Compliance, Information Security and Software Certifications
This page complements the COSMO Docs App Development for Microsoft Dynamics 365 Business Central documentation. It provides clarity on information security standards, software certifications, and the responsibilities of software manufacturers versus system users.
Purpose of This Page
Customers, partners, auditors, and internal stakeholders frequently ask whether COSMO applications require or provide formal software certifications (for example, auditor test reports or certificates according to national audit standards).
This page explains:
- Which international standards are followed by COSMO in product development and product management
- Why COSMO applications do not provide software or auditor certificates for accounting compliance
- How responsibilities between software manufacturer and software user are legally and practically separated
Information Security and Development Standards at COSMO
ISO/IEC 27001
COSMO CONSULT aligns its product development, product management, and operational processes with the requirements of ISO/IEC 27001, the internationally recognized standard for information security management systems (ISMS).
This includes, among others:
- Protection of information assets
- Defined access control and authorization concepts
- Secure development, release, and change management processes
- Risk-based security controls across development and operations
By following ISO/IEC 27001, COSMO ensures a high level of confidentiality, integrity, and availability of information and software throughout the product lifecycle.
Important: ISO/IEC 27001 focuses on organizational, procedural, and technical security controls. It does not represent a functional or accounting-related audit of individual application features.
Software Certifications and Auditor Test Reports
No General Legal Obligation for Software Manufacturers
There is no general legal requirement that software products, extensions, or apps must provide a formal software certificate or auditor test report (such as certificates issued under national auditing standards).
Audit standards that are sometimes mentioned by customers or auditors are voluntary assurance frameworks. They may support audits but are not mandatory for software manufacturers.
Responsibility for Accounting Compliance
A key principle under accounting and tax law is:
Responsibility for proper accounting, compliance with bookkeeping principles, and regulatory requirements always lies with the system user – not with the software manufacturer.
This means:
- Compliance depends on the individual system configuration, usage, processes, and internal controls of the customer
- Software alone cannot guarantee regulatory compliance
- Even certified software requires:
  - Correct setup
  - Appropriate authorization concepts
  - Complete procedural documentation
Therefore, COSMO does not issue software certificates or auditor test reports for individual products or extensions.
COSMO Apps and Microsoft Dynamics 365 Business Central
COSMO applications are developed as extensions for Microsoft Dynamics 365 Business Central and:
- Rely on the standard platform architecture and security mechanisms provided by Microsoft
- Extend Business Central with additional functions
- Do not replace the responsibility of the customer to operate the system in a compliant manner
Microsoft provides information and assurances for the Business Central platform itself. COSMO applications are designed to integrate seamlessly into this ecosystem.
Official COSMO Position (Summary)
- COSMO CONSULT follows ISO/IEC 27001-aligned standards for information security, product development, and product management
- There is no legal obligation for COSMO to provide software or auditor certificates for its applications
- Compliance with accounting and regulatory requirements is always the responsibility of the system user
- For this reason, COSMO does not issue software certifications or auditor test reports for individual apps
- COSMO supports customers through transparent documentation, secure development practices, and alignment with the Microsoft Dynamics 365 Business Central platform
For Sales, Presales, and Customer Communication
If customers request formal software certificates or auditor attestations, this page can be referenced as the official explanation of COSMO’s position and responsibilities.
FAQ – Compliance and Software Certifications
This FAQ addresses common questions from auditors or customers regarding COSMO applications for Microsoft Dynamics 365 Business Central.
Does COSMO provide a software certificate or auditor attestation for its applications?
No. COSMO CONSULT does not provide software certificates or auditor attestations (for example, test reports under national audit standards) for individual applications or extensions.
Is a software certificate legally required for COSMO applications?
No. There is no legal requirement for software manufacturers to provide software certificates or auditor test reports for applications or extensions.
Such certifications are voluntary assurance instruments and are not mandatory under accounting or tax law.
Who is responsible for accounting and regulatory compliance?
Responsibility for proper accounting, compliance with bookkeeping principles, and regulatory requirements always lies with the system user, not with the software manufacturer.
Compliance depends on:
- System configuration
- Actual usage
- Internal processes and controls
- Procedural documentation
Software alone cannot ensure compliance.
Does COSMO follow recognized security and development standards?
Yes. COSMO CONSULT aligns its product development, product management, and operational processes with ISO/IEC 27001, the international standard for information security management.
ISO/IEC 27001 covers organizational, procedural, and technical security controls, but it does not represent an accounting or functional audit.
How do COSMO applications relate to Microsoft Dynamics 365 Business Central?
COSMO applications are extensions of Microsoft Dynamics 365 Business Central and:
- Use the standard platform architecture and security mechanisms provided by Microsoft
- Extend Business Central functionality
- Do not replace the customer's responsibility for compliant system operation
Microsoft provides assurances for the core Business Central platform.
How can auditors assess compliance without a COSMO software certificate?
Auditors typically assess compliance based on:
- The customer's system configuration and usage
- Internal control mechanisms
- Authorization concepts
- Procedural documentation
- Platform-related assurances provided by Microsoft
COSMO supports transparency through documentation and secure development practices.
Summary
- COSMO does not issue software certificates or auditor attestations
- There is no legal obligation for such certificates
- Compliance responsibility lies with the system user
- COSMO follows ISO/IEC 27001-aligned security and development standards
- COSMO applications integrate into the Microsoft Dynamics 365 Business Central platform