The Client: Fortune 500 Food & Beverage (F&B) corporation

Overview

As a publicly traded company and a trusted global brand, the company strives to maintain the highest standards of corporate governance and accountability through consistent compliance with SOX. Robust compliance controls are implemented and tested regularly by control owners across the company’s geographic sectors. The test results are then sent to the control and compliance headquarters, where they are consolidated into reports and distributed to the relevant stakeholders, including internal auditors and compliance monitors.

The challenge for the client lay in the amount of time and effort it took to capture and report control test results. Each time a control was tested, the control owner would manually enter the results into spreadsheets and route the data to the corporate control and compliance team. This team would end up confronting multiple bulky spreadsheets from which the data had to be manually aggregated and organized into reports.

This data consolidation and reporting approach became increasingly time-consuming and inefficient, prompting the client to search for a more automated and integrated system. After evaluating several vendors, the client chose MetricStream to implement a solution that would simplify and accelerate control testing and reporting, strengthen compliance with SOX, and provide risk intelligence to improve corporate governance.

MetricStream SOX Compliance Management Solution is used by the company’s operations across all the geographic sectors, providing a single, centralized framework to capture control test results, track testing processes in real time, automate test data management and reporting, and streamline the investigation and remediation of control failures. The solution, rolled out over MetricStream GRC Cloud, has enabled the client to accelerate time-to-implementation and lower the total cost of ownership.


Solution

MetricStream has extensive experience in helping large global brands successfully manage their risk and corporate governance challenges. On the strength of this track record, and of the capabilities of MetricStream’s solutions, the client selected MetricStream from among multiple other vendors to implement a cloud-based SOX compliance and reporting solution.

Built on a scalable enterprise GRC platform, the solution provides the following capabilities:

Global risk and control matrix
The client has multiple IT and operational controls across geographic sectors to ensure compliance with SOX. For instance, there are backup and recovery schedules which are regularly reviewed and certified for accuracy and completeness. There are also vendor compliance reports which are evaluated to identify and resolve violations. Then there are mainframe security access controls which are reviewed on a quarterly basis to ensure that access is appropriate, and that all discrepancies are identified and resolved.

The MetricStream solution identifies each control as preventive/ detective, supporting/ key, manual/ automated, financial/ operating/ SOX/ non-SOX. It also maps these controls to the associated control categories, owners, and risks, as well as the associated testing processes, testing frequency, and start and end dates. This tightly integrated matrix of control data has enhanced testing transparency and accountability, while also helping ensure that the testing process is streamlined and structured.

Capture of control test results
The MetricStream solution provides a centralized framework to capture control test results from across sectors. Every control owner in the company, from anywhere across the globe, can log on to the MetricStream solution to record and share their control test data.

The solution also enables control owners to create testing schedules for IT and operational controls. Each sector can have a different schedule - be it daily, weekly, monthly, quarterly, or yearly. The solution helps in tracking these schedules, as well as changes in controls, and control implementation/ retirement dates.

Every time a control is tested, the owner can upload the testing evidence into the MetricStream solution, which then automatically routes the data for review, approval, and reporting to various stakeholders such as process owners, control coordinators, and eventually the control and compliance team. This consolidated data can be leveraged to provide evidence to internal auditors and compliance monitors that all controls were tested to the satisfaction of the corporate control and compliance team.

Control failure tracking and remediation
If a control has failed -- due to its design, execution, evidence, or any other reason -- the MetricStream solution triggers a systematic mechanism of investigation, root cause analysis, and remediation. The solution captures comprehensive details about which control has failed, what the impact is (in terms of money, time, etc.), what the associated risks are, what remediation action should be taken, and other critical data. It also helps in tracking the control failure from initiation to resolution and follow-up to ensure that all the necessary action items have been completed. Automated notifications and alerts keep the process on track, and help ensure that the control failure is remediated in a timely manner.

Reporting
The MetricStream solution has been configured to meet the client’s complex reporting requirements around control testing. Based on the test results, the solution generates a series of reports to process owners, as well as corporate-level stakeholders. These reports include executive summaries of testing (e.g. what was tested, what was rolled forward, results, number of effective controls), as well as summaries of control deficiencies per sector, test results per process (including pass rate percentages and trends), chart testing summaries, annual testing schedules with test results from previous quarters, control change reports, and control trail reports.

The solution also provides a series of graphical charts and dashboards enabling executives to track the status of SOX controls, risks, testing processes, control scores, and failures across the global enterprise. Drill-down capabilities provide visibility into the finest details of control and compliance at not only the corporate and sector levels, but also the regional and market levels. In addition, trend reports help stakeholders identify areas of concern and opportunity.

Challenges

Before implementing MetricStream’s solution, the client faced the following challenges:

  • Inefficiencies: Each time a control was tested, the results were manually aggregated at the sector, regional, and market level, and reported to the local management and corporate compliance team using multiple different spreadsheets. This approach was cumbersome and time-consuming. It also resulted in a growing pile of spreadsheets spread across different systems, which made it difficult to sort through and find data.
  • Insufficient visibility: The client lacked a centralized, real-time view of control testing and compliance, as well as compliance risks and issues across the enterprise. Better visibility was needed to identify and mitigate problem areas in a timely manner.
  • Restrictive silos: Each sector used different processes, formats, and templates to record its control test results, making it difficult to integrate all the data into one enterprise-level report for the corporate compliance team.
  • Lack of scalability: Existing compliance systems and applications could not scale up to meet the client’s increasing list of compliance and risk obligations.

Why MetricStream Was Selected

MetricStream has a strong track record in helping large global brands strengthen corporate governance and SOX compliance.

Leading analyst firms have consistently positioned MetricStream among the top GRC solution providers over the years.

The MetricStream solution enables an integrated and streamlined approach to control testing and reporting across the global enterprise.

Testing processes can be monitored in real time at both the corporate and sector level.

Powerful reports, charts, scorecards, and dashboards deliver in-depth visibility into control test results, support advanced data analyses, and help companies proactively mitigate compliance risks.

The solution is scalable -- in the future the client can add more users, and also extend the solution to include further capabilities such as enterprise/ operational risk management, internal audits, regulatory examinations management, and supplier governance.

Benefits

  • A single, integrated system for global SOX compliance management
    The MetricStream solution provides a common framework for control testing and reporting across more than 400 users worldwide. The solution cuts across functional and geographic boundaries, consolidating control, testing, and compliance data in a centralized point of reference for easy search and access. It also streamlines control testing and reporting workflows, minimizing redundancies and inefficiencies.
  • Balance between decentralized and centralized compliance management
    The MetricStream solution supports individual SOX compliance control testing at the sector/ region/ market level, while simultaneously rolling up test results to the corporate level for reporting.
  • Improved consistency in compliance data
    The solution has helped standardize control testing processes, data formats, and templates, thereby making it easier to consolidate test reports at the enterprise level. It has also improved the quality and speed of data analysis and reporting, enabling management to make more timely and informed decisions.
  • Better visibility into SOX compliance
    The MetricStream solution centralizes the client’s IT and operating control test results, and provides a range of robust reports to track the effectiveness of controls and testing processes. It also provides real-time information on control activities at a sector/ region/ market level, improving overall awareness and management of compliance.
  • Minimal manual intervention, greater cost-efficiency
    The solution has automated multiple time-consuming testing and reporting workflows, and helped speed up the consolidation and release of information. The time saved translates into significant cost savings, and enables resources to be redirected to more value-added activities.
  • Seamless control failure management
    Since the MetricStream SOX compliance management solution is integrated with an issue management module, the client can seamlessly route all control failures for timely investigation and remediation. The in-depth visibility provided by the solution enables the client to stay ahead of major risk/ compliance issues.
  • Faster time to value
    The MetricStream solution is rolled out over MetricStream GRC Cloud – a state-of-the-art and highly secure private cloud environment that enables quick and agile deployments, while enhancing flexibility, performance, and scalability.
