ICFR: The New Compliance Mandate in Nigeria – What Every CFO Must Know
A new compliance mandate is here. And it affects more businesses than you think.
The Financial Reporting Council now requires Public Interest Entities to assess and report on their internal controls over financial reporting. This is not optional. It is the law.
If you are a CFO, this is your responsibility. You cannot delegate it to auditors. You must certify the effectiveness of your controls.
Let me walk you through everything you need to know about ICFR compliance in Nigeria.

What is Internal Control over Financial Reporting?
According to the Public Company Accounting Oversight Board, Internal Control over Financial Reporting refers to procedures within a company designed to reasonably ensure compliance with the company’s policies, specifically those controls that affect a company’s financial reporting.
Source: Public Company Accounting Oversight Board (PCAOB). A Layperson’s Guide to Internal Control Over Financial Reporting (ICFR). https://pcaobus.org/news-events/speeches/speech-detail/a-layperson-s-guide-to-internal-control-over-financial-reporting-(icfr)_112
Under the COSO framework, there are three types of internal controls. ICFR focuses solely on controls affecting financial reporting accuracy and reliability.
In simple terms, ICFR means having systems and processes that ensure your financial statements are accurate, complete, and reliable. It covers policies that ensure accurate transaction recording, controls that safeguard assets from unauthorised use, mechanisms that detect and prevent errors and fraud, systems that support compliance with IFRS and IPSAS, and processes that enable timely and reliable financial information.
The ICFR mandate in Nigeria: timeline and key developments

The journey toward mandatory ICFR in Nigeria began with the Financial Reporting Council Act of 2011. This granted the FRC authority to require independent attestation on management’s assessment of internal controls, including Information Systems controls.
November 2022. The FRC issued comprehensive guidance on the Management Report on Internal Control over Financial Reporting, establishing the framework for ICFR implementation in Nigeria.
May 2024. On May 26, 2024, the FRC issued updated guidance providing detailed directives for management of Public Interest Entities to assess and report on the effectiveness of their internal controls over financial reporting.
December 2024. The mandate became effective for financial years ending on or after December 31, 2024. This means 2025 marked the second year of mandatory compliance.
April 2025. The FRC granted a one-year waiver to Public Sector Agencies for ICFR submission with their 2024 Audited Financial Statements. These agencies must now submit ICFR reports with their 2025 financial statements in 2026.
May 2025. The FRC issued comprehensive guidance on assurance engagement reports on ICFR, detailing auditor responsibilities and attestation requirements.
Who must comply? Understanding Public Interest Entities
The ICFR mandate applies specifically to Public Interest Entities as defined under the Financial Reporting Council of Nigeria (Amendment) Act, 2023. The 2023 Amendment Act significantly broadened the scope beyond the original 2011 Act.
Original categories under the FRC Act 2011: Federal and State Governments; government organisations and parastatals; quoted companies listed on the Nigerian Stock Exchange; unquoted public companies; and entities mandated to file returns with regulatory authorities, excluding private companies filing only with CAC and FIRS.
New categories under the FRC Amendment Act 2023: large private companies with an annual turnover of ₦30 billion and above; government contractors engaged by any tier of government in public works with annual contract sums of ₦1 billion and above, settled from public funds; and specified regulated entities, including those regulated by CBN, SEC, NAICOM, PENCOM, and other sector regulators.
Source: Financial Reporting Council of Nigeria (Amendment) Act, 2023. Federal Republic of Nigeria.
Exemptions. Private companies with a turnover below ₦30 billion that only file returns with CAC and FIRS are currently exempt. Small and medium-sized entities that do not meet the PIE criteria are also exempt. Certain startups and emerging businesses below regulatory thresholds are exempt.
This expanded definition means thousands of Nigerian organisations that previously operated below regulatory radar now face mandatory ICFR compliance. CFOs must immediately assess whether their organisations qualify as PIEs under the new definition.
CFO responsibilities under the ICFR mandate
The ICFR framework places significant responsibility on Chief Financial Officers and senior management.
Design and implementation. Establish a comprehensive system of internal controls over financial reporting. Ensure controls provide reasonable assurance regarding financial statement reliability. Align the control framework with COSO 2013 or other recognised frameworks. Document all significant financial reporting processes and controls.
Annual assessment and testing. Conduct annual evaluation of ICFR effectiveness. Test key controls to verify they are operating as designed. Identify and remediate control deficiencies. Maintain evidential matter supporting the assessment.
Management certification. Prepare and sign the Management Report on ICFR. Certify the effectiveness of internal controls as of year-end. Disclose any material weaknesses or significant deficiencies. Submit the ICFR report as part of the annual financial statements.
Professional qualifications. The CFO providing ICFR certification must be a professional member of an accounting body established by an Act of the National Assembly in Nigeria. This includes the Institute of Chartered Accountants of Nigeria, Association of National Accountants of Nigeria, and Chartered Institute of Taxation of Nigeria. The CFO must indicate their individual FRC registration number on the ICFR certification, vouching for the integrity of the report.
Non-delegable responsibility. The FRC guidance emphasises that ICFR assessment and certification is management’s responsibility and, to preserve auditor independence, cannot be delegated to external auditors. While internal audit or independent consultants may support the process, only management can assess and certify ICFR effectiveness.
External auditor requirements for ICFR

Beyond management’s responsibilities, the ICFR framework creates specific obligations for external auditors.
Independent attestation requirement. External auditors must independently review management’s ICFR assessment. They must issue a separate attestation report on ICFR effectiveness. They must express an opinion on whether management’s assessment is fairly stated. They must identify and report material weaknesses or significant deficiencies. They must maintain independence throughout the process.
Integrated audit approach. The FRC guidance permits an integrated audit that includes a traditional financial statement audit, ICFR assessment and attestation, and combined reporting on both financial statements and internal controls.
Important distinction. Even if ICFR is found to be ineffective, this does not automatically mean the financial statements are misstated. However, ineffective ICFR may require more extensive substantive testing by auditors, result in higher audit fees, indicate increased risk of material misstatement, and reduce stakeholder confidence.
The ICFR framework: components and structure
Nigerian organisations implementing ICFR typically adopt the COSO 2013 Internal Control Integrated Framework, which the FRC highly recommends.
Control environment. This is the foundation of internal control. It encompasses tone at the top and ethical values, board oversight and governance structure, organisational structure and assignment of authority, commitment to competence, and accountability mechanisms.
Risk assessment. This involves identifying and analysing risks to financial reporting: specifying financial reporting objectives, identifying risks that could prevent objective achievement, assessing fraud risks, and monitoring changes that could impact controls.
Control activities. These are policies and procedures that ensure directives are carried out: authorisation and approval processes, segregation of duties, reconciliations and reviews, physical controls over assets, and IT general and application controls.
Information and communication. These are the systems supporting the identification and exchange of information: financial reporting processes, internal communication channels, external reporting mechanisms, and whistleblower and escalation procedures.
Monitoring activities. These are ongoing evaluations and separate assessments: continuous monitoring activities, periodic internal audits, management self-assessments, external audit coordination, and deficiency remediation tracking.
ICFR implementation: step-by-step guide for CFOs
Phase one: Scoping and planning (months 1 to 3).
Determine your PIE status. Assess whether your organisation meets the criteria. Review turnover thresholds and government contract values. Document your determination.
Secure board and management commitment. Present the ICFR mandate to the board. Obtain budget approval. Establish a steering committee with executive sponsorship.
Select a control framework. Adopt COSO 2013, which is highly recommended by the FRC. Ensure the framework is publicly available and established through due process. Document your framework selection.
Conduct a gap assessment. Review your existing internal control environment. Identify gaps between the current state and ICFR requirements. Prioritise remediation areas. Develop an implementation roadmap.
Phase two: Documentation and design (months 4 to 8).
Identify significant accounts and disclosures. Perform materiality assessment. Identify financial statement line items that could contain material misstatements. Focus on areas with the highest risk.
Map financial reporting processes. Document end-to-end processes for significant accounts. Create process narratives and flowcharts. Identify key transaction classes. Map information flows.
Identify and document key controls. Determine key controls for each significant process. Document control objectives. Describe control activities, including what, who, when, and how. Create Risk and Control Matrices.
Assess entity-level controls. Evaluate the control environment. Review board and audit committee effectiveness. Assess management override controls. Document IT general controls.
Phase three: Testing and evaluation (months 9 to 12).
Develop a testing plan. Determine sample sizes based on control frequency. Create testing procedures for each key control. Assign testing responsibilities.
Perform control testing. Test design effectiveness to verify if controls are properly designed. Test operating effectiveness to verify if controls operated as designed. Document testing procedures and results. Retain evidence of testing.
Evaluate testing results. Assess whether controls are operating effectively. Identify control deficiencies. Classify deficiencies as control deficiency, significant deficiency, or material weakness. Develop remediation plans.
Remediate deficiencies. Address identified control weaknesses. Redesign ineffective controls. Re-test remediated controls. Document remediation efforts.
Phase four: Reporting and certification (month 12 and beyond).
Prepare the Management Report on ICFR. Summarise assessment scope and methodology. State the control framework used, such as COSO 2013. Present the assessment conclusion. Disclose material weaknesses or significant deficiencies. Include the CFO certification with the FRC registration number.
Engage external auditors. Provide ICFR documentation to auditors. Facilitate auditor testing and inquiries. Address auditor questions and requests. Coordinate the integrated audit approach.
File the ICFR report. Include the Management Report on ICFR in the annual financial statements. Submit the external auditor’s attestation report. File with the FRC through the National Repository Portal. Meet applicable deadlines.
Key elements of the Management Report on ICFR
The FRC guidance specifies minimum requirements for the Management Report on ICFR.
Statement of management responsibility. Clear assertion that management is responsible for establishing and maintaining adequate ICFR.
Identification of the control framework. Explicit statement of the framework used. For example: “Management assessed ICFR effectiveness using the COSO 2013 Internal Control Integrated Framework.”
Assessment of ICFR effectiveness. Management’s conclusion on whether ICFR was effective as of the end of the fiscal year. For example: “Management has concluded that ICFR was effective as of December 31, 2024” or “Management has identified material weaknesses in ICFR as of December 31, 2024.”
Disclosure of material weaknesses. If material weaknesses exist, include a description of each material weakness, an explanation of why it is considered material, management’s remediation plan, and an estimated timeline for remediation.
CFO certification. The report must be signed by the CFO, including name and professional designation, FRC registration number, and date of certification.
Understanding control deficiencies: classifications and implications
Not all control weaknesses are equal. The FRC guidance adopts a three-tier classification system.
Control deficiency. A control deficiency exists when the design or operation of a control does not allow management or employees to prevent or detect misstatements on a timely basis. Example: A reconciliation is performed but not reviewed by a supervisor, creating a risk that errors could go undetected.
Significant deficiency. A significant deficiency is a control deficiency or combination of deficiencies that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. Characteristics include more than a remote likelihood of misstatement, less than a material amount at risk, and a need for audit committee attention. An example is the lack of segregation of duties in a process affecting a significant but not material account balance. Significant deficiencies must be reported to the audit committee but are not required to be disclosed publicly.
Material weakness. A material weakness is a control deficiency or combination of deficiencies such that there is a reasonable possibility that a material misstatement of annual or interim financial statements will not be prevented or detected on a timely basis. Characteristics include a reasonable possibility of occurrence, a material amount at risk, and the potential to result in a material misstatement of financial statements. Examples include inadequate segregation of duties over significant financial processes, ineffective audit committee or board oversight, material restatements of previously issued financial statements, identification of fraud by senior management, and failure to implement controls over significant financial reporting elements. Material weaknesses must be publicly disclosed in the Management Report on ICFR and in the external auditor’s attestation report.
Common ICFR challenges for Nigerian organisations
Limited internal control maturity. Many Nigerian organisations lack documented processes and controls. Solutions include starting with entity-level controls as a foundation, focusing initially on high-risk areas, leveraging external consultants for initial design, building internal capabilities over time, and using the first year as a learning experience.
Resource constraints. ICFR implementation requires significant investment in people, systems, and processes. Solutions include prioritising based on materiality and risk, leveraging technology for automation where possible, using shared services for testing activities, building a phased implementation plan, and demonstrating ROI through reduced audit fees and improved operations.
Skills gap. Many finance teams lack experience in control design, documentation, and testing. Solutions include investing in ICFR and COSO framework training, hiring experienced internal audit professionals, engaging consultants for knowledge transfer, participating in industry forums and peer learning, and developing internal ICFR champions.
IT systems limitations. Legacy systems and manual processes create control gaps and testing challenges. Solutions include compensating with manual controls where systems lack functionality, prioritising system upgrades for the highest-risk areas, implementing automated exception reporting, strengthening IT general controls around access, change management, and backups, and considering cloud-based solutions for better built-in controls.
Maintaining documentation. ICFR requires extensive documentation that must be kept current. Solutions include establishing a centralised control documentation repository, assigning clear ownership for documentation updates, integrating documentation into business processes, scheduling annual review and update cycles, and using control management software platforms.
Change management and culture. Employees view ICFR as a regulatory burden rather than a value-adding activity. Solutions include communicating benefits beyond compliance, involving operational teams in control design, recognising and rewarding control excellence, embedding controls into performance metrics, and sharing examples of how controls prevented errors or fraud.
Benefits of robust ICFR beyond compliance
Enhanced financial statement reliability. Strong ICFR ensures financial statements are accurate, complete, and comply with IFRS. This reduces the risk of material misstatements, likelihood of financial restatements, audit adjustments and qualifications, and stakeholder concerns about data quality.
Fraud prevention and detection. Effective controls reduce opportunities for fraud: segregation of duties prevents single-person fraud schemes, authorisation controls stop unauthorised transactions, reconciliation controls detect irregularities, monitoring activities identify unusual patterns, and whistleblower mechanisms encourage reporting.
Operational efficiency. ICFR implementation often reveals process inefficiencies. This enables streamlined financial close processes, elimination of redundant activities, better use of technology and automation, improved accuracy of management information, and faster decision making with reliable data.
Improved corporate governance. ICFR strengthens governance by clarifying roles and responsibilities, enhancing board and audit committee oversight, providing transparency into risks and controls, creating accountability mechanisms, and supporting an ethical culture.
Investor confidence and access to capital. Organisations with effective ICFR enjoy enhanced credibility with investors and lenders, better credit ratings and financing terms, reduced cost of capital, increased market valuation, and competitive advantage in capital raising.
Stakeholder trust. Strong controls build trust with shareholders seeking transparency, lenders evaluating credit risk, customers concerned about business continuity, suppliers assessing payment reliability, and regulators monitoring compliance.
Where to start tomorrow
Do not wait until year end to address ICFR compliance.
Assess your PIE status first. Determine whether your organisation qualifies under the expanded definition.
Register with the FRC if you have not already. Ensure your CFO has an active FRC registration number.
Conduct a gap assessment. Compare your current controls against COSO requirements.
Develop an implementation roadmap. Prioritise high-risk areas first.
Engage stakeholders. Get buy-in from the board, management, and process owners.
Seek professional help if needed. ICFR implementation is complex. Expert guidance saves time and prevents mistakes.
Final word
ICFR is not optional for Public Interest Entities in 2026.
The expanded PIE definitions, the operational National Repository Portal, and the second year of mandatory compliance all point to one conclusion. Internal controls are now a regulatory requirement, not a best practice suggestion.
CFOs own this responsibility. You cannot delegate it to auditors. You must certify the effectiveness of your controls.
Organisations that embrace ICFR as an opportunity will strengthen governance, prevent fraud, improve operations, and build stakeholder confidence. Those that treat it as a checkbox exercise risk regulatory sanctions and missed opportunities.
The time to act is now.
CALL TO ACTION
Take Action Today: Partner with Stonehill Research for ICFR Excellence
At Stonehill Research, we specialise in helping Nigerian organisations navigate the complexities of ICFR compliance and build world-class internal control frameworks.
Our Comprehensive ICFR Services
ICFR Readiness Assessment. Evaluate your current control environment, identify gaps, and develop an implementation roadmap.
Control Framework Design and Documentation. Design a comprehensive ICFR framework aligned with COSO 2013 and FRC requirements, including process documentation, risk identification, and control design.
Control Testing and Evaluation. Perform rigorous testing of key controls, evaluate effectiveness, and identify deficiencies.
Management Report Preparation. Draft the Management Report on ICFR, including CFO certification and compliance documentation.
Remediation Support. Address identified control weaknesses, redesign ineffective controls, and implement sustainable solutions.
Training and Capacity Building. Comprehensive ICFR and COSO framework training for finance teams, internal audit, and process owners.
External Audit Coordination. Support coordination with external auditors, facilitate information requests, and manage the attestation process.
Technology Solutions Advisory. Guidance on control automation, monitoring tools, and ICFR software platforms.
Ongoing ICFR Support. Annual control testing, continuous improvement, and compliance monitoring to sustain ICFR effectiveness.
Why Choose Stonehill Research?
Deep Nigerian Market Expertise. We understand the local regulatory environment, business culture, and practical implementation challenges facing Nigerian organisations.
Experienced ICFR Professionals. Our team includes Chartered Accountants, Certified Internal Auditors, and COSO framework specialists with extensive ICFR implementation experience.
Proven Methodology. We leverage best practices from global ICFR implementations adapted for the Nigerian context, ensuring efficient and effective compliance.
End to End Support. From initial assessment through annual certification, we provide comprehensive support at every stage of your ICFR journey.
Knowledge Transfer Focus. We build internal capabilities while delivering results, ensuring your team can sustain ICFR compliance independently.
Industry Specific Expertise. We tailor ICFR frameworks to your industry including banking, oil and gas, telecommunications, manufacturing, and retail.
Cost Effective Solutions. Our scalable approach ensures you get maximum value from your ICFR investment, with solutions sized to your organisation.
Regulatory Insight. We stay current with FRC guidance and regulatory developments, ensuring your ICFR program remains compliant.
Ready to Achieve ICFR Compliance?
Don’t let the ICFR mandate become a compliance crisis. Partner with Stonehill Research to build a robust internal control framework that meets regulatory requirements while enhancing your organisation’s financial governance.
Contact us today for a complimentary ICFR readiness consultation.
📧 Email: info@stonehillresearch.com
📞 Phone: +234 802 320 0801
📍 Address: 5, Ishola Bello Close, Off Iyalla Street, Alausa, Ikeja, Lagos, Nigeria
Schedule Your Free Consultation. Take the first step toward ICFR excellence. Our experts will assess your current state, clarify your obligations, and outline a practical path to compliance.
Stonehill Research – Your Trusted Partner for ICFR Compliance and Financial Control Excellence in Nigeria.
REFERENCES
Public Company Accounting Oversight Board (PCAOB). A Layperson’s Guide to Internal Control Over Financial Reporting (ICFR). https://pcaobus.org/news-events/speeches/speech-detail/a-layperson-s-guide-to-internal-control-over-financial-reporting-(icfr)_112
Financial Reporting Council of Nigeria. Guidance on Management Report on Internal Control over Financial Reporting (ICFR). https://frcnigeria.gov.ng/wp-content/uploads/2024/07/FRC-Guidance-on-Management-Report-on-ICFR-RR-1.pdf
Financial Reporting Council of Nigeria. FRC Guidance on Assurance Engagement Report on Internal Control over Financial Reporting. https://frcnigeria.gov.ng/wp-content/uploads/2025/05/FRC-GUIDANCE-ASSURANCE-ENGAGEMENT-ON-ICFR.pdf
Financial Reporting Council of Nigeria. Public Notice: One-Year Waiver for Public Sector Agencies for Submission of ICFR. https://frcnigeria.gov.ng/2025/04/29/public-notice-one-year-waiver-for-public-sector-agencies-for-submission-of-icfr/
Financial Reporting Council of Nigeria (Amendment) Act, 2023. Federal Republic of Nigeria.
Financial Reporting Council Act No. 6. Federal Republic of Nigeria.
Andersen Nigeria. The FRC issued its Guidance on Management Report on ICFR. https://ng.andersen.com/the-frc-issued-its-guidance-on-management-report-on-icfr/
Stransact Chartered Accountants. FRCN Requirements on Internal Control over Financial Reporting [ICFR]. https://stransact.com/insights/frcn-requirements-on-internal-control-over-financial-reporting-icfr
KPMG Nigeria. A Guide to Implementing Internal Controls over Financial Reporting in Nigeria. https://assets.kpmg.com/content/dam/kpmg/ng/pdf/advisory/kpmg-a-guide-to-implementing-internal-controls-over-financial-reporting-in-nigeria.pdf
KPMG. Handbook: Internal Control over Financial Reporting. https://kpmg.com/us/en/frv/reference-library/2025/handbook-internal-control-over-financial-reporting.html
Committee of Sponsoring Organizations of the Treadway Commission (COSO). Internal Control – Integrated Framework. https://www.coso.org
The Center for Audit Quality (CAQ). Guide to Internal Control Over Financial Reporting. https://www.thecaq.org/guide-internal-control-over-financial-reporting

