External monitoring by our regulators
KPMG has a number of regulators due to the types of services we provide. These include the Financial Reporting Council (FRC), the Institute of Chartered Accountants in England and Wales (ICAEW), the Financial Conduct Authority (FCA), the Solicitors Regulation Authority (SRA), audit third country regulators, and other regulatory and oversight bodies (including HM Government). We’re committed to meeting the expectations of our regulators and ensuring our regulatory engagement is based on the principles of openness, transparency, integrity and accountability.
The regulatory environment continues to evolve and change. We continue to scan the horizon and prepare the firm for incoming regulatory changes. In particular, we continue to engage and work with the FRC to help shape the future for a profession that produces high-quality audits and acts in the public interest.
The results from the FRC and ICAEW inspections together with the results of our own internal monitoring programme, and those of any other regulator including the Public Company Accounting Oversight Board (PCAOB) in the US, provide an overview of our performance of quality engagements. In addition, the FRC’s Audit Firm Supervision (AFS) and Audit Market Supervision (AMS) teams perform inspections, reviews and deep dives into our firm-wide and audit-wide policies and procedures. The results of this work are shared with us throughout the year and the findings are published annually in our Audit Quality Inspection and Supervision report.
Audit quality is our number one priority, and we value the constructive input and challenge from the FRC through their inspection and supervision process. We continue to work closely with the FRC to understand their identified areas of good practice, and importantly where we need to continue to focus to ensure that we build trust and confidence in our profession and the markets.
FRC - Audit Quality Inspection and Supervision Report findings
- 2022/23: 74% of FRC inspections required no more than limited improvements (2021/22: 84%; 2020/21: 59%)
- 2022/23: 78% of FTSE 350 inspections required no more than limited improvements (2021/22: 91%; 2020/21: 75%)
- 2022/23: One audit inspected required significant improvements (2021/22: None; 2020/21: One)
The FRC's AQR report listed areas of good practice and aspects where improvement was required.
In individual audits, good practice included examples relating to risk assessment and planning, execution, and completion and reporting. Areas for improvement included instances relating to impairment, expected credit losses in banking audits, and accounting judgements and disclosures.
The report also included a section on our firm-wide quality control procedures, with examples of good practice and areas for improvement.
The final section of the report focused on the FRC’s forward-looking supervisory approach – identifying and prioritising what firms must do to improve audit quality and enhance resilience. There, we saw recognition of our efforts in developing the Single Quality Plan:
“The firm has positively embraced the SQP initiative and embedded it throughout their business, as a framework to deliver sustainable audit quality.”
FRC’s Audit Quality Inspection and Supervision Report, July 2023
The report also noted that further actions are necessary to implement a comprehensive and robust Root Cause analysis process. We have taken those actions and described them here.
The FRC's report is available to read here.
ICAEW - Monitoring review by the Quality Assurance Department
- 2022: 11 inspections were performed by the Quality Assurance Department of the ICAEW (2021: 12; 2020: 10)
- 2022: 91% of the ICAEW reviews were assessed as “Good / generally acceptable” (2021: 75%; 2020: 100%)
- 2022: One audit reviewed required improvements (2021: Three; 2020: None)
The ICAEW identified good practice across all but one of the files reviewed. Broad themes were:
- Effective use of internal specialists with clear linkage to audit work done and conclusions.
- Clear evidence of appropriate consultation with the firm’s technical department, particularly in areas of judgement.
- Comprehensive audit documentation in areas of estimation and judgement, including property and derivative valuations, and pension related work.
For a summary of the QAD’s review findings, refer to the FRC’s Audit Quality Inspection and Supervision report for KPMG LLP (July 2023).
PCAOB
KPMG in the UK is subject to inspection every three years by the US Public Company Accounting Oversight Board (PCAOB). In accordance with this cycle, the PCAOB was due to inspect during 2021. However, as a result of the COVID-19 pandemic, the PCAOB deferred its inspection to 2022. We look forward to receiving the final report in 2024.
Regulatory investigations and sanctions
Ongoing FRC matters
There were no ongoing FRC investigations into matters announced in previous years at the end of the year.
New FRC matters or developments on ongoing matters during the year
One new FRC investigation in respect of KPMG was announced during the year, relating to the audit of Carr’s Group plc for the period ended 28 August 2021. This investigation is ongoing.
FRC matters closed during the year
Four matters relating to periods between 2013 and 2020 were closed during the year:
- In April 2023, the FRC announced sanctions against KPMG LLP and a former employee relating to the audit of the financial statements of Luceco Plc for the financial year ended 31 December 2016. KPMG LLP was fined £875,000, severely reprimanded, and ordered to analyse the underlying causes of the breaches of relevant requirements and identify and implement any remedial measures necessary to prevent a recurrence. The former employee was fined £35,000 and severely reprimanded.
- In April 2023, the FRC announced sanctions against KPMG LLP and a former partner relating to the audit of the financial statements of The Works.co.uk plc for the financial year ended 26 April 2020. KPMG LLP was fined £1,023,750, severely reprimanded, and ordered to take action to mitigate the effect or prevent the recurrence of breaches of relevant requirements. The former partner was fined £43,875 and severely reprimanded.
- In June 2023, the FRC announced sanctions against KPMG LLP and a former partner relating to the audit of the financial statements of Eddie Stobart Logistics plc for the financial year ended 30 November 2017. KPMG LLP was fined £877,500, severely reprimanded, and ordered to take specified actions to prevent the re-occurrence of the contravention. The former partner was fined £45,500 and severely reprimanded.
- In October 2023 the FRC announced sanctions relating to the audits by KPMG Audit Plc and KPMG LLP of the financial statements of Carillion plc for the financial years ended 31 December 2013 to 2016, and additional audit work in 2017. In relation to the audit for the 2013 financial year, KPMG Audit Plc was fined £2,450,000 and severely reprimanded and a former partner was fined £70,000 and severely reprimanded. In relation to the audits for the 2014 to 2016 financial years and the additional audit work in 2017, KPMG LLP was fined £18,550,000, severely reprimanded and ordered to take remedial action aimed at preventing recurrence of the breaches of relevant requirements including evaluating and reporting whether the measures taken by the firm since 2017 are sufficient in this regard. A former partner was fined £350,000, severely reprimanded and excluded from membership of the ICAEW for 10 years.
ICAEW matters
Two ICAEW investigation outcomes were announced during the year. These related to audits of financial statements of entities and compliance with ethical standards by KPMG LLP and KPMG Audit Plc.
Internal monitoring
Quality monitoring and compliance programmes that are created by KPMG International are used by KPMG firms to identify quality issues, perform root cause analysis and develop remedial action plans, both for individual audits and for their overall System of Quality Management (SoQM). The programmes evaluate:
- Engagement performance in compliance with the applicable professional standards, applicable laws and regulations and key KPMG International policies and procedures;
- Our firm’s compliance with key KPMG International policies and procedures and the relevance, adequacy and effective operation of key quality control policies and procedures.
The internal monitoring and compliance programmes also contribute to the evaluation of our SoQM operating effectiveness. These programmes include:
- Audit Quality Performance Review (QPR)
- KPMG Quality & Compliance Evaluation (KQCE) – formerly known as the Risk Compliance Programme (RCP)
- Global Quality & Compliance Review (GQCR)
The results and lessons from the integrated monitoring and compliance programmes are communicated at local, regional and global levels (as relevant) and we establish action plans to make improvements where needed. Results are also considered by KPMG International.
Audit Quality Performance Review (QPR) programme
The Audit QPR programme is the cornerstone of our efforts to monitor engagement quality. It assesses engagement level performance and identifies opportunities to improve engagement quality.
Risk-based approach
All engagement leaders of statutory and non-statutory audits and other assurance engagements are generally subject to selection for review at least once in a three-year cycle. A risk-based approach is used to select engagements.
We conduct the annual QPR programme in accordance with KPMG International QPR instructions, which promote consistency across the KPMG organisation. Reviews are overseen by an independent experienced lead reviewer from another KPMG firm. QPR results are reported to KPMG International.
Evaluations from Audit QPR programme
Across the global organisation, consistent criteria are used to determine engagement ratings and KPMG firm Audit practice evaluations. Definitions of engagement ratings are explained below:
Compliant
When the audit work performed, the evidence obtained and the documentation compiled fully comply with internal policies, auditing standards and legal and regulatory requirements; and key judgements concerning significant matters in the audit and audit opinion are appropriate.
Compliant - improvements needed (‘CIN’)
When the auditor’s report is supported by evidence and is not incorrect in any material respects, but the independent reviewer required additional information to reach the same conclusion as the auditor; or where supplementary information obtained as part of the audit was not sufficiently documented in the audit; or where specific requirements of our audit methodology were not embedded. A ‘CIN’-rated engagement is not considered an adverse quality outcome.
Not Compliant
When the auditor did not perform the engagement in line with KPMG’s professional standards and policies in a more significant area, or where there are deficiencies in the related financial statements. Where appropriate, in a limited number of cases we remediate engagement files to ensure the audit evidence obtained is adequately documented. Engagement teams undertake specific incremental or remedial training. In addition, engagement leaders receiving a Not Compliant rating are subject to at least one follow-up review.
Reporting
Prior to the finalisation of the review, there is a rigorous moderation process to ensure consistency of grading. A remedial action plan is created for quality areas in which deficiencies were identified which are considered to be significant, applicable at an engagement and a firm level. We share our findings from the Audit QPR programme through internal training tools and in periodic partner, manager and team meetings. Any issues are also emphasised in subsequent monitoring and compliance programmes to gauge the extent of continuous improvement and the effectiveness of the implementation of remedial actions. Lead engagement partners are notified of Audit QPR not compliant ratings on their respective cross-border engagements.
Our Audit QPR programme is designed to hold audit teams to quality levels that assess not only compliance with auditing standards but also adherence to internal requirements such as the performance of specified procedures or completion of specific mandated consultations. As such, teams that perform audits that are very substantially compliant with auditing standards may receive a rating other than Compliant in our internal reviews. Accordingly, it is difficult to make direct comparisons between the results of our internal and external inspection processes.
- Percentage of gradings at Compliant / Compliant – Improvements Needed / Not Compliant: 61% / 25% / 14%
- Percentage of engagement leaders reviewed: 37%
- Number of engagements reviewed: 138
KPMG Quality and Compliance Evaluation (KQCE) programme
The KQCE programme encompasses the testing and evaluation requirements of a KPMG firm’s SoQM which are necessary to support both their compliance with ISQM 1, and compliance with the firm’s quality and risk management policies. KQCE programme requirements are mandated for all KPMG firms. The 2023 KQCE programme covered the period from 1 October 2022 to 30 September 2023.
Monitoring, remediation and evaluation of the SoQM
Monitoring activities include:
- Testing of UK Member Firm SoQM controls performed in the UK and overseas, and at a Network level (including general IT controls);
- Review of ‘other sources’ e.g. QPR and GQCR findings, root cause analysis, regulatory developments etc.
The evaluation of the SoQM involves the identification and assessment of findings from monitoring, and of deficiencies. Judgement is required to assess whether findings result in a deficiency, and the severity and pervasiveness of any deficiencies, individually and in aggregate. Those judgements include considering both the significance of findings to the achievement of quality objectives and the extent to which actions taken up to the evaluation date mitigate the effects on the SoQM. Such judgements are made by the monitoring team, overseen by the Chief Risk Officer, and the final evaluation is scrutinised and independently challenged by the Audit Committee.
Our evaluation of the effectiveness of our SoQM is set out here.
Compliance testing
During the year, member firms were required to self-assess their overall levels of compliance with quality and risk management policies not in scope of the SoQM as either compliant, substantially compliant or non-compliant.
For the year ended 30 September 2023, our approach to quality and risk management policies was rated substantially compliant (defined as where significant compliance findings are not pervasive in nature and action plans to address their identified causes have either already been implemented or substantially implemented or are planned to be implemented within a timeline which will allow for compliance testing in the succeeding period).
Action plans to address the identified root causes of SoQM Deficiencies and Compliance Findings have been developed and are in the process of being delivered. The status of remediation is monitored by the Risk, Operations and Audit Executives and is overseen by the Audit Committee.
Global Quality and Compliance Review (GQCR) programme
A GQCR is conducted by a KPMG International team, independent of the member firm. Firms are selected for review using a risk-based approach, which considers a number of factors, including financial conditions, country risks, results of monitoring programmes and people surveys, with each firm subject to a GQCR at least once in a four-year cycle.
The GQCR team performing the review comprises partners and managers who are independent of the firm subject to review. The overall objective of the GQCR programme is to assess the firm’s compliance with selected KPMG International policies, including those related to governance and SoQM.
The UK firm was subject to a GQCR review during 2021 when a number of opportunities for improvement were identified, including areas which were also generally identified by the UK firm’s Audit Quality and Banking Audit Quality Improvement Plans, Risk Compliance Programme (RCP)/KPMG Quality and Compliance Evaluation (KQCE) and other compliance and quality control processes. Implementation of these improvements is largely complete.
- Critically assess audit evidence, using professional judgement and scepticism.
- Direct, coach, supervise and review, including Second Line of Defence and EQCR.
- Appropriately support and document conclusions.
- Consult when appropriate.
How an audit is conducted is as important as the result. Everyone at KPMG is expected to demonstrate behaviours consistent with our values and follow policies and procedures in the performance of effective and efficient audits.
How we apply this in the UK
Critical assessment of audit evidence, exercise of professional judgement and professional scepticism
We consider all audit evidence obtained during the course of the audit, including consideration of anything that is contradictory or inconsistent. This analysis requires each of our team members to exercise professional judgement, maintain professional scepticism and demonstrate appropriate challenge to obtain sufficient and appropriate audit evidence.
Professional judgement and scepticism training is embedded in our core audit technical training programme for junior staff and ongoing training and workshops for more experienced staff.
Timely senior involvement and monitoring of milestones
The engagement leader is responsible for the overall quality of the audit engagement and therefore for its direction, supervision and performance. Involvement and leadership from the engagement leader early in the process helps set the appropriate scope and tone for the audit. To reinforce this, we mandate the completion and review of audit planning activities within specified timeframes to evidence completion of the relevant planning activities.
The engagement leader reviews key audit documentation – in particular, documentation relating to significant matters arising during the audit and conclusions reached. The engagement manager assists the engagement leader in meeting these responsibilities as well as in the day-to-day liaison with the audited entity and monitoring of engagement milestones.
Involvement of our Second Line of Defence
Our Second Line of Defence team is a group made up of senior auditors which supports our higher risk engagements with a focus on public interest and listed entities. The team performs in-flight reviews of audits to improve the quality of audit execution and documentation, including effective challenge of management in judgemental areas. These senior auditors also help throughout the audit cycle, to identify issues before they impact audit quality. This has a dual purpose: firstly, to enable coaching of teams and, secondly, to act as another level of review and challenge to help engagement teams in the delivery of high-quality audits. In addition, it informs our ongoing horizon scanning for emerging issues that may require broader responses.
Appropriate and timely involvement of specialists
Our engagement teams have access to a network of specialists, which may include involving UK specialists or those from other KPMG member firms. Our audit methodology requires the involvement of relevant specialists in the core audit engagement team when certain criteria are met or where the audit team considers it appropriate or necessary.
Appropriate involvement of the Engagement Quality Control Reviewer
Our Engagement Quality Control Reviewers (EQCRs) are independent of the engagement team and have appropriate experience and knowledge to perform an objective review and challenge of the more critical and judgemental elements of the audit. The audit report can only be released when the EQCR is satisfied that all significant questions raised have been resolved.
An EQCR is appointed for the audits, including any related review(s) of interim financial information, of all listed entities, non-listed entities with a high public profile, engagements that require an EQCR under applicable laws or regulations, and other engagements as designated by the Audit Risk Management Partner or the Chief Auditor.
Ongoing mentoring and on-the-job coaching, supervision and review
To invest in building the skills and capabilities of our professionals, we adopt a continuous learning environment. We support a coaching culture throughout KPMG as part of enabling colleagues to achieve their full potential.
Our Coaching for Quality programme, which was developed with the support of external behavioural psychologists, gives colleagues the tools they need for productive coaching conversations.
New engagement leaders are also provided with an experienced mentor to support their transition into this critical role.
Appropriately supported and documented conclusions
Audit documentation records the audit procedures performed, evidence obtained, and conclusions reached on significant matters on each audit engagement. Our policies require review of documentation by more experienced engagement team members.
Standardised approaches and workpapers assist our audit teams with appropriately supported and documented conclusions.
Monitoring our progress
The results of our external and internal monitoring processes can be found in the ‘Activities during the year’ tab above.