Risk & Compliance

The control and monitoring of risks and the management of compliance functions are becoming increasingly important for companies. The outsourcing of important business processes and the monitoring of service providers are becoming increasingly important. Increasing transparency and documentation requirements as well as the digitization of the business world are challenging companies. Also on the legal side, new requirements such as the General Data Protection Regulation (GDPR, EU-DSGVO) or tax aspects such as tax compliance management systems are constantly coming up.

We only have our risks under control together

Audits according to ISAE 3402 and IDW PS 951

Today companies have to act flexibly. For this reason, they outsource important functions and business processes to service providers who have specialized and offer their services cost-effectively and efficiently. In addition to classic services such as payroll accounting, central settlement or logistics, digital services via cloud computing (see right) are becoming increasingly important.

The service provider is of great importance. Because companies can outsource (sub) processes, but they cannot hand over responsibility for the correctness and security of outsourced processes. The service provider must therefore create trust in the outsourcing company. And trust can only be won and maintained with a high degree of transparency. For this purpose there are audits according to ISAE 3402 and IDW PS 951.

Types of Cloud Computing

Provision of computer infrastructure, usually in a dedicated data center. Offers high scalability because additional storage capacity or computing power requirements can be quickly met. In particular, the service provider must provide sufficient physical protection measures, an emergency concept, data backup measures and change management.

Provision of software. Access and use are via the Internet. The advantage for the company is that it does not need its own IT infrastructure. However, the company has less influence as a result. The storage location of the data has to be regulated. Also important are coordinated interfaces, proper parameterization of the software and functioning user and access management.

Provision of a platform for the development or operation of self-developed applications. Such an environment provides the necessary hardware and software and, in addition to the production system, also offers development and test environments for implementing the entire Software Development Life Cycle (SDLC). Sufficient change management, a strong authorization concept and multi-client capability are important here.

“Everything as a Service” is the collective term for all services that can be provided digitally. Also the three already mentioned services belong to it. There are fine gradations in this range. The most important are probably “Security as a Service” (SecaaS), in which security components such as a firewall or an intrusion detection system can be used via the cloud, or “Compliance as a Service”, in which compliance with legal requirements is supported or monitored by the service.

Our Strengths

The experts at Crowe Kleeberg IT Audit support and audit service providers from the following areas

  • Data center operations
  • SAP Basis and Hosting
  • Managed Services
  • Mobile Payment
  • IAM Identity and Access Management
  • Central regulation
  • Billing processes
  • Document management
  • Money and value services
  • Property management

We also actively support you in the implementation of your ISAE 3402 or IDW PS 951 project. We should start with a workshop in which we determine the legal requirements, create the framework for an internal control system and make you fit for the audit.

Get in touch with us and get a quote.

    Assurance reports on controls at a service organization according to ISAE 3402 and IDW PS 951

    To prove that their service is provided in a continuously high quality, service providers can undergo an audit, better known under the terms ISAE 3402 or IDW PS 951. This audit takes a close look at the service provider’s internal control system (ICS). The ICS contains measures and controls that are intended to control the main risks that have an impact on the outsourced business process and thus on the actual service.

    An audit answers the following questions:

    • Is the internal control system of the service provider based on suitable legal and industry-specific requirements? This could be, for example, the case:
      • GoB (principles of proper accounting)
      • GoBD (Principles for the compliant keeping and storage of books, records and documents in electronic form as well as for data access),
      • ISO 27001 (Information Security Management Systems)
      • COBIT (Framework for IT Governance)
      • SOC 2 (Trust Services Criteria/AICPA, see here for more details)
      • MaRisk (Minimum Requirements for Risk Management)
      • PCI-DSS (security standard for credit card payments).
    • Is the description of the internal control system at the service provider presented fairly and comprehensibly?
    • Are the controls described suitably designed and actually in place?
    • Have the controls described also been operated effectively over a certain period of time? (This question will only be answered during an audit according to type 2.)

    Reporting provides the necessary transparency for the outsourcing company and the certainty that the service provider has his risks under control. The audit according to ISAE 3402 or IDW PS 951 has meanwhile also become an essential requirement for selection procedures. Many companies require such an audit at regular intervals. For the service provider it is thereby also an important marketing instrument.

    Are you a service provider?

    We have many years of expertise in audits according to ISAE 3402 or IDW PS 951. We provide you with competent advice on setting up an internal control system and carry out our tests with modern digital tools to save time and resources. Of course we will, if possible, carry out a remote audit (e.g. via video conference).

    Book Tip

    In April 2018, in the series “Praxistipps IT” (“Practical IT Tips”), the book “Jahresabschlussprüfung bei Outsourcing und Cloud-Computing” (Financial audit with outsourcing and cloud computing) was published by IDW-Verlag, in which Martin Lamm, Managing Director of Crowe Kleeberg IT Audit, contributed as author. The book offers a comprehensive insight into the procedure for an audit when essential functions and processes have been outsourced to a service provider. It illustrates typical use cases with practice-relevant examples, which donate a high use also for service provider.

    → You can order the book here

    Risks lurk everywhere


    of companies are believed
    to be the victims of an attack.
    61% are definitely.

    (“Live Security Study 2017/2018” of the Bitkom Research GmbH)

    Cyber Security

    The increasing opening of IT systems through interfaces, electronic communication and outsourcing is increasingly required by business partners. Experts forecast an exponential increase in the number of networked devices and systems to 25 billion by 2021. Because every IT system can have security gaps, the risk of data theft, encryption and sabotage by cyber criminals also increases.

    Cyber security therefore requires a holistic approach within the company. Threats have long since arisen not only at the technical level. And they don’t just affect the IT department. Cyber security is a global corporate risk that is present in all areas of the company, in all departments and at all times. It’s up to management to set the tone.

    A Cyber Security Assessment brings assurance

    Every IT system must be individually evaluated and protected. A Cyber Security Assessment by Crowe Kleeberg IT Audit analyses the current IT situation in your company and identifies weak points in a total of 13 domains (see right). Based on the maturity level determined, a comparison is made with the target concept. The findings from this form the basis for recommendations for action.

    Our security and risk specialists are independent experts in their field and proceed with the utmost sensitivity and professionalism. We take your security concerns seriously and work together to find the best solutions.

    After our assessment, decision-makers can better align IT security management with business objectives. Overall, IT security is becoming more flexible, scalable and efficient. The goal is to detect and manage threats before they happen.

    13 Domains

    The Cyber Security Assessment by the experts of Crowe Kleeberg IT Audit covers the following 13 domains:

    • Strategy
    • IT Architecture
    • Governance & Compliance
    • Policies
    • Awareness
    • Asset Management
    • Risk Management
    • Third Party Management
    • Data Protection
    • Identity & Access Management
    • Host & Network Security
    • Software Security
    • Incident and Business Continuity

    We have to be on the safe side from a tax point of view

    Tax Compliance

    Companies have the opportunity to refute a possible allegation of intent or recklessness in violating their tax obligations if they have set up a so-called internal control system. To this end, tax risks must be identified and suitable IT-supported management measures implemented if necessary. From the legislator’s point of view, the aim is to submit timely and correct tax returns and to fulfil other tax obligations.

    For companies, an internal control system (ICS) – in this context, the term Tax Compliance Management System (Tax CMS) is also used – is an indispensable instrument for controlling tax risks. However, a tax compliance management project must not only be seen from the point of view of the tax authorities. Finally it should bring also an increase in value for the enterprise. A big driver for a functioning tax ICS is therefore also the tax optimization from view of the enterprise and the achievement of this goal by a high standardization and automation degree.

    Your Chance

    “If the taxpayer has set up an internal control system designed to ensure compliance with tax obligations, this may be an indication that there is no intention or recklessness, but it does not exempt the taxpayer from examining the individual case”. (see → Anwendungserlass zu § 153 AO, Tz. 2.6, German version only)

    Components of a Tax CMS

    The culture within the framework of a Tax Compliance Management System forms the framework for the basic attitude and behaviour of all persons involved in the company. It is about the individual employees and their qualifications, their behaviour in accordance with the rules and their cooperation and communication with the management, superiors and colleagues.

    The objectives in a tax compliance management system are the decisive factor for the identification of risks and the establishment of suitable measures. Objectives are basically derived from the legal requirements, here primarily from the Tax Code. For an effective Tax CMS, however, it is crucial that these objectives are coordinated with each other and that further industry-specific and company-specific objectives are included.

    A strong tax compliance management system needs a strong organization. Roles and responsibilities as well as the distribution of tasks are to be regulated via the organizational structure. Rules must be defined for efficient process organization. The tax department in particular is of central importance, as it is often regarded only as the receiving office. It is important, however, that a tax department is included in all business processes and that it is allowed to help shape those processes that have tax relevance.

    The risks in a tax compliance management system are of central importance because they determine the measures to be taken. Risks relating to the individual tax obligations (notification, cooperation, declaration, storage, etc.) must be analysed and evaluated taking into account the possible effects (administrative offence up to tax evasion).

    The programme is a central, albeit not the only, section defining the measures themselves. With the individual risks in mind, the individual measures used for risk management are described here. There are preventive measures to avoid errors in the control process and detective measures to detect errors as soon as possible so that the necessary corrections can be initiated in good time.

    Regulated communication within the framework of a tax compliance management system is aimed at identifying and communicating risks to the tax cosmos of a company. Even more important, however, is the introduction of a regulated process for handling and communicating a tax violation. This can include a correction up to reports to internal or also external places like authorities.

    Once set up, a Tax CMS is not a self-runner. Constant changes of the business processes and the organization require a continuous update of the Tax CMS. The risks and the measures implemented must be put to the test regularly and on a rolling basis. Were new risks added because the company’s tax cosmos has expanded? Do the existing measures still make sense and fulfil their purpose? Have measures been replaced by other/better ones in the meantime?

    Setup of a Tax Compliance Management System

    A tax compliance management system consists of a multitude of different measures, procedures, guidelines and controls that are individually adapted to the company and its tax cosmos. In order to define these measures properly, the experts at Crowe Kleeberg IT Audit start by identifying the risks.

    To this end, we have developed a catalogue comprising more than 300 questions and risk areas. Of course, the focus here is on VAT and payroll tax, because these tax types affect every company and harbor the highest risk potential. Other fields covered by our questionnaire include income taxes, transfer pricing documentation, document retention, IT and personnel as well as external audits. We work hand in hand with the tax and legal experts at → Dr. Kleeberg & Partner so that we can offer you the best quality of our services.

    Starting in your tax department, we record the existing tax processes and document them. It is always important to identify existing measures. If we discover that an important control mechanism is missing and risks continue to exist as a result, we develop recommendations for action that contribute to the improvement of your tax ICS.

    Minefield VAT

    The area of value added tax in particular involves a high risk potential for the company. This is mainly due to the following factors:

    • Both inbound and outbound are mass operations whose VAT treatment is controlled by system configurations and parameterization, with the proviso that they reflect the complexity of VAT law.
    • In addition to accounting, other specialist areas (mainly purchasing, sales, marketing) are confronted with VAT matters, but sufficient tax know-how is not consistently guaranteed.

    In order to ensure that your VAT-related facts are fully correctly accounted for and that the monthly VAT returns are not a stumbling block, we deal with our VAT experts from  → Dr. Kleeberg & Partner GmbH for you the following tasks:

    • In-depth analysis of your service relationships and building a sales tax cosmos
    • IT-supported review of existing VAT discovery rules in your systems
    • Creation / update of a VAT Rule Set for the complete and correct determination of VAT for your service relationships
    • Configuration of your ERP system based on the VAT Rule Set for automatic VAT discovery
    • Implement meaningful and automated test routines to detect errors

    Audit of a Tax Compliance Management System

    If you already have a Tax Compliance Management System, we will support you with an audit. This gives you the assurance that the processes set up are appropriate and effective and that you can continue to rely on them.

    Data protection puts each individual in the centre of attention

    Data Protection

    Since 25 May 2018, the provisions of the General Data Protection Regulation (GDPR, EU-DSGVO) and the new Federal Data Protection Act (BDSG-neu) have applied. Although the regulations in this regard are nothing new, the significantly increased catalogue of penalties for non-compliance in particular will lead companies to bring their data protection situation up to date.

    Your data protection project

    BeiWhen it comes to the sensitive issue of data protection, you want to do everything right. Crowe Kleeberg IT Audit is your competent partner. Together with the legal experts at → Dr. Kleeberg & Partner, we form an unbeatable team to understand and correctly assess the (IT) processes in your company. We offer you:

    • Data protection quick check: We assess the data protection declaration on your website and scan all relevant contracts with customers, suppliers and service providers for possible data protection risks.
    • Competent advice on individual questions: Often these are small questions with a big impact. Should we prohibit WhatsApp in the company? Are we processors when we provide support services via remote access? Our legal experts answer every question.
    • Data protection training: In order to promote a uniform understanding among employees and to identify and avoid the main risks involved in processing data within the company, we conduct employee training courses on the subject of data protection.
    • Development of records of processing activities: An essential component of an effective data protection management system in the company are the records of processing activities, in which the handling of personal data, the affected parties, the addressees and other procedural information are described. The obligation to draw up records of processing activities cannot be circumvented in principle. They must be submitted to the data protection supervisory authorities on request.
    • Data Protection Management System (DSMS): A DSMS comprises all measures in the company that are necessary to comply with data protection requirements. These are – based on the processing directories and a possible data protection impact assessment – in particular the establishment of technical and organisational measures (TOM) to protect the data. These measures can be process-related or cross-process. We support you in setting up, revising or auditing your DSMS.

    Personal Data

    According to Art. 4 No. 1 GDPR, “personal data” means any information relating to an identified or identifiable natural person. This includes in particular:

    • Name, age, marital status, date of birth
    • Address, telephone number, e-mail address
    • Account number, credit card number
    • Vehicle registration number

    The processing of the following personal data is subject to strict conditions pursuant to Art. 9 GDPR:

    • Racial or ethnic origin, political opinions, religious or philosophical beliefs,
    • Trade union membership,
    • the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person,
    • data concerning health or data concerning a natural person’s sex life or sexual orientation

    Get in contact with us