Rapid Momentum Consulting

A twelve-question diagnostic of your organisation's internal controls over financial reporting (ICFR) programme. Designed for finance leadership, audit committee members, and internal audit at listed entities subject to SOX 404, NI 52-109, or equivalent regimes.

0 of 12 questions answered

Foundations

1.Does your organisation have a documented ICFR programme charter approved by the audit committee?

Yes, current and reviewed annually
Yes, but it hasn't been reviewed for 2+ years
We operate the programme but no formal charter exists
No documented programme

2.What control framework underpins your ICFR programme?

COSO 2013 (Internal Control — Integrated Framework), with all 17 principles addressed substantively
COSO 2013, but principles-level assessment is partial
COCO, Turnbull, or other recognised framework
An internal framework not anchored to a recognised standard

3.How comprehensive is your risk-and-control matrix (RCM)?

Maps significant accounts → assertions → processes → controls → ITGCs, kept current
Covers most significant accounts but has known gaps
Exists at high level but lacks process or control detail
No formal RCM in place

Operations

4.What is your testing cadence for key controls?

Interim testing plus year-end rollforward testing for SOX 404 / NI 52-109
Annual substantive testing with documented evidence
Annual walkthroughs only, limited substantive testing
Ad hoc or no consistent testing schedule

5.How do you track and classify control deficiencies?

Logged with severity classification (deficiency / significant / material weakness), remediation owners, and tracked closure
Logged but without consistent severity classification
Informally tracked by the audit team
No formal deficiency tracking

6.How mature is your IT general controls (ITGC) framework supporting automated controls?

Documented across access, change, operations, and backup; tested annually
Documented but testing coverage is partial
Informally addressed without dedicated ITGC framework
ITGCs not specifically addressed in the ICFR programme

Reporting & Governance

7.What is your audit committee reporting cadence on ICFR?

Each scheduled meeting with formal ICFR status report including deficiency log
Semi-annual or quarterly formal report
Annual only, at year-end
Ad hoc or only when material issues arise

8.Do you have established CEO/CFO certification protocols (SOX 302/906 or NI 52-109 F1/F2)?

Structured sub-certification process from process owners up to CEO/CFO
CEO/CFO certify directly without sub-certification process
Certification happens but without a defined process
Not applicable (organisation not subject to certification requirement)

9.Is your evidence documentation calibrated for external auditor reliance (PCAOB AS 2201 standard)?

Yes, evidence supports auditor independent attestation requirements
Sufficient for management certification but not for SOX 404(b) attestation
Documentation is thin or inconsistent
Not applicable (no external attestation requirement)

Cross-border considerations

10.Does your organisation have cross-border ICFR exposure (MJDS, dual-listing, or multi-regime requirements)?

MJDS issuer or dual-listed, with programme designed to satisfy both regimes substantively
MJDS issuer or dual-listed, but programme primarily oriented to one regime
Single-regime, domestic-only
Not certain of the applicable regime(s)

11.How are control deficiencies remediated through to closure?

Remediation plans with milestones; tested before closure is confirmed
Remediation documented but not always tested before closure
Ad hoc remediation without consistent verification
Remediation is informal

12.Is your ICFR programme positioned to extend to emerging disclosure controls (climate, sustainability, AI/automation)?

Active extension underway with explicit governance
Monitoring the developments; no extension yet
Not on the immediate agenda
Not aware of the implications

ICFR maturity self-assessment

Foundations

Operations

Reporting & Governance

Cross-border considerations

Companion content