
Reputed Financial Services Provider Adopts an Integrated and Agile Approach to SOX Compliance and Internal Audits

Customer
Headquartered in the north-eastern U.S., the client is a leading financial services provider. They offer a range of financial solutions extending from personal and business banking, to mortgage loans, investment management services, and community development.

Overview
The client is deeply committed to maintaining a culture of integrity, accountability, and transparency across the enterprise. To that end, they invest considerable time and effort in maintaining consistent compliance with SOX requirements, assessing risks, and auditing internal controls.

Yet with multiple business segments and offices spread across the East and West Coasts of the U.S., the client found it increasingly challenging to manage the growing demands of SOX and internal auditing. One of their biggest roadblocks was the lack of a cohesive structure to integrate and enable greater collaboration across key processes such as risk assessments and internal audit planning. In addition, the company’s audit team was keen to gain greater oversight of SOX compliance and internal auditing - and as a result, they chose to upgrade their compliance and audit systems.

After considering several solution providers, the client settled on MetricStream based on their extensive success in providing cutting-edge, flexible GRC solutions to top financial services providers. MetricStream enabled the client to strengthen SOX compliance and internal audit processes, and integrate them in a common framework for greater efficiency and transparency - all this, quickly and cost-effectively due to MetricStream’s cloud offering.

Challenge

Before implementing MetricStream’s solution, the company faced a number of challenges:

  • Lack of sufficient information sharing on risk and controls across departments and business segments
  • High costs of managing control tests, internal audits, documentation, and reporting
  • Substantial time and effort required to manually create audit checklists
  • Limited visibility to track the status and progress of SOX compliance, internal audits, and the issues that arose in these processes
  • Complexity of accurately mapping each risk to the relevant processes, controls, control tests, and other GRC objects


Solution
The client proactively chose to transition to a more integrated approach to SOX compliance and internal auditing. The first key step in that direction was to implement a technology solution that would help them in this endeavor. MetricStream emerged as their vendor of choice due to the rich functionalities of their SOX compliance and internal audit solution, as well as its ability to be configured to the client’s unique requirements.

The solution provided the following capabilities:

GRC Library
The MetricStream solution integrates all risks, controls, and associated processes in a centralized, Web-based library. It also enables the client to define a clear taxonomy for the SOX compliance and control hierarchy, including business processes, control objectives, risks, and controls. These various GRC objects can be mapped to each other in a many-to-many manner for greater visibility.

Why the company selected MetricStream

The client chose MetricStream as their solutions provider for SOX compliance and internal audit because:

  • The MetricStream solution facilitates an integrated, transparent, streamlined, and sustainable approach to SOX compliance and internal audits
  • It provides extensive, innovative tools and functionalities to manage each stage of SOX compliance and internal audits
  • Users have the flexibility to either choose from a wide variety of inbuilt reports, or configure and build their own reports in the solution
  • The audit team can make use of MetricStream’s extensive audit checklists, and simply make minor modifications
  • The solution seamlessly integrates with existing tools and systems to extract relevant data for SOX compliance and internal audits

SOX Compliance
The solution enables the client to streamline and automate control assessments and testing processes across the enterprise, thereby minimizing errors and redundancies. It also provides greater visibility into controls and compliance processes so that the audit team can monitor them at any level of detail, and proactively identify important issues and non-compliant areas that have to be addressed.

Other capabilities include flexible compliance reports, information-rich dashboards, matrices, and templates. An advanced control matrix delivers comprehensive data about each control, along with the associated risks, control tests, and other related factors.

Integration with Financial Accounting Tool
The client already had in place financial consolidation and reporting software which was used for SOX scoping. MetricStream integrated their solution with this software to automatically capture financial information and perform specific calculations (e.g. likelihood and impact) that allow the SOX manager to easily identify important accounts, and accordingly decide which accounts are in scope and out of scope for assessments and testing.

Powerful Infolets or connectors in the solution integrate with the client’s financial software to extract the required data at periodic intervals, and maintain it in a centralized repository. This simplifies reporting, while also providing greater visibility into key financial metrics.

Risk Assessment, Ranking, and Categorization
The MetricStream solution enables the client to streamline processes for risk assessments, scoring, categorization, and documentation. It also generates risk ranking reports that highlight all risk scores for a particular year, along with the factor score for each of the qualitative and quantitative factors associated with a risk assessment. Reporting columns are dynamically generated based on the risks and factors involved in each risk assessment.

As part of the annual risk assessment process, users can download a risk inline report from the solution to review all risk scores in one place.

Internal Audits
The MetricStream solution enables the client to manage the full range of internal audit activities, data, and processes in a single, enterprise-wide framework. It facilitates a systematic, work-flow based approach to the complete audit lifecycle - extending from audit planning and scheduling, to field work and data collection, reporting, and review and implementation of audit findings and action plans.

The solution also closely integrates internal audits with risk assessment processes and results to enable risk-based auditing. The audit team can forecast their audits based on risk assessments, while highlighting risk ratings. If the risk rating of an auditable entity is high, an audit can be planned on priority using the solution’s scheduling tools and calendars.
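To make the scoping and risk-based planning described above concrete, here is an added illustration (not MetricStream's code or formulas): account balances stand in for data pulled from the finance tool, qualitative factors are scored and weighted into a likelihood, impact is bucketed against a materiality threshold, and the resulting scores drive both the in-scope decision and the order of the audit plan. The factor names, weights, scales and thresholds are all assumptions.

```python
from dataclasses import dataclass

# Constructed illustration of likelihood/impact scoping and risk-ranked audit
# planning; weights, scales and thresholds are assumed, not a vendor's model.
SCALE = {"low": 1, "medium": 2, "high": 3}
FACTOR_WEIGHTS = {"complexity": 2, "manual_processing": 1, "prior_findings": 3}
MATERIALITY_USD = 5_000_000   # assumed materiality threshold for impact bucketing
IN_SCOPE_MIN_SCORE = 3.0      # assumed: likelihood * impact at or above this is in scope
HIGH_RATING_MIN = 6.0         # assumed: scores at or above this are rated "high"

@dataclass
class Account:
    name: str
    balance_usd: float        # quantitative factor captured from the finance tool
    factors: dict             # qualitative factors rated low / medium / high

def factor_scores(acct):
    """Per-factor scores: the dynamically generated columns of a ranking report."""
    return {f: SCALE[acct.factors[f]] for f in FACTOR_WEIGHTS}

def likelihood(acct):
    """Weighted average of qualitative factor scores on a 1..3 scale."""
    scores = factor_scores(acct)
    weighted = sum(scores[f] * w for f, w in FACTOR_WEIGHTS.items())
    return weighted / sum(FACTOR_WEIGHTS.values())

def impact(acct):
    """Impact bucket (1..3) from balance relative to materiality."""
    ratio = acct.balance_usd / MATERIALITY_USD
    return 3 if ratio >= 1 else 2 if ratio >= 0.25 else 1

def risk_score(acct):
    return round(likelihood(acct) * impact(acct), 2)

def sox_scope(accounts):
    """Split accounts into in-scope and out-of-scope lists for control testing."""
    in_scope = [a.name for a in accounts if risk_score(a) >= IN_SCOPE_MIN_SCORE]
    out_of_scope = [a.name for a in accounts if risk_score(a) < IN_SCOPE_MIN_SCORE]
    return in_scope, out_of_scope

def audit_plan(accounts):
    """Risk-based plan: highest score first, each entity tagged with its rating."""
    ranked = sorted(accounts, key=risk_score, reverse=True)
    return [(a.name, risk_score(a), "high" if risk_score(a) >= HIGH_RATING_MIN else "normal")
            for a in ranked]

SAMPLE = [  # constructed sample accounts
    Account("Mortgage loans", 12_000_000, {"complexity": "high", "manual_processing": "medium", "prior_findings": "high"}),
    Account("Petty cash", 40_000, {"complexity": "low", "manual_processing": "high", "prior_findings": "low"}),
    Account("Investment fees", 2_000_000, {"complexity": "medium", "manual_processing": "low", "prior_findings": "medium"}),
]
```

Running `sox_scope(SAMPLE)` and `audit_plan(SAMPLE)` shows the two pieces the case study ties together: the same score that puts an account in scope also decides where it lands in the audit calendar.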

The audit team can save time and effort by choosing from a wide range of inbuilt and configurable audit checklists within the solution, instead of manually creating new checklists. The solution also offers them the flexibility of continuing to use the same spreadsheet-based reports that they are used to for reporting audit findings and recommendations.

At every stage, powerful dashboards with drill-down capabilities help track the status of the audit, and measure its progress against pre-determined milestones.

Issue Management
Any issues that are identified during internal audits or control testing activities are automatically routed by the MetricStream solution through a systematic and closed-loop process of investigation and remediation. The solution facilitates seamless collaboration across departments, business segments, and geographies, to quickly mitigate and resolve these issues. In addition, a powerful issue tracking and reporting functionality provides complete and real-time visibility into how each issue is being managed.

Benefits

With the help of the MetricStream solution, the client has achieved the following benefits:

Breakdown of silos: The MetricStream solution is built on a scalable GRC platform that extends across departments, business segments, and locations, unifying over 200 users in one framework. These users are able to easily coordinate SOX compliance and internal audit activities, share information, and work together towards meeting regulatory requirements, and lowering the organization’s risk exposure.

More streamlined and efficient audit planning: By integrating risk assessments and internal audit planning, the MetricStream solution has helped the client simplify audit forecasting, prioritize audit tasks more effectively, and distribute audit resources and costs more efficiently.

Greater top-level visibility: The MetricStream solution enhances oversight of SOX compliance and internal audit processes across the enterprise through real-time dashboards and reports. It also establishes clear relationships between risks, controls, tests, auditable entities, and other GRC objects, enabling the client to proactively identify gaps and loopholes, and facilitate accountability for risk-control processes.

Lowered costs: Using the MetricStream solution, the client has been able to minimize redundancies and duplicate effort, and automate various workflows, thereby saving time and resources. The cost of maintaining and running the MetricStream solution has proved to be less than that of the client’s legacy systems. Further cost benefits have been realized by deploying the solution over the MetricStream Cloud - a state-of-the-art virtualization and private cloud technology that offers excellent reliability, security, and flexibility.