-
Audit of stand-alone annual accounts
At Grant Thornton Luxembourg, our team of experts is specialised in audits of stand-alone annual accounts.
-
Audit of consolidated annual accounts
Grant Thornton Luxembourg team of experts is specialised in providing audit services to a lot of multinational which have their administrative center located in Luxembourg for whom the consolidated annual accounts have to be audited.
-
Agreed-Upon Procedures Engagements
In the case of agreed-upon procedures engagement, Grant Thornton Luxembourg performs procedures particularly requested by the client/bank and reports on the findings.
-
GDPR-CARPA Certification
Grant Thornton Audit and Assurance is accredited by the Commission Nationale pour la Protection des Données (CNPD) to provide GDPR-CARPA certifications for organisations.
-
Forensic Audit
Grant Thornton Luxembourg has the forensic and business skills to deal with the most complex situations. A multi-disciplinary team of dedicated accountants in consultation with lawyers, IT consultants, insurance experts, valuation specialists and actuaries may be engaged when necessary.
-
Supervisory Auditor (Commissaire)
Grant Thornton Luxembourg has a dedicated team of experts committed to deliver services to reserved to Supervisory Auditor or "Commissaire aux Comptes".
-
Liquidation Audit
Grant Thornton Luxembourg has a dedicated team of experts committed to deliver services to reserved to liquidation audit "Commissariat à la liquidation".
-
Assurance Engagements
Grant Thornton Luxembourg have a dedicated team of experts committed to work on audit and assurance special engagements.
-
IFRS Services
At Grant Thornton Luxembourg, our experts can help you navigate the complexity of International Financial Reporting Standards (IFRS).
-
Valuation
Grant Thornton Luxembourg helps clients evaluate and implement various strategic alternatives through our comprehensive suite of corporate value consulting services. From opinions, board solutions and services, to valuation and modeling, we can assist you with value added services throughout the transaction lifecycle.
-
Governance, Risk & Compliance
Grant Thornton Luxembourg offers comprehensive services in Governance, Risk & Compliance (GRC) tailored to meet the evolving needs of businesses in today's dynamic regulatory environment. Our commitment is to provide personalised guidance and global expertise, ensuring that your company establish robust internal controls and navigates governance challenges effectively.
-
Structuring & Modeling
Grant Thornton Luxembourg offers workable solutions to maximise your value and deliver sustainable growth. Transactions or reorganisations are significant events in the life of a business, so the stakes are high for both buyers and sellers.
-
Data Protection and Privacy
EU General Data Protection Regulation (GDPR) - The real challenge consists of remaining compliant with GDPR and in being able to prove this compliance (accountability principle). Grant Thornton Luxembourg can help you with a tailored phase approach.
-
Sustainability services and impact reporting
At Grant Thornton, we recognise the need of our clients to operate responsibly and to meet the high standards posed by the sector they operate. We offer pragmatic, tailor-made solutions to our clients and we assist them to make the required transitions towards the implementation of sustainable business practices.
-
Whistleblowing services
Since May 2023, the Whistleblower Law has become effective in Luxembourg. What does this mean for your business? Our experts can advise and help you to set-up internal reporting channels and to comply with the new law.
-
Alternative Investment Services
Grant Thornton Luxembourg is a bespoke business partner to established Alternative Investment Fund (“AIF”) Managers (“AIFM”) as well as independent Managers launching start-up Funds and seeking for a single entry point in Luxembourg in order to set-up and manage their Luxembourg domiciled Funds.
-
Fund Administration
Fund Administration - Grant Thornton Luxembourg offers a full range of tailored solutions to our clients.
-
Registrar & Transfer Agency Services, Client Reporting
Grant Thornton Luxembourg provides investors with confirmations, final Contract Notes and regular statements upon finalisation of the Fund’s Net Asset Value, We handle all wire payments and transfers, including the processing of distribution dividend payments, and perform in-depth Anti-Money Laundering Counter Terrorism Financing and Know-Your Client due diligence checks on investors.
-
Fund set-up, Launch & Corporate life
High-quality product structuring and legal services have become a crucial tool enabling industry players to get through the major changes impacting their business development, strategy and organisation as a whole. Our Investment Management practice at Grant Thornton Luxembourg is your one-stop place for expert advice combining pragmatism and a unique in-depth knowledge of the Luxembourg market.
-
AML Compliance Services
Grant Thornton Luxembourg helps its Clients to keep compliant with AML-CTF laws and regulations and provide an expert skilled team.
-
Regulatory Reporting Delivery
Grant Thornton Luxembourg has set up a Business Process Outsourcing Solution that manages and mutualises regulatory expertise, reporting solutions and skilled human resources
-
Legal Support & Corporate Services
Grant Thornton Luxembourg delivers Legal Support & Corporate services.
-
Accounting & Reporting Services
Grant Thornton Luxembourg may explore the specific characteristics of your company in order to provide a personalised assistance in the fields of Accounting & Reporting services.
-
Corporate Tax Compliance
Grant Thornton Luxembourg may explore the specific characteristics of your company in order to provide a personalised assistance in the fields of corporate tax compliance.
-
Direct Corporate Tax Advice
Grant Thornton Luxembourg understand the complexity of national and international tax laws. We can unlock your potential for local and international growth.
-
VAT and Other Indirect Tax Compliance
Handling the day-to-day VAT compliance obligations requires being close to your business. Our VAT compliance business line assists you to ensure that long term reporting processes are implemented and respected with the aim of safeguarding a proper and timely VAT filing. This is important for achieving a VAT compliant environment and mitigating local VAT risks.
-
VAT and Other Indirect Tax Advice
Our VAT advisory business line is dedicated to keeping you up to date with amended VAT legislation and changes in the administrative practice in Luxembourg and worldwide with our Grant Thornton global VAT network. Specialists review and comment on new EU directives and the latest case law by the Court of Justice of the European Union in order to provide you with advice tailored to your specific needs.
-
Transaction & Reorganisation
Reorganisations - Transaction Planning - Tax Structuring - M&A. Companies strive to improve their market position with take-overs, mergers and demergers. Strategy and financial tactics are important elements in this respect. Grant Thornton tax specialists may intervene in all stages of the transaction.
-
Transfer Pricing
The laws surrounding transfer pricing are becoming ever more complex, as tax affairs of multinational companies are facing scrutiny from media, regulators and the public. Grant Thornton Luxembourg can help you manage your transfer pricing risks and find opportunities.
-
Tax - Financial Services & Operational Tax
Our Tax - Financial Services team provides tax advisory services relevant for the Financial Services Industries and Operational Tax assistance. This includes tax advice, automatic exchange of information (FATCA, CRS, DAC 6, DAC 7 and DAC 8), advisory and compliance assistance regarding the US Qualified Intermediary (QI) regime, assistance regarding withholding tax reclaims, investor tax reporting and tax structuring in the context of Islamic finance.
-
Personal Tax
Our experienced multilingual Personal Tax Team is keen to give you tailored solutions, optimise your situation and help you make decisions. We could assist you with: income tax returns, vat returns, tax assessments, contacts with the tax authorities and assistance by tax audit or tax litigation, tax matters advices, inheritance tax matters, international assignments and trainings.
-
Cross-Border Tax
Tax policies are constantly evolving and there are a number of complex changes on the horizon that could significantly affect your business. We can help you with practical advice such as VAT and direct tax.
-
Corporate Finance
Exploring the strategic options available to you as a business or shareholder, advising and project managing the chosen solution, Grant Thornton Luxembourg provide a truly integrated corporate finance offering. Merger & acquisition, buying a business, selling a business, transaction piloting,raising finance to support your business plans.Vendor due diligence, acquisition due diligence, reporting accountant work,operational due diligence, management assessment.
-
Expatriate Tax
Although international employment has become a standard practice in business life, employers and their assignees are still faced with numerous questions in this area. Grant Thornton Luxembourg can help you to be one step ahead.
-
Set-up, Restructuring & Business Planning
Grant Thornton Luxembourg is delighted to add value during the implementation of your businesses and to be given the opportunity to grow together with you. Relying on our professionals’ financial expertise will allow you to take dynamic but sustainable decisions.
-
Corporate Secretarial Services
Grant Thornton Luxembourg provides corporate secretarial services to enable our clients to comply with their legal and administrative obligations in Luxembourg.
-
Liquidation & Insolvency
Grant Thornton Luxembourg can draw on years of experience in the areas of liquidation and insolvency and then make sensible recommendations on how best to deal with your financial crisis.
-
Human Resources Management & Payroll
Grant Thornton Luxembourg has been delivering since 1987 Payroll and Human Resources services to private and institutional clients. A team of highly qualified collaborators manages around 7 000 payslips per month and offers related consulting services.
-
Information Security
Grant Thornton Luxembourg offers Information Security services with a strong security expertise to avoid data breaches. We also have dedicated resources for all your cybersecurity challenges.
-
MySmartOffice
Grant Thornton Luxembourg offers a new complete online accounting and consulting solution for SMEs named MySmartOffice to access financial and operational information instantly online.
Rules on the granting, validity, monitoring, renewal, suspension and withdrawal of GDPR-CARPA certification
Grant Thornton Audit and Assurance S.A., Luxembourg (“GTAA”) is responsible for and will retain authority for its decisions relating to certification, including the issuance, review, renewal or withdrawal of GDPR certification against the GDPR-CARPA criteria approved by the Commission Nationale pour la Protection des Données (the ‘CNPD’).
Granting a GDPR-CARPA certificate
The certification decision is taken after considering the information related to the evaluation (the fieldwork and its conclusions), its quality review and the issuance of the audit report. The certification decision in based on the evaluation documented in the ISAE3000 assurance report.
A positive certification decision is issued if the assurance report contains an unqualified opinion. In case of a qualified opinion, a positive certification decision could be issued for a reduced scope limited to the part of the subject matter that is not affected by the qualification.
The positive certification decision is followed by the granting of a GDPR certificate.
Summarised information for the certification decisions made by GTAA(whether or not they resulted in the granting of a GDPR certificate) is published on the GTAA’s website.
Validity, monitoring and renewal of the GDPR-CARPA certificate
Initial validity of the GDPR-CARPA certificate
The initial GDPR certificate:
- Is valid for a period that equals the period covered by the ISAE3000 assurance engagement (minimum 6 months, and maximum 1 year), provided that no significant changes to the certified activities occur in the processing activities during the period of validity of the certificate;
- Is valid from the date starting on the first day following the end of the period under review (Example: if the reviewed period was 1 January 2020 to 31 December 2020, the GDPR certificate is valid from 1 January 2021 through 31 December 2021).
Monitoring of the GDPR-CARPA certificate
GTAA performs monitoring on the certified activities within the period of the initial certification.
For the avoidance of doubt, the monitoring is not surveillance as defined by the ISO standards. The monitoring is the annual re-performance of the assurance audit for the purposes of extending the validity with one more year within the overall three-year certification period.
A GDPR-CARPA certificate could be renewed for up to 3 years, subject to:
- Yearly (at the ISAE3000 engagement anniversary) GTAA performs a new ISAE3000 assurance engagement with the same scope of processing activities covered by the initial GDPR certificate;
- Each assurance audit ends up with a positive certification decision;
- Should any of the subsequent assurance audits from the maximum 3-year period end up with a negative decision, the GDPR certificate could be suspended, reduced, terminated or withdrawn.
In practice:
Year 1: Evaluation of Year 0 and Certificication Year 1
Year 2: Evaluation of Year 1 and Certificication Year 2
Year 3: Evaluation of Year 2 and Certificication Year 3
Example: A GDPR certificate with a total validity of 3 years, period covered by the ISAE3000 assurance engagements is 12 months (starting 1 January)
|
Year 0 |
|
|
Year 1 |
Complete evaluation of year 0 (01 Jan Y0 through 31 Dec Y0) In case of a positive decision – GDPR certificate issued for 1 year (01 Jan Y1 through 31 Dec Y1) |
|
Year 2 |
Complete evaluation of year 1 (01 Jan Y1 through 31 Dec Y1) In case of a positive decision – GDPR certificate issued for year 2 (01 Jan Y2 through 31 Dec Y2) |
|
Year 3 |
Complete evaluation of year 2 (01 Jan Y2 through 31 Dec Y2) In case of a positive decision – GDPR certificate issued for year 3 (01 Jan Y3 through 31 Dec Y3) |
During the evaluations of each subsequent year within the overall 3-year period, the GTAA:
- Completes the acceptance procedures defined above, to ensure continuous independence and impartiality of the engagement team
- Performs the evaluation
- Performs an independent quality review
- Issues an assurance report and a certification decision.
When a GDPR certificate is renewed after its initial validity period, a new certification ID provided by the CNPD will be issued.
Changes affecting the certification
Changes not related to the client
Changes not related to the client may affect the GDPR certification by introducing changes to the certification mechanism. Such changes could originate (among others) from:
- Amendments to the data protection legislation
- Decisions of the EDPB
- Adoption of delegated acts of the European Commission in accordance with Article 43(8) and 43(9) from the GDPR (related to certification mechanisms)
- Court decisions related to data protection, etc.
In the event of such changes, the CNPD publishes the changes to the certification mechanism and communicates to the certification bodies (GTAA included) the conditions under which those changes shall be implemented, as well as a transition phase (at the end of which the implementation needs to be finalised).
At the occurrence of such changes, GTAA:
- Makes appropriate communication to all clients with active GDPR certificates
- Takes such actions that may be required by the CNPD
- Elaborates together with the client a corresponding action plan to ensure future compliance with the updated certification mechanism by implementing appropriate changes to be implemented in due course
- Verifies the implementation of the changes by the certified clients
- Plans respective actions during the next planned audit.
The implementation of the changes is assessed by GTAA in the course of the next planned audit. If the client fails to implement any or appropriate changes, during the subsequent audit GTAA may temporarily suspend or withdraw (partially or entirely) the GDPR certificate or issue a certification decision with a reduced scope.
Changes initiated by the client
Changes affecting the GDPR certification may be result from changes that have occurred at the client’s organisation, e.g., new information related to the fulfillment of the certification requirements obtained by GTAA after the certification has been established.
The client has a contractual obligation to inform GTAA of any and all changes affecting the client’s certified processing activities, prior to the changes’ occurrence and if this is not possible - immediately after the changes’ occurrence.
Upon receiving a notification that certain changes have occurred at the client’s, GTAA may require further information. Such additional information may require completion of formatted questionnaires or self-assessment forms to facilitate monitoring, and assessment of the impact of the changes and the respective further actions to be taken.
For the avoidance of doubt, GTAA does not have an obligation to exercise a constant surveillance over the client’s processing activities and changes thereto.
Upon client’s notification for the occurrence of new changes that affect the certification, GTAA undertakes the actions specified in the previous section above.
Termination, reduction, suspension or withdrawal of the certification
Termination and actions in case of non-conformity
Upon substantiating non-conformities with the certification criteria during an active GDPR certification (either as a result of an audit, or otherwise), the certification could be terminated, reduced, suspended or withdrawn.
- A GDPR certification could be terminated prior to the expiry of the certification’s validity upon the client’s request. No prior consultation with the CNPD is required.
- When a non-conformity with the certification requirements is substantiated (be it as a result of monitoring or otherwise) GTAA decides upon the appropriate actions in consultation with the CNPD. Appropriate actions could be:
- Continuation of the certification under conditions specified by GTAA
- The non-conformity concerns all or some of the certified processing activities;
- It is a minor non-conformity which does not affect the reasonable assurance provided on the ISAE 3000 report on the test of design and operating effectiveness Type 2 report; fixing the non-conformity is a process improvement;
- Possible conditions determined by GTAA and approved by the CNPD could be increased monitoring;
- The conditions determined by GTAA are assigned a specific deadline for completion. If the client fails to comply with the conditions/improve within the defined deadline, GTAA adheres to one of the following actions.
- Reduction in the scope of certification to remove the non-conforming processing activities
- The non-conformity concerns only part of the certified processing activities;
- The rest of the processing activities remain unaffected by the non-conformity and could continue to exist without connection to the defaulting processing activities;
- The certification scope gets reduced to remove the non-conforming processing activities:
- If a certificate has already been issued before, it is reissued with a new revision ‘ID’ for the same duration (i.e., ends on the same date as that initial certificate) but with a reduced scope.
- Suspension of the certification pending remedial action by the client
- The non-conformity concerns all certified processing activities, or the client as a whole;
- The non-conformity is of temporary nature and has a potential to be corrected within a reasonable fixed term (which by all means does not extend beyond the validity of the certificate);
- GTAA determines precise remedial actions to be actioned by the client and the certificate is suspended pending the remedial action;
- The certificate may be suspended also in case of pending investigation by GTAA or the CNPD;
- GTAA communicates to the client:
- The actions needed to end suspension and restore the certification
- Any other actions required by the certification mechanism, if any.
- If the non-conformity that caused the suspension is remediated by the client within the prescribed period, or if the investigation cleared the client, the suspension is lifted, and the certification remains valid;
- Client’s failure to action the remedial actions in the prescribed period, or the investigation allowed to reveal any non-conformities, results in reduction of the scope or withdrawal of certification.
- Withdrawal of the certification
- The non-conformity concerns all certified processing activities, or the client as a whole;
- The client has failed to satisfy the conditions or the remedial actions specified by GTAA, or
- The non-conformity is so grave that it is not worthy the above interim measures.
- Continuation of the certification under conditions specified by GTAA
GTAA reperforms the above re-evaluations only if the client agrees to remunerate the additional efforts according to a new offer prepared by GTAA. Client’s refusal to pay for the additional evaluation, review and certification decision shall be treated as a refusal of monitoring and/or refusal to rectify the non-conformity. This will result in reducing the scope or withdrawal of the existing certification.
Procedure in case of termination, suspension, reduction or withdrawal
(*) GTAA informs the CNPD of its decisions in the context of a change in a client’s certification status or scope and provides all relevant documentation to the CNPD.
Reinstatement of GDPR certification
Reinstatement of the (full) certification is possible after:
- Suspension, or
- Reduction in scope.
GTAA makes the necessary modifications to the formal certification documents, public information and the authorisations to use marks, in order to ensure that all appropriate indications exist that:
- The processing activities continue to be certified, or
- The reduced scope of certification is clearly communicated to the client and clearly specified in the certification documentation (and the updated GDPR certificate) and public information.
Any questions with respect to this procedure should be addressed to: gdpr.carpa@lu.gt.com
