Internal Control over Financial Reporting (ICFR)




Central Bank Guidelines on Internal Control over Financial Reporting


The State Bank of Pakistan, vide its BSD Circular No. 7 dated May 27, 2004, has issued guidelines on internal control over financial reporting for all banks / DFIs (the "SBP Internal Control Guidelines"). To ensure consistency in the process of compliance with the internal control guidelines, SBP, vide BSD Circular No. 5 dated Feb 24, 2009, has provided a roadmap (the "SBP road map") identifying the various activities / stages involved in the internal control program. The requirements of each stage of the roadmap have been further elaborated through Annexure B of OSED Circular No. 1 dated Feb 7, 2004.


Governance of Internal Control for Financial Reporting System

An internal control system consists of five components:


Control environment:

The control environment is the mixture of policies, processes, and structures that provides the basis for carrying out internal control within the organization. The Board and senior management establish the culture that demonstrates the importance of internal control in the organization. The control environment includes the integrity and ethical values of the organization.

Risk assessment:

Risk is an event that, if it occurs, may affect the objectives of the organization. The process of risk assessment is designed to identify the threats that may affect the organization and to identify the controls that are necessary to address those risks.

Control activities:

Control activities are the actions, in the form of policies and procedures, that management takes to protect the organization from threats.

Information and communication:

This is the process of identifying, capturing, and exchanging information from internal and external sources in order to support the functioning of internal control. Communicating the risk areas that are relevant to the staff is an important means of risk awareness.


Monitoring:

The monitoring process evaluates the quality of internal controls over time and reports the deficiencies.



Implementation of ICFR can be achieved in eight stages.


I Process and control documentation
II Identification of gaps and recommendations
III Development of detailed Remediation / Implementation Plans
IV Development of Management Testing Plan (for Key Controls identified)
V Implementation of project initiatives as planned
VI Quality Assurance / Validation on the Initiatives taken
VII Conduct of Management Testing of Key Controls and Reporting of Results
VIII Review by External Auditors


Tasks performed in each ICFR stage


Each stage and its description is followed by a summary of the tasks performed.

I Process and Control Documentation

  1. Scoping of accounts on the basis of materiality.
  2. Understanding and documenting processes with identification of controls (activity level controls).
  3. Documenting entity level controls.
  4. Documentation of risks and key controls in Risk and Control Matrices (RCM).

II & III Identification of Gaps & Recommendations

  1. Identification of gaps during the review of activity level and entity level controls.
  2. Providing recommendations for gap filling.
  3. Timelines for the recommendations.

IV & VII Testing Strategy & Testing of Key Controls

  1. Development of testing strategy and plans.
  2. Testing of controls identified in stage I.
  3. Preparation of reports on exceptions identified during testing.

V & VI Design and Implementation Review

  1. Review of the progress on implementation plans highlighted in stages II & III.
  2. Review of tasks performed by the departments assigned.
  3. Checking whether tasks were carried out as documented.

VIII Review by External Auditors

  1. Checking of all documents prepared and re-testing.




Entity Level Controls:

These controls set the tone of the organization’s overall system of internal control. Their influence on financial statement assertions can affect the nature, timing and extent of testing of process level controls. These controls are documented in stage I.

The entity level controls (ELC) are as follows:

  1. Human Resource
  2. IT Governance and IT Security
  3. Finance
  4. Corporate Affairs (Legal)
  5. Internal Audit
  6. Strategy
  7. Marketing
  8. International Business
  9. Administration
  10. Business Continuity Plans
  11. Risk Management
  12. Treasury
  13. Compliance


Activity Level Controls: (for Insurance Company)

Insurance companies are required to document the process for identifying the processes / sub-processes that are covered in the company’s process flow documentation.

The core and support activities are as follows:

Core Business Activities

  1. Claims (includes motor, general, health and life)
  2. Underwriting (includes motor, general, health and life)
  3. Reinsurance
  4. Investments


Support Activities

  1. VAT (value added tax)
  2. Procurement
  3. Working Capital Management
  4. Payroll & Admin Expenses



Ali Murtaza
