Set up a compliance management system according to IDW PS 980: Seven basic elements, documented in an audit-proof manner
The IDW PS 980 defines seven basic elements for an effective CMS. This article shows how to document culture, goals, risks, program, organisation, communication and monitoring so that an appropriateness and effectiveness test can pass.
The auditing standard IDW PS 980 (as of 2022) published by the Institute of Public Accountants describes the principles of proper auditing of compliance management systems. It is not a law, but it actually shapes the market standard: Anyone who wants to demonstrate a Compliance Management System (CMS) to supervisory bodies, insurers or business partners should follow the seven basic elements of the standard. This is relevant for management who are liable for breaches of supervisory duties according to Section 130 OWiG.
This article explains how you can convert the seven basic elements into a workable system instead of just writing a manual. You will receive a sequence, a list of documents and a realistic assessment of what depth is acceptable in a medium-sized company. The focus is on documentation that supports the audit and on responsibilities that work in everyday life.
Key Takeaways
- The IDW PS 980 requires seven basic elements: culture, goals, risks, program, organisation, communication, monitoring and improvement.
- An adequacy test assesses the concept, an effectiveness test assesses the implementation over a defined period of time.
- A CMS only becomes viable when each compliance obligation has a named person, an appointment certificate and a documented reporting path.
What the IDW PS 980 demands and what it doesn't demand
The IDW PS 980 is a professional auditing standard for auditors. It specifies how a CMS should be checked, not what it necessarily has to look like. In practice, however, the structure has established itself as a reference because insurers (D&O), investors, supervisory boards and business partners want to rely on a uniform framework.
Three stages are tested: conception (appropriateness), implementation and effectiveness. The concept test assesses whether the seven basic elements are coherent. The implementation test determines whether the CMS was implemented by a deadline. The effectiveness test looks at a period of time, usually six to twelve months, and assesses whether the system was effective. Which level you commission depends on the occasion: reversal of the burden of proof after incidents, preparation of a transaction, request from a major customer.
It is important to differentiate between special topics. IDW PS 980 is a roof standard. A Money Laundering Officer under the AMLA, a Data Protection Officer under Art. 37 GDPR or an Information Security Officer under NIS-2 are separate duties with their own orders, reporting channels and Supervisory procedures. The CMS bundles these roles, but does not replace them.
Basic element 1: Compliance culture
The compliance culture is the basic attitude of management and the workforce towards compliance with the rules. Auditors assess them using the so-called tone-at-the-top, codes of conduct, employee surveys, participation in training and behaviour in specific conflict situations.
In practical terms, this means: A code of conduct is necessary, but not sufficient. You need documented approval by management, verifiable distribution to all employees (e.g. via an LMS with read confirmation), recurring training with participation rates and documented handling of violations. The latter is the toughest test: anyone who allows a manager's violation to have no consequences undermines any culture. The sanction practice should therefore be communicated in anonymized examples without violating personal rights.
A second lever is integration into HR processes: compliance as a criterion in target agreements, in promotion decisions, in bonus clawback clauses (clawback). This interlocking can be documented and is resilient in the event of an audit. Three to five core documents are sufficient for the culture dimension: Code of Conduct, training plan with participation rates, disciplinary guidelines, employee surveys (annual or biannual), tone-at-the-top message from management with a date.
Basic Element 2: Compliance Goals
Compliance goals are derived from business activities. They define which legal areas the CMS covers and which are deliberately excluded. A mechanical engineering company with sales in 40 countries has different compliance goals than a regional service provider with ten employees.
A two-stage target system makes sense. At level 1 there are categories: corruption prevention, antitrust law, data protection, money laundering, export control, occupational health and safety, IT security, supply chain diligence, ESG reporting obligations. At level 2, the individual obligations are specified, each with a legal basis, affected processes and responsible role. This specification prevents the most common CMS problem: generic goals that control nothing.
The management approves the goals in writing. A change (e.g. after entering a new market) is documented with a date. Auditors check whether the objectives match the risk situation: Anyone who sells in the USA but does not have any FCPA or OFAC references in their compliance goals signals a gap. The target documentation typically consists of ten to fifteen pages and is reviewed annually. For this inventory, CIVAC provides audit templates that pre-structure the typical duties per legal area and allow assignment to the 25 representative roles.
Basic Element 3: Compliance Risks
Risk analysis is the heart of the CMS. It answers where irregular behaviour can occur, how likely it is and what damage is at risk. The IDW PS 980 requires a systematic, documented and recurring analysis. In medium-sized companies, two workshops per year are sufficient if they are structured.
The combination of inherent risk assessment and the effectiveness of the existing controls has proven to be methodologically proven. Each risk item is evaluated in a heatmap with probability of occurrence (1 to 5) and extent of damage (1 to 5), once before and once after controls. This results in the residual risk. Risks with a residual value above a defined threshold (for example 12 out of 25) are included in the action plan.
Typical risks in medium-sized companies: kick-back payments in purchasing, incorrect export permits, data protection violations in marketing tools, undeclared work in subcontractor chains, inadequate information security in cloud services. Each risk item receives a person responsible, a date of the next review and a template for reporting to management. An honest risk analysis also gives reasons for risks that are consciously accepted. Others run compliance like a filing cabinet. We run it like software.
Basic Element 4: Compliance Program
The compliance program is the collection of all preventative and detective measures that follow from the risk analysis. It includes policies, processes, training, controls and sanctions. In practice, it is the most comprehensive module in the CMS and requires the greatest implementation effort.
A proven structure divides the program into five pillars. Firstly, guidelines: Group-wide policies (Code of Conduct, anti-corruption, data protection, IT security, gifts and invitations) with version status, entry into force date and proof of distribution. Second, processes: approval paths for gifts, donations, sponsorships, third-party onboarding, and travel expense approval. Third, training: Mandatory training per role, frequency (annual or biannual), participation rate as a KPI. Fourth, controls: four-eye principle, separation of functions, automated limits in ERP systems, random checks by internal audit. Fifth, consequences: disciplinary measures with escalation levels.
Each measure is assigned to a risk. In the audit case, you must show that every high residual risk is addressed by at least one effective measure. The list of measures is not an end in itself: templates that no one uses are worthless. It is therefore advisable to start with ten to fifteen core guidelines and keep them in a central workspace with versioning, rather than with two hundred PDFs in a network drive.
Grundelement 5: Compliance-Organisation
The organisation clarifies who is responsible for compliance. The management bears overall responsibility in accordance with Section 130 OWiG, but can delegate this through a written order. Thecompliance officerplays the central role, alongside the specialist officers for data protection, money laundering, occupational safety and other specialist areas.
An audit-proof organisation includes three elements. First, the appointment document: It states the appointed person, the area of responsibility, the resources, the reporting line and the dismissal rules. The appointment certificate, signed, filed, verifiable. Secondly, the reporting line: who reports to whom, in what rhythm, with what format. As a rule, it results in a quarterly report to the management and an annual report to the supervisory board. Thirdly, escalation: In the case of serious incidents, a direct reporting line to management must be possible, without intermediate levels.
The question of whether compliance is staffed internally or externally is a question of resources. Licence the workspace for your internal representatives, or have our representatives order it. The CIVAC model is a compliance platform and officer-as-a-service: If necessary, you combine internal employees with externally appointed officers and maintain all appointment certificates, reporting paths and audit templates in a workspace with EU data residency.
Basic element 6: Compliance communication
Communication involves two directions. Guidelines, training and information are distributed top-down. Reports, inquiries and indications of violations are received bottom-up. Both channels must be documented.
Top-down, you should not only prove distribution, but also knowledge. Read confirmations, tests after training, annual self-assessments about knowledge of the Code of Conduct. The quotas are a KPI for the culture dimension. Bottom-up you need a protected reporting channel according to the HinSchG. Since 2023, the Whistleblower Protection Act has required companies with 50 or more employees to have an internal reporting office. The internal reporting office is therefore not an optional feature, but a requirement.
The reporting channel must allow anonymous reports, confirmation of receipt within seven days, feedback within three months and protection against reprisals. The information received is kept in a case register with the date of receipt, status, person responsible and date of completion. In the event of an audit, the case register is a central evidence element: it shows that the system is alive. In addition, compliance newsletters, intranet pages and an annual compliance day are part of a professional communication routine. Consistency is important: A newsletter that appears twice and then falls silent is a negative finding in an audit.
Core Element 7: Monitoring and Improvement
The seventh pillar closes the circle. Monitoring means: You measure whether the CMS is working and adjust it if not. Classic instruments are self-assessments by departments, reviews by internal audit, external audits and the evaluation of incidents and tips.
A robust monitoring model combines three lines of defence. First line: The departments themselves (purchasing, HR, sales) check whether their controls are effective and document this in a self-assessment tool. Second line: The compliance function and designees review first line controls and conduct their own spot checks. Third line: Internal audit or external auditors independently assess the entire system. In medium-sized companies, an external auditor often takes over the third line because an internal audit is not economically viable.
The improvement comes from three sources: results of monitoring, external reasons (new regulations, industry cases, reports from authorities) and internal incidents. Every insight flows into an action plan with those responsible, deadlines and status. Effectiveness can only be assessed after six to twelve months. Anyone who sets up a new CMS on the deadline of an audit passes the concept test but fails the effectiveness test. That's why the order is: build it up first, let it run for six to twelve months, then have it checked.
From concept to order
A CMS according to IDW PS 980 is not a file folder, but a working system with documentation, responsible persons and routines. The effort required to set up a medium-sized company is typically six to nine months of project time and ongoing personnel expenses of 0.3 to 1.0 full-time equivalents in the compliance function, depending on risk exposure and group size. There are also specialist officers in their specialist areas.
CIVAC is a compliance platform and officer-as-a-service. In the workspace you manage the seven basic elements with 490 ready-to-use audit templates, store appointment certificates for all 25 representative roles, document risk analyses and measures and export auditable reports. If you don't want to set up your own compliance function, you can order individual roles externally, with a defined reporting line to management. Both models meet the requirements of the IDW PS 980, the effort is just shifted.
Turn reading into a mandate. Write to info@civac.de or use the contact form. In an initial conversation, we will clarify which of the seven pillars you already have in place, what gaps exist and whether a workspace setup, an external order or a combination is the fastest way to be ready for the exam.
FAQ
Is a CMS according to IDW PS 980 legally required?
No, the IDW PS 980 is a testing standard, not a law. However, a compliance obligation of the management results from Section 130 OWiG and Section 91 Paragraph 2 AktG. Anyone who wants to fulfil this obligation in a audit-proof manner is actually guided by IDW PS 980 because auditors, insurers and investors are familiar with this framework.
How much does a CMS audit according to IDW PS 980 cost?
A pure concept test typically costs between 25,000 and 60,000 euros for medium-sized companies. A combined adequacy and effectiveness test costs 80,000 to 250,000 euros, depending on the size of the group and the scope. The internal effort for preparation is usually higher than the auditor's fee.
How long does it take to set up a CMS in a medium-sized company?
Realistically six to nine months from project start to implementation of all seven basic elements. This is followed by six to twelve months of operational operation before an effectiveness test makes sense. Anyone who promises a CMS in three months is documenting a concept but not implementing one.
Can small companies build a CMS according to IDW PS 980?
Yes, the standard is scalable. In small companies, the basic elements are documented more slenderly, one person takes on multiple roles, and the reporting frequency is lower. It remains important that the seven pillars are present and documented. An external officer model is often more economical than an internal structure.
How do CMS and individual representative roles relate to each other?
The CMS is the framework, the representatives are operational functions within it. Data protection, money laundering, occupational safety and other specialist areas have their own legal ordering obligations and reporting channels. The CMS bundles them organizationally and ensures that all obligations are recorded, documented and monitored.
What role does software play in building a CMS?
Software does not replace a compliance function, it structures it. A workspace with versioning, audit templates, reporting modules and task management significantly reduces the maintenance effort and makes the documentation resilient in the event of an audit. Without tools, the CMS dissipates into emails and network drives.
Sounds like a lot of work?
Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.
Turn this into a mandate.
Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.