-
Financial statements audits
Financial statement audits
-
Compliance audits
Compliance audits
-
Compilations and reviews
Compilations and audit
-
Agreed-upon procedures
Agreed-upon procedures
-
Corporate and business tax
Our trusted teams can prepare corporate tax files and ruling requests, support you with deferrals, accounting procedures and legitimate tax benefits.
-
International tax
Our teams have in-depth knowledge of the relationship between domestic and international tax laws.
-
Tax compliance
Business Tax
-
Individual taxes
Individual taxes
-
Estate and succession planning
Estate and succession planning
-
Global mobility services
Through our global organisation of member firms, we support both companies and individuals, providing insightful solutions to minimise the tax burden for both parties.
-
Sales and use tax and indirect taxes
SUT/ VAT & indirect taxes
-
Tax incentives program
Tax incentives program
-
Transfer Pricing Study
The laws surrounding transfer pricing are becoming ever more complex, as tax affairs of multinational companies are facing scrutiny from media, regulators and the public
-
Business consulting
Our business consulting services can help you improve your operational performance and productivity, adding value throughout your growth life cycle.
-
Forensic and investigative services
At Grant Thornton, we have a wealth of knowledge in forensic services and can support you with issues such as dispute resolution, fraud and insurance claims.
-
Fraud and investigations
The commercial landscape is changing fast. An ever more regulated environment means organizations today must adopt stringent governance and compliance processes. As business has become global, organizations need to adapt to deal with multi-jurisdictional investigations, litigation, and dispute resolution, address the threat of cyber-attack and at the same time protect the organization’s value.
-
Dispute resolutions
Our independent experts are experienced in advising on civil and criminal matters involving contract breaches, partnership disputes, auditor negligence, shareholder disputes and company valuations, disputes for corporates, the public sector and individuals. We act in all forms of dispute resolution, including litigation, arbitration, and mediation.
-
Business risk services
We can help you identify, understand and manage potential risks to safeguard your business and comply with regulatory requirements.
-
Internal audit
We work with our clients to assess their corporate level risk, identify areas of greatest risk and develop appropriate work plans and audit programs to mitigate these risks.
-
Service organization reports
As a service organization, you know how important it is to produce a report for your customers and their auditors that instills confidence and enhances their trust in your services. Grant Thornton Advisory professionals can help you determine which report(s) will satisfy your customers’ needs and provide relevant information to your customers and customers’ auditors that will be a business benefit to you.
-
Transaction advisory services
Transactions are significant events in the life of a business – a successful deal that can have a lasting impact on the future shape of the organizations involved. Because the stakes are high for both buyers and sellers, experience, determination and pragmatism are required to bring deals safely through to conclusion.
-
Mergers and acquisitions
Globalization and company growth ambitions are driving an increase in M&A activity worldwide as businesses look to establish a footprint in countries beyond their own. Even within their own regions, many businesses feel the pressure to acquire in order to establish a strategic presence in new markets, such as those being created by rapid technological innovation.
-
Valuations
We can support you throughout the transaction process – helping achieve the best possible outcome at the point of the transaction and in the longer term.
-
Recovery and reorganization
We provide a wide range of services to recovery and reorganisation professionals, companies and their stakeholders.
Addressing the threat within
16 Sep 2019The right way to combat insider cyber threats
News coverage of cyber breaches tends to focus on external threats like cybercriminals, paid hackers or state-sponsored actors. But threats from insiders—employees, contractors and others with sanctioned access to your systems and data—are every bit as real and every bit as dangerous. Insiders face much lower barriers when committing cybercrime. Where external actors must devise ways to break into a target organization’s system, insiders enjoy ready, sanctioned access. Unfortunately, organizations pay insider threats little heed and exacerbate the issue by failing to report insider incidents. Yet the FBI notes that damages from individual insider incidents that it investigates range up to $3 million. Losses include:
- the value of stolen data
- the significant costs of IT services and countermeasures
- legal fees
- lost customers and revenue
- credit monitoring services for customers and employees affected by insider incidents
Identifying and addressing threats
Insider threats fall into three broad categories:
- IT sabotage: An insider uses access to IT systems to harm the organization; an associated organization, such as a supplier or customer; or an individual, such as a senior executive.
- Theft of IP: An insider uses IT to steal the organization’s IP, such as account information, trade secrets or financial or strategic plans. This category includes industrial espionage involving outsiders who recruit insiders.
- Fraud: An insider uses IT for the unauthorized modification, addition or deletion of an organization’s data (not programs or systems) for personal financial gain, or to steal information associated with crimes such as identity theft or credit card fraud.
Getting it right
An effective insider security program will affect more than security. It also impacts the relationship between your people and your organization and potentially the efficiency with which they can do their jobs. Therefore, addressing insider security requires a broader team and a more nuanced approach than dealing with external threats. As with external security programs, this effort should involve their chief information security officer’s (CISO’s) function, the chief risk officer (CRO) and the chief legal officer (CLO) or general counsel. But an internal security program should also involve the chief human resources officer (CHRO) to ensure that the impact on and communications with your personnel are appropriately addressed.
This multi-disciplinary team should begin by determining which positions need access to which systems and data. This involves interviews and surveys of functions throughout the business to drive a disciplined analysis of business needs and interrelationships. The team must then establish procedures for appropriately granting and controlling access to and use of the data and systems in question, including methods for ongoing monitoring to ensure future compliance. Next, communicate the program to all employees and contractors in ways that both support the organization’s compliance and legal concerns and that engender acceptance and cooperation.
An effective program for controlling insider cyber risk addresses each of the five following issues:
- Program governance. The first step toward an effective insider threat management function is to develop and deploy the right frameworks, policies and procedures, access, and activity monitoring and response protocols.
- Vetting processes. The degree of vetting should be scaled to the sensitivity and value of the data and systems to which individuals in specific functions and positions have access. One size does not fit all, yet this is the approach many organizations employ.
- Controlling access. For any given role, access to systems and data should be grounded in an analysis of what is actually required to perform that function. For reasons mainly related to convenience and a fear of insulting otherwise trusted insiders, many organizations fail to appropriately limit access.
- Communication. Communication concerning an insider risk program requires sensitivity and diplomacy. You do not wish to give the impression that insiders are not trusted, but instead seek to clearly communicate the need for an internal risk control program and explain its role in mitigating threats.
- Enhanced monitoring. An effective insider risk program can build out appropriate investigation and response models based on behavioral patterns, data movements, incidents and breaches. These should address the need to monitor people in different roles who use different data, and activities within a given environment.
Trust, but verify
In today’s digitalized environment, employees, contractors and partners understand the need for an organization to protect its digital assets. Oddly, in our experience it is often senior management that fails to understand that need, or to act on that understanding.
The risks are real and serious due to the growing value of an organization’s data, IP and processes. Management can readily address these risks, with the right expertise, experience and assistance. But management commonly overlooks these risks, often with serious consequences.
Source:
Grant Thornton library articles
