
1. Introduction

In a constantly changing and unpredictable business environment, which is influenced by complex global economic interrelationships, the challenge for enterprises is to ensure the efficient and secure continuation of their core processes. A central element in this is the control and supervision of these processes, so that the company can react quickly to changing circumstances. The implementation of an internal control system can therefore be a massive advantage. Many sources in the literature explain the structure and use of an internal control system in practice, and consulting companies have already specialized in this field.

Especially in the finance sector, the existence of an internal control system is of great importance to save companies from financial risks and preserve their competitiveness. The Finance department of a company serves almost every operational process as the last responsible authority and is therefore reliant on the dependability of the transmitted data and information.

Many companies still do not know how to implement an effective internal control system or are not willing to implement such a system. The system often has negative connotations because of its name. Who likes to be controlled? Who likes to deal with control and sees it as a useful and valuable tool? In addition, ICS is associated with a strongly audit-driven topic that primarily represents a regulatory requirement (Hübner, 2009). However, this way of thinking should be strongly discouraged, as these initial misjudgments, which are mainly caused by ignorance, are offset by the numerous advantages of an ICS. It helps companies to achieve their development and profitability targets and avoid a loss of resources. It supports the creation of reliable financial reporting and compliance with laws and regulations to avoid reputational damage and other consequences. To summarize, the ICS helps a company achieve its goals by identifying and avoiding unexpected hurdles and surprises along the way (Bungartz & Strobl, 2012). Therefore, in this study, a new model for an internal control system is created, which can be used for finance processes in general. A case study of a company operating in the chemical industry is used for primary research.

The motivation and general objective of this study is to develop a working and usable model for an internal control system for financial accounting and Controlling. Several models and several definitions of what an ICS should be already exist. The body of research has grown considerably over the years, but the model designed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is used particularly often. The model was first published in 1992 and has been updated over the years. Looking at the published literature, one can also see that the implementation of an ICS within the separate departments of a company (HR, Sales, etc.) in particular has been discussed very extensively. Many best practices exist, as well as checklists and defined requirements.

Another topic that is looked at closely in this study is the implementation of risk management. Going along with this is an appropriate monitoring strategy and a well-thought-out review protocol, which must also be established. Several pieces of literature on this subject can also be found. It can be stated that there is already a regulated DIN standard for risk management, which provides specifications for its structure (IDW, 2017). There are also numerous models, instruments, and procedures for the individual components of risk management that have already been defined, explained, and applied.

2. Literature Review

The importance and function of internal control systems have already been greatly discussed in various sources. In the following, the most important sources of each subarea of the research are presented.

An ICS can be used in various company sectors, but it is considered especially relevant for financial security and performance and, through these, for a company’s success.

It was investigated whether the internal control system and corporate governance principles affect financial performance. The study concluded that “the internal control system has a moderator effect on the financial success of corporate governance”. This result indicates that the efficiency of the internal control system should be increased for the financial success of corporate governance in enterprises.

Furthermore, there exists a whole book about how to implement internal control systems within the financial sector of companies. It provides four steps to a successful ICS and explains basics as well as specific recommendations for actions (Hunziker, Renggli, & Fallegger, 2018).

Within an ICS, risk management is always a highly considered factor.

The general functions and steps of risk management are explained by Wilfried Hoffmann in his book about the risk management process. Within it, a general understanding of the basics of risk management is described ().

Stefan Hunziker gives a more detailed and step-by-step-oriented view. In his book “Risk Management in 10 Steps”, he provides not only a solid basis for risk management implementation but also explains which factors define successful risk management (Hunziker & Meissner, 2016).

In contrast to the chemical sector, on which this publication focuses, it has already been investigated how risk management can be implemented in small and medium enterprises in the UK construction industry. It was found that it was extremely difficult to implement risk management due to a lack of management skills and a lack of knowledge in adopting the right tools or techniques to identify and analyze the risks (Rostami, Sommerville, Wong, & Lee, 2015).

Certain rules and guidelines on how effective risk management should be designed are given by Robert Chapman. He supports these guidelines by giving mini-case study examples and thus brings his rules into practical use (Chapman, 2019).

Also, studies exist on how an ICS should be designed to be most effective.

The most commonly known ICS model comes from COSO and their cube model. It is often referred to when asking how an ICS should be built up. It has been described and reviewed by many authors and is seen as the standard of an ICS model (Annen, 2008).

Some consulting companies such as PwC or KPMG have designed several models of their own ICS, which can be implemented in several company branches.

KPMG, for example, introduced a highly detailed chart on how an ICS is defined, what is necessary regarding regulations, and how it can be designed (KPMG, 2021).

PwC did something similar and designed their chart, also using the COSO cube but focusing more on a periodical cycle of implementing an ICS (PwC, 2015).

In some cases, an ICS has already been implemented and its procedure has been recorded in depth.

The city of Dortmund, for example, used an ICS approach for its processes and developed its system.

They divided the ICS into three steps with a planning phase before them.

Planning Phase:

Creation of a process landscape for each department. Show all relevant processes for each department and assign processes to sub-departments and teams.

1) ICS overall analysis

A short evaluation by management is performed for all relevant department processes and showcases all possible damages, risk control activities, and countermeasures.

2) Risk management in specialized departments

Listing all global risks and the results of the overall analysis. Prioritization of ICS creation for defined processes.

3) ICS specialized processes

Detailed ICS for defined processes with process documentation and risk analysis. Furthermore, it provides a detailed description and evaluation of new and existing countermeasures.

For the ICS within processes, they created a special concept consisting of five steps that are repeated constantly (Dortmund, 2018).

An ICS for financial and controlling activities has also already been developed within a master thesis. The main focus was on internal control systems in the field of state-owned enterprises. The author then created his model for an ICS consisting of three independent layers. The innermost circle represents the three objective categories of the COSO framework: Operations, Reporting, and Compliance. The next layer of the model also reflects a part of the COSO framework, where its elements are incorporated. To implement an internal control system, the components of the COSO framework (Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring) must be taken into account. The outermost layer represents the Three Lines of Defense model (Figure 1). The three lines of defense complete the model (Prem & Stahile, 2017).

Looking at the presented literature, it becomes clear that regarding an ICS and risk management there is already a detailed collection of different sources. Also, the fact that alternative models other than COSO have been developed is a pleasant sight.

However, the need for an operationally designed ICS with a focus on financial controlling and accounting, capable of being implemented within large organizations is still something to be desired.

Figure 1. Three lines of defense model.

3. Theoretical Concept and Hypothesis Development

3.1. Internal Control System

An internal control system is a structured approach to ensure the efficiency and effectiveness of a company’s operative processes, retain internal and external guidelines and regulations, and secure the company’s assets. Usually, an internal control system is applied to an entire organization; however, in this study, the focus lies on applying an ICS to certain processes. Furthermore, one has to mention that often the term “risk management” is equated to an internal control system, but in this case, risk management is considered a central part of the control system and so it is defined and explained individually.

There is no real definition of an internal control system, but it is certainly a leading instrument in well-functioning corporate governance (Paschke, 2013). The Institute of German Business Auditors defined three major objectives of an ICS (IDW PS 261, 3.1.2.1.):

– The assurance of the efficiency and effectiveness of the operative tasks of a company as well as the protection of company assets (Operations)

– The reliability and regularity of the financial reporting (Financial Reporting)

– The compliance with relevant guidelines and legislation (Compliance)

Special legal requirements apply especially to stock companies. These must comply with sections §91 (2) and §107 (3) of the German Stock Corporation Act. On the one hand, the Management Board must take suitable measures and, in particular, set up a monitoring system so that developments that could jeopardize the company can be recognized at an early stage. On the other hand, the Supervisory Board can appoint an Audit Committee, which is responsible for monitoring the accounting process, the effectiveness of the internal control system, the risk management system, and the internal audit system, as well as the audit of the financial statements.

A central model for the use of an internal control system within companies is the COSO model. COSO is short for “Committee of Sponsoring Organizations of the Treadway Commission”. It was founded in 1985 in the USA and has the main objective of developing and promoting frameworks and guidelines for risk management and internal control (Olaniyi & Omubo, 2023). Researchers like Moeller (2014) emphasize its comprehensive approach, which integrates five key components: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities. These components are designed to provide a systematic approach to internal control, bridging financial reporting, operational processes, and compliance with legal standards. COSO defines the internal control system as a “process that is carried out by supervisory bodies, management, and employees and ensures with reasonable assurance that the specified objectives are achieved” (Tadesse et al., 2022).

The application of the COSO model and limitations hereto have been explored in different geographic, industry and business contexts. Jiang and Xie (2017), for instance, note that small and medium enterprises (SMEs) often struggle to adopt COSO due to limited resources and expertise. Vallabhaneni (2023) discusses the key components of the COSO framework, its impact on organizational success, and its role in maintaining compliance and achieving business goals in the context of cloud data. Chan et al. (2020) examine the impact of internal control and its five components on corporate innovation using the Committee of Sponsoring Organizations (COSO) framework with a sample of Chinese firms.

Nugraha (2023) examines the internal control system based on the COSO ERM within the Indonesian banking sector and finds deficiencies in implementation. This study aims to analyze how the management of PT JOY applies internal control, whether it is in accordance with the COSO ERM perspective.

The model this study is referring to is the so-called “COSO cube” (Figure 2). The model is three-dimensional and is divided into the following dimensions. The first dimension (x-dimension) consists of the three main targets of an internal control system, as mentioned earlier. The second dimension (z-dimension) defines the five core elements to which the ICS system is related. The third dimension (y-dimension) describes the entrepreneurial units the system is used in (Bungartz & Strobl, 2012). All those dimensions correlate with each other and one dimension cannot function on its own.

Figure 2. COSO model (2013).

The z-dimension given core elements can be defined as follows:

1) Control Environment

It describes the company culture, the leadership style of the management, and established ethical values, and forms the basis for the ICS. It is the foundation of the COSO system and plays a basic part in shaping an organization’s culture of integrity, ethical behavior, and accountability. Establishing clear governance structures and committing leadership to ethical values gives a strong base for effective internal controls. A mature control environment strengthens risk management efforts as well as improves regulatory resilience, aligning execution with both internal values and external expectations (El Junusi, 2020; Vasilev et al., 2017).

2) Risk Assessment

This can be understood as the constant intake and evaluation of possible risks that might threaten the achievement of the previously defined targets for the ICS. It is thus a fundamental part of the COSO system, enabling organizations to recognize and address risks that might block their goals. Moreover, risk assessment supports reliable reporting by determining financial risks and implementing controls to prevent errors and fraud in financial reporting processes, in this manner advancing transparency and dependability (Chan et al., 2020).

3) Control Activities

Control activities are the policies and procedures that help organizations mitigate risks and ensure the achievement of their objectives. These activities include preventive and detective mechanisms such as authorizations, reconciliations, and segregation of duties, all intended to safeguard assets, improve operational efficiency, and ensure the reliability of financial reporting. They are critical for ensuring compliance with laws and regulatory requirements, as they embed internal controls within daily operations (Chan et al., 2020).

4) Information and Communication

Effective communication of relevant information includes the preparation and transmission of this information to the corresponding addressees. To be most effective, communication should be vertical and horizontal within the corporate structure. This component highlights the significance of distributing accurate and timely information to employees and stakeholders, enabling them to understand their roles within the internal control framework (El Junusi, 2020).

5) Monitoring

This includes the constant process of integrated auditing of the effectiveness of the implemented controls. This needs to take place to identify the weak points of the ICS at an early stage (Paschke, 2013).

Although it might seem that an internal control system is flawless, one has to be reminded that there are also some boundaries to this system (Bungartz & Strobl, 2012):

– Processes which are not a routine act are covered barely or not at all by the ICS

– The abuse or ignoring of the control responsibilities from employees

– The ineffectiveness of the ICS due to changing environmental and business conditions

– Human failure, for example, due to carelessness, diversion, miscalculations, or misunderstandings of work instructions

Nevertheless, the positive aspects of an ICS are not to be forgotten and positive side effects also occur. On the one hand, from the results of process optimization and the identification of operational weaknesses within the processes and, on the other hand, from the achievement of increased risk awareness among employees, which in turn contributes to the detection and avoidance of sources of error in the company. (Bungartz & Strobl, 2012)

3.2. Risk Management

Risk management is a central component of an internal control system. It is the systematic analysis, assessment, and control of company risks (Brauweiler, 2018). Its main task is the early identification of critical situations within a company in order to reduce or avoid them, but many other objectives are mentioned in the following (Brauweiler, 2018):

– The development of an early warning system for all the relevant risks

– The consequent and regular analysis, evaluation, and treatment of risks

– The improvement of external and internal audits

– Compliance with regulations

– The increase in transparency within the company

In Germany, the requirements for risk management are primarily characterized by the Corporate Control and Transparency Act (KonTraG), which came into force in 1998. The following requirement in Section 91 (2) of the German Stock Corporation Act (AktG) is central to this: “The Management Board must take appropriate measures, in particular, to set up a monitoring system, so that developments that jeopardize the continued existence of the company are recognized at an early stage.”

A known model for a risk management system is DIN ISO 31000. It can be used as a guide to action for effective and efficient risk management, regardless of the industry the company is active in (ISO DIN 31000, 2009). The risk management process consists of several process steps, but the basic principles and core processes can be found in DIN ISO 31000 (Figure 3).

Figure 3. Risk management process as described in DIN ISO 31000 (Hoffmann, 2017).

The different process steps can be explained in more detail as follows:

Establishing the context

Before implementing risk management, certain principles need to be set. This also contains setting objectives that the risk management needs to fulfill and setting framework conditions within the organizational structure of the company. (Hoffmann, 2017)

Risk identification

To determine the treatment of risks, they need to be identified first. The aim is to recognize all current and future potential risks as early as possible. The risk identification process is, therefore, a continuous task, especially as companies are exposed to constant change and new framework conditions in today’s world. Risk identification aims to provide a structured presentation of all existing and potential risks, including their effects, in a risk catalog. It is thus possible to present the overall risk profile of a company, project, or process. (Hoffmann, 2017)

Risk analysis

How risk is analyzed correctly is given in the DIN EN 62198. Risk analysis involves analyzing the causes and sources of risks, their positive and negative effects on project objectives, and the likelihood of these effects occurring. Factors that influence the impact and probability should be determined. It therefore serves to determine the causes of the identified risks. This is not a point-in-time analysis, but rather a process-accompanying observation of all risk factors (Schmitz & Wehrheim, 2006).

Risk evaluation

Risk evaluation aims to visualize the potential danger posed by the identified risks. The effects of the risk position on the company must be identified and quantified. Therefore, the probabilities of occurrence, the potential amount of loss, and the frequency of loss occurrence must first be determined to determine the individual extent of risk. Determining the amount of loss depends on the company’s objectives. The impending loss of assets should be identified. Attention should be paid not only to the direct losses when a risk materializes but also to the possible consequential losses (Fiege, 2006).

The results of a risk assessment are usually presented in a risk matrix (Figure 4), whereby the likelihood of occurrence and the extent of damage of a risk are made transparent in a coordinate system. The axis of the level of damage usually ranges from very low to very high, and the probability of occurrence ranges from rare to very frequent. This can then look as follows:

Figure 4. Risk matrix.

The intersection of those two measurements divides the risk into several clusters, which define the total evaluation of the risk.
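The following is an added worked example, not part of the original article or of any of the cited frameworks. It implements the risk matrix described above for a small, constructed register of finance-process risks: each risk is placed on the two ordinal axes (likelihood from rare to very frequent, damage from very low to very high), the intersection is scored, and the score is mapped to a cluster. The five-step granularity of each axis, the cluster boundaries, the risk names, and the rule that the effective damage is the higher of direct and consequential loss are all assumptions made for illustration.

```python
"""Added example: risk-matrix evaluation for a constructed finance-process risk register.

The axis labels follow the text; the five-level granularity, the cluster boundaries
and the sample risks are assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Ordinal axes, lowest to highest (five levels per axis is an assumption).
IMPACT_LEVELS = ["very low", "low", "medium", "high", "very high"]
LIKELIHOOD_LEVELS = ["rare", "unlikely", "possible", "frequent", "very frequent"]


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str                                  # direct loss if the risk materialises
    consequential_impact: Optional[str] = None   # follow-on loss, if any is expected


def level_index(levels: List[str], label: str) -> int:
    """1-based position of a label on an ordinal axis; unknown labels are rejected."""
    if label not in levels:
        raise ValueError(f"unknown level {label!r}; expected one of {levels}")
    return levels.index(label) + 1


def effective_impact(risk: Risk) -> str:
    """Higher of direct and consequential damage, so follow-on losses are not ignored."""
    candidates = [risk.impact]
    if risk.consequential_impact:
        candidates.append(risk.consequential_impact)
    return max(candidates, key=lambda lbl: level_index(IMPACT_LEVELS, lbl))


def risk_score(likelihood: str, impact: str) -> int:
    """Ordinal product of the two axes: 1 (rare x very low) to 25 (very frequent x very high)."""
    return level_index(LIKELIHOOD_LEVELS, likelihood) * level_index(IMPACT_LEVELS, impact)


def cluster(score: int) -> str:
    """Map a score to a cluster. Boundaries (>=15 high, >=6 medium) are an assumption."""
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def evaluate(risks: List[Risk]) -> List[Dict[str, object]]:
    """Score every risk and return the register sorted from most to least significant."""
    rows = []
    for r in risks:
        impact = effective_impact(r)
        score = risk_score(r.likelihood, impact)
        rows.append({"name": r.name, "likelihood": r.likelihood, "impact": impact,
                     "score": score, "cluster": cluster(score)})
    return sorted(rows, key=lambda row: row["score"], reverse=True)


def build_matrix(risks: List[Risk]) -> List[List[List[str]]]:
    """Grid indexed [likelihood_index][impact_index] holding the names of risks in each cell."""
    grid: List[List[List[str]]] = [[[] for _ in IMPACT_LEVELS] for _ in LIKELIHOOD_LEVELS]
    for r in risks:
        li = level_index(LIKELIHOOD_LEVELS, r.likelihood) - 1
        ii = level_index(IMPACT_LEVELS, effective_impact(r)) - 1
        grid[li][ii].append(r.name)
    return grid


def render_matrix(grid: List[List[List[str]]]) -> str:
    """Text rendering: rows from most to least likely, columns from lowest to highest damage."""
    header = "likelihood \\ damage".ljust(20) + "".join(l.rjust(12) for l in IMPACT_LEVELS)
    lines = [header]
    for li in range(len(LIKELIHOOD_LEVELS) - 1, -1, -1):
        cells = "".join(str(len(grid[li][ii])).rjust(12) for ii in range(len(IMPACT_LEVELS)))
        lines.append(LIKELIHOOD_LEVELS[li].ljust(20) + cells)
    return "\n".join(lines)


# Constructed sample register (names and ratings are invented for illustration).
SAMPLE_RISKS = [
    Risk("Unauthorized change to vendor bank data", "possible", "high", "very high"),
    Risk("Duplicate invoice payment", "frequent", "medium"),
    Risk("Late month-end close", "very frequent", "low"),
    Risk("Manual journal posted without review", "unlikely", "medium"),
    Risk("Typo in an internal memo", "rare", "very low"),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_RISKS):
        print(f"{row['score']:>2} {row['cluster']:<6} {row['name']}")
    print(render_matrix(build_matrix(SAMPLE_RISKS)))
```

The consequential-impact rule is the part worth noticing: the first sample risk rates only "high" on direct loss but "very high" once the follow-on loss is counted, which moves it from the medium to the high cluster. Unknown axis labels raise an error rather than silently scoring as zero, so a register with inconsistent wording fails loudly instead of hiding a risk in the lowest cell.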

Risk treatment

Following the evaluation, the risks need to be treated according to their evaluated significance. This can be done by either active measures, which are cause-oriented, or passive measures, which are impact-oriented. Active measures mainly focus on the avoidance and reduction of the impact and likelihood of the risk, whereas passive measures accept the risk and try to compensate for the expected outcome. In total, there are four types of measures: risk avoidance and risk reduction are seen as active measures and risk transference as well as risk acceptance are seen as passive measures. (Hoffmann, 2017)

Risk avoidance

This strategy focuses on not taking on a risk at all and is done by finding other solutions or implementing suitable protective measures (Höcker, 2013). It provides the highest security of all alternative risk treatment measures (Diederichs, 2006).

Risk reduction

This measure usually takes place when a risk has already occurred. Then, it is necessary to reduce the future probability of risk and minimize the damage it causes (Sevda et al., 2022). This can be done by taking some of the following measures into account:

– Gather information

– Detailed research (Tests, Evaluations, etc.)

– Additional quality assurance measures

– Qualification measures for employees

Risk transference

In this strategy, the risk is transferred to other parties involved, mainly by taking out insurance (Diederichs, 2006).

Risk acceptance

By accepting the risk, the company takes the risk into account without taking any regulating or preventive measures. By doing so, a certain residual risk is taken, which usually only has negligible effects and a very low probability. This measure is often taken when the measures for treating a risk would cost more than the damage the risk would cause. (Hoffmann, 2017)

In general, one has to consider that risks are not static elements but rather dynamic elements that have to be checked and measured constantly. Only in this way is it possible to measure the effectiveness of the measures taken and determine whether further steps are necessary to treat the risks.

Monitoring and review

The risks need to be checked and evaluated constantly. Furthermore, it is necessary to determine who is responsible for the monitoring and review process in general. The interaction of monitoring and review is the basis for further optimizing processes and delivers the basics for risk databases, checklists, and criteria for the assessment of implemented risk treatment measures. The review process needs to ask the following questions to ensure the effectiveness of the implemented treatment measures (Reichmann, 2001).

– Have the targets of the ICS been reached?

– Were the treatment measures appropriate enough?

– Were correction measures necessary?

– Did any losses occur?

– Was the effect desired?

– Have all risks been identified?

Communication and consultation

Only through adequate communication and coordination between the responsible employees can the success of the ICS be ensured. Therefore, an open and constructive communication culture must be established, which goes along with a solution-oriented work atmosphere (Boutellier et al., 2007). Only in this way can adequate solutions for improved monitoring and decision-making be implemented.
