We would like to ensure that you are still receiving content that you find useful – please confirm that you would like to continue to receive ILO newsletters.
14 December 2009
Set-up of Internal Control System
Duty of Board of Directors and Management
Audit Treatment of Internal Control System
On January 1 2008 the revised auditing legislation entered into force in Switzerland.(1) This update discusses the audit of internal control systems – an extension of the scope of the regular audit that was introduced during the revision.
An organization's internal control system covers all of the procedures, methods and controls established by its board of directors and management in order to ensure the proper functioning of business operations. Internal controls are an integral part of an entity's business processes. The internal control system helps the board of directors and management to:
The requirement to have an internal control system is not explicitly stipulated in the Code of Obligations as a duty of the audited company; rather, it is specified as an audit objective of the auditor. Pursuant to Article 728a of the code, auditors must examine whether an internal control system exists. Furthermore, pursuant to Article 728a the auditors must take the system into account when performing and determining the scope of the audit, .
The above provisions apply only to companies that are subject to a regular audit pursuant to Articles 727 and following of the code.(2) It therefore follows that the legislature expects those companies which are subject to a regular audit to have an internal control system in place. Due to the fact that the audit requirements are independent of the legal form of an organization, different legal entities such as corporations, limited liability companies, cooperatives, associations or foundations may be required to set up an internal control system if they are subject to a regular audit.
Swiss legislation provides no guidelines on the set-up of internal control systems. In its report on the revision of the auditing law, the Federal Council specified that the internal control system as mentioned in the code applies only to accounting and financial reporting, and need not cover operational processes and compliance matters which do not affect the financial statements. However, companies are free to decide on additional areas such as operational, compliance and strategic risks that can be included in their internal control system.
Generally speaking, internal control systems should be geared to the size, complexity and risk profile of the organization. Since every company has different requirements and objectives, the internal control system cannot be the same for all companies. Every business distinguishes itself from others subject to the products and services it offers, the way it is financed and the resources it requires to support its ongoing concerns. Internal control systems must address the specific needs of a business and thus should be tailored to the organization and risk appetite.
The requirements regarding internal control systems have been described in various framework documents. The most popular of these is the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework. COSO divides the content and structure of internal control systems into components with the intention of ensuring that the systems achieve their objectives.
Pursuant to Article 716a of the code, the board of directors has the non-transferable and inalienable duty to set up an accounting and financial control system. This includes the duty to set up an internal control system. Therefore, the board of directors is responsible for ensuring that an internal control system exists or is created in a timely manner. However, the design and execution of such systems are the management's responsibility.
As part of its oversight responsibility, the board of directors, together with the management, must regularly assess the quality of the internal control system and ensure that it is adjusted to accommodate new business processes. A quality review should be conducted at least once a year or whenever there are significant organizational changes. In larger enterprises, an internal audit function is often set up to support the board of directors and the management.
When performing and determining the scope of their audit, auditors must take the internal control system into account. Where the auditor identifies deficiencies in an internal control system, it must undertake procedures to compensate for these deficiencies.
The audit industry and its professional organizations view the audit of internal control systems as an additional audit objective of the regular audit, and as such consider such audits an extension of their statutory duties.
As part of a regular audit, the auditor must submit two reports.
Firstly, the auditor must submit a complete and comprehensive report to the board of directors with findings concerning the financial statements, the internal control system, the execution and the results of the audit. Thus, if the auditor concludes that an internal control system is inadequate, it must highlight such shortcomings to the board.
Secondly, the auditor must submit a summary report to the general meeting of shareholders. Initially there were different views in the industry as to whether the auditor should address the internal control system in its summary report. Some held that the inexistence of an adequate internal control system should not be included in the summary audit report if the annual report were fully compliant. However, after more than a year's experience with the new audit provisions, it now seems clear that the summary report to the shareholders' meeting must include a corresponding note as to whether a compliant internal control system is in place. Many companies which are subject to regular audits have been obliged to establish proper internal control systems prior to their audit. Quite a number of companies which did not have the resources to establish an internal control system in time decided not to establish a system for their first business year after the entry into force of the new auditing provisions and accepted a corresponding note in their audit reports stating that they were yet to establish an internal control system, which is in line with the statutory requirements. In many cases control systems were already in place, but could not be properly assessed by the auditors since they were not documented.
For further information on this topic please contact Markus Dörig or Philipp Schaller at BADERTSCHER by telephone (+41 44 266 20 66), fax (+41 1 266 20 70) or email (firstname.lastname@example.org or email@example.com).
(1) For further details please see "Summary of Revised Auditing Law".
(2) For the differences between a regular and a limited audit please see "Summary of Revised Auditing Law".
The materials contained on this website are for general information purposes only and are subject to the disclaimer.
ILO is a premium online legal update service for major companies and law firms worldwide. In-house corporate counsel and other users of legal services, as well as law firm partners, qualify for a free subscription.