Internal Controls and the Shifting Wave of Focus

Looking at the focus areas of internal controls since 2000, it is clear how the tide has shifted back and forth in the priorities of corporations. In this article, Alyne's Regional Head of Sales, Claudia Howe, discusses the impact of poor internal control systems and the events that have shifted attention between operational internal control systems (ICS) and Internal Control over Financial Reporting (ICFR). How do organisations maintain the balance of well-performing ICS throughout all business practices? Additionally, the article looks at the new financial reporting law in Germany: Finanzmarktintegritätsstärkungsgesetz (FISG).

Poor internal control systems, whether financial or operational, have caused this wave to change direction in favour of one or the other whenever a new and significant event occurs. Events in the past decade have increased attention on internal controls for operational processes such as logistics or manufacturing, whilst other significant events have brought the focus back to financial reporting. So, why do organisations struggle to maintain balance and equilibrium between ICFR and operational internal control systems? Why is a reliable ICS paired with good management not a habit in most organisations, but rather a reaction to the shift in focus? And what do I mean by all of that?

Well, let’s take a look at a brief and very simplified timeline of the events that shifted the wave of attention, with regard to the United States and Germany:

  • Pre-Enron Scandal (leading up to 2001): focus on operational ICS

Corporations were largely focussed on improving the effectiveness of internal processes and systems, such as logistics, manufacturing, procurement and other operational processes, and less so on highly governed financial reporting and management. That was, until the infamous Enron accounting scandal took place in the United States in 2001.

  • Enron Scandal (2001) places focus on financial reporting

The fraudulent accounting scheme of the energy giant in 2001 caused a tectonic shift, with regulators reassessing how financial reporting is governed, and to what extent, thus placing the focus squarely on financial reporting practices. An outcome of this was the Sarbanes-Oxley Act (SOX), which became effective on July 30, 2002. SOX was implemented to ensure that publicly listed companies take comprehensive measures to enhance the accuracy of corporate disclosures that report on financial data. More specifically, SOX 404 requires companies to implement adequate Internal Control over Financial Reporting (ICFR) to ensure fair financial reporting practices have been put in place in accordance with Generally Accepted Accounting Principles (GAAP).

  • German car giant emissions scandal (2015) places focus on errors evident within operational ICS

So while regulators were focussed on assurance mechanisms for financial reporting, the ball was slowly dropping in other areas of internal control practices – those of a non-financial nature. Let us take an example in 2013, where the public was made aware of practices of a German car giant in modifying emissions tests for their cars to comply with required standards in the US. 

This scandal prompted a focus on ethics, better governance around operational systems and tone from the top in the context of target setting. As a consequence, the weight of the wave shifted course again. That was until recently, when the next big event occurred in Germany. 

  • Wirecard Scandal (2020) places focus back on financial reporting in Germany

Arguably one of the biggest corporate scandals in Germany in recent history, the German Fintech Wirecard had a series of accounting scandals which included inflated assets and incorrect reporting on the number of transactions it actually handled. This resulted in the insolvency of a company valued at €24bn when they joined the DAX 30 share index two years ago. The €1.9bn that was missing from its accounts led to political and public allegations around a lack of proper oversight from external auditors, financial regulators and the government.

The spotlight was now squarely back on Internal Control over Financial Reporting practices, as regulators and government designed new laws to counteract similar fraudulent behaviour.

New Financial Reporting Law in Germany: Finanzmarktintegritätsstärkungsgesetz (FISG)

While ICS is not new, much of the activity following the recent scandal can be linked to the emergence of a new German financial reporting regulation, the Finanzmarktintegritätsstärkungsgesetz (FISG). The objective of FISG, scheduled to enter into force on July 1, 2021, is to strengthen confidence in the financial market by reforming the financial statement control process for capital market companies.

At a glance, the requirements of the Finanzmarktintegritätsstärkungsgesetz (FISG), which includes a chapter on increased liabilities, can be summarised into 3 core areas with requirements such as:

Internal Perspective:

  • Mandatory and more formalised requirements to have both internal control and risk management systems introduced in a company (relevant for publicly listed companies).

Supervisory Board Perspective:

  • Mandatory for two financial experts to form part of a supervisory board.
  • An audit committee will have to be established in supervisory boards.

External Auditor Perspective: 

  • Dedicated communication channel between the external auditor and the supervisory board. 
  • It will be mandatory to rotate both the external auditing company, as well as the relevant partner within that auditing company.
     

Maintaining a robust ICS across business disciplines

As we have gone full circle and the focus is now thoroughly back on financial reporting, the question of why organisations struggle to maintain equilibrium between ICFR and non-financial internal control systems still remains. How do we create a balance of well-performing internal control systems throughout all business practices, rather than reacting to each shift in focus and hence continually neglecting one core aspect?

Although easier said than done, if your organisation’s ICS is robust and set up sustainably across all disciplines, then the wave of industry events, new laws and requirements should be far easier to avoid, resulting in more stable operations overall.


Written by Claudia Howe in collaboration with Bayley Benton.
