The most cutting-edge companies harness customer preference data for a range of reasons, including to create personalised services and targeted marketing campaigns; to scrutinise employee performance data to drive productivity; and to analyse supply chain information to drive efficiencies. And that’s just the tip of the iceberg, with digitised data embedded across business practices.
Digital information offers businesses huge potential, but owing to the increased use of personal data, it also creates vulnerabilities and interdependencies between two previously discrete threats – data privacy and security. For example, data breaches can result from a cyber attack, but have data privacy implications.
GDPR and other international data privacy regulations have started to bite, meaning businesses are starting to feel the commercial cost of data privacy violations. So it is perhaps no surprise that we see data privacy rising up the business agenda. Grant Thornton’s research of over 4,500 international business leaders found that 2 in 3 agreed that, due to new regulation, there has been a greater focus on privacy issues than on cyber security in their business in recent years.
However, it’s important to not lose focus on the real and growing cyber security risk - the number of cyber attacks causing losses in excess of $1m has increased by 63% during the past three years.[i]
Vishal Chawla, Grant Thornton’s global head of cyber security, emphasises that data privacy and cyber security have never been more interlinked.
“In today’s data-driven world, data privacy and cyber security simply cannot be considered in isolation,” he says. “They should be viewed instead as part of a wider digital risk function.”
An integrated response to breaches
The interconnection between data privacy and cyber security is never more painfully obvious than immediately following a data breach. Businesses need to know how the breach occurred and which cyber defences (if any) failed. But, crucially, they also need to understand which data were compromised and whether they were personal or sensitive. If so, they will need to disclose it.
Most businesses are not fully equipped to do this. Only 28% of businesses surveyed by Grant Thornton are ‘highly satisfied’ with their ability to protect against the risk of a serious breach and just 26% with their ability to respond consistently to a major breach across the entire business, no matter when or where it takes place.
Integrate privacy and security into one function, and businesses will be able to respond more effectively to data breaches due to their combined resources and holistic understanding of the threat.
“Privacy and cyber security are complex because they are crashing together in the real world,” says Mike Harris, partner, cyber security services, Grant Thornton Ireland. “A data breach could start off as something very technical in an outsourced cloud provider. But in responding to the incident you need to consider whether personal data are involved and what regulatory disclosures need to be made.
“All of a sudden, the two have become interconnected. Rather than two separate cyber and privacy functions responding to a breach, it makes sense to have one integrated function with the specialised skills to manage the process, so that nothing falls through the cracks.”
Managing supply chain and third-party digital risk
The increased interconnectedness of cyber security and privacy has implications for how third-party risk is managed. For example, data privacy regulation such as GDPR requires businesses to get robust guarantees from suppliers that handle data on their behalf.
“It would make a lot of sense for organisations to merge cyber security aspects of third-party risk management with privacy controls,” says Harris. “It’s just a matter of asking about both at the same time. It’s relatively straightforward, but it’s not happening widely at the moment. Cyber security teams and privacy teams are doing this separately.”
Of course, this ‘one-stop’ third-party risk management will remove duplication of effort and create efficiencies. More importantly, however, it will produce a more joined-up understanding of digital risk.
Benefits of an integrated digital risk approach
Taking an integrated business approach to managing digital risk delivers a number of key benefits to organisations:
Firstly, it can help to bring forward digital transformation initiatives because the data classification and compliance that companies are undertaking across the business for various purposes is aligned and co-ordinated.
Secondly, a digital risk function that conducts comprehensive assessments of third-party and supply chain digital risk is better positioned to ensure that risk is considered across the organisation. One way to do this is by pre-approving vendors from a risk perspective.
“Businesses can digitally transform quicker if they do the supplier approval process up front,” says James Arthur, partner, head of cyber consulting, Grant Thornton UK. “It’s a lot easier to do this if you have a single digital risk function that proactively assesses cyber security and privacy risk together.”
Thirdly, businesses continue to use new technologies to seek out commercial advantage, meaning their approach to data privacy and cyber security also needs to continually evolve, to address new threats and vulnerabilities. An integrated digital risk function is better placed to scrutinise some of these new technologies, such as blockchain.
“It’s vital that risk teams are involved right from the outset, because with any technology database there’s always the risk of attacks by third parties that want to steal the information,” says Michel Besner, general manager of Catallaxy, a blockchain subsidiary of Raymond Chabot Grant Thornton. “To combat this, risk teams can ensure that there are proper governance structures around how the blockchain is implemented, managed and supported. Get this right, and you’ll avoid security issues further down the line.”
Board oversight is key, combined management essential
The case for an integrated digital risk function is clear. But who should oversee and manage it?
At the moment, there is confusion about where responsibility ultimately lies, and this is hampering digital risk management. Tellingly, surveyed businesses say that a lack of understanding about which risks individuals and teams are responsible for is their second-greatest weak point in managing digital risk.
The first important thing to consider is who manages digital risk from a day-to-day point of view. Most companies put the chief risk officer or chief technology officer in charge of this. But, as explained in our Digital risk: Technology is no silver bullet article, effective digital risk management relies on a lot more than technology. Chief risk officers report on more holistic risk to business – strategic, financial and operational. So what’s the answer?
Enter the chief digital risk officer function. “Organisations are starting to create digital risk functions headed by a chief digital risk officer,” confirms Arthur. “This is where responsibility for managing digital risk should lie. But at the moment they are still organisationally distinct at most companies.”
Once the day-to-day digital risk management is in place, it’s essential to consider who provides oversight. As with financial risk, the gravity of digital risk means that the board must take an active role. While the board needs to oversee it, they may not always have the technical expertise to understand the nature of the threat. Therefore, ideally, a specific digital risk committee should be established within the board to oversee this risk, with representation from experts.
“Digital risk oversight should be at board level,” confirms Christos Makedonas, technology risk leader at Grant Thornton Cyprus. “There should also be a committee that discusses digital risk.
“Digital risk is multifaceted, so many people need to feed into this process. At the moment, this only happens in large, heavily regulated companies – especially those in financial services.”
Three steps to integrated digital risk management
- Combine the data privacy and cyber security functions, to create a single digital risk function. This new team should be governed by a single model and follow the same set of processes, goals and practices connected to wider business commercial drivers.
- Work out who is responsible for managing and overseeing digital risk, map out their activities and daily workflows, and see if there is any overlap. Identify synergies and strip out duplicated processes.
- Ensure that digital risk processes are managed on an end-to-end basis. For example, should assess both cyber security and data privacy. Both factors should also be evaluated when classifying data.
_____________________________________
[i] Linklaters, Global cyber-incidents soar by 63% in the last three years - January 2019.
[ii] Eur-Lex - General Data Protection Act.
[iii] Information Commissioner’s Office - Data protection by design and default.
Businesses have ploughed billions of dollars into technology that promises to keep cyber threats at bay. Gartner claims that end-user spending for the information security market is estimated to grow at a CAGR of 8.5% between 2017 and 2022, reaching $170bn.[i]
While technology undoubtedly plays a major role in combating digital threats, other areas have been neglected. Tellingly, mid-market business leaders surveyed in Grant Thornton’s International Business Report (IBR) say that over-reliance on software is their weakest point in managing cyber and privacy-related threats.
It’s encouraging that business leaders acknowledge this. But now they must act, by improving their employees’ awareness and specialist skills in cyber security.
This doesn’t necessarily mean spending more money. In many cases, companies will be able to taper technology spending as they strengthen and invest in their business acumen, processes and in-house skills.
Customer trust is built on more than technology
“It is essential that businesses understand that investing in technology alone is not the only answer to reducing digital risk, and it will not protect them from losing customer trust should the worst happen,” says Vishal Chawla, global head of cyber security at Grant Thornton. “A key starting point for companies is understanding the type of business they’re in, and the value they deliver to the customer.”
Once this is understood, companies will have a clearer idea of the potential impact a breach would have on that relationship, and can better work out how to mitigate this, through a range of measures. Internal governance, processes and people are the other crucial ingredients here.
Take a casino chain as an example. Many casino customers are high-net-worth individuals, who take the security of their financial data – such as transaction history and payment information – extremely seriously. The casino can have the best technology systems in place to protect this data, but it is not enough in isolation.
The company must have robust governance procedures, customer relationship managers and trust policies in place to complement the technology and to protect the company’s reputation in the event of a breach. In this example, the value the casino provides to its customer revolves around customer service, trust and entertainment, with technology acting simply as an enabler to make this happen. Therefore, the company’s approach to digital risk must mirror this, with robust trust procedures in place, complemented by top-class technologies.
Identify vulnerabilities first, invest later
Businesses need to understand where they are vulnerable to cyber attacks and data-protection breaches before investing in preventive software. This requires specialised skills that most cyber security functions don’t have.
“Businesses need cyber security and privacy-related skillsets to help map out their data and understand their regulatory requirements – particularly in a cloud environment,” says Mike Harris, partner, cyber security services, Grant Thornton Ireland. “They also need cyber technology skills around the technologies they are using.
“For example, if you are using cloud services provided by Amazon or Azure, you need to have the security skills in house to work out what they will and will not do regarding cyber security. That skills component is often overlooked.”
Advanced analytical tech needs advanced analytical minds
Many businesses have invested heavily in advanced analytical cyber security technologies that help identify new threats and vulnerabilities. But these are only as good as the workforce that can interpret the results and implement corresponding changes.
“Lots of people look to technology as a silver bullet, but it isn’t,” says James Arthur, partner, head of cyber consulting, Grant Thornton. “Many companies spend a lot of money on AI-driven, behavioural analytics cyber security software, which can be really useful in some circumstances. However, you normally need to spend an awful lot of human time training it to ensure it delivers useful insights. Then, you need a human at the end of that chain who can look at the output and make/approve changes.”
Insure against the inevitable
“There are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
These are the words of former FBI director Robert Mueller back in 2012.
His message is clear – and just as relevant today as it was seven years ago: a breach is inevitable. It makes a strong case for investing in insurance as another way to manage digital risk.
“Any reasonable cyber security programme has to have an element of detection, response and insurance, because cyber events will happen,” says Harris. “We see increased adoption of insurance that covers both cyber attacks and data privacy regulatory breaches. But while it’s imperative and its use is increasing, the majority of businesses still don’t have this type of insurance or aren’t protecting the right data assets.”
Understand your most valuable data assets and protect accordingly
Businesses should undertake a structured programme to assess and understand their data assets, using a categorisation and classification process. Then, they can identify their ‘crown jewels’ and invest in appropriate insurance cover.
But how do you do this? One way to identify your most critical data is to think like a hacker and then consider the maximum damage they could cause. “The current data security environment is consistently evolving with new threats and vulnerabilities,” says Chawla. “Leaders have to be willing to step into the shoes of cyber criminals, understand the threats these groups pose and come up with proactive strategies to protect their business’ interests.”
Which email threads could a former employee leak to embarrass their former managers? What intellectual property and trade secrets would be of interest to a foreign power? And how might a cyber criminal use your data to try to extort money from your business? These are just some of the questions you need to ask before purchasing insurance as part of your digital risk management plan.
Five recommendations for balanced cyber risk management
- Companies must understand that the increasing amount of data that customers share with brands means that trust is more important than ever. It’s essential that businesses understand the necessity of trust management, and that digital risk policies and procedures go a long way to ensuring this.
- Traditional approaches to cyber training are not working. Businesses should develop shorter, more frequently distributed training videos and simulate phishing attempts to better educate their workforces.
- Businesses need to identify and map out their digital vulnerabilities. They need to recruit staff with specialised cyber skills that complement cyber security technical skills. This will ensure that their investment in preventive software is focused on the right areas.
- All businesses will suffer a cyber attack – no matter how much they invest in preventive software. Investing in insurance can bolster your risk management but it is crucial to insure your most valuable data assets and explore specific insurance that covers both cyber attacks and data-privacy breaches.
- Once insurance is secured, businesses must be vigilant about adhering to the terms and conditions. If they fail to install updates, it could nullify the insurance.
These recommendations must be implemented in the context of businesses’ specific digital risk environments. The first step for business leaders is to understand their specific vulnerabilities and threats. Only then can they implement the most relevant technologies, training initiatives and insurance coverage.
[i] gartner.com - Forecast for Information Security Worldwide, 2016-2022 - 25 July 2018