Case Study

Oil and Gas Giant Strengthens Stakeholder Trust With a Holistic Approach to Assurance

A leading multinational energy company, with tens of thousands of employees, wanted to replace its manual and siloed risk, audit, SOX, compliance, and policy management processes with a streamlined and automated approach. The objective was to build a more integrated and strategic approach to assurance by bringing internal audit closer to compliance on a common platform, facilitating easy and immediate access to information.

With MetricStream, the company was able to achieve this goal, and manage its assurance requirements in a more holistic manner across 4,000+ users. The cloud-based platform automates assurance processes, improving the speed and efficiency of decision-making. Originally used for Audit and SOX, it has now been extended to other GRC use cases and business functions to help the company realize its vision of integrated GRC.

Fixing the Cracks

Over the years, the company’s assurance processes had become increasingly siloed. Audit, SOX, risk, compliance, and policy-related data was scattered across systems, making it difficult for teams to track key risks, such as trading, financial, sanctions, Environment, Health, and Safety (EHS), and other issues. Without a unifying platform, they couldn’t effectively coordinate and collaborate on assurance findings.

Redundancies in control data and testing efforts weren’t uncommon. What’s more, alignment between audit and compliance taxonomies was limited. This hampered efforts at comparing findings, and identifying risks.

Outdated systems and manual processes only added to the challenge, making the processes extremely time-consuming business functions. The company needed to revamp its systems, and enable a more cohesive approach to assurance—one that would help them cut across audit, risk, controls, and compliance silos to gain a consolidated view of risks across business units and geographies.

Setting It Up

MetricStream emerged as the preferred choice to meet these requirements. The MetricStream Platform provided a centralized foundation to integrate GRC processes, and strengthen risk visibility. Built on the platform were the MetricStream Internal Audit, SOX Compliance, Enterprise Risk, Regulatory Compliance, and Policy and Document Management products, which together helped the company streamline and automate workflows and enhance overall efficiency and resilience.

The products were implemented out-of-the-box with some minor changes to best fit their requirements. The company has a dedicated business unit that leverages Compliance Management, Policy and Document Management, and Enterprise Risk Management, while another part of the business is using Internal Audit and SOX Compliance products. It uses surveys for inherent and residual risk assessments.

With the implementation, the company has successfully completed over 300 risk assessments with results aggregated through automation. It has also considerably cut down on the efforts by consolidating metrics across 3,000 controls.



  • Outdated assurance systems and manual processes
  • Low visibility into risks
  • Siloed systems which limited collaboration between audit and compliance functions
  • Inconsistent risk and compliance taxonomies

Business Value Realized


A real-time and holistic view of risks across audit and compliance functions


Improved efficiency with automated assurance processes


Better coordination and communication through a common system


Smarter risk reporting and communication with standardized taxonomies


Single Source of Truth on Risk

MetricStream offers the company a unified view of risk, internal audit, SOX, compliance, and internal controls across the enterprise. The platform maps risks to compliance requirements, internal controls, control tests, assessments, processes, and other data elements in a single framework. This gives users a holistic and contextual view of risk.

The platform also standardizes risk, compliance, and control taxonomies, making risk reporting and communication much more consistent. Teams across assurance functions now have a common system to exchange data, and collaborate on risk findings. No more duplication of effort or information. Everything is clearly mapped and streamlined in the MetricStream Platform for optimal efficiency.

Enhanced Agility in Internal Auditing

MetricStream Internal Audit Management is helping the company improve its audit productivity, while also identifying and responding to risks faster. Auditors can create dynamic audit plans, assign tasks, record their findings, and attach supporting evidence all in one system.

The product supports a risk-based approach to auditing, enabling teams to prioritize and direct audit resources to the areas of highest risk. Since auditing has been integrated with SOX compliance, teams across both functions can effectively coordinate control testing activities to minimize redundancies.

MetricStream also strengthens visibility into audit findings, helping the audit team deliver valued, trusted advice to the board and leadership.

Improved Confidence in SOX Compliance

MetricStream SOX Compliance Management helps the company simplify compliance monitoring by unifying risk and control data management across financial processes. The product simplifies control testing, documentation, and certifications with systematic workflows. It also helps rationalize controls, thus reducing compliance efforts and costs. Real-time reporting enables teams to deliver swift assurance around SOX compliance, strengthening stakeholder confidence.

Streamlined Regulatory Compliance Management

The company has to ensure compliance with a plethora of regulations across jurisdictions, including those from the European Banking Authority in the EU, the Securities and Exchange Commission (SEC) in the U.S., and others. MetricStream Compliance Management has helped the company strengthen compliance by proactively identifying regulatory changes and assessing their impact on the business. Using the product, it can not only track the regulatory changes but also manually test the impact and ascertain how it needs to be implemented. Furthermore, the company is also better equipped to manage internal controls as well as identify issues and track them to closure.

Effective Policy Management

With MetricStream, the company now has a centralized repository to store and access the latest policies. The product has helped streamline and simplify the creation and communication of organizational policies. In addition, mapping policies to regulations, risks, and controls have significantly strengthened compliance while highlighting potential risks.

Better Insights to Drive Performance

To conclude, powerful analytics, reports, and dashboards in MetricStream give the company in-depth visibility into risks, internal audit results, SOX compliance findings, and regulatory changes, and internal controls. Decision-makers can leverage rich visualizations of the data to understand the top risks, issues, and opportunities. They can also slice and dice the information from various angles to compare findings across risk, internal audit, compliance, and more. The result is a strategic view of the company’s overall governance, risk and compliance (GRC) posture that enables leadership teams to make better-informed decisions.

Related Stories

Case Study

Major Insurance Company Uses a Holistic Approach to Engage All Lines of the Business in GRC

Case Study

U.S. Telco Giant Makes Cybersecurity Decisions 60% Faster by Quantifying the Dollar Impact of Cyber Risks

Case Study

Baptist Health Care Improves Audit Efficiency and Visibility With MetricStream

Ready to get started?

Speak to our experts