Businesses of all shapes and sizes are trying to carve out a competitive advantage by leveraging digital information. The most cutting-edge companies harness customer preference data for a range of reasons, including to create personalised services and targeted marketing campaigns; to scrutinise employee performance data to drive productivity; and to analyse supply chain information to drive efficiencies. And that’s just the tip of the iceberg, with digitised data embedded across business practices.
Digital information offers businesses huge potential, but owing to the increased use of personal data, it also creates vulnerabilities and interdependencies between two previously discrete threats – data privacy and security. For example, data breaches can result from a cyber attack, but have data privacy implications.
GDPR and other international data privacy regulations have started to bite, meaning businesses are starting to feel the commercial cost of data privacy violations. So it is perhaps no surprise that we see data privacy rising up the business agenda. Grant Thornton’s research of over 4,500 international business leaders found that 2 in 3 agreed that due to new regulation there has been a greater focus on privacy issues than there has on cyber security in recent years in their business.
However, it’s important to not lose focus on the real and growing cyber security risk - the number of cyber attacks causing losses in excess of $1m has increased by 63% during the past three years.[i]
Mike Harris, cyber security services, Grant Thornton Ireland, emphasises that data privacy and cyber security have never been more interlinked.
“In today’s data-driven world, data privacy and cyber security simply cannot be considered in isolation,” he says. “They should be viewed instead as part of a wider digital risk function.”
But what is digital risk?
Digital risk is a business-driven model that proactively considers the business risks associated with digitised data across business processes, including cyber security and data privacy, along with other considerations such as regulation, automation and ethics.
Think about how you secure your own home. Do you one day focus on locking all of the doors, but happily leave the windows open? And on another day, would you ignore setting the alarm, because you are too busy focusing on securing access from the garden? Of course not – all of these risks need to be considered together, or your protection measures will quickly fail.
It’s a similar story when assessing a company’s digital risk profile – focusing on each of the threats separately is no longer effective, and instead they must be proactively integrated and managed together. It’s only when a business takes a holistic approach like this that real progress can be made.
Indeed this integrated best practice is embedded in the regulation. The General Data Protection Act (GDPR) states that, in order to be compliant, companies should implement ‘data protection by design and default’ measures. The Information Commissioner’s Office explains that this means companies must “integrate or ‘bake in’ data protection into… business practices, from the design stage, right through the lifecycle”. It would be very difficult indeed to ‘bake in’ such privacy measures across the business without a single, integrated function.
So it is critical for businesses to effectively and efficiently get to grips with digital risk. Yet they are struggling, because data privacy and cyber security are often managed by different teams. Typically the Chief Privacy Officer (CPO) takes responsibility for data privacy, while the Chief Information Security Officer (CISO) takes responsibility for cybersecurity.
It would be far better for both to be managed by the same team, or by an integrated team with a new governance model that provides a direct reporting structure to the CEO/CRO (Chief Risk Officer) with oversight from a board. After all, a lot of work that ensures compliance with data privacy can be used to bolster cyber security, and vice versa. In addition to helping businesses manage digital risks, this approach adds value by enabling them to bring forward digital transformation initiatives.
Optimising data classification
A single digital risk team will also ensure the data classification that companies are undertaking across the business for various purposes is aligned and co-ordinated.
Data classification means understanding what data is held by the business, the processes it connects to, and who manages it. It is a crucial part of compliance with data privacy regulations such as GDPR, but can also be used to enhance cyber security.
By undertaking a structured programme to assess and understand their data assets - using a categorisation or classification process - businesses can identify their key data and build effective security around them.
Harris adds: “We see that the Pareto principle applies to data risk in many businesses, with 20% of a business’s data carrying 80% of the risk. It is almost impossible to make all systems hack-proof, so why not focus on the data for which security is absolutely essential to your business and to your customer?”
Hans Bootsma, partner, cyber risk services at Grant Thornton Netherlands, agrees that an integrated approach to privacy and cyber security extends to the classification process.
“Most companies never classified data before GDPR,” he said. “But they started to because they had to categorise personally identifiable information and other types of data in order to comply. If you run a programme like this, then it’s easy to extend it and combine it with other types of data to identify your data crown jewels and then link this with your cyber programme.”
Unless data privacy and cyber security are aligned, the classification process will happen in isolated silos and the benefits will not be shared.
An integrated response to breaches
The interconnection between data privacy and cyber security is never more painfully obvious than immediately following a data breach. Businesses need to know how the breach occurred and which cyber defences (if any) failed. But, crucially, they also need to understand which data were compromised and whether they were personal or sensitive. If so, they will need to disclose it.
Most businesses are not fully equipped to do this. Only 28% of businesses surveyed by Grant Thornton are ‘highly satisfied’ with their ability to protect against the risk of a serious breach and just 26% with their ability to respond consistently to a major breach across the entire business, no matter when or where it takes place.
Integrate privacy and security into one function, and businesses will be able to respond more effectively to data breaches due to their combined resources and holistic understanding of the threat.
“Privacy and cyber security are complex because they are crashing together in the real world,” says Harris. “A data breach could start off as something very technical in an outsourced cloud provider. But in responding to the incident you need to consider whether personal data are involved and what regulatory disclosures need to be made.
“All of a sudden, the two have become interconnected. Rather than two separate cyber and privacy functions responding to a breach, it makes sense to have one integrated function with the specialised skills to manage the process, so that nothing falls through the cracks.”
Managing supply chain and third-party digital risk
The increased interconnectedness of cyber security and privacy has implications for how third-party risk is managed. For example, data privacy regulation such as GDPR requires businesses to get robust guarantees from suppliers that handle data on their behalf.
“It would make a lot of sense for organisations to merge cyber security aspects of third-party risk management with privacy controls,” says Harris. “It’s just a matter of asking about both at the same time. It’s relatively straightforward, but it’s not happening widely at the moment. Cyber security teams and privacy teams are doing this separately.”
Of course, this ‘one-stop’ third-party risk management will remove duplication of effort and create efficiencies. More importantly, however, it will produce a more joined-up understanding of digital risk.
Benefits of an integrated digital risk approach
Taking an integrated business approach to managing digital risk delivers a number of key benefits to organisations:
Firstly, it can help to bring forward digital transformation initiatives because the data classification and compliance that companies are undertaking across the business for various purposes is aligned and co-ordinated.
Secondly, a digital risk function that conducts comprehensive assessments of third-party and supply chain digital risk is better positioned to ensure that risk is considered across the organisation. One way to do this is by pre-approving vendors from a risk perspective.
“Businesses can digitally transform quicker if they do the supplier approval process up front,” says James Arthur, partner, head of cyber consulting, Grant Thornton UK. “It’s a lot easier to do this if you have a single digital risk function that proactively assesses cyber security and privacy risk together.”
Thirdly, businesses continue to use new technologies to seek out commercial advantage, meaning their approach to data privacy and cyber security also needs to continually evolve, to address new threats and vulnerabilities. An integrated digital risk function is better placed to scrutinise some of these new technologies, such as blockchain.
“It’s vital that risk teams are involved right from the outset, because with any technology database there’s always the risk of attacks by third parties that want to steal the information,” says Michel Besner, general manager of Catallaxy, a blockchain subsidiary of Raymond Chabot Grant Thornton. “To combat this, risk teams can ensure that there are proper governance structures around how the blockchain is implemented, managed and supported. Get this right, and you’ll avoid security issues further down the line.”
Board oversight is key, combined management essential
The case for an integrated digital risk function is clear. But who should oversee and manage it?
At the moment, there is confusion about where responsibility ultimately lies, and this is hampering digital risk management. Tellingly, surveyed businesses say that a lack of understanding about which risks individuals and teams are responsible for is their second-greatest weak point in managing digital risk.
The first important thing to consider is who manages digital risk from a day-to-day point of view. Most companies put the chief risk officer or chief technology officer in charge of this. But, as explained in our Digital risk: Technology is no silver bullet article, effective digital risk management relies on a lot more than technology. Chief risk officers report on more holistic risk to business – strategic, financial and operational. So what’s the answer?
Enter the chief digital risk officer function. “Organisations are starting to create digital risk functions headed by a chief digital risk officer,” confirms Arthur. “This is where responsibility for managing digital risk should lie. But at the moment they are still organisationally distinct at most companies.”
Once the day-to-day digital risk management is in place, it’s essential to consider who provides oversight. As with financial risk, the gravity of digital risk means that the board must take an active role. While the board needs to oversee it, they may not always have the technical expertise to understand the nature of the threat. Ideally, therefore, a specific digital risk committee should be established within the board to oversee this risk, with representation from experts.
“Digital risk oversight should be at board level,” confirms Christos Makedonas, technology risk leader at Grant Thornton Cyprus. “There should also be a committee that discusses digital risk.
“Digital risk is multifaceted, so many people need to feed into this process. At the moment, this only happens in large, heavily regulated companies – especially those in financial services.”
Three steps to integrated digital risk management
- Combine the data privacy and cyber security functions, to create a single digital risk function. This new team should be governed by a single model and follow the same set of processes, goals and practices connected to wider business commercial drivers.
- Work out who is responsible for managing and overseeing digital risk, map out their activities and daily workflows, and see if there is any overlap. Identify synergies and strip out duplicated processes.
- Ensure that digital risk processes are managed on an end-to-end basis. For example, should assess both cyber security and data privacy. Both factors should also be evaluated when classifying data.
Find out more: https://www.youtube.com/watch?v=RO7ITJ2f1ss&feature=youtu.be