ICFR Compliance: What Public Interest Entities in Nigeria Must Do in 2026

Regulatory pressure is increasing. Public Interest Entities are in the spotlight.

The Financial Reporting Council has expanded its reach. More businesses now qualify as PIEs. The rules are stricter. The deadlines are real.

Internal Control over Financial Reporting is no longer optional. It is mandatory.

If your organisation qualifies as a PIE, you need to act now. Let me walk you through exactly what you must do in 2026.


What is Internal Control over Financial Reporting?

According to the Committee of Sponsoring Organisations of the Treadway Commission (COSO), internal control is “a process, carried out by the board of directors, the administration and other personnel of an entity, designed to provide reasonable security with respect to the achievement of objectives in operations, financial reporting, and compliance with applicable laws and regulations.”

In plain language, ICFR means having systems and processes that ensure your financial statements are accurate and reliable. It is not just policies on paper. It is active processes involving people at every level.

In the Nigerian context, ICFR covers controls related to recording, processing, summarising, and reporting financial transactions. It also includes safeguarding assets and preventing fraud.

Who must comply? The expanded definition of Public Interest Entities

Understanding whether your organisation qualifies as a PIE is your first critical step. The Financial Reporting Council of Nigeria (Amendment) Act, 2023, significantly broadened the scope.

Source: Financial Reporting Council of Nigeria (Amendment) Act, 2023.

Listed companies on the Nigerian Exchange and other recognised stock exchanges are PIEs.

Financial institutions regulated by the Central Bank of Nigeria are PIEs. This includes banks, insurance companies, pension fund administrators, and other financial service providers.

Non-listed regulated entities are also PIEs. This includes those regulated by the Nigerian Communications Commission, Nigerian Electricity Regulatory Commission, Nigerian Civil Aviation Authority, National Insurance Commission, Nigerian Tourism Development Corporation, and other sectoral regulators.

Entities engaged in public works with annual contract sums of ₦1 billion and above, settled from public funds, are PIEs.

High turnover entities with annual turnover of ₦30 billion and above are PIEs.

Government entities and government organisations at all levels are PIEs.

Companies required to file returns with regulatory authorities are PIEs. This excludes private companies that only file with CAC and FIRS.

This expansion means many private companies that previously fell outside the FRC’s purview must now comply. Assess your status carefully.

Key regulatory updates and compliance timelines for 2026

Several important developments affect PIEs in 2026.

National Repository Portal implementation.

Effective January 21, 2025, the FRC introduced the National Repository Portal to enhance compliance and streamline financial reporting. All PIEs must now register on this portal and submit their financial statements and ICFR reports through this centralised system.

Second year of mandatory ICFR compliance.

The mandate has been effective for financial years ending on or after December 31, 2024. For financial years ending in 2025 and beyond, including the current 2026 fiscal year, PIEs must have fully operational ICFR systems in place and must report on their effectiveness.

Organisations that implemented ICFR in 2024 should now focus on refining processes, addressing weaknesses, and ensuring continuous improvement.

Public sector agencies’ waiver.

A one-year waiver has been granted to Public Sector Agencies regarding the mandatory submission of ICFR reports. This does not exempt them from establishing ICFR systems. It merely extends the reporting timeline.

FRC guidance on management report on ICFR.

The FRC issued its Guidance on Management Report on Internal Control Over Financial Reporting on May 26, 2024. This provides comprehensive directives for management assessment and reporting, including documentation requirements, framework selection, annual assessment procedures, reporting formats, and treatment of material weaknesses.

What PIEs must do: essential compliance requirements


Compliance involves multiple interconnected responsibilities. Here is what your organisation must accomplish in 2026.

One: Register with the FRC and NRP.

Every PIE must register with the Financial Reporting Council through the appropriate category on the online portal. Professional firms, not-for-profit organisations, public sector entities, companies and enterprises all have different categories. Individual professionals like directors, CFOs, and CEOs should also register.

Two: Establish and maintain ICFR systems.

Management is responsible for designing, implementing, and maintaining a robust system of internal controls. This system must provide reasonable assurance concerning the accuracy and reliability of financial statements.

Your ICFR system must address the five COSO components:

Control environment: establishing a culture of integrity, ethics, and accountability.

Risk assessment: identifying and analysing risks to reliable financial reporting.

Control activities: implementing specific policies and procedures to mitigate risks.

Information and communication: ensuring relevant financial information flows efficiently.

Monitoring activities: conducting ongoing and periodic evaluations of control effectiveness.

Three: Adopt a recognised control framework.

Management must base its evaluation on a suitable, recognised control framework. The FRC does not mandate a specific framework, but the COSO Internal Control Integrated Framework (2013) is highly recommended and widely used.

Organisations may also consider other internationally recognised frameworks. But you must clearly identify the framework used in your management reports.

Four: Conduct annual assessments.

Management must conduct an annual evaluation of the effectiveness of internal controls. You must include a report of this assessment in the company’s annual report.

Your assessment must: evaluate the design and implementation of controls; test the operating effectiveness of controls; identify and document any deficiencies, significant deficiencies, or material weaknesses; conclude on the overall effectiveness of ICFR as of the fiscal year end; and disclose any material weaknesses that exist as of the reporting date.

After the first year of implementation, subsequent evaluations should focus more on changes in risks and controls rather than complete re-identification. This makes the process more efficient over time.

Five: Maintain documentation and evidence.

Adequate documentation is critical for supporting management’s assessment. You must maintain: documentation of significant processes and transaction flows; Risk and Control Matrices mapping risks to controls; control design documentation describing how controls operate; evidence of control performance such as approvals, reconciliations, and reviews; testing results and conclusions; remediation plans for identified deficiencies; and management’s evaluation methodology and conclusions.

Documentation should be updated annually rather than recreated from scratch. Focus on changes in the control environment.

Six: Obtain independent attestation.

External auditors are required to independently review management’s ICFR assessment and issue a separate attestation report. This may be conducted as part of an integrated audit, including both an audit of management’s assessment and a financial statement audit informed by ICFR conclusions.

Importantly, management’s responsibility for ICFR assessment cannot be delegated to external auditors. This preserves auditor independence. While internal audit functions or independent consultants may support the process, only management can assess and certify ICFR effectiveness annually.

Seven: Report effectively.

Your annual report must include a management report on ICFR. This report must contain: a statement of management’s responsibility for establishing and maintaining adequate ICFR; identification of the control framework used for evaluation; management’s assessment of ICFR effectiveness as of the fiscal year end; disclosure of any material weaknesses identified; and the auditor’s attestation report on management’s assessment.

This report demonstrates to stakeholders that your organisation takes financial reporting integrity seriously.

Implementing ICFR: a practical approach


Organisations new to ICFR or looking to strengthen compliance should follow this structured approach.

Phase one: Planning and scoping (months 1 to 2).

Establish governance structures: form a steering committee with executive sponsorship and cross-functional representation.

Conduct scoping analysis: identify significant accounts, processes, and locations.

Select the control framework: formally adopt COSO or another recognised framework.

Develop a project plan with timelines, resources, and milestones.

Engage stakeholders: communicate the importance of ICFR to the board, management, and process owners.

Phase two: Risk assessment and process documentation (months 3 to 5).

Document significant processes: create process narratives and flowcharts for all significant transaction cycles, including revenue, procurement, payroll, and treasury.

Identify financial statement assertions: map processes to relevant assertions such as existence, completeness, valuation, rights and obligations, and presentation.

Assess risks: identify what could go wrong at each step.

Evaluate entity-level controls: assess tone at the top, code of conduct, whistleblower mechanisms, and board oversight.

Phase three: Control design and documentation (months 6 to 8).

Design control activities: develop preventive and detective controls, including authorisations, reconciliations, reviews, system controls, and segregation of duties.

Create control documentation: document each control’s objective, frequency, performer, evidence, and how it addresses risks.

Develop Risk and Control Matrices linking risks to controls for each significant process.

Address IT general controls: document controls over system access, change management, data backup, and IT operations.

Design monitoring activities: establish ongoing monitoring mechanisms and periodic evaluation processes.

Phase four: Control implementation and testing (months 9 to 11).

Implement controls: put designed controls into practice across the organisation.

Provide training: educate control owners on their responsibilities.

Test control design: verify that controls, if operating as designed, would effectively prevent or detect errors.

Test operating effectiveness: gather evidence that controls have been consistently applied throughout the period.

Document test results: maintain evidence of testing procedures, samples selected, and conclusions reached.

Identify deficiencies: note any instances where controls did not operate as intended.

Phase five: Evaluation and reporting (month 12).

Aggregate deficiencies: compile all identified control deficiencies from testing.

Evaluate severity: classify deficiencies as control deficiencies, significant deficiencies, or material weaknesses.

Assess compensating controls: determine if other controls mitigate the risk of identified deficiencies.

Conclude on effectiveness: form an overall conclusion on whether ICFR is effective as of year-end.

Prepare the management report: draft the required ICFR report for inclusion in the annual report.

Remediate weaknesses: develop and begin executing plans to address identified deficiencies.

Facilitate auditor attestation: provide documentation and access to external auditors for their review.

Common challenges and how to overcome them

Resource constraints.

Many organisations struggle to allocate sufficient resources. Prioritise high-risk areas rather than attempting comprehensive coverage immediately. Leverage existing internal audit or risk management functions. Consider external consultants for initial implementation. Start early in the fiscal year to spread work over time.

Lack of awareness and buy-in.

Some employees and managers view ICFR as a compliance burden. Secure visible commitment from the CEO and board. Communicate ICFR’s benefits beyond compliance, including fraud prevention, operational efficiency, and better decision making. Provide training that explains why, not just what. Recognise and reward employees who demonstrate strong control consciousness.

Documentation overwhelm.

Organisations create excessive documentation that becomes difficult to maintain. Focus documentation on significant risks and controls, not every minor activity. Use templates and standardised formats. Integrate control documentation with existing process documentation. Use visual tools like flowcharts and RCMs. Update documentation incrementally throughout the year.

IT and system complexity.

Modern organisations rely on complex, integrated IT systems. Identify critical IT applications that support financial reporting. Ensure IT general controls around access, change management, and backup are strong. Work closely with IT teams to understand system controls. Consider automated controls within systems rather than manual compensating controls.

Remediation fatigue.

Addressing numerous deficiencies year after year can lead to frustration. Prioritise remediation efforts based on risk severity. Set realistic timelines. Assign clear ownership for each remediation action. Track progress and celebrate successes. Analyse root causes to prevent recurrence.

The role of different stakeholders in ICFR

Board of directors.

The board has ultimate responsibility for ensuring the integrity of financial controls and reporting. Board duties include setting expectations for a strong control environment, overseeing management’s implementation and assessment of ICFR, reviewing management’s reports and conclusions, ensuring adequate resources are allocated, establishing an audit committee, and addressing material weaknesses promptly.

Management (CEO, CFO, and senior leadership).

Management is responsible for the design, implementation, and annual certification of ICFR effectiveness. This responsibility cannot be delegated to external auditors. Management must design and implement the ICFR system, conduct the annual assessment, certify conclusions, remediate deficiencies, maintain adequate documentation, and foster a culture of controls.

Internal audit function.

Internal audit plays a crucial supporting role. It provides independent assurance on control design and effectiveness. It tests controls as part of routine activities. It identifies deficiencies and recommends improvements. It monitors management’s remediation. It assists with ICFR documentation while maintaining independence.

External auditors.

External auditors uphold independence by refraining from performing ICFR assessments. They independently review and attest to management’s assessment. They conduct their own testing of controls. They issue a separate opinion on ICFR. They communicate identified deficiencies to management and the audit committee.

Process owners and control performers.

Frontline employees execute controls daily. They perform assigned controls consistently and accurately. They retain evidence of control performance. They escalate issues promptly. They participate in documentation and testing. They suggest improvements based on operational experience.

Benefits of robust ICFR beyond compliance

Enhanced investor and stakeholder confidence.

A clean ICFR opinion signals that your financial statements can be trusted. This translates into better access to capital, favourable financing terms, and enhanced reputation.

Fraud prevention and detection.

Strong internal controls are the first line of defence against fraud. Organisations with effective ICFR prevent fraud from occurring and detect it quickly when it does.

Operational efficiency.

Well-designed controls streamline processes, eliminate redundancies, and reduce errors. What begins as a compliance exercise frequently reveals opportunities to improve workflows.

Better risk management.

The risk assessment process helps organisations identify and understand risks beyond just financial reporting. This supports strategic decision-making and resilience.

Improved decision-making.

When management has confidence in the accuracy and timeliness of financial information, they can make better-informed business decisions.

Competitive advantage.

In markets where many organisations struggle with financial reporting quality, those with demonstrably strong ICFR stand out.

Looking ahead: the future of ICFR in Nigeria

Increased enforcement and inspections.

The FRC has commenced audit firm inspection visits. Expect increased scrutiny of both management ICFR assessments and auditor attestations. Organisations with weak controls may face regulatory sanctions.

Technology integration.

As businesses digitise, ICFR must adapt to address risks in cloud computing, robotic process automation, artificial intelligence, and other emerging technologies. Expect regulatory guidance on IT controls and cybersecurity to expand.

Sustainability and ESG reporting controls.

Internal controls are expanding beyond traditional financial reporting to encompass sustainability and ESG reporting. COSO has already issued guidance on Internal Control over Sustainability Reporting. Nigeria may follow suit.

Continuous monitoring and real-time assurance.

Traditional annual assessments may give way to continuous monitoring approaches enabled by technology. Data analytics, automated testing, and real-time dashboards can provide ongoing assurance.

Greater integration with risk management.

ICFR will increasingly integrate with broader enterprise risk management frameworks. Controls will be viewed as part of comprehensive risk strategies.

Where to start tomorrow

Do not wait until year-end to address ICFR compliance.

Assess your PIE status. Determine whether your organisation qualifies under the expanded definition.

Register with the FRC and NRP if you have not already.

Conduct a gap assessment. Compare your current controls against COSO requirements.

Develop an implementation roadmap. Prioritise high-risk areas first.

Engage stakeholders. Get buy-in from the board, management, and process owners.

Seek professional help if needed. ICFR implementation is complex. Expert guidance saves time and prevents mistakes.

Final word

ICFR is not optional for Public Interest Entities in 2026.

The expanded PIE definitions, the operational National Repository Portal, and the second year of mandatory compliance all point to one conclusion. Internal controls are now a regulatory requirement, not a best practice suggestion.

Organisations that embrace ICFR as an opportunity will strengthen governance, prevent fraud, improve operations, and build stakeholder confidence. Those who treat it as a checkbox exercise risk regulatory sanctions and missed opportunities.

The time to act is now.


Take the Next Step with Stonehill Research

Are you ready to strengthen your ICFR framework and ensure full compliance in 2026?

At Stonehill Research, we provide comprehensive advisory services to help Public Interest Entities navigate the complexities of ICFR implementation and compliance. Our team of experienced professionals can support your organisation through every stage of the journey.

Our ICFR Advisory Services

ICFR Readiness Assessments. Evaluate your current state and identify gaps against regulatory requirements.

Framework Implementation. Design and implement robust ICFR systems aligned with COSO and FRC requirements.

Risk Assessment and Control Design. Identify financial reporting risks and design effective controls to mitigate them.

Documentation Support. Develop comprehensive process narratives, flowcharts, and Risk and Control Matrices.

Testing and Evaluation. Conduct control testing and provide an independent assessment of effectiveness.

Training and Capacity Building. Equip your team with the knowledge and skills for sustainable ICFR management.

Remediation Support. Address identified deficiencies and strengthen control environments.

NRP Registration and Filing. Navigate the National Repository Portal requirements with expert guidance.

Why Choose Stonehill Research?

Deep Regulatory Knowledge. We understand the FRC requirements and how they apply to your organisation.

COSO Framework Expertise. Our team has extensive experience implementing COSO-based ICFR systems.

Practical Approach. We provide solutions that work in real business environments, not just theoretical frameworks.

Proven Track Record. We have helped numerous PIEs achieve ICFR compliance and maintain it.

End-to-End Support. From readiness assessment through implementation and ongoing monitoring, we are with you.

Contact Us Today

Don’t wait until year-end to address ICFR compliance. Let us help you build a robust, efficient, and effective internal control framework.

📧 Email: info@stonehillresearch.com
📞 Phone: +234 802 320 0801
📍 Address: 5, Ishola Bello Close, Off Iyalla Street, Alausa, Ikeja, Lagos, Nigeria

Schedule a Consultation Today. Let us help you turn ICFR compliance into a competitive advantage.

Stonehill Research – Your Trusted Partner in Governance, Risk, and Compliance

REFERENCES

COSO Internal Control Framework Definition. Committee of Sponsoring Organizations of the Treadway Commission. https://en.wikipedia.org/wiki/Committee_of_Sponsoring_Organizations_of_the_Treadway_Commission

Financial Reporting Council of Nigeria. Guidance on Management Report on Internal Control Over Financial Reporting (ICFR). https://frcnigeria.gov.ng/

Financial Reporting Council of Nigeria (Amendment) Act, 2023.

Andersen Nigeria. The FRC issued its Guidance on Management Report on ICFR. https://ng.andersen.com/the-frc-issued-its-guidance-on-management-report-on-icfr/

1st Fiduciary. Compliance Guide: Financial Reporting Council Act Requirements for Public Interest Entities (PIEs). https://firstfiduciary.ng/compliance-guide-financial-reporting-council-act-requirements-for-public-interest-entities-pies/

Stransact. FRCN Requirements on Internal Control over Financial Reporting [ICFR]. https://stransact.com/insights/frcn-requirements-on-internal-control-over-financial-reporting-icfr

PwC Nigeria. ICFR Implementation: FAQs. https://www.pwc.com/ng/en/publications/icfr-faqs.html

KPMG Nigeria. A Guide to Implementing Internal Controls over Financial Reporting in Nigeria. https://assets.kpmg.com/
