Two years ago, a nationally known oil and gas company came to RGP and the policyIQ team seeking some much-needed help with their existing one-dimensional SOX environment. In addition, they were acquiring a smaller oil and gas company, meaning they would be supporting two different Risk and Control environments for a period of two years.
The company met with me for a period of two hours, and we discussed their then-current Risk and Control environment. It was a flat world: a mix of internal drives, Word documents, and Excel documents, with various versions of all risks and controls being confused by members of their organization. Version control was a constant uphill battle, and organizing all these documents into an easily accessible file for their audit teams was a struggle as well.
In a matter of four total weeks, we had designed Page Templates for each kind of document they wanted to store: Process Narratives, Risks, Controls and Tests. These templates were completed with fields of varying characteristics, capturing essential details of each document type. Each Risk, Control, and Narrative was uploaded to Excel spreadsheets by document type and mass-imported to policyIQ. Hundreds of Risks, Controls and Narratives were built into the site within a matter of minutes. Organizing the Excel files was done with the help of a policyIQ expert, while the input of data and manipulation of various content was done by the client on their own time. Within each import, we were also able to link Risks to the appropriate Controls. All documents were organized within the folder structure by process area to ensure a familiarity with their organization. Because they were acquiring a smaller oil/gas company at the time, we were able to separate all Company A documents from Company B documents.
Users from both companies were granted various levels of access to the policyIQ site, and to each document type. While we presented them with several really locked-down, intricate security options, they elected to go a more generic route. A common phrase we kept coming back to was, “Keep it simple.” In this way, their group and user structure was easily understood by all members of their management group.
Today, the company continues to enjoy the paperless world of policyIQ, and the reporting capabilities it offers. Many reports are saved once they’re built, so running these reports on demand takes one click. Results of the reports can be exported out of the system, emailed, or accessed by other users, if desired.
Finally, once all necessary testing on controls has been completed for the year, we open up the Narrative, Risk, Control and Test Pages to external audit users. We set up these particular external users so that they see the finished product of SOX work only, and don’t have access to other solution areas of policyIQ that the company takes advantage of: Policy Management, Contract Management and many more.
Have you found yourself in a similar situation? This is just one of hundreds of success stories that we see every year. Give us a call at 412.263.3330 or send an email to support@policyIQ.com to schedule a free, no-hassle custom demonstration with a policyIQ expert, and see if policyIQ can help your organization.