DevOps is a combination of tools, practices and cultural philosophies around software development and operations that increases an organisation's ability to deliver applications and technology services at a higher speed than traditional software development models. Internal audit and risk functions have a pivotal role to play, not just in change strategy and overall governance, but also in identifying risks and opportunities in improving security throughout the entire software development life cycle.
Growth of DevOps in large organisations
The adoption of DevOps practices is increasing among large corporate organisations, especially in those that internally develop software for business or customer-facing applications. According to Gartner, the adoption of DevOps within organisations has grown from 10% of companies using this model in 2020, to 40% by 2023. By breaking down silos and fostering a culture of collaboration, DevOps is intended to help organisations achieve faster time-to-market, improved quality, and enhanced customer satisfaction. This shift has been accelerated by the increasing use of public cloud infrastructure, with public cloud providers offering a plethora of tools to help organisations leverage DevOps practices.
Adopting such practices can be challenging, though. Gartner also estimated that in 2022, ‘75% of DevOps initiatives would fail to meet expectations due to issues around organisational learning and change’. Other risks may be exacerbated, too: around data security, misalignment of software with business or customer requirements, insufficient documentation, and difficulty in meeting compliance or regulatory requirements. Organisations are addressing the security risk around DevOps by implementing security activities and governance at multiple steps in the DevOps process – a methodology which has been named DevSecOps.
Traditional audit methods may not apply
While DevOps brings numerous benefits, it also poses challenges for internal auditors. These arise from the rapid pace of development, increased automation, and changes to the traditional software delivery life cycle. As a result, certain traditional audit methods become, in some places, incompatible with the pace of change driven by DevOps, which may lead to less effective assurance.
We have identified several key areas of challenge:
Lack of documentation
DevOps engineers rely heavily on automated processes, configuration management and infrastructure-as-code. In our experience, version controls over the organisation’s software development methodology often present weaknesses. These conditions can lead to a lack of traditional documentation, such as logs or activity reports, making it difficult for auditors to trace changes, assess controls and ensure compliance.
Frequent and rapid releases
DevOps promotes frequent and rapid software releases, sometimes multiple times a day. This creates a dynamic environment where controls and risks can change rapidly, making it challenging for auditors to keep up and assess the effectiveness of controls.
Distributed and decentralised infrastructure
DevOps is enabled by technology advancements, such as cloud computing, containerisation, and micro-services, resulting in a distributed and decentralised infrastructure. Application programming interfaces (APIs) are becoming more critical for organisations, as these connect various technology applications and services. Auditors must understand the complexities of these architectures to identify and assess risks accurately.
Automation and self-service
DevOps relies heavily on automation and self-service capabilities. While automation improves efficiency, it helps reduce risk only if the configurations are made and maintained in line with good practice guidelines. Auditors need to adapt their approach to assess automated processes.
Collaboration and roles
Segregation may not be maintained between developers and implementers due to more frequent, iterative changes and multi-skilled roles within DevSecOps teams. Developers may also have elevated access to directly change production environments. Auditors need to assess whether automated guardrails are in place to require secondary approvals before changes are implemented.
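The secondary-approval guardrail described above can be tested over every production change rather than a sample. The following is an added example, not part of the original article or of any tool it mentions; the record fields, exception names and sample changes are constructed, and assume change records exported from source-control and pipeline tooling.

```python
"""Segregation-of-duties control test over change records (added example).

Field names are hypothetical; map them to whatever your source-control and
CI/CD tooling exports. All records below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Change:
    change_id: str
    author: str
    approvers: tuple        # identities that approved the change
    deployed_by: str        # identity that released it to the environment
    environment: str        # e.g. "production", "staging"
    via_pipeline: bool      # True if released by the automated pipeline


def _norm(identity):
    """Normalise an identity so 'Carol ' and 'carol' compare equal."""
    return identity.strip().lower()


def evaluate_change(change, min_approvals=1):
    """Return the control exceptions for one change (empty list = pass)."""
    if change.environment != "production":
        return []           # out of scope for this control
    author = _norm(change.author)
    independent = {_norm(a) for a in change.approvers} - {author}
    exceptions = []
    if not change.approvers:
        exceptions.append("NO_APPROVAL")
    elif len(independent) < min_approvals:
        # Approvals exist, but too few come from someone other than the author.
        exceptions.append("INSUFFICIENT_INDEPENDENT_APPROVAL")
    if not change.via_pipeline and _norm(change.deployed_by) == author:
        # Developer changed production directly, bypassing the pipeline.
        exceptions.append("AUTHOR_DIRECT_DEPLOY")
    return exceptions


def run_control(changes, min_approvals=1):
    """Test the full population and summarise exceptions for reporting."""
    in_scope = [c for c in changes if c.environment == "production"]
    exceptions = {}
    for change in in_scope:
        found = evaluate_change(change, min_approvals)
        if found:
            exceptions[change.change_id] = found
    rate = len(exceptions) / len(in_scope) if in_scope else 0.0
    return {"in_scope": len(in_scope),
            "exceptions": exceptions,
            "exception_rate": rate}


# Constructed sample population (not real data).
SAMPLE_CHANGES = [
    Change("CHG-1001", "alice", ("bob",), "ci-bot", "production", True),
    Change("CHG-1002", "carol", ("Carol",), "ci-bot", "production", True),
    Change("CHG-1003", "dave", (), "dave", "production", False),
    Change("CHG-1004", "erin", (), "erin", "staging", False),
    Change("CHG-1005", "frank", ("frank", "grace"), "ci-bot", "production", True),
]

if __name__ == "__main__":
    result = run_control(SAMPLE_CHANGES)
    print(f"{result['in_scope']} production changes tested, "
          f"exception rate {result['exception_rate']:.0%}")
    for change_id, found in result["exceptions"].items():
        print(f"  {change_id}: {', '.join(found)}")
```

Raising `min_approvals` lets the same test check a stricter policy, for example two independent approvers for high-risk systems.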
Case study: how we adapted our assurance for DevOps
Over the last few years, we have developed an audit framework to help organisations gain assurance over their use of DevOps and DevSecOps methodologies. This has been refined and put into practice with large organisations, tailoring our approach based on the particularities of each organisation’s DevOps adoption and maturity levels. The framework is aligned with the key stages in the DevOps process and encourages assessment of security at every step in the DevOps practice. We used guidance from the Cloud Security Alliance, and the Well-Architected Frameworks of the major cloud vendors, such as Amazon Web Services, Microsoft Azure, and Google Cloud.
We performed an audit of a manufacturing client’s DevSecOps processes, risks, and controls. Some of the key risks we considered included:
- whether organisational constraints prevent reaching acceptable maturity of DevOps practices and slow realisation of benefits
- low maturity of continuous deployment practices leading to delayed testing, rework, or poor releases
- lack of transparency and governance over existing DevOps practices leading to incidents and regulatory non-compliance.
There was a lack of strategic alignment between teams, which led to solutions developed not generating the expected value for the business. Through collaboration and early involvement, the auditors could identify in a timely manner areas where DevOps adoption was not meeting its intended objectives.
Security testing required enhancements to ensure the use of open-source software would not introduce critical vulnerabilities to the main codebase. The auditors also leveraged the existing tools and automations to better quantify and report on the business impact and risks associated with technology services.
The existing DevOps operating and support models could be expanded to realise the intended benefits. The auditors are continuously learning and upskilling through industry events and close collaboration with DevSecOps specialists to advise management on DevOps good practice guidelines.
Six steps to enhance your assurance practices
We also found ways to flip the DevOps challenges into opportunities for better, more robust assurance. There are several ways to leverage the innovations in DevOps and DevSecOps to improve the assurance process:
1 Increase collaboration
Encourage collaboration and communication between auditors, engineers and other teams in IT. Auditors should leverage the knowledge of specialists in the business to guide assessments of risk and whether appropriate mitigations are in place.
2 Maturity assessments
Perform a review of the maturity of DevOps and DevSecOps practices across the organisation, identifying strengths and weaknesses, with a view to adapting assurance practices and procedures. Auditors can also leverage the results of such a review when considering whether suggested audit actions could be feasibly implemented enterprise wide.
3 DevOps audit procedures
Taking learnings from how the technology function has adapted legacy software development practices to DevOps, tailor audit procedures to fit the DevOps context. Auditors should ensure that controls are designed and tested to accommodate the characteristics of DevOps environments.
4 Embedding security considerations
The DevOps industry is now ‘shifting left’ on security in a deliberate effort to embed security activities earlier in the process. Auditors should assess whether security controls are considered throughout the DevOps cycle, from requirements definition, access to tooling and the source code, to testing and handover to security teams for ongoing monitoring.
5 Continuous monitoring and reporting
Leveraging the existing automated monitoring tools, work with DevOps engineers to continuously assess controls, detect anomalies, and generate real-time reports. Auditors should use these to stay informed and provide timely insights to management.
6 Iterative audits
Regularly review and refine audit procedures based on feedback from the development and operations teams. As DevOps practices encourage iterative work patterns, auditors should also be prepared to update their scopes and testing in a similarly iterative manner.
DevOps practices are here to stay
DevOps can be used by organisations to drive innovation and a faster pace of software development and releases to meet business and customer needs. As such, this methodology is here to stay, and we can expect it to be adopted a lot more widely, especially across organisations that maintain their own software.
Audit and risk functions should be aware of the challenges this poses, and gaining assurance over DevSecOps controls is now a key concern. Addressing issues arising from DevOps adoption can also bring the potential for organisations to flip these challenges and create opportunities for better, more robust assurance in a dynamic environment.
For more insight and guidance, get in touch with Cristiana Mirosanu.