hospital internal audit 2011
Bermuda Hospitals Board
Response to RFP for Internal Audit Services
ADVISORY
Ms. Delia Basden
Chief Financial Officer
Bermuda Hospitals Board
7 Point Finger Road
Paget DV 04
January 14, 2011
Dear Ms. Basden
KPMG is delighted to present our qualifications to provide internal audit services. We hope that our proposal demonstrates how we can add value and also reflects our desire to develop a long-term relationship with you as your internal audit services provider. A clear understanding of your needs, the right people, the right experience, and the strongest commitment to serving you – these are the principles that permeate our response, and which will guide our service to you as your internal auditors.
What sets KPMG apart is the breadth and depth of our dedicated risk management/internal audit team, combined with unrivalled expertise in the healthcare industry. We will bring a client centric focus, an independent view and fresh perspective to BHB’s internal audit function leveraging off a sound understanding of your organization developed through our previous working relationships. We will deliver a cost effective internal audit that focuses on key risk, improves governance and improves operational efficiency.
The Right Team. Your KPMG service team combines risk management, information technology, business improvement and healthcare expertise. It will deliver a best practice, value-added and robust internal audit function. Stephen Woodward (Engagement Director) and Julie Twynholm (Engagement Manager) have significant experience leading risk management and internal audit engagements, including the effective management of outsourced internal audit functions. Our team also brings the healthcare industry and healthcare internal audit experience of Darren Skolnick (Healthcare Internal Audit Advisor), who has over 20 years of experience providing internal audit and enterprise risk management services to leading healthcare organizations. Malcolm Butterfield will serve as client relationship partner.
© 2011, KPMG, a Bermuda partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.
The right approach. Our track record for delivering value-added internal audit services is
based on a tried and tested approach that combines methodology, knowledge and technology in a powerful package. Our proprietary Enterprise Risk Management (ERM)/Risk Assessment methodology will provide you with a top down, strategically driven, risk assessment that examines key business risk in the context of your strategic organizational objectives. ERM/Risk Assessment forms the foundation of a risk based internal audit plan and performance improvement program. A clearly defined internal audit plan will give management and the Board the confidence that we are focused on the areas of greatest risk to the organization, identify strengths and weaknesses in internal controls and drive operational improvement.
Healthcare Knowledge. KPMG’s healthcare industry practice has extensive knowledge of every type of healthcare provider, from primary and urgent care to post-acute care, research and education. The diversity and depth of our client experience has enabled us to develop substantive knowledge of the business, accounting, internal controls, and operational practices of successful healthcare organizations. We will bring this depth of experience to bear in benchmarking and delivering recommendations for improvement.
Healthcare Information Technology Experience. As the healthcare industry becomes increasingly automated, knowledge of technology is essential. Our multi-disciplinary team will include professionals who have IT audit experience and specific technology skills, including clinical information and billing systems, security, business continuity management/disaster recovery planning, change and configuration management and quality assurance.
Value. Our approach to fees is based on the premise of a long-term, mutually beneficial relationship. Our proposed fee structure, the investment we will make in the long-term relationship, the caliber of our people and our focused approach will contribute to realizing the maximum value from your investment in internal audit. Our proposed approach to fees is flexible and scaleable, based on your needs and your risk portfolio and we will leverage technology to help you get the best value. We commit to doing our utmost to contribute to BHB’s success by providing you with priority access to human, technical and knowledge resources.
We submit this proposal to you, subject to the standard terms and conditions outlined in Appendix C, the completion of our customary client acceptance process, and issuance of a specific engagement letter for the services described herein upon selection as your internal audit outsource provider.
We look forward to adding value by helping to appropriately develop and align the internal audit
function with BHB’s overall objectives and are ready and eager to begin. All on the team wish to emphasize their personal commitment to meet and exceed your expectations.
Should you have any questions concerning our proposal or any other matter, please do not hesitate to contact Stephen Woodward on 294-2675, or Malcolm Butterfield on 294-2609.
Yours sincerely
Stephen Woodward, Director
Malcolm Butterfield, Managing Director
Contents
KPMG Understands BHB’s Needs
KPMG Overview
KPMG’s Internal Audit Practice
Team Overview
KPMG’s Philosophy and Methodology
KPMG’s Information Technology Audit Resources
KPMG Value
KPMG’s Knowledge Leadership
KPMG’s Independence
KPMG’s Sample Internal Audit Plan
Appendices
A. Engagement Team Resumes
B. Sample Reports
C. KPMG Standard Terms and Conditions
KPMG Understands BHB’s Needs
RFP Request:
A description of your understanding of our engagement requirements.
You want the Internal Audit function to provide assurance that risks are being
effectively managed, enhance corporate governance, and to drive improvements
and efficiencies in process across the organization.
In our previous work with BHB you have indicated that you have aspirations to
improve the control environment around the key finance and operational
procedures performed by BHB staff and to implement best practice where it is
appropriate to do so.
Although the internal audit plan will be driven by the risk assessment, we predict
that the majority of the internal audit work will focus on areas that have been of
concern to BHB executive management historically. These areas of interest are
fraud, procurement and vendor selection, inventory management and accounts
payable.
Coordinating with External Auditor
Managing internal audits in an outsourced environment can present challenges
in communication and coordination efforts, including maximizing the efforts
between the external auditors and the internal auditors. Your KPMG service
team has a very successful track record of providing services to many of its
clients who have different external audit firms. We will provide our full
cooperation to your external auditors and work closely with them and you to
make certain that our efforts are not duplicated and that the lines of
communication are always open. In particular, we will discuss the scope of our
work to see to it that your external auditors can obtain maximum leverage from
the work we do. This typically involves sharing internal and external audit plans
and coordinating the focus and timing of work on risk and controls which give rise
to both internal and external audit risk. This minimizes duplication of effort and
drives maximum reliance by external audit on internal audit’s work.
KPMG Overview
RFP Request:
Name of the firm, business address, contact person, telephone and email addresses.
Give a short history of the company. Include names and addresses of parent and divisions (if applicable).
Name of the person in each of the following top management positions. Give the correct title of office and the time that the person has held the position.
1. President/CEO/Managing Partner
2. Director of Auditing Services
KPMG International
KPMG is a global professional services organization that works with our clients to
turn understanding of information, industries and business trends into value.
With more than 100,000 people worldwide, KPMG member firms provide
assurance, tax and advisory services from more than 715 cities in 148 countries.
KPMG Bermuda
KPMG in Bermuda was the first accounting practice established in Bermuda,
over 60 years ago. We are now a firm of 12 partners and approximately 180 staff
delivering audit, tax and advisory services to the international business and
Bermuda business, Government and quango sectors. We have a dedicated
advisory practice of 25 professionals, including specialists in risk management
and internal audit services. The key to our success in the Bermuda internal audit
market is the talent of our people and focus on the issues. We believe the depth
of our dedicated advisory group is unrivalled in Bermuda.
KPMG’s Healthcare Practice
Your Internal Audit Service Team will be backed by a firm-wide network of more
than 1,000 healthcare professionals in the U.S. that we will utilize as a knowledge
source, for benchmarking best practice.
We serve nearly 50% of the top 150 U.S. healthcare systems
We serve 62% of the 78 healthcare companies in the Fortune 1000
We serve 100% of the top 15 global pharmaceutical companies
We serve 68% of the top 25 global biotech companies
We serve 80% of the top 10 managed care companies
Contact persons
Stephen Woodward
Director, KPMG Enterprise
(441) 294-2675
Malcolm Butterfield
Managing Director, KPMG Advisory
(441) 294-2609
Business address
Crown House
4 Par-la-Ville Road,
Hamilton, HM 08
Bermuda
Senior Management
Neil Patterson is the Managing Partner of KPMG in Bermuda and has held this
position since 2009. Neil was previously the head of the firm’s Investment
Banking practice, and has overall responsibility for KPMG’s internal and external
audit services.
KPMG’s audit practice is sub-divided across three main functions – Insurance,
Investments & Banking and Enterprise. Stephen Woodward is Director of Audit
Services for KPMG Enterprise which services our Bermuda clients in the
domestic business, government, healthcare and not-for-profit sectors.
KPMG’s Internal Audit Practice
RFP Request:
A description of your firm’s internal audit practice and experience, as well as any details about how your internal audit service is different from others.
Internal Audit, Risk and Compliance Services (IARCS)
We have a multi-disciplined group of 25 professionals within our advisory
practice. These include internal audit, risk management, IT, business
improvement, corporate governance, treasury, supply chain management,
human resources, fraud and forensics specialists. The members of our Bermuda
internal audit practice have successfully performed the following services:
Design and evaluation of risk and control frameworks, guiding principles, organizational structure and policies and procedures
Comprehensive business risk assessments
Development of and execution of multi-year risk-based internal audit plans
Development of Audit Committee best practices charter/mission statement
Development of internal audit best practices charter/mission statement
Business process improvement, bench-marking and advisory services for revenue assurance, product development, supply chain and inventory
Operational reviews involving compliance with underwriting, claims and investment guidelines as well as benchmarking
Information technology controls, application controls and security reviews
Design and testing of disaster recovery and business continuity plans
Re-design of treasury functionality
Operational reviews of foreign exchange trading, money wire and transfer, investment management, portfolio management, credit operations, including counterparty and country risk
Special investigations requiring fraud and forensic skills
Design and development of risk awareness training for business managers
Design and implementation of internal audit quality assurance programs
Development of key performance indicators for board reporting
Focus on Healthcare
KPMG has been providing audit, tax, regulatory compliance, investigative, and
other advisory services to healthcare providers, payers, and suppliers for more
than 30 years. The model of our healthcare industry practice is a strength and
unique characteristic that sets us apart from competitor firms that provide similar
healthcare regulatory advisory services. Our interaction with healthcare clients
enables KPMG to obtain and share a broad base of knowledge.
Healthcare Internal Audit Services
Our internal audit service will make a positive difference by focusing on the right
projects and the techniques to identify control deficiencies. Our internal audit
projects can help realize performance improvement opportunities by:
Preventing revenue leakage
Reducing costs
Improving productivity
Mitigating business risk
Driving efficiency
Promoting regulatory compliance
Enhancing internal controls
Our Healthcare Advisory professionals, many of whom come directly from
industry, offer a powerful blend of industry insight, practical experience, and
technical skills. Our Healthcare practice conducts ongoing research on the
identification and management of healthcare risks so that we can refine our
understanding of emerging issues for the benefit of our clients.
The marketplace has long recognized KPMG’s depth of knowledge in the areas
of financial management, regulatory compliance and remediation, internal
control, transaction support, treasury, stakeholder reporting, technology, and
process improvement. With this experience, we are well positioned to deliver
relevant and effective business insights and bring the right resources to bear to
help your organization achieve its goals.
Representative KPMG Hospital Clients
Adventist Health System
Alegent Health
Alexian Brothers Health System
Allina Health System
Banner Health
BayCare Health System
Baylor Health Care
Bermuda Hospitals Board
Bon Secours Health System
CareGroup
Catholic Healthcare West
Catholic Health Services of Long Island
Community Health Systems
Dartmouth-Hitchcock Alliance
Duke University Health System
Emory Healthcare
Froedtert
Health Management Associates
HCA
Hospital Sisters Health System
Integris Health
Intermountain Healthcare
Kaiser Health Plan & Hospitals
Johns Hopkins Health System
Kaleida Health
Legacy Health System
LifeBridge Health
Lifespan Corporate Services
MedStar Health
Methodist Le Bonheur Healthcare
Memorial Hermann Health System
Mission Health, Inc.
MultiCare Health System
Nebraska Methodist Health System
New York Health & Hospital Corporation
North Shore Long Island Jewish Health System
North Mississippi Health Services
Oregon Health Sciences University
OSF HealthCare
Palmetto Health Alliance
Peace Health
Provena Health
Providence Health System
Resurrection Health Care
Robert Wood Johnson University Hospitals
Saint Barnabas Health System
Saint Vincent Catholic Medical Centers
Sentara Healthcare
St. John Health
SSM Health Care
Texas Health Resources
The Nebraska Medical Center
Tufts New England Medical Center
University Health System (Tennessee)
University Hospitals Health System
University of Connecticut Health Center
University of Maryland Medical System
University of Missouri Health
University of Washington Medical Center
Upper Chesapeake Health
Vanderbilt University Medical Center
VCU Health System
WellStar Health System
Wellmont Health System
Western Maryland Health System
Wheaton Franciscan Services
Keeping You Informed
Our team will keep you informed about emerging market trends, regulatory and
legislative changes, leading practices, and effective approaches. Our healthcare
practice, like all of our other industry practices, keeps our professionals at the
forefront of industry thinking. As part of our commitment to the business of
healthcare, our partners and other professionals actively participate in and
support national industry associations such as:
American College of Healthcare Executives (ACHE)
American Health Information Management Association (AHIMA)
American Health Lawyers Association (AHLA)
American Hospital Association (AHA)
Association of Healthcare Internal Auditors (AHIA)
Healthcare Compliance Association (HCCA)
Healthcare Financial Management Association (HFMA)
Healthcare Information and Management Systems Society (HIMSS)
Health Management Academy (HMA)
National Quality Forum (NQF)
Canadian College of Health Leaders (CCHSE)
Ontario Hospitals Association (OHA)
Community Care Access Center (CCAC)
Canadian Institute for Health Information (CIHI)
Team Overview
RFP Request:
Resumes of proposed senior personnel, as it pertains to their internal audit experience (see Appendix A)
Team Overview
We have selected a service team comprised of professionals from our
Internal Audit, Risk Management, and IT practices along with professionals
with significant healthcare experience. We are confident that based on the
experience and skill sets of the people selected for this project, we have the
ability to produce the quality analysis, recommendations, and improvements
needed to drive value for BHB.
Finance Committee of the BHB Board of Directors
Core Internal Audit Team
Stephen Woodward, Engagement Director
Julie Twynholm, Engagement Manager
Chantal Oosthuizen, Senior Manager, Finance
Delia Basden, Chief Financial Officer
Malcolm Butterfield, Client Relationship Partner
Subject Matter Professionals
Darren Skolnick, Director, Healthcare Practice
Paul O’Neill, Senior Manager, Forensics
IT Team
David Ciera, Senior Manager
Key KPMG Resources
Core Internal Audit Team Members (Full Bios attached as Appendix A)
Stephen Woodward, Director of KPMG Enterprise, will serve as the
Engagement Leader and will attend all Finance Committee meetings. His
primary role is to oversee the provision of internal audit and risk
management resources and act as BHB’s primary client service point of
contact. Stephen has extensive experience of working with not-for-profit
organizations and NGOs and understands the specific needs of these types
of organizations.
Malcolm Butterfield, Managing Director, will serve as the Client Relationship Partner to lead our efforts by monitoring your satisfaction
with the KPMG experience and to help ensure that BHB has access to
KPMG’s best resources.
David Ciera, Senior Manager, will serve as Project Manager. David
will be BHB’s day-to-day point of contact and overall manager of project
activities. David will monitor the performance of project tasks and the project
schedule, and will be the primary point of communication between BHB and
the KPMG project team. David will also take the lead on the provision of IT
risk services.
Julie Twynholm, Manager, will manage the Internal Audit engagements and will be the day-to-day contact for all Internal Audits. Julie’s core experience is internal audit controls
assurance and evaluating business processes and IT systems. Julie will
monitor the progress of internal audit tasks and provide guidance and advice
to internal audit staff.
Paul O’Neill, Senior Manager, will be the lead for all Forensic Services
provided. Paul will monitor the performance of any forensic work and will be
the point of contact between BHB and KPMG.
Darren Skolnick, Director in KPMG’s Advisory Services practice in New
York, will serve as Healthcare Internal Audit Advisor. He has more than 20
years of experience providing internal audit, enterprise risk management,
regulatory compliance and internal control assistance services to leading
healthcare and government organizations.
The core team will be supported by specialists on an as needed basis depending upon the nature of the
internal audit being performed.
RFP Request:
A list of three references for which your firm has performed internal audit services, currently or in the recent past, including contact name address and telephone number.
List three clients where Internal Audits have been performed over the past three years. Provide names of clients’ employees to contact for references.
Client referees and contact details
Referee 1.
Company Name: Montefiore Medical Center
Address: 111 E 210th Street, Bronx, NY 10467-2401
Contact: Chris Panczner
Title: Senior Vice President and General Counsel
Contact details: Tel 1 718-920-7787
Referee 2.
Company Name: Keytech
Address: 30 Victoria Street, Hamilton HM 12, Bermuda
Contact: Sheila Lines
Title: Chief Executive Officer
Contact details: Tel: 441 295-5009
E-mail: [email protected]
Referee 3.
Company Name: Montpelier Re
Address: Montpelier House, 94 Pitts Bay Road, Pembroke, Bermuda, HM08
Contact: Louis Guttierez
Title: Head of Internal Audit
Contact details: Direct: +1.441.299.7540
Fax: +1.941.296.8777
E-mail: [email protected]
Referee 4.
Company Name: Bermuda Monetary Authority
Address: BMA House, 43 Victoria Street, Hamilton HM 12
Contact: Marcia Woolridge Allwood
Title: Director, Corporate & Financial Services
Contact details: Tel: +1441 278 0207
Email: [email protected]
KPMG’s Philosophy and Methodology
RFP Request:
A description of your firm’s general philosophy and methodology to be used in the provision of internal audit services, including plans for communication with the Finance Committee.
RFP Request:
A description of your risk assessment process and whether your methodologies can be customized for use in our organization.
KPMG’s Philosophy
Our philosophy is open communication with management, no surprises and clear reporting to the Board. We will be focused on the key risks, deliver pragmatic improvement recommendations and be a catalyst for positive change.
KPMG’s Internal Audit Methodology
Overview
Designed to be flexible and scalable, KPMG’s Internal Audit Methodology (IAM)
balances a risk based approach with the fundamentals of compliance and
control. By selecting the components that are relevant to BHB’s needs, the
methodology can be adapted to meet any specific circumstances.
BHB is to develop its internal audit function in order to monitor risk, assess
internal controls and ultimately to accomplish its financial and quality objectives.
Our methodology is designed to help you accomplish each of these goals.
Our methodology analyzes risk from a business perspective and focuses on key
processes and controls. It employs a scalable, top down, risk based approach
designed to drive value by delivering efficient and effective audits that are directly
tied to our client’s strategic objectives. It also allows us to identify potential cost
saving opportunities, compare existing practices with better practices, and
generate recommendations to further improve performance and operations.
Other key features of our methodology include:
A focus of efforts on the areas of greater risk, importance, and value to the
organization.
Active involvement and buy in of client management in the risk assessment
process and the resulting outcomes.
The incorporation of subject matter professionals where needed and relevant.
Leveraging of KPMG’s business models, knowledge bases, control catalogs,
and other firm resources.
KPMG performs internal audit services consistent with the Institute of Internal
Auditors (IIA) Standards.
Risk Assessment Process
As your internal audit outsource provider, our first step in assisting BHB in
managing its risks and controls would be to review and update your existing risk
assessment to help develop a more comprehensive and strategic internal audit
plan. This would be performed at no charge as part of KPMG’s investment
toward a long-term relationship.
Using the Enterprise Risk Assessment, an approach that we have derived from
KPMG’s broad Enterprise Risk Management methodology, KPMG can help
management find the right balance between risk and control by linking risk back
to BHB’s objectives, and building the foundation for risk management and risk
communication. We will assist you in identifying an assessment of the risks that
affect various entities and business processes associated with maintaining or
achieving business objectives.
In the context of KPMG’s Internal Audit Methodology, the purpose of the
enterprise risk assessment is to help you:
Gain an understanding of the risks that threaten BHB’s achievement of
strategic objectives
Examine risks in five categories: Strategic, Operational, Financial, Information
Technology (IT) and Regulatory
Develop foundations that will assist in identifying your key business
processes that mitigate strategic risks and to focus on process-level
assessment
Develop the basis for the internal audit plan
C-level executives and senior management, together with the Internal and IT
Audit team, in collaboration with Compliance, focus on identifying strategic risks
that have the greatest potential effect on the organization. In addition to risk
identification, KPMG’s Internal and IT Audit professionals provide risk awareness
and education to their clients through our experience and industry knowledge.
An enterprise risk assessment, when performed as part of the Internal Audit
Methodology, focuses on the existing risk profile and drives the development of
an internal audit plan that can help the BHB assess the design and operating
effectiveness of the business processes and controls put in place as part of
management’s response to the organization’s key strategic risks.
Key Strengths of KPMG Enterprise Risk Assessment
We believe the key strengths of KPMG’s Internal Audit and Enterprise Risk
Assessment Methodology are:
Focuses on both strategic and process-level risks and assists in
identification of “disconnects” between corporate objectives and activities at
the process level.
The approach and techniques used to deliver the assessment are flexible,
adaptable and easily tailored to the client’s culture and organizational
structure.
Includes use of diagnostic interviews, data analytics, and comparison to
industry benchmarks by subject matter professionals who can probe the
details of the most important risk areas. Use of healthcare industry
professionals helps ensure completeness of risks identified and the
identification of “real” industry specific business issues.
Provides a risk profile that identifies key business risks faced by the
organization and an analysis of the risks in a manner that is easily
understood by management.
Assists management in developing a prioritized internal audit plan that
focuses on significant areas of residual risk.
The chart below depicts typical risks facing not-for-profit health care
organizations. KPMG has surveyed over 200 Health Care Providers across the
U.S. and has developed an industry list of existing and emerging risks. We would
utilize this list as a guide when we are updating or revising your existing risk
assessment and internal audit plan.
This chart provides an example of how an institution might inventory and
prioritize its own risks, based on importance/potential cost and the likelihood of
occurrence near term.
Based on the results of the Business Risk Assessment, our next step is to assist you
in developing/updating an internal audit plan. This phase has the aim of linking
the key risks with the processes and controls that the organization seeks to
strengthen.
Among the key processes for which we have conducted internal audits at other
health care clients are the following:
Managed Care
Information Technology
Research
Patient care revenue (i.e., charge capture)
Materials management (supplies)
Financial close and reporting
Regulatory Compliance (i.e., documentation, billing, etc.)
Employee compensation (payroll)
Regulatory compliance
Capital purchasing
Treasury activities (investing, financing, and cash management)
Physician relationships
Insurance (malpractice and workers’ compensation)
Benefit plans and related accruals
Income taxes and exempt status
Quality Data Reporting
Internal Audit Steps
Phase I: Audit Planning and Continuous Communication
The tasks described in this phase of the work plan relate to understanding the
processes, policies, and procedures which support BHB, and communicating the
goals of the project to its various stakeholders. We would provide status reporting
at a frequency agreed with you that would identify all work performed and any
issues that arose.
Our initial efforts will be in project planning, which will include the following tasks:
Conduct a Project Initiation Meeting – We will conduct an initial planning meeting
which will include the KPMG Project Team and BHB Administration. This meeting
will set the tone for the project. At this meeting, we will:
Introduce members of the team;
Confirm work plan steps and the timeline for completion, including dates for
Interim and Final Report deliverables;
Convey an initial list of requested documents and put into place a process for
additional documentation requests;
Develop an initial contact list and discuss notification of stakeholders;
Coordinate efforts between BHB and the KPMG team to facilitate the review
of deliverables and monitor the project’s progress;
Identify and understand the key inputs, outputs, activities and related
business risks;
Identify the internal business and financial controls in place to reduce those
risks to an acceptable level; and
Identify key performance indicators that measure the processes, integrity and
reporting and assess the accuracy of these measurements and their effective
use by management.
Review Existing Documentation – We will review existing documentation focused on
(1) the management practices, operating processes, and internal controls of audit
area components; (2) strategy, mission and key policies; (3) current processes
and operating characteristics; and (4) the organizational structure.
Phase II: Fieldwork
During this phase, we will gather process, policy and procedure information from
staff and management through meetings and documentation review. This phase
will help enable us to gain an understanding of the current activities performed
within each audit area. Additionally, this activity will help enable us to identify and
highlight non-value added activities that may impact overall efficiency.
We will conduct an assessment of each audit area to:
Determine the impact and probability that the identified business risks are
likely to occur;
Measure and prioritize the identified business risks in quantitative and
qualitative terms;
Identify the critical controls and individuals accountable for managing these
risks;
Identify key performance indicators that can be utilized in building a
continuous auditing program at BHB;
Obtain management consensus with the process risk profile; and
Develop a risk based control and internal audit program for the selected
processes, functions or systems that focus on optimizing risk management.
Conduct Interviews – With your assistance, we will finalize a list of personnel
within each component of the audit area to be interviewed. We understand that
some areas and departments are more complex than others and may require
additional interviews and focus groups. Structured interviews will serve to provide
a greater understanding of the processes, organizational structure as well as
system support for BHB’s operations. In addition, we will gain an understanding
of key risks and controls.
Perform a Process Level Risk Assessment and Create an Audit Program – Using
industry knowledge and information gathered from BHB in the previous steps, the
team will identify the key risks and controls for each audit area and perform tests
of design effectiveness to evaluate the residual risk as Acceptable or
Unacceptable, using criteria agreed with by BHB Management. If the residual risk
is Acceptable, a test of the operating effectiveness of the related control will be
included in our audit program. If the residual risk is deemed Unacceptable, we
will develop recommendations to enhance the control(s). BHB Management will
define the terms “acceptable” and “unacceptable” prior to the start of each
internal audit.
Identify Preliminary Observations – We will meet with the relevant business
process owner(s) to present, and confirm the preliminary observations
developed, based upon our analysis of the data and information gathered. We
will also begin facilitating discussions regarding assessment recommendations.
Refine Observations – Using the information gathered during previous tasks, the
Project Team will refine the observations identified. In refining the observations,
the Project Team will map validated processes, policies, and procedures to
identify innovative improvements that will achieve improvement targets while
respecting any constraints stipulated by BHB’s business process owner(s).
Outline Policy and Operational Recommendations – As recommendations are
developed, the Project Team and BHB’s business process owner(s) may identify
a series of policy and operational changes required to help enable the adoption
of the new processes or procedures. In this context, “policies” refer to either
external regulation or internal policies that guide the day-to-day employee
decisions and behaviors.
Validate Recommendations – The Project Team will present recommendations to
BHB’s Administrators and other key management and staff for their feedback.
This validation exercise is essential to the effectiveness of this project. The
validation may be performed in several ways (e.g., presentation with a question
and answer session, process “walkthrough,” workshops, etc.).
Phase III: Reporting
For us, the hallmark of our approach is that our observations and
recommendations present no “surprises.” We will have discussed with
you issues and results more than once. Within the body of the report,
observations will be organized according to functional area. For each
observation, we will identify recommendations for improvement, and
measurable implementation goals. Our Action Plan will address
recommendations and short- and long-range plans and actions for
implementation of those recommendations. Each observation and
agreed-upon management action will be vetted with the relevant
process owner(s) prior to issuance of a final report. Our experience
shows that this transparency and communication increases the
likelihood that the recommendations will be implemented. Our report
will be agreed with management and a summary report presented to the
Board in a clear and concise manner. The final report will be reviewed
with BHB management prior to finalization.
KPMG’s Information Technology Audit Resources
RFP Request:
Details of information technology audit resources available.
Information Technology Qualifications
IT plays a critical role for BHB as it supports key operational processes. To be
effective, your internal audit service team should be structured to address the
role IT plays as a core element of the business processes. Our multi-disciplinary
team includes specialist IT auditors with both operational and consulting IT
backgrounds in IT operations management, systems development, project and
programme management, business continuity, disaster recovery, change
management and sourcing. We firmly believe that it is essential that our IT
auditors have an operational IT background to ensure that our IT related audits
add value to our clients.
David Ciera will lead the IT audit team and will ensure that there is continued
focus on the risks inherent in the technology systems used to support BHB’s
business objectives.
KPMG’s Distinct IT Audit Methodologies
KPMG has distinct IT audit methodologies, as summarized and explained below.
For each primary IT audit methodology, we have developed specific process
assessment programs and for each Enterprise Resource Planning (ERP)
platform. KPMG has specific proprietary control catalogs, and testing tools and
techniques.
David Ciera will lead the IT audit team which will focus on the risks inherent in
the technology systems used to support BHB’s business objectives. KPMG’s IT
Audit knowledge and experience will help BHB reduce and manage security
vulnerabilities and business continuity risks.
KPMG’s Specific IT Audit Methodologies and Services Can Help Address BHB’s Key IT Audit Issues
IT General Controls Assessments: Information Security Administration; Network Security; Computer Operations; Physical and Environmental Controls; Change Management; Program Development
IT Project Advisory: Ongoing quality assurance assessments of the project; Business Requirements Planning Assistance; Project Management Assistance; Program Management Office Assistance; Project Risk Assessment and Monitoring; Selection Assistance
IT Governance: Understanding IT Governance Context and Strategy; Assessing IT Governance Activities; Mapping Process Maturity; Recommending Process Improvements
Business System Controls: Pre-implementation review of the system; Post-implementation review of the system; Services for applications focused on risks associated with: Business Process Analysis, Data Management, Data Integrity Controls, Information Security
IT Security: Enterprise Security; Network Penetration Testing; Database Security Systems Monitoring and Intrusion Detection Capability; Application Security and Enterprise Identity Management
Business Continuity Management: Business Impact Analysis; Enterprise High Availability; Recovery site capability; Disaster Recovery Plans; Third-party service level compliance; Physical and Environmental Controls
Experienced at Executing Integrated Audits
Our confidence in being able to address your needs comes from our extensive
experience in providing internal audit services to many other large organizations.
KPMG offers BHB valuable ideas regarding best practices, improvements of key
internal controls, and information on the internal audit trends and practices being
implemented within leading companies.
KPMG integrates IT into its audit work by focusing on the business process to be
audited, as well as the technology supporting the process. We consider the
controls in place that manage these processes and mitigate the associated risks
– regardless of the nature of the control (manual or automated). Our approach is
depicted in the table below:
IT Support of Internal Audit
Joint Planning
Considering IT and business issues when planning the audit and considering risk
Collaborating on inherent risks within the environment
Determining the appropriate mix of resources needed to execute the testing
Collaborative Delivery
Developing one audit program, focused on the control objective, not testing technique
The actual level of IT focus within the audit program is driven by the nature of the audit
Giving management risk based control- and process focused audit reporting, not reporting on isolated IT or operational functions
Project Risk Management
Our methodology can assist BHB by assessing how effectively critical projects are managed, and how well project management processes are designed. The significant cost and potential impact make project management a critical competency within an organization. Focus areas include:
Quality Assurance
Enterprise Project Management Office
Project Risk Management Assessment
Outsource Planning and Risk Management
Information Technology Performance Improvement
Our assessments are designed to help corporate executives improve the business value for IT dollars invested, mitigate risk, and improve control over IT expenditures.
A Suite of Technology Tools that Effectively Helps Enable Your Internal
Audit Delivery
In keeping with our integrated approach to internal audit, KPMG has a suite of
innovative, secure, Web based tools that serve various functions within an
internal audit engagement. The adoption of a Web based platform helps enable
us to design our technology approach to meet your specific needs. Our
technology suite is specifically designed to:
Help enable our methodology to drive efficiency throughout the internal
audit
Provide knowledge at the right time, in the right place and in the right context
Help enable collaboration across both KPMG and BHB
KPMG Value
RFP Request:
Indicate the total fee for the engagement, including your firm’s billing rates and pricing strategy for such an engagement, as well as rates for ad hoc requests.
The value of working with KPMG
Value can be measured in many ways. We believe the real value derived is
through the depth of expertise and service commitment the team brings. We
wish to build a long-term relationship with BHB and will, at all times, strive to
deliver the greatest value for our professional fees.
We understand your operating environment – an environment which makes
the need to carefully review and support your service provider selections and
cost decisions even more important. As with our service approach, we are
open and transparent in our fees.
Investment in a long term relationship
As a demonstration of our long-term commitment to BHB, we have
constructed a fee matrix which we believe is both extremely competitive as
well as completely scalable and transparent.
Up-front investment
We will conduct the update of the risk assessment at NO FEE. This risk
assessment will involve senior members of the team meeting with BHB
management and the development of a risk assessment for communication
to both management and the board. We estimated the value of this upfront
investment to be approximately $50,000.
Transparent approach to fees
The table below sets out the scale rates for the levels of professionals
involved in the engagement. These represent a significant discount to our
standard rates.
Position Hourly Rate
Partner / Director $450
Senior Manager $325
Manager $250
Staff $180
The typical staffing mix for internal audit work will likely drive a blended rate
per hour of approximately $230-$250 per hour. This will include senior team
members debriefing with management, communicating to the Finance
Committee and developing recommendations for improvement.
Each internal audit will be scoped and a detailed budget prepared so that
you can clearly see how your budget is allocated by audit area. Based on our
knowledge of BHB and our experience we believe that we would be able to
drive significant value to the organization with this fee structure within a
budget allocation of $100,000.
Philosophy on fees
We do not want fees to be a barrier to our relationship and would be happy
to discuss further to deliver a value added service within your budget
allocation.
Ad-hoc requests
Fees for ad-hoc requests will be billed in accordance with the above scale rates. Depending on the nature of the request, the work may involve proportionately more or less senior time and therefore influence the effective rate per hour. We will discuss the scope and nature of work to be performed before beginning the engagement and be completely transparent with the fee structure.
KPMG’s Knowledge Leadership
RFP Request:
A description of how your firm would maintain current knowledge of hospital, risk and internal control issues, internal and external to the Bermuda Hospitals Board.
Knowledge Transfer and Development of BHB’s In-House Resources
We will devote significant time during the audit process to bring pragmatic
opportunities for improvement, best practice and benchmarking to you. We will
also keep the Finance Committee and management abreast of developments in
the areas of governance and internal audit through our Audit Committee Institute
and publications.
We will maintain our knowledge of BHB’s internal control issues and priorities by
working closely with the heads of each function. Prior to beginning an internal
audit we will meet with the head to thoroughly explain the process and
understand their concerns and issues. After completion of an internal audit we
will debrief the head and will work with him/her to implement improvements.
We will follow up to discuss post implementation progress.
BHB can choose to include some of its personnel in our internal audits. We will
give you the option to include them as part of our internal audit team so that they
can learn our approach and methodologies, develop their skill sets and provide
BHB with trained, in-house resources.
Board Education
The key value we bring is the experience of the engagement team which will be
working closely with you year round. The engagement team will be supported by
KPMG’s Global Healthcare practice which will ensure that the team is kept
abreast of the latest developments in the industry which are relevant to BHB.
Twice a year, Darren Skolnick or another member of KPMG’s Global Healthcare
practice will be available to discuss current trends and leading practices with you,
members of BHB management team and the Finance Committee. This time can
be used to focus on your priority areas or to provide Board education.
KPMG’s Audit Committee Institute (ACI)
Your Finance Committee members may be particularly interested in the
additional resources available from KPMG’s Audit Committee Institute (ACI).
Recognizing the importance of audit committees, KPMG has created the ACI to
serve and educate. Historically, committees have been largely on their own in
their efforts to keep pace with rapidly changing information related governance,
audit issues, accounting and financial reporting and legal issues. Wholly
sponsored by KPMG, the ACI provides guidance and is dedicated to sharpening
committees’ awareness of their evolving responsibilities and risks. Board
members can turn to the Institute at any time for help as a technical resource or
sounding board for current issues or to share knowledge.
The ACI has teamed up with associations focused on serving and educating
directors including the Conference Board, National Association of Corporate
Directors, and the Center for Board Leadership, Board Member and Directors
Round table. The ACI has made numerous presentations to other governance
and industry associations.
Drawing upon KPMG’s resources, the ACI offers committee members a support
mechanism which was previously unavailable. Our commitment to knowledge
transfer includes the comprehensive book, Sharing the Audit Committee Agenda,
which examines current issues in the business marketplace and addresses the
roles and responsibilities of audit committees. We also publish the quarterly
Audit Committee Update, which examines technical issues of concern to audit
committee members, including current developments in accounting and auditing.
Recently published articles include:
What is Driving Continuous Auditing and Continuous Monitoring Today?
The Evolving Role of the Internal Auditor, Value Creation and
Preservation from an Internal Audit Perspective
You can see the latest activities of the ACI at their web site:
http://www.kpmg.com/aci/home.html
KPMG Healthcare and Pharmaceuticals Institute (KHPI)
You may find the KHPI can assist you in identifying and understanding emerging
trends, risks and opportunities in healthcare. KHPI does this by creating an open
forum where peers can exchange insights, share leading practices, and access
the latest thought leadership. As a result, corporate executives, business
managers, industry leaders, government officials, academics, and others have
access to the thought leadership and knowledge they can use to make better
informed decisions and meet the challenges of the healthcare and
pharmaceuticals market.
Recently published healthcare articles include:
Centralization of Healthcare Functions: A Key to Reducing Costs and
Improving Efficiency
Improving the Performance of Healthcare Construction: A Systematic
Approach
Assessment of Key Risks for Hospitals and Healthcare Systems –
Spring 2010
The Path to Value: Enhancing the Relevance, Reliability, and
Transparency of Reporting in the Healthcare Industry
You can visit the KPMG Healthcare and Pharmaceuticals Institute at:
http://www.kpmginstitutes.com/healthcare-pharma-institute/
KPMG’s Independence
RFP Request:
Details of any conflicts of interest.
Independence
We confirm that we are independent of BHB and we are not aware of any
conflicts of interest with BHB.
Conflicts of Interest Policy
KPMG uses comprehensive procedures and a suite of technology tools to help
ensure that the firm and applicable personnel are independent of the firm’s audit
clients. In addition, the firm provides mandatory annual independence training for
all professionals and holds them personally accountable for their independence.
Our independence procedures meet or exceed standards set by the SEC and all
other applicable regulatory bodies.
KPMG has acted as an advisor to BHB during the Public Private Partnership.
KPMG is the external audit director for Atlantic Medical International. Neither of
these engagements represents a conflict of interest.
KPMG’s Sample Internal Audit Plan
RFP Request:
A sample of a representative internal audit plan.
Appendices
A. Engagement Team Resumes
B. Sample Reports
C. KPMG Standard Terms and Conditions
Appendix A: Engagement Team Resumes
Appendix B: Sample Reports
Appendix C: KPMG Standard Terms and Conditions
KPMG Standard Terms and Conditions
1. Services; Client Responsibilities. (a) It is understood and agreed that KPMG’s services may include advice and recommendations; but all decisions in connection with the implementation of such advice and recommendations shall be the responsibility of, and made by, Client. KPMG will not perform management functions or make management decisions for Client. References herein to Client shall refer to the addressee of the Proposal or Engagement Letter to which these Standard Terms and Conditions are attached (the “Engagement Letter”).
(b) In connection with KPMG’s provision of services under the Engagement Letter, Client agrees that Client, and not KPMG, shall perform the following functions: (i) make all management decisions and perform all management functions; (ii) designate an individual who possesses suitable skill, knowledge and experience, preferably within senior management, to oversee such services, and to evaluate the adequacy and results of such services; (iii) accept responsibility for the results of such services; and (iv) establish and maintain internal controls over the processes with which such services are concerned, including monitoring on-going activities.
(c) Subsequent to the completion of this engagement, KPMG will not update its advice, recommendations or work product for changes or modifications to the law and regulations, or to the judicial and administrative interpretations thereof, or for subsequent events or transactions, unless Client separately engages KPMG to do so in writing after such changes or modifications, interpretations, events or transactions.
2. Payment of Invoices and Tax on Services. Client agrees to pay properly submitted invoices within thirty (30) days of the invoice date, or such other due date as may be indicated in the Engagement Letter. KPMG shall have the right to halt or terminate entirely its services under the Engagement Letter until payment is received on past due invoices. All fees, charges and other amounts payable to KPMG under the Engagement Letter do not include any sales, use, excise, value added or other applicable taxes, tariffs or duties, payment of which shall be Client’s sole responsibility.
3. Term. The terms of the Engagement Letter shall apply to all work carried out by KPMG which occurs prior to our receipt of the signed Engagement Letter, which is in connection with the services covered herein, and which is not otherwise covered by a previous client agreement. Unless terminated sooner in accordance with its terms, the engagement shall terminate on the completion of KPMG’s services under the Engagement Letter. In addition, either party may terminate the Engagement Letter at any time by giving written notice to the other party not less than 30 calendar days before the effective date of termination. In the event of such notification, Client agrees to pay KPMG for time charges at standard hourly rates and expenses incurred to the date of notification to the extent the amount so computed exceeds payments previously made by Client for the engagement.
4. Ownership and Use of Deliverables. (a) KPMG has created, acquired, owns or otherwise has rights in, and may, in connection with the performance of services under the Engagement Letter, use, provide, modify, create, acquire or otherwise obtain rights in, concepts, ideas, methods, methodologies, procedures, processes, know-how, techniques, models, templates and software (collectively, the “KPMG Property”). KPMG retains all ownership and use rights in the KPMG Property. Client shall acquire no rights or interest in the KPMG Property, except as expressly provided in the next paragraph. In addition, KPMG shall be free to provide services of any kind to any other party as KPMG deems appropriate, and may use the KPMG Property to do so. KPMG acknowledges that KPMG Property shall not include any of Client’s confidential information or tangible or intangible property, and KPMG shall have no ownership rights in such property.
(b) Except for KPMG Property, and upon full and final payment to KPMG under the Engagement Letter, the tangible items specified as deliverables or work product in the Engagement Letter including any intellectual property rights appurtenant thereto (the “Deliverables”) will become the property of Client. If any KPMG Property is contained in any of the Deliverables, KPMG hereby grants Client a royalty-free, paid-up, non-exclusive, perpetual license to use such KPMG Property in connection with Client’s use of the Deliverables.
(c) Client acknowledges and agrees that any advice, recommendations, information or work product provided to Client by KPMG in connection with this engagement is for the sole use of Client and may not be relied upon by any third party. Client agrees that if it makes such advice, recommendations, information or work product available to any third party other than as expressly permitted by the Engagement Letter the provisions of Paragraph 8(b) shall apply unless Client provides the written notice to the third party in substantially the form of Appendix A hereto (the “Notice”), which Notice shall be acknowledged in writing by such third party and returned to Client. Upon request, Client shall provide KPMG with a copy of the foregoing Notice and acknowledgement and any notice and acknowledgement sent to Client by such third party as contemplated by the Notice. Notwithstanding the foregoing, (i) in the event of a disclosure made by Client that is required by law, that is made to a regulatory authority having jurisdiction over Client, no acknowledgement of the Notice shall be required and (ii) no Notice or acknowledgement shall be required with respect to disclosures expressly authorized by the Engagement Letter.
5. Warranties. KPMG’s services under the Engagement Letter are subject to and will be performed in accordance with American Institute of Certified Public Accountants (“AICPA”) and/or other professional standards applicable to the services provided by KPMG under the Engagement Letter and in accordance with the terms thereof. KPMG disclaims all other warranties, either express or implied.
6. Limitation on Damages. Except for each party’s indemnification obligations herein, neither Client nor KPMG shall be liable to the other for any actions, damages, claims, liabilities, costs, expenses or losses in any way arising out of or relating to the services performed under the Engagement Letter for an aggregate amount in excess of three times the amount of professional fees paid or owing to KPMG under the Engagement Letter. In no event shall either party be liable for consequential, special, indirect, incidental, punitive or exemplary damages, costs, expenses, or losses (including, without limitation, lost profits and opportunity costs). The provisions of this Paragraph shall apply regardless of the form of action, damage, claim, liability, cost, expense, or loss, whether in contract, statute, tort or otherwise.
In the event of any dispute or claim arising from the provision of services, any action for damages or otherwise shall only be taken against KPMG and not against an employee (irrespective of whether that employee was acting under a labor contract or representing the Client).
7. Infringement. (a) KPMG hereby agrees to indemnify, hold harmless and defend Client from and against any and all claims, liabilities, losses, expenses (including reasonable attorneys’ fees), fines, penalties, taxes or damages (collectively "Liabilities") asserted by a third party against Client to the extent such Liabilities result from the infringement by the Deliverables (including any KPMG Property contained therein) of such third party's patents issued as of the date of the Engagement Letter, trade secrets, trademarks or copyrights. The preceding indemnification shall not apply to any infringement arising out of (i) use of the Deliverables other than in accordance with applicable documentation or instructions supplied by KPMG or other than in accordance with Paragraph 4(c); (ii) any alteration, modification or revision of the Deliverables not expressly agreed to in writing by KPMG; or (iii) the combination of the Deliverables with materials not supplied or approved by KPMG. (b) In case any of the Deliverables (including any KPMG Property contained therein) or any portion thereof is held, or in KPMG’s reasonable opinion is likely to be held, to constitute infringement, KPMG may, within a reasonable time, at its option either: (i) secure for Client the right to continue the use of such infringing item; or (ii) replace, at KPMG’s sole expense, such item with a substantially equivalent non-infringing item or modify such item so that it becomes non-infringing. In the event KPMG is, in its reasonable discretion, unable to perform either of options described in (i) or (ii) above, Client shall return the Deliverable to KPMG, and KPMG’s sole liability shall be to refund to Client the amount paid to KPMG for such item; provided that the foregoing shall not be construed to limit KPMG’s indemnification obligation set forth in Paragraph 7(a) above. 
(c) The provisions of this Paragraph 7 state KPMG’s entire liability and Client’s sole and exclusive remedy with respect to any infringement or claim of infringement.
8. Indemnification. (a) Each party agrees to indemnify, hold harmless and defend the other from and against any and all Liabilities for physical injury to, or illness or death of, any person regardless of status, and damage to or destruction of any tangible property, which the other party may sustain or incur, to the extent such Liabilities result from the negligence or willful misconduct of the indemnifying party.
(b) In accordance with Paragraph 4(c) Client agrees to indemnify, defend and hold harmless KPMG from and against any and all Liabilities incurred or suffered by or asserted against KPMG in connection with a third party claim to the extent resulting from such party’s use or possession of or reliance upon KPMG’s advice, recommendations, information or work product as a result of Client’s disclosure of such advice, recommendations, information or work product without adhering to the notice requirements of Paragraph 4(c) above.
(c) The party entitled to indemnification (the “Indemnified Party”) shall promptly notify the party obligated to provide such indemnification (the “Indemnifying Party”) of any claim for which the Indemnified Party seeks indemnification. The Indemnifying Party shall have the right to conduct the defense or settlement of any such claim at the Indemnifying Party's sole expense, and the Indemnified Party shall cooperate with the Indemnifying Party. The party not conducting the defense shall nonetheless have the right to participate in such defense at its own expense. The Indemnified Party shall have the right to approve the settlement of any claim that imposes any liability or obligation other than the payment of money damages.
9. Cooperation; Use of Information. (a) Client agrees to cooperate with KPMG in the performance of the services under the Engagement Letter and shall provide or arrange to provide KPMG with timely access to and use of the personnel, facilities, equipment, data and information to the extent necessary for KPMG to perform the services under the Engagement Letter. The Engagement Letter may set forth additional obligations of Client in connection with this engagement. Client acknowledges that Client's failure to perform these obligations could adversely affect KPMG’s ability to provide the services under the Engagement Letter.
Client acknowledges and agrees that KPMG will, in performing the services under the Engagement Letter, base its conclusions on the facts and assumptions that Client furnishes and that KPMG may use data, material, and other information furnished by or at the request or direction of Client without any independent investigation or verification and that KPMG shall be entitled to rely upon the accuracy and completeness of such data, material and other information. Inaccuracy or incompleteness of such data, material and other information furnished to KPMG could have a material effect on KPMG’s conclusions.
Any oral advice or draft reports which we might provide (including those given in meetings and presentations and by telephone and video link) shall not constitute our definitive opinion or conclusion as such opinion or conclusion shall only be communicated via final advice in writing. Where the Client wishes to rely on the advice provided, the Client shall inform KPMG and KPMG shall supply written confirmation of the relevant advice. In case of any claim, allegation or investigation by Authorities or any other third party resulting or arising from or relating to the provision of services, you shall inform KPMG thereof and afford all opportunity for our services and the written result thereof to be adequately defended.
10. Independent Contractor. It is understood and agreed that each of the parties hereto is an independent contractor and that neither party is or shall be considered an agent, distributor or representative of the other. Neither party shall act or represent itself, directly or by implication, as an agent of the other or in any manner assume or create any obligation on behalf of, or in the name of, the other.
11. Confidentiality. (a) “Confidential Information” means all documents, software, reports, data, records, forms and other materials obtained by one party (the “Receiving Party”) from the other party (the “Disclosing Party”) or at the request or direction of the Disclosing Party in the course of performing the services under the Engagement Letter: (i) that have been marked as confidential; (ii) whose confidential nature has been made known by the Disclosing Party to the Receiving Party; or (iii) that due to their character and nature, a reasonable person under like circumstances would treat as confidential. Notwithstanding the foregoing, Confidential Information does not include information which: (i) is already known to the Receiving Party at the time of disclosure by the Disclosing Party; (ii) is or becomes publicly known through no wrongful act of the Receiving Party; (iii) is independently developed by the Receiving Party without benefit of the Disclosing Party’s Confidential Information; (iv) the Receiving Party determines is required to be maintained or disclosed by the Receiving Party under any provisions of the laws of Bermuda or other jurisdiction or (v) is received by the Receiving Party from a third party without restriction and without a breach of an obligation of confidentiality. (b) The Receiving Party will deliver to the Disclosing Party all Confidential Information of the Disclosing Party and all copies thereof when the Disclosing Party requests the same, except for one copy thereof that the Receiving Party may retain for its records. 
The Receiving Party shall not use or disclose to any person, firm or entity any Confidential Information of the Disclosing Party without the Disclosing Party’s express, prior written permission; provided, however, that notwithstanding the foregoing, the Receiving Party may disclose Confidential Information to the extent that it is required to be disclosed pursuant to a statutory or regulatory provision or court order or to fulfill professional obligations and standards.
(c) Each party shall be deemed to have met its nondisclosure obligations under this Paragraph 11 as long as it exercises the same level of care to protect the other’s information as it exercises to protect its own confidential information but in no event less than reasonable care, except to the extent that applicable law or professional standards impose a higher requirement.
(d) If the Receiving Party receives a subpoena or other validly issued administrative or judicial demand requiring it to disclose the Disclosing Party’s Confidential Information, the Receiving Party shall provide prompt written notice to the Disclosing Party of such demand in order to permit it to seek a protective order. So long as the Receiving Party gives notice as provided herein, the Receiving Party shall be entitled to comply with such demand to the extent permitted by law, subject to any protective order or the like that may have been entered in the matter. (e) It may be necessary to disclose Confidential Information as necessary to perform normal review processes, such as second partner review or a quality review program performed on behalf of KPMG International and/or the KPMG member firms' regional KPMG governing body or as required by other laws, professional rights or duties.
12. Assignment; Use of Member Firms. Neither party may assign, transfer or delegate any of its rights or obligations without the prior written consent of the other party, such consent not to be unreasonably withheld. Notwithstanding the foregoing, to the extent any of the services under the Engagement Letter will be performed in or relate to a jurisdiction outside of Bermuda, Client acknowledges and agrees that such services may be performed by the member firm of KPMG International practicing in such jurisdiction. Accordingly, Client consents to KPMG’s disclosure to a member firm and such member firm’s use of data and information received from or at the request or direction of Client for the purpose of completing the services under the Engagement Letter.
13. Governing Law; Severability. The Engagement Letter and these Standard Terms and Conditions shall be governed by and construed in accordance with the laws of Bermuda and it is agreed that the courts of Bermuda shall have final jurisdiction to settle any disputes which may arise out of, or in connection with, our engagement in accordance with the terms of this letter. In the event that any term or provision of the Engagement Letter or these terms shall be held to be invalid, void or unenforceable, then the remainder of the Engagement Letter and these terms shall not be affected, and each such term and provision shall be valid and enforceable to the fullest extent permitted by law.
14. Alternative Dispute Resolution.
Any dispute or claim arising out of or relating to the Engagement Letter between the parties, the services provided thereunder, or any other services provided by or on behalf of KPMG or any of its subcontractors or agents to Client or at its request (including any dispute or claim involving any person or entity for whose benefit the services in question are or were provided) shall be resolved in accordance with the dispute resolution procedures set forth below which constitute the sole methodologies for the resolution of all such disputes. By operation of this provision, the parties agree to forego litigation over such disputes in any court of competent jurisdiction. Mediation, if selected, may take place at a place to be designated by the parties. Arbitration shall take place in Bermuda. Either party may seek to enforce any written agreement reached by the parties during mediation, or to confirm and enforce any final award entered in arbitration, in any court of competent jurisdiction.
Notwithstanding the agreement to such procedures, either party may seek injunctive relief to enforce its rights with respect to the use or protection of (i) its confidential or proprietary information or material or (ii) its names, trademarks, service marks or logos, solely in the courts of Bermuda. The parties consent to the personal jurisdiction thereof and to sole venue therein only for such purposes.
The following procedures are the sole methodologies to be used to resolve any controversy or claim (“dispute”). If any of these provisions are determined to be invalid or unenforceable, the remaining provisions shall remain in effect and binding on the parties to the fullest extent permitted by law.
Mediation
Any party may request mediation of a dispute by providing a written Request for Mediation to the other party or parties. The mediator, as well as the time and place of the mediation, shall be selected by agreement of the parties. If the parties cannot agree on a mediator, a mediator shall be designated by the Appointments Committee of the Chartered Institute of Arbitrators Bermuda Branch or Bermuda Mediation and Arbitration Association at the request of a party. Any mediator so designated must be acceptable to all parties. The parties agree to discuss their differences in good faith and to attempt, with facilitation by the mediator, to reach a consensual resolution of the dispute. The mediation shall be treated as a settlement discussion and shall be confidential. The mediator may not testify for any party in any later proceeding related to the dispute. No recording or transcript shall be made of the mediation proceeding. Each party shall bear its own costs in the mediation. Absent an agreement to the contrary, the fees and expenses of the mediator shall be shared equally by the parties.
Arbitration
Arbitration shall be used to settle the following disputes: (1) any dispute not resolved by mediation 90 days after the issuance by one of the parties of a written Request for Mediation (or, if the parties have agreed to enter or extend the mediation, for such longer period as the parties may agree) or (2) any dispute in which a party declares, no more than 30 days after receipt of a written Request for Mediation, mediation to be inappropriate to resolve that dispute and initiates a Request for Arbitration. Once commenced, the arbitration will be conducted either (1) in accordance with the procedures in this Engagement Letter and the relevant Bermuda laws as in effect on the date of this Engagement Letter, or (2) in accordance with other rules and procedures as the parties may designate by mutual agreement. In the event of a conflict, the provisions of this document will control.
The arbitration will be conducted before a panel of three arbitrators, one arbitrator to be selected by each party, and those two arbitrators to select the third arbitrator, provided, however, that in the case of a dispute involving a claim for less than $100,000, a sole arbitrator shall be agreed by the parties and, in the event that there is no such agreement after 30 days of the Request for Arbitration, the sole arbitrator shall be appointed by the Appointments Committee of the Chartered Institute of Arbitrators Bermuda Branch. Any issue concerning the extent to which any dispute is subject to arbitration, or concerning the applicability, interpretation, or enforceability of these procedures, including any contention that all or part of these procedures are invalid or unenforceable, shall be governed by the Bermuda International Conciliation and Arbitration Act 1993 and resolved by the arbitrators. No potential arbitrator shall be appointed unless he or she has agreed in writing to abide and be bound by these procedures.
The arbitration panel shall issue its final award in writing. The panel shall have no power to award non-monetary or equitable relief of any sort. Damages that are inconsistent with any applicable agreement between the parties, that are punitive in nature, or that are not measured by the prevailing party’s actual damages, shall be unavailable in arbitration or any other forum. In no event, even if any other portion of these provisions is held to be invalid or unenforceable, shall the arbitration panel have power to make an award or impose a remedy that could not be made or imposed by a court deciding the matter in the same jurisdiction.
Discovery shall be permitted in connection with the arbitration only to the extent, if any, expressly authorized by the arbitration panel upon a showing of substantial need by the party seeking discovery.
All aspects of the arbitration shall be treated as confidential. The award reached as a result of the arbitration will be binding on the parties, and confirmation of the arbitration award may be sought in any competent court having jurisdiction.
The seat of the arbitration is Bermuda and the venue shall be Bermuda save that the panel may choose to hold hearings at any place for the convenience of the parties and/or the panel.
15. Data Privacy. Where necessary to enable us to deliver the services under this letter, for such purposes, we shall have your authority to process personal data on your behalf in accordance with this clause. We shall otherwise act on your instructions when processing your personal data, save as required by law or the order of a competent court or tribunal. When we do so, we shall take appropriate technical and organisational measures designed to protect against unauthorised or unlawful processing of personal data and against accidental loss, destruction of, alteration of, or damage to, personal data. We shall not sub-contract our processing of personal data (save that we may subcontract and, in doing so, transfer personal data, to KPMG Persons or third parties who are bound by appropriate confidentiality and security obligations) without your prior written consent. We shall answer your reasonable enquiries to enable you to monitor our compliance with this clause. In making personal data available to us, you confirm that you have complied with applicable laws. In this clause, personal data means any information relating to an individual. Information about contacts we have at your organisation may be used by KPMG Persons to provide our services to you and to occasionally provide marketing communications, which we believe may be of interest. Any person who does not wish to receive this information can at any time request that such communications cease by emailing us at [email protected].
16. Miscellaneous. (a) Except as otherwise set forth in the Engagement Letter, in accepting this engagement, Client acknowledges that completion of this engagement or acceptance of deliverables resulting from this engagement will not constitute a basis for Client’s assessment or evaluation of internal control over financial reporting and disclosure controls and procedures, or its compliance with its principal officer certification requirements under Section 302 of the Sarbanes-Oxley Act of 2002 (the “Act”). The services under the Engagement Letter shall not be construed to support Client’s responsibilities under Section 404 of the Act requiring each annual report filed under Section 13(a) or 15(d) of the Securities Exchange Act of 1934 to contain an internal control report from management.
(b) KPMG may communicate with Client by electronic mail or otherwise transmit documents in electronic form during the course of this engagement. Client accepts the inherent risks of these forms of communication (including the security risks of interception of or unauthorized access to such communications, the risks of corruption of such communications and the risks of viruses or other harmful devices) and agrees that it may rely only upon a final hardcopy version of a document or other communication that KPMG transmits to Client unless no such hard copy is transmitted by KPMG to Client. (c) Where KPMG is reimbursed for expenses, it is KPMG's policy to bill clients the amount incurred at the time the good or service is purchased. If KPMG subsequently receives a volume rebate or other incentive payment from a vendor relating to such expenses, KPMG does not credit such payment to Client. Instead, KPMG applies such payments to reduce its overhead costs, which costs are taken into account in determining KPMG's standard billing rates and certain transaction charges that may be charged to clients. (d) Except as permitted by law or the terms of the Engagement Letter, neither party shall acquire hereunder any right to use the name or logo of the other party or any part thereof. Any such use shall require the express written consent of the owner party.
17. Force Majeure. Neither Client nor KPMG shall be liable for any delays resulting from circumstances or causes beyond its reasonable control, including, without limitation, fire or other casualty, act of God, strike or labor dispute, war or other violence, or any law, order or requirement of any governmental agency or authority.
18. Limitation on Actions. No action, regardless of form, arising out of or relating to this engagement, may be brought by either party more than one year after the cause of action has accrued, except that an action for non-payment may be brought by a party not later than one year following the date the last payment was due to such party under the Engagement Letter.
19. Survival. The provisions of Paragraphs 1, 2, 4, 6, 7, 8, 9, 11, 12, 13, 14, 15, 18 and 20 hereof shall survive the expiration or termination of this engagement.
20. Entire Agreement. The Engagement Letter and these Standard Terms and Conditions, including the Exhibits and Appendices hereto and thereto, constitute the entire agreement between KPMG and Client with respect to the services under the Engagement Letter and supersede all other oral and written representation, understandings or agreements relating thereto. Any variation of the terms of this letter shall be made in writing and will not be effective unless signed by a partner of KPMG and by a duly authorized representative of Client.