
Making compliance a key element in a major utility’s transformation

Upgrading Sarbanes-Oxley (SOX) controls as part of an SAP-based customer service management implementation

Client: A U.S. regional power utility

Industry: Power and utilities

Primary goal: Upgrade compliance along with new billing and service options

Primary platforms:

When senior management at a U.S. power utility serving millions of customers decided to replace an outdated customer information system (CIS) platform, they didn’t think small. Along with the latest industry-specific software from SAP, the company commissioned three leading IT consultants to design and implement a new system offering far greater functionality. KPMG was one of them, assigned not only to oversee quality assurance to help the client manage program-level risks, but also to address a key risk challenge by integrating application security and controls to meet Sarbanes-Oxley (SOX) regulatory requirements.

After more than two years of work, the company successfully launched a new CIS and billing platform that quickly gained the trust of a range of stakeholders. Customers are getting new online options for paying bills, monitoring power usage, and receiving alerts. Management and investors are positioned to benefit by adding new services and rate structures. And, regulators are seeing accurate, detailed documentation on rapidly changing compliance requirements.

Key outcomes

Making a measurable difference

80% reduction

in reported SOX risks

More than 75%

of controls are now automated

More than 3.5 million

customers have data protection

Client transformation journey

We enabled the organization to reap more benefits from their investment in SAP, taking advantage of the opportunity to transform the control landscape even as the business was transforming its systems and processes.

Jonathan Levitt

Director Advisory, KPMG Advisory GRC Technology

1. Vision Phase
Seeking a better model for security and controls

With another contractor assigned to manage the planning, process development and technical implementation of the project as a whole, the KPMG Risk team focused on identifying existing risks in application security and SOX controls, defining how these risks should be remedied, and testing new approaches and technology in advance. Key steps included:

  • Identifying security, controls and GRC requirements needed to enhance the SAP S/4HANA system and its industry-specific solution for utilities, IS-U
  • Defining a leading-practice target operating model (TOM) for SAP-based security that allows users to perform their day-to-day responsibilities while helping ensure sustainability and eliminating unnecessary risk
  • Designing and documenting a control environment that takes full advantage of the inherent automated control capabilities of SAP and complies with regulatory requirements
  • Developing a compliant, leading-practice security model free from inherent separation of duties (SOD) violations
  • Integrating the SAP Access Control solution for the management of access and enforcement of SOD.

2. Construction and Delivery
New structures and technologies deliver real results

After the design and validation phases of the project, our risk team began building a new security structure aimed at rationalizing and consolidating financial reporting risks in order to eliminate redundancies and create a more clearly defined risk landscape. Achieving this required:

  • Developing security and controls test scripts to support the effectiveness of identified control points
  • Executing SOD analysis on the configured security model
  • Introducing a solution to restrict access to personal information and comply with data privacy regulations
  • Revising any defects where necessary in the security and controls design
  • Supporting the training of control owners, security administrators, and SAP Access Control users
  • Validating the effectiveness of data conversion tools and functions
  • Providing governance over security and controls during deployment.

The new SAP-based system was successfully rolled out in early 2021, winning fast acceptance from consumers and employees, and establishing the client as an industry leader in customer support. Key security and compliance outcomes included:

  • Reported SOX risks fell from 92 to 16 as a result of risk rationalization activities, against a SOX framework that had not been refreshed since its initial implementation nearly 20 years earlier
  • The share of automated controls rose from 11 percent to 77 percent, minimizing the time and effort needed for control operation
  • Compliance with data privacy regulations was achieved, protecting the personal data of more than 3.5 million customers
  • A scalable and sustainable security architecture was established that was free of SOD conflicts at the role level.

Taken together, these measures not only made the client’s risk and compliance structure more accurate, efficient, and adaptable but also advanced trust among management, employees, customers, and regulators.

3. Evolution Phase
Monitoring today and planning for tomorrow

Post-rollout, KPMG continued to provide support and stabilization services to the client through the end of 2021. We also established continuous tracking and monitoring functions for security, controls, and GRC.

To summarize how the new system had performed to date, our risk team also deployed data analytics in the form of process mining to show the client how processes had already been improved and where further efficiencies might be gained in the future.

Turning insights into opportunity

SAP’s S/4HANA ERP platform and its industry solution for utilities (IS-U) help digital transformation deliver real benefits by increasing efficiency, simplifying processes, and enabling delivery of new services. But implementing SAP’s solutions also means highly regulated utilities must adopt more robust risk, security, and compliance strategies.


Meet our team

For forward-looking utilities, change brings opportunities

Let’s talk about where you are now and your goals for the future.

Mick McGarry
Principal, Advisory, GRC Technology, KPMG US

Jonathan Levitt
Managing Director, GRC Technology, KPMG US
