Certification of service companies: IDW PS 951 n.F. / ISAE 3402

The digitalisation of processes and the use of cloud computing mean that (sub)process and company data are increasingly being outsourced.

As a service company that offers outsourcing options, it is important that you obtain a certificate in accordance with IDW PS 951 n.F. / ISAE 3402. This builds trust with your customers.

RESPONSIBILITY REMAINS WITH THE OUTSOURCING COMPANY

Responsibility for the outsourced processes and information always remains with the outsourcing company. As sensitive customer information and therefore personal data is often affected by outsourcing, control measures must be implemented by the outsourcing company. This involves checking compliance with the contractually agreed and legally enforceable requirements. The service provider is often also audited by the auditor as part of the annual audit. Professional service providers can therefore be subject to a large number of external requirements and audits.

CERTIFICATION AS PROOF OF SERVICE QUALITY

It is therefore often worthwhile for the service company to commission an audit of the internal control system (ICS) by an independent auditing company.

Following the successful completion of an audit in accordance with audit standard IDW PS 951 or ISAE 3402, the appropriateness (type 1) or appropriateness and effectiveness (type 2) of the service-related internal control system is certified.

Please click to enlarge

An audit and certification of the internal control system has two decisive advantages.

ONE AUDIT FOR ALL

The audit can greatly reduce the resources required by the service company's employees for external audits, as the certificate can be used for all customers.

Instead of answering an individual catalogue of questions for each customer or accompanying an individual audit, there is only one audit by qualified auditors.

The ‘Audit of the internal control system at the service company for functions outsourced to the service company’ (IDW PS 951 as amended) provides a comprehensive audit and certification of the effectiveness of an appropriate ICS, meaning that further audits by external auditors in the areas covered are generally no longer necessary.

CERTIFICATION OF SERVICE QUALITY AS A MARKETING TOOL

The importance of IT security and transparency is increasing significantly, especially for service providers. Proof of an appropriate level of IT security not only offers competitive advantages over competitors, but is now required as standard. A lack of certification can quickly be a knock-out criterion.

Due to the IT Security Act and the special public interest in cyber and data protection risks, an increased sensitivity can be felt. The pressure is now also increasing for small and medium-sized enterprises (SMEs) due to numerous regulations and legal requirements as well as sanctions for non-compliance (e.g. GDPR).

The IDW PS 951 standard and its international counterpart ISAE 3402 have already proven their worth as proof of a professional organisation and a functioning internal control system (ICS) for service providers in all sectors.

IDW PS 951 N.F. / ISAE 3402 - A CERTIFICATE FOR MORE SECURITY

Regardless of whether you are a customer or service provider and have handed over or taken over outsourced functions: You benefit from a certificate in accordance with IDW PS 951.

As a customer, you can be sure that your processes are in good hands. When selecting a new service provider, you should therefore always ask for appropriate certification.

As a service provider, you can demonstrate your high quality standards to potential new customers and thus gain demanding new customers and strengthen the loyalty of your existing customers. You will also benefit from the expertise of the auditor, who will often be able to point out ways to increase efficiency based on their experience with comparable companies.

An internal control system does not work in all cases - however, if something does happen, the regular audit will provide you with proof that you have implemented the necessary risk management measures - and can therefore deny organisational culpability.

If you have any questions about the structure and documentation of an internal control system or about auditing in accordance with IDW PS 951 n.F. or the international standard ISAE 3402 (Type I / Type II), we will be happy to assist you.