“All large companies on the global market need to act now, in their supply chains and in their own practice areas,” said Federal Employment Minister Hubertus Heil on the introduction of the German Supply Chain Act (Lieferkettengesetz (LkSG)). “We have fought hard and established a law that has legal consequences and packs a real punch.” In the future, a careful risk analysis needs to be carried out to determine whether a violation of human rights and environmental standards occurred in the past or can be expected in the future. From 1 January 2023 the Act will initially apply only to large companies with their administrative headquarters or statutory seat in Germany that normally have at least 3,000 employees in Germany [section 1 (1) sentence 1]. According to the Explanatory Memorandum on the SCDDA, this concerns approximately 600-700 companies. A year later, this threshold will drop to at least 1,000 employees [section 1 (1) sentence 3 SCDDA], and will concern approximately 2600-3500 companies, according to the Explanatory Memorandum on the SCDDA. 

On February 23, 2022, European Commission has adopted a proposal for a Directive on corporate sustainability due diligence. The proposal aims to foster sustainable and responsible corporate behavior throughout global value chains. 

The new due diligence rules will apply to the following companies and sectors 

  • EU companies
    • Group 1: all EU limited liability companies of substantial size and economic power (with 500+ employees and EUR 150 million+ in net turnover worldwide). 
    • Group 2: Other limited liability companies operating in defined high impact sectors, which do not meet both Group 1 thresholds, but have more than 250 employees and a net turnover of EUR 40 million worldwide and more. For these companies, rules will start to apply 2 years later than for group 1. 
  • Non-EU companies active in the EU with turnover threshold aligned with Group 1 and 2, generated in the EU. 

The proposal will be presented to the European Parliament and the Council for approval. Once adopted, Member States will have two years to transpose the Directive into national law and communicate the relevant texts to the Commission.

 

 January 1, 2023 

January 1, 2024 

Germany 

Large companies >3000 employees with admin headquarter or statutory seat 

Main Business areas and immediate suppliers 

Large companies >1000 employees with admin headquarter or statutory seat 

Date unknown, once law, to operationalize within 2 years

+2 years 

EU 

Limited Liability companies >500 employees and >150 M net turnover 

All Business areas and entire value chain 

Other limited Liability companies >250 employees and >40 M net turnover 

Differences and what you can do now 

The EU Supply Chain Directive is aimed at European-wide harmonized regulation. It is one of the numerous concrete implementations of the European Green Deal, which demands a sustainable corporate culture and is therefore ahead of the German LkSG. 

  • For now, the German Supply Chain Act is content with a policy statement, while the EU Directive sees ESG due diligence as an integral part of corporate policy. The EU directive will also require company management to take human rights, climate change and ecological consequences into account in all decisions. 
  • The German supply chain law has no direct regulation, although the BaFin issued a consultation paper in August 2021, in which the regulator sees ‘greenwashing’ as a big risk for the customers of investment funds. Greenwashing is when companies inflate their sustainability or “green” efforts typically through marketing or public relations activities. In its statement, the BaFin will conduct special audits and investigations if something seems amiss. 
  • Under the German LkSG, companies may only report on their own website, while under the EU directive, companies need to publicly communicate the exercised due diligence obligations. 
  • The German LkSG is satisfied with risk management that has been put in place, while the EU Supply Chain Directive provides for the establishment of a comprehensive compliance management system. In addition, due diligence processes are to be set up and monitored.

Mandatory / regulatory requirements 

  • The Board has to name a ‘Human Rights’ delegate 
  • The Board also has to set the ‘Human Rights’ strategy 
  • More work for the internal legal department as the international suppliers may have different laws and regulations to follow; increased reputational risk with more reliance on suppliers 
  • Agencies like BAFA (Bundesamt für Wirtschaft und Ausfuhrkontrolle), German regulator for economy and export control will be the new watchdog for this law. 

Highly advisable / recommendable 

  • Whistleblowing directive will also come into play as whole new playing field. 
  • CPI (Corruption Perception Index) – good reference to get started with supplier management 
  • Corporate Social Responsibility (CSR) reporting duty if listed so may not be applicable. 
  • Increased focus on supplier management and suppliers in general (direct vs indirect suppliers) 
  • Increased focus for HR department as regulatory Human Rights management new requirement 

The work plan has 6 planned phases. Onboarding requirements of suppliers; initial due diligence; checks, reviews and valuation of suppliers; risk mitigation of high vs low risk suppliers; transparency and controls aspects; and monitoring of all suppliers. 

Next steps 

It’s highly advisable to start as soon as possible if you are identified to be in scope. From the analysis above, we also recommend you not comply to the minimum requirements of the German LkSG, but rather start implementing a long-term strategy already thinking about the EU Directive. 

Our multidisciplinary teams will help you with the initial set up and implementation. Our expert knowledge of Compliance and Risk Management will support you in order to avoid missteps, potential fines and reduce conduct as well as reputational risk you may face. 

 

(Image: Mrzproducer/Adobe Stock)

Legal measures such as the Infection Protection Act made it necessary to record personal data such as access controls in accordance with the 3G regulation or even the vaccination status of employees as part of the Corona pandemic.

This legal protection measure has expired and therefore the retention of this collected data is considered so-called data retention.

Captured vaccination data or copies of vaccination cards are also sensitive health data that must be treated with special protection. Permanent retention no longer has a legal basis, and they would be obsolete for possible later use in the event of a new pandemic, for example in the winter of 2022/23.

Barbara Thiel, the data protection commissioner for Lower Saxony, is taking the lead in calling on all companies and authorities to delete personal data collected in connection with the corona pandemic now. It is expected that other state data protection authorities will take a similar position and threaten sanctions for non-compliance.

Review their collected data and delete any that are related to Corona pandemic regulations. (The slogan: less is more applies here).

Against the backdrop of ever-increasing threats from cyber attacks, companies and organizations are faced with the following questions:

  • Is my company sufficiently secured against cyber attacks?
  • Which unknown gaps and vulnerabilities lie dormant in the company’s IT and endanger my business processes or pose a significant risk to my company?
  • How can I increase information security in my company, if possible without additional costs, and bring it up to the state of the art?

Medium-sized and smaller companies in particular often find it difficult to address the issue holistically and bring information security to an appropriate level of protection across the board due to low staffing levels, a lack of expertise in IT security and limited budgets.
Outsourcing parts or all of the essential tasks for information security to an external specialist – a so-called Security Operation Center (SOC) or Cyber Defense Center (CDC) – offers a solution approach here that can be flexibly adapted to the requirements of each company.
A SOC/CDC is a service provider specializing in information security that is linked to the company’s IT and acts as a kind of security control center, taking over large parts or just selectively certain security services that would normally have to be covered by the company’s IT department:

  • Security-related monitoring of corporate IT
  • Proactive addressing of threat situations through threat intelligence
  • Detection and elimination of vulnerabilities in IT systems and processes
  • Detection and alerting in the event of cyber attacks
  • Defensive measures and damage limitation
  • Customer-related support and reporting on security issues

Highly specialized cybersecurity experts, including security architects, analysts and forensic specialists, work 24×7 on the premises of the SOC/CDC service provider. As in a command post, all security-related information is displayed on screens in real time and they can react immediately in the event of anomalies. The working method is characterized by optimal and integrated tool support, a high degree of automation of the analyses as well as the optimal team structure and communication of the SOC team.
Depending on the specific requirements of a customer, different service models of cooperation can be defined, which allow outsourcing only certain parts, or almost all security services to the SOC/CDC service provider. The advantages of using a SOC/CDC are obvious:

  • Fast and effective response through automation and use of specialists.
  • Protection against the current threat situation
  • Continuous documentation and traceability
  • No need to build up internal staff
  • Holistic protection concept and customized solutions possible depending on customer requirements
  • Demonstrable adherence to legal requirements and compliance

Especially for smaller companies and medium-sized businesses, outsourcing essential IT security services to an external specialist opens up the possibility of achieving a high level of protection and state-of-the-art IT security. Due to the different service models and great flexibility, the services of a SOC service provider can be ideally tailored to customer requirements. It is usually not necessary to build up additional internal resources or experts for information security.

 

Cyber-risks pose a major challenge to SMEs (Small Medium Enterprises). The impact is increasing. For management, this fact must be considered a top priority risk. 

Ransomware-attacks, where businesses are ‘crippled’ by their computer systems, have increased dramatically, almost doubling in the first half of 2021, while the average ransom to escape the dilemma has increased by 82%.  Globally, businesses of all sizes and types are being attacked by criminal ransomware. These attacks often bring business operations to a halt. Recovery takes time, becomes expensive, leads to image loss and can disrupt or even stop business operations. 

For example, JBS, the world’s largest meat processing company, had to pay a ransom of US $11 million to regain access to its data and systems. Ransomware led to shutdowns of water and water treatment plants at Norwegian energy technology company Volue, affecting 85% of the Norwegian population. Transnet, a South African port operator, was also affected by ransomware, causing disruptions and delays at one of South Africa’s major ports. In Germany, attacks on hospitals led to network problems and days of outages at the University Hospital in Düsseldorf or the Neuss Clinic. In hospitals in the USA, networks were reportedly disconnected due to ransomware in the first six months of 2021 – either through their own measures to avoid a security breach or because they were forced to do so by a severe malware infection. 

The problem with SMEs, unlike large companies, is that they do not have cybersecurity departments. Accordingly, they often only react after an attack, which can simply cripple business for many SMEs. 

A particularly worrying trend is that criminal cyber-attacks are taking shape in ways that were once the preserve of state actors. This is most common in so-called “supply chain attacks“, which affect the supply chain. Unknown flaws in the technology are exploited by companies that infect the company’s customers, bypassing traditional defences such as anti-virus software. 

Cyber technologies are exploited by states primarily to conduct economic espionage and intellectual property theft. State cyber operations have doubled since 2017, with a third of these attacks apparently targeting businesses. One of the most high-profile recent examples was the Russian attack on US technology company SolarWinds, which exploited security vulnerabilities in trusted technology products. 

SMEs are the engine of our society and unfortunately also the sore spot. It is all the more important that management recognises the risk and develops a good understanding of what it needs to protect and how much risk it wants to take. 

Important for the assessment is an independent evaluation of the cyber risk profile and the effectiveness of the current cyber security precautions in the company. Based on this, SMEs should invest in a cyber improvement programme and ensure they have access to the cyber skills they need, including independent third-party expert advice. 

What does the future hold for cyber security in SMEs? SMEs, especially growth companies, are potentially becoming real targets for attack as they expand. SMEs need to be more engaged in cyber security to effectively address the challenges in a timely manner. The Risk Management System (RMS) with all its processes needs to be rethought and implemented. Embedding a security culture in the company is the best protection against cyber threats and this needs to be exemplified from the top, top-down. 

Corporate IT in constant change 

Driven by technological change and entrepreneurial growth, many companies have the need to adapt their IT landscape and application environment to the new circumstances. Such adaptations almost always include changes to the underlying business processes as well as the introduction of new technologies, be it the replacement of legacy systems or the development/introduction of new software and applications (such as an ERP system), the outsourcing of the IT infrastructure to the cloud or the introduction of more complex topics such as blockchain technology or artificial intelligence. 

However, the modification of existing or the introduction of new IT systems is always associated with significant challenges. This applies both on a small and large scale and is to some extent independent of the type of project in question, although the risks increase in particular for medium-sized and large projects due to their increased complexity. 

Challenges in IT projects

The challenges in the implementation of IT projects consist first and foremost of the typical project risks such as schedule and budget overruns and quality risks. However, there are also other risks such as 

  • Risk of undesirable developments and non-fulfilment of requirements 
  • Gaps in information security and missing or inappropriate controls 
  • Migration risks 

Furthermore, when new processes and technologies are introduced, there is almost always uncertainty about the regulatory and legal requirements, which results in corresponding compliance risks. 

Possibilities of risk mitigation on the basis of IDW PS 850

A variety of project-related measures are possible to address these risks. Starting with classic project management activities such as the selection of a suitable project methodology, proper project planning and control as well as resource allocation, a clean requirements and quality management, up to appropriate testing and formal project acceptance. 

In addition, there is also the possibility of minimising project risks by involving an external, neutral authority that accompanies the project selectively for the acceptance of certain project milestones or for the entire duration of the project up to the final acceptance. 

The establishment of such a project-accompanying inspection by an external and neutral body offers the following opportunities: 

  • Early assurance that all requirements are taken into account in the specifications. 
  • Compliance requirements 
  • Compliance with relevant regularity requirements (e.g. balance sheet continuity) 
  • Security by design 
  • Adequate IT controls 
  • Coverage of requirements for future audits 
  • Neutral and independent assessment of project status (deliverables and milestones) 
  • Neutral and independent assessment of risks and measures during project implementation 
  • Additional quality assurance 
  • Overall acceptance of the project by an independent external body 

The procedure for such a project-accompanying audit is based on the auditing standard IDW PS 850 issued by the Institute of Public Auditors in Germany. This standard contains important specifications for auditing throughout the entire project life cycle: 

  • Project planning and organisation 
  • System design, development and test phases 
  • Data migration 
  • Rollout and go-live 

In addition, PS 850 also provides guidelines for the use of third-party examinations or audit results as well as for documentation and reporting. 

Conclusion

The early involvement of an external independent expert ensures compliance with the regularity requirements and balance sheet continuity, acts as a neutral authority for quality assurance and risk monitoring and may even serve as an institution for the acceptance of the overall project. 

The external auditing body can draw on experience from similar projects, provide valuable advice and recommendations for project implementation and thus significantly support the overall success of the project. 

Home office has been the policy solution since Covid-19 to minimise the spread of social distance in the workplace. In the past, working from a home office was unthinkable and had negative connotations. This is because the employer has little confidence in the employee. Self-discipline is a must here, as is the separation of work and private life. It can be seen that after the Corona pandemic, significantly more people are able to work on the move than before and want to keep it that way. Almost no one wants to go back to open-plan offices after Corona. New Work is the new buzzword. One could see that the productivity and work performance from the home office has not diminished, which is why many companies are more open to this topic. 

The growing interest in remote work also increases the temptation to move the home office abroad. However, certain regulations apply to a possible stay and the employer’s written consent is required. Within the EU, remote work is the least complicated. The reason for this is that no residence permit or work permit is required. Exceptions to this are third countries such as the United Kingdom. An A1 certificate is required so that social security contributions are not charged twice. With an A1 certificate, an employee proves that he/she is covered by social security in his/her home country during a business trip to another European country. This certificate is valid within the EU, the European Economic Area (EEA) and Switzerland. However, there is a social security challenge & risk for working from abroad. Here, the employer must familiarise himself with the social security regulations of the other country and implement the registration, reporting and contribution obligations correctly and on time. There is a risk of sanctions from the competent authorities if social security contributions are paid to the wrong social security system. 

In order to ensure that mobile working abroad can be legally regulated, a forward-looking plan should be drawn up together with the HR department and corresponding regulations, recorded in a supplementary agreement, should be made. If there are any concerns that the productivity or accessibility of the employee abroad will suffer, you can agree on a kind of test run. This does not apply to self-employed persons, as self-employed persons are freer to choose their workplace. 

Your tasks 

Your main task is to analyse and check company data. Furthermore, you evaluate the integrity, completeness and quality of the data in the processing process. You will take care of the use of services in projects in a diversified environment and actively participate. 

Your qualifications 

You have successfully completed a degree in (business) informatics, have a technical education or you are an experienced career changer. You have very good knowledge of SQL and at least one other database technology.
You have knowledge in at least one of these applications: 

  • SAP ERP / S4 / HANA
  • Navision / MS Dynamics 
  • proAlpha

Ideally, you can display and present data in clear cockpits. 

Our offer 

We offer you 

  • a working environment that you can actively help to shape and develop, 
  • the self-determination of your individual goals in our company, 
  • a varied working environment with good development prospects and appropriate remuneration, structured, sustainable training and further education at our academy in line with our common goals, 
  • attractive additional benefits, such as physiotherapy, sports, special leave for further training and a highly motivated team.

Working in a home office outside of client projects is possible, so relocation is not necessary. Please send us your informative profile or arrange a telephone appointment directly. We look forward to getting to know you better in a personal meeting. 

If you are interested, we look forward to hearing from you: 

iAP – Independent Consulting + Audit Professionals GmbH
Josef-Orlopp-Str. 54
10365 Berlin
Germany

Contact

Michaela Reichenbacher
Phone: +49 (0)30 4397 168-60
E-mail: bewerbung@audit-professionals.de

Take your chance – send us an unsolicited application 

You have everything you need for your success with us: Enthusiasm for IT consulting and testing, know-how, commitment, creativity and a lot of team spirit? But you can’t find the job of your dreams in our job offers? That doesn’t matter: simply become active yourself and send us your speculative application! It is important that you describe your desired field of activity as precisely as possible. It is always possible that the iAP is looking for you. 

Your documents will be examined individually by our respective department. We will then inform you as soon as possible about the next steps in the application process. 

We look forward to receiving your application and getting to know you! 

iAP – Independent Consulting + Audit Professionals GmbH
Josef-Orlopp-Str. 54
10365 Berlin
Germany

Contact

Michaela Reichenbacher
Phone: +49 (0)30 4397 168-60
E-mail: bewerbung@audit-professionals.de

As an IT management consultancy, we focus on governance and compliance issues with an emphasis on information security and data protection, IT auditing and information management. In addition, we carry out consulting projects for groups and medium-sized companies on the selection, development and introduction of IT solutions and processes. 

Our clients appreciate our demand-oriented consulting, practice-oriented solution finding and the staffing of the projects with experienced consultants. Since 2008, we have already carried out more than 520 projects for medium-sized, large companies and corporate groups, also in an international environment. 

Your tasks 

Your main task is to check the compliance of IT systems and procedures within the scope of audits as well as IT management consulting for medium-sized and large companies. Furthermore, you will advise our clients in the area of information technology and business processes with regard to alignment with business objectives, business efficiency and quality, possible risks as well as compliance with internal and external guidelines. 

Your qualifications 

You have a university degree and at least three to five years of experience in conducting IT audits and/or IT management consulting. You know the usual business, support and IT service processes in companies and their business contexts. 

You have one or more skills and corresponding project experience in the following areas: 

  • internal auditing and compliance audits of IT-supported processes and IT systems 
  • Application of process and control-based frameworks such as COBiT and ITIL 
  • Experience in compliance auditing of SAP systems 
  • Experience in the creation / quality assurance of authorisation concepts 
  • IT security / data protection requirements (BDSG and DS-GVO) 
  • Audit-proof archiving of data and documents 
  • Business analysis / requirements management 

Ideally, you can prove your skills through subject-related certifications: 

  • preferably Certified Information Systems Auditor (CISA) 
  • Certified Information Systems Security Professional (CISSP) 
  • Certified Information Systems Manager (CISM) or comparable certification 
  • Project Management Professional (PMP), PRINCE 2 or comparable certification 
  • ISO27001 / BSI-Grundschutz Auditor 
  • ITIL V2/3 certification 

Our offer 

We offer you: 

  • a working environment that you can actively help to shape and develop, 
  • a varied working environment with a high degree of responsibility, good development prospects and appropriate, success-oriented remuneration, 
  • structured, sustainable training and further education in line with our common goals, 
  • a balanced professional orientation in line with your expectations, 
  • attractive additional benefits such as a company car, special leave for further training and various success bonuses. 

Working in home office outside of client projects is possible, so relocation is not necessary. 

Please send us your detailed profile with your desired conditions. We look forward to getting to know you better in a personal interview. 

If you are interested, we look forward to hearing from you: 

iAP – Independent Consulting + Audit Professionals GmbH
Josef-Orlopp-Str. 54
10365 Berlin
Germany

Contact

Michaela Reichenbacher
Phone: +49 (0)30 4397 168-60
E-mail: bewerbung@audit-professionals.de

For our demanding projects in companies from industry, banks and insurance companies, public utilities as well as public clients, we are looking for experienced employees for consulting in the IT environment throughout Germany with immediate effect. 

Your tasks

Your main task is to advise medium-sized and large international companies at the interface of information technology and business administration. You will also analyse and evaluate our clients’ information technology with regard to its business efficiency and quality, possible risks and compliance with internal and external company requirements. 

Your qualifications

  • You have a university degree (or comparable) 
  • You have three to five years of experience in working on complex consulting projects 
  • You are familiar with the usual business and support processes in companies and their business management interrelationships 
  • You have knowledge in the recording and visualisation of internal company processes as well as the application of process and control-based frameworks such as COBiT, COSO, ISO 2700XX or similar. 
  • You have already gained experience in working with common ERP systems such as SAP, proAlpha, Microsoft Dynamics/Navision and topics such as audit-proof archiving, IT security and related standards and norms are fundamentally familiar to you. 

Ideally, you can prove your skills through subject-related certifications, such as: 

  • Certified Information Systems Auditor (CISA) 
  • Certified Information Systems Security Professional (CISSP) 
  • Project Management Professional (PMP)

Our offer 

We offer you: 

  • a working environment that you can actively shape and develop 
  • the self-determination of your individual goals in our company 
  • a varied working environment with good development prospects and appropriate remuneration 
  • structured, sustainable training and further education at our academy in line with our common goals 
  • attractive additional benefits, such as physiotherapy, sports, special leave for further training and a highly motivated team. 

Working in a home office is possible. Relocation is not necessary. Please send us your informative profile or arrange a telephone appointment directly. We look forward to getting to know you better in a personal interview. 

If you are interested, we look forward to hearing from you: 

iAP – Independent Consulting + Audit Professionals GmbH
Josef-Orlopp-Str. 54
10365 Berlin
Germany

Contact

Michaela Reichenbacher
Phone: +49 (0)30 4397 168-60
E-mail: bewerbung@audit-professionals.de