Automating 302 – Thank you for the rich discussion!

Sincere thanks to participants in our recent CPE session (addressing automation of the quarterly 302 certification process using policyIQ) for engaging in the conversation!  We covered the process and application from soup to nuts and encouraged the audience to not only ask questions, but to take advantage of the session, the audience and the chat feature to create a discussion.

You delivered. Thank you!

Read on for session highlights and to review some of the Q&A and discussion.

What is 302 Certification?
Sarbanes Oxley section 302 is all about accountability for an organization’s officers. It requires corporate management (the Chief Financial Officer and Chief Executive Officer) to:

  • certify financial and other information contained in the organization’s quarterly and annual reports
  • certify the internal controls over financial reporting
  • have designed internal controls, or caused such controls to be designed
  • provide reasonable assurance as to the reliability of the financial reporting process
  • disclose any material changes in the company’s internal controls that have occurred during the most recent fiscal quarter

Of course, nobody wants to sign off on something of such significance and consequence without confidence that all of these points have been investigated and each is, in fact, true! To this end, nearly every organization subject to SOX requirements executes some version of a sub-certification process.

The Process Steps
In our session, we talked about the processes of setting up and managing 302 Certifications leading up to and within policyIQ. Here’s a recap:

  1. Outside policyIQ
    1. Generate set of questions
      • High level, generic vs. detailed and specific
    2. Plan sub-certification process
      • How many levels required?
    3. Establish distribution lists
      • Based on level of question detail
      • Update: new hires, terminations, position changes
  2. policyIQ Setup and Management
    1. Add Groups to match Distribution lists
    2. Build a Form Template for each Group of respondents
      • Add Instruction, “Agree/Disagree” Questions, Comments Fields
      • Use “Common” (predefined drop-down fields) for useful reports
    3. Bundle into Form Lists to simplify and consolidate administration, distribute
    4. Monitor Activities for real-time status and to send reminders
    5. Use Reports to review responses and to create management summary

Interested in the details?
Our session highlighted the range of approaches to certification. Some organizations distribute a small number of more generalized questions, while others gather responses to very detailed question that get to the specific areas of the business.

We polled our audience and found:

  • A slightly larger percentage of organizations utilize   “A small number high level questions”,
  • Utilization of multi-level sub-certification is about the same as distributing all sub-certification questions at the same time,
  • And, by far, more organizations provide detailed support and guidance for managers to access relevant materials (Controls, Gaps, etc.) than those with a more hands-off approach.

We have captured example sets of questions in the policyIQ online Help guide (click on the link and scroll down to see the attachments). We also encourage you to check out this Help page for access to the recording of our session, the PowerPoint slides and other presentation materials.

A Picture’s Worth 10,000 Words
Want to help your respondents to more easily navigate the certification process while minimizing confusion and work required for administrators? Provide respondents with a visual aid or a cheat sheet that visually walks them through the process!

We have some great tools that make it relatively simple to create a guide like this tailored to your site and process for your users. Let us know if you’d like us to create one for you.

Lots of great questions and discussion!
We do not always post this level of detail from the Chat that takes place during our sessions, but this was an especially rich session! Here are some of the highlights from our discussion:

Q: Does the 302 certification practice vary from large accelerated filers versus smaller filers?

A: In interviewing our clients, it seems that the approach to 302 Certification depends largely on the culture of the organization and the process administrators and less on the size of the organization. Some organizations (both large and small) are relatively flat in their structures, so they do not require multi-level sub-certification.

Q: If you use multiple levels of sub-certifications, do the responses get shared or processed through the managers before they reply to “corporate”?

A: [A response from another attendee] Since the next level up is certifying all below, I’d want that in place.
The policyIQ Team has observed this to generally be the case among our clients, as well—key discoveries are reviewed before providing own responses and moving up to the next level.

Q: Sounds like this application is in the “cloud”. How can we be sure our info / responses are secure?

A: policyIQ is a hosted product, with a SAS 70 Type II certified data center.
Every user will also have a secure log-in to the site – and the site is secured via SSL encryption.  We’re happy to further address security issues for any organization.

Q: When you send reminder emails, does everyone see all people or can they see only their name?

A:  They will see only their own forms.  Each individual will receive an email with a list of forms that only that individual has outstanding.
If you send a custom message from your local email client, that’s a great way to send a general message, but hide the recipients.

Q: Regarding “Comments” fields: Is there a way to set it so that if they disagree a comment is required so that you don’t have review and follow up?

A: At this time, policyIQ does not have the ability to have a “conditionally required” field.  Therefore, we recommend the approach noted by another attendee, which is to add language to the text of the question that requests explanation for negative responses in the Comments field.

Q: We have 143 respondents, will they all need to be advanced users? And what would be the cost?

A: Respondents only need to be Standard Users in policyIQ.  You might also consider the option of using a monthly contract if you have a large number of periodic respondents.  Standard Users are $6 / user / month.

Q: Is there a way to focus on the specific response without panning through all their answers.  Can you drill down on the report to the answer?

A: You can definitely choose to create reports on just a specific field.  We showed reports that were more oversight reports and general – but you can definitely drill into a specific field or look for a specific answer.
[Answer from another attendee] The policyIQ Support Team has generated reports for me that are specific to all “disagree” responses and all “agree with comments”, so I don’t have to go through all of them.

Q: Does policy IQ allow for tracking how handler has cleared issue e.g. some type of status to clearing comments that come in to document you have appropriately handled response?

A: It is definitely possible to add such a field – even a field that is available only to the approver.
There is also a “Comments” tab on the form response where those comments can be logged. It also logs the date, time, and user who made the comment. Keep in mind that a field added to the Template is reportable while the discussion captured in the Comments tab is not reportable (it is retained and reviewable only within the specific Form).

Any additional questions? Add your Comment below or send your question directly to

Regarding LDAP: A couple of attendees also had an exchange regarding LDAP integration. From the policyIQ Help guide:

LDAP can be used to authenticate users by checking against your Directory Service instead of policyIQ authentication.  LDAP allows users to enter their network username and password to gain access to policyIQ.  The benefits of LDAP include A) Guaranteeing users are a part of your network, B) The ability to add users to policyIQ if they are a part of your network, C) Simplifying the login process since users do not need to remember a separate password, D) LDAP can be configured to also add information to a user’s profile such as contact information and Location/Position restrictions.

If you are interested in exploring LDAP integration for your organization, let us know and we’ll put you in touch with a technical support contact.

Thanks, again, everyone for a great and interactive session!
Hope to see you next month when we’ll be exploring Best Practices for implementing, maintaining and expanding the use of policyIQ.

This entry was posted in Solutions, Training and tagged , by Stephenie Buehrle. Bookmark the permalink.

About Stephenie Buehrle

Stephenie is the “solutions” expert on the policyIQ team. With RGP since 2004, she designs and develops solutions that capitalize on the best practices of the hundreds of companies that she has touched, while tailoring each configuration to meet the unique needs of each client. Before joining RGP and the policyIQ team, Stephenie enjoyed working as an independent consultant in the non-profit sector. Stephenie also previously performed analyst services for a major brewer ranging from roles in biological and chemical services to analytical roles in business process improvement and innovation. Stephenie quips that she still doesn’t know what she wants to be when she grows up, but hopes to spend her days helping others (companies, individuals, and communities) to realize their full potential.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s