Modern accounting processes are inconceivable without the use of IT systems, especially considering that nowadays accounting is much more than merely keeping books and recording inventories; it has become a management and monitoring instrument for companies. Complex and integrated IT systems support not only accounting processes, but also many processes for generating key decision-making information. For that reason, information must reach its addressees in a timely, reliable and meaningful form so that they can take decisions and manage companies. This means that accounting and IT systems are a foundation for the management and monitoring of a company and thus a critical factor in giving a company a successful competitive edge.
Bookkeeping as a means of recording a company’s commercial transactions is frequently managed through the use of IT systems, which in turn are closely and directly linked to the company’s operative systems. In many cases ERP systems such as SAP, Microsoft Dynamics NAV/AX (formerly Navision/Axapta), Diamant, Sage KHK etc. are used, and their technical integration means that they access a common data set. The data managed in these systems is condensed to produce the balance sheet or profit and loss statement (P&L) and forms the basis for the annual financial statements. These in turn are the focal point for a range of different interest groups who have one common requirement: billing and the annual financial statements must be reliable and correct.
IT AUDIT reviews the fitness for purpose (and security) of such systems in accordance with the provisions of commercial and tax law (sections 238 et seq. and 257 German Commercial Code (HGB) and sections 145 to 147 German Tax Code (AO)) as well as the supplementary statements issued in that respect, including IDW PS 330 in conjunction with IDW RS FAIT 1, FAIT 2, FAIT 3, GoBS, GDPdU and, where relevant, section 25a German Banking Act (KWG) and also MaRisk. Additionally, other national requirements such as the Swiss auditing standards or the Austrian professional guidelines must be used as a basis or supplement.
The following areas are the focus of an IT system audit:
Once such an audit has been initiated, a distinction can be drawn between audits that are subsequent to the implementation of an IT system (ex post) and project-supporting audits performed in parallel to the development/implementation (pursuant to IDW PS 850).
At the same time IT AUDIT audits the adequacy and functionality of internal control systems (ICS) pursuant to IDW PS 261 or IDW PS 951/SAS 70/ISAE 3402 (for service companies).
Possible topics of such IT system audits are (project excerpt) the appraisal/certification of