Read the book Successful Compliance - Barbara Neiger - Page 20

1.4.2 Internal control system (ICS)

An ICS is defined as all principles, methods and measures introduced and agreed within an organisation that are used to secure the assets and the regularity, accuracy and reliability of internal and external reporting, as well as compliance with prescribed business policies.[46] In order to ensure the effectiveness and profitability of business, an ICS should cover all key business processes.

The term ICS goes back to a study published in 1992 by the Committee of Sponsoring Organisations of the Treadway Commission (COSO)[47]. The ‘internal control system’ described in this study helped to define corporate governance terms more precisely and back them with specific measures. In order to properly classify this approach, one must take into consideration the fact that the word ‘control’ denotes not only controls in the sense of checks, but also measures that have been put in place to achieve certain results. It is therefore advisable to consider an ICS as a whole made up of two parts: an internal steering system and an internal monitoring system.[48]

COSO defines three objectives of an ICS: (i) the effectiveness and efficiency of business processes (operations), (ii) the reliability of financial reporting and (iii) compliance with valid laws and regulations. The term ‘internal control’ is defined as the sum of all institutions that are required to ensure the achievement of these three categories of objectives (first dimension). Institutions are divided into five components: control environment, risk assessment, control activities (in the sense of management), information and communication, and monitoring (second dimension). The three categories of objectives and all five components are applied both at the corporate level and to all areas and/or activities of an organisation (third dimension). A graphic representation of the three dimensions is given in Figure 1. The components of the second dimension are explained in more detail below.[49]


FIGURE 1

COSO INTERNAL CONTROL – INTEGRATED FRAMEWORK[50]

Control environment – the control environment encompasses the basis of the organisation as expressed in the influences and values that govern behaviour, the structures that allocate and reflect responsibilities and the processes that govern the coordination of tasks. All these parameters must be designed so as to support the achievement of strategic objectives. The willingness to take risks as an element of the internal environment is expressed through both quantitative and qualitative objectives and restrictions and subsequently acts as a measurement parameter for acceptable risk in risk assessment.

Risk assessment – identified risks are evaluated by determining the probability of their occurrence and the potential extent of damage caused. Control measures are taken to address residual risks following the application of risk transfer measures (e.g. insurance).

Control measures – regulations, guidelines and procedures (such as separation of duties, spot checks, etc.) are implemented to ensure proper business operation, proper accounting and observance of rules (compliance) that are relevant to the organisation.

Information and communication – knowledge of all essential process steps allows employees to carry out their responsibilities and to contribute to the efficient management of operations, proper accounting and compliance with all (statutory) requirements.

Monitoring – all measures taken must be monitored regularly and, if necessary, improved. The functioning and adequacy of the ICS must be audited by an independent body.
