ICFR Reporting and Certification - Where Assurance Meets Accountability
What is ICFR Reporting?
ICFR reporting consolidates the outcome of all the work done across the lifecycle:
- Scoping
- Process documentation
- Risk and control mapping
- Testing
- Remediation
It provides an official record of what was tested, what failed, and how it was resolved, giving management the basis to sign off on control effectiveness.
Key ICFR Reporting Components
|
Report Type |
Audience |
Purpose |
|
Control Test Summary |
Internal Controls / Risk Team |
Summarizes test results, by process and control |
|
Deficiency Register |
Control Owners, Auditors |
Lists gaps, remediation status, and timelines |
|
Management Assertion Letter |
Board, Regulators, External Auditors |
Official declaration of ICFR effectiveness |
|
Audit Committee Pack |
Board Audit Committee |
High-level briefing on status, material issues, action plans |
Example: Management Assertion (UAE Context)
"Based on our evaluation, we believe that the Company’s internal control over financial reporting as of December 31, 2025, was effective and provides reasonable assurance regarding the reliability of financial statements in accordance with IFRS. All identified deficiencies have been evaluated and no material weaknesses remain unresolved."
- CEO / CFO, [Company Name]
UAE Regulatory Landscape
SCA (for PJSCs):
- 2024: Auditor to issue a private ICFR opinion
- 2025: Publicly disclosed opinion required with detailed disclosure of material weaknesses
- Management must provide formal ICFR certification
CBUAE (for Insurers):
- Annual submission must include evidence of ICFR design and operating effectiveness
- ICFR tracking is part of prudential supervision
Corporate Tax:
- ICFR documentation helps justify financial positions, intercompany pricing, and digital record-keeping mandates under Federal Decree-Law No. 47 of 2022
ICFR Dashboard Metrics to Monitor
|
Metric |
Target |
|
% Key Controls Tested |
≥ 90% |
|
% Controls Rated Effective |
≥ 85% |
|
% Deficiencies Remediated On Time |
≥ 95% |
|
% Automated Controls |
Year-on-Year Increase |
|
% Entity-Level Controls Documented |
100% |
Certification Timing and Readiness Tips
- Complete all control testing and remediation before financial year-end
- Schedule a dry-run audit or readiness review with internal audit or advisors
- Ensure documentation is audit-ready: clear, versioned, signed-off
- Communicate assertion wording and responsibilities to C-suite early
How Crowe Can Support ICFR Certification
We assist in:
- Preparing ICFR summary and dashboard reports
- Drafting management assertion letters
- Supporting auditor walkthroughs and ICFR reviews
- Facilitating SCA or CBUAE submission packages
- Acting as independent advisors to validate ICFR program maturity
Coming Next Week: Final Week of the ICFR Series
In our concluding session, we’ll spotlight ICFR Across Industries, highlighting how financial reporting risks and control practices differ in sectors such as banking, real estate, retail, manufacturing and tech. Don’t miss the final instalment as we bring the series to a practical close with real-world applications.
Contact Us
