"Building trust extends beyond mere words – it's about providing independent confirmations that resonate with clients, regulators, and the wider public. Our Digital Assurance team, empowers them to showcase their commitment to excellence and earn the trust of the ecosystem they operate in."
Ivy Heusdens, Senior Manager, Advisory, at KPMG in Belgium, explores the importance of building trust against the backdrop of technological advancements propelling business transformation at an unprecedented rate.
Why is your role crucial in today's age, especially with the emergence of Generative AI (GAI) like ChatGPT, which could arguably conduct this interview better than either of us could?
Ivy Heusdens: Well, I agree that ChatGPT could probably take over this interview and ace these questions. But I’d like to think that my years of expertise and ability to read between the lines add a certain je ne sais quoi that algorithms just can't replicate!
Ok, jokes aside. While GAI is here to stay and can certainly make our work more efficient by leveraging all the available information, it still requires skilled experts to review and interpret both the data that goes into it and the data that comes out of it. Crafting correct and relevant prompts demands a certain level of expertise and knowledge. Similarly, interpreting the results generated by GAI tools also necessitates professional insight. Therefore, my role, and that of other experienced colleagues, remains crucial in guiding and optimizing the use of GAI to ensure it serves its purpose effectively and reliably.
Trust is paramount in this new era dominated by GAI, particularly given the competitive landscape of today's market. The level of control that business leaders once felt is no more. Service providers and their clients are now looking for assurance that stringent controls are in place to safeguard their information, ensuring its proper processing and secure storage, while guaranteeing accurate transaction handling. This confidence in operational integrity not only distinguishes a provider but also serves as a compelling unique selling proposition, offering a distinct competitive edge.
I’m starting to get a déjà vu with all this mumbo-jumbo! What is it exactly that you do?
Ivy Heusdens: My bad! My team and I basically help companies prove that they're strong and ready to handle challenges by attesting to their ability to manage their operations and protect against online threats. Service organizations manage critical systems, store, and process private and/or confidential client information and/or process transactions for several clients at a time. Each of these clients want a guarantee that the appropriate internal controls and systems are in place to protect their data. Our independent reviews help them reply to the market’s ever-increasing demands for more accountability and transparency in all aspects of their business.
If you think about it, there are several challenges that might arise, for example, increasing concerns regarding (cyber)security breaches or requests to demonstrate compliance with the General Data Protection Regulation (GDPR). Can you imagine how much time would be lost if each client sent an auditor to inspect the facilities of their service provider and asked them to prove the operating effectiveness of their control environment? And not just to them, but to the authorities as well! If your clients have the impression that you’re not able to conduct business securely and responsibly, then you have a serious problem at hand! And trust me, they will promptly seek out a company that demonstrates competence in these areas!
We can help companies demonstrate their ability to meet the compliance needs of their clients, thereby strengthening the confidence and trust that their clients have in them.
Interesting! Ok, you answered the “what”. But “how” do you actually go about this?
Ivy Heusdens: We provide a range of services related to assurance and certification. Firstly, our attestation readiness assessments thoroughly examine a company’s current situation, offering insightful observations and recommendations to address any gaps in their control environment. These insights are crucial for potentially qualifying for further Service Organization Controls – or SOC - assurance reports.
We also conduct attestation audits, producing ISAE 3402 and ISAE 3000 reports, depending on specific client needs. For instance, ISAE 3402 reports are tailored to risks and controls concerning the preparation of financial reports. They're commonly requested to meet third-party requirements during IT environment audits, providing assurance to users and auditors alike.
On the other hand, ISAE 3000 reports focus on operational controls, including for example security, availability, confidentiality, processing integrity, and privacy. These reports cater to a broader range of processes and systems, offering assurance not only to auditors but also specified users that are making (or will be making) use of these processes and systems. These reports are particularly crucial for service providers handling client data, ensuring their security measures are up to standard.
In addition to attestation services, we conduct ISO 27001 (Information Security Management Systems) certification audits and eArchiving audits, further fortifying the organizational resilience and cybersecurity maturity of our clients. KPMG Certification is accredited by BELAC, the Belgian accreditation body, which reassures clients of our independence and that they can trust us.
That makes sense! Tell me, why should companies choose KPMG over another assurance provider or certification body?
Ivy Heusdens: That’s a valid question and I don’t want to bore you with all the technical details! Our biggest advantage is our multi-disciplinary approach and the fact that our auditors are not just auditors. They are also consultants who implement control frameworks, bringing best practices from various sectors. For example, our cyber experts might implement an identity and access management tool at one client and use that knowledge to test controls and report on their effectiveness at another client. We offer the best of both worlds!
We provide valuable feedback and insights into our clients' maturity levels, often identifying areas for improvement. However, we must always maintain our independence. We cannot help clients fix the areas we identify as lacking, as it would be like being paid to review our own work!
Lastly, since we offer a wide range of services, we can provide clients with combinations of various reports, such as a combination of ISAE3402 and ISAE3000, and even certification, thereby making the audit process much more efficient.
Now, you know the drill – my final question is: how do you think you make a difference?
Ivy Heusdens: By committing to conducting independent operational reviews, we empower companies to pinpoint and strengthen weaknesses within their systems, fostering refinement and optimization of processes. We help guide them towards earning the trust of their stakeholders.
Building Trust in Technology: The Human Touch in a Digital World
In a world where technology is rapidly evolving, the need for robust Risk, Compliance, and Assurance frameworks has never been greater. Naomi and Ivy explore the critical role of trust in business success and how the human element remains indispensable in tech projects.
Explore
Connect with us
- Find office locations kpmg.findOfficeLocations
- kpmg.emailUs
- Social media @ KPMG kpmg.socialMedia
