Reporting Requirements

PUBLIC AND NONPUBLIC entities diverge when it comes to publicly disclosing the effectiveness of internal control over financial reporting and material weaknesses. Only public entities are required to publicly report on internal controls effectiveness and disclose material weaknesses. Nonpublic entities may be required by regulatory requirements to report on controls over compliance with laws and regulations or on internal controls as defined in specific regulations.1 In addition, lenders, venture capitalists, or absentee owners may require such reports. Of course, such entities may voluntarily report on internal control and can have an auditor issue an opinion on the entity's internal control.

The Government Accountability Office (GAO) has indicated that it may require some form of internal controls reporting for entities under its audit jurisdiction in the future.


While not required to report on internal controls unless required by a regulator or a covenant, private entities and other nonpublic entities can obtain an auditor's opinion on the effectiveness of their internal controls over financial reporting (ICFR). That report would be accompanied by management's assertion about the effectiveness of controls, similar to the reporting model for public companies, and would be issued under a newly revised Statement ...

Get Internal Control Audit and Compliance: Documentation and Testing Under the New COSO Framework now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.