Information Risk Management

The basic prerequisite is the establishment of reliable IT systems, efficient IT-supported business processes and cost-optimised support processes. The linkage with effective control and monitoring mechanisms enables proper information processing for the long term.

KPMG’s audit and advisory services make the use of information technologies manageable and can significantly reduce risks. We develop customised approaches to meet technical requirements, improve the quality of information processing and increase the value contribution of IT. In particular, we advise on the organisation, management and control of IT and the appropriate design of IT-supported processes as well as the certification of products and services with a view to regulatory requirements.

• The banking supervisory authorities are increasing the requirements for IT processes and systems and demand proof of compliance with established standards.
• Institutions have to standardise and consolidate their system landscape in order to withstand the competition. System and data migration projects are becoming increasingly complex.
• Financial institutions are outsourcing more and more IT and business processes to provide services more effectively.

In conjunction with IT Consulting and IT Assurance, we support our clients in the assessment of IT strategies, the analysis of IT architectures and data sets as well as with technical and IT concepts, software selection, test management and IT due diligence. We can advise you on the implementation of regulatory requirements (e.g. Basel III/CRD IV, Solvency II) and the implementation of appropriate IT governance and IT compliance structures. We develop process strategies with you, design core processes in the IT area and design systems and processes in compliance with laws and contracts - taking into account national requirements and international best practice.

• Assessment and further development of the internal (IT) control system for IT-supported procedures
• Assessment of document management systems and electronic archiving procedures
• Audit or preparation of certificates regarding the suitability of the privacy-relevant internal control system within the framework of commissioned data processing in accordance with the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG)
• Performance of risk-oriented business impact analyses
• Assessment and elaboration of appropriate access protection procedures
• Design and documentation of integrated instruction systems
• Review and/or benchmarking of IT processes according to national and international standards and best practice:
  • Audit or preparation for certification of outsourced accounting-related business units according to standards such as ISAE 3402 and IDW PS 951 as well as other selected business units according to ISAE 3000.
  • Preparation for certification according to the following standards: ISO/IEC 27001 (Information security management systems), ISO 20000 (IT Service Management), BS 25999 (Business Continuity Management), ISO 9001 (Quality Management) and PCI DSS (Payment Card Industry Data Security Standard). Our specialists achieve special synergies when these voluntary certifications are combined with audits according to the above standards.
  • Support in setting up appropriate business continuity management based on established standards (BS 25999, BSI Standard 100-4).
  • Certification of applications according to adequacy standards (IDW PS 880) or according to other verifiable criteria.
  • Audit and quality assurance monitoring during projects to ensure proper project procedures and results (IDW PS 850).

• Alignment of IT processes with business strategy and integration into a holistic corporate governance approach.
• Design, setup and implementation of IT governance and IT compliance systems based on recognised IT frameworks such as COBIT or CMMI.
• Establishment, assessment and further development of concepts for IT control and performance management.
• Implementation of control and monitoring systems for IT risk management.
• Project reviews to identify causes and reasons for project delays and budget overruns.
• Support in the development of suitable sourcing strategies and in the establishment of efficient outsourcing controlling that meets the requirements for the outsourcing of essential banking transactions.
• Support for IT auditing in ensuring data security, completeness and correctness and/or takeover of IT auditing (as a sub-area of internal auditing).
• Setup and review of identity & access management systems at all stages, including gap analysis, strategy building support, architecture design, implementation roadmap and governance model.