Alexandre Blanc
CISO - VARS | Digital and technology consulting

Updated on July 13, 2023

An IT security audit contributes to mitigating risks and maintaining the confidence of your customers and partners.

Companies need to make IT security a priority in order to limit the risk of data loss or fraud. With cyberattacks on the rise and so many organizations transitioning to remote work, businesses of all sizes are facing major challenges.

Issues linked to your technology, processes or human error could undermine customer or partner confidence in your company and ultimately damage your business’s reputation. Then, of course, there are the direct costs of any incident: investigation, recovery, downtime and potential regulatory or contractual penalties.

Here are some questions to ask yourself:

• Has your business already adopted IT security best practices?
• Are these practices documented and communicated effectively?
• Is your incident response plan up to date?
• Have you implemented proper controls such as data backups or workstation and server protection?

An IT security audit is a comprehensive security check-up aimed at answering all these questions. The exercise helps identify which best practices should be maintained and what mitigation measures are needed to address detected vulnerabilities.

What’s the purpose of an IT security audit?

Security audits are sometimes wrongly perceived as a punishment or criticism, especially if company management requests one without the technical teams being in agreement. But in fact, IT audits are a great way to gain the support of decision makers, to put in place the right processes and solutions for the organization, and to highlight the return on investment.

First and foremost, an IT security audit is an open discussion with the organization’s key people, providing a clear understanding of any operational issues, risks, and existing or potentially missing mitigation measures.

This exercise aims to produce a gap analysis against a recognized market standard and to guide the organization toward compliance with the requirements of certifications such as ISO 27001.

With active threats all around, security incidents are hitting even the major players that should have robust protections in place. No matter how big or small your organization is, you can’t turn a blind eye to your vulnerabilities.

Even if everyone in the company takes their responsibilities very seriously, security checks and balances can be unintentionally overlooked. An IT security audit helps you make sure your organization has set up the right preventive, detective and corrective measures to remain resilient in the face of cyber incidents.

What are the advantages of an IT security audit?

IT security audits are based on existing guidelines and industry standards (ISO, CIS, etc.). By comparing your company’s current situation to a specific reference baseline, we perform what’s called a gap analysis. The idea is to identify missing control measures along with their associated risks and potential impacts on your organization.

The audit also gives you the chance to set up recurring verification processes so that your organization’s growth or evolution remains aligned with any requirements identified during the audit.

There are several advantages to a third-party audit. For example, it can:

  • Give you an expert assessment of your organization’s cybersecurity maturity;
  • Formalize processes and ensure that everything is properly documented;
  • Provide a starting point for implementing a continuous improvement process;
  • Strengthen the organization’s security, optimize processes and make the company more resilient;
  • Lead to practical recommendations that support changes;
  • Increase partner and customer confidence through active IT security management;
  • Facilitate relationships with insurers thanks to formally established processes;
  • Reduce the risks associated with cyber threats by implementing recommendations;
  • Strengthen trust and alignment between management and the provider (internal or external) regarding IT management.

The team of experts who will assist you in this exercise will also be a key partner in the event of an incident, offering you effective support.

We’re living in a digital age and the transformation is occurring at breakneck speed. Your company’s ability to inspire confidence in its technology management is critical to its long-term viability and success. IT security affects all business industries and is key for operational continuity. An experienced external expert will point out any critical aspects you may have missed and direct you to the best available solutions for your organization.

01 Sep 2021 | Written by:

Alexandre Blanc is a cybersecurity expert at Raymond Chabot Grant Thornton.
