Technological transformation: the driver of our modern business world
Technological change is rapidly transforming the business world and presenting companies with new challenges. Legal requirements, complex IT systems and increasing compliance demands require fast and secure adaptations. With our IT Assurance Services, we ensure that your IT systems not only meet the latest standards, but also optimally support your company.
From ITGC and GoBD audits to data migrations and system rollouts - we offer customised solutions that combine security, efficiency and compliance.
Our IT assurance services
As your auditors and consultants, we combine in-depth expertise with practical solutions to ensure that your IT systems meet the highest standards and optimally support your company.
The implementation of effective IT-supported controls in business processes (ITAC) and the secure operation of accounting-relevant IT applications are essential for digitally operating companies, not only for the effectiveness of the internal control system (ICS), but also for an efficient audit.
Many companies struggle with the introduction or hardening of ITGC and ITAC. We support our clients in the description or implementation of controls and in strengthening the provision of evidence in regular operations. The scope of support can range from a few workshops to the long-term deployment of resources for implementation or optimisation projects.
Changes to your accounting-relevant IT systems generally require consideration by the auditor. This requirement is derived from the applicable auditing standards (see ISA [DE] 315 REVISED 2019, para. A64). This consideration can take the form of a downstream or project-related audit.
In the interest of early consideration of compliance and security requirements, it is recommended that IT projects be audited during the project. This typically has the following advantages for the project:
- Compliance with commercial and tax law requirements
- Avoidance of undesirable effects on the audit
- Safeguarding the project process: We create transparency regarding project risks and enable management to counter risks in a timely and appropriate manner.
Digitalisation is not bypassing the tax authorities either. The digital tax audit complements the previous tax audit. Companies that use electronic data processing are obliged to keep the corresponding data in digital form. With the "Principles for the proper keeping and storage of books, records and documents in electronic form and for data access" (GoBD, see BMF letter dated 28 November 2019), the tax authorities have specified the requirements of the German Fiscal Code (AO).
These relate not only to the audit-proof storage of documents, but also to the entire processing procedure, from the creation and recording of a business transaction to its processing in the business processes (and IT applications) through to the tax balance sheet. They therefore affect not only financial accounting directly, but also upstream processes and systems.
Put simply, the GoBD requirements must be fulfilled by all companies
- that use business software,
- that exchange tax-relevant data electronically, i.e. data that is received electronically (e.g. by email or as an electronic invoice) and is also processed electronically, and
- in which electronic data is generated by the IT system itself, e.g. accounting records from financial accounting.
We support you in the implementation of all GoBD requirements with appropriate, customised solutions and the use of interdisciplinary teams consisting of tax and IT experts. In accordance with the applicable auditing standards, we focus on
- procedural documentation and general IT controls (basic element)
- the relevant processes (supplementary elements)
- Audit of incoming documents
- Audit of electronic outgoing documents
- Audit of electronic storage
- Audit of data access by the tax authorities
More and more companies are outsourcing parts of their IT to external service providers. Examples include the operation of data centres (e.g. at Google or Microsoft) or IT applications in the SaaS (Software as a Service) model. This regularly involves outsourcing processes and controls of the internal control system (ICS) that affect the accounting-relevant IT system. The following principle applies: outsourcing does not release the company from its control obligations.
Outsourcing companies must therefore consider whether the outsourced service-related ICS at the service provider is appropriate and / or effective. Service Organisation Control 1 (known as SOC 1 or "Sock One") reports are the tool for this. In the international environment, the IAASB (International Auditing and Assurance Standards Board) has created the ISAE 3402 standard (International Standard on Assurance Engagements No. 3402) for this purpose.
The subject of an audit in accordance with ISAE 3402 is the accounting-related services provided by service companies. The basis for the audit is the description to be prepared by the service provider of the service-related accounting-related internal control system.
The audit can be performed at a point in time or over time, i.e. in two versions or with two different results reports:
- The ISAE 3402 Type 1 report confirms only the adequacy of internal controls and processes at a specific point in time.
- The ISAE 3402 Type 2 report goes one step further and confirms not only the adequacy of the controls, but also their effectiveness over a certain period of time.
Grant Thornton assumes the role of service auditor here. The IT service provider uses our ISAE 3402 report to confirm to its clients or their auditors that an appropriate and/or functioning internal control system is in place with regard to the outsourced processes.
In the early phases of IT outsourcing, we also help you prepare for an ISAE 3402 audit as part of a readiness project.
According to the definition of the German Federal Office for Information Security (BSI), critical infrastructures (KRITIS) are organisations and facilities that are important for the state community and whose failure or impairment would result in long-term supply bottlenecks, significant disruptions to public safety or other dramatic consequences. The requirements for KRITIS operators are defined in Section 8a (1) and (1a) BSIG.
The BSI's catalogue of requirements "Specification of the requirements for the measures to be implemented in accordance with Section 8a (1) BSIG" offers KRITIS operators and auditing bodies a specification of the requirements of Section 8a (1) and (1a) BSIG. In addition, the catalogue of requirements provides the auditing bodies with suitable criteria for an appropriate audit of the security measures used in order to be able to provide the required evidence in accordance with Section 8a (3) BSIG. As part of this audit, the catalogue of requirements can be used as a basis for testing, although it must also be adapted to the specific operational circumstances of the KRITIS operators.
The catalogue of requirements is an update of the catalogue of requirements developed in cooperation with the Expert Committee for Information Technology (FAIT) of the Institute of Public Auditors in Germany (IDW) on the basis of C5 2016.
Together with the catalogue of requirements, the supplementary audit procedures of IDW PH 9.860.2 provide operators of critical infrastructures and auditing bodies with guidance on suitable criteria for conducting an appropriate audit of the security measures used in order to be able to provide the required evidence in accordance with Section 8a (3) BSIG. Nevertheless, it is up to the operator and the auditing body to decide for the specific application whether these requirements are appropriate within the organisation or whether additional, more extensive requirements are necessary.