Finding the right internal control system software can be a challenging task. Especially when varying business requirements enter the equation, there’s hardly a one-size-fits-all solution, even if some vendors try to convince you there is.

In this blog post, we’re sharing our expertise on the matter to help you make the best decision for your individual use case. Read on and explore our compact summary of fundamental criteria to watch out for when selecting your ICS tool. Be sure to grab a copy of our detailed criteria list at the end, which makes it simpler to compare different vendors and pick the best-fitting solution for your business!

Your ICS software should be optimally tailored to your needs

The internal control system has over time gained a reputation as an essential management system in companies. While its initial focus was on ensuring completeness and correctness of financial reporting, today it encompasses many other aspects too, from dealing with operational risks to ensuring that business processes are carried out properly, and more. Considering its wide and highly important array of application scenarios, hardly any internal control system can truly function efficiently without proper tool support. Any organizational ICS set-up that builds on non-specialist tools, such as spreadsheets or manual checklists, will eventually face difficulties with successful implementation and sustainable execution.

Due to the large number of software providers, however, the process of selecting a suitable tool has now become a challenge for many organizations. Apart from the cost factor, which certainly plays a major role in the selection process, the tool should also be optimally tailored to your individual needs in order to deliver the desired added value. So before you start looking for an ICS provider, it makes sense to start with a list of key criteria, i.e. a list of your major requirements.

Preview of BOC Group’s ICS criteria catalogue

You’re probably already familiar with the basic requirements of an ICS system – including that your controls need to be recorded and described. You likely also know that they must be assigned to certain assets in your company, and that their implementation needs to be planned and controlled. But: if you define your criteria catalogue in this manner, you will have a hard time handling it efficiently, and at the same time making sure that you’ve adequately covered all important aspects.

For this reason, we’ve created a summary of the most important criteria and requirements that we have often come across with customers in recent years. If you find the overview below helpful, make sure to also download a copy of our criteria catalogue for additional help in comparing your ICS software vendors based on your prioritization.

Choose your internal control system software by these 9 key criteria

Most criteria catalogues group requirements along the following 9 key dimensions:

  1. Transfer, capture and scoping
  2. Authorization concept
  3. Workflows
  4. Notifications, status reports and reminders
  5. Dashboards
  6. Monitoring, logging and historization
  7. Data processing, storage and validation
  8. Customization, integrations and extensions
  9. Individual and flexible reporting

We have listed specific requirements of each key dimension for you. Further requirements for an internal control system software can be found in our detailed criteria catalogue, which you can download free-of-charge below.

Transfer, capture and scoping

Not every beginning needs to be difficult. Make sure right from the start that your preferred internal control system software has an effortless process for transferring and capturing data, as well as for the entire scoping process. The concrete requirement could be something like:

  • Direct and easy transfer of existing content from documents and third-party systems
  • Flexible linking of controls, risks and measures based on organizational structure and business processes

Authorization concept

Questions about permissions are often a sensitive topic. Not all content should be freely accessible to every user. Therefore, it’s that much more important that your chosen internal control system software has a mature authorization concept. Include the following requirements in your evaluation:

  • Availability of comprehensive authorization concepts to specifically control access to elements in the repository
  • All access is strictly restricted to explicitly authorized users only


Workflows

Workflows are an absolute must for your ICS, because automated workflows are exactly what makes our daily work much faster and easier. They ensure that your processes run correctly. Therefore, make sure that the following requirements are covered by your internal control system software:

  • Free definition and standardization of release and processing procedures as well as the associated steps
  • Recurring activities are planned, started, processed and tracked by the system, for example, the assignment of tasks for testing control effectiveness

Notifications, status reports and reminders

In addition to the automated workflows, the associated notifications and reminders are also quite important. No user wants to constantly check the ICS tool just to verify if a task is pending. The following requirements are therefore helpful for evaluating the software:

  • Employees are informed automatically and individually about their respective tasks
  • The affected responsible persons are informed collectively about status changes at regular intervals


Dashboards

Dashboards also play a big role in our 9 key criteria. This is because they display the most essential information about specific objects in your company. Complex information should therefore be presented in an understandable way and key data needs to be visualized. It’s best to consider the following requirements:

  • All users are provided with an interactive, individual overview of their role-specific responsibilities and current tasks
  • Start and usability are deliberately kept simple and clear to facilitate the work of new users

An internal control system software should always provide role-specific dashboards

Monitoring, logging and historization

Monitoring, logging and historization – three powerful words. Only with these functionalities can audit security be assured and an overview of all data maintained. For this reason, the internal control system software should meet the following requirements:

  • To ensure auditing security and for reasons of traceability, relevant changes are automatically logged and historized
  • The process, control, risk and measure portfolios can be sorted and filtered by status, impact, responsibility and timing

Data processing, storage and validation

Data entry errors are annoying and often difficult to correct. Therefore, accurate data processing, filing and validation in particular are vital in an internal control system software. Pay particular attention to the following requirements:

  • Individual validation checks help to avoid incorrect entries and ensure correct, standardized and comparable data
  • In order to provide a complete picture of the ICS-relevant situation, external test results or control evidence can be uploaded as documents

Customization, integrations and extensions

As already mentioned at the beginning of this blog post, the internal control system software should be ideally adapted to your specific framework conditions and needs. Consequently, the possibility of customization, integration and expansion is relevant. In particular, make sure that you do not opt for a highly rigid system! Consider the following requirements:

  • The software offers many configuration options, which can be carried out by a customer-side admin. The provider imparts all necessary knowledge through the administration training it offers
  • A broad portfolio of further functional and technical modules and extensions is available (e.g. connection to company portals or the specific requirements of data protection)

Individual and flexible reporting

The last key criterion is reporting. It’s not only you (as an expert) who should understand the content of the system and data. There are, of course, several other stakeholders in your company that need to be taken into account. For this reason, reports should cover all relevant target groups and be adaptable to individual information needs. Concrete requirements for this would be the following:

  • The portfolio of available reports covers all target groups and can be individually adapted to the company’s requirements
  • Reporting enables the linking of information from the organization and business processes with the risk, control and measures catalogues


There’s undeniable evidence that an internal control system software can do wonders for your ICS practice. To ensure that you go with the right tool for your needs, a thorough assessment of various vendors is essential. Our free criteria catalogue spreadsheet can help you do that efficiently. Be sure to grab your free copy and don’t hesitate to reach out to one of our experts to discuss your individual needs and next steps!
