A Defense Contractor's GRC Offensive

What a difference four years make.

In March 2004, defense technology company DRS Technologies had no internal audit department, faced significant challenges in meeting its first Sarbanes-Oxley Section 404 deadline, and relied on consultants to handle much of its initial SOX groundwork.

When Boeing veteran Steve Patterson joined DRS as its vice president, internal controls, later that month, he recalls that “it almost felt like I was working for PwC rather than the other way around.” Patterson's mission was daunting: Build an internal audit department from scratch at one of the world's fastest-growing defense technology companies during the brunt of Year One Section 404 compliance while competition for internal audit talent was fierce.

To date, the mission has been a resounding success thanks to Patterson's work on three crucial fronts: people, process, and automation. “As we built up the internal auditing organization, my initial sense flipped and it felt as though the PwC internal consultants did work for me, not the other way around,” says Patterson, who emphasizes that the battle to strengthen governance, risk management, and compliance (GRC) never ends.

Other important changes, including a useful risk-assessment approach and movement toward a more centralized enterprise-wide GRC program, also accompanied the development of the internal audit function. The tactical precision with which Patterson, his colleagues, and his bosses, CFO Richard Schneider and CEO Mark Newman, made key GRC decisions enabled internal audit to blossom during a busy stretch.