Every company wants to minimise risk. Accidents, mistakes or even criminal acts should have no place within companies. This applies, for example, in terms of occupational safety or in the protection of business premises against unauthorised access by third parties. While measures and rules can be implemented for these more tangible aspects, correct financial practices or good management are more difficult to ensure. Therefore, many companies establish an internal control system (ICS). This should ensure that everything goes as the company planned.

What is an Internal Control System?

The management of a company controls the employees in certain aspects. But who reviews the actions and decisions of management? For these and other parts of an operation, an internal control system can be used to improve the security of a company. Both mistakes and criminal acts should be prevented here. In order to minimise the risks, an ICS consists of rules and workflows designed to prevent misconduct as much as possible. If all employees comply with these regulations, mistakes are unlikely to occur, and whoever is disregarding the rules can be quickly determined.

The control mechanisms are located upstream of, at, or downstream from the work to be monitored, depending on the usefulness and the possibilities in each specific case. The internal control system's special feature lies in the internal monitoring. Instead of using external participants as supervisory bodies, as other concepts (such as financial supervisors or auditors) do, a good ICS allows employees to monitor each other.

In order to establish an effective internal control system, companies need to consider two areas: an internal control system and an internal monitoring system. The first category deals with rules for controlling the company. Monitoring is a more complex, broader part of the ICS. The measures should run automatically, as much as possible.

Tasks and principles of an ICS

In general, internal control systems should ensure that no one within the company behaves erroneously, that all processes are conducted properly, and that corruption and economic crime are prevented. However, the scope of an ICS can also be further specified:

  • Asset protection: Existing assets should be protected against losses.
  • Recording: All processes must be recorded correctly and promptly.
  • Improvement: Records can be used to improve processes.
  • Regulatory compliance: The system ensures that all participants comply with regulations.

To achieve these objectives, an internal control system relies on four different principles:

  • Segregation of duties: It is important that executing (e.g., purchasing), bookkeeping (e.g., warehouse accounting), and administrative (e.g., warehouse management) functions within a business process are not performed by one and the same person or group.
  • Control: Every important employee process must be monitored by someone else.
  • Minimum information: Every employee should only receive the information they need for their job, no more.
  • Transparency: With a clear vision of the ideal state, external participants can also assess if tasks have been carried out correctly.

Note

There is no universal internal control procedure that could be applied equally to all companies. An individual ICS must be developed depending on the size, industry and legal form of the company.

Frameworks

There are two models that are used repeatedly for internal control systems and are very successful. They are known by the acronyms COSO and COBIT.

COSO (Committee of Sponsoring Organisations of the Treadway Commission)

COSO is actually a private North American organisation dedicated to the overall improvement of corporate structures. This includes, for example, questions of ethics - but also a lot of what an ICS covers. That's why the organisation had already developed a practical framework in the 1990s, which was updated in 2004.

The model targets four different categories:

  • Strategic: Overriding objectives of business activities
  • Operations: Efficient use of resources
  • Reporting: Reliable reporting
  • Compliance: Compliance with laws

These categories are interlaced with five components:

  • Control environment: This component deals primarily with ethics, philosophy, competences, but also structural aspects of the company. The control environment consists of different standards for performing controls. It also identifies mechanisms that enable management to assign responsibilities.
  • Risk assessment: What risks can arise for the company? The risk assessment is based on the specific company objectives. Anything that can prevent the achievement of objectives is perceived as a risk.
  • Control activities: This component deals with the implementation of controls. Management's decisions and target specifications must be carried out in full. Specific procedures are used for the implementation.
  • Information and communication: The dissemination of information as well as internal and external communication are covered by this component. For the transmission of information, verbal reports as well as handbooks and written guidelines come into consideration.
  • Monitoring: Monitoring refers to assessing the procedure. The extent to which the ICS is enforced and functions is continuously, or at least regularly, checked.

All categories refer to all components. Everything should be carried out at every level of the company.

Another update to the framework from 2017 addresses new challenges posed by digitisation.

COBIT (Control Objectives for Information and Related Technology)

The framework of the Information Systems Audit and Control Association is aimed at the IT department of a company. So, while COSO focuses primarily on accounting and business management, COBIT deals with the technological structures within a company. COBIT (in its fifth version, COBIT 5) consists of five principles, seven categories (enablers) and 37 processes within five domains.

The five principles of COBIT are basic assumptions:

  • Meet all requirements: Stakeholders must have all their wishes fulfilled through the system. Part of this principle is therefore to first define the stakeholders.
  • Map the whole company: To prevent information losses, every part of the company must be integrated into the ICS, including those which do not involve IT solutions.
  • Integrate a single framework: For COBIT to work as effectively as possible, you should not use two frameworks side by side. Two systems not only increase the effort, they also lead to more errors.
  • Take a holistic approach: COBIT 5 intervenes in all processes of a company and therefore makes it possible to jointly achieve corporate objectives.
  • Separate monitoring and management: Management and monitoring must be clearly separated in a functioning internal control system so that incorrect decisions are not made by the executing individuals.

To be successful, COBIT 5 tracks seven different enablers that are linked together.

  • Principles, guidelines and framework values: The desired objectives are translated into practical implementations to enable daily work.
  • Processes: This enabler comprises a set of practices that can be used to achieve the objectives set.
  • Organisational structures: This enabler determines the grounds for assigning clear roles to employees.
  • Culture, ethics and behaviour: Behaviours are introduced for the entire company as well as each individual employee, which should improve the culture of the company in the long term.
  • Information: In order for information to be correctly handled – both information originating from the company and that coming from outside the organisation – this enabler provides information on quality, security and accessibility.
  • Services, infrastructure and applications: This point determines which technologies and applications must be used so that IT is secure and always available.
  • Employees, skills and competencies: The level of education and the qualities of each employee are important in order to make correct decisions and be able to take corrective action.

The 37 processes defined by COBIT in turn refer to specific use cases within a company. They provide indications of how certain groups of people are to behave in specific situations. COBIT again differentiates here between management and governance.

Legal requirements

In the US, the Sarbanes-Oxley Act led to the mandatory establishment of internal control systems. Scandals surrounding large companies such as Enron and WorldCom, which had not published honest balance sheets, were the trigger. Many practices in internal control systems (including internationally) are derived from the US statutory requirements of the Sarbanes-Oxley Act. In the UK, for example, there are also regulations that require the effects and practices of such a system to be in place.

These regulations govern the strengthening of auditors' rights to information from directors and employees, the widened powers of the Financial Reporting Council to obtain information from auditors, and the new regime for regulating auditors. The Companies (Audit, Investigations and Community Enterprise) Act came into effect in 2004. It can also be seen from the various legal texts that the requirements partly depend on the legal form of the company.

Practical implementation of an internal control system

In practice, an ICS is adapted to the circumstances and requirements of a company (or even an organisation or authority). Therefore, no two internal control systems are the same. Documentation alone often does not guarantee safe and clear processes within a company. Corporate culture and internalised conduct are often more decisive. This requires clear signals from management to every single employee.

Tip

So that important information about the ICS is also readily available within the company in a sustainable manner, it is worthwhile creating guides, manuals and information leaflets. This enables employees to access information about their duties and obligations at any time.

Other points, in turn, work better with accurate records. This can help ensure that supervisory bodies have the insight they need to monitor management (or other relevant areas of a business). This works in the form of reports that are created on a regular basis, but also as the situation requires. Of course, detailed financial reporting is of particular importance to an internal control system.

An ICS often represents a challenge for smaller companies. Successfully implementing this kind of control system requires personnel who can exercise control. However, as many different activities within smaller companies are often carried out by only one or maybe a few people, control is difficult. This issue can be intensified if, for example, there is only one person representing the management of the company. Employees would then have to oversee management, which proves difficult in practice.

A bottom-up approach can help, in which individual aspects are gradually integrated into the ICS before a holistic system is introduced. The starting point can be, for example, accounting, for which every company has already established a reporting system anyway. In addition to self-discipline, above all, proper documentation helps to establish a successful ICS within SMEs.

Differentiation from other control mechanisms

Business owners will also be familiar with other control systems that they may have already established within their operations or are considering doing so. These include, for example, the risk management system (RMS). You could assume that an RMS and an ICS would be identical, since both systems are concerned with the monitoring of a company and managing risks, but they relate to completely different procedures, even if overlaps exist.

Risk management revolves around complex corporate governance strategies and the dangers that can arise from related decisions. The internal control system focuses more on the actual work of employees and managing directors. Here, it is constantly checked whether everyone is complying with the guidelines - and these guidelines are also pursued by an RMS. First of all, this means that risk management systems and internal control systems go hand in hand, and secondly, that it makes sense to install both systems in parallel within a company.

A compliance management system (CMS) also does not cover the same areas as the other two systems. A CMS should very specifically prevent unlawful actions or practices. These are clearly risks, but not the only ones. You can also conduct yourself in accordance with the law and still endanger the company through certain actions.

Internal audit, another term that is regularly used in the context of monitoring a company, can in turn be seen as an ICS measure. It is a subordinate category, whereas ICS, RMS and CMS operate equally on one level.
