-
Audit of stand-alone annual accounts
At Grant Thornton Luxembourg, our team of experts is specialised in audits of stand-alone annual accounts.
-
Audit of consolidated annual accounts
Grant Thornton Luxembourg team of experts is specialised in providing audit services to a lot of multinational which have their administrative center located in Luxembourg for whom the consolidated annual accounts have to be audited.
-
Agreed-Upon Procedures Engagements
In the case of agreed-upon procedures engagement, Grant Thornton Luxembourg performs procedures particularly requested by the client/bank and reports on the findings.
-
GDPR-CARPA Certification
Grant Thornton Audit and Assurance is accredited by the Commission Nationale pour la Protection des Données (CNPD) to provide GDPR-CARPA certifications for organisations.
-
Forensic Audit
Grant Thornton Luxembourg has the forensic and business skills to deal with the most complex situations. A multi-disciplinary team of dedicated accountants in consultation with lawyers, IT consultants, insurance experts, valuation specialists and actuaries may be engaged when necessary.
-
Supervisory Auditor (Commissaire)
Grant Thornton Luxembourg has a dedicated team of experts committed to deliver services to reserved to Supervisory Auditor or "Commissaire aux Comptes".
-
Liquidation Audit
Grant Thornton Luxembourg has a dedicated team of experts committed to deliver services to reserved to liquidation audit "Commissariat à la liquidation".
-
Assurance Engagements
Grant Thornton Luxembourg have a dedicated team of experts committed to work on audit and assurance special engagements.
-
IFRS Services
At Grant Thornton Luxembourg, our experts can help you navigate the complexity of International Financial Reporting Standards (IFRS).
-
Valuation
Grant Thornton Luxembourg helps clients evaluate and implement various strategic alternatives through our comprehensive suite of corporate value consulting services. From opinions, board solutions and services, to valuation and modeling, we can assist you with value added services throughout the transaction lifecycle.
-
Governance, Risk & Compliance
Grant Thornton Luxembourg offers comprehensive services in Governance, Risk & Compliance (GRC) tailored to meet the evolving needs of businesses in today's dynamic regulatory environment. Our commitment is to provide personalised guidance and global expertise, ensuring that your company establish robust internal controls and navigates governance challenges effectively.
-
Structuring & Modeling
Grant Thornton Luxembourg offers workable solutions to maximise your value and deliver sustainable growth. Transactions or reorganisations are significant events in the life of a business, so the stakes are high for both buyers and sellers.
-
Data Protection and Privacy
EU General Data Protection Regulation (GDPR) - The real challenge consists of remaining compliant with GDPR and in being able to prove this compliance (accountability principle). Grant Thornton Luxembourg can help you with a tailored phase approach.
-
Sustainability services and impact reporting
At Grant Thornton, we recognise the need of our clients to operate responsibly and to meet the high standards posed by the sector they operate. We offer pragmatic, tailor-made solutions to our clients and we assist them to make the required transitions towards the implementation of sustainable business practices.
-
Whistleblowing services
Since May 2023, the Whistleblower Law has become effective in Luxembourg. What does this mean for your business? Our experts can advise and help you to set-up internal reporting channels and to comply with the new law.
-
Alternative Investment Services
Grant Thornton Luxembourg is a bespoke business partner to established Alternative Investment Fund (“AIF”) Managers (“AIFM”) as well as independent Managers launching start-up Funds and seeking for a single entry point in Luxembourg in order to set-up and manage their Luxembourg domiciled Funds.
-
Fund Administration
Fund Administration - Grant Thornton Luxembourg offers a full range of tailored solutions to our clients.
-
Registrar & Transfer Agency Services, Client Reporting
Grant Thornton Luxembourg provides investors with confirmations, final Contract Notes and regular statements upon finalisation of the Fund’s Net Asset Value, We handle all wire payments and transfers, including the processing of distribution dividend payments, and perform in-depth Anti-Money Laundering Counter Terrorism Financing and Know-Your Client due diligence checks on investors.
-
Fund set-up, Launch & Corporate life
High-quality product structuring and legal services have become a crucial tool enabling industry players to get through the major changes impacting their business development, strategy and organisation as a whole. Our Investment Management practice at Grant Thornton Luxembourg is your one-stop place for expert advice combining pragmatism and a unique in-depth knowledge of the Luxembourg market.
-
AML Compliance Services
Grant Thornton Luxembourg helps its Clients to keep compliant with AML-CTF laws and regulations and provide an expert skilled team.
-
Regulatory Reporting Delivery
Grant Thornton Luxembourg has set up a Business Process Outsourcing Solution that manages and mutualises regulatory expertise, reporting solutions and skilled human resources
-
Legal Support & Corporate Services
Grant Thornton Luxembourg delivers Legal Support & Corporate services.
-
Accounting & Reporting Services
Grant Thornton Luxembourg may explore the specific characteristics of your company in order to provide a personalised assistance in the fields of Accounting & Reporting services.
-
Corporate Tax Compliance
Grant Thornton Luxembourg may explore the specific characteristics of your company in order to provide a personalised assistance in the fields of corporate tax compliance.
-
Direct Corporate Tax Advice
Grant Thornton Luxembourg understand the complexity of national and international tax laws. We can unlock your potential for local and international growth.
-
VAT and Other Indirect Tax Compliance
Handling the day-to-day VAT compliance obligations requires being close to your business. Our VAT compliance business line assists you to ensure that long term reporting processes are implemented and respected with the aim of safeguarding a proper and timely VAT filing. This is important for achieving a VAT compliant environment and mitigating local VAT risks.
-
VAT and Other Indirect Tax Advice
Our VAT advisory business line is dedicated to keeping you up to date with amended VAT legislation and changes in the administrative practice in Luxembourg and worldwide with our Grant Thornton global VAT network. Specialists review and comment on new EU directives and the latest case law by the Court of Justice of the European Union in order to provide you with advice tailored to your specific needs.
-
Transaction & Reorganisation
Reorganisations - Transaction Planning - Tax Structuring - M&A. Companies strive to improve their market position with take-overs, mergers and demergers. Strategy and financial tactics are important elements in this respect. Grant Thornton tax specialists may intervene in all stages of the transaction.
-
Transfer Pricing
The laws surrounding transfer pricing are becoming ever more complex, as tax affairs of multinational companies are facing scrutiny from media, regulators and the public. Grant Thornton Luxembourg can help you manage your transfer pricing risks and find opportunities.
-
Tax - Financial Services & Operational Tax
Our Tax - Financial Services team provides tax advisory services relevant for the Financial Services Industries and Operational Tax assistance. This includes tax advice, automatic exchange of information (FATCA, CRS, DAC 6, DAC 7 and DAC 8), advisory and compliance assistance regarding the US Qualified Intermediary (QI) regime, assistance regarding withholding tax reclaims, investor tax reporting and tax structuring in the context of Islamic finance.
-
Personal Tax
Our experienced multilingual Personal Tax Team is keen to give you tailored solutions, optimise your situation and help you make decisions. We could assist you with: income tax returns, vat returns, tax assessments, contacts with the tax authorities and assistance by tax audit or tax litigation, tax matters advices, inheritance tax matters, international assignments and trainings.
-
Cross-Border Tax
Tax policies are constantly evolving and there are a number of complex changes on the horizon that could significantly affect your business. We can help you with practical advice such as VAT and direct tax.
-
Corporate Finance
Exploring the strategic options available to you as a business or shareholder, advising and project managing the chosen solution, Grant Thornton Luxembourg provide a truly integrated corporate finance offering. Merger & acquisition, buying a business, selling a business, transaction piloting,raising finance to support your business plans.Vendor due diligence, acquisition due diligence, reporting accountant work,operational due diligence, management assessment.
-
Expatriate Tax
Although international employment has become a standard practice in business life, employers and their assignees are still faced with numerous questions in this area. Grant Thornton Luxembourg can help you to be one step ahead.
-
Set-up, Restructuring & Business Planning
Grant Thornton Luxembourg is delighted to add value during the implementation of your businesses and to be given the opportunity to grow together with you. Relying on our professionals’ financial expertise will allow you to take dynamic but sustainable decisions.
-
Corporate Secretarial Services
Grant Thornton Luxembourg provides corporate secretarial services to enable our clients to comply with their legal and administrative obligations in Luxembourg.
-
Liquidation & Insolvency
Grant Thornton Luxembourg can draw on years of experience in the areas of liquidation and insolvency and then make sensible recommendations on how best to deal with your financial crisis.
-
Human Resources Management & Payroll
Grant Thornton Luxembourg has been delivering since 1987 Payroll and Human Resources services to private and institutional clients. A team of highly qualified collaborators manages around 7 000 payslips per month and offers related consulting services.
-
Information Security
Grant Thornton Luxembourg offers Information Security services with a strong security expertise to avoid data breaches. We also have dedicated resources for all your cybersecurity challenges.
-
MySmartOffice
Grant Thornton Luxembourg offers a new complete online accounting and consulting solution for SMEs named MySmartOffice to access financial and operational information instantly online.
GDPR-CARPA Evaluation approach
GDPR-CARPA stands for GDPR-Certified Assurance-Report based Processing Activities certification mechanism
It is developed by the Commission Nationale pour la Protection des Données (the ‘CNPD’) in Luxembourg with the objective to provide the data controllers and/or data processors with a high level of reasonable assurance that they have set up, implemented and that they are operating technical and organisational measures to comply with the GDPR for the processing activities in scope of the certification.
The GDPR-CARPA certification scheme is a voluntary process to assist controllers and/or processors in supporting their demonstration of compliance with the GDPR to other businesses, to a supervisory authority or to the data subjects, meaning that they demonstrated the existence and implementation of appropriate measures for the protection of personal data as required by the GDPR.
Grant Thornton Audit and Assurance S.A., Luxembourg as a certification body
Grant Thornton Audit and Assurance S.A., Luxembourg (“GTAA”) is officially accredited by the Commission Nationale pour la Protection des Données (the ‘CNPD’) in Luxembourg to provide GDPR-CARPA certification services against the GDPR-CARPA certification criteria.
Certification process
GTAA has defined a step-by-step approach toward certification.
- Application for certification and acceptance
- Engagement set-up
- Execution of the audit and evaluation
- Assurance report
- Certification decision and delivery of the certification
- Monitoring of the certified activities
- Annual re-certification
1. Application for certification and acceptance
Any applications for GDPR certification services are reviewed by GTAA to make sure that the subject matter of certification is aligned with the admissibility criteria of the GDPR-CARPA scheme, and that there are no professional or independence restrictions for GTAA to get involved in the attestation engagement.
GTAA may reject an application for GDPR certification services, or refuse to maintain a contract with an existing client, if fundamental or demonstrated reasons exist (as specifically related to the scope of certification), such as:
- The (potential) client participating in illegal activities, having history of repeated non-compliances with certification requirements, or similar client related issues, OR
- The application, the (potential) client, the requested services or the existing services conflict with GTAA’s standards and polices established on a local or group level; OR
- The (potential) client and/or engagement (no longer) satisfy GTAA’s acceptance and continuance requirements.
Once the certification application is accepted, GTAA adheres to drafting and sharing the proposal, including relevant details about the scope, fee and planning.
2. Engagement set-up
Upon confirmation of the proposal, GTAA will propose an engagement letter which outlines the terms of the ISAE 3000 attestation engagement in alignment of the professional standards applicable to the audit profession, as well as the GDPR-CARPA specific requirements of the GDPR-CARPA certification scheme. Depending on the arrangements with the prospect client, the engagement could envisage the issuance of an ISAE 3000 report on the test of design first, and an ISAE 3000 report on the test of design and operational effectiveness at a later point in time.
The ISAE 3000 engagement on the test of design provides assurance over the fairness of the presentation and description of the client entity’s system and the suitability of design and implementation of the controls as at a specific date. The ISAE 3000 engagement on the test of design and operational effectiveness provides additional assurance over the operating effectiveness of the controls throughout the evaluated period.
The ISAE 3000 report on the test of design might be used in a transition phase towards obtaining an ISAE 3000 assurance report on the test of design and operational effectiveness. A GDPR certificate is effectively supported only by an ISAE 3000 assurance report on the test of design and operational effectiveness.
3. Execution of the audit and evaluation
During the audit GTAA focuses on evaluating the design and operational effectiveness of the data protection controls in place for the processing activities in scope based on the GDPR-CARPA certification criteria. During the evaluation GTAAuses appropriate evaluation methods as defined by ISAE3000 that consider the specifics of the mandate’s scope and client’s organisation. The evaluation methods may involve different procedures or a combination thereof (inspection, observation, confirmation, re-performance and inquiry).
4. Assurance report
This phase involves the review of the audit activities by the lead auditor and the quality reviewer. The output of this phase results in a certification decision.
5. Certification decision and delivery of the certification
The certification decision in based on the evaluation documented in the ISAE3000 assurance report.
A positive certification decision is issued if the assurance report contains an unqualified opinion. In case of a qualified opinion, a positive certification decision could be issued for a reduced scope limited to the part of the subject matter that is not affected by the qualification.
The positive certification decision is followed by the issuance of a GDPR certificate. Information for all certification decisions is kept public on GTAA’s website.
6. Monitoring of the certified activities
GTAA performs monitoring on the certified activities within the period of the initial certification. The monitoring is the annual re-performance of the assurance audit for the purposes of extending the validity with one more year within the overall three-year certification period.
7. Annual re-certification
The initial GDPR certificate is valid for a period that equals the period covered by the ISAE 3000 assurance engagement (minimum 6 months, and maximum 1 year) and could be renewed for up to 3 years. Every year (at the ISAE 3000 engagement anniversary) GTAA performs a new ISAE3000 assurance engagement for the same scope of processing activities covered by the initial GDPR certificate.
Evaluation approach
GTAA plans and implements the evaluation activities to allow performance of a review in an effective manner in terms of scope, timing, direction of the engagement.
Evaluation methods include, where applicable:
- A method for assessing the necessity and proportionality of processing operations in relation to their purpose and the data subjects concerned;
- A method for evaluating the coverage, composition and assessment of all risks considered by controller and processor with regard to the legal consequences pursuant to Articles 30, 32 and 35 and 36 GDPR, and with regard to the definition of technical and organisational measures pursuant to Articles 24, 25 and 32 GDPR, insofar as the aforementioned Articles apply to the object of certification, and
- A method for assessing the remedies, including guarantees, safeguards and procedures to ensure the protection of personal data in the context of the processing to be attributed to the object of certification and to demonstrate that the legal requirements as set out in the criteria are met; and
- Documentation of methods and findings.
The evaluation methods are reviewed and re-adjusted at the occurrence of relevant changes, such as changes in the legal framework, the relevant risks, the state of the art and the implementation costs of technical or organisational measures.
Process to ensure impartiality
GTAA has well established processes to ensure the impartiality of the certification services all along the certification process. Risks to impartiality are monitored and identified in accordance with the procedures in place. In order to safeguard impartiality, GTAA follows the restrictions on providing audit and not-audit services to the client.
Any potential impartiality or conflict of interest issues are documented and resolved prior to client and/or engagement acceptance.
Any questions should be addressed to: gdpr.carpa@lu.gt.com
