1.1 2.

  Theoretical Framework
This section will elaborate on the relationships between the variables. More specifically, the
relationships between the variables will be assessed with hypotheses. The relationship between
the variables are explained below.

2 2.1 GRC-tooling 

3 2.1.1 Definition of GRC and GRC-tooling

“Governance, Risk and Compliance (GRC) helps an organization to align information technology
with business objectives, while managing risks and meeting regulatory requirements” (IBM
Cloud Education, 2020).GRC is an organizational strategy to manage the governance, risk
management and compliance within industries and regarding governmental regulations (Nyhuis,
2020). 

Governance, Risk and Compliance used to be seen primarily as three independent separate
components:
- Governance: Governance is the set of policies, procedures and measures to enable an
organization to function as a control component and auxiliary to strategic goals(Çolak & Hasib,
2009). Governance connects activities across the company and aligns the activities with
strategic goals. Governance supports a coordinated, productive workplace and helps internal
and external stakeholders to understand how they contribute to the objectives and how these fit
with other stakeholders. Governance tries to guard against redundancies, contradictory
initiatives, and the appearance of unnecessary costs. The goal of corporate governance is to
ensure the effectiveness of operations, compliance to corporate values and the business ethics.
The mechanism of governance tries to reduce risk and validate, manage and handle information
and resources (SAP Insights, n.d.). 

- Risk: the set of procedures and measures aimed at systematically identifying risks, taking
mitigating measures and reporting on the performance of risk management to
management(Çolak & Hasib, 2009). Any risk that could have a negative outcome for a company
falls under risk management. For example, committing negative eco-harmful activities that can
cause reputational damage(Flammer article). Risk includes, on the one hand, risks over which
the company has no control, for example, the COVID-19 pandemic (CDC, 2020). On the other
hand, it can come from operational, procedural or technical weaknesses. But also external risks
such as cyber hacks and fraud. Technology is important in detecting risk, however, risk is seen
as a broader concept. All values, processes and commitment within the organization are
important and vulnerable in managing risk. Types of risk are performance risk, compliance risk, it
risk, financial risk and reputational risk (SAP Insights, n.d.)
- Compliance: compliance with laws and regulations, or the set of measures and procedures that
ensure that an organization complies with laws and regulations and is accountable for them.
accountable (Çolak & Hasib, 2009). Regulatory compliance failures lead to financial losses and
damage to the organizational reputation. Compliance failures lead to fines, which, for example
EU-based organizations whom payed 4% of their annual global revenue on GDPR fines (SAP
Insights, n.d.). General Data Protection Regulation (GDPR) requires businesses to protect the
personal data and privacy of data subjects who physically reside or are located within the EU
(U.S. International Trade Commission (USITC), 2019). New technologies and modern GRC
software solutions add value to data management, predictive analytics, and actual insights that
are needed to maintain an optimal compliance strategy (SAP Insights, n.d.).

GRC integrates systems and processes to control all aspects of governance, enterprise risk
management and compliance. GRC provides an approach to align business strategy with
information technology, which enables organizations to manage risk and compliance
requirements. GRC has no direct influence on manufacturing, the supply chain and services, but
has influenced how the organization wants to fulfill its mission and create an ethical, prudent and
responsible business.

2.1.2 Importance of GRC-tooling 

The Global Business Risk Report (GBRR) ranks the biggest risks to businesses, based
on the potential impact on companies. Businesses who are operating cross -border
continue to face high levels of uncertainty. After the high risks, a score of 332,
experienced in Q2 and Q3 in 2020 due to the COVID-19 pandemic, the Global Business
Impact score increased from 315 in Q2 2022 to 321 in Q3 2022. The increasing score of
321 is above the long-term average of 271. Thus, businesses operating cross-border
continue to face high levels of risk.
First, stagflation, low growth and high inflation, is seen as an important risk since Q2
2022. The longer the period of inflation to normalize, the greater the expectation that
successive rate hikes are higher. Additionally, the Russia-Ukraine conflict impacts the
supply for energy to businesses and creates high potential risks. Also supply chain
difficulties, climate policies and cyber vulnerability create higher risks for businesses. 
Supply disruption caused by the conflict between Russia and Ukraine continues and
intermittent Chinese port and factory closures mean that supplies from the global factory
remain interrupted, leading to continued shortages of goods and raw materials well into
the second half of 2022.
The energy crisis and rising gas and oil prices leave countries with a choice to focus
more on fossil fuels or the commitment to renewable energy. This also creates confusion
over energy policy. Climate commitments and trade interests are under pressure. This
results in difficult investment decisions and higher risks for companies. 

Furthermore, cybercrime is predicted to create damage totaling 6 trillion dollars in 2021.

Cybersecurity Ventures expect global cybercrime costs to grow by 15% per year,
reaching 10.5 trillion dollars in 2025. The increasing threat of cybercrimes results in
higher risks and therefore the cybersecurity market is expanding (Morgan, 13). 

In addition, Flammer examined how eco-friendly and eco-harmful activities affect

shareholder reaction. It shows that organizations should focus on corporate social
responsibility (CSR) by focusing on eco-friendly activities and avoiding eco-harmful
activities. The effects of eco-harmful activities result in negative shareholder reaction
and eco-friendly activities have a positive effect on shareholder reaction. In addition,
shareholders are expected to expect organizations to go along with the standard within
an industry. This is evidenced by increasing negative reactions in eco-harmful activities
and decreasing positive reactions in eco-friendly activities (Flammer, 2013).

The interplay between external and internal actions regarding corporate social
responsibility is necessary for the CSR strategy and performance. Both internal activities
and external activities must be aligned for optimal performance. Excess of internal
activities results in a depreciation of the organization and excess of external activities
can result in greenwashing. GRC helps to align both internal and external activities to
optimize the performance of the CSR strategy (Hawn & Ioannu, 2016).

What is GRC? | Governance, risk, and compliance in detail | SAP Insights 

2.2. Environment, Social and Governance (ESG)

McKinsey-on-Finance-number-73.pdf 

2.2.1 ESG definition 

ESG has multiple approaches and definitions. In this study, ESG is divided into Environmental,
Social and Governance.
Environmental: Environmental includes the following activities; the energy a company
consumes, the waste it discharges, the resources it requires, its impact on the environment and
it includes carbon emissions and climate change.
Social: Refers to social criteria, such as the relationships between the organization and
consumers, institutions and other businesses. Additionaly, to what extent the organization
performs in labor relations, diversity and inclusion.  
Governance: The internal system of practices and controls. The procedures within the company
to make effective decisions, comply with the law and meet the needs of stakeholders.

2.2.2 ESG importance

Companies need to establish a strong proposition for managing environmental, social and
governance(ESG) concerns. Companies with strong ESG propositions experience higher
returns. ESG-oriented investing has reached 30 trillion dollars which is an increase of 68%
relative to 2014 and ten times more than 2004(Global sustainable investment review 2018,
Global Sustainable Investment Alliance, April 2019, gsi-alliance.org). A strong ESG proposition
van reduce costs, facilitate top-line growth, minimize regulatory and legal interventions, increase
employee productivity and optimize investment and capital expenditures. A strong ESG
proposition results in higher returns ( Mozaffar Khan, George Serafeim, and Aaron Yoon,
“Corporate sustainability: First evidence on materiality,” Accounting Review, November 2016,
Volume 91, Number 6, pp. 1697–724, aaapubs.org; Altaf Kassam, Linda-Eling Lee, and Zoltán
Nagy, “Can ESG add alpha? An analysis of ESG tilt and momentum strategies,” Journal of
Investing, Summer 2016, Volume 25, Number 2, pp. 113–24, joi.pm-research.com)., reducing
risks and higher credit ratings.(Sara A. Lundqvist and Anders Vilhelmsson, “Enterprise risk
management and default risk: Evidence from the banking industry,” Journal of Risk and
Insurance, March 2018, Volume 85, Number 1, pp. 127–57, onlinelibrary.wiley.com). 

Companies with social engagement activities have 

 
 

2.2.3 ESG strategy, risk and performance

2.3.1 GRC and ESG-strategy

GRC is linked to ESG goals and processes because GRC helps to set, measure and achieve
ESG goals in a detailed and structured way. The biggest common denominator between GRC
and ESG is the G, governance. This shows that governance is used to establish clear
commitments and well-defined objectives, allowing uncertainty and risk to be managed.
Therefore, it is recommended that GRC be integrated into ESG reports. The use of GRC tools,
gives organizations the tools to learn, to align, perform and review the pathway to report ESG
targets (ESGenterprise, 2022).
Organizations that optimize and implement an efficient GRC tool increase the ability to cut costs,
avoid duplication of effort and provide quality information. GRC tooling therefore contributes to a
sustainable way of doing business (ESGenterprise, 2022). 

GRC-tooling

-          Meaning and definition and importance

-          Possibilities

-          Focus on Governance, Compliance and Risk management seperately à And explain the
overlap

-          Development GRC-tooling

-          Influence of GRC on companies/company performance

Governance is used to become one organisation

Risk management capabilities à Covers control and compliance assessment is the same

GRC processes à Regulation risk incident policy control framework issue action management

Exception management continuous control monitoring

ESG  environment is climate risk à Performing risk management

ESG corresponds with risk

Every regulation in ESG will need GRC and risk assessments

The internal control framework for ESG

GRC is those subprocesses

8 processes are generic processes for organizations, customized for the organizations

Sometimes its good to customize process,

How more specific, how harder to upgrade in the future?

Easy to understand, Ensure it is not heavy customized and coded.

Sustainable and maintainable.

GRC-tool gartner

Sub modules

Risk assessment

Means and for risk and compliance processes

Regulation management

Risk assessment

Risk mitigation and monitoring

Incident and response management

Assurance

Follow up and overall reporting

 

Governance, risk and compliance (GRC) is a set of processes and procedures to help
organizations achieve business objectives, address uncertainty and act with integrity. The
purpose of GRC is to instill ‘good’ business practices into everyday life. GRC covers multiple
disciplines, including risk management, compliance, third-party risk management and internal
audit (Çolak & Hasib, 2009).

Demonstrating compliance with external laws and regulations, Risk Management or other
Corporate Governance measures is complex. Different departments in different countries with
local regulations are involved, which often makes it more complex. GRC tools are used to
document processes, identify risks and communicate them together with associated control
measures quickly and efficiently (Inouye, 2021).

Many companies and institutions do not approach implementing internal controls and being
accountable for their effectiveness as a stand-alone one-off project. They see the connection
between various Governance, Risk and Compliance (GRC) activities within their organization. In
this context, GRC refers to;

- Governance: the set of policies, procedures and measures to enable an organization to

function in accordance with its strategic objectives.

- Risk management: the set of procedures and measures aimed at the systematically identifying
risks, taking mitigating measures and reporting on the performance of risk management to
management.

- Compliance: compliance with laws and regulations, or: the set of measures and procedures
that ensure that an organization complies with laws and regulations and is accountable for them.
accountable. (Çolak & Hasib, 2009)

Previously, simplistic ways, such as working with programs like Excel, were used to try to meet
compliance laws and Governance, Risk and Compliance were approached as separate activities
(Riskconnect, 2020). This resulted in inefficiencies, redundancies, and inaccuracies, for
example:

Lack of visibility into the complete risk landscape, Conflicting actions, Unnecessary complexity,
Inability to assess the cascading effects of risk (Riskconnect, 2020).

 
However, there is overlap between Governance, Risk, and Compliance. Each of the three
disciplines creates information of value to the other two. All three impact the same organization,
same technologies, people, processes, and information. When the three components of GRC
are managed separately, it results in the duplication of tasks.

Disconnected processes and a lack of transparency leave an organization blind to insights and
relationships between risks, which undermine the system by allowing gaps and redundancies of
controls to go unnoticed. Without an integrated view of all GRC-related activities, it’s nearly
impossible to identify issues and inconsistencies. A damaging risk can easily slip by undetected
and unaddressed because you couldn’t gauge the full impact until it was too late.

Virtually every organization is engaged in risk management, even if the risk management system
is nascent. There is no correct way to manage risk and compliance, but when the used systems
can’t keep up with changing business needs, the systems need to be constantly updated.

To look at the GRC position, the risk maturity model (RMM) is often used. It compares the
current state of the organization and where the organizations want to be and which further
investments could be made. The more mature the GRC program, the more effective an
organization is in making decisions, taking the right risks, and achieving better outcomes for the
organization (Risk Maturity Assessment Explained | Risk Maturity Model).

One  Ad hoc  The management of risk is undocumented, in flux, and depends on individual
heroics.

Two  Preliminary      Risk is defined in different ways and managed in silos. Process discipline
is unlikely to be rigorous.

Three   Defined A common risk assessment/response framework is in place. An organization-

wide view of risk is provided to executive leadership and the board in the form of a list of ‘top’
risks. Action plans are implemented in response to high-priority risks.

Four  Integrated       GRC activities are coordinated across business areas. Common
risk management tools and processes are used where appropriate, with enterprise-wide risk
monitoring, measurement, and reporting. Alternative responses are analyzed with scenario
planning and other techniques, such as Monte Carlo simulation. Process metrics are in place.
But the emphasis remains on managing a list of risks. Discussion of risk at executive committee
and board levels is separate from the discussion of strategy and performance.

Five  Optimized        The focus shifts from managing a list of risks outside the context of
enterprise objectives to managing for the successful achievement of objectives. The
consideration of what might happen is embedded in strategic planning, capital allocation, and
other processes, as well as in daily strategic and tactical decision-making. There is a reasonable
level of assurance that decision-makers are taking the right level of the right risks necessary for
success and not just to avoid failure. Early-warning systems exist to notify board and
management both of specific risks above established risk appetite or risk-capacity thresholds –
and where the likelihood of achieving enterprise objectives is less than acceptable. Reporting to
management and the board integrates performance reporting (where we are now) and risk (what
might happen) to project the likelihood of achieving each enterprise objective. Discussion of risk
at top management and board levels (what might happen) is not separate from the discussion of
strategy and performance.

Een van de meest belastende elementen van SOX is sectie 404, waar organisaties de
verantwoordelijkheid nemen om een deugdelijke interne controlestructuur voor financiële
verslaglegging aanhouden en dat accountants de verantwoordelijkheid hebben om te verklaren
dat de beoordeling van het management deugdelijk is en het algemene financiële controle
systeem goed functioneert. Vanaf het moment dat de SOX act van kracht was, voelden
leidinggevenden de druk om een interne hervorming te kunnen realiseren. Organisaties
ervoeren toen pas de zwakheden van de controles en het gebrek aan handhaving van het
bestaande beleid, die onnodig complex was en een zwakke naleving cultuur erop nahield. 

Nadat bedrijven de SOX-act omarmden werden de positieve ontwikkelingen zichtbaar:

Organisaties hebben hun financiële processen gestandaardiseerd(bron). Overbodige
informatiesystemen werden geëlimineerd. De nadruk werd gelegd op het minimaliseren van
inconsistenties in de gegevens. Handmatige processen werden geautomatiseerd. Werknemers
werden sneller op de hoogte gebracht van interne ontwikkelingen. SOX geïnspireerde
procedures werden gezien als een houvast voor de naleving van wettelijke regelingen.

Strengthening the Control Environment

Bedrijven die goed besturen zorgen voor discipline, structuur, brengen medewerkers ethische
waarden bij, geven het juiste voorbeeld en verschaffen de juiste training. Deze elementen van
de controleomgeving zijn de basis van de interne controle. Een goed ingerichte
controleomgeving wordt door een externe accountant beoordeeld in section 404, waar de
interne controle over financiële verslaglegging wordt geëvalueerd.
Organisaties zijn van mening dat een sterke controleomgeving bijdraagt aan goed bestuur.
Zowel het bestuur als medewerkers worden geacht om op een verantwoordelijke en ethische
manier af te wegen of hun acties kloppen. Investeerders nemen bijvoorbeeld de beoordeling van
de controleomgeving mee hun hun algemene evaluatie. De scores van deze diensten hebben
een positief of negatief effect op de interesse van investeerders en de kapitaalkosten van de
onderneming.

Improving documentation
Na de intreding van de SOX-act hebben organisaties operation manuals bijgewerkt, hebben het
personeelsbeleid herzien en hebben controleprocessen vastgelegd. Artikelen 302 en 404, die de
verantwoordelijkheid van de interne controle leggen bij de CEO's en CFO’s’,, hebben gezorgd
voor een toenemende focus op de naleving van de interne documentatie. Onder andere door de
bijbehorende sancties voor de organisatie en persoonlijke sancties voor de CEO en CFO
verhogen de druk op interne verslaglegging en interne documentatie.  
Een voorbeeld komt van de beleggingsmaatschappij Audet, waar voormalig CFO Paul Audet
merkte dat functiebeschrijvingen moesten worden bijgewerkt. De herziene documentatie zorgde
voor nieuwe medewerkers om sneller te wennen en duidelijk te maken welke
verantwoordelijkheden werknemers hebben binnen de organisatie, waardoor binnen het interne
controleprogramma en het opleiden, het toezicht en de prestatie evaluatie makkelijker werden
geëvalueerd.

Sinds het intreden van de SOX-act is het positieve directe effect van SOX302 op financial
reporting quality duidelijk geworden. Compliance to SOX302 enhances the quality of financial
reporting and increase corporate governance responsibilities. However, compliance with
SOX404 does not increase financial reporting, vanwege de specifieke kosten die gemaakt
moeten worden(Krishnan et al., 2008). 

De toenemende aandacht voor ESG is ontstaan door het aantal wereldwijde challenges die
invloed hebben op organisaties wereldwijd. Bijvoorbeeld klimaatverandering, de lineaire
economie en toenemende ongelijkheid zijn uitdagingen waar dringend verandering nodig is.
Steeds meer organisaties implementeren ESG elementen in hun investeringsbeslissingen,
waardoor ESG belangrijker wordt voor de securing van capital, zowel debt als equity. (Deloitte,
n.d.) 

Uit onderzoek is gekomen dat organisaties met een sterke ESG propositie hogere returns
hebben. Daarom zijn onder andere investeringen omtrent ESG zijn gestegen naar 30 trillion in
2019, een stijging van 68 procent in 2014 (GSIA, 2019). Een sterke ESG propositie kan
resulteren in een top-line growth, reduce of costs, minimize regulatory and legal interventions,
increase employee productivity and optimize investment and capital expenditures (Henisz et al.,
2020). Daarnaast correleert een sterke ESG propositie met hogere equity returns en reduced
downside risks (Landry et al., 2018).

ESG reporting verschaft investeerders informatie om hun beslissingen te maken en of de

doelstellingen omtrent sustainability aligned zijn met hun eigen values. Daarnaast helpt ESG
reporting bedrijven om sustainable bedrijfsactiviteiten te implementeren door hun cultuur te
veranderen, risico’s te verlagen en meer awareness te creëren, zowel intern als extern
(ESGReport, n.d.).

Internal Audit heeft een belangrijke rol in ESG reporting vanwege de mogelijkheid om objective
assurance and advise te verschaffen. Over de jaren heen is er namelijk een grotere focus
gekomen op maximising shareholder value in plaats van maximising shareholder return. The
Institute of Internal Auditors(IIA) hebben verschillende factoren gevonden die deze shift
versnellen, namelijk investor and public interest, regulation and frameworks.
Investors and the public expect organizations to manage their ESG risks and evaluate the
factors separately. Door te falen in het managen van ESG risks kan reputatie schade ontstaan,
kan financiele schade ontstaan en wordt de kans op lawsuits en andere legal risks verhoogd
(KPMG, 2020).
Regulation, de regulation van ESG activities wordt voor steeds meer bedrijven van toepassing.
Sinds 1 july 2020 is er een nieuw ESG framework uitgegeven for publicly listed organizations.
Hierin worden environmental and social KPI;s disclosed (KPMG, 2020).
Frameworks worden steeds belangrijker. Op dit moment is er geen standaard framework, maar
meerdere frameworks die guidance verschaffen voor het monitoren, rapporteren en evalueren
van environmental-related disclosures. De frameworks zijn useful, maar meer accurate data is
nodig omdat policymakers, financial regulators and investors deze informatie gebruiken om
beslissingen te maken.

    

First, the results of regressing the composite model (integrated model) support the direct effect
hypothesis that compliance with SOX302 enhances the quality of 

 Currently, there is a growing focus on Environmental, Social and Governance(ESG) activities.

This is evident from the 2019, 2020 and 2021 data that expenses increased from $285 billion, to
$542 billion and finally reached $649 billion, respectively (Kerber & Jessop, 2021). The chief
executives of large organizations are under pressure to adopt a more inclusive and broader
stakeholder strategy. ESG helps to achieve this by protecting employees and improving work
ethics, creating more diversity, good privacy and data management, and working toward a
climate-neutral environment. Climate change remains the most pressing issue and companies
want to focus on sustainability (Thomson Reuters, 2021) (Economist, 2022). 

Environment, Social and Governance (ESG) is characterized as a framework that helps

stakeholders to understand how an organization is managing risks and opportunities related to
the pillars environment, social and governance criteria (Peterdy, 2022). Organizations evaluate
potential risks and opportunities in their activities to create a sustainable organization (Peterdy,
2022).
Environmental pillar heeft betrekking op de directe en indirecte effecten van de
bedrijfsactiviteiten op het milieu. Hieronder vallen onder andere het koolstof verbruik,
veroorzaakte emissies , gebruik van hulpbronnen en het effect op de biodiversiteit en
ecosystemen.
Social pillar heeft betrekking op de sociale omgeving. Hier wordt gekeken naar de relatie met
werknemers, de invloed van het bedrijf op verschillende samenlevingen en de politieke
omgeving. De focus ligt bij de pillar ‘Social’ op de mensen en hun welzijn.
Governance pillar heeft betrekking op de prestaties van de onderneming op het gebied van
corporate governance. Hierbij ligt de focus op het management, de leidinggevenden en het
bestuur. De focus ligt op de manier waarop keuzes gemaakt worden en of de beslissingen in lijn
liggen met de waarden van de onderneming en de belangen van alle belanghebbenden. De
nadruk ligt bij governance meestal op het belastingbeleid van de onderneming, de beloning van
bestuurders, de diversiteit structuur van de raad van bestuur en medewerkers en de potentiële
aanwezigheid van lobbyen, corruptie en omkoping. 

De term ESG wordt steeds vaker gebruikt binnen organisaties en neemt een belangrijke rol in
het identificeren van risico’s en financiële prestaties. De reden voor organisaties om ESG
activiteiten te rapporteren, heeft verschillende voordelen. ESG-reporting heeft onder andere een
positieve invloed op effectiveness, transparency and compliance van bedrijven (Cloudsonmars,
2022). Voldoen aan de eisen van de SOX-act heeft óók als voordeel dat de effectiveness,
transparency and compliance worden verhoogd (SoxLaw, n.d.) (Wagner, 2006). In dit onderzoek
wordt onderzocht of het moeten voldoen aan de SOX-act een positieve invloed heeft op ESG-
reporting en bijbehorende scores dus hoger uitvallen dan bedrijven die geen ervaring hebben
met de strenge regelgeving van de SOX-act.
In dit hoofdstuk wordt allereerst het kader geschetst waar dit onderzoek binnen valt en worden
termen uitgelegd hoe de SOX-act en ESG-reporting vallen binnen (financial reporting), internal
audit en internal control. Vervolgens worden de termen over de Sarbanes Oxley act en ESG
verder uitgewerkt en wordt een verband gelegd tussen the Sarbanes Oxley act en ESG-
reporting om zo de desbetreffende hypotheses te kunnen formuleren.