The Client: A listed global American-based hospitality chain with properties in more than 90 countries, including a portfolio of corporate and franchise-owned properties.
The client was managing its SOX and internal audit management processes manually and in silos. This caused collaboration and efficiency issues across teams and locations. MetricStream’s internal audit and SOX compliance management apps helped the client automate and integrate audits and SOX compliance processes.
The client evaluated many audit and SOX compliance solution providers, and eventually selected MetricStream’s cloud-based GRC platform, on which the MetricStream Internal Audit Management and SOX Compliance Management Apps are built.
Below is a description of how the MetricStream apps are helping the client:
Risk Assessment and Analysis: The app helps the client identify, record, and map risks, objectives, controls, and auditable units in a unified framework, while configurable algorithms help measure, rate, and score risks. This gives the client’s auditors a clear picture of risks which, in turn, helps them plan audit strategies and control tests, and allocate resources effectively.
Audit Planning and Execution: The app helps the client define a clear and comprehensive audit plan with precise objectives and scope based on the results of the risk assessment. It facilitates the logical organization of audit tasks, deadlines, checklists, and evaluation criteria. The app also enables the client to conduct audits and record their findings in predefined formats. Issues identified during the audit process trigger a systematic, closed-loop process of investigation and analysis leading up to corrective actions.
Audit Resource Management: The app enables the client to effectively manage audit resources, team assignments, and budgets. Tasks can be allocated based on a clear view of each auditor’s skill set and availability, as well as budgets of time and effort. The app keeps in check instances of audit overbooking or conflicts, and also provides intuitive tools for audit pool management, shared calendars, and audit milestone tracking. A time tracking capability captures the time spent in auditing, and supports transparent timesheet reporting.
Audit Reporting: The app makes audit status tracking simple for the client, and provides them with real-time access to audit data, history, and analyses of audit results. With the app, the client can also generate configurable draft and final audit reports with clearly defined review and approval workflows. The app also supports post-audit surveys to help the client monitor the performance of internal audit activities.
SOX Control Design: The MetricStream SOX Compliance Management App has been built to let the client structure their SOX compliance and control hierarchy in a logical manner. It allows users to create a link between objectives based on audit results, risk assessments, and control testing activities.
SOX Control Testing and Documentation: The app’s inbuilt system helps users create tests to identify risks or weak areas, and take measures to implement stronger financial controls. The app has templates and forms that make it easy for the users to record test results. A centralized repository helps users store and access documents quickly.
Control Monitoring: With the app’s control monitoring features, the client can monitor key control attributes, control test plans, control design status, process ownership, and test results in real time.
SOX Reporting: The app’s inbuilt reporting facility helps the client track the key characteristics of controls, tests, and self-assessment plans easily. The client can also drill down to access the data at finer levels of detail. Any issues detected are directed to the issue management functionality within the MetricStream GRC Platform.
With thousands of properties across the globe - the company has more than 10 brands and multiple franchised hotels, resorts, and time-share properties - there were varied auditing and compliance requirements and limited cross-functional and cross-location collaboration. This made it difficult for the corporate audit team to track audit processes and findings efficiently.
To assess SOX compliance processes, auditors had to manually define and test controls, assemble the results from disparate properties, and then compile this data into reports. The whole process took significant time and effort. Added to that, most internal audit and SOX compliance data was scattered across numerous spreadsheets, emails, and presentations which, in turn, made data integration and management a challenging task for the client.
As the client was expanding faster and opening or franchising properties in newer locations, they needed a mature internal audit and SOX compliance management system that would not only help them improve visibility into audit and SOX compliance processes but also identify risks and areas of non-compliance proactively, strengthen controls, and address issues in an integrated and timely manner.