FAQ

If, in addition to the auditor's certificate (Service Auditor's Assurance Report i, S. d. ISAE 3402.53 if.), an audit report is also prepared, corresponding special features can be presented in the latter. This could also include a particularly high level of control standards.

In our opinion, a certificate (Service Auditor's Assurance Report) should be based on the examples given in ISAE 3402 (see Appendix 2 f.). However, these sample certificates are to be understood explicitly only as "guidance", so that the auditor can include deviating formulations within the scope of his own responsibility.

An inclusion of the audit results of internal audits of the client (e.g. by an internal audit) is only possible under the conditions stated in ISAE 3402.30 if. and A37 if.

The requirements for an ISAE 3402 report, i.e. the individual report components and contents required, are derived exclusively and directly from the regulations in the standard itself. The concrete form of the report content, i.e. the explanations on the report content and its level of detail, depends, among other things, on the respective circumstances of the company to be audited and the audit procedure. If the auditor of the outsourcing company considers further information necessary that goes beyond the reporting requirements of ISAE 3402 (such as a list of all samples taken or similar), this can of course be included in the ISAE 3402 report. The auditor's requirements for this additional information should be coordinated with the auditor, as this is not "standards-based" but voluntary.

ISAE 4302 requires the auditor of the outsourcing entity to obtain an understanding of the nature and significance of the service provided by the service provider and its impact on the outsourcing entity's ICS relevant to the audit of the financial statements, sufficient to identify and assess the risks of material misstatement and to plan and perform audit procedures to address those risks.

In order to identify and assess the risks of misrepresentations in the financial statements of the outsourcing company due to the outsourcing, it is generally not necessary for the service company to present optimization potential in the audit certificate. ISAE 3402 does not provide for a corresponding disclosure of optimization potential with regard to either Type I or Type II.

The need for optimization is only mentioned in the following cases:

• ISAE 3402.54 - In the case of a Type II certification, the auditor of the service company must present the nature, scope and result of its functional tests. Any deficiencies identified should be disclosed, even if they do not affect the auditor's opinion.

• ISAE 3402.55 - If the auditor of the service provider has modified its audit opinion, the reasons for the limitation or refusal should be disclosed.

ISAE 3402 provides in sections 30-37 for the possibility of involving the internal audit of the service provider in the audit.

The external auditor is responsible for deciding the extent to which the results of the internal audit are incorporated into his work. In addition to the scope and relevance of the controls and processes audited by Internal Audit, the objectivity, competence and diligence of Internal Audit must also be assessed. On this basis, the external auditor must come to the conclusion that, by using the results of the internal audit's work, he is able to make an independent judgment on the client's service-related internal control system.

Changes to the subject matter at the initiative of the client shall be dealt with in accordance with ISAE 3402.14.

Changes to the control set by the auditor are possible in order to enable an economical audit performance. If the auditor only discovers in the course of the audit that a particular control is not related to financial reporting, for example, or is redundant because the subject matter to be controlled may be more efficiently audited by a higher level control, this should be taken into account accordingly in the further audit process.

In terms of content and scope, ISAE 3402.45 states that the audit documentation shall be prepared in a manner sufficient to enable an experienced auditor who has not previously been involved in the audit to understand

• The nature, timing and scope of the audit activity,

• the results of the audit procedures performed and the audit evidence obtained,

• significant matters arising during the examination, the conclusions reached thereon and significant judgments made in the course of the examination in accordance with professional standards.

With regard to the documentation of the nature, timing and extent of the audit procedures, ISAE 3402 para. 46 stipulates that the auditor must record:

• the characteristics of the elements or matters being audited,

• by whom the audit work was carried out and when it was completed, and

• by whom, when and to what extent the audit work carried out was reviewed.

Accordingly, it is not necessary, for example, in the context of a control audit using random samples, to take copies of the samples taken for the working papers. The audit evidence drawn only needs to be documented in an identifiable manner by means of characteristic features.

The "Service Organisation Assertion" does not replace the client's customary declaration of completeness. The latter is explicitly regulated in ISAE 3402.38 et seq. and is addressed to the auditor in order to confirm the completeness of the information provided. A reference to the separation of "Service Organisation Assertion" and the letter of representation can be found in ISAE 3402.A42.

The nature and extent of any impact on the accounting or financial statements depends on the nature of the third party's activities in each individual case. If, for example, the third party provides accounting services, the auditor must assess the correctness of the accounting in accordance with § 317 (1) HGB by means of suitable auditing procedures, such as obtaining appropriate third-party confirmations in accordance with ISAE 3402. In this respect, the failure to submit a certificate in accordance with ISAE 3402 in conjunction with a lack of suitable alternative audit procedures can have an influence on the auditor's certainty of judgement with regard to the accounting.

Insofar as the certificates represent a declaration of the examination result within the meaning of § 48 (1) sentence 2 WPO, they can be sealed optionally. However, there is no obligation to do so.

Regardless of the size classification in accordance with § 267 HGB, a financial services institution within the meaning of § 1 KWG in conjunction with § 340 HGB is subject to audit. An auditing company that wants to carry out the above-mentioned statutory audit requires a certificate of participation (alternatively a certificate of exemption) in the quality control according to § 57a WPO. If the client subject to the audit is not a company of public interest (according to § 264d HGB), this certificate must be limited to six years.

In principle, the two certifications are by definition not congruent in terms of objectives and focus. In order for the results of an ISO 27000/27001 certification to be considered within the scope of an ISAE 3402 audit, it must be ensured that the audit objectives and procedures are identical or meet the requirements of an ISAE 3402 audit. For example, audit procedures performed in the context of ISO certification and the resulting audit results for specific controls should be of the same nature and scope and be performed with the same objective in a "pure" ISAE 3402 audit.

Since, on the one hand, an ISO audit report contains more detailed information on the subject of the audit, such as audit procedures, minor irregularities discovered or suggestions for improvement which may be relevant from the point of view of the ISAE 3402 auditor, and, on the other hand, the ISAE 3402 auditor should familiarize himself specifically with the contents of these audits, both in the case of ISO audits and audits by internal audit or other auditors, the use of the ISO audit report is recommended.

The use of an external auditor's report is acceptable, provided that the regulations in ISAE 3402 on the work of internal auditors (ISAE 3402.30 et seq., A37 et seq.) - applied analogously - are observed.

There is no reason why a German auditing company should not carry out such a compliance audit. This would be considered a business audit within the meaning of § 2 (1) WPO. The requirements in this regard are evident from the so-called "pilot audit program" of the HHS Office of Civil Rights (OCR) for auditing the controls and processes of the companies concerned.

As a rule, there is no reason why the results of a previous audit should not be used in a subsequent audit in accordance with general professional principles. However, it should be ensured that any changes in the client's systems and processes that have occurred in the meantime are identified and acknowledged.

For the internal implementation of an ITSM, there are various approaches from world leading IT frameworks. It is recommended that a framework is chosen that provides a formalized service level management process between the customer and the service provider.

The framework should be continuously aligned with business requirements and priorities and allow a common understanding between customer and provider. The framework should include processes for creating service requests, service definitions and SLAs. These attributes should be organized in a service catalog.

The framework should define the organizational structure for service level management and cover the roles, tasks and responsibilities of internal and external service providers and customers.

The Information Technology Infrastructure Libary (ITIL) and Control Objectives for Information and Related Information (COBIT) are leading in this respect. These frameworks provide support for operational implementation within the company.

However, it makes sense to think about the implementation of an ITSM already when founding a company. In particular, the leading framework for IT architecture, The Open Group Architecture Framework (TOGAF), should be integrated.

Within these leading frameworks, the detailed consideration of agreements with service providers is one of the most relevant points.

Yes, the authority of auditors and certified public accountants (WP/vBP) to conduct company audits (§ 2 para. 1 WPO) also includes the audit of IT systems. WP/vBP are subject to the professional duties of the WPO and in particular the cardinal duties of independence, conscientiousness, confidentiality, personal responsibility and impartiality. Auditors and certified public accountants as well as their professional firms are therefore the "born" auditors.