Signals of change and the risk agenda

March 2022: Cybersecurity

Chief Audit Executives (CAEs) continuously assess how to deliver on their objectives to maintain the trust of shareholders and stakeholders. This includes considering signals of change in the risks their organization faces and, in turn, adjusting the focus of the Internal Audit plan as needed. Our complementary series, “On the CAE agenda,” provides a full view of top risks highlighted this period.

Signals of change

Cybersecurity has been in the spotlight across most organizations in recent times. From a rapidly evolving technological landscape to ever-changing threats, cyberattacks are now seen as one of the greatest risks to a company’s health, and major cybersecurity investments are being made to protect organizations and maintain stakeholder trust.

According to the 2021 KPMG CEO Outlook, cybersecurity rose four places since 2020 and was selected as the greatest threat to an organization’s growth over the next three years. KPMG also found that CEOs plan to spend more on digital in 2021, with 52 percent prioritizing data security measures.

Risk considerations

  • The adoption of cloud, the increase in demand for intelligent automation, robotics, and the rise of the Internet of Things have added new and more complex security risks to the business environment. Internal Audit will be challenged with assessing the cyber risks of these new and emerging technology areas.
  • Ransomware has become increasingly prevalent, to the extent that organizations are developing stand-alone ransomware frameworks and asking Internal Audit to help them with the design and effectiveness testing of ransomware-specific controls.
  • Business change is impacted by technology change; regulatory environment changes; new business models; and the impact of mergers, acquisitions (M&A), or divestitures and initial public offering/special-purpose acquisition company transactions. Internal Audit will need to consider in depth the cyber risk and its associated impact related to these business changes.
  • Some organizations have not been as prepared to address the changing regulatory landscape affecting every industry and, as such, have opened themselves up to the possibility of regulatory sanctions and fines. Internal Audit can play a key role in assessing the impact of new or existing regulations, as well as assessing the readiness of their organization in dealing with the new regulation, including assessing the first- or second-line cyber risk management and compliance capabilities.
  • Increased reliance on third-party vendors has increased cyber risk, whether those third parties access the organization’s systems directly or process the organization’s private or confidential information or that of its customers. Internal Audit can perform assessments of the organization’s overall third-party program as well as detailed assessments of high-risk vendors.

Questions to ask/actions to take

  • Does the organization have a cyber risk management and assurance program? These programs provide a systematic and comprehensive approach to monitoring the extent to which cyber risks and stakeholder security requirements are being continually managed by the organization.
  • Has the organization responded to the evolving ransomware threats? Has it developed and assessed a control framework and a response playbook to protect the organization? Has Internal Audit assessed the adequacy of these safeguards?
  • Has a cyber maturity assessment been performed to review the organization’s ability to protect its information assets and its preparedness against cyberattacks? Such assessments provide an effective framework for Internal Audit to consider follow-up deep dives into areas of higher risk.
  • Internal Audit should assess the organization’s overall strategy for dealing with emerging threats from a governance, architectural, operational, and technology perspective.
  • Has the organization embraced security-by-design principles, and is the security organization undertaking design or technology reviews prior to final adoption and implementation of the technology?

Meet our team

Michael A. Smith
Partner, Advisory, and U.S. Internal Audit Solution Leader, KPMG US

Richard Knight
Principal, Advisory, and U.S. IT-Internal Audit Solutions Leader, Technology Risk Management, KPMG US