Alexandre Blanc
CISO - VARS | Digital and technology consulting

An IT security audit measures all of the aspects that contribute to mitigating risks and maintaining the confidence of your customers and partners.

Companies need to make IT security a priority in order to limit the risk of data loss or fraud. With cyberattacks on the rise and so many organizations transitioning to remote work, businesses of all sizes are facing major challenges.

Issues linked to your technology, processes or human error could impact customer or partner confidence in your company and ultimately damage your business’s reputation. Then, of course, there are the costs that could arise from any incidents.

Here are some questions to ask yourself:

• Has your business already adopted IT security best practices?
• Are these practices documented and communicated effectively?
• Is your incident response plan up to date?
• Have you implemented proper controls such as data backups or workstation and server protection?

An IT security audit is a comprehensive security check-up aimed at answering all these questions. The exercise helps identify which best practices should be maintained and what mitigation measures are needed to address detected vulnerabilities.

What’s the purpose of an IT security audit?

Security audits are sometimes wrongly perceived as a punishment or criticism, especially if company management requests one without the technical teams being in agreement. But in fact, IT audits are a great way to gain the support of decision makers, to put in place the right processes and solutions for the organization, and to highlight the return on investment.

First and foremost, an IT security audit is an open discussion with the organization’s key people, providing a clear understanding of any operational issues, risks, and existing or potentially missing mitigation measures.

This exercise aims to produce a market-standard gap analysis and to guide the organization toward compliance with the requirements of certifications such as ISO 27001.

With active threats all around, even the major players that should have robust protections in place experience security incidents. No matter how big or small your organization is, you can’t turn a blind eye to your vulnerabilities.

Even if everyone in the company takes their responsibilities very seriously, security checks and balances can be unintentionally overlooked. An IT security audit helps you make sure your organization has set up the right prevention, detection and corrective measures to remain resilient in the face of cyberincidents.

What are the advantages of an IT security audit?

IT security audits are based on existing guidelines and industry standards (ISO, CIS, etc.). By comparing your company’s current situation to a specific reference baseline, we perform what’s called a gap analysis. The idea is to identify missing control measures along with their associated risks and potential impacts on your organization.

The audit also gives you the chance to set up recurring verification processes so that your organization’s growth or evolution remains aligned with any requirements identified during the audit.

There are several advantages to a third-party audit. For example, it can:

  • Give you an expert assessment of your organization’s cybersecurity maturity;
  • Formalize processes and ensure that everything is properly documented;
  • Provide a starting point for implementing a continuous improvement process;
  • Strengthen the organization’s security, optimize processes and make the company more resilient;
  • Lead to practical recommendations that support changes;
  • Increase partner and customer confidence through active IT security management;
  • Facilitate relationships with insurers thanks to formally established processes;
  • Reduce the risks associated with cyber threats by implementing recommendations;
  • Strengthen trust and alignment between management and the provider (internal or external) regarding IT management.

The team of experts who will assist you in this exercise will also be a key partner in the event of an incident, offering you effective support.

We’re living in a digital age and the transformation is occurring at breakneck speed. Your company’s ability to inspire confidence in its technology management is critical to its long-term viability and success. IT security affects all business industries and is key for operational continuity. An experienced external expert will point out any critical aspects you may have missed and direct you to the best available solutions for your organization.

01 Sep 2021  |  Written by :

Alexandre Blanc is a cybersecurity expert at Raymond Chabot Grant Thornton.

Next article

IAS 36 Impairment of Assets is not a new standard, and while many of its requirements are familiar, an impairment review of assets (either tangible or intangible) is frequently challenging to apply in practice. This is because IAS 36’s guidance is detailed, prescriptive and complex in some areas.

The Insights into IAS 36 series has been written to help preparers of financial statements and those charged with the governance of reporting entities understand the requirements set out in IAS 36, and revisit some areas where confusion has been seen in practice.

The first three publications in the Insights into IAS 36 series are:

  • Overview of the Standard;
  • Scope and structure of IAS 36;
  • If and when to undertake an impairment review.

The first publication Overview of the Standard provides an “at a glance” overview of IAS 36’s main requirements and outlines the major steps in applying those requirements.

The second publication Scope and structure of IAS 36 looks at the scope of the impairment review (i.e., the types of assets that are included) and how the review is structured (i.e., the level at which assets are reviewed).

The third publication mentioned above explains if and when a detailed impairment test as set out in IAS 36 is required.

The publications mentioned above follow this IFRS Adviser Alert.

Next article

An agreement on global tax reform was announced at the recent G7 meeting. On July 1, 2021, the G20 issued a statement on proposed solutions and provided additional details (the “July Proposals”).

The Organization for Economic Co-operation and Development (“OECD”) has been leading discussions on international tax reform under the Base Erosion and Profit Shifting initiative, better known as BEPS, for many years. The July Proposals provide details on how to implement Pillar 1, which relates to taxing the digital economy, and Pillar 2, which relates to a minimum global tax rate.

Pillar One – Taxing rights transfer

The Pillar One proposals apply to multinational enterprises (“MNEs”) with a turnover of more than €20 billion and a profit margin of more than 10%. These thresholds will be determined based on the accounting results of MNEs, with some adjustments. MNEs subject to Pillar One will not be limited to companies operating in the digital economy. However, extractive industries and regulated financial services will be excluded.

The objective of Pillar One is to shift the taxation rights from the home countries to the market jurisdictions (where the customers are located). The exact portion of profits that will be shifted has not yet been confirmed. The July Proposals indicate that between 20% and 30% of profitability in excess of 10% will be allocated to jurisdictions in which an MNE is deemed to have a sufficient presence, a concept known as “nexus”. The allocation will use a turnover-based distribution formula.

Profits will be allocated to a market jurisdiction if revenues in that jurisdiction exceed a certain threshold that depends on its GDP, i.e.:

  • GDP lower than €40 billion: €250,000
  • GDP equal to or greater than €40 billion: €1 million

Revenue will be sourced to the end market jurisdictions where goods or services are used or consumed. To facilitate the application of this principle, detailed source rules for specific categories of transactions will be developed.

In many cases, because of its current structure, the residual profits of an in-scope MNE are already taxed in a market jurisdiction. In this case, a marketing and distribution profits safe harbour will cap the residual profits allocated to the market jurisdiction. Further work on the design of the safe harbour will be undertaken.

The application of the arm’s length principle to in-country baseline marketing and distribution activities will be simplified and streamlined. This work will be completed by the end of 2022.

The Pillar One proposal will result in a significant transfer of profits between jurisdictions and will require the use of exemptions or credits to avoid double taxation of MNEs. One reason for the risk of double taxation is that different jurisdictions will not necessarily impose the rules in the same way.

Pillar One will be implemented through the use of a multilateral instrument, the same recently used to implement changes to tax treaties. The OECD expects that the multilateral instrument will be opened for signature in 2022 and come into effect in 2023.

The turnover threshold of €20 billion is expected to be reduced to €10 billion seven years after the implementation of the agreement.

Pillar Two – Global Minimum Tax

Pillar Two establishes a minimum tax on a country-by-country basis. It introduces Global anti-Base Erosion Rules (“GloBE”). These proposals will apply to MNEs that meet the €750 million threshold as determined for the country-by-country reporting of transfer pricing declaration.

The July Proposals state that countries are free to tax MNEs that do not meet the €750 million threshold. The Proposals could potentially apply to small and medium-sized enterprises (“SMEs”). Government entities, international organizations, non-profit organizations, pension funds or investment funds that are Ultimate Parent Entities (“UPE”) are not subject to the GloBE Rules. Only the international shipping industry is excluded from these proposals.

The minimum tax will be 15%, using a common definition of covered taxes and a tax base determined by reference to financial accounting income (with agreed adjustments consistent with the tax policies of Pillar One).

Some types of income (for example, interest and royalties) could be subject to a lower rate (between 7.5% and 9%).

The July Proposals reiterate the range of mechanisms that can be used to achieve a global minimum tax. These mechanisms are:

  • Income Inclusion Rule (“IIR”): which imposes top-up tax on a parent entity in respect of low income of a constituent entity.
  • Undertaxed Payment Rule (“UTPR”): which denies deductions or requires an equivalent adjustment to the extent the low tax income of a constituent entity is not subject to tax under an IIR. This is a measure similar to the U.S. base erosion and anti-abuse tax (BEAT).
  • Subject to Tax Rule (“STTR”): a treaty-based rule that allows source jurisdictions to impose limited source taxation on certain related party payments subject to tax below a minimum rate. The STTR will be creditable as a covered tax under the GloBE rules.

It is agreed that Pillar Two will apply a country-by-country minimum rate. In this context, the July Proposals will take into account the conditions under which the U.S. GILTI regime will coexist with the GloBE rules. This concession is important to ensure U.S. participation in the Pillar Two proposals.

According to the OECD, the July Proposals will establish a robust minimum tax with limited impact on MNEs that engage in real economic activities with substance. A plan to implement Pillar Two is expected by 2022 and it will take effect by 2023.

The next steps

The July Proposals provide the tax community with additional information on Pillars One and Two. However, several details remain to be worked out. The OECD is expected to finalize a detailed implementation plan by October 2021.

Next article

Taxation in Quebec 2021: Favourable Measures to Foster Investment is a brochure intended for foreign companies considering investing in Quebec.

Produced by Investissement Québec in collaboration with our experts, this document summarizes the main tax measures that apply to companies operating in Quebec. This brochure is for information purposes only. It does not substitute for legislation, regulations or orders adopted by the Québec government.

Our team of tax experts can meet your business needs. Contact us to achieve your full growth potential.

For more information, download the document below.