IT Audit

Digitalisation is an important building block for the success and growth of a company. It takes determination, vision and discipline to break down and digitally transform traditional departmental processes. You need a strong partner at your side when introducing new digital solutions – from large ERP systems through to small web-based tools – or when improving existing processes. At Kleeberg, we provide support during your digital projects and vigorously protect the open flanks to risk, compliance and IT security.

Advisory and audit approach

We are structurers, we are auditors. We effectively apply our knowledge and experience as a whole to your company and your project. On the one hand, we never lose sight of the big picture, but on the other hand we also attend to the small, important details in order to put your IT system or your business process on a stable footing. We are system-independent and ensure the greatest compatibility for the task at hand. Whether blockchain or document processing, Robotic Process Automation (RPA) or procedure documentation, tax compliance or user management: When implementing your innovative digital strategy, our primary goal is to provide you with the necessary process and legal security. If we don’t already know where the risks lie, we will find them and put an internal control system in place to get them under control.

Quality assurance

We strive to provide you with the best possible service. We achieve this because we constantly exchange information and ideas with the other specialist areas of Tax, Audit, Legal and Advisory and have been able to build up a wealth of experience through many joint projects in different sectors. We understand you and your business and can implement your requirements in the IT world. Transparent communication is one of our key skills. We work in an agile and flexible way and are just as enthusiastic about the latest digital tools as you are.

Range of services

Nowadays, companies have to be flexible. For this reason, they outsource important functions and business processes to service providers who have specialised in a particular line of business and offer their services in a cost-saving and efficient manner (outsourcing). In addition to classic services such as payroll accounting or logistics, IT and digital services via the cloud such as hosting/housing, operation of ERP systems or travel expense platforms are gaining in importance.

Service providers are very important. This is because companies can outsource (sub-) processes, but they cannot delegate responsibility for the correctness and security of the outsourced processes. Service providers must therefore be trustworthy for outsourcing companies. And trust can only be gained and maintained with a high degree of transparency. Audits according to ISAE 3402 and IDW PS 951 have been put in place for this very purpose.

We have many years of expertise in audits according to ISAE 3402 and IDW PS 951. Internal control systems are our speciality. We can advise you competently on the development and implementation of your internal control system. We carry out our audits with modern digital tools, saving time and resources and, of course, also by video conference on request.

Processing documents such as incoming invoices must always comply with the requirements of commercial and tax legislation. A major advantage is that the requirements are kept technology-neutral, which means that the use of certain systems or technologies is not mandatory for your company.

The GoBD (principles for the proper keeping and storage of books, records and documents in electronic form and for data access) set the pace for a legally compliant design of digital document processing. These principles contain essential guidelines that every process must follow. But the Value Added Tax Act also contains important guidelines for dealing with (electronic) invoices.

Digital travel expense reporting speeds up the sluggish and paper-intensive process within the company and simplifies the work of everyone involved. As the recording and processing of travel expenses is relevant under commercial and tax law, important prerequisites must be clarified before setting up and operating the system.

We will support you in your project to digitise travel expenses. It is about choosing a suitable solution and then deciding how the supporting documents are to be submitted in digital form and whether, for example, they can be stored abroad. There are also a few things to consider when travel expense reports are outsourced to service providers or when portal solutions are used.

Procedure documentation is now requested in every tax audit. Due to complex tax-relevant processes such as the connection of web shops, cash register systems or the processing of electronic invoices, this is an understandable step. After all, the tax auditor needs to gain an overview of the systems used within a reasonable period so that he can conduct a precise audit. If no procedure documentation can be presented, this has a negative effect on the audit atmosphere and the results. In the worst case, there is a risk of the accounts being rejected and additional estimates being made. We can set you up for a tax audit so that you can tick off the topic of procedure documentation with peace of mind.

Most companies have documentation such as work instructions, user guides, technical manuals or process descriptions of their main workflows. These are just not yet summarised under the uniform term of procedure documentation. With the professional support of our IT experts, procedure documentation can be set up in five standardised steps.

Companies have the opportunity to invalidate any accusation of intent or negligence in the violation of their tax obligations if they have set up what is known as an internal control system – the term tax compliance management system (Tax CMS) is also used in this context. To this end, tax risks must be identified and suitable, if necessary also IT-supported, control measures implemented.

The goal is always to submit timely and correct tax returns and to fulfil other tax obligations without losing sight of the legally permissible scope.

For companies, a Tax CMS is an essential instrument for managing tax risks. However, a tax compliance management project should not only be seen from the perspective of the tax authorities. It should, ultimately, also bring added value to the company.

A major driver for a functioning Tax CMS is therefore also tax optimisation from the company’s perspective and the achievement of this goal through a high degree of standardisation and automation.

  • We can support you and your company in implementing a functioning tax compliance management system.
  • To offer you our services in the best and most effective quality, we work hand in hand with our experts in IT Audit.
  • If you already have a tax compliance management system in place, we will support you with an audit. This gives you the assurance that the processes put in place are appropriate and effective and that you can continue to have confidence in them.

Functioning IT is essential for your company. You cannot afford to have any failures or errors in processes. IT does not only have a supporting function! Demanding that “IT simply has to work!” is no longer sufficient. IT is the driving force in the company. Just like in the other departments of your company, it is important to recognise and control risks in this connection.

This usually involves complex issues such as authorisations, data backups or interfaces. The findings from an audit not only help the auditor of the financial statements during his audit, they also serve as a yardstick for your company and show its strengths and weaknesses.

Our IT audit is based on the auditing standard 330 of the IDW (Institute of Public Auditors in Germany – IDW PS 330) and basically covers the following areas:

  • IT strategy and IT organisation
  • IT environment
  • IT infrastructure with the subareas of “Physical protection”, “Logical access controls”, “Data backups” and “Emergency concept”
  • IT applications
  • IT-supported business processes
  • IT monitoring and
  • IT outsourcing

We attach great importance to communicating our results in a way that is appropriate for the target group. In doing so, we not only point out weak points, but also give recommendations for action for rapid implementation and improvement.

Software certifications target software manufacturers who would like to have the functionality of their software certified by an independent body so that they can present themselves as competent partners on the market. Naturally, the focus in this context is first and foremost on financial accounting systems that are subject to stringent legal requirements.

Software audits are also interesting for other systems, such as document management or archiving systems tasked with the storage of documents relevant for accounting. In this case, it is not only important to store the documents unchanged, but also to guarantee this state for a long time.

Cash register systems are another current example of software audits. For proper use, these must have effective technical protection against manipulation. The new blockchain technology is used for such purposes, which makes the individual cash register transactions verifiably unalterable.

Software audits are not tied to any particular sector. Therefore, apps that place special emphasis on reliability or confidentiality, such as for messaging or FinTech transactions, are also eligible. Start-ups in particular can benefit from this.

Let’s jointly consider whether it makes sense to have a software audit for your product.

Cyber security requires a whole-system approach within the company. Threats have long since ceased to arise only at a technical level, and they do not only affect the IT department. Cyber security is a global corporate risk that is present in all areas of the company, in all departments and at all times. It is the task of corporate management to set the tone.

Each IT system must be individually assessed and protected. In a cyber security assessment, we analyse the current IT situation in your company and identify process-related weak points in a total of 13 domains. In doing so, we proceed with the utmost sensitivity and professionalism. We compare the level of maturity identified with our target concept and on this basis provide recommendations for action for you. With our assessment, decision-makers can better align IT security management with business objectives. Overall, IT security becomes more flexible, scalable and efficient. Threats are averted before anything happens.

The term “due diligence” is usually used in connection with company acquisitions when the legal situation and financial circumstances of a company are subjected to a risk analysis with “due diligence”. The classic components of a due diligence are finances, legal matters and tax. But this alone would not yet include everything: With an “IT due diligence”, the opportunities and risks within a company’s IT can be examined. Essential components of this are as follows:

  • Future sustainability of the existing IT infrastructure and organisation
  • Complexity of IT processes
  • Application development (Software Development Life Cycle, SDLC)
  • Process security within IT applications
  • Security within IT systems
  • Data protection compliance of IT systems
  • Change management
  • Licence management
  • Open source management: Especially when internally developed software is a major factor in the acquisition of a company, the handling of open source software, the use of which is often free of charge but not free of certain obligations, plays a key role in the context of IT due diligence.

Within the framework of IT due diligence, the experts at Crowe Kleeberg IT Audit use a standardised and tried-and-tested list of questions that can be used to quickly identify red flags.

We analyse your existing IT business processes and identify inefficiencies and weaknesses. With a view to advancing digitalisation in your company, we show you how hidden potentials can be leveraged and processes improved.

We naturally also keep an eye out for legal aspects. During our audits, we measure your processes against applicable accounting regulations and tax requirements. The fulfilment of the requirements of the IT Security Act or the EU General Data Protection Regulation is also analysed during our audit. Due to the increase in sector-specific requirements, the conformity of your processes or IT systems with industry standards, ISO standards or generally recognised frameworks such as COSO or COBIT is also becoming increasingly important.

What would digitisation be without data? Data is the gold of our time. It’s no longer just search engines that glimpse into the future with their stock of big data. Even company ERP systems no longer handle the processes today without producing vast amounts of data for every procedure, every process step. This data documents what has happened and thus allows extensive analyses to be carried out in order to identify weaknesses in the internal control system, faulty procedures in the process/at interfaces, fraudulent actions in the company and future developments (predictive analysis).

With our data analysis and process mining tools, we support companies in evaluating and optimising their core processes such as purchasing or sales or their authorisation concepts. We also support our professional peers with data analyses during an annual audit of financial statements or an internal audit and evaluate process flows, critical authorisations or conflicts involving the segregation of functions.

Data analysis is suitable for detecting and tracing fraudulent actions in the company. Weaknesses in the internal control system, ingrained workflows and a long-standing position of trust often open up an opportunity that, coupled with a motive and personal reasons, causes financial damage to the company or destroys its reputation. But in the vast majority of cases, such events leave digital traces in the systems, which we examine for anomalies with the aid of data analyses.

Well-functioning user management is the cornerstone for access to an IT system. A standardised process for creating and deleting users should therefore be set up in the company involving the HR department. Logging on to the system should meet stringent security requirements, such as a strong password or two-factor authentication.

Authorisations control access to the data in a system. Protecting this data is of key importance. Therefore, a regulated process for the definition of roles and rights as well as a documented authorisation concept are beneficial (access management).

The experts at Crowe Kleeberg IT Audit examine the user management and access management in your company. We identify weaknesses in processes and examine individual rights with the aid of data analysis. At the same time, we also check compliance with the segregation of functions and thus the compatibility between functions in the company. In particular, we ensure that operational functions are not combined with controlling functions. For example, an order (operational task) and the corresponding receipt of goods (controlling task) should not be recorded by one and the same person.

The provisions of the EU General Data Protection Regulation (EU GDPR) and the new German Federal Data Protection Act (BDSG-neu) have been in force since 25 May 2018. Although the regulations are basically nothing new, the much stricter penalties for non-compliance in particular are prompting companies to bring their data protection up to date.

When it comes to the sensitive issue of data protection, you want to do everything right. Kleeberg is your competent partner for achieving this. Together with our IT and legal experts, we are an unbeatable team that can understand and correctly assess the (IT) processes in your company.
