Identity & Security Consulting · Amstelveen, Netherlands

KPMG Review 2026 — Identity & Security Consulting

4.1 / 5.0 from 1,950 verified buyer references

Founded: 1987 (current form)
Headquarters: Amstelveen, Netherlands
Employees: ~273,000 (FY2024)
Regions Served: 143 countries
Industries: Financial services, public sector, energy
Typical Engagement: $400K–$35M+ programmes

Overview

KPMG is one of the Big Four professional services networks, formed in its current global structure in 1987 through the merger of Peat Marwick International and Klynveld Main Goerdeler. The network reported US$38.4 billion in aggregate revenue for FY2024 across approximately 273,000 employees in 143 countries, operated as KPMG International Limited with member firms in each major market. Bill Thomas serves as Global Chairman and CEO. Cyber and identity work sits within the Advisory practice and is anchored by KPMG US, KPMG UK, KPMG Germany, KPMG Australia, and KPMG India.

Within identity and security consulting, KPMG runs a mature Big Four practice with particular strength in identity governance, segregation-of-duties (SoD) analytics, and audit-grade access controls testing. The firm holds top-tier partner status with SailPoint, SAP, Microsoft, Okta, Saviynt, and CyberArk, and operates a proprietary IGA accelerator built on SailPoint and SAP Identity Access Governance. Cyber and identity work is heavily concentrated in financial services, energy, public sector, and life sciences. KPMG also runs a meaningful incident response practice through KPMG Cyber Defence Services.

KPMG is typically a fit for regulated buyers running SAP-anchored landscapes or for organisations that need identity work paired with internal audit, SoD remediation, or controls modernisation. The firm is rarely the lowest priced option, and its cyber bench is the smallest of the Big Four in absolute terms. Smaller single-platform IGA deployments under US$1 million are usually better served by Optiv, SailPoint Professional Services, or a regional specialist.

Services Offered

Typical Engagement

Engagement Type | Model | Typical Range
IAM strategy and target state design | Fixed-fee project | $200K–$900K (6–12 weeks)
IGA or PAM implementation | Fixed-fee or T&M | $1.5M–$8M (8–16 months)
Enterprise identity transformation | Multi-year outcome contract | $8M–$35M+ (24–42 months)
Managed identity services | Monthly retainer | $60K–$700K per month
Staff augmentation (Certified IAM) | Hourly bill rate | $165–$315/hour blended

Pricing ranges verified May 2026 from public procurement records, identity vendor channel benchmarks, and reference checks. KPMG Delivery Network centres in India, Hungary, and Poland lower blended rates by 20–35%.

Strengths

  • Top-tier IGA bench with proprietary segregation-of-duties (SoD) analytics across SailPoint, Saviynt, and SAP IAG
  • Deep SAP-anchored identity capability — preferred Big Four for SAP IAG and GRC Access Control
  • Audit-aligned controls testing methodology for SOX, SOC2, ISO 27001, and DORA
  • Strong delivery footprint in continental Europe, particularly Germany, Netherlands, and the Nordics
  • KPMG Delivery Network centres in India, Hungary, and Poland deliver competitive blended rates
  • Mature managed identity capability for SAP-heavy enterprises with cross-application access certifications

Limitations

  • Smallest cyber bench among the Big Four in absolute terms, particularly outside Europe
  • Audit-client independence rules restrict the addressable buyer base in the US to non-audit clients only
  • Premium pricing — partner rates frequently exceed US$375/hour onshore
  • Methodology-heavy delivery can slow product-led IGA work compared with specialist firms
  • Recent US public-cloud licence-fee settlement and KPMG UK partnership restructuring have created episodic senior consultant turnover

Regions Served

Alternatives

  • Larger Big Four cyber practice, deeper non-SAP industry coverage (4.2)
  • Big Four peer, stronger in financial services audit territory (4.1)
  • Big Four peer, deeper coverage in energy and life sciences cyber (4.1)
  • Specialist alternative, 15–25% lower pricing, vendor-agnostic (4.3)
  • Largest non-Big-Four practice, deeper systems integration capability (4.2)


Frequently Asked Questions

What is KPMG's typical identity project size?
KPMG rarely accepts identity engagements below US$400,000 in total contract value. Most IAM strategy and target-state projects land between US$200,000 and US$900,000 over six to twelve weeks. SailPoint, Saviynt, SAP IAG, or CyberArk implementations typically run US$1.5 million to US$8 million over eight to sixteen months. Enterprise identity transformation programmes combining IGA, PAM, and SoD remediation span US$8 million to US$35 million or more over 24 to 42 months and often involve blended onshore and KPMG Delivery Network resources.

How does KPMG price managed identity services?
KPMG prices managed identity services on monthly retainers typically between US$60,000 and US$700,000 per month, scaled to platform scope, identity population, and SLA targets. Most retainers cover Level 2 and Level 3 platform administration, scheduled access certifications, SoD ruleset maintenance, and a defined hours pool for connector and workflow enhancements. KPMG Delivery Network centres in Bangalore, Budapest, and Krakow are used for most run-state operations.

How does KPMG compare to Deloitte for identity?
Deloitte has a larger overall cyber bench and broader industry coverage. KPMG has comparable depth on identity governance, particularly for SAP-anchored environments, and is the preferred Big Four for SAP Identity Access Governance and GRC Access Control programmes. KPMG pricing is broadly comparable to Deloitte but generally lower than PwC and Accenture for SoD analytics and audit-aligned IGA work. KPMG tends to win more often when SAP access risk drives the engagement.

Which industries does KPMG specialise in for identity?
KPMG has the deepest Big Four identity assets for SAP-anchored manufacturers, energy and utilities, financial services, and public sector. The firm maintains pre-built process accelerators for SOX, DORA, NIS2, NIST 800-53, FERC and NERC CIP, and ISO 27001. KPMG Government Institute serves the US public sector with cleared personnel. The firm is comparatively lighter in retail and consumer goods than Deloitte and Accenture for identity work.

Can KPMG deliver onshore-only identity programmes?
Yes. KPMG maintains onshore identity capacity in the United States, United Kingdom, Germany, Netherlands, Switzerland, Canada, and Australia, with cleared US federal personnel for public sector engagements. Onshore-only delivery runs roughly two to three times higher than blended pyramids that use the KPMG Delivery Network. Senior architect capacity is constrained for complex SailPoint, Saviynt, and SAP IAG programmes, with staffing lead times of 60 to 90 days.

Last updated: May 2026