Solution

The client was keen to implement a new audit management system, and had considered multiple technology vendors. Eventually, MetricStream was chosen because they offered the most comprehensive, advanced, and flexible audit management solution. Built on a scalable GRC platform, the solution extends across the client’s global organization, providing a single system of record to manage and track each audit from start to finish.

The solution provides capabilities to efficiently plan, schedule, and conduct audits. It also allows audit findings to be reviewed and analyzed, enables initiation of follow-up activities when needed, and provides the ability to monitor the entire audit process. The solution maintains and maps together all global audit data (including auditable entities, processes, risks, controls, and auditor details) in a centralized repository. These data elements are common across business units, functions, processes, and risks thereby helping ensure audit data consistency.

Below are the capabilities of the solution:

Risk-based Audit Planning: The solution helps plan and prioritize audits based on the risk score of the processes. Configurable risk methodologies and algorithms in the solution help assess, rate, and score the risks in each business process. Those processes with a high risk score are selected for an audit in that particular quarter. This way, the audit team can plan its audit cycles in a targeted, risk-based manner. Alongside, a resource management capability helps the central audit team determine how audit resources and budgets should be distributed across various audit projects and locations.

Audit Fieldwork: The solution streamlines audit process workflows. Once a risk assessment is completed, audit managers create audit plans in the solution, and route them to the central audit team for review and approval. Thereafter, the audit manager and lead auditors in each business unit develop audit tasks for assessing or testing controls as per the audit plan, and assign these tasks to the team. Automatic notifications are sent to the auditor as well as the entity to be audited. The assigned auditors then perform the required tasks, record their findings and observations in the form of work-papers, and send them for review and approval.

During audit execution, the time-sheet management capability captures the time spent by each auditor on a task. It supports recording of audit hours on a daily or weekly basis. This helps ensure timely audit task completion. A unique feature of the solution is the Audit Briefcase which can be used to conduct audits even in remote locations where there is no access to the corporate network. Once auditors download the audit forms onto their systems, they can go out into the field, and enter their findings as usual without Internet connectivity. This data can later be synchronized with the audit database once the auditors are connected to the corporate network.

Audit Issue Management: The solution supports recording and tracking of all audit issues in real time as they move through various stages of investigation and remediation, right up to closure. It also archives all audit issues, including legacy issues. The issues remains open till the actions plan are carried out, and the results are verified for effectiveness.

Audit Reporting: The solution provides the ability to generate draft and final audit reports with review and approval workflows at appropriate stages of the audit cycle. The platform’s embedded reporting engine provides complete visibility into the audit process with comprehensive aggregate reporting as well as individual status tracking in real-time. Graphical dashboards with drill-down capabilities provide a variety of statistics based on risk category, entity, assessment results, issues triggered, and other key metrics.