Information security is becoming increasingly important

Increasing connectivity and digitalisation are bringing about far-reaching changes in the business world. Modern accounting is no longer conceivable without complex IT systems. At the same time, this increases the risks for companies, especially in the handling of data. Confidentiality, integrity and availability of data are the key security requirements, and they must also be met for IT-supported accounting to be considered proper and compliant. Our IT auditors are experts in operational IT: they check the security and reliability of your IT systems and develop targeted measures to counter the risks identified.

An IT system audit examines general IT controls (ITGC – IT General Controls) and covers the following areas:

  • IT organisation, IT environment and IT strategy
  • IT operations
  • Access authorisations
  • Change management (program change, testing and release procedures)

We conduct separate IT audits for areas that require more in-depth and detailed examination. The scope and focus of the audit are agreed with you on an individual basis. This includes, among other things:

  • Auditing governance processes and governance structures
  • Auditing application controls
  • Auditing authorisations in IT systems
  • Auditing data interfaces between IT systems
  • Auditing data migrations during the conversion of ERP systems
  • Auditing IT projects
  • Auditing IT outsourcing

Methodology and reporting

We conduct our IT audits in accordance with nationally and internationally recognised guidelines and standards, such as ISA 315 and ISA 330, the DV1 and DV2 expert opinions of the Expert Committee for Data Processing of the Chamber of Public Accountants, selected guidelines of the IDW and COBIT.

The IT audit report presents the audit areas, audit procedures, assessment and evaluation methods, security criteria and findings in a transparent and comprehensible manner. Based on the findings, a follow-up plan is drawn up in consultation with the client and those responsible for the processes and systems, in which measures to reduce risks are defined and prioritised. The implementation of the agreed measures is then tracked systematically and in a structured manner (‘issue tracking’), so that each finding is either closed with evidence of remediation or carried forward with an owner and a due date.

Your added value

Companies no longer expect auditors merely to provide assurance services, but also to make a meaningful contribution to optimising processes and increasing business success. An IT audit is a useful starting point for this: because IT now pervades almost every business process, auditing the IT systems also yields a good overview of the company's business processes themselves.

Special Attestation

Today, virtually all types of IT services can be outsourced to service providers. Advancing technological developments, in particular the virtualisation of server systems, are a key driver for companies increasingly outsourcing IT services. Chained outsourcing structures are also frequently encountered, in which service providers in turn outsource certain IT services to subcontractors (subservice organisations); the controls at those subcontractors are then either included in the service provider's own attestation or explicitly carved out of it, and the user company must know which of the two applies.

When testing, a distinction must be made between Type I and Type II reports. A Type I report covers the service provider's description of its service-related internal control system and an assessment of whether the controls that have been put in place are suitably designed, as at a specified date. A Type II report covers the same content and additionally tests whether those controls operated effectively over a specified period. A Type I report therefore says nothing about whether a control actually worked throughout the year; a user company that relies on the provider's controls for its own financial reporting normally needs the Type II report.

The control objectives and internal controls are defined on the basis of a risk-based approach, in line with leading standards and frameworks such as COBIT, ITIL, ISO/IEC 20000-1, ISO/IEC 27001, etc. Methodologically, we are guided in particular by the standards IWP/PE-14, ISAE 3402, SSAE 16/SSAE 18, KFS/PG 13 and ISAE 3000. ISAE 3402 (and SSAE 18) apply to controls at a service organisation that are relevant to its customers' financial reporting; ISAE 3000 is the standard for assurance on other subject matter, such as security, availability or data protection controls.

With the increasing prevalence of IT systems based on ‘learning algorithms’, the traceability of data processing is becoming ever more important: a control that cannot be explained cannot be audited. For IT applications used in accounting, the traceability of the data processing logic is a requirement for proper and compliant accounting. This applies both to traditional ‘financial accounting systems’ and integrated ERP systems and to so-called upstream (‘feeder’) systems, such as those used in merchandise management and invoicing, from which transaction data is often transferred automatically to financial accounting.

Software certification in accordance with IDW PS 880 can bring added value both for companies that develop such ‘accounting-relevant’ software for their own use and for software vendors.

For a company, an attestation in accordance with ISAE and other recognised standards can represent a competitive advantage. Such an attestation is frequently a prerequisite for participating in larger tenders.

Software certification examines the software product itself, independently of its deployment and configuration at any particular company. In particular, the following areas are covered:

  • Assessment of the software development process
  • Assessment of the appropriateness and functioning of the program functions
  • Assessment of the correctness and security of the program functions (completeness, accuracy, timeliness, traceability, immutability, access protection)

The result is a test report on the defined version of the software and a software certificate with the test verdict. Because the certificate relates to that specific version and not to any particular installation, a new release or a customer-specific modification is not covered by it, and the user company must still verify its own configuration, customisations and access settings.