IDW PS 340


Auditing standard 340, published by the Institut der Wirtschaftsprüfer (IDW for short), covers the audit of the risk early warning system in accordance with Section 317 (4) of the German Commercial Code (HGB). This system is used in risk management for both early identification and continuous monitoring of risks.

General

The standard defines a minimum design of the risk early warning system and examines the risk-bearing capacity of companies. IDW PS 340 has been supplemented by IDW PS 981 since 2017 and by DIIR auditing standard No. 2 since 2018, which also takes into account the requirements of Section 93 AktG (Business Judgment Rule) for risk management (including risk management when preparing business decisions).

The management board of a stock corporation must establish a monitoring system in the company in accordance with Section 91 (2) AktG so that risks threatening the company's existence can be detected early. The risks identified there must be disclosed in the management report in accordance with Section 289 (1) HGB (or, for groups, Section 315 (1) HGB). The aim is to provide an informed third party with a comprehensive picture of the company's risk situation.

Risk concept

The concept of risk has both a broader and a narrower definition. In the broader sense, it covers both the opportunity for gain and the danger of loss. Both terms refer to a deviation of the actual result from the planned state. Depending on the type of deviation (positive or negative), it is an opportunity or a danger. In connection with IDW PS 340, risk is often limited to the narrower view.

Legal issues

Since the publication of the Law for Control and Transparency in the Corporate Sector (KonTraG), an increase in the transparency of the company's risk position has been sought for both internal and external purposes. The KonTraG regulated the implementation of the monitoring system for stock corporations. For other legal forms, such as the GmbH, no special regulations were made because it was assumed that the new regulation in the Stock Corporation Act would also have an impact on other legal forms.

As a consequence of this law, IDW PS 340 was passed for the first time on June 25, 1999. This standard became necessary in order to monitor the identification of risks threatening the existence of the company, which is mandatory for companies. The standard stipulates a continuous quantification of the identified fundamental risks, as this is a necessary prerequisite for later risk aggregation (using simulation methods, e.g. Monte Carlo simulation). A common mistake companies make is that risks are not aggregated. An aggregation (i.e. calculation of the total risk volume) is particularly necessary, since specific individual risks usually only endanger the continued existence of the company when they interact with other risk positions. In this context, IDW PS 340 stipulates: “The risk analysis includes an assessment of the scope of the identified risks in terms of the likelihood of occurrence and quantitative effects. This also includes the assessment of whether individual risks, which, viewed in isolation, are of minor importance, can aggregate in their interaction or through accumulation over time to form a risk that could endanger the continued existence of the company.”

Only on the basis of risk aggregation is it possible to make an accurate forecast of the future by estimating profits or losses and making a rating. IDW PS 340 requires the monitoring system to identify risks threatening the asset, financial and earnings position at all company levels. If this has been done successfully, the identified risk positions should be communicated to the Management Board as soon as possible.

Tasks of the risk early warning system

The terms risk management system and risk early warning system must be separated semantically. The risk early warning system required by law is part of the risk management system. It includes the following perspectives of the risk management system:

  • Risk identification (IDW: risk identification, see PS 340, items 5 and 9)
  • Risk assessment (risk quantification) and risk aggregation (IDW: risk analysis, see PS 340, items 5 and 10)
  • Risk communication (IDW PS 340, items 5 and 11 et seq.)

The internal auditing department (IDW PS 340, item 15 ff.) monitors the system through the monitoring system.

According to IDW PS 340.6, concrete implementation measures to overcome and manage the risks are not part of the risk early warning system under Section 91 (2) AktG and are thus not relevant to the audit carried out by the auditor under Section 317 (4) HGB. The annual audit is therefore a review of whether the system identifies, evaluates, analyzes and communicates risks and carries out regular controls. In this context, one speaks of a system check and not a management check (IDW PS 340.19).

Requirements for a risk management system according to IDW PS 340

According to Section 317 (4) of the German Commercial Code (HGB), the following measures initiated by the Management Board are subject to the auditor's review. According to IDW PS 340.24-25, the auditor must determine whether the following measures have actually been taken and whether they have been used in such a way that they actually serve to identify risks (IDW PS 340.26-30).

Definition of risk areas (IDW PS 340.7-8)

As a first step, the board of directors must define risk areas that could pose a threat to the company's existence. Before the company can communicate about risks, a monitoring system in accordance with Section 91 (2) AktG that extends across the whole company must be implemented. This includes all departments, levels and processes. The purpose of this company-wide extension of the risk management system is to identify risks that, in combination with other risks, pose a particular threat. These risk areas should be checked continuously to ensure that they are up to date.

Risk identification and risk analysis (IDW PS 340.9-10)

In order for risks to be analyzed, risks must be defined and employees must be made aware that a risk culture is being created in the company. Not only already defined risks but also still unknown risks should be identified. In the next step, risks can be analyzed by examining their probability of occurrence and the amount of damage. It is particularly important that risks are aggregated, as they only accumulate together with other risks to form risks that threaten the continued existence of the company. A risk aggregation must therefore be used to examine whether the combined effects of individual risks could result in “developments that threaten the continued existence of the company” (within the meaning of Section 91 (2) AktG).

Risk communication (IDW PS 340.11-12)

The communication of risks relates to both regulatory (i.e. to the Management Board) and commercial (i.e. recipient of the risk reports) risk reporting. Identified risks must be communicated quickly. In particular, risks threatening the existence of the company must be reported to the Management Board immediately. The IDW attaches particular importance to risks that have not yet been managed. In order to recognize whether risks can threaten the existence of the company, it is essential to define limit values. Exceeding these thresholds should then immediately lead to communication to the board. In addition to continuous reporting, an ad hoc notification should be made to the Management Board when developments arise at short notice that could take an exceptional course.

Assignment of responsibilities and tasks (IDW PS 340.13-14)

For a functioning risk management system in the company, it is essential that clear responsibilities for the risks are defined. The person responsible should ensure that risks are identified, managed and passed on. In the event of interdependencies between different risks, an increased need for communication between the responsible persons must be taken into account.

Establishment of a monitoring system (IDW PS 340.15-16)

The internal audit department is responsible for monitoring the company's risk situation. It has the task of regularly identifying risky developments in the company and reviewing the measures taken in accordance with Section 91 (2) AktG. In doing so, it is not only necessary to check the existence of such a system, but also to regularly check whether the reporting limits are up to date and whether processes are efficient. From a task perspective, the internal audit can be compared with the auditor, as it checks the implementation of measures. The IDW names factors for reviewing the internal audit, such as complete recording of all risk areas, continuous application of measures or compliance with integrated controls.

Documentation of the measures taken (IDW PS 340.17-18)

For both internal and external purposes, it is necessary to document all decisions made in a risk management manual. The board of directors can use the documentation to prove that it has complied with Section 91 (2) AktG in implementing the early warning system. For the auditor, the manual provides a basis for the audit. Inconsistent documentation usually means that the risk management system is not fully functional. Conversely, extensive documentation suggests that Section 91 (2) AktG has been fully implemented. Comprehensive documentation is necessary, especially for internal actors (e.g. employees), since personnel changes should not have any effect on the risk management process.

Critical appraisal

There are a number of critical aspects of IDW PS 340 on the basis of which its usefulness can be questioned.

  • The narrow view of IDW PS 340 with regard to the non-review of the measures for risk management implies an inappropriate regulation. Since the full functionality of the risk management system is not assessed, it can happen that risks are recognized early and communicated quickly, but appropriate countermeasures are not taken.
  • Critics doubt whether the measure required by Section 91 (2) HGB is aimed exclusively at an early warning system or rather requires a more comprehensive monitoring system review.
  • Failure to check risks that do not endanger the continued existence of the company can have serious consequences, as there are risks which, in combination with other risks, lead to a threat to the continued existence of the company, but which alone only represent a minor risk.
  • No statement is required from the auditor about the system design with regard to system efficiency.
  • There is no uniformly defined target state, which means that not all measures taken in the current state can be assessed in accordance with legal regulations and that management is left a certain degree of discretion. The lack of standardization reduces comparability.
  • Section 91 (2) AktG aims to identify developments that could threaten the company's existence and not to identify risks that could threaten its existence. Accordingly, Section 91 (2) AktG does not describe a “risk” early warning system as interpreted by IDW PS 340.
  • The auditing standard does not contain any information on liquidity management, which is why developments that may threaten the company's existence and are caused by liquidity risks remain undetected.
  • In IDW PS 340 the documentation is not considered sufficiently. Comprehensive and needs-based documentation forms the basis of the audit for the auditor and is therefore absolutely necessary to carry out such an audit. At the same time, the documentation has fundamental internal functions.

Literature

  • Werner Gleißner, Risk Management, KonTraG and IDW PS 340, in: WPg - Die Wirtschaftsprüfung, 3/2017, pp. 158–164
