Answers to frequently asked questions

Below you will find an overview of the most frequently asked questions, with answers that BFMT has agreed in consultation with the supervisory authorities.

  • May a client's particularly high level of control standards be explicitly mentioned in the audit report according to ISAE 3402 / SSAE 18 / IDW PS 951?

    If, in addition to the auditor's certificate (Service Auditor's Assurance Report within the meaning of ISAE 3402.53 et seq.), an audit report is also prepared, corresponding special features can be presented in the latter. This could also include a particularly high level of control standards.

    In our opinion, a certificate (Service Auditor's Assurance Report) should be based on the examples given in ISAE 3402 (see Appendix 2 et seq.). However, these sample certificates are explicitly to be understood only as "guidance", so that the auditor may include deviating formulations within the scope of his own responsibility.
  • May we include the audit results of internal audits of our client in our ISAE 3402 audit without further explicit review? If so, must there be special requirements on the part of the client?

    Inclusion of the results of internal audits of the client (e.g. by an internal audit function) is only possible under the conditions set out in ISAE 3402.30 et seq. and A37 et seq.
  • What are the requirements for an ISAE 3402 report in terms of report components and content?

    The requirements for an ISAE 3402 report, i.e. the individual report components and contents required, are derived exclusively and directly from the provisions of the standard itself. The concrete form of the report content, i.e. the explanations on the report content and their level of detail, depends, among other things, on the respective circumstances of the company to be audited and on the audit procedure. If the auditor of the outsourcing company considers further information necessary that goes beyond the reporting requirements of ISAE 3402 (such as a list of all samples taken or similar), this can of course be included in the ISAE 3402 report. The requirements for this additional information should be coordinated with the auditor of the outsourcing company, as it is not "standards-based" but voluntary.
  • Is it necessary to mention a need for improvement in the audit certificate or report as part of an ISAE 3402 audit?

    ISAE 4302 requires the auditor of the outsourcing entity to obtain an understanding of the nature and significance of the service provided by the service provider and its impact on the outsourcing entity's ICS relevant to the audit of the financial statements, sufficient to identify and assess the risks of material misstatement and to plan and perform audit procedures to address those risks.

    In order to identify and assess the risks of misstatements in the financial statements of the outsourcing company arising from the outsourcing, it is generally not necessary for the service company to present optimization potential in the audit certificate. ISAE 3402 does not provide for a corresponding disclosure of optimization potential for either Type I or Type II reports.

    The need for optimization is only mentioned in the following cases:

    • ISAE 3402.54 - In the case of a Type II certification, the auditor of the service company must present the nature, scope and results of its tests of controls (functional tests). Any deficiencies identified should be disclosed, even if they do not affect the auditor's opinion.

    • ISAE 3402.55 - If the auditor of the service provider has modified its audit opinion, the reasons for the qualification or disclaimer should be disclosed.

  • May the results of internal audits of clients be included in ISAE 3402 audits by the external auditor?

    ISAE 3402 provides in sections 30-37 for the possibility of involving the internal audit of the service provider in the audit.

    The external auditor is responsible for deciding the extent to which the results of the internal audit are incorporated into his work. In addition to the scope and relevance of the controls and processes audited by internal audit, the objectivity, competence and diligence of internal audit must also be assessed. On this basis, the external auditor must come to the conclusion that, even when using the results of the internal audit's work, he is able to form an independent judgment on the client's service-related internal control system.
  • During an ISAE 3402 audit, is it permissible to modify the existing control set if it becomes apparent that individual controls or tests are obsolete?

    Changes to the subject matter at the initiative of the client shall be dealt with in accordance with ISAE 3402.14.

    Changes to the control set by the auditor are possible in order to enable an economical performance of the audit. If the auditor only discovers in the course of the audit that a particular control is, for example, not related to financial reporting, or is redundant because the subject matter it controls can be audited more efficiently by means of a higher-level control, this should be taken into account accordingly in the further course of the audit.
  • Is it appropriate to document controls of an ISAE 3402 control set as having been inspected without written evidence in the working papers (i.e. simply by viewing audit evidence on site in the presence of several auditors) and at the same time to classify the underlying controls as passed?

    In terms of content and scope, ISAE 3402.45 states that the audit documentation shall be prepared in a manner sufficient to enable an experienced auditor who has not previously been involved in the audit to understand:

    • the nature, timing and extent of the audit procedures,

    • the results of the audit procedures performed and the audit evidence obtained, and

    • significant matters arising during the audit, the conclusions reached thereon and the significant professional judgments made in reaching those conclusions.

    With regard to the documentation of the nature, timing and extent of the audit procedures, ISAE 3402 para. 46 stipulates that the auditor must record:

    • the characteristics of the elements or matters being audited,

    • by whom the audit work was carried out and when it was completed, and

    • by whom, when and to what extent the audit work carried out was reviewed.

    Accordingly, it is not necessary, for example, in a control audit using random samples, to place copies of the samples taken in the working papers. The audit evidence obtained only needs to be documented in an identifiable manner by means of its characteristic features.
  • Does the "Service Organisation Assertion" contained in an ISAE 3402 report replace the client's customary representation letter?

    The "Service Organisation Assertion" does not replace the client's customary representation letter (declaration of completeness). The latter is explicitly regulated in ISAE 3402.38 et seq. and is addressed to the auditor in order to confirm the completeness of the information provided. A reference to the separation between the "Service Organisation Assertion" and the representation letter can be found in ISAE 3402.A42.
  • Is an ISAE 3402 audit relevant for financial reporting?

    The nature and extent of any impact on the accounting or the financial statements depends on the nature of the third party's activities in each individual case. If, for example, the third party provides accounting services, the auditor must assess the correctness of the accounting in accordance with § 317 (1) HGB by means of suitable audit procedures, such as obtaining appropriate third-party confirmations in accordance with ISAE 3402. In this respect, the failure to provide a certificate in accordance with ISAE 3402, in conjunction with a lack of suitable alternative audit procedures, can affect the auditor's certainty of judgement with regard to the accounting.
  • Is it permissible to provide ISAE 3402 & SSAE 18 certificates with an auditor's seal analogous to the procedure in the reports?

    Insofar as the certificates represent a declaration of the examination result within the meaning of § 48 (1) sentence 2 WPO, they can be sealed optionally. However, there is no obligation to do so.
  • Within what period is a quality assurance review of the auditor of the annual accounts of a financial services institution within the meaning of Section 1 of the German Banking Act (KWG) to be carried out?

    Regardless of the size classification in accordance with § 267 HGB, a financial services institution within the meaning of § 1 KWG in conjunction with § 340 HGB is subject to a statutory audit. An auditing company that wants to carry out the above-mentioned statutory audit requires a certificate of participation (alternatively a certificate of exemption) in the quality control according to § 57a WPO. If the client subject to the audit is not a public interest entity (according to § 264d HGB), the validity of this certificate is limited to six years.
  • To what extent can audit results of an ISO 27000/27001 report based on ISO controls be used in an ISAE 3402 audit?

    In principle, the two certifications are by definition not congruent in terms of objectives and focus. In order for the results of an ISO 27000/27001 certification to be taken into account within the scope of an ISAE 3402 audit, it must be ensured that the audit objectives and procedures are identical to, or meet the requirements of, an ISAE 3402 audit. For example, the audit procedures performed in the context of the ISO certification, and the resulting audit results for specific controls, should be of the same nature and scope as, and performed with the same objective as, those of a "pure" ISAE 3402 audit.
  • Can the existence of an ISO certificate be trusted without consulting the associated ISO audit report?

    Use of the ISO audit report is recommended. On the one hand, an ISO audit report contains more detailed information on the subject of the audit, such as audit procedures, minor irregularities discovered or suggestions for improvement, which may be relevant from the point of view of the ISAE 3402 auditor. On the other hand, the ISAE 3402 auditor should familiarize himself specifically with the contents of such audits, both in the case of ISO audits and in the case of audits by internal audit or other auditors.
  • In the context of an ISAE 3402 audit, can the audit report of an external auditor of the client, which has been sent to a sub-service provider, be used?

    The use of an external auditor's report is acceptable, provided that the provisions of ISAE 3402 on using the work of internal auditors (ISAE 3402.30 et seq., A37 et seq.), applied analogously, are observed.
  • Is a German auditor allowed to conduct a compliance audit according to HIPAA (Health Insurance Portability and Accountability Act)?

    There is no reason why a German auditing company should not carry out such a compliance audit. It would be considered a business audit within the meaning of § 2 (1) WPO. The requirements in this regard are evident from the so-called "pilot audit program" of the HHS Office for Civil Rights (OCR) for auditing the controls and processes of the companies concerned.
  • Is it possible to perform a HIPAA compliance audit based on an already completed ISAE 3402/SSAE 18 audit using appropriate ISAE 3402/ SSAE 18 audit controls, supplemented by mandatory HIPAA controls?

    As a rule, there is no reason why the results of a previous audit should not be used in a subsequent audit, in accordance with general professional principles. However, it must be ensured that any changes to the client's systems and processes that have occurred in the meantime are identified and taken into account.
  • What are the general conditions on which companies can rely when creating or implementing IT service management?

    For the internal implementation of an ITSM, there are various approaches from the world's leading IT frameworks. It is recommended that a framework be chosen that provides a formalized service level management process between the customer and the service provider.

    The framework should be continuously aligned with business requirements and priorities and allow a common understanding between customer and provider. The framework should include processes for creating service requests, service definitions and SLAs. These attributes should be organized in a service catalog.

    The framework should define the organizational structure for service level management and cover the roles, tasks and responsibilities of internal and external service providers and customers.

    The Information Technology Infrastructure Library (ITIL) and Control Objectives for Information and Related Technologies (COBIT) are the leading frameworks in this respect. They provide support for operational implementation within the company.

    However, it makes sense to consider the implementation of an ITSM as early as the founding of a company. In particular, the leading framework for IT architecture, The Open Group Architecture Framework (TOGAF), should be integrated.

    Within these leading frameworks, the detailed consideration of agreements with service providers is one of the most relevant points.
  • Are we allowed to act as an auditing company or as an external auditor within the scope of a company certification according to ISO/IEC 27001 and to use the professional seal in the process?

    Yes, the authority of auditors and certified public accountants (WP/vBP) to conduct company audits (§ 2 para. 1 WPO) also includes the audit of IT systems. WP/vBP are subject to the professional duties of the WPO, in particular the cardinal duties of independence, conscientiousness, confidentiality, personal responsibility and impartiality. Auditors and certified public accountants, as well as their professional firms, are therefore the natural ("born") auditors for this task.