March seems like an odd time to be talking about fresh starts. The new year has come and gone, leaving us firmly entrenched in 2010. (By now you have probably even stopped instinctively writing “2009” when you write out a check!) But March is a key month for many of our clients who are using policyIQ to manage their Sarbanes-Oxley or SOX-like compliance documentation. If your fiscal year ended in December, you’ve recently finished up your 2009 testing and you are wrapping up the reporting on that last testing cycle. And now? Well now it starts all over again. Lucky you!
Every year at this time, the prevalent question on the minds of many of our clients is “What is the most efficient way for me to roll-forward to start my new testing cycle?” That’s a GREAT question.
There’s no right answer (but some answers are better than others)
When it comes to how you should roll-forward for a new testing cycle, there is no one right answer. However, we do have some popular alternatives that we’ve outlined below, with the benefits and potential complications of the different options.
1.) Unpublish Test pages and clear out data for a new version
If you choose to unpublish your existing Test pages for the new testing cycle, you are choosing to create a new version of the Test page for the new testing period. Your previous period’s testing results will be retained in the version history, but will not be accessible in reporting.
+ Fewest number of pages in your policyIQ site (compared to other roll-forward options)
+ Testers will have easy access to last year’s test results in the version history on the same page
Watch out for:
– Does not allow for reporting in policyIQ on past period’s testing results. You can only report on the current period.
– Attachments will be retained when the Test is unpublished, so Testers should be reminded to remove any old supporting documentation before beginning the new test cycle.
– Test pages will have a vast version history, which cannot be purged. Not optimal with regards to database retention or size management.
We do tend to steer clients away from this process, specifically because of the reporting limitations when it comes to prior year’s testing results. While it seems to be the most efficient, keeping prior years’ Test results in the version history puts a lot of constraints on your ability to create comprehensive reports. That version history will also become “heavy” with lots of versions and older attachments, which cannot be purged from policyIQ. However, if you are using this process, you can maximize your success by:
a.) Utilizing the “Database Snapshots” to capture a point in time view of your data at the end of each testing cycle. If you need to report on a prior period, you can ask our policyIQ team to restore the snapshot in order to run those reports.
b.) Keep copies of key reports stored as Excel or PDF files in policyIQ. Once you have run the period end reports, export the files to Excel and then save that Excel file back to policyIQ. You will always have access to the report results from the policyIQ site as a static point in time result set.
c.) Keep your attachment sizes small when possible. This is just good sense for any site, but if database size management is a concern, consider issuing standards for attachments: Excel files should be zipped and PDF scans should be at the lowest reasonable resolution or quality. (Stay tuned for a blog post later this month on database size management!)
2.) Copy Test Pages
Rather than unpublishing your Test pages for the next testing period, many clients will copy those Test pages to create a brand new page for their new Test results. With the ability to create a report of all Test pages from your last testing period and the ability to “bulk” copy all of those Test pages, this process is very efficient. Even better – when copying your Test pages, you get to decide which fields will be copied over and which fields will be left blank. Copy Test Steps, but leave Test Results blank!
When it comes to the Narratives, Risks, and Controls, you are unpublishing, updating and republishing only as necessary when changes are required. Risks tend to be pretty static, while Narratives and Controls may change just slightly from year to year. Those changes are captured, with older versions accessible in the version history of those pages.
+ Ability to report on all Test Results period over period.
+ Copy only the specific details on your Test pages that are consistent from one testing period to another.
+ Retain only one copy of the Narratives, Risks and Controls pages to minimize the number and duplication of pages (compared to option 3 below)
Watch out for:
– As you continue to use policyIQ year over year, the number of Test pages that reside in your Folders will continue to grow, as will the number of linked Tests on your Control pages.
This is a really great option for most clients, as it provides a fresh start in testing with each testing period. By choosing what to copy and what to leave blank, you can give your testers the testing steps, but you won’t distract them by requiring that they overwrite last period’s testing results. Most importantly, you have the flexibility to report on your testing results period over period. Using this process, you can maximize your success by:
a.) Utilizing “Database Snapshots.” Because your Narratives, Risks and Controls will not be copied, your auditors may still decide that they would like to see a complete “point in time” of a previous testing period, which is possible by restoring a snapshot.
b.) Determine your retention policy for how long you will keep Test pages in policyIQ. Because the number of Test pages will grow, you may decide to keep just the past two years and the current year for reporting purposes – and export reports to retain the older results on file.
3.) Copy your entire SOX Folder structure, including Narratives, Risks, Controls, Tests, etc.
Rather than just copying the Test pages, some clients choose to copy their entire SOX Folder structure from year to year. They will have new copies of the Narratives, Risks, Controls AND Tests to start the new fiscal year. Those items that haven’t changed – like Risks – might get published right away, while Narratives and Controls and sent out for revisions and published when any necessary changes have been made. Test pages get “cleaned up” and readied for the new testing cycle.
The “Copy Folder” option in policyIQ makes this extremely easy – and if you copy things like Deficiencies or Remediation Plans, it’s also easy to delete the unnecessary copies.
+ Every year you “force” your organization to revise and republish all of the content involved in your SOX process. Controls get reviewed. Narratives get revised.
+ When it comes to reporting, you have the most flexibility, because very little is locked into version history, but rather last year’s Controls are available to report on side by side with this year’s Controls.
+ You have the most flexibility when it comes to database size management and retention, as well. You can choose how many years you keep information in policyIQ, and delete the older years as that content becomes irrelevant.
Watch out for:
– When you’re running reports or working with content, you will always need to be careful to filter your reports or searches for the appropriate fiscal year. This will be a simple Folder filter – which is possible on Reports, Advanced Search and simple Search.
– When you make your copies for the new fiscal year, you will want to be sure that everything that needs to be reviewed is reviewed and then published.
– Be sure to delete pages like Deficiencies and Remediation Plans in your newly copied folder. These will not be relevant year to year.
– If you have a large number of pages in your SOX process or a deep Folder structure, you may find that the Copy Folder action takes quite some time to complete. Consider copying the information during off hours (early morning or evening) when fewer people are accessing policyIQ. If you receive a “time out” error, contact our support team for assistance.
This option offers the most flexibility around reporting, as you can report period over period not only on Test results, but also on Controls, Risks, etc. This option also offers the most control in database size management and retention. And even if you haven’t been following this course of action all along, it’s easy to get started simply by creating a top level folder for “2009 and earlier,” and then copying that folder to rename it “2010.” Maximize your success by:
a.) Determining your retention policy and keeping only the necessary years in policyIQ.
b.) Communicating with your audience about your structure – particularly your external auditors – so that reports are always generated to include the appropriate filters.
Want to talk to us about your specific situation?
There is no one right answer, but there is a “best” answer for your organization. Is year over year reporting critical? Is it better for your audience to just have less distractions in the form of last year’s results? If you aren’t sure which answer is right for you – or if you’d like to update your current configuration to accommodate a new process like copying the entire year’s data – contact us! Give your account manager a call or email support and ask to be in touch with a team member to talk through your situation.
Get more training and information on year to year roll-over!
1.) Join us for live web training!
We’re hosting a live session on March 9th at 4 PM ET (1 PM PT). This 30 minute session will follow alternatives 2 & 3 and walk through the steps to roll-forward your data from 2009 to 2010.
2.) Check out our online Help documentation
If you haven’t discovered it already, check out the new SOX Solution section of our online Help guide for lots of great information on managing your Sarbanes-Oxley compliance work in policyIQ. We have expanded this manual for your SOX work to include more information about how to roll-forward for a new testing cycle.
3.) Stay tuned for more blog posts!
Throughout this month, the topic of rolling forward for a new year will come up in a number of different blog posts. After our March 9th training session, we’ll be following up here in our blog to list all of the questions that were asked during the training session and give you all the answers and ideas they generated. We are also planning to share some tips for regular maintenance activities that you should undertake to review your users, deleted pages, and hints to reduce your overall database size.
If you have a process in place that you love and you want to share some ideas with others, please comment! We’d love to hear from you.