Internal Control Systems (ICS) have for centuries been a central pillar of responsible corporate governance — representing both an expression of managerial due diligence and the legal obligation of every merchant to ensure proper oversight and compliance. Originally, such systems were often established reactively, as a response to corporate crises or regulatory interventions — for example, following the Enron scandal and the subsequent introduction of the Sarbanes–Oxley Act (SOX) in 2002.
Since then, the perspective has shifted significantly. Today, effective internal controls are no longer viewed merely as a compliance requirement but as a strategic instrument for corporate steering, risk mitigation, and trust building.
Amid growing organizational complexity, global supply chains, and increasing exposure to cybersecurity and ESG-related risks, the regular assessment and certification of ICS have become ever more important. Companies are under increasing pressure not only to implement an ICS but also to demonstrate its effectiveness in line with international standards, in a manner that is transparent, comparable, and verifiable.
Given the heightened public interest in governance and accountability, the ability to credibly demonstrate compliance and control capabilities has become a key factor in maintaining stakeholder trust and corporate reputation.
Internationally recognized and widely adopted frameworks for internal controls
An internationally recognized framework such as the Internal Control – Integrated Framework (ICIF), developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), provides the theoretical and methodological foundation for the design, evaluation, and certification of ICS.
First introduced in 1992 and comprehensively revised in 2013 (when the component-level requirements were made explicit as 17 principles), the COSO framework has become the global benchmark for establishing adequate and effective internal controls. An ICS based on COSO consists of five interrelated components that operate together and collectively determine its effectiveness.
COSO became particularly well known for its three-dimensional representation – the so-called "COSO Cube", which illustrates the relationship between objectives, components, and organizational levels. This visualization underscores that an ICS is always an integrated construct of culture, structure, and processes, rather than a collection of isolated control activities.
Fig. 1: COSO-Cube – Structure of an ICS based on internationally recognized principles
Source: COSO: Internal Control – Integrated Framework. Framework, May 2013, p. 5.
- Control Environment: Defines values, integrity, leadership behavior, and organizational responsibilities
- Risk Assessment: Involves the systematic identification and evaluation of risks
- Control Activities: Encompasses measures and procedures implemented to manage risks within processes and systems
- Information & Communication: Ensures that relevant information is identified, captured, and communicated in a timely manner to support sound decision-making
- Monitoring Activities: Refers to the ongoing and independent evaluation of the adequacy and effectiveness of controls
This structure provides an internationally consistent foundation for audits, assessments, ratings, and certifications. National standards, such as the audit standards issued by the Institute of Public Auditors in Germany (Institut der Wirtschaftsprüfer in Deutschland e.V. – IDW), are aligned with the COSO framework, while the standards of the International Organization for Standardization (ISO) serve as global references.
Purpose and nature of an ICS Certification
A certification goes beyond the traditional audit of an ICS: it not only confirms the adequacy and effectiveness of the system, but also provides a comprehensive assessment and a basis for the continuous improvement of internal controls.
The rating component within a certification process demonstrates how effectively an organization manages its risks and the extent to which it aligns with international best practices. In addition, it enables a benchmark comparison of compliance and control maturity against other organizations.
A certification thus serves as an objective signal that the management system meets legal and regulatory requirements, withstands best-practice benchmarking, and is actively supported by the organization's leadership.
Benefits of an ICS Certification
The certification of an ICS provides organizations with a dual advantage: it helps reduce potential liability risks while simultaneously enhancing competitiveness and reputation.
A certified ICS demonstrates compliance with regulatory requirements and sound business practices, while signaling to stakeholders that risks are being managed systematically and transparently.
Key benefits of an ICS certification include:
- Reduction of civil and criminal liability risks through documented evidence of due diligence
- Improved competitiveness and credibility in the market
- Strengthened corporate image with business partners, financial institutions, auditors, and regulatory authorities
- Prevention of potential exclusion from tenders or procurement procedures
- Guidance for continuous improvement and operational efficiency
Certification of management systems in an international context
Other management systems within the field of corporate governance — such as Compliance Management Systems (CMS), Risk Management Systems (RMS), or Internal Audit Systems (IAS) — are increasingly subject to international audit and certification standards.
While the IDW auditing standards in Germany provide guidance for assessing the adequacy and effectiveness of such systems, internationally recognized ISO standards have become the prevailing global benchmarks, e.g.:
- IDW PS 980 as the German auditing standard for CMS and ISO 37301 as the corresponding international certification standard
- IDW PS 981 as the auditing standard for RMS and ISO 31000 as the general international reference framework for RMS certification
- IDW PS 982 as the auditing standard for ICS and Certinova as a COSO-based approach for rating and certification of ICS
- IDW PS 983 as the auditing standard for IAS and Quality Assessments based on IIA standards for evaluating maturity and performance
It is worth noting that all IDW auditing standards mentioned above are derived from and aligned with the global COSO frameworks. The examples of audits, ratings, and certifications across these management systems illustrate that certification extends well beyond national regulatory requirements and aims to establish internationally comparable trust in the design and effectiveness of management systems.
When ICS are reviewed as part of an audit, the assessment focuses on the adequacy and/or effectiveness of the system and identifies potential weaknesses. However, such an audit does not include a formal rating or benchmarking scale. The resulting audit reports are typically intended for internal use only, and external disclosure requires the auditor's explicit authorization.
In contrast, an ICS certification includes a rating component that enables classification within a maturity model. This provides a benchmark for comparison with business partners, auditors, and competitors, and serves as public evidence that risks are systematically analyzed and that appropriate control and governance measures are in place.
Maturity models as rating instruments
Maturity models are a key tool in ICS certification, providing both a status assessment and a strategic orientation by illustrating the current stage of development of an ICS. They help identify the necessary steps for optimization, thereby creating a scalable and internationally comparable rating of the system's effectiveness.
In practice, organizations often refer to the Capability Maturity Model Integration (CMMI) as a methodological basis for determining the maturity level of their ICS. Following this approach, the ICS can be classified into five distinct maturity levels, each representing a higher degree of structure, integration, and effectiveness:
Fig. 2: ICS maturity levels based on the CMMI
Source: Bungartz: Handbook Internal Control Systems (ICS), 6th Ed., p. 502.
The maturity levels in this model are progressive, meaning that each higher level incorporates all the characteristics of the one before it. According to the literature, an organization's ICS should reach at least "Level 3: Defined", indicating that the system is formally documented, standardized, and integrated into core business processes. However, given the requirement that the effectiveness of the ICS must be continuously monitored, a maturity level of at least "Level 4: Managed" (the level CMMI itself labels "Quantitatively Managed") is generally recommended. This level reflects a system that is not only established and standardized, but also actively monitored, measured, and continuously improved.
Outlook: Digital ICS Certification with Certinova
While COSO provides the theoretical foundation, practical experience shows that organizations require efficient, standardized, and digitally supported certification processes. The Certinova methodology for ICS certification offers an innovative solution to meet this need. The platform enables the certification of ICS based on both international and national standards (COSO and IDW PS 982), combining robust control principles with digital efficiency and global comparability:
- Digitally enabled and resource-efficient execution, utilizing state-of-the-art technology
- Full compatibility with international and national audit standards
- Scalable maturity models and benchmark comparisons, tailored to the organization's specific ICS structure and requirements
- High credibility and reputation through an independent, practice-proven assessment methodology backed by decades of professional experience
- Visible reinforcement of trust in governance and compliance, combined with a market-effective external presentation through an officially recognized quality seal
By doing so, the Certinova certification approach effectively combines legal assurance with economic efficiency, while simultaneously enhancing the reputation and competitiveness of certified organizations.
The certification of ICS is gaining strategic significance worldwide. It builds trust, mitigates risks, and strengthens organizational competitiveness. An ICS certified in accordance with international standards demonstrates accountability, transparency, and sustainable corporate governance. In light of increasing regulatory complexity and global expectations, ICS certification is set to become a central pillar of modern corporate governance.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.