Internal control system

from Wikipedia, the free encyclopedia

An internal control system (ICS) consists of systematically designed technical and organizational rules and controls within a company, intended to ensure compliance with guidelines and to prevent damage caused by the company's own staff or by malicious third parties. The measures can be process-independent, as retrospective controls (for example by the internal audit department), or process-integrated, as preventive rules.

Control models such as COSO or COBIT are frequently used as the basis of an ICS.

Control measures

The measures are based on technical and organizational principles. They comprise the activities and facilities for internal company control and the relationships between them. They include, for example:

  • physical (structural) and software-based access controls,
  • written instructions, e.g.
    • on security
    • on the confidentiality of trade secrets
    • on communication with the public and the press
  • measures to protect the company's tangible and intangible assets
  • measures to prevent illegal activities in the field of white-collar crime, e.g. the four-eyes principle to prevent embezzlement, corruption and the exceeding of authority.

Classification of control measures / control activities

Control activities can be grouped into different classifications. The most basic classification is that into "manual" and "automatic" controls. In contrast to manual controls, "automatic" (system-based) controls are carried out by an automated system and are applied without manual intervention or interaction. A good example is the independent monitoring of transactions in a database, for example in accounting software. There is also a hybrid form, "system-based manual control activities": the system makes the decision, for example by selecting which sales are to be checked, while the accountant performs the manual reconciliation of sales (per period).

Control activities recur in different cycles: there are daily, weekly, monthly and yearly checks. In the area of accounting, monthly checks such as "check bookings", "check provisions" or "sales tax verification" must be carried out. The control tasks are presented to the responsible persons, and checklists support their execution. The result of each control is recorded in a control report. During audits, these reports are sampled and examined alongside the organization of the controls themselves.

A further classification distinguishes "detective" from "preventive" control activities. "Preventive" controls are used to prevent errors and omissions and are applied in particular to processes that involve a high level of risk. The control can be performed "manually" or "automatically". In contrast, "detective" controls serve to uncover and correct errors. One such control activity is, e.g., the review of the depreciation method (AfA) in the context of the annual financial statements, which is carried out by the accountant.

Based on the order in which controls are applied, a distinction can be made between "primary" and "secondary" controls. "Primary" controls are used most frequently, since "secondary" controls are not decisive enough for management and can also be replaced by "primary" controls.

The riskiest controls are those over non-routine processes, such as the valuation of provisions, since these contain a subjective component and are most susceptible to manipulation by management.

ICS principles

The following principles form the basis of an internal control system:

  • The principle of transparency: target concepts must be established for processes so that an outsider can assess the extent to which those involved are working in conformity with the target concept. At the same time, this defines the expectations of the organization's management.
  • The principle of controls: in a well-functioning control system, the risks jeopardizing the ICS goals are counteracted by means of process-integrated and process-independent activities.
  • The principle of separation of functions: executive (e.g. processing of purchases), booking (e.g. financial accounting, warehouse accounting) and administrative (e.g. warehouse management) activities that occur within one company process (e.g. the purchasing process, understood as running from the determination of requirements to the outgoing payment) should not be combined in one person's hands.
  • The principle of minimum information: employees should only have access to the information they need for their work. This also includes the corresponding security measures for IT systems.
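The separation of functions and the four-eyes principle described above can be enforced as an automatic, detective control over a process log. The following is an added example, not from the article: the assignment of purchase-to-pay steps to the three function groups, the four-eyes step pairs and the sample event log are all constructed assumptions.

```python
"""Detective segregation-of-duties check over a purchase-to-pay event log."""
from collections import defaultdict

# Assumed assignment of process steps to the article's three function groups.
STEP_FUNCTION = {
    "create_order": "executive",        # processing of purchases
    "approve_order": "executive",
    "receive_goods": "administrative",  # warehouse management
    "post_invoice": "booking",          # financial accounting
    "release_payment": "executive",     # outgoing payment
}
# Step pairs that must be carried out by two different people (four-eyes).
FOUR_EYES = [("create_order", "approve_order"), ("post_invoice", "release_payment")]


def check_sod(events):
    """events: iterable of (order_id, user, step); returns sorted violations.
    Rule 1: within one purchasing process a user acts in one function group only.
    Rule 2: each FOUR_EYES step pair is performed by two distinct users."""
    by_order = defaultdict(list)
    for order_id, user, step in events:
        if step not in STEP_FUNCTION:
            raise ValueError(f"unknown step {step!r}")
        by_order[order_id].append((user, step))
    violations = []
    for order_id, acts in by_order.items():
        groups = defaultdict(set)  # user -> function groups touched
        for user, step in acts:
            groups[user].add(STEP_FUNCTION[step])
        for user, funcs in groups.items():
            if len(funcs) > 1:
                violations.append((order_id, "separation_of_functions", user, tuple(sorted(funcs))))
        performer = {step: user for user, step in acts}
        for first, second in FOUR_EYES:
            if first in performer and performer.get(second) == performer[first]:
                violations.append((order_id, "four_eyes", performer[first], (first, second)))
    return sorted(violations)


# Constructed sample log: 4711 is clean, 4712 is mostly one person, 4713 has creator == approver.
SAMPLE_EVENTS = [
    ("4711", "alice", "create_order"), ("4711", "bob", "approve_order"),
    ("4711", "carol", "receive_goods"), ("4711", "dave", "post_invoice"),
    ("4712", "frank", "create_order"), ("4712", "grace", "approve_order"),
    ("4712", "frank", "receive_goods"), ("4712", "frank", "post_invoice"),
    ("4713", "heidi", "create_order"), ("4713", "heidi", "approve_order"),
]

if __name__ == "__main__":
    for violation in check_sod(SAMPLE_EVENTS):
        print(violation)
```

Each violation names the process instance, the rule, the user and the functions or steps involved, which is the evidence a control report for the audit would record.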

Goals of the ICS

Internal control systems (ICS), taking the COSO model as an example, pursue the following goals:

  • Functionality and profitability of business processes
  • Reliability of operational information
  • Asset protection
  • Compliance

ICS structure

The ICS is a network that encompasses the entire organization, or at least the business processes that serve accounting purposes directly or indirectly; its elements ("nodes") are integrated into the organizational and technical processes in a variety of ways. It is arranged and set up by management as required, and its functionality and effectiveness are periodically checked and adjusted. Internal control is not just a matter for the owners or managers, but is often demanded by external bodies (legislators, the EU, audit offices, auditors, insurance companies and banks).

By defining control objectives and the controls that safeguard them, management can gradually determine the overall need for controls. The creation and maintenance of a reliably functioning internal control requires the cooperation of management, executives and employees at all levels.

ICS trends and prospects

Studies increasingly show a trend in practice to integrate the internal control system into governance, risk and compliance management and corporate planning in order to achieve synergy effects. The increasing use of IT solutions can also be observed in practice, although the market for them is still very broad and few standard solutions have yet become established.

Importance of Internal Controls on Financial Reporting

Internal control over financial reporting (ICoFR) has become increasingly important, particularly in the context of the implementation of the Sarbanes-Oxley Act (SOX), and has always been an important part of the ICS.

This is addressed, among other things, in the German IDW auditing standard 261 (identification and assessment of error risks and the auditor's responses to the assessed error risks, IDW PS 261), which replaces IDW PS 260. Furthermore, IDW PS 261 references further IDW standards (PS 200, PS 210, PS 230, PS 240, PS 250, PS 300, PS 321) with regard to procedural questions in the audit of financial statements, the standards on reporting on the audit (PS 400, PS 450, PS 470), and IDW PS 330 on auditing the use of information technology in accounting.

IDW PS 261 has been supplemented by IDW PS 951 (in force since 9/2007), which covers the additional requirements on the internal control system in the case of outsourcing (at the outsourcing company as well as at the service provider) within the scope of the audit.

In Switzerland, a functioning internal control system is required, among other things, by provisions of company law (Art. 728a and 728b OR, 2006).

The US model of financial reporting

In this context, internal control over financial reporting is defined as

  • a process that provides reasonable assurance regarding the reliability of financial reporting when generally accepted financial reporting rules are applied

The following should be covered:

  • Appropriate and fair recording of business transactions
  • Approval of recorded business transactions
  • Preventing and detecting fraudulent activities that could have a material impact on financial reporting

Under the Sarbanes-Oxley Act (SOX), the executives of a company are explicitly obliged to

  • put in place effective controls over financial reporting (ICoFR)
  • assess the functionality of the internal controls over financial reporting against appropriate criteria (e.g. the COSO standards)
  • create evidence and documentation on the basis of which external auditors can assess and review the controls
  • submit a written assessment of the functionality of the controls at the end of the financial year
