The Client: Leading Consumer Goods Company
Headquartered in the U.S., the client has a large team of lead auditors and guest auditors who perform internal audits for operations and subsidiaries spread across multiple countries and continents. While this audit team previously had an audit management system in place, they struggled with challenges related to ineffective automation, multiple silos of information, and a lack of collaboration across audit projects and activities.
When the team decided to implement a new audit solution, MetricStream was chosen because of their ability to offer a solution that could not only improve the effectiveness and efficiency of audit programs, but could also be extended to manage other global GRC initiatives. The client would eventually be able to bring together and integrate all GRC processes and systems. This unified approach would provide a host of benefits to the client, most importantly giving them complete visibility into enterprise risks and the compliance environment which, in turn, would enable stakeholders to make informed strategic decisions.
In the first phase of the project, the client implemented MetricStream’s solution for audit management and compliance assessments. The solution has helped the client unify all global internal audit and compliance assessment processes, entities, and data. This integration has enhanced audit/compliance coordination and collaboration across business units and geographies, and has also improved top-level visibility into the status and findings of audits and compliance assessments. The solution has also enabled a systematic and automated approach to the audit and compliance assessment lifecycle, helping the client minimize redundancies, accelerate workflows, and improve overall efficiency.
MetricStream Audit Management Solution was seamlessly configured to meet the client’s comprehensive requirements for audit planning and scheduling, audit execution, analysis of findings, issue management, follow-up, and reporting. The solution has streamlined, integrated, and automated global audit processes and compliance assessments. It has also improved audit visibility, coordination, and control.
Below, in greater detail, are the capabilities of the solution:
Centralized audit universe
The MetricStream solution provides a common, global audit library which maps the client’s auditable entities to the corresponding risks (with parent-child relationships), controls, audit processes, questions, procedures, and other critical information. This centralized and tightly-mapped data model makes it easy for the audit team to understand the relationships between different audit elements (e.g. the type of risks relevant to each auditable entity). It has also helped standardize the risk and control language across the global enterprise. Since the audit universe can be accessed from anywhere across the world over the solution’s web-based interface, auditors can easily refer to the information whenever required.
Audit planning and scheduling
The MetricStream solution has been configured to enable audit planning at the organizational level. All that auditors need to do is to select the organizations within the enterprise that need to be audited. The more specific details such as the type of auditable entities and risks are only selected during the time of audit execution. This approach makes the audit plan more dynamic, and provides the flexibility for auditors to make changes to the plan even after it is published.
When the audit team creates the plan, the solution helps them determine which organizations need to be audited, and in what time-frame. Accordingly, the audits are scheduled and routed for review and approval.
For each audit plan, the MetricStream solution provides a list of options for audit supervisors to select the specific auditable entity that needs to be audited, along with the related risks. Once this data has been updated and finalized, the solution facilitates the creation of audit work papers.
Audit project management
The MetricStream solution provides “audit project management” functionalities for lead auditors and audit supervisors to manage audit projects, edit audit scopes, change audit schedules, and perform other top-level audit process functions.
The solution has also facilitated a novel approach to store, handle, and identify “business contacts” (users who are not part of the audit team but are involved in the audit process in some way). The solution automates the search and selection of such users, and enables audit data or roles to be assigned to them as required.
During the audit execution phase, the MetricStream solution enables auditors to enter qualitative and quantitative data in the system, and attach evidence of findings. This data is then routed to the lead auditors for review and approval. An offline audit briefcase allows for audit findings to be entered even in remote sites where there is no connection to the corporate network. These findings can be later synchronized with the central audit repository when the auditor is able to connect to the network.
The MetricStream solution supports compliance control assessments and testing performed by the audit team, as well as assessment teams and business control facilitators. The solution helps them test each control, and document their findings. Advanced reports roll up these findings to provide enterprise-level visibility into which controls are not working, what issues could arise, which areas of the business are at risk, and other key findings. This data is then routed to the MetricStream issue management module for investigation and remediation. Alongside, a centralized control library standardizes and simplifies the control assessments by mapping all controls to the relevant processes, organizations, auditable entities, risks, questions, and procedures.
Audit task reassignment
In the client organization, the vast size and scope of each audit requires more than one auditor to work on a single audit task. In other words, each audit task is distributed among multiple auditors. Every time an auditor completes his/her portion of a task, it can be reassigned to the next auditor without any loss of data. This way, the next auditor can seamlessly pick up from where the previous auditor left off. Each task is smoothly reassigned through the MetricStream solution till the last designated auditor completes the task, and routes all the data for review and approval.
Issue management and follow-up
All issues that are identified and documented during the audit process are routed by the solution’s underlying workflow engine through a streamlined process of issue investigation and resolution. Automatic alerts and notifications are sent to the appropriate personnel to implement audit recommendations, and keep the process on track.
The solution also enables follow-up audits to track the status of issues or non-conformances that were identified in a previous audit. The audit team can create an audit checklist, and use it to determine if an issue has been effectively closed, and if corrective/remediation action has been initiated and completed as recommended.
Audit reporting and closure
The MetricStream solution provides a rich range of audit reports with complex tables and color-coded charts to efficiently track the status and findings of each audit. Powerful dashboards with drill-down functionalities offer real-time visibility into the audit process, and throw light on various audit statistics and trends.
The audit process remains open in the MetricStream solution till (a) all work papers have been completed, approved, and closed, or cancelled; (b) at least one audit report is published. When the report comes out, the solution enables auditors to select business contacts who need to be notified. An automatic alert is then sent to these contacts with details of the report.
Before upgrading to MetricStream’s solution, the client encountered the following challenges:
The client selected MetricStream for the following reasons:
MetricStream’s GRC platform provides the extensibility for companies to progressively implement multiple GRC solutions that can be linked with each other to seamlessly share information, and to build an integrated and agile GRC environment.
Scalable, web-based approach
The MetricStream solution spans organizational functions and users across multiple locations. As the organization grows, the MetricStream solution can also scale up to meet their needs. A web-based interface makes it easy for teams across the globe to communicate with each other, view tasks, share information, and perform other collaborative activities.
The MetricStream solution provides the configurability to meet each client’s specific needs and processes. It can be seamlessly mapped to various organizational structures, risks, controls, testing processes, auditable entities, and other elements.
Role-based authorization and access controls help keep a check on who gets to access what information in the solution. For instance, guest auditors have limited data access compared to internal auditors. These controls keep information secure.