By Martin Bartonitz

Compliance management is the responsibility of the executive board

With over 25,000 rules now in force for the correct management of a business alone, a clear, properly thought-out organizational framework for managing and complying with such rules is essential. Any company that is not already bound by law to implement compliance management and which wants to provide information on more than just external and internal company rules will generally install an ICS.

What is an Internal Control System?

An Internal Control System (ICS) or GRC (Governance Risk and Compliance) consists of systematically designed organizational measures and controls within a company, in order to comply with guidelines and to avert damage that could be caused by internal employees or malicious third parties.

Both the executive board of stock companies and the managers of large limited companies must have a risk management system in place, which must also be comprehensively documented (AktG (German Stock Corporation Act), KoTraG (German Law on Control and Transparency in the Corporate Sector), BilMoG (German Act to Modernize Accounting Law)). The absence of documentation is a major infringement of the law that generally leads to the dismissal of the executive board.

The structure of the ICS according to Prof. Thomas Berndt ACA-HSG – Source:

Tasks of the Internal Control System

In a report, the monitoring body must state how and to what extent it has audited the company’s executive board during the fiscal year. This concerns e.g. the number of meetings, information on the frequency of the audits, and the subject of the audit and methods used. In the event of economic difficulties, the monitoring organ must also report whether and with what success it has intensified its monitoring activity. This applies in particular to unusual audit measures such as requested reports, access to ledgers and documents, the commissioning of experts, and decisions on reserve approvals.

Basic Features of an ICS


Target concepts must be established for processes. These target concepts then form the basis for external parties to assess the extent to which those involved work in compliance with this target concept. The target concepts also define the expectations of the heads of the organization.

Dual Control Principle

In a good control system, no major activity or transaction takes place without being checked or counter-checked.

Separation of Functions

Certain activities within a company process, e.g. the purchase process understood as a process running from demand calculation right through to outgoing payment – must be performed by different persons. Here a distinction is made between execution (e.g. the making of purchases), recording (e.g. financial accounting, stock accounting), and administration (e.g. warehouse management).

Minimum Information

Employees have only the information available to them that they require for their work. This includes the relevant back-up measures for IT systems.

The objectives ensure the survival of a company for ALL stakeholders, whether it be the correct functioning and efficiency of business processes including IT, the reliability of company information, asset security, or rule compliance with regard to legislation in order to safeguard reputations.

The ECM Comes into Play

Following clarification of who must do what, by when, and who makes (counter) checks, the next stage is technical implementation of documentation and checks. The simplest option for this is an Excel table (Example). The other extreme is a professional but very expensive GRC system. If ECM software is already in use, the following elegant compromise exists: Those involved in the ICS can enjoy technical support for their audit tasks by means of a simple application consisting of three components:

  1. Task catalog:
    All tasks to be regularly carried out are entered in the task catalog with definition of the persons responsible, the frequency (e.g. every Monday), and a Word protocol template. The latter contains information on what is to be done and an area in which the results are logged.
  2. Active tasks (workflow):
    If one of the deadlines defined in the task catalog is reached, an active task arrives in the inbox of the responsible person. This person can now find out what needs to be audited and, after completing their task, write the protocol or add other documents and confirm that the task has been performed. If a dual-control process is in place, the second person also receives a task and acts accordingly.
  3. Audit trail:
    The final, confirmed tasks are archived in the audit trail and retained for further analyses, improvements, and audits, if necessary by third parties, e.g. for IT compliance in accordance with SAS 70 II for insurance companies who also wish to do business in the USA.

Internal Control System – Summary

As is very evident, the focus of all efforts of an internal control system is on the analysis of what aspects in particular need to be audited based on what legislation and risks, and the organization of these audits. On a technical level, the amount of work involved here is usually minimal. In the end, a good Internal Control System helps secure an organization’s survival.


» More on the Topic
Read our Practical Guide “Ensuring Legal Compliance” – In Control with ECM Compliance Management.