In September 2016 the Central Bank of Ireland (CBI) issued guidance in relation to IT and cybersecurity governance and risk management for regulated firms in Ireland. This guidance was based on supervisory work carried out by the CBI and contains some worrying insights from a Board of Directors viewpoint.
The CBI reiterated that it expects the Boards and Senior Management of regulated firms to fully recognise their responsibilities in relation to IT and cybersecurity governance and risk management and place these among their top priorities.
Whilst the cybersecurity elements of this guidance have rightly received significant coverage due to the more public and newsworthy nature of issues such as hacking, ransomware, denial of service etc., the CBI’s findings concerning general IT service management, IT outsourcing, IT governance and IT risk make for alarming reading. In essence, the CBI has found that:
IT Outsourcing continues to rise but there is inadequate due diligence being carried out on prospective service providers, and service level agreements and contracts are not robust. Given the impact on the regulated firm and its customers of poor systems performance and/or systems failure, this is a significant omission. Furthermore, the CBI points out that service levels and performance are neither being well monitored nor reported to the Board. The guidance also refers to Cloud services and contracts in this context.
The quality of IT Service Management and Operations is a cause of concern to the CBI. The supervisory work identified issues in areas such as, inter alia, Incident Management; IT Change Management; IT Project Management, Planning & Documentation; and Disaster Recovery/Business Continuity Planning, and highlighted the expectation that best practices such as ITIL are incorporated. As with outsourcing above, the CBI notes that deficiencies in board reporting exist in these areas.
The IT Applications that firms rely upon to provide or underpin service to customers also drew cautionary commentary from the CBI. In particular, the major risks concerning legacy systems were highlighted. Such risks include an increased likelihood of system failure, difficulty in maintaining outdated technology and sourcing appropriate skill sets to develop and support legacy systems. Furthermore, the guidance notes the difficulty in obtaining timely and accurate management information from legacy systems due to complexities caused by older designs and configurations. The CBI also points to weaknesses in testing of systems, patches, new technologies, upgrades and products, prior to deployment – with the obvious customer and regulatory implications.
IT Strategy in regulated firms is also reported by the CBI as being, in some cases, deficient and not aligned with business strategy.
The CBI guidance addresses all issues through the lens of IT Risk and Governance. Of deep concern to boards and management of regulated firms should be the finding that there is insufficient ongoing and active IT risk management. Specifically, the CBI finds that risk management is not proactive, risks are poorly monitored and not being mitigated effectively if at all, multiple risk tools are not co-ordinated and, surprisingly, IT risk registers are not up-to-date or do not exist at all. Similarly, there are findings of weak IT asset management and inadequate data governance. The CBI also observes that reviews of IT policies are insufficient and deficient and are treated as ‘box ticking’ exercises. Given the pace of technology change, this is a dangerous habit to form from a risk management viewpoint. Finally, the Central Bank states that it expects that a firm’s governance structure provides for independent assurance on the effectiveness of the IT risk management, internal controls and governance processes.
Next Steps
The Central Bank have stated that these findings and guidelines will form the basis for future supervisory work. So what does a regulated entity do? We recommend you start by finding out where your firm currently stands on:
Service Delivery and Management
- if outsourcing and/or cloud computing forms part of your service delivery model then carry out vendor risk assessment to include: vendor viability, vendor technology and business strategy, vendor contract review, SLA and KPI review, vendor management/governance model. Make sure to also assess your own vendor management capabilities. The outputs of this assessment should form a coherent and targeted action plan;
- review your IT service management approach against an industry-standard framework such as ITIL. While it is not always necessary to adopt full ITIL processes, benchmarking against this framework will provide excellent insight into areas of high risk; and
- examine your methodology for project and programme management. Is it appropriate for the current environment?
Strategy
- carry out an IT strategy assessment and make plans to align it with your business strategy;
- ask yourself if your IT infrastructure is fit for purpose to support this. Do you have an infrastructure strategy?;
- examine your approach to IT applications. If you have an applications strategy then assess it particularly in terms of application lifecycle (pre-acquisition to retirement), legacy systems maintenance, criteria for development, acquisition, upgrade of applications and skills requirement. As part of this, determine if your QA/test approach is effectively aligned. If you don’t have an applications strategy and test strategy, consider creating and implementing these; and
- review your MIS and reporting capabilities.
Risk and Governance
- carry out an independent assessment of IT governance, IT risk management and IT policies;
- create a risk management framework if none exists;
- implement an IT asset management process if none exists;
- assess your data governance approach. As well as being a CBI guideline, GDPR regulations make this an imperative; and
- review board reporting. Is the board getting what it needs? Is it useful and readable?
We advise that you carry out the above assessments and prioritise your actions based on the results.