The Client: Societe Generale



In a drive towards more consistent audit tools, methods, and processes, the global audit group at Societe Generale undertook an effort to bring all the different audit teams under a single group, and to establish a common internal audit process for the global enterprise.


Today, Societe Generale Internal Audit is regarded as both a trusted advisor and important guide to the business that provides recommendations that are critical to the firm’s strategic decisions and management operations. This is largely due to the group’s efforts related to streamlining its global operations, and increasing their visibility into enterprise-wide risks.

Prior to 2010, there were 1,500 auditors scattered across 101 different teams spread throughout 50 countries and managed by local entities. Each team had different audit processes, systems, and methodologies. The resulting audit information was scattered across different spreadsheets and documents, which made it time-consuming to find the right data quickly.

By 2010, as a result of increasing complexity across these audit processes, coupled with growing regulatory pressure, the internal audit group began to rethink and reimagine their internal audit function. A global audit department was created, gathering all audit teams worldwide. Leveraging the function’s independence, its credibility across the organization, and a desire to drive more consistent audit tools, methods, and processes, the new audit department undertook an effort to bring all the different audit teams under a single group, and to establish a common internal audit process for the global enterprise.

Towards a New Internal Audit Strategy
As Societe Generale defined its new audit road map, the organization capitalized on the best practices that were already established across various audit teams. A three-fold strategy was devised:

(a) Create working groups to define audit processes based on best practices
(b) Select tools to manage those processes
(c) Roll out the solutions selected.

Based on this strategy, the organization took several steps to strengthen each of the following audit processes.

Risk assessment
Societe Generale already had robust risk assessment processes in place. However, the internal audit group wanted to implement a common risk assessment framework and language that would facilitate risk assessments at any level of granularity, while also enabling comparisons of risk across the enterprise. The objective was to gain a consolidated view of risk at any desired level (e.g. business level, regional level, process level, organizational level), so that internal auditors would be better positioned to plan audits, prioritize tasks and assignments, and ensure that high-risk entities were audited more frequently than low-risk entities, in conformance with IIA standards.

The internal audit group took six months to define and crystallize their risk assessment process. Alongside this, they deployed the new Risk Assessment and Definition of Audit Review (RADAR) solution, which would integrate all risk assessments in a centralized framework and help standardize the risk language and methodologies.

As a result of these efforts, the internal audit group now has a common view of their risks across the enterprise. This risk data can be leveraged to help the management team make more data-driven and risk-informed strategic decisions. Based on this data, the management team has been able to plan its regional investments more efficiently.

Audit mission management
One of the biggest challenges facing the internal audit group was dealing with significant volumes of audit mission data such as diagnoses and work papers. Audit teams needed to be able to easily enter their findings and reviews, as well as search through data, maintain audit trails, and respond to regulatory requests for audit information. The goal was to implement a more efficient and consistent approach to organizing and sorting the data collected on each audit mission.

Six working groups were established to define common templates for each step of the audit mission, with specific attention on the diagnosis phase. Today, these templates have simplified and accelerated audit missions considerably. These templates are stored in a solution that auditors can access from anywhere across the enterprise. A lot of careful thought has gone into the quality and ergonomics of the solution to ensure that auditors don’t encounter any performance or user issues. Alongside, strong security and access controls have been implemented to protect the audit data.

Recommendation follow-up
The internal audit group was determined to reduce the time taken to close audit recommendations, which included reviewing evidence that the recommendations had been implemented. At the same time, they wanted to ensure that the solution used to communicate and follow up with auditees on recommendations was intuitive and easy to use.

Four working groups were established to define common audit recommendation templates, workflows, and access rights. Within six months, a single, unique, and intuitive database had been implemented in a new solution to manage all audit recommendations. Today, the database can be easily accessed and used by 15,000 auditees worldwide. Inbuilt capabilities to support 15 languages help ensure that any auditee across the world can easily understand the recommendations.

Knowledge management and best practices sharing 
The internal audit group felt that it was important to create a common audit knowledge repository that would provide accurate and up-to-date information on audit methodologies.

Communities of internal audit experts helped manage, update, and ensure the quality of the audit methodologies. A central repository for these methodologies was built in an intranet solution. It was designed to allow comments from other auditors, thereby encouraging interactivity, and creating more up-to-date and accurate data.

Due to this initiative, the internal audit group has been able to reduce from 80% methodology documents within one year. They have also been able to get 80% of the organization’s auditors to consult the methodology space to review, share, or comment on the information at regular intervals.

Next steps
The internal audit group’s plan for 2014 is to use RADAR to support continuous monitoring so that stakeholders can regularly review their audit plan. In order to enable more proactive risk management, a continuous risk feed is important.

Reporting to the management team will also be strengthened through graphical automated reports and enriched dashboards.


Lessons Learned
  • Get the support of your management team every step of the way.
  • Hire people who are experts in risk theories and statistical methods to develop your risk assessment model, so that regulators don’t find errors or inconsistencies in it.
  • Set up a test environment to get an idea of different audit and risk process volumes. Define targets accordingly.
  • Train people on the new processes and systems. Give them the time to get used to these changes.
  • While implementing a new process, try to retain some level of familiarity (e.g. data formats). It may take a long time to upload and map existing data files in a new system, but this is a key factor for success because it means that auditees will adapt to the system quickly.
  • Remember that transforming audit processes takes time. So, implement technology progressively. And set realistic implementation timelines so that your IT teams are not fatigued or stressed out by the process.
  • Ensure that your audit solution or system is stable and secure, so that auditors feel confident using it.

The Enabling Role of Technology

To support the achievement of its audit objectives, Societe Generale turned to MetricStream for a comprehensive internal audit risk assessment solution. Configured to meet the financial service provider’s unique needs, the RADAR solution provides the following core capabilities:

  • Streamlining and automating risk assessment processes for greater efficiency
  • Standardizing risk terminology across the organization through a single risk library
  • Centralizing the audit universe and data repositories mapped to Societe Generale’s organizational hierarchy and structure
  • Integrating qualitative and quantitative data to support risk scoring, audit planning, and prioritization
  • Providing powerful dashboards, reports, and analytics that show an aggregated view of risk, while also enabling users to drill down to view risks at various levels of granularity


  • Standardization of audit risk assessment process worldwide
    All auditors today follow a common and consistent approach to internal audits across every country. This has helped define consistent audit plans anywhere across the globe.
  • Greater visibility into risk
    Risk assessments from across the global enterprise are integrated in a single framework. This makes it easier for the internal audit group to review and interpret the results, and prioritize audit plans and schedules so as to lower the organization’s overall risk exposure.
  • Added business value
    By improving the quality of audit processes, the internal audit group has also improved the quality of audit data. Information and results from various systems have been consolidated, and transformed into meaningful reports and dashboards that support decision-making at the highest level of the organization.


“By October 2011, we had a complete, consolidated picture of risk across the group. Therefore, during our meetings with organizational executives, we could point out which auditable entity was more risky than others. Providing this kind of feedback was new. It enabled us to add value to the management team, and act as partners to the business.” Pierre Josse, Head of internal audit tools, trainings, and methodologies at Societe Generale.


