Starting Point: A Disclaimer Audit That Raised Serious Concerns
A year ago, a client reached out to us with a critical issue. Their statutory auditor-one of the Big 6-had issued a disclaimer opinion on their Internal Controls over Financial Reporting (ICFR). The issue wasn’t about fraud or misconduct. The company simply didn’t have any formal documentation in place. There were no Standard Operating Procedures (SOPs), no Risk Control Matrix (RCM)-nothing that could give an auditor confidence in their internal controls.
For an investor-driven company, this wasn’t just a red flag-it was a fire alarm. Investors, independent directors, and the board took it seriously. The goal was clear: get the internal controls in place and move from a disclaimer audit to a clean one before the next review cycle.
That’s when they brought us in.
What We Were Asked to Do ?
We were given a specific mandate:
- Document SOPs for all key financial processes.
- Build a comprehensive Risk Control Matrix tailored to Big 6 expectations.
- Test the controls to identify design or implementation weaknesses.
This wasn’t a surface-level documentation exercise. It required deep involvement with the company’s teams and a clear understanding of the auditor’s expectations.
The Timeline We Worked With
We kicked off the implementation in January and wrapped it up by June, working in two focused phases.
Phase 1: Understanding Processes and Designing Controls
We started with interviews across key functions to map out financial processes. Based on these, we created SOPs and built the initial RCM.
We then conducted ICFR testing for the period of April to December, giving us enough data to assess real control gaps. We submitted an interim report by February, which gave the company a one-month window to fix the major design issues.
That short window mattered more than you might think.
According to the Guidance Note on ICFR by ICAI, if a company fixes its design gaps before the year-end, the auditor isn’t required to issue a modified opinion. That’s why we worked quickly and ensured our report was ready in time.
Phase 2: Final Testing and Auditor Engagement
In April, we entered the second phase. We completed a round of control testing, updated documentation, and compiled the final report. We submitted it to the board and shared it with the audit team.
We also joined a detailed call with the auditors to answer their questions and walk them through the approach. We knew they’d be looking closely-this was a complete turnaround from the prior year.
The result? The auditors acknowledged the improvement. The board received a clean ICFR audit report-a major step forward for the company.
Why This Case Study Matters?
At first glance, this may seem like a simple audit story. But it’s more than that.
This is a clear example of how companies can move from reactive to proactive compliance when they commit to structured internal control design. It also highlights the critical role of timing, documentation, and collaboration in achieving audit success.
Here are a few key takeaways from the project:
- Start early. Don’t wait for the audit cycle to begin before thinking about ICFR.
- Collaborate with auditors. Keeping them in the loop helped us build trust and reduce the chances of surprise objections.
- Invest in SOPs and RCMs. These aren’t just documentation exercises; they are the foundation of your internal control system.
- Design gaps can be fixed mid-year. As long as you do it before the reporting period ends, you may still avoid a modified opinion.
Our Perspective: Building Trust Through Compliance
At MSNA, we treat these projects not as audit checkboxes but as opportunities to build business resilience.
We know that for investor-driven companies, compliance isn’t just about meeting statutory requirements but also about building trust with stakeholders. That trust starts with strong internal processes and the willingness to address gaps proactively.
What made this case special wasn’t just the clean audit report. It was the fact that everyone-from the CFO to process owners-came together to own the problem and fix it the right way.
What’s Next for Companies Like This?
Internal control failures are rarely intentional. More often, they’re the result of rapid growth, outdated documentation, or resource constraints. But none of these are reasons to accept a disclaimer audit report as the norm.
If you’re facing a similar situation, know this: you can fix it. You just need the right structure, a focused timeline, and a team that knows what auditors expect.
Want to Strengthen Your ICFR Compliance?
We’ve done this before, and we can help you build a roadmap from documentation gaps to audit readiness. Whether you’re preparing for your first ICFR audit or trying to improve last year’s result, we can support you every step of the way.
Let’s talk about your ICFR journey.
Discover more from MSNA & Associates LLP
Subscribe to get the latest posts sent to your email.
