After the client evaluated multiple audit and SOX compliance solution providers, MetricStream was selected for their ability to offer a comprehensive, cloud-based GRC Platform that would cut across geographic and enterprise siloes, integrating risk assessments, audits, and SOX compliance processes and data in a common environment. This approach would provide a better view of audits and SOX compliance, while also enhancing collaboration and information-sharing across dispersed audit teams.
Built on the GRC platform are the MetricStream Internal Audit Management App and the MetricStream SOX Compliance Management App, which streamline and automate audit and SOX compliance workflows, thereby improving efficiency and minimizing costs. The Internal Audit Management App also enables a risk-based approach to auditing with support for assessing and rating risks across the EHS, Finance and Operations, and IT groups.
Issues that are identified either through audits or SOX control testing processes can be effectively managed and resolved through an integrated issue management and remediation functionality.
Below is a detailed look at how the MetricStream Apps are helping the client:
Risk Assessments: The MetricStream Internal Audit Management App captures and maps the client’s risks, objectives, controls, and auditable entities in a unified framework. It also provides configurable methodologies and algorithms to assess, rate, and score risks. Risk assessments are enabled across the EHS, Finance and Operations, and IT groups. Thus, auditors get a clear view of the organization’s risk profile, including high-risk areas, and can accordingly plan and prioritize their audit strategies and resources.
Audit Planning and Scheduling: The MetricStream App enables the client to create a comprehensive audit plan with a well-defined objective and scope. Each plan is logically structured with audit tasks, checklists, and evaluation criteria. Users can also leverage the App to schedule audits, select auditors, and assign responsibilities. Automated notifications are then sent to the auditor and auditee notifying them of the audit.
Resource and Time-Sheet Management: Gantt charts and reports in the MetricStream App provide details of audit schedules, resources, and activities, enabling the client to efficiently allocate audit resources to each project. Comprehensive timesheets automatically capture the time and money spent in auditing, helping the client identify ways to improve audit efficiency and cost-effectiveness.
Audit Execution: The MetricStream App enables a streamlined approach to control assessments. It also provides multiple capabilities to prepare, organize, review, and store audit work papers. During the audit, the App records audit findings, observations, and recommendations. It also supports information exchange and collaboration across multiple auditors.
The MetricStream App generates draft audit reports with the details of audit findings and recommendations. These reports are routed through the App for review and approval, and the final audit report is then generated, which can be shared with internal stakeholders, as well as the external auditor.
Control Design: The MetricStream SOX Compliance Management App enables the client to structure the SOX compliance and control hierarchy in a logical manner with tightly mapped links between processes, sub-processes, objectives, risks, controls, and control testing activities.
SOX Control Testing: The App streamlines the process of creating and assigning control tests, selecting control samples, conducting the tests, scoring the controls, and recording the details (including non-compliance issues and control deficiencies). Based on this data, the client can proactively identify areas of weakness or risk, and take steps to implement stronger financial controls.
Documentation: Standard templates and forms in the MetricStream App make it easy for the client to document test results. Supporting documentation and evidence of control findings are stored centrally, and can be easily and securely accessed.
Control Monitoring: The MetricStream App supports real-time monitoring of key control attributes, as well as control test plans, control design status, process ownership, test results, and other critical factors. All this information is displayed on graphical charts that can be drilled down by stakeholders to view data at finer levels of detail, and to track if SOX compliance and controls are optimally effective.
Issues that are discovered either during the audit process or SOX compliance evaluations are routed to an integrated issue management functionality. Here, a systematic and closed-loop process is triggered for issue investigation, root cause analysis, and corrective action. The system also captures the corresponding risk impact and likelihood to arrive at an overall risk score. Based on this data, the client can determine the best course of corrective action. Action plans are created, implemented, and routed for review and approval through the MetricStream system. Automated workflows and notifications accelerate the whole process, enhancing efficiency.
Tracking, Monitoring, and Reporting
Powerful dashboards and reports with drill-down capabilities offer the client comprehensive visibility into audit and SOX compliance processes. Users can view data such as SOX control deficiencies and issues, audit result trends, summary of audit findings by business unit, region, or control, and highlights of audit plans. Users can also slice and dice the data from multiple perspectives to glean deeper insights into their audit and SOX processes, and thereby enable continuous improvements. The App also generates SOX control reports.