What’s the difference between a financial report you can trust and one that exposes your business risk? It all comes down to strong internal controls. Internal controls over financial reporting (ICFR) ensure accuracy, transparency, and compliance in an unpredictable business world. For publicly listed businesses in Canada, compliance with National Instrument 52-109 (NI 52-109 or CSOX) and its companion policy is essential for ensuring financial statements are accurate, reliable, timely, and free from material misstatements.
Yet, maintaining strong ICFR is not just about meeting regulatory obligations. It’s about promoting shareholder confidence, preventing financial restatements, and reinforcing governance in an environment where business operations, workforce structures, and technology are constantly shifting.
Financial leaders — particularly CEOs and CFOs (i.e., the certifying officers) — must stay ahead of risks that could affect the integrity of the organization’s financial reporting. A lack of oversight, anti-fraud controls, or accurate financial reporting can expose organizations to risk and result in deficiencies that must be disclosed in management’s discussion and analysis (MD&A) reports.
By taking a proactive approach, businesses can mitigate risk through effective financial reporting controls, enabling them to make informed decisions. Here are the key areas where organizations can reinforce their ICFR programs while improving overall business resilience.
Managing the risk of control failures

As business operations evolve, so do the risks associated with financial reporting control failures. Organizations must ensure that control processes remain consistent and effective, even when dealing with:
- Remote or hybrid work arrangements that limit direct oversight,
- Resource constraints affecting finance teams and internal auditors, and
- Process disruptions from structural changes or new financial reporting systems.

Inconsistent execution of controls increases the likelihood of financial reporting errors. If material, these errors must be disclosed publicly in regulatory filings and MD&A reports. Common control lapses include:
- Reconciliation delays due to fewer staff managing financial close processes,
- Reduced segregation of duties, increasing fraud and error risks,
- Limited oversight of manual journal entries or financial adjustments, and
- Poor internal control frameworks following system implementations.

Effective strategies to prevent control failures
- Conduct regular internal audits to identify gaps in control design and execution,
- Strengthen management oversight of financial reporting cycles, and
- Implement real-time monitoring for critical financial reporting controls, such as tracking manual journal entries, ensuring timely reconciliations, and reviewing segregation of duties to mitigate fraud and error risks.

Enhancing sub-certification processes

Organizations often use sub-certification as a safeguard, requiring senior officers to confirm the accuracy of financial data before final CEO/CFO certification. As business structures become more decentralized, sub-certification processes become more important for maintaining accountability.

Optimizing sub-certification for better oversight
- Establish clear accountability frameworks for senior officers,
- Increase the frequency and scope of certification sign-offs, and
- Utilize digital certification tools to improve tracking and documentation.

A robust sub-certification process enables better governance and oversight, ensuring transparency so that leadership remains fully informed about emerging financial reporting risks and can make informed business decisions.

Leveraging automation and IT general controls (ITGC)

The shift toward enterprise resource planning (ERP) systems, automation, and cloud-based financial tools is transforming ICFR programs. While automation can promote accurate, reliable, and timely financial reporting, it also introduces new IT-related risks that organizations must address.

Automated processes increase reliance on ITGCs, including:
- User access control and segregation of access (ensuring only authorized personnel can make changes),
- Approval hierarchies embedded in financial system workflows,
- Change management protocols (governing system modifications), and
- Data integrity checks (validating automated financial transactions).

It’s also important to consider where a company relies on a third-party provider for components of its financial reporting. Best practice for businesses that outsource financial processes (e.g., payroll, procurement, IT services) is to require and assess service organization controls (SOC) reports from third-party relationships where reliance is placed on outsourced processes and controls. These reports help organizations map third-party controls to their risk management frameworks.

Steps for strengthening IT general controls
- Conduct IT control assessments to evaluate automation risks,
- Ensure SOC report reviews are integrated into ICFR evaluations, and
- Implement continuous monitoring for automated transactions and determine which complementary user entity controls are being relied upon to mitigate financial reporting risks.

Conducting comprehensive fraud risk assessments

Fraud is an ongoing concern for businesses of all sizes. Financial pressure, organizational changes, and operational disruptions can create opportunities for fraud, bribery, and financial misstatements. A strong fraud risk management framework enables organizations to detect and mitigate fraudulent activities before they impact financial reporting.

Here’s a four-step approach to fraud risk management:
- Establish a fraud risk management program:
  - Define clear anti-fraud policies and communicate them organization-wide.
- Conduct comprehensive fraud risk assessments:
  - Identify vulnerabilities, assess fraud risks specific to the business, and implement anti-fraud controls.
- Implement detective controls:
  - Strengthen internal oversight and introduce fraud detection techniques like whistleblower programs and artificial intelligence (AI)/data analytics.
- Develop an investigation and response plan:
  - Ensure a coordinated approach to responding to and handling identified fraud incidents.

Common fraud risks impacting ICFR
- Financial statement fraud (inflated revenue, understated expenses, and managing the bottom line due to incentive programs tied to financial performance).
- Bribery and corruption (kickbacks, false customer transactions, improper vendor payments, and fictitious employees).
- Embezzlement and asset misappropriation (unauthorized fund transfers and a lack of safeguards over assets).

Proactive measures for enhancing enterprise risk management and business resilience

Enterprise risk management (ERM) plays a crucial role in supporting ICFR compliance and overall business resilience. Strong entity-level controls — such as governance oversight, an ethical tone at the top, and a well-defined risk management framework — form the foundation of an effective ICFR program. ERM is one critical component of this framework, helping organizations take a proactive approach to financial reporting risks. As low-probability, high-impact events become more prevalent, businesses need to shift how they identify, assess, and mitigate emerging threats in order to maintain financial integrity and stakeholder confidence.

Key areas of focus for ERM include:
- Cyber security risks affecting data integrity and the safeguarding of financial assets.
- Third-party vendor risks impacting outsourced financial controls.
- Regulatory changes requiring updated compliance strategies.
- Heightened reporting requirements to external stakeholders on risks facing the organization.

How to build a resilient ERM program
- Integrate financial reporting risk assessments into broader ERM frameworks,
- Have in place a robust and agile business resilience program supported by a business continuity and disaster recovery plan,
- Conduct regular scenario planning to stress-test financial controls,
- Establish cross-functional management for governance oversight,
- Implement a third-party risk management program that includes identifying material vendor relationships and obtaining SOC reports, and
- Maintain a cyber security program that considers the cyber risks facing the organization, leveraging prevention and detection tools and techniques.

By prioritizing ERM and ICFR, organizations can confidently navigate stakeholder expectations and regulatory requirements and adapt to dynamic market challenges.
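Several of the controls discussed in this article (user access control, approval hierarchies embedded in workflows, segregation of duties, data integrity checks on transactions, and timely reconciliations) can be expressed as automated detective checks run over the journal-entry and reconciliation records a finance system already produces. The following Python script is an added example, not code from the article or its author; the role model, approval tiers, reconciliation grace period, and the journal entries and reconciliations it checks are all constructed for illustration.

```python
"""Detective ICFR checks over constructed journal-entry and reconciliation records.

Added example for illustration only. The role model, tiers and sample records
below are assumptions, not a real organisation's policy or data.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed role model: which user holds which finance role (constructed).
USER_ROLES = {
    "alice": "gl_clerk", "bob": "fin_manager", "carol": "controller",
    "dana": "cfo", "eve": "sales_rep",
}
POSTING_ROLES = {"gl_clerk", "fin_manager", "controller"}   # may post to the GL
APPROVER_TIERS = {"fin_manager": 1, "controller": 2, "cfo": 3}
# Amount at or above the first column needs an approver of at least that tier.
TIER_THRESHOLDS = [(1_000_000, 3), (100_000, 2), (0, 1)]
RECON_GRACE_DAYS = 5   # working assumption: reconciliations due 5 days after period end


@dataclass(frozen=True)
class Finding:
    record_id: str
    control: str
    detail: str


def required_tier(amount: float) -> int:
    """Approval tier an entry of this size needs under the assumed hierarchy."""
    for threshold, tier in TIER_THRESHOLDS:
        if amount >= threshold:
            return tier
    return 1


def check_entry(entry: dict) -> list[Finding]:
    """Run access, approval, segregation-of-duties and integrity checks on one entry."""
    eid, out = entry["id"], []
    # Data integrity: every journal entry must balance.
    if abs(entry["debit_total"] - entry["credit_total"]) >= 0.005:
        out.append(Finding(eid, "data_integrity", "debits do not equal credits"))
    # User access control: only finance roles may post to the general ledger.
    if USER_ROLES.get(entry["posted_by"]) not in POSTING_ROLES:
        out.append(Finding(eid, "user_access", f"{entry['posted_by']} is not authorised to post"))
    approver = entry.get("approved_by")
    # Approval hierarchy: manual entries need an approver of sufficient tier.
    if entry["source"] == "manual":
        if approver is None:
            out.append(Finding(eid, "approval", "manual entry posted without approval"))
        else:
            tier = APPROVER_TIERS.get(USER_ROLES.get(approver, ""), 0)
            need = required_tier(entry["debit_total"])
            if tier < need:
                out.append(Finding(eid, "approval_hierarchy", f"approver tier {tier} below required {need}"))
    # Segregation of duties: the preparer may never approve their own entry.
    if approver is not None and approver == entry["prepared_by"]:
        out.append(Finding(eid, "segregation_of_duties", "preparer approved own entry"))
    return out


def check_reconciliation(recon: dict, today: date) -> list[Finding]:
    """Flag reconciliations completed late or still open past the grace period."""
    deadline = recon["period_end"] + timedelta(days=RECON_GRACE_DAYS)
    done = recon.get("completed_on")
    if done is None and today > deadline:
        return [Finding(recon["id"], "reconciliation", f"still open, was due {deadline}")]
    if done is not None and done > deadline:
        return [Finding(recon["id"], "reconciliation", f"completed {done}, was due {deadline}")]
    return []


def run_checks(entries: list[dict], recons: list[dict], today: date) -> list[Finding]:
    findings = [f for e in entries for f in check_entry(e)]
    findings += [f for r in recons for f in check_reconciliation(r, today)]
    return findings


# Constructed sample records, not real data.
SAMPLE_ENTRIES = [
    {"id": "JE-1", "source": "manual", "debit_total": 50_000.0, "credit_total": 50_000.0,
     "prepared_by": "alice", "approved_by": "bob", "posted_by": "alice"},
    {"id": "JE-2", "source": "manual", "debit_total": 250_000.0, "credit_total": 250_000.0,
     "prepared_by": "bob", "approved_by": "bob", "posted_by": "bob"},
    {"id": "JE-3", "source": "manual", "debit_total": 20_000.0, "credit_total": 20_000.0,
     "prepared_by": "eve", "approved_by": None, "posted_by": "eve"},
    {"id": "JE-4", "source": "automated", "debit_total": 10_000.0, "credit_total": 9_990.0,
     "prepared_by": "system", "approved_by": None, "posted_by": "alice"},
]
SAMPLE_RECONS = [
    {"id": "R-1", "period_end": date(2024, 3, 31), "completed_on": date(2024, 4, 3)},
    {"id": "R-2", "period_end": date(2024, 3, 31), "completed_on": None},
    {"id": "R-3", "period_end": date(2024, 3, 31), "completed_on": date(2024, 4, 10)},
]

if __name__ == "__main__":
    for f in run_checks(SAMPLE_ENTRIES, SAMPLE_RECONS, date(2024, 4, 20)):
        print(f"{f.record_id}: [{f.control}] {f.detail}")
```

In practice the records would be pulled from the ERP's posting and audit logs on a schedule, and the findings would feed the review and sub-certification process rather than blocking postings outright, so that a control exception is documented and signed off rather than silently overridden.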
Beyond compliance: The real value of strong ICFR
When ICFR is treated as a compliance burden, organizations miss a crucial opportunity to maximize revenue, manage costs and optimize operations. ICFR isn’t just about preventing financial misstatements or passing audits — it’s about creating a financial control environment that supports stronger decision-making, operational efficiency, and strategic growth.
Consider the impact of a financial misstatement, a fraud incident, or an IT control failure — the consequences extend far beyond compliance. They erode investor trust, trigger regulatory scrutiny, and disrupt business operations. Organizations that take control of their ICFR programs don’t just minimize these risks but build a financial infrastructure that fosters confidence and resilience.
Instead of viewing ICFR as a static requirement, consider it as a dynamic tool — one that adapts to new technologies, regulatory shifts, and evolving business models. The businesses that get this right don’t just comply with regulations — they use strong financial controls as a competitive advantage.
Moving ICFR from obligation to opportunity
Maintaining strong internal controls is more than checking the right boxes — it’s about protecting the integrity of your financial reporting, reducing risk exposure, and ensuring leadership has the insights needed to make informed decisions. Achieving this, however, requires more than a set of policies and procedures; it demands a strategic approach tailored to your business’s unique structure, risks, and goals.
That’s where the right expertise makes all the difference. Working with a reputable firm can help your organization take control of its ICFR program in a way that is pragmatic, proactive, and aligned with long-term business strategies and objectives. Our team doesn’t just identify weaknesses — we work alongside leadership to streamline processes, strengthen oversight, and rationalize controls so they evolve with your business.
Whether it’s navigating regulatory changes, optimizing performance, leveraging automation, or embedding fraud prevention into daily operations, we help organizations move beyond compliance to create an ICFR framework that actively supports growth, resilience, and financial reporting confidence. In today’s business environment, strong internal controls can ultimately position your organization for what’s next — provided you have the right strategic approach.