A Remedy for Decentralized Audit Approaches

Is your organization still struggling with manual audit processes? Do you have audit projects, past audits, and workpapers strewn about in various shared network folders (or worse, on various hard drives)? Do your auditors have to rely on email to collaborate and share documents? How about your naming convention—has your audit group standardized the way that documentation is labeled to help you to keep the information organized and easy to reference? Speaking of standardization, have audit processes been standardized across the organization or does each location or division manage their own audit program? And what would you say about your review and approval process? Is it clearly mapped, followed, and approvals communicated? Are audit findings routinely rolled up and reported?

RGP’s policyIQ addresses each of these challenges so that you can realize more effective and efficient management of your organization’s audit function. Leverage predefined Templates, Folders, Workflow, Reports, and Audit Trail for your compliance, audit, or policy management documentation. It is also simple to customize the structure to accommodate ongoing changes or characteristics that are unique to your organization, program, or team.

Configuration adjustments are at your fingertips. You do not have to reach out to a support desk or technical team to add templates for specialized workpapers, IPEs (Information Provided by Entity), or for your PBC (Provided by Client) process. Adjustments can be made directly by users authorized in your organization. If you haven’t yet incorporated those templates into the flow of your work and want some help getting them set up, we do have support and configuration specialists who are happy to walk you through the setup of your custom program.

We expect all of RGP’s policyIQ audit clients to be enjoying these benefits in your audit program:

  • Consistent enterprise-wide audit process
  • Centralized access to workpapers and IPEs
  • Simplified administration of PBCs and audit process
  • Ability to easily locate and leverage audit templates/projects and previous audits
  • Streamlined communication among management, auditors (internal and external), and approvers
  • Real-time monitoring capability and status reporting
  • Simplified management and audit committee reporting

We’re ready to help you reach your goals!

Whether you are an existing policyIQ user or a new one, we want to help you to improve and automate your audit program. Perhaps you are new to the administration of your site or you are not sure how to make adjustments to the configuration of your site’s templates or structure. Reach out to us and we’ll be happy to help you get started or to optimize your implementation. Support@policyIQ.com.

5 Steps to a More Efficient Internal Control Environment

Is your team overwhelmed with activities that feel unnecessary?

How confident are you that the energy spent on testing is focused on the necessary controls?

Leverage policyIQ to systematically focus on the critical controls for management and testing. More efficiently analyze which Financial Statement Assertions, relative to each of your 10K line items, are adequately controlled, which are left vulnerable and which of your relevant assertions is over-controlled! See, plainly, the gaps in your coverage and leverage the evidence to justify the reduction of waste, and plan to concentrate effort on work that matters.

This process really starts with your risk assessment. If you have not leveraged policyIQ to bring automation and reliability to your risk assessment process and want to walk through the policyIQ solution (including the just-released feature that makes cumulative risk calculations possible), reach out to schedule a free working meeting with us! After completing your risk assessment, identifying significant accounts and relevant assertions, and determining which of your processes and objectives are in scope (all steps that can be managed in policyIQ), you can begin the process of rationalizing your controls.

Next, leverage policyIQ to move through these five Control Rationalization steps:

Each step is made more efficient with policyIQ. We can support you to customize templates for the attributes that are critical and unique to your organization. The import, linking, calculations, workflow, and reporting features will allow you to more quickly examine the effectiveness and priority of your procedures. Having confidence in your Control Rationalization process and your internal control environment then allows you to come full circle to look at the bank of risks that you previously identified. You might conclude that some process risks that have consumed time and attention for years are actually not in scope. This Control Rationalization process will help you to be more effective and more efficient through each testing cycle.

Would you like to see sample templates and schedule a working meeting to get the ball rolling? Contact us and reap the benefits by your next testing cycle!

Have you automated your Narrative reviews?

Are you paying employees to inventory email responses or spend hours in update meetings to accomplish tasks that can be automated? With the application of policyIQ forms, your employees can take back time that was spent on tedious tasks and focus on work that matters.

If your team is still using Word, Excel, and email to manage 302 CertificationsControl Self Assessments and Narrative Reviews, they are engaging in the frustrating task of having to inventory the responses from their inbox and then babysit and pester people to complete their work. As responses do arrive, they evaluate who they’ve heard from, who hasn’t responded, and evaluate whether/which follow-up activities are warranted. They are likely also having to pull together routine assessments regarding the status of responses to share with management and others.

Before anyone invests another minute on the effort of pulling together the Narrative Reviews for next quarter, contact us to help your team realize these benefits right away:

  • Simplified roll-out of questions/certifications each quarter
  • Easy access to real-time information for monitoring of status
  • Automation of reminders going out to outstanding respondents
  • Automated compiling of results
  • Effortless reporting for management

There are lots of products out there that will set you back $50-$500k annually that promise efficiency gains in your compliance processes. For a fraction of that cost, we’ll deliver on that promise in a matter of weeks—not months or years. Work smarter. Spend smarter. Contact us today to schedule your configuration session. 

Your Risk Assessment spreadsheets are costing you!

Are your employees still manually managing Risk Assessments using spreadsheets?
If you answered yes, they are likely struggling to work with others efficiently, they are frustrated by version control issues, and they are wasting time trying to figure out who has given input and who still needs to provide information.

The data in spreadsheets is difficult to aggregate. Performing analyses within a spreadsheet is limited, and across multiple spreadsheets it is nearly impossible. There are nearly always issues with data entry and, therefore, data integrity. So, your employees are likely also spending time having to validate and track down information and they’re likely performing rework to shore up assessments and findings. For all of these reasons, spreadsheets prolong the time and expense of audits.

RGP’s policyIQ team has developed features that help you to automate questionnaires, inventories, risk ratings, capability measures, track gaps and roll-up findings. Your management and audit teams can begin collaborating on their finance, operational, fraud and enterprise risk assessments right away.  Contributors from your locations can work together in one flexible and easy to use tool with confidence in the security and accuracy of their information and analyses. Templates for various risk assessments are easy to customize. Notes and assumptions from previous assessments can be easily referenced and considered in current risk calculations.

Your auditors can remotely review the content that you choose to make available to them and only after it has completed the review process that you enforce using policyIQ.

Reach out to us to request your free trial site and to learn more about how your team can end their reliance on spreadsheets. Work smarter.

Here’s the trick for crushing your stretch goals…

Declare this “time for a fresh start” and get organized!

Is everyone stirring and antsy at the thought of kids running out of school, hooting and hollering, and throwing papers in the air? Well, I’m a momma and my kiddos have been off kilter and frazzled with anticipation of summer break for at least two weeks! One of our practices that we carry out a couple of times each year—and every year at this time—is to clean out backpacks, cubbies, bookshelves, and the desks at school and at home. We organize items into the “this will be useful in the coming year” pile, “keep forever in the scrapbook” pile, “how in the world did this get in here?” laundry pile, and into the “recycle/retire to final resting place” pile. They are super anxious to run off to their friends’ houses, ride bikes, or dive into their latest Minecraft creation, but mom forces them to hit the skids until they have completed this chore.

Having a clean slate and getting organized for a fresh start in the next life chapter is one of our strategies for setting ourselves up for success. They might grumble and sulk for a short time, but they’ll thank me for these habits one day. That’s my hope, anyway.

Being disciplined about hitting the pause button and making time to lay the groundwork for future success is not just a chore for school children and moms. You’ll hear the same guidance from the policyIQ team as you embark on your goal to better manage your Governance, Risk, and Compliance initiatives.

Take time to organize content and users.

One of the most obvious benefits of policyIQ is that you can be up and running—actually using the tool in your organization—on the same day that you submit your order form. Our recommendation, though, is that you tap the breaks a bit and set up your site in a way that more likely ensures your long term success.  The fundamental questions to consider for any policyIQ implementation are:

  1. What are we planning to capture or manage in policyIQ?
  2. Who needs to have access [and what type of access do they need]?
  3. How can we organize information in a manner that is intuitive to our users?

Thinking of the overarching goal of the initiative or documentation and considering how the pieces of documentation may be broken down and related to adjoining processes will give your team the flexibility to home in on specific details for analysis while also overseeing completeness and performance at a high level. If you’re drawing your plan on a whiteboard and feel the need to branch off into several related items, that might be an indication that you could design more than one template to capture the different types of documentation.

Similarly, taking the time to create an organization chart, so to speak, that logically accommodates all of the hats that are worn by your policyIQ users will go a long way to simplifying access to policyIQ content going forward. Creating groups for Control Owners, Asia-Pac Approvers, 302 Respondents, and the Board of Directors, for example, makes it easy to ensure accuracy while minimizing maintenance as employees move into new roles within the company or new employees are brought on board.

This org chart does not have to match a traditional org chart with departments and position titles. That hierarchy might be a part of the structure. A tip that makes life much easier, when it comes to maintenance in the future, is to consider the other hats worn by your employees. Is the Business Unit Manager also a Process Owner or a Control Owner? Does she respond to 302 Sub-certification Questions? Does she lead any committees or projects? If those initiatives are managed in policyIQ (and they can be), then it will help to have the roles of all the players represented in your Groups structure. With a well-planned group structure, only the users require adjustment when there is turnover, not all of the documentation and responsibilities of the people coming and going.

Do you feel like you don’t have time…to save time??

That’s the perfect time to contact us! There is a standard policyIQ configuration for many GRC solutions and the experienced implementers on the policyIQ team have helped hundreds of companies to set up policyIQ for various solutions. We can help you to get started—or re-started—quickly. If you’re strapped for resources while the organization is trying to squeeze in a change in process or shifting from manual processes in Word, Excel, and email to a centrally accessible cloud solution with workflow management tools and you just don’t have time to really focus on the effort to save time, then let us put you in touch with a subject matter expert who can help you with the design of your Risk Management or Compliance or Audit process, or our professional consultants can lead your project team, or they can take on the lion’s share of the work to transition documentation. We can help you to assess your needs and close the gaps.

Happy Summer Break!

We hope that you enjoy some fun time with family and friends this summer. Let us know where we can support you to work more efficiently and more effectively to help free up some time.

Who has access to your critical documentation?

Think, for a moment, about your human resources policies, risk documentation, safety specs, audit issues, training materials, accounting procedures or your IT controls.

  • Do external audiences, as well as internal employees, need access?
  • And do these audiences require access to different subsets of your content?
  • Does the intended audience know exactly where and how to locate all relevant content?
  • Is the latest version of the content available to your audience?
  • What steps do you have to take to disseminate content changes to your audience?

These are among the information governance considerations that RGP systematically addresses using policyIQ.

One of the lesser known perks of policyIQ is the ease with which you can provide free, simple, secure and tailored read-only access to your audience.

In this related blog post, we described one feature of policyIQ that gives organizations an easy-to-setup and easy-to-use solution for presenting and disseminating content to your read-only users.

If you are trying to develop a plan for appropriately sharing different types of documentation with their respective audiences, get in touch with us! We enjoy brainstorming and problem-solving challenges like this!

Not all roads lead to successful IPO

Welcome guest blogger, Jason Chiang. With RGP for nearly 8 years, Mr. Chiang has more than 20 years of experience and expertise in Audit, Risk and Compliance. He has consulted with a range of companies from financial services, biotech, manufacturing, healthcare and other industries. Mr. Chiang is a Certified Public Accountant (inactive) and Certified Internal Auditor. He has served on both sides of the house as a senior audit manager and senior auditor as well as a risk manager. It is evident that he understands the motivations and hurdles facing these organizations and approaches their complex issues with integrity and professionalism.

The following article was written by Jason Chiang (with editing support from Stephenie Buehrle). The approach and recommendations are his.


Not all roads lead to successful IPO

When a company approaches their initial public offering (IPO), it enters a very different arena. Having access to public funds, that is the retirement savings of Main Street USA, the company must meet quarterly SEC filing requirements. This is a significant amount of work. An investment in the people experienced with technical accounting, SEC financial reporting, and Sarbanes Oxley Compliance (SOX) evaluations combined with an investment in systems and tools to do the work efficiently and with completeness and accuracy is crucial to meet the filing deadlines.

One cannot audit all internal controls over financial reporting (ICFR). Thus, performing a SOX risk assessment is necessary to identify the significant accounts and their relevant assertions. If you happen to be one of these companies developing a road-map to your IPO, SOX may not be the place where you want to focus significant time and financial resources, but you realize that it has to get done. Be sure that you consider, at minimum, these critical components:

Risk Assessment                                  

A risk assessment is the process of identifying significant accounts and disclosures and their respective relevant assertions as they relate to financial statements. A properly done risk assessment will allow the company work smart by focusing its internal controls evaluation on the areas where there is a possibility of a material error.

The Risk Assessment must include:

  • Quantitative factors such as account balance, frequency of transactions, dollar value of each transaction; and
  • Qualitative factors such as complexity of related transactions, subjectivity of accounting rules over related transactions, and fraud considerations.
  • As business and risks change, the risk assessment needs to be updated.

Narrative                                                                

A narrative provides mid-level detail of the transactions and internal controls within a business process and includes who, how frequent, and in what location the transactions and controls are being performed. The initial creation of narratives provides the process owners an opportunity to revisit and reflect on the current processes, and make improvements for operational efficiency or control effectiveness. It is a written document that can be read by internal employees, internal auditors, and external consultants and auditors to gain a preliminary understanding of the process. As processes change, the narrative provides a format to document the change.

What critical things must be considered regarding Narratives?

  • The narrative should be written knowing that auditors will be a primary reader and will be looking for controls that mitigate risks.
  • When describing management review processes in the narrative, articulating how the manager gains assurance of the completeness and accuracy of the supporting evidence before signing off. If the manager is using judgment, describing the factors considered.
  • Narratives should be updated as changes are implemented in the organization. The updates should follow a workflow where there is a review process for significant changes.

Control Matrix                                      

A control matrix lists the controls the company has identified to mitigate risks. The control matrix serves as evidence that identified risks are mapped to controls which are to be evaluated for management’s assessment of internal controls. The control matrix also is a primary client document auditors leverage to perform their independent test of controls.

Take care to ensure that:

  • The controls in the Controls Matrix are mapped to risks.
  • The Controls Matrix is in a format where it is sortable or reportable by controls mapped to risks for test of controls purposes, and risks are mapped to controls for an evaluation whether risks are mitigated by controls.
  • Controls in the Controls Matrix should be labeled and provided an abbreviated title (10 words max) for ease of reporting and reference purposes.

Testing                                                                      

Testing is the evaluation of design and operating effectiveness of the company’s controls. The results of testing of controls provide company management with a baseline to that might have impacts to strategic and operational decisions. For publicly held companies, testing is an SEC requirement.

Critical considerations for testing:

  • Important, if deemed necessary, to be able to re-perform the actual control performed by the employee (e.g. for 3-way match of purchase order, invoice, and shipping docs, test that an employee had performed this and has evidence of such, rather than the auditor requesting the 3 docs and testing oneself).
  • When testing management review controls, cannot just accept sign-off, but need to understand the steps and judgments used by the manager, and test accordingly.
  • The documentation of testing should allow someone else to reasonably re-perform the testing. If testing is being relied upon by external auditors, then the breadth of documentation is more important. If not, not all needs to be retained, but should be readily retrievable when needed.

Certifications                                        

Control owners certify to the CFO and CEO that controls are operating effectively on a quarterly basis, and if not operating effectively, the remedial action plans. The control owners are held directly accountable for their controls as they are certifying to the top two officers of the company.

Recommendations for certifications:

  • The number and level of person certifying to the CFO and CEO should be carefully considered. The level should be their direct reports and one level removed to maintain the efficiency and integrity of the certification. If it is a larger organization, there can also be sub-certifications up to the senior manager level.
  • The certification questions should have a combination of checklist questions, as well as, open ended questions to encourage a thoughtful process.
  • Utilizing software for tracking, follow-up, and retention purposes is advised.

Depending on the number of people involved with the inputs into the various components, one might decide that performing and capturing the work in Excel is sufficient, while others might prefer utilizing a SOX tool where there are extra protections in version control while allowing multiple users to perform inputs simultaneously in multiple locations. A SOX tool may also provide management with options for review, analysis and oversight that are not available in Excel.

To avoid unexpected setbacks, be sure to plan enough time into your IPO readiness map for SOX evaluations. The initial SOX program development and implementation is likely to require six months and can vary depending on your access to subject matter experts. Coordination and alignment of the SOX efforts and objectives among the audit committee, senior management, process owners, and internal and external auditors is paramount for a successful implementation.


If your organization is approaching your initial public offering and you’re interested in learning more about how RGP can support you with subject matter expertise and a tailored technology solution to help ensure that you are prepared for your SEC filing and financial reporting requirements, reach out to us (Information@policyIQ.com, 412.263.3330) and we’ll connect you with our RGP colleagues near you!

How many spreadsheets are you trying to manage for ASC 606?

RGP is hearing from Public and Private companies who are working to get a handle on their Revenue Recognition compliance efforts. As with many new initiatives, most of those tasked with the responsibility of rolling out a contract review process began with authoring the process in Excel. This particular process, more than some, requires a number of people with varying technical skills and technical accounting expertise to work through a long checklist or multiple spreadsheets full of questions and considerations. And, like many others, these teams are racked with frustration over the common ills of spreadsheet-based processes:

  • Almost as soon as the tool is put to use, the version is out of date and the data does not reconcile with other versions.
  • It is difficult to track and understand which version is the latest or the “best”.
  • Often, spreadsheets are not properly secured and suffer unintended changes.
  • Changes to data attributes in the spreadsheets can have significant impact on conclusions.
  • Sharing and communicating lessons and conclusions is a massive and disjointed effort.
  • It is difficult to roll-up the results from multiple spreadsheets for analysis and reporting to management and auditors.
  • If multiple people must work in and make adjustments to the spreadsheet, it can be remarkably challenging to trace the changes back to the appropriate party.
  • It is virtually impossible to dictate order of responsibilities and to consistently communicate and enforce an approval process.

RGP has a few remedies that can help you to treat or avoid these ills.

Private Companies –  RGP has a proven Revenue Recognition solution that can help companies from your early assessment through planning how you will fill gaps in policies and systems and can aid your team with the implementation of agreed upon solutions, controls, policies and associate training and communication.

Public Companies – Those who worked to tackle ASC 606 compliance on your own in year one can certainly still call on us to evaluate your program and to identify and guide you to address and close gaps.

All Companies can take advantage of RGP’s proprietary tool, policyIQ, to remedy the ills associated with spreadsheet based processes. Companies have the option of

  1. leveraging the flexible and configurable policyIQ to automate your own checklist or questionnaire or
  2. you can adopt the RGP solution with pre-built templates that guide the reviewers through the contract review process.

In either case, you can put your spreadsheet worries to rest and bring centralized access, version control, workflow, reporting for analysis and management review to your Revenue Recognition program.

Contact us to learn more about our technical accounting expertise, project support, and proprietary technology: support@policyIQ.com.

Suffering low morale and a disconnect between executives and those doing the work every day?


 

 

 

 

Art Weeast has helped a number of organizations to “think beyond the task of documenting policies and procedures to the intelligence of the information that is in those documents.” In other words, think of the value or purpose that the documents serve. One of his objectives, as he trains organizations on how to create valuable documentation, is to “keep what’s in it for me, from the end user’s or the employee’s perspective, in mind as you develop content”. The end user and all stakeholders might consider, “What problems and questions can this documentation solve?”

To demonstrate the application of Process Intelligence practices (as Mr. Weeast termed his work), consider three common problems:

  1. Employees and Management do not value the documentation (mainly the procedures).
  2. Work tasks are not clearly connected to executive priorities.
  3. Business Units/Departments/Functions do not collaborate on cross-functional processes, often leading to tension and decreased productivity.

With Art Weeast’s help, let’s tackle each of these problems one at a time.

The problem faced by many (maybe most) organizations: Employees and Management do not value the documentation.

Consider how you can make your documentation useful. Follow this three step process:

  1. Set a course to establish more comprehensive documentation. Rather than tracking just the steps of the procedure, frequency, who performs…think of all of the everyday business questions that come up related to the procedures. Add Roles and Responsibilities, Applications Used, Definitions, Procedure Input and Output–these fields will help you to address common problems. Read further to see how.
  2. Make it easy for process owners and your front-line doers to capture the documentation. You don’t have to complete the fields in consecutive order. Starting with the procedure, then considering what leads into the procedure and what the outcome of the procedure is before moving on to the purpose and other data is a much easier thought process.
  3. Make use of the intelligence that is inherent in your documentation to solve business problems. With updated, comprehensive procedures, you can address common problems…effectively and efficiently!

Put your information to work for you!

Another common problem: Work tasks are not clearly connected to executive priorities. 

The front line doers, on a day to day basis, do more repeatable processes than executives do. At the executive level, it is unlikely that you will see procedures. This is the root cause of the disconnect between the tasks and executive priorities. It’s no wonder that executives generally don’t feel the value of the documentation and therefore, the employees don’t feel the priority from the executives to create and maintain the documentation. So, per human nature, documentation becomes an unwelcome task to do, and usually it is tackled at the last minute with a mad rush to get it done.

The solution?

Help your organization to establish the connection between top priorities of the business and the tasks that hardworking employees carry out day after day.

A master at translating the complex into simple steps, Art Weeast developed a method for creating this connection. He calls it an Operational Map. To build your Operational Map you will:

  • Interview the Business Owner and document Primary Functions and Sub-functions from her perspective
  • Prepare List of Procedures for each Process Owner’s Area
  • Create a visual representation of Functions and their related Sub-functions
  • Map Procedures to related Sub-Function by playing “Operational Bingo” with Process Owners—you hold and call out the Procedures while she identifies the related Sub-function.
  • Validate the mapping with the Business Owner.

The result?

  • Executives come down to a level that they rarely visit—they better understand what it takes to get things done! They begin to appreciate the value—and the NECESSITY—of the documentation in a more highly regulated and complex world.
  • Process Owners (the everyday do-ers) appreciate the collaboration with executives. They sense the tone from the top and the priority becomes clear. The do-ers begin to understand the bigger picture—the risks that the organization faces and the importance of what they’re being asked to do. And they are very curious about what other departments do!

The final problem we aim to address: Breakdown in cross-functional processes.

Frustrations build in an organization when communication and collaboration breaks down or does not exist among certain parties. You can tell this is happening when you or others can easily blame someone for inadequate, inconsistent or untimely inputs into your process—or others who put disruptive demands on you to produce an output with a nearly impossible delivery date and provide inadequate information needed to meet the demand. It is natural for all of us to personalize the process under these circumstances.

The art of establishing collaboration among cross-functional parties can be reduced to four main steps. The following steps serve to “de-personalize” the process and issues, and allow parties to focus on the desired end result.

  1. Meeting: Bring functional representatives together for a collaborative process review mediated by a neutral party.
  2. Current state: Have them describe the standard process; first without the history, exceptions or problems. Then revisit the standard process with issues.
  3. Future state: What does it look like? How is it better?
  4. Transition state: Outline steps to get from where we are today to where we need to be.

Think about what’s happening here. Typically, if anyone ever does dare to address the communication breakdown among parties, what do they typically do? They work to identify the issue(s) and to problem solve against those issues. The process outlined by Mr. Weeast, an expert in operational and change management, takes an opposite approach; helping parties to very quickly begin working together effectively.

Applying these practices outlined by Art Weeast results in an efficient and effective organization that can:


Art Weeast has decades of impressive experience in enterprise-wide leadership, technology & data expertise, Lean Six Sigma methodologies, organizational change management, and in defining and refining operational processes. Art has been a client of policyIQ with three different organizations. When I met Art, I had been involved in the work of streamlining, refining, re-engineering, and automating processes for many years, myself, and—while it was my responsibility and mission to help him in any way that I could to solve his organization’s business problems using our software—I was forever changed by what he taught me!

This post was originally shared following a policyIQ-sponsored webinar in which Mr. Weeast shared his Process Intelligence practices. The policyIQ team continues to share the lessons of his Process Intelligence session year after year. If you’re interested in more information or hands-on support with applying Mr. Weeast’s methodology, reach out to us and we’ll connect you with the appropriate tools, information, and resources!

Support@policyIQ.com, 866.753.1231