Key features of ICFR and related design challenges are described below.
(a) Segregation of duties – The term “segregation of duties” refers to one or more employees or procedures acting as a check and balance on the activities of another so that no one individual has control over all steps of processing a transaction or other activity. Assigning different people responsibility for authorizing transactions, recording transactions, reconciling information and maintaining custody of assets reduces the opportunity for any one employee to conceal errors or perpetrate fraud in the normal course of his or her duties. Segregating duties also increases the chance of discovering inadvertent errors early. If an issuer has few employees, a single employee may be authorized to initiate, approve and effect payment for transactions and it might be difficult to re-assign responsibilities to segregate those duties appropriately.
(b) Board expertise – An effective board objectively reviews management’s judgments and is actively engaged in shaping and monitoring the issuer’s control environment. An issuer might find it challenging to attract directors with the appropriate financial reporting expertise, objectivity, time, ability and experience.
(c) Controls over management override – An issuer might be dominated by a founder or other strong leader who exercises a great deal of discretion and provides personal direction to other employees. Although this type of individual can help an issuer meet its growth and other objectives, such concentration of knowledge and authority could allow the individual an opportunity to override established policies or procedures or otherwise reduce the likelihood of an effective control environment.
(d) Qualified personnel – Sufficient accounting and financial reporting expertise is necessary to ensure reliable financial reporting and the preparation of financial statements in accordance with the issuer’s GAAP. Some issuers might be unable to obtain qualified accounting personnel or outsourced expert advice on a cost-effective basis. Even if an issuer obtains outsourced expert advice, the issuer might not have the internal expertise to understand or assess the quality of the outsourced advice. If an issuer consults on technically complex accounting matters, this consultation alone is not indicative of a deficiency relating to the design of ICFR.
An issuer’s external auditor might perform certain services (e.g., income tax, valuation or internal audit services), where permitted by auditor independence rules, that provide skills which would otherwise be addressed by hiring qualified personnel or outsourcing expert advice from a party other than the external auditor. This type of arrangement should not be considered to be a component of the issuer’s ICFR design.
If an issuer identifies one or more of these ICFR design challenges, additional involvement by the issuer’s audit committee or board of directors could be a suitable compensating control or alternatively could mitigate risks that exist as a result of being unable to remediate a material weakness relating to the design challenge. The control framework the certifying officers use to design ICFR could include further information on these design challenges. See section 9.1 of the Policy for a discussion of compensating controls versus mitigating procedures.