MaGo – Function of the internal audit

Irrespective of how departments are divided, original entrepreneurial management tasks remain within the overall responsibility of the board of directors as non-delegable management tasks. With regard to the internal audit, these original management tasks can be conceptual and organizational in nature, such as adopting or amending the written guideline for internal auditing in accordance with Section 23 VAG, but also event-related, such as dealing with audit planning or with audit results of considerable relevance to the enterprise.

MaGo – Function of the internal audit – key points

  • All companies must set up an internal audit. There are no exceptions.
  • The internal audit's mandate covers the entire business organization, including outsourced areas and processes.
  • Compliance with the audit plan, i.e. fulfillment of the audit function, takes precedence over the advisory function. Where necessary, the internal audit may restrict its advisory activities accordingly.


MaGo – Function of Internal Audit – Independence

Internal audit must not be subject to any influence (controls, restrictions or other interference) that could impair its independence and impartiality in the performance of its tasks (improper influence).
The internal audit must be independent of all departments in the company. This applies both to the person responsible for the internal audit function and to all persons who work for the internal audit.
In particular, the internal audit must not be impaired, not even indirectly, in performing audits, evaluating audit results and reporting those results. The internal audit must be able to communicate its results, findings, concerns, recommendations for improvement, etc. to the entire management immediately and without any prior alteration.

MaGo – Function of the internal audit – management's right to issue instructions

Management's right to issue instructions with regard to internal audit planning does not conflict with the independence of internal auditing. Article 271 (3) sentence 2 of the Delegated Regulation (EU) 2015/35 (DR) remains unaffected.
Internal auditing may not take on any operational functions or activities (Section 30 (2) sentence 1 VAG). This applies equally to all companies; proportionality considerations play no role here.
Cooperation between the other key functions and internal auditing is permitted. Improper influence from the other key functions is to be ruled out, among other things, by defining clear responsibilities.
The person internally responsible for the internal audit function may also be the internal person responsible for other key functions if all of the conditions specified in Article 271 (2) DR are met. The more key functions are affected, the more precisely the company must demonstrate that this structure is appropriate to its risk profile and that the independence of the internal audit cannot be impaired. Article 258 (1) letter g DR also applies (see 9.1.1).

MaGo – Further information from BaFin

With Circular 2/2017 (VA), BaFin published the minimum requirements for the business organization of insurance companies (MaGo). The current MaGo circular contains the following essential chapters:

  1. Purpose of the circular
  2. Scope and definition of terms
  3. Relationship of the circular to EIOPA guidelines and other BaFin publications / entry into force
  4. Proportionality principle
  5. Material risks
  6. Overall responsibility of the management
  7. Group-level governance requirements
  8. General governance requirements
  9. Key functions
  10. Risk management system
  11. Business organization requirements related to own funds
  12. Internal control system
  13. Outsourcing
  14. Contingency management


New data protection law (GDPR)

The following ten points are the essential innovations of the European General Data Protection Regulation (GDPR): the market location principle (territorial scope), new principles of data processing, a record of all data processing activities, extended information obligations, the right to be forgotten, protection of children's personal data, the data protection impact assessment, the "one-stop shop" principle, the stricter obligation to report data breaches, and significantly tightened sanctions and fines. Our series of seminars on data protection in companies presents all of these new features in a compact format.

Compliance & Money Laundering Officer

Our practical seminars Money Laundering and Fraud – Basic Seminar, Money Laundering and Fraud – Advanced Seminar, Money Laundering & Fraud – Update and Money Laundering & Fraud – Forum provide a comprehensive overview of the current legal innovations and support you in recognizing and evaluating money laundering and fraud structures and in preventing them in time.

Internal Audit

In the compliance seminars such as Compliance, Compliance for sales representatives, New compliance function in accordance with MaRisk or Compliance in the focus of banking supervision, you will learn more about designing the interfaces between compliance, data protection, IT, the central office and internal auditing. The minimum requirements for setting up an overall ICS are also explained in more detail there.
After attending the seminars, you also have the opportunity to complete the certification courses to become a Compliance Officer, AML & Fraud Officer or Money Laundering Officer.

If you are interested in this topic, the following seminars might be just right for you!

Certified Compliance Officer (S+P) course

Are you newly appointed as a compliance officer in a non-financial company? With the Certified Compliance Officer course, the S+P Entrepreneur Forum offers training to become a certified Compliance Officer (S+P). This certified program offers well-founded training at the highest level with top-class speakers with practical experience and maximum reference to entrepreneurial practice.


Your added value with the S+P certification program:

Our certification offer with a focus on your company:

  • Fast and direct implementation instructions from practice for practice
  • Modular structure of the certification
  • Flexible scheduling of the individual modular building blocks
  • The S+P Tool Box provides you with assistance for safe implementation in your own company practice
  • Sample guidelines, assessment tools and checklists guide you in putting what you have learned into practice.


Your practical implementation is our goal and with the certification offer we pave the way for you.

Book the Certified Compliance Officer (S+P) course conveniently and easily with the online seminar form and product no. A 14.


IT Compliance Manager

Are you fit & proper as an IT compliance manager? With the New IT Compliance Manager course, participants learn the following technical skills:


Book the New IT Compliance Manager course conveniently and easily with the online seminar form and product no. A16.

Target group for the New IT Compliance Manager course

  • Board members and managing directors at banks, financial service providers, capital investment and fund companies, leasing and factoring companies
  • Executives and specialists from the areas of information security management, outsourcing controlling, risk controlling, compliance, data protection and internal auditing


Your advantage with the New IT Compliance Manager course

Each participant receives the following S+P products with the seminar:

+ Organization manual for the information security guideline (approx. 30 pages)

+ S+P Tool Risk Assessment: Determination of IT protection requirements

+ S+P Check: User authorization management

+ S+P organization handbook data protection management (approx. 40 pages)

+ S+P Check: data protection, IT security and cyber risks


Program for the New IT Compliance Manager course

Implementing IT compliance securely

  • You need to know these "red lines": implement the minimum requirements from BAIT, VAIT, DIN EN ISO 2700x (the ISO/IEC 27000 series) and BSI IT-Grundschutz in an audit-proof manner
  • Which risks are "material"? Distinguishing the terms in Section 25b KWG, Section 26 ZAG and Section 32 VAG
  • Outsourcing or not? Correctly classifying software and IT services
  • IT compliance at a glance: dovetailing IT strategy, IT governance, information security and information risk management
  • AT 7: Audit focus on IT compliance: IT strategy, IT environment and IT organization in the focus of the new MaRisk, MaGo, KAMaRisk and BCBS 239


With the New IT Compliance Manager course, participants receive the S+P Tool Box:

+ S+P Test: Is the IT system compliant?

+ Organization manual for the information security guideline (approx. 30 pages)

+ S+P Check: System audit of the IT system


IT governance: Risk analysis to determine the need for IT protection

  • Risk analysis in information management
  • Implementation of the qualitatively tightened IT risk analysis based on uniform scoring criteria
  • Assessment of the need for protection with a view to integrity, availability, confidentiality and authenticity
  • New BaFin requirements for cloud computing: strategy, risk analysis and materiality assessment
  • Information security management: Creation of the catalog of target measures and derivation of risk-reducing measures


With the New IT Compliance Manager course, participants receive the S+P Tool Box:

+ S+P Tool Risk Assessment: IT protection requirements with scoring and risk-oriented derivation of the catalog of target measures


Obligations in data protection: Actively control interfaces between compliance, information security, money laundering prevention and data protection

  • Modules of an effective data protection system: interface management for
    • Record of processing activities, Art. 30 GDPR
    • Data protection impact assessment, Art. 35 GDPR
    • Deletion concept, Art. 17 GDPR and DIN 66398
  • Secure handling of in-house developed IT applications, access rights, IT approvals and changes to the IT system
  • Efficient communication with the outsourcing, data protection, money laundering and information security officers
  • Compliance control plan: the most important monitoring and control actions
  • Compliance requirements for control and reporting obligations in the IT area


Each participant receives the S+P Tool Box with the New IT Compliance Manager course:

+ Checklist: data protection for practitioners in accordance with the new GDPR

+ Checklist: Monitoring and documentation of control actions

+ Job description for information security officer


In addition to the New IT Compliance Manager course, the participants were also interested in the following seminars:

Compliance management in the company

Compliance Update 2019

Outsourcing in the focus of banking supervision

MaRisk 2017 – risk-bearing capacity – SREP – ICAAP

MaRisk 6.0 – new requirements for risk management

Risk management and internal control system

Compliance and risk management for entrepreneurs

Quality management course with certification

Data protection – duties for directors and compliance
