The Internal Control System (hereinafter also referred to as ICS) of a company consists of systematically designed technical and organizational regulations, measures and processes for monitoring and controlling the essential process controls in the company. The internal control system serves to ensure compliance with guidelines and to avert damage that may be caused by the company's own personnel or by malicious third parties.
The necessity for implementing and maintaining an ICS results from various legal requirements, e.g. from the German Stock Corporation Act or the German Commercial Code. How an ICS is to be designed is derived from the existing IDW auditing standards, such as IDW PS 982 and IDW PS 951. Control models such as COSO or COBIT are often used as the basis for an ICS.
In financial reporting, and in particular in management reporting, numerous standards refer to internal control systems. The best known are the requirements of the Sarbanes-Oxley Act (SOX). The applicable regulations vary from country to country:
- USA: SEC regulations
- Germany: IDW Auditing Standards
- Switzerland: including provisions of stock corporation law
The components of IDW PS 982 form the basis for a holistic internal control system:
Our services in the area of the Internal Control System are particularly relevant for you in the following situations:
- Start-up of a company or spin-off of a company and the need to establish an internal control system in principle
- Rapid company growth and thus also increasing risks that controls are neglected due to the dynamics
- Internal requirements for an appropriate ICS, e.g. deficits in reporting, fraud cases, etc.
- Increasing pressure from stakeholders to establish adequate internal control systems
- Change of legal form, e.g. to an AG, or of shareholder structure (entry of private equity investors, IPO)
- Listing in the U.S. or purchase of your company by an SEC-listed company in the U.S.
- Lack of overview of controls in the area of ICS, SOX and compliance and of their adequacy and effectiveness
- Known deficiencies in the efficiency and effectiveness of implemented controls or measures
- Introduction of an ICS or a compliance management system and the need to monitor and ensure the functionality of the controls at all times
- Lack of segregation of duties to avoid conflicts of interest
- Updating the existing ICS documentation
Our services in the area of Internal Control System incl. SOX include in particular:
- Analysis of your existing internal control system with regard to the various components such as control environment, organization, processes and controls on the basis of recognized evaluation systems
- Design and implementation of optimization measures in your internal control system and in relation to individual controls or SOX controls
- Review of the adequacy and effectiveness (monitoring) of your internal control system and in particular also of the (SOX) controls (SOX testing)
- Setting up reporting to management and supervisory bodies
- Software selection and support of the implementation of tools for documentation and testing of controls in your ICS and/or SOX
We also support you in the area of control testing with additional resources and our expert know-how:
- Analysis/recording of existing controls in your structures, processes and systems
- Adequacy and effectiveness tests of your controls, either as part of the legally required self-assessments of your internal control system (e.g. SOX testing) or in the course of certification projects such as ISAE 3402, Type I or Type II, as well as on the basis of IDW PS 951
- Identification of control weaknesses, definition of mitigation measures and follow-up of their effective implementation
- Reporting to the supervisory bodies on the adequacy and effectiveness of your controls and measures
- Software selection and support of the implementation of tools for documentation and testing of controls in your ICS, SOX or compliance management system
Effective IT general controls (ITGC) are a fundamental prerequisite for all IT-based processes and all pure IT processes. Even though ITGC generally influence financial reporting only indirectly, they occupy a central position: they are responsible for the technically correct implementation and the availability of the applications and of the (partially) automated controls relevant to the ICS. Conversely, this means that improperly functioning IT controls have a comprehensive impact on all related systems and thus also on the financial reporting based on them.
ITGC basically concern the areas of procurement, development, maintenance of systems, access protection and operations. ITGC can be found in the context of:
Our services in the area of IT General Controls include in particular:
- Design and implementation of ITGCs in cooperation with your IT department and your IT service provider (keyword: SOC reports or ISAE 3402 reports)
- Analysis of your existing IT general controls with regard to the various components, e.g. control environment, organization, processes and controls, on the basis of recognized assessment systems
- Design and implementation of optimization measures in relation to ITGC
- Review of the adequacy and effectiveness (monitoring) of the existing ITGC
In functional organization, segregation of duties (SoD) refers to the organizational separation of organizational units or positions in a business process in order to avoid potential conflicts of interest. The principle of dual control (four-eyes principle) is probably the best-known form of segregation of duties. It is intended to prevent important decisions from being made, or critical activities from being performed, by a single person alone. Further functional separations exist between front office and back office at credit institutions, or between data entry and data release in IT systems such as SAP.
Particularly in the case of credit institutions and capital management companies, the separation of functions is required by law. In the case of credit institutions, the front office and back office functions must be separated (Section 25a (1) of the German Banking Act (KWG) in accordance with BTO 1.1 (1) MaRisk). Pursuant to Section 29 (1) KAGB, capital management companies must also establish and maintain a function for permanent risk controlling that is hierarchically and functionally independent of the operating divisions.
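The two SoD mechanisms described above (a conflict matrix over duties such as data entry versus data release, and dual control over individual transactions) can be checked mechanically. The following is an added example written for this page, not WTS Advisory's code or any SAP functionality; the duty names, the conflict matrix and the user assignments are constructed for illustration.

```python
"""Segregation-of-duties (SoD) conflict check and maker-checker (dual control).

Added example; not the page's or WTS Advisory's code. Duty names and the
conflict matrix below are constructed, not taken from any real control catalogue.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed conflict matrix: a single person must not hold both duties of a pair.
# These mirror the separations named in the text (entry/release, front/back office).
CONFLICTING_DUTIES = {
    frozenset({"data_entry", "data_release"}),
    frozenset({"front_office", "back_office"}),
    frozenset({"vendor_master_maintenance", "payment_run"}),  # constructed extra pair
}


def sod_violations(assignments: Dict[str, Set[str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Return, per user, every conflicting duty pair that user holds in full.

    Users with no conflict do not appear in the result, so an empty dict
    means the assignment table is clean with respect to CONFLICTING_DUTIES.
    """
    violations: Dict[str, List[Tuple[str, str]]] = {}
    for user, duties in assignments.items():
        hits = [tuple(sorted(pair)) for pair in CONFLICTING_DUTIES if pair <= duties]
        if hits:
            violations[user] = sorted(hits)
    return violations


class DualControlError(Exception):
    """Raised when a release would breach the dual-control principle."""


@dataclass
class Transaction:
    tx_id: str
    created_by: str                    # the "maker" (data entry)
    released_by: Optional[str] = None  # the "checker" (data release)


def release(tx: Transaction, approver: str, assignments: Dict[str, Set[str]]) -> Transaction:
    """Release a transaction under dual control.

    Three conditions are enforced: the transaction is not already released,
    the approver is a different person from the creator, and the approver
    actually holds the data_release duty.
    """
    if tx.released_by is not None:
        raise DualControlError(f"{tx.tx_id} already released by {tx.released_by}")
    if approver == tx.created_by:
        raise DualControlError(f"{approver} may not release their own transaction {tx.tx_id}")
    if "data_release" not in assignments.get(approver, set()):
        raise DualControlError(f"{approver} does not hold the data_release duty")
    tx.released_by = approver
    return tx


# Constructed sample assignments: carol holds both sides of the entry/release pair.
SAMPLE_ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"data_entry"},
    "bob": {"data_release"},
    "carol": {"data_entry", "data_release"},
}


def demo() -> Tuple[Dict[str, List[Tuple[str, str]]], Optional[str]]:
    """Run both checks on the sample data and return their observable results."""
    conflicts = sod_violations(SAMPLE_ASSIGNMENTS)
    tx = Transaction("T-1001", created_by="alice")
    try:
        release(tx, "alice", SAMPLE_ASSIGNMENTS)   # maker releasing own entry: rejected
    except DualControlError:
        pass
    release(tx, "bob", SAMPLE_ASSIGNMENTS)         # independent checker: accepted
    return conflicts, tx.released_by


if __name__ == "__main__":
    found, released_by = demo()
    print("SoD conflicts:", found)
    print("T-1001 released by:", released_by)
```

The conflict check works on the assignment table (preventive: a user should never be granted both duties), while the release check works per transaction (detective at the point of use: even a correctly assigned user cannot approve what they created). Both are needed; a clean assignment table does not by itself stop a single person from acting as maker and checker if the workflow never compares the two identities.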
Our services in the area of segregation of duties are particularly relevant for you in the following situations:
Our services in the area of segregation of duties include in particular:
If you are interested and have any questions, please do not hesitate to contact us.
Your contact with us
Do you have any questions about our services or WTS Advisory? We look forward to your message or your call!