Payment Giant Automates Internal Audit Management for Improved Visibility, Risk Mitigation, and Resource Management

The Client: Payment Giant

Overview

The company has its global headquarters in the United States and offices in various regions across the world. The company provides services in hundreds of countries and territories.

The company’s cardholders use their cards at millions of acceptance locations around the world. Processing billions of payments seamlessly across the globe, the company is a critical link among financial institutions and millions of businesses, cardholders and merchants worldwide.

The financial services sector in general and the payments sector in particular are exposed to numerous challenges such as evolving payment standards, harsher regulatory scrutiny, increased security requirements, newer input devices, changing consumer trends and more. Security and reliability are the watch words for organizations in these sectors.

Being a leader and innovator in this increasingly challenging space, the company faced rising demands to comply with a huge number of regulations and manage varied risks while ensuring clear visibility and suitable distribution of available resources. Auditing various areas in the organization to accomplish this was proving to be a complex endeavour.

Managing its enormous worldwide network of global operations that includes financial institutions and merchants spread across the globe, the company experienced the need to take necessary steps towards automation and implementation of risk-based auditing.

Solution

The company needed to create a central system with an integrated GRC platform architecture for managing its internal audit requirements with a sharp focus on risk. The selection team at the company chose MetricStream as the solution provider based on MetricStream’s industry leadership position as well as its functional and technical capabilities to provide a scalable and integrated GRC platform and configure its solution to fit the specific requirements of the company.

MetricStream delivered to the company its Internal Audit Management solution for risk-based auditing. Integrated on MetricStream GRC Platform 6.0, the solution is a comprehensive, web-based application which includes a common framework, automated workflows, a centralized risk library and specific modules for resource management and issue management. The solution provides the company an integrated approach to manage its entire audit environment based on a risk-focused approach.As part of the second phase of the engagement, MetricStream will deliver Enterprise Risk Management (ERM) solution to the company.

MetricStream’s platform supports the company’s organizational model across all business divisions, units and departments, as well as their mapping to different roles and reporting relationships. The portal views are based on the user’s profile and organizational mapping. Users have a role-based portal access with options required for initiating actions, scheduling tasks, viewing reports and dashboards, limited to their roles and responsibilities. The MetricStream Briefcase option allows the auditors at the company to conduct audits in cases of lack of internet access.

Risk-based auditing: MetricStream Solution consolidated and automated the entire audit process beginning right with risk assessment and going on to audit planning, resource scheduling, executing fieldwork, recording results and observations, management reporting, time tracking, and issue management for the company’s audit department.

The solution delivers intelligence for risk-based auditing through powerful capabilities such as audit advisor, audit proposal planning and risk scenarios analysis, effectively leveraging operational and risk metrics for defining the enterprise audit strategy.

Apart from internal audits, the solution supports a wide range of audits including operational audits, IT audits, and quality audits. Backing the risk-based approach to internal audit, the solution provides the company’s audit team complete automation and functionality to assess risks. This risk assessment serves as groundwork for the team to identify areas or entities that need to be audited at regular intervals or on a need basis, depending on the severity of the associated risk. The solution integrates with various SOx and ERM applications in the organization to extract relevant risk-related information and upload it into the solution.

Auditors at the company can plan their yearly, quarterly, monthly and other regular as well as ad-hoc audits based on the assessment results using the MetricStream solution. The solution supports setting up a Multi-Audit (Annual or Multi Year) plan and allows creating an audit program with a well-defined objective and scope tied to compliance and risk management processes. The scheduling team at the company can implement the audit plan created in the MetricStream solution and schedule audits using the audit calendar. Relevant auditors and audit entities are notified with automatically triggered emails and alerts.

The solution supports closed-loop audits with capabilities to analyze audit issues/findings and track recommendations and action plans for issues identified.

Resource planning and timesheet management: The audit management solution allows interactive resource planning based on resource availability. The solution provides functionality for assignment and management of the resources required for each audit. The auditors at the company can assess the availability and match the skill set of required resources and assign them to specific audits for a particular period of time using the audit calendar and automatic email notification facility in the solution.

The solution allows team managers to allocate auditors while panning yearly audits as well as at different phases and tasks level. The solution provides various tools and reports for resource planning, including audit assignments and schedules for each auditor, time budgeting and tracking information.

Auditors can log their time and maintain timesheets where they can also indicate future assignments. This helps the team managers to assess the resource availability for future audits in advance. Additionally, the timesheets give visibility to the team managers into the amount of time spent on various audits by each auditor and take steps for better time managementimproving the overall efficiency and productivity.

Issue management: MetricStream issue management software has helped the company to institute and follow consistent procedures for managing incidents and issues discovered during internal audits. The solution supports issue capture, identification, evaluation, investigation, tracking, task management, and status reporting. Elaborate remediation and corrective action process is followed to close the loop.

Each department team can log in and check the number of issues affecting their department. The system assigns a unique ID to each issue, making it easy to track it from one stage to the next. Detailed information about each issue is provided and issues are categorized based on predefined criteria. Action owners are assigned for particular issues and automatic alerts and notifications are sent to the appropriate personnel for remedial action through built-in workflows.

Failure investigations are conducted to determine the root cause of the issue. The investigation is performed using collaborative workflow with investigative tasks assigned to appropriate individuals. The issue closes only after the action plan is carried out.

Reporting capabilities: The MetricStream solution provides analytics with graphical dashboards that give the managers at the company complete real-time visibility into the audit process.

The solution generates reports for varied audit-related requirements of the company, provides enterprise wide visibility into the process and highlights issues that need to be addressed on priority. Based on zone, country, business unit, region and market, the solution allows the auditors to generate reports for audit entities. Reports such as audit plan report, audit details report, audit summary report, audit status report, issue logs report, follow-up status report and various customized reports can be generated.

The managers at the company can obtain reports on the status of issues and incidents, audit resource efficiency and track time spent on various audits by each resource.

Challenges

Manual processes: Most processes related to audit management at the company were mainly manual or semi-manual. Spreadsheets were used for auditing information and compliance levels. Various teams at the company collaborated using phone calls and emails.

Lack of an integrated system: Being a large global organization, the company needed to conduct regular audits covering diverse areas and involving thousands of entities. Lack of an integrated system across all locations impacted the visibility, efficiency and time spent on a number of audit-related tasks.

Resource management: The company has a small internal audit team that manages the entire internal audit requirements of the company. As a huge organization with offices across the globe, the company needed to audit a large number of entities. With a comparatively small audit team to handle the complete range of audit activities, efficient resource management for its internal audit requirements posed a challenge for the company.

Need to streamline GRC: Operating in the payments industry and handling a huge number of transactions every day, the company needed to streamline its GRC activities and introduce a risk-based approach for more secure business operations. The company needed to enhance its audit and risk management capabilities by streamlining GRC activities.

Why the Company Selected MetricStream?

MetricStream has deep domain experience in the financial services space with in-depth understanding of internal audit management and GRC.

MetricStream’s solution is built and deployed on MetricStream GRC Platform which provides key functionalities such as workflows, configurable forms, real-time exception tracking, email alerts and notifications, integration, management reports, executive dashboards, business intelligence, analytics, and secure access control.

MetricStream’s solution includes an adaptive and flexible data model, which makes it easier for businesses to model and configure complex audit projects such as scoping new audits, modeling organizations, designing new products or delivering new processes.

MetricStream’s solution provides a cohesive approach to meet overall GRC objectives and also map itself to manage specific requirements of organizations.

Benefits

• Clearer visibility:
  Centralized dashboards, risk heat maps, and advanced reporting capabilities of MetricStream Solution keep the management well informed about the exact status of the company’s audit and risk processes. Role-based access to the application ensures that all personnel have the optimum visibility into the system to take intelligent decisions appropriate to their roles and responsibilities.
• Efficient resource and time management:
  MetricStream Solution’s capability to assess and track availability of resources throughout the year allows auditors at the company to manage their resources efficiently, enabling collaboration and better prioritization of audit activities. Audit calendar ensures that everyone in the audit management process has a clear and real-time picture of audit schedules and assignments. Time-tracking tools such as time-sheets and related reporting allows the team managers to track and manage time more effectively.
• Superior risk mitigation:
  The central repository of risks with links to KRIs, controls, assessments, results and mitigation plans enables the company’s team to manage its risks more successfully. The wide range of reports helps the risk team to identify the risks associated with auditable entities, prioritize auditable entities and risks for planning and scheduling audits in a more gainful way. The built-in best practices content allows the team to refine and realign the processes for more productive risk management.