What you'll learn
- You'll understand how IDW PS 951 relates to ISAE 3402 and where the German standard adds requirements beyond the international framework
- You'll know the WPK registration and quality assurance obligations for a Wirtschaftsprüfer performing these engagements
- You'll be able to identify BaFin expectations for regulated entities that rely on service organisation reports in Germany
- You'll understand the practical implications of language requirements for dual-language (German and English) reports
A German Wirtschaftsprüfer (WP) receives an engagement to report on a service organisation's controls. The client expects an ISAE 3402 report. The WP opens the engagement acceptance checklist and finds two standards on the desk: the international ISAE 3402 issued by the IAASB, and IDW PS 951 issued by the Institut der Wirtschaftsprüfer. They are not identical. Knowing where they overlap, where they differ, and what the WPK and BaFin expect is the difference between a report that serves its purpose and one that generates questions from every user auditor who reads it.
An ISAE 3402 engagement performed in Germany follows IDW PS 951 (Prüfung des internen Kontrollsystems beim Dienstleistungsunternehmen), the German equivalent standard issued by the IDW, which aligns with ISAE 3402 while incorporating additional German professional requirements from the WPK and the Berufssatzung (professional statutes).
IDW PS 951 and its relationship to ISAE 3402
IDW PS 951 was developed to provide a German-language standard that corresponds to ISAE 3402. The structure mirrors the international standard: Type 1 reports (description and design of controls at a point in time) and Type 2 reports (description, design, and operating effectiveness of controls throughout a period). The scope and fundamental reporting requirements align.
Where IDW PS 951 adds to ISAE 3402, the additions reflect German professional practice rather than substantive disagreement with the international standard. IDW PS 951 references the WPO (Wirtschaftsprüferordnung, the statute governing the profession) and the Berufssatzung (the professional charter issued by the WPK), requiring the practitioner to comply with German independence, quality management, and ethical requirements in addition to the IESBA Code that ISAE 3402 references. For a German WP, this dual layer is automatic. For a non-German practitioner engaged to report on a German service organisation, it creates additional obligations.
IDW PS 951 also addresses the specific German professional environment regarding engagement acceptance. The WP must assess whether the engagement can be performed in compliance with both international standards and German professional law. Where a conflict exists (rare but possible in cross-border group scenarios), the IDW standard takes the position that German law prevails for the German WP.
The report format under IDW PS 951 follows the ISAE 3402 structure but uses German-language headings and terminology when the report is issued in German. The substance is the same: management's description of the system, the service auditor's opinion on the description and controls, and (for Type 2) the tests of operating effectiveness and results.
WPK requirements for practitioners
The Wirtschaftsprüferkammer (WPK) is the professional body for German Wirtschaftsprüfer and vereidigte Buchprüfer. Every WP performing an ISAE 3402/IDW PS 951 engagement must be registered with the WPK and comply with its ongoing obligations.
Registration is not specific to ISAE 3402 engagements. Any WP registered with the WPK is authorised to perform assurance engagements, including service organisation reports. There is no separate ISAE 3402 licence or accreditation. The WPK's quality assurance system (Qualitätskontrolle) applies to all assurance work performed by the WP or the WP's firm, and ISAE 3402 engagements fall within this scope.
The Qualitätskontrolle is a peer review system. WPK-registered firms undergo periodic quality inspections conducted by a Prüfer für Qualitätskontrolle (quality control reviewer). These inspections cover engagement selection, methodology, documentation, and compliance with professional standards. An ISAE 3402 engagement can be selected for review. If the firm performs a significant volume of service organisation reports, the probability of selection increases.
Continuing professional development (CPD) requirements apply. The WPK mandates ongoing education for all registered WPs. While there is no ISAE 3402-specific CPD module, the WP must maintain competence in the area of practice. A firm that has not performed an ISAE 3402 engagement before should consider whether its team has the requisite skills and knowledge: firm-level competence and resourcing requirements come from IDW QS 1 (the IDW's adoption of ISQM 1), and engagement-level requirements from the IDW's adoption of ISA 220 (Revised) as ISA [DE] 220.
For cross-border engagements, the WPK recognises reports issued under ISAE 3402 by non-German practitioners. A German user auditor relying on a report issued by (for example) a Dutch registeraccountant (RA) under ISAE 3402 does not need the report to have been issued under IDW PS 951. The international standard is accepted. The reverse is also true: an IDW PS 951 report issued by a German WP is accepted internationally as equivalent to an ISAE 3402 report, because IDW PS 951 conforms to the international standard.
IDW PS 860 and IT-specific considerations
Many ISAE 3402 engagements in Germany involve IT service organisations: data centres, payroll processors, ERP hosting providers, financial technology platforms. IDW PS 860 (IT-Prüfung außerhalb der Abschlussprüfung) provides the German framework for IT auditing outside of financial statement audits.
IDW PS 860 does not replace ISAE 3402 or IDW PS 951 for service organisation reports. It supplements them. Where the service organisation's controls are predominantly IT controls (logical access, change management, data backup, incident response), IDW PS 860 provides additional guidance on testing methodology, IT-specific risk assessment, and the evaluation of IT general controls (ITGCs) that IDW PS 951 addresses at a higher level.
In practice, a German WP performing an ISAE 3402 Type 2 engagement for a data centre will apply IDW PS 951 as the primary standard and draw on IDW PS 860 for the testing approach to IT controls. The report is issued under IDW PS 951 (or ISAE 3402). IDW PS 860 is not separately referenced in the report opinion, but its methodology informs the work.
The interaction matters most for sampling and testing frequency. IDW PS 860 provides guidance on testing automated controls (which may require only a single test if the ITGC environment is effective) versus manual IT controls (which require sample-based testing similar to any other manual control). This distinction aligns with ISAE 3402's general principles but is articulated more precisely in the German IT standard.
BaFin expectations for regulated entities
The Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) supervises banks, insurance companies, and other regulated financial institutions in Germany. Many of these entities outsource critical functions to service organisations: payment processing, securities settlement, loan administration, cloud infrastructure.
BaFin's outsourcing requirements are set out in MaRisk (Mindestanforderungen an das Risikomanagement) for banks and MaGo (Mindestanforderungen an die Geschäftsorganisation von Versicherungsunternehmen) for insurers. Both frameworks require regulated entities to monitor and control outsourced activities. An ISAE 3402 or IDW PS 951 report is one mechanism for satisfying this monitoring obligation, but BaFin does not accept it as the sole mechanism.
BaFin expects regulated entities to perform their own risk assessment of the outsourced activity, maintain contractual audit rights, and conduct their own monitoring activities. An ISAE 3402 Type 2 report supplements this work. It does not replace the entity's own due diligence.
For the service auditor, BaFin's expectations create an indirect requirement. Regulated entity clients will demand that the ISAE 3402 report covers specific control objectives aligned with MaRisk or MaGo requirements. If the report's control objectives do not address the areas the regulated entity needs covered (for instance, if the report covers application controls but not logical access controls that MaRisk requires), the report may be insufficient for the regulated entity's purposes despite being technically compliant with ISAE 3402.
The ISAE 3402 template pack includes control objective structures that account for common regulatory expectations, including those arising from BaFin-supervised entities.
Language requirements: German vs English reports
German law does not mandate that an IDW PS 951 report be issued in German. The language of the report is a matter of agreement between the service organisation, the service auditor, and the intended user auditors.
In practice, three patterns exist. A German-language report for domestic use (the service organisation and all user entities are German). An English-language report for international use (user entities span multiple countries). A dual-language report where both a German and an English version are issued.
Dual-language reports require care. The service auditor must ensure both versions say the same thing. Differences in translation can create inconsistencies that user auditors notice. The German legal terminology (Wirtschaftsprüfer, Bestätigungsvermerk, Berufssatzung) does not always have a direct English equivalent. The standard approach is to include the German term in parentheses after the English equivalent on first use, then use the English term throughout.
If the report will be used by a BaFin-supervised entity, BaFin's documentation requirements may favour a German-language version (or a dual-language report with a German original). BaFin examiners conducting inspections at regulated entities will review documentation in German. An English-only ISAE 3402 report in the outsourcing file of a German bank may prompt the examiner to request a translation.
For the service auditor issuing a dual-language report, the engagement letter should specify which language version is the original and which is a translation. This avoids disputes if the two versions diverge on a point of substance.
Engagement acceptance: what a German WP checks before signing the letter
Engagement acceptance for an ISAE 3402 engagement in Germany involves checks that go beyond the international standard's requirements. The WP must confirm compliance with the independence provisions of the WPO and the Berufssatzung, which include financial interest restrictions, fee dependency thresholds, and prohibitions on certain non-assurance services to the service organisation.
The 30% fee dependency threshold that German practice applies originates in §319(3) no. 5 HGB (the Handelsgesetzbuch provision on auditor independence), not in the WPO itself: if the fees from a single client (or its affiliated entities) exceeded 30% of the firm's total professional fee income in each of the past five financial years, the WP is not independent. The test is five consecutive years, not a five-year average; a single year below 30% resets it. For smaller WP firms that specialise in ISAE 3402 work, this threshold can become a constraint when one or two service organisation clients generate the majority of the firm's revenue. The check must be documented at engagement acceptance and monitored annually.
The engagement letter under IDW PS 951 must specify the applicable standard (IDW PS 951, with reference to ISAE 3402), the type of report (Type 1 or Type 2), the reporting period, the control objectives in scope, the responsibilities of management, and the intended users. German practice also requires the engagement letter to reference the Allgemeine Auftragsbedingungen (AAB, general terms of engagement) published by the IDW, which set out liability limitations and other contractual terms standard in German audit practice.
Management's written assertion (the Vollständigkeitserklärung, or completeness declaration) takes a specific form under German practice. It must confirm the accuracy of the system description, the design of controls, and (for Type 2 reports) the operating effectiveness of controls throughout the period. The declaration is signed by the service organisation's management board, not by a department head or IT manager.
What differs from the international baseline
The differences between IDW PS 951 and ISAE 3402 are narrow but real.
IDW PS 951 requires compliance with German professional law (WPO, Berufssatzung) in addition to the IESBA Code. For a German WP, this adds independence rules that may be stricter than the IESBA requirements in specific circumstances (partner rotation timelines, prohibited non-assurance services to assurance clients).
IDW PS 951 incorporates the German quality management framework. Since the IDW adopted equivalents of ISQM 1 and ISQM 2 (as IDW QS 1 and IDW QS 2), the firm-level quality management obligations apply to ISAE 3402 engagements. The international standard assumes compliance with ISQM 1, but the German implementation may include additional WPK-specific requirements around documentation and monitoring.
IDW PS 860 provides a testing methodology for IT controls that is more prescriptive than the general guidance in ISAE 3402. Firms applying both standards may find their IT control testing approach is more structured than firms working solely from ISAE 3402.
BaFin expectations create an indirect difference for service organisations serving regulated entities. The control objectives and coverage of the report may need to be broader in a German engagement than what ISAE 3402 minimally requires, because the regulated entity user needs the report to satisfy MaRisk or MaGo monitoring obligations.
Report language conventions differ. IDW PS 951 reports issued in German use German professional terminology, opinion wording, and legal references that do not appear in an ISAE 3402 report issued in English.
None of these differences make IDW PS 951 incompatible with ISAE 3402. An IDW PS 951 report meets and (in some respects) exceeds the international standard. A user auditor receiving an IDW PS 951 report can rely on it to the same extent as an ISAE 3402 report.
Worked example: Hoffmann Rechenzentrum GmbH
Scenario: Hoffmann Rechenzentrum GmbH is a German data centre and managed hosting provider based in Frankfurt, with €19 million revenue and 120 employees. The company provides IT infrastructure services to 35 clients, including four BaFin-supervised banks. The company's management requests an ISAE 3402 Type 2 report covering logical access controls, change management, backup and recovery, physical security, and incident management. The engagement is performed by a WPK-registered Wirtschaftsprüfungspraxis.
Engagement acceptance and standard selection. The WP accepts the engagement under IDW PS 951, which conforms to ISAE 3402. Because four clients are BaFin-supervised, the WP reviews MaRisk AT 9 (outsourcing requirements) to confirm the control objectives cover areas the banks need reported on. The scope is expanded to include a sixth control objective, data protection and access logging, because the banks' outsourcing risk analyses under MaRisk AT 9 identify these as areas they must monitor for outsourced IT services.
Documentation note: Record the engagement acceptance assessment, including the confirmation that the firm's independence requirements (WPO and Berufssatzung) are met, and the rationale for adding the sixth control objective based on MaRisk AT 9 requirements of the regulated entity clients.
Determine reporting language. The client requests a dual-language report (German original, English translation) because 12 of its 35 clients are outside Germany. The engagement letter specifies that the German version is the authoritative version and the English version is a translation.
Documentation note: Record the language agreement in the engagement letter. Note that the German version will use IDW PS 951 terminology and opinion wording, while the English version will reference ISAE 3402 equivalents.
Apply IDW PS 860 for IT control testing. For the five automated controls in scope (automated access provisioning, automated backup scheduling, automated change deployment checks, automated log aggregation, automated alert escalation), the WP tests each control once and confirms the ITGC environment supports reliance on a single test. For the nine manual controls (among them quarterly access reviews, monthly backup integrity checks, weekly change advisory board meetings, and ad hoc incident response procedures), the WP applies sample-based testing, with sample sizes scaled to each control's frequency and population over the period under the firm's sampling methodology (which draws on the principles of ISA 530).
Documentation note: Document the distinction between automated and manual controls, the basis for single-test reliance on automated controls (ITGC effectiveness confirmed), and the sample size calculation for each manual control frequency.
Issue the report. The Type 2 report covers the twelve-month period ending 31 December 2025. The opinion is unmodified. The report includes management's description of the system, the WP's opinion under IDW PS 951, the test procedures performed and results, and the complementary user entity controls (CUECs). The German version references the Wirtschaftsprüferkammer, the Berufssatzung, and IDW PS 951. The English version references ISAE 3402 and notes the engagement was performed in accordance with both standards.
Documentation note: File both language versions. Retain evidence of the translation review. Include the reconciliation confirming both versions convey the same opinion, test results, and exceptions.
A user auditor at one of the four banks receives the report and can confirm: the engagement complied with ISAE 3402 (through IDW PS 951), the control objectives address MaRisk-relevant areas, and the testing covered the full twelve-month period.
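The testing step above (and the automated-versus-manual distinction described under IDW PS 860 earlier in this page) is the part of the engagement that a practitioner usually turns into a test-planning matrix before fieldwork starts. The following is an added example, not code from the page, from the IDW, or from any firm's methodology: it classifies a constructed subset of the Hoffmann Rechenzentrum controls, gives automated controls a single test only when ITGC reliance is confirmed, scales manual controls to their frequency and population, and falls back to period-wide testing of automated controls when the ITGC conclusion is negative. The sample-size bands (`BANDS`) are an assumed, hypothetical methodology and must be replaced by the firm's own.

```python
"""Test-planning matrix for an IDW PS 951 / ISAE 3402 Type 2 engagement.

Added example. Controls are constructed from the Hoffmann Rechenzentrum
scenario; the sample-size table is an ASSUMED firm methodology, not a rule
taken from IDW PS 951, IDW PS 860 or ISA 530.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ASSUMPTION (hypothetical firm methodology): nominal occurrences in a
# 12-month period and the minimum sample per frequency band.
BANDS = [  # (band, occurrences per year, minimum sample)
    ("annual", 1, 1),
    ("quarterly", 4, 2),
    ("monthly", 12, 3),
    ("weekly", 52, 5),
    ("daily", 250, 25),
]
BAND_BY_NAME = {name: (occ, sample) for name, occ, sample in BANDS}


@dataclass(frozen=True)
class Control:
    ref: str
    description: str
    automated: bool = False
    frequency: str = "continuous"      # band name, "ad hoc", or "continuous" (automated)
    population: Optional[int] = None   # actual occurrence count; required for ad hoc controls


def sample_for_population(n: int) -> int:
    """Map an ad hoc control's population onto the smallest band covering it,
    never sampling more items than exist in the period."""
    for _, occurrences, sample in BANDS:
        if n <= occurrences:
            return min(n, sample)
    return min(n, BANDS[-1][2])


def plan_control(control: Control, itgc_effective: bool) -> Tuple[int, str]:
    """Return (sample size, basis to record in the working papers) for one control."""
    if control.automated:
        if itgc_effective:
            return 1, "automated control: single test, ITGC reliance confirmed"
        # Edge case: without effective ITGCs the control cannot be assumed to
        # operate consistently, so it is tested across the period like a daily manual control.
        return BAND_BY_NAME["daily"][1], "automated control: no ITGC reliance, tested across period"
    if control.frequency == "ad hoc":
        if control.population is None:
            raise ValueError(f"{control.ref}: ad hoc control requires a population count")
        return sample_for_population(control.population), f"manual ad hoc control: population {control.population}"
    occurrences, sample = BAND_BY_NAME[control.frequency]
    return min(occurrences, sample), f"manual {control.frequency} control: {occurrences} occurrences in period"


def build_plan(controls: List[Control], itgc_effective: bool) -> Dict[str, Tuple[int, str]]:
    return {c.ref: plan_control(c, itgc_effective) for c in controls}


def total_tests(plan: Dict[str, Tuple[int, str]]) -> int:
    return sum(size for size, _ in plan.values())


# Constructed subset of the scenario's controls (five automated, four of the nine manual).
CONTROLS = [
    Control("A1", "automated access provisioning", automated=True),
    Control("A2", "automated backup scheduling", automated=True),
    Control("A3", "automated change deployment checks", automated=True),
    Control("A4", "automated log aggregation", automated=True),
    Control("A5", "automated alert escalation", automated=True),
    Control("M1", "quarterly access review", frequency="quarterly"),
    Control("M2", "monthly backup integrity check", frequency="monthly"),
    Control("M3", "weekly change advisory board meeting", frequency="weekly"),
    Control("M4", "incident response procedure", frequency="ad hoc", population=7),
]

if __name__ == "__main__":
    plan = build_plan(CONTROLS, itgc_effective=True)
    for ref, (size, basis) in plan.items():
        print(f"{ref}: {size:>2} item(s)  {basis}")
    print("total test items:", total_tests(plan))
```

Running the block with `itgc_effective=True` yields 18 test items for the nine listed controls; flipping the ITGC conclusion to `False` raises it to 138, which is the cost of losing single-test reliance and is the figure worth showing a client who asks why the ITGC walkthrough comes first.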
Practical checklist
Confirm the engagement is accepted under IDW PS 951 (not solely ISAE 3402) when the service auditor is a WPK-registered Wirtschaftsprüfer. IDW PS 951 incorporates ISAE 3402 and adds German professional requirements.
For service organisations with BaFin-supervised clients, review MaRisk AT 9 (banks) or MaGo (insurers) to confirm the control objectives cover areas the regulated entities need reported on. Add control objectives if the initial scope is insufficient.
Determine the report language at engagement acceptance. If dual-language, specify in the engagement letter which version is authoritative and plan for a translation review before issuance.
Where the engagement involves predominantly IT controls, apply IDW PS 860 methodology for the testing approach, distinguishing automated controls (single-test reliance with ITGC confirmation) from manual controls (sample-based testing).
Verify the firm's WPK registration and Qualitätskontrolle status is current. An ISAE 3402 engagement selected for peer review will be evaluated against both IDW PS 951 and the firm's quality management system (IDW QS 1).
In the report, reference both IDW PS 951 and ISAE 3402 to ensure international user auditors recognise the report's equivalence to the international standard.
Common mistakes
Firms issue the report referencing only ISAE 3402 without mentioning IDW PS 951, creating confusion for German user auditors and BaFin examiners who expect the German standard reference. The WPK's quality inspection may also flag the omission as a non-compliance with domestic professional standards.
The control objectives do not cover areas that BaFin-supervised user entities need for their MaRisk monitoring obligations. The report is technically compliant with ISAE 3402 but practically insufficient for its primary audience. This results in the banks requesting additional audit procedures or a supplementary report, creating cost and delay for the service organisation.
Dual-language reports are issued without a clear designation of which version is authoritative. When the German and English versions diverge on a point (even a minor translation inconsistency), user auditors from different jurisdictions receive conflicting information.
Related content
- Service organisation. Glossary entry covering the definition under ISAE 3402 and ISA 402, including the distinction between Type 1 and Type 2 reports.
- ISAE 3402 template pack. Includes the control matrix, testing protocol, gap analysis, CUEC register, and bridge letter template for practitioners performing ISAE 3402 engagements.
- ISAE 3402 vs SOC 2: which report does your client need?. Comparison post covering the differences between the European and US service organisation report frameworks.