Internal Controls and the Shifting Wave of Focus

Looking at the focus areas of internal controls since 2000, it is clear how the tide has shifted back and forth in the priorities of corporations. In this article, Alyne's Regional Head of Sales, Claudia Howe, discusses the impact of poor internal control systems and the events that have shifted attention between operational internal control systems (ICS) and Internal Control over Financial Reporting (ICFR). How do organisations maintain the balance of well-performing ICS throughout all business practices? Additionally, the article looks at the new financial reporting law in Germany: Finanzmarktintegritätsstärkungsgesetz (FISG).

Poor internal control systems, whether financial or operational, have caused this wave to change direction in favour of one or the other whenever a new and significant event occurs. Events in the past decade have increased the attention on internal controls for operational processes such as logistics or manufacturing, whilst other significant events have brought the focus back to financial reporting. So, why do organisations struggle to maintain balance and equilibrium between ICFR and operational internal control systems? Why is a reliable ICS paired with good management not a habit in most organisations, but rather a reaction to the shift in focus? And what do I mean by all of that?

Well, let’s take a look at a brief and very simplified timeline of the events that shifted the wave of attention, with regard to the United States and Germany:

  • Pre-Enron Scandal (leading up to 2001): focus on operational ICS

Corporations were largely focussed on improving the effectiveness of internal processes and systems, such as logistics, manufacturing, procurement and other operational processes, and less so on highly governed financial reporting and management. That was, until the infamous Enron accounting scandal took place in the United States in 2001.

  • Enron Scandal (2001) places focus on financial reporting

The fraudulent accounting scheme of the energy giant in 2001 caused a tectonic shift, with regulators reassessing how financial reporting is governed, and to what extent, thus placing the focus squarely on financial reporting practices. An outcome of this was the implementation of the Sarbanes-Oxley Act (SOX), which became effective on July 30, 2002. SOX was implemented to ensure that publicly listed companies take comprehensive measures to enhance the accuracy of corporate disclosures that report on financial data. More specifically, SOX 404 requires companies to implement adequate Internal Control over Financial Reporting (ICFR) to ensure fair financial reporting practices have been put in place in accordance with Generally Accepted Accounting Principles (GAAP).

  • German car giant emissions scandal (2015) places focus on errors evident within operational ICS

So while regulators were focussed on assurance mechanisms for financial reporting, the ball was slowly dropping in other areas of internal control practices – those of a non-financial nature. Let us take an example in 2013, where the public was made aware of practices of a German car giant in modifying emissions tests for their cars to comply with required standards in the US. 

This scandal prompted a focus on ethics, better governance around operational systems and tone from the top in the context of target setting. As a consequence, the weight of the wave shifted course again. That was until recently, when the next big event occurred in Germany. 

  • Wirecard Scandal (2020) places focus back on financial reporting in Germany

Arguably one of the biggest corporate scandals in Germany in recent history, the German Fintech Wirecard had a series of accounting scandals which included inflated assets and incorrect reporting on the number of transactions it actually handled. This resulted in the insolvency of a company valued at €24bn when they joined the DAX 30 share index two years ago. The €1.9bn that was missing from its accounts led to political and public allegations around a lack of proper oversight from external auditors, financial regulators and the government.

The spotlight was now squarely back on Internal Control over Financial Reporting practices, as regulators and government designed new laws to counteract similar fraudulent behaviour.

New Financial Reporting Law in Germany: Finanzmarktintegritätsstärkungsgesetz (FISG)

While ICS is not new, much of the activity following the recent scandal can be linked to the emergence of a new German financial reporting regulation, called the Finanzmarktintegritätsstärkungsgesetz (FISG). The objective of FISG, scheduled to enter into force on July 1, 2021, is to strengthen the confidence of the financial market by reforming the financial statement control process for capital market companies.

At a glance, the requirements of the Finanzmarktintegritätsstärkungsgesetz (FISG), which include a chapter on increased liabilities, can be summarised into 3 core areas, with requirements such as:

Internal Perspective:

  • Mandatory and more formalised requirements to have both internal control and risk management systems introduced in a company (relevant for publicly listed companies).

Supervisory Board Perspective:

  • Mandatory for two financial experts to form part of a supervisory board.
  • An audit committee will have to be established in supervisory boards.

External Auditor Perspective: 

  • Dedicated communication channel between the external auditor and the supervisory board. 
  • It will be mandatory to rotate both the external auditing company, as well as the relevant partner within that auditing company.

Maintaining a robust ICS across business disciplines

As we have gone full circle and the focus is now thoroughly back on financial reporting, the question of why organisations struggle to maintain equilibrium between ICFR and non-financial internal control systems still remains. How do we create the balance of well performing internal control systems throughout all business practices, rather than it being a reaction to the shift in focus and hence continually neglecting one core aspect?

Although easier said than done, if your organisation’s ICS is robust and set up sustainably across all disciplines, then the wave of industry events, new laws and requirements should be far easier to avoid, resulting in more stable operations overall.


Written by Claudia Howe in collaboration with Bayley Benton.
