Transparency Report

Quality control and risk management

KPMG is committed to quality and service excellence in all that we do, helping to bring our best to clients and earning the public’s trust through our actions and behaviours both professionally and personally.

The UK firm has numerous policies and procedures in place to enable its compliance with professional standards. Partners and employees are responsible for complying with these policies and procedures, and there are internal controls and processes in place to help them do so.

The Board annually assesses both the effectiveness of the firm’s internal controls and its compliance with independence policies and confirms the firm’s compliance with the Audit Firm Governance Code.

The Board has overall responsibility for risk management and internal control:

  • The assessment and management of risk is supported by the Risk Committee.
  • Monitoring of internal controls is supported by the Audit Committee.

The firm has adopted KPMG’s Global Independence Policies:

  • All partners and partner equivalents are subject to a compliance audit at least once every five-year period, and those partners in a Chain of Command role are audited at least once every three years.
  • We provide all relevant personnel with annual firm independence, personal independence and conflicts of interest training.
  • Training on compliance with laws, regulations, professional standards and our Code of Conduct (Our Code) is issued to all partners and employees on joining the firm and annually thereafter.

The firm’s Internal Audit plan is reviewed and approved by the Audit Committee:

  • Internal Audit provides the Audit Committee with independent and objective assurance on the adequacy and effectiveness of our governance, risk management and internal control processes.
  • The firm’s Internal Audit function was subject to an external quality assessment in FY21 and received a ‘Generally Conforms’ report against the professional standards for internal audit.

Our quality control and risk management systems

Policies and procedures

KPMG International has established a quality framework across its network of member firms based on the International Standard on Quality Control 1 (ISQC1) issued by the International Auditing and Assurance Standards Board (IAASB) and the Code of Ethics for Professional Accountants issued by the International Ethics Standards Board for Accountants (IESBA), which apply to professional services firms that perform statutory audits and other assurance and related services engagements.

The policies and associated procedures within this framework enable member firms to comply with relevant professional standards, and with regulatory and legal requirements, and help our partners and employees act with integrity and objectivity, performing their work with diligence.

KPMG in the UK supplements KPMG International’s quality framework with additional policies and procedures that address its specific business risks as well as rules and standards issued by the FRC, the ICAEW and other relevant regulators, such as the US Public Company Accounting Oversight Board.

We have continued working during the year, in collaboration with KPMG International (“KPMGI”), to implement the new International Standard on Quality Management (ISQM1), which supersedes ISQC1.

ISQM1 was issued by the International Auditing and Assurance Standards Board (IAASB) and became effective on 15 December 2022, together with the UK version of the standard issued by the Financial Reporting Council (“FRC”). For each component in the standard, KPMGI has established globally consistent quality objectives, quality risks and responses. The objective of this centralised approach is to drive consistency, robustness, and accountability of responses for processes implemented across our global organisation. Where necessary, we have supplemented the KPMGI requirements with additional quality objectives, quality risks and responses identified through a UK risk assessment process.

Our Audit Quality Framework (see here) outlines how we deliver quality at KPMG. The principle of ‘Perform quality engagements’ sits at its core along with our commitment to continually monitor and remediate our processes as necessary.

Under ISQM1 we are required to evaluate the effectiveness of our system of quality management on an annual basis. Our first evaluation will be performed as at 30 September 2023.

Responsibility for quality and risk management

Quality control and risk management are the responsibility of all KPMG personnel, whether they are based in the UK or in one of our offshore locations. This responsibility includes the need to understand and adhere to policies and associated procedures in carrying out their day-to-day activities.

Our Chief Executive assumes ultimate responsibility for the UK’s system of quality control, in accordance with the principles in the revised ISQC1 issued by the FRC.

Operational responsibility for the system of quality control, risk management and compliance is delegated to the Chief Risk Officer, who is responsible for setting overall professional risk management and quality control policies and for monitoring compliance for KPMG in the UK.

The Chief Risk Officer has a direct reporting line to the Chief Executive and sits on the Executive Committee of KPMG in the UK, underlining the importance of the role.

The Chief Risk Officer is supported directly by a team of partners and professionals, including a Risk Management Partner in each of the Capabilities.

The Ethics Partner is supported by a core team to help ensure that we apply robust and consistent ethics and independence policies, processes and tools.

The Head of Audit, Head of Tax and Legal, Head of Deal Advisory and Head of Consulting are accountable to the Chief Executive for the quality of service delivered in their respective capability areas. While many of our quality control processes are cross-Capability and apply equally to tax and advisory work, the primary focus of the Transparency Report requirements relates to Audit. Our Audit Quality Framework (see here) provides more detail on the way it helps ensure the delivery of quality statutory audits.

In the case of the Audit practice, the Head of Audit Quality chairs the Audit Quality Council which met on a monthly basis during the year. These meetings, together with the monthly Emerging Issues Meeting chaired by the Chief Auditor, addressed external regulatory matters (including progress on AQR and QAD reviews and actions to address their findings), our internal quality reviews, emerging audit quality issues and current matters from the central quality teams.

The Audit Leadership Team Risk & Quality sub-committee meets monthly to consider risk within the audited entity portfolio and to ensure there are sufficient and appropriate controls and mitigations in place to support engagement leaders in performing a quality audit and in managing risk. Other focus areas of the sub-committee include monitoring of regulatory matters, assessment of the risk watchlist and consideration of other emerging risk areas.

Our UK Audit practice is also a key contributor to our global thinking, with representatives on all major global audit quality and development councils and teams. We use these forums to understand how other member firms have tackled similar issues, share our experiences, and facilitate common solutions.

At KPMG, audit quality is not just about reaching the right opinion, but how we reach that opinion. It is about the processes, thought and integrity behind the audit report.

We view the outcome of a quality audit as the delivery of an appropriate and independent opinion that complies with auditing standards. This means, above all, being independent, objective and compliant with relevant legal and professional requirements.

Risk management principles

The following statements articulate the principles through which we manage the risk we take across the firm, ensuring we act responsibly, in the public interest and in the interest of the entities we audit, our clients, our people, our regulators, and the markets and communities we work in.

We will:

  • Establish and maintain high standards in leadership, accountability, ethics and governance.
  • Act as stewards for the KPMG brand and take proactive steps to ensure that we support one another, both within the UK and across our member firms, in doing so.
  • Work with trusted partners and alliances, as well as engaging in mergers and acquisitions to obtain capability, where it meets our trust and growth objectives.
  • Carefully consider the clients, audited entities and the engagements we choose to accept, within the context of our ‘ACCEPT’ framework, a refreshed set of client and engagement acceptance guidance embedding our values, risk appetite and ESG commitments.
  • Comply with applicable laws, regulations and codes of conduct, including KPMG’s global standards and policies and KPMG’s tax principles.
  • Manage actual and perceived conflicts of interest.
  • Protect confidential information and ensure business service continuity.
  • Live Our Values through high standards of behaviour, and promote a culture of trust, empowerment, accountability and mastery that supports Our Values.
  • Anticipate and respond to changes in the competitor landscape, macro-economy and clients’ needs.
  • Deliver high-quality services – through experienced and appropriately resourced teams, integrated solutions and the use of robust technology.
  • Set financial targets that are consistent with achieving both the trust and growth elements of our strategy.
  • Be courageous in undertaking work in the public interest and in support of our wider purpose.
  • Be brave in working together, contributing to important issues in accordance with Our Values.
  • Develop our diverse, talented and motivated people through inclusive leadership.

Risk management

The identification, evaluation, management and monitoring of the most significant risks that face our firm and could threaten the achievement of our strategic objectives, or our business model, future performance or solvency, is the responsibility of our Board. The principal risks and uncertainties that the UK firm faces are set out in, and managed under, the firm’s Enterprise-Wide Risk Management (ERM) Framework. This framework is used by the Board throughout the year to ensure the timely identification of new and emerging risks and the development of appropriate mitigations and action planning, in line with the firm’s strategy.

The current framework was put in place at the beginning of FY22 following a comprehensive review in the prior year of how the information provided under it is used by the relevant governance bodies. The work undertaken as part of this review included:

  • Robust challenge of the firm’s risk taxonomy, reflecting developments in the firm’s risk landscape (current and longer term), changes made to KPMG International’s Risk Framework during the year and the results of a Dynamic Risk Assessment undertaken through facilitated workshops with the Board.
  • Setting of risk appetite, at firm-wide and Capability level.
  • Implementation of an automated Governance Risk and Compliance (GRC) tool to support specific aspects of our risk management.
  • The development of a horizon scanning tool, using input from the firm’s own experts in political, economic, social, technology, legal and environmental risks.
  • A review of the firm’s regular risk reporting to various governance groups.

The framework established and in place throughout FY22 was further reviewed by the Board Risk Committee in September 2022 to reflect the impact of external events during the year on the firm’s risk landscape, changes to our Markets structure, additional guidance issued by KPMG International and emerging best practice. A small number of changes to the firm’s risk appetite were approved to reflect the current political, economic and regulatory environment and specific risks within the FY23 Business Plan.

The firm’s Assurance Map, developed during the year to document the relationship between the firm’s risks, its controls and compliance and assurance activities across the first, second and third line of defence, was also approved in September 2022 and objectives were set for further improvement of the framework in FY23, including the extension of the firm’s risk analysis within the GRC tool and further enhancements to our ESG risk reporting.

Principal risks

The firm’s principal risks are set out within the firm’s four key risk ‘families’ of: Reputation, Regulation and Legal; Strategic; Operational; and Financial. For the year ending 30 September 2022, KPMG in the UK identified 11 principal risks across these four key risk ‘families’:

Reputation, Regulation and Legal

  • Trust
  • Regulation
  • Legal

Strategic

  • Growth
  • Clients and audited entities

Operational

  • Execution – Quality
  • Execution – Delivery
  • People, Talent and Culture
  • Technology and information management
  • Business operation, resilience and controls

Financial

  • Financial management

The risks are not shown in order of priority.

During the year, further progress has been made in strengthening the firm’s governance, with additional investment in the firm’s second line of defence and regulatory compliance teams. These steps have all contributed to the mitigation of our principal risks.

Our assessment of how these risks have moved over time (trend), the current risk landscape and the mitigating actions we have put in place to address each risk can be found here.

Audit Regulatory Compliance

Our partner-led Audit Regulatory Compliance (ARC) function, established during FY21, is the main point of contact with the firm’s primary regulator, the FRC, maintaining an overview of all interactions with Audit Market Supervision and Audit Firm-wide Supervision and ensuring that all commitments, requirements and actions are fulfilled.

ARC incorporates a Compliance Monitoring function whose purpose is to deliver a dedicated compliance programme, providing independent assurance that the processes, procedures and controls in place to meet audit regulatory requirements are operating effectively. A monitoring plan is developed and presented for approval to the Audit Executive at the start of the year and updated where necessary during the year to ensure it remains focused on appropriate risk areas.

Internal Audit

On 1 July 2022 the firm appointed a dedicated Head of Internal Audit to this role. Internal Audit provides independent and objective assurance on the adequacy and effectiveness of our governance, risk management and internal control processes. The Internal Audit plan was approved at the start of the year and was updated during the year to ensure that it remained appropriate and reflected changes to business risks, including the heightened risks presented by the current external environment and the continuing risks presented by the COVID-19 pandemic. The plan is devised by understanding the risk profile of the firm (whether strategic, operational or in relation to change risks), considering other risk management, compliance and assurance activities and, based on this, agreeing what internal audit work is required.

In reviewing and approving the internal audit plan, the Audit Committee ensured a balance between coverage of the highest priority risks and maintaining appropriate coverage of the core business processes.

Maintaining an objective and independent mindset

We have adopted the KPMG Global Independence Policies which are derived from the International Ethics Standards Board for Accountants’ Code of Ethics for Professional Accountants (the IESBA Code) and incorporate other applicable regulatory standards. For KPMG in the UK, we supplement these policies with other processes to ensure compliance with the FRC’s 2019 Ethical Standard (FRC’s 2019 ES).

These policies and processes cover areas such as firm independence, personal independence, firm financial relationships, post-employment relationships, partner rotation and approval of audit and non-audit services. In the UK, the Ethics Partner is supported by a core team to help ensure that we apply robust and consistent independence policies, processes and tools. Ethics and independence policies are set out in our intranet-hosted Quality & Risk Management Manual as well as various guidance materials on the internal UK portal and reinforced through training.

Failure to comply with the firm’s independence policies, whether identified in the rolling compliance review, self-declared, or otherwise, is in the case of engagement leaders and managers, reflected in their individual ethics and compliance metrics. The Ethics Working Group oversees policies and procedures in relation to ethical matters and breaches of the requirements of the FRC’s 2019 ES.

Personal independence

KPMG International policy extends the IESBA Code restrictions on ownership of audited entity securities to every member firm partner in respect of any audited entity of any member firm. KPMG in the UK has a policy whereby all staff who are involved in delivering professional services engagements are also prohibited from holding securities in companies audited by KPMG.

Our professionals are responsible for making appropriate inquiries to ensure that they do not have any personal financial, business or family interests that are restricted for independence purposes and we use a web-based independence compliance tracking system to assist our professionals in their compliance with personal independence investment policies.

We monitor partner and employee compliance with these requirements through a programme of audits on a sample of professionals. In the year ended 30 September 2022, we enhanced our programme with 984 (2021: 497) of our people subject to checks. This included approximately 20% of our partners as well as an increase in the number of non-partner individuals selected for review. In accordance with KPMG International policy, all partners and partner equivalents are compliance audited in a five-year period, and those partners in a Chain of Command role are audited every three years.

In addition, all direct-entry partners are subject to a compliance audit as a condition of their admission to the partnership and are subject to a further audit after 12 months in the firm.

The policy we apply to members of the audit team who are recruited by entities we audit goes beyond the requirements of the FRC’s 2019 ES. It requires any member of an audit team to inform the Ethics & Independence team of any situation involving their potential employment with an entity where they are part of the audit engagement team. We also prohibit all partners in our firm from accepting a director or key management position role at an entity that we audit within two years of retiring from the partnership.

Business relationships/suppliers

We have policies and procedures in place to ensure that business relationships are maintained in accordance with the FRC’s 2019 ES and the IESBA Code. Consultation with our ethics and independence professionals is required for any proposed business relationship with an entity we audit, or its management, to ensure compliance with the relevant independence regulations. Compliance with these policies and procedures is reviewed periodically.

Independence training and confirmations

We provide all relevant colleagues (including all partners and staff who are involved in delivering professional services engagements) with independence training appropriate to their grade and business area and provide all new personnel with relevant training when they join the firm.

All personnel are required to sign an independence confirmation upon joining the firm. Thereafter, all personnel confirm annually they have remained in compliance with applicable ethics and independence policies throughout the period. Partners and partner equivalents make an additional confirmation at the mid-year in respect of their personal investment compliance.

Audit engagement leader rotation

All audit engagement leaders are subject to periodic rotation of their responsibilities for entities we audit under applicable laws and regulations and independence rules, which limit the number of years that engagement leaders may provide audit services to an audited entity. KPMG rotation policies comply with the requirements of the FRC’s 2019 ES (and, where applicable for certain engagements, the rules of the PCAOB). For example, under the FRC’s 2019 ES the audit engagement leader for a public interest entity cannot serve in that role for more than five years and, once they have rotated off the audit, cannot participate in the audit again for a further five years.

We monitor the rotation of audit engagement leaders and any other key roles where there is a rotation requirement, including the Engagement Quality Control Reviewer, and have transition plans to enable us to allocate partners with the necessary competence and capability to deliver a consistent quality of service to audited entities.

Firm rotation

PIEs, as defined in the FRC’s 2019 ES, are required to rotate their firm of auditors. Mandatory Firm Rotation (MFR) rules in the UK require that all PIEs must tender their audit contract at least every 10 years and rotate their auditor at least every 20 years. We have processes in place to track and manage MFR.

Non-audit services

We have policies regarding the scope of services that can be provided to entities for whom we are auditors which are consistent with the FRC’s 2019 ES and the IESBA Code, and, where applicable, the rules of the SEC and PCAOB. KPMG policies require the audit engagement leader to evaluate the threats arising from the provision of non-audit services and the safeguards available to address those threats, including whether an objective, reasonable and informed third party would consider it appropriate for the auditor to provide the non-audit service.

Every engagement intended to be entered into by a KPMG member firm is required to be included in our Sentinel™ tool, prior to starting work, enabling group lead audit engagement partners to review and approve, or deny, any proposed service for those entities worldwide.

To maintain auditor independence, no individual with the ability to influence the conduct and outcome of an audit can be rewarded for selling non-audit services to entities we audit.

Fee dependency

KPMG International’s policies recognise that self-interest or intimidation threats may arise if the total fees from an entity which we audit represent a large proportion of the total fees of the member firm expressing the audit opinion.

No entity to whom we provide audit services accounted for more than 10% of the total fees received by the firm in either of the last two years.

Conflicts of interest

To perform a professional services engagement, both KPMG and all members of the engagement team need to be objective both in fact and in appearance. This means that before accepting any engagement it is necessary to identify whether there are any conflicts of interest (or any other threats to objectivity) associated with taking on that work and to determine whether these can be safeguarded to an acceptable level such that the conflict can be managed and the engagement accepted. Our Conflicts of Interest Policy and procedures are designed to ensure that we meet these requirements. During 2022 we refreshed our Conflicts of Interest Policy and procedures. As part of the refresh process, we took input from an external law firm, and their recommendations are reflected in the Policy and procedures which we now operate across our firm.

Our Conflicts of Interest Policy sets out how to identify, assess and safeguard threats to objectivity as well as setting out situations where conflicts would always be unmanageable, the escalation requirements for specific conflict situations and what the special considerations are with respect to conflicts involving audited entities. Where a conflict of interest involves an audited entity, our policy requires consideration of how accepting that service might give rise to a condition or relationship (or conflict) that would (or would be perceived to) impact on KPMG’s independence as auditors. The overarching principle is that we would not accept an engagement where it was clear at acceptance that it would involve the client or KPMG (on behalf of or to support the client) taking an adversarial position against a statutory audited entity of KPMG on a matter that was material to its financial statements or involved challenging the accounting for any matters that were material to the audited financial statements.

Sentinel™ is used to identify and manage potential conflicts of interest within and across member firms. Any potential conflict issues identified are resolved in consultation with other parties as applicable, and the outcome is documented. Where conflicts of interest are identified, it is necessary to consider how they can be safeguarded, for example through establishing formal dividers between engagement teams serving different entities and/or seeking consent. If, however, a potential conflict issue cannot be safeguarded, the engagement is declined or terminated.

More complex conflicts require escalation, and the most complex conflicts are considered by our firm’s Conflicts Working Group, which is chaired by our Ethics Partner and is one of the enhancements to our processes that we introduced this year.

All partners and client-facing personnel received mandatory training during the year on the refreshed conflicts policy and processes.

Compliance with laws and regulations

We provide training on compliance with laws (including those relating to anti-bribery and corruption, money laundering and sanctions), regulations and professional standards (including conflicts of interest) and our code of conduct (Our Code) to all partners and employees on joining the firm and annually thereafter. Other topics, including Fraud Risk Awareness, Corporate Criminal Offences and Modern Slavery are run bi-annually for all partners and employees.

All partners and employees are asked to confirm annually, in our Ethics and Independence Confirmation, that: “I understand that at KPMG we are all committed to behaving ethically, to demonstrate that we are trustworthy – which I do by pro-actively living Our Values – and adhering to Our Code which includes upholding our firm's commitments to comply with our professional, ethical and quality standards at all times.”

Statement by the Board on the effectiveness of internal controls

Internal controls statement

The Board is responsible for the firm’s system of internal controls and for reviewing its effectiveness. Such a system manages, rather than eliminates, the risk of failure to achieve business objectives and can only provide reasonable and not absolute assurance against material misstatement, loss, or non-compliance with relevant regulatory or legislative requirements. The day-to-day responsibility for managing our operations rests with the Executive Committee.

In accordance with the Audit Firm Governance Code, the Board has reviewed the effectiveness of its systems of internal control. In reviewing the systems of internal control and their effectiveness, it has adopted the approach prescribed within the UK Corporate Governance Code.

This monitoring covers risk management systems and all key controls, including those relating to finance, operations, quality, compliance and culture. It is based principally on the consideration and review of reports from relevant Executive Members and reports from the Audit, Risk and People Committees as well as from the Executive Committee and Audit Board to consider whether significant risks are identified, evaluated, managed and controlled.

During 2022, the Board has:

  • Considered risk reporting under the firm’s Enterprise Risk Management Framework.
  • Reviewed regular reports by the Chief Operating Officer and Chief Financial Officer on the firm’s financial performance and on any emerging financial risks and issues, including COVID-19.
  • Reviewed regular reports from the Chair of the Risk Committee on regulatory, risk and compliance matters, including the findings and associated action plans arising from the various compliance programmes operated by the firm and external regulatory inspections and reviews.
  • Considered reports to the Board made by the People, Audit and Risk Committees and the Audit Board on how each has discharged its duties in the year, which included:
    • Results of internal audit work commissioned as part of the approved annual internal audit plan, and progress on resolving weaknesses identified. In the reporting period, reviews have been completed covering key internal controls.
    • Progress reports from the group’s external auditors, Grant Thornton UK LLP, on its annual audit and discussions with them on any control issues they have identified; and
    • Updates relating to the Audit Transformation Programme and other quality improvement programmes relating to audit quality.


The Board of KPMG LLP confirms that internal reviews of the effectiveness of internal controls and of independence practices within our firm have been undertaken. Our compliance and internal audit programmes identify deficiencies and opportunities for improvement, and in such instances, remediation activities are agreed with subsequent follow up to assess the extent to which the matters identified have been addressed satisfactorily.

However, matters arising from these activities are not considered, either individually or in aggregate, to undermine the overall system of internal control in place.

Compliance with requirements of Audit Firm Governance Code

The Board has reviewed the provisions of the 2016 Audit Firm Governance Code and confirms that the firm complied with these provisions throughout the year ended 30 September 2022.