Internal control system | ICS—definition, areas of application, implementation

Voit, Stefan | 05.01.2024

Definition: What is an internal control system?

An internal control system (ICS) consists of rules with which the control mechanisms within a company are centrally managed. These controls in turn serve to ensure compliance with internally set and externally imposed guidelines or laws and to prevent damage.

An ICS therefore prevents “blind actionism”, i.e. uncontrolled business processes that can harbor errors and are often undocumented. Instead, a well-implemented ICS has systematic procedures for self-monitoring. These can be carried out before, during or after work processes, which means they can also act preventively.

The ICS is a component of the organizational and operational structure. An ICS is therefore the responsibility of the management or management board. The implementation of the rules extends across the entire organization and is controlled via processes. An ICS regulates authorizations and approvals (usually according to the dual control principle) and clearly and purposefully defines what a business process should look like on a day-to-day basis. Closely interwoven with this are regulated responsibilities, so that it is clear who is responsible for certain processes or procedures. Incidents can therefore be assigned to individuals. In practice, this possibility of being held accountable is an effective means of ensuring compliance with procedural instructions, guidelines and specifications.

What is the purpose and what are the advantages of an ICS?

The central aim is to increase profitability; profits should be maximized. Existing business assets should be protected: on the one hand by ensuring that quality-relevant business processes are properly executed and continuously improved, on the other hand by helping the company act in compliance with the law. Risks of fines, contractual penalties and damage to image are kept to a minimum.

To achieve these goals, the effectiveness of defined rules is tested: A check is made to see whether everything is running as intended in practice and whether the established control mechanisms are effective. If differences arise between the specifications and observations, measures must be taken.

The term “internal control system” is usually associated with accounting. However, an ICS includes controls and security measures for many business areas. This includes compliance audits or the review of the company’s own management style and ethical values. The overall aim is to achieve greater (internal and external) transparency, set higher quality standards and take fewer risks (due to ambiguous instructions, unclear responsibilities, etc.). An ICS is required at the latest when a company is obliged to comply with standards and must therefore meet certain audit-proof requirements.

Although many companies already monitor their work processes, they have not introduced a standardized and systematically documented system. Instead, everyone usually checks as he or she sees fit. An ICS brings standardization and verifiable compliance with the standards set.

Areas of application, relevant norms, standards and laws

Most corporations are legally obliged to set up an ICS (see Sections 91 and 107 of the German Stock Corporation Act). The supervisory board is liable for this. According to section 289 (4) of the German Commercial Code (HGB), capital market-oriented companies are also obliged to present “the main features of the internal control and risk management system with regard to the accounting process” in a management report.

Corporations are companies with limited liability, i.e. AGs (stock corporations, including the special form SE), KGaAs and GmbHs. Capital market-oriented companies trade in securities. For most other companies and organizations, an ICS is voluntary. If there are standards in your industry, an ICS will help you to comply with them. In addition, controls can be demanded by external bodies (supervisory authorities, customers with a corresponding interest). However, an ICS is recommended even without such bodies. This is because, among other things, it is about implementing quality-relevant processes safely and achieving corporate goals.

Tips for implementing an ICS

Before an internal control system is introduced, the mindset in the team should move away from the idea that it is about monitoring employees. An ICS is also not synonymous with micromanagement due to a lack of trust. Rather, the team members themselves implement the rules of the ICS. They monitor, document and optimize their own processes.

From a purely pragmatic point of view, some companies start with accounting when introducing an ICS, which is related to the legal obligations mentioned above. Over time, the system can become more comprehensive, for example to ensure the implementation of ISO standards. Thematically, other areas such as information security or quality standards can be added.

We recommend this procedure for implementation:

  • Define your business objectives. These can be financial goals, but also penalty avoidance or legal compliance.

  • Identify possible risks and/or guidelines for the objectives to be achieved.

  • Link the risks and/or legal regulations to the respective processes. In other words: To which process is an identified risk assigned? Who is responsible for this process?

  • Design control mechanisms that regularly and effectively check whether the target values have actually been achieved. Deviations and achieved targets must be documented.

  • Make sure that the controls are part of the process. This means that the checks are not external to day-to-day business, but are integrated.

  • Controls—especially when they are newly introduced—must also be tested. It’s like in science: Does the defined measurement value make sense in terms of target achievement?

  • One point that applies throughout: don’t forget the documentation! Ideally, the software used takes care of the documentation.

  • Then optimize your control processes (according to the plan-do-check-act principle) by evaluating control results cyclically.

  • Use graphical representations or reports to make it easier to record results and derive suitable measures.

Implementation of an ICS with the help of software

Let’s assume that invoices were paid for services or goods that were never provided or delivered. This was either due to a lack of communication, insufficient control or deliberate fraud.

In any case, the invoice payment process would now be a chapter in your ICS questionnaire, and several points in it would need to be clarified. Another example would be the quality control of your own products and services.

With specialized compliance software, you can now create an object for this process and store questions and instructions. Graphics, checklists or question catalogs with specific action steps can also be stored in a suitable solution.

Once the rules have been defined, they should be checked regularly. Again, it is helpful to use software that sends reminders as required, for example when a deadline is about to expire. Subsequently, a distinction should be made not only between “rule was implemented” or “was not implemented”, but also in gradations such as “only partially fulfilled”. Reasons should be added for unsatisfactory results, as constructive criticism is the only way to improve.

It would also be possible to work with different software such as spreadsheets and text programs, but once the processes reach a certain level of complexity, chaos is inevitable in the truest sense of the word. An Excel spreadsheet, for example, does not send reminders, and such programs offer no way to assign rights and roles, which are central to a control system. Spreadsheets are also not audit-proof; manipulation or operating errors can lead to data loss. The qualitative documentation should also not be separated from the quantitative measurements, but combined in one application.

ICS features in OMNITRACKER

OMNITRACKER does not offer stand-alone software for internal control systems, as every company has an individual process landscape and specific corporate objectives. However, the OMNITRACKER Governance, Risk and Compliance Center as an integrated audit and compliance software contains all the necessary functions to map a precisely fitting (and later adaptable) ICS. The procedure can be similar to audits for ISO certifications. The only difference with the ICS is that the “standards” to be audited are defined by the company itself. So make sure you use software that allows you to freely define guidelines and work instructions.

An ICS is part of the compliance strategy of an institution (company, authority, NGO, etc.). This compliance strategy includes elements of risk management. As all objects, processes and the associated authorization and role concept are interrelated, the various disciplines should not be viewed in isolation from one another. In the course of audit planning and implementation, preparing for emergencies, establishing an ICS and evaluating suppliers (mandatory under the LkSG, i.e. the German Supply Chain Act) as part of ISO 27001 certification, for example, risks are identified that could impair the achievement of objectives. A central GRC tool creates synergy effects here.

Introducing a separate tool for each of these sub-areas of the GRC cosmos would be neither economical nor expedient in terms of day-to-day operation.
