Improving risk transparency, audit quality, and business value
The Client: Societe Generale
In a drive towards more consistent audit tools, methods, and processes, the global audit group at Societe General undertook an effort to streamline all different audit teams under one single unique group, as well as establish a common internal audit process for the global enterprise.
Today, Societe Generale Internal Audit is regarded as both a trusted advisor and important guide to the business that provides recommendations that are critical to the firm’s strategic decisions and management operations. This is largely due to the group’s efforts related to streamlining its global operations, and increasing their visibility into enterprise-wide risks.
Prior to 2010, there were 1,500 auditors scattered across 101 different teams spread throughout 50 countries and managed by local entities. Each team had different audit processes, systems, and methodologies. The resulting audit information was scattered across different spreadsheets and documents, which made it time-consuming to find the right data quickly.
By 2010, as a result of increasing complexity across these audit processes, coupled with growing regulatory pressure, the internal audit group begin to re-think and re-imagine their internal audit function. A global audit department was created, gathering all audit teams worldwide. Leveraging the function’s independence, its credibility across the organization, and a desire to drive more consistent audit tools, methods, and processes, the new audit department undertook an effort to streamline all different audit teams under one single unique group, as well as establish a common internal audit process for the global enterprise.
Towards a New Internal Audit Strategy
As Societe Generale defined its new audit road map, the organization capitalized on the best practices that were already established across various audit teams. A three-fold strategy was devised:
(a) Create working groups to define audit processes based on best practices
(b) Select tools to manage those processes
(c) Roll out the solutions selected.
Based on this strategy, the organization took several steps to strengthen each of the following audit processes.
Societe Generale already had in place robust risk assessment processes. However, the internal audit group wanted to implement a common risk assessment framework and language that would facilitate risk assessments at any level of granularity, while also enabling comparisons of risk across the enterprise. The objective was to gain a consolidated view of risk at any desired level (e.g. business level, regional level, process level, organizational level), so that internal auditors would be better positioned to plan audits, prioritize tasks and assignments, and ensure that high risk entities were audited more frequently than low-risk entities, in conformance with IIA standards.
The internal audit group took six months to define and crystallize their risk assessment process. Alongside, they deployed the new Risk Assessment and Definition of Audit Review (RADAR) solution which would integrate all risk assessments in a centralized framework, and help standardize the risk language and methodologies.
As a result of these efforts, the internal audit group now has a common view of their risks across the enterprise. This risk data can be leveraged to help the management team make more data-driven and risk-informed strategic decisions. Based on this data, the management team has been able to plan its regional investments more efficiently.
Audit mission management
One of the biggest challenges facing the internal audit group was with significant volumes of audit mission data such as diagnoses and work papers. Audit teams needed to be able to easily enter their findings and reviews, as well as search through data, maintain audit trails, and respond to regulatory requests for audit information. The goal guiding their mission was to implement a more efficient and consistent approach to organizing and sorting the data collected on each audit mission.
Six working groups were established to define common templates for each step of the audit mission, with specific attention on the diagnosis phase. Today, these templates have simplified and accelerated audit missions considerably. These templates are stored in a solution that auditors can access from anywhere across the enterprise. A lot of careful thought has gone into the quality and ergonomics of the solution to ensure that auditors don’t encounter any performance or user issues. Alongside, strong security and access controls have been implemented to protect the audit data.
The internal audit group was determined to reduce the time taken to close audit recommendations, which included reviewing evidence that the recommendations had been implemented. At the same time, they wanted to ensure that the solution used to communicate and follow up with auditees on recommendations was intuitive and easy to use.
Four working groups were established to define common audit recommendation templates, workflows, and access rights. Within six months, a single, unique, and intuitive database had been implemented in a new solution to manage all audit recommendations. Today, the database can be easily accessed and used by 15,000 auditees worldwide. Inbuilt capabilities to support 15 languages help ensure that any auditee across the world can easily understand the recommendations.
Knowledge management and best practices sharing
The internal audit group felt that it was important to create a common audit knowledge repository that would provide accurate and up-to-date information on audit methodologies.
Communities of internal audit experts helped manage, update, and ensure the quality of the audit methodologies. A central repository for these methodologies was built in an intranet solution. It was designed to allow comments from other auditors, thereby encouraging interactivity, and creating more up-to-date and accurate data.
Due to this initiative, the internal audit group has been able to reduce from 80% methodology documents within one year. They have also been able to get 80% of the organization’s auditors to consult the methodology space to review, share, or comment on the information at regular intervals.
The internal audit group’s plan for 2014 is to use RADAR to support continuous monitoring so that stakeholders can regularly review their audit plan. In order to enable more proactive risk management, a continuous risk feed is important.
Reporting to the management team will also be strengthened through graphical automated reports and enriched dashboards.
To support the achievement of its audit objectives, Societe Generale turned to MetricStream for a comprehensive internal audit risk assessment solution. Configured to meet the financial service provider’s unique needs, the RADAR solution provides the following core capabilities:
“By October 2011, we had a complete, consolidated picture of risk across the group. Therefore, during our meetings with organizational executives, we could point out which auditable entity was more risky than others. Providing this kind of feedback was new. It enabled us to add value to the management team, and act as partners to the business.” Pierre Josse, Head of internal audit tools, trainings, and methodologies at Societe Generale.