Making compliance a key element in a major utility’s transformation

Upgrading Sarbanes-Oxley (SOX) controls as part of an SAP-based customer service management implementation



A U.S. regional power utility


Power and utilities

Primary goal

Upgrade compliance along with new billing and service options

Primary platforms


When senior management at a U.S. power utility serving millions of customers decided to replace an outdated customer information system (CIS) platform, they didn’t think small. Along with the latest industry-specific software from SAP, the company commissioned three leading IT consultants to design and implement a new system offering far greater functionality. KPMG was one of them, assigned not only to oversee quality assurance to help the client manage program-level risks, but also to address a key risk challenge by integrating application security and controls to meet Sarbanes-Oxley (SOX) regulatory requirements.

After more than two years of work, the company successfully launched a new CIS and billing platform that quickly gained the trust of a range of stakeholders. Customers are getting new online options for paying bills, monitoring power usage, and receiving alerts. Management and investors are positioned to benefit by adding new services and rate structures. And regulators are seeing accurate, detailed documentation on rapidly changing compliance requirements.

Key outcomes

80% reduction

in reported SOX risks

More than 75%

of controls are now automated

More than 3.5 million

customers have data protection

Client transformation journey

Where they were

Looking for the “one way” forward after acquisition-fueled growth.

Albertsons is committed to “one way.” Meaning that, as large as the company becomes, it aims to remain unified in its vision and in the systems and tools that support it. 

Acquisition-fueled growth naturally opens the door to “many ways.” By 2019, different divisions and subsidiaries had their own back-office solutions. People, processes, and data were becoming more siloed.

A different kind of company might have assumed that decentralized processes are an acceptable consequence of multiple acquisitions. Or that you can’t be one of the biggest industry players and move with startling speed and agility when it comes to acquisitions. But accepting trade-offs like those is not the Albertsons way.

Company-wide opportunities

  • Replace nearly XX aging applications that differed across divisions and subsidiaries
  • Reduce manual, disparate processes, freeing up more resources for advanced analytics
  • Enable enhanced reporting and make it more widely available across the enterprise
  • Act with greater speed and agility to capture value in acquisitions

Finance Opportunities

  • Process XXX,XXX transactions per month with greater efficiency
  • Reduce 10,000+ manual journal entries per period
  • Decrease >3-week close
  • Shorten the >3-month annual budgeting cycle
  • Provide better support for a growing e-commerce business
  • Control rising finance function costs and derive greater value 

HR Opportunities

  • Decrease hiring and onboarding times to keep pace with staffing needs
  • Be more efficient in complying with more than 800 collective bargaining agreements and dozens of government contracts
  • Introduce enterprise-wide training programs
  • Unify and automate workforce administration processes across the enterprise

Where they are

290,000+ Albertsons employees come together every day in the cloud.

Today, cashiers at 2,200 stores all log their hours via the same mobile app. That data flows seamlessly to payroll and across the enterprise, where it’s available for everyone from store managers making data-driven staffing projections to CFOs reviewing budgets.

Back-office staff spend less time on manual processes and more on analyzing data in ways that help lower costs and improve performance every day, and inform due diligence during acquisitions.

HR executives and business managers find it easy to access candidate information, share observations and schedule interviews, quickly and easily moving the right candidates through the hiring process.

And candidates who become new hires continue through the same efficient, cloud-based environment as they complete onboarding and get to work—already a part of Albertsons’ “one way.”

Company-wide success

  • Installed a single, modernized digital platform serving the entire enterprise
  • Accelerated the project schedule by XX-months due to a dual-installation of Finance and HR
  • Migrated 290,000 employees from legacy systems to Oracle Cloud
  • Increased insight-driven decision making across functions, driving performance and growth gains

Finance Successes

  • Decreased balance sheet reconciliations by 85%
  • Achieved a consolidated retail and corporate close within a shortened period
  • Reduced the types of P&L statements from 100+ to 4
  • Reduced operations costs across the board
  • Enhanced availability of data-driven insights that help to capture maximum value during acquisitions

HR Successes

  • Installed an automated, central solution to efficiently administer 800+ complex union agreements for all employee populations
  • Deployed a custom application for union rule processing enabling a single HCM platform to administer benefits to all employee populations
  • Created a digital-first, digital anywhere experience resulting in higher employee engagement
  • Reduced new hire onboarding time
  • Reduced the time it takes to fill staffing vacancies
  • Streamlined and improved the process integration of new employees post-acquisition
  • Integrated processes and technology across the employee lifecycle from recruiting through compensation and performance

Where they’re headed

Making sure the “one way” continues to be the best way.

Long before the go-live date, Albertsons was collaborating with Oracle and KPMG about future initiatives. They wanted to know what to expect from upcoming product releases and how they should be planning to leverage new functionality.

The company’s agile mindset combined with its investment in Oracle Cloud and KPMG Powered Enterprise will keep it in a position to continue evolving, always finding the best way forward as one, strong enterprise.

Company-wide vision
  • Continue to enhance analytics-driven planning and forecasting
  • Optimize the supply chain

Finance Vision

  • Achieve a continuous, virtual accounting close
  • Increase data monetization 

HR Vision

  • Migrate payroll, benefits, and absence management to Oracle Cloud for 2023
  • Insource benefits administration

We enabled the organization to reap more benefits from their investment in SAP, taking advantage of the opportunity to transform the control landscape even as the business was transforming its systems and processes.

– Jonathan Levitt, Director Advisory, KPMG Advisory GRC Technology

Focusing on compliance as part of a broader transformation


1. Vision phase

Seeking a better model for security and controls

With another contractor assigned to manage the planning, process development and technical implementation of the project as a whole, the KPMG Risk team focused on identifying existing risks in application security and SOX controls, defining how these risks should be remedied, and testing new approaches and technology in advance. Key steps included:

  • Identifying security, controls and GRC requirements needed to enhance the SAP S/4HANA system and its industry-specific solution for utilities, IS-U
  • Defining a leading-practice target operating model (TOM) for SAP-based security that allows users to perform their day-to-day responsibilities while helping ensure sustainability and eliminating unnecessary risk
  • Designing and documenting a control environment that takes full advantage of the inherent automated control capabilities of SAP and complies with regulatory requirements
  • Developing a compliant, leading-practice security model free from inherent separation of duties (SOD) violations
  • Integrating the SAP Access Control solution for the management of access and enforcement of SOD.

2. Construction and delivery

New structures and technologies deliver real results

After the design and validation phases of the project, our risk team began building a new security structure aimed at rationalizing and consolidating financial reporting risks in order to eliminate redundancies and create a more clearly defined risk landscape. Achieving this required:

  • Developing security and controls test scripts to support the effectiveness of identified control points
  • Executing SOD analysis on the configured security model
  • Introducing a solution to restrict access to personal information and comply with data privacy regulations
  • Revising any defects where necessary in the security and controls design
  • Supporting the training of control owners, security administrators, and SAP Access Control users
  • Validating the effectiveness of data conversion tools and functions
  • Providing governance over security and controls during deployment.

The new SAP-based system was successfully rolled out in early 2021, winning fast acceptance from consumers and employees, and establishing the client as an industry leader in customer support. Key security and compliance outcomes included:

  • With a SOX framework that had not been refreshed since initial implementation nearly 20 years ago, reported SOX risks fell from 92 to 16 as a result of risk rationalization activities
  • The share of automated controls rose from 11 percent to 77 percent, minimizing the amount of time and effort needed for control operation
  • Achieved compliance with data privacy regulations, protecting the personal data of more than 3.5 million customers
  • Established a scalable and sustainable security architecture that was free of SOD conflicts at a role level.

Taken together, these measures not only made the client’s risk and compliance structure more accurate, efficient, and adaptable but also advanced trust among management, employees, customers, and regulators.

3. Evolution phase

Monitoring today and planning for tomorrow

Post rollout, KPMG continued to provide support and stabilization services to the client through the end of 2021. We also established continuous tracking and monitoring functions for security, controls, and GRC.

To summarize how the new system had performed to date, our risk team also deployed data analytics in the form of process mining to show the client how processes had already been improved and where further efficiencies might be gained in the future.

Turning insights into opportunity

SAP solutions for utilities

SAP’s S/4HANA ERP platform and its industry solution for utilities (IS-U) help digital transformation deliver real benefits by increasing efficiency, simplifying processes, and enabling delivery of new services. But implementing SAP’s solutions also means highly regulated utilities must adopt more robust risk, security, and compliance strategies.

For forward-looking utilities, change brings opportunities

Let’s talk about where you are now and your goals for the future.

Mick McGarry

Principal, Advisory, GRC Technology, KPMG US

+1 214-840-8249

Jonathan Levitt

Managing Director, GRC Technology, KPMG US

+1 949-431-7246