Digitisation and compliance

Outsourcing standard ISAE 3402 (IDW PS 951)

The ISAE 3402 certificate serves the service provider as recognised proof of the correctness of the services provided by them and is regarded as a quality criterion and quality feature for distinguishing themselves from competitors. An ISAE 3402 audit is based on established management systems and controls and ensures auditor acceptance for audits of annual financial statements of outsourcing companies.

Our services focus on the analysis, establishment, certification and optimisation of internal control systems (ICS) at service providers or shared service centres. We will support you in setting up control frameworks that are ready for certification or certify their effectiveness for you with a uniform report that is accepted by all auditors in accordance with international auditing standards.

Here we offer you our module support services as all-round support:

  • „Our many years of experience in the client-specific structure of compliance certificates guarantees that these are successfully introduced and implemented in a targeted manner, on time and with minimal effort.“

    − André Schneider −

    IT Manager, CISA

    Detail

Module 1:
Outsourcing health check & GAP analysis

In a brief review and joint evaluation, an initial status quo on the current level of compliance maturity is drawn up. For this purpose we will take a look at existing process descriptions, guidelines and documentation.

By means of interviews, the existing service processes are examined with regard to the establishment of internal controls and initial potential for improvement is identified (GAP analysis).

Our aim is to further secure your services and thus increase the effectiveness and efficiency of internal processes. To this end, together with ISAE employees with many years of experience, we will support you in active audit preparation and ensure the sustainable development and successful implementation of certifications.

Our sector-oriented and established sample controls cover the requirements of the current auditing standards and serve as a starting point for our health check.

As a project manager (PMO function), we are happy to help you implement the individual audit phases, ensure smooth and timely ISAE report delivery and minimise your internal workload.

  • GAP process analysis and understanding
  • Identification, establishment and documentation of internal controls
  • Assessment of regularity and level of compliance maturity
  • Presentation of concrete sample controls that can be individually adapted to business processes and services (control templates)
  • Project plan and process model for the introduction of an internal control system with on-time certification according to ISAE 3402 type 1 and 2
  • Assumption of the ISAE project management (PMO)

Module 2:
Coaching and advice for establishing ICS

A practical compliance management system can only be implemented if the risks that are relevant to the company have been considered.

During interview appointments we will identify the responsible control owners and define suitable control objectives with associated controls to ensure that processes are implemented in practice. Together with you, we will create an individualised risk control matrix (RCM), which will also form the basis for future certification.

When setting up the appropriate internal control system (ICS), we will pay attention both to compliance with regulatory requirements and to the requirements of clients and their auditors, including

  • Ensuring the effectiveness of business activities
  • Regularity and reliability of financial accounting
  • Compliance with relevant internal and external regulations (compliance)


Existing control frameworks (e.g. sub-areas implemented according to ISO 27001 or internal risk control matrices) can be used to set up an ICS that is to be certified in order to reduce internal and external costs.
 
As a preliminary stage of an effectiveness review (type 2, period-related), a "pre-audit" as an adequacy review (type 1, reporting date-related) is appropriate. This involves getting to know the process of an outsourcing certification in advance by all those responsible and practising the necessary requirements. We will identify suggestions for improvement, point out concrete measures, check these subsequently and thus ensure the necessary level of maturity for certification.

  • Establishment of an appropriate internal control system (ICS)
  • Harmonisation and optimisation of controls to strengthen process safety
  • Creation and customisation of the risk control matrix (RCM)
  • Catalogue of measures to achieve certification readiness and timely fulfilment of client requirements
  • Optional: Preceding adequacy review (reporting date-related auditing of the establishment of controls according to ISAE 3402 type 1)

Module 3:
Certification & attestation

We will confirm the control effectiveness for an individual scope of audit specified by you according to accepted outsourcing audit standards (e.g. ISAE 3402 or IDW PS 951) and issue a corresponding certificate for a predefined period of time. This certificate serves as an official, central audit certificate for the services provided (e.g. managed services or cloud services) and thus replaces a large number of audits by different clients and their auditors.

In addition to such "standard reporting", we will also support you in creating individual certificates for premium clients. To this end client-specific services and their process controls are additionally audited as part of our main audit and individually certified in a separate report. Our multi-client approach serves as a basis.

The cost of such a premium certification is usually charged to the respective clients on a pro rata basis, thus shifting the total cost of the ISAE basic audit to the service provider.

Further added values of a central ISAE outsourcing certification are:

  • Certification as a quality criterion and differentiation from competitors (sales-oriented use and proof of quality)
    • Use and decision criteria for private or public tenders
      • Promotion of the service provider's reputation through insight into processes and their external evaluation ("CIO/CFO business card")
        • Reduction of audit work by avoiding audit tourism and reducing the workload of those responsible for the process


        In addition, we are available to you and the auditors of your clients at any time and free of charge for any questions (including those relating to our reporting, execution of the audit, explanations of the results and scope coordination) within the context of our assignment.

         
  • Audit of the appropriateness and effectiveness of the control system with reporting according to ISAE 3402 type 2 ("standard reporting")
  • Management reporting with concrete suggestions for improvement to optimise and further strengthen the control system
  • Free support for enquiries from your clients and their auditors (e.g. relating to our reporting, the execution of the audit, explanations of the results and scope coordination).
  • Optional: "Multi-client premium reporting “
    • Tailor-made and flexible scope extensions and individual reporting variants for premium business partners with certified periods during the year (e.g. January 1 to september 30 and January 1 to December 31) and/or
    • Customised reporting variants with individual control areas of selected / supplementary audit topics based on a central ISAE template (using significant synergy effects)
    • Transparent cost model at fixed flat rates for core process audit, reporting variants during the year and individual reporting

Module 4:
Optimisation of process and system controls

Due to our many years of project experience in successful initial certifications, we are specialists in the company-specific establishment of optimal process and system controls.

With our expertise we will support you in the further improvement of your implemented processes and their monitoring. We will continuously check whether control procedures can be further harmonised or automated. This can be achieved, for example, by summarising them in the form of high-level controls or by introducing suitable compliance management tools.

At the same time, we will give concrete advice on how to simplify and optimise control activities and the documentation thereof in order to reduce the daily workload of those responsible for the process and minimise internal administrative work.


Corporate governance ensures good corporate management and monitoring. We will show how the audited ICS can be integrated into existing compliance management systems (CMS) or how they can be set up and formally integrated as a separate sub-area. Common sub-areas are anti-corruption, taxes, data protection or information security.

For example, an IT ICS certified according to ISAE 3402 (general IT controls for   audits of annual financial statements, GITC) serves as the basis for further compliance management confirmation of information security according to ISAE 3000. Audit evidence, interviews and results already provided in the ISAE 3402 audit can be used for the audit of information security so that double audits and unnecessary interviews are avoided for those responsible for the process; cost saving potentials are the result.

  • Harmonisation of process controls and revision of control procedures (PDCA cycle)
  • Automation of control activities and their monitoring (CMS tools)
  • Suggestions for minimising documentation and avoiding unnecessary interviews
  • Optional: Integration into other CMS sub-areas (e.g. CMS information security / data protection) and the confirmation thereof according to ISAE 3000

Why do I need an ISAE certificate when outsourcing processes?

As part of their outsourcing and digitisation strategy, companies are increasingly outsourcing business processes and operational functions to external service providers or centralising them at group-internal shared service centres.

Irrespective of which specific service is provided in an outsourcing solution, this has an impact on the financial accounting and annual financial statements of the outsourcing company.

Typical examples are

  • Outsourcing of IT operations (data centre hosting)
  • Cloud services
  • (ERP) application support (application services)
  • Business processes (BPO), among others in the areas of
    • Accounting (accounts receivable management)
    • Invoice processing (payment services)
    • Receivables management
    • Financial accounting
    • Warehouse management and logistics (fulfilment services)
  • „Our proactive assistance in preparation and implementation of compliance projects reduces the daily workload by avoiding unnecessary documentation and at the same time ensures the success of the project.“

    − Tobias Ullmann −

    Senior IT Consultant, CISA

    Detail

By outsourcing business-relevant functions to a service provider or to the cloud, the outsourcing company remains responsible for regularly checking the service provider's compliance with the relevant internal controls and proving that they are compliant.

The internal control system established by the service provider is important for the audits of the annual financial statements of the outsourcing companies and is the subject of on-site audits by the auditor for each client.

However, this is time-consuming, expensive and burdens the service provider's daily business. Multiple audits by clients and their auditors take place throughout the year; a kind of "audit tourism" arises.


Established service providers are therefore increasingly using the outsourcing standard ISAE 3402, which offers both the service provider and the outsourcing company a high degree of security and advantages as external proof of quality.

An ISAE 3402 certification builds on existing quality management certifications and ensures auditor acceptance for audits of annual financial statements. A central audit can lead to considerable cost savings, reduce audit work and achieve competitive advantages.

Which audit standards are accepted?

The "International Standard on Assurance Engagements, Assurance Reports on Controls at a Service Organisation" (ISAE 3402) constitutes reporting with a uniform report structure that is accepted by all auditors.

In contrast to other certifications, the service providers themselves determine the individual scope of the audit based on existing controls and specify the control areas to be audited.

Experience has shown that it is becoming more and more a must to present such a certificate, also to distinguish oneself from competitors.

In addition to submission in invitations to tender (as a further basic requirement in addition to ISO/IEC 27001 certification), auditing companies regularly require certification according to the following outsourcing standards:

  • German standard IDW PS 951 (national reporting in German)
  • SOC 1 Reporting (System and Organization Controls); this is a US standard based on SSAE 18 (Statement on Standards for Attestation Engagements)
  • Internationally accepted standard ISAE 3402

Here two different types of certification are possible:

  • Type 1 assesses the appropriateness (suitability), the control design (structure) and the implementation of internal controls on a key date (e.g. date-related implementation as of June 30).
  • Type 2 additionally confirms the effectiveness over a certain period of time, which usually corresponds to the financial year of the client (e.g. January 1 to December 31; at least six months)


If a type 2 certificate is available, it is sufficient for the client's auditor as proof of auditing and documentation. This means that an individual on-site audit is not necessary.

In addition to ISAE 3402, there is also the basic ISAE 3000 standard, which can be used for all certifications with the exception of financial reporting. This includes, for example, the effectiveness of the internal control system, compliance with regulatory requirements or specific contractual provisions.

We'd be delighted to advise you