Big-4 Consulting · Cyber Security · Tech Risk

KPMG Cybersecurity Interview Pack

KPMG Cyber sits inside Risk Consulting and the interview loop blends technical depth with audit-trained rigour. Expect strong emphasis on controls, evidence and IT-audit fluency.

// hiring focus
- Cyber Strategy & Governance - Technology Risk + IT Audit - Identity & Access - Cloud Security - Cyber Response
KPMG's cyber practice is tightly coupled to Tech Risk and the audit practice — many engagements support SOC 1 / SOC 2 / ISAE 3402 attestations. As a result interviewers will probe your ability to operate inside a controls framework, not just deliver outcomes. The behavioural framework is KPMG's 'Our Values' + capability model. Senior hires get a values-led partner round.
// hiring loop
- Recruiter screen - Online assessments (Launch Pad — situational + numerical) - Capability interview (competency + technical) - Partner / Director final round — case + values + Q&A - Offer
// interviewer style + signals
Methodical, controls-oriented, audit-adjacent. Expect 'walk me through how you would test the design and operating effectiveness of a privileged-access control' style questions. Less theatrical than Deloitte/PwC, more substance-led.
// recent themes & hot topics
Continuous auditing / control automation, AI governance attestation, cloud security posture mgmt for audit reliance, FS operational resilience, third-party assurance (post-Snowflake / MOVEit), DORA + NIS2 readiness assessments.

Sample interview questions

  1. 01

    How would you design a SOC 2 Type II audit programme for a SaaS client?

    Show strong-answer outline

    Scope TSCs (Security mandatory + chosen), control mapping to AICPA criteria, sampling strategy, evidence catalogue, walkthroughs, design + operating effectiveness testing, exceptions handling, opinion drafting.

  2. 02

    Explain the difference between design effectiveness and operating effectiveness testing.

    Show strong-answer outline

    Design = is the control suitably designed to achieve the objective (walkthrough, 1 sample). Operating = is it operating consistently over the period (sample size per frequency: daily 25, weekly 10, monthly 2-5, etc.).

  3. 03

    A client's privileged access control fails operating effectiveness. What's your response?

    Show strong-answer outline

    Document the exception with evidence, assess compensating controls, evaluate severity (isolated vs systemic), discuss with audit partner, draft the management response, consider impact on opinion.

  4. 04

    How do you keep technical credibility in an audit-heavy practice?

    Show strong-answer outline

    Maintain a delivery rotation (red-team week, IR shadowing), invest in certifications (OSCP, GIAC), contribute to internal knowledge base, publish externally.

  5. 05

    Tell me about a time you found a finding the client didn't want to accept.

    Show strong-answer outline

    STAR with evidence, escalation, partner alignment and final resolution. Show ethics and commerciality.

Frequently asked questions

Do I need IT audit experience?

Not mandatory, but helpful at Manager+. Tech Risk hires often come from internal audit, advisory or cyber consulting backgrounds.

Is the loop different across UK regions?

Largely consistent. Watford / Canary Wharf hubs run more financial-services cases.

Run the KPMG loop as a graded mock

Premium members get the full round structure, signals, and AI-graded practice.

Start free