Testing and certification of outsourced services

At present, practically all types of IT services can be outsourced to service providers. Advancing technological developments, especially the possibilities for virtualizing server systems, are a major driver for companies to increasingly outsource IT services. Frequently, nested outsourcing structures can also be found in which service companies outsource certain IT services to subcontractors.

In testing, a distinction must be made between Type I and Type II. Type I comprises the testing of the service-related internal control system as well as the examination of the established controls. Type II consists of the same content as Type I and additionally includes the testing of the established controls for their effectiveness for a defined period of time.

The control objectives and internal controls are defined on the basis of a risk-based approach, following leading standards and frameworks such as COBIT, ITIL, ISO/IEC 20000-1, ISO/IEC 27001, etc. Methodologically, we follow in particular the standards IWP/PE-14, ISAE 3402, SSAE 16/SSAE 18, KFS/PG 13 and ISAE 3000.

Testing of software according to IDW PS 880

With the increasing spread of IT systems based on "learning algorithms", the aspect of traceability of data processing is becoming more and more important. For IT applications in accounting, the traceability of the data processing logic is one of the criteria for compliance. This includes classic "financial accounting systems" as well as integrated ERP systems and so-called "upstream systems" such as in the areas of merchandise management and invoicing, from which transaction data is often automatically transferred to financial accounting.

Both for a company that develops such "accounting-relevant" software for its own use and for software development companies, software testing according to IDW PS 880 can provide added value and benefits.

For a company, testing according to ISAE and other recognized standards can represent a competitive advantage. Such testing is often a prerequisite, particularly for participation in larger tenders.

The subjects of such a certification are essentially software products, independent of their implementation in a specific company. The following areas in particular are covered by the audit:

  • Assessment of the software development process
  • Examination of the appropriateness and functionality of the program functions
  • Assessment of the correctness and security of the program functions (completeness, correctness, timeliness, traceability, unchangeability, access protection)

The result of the testing is a test report on the defined version of the software as well as a software certificate with the audit opinion.