Countdown to CECL Go-Live: Your ICFR Check-In and Checkpoint


FASB’s proposed extension for qualifying entities has provided some relief to those impacted by ASC 326 or Current Expected Credit Loss (CECL). Those still concentrating on the January 1, 2020 deadline are hopefully well into their implementation. Many first-wave compliant organizations have been focused on models and data to this point, but now is the right time to stop and think through your Internal Controls over Financial Reporting (ICFR) considerations.

Here, we focus on overall governance and oversight as well as model inputs and processing, including what to consider as you progress with your implementation and our recommendations for a successful implementation.



You have probably considered the right individuals (oversight committee), performed a financial statement impact assessment, and identified areas of CECL compliance. The oversight committee has consulted the accounting group, decisions and assumptions have been made and you are running parallel testing.



As you progress with your implementation, have you:

  • Drafted detailed policies and procedures describing how your entity will account for CECL?
  • Documented the risk mitigation strategies or risk acceptance conclusions associated with the model data selected and assumptions that have been made?
  • Obtained and documented the appropriate approvals required to proceed with each stage of the implementation?
  • Discussed your model approach with both the internal and external auditors?


For a successful implementation, we recommend that you:

  • Create clear and concise documentation with supporting evidence that is easily traceable and can be validated. Some necessary documentation includes:
    • Data source identification
    • Drivers and assumptions behind model selection
    • Pooling decisions
    • Accounting judgements (historical loss, reversions)
    • Model change management
  • Have controls in place during the implementation process. Peer and supervisory reviews ensure documentation is complete and accurate.
  • Have internal and external auditors closely review the support you provide to understand where data is from, how it is validated, and the assumptions you used and why you used them? Plan to hold regular meetings with both internal and external auditors to get better insight into what they are looking for.



You may have identified all necessary data and have made a modeling decision – either developing models in house, or via third-party vendor user, outsourcing the expected credit loss calculation.


Checkpoint (In-House Model)

As you progress with your implementation:

  • Have you performed procedures to ensure that all internal data is complete and accurate prior to being utilized by the model? Have you documented your validation efforts?
  • Is internally sourced data used in the model mapped to existing controls and, if those controls are operational, have you checked that the controls meet ICFR requirements?
  • Have you retained evidence of your user-acceptance testing (considering all scenarios), parallel runs as well the required approvals?
  • Are your business requirements up to date for all systems/databases?


Checkpoint (Third-Party Vendor)

As you progress with your implementation, have you:

  • Obtained or had discussions with your vendor about the System and Organization Controls (SOC/SSAE16)-1 report?
  • Developed internal controls to manage the risk associated with vendor data-limitations or errors?



For a successful implementation, we recommend that:

  • You create a data-mapping file that allows for easy identification of data dependencies, which helps to make quick assessments of the system and process change impacts.
  • Have data controls that could include:
    • General IT controls over the databases or applications housing the data
    • System calculations
    • Data movement from one application to the next
    • Validating data against source documentation
  • You understand third party vendors will often not provide access to the loss estimation calculation, but will allow you to make entity specific adjustments. Developing an expectation of model results and then comparing your expectation against third party results is critical and can be done on a sample basis by targeting portfolios with high-risk and/or high-value.
  • External data should always be from trusted sources, and risks associated with single source reliance must be evaluated.


Concerned you aren’t ready for CECL yet? Please feel free to reach out. Our next installment will focus on disclosures and analytics.

How To Get The Most Out Of RPA In Finance And Accounting
Procure-to-Pay (P2P) Staying Ahead of the Curve
Related Posts
Workday Tips and Tricks
Workday Tips and Tricks
Credit Unions (and Other Non-Public Entities): CECL is Coming
Credit Unions (and Other Non-Public Entities): CECL is Coming
Internal Audit & Enterprise Risk Management: Stronger Together
Internal Audit & Enterprise Risk Management: Stronger Together