Internal Control System (ICS)

ICS and Risk Management – different requirements with many parallels

An ICS is understood within a company/organization as a tool for error prevention and quality assurance.
The focus of the consideration, monitoring and control of risks in an ICS is more on the present and the past.


The management tool internal control system includes techniques, roles, IT systems and policies for the

  • compliance with guidelines based on controls, and
  • prevention of risks resulting in damage for the company.

Established control models such as COSO or COBIT often serve as the basis of an ICS. Hereby his management is focused on the “controlling” area.

Basic requirements for an internal control system are:

  • Transparency: The established concepts must allow for a target/actual comparison, which also enables external parties to assess whether process owners are working according to the target requirements.
  • Separation of functions: Example: purchasing process. The sub-processes belonging to the process (determination of requirements to payment) should not be executed by one responsible person, but distributed to different persons.
  • “Four-eyes principle”: No essential process in an ICS should be established without cross-checks.
  • “Need to know principle”: Employees should only have access to the information (including authorizations in e.g. IT systems) that they really need to carry out their work.

It includes processes, procedures, policies, requirements and resources within an organization in order to protect the company’s assets and minimize the risks. The included risk management is a key element of this system.

In contrast to the ICS, the focus here is on the

  • Identication
  • Avoidance
  • Reduction or
  • Acception

of risks.

The risk management view is more focused on the future. The focus in risk management lies in particular on the area of optimization and further development of the ACTUAL status.

Nevertheless, the ICS and risk management have similarities and intersections.

Both pursue goals such as

  • Compliance,
  • Avoidance of risks,
  • Reliability of operational information and
  • Protection of company assets.

The implementation of governance, risk and compliance and the ICS system in a common management system is recommended in order to achieve synergy effects.


Connection of ISMS or GRC and ICS – in one management software

Advantages and opportunities of combining the internal control system and risk management from an ICS perspective on example QSEC:

  • Prevention of redundancies through central, uniform data storage
  • Multi-standard compliance in one system
  • Uniform and automated processes
  • Integration of all relevant business processes
  • Assessment of ICS-relevant risks
  • Clear and transparent ICS reports
  • Role-based rights management (process owner, ICS coordinator, risk controlling)
  • Monitoring the actual implementation of the control
  • Savings in resources, time and costs
  • Valid data and comprehensive transparency for the management and the supervisory body

QSEC – an ISMS & GRC software with IMS / ICS functionality

The process-oriented software solution QSEC links all activities relating to governance, risk, compliance and data protection management and thus provides the basis for the sustainable establishment of an internal control system. The separation of responsibilities with corresponding user rights structures ensures that all the principles of requirements for an internal control system are maintained.


ICS software- ICS-relevant business processes


ICS software- ICS-relevant business processes


The operation of an ICS based on the integrated management system QSEC provides a complete picture of the risk and security status of an organization/company, increases quality and minimizes costs. The management can make more transparent and valid decisions. The joint operation of ICS software and GRC/ISMS in one management system brings many advantages.