PS 951 Overview

PS 951

More and more organizations are outsourcing supporting business processes to specialized service providers such as SaaS vendors, asset managers, or real estate management firms. The national standard PS 951 provides a reliable foundation for security and transparency: it defines how services are delivered, how protective measures are implemented, and how anti fraud controls are integrated. A PS 951 report serves as evidence that effective controls are in place and is therefore a key tool for mitigating risk in outsourcing. In this way, service providers are required to maintain robust control frameworks—something essential in sensitive sectors such as financial services.

How to achieve a PS 951 report

right-dot

1.Understand the requirements

Familiarize yourself with the PS 951 requirements and assess their relevance for your organization and your clients.

2. Prepare for the audit

Select an independent auditor and define the scope of the audit, including the key processes and controls.
right-dot
right-dot

3. Documentation and analysis

Record all existing controls and develop a risk control matrix. Then conduct a gap analysis to identify potential weaknesses.

4. Internal reviews

Perform internal testing of the controls and update your documentation based on the test results.
right-dot
right-dot

5. Execution of the external audit

Compile the required documentation for the external auditor and provide access to relevant processes and records.

6. Analyze results and improve

Receive the auditor’s report, evaluate the findings, and implement the recommendations to continuously optimize processes and controls.
right-dot

Key components of a PS 951 report

A PS 951 report typically includes:

Auditor’s opinion

Specifies the scope and audit period and states whether the report was issued with qualifications (qualified) or without qualifications (unqualified).

Additional information

An optional section containing any further relevant details.

System description

Outlines the risk management processes, including key IT controls (GITCs) such as access management, change management, and physical security measures.

PS 951

image
PS 951 applies to service organizations whose activities have an impact on their clients’ financial reporting. The standard focuses on the assessment and documentation of internal financial controls and is often used by companies in areas such as accounting, asset management, and business process outsourcing (BPO), where services directly affect clients’ financial reporting. The core aim is to ensure that a company’s internal controls enable accurate and reliable financial reporting. Auditors provide an independent opinion on these controls, and PS 951 also helps companies demonstrate compliance with external regulatory requirements in the context of financial reporting.

Background on PS 951

2009

Introduction

PS 951 ist ein vom Institut der Wirtschaftsprüfer (IDW) herausgegebener deutscher Prüfungsstandard. Er richtet sich an Dienstleistungsunternehmen, deren Tätigkeiten die Finanzberichterstattung ihrer Kunden beeinflussen. Der Standard beschreibt, wie Wirtschaftsprüfer interne Kontrollen bei solchen Dienstleistern beurteilen und darüber berichten.

2013

Alignment with PS 951

PS 951 is aligned with international frameworks such as ISAE 3402 but provides a national interpretation and application for German auditors. It gives companies a recognized framework for demonstrating the adequacy and effectiveness of their internal controls.

2016

International Recognition

The standard is regularly updated by the IDW to reflect new regulatory requirements and technological developments—for example, in IT security and risk management. In doing so, PS 951 helps service organizations build trust, transparency, and accountability with their clients and partners.