IT Audit

Digitalisation is an important building block for the success and growth of a company. It takes determination, vision and discipline to break down and digitally transform traditional departmental processes. You need a strong partner at your side when introducing new digital solutions – from large ERP systems through to small web-based tools – or when improving existing processes. At Kleeberg, we provide support during your digital projects and vigorously protect the open flanks to risk, compliance and IT security.

Advisory and audit approach

We are structurers, we are auditors. We effectively apply our knowledge and experience as a whole to your company and your project. On the one hand, we never lose sight of the big picture, but on the other hand we also attend to the small, important details in order to put your IT system or your business process on a stable footing. We are system-independent and ensure the greatest compatibility for the task at hand. Whether blockchain or document processing, Robotic Process Automation (RPA) or procedure documentation, tax compliance or user management: When implementing your innovative digital strategy, our primary goal is to provide you with the necessary process and legal security. If we don’t already know where the risks lie, we will find them and put an internal control system in place to get them under control.

Quality assurance

We strive to provide you with the best possible service. We achieve this because we constantly exchange information and ideas with the other specialist areas of Tax, Audit, Legal and Advisory and have been able to build up a wealth of experience through many joint projects in different sectors. We understand you and your business and can implement your requirements in the IT world. Transparent communication is one of our key skills. We work in an agile and flexible way and are just as enthusiastic about the latest digital tools as you are.

Range of services

Digitalization of business processes

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.

Digital travel expense reporting speeds up the sluggish and paper-intensive process within the company and simplifies the work of everyone involved. As the recording and processing of travel expenses is relevant under commercial and tax law, important prerequisites must be clarified before setting up and operating the system.

We will support you in your project to digitise travel expenses. It is about choosing a suitable solution and then deciding how the supporting documents are to be submitted in digital form and whether, for example, they can be stored abroad. There are also a few things to consider when travel expense reports are outsourced to service providers or when portal solutions are used.

We analyse your existing IT business processes and identify inefficiencies and weaknesses. With a view to advancing digitalisation in your company, we show you how hidden potentials can be leveraged and processes improved.

We naturally also keep an eye out for legal aspects. During our audits, we measure your processes against applicable accounting regulations and tax requirements. But also the fulfilment of the requirements of the IT Security Act or the EU General Data Protection Regulation is analysed during our audit. Due to the increase in sector-specific requirements, the conformity of your processes or IT systems with industry standards, ISO standards or generally recognised frameworks such as COSO or COBIT is also becoming increasingly important.

What would digitisation be without data? Data is the gold of our time. It’s no longer just search engines that glimpse into the future with their stock of big data. Even company ERP systems no longer handle the processes today without producing vast amounts of data for every procedure, every process step. This data documents what has happened and thus allows extensive analyses to be carried out in order to identify weaknesses in the internal control system, faulty procedures in the process/at interfaces, fraudulent actions in the company and future developments (predictive analysis).

With our data analysis and process mining tools, we support companies in evaluating and optimising their core processes such as purchasing or sales or their authorisation concepts. We also support our  professional peers with data analyses during an annual audit of financial statements or an internal audit and evaluate process flows, critical authorisations or conflicts involving the segregation of functions.

Processing documents such as incoming invoices must always comply with the requirements of commercial and tax legislation. A major advantage is that the requirements are kept technology-neutral, which means that the use of certain systems or technologies is not mandatory for your company.

The GoBD (principles for the proper keeping and storage of books, records and documents in electronic form and for data access) set the pace for a legally compliant design of digital document processing. These principles contain essential guidelines that every process must follow. But the Value Added Tax Act also contains important guidelines for dealing with (electronic) invoices.

IT security and compliance

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.

Cyber security therefore requires a whole-system approach within the company. Threats have long since arisen not only at a technical level. And they do not only affect the IT department. Cyber security is a global corporate risk that is present in all areas of the company, in all departments and at all times. It is the task of corporate management to set the tone.

Each IT system must be individually assessed and protected. In a cyber security assessment, we analyse the current IT situation in your company and identify process-related weak points in a total of 13 domains. In doing so, we proceed with the utmost sensitivity and professionalism. We compare the level of maturity identified with our target concept and on this basis provide recommendations for action for you. With our assessment, decision-makers can better align IT security management with business objectives. Overall, IT security becomes more flexible, scalable and efficient. Threats are averted before anything happens.

Phishing Prevantation

With our customized and controlled phishing tests you can evaluate the effectiveness of your existing security measures and identify potential vulnerabilities in your organization even before cybercriminals can exploit them. By simulating realistic phishing scenarios, we can analyze your employees’ response to this threat and provide you with valuable insights into how well your company is prepared for such attacks.

Advantages of our controlled phishing attacks:

Early detection of vulnerabilities: By conducting controlled phishing tests, we can identify potential vulnerabilities in your security systems early and help you to address them before they are exploited by real attackers.

Employee awareness: our simulated phishing attacks serve as an educational tool to raise your employees’ awareness of the dangers of phishing. They learn to recognize suspicious emails and respond appropriately.

Strengthening your security measures: Our comprehensive post-phishing reports allow you insight into the effectiveness of your current security protocols. Thus, you can improve and optimize your security strategies in a targeted manner.

Trust in relationship with customers and partners: By demonstrating that you are proactively improving your company’s security and raising employee awareness, you are building trust in your relationship with customers, partners, and other stakeholders.

Regulatory compliance: Many industries have regulatory requirements that require proper security screening. Our phishing tests help you to comply with these regulations and fully meet all necessary industry standards.

With our team of experienced IT auditors and cybersecurity experts, we are by your side throughout the entire process, from planning and conducting tests to evaluating results and making recommendations to improve your security measures.

The security of your company’s data and systems is our top priority. With our controlled, staged phishing tests, you’ll be well-equipped to protect yourself from ever-growing cyber threats and minimize the risk of security breaches.

Contact us today for more information about our phishing testing services. Together, we can strengthen your cyber defenses and protect your business from the dangers of the digital world.

Well-functioning user management is the cornerstone for access to an IT system. A standardised process for creating and deleting users should therefore be set up in the company involving the HR department. Logging on to the system should meet stringent security requirements, such as a strong password or two-factor authentication.

Authorisations control access to the data in a system. Protecting this data is of key importance. Therefore, a regulated process for the definition of roles and rights as well as a documented authorisation concept are beneficial (access management).

The experts at Crowe Kleeberg IT Audit examine the user management and access management in your company. We identify weaknesses in processes and examine individual rights with the aid of data analysis. At the same time, we also check compliance with the segregation of functions and thus the compatibility between functions in the company. In particular, we ensure that operational functions are not combined with controlling functions. For example, an order (operational task) and the corresponding receipt of goods (controlling task) should not be recorded by one and the same person.

The provisions of the EU General Data Protection Regulation (EU GDPR) and the new German Federal Data Protection Act (BDSG-neu) have been in force since 25 May 2018. Although the regulations are basically nothing new, especially the much stricter penalties for non-compliance are prompting companies to bring their data protection up to date.

When it comes to the sensitive issue of data protection, you want to do everything right. Kleeberg is your competent partner for achieving this. Together with our IT and legal experts, we are an unbeatable team that can understand and correctly assess the (IT) processes in your company.

Nowadays, companies have to be flexible. For this reason, they outsource important functions and business processes to service providers who have specialised in a particular line of business and offer their services in a cost-saving and efficient manner (outsourcing). In addition to classic services such as payroll accounting or logistics, IT and digital services via the cloud such as hosting/housing, operation of ERP systems or travel expense platforms are gaining in importance.

Service providers are very important. This is because companies can outsource (sub-) processes, but they cannot delegate responsibility for the correctness and security of the outsourced processes. Service providers must therefore be trustworthy for outsourcing companies. And trust can only be gained and maintained with a high degree of transparency. Audits according to ISAE 3402 and IDW PS 951 have been put in place for this very purpose.

We have many years of expertise in audits according to ISAE 3402 and IDW PS 951. Internal control systems are our speciality. We can advise you competently on the development and implementation of your internal control system. We carry out our audits with modern digital tools, saving time and resources and, of course, also by video conference on request.

Data analysis is suitable for detecting and tracing fraudulent actions in the company. Weaknesses in the internal control system, ingrained workflows and a long-standing position of trust often open up an opportunity that, coupled with a motive and personal reasons, causes financial damage to the company or destroys its reputation. But in the vast majority of cases, such events leave digital traces in the systems, which we examine for anomalies with the aid of data analyses.

Financial and tax audit

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.

Companies have the opportunity to invalidate any accusation of intent or negligence in the violation of their tax obligations if they have set up what is known as an internal control system – the term tax compliance management system (Tax CMS) is also used in this context. To this end, tax risks must be identified and suitable, if necessary also IT-supported, control measures implemented.

The goal is always to submit timely and correct tax returns and to fulfil other tax obligations without losing sight of the legally permissible scope.

For companies, a Tax CMS is an essential instrument for managing tax risks. However, a tax compliance management project should not only be seen from the perspective of the tax authorities. It should, ultimately, also bring added value to the company.

A major driver for a functioning Tax CMS is therefore also tax optimisation from the company’s perspective and the achievement of this goal through a high degree of standardisation and automation.

  • We can support you and your company in implementing a functioning tax compliance management system.
  • To offer you our services in the best and most effective quality, we work hand in hand with our experts in IT Audit.
  • If you already have a tax compliance management system in place, we will support you with an audit. This gives you the assurance that the processes put in place are appropriate and effective and that you can continue to have confidence in them.

Functioning IT is essential for your company. You cannot afford to have any failures or errors in processes. IT does not only have a supporting function! Demanding that “IT simply has to work!” is no longer sufficient. IT is the driving force in the company. Just like in the other departments of your company, it is important to recognise and control risks in this connection.

This usually involves complex issues such as authorisations, data backups or interfaces. The findings from an audit not only help the  auditor of the financial statements during his audit, it also serves as a yardstick for your company and shows strengths and weaknesses.

Our IT audit is based on the auditing standard 330 of the IDW (Institute of Public Auditors in Germany – IDW PS 330) and basically covers the following areas:

  • IT strategy and IT organisation
  • IT environment
  • IT infrastructure with the subareas of “Physical protection”, “Logical access controls”, “Data backups” and “Emergency concept”
  • IT applications
  • IT-supported business processes
  • IT monitoring and
  • IT outsourcing

We attach great importance to communicating our results in a way that is appropriate for the target group. In doing so, we not only point out weak points, but also give recommendations for action for rapid implementation and improvement.

We are happy to support professional colleagues.

Software certifications target software manufacturers who would like to have the functionality of their software certified by an independent body so that they can present themselves as competent partners on the market. Naturally, the focus in this context is first and foremost on financial accounting systems that are subject to stringent legal requirements.

Software audits are also interesting for other systems, such as document management or archiving systems tasked with the storage of documents relevant for accounting. In this case, it is not only important to store the documents unchanged, but also to guarantee this state for a long time.

Another current example of software audits are cash register systems. These must have effective technical protection against manipulation for proper use. The new blockchain technology is used for such purposes, which makes the individual cash register transactions verifiably unalterable.

Software audits are not tied to any particular sector. Therefore, apps that place special emphasis on reliability or confidentiality, such as for messaging or FinTech transactions, are also eligible. Start-ups in particular can benefit from this.

Let’s jointly consider whether it makes sense to have a software audit for your product.

The term “due diligence” is usually used in connection with company acquisitions when the legal situation and financial circumstances of a company are subjected to a risk analysis with “due diligence”. The classic components of a due diligence are finances, legal matters and tax. But this alone would not yet include everything: With an “IT due diligence”, the opportunities and risks within a company’s IT can be examined. Essential components of this are as follows:

  • Future sustainability of the existing IT infrastructure and organisation
  • Complexity of IT processes
  • Application development (Software Development Life Cycle, SDLC)
  • Process security within IT applications
  • Security within IT systems
  • Data protection compliance of IT systems
  • Change management
  • Licence management
  • Open source management: Especially when internally developed software is a major factor in the acquisition of a company, the handling of open source software, the use of which is often free of charge but not free of certain obligations, plays a key role in the context of IT due diligence.

Within the framework of IT due diligence, the experts at Crowe Kleeberg IT Audit use a standardised and tried-and-tested list of questions that can be used to quickly identify red flags.

Internal controls and risk management

Procedure documentation is now requested in every tax audit. Due to complex tax-relevant processes such as the connection of web shops, cash register systems or the processing of electronic invoices, this is an understandable step. After all, the tax auditor needs to gain an overview of the systems used within a reasonable period so that he can conduct a precise audit. If no procedure documentation can be presented, this has a negative effect on the audit atmosphere and the results. In the worst case, there is a risk of the accounts being rejected and additional estimates being made. We can set you up for a tax audit so that you can tick off the topic of procedure documentation with peace of mind.

Most companies have documentation such as work instructions, user guides, technical manuals or process descriptions of their main workflows. These are just not yet summarised under the uniform term of procedure documentation. With the professional support of our IT experts, procedure documentation can be set up in five standardised steps.

Companies face the challenge of minimising various risks in connection with their internal business activities. Rules and regulations for employees can only partially prevent these. For example, an internal control system and monitoring system are required in order to manage processes in finance as smoothly as possible. An internal control system (ICS) consists of both preventive and detective controls, most of which can be carried out on the system side within the IT framework.

As a first step, we analyse the current state of your business processes, create an awareness among your employees of any weaknesses with the help of a risk-control matrix and then implement an ICS in cooperation with you, taking into account ISA [DE] 330, which can ensure secure and smoother processes.

Business models, processes and systems are becoming increasingly complex, global and digital. As complexity increases, so does the need for an adequate monitoring of processes through internal control systems. A well-functioning Internal Audit ensures efficient core business processes. As a rule, in addition to actually conducting the IT audits, we perform the following tasks specifically tailored to the performance of the internal IT audit:

  • Set-up an Internal Audit function
  • Examine Internal Audit systems
  • Identify the risks and controls relevant for the audit based on a comprehensive understanding of the nature of the business
  • Define a control-based audit strategy
  • Submit reports on the audit of internal controls
  • Conduct an IT audit
  • Ensure compliance and risk management
  • Provide support during certifications (e.g. IDW PS 951, ISO 27001)
  • Support and prepare for SOX audits
  • Conduct data analyses (IDEA)
  • Investigate fraudulent and illegal activities

In the course of performing our audits, we work in close cooperation with Internal Audit and/or the audited entities through timely and personal communication. The results of our audit are provided in detailed lists of findings and recommendations. These are coordinated with the audited unit and appropriate measures to remedy the weaknesses are discussed and then set down in writing.


Your contact for IT Audit