ICFR Compliance: What Public Interest Entities in Nigeria Must Do in 2026


Let me ask you a question that keeps compliance officers awake at night.

Is your organisation ready for ICFR?

If you are a Public Interest Entity in Nigeria, the answer needs to be yes. The Financial Reporting Council has made that clear.

The year 2026 marks a critical period for compliance with Internal Control over Financial Reporting requirements. Following the expanded definitions under the Financial Reporting Council of Nigeria (Amendment) Act, 2023, more organisations than ever fall under this mandate.

This guide walks you through everything you need to know. What ICFR is. Who must comply. What you need to do. And how to build a system that works.

If you need professional support, our ICFR compliance and internal controls advisory for Nigerian PIEs can help you navigate the requirements.


What is Internal Control over Financial Reporting?

Before diving into compliance requirements, let us understand what ICFR actually means.

According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), internal control is defined as “a process, carried out by the board of directors, the administration and other personnel of an entity, designed to provide reasonable security with respect to the achievement of objectives in operations, financial reporting, and compliance with applicable laws and regulations.”

In plain language, ICFR refers to the processes, policies, and procedures that ensure your financial reports are reliable.

The system covers recording, processing, summarising, and reporting financial transactions. It also includes safeguarding assets and preventing fraud.

ICFR is not just a policy document sitting on a shelf. It is an active process involving people at all levels of your organisation.

For a broader perspective on governance, check out our corporate governance framework for Nigerian companies.

Who must comply? Expanded definition of Public Interest Entities

Understanding whether your organisation qualifies as a PIE is the first critical step.

The Financial Reporting Council of Nigeria (Amendment) Act, 2023 broadened the scope significantly.

Listed companies on the Nigerian Exchange and other recognised stock exchanges are PIEs.

Financial institutions regulated by the Central Bank of Nigeria, including banks, insurance companies, pension fund administrators, and other financial service providers are PIEs.

Non-listed entities regulated by sector-specific regulators, including the Nigerian Communications Commission (NCC), Nigerian Electricity Regulatory Commission (NERC), Nigerian Civil Aviation Authority (NCAA), National Insurance Commission (NAICOM), and other sectoral regulators, are PIEs.

Entities engaged in public works by any tier of government with annual contract sums of ₦1 billion and above, settled from public funds are PIEs.

High-turnover entities with annual turnover of ₦30 billion and above are PIEs.

Government entities and government organisations at all levels are PIEs.

Companies required to file returns with regulatory authorities (excluding private companies that only file with CAC and FIRS) are PIEs.

This expansion means many private companies that previously fell outside the FRC’s regulatory purview must now comply. Organisations must carefully assess whether they meet any of these criteria.


Key regulatory updates and compliance timelines for 2026

The regulatory landscape continues to evolve. Several important developments affect PIEs in 2026.

National Repository Portal (NRP) implementation.

Effective January 21, 2025, the Financial Reporting Council of Nigeria introduced the National Repository Portal to enhance compliance and streamline financial reporting. All PIEs must now register on this portal and submit their financial statements and ICFR reports through this centralised system.

Second year of mandatory ICFR compliance.

With the mandate effective from financial years ending on or after 31 December 2024, 2025 marked the first year of mandatory compliance. For financial years ending in 2026, PIEs must have fully operational ICFR systems in place and must report on their effectiveness.

Organisations that implemented ICFR in 2024 should now focus on refining their processes and addressing identified weaknesses.

Public sector agencies waiver.

A one-year waiver has been granted to Public Sector Agencies regarding mandatory submission of ICFR reports. However, this does not exempt public sector entities from establishing ICFR systems. It merely extends the reporting timeline.

FRC guidance on management report on ICFR.

The FRC issued its Guidance on Management Report on Internal Control Over Financial Reporting (ICFR) on May 26, 2024. This guidance provides comprehensive directives for management assessment and reporting including documentation requirements, framework selection, annual assessment procedures, reporting formats, and treatment of material weaknesses.

For help with NRP registration, our FRC National Repository Portal registration assistance can help.

What PIEs must do: essential compliance requirements

Compliance with ICFR requirements involves multiple interconnected responsibilities. Here is what your organisation must accomplish in 2026.

1. Register with the FRC and NRP.

Every PIE must register with the Financial Reporting Council through the appropriate category on the online portal. Categories include professional firms, not-for-profit organisations, public sector entities, and companies and enterprises.

Individual professionals such as directors, CFOs, and CEOs should also register on the portal to facilitate their roles.

2. Establish and maintain ICFR systems.

Management is responsible for designing, implementing, and maintaining a robust system of internal controls. This system must address five components.

Control environment means establishing a culture of integrity, ethics, and accountability at all organisational levels.

Risk assessment means identifying and analysing risks to reliable financial reporting, including both internal and external risks.

Control activities means implementing specific policies, procedures, and mechanisms to mitigate identified risks.

Information and communication means ensuring relevant financial information flows efficiently throughout the organisation.

Monitoring activities means conducting ongoing and periodic evaluations of control effectiveness.

3. Adopt a recognised control framework.

Management must base its evaluation of ICFR effectiveness on a suitable, recognised control framework. While the FRC does not mandate a specific framework, the COSO Internal Control – Integrated Framework (2013) is highly recommended and widely used.

Organisations may consider other internationally recognised frameworks but must clearly identify the framework used in their management reports.

4. Conduct annual assessments.

Management must conduct an annual evaluation of internal control effectiveness and include a report in the company’s annual report.

This assessment must evaluate the design and implementation of controls, test the operating effectiveness of controls, identify and document any deficiencies or material weaknesses, conclude on overall ICFR effectiveness as of the fiscal year-end, and disclose any material weaknesses.

After the first year of implementation, subsequent evaluations should focus more on changes in risks and controls rather than complete re-identification.

5. Maintain documentation and evidence.

Adequate documentation is critical. Organisations must maintain documentation of significant processes and transaction flows, Risk and Control Matrices mapping risks to controls, control design documentation, evidence of control performance, testing results and conclusions, remediation plans, and management’s evaluation methodology.

Documentation should be updated annually rather than recreated from scratch.

6. Obtain independent attestation.

External auditors are required to independently review management’s ICFR assessment and issue a separate attestation report. This may be conducted as part of an integrated audit.

Importantly, to preserve auditor independence, management’s responsibility for ICFR assessment cannot be delegated to external auditors.

7. Report effectively.

The entity’s annual report must include a management report on ICFR containing a statement of management’s responsibility, identification of the control framework used, management’s assessment of ICFR effectiveness, disclosure of any material weaknesses, and the auditor’s attestation report.

For support with implementation, our ICFR framework design and implementation services can help.

Implementing ICFR: a practical approach

Organisations new to ICFR should consider this structured implementation approach.

Phase 1: Planning and scoping (months 1 to 2).

Establish governance structures with a steering committee and executive sponsorship. Conduct scoping analysis to identify significant accounts, processes, and locations. Select the control framework and document the decision. Develop project plans defining timelines, resources, and milestones. Secure budget and personnel. Engage stakeholders including the board, management, and process owners.

Phase 2: Risk assessment and process documentation (months 3 to 5).

Document significant processes with narratives and flowcharts for all significant transaction cycles. Identify financial statement assertions mapping processes to existence, completeness, valuation, rights and obligations, and presentation and disclosure. Assess risks identifying what could go wrong at each step. Determine control objectives. Evaluate entity-level controls including tone at the top, code of conduct, whistleblower mechanisms, and board oversight.

Phase 3: Control design and documentation (months 6 to 8).

Design control activities including preventive and detective controls, authorisations, reconciliations, reviews, system controls, and segregation of duties. Create control documentation for each control’s objective, frequency, performer, and evidence. Develop Risk and Control Matrices linking risks to controls. Address IT general controls including system access, change management, data backup, and IT operations. Design monitoring activities.

Phase 4: Control implementation and testing (months 9 to 11).

Implement controls across the organisation. Provide training to control owners. Test control design to verify that controls would effectively prevent or detect errors. Test operating effectiveness gathering evidence of consistent application. Document test results. Identify deficiencies where controls did not operate as intended.

Phase 5: Evaluation and reporting (month 12).

Aggregate all identified control deficiencies. Evaluate severity classifying deficiencies as control deficiencies, significant deficiencies, or material weaknesses. Assess compensating controls that mitigate risk. Conclude on overall ICFR effectiveness. Prepare management report for the annual report. Remediate weaknesses developing execution plans. Facilitate auditor attestation providing documentation and access.

Continuous improvement.

Monitor changes in business processes, systems, organisational structure, and risks. Update documentation to maintain currency. Conduct periodic reviews of control relevance and effectiveness. Leverage GRC tools to automate documentation, testing, and monitoring. Foster a control-conscious culture embedding controls into daily operations.

Common challenges and how to overcome them

Organisations implementing ICFR often encounter similar obstacles.

Resource constraints.

Many organisations, particularly smaller PIEs, struggle to allocate sufficient resources.

Solutions include prioritising high-risk areas rather than attempting comprehensive coverage immediately. Leverage existing internal audit or risk management functions. Consider engaging external consultants for initial implementation. Use technology to automate routine testing. Start early in the fiscal year.

Lack of awareness and buy-in.

Employees and even some managers view ICFR as a compliance burden.

Solutions include securing visible commitment from the CEO and board. Communicate ICFR benefits beyond compliance including fraud prevention and operational efficiency. Provide training explaining why not just what. Share real-world examples of weak controls harming organisations. Recognise and reward control consciousness.

Documentation overwhelm.

Organisations create excessive documentation that becomes difficult to maintain.

Solutions include focusing documentation on significant risks and controls. Use templates and standardised formats. Integrate control documentation with existing process documentation. Leverage visual tools like flowcharts. Update documentation incrementally throughout the year.

IT and system complexity.

Modern organisations rely on complex, integrated IT systems that are difficult to control.

Solutions include identifying critical IT applications supporting financial reporting. Ensure IT general controls are strong. Work closely with IT teams to understand system controls. Consider automated controls within systems. Document system interfaces and data flows.

Remediation fatigue.

Addressing numerous control deficiencies year after year can lead to frustration.

Solutions include prioritising remediation based on risk severity. Set realistic timelines. Assign clear ownership for each remediation action. Track progress and celebrate successes. Analyse root causes to prevent recurrence.

The role of different stakeholders in ICFR

Effective ICFR requires clear delineation of responsibilities.

Board of directors.

The board has ultimate responsibility for ensuring the integrity of financial controls and reporting. Duties include setting expectations for a strong control environment, overseeing management’s implementation and assessment, reviewing ICFR reports, ensuring adequate resources, establishing an audit committee, and addressing material weaknesses.

Management (CEO, CFO, and senior leadership).

Management is responsible for design, implementation, and annual certification of ICFR effectiveness. To preserve the external auditors’ independence, this responsibility cannot be delegated to them.

Specific responsibilities include designing and implementing the ICFR system, conducting the annual assessment, certifying conclusions, remediating deficiencies, maintaining adequate documentation, and fostering a culture of controls.


Internal audit function.

Internal audit plays a crucial supporting role including providing independent assurance on control design and effectiveness, testing controls, identifying deficiencies, monitoring remediation, assisting with ICFR documentation, and reporting directly to the audit committee.

External auditors.

External auditors uphold independence by refraining from performing ICFR assessments. Responsibilities include attesting to management’s assessment, conducting their own testing of controls, issuing a separate opinion on ICFR, communicating deficiencies, and maintaining independence.

Process owners and control performers.

Front-line employees execute controls daily. Responsibilities include performing assigned controls consistently, retaining evidence of control performance, escalating issues promptly, participating in documentation and testing activities, suggesting improvements, and maintaining awareness of why controls matter.

For board-level support, our audit committee and board ICFR oversight advisory can help.

Benefits of robust ICFR beyond compliance

While regulatory compliance is the immediate driver, organisations that invest in strong ICFR realise substantial additional benefits.

Enhanced investor and stakeholder confidence.

A clean ICFR opinion signals that financial statements can be trusted. This translates into better access to capital, favourable financing terms, and enhanced reputation.

Fraud prevention and detection.

Strong internal controls are the first line of defence against fraud. Organisations with effective ICFR are better positioned to prevent fraud and detect it quickly when it occurs.

Operational efficiency.

Well-designed controls often streamline processes, eliminate redundancies, and reduce errors. What begins as a compliance exercise frequently reveals opportunities to improve workflows.

Better risk management.

The risk assessment process embedded in ICFR helps organisations understand risks beyond just financial reporting. This supports strategic decision-making and resilience.

Improved decision-making.

When management has confidence in financial information, they can make better-informed business decisions. Reliable data is the foundation of effective strategy.

Competitive advantage.

In markets where many organisations struggle with financial reporting quality, those with demonstrably strong ICFR stand out.

Looking ahead: the future of ICFR in Nigeria

The regulatory landscape will continue evolving. Organisations should anticipate several trends.

Increased enforcement and inspections.

The FRC has commenced audit firm inspection visits. Expect increased scrutiny of both management ICFR assessments and auditor attestations. Organisations with weak controls may face regulatory sanctions.

Technology integration.

As businesses increasingly digitise, ICFR must adapt to address risks in cloud computing, robotic process automation, artificial intelligence, and other emerging technologies. Expect regulatory guidance on IT controls to expand.

Sustainability and ESG reporting controls.

Following global trends, internal controls are expanding beyond financial reporting to encompass ESG reporting. COSO has already issued guidance on Internal Control over Sustainability Reporting (ICSR).

Continuous monitoring and real-time assurance.

Traditional annual assessments may give way to continuous monitoring approaches enabled by technology. Data analytics, automated testing, and real-time dashboards can provide ongoing assurance.

Greater integration with risk management.

ICFR will increasingly integrate with broader enterprise risk management frameworks. Organisations will view controls as part of comprehensive risk strategies.

Key takeaways for Nigerian PIEs in 2026

For Public Interest Entities in Nigeria, 2026 represents a critical juncture. With expanded PIE definitions, the operational National Repository Portal, and the second year of mandatory ICFR compliance, organisations can no longer view internal controls as optional.

Effective ICFR implementation requires commitment from the top, adequate resources, a recognised framework, robust processes, continuous monitoring, and transparent reporting.

Organisations that embrace ICFR as an opportunity to strengthen governance, prevent fraud, improve operations, and build stakeholder confidence will emerge stronger. Those that treat it as a checkbox exercise risk regulatory sanctions and missed opportunities.

The time to act is now. Whether you are refining an existing ICFR programme or building one from the ground up, the steps outlined provide a roadmap to compliance and beyond.

Recommended reading from the Business Cardinal blog

If you want to strengthen your governance and internal control framework, these related articles will help.

Building a Risk-Aware Culture in Your Organization – ICFR starts with a culture that takes risk seriously. Read the Guide.

Board Evaluation: Why It Matters – Board Assessment Nigeria – Stronger Oversight – Strong board oversight is essential for ICFR effectiveness. Read the Article.

Corporate Governance Lessons from Nigerian Bank Failures – Some failures involved weak internal controls. Learn from the past. Read the Guide.

Recommended services from Business Cardinal

Ready to strengthen your ICFR framework and ensure full compliance? These services are designed to help Nigerian PIEs build robust internal controls.

ICFR Compliance and Internal Controls Advisory for Nigerian PIEs – Comprehensive advisory services for ICFR implementation and compliance.

ICFR Framework Design and Implementation Services – End-to-end support for designing and implementing COSO-aligned ICFR systems.

FRC National Repository Portal Registration Assistance – Help with NRP registration and ongoing filing requirements.

Audit Committee and Board ICFR Oversight Advisory – Support for boards and audit committees overseeing ICFR implementation.

Where to go from here

ICFR compliance is not optional for Public Interest Entities in Nigeria. The FRC has made that clear.

But do not view this as just another regulatory burden. View it as an opportunity. Strong internal controls protect your organisation from fraud. They improve operational efficiency. They build stakeholder confidence.

Start with an honest assessment of where you stand. Identify gaps. Build a plan. Execute systematically.

The organisations that embrace ICFR as a strategic advantage will be the ones that thrive.

Let’s work together

Is your organisation ready for ICFR compliance in 2026? Or are you still trying to figure out where to start?

At Business Cardinal, we help Public Interest Entities in Nigeria build robust ICFR frameworks that satisfy regulatory requirements and deliver real business value. We understand the FRC requirements. We know the COSO framework. And we have practical experience helping organisations implement effective internal controls.

Not theory. Not generic advice. Practical, actionable support tailored to your specific organisation.

Contact us today:

📧 Email: hello@businesscardinal.com
📞 Phone: +234 802 320 0801
📍 Address: 5, Ishola Bello Close, Off Iyalla Street, Alausa, Ikeja, Lagos, Nigeria

Contact Business Cardinal to discuss your ICFR compliance needs.

Schedule a consultation today. Let us help you turn ICFR compliance into a competitive advantage.

Business Cardinal – Your Partner in ICFR Excellence
