IT Audit & Assurance
IT is paving the way for digitization and plays a key role in a company's success. That is why so much trust is placed in IT. But IT is also disruptive and complex. Changes to systems, constant threats from inside and outside, and the risk that errors go undetected require a strong IT organization.
An IT audit is a useful means of gaining security: the security needed to rely on systems, processes and employees. An IT audit identifies weak points in processes and uses them as a basis for improvements.
Audit as an Opportunity for your Company
We at Kleeberg see an audit as an opportunity for the company to identify weak points and bring about improvements. We see our counterpart as a partner with whom we can jointly achieve positive results for security in IT systems, reliability in business processes and trust among employees.
Confidence in our IT and the processes is enormously important for the success of our company.
Process Analysis and Process Optimization
We analyze your existing IT business processes and uncover inefficiencies and weaknesses. We show you how to leverage hidden potentials and improve processes with a view to the ongoing digitalization of your company.
Of course, we also keep an eye on the legal side. In our audits, we measure your processes against the applicable accounting regulations and tax requirements. But our audits also analyze compliance with the requirements of the IT Security Act or the EU General Data Protection Regulation (GDPR). Due to growing industry-specific requirements, the conformity of your processes or IT systems with industry standards, ISO standards or generally recognized frameworks such as COSO or COBIT is becoming increasingly important.
A functioning IT is essential for your company. You cannot afford failures or errors in processes. IT does not merely have a supporting function. The claim "IT must simply run" is no longer enough: IT is the driving force in a company. Just as in the other departments of your company, it is important to recognize and control risks.
These risks usually involve complex topics such as authorizations, data backups or interfaces. The findings from an audit not only help the auditor in the context of the audit; they also serve your company as a yardstick and show strengths and weaknesses.
Our IT audit is based on Auditing Standard 330 of the Institute of Public Auditors in Germany (IDW PS 330) and essentially covers the following areas:
- IT strategy and IT organization
- IT environment
- IT infrastructure with the sub-areas “physical protection”, “logical access controls”, “data backups” and “emergency concept”
- IT applications
- IT-supported business processes
- IT monitoring
- IT outsourcing
We attach great importance to communicating our results in a way that is appropriate for the target audience. We not only point out weak points, but also provide recommendations for rapid implementation and improvement.
In June 2019, Martin Lamm, Managing Director of Crowe Kleeberg IT Audit, et al., published the book “SAP®-IT-Prüfung im Rahmen der Abschlussprüfung” (“SAP® IT audit as part of the statutory audit”) in the series “Praxistipps IT” (“Practical IT Tips”) published by IDW-Verlag. The book is written in a particularly practical manner and enables every auditor to follow a standardized procedure when auditing an SAP® system. It contains a detailed description for each audit step, combines the respective audit steps with concrete risks for the security and correctness of the bookkeeping and gives recommendations for the elimination of findings as well as for alternative audit procedures for addressing the respective risk.
IT Due Diligence
The term "due diligence" is usually used in connection with company acquisitions. The legal and financial circumstances of a company are subjected to a risk analysis with the required care. The classic components of due diligence are finance, law and taxes. But that does not cover everything: an IT due diligence examines the opportunities and risks within the enterprise's IT. Essential components are:
- Sustainability of the existing IT infrastructure and organization
- Complexity of IT processes
- Application development (Software Development Life Cycle, SDLC)
- Process security within IT applications
- Security of IT systems
- Data protection conformity of IT systems
- Change management
- License management
- Open Source Management: Especially when self-developed software is a major factor in the acquisition of a company, the handling of open source software, the use of which is often free of charge but not free of certain obligations, plays a central role in an IT due diligence.
Within the scope of an IT due diligence, the experts at Crowe Kleeberg IT Audit draw on a standardized and proven list of questions that can be used to quickly identify red flags.
Data Analysis and Process Mining
What would digitalization be without data? Data is the gold of our time. But it is no longer just search engines that look to the future with their big data holdings. Even the ERP systems in a company no longer handle processes without producing vast amounts of data for each process and each process step. This data documents what has happened and thus allows comprehensive analyses to uncover weaknesses in the internal control system, faulty process and interface flows, fraudulent actions within the company and future developments (predictive analysis).
With our data analysis and process mining tools, we support companies in evaluating and optimizing their core processes such as purchasing or sales, or their authorization concepts. We also support our colleagues with data analyses as part of an annual audit or an internal audit and evaluate process flows, critical authorizations and separation-of-duties conflicts.
Data analysis is also suitable for detecting and tracing fraudulent actions in the company. Weaknesses in the internal control system, well-established processes and a long-term position of trust often open up an opportunity which, together with a motive and personal justification, causes financial damage to the company or destroys its reputation. But in the vast majority of cases, such actions leave digital traces in the systems, which we examine for anomalies by means of data analysis.
In March 2018, the second edition of the “Handbuch Bilanzrecht” (Handbook on Accounting Law) from the Bundesanzeiger Verlag was published. The handbook focuses on essential problems in connection with the accounting of small and medium-sized accounting firms and explains cases that go beyond the standard of accounting.
Martin Lamm, Managing Director of Crowe Kleeberg IT Audit, is one of the authors. The article "Data Analysis in the Audit of Financial Statements" deals with the opportunities and risks of data analysis in a modern audit of financial statements. Clear practical examples show the analysis process in different areas of application during the preliminary and main audit and describe the influence of data analysis on efficiency, security and quality in an audit.
User and Access Management
Well-functioning user management is the cornerstone of access to an IT system. A standardized process for creating and deleting users should therefore be set up in the company, involving the human resources department. Login to the system should meet high security requirements such as a strong password or two-factor authentication.
Authorizations control access to data in a system, and the protection of this data is of central importance. For this reason, a regulated process for designing roles and rights, together with a documented authorization concept (access management), is advisable here as well.
The experts at Crowe Kleeberg IT Audit examine user management and access management in your company. We identify weak points in the process and examine the individual rights using data analysis. We also check the adherence to a separation of duties and thus the compatibility of functions in the company. In particular, we make sure that operative duties are not combined with controlling duties. For example, the order and the corresponding goods receipt should not be recorded by the same person.
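The separation-of-duties check described above (and the authorization evaluation mentioned in the data analysis and SAP sections) can be expressed as a small piece of detection logic. The following is an added illustration, not Kleeberg's tool or method: it assumes a constructed rule set of conflicting business functions, constructed role-to-function and user-to-role assignments, and a constructed purchase-order / goods-receipt log. It reports two kinds of findings: users whose roles merely permit a conflict (a design weakness in the authorization concept) and users who actually exercised one by recording both the order and its goods receipt (a finding that needs follow-up on the individual transactions).

```python
"""Separation-of-duties (SoD) check over constructed sample data.

All rules, roles, users and transactions below are hypothetical and were
constructed for this example; they do not come from any real system.
"""

# Constructed rule set: pairs of business functions that must not be held
# by one person. Labels are hypothetical, not taken from any standard.
SOD_CONFLICTS = [
    ("create_purchase_order", "post_goods_receipt"),
    ("maintain_vendor_master", "post_vendor_invoice"),
]

# Constructed role definitions: role -> business functions it grants.
ROLE_FUNCTIONS = {
    "PURCHASER": {"create_purchase_order"},
    "WAREHOUSE": {"post_goods_receipt"},
    "AP_CLERK": {"post_vendor_invoice"},
    "MASTER_DATA": {"maintain_vendor_master"},
}

# Constructed user-to-role assignments.
USER_ROLES = {
    "alice": {"PURCHASER"},
    "bob": {"WAREHOUSE"},
    "carol": {"PURCHASER", "WAREHOUSE"},   # roles permit a conflict
    "dave": {"AP_CLERK", "MASTER_DATA"},   # roles permit a conflict
}

# Constructed transaction log: (doc_type, doc_no, referenced_po, user).
# "PO" = purchase order, "GR" = goods receipt against that PO.
TRANSACTIONS = [
    ("PO", "4500001", None, "alice"),
    ("GR", "5000001", "4500001", "bob"),
    ("PO", "4500002", None, "carol"),
    ("GR", "5000002", "4500002", "carol"),   # same person: exercised conflict
    ("PO", "4500003", None, "carol"),
    ("GR", "5000003", "4500003", "bob"),     # different person: fine
]


def user_functions(user):
    """Union of all business functions granted through the user's roles."""
    funcs = set()
    for role in USER_ROLES.get(user, ()):
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs


def role_level_conflicts():
    """Users whose combined roles cover both halves of a conflict pair.

    Returns a sorted list of (user, function_a, function_b).
    """
    findings = []
    for user in sorted(USER_ROLES):
        funcs = user_functions(user)
        for a, b in SOD_CONFLICTS:
            if a in funcs and b in funcs:
                findings.append((user, a, b))
    return findings


def transaction_level_conflicts(transactions):
    """Goods receipts recorded by the same user who created the referenced PO.

    Returns a list of (user, po_number, gr_number) in log order.
    """
    po_creator = {
        doc_no: user
        for doc_type, doc_no, _ref, user in transactions
        if doc_type == "PO"
    }
    findings = []
    for doc_type, doc_no, ref_po, user in transactions:
        if doc_type == "GR" and po_creator.get(ref_po) == user:
            findings.append((user, ref_po, doc_no))
    return findings


def sod_report(transactions):
    """Per-user summary: whether roles permit a conflict and how often one was exercised."""
    report = {}
    for user, _a, _b in role_level_conflicts():
        report.setdefault(user, {"permitted": False, "exercised": 0})["permitted"] = True
    for user, _po, _gr in transaction_level_conflicts(transactions):
        report.setdefault(user, {"permitted": False, "exercised": 0})["exercised"] += 1
    return report


if __name__ == "__main__":
    for user, info in sorted(sod_report(TRANSACTIONS).items()):
        print(f"{user}: roles permit conflict={info['permitted']}, exercised={info['exercised']}")
```

In practice the two result sets are reviewed differently: a permitted-but-unexercised conflict points to the authorization concept, while an exercised one calls for examining the affected documents and any compensating controls. Real SAP data would replace the constructed tables with the user, role and document tables exported from the system.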
SAP Authorization Check
With our self-developed SAP tool we examine the authorizations in SAP. This enables us to carry out the check offline in our offices. All we need for this are a dozen tables that you make available to us. We then evaluate both critical basic authorizations and process-related authorizations, e.g. in purchasing, sales or financial accounting.
Software certificates are aimed at software manufacturers who wish to have the functionality of their software certified by an independent body in order to be able to present themselves competently on the market. Of course, financial accounting systems, which are subject to high legal requirements, are the first focus here.
Software audits are also of interest for other systems, for example document management or archiving systems that are entrusted with storing accounting-relevant documents. Here the requirement is not only to file the documents unchanged but also to guarantee that state over the long term.
Cash register systems are another current example of software audits. For proper use, these must be equipped with effective technical protection against manipulation. Blockchain technology is used for this purpose, which demonstrably makes the individual POS transactions unchangeable.
Software audits are not tied to any particular industry. Therefore, apps that attach particular importance to reliability or confidentiality, such as for messaging or FinTech transactions, are also possible. Start-ups in particular can benefit from this.
Let us consider together whether a software audit makes sense for your product.