Case Study

Fortune 500 Chemical Manufacturer Integrates and Automates Global Internal Audits and SOX Compliance Processes Using MetricStream’s Cloud-based Apps

The Client: A leading specialty chemical company with customers and operations across the globe.


Overview

Realizing that their audit and SOX compliance processes could no longer be managed using a manual and siloed approach, the client adopted MetricStream’s Internal Audit and SOX Compliance Management Apps. With these Apps, they were able to integrate and automate audits and SOX compliance processes, and strengthen efficiency, collaboration, and visibility into audit and compliance data.

The Solution

After the client evaluated multiple audit and SOX compliance solution providers, MetricStream was selected for its ability to offer a comprehensive, cloud-based GRC Platform that would cut across geographic and enterprise silos, integrating risk assessments, audits, and SOX compliance processes and data in a common environment. This approach would provide a better view of audits and SOX compliance, while also enhancing collaboration and information-sharing across dispersed audit teams.

Built on the GRC Platform are the MetricStream Internal Audit Management App and the MetricStream SOX Compliance Management App, which streamline and automate audit and SOX compliance workflows, thereby improving efficiency and minimizing costs. The Internal Audit Management App also enables a risk-based approach to auditing, with support for assessing and rating risks across the EHS, Finance and Operations, and IT groups.

Issues that are identified either through audits or SOX control testing processes can be effectively managed and resolved through an integrated issue management and remediation functionality.

Below is a detailed look at how the MetricStream Apps are helping the client:

Internal Audit

Risk Assessments: The MetricStream Internal Audit Management App captures and maps the client’s risks, objectives, controls, and auditable entities in a unified framework. It also provides configurable methodologies and algorithms to assess, rate, and score risks. Risk assessments are enabled across the EHS, Finance and Operations, and IT groups. Thus, auditors get a clear view of the organization’s risk profile, including high-risk areas, and can plan and prioritize their audit strategies and resources accordingly.

Audit Planning and Scheduling: The MetricStream App enables the client to create a comprehensive audit plan with a well-defined objective and scope. Each plan is logically structured with audit tasks, checklists, and evaluation criteria. Users can also leverage the App to schedule audits, select auditors, and assign responsibilities. Automated notifications are then sent to the auditor and auditee notifying them of the audit.

Resource and Timesheet Management: Gantt charts and reports in the MetricStream App provide details of audit schedules, resources, and activities, enabling the client to efficiently allocate audit resources to each project. Comprehensive timesheets automatically capture the time and money spent on auditing, helping the client identify ways to improve audit efficiency and cost-effectiveness.

Audit Execution: The MetricStream App enables a streamlined approach to control assessments. It also provides multiple capabilities to prepare, organize, review, and store audit work papers. During the audit, the App records audit findings, observations, and recommendations. It also supports information exchange and collaboration across multiple auditors.

Audit Reporting

The MetricStream App generates draft audit reports with the details of audit findings and recommendations. These reports are routed through the App for review and approval, and the final audit report is generated, which can then be shared with internal stakeholders as well as the external auditor.

SOX Compliance

Control Design: The MetricStream SOX Compliance Management App enables the client to structure the SOX compliance and control hierarchy in a logical manner with tightly mapped links between processes, sub-processes, objectives, risks, controls, and control testing activities.

SOX Control Testing: The App streamlines the process of creating and assigning control tests, selecting control samples, conducting the tests, scoring the controls, and recording the details (including non-compliance issues and control deficiencies). Based on this data, the client can proactively identify areas of weakness or risk, and take steps to implement stronger financial controls.

Documentation: Standard templates and forms in the MetricStream App make it easy for the client to document test results. Supporting documentation and evidence of control findings are stored centrally, and can be easily and securely accessed.

Control Monitoring: The MetricStream App supports real-time monitoring of key control attributes, as well as control test plans, control design status, process ownership, test results, and other critical factors. All this information is displayed on graphical charts that can be drilled down by stakeholders to view data at finer levels of detail, and to track if SOX compliance and controls are optimally effective.

Issue Management

Issues that are discovered either during the audit process or SOX compliance evaluations are routed to an integrated issue management functionality. Here, a systematic and closed-loop process is triggered for issue investigation, root cause analysis, and corrective action. The system also captures the corresponding risk impact and likelihood to arrive at an overall risk score. Based on this data, the client can determine the best course of corrective action. Action plans are created, implemented, and routed for review and approval through the MetricStream system. Automated workflows and notifications accelerate the whole process, enhancing efficiency.

Tracking, Monitoring, and Reporting

Powerful dashboards and reports with drill-down capabilities offer the client comprehensive visibility into audit and SOX compliance processes. Users can view data such as SOX control deficiencies and issues, audit result trends, summary of audit findings by business unit, region, or control, and highlights of audit plans. Users can also slice and dice the data from multiple perspectives to glean deeper insights into their audit and SOX processes, and thereby enable continuous improvements. The App also generates SOX control reports.

The Challenges

Every year, the client’s internal audit department conducts audits across multiple business units, including Environment, Health, and Safety (EHS), Finance and Operations, and IT. The department is also responsible for testing the controls of the Finance group to evaluate compliance with SOX requirements.

Earlier, audit activities were performed using a basic software system wherein the functionality was limited merely to work-paper management and time recording. The core audit processes, including risk assessments for audit planning, audit scheduling, and reporting were managed in a manual and siloed manner that was both laborious and resource-intensive. The client did not have an integrated risk assessment procedure which could help consolidate risk rating and scoring methodologies, and enable an effective, risk-based approach to audits.

For SOX compliance management as well, auditors had to manually define and test controls, aggregate the results, painstakingly mitigate issues, and then consolidate the data into reports, all of which took considerable time and effort.

The other challenge was that most audit and SOX compliance processes were conducted in a fragmented, ad hoc manner. Being a global company, the client has a team of around 40 internal auditors who conduct 75 to 100 audits every year across offices in multiple countries.

Managing these dispersed resources, coordinating their activities, and tracking the time and expenses spent on audits were difficult without a unified system. Moreover, a large volume of audit and SOX process data was scattered across spreadsheets, emails, presentations, and other systems. The client found it increasingly challenging to manage and integrate this data efficiently in order to conduct planned, risk-based audits and share the reports with their external auditor.

Considering that the company was expanding its audit presence to the Asia-Pacific region, the impetus to establish an integrated audit and SOX compliance system was greater than ever. The auditors needed not only to improve data-sharing and collaboration, but also to gain sufficient visibility to optimize the use of resources.

Why MetricStream

The client chose MetricStream for the following reasons:

  • Successful Track Record: Some of the largest and most well-known manufacturers use MetricStream Apps to power their GRC programs.
  • Integrated Approach: The MetricStream GRC Platform scales across the global enterprise, unifying audit and compliance processes in a single system.
  • Tightly Mapped Risk Taxonomy: Risks, controls, audits, processes, business units, regulations, and other data elements are linked together in the MetricStream Apps, so that companies can manage GRC as one integrated discipline.
  • Cloud-based Apps: MetricStream GRC Apps can be implemented over the highly secure MetricStream GRC Cloud, enabling companies to realize faster time to value and flexibility.
  • Extensibility: The MetricStream SOX Compliance Management App can be extended in the future to support compliance certification and attestation under SOX sections 302 and 404. The Audit Management App can also be extended to include functionality for offline and mobile audits. In addition, the underlying MetricStream GRC Platform can be extended with other GRC Apps and Solutions, such as the IT-GRC Solution or the Enterprise Risk Management App, all of which come together to enable a holistic approach to GRC.

Benefits

  • A Single Platform to Manage up to 100 Global Audits and 300 Control Tests
    The MetricStream GRC Platform provides a single point of reference to manage SOX compliance, as well as audits across business units. Users from across Europe, America, and the Asia-Pacific region can view audit schedules, conduct audits, test SOX controls, monitor issues, and more, from one centralized, web-based system.
  • Better Data Visibility, Timelier Reporting
    The MetricStream Apps enable users to track the status of risks, internal audits, and SOX compliance processes and controls in real time. Comprehensive reports provide a 360-degree view of audit and SOX findings, issues, and trends, enabling managers to proactively spot opportunities for improvement.
  • Greater Collaboration
    Since users from across locations have a common, unified system for both SOX compliance and internal audits, they can easily communicate with each other, and share important risk and control data, thereby strengthening reporting and data analysis.
  • Improved Audit and SOX Compliance Efficiency
    Users no longer have to spend valuable time and effort on manual processes. The MetricStream Apps have streamlined and automated the audit and SOX compliance lifecycles, saving time and effort. As soon as audit or control testing tasks are completed, the findings are automatically consolidated and populated into reports. Audit timesheet management has also been automated, helping the client optimize the time and budgets spent on audits.
  • Stronger Financial Controls
    With the SOX Compliance Management App, the client has strengthened control testing and monitoring. Timely, actionable insights on control test results, key control attributes, and deficiencies enable stakeholders to make informed decisions on which controls need to be improved.
  • Enhanced Compliance with IIA Standards and External Auditor Requirements
    By enhancing the efficiency and effectiveness of their audits with the help of the MetricStream Apps, the client is better able to comply with IIA standards. Moreover, the quality of their SOX compliance reporting to external auditors has also improved.