Service provider audits
– IDW PS 951 / ISAE 3402

Whether you are operating a computing center or handling wage and payroll accounting: There are many circumstances in which companies outsource (sub)processes in the IT area and internal data to external service providers. However, the company still retains responsibility for ensuring that processes are secure and conform with the law, and that the data remains available.

We support business owners, service providers and professional colleagues alike in this area.

The standard IDW PS 950, which applies to the work of German auditors, is based on the international standard ISAE 3402 (International Standard on Assurance Engagements 3402), and verifies that the selected service provider is performing outsourced processes properly. If a service provider is not able to provide this verification, then an audit of the service provider must be conducted by its customers during the course of their year-end audits.

The option to evaluate an audit report in accordance with IDW PS 951 (“the audit of the service provider’s internal controlling system for functions outsourced to the service provider company”) has been created to ensure that each auditor does not have to carry out the same audit activities with the service provider. If the service provider can submit this kind of verification, then the auditor does not have to complete the audit again.

Because of this, we complete audits for service providers in accordance with the standard IDW PS 951. If an audit is required under international standards, we apply the regulations of ISAE 3402. Based on the control description, we review the service provider’s processes and provide an assessment of the internal controlling system that auditors can rely on.

Then, we prepare a detailed report addressing the individual controlling objectives, the controls completed, and the results of audit activities. Here as well, we not only deliver the results of our audit, but also provide information and recommendations on how processes and controls can be optimized. This contributes to an ongoing process of optimization. In addition, the audit report also serves as an attribute of quality which the provider can use for advertising purposes, helping differentiate the service provider from its competitors.

For business owners, the verification guarantees that the service provider does fulfill legal requirements, and that the service provider’s internal controlling system is appropriate and effective. This provides security for process outsourcing.

Our services

  •  Audit report and verification according to the standard IDW PS 951, or the international standard ISAE 3402 that a service provider’s ICS is appropriate and effective, as certification for the auditor that outsourced processes are completed properly.
  • Feedback on options for optimizing internal processes.

Auditing the outsourcing agreement

For mid-sized businesses, in particular, maintaining their own IT systems and employing dedicated IT personnel can result in significant costs. Even if they use the services of external providers, the business still remain responsible for ensuring that IT and processes are compliant. We offer you the security you need with our auditing services.

The standard IDW PS 951 also includes auditing the outsourcing agreement. We review, for example, whether BDSG-related aspects have been taken into consideration appropriately, and ensure that you don’t have any surprises in carrying out the agreement.

Our services:

Auditing the outsourcing agreement

Auditing the service provider’s internal controlling system

Auditing the control description

Auditing compliance with controls (functional audit)

Auditing using a criteria-based approach

Our experience – Your added value

Your experts for IT & system auditing