Service 06 — Controls

ICOFR Implementation & Testing

Riskweise implements Internal Controls Over Financial Reporting (ICOFR) frameworks aligned with COSO 2013 — covering risk-control matrix design, walkthroughs, operating effectiveness testing, deficiency remediation, and management attestation support — for GCC banks, NBFCs, fintechs, and listed entities.

ICOFR engagements range from first-time implementation to remediation of audit findings to ongoing testing programs. The framework supports management attestation, external auditor coordination, and audit committee reporting under the supervisory and listing-authority requirements of every GCC jurisdiction.

Methodology

How we approach it.

01 — Component

Framework design

Risk and control environment assessment, financial reporting process mapping, control identification and classification (entity-level, process-level, IT general), risk-control matrix development, and ICOFR policy and governance documentation.

02 — Component

Control testing

Design effectiveness testing through walkthroughs, operating effectiveness testing through sampling, deficiency identification with explicit severity classification, remediation action tracking and re-testing, and full testing documentation and evidence management.

03 — Component

Governance & reporting

Management assessment and attestation support, audit committee reporting frameworks, external auditor coordination and readiness, ongoing monitoring program design, and annual ICOFR cycle planning and execution.

What we deliver

Concrete outputs.

  • ICOFR policy and governance documentation
  • Risk-control matrix mapped to financial reporting processes
  • Control identification (entity-level, process-level, IT general)
  • Walkthrough documentation for design effectiveness
  • Operating effectiveness testing results with sampling
  • Deficiency tracker with severity classification
  • Remediation plans and re-testing evidence
  • Management attestation pack for audit committee

Who this is for

The fit.

  • Listed entities subject to external audit attestation
  • Banks and financial institutions under regulatory ICOFR requirements
  • NBFCs and fintechs preparing for first audit cycle
  • Banks responding to ICOFR deficiency findings
  • Institutions consolidating ICOFR across cross-border subsidiaries
  • Listed entities preparing for IPO or new market listing

Common questions

Questions we get asked.

Who needs ICOFR in the GCC?

Listed entities on GCC exchanges (DFM, ADX, Tadawul, BHB, QSE, Boursa Kuwait, MSX) generally have ICOFR attestation requirements. Banks and licensed financial institutions face ICOFR expectations from their central bank regardless of listing status. NBFCs and fintechs typically need ICOFR ahead of external audit and licensing milestones. The level of formality scales with size and listing status.

What does COSO 2013 alignment mean?

COSO 2013 is the global standard framework for internal control, structured around five components and seventeen principles. Alignment means the institution's ICOFR framework explicitly addresses each principle — control environment, risk assessment, control activities, information and communication, and monitoring activities. External auditors and regulators reference COSO 2013 directly when assessing framework adequacy.

How are deficiencies classified?

Three tiers: control deficiency (a control gap that does not rise to material weakness), significant deficiency (gap material enough to merit audit committee attention but not Board), and material weakness (gap creating reasonable possibility of material misstatement). Classification drives both remediation urgency and disclosure requirements — material weaknesses typically need formal disclosure under listing rules.

How long does an ICOFR implementation take?

First-time implementation for a mid-sized bank or listed entity: 16-24 weeks including framework design, control identification, walkthroughs, and first testing cycle. Smaller NBFCs or fintechs: 10-14 weeks. Remediation engagements following audit findings: 6-12 weeks depending on deficiency scope. Annual testing cycles thereafter: 8-12 weeks.

Do you coordinate with external auditors?

Yes. We work alongside (or directly with) your external auditors so the ICOFR framework, control testing, and documentation are organised to their expectations. This avoids the common failure mode where management ICOFR work and auditor ICOFR work duplicate or conflict — both teams end up working from the same risk-control matrix and testing evidence.

Is ICOFR separate from internal audit?

Yes — they overlap but serve different purposes. ICOFR is a management process for financial reporting integrity. Internal audit is an independent assurance function reviewing the institution as a whole. Internal audit may test ICOFR as part of its plan, but the ICOFR framework itself is owned by management and reports to the audit committee. Riskweise handles both, separately, with clear role distinction.

Get in touch

Tell us about your controls engagement.

We respond within one business day. No agency-style discovery process — straight to scope, fit, and what you actually need.

Start the conversation