Audit and Risk Outlook for 2023: A Conversation with KPMG on ESG, Efficiency, and More

Building effective ESG governance and internal controls
Grant Ostler
Industry Principal
Published: January 31, 2023
Last Updated: September 15, 2023

There’s no denying that this past year has brought new challenges. Between increasing investor demands, market volatility, and expanding regulations—especially around ESG—there is a slew of new risks to consider.

And given that expectations were already increasing for audit and risk teams, figuring out how to manage ESG risk on top of everything else may feel a bit overwhelming.

When it comes to new risks like ESG, sometimes the hardest part is knowing where to start. That’s why I sat down with Sue King, Partner at KPMG LLP, to get insight into what organizations can do now to stay ahead of ESG and other emerging risks. During our conversation, we discussed how to create robust internal controls and governance for ESG, bring key teams together to build effective ESG programs, and increase internal control over financial reporting (ICFR) efficiency.

Here are a few highlights from our conversation. Keep reading to learn more!

With the Corporate Sustainability Reporting Directive (CSRD), which will impact not only companies in the European Union but also organizations with subsidiaries in the region, and the SEC’s pending climate and cyber disclosure rules, there’s no denying that ESG reporting is here to stay. And that means ESG data will be under the microscope like never before (to leverage SOX terms, the data needs to be complete and accurate).

To some extent, many organizations already disclose ESG-type data in the 10-K, a press release, or a CSR report. To ensure the completeness and accuracy of this data (and any additional data that companies may need to disclose in the future), Sue said now is the time to build appropriate internal controls.

It's never too soon to start. While we don't know exactly when the SEC will finalize the climate and cyber rules, companies really need to start thinking about having the right robust ESG controls in place.

Sue King
Partner, KPMG LLP

And as organizations start to think about how to build a solid foundation for ESG controls, they also need to consider the critical collaboration it will take—how will internal audit, accounting and finance, ESG and sustainability, legal, investor relations, and more come together to deliver investor-grade ESG reporting? ESG reporting truly takes a village, and having the appropriate governance around your program is just as important as having the right controls embedded throughout your processes.

“One of the biggest things to really think about is the governance around ESG reporting,” Sue said. “Given we have environmental, social, and governance—we already have a G in there—but I'm talking about building program governance around ESG. How do we start defining policies? What will our process look like to set targets or decide what commitments we’ll make externally?”

“As new rules or regulations come out, you’ll have a team to go to, and you can start making decisions and driving action,” Sue said, “as well as having one central point to make decisions on standard policies, definitions, process, and systems in order to standardize and streamline the reporting.”

The good news is that many of us have been here before when we formalized internal control processes around financial reporting in response to section 404 of the Sarbanes-Oxley Act (SOX) 21 years ago, and there are many lessons we’ve learned that can be applied to ESG.

The biggest lesson? Standardize, standardize, standardize! Instead of immediately diving into documenting, remediating, and testing, Sue said it’s critical to standardize first. While many of us jumped right into documenting processes in response to SOX, there’s a lot your team can benefit from when you take a step back to standardize ESG processes first. Then, look to automate as much as possible.

“Let's make sure that we stop and spend the time standardizing the processes across geographies, across teams, across systems so that we can really drive better automation and efficiency around the reporting process,” Sue said.

With ESG, you can start to standardize various data inputs to help with data collection and assurance. Take carbon emissions for example. If your organization only reimburses travel when booked through a designated travel company, that will help facilitate and streamline data capture from all airlines.

If tackling ESG feels daunting, it will get better—remember that SOX was new and unfamiliar to us in the beginning! Plus, you don’t have to go on the journey alone. There are trusted advisors that can help and technology available that can connect data across your finance, audit and risk, ESG, and legal teams, allowing all stakeholders to collaborate and work from a single source of truth.

Increasing efficiency, especially in ICFR programs, is top of mind for many audit and risk leaders. A lot of teams find themselves bogged down with manual, repetitive tasks that get in the way of doing more strategic, value-added work. 

When it comes to driving efficiency, automation is one surefire way to make an immediate impact. Before looking into new tools, Sue suggests optimizing within your current tools and systems, whether an ERP or GRC platform. She said many organizations haven’t taken full advantage of the automation capabilities within these types of systems, making it the best place to start.

“Now is the time to say, ‘How do we truly start using all of those tools to their full advantage?’ to make sure we've really transformed the first line,” Sue said. “Ultimately, the more efficiency you can drive into the first line, that then flows through the second and third lines.”

Another point Sue emphasized about efficiency: building the right culture. And it comes down to accountability, she said.

“It’s really important to get everyone bought in—that it's everybody's responsibility, not just the SOX director or the ESG director. I think focusing on your culture can be really beneficial from an efficiency perspective.”

Sue and I discussed these topics in even more detail during the "Hot Topics in Risk and Compliance: ESG and Navigating Economic Headwinds", which you can watch on demand here! For key takeaways and tips on these topics, download our white paper "5 Tips to Stay Ahead of Risk".



Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.

The KPMG name and logo are trademarks used under license by the independent member firms of the KPMG global organization.

About the Author
Grant Ostler

Industry Principal

Grant Ostler, Industry Principal at Workiva, has more than 30 years of finance and operations experience, primarily in internal audit, enterprise risk management, and process improvement. Ostler served as the chief audit executive over almost two decades for entities ranging from Fortune 500 companies to a pre-IPO technology company, including building internal audit programs from scratch and leading the implementation of SOX 404 compliance programs for three companies. He is an active member of the Twin Cities Chapter of the IIA where he’s held numerous leadership positions, including Chapter President, over the past 20-plus years.
