Internal Audit, Risk & Compliance Services 

Faced with new market opportunities, ongoing economic challenges, increased pressure to improve risk management effectiveness, and unprecedented regulatory requirements, many organizations are recognizing the need to transform their internal audit and risk management functions to turn these disruptive forces into opportunities.


Leading organizations acknowledge that meeting these new challenges can actually protect and enhance business value and drive operational efficiencies. They need to envision and implement a holistic model that adds value and meets the demands of regulators, the board of directors, and key stakeholders.


KPMG’s Internal Audit Risk & Compliance Services (IARCS) deploys multidisciplinary teams of professionals experienced in financial and operational internal auditing, IT, fraud analytics and risk assessment, shared services, finance management, treasury and financial instruments, and the supply chain to augment and enhance an organization’s existing internal audit capabilities.


Our IARCS practice works to make internal audit functions, enterprise risk management programs, and risk and controls management more efficient and effective.


Hot button issues for business leaders include a range of complex matters, including:


  • IA strategic sourcing (right resources, right place, right time)
  • enterprise risk management (structure, risk identification, monitoring, reporting, optimizing)
  • regulatory compliance (including SOX)
  • contract compliance
  • corporate governance
  • global sustainability/climate change
  • continuous auditing/monitoring
  • integrated assurance.

How We Can Help

The internal audit function and risk and controls management are often at the forefront in dealing with these matters. Their effectiveness and efficiency can have a major influence on corporate performance and business outcomes.


KPMG's IARCS practice works with internal audit directors and audit committees to develop a quality internal audit function that delivers strategic business assurance, identifies business opportunities and enhances organizational value. Our member firms' services include:


  • evaluating internal audit functions and providing co-sourcing and outsourcing services
  • deploying continuous auditing/monitoring techniques
  • designing, executing and advising on the use of enterprise risk management
  • driving Sarbanes-Oxley and equivalent regulations compliance
  • rationalizing monitoring functions and governance practices
  • enhancing recoveries and compliance with contracts
  • advising on social responsibility and climate change reporting


KPMG's IARCS team is a trusted adviser to many of the world's leading enterprises. We aim to deliver a consistent, cost-effective and high-quality set of services based on:


  • a network of over 7,500 financial and operational internal auditors and IT auditors across the globe
  • subject matter professionals teaming with internal auditors to enhance value
  • experience in CA/CM, ERM, GRC and broader risk and controls management
  • IAS practices in over 50 countries
  • access to the resources of one of the world's leading professional advisory networks.


KPMG member firms are located in key financial and commercial centers and developed markets. We also have a dynamic presence in the emerging economies of Central and Eastern Europe, Russia, Latin America, India, China and elsewhere in Asia. These resources offer clients a rich supply of information, contacts and business opportunities.

Achieving leading internal audit (IA) capabilities requires significant investment in skilled resources, methods, training, career paths, and technical infrastructure. Maintaining those capabilities requires sustained investment during both good and challenging economic times. As both a critical business operation and a function often perceived as a cost center, IA can be a prime candidate for strategic sourcing.


KPMG's Internal Audit Methodology (IAM) is the firm's global approach to providing internal audit outsourcing and co-sourcing services. It is a risk-based approach that focuses on clients' objectives and impediments to achieving those objectives. Sourcing the IA function takes on a variety of forms, each presenting its own degree of "ownership" and mix of fixed and variable costs.


Like many other functions, IA has become highly sophisticated and virtually a business in itself. Achieving effective IA capabilities requires a significant level of investment in skilled resources, methods, training and technical infrastructure.  With organizations being driven to do more with less, the internal audit (IA) function has become a prime candidate for strategic sourcing. This can include outsourcing the entire function or just certain critical elements.


Internal audit sourcing with KPMG can provide you with the opportunity to tap into specific skill sets, industry knowledge and global resources on an ‘as needed’ basis. KPMG firms can provide you with the specific skills you need on demand — achieving a level of flexibility which can be critical in effectively dealing with a range of operational issues.


KPMG's IA services can help organizations manage internal audit activity and costs by:


  • Improved flexibility and agility – Improved capacity to respond to Audit Committee requests for special and ad-hoc audits and investigations by leveraging a global team of resources during peak cycles; provides the scalability and flexibility to adapt to ever-changing and emerging risks
  • Access to specialized skills – Improved ability to access a pool of talented resources with various skillsets and industry experiences without adding headcount.  KPMG can provide access to professionals who can provide additional value in the audit process through their technical skills (IT, forensic, treasury, risk management, procurement, etc.) and industry knowledge
  • Quicker turnaround – Extension of workday by adding global resources working on different time zones thereby improving turnaround time for audits
  • Increased leverage – Ability to access a team of specialized resources with experience in internal audit, risk and compliance management to meet growing regulatory compliance needs.
  • Manage internal audit costs – Providing access to professionals on an "as needed" basis - the company is therefore not required to bear the fully loaded annual payroll costs (i.e., converting fixed costs to variable costs, providing additional flexibility to react to changing business needs).

KPMG's Sarbanes Oxley Advisory Services (SOAS) can help an organization with the implementation and maintenance of a sustainable CEO/CFO certification process to achieve compliance with SOX 404, MI 51-109 or voluntary certification requirements through readiness assessments, documentation and testing assistance, and sustainability assessments. In each of these services KPMG firms' professionals work closely with clients to establish compliance programs, transfer knowledge and provide training to support a successful CEO/CFO certification process.


Readiness assessments are used to determine how well prepared the organization is to implement a CEO/CFO certification process. They are designed to highlight gaps and make recommendations to help clients ensure implementation of a successful CEO/CFO certification process.


Documentation and testing assistance is designed to help management support their assessment of their organization’s compliance with the CEO/CFO certification process.


Sustainability assessments are designed to help clients evaluate and improve on their initial CEO/CFO certification process.


For each of these services, KPMG takes a risk-based approach to identify the internal controls over financial reporting (ICFR) that the organization either has in place, or needs, to address its key financial reporting risks and to support the implementation of its chosen control framework (e.g. COSO).


SOAS projects for our member firms’ clients are based upon our global SOAS methodology and supplemental materials — e.g. the point of view (POV) documents that have been created as a result of the SEC’s Interpretive Guidance for management. SOAS projects are delivered by our Internal Audit Risk & Compliance Services (IARCS) personnel, supported by appropriate subject matter professionals, throughout the KPMG network.


KPMG’s SOAS services can help clients:


  • prepare for an initial compliance program that takes advantage of the most recent guidance to create a cost effective approach to SOX 404 compliance that is suited to the organization.
  • create clearer links between risks and management’s decisions and judgments about how those risks are managed through a company’s approach to ICFR.
  • reduce documentation and testing hours through the use of a more focused testing strategy that accounts for the impact of new or existing direct and monitoring entity-level controls and only testing process level controls that are directly related to identified financial reporting risks at the assertion level.
  • identify and implement year-on-year improvements to the SOX 404 compliance to reduce costs and improve effectiveness of a client’s on-going SOX 404 compliance efforts.


In addition, KPMG Global Services (KGS) offshore resources can be utilized in the delivery of SOAS engagements to allow our local professionals to leverage offshore resources in a cost-effective manner.


KGS is a joint venture between KPMG International, KPMG US, KPMG Europe LLP and KPMG India. Seeded as a global capability hub, KGS provides professional services to KPMG member firms to help clients meet complex business challenges. The use of KGS allows KPMG US to quickly deploy specialist resources who can work seamlessly on cross-border engagements, to support key client opportunities. KGS provides services across all key areas of Internal Audit/Sarbanes Oxley Advisory Services (SOAS) sourcing engagements including process and risk analysis, financial analysis, business modeling, specialized research on clients and industries, IT and business controls testing, data analysis, reporting, and project management assistance.

The recent global economic crisis proved that many businesses did not take a strategic and coordinated approach to risk management. Coming out of the crisis, organizations are pressured to be more proactive and rigorous in how they manage risks and to provide assurance to internal and external stakeholders about their risk management effectiveness. Companies that can clearly articulate and quantify the risks they face and their likely impact on performance will ultimately make better business decisions. A comprehensive Governance, Risk, and Compliance (GRC) approach, enabled by technology, can drive new compliance and performance capabilities and new organizational resilience.


Governance, Risk, and Compliance (GRC) services help clients develop a wide-ranging vision and approach for their organizations' multiple governance, risk, and compliance processes. The key focus is to help improve the sustainability, effectiveness, efficiency, and transparency for GRC processes; align the processes with the organization's strategic goals and objectives; and drive both competitive advantage and shareholder value.


KPMG can help with…


  • Strengthening the GRC organization and processes to address renewed stakeholder focus on governance and risk management
  • Enhancing economic business value by helping improve cost efficiencies
  • Capitalizing on opportunities and helping to minimize losses through enhanced risk management and informed decision making


In addition, KPMG's Holistic Model for GRC provides an integrated approach for developing and establishing a successful and sustainable GRC framework within the organization.


Potential benefits to an effective approach to GRC:


  • Protect and enhance business value by fostering a risk-aware culture, supporting informed decision making, and addressing multiple compliance and assurance layers
  • Enhance operational efficiency by rationalizing risk management, controls, and assurance structures and processes, and intelligent use of IT and data management structures
  • Enable the organization to quickly, consistently, and efficiently respond to challenges provided by evolving risk profiles and rapidly changing regulatory requirements
  • Enable a company to meet compliance objectives while improving performance by using an integrated framework in support of its strategic objectives

As companies worldwide address their stakeholders' new demands to enhance how they manage risks, they are giving Enterprise Risk Management (ERM) new consideration.


ERM services can help provide an organization-wide approach to the identification, assessment, communication, and management of risk. The ERM framework addresses five risk elements: risk governance, risk assessment, risk quantification and aggregation, risk monitoring and reporting, and risk and control optimization. KPMG can help facilitate and perform an enterprise risk assessment that identifies and assesses an organization's current risk inventory. We can also review and assess the current state of maturity of their risk management program, providing observations and recommendations for improvement.


KPMG helps by offering…


  • Well-established, globally accepted risk management framework, and global network of professionals
  • Understanding of the client’s business strategies and related risks
  • Actionable and practical approaches to embedding ERM within the organization
  • Multi-disciplinary team to define the risk profile


KPMG ERM Assessment and Implementation services can help organizations:


  • Improve risk information needed to support strategic decision making throughout the organization
  • Understand risks and interrelationships to help drive performance, value, and brand
  • Get out in front on global regulatory change
  • Consistently identify and assess risks
  • Define risk governance structure with clear roles and responsibilities
  • Clearly align strategic objectives and organizational risks
  • Access information that supports risk-based performance measurement

Management and internal audit departments continue to actively seek new ways to gain access to valuable and timely information to manage risk and improve performance. Such efforts increasingly include Continuous Auditing and Continuous Monitoring (CA/CM) of organizational systems, processes, transactions, and controls.


Companies that deploy Continuous Auditing (CA) can leverage technology to more efficiently analyze risk data on a frequent basis. This approach helps detect anomalies, outliers, inconsistencies and other factors so that audit resources can be focused more efficiently.


Continuous Monitoring (CM) provides management with information on key performance metrics in close to real-time, allowing them to have better insight into issues as they arise, thereby improving their ability to manage risks and opportunities.


KPMG's CA/CM Services are delivered by multidisciplinary teams to help clients assess, design, implement, and evaluate continuous auditing and continuous monitoring systems and processes focusing on control effectiveness, fraud and misconduct prevention and detection, policy and regulatory compliance, and performance improvement. KPMG professionals can assist with all phases of the CA/CM implementation process, including among others: Developing a CA/CM strategic plan; building an effective CA/CM business case; identifying key stakeholders and assisting with defining success criteria and related measurements; and performing risk assessment and data analytics to identify valuable CA/CM areas.


KPMG’s CA/CM Services bring greater efficiency, enhanced controls, earlier information, and reduced complexity, and offer the following potential benefits:


  • A globally consistent, multidisciplinary team approach, integrated with Governance, Risk, and Compliance
  • Depth and breadth of R&C and Advisory functional skills to drive content development including an array of advisory, accounting, finance, tax, and technology professionals with deep industry knowledge
  • Objective and pragmatic advice to evolve a customized program
  • Ability to leverage alliances with key tool vendors for teaming

When it comes to third-party contracts, the axiom is "trust, but verify." What's more, recovery of money is not the exception; it is the norm in most cases. Some organizations lose revenue, license fees, or royalties, or pay more than they should to third parties with which they have contractual arrangements. Contract Compliance Services (CCS) can help them recover those funds and improve internal processes to help ward off further losses and over-payments. In addition, other non-financial benefits can be achieved, such as process enhancement and improved relationships between business partners, among others.


CCS helps clients identify financial misreporting and reset the compliance baseline underpinning contractual relationships with business partners, which can result in potential collections or savings with significant return on investment (ROI). CCS can help increase the communication and understanding of contractual terms and obligations between the client and its business partner, leading to improved reporting processes and partner relationships. CCS services include:


  • Vendor Contracts — advises on management of vendor relationships and reviews payments to identify overbillings for goods or services or missed revenue opportunities.
  • Royalty Compliance — aims to recover fees, help strengthen licensing relationships and identify opportunities for mitigating risk.
  • Software End-User License Review — monitors license compliance for software vendors, leading to increased current and future licensing and maintenance revenue.
  • Ad Agency Contract Compliance — aims to identify significant cost recoveries or other improvement opportunities.
  • Reseller and Distributor Review — assists with the enforcement of contracts with channel partners.
  • Digital Distribution — assists digital content owners in assessing the completeness and accuracy of self-reporting of content distribution.
  • Software Asset Management (SAM) — can include a review of people, process and technology areas against industry standards.
  • Intellectual Property (IP) Audit — assistance in assessing and optimizing processes of the IP governance throughout different stages of the IP lifecycle.


Gaining the full value that is due from contracts is clearly a chief concern for many companies — in terms of enhancing income and reducing costs. KPMG’s CCS professionals can help our clients by advising on:


  • recovered cash from overpricing and overpayments
  • better protection of intellectual property
  • mitigating and managing risks within the extended enterprise
  • more effective financial reporting controls
  • improved relationships with key business partners
  • increased confidence in vendor’s contract compliance process
  • identified opportunities to enhance contract language
  • in-depth industry experience and a dedicated practice

Bruce W. Willis

Partner, Advisory Services
