PS 951

More and more organisations are outsourcing supporting business processes to specialised service providers such as SaaS vendors, asset managers, or real estate management firms. The national standard PS 951 provides a reliable foundation for security and transparency: it defines how services are delivered, how protective measures are implemented, and how anti-fraud controls are integrated. A PS 951 report serves as evidence that effective controls are in place and is therefore a key tool for mitigating risk in outsourcing. In this way, service providers are required to maintain robust control frameworks, which is essential in sensitive sectors such as financial services.

How to achieve a PS 951 report

01
Understand the requirements
Familiarise yourself with the PS 951 requirements and assess their relevance for your organisation and your clients.
02
Prepare for the audit
Select an independent auditor and define the scope of the audit, including the key processes and controls.
03
Documentation and analysis
Record all existing controls and develop a risk control matrix. Then conduct a gap analysis to identify potential weaknesses.
04
Internal reviews
Perform internal testing of the controls and update your documentation based on the test results.
05
Execution of the external audit
Compile the required documentation for the external auditor and provide access to relevant processes and records.
06
Analyze results and improve
Receive the auditor’s report, evaluate the findings, and implement the recommendations to continuously optimize processes and controls.

Key components of a PS 951 report

A PS 951 report typically includes:

Auditor’s opinion

Specifies the scope and audit period and states whether the report was issued with qualifications (qualified) or without qualifications (unqualified).

Additional information

An optional section containing any further relevant details.

System description

Outlines the risk management processes, including key IT controls (GITCs) such as access management, change management, and physical security measures.


What is PS 951 and which service organisations need to comply with it?

PS 951 applies to service organisations whose activities have an impact on their clients’ financial reporting. The standard focuses on the assessment and documentation of internal financial controls and is often used by companies in areas such as accounting, asset management, and business process outsourcing (BPO), where services directly affect clients’ financial reporting. The core aim is to ensure that a company’s internal controls enable accurate and reliable financial reporting. Auditors provide an independent opinion on these controls, and PS 951 also helps companies demonstrate compliance with external regulatory requirements in the context of financial reporting.

Background on PS 951

2009
Introduction

PS 951 is a German auditing standard published by the Institute of Public Auditors in Germany (IDW). It is aimed at service companies whose activities affect their clients' financial reporting. The standard describes how auditors assess and report on internal controls at such service providers.

Alignment with PS 951

PS 951 is aligned with international frameworks such as ISAE 3402 but provides a national interpretation and application for German auditors. It gives companies a recognised framework for demonstrating the adequacy and effectiveness of their internal controls.

2019
2016
International Recognition

The standard is regularly updated by the IDW to reflect new regulatory requirements and technological developments—for example, in IT security and risk management. In doing so, PS 951 helps service organisations build trust, transparency, and accountability with their clients and partners.
