Are public projects doomed to failure from the start? – Transformation Assurance

Public projects have a bad reputation. Is it deserved, or more a matter of expectations and the way success and failure are defined? In this critical review we take a close look at what makes public-sector IT and transformation projects different from those in other areas, the specific challenges they face, and tried-and-tested approaches to making them a success. Read more…


Marc Lahmann
Director and Leader Transformation Assurance
+41 58 792 27 99

SWIFT Customer Security Programme – mandatory specifications to protect your local SWIFT infrastructures

The growing number of cyber-attacks, including those on the local infrastructures of SWIFT participants, has prompted SWIFT to create a security programme for its participants in order to fight together against cyber threats.

SWIFT published its Customer Security Programme in April 2017. It defines specific requirements to be met by all connected participants. The programme aims to improve the exchange of information within the SWIFT community, to ensure a high level of security for the local SWIFT infrastructure of participants, and to put in place an assurance framework to counter the ever-growing number of cyber threats and strengthen the ability of SWIFT participants to combat cyber-attacks.

SWIFT Customer Security Programme

The programme calls upon all SWIFT participants to implement a control and assurance framework. The control framework consists of a set of 16 mandatory and 11 advisory security controls. The controls are based on existing SWIFT security guidelines, and are in line with good practice standards such as NIST, ISO/IEC 27002 and PCI-DSS. The mandatory controls establish a security baseline for the entire SWIFT community. SWIFT also recommends implementing the advisory controls to provide optimal protection for local SWIFT infrastructures.

Demands placed on SWIFT participants

The SWIFT Customer Security Programme will come into force on 1 January 2018. As well as applying to financial service providers, it is also valid for all companies that participate in the SWIFT network. Before the introduction of the programme, each SWIFT participant must conduct a self-assessment and notify SWIFT of its status regarding compliance with the controls (by the end of 2017). From 2018, all participants must confirm their compliance with controls on an annual basis. This confirmation can be provided via a self-assessment (self-attestation), internal audit (self-inspection) or external audit (third-party inspection). Participants are free to choose the type of confirmation they wish to submit. SWIFT will however also carry out regular spot checks of confirmations via internal or external audits for quality assurance purposes.

SWIFT participants must consider the following points in particular:

  • Should only the mandatory controls be implemented, or also the advisory ones?
  • How should the assurance framework be structured? Is self-assessment sufficient, or should an internal or external audit be conducted on a regular basis?
  • Should the status regarding compliance with controls be made public to other SWIFT participants?
  • How can it be ensured that controls continue to be adhered to in the future?

The support we offer you

SWIFT Readiness Assessment

We can help make sure you comply with the SWIFT requirements by 1 January 2018 by assessing your current status and highlighting any gaps.

SWIFT control support

We can provide support for the implementation of controls by means of a post-implementation review.

SWIFT compliance confirmation

We can assist you with your annual confirmation of compliance with SWIFT requirements.

Please feel free to contact our experts if you are interested in the topic.

More information


Jens Probst
Director, Systems & Process
+41 58 792 29 59

Claudia Hösli
Senior Manager, Specialist Cyber Security
+41 58 792 14 85

Marco Schurtenberger
Senior Manager, Specialist Cyber Security
+41 58 792 22 33

Auditing Corporate Culture

Recent ethical scandals have put corporate culture in the spotlight. They reveal that a weak or toxic corporate culture may encourage inappropriate behavior across the organization. PwC held an Internal Audit Roundtable in Geneva to take on this topic. Here are some pieces of advice and best practices from the roundtable to help you achieve a healthier and stronger culture.

What is the role of Internal Audit in restoring trust in and within the organization?

There is an increasing expectation from the Board and Senior Management for Internal Audit functions to provide cultural assurance to the organization. Indeed, Internal Audit functions are well positioned to provide an independent assessment of corporate culture, while leveraging on their understanding of the organization.

How should it be performed?

As there is no “one size fits all” approach to auditing culture, Internal Audit plays a key role in helping the Board define the scope of the assessment (e.g. culture, risk culture), the framework to assess against (e.g. corporate values, behaviors, strategic priorities, etc.) and design the approach. To get a good coverage across high cultural risk areas, Internal Audit will likely use a combination of approaches including discrete culture reviews, thematic reviews and/or incorporating a cultural component into regular audits. It can also draw on a variety of data from different sources such as focus groups, employee surveys, desktop reviews and behavioral observations.

What value does it bring to the organization?

Culture assessments help the Board identify how the ‘intended’, ‘expressed’ and ‘actual’ culture is aligned within the organization. The ultimate value delivered to the business is the identification of behaviors having positive or detrimental impact and the drive for embedding positive behaviors across all layers of the organization.

In short, auditing corporate culture is not so much a one-time audit but rather a tool to assess the existing corporate culture and to start the journey for a healthier and stronger culture.

What Internal Audit Leaders in Switzerland think about it:

“Our corporate culture is not strong enough. However, the organization is not yet ready for this type of assessment.”

“When I audited this local entity, I could feel that people wanted to talk to me about something that was wrong.”

“In my organization, this could work if we do not call it an audit, but rather an assessment.”

“We already started this type of cultural audit through a thematic review on fraud.”

“This type of assessment would probably highlight that our intended culture (purpose, vision, values) is not aligned with our expressed culture (leadership action, objectives, etc).”

What are the top 3 questions you may ask yourself if you want to further explore this topic within your organization?

  1. Where is there cultural risk in my organization?
  2. What criteria do I assess against and what is in scope?
  3. How do I get Management buy-in and establish the mandate?

In our Internal Audit roundtable in Geneva, it was noted that not very many Internal Audit functions in Switzerland have actively addressed culture within their audit plans. At the same time, Chief Audit Executives recognize the value of culture and how it can play a key role in fostering good governance and a healthy control environment. A diverse array of approaches and techniques can be used by Internal Audit to assess culture and provide additional value add for Management and Boards.


To learn more about this topic, please feel free to contact our Internal Audit Services team.

Dominique Perron
Partner, Internal Audit Services, PwC Geneva / +41 58 792 94 48

Richard Thomas
Partner, Internal Audit Services, PwC Zurich / +41 58 792 27 82

Nicolas Gaillard
Director, Internal Audit Services, PwC Geneva / +41 58 792 98 52

Céline Hartenberger
Manager, Internal Audit Services, PwC Geneva / +41 58 792 96 23

Adapt your SAP authorisation concept to S/4HANA

S/4HANA is SAP’s next-generation business suite that is built on SAP’s proprietary operational database system and in-memory computing platform called SAP HANA. S/4HANA is intended to be easier to use and administer while helping to solve more complex problems and handle vastly larger amounts of data than its predecessors. S/4HANA is available in on-premises, cloud and hybrid deployment models.

With the release of S/4HANA, SAP consolidates the integration and harmonisation of functionalities and processes and further reduces barriers between SAP modules, facilitating system integration. New technologies, such as Fiori, enhance the user interface for both desktop and mobile devices. The in-memory HANA database lets you collect, store, and process high volumes of operational and transactional data in real time.

Implementation of S/4HANA will affect your current environment, and not just technology-wise, because processes are also subject to change. Both the new technology and the change in processes will result in new requirements for your current authorisation concept. Whereas parts of your existing authorisation concept can be easily transformed and implemented 1:1 in the SAP S/4HANA system, other parts need to be changed and adapted to meet the new requirements.

PwC has a proven track record in Switzerland and globally in implementing and transforming SAP authorisation models in the SAP S/4HANA environment. Our GRC Technology Team in Switzerland led and executed the authorisation implementation part of the ninth S/4HANA implementation worldwide, from the authorisation concept to implementation and operation. Our experts have the required skill-set, tools, techniques and experience to discuss your challenges with you, and to actively support you throughout the whole project.


Please contact our team for more details:

Dominik Götz
Senior Manager
+41 58 792 28 93

Erik Trouillet
+41 58 792 23 64

PwC Actuarial Services Newsletter – March 2017

This will mark the third year of our European collaboration on our Actuarial Newsletter. We want to take this opportunity to look back on an interesting year for actuaries as well as take a glance at what awaits actuaries in the months and years ahead. New regulatory requirements have confronted European insurers in the past year. We take a closer look at how our clients deal with this paradigm shift.

Key points in brief:

  • Article #1: Model Validation
  • Article #2: Solvency II after Year One: Snapshot of the current status
  • Article #3: ORSA – “Never hate your enemies, it affects your judgment.” – The Godfather

Download the PwC Actuarial Services Newsletter here.

Good, but could do better – Key learnings from the FATF AML&CFT Mutual Evaluation Report of Switzerland

On 7 December 2016, the Financial Action Task Force (FATF) published the results of the Mutual Evaluation Report on Switzerland, concluding their assessment performed from 25 February to 11 March 2016. The results, extending to 245 pages, make interesting reading for AML practitioners and compliance officers.

FATF concluded, “Overall, Switzerland’s Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) regime is technically robust and has achieved good results. It would still benefit from some improvements in order to be fully effective.”

PwC analysed the key findings and identified learnings for regulated firms together with options for regulatory development. The key learnings concern:

  1. Suspicious Transaction Reporting (“STR”)
  2. Due diligence on longstanding customers
  3. AML&CFT customer risk classification
  4. AML&CFT Risk Assessment
  5. Penalty Sanctions

Read our findings and perspective here

For more information please contact our experts

Michèle Hess
Assurance Director
+41 58 792 46 67

Daniel Cicetti
Assurance Senior Manager
+41 58 792 23 92

Alister Smith
Advisory Senior Manager
+41 58 792 47 96

Are large-scale transformation initiatives doomed by default?


Against a backdrop of ubiquitous change, successful transformation is essential for survival in a highly dynamic and competitive environment. However, there is overwhelming evidence that most such initiatives end in some degree of failure. We examine the trends and forces driving these processes and the factors crucial to their success.

Read more …

Zurich Treasury Conference 2017

The 18th edition of our annual Zurich Treasury Conference.

We are pleased to send you the invitation for our annual Zurich Treasury Conference on the 4th of April 2017 at the Swissôtel. We are delighted to provide you with the full programme and an excellent line-up of speakers.

We have covered many themes over the years, and our 2017 programme will again live up to this diversity of topics. We will open the afternoon with the impact of banking regulation on corporations and cover two corporate case studies on treasury integration and transformation. Following our PwC Global Treasury Survey highlighting this as a key topic, we will have a presentation on liquidity forecasting, and we will also cover the challenges of the low interest rate environment. Finally we will have a corporate treasurers panel to discuss challenges of midsized treasuries. Of course the event is also an important moment to connect amongst peers, for which there will be ample time provided.

PwC’s Treasury Solutions Group looks forward to welcoming you at the 18th edition of this event.

Tuesday, 4 April 2017, 13:00 to 18:00, followed by an apéro

Swissôtel, Schulstrasse 44, 8050 Zurich

Participation fee:

The price will be CHF 350 per participant (VAT, documentation and refreshments included).

Register by clicking here

Redefining the risk management and internal control system requirements – the new FINMA circular on corporate governance

The new requirements should not be underestimated

The Swiss Financial Market Supervisory Authority FINMA published on 1 November 2016 its new circular 2017/1 ‘Corporate governance – banks’, consolidating the FINMA’s requirements relating to corporate governance, risk management and internal control systems.

Read more…


Andrin Bernet
+41 58 792 24 44

Yousuf Khan
Senior Manager
+41 58 792 15 62

Alena Nicolai
Senior Manager
+41 58 792 27 28

Alexandra Burns
Senior Manager
+41 58 792 46 28

PMI Event Bern

Critical success factors for successful project management in public industries

Why do so many public-sector transformation projects struggle to achieve their objectives? What can other industries learn from the public sector’s project experience? These are just two of the many questions we want to address at a presentation we are hosting jointly with the Project Management Institute (PMI) at PwC in Bern on 18 January 2017.

Please register online

Wednesday, 18th of January, 2017, 18:30

PwC Bern, Bahnhofplatz 10, 3001 Bern


This event is held in English.

More details here