An Internal Control System (ICS) ensures that legal and regulatory requirements within a company are met. In simple terms, an ICS is used to monitor, document, and control all relevant business processes.
Because these controls are subject to documentation and proof requirements, an ICS is legally mandatory for companies. If no functioning system is in place in the event of damage or misconduct, companies face significant penalties under §§ 30 and 130 OWiG. At the same time, internal controls often involve a high level of manual effort. Business processes should therefore ideally be aligned with regulatory requirements and company‑specific needs — which further increases the demands placed on an ICS.
Risk Control Matrix as a central foundation
A proven method for structuring an ICS is the Risk Control Matrix. It maps all process‑oriented control activities required for analysis and evaluation. Key components include:
- Description of control objectives
- Execution of controls
- Identification and assessment of potential risks
- Assignment of responsibilities
- Documentation of relevant compliance requirements
Excel or software solution?
In principle, an ICS can be implemented without specialized software — many companies use Excel for this purpose. Advantages include ease of use and familiarity with the tool. However, the disadvantages outweigh the benefits:
- Low transparency
- Limited data quality
- No parallel collaboration
- Missing workflows
- High manual maintenance effort
- Limited permission management
Modern ICS solutions, on the other hand, offer clear advantages: responsibilities can be assigned, permissions can be controlled granularly, and detailed logging shows who made which changes. Errors can be corrected quickly through versioning.
Digital transformation as a driver
The requirements for an ICS are continuously increasing — particularly due to new compliance regulations and ongoing digitalization. Agile methods such as SCRUM help companies manage change flexibly and build a sustainable digitalization strategy.
A modern ICS should therefore:
- be quickly adaptable
- support process automation
- efficiently reflect compliance changes
- ensure transparency and traceability
Which software solution is most suitable depends heavily on company size, processes, and regulatory requirements. A general recommendation is therefore not possible — the selection must be made individually.
