Markus Keil
I. Auditing of the internal controlling system
Auditing of the internal controlling system at the service provider’s facility (outsourcing/multi-tenant service providers)
We are happy to audit the internal controlling system for service providers, such as data centre operators, application operators and shared service centres (with functions such as accounting, human resources management, IT operations and call centres).
The basis for this could be:
IDW audit standard: Auditing of the internal controlling system at the service provider’s facility for functions outsourced to the service provider (IDW PS 951) or the international counterparts, ISAE 3402 or SSAE 18.
The object is the (accounting-relevant) services provided by the service company.
The basis for the audit is the service provider’s documented controlling system.
The results are documented in a report that serves the statutory auditors of the service company’s clients as third-party audit results.
The audit is based on a specific period and can be limited to certain services. The audit may relate in terms of depth to:
Type A: Assessing the adequacy (in relation to the pursued objectives) and design of the described controls (reporting type A) or
Type B: Additionally assessing the effectiveness of the controls in the internal controlling system (reporting type B).
Audit type A requires further audits by the respective client/outsourcing companies. What type of test is meaningful here must be assessed in each case based on the services offered and the contracts concluded with the outsourcing company.
The service provider thus offers its customers an additional service which can be used by these customers to streamline the annual audit and internal auditing. Additionally, the auditing overhead for the service provider is minimised by avoiding the need for each customer to exercise its right to perform a full audit.
II. Setting up an appropriate ICS at the service provider for auditing in accordance with IDW PS 951
Internal controlling system (ICS) for service providers (outsourcing/multi-tenant service providers)
Legal representatives must put appropriate arrangements in place to manage the risks that arise from using IT to achieve the objectives defined in business policy. The control system must be oriented, as needs dictate, around common standards such as COBIT (Control Objectives for Information and Related Technologies), ITIL (IT Infrastructure Library) and other national standards (e.g. the standards of the IDW, the Institute of Public Auditors in Germany) and international standards (e.g. SOX, the Sarbanes-Oxley Act).
We offer to collaborate with you in establishing adequate monitoring and control systems that cover, as your needs dictate, the requirements arising from the tension between
- Legislative/regulatory compliance
- Efficiency
- Effectiveness
- Reproducibility