KPMG Cyber sits inside Risk Consulting and the interview loop blends technical depth with audit-trained rigour. Expect strong emphasis on controls, evidence and IT-audit fluency.
How would you design a SOC 2 Type II audit programme for a SaaS client?
Scope TSCs (Security mandatory + chosen), control mapping to AICPA criteria, sampling strategy, evidence catalogue, walkthroughs, design + operating effectiveness testing, exceptions handling, opinion drafting.
Explain the difference between design effectiveness and operating effectiveness testing.
Design = is the control suitably designed to achieve the objective (walkthrough, 1 sample). Operating = is it operating consistently over the period (sample size per frequency: daily 25, weekly 10, monthly 2-5, etc.).
A client's privileged access control fails operating effectiveness. What's your response?
Document the exception with evidence, assess compensating controls, evaluate severity (isolated vs systemic), discuss with audit partner, draft the management response, consider impact on opinion.
How do you keep technical credibility in an audit-heavy practice?
Maintain a delivery rotation (red-team week, IR shadowing), invest in certifications (OSCP, GIAC), contribute to internal knowledge base, publish externally.
Tell me about a time you found a finding the client didn't want to accept.
STAR with evidence, escalation, partner alignment and final resolution. Show ethics and commerciality.
Not mandatory, but helpful at Manager+. Tech Risk hires often come from internal audit, advisory or cyber consulting backgrounds.
Largely consistent. Watford / Canary Wharf hubs run more financial-services cases.
Premium members get the full round structure, signals, and AI-graded practice.