Risk focus helps pull up SOX

Sometimes a tool that’s good for one task can also help accomplish another. When Susquehanna Bancshares needed to ramp up its approach to Sarbanes-Oxley Act compliance audit, it found the solution close to home, in a “GRC”—Governance, Risk management, and Compliance—package that the $18 billion-assets institution had already started using to manage audits.

Susquehanna faced two challenges. One was finding software that would meet its increasing needs for automating aspects of these processes. The other was finding a common language among various user and support groups for addressing risk.

Ken Hobbs, chief information security officer at the Lititz, Penn., bank, had been looking for a SOX compliance tool and not found anything quite right for the company’s needs. Then he decided to look at a GRC package that Susquehanna was already using, provided by DoubleCheck LLC.

Hobbs felt that, with adaptation and other tweaks, the DoubleCheck package could also be applied to SOX compliance audit. One of the strengths of the package, he says, was its facilitation of an up and down view of risks in the organization. The package was already being used to audit operations, and Hobbs believed the compliance component would meet the company’s SOX reporting requirements.

“When we recognized the need to escalate GRC as a way of managing risk, and in addition needed a new SOX tool, we looked around at what was available and realized it made a lot of sense to leverage some of the good work that had gone into making the audit tool useful,” says Hobbs. Other vendor solutions were explored, but in the end the bank opted to work with DoubleCheck to tailor the software to meet the SOX needs.

Hobbs had had experience with an earlier version of the software at another employer, which gave him confidence in the package’s capabilities.

“We were able to translate the audit and SOX terminology into some common broader enterprise risk management-based language,” Hobbs explains. “This more coherent approach was critical for us to move forward with a system that contained efficient validation of processes and provided excellent visibility of data and management of risks. Establishing a consensus, parsing and keying data, and building risk algorithms were a very important part of this process.”

The process of adapting the package for the bank ran about eight months, much of that time devoted to achieving agreement on a common language for risk throughout the organization. In addition to producing essential audit reports, the system provides information for risk committee and board-level presentations and reporting. Dashboards and other aids can be generated for analysis. Requirements for certification of compliance with SOX Section 302—which deals with accuracy of financial reporting—are also met.

“It’s a very versatile tool,” says Hobbs. With the revisions supporting expanded use, now, when validating groups look at the audit and SOX data in the system, they concurrently see risks and controls in a common language.

[Subsequent to our interview with Hobbs, BB&T announced its agreement to acquire Susquehanna. Management anticipates that the deal will be consummated in mid-2015.]