Information Risk Management

KPMG’s Information Risk Management practice is dedicated to assisting our clients in the identification, understanding, measurement and management of business risks resulting from their dependence on information technology to manage and evolve their businesses.

Such risks can result from the need for better governance and information management performance, partnering with third parties, management of change, and the implementation of controls at the technology layer.

Our suite of Information Risk Management services has been designed to assist our clients in addressing the risks they are facing throughout this continuum of risk drivers and are tailored to meet the specific needs of each client.

IRM services are focused under four areas:

• Information Management
• Information Protection
• Information Controls
• Information Audit

For further information about our services or if you would like one of our professionals to contact you, please contact us.

Information Management Services

Effectively Managing the Information Infrastructure by assisting clients with areas like:

• IT Governance
• IT Alignment
• IT Performance
• IT Processes
• Sourcing Risk
• Project Risk
• IT Financial Management
• Decision Risk
• IT Resource Management

Services include:

• Governance and Performance
• Project Risk
• Sourcing Risk
• Operations Risk

Information Management services are designed to help clients effectively manage the Information Infrastructure

1. Governance and Performance
   
   Effective IT Governance helps business systems deliver value to organizations and manage the unique risks inherent in technology through appropriate corporate governance.
   
   IT Performance is an assessment, benchmarking, and planning service that enables senior executives to determine how to materially improve their use of IT and enhance business performance
   
   
2. Project Risk Management
   
   Project Risk Management services help organizations identify and mitigate the risk of project failure.
   
   We help clients through programs of business change.
   
   We evaluate the deliverables of system integrators, contractors, planners and estimators for quality, completeness and timeliness.
   
   We help to improve the processes associated with developing new projects and products or managing a portfolio of projects.
   
   
3. Sourcing Risk Management
   
   Sourcing Risk Management services assist clients in identifying and managing outsourcing risks along the continuum of the outsourcing life cycle.
   
   This includes assistance with sourcing decisions, due diligence, transition management and metrics. KPMG helps clients identify, measure and manage the impacts of sourcing decisions.
   
   
4. Operations Risk Management
   
   Operations risks are those that affect the production aspects and operations of a business. Safeguarding against losses from data corruption, manufacturing inefficiencies and operational issues are a few of the areas where operations risk can be identified.
   
   KPMG helps clients identify and prioritize the operational risks that affect the strategic well being and performance of an organization. KPMG can help companies find the right balance between risk and control by directly linking operational process risk back to the organization’s strategic objectives.

Information Protection Services

Protecting Vital Information Assets by assisting clients with:

• Information Security
• Security System Integration
• Privacy Management
• Business Continuity
• Crisis Preparedness
• Regulatory Compliance

Services include:

• Security Services
• Business Continuity Management
• Privacy Risk Management
• Compliance Services

Information Protection services are designed to assist clients in protecting vital information assets.

1. Security Services
   
   Security services assist clients with developing solutions that help protect information assets. IRM incorporates the full life cycle model of security including:
   • Information Security Assessment
   • Penetration Studies
   • Enterprise Security Architecture
   • Security Monitoring and Implementation 
     
     
2. Business Continuity Management
   
   IRM identifies disruption risks due to both technology issues and potential disasters. We help an enterprise minimize the potential for disruption, and plan for the restoration of critical business functions should a disruption occur. BCM services include:
   • Business Continuity Planning - minimize downtime
   • Enterprise High Availability - infrastructure design
   • Service Level Management - infrastructure management and control
     
     
3. Privacy Risk Management
   
   Privacy Risk Management assist clients with developing solutions that help protect company and client information, health information and addressing global data privacy. We help clients with:
   • Risk and benefit analysis
   • Performing compliance assessment
   • Developing privacy strategy
     
     
4. Compliance Services
   
   KPMG Regulatory and Compliance Services help clients proactively comply with regulatory requirements, secure and monitor systems and data, mitigate risks that could lead to losses from non-compliance, litigation, or regulatory sanctions and fines.
   Regulatory and Compliance services can address risks associated with other service areas, including financial, information, operations and controls.

Information Controls Services

By effectively controlling information processes organizations verify that optimal systems controls relating to a major application implementation are in place and operating effectively. Specific areas include:

• Financial Reporting System Controls
• ERP System Controls 
• CRM/Supply Chain System Controls Effectively Controlling Information Processes
• Industry Proprietary System Controls

Services include:

• Business System Controls
• ERP Controls

Information Controls services are intended to help clients with effectively controlling information processes

1. Business Systems Controls
   
   Through Business Systems Controls we help organizations verify that optimal systems controls relating to a major application are in place and operating effectively.
   
   Our professionals use proven tools and methodologies, combined with detailed knowledge of major enterprise resource packages, to help implement targeted, specific and practical processes, allowing our clients to make full use of new technologies.
   
   We help provide greater security and controls, as well as increased functionality to these systems.
   
   
2. ERP Controls
   
   ERP Controls services relate to the identification and design of controls in connection with major application implementations, such as:
   • Oracle
   • PeopleSoft
   • SAP
   • JD Edwards
   • And Others
   KPMG assists clients by reviewing the risks presented by the project management structure, the changes in the business processes, how security is being managed, the impact on IT operations, and the quality and integrity of data conversion.

Information Audit Services

Assuring stakeholders of information reliability is the aim of KPMG Information Audit Services. KPMG helps clients through testing and agreeing upon specific information or procedures, or reviewing system configurations in the case of an IT environment. Specific areas of support include:

• IT Risk Assessment and Due Diligence
• IT Internal Audit
• Third-Party Reviews
• Web Assurance

Services include:

• IT Risk Assessment and Due Diligence
• IT Internal Audit
• Third Party Reviews
• Web Assurance

Information Audit Services are designed to assuring stakeholders of information reliability.

1. IT Risk Assessment and Due Diligence
   
   KPMG IT Risk Assessment and Due Diligence services are tailored to fit the requirements of our clients and work to identified risks that reside in a number of IT specific areas.
• IT Risk Assessment
• IT Risk Benchmarking
• IT Due Diligence
  
  
2. IT Internal Audit
   
   Outsourcing or co-sourcing IT Audit is a cost effective means of having the right skills at the right time.
   
   Our IT audit professionals bring a wealth of business and technology experience to provide clients with the skills they need, when they need them. IT Internal Audit services include:
• KSprint/IT
• IT Audit Plan Development
• IT Audit Execution Assistance
  
  
3. Third-Party Reviews
   
   Third-Party Review services are intended to provide independent assurance to third parties that systems are operating as designed. Services include:
   
   A SAS 70 review has typically been associated with the audit of a third party service provider. For example, organizations that provide an outsourced data center solution or process payroll information often obtain a third party audit of its operations. A SAS 70 report typically covers general IT controls such as physical and logical controls, system development and change control, backup and disaster recovery controls as well as actual transaction processing and application controls of the particular business processes.
   
   IRM is also a Qualified CISP Security Assessor, and can assist clients in meeting your Visa CISP compliance deadlines and preparing for annual certification.
   
   
4. Web Assurance
   
   The AICPA/CICA has established the Trust Services Principles and Criteria to provide a framework to provide assurance regarding systems reliability and e-commerce activities. These Principles and Criteria are the result of an effort to harmonize the criteria previously included in two separate but similar standards - WebTrust (which was applicable to electronic commerce systems) and SysTrust (which was applicable to any system).
   
   With WebTrust and SysTrust, an examination is performed using the Principles which are applicable to the system which is the subject of the examination. Our KPMG Seal was designed to provide information to consumers and assurance about the trustworthiness of web site engaged in commerce.