Internal control

An Internal Control System (ICS) consists of systematically developed technical and organizational measures and controls in the company for compliance with policies and to fight off any damage that may be caused by its own staff or a malicious third party. The controls can be performed both independently of the process, for example by the internal audit department, and as part of the process.

Control models such as COSO, CobiT or CoCo are frequently used as the basis of an ICS.

Control measures

The measures are based on technical and organizational principles. They include activities and facilities for corporate control as well as their relationships to each other. They include, for example,

  • Structural and technical software access controls
  • Written instructions, such as for security
  • The confidentiality of trade secrets
  • For communication with the public and the press

Classification of control measures / control activities

Control activities can be grouped in different ways. The most basic classification is into "manual" and "automatic" controls. In contrast to manual controls, "automatic / system-based" controls are carried out by an automatic system and applied without manual intervention or interaction. A good example is the self-verification of transactions in a database, as used for example in accounting software. There are also hybrid "system-based manual" control activities. In these, the system makes the selection for the decision-maker, for example for the control of revenues, and the accountant makes the manual comparison of sales (per period).

Testing activities recur in different cycles. There are daily, weekly, monthly and annual checks. In accounting, monthly checks include "check book", "check provisions" or performing the sales tax plausibility check ("Umsatzsteuerverprobung"). The control tasks are assigned to responsible persons, and checklists assist in their implementation. The results of the checks are recorded in a test report. In audits, these reports are reviewed on a sample basis in addition to the organization of controls.

Another classification distinguishes "preventive" from "detective" control activities. "Preventive" controls are intended to prevent errors and omissions, and are used particularly for processes that involve a high risk. The control can be done "manually" or "automatically". "Detective" controls, in contrast, serve the detection and correction of errors. An example of such a control activity is the verification of the depreciation method carried out by the accountant in the context of the financial statements.

Based on the sequence of checks, one can distinguish between "primary" and "secondary" controls. "Primary" controls are used most often, as "secondary" controls are not critical enough to management and can also be replaced by "primary" controls.

Controls on non-routine processes, such as the measurement of provisions, are assessed as the most risky, as these contain a subjective component and are the most vulnerable to manipulation by management.

ICS principles

The following principles form the basis of an internal control system:

  • The principle of transparency: This principle states that target concepts must be established for processes, allowing an outsider to assess the extent to which those involved work in conformity with this target concept. At the same time, this defines the expectations of the organization's top management.
  • The four-eyes principle: This principle states that in a well-functioning control system, no significant procedure is to remain without a (counter-)check.
  • The principle of separation of functions: This principle states that executing (such as the settlement of purchases), accounting (e.g. financial accounting, inventory accounting) and managing (e.g. inventory management) activities that are carried out within one business process (e.g. the purchasing process, understood as a process from needs assessment to cash payment) should not be united in one hand.
  • The principle of minimum information: This principle states that employees should have access only to the information they need for their work. This also includes the appropriate security measures for IT systems.

Objectives of ICS

Internal control systems (ICS), exemplified here by the COSO framework, pursue the following objectives:

  • Functioning and profitability of business processes
  • Reliability of business information
  • Asset Protection
  • Rule compliance

Structure of ICS

The ICS is an organization-wide network, covering at a minimum the business processes that directly or indirectly serve accounting, whose elements ("nodes") are involved in various ways in the organizational and technical processes. It is set up by line management as required and is periodically reviewed and adjusted with regard to its functionality and effectiveness. Internal control is not a matter of owners or managers alone, but is often also required by external bodies (legislators, EU, courts of auditors, accountants, insurance companies and banks).

By defining objectives (control objectives) and controls to safeguard them, line management can gradually work out the full extent of controls required. Creating and maintaining a reliably functioning internal control system requires the involvement of line managers and employees at all levels.

Trends and prospects of ICS

Studies increasingly show a trend in practice towards integrating the internal control system into governance, risk and compliance management and corporate planning in order to achieve synergy effects. Increasing use of IT solutions is also observed in practice, although the market is still very fragmented and so no small set of standard solutions has yet become established.

Importance of internal controls in relation to financial reporting

Internal control over financial reporting (ICoFR for short) is becoming increasingly important, in particular in the context of the implementation of the Sarbanes-Oxley Act (SOX), and has always been an important part of the ICS.

This is addressed in the German IDW Auditing Standard 261 ("Identifying and assessing the risks of error and the auditor's responses to the assessed risks of error", IDW PS 261), which replaced IDW PS 260. Auditing Standard 261 furthermore references other IDW standards (PS 200, PS 210, PS 230, PS 240, PS 250, PS 300, PS 321) with respect to procedural questions during the audit, the standards on reporting on the audit of financial statements (PS 400, PS 450, PS 470), and IDW PS 330 on auditing the use of information technology in accounting.

IDW PS 261 has received a supplement in the form of IDW PS 951 (in force since 9/2007) concerning the additional requirements for the internal control system in the case of outsourcing (at the outsourcing company and the service company) within the framework of the audit.

In Switzerland, among others, provisions of the Corporation Law (728a and 728b OR: 2006) require a functioning internal control system.

The U.S. model of financial reporting

In this context, internal control over financial reporting is defined as

  • A process that provides sufficient assurance regarding the reliability of financial reporting in accordance with generally accepted rules of financial reporting

This is to cover:

  • Appropriate and fair consideration of transactions
  • The approval of recorded transactions
  • Preventing and uncovering fraudulent acts that could have a material effect on the financial reporting

As part of the Sarbanes-Oxley Act (SOX), the managers of a company are explicitly obliged to

  • Establish effective controls over financial reporting (ICoFR)
  • Assess the functioning of the internal controls over financial reporting on the basis of reasonable criteria (such as the COSO standards)
  • Create evidence and documentation by which external auditors can evaluate and verify these controls
  • Submit a written assessment of the effectiveness of the controls at the end of the financial year