IT Audit
We guide your organization through a holistic digital transformation: securing cloud environments, data, and end-to-end processes while establishing real-time transparency for integrated GRC (iGRC: governance, risk management, and compliance). Through pragmatic IT audits, cybersecurity analytics, data & AI assurance, and strategic CIO advisory and transformation consulting, we ensure that your projects, core business processes, and M&A transactions are future-proof, executed reliably, and regulatorily compliant.
Advisory and audit approach
We act as both architects and auditors within an integrated one-stop-shop model. Drawing on deep industry expertise and hands-on experience, we secure your IT systems, business processes, and strategic transformation initiatives. Whether the engagement concerns IT audit, cyber resilience, data & AI assurance, or project assurance, we identify risks early, strengthen governance, and deliver regulatory-compliant outcomes. We also support strategic efforts, from CIO advisory and Target Operating Model (TOM) design to innovation management, M&A transactions, and IPO readiness. Our objective is maximum transparency, reliability, and efficiency, so that digital innovations and complex regulatory demands are realized successfully.
Quality assurance
We ensure top performance on every engagement through cross-functional collaboration with our Audit, Tax, Legal, and Advisory units, so that strategic risks and opportunities are captured holistically. Our extensive expertise and deep industry know-how enable the pragmatic translation of your business objectives into reliable technology and AI solutions. Transparent communication and agile methodologies are key capabilities in this process. We leverage cloud technologies and GenAI tools to design and drive your digital transformation efficiently and in a future-proof manner.
Range of services
CIO Advisory
The IT strategy is pivotal in driving the core corporate objectives – especially in a constantly changing market.
- We see ourselves as your strategic partner, offering a grounded entry point for developing a future-proof IT strategy. We translate strategic questions into a pragmatic roadmap and concrete digitalization initiatives. We help align business objectives and technology investments, establishing a clear vision for your future enterprise architecture.
- Our service is designed to secure long-term competitiveness and increase the adaptability (resilience) of your organization. We proactively integrate regulatory risks (e.g., EU NIS2 Directive) and create the foundation for insight-driven decisions using data and analytics.
- We support the implementation of your IT strategy – from defining major transformation paths (e.g., cloud migration, digitalization of core processes) to operational scaling. We combine strategic advice with technical expertise, industry knowledge, and operational process proficiency to ensure your strategy is implemented successfully, measurably, and sustainably.
Target Operating Model (TOM) Design
An optimized Target Operating Model (TOM) is the foundation for aligning IT organization and processes to the corporate strategy in an agile, efficient, and scalable manner.
- We support the conception and implementation of a future-proof operating and governance model that increases agility and accelerates decision-making. This includes organizational realignment, defining design principles, and measurable goals for the entire organization.
- The development of the TOM considers the alignment of the entire value chain in product management along the customer journey and defines the necessary technological and operational changes. We model end-to-end processes using a DevOps approach, harmonize handovers, identify automation and AI potential, and create the foundation for the scalable deployment of organizational capabilities.
- We define the organizational design, talent strategy, and governance model to prepare your company for continuous reinvention. This includes role and responsibility definitions, talent and change management strategies, sourcing decisions (make-or-buy), and performance management via KPIs and reporting. This ensures that the organization is not only transformed but that the changes are implemented operationally and remain scalable in the long term.
Innovation Management
Disruption is the new normal, and innovation is the answer. We help you strategically deploy emerging technologies such as artificial intelligence (AI) and automation solutions to achieve new performance levels and structurally build out your innovation capability.
- We guide you in identifying, prioritizing, and managing digitalization and automation initiatives and support the development of new products, services, and business models – from initial ideation to validated prototype and scalable operating model.
- We assess suitability for public funding programs (e.g., KfW Digitalization Funding, stages 2 and 3) and provide holistic advice on investing in emerging technologies and executing complex, profound digitalization programs.
- The objective is the transformation of critical core business functions and supporting operating processes, promoting operational excellence through insight-driven decisions. This involves establishing structured innovation processes, agile methodologies, and a robust governance framework so that innovations are scalable, steerable, and sustainably embedded.
Data, AI & Engineering
The connection of data, artificial intelligence (AI), and engineering enables the transformation of business-critical processes and creates new levers for growth, efficiency, and competitive advantage.
- We modernize your data and infrastructure landscape by establishing a robust data foundation, ensuring data quality, and implementing scalable AI foundries that provide the infrastructure and tools needed for reliable, performant, and secure AI applications.
- Our services include solution architecture, data engineering, DevOps, and cloud infrastructure, designed to accelerate, operationalize, and scale AI and Advanced Analytics initiatives company-wide – from initial pilots to productive deployment in core processes.
- We consistently integrate AI governance, risk management, and compliance mechanisms (e.g., the EU AI Act) to ensure transparency, traceability, and trust in AI systems and provide regulatory assurance for their deployment.
IT Project & Portfolio Management (PPM)
The success of major IT implementations requires professional steering, planning, and monitoring throughout the entire project lifecycle, from ideation to go-live.
- We provide comprehensive functional, methodological, and technological expertise to holistically manage your IT projects, programs, and portfolios (PPM). This encompasses both classic and agile project methodologies, helping you effectively align strategic objectives, resources, and value contribution.
- We support all phases – from requirements analysis through design and development to implementation – ensuring projects are executed purposefully, risk-aware, and in line with time and budget requirements. We integrate modern instruments such as PMO structures (Project Management Office), agile frameworks (e.g., SAFe), and scalable PPM tooling.
- Effective PPM and governance structures are essential for transparent and steerable project execution. They also form the basis for project assurance audits (e.g., IDW PS 850) and enable effective risk management, quality assurance, and reporting.
Change Management
Successful transformations are a team effort and only succeed when people are actively engaged, enabled, and continuously supported, especially during profound changes in work structures, processes, and technologies.
- We help you establish a culture of change and ensure the acceptance of digital solutions and new processes (e.g., within the scope of ERP implementations or new Target Operating Models).
- Our focus is on building future skills and business capabilities to develop employees strategically and realign the organization for an optimal interplay of data, technology, and people.
- The goal is to increase productivity, engagement, and organizational resilience by harmonizing technology and human behavior, and ensuring changes are sustainably embedded in the organization.
(Pre-Deal) IT Due Diligence (IT DD)
Technology is a central value driver, risk factor, and integration lever in M&A transactions, as IT stability, security, and scalability decisively determine the purchase price, future performance, and success of the transaction.
- We conduct comprehensive IT Due Diligence (IT DD) to identify technological risks, cybersecurity vulnerabilities, data and application quality issues, IT costs, synergy potential, and integration impediments early on. This includes evaluating the IT infrastructure, application landscape, data architecture, cloud and DevOps models, and the technological operating model of the target company.
- We analyze carve-out requirements, investment needs, compliance and data protection risks, and Post-Merger Integration (PMI) implications, to secure the strategic and financial rationale of the deal and optimally prepare the subsequent integration.
- We create transparency for informed investment decisions, enhance transaction security, and ensure all relevant technological, legal, tax, and audit-related aspects are considered – to minimize risks and maximize the transaction’s value contribution.
Post-Merger Integration (PMI)
Technology is a crucial lever for success after Mergers & Acquisitions (M&A), as processes and underlying IT infrastructure must be integrated quickly, securely, and with value enhancement.
- We guide the entire Post-Merger Integration (PMI) process to efficiently transition the acquired technology and process landscapes into the existing organization.
- This includes analyzing and integrating IT infrastructure, harmonizing data, and realigning the organization and processes to fully realize the intended synergies, as well as the strategic and financial business benefits from the transaction.
- We ensure transaction security and that all technical, legal, tax, and audit-related aspects of the IT integration are considered, to minimize risks and ensure long-term business success.
IPO (Initial Public Offering) Readiness
A successful Initial Public Offering (IPO) requires a robust, transparent, and regulatorily compliant technology and data landscape, as IT systems, reporting processes, and governance structures are subject to stricter requirements in the capital markets environment.
- We guide the entire IPO process to strategically align your IT, data, process structures, and governance with the operating model of a publicly listed company. This includes an IPO readiness assessment, the modernization of capital market-ready reporting, controlling, and compliance processes, the strengthening of IT governance, cybersecurity, and data quality, as well as ensuring compliance with financial reporting standards (IFRS) and additional regulatory requirements (e.g., ESG).
- Furthermore, we support the establishment of an internal control system (ICS), the management of capital market-relevant KPIs, the implementation of required ERP and financial consolidation systems, and the coordination of all IPO stakeholders, including auditors, banks, legal advisors, analysts and rating agencies, financial investors (institutional and retail), and internal business functions.
- We enhance IPO transparency, strengthen compliance, reduce regulatory and reporting risks, and ensure that all technological, organizational, regulatory, and audit-related requirements are met – enabling a seamless and successful transition to operating as a publicly listed company.
Third-Party Assurance (ISAE 3402 / SOC Reports)
The outsourcing of IT services, including to cloud hyperscalers or FinTech providers, requires compliance with specific regulatory and contractual obligations. Responsibility for the internal control system (ICS) nevertheless remains with the outsourcing company.
- We offer audit and attestation services (third-party reports) based on internationally recognized standards such as ISAE 3402 and SOC 1 (controls relevant to financial reporting), as well as SOC 2 and SOC 3 (controls relevant to the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy).
- These assurance services are an essential tool for managing and overseeing service providers. They provide confidence to customers, external auditors, and supervisory authorities regarding the design of the IT control system (Type 1 reports) and its operating effectiveness over a defined review period (Type 2 reports).
- The goal is to ensure compliance with commercial and tax regulations regarding the proper processing of data within outsourced IT operations.
Governance, Risk & Compliance (GRC)
The management of risks, compliance requirements, and governance structures is an integral component of future-proof corporate management.
- We conduct comprehensive internal controls assessments and audits of integrated GRC systems within multi-layered process and system architectures – such as ERP systems (e.g., SAP) or cloud platforms – where increased levels of automation and complexity require heightened audit intensity.
- Our analyses are based on leading frameworks: COSO (an integrated risk and control framework that supports organizations in achieving their business objectives), COBIT (IT governance, risk management, and compliance), ITIL (IT service management and the delivery of high-quality IT support), and TOGAF (a coherent and efficient IT architecture that supports business requirements). They also cover the applicable regulatory requirements, including IT-SiG 2.0 (German IT Security Act 2.0), the GDPR (General Data Protection Regulation of the European Union), risk management regulations (e.g., KonTraG, IDW PS 340), and whistleblowing regulations (e.g., the EU Whistleblower Directive and the German Whistleblower Protection Act, HinSchG).
- We support organizations in optimizing strategic decision-making and in assessing the effectiveness of their GRC systems, including audits of the internal control system in accordance with IDW PS 982, to ensure maximum transparency and control.
Information Security & Cyber Resilience
Given rising cyber risks and new regulations, ensuring information security has become a critical survival factor for organizations.
- We perform information security audits as well as comprehensive maturity and gap analyses to strengthen your organization’s cyber resilience.
- Our consulting services include compliance with and implementation of standards such as ISO/IEC 27001 ff., as well as for the EU NIS2 Directive (Network and Information Security Directive) and DORA (Digital Operational Resilience Act).
- Our approach provides field-proven recommendations for your cybersecurity strategy and risk management. Additional services: phishing tests (social engineering), security awareness training, Identity & Access Management (IAM), fraud prevention, and technical penetration tests.
Data & AI Assurance
Data, analytics, and AI models are critical to competitiveness, yet they require the highest standards of transparency, reliability, and regulatory assurance to preserve sustainable success.
- We provide independent validation and assurance for business-critical metrics like business model KPIs, ESG data, as well as AI models and algorithms.
- We help you optimize the quality assurance of your reporting and analysis processes while minimizing the risks associated with the use of AI.
- Our services prepare you for current and emerging regulatory requirements, particularly the EU AI Act and the CSRD and ESRS (Corporate Sustainability Reporting Directive; European Sustainability Reporting Standards), which impose stringent requirements for data reliability (e.g., ESG data), data governance, and the auditability of analyses and AI applications, building trust in data-driven decision-making.
Third-Party Provider (TPP) Audits
Outsourcing IT operations, up to and including moving the entire IT landscape to the cloud, requires compliance with specific regulatory and contractual obligations.
- We audit the control systems of your third-party providers (TPP) in areas such as cloud (e.g., hyperscalers), innovative XTech solutions (e.g., FinTech, RegTech, MarTech, InsurTech, PropTech), and established SaaS providers whose product portfolios are continuously expanding with AI-supported solutions (e.g., ServiceNow, Salesforce, Workday). Responsibility for the internal control system (ICS) remains with the outsourcing company; our audits provide the evidence you need to exercise it.
- Our services address sector-specific compliance requirements and supervisory regulations, such as BaFin's BAIT (Supervisory Requirements for IT in Financial Institutions), MaRisk AT 9 (Minimum Requirements for Risk Management – Outsourcing), and the EU DORA (Digital Operational Resilience Act). Relevant information security standards such as ISO 27001, which, depending on the industry and client-specific requirements, may be mandatory or at least useful for assessing a service provider's security measures, are also considered.
- By holistically assessing the maturity level of the service providers’ IT organization, we create transparency and enable effective service provider management.
IT General Controls (ITGC)
The effectiveness of IT General Controls (ITGCs) is critical for the reliability of financial reporting and is inseparable from core business operations.
- We analyze, evaluate, and test IT processes and the control environment to ensure the security, completeness, and accuracy of financial reporting data.
- This includes audit services within the scope of the Annual Financial Statements (AFS) audit according to standards such as ISA 315 (International Standards on Auditing – identifying and assessing the risks of material misstatement through understanding the entity and its environment), ISA 330 (the auditor's responses to assessed risks, i.e., planning and performing audit procedures to address them), and IDW PS 330 (Institute of Public Auditors in Germany – audit standard for risk-based IT system audits within annual financial statement audits), making the dependence of business processes on IT systems transparent.
- Through our risk-based audit and the targeted use of data analytics and process mining, we identify risk indicators that could jeopardize the availability, integrity, and confidentiality of your data.
Application Controls (ACs)
Application controls (ACs) are essential to ensure the correct processing of financial reporting-relevant transactions within specific enterprise applications.
- We focus on auditing system-side controls, particularly in complex ERP systems (enterprise resource planning) such as SAP (S/4HANA, Business One), Microsoft Dynamics 365, Sage, DATEV, or NetSuite, to attest to the proper processing of transactions and compliance with legal requirements.
- These audits are a necessary component of the IT audits within the scope of the Annual Financial Statements (AFS) audit and form the basis for assessing the internal control system (ICS) in place.
- We ensure that your IT-supported business processes function reliably and meet business requirements, for example for GoBD-compliant electronic invoicing (e-invoices) or when operating a tax compliance management system (tax CMS). GoBD are the German principles for the proper management and storage of books, records, and documents in electronic form, as well as for data access.
Internal Controls System (ICS)
An effective internal control system (ICS) is crucial for ensuring the steering and monitoring of IT-supported business processes and securing compliance with legal requirements.
- We assist you in the analysis and optimization of IT-supported business processes as well as the internal control landscape.
- Our audits encompass preventive and detective controls, which in digital processes can largely be implemented system-side as automated controls.
- We assess the design and operating effectiveness of your ICS in accordance with relevant standards such as ISA 330 to ensure the secure and seamless processing of business-critical operations.
Internal Audit
A high-performing Internal Audit enables companies to identify risks early, strengthen governance structures, and continuously improve the effectiveness of processes and controls. With our managed services, we flexibly support you in efficiently expanding and scaling your Internal Audit function – for example, through demand-oriented extensions with fraud analyses and software audits – and ensuring its long-term performance.
- We take over individual audit mandates or entire audit programs in a co-/outsourcing model, ensuring a risk-oriented, methodologically sound execution.
- Our experts support you in the continuous development of your Internal Audit function, from planning and auditing to quality assurance in accordance with current standards such as the Global Internal Audit Standards (GIAS), the new international standards of the IIA (Institute of Internal Auditors).
- Through the deployment of modern technologies and data-driven audit approaches, we sustainably increase the effectiveness, transparency, and value of your audit function.
Project-Related IT Audits
For major IT implementations or system migrations (e.g., ERP, Cloud), early assurance of compliance and security is critical.
- We conduct project-related IT audits according to standards like IDW PS 850 (Institute of Public Auditors in Germany – Audit Standard: Project-related audits for IT applications) to attest to the compliance and transaction security of your implemented systems and associated business processes.
- As an independent third party, we support you in all project phases, from conception to implementation, including the integration of due diligence audits in IT projects, covering the analysis of IT infrastructure, security requirements, and change management. We ensure that all compliance and security requirements are met.
- The goal is risk minimization and ensuring that new IT projects align with your corporate objectives and comply with regulatory requirements.