Every company wants to minimize risk. Accidents, mistakes or even criminal acts should have no place within companies. This applies, for example, in terms of occupational safety or in the protection of business premises against unauthorized access by third parties. While these measures and rules can be implemented for these more tangible aspects, correct financial practices or good management are more difficult to ensure. Therefore, many companies establish an internal control system (ICS). This should ensure that everything goes as the company planned.

What is an Internal Control System?

The management of a company controls the employees in certain aspects. But who reviews the actions and decisions of management? For these and other parts of an operation, an internal control system can be used to improve the security of a company. Both mistakes and criminal acts should be prevented here. In order to minimize the risks, an ICS consists of rules and workflows designed to prevent misconduct as much as possible. If all employees comply with these regulations, mistakes are unlikely to occur, and whoever is disregarding the rules can be quickly determined.

The control mechanisms are located upstream, at the position, or downstream of the work to be monitored, depending on the usefulness and the possibilities in each specific case. The internal control system's special feature lies in the internal monitoring. Instead of using external participants as supervisory bodies, like other concepts (such as financial supervisors or auditors) do, a good ICS allows employees to monitor each other.

In order to establish an effective internal control system, companies need to consider two areas: an internal control system and an internal monitoring system. The first category deals with rules for controlling the company. Monitoring is a more complex, broader part of the ICS. The measures should run automatically, as much as possible.

Tasks and principles of an ICS

In general, internal control systems should ensure that no one within the company behaves erroneously, that all processes are conducted properly, and that corruption and economic crime are prevented. However, the scope of an ICS can also be further specified:

  • Asset protection: Existing assets should be protected against losses.
  • Recording: All processes must be recorded correctly and promptly.
  • Improvement: Records can be used to improve processes.
  • Regulatory compliance: The system ensures that all participants comply with regulations.

To achieve these objectives, an internal control system relies on four different principles:

  • Segregation of duties: It is important that executing (e.g., purchasing), bookkeeping (e.g., warehouse accounting), and administrative (e.g., warehouse management) functions within a business process are not performed by one and the same person or group.
  • Control: Every important employee process must be monitored by someone else.
  • Minimum information: Every employee should only receive the information they need for their job, no more.
  • Transparency: With a clear vision of the ideal state, external participants can also assess if tasks have been carried out correctly.
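The first three principles can be checked mechanically once roles, reviewers and data access are written down. The following is an added example, not from the article, that runs such a check over the purchasing process used above; the person names, role names and the need-to-know table are constructed assumptions.

```python
"""Policy checker for three ICS principles: segregation of duties,
control by a different person, and minimum information.
All sample data below is constructed for illustration."""
from collections import defaultdict

# Function classes from the segregation-of-duties principle.
SOD_CLASSES = {"purchasing": "executing",
               "warehouse_accounting": "bookkeeping",
               "warehouse_management": "administrative"}

# Minimum information: data each role legitimately needs (assumed table).
NEED_TO_KNOW = {"purchasing": {"supplier", "price"},
                "warehouse_accounting": {"price", "stock_value"},
                "warehouse_management": {"stock_count", "location"},
                "reviewer": {"supplier", "price", "stock_value", "stock_count"}}

# Constructed sample: who holds which role, who reviews which role,
# and which data fields each person has actually been granted.
ASSIGNMENTS = [("alice", "purchasing"), ("bob", "warehouse_accounting"),
               ("alice", "warehouse_management"), ("carol", "reviewer")]
REVIEWS = {"purchasing": "carol", "warehouse_accounting": "bob"}
ACCESS = {"alice": {"supplier", "price", "stock_count", "location", "stock_value"},
          "bob": {"price", "stock_value"},
          "carol": {"supplier", "price", "stock_value", "stock_count"}}

def check_segregation(assignments):
    """Return people holding roles from more than one SoD class."""
    classes = defaultdict(set)
    for person, role in assignments:
        if role in SOD_CLASSES:
            classes[person].add(SOD_CLASSES[role])
    return sorted(p for p, c in classes.items() if len(c) > 1)

def check_control(assignments, reviews):
    """Return roles whose reviewer is also a holder of that role."""
    holders = defaultdict(set)
    for person, role in assignments:
        holders[role].add(person)
    return sorted(r for r, reviewer in reviews.items() if reviewer in holders[r])

def check_minimum_information(assignments, access):
    """Return, per person, granted fields that none of their roles needs."""
    needed = defaultdict(set)
    for person, role in assignments:
        needed[person] |= NEED_TO_KNOW.get(role, set())
    excess = {p: sorted(fields - needed[p]) for p, fields in access.items()}
    return {p: f for p, f in excess.items() if f}
```

In the sample data, alice holds an executing and an administrative role, bob reviews his own bookkeeping, and alice has been granted one field her roles do not need; each check reports exactly that finding.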

Note

There is no universal internal control procedure that could be applied equally to all companies. An individual ICS must be developed depending on the size, industry and legal form of the company.

Frameworks

There are two models that are used repeatedly for internal control systems and are very successful. They are known by the acronyms COSO and COBIT.

COSO (Committee of Sponsoring Organizations of the Treadway Commission)

COSO is actually a private North American organization dedicated to the overall improvement of corporate structures. This includes, for example, questions of ethics, but also a lot of what an ICS covers. That is why the organization had already developed a practical internal control framework in the 1990s, which got an update in 2004.

The model targets four different categories:

  • Strategic: Overriding objectives of business activities
  • Operations: Efficient use of resources
  • Reporting: Reliable reporting
  • Compliance: Compliance with laws

These categories are interlaced with five components:

  • Control environment: This component deals primarily with ethics, philosophy, competences, but also structural aspects of the company. The control environment consists of different standards for performing controls. It also identifies mechanisms that enable management to assign responsibilities.
  • Risk assessment: What risks can arise for the company? The risk assessment is based on the specific company objectives. Anything that can prevent the achievement of objectives is perceived as a risk.
  • Control activities: This component deals with the implementation of controls. Management's decisions and target specifications must be carried out in full. Specific procedures are used for the implementation.
  • Information and communication: The dissemination of information as well as internal and external communication are considered with this component. For the transmission of information, verbal reports as well as handbooks and written guidelines come into consideration.
  • Monitoring: Monitoring refers to assessing the procedure. The extent to which the ICS is enforced and functions is continuously, or at least regularly, checked.

All categories refer to all components. Everything should be carried out at every level of the company.

Another update to the framework from 2017 addresses new challenges posed by digitization.

COBIT (Control Objectives for Information and Related Technology)

The framework of the Information Systems Audit and Control Association is aimed at the IT department of a company. So, while COSO focuses primarily on accounting and business management, COBIT deals with the technological structures within a company. COBIT (in the fifth version) consists of five principles, seven categories and 37 processes within five domains.

The five principles of COBIT are basic assumptions:

  • Meet all requirements: Stakeholders must have all their wishes fulfilled through the system. Part of this principle is therefore to first define the stakeholders.
  • Map the whole company: To prevent information losses, every part of the company must be integrated into the ICS, including those which do not involve IT solutions.
  • Integrate a single framework: For COBIT to work as effectively as possible, you should not use two frameworks side by side. Two systems not only increase the effort, they also lead to more errors.
  • Take a holistic approach: COBIT 5 intervenes in all processes of a company and therefore makes it possible to jointly achieve corporate objectives.
  • Separate monitoring and management: Management and monitoring must be clearly separated in a functioning internal control system so that incorrect decisions are not made by the executing individuals.

To be successful, COBIT 5 defines seven different enablers that are linked together and should be tracked:

  • Principles, guidelines and framework values: The desired objectives are translated into practical implementations to enable daily work.
  • Processes: This enabler comprises a set of practices that can be used to achieve the objectives set.
  • Organizational structures: This enabler determines the grounds for assigning clear roles to employees.
  • Culture, ethics and behavior: Behaviors are introduced for the entire company as well as each individual employee that should improve the culture of the company in the long term.
  • Information: In order for information to be correctly handled, both information originating from the company and that coming from outside the organization, this enabler provides information on quality, security and accessibility.
  • Services, infrastructure and applications: This point determines which technologies and applications must be used so that IT is secure and always available.
  • Employees, skills and competencies: The level of education and the qualities of each employee are important in order to make correct decisions and be able to take corrective action.

The 37 processes defined by COBIT in turn refer to specific use cases within a company. They provide indications of how certain groups of people are to behave in specific situations. COBIT again differentiates here between management and governance.

Legal requirements

In the US, the Sarbanes-Oxley Act led to the mandatory establishment of internal control systems. Scandals surrounding large companies such as Enron and WorldCom, which had not released honest balance sheets, were the trigger. Many practices in internal control systems (including internationally) are derived from the US statutory requirements of the Sarbanes-Oxley Act. In the UK, for example, there are also regulations that require the effects and practices of such a system.

These regulations govern the strengthening of auditors' rights to information from directors and employees, the widened powers of the Financial Reporting Council to obtain information from auditors, and the new regime for regulating auditors. The Companies (Audit, Investigations and Community Enterprise) Act came into effect in 2004. It can also be seen from the various legal texts that the requirements partly depend on the legal form of the company.

Practical implementation of an internal control system

In practice, an ICS is adapted to the circumstances and requirements of a company (or even an organization or authority). Therefore, no two internal control systems are the same. It is often not the documentation that primarily guarantees safe and clear processes within a company; corporate culture and internalized conduct are often more decisive. This requires clear signals from management to every single employee.

Tip

So that important information about the ICS is also readily available within the company in a sustainable manner, it is worthwhile creating guides, manuals and information leaflets. This enables employees to access information about their duties and obligations at any time.

Other points, in turn, work better with accurate records. This can help ensure that supervisory bodies have the insight they need to monitor management (or other relevant areas of a business). This works in the form of reports that are created on a regular basis, but also as the situation requires. Of course, detailed financial reporting is of particular importance to an internal control system.

ICS often represent a challenge for smaller companies. Successfully implementing this kind of control system requires personnel to take control. However, as many different activities within smaller companies are often carried out by only one or maybe a few people, control is difficult. This issue can be intensified if, for example, there is only one person representing the management of the company. Employees would then have to oversee management, which proves difficult in practice.

A bottom-up approach can help, in which individual aspects are gradually integrated into the ICS before a holistic system is introduced. The starting point can be, for example, accounting, for which every company has already established a reporting system anyway. In addition to self-discipline, above all, proper documentation helps to establish a successful ICS within SMEs.

Differentiation to other control mechanisms

Business owners will also be familiar with other control systems that they may have already established within their operations or are considering doing so. These include, for example, the risk management system (RMS). You could assume that an RMS and an ICS would be identical, since both systems are concerned with the monitoring of a company and managing risks, but they relate to completely different procedures, even if overlaps exist.

Risk management revolves around complex corporate governance strategies and the dangers that can arise from related decisions. The internal control system focuses more on the actual work of employees and managing directors. Here, it is constantly checked whether everyone is complying with the guidelines, and these guidelines are also pursued by an RMS. First of all, this means that risk management systems and internal control systems go hand in hand, and secondly, that it makes sense to install both systems in parallel within a company.

A compliance management system (CMS) also does not cover the same areas as the other two systems. A CMS should very specifically prevent unlawful actions or practices. These are clearly risks, but not the only ones. You can also conduct yourself in accordance with the law and still endanger the company through certain actions.

Internal audit, another term that is regularly used in the context of monitoring a company, can in turn be seen as an ICS measure. It is a subordinate category, whereas ICS, RMS and CMS operate equally on one level.
