Audit & Certification

Due to the constant development of IT technologies and applications and frequent organisational changes, IT systems of companies and public authorities are subject to permanent change. As a result, after each change or adaptation of the IT environment, the effect of these change on the underlying business processes and the protection goals of information security has to examined. Additional uncertainties arise from the multitude of threat scenarios and their further development into increasingly sophisticated variants.

Current and potential customers, suppliers, auditors, authorities, and other stakeholders have a fundamental interest in comprehensive information security of the company concerned and the correct functioning of its business and accounting-relevant processes. Specific verification obligations also result from regulatory and legal requirements for corporate IT.

Verification and confirmation of the correct functioning of the IT environment, compliance with information security and fulfilment of the legal requirements often require auditing support and expertise from external specialists.

Our experts support you in auditing your IT environment on the basis of the legal requirements, along international and national auditing standards, as well as using best practice and profiting from many years of experience.

The following audits, certifications and attestations services are part of our portfolio:

IT audit as part of the annual audit of auditors’ financial statements
Audit and certification of information security based on the relevant standards
Compliance audits for legal/regulatory requirements
Audit and certification of cloud security
Audit and certification of data centers
Software audits and certification
Audit and certification of internal control systems of service providers

Based on your specific problem, objectives, and the current status quo, we define in close cooperation with you the approach for the audit and assessment in order to obtain the respective certification.

Our experts have many years of experience in establishing audit and certification readiness as well as in the efficient execution of IT audits parallel to the ongoing day-to-day business of the IT department.

We work closely with you and always offer you transparency and clarity about the status of our audits and the progress of the certification activities.

Annual IT Audit based on ISA 315 (revised)

Within the scope of the audit of the annual financial statements by auditors, ISA 315 requires a risk-oriented IT audit for complex IT systems (revised 2019) in order to exclude risks of material misstatements. IT audits according to ISA 315 usually include at least an audit of the controls for adequacy as well as for effectiveness of controls. In addition, the audit may also include data analyses of the ERP system used by the client in order to verify the integrity of the data processing by the ERP system.

We support our clients and professional colleagues in conducting IT audits in accordance with the auditing standard ISA 315 (revised).

IT Audit comprehensive / focused (IDW PS 860)

Auditing standard IDW PS 860 was created for IT audits outside the annual audit and with a focus on specific topics. An audit based on this standard can refer to a complete IT system or an IT environment, or to specific topics, such as new technologies and trends:

Industry 4.0
Big Data
Internet of Things (IoT)
Web 3.0
Blockchain

As these topics increasingly affect not only the big players but also SMEs, a review and audit of the IT environment based on IDW PS 860 can make a significant contribution to information and process security for SMEs. However, the exact scope of the audit always depends on the objectives you are pursuing for the IT audit.

We support you in safeguarding your risks through our audits based on IDW PS 860.

Project IT Audit / Risk Assessments (IDW PS 850)

External project audits are suitable for avoiding undesirable developments, minimising risks and thus significantly supporting the success of the project through the neutral perspective of an external auditor. The IDW has developed the auditing standard IDW PS 850 for this purpose, which specifies the methodology and key topics for a project audits.

Whether migration projects, the development/introduction of new software and applications (such as an ERP system), the outsourcing of IT infrastructure to the cloud or the introduction of more complex topics such as blockchain technology or artificial intelligence – risk monitoring or a project audits by an neutral external party ensures the success of your project.

We support you by auditing your project before and during implementation, keep an eye on information security and implementation risks and take over the acceptance of project milestones or the entire project.

Audit of GOBD Conformity

The verification of the GoBD is the responsibility of the responsible tax & finance office and their auditors. In tax law, it is generally assumed that digital accounting is correct. However, in order not to experience any surprises during the audit by the tax office, the entire digital process of record keeping and processing as well as the software used in the process should be audited for compliance.

We support you in auditing your procedures and solutions for record keeping and processing and certify GOBD compliance.

Software Certification (IDW PS 880)

A software test and certificate according to IDW PS 880 proves whether the software you have developed or you are using meets the criteria of regularity and configurations are set up properly. The software certificate can be used to prove that the software processes data in a proper manner, which must be verified by auditors and clients, e.g. in the context of annual audits. Furthermore, a software certificate is a fundamental prerequisite for the success of sales activities for your software.

We support you with audit and certification of your software according to IDW PS 880.

Software Certification for Cloud Solutions (SOC 1 / ISAE3000)

Companies must control outsourced services just as effectively as they control their own internal processes. Cloudbased software solutions can be audited for German customers according to IDW PS 880, and a corresponding software certificate can be issued.

For international clients, a software audit in accordance with the SOC 1 standard in conjunction with ISAE 3000 is more appropriate. This involves checking whether the controls of the service provider and the software as a whole are appropriately designed (type 1 report) and also effective over time (type 2 report) in order to exclude risks for the accounting of the customers who use the cloud-based software solution for their business processes.

We support you in the audit of your cloud-based software solution as well as the surrounding internal control system according to SOC 1 / ISAE 3000 and the certification by one of our certified public accountants (CPAs).

Audit of IT Service Providers (ISAE 3000/3402, SOC 2 or IDW PS 951 )

With the outsourcing of services, the question always arises for companies as to whether the customer data is securely processed by the outsourcing service provider and whether the customer data is adequately protected.

By certifying their internal control system (ICS) based on a recognised standard, outsourcing service providers can prove to their customers that an internal control system with appropriately designed controls exists (type 1 report) and that it is also effective over time (type 2 report).

We support you as an outsourcing service provider in auditing your internal control system according to ISAE 3000/3402, SOC 2 or IDW PS 951 and certification by one of our certified public accountants (CPAs).

Audit of Cloud Service Providers (BSI C5, CSA CCM, ISO 27017 / 27018)

Whether SaaS, PaaS or IaaS – in order to survive in the market for cloud services and win new customers, cloud providers must not only implement good cloud solutions, but in particular prove to their current and potential customers that the processing of customer data in the cloud is secure.

In order to avoid a multitude of customer-specific audits, cloud providers can prove the security of their cloud solutions with a certification of the internal control system of their cloud solution by an external auditor based on an internationally recognised standard. Several standards are available for the implementation of cloud security, which can also serve as a basis for the testing and certification of cloud solutions (BSI C5, CSA CCM, ISO27017/18 and others).

We guide you through the implementation and testing of the internal control system for your cloud solution and support you in establishing cloud security according to the specifications of relevant cloud security standards and certification by one of our certified public accountants (CPAs).

ISMS Certification (ISO 27001)

Regardless of the size of the company, the number of locations or the sector in which it operates – whenever data is processed, risks regarding information security (confidentiality, availability and integrity) must be minimised. With a certification according to DIN ISO/IEC 27001:2022, companies can prove that an information security management system (ISMS) is established and operated that is compliant to the standard.

We prepare you for the certification of your company’s ISMS on the basis of the current standard DIN ISO/IEC 27001:2022 and certify the ISMS for the scope defined in advance.

ISMS Certification based on ISO 27001 and BSI Gundschutz

Some German clients require certification evidence for their customers’ ISMS according to DIN ISO 27001 based on BSI-Grundschutz. The audit carried out according to BSI specifications and the certificate issued by the BSI can be used to prove that an ISMS is being operated and has been audited by an independent auditor that complies with BSI-Grundschutz:

Definition of scope of the ISMS
Structural analysis
Assessment of protection needs
Modelling
Baseline protection check
Risk analysis
Consolidation of measures
Implementation of the basic protection measures

We prepare you for the certification of your company’s ISMS according to DIN ISO/IEC 27001 based on BSI Grundschutz and, together with our partners, certify your ISMS for the predefined scope.

IT Security Certification based on EU/German IT Security Regulation (EU NIS1(2); KRITIS §8a BSIG)

Operators of critical infrastructures (KRITIS) are obliged under Section 8a (3) BSIG to have their IT security checked every two years to determine whether their IT is state of the art. This applies to organisations and facilities from the following sectors:

Energy
Information technology and telecommunications
Transport and traffic
health
Media and Culture
Water
Food and Nutrition
Finance and insurance
Municipal waste management
State and administrations

We check the state of IT security in your company in cooperation with our partners according to the requirements of the German IT Security Act and verify whether your IT systems, processes and components are secured according state of the art.

Audit and Certification of IT Security Tobacco Companies according 2014/40/EU (TPD 2 /Track & Trace)

The Tobacco Products Directive (2014/40/EU) was set to force on 19 May 2014 and became applicable law in EU Member States on 20 May 2016. It contains rules on the manufacturing, presentation and sale of tobacco products. It also establishes an EU-wide system for monitoring and tracing to reduce illicit trade in tobacco products.

We are listed EU auditors and audit your company according to the requirements of 2014/40/EU and related implementing provisions.

Data Center Certification (DIN EN50600 and TSI.EN5060 V2.0)

The DIN EN 50600 standard is the first Europe-wide standard that defines comprehensive specifications for the planning, construction and operation of a data centre.The standard defines requirements for the following topics:

General conception
Building construction
Power supply
Regulation of environmental conditions
Telecommunications cabling infrastructure
Security systems
Information for management and operation
Requirements for key performance indicators and energy-related indicators

Data centre providers on the European market are increasingly being asked by their customers not only for ISO 27001 certification or additionally for an ISAE or SOC report, but also for compliance and certification of their data centre based on DIN EN 50600.

We support you in establishing certification readiness as well as in certifying your data centre according to DIN EN 50600 or the TSI requirements derived from the DIN standard.

IT Compliance Audits for Financial Institutions and Insurances (BAIT / KAIT / VAIT/ xAIT / PCI DSS)

The use of information technology in companies operating in the financial sector has central significance and will continue to gain even more importance. In several focused executive instructions, the German Federal Financial Supervisory Authority (BaFin) has defined specific requirements to be met or implemented for the implementation of secure design of IT systems as well as for associated processes and corporate governance (BAIT, VAIT, KAIT, xAIT).

Within the scope of their auditing activities, certified public accountants (CPAs) verify compliance with the requirements resulting from the regulatory and statutory requirements, e.g. guidelines EBA, ESMA, EIOPA, MaRiks, KaMaRisk, etc., as well as from further requirements within the scope of xAIT.

We support our professional colleagues in risk-based IT audits of institutions and companies in the financial sector along the regulatory and statutory requirements and – where applicable – taking into account the principle of proportionality.

AAE – Audit Advisory Evolution

Manual audits were yesterday!

AAE – Audit Advisory Evolution analyzes your ERP system data customized to your individual need without limiting the number of records.

Results are gained from the analyses in order to

answer questions from the auditors during the year-end audits.
Management assessments are conducted.
Processes are visualized interfacing for optimization.
Anomalies are identified
and much more

AAE combines a complete and automated digital ERP data audit with a reliable IT audit. Manual samples are not needed and the audit risk and duration are significantly reduced. The analyses data are visualized appealingly in dashboards.

Highest safety standards during the data processing are mandatory. Your own infrastructure and personnel are not needed.

AAE is based on Business Intelligence combined with a comprehensive test questionnaire, which was developed together with auditors.