Information technology audit and certification

We audit and certify IT-supported processes, IT applications, selected IT-supported functions, the IT environment, the IT organisation and IT projects as well as many other audit areas in the IT environment in accordance with generally recognised national and international auditing standards.

PKF’s procedure model

  • Our procedure model is risk-orientated and complies with the generally accepted auditing standards.
  • We discuss our findings promptly with our clients. This allows us to clean up audit findings and re-examine the areas concerned before we form our opinion.
  • PKF employs highly qualified IT auditors. If necessary, an extended team can be called on, in which special expertise (e.g. data protection law, industry law, specific IT applications, such as SAP IS-U) is constantly available.
  • PKF’s audit approach is based on a comprehensive analysis of audit-relevant data. The audit findings are substantiated by evaluating available data.
  • It goes without saying that PKF works with the tools provided by the client. This can involve collaboration platforms and data analysis or project management tools and reporting packages. PKF operates its own ERP systems for development, testing and training purposes, ensuring in this way that its IT auditors are always highly qualified and experienced.

Project-accompanying audit using information technology

IT projects that are relevant to accounting and tax pose considerable risks. Failure to implement project requirements can threaten regularity, security risks can emerge and the entire probative value of accounting systems could be at risk. Furthermore, expensive change requests can arise if the company’s obligations to co-operate are incorrectly assessed, the contractor's obligations are not determined or the wrong type of contract is used. One method of ensuring that project goals are achieved and that regulatory and security requirements are met is to have the project audited by an expert third party.

PKF offers project audits on the basis of national and international auditing standards (IDW PS 850 and others). The audit approach is criteria-based and risk-orientated.

Security and regularity criteria are used as a basis here (sec. 145–147 of the Fiscal Code of Germany (AO, Abgabenordnung), sec. 238 et seqq. of the German Commercial Code (HGB, Handelsgesetzbuch), etc.). These criteria are typically supplemented by additional criteria for each individual mandate. In the project environment, these are especially criteria such as compliance with the company’s project management specifications, portability of software developments, conformity with labour and data protection regulations and user comprehensibility/accessibility.

The result of the audit is presented in a certificate showing the project results and explaining that the project was carried out in accordance with the specifications, that defined project goals have been achieved and that the project results comply with the applicable compliance and security requirements. The audit and the results of the audit are addressed to management bodies responsible for projects, members of steering committees, but also to bodies authorised to participate (data protection officer, works council, etc.).

Management in charge fulfils its monitoring duties by commissioning an audit to accompany the project. In addition, a project-accompanying audit ensures that projects are carried out in accordance with the company’s specifications, that project requirements are fully and correctly implemented and that a high degree of agreement among all stakeholders and instances is guaranteed. This inevitably leads to greater project efficiency.

The procedure model:

During the project audit, the project results presented below will form the subject matter of our audit:

Information technology audits outside the financial statement audit

Due to growing requirements for compliance, risk management and IT landscape security, there is a need to certify IT processes and IT systems outside the scope of the financial statement audit. Certification is scalable, ranging from the assessment of the appropriateness of data migration to a comprehensive IT system check for certain areas or for the entire IT landscape. One frequent application is system certification according to tax requirements (GoBD, Generally accepted principles for keeping and storing accounts, records and documents in electronic form and for data access). However, recognised standards and frameworks or criteria developed by the company itself can also be used as assessment criteria.

Examples of criteria for auditing according to this IDW auditing standard include:

  • Conformity of IT systems with tax requirements (sec. 14, 14b of the Value-added Tax Law (UStG, Umsatzsteuergesetz), sec. 146, 147 AO, GoBD), with GoBD requirements (see link: IT-Advisory – GoBD)
  • Compliance with statutory or regulatory requirements outside the scope of the financial statement audit, e.g. compliance with MaRisk, the IT Security Act or the Federal Data Protection Act (BDSG, Bundesdatenschutzgesetz) or the EU General Data Protection Regulation (EU-GDPR)
  • Security in the software development process
  • Conformity of IT systems with industry standards, e.g. Payment Card Industry Data Security Standard (PCI DSS), archiving standards, etc.
  • Conformity of IT systems with ISO and DIN standards
  • Conformity of IT systems with generally recognised frameworks, e.g. COSO, COBIT, ITIL®.
  • Conformity of projects or processes with generally recognised or other frameworks, e.g. PRINCE2®, Guide to the Project Management Body of Knowledge (PMBOK Guide)

Examples of IT-supported processes and systems:

  • Financial accounting
  • Electronic invoice receipt
  • Archiving
  • Goods management
  • Migration
  • Interface processing

PKF offers audits on the basis of national and international auditing standards (IDW PS 860, ISAE 300, and others). Audits according to IDW PS 860 can be designed as indirect or direct audits and as adequacy (type 1) or adequacy and effectiveness (type 2) audits.

  • Indirect audit
    A statement by the client's management regarding the principles, procedures and measures of the IT system to be audited forms the basis for an indirect audit. PKF examines whether this statement is free of errors in all material respects. In a second step, PKF examines the principles, procedures and measures described in the statement against the specified criteria.
  • Direct audit
    PKF maps the IT system as defined by the client and audits it on the basis of the specified criteria.
  • Adequacy audit (type 1)
    Assessment of the adequacy of the principles, procedures and actions in order to meet the defined criteria at a predetermined point in time.
  • Adequacy and effectiveness audit (type 2)
    In addition to the scope of the type-1 audit, the effectiveness of the principles, procedures and actions is assessed within a pre-defined audit period.

Auditing adherence to compliance and security requirements in software products

Accounting-related software:

Software audit and certification according to IDW PS 880 is an effective quality assurance tool for software manufacturers and users. An appropriately certified software product assures users that legal requirements have been met. That’s why software certification is a suitable tool for marketing your product.

The audit ensures that the software to be audited complies with the applicable legal requirements of the German Commercial Code, tax laws or industry-specific requirements.

Other software products

The client determines the criteria that form the basis for the software audit. This makes it possible to audit software according to other quality criteria and to certify its compliance.

Audit scope

Software audits include the assessment of the program functions necessary for the tasks of software products. The software audit may cover the entire software product or only individual, definable software modules.

The following aspects are considered in the audit:

  • Software development
  • Documentation
  • Software security
  • Program features

Audit of the internal control system of service companies

When accounting-related business processes and data are outsourced, it must be ensured that these processes and data comply with accounting compliance requirements. Outsourcing operational processes does not release the outsourcing company from its obligation to ensure an adequate internal control system within these processes. This means that the company should monitor whether the contractor properly fulfils its contractual obligations. This can be very costly for the client, but even more so for the contractor.

One way for the contractor to provide evidence that it has fulfilled its contractual obligations is to have the internal control system audited.

Examples of criteria for a corresponding audit:

  • Conformity of IT systems with tax requirements (sec. 238 et seqq. of the German Commercial Code (HGB), sec. 14, 14b UStG, sec. 140 et seqq., GoBD) (see link: IT-Advisory – GoBD)
  • Compliance with statutory or regulatory requirements, e.g. compliance with MaRisk, the IT Security Act or the Federal Data Protection Act (BDSG) or the EU General Data Protection Regulation (EU-GDPR)
  • Security of cloud services, e.g. Cloud Computing Compliance Control Catalogue (C5) of the Federal Office for Information Security
  • Conformity of IT systems with industry standards, e.g. Payment Card Industry Data Security Standard (PCI DSS), archiving standards, etc.
  • Conformity of IT systems with ISO and DIN standards
  • Conformity of IT systems with generally recognised frameworks, e.g. COSO, COBIT, ITIL®.
  • Conformity of projects or processes with generally recognised or other frameworks, e.g. PRINCE2®, Guide to the Project Management Body of Knowledge (PMBOK Guide)

A certificate in accordance with IDW PS 951 documents the appropriate establishment of an internal control system (type I) and also confirms compliance with the defined controls (type II). The resulting audit report can be made available to all clients and their auditors. This possibility is currently also seen as a quality criterion for service providers and can provide a competitive advantage.

IT audit as part of the financial statement audit

IT errors can lead to material misstatements in accounting. That’s why PKF’s IT audit approach is especially geared to assessing and evaluating accounting-relevant error risks in the IT system. The audit therefore focuses on the adequacy and effectiveness of IT controls.

In addition to confirming functional requirements for the regularity and security of the IT system audited, the results of our IT audit also serve to assess the appropriateness and effectiveness of the internal control system and are therefore included in the determination of separate audit procedures for the financial statement audit. The IT audit also provides management with important information on the design of the internal control system compared to good practices, as well as details of weaknesses and effective suggestions for improvement.

The assessment of financial information systems is usually based on criteria which typically include security and regularity. These criteria can, however, be supplemented to include industry-related specifications and framework conditions as well as other criteria (e.g. portability, compliance with data protection requirements).

PKF audits and assesses accounting-relevant IT systems on the basis of national and international criteria-based auditing standards (IDW PS 330, ISA 315/330, etc.). PKF applies a risk-orientated audit approach. In accordance with IDW’s PS 330 auditing standard, our audit includes all IT system levels that are relevant to accounting.