The Client: A leading specialty chemical company with customers and operations across the globe.
Realizing that their audit and SOX compliance processes could no longer be managed using a manual and siloed approach, the client adopted MetricStream’s Internal Audit and SOX Compliance Management Apps. With these Apps, they were able to integrate and automate audits and SOX compliance processes, and strengthen efficiency, collaboration, and visibility into audit and compliance data.
After the client evaluated multiple audit and SOX compliance solution providers, MetricStream was selected for its ability to offer a comprehensive, cloud-based GRC Platform that would cut across geographic and enterprise silos, integrating risk assessments, audits, and SOX compliance processes and data in a common environment. This approach would provide a better view of audits and SOX compliance, while also enhancing collaboration and information-sharing across dispersed audit teams.
Built on the GRC platform are the MetricStream Internal Audit Management App and the MetricStream SOX Compliance Management App, which streamline and automate audit and SOX compliance workflows, thereby improving efficiency and minimizing costs. The Internal Audit Management App also enables a risk-based approach to auditing, with support for assessing and rating risks across the EHS, Finance and Operations, and IT groups.
Issues that are identified either through audits or SOX control testing processes can be effectively managed and resolved through an integrated issue management and remediation functionality.
Below is a detailed look at how the MetricStream Apps are helping the client:
Risk Assessments: The MetricStream Internal Audit Management App captures and maps the client’s risks, objectives, controls, and auditable entities in a unified framework. It also provides configurable methodologies and algorithms to assess, rate, and score risks. Risk assessments are enabled across the EHS, Finance and Operations, and IT groups. Thus, auditors get a clear view of the organization’s risk profile, including high-risk areas, and can accordingly plan and prioritize their audit strategies and resources.
Audit Planning and Scheduling: The MetricStream App enables the client to create a comprehensive audit plan with a well-defined objective and scope. Each plan is logically structured with audit tasks, checklists, and evaluation criteria. Users can also leverage the App to schedule audits, select auditors, and assign responsibilities. Automated notifications are then sent to the auditor and auditee notifying them of the audit.
Resource and Timesheet Management: Gantt charts and reports in the MetricStream App provide details of audit schedules, resources, and activities, enabling the client to efficiently allocate audit resources to each project. Comprehensive timesheets automatically capture the time and money spent on auditing, helping the client identify ways to improve audit efficiency and cost-effectiveness.
Audit Execution: The MetricStream App enables a streamlined approach to control assessments. It also provides multiple capabilities to prepare, organize, review, and store audit work papers. During the audit, the App records audit findings, observations, and recommendations. It also supports information exchange and collaboration across multiple auditors.
The MetricStream App generates draft audit reports with the details of audit findings and recommendations. These reports are routed through the App for review and approval, after which the final audit report is generated and can be shared with internal stakeholders as well as the external auditor.
Control Design: The MetricStream SOX Compliance Management App enables the client to structure the SOX compliance and control hierarchy in a logical manner with tightly mapped links between processes, sub-processes, objectives, risks, controls, and control testing activities.
SOX Control Testing: The App streamlines the process of creating and assigning control tests, selecting control samples, conducting the tests, scoring the controls, and recording the details (including non-compliance issues and control deficiencies). Based on this data, the client can proactively identify areas of weakness or risk, and take steps to implement stronger financial controls.
Documentation: Standard templates and forms in the MetricStream App make it easy for the client to document test results. Supporting documentation and evidence of control findings are stored centrally, and can be easily and securely accessed.
Control Monitoring: The MetricStream App supports real-time monitoring of key control attributes, as well as control test plans, control design status, process ownership, test results, and other critical factors. All this information is displayed on graphical charts that can be drilled down by stakeholders to view data at finer levels of detail, and to track if SOX compliance and controls are optimally effective.
Issues that are discovered either during the audit process or SOX compliance evaluations are routed to an integrated issue management functionality. Here, a systematic and closed-loop process is triggered for issue investigation, root cause analysis, and corrective action. The system also captures the corresponding risk impact and likelihood to arrive at an overall risk score. Based on this data, the client can determine the best course of corrective action. Action plans are created, implemented, and routed for review and approval through the MetricStream system. Automated workflows and notifications accelerate the whole process, enhancing efficiency.
Powerful dashboards and reports with drill-down capabilities offer the client comprehensive visibility into audit and SOX compliance processes. Users can view data such as SOX control deficiencies and issues, audit result trends, summary of audit findings by business unit, region, or control, and highlights of audit plans. Users can also slice and dice the data from multiple perspectives to glean deeper insights into their audit and SOX processes, and thereby enable continuous improvements. The App also generates SOX control reports.
Every year, the client’s internal audit department conducts audits across multiple business units, including Environment, Health, and Safety (EHS), Finance and Operations, and IT. The department is also responsible for testing the controls of the Finance group to evaluate compliance with SOX requirements.
Earlier, audit activities were performed using a basic software system wherein the functionality was limited merely to work-paper management and time recording. The core audit processes, including risk assessments for audit planning, audit scheduling, and reporting were managed in a manual and siloed manner that was both laborious and resource-intensive. The client did not have an integrated risk assessment procedure which could help consolidate risk rating and scoring methodologies, and enable an effective, risk-based approach to audits.
For SOX compliance management as well, auditors had to manually define and test controls, aggregate the results, and then painstakingly mitigate issues, and consolidate the data into reports - all of which took considerable time and effort.
The other challenge was that most audit and SOX compliance processes were conducted in a fragmented, ad hoc manner. Being a global company, the client has a team of around 40 internal auditors who conduct 75-100 audits every year across offices in multiple countries.
Managing these dispersed resources, coordinating their activities, and tracking the time and expenses spent on audits were difficult without a unified system. Moreover, a great deal of data on audit and SOX processes was scattered across spreadsheets, emails, presentations, and other systems. The client found it increasingly challenging to efficiently manage and integrate this data in order to conduct planned, efficient, risk-based audits and share the reports with their external auditor.
Considering that the company was expanding its audit presence to the Asia-Pacific region, the impetus to establish an integrated audit and SOX compliance system was greater than ever. The auditors needed not only to improve data-sharing and collaboration, but also to gain sufficient visibility to optimize the use of resources.
The client chose MetricStream for the following reasons: