ITGC Basics – ICS Refresher

What is an ICS?

Listed companies are obliged to operate a functioning internal control system (= ICS).

The Internal Control System is the entire control environment and controls on company-, process- and IT level with the purpose to secure the assets, to ensure the accuracy and reliability of financial accounting data und to make deficiencies and fraud in the financial reporting difficult, to make them impossible or to prevent them.

An Internal Control System fulfills the following tasks:

1. Securing the entity assets and protection against losses of any kind
2. Gaining of exact, informative and timely records
3. Improvement of corporate efficiency
4. Support in pursuing strategic goals

What is SOX?

SOX is an acronym for the Sarbanes-Oxley-Act. This American federal law has been written by senators Paul Sarbanes and Michael Oxley as a reaction to the scandals on financial statement manipulation by big American companies like Enron or WorldCom. It passed American congress in summer 2002. The goal of SOX is to protect investors from fraud and to strenghten their trust on published financial data from listed companies.

The law resembles a behavioral catalog for board members of large companies. For example, board members have to commit to the correctness and completeness of their balance sheets. With the help of this law, balance sheet manipulations as they have happened in the past are supposed to become more difficult to achieve.

What is EuroSOX?

“EuroSOX” commonly refers to EU directive 2006/43/EG, which has been introduced after similar financial reporting scandals by big companies like Parmalat and Ahold. This directive regulates how financial closings in the EU have to be prepared and aims to ensure that investors and other stakeholders can fully rely on the completeness and accuracy of financial reports published by companies listed on EU stock exchanges.

The EU member countries have implemented this directive within local law. In Austria, for example, this directive is largely realised with the Unternehmensrechtsänderungsgesetz (URÄG) from 2008. Again, this law aims to strengthen investor trust in published financial reports of companies listed on the Austrian Stock Exchange.

Which companies have to comply with those regulations?

The Sarbanes-Oxley Act is mandatory for all US and foreign companies and their subsidiaries that are listed on American stock exchanges, such as the NYSE (“New York Stock Exchange”). Each affected company must submit its balance sheets to the United States Securities and Exchange Commission.

In the EU, all companies listed at stock exchanges within the EU have to comply with the “EuroSOX” EU-directive, and companies listed on stock exchanges of EU member countries have to comply with the local law that implements the “EuroSOX” directive. In Austria, this means that companies listed at the Wiener Börse have to implement and comply with the Unternehmensrechtsänderungsgesetz URÄG 2008.

What are the implications for affected companies?

For affected companies, this means

• that there are stricter requirements for the company itself, but also for the appointed auditor.
• that a functional internal control system must be set up.
• that complete documentation of this internal control system must be available.
• that the functionality and functionality of the internal control system must be proven. This proof is called “compliance”.
• that the auditor has to check the internal control system. All internal controls related to accounting are subject to the audit.