The German Commercial Code (HGB) and Tax Code (AO) place stringent requirements on commercial software applications in order to guarantee the fitness for purpose of bookkeeping and thus compliance with the Generally Accepted Accounting Principles (GoB). Developments in information processing over recent years have resulted in a change to the way that IT-based bookkeeping systems are managed. The ever-greater integration of software packages with automatic interfaces to upstream financial accounting software systems means that the function of “bookkeeping” can no longer be clearly demarcated on a technical level. This means that the fitness for purpose and security of the individual (integrated) software modules are increasingly important. Additionally, for instance (digital) archiving systems that are subject to requirements under commercial and tax law may be used to satisfy statutory retention periods. These include in particular ensuring that the archived data cannot be tampered with and also complying with the requirements arising from the amendment of the German Tax Code (“GoBD”).
Many renowned manufacturers of standard software have had the fitness for purpose and security of the accounting-related modules of their software products inspected by an auditor and confirmed in the form of a software certification ("software attestation" or "software certificate") in accordance with the IDW auditing standard “Auditing Software Products (IDW PS 880)”. Such external audits are not only important for the software manufacturer in order to strengthen its market position, but are also regarded a key component of an external quality assurance process. Potential users thus regard these audits as a key quality feature or decision-making criterion when selecting accounting-related software, and they are actively requested by software manufacturers. In Germany, software certificates are a recognized instrument that is expected by the market to give the potential user the certainty that the relevant requirements regarding fitness for purpose are satisfied. The general requirements regarding fitness for purpose are codified in sections 238, 239 and 257 HGB and identically in sections 145 and 146 AO. Accordingly, any IT process used in accounting must comply with the GoB.
Additional specified and relevant requirements include
Under IDW PS 880 the audit of the fitness for purpose of software products is geared toward the necessary processing functions (voucher, journal and account function), the programmed processing rules, software security, and documentation.
Our approach is tailored to the SMB sector but can be applied to projects of any size. In an initial step an appraisal of the audit object and an inspection of the principles of the fundamental formal fitness-for-purpose requirements are performed in a preliminary audit. We provide the outcome to you as a written opinion (incl. any recommendations) on the auditability of the application, and this is used to determine the further procedure. The subsequent main audit, which builds on the working outcomes of the preliminary audit, involves a more in-depth investigation of the processing functions and rules for individual functions as well as an examination and assessment of the integration as a whole.
The continuous reporting process enables the partial results and fault classifications established to date to be communicated and any recommendations and (best-practice) notes on the rectification of any defects prior to conclusion of the audit to be supplied. The final report is provided in the form of a detailed audit report as well as the submission of a summarized assessment in the form of the software certificate.
After granting the software certificate it is logical for more significant and/or functional (accounting-relevant) enhancements or fault rectifications of the attested version to be inspected in a follow-up audit that looks at fitness for purpose. This builds on the outcomes of the original certification and only considers the modifications ("Delta audit").
In addition to the general requirements regarding IT-based accounting systems (see above), sector-specific requirements can be included in the audit under IDW PS 880. For instance, these may include the German Municipal Code (GO) and the Municipal Budget Ordinance (GemHV) for the federal state North Rhine-Westphalia \[in accordance with the checklist of the association of heads of auditing offices in districts and autonomous municipalities of North Rhine-Westphalia (VERPA)].
At the same time an audit performed in accordance with IDW PS 880 with a corresponding grant of a software certification may also form the starting point for the implementation of further country-specific requirements (e.g. Austria, Switzerland) if the software is also intended to be marketed internationally. Here, too, the focus is exclusively on the varying, country-specific requirements.