10K Risk Assessment and Control Rationalization using policyIQ

Major-Tom-MessageWith the market busting past 12,000, many small public companies’ market cap has been immediately impacted. Other companies are experiencing growth or facing acquisition. Together, all of these companies may find their filing status changing from non-accelerated to accelerated and, consequently, they are having to prepare their internal controls environment to be evaluated by external auditors this year.

Leslie Tamayo, an experienced Accounting and Finance and Sarbanes Oxley expert, developed a tried and true process for assessing risk starting with the 10K and rationalizing which controls are necessary and which no longer require testing. To put it simply, her process makes sense, is repeatable, and proven to solidify an organization’s internal control environment. The policyIQ Team is grateful to have had the opportunity to learn and walk through the details of Leslie’s process and to partner with her to develop a method for capturing, tracking and analyzing the information in policyIQ.

The Risk Assessment Process

Use the AS5, top-down, risk-based approach to help you focus on what truly matters. Identify risks underlying relevant financial statement assertions. Then perform a thorough analysis to determine which controls really matter and, therefore, which tests are necessary.


Bring automation to your process using policyIQ

You can capture your Risk Assessment in policyIQ. We created a “K” Template in policyIQ to represent the 10K Line Item Risks. By creating a Template for our 10K Line Item Risks, rather than having a Drop Down field or representing each line item within a Folder structure, we are able to illustrate the relationship between each line item to relevant business processes and to locations more easily. This is also the best way to demonstrate the relationship between each line item risk and the relative controls for your control rationalization process.

By indexing the line item risks to the appropriate Folders in policyIQ, we “mapped” them to relevant Business Processes (and you could map them to relevant location folders, too).

A very important step is to link 10K Risks to Control Activities in policyIQ. You may also wish to break down your Financial Statement Assertion field on your Control Template—instead of having a Multi-Select field, you could capture each assertion as its own field with a Yes/No choice. These two steps make the Detail Link Report simple to create and to view from different perspectives for your Control Rationalization process.


Use policyIQ Reports to see the “big picture” and to create a “dynamic” view of your Control Environment in real time.

  • Create a list of each line item’s rating for various Risk Assessment Factors and to calculate the risk
  • Validate your assessment of which Business Processes are significant by listing your 10K Line Item Risks with related Business Process Folders
  • Review complete lists of your Process Risks and your Control Activities
  • Add Financial Statement Assertions to your Controls list so that you can verify that each Control addressing an assertion is, indeed, identified as a Key Control (later, in your analysis, you may determine that some can be downgraded if they are redundant Controls)
  • Analyze coverage of Financial Statement Assertions by Controls for each of your Financial Statement Line Items

With the automation of the Risk Assessment Process you will spend less time on the manual preparation of your assessment and more time on analysis. Create a process that is more effective and more efficient by spending valuable time identifying Gaps, Redundancies and determining which Controls are truly important.

Documenting your Process Risks, Controls, Tests and Deficiencies

SOX-in-HelpSome attendees expressed an interest in hearing more about how to capture their SOX documentation in policyIQ. If you prefer to watch, listen and learn, we have a video recording of our Sarbanes Oxley Solution training that you may review at your leisure. We also have a section in our policyIQ Help guide devoted to this topic. If you would like to talk to someone live and make arrangements for additional assistance with your policyIQ implementation or your SOX program, feel free to contact us via email or call us (toll-free) at 1-866-753-1231.

We can help you to get started this cycle!

Written Guidance
Our online Help guide walks through the Automation of Risk Assessment process, provides specific guidance on how to configure your site and how to build the Reports that we presented in our session. You will also notice that the session’s presentation deck and a link to the recording of the session are available in Help. Click here to go directly to the Risk Assessment related Help content.

On-site Expertise
Contact us and we can connect you with experts in your area who can hit the ground running and work with you to perform and document your assessment. They can help you to begin with your 10K Risk Assessment and to work through the full cycle which brings you back to confidence in your internal control environment.

policyIQ Assistance
Of course, we also can connect you with policyIQ experts to address your policyIQ implementation questions. We’re looking forward to hearing from you (support@policyIQ.com, or 1-866-753-1231).

This entry was posted in Solutions and tagged , by Stephenie Buehrle. Bookmark the permalink.

About Stephenie Buehrle

Stephenie is the “solutions” expert on the policyIQ team. With RGP since 2004, she designs and develops solutions that capitalize on the best practices of the hundreds of companies that she has touched, while tailoring each configuration to meet the unique needs of each client. Before joining RGP and the policyIQ team, Stephenie enjoyed working as an independent consultant in the non-profit sector. Stephenie also previously performed analyst services for a major brewer ranging from roles in biological and chemical services to analytical roles in business process improvement and innovation. Stephenie quips that she still doesn’t know what she wants to be when she grows up, but hopes to spend her days helping others (companies, individuals, and communities) to realize their full potential.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s