Quality control and risk management

KPMG International has established a quality framework across its network of member firms based on the International Standard on Quality Control 1 (ISQC1) issued by the International Auditing and Assurance Standards Board (IAASB) and the Code of Ethics for Professional Accountants issued by the International Ethics Standards Board for Accountants (IESBA), which apply to professional services firms that perform statutory audits and other assurance and related services engagements.

The policies and associated procedures within this framework enable member firms to comply with relevant professional standards, and with regulatory and legal requirements, and help our partners and employees act with integrity and objectivity, performing their work with diligence.

KPMG in the UK supplements KPMG International’s quality framework with additional policies and procedures that address its specific business risks as well as rules and standards issued by the FRC, the ICAEW and other relevant regulators, such as the US Public Company Accounting Oversight Board.

ISQM1

We have continued working during the year, in collaboration with KPMG International (“KPMGI”), to implement the new International Standard on Quality Management (ISQM1), which supersedes ISQC1.

ISQM1 was issued by the International Auditing and Assurance Standards Board (IAASB) and became effective on 15 December 2022, together with the UK version of the standard issued by the Financial Reporting Council (“FRC”). For each component in the standard, KPMGI has established globally consistent quality objectives, quality risks and responses. The objective of this centralised approach is to drive consistency, robustness, and accountability of responses for processes implemented across our global organisation. Where necessary, we have supplemented the KPMGI requirements with additional quality objectives, quality risks and responses identified through a UK risk assessment process.

Our Audit Quality Framework (see here) outlines how we deliver quality at KPMG. The principle of ‘Perform quality engagements’ sits at its core along with our commitment to continually monitor and remediate our processes as necessary.

Under ISQM1 we are required to evaluate the effectiveness of our system of quality management on an annual basis. Our first evaluation will be performed as at 30 September 2023.

Quality control and risk management are the responsibility of all KPMG personnel, whether they are based in the UK or in one of our offshore locations. This responsibility includes the need to understand and adhere to policies and associated procedures in carrying out their day-to- day activities.

Our Chief Executive assumes ultimate responsibility for the UK’s system of quality control, in accordance with the principles in the revised ISQC1 issued by the FRC.

Operational responsibility for the system of quality control, risk management and compliance is delegated to the Chief Risk Officer, who is responsible for setting overall professional risk management and quality control policies and for monitoring compliance for KPMG in the UK.

The Chief Risk Officer has a direct reporting line to the Chief Executive and sits on the Executive Committee of KPMG in the UK, underlining the importance of the role.

The Chief Risk Officer is supported directly by a team of partners and professionals, including a Risk Management Partner in each of the Capabilities.

The Ethics Partner is supported by a core team to help ensure that we apply robust and consistent ethics and independence policies, processes and tools.

The Head of Audit, Head of Tax and Legal, Head of Deal Advisory and Head of Consulting are accountable to the Chief Executive for the quality of service delivered in their respective capability areas. While many of our quality control processes are cross-Capability and apply equally to tax and advisory work, the primary focus of the Transparency Report requirements relates to Audit. Our Audit Quality Framework (see here) provides more detail on the way it helps ensure the delivery of quality statutory audits.

In the case of the Audit practice, the Head of Audit Quality chairs the Audit Quality Council which met on a monthly basis during the year. These meetings, together with the monthly Emerging Issues Meeting chaired by the Chief Auditor, addressed external regulatory matters (including progress on AQR and QAD reviews and actions to address their findings), our internal quality reviews, emerging audit quality issues and current matters from the central quality teams.

The Audit Leadership Team Risk & Quality sub-committee meets monthly to consider risk within the audited entity portfolio and to ensure there are sufficient and appropriate controls and mitigations in place to support engagement leaders in performing a quality audit and in managing risk. Other focus areas of the sub-committee include monitoring of regulatory matters, assessment of the risk watchlist and consideration of other emerging risk areas.

Our UK Audit practice is also a key contributor to our global thinking, with representatives on all major global audit quality and development councils and teams. We use these forums to understand how other member firms have tackled similar issues, share our experiences, and facilitate common solutions.

At KPMG, audit quality is not just about reaching the right opinion, but how we reach that opinion. It is about the processes, thought and integrity behind the audit report.

We view the outcome of a quality audit as the delivery of an appropriate and independent opinion that complies with auditing standards. This means, above all, being independent, objective and compliant with relevant legal and professional requirements.

The following statements articulate the principles through which we manage the risk we take across the firm, ensuring we act responsibly, in the public interest and in the interest of the entities we audit, our clients, our people, our regulators, and the markets and communities we work in.

The identification, evaluation, management and monitoring of the most significant risks that face our firm and could threaten the achievement of our strategic objectives, or our business model, future performance or solvency, is the responsibility of our Board. The principal risks and uncertainties that the UK firm faces are set out in, and managed under, the firm’s Enterprise-Wide Risk Management (ERM) Framework. This framework is used by the Board throughout the year to ensure the timely identification of new and emerging risks and the development of appropriate mitigations and action planning, in line with the firm’s strategy.

The current framework was put in place at the beginning of FY22 following a comprehensive review in the prior year of how the information provided under it is used by the relevant governance bodies. The work undertaken as part of this review included:

• Robust challenge of the firm’s risk taxonomy, reflecting developments in the firm’s risk landscape (current and longer term), changes made to KPMG International’s Risk Framework during the year and the results of a Dynamic Risk Assessment undertaken through facilitated workshops with the Board.
• Setting of risk appetite, at firm-wide and Capability level.
• Implementation of an automated Governance Risk and Compliance (GRC) tool to support specific aspects of our risk management.
• The development of a horizon scanning tool, using input from the firm’s own experts in political, economic, social, technology, legal and environmental risks.
• A review of the firm’s regular risk reporting to various governance groups.

The framework established and in place throughout FY22 was further reviewed by the Board Risk Committee in September 2022 to reflect the impact of external events during the year on the firm’s risk landscape, changes to our Markets structure, additional guidance issued by KPMG International and emerging best practice. A small number of changes to the firm’s risk appetite were approved to reflect the current political, economic and regulatory environment and specific risks within the FY23 Business Plan.

The firm’s Assurance Map, developed during the year to document the relationship between the firm’s risks, its controls and compliance and assurance activities across the first, second and third line of defence, was also approved in September 2022 and objectives were set for further improvement of the framework in FY23, including the extension of the firm’s risk analysis within the GRC tool and further enhancements to our ESG risk reporting.

The firm’s principal risks are set out within the firm’s four key risk ‘families’ of: Reputation, Regulation and Legal; Strategic; Operational; and Financial. For the year ending 30 September 2022, KPMG in the UK identified 11 principal risks across these four key risk ‘families’:

The risks are not shown in order of priority.

During the year, further progress has been made in strengthening the firm’s governance, with additional investment in the firm’s second line of defence and regulatory compliance teams. These steps have all contributed to the mitigation of our principal risks.

Our assessment of how these risks have moved over time (trend), the current risk landscape and the mitigating actions we have put in place to address each risk can be found here.

Our partner-led Audit Regulatory Compliance (ARC) function, established during FY21, is the main point of contact with the firm’s primary regulator, the FRC, maintaining an overview of all interactions with Audit Market Supervision and Audit Firm-wide Supervision and ensuring that all commitments, requirements and actions are fulfilled.

ARC incorporates a Compliance Monitoring function whose purpose is to deliver a dedicated compliance programme, providing independent assurance that the processes, procedures and controls in place to meet audit regulatory requirements are operating effectively. A monitoring plan is developed and presented for approval to the Audit Executive at the start of the year and updated where necessary during the year to ensure it remains focused on appropriate risk areas.

KPMG International policy extends the IESBA Code restrictions on ownership of audited entity securities to every member firm partner in respect of any audited entity of any member firm. KPMG in the UK has a policy whereby all staff who are involved in delivering professional services engagements are also prohibited from holding securities in companies audited by KPMG.

Our professionals are responsible for making appropriate inquiries to ensure that they do not have any personal financial, business or family interests that are restricted for independence purposes and we use a web-based independence compliance tracking system to assist our professionals in their compliance with personal independence investment policies.

We monitor partner and employee compliance with these requirements through a programme of audits on a sample of professionals. In the year ended 30 September 2022, we enhanced our programme with 984 (2021: 497) of our people subject to checks. This included approximately 20% of our partners as well as an increase in the number of non-partner individuals selected for review. In accordance with KPMG International policy, all partners and partner equivalents are compliance audited in a five-year period, and those partners in a Chain of Command role are audited every three years.

In addition, all direct-entry partners are subject to a compliance audit as a condition of their admission to the partnership and are subject to a further audit after 12 months in the firm.

The policy we apply to members of the audit team who are recruited by entities we audit goes beyond the requirements of the FRC’s 2019 ES. It requires any member of an audit team to inform the Ethics & Independence team of any situation involving their potential employment with an entity where they are part of the audit engagement team. We also prohibit all partners in our firm from accepting a director or key management position role at an entity that we audit within two years of retiring from the partnership.

We have policies and procedures in place to ensure that business relationships are maintained in accordance with the FRC’s 2019 ES and the IESBA Code. Consultation with our ethics and independence professionals is required for any proposed business relationship with an entity we audit, or its management, to ensure compliance with the relevant independence regulations. Compliance with these policies and procedures is reviewed periodically.

We provide all relevant colleagues (including all partners and staff who are involved in delivering professional services engagements) with independence training appropriate to their grade and business area and provide all new personnel with relevant training when they join the firm.

All personnel are required to sign an independence confirmation upon joining the firm. Thereafter, all personnel confirm annually they have remained in compliance with applicable ethics and independence policies throughout the period. Partners and partner equivalents make an additional confirmation at the mid-year in respect of their personal investment compliance.

All audit engagement leaders are subject to periodic rotation of their responsibilities for entities we audit under applicable laws and regulations and independence rules, which limit the number of years that engagement leaders may provide audit services to an audited entity. KPMG rotation policies comply with the requirements of the FRC’s 2019 ES (and, where applicable for certain engagements, the rules of the PCAOB). For example, under the FRC’s 2019 ES the audit engagement leader for a public interest entity cannot serve in that role for more than five years and once they have rotated off of the audit cannot participate in the audit again for a further five years.

We monitor the rotation of audit engagement leaders and any other key roles where there is a rotation requirement, including the Engagement Quality Control Reviewer, and have transition plans to enable us to allocate partners with the necessary competence and capability to deliver a consistent quality of service to audited entities.

PIEs, as defined in the FRC’s 2019 ES, are required to rotate their firm of auditors. Mandatory Firm Rotation (MFR) rules in the UK require that all PIEs must tender their audit contract at least every 10 years and rotate their auditor at least every 20 years. We have processes in place to track and manage MFR.

We have policies regarding the scope of services that can be provided to entities for whom we are auditors which are consistent with the FRC’s 2019 ES and the IESBA Code, and, where applicable, the rules of the SEC and PCAOB. KPMG policies require the audit engagement leader to evaluate the threats arising from the provision of non-audit services and the safeguards available to address those threats, including whether an objective, reasonable and informed third party would consider it appropriate for the auditor to provide the non-audit service.

Every engagement intended to be entered into by a KPMG member firm is required to be included in our Sentinel™ tool, prior to starting work, enabling group lead audit engagement partners to review and approve, or deny, any proposed service for those entities worldwide.

To maintain auditor independence, no individual with the ability to influence the conduct and outcome of an audit can be rewarded for selling non-audit services to entities we audit.

KPMG International’s policies recognise that self-interest or intimidation threats may arise if the total fees from an entity which we audit represent a large proportion of the total fees of the member firm expressing the audit opinion.

No entity to whom we provide audit services accounted for more than 10% of the total fees received by the firm in either of the last two years.

To perform a professional services engagement both KPMG and all members of the engagement team need to be objective in both fact and in appearance. This means that before accepting any engagement it is necessary to identify if there are any conflicts of interest (or any other threats to objectivity) associated with taking on that work and to determine if these can be safeguarded to an acceptable level such that the conflict can be managed, and the engagement accepted. Our Conflicts of Interest Policy and procedures are designed to ensure that we meet these requirements. During 2022 we refreshed our Conflicts of Interest Policy and procedures. As part of the refresh process, we took input from an external law firm and their recommendations are reflected in the Policy and procedures which we now operate across our firm.

Our Conflicts of Interest Policy sets out how to identify, assess and safeguard threats to objectivity as well as setting out situations where conflicts would always be unmanageable, the escalation requirements for specific conflict situations and what the special considerations are with respect to conflicts involving audited entities. Where a conflict of interest involves an audited entity, our policy requires consideration of how accepting that service might give rise to a condition or relationship (or conflict) that would (or would be perceived to) impact on KPMG’s independence as auditors. The overarching principle is that we would not accept an engagement where it was clear at acceptance that it would involve the client or KPMG (on behalf of or to support the client) taking an adversarial position against a statutory audited entity of KPMG on a matter that was material to its financial statements or involved challenging the accounting for any matters that were material to the audited financial statements.

Sentinel™ is used to identify and manage potential conflicts of interest within and across member firms. Any potential conflict issues identified are resolved in consultation with other parties as applicable and the outcome is documented. Where conflicts of interest are identified it is necessary to consider how they can be safeguarded for example through establishing formal dividers between engagement teams serving different entities and/or seeking consent. If a potential conflict issue cannot be safeguarded though, the engagement is declined or terminated.

More complex conflicts require escalation, and the most complex conflicts are considered by our firm’s Conflicts Working Group, which is chaired by our Ethics Partner and is one of the enhancements to our processes that we introduced this year.

All partners and client-facing personnel received mandatory training during the year on the refreshed conflicts policy and processes.