The introduction of Management’s Assessment of Internal Control over Financial Reporting (ICFR) under the Financial Reporting Council of Nigeria (FRCN) regime represents a fundamental shift in governance accountability. At its core, ICFR is intended to strengthen governance, reinforce management ownership, and enhance the reliability of financial statements signed by those charged with preparing them.
Yet in practice, a subtle but significant scope creep has emerged.
Many organisations, often guided by auditors or ICFR consultants, define the scope of management’s ICFR assessment using external audit materiality thresholds and quantitatively driven, trial‑balance logic. What begins as a governance exercise gradually morphs into a compliance‑heavy process that closely resembles a substantive audit without delivering commensurate governance value.
This trend risks obscuring the true purpose of ICFR.
Management’s Assessment Is Not an Audit Extension
The FRCN framework is clear in its separation of responsibilities: ICFR is a management assessment, while the auditor’s role is to attest to management’s assessment—not to own, design, or redefine ICFR.
Management is responsible for designing, implementing, maintaining, evaluating, and certifying ICFR. The Board and Audit Committee provide oversight and challenge. The external auditor expresses an independent limited assurance conclusion on management’s assessment, without the engagement being positioned or understood as a reasonable assurance audit of internal controls, or being treated as equivalent to one.
Under the current Nigerian regime, external involvement in ICFR typically takes the form of a negative‑form, limited assurance conclusion, performed as at the reporting date. Evidence depth is scaled to the risk of a material weakness and not to demonstrate consistent operation of controls throughout the period.
The issue is role clarity: when external assurance considerations are allowed to define management’s ICFR scope by default, the distinction between management assessment and auditor attestation becomes blurred.
The Assurance Ceiling: More Effort, Same External Messaging
A critical concept for Boards and executive management is the assurance ceiling.
Under a limited assurance ICFR model, expanding management’s ICFR scope or increasing testing depth does not change the level of assurance communicated to users. The external conclusion remains limited assurance and continues to be expressed with reference to management’s assessment as at the reporting date.
Accordingly, where management elects to adopt more granular scoping or deeper testing, this should be a deliberate governance decision grounded in internal risk mitigation or decision‑useful insight rather than driven by an expectation of incremental assurance outcomes.
This distinction matters because the cost of ICFR should be justified by meaningful risk reduction, not by the volume of testing performed.
Reframing Materiality: Back to the Primary User (With Discipline)
ICFR scoping should be guided not by spreadsheets alone, but by the principles in IFRS Practice Statement 2: Making Materiality Judgements.
PS2 reminds us that information is material only if it could reasonably be expected to influence the decisions of primary users of financial statements. This introduces an essential qualitative dimension to ICFR scoping.
Management is required to ask a simple but powerful question:
If a control failure affected this line item, would a rational investor or lender change their assessment of our financial position or performance?
For many routine, high‑volume, mechanistic balances, the honest answer may be “not likely.” While such balances may be quantitatively significant, they may not be decision‑useful in the same way as judgment‑laden estimates, revenue recognition judgments, tax uncertainties, or complex transactions.
However, an inspection‑defensible ICFR approach requires management to confront a second, often overlooked question:
Even if this balance is not decision‑useful in isolation, could control failures in this process lead to accumulated misstatement risk?
Where management scopes out granular testing based on qualitative materiality, inspection discipline requires explicit evaluation and documentation of:
- the risk of accumulation, and
- the entity‑level or monitoring controls relied upon to mitigate that risk.
A top‑down, risk‑based ICFR methodology beginning at the financial‑statement level and cascading to significant accounts and relevant controls supports this judgment while remaining transparent to auditor challenge.
The Strategic Role of Entity‑Level Controls (ELCs)—With Precision
A Well‑designed entity‑level controls (ELCs), such as governance oversight and analytical review controls, can provide effective assurance over routine balances. However, defensible reliance on ELCs requires discipline: they must demonstrate sufficient precision, frequency, and documented follow‑up to detect material misstatements on a timely basis.
This is not an argument for weaker controls. It is an argument for smarter control architecture.
Where ELCs are precise, well‑documented, and consistently applied, management can legitimately reduce granular testing driven primarily by audit convention rather than risk relevance while remaining fully aligned with a top‑down, risk‑based ICFR approach.
Re‑centering Management Ownership
To meet the spirit of the FRCN framework, organisations must move from a compliance‑defensive mindset to a governance‑conscious one. Three practical resets are critical:
- Define management’s own ICFR materiality and scoping framework, rather than defaulting to substantive audit thresholds.
- Prioritise risk, judgment, and susceptibility to misstatement (including fraud and accumulation risk), not just balance size.
- Use ELCs intelligently and only where they demonstrate the precision and evidence required to support inspection‑defensible reliance.
Conclusion: ICFR as Stewardship, Not Shadow Auditing
ICFR was never intended to be an extension of the external audit. It is a statement of management stewardship, ownership, and accountability for the integrity of financial reporting.
Ultimately, ICFR reflects how Boards and executive management discharge their fiduciary responsibility over financial reporting independent of the audit process. By grounding ICFR scoping in IFRS materiality principles and applying a disciplined top‑down, risk‑based methodology, management can focus effort where it truly matters, enhancing decision‑useful reporting for primary users while keeping audit‑driven clutter firmly in check.
The mandate is clear: reclaim ICFR as a governance tool, not an audit shadow.
Written by Akeem Taofik – FCA
Leave a Reply