ICS in the SME environment

Copy-from-Acton-LinkedIn-Templates-17-1


Setting up a pragmatic ICS for SMEs - explained step by step

Many management teams of small and medium-sized enterprises (SMEs) associate the topic of internal control systems (ICS) with large corporations and complex processes. However, a functioning ICS is also of great benefit to SMEs - not only for auditing purposes, but also as a practical management tool.

Why does an SME need an internal control system (ICS)?
A functioning ICS helps companies to systematically identify business risks, prevent errors or misuse and fulfil legal requirements. It strengthens the reliability of financial reporting and protects assets.

Legal framework in accordance with the OR:

  • Art. 716a para. 1 no. 3 CO: The Board of Directors is responsible for the organisation of accounting, financial control and financial planning.
  • Art. 728a para. 1 no. 3 CO: Companies with an ordinary audit are obliged to maintain an internal control system.
  • Art. 957 ff. OR: Companies that are subject to an ordinary or limited audit must ensure proper accounting - an ICS supports this obligation.

Even if no formal ICS is required for SMEs that are not obliged to have an ordinary audit, the duties of the board of directors and the need for reliable financial management mean that there is a clear need for action - not least for liability reasons.


Step-by-step guide for a pragmatic ICS

1. identify risks

 Which processes in the company harbour operational or financial risks? Typical areas are

  • Payment transactions
  • Accounts receivable/accounts payable
  • Payroll accounting
  • IT access and data security

Questions that arise in practice: Who can authorise payments? Is there a dual control principle? Has a separation of functions been introduced (e.g. entry of vendor master data and execution of payments)?

2. define control objectives

What should be achieved with the controls? Objectives can be:

  • Completeness of expenses and income
  • Prevention of errors or embezzlement
  • Compliance with legal requirements (e.g. AHV statements, VAT)

3. define suitable control measures

How are risks controlled in practice? Examples:

  • Monthly bank reconciliation
  • Access authorisations to accounting systems
  • Release rules for invoices above a defined amount

4. documentation and responsibilities

  • Who is responsible for which control?
  • How often are they carried out?
  • Where are results documented?

A simple control matrix (Excel or internal tool) is all you need to get started. 

5. regular review and adjustment

An ICS is not a static system. It must be reviewed annually and adapted to changes - especially in the event of growth, digitalisation or staff changes.


Conclusion

Even if SMEs are not legally required to have an ICS, a pragmatic approach makes sense and minimises risk. The board of directors bears the responsibility - and smaller companies also benefit considerably from clearly regulated processes and controls. A well-designed ICS is not an end in itself, but a management tool that creates trust - both internally and with auditors and accountants.

Would you like to set up an internal control system in your company or optimise existing processes?
We are happy to support you - from the risk analysis to the specific design of an ICS that suits the size of your company.

Get in touch with us - together we will work out the best solution for you.