Does every control in a company count as ICFR?
No. ICFR is the subset of controls that supports reliable external financial reporting. Many operational, compliance, cybersecurity, or customer-service controls are important, but they are not automatically ICFR unless they materially affect financial-reporting assertions such as completeness, accuracy, cutoff, valuation, or classification.
On the exam, start by asking whether the risk described in the question could distort the financial statements or related disclosures. If yes, the control may fall within ICFR. If the control only improves efficiency or service quality without a reporting impact, it is usually not an ICFR control.
Master part-2 with our CIA Course
45 lessons · 90+ hours· Expert instruction
Related Questions
What should an auditor do if a supervisor weakens a supported finding?
How should auditors prepare for a technical exit meeting?
When should audit quality concerns be escalated beyond the engagement team?
How does business knowledge affect internal audit quality?
Where should an auditor begin a full-company internal control audit?
Related Articles
Join the Discussion
Ask questions and get expert answers.