How to use this template
The template below structures the six foundational sections of a working ICFR programme. Each section contains the substantive items that must be addressed regardless of organisation size or regulatory regime (SOX, NI 52-109, or both for MJDS issuers). The template is structural; the specific instantiation depends on the organisation's reporting regime, entity scope, and operating environment.
For organisations building an ICFR programme from a low maturity base, work through the sections in order. For organisations operating an existing programme, the template can be used as a diagnostic — walk through each item and assess whether the current programme addresses it substantively.
Programme foundations
- Confirm regulatory regime applicability: SOX 302/404/906 for SEC issuers; NI 52-109 for Canadian reporting issuers; both for MJDS issuers
- Confirm filer status (accelerated, large accelerated, non-accelerated, EGC, SRC); filer status determines whether the 404(b) auditor attestation requirement applies
- Identify in-scope reporting period and entities (consolidation scope; significance thresholds; joint ventures and equity-method affiliates)
- Establish programme governance: ICFR programme owner (typically Controller or Internal Audit Director); steering committee composition; reporting cadence to audit committee
- Document programme charter including scope, methodology references, deficiency severity framework, escalation protocols
COSO 2013 framework deployment
- Document the five COSO components and seventeen principles applicable to the entity
- For each principle, document the points of focus the organisation has assessed and the design choices made
- Identify entity-level controls (ELCs) that operationalise each principle; map ELCs to specific principles
- Document the integrated control framework — how ELCs interact with process-level and IT general controls (ITGCs)
- Establish principle-by-principle effectiveness conclusions; identify and address any principles where design or operation is inadequate
Risk and control matrix (RCM)
- Identify significant accounts and disclosures based on quantitative materiality and qualitative considerations (volatility, complexity, accounting estimates)
- For each significant account, identify relevant assertions (existence, completeness, valuation, rights and obligations, presentation and disclosure)
- Identify processes that affect each significant account and assertion (revenue, expenditure, payroll, treasury, period-close, IT operations, etc.)
- Document key controls within each process that address the relevant risks — preventive and detective
- For each key control: document control owner, frequency, automation level, evidence of operation, dependency on ITGCs
- Map IT general controls (ITGCs) to the application controls they support; assess ITGC effectiveness as a precondition for relying on automated controls
Testing approach
- Determine testing scope by control type: design effectiveness testing; operating effectiveness testing; rollforward testing
- Set sample sizes based on control frequency and risk: typically larger samples for higher-frequency, higher-risk controls
- Document testing methodology: walkthrough, inquiry, observation, examination, reperformance
- Conduct testing on the prescribed schedule (typically interim and rollforward for SOX 404; annual for many NI 52-109 controls)
- Document testing evidence to a standard supporting both management certification and external auditor reliance where applicable
- Identify deficiencies and classify by severity (deficiency, significant deficiency, material weakness) using COSO/PCAOB-aligned criteria
Deficiency tracking and remediation
- Maintain a deficiency log with deficiency description, root cause, severity classification, control affected, accountable owner, target remediation date
- For each significant deficiency or material weakness: document the remediation plan, intermediate milestones, and evidence requirements for closure
- Track remediation progress on the established cadence; escalate slipping items appropriately
- Test remediated controls under operating effectiveness procedures; do not assume remediation effectiveness without testing
- Document the year-end deficiency conclusion: whether any material weaknesses require disclosure, and whether any significant deficiencies require communication to the audit committee
Certification and disclosure preparation
- Prepare management's assessment of ICFR effectiveness for inclusion in the relevant filing (10-K Item 9A; 20-F Item 15; 40-F equivalents; NI 52-109 F1)
- Confirm the framework used (typically COSO 2013) and disclose accordingly
- Identify and disclose any material weaknesses with appropriate severity assessment and remediation status
- Prepare CEO/CFO certification language consistent with the applicable regulatory regime (SOX 302/906; NI 52-109 prescribed forms)
- Coordinate with external auditor on attestation (where 404(b) applies): provide the RCM, testing evidence, deficiency log, and management assessment as the basis for the auditor's independent work
For deeper treatment
The companion article ICFR for the cross-border listed entity covers the substantive divergence points between SOX and NI 52-109 at engagement depth. The SOX vs NI 52-109 quick-reference matrix provides the side-by-side comparison.
