
What SOX Can Teach Us About ESG

Delivering ESG Results
Connecting SOX to ESG
7 min read
Grant Ostler
Industry Principal
Published: February 28, 2022
Last Updated: November 7, 2023

At first glance, tackling ESG can seem like a daunting task. There are new measurements, policies, and processes, and the huge task of embedding ESG goals into the day-to-day operations. 

I sat down with Sue King, partner at KPMG, to get some advice on the best way to start the ESG reporting process (and how to calm down without needing to breathe into a paper bag).

We talked about SPAC and IPO transactions, 20 years of SOX, and lessons learned from SOX that we can apply to ESG. Here are a few highlights from the conversation.

2021 was an incredibly active year for companies moving from private to public, including a surge in SPAC mergers. 

When it comes to developing effective internal controls for financial reporting, CFOs, controllers, and other company leaders preparing for that transition need to keep two main elements in mind: culture and standardization. 

The first element, culture, is about ensuring that everybody is aware of and understands all of the changes coming. Employees at every level need to understand what the risks are and how the controls relate to them so they can commit to the changes, and there needs to be a clear governance structure that enables an effective control program.

“This tone starts at the top,” Sue said. “The cultural shift that needs to trickle down is that everyone is responsible for controls, and that everyone clearly understands not only what is required of them, but why they’re doing that control activity.” 

The second area leaders need to focus on is standardization. Sue said that when SOX was first rolled out, everyone jumped to documenting and testing existing processes. “And what we should have done is to say, ‘how do we standardize?’ And frankly, ‘how do we automate as many processes as we possibly can?’” 

Any efforts spent on standardization now will increase efficiency in testing and monitoring year over year. 

There’s no such thing as “too far in advance” when it comes to documenting your controls in preparation for a PCAOB-level audit.  

Whether they’re going through a traditional IPO process or an accelerated SPAC transaction, many companies are so busy trying to complete all of the other things related to going public that they don’t spend time on the controls. 

But a lot goes into a cultural shift and developing an effective system of internal controls—it’s not a step to be considered at the last minute. Even before educating your people and diving straight into the controls, take a beat and ask yourself if you have the right structure.

Structural questions to ask yourself before starting a SPAC transaction: 

  • Do we have the right people? 
  • Do we have enough people who have SOX or public accounting experience? 
  • Do we have the right technology? 

As Sue said, “It's never too soon to start because there's a lot of culture change that comes with becoming a public company, irrespective of which route you take to going public.”

They grow up so fast—corporate disclosure laws, that is. And before we dig into Sue’s predictions of the next evolution for the first and second lines of defense, let’s take a step back and look at how far we’ve come. Twenty years ago, there wasn’t a fraction of the technology available that there is today. We couldn’t take massive datasets and easily process or analyze them on our laptops. And now we can—pretty neat!

Sue pointed out that to guide the evolution of the first and second lines of defense, we need to take advantage of all the technology now available. We need to run analytics on the full population of transactions, not a sample, as part of the close process. The root cause analysis and anomaly identification this enables will streamline the process over time.

Automating the first line of defense allows for that in-depth monitoring by the second line, as well as: 

  • Process mining
  • Advanced analytics 
  • Using bots to do the testing

“I think there's an enormous opportunity for us to really change the way that we do some of this testing, move away from kind of the dreaded random sample of 25, and start saying, ‘how do we take the entire population and really get a good sense of exactly what's going on with all of the transactions.’”

There’s uncertainty surrounding ESG regulations, and you may be wondering how to approach the mapping, tracking, validating, and reporting. They say what’s past is prologue, which is why we have to keep SOX in mind when planning for ESG.  

“When SOX was first rolling out, one of the first things we considered was, what's the governance structure going to be, and how do we pull together a multidisciplinary team? That’s even more true for ESG,” Sue said.  

While SOX tended to be centered around finance, accounting, and IT, ESG encompasses the entire organization. With that, it’s important that you ask:

  • What’s our governance structure going to be?
  • Who will have the final say on the commitments we make?
  • What are our measurable metrics?
  • Who is responsible?

Answering these questions establishes the flow of governance: who decides, who owns each metric, and how the data is captured. That in turn lets you operationalize best practices and measure the data that matters, so it can inform better decision-making.

If this seems intimidating, don’t worry. The majority of companies are still struggling with the basic questions of who will govern the ESG reporting process and how.

Sue said it’s important to pause and consider lessons learned from SOX. “A lot of us have reflected and thought, ‘what would I have done differently if I could do SOX again?’” And now we have our opportunity with ESG. She said to take a beat, “and spend time to truly standardize and automate processes.” Rather than simply rushing to document everything and put controls in place, think about the fact that “if we’re going to create new metrics, we have to create new policies and new systems to capture that data.”

This is a fantastic opportunity to standardize and automate what you’re capturing, which will drive effectiveness from a control perspective and efficiency on an ongoing basis. 
Now is the time to start. We know many people are going to wait for the guidance or see what the regulators settle on. But ESG is here to stay. It’s time to think about how you set up governance and controls. As Sue said, “This isn't a wait-and-see game. This is a ‘get started now’ because this is a huge endeavor.” 

But you don’t have to do it on your own. Today’s GRC platforms enable connecting data and automating processes, and automation really is the name of the game as you’re putting your ESG programs together. There is no practical way to implement an effective and efficient ESG program without serious automation.

This isn’t 20 years ago, and we don’t have to use Excel and Word to capture data. Use a GRC-type tool, like the Workiva platform, for certifying, surveying, and gathering data, so that all of those reports and information are collated in a single source of truth. There is also excellent guidance, and there are trusted advisors, that weren’t available 20 years ago.

Sue also joined Hillary Eckert, Workiva’s VP of Solutions, Global Capital Markets, and SEC Reporting, in a webinar where they explored Hot Topics in Corporate Governance for 2022. Watch it on demand.

If you liked this post, there's more where that came from. Subscribe to the blog so you don't miss a thing.

Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.

The KPMG name and logo are trademarks used under license by the independent member firms of the KPMG global organization.

Excel and Word are registered trademarks of the Microsoft group of companies in the United States and/or other countries. 

About the Author
Grant Ostler

Industry Principal

Grant Ostler, Industry Principal at Workiva, has more than 30 years of finance and operations experience, primarily in internal audit, enterprise risk management, and process improvement. Ostler served as chief audit executive for almost two decades at entities ranging from Fortune 500 companies to a pre-IPO technology company, including building internal audit programs from scratch and leading the implementation of SOX 404 compliance programs for three companies. He is an active member of the Twin Cities Chapter of the IIA, where he has held numerous leadership positions, including Chapter President, over the past 20-plus years.