Internal Control System (ICS)

Our services in the area of Internal Control System incl. SOX comprise in particular:

• Analysis of your existing internal control system with regard to the various components such as control environment, organization, processes and controls
• Design and implementation of optimization measures in your internal control system and in relation to processes, individual controls or SOX controls or documentation requirements
• Review of the adequacy and effectiveness (monitoring) of your internal control system
• Setting up reporting to management and supervisory bodies
• Support in selecting software and assisting with the implementation of tools for documenting and testing the internal controls

We also support you in the area of control testing with additional resources and our expert know-how:

• Analysis/recording of existing controls in your structures, processes and systems
• Adequacy and effectiveness testing of your controls through testing activities
• Identification of control weaknesses, definition of mitigation measures and follow-up of effective implementation
• Reporting to the management and supervisory bodies on the adequacy and effectiveness of your controls and measures

Effective IT general controls (ITGC) are a fundamental prerequisite for all IT-based and all pure IT processes. Even though ITGC generally only indirectly influence the financial reporting, they occupy a central position and are becoming increasingly relevant for the audit of financial statements. They are responsible for the technically correct implementation and availability of the applications and (partially) automated controls relevant to the ICS. Conversely, this means that improperly functioning IT controls have a comprehensive impact on all related systems and thus also on the financial reporting based on them.

ITGC basically concern the areas of procurement, development, maintenance of systems, access protection and operations. ITGC can be found in the context of:

• Operating systems
• Applications
• Databases
• Networks

Our range of services includes the following areas:

• Analysis of the existing ITGC and derivation of any necessary adjustments
• Design and implementation of ITGCs in cooperation with your IT department and your IT service provider (keyword SOC reports or ISAE 3402 reports)
• Coordination of audit activities with the auditors and implementation of mitigation measures in the event of findings by the auditors
• Setting up monitoring concepts and reporting to ensure appropriateness and effectiveness

In organizations, segregation of duties (SoD) refers to the organizational separation of organizational units or positions or duties in the business process to avoid potential conflicts of interest. The 4-eyes-principle is probably the best-known principle of segregation of duties. It is intended to prevent important decisions from being made by or critical activities being performed by a single person. 

Your challenges when separating duties in the company

Our services in the area of segregation of duties are particularly relevant for you in the following situations:

• Lack of overview and/or documentation of existing structures, processes and systems with regard to appropriate segregation of duties
• Known violations of the principle of segregation of duties
• Identified or known deficiencies in authorization concepts

Support for the introduction of separation of duties

Our services in the area of segregation of duties include in particular:

• Analysis, recording and documentation of structures, processes and systems with relevance for the separation of duties
• Development, alignment and implementation of optimization potentials in the area of separation duties
• Analysis and documentation of the situation as well as the facts in cases of violations of the principle of segregation of duties that have become known and identification of the possible consequences and counter measures