Internal Controls and the Shifting Wave of Focus

Poor internal controls systems, whether it be financial or operational, have caused this wave to change direction in favour of the other, whenever a new and significant event occurs. Events in the past decade have increased the attention on the likes of internal controls for operational processes such as logistics or manufacturing, whilst other significant events have brought the focus back to financial reporting. So, why do organisations struggle to maintain balance and equilibrium between ICFR and operational internal control systems? Why is a reliable ICS paired with good management not a habit in most organisations, but rather a reaction to the shift in focus? And what do I mean by all of that?

Well, let’s take a look at a brief and very simplified timeline of the events that shifted the wave of attention, with regard to the United States and Germany:

• Pre Enron Scandal (Leading up to 2001) focus on operational ICS

Corporations were largely focussed on improving the effectiveness of internal processes and systems, such as logistics, manufacturing, procurement and other operational processes, and less so on highly governed financial reporting and management. That was, until the infamous Enron accounting scandal took place in the United States in 2001.

• Enron Scandal (2001) places focus on financial reporting

The fraudulent accounting scheme of the energy giant in 2001 created a tectonic shift in regulators reassessing how financial reporting is governed, and to what extent – thus, placing the focus squarely on financial reporting practices. An outcome of this was the implementation of the Sarbanes-Oxley Act (SOX), which became effective on July 30, 2002. SOX was implemented to ensure that publicly listed companies take comprehensive measures to enhance the accuracy of corporate disclosures that report on financial data. More specifically, SOX 404 requires companies to implement adequate Internal Control over Financial Reporting (ICFR) to ensure fair financial reporting practices have been put in place in accordance with Generally Accepted Accounting Principles (GAAP).

• German car giant emissions scandal (2015) places focus on errors evident within operational ICS

So while regulators were focussed on assurance mechanisms for financial reporting, the ball was slowly dropping in other areas of internal control practices – those of a non-financial nature. Let us take an example in 2013, where the public was made aware of practices of a German car giant in modifying emissions tests for their cars to comply with required standards in the US.

This scandal prompted a focus on ethics, better governance around operational systems and tone from the top in the context of target setting. As a consequence, the weight of the wave shifted course again. That was until recently, when the next big event occurred in Germany.

• Wirecard Scandal (2020) places focus back on financial reporting in Germany

Arguably one of the biggest corporate scandals in Germany in recent history, the German Fintech Wirecard had a series of accounting scandals which included inflated assets and incorrect reporting on the number of transactions it actually handled. This resulted in the insolvency of a company valued at €24bn when they joined the DAX 30 share index two years ago. The €1.9bn that was missing from its accounts led to political and public allegations around a lack of proper oversight from external auditors, financial regulators and the government.

The spotlight was now fair and square back onto Internal Control over Financial Reporting practices, as regulators and government designed new laws to counteract similar fraudulent behaviour.

New Financial Reporting Law in Germany: Finanzmarktintegritätsstärkungsgesetz (FISG)

While ICS is not new, much of the activity from the recent scandal can be linked to the spurring up of a new German financial reporting regulation, called the Finanzmarktintegritätsstärkungsgesetz (FISG). The objective of FISG, scheduled to enter into force on July 1, 2021, is to strengthen the confidence of the financial market, by reforming the financial statement control process for capital market companies.

At a glance, the requirements of the Finanzmarktintegritätsstärkungsgesetz (FISG) which include a chapter on increased liabilities, can be summarised into 3 core areas with requirements such as:

Internal Perspective:

• Mandatory and more formalised requirements to have both internal control and risk management systems introduced in a company. (relevant for publicly listed companies).

Supervisory Board Perspective:

• Mandatory for two financial experts to form part of a supervisory board.
• An audit committee will have to be established in supervisory boards.

External Auditor Perspective:

• Dedicated communication channel between the external auditor and the supervisory board.
• It will be mandatory to rotate both the external auditing company, as well as the relevant partner within that auditing company.

Maintaining a robust ICS across business disciplines

As we have gone full circle and the focus is now thoroughly back on financial reporting, the question of why organisations struggle to maintain equilibrium between ICFR and non-financial internal control systems still remains. How do we create the balance of well performing internal control systems throughout all business practices, rather than it being a reaction to the shift in focus and hence continually neglecting one core aspect?

Although easier said than done, if your organisation’s ICS is robust and set up sustainably across all disciplines, then the wave of industry events, new laws and requirements should be far easier to avoid, resulting in more stable operations overall.

Learn more about this in our latest episode of The Regtech Report, discussing the new focus on financial reporting and the Finanzmarktintegritätsstärkungsgesetz (FISG).

Written by Claudia Howe in collaboration with Bayley Benton.