ICFR Assessment

Internal Controls Over Financial Reporting Assessed with Precision

Independent ICFR Evaluation

We conduct thorough assessments of your internal controls over financial reporting against COSO framework standards and public company expectations.

Gap Identification and Prioritization

We identify control gaps, design weaknesses, and operating failures -- and help you prioritize remediation based on financial reporting risk.

Audit-Ready Documentation

Every assessment produces documentation your external auditors can work with directly -- process narratives, risk and control matrices, and a clear summary of findings.


100+

Successful transactions completed

20+

Years of experience

$5 - 50m

Average size of transaction

$20-200m

Average market cap of clients across tech, manufacturing & services

ICFR Assessment for Public and Pre-Public Companies

What makes us different?

Internal controls over financial reporting are the foundation of reliable financial statements and a prerequisite for SOX compliance. But for many companies — particularly those that are newly public or approaching an IPO — the existing control environment has not been formally assessed against the standards that public company auditors apply. The result is often a gap between what management believes exists and what auditors find when they test.

Corviniti conducts ICFR assessments that give management a clear, honest picture of the current control environment — what is working, what is not, and what needs to be addressed before the next audit cycle. We evaluate controls across all significant financial reporting processes, assess design and operating effectiveness, and deliver findings in a format that supports a direct path to remediation.

Our assessments are built on Big 4 audit methodology — the same standards external auditors apply when they evaluate ICFR. That means our findings are reliable, our gap analysis is practical, and the documentation we produce is organized the way auditors expect to see it.

We help with:
  • ICFR Gap Analysis: Identify areas where controls are missing, poorly designed, or not operating effectively across all significant financial reporting processes.
  • Control Design Assessment: Evaluate whether existing controls are designed to prevent or detect material misstatements, and identify design deficiencies that need to be addressed.
  • Operating Effectiveness Testing: Test whether controls are actually functioning as designed — the most common source of audit findings for companies with documented but unverified control environments.
  • Entity-Level Controls Assessment: Evaluate the tone at the top, governance structures, and oversight mechanisms that form the foundation of an effective control environment under COSO.
  • Process-Level Controls Assessment: Assess key controls across financial close, revenue, accounts payable, payroll, treasury, and other significant financial reporting processes.
  • IT General Controls Assessment: Evaluate IT general controls — access management, change management, and computer operations — that underpin the reliability of financial systems.
  • Deficiency Classification: Classify identified control gaps as control deficiencies, significant deficiencies, or material weaknesses based on their potential impact on financial reporting.
  • Risk and Control Matrix Preparation: Prepare or update risk and control matrices for each significant process, mapping financial reporting risks to the controls that address them.
  • Remediation Roadmap: Deliver a prioritized remediation roadmap that identifies what needs to be fixed, in what order, and what the timeline should be before the next audit.
  • Pre-Audit Readiness Assessment: Conduct a final ICFR assessment immediately before the external audit to identify any remaining gaps and confirm that the control environment is ready for auditor testing.

Why Choose Us?

Big 4 expertise, boutique agility

Corviniti conducts ICFR assessments using Big 4 audit methodology — the same standards your external auditors will apply. Our findings are reliable, our documentation is audit-ready, and our remediation recommendations are practical.

Startups and US Capital Markets are our focus

From pre-IPO companies undergoing their first ICFR assessment to established public companies managing an annual SOX cycle, Corviniti provides assessments that give management the clear picture they need to act.

Contact Us To Learn More

Tell us about your company, your current control environment, and your audit timeline. We will respond within 24 hours.


Learn More From Frequently Asked Questions

Internal controls over financial reporting (ICFR) are the policies, procedures, and processes a company uses to ensure that its financial statements are reliable and free from material misstatement. For public companies, management is required to assess and certify the effectiveness of ICFR annually under SOX Section 404. For pre-IPO companies, building an effective ICFR framework is a prerequisite for going public — external auditors will assess it, and gaps identified late in the process are disruptive and expensive to fix.

An ICFR assessment is a management-side evaluation of the control environment — we conduct it on your behalf to identify gaps and prepare you for external review. A SOX audit is conducted by your external auditors, who independently test controls and form their own conclusion on ICFR effectiveness. The two are complementary — an ICFR assessment by Corviniti prepares you for the external auditors’ assessment.

We assess controls across all significant financial reporting processes — typically including the financial close and reporting process, revenue and accounts receivable, procurement and accounts payable, payroll and human resources, treasury and cash management, and IT general controls. The exact scope depends on the company’s size, industry, and financial reporting risks.

For a typical growth-stage or mid-market company, an initial ICFR assessment takes four to six weeks. This includes process walkthroughs, control documentation review, testing of key controls, deficiency assessment, and delivery of the gap analysis and remediation roadmap. More complex organizations take longer.

Six months is tight but workable for many companies, depending on the current state of the control environment. We would conduct an accelerated assessment, prioritize the highest-risk gaps for immediate remediation, and help manage the timing so that controls are operational and documented before your PCAOB auditors begin their work. The earlier you engage, the more options you have.

Yes. Most ICFR assessment engagements flow directly into remediation support — designing the missing or deficient controls, updating process documentation, implementing changes, and re-testing to confirm effectiveness. We stay engaged through the remediation cycle, not just through the assessment.

Yes. We regularly work with foreign private issuers and companies with cross-border structures, including IFRS reporting, US GAAP reconciliations, and multi-entity consolidations for companies with domestic and international subsidiaries.

In most cases, we can begin within a few days of finalizing our agreement. Our onboarding process is straightforward — a brief discovery session, a clear statement of work, and secure access setup. We do not have lengthy intake procedures that delay the start of actual work.