The services that KPMG offers vary hugely, with each project tailored to the specific needs of the client in question to deliver impactful results. Part of providing high-quality service means anticipating and meeting legal, regulatory, and client requirements.
With many KPMG clients in highly regulated industries such as finance and healthcare, KPMG must demonstrate its ability to easily and rapidly meet these and other enterprise Governance, Risk, and Compliance (eGRC) demands. This challenge is not a new one, and the company has long had policies in place to meet its own and clients’ requirements. However, these policies were stored in various repositories across the ITS organization, meaning it was difficult to map policies to new standards.
Irina Giller, Director, ITS Policy and Governance, KPMG, heads up the team responsible for ITS policies and compliance. She explains, “We were unable to easily confirm whether or not we could comply with a new client request using an existing policy, so there was a lot of manual work involved every time – even after we created a more centralized repository using available tools.”
KPMG needed a common eGRC platform with a fully centralized policy repository to both publish policies and map them to authoritative sources while maintaining a comprehensive overview of its eGRC capabilities.
Giller and her team addressed these requirements by deploying the Policy Management and Compliance Management modules of the RSA Archer eGRC Suite. These solutions enable KPMG to ensure comprehensive management of its policies, and any exceptions, as well as remediation tracking for compliance.
“With this solution, which includes a number of internal processes and the eGRC tool, we can carry out self-assessments to identify any gaps in our compliance stance, then easily work in amends to our policies to ensure we’re covered,” comments Giller. “Likewise, if a client has a new compliance requirement or wants to review our capabilities, it’s easy for us to show them online how our processes measure up against their expectations and make any necessary enhancements in an efficient manner.”
Implementation was carried out by KPMG’s ITS Policy and Governance team, following brainstorming sessions with KPMG’s Advisory team to develop a roadmap for rollout of RSA Archer modules. A consultant from RSA Archer was on site to help manage the implementation of both modules, and RSA also provided training to KPMG’s development and support groups.
The first test for the new platform came shortly after deployment, when a new client project required KPMG to affirm where it was necessary to enhance policies and procedures in alignment with the National Institute of Standards and Technology (NIST) 800-53 directive, which impacts data hosting for government organizations. KPMG won this new client’s business because, using RSA Archer, the team mapped the requirements to its internal policies and procedures, performed gap analysis, and, where necessary, developed and published additional policies, procedures, and technical baselines, all in a reasonable timeframe.
“Previously, client audits necessitated the printing out and processing of reams of paper documentation,” says Giller, “which was time-consuming and unscalable. Now all the information we need is there on the system, so it’s much easier and quicker for us to find the policy or control standard we’re looking for. Not only has this accelerated our own ability to meet requests for information, but clients are reassured by our commitment to meeting their needs, especially when they come in to conduct on-site reviews and we navigate them through our online policy center.”
The RSA Archer solution issues automatic alerts to KPMG’s ITS Policy Review Board whenever an exception is submitted for review and approval, or is due to expire. The board can then notify the individual of its decision to allow a time-limited exception where business justification warrants it and adequate compensating controls are in place, or direct individuals to either take the necessary steps to become compliant or remove the non-compliant system from the network. “This model means we have tighter control over our compliance capabilities and are able to reduce the risk of any inadvertent breaches of regulations,” says Giller.