Building an efficient internal control system in the company

Part 1 of the blog post series: 5 steps in building an efficient ICS

The German Parliament passed the Financial Market Integrity Strengthening Act (FISG) in 2021, creating a clear requirement for all industries to "establish an adequate and effective internal control system and risk management system" (§91 (3) AktG), if they are a listed public company. Previously, the establishment of an internal control system (ICS) was only mandatory for regulated industries, such as banks and insurance companies. However, with the insolvency of Wirecard AG, it became clear that further, stricter requirements were needed.

This means that many companies are now legally obliged to establish an ICS that meets the specified requirements. This first part of the blog post series on the topic "Internal Control System" is intended to highlight some points on how you can make the ICS more efficient with the help of automated and data-based controls. In the second blog post, we will focus more on the use of data analytics to automate controls.

5 steps to an efficient ICS

The ICS should be set up in several steps. These are briefly described below:

5 steps in building an effective ICS

1. Determine the status quo

Before setting up a new control system, you should first determine what already exists in your company. Which controls already exist? Which ones are perhaps even carried out and evaluated on a regular basis? Who is responsible for setting up the system-based or manual checks, and who is responsible for carrying them out? Often, different departments have already set up controls that they manage on their own. In addition, other governance functions certainly already have corresponding instruments in place that could be useful for your ICS and integrated accordingly.

If you compile these controls in an overall list, you will probably find that there is already a quite comprehensive catalogue of controls, which, however, is still being handled in a rather uncoordinated manner.

2. Determine target state and identify gaps

There are already several ready-made standards for the ICS that you can use as a guide when setting up your own system. Examples are COSO and COBIT. A risk analysis can help you identify the vulnerable areas of your company. Based on this, you can then develop the control environment, i.e. compile a catalogue of appropriate and effective controls.

Subsequently, a comparison should be made between the target ("Which controls are necessary, based on the relevant standards and the risk analysis?") and the actual state ("Which of these already exist? Do these completely cover the respective requirement?") to identify which gaps exist. Regarding the use of data analytics, care should already be taken when creating the control catalogue to mark automatable controls as such. The goal must be that many control actions run as automatically as possible to use the available time efficiently, to minimise the manual work steps and to ensure comparability of the results.

3. Implementation of the controls

Together with the departments, the controls must now be established (i.e. designed, documented and delegated to the responsible unit), as well as planned and executed. It is important that

a) the automation potentials are used;
b) the documentation of the control implementation is done digitally and in a tool that allows collaborative work, to simplify the follow-up and to prevent a flood of Excel files that can no longer be processed;
c) the executing persons are involved as early as possible to create ownership and increase acceptance.

4. Develop a review concept for effectiveness

Merely implementing controls is not enough to set up an ICS. The effectiveness of the ICS must also be tested, on the one hand to comply with the regulations and on the other to ensure that the ICS remains meaningful. After all, only effective controls have a benefit for the company and provide the necessary assurance that the identified risks can be adequately countered.

Thus, the control design and effectiveness should be reviewed regularly, to prevent controls from running idle, to catch changes in business processes that require an adjustment, and to avoid effort that is basically of no use.

5. Integration as a success factor: The interaction with other governance and control functions

As part of the first of the three "lines of defence", however, the ICS should not be viewed in complete isolation. Overlaps between ICS, risk management, IT security and internal audit occur regularly. Therefore, it makes sense for these functions to exchange information on a regular basis. For example, the result of an audit by internal audit may mean that further controls should be introduced. Such an example was presented together with Hugo Boss during a webinar.

There are also clear overlaps with risk management, especially when an integrated system is followed, which makes absolute sense in the context of interdepartmental collaboration. As already mentioned, the risk-oriented approach is useful in the design of the ICS. Also, the general handling of risks is controlled by risk management anyway, and the decision is made there whether the potential risks are accepted or mitigated. When mitigating the risks, appropriate measures are then defined, which in turn can be checked via internal controls; the circle is closed.

Similar examples can be given for other governance functions, such as information security or business continuity. However, it is important to understand that cooperation between the functions should be aimed for, even if they act independently.

To be continued!

In the second part, we will look at how to automate the ICS using data analytics and give you some helpful tips on how to reduce the effort required for an efficient ICS.

Do you have further questions about this blog post or need help with your internal control system? We look forward to supporting you with any questions you may have on the topic of ICS and helping you set up or even expand an efficient and effective system. You are welcome to contact our consultant Philipp Kiencke, who specialises in this topic.

