Internal Control System (ICS) in Public Limited Companies

Since the revision of the Code of Obligations, corporations have the obligation to create, implement, and use an internal control system (ICS). It is a risk management control instrument. The existence of the ICS is audited by the audit office.

Why is an internal control system needed?

The internal control system (ICS) is a management tool in companies, which is intended to ensure the proper execution of business transactions and their economic efficiency, thus contributing to efficient risk management. At its core, it is about preventing or at least identifying errors in the work process through standardized controls. Through the management using ICS, business processes can be handled efficiently and reliably.

What belongs in an internal control system?

The ICS primarily pursues three objectives: ensuring effectiveness and efficiency, reliability of reporting, and compliance with laws. For these objectives to be achieved, an ICS must be traceable, effective, and efficient. The specific ICS must be adapted to the specific circumstances of a company. However, a reference point is provided by the COSO Framework, which serves as a basic pattern for the design of ICS. It stipulates that the first step must define what is controlled (control environment). Subsequently, the specific risks in the company must be identified and assessed (risk assessment) and appropriate measures implemented to address these risks (control activities). These control measures and risk processes need to be communicated (information and communication) as well as continuously monitored and improved (monitoring).

What does the audit office check?

According to Art. 728a OR, the audit office checks in corporations subject to ordinary auditing whether an ICS exists. Existence is generally affirmed if an ICS is present and verifiable (documented), if the ICS is adapted to the business risks and activity of the company, if the ICS is known to the employees, and if the defined ICS is actually applied, meaning a control consciousness exists in the company. The audit office checks the existence through a comprehensive analysis of the ICS and so-called compliance tests (random samples). Here, the audit office only examines the above existence criteria, but does not conduct a detailed operative effectiveness audit.

Findea helps you keep your taxes simple and uncomplicated.