Internal Control over Financial Reporting, in the formal sense established by the Sarbanes-Oxley framework in the US and adopted in various forms across other jurisdictions including parts of the GCC, was conceived as a continuous discipline embedded in the institution’s operating model. The COSO Internal Control — Integrated Framework, in its 2013 revision, describes five components — control environment, risk assessment, control activities, information and communication, and monitoring activities — that operate continuously across the institution’s processes and that together produce the reasonable assurance that financial reporting is reliable.

In practice, ICoFR in many institutions has settled into a different operating model. The five components exist on paper. The substantive activity, however, concentrates in a quarterly or annual testing cycle, typically conducted in the run-up to year-end audit, in which a sample of controls is tested for evidence of operation. The institution receives a report identifying control deficiencies, addresses the most material of them, and proceeds to the next cycle.

The gap between continuous ICoFR and periodic testing ICoFR is the gap that most often surfaces material weaknesses when external review — by auditors, by regulators, or by acquirers in due diligence — examines the framework. The substantive difference is not in the controls themselves. It is in whether the controls are operating continuously or only at the points the institution looks at them.

COSO 2013 — what the framework actually asks for

The 2013 update to the COSO framework introduced seventeen principles distributed across the five components, each of which the institution is expected to address explicitly. The principles are not optional. The framework expects that each of the seventeen is present and functioning in the institution’s control environment, with the evidence retrievable.

The seventeen principles are detailed in the framework itself and reproduced widely in audit and compliance literature, so a comprehensive recitation here is not useful. What is useful is to note the framework’s substantive direction. The principles are written in the present tense — the organisation demonstrates a commitment to integrity, the board exercises oversight, management establishes structures, the organisation specifies suitable objectives, and so on. The verbs are operational. The framing assumes continuous operation, with evidence of operation continuously available.

The framework’s substantive expectation is not consistent with an operating model in which the institution’s primary ICoFR activity is a periodic testing exercise. The expectation is that the institution operates the framework continuously and tests its operation periodically. These are different things.

Design effectiveness and operating effectiveness — substantively distinct

The two concepts most central to ICoFR practice, and most consistently conflated in conversation, are design effectiveness and operating effectiveness. They assess substantively different aspects of a control.

Design effectiveness asks whether the control, if it operates as designed, would address the relevant risk. A reconciliation control between two systems is designed effectively if the reconciliation logic, the frequency, the review, and the exception escalation are configured in a way that would detect material discrepancies if they exist. The design assessment is largely a documentation exercise — the institution can demonstrate design effectiveness by showing the control’s design specification and explaining why it addresses the risk.

Operating effectiveness asks whether the control, in practice, has been operating as designed. The same reconciliation control is operating effectively if the reconciliations have actually been performed at the specified frequency, the reviews have actually been documented, the exceptions have actually been escalated, and the evidence of all of this is retrievable for the period under examination. The operating assessment is a testing exercise — the institution can demonstrate operating effectiveness only by examining a sample of the control’s operation over the period.

A control can be designed effectively and not operate effectively. This is the most common failure mode in practice. The control specification is sound. The actual execution has drifted. Reconciliations have been performed but reviews have not been documented. Exceptions have been identified but escalation has not been consistent. The evidence trail has gaps. The design assessment passes. The operating assessment fails. The institution discovers this during testing, with limited time to remediate before audit completion.

A control can also operate effectively and not be designed effectively. This is less common but more difficult to address. The control is being performed diligently, but the control as designed does not actually address the risk it is intended to address. The operating assessment passes — the control is doing what the design specifies. The design assessment fails — the design specifies the wrong thing. This kind of finding usually surfaces when external review takes a substantive view of whether the control addresses the underlying risk rather than testing the control against its own specification.

Where material weaknesses cluster

Across ICoFR engagements we have conducted or supported for institutions in the GCC and across the broader market, the material weaknesses identified tend to cluster in two areas with substantial consistency.

The first cluster is in information technology general controls. Access management, change management, computer operations, and program development — the four standard ITGC categories — are areas where the gap between policy and practice tends to be widest. Access management findings most often arise from joiner-mover-leaver processes that have weakened over time, with terminated employees retaining system access, role changes not being reflected in access entitlements, and segregation of duties violations occurring through accumulated permissions. Change management findings most often arise from emergency change processes that have become routine, from production access that has expanded beyond the authorisation it was originally granted under, and from change approval evidence that exists but does not consistently link to the change implemented. These are findings that institutions can address, but they tend to be findings that recur cycle after cycle because the underlying processes have not been substantively redesigned.

The second cluster is in manual journal entries. The journal entry process is, in most institutions, the area of financial reporting with the largest residual manual component, the highest concentration of judgement, and the most direct path to material misstatement if controls fail. The risks include inappropriate journal entries posted without proper authorisation, journal entries posted outside business hours or by users with conflicting roles, and journal entries that move balances across accounts in ways that obscure rather than reveal the underlying transaction. The controls that address these risks — authorisation thresholds, segregation of duties on posting and review, exception reporting on unusual entries, audit committee review of significant manual adjustments — are well understood, but they are also areas where operating effectiveness most often weakens over time.

The clustering is consistent across jurisdictions and institutional types because the underlying conditions are consistent. Both areas involve substantial volumes of activity, both rely heavily on individual user behaviour rather than purely systemic controls, and both are areas where small drift in operational practice produces material control gaps over time.

Continuous versus periodic — what the substantive difference looks like

The institutions whose ICoFR frameworks operate as continuous discipline rather than as periodic testing tend to share several specific characteristics.

Controls are monitored as they operate, not just tested in arrears. Automated controls produce real-time exception reports that route to control owners for resolution. Manual controls have monitoring metrics — completion rates, review evidence, exception volumes — that are reviewed on a frequency proportional to the control’s criticality. The monitoring activity is operationally separate from the testing activity, and the monitoring runs continuously while the testing runs periodically.

Control owners are identified at a level granular enough to be operationally accountable. The control over a specific reconciliation has a named owner who is responsible for its operation, with that responsibility documented in their role description and reflected in their performance management. ICoFR is not a corporate function’s discipline; it is the operational responsibility of the people who execute the controls.

Exception management is treated as a continuous discipline. Exceptions identified through control operation are tracked through to resolution, with explicit governance on closure and explicit escalation when exceptions remain open beyond defined thresholds. The exception register is itself a control, and its quality is one of the most informative metrics for whether the ICoFR framework is functioning as designed.

The relationship with internal audit is collaborative but structurally distinct. Internal audit provides independent assurance over the ICoFR framework. The ICoFR function, sitting within finance or within enterprise risk, owns the framework’s operation. The two functions exchange information but do not duplicate each other’s work. The institution that has internal audit testing the same controls that the ICoFR function is testing is using its audit resources less efficiently than the framework requires, and is producing duplicate findings that obscure rather than illuminate the residual risk position.

A closing observation

Closing that gap is rarely a technical exercise. It is an operational discipline exercise — the work of treating control operation as a continuous responsibility rather than as an annual deliverable, of building monitoring that surfaces drift before the testing cycle identifies it, and of clarifying the relationship between control operation, control testing, and independent assurance so that each function does what only that function can do.

Annual testing demonstrates that controls were operating at points in time. Continuous monitoring demonstrates that the institution has the capability to identify control failures when they occur. The supervisory and audit direction of travel, across jurisdictions, is increasingly toward expecting the second rather than only the first. The institutions that have built that capability tend to find their external review cycles substantively easier than those that have not, and the difference compounds over time.