Usage Grows to Address IT Risk and Audits
Business challenge: Manual processes were hindering visibility and efficiency around SOC and SOX compliance, with the CIO and Chief Accounting Officer pushing for improved insight.
Solution: ZenGRC provides a single, automated system of record for all programs, going beyond compliance to improve risk management and internal audits. With an enterprise-wide source of truth, Bluegreen has insights and analysis to simplify audit and compliance management with easy access to information and continuous monitoring.
“ZenGRC was simple, yet powerful, and it was clear after seeing just the first product demo that the solution could address what we were trying to get done — quickly and affordably. Then, the ZenGRC implementation team made it clear they understood our pain points and had people in place, including GRC experts, to get us deployed ASAP.”
William Haines – Director, IT Risk and Compliance at Bluegreen
Manual Processes Hinder Visibility — and Speed
“When I started at Bluegreen, we conducted our SOC and SOX audits with spreadsheets and emails, as is the norm at many organizations. We were getting the job done, but it was cumbersome, requiring ongoing exchanges with internal staff and auditors to ensure individuals had what was needed to move the audit towards completion.” — William Haines, Director, IT Risk and Compliance with Bluegreen
Manual processes also impeded real-time visibility into audit progress. For example, the company’s SOX audit is run in multiple phases, each having upwards of 250 requests. Bluegreen’s CIO and the company’s Chief Accounting Officer wanted instant audit insight, with information at their fingertips about status and remaining outstanding tasks. In addition, the final 60 days of the audit period would be a mad rush to finalize items to meet the deadline, leading the organization to seek out a trusted GRC solution to be done with spreadsheets for good.
A Cost-benefit Analysis
When conducting its search for a GRC solution, Bluegreen was focused on functionality, but also cost. Yes, features were key, but so was a fast and easy implementation without extravagant licensing fees, as the infosec team had to secure management buy-in to get the purchase approved.
“ZenGRC was simple, yet powerful, and it was clear after seeing just the first product demo that the solution could address what we were trying to get done — quickly and affordably. Then, the ZenGRC implementation team made it clear they understood our pain points and had people in place, including GRC experts, to get us deployed ASAP.”
Two Buyers Better Than One
To broaden the value of ZenGRC across Bluegreen, the IT group asked the mortgage department to also participate in the ZenGRC demo, recognizing the potential benefits the solution could bring to their mortgage-focused SOC audit.
“We wanted a business stakeholder to get on board with ZenGRC, so the purchase wasn’t purely IT-driven. And, no surprise, the mortgage department loved it, resulting in us becoming co-sponsors of the solution, which proved instrumental in getting us implemented.”
Enterprise Risk Management — an Added Bonus
Bluegreen’s solution requirements were initially focused on supporting its SOC and SOX audits. However, once ZenGRC was in place, the organization realized the same automation, visibility and efficiency benefits could help reduce its risk exposure — addressing vulnerabilities from a single application.
“Risk was not a criterion we were trying to solve, but when we started using ZenGRC, we saw an opportunity to broaden usage and reduce any lingering manual IT risk management processes. Today, we use the platform to help identify, track and remediate risks, and have fast visibility through reporting to see where we stand at any given time — and communicate that insight to management.”
Internal Audits Benefit, Too
But Bluegreen didn’t stop with compliance and risk. The organization is also using ZenGRC to support internal audits of its 100-plus enterprise applications, enhancing data privacy, particularly among newly onboarded SaaS solutions.
In addition, while the mortgage department was an early user of ZenGRC for SOX, Bluegreen’s accounting group continued to use their own processes for the framework — a massive undertaking with more than 100 business process controls. When the organization decided to decommission the application used by accounting, the group was left looking for a new solution.
“Accounting started talking about the need for compliance software and we were quick to say, ‘Wait a minute, we have a solution in place and ready to go.’ And the beauty of it was that our internal auditors on the IT side, who are involved with SOX controls processes, had already been using ZenGRC for internal audits, resulting in an extremely fast transition.”
Kudos from CIO — and Third-Party Auditing Firm
The feedback from Bluegreen’s executive team has been fantastic, with the CIO maintaining up-to-date visibility into risk status, risk posture and which risk areas require the most attention. In addition, the company’s third-party SOX auditor, a regular user of ZenGRC, finds the platform intuitive and simple to use, driving efficiency for internal and external users.
“Knowing exactly where we are during the course of any audit, at any point in time, has been a game changer. The time and effort it took us to manage audits and compliance has easily been cut in half, replaced with newfound efficiency and a trusted GRC foundation that benefits our entire organization.”