Strictly speaking, there is no such thing as a “PS 951 certification.” PS 951 is not a certificate but an auditing standard on which a formal report is based. This report confirms that the outsourced processes of a service organization are controlled in a way that ensures accurate and complete financial reporting. Unlike an ISO 27001 certification, PS 951 is not a credential but an audit report. To produce a PS 951 report, all relevant controls that affect financial reporting must be documented and reviewed. An external auditor evaluates these controls and issues the report. The report specifies whether the controls are appropriately designed and in place (Type I) or, in addition, have been operating effectively over a defined period (Type II). Companies can prepare the required control documentation internally or engage specialized consulting firms to support them. A PS 951 report requires that internal processes and controls are sufficiently formalized and transparent so that they can be examined and confirmed by an auditor.
IT processes and other operational activities are increasingly being outsourced to service providers. When data is handled by external vendors, the demands on information security and oversight of these processes rise significantly. Many organizations focus on their core business and delegate supporting tasks to third parties. Because these dependencies can reduce the level of trust between a company and its service providers, there is a growing need for transparent and effective control measures. This ensures that outsourced processes are managed in a secure and reliable manner. A PS 951 report provides clients with the assurance that appropriate controls are in place and that the service organization meets the required standards for security and risk management.
A PS 951 report is reviewed by an independent auditor and must be prepared in accordance with the applicable auditing standards. Having staff members with auditing experience can make the preparation process significantly easier. In addition, specialized service providers can assist you in compiling the report and guide you through the audit process to ensure that all requirements regarding controls and documentation are fully met.
If certain processes within your company have a significant impact on the service organization’s financial reporting, obtaining a PS 951 report is highly relevant. Organizations that operate under the supervision of regulatory bodies—such as the FSA—must also be able to demonstrate that outsourced processes are effectively monitored. A PS 951 report provides this assurance by confirming that internal controls are properly implemented and operating effectively.
PS 951 is the German auditing standard for assessing outsourced processes. In both national and international tenders, a PS 951 report is often required when outsourcing, as it provides evidence that key control requirements are being met. Beyond that, implementing the standard helps companies streamline and formalize their internal processes, improving overall efficiency and enhancing transparency within the organization.
Yes. It is required that General IT Controls and the related information systems are addressed in a PS 951 report (see PS 951 Section 16, based on ISAE 3402.16).
This generally follows common European practice. In principle, PS 951 requires that the selected sample sizes are sufficient to reduce audit risk to an acceptable level. For example, PCAOB guidance suggests a sample size of 25 for daily controls. However, such specific figures are not explicitly defined within the PS 951 standard itself.
A subservice organization is an external provider that performs certain processes on behalf of a service organization. For example, an asset management company might outsource its server hosting to a third party—this hosting provider would then be considered the subservice organization. When a service organization applies a carve-out approach, it means that the controls operated by the subservice organization are not included within the scope of the primary organization’s PS 951 report. These controls are therefore not audited as part of that report and, if required, must be evidenced separately—for instance, through the subservice provider’s own PS 951 report.
This is really a matter of terminology. Strictly speaking, a PS 951 report is not a certification but an audit report for service organizations prepared in accordance with the PS 951 standard. In practice, however, people often refer to a “PS 951 certification,” even though what is actually meant is an audit report.
Corporate governance generally refers to sound, efficient, and responsible management of a company. In the United States, corporate scandals such as those involving Enron and WorldCom led to the introduction of the Sarbanes-Oxley Act (SOx), which sets requirements for internal controls and corporate management for publicly listed U.S. companies. In addition to the annual financial statements, these companies must include a section in their annual report assessing the effectiveness of internal controls. Companies outside the U.S. that are listed on the NYSE are also required to comply with SOx provisions. In Germany, the German Corporate Governance Code (DCGK) establishes comparable requirements for good corporate governance for all publicly listed companies.