-
Internal audit
In today's increasingly competitive and regulated market place, organisations - both public and private - must demonstrate that they have adequate controls and safeguards in place. The availability of qualified internal audit resources is a common challenge for many organisations.
-
IFRS
At Grant Thornton, our International Financial Reporting Standards (IFRS) advisers can help you navigate the complexity of financial reporting so you can focus your time and effort on running your business.
-
Audit quality monitoring
Having a robust process of quality control is one of the most effective ways to guarantee we deliver high-quality services to our clients.
-
Global audit technology
We apply our global audit methodology through an integrated set of software tools known as the Voyager suite.
-
Looking for permanent staff
Grant Thornton's executive recruitment is the real executive search and headhunting firms in Thailand.
-
Looking for interim executives
Interim executives are fixed-term-contract employees. Grant Thornton's specialist Executive Recruitment team can help you meet your interim executive needs
-
Looking for permanent or interim job
You may be in another job already but are willing to consider a career move should the right position at the right company become available. Or you may not be working at the moment and would like to hear from us when a relevant job comes up.
-
Practice areas
We provide retained recruitment services to multinational, Thai and Japanese organisations that are looking to fill management positions and senior level roles in Thailand.
-
Submit your resume
Executive recruitment portal
-
Update your resume
Executive recruitment portal
-
Available positions
Available positions for executive recruitment portal
-
General intelligence assessments
The Applied Reasoning Test (ART) is a general intelligence assessment that enables you to assess the level of verbal, numerical reasoning and problem solving capabilities of job candidates in a reliable and job-related manner.
-
Candidate background checks
We provide background checks and employee screening services to help our clients keep their organisation safe and profitable by protecting against the numerous pitfalls caused by unqualified, unethical, dangerous or criminal employees.
-
Valuations-migrated
Valuations
-
Capital markets
If you’re buying or selling financial securities, you want corporate finance specialists experienced in international capital markets on your side.
-
Corporate simplification
Corporate simplification
-
Expert witness
Expert witness
-
Family office services
Family office services
-
Financial models
Financial models
-
Forensic Advisory
Investigations
-
Independent business review
Does your company need a health check? Grant Thornton’s expert team can help you get to the heart of your issues to drive sustainable growth.
-
Mergers & acquisitions
Mergers & acquisitions
-
Operational advisory
Grant Thornton’s operational advisory specialists can help you realise your full potential for growth.
-
Raising finance
Raising finance
-
Restructuring & Reorganisation
Grant Thornton can help with financial restructuring and turnaround projects, including managing stakeholders and developing platforms for growth.
-
Risk management
Risk management
-
Transaction advisory
Transaction advisory
-
Valuations
Valuations
-
Human Capital Consulting
From time to time, companies find themselves looking for temporary accounting resources. Often this is because of staff leaving, pressures at month-end and quarter-end, or specific short-term projects the company is undertaking.
-
Strategy & Business Model
Strategy & Business Model
-
Process Optimisation & Finance Transformation
Process Optimisation & Finance Transformation
-
System & Technology
System & Technology
-
Digital Transformation
Digital Transformation
-
International tax
With experts working in more than 130 countries, Grant Thornton can help you navigate complex tax laws across multiple jurisdictions.
-
Licensing and incentives application services
Licensing and incentives application services
-
Transfer pricing
If your company operates in more than one country, transfer pricing affects you. Grant Thornton’s experts can help you manage this complex and critical area.
-
Global mobility services
Employing foreign people in Australia, or sending Australian people offshore, both add complexity to your tax obligations and benefits – and we can guide you through them.
-
Tax compliance and tax due diligence review services
Tax compliance
-
Value-Added Tax
Value-Added Tax
-
Customs and Trade
Customs and Trade
-
Service Line
グラントソントン・タイランド サービスライン
-
Business Process Outsourcing
Companies, large and small, need to focus on core activities. Still, non-core activities are important, and they need to be leaner and more efficient than most companies can make them sustainably. For Grant Thornton, your non-core activities are our core business. Grant Thornton’s experienced outsourcing team helps companies ensure resilience, improve performance, manage costs, and enhance agility in resourcing and skills. Who better to do this than an organisation with 73,000 accountants? At Grant Thornton we recognise that that outsourcing your F&A functions is a strategic decision and an extension of your brand. This means we take your business as seriously as we take our own.
-
Technology and Robotics
We provide practical digital transformation solutions anchored in business issues and opportunities. Our approach is not from technology but from business. We are particularly adept at assessing and implementing fast and iterative digital interventions which can drive high value in low complex environments. Using digital solutions, we help clients create new business value, drive efficiencies in existing processes and prepare for strategic events like mergers. We implement solutions to refresh value and create sustainable change. Our solutions help clients drive better and more insightful decisions through analytics, automate processes and make the most of artificial intelligence and machine learning. Wherever possible we will leverage your existing technologies as our interest is in solving your business problems – not in selling you more software and hardware.
-
Technical Accounting Solutions
The finance function is an essential part of the organisation and chief financial officer (CFO) being the leader has the responsibility to ensure financial discipline, compliance, and internal controls. As the finance function is critical in every phase of a company’s growth, the CFO role also demands attention in defining business strategy, mitigating risks, and mentoring the leadership. We offer technical accounting services to finance leaders to help them navigate complex financial and regulatory environments, such as financial reporting and accounting standards, managing compliance requirements, and event-based accounting such as dissolutions, mergers and acquisitions.
-
Accounting Services
Whether you are a local Thai company or a multinational company with a branch or head office in Thailand you are obliged to keep accounts and arrange for a qualified bookkeeper to keep and prepare accounts in accordance with accounting standards. This can be time consuming and even a little dauting making sure you conform with all the regulatory requirements in Thailand and using Thai language. We offer you complete peace of mind by looking after all your statutory accounting requirements. You will have a single point of contact to work with in our team who will be responsible for your accounts – no matter small or large. We also have one of the largest teams of Xero Certified Advisors in Thailand ensuring your accounts are maintained in a cloud-based system that you have access to too.
-
Staff Augmentation
We offer Staff Augmentation services where our staff, under the direction and supervision of the company’s officers, perform accounting and accounting-related work.
-
Payroll Services
More and more companies are beginning to realize the benefits of outsourcing their noncore activities, and the first to be outsourced is usually the payroll function. Payroll is easy to carve out from the rest of the business since it is usually independent of the other activities or functions within the Accounting Department. At Grant Thornton employees can gain access to their salary information and statutory filings through a specialised App on their phone. This cuts down dramatically on requests to HR for information by the employees and increases employee satisfaction. We also have an optional leave approval app too if required.
-
IBR Optimism of Thailand Mid-Market Leaders Suggests Potential Underestimation of Challenges Ahead: International Business Report, Q1 2024Bangkok, Thailand, April 2024 — The Grant Thornton International Business Report (IBR) for Q1 2024 unveils a strikingly optimistic outlook among Thailand's mid-market business leaders, juxtaposed with the looming challenges that will shape the nation's economic future. With a Business Health Index score of 13.5, Thailand outperforms its ASEAN, Asia-Pacific, and global counterparts, signaling a robust confidence that may overshadow critical issues such as demographic changes, skills shortages, and the necessity for digital advancement.
-
Workshop Corporate Strategy and Company Health Check WorkshopThroughout this workshop, we will delve into the life cycle of companies, examining the stages of growth, maturity, and adaptation. Our focus will extend to the current business environment, where your Company stands today, and how our evolving strategy aligns with the ever-changing market dynamics.
-
Tax and Legal update 1/2024 Introducing the New “Easy E-Receipt” Tax scheme with up to THB 50,000 in Tax DeductionsThe Revenue Department has introduced the latest tax scheme, the “Easy E-Receipt”, formerly known as “Shop Dee Mee Kuen”. This scheme is designed to offer individuals tax deductions in 2024.
-
TAX AND LEGAL Complying with the PDPA – A Balancing ActOrganisations must be aware of the circumstances in which they are allowed to collect data to comply with Thailand’s Personal Data Protection Act.
Technology companies must adopt a new approach to digital risk
Jutting out into Austria’s skyline, emerging from the surrounding forest, lies an ancient medieval wonder – Hochosterwitz Castle. The thousands of tourists that flock here every year soon learn a surprising fact: it is one of only a very small number of castles around the world that has never been breached.
Its inhabitants thank Baron George Khevenhüller. He knew that holding the castle was strategically important to the region. Fearing an onslaught of marauding armies, he ordered the construction of a series of 14 fortified gates on its gentlest slope, the most likely avenue of attack. Each has a unique defence structure designed to flummox invaders. It worked. The most successful conqueror only reached the fourth gate.
Today’s technology companies can learn something from Khevenhüller. They may not fear foreign conquerors, but they do face attack from malicious actors that are set on stealing their IP or the personal data they hold.
Like Khevenhüller, they must identify the assets that are most important, consider the most likely lines of attack, and tailor a defensive strategy accordingly.
Of course, a holistic digital risk strategy (which should span cyber security and data privacy risk across the enterprise) must incorporate more than defending against cyberattack. Ever stricter data protection regulation, not to mention the public’s growing awareness of privacy, means technology companies must regularly reexamine privacy controls. Data asset categorisation is essential in this process too.
Technology companies are most vulnerable
The annual global cost of cybercrime is estimated to hit US$6tn in 2021, up from US$3tn in 2015.(i) James Arthur, partner and head of cyber consulting at Grant Thornton UK agrees. “Technology companies are particularly impacted.”
“It is important for technology companies to develop a digital risk strategy based on their most strategically important data assets,” says James. “After all, they typically hold more data than non-tech companies and often lead the way in adopting new technologies, which can create cyber vulnerabilities.”
B2C technology companies also house and process huge volumes of sensitive, personal information. It is therefore no surprise that IT was the most targeted sector for web application cyber-attacks last year.(ii)
Added together (and as revealed in our previous cyber research) this means that technology companies are now more vulnerable to cyber attacks and customer data breaches than ever before. This not only exposes them to hefty regulatory fines, but also business-crippling reputational damage.
Get ahead of regulators
In the last three years, technology companies made great efforts to comply with new data privacy and protection regulations, not least GDPR. Most large technology companies are now compliant, but they must remain vigilant. Data protection regulations are becoming stricter and the penalties for non-compliance are increasing. What’s more, customers are becoming more aware of privacy issues and are prepared to punish companies for not taking it seriously.
Technology companies must respond by going above and beyond the minimum required by the regulator on privacy. “Tech companies today need to go beyond the basics to ensure compliance because these companies service their clients in a regulated industry and are largely data controllers, while their clients may be data processors,” confirms Akshay Garkel, advisory partner at Grant Thornton India.
“Cloud service providers may be required to maintain 10 out of 20 (for example) data controls for minimum compliance. But they shouldn’t stop there. In the spirit of ensuring security and privacy they might want to go at least four or five notches above the minimum expected from the regulator because clients will demand it.”
The tightrope between privacy and analytics
But a careful balance must be struck. Customers will appreciate technology companies going the extra mile on privacy, but not if it restricts their ability to receive personalised offers or the development of products tailored to their individual needs.
Individual companies aside, overbearing privacy law prevents the use of data to drive positive societal outcomes, be that in relation to healthcare, disease monitoring or traffic accident reduction. So, governments and regulators must also be careful not to enact overly restrictive privacy laws.
“The balance between data protection and using data for the public good is a key debate for society,” says Nick Watson, partner and technology sector lead at Grant Thornton UK. “Germany has very strong privacy rules, but this has resulted in traffic accident data not being collected on particular stretches of roads. Therefore, they weren’t able to collect data that would have pinpointed a particular accident hotspot. You could take data privacy to a level where even non-personalised data is not collated on a group-wide, anonymous basis. In this case society would lose out.”
The middle-man in surveillance
Judging how far to go on privacy has become more complex because, like it or not, many technology companies are now surveillance intermediaries. Whether it be messages sent on social media, recordings from Echo devices or location data stored on smart phones, technology companies possess information that is useful for fighting crime.
There is no question that they must comply with the law regarding requests for information, but they have discretion over how swiftly they reply and the depth of information they provide.
Many now wonder whether law enforcement data requests should be processed without question, or heavily scrutinised in the interest of preserving privacy.
In the past, some technology companies resisted rather than cooperated with law enforcement. But as technology companies unwittingly accumulate more and more vital evidence, there is controversy in some markets about which data is shared, how much and for what purpose.
After all, being perceived as uncooperative with counter-terrorism forces is far more damaging than not adhering to the absolute strictest privacy standards.
Strengthen protection of digital assets
How should technology businesses respond to rising digital risk? First and foremost, they must classify, categorise and map out their digital assets to understand the specific risks and value associated with them.
Armed with this insight, they should develop and implement a nuanced, risk-based digital risk strategy that fortifies the digital crown jewels – those deemed most critical to the business and its customers.
Of course, one company’s most valuable data may be completely unimportant to another. For example, fintech companies highly value customers’ financial information, entertainment technology companies place high importance on consumer preference data and high-tech companies treasure their IP.
This approach sounds sensible. But a surprisingly large number of technology companies do not do this, and instead rely on an outdated one-size-fits-all approach to cyber security and data privacy based on perimeter security.
Orus Dearman, managing director of risk advisory services at Grant Thornton US, explains how this classification process can lead to practical change that reduces vulnerability.
“We assisted a technology company client in performing a data categorisation process to enable them to efficiently identify sensitive and personal information within their databases and networks as part of an overall data inventory. This allowed the company to deploy data protection resources where they are needed and would have the most impact,” he says. “Now, if anyone wants to change anything to do with this data or these systems, the privacy team is brought into the process as part of the workflow.”
Bin useless data
In contrast, data revealed to be not at all useful to the business and not required for regulatory and compliance purposes should be deleted or appropriately anonymised. This reduces the risk of it being compromised.
Naturally, technology companies can be reluctant to delete information due to concerns they might need it for an audit or that it is essential for something they are unaware of. Data mapping helps realise interdependencies, which can assist in deleting data.
But data asset categorising doesn’t just reduce risk. It also creates value. This exercise might identify a dataset or combination of datasets that can be used to improve the efficiency of internal operations or gain insight into customer preferences.
When strategy changes, so should data categorisation
Technology companies must remember two things when profiling data assets. First, it is not a one-off exercise. They must constantly map out their digital assets as the nature of the threat changes and as their business priorities evolve.
Second, this task cannot be left to the information security officer or head of IT. It is a critical business decision that must align to business objectives. Senior business leaders must be involved in the process.
Drive competitive advantage through trust
There is a real opportunity for B2B technology companies to market themselves around digital trust. Those that demonstrate readiness to respond to a cyber threat, responsibly handle customer data and empower customers to manage privacy controls stand to gain a competitive advantage.
To start building trust, technology companies must offer value-added cyber security solutions such as malware and ransomware screening that plugs vulnerabilities as part of their core offering. Customers will also be impressed with suppliers that conduct comprehensive cyber security audits and produce independent assurance reports.
“Reports that demonstrate capability, security, and a serious commitment to risk management (such as SOC2 or ISAE3402) are without question a way for technology companies to differentiate themselves from the competition,” says Matthew Green, technology advisory partner at Grant Thornton Australia. “The more astute clients are now starting to ask for the validation and the ongoing assurance that the organisation is maintaining an appropriate level of data security and are requesting those reports as a way of demonstrating it.”
There are a number of security standards that technology companies can use to demonstrate best practice digital resilience. But because every technology company is different, these merely provide a starting point. Technology companies should evaluate what their customers want when it comes to privacy and security and prioritise this.
Consumers value control
The jury is out on whether B2C technology can truly differentiate themselves through digital trust. Still, there is no harm in making it incredibly easy for customers to identify and delete data that is held about them and manage privacy settings.
B2C technology companies must also make privacy policies crystal clear. Today, most are displayed in tiny lettering across multiple pages, making them impossible to decipher.
“Privacy should be an enabler and not hinder innovation. Companies who have embraced good privacy practices should use that as a branding platform in the market,” confirms Orus.
“Clearly communicating privacy policies in a transparent way is essential. The general trend for technology companies is to develop a user hub that allows users to see what data is being held about them and allows them to opt in and out of various things."
"Privacy regulations such as the GDPR and upcoming California Consumer Privacy Act (CCPA) require clear and concise privacy notices for applicable data subjects. However, for those of us that don’t fall into the GDPR or CCPA buckets, many user agreements are over a hundred pages long, so they can still be made more user-friendly.”
Our five recommendations
Technology companies should implement the following recommendations to build and maintain digital trust:
- Categorise data assets according to their strategic importance. Those that will disrupt the business or customer experience or cause untold reputational damage if compromised should be heavily protected.
- Regularly review your data asset categorisation in collaboration with senior business leaders. This categorisation must align with business objectives, which may change over time.
- Don’t just think about the minimum required from the regulator when implementing data protection controls. Instead, consider what regulations may look like in the future.
- Collaborate fully with valid requests for data and information and know the extent to which data should be provided.
- Demonstrate your commitment to data protection by having your cyber risk practices tested regularly by an independent third-party. This will help to build trust.
When it comes to protecting your business to become immune to a cyber attack or data breach, one size does not fit all. However, technology companies can bolster their resilience by applying some or all of these recommendations so long as they tailor their actions to suit their unique position, and that of their clients.
Footnotes