An internal control system (ICS) includes all forms of monitoring measures immanent in the processes and organization of a business. The purpose of it is to secure the company’s capital and to prevent losses. In addition, the ICS is supposed to ensure the accuracy and reliability of the company’s reports and accounts and secondly, support the compliance to company-intern guidelines.
Swiss legal Framework
According to this aim, the Swiss legislature made some legal changes which have made it mandatory for businesses to conform to these demands since 2008.
OR Art. 663b Ziffer 12, Art. 728a, Art. 728b
Risk management is the overall concept which sets the framework for the corporate governing of risks and chances, as well as the internal control system. Therefore, it is not only a legal obligation, it also includes future-oriented activities that guarantee a lasting company development and security of existence.
Risk assessment according to OR Art. 663b, Ziffer 12
Swiss companies (corporations, LLCs, cooperatives and foundations), which are subject to a proper, respectively limited revision, have to, since 2008, do reports about the performance of a risk assessment, in attachment to their annual financial statement (Art. 663b Ziffer 12. OR). This attachment as well as the risk assessment has to be inspected by the auditors. The focus lies on risks that can have a substantial influence on the assessment of the annual financial statement.
Internal Control System according to OR Art. 728a, Art. 728b
Further, the new terms of the Swiss Code of Obligations requires businesses, for which a revision is mandatory, to have auditors prove the existence of an effective internal control system. The results of the revision have to be extensively reported to the administrative board.
The benefit of risk management comes into being on a strategic level, with transparent risks and efficient governing mechanisms. On an operational level, risk management supports the realization of strategies and the coping with the resulting operational risks. The goal is to protect business and production processes from failures, and to at the same time reduce damages. It is necessary to be able to easily create the risk assessment which is attached to the business report. What is more, there should be a balance between the security interests of the company and the information interests of the recipients.
Internal Control System
The internal control system should be derived from the risks and should be incorporated into the respective processes. The balance between as much control as necessary and as little as possible is the challenge. The ICS is not a controlling device, but part of the operational processes. In addition to the process-intern ICS activities, a company can also employ process-independent controls. This function is usually performed by the internal audit. The advantages of an internal audit, in contrast to an external audit, are that it is closer to the material and has a deeper understanding of the controlled areas. That way, costs for an external audit can be saved.
Risk Management and Internal Control System
Risk management and ICS can mutually influence each other in a positive way. Risk management as a super-ordinate function captures the company’s exposure to risk and sets the targets for the internal control system’s activities. The internal control system monitors the handling of the risks and thereby generates proof that business risks are dealt with efficiently. That way, risks can be identified early, or even before they come into existence.
The activities of risk management as well as the internal control system should be supported by suitable software tools. The selection and implementation of a suitable tool is a demanding task. The criteria are ideally derived from the previously developed concept.
- How well is your ICS developed?
- Who is controlling your control > Internal Audit
- Coaching / Training: control has to be learned