IT and Business Resilience

As the business environment becomes more complex, resilience continues to climb the agenda of organisations.

There has been countless examples of businesses brought to their knees by a lack of foresight or poor IT and crisis management. These events highlight the shortcomings of traditional risk management and lack of capabilities, tools and approach in organisations needed to survive and prosper in an age of uncertainty. Business resilience builds on the principles of business continuity but extends much further to help enhance your organisation’s immune system so you are able to tackle challenges, fend off illness and bounce back more quickly.

IT Attestation Report / Assurance Report

IT Attestation Report / Assurance Report

Companies are more and more relying on systems and technology which are outsourced to specialised third party providers such as data providers, distributed ledger technology platform, IT infrastructure and cloud computing resources. They are also struggling keeping a sustainable and monitored internal IT control environment. IT attestation report is the solution to restore the level of trust with internal and external parties and, to take your IT control environment to the next level.

In addition, with the recent introduction of new regulatory and compliance requirements, many organisations are struggling to understand, react, and respond to the implications of these standards.

PwC’s IT Attestation practice helps organisations satisfy third-party risk and compliance assurance requirements and demonstrate the integrity of their control environment. Our team can provide IT controls reports using ISAE3000 and SOC2 standards on the following domains:

  • IT outsourced activities

  • NIST Framework

  • Cyber Security

  • Blockchain (Crypto and Smart Contract)

  • Swift CSP

  • Data management and Data Governance

  • ISO27001 controls

  • Local and European regulatory requirements

Business Continuity, Crisis Management and Resilience

"Business Resilience is the organisation's capacity to anticipate, prepare, react and adapt in periods of crisis."

The Covid-19 outbreak has been declared a public health emergency of international concern by the World Health Organisation, causing huge impact on people's lives, businesses and communities.

This situation has put in the spotlight, either positively or negatively, the organisations capacity to anticipate, prepare, react and adapt in periods of crisis. Business Resilience is all about that!

To assist you in this journey, our team has developed practical expertise and customised solutions to help organisations in Luxembourg, and around the world, build resilience solutions that work in practice, from capability reviews to crisis rehearsals.

Your Challenge

Business Continuity, Crisis Management and Resilience

Prepare to be Resilient

Prepare to be Resilient

  • BCMS & Crisis maturity assessments

  • Review and update of the Crisis Management, BCP and DRP plans

  • Test yourself through “Live” Crisis Simulations and Virtual Reality technics

  • Make your employees people aware and trained

  • Audit your IT systems and Critical Third Party Provider

  • Use new technology to facilitate your BCMS management

Respond to stay Resilient

Respond to stay Resilient

  • Use of Computer Security Incident Response Team

  • Use of Forensic support

  • Apply the right communication skills and have an adequate stakeholder mapping (incl. social networks)

  • Use of Data Breach detection & notification technics

  • Prepare your HR for psychologist assistance

  • Legal and regulatory (CNPD, CSSF, ECB)

Emerge Stronger, emerge Resilient

Emerge Stronger, emerge Resilient

  • New normal assistance (HBW) / Covid360° assessment

  • Update your plans with lessons learned (BCP / DRP)

  • Review your IT recovery strategy and “looking around the corner”

  • Review your insurance agreements

  • Market and brand review

Some practical questions to think about during Covid-19 period

Physical Security

  • What is the plan if someone infected or exposed to the virus comes to the office?

  • Should you activate your Business Recovery Center in a quarantine context?

  • Have you limited/stopped staff and clients events?

  • Are you carrying out training or information sessions to educate your team?

  • Have you implemented additional sanitary or health measures in your premises?

  • Do you have a crisis communication plan to notify stakeholders on the latest developments?

Sanitary measures

  • Have you hired a specialised disinfection company to clean up your building?

  • Have you placed hydroalcoholic gel in all key areas of your buildings (e.g. main entrances, stairs, toilettes)?

  • Do you have paper towels in restrooms?

Travel Advice

  • Is there a procedure for employees to declare professional and private travels?

  • Have you set up an information mechanism for your team to keep up to date on the latest developments of the outbreak, for instance, the list of countries considered as risky?

  • Are you monitoring travels in affected countries?

  • Have you defined procedures of guidance before, during and after a trip?

Remote working solutions

  • Are IT systems ready to handle a large amount of remote connections (i.e. VPN, Citrix)?

  • Do your employees know how to remotely connect flawlessly and the IT Security rules when teleworking?

  • Are key software applications available remotely?

  • Are your Business Continuity Planning (BCP) / Disaster Recovery Planning (DRP) up to date?

Social Security

  • How do you count a day at home? 

  • Where will the individual working at home be subject to social security (25% rule)? 

  • How to organise administrative obligations (e.g. A1)? 

  • What's the consequence of moving social security systems (cost benefits administration)?

  • Are there social security planning opportunities?

Personal Tax

  • How do you count a day at home? 
  • When doing remote work, have you defined:
    • How is income tax reported and paid? 
    • What relief, if any, is there for double taxation? 
    • Do employees need to complete any personal tax registrations? 
    • How to report Luxembourg source income/benefits in the country of residence?


Consider these questions when implementing the quarantine,

  • Have you given clear instructions to your employees on what they should do if:
    • they have travelled and just come back from an infected area;
    • their family/friends from an infected area are visiting (or returning back from a trip) them;
    • their partner is placed in quarantine;
    • they have planned a trip for professional/personal purposes in an area which is now infected;
  • they feel sick (cough, fever, breathing troubles…).
  • Do you have a specific plan for vulnerable/sensitive persons (e.g. pregnancy, intensive care, …)?
  • If your employee has been in close contact with an infected person:
    • What is the mechanism to declare it?
  • Contact with Social and Tax authorities.

IT risks management and audits

IT risks management and audits

Our reliance on technology to enable day to day activities has skyrocketed; we check into flights on-line, access hotel rooms with our mobiles, do online banking. We don’t really think about it until something goes wrong. In the past, companies could be forgiven for occasional system interruptions. Not anymore. With so much of our lives dependent on technology, the ability to “keep the lights on” is becoming a business imperative.

But organisations are challenged by the complexity of the IT services, with layers of infrastructure and multiple service and process interdependencies. And they face the increasing frequency and sophistication of cyber attacks. You need a holistic view of the IT landscape, of all your IT risks and you need to design the right IT governance and IT risk management processes to better manage the risk.

At PwC Luxembourg, we have developed a number of solutions and expertise that help you overcome these challenges and we can assist you on the following domain:

  • Cyber security audit (ISO27001, NIST, Swift CSP)

  • IT Licensing management review

  • Project / migration assurance

  • Data Privacy IT audit

  • End User Computing (EUC) management review

  • RPA audit

  • IT system audit (e.g. SAP, Olympic, T24, Avaloq…)

  • IT risk and regulatory gap assessment

  • Cloud Computing audit

  • IT Outsourcing review

IT for Internal Audit

IT for Internal Audit

The economic environment is changing, triggered by ongoing disruption from emerging technologies and new operating models, the change driven by new market entrants or an increase in the customer expectation level. 

In this context, the internal audit function has to deliver insight and value into key current and emerging risk areas of your business. 

Through the below process, PwC Internal Audit specialists can assist you to deliver insight and value the audit of your IT universe.


Your Challenge

  • Preliminary assessment of your IT universe from an internal audit view
  • Prioritisation of in scope areas for IT reviews
  • Developing your IT audit roadmap within your 3 years audit plan 
  • Designing of targeted and impactful work programs
  • Usage of new tools / new approaches during each mission
  • Keeping Internal skills and competencies up to date
  • Having deeper and more insightful findings, based on your IT universe.
  • Automation of audit observations followup

How we can help

Preliminary IT Assessment

We will support you to perform the preliminary IT assessment based on COBIT 2019 framework, in order to identify the most relevant IT domains for future IT Internal Audit missions.


IT Internal Audit Domains

In order to define the detailed scope of IT Internal Audit missions, we propose to use a set of 12 IT Internal Audit Domains, that is based on several best practice frameworks and regulatory requirements (e.g. COBIT, CIS, ISO 27k, NIST, EBA Guidelines), for which we have identified the key areas to be in scope of the review.


Mission setup

PwC can support you during the IT reviews, through different tailored solutions:

  • Outsourcing your IT Internal Audit activity
  • Co-sourcing on our IT Internal Audit activity
  • GAP analysis against specific frameworks / standards
  • Advisory / training / workshop

Enhancement of your internal audit activity

PwC can support your Internal Audit department to enhance his activity with new solutions:

  • Automation of data processing and dashboarding
  • Automated audit of financial and non-financial information
  • End User Computing identification and control
  • In-depth analyses of targeted processes
  • Review of system configurations and behaviours
  • Online follow-up platform for existing observations

Data enabled IA function

  • Use D&A techniques in the main steps of the Internal audit: Risk identification, planning, scoping, testing /sampling, reporting and monitoring
  • Define internal audit strategy and approach
  • Propose internal audit work program on the audit of data governance, RPA and AI
  • Develop and propose training plan for internal auditors

Contact us

Thomas Wittische

Audit Managing Director, Risk Assurance, PwC Luxembourg

Tel: +352 62133 41 81

Julien Melotte

Audit Partner, Industry & Public Sector, Sustainability, PwC Luxembourg

Tel: +352 49 48 48 5287

Stay Connected: