Schellman’s Single-Provider Project Management Methodology
Remember when Tom Brady signed with the Tampa Bay Bucs? They clearly felt he could lead their team to new heights, as they agreed to pay Brady $30 million a season. Such an investment was no doubt made easier given Brady’s playing history—the quarterback had previously led the New England Patriots to 17 division titles and six Super Bowl titles. The Bucs knew he was a proven winner, and elected to trust Brady could do the same with his new team.
What does football have to do with compliance? Choosing an auditor to help you with compliance is a similar investment. And while selecting a firm to do one job or assessment is one thing, trusting a single provider with all of your assessments is a whole other level of trust.
There are big benefits to bringing all your compliance projects under one assessor, but—just like Tom Brady proved he could bear the pressure and lead a team well in his 20 years on the field—you’d probably feel better about working with a single provider if you knew how they would handle it all.
Schellman is a single-provider cybersecurity assessment firm—our complete suite of services is broad and many organizations have opted to use us for their entire slate of compliance needs, but are we your Tom Brady?
To help with your decision, we’re going to describe what our project methodology looks like when we manage several different projects for a single organization. We have a catchy name for it in CODE, but in detailing our approach, we’ll provide you with the transparency you need to make the best decision for you.
The Foundation of Schellman’s Assessment Methodology – Our C.O.D.E
When we approach any new compliance project for a client, we customize our project management approach to best suit them, but—of course—those with a large portfolio of engagements, covering multiple systems and multiple types of services, inherently require significantly more focus and attention.
Because it’s not just about “managing” so much at once—you want a collaborative audit partner capable of managing and executing these projects in a coordinated fashion that enables you to maximize efficiencies and minimize the internal level of effort.
Schellman has a proven track record of this, and in fact, it’s one of the main reasons our clients choose to partner with us.
And when we do work with clients that have a large portfolio of compliance reports—including many of the Fortune 500—we’ve found that several core concepts form the foundation for our effective project management.
We call them our Schellman project management C.O.D.E.—Consistency, Organization, Dedication, and Experience.
When we say consistency, we mean that we maintain continuity of the account management team, project management teams, project leads, and other project resources so as to foster consistent performance, communication, and deliverables.
We understand it’s easier for you to work with the same personnel on projects—especially when there are multiple initiatives at once, to help keep everything straight—and so, we assign capable employees in roles to achieve continuity. (This is admittedly easier for us due to our low turnover rates.)
You may be thinking that this is obvious, but at Schellman, our value of an efficient, orderly approach to tasks pushes a bit beyond the norm.
For employees to advance in their careers here, they must demonstrate their organizational skills and attention to detail, and this plays into the selection of managers and other resources to staff engagements for clients with large portfolios—given the size of their responsibility, we do use organizational skills as a metric to select individuals for these assignments.
If you’ve worked with other firms, you might’ve noticed how they shift resources around from client to client, and those staff members often work on multiple engagements at a time.
At Schellman, we dedicate management teams to oversee clients for their tenure—our people are dedicated to one client and one project at a time, for the duration of our engagement together.
The last critical pillar of our project methodology is our arguably unparalleled experience. Our assessment staff is entirely comprised of experienced talent that has come over from the Big 4 and other large firms. On average, our experience levels average out like this:
But it’s not enough to have experience—once assessors come aboard, we further train and equip them internally—we don’t rely on our clients to do that. During this regimented process, we expose our people to myriad systems and environments so they can quickly develop the understanding needed to audit new systems, outfitting us with a versatile staff capable of effectively and efficiently assessing everything one client with multiple compliance projects might need.
How Does Schellman Manage Multiple Compliance Projects at Once?
With our C.O.D.E as a solid foundation, we’re positioned to collaborate effectively with clients using a systematic approach to achieve the desired results for their engagements, which involves the following:
1. Planning Period
It starts with thorough planning. Our leadership team will work together with you and our project managers to create a holistic plan that—if necessary—encompasses potential enterprise-wide testing for each audit or group of audits. Before we can compile that, we’ll work diligently to:
- Understand your systems and environments in advance.
- Centrally coordinate meetings for a system that’ll be involved in multiple audits.
- Map requests to eliminate redundancy, as our managers will be tasked with ensuring that requests are tailored to specific systems.
- We’ve found that reviewing controls with contacts to refine requests in advance of fieldwork helps ensure that our requests are clear and concise and are in line with our contact and SME expectations without becoming redundant, allowing us all to avoid confusion or delays during fieldwork.
There’s no getting around the impact audits have on your internal control owners and subject matter experts—they’ll need to answer questions and pull evidence, and that’s time that could be spent on products. But, at Schellman, we focus on minimizing disruption wherever possible, including eliminating unnecessary meetings and duplicate requests—and those aren’t just empty promises.
Regarding our approach to requests alone, we’ve seen a reduction rate of 50% or more when consolidating similarly scoped assessments such as SOC 2 and ISO. And while some separate documentation and reporting are still required for the component reports, we still see a reduction of 15% or more time in that area, generating time and cost savings for our clients.
In doing this, our centralized management team and project leads will serve as your primary contacts for engagements—everything from questions on the aforementioned requests to status updates will be filtered through them. These leads will also help ensure project teams are coordinated in the execution of audits and not operating in silos so that you receive consistent, organized communication during your experience.
Moreover, throughout each assessment, we continuously review and evaluate established mappings and project timing to identify additional efficiencies to be gained and potential synergies to further optimize audits. With such well-established habits and the groundwork done, should you need to scale up and add more assessments, we’ll be able to meet those needs without any further impact on you.
Further Benefits to Schellman’s Single-Provider Methodology
If you’re an organization with a lot of compliance needs, we understand that identifying key metrics and meeting / exceeding them is crucial for you to achieve internal objectives. We always prioritize these and hold ourselves accountable in various ways:
- Fixed Fee Pricing Model, which ensures our goals are consistently aligned with yours in providing high-quality, efficient engagements.
- Flexible Reporting through our AuditSource tool, which provides real-time visibility into project-level key performance indicators (KPIs)—we’re also able to provide separate status reports to address other KPIs of interest, depending on what best suits your needs.
- Live Comparisons as we encourage our clients to develop metrics for our performance. In the past, we’ve been evaluated against other firms—including the Big 4—and have proven to save organizations time and money with our efficiency.
Consolidating Your Assessments with Schellman
Managing different audits being performed by different vendors can be exhausting for your internal compliance team, making consolidation under one assessor an attractive option. As just one of your options, we understand that your making such a move will mean placing all your trust in the right firm.
Tom Brady was a similarly huge investment for the Buccaneers, and as it turns out, it paid off—with his leadership and experience, they won a Super Bowl in his second year with the team. While Schellman isn’t capable of a Super Bowl, we do have a proven methodology for scaling as a single assessment provider, as you’ve just learned—methodology our client Lumen has already trusted to great success.
But, we also can appreciate that you’re not just going to bank completely on our team and process without a more detailed conversation, and we encourage you to reach out to us so that you can determine more certainly if we’re the right firm for you. In the meantime, you’ll also be considering your other options, and our other free resources can help you vet those as well:
About Andrew Broderick
Andrew Broderick is a Manager in the SOC Services practice of Schellman. As a part of the SOC Services group, Andrew helps clients solve problems and explore new areas for improvement based on the organization’s adoption of new processes and technology. Prior to joining Schellman, Andrew worked in internal audit for six years, including four years in IT audit performing NIST SP 800-53 assessments, ITGC evaluations, and application development consulting engagements. During this time, Andrew attained the Certified Information Systems Auditor (CISA) certification and gained experience with numerous control frameworks, platforms, and databases including Windows, Unix, and DB2. In addition, his experience includes nearly four years of financial statement audit and tax compliance at a regional Certified Public Accountant firm in Columbus, OH. He attained his CPA license while serving clients in the manufacturing, hospitality, and not-for-profit industries.