Handbook: Internal control over financial reporting

Handbooks | December 2025

Our guide to designing, implementing and maintaining an effective system of internal control over financial reporting.

Using Q&As and examples, KPMG provides interpretive guidance on the key elements of a risk-based approach to the design, implementation and maintenance of an effective system of internal control over financial reporting (ICFR) using the COSO Internal Control – Integrated Framework. The Handbook addresses hot topics such as precision of controls, information used in controls, controls at service organizations, cybersecurity and evaluation of control deficiencies. It also introduces considerations related to a company’s use of artificial intelligence (AI) and automation in the financial reporting process and provides guidance for management’s assessment of the effectiveness of ICFR. 

Applicability

  • All companies

Relevant dates

  • Effective immediately

Key impacts

Effective ICFR provides many benefits: promoting accountability, safeguarding a company’s assets from fraud or significant loss, maintaining integrity of financial data and transactions, facilitating compliance with the applicable financial reporting and statutory compliance frameworks, and enabling information flows across the entity. Simply put, ICFR forms the bedrock of public and investor confidence in the capital markets. Without effective ICFR, companies risk significant financial and reputational harm.

Although the Sarbanes-Oxley Act of 2002 (SOX) is more than 20 years old, ICFR remains in the spotlight as an essential part of an entity’s financial reporting agenda. One reason for this is that continuous change is now the normal state for many companies. For example, companies continue to implement increasingly complex systems as well as AI and automation to support financial reporting and operating performance. External factors also contribute to companies facing new and evolving risks – the recent pandemic, international conflicts and an uncertain economic environment. Effective ICFR is needed to manage these risks.

In this Handbook, we discuss and illustrate the key elements of a risk-based approach to the design, implementation and evaluation of ICFR using the predominant framework employed in practice – the 2013 Internal Control – Integrated Framework published by the Committee of Sponsoring Organizations of the Treadway Commission. The Handbook also addresses a number of hot-button issues that are focus areas for management and regulators, including cybersecurity matters and the use of AI.

Report contents

  • Entity-level controls
  • Risk assessment
  • Process understanding
  • Process control activities
  • Information used in controls
  • General IT controls, including cybersecurity considerations
  • Service organizations
  • Identifying and evaluating deficiencies
  • Artificial intelligence and automation


Meet our team

Michal Dusza
Partner, Dept. of Professional Practice, KPMG US
Jennifer Klebold
Senior Manager, Dept. of Professional Practice, KPMG US
