Case Study

Automating Compliance Management

The Client: A Large Organization that Provides Internet Infrastructure Services


As a global leader, the foremost concern is the security and stability of the Internet infrastructure. The company advocates for the policies that strengthen security, protect and improve Internet infrastructure, and promote stable governance. Being a regulated company, the organization is subjects its services to regular and thorough audits to maintain compliance with regulations, such as the Sarbanes-Oxley Act of 2002 (SOX) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as well as rigorous internal service testing.


MetricStream was the chosen solution based on its robust compliance methodology, scalable risk management capabilities, and its intuitive and easy-touse design. Within the limited time-frame, MetricStream’s project team mapped the company’s business flows to the MetricStream solution, so that the installation would best reflect the company’s internal processes. The steps, covered in this process, included:

Standard Internal Controls: The MetricStream solution provided a central repository for all types of company’s control systems, including those for operational efficiency, regulatory compliance, and financial reporting.

Work Flows: The MetricStream solution provided built-in and customizable workflow capabilities which allowed for creation of user-defined workflows for approvals/ reviews based on the organizational hierarchy levels. The system enabled automatic routing of information or email notifications to the issue assignor about issue creation, modification and/or closure.

Process Flows: The MetricStream’s Process Flow Designer tool facilitated application design and development by graphically modeling business processes.
The solution accommodated COSO elements, including planning, risk assessment, control activities, information and communication and monitoring, within the company’s business processes.

Reporting Capabilities: The MetricStream solution featured executive dashboards which provided enterprise-wide visibility into the internal controls and processes, and highlighted the high-priority cases that needed to be addressed. The solution provided complete real-time visibility into exception data with analytics for trend analysis. Reports for status tracking, scorecards and compliance dashboards could be readily accessed. Flexible reports with drilldown capability provided statistics and data by a variety of parameters such as business units, processes, and divisions.

Operational Testing: The MetricStream solution established testing as an integral part of the enterprise-wide processes and controls. Moreover, the solution provided distinct definition and scheduling of self assessment (control performance monitoring), design evaluations (whether internal or external), and operational effectiveness testing. The ability to export information from reports into spreadsheets simplified the overall operational testing process.

Risk Assessment Capabilities: The MetricStream solution allowed the Audit Management department to integrate with the Risk Management solution and supported risk assessment based on parameters such as severity and likelihood of occurrence for calculating the risk index of a finding. The solution supported computations based on configurable methodologies and algorithms giving auditors a clear view into organizations risk profile. The system allowed for customized risk and relevance criteria, risk templates, and scoring methodology
to be developed at any level of the organization.

Regulatory Compliance: The MetricStream solution supported various statistics required in 404 Assessment reports, such as number of controls by controls sets,
number of controls tested in each phase, number of exceptions in each phase, number of Auto/Manual Controls by control set. The solution also provided for ‘quarterly 302 certification’, by supporting online questionnaire/surveys and making reporting tools available to consolidate and analyze questionnaire/surveys.

Easy-to-Use User Interface: The MetricStream framework provided a rich feature set for configuring the solution according to the company’s established processes, allowing the company to tailor the solutions to business specific standards and requirements. With the MetricStream solution's user-friendly interface and drag and drop functionality, the company’s managers could get simple breakdowns and complex combinations instantaneously; document types, status, audit history, in-process documents, approval cycle times, document usage summaries, and average review times could all be obtained quickly and easily within a few drags and clicks on field data. Multiple tables or graphs could be generated giving a bird's eye preview to the risk portfolio.

Why MetricStream was Selected

Consolidated enterprise-wide compliance dashboard providing a common framework and an integrated approach to manage all compliance requirements

Automated information flows, assessments and testing, and remediation assignments to reduce over-all compliance costs

Streamlined controls management enabling process owners to take direct responsibility for managing controls

Enhanced regulatory reporting capabilities to affirm the strength of the internal controls and adherence to policies

Integrated document management with change control capabilities to keep compliance documentation and business processes in sync.


The company embarked on an initiative to fully comply with Sarbanes-Oxley regulations. As the company evaluated its current state of compliance preparedness, it identified a number of inherent challenges. The company managed regulatory changes in silos, focused narrowly on compliance, and used compartmentalized regulatory controls. The internal control structure was not sustainable and lacked co-ordination with the corporate governance objectives. Moreover, many of company's business units relied on desktop productivity tools such as standalone spreadsheets and manual processes to document their internal controls. These tools and the associated manual processes were not capable of meeting Sarbanes-Oxley's standards for documentation of controls and processes. With no clear definition of internal control roles and responsibilities, the company lacked a formal mechanism to review internal controls continually. The risk managers struggled to perform compliance work on a continual basis, and periodically assure the effectiveness of internal controls. Furthermore, the company lacked the ability to accurately report and analyze data across the enterprise, leading to disparate and incomplete reports. This lack of visibility hindered the corporate-wide continuous improvement initiatives.

According to the Senior Management, “With a deluge of threats targeting internet infrastructures, achieving regulatory compliance was critical to us. We were looking for a solution that could serve as the basis of our SOX compliance initiatives and provide a comprehensive platform to manage financial and nonfinancial controls.”


  • Streamlined Compliance Initiatives: 
    The MetricStream solution delivered an automated, integrated and fully configurable solution set that allowed the company to build a best-in-class enterprise risk and compliance management program. The solution empowered the company to consolidate business intelligence across divisions, and provide management with global visibility into their risk and compliance initiatives.
  • Structured and User Friendly User Interface: 
    The MetricStream solution provided a sophisticated tool that facilitated in-depth risk data analysis and proactive benefit risk management. Through the userfriendly web interface of the solution, the company can easily control information access, brand the user interface, streamline workflow processes, and create powerful dashboards.
  • Increased Efficiency and Collaboration:
    Risk-related controls groups are now able to carry out team activities in a productive manner with the collaborative environment that the MetricStream solution provides.
  • Automated and Simplified Internal Control Management:
    A COSO-based internal control management framework is established by virtue of which internal controls can be defined, scheduled and managed automatically. A full internal control reporting feature set is also made available.
  • Enhanced Transparency and Visibility:
    Comprehensive visibility provided by the MetricStream solution has lowered the risk of non-compliance, assuring the executives of higher customer and investor confidence.
  • Improved Reporting Capabilities:
    The MetricStream solution provided compliance dashboards and risk heat maps to enable enterprise-wide visibility into the financial controls management and compliance process, and highlight issues that need to be addressed.

Ready to get started?

Speak to our experts Let’s talk