Internal controls in the EU: expected, monitored, checked.

Across the EU, an effective internal control system stopped being a best practice and became a legal expectation. The Accounting Directive requires listed companies to describe the main features of their internal control and risk management systems in relation to financial reporting. The Audit Directive obliges audit committees to monitor the effectiveness of those systems. And several member states have gone further, with Germany's FISG as the sharpest example. Here is what that means when someone actually checks.

By the RiskForge team · June 2026

The EU baseline: two directives.

Two pieces of EU law set the floor. The Accounting Directive (2013/34/EU, Art. 20) requires listed companies to publish, in their corporate governance statement, a description of the main features of their internal control and risk management systems in relation to the financial reporting process. You cannot describe what does not exist, so the disclosure duty is in practice a duty to have a working system. The Audit Directive (2006/43/EC, as amended by 2014/56/EU) obliges the audit committee to monitor the effectiveness of the undertaking's internal quality control and risk management systems. Monitoring effectiveness presumes the system produces evidence of operation that a committee can actually review.

How member states sharpen it.

National law builds on that floor, and Germany built highest. The Financial Market Integrity Strengthening Act (FISG), passed in 2021 after the Wirecard collapse, made an appropriate and effective internal control and risk management system an explicit legal duty of the management board of listed companies (§ 91 Abs. 3 AktG), with IDW PS 982 as the audit standard for testing effectiveness. Corporate governance codes in other member states, such as France and the Netherlands, expect boards to report on risk management and control. And statutory auditors everywhere work to the same international standards, ISA 315 and ISA 330, which require them to understand and respond to the control environment in every audit, in every country, regardless of listing.

Why it reaches unlisted companies.

A family-owned company is rarely bound by these provisions directly. But its statutory auditor applies the same raised expectations to every engagement. Its bank's credit committee asks about controls. Its advisory and supervisory board members sit on listed boards and import the standard. In practice, "appropriate and effective" has become the bar for any company of meaningful size, listed or not, in every EU member state.

What "effective" means when someone checks.

  • Controls are defined against actual risks, not copied from a template
  • They demonstrably operated throughout the period, which requires evidence of operation, not of design
  • Violations were detected, escalated and resolved, with a traceable record
  • The system covers IT and process change, not only financial postings

The second point is the trap. Most companies can show a control matrix. Very few can show, for any given week of the year, that the control actually fired. Continuous monitoring is the only economical way to produce operation evidence across a full period, because a sample proves a moment, not a year.
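To make that distinction concrete, here is an added illustration (not RiskForge's code): a small script that takes a control matrix and an evidence log and lists, per control, the ISO weeks of the audit period in which there is no record of the control having fired. The control IDs and the log are constructed sample data.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample evidence log: one "control_id,YYYY-MM-DD" record per observed
# execution of a control. In practice this would be exported from the monitoring tool.
EVIDENCE_LOG = """\
PAY-01,2025-01-03
PAY-01,2025-01-10
PAY-01,2025-01-24
JE-02,2025-01-06
JE-02,2025-01-13
JE-02,2025-01-20
JE-02,2025-01-27
"""

def parse_evidence(text):
    """Map each control id to the set of ISO (year, week) pairs in which it fired."""
    fired = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        control_id, day = line.strip().split(",")
        year, week, _ = date.fromisoformat(day).isocalendar()
        fired[control_id].add((year, week))
    return fired

def weeks_in_period(start, end):
    """Ordered list of every ISO (year, week) touched by start..end (ISO date strings)."""
    weeks = []
    day, last = date.fromisoformat(start), date.fromisoformat(end)
    while day <= last:
        year, week, _ = day.isocalendar()
        if (year, week) not in weeks:
            weeks.append((year, week))
        day += timedelta(days=1)
    return weeks

def coverage_gaps(text, expected_controls, start, end):
    """Per control in the matrix, the weeks of the period with no operation evidence.
    A control that exists in the matrix but never appears in the log (design only)
    comes back with every week of the period as a gap."""
    fired = parse_evidence(text)
    period = weeks_in_period(start, end)
    return {c: [wk for wk in period if wk not in fired.get(c, set())]
            for c in expected_controls}

if __name__ == "__main__":
    matrix = ["PAY-01", "JE-02", "VM-03"]  # VM-03: in the matrix, never evidenced
    for control, gaps in coverage_gaps(EVIDENCE_LOG, matrix, "2025-01-01", "2025-01-31").items():
        status = "evidenced every week" if not gaps else f"no evidence in weeks {[w for _, w in gaps]}"
        print(f"{control}: {status}")
```

Run against a whole financial year, the output is exactly the per-week operation evidence the audit committee and the auditor are asked to review; a sampled control test would only ever establish one of those weeks.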

The pragmatic path.

Start with the processes where money actually leaves: payments, vendor master, journal entries. Instrument them for continuous operation evidence. Extend to IT general controls, and to change management in particular, because IT change is where most control bypasses originate. Keep evidence in a form your auditor can verify independently, whichever member state's rules you answer to. That order delivers a defensible control narrative fastest, whatever tooling you choose. It is also, not by accident, the order in which RiskForge deploys.

See RiskForge on your own processes.

A 30-minute walkthrough against realistic SAP scenarios: payment runs, journal entries, transports. No slides, just the actual product.