In our Spotlight on Success series, Michael Geiger-Wolf, Director of Risk and Compliance at Ceridian, shares how his team has leveraged CrossComply by AuditBoard to save time by mapping controls across multiple frameworks, consolidating requests to reduce stakeholder touchpoints by over 80%, and supporting a growing organization without having to add staff.
Tell us a bit about Ceridian’s Compliance program, and how CrossComply by AuditBoard has helped you save time by mapping controls across multiple frameworks?
Ceridian has been performing client-facing audits for decades, back when they were the SAS 70 audit. Of course, those have now changed to SOC and SSAE 18. We also perform ISO audits, NIST audits, and FedRAMP certifications, as well as a number of locally-required backend taxing authority and payroll audits.
What we really wanted was a platform that offered workflow, which AuditBoard had. The key difference for AuditBoard was it also offered the ability to create a document and maintain an audit library of our evidence that we were capturing from our control owners. We then use that audit evidence that we captured in AuditBoard and deploy it across the various frameworks so we don’t have to ask control owners multiple times for the same thing.
Because we’re a fairly mature organization, we had all of our frameworks established and all the controls established as well. We utilize CrossComply within AuditBoard to map the controls across the various frameworks. We’re lucky that the timing worked out and we were able to transition to CrossComply for all of our frameworks and for our client-facing audits.
What was the AuditBoard adoption experience like for your stakeholders?
Some of the control owners who work on SOX were already quite used to AuditBoard, and were asking us, “Why can’t you use this tool as well?” We were using a combination of manual requests and SharePoint workflows for a very small amount of things, but the users were asking us to adopt something similar to AuditBoard — so they were obviously very easy to get onto the AuditBoard platform with CrossComply. But those who were new to AuditBoard also found it very intuitive and straightforward, and were very appreciative.
What has been the biggest ROI for your organization since implementing AuditBoard?
We manage all this with the same number of people while we’re undergoing a significant global expansion. One of the advantages that we saw in terms of costs was that because our auditors were able to reuse evidence, we could now combine a couple audits together. Our Shared Services audit could be combined into one overarching audit, which took 16 touchpoints down to 2 annually for our shared controls.
Our external audit fees dropped significantly, such that our savings were actually more than what we paid for AuditBoard.
We’ve certainly experienced lots of benefits on my team, and we’re an organization that’s growing very quickly, adding new frameworks, and expanding globally. We’ve been able to support that growth with our existing staff because we have AuditBoard.
How has AuditBoard helped you reduce audit fatigue for business stakeholders?
One of the biggest benefits that isn’t financial in nature, but is still very real, involves our control owners. They used to always say, “When am I supposed to do my day job?” — they just felt inundated by audit request after audit request. With AuditBoard, we don’t get that anymore — we get timely responses. The workflow makes it easy for them to provide the evidence.
The way we’ve structured our audits and our evidence library means that in some cases, they put us on a regular distribution list and they don’t hear from us for literally months at a time. Our relationships with our control owners have improved significantly. If you’ve ever been tired of hearing control owners say, “When am I supposed to do my job?” — AuditBoard solved that problem for us.