As a service organisation there are many ways to provide assurance to your customers and in turn other stakeholders over your control environment. One of the most effective and cost-efficient ways is to issue a Service Organisation Control (SOC) Report.
Today, outsourcing has become the norm in many industries. Outsourced service providers play a vital role in contributing to an organisation’s efficiency and profitability. Business processes are becoming more complex and organisations are focusing on dynamic service delivery models as a way of managing increased technical complexity, scarcity of expertise and competitive pressures.
Cloud computing, IT managed services and data centre hosting are in many cases default business solutions for most sectors, most especially financial services, property management, technology and healthcare. Instilling confidence in outsourced business models equates to a need to assure oversight of outsourced services. Choosing the SOC route as your optimum assurance mechanism undoubtedly delivers a number of benefits, most notably:
- time and cost savings in having a single solution to address multiple assurance requests
- enhanced credibility in having a best practice assurance solution in place to retain and attract business
- evidenced oversight of your outsourced providers to appease regulators and other stakeholders.
Deciding on the configuration of your SOC reporting solution starts with deciding which SOC report or collection of SOC reports you require to meet your broad stakeholder needs.
We outline below a simple decision-making diagram that can be used to determine your SOC 1, SOC 2 and SOC 3 reporting requirements.
SOC types
SOC reports are issued under two primary best-practice standards: SSAE 18 and ISAE 3000.
SOC 1
SOC 1 reports provide a vehicle for reporting on a service organisation’s systems of internal controls that are relevant to a user organisation’s internal controls over financial reporting and are intended to be auditor-to-auditor communications. At a high level, the following are the basic elements of a SOC 1 report:
- an independent service auditor’s report
- management’s assertion letter
- a description of the system
- a section containing the service auditor’s tests of the operating effectiveness of controls and the related test results (Type II report only).
Additional information provided by the service organisation, but not covered by the service auditor’s opinion, may also be included within a SOC 1 report.
SOC 2
SOC 2 reports offer service auditors and service organisations a reporting option they can use when the subject matter is not relevant to controls over financial reporting. The SOC 2 report addresses controls at a service organisation that are pertinent to the joint American Institute of Certified Public Accountants (AICPA) – Canadian Institute of Chartered Accountants (CICA) Trust Services Criteria (TSC). These TSC cover five categories: security, availability, processing integrity, confidentiality and privacy. In a SOC 2 report, management identifies one or more TSC categories that it believes it has achieved and the criteria upon which it will base its assertion of achievement. While SOC 2 reports are intended for user organisation management, other stakeholders (eg, business partners, customers), along with regulators, may also benefit from the information contained within a SOC 2 report. The structure of the report includes many of the same elements as a SOC 1 report but is more prescriptive than a SOC 1 when it comes to control scoping under the TSC regime.
SOC 3
Like SOC 2 reports, SOC 3 reports allow service organisations to provide user organisations and other stakeholders with a report on controls that are relevant to security, availability, processing integrity, confidentiality and privacy. Unlike SOC 1 and SOC 2 reports, SOC 3 reports do not include a description of the system or the detailed description of the tests of controls and related test results. Unlike the other two types, SOC 3 reports are short-form, publicly available documents and tend to be aimed at the uninformed user. SOC 3 reports can be freely distributed or posted on service organisations’ websites with a seal.
What SOC report?
Deciding how the three types of SOC reports will best meet the varying needs of different audiences and cover different subject matter can be challenging. As your service auditor, Grant Thornton can assist you with all your SOC requirements. For instance, when determining which SOC report or reports are appropriate, some organisations may find that the answer is contrary to the type of report they obtained in the past.
Additionally, in instances where obtaining multiple reports might satisfy the organisation’s various needs, the level of effort needed to obtain more than one report will vary based on the specific scope and coverage of the report. If controls overlap, we can leverage the work from one audit for another and the necessary work will only be incremental.
Not covered by SOC?
If your organisation needs to address subject matter that does not appear to be satisfied by the description of SOC reports, a customised attestation report using another AICPA attestation standard may be the answer. Our dedicated team can discuss with you the alternative standards to find the one that will best address your unique needs.
The SOC decision
The marketplace has become much more informed in recent years when it comes to SOC reporting and its tangible benefits. It is seen as best practice to provide or obtain a SOC report as part of a risk management and oversight regime, and in many cases it is now a prerequisite in securing and deploying client solutions.
SOC reports in effect provide a transparent and cost-effective means for assuring internal control accountability and for addressing multiple stakeholder assurance demands.
We would recommend that service organisations have an open discussion with their user organisations in order to understand exactly why a certain SOC report is being requested. This information will inform the question as to which SOC report or reports are appropriate to the needs of user organisations and others.
Grant Thornton Cyprus is happy to clarify these options for you. This will ensure that you have a full appreciation for the subject matter and in turn that you have chosen the best fit report/reports for your specific needs.
Understanding your third-party reporting options will go a long way toward providing your clients and their auditors with the information they require, instilling confidence in the services that you provide and delivering brand-enhancing and commercial reward for your business.