ICS: Internal Control Systems Explained

Every company wants to minimize risk. Accidents, mistakes or even criminal acts should have no place within companies. This applies, for example, in terms of occupational safety or in the protection of business premises against unauthorized access by third parties. While these measures and rules can be implemented for these more tangible aspects, correct financial practices or good management are more difficult to ensure. Therefore, many companies establish an internal control system (ICS). This should ensure that everything goes as the company planned.

The management of a company controls the employees in certain aspects. But who reviews the actions and decisions of management? For these and other parts of an operation, an internal control system can be used to improve the security of a company. Both mistakes and criminal acts should be prevented here. In order to minimize the risks, an ICS consists of rules and workflows designed to prevent misconduct as much as possible. If all employees comply with these regulations, mistakes are unlikely to be able to occur and whoever is disregarding the rules can be quickly determined.

The control mechanisms are located upstream, at the position, or downstream of the work to be monitored, depending on the usefulness and the possibilities in each specific case. The internal control system’s special feature lies in the internal monitoring. Instead of using external participants as supervisory bodies, like other concepts (such as financial supervisors or auditors) do, a good ICS allows employees to monitor each other.

In order to establish an effective internal control system, companies need to consider two areas: An internal control system and an internal monitoring system. The first category deals with rules for controlling the company. Monitoring is a more complex, broader part of the ICS. The measures should run automatically, as much as possible.

In general, internal control systems should ensure that no one within the company behaves erroneously, that all processes are conducted properly, and that corruption and economic crime are prevented. However, the scope of an ICS can also be further specified:

• Asset protection: Existing assets should be protected against losses.
• Recording: All processes must be recorded correctly and promptly.
• Improvement: Records can be used to improve processes.
• Regulatory compliance: The system ensures that all participants comply with regulations.

To achieve these objectives, an internal control system relies on four different principles:

• Segregation of duties: It is important that executing (e.g., purchasing), bookkeeping (e.g., warehouse accounting), and administrative (e.g., warehouse management) functions within a business process are not performed by one and the same person or group.
• Control: Every important employee process must be monitored by someone else.
• Minimum information: Every employee should only receive the information they need for their job, no more.
• Transparency: With a clear vision of the ideal state, external participants can also assess if tasks have been carried out correctly.

There are two models that are used repeatedly for internal control systems and are very successful. They have been designated the acronyms COSO and COBIT.

COSO internal control framework is actually a private North American organization dedicated to the overall improvement of corporate structures. This includes, for example, questions of ethics - but also a lot of what an ICS covers. That’s why the organization had already developed a practical framework in the 1990s, which got an update in 2004.

The model targets four different categories:

• Strategic: Overriding objectives of business activities
• Operations: Efficient use of resources
• Reporting: Reliable reporting
• Compliance: Compliance with laws

These categories are interlaced with five components:

• Control environment: This component deals primarily with ethics, philosophy, competences, but also structural aspects of the company. The control environment consists of different standards for performing controls. It also identifies mechanisms that enable management to assign responsibilities.
• Risk assessment: What risks can arise for the company? The risk assessment is based on the specific company objectives. Anything that can prevent the achievement of objectives is perceived as a risk.
• Control activities: This component deals with the implementation of controls. Management’s decisions and target specifications must be carried out in full. Specific procedures are used for the implementation.
• Information and communication: The dissemination of information as well as internal and external communication are considered with this component. For the transmission of information, verbal reports as well as handbooks and written guidelines come into consideration.
• Monitoring: Monitoring refers to assessing the procedure. The extent to which the ICS is enforced and functions is continuously or at least regularly checked.

All categories refer to all components. Everything should be carried out at every level of the company.

Another update to the framework from 2017 addresses new challenges posed by digitization.

The framework of the Information Systems Audit and Control Association is aimed at the IT department of a company. So, while COSO focuses primarily on accounting and business management, COBIT deals with the technological structures within a company. COBIT (in the fifth version) consists of five principles, seven categories and 37 processes within five domains.

The five principles of COBIT are basic assumptions:

• Meet all requirements: Stakeholders must have all their wishes fulfilled through the system. Part of this principle is therefore to first define the stakeholders.
• Map the whole company: To prevent information losses, every part of the company must be integrated into the ICS, including those which do not involve IT solutions.
• Integrate a single framework: For COBIT to work as effectively as possible, you should not use two frameworks side by side. Two systems not only increase the effort, they also lead to more errors.
• Take a holistic approach: COBIT 5 intervenes in all processes of a company and therefore makes it possible to jointly achieve corporate objectives.
• Separate monitoring and management: Management and monitoring must be clearly separated in a functioning internal control system so that incorrect decisions are not made by the executing individuals.

To be successful, you can track seven different enablers in COBIT 5 that are linked together.

• Principles, guidelines and framework values: The desired objectives are translated into practical implementations to enable daily work.
• Processes: This enabler comprises a set of practices that can be used to achieve the objectives set.
• Organizational structures: This enabler determines the grounds for assigning clear roles to employees.
• Culture, ethics and behavior: Behaviors are introduced for the entire company as well as each individual employee, that should improve the culture of the company in the long term.
• Information: In order for information to be correctly handled – both information originating from the company and that coming from outside the organization – this enabler provides information on quality, security and accessibility.
• Services, infrastructure and applications: This point determines which technologies and applications must be used so that IT is secure and always available.
• Employees, skills and competencies: The level of education and the qualities of each employee is important in order to make correct decisions and be able to take corrective action.

The 37 processes defined by COBIT in turn refer to specific use cases within a company. They provide indications of how certain groups of people are to behave in specific situations. COBIT again differentiates here between management and governance.

In the US, the Sarbanes Oaxley Act led to the mandatory establishment of internal control systems. Scandals surrounding large companies such as Enron and Worldcom, who had not released honest balance sheets, were the trigger. Many practices in internal control systems (including internationally) are derived from the US statutory requirements of the Sarbanes Oaxley Act. In the UK, for example, there are also regulations that require the effects and practices of such a system.

These regulations govern the strengthening of auditors' rights to information from directors and employees, the widened powers of the Financial Reporting Council to obtain information from auditors, and the new regime for regulating auditors. The Companies (Audit, Investigations and Community Enterprise) Act came into effect in 2004. It can also be seen from the various legal texts that the requirements partly depend on the legal form of the company.

In practice, an ICS is adapted to the circumstances and requirements of a company (or even an organization or authority). Therefore, no two internal control systems are the same. Here, the documentation often does not primarily guarantee safe and clear processes within a company. Corporate culture and internalized conduct are often more decisive. This requires clear signals from management to every single employee.

Other points, in turn, work better with accurate records. This can help ensure that supervisory bodies have the insight they need to monitor management (or other relevant areas of a business). This works in the form of reports that are created on a regular basis, but also due to the situation. Of course, detailed financial reporting is of particular importance to an internal control system.

ICS often represent a challenge for smaller companies. Successfully implementing this kind of a control system requires personnel to take control. However, as many different activities within smaller companies are often carried out by only one or maybe a few people, control is difficult. This issue can be intensified if, for example, there is only one person representing the management of the company. Employees would then have to oversee management, which proves difficult in practice.

A bottom-up approach can help, in which individual aspects are gradually integrated into the ICS, before a holistic system is introduced. The starting point can be, for example, accounting, for which every company has already established a reporting system. anyway. In addition to self-discipline, above all, proper documentation helps to establish a successful ICS within SMEs.

Business owners will also be familiar with other control systems that they may have already established within their operations or are considering doing so. These include, for example, the risk management system (RMS). You could assume that an RMS and an ICS would be identical, since both systems are concerned with the monitoring of a company and managing risks, but they relate to completely different procedures, even if overlaps exist.

Risk management revolves around complex corporate governance strategies and the dangers that can arise from related decisions. The internal control system focuses more on the actual work of employees and managing directors. Here, it is constantly checked whether everyone is complying with the guidelines - and these guidelines are also pursued by a RMS. First of all, this means that risk management systems and internal control systems go hand in hand, and secondly, that it makes sense to install both systems in parallel within a company.

Also a compliance management system (CMS) does not cover the same areas as the other two systems. A CMS should very specifically preventunlawful actionsor practices. These are clearly risks, but not the only ones. You can also conduct yourself in accordance with the law and still endanger the company through certain actions.

Internal Audit – another term that is regularly used in the context of monitoring a company - can, in turn, be seen as an ICS measure. This is an inferior category, whereas ICS, RMS and CMS operate equally on one level.

Click here for important legal disclaimers.