Proven safety
Internal control systems (ICS) are not only prescribed by law, but are also a useful management tool for companies. While certification systems such as ISO and EFQM provide a holistic view of the organization and processes, the statutory ICS focuses on the processes that have an impact on a company's financial statements.
The statutory ICS (Art. 728a Para. 1 No. 3 CO) combines all internal control measures that monitor and control the financial processes within an organisation. The aim is to identify and minimise errors and risks in the daily work. This contributes to the protection of the organization's assets and to reliable financial reporting. It is important not to use the ICS as a detached control task, but rather as an integral management tool.
Control processes consciously
The first step is to identify the business activities and key processes in an organization. Subsequently, an assessment is made as to whether there is a direct or indirect influence on the financial statements. Finally, an assessment is made as to whether this influence is material for the company and is included in the ICS consideration. Based on this assessment, the most important processes to be considered for the statutory ICS are identified. These are documented and reviewed for financial risks and existing control measures.
The primary aim of the ICS is not to define and implement as many control functions as possible in a process, but to consciously and systematically control the relevant internal company processes and to make them more secure by means of so-called key controls. These should be defined and implemented in the company. For the existence of the ICS, it is important that
- an ICS is in place and verifiable;
- the ICS is adapted to the business risks and the scope of business activities;
- employees know and understand the tasks in the ICS process;
- the controls are traceable;
- the responsible persons within the company are clearly identified;
- the control awareness is present in the company.
The law requires public companies and other economically significant companies to operate an ICS. The provisions on the ICS apply irrespective of the legal form of an entity to be audited if two of the following three criteria are exceeded in two consecutive financial years (Art. 727 para. 1 CO):
- Sales > CHF 40 million
- Balance sheet total > CHF 20 million
- Full-time positions > 250 annual average
During the regular annual audit, the auditor must confirm the existence of the ICS.
The appropriate system
For large, multinational companies, existing, internationally recognized frameworks such as the COSO framework are a good choice. The components and recommendations described in this framework represent a holistic system of ICS measures. COSO is widely used today, especially in the USA, where it is mandatory for listed companies. Swiss law does not prescribe a specific system. The principle is that the ICS must be adapted to the specific circumstances of the company, which is essentially free in how it designs the system. As a minimum requirement, those processes that lead to financial reporting must be examined.
Medium-sized enterprises (MU) often face a particular challenge. Oversized systems do not meet their needs. Specially tailored ICS models offer solutions adapted to the circumstances. The structure, documentation and maintenance of the system and control mechanisms should be as simple as possible. In addition to fulfilling the legal obligation, these models are also intended to ensure more efficient and secure financial processes, which help to avoid errors in business transactions.
Audit of the control system
The audit firm's review of the ICS covers the corporate, process and IT levels as well as the preparation of the annual financial statements and reporting. From the analysis of the risk assessment, the control environment and the general tools, the board of directors or the leading body derives the ICS basic concept. This does not require reinventing the wheel. Rather, existing documents, directives and guidelines are incorporated. These include signature and authority regulations, job descriptions, mission statements, etc. Processes with a significant influence on the annual financial statements are also explained in the basic concept and the ICS procedures and responsibilities are recorded. The auditors review this document.
Processes under the microscope
The audit at process level requires good knowledge of the business processes and business management know-how. The defined main processes, their documentation and the key controls are audited. This audit can be carried out by questioning, observation, review or by means of a so-called root sample, in which the process documentation and key controls are assessed. The close cooperation between auditor and client brings great added value. Experienced auditors critically scrutinize the operating processes and can be consulted for suggestions for improvement.
IT-supported business processes are also part of the ICS audit. For larger companies, an IT audit is indicated, in which specialists examine the IT-supported processes in detail. The content of the IT audit is the entire infrastructure, interfaces, the programs used and information about manual and automated processes. Organisational measures such as access authorisations and data protection functions are also the focus of the audit, as is the IT security concept.
Annual financial statements and reporting
The preparation of the annual financial statements harbours potential for error due to their complexity. For this reason, the individual steps in the preparation of the financial statements must be documented. The preparation and quality of the figures are of central importance. Particularly in group relationships, it must be ensured that the respective subsidiaries deliver financial statements that can be audited. Particularly in the case of those items in the annual financial statements that are based on a significant discretionary decision, the superordinate controls are essential.
Reporting to the Board of Directors is carried out by the person responsible for the ICS. However, the auditors are also obliged to submit a comprehensive report to the governing body on the findings made and to propose adjustments.
The effectiveness of the ICS does not need to be audited
In contrast to foreign requirements, the ICS in Switzerland does not have to be reviewed for its effectiveness or functionality. This is the compromise that the Swiss legislator has made. An effectiveness audit would have more far-reaching consequences, both for the company and for the auditor. The company would have to be able to demonstrate the effectiveness of the ICS, which would involve a certain amount of effort. However, this would allow the auditor to rely more on the systems by means of functional audits. Detailed audits in the annual financial statements could be reduced as a result. This approach is more efficient and effective, especially for companies with a high accounting volume. An effectiveness audit also gives the management body the certainty that important processes in the company are running securely and thus protects assets.