Companies are putting in place internal control systems (ICS) that comprise measures and controls to ensure the accuracy of their financial reporting. As part of their audit of the financial statements of large companies and public companies, auditors verify the existence of an ICS for financial reporting, but not whether this ICS functioned throughout the year.
Take-Outs
- To achieve their objectives, companies define responsibilities, measures and controls, which are collectively referred to as an internal control system (ICS).
- In particular, the ICS should also ensure the accuracy of financial reporting.
- Auditors therefore consider the ICS in their audit of annual financial statements. However, the requirement to provide a separate audit opinion on the existence of an ICS only applies in the case of large companies and public companies.
- The audit of the existence of an ICS involves delivering an opinion as to whether an ICS for the company’s financial reporting has been established and is generally adequate in terms of ensuring the accuracy of financial reporting. Whether the ICS actually functioned throughout the year is not audited.
What is an internal control system and why is it important?
Companies aim to achieve certain strategic and operational targets. Responsibilities, measures and controls are defined in order to monitor attainment of these targets.
These measures are collectively referred to as an internal control system (ICS).
Customary ICS targets include:
- ensuring the effectiveness and efficiency of business processes;
- adherence to legal requirements and the company’s own rules;
- ensuring accurate financial reporting.
Legal requirements and responsibilities relating to the ICS
The implementation and structure of the ICS is the responsibility of the company’s management, which for corporations means the board of directors and senior management.
The law clearly states that the board of directors is responsible for the company’s overall management and issuing the necessary directives. The board of directors determines the concept, scope and level of complexity of the internal control system. It is then the responsibility of the senior management to implement these guidelines in the day-to-day business activities.
In the case of large companies and public companies, the statutory auditor is required to verify the existence of an ICS in addition to the task of auditing the annual financial statements.
This audit requirement relates only to the ICS for financial reporting. This means that the statutory auditor must determine whether the company has measures and controls in place to ensure that the annual and group financial statements comply with the applicable financial reporting requirements. The statutory auditor must also assess whether these measures and controls are generally suitable and have been implemented. However, the statutory auditor is not required to assess whether these measures and controls were effective throughout the entire year – i.e. were continuously observed and complied with.
Responsibilities relating to the ICS
The board of directors determines the concept, scope and level of complexity of the internal control system (ICS). It is then the responsibility of the senior management to implement these guidelines in the day-to-day business activities. Once a year, the statutory auditor then confirms the existence of the ICS that has been defined by the board of directors and implemented by senior management.
Other important considerations
An internal control system is essential to ensuring orderly accounting and sound, legally-compliant financial reporting. A defective ICS increases the risk of accounting errors and, consequently, the audit risk for auditors of financial statements.
Although there is no explicit legal requirement, it is in companies’ best interests to maintain an appropriate ICS. However, the current statutory audit of the existence of an ICS covers only part of this and does not answer the question of whether the ICS is consistently effective. Even if the auditor of the financial statements assesses whether the company-specific ICS is appropriate to the company’s size, complexity and risk profile as part of the audit of the existence of an ICS, this does not change the fact that an isolated statement on the existence of an ICS is less relevant than a comprehensive opinion on whether an ICS exists and is consistently effective. Nevertheless, lawmakers have been unable to bring themselves to enforce a more extensive ICS audit. In spite of this, many companies also choose to have the effectiveness of their ICS audited in their own interest.