
Outsourcing controlling: introduction of the new ISA standard 402

With the ISA [DE], the IDW has translated the International Standards on Auditing (ISA) into German and added the national peculiarities to be observed. In principle, the ISA [DE] apply uniformly for the first time for the audit of financial statements for periods beginning on or after December 15, 2021. According to Section 317 (5) HGB, the international auditing standards adopted by the European Commission must be applied when carrying out a commercial audit. The International Standards on Auditing (ISA) are internationally recognized auditing standards.

With the introduction of the ISA standard ISA [DE] 402, a new standard applies to outsourcing controlling and the auditing of service companies. The aim of the ISA standard ISA [DE] 402 is to gain an understanding of the outsourcing unit, including the internal controls relevant to the audit, that is sufficient to identify and assess the risks of material misstatements and to plan and carry out further audit procedures to counter these risks.

 

What are the advantages of introducing the ISA [DE] for outsourcing controlling?

The following compilation deals with frequently asked questions associated with the introduction and application of the ISA [DE] within the framework of the new principles of proper auditing (GoA). With the ISA [DE], uniform and clearly structured principles of proper auditing (GoA) are made available, which consist of standards with requirements formulated as briefly as possible and extensive application instructions as well as clearly recognizable national peculiarities.

There are the following four groups of standards, which together form the German Principles of Proper Auditing (GoA) established by the IDW:

  1. ISA [DE]
  2. IDW audit standards relevant for the audit of the financial statements
  3. IDW audit standard relevant for the audit of the management report
  4. Requirements for the practice of auditors (IDW QS)

 

From the point of view of the IDW, the following advantages result from the introduction of the ISA [DE]:

  • Elimination of the coexistence of national and international standards through the direct use of globally recognized standards,
  • Increasing the uniformity of audits,
  • Increasing confidence in the auditing standards through a larger (worldwide) public involved in the ISA Due Process,
  • Easier proof for international clients (especially German subsidiaries of international groups) that the audit is based on international standards,
  • Use of uniform audit manuals and quality assurance procedures in the international network,
  • Elimination of double work through parallel application of ISA and IDW audit standards.

 

The ISA are structured according to a uniform format that adheres to the following structure of the standards:

  • Introduction, including scope and date of first application,
  • Objective of the auditor (Objective),
  • Definitions,
  • Requirements,
  • Application notes (Application Material).

 

Outsourcing controlling: introduction of the new ISA standard ISA [DE] 402

ISA [DE] 402 applies for the first time to the audit of financial statements for periods beginning on or after December 15, 2021. This International Standard on Auditing (ISA [DE]) addresses the responsibility of the outsourcer’s auditor to obtain sufficient appropriate audit evidence in cases where an outsourcer uses the services of one or more service providers.

The aim is to obtain an understanding of the outsourcing entity, including the internal controls relevant to the audit, that is sufficient to identify and assess the risks of material misstatement and to plan and perform further audit procedures to counter these risks.

The services of a service provider are part of the accounting-related information system of an outsourcing entity, including the related business processes if they affect one of the following areas:

  1. the types of business transactions in the outsourcing entity’s operations that are significant to the outsourcing entity’s financial statements;
  2. the procedures, in the form of IT-supported and manual systems, by which the business transactions of the outsourcing unit are triggered, recorded, processed, corrected if necessary, transferred to the general ledger and reflected in the financial statements;
  3. the related accounting records in electronic or manual form, supporting information and certain accounts in the outsourcing entity’s financial statements used to initiate, record, process and reflect the outsourcing entity’s transactions; this includes the correction of incorrect information and the manner in which the information is transferred to the ledger;
  4. the manner in which the outsourcing entity’s information system captures significant events and circumstances that are not transactions;
  5. the accounting process used to prepare the outsourcing entity's financial statements, including significant accounting estimates and financial statement disclosures;
  6. controls related to journal entries, including non-standard journal entries to record non-recurring, unusual business transactions or adjustments.

 

Do you know your duties as an outsourcing officer?

In the seminar "Expertise for outsourcing officers: outsourcing management 2.0" you will learn the following technical skills:

  • Solid governance regulations as a basis for outsourcing management
  • Interface between outsourcing officer and information security officer
  • Pre-outsourcing analysis according to MaRisk AT 9 and EBA guidelines

Book the seminar on expertise for outsourcing officers online. Convenient and easy with the online seminar form and product no. A21.

 


 

Target group for the outsourcing controlling seminar

Your benefit:

  • Solid governance regulations as the basis for outsourcing controlling
  • Interface between outsourcing officer and information security officer
  • Pre-outsourcing analysis according to MaRisk AT 9 and EBA guidelines

Your S+P Tool Box:

Each participant receives the following S+P products with the seminar Expertise for outsourcing officers:

  • Guidelines for central outsourcing management (approx. 30 pages)
  • Sample reporting for outsourcing officers
  • S+P Check: Requirements for KPIs and service level agreements

 

Your program:

Solid governance regulations as the basis for outsourcing controlling

  • Stricter requirements for the risk assessment of outsourcing agreements:
    • Which outsourcing must be classified as critical/essential?
    • Operational risks and reputational risks
    • Step-in risk assessment
    • Company and sector specific concentration risks
    • Control and/or Conflict of Interest
  • Evaluation of contract design, performance controls and organizational requirements:
    • MaRisk Protocol 03/2018: New specification of reservations of consent and far-reaching information rights
    • New requirements for control and reporting obligations for service providers and outsourcing officers
    • Optimization of key figures for risk and performance measurement (KPIs)
  • New FISG specifications for outsourcing controlling

 

Interface between outsourcing officer and information security officer

  • FISG + EBA guidelines for outsourcing: Extended requirements for outsourcing controlling
    • What are other institute-typical services?
    • BAIT requirements for individual data processing
    • Stricter requirements for outsourcing to third countries
  • Risk assessment for external IT procurement:
    • Determination of the IT protection requirements and determination of a catalog of target measures
    • EBA ICT guideline: 5 categories for serious ICT risks

 

Pre-outsourcing analysis according to MaRisk AT 9 and EBA guidelines

  • Minimum requirements for the due diligence check of a future service provider:
    • Implementation of the qualitatively tightened risk analysis based on uniform scoring criteria
    • When is a classification as critical/essential outsourcing mandatory?
    • Assessment of risk content and risk concentration when outsourcing several activities to a service provider
  • ICS controlling with ISB, data protection, BCM and emergency plan:
    • Standards for management and control activities and their implementation
    • Audit-proof assessment of exit strategies and contingency plans
    • Definition of a maximum poor performance of an external service provider
    • Monitoring of service delivery
  • Outsourcing controlling: introduction of the new ISA standard 402
