How BNY Mellon Dramatically Reduced Key SOX Testing Controls
As part of our Spotlight on Success series, we had the opportunity to speak with Scott Cronin, Global Head of SOX Compliance & Controls at BNY Mellon, about how he and his team have streamlined their process from using a disconnected set of tools to centralizing their data in AuditBoard. Watch the video, read the highlights, and download the full BNY Mellon Success Story PDF below.
Tell us a little bit about The Bank of New York Mellon and your role there.
The Bank of New York Mellon considers itself the bank for other banks, as most of its clients are other large financial institutions and we help manage and safeguard their assets. Right now we have about $37 trillion in assets under custody that we help manage. I lead the SOX controls and compliance team for BNY Mellon, and we have about 65 people on our team spread out around the globe in the US, Europe, and India.
What were some of the challenges you were facing that led you to implement AuditBoard at BNY Mellon?
When I joined BNY Mellon a few years ago, one of the most surprising things I found was that we didn’t have a centralized SOX tool and the team relied on a combination of spreadsheets, Word documents, some home grown tools, and one vendor-supplied application which we used to store workpapers. We had no centralized repository to manage the SOX framework from beginning to end, including process flows, narratives, control inventory, and our testing and testing results. That became quite a strain on the team because they had to use a number of tools just to get simple tasks completed, and it also created a strain with our business partners, the folks who we’re auditing and reviewing, and the control owners because the absence of a strong centralized tool inhibited us from really opening up that data to the business.
During your search for a new solution, what differentiated AuditBoard from other options?
The primary factor that stood out to me about AuditBoard was that it really was a tool that was built for a SOX program and an audit program. We definitely evaluated a number of other tools and I’ve used other tools at prior employers for similar purposes. One of the challenges I’ve always seen in the past, particularly with some of the bigger tools, is that they’re okay at doing a little bit of everything. But they’re not great at doing any one particular thing and the user community would tend to get frustrated because the tools would only meet 50 or 60% of their needs. I think where AuditBoard stood out to me was that it really was built for purpose. It didn’t require much, if any, customization off the shelf, which streamlined our implementation process. We ended up with a tool that the team and our business partners were happy with because it was suited for the purpose for which we purchased it.
Are there specific parts of your workflow where you can see definite improvements after implementing AuditBoard?
One of the ways AuditBoard has helped us this year has been to manage our population of controls by having all of our controls in one software package in one place. It’s allowed me and my leadership team to really take a critical look at what our control environment looks like and we can link it to things like our financial statement line items, our processes and really slice and dice that data in whatever way we feel is appropriate. Because we now have that capability, one of the undertakings we’re going through this year is to take a step back and rationalize our control structure. Where do we have too many controls, where do we have too few controls, and where do we have what we feel is the right amount of controls. And really focus on that for a line of business, for a given process, for a given financial statement report line. We have much better visibility than we ever had before into that type of data.
And what it’s resulted in for us is that we’ve set a somewhat ambitious target and we’re close to achieving a notable reduction in our key testing controls across the company by realizing that we have duplicative controls embedded in different processes. Do we need three controls all to touch on the same lower risk item? We probably don’t, and being able to leverage AuditBoard to see that data right in front of our face and really execute against a rationalization target has been a huge win for us so far.
Are you using AuditBoard to track issues and, if so, how has that helped you?
We’ve been able to age issues more easily. We’ve been able to get more predictive for our business partners as to when issues are coming due and give them a nice crisp dashboard saying, “Here’s your view one quarter out. Here’s your view, six months out.” We’re helping the business get more predictive and less reactive. In the past, everyone would react to past due issues. But the challenge was, if I’m the business, how come you don’t tell me about these things before they’re already past due, before they’re already a problem?
AuditBoard has really streamlined that process for us at BNY Mellon and we’re able to get much more predictive and much more forward looking as far as issues go with our business partners as well as within the team. I can manage the team more efficiently by saying “Person A on my team has 13 open issues that they’re responsible for partnering with the business on — Person B only has two issues. Maybe that’s not balanced.” Maybe we need to shift a little bit of the ownership within the SOX team, and having the tool with the data for me in real time makes that possible for us in a way that it just wasn’t possible in the past.
What advice would you give to someone evaluating AuditBoard?
I’ve worked for a number of companies and I’ve been through more software implementations and GRC implementations then I would like to remember. One of the challenges that I’ve seen consistently in the past has been tools that might work for the auditor, whether it’s internal audit or SOX, but they don’t work for the general business folks — they become very difficult to navigate. They’re not very intuitive if you’re not a power user. So for the folks that are in the tool every day, anyone can get used to something if they use it every day. But you don’t want a tool that you just have to get used to. You want a tool that actually empowers you and something that makes your life easier, and also something that you can put in front of your business partners and tell them “This is where you can get your data. This represents our team and this is what we want you to use” and you don’t have to do it kind of with your head hung low and your tail between your legs saying, “I know the software is painful to use, but it’s the best that we have.” With AuditBoard, we’re able to go in proudly to our business partners and show them this is what we have and it’s actually an enabler for you to run this part of your business better.
Stay tuned for more AuditBoard Spotlight on Success video interviews with audit, risk, and compliance community leaders about industry issues, insights, and experiences!
