How a critical IPO sprint helped put a company in control for the long run

Getting IPO ready—with no margin for error

For the leadership team at a large consumer goods company, the decision to go public wasn’t just about financial growth. It was about elevating the capabilities of their entire organization and firmly positioning the company and its people to thrive in a fiercely competitive market. 

But they faced a stark reality: The IT environment, which had served them so well as a privately held company, felt suddenly outdated, uncontrolled, and not ready for the rigorous compliance standards required of a public company. That posed an enormous risk to the executive team’s mission-critical goal of an IPO within 18 months. To meet that timeline, the company would need to deconstruct its current approach and rebuild a robust controls environment that could withstand the scrutiny of auditors and public markets, safeguard against operational risks, and ensure compliance with Sarbanes-Oxley (SOX) and other SEC requirements.

With little margin for error, the company asked KPMG to help it resolve the interconnected challenges in its existing controls framework, which included:

• Unmitigated financial risk: The existing controls framework contained gaps that could lead to unmitigated risks, audit findings, and material misstatements.
• Inconsistent technology controls: Without a standardized information technology general controls framework, the company was at risk of material weaknesses post-IPO. 
• Fragmented governance: SAP was managed by IT, but other critical systems were independently owned by HR, finance, and sales, creating operational silos and inconsistent controls, policies, and processes.
• Disparate access management: Highly customized and manual processes for managing access to programs and data heightened the risk of human error and security vulnerabilities. 
• Segregation of duties (SOD) conflicts: The lack of cohesive access controls in the core SAP environments posed significant SOD issues, increasing the risk of security breaches and compliance failures.

Building a culture of compliance and security

A big challenge facing the leadership team was a gap in the internal expertise needed to build an IPO-ready technology control environment. That’s why the company turned to KPMG for help. They knew they needed a partner who understood the technical requirements but also the strategic vision of a public company. More importantly, they needed an adviser that could empower their people with the knowledge and skills required to sustain the change long after the IPO.

Recognizing the urgency and complexity of the challenges, KPMG swiftly assembled a cross-functional team of specialists in IPO, SOX, controls, cybersecurity, and SAP. We worked closely with the key stakeholders—from the C-suite to IT to all required business units—to create a sense of ownership and accountability across the organization. In just 14 months, we helped the company deliver a strategic solution to standardize the control environment, enforce compliance, secure critical business processes, and keep them on schedule for their IPO. Using the compliance assessment as the initial phase, KPMG built a roadmap that led to our cyber team becoming the implementation team for the Saviynt rollout. Additional KPMG project management professionals were brought in to tie all of the pre-IPO workstreams together.

The results for the entire organization are significant:

• Unified, standardized controls: By centralizing monitoring and enforcement via the Saviynt IGA platform, the company has achieved a unified view of access governance while automating much of the control environment, which helps them reduce security risks and better support overall compliance operations. 
• A dynamic new compliance approach: With an enhanced risk and control matrix and standardized IT controls framework, the company has significantly elevated its overall compliance capabilities. They can meet and exceed SOX requirements, firmly positioning themselves to operate in the public market.
• Operational efficiency and resilience: The move from manual, customized processes to automated identity governance has helped their teams to work more efficiently, reducing administrative burdens and minimizing human error. 
• Strengthened SAP access and security: With redesigned SOD controls and enhanced privileged access management, the organization now has public-company-level confidence that their critical business systems are protected from unauthorized access. 

Equipped to lead: Empowering people for public market success

The company’s executive team set out to do more than just meet public market standards. They wanted to build a strong, scalable foundation for compliance success as a publicly traded company. Through this project with KPMG, the organization has standardized controls, enhanced security, and fostered a culture of accountability. KPMG-led change management and tailored training programs have also played a critical role, helping the company’s people navigate the changes in the new controls environment and adapt the skills and agility needed to embrace the new systems and processes as efficiently as possible. This has helped the finance team to ensure accurate reporting, the IT team to safeguard data integrity, the operations team to drive efficiency and collaboration—and the entire company to move ahead with confidence as a public company.