Now more than ever technology advancements are driving business transformation at a record pace, innovating business models are developed rapidly, and existing operating models are shifting and evolving. From mobile to blockchain, artificial intelligence, robotics and the Internet of Things, technology brings exciting new opportunities for transformation and growth. But adopting new technology also introduces new risks. Identifying risks and ensuring rapid response has in the last years proven to be a crucial organizational skill.
This makes it essential for companies to build their organizational resilience, strengthen their core controls and increase their cyber security maturity to meet the challenges of technology and information risk.
KPMG’s digital risk management services can help your organization through the entire transformation journey. We build, evolve and operate technology risk management capabilities to deliver key business objectives. Let us show you how our digital risk management services can help your organization accelerate technology adoption, gain confidence in business decisions and stay relevant in a rapidly evolving digital world.
IT governance, risk and compliance
Effective IT Governance, Risk, and Compliance (GRC) enables organizations to strengthen their governance and risk management, enhance their economic business value as well as capitalize on opportunities and reduce losses through informed decision making and supporting technology solutions.
Governance, risk and compliance continue to challenge businesses. As new laws and regulations are introduced, their requirements lead boards to greater levels of transparency, objectivity and professionalism. Increased accountability and potential exposure to liability force directors to ensure that corporate governance standards are adhered to and robust compliance management systems are in place.
Challenges you might face and key questions that need answering:
- How can risk and compliance functions dynamically respond to emerging risks, as well as increasingly complex regulations?
- How do I respond to stakeholder mistrust in how we handle their data, and how can the risk function allay their fears?
- How do I get value from my risk and compliance data and inform business decisions?
- How can I change the organization's mindset and culture to embed risk management across all operations?
- How do I proactively manage the magnitude of risks, compliance obligations and issues facing my business?
At KPMG, we understand the importance of determining how much risk your organization can accept without compromising returns. Our IT GRC team assists you in identifying risks, defining control frameworks, enhancing authorization concepts, selecting vendors and implementing GRC & IAM technology platforms to support their risk and compliance processes.
We help your business set up its risk control framework, with a focus on control improvements and compliance to regulations (SOX, PSD2, GDPR, COBIT, IT SREP, etc.)
- General IT controls design and setup
- IT business process controls design and setup
- Control framework redesign in light of system implementations
- Control framework redesign in light of external regulations
We (re)design a secure, transparent, yet flexible and maintainable authorization concept for your organization.
- Assessment and review of security setup and processes
- Design and setup user access management processes
- Authorization concept (re)design
Support your organization with your authorization and security considerations during ERP transformations.
We establish a compliant technology environment for ERP transformations and improvements.
- Process risk identification and mitigation during ERP transformation and improvement tracks
- Enhancement of business process risk appetite and level of compliancy
Our team selects the right GRC and/or IAM solution based on strategic, tactical and operational requirements. We assist you with implementing the chosen solution.
- GRC requirements identification
- GRC tool and vendor selection
- GRC tool business case
- GRC tool implementation and configuration setup
We enhance your organization’s compliance capabilities by leveraging ERP-embedded analytics and automation functionalities.
- Integrated control reporting for all management levels
- Automated process control execution and reporting (by leveraging RPA and Machine Learning functionalities)
- Leveraging RPA capabilities for continuous compliance monitoring
IT audit (IRMeA/ITIA)
Business processes are becoming more and more technology driven. As a result, financial and internal auditors often require increasing support from technology specialists to meet their goals of providing value-added insights to stakeholders. There is growing pressure to measure the management and mitigation of proliferating technology risks. Our technology in the audit service model is built to accommodate the technological needs of an organization’s (internal) audit obligations. Our key strengths lie in our ability to offer a team of qualified IT auditors, the latest auditing standards and cutting edge technology tools, combined with subject matter experts in diverse areas, who can globally source your technology audit commitments.
Challenges you might face and key questions that need answering:
- How do I get value from my IT audit and act on this?
- What are our IT risks?
- Is our IT strategy aligned with our business and IT risks?
- How mature are we in terms of IT Risks and IT Controls, and how are we doing compared to our peers?
- Do we need an internal IT audit function?
- Does our IT roadmap (incl. transformations and embedding new technologies) sufficiently address risks and controls associated with changes?
- Are there manual business controls that can be replaced by automated controls?
- Who is responsible or accountable for (new) risks arising from IT?
At KPMG, we understand the importance of determining how much risk your organization can accept without impacting FSA or (J)SOX audits. Our IT audit team can assist you with identifying risks, testing control frameworks and enhancing the controls approach for external audits to support the risk and compliance processes.
Audit of technology
We can help your organization assess the IT risks within your business environment, either through our Advisory service or as part of external FSA and (J)SOX engagements. Our scope of assessment and reporting covers the full range of IT related risks, controls, processes and technologies.
As part of the KPMG IT risk and business process risk assessments we audit General IT management Controls (GITC) and IT Application Controls (ITAC), including specific reports needed for financial and reporting purposes. We also cover high risk IT transformation projects, data migration and data quality projects, datacenters and cloud security audits.
Furthermore, we provide assessments on specific subject matters such as cyber security, RPA and algorithm assessments, regulatory reporting, data privacy, IT governance, ERP implementation (SAP S4HANA, Oracle, MS AX, JDE, Infor M3 etc.).
Audit with technology
We are continuously adapting our audit procedures to integrate new tools and technologies and provide valuable insights for your organization in the most efficient way.
Our global platform KPMG Clara, enables us to deliver a broad range of data analytics, including predictive analytics, continuous auditing and monitoring and KPI benchmarking.
Furthermore, we use cutting edge tools and software for specific purposes such as robotics (to minimize the manual workload) or Business Process Mining (to identify the different data flows within a process).
Digital assurance
Are you a service organization managing critical systems, storing and processing private and/or confidential client information and/or processing transactions for multiple clients? If so, you are among many who face today’s increased challenges on the need for more assurance for customers, auditors, and regulators, to guarantee that appropriate internal controls have been implemented.
Challenges you might face:
- Your clients are becoming increasingly sensitive to the measures taken to protect their private and/or confidential information and to ensure continued availability of their systems.
- Cyber security management and compliance with the General Data Protection Regulation (GDPR) have become some of your key challenges.
- Real or perceived security breaches may give your clients the impression that your organization is unable to conduct business securely and responsibly.
- You are confronted with multiple visits of clients’ auditors and requests to complete detailed security questionnaires or checklists about your controls environment.
- You must demonstrate your ability to meet the compliance needs of your clients and strengthen their confidence in your competences in an increasingly competitive environment.
- You must demonstrate the operating effectiveness of your control environment to your clients or the regulator.
At KPMG, we understand the importance of demonstrating trust and trustworthiness to your new and existing clients, regulators and broader public on risk-relevant topics such as cyber, cloud services, financial services, privacy and specified control objectives. Our digital assurance team will assist you in effectively dealing with a range of issues, from diagnostic reviews to reporting, and enable you to showcase your excellence.
Third party assurance
Organizations are increasingly reliant on outsourcing for the delivery of their services. This creates a complex situation, where new and existing risks need to be managed and monitored as a priority. Service providers are eager to demonstrate they are in control of these risks to prove to their clients that their trust is justified. That's where an assurance report can make the difference.
At KPMG we'll help you demonstrate the sturdiness of your organization's control environment by providing assurance through a Service Organization Controls report focused on:
- Financial reporting risks and controls (ISAE 3402/SOC1);
- Trust service principles: security, integrity, availability, confidentiality, data privacy (SOC2/SOC3/ISAE 3000);
- Information security and privacy, based on international recognized standards such as ISO 27001 and ISO 27701 or specified control objectives (ISAE 3000);
- ISO 27001 certification integrated with SOC 2 or ISAE 3000 reporting (multipurpose testing);
- Cloud services (SOC 2/ISAE 3000); and
- Agreed upon procedures.
Financial services assurance
The market and governments are demanding more accountability and transparency from financial services organizations in all aspects of their business. At KPMG we'll help you demonstrate your financial services organization’s compliance by providing assurance through an attestation report focused on topics such as: Payment Services Directive 2 (PSD2) and its underlying technical standards, the SWIFT Customer Security Program (CSP), European Banking Authority regulations and institutional frameworks, Know Your Client (KYC), Anti-Money Laundering (AML), etc.
KPMG Certification
KPMG Certification provides certification services, which allow you to showcase your excellence in information security management, GDPR Compliance, e-archiving trust services and/or asset management.
KPMG Certification is accredited by BELAC, the Belgian accreditation body, to certify compliance with the ISO/IEC 27001 – Information Security Management Systems. At the moment, we also provide certification services for the below standards/certification schemes:
- ISO/IEC 27701:2019 – Privacy Information Management Systems
- ISO/IEC 55001 – Asset Management
- BE e-Archiving Certification Scheme
Cyber
Dealing with a cyber threat is a complex challenge.
In today’s digital world, decision-makers can’t afford to be held back by cyber risks. They need to make bold decisions and feel confident that their cyber strategy, defenses and recovery capabilities will protect their business and support their growth strategies.
Across all sectors and in every geography, business executives are asking themselves the same questions:
- Can I balance information protection and accessibility?
- What does a “good” cyber security strategy look like in my sector?
- Can I prioritize cyber risks based on my company’s strategy?
- How do I determine the right level of investment?
- Where should I put my investments?
- How can I prevent or mitigate the disruption of a cyber event?
- How do I ensure that our business returns to normal as quickly as possible?
Turn cyber risk into opportunity
At KPMG, our global network of business-savvy cyber security member firm professionals understand that businesses cannot be held back by cyber risk. KPMG professionals recognize that cyber security is about risk management – not risk elimination.
No matter where you are on the cyber security spectrum, KPMG member firms can help you.
We can work with you so that you can operate without crippling disruption from a cyber security event. Working shoulder-to-shoulder with you, we can help you work through strategy and governance, organizational transformation, cyber defense and cyber response.
As cyber security professionals, we don’t just recommend solutions, we also help implement them. From penetration testing and cyber strategy to access management and cultural change, we guide you every step of the way.
Align your security agenda with your dynamic business and compliance priorities, enabling a forward-thinking security posture that proactively tackles risk.
- Cyber Maturity Assessment (CMA)
- Compliance assessment
- Cyber security strategy/target operating model (TOM)
- Chief Information security officer (CISO) metrics and reporting
- Third party security risk management
- Business resilience
By leveraging our alliances with industry leaders, we help you design, implement and improve your cyber processes and controls to meet regulatory standards and correlate with your cyber strategy.
- ISO 27001 ISMS implementation
- Identity and Access Management (IAM)
- Powered identity
- Security GRC
- Technology integration
- Program delivery
- Cloud security
Our ethical hacking specialists will help you to find your organization’s vulnerabilities before the criminals do:
- Technical assessments
- Penetration testing
- Red teaming
- Security operations and monitoring
- Security analytics
- Insider threat
We can help you prepare for cyber incidents and respond effectively when they occur through our global network of incident response experts:
- Incident response readiness and planning
- Digital investigations and remediation
- Threat intelligence
Privacy
Moving from a compliance exercise to delivering real business value
Since the introduction of the General Data Protection Regulation (GDPR), the regulatory landscape has been every day. The way organizations and individuals think about the protection and use of personal information has changed drastically.
The need to manage personal information in a secure and compliant way is greater than ever. New data protection laws, increasing levels of regulatory action and the changing cyber threat landscape, all drive an organization’s privacy compliance requirements. On top of these risk and regulatory drivers, other factors such as new technologies, greater focus on digital transformation and the changing public perception regarding the collection and use of individuals’ personal information, force organizations to adapt and enhance their privacy practices.
Challenges you might face and key questions that need answering:
- Do your compliance frameworks keep pace with or enable digital transformation?
- Do you know your regulatory landscape and the privacy risk you are exposed to?
- Do you use technology to automate and sustain your privacy processes?
- Can you confidently deploy privacy by design to manage personal information throughout its lifecycle?
- Do you have confidence that your products, new ventures or acquisitions are privacy compliant?
- Are you able to respond to personal data breaches in a timely manner?
At KPMG we believe that privacy and data protection offer real business opportunities and that privacy processes can be put in place to support the business in delivering core services. KPMG can work with you to get this right and solve the issues that you face. Our experienced team of risk advisory, privacy, legal and technology colleagues can quickly mobilize to help you transform your business and partner with you to operate your privacy processes.
Privacy is not a standalone exercise. KPMG will help your team to work across the enterprise in order to successfully manage complex interdependencies with other programs and connect to strategic priorities for your business. We support clients across the full lifecycle of their Ppivacy journeys.
At KPMG we can help you by:
- Assessing your exposure to key privacy issues, your level of privacy risk and identify steps to remediate key areas of weakness in line with your risk appetite;
- Transforming your privacy compliance by helping you to define your privacy strategy and to operationalize it by implementing the necessary policies, processes, tools and controls;
- Enhancing and operate your key privacy processes so that you can manage risk and drive innovation.
Data is the lifeblood of any organisation and should be treated as an asset. Quality and timely information helps leadership make vital business decisions timely and enact appropriate business change. Therefore, organizations must ensure status of the art information protection through the data lifecycle phases.
KPMG can assist you with:
- Management of effective collection, organization, storage, retrieval, and disposal of electronic data and content;
- Thorough data discovery, data classification and data loss prevention tooling;
- Safeguarding against data duplications, redundancy, and exposure;
- Set-up of robust pseudonymisation and anonymisation techniques.
Global operating and service delivery models are rapidly changing across the entire business and within the privacy and data protection sphere.
At KPMG we can provide you with:
- an all-inclusive privacy and data protection service, giving you the option to outsource the DPO role;
- a multitude of privacy managed services that allow your organization to outsource daily data protection and privacy supporting activities in a flexible way.
Leverage the leading practices in KPMG’s accelerated privacy methodology, which is a faster, smarter way to achieve privacy & data protection transformation goals through the use of OneTrust. KPMG’s accelerated privacy offering helps clients accelerate their privacy compliance transformation projects.
We bring leading practice operating models, process flows, role profiles and a standardized OneTrust configuration ready for validation by you. The result is an accelerated delivery, at lower risk, and with a higher degree of certainty and success.
Our KPMG legal services include privacy lawyers, who can work shoulder-to-shoulder with our advisors delivering a multidisciplinary team to provide support to meet your requirements.
We can help you in the areas of privacy litigation, contracting for data protection, international transfers and general legal advice and opinions.
For more information on our legal services we gladly refer to our privacy legal service pages.