iAP GRC

Audit & Certification

Audit & Certification

Due to the constant development of IT technologies and applications and frequent organisational changes, IT systems of companies and public authorities are subject to permanent change. As a result, after each change or adaptation of the IT environment, the effect of these change on the underlying business processes and the protection goals of information security has to examined. Additional uncertainties arise from the multitude of threat scenarios and their further development into increasingly sophisticated variants.

Current and potential customers, suppliers, auditors, authorities, and other stakeholders have a fundamental interest in comprehensive information security of the company concerned and the correct functioning of its business and accounting-relevant processes. Specific verification obligations also result from regulatory and legal requirements for corporate IT.

Verification and confirmation of the correct functioning of the IT environment, compliance with information security and fulfilment of the legal requirements often require auditing support and expertise from external specialists.

Our experts support you in auditing your IT environment on the basis of the legal requirements, along international and national auditing standards, as well as using best practice and profiting from many years of experience.

The following audits, certifications and attestations services are part of our portfolio:

  • IT audit as part of the annual audit of auditors’ financial statements  
  • Audit and certification of information security based on the relevant standards 
  • Compliance audits for legal/regulatory requirements 
  • Audit and certification of cloud security  
  • Audit and certification of data centers 
  • Software audits and certification 
  • Audit and certification of internal control systems of service providers 

Based on your specific problem, objectives, and the current status quo, we define in close cooperation with you the approach for the audit and assessment in order to obtain the respective certification.  

Our experts have many years of experience in establishing audit and certification readiness as well as in the efficient execution of IT audits parallel to the ongoing day-to-day business of the IT department. 

We work closely with you and always offer you transparency and clarity about the status of our audits and the progress of the certification activities. 

iAP | Prüfung und Zertifizierung
Within the scope of the audit of the annual financial statements by auditors, ISA 315 requires a risk-oriented IT audit for complex IT systems (revised 2019) in order to exclude risks of material misstatements. IT audits according to ISA 315 usually include at least an audit of the controls for adequacy as well as for effectiveness of controls. In addition, the audit may also include data analyses of the ERP system used by the client in order to verify the integrity of the data processing by the ERP system.
We support our clients and professional colleagues in conducting IT audits in accordance with the auditing standard ISA 315 (revised).
Auditing standard IDW PS 860 was created for IT audits outside the annual audit and with a focus on specific topics. An audit based on this standard can refer to a complete IT system or an IT environment, or to specific topics, such as new technologies and trends:
  • Industry 4.0
  • Big Data
  • Internet of Things (IoT)
  • Web 3.0
  • Blockchain
As these topics increasingly affect not only the big players but also SMEs, a review and audit of the IT environment based on IDW PS 860 can make a significant contribution to information and process security for SMEs. However, the exact scope of the audit always depends on the objectives you are pursuing for the IT audit.
We support you in safeguarding your risks through our audits based on IDW PS 860.

 

External project audits are suitable for avoiding undesirable developments, minimising risks and thus significantly supporting the success of the project through the neutral perspective of an external auditor. The IDW has developed the auditing standard IDW PS 850 for this purpose, which specifies the methodology and key topics for a project audits.
Whether migration projects, the development/introduction of new software and applications (such as an ERP system), the outsourcing of IT infrastructure to the cloud or the introduction of more complex topics such as blockchain technology or artificial intelligence – risk monitoring or a project audits by an neutral external party ensures the success of your project.
We support you by auditing your project before and during implementation, keep an eye on information security and implementation risks and take over the acceptance of project milestones or the entire project.
The verification of the GoBD is the responsibility of the responsible tax & finance office and their auditors. In tax law, it is generally assumed that digital accounting is correct. However, in order not to experience any surprises during the audit by the tax office, the entire digital process of record keeping and processing as well as the software used in the process should be audited for compliance.
We support you in auditing your procedures and solutions for record keeping and processing and certify GOBD compliance.
A software test and certificate according to IDW PS 880 proves whether the software you have developed or you are using meets the criteria of regularity and configurations are set up properly. The software certificate can be used to prove that the software processes data in a proper manner, which must be verified by auditors and clients, e.g. in the context of annual audits. Furthermore, a software certificate is a fundamental prerequisite for the success of sales activities for your software.
We support you with audit and certification of your software according to IDW PS 880.
Companies must control outsourced services just as effectively as they control their own internal processes. Cloudbased software solutions can be audited for German customers according to IDW PS 880, and a corresponding software certificate can be issued.
For international clients, a software audit in accordance with the SOC 1 standard in conjunction with ISAE 3000 is more appropriate. This involves checking whether the controls of the service provider and the software as a whole are appropriately designed (type 1 report) and also effective over time (type 2 report) in order to exclude risks for the accounting of the customers who use the cloud-based software solution for their business processes.
We support you in the audit of your cloud-based software solution as well as the surrounding internal control system according to SOC 1 / ISAE 3000 and the certification by one of our certified public accountants (CPAs).
With the outsourcing of services, the question always arises for companies as to whether the customer data is securely processed by the outsourcing service provider and whether the customer data is adequately protected.
By certifying their internal control system (ICS) based on a recognised standard, outsourcing service providers can prove to their customers that an internal control system with appropriately designed controls exists (type 1 report) and that it is also effective over time (type 2 report).
We support you as an outsourcing service provider in auditing your internal control system according to ISAE 3000/3402, SOC 2 or IDW PS 951 and certification by one of our certified public accountants (CPAs).

 

Whether SaaS, PaaS or IaaS – in order to survive in the market for cloud services and win new customers, cloud providers must not only implement good cloud solutions, but in particular prove to their current and potential customers that the processing of customer data in the cloud is secure.
In order to avoid a multitude of customer-specific audits, cloud providers can prove the security of their cloud solutions with a certification of the internal control system of their cloud solution by an external auditor based on an internationally recognised standard. Several standards are available for the implementation of cloud security, which can also serve as a basis for the testing and certification of cloud solutions (BSI C5, CSA CCM, ISO27017/18 and others).
We guide you through the implementation and testing of the internal control system for your cloud solution and support you in establishing cloud security according to the specifications of relevant cloud security standards and certification by one of our certified public accountants (CPAs).
Regardless of the size of the company, the number of locations or the sector in which it operates – whenever data is processed, risks regarding information security (confidentiality, availability and integrity) must be minimised. With a certification according to DIN ISO/IEC 27001:2022, companies can prove that an information security management system (ISMS) is established and operated that is compliant to the standard.
We prepare you for the certification of your company’s ISMS on the basis of the current standard DIN ISO/IEC 27001:2022 and certify the ISMS for the scope defined in advance.
Some German clients require certification evidence for their customers’ ISMS according to DIN ISO 27001 based on BSI-Grundschutz. The audit carried out according to BSI specifications and the certificate issued by the BSI can be used to prove that an ISMS is being operated and has been audited by an independent auditor that complies with BSI-Grundschutz:
  • Definition of scope of the ISMS
  • Structural analysis
  • Assessment of protection needs
  • Modelling
  • Baseline protection check
  • Risk analysis
  • Consolidation of measures
  • Implementation of the basic protection measures
We prepare you for the certification of your company’s ISMS according to DIN ISO/IEC 27001 based on BSI Grundschutz and, together with our partners, certify your ISMS for the predefined scope.

 

Operators of critical infrastructures (KRITIS) are obliged under Section 8a (3) BSIG to have their IT security checked every two years to determine whether their IT is state of the art. This applies to organisations and facilities from the following sectors:
  • Energy
  • Information technology and telecommunications
  • Transport and traffic
  • health
  • Media and Culture
  • Water
  • Food and Nutrition
  • Finance and insurance
  • Municipal waste management
  • State and administrations
We check the state of IT security in your company in cooperation with our partners according to the requirements of the German IT Security Act and verify whether your IT systems, processes and components are secured according state of the art.
The Tobacco Products Directive (2014/40/EU) was set to force on 19 May 2014 and became applicable law in EU Member States on 20 May 2016. It contains rules on the manufacturing, presentation and sale of tobacco products. It also establishes an EU-wide system for monitoring and tracing to reduce illicit trade in tobacco products.
We are listed EU auditors and audit your company according to the requirements of 2014/40/EU and related implementing provisions.
The DIN EN 50600 standard is the first Europe-wide standard that defines comprehensive specifications for the planning, construction and operation of a data centre.The standard defines requirements for the following topics:
  • General conception
  • Building construction
  • Power supply
  • Regulation of environmental conditions
  • Telecommunications cabling infrastructure
  • Security systems
  • Information for management and operation
  • Requirements for key performance indicators and energy-related indicators
Data centre providers on the European market are increasingly being asked by their customers not only for ISO 27001 certification or additionally for an ISAE or SOC report, but also for compliance and certification of their data centre based on DIN EN 50600.
We support you in establishing certification readiness as well as in certifying your data centre according to DIN EN 50600 or the TSI requirements derived from the DIN standard.
The use of information technology in companies operating in the financial sector has central significance and will continue to gain even more importance. In several focused executive instructions, the German Federal Financial Supervisory Authority (BaFin) has defined specific requirements to be met or implemented for the implementation of secure design of IT systems as well as for associated processes and corporate governance (BAIT, VAIT, KAIT, xAIT).
Within the scope of their auditing activities, certified public accountants (CPAs) verify compliance with the requirements resulting from the regulatory and statutory requirements, e.g. guidelines EBA, ESMA, EIOPA, MaRiks, KaMaRisk, etc., as well as from further requirements within the scope of xAIT.
We support our professional colleagues in risk-based IT audits of institutions and companies in the financial sector along the regulatory and statutory requirements and – where applicable – taking into account the principle of proportionality.

AAELogo

AAE – Audit Advisory Evolution

Manual audits were yesterday!

AAE – Audit Advisory Evolution analyzes your ERP system data customized to your individual need without limiting the number of records.

Results are gained from the analyses in order to

  • answer questions from the auditors during the year-end audits.
  • Management assessments are conducted.
  • Processes are visualized interfacing for optimization.
  • Anomalies are identified
  • and much more

AAE combines a complete and automated digital ERP data audit with a reliable IT audit.Manual samples are not needed and the audit risk and duration are significantly reduced. The analyses data are visualized appealingly in dashboards.

Highest safety standards during the data processing are mandatory. Your own infrastructure and personnel are not needed.

AAE is based on Business Intelligence combined with a comprehensive test questionnaire, which was developed together with auditors.

With this iAP service, your audit will become AAEasy!

You have questions? We have answers!