Business conduct

Themes

Audit quality

Corporate culture

Data security

Our impact and strategy

At KPMG, we are committed to upholding high standards of governance in the way we conduct our business, both internally and externally. In our double materiality assessment (DMA), we identified five sustainability matters connected to business conduct. We have grouped these under three themes: corporate culture, which aligns with the ESRS G1 topical standard, and the two entity-specific matters of (audit) quality and data security. For more information on the DMA process and outcomes, see Table 2 in “Results of our DMA review” in the General information chapter.

G1 Business conduct: sustainability matters assessed for impact materiality (positive / negative), financial materiality (opportunity / risk), and value chain

  • (Audit) quality focus (incl. AQIs)
  • Corporate culture
      • Corporate culture (including organizational ethics and integrity)
      • Protection of whistleblowers
      • Compliance with regulations
  • Data security

Ensuring high standards of business conduct at KPMG is a shared responsibility of the Board of Management and the Supervisory Board. The Board of Management develops and implements policies on integrity, ethics, and compliance, while the Supervisory Board monitors their effectiveness and reviews regular reports on compliance and incidents. This governance structure guarantees that business conduct is fully integrated into our culture and operations.

With backgrounds in governance, compliance, and ethics, board members are well equipped to oversee matters related to business conduct. Their expertise is continuously enhanced through relevant training and experience, enabling them to address risks and opportunities and maintain public trust.

In the following thematic sections, we outline our approach to managing material impacts, risks, and opportunities (IROs) related to business conduct.

Audit quality

Sustainability matter: (Audit) Quality focus (including AQIs)
Key policies: Global Quality & Risk Management Manual
Targets: Audit quality indicators (see Table 40)
Key actions:
  • Maintaining our System of Quality Management
  • Undertaking digital audit transformation
  • Implementing advanced technologies and AI tools
  • Expanding engagement management life cycle initiative

Our ambition is for KPMG to be the leading and most trusted professional services firm. To achieve this goal, we must deliver exceptional audit quality and communicate transparently with our stakeholders about our audit quality journey, in line with our values of Excellence and Integrity. Reductions in audit quality would result in a potential financial risk, as confirmed by our DMA. We have therefore identified audit quality as an entity-specific material sustainability matter for KPMG.

We define audit quality as the consistent delivery of assurance engagements that meet both the requirements and the intent of professional standards, underpinned by a system of quality management (SoQM). In 2024/2025, we maintained a dual emphasis on our people, who are essential to ensuring high audit quality and trust, and our technology, which continues to play a transformative role in our organization in general and in audit quality in particular.

Our approach to ensuring consistent audit quality is founded on the controls in our SoQM. This aligns with KPMG International's methods and policies and has been adapted to the needs of the Dutch market. During 2024/2025, we began preparing to ensure that our SoQM is compliant with the PCAOB’s QC 1000 standard, coming into effect in December 2026. We continue to operate in line with the International Standard on Quality Management (ISQM 1).

Key policies and actions

Policy name: Global Quality & Risk Management Manual
Key contents: This manual covers the scope, requirements, and procedures related to quality and risk management for all KPMG member firms and personnel, including the System of Quality Management (ISQM1) and its components.

KPMG’s approach to audit quality is anchored in the KPMG Global Quality Framework (see diagram on the next page), which underpins all related policies and actions. These are documented in the KPMG Quality & Risk Management Manual, which is aligned with European Union (EU) and Dutch legislation, as well as the requirements of the Royal Netherlands Institute of Chartered Accountants (NBA) and the US Public Company Accounting Oversight Board (PCAOB).

Global Quality Framework

While the Global Quality Framework applies to our entire workforce, it is particularly relevant for our Assurance teams, who are guided by its principles in their daily work. The framework is implemented by the Audit Quality Professional Practice department and overseen by the Head of Assurance. Information about the policy is available to relevant stakeholders through mandatory training, our intranet, and KPMG’s internal and external reporting channels.

During the year, we continued to take actions to meet the main objectives set out in the Global Quality Framework, focusing on sustained investment and innovation to drive ongoing improvements. This begins with applying a consistent, risk-based approach to our System of Quality Management (SoQM), thereby ensuring compliance with ISQM 1. We also launched initiatives to integrate new regulatory requirements and to proactively identify and remediate quality issues. In two key developments, we have begun adapting our quality control system to comply with the upcoming QC1000 regulation, which will take effect on December 15, 2026. We also prepared for the implementation of the new audit quality indicators (AQIs) as proposed by the Quartermasters.

In addition, we have rolled out comprehensive policies and guidelines for all our professionals, with dedicated protocols for the use of AI in audit engagements. Our approach includes a strong focus on training and development, covering both the technical application of audit tooling and the ethical considerations surrounding its use. This ensures our teams are well equipped to apply these tools responsibly, with integrity and professional skepticism.

We continued to foster a culture of integrity, professional skepticism, and continuous improvement by further embedding our Values First program – and our core values – into our training activities, daily operations, and in our SoQM. To support ethical decision-making in engagements, we adopted KPMG International’s Consider, Assess, Respond, Evolve (CARE) framework. Moreover, we distinguish between careless behavior and genuine human error, encourage open dialogue, and learn from mistakes. This mindset supports our commitment to maintaining public trust, especially in areas such as fraud and going-concern assessments. We also scaled up our engagement management life cycle initiative, which improves workload management for our people and enhances audit execution, from 200 projects to the majority of our audit engagements.

To improve the skills and expertise of our teams, our learning programs are now more tailored, allowing our professionals to select training that aligns with their roles and responsibilities. We invested in various programs during the year, including digital auditor training, ESG pathways, and accreditation for digital tools such as Alteryx. As a result of these investments, we were able to perform and issue independent limited assurance reports for 27 clients in 2024/2025, specifically focused on verifying compliance with the CSRD. In each of these engagements, a formal assurance report was provided to the client.

The KPMG Clara global platform, including KPMG Clara AI, is transforming the audit experience at KPMG. KPMG Clara delivers a digitally enabled approach that enhances quality, including through AI-supported risk analysis and insights, as well as built-in guidance and training, supporting consistency and compliance in our audit work. We expanded the deployment of KPMG Clara, AI Transaction Scoring, and other (AI) tooling with human oversight in client engagements in 2024/2025, enabling full-population testing and deeper insights. While it is too early to quantify the impact on audit quality, early feedback from our clients and engagement teams has been positive. We also collaborate with partners such as Microsoft, AI4FinTech, Rossum, and MindBridge to further enhance quality across Assurance and/or Advisory.

The combination of these tools and the improvements implemented in 2024/2025 has led to progress in audit quality and efficiency. Within KPMG, audit quality indicators – such as internal quality review results and feedback from engagement teams – are closely monitored. The introduction of data-driven procedures has been linked to positive trends in these indicators.

Training programs for auditors

To support quality, our aim is to ensure that people can access relevant training at the optimal time in the audit cycle. Rather than mandating one-size-fits-all programs, we prefer to empower our workforce to focus on the skills they need to perform their work to the highest standards. In 2024/2025, we invested in five important training programs:

Digital auditor training: Our digital trainees are junior audit staff (not yet fully qualified audit professionals) who are trained in core technologies that enable them to create and run data and analytics (D&A) routines on their audit engagements.

ESG Pathway: Combining online and classroom training sessions, this course covers the CSRD and European Sustainability Reporting Standards (ESRS) and the methodology we apply in performing sustainability assurance engagements.

Digital MBA for partners: This two-day training is held in partnership with Vlerick Business School, where KPMG leaders and leading academics give lectures and classes on AI and digital platforms. This empowers partners and directors to lead their teams through a changing digital world.

Alteryx accreditation: Audit practitioners can be certified to use the Alteryx D&A tool in their engagements. Managers are also trained to review this work. This allows audit teams to combine their client-specific knowledge with cutting-edge data and analytics capabilities.

Annual immersive trainings: All KPMG audit professionals attend off-site training sessions on key topics like ESG, AI, fraud, accounting topics and cybersecurity. The classroom environment brings together people at different levels of seniority, facilitating the transfer of valuable knowledge.

Metrics, targets, and performance

Our audit quality performance during the year was strong, reflecting KPMG’s many years of investment in our SoQM. We have defined a set of AQIs to monitor and enhance audit quality (see Table 40). We review our performance against these indicators biannually and, where necessary, take specific actions in response. These metrics are not validated externally.

In 2024/2025, we continued to monitor our existing AQIs, with one key adjustment: “Financial statements with restatements as percentage of audit opinions issued” was replaced by two new indicators, “Number of restatements due to material errors as a percentage of the total number of audit opinions” and “Number of restatements due to fundamental errors – 362 BW2.” This split provides better insight into the severity of the restatements. Although we have a 1.5% restatement rate in total for 2024/2025 we had no case under Dutch Civil Code 362.6 involving fundamental errors. By replacing the original AQI with two separate indicators, one for material errors and one for fundamental errors, the distinction between the seriousness and impact of the restatements becomes clearer. For detailed definitions of our AQIs, see “Definitions of all metrics” in the appendices to this statement.

Target-setting is embedded in our annual business plan cycle and substantiated in the annual audit quality plan. Targets are proposed by the Head of Audit Quality, based on prior-year results, sector developments (such as Quartermaster recommendations), and future ambitions. These are reviewed and approved by the Assurance Leadership Team and the Board of Management.

In 2024/2025, we met or exceeded target thresholds for 11 of the 16 AQIs, resulting in an overall performance score of 69%.

Audit quality indicator | Target for 2024/2025 | 2024/2025 | 2023/2024
Results of internal KPMG N.V. audit inspections | 100% | 92% | 94%
Results of external inspections | 100% | 100% | n/a
Percentage of engagements involving engagement quality control review (EQCR) | ≥ 20% | 33% | 32%
EQCR hours spent as percentage of total hours spent on EQCR engagements (scope: all EQCR engagements excl. three largest clients) | ≥ 1.2% | 1.2% | 1.2%
Partner hours percentage in public-interest entity (PIE) audit engagements (OOB) | ≥ 7% | 8% | 8%
Partner hours percentage in non-public-interest entity audit engagements (non-OOB) | ≥ 6% | 7% | 6%
Average number of hours spent in training per client-facing professional in audit | > 160 | 221 | 218 (restated)²
Hours spent by IT and other specialists in public-interest entity (PIE) audit engagements (OOB) | ≥ 9% | 17% | 18%
Hours spent by IT and other specialists in non-public-interest entity audit engagements (non-OOB) | ≥ 6% | 6% | 6%
Technical resources support (FTEs) as percentage of total audit FTEs | > 5% | 6% | 6% (restated)³
Number of technical consultations as percentage of total audit engagements | ≥ 10% | 18% | 16%
Number of restatements due to material errors as a percentage of the total number of audit engagements¹ | < 1% | 1.5% | 2.2%
Number of restatements due to fundamental errors – 362.6 BW2 | 0% | 0.0% | 0.2%
External independence violations as a percentage of total headcount | 0% | 0.2% | 0.3%
Breaches of internal independence rules that did not result in an external violation, as percentage of total headcount | ≤ 1% | 3.3% | 3.0%
Global People Survey (GPS) results relating to audit quality | ≥ 85% | 80% | 79% (restated)⁴

1 This is a new audit quality indicator.
2 Restated due to a change in definition to include offshore resources and a change from FTE to headcount to align with S1 – Average training hours per employee, as training standards apply equally to all individuals regardless of working hours.
3 Restated due to a change in definition to include offshore resources, as they are part of the Audit professionals.
4 Restated due to a change in definition to exclude the following statement: "There is consistency between leadership communications on audit quality and my day-to-day experience". This item is now addressed through GPS Communication, which is reported internally to ensure clarity and alignment with organizational priorities. The population changed from KPMG to Assurance because AQIs relate directly to audit quality, which is primarily delivered and monitored by Assurance professionals.

Table 40

Key results

In general, the outcome of our Audit Quality Indicators for FY2024/2025 is positive. Important areas of attention are the outcome of the internal audit inspections and the breaches of internal independence rules. We analyzed the results, performed root cause analyses, and will work on remedial actions in 2025/2026.

Internal audit inspections rated “compliant” and “compliant – improvement needed” decreased to 92% in 2024/2025 (94% in 2023/2024). Of the 51 files reviewed in total, 38 were rated “compliant,” nine were rated “compliant – improvement needed,” and four were rated “non-compliant.”

We strive for 100% compliance and are implementing several initiatives to empower our audit teams to achieve this. In 2025/2026, we aim to further improve our internal Quality Performance Review (QPR) scores and strengthen audit quality overall. Our planned approaches include enhancing root cause analyses of recurring findings and leveraging GPS insights to drive continuous improvements. This will be supported by workload management initiatives designed to foster the optimal conditions for delivering excellent quality. We will also maintain our focus on ethical culture and behavioral drivers and continue to provide targeted learning programs via online and in-person classrooms, coaching, and sector-specific training. These initiatives support the successful completion of our enhanced supervision phase, ensuring that strengthened governance and compliance practices remain embedded across the organization.

During its inspection, the PCAOB did not identify any engagement-level deficiencies indicating insufficient audit evidence to support our audit opinions, and it found no issues that would call into question the basis of our audit opinions for the three inspected engagements. The AFM finalized one thematic inspection on “Quality of audit procedures that address assessed fraud risks”. On one audit engagement file, pertaining to a 2022 engagement that was still documented in our former documentation tool, the AFM reported findings on the audit procedures addressing the identified fraud risk. On the other three engagement files, no findings were reported. This year, the AFM conducted seven other thematic reviews or inspections. For two of these, final reports without regulatory findings were received after our year end. For more background information, see “External reviews, inspections, and interactions with regulators” in our management review.

Corporate culture

Sustainability matters:
  • Corporate culture (including organizational ethics and integrity)
  • Protection of whistleblowers
  • Compliance with regulations
Key policies:
  • Global Code of Conduct
  • Complaints and Reports Scheme (incl. Whistleblowing)
  • Supplier Code of Conduct
  • Global Quality & Risk Management Manual
  • Personal Investigation Manual
Targets:
  • Employee engagement score: 77%
  • Psychological safety score: 73%
Key actions:
  • Mandating annual training on integrity, independence, and ethical conduct
  • Requiring annual confirmation of awareness of the Code of Conduct
  • Providing anti-bribery and anti-corruption training
  • Carrying out acceptance checks on all clients and engagements
  • Investigating all complaints and whistleblowing reports
  • Promoting a speak-up culture
  • Assessing anti-bribery and anti-corruption annually

As a professional services firm dedicated to earning and protecting trust, we place high value on the principles of organizational ethics and integrity, whistleblower protection, and regulatory compliance. These aspects of our corporate culture represent both material positive impacts for our stakeholders and potential financial risks for KPMG, including penalties, legal costs, and reputational damage.

In our approach to these matters, including mitigating associated risks, we are guided by our core values – Integrity, Excellence, Courage, Together, For Better – which underpin our ethical standards and contribute to positive impacts. Below, we set out KPMG’s structured approach to these principles.

Overarching approach

Policy name: Global Code of Conduct
Key contents: The code serves as a comprehensive framework for ethical behavior and a positive corporate culture.

For all three sustainability matters under this material theme, the Global Code of Conduct (see “Own workforce”) supports our commitment to transparency, accountability, and providing a safe workplace. The code is publicly available and serves as a key resource for ethical behavior, guiding actions and interactions throughout our organization. Our Ethics & Independence department provides oversight to ensure the code is upheld and implemented.

This framework is supported in turn by targeted policies, processes, and governance structures that address critical issues. In particular, we have developed mechanisms for detecting, preventing, and addressing unlawful behavior, protecting whistleblowers, and preventing corruption and bribery. These include dedicated committees and reporting channels that promote openness and address concerns in a timely and appropriate way. These mechanisms are explained in further detail below.

Corporate culture (including organizational ethics and integrity)

Key policies and actions

Policy name: Supplier Code of Conduct
Key contents: This policy outlines principles related to business conduct, working conditions, human rights, and environmental responsibilities. It must be included in all contracts exceeding a total value of EUR 25,000.

Our Supplier Code of Conduct provides a foundation for ethical business conduct and relationships with our suppliers. The Chief Operating Officer (COO) is responsible for its implementation and enforcement.

Internally, to ensure proper adherence to the Global Code of Conduct and strengthen our corporate culture, we require our people to undertake mandatory annual training. KPMG International member firms share many of the same risk, independence, and compliance training programs, ensuring consistency in international engagements and minimizing compliance risks. The “We do what is right” training is a required course, aimed at instilling integrity in both client-facing and non-client-facing employees.

Along with our other values, Integrity is central to our professional conduct, forming the foundation of quality control at KPMG. Accordingly, each training course begins by asking the participant to confirm they will complete the course and assessment independently. Since 2023/2024, internal monitoring has been in place to prevent answer sharing.

In addition to formal policies, KPMG invests in strengthening its corporate culture through the Values First program. This firm-wide initiative aims to embed our values into daily behavior and decision-making. For a detailed description of the program, refer to the chapters "Message from our CEO" and "Value created for our people" in the management review.

Metrics, targets, and performance

We track our performance on corporate culture through our GPS scores on engagement (77% in 2024/2025) and psychological safety (73% in 2024/2025). For more information, see "Mental health and safety." We also monitor diversity figures, retention rates, and levels of engagement with our ethical culture programs, as discussed in the chapter “Own workforce.”

Protection of whistleblowers

Key policies and actions

Policy name: Complaints and Reports Scheme (incl. Whistleblowing)
Key contents: This policy empowers all internal and external stakeholders to report concerns related to unlawful behavior.

Policy name: Regulations on Undesirable Behavior
Key contents: These regulations apply to individuals with an employment contract at KPMG, including equity partners, interns, and contractors. They outline procedures to prevent and eliminate all forms of undesirable behavior, including discrimination.

Policy name: Regulations on how to deal with labor disputes
Key contents: These regulations outline a confidential, step-by-step procedure for resolving labor disputes, involving confidential counselors, mediators, and a Complaints and Disputes Committee. The aim is to ensure careful, fair, and independent handling of conflicts, with strong safeguards for confidentiality and protection against disadvantage.

Policy name: Protocol for Personal Investigations
Key contents: This policy defines a personal investigation as a targeted inquiry into the actions, omissions, or behavior of individuals when there is a suspicion of a breach of internal or external rules. The purpose is to establish the facts in case of suspected misconduct or violation of company policies, laws, or regulations. Investigations may cover issues such as breaches of confidentiality, fraud, unacceptable behavior, or violations of codes of conduct. The process is conducted confidentially and fairly, with protection against retaliation for whistleblowers. Based on the findings, KPMG may impose disciplinary measures or report findings to authorities, ensuring all actions are proportional and compliant with legal standards.

Together with the Global Code of Conduct, which includes details of our reporting channels, our Complaints and Reports Scheme (including the Whistleblowing Scheme) enables people to raise concerns about unlawful behavior. We provide a separate whistleblowing channel for our workforce to report undesirable behavior and labor disputes. We actively promote awareness of these mechanisms through our intranet, integrated reports, and email updates.

The scheme is designed to be accessible and undergoes annual effectiveness testing. It is managed by experienced auditors in our Internal Audit & Compliance Office, with ultimate responsibility lying with the head of this department. For more information on our reporting safety net, see section “Reporting and remediating negative impacts” within “Own workforce.”

Our whistleblowing channel complies with the EU Whistleblower Protection Directive and provides secure avenues for reporting unethical conduct. Certified and specially trained auditors carry out subsequent investigations. The procedure for personal investigations follows our Protocol for Personal Investigations, ensuring integrity and confidentiality at every step.

We prioritize whistleblower protection and have put in place several safeguards, which we continuously review and update in line with evolving regulations:

• Option to report anonymously

• Legal protection for whistleblowers

• Guarantees against unfair treatment of reporters

• Legal safeguards against retaliation

• Secure handling of data related to investigations

In 2024/2025, as in every year, our employees were required to confirm compliance with our internal policies. This includes explicitly acknowledging their awareness of our complaints and whistleblowing channels. Through our continued focus on psychological safety and ethics, we also promoted a culture where people feel safe to speak up about any concerns.

Metrics, targets, and performance

We do not currently have any targets or metrics related to whistleblower protection.

Compliance with regulations

Key policies and actions

Policy name: Global Quality & Risk Management Manual
Key contents: The manual contains our anti-bribery and anti-corruption policies. These align with the UN Convention against Corruption and provide clear guidance to employees on preventing and responding to (potential) instances of bribery and corruption. The manual is supported by our Global Code of Conduct.

Regulatory compliance is a fundamental part of our operations and an area of constant and significant attention for KPMG. We provide more information on our approach to managing this matter elsewhere in our sustainability statement, including “Audit quality,” “Data security,” and “Own workforce.”

Regarding anti-bribery and anti-corruption (ABC) in particular, employees must follow the Global Quality & Risk Management Manual, which is supported by our Global Code of Conduct. These policies align with the UN Convention against Corruption. The Internal Audit & Compliance Office conducts safeguarding checks to confirm that the policies outlined in the manual are properly applied at all levels of KPMG.

While we operate in a low-risk country and do not designate specific functions as being “high risk,” we conduct regular training for employees in departments such as Finance, Procurement, and Marketing. This raises awareness of bribery and corruption risks, enhances people’s ability to recognize and act on potential threats, and ensures compliance with ABC regulations.

We also carry out risk assessments as part of the client and engagement acceptance process (see “Consumers and end-users”). Our teams are trained to detect and address potential corruption. In high-risk cases, we engage forensic experts, with the Audit Quality Professional Practice department providing guidance.

Using the annual ABC assessment, which is mandatory for all KPMG member firms, we monitor fraud, bribery, and corruption. This assessment is carried out by the Forensics team and includes follow-up recommendations to ensure compliance with global standards.

Metrics, targets, and performance

We do not currently have any metrics or targets in place for this sustainability matter.

KPMG did not receive any convictions or fines for violations of ABC laws in 2024/2025.

    Data security

    Sustainability matters

    Key policies

    Data security

    Global information security policies, standards, and guidelines

    Acceptable Use Policy

    Information Classification Policy

    Targets

    Key actions

    Maintain ISO 27001:2022 certification

    Conducting regular risk assessments and monitoring

    Performing annual internal and external audits

    Carrying out regular penetration tests and cyber response exercises

    Implementing and updating awareness and training programs, such as our AI Awareness Week

    Reviewing and updating policies and controls

    Reporting and following up on incidents

    Classifying information according to confidentiality

    We are committed to providing a secure and safe environment for the (personal) data and information we hold, as well as to protecting the data of our clients, service providers, and other third parties. We regard this information and the associated information technology (IT) systems as valuable assets that are essential to KPMG’s business operations. Data security is not only a regulatory requirement, but also fundamental in upholding stakeholder trust and protecting our business continuity and reputation. We also recognize the potential risks associated with data threats and the mishandling of confidential information.

    To address these risks, we base our information security and data protection practices on globally recognized and accepted security best practices. By obtaining ISO 27001:2022 certification – the standard for Information Security Management Systems (ISMS) – we ensure that our information security practices are mature and effective, up to date, and internationally benchmarked.

    Securing and protecting data is everyone’s responsibility at KPMG. Our approach to information security requires all employees to implement policies and follow processes appropriately within their area of responsibility. We support our workforce in doing this by providing clear guidelines, tools, and regular training.

    We manage risks related to data security using a “three-lines-of-defense” model, where internal stakeholders are actively involved in preventing, mitigating, and managing any information security risks within our organization before they can negatively impact operations.

    Three lines of defence model

    First line of defense

    Business Management and Operations own and manage risks and controls.

    Second line of defense

    Risk & Compliance stablishes methodologies and frameworks; monitors risks, compliance, and controls in support of management; and typically owns IT and security risk mangement processes.

    Third line of defense

    The Internal Audit function provides assurance on the effectiveness of risk-mitigation controls.

    Table 41

    At the organizational level, to ensure effective information management that is aligned with our business needs and regulatory requirements, KPMG has a well-defined governance framework for implementing and monitoring data protection policies, risk management, and compliance measures. Our National IT Security Officer leads our information security program, working closely with IT and other technology teams. By embedding security into the foundation of our digital architecture, we mitigate potential breaches and ensure resilience in the face of cyber risks.

    Our cybersecurity strategy is underpinned by clear principles that apply to all layers of our operations – empowering decision-makers to balance risk and opportunity, while safeguarding our data assets. These principles include:

    • Risk-based decision-making: All decisions in relation to data management and protection balance risk with economic opportunity, in line with legal, regulatory, and contractual requirements.

    • Transparency: We maintain transparency in our risk posture and ensure clear communication of our security policies and incident response procedures.

    • Defense-in-depth: Multiple, reinforcing layers of technical and organizational controls are in place, including access management, encryption, monitoring, information classification, rules of acceptable use, a zero-trust approach, and incident response.

    • Security by design and breach preparedness: Security is integrated into all solutions and processes from the design phase. We operate under the principle of “assume breach,” meaning our systems and employees are prepared for incidents and know how to respond.

    • Awareness and culture: Security is an integral part of every employee’s mindset. Annual awareness training and clear communication about policy, incidents, and best practices are mandatory.

• Compliance and auditing: Regular internal and external audits ensure that policies are followed and that we comply with relevant regulations, such as the EU General Data Protection Regulation (GDPR), and contractual obligations to clients.

Key policies and actions

Policy name: Key contents

Global information security policies, security policies, standards, and guidelines: These are directly associated with ISO 27001:2022 controls and represent the minimum information security baseline for our IT operations. Together, they establish a baseline for protecting the information and systems of KPMG and our clients.

Acceptable Use Policy: This policy establishes the minimum standards for the acceptable and appropriate use of information and technology assets by our people. It also sets out how we should protect KPMG's technology assets in our care.

All users must accept responsibility for their actions regarding the use and safeguarding of KPMG information assets, data, and technology resources, in accordance with the global KPMG policies. In the event of a conflict, local laws and regulations take precedence.

Information Classification Policy: This policy describes the confidentiality classifications for KPMG's and clients' information and provides guidance on how to determine the appropriate level of classification.

    Our data security policies are all part of the Information Protection Policy Framework within our Global Quality & Risk Management Manual. Developed in consultation with stakeholders and topical experts, the policies are accessible to all employees and key stakeholders – who are required to read, understand, and apply them – via our intranet. They address potential vulnerabilities across all levels of our operations, from network infrastructure to employee access rights, and are supported by continuous monitoring, training, and incident response plans.

    We safeguard our organization against data security risks through actions that apply to all our business activities and employees and are embedded in our day-to-day operations. Internally, we demonstrate compliance with the global information security policies in an annual review. Externally, our ISO 27001:2022 certification covers all KPMG services.

    We follow a robust risk management process comprising four key steps: identification, assessment, control and treatment, and monitoring and review. During the identification and assessment phases, we evaluate potential threats to our assets, identifying vulnerabilities, assessing their impacts, and determining the likelihood of occurrence. If a risk exceeds the threshold, we promptly treat and control it, following our established protocols. We also conduct periodic reviews to monitor identified risks, assess the effectiveness of treatments, and detect new or emerging risks. When we identify risks that exceed our risk appetite, we address them accordingly. We also supplement monitoring activities with regular penetration tests and cyber response tests to ensure that our risk posture remains responsive and up to date.

    To strengthen our resilience against cyberattacks and data breaches, and to support a safer working environment, we aim to promote a security-aware culture among our people. We therefore implement a program of awareness and education initiatives, empowering our workforce to identify and respond to security incidents in the IT sphere and beyond.

In 2024/2025, we ran frequent phishing awareness campaigns, offered e-learnings, organized the annual Safety Week, and communicated regularly with our people through news updates, screensaver messages, and other internal channels. We also continued to provide additional, targeted training to employees in high-risk functions, such as IT, Finance, Legal, Procurement, Forensics, IT Development, and the Security Operations Center.

We continue to monitor developments around the delayed implementation of the EU’s Network and Information Security Directive into Dutch law. At the time of reporting, the Cybersecurity Act (Cyberbeveiligingswet) is expected to enter into force in the second quarter of 2026. Organizations such as ours will need to strengthen their data security policies, monitoring, and incident handling to ensure compliance and avoid penalties once the law takes effect.

    Since January 2025, our financial services clients must comply with the Digital Operational Resilience Act (DORA). Depending on the services we provide, this means we are asked to meet specific DORA requirements, which we handle on a case-by-case basis.

    Metrics, targets, and performance

    In 2025, we achieved our data security target of earning recertification under ISO 27001:2022. This international standard confirms the quality, safety, and efficiency of KPMG’s ISMS. We also track internal metrics related to data security; for security reasons, we do not disclose these metrics or results publicly.