Upload
others
View
7
Download
0
Embed Size (px)
Citation preview
The role of Internal Audit in Business Continuity Management
Institute of Internal Auditors
April 22, 2020
PwC
Contents
2
1 Introduction 3
Objectives: Introduction by participants and understand their individual objectives and exposure to BCM.
2 Overview of Business Continuity Management
The Case for BCM: This section defines BCM and addresses the importance of Business Continuity Management.
Defining BCM: This section outlines BCM objectives and details the components of a BCM program.
The BCM lifecycle: This section provides an overview of the phases involved in implementing a BCM program.
Industry standards: This section provides an overview of the Business Continuity Institute Good Practice Guidelines.
6
3 How to audit a BCM program 31
The audit process: This section lists the key activities and procedures involved in auditing a BCM program.
4 The role of Internal Audit
Bringing value: This section gives insight into the ways that Internal Audit can bring value to a BCM program.
Notable considerations: This section highlights key areas of focus for Internal Audit.
38
5 Impact of COVID-19 on IA 41
Key considerations: This section provides a lifecycle and points to consider when auditing entities after COVID-19.
6 Guides and resources 45
Additional resources: This section lists publically available guides and resources for further information.
Introduction
PwC 4
With you today
Sarah is a Senior Manager with PwC’s Risk Assurance practice and
leads the firm’s BCM practice in the west. She has over 10 years of
experience working with public and private sector clients in Canada, the
U.S., and internationally to design, develop, implement, validate, and
audit BCM programs for small to mid-sized and fortune 100 companies.
Sarah has led multiple BCM engagements with global organizations
across major industry sectors including financial, insurance, energy,
utilities, oil and gas, retail, healthcare, and others. Sarah is a Certified
Business Continuity Professional (CBCP) and Member of the Business
Continuity Institute (MBCI). She is actively involved in the industry as
board member, researcher and author with organizations including the
Business Continuity Institute and the Disaster Recovery Information
Exchange (DRIE West).
Edward MatleyPartner, PwC
Ed is a Partner in PwC’s Risk Assurance practice and leads the firm’s
Business Continuity Management (BCM) practice in Canada. He has
more than 20 years of management and business advisory experience
with specialization in BCM, helping clients to develop Incident
Management, Emergency Management, Crisis Management, BCM, IT
Disaster Recovery, and Enterprise Risk Management programs. He has
led and delivered numerous BCM engagements ranging from Health
Check reviews to facilitating workshops and assisting clients in
developing, implementing, and auditing pragmatic BCM programs. He is
a member of the Canadian mirror committee for ISO Technical
Committee 292, which is responsible for the development of the ISO
standard for Business Continuity Management - ISO 22301.
+1 604 806 7634
+1 403 390 3888
[email protected] VakilSenior Manager, PwC
PwC 5
Objectives
Discuss ways to best audit the program 2
Provide an overview of a Business Continuity Management program 1
Discuss potential roles for IA in enhancing and sustaining a program3
Please participate by posting questions
or comments in the chat!
Discuss the impact of COVID-19 on IA 4
overview
BCM
PwC 7
The case for BCM
The world is becoming increasingly
complex and the disruptions
organizations face may come from
both natural and man-made hazards.
The purpose of BCM is to ensure that
you are more resilient to potential
threats and enable you to resume
operations under adverse conditions.
Shown here are the top global risks
society will face according to the
analysis of the World Economic
Forum, which maps the likelihood and
impact of these challenges.
PwC
“80% of businesses without Business Continuity Plans go out of business within 13 months of a major incident”
- BCI
8
Evolving
risks
Breach in
industry
regulation
Supply
chain
disruption
Loss of
market
share
Lack of
continuity
across
services
Damage to
reputation
Threat to
employee
safety
The case for a BCM program →
According to ISO, implementation of BCM may:
● Protect life, property and the environment
● Protect and enhance reputation and credibility
● Contribute to competitive advantage
● Reduce costs arising from disruptions
● Improve the capability to remain effective during disruptive incidents
● Assist in making interested parties more confident in the organization’s success
● Reduce legal and financial exposure
● Demonstrate the ability to manage risk and address operational vulnerabilities
PwC 9
What is Business Continuity Management (BCM)
The purpose of BCM is to ensure the entity is more resilient to potential threats and enable the entity to
resume or continue operations under adverse conditions.
BCM is a holistic process that:
Identifies potential
threats to an
organization and the
impacts to business
operations
Provides a
framework for
building
organizational
resilience and an
effective response
Safeguards the
interests of key
stakeholders,
reputation, brand
and value-creating
activities
PwC 10
Incident timeline
Time
Risk Reduction
Event
BIA
Strategy
Exercise
Awareness
Plans and
procedures
Prepare
(Business as Usual)
Business Continuity (BC)
Disaster Recovery (DR)
Crisis Management (CM)
Emergency Management (EM)
Respond Recover Restore
PwC 11
Defining components of BCM
BCMS: Part of the overall management system that establishes, implements,
operates, monitors, reviews, maintains and improves business continuity.
BCP: Guides
organizations to
respond, recover,
resume, and restore to
a pre-defined level of
operation following
disruption that impacts
its assets.
EM Plan: Designed to
respond to issues
where there may be a
threat to life safety of
staff or the public.
DR Plan: A written plan for
recovering one or more
information systems at an
alternate facility in
response to a major
hardware or software
failure or destruction of
facilities.
CM Plan: Outlines the processes
used to respond to a
critical situation that would
negatively affect an
organization's profitability,
reputation or ability to
operate.
Crisis Comms Plan: Provides policies and
procedures for the co-
ordination of
communications within the
organization and any
applicable outside agencies
in the event of an incident.
Owners
Health and
Safety
Business
FunctionsExecutive Team Communications Technology
Business Continuity
Management System
Emergency
Management
Plan
Business
Continuity PlanCrisis
Management
Plan
Crisis Comms
PlanDisaster
Recovery Plan
PwC 12
Policy and program management (PP1)
Policy and Program Management is the professional practice
that establishes the organization's policy relating to
business continuity and defines how the policy should be
implemented, controlled, and validated throughout the
business continuity program.
Key deliverables:
• BC Policy & Governance Framework
• Business Continuity Management System
(BCMS)
Embedding
Policy and program management
PwC
To communicate the framework
around which the BCM program is
designed and built and establishes
the organization’s principles,
guidelines & minimum standards
relevant to BC.
13
Primary objectives
● Define BCM program scope by
considering the organization’s
products and services to be
included in the program
● Top management action,
support, and commitment is
required to set up, draft and
review the policy
Key considerations
A clear and concise BC Policy that
has been communicated throughout
the organization and is accessible for
external scrutiny to be reviewed
every year.
Outputs
Policy and program management (PP1)BC policy
• BC policy
• BCMS
Policy and program
management
Defines the organizational policy relating
to BC and how that policy will be
implemented, controlled and validated
1
PwC
Policy and program management (PP1)BCMS
• BC policy
• BCMS
Policy and program
management
Defines the organizational policy relating
to BC and how that policy will be
implemented, controlled and validated
1
To successfully complete an
implementation of BC, but the long-
term goal of the BCM program is to
improve organizational resilience.
Primary objectives
● A BCMS is a formalised method
of ensuring the BCM program is
implemented and managed to a
recognised standard, usually
ISO 22301, which involves the
Plan-Do-Check-Act cycle
● Some companies may choose to
be certified, be aligned to these
standards, or not have a
formalized BCMS in place at all
Key considerations
● Documentation to provide an audit
trail including a BC policy
● Management processes and
controls to support the policy
● Formal management review of
BCMS performance and corrective
actions
Outputs
14
PwC 15
Embedding (PP2)
Embedding is the professional practice that defines how to
integrate business continuity awareness and practice into
business as usual activities.
Embedding
Policy and program management
Key deliverables:
• Training materials
• Awareness campaign
PwC 16
Embedding (PP2)Training and awareness
To raise awareness about business
continuity through communication,
encourage buy-in from interested
parties, ensure required
competencies and skills are in
place, and ensure appropriate
training and learning opportunities
are provided.
Primary objectives
Successfully embedding business
continuity is a result of:
● Understanding and influencing
organizational culture
● Developing BCM competencies
● Conducting training and
implementing awareness
campaigns
Key considerations
● Training materials
● Awareness campaign
Outputs
• Training
• Awareness campaign
Embedding business continuity
Integrates BC into day-to-day business
activities and organizational culture2
PwC 17
Analysis (PP3)
Analysis is the professional practice within the BCI BCM
Lifecycle that reviews and assesses an organization in terms of
what its objectives are, how it functions and the constraints of
the environment in which it operates.
Embedding
Policy and program management
Key deliverables:
• Business Impact Analysis (BIA)
• Threat assessment
PwC
Analysis (PP3)Business Impact Analysis (BIA)
• BIA
• Threat assessment
Analysis
Reviews and assesses an organization’s
objectives, how it functions and the
constraints of the environment in which it
operates
3
The BIA is the foundation on which the BCM program is
built. It identifies business continuity requirements,
providing information to determine the most appropriate
business continuity solutions. The BIA identifies the
urgency of each business activity undertaken by the
organization by assessing the impact over time of an
interruption to this activity on the delivery of products
and services.
Primary objectives
● What type of BIA should be conducted based on the
client’s needs and maturity?
● Impacts to which functions keep senior management
up at night?
● What is the scope of the BIA (e.g., what business
functions and process granularity should be included
in the BIA?)
● What impact categories are relevant to the client
(financial, regulatory / legal, reputational, customer,
employee, etc.)
● What variables will define the criteria for criticality of
each impact category to meet the needs of my
client’s organization?
Key considerations
18
PwC 19
• BIA
• Threat assessment
Analysis
Reviews and assesses an organization’s
objectives, how it functions and the
constraints of the environment in which it
operates
3
● A map of products and services in the organization and the processes and the operational activities that support them
● Standard framework to assess the impact of disruption and define unacceptable loss
● A list of most urgent products, services and processes and justification for exclusions
● The Maximum Tolerable Period of Disruption (MTPD) of products, services and processes
● A list of prioritized minimum resources needed for resumption and recovery of core and support business functions
● The gaps between resources needed and resources possessed
Outputs
Analysis (PP3)Business Impact Analysis (BIA)
PwC 20
Analysis (PP3)Threat assessment
To identify unacceptable levels of risk, single points of
failure, and where controls, mitigations, and
management processes are non-existent, weak or
ineffective by focusing on the potential for high
probability and high impact events.
Primary objectives
● Standard risk assessment framework and an
understanding of the entity's tolerance for risk
● A list of threats that could disrupt most urgent
activities prioritized by likelihood and severity
● Heat map to visualize priority of risks for mitigation
● Identification of any unacceptable single points of
failure and evaluation of current controls
Outputs
• BIA
• Threat assessment
Analysis
Reviews and assesses an organization’s
objectives, how it functions and the
constraints of the environment in which it
operates
3
PwC 21
Design (PP4)
Design is the professional practice within the business
continuity management lifecycle that identifies and selects
appropriate solutions to determine how continuity can be
achieved in the event of an incident.
Embedding
Policy and program management
Key deliverables:
• Continuity and Recovery Strategies and Tactics
• Threat Mitigation Measures
PwC
Design
Identifies and selects appropriate
strategies and tactics to determine how
continuity and recovery from disruption
will be achieved
4
• Continuity and recovery
strategies and tactics
• Threat mitigation
To design solutions that enable the
organization to respond to an
incident, and continue to provide its
prioritized activities, as identified in
the Analysis stage.
Primary objectives
Design plays a key role in BCM
program development by
consolidating selected solutions to
ensure that opportunities for
organization-wide collaboration are
considered prior to progressing to the
implementation stage.
Key considerations
● Business Continuity Solutions,
Strategies, and Tactics
Outputs
Design (PP4)Continuity and recovery strategies
22
PwC 23
Design
Identifies and selects appropriate
strategies and tactics to determine how
continuity and recovery from disruption
will be achieved
4
• Continuity and recovery
strategies and tactics
• Threat mitigation
To identify and select proactive
measures that can be implemented
to reduce the likelihood and/or
impact of disruption to the
organization’s most time critical and
urgent activities.
Threat mitigation measures are
targeted at unacceptable
concentrations of risk, single points
of failure and the main threats to the
organization’s most urgent activities,
all of which were identified and
prioritized in the Analysis stage of
the BCM Lifecycle.
Primary objectives
Collaboration with risk, physical
security, and information security
professionals should be undertaken
at this stage.
Key considerations
● Mitigation measures for main
threats, single points of failure and
unacceptable concentrations of
risk
Outputs
Design (PP4)Threat mitigation
PwC 24
Implementation (PP5)
Implementation is the professional practice within the BCM
Lifecycle that executes the agreed strategies and tactics
through the process of developing the Business Continuity
Plan (BCP). The aim is to identify and document the
priorities, procedures, responsibilities and resources to
assist the organization in managing a disruptive incident,
while implementing continuity and recovery strategies to a
predetermined level of service.
Embedding
Policy and program management
Key deliverables:
• Response Structure
PwC
Implementation
Executes the agreed strategies
and tactics through the process of
developing the Business Continuity Plan
(BCP)
5
• Response Structure
• Business Continuity
Plan
The purpose of establishing a
response structure is to ensure that
the organization has a clearly
documented and well understood
mechanism for responding to an
incident, regardless of its cause.
The response structure establishes
command, control, and
communication systems to help the
organization manage the incident
and minimise the impact of the
disruption.
Primary objectives
Outside of emergency management
organizations, people are not used to
operating in a direct command and
control type of environment, and
under duress will resort to what they
know. It’s best to align the response
structure with existing reporting lines
as much as possible.
Key considerations
Response structure outlining
● Number and capabilities of the
resources required
● Relationships between individuals
● Roles and responsibilities
● Communication methods.
Outputs
Implementation (PP5)Response Structure
25
PwC 26
Implementation (PP5)Business Continuity Plan (BCP)
To document procedures that guide organizations to
respond, recover, resume, and restore to a pre-defined
level of operation following disruption. The BCP can
accommodate any level of procedural detail and scope,
and can be structured by products, services, locations,
divisions or even scenarios.
Primary objectives
● BCPs should be direct, adaptable, concise, and
relevant
● Plans need to be flexible to adapt to specific
incidents that might occur
● Specific incident plans are appropriate in some
situations (e.g., evacuation, pandemic, or product
recall plan)
● Where activities are outsourced, a third party’s
BCM Program (or lack of) can affect the
organization’s overall resilience
● Varying degrees of plans are developing,
depending on the size and culture of the
organization, to meet strategic, tactical, and / or
operational needs
Key considerations
Implementation
Executes the agreed strategies
and tactics through the process of
developing the Business Continuity Plan
(BCP)
5
• Response Structure
• Business Continuity
Plan
PwC 27
Implementation
Executes the agreed strategies
and tactics through the process of
developing the Business Continuity Plan
(BCP)
5
• Response Structure
• Business Continuity
Plan
Business Continuity Plan(s) that includes:
● Purpose, scope, objectives, and assumptions
● Incident management structure (for the organization as a whole)
● Response team responsibilities and assigned roles, including individual responsibilities
● Team mobilisation instructions
● Plan Activation (procedures and authorization)
● Plan Escalation (of recovery strategies)
● Contact details (usually held as appendices)
● Communications (covering employees, contractors, media, meeting locations, command centre)
● Action lists and steps
● Procedures for standing down the team and organization once the disruptive incident has been resolved
Outputs
Implementation (PP5)Business Continuity Plan (BCP)
PwC
Validation (PP6)
Validation is the lifecycle that confirms the BCM Program
meets the objectives set in the BC Policy and that the
organization’s BCP is fit for purpose. The purpose of
Validation is to ensure that the BC capability reflects the
nature, scale and complexity of the organization it supports
and that it is current, accurate, and complete, and that
actions are taken to continually improve organizational
resilience.
Embedding
Policy and program management
Key deliverables:
• Exercise Program
• Maintenance and Review Program
28
PwC 29
Validation
Confirms the BCM Program meets the
objectives set in the BC Policy and that
the organization’s BCP is fit for purpose
6
• Exercise Program
• Maintenance Program
• Review Program
To ensure all aspects of incident
response have been exercised and
can be carried out. The frequency of
exercising is dependent on the
nature, scale and complexity of the
organization, but it is recommended
that every member of associated
response teams should be involved
in an exercise every 12 months at
minimum.
Primary objectives
● Organizations should develop an
exercise program to validate
selected recovery strategies and
continuously improve BCM
capabilities
● Five types of exercises can be
conducted to test program
readiness: discussion-based,
tabletop scenarios, command
post simulations, live simulation,
and pass/fail tests
Key considerations
● Exercise and test materials
including mock scenarios, event
injects, facilitator and participant
guides
Outputs
Validation (PP6)Exercise program
PwC
Validation
Confirms the BCM Program meets the
objectives set in the BC Policy and that
the organization’s BCP is fit for purpose
6
• Exercise Program
• Maintenance Program
• Review Program
To ensure, at planned intervals, that
the organization’s BCM program is
up to date. Maintenance and
periodic review of the business
continuity program ensures that the
organization remains ready to
respond to incident, despite
organizational change over time.
Primary objectives
● Since most of the maintenance
● needed will result from internal changes
in the organization, maintenance should
be embedded within the organization's
normal management processes
● Regularly review the BC policy and
program for continuity suitability,
adequacy and effectiveness
● Five types of review can be conducted
to ensure the program is current: audit
(internal and external), self assessment,
quality assurance, individual
performance appraisal, supplier
performance review against SLAs
Key considerations
● Updated policies and procedures
● Documented maintenance
schedule
Outputs
Validation (PP6)Maintain and review
30
BCM
Auditing
PwC
Key activities ● Ensure that your audit involves senior level staff.
● Senior staff are often busy, so make sure you give yourself
enough lead time to complete the audit.
32Ministry of Finance
The purpose of the planning
phase is to allow the Audit team
to establish the objectives and
outcome of the audit.
Planning
Key activities: Governance● Ensure a governance framework is in place to build and
manage the BCM program, defining required standardization
and providing accountability for effective preparedness,
response, and recovery.
● Ensure that ongoing management and governance
processes are in place, supported by top management, and
appropriately resourced to implement and maintain BCM.
● Governance processes should cover:
○ Policies and strategy: must be properly implemented
and processes correctly followed.
○ Roles, Responsibilities and Accountabilities: must
be defined and assigned at an appropriate level of
authority to carry out activities required for BCM.
ExecutionThere are five key areas of focus
when auditing a BCM program:
1. Governance
2. Business Impact Analysis
3. Documentation, including a
Business Continuity Plan,
Disaster Recovery Plan
and Crisis Management
Plan
4. Exercise Program
5. Continual Improvement
PwC 33
IMPORTANT TO CONSIDER:
Executive involvement in the BCM program is critical.
Not only does this encourage organizational commitment, it also introduces a filter to the
information that is collected and documented for the BIA. Business units or departments
can sometimes get stuck in the weeds or exaggerate the criticality of their own functions;
Senior staff often have a more holistic view of criticality across the organization and can
help lead the process by filtering out unnecessary information and offer a more realistic
assessment of the impacts following a disruption.
PwC 34Ministry of Finance
Key activities: Business Impact Analysis● Scope: Identify how much of the organization is considered in
the BIA.
○ Confirm that all critical functions are identified.
○ Evaluate each department’s BIA to ensure that adequate
and appropriate information has been collected for each
critical function.
● Reasonability: Review the Maximum Allowable Outages
identified by each department/unit to ensure that they are
reasonable.
● Alignment: Check if the BIA is aligned with a risk
management framework or impact thresholds.
There are five key areas of
focus when auditing a BCM
program:
1. Governance
2. Business Impact
Analysis
3. Documentation, including
a Business Continuity
Plan, Disaster Recovery
Plan and Crisis
Management Plan
4. Exercise Program
5. Continual Improvement
Key activities: Documentation● Verify if an assessment has been conducted on the current
capability of recovery times for systems, as per the BIA.
● Make sure gaps have been identified and documented.
● Evaluate the adaptability and usefulness of the business
continuity plan by ensuring that it is written as a consequence-
based document, rather than scenario-based.
● There is such a thing as too much information. Make sure all
plans are clear, concise and contain only information that is
essential during a response effort.
Execution
PwC 35Ministry of Finance
Key activities: Exercise program● Confirm the BCM Program meets the objectives set in the BC
Policy and that the organization’s BCP is fit for purpose
● Ensure processes are in place to periodically evaluate tasks,
teams and procedures through training, testing, and/or
exercising documented plans and capabilities
○ Check that a structured approach to training exists and is
conducted on a regular basis with relevant stakeholders.
○ Verify there is a documented exercise schedule and
exercises or drills are regularly conducted.
○ Confirm that a debrief to discuss lessons learned occurs
after each exercise or real event.
There are five key areas of
focus when auditing a BCM
program:
1. Governance
2. Business Impact Analysis
3. Documentation, including
a Business Continuity
Plan, Disaster Recovery
Plan and Crisis
Management Plan
4. Exercise Program
5. Continual Improvement
Key activities: Continual improvement● Verify BCM capabilities and documentation are maintained to
ensure continued effectiveness and alignment with business
priorities.
● Check if all identified gaps or improvements resulting from
debrief sessions are documented.
● Identify whether key performance indicators (KPIs) and / or
other metrics have been defined to measure and track
program and plan improvement at regular intervals.
Execution
PwC 36
IMPORTANT TO CONSIDER:
Internal audit reports on corrective action plans.
Learnings and action items that result from an exercise or real event must be integrated
into the BCM program and managed through to completion to ensure the continual
improvement of the program.
It is essential to test these improvements in subsequent exercises.
PwC 37Ministry of Finance
Key activities● Validate observations with key stakeholders to avoid any
surprises.
● Develop pragmatic and actionable recommendations for
management review.
● Present recommendations to management for discussion.
Reporting
Throughout the audit process,
it is imperative that the Audit
Team remain cognizant of the
audience for the report - in
most cases, it is top
management who seeks to
gain critical insights from the
outcomes of the report.
in BCM
of IA
Role
PwC
Roles of IA
IA as Advisor
IA is involved in an
organization’s BCM effort as
an advisor or counsellor,
reviewing the program in
light of the internal policy
and regulatory requirements.
IA as Compliance
Officer
IA drives compliance with the
existing documented policy
and identified regulatory
requirements.
IA can bring value to BCM programs in a variety of ways...
The role of Internal Audit
IA as BCM Driver
IA is positioned to drive
execution of a BCM program
and assist in aligning and
coordinating independent
BCM efforts across
emergency response, crisis
management, business
continuity, and/or disaster
recovery.
Lower BCM maturity Higher BCM maturity
39
PwC 40
Roles of IA
In a less mature environment, IA can help by:
Other Potential Roles for Internal Audit
● Conducting exercises
● Facilitating exercise and real event
debriefs to capture lessons observed
● Reporting progress on corrective action
plans
on IA
COVID-19
Impact of
PwC 42
Roles of IA
The following lifecycle serves as a guide for response to COVID-19:
COVID-19 response lifecycle
PwC 43
Roles of IA
In many circumstances, the design and operation of internal audit may be impacted
by COVID-19.
Impact:● An entity’s response to COVID-19 is likely to have impacted
and added complexity to its ability to sustain planned updates
or maintenance to the BCM program and related materials
Outcome: ● BCM program targets identified for prior years may no longer
be appropriate or may need to be paused for a period of time
● It is important to consider whether results from a review
reflect a one-time event or ongoing economic conditions that
prevent the entity from meeting BCM targets or KPIs in the
future
ExecutionQ: Does the impact of COVID-19
change how IA should review the
BCM program?
Impact of COVID-19 on IA
PwC 44
Roles of IAImpact of COVID-19 on IA
Impact: ● An entity may not have met its targets or followed its previously
identified plan / schedule for BCM program development,
maintenance or updates while responding to COVID-19
● It is important to impart a consistent approach to BCM IA year on
year in order to monitor and track progress against defined
targets
Outcome: ● While reporting should acknowledge potential strain from
COVID-19 and address operational impact, the audit should
cover the same controls as previous years, noting exceptions to
BCM program development, maintenance or updates in the
affected year
ReportingQ: Should IA findings be reported
differently given the potential impacts
from COVID-19?
Impact of COVID-19 on IA
In many circumstances, the design and operation of internal audit may be impacted
by COVID-19.
and resources
Guides
PwC
Guides and resources
The following are available for IIA / ISACA members:
● FFIEC booklet and work program● IIA GTAG (available to IIA members) ● ISACA IT Continuity Planning
The following are paid resources:
● BCI Good Practice Guidelines● DRI Professional Practices● ISO Standards (e.g., 22301, 22313,
22316, etc.)● CSA Z1600 & NFPA 1600● NIST Standards (e.g., SP 800-34)
46
pwc.com
This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisers.
© 2020 PricewaterhouseCoopers LLP, an Ontario limited liability partnership. All rights reserved.
PwC refers to the Canadian firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see
www.pwc.com/structure for further details.
Thank you