IT assurance

The implementation of effective IT-supported controls in business processes (ITAC) and the secure operation of accounting-relevant IT applications are essential for digitally operating companies, not only for the effectiveness of the internal control system (ICS), but also for an efficient audit.

Many companies struggle with the introduction or hardening of ITGC and ITAC. We support our clients in the description or implementation of controls and in strengthening the provision of evidence in regular operations. The scope of support can range from a few workshops to the long-term deployment of resources for implementation or optimisation projects.

Changes to your accounting-relevant IT systems generally require consideration by the auditor. This requirement is derived from the applicable auditing standards (see ISA [DE] 315 REVISED 2019, para. A64). This consideration can take the form of a downstream or project-related audit.

In the interest of early consideration of compliance and security requirements, it is recommended that IT projects be audited during the project. This typically has the following advantages for the project:

• Compliance with commercial and tax law requirements
• Avoidance of undesirable effects on the audit
• Safeguarding the project process: We create transparency regarding project risks and enable management to counter risks in a timely and appropriate manner.

Digitalisation is not bypassing the tax authorities either. The digital tax audit complements the previous tax audit. Companies that use electronic data processing are obliged to keep the corresponding data in digital form. With the "Principles for the proper keeping and storage of books, records and documents in electronic form and for data access" (GoBD, see BMF letter dated 28 November 2019), the tax authorities have specified the requirements of the German Fiscal Code (AO).

These relate not only to the audit-proof storage of documents, but also to the entire processing procedure from the creation and recording of a business transaction to its processing in the business processes (and IT applications) through to the tax balance sheet and therefore affect not only financial accounting directly, but also upstream processes and systems.Put simply, all companies must fulfil GoBD requirements,

• that use business software,
• that exchange electronic tax-relevant data, i.e. data that is received electronically, e.g. by email or as an electronic invoice, is also processed electronically and
• in which electronic data is generated by the IT system itself, e.g. accounting records from financial accounting.

We support you in the implementation of all GoBD requirements with appropriate, customised solutions and the use of interdisciplinary teams consisting of tax and IT experts. In accordance with the applicable auditing standards, we focus on

• procedural documentation and general IT controls (basic element)
• the relevant processes (supplementary elements)
  - Audit of incoming documents
  - Audit of electronic outgoing documents
  - Audit of electronic storage
  - Audit of data access by the tax authorities

More and more companies are outsourcing parts of their IT to external service providers. Examples include the operation of data centres (e.g. at Google or Microsoft) or IT applications in the SaaS (Software as a Service) model. This regularly involves outsourcing processes and controls of the internal control system (ICS) that affect the accounting-relevant IT system. The following principle applies: outsourcing does not release the company from its control obligations.

Outsourcing companies must therefore consider whether the outsourced service-related ICS at the service provider is appropriate and / or effective. Service Organisation Control 1 (known as SOC 1 or "Sock One") reports are the tool for this. In the international environment, the IAASB (International Auditing and Assurance Standards Board) has created the ISAE 3402 standard (International Standard on Assurance Engagements No. 3402) for this purpose.

The subject of an audit in accordance with ISAE 3402 is the accounting-related services provided by service companies. The basis for the audit is the description to be prepared by the service provider of the service-related accounting-related internal control system.

The audit can be performed at a point in time or over time, i.e. in two versions or with two different results reports:

• ISAE 3402 Type 1 report only confirms the adequacy of internal controls and processes at a specific point in time.
• The ISAE 3402 Type 2 report goes one step further and confirms not only the adequacy of the controls, but also their effectiveness over a certain period of time.

Grant Thornton assumes the role of service auditor here. The IT service provider uses our ISAE 3402 report to confirm to its clients or their auditors that an appropriate and/or functioning internal control system is in place with regard to the outsourced processes.

In the early phases of IT outsourcing, we also help you prepare for an ISAE 3402 audit as part of a readiness project.

According to the definition of the German Federal Office for Information Security (BSI), critical infrastructures (KRITIS) are organisations and facilities that are important for the state community and whose failure or impairment would result in long-term supply bottlenecks, significant disruptions to public safety or other dramatic consequences. The requirements for KRITIS operators are defined in Section 8a (1) and (1a) BSIG.

The BSI's catalogue of requirements "Specification of the requirements for the measures to be implemented in accordance with Section 8a (1) BSIG" offers KRITIS operators and auditing bodies a specification of the requirements of Section 8a (1) and (1a) BSIG. In addition, the catalogue of requirements provides the auditing bodies with suitable criteria for an appropriate audit of the security measures used in order to be able to provide the required evidence in accordance with Section 8a (3) BSIG. As part of this audit, the catalogue of requirements can be used as a basis for testing, although it must also be adapted to the specific operational circumstances of the KRITIS operators.

The catalogue of requirements is an update of the catalogue of requirements developed in cooperation with the Expert Committee for Information Technology (FAIT) of the Institute of Public Auditors in Germany (IDW) on the basis of C5 2016.

Together with the catalogue of requirements, the supplementary audit procedures of IDW PH 9.860.2 provide operators of critical infrastructures and auditing bodies with guidance on suitable criteria for conducting an appropriate audit of the security measures used in order to be able to provide the required evidence in accordance with Section 8a (3) BSIG. Nevertheless, it is up to the operator and the auditing body to decide for the specific application whether these requirements are appropriate within the organisation or whether additional, more extensive requirements are necessary.