-
Governance advisory
We guide boards and management teams in frameworks, team processes and leadership dynamics to deliver sustainable value.
-
Financial services advisory
Get market-driven expertise to achieve your goals in banking, insurance, capital markets, and investment management.
-
Business risk services
Our market-driven expertise helps firms keep growing and manage risk in an evolving regulatory landscape.
-
Risk
Meet risks with confidence and transform your business – we support you to manage risk and deliver on your goals.
-
Economic consulting
Bespoke guidance grounded in complex economic theory and practical sector insight to help you make the right decisions.
-
Government and public sector
Experience and expertise in delivering quality public sector advisory and audits.
-
Business consulting
Partnering with you to deliver sustainable business change that helps you realise your ambitions.
-
Transaction advisory services
Whether buying or selling, we help you get the deal done with our comprehensive range of transaction advisory services.
-
Financial accounting advisory services (FAAS)
Our FAAS team can support your finance function with the flexible resource they need to get results.
-
Corporate finance advisory
Building a business is never easy. We help you maximise the value of your business and find the right option.
-
Valuations
Help to understand or support the valuation of a business or asset.
-
Insolvency and global asset recovery
We provide asset tracing and seamless cross-border global recovery for clients.
-
Forensic and investigation services
Market-driven expertise in investigations, dispute resolution and digital forensics.
-
Restructuring
Our restructuring team help lenders, investors and management navigate contingency plans, restructuring and insolvency.
-
Transformation consulting
Is business transformation a priority for your organisation? Our expert insight and guidance can help you achieve it.
-
Pensions assurance
A tailored service that responds to evolving risks and regulations.
-
Accounting services
Optimise your growth with expert accounting services. Contact us today.
-
Royalty and intellectual property (IP) audits
Enhance IP asset protection with our royalty and IP audit services. Expertise in licensing, revenue detection, and compliance improvements.
-
Business consulting
Partnering with you to deliver sustainable business change that helps you realise your ambitions.
-
Corporate Simplification
Release value, reduce compliance complexity, and improve tax efficiency by streamlining your group structure.
-
Economic consulting
Bespoke guidance grounded in complex economic theory and practical sector insight to help you make the right decisions.
-
Financial accounting advisory services (FAAS)
Our FAAS team can support your finance function with the flexible resource they need to get results.
-
Governance advisory
We guide boards and management teams in frameworks, team processes and leadership dynamics to deliver sustainable value.
-
International
Unlock global opportunities with our local expertise and worldwide reach.
-
People advisory
Driving business performance through people strategy and culture.
-
Strategy Group
Successful business strategy is rooted in a clear understanding of the market, customer segmentation and how purchase decisions vary.
-
Respond: Data breach, incident response and computer forensics
Are you prepared for a cyber failure? We can help you avoid data breaches and offer support if the worst happens.
-
Comply: Cyber security regulation and compliance
Cyber security regulation and compliance is constantly evolving. Our team can support you through the digital landscape.
-
Protect: Cyber security strategy, testing and risk assessment
Cyber security threats are constantly evolving. We’ll work with you to develop and test robust people, process and technology defences to protect your data and information assets.
-
Corporate finance advisory
Building a business is never easy. We help you maximise the value of your business and find the right option.
-
Debt advisory
Working with borrowers and private equity financial sponsors on raising and refinancing debt. We can help you find the right lender and type of debt products.
-
Financial accounting advisory services (FAAS)
Our FAAS team can support your finance function with the flexible resource they need to get results.
-
Financial modelling services
Financial modelling that helps you wrestle with your most pressing business decisions.
-
Operational deal services
Enabling transaction goals through due diligence, integration, separation, and other complex change.
-
Our credentials
Search our transactions to see our experience in your sector and explore the deals advisory services we've delivered.
-
Transaction advisory services
Whether buying or selling, we help you get the deal done with our comprehensive range of transaction advisory services.
-
Valuations
Help to understand or support the valuation of a business or asset.
-
The ESG agenda
Shape your ESG agenda by identifying the right metrics, sustainable development and potential business value impact.
-
ESG driven business transition
Whatever your ESG strategy, we can support your organisation as it evolves while maximising efficiency and profitability.
-
ESG programme and change management
Do you have the right capabilities to drive the delivery of your ESG strategy to realise your targets?
-
ESG risk management
You must protect, comply, understand and influence to successfully manage the risk involved with ESG issues. We can help.
-
ESG strategy, risk and opportunity identification
We can help you clearly define your ESG Strategy, with the risks and opportunities identified and managed.
-
Create value through effective ESG communication
Building trust and engagement with your stakeholders on your ESG strategy.
-
ESG metrics, targets and disclosures
The pressure to report your ESG progress is growing. Do your targets measure up?
-
ESG governance, leadership and culture framework
Make the most of ESG opportunities by effectively embedding your strategy across your organisation.
-
ESG and non-financial assurance
Support your board to be confident in supplying robust information that withstands scrutiny.
-
Transition planning to net zero
Supporting your organisation in the transition to net zero.
-
Actuarial and insurance consulting
We consult extensively to the life insurance, general insurance, health insurance and pensions sectors.
-
Business risk services
Our market-driven expertise helps firms keep growing and manage risk in an evolving regulatory landscape.
-
Financial crime
Helping you fight financial crime in a constantly changing environment
-
Financial services business consulting
Leverage our diverse capabilities to manage challenges and take opportunities: from assurance to transformation
-
Financial services tax
Helping financial services firms navigate the global financial services and funds tax landscape.
-
Regulatory and compliance
Providing an exceptional level of regulatory and compliance to firms across the financial services industry.
-
Corporate intelligence
Corporate intelligence often involves cross-border complexities. Our experienced team can offer support.
-
Litigation support
Industry-wide litigation support and investigation services for lawyers and law firms.
-
Disputes advisory
Advising on quantum, accounting and financial issues in commercial disputes.
-
Forensic investigations and special situations
Do you need clarity in an uncertain situation? If you're accused of wrongdoing we can help you get the facts right.
-
Forensic data analytics
Our forensic data analytics team are helping businesses sift the truth from their data. See how we can help your firm.
-
Monitoring trustee and competition services
Monitoring trustee services to competition, financial and regulatory bodies.
-
Financial crime
Supporting your fight against financial crime in an ever-changing environment
-
Public sector advisory
To deliver excellent public services, local and central government need specialist support.
-
Public sector consulting
Helping public sector organisations maintain oversight of services and understand what's happening on the ground.
-
Public sector audit and assurance
As a leading UK auditor, we have unparalleled insights into the risks, challenges and opportunities that you face.
-
Contentious estates and family disputes
We manage complex and sensitive disputes through to resolution.
-
Digital Asset Recovery
Get guidance and technical expertise on digital finance and cryptoasset recovery from our dedicated crypto hub.
-
Grant Thornton Offshore
Grant Thornton Offshore is our one-stop global solution for insolvency, asset recovery, restructuring and forensics services.
-
Insolvency Act Portal
Case information and published reports on insolvency cases handled by Grant Thornton UK LLP.
-
Litigation support
Industry-wide litigation support and investigation services for lawyers and law firms.
-
Personal insolvency
We can support you to maximise personal insolvency recovery and seek appropriate debt relief.
-
South Asia business group
Supporting your growth in the UK-India economic corridor and beyond.
-
US business group
Optimise your trans-Atlantic operations with local knowledge and global reach.
-
Japan business group
Bridging the commercial and cultural divide and supporting your ambitions across Japan and the UK.
-
Africa business group
Connecting you to the right local teams in the UK, Africa, and the relevant offshore centres.
-
China-Britain business group
Supporting your operations across the China – UK economic corridor.
-
Asset based lending advisory
Helping lenders, their clients and other stakeholders navigate the complexities of ABL.
-
Contingency planning and administrations
In times of financial difficulty, it is vital that directors explore all the options that are available to them, including having a robust ‘Plan B’.
-
Corporate restructuring
Corporate restructuring can be a difficult time. Let our team make the process simple and as stress-free as possible.
-
Creditor and lender advisory
Whether you're a creditor or lender, complex restructurings depend on pragmatic commercial advice
-
Debt advisory
Our debt advisory team can find the right lender to help you in restructuring. Find out how our experts can support you.
-
Financial services restructuring and insolvency
Financial services restructuring and insolvency is a competitive marketplace. Our team can help you navigate this space.
-
Pensions advisory services
DB pension-schemes need a balanced approach that manages risk for trustees and sponsors in an uncertain economy.
-
Restructuring and insolvency tax
Tax will often be crucial in a plan to restructure a distressed business. Our team can guide you through the process.
-
Restructuring Plans
Market leading experience in advising companies and creditors in Restructuring Plan processes.
-
Controls advisory
Build a robust internal control environment in a changing world.
-
Data assurance and analytics
Enhancing your data processes, tools and internal capabilities to help you make decisions on managing risk and controls.
-
Enterprise risk management
Understand and embrace enterprise risk management – we help you develop and connect risk thinking to your objectives.
-
Internal audit services
Internal audit services that deliver the value and impact they should.
-
Managing risk and realising ESG opportunities
Assess and assure risk and opportunities across ESG with an expert, commercial and pragmatic approach.
-
Project, programme, and portfolio assurance
Successfully delivering projects and programmes include preparing for the wider impact on your business.
-
Service organisation controls report
Independent assurance provides confidence to your customers in relation to your services and control environment.
-
Supplier and contract assurance
Clarity around key supplier relationships: focusing on risk, cost, and operational performance.
-
Technology risk services
IT internal audits and technology risk assurance projects that help you manage your technology risks effectively.
-
Capital allowances (tax depreciation)
Advisory and tools to help you realise opportunities in capital allowances.
-
Corporate tax
Helping companies manage corporate tax affairs: delivering actionable guidance to take opportunities and mitigate risk.
-
Employer solutions
We will help you deliver value through your employees, offering pragmatic employer solutions to increasing costs.
-
Indirect tax
Businesses face complex ever changing VAT regimes, guidance and legislation. We can help you navigate these challenges.
-
International tax
Real-world international tax advice to help you navigate a changing global tax landscape.
-
Our approach to tax
We advise clients on tax law in the UK and, where relevant, other jurisdictions.
-
Private tax
Tax experts for entrepreneurs, families and private business. For now and the long term.
-
Real estate tax
Stay ahead of real estate tax changes with holistic, tax-efficient solutions.
-
Research and development tax incentives
We can help you prepare optimised and robust research and development tax claims.
-
Tax dispute resolution
We make it simple to stay compliant and avoid HMRC tax disputes
-
Tax risk management
We work with you to develop effective tax risk management strategies.
-
Skills and training
Get the right support to deliver corporate and vocational training that leads the way in an expanding market.
-
Private education
Insight and guidance for all businesses in the private education sector: from early years to higher education and edtech.
-
Facilities management and property services
Get insight and strategic support to take opportunities that protect resilience and drive UK and international growth.
-
Recruitment
Helping recruitment companies take opportunities to achieve their goals in a market where talent and skills are key.
-
Food and beverage (F&B)
We can help you find the right ingredients for growth in your food and beverage business.
-
Travel, tourism and leisure
Tap into our range of support for travel, tourism and leisure businesses in this period of challenge and change.
-
Retail, e-commerce and consumer products
With multiple challenges and opportunities in the fast-evolving retail sector, make sure you are ready for them.
-
Banking
Our expertise and insight can help you respond positively to long term and emerging issues in the banking sector.
-
Capital markets
2020 is a demanding year for capital markets. Working with you, we're architecting the future of the sector.
-
Insurance
Our experienced expert team brings you technical expertise and insight to guide you through insurance sector challenges.
-
Investment management
Embracing innovation and shaping business models for long-term success.
-
Pensions
Pension provision is an essential issue for employers, and the role of the trustee is becoming increasingly challenging.
-
Payments advisory and assurance
Payment service providers need to respond to rapidly evolving technical innovations and increased regulatory scrutiny.
-
Central and devolved government
Helping central and devolved governments deliver change to improve our communities and grow our economies.
-
Infrastructure and transport
Delivering a successful transport or infrastructure project will require you to balance an often complex set of strategic issues.
-
Local government
Helping local government leverage technical and strategic expertise deliver their agendas and improve public services.
-
Regeneration development and housing
We provide commercial and strategic advice to assist your decision making in pursuing your objectives.
-
Health and social care
Sharing insight and knowledge to deliver transformation and improvement to health and social care services.
-
Charities
Supporting you to achieve positive change in the UK charity sector.
-
Education and skills
The education sector has rarely faced more risk or more opportunity to transform. You need to plan for the future.
-
Social housing
We are committed to helping change social housing for the better, and can help you make the most of every opportunity.
-
Technology
We work with dynamic technology companies of all sizes to help them succeed and grow internationally.
-
Telecommunications
Take all opportunities to realise your goals in telecommunications: from business refresh to international expansion.
-
Media
Media companies must stay agile to thrive in today’s highly competitive market – we’re here to support your ambitions.
By 2026, Gartner predicts 75% of organisations will use cloud computing services as a fundamental underlying platform. Public cloud spend is also increasing 21.7% year on year – although this represents only a fraction of the global IT spend (projected USD 4.7 trillion in 2023).
Over the past few years, we've seen growth at a rapid pace in cloud usage. The cloud risk increases for organisations that use it to host their critical systems, such as ERP and customer-facing applications, or sensitive data, such as personal data or intellectual property. They may face challenges around cloud controls and assurance, inconsistent approaches across teams, cloud concentration risks, and lock-in with vendors. There is also a shortage in the market for cloud risk specialists who can support organisations to review whether practices are aligned with recommendations from the Cloud Security Alliance and the cloud service providers.
Issues may also be compounded by the inherent complexity of cloud solutions, lack of visibility at all layers of the computing stack, limited understanding of shared responsibilities for managing cloud controls, and varying compliance requirements for companies operating across multiple jurisdictions.
How are companies tackling cloud assurance?
We talked to a range of financial services and corporate clients to discover how organisations perform their cloud control assurance.
The discussions confirm what analysts report: that established companies operating in financial services have been reluctant to deploy their core banking or systems of record into public cloud service providers (CSP). We also noted that cloud-native banks in the UK are operating core banking on public CSPs. New banking entrants to the UK are increasingly adopting payment aggregators to help them deploy UK subsidiary banks running on public CSPs. By contrast, the non-financial services companies that we spoke with typically run most, if not all, of their core applications on CSPs – typically in a software-as-a-service (SaaS) model.
Approach to cloud control assurance
There is currently no consistent approach to undertaking cloud control assurance in industry. Organisations adopt a range of strategies to ensure they operate with board risk appetite, management comfort and regulations. One common theme is that cloud control assurance activity can be overly manual, rather than using automated tools.
Companies that we spoke with also reported challenges around upskilling or recruiting the right people with technical expertise to provide assurance and challenge on controls.
Cloud concentration risks
We identified different perspectives on cloud concentration risk. While regulators are concerned about companies using a small number of public CSPs, the organisation themselves typically accept the risk of adopting one CSP for specific use cases. While there is acceptance of the risks to operating on one CSP, more could be done to test and prove specific IT disaster recovery plans as expected.
Exit strategy
Larger companies inevitably have multiple CSPs. However, different CSPs are used for different use cases and customer journeys. To mitigate cloud exit and CSP lock-in risks organisations could adopt several strategies, for example:
- review and amend contracts with CSPs, despite multiple organisations believing these contracts are non-negotiable
- monitoring CSP financial and non-financial health to get early visibility of CSP problems
- building methods to enable CSP services, data and infrastructure to be more easily copied or migrated and/or recreate infrastructure from code (coupled with partnerships to ensure the cloud technical capability and capacity is available to perform these changes and to provide oversight).
Cloud assurance good practices
Although there are a number of challenges and risks with cloud adoption, we've detailed a number of good assurance practices you can follow, supported by our discussions with several organisations. These good practices are enabled by companies upskilling internal teams around cloud risks and bringing in subject matter experts to review the proposed controls.
Cloud frameworks and control design
The organisations surveyed are drawing on a variety of control frameworks, such as NIST, ISO27001 and the Cloud Security Alliance Cloud Controls Matrix. One frequently used method is to start by using existing internal control frameworks and build on these by adding cloud-specific controls. The next step for companies should be to consolidate their controls, for example by embedding controls into tooling. This would reduce the manual effort to provide assurance and shift focus to more targeted continuous monitoring of controls.
Assessing cloud control design
Organisations typically provide their cloud service providers with supplier questionnaires and are typically directed to existing SOC2 reports for review, with the latter providing more reliable independent assurance around CSP controls. A key control is to reject the use of SaaS providers if they're not able to demonstrate that appropriate controls are in place.
Assessing cloud control operating effectiveness
Another theme is identifying the need to use automated controls to implement guardrails for cloud services. For example, using the cloud vendor’s recommended good practices, or using tailored blueprints and baselines, which are applied before a system goes live and monitored periodically thereafter.
Assessing cloud control monitoring
Organisations use tooling to help with maintaining compliant internal controls. Third-party assurance reports (eg, SOC2) are periodically reviewed by the organisations surveyed to understand shared responsibilities with cloud vendors and where gaps in controls need to be remediated. Nevertheless, these organisations have concerns about visibility and the inability to obtain real-time compliance from cloud service providers, rather than annual or semi-annual reports.
Practical steps across the lines of defence
When it comes to implementing cloud controls, a cloud assurance strategy and monitoring of cloud controls, there are practical steps that each line of defence can start to apply. Too much assurance can become a burden on the business, with a negligible increase in overall assurance and benefit to governance.
We recommend maintaining an assurance map that provides a point-in-time view of plans across the three lines of defence, and the overall status of activities and observations. This enables better visibility of the assurance being provided on a risk-by-risk basis and allows the relevant governance groups, including the Audit Committee, to make informed choices about whether the assurance is at the required level to meet the board’s risk appetite, including regulatory requirements.
First line of defence: operational management
- Implementing cloud controls and standards that align with industry good practices, such as the Cloud Security Alliance's Cloud Controls Matrix (CCM) or the National Institute of Standards and Technology's (NIST) Cloud Computing Security Reference Architecture (CCSRA)
- Engaging with cloud subject matter experts who can provide practical advice around implementing these frameworks and ensuring that controls are sustainable
- Regularly reviewing and updating cloud environment configurations, access controls, and activity logs to ensure they are aligned with internal policies and objectives, with a view to move towards more automated controls
- Conducting regular cloud training for employees and third-party contractors who have access to the company's cloud infrastructure, including security, resilience and shared responsibilities
- Implementing controls to ensure that all new system implementations to public cloud environments follow a defined due diligence process, including input from security and technology functions
- Agreeing clear roles and responsibilities, both internally and with vendors, for managing the cloud operations and controls
Second line of defence: risk management and compliance
- Conducting risk assessments and impact analyses of cloud environments to determine priority and frequency of reviews for the controls in these environments
- Regularly monitoring cloud environments for compliance with internal and regulatory requirements, and identifying areas for improvement
- Engaging with cloud subject matter experts who understand the unique risks of each cloud service provider and can advise cloud control owners on how to tailor controls to address these
- Collaborating with first-line management to develop and implement cloud controls that address identified risks and compliance gaps
Third line of defence: internal audit
- Conducting independent assessments of cloud environments and controls to provide assurance to senior management and the board of directors
- Augmenting audit teams with cloud subject matter experts who can provide challenge to technology functions on a peer-to-peer level around the design and effectiveness of cloud controls
- Testing the effectiveness of cloud controls and maturing assurance activities with increased levels of control testing automation and dashboarding capabilities
- Reviewing and evaluating third-party vendor risk management processes and controls related to cloud environments
Addressing the challenges
The rapid growth of cloud spend and adoption is set to continue, with organisations moving more applications to cloud infrastructure, including critical applications. At the same time, companies are facing challenges with cloud controls and assurance, such as inconsistent approaches across teams, cloud concentration risks, and lock-in with vendors.
To address these challenges, organisations need to adopt good practices across all three lines of defence. People are key enablers, therefore teams need to upskill around cloud risks and controls, and call on subject matter experts to provide in-depth, tailored insight and independent assurance for the chosen cloud solutions.
For more insight and guidance, contact Cristiana Mirosanu and Ian Greaves.
Get the latest insights, events and guidance, straight to your inbox.