Governance, Risk & Compliance Management (GRC) summarises the three most important levels of action of a company for its successful leadership:
- Governance is the management of a company through defined guidelines. This includes the definition of corporate goals, the methods for their implementation and the planning of the necessary resources to achieve the goals.
- Risk stands for risk management with known and unknown risks through defined risk analyses. An important component is dealing with risks at an early stage, providing strategies for minimising risks and taking precautions in the event of risks occurring.
- Compliance is the observance of internal and external rules for the provision and processing of information. This includes, among other things, the access regulations for data as well as the legal framework for its use.
With our audits and consultations in the audit-related environment, we provide impulses and indications for sustainable corporate governance.
IT Audit (PS 330)
Within the audit framework of financial statements, the consideration of IT risks resulting from the use of IT is necessary. Therefore, iAP supports clients and professional colleagues in conducting IT audits.
The migration audit is a partial audit of the project-accompanying audit. In the course of a migration, an “old” system landscape is transferred to a “new” system landscape. Usually, master data (e.g. customer data), transaction data (e.g. account movements and account transaction figures) and control data (e.g. data for account determination, control keys) are transferred across all affected systems.
Software audit (PS 880)
The aim is to obtain a statement as to whether the developed or used software, when properly used and set up, meets the criteria of regularity agreed as a benchmark for the assessment, e.g. from the German Commercial Code. This way, the auditor, the client and the client’s customer have security through the audit certificate and the investment.
ICS audit according to ISAE (ISAE 3000/3402) or IDW PS 951
Companies must control outsourced services just as effectively as they control in-house processes. The management of the service provider confirms this annually in a standardised report. An auditor confirms this management assurance. We check the IT-related internal control system (ICS) and work with the auditor accordingly.
Internal revision (other IT/ non IT)
We offer outsourced internal revision and support you with spontaneous or continuous control tasks in your company. Our experts help in IT-related and non-IT-related areas, including fraud prevention and other investigations.
When processes are to be optimised or systems streamlined, these projects are always associated with high risks. It does not matter whether a new ERP or archiving system or payroll accounting is being introduced. A project-accompanying revision can help to save costs.
ISMS audit (ISO 27001)
We identify the real processes in companies with a structured ACTUAL STATE analysis. With a pragmatic TARGET concept, we create the basis for optimising the processes. Industry-specific knowledge enables us to develop your solution approaches. We prepare you for certification according to ISO/IEC 27001 as well as BSI basic protection.
IT audit (PS 860)
With the auditing standard IDW PS 860, an audit or assessment of adequacy up to a holistic IT system audit can be applied for sub-areas or for the IT landscape outside the audit of the financial statements.
The implementation of an Information Security Management System (ISMS) supports all obligations of operators of critical infrastructures. In addition to IT-related aspects, the focus is also on all relevant external factors influencing information security. These include, for example:
- Organisational and personnel security or
- Physical security
Compliance Management System
Compliance management is the effective administration of the various external and internal rules for the company. The functionality and effectiveness of compliance to legal requirements should be auditable at all times. We identify synergies and design a management basis for you.
Control systems serve to ensure process safety. Risks are transparent and controlled by the ICS. New challenges arise with Cloud applications. The BSI has issued a current standard – Cloud Criteria C5. We guide you through the implementation and testing. Also, we support you in establishing Cloud security according to the specifications of the relevant Cloud security standards as well as safeguarding compliance.
ICS Consulting (ISAE 3000/3402)
Internal control systems serve to ensure process safety. Risks are transparent and controlled by the ICS. We tell you which controls you need and how they can be implemented effectively. A standardised certificate also proves this to the customers.
IAM – Identity and Access Management
A professional authorisation management is the basic prerequisite for meeting all information security requirements. Central mechanisms can be used to ensure comprehensive access control.
ISMS audit (ISO 27001, KRITIS, IT SG)
Increasing demands on information security require a methodical approach to managing the risks involved. The quality of a risk management system determines the effectiveness and efficiency of the Information Security Management System (ISMS).
Risk Management (IT)/ Protection needs analysis
The risks of processing information are unknown and unassessed in the company and thus difficult to assess. The limitation to expensive individual measures leads to disappointing results and risky gaps. The adequacy of necessary measures cannot be assessed. In many cases, this leads to bad investments. A structured IT risk management system facilitates decisions and saves money.
Track and Trace
The Tobacco Products Directive (2014/40/EU) entered into force on 19 May 2014 and became applicable law in EU Member States on 20 May 2016. It contains rules on the manufacture, presentation and sale of tobacco products. It also sets out the introduction of an EU-wide monitoring and tracking system to curb illicit trade in tobacco products. We assume the inspection obligations contained therein and are listed with the EU as an inspector.