Solution
MetricStream was the chosen solution based on its robust compliance methodology, scalable risk management capabilities, and its intuitive and easy-touse design. Within the limited time-frame, MetricStream’s project team mapped the company’s business flows to the MetricStream solution, so that the installation would best reflect the company’s internal processes. The steps, covered in this process, included:
Standard Internal Controls: The MetricStream solution provided a central repository for all types of company’s control systems, including those for operational efficiency, regulatory compliance, and financial reporting.
Work Flows: The MetricStream solution provided built-in and customizable workflow capabilities which allowed for creation of user-defined workflows for approvals/ reviews based on the organizational hierarchy levels. The system enabled automatic routing of information or email notifications to the issue assignor about issue creation, modification and/or closure.
Process Flows: The MetricStream’s Process Flow Designer tool facilitated application design and development by graphically modeling business processes.
The solution accommodated COSO elements, including planning, risk assessment, control activities, information and communication and monitoring, within the company’s business processes.
Reporting Capabilities: The MetricStream solution featured executive dashboards which provided enterprise-wide visibility into the internal controls and processes, and highlighted the high-priority cases that needed to be addressed. The solution provided complete real-time visibility into exception data with analytics for trend analysis. Reports for status tracking, scorecards and compliance dashboards could be readily accessed. Flexible reports with drilldown capability provided statistics and data by a variety of parameters such as business units, processes, and divisions.
Operational Testing: The MetricStream solution established testing as an integral part of the enterprise-wide processes and controls. Moreover, the solution provided distinct definition and scheduling of self assessment (control performance monitoring), design evaluations (whether internal or external), and operational effectiveness testing. The ability to export information from reports into spreadsheets simplified the overall operational testing process.
Risk Assessment Capabilities: The MetricStream solution allowed the Audit Management department to integrate with the Risk Management solution and supported risk assessment based on parameters such as severity and likelihood of occurrence for calculating the risk index of a finding. The solution supported computations based on configurable methodologies and algorithms giving auditors a clear view into organizations risk profile. The system allowed for customized risk and relevance criteria, risk templates, and scoring methodology
to be developed at any level of the organization.
Regulatory Compliance: The MetricStream solution supported various statistics required in 404 Assessment reports, such as number of controls by controls sets,
number of controls tested in each phase, number of exceptions in each phase, number of Auto/Manual Controls by control set. The solution also provided for ‘quarterly 302 certification’, by supporting online questionnaire/surveys and making reporting tools available to consolidate and analyze questionnaire/surveys.
Easy-to-Use User Interface: The MetricStream framework provided a rich feature set for configuring the solution according to the company’s established processes, allowing the company to tailor the solutions to business specific standards and requirements. With the MetricStream solution's user-friendly interface and drag and drop functionality, the company’s managers could get simple breakdowns and complex combinations instantaneously; document types, status, audit history, in-process documents, approval cycle times, document usage summaries, and average review times could all be obtained quickly and easily within a few drags and clicks on field data. Multiple tables or graphs could be generated giving a bird's eye preview to the risk portfolio.