By NHI Mgmt Group Editorial Team
Published 2025-08-15
Domain: Governance & Risk
Source: Pathlock

TL;DR: ICFR turns financial reporting accuracy into a control discipline, tying transaction approval, evidence retention, and governance to frameworks such as SOX and COSO, according to Pathlock. The lesson for identity teams is that access, privileged change, and audit evidence now sit inside the same assurance chain as the numbers themselves.


At a glance

What this is: A practical overview of Internal Controls over Financial Reporting (ICFR) and its role in preventing errors, fraud, and weak auditability.

Why it matters: It matters to IAM practitioners because financial reporting controls increasingly depend on identity, access, and evidence management across human, NHI, and privileged workflows.

👉 Read Pathlock's full ICFR guide and regulatory breakdown


Context

Internal controls over financial reporting, or ICFR, are the policies and checks that make sure financial statements are accurate, authorised, and supported by evidence. In practice, that depends on who can approve transactions, who can change systems, and how those actions are recorded for audit.

For identity and access teams, the important point is that ICFR is no longer just an accounting concern. Access governance, privileged workflow control, and audit-ready evidence now influence whether the finance organisation can stand behind its numbers under SOX, COSO, and related oversight models.


Key questions

Q: How should security teams govern access in ICFR-controlled finance workflows?

A: Security teams should treat finance approvals, postings, and exceptions as identity-governed actions. That means mapping each step to a named account, verifying segregation of duties, and removing any shared or undocumented access. If the workflow can change financial facts without a traceable identity, the control environment is incomplete.

Q: Why do service accounts create ICFR risk in finance systems?

A: Service accounts create risk when they can post, approve, or alter financial data outside the same review expected of human users. Because they often bypass password change cycles and access reviews, they can become persistent control blind spots. ICFR programmes should include them in the same governance and evidence standards as privileged humans.

Q: What breaks when evidence for financial controls is incomplete?

A: When evidence is incomplete, auditors cannot verify that controls operated as intended, even if the process looked correct in the moment. Missing logs, altered approvals, or weak retention undermine trust in the reporting chain and make remediation harder to prove. That turns a control weakness into a governance problem.

Q: Who is accountable when ICFR failures involve access and system controls?

A: Accountability sits with the control owner, but it is shared across finance, IT, and identity governance when access enables the failure. Boards and audit committees need a clear line of sight to who approved the control design, who operated it, and who verified its effectiveness. Without that chain, remediation is too easy to defer.


Technical breakdown

How ICFR links transaction control to identity assurance

ICFR works by making financial actions traceable from initiation to record keeping. A payment, journal entry, or system change should pass through authorised roles, documented approvals, and reviewable evidence before it affects the ledger. That means identity controls are part of financial control design, not separate from it. If the wrong person can approve, alter, or conceal a transaction, the reporting control has already weakened. In modern environments, those risks often sit in SaaS workflows, ERP admin access, and service identities that can bypass normal human review.

Practical implication: map financial approval paths to the identities that can execute them and remove unauthorised access from each step.

Why evidence quality matters as much as approval logic

ICFR is not satisfied by policy alone. Auditors need proof that controls operated as intended, which means timestamps, approval trails, logs, and retained artefacts must be reliable and complete. If the evidence is incomplete or easy to alter, the control becomes hard to defend even when the process looked correct on paper. This is where IT general controls, log integrity, and access governance converge. A control that cannot be evidenced consistently is usually a control that cannot be trusted at scale.

Practical implication: treat evidence retention and log integrity as control requirements, not after-the-fact audit tasks.

What COSO and SOX mean for privileged access governance

COSO and SOX both push organisations toward accountable control design, testing, and remediation. That becomes especially relevant when privileged users, finance admins, and application service accounts can create, change, or approve financial data. The governance question is not only whether access exists, but whether it is justified, reviewed, and limited to the role it supports. As organisations automate more of the finance stack, privileged access becomes a control surface that can either strengthen or undermine reporting integrity.

Practical implication: include privileged access reviews and segregation-of-duties checks in ICFR testing cycles.


Threat narrative

Attacker objective: The attacker aims to manipulate financial records or conceal misuse in a way that survives internal review and external audit.

  1. Entry occurs when an unauthorised actor or over-privileged insider gains access to finance systems, approval workflows, or supporting data sources.
  2. Escalation follows when that access is used to alter transactions, suppress evidence, or bypass segregation of duties controls.
  3. Impact appears when inaccurate reporting, fraud, or undetected misstatement reaches management, auditors, or external stakeholders.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

ICFR is increasingly an identity governance problem, not just a finance control problem. The article frames financial reporting as a control environment that depends on authorisation, evidence, and oversight. That is structurally the same governance pattern used in IAM, PAM, and NHI programmes when access creates financial or operational risk. Practitioners should therefore treat financial reporting controls as part of the wider identity assurance model.

The control failure ICFR exposes is not only bad reporting, but weak accountability over who can change the facts. If approvals, system changes, and evidence retention are not anchored to governed identities, the organisation cannot reliably defend the ledger or the audit trail. This is where lifecycle, access review, and privileged governance become one assurance chain. Practitioners should align control ownership with named identities and reviewable evidence.

Identity-backed evidence trail: ICFR depends on proving that each transaction, approval, and system change came from an authorised identity and was preserved in tamper-resistant form. That concept matters because it links reporting integrity to the same governance discipline used for service accounts, admin roles, and automated workflows. Practitioners should treat evidence lineage as a first-class control object.

SOX-era control models still assume a stable human approval chain, but modern finance operations increasingly include service identities and automated workflows. That assumption holds only when access is mediated through visible, reviewable roles. When application accounts or automated processes can initiate or alter financial events, traditional review cycles lose part of their assurance value. Practitioners should reassess which controls still depend on human-paced review.

ICFR maturity now depends on how well organisations can join finance, IT, and identity governance into one audit narrative. The article shows that controls, testing, and remediation are no longer isolated functions. The strongest programmes will evidence who approved, who executed, and who can be held accountable across the full transaction path. Practitioners should integrate identity evidence into ICFR governance.

From our research:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
  • For lifecycle and revocation detail, review NHI Lifecycle Management Guide for the operational controls behind offboarding and rotation.

What this signals

ICFR programmes are moving closer to identity governance because finance controls now depend on who can act, who can approve, and who can evidence the action. The practical shift is toward control ownership that spans ERP administration, access review, and audit evidence in one chain.

Identity-backed evidence trail: organisations that cannot preserve tamper-resistant approval and change evidence will struggle to defend both financial reporting and access governance. That is especially true where service identities and privileged workflows sit inside core finance processes.

The governance signal is clear: identity teams that already manage privileged access, offboarding, and audit logging are increasingly part of the ICFR control fabric. If those controls are weak, finance inherits the risk even when the accounting policy is sound.


For practitioners

  • Map financial control points to governed identities: Inventory every approval, adjustment, and posting path in finance systems, then identify the human, privileged, and service identities that can act in each path. Remove shared or unmanaged accounts from control-critical workflows and document who owns each identity.
  • Add identity evidence to ICFR testing: Require audit-ready logs, approval records, and change history for each control objective. Test whether evidence is complete enough to show who acted, what changed, and whether the control operated as designed.
  • Review privileged finance access on a fixed cycle: Re-certify finance administrators, ERP superusers, and service accounts that can post or approve transactions. Confirm segregation of duties, limit standing privilege, and revoke access that no longer maps to a live business need.
  • Tie remediation to control ownership: When a weakness is found, assign a named control owner, a remediation due date, and a verification step. Track whether the fix changes the identity path, the evidence trail, or both.
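
The first and third steps above, mapping control-critical actions to identities and checking segregation of duties, as an added worked example (not code from the original post or from Pathlock). It runs over a constructed access inventory in which every identity, service accounts included, is checked for toxic action pairs and for missing ownership; the identity names, action names, and conflict pairs are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample access inventory (not from the source page). Each row:
# (identity, identity type, documented owner or None, control-critical action).
INVENTORY = [
    ("alice",         "human",   "alice",    "create_payment"),
    ("bob",           "human",   "bob",      "approve_payment"),
    ("carol",         "human",   "carol",    "create_payment"),
    ("carol",         "human",   "carol",    "approve_payment"),
    ("svc-erp-batch", "service", None,       "post_journal"),
    ("svc-erp-batch", "service", None,       "approve_payment"),
    ("shared-fin01",  "shared",  "fin-team", "create_payment"),
]

# Toxic action pairs: one identity holding both halves defeats the control
# (create and approve the same payment, approve and post it, post and hide it).
CONFLICTS = [
    ("create_payment", "approve_payment"),
    ("approve_payment", "post_journal"),
    ("post_journal", "delete_audit_log"),
]

def index_inventory(inventory):
    """Collapse rows into {identity: set(actions)} and {identity: (type, owner)}."""
    actions = defaultdict(set)
    meta = {}
    for ident, itype, owner, action in inventory:
        actions[ident].add(action)
        meta[ident] = (itype, owner)
    return actions, meta

def find_sod_conflicts(inventory):
    """Return {identity: [(action_a, action_b), ...]} for every identity that
    can perform both halves of a conflicting pair, human or not."""
    actions, _ = index_inventory(inventory)
    found = {}
    for ident, acts in sorted(actions.items()):
        hits = [pair for pair in CONFLICTS if pair[0] in acts and pair[1] in acts]
        if hits:
            found[ident] = hits
    return found

def find_unmanaged(inventory):
    """Identities on a control-critical path that are shared or have no named
    owner; each should be removed from the workflow or assigned an owner."""
    _, meta = index_inventory(inventory)
    return sorted(i for i, (itype, owner) in meta.items()
                  if itype == "shared" or owner is None)
```

In the sample data the ERP admin and the batch service account both hold a conflicting pair, and the shared account plus the ownerless service account surface as unmanaged; the same two functions apply unchanged to an export from a real access review.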

Key takeaways

  • ICFR is not only a finance discipline, because access, approvals, and evidence are now part of the same control problem.
  • The scale of identity risk matters, with compromised non-human identities and delayed secret remediation repeatedly undermining assurance models.
  • Practitioners should align finance controls with identity governance, privileged access review, and durable evidence retention.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework, control / reference, and relevance:

  • NIST CSF 2.0, PR.AC-4: ICFR depends on controlled access and segregation of duties.
  • NIST CSF 2.0, PR.DS-1: Financial evidence must remain protected and trustworthy for audits.
  • NIST SP 800-63: Identity assurance matters where humans approve or attest to financial controls.

Map finance workflows to access controls and verify only approved identities can execute control-critical actions.


Key terms

  • Internal Controls over Financial Reporting: Internal Controls over Financial Reporting are the policies, procedures, and technical checks that help ensure financial statements are accurate, authorised, and supported by evidence. In practice, they connect finance operations, IT systems, and governance so that errors, fraud, and unauthorised changes are less likely to distort reported results.
  • Segregation of Duties: Segregation of Duties is the practice of splitting critical work across different people or identities so no single actor can create, approve, and conceal a sensitive transaction. In finance and identity governance, it reduces the chance that one account or user can quietly bypass controls and alter records without detection.
  • IT General Controls: IT General Controls are foundational controls over systems, access, change management, and operations that support reliable business processes. For ICFR, they matter because weak access control, logging, or change oversight can make financial reporting evidence unreliable even when the accounting workflow itself looks sound.
  • Control Environment: The control environment is the organisational tone that shapes how seriously controls are designed, followed, and challenged. It includes leadership expectations, accountability, role clarity, and oversight structures, all of which determine whether financial and identity controls are treated as real operating discipline or as paperwork.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.

This post draws on content published by Pathlock: Internal Controls over Financial Reporting and related governance guidance. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-08-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org