The FISG, which came into force on 1 July 2021, for the first time legally requires adequate and effective internal control systems and risk management systems.

For the first time, the legislator explicitly requires adequate and effective internal control and risk management systems and gives the audit committee a direct right to information from the heads of ICS, RMS and internal audit. On this page, we show you which changes are to be expected and what you can do now.

With the Financial Market Integrity Strengthening Act (FISG), the German Federal Government is reacting to the Wirecard fraud scandal. The draft law, published on 26 October 2020, includes a large number of innovations aimed at strengthening confidence in the German financial market. In addition to optimising balance sheet control and further regulating the auditing of financial statements, the innovations also affect corporate governance of companies.

The three most important legal innovations at a glance

Number one

Section 91 III AktG (new):

Specification of the duty of care of the management board of listed companies with regard to the establishment of adequate and effective internal control systems (ICS) and risk management systems (RMS)

Number two

Section 107(4):

The duty of the supervisory board of a public interest entity to establish an audit committee

The audit committee's direct right to information from the head of ICS, the head of RMS and the head of internal audit

Number three

§ 331a (new):

The punishability of the incorrect "balance sheet oath" is transferred to an independent offence of incorrect assurance (increased range of punishment).

The new regulations of the FISG are to be seen in the overall context of a multitude of tightening requirements for corporate governance. Various regulatory developments aim at higher corporate governance requirements in Germany. Some examples are:

Association Sanctions Act (draft):

  • An appropriate response to criminal offences is to be ensured by means of severe sanctions and strong incentives for preventive measures (ICS, compliance, RMS) and internal investigations

Audit focus of the German Financial Reporting Enforcement Panel 2021:

  • Completeness and adequacy of reporting on material risks, including liquidity and default risks as well as financial risks from covenants

IDW PS 340:

  • Increased requirements for early risk detection systems of listed companies (including risk-bearing capacity, risk aggregation, risk control).

Although the above-mentioned amendments are primarily directed at listed companies and companies of public interest, they also redefine the standard of due diligence for capital market-oriented and other companies and legal forms.

So what is to be done?

From the perspective of board members:
  • Critical and objective assessment of ICS and RMS to ensure adequacy and effectiveness.
  • Special diligence on governance issues that may lead to inaccurate management reporting (e.g. ineffective ICS and RMS), as an incorrect balance sheet oath is now relevant under criminal law.
  • The explicit obligation to set up the system suggests a higher degree of formalisation, which is to be determined and designed individually for each company.
  • Explicit naming of the management functions RMS and ICS suggests a stronger organisational implementation (2nd line in the sense of the IIA's Three Lines Model).
  • There is no explicit mention of compliance in § 93a FISG, but a risk-oriented establishment of compliance management systems arises from the board's duty to monitor legality (irrespective of listing). An assessment of the situation seems advisable, especially against the background of increasing regulation.

From the perspective of supervisory boards:

  • Addressing the adequacy and effectiveness of risk management and internal control systems sufficiently, e.g. through external audits
  • The establishment of an appropriate and effective governance model for proper direct interaction between the supervisory board and the heads of ICS, RMS and audit (incl. immediate information to the executive board)