7 minute read 10 May 2019
Close-up of man hands touching digital tablet with business diagram

How ICFR affects business development companies


Eyal Seinfeld

EY US Financial Services BDC Markets Leader

Deep knowledge and experience with BDCs. Married father of two. Passionate about coaching my children in basketball.

7 minute read 10 May 2019

We identify the key considerations related to internal controls over financial reporting (ICFR).

Business development companies (BDCs) are registered with the Securities and Exchange Commission (SEC) under the Securities Exchange Act of 1934 (the 1934 Act). BDCs offer equity interests to investors, either through a listing on a securities exchange (listed BDCs) or bypassing a securities exchange to sell their equity interests directly to investors (non-listed BDCs). Both listed and non-listed BDCs are registered with the SEC and considered to be public issuers as defined by the SEC and the Sarbanes-Oxley Act of 2002 (SOX). As a result, a BDC must engage an independent public accounting firm (independent auditor) that is registered with the Public Company Accounting Oversight Board (PCAOB) to perform an audit and issue an audit report on the BDC’s annual financial statements and to perform certain review procedures related to the BDC’s quarterly financial statements (for which no separate report is required). Such registered independent auditor must perform procedures and comply with the standards issued by the PCAOB. The 1934 Act requires domestic issuers, including BDCs, to file an annual report on Form 10-K and quarterly reports on Form 10-Q with the SEC.

As public issuers, all BDCs are also required to comply with the applicable rules established by SOX regarding management certification with respect to financial statement presentation (Section 906) and certification and assessment of the design and effectiveness of internal controls over financial reporting (ICFR) (Sections 302 and 404(a)). Additionally, many BDCs are required to comply with Section 404(b) of SOX. Compliance with Section 404(a) requires that public issuers evaluate the design and operating effectiveness of their ICFR and include a report on their assessment of the effectiveness (also referred to as management’s assessment on ICFR). Some of these public issuers (discussed in detail on the following page) are also required to engage their public accounting firm that is registered with the PCAOB to independently test their ICFR and issue an attestation report on their effectiveness (independent auditor’s report on ICFR) to comply with Section 404(b), in addition to the audit of the financial statements. Compliance with Section 404(b) can add incremental costs to the operations of the BDC. These consist of costs for management to document and evaluate its ICFR, as well as the costs to engage the independent auditor to perform an audit of internal control over financial reporting in conjunction with the audit of the financial statements (integrated audit).

You can download the full article here.

Definition and scope of ICFR Rules

13a-15(a) and 15d-15(a) require registrants to maintain “internal control over financial reporting.” Exchange Act Rules 13a-15(f) and 15d-15(f) define the term “internal control over financial reporting” as: “A process designed by, or under the supervision of, the issuer’s principal executive and principal financial officers, or persons performing similar functions, and effected by the issuer’s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:

  • Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the issuer;
  • Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the issuer are being made only in accordance with authorizations of management and directors of the issuer; and
  • Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the issuer’s assets that could have a material effect on the financial statements."

This definition is consistent with the definition of internal accounting controls in Section 13 of the Exchange Act, which was added by the Foreign Corrupt Practices Act of 1977. The SEC doesn't have specific rules informing public companies how to design and implement an effective system of internal control. There is, however, useful guidance available from other sources. One of these is the internal control framework set out by a private-sector organization called the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

Scope of management’s assessment

Because the process of evaluating ICFR will vary from company to company, SEC rules do not specify the methods or procedures to be performed in an evaluation. In adopting its Section 404 reporting rules in 2003, the SEC stated: “The assessment of a company’s internal control over financial reporting must be based on procedures sufficient both to evaluate its design and to test its operating effectiveness. Controls subject to such assessment include, but are not limited to:

  • Controls over initiating, recording, processing and reconciling account balances, classes of transactions and disclosure and related assertions included in the financial statements;
  • Controls related to the initiation and processing of nonroutine and non-systematic transactions;
  • Controls related to the selection and application of appropriate accounting policies;
  • Controls related to the prevention, identification and detection of fraud."

In addition to controls stated above, following controls are also important in management’s assessment:

  • Controls over significant, unusual transactions, particularly those that result in late or unusual journal entries;
  • Controls related to management override in financial reporting;
  • Controls over related party transactions;
  • Controls related to significant management estimates.

The nature of a BDC’s testing activities will largely depend on the circumstances of the BDC and the significance of the controls being tested. An assessment of the effectiveness of ICFR must be supported by evidential matter, including documentation, regarding both the design of internal control and evidence supporting that controls are operating effectively. This evidential matter should provide reasonable support for how a company’s controls are designed to address identified risks; the procedures performed to gather and evaluate evidence about the operating effectiveness of a company’s controls; and the basis for the company’s determination that controls were operating effectively.

Internal control considerations for valuation of investments

While BDCs are required to have effective internal controls over all aspects of financial reporting, the valuation of investments is one of the most significant. Every BDC organization has a different set of processes and controls over the investment valuation process. However, by and large, the processes and controls will focus primarily on the following areas:

  • Establishing a methodology for determining fair value
  • Obtaining and validating source data and clerical accuracy for use in a valuation model
  • Reviewing and approving the results of model outputs with consideration of other market data (if available)

Furthermore, the controls over this process typically involve reviews of the data, methods, models and valuation assumptions and inputs used. The combination of a high degree of judgment and qualitative reviews places significant burdens on organizations to demonstrate the proper functioning of the review controls used in the determination of fair value. In performance of the control, management must demonstrate that its review of the data, methods, model and valuation assumptions and inputs is sufficient to identify potential errors. Management must also demonstrate how it has addressed and resolved errors identified in the course of performing its control procedures.


Management’s recognition and awareness of its ongoing responsibilities are the most critical components to designing, implementing and completing successful annual assessments of ICFR. By the nature of its involvement with day-to-day operations, management is most familiar with the specific business and financial reporting risks facing the BDC and should constantly challenge itself to determine whether the BDC’s processes and controls, and the documentation of those controls, are directly and adequately responding to the BDC’s unique risks.

About this article


Eyal Seinfeld

EY US Financial Services BDC Markets Leader

Deep knowledge and experience with BDCs. Married father of two. Passionate about coaching my children in basketball.