Cornerstone Building Brands Reconstructs Internal Audit and SOX Compliance, Saves $1M+
- Forced to manage SOX program using 2,500 different Excel files across 25 business units
- Spent an average of 30 hours per control
- Faced with less than 10 months to fully implement a new, combined SOX program
- Executive team has high level of visibility not previously available when these were performed manually
- Reduced time spent per control by 77%
- Went from $1.5 million in SOX consultant costs in FY 2019 to zero in FY 2020
Why They Chose Workiva
- Internal Audit Management
- SOX Compliance
Cornerstone Building Brands (Cornerstone), the largest manufacturer of exterior commercial and residential building products in North America, was created through the merger of NCI Building Systems and Ply Gem and continues to grow through acquisitions.
Whenever organizations merge to create a new entity, efficiencies and redundant functions are given tight scrutiny. For Nancy Jordan, VP of Internal Audit for Cornerstone, the merger was also the perfect opportunity to cement Workiva in the new organization's risk function.
An impressive recommendation
Nancy was first tipped toward Workiva by an unlikely source—one of her audit committee members. As a board member and former CFO of a company using Workiva, he recognized the potential of the platform for Cornerstone, who was still juggling hundreds of Microsoft® Excel and Word files at the time.
Looking back on the situation, Nancy knew Workiva was the right choice. "That, to me speaks volumes, when I have an audit committee member coming to me and saying, 'You really need to look at Workiva,'" she said.
After onboarding Workiva, the efficiencies Nancy saw with the platform were incredible. She quickly realized this solution was the only path forward to harmonize two disparate control programs. She had less than 10 months to fully implement a new, combined SOX program—which included documented process narratives, walkthroughs, and all control testing.
Workiva: "A game-changer"
Before Workiva, Cornerstone's situation was complex at best, said Nancy. Cornerstone is divided into two halves—commercial and residential—with legacy elements from the commercial and residential components of the premerger companies.
"Even just from the legacy commercial side," she said, "every time we tested, we were using Excel spreadsheets for 200 controls, and each one of them sometimes had up to five tests."
All totaled, there were about 2,500 different Excel files, over 25 business units, plus time tracking, plus shared drive management, plus receiving and sending each file by email. And, her team of eight spent an average of 30 hours per control.
That's just one side of the business.
"I don't know what we would be doing right now without Workiva," said Nancy. "Now, we've been able to harmonize it. We do all of our PBCs, walkthrough phases, and population requests in Workiva. Everything we have is in Workiva, and it has literally been a game-changer for us because of this."
Additionally, the quarterly sub-certification and foreign sales questionnaires are completed within Workiva. Feedback from the executive team has been tremendous. They've praised how much easier it is for them to not only complete the forms, but also have visibility into support not previously available when these were performed manually.
Cementing efficient external audit work
When Cornerstone was created, the two previous entities shed their external auditors and signed up with a new one. Nancy took the opportunity for this new partnership to flex the capabilities of Workiva and construct a better working relationship with their new external auditor.
One simple capability of Workiva opened incredible new doors for Cornerstone and their external auditor: the ability to access hundreds of large spreadsheet files through a single spot.
"Can you imagine sharing these files electronically through email?" said Nancy. "It just wouldn't have happened."
Aside from the ease of use, granting their external auditor access into the Workiva platform cut back on the ad hoc requests her team received—where is this file, has this file been tested, and so on. The external auditor also has access to view the PBC report that provides status of the request, as well as access to view and download any support provided by the control owner.
"As we're doing our testing, they can go ahead and do their testing. Then they don't have to bother us," said Nancy. "So that's been much more efficient, and it's made the process owner that much happier because they have one system they can go to."
"Huge efficiencies" in time and cash savings
Given the complexities of Cornerstone's compliance process—exacerbated through numerous business units, hundreds of controls, and disconnect with external parties—much of the SOX process relied on resource assistance and support from consultants.
With the time savings gained from Workiva throughout their process, they've taken that work back from outside SOX consultants, and saved a ton in the process
"We spent $620,000 in consultants to help us with SOX in FY 2018. In FY 2019, I spent $1.5 million. In FY 2020, the year COVID hit and life as we knew it changed, I spent zero. We were only able to do this because of the Workiva solution."
Aside from the purely financial savings from using Workiva, the team has also been able to quantify a time savings through the platform's time tracking capabilities.
"For FY 2019, we spent roughly 30 hours per manual (business process) control, which is way too high," said Nancy. "I am happy to share we averaged seven hours per control during FY 2020, which included first time testing for five business units. Again, huge efficiencies within the team."
Helping paint a beautiful picture
In FY 2020, the team implemented and completed the SOX risk assessment within Workiva. This effort involved mapping over 20 different balance sheets and income statements with controls while considering materiality. The risk assessment was shared with their external auditors for agreement, and a plan developed for what would be in scope for FY 2020.
The development of the risk assessment within Workiva brought to light four business units never previously in scope for SOX for certain controls. Per Nancy, “This was an eye-opener for everyone as these had historically been assumed to be immaterial.”
With the blueprints in place, the team at Cornerstone can take what they've accomplished this year and replicate it next year, said Nancy.
"That's what's so beautiful about Workiva," she said. "Now that this is set in place and it's in Workiva, we just have to drop in the financial data, and it will just update itself."
And it's not just her team that has taken notice—her hard work and bottom-line impact has piqued the interest of Cornerstone executives, including the CFO.
"He loved it," Nancy said about her risk assessment presentation to the company's CFO. "He was so impressed, he wanted me to share it with the executive committee and all the divisional business unit presidents. You show a president of an operating unit, then they get the picture."
And, Nancy and team are not stopping there. For FY 2021, they are implementing 1) quarterly control certifications that will require each control owner to certify their controls, 2) process owners receiving tasks within Workiva to review and update process narratives 2–3 weeks in advance of process walkthroughs, and 3) leveraging, as part of the roll forward feature, the standard PBCs that were created in FY 2020.
Microsoft® Excel and Word are trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.