An Internal Control System (ICS)
Companies that are subject to regular audits must continue to confirm the existence
of an internal control system (ICS). To date, auditors assess the ICS only to obtain
an understanding of the entity to be audited, which they take into account when
preparing the audit strategy and the audit approach.
This chapter provides an overview of:
The concept and objectives of an Internal Control System
The different components of an Internal Control System
Tasks and responsibilities, and
Minimum requirements for an Internal Control System
4.1
4.1.1 Components of an ICS
The design and the implementation of an ICS depend on the size of the business, the
business risks and the complexity of the organization. Smaller companies can more
easily achieve the objectives of an ICS with less formal means and simpler
processes and structures.
Based on COSO, the components of an ICS are divided into the following five
categories:

Control Environment
The design of the control environment of a company comprises various components
and the way management influences the processes in the company. These include
regulations for the delegation of tasks and responsibilities, communication and
enforcement of integrity and ethical values, commitment to competence, the
involvement of those responsible for management and supervision, leadership
principles and management style, organizational structure and, finally, interaction
with employees and customers.

Risk Assessment
Every organization needs to be aware of the risks it is exposed to and how to manage
them. The risk assessment typically involves:
Specification of corporate objectives and risk management objectives (safety
objectives) and definition of risk management policies
Risk identification (identifying the principal risks that could result in a
misstatement in the accounts, and the accounting and business risks that could
affect financial reporting)
Risk assessment (assessment of the importance of a risk and of its likelihood of
occurrence)
Information/communication (defining who is to be informed, when and of what)
Risk management (decisions about possible measures)
Monitoring of the control measures

Control Activities
Each company must define and implement instructions and procedures to ensure that
the activities the BoD and the Executive Board have set as necessary targets are
actually executed. Examples of control activities are authorization processes
(authorization levels, signature policies), work instructions, performance
monitoring, access rights in IT processes, physical controls and segregation of
duties (four-eyes principle).

Accounting-relevant Information Systems
Information and communication channels must be defined so that the board and the
employees have the right information at the right time to perform the required
activities and controls. Information systems that ensure that all relevant
information is collected, processed and distributed reliably and in a timely manner
are a prerequisite.

Monitoring of the Internal Control System
The ICS is only effective if the control measures are reliable in the long term.
Therefore, the ICS must be constantly monitored so that it remains effective. This
includes a timely review of the structure and function of the controls by
supervisors and the implementation of necessary corrective measures.

4.1.2
The responsibility for the implementation of an ICS lies with the Board of Directors
(BoD) or its Audit Committee. Primarily, the BoD has to make sure that appropriate
control measures are taken so that misstatements of transactions and the related
statements are prevented, detected or corrected. Management, however, is
responsible for the operation and maintenance of the ICS. The tasks and
responsibilities in the area of the ICS can be illustrated as follows:

[Figure: ICS tasks and responsibilities, split between the Board of Directors (or
its Audit Committee) and Management]
The Board has to periodically deal with the following fundamental issues in
relation to the ICS:
1. Are all significant risks in the operational business processes known?
2. Are there measures that reduce these significant risks to an acceptable level for
the company?
3. Do the BoD and Management receive assurance that the ICS is actually effective
and operating efficiently?
4. Do organization and corporate culture allow for continuous improvement of
processes and controls?
4.1.3

[Figure: characteristics of a good ICS, grouped under Traceability, Efficiency,
Meaning/content/expression and Compliance with the corporate culture]

Meaning/content/expression:
Clearly defined responsibilities
Controls are aligned to risks
Controls are integrated into processes and are monitored
Sufficiently tested controls
Well-trained employees
A clearly defined information and escalation process

Traceability:
ICS objectives and degree of expansion are documented
Business risks are documented
Processes and controls are recorded in writing
Control activities are clearly documented
The quality of the ICS is regularly assessed and reported

Efficiency:
ICS is an integral part of enterprise-wide risk management
Use of internal audit and coordination with auditors
Focusing on key risks
Possibility to automate the controls
There are no statutory regulations on the scope and the minimum requirements
for the ICS.¹ However, the ICS must meet certain requirements so that the
auditor can confirm its existence:
The ICS must be documented
The ICS must be sized according to the business risks and be appropriate to the
scope of the business
The ICS must be communicated to the employees
The ICS must be implemented and applied
The company must have a control consciousness
An internal control system, like the company itself, must keep developing. Adapting
to changing environmental conditions is of central importance: globalization,
competitive pressure, new technologies and legal changes must therefore always be
reflected in the business processes. In addition, the ICS must be continually
reviewed, and the responsible manager has to react immediately if adjustments are
needed. The costs, however, always have to be kept in mind. In the medium term, the
costs of establishing and maintaining the ICS are expected to be offset by the
following benefits:
Clear organization, roles and responsibilities within the company
Identified business risks associated with controls, a step towards Enterprise Risk
Management (ERM)
Identification of efficiency potential in business processes
Reduced amount of error corrections (since errors are detected more quickly)
Development of control consciousness of employees at all levels
Increased confidence in the financial report (stakeholders)
Improved corporate monitoring
Eliminated redundancies in the controlling processes
Reduced risk of fraud
Fewer error corrections during the audit
Such an ICS almost automatically satisfies the requirements for auditability; the
compliance can be regarded as a by-product.
Reference
Atteslander, J., & Cheetham, M. (2007). Vorschläge der Unternehmen zum IKS: Definition der
Gesetzgebung und die Rolle der Revisionsstelle. Der Schweizer Treuhänder: Monatsschrift für
Wirtschaftsprüfung, Rechnungswesen, Unternehmens- und Steuerberatung; offizielles Organ
der Treuhand-Kammer, Zürich, 81(1/2), 30–37.