There are various reasons to opt for an audit of the internal control system. In addition to the supervisory duty within the scope of supervisory board activities, the audit of the ICS may be necessary for various regulatory or business reasons or may be of interest to your company for efficiency reasons.

As distinct from the assessment of the ICS in the context of the audit of the financial statements, our ICS experts are at your disposal with different ICS audit approaches. 

1. Audit of the effectiveness of the internal control system according to IDW PS 982

The internal control system has been part of the corporate governance system subject to the monitoring duty of an audit committee or supervisory board at the latest since the BilMoG came into force. In addition to the accounting process, the supervisory body's monitoring duties (§ 107 para. 3 AktG) focus on the effectiveness of the ICS, the risk management system (RMS) and the internal audit system (IRS).

The ICS audit according to IDW PS 982 is a voluntary business management system audit. The objective of the audit is to obtain sufficient certainty about a defined scope of the ICS as an independent audit subject and to issue an overall opinion on it. In this respect, this procedure goes beyond the audit of selected parts of the accounting-related ICS within the scope of the audit of the financial statements in accordance with IDW PS 261, as amended. For audits of financial statements beginning on or after 15 December 2020, reference is made to the new IDW PS 475, which requires reporting of material deficiencies in the ICS in the audit report.

The audit according to IDW PS 982 covers all basic elements of the ICS and, depending on the type, scope and objective of the corporate reporting, extends to the underlying core business processes with their management and control measures. The contents of the reporting (e.g. balance sheet, profit and loss account or management report) are not the subject of this system audit. Rather, the subject of the audit is the company's statements about the ICS and its design contained in the ICS description. The description must include certain minimum contents and should present the ICS in such a way that its basic structure is comprehensible to an expert third party in a relatively short time.

Within the scope of the audit, a distinction must be made between a certification of adequacy and a certification of effectiveness.

  • Adequacy: Assessment of the regulations of the ICS presented in the description as well as their implementation at a certain point in time.
  • Effectiveness: Evaluation of the regulations of the ICS presented in the description and their implementation as well as their adequate application in a certain period of time.

2. Further reviews of the internal control system

For a Shared Service Centre (SSC), the internal control system certificate may be necessary because the SSC is a legally separate company that independently performs one or more operational functions (accounting, IT operations, distribution logistics, etc.) of an outsourcing company on its behalf. However, the responsibility for the outsourced functions remains in principle with the outsourcing company and its legal representatives. With the outsourcing of the functions, the internal control system (ICS) of the SSC becomes important for the assessment of whether risks for the (accounting-related) corporate activities of the outsourcing company can arise from the design of the controls.

Our ICS experts can assist you in an audit according to ISAE 3402 or IDW PS 951 or SSAE 18 to examine the (accounting-related) internal control system (ICS) of the service company for adequacy and effectiveness and to issue an attestation on the result.

The auditing standard SSAE 18 of the Auditing Standards Board (ASB) applies here in particular to US companies. The standard defines reporting requirements and quality for service organisation control (SOC) reports. All audit reports that can be issued under the standard (SOC1, SOC2, SOC3) are possible as Type 1 or Type 2.

Special feature: The requirements catalogue C5 of the Federal Office for Information Security (BSI) can be checked by an audit analogous to ISAE 3000 at the cloud provider, resulting in a so-called SOC2 report on the adequacy and effectiveness of the controls.

Our ICS experts are happy to answer any questions you may have on current developments and topics related to ICS assurance. We support you in keeping pace with the regulatory requirements for the internal control system and in ensuring continuous security in your business processes through the extended audit of the internal controls in your company.
