Welcome guest blogger, Jason Chiang. With RGP for nearly 8 years, Mr. Chiang has more than 20 years of experience and expertise in Audit, Risk and Compliance. He has consulted with a range of companies from financial services, biotech, manufacturing, healthcare and other industries. Mr. Chiang is a Certified Public Accountant (inactive) and Certified Internal Auditor. He has served on both sides of the house as a senior audit manager and senior auditor as well as a risk manager. It is evident that he understands the motivations and hurdles facing these organizations and approaches their complex issues with integrity and professionalism.
The following article was written by Jason Chiang (with editing support from Stephenie Buehrle). The approach and recommendations are his.
Not all roads lead to a successful IPO
When a company approaches its initial public offering (IPO), it enters a very different arena. Having access to public funds, that is the retirement savings of Main Street USA, the company must meet quarterly SEC filing requirements. This is a significant amount of work. An investment in the people experienced with technical accounting, SEC financial reporting, and Sarbanes-Oxley Compliance (SOX) evaluations combined with an investment in systems and tools to do the work efficiently and with completeness and accuracy is crucial to meet the filing deadlines.
One cannot audit all internal controls over financial reporting (ICFR). Thus, performing a SOX risk assessment is necessary to identify the significant accounts and their relevant assertions. If you happen to be one of these companies developing a road-map to your IPO, SOX may not be the place where you want to focus significant time and financial resources, but you realize that it has to get done. Be sure that you consider, at minimum, these critical components:
A risk assessment is the process of identifying significant accounts and disclosures and their respective relevant assertions as they relate to financial statements. A properly done risk assessment will allow the company to work smart by focusing its internal controls evaluation on the areas where there is a possibility of a material error.
The Risk Assessment must include:
- Quantitative factors such as account balance, frequency of transactions, dollar value of each transaction; and
- Qualitative factors such as complexity of related transactions, subjectivity of accounting rules over related transactions, and fraud considerations.
- As business and risks change, the risk assessment needs to be updated.
A narrative provides mid-level detail of the transactions and internal controls within a business process and includes who, how frequent, and in what location the transactions and controls are being performed. The initial creation of narratives provides the process owners an opportunity to revisit and reflect on the current processes, and make improvements for operational efficiency or control effectiveness. It is a written document that can be read by internal employees, internal auditors, and external consultants and auditors to gain a preliminary understanding of the process. As processes change, the narrative provides a format to document the change.
What critical things must be considered regarding Narratives?
- The narrative should be written knowing that auditors will be a primary reader and will be looking for controls that mitigate risks.
- When describing management review processes in the narrative, articulate how the manager gains assurance of the completeness and accuracy of the supporting evidence before signing off. If the manager is using judgment, describe the factors considered.
- Narratives should be updated as changes are implemented in the organization. The updates should follow a workflow where there is a review process for significant changes.
A control matrix lists the controls the company has identified to mitigate risks. The control matrix serves as evidence that identified risks are mapped to controls which are to be evaluated for management’s assessment of internal controls. The control matrix also is a primary client document auditors leverage to perform their independent test of controls.
Take care to ensure that:
- The controls in the Controls Matrix are mapped to risks.
- The Controls Matrix is in a format where it is sortable or reportable by controls mapped to risks for test of controls purposes, and risks are mapped to controls for an evaluation whether risks are mitigated by controls.
- Controls in the Controls Matrix should be labeled and provided an abbreviated title (10 words max) for ease of reporting and reference purposes.
Testing is the evaluation of design and operating effectiveness of the company’s controls. The results of testing of controls provide company management with a baseline that might have impacts on strategic and operational decisions. For publicly held companies, testing is an SEC requirement.
Critical considerations for testing:
- It is important, if deemed necessary, to be able to re-perform the actual control performed by the employee (e.g. for a 3-way match of purchase order, invoice, and shipping docs, test that an employee had performed this and has evidence of such, rather than the auditor requesting the 3 docs and testing oneself).
- When testing management review controls, one cannot just accept sign-off, but needs to understand the steps and judgments used by the manager, and test accordingly.
- The documentation of testing should allow someone else to reasonably re-perform the testing. If testing is being relied upon by external auditors, then the breadth of documentation is more important. If not, not all needs to be retained, but should be readily retrievable when needed.
Control owners certify to the CFO and CEO that controls are operating effectively on a quarterly basis, and if not operating effectively, the remedial action plans. The control owners are held directly accountable for their controls as they are certifying to the top two officers of the company.
Recommendations for certifications:
- The number and level of person certifying to the CFO and CEO should be carefully considered. The level should be their direct reports and one level removed to maintain the efficiency and integrity of the certification. If it is a larger organization, there can also be sub-certifications up to the senior manager level.
- The certification questions should have a combination of checklist questions as well as open-ended questions to encourage a thoughtful process.
- Utilizing software for tracking, follow-up, and retention purposes is advised.
Depending on the number of people involved with the inputs into the various components, one might decide that performing and capturing the work in Excel is sufficient, while others might prefer utilizing a SOX tool where there are extra protections in version control while allowing multiple users to perform inputs simultaneously in multiple locations. A SOX tool may also provide management with options for review, analysis and oversight that are not available in Excel.
To avoid unexpected setbacks, be sure to plan enough time into your IPO readiness map for SOX evaluations. The initial SOX program development and implementation is likely to require six months and can vary depending on your access to subject matter experts. Coordination and alignment of the SOX efforts and objectives among the audit committee, senior management, process owners, and internal and external auditors is paramount for a successful implementation.
If your organization is approaching your initial public offering and you’re interested in learning more about how RGP can support you with subject matter expertise and a tailored technology solution to help ensure that you are prepared for your SEC filing and financial reporting requirements, reach out to us (Information@policyIQ.com, 412.263.3330) and we’ll connect you with our RGP colleagues near you!
Many organizations have pockets of well-developed and maintained policies and procedures. Leaders in various business units might have overseen the development of certification processes (“I have read and understood the policy…”, “I have not observed fraud…”). Fewer, though, are the number of organizations that have a coordinated enterprise strategy on policies.
GRC 20/20’s Michael Rasmussen had this to say about a strategy on policies:
We could write a series of posts delineating how policyIQ provides powerful technology support for a coordinated enterprise Policy Management strategy. For this post, however, let’s focus on Rasmussen’s last sentence in the paragraph above. policyIQ houses a comprehensive audit trail comprised of a number of features that allow the history of changes and versions to be examined from a variety of perspectives.
Version History is retained on all policyIQ content. It is possible to examine exactly what was presented in any version at any point in the content’s history. Attachments to documentation (evidence, forms, supplier documentation, etc.) are also retained for historical review.
Change History is even more specific than Version history. This feature of policyIQ tracks specifically who made changes to content, what change was made, and when—dating all the way back to the inception of the documentation.
The viewing history of each page in policyIQ is also tracked. Do you want to know if that employee or the external auditor accessed the content last week as was reported? policyIQ can tell you.
The ability to create and tailor certifications, attestations, and questionnaires and to customize how they are made available or scheduled for delivery leaves endless possibilities for organizations wishing to gather information from employees (and third parties) on their commitments, agreements, observations, performance, opinions and on and on. The “Forms” functionality in policyIQ eliminates the risk that an employee’s response will be overlooked in the sea of email.
All of these changes are made ever more valuable with the associated reporting features. Do you want to know who made changes to Accounting policies in the most recent quarter? Maybe you escalate a monthly review of any Exceptions documented on Information Security policies. Can you easily identify all procedures, projects, divisions or positions that will be impacted by the technology that you’re scheduled to replace? Yes—with policyIQ, you can.
Snapshot at a Point in Time
And if all of that wasn’t enough, policyIQ also allows organizations to schedule the capture of a complete backup of their database, called a Snapshot, containing all data at the time the Snapshot was captured. Snapshots are a free benefit to policyIQ clients. While it is not common, it is an invaluable service to be able to present and review content as it was two years ago on that day in May, let’s say. For a small fee, clients also have the option to request an electronic extract of all content from their policyIQ site that they may provide in the event of an investigation or audit.
Safe and Direct Access
If the need presents itself, it is possible to provide investigators, auditors, litigators or other specified parties with direct access to your policyIQ site. This type of access would allow them to review documentation in the application and save on legal fees or administrative fees for copying or making information
RGP has received positive reviews for the breadth and depth of the audit trail provided in policyIQ. And while we have a number of testimonies to the value that these features and services have yielded for various functions and divisions of our clients, that value is exponentially greater when applied enterprise-wide.
Maybe we’ll have to circle back to talk more about Michael Rasmussen’s related blog post and how policyIQ can help you to combine Case Management and Policy Management without sinking a huge investment of time and money into a big GRC platform. RGP has you covered with the subject matter expertise and technology there, too. Feel free to reach out to us directly if you’d like to know more or explore your options sooner than later!
After three days filled with auditors, firms, software vendors and everything in between, the 2018 GAM was a special blend of thought leaders from around the globe. Some of the brightest minds in the industry were on hand to provide insight and perspective on all things audit – with a few areas sticking out to all of those in attendance.
AI – Artificial Intelligence/Robotics
For the second time in as many years, Artificial Intelligence was a topic impossible to avoid – much like its expected impact on the industry’s future. While many speakers touched on the impact it has had in test environments and among early adopters, a common trend was something that wasn’t immediately expected – fear! Most attendees are auditors themselves, or lead audit teams in a Chief/Director of Audit role. The implementation of AI and Robotic systems will ultimately lead to a decrease in demand for audit work hours, and surely, auditors themselves. With the thought of audit team size shrinking in coming years looking like a sure thing, a few speakers provided some comfort and reassurance to those in attendance.
In short, automated systems like AI and Robotics are going to be great for taking repetitive, manual tasks out of human hands. However, these systems will need to be observed and checked for accuracy a LOT early on. Furthermore, the systems themselves are a source for additional auditing needs – creating additional work for perhaps smaller audit teams in the future. Finally, a few of the Chief Audit Officers in attendance are expecting that, while the repetitive parts of the audit team jobs may move to automated systems, their newly found “free time” won’t necessarily translate to job loss or going home early! In fact, these executives plan to challenge their teams to spend their newly freed up time on areas that are maybe not investigated as thoroughly as they should be – providing a more complete audit of the business, aided in part by AI.
Another hot trend continues to be the need for analytics, and finding the appropriate ways to use graphical representations of data. As more and more companies seek software packages to provide documentation sharing, workflow and reporting capabilities, the visual representation of this data becomes even more critical. Executive teams don’t wish to look through numbers and decipher data – instead, graphics provide a high level overview of the audit and quickly show where gaps may be, tests have failed, or any other arrangement of data.
Agile – EVERYONE Needs to be!
On more than one occasion, attendees pointed out that their small audit team was “too small to be agile”, and could not invest time/effort into becoming more agile. This is exactly the reason why you’d want to be more agile! Small audit teams particularly don’t have the luxury of moving work from one group to another. In fact, many auditors work long hours and are overworked during “crunch time”. Investing time in automating as many processes as possible and improving communication will greatly improve agility and reduce the overload of work that many teams feel.
Stay tuned for more information from the 2018 General Audit Management Conference, trends, analysis, and what we can look forward to next year!
RGP is hearing from Public and Private companies who are working to get a handle on their Revenue Recognition compliance efforts. As with many new initiatives, most of those tasked with the responsibility of rolling out a contract review process began with authoring the process in Excel. This particular process, more than some, requires a number of people with varying technical skills and technical accounting expertise to work through a long checklist or multiple spreadsheets full of questions and considerations. And, like many others, these teams are racked with frustration over the common ills of spreadsheet-based processes:
- Almost as soon as the tool is put to use, the version is out of date and the data does not reconcile with other versions.
- It is difficult to track and understand which version is the latest or the “best”.
- Often, spreadsheets are not properly secured and suffer unintended changes.
- Changes to data attributes in the spreadsheets can have significant impact on conclusions.
- Sharing and communicating lessons and conclusions is a massive and disjointed effort.
- It is difficult to roll-up the results from multiple spreadsheets for analysis and reporting to management and auditors.
- If multiple people must work in and make adjustments to the spreadsheet, it can be remarkably challenging to trace the changes back to the appropriate party.
- It is virtually impossible to dictate order of responsibilities and to consistently communicate and enforce an approval process.
RGP has a few remedies that can help you to treat or avoid these ills.
Private Companies – RGP has a proven Revenue Recognition solution that can help companies from your early assessment through planning how you will fill gaps in policies and systems and can aid your team with the implementation of agreed upon solutions, controls, policies and associated training and communication.
Public Companies – Those who worked to tackle ASC 606 compliance on your own in year one can certainly still call on us to evaluate your program and to identify and guide you to address and close gaps.
All Companies can take advantage of RGP’s proprietary tool, policyIQ, to remedy the ills associated with spreadsheet based processes. Companies have the option of
- leveraging the flexible and configurable policyIQ to automate your own checklist or questionnaire or
- adopting the RGP solution with pre-built templates that guide the reviewers through the contract review process.
Contact us to learn more about our technical accounting expertise, project support, and proprietary technology: support@policyIQ.com.
policyIQ Product Manager Travis Whalen will be representing policyIQ at the 2018 GAM (General Audit Management) Conference on March 12-14 at the Aria in Las Vegas! Come by the RGP booth to learn more about RGP’s premier consultation services, professional service lines, and areas of expertise – all across the globe.
In addition, Travis will be on hand representing policyIQ – RGP’s SaaS (software as a service) for many areas of the Governance, Risk and Compliance world. Stop by to learn about our highly customizable software solutions for organizations large and small, public and private, including:
Stop by the RGP booth to say hi to Travis, learn about RGP, and take a peek at policyIQ! We hope to see you there.
We’ve talked a lot about the breadth of industries that are served by policyIQ, and the diversity of our users. When it comes to who can benefit from policyIQ, we have yet to find an organization for which we have no value to add. We also recognize that some industries and niches need our product more than others, and community credit unions are a perfect fit.
Community Credit Unions Need policyIQ
While financial regulations can be intense and difficult to navigate, community credit unions need compliance technology that is simple and easy to use.
- Fast and easy setup
- Simple navigation, with little user training required
- Flexibility that allows a single technology to be used for many needs
- Incredibly low cost for small teams
- Dedicated user support team committed to exceptional service
Are you exploring compliance technology for your organization? Find out how policyIQ meets your needs by contacting us today!
With policyIQ 7.9 just around the corner, customers have been asking, “What’s next?” The answers are exciting, and a welcome sight as they enhance current policyIQ features and provide increased flexibility and a better user experience that saves time and clicks moving forward.
Many clients have sought a way for their users to access critical business information – faster than we have before. Common questions have centered around their users’ folders – “How can my users get to THEIR content faster and with less clicks?” The answer comes in the form of Favorite Folders in policyIQ 7.9. Each user’s account will be able to mark any number of folders in the structure as favorites, and access them from a separate, smaller structure – making the process of accessing their relevant content easier than ever.
With the addition of Field Rules and Calculations in policyIQ in version 7 releases, double checking the proper application of these properties is imperative – especially with several of each going on at once. The Page Template preview window will now operate much like a “test page” of sorts – with Rules and Calculations each operating within the template preview window. Historically, a user would need to create a few actual pages to test out the application of their rules/calculations. This can now all be done in preview, requiring fewer steps to ensure your work has been added how you like.
Have a field on one template that you want to use on another? Getting this set up has never been easier. Fields can now be copied from one template to another with just a few flicks of the mouse! Easier maintenance, and much faster work.
And finally, policyIQ will introduce a new HTML editor for long text fields on pages and forms! Complete with a new pasting option, the enhanced editor is a simpler and easier to work with HTML editor. The new pasting option is specifically designed to aid users that copy content from Microsoft Word and paste directly into policyIQ HTML fields. This copy feature is built with code that targets, reads, and aligns the formatting challenges that many web HTML editors face when having content from another program pasted into them. Formatting is copied over to the editor with near perfect results, regardless of where the content comes from!
We also have developed several smaller additions that will help administrators clean up their sites, including a fast way to strip file attachments, copy pages and so much more!
There’s a lot to look forward to in policyIQ 7.9. Please send us your questions and comments, and you’ll be hearing from us very soon.