The Internal Control System (hereinafter also referred to as ICS) of a company consists of systematically designed technical and organizational rules, measures and processes for monitoring and steering the essential process controls in the company. The internal control system serves to ensure compliance with guidelines and to avert damage that may be caused by the company's own personnel or by malicious third parties.
The necessity for implementing and maintaining an ICS results from various legal requirements, e.g. from the German Stock Corporation Act or the German Commercial Code. How an ICS is to be designed is derived from the existing IDW auditing standards, such as IDW PS 982 and IDW PS 951. Control models such as COSO or COBIT are often used as the basis for an ICS.
In financial reporting, and in particular in management reporting, numerous standards refer to internal control systems. These can vary from country to country. The best known are the requirements of the Sarbanes-Oxley Act (SOX). Different regulations apply depending on the country:
- USA: SEC regulations
- Germany: IDW Auditing Standards
- Switzerland: including provisions of stock corporation law
The components of IDW PS 982 form the basis for a holistic internal control system:
Our services in the area of the Internal Control System are particularly relevant for you in the following situations:
- Start-up of a company or spin-off of a company and the fundamental need to establish an internal control system
- Rapid company growth and thus also increasing risk that controls are neglected due to the dynamics
- Internal requirements for an appropriate ICS, e.g. deficits in reporting, fraud cases, etc.
- Increasing pressure from stakeholders to establish adequate internal control systems
- Change of legal form, e.g. to an AG, or of shareholder structure (entry of private equity investors, IPO)
- Listing in the U.S. or purchase of your company by an SEC-listed company in the U.S.
- Lack of overview of controls in the area of ICS, SOX and compliance and of their adequacy and effectiveness
- Known deficiencies in the efficiency and effectiveness of implemented controls or measures
- Introduction of an ICS or a compliance management system and the need to monitor and ensure the functionality of the controls at all times
- Lack of segregation of duties to avoid conflicts of interest
- Updating the existing ICS documentation
Our services in the area of the Internal Control System incl. SOX include in particular:
- Analysis of your existing internal control system with regard to the various components such as control environment, organization, processes and controls, on the basis of recognized evaluation systems
- Design and implementation of optimization measures in your internal control system and in relation to individual controls or SOX controls
- Review of the adequacy and effectiveness (monitoring) of your internal control system and in particular also of the (SOX) controls (SOX testing)
- Setting up reporting to management and supervisory bodies
- Software selection and support for the implementation of tools for documentation and testing of controls in your ICS and/or SOX
We also support you in the area of Control Testing with additional resources and our expert know-how:
- Analysis/recording of existing controls in your structures, processes and systems
- Adequacy and effectiveness tests of your controls, either as part of the legally required self-assessments of your internal control system (e.g. SOX testing) or in the course of certification projects such as ISAE 3402, Type I or Type II, as well as on the basis of IDW PS 951
- Identification of control weaknesses, definition of mitigation measures and follow-up of their effective implementation
- Reporting to the supervisory bodies on the adequacy and effectiveness of your controls and measures
- Software selection and support for the implementation of tools for documentation and testing of controls in your ICS, SOX or Compliance Management System
Effective IT general controls (ITGC) are a fundamental prerequisite for all IT-based and all purely IT processes. Even though ITGC generally influence financial reporting only indirectly, they occupy a central position: they are responsible for the technically correct implementation and availability of the applications and (partially) automated controls relevant to the ICS. Conversely, this means that improperly functioning IT controls have a comprehensive impact on all related systems and thus also on the financial reporting based on them.
ITGC essentially concern the areas of procurement, development, maintenance of systems, access protection and operations. ITGC can be found in the context of:
- User authorization concepts
- User authorization management
- Segregation of incompatible functions
- Access protection procedures
- Program change management procedures
- Procedures within the framework of operational IT processes
Our services in the area of IT General Controls include in particular:
- Design and implementation of ITGCs in cooperation with your IT department and your IT service provider (keyword: SOC reports or ISAE 3402 reports)
- Analysis of your existing IT general controls with regard to the various components, e.g. control environment, organization, processes and controls, on the basis of recognized assessment systems
- Design and implementation of optimization measures in relation to ITGC
- Review of the adequacy and effectiveness (monitoring) of the existing ITGC
In functional organization, segregation of duties (SoD) refers to the organizational separation of organizational units or positions in the business process in order to avoid potential conflicts of interest. The principle of dual control (the "four-eyes principle") is probably the best-known principle of segregation of duties. It is intended to prevent important decisions from being made by a single person, or critical activities from being performed by a single person alone. Further functional separations exist between front office and back office at credit institutions, or between data entry and data release in IT systems such as SAP.
Particularly for credit institutions and capital management companies, segregation of duties is required by law. At credit institutions, the front office and back office functions must be separated (Section 25a (1) of the German Banking Act (KWG) in accordance with BTO 1.1 (1) MaRisk). Pursuant to Section 29 (1) KAGB, capital management companies must also establish and maintain a permanent risk controlling function that is hierarchically and functionally independent of the operating divisions.
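The two controls described above (segregation of incompatible functions in the user authorization concept, and dual control between data entry and data release) can be checked mechanically against the role assignments and transaction records exported from an ERP system. The following is an added example, not code from the original page or from WTS Advisory; the conflict matrix, role definitions, user assignments and transactions are constructed sample data.

```python
"""SoD and dual-control check over a (constructed) authorization concept."""

# Incompatible function pairs: a hypothetical SoD rule set, modelled on the
# page's examples (data entry vs. data release, front office vs. back office).
SOD_CONFLICTS = {
    frozenset({"data_entry", "data_release"}),
    frozenset({"front_office", "back_office"}),
    frozenset({"vendor_master_maintenance", "payment_release"}),
}

# Role -> business functions the role grants (constructed sample roles).
ROLE_FUNCTIONS = {
    "AP_CLERK": {"data_entry", "vendor_master_maintenance"},
    "AP_APPROVER": {"data_release", "payment_release"},
    "TRADER": {"front_office"},
    "SETTLEMENT": {"back_office"},
}

# User -> assigned roles (constructed sample export from an ERP system).
USER_ROLES = {
    "alice": ["AP_CLERK"],
    "bob": ["AP_CLERK", "AP_APPROVER"],      # accumulates entry + release
    "carol": ["TRADER", "SETTLEMENT"],       # front and back office
}

# Constructed transaction log: who entered and who released each posting.
TRANSACTIONS = [
    {"id": "T1", "entered_by": "alice", "released_by": "dave"},
    {"id": "T2", "entered_by": "bob", "released_by": "bob"},  # four-eyes breach
]


def effective_functions(roles, role_functions=ROLE_FUNCTIONS):
    """Union of all functions granted by a user's roles (unknown roles grant nothing)."""
    funcs = set()
    for role in roles:
        funcs |= role_functions.get(role, set())
    return funcs


def find_sod_violations(user_roles, conflicts=SOD_CONFLICTS, role_functions=ROLE_FUNCTIONS):
    """Map each user holding an incompatible function pair to the sorted list of pairs."""
    violations = {}
    for user, roles in user_roles.items():
        funcs = effective_functions(roles, role_functions)
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= funcs]
        if hits:
            violations[user] = sorted(hits)
    return violations


def dual_control_breaches(transactions):
    """IDs of transactions entered and released by the same person."""
    return [t["id"] for t in transactions if t["entered_by"] == t["released_by"]]
```

Running `find_sod_violations(USER_ROLES)` flags bob and carol, and `dual_control_breaches(TRANSACTIONS)` flags T2; a clean result on real exports is the evidence a SoD control test would record.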
Our services in the area of segregation of duties are particularly relevant for you in the following situations:
Our services in the area of segregation of duties include in particular:
If you are interested and have any questions, please do not hesitate to contact us.
Do you have any questions about our services or WTS Advisory? We look forward to your message or your call!