Transparency Report Quality Control and Risk Management

FY23 UK Transparency Report
Quality Control and

Risk Management
January 2024
Introduction Accountability
We have numerous policies and procedures The Board has overall responsibility for risk management
in place within the UK firm to enable our and internal control:
compliance with professional standards. — The assessment and management of risk is supported
Partners and employees are responsible for by the Risk Committee.
complying with these policies and procedures, — Monitoring of internal controls is supported by the
and there are internal controls and processes in Audit Committee.
place to help them do so. The Firm has adopted KPMG’s Global
The Board annually assesses both the Independence Policies:
effectiveness of the firm’s internal controls and — All partners and partner equivalents are subject to a
its compliance with independence policies, and compliance audit at least once every five-year period,
and those partners in a Chain of Command role are
confirms the firm’s compliance with the Audit
audited at least once every three years.
Firm Governance Code.
— We provide all relevant personnel with annual firm
independence, personal independence and conflicts of
interest training.
— Training on compliance with laws, regulations,

professional standards and our Code of Conduct is
issued to all partners and employees on joining the
Firm and annually thereafter.
The Firm’s Internal Audit plan is reviewed and approved by

the Audit Committee:
— Internal Audit provides the Audit Committee with

independent and objective assurance on the adequacy
and effectiveness of our governance, risk management
and internal control processes.
— The Firm’s Internal Audit function was subject to an

external quality assessment in FY21 and received a
‘Generally Conforms’ report against the professional
standards for internal audit.
© 2024 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG global organisation of independent
member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.
2
Quality Control and Risk Management
Our quality control and risk management systems

Policies and procedures there are any additional risks relevant to the System of Quality
Management (SoQM) that may require the implementation
KPMG International (“KPMGI”) has established a quality
of additional controls or formal inclusion of existing controls
framework across its network of member firms based on the
within the SoQM. Once identified, controls are subject to
International Standard on Quality Management (ISQM1) issued
monitoring and evaluation activities as outlined here:
by the International Auditing and Assurance Standards Board
Global Quality Framework (1. Perform quality engagements –
(IAASB) and the Code of Ethics for Professional Accountants
Internal monitoring).
issued by the International Ethics Standards Board for
Accountants (IESBA), which apply to professional services firms Under ISQM1 we are required to evaluate the effectiveness of
that perform statutory audits and other assurance and related our system of quality management on an annual basis. Our first
services engagements. evaluation was performed as of 30 September 2023.
The policies and associated procedures within this framework Find out more about the approach we take to the monitoring
enable member firms to comply with relevant professional and evaluation of our SoQM here: Global Quality Framework
standards, and with regulatory and legal requirements, and help (1. Perform quality engagements – Internal monitoring).
our partners and employees act with integrity and objectivity,
performing their work with diligence. Statement on the effectiveness of the System
of Quality Management of KPMG UK LLP as at
KPMG in the UK supplements KPMG International’s quality
30 September 2023
framework with additional policies and procedures that address
its specific business risks as well as rules and standards issued As required by the International Auditing and Assurance
by the FRC, the ICAEW and other relevant regulators, such as Standards Board (IAASB)’s, International Standard on Quality
the US Public Company Accounting Oversight Board (PCAOB). Management (ISQM1), the Financial Reporting Council (FRC)’s
International Standard on Quality Management (UK) 1 (ISQM
ISQM1
(UK) 1), and KPMG International Limited Policy, KPMG UK LLP
ISQM1 was issued by the IAASB and became effective on (the “Firm” and/or “KPMG UK”) has responsibility to design,
15 December 2022, together with the UK version of the implement and operate a System of Quality Management for
standard issued by the Financial Reporting Council (FRC) audits or reviews of financial statements, or other assurance or
(the International Standard on Quality Management (UK) 1 related services engagements performed by the Firm.
(ISQM (UK) 1)). References to the application of ISQM 1 are
The objectives of the System of Quality Management are to
in accordance with ISQM (UK) 1 For each component in the
provide the Firm with reasonable assurance that:
standard, KPMGI has established globally consistent quality
objectives, quality risks and responses. The objective of this a) The Firm and its personnel fulfil their responsibilities in
centralised approach is to drive consistency, robustness accordance with professional standards and applicable legal
and accountability of responses for processes implemented and regulatory requirements, and conduct engagements in
across our global organisation. Where necessary, we have accordance with such standards and requirements; and
supplemented the KPMGI requirements with additional quality
b) Engagement reports issued by the Firm or engagement
objectives, quality risks and responses identified through a UK
partners are appropriate in the circumstances.
risk assessment process.
KPMG UK outlines how its System of Quality Management
Our Global Quality Framework outlines how we deliver quality
supports the consistent performance of quality engagements in
at KPMG. The principle of ‘Perform quality engagements’ sits at
the 2023 Transparency Report.
its core along with our commitment to continually monitor and
remediate our processes as necessary. Integrated quality monitoring and compliance programmes
enable KPMG UK to identify and respond to findings and quality
The Chief Executive assumes ultimate responsibility
deficiencies both in respect of individual engagements and the
and accountability for the UK’s System of Quality
overall System of Quality Management.
Management (SoQM).
If deficiencies are identified when KPMG UK performs its
The Head of Audit and Chief Operating and Financial Officer
annual evaluation of the System of Quality Management, KPMG
(COFO) assume operational responsibility for the UK’s SoQM.
UK evaluates the severity and pervasiveness of the identified
The Ethics and Independence Partner is responsible for deficiencies by investigating the root causes, and by evaluating
compliance with independence requirements under the UK’s the effect of the identified deficiencies individually and in
SoQM and also has operational responsibility in relation to the the aggregate, on the System of Quality Management, with
UK Firm’s ethics and independence requirements. consideration of remedial actions taken as of the date of the
evaluation.
The Chief Risk Officer has monitoring and remediation
responsibility for the UK Firm’s SoQM. Based on the annual evaluation of the Firm’s System of Quality
Management as of 30 September 2023, the System of Quality
In line with the KPMG Global SoQM Methodology, the Firm
Management provides the Firm with reasonable assurance
conducts an iterative risk assessment process (iRAP). This
that the objectives of the System of Quality Management are
continuous process, overseen by those with operational
being achieved.
responsibility for the SoQM and the Audit Committee looks
at a range of internal and external sources to assess whether
3

Continued
Responsibility for quality and risk management We view the outcome of a quality audit as the delivery of
an appropriate and independent opinion that complies
Quality control and risk management are the responsibility
with auditing standards. This means, above all, being
of all KPMG personnel, whether they are based in the UK or
independent, objective and compliant with relevant legal and
in one of our offshore locations. This responsibility includes
professional requirements.
the need to understand and adhere to policies and associated
procedures in carrying out their day-to- day activities.
Risk management principles
The Chief Risk Officer is responsible for setting overall
The following statements articulate the principles through
professional risk management and monitoring quality control
which we manage the risk we take across the Firm, ensuring we
policies and compliance for KPMG in the UK.
act responsibly, in the public interest and in the interest of the
The Chief Risk Officer has a direct reporting line to the Chief entities we audit, our clients, our people, our regulators, and the
Executive and sits on the Firm’s Executive Committee, markets and communities we work in.
underlining the importance of the role.
We will:
The Chief Risk Officer is supported directly by a team of
— Establish and maintain high standards in leadership,
partners and professionals, including a Risk Management
accountability, ethics and governance.
Partner in each of the Capabilities.
— Act as stewards for the KPMG brand and take proactive
The Ethics Partner is supported by a core team to help ensure
steps to ensure that we support one another, both within the
that we apply robust and consistent ethics and independence
UK and across our member firms, in doing so.
policies, processes and tools.
— Work with trusted partners and alliances, as well as
The Head of Audit, Head of Tax and Legal, Head of Deal
engaging in mergers and acquisitions to obtain capability,
Advisory and Head of Consulting are accountable to the
where it meets our trust and growth objectives.
Chief Executive for the quality of service delivered in their
respective capability areas. While many of our quality control — Carefully consider the clients, audited entities and
processes are cross-Capability and apply equally to Tax and engagements we choose to accept, within the context
Advisory work, the primary focus of the Transparency Report of our ‘ACCEPT’ framework (a refreshed set of client and
requirements relates to Audit. Our Global Quality Framework engagement acceptance guidance embedding our values,
provides more detail on the way it helps ensure the delivery of risk appetite and ESG commitments).
quality statutory audits.
— Comply with applicable laws, regulations and codes of
In the case of the Audit practice, the Head of Audit Quality conduct, including KPMG’s global standards and policies
chairs the Audit Quality Council which met on a monthly basis and KPMG’s tax principles.
during the year. These meetings, together with the monthly
— Manage actual and perceived conflicts of interest.
Emerging Issues Meeting chaired by the Chief Auditor,
addressed external regulatory matters (including progress on — Protect confidential information and ensure business
AQR and QAD reviews and actions to address their findings), service continuity.
our internal quality reviews, emerging audit quality issues and
— Live our values through high standards of behaviour, and
current matters from the central quality teams.
promote a culture of trust, empowerment, accountability
The Audit Leadership Team Risk & Quality sub-committee and expertise that supports them.
meets monthly to consider risk within the audited entity
— Anticipate and respond to changes in the competitor
portfolio and to ensure there are sufficient and appropriate
landscape, macro-economy and clients’ and audited
controls and mitigations in place to support engagement
entities’ needs.
leaders in performing a quality audit and in managing risk.
Other focus areas of the sub-committee include monitoring — Deliver high-quality services – through experienced and
of regulatory matters, assessment of the risk watchlist and appropriately resourced teams, integrated solutions and the
consideration of other emerging risk areas. use of robust technology.
Our UK Audit practice is also a key contributor to our global — Set financial targets that are consistent with achieving both
thinking, with representatives on all major global audit quality the trust and growth elements of our strategy.
and development councils and teams. We use these forums
— Be courageous in undertaking work in the public interest
to understand how other member firms have tackled similar
and in support of our wider purpose.
issues, share our experiences and facilitate common solutions.
— Be brave in working together, contributing to important
At KPMG, audit quality is not just about reaching the right
issues in accordance with our values.
opinion, but how we reach that opinion. It is about the
processes, thought and integrity behind the audit report. — Develop our diverse, talented and motivated people
through inclusive leadership.
4

Continued
Risk management Principal risks

It is the responsibility of our Board to identify, evaluate, The Firm’s principal risks are set out within the four key risk
manage and monitor the most significant risks that face our ‘families’ of: Reputational; Strategic; Operational; and Financial.
firm and could threaten the achievement of our strategic For the year ending 30 September 2023, KPMG in the UK
objectives, or our business model, future performance or identified 11 principal risks across these four areas:
solvency. The principal risks and uncertainties that the UK firm
faces are set out in, and managed under, the Firm’s Enterprise-
Wide Risk Management (ERM) Framework. This framework is
used by the Board throughout the year to ensure the timely Reputational
identification of new and emerging risks and the development
— Trust
of appropriate mitigations and action planning, in line with the
Firm’s strategy. — Regulation
The ERM framework is subject to a comprehensive review and — Legal

refresh on an annual basis. This involves robust challenge of
the Firm’s risk taxonomy, reflecting developments in the Firm’s Strategic
risk landscape (current and longer term), changes made to
— Growth
KPMG International’s Risk Framework during the year, and the
results of a Dynamic Risk Assessment. In September 2023, we — Clients and audited entities
provided an update on this to the Board Risk Committee. Key
developments during the prior year included: Operational
— Reviewing and updating our risk appetites at firm-wide and — Execution – Quality
Capability level to align to the actual appetite more closely
— Execution – Delivery
in individual Capabilities.
— People, Talent and Culture
— Reviewing the impact of changes to the Coverage/Markets
leadership model on the ERM framework and embedding — Technology and information management
these in the framework.
— Business operation, resilience and controls
— Further engagement with Level 1 risk owners to enhance
communication/oversight of Level 2 risks and actions Financial
across the matrix of firm-wide, Markets and Capability
ownership. — Financial management
— Introduction of an emerging themes section into the

monthly Watch List for emerging risks that require
separate focus. The risks are not shown in order of priority.
— Identifying any inconsistencies in the reporting of Level 2 Our assessment of how these risks have moved over time, the
risks by Capabilities and Markets. current risk landscape and the mitigating actions we have put in
— Further work with the relevant ESG, Operations and place to address each risk can be found below.
Corporate Affairs teams to ensure that an appropriate level
of information is captured in relation to climate risks to
satisfy increasing external requirements.
— Implementation of an automated Governance, Risk and

Compliance (GRC) tool to support specific aspects of our
risk management.
— Identifying and agreeing Level 3 risks ready for inclusion in

the ERM framework.
The Firm’s Assurance Map documents the relationship between

the Firm’s risks, its controls and compliance and assurance
activities across the first, second and third line of defence, and
is reviewed and updated on an annual basis.
5

Continued
Risk Current and emerging risk Mitigations

landscape
Reputational risks
1. Trust — Continued regulator, public — A tone at the top which emphasises quality, ethics and integrity,
(FY23 Trend: No change) and colleague scrutiny of with Ethics Champions embedded in the business.
the Firm in the context
— Roll out of revised Partner balanced scorecard as part of FY24 goal
of both audit quality and
FY21 FY22 FY23 setting, strengthening the link between behaviours and rewards.
the outcome of historic
This will also be incorporated into FY24 goals for all colleagues.
regulatory investigations.
KPMG in the UK fails to
— A culture ambition guided by Our Values, Our KPMG, Our Impact,
maintain the trust of external — Eroding of societal trust in
a Culture Steering Committee and Conflicts of Interest Working
stakeholders, due to a failure professional services from
Group. Measurement of progress using culture metrics (incl. regular
to embed trust into the firm’s negative media coverage
colleague surveys) and oversight from a Culture Steering Committee.
strategy, failure to define and of issues, litigation, or
communicate the standards regulatory enforcement — Values Week (held in November 2022) and Values Immersion
of conduct expected by the in our competitors. sessions designed to ensure all partners and colleagues
Firm, and failure to develop a take greater ownership of living our values.
— A culture ambition
culture aligned to the Firm’s
centred on being values- — Refreshed Conflicts of Interest policy supported by mandatory
core values, resulting in led, operating to the training to relevant teams and Conflicts of Interest Working Group.
negative impact on the Firm’s highest ethical and
reputation at local, national quality standards. — Global ethical health survey to identify successes
and international levels. and areas for continued focus.
— Increasing importance of,
and societal expectations — Implementation of a ‘Trust index’ to aid with
surrounding, ESG and IDE. monitoring of external reputation.
— A need to embed and — A refreshed Code of Conduct (reviewed by the Institute

sustain improvement of Business Ethics) and set of Values, on which all
in our AQR results. colleagues receive annual mandatory training.
— Head of Professional & Ethical Standards and a Partner

Conduct Verification Dashboard process to support
performance management of partners, ensuring an appropriate
link between conduct and partner remuneration.
— Embedded whistleblowing processes and promotion of a

Speak Up hotline overseen by a third-party ombudsman.
— An Inclusion, Diversity and Equity Policy, employee networks

which host a range of diversity focused learning events throughout
the year and published diversity target zones, with regular
progress reporting. Firm-wide training on inclusion, diversity
and equity provided to all KPMG partners and employees.
— A Global and UK Impact plan which set out our environmental,

social and governance (ESG) commitments — holding us
accountable for progress toward a more sustainable future.
— Continued focus on increasing social mobility, with the

Firm now publishing its socio-economic background
pay gaps and setting ambitious targets to increase
the socio-economic diversity of its workforce.
— Continued focus on the environment, with all

UK offices certified to ISO 14001:2015.
— A mandated Global Quality Framework, encompassing global

methodologies, mandatory training (including KPMG Audit University),
accreditation requirements (including for specialists) and audit
quality review programmes (see further detail in Principal Risk 6).
6

Continued

landscape
Reputational risks (continued)
2. Regulation — New and changing — A dedicated Regulatory Affairs function, with constructive and proactive
(FY23 Trend: No change) regulatory requirements arrangements to meet our regulatory commitments introduced.
and expectations or
— Regular engagement with regulators and relevant government bodies
changing interpretations
FY21 FY22 FY23 to understand and plan for the developing regulatory landscape.
(in respect to historical
practices). — Monitoring of regulatory compliance by relevant regulatory
affairs specialists and the firm’s Public Interest Committee.
meet the expectations of — More proactive,
our regulators, due to poor intrusive and better- — Regulatory horizon scanning introduced with regular
relationships with regulators, connected regulatory reporting to relevant governance groups.
regulatory non-compliance supervisors leading to
increased monitoring — Money Laundering Risk Officer function to meet our
and lack of regulatory horizon
and reporting to ensure obligations in relation to anti-money laundering and financial
scanning to prepare for
the Firm is compliant. crime, and regular financial crime training provided on topics
incoming regulatory changes,
such as money laundering, bribery and corruption.
resulting in regulatory
— Continued enhanced
sanctions and enforcement supervisory approach as — Maintenance of firm-wide and personal independence policies and
action. FRC transitions to ARGA. systems (Sentinel™, KPMG Independence Compliance System,
etc.) to ensure compliance, and additional approvals required for PIEs
— Incoming and significant (Public Interest Entities) and OEPIs (Other Entity of Public Interest).
regulatory changes affecting
multiple parts of the Firm, — Regular updating of firm policies and procedures to ensure compliance
including audit reform and by all our people, on all our clients, with all applicable regulations.
the transition to ARGA. — Annual mandatory firm and personal independence training
— FRC published updated and annual personal independence confirmation by all
principles and timeline partners, colleagues and (where relevant) contractors.
for operational separation — Rolling programme of personal compliance audits and compliance
of the Audit practice. monitoring of certain key areas by the firm-wide independence team.
— Emerging regulation — ESG Corporate Reporting team, focused on ensuring
regarding innovations such timely adoption and compliance with developing
as artificial intelligence (AI). ESG regulatory and reporting requirements.
— Greater public attention/
interest and changing
regulatory standards
as to how we assess
which clients we choose
to do business with.
7

Continued

landscape
Reputational risks (continued)
3. Legal — Increasing complexity of — In-house Office of General Counsel team to assist the business
(FY23 Trend: No change) contracting environment, with contracting and compliance with regulation, including
in particular in relation to specialists in regulation, data privacy and employment law.
long-term nature of large
FY21 FY22 FY23 — Close liaison with KPMG Global through International
advisory engagements
Office of General Counsel and liaison with other
and increasingly complex
KPMG in the UK fails to network firms’ offices of General Counsel.
legal and regulatory
comply with legal obligations, frameworks (e.g., in — Active participation in Global Governance and Committees to oversee
including contractual relation to liability caps network controls and potential reputational and other risks.
obligations with clients, and information security
audited entities, third parties and data requirements). — Legal input to both Deal Boards, Client and Engagement Acceptance
and colleagues etc., due and Continuance Committee and Conflicts Working Group, to
— Increased complexity ensure that the appropriate approvals are in place and legal/
to a failure to identify and
of global sanctions contracting risks are considered before pursuing new opportunities
understand these obligations,
framework post Russia- and agreeing scope and terms of engagement deliverables.
or put in place appropriate
Ukraine conflict.
controls and monitoring — Comprehensive client and engagement acceptance
frameworks to ensure that — Sanctions environment procedures, including in relation to contracting with all
these obligations are met, has continued to evolve stakeholders and recipients of our services/deliverables.
resulting in litigation, legal due to the war in Ukraine.
costs and reputational — Framework of policies, underpinned by regular training, in relation
— Risk of damage to the UK to compliance with external regulation and legal requirements
damage.
firm’s reputation through (including in relation to financial crime and fraud management).
The UK firm fails to negative media coverage
appropriately monitor and of issues, litigation, or — Engagement Quality Control Reviewers (EQCRs) and
mitigate the impact of regulatory enforcement other ‘first line’ quality control processes, including
reputational damage arising within the KPMG Global in relation to legal and contracting matters.
from actions taken by other network of firms. — Annual ‘second line’ compliance processes (including QPR and
KPMG member firms. Global KQCE) in relation to contracting and legal compliance.
— Specific policies, procedures and controls

related to complying with sanctions.
8

Continued

landscape
Strategic risks
4. Growth Continued levels of market — Board approved three-year planning exercise with
(FY23 Trend: Increasing) uncertainty in relation to yearly refreshes and regular review.
the external environment,
— Our Board and Executive Committee continuously monitor the
including:
FY21 FY22 FY23 performance of our firm and appropriate management action
— the impacts of ongoing is taken when necessary to adjust to market conditions.
KPMG in the UK fails to global conflicts;
— Defined strategies (at Firm and Capability/Market level) approved
define and execute a strategy
— the wider political by leadership with Board input and oversight and aligned
that is supported by an
landscape and growing with Global strategy and Our Impact plan (see below).
appropriately resourced
economic uncertainty;
operational plan, that is — Executive Committee sponsorship of strategic growth
underpinned by further — UK economic performance. initiatives with an investment allocation and governance
development of relevant While the worries about a process to prioritise and monitor investment.
services and propositions, deep recession have largely
gone away, the prospects — Enterprise-Wide Risk Management Framework with matrix reporting
and which can be measured
of high interest rates, across Capability, Market and Firm-wide risks to support Board and
objectively. In addition, the UK
continued uncertainty, and Committee governance and Executive decision-making. Capability,
firm fails to design its strategy
low productivity are set Market and Regional risk officers in place to support second line
to be able to adapt or respond
to provide headwinds to management/oversight of risk policies, practices and decision-making.
to changes in the external
economic and regulatory growth in the near term; — Separate governance for Audit, including Audit Board, with
environment, or to maximise — Impact of operational impact of operational separation on delivery of the Firm’s strategy
opportunities from the KPMG separation of audit on reflected in both Audit and firm-wide business planning.
global network, resulting in a our growth strategy; — A Global and UK impact plan which set out our own environmental,
failure to achieve the desired
— Increasing importance social and governance (ESG) commitments – holding us
levels of growth.
of, and stakeholders’ accountable for progress towards a more sustainable future.
expectations — Globally aligned ESG solutions to address
surrounding, ESG. current market demand and needs.
9

Continued

landscape
Strategic risks (continued)
5. Clients and audited — New and changing business — Comprehensive acceptance procedures undertaken before
entities models and service needs engaging with clients and audited entities for the provision of
(FY23 Trend: No change) at scale and speed from services, including KYC checks and global conflict checking
clients/audited entities to support the management of independence when working
arising from changing with audited entities or potential audit targets.
FY21 FY22 FY23
market and their responses
— Client and Engagement Acceptance and Continuance Committee
to the current external and
KPMG in the UK fails to work consideration for higher risk clients and engagements to
economic environment,
with the right clients and ensure that risks are considered, and appropriate internal
increasing digitalisation
audited entities, maintain approvals obtained, before pursuing new opportunities.
and growth in importance
a balanced portfolio across of the ESG agenda. — Conflicts Working Group (as sub-committee of the Risk
sectors and industries,
Executive) and mandatory annual firm-wide Conflicts of Interest
optimise its use of strategic — Changes in client/audited
training to support adherence to conflicts of interest policy.
alliances and build both a entity portfolio mix and/
unique and innovative brand or focus that could result — Continued challenge of audited entities where improvements
proposition and a holistic go- in over-concentration in to systems, controls and governance are required and careful
to-market strategy, resulting sectors/industries/clients. management of transition where we decide to resign from audited
in declining market share or entities, with reference to our public interest responsibilities.
— Accepting clients/audited
over-concentration in specific entities because of the — ACCEPT framework to further support colleagues in making
sectors and a failure to current external and decisions about who we work with and what work we do
achieve its strategy and ESG economic environment in line with Our Impact plan, supported by firm-wide and
commitments. and potential impacts on engagement leader training and communications.
perceived public interest/
reputational risk. — Monitoring period of audit tenure for audited PIEs in order to
comply with mandatory tendering and rotation requirements.
— Impact of the firm’s ESG
strategy on the acceptance — Extensive independence policies, guidance and processes
and delivery of services to supported by annual mandatory firm-wide training on
clients and audited entities. personal and firm independence and regular compliance
monitoring (see further details in Principal Risk 2).
— Regular portfolio strategy and account planning, with Executive

Committee oversight of plans for major accounts.
— Investment programme to oversee the development of new

service lines and propositions, in line with Our Impact plan
and reflecting market and client need developments.
— Regular review of Client Insights programme feedback, including

to inform development of future service propositions.
— Investment in technology and specialists e.g., climate, IT audit

and data scientists to ensure our audit approach is responsive
to changes in the external environment and new markets.
10

Continued

landscape
Operational risks
6. Execution – Quality — Sustained public and — System of Quality Management (SoQM) to drive the assessment
(FY23 Trend: No change) regulatory scrutiny of the of risks and controls and to ensure audit quality.
firm’s ability, independence
— Programme to implement ISQM1 as part of the firm’s System of
and qualification to
FY21 FY22 FY23 Quality Management, in advance of mandatory adoption date in
deliver engagements
December 2022, including close liaison with KPMG International’s
to a high standard.
KPMG in the UK fails to meet ISQM1 Programme team and creation of newly established System
the expectations of clients, — Impact of changing ways of Quality Management team to support the annual ISQM1 risk
audited entities, regulators of working on the ability to assessment and oversee our compliance post implementation.
and other interested parties in deliver quality services.
— Continued investment in our Audit Quality Plan which prioritises
relation to the quality of work
— Pressure on audit actions with the biggest impact on audit quality, and the Banking
delivered.
profession potentially Audit Quality Improvement Plan, supported by the development
leading to fewer people and implementation of the KPMG Clara Audit workflows.
joining the profession, and
— Mandated Global Quality Framework, encompassing
experienced professionals
global methodologies, mandatory training (including KPMG
leaving the profession
Audit University), accreditation requirements (including for
which may negatively
specialists) and audit quality review programmes.
impact audit quality.
— Mandated engagement quality controls including the use of
— Increased risk of failure
standardised methodologies and tools, accreditation requirements,
of clients/audited entities
targeted involvement of Engagement Quality Control reviewers,
due to challenging
Accounting and Auditing specialists, Risk Panels and Deal Boards.
economic environment.
Enhanced processes for complex, longer-term engagements.
— Increasing complexity of
— Audit Regulatory Compliance function, with a remit to deliver a
products and services,
dedicated audit compliance programme, testing outcomes to
as well as contracting/
provide assurance that the processes, procedures and controls in
commercials, or new and
place to meet regulatory requirements are operating effectively.
innovative service lines
(where expertise is limited), — Regular review of Client Insights programme and requests
posing challenges to the for feedback in relation to quality of delivery.
quality of work delivered.
— Engagement watchlists maintained at Capability and Risk Executive
Committee level, with escalation of issues as appropriate.
— Firm-wide quality compliance programmes including QPR and Annual

Root Cause Analysis programme. Established quality function in
Consulting, with appointed quality leads for each performance group.
— Rigorous recruitment, training and staff development procedures.
11

Continued

landscape
Operational risks (continued)
7. Execution – Delivery — Increasingly competitive — Global Quality & Risk Management Manual supplemented
(FY23 Trend: No change) market for recruitment by UK requirements set out in Capability-specific risk
of talent. management manuals, policies and guidance.
FY21 FY22 FY23 — Increased reliance on — Comprehensive client and engagement acceptance
reliable and appropriate procedures, including ACCEPT framework for decision-
KPMG in the UK experiences technology and connectivity making, Client and Engagement Acceptance and Continuance
failures in its delivery of due to hybrid working. Committee and Conflicts Working Group as described
services to clients and under Principal Risk 5: Clients and Audited Entities.
— Increasing complexity
audited entities due to taking
of the work we are — Engagement watchlists maintained at Capability and Risk Executive
on inappropriate clients or
performing, the client/ Committee level, with escalation of issues as appropriate.
engagements, ineffective
audited entity situations
engagement setup, — Increased monitoring (including in-flight reviews)
we are supporting.
poorly managed projects, and reporting of higher risk engagements.
contracting and financials, — Increased complexity of
— The roll-out of ProFinda, which provides a single inventory of all
lack of adequate resourcing commercial models and
colleagues’ skills and experience so we can be more rigorous when
or identification and contracting processes,
resourcing projects, matching skills and resources effectively.
management of third parties in particular in relation
in its supply chain, resulting to multi-year framework — Template engagement letters and Office of General
in preventable losses and services and work delivered Counsel/risk review requirements for contracting.
missed opportunities. for the public sector.
— Inter-firm contracting protocols when working with
— Increased use of other KPMG International member firms.
technology to deliver
services or licensing of — Input from Commercial teams on pricing and terms, as well as
technology to clients. Deal Boards for non-audit engagements, and controls in place
when working with sub-contractors and alliance partners.
— Greater collaboration
with third parties/alliance — Significant investment in our colleague proposition, Our KPMG, and
partners in engagement recruitment, performance management and wellbeing support, to
delivery, increasing the ensure we can continue to attract and retain the talent we need to meet
challenges around quality, demand now and in the future (see further detail in Principal Risk 8).
independence, security, — Contractors and associates receive training on Our
and contracting. Code and Our Values on joining and annually.
— Compliance programmes including Global GCR, QPR and Compliance

Assurance Programme, with appropriate root cause analysis
undertaken and action plans implemented and monitored.
12

Continued

landscape
8. People, Talent and — Intense competition — Significant investment in colleague reward, and an
Culture for talent and skills attractive employee value proposition, Our KPMG,
(FY23 Trend: No change) shortage, impacting on against results of annual salary benchmarking.
ability to recruit at all
— Range of projects ongoing to ensure we are able to recruit and retain
colleague levels. Evolving
FY21 FY22 FY23 the skills we need in the current environment, including in relation
expectations of employees
to improving our people systems, workforce planning strategy
including the need for
KPMG in the UK fails to and addressing complexities in immigration and onboarding.
a comprehensive talent
appropriately attract and
management programme — Defined performance management cycle and processes which
recruit, engage, develop,
and succession planning, includes goal setting, feedback and performance appraisal.
retain and reward talent at all risks the attractiveness Regular training delivered to Performance Managers and
levels of seniority, resulting in of the firm reducing 360 feedback programme for leaders across the Firm.
a lack of expertise, capability over time. Increased
and capacity (onshore immigration complexity. — Inclusion, Diversity and Equity Policy and firm-wide mandatory
and offshore) to meet the training for all KPMG partners and employees. Several dedicated
medium- and long-term — Management of, and ability programmes including GROW, Black Heritage Allyship Programme
demands of the business, to meet, expectations in and Cross Company Allyship Programme. Ambitious leadership
loss of top talent and gaps relation to the medium- 2030 targets across six historically under-represented groups
in key leadership roles and to-long term, changing with supporting firm-wide and local action plans in place.
succession plans. In addition, ways of working,
including the move — Our Social Mobility Network – UpBringing – empowers colleagues
the UK firm fails to define and
towards hybrid working. from lower socio-economic backgrounds to achieve tangible personal
develop a culture in alignment
and professional development goals, raise their profile within the firm
with its core values and — Current challenging and in the marketplace and make an impact across our communities.
strategy. economic environment Opening Doors to Opportunities aims to empower the next generation
and impact of increased to thrive by inviting schools into our offices across the UK, as part of a
cost of living on employee new commitment we’re making to give one million young people the
wellbeing and morale. opportunity to develop their skills by 2030. Comprehensive wellbeing
offering including mental wellbeing, bereavement support, a Domestic
— Continued focus on
Violence and Abuse Policy statement, an employee assistance
developments in Inclusion,
programme, remote GP, private medical insurance (for relevant
Diversity and Equity (IDE)
colleagues), counselling service and number of wellbeing apps.
and ability to meet IDE
improvement objectives — Employee networks to support and engage with the various
(including social mobility). communities across the firm and an Employee Business Forum,
which represents views within the firm to leadership.
— Increasing importance
of reaching our Culture — Regular feedback on People strategy and practices sought
Ambition and maintaining through annual Global People Survey and regular Pulse
an environment where Surveys, with action plans in place where required.
poor employee or partner
conduct is identified — Culture Ambition guided by Our Values, and a refreshed
and addressed. Code of Conduct (reviewed by Institute of Business Ethics). Firm-
wide Culture Steering Committee responsible for approving and
steering the firm-wide culture strategy, plan and priorities – which
include a firm-wide Values Week and People Awards, building trust
through developing a speak-up culture and a psychologically safe
environment and building out our leadership and management
capability to support our magnet for talent agenda.
— Monitoring and review of key performance indicators

by the Board, People sub-committee, and Executive
Committee via the Culture Dashboard that includes staff
survey results and people-related data points.
— Succession plans in place for members of Executive leadership. Board

succession monitored and managed through Nominations Committee.
13

Continued

landscape
9. Technology and — Increased risk of cyber- — Governance/approval requirements in place for technology investment
information management attacks as a result of and changes: Technology Assurance Group, DMTAP (Demand
(FY23 Trend: Increasing) global political conflicts. Management and Technology Assurance Process) and CTO Forum.
— Increasing complexity — Data Protection Officer and Chief Information

FY21 FY22 FY23 of technology solutions Security Officer, each with specialist teams.
provided to clients.
— Range of projects ongoing to improve technology inventory and
— Increased importance of protections (Backup & Restore, Cloud Migration, Smart Networks, etc.).
provide the technology
developing and investing
solutions required by the — Ongoing programme of training and awareness of
in IT infrastructure for
business to support its the end-to-end Technology Assurance process and
the future to support
operations, reputation and refreshed Technology Assurance Policy.
changing business needs.
growth, or to adequately
— Multi-year Information Security Transformation Programme,
protect existing technology — Continued reliance on
introducing and embedding a new set of information security
solutions, resulting in a technology and increased
capabilities and services that can provide a more effective response
breach of the confidentiality, complexity of managing
to evolving cyber security threats and changes in regulations.
integrity and availability of information risk in hybrid
these solutions. This may working environment. — Three lines of defence model for management of information
lead to an inability to provide risk, including a central Information assurance team and
— Increasing technology and
key services to internal and an Information Governance Oversight Committee.
security requirements in
external stakeholders, and
contractual arrangements — Ongoing mandatory training, covering information security,
reputational or financial loss.
with clients and data protection and information management.
audited entities.
— Additional training/learning support on confidentiality
— Increased focus on the was covered as a separate mandatory training module
ethical use of data, AI within our November 2023 Building Trust release.
and other technology.
— Widespread use of Information Protection Plans in
— Increased public, client/ engagements and introduction of Data Champions, and
audit entity and regulatory continued progress in our Data Remediation Programme.
scrutiny in respect of data/
confidentiality because of — ISO 27001, Cyber Essentials/+, SOC2 (eAudit) certification and regular
high-profile external events. external and internal audits to identify and address control deficiencies.
— Insider policy and risk assessment reviewed annually.
— Programme of ongoing phishing resilience testing, security

awareness focused on a range of themes including
passwords, patching, phishing and social engineering.
— Rolling compliance programme (as part of second

line assurance activities) in relation to Information
Protection Controls and Policy Compliance.
— Enterprise focus on Operational Resilience, including the

identification of a Minimum Viable Firm (MVF) to provide
greater focus for recovery planning and resourcing.
14

Continued

landscape
10. Business operations, — Importance of maintaining — Three lines of defence model, including internal audit, to review
resilience and controls robust business processes the design and operating effectiveness of key controls.
(FY23 Trend: Increasing) and controls and adapting
— Enterprise-Wide Risk Management Framework with matrix reporting
where appropriate so that
across Capability, Market and firm-wide risks to support Board and
they remain fit for purpose
FY21 FY22 FY23 Committee governance and Executive decision-making. Capability,
in the current environment.
Market and Regional risk officers in place to support second line
KPMG in the UK fails to — Conclusion of ISQM1 management/oversight of risk policies, practices and decision-making.
define, implement and implementation programme
— Regular updates to the Board on operational performance based on
monitor the effectiveness and transition to ‘business
extensive MI; three-year business planning with yearly refreshes
of its policy, procedure and as usual’ System of
and regular review by Operations Executive and COOs.
control framework, including Quality Management.
in relation to its suppliers, — Operations Executive oversight of both internal
— Impact of rising global
and to ensure continuity and external operational quality reviews.
costs and increasing
in business operations. In
global political conflicts on — Operation Executive oversight role in reviewing KPIs, performance
addition, the UK firm fails to
the ability of third-party and risk at its regular meetings which is a core mechanism for
manage change effectively, suppliers to deliver goods overall performance and operational risk management.
resulting in control failure, and services to KPMG.
and disruption to business — Defined business continuity and crisis management
operations and the services — Importance of ensuring plans, and controls in place to support IT, Third Party,
provided to clients and business processes and People, Facilities & Data disaster recovery.
audited entities. controls align to the firm’s
ESG strategy, as well — Specialist Operational Resilience team which follows business
as the expectations of continuity best practice guidelines and complies with ISO
external stakeholders. 22301 (as confirmed by independent internal audit).
— Ability to successfully — EPMO (Enterprise Project Management Office) to manage

manage multiple and investment and transformational change programmes.
significant transformation — Supplier management centre of excellence and Supplier Code of
programmes, with Conduct is in place which is being incorporated into new contracts.
appropriate governance
and investment controls. — Third party risk assessment for new subcontractors supporting the
delivery of client engagements. Risks are reassessed on a regular basis.
— Policies on Procurement, Subcontractors,

Alliances and Contingent Workers.
— New Enterprise Transformation SteerCo and governance and

oversight over change programmes with risk representation.
— Continued focus on embedding ISQM1, in close coordination

with KPMG International and establishing the UK’s System of
Quality of Management (SoQM) under business as usual.
— Compliance programmes including Global GCR and Global

KQCE, with appropriate root cause analysis undertaken
and action plans implemented and monitored.
— Further work with the relevant ESG, Operations and Corporate Affairs
teams to ensure that an appropriate level of information is captured in
relation to climate risks to satisfy increasing external requirements.
15

Continued

landscape
Financial risks
11. Financial management — Need to continually invest — Budgets which are subject to various levels of approval, through a
(FY23 Trend: Increasing) in our services, people thorough budgeting process, with appropriate sensitivity analysis
and processes to ensure and planning based on emerging economic landscape.
that the business model
FY21 FY22 FY23 — Board role in budget and performance oversight and
is fit for the future.
Executive Committee budgetary challenge.
The UK firm fails to execute — Current challenging external
— Monthly financial analysis at firm and functional
against financial targets economic environment
level, including regular refresh of downside scenario
or manage medium- to with impact on demand for
planning based on early warning indicators.
long-term financial position KPMG services, increasing
and performance, for cost base and ability to — Appointment of new Capability FDs and Chief Accounting Officer
example due to delivering collect payment for the to bring rigour and discipline to accounting treatments.
unprofitable services, poor services delivered to clients
and audited entities. — Pricing panels, pipeline monitoring, WIP management processes and
investment decisions, and
regular tracking of overdue invoices. Tools available across the firm.
failure to ensure a resilient
— Inherent uncertainty with
balance sheet, resulting in respect to any outstanding — Approval and monitoring controls over investments,
poor business performance, regulatory investigations investment decisions and capital retention strategy.
inability to achieve growth and civil litigation matters — Closely controlled procurement process and
and negative impacts to the although this is reducing approvals, via technology platform.
financial health of the firm. as we resolve our legacy
regulatory cases. — Finance policies, including the Spend Control Policy,
Timesheet Policy and Expenses Policy.
— Anti-Fraud Policy, and annual training on fraud for all colleagues.

Fraud risk assessment conducted annually by the MLRO.
— Professional Indemnity Insurance in place.
Audit regulatory compliance Internal audit

Our partner-led Audit Regulatory Compliance (ARC) function, Internal Audit, which is led by a dedicated Head of Internal
established during FY21, is the main point of contact with the Audit, provides independent and objective assurance on
firm’s primary regulator, the FRC, maintaining an overview the adequacy and effectiveness of our governance, risk
of all interactions with Audit Market Supervision and Audit management and internal control processes. The Internal Audit
Firm-wide Supervision and ensuring that all commitments, plan was approved at the start of the year and was updated
requirements and actions are fulfilled. during the year to ensure that it remained appropriate and
reflected changes to business risks including the heightened
ARC incorporates a Compliance Monitoring function whose
risks presented by the current external environment. The
purpose is to deliver a dedicated compliance programme,
plan is devised by understanding the risk profile of the firm
providing independent assurance that the processes,
(whether strategic, operational or in relation to change risks),
procedures and controls in place to meet audit regulatory
considering other risk management, compliance and assurance
requirements are operating effectively. A monitoring plan is
activities, and - based on this - agreeing what internal audit
developed and presented for approval to the Audit Executive at
work is required.
the start of the year and updated where necessary during the
year to ensure it remains focused on appropriate risk areas. In reviewing and approving the internal audit plan, the Audit
Committee ensured a balance between coverage of the highest
priority risks and maintaining appropriate coverage of core
business processes.
16
Maintaining an objective and independent mindset

We have adopted the KPMG Global Independence Policies The policy we apply to members of the audit team who are
which are derived from the International Ethics Standards recruited by entities we audit goes beyond the requirements
Board for Accountants’ Code of Ethics for Professional of the FRC’s 2019 ES. It requires any member of an audit team
Accountants (the IESBA Code) and incorporate other applicable to inform the Ethics and Independence team of any situation
regulatory standards. For KPMG in the UK, we supplement involving their potential employment with an entity where
these policies with other processes to ensure compliance with they are part of the audit engagement team. We also prohibit
the FRC’s 2019 Ethical Standard (FRC’s 2019 ES). all partners in the firm from accepting a director or key
management position role at an entity that we audit within two
These policies and processes cover areas such as firm
years of retiring from the partnership.
independence, personal independence, firm financial
relationships, post-employment relationships, partner rotation
Business relationships/suppliers
and approval of audit and non-audit services. In the UK, the
Ethics Partner is supported by a core team to help ensure We have policies and procedures in place to ensure that
that we apply robust and consistent independence policies, business relationships are maintained in accordance with
processes and tools. Ethics and independence policies are set the FRC’s 2019 ES and the IESBA Code. Consultation with
out in our intranet-hosted Quality & Risk Management Manual our ethics and independence professionals is required for
as well as various guidance materials on the internal UK portal any proposed business relationship with an entity we audit,
and reinforced through training. or its management, to ensure compliance with the relevant
independence regulations. Compliance with these policies and
Failure to comply with the firm’s independence policies,
procedures is reviewed periodically.
whether identified in the rolling compliance review, self-
declared, or otherwise, is, in the case of engagement
Independence training and confirmations
leaders and managers, reflected in their individual ethics
and compliance metrics. The Independence Working Group We provide all relevant colleagues (including all partners and
(formerly the Ethics Working Group) oversees policies and staff who are involved in delivering professional services
procedures in relation to ethical matters and breaches of the engagements) with independence training appropriate to their
requirements of the FRC’s 2019 ES. grade and business area and provide all new colleagues with
relevant training when they join the firm.
Personal independence
All colleagues are required to sign an independence
KPMG International policy extends the IESBA Code restrictions confirmation upon joining the firm. Thereafter, all personnel
on ownership of audited entity securities to every member confirm annually they have remained in compliance with
firm partner in respect of any audited entity of any member applicable ethics and independence policies throughout the
firm. KPMG in the UK has a policy whereby all staff who are period. Partners and partner equivalents make an additional
involved in delivering professional services engagements are confirmation at the mid-year in respect of their personal
also prohibited from holding securities in companies audited investment compliance.
by KPMG.
Audit engagement leader rotation
Our professionals are responsible for making appropriate
inquiries to ensure that they do not have any personal All audit engagement leaders are subject to periodic rotation
financial, business or family interests that are restricted of their responsibilities for entities we audit under applicable
for independence purposes. We also use a web-based laws and regulations and independence rules, which limit
independence compliance tracking system to assist our the number of years that engagement leaders may provide
professionals in their compliance with personal independence audit services to an audited entity. KPMG rotation policies
investment policies. comply with the requirements of the FRC’s 2019 ES (and, where
applicable for certain engagements, the rules of the PCAOB).
We monitor partner and employee compliance with these
For example, under the FRC’s 2019 ES the audit engagement
requirements through a programme of audits on a sample
leader for a public interest entity cannot serve in that role for
of professionals. In the year ended 30 September 2023, 1,258
more than five years and once they have rotated off the audit
(2022: 984) of our people were subject to a compliance audit.
cannot participate in the audit again for a further five years.
This included approximately 27% of our partners as well as
an increase in the number of non-partner individuals selected We monitor the rotation of audit engagement leaders and any
for review. other key roles where there is a rotation requirement, including
the Engagement Quality Control Reviewer, and have transition
In accordance with KPMG International policy, all partners
plans to enable us to allocate partners with the necessary
and partner equivalents are compliance audited in a five-year
competence and capability to deliver a consistent quality of
period, and those partners in a Chain of Command role are
service to audited entities.
audited every three years.
In addition, all direct-entry partners are subject to a compliance

audit as a condition of their admission to the partnership and
are subject to a further audit after 12 months in the firm.
17

Continued
Firm rotation Conflicts of interest

PIEs, as defined in the FRC’s 2019 ES, are required to rotate To perform a professional services engagement, both
their firm of auditors. Mandatory Firm Rotation (MFR) rules in KPMG and all members of the engagement team need to be
the UK require that all PIEs must tender their audit contract at objective in both fact and appearance. This means that before
least every 10 years and rotate their auditor at least every 20 accepting any engagement it is necessary to identify if there
years. We have processes in place to track and manage MFR. are any conflicts of interest (or any other threats to objectivity)
associated with taking on that work and to determine if
Non-audit services these can be safeguarded to an acceptable level such that
the conflict can be managed, and the engagement accepted.
We have policies regarding the scope of services that can
Our Conflicts of Interest Policy and procedures are designed
be provided to entities for whom we are auditors which are
to ensure that that we meet these requirements. In 2022, we
consistent with the FRC’s 2019 ES and the IESBA Code, and,
commissioned an external legal firm to undertake a detailed
where applicable, the rules of the SEC and PCAOB. KPMG
review of our conflicts policies and procedures. During 2023
policies require the audit engagement leader to evaluate the
they completed a follow-on phase of work which was to
threats arising from the provision of non-audit services and
undertake actual testing on the outcomes of our systems and
the safeguards available to address those threats, including
controls to manage conflicts of interest. They made a small
whether an objective, reasonable and informed third party
number of recommendations from this phase, all of which have
would consider it appropriate for the auditor to provide the
been implemented.
non-audit service.
Our Conflicts of Interest Policy sets out how to identify, assess
Every engagement intended to be entered into by a KPMG
and safeguard threats to objectivity, as well as setting out
member firm is required to be included in our Sentinel™ tool,
situations where conflicts would always be unmanageable.
prior to starting work, enabling group lead audit engagement
The policy also details the escalation requirements for specific
partners to review and approve, or deny, any proposed
conflict situations and what the special considerations are
service for those entities worldwide. As reported in the FRC’s
with respect to conflicts involving audited entities. Where
public report, during the year we identified and reported
a conflict of interest involves an audited entity, our policy
instances where other KPMG member firms had commenced
requires consideration of how accepting that service might
and performed non-audit services without receiving
give rise to a condition or relationship (or conflict) that would
necessary approvals from UK audit engagement partners.
(or would be perceived to) impact on KPMG’s independence as
We commissioned a third-party firm to perform a root cause
auditors. The overarching principle is that we would not accept
analysis of this issue. In addition, a root cause analysis was
an engagement where it was clear at acceptance that it would
also undertaken by KPMG International. Our controls have
involve the client or KPMG (on behalf of or supporting the
now been enhanced to prevent this issue from happening in
client) taking an adversarial position against a statutory audited
the future.
entity of KPMG on a matter that was material to its financial
To maintain auditor independence, no individual with the statements or involved challenging the accounting for any
ability to influence the conduct and outcome of an audit can be matters that were material to the audited financial statements.
rewarded for selling non-audit services to entities we audit.
Sentinel™ is used to identify and manage potential conflicts of
interest within and across member firms. Any potential conflict
Fee dependency
of interest issues identified are resolved in consultation with
KPMG firms have agreed to consult with their Regional Risk other parties as applicable and the outcome is documented.
Management Partner where total fees from an audit client Where conflicts of interest are identified, it is necessary to
are expected to exceed 10%of the annual fee income of the consider how they can be safeguarded - for example, through
KPMG firm for two consecutive years. If the total fees from a establishing formal dividers between engagement teams
public interest entity audit client and its related entities were serving different entities and/or seeking consent. If a potential
to represent more than 15% of the total fees received by a conflict issue cannot be safeguarded, the engagement is
particular KPMG firm in a single year, this would be disclosed declined or terminated.
to those charged with governance at the audit client. Where
More complex conflicts require consultation and escalation,
the total fees continued exceeding 15% for two consecutive
and the most complex conflicts are considered by our firm’s
years, we would engage a partner from another KPMG firm
Conflicts Working Group, which is chaired by our Ethics Partner
as the engagement quality control (EQC) reviewer and the fee
and is one of the enhancements to our processes that we
dependency would be publicly disclosed.
introduced last year.
All partners and client-facing personnel received mandatory

training during the year on the process for identifying,
assessing, documenting and safeguarding conflicts of interest,
along with the need to be alert throughout the engagement for
new conflicts or threats to objectivity.
18

Continued
Compliance with laws and regulations

We provide training on compliance with laws (including those
relating to anti-bribery and corruption, money laundering and
sanctions), regulations and professional standards (including
conflicts of interest) and our Code of Conduct to all partners
and employees on joining the firm and annually thereafter.
Other topics, including Fraud Risk Awareness, Corporate
Criminal Offences and Modern Slavery are run bi-annually for
all partners and employees.
All partners and employees are asked to confirm annually, in

our Ethics and Independence Confirmation, that: “I understand
that at KPMG we are all committed to behaving ethically
and to demonstrate that we are trustworthy – which I do by
proactively living Our Values, upholding the highest ethical and
professional conduct standards and adhering to Our Code.”
19
Statement by the Board on the

effectiveness of internal controls
Internal controls statement — Received regular reports from the Chair of the Audit
Committee including:
The Board is responsible for the firm’s system of internal
controls and for reviewing its effectiveness. Such a system — Results of the evaluation of the SoQM as at
manages, rather than eliminates, the risk of failure to achieve 30 September 2023 (see here) and the design and
business objectives and can only provide reasonable and status of the remediation plans relating to identified
not absolute assurance against material misstatement, loss, deficiencies;
or non-compliance with relevant regulatory or legislative
— The findings and associated action plans arising from
requirements. The day-to-day responsibility for managing our
testing of our compliance with our Global Quality and
operations rests with the Executive Committee.
Risk Management Manual policies;
In accordance with the Audit Firm Governance Code, the
— Results of internal audit work commissioned as part
Board has reviewed the effectiveness of its systems of internal
of the approved annual internal audit plan, and the
control. In reviewing these systems and their effectiveness, it
progression on resolving weaknesses identified; and
has adopted the approach prescribed within the UK Corporate
Governance Code. — Progress reports from the group’s external auditors,
Grant Thornton UK LLP, on its annual audit and
This monitoring covers risk management systems and all
discussions with them on any control issues they
key controls, including those relating to finance, operations
have identified.
and compliance. It is based principally on the consideration
and review of reports from relevant Executive Members and — Considered reports to the Board made by the Risk, Audit,
reports from the Audit, Risk and People Committees as well Nominations and People Committees and the Audit Board
as from the Executive Committee and Audit Board to consider on how each has discharged its duties in the year.
whether significant risks are identified, evaluated, managed
and controlled.
During 2023, the Board has:
— Received regular reports from members of the Executive Conclusions

Committee, including:
The Board of KPMG LLP confirms that internal
— Chief Operating and Financial Officer on the firm’s reviews of the effectiveness of internal controls
financial performance and on any emerging financial and of independence practices within our firm
and operational risks and issues; have been undertaken. Our compliance and
— Head of Audit on the Audit Quality Transformation internal audit programmes identify deficiencies
Programme and other quality improvement and opportunities for improvement, and, in such
programmes relating to audit quality; and instances, remediation activities are agreed with
subsequent follow-up to assess the extent to
— Chief Risk Officer who provides updates on emerging which the matters identified have been addressed
regulatory, risk and compliance matters and quarterly satisfactorily.
reporting under the firm’s Enterprise-Wide Risk
Management Framework; However, matters arising from these activities are
not considered, either individually or in aggregate,
— Received regular updates with regards to ethics and to undermine the overall system of internal control
independence matters directly from the Ethics and in place.
Independence Partner, including updates on the firm’s
Ethical Health Plan and matters identified through the Compliance with requirements of Audit Firm
Speak Up hotline; Governance Code
— Received regular reports from the Chair of the Risk The Board has reviewed the provisions of the 2016
Committee including: Audit Firm Governance Code and confirms that the
— Regulatory, risk and compliance matters; and firm complied with these provisions throughout
the year ended 30 September 2023.
— External regulatory inspections and reviews.
kpmg.com/uk
© 2024 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG global organisation of independent member firms affiliated
with KPMG International Limited, a private English company limited by guarantee. All rights reserved.
The KPMG name and logo are trademarks used under license by the independent member firms of the KPMG global organisation.
Designed by CREATE | CRT150794 | November 2023

Transparency Report Quality Control and Risk Management

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Transparency Report Quality Control and Risk Management

Uploaded by

Copyright:

Available Formats

FY23 UK Transparency Report

Quality Control and

— Training on compliance with laws, regulations,

The Firm’s Internal Audit plan is reviewed and approved by

— Internal Audit provides the Audit Committee with

— The Firm’s Internal Audit function was subject to an

Our quality control and risk management systems

Our quality control and risk management systems

Our quality control and risk management systems

Risk management Principal risks

The ERM framework is subject to a comprehensive review and — Legal

— Introduction of an emerging themes section into the

— Implementation of an automated Governance, Risk and

— Identifying and agreeing Level 3 risks ready for inclusion in

The Firm’s Assurance Map documents the relationship between

Our quality control and risk management systems

Risk Current and emerging risk Mitigations

— A need to embed and — A refreshed Code of Conduct (reviewed by the Institute

— Head of Professional & Ethical Standards and a Partner

— Embedded whistleblowing processes and promotion of a

— An Inclusion, Diversity and Equity Policy, employee networks

— A Global and UK Impact plan which set out our environmental,

— Continued focus on increasing social mobility, with the

— Continued focus on the environment, with all

— A mandated Global Quality Framework, encompassing global

Our quality control and risk management systems

Risk Current and emerging risk Mitigations

Reputational risks (continued)

Our quality control and risk management systems

Risk Current and emerging risk Mitigations

Reputational risks (continued)

— Specific policies, procedures and controls

Our quality control and risk management systems

Risk Current and emerging risk Mitigations

Our quality control and risk management systems

Risk Current and emerging risk Mitigations

Strategic risks (continued)

— Regular portfolio strategy and account planning, with Executive

— Investment programme to oversee the development of new

— Regular review of Client Insights programme feedback, including

— Investment in technology and specialists e.g., climate, IT audit

Our quality control and risk management systems

Risk Current and emerging risk Mitigations

— Firm-wide quality compliance programmes including QPR and Annual

— Rigorous recruitment, training and staff development procedures.

Our quality control and risk management systems

Risk Current and emerging risk Mitigations

Operational risks (continued)

— Compliance programmes including Global GCR, QPR and Compliance

Our quality control and risk management systems

Risk Current and emerging risk Mitigations

Operational risks (continued)

— Monitoring and review of key performance indicators

— Succession plans in place for members of Executive leadership. Board

Our quality control and risk management systems

Risk Current and emerging risk Mitigations

Operational risks (continued)

— Increasing complexity — Data Protection Officer and Chief Information

— Insider policy and risk assessment reviewed annually.

— Programme of ongoing phishing resilience testing, security

— Rolling compliance programme (as part of second

— Enterprise focus on Operational Resilience, including the

Our quality control and risk management systems

Risk Current and emerging risk Mitigations