What are management's responsibilities related to internal control over financial reporting?

Companies set up an ICFR (internal control over financial reporting) strategy, establish policies and procedures for internal control, assess the control environment and risks of material misstatement of financial statements, monitor and approve transactions, test a sample of transactions, and issue ICFR report certifications by the CEO and CFO filed as part of their 10-K.

Companies establish internal control systems with policies and procedures that include segregation of duties, invoice document matching, and authorizations and approvals. For proper separation of duties, the same employee isn’t handling assets like cash and recording accounting transactions for revenue, costs, assets, expenses, and other expenditures. 

Businesses establish a control environment that includes the corporate culture, an ethical executive management tone that encourages proper financial reporting, and the Audit Committee’s review of the financial statements as a source of high-level oversight. 

ICFR relates to the preparation of financial statements and includes data security requirements.

The financial statements should be internally reviewed, including authorizing journal entries, reconciling accounts to the general ledger, comparing financial statements to the underlying accounting records, and evaluating reasonableness through an analytic review. 

FP&A procedures like trend analysis, ratio computation, and variance analysis comparing actual with budgeted amounts should be scrutinized as another check on financial statement accuracy.

Management performs its assessment of internal control over financial statements annually. Management of public companies reports in the 10-K the results regarding reasonable assurance of the operating effectiveness of ICFR at the business.

Quarterly, management assesses whether any material changes in its ICFR have occurred. In Form 10-Q reports filed with the SEC, management must disclose that it has responsibility for establishing and maintaining ICFR. It must also include any changes to ICFR that have materially affected, or are likely to materially affect, its ICFR.

All public companies (registrants) must include management’s report on internal control over financial reporting in their Form 10-K annual report filed with the SEC, per SOX 404(a). The SEC requires publicly traded companies with at least $100 million in revenue to have their auditors complete a separate attestation of ICFR (internal control over financial reporting) and also include the auditor attestation report in their Form 10-K.

The company must disclose material weaknesses in internal control in its SEC filing. The company should have procedures to remediate internal control deficiencies, particularly those deemed significant deficiencies or material weaknesses, the most severe classification of ICFR deficiency.

Internal control is all of the policies and procedures management uses to achieve the following goals.

  • Safeguard University assets - well designed internal controls protect assets from accidental loss or loss from fraud.
  • Ensure the reliability and integrity of financial information - Internal controls ensure that management has accurate, timely and complete information, including accounting records, in order to plan, monitor and report business operations.
  • Ensure compliance - Internal controls help to ensure the University is in compliance with the many federal, state and local laws and regulations affecting the operations of our business.
  • Promote efficient and effective operations - Internal controls provide an environment in which managers and staff can maximize the efficiency and effectiveness of their operations.
  • Accomplishment of goals and objectives - Internal control systems provide a mechanism for management to monitor the achievement of operational goals and objectives.


Management Responsibility: Administrative management is responsible for maintaining an adequate system of internal control. Management is responsible for communicating the expectations and duties of staff as part of a control environment. They are also responsible for assuring that the other major areas of an internal control framework are addressed.

Staff Responsibility: Staff and operating personnel are responsible for carrying out the internal control activities set forth by management.

Framework for Internal Control

The framework of a good internal control system includes:

  • Control environment: A sound control environment is created by management through communication, attitude and example. This includes a focus on integrity, a commitment to investigating discrepancies, diligence in designing systems and assigning responsibilities.
  • Risk Assessment: This involves identifying the areas in which the greatest threat or risk of inaccuracies or loss exist. To be most efficient, the greatest risks should receive the greatest amount of effort and level of control. For example, dollar amount or the nature of the transaction (for instance, those that involve cash) might be an indication of the related risk.
  • Monitoring and Reviewing: The system of internal control should be periodically reviewed by management. By performing a periodic assessment, management assures that internal control activities have not become obsolete or lost due to turnover or other factors. They should also be enhanced to remain sufficient for the current state of risks.
  • Information and communication: The availability of information and a clear and evident plan for communicating responsibilities and expectations is paramount to a good internal control system.
  • Control activities: These are the activities that occur within an internal control system. These are fully described in the next section.

Internal Control Activities and Best Practices

Internal control activities are the policies and procedures as well as the daily activities that occur within an internal control system. A good internal control system should include the control activities listed below. These activities generally fit into two types of activities.

  1. Preventive: Preventive control activities aim to deter the occurrence of errors or fraud. Preventive activities include thorough documentation and authorization practices. Preventive control activities prevent undesirable "activities" from happening, and thus require well thought out processes and risk identification.
  2. Detective: Detective control activities identify undesirable "occurrences" after the fact. The most obvious detective control activity is reconciliation.

The control activities, each with its own best practices, are:

  • Authorization
  • Documentation
  • Reconciliation
  • Security
  • Separation of Duties

Other Internal Control Best Practices

With a good internal control system in place, other considerations to keep in mind include:

  • Regularly communicate updates and reminders of policies and procedures to staff through emails, staff meetings and other communication methods.
  • Periodically assess risks and the level of internal control required to protect University assets and records related to those risks. Document the process for review, including when it will take place. (Example: Determine that all security activities, reconciliation processes and separation of duties will be reviewed annually. They will, however, be staggered. Security activities will be reviewed in July, reconciliation in September and separation of duties in March.)
  • Management is responsible for making sure that all staff are familiar with University policies and changes in those policies.

Additional Information

Washington State Office of Financial Management's guide to internal control and auditing