The Client: International Financial Services Giant


The client was using multiple cumbersome spreadsheets and manual processes to manage their SOX controls testing, regulatory compliance, and internal audits. This approach became increasingly time-consuming and resource-intensive. With MetricStream solution, the client was able to automate and streamline their processes for optimal efficiency. They were also able to integrate all risk, compliance, and audit data in common repositories, making it easy to track, analyze, and respond to trends, issues, and concerns.

Download the Case Study


MetricStream helped the client replace manual tools and spreadsheets with integrated, automated solutions. The client was able to simplify and accelerate their regulatory compliance, SOX, and internal audit processes, while also gaining more visibility into the right data at the right time.

MetricStream provided the client with three solutions:

SOX Compliance Management Solution
The SOX compliance management solution provides a common framework for 350 users across the global enterprise to manage their internal controls testing processes. The solution has helped streamline procedures for surveys and certifications which are used to test 1,000+ controls on a quarterly basis. These processes, in turn, affirm the strength of internal controls and adherence to compliance requirements. 

All SOX data is consolidated in one, common system. This integrated data model enables a consistent and standardized process for managing internal controls across the enterprise. It also simplifies data management and tracking. 

Using MetricStream Solution, users can design, assess, improve internal controls, and monitor their compliance processes at any level of detail. Since control testing is automated, a lot of time and effort is saved.

Users can manage the entire survey process for control assessments through the solution—right from developing the surveys, to distributing them to relevant business owners, collecting responses, and routing them for review and executive certifications. 

Any controls deficiencies or non-compliance issues that arise from the assessment process are automatically routed through a systematic process of investigation and remediation that can be tracked in real time through the solution. Issues are marked for remediation and/or disclosure, and assigned to owners within the business unit. Control managers/ issue owners can modify the controls, define new controls, or recommend treatment plans to address each issue.

The senior management has continuous visibility into the SOX compliance process through dashboards and charts that display real-time information. The reports provide a consolidated view of SOX metrics by a variety of parameters such as process, test results, key controls, and remediation status. Thereby, the solution provides greater control over and clear visibility into compliance issues, statuses, and plans.

Regulatory Compliance Management Solution
The MetricStream compliance management solution offers the client a centralized environment to manage their entire regulatory compliance process– ranging from risk assessments, to anti-money laundering surveys, to compliance control testing, to incident management, and issue management. 

All regulatory compliance data and processes are integrated in one system for complete transparency and accountability. Moreover, the different groups managing each process can easily communicate and collaborate with each other over a web-based interface. 

Each global and local regulatory body is mapped to the relevant business units in the solution. Therefore, at one glance, the compliance team can determine which business unit needs to comply with which regulation. Accordingly, they can plan and schedule compliance risk assessments. 

The solution maintains a set of 9 regulatory compliance risk factors based on which users can automatically calculate the inherent risk, control risk weighting, and other requirements. These risk assessment results are aggregated from across business units, and rolled up to the compliance team who can identify issues and areas of concern, and trigger an investigation process. Any compliance incidents that arise are also captured and tracked in real time through the solution. 

As part of the compliance process, the solution is used to develop and distribute anti-money laundering surveys to officers across the enterprise every month. These officers assess the risks in their business units, fill out the survey over the solution’s web-based interface, and route it back to the compliance team for review.

Powerful reports and dashboards display comprehensive, in-depth, and real-time information on regulatory compliance risks, results of risk assessments, control testing findings, anti-money laundering survey responses, issues, incidents, and other key data. The compliance team can effectively slice and dice this data to uncover trends and areas of concern, and deal with them quickly and efficiently. 

The solution is used by 400 users across the enterprise, and can be easily scaled up to accommodate more.

Audit Management Solution
The audit management solution facilitates a centralized and integrated approach to the complete internal audit management process across the globe. The solution, which has 700 users, helps the audit team check the operational readiness of internal controls.

It streamlines internal audits, beginning with audit planning and scheduling, and extending to audit execution, issue management, and reporting. It also supports risk-based audits, following a top-down approach. The corporate audit group gets an overall view of the risk assessment results across the organization. This enables them to easily determine which areas are high-risk, and accordingly prioritize their audits for optimal efficiency. 

Users have the flexibility to plan and schedule both ad hoc and periodic audits (annual/ semi-annual) depending on the nature of the audit and the risk assessment results. They can use the solution to efficiently plan and allocate audit resources and budgets, and manage checklists and tasks for executing the audit. They can also elect an auditor or a team of auditors, and assign audit responsibilities with due dates. Automatic notifications are sent to the auditor as well as the entity to be audited.

Auditors can record their findings with detailed observations and recommendations in pre-defined formats along with task checklists. This data is then routed for review and approval. Auditors can also provide coaching notes and comments for in-progress tasks.

A unique offline audit capability allows internal auditors to enter their findings in notebook computers and other handheld devices at remote field sites that don’t have access to the corporate network. They can later synchronize the data with the central audit repository when they return to the office, and can again access the network.

A timesheet capability allows auditors to record the time spent in each audit task. This data can be tracked against pre-defined milestones to ensure that the audit process is meeting the expected deadlines. A failure to complete the audit by the due date triggers escalations to quality heads or supervisors. 

The solution provides comprehensive functionalities for managing internal audit issues/ findings. Once the issues are identified, as well as documented and prioritized, the solution triggers a systematic mechanism of investigation and remediation, supported by automatic alerts and notifications.

When it comes to reporting, the whole process is simplified, as a series of customized reporting templates can be automatically populated with data. The system provides complete historical and real-time access to all audit data, as well as an analysis of auditor performance and audit results. Users can generate draft and final audit reports with review and approval workflows in configurable formats.


Bring an international financial services company, the client has to comply with regulations from over 200 local and global authorities, ranging from the CBRC in China, to AUSTRAC in Australia, to the CSSF in France, the FSA in the UK, and the SEC in the US. 

The client also has to ensure that internal controls are tested regularly to comply with SOX requirements. In addition, they have to conduct a series of internal audits every year to evaluate the effectiveness of their internal controls, and ensure efficient risk mitigation. 

Coordinating these various risk, regulatory compliance, SOX, and audit processes among multiple business units scattered across different geographies, was extremely exhausting and complex – more so, because these processes were managed manually. For instance, the SOX team would use spreadsheets to enter, manage, and track control testing data. Or they would create control evaluation surveys on word documents, and distribute them to respondents via email. This manual approach took up a lot of time and effort, and often delayed reporting.

Moreover, data from risk, regulatory compliance, SOX, and audit processes ended up being scattered across multiple different documents. This made it difficult for users to find the information they needed at the right time. It also limited enterprise-level visibility into things like the status of SOX compliance status or the number of audit issues. This, in turn, impacted strategic decision-making.

Why MetricStream was Selected?

The client chose MetricStream for the following reasons:

Experience and expertise:MetricStream solutions have been deployed at some of the biggest and most well-known financial services institutions worldwide.

Integrated approach: The solutions integrate all relevant data, processes, and stakeholders on a common platform for greater consistency, transparency, and accountability.

Scalability: Hundreds of users across the global enterprise can use the MetricStream solution to manage their risk and compliance processes.

Flexibility: The solutions can be configured to meet the client’s specific business requirements. For instance, the compliance incident management capability was built from scratch to suit the client’s needs.


  • Increased agility and efficiency:
    The solution has simplified and accelerated SOX, regulatory compliance, and audit processes by replacing manual processes and spreadsheets with automated tools.
  • Better visibility:
    Since SOX, regulatory compliance, and audit data is consolidated in common repositories, it is easy for users to track down or locate the information they need. The centralized information model also makes processes more consistent.
  • Improved collaboration:
    All users are integrated on a common platform. This makes it easy to share information, and communicate and coordinate activities among different teams.
  • Faster decision-making:
    The audit, SOX, and compliance teams get real-time and in-depth insights into their processes. They can quickly identify areas of concern and opportunity, and respond proactively.

Get a demo Download RFP Template Pricing Contact