The Internal Control
The internal control consists of the necessary processes to detect risks that are potentially harmful to an organization and to avoid them by adhering to a compelling framework. Embedding the internal control in an organization is fundamental for compliance with internationally applicable regulations (e.g. COSO framework) or national procedures (e.g. MaRisk in Germany).
Companies from all over the world trust us
How does an internal control system add value?
The controls in an internal control system help organizations to keep performance or a state of affairs within a range that is expected, allowed or accepted. Controls which are created within a process are internal in nature and based on a combination of components – ranging from the social environment affecting employee behavior to regulations, methods and other essential information. The internal control structure outlines which of these various components are included in the controls. This plan is an important assurance for the company's efforts to maintain an overview of compliance within policies, processes and authorization limits.
Internal controls can also extend to intercompany controls in financial reporting, IT controls, compliance controls, and export controls and customs (ECC). Since these areas are very different in nature, the monitoring must be individually configured to fit the specific purpose. The approach for each of these disciplines, however, is the same:
- Identify risks: Discover potential errors in the business process.
- Choose suitable controls: Define monitoring mechanisms to avoid risks.
- Anchor controls in the process: Inform about the process and controls through active communication.
- Document actions: Collect audit-proof evidence of the actual execution and documentation of controls.
- Validate controls: Check and secure that controls are upheld.
Check effectiveness: Test the design and operational effectiveness on a regular basis.
The internal control cycle
The internal control cycle describes the six stages which are used by the internal control of an organization in order to review the measures of governance, risk management and compliance. Furthermore, it is the basis to initiate improvement measures. The tasks, competencies and responsibilities for the process participants are transparently defined for each individual stage. The first stage of the internal control is the (1) scoring, where the processes of an organization are identified and delimited. The objective of the scoring is to qualitatively and quantitatively evaluate processes based on their possible effects and to set review rhythms. This is followed by the (2) risk-control-identification, where a risk control matrix is established to make sure all process risks are covered with key controls. With the (3) control-design-assessment, the internal control examines the adequacy of the key controls, i.e. whether a defined control is suitable for reducing or averting the corresponding process risk. During the (4) testing stage, the internal control determines whether a control is feasible, reasonable and effective according to the pre-defined specifications. The (5) measures for optimization can be derived from previous steps. Both the effectiveness and adequacy of controls are critically reviewed and optimization requirements are defined so that controls can withstand future examination. With the (6) re-testing previous tests are repeated to ensure improved effectiveness and adequacy. Since the processes of an organization are subject to constant change, an effective internal control must regularly re-start with the scoring and run through the whole cycle again.
COSO framework - the standard for internal controls
The COSO Framework (Commitee of Sponsoring Organizations of the Treadway Commission) forms the basis for internal controls in organizations. This internationally recognized framework describes the governance of financial reporting. Compliance with the COSO guidelines, verifying the effectiveness of a company‘s financial reporting, is required by law in many countries around the world (e.g. SOX in the United States). The current "Enterprise Risk Management" framework contains the following elements: Governance & Culture, Strategy & Objectives, Performance, Control & Revision and Information, Communication & Reporting.
A secure basis for the internal revision
Audits and control measures of the internal revision aim at a continual improvement of business processes, making them more transparent as well as defining preventing actions against malicious acts. With the internal control as a basis, the internal revision organizes its workflows in accordance with the relevant guidelines (e.g. MaRisk in Germany) and organizational requirements. This way, the internal revision gains an overview of critical business areas as well as infrastructures and can consistently pass through the compliant and targeted controls.
What should be considered in an internal control system?
As part of the implementation, relevant challenges should be considered at an early stage in order to ensure success:
- Finding the right balance between globally binding rules
- Achieving a comparable level of control through process improvements for smaller legal entities with too many and too complex requirements.
- Assigning and allocating sufficient resources across the organization.
- Respecting the segregation of duties in smaller organizations where only one employee is responsible for completing multiple tasks in a critical process.
- Meeting managements' expectations while keeping the involvement of the 1st line at a reasonable level.
- Ensuring that their framework is consistently applied in all affiliated entities regardless of their size and unique culture.
- Developing the maturity level of internal controls without losing the 1st line or management.
- Establishing ICS as a business enabler rather than a necessary burden.
What are the advantages of an internal control system software?
Our ICS software enables the development of a future-proof, efficient management system. You find all information on all controls in one system (i.e. single point of truth).
- Eliminate potential problems with controls by managing their weak spots centrally and monitoring their progress.
- Integrate all control owners efficiently in a workflow-driven process.
- Define generic, central control objectives (i.e. key controls) and adapt them locally (e.g. through modifications or more detail).
- Map company-level controls through questionnaires that can be individually modified by business users and sent ad hoc with different inquiries at any time to the various business classes.
- Combine various assessment approaches across different companies or business units.
- Manage and distribute year-end controls automatically when the testing phase begins.
- Submit controls with resolved issues for immediate retesting.
Which ICS software is right for me?
Whether you prefer a custom design or pre-built solution, GBTEC offers the right software for your needs.
See for yourself and discover our BIC GRC Solutions for professional internal control.
BIC Custom GRC
BIC Custom GRC offers customizable, flexible custom solutions that can be tailored to the client’s unique processes.
BIC Internal Control
BIC Internal Control is our intuitive, fast-to-implement standardized solution that fulfills leading standards.
GBTEC Software AG
Gesundheitscampus-Süd 23
44801 Bochum
Germany
Further Information
Career
Webinars & Events
Videos
Podcast
Newsletter