Case studies by service

Nothing speaks louder and helps us build stronger relationships with our clients than the feedback we get. Detailed below are examples of how we have added value when working with our clients.

Addressing Internal Audit issues

Case study 1

Issue

As the business of this provider of enterprise management products and related consulting expanded, management concluded that outsourcing the company’s internal audit department would both reduce costs and enhance IA effectiveness. The company chose PwC for the job.

Action

The client wanted an internal audit function that not only focused on what was important to the company, but also kept an eye on relevant happenings in the software industry. We’ve delivered to that requirement, and also to the company’s interest in alternative delivery models. The IA function, now fully outsourced to PwC, includes both SOX/404 testing and internal audit work.

Impact

The client’s CFO, controller and finance and accounting teams are achieving their goal of cost reduction, having saved $500K by outsourcing their internal audit work to PwC. In addition, our leadership in the IA profession positions us to bring management a steady stream of usable intelligence.
 

Addressing Third Party Assurance issues

Better Controls Reporting Gives Brokerage Services Company a Leg Up

Issue

Spurred by recent financial-sector turmoil, a company providing brokerage and clearing services to alternative funds and broker-dealers wanted to enhance its controls reporting to clients.

The company saw that clarity on the scope of services reported to clients, and a sharper focus on those offering greater transparency and controls comfort, could be market differentiators. PwC was called in.

Action

We asked our client’s alternative-fund and broker-dealer clients what reporting they wanted from their brokerage and clearing service providers. After comparing our client’s scope of services against the responses, we developed an outline of the services users valued.

We also issued a custom attestation report detailing our client’s internal controls in place. This report positioned the company to respond to its clients’ requests for increased transparency as well as meet contractual commitments.

Impact

The company’s ability to provide a report on internal controls easily understood by market participants enabled it to give its alternative-fund and broker-dealer clients the information they required.

Helping a Multinational Meet High Demand for Attestations

Issue

A major US multinational with extensive international operations has a large presence in the IT services industry. Using a common set of processes and controls, it delivers services from multiple locations across the globe.

With standards such as Sarbanes-Oxley and kindred requirements in Japan and Canada, the company has seen mushrooming demands for third-party attestations from its customers, and currently provides hundreds of SSAE 16s or equivalent reports worldwide. We were engaged to help meet these expanding demands.

Action

Through tight global coordination, PwC was able to help our client enhance the consistency and efficiency of the reporting process via Type II SSAE 16s, issued several times each year. The reports cover hundreds of customers and multiple delivery centers in several countries.

Impact

Our solution significantly reduced two expenses: 1) the cost of being audited by hundreds of customers every year; and 2) the cost of issuing separate reports by country, data center or customer. In addition, our client now receives an independent controls assessment and reaps the strategic benefits of global consistency.

Users and their auditors also receive what they need: control reports that include an opinion from an independent third party.

Supporting Storm Damage Claims

Issue

Due to a natural disaster, a client incurred significant costs for repairs, insurance recovery procedures, and post-disaster resource needs. The client asked PwC to help provide information to third parties on the accuracy, validity and completeness of its claimed storm costs.

Action

We began by gaining an understanding of the control environment, internal business processes and specific procedures created for disaster-related costs. We also evaluated management criteria for costs and performed independent calculations of cost components. We then issued an opinion on management assertions.

Impact

Our client provided needed assurance to third parties and met its stated objectives. In the end, the utility emerged better prepared to deal with any future disasters and related cost recovery.
 

Addressing IT & Project Assurance issues

Case study 1

Issue

A company was moving from its legacy Enterprise Resource Planning (ERP) software to SAP. Having set an ambitious schedule, the company was concerned about project slippage and compliance with SOX requirements. The external vendor implementing SAP lacked controls experience, so the company engaged PwC to support the SAP implementation team with an independent quality review of project, controls, security and compliance.

Action

Deploying a cross-discipline team incorporating SAP, business process and SOX compliance skills, we focused on enhancing the client’s SOX controls to create a streamlined compliance process, leveraging SAP to enhance the future control environment and providing independent oversight to support a smooth implementation.

Impact

Phase I of the project was completed on spec, on time and on budget. The automated controls now in place are expected to bring a substantial reduction in compliance costs. Phase II, focusing on the future controls environment, is underway.

Case study 2

Issue

A large bank needed to strengthen the internal auditing and risk management of its complex, multilocation information technology group. The bank retained PwC for an internal audit co-sourcing arrangement and to help the existing IA department carry out several large-scale projects.

Action

Marshaling experience with the IA departments of several large banks, we performed audits spanning such areas as general computer controls; automated application controls; mainframe, network and operating system security; attack and penetration; and data privacy. The resulting reports provided key strategic guidance for management and the audit committee.

Impact

Senior management is armed with important information for managing the bank’s current technology risk and allocating resources to mitigate future risk.

Case study 3

Issue

A leading financial institution had identified information security as the number one risk it faced. Compounding this concern, the company relied heavily on a shared service model for IT operations and much of its information security processes and controls. PwC was brought in to assess whether the company had appropriate personnel, processes and technologies to address the related risks.

Action

PwC’s assessment helped identify risks to the client's data assets and gaps in the security organization’s staffing, processes and technologies. Using an approach that included interviews of business line and IT leadership, we helped pinpoint the high-risk data assets and infrastructure requiring strong security controls and processes.

Through technical reviews and comparisons against industry best practices, we reviewed the IT security organization in the areas of strategy and governance, security architecture, threat and vulnerability management, incident monitoring and response, application system development lifecycle, compliance and education, and access administration.

Impact

Our feedback outlined gaps in staff skills and identified process and technology enhancements that could yield a more mature and capable IT security organization. By adopting these recommendations, the client has implemented stronger security controls and is better equipped to meet challenges to its information technology security.
 

Addressing Performance Governance, Risk and Compliance

Case study 1

Issue

With rapid expansion at a Midwestern US restaurant franchise, management realized the company needed a more effective risk management process, which would both foster better decisions and help in implementing strategy. Similarly, the audit committee was looking for a more defined risk management program that would give them comfort that significant risks were being identified and managed. The company decided to bring PwC in.

Action

In discussions with management, we suggested an approach we considered a good fit with the organization’s size and culture. They accepted our approach and engaged our help in implementing it. We worked closely with risk management and internal audit leadership to develop an ERM program.

Impact

The company has a sustainable risk management process that gets on-point risk information to the people who need it, raises risk-consciousness and produces smarter decisions.

Case study 2

Issue

A large US bank’s consumer lending group was getting ready for an onsite exam by the Office of the Comptroller of the Currency (OCC). The exam was to focus on the new consumer lending laws, and the bank was concerned that its implementation of the new regulations was insufficiently comprehensive. After a rigorous competitive evaluation, management chose PwC both to review the bank’s comparison of current controls against the new requirements and to conduct validation testing of the new controls put in place to address the regulations.

Action

Our team reviewed the client's initial gap analysis and business requirements documents to gauge whether all regulatory requirements were included in the implementation project. We also reviewed existing policies for comprehensiveness in addressing the regulations. Based on those findings, we developed a detailed design and operational effectiveness assessment approach, beginning with walkthroughs of each of the key processes, followed by detailed transaction testing. During the review we advised the bank of the need for comprehensive policies and procedures (P&P) to avoid similar issues in the future. The OCC supported this view and requested that the company document its P&Ps in these areas. Accordingly, we executed a remediation phase and built out multiple policies and procedures across various areas of regulation.

Impact

Equipped with our findings, the bank was able to go to the OCC with an action plan rather than wait for the agency to present the issues. This was well received. In addition, the bank, which lacked the needed resources in-house, was able to react quickly to the OCC's remediation request.