipline that exposes pricing strength (or weakness) early
• Improving comparability and investor confidence through consistent reporting

This is the level of transparency global investors and rating agencies expect.

Read more: Your Tax, Your Responsibility: A Practical Guide to Personal Income Tax Filing in Nigeria

The Biggest Mindset Shift: From Premium Volume → To Earned‑Value Profitability

Under legacy accounting, profitability could be flattered by cash inflow.
Under IFRS 17, this disappears.

Instead, finance leaders now get:

• CSM as a forward‑earnings reservoir

It tells the truth about long‑term profitability, not just what happened this quarter.

• Risk Adjustment as a volatility indicator

A direct measure of uncertainty and risk appetite.

• Coverage Units as the engine of profit release

A methodology that needs strong governance and clear Board oversight.

Where the Winners Are Emerging: CFOs Who Treat IFRS 17 Data as Strategy

The best‑performing insurers are using IFRS 17 insights to:

1. Refine product pricing before underpricing becomes a balance‑sheet problem
2. Redesign reinsurance treaties using CSM, RA and cohort analytics not negotiations alone
3. Strengthen claims performance through clearer loss‑component identification
4. Improve capital planning and dividend forecasts with more predictable earnings visibility
5. Communicate with Boards and investors using business‑ready IFRS 17 dashboards instead of technical jargon

These are the companies moving from compliance to competitive edge.

Audit Reality: Integration Is the Make‑or‑Break Factor

Across the 2025/2026 audit cycles, we’ve seen one constant:

Where actuarial engines and finance systems are not aligned, IFRS 17 becomes a reconciliation nightmare. But where integration is strong:

• Month‑end closes improve
• Audit exceptions reduce
• Regulatory questions are easier to answer
• CFOs spend time on strategy, not troubleshooting

This is where real value is unlocked.

Read more: NRS Rolls Out Nationwide E-Invoicing Regime What It Means for Nigerian Businesses

The Leadership Imperative for 2026

IFRS 17 is not just a technical standard. It is a leadership standard. To lead in today’s market, finance executives must:

• Treat CSM movement as a strategic KPI
• Build a unified Actuarial–Finance “single source of truth”
• Define Board‑friendly dashboards for CSM, RA, and cohort profitability
• Link IFRS 17 insights into pricing, capital, claims, and reinsurance
• Strengthening governance around coverage units and assumption changes

This is how insurers differentiate themselves as the market consolidates and competition intensifies.

 Call to Action for CFOs & Finance Directors

As we head into the 2026 reporting cycle, ask yourself:

• Are you leveraging IFRS 17 to reshape your profit story or only to comply?
• Is your CSM movement aligned with strategic decisions?
• Are actuarial and finance speaking the same language?
• Do your Board and investors understand your IFRS 17 narrative?
• Are you using IFRS 17 data to drive pricing, capital allocation, and reinsurance strategy?

If you see breakthroughs or friction points, we did love to hear them.

Drop your insights in the comments or send us a mail at [email protected]. Let’s turn IFRS 17 from a requirement into a strategic weapon for the Nigerian insurance industry.