Headquartered in Pennsylvania, New Enterprise Stone & Lime Co., Inc. (NES&L Co.) is a privately held construction materials supplier and heavy/highway construction contractor serving Pennsylvania and western New York. The company is also a nationwide provider of traffic safety services and equipment.
In 2013, NES&L Co. issued public debt, which triggered requirements to comply with the Sarbanes-Oxley Act (SOX). The company needed to establish an automated system that would allow the internal audit department to document the testing of internal controls, from the document request phase through the reporting of audit results. An ancillary goal was to allow business process owners to attest to the effectiveness of controls for which they are responsible in a systematic and automated manner. After evaluating several solution providers, the company selected the Protiviti Governance Portal in January 2014. In addition to stakeholders recognizing the capabilities of the solution, a key factor in the decision was the previous positive experience of one of the decision makers in working with Protiviti.
The Governance Portal automated and brought dashboard visibility to a number of manual, time-consuming internal audit processes. For example, prior to the Governance Portal’s adoption, auditors relied on email to notify business line managers and process owners of the documentation necessary for the audit process. The internal audit team would receive the documentation by email and then manually populate a spreadsheet with the controls that were tested and the results of the tests. This created the potential for manual errors and required considerable time to track responses. The Governance Portal automated these functions, relieving auditors from chasing emails and typing entries, and allowing them to focus on the results of the testing.
Business process owners can also attest to the effectiveness of controls using the easy-to-use, built-in survey functionality of the Governance Portal. It enables the audit staff to set up the surveys quickly and automatically generate email notifications to business users. The users then fill out the survey directly in the Governance Portal, saving time for the internal audit team and reducing the possibility of errors. The Governance Portal also allows responses (and nonresponses) to be tracked and monitored.
Just four months after the initial implementation, the audit team and more than 100 business users began increasing the use of the Governance Portal, applying its functionality to a variety of new tasks. “The Governance Portal has become a one-stop shop for all things audit- and compliance-related. It has allowed us to automate several processes, including sending out surveys, documenting testing results, requesting documentation from management, creating action plans for audit exceptions, and reporting,” said William S. Dunkleberger, Director of Internal Audit at NES&L.
Documenting Testing and Test Results
The audit team documents all of its testing results in the Governance Portal and, using the Portal’s reporting capability, can generate a summary of testing results and progress at any point in time. All the testing results, work papers and supporting evidence are stored in the Governance Portal, making the documentation and history of testing activities easily accessible by the audit team.
Prior to the Governance Portal, the audit team would collect documentation from managers by listing the required documents in a spreadsheet and sending it out to the appropriate managers via email. Now the team simply creates tasks in the Governance Portal. The tasks are automatically emailed to the appropriate business users, who upload the requested documents directly into the Protiviti system.
Internal Control Action Plans
The Governance Portal also allows the audit team to document and handle audit exceptions identified through testing activities. Using the Governance Portal, the team creates action plans, assigns remediation tasks to appropriate managers, and recommends a course of action for addressing the exceptions. A notification email is automatically sent to the appropriate individual, who can also use the Governance Portal to respond to the action plan and update the status of the remediation. The system makes it easy for the audit team to review the status of an action plan and produce a report summarizing the status of all plans.
A Single Source of Truth
The Governance Portal has enabled NES&L Co. to maintain all internal controls, including the objectives, associated risks for each control, and action plans, in a single repository. The audit team can view the controls by division, control owner and even the person performing the control. The company also plans to use the Governance Portal for governance, risk and compliance (GRC) initiatives, such as enterprise risk and compliance management. This functionality was configured in their Governance Portal by the Protiviti implementation team with this future need in mind.
“The Governance Portal has become a one-stop shop for all things audit- and compliance-related. it has allowed us to automate several processes, including sending out surveys, documenting testing results, requesting documentation from management, creating action plans for audit exceptions, and reporting”