A common and easy use of policyIQ is to collect certifications for Sarbanes-Oxley Section 302 compliance. For companies already using policyIQ to manage SOX Risks, Controls and Testing, expanding the scope to include 302 certifications is a natural step. But even if you are not already using policyIQ for your SOX work, consider the savings – in both cost and time – that can be gained by putting your certification process online in policyIQ.
What is SOX 302 certification?
Each quarter, a company sends up to a few dozen questions to managers and other individuals across all of its departments, to be completed before the CEO and CFO certify to the financial statements.
These questions are often similar to the Audit Representation Letter that an external audit firm will collect from a company’s top financial officer prior to issuing an audit opinion. That letter asks questions about subsequent events, significant changes to accounting policies, and other material events. In fact, in the first year of SOX we saw a number of companies copy that letter and get it signed by various department managers before the CFO or Controller signed the copy for the auditors.
That process has evolved to the point where a typical employee now answers two types of questions: general questions that everyone answers, and questions specific to their position (e.g. HR answers some HR-specific questions). Our own company, Resources Global Professionals, has over 100 people around the world answer 10 or more questions for each quarterly certification.
How would I go about setting this up in policyIQ?
Using policyIQ to collect these answers is a straightforward use of our Forms functionality.
- Create a Form Template for each set of questions, organized by topic. For example, our Compliance with Laws and Regulations Form Template has 3 questions that everyone answers:
  - As a manager, I am responsible (along with other members of management) for my location(s)’ compliance with all laws and regulations.
  - I am not aware of the company’s violation of any laws or regulations during the most recently completed fiscal quarter, or from the last day of the completed fiscal quarter until today.
  - I am not aware that the company has received any communication from the government or other regulatory agencies regarding an investigation of the Company’s operations.
- Assign each Form Template to the appropriate user groups. Remember that every member of a group assigned to a Form Template answers all of the questions on that Template – so when creating your Form Templates in the first step above, group questions both by topic and by who will be answering them.
- Add those Form Templates to a Form List to make assigning them each quarter just a few clicks.
- When you are ready, Run the Form List and then monitor your answers! Remember, users only need to be Standard users, not Advanced, to be able to answer these questions.
Do you have some best practices or recommendations?
A number of policyIQ clients are already using Forms to manage their SOX 302 process, and there are a few lessons to learn from their experience.
- Word the questions for consistent “positive” responses. For ease of reporting, most companies will write their questions consistently so that it is easier to identify answers that indicate issues. For example, at Resources Global, questions are written with Agree/Disagree answers, where Agree is an “affirmative” answer and Disagree indicates a potential problem.
- Use Groups. Assign Form Templates to groups rather than to individual users wherever possible, even if a group such as “HR Director” contains only one person. When your organization experiences turnover, you simply add the new user to the appropriate group and none of the Form Templates need to change.
- Build fields for issue resolution. Create one or two fields on each Form Template that can be seen only by the person administering the questions. For example, at the end of each Form Template you can create a Dropdown field with choices for “Issue reported” or “Not an issue”, and then a Rich Text field for “Follow-up Comments”. If a person provides a negative answer to one of the questions, these fields can be used to document the investigation and to identify whether it is an issue that the CFO or others need to be made aware of.
Is your organization already using policyIQ for SOX 302 certifications? Share any additional tips or advice in our comments. If you’d like to learn more about using policyIQ for SOX 302, please feel free to comment or contact support to speak with one of our team members.