Regulatory environments are constantly changing, influenced by economic, political and environmental factors beyond your company’s control. It might seem like a daily battle to deal with the push and pull of complying with changing regulations. So how do you stay focused, prepared and sane in the world of regulatory compliance?
One critical step is to ensure that you have well documented, well communicated and well understood corporate policies.
Policies provide the foundation, governing the way in which your employees will work and how they will meet new regulatory requirements. When the foundation is strong, with clear policies that are followed and enforced consistently, additional external expectations and requirements are much easier to incorporate.
Here are just a few best practices to consider:
- Ensure that policies are written clearly. Avoid company jargon or acronyms that may be unclear to new employees or external regulators.
- Make policies easily accessible to all employees. If you are already using policyIQ, ensure that a policyIQ link is posted or communicated regularly.
- Clarify whether any exceptions might be approved to the policy, and communicate the process for approval for exceptions. If it is not clear, employees may be more likely to decide it will be easier to ask for forgiveness than permission.
- Document how policy violations will be addressed or how policies will be enforced.
- Revisit, review and revise policies regularly. Do not allow policies to become outdated or appear to be outdated. Even if no changes are made, regularly note that content has been reviewed, so that employees
- Map policies to your regulatory requirements or other compliance programs. As regulations change, you can more easily identify any changes that must be made in your policies to address those changes.
What other best practices would you highlight for a clear corporate policy platform? Add yours in the comments and share ideas! Learn more about how to utilize policyIQ’s various read-only options by checking out a recent blog post by policyIQ Product Manager, Travis Whalen.
Many organizations have used policyIQ for their Policy Management needs, and each client of ours has their own unique needs for providing transparent and accessible policies to their users, public website, auditors, or other audience type. However, the process is largely the same, regardless of the unique needs.
In nearly all cases, the policy content is created in policyIQ, reviewed, approved, and then published. Making that content available is where the differences come into play. There are a few options for doing so:
A shared, Read-only account:
Create a Read-only user account in your policyIQ site (which is free, by the way), and apply the Read-only account as a viewer only on all applicable policy pages in your site. Be sure that this account also has view access to the necessary folders.
Then, share the Read-only account credentials with your user base. Once logged in, the policyIQ view this user will have is a scaled down look – just folders and policy content, in this case. Because the very nature of the account is Read-only, there is minimal risk in sharing the credentials with a large group of people.
A shared, Read-only account accessed via policyIQ Reader:
A similar process to the one above, but with a different look to the program and no login needs.
After creating the Read-only user profile and applying the user to security where necessary, edit the user profile. Under the “required” tab of the Edit User window, scroll to the bottom to find a unique link called “policyIQ Reader”. This hyperlink can be placed anywhere you like: bookmarked in your browser, stored on your desktop, placed in a shared network drive, or even on your intranet. Once a location is selected, anyone who clicks the link will gain instant, Read-only access to your policyIQ site. No login is required, and the “reader” look is a straightforward, no-nonsense view of content, which is displayed in the table area to the right instead of a separate window, as seen below.
Individual Read-only accounts:
Create an individual Read-only account per-user, which allows for greater flexibility in terms of seeing policies that are applicable to certain divisions, but not others. Perhaps your finance and accounting folks have policies and procedures that apply to them, but not to the vast majority of other employees. Creating separate accounts for everyone ensures the user experience in the product is directly related to their role.
Individual policies accessed from an outside source:
Some of our clients choose to have their policies accessed from their primary company website. In this case, the policyIQ pass-through link is ideal: eliminate login needs, access individual policies, and don’t display the main policyIQ site from which the policies were created. Instead, display only the pages themselves.
Create a primary Read-only user account, and again add it to the view security on all applicable pages. Now, view a page of your choice that is published. At the very bottom sits the page ID, which contains a link. Click the link to open a small window that contains the policyIQ Passthrough link. Copy and paste this link to the destination of your choice. Selecting this link from an outside source will open the policy page only, and not require a login to the system.
Did you know policyIQ also handles Policy Sign-offs? It’s a simple process at a minimal cost. Add Standard Users to your site in bulk (50 to over 10,000+) to completely revamp the way your organization automates creating, approving and storing certifications and sign-offs.
Does something here sound like it might be right for you? If so, let’s talk about it! Scheduling a half hour with a policyIQ expert on our team is not only free of charge, but will pay dividends moving forward as the management of your processes becomes easier by the day. Many adjustments to existing sites take minutes to change, and new sites are even simpler! Contact us at Support@policyIQ.com or 412-263-3330 to begin.
Spreadsheets, email, shared network drives…
…this is where most of our critical work starts! With the deadline to comply with the Revenue Recognition Standard now in our sights, many of your corporate accounting peers have met the harsh reality that these commonly used tools are not meeting their contract review needs. Disconnected spreadsheets do not keep their reviewers in step with each other’s developments. They are habitually shared via insecure channels, and we often find that, even with the best of intentions and development, lists, formulas, and formatting within a spreadsheet can be compromised, resulting in an unreliable tool. Aggregation of data for analysis and consolidation of conclusions for management review are nearly impossible feats with dozens (or, certainly, thousands) of manual spreadsheets.
For those of you who are relatively new to the policyIQ community, you might not have heard that policyIQ has been a constant in the RGP toolbox, serving to solve our clients’ problems for nearly 15 years. We don’t make commission on software sales and are not incentivized to upsell you or to sell you a new tool or module. In fact, we work hard to make it possible to serve all areas of your business within one platform—we don’t have extra modules to sell you!
The flexibility of policyIQ to be easily customized for various initiatives has made it possible for our clients to hit the ground running in applying our web-based technology to their pressing Revenue Recognition needs.
A company may utilize policyIQ for the full contract cycle or simply as a contract repository, centralizing access and simplifying assignment of contracts to reviewers for ASC 606 analysis. In addition to guiding the reviewer through the 5 Steps outlined in ASC 606 required for each detailed review of contracts that are in scope, policyIQ also provides a place to document evidence of the reviewer’s considerations and tools to leverage that information for necessary analysis. Key conclusions from each step are automatically pulled out into a summary. Reviewers add final notes to the summary and systematically route all related content for review and approval, as desired and customized for each client.
The ability to report on results of contract reviews in aggregate gives way to analyses not possible in spreadsheets. Look across all Performance Obligations by Revenue Stream, Geography, Business Division, Over Time vs Point in Time, Sales Channel, or Reviewer, for example. Reports also aid in the management of contract reviews—in the assessment phase and with ongoing reviews. Report on issues as they are being identified, assignment of contract reviews, progress of reviews, and impact of the standard on various divisions or revenue streams. Use reports to easily identify those contracts that warrant follow-up action.
We delivered many new features in 2016 and some were developed specifically to sharpen the Revenue Recognition solution. We are wrapping up another release for spring and have an impressive road map that will go into development while the spring release is undergoing formal testing. And did you hear that upgrades are included free-of-charge?
We’re here to serve and grow with you.
Can you say that about your Revenue Recognition tool? Reach out to schedule a tour of policyIQ’s capabilities for ASC 606, compliance, audit, policy management or your other pressing information management needs!
Auditors and testing teams have been asking for an even easier way to view information about the associated Control or Procedure that they are testing. Rather than having two screens open side by side in policyIQ, auditors would prefer to see critical details about the control that they are testing right there on their test screen.
Now you can make that happen – with NO DUPLICATION OF DATA! And it literally takes less than 2 minutes, with no additional data entry required.
How? If you are a Site Administrator, you need just 2 minutes, I promise!
On your Test page template, simply add a new field and select “Linked Field” as the field type. Select the field that should be linked from another page template, save it and VOILA!
If you’ve added the Control Description field from the Control template, for example, you’ll automatically see the Control Description displayed on a Test page for any Control that is linked to it. If there are multiple controls linked to a single Test, you’ll see multiple Control Descriptions, identified by the page name.
This function does not apply to audit testing alone! Consider these other ideas:
- Pull vendor information into a Contract page.
- Bring risk descriptions to Control pages.
- Create Process pages that pull in linked Control Descriptions.
- Pull project task descriptions into Action Items.
- Bring issue details into a Remediation Plan.
Want more information? Contact us at support@policyIQ.com.
In a number of blog posts, we’ve highlighted the ways that policyIQ can be used throughout the entire SOX process – from risk assessments through issue remediation. This past Thursday, July 28th, we took an hour to walk through the entire process in a CPE webinar to highlight ways to create efficiency at each step.
Did you miss it?
Before we hit the highlights below, we want to point you to the session recording and the slides, both of which are available for download.
The Big Picture
We highlighted a number of big picture advantages of using policyIQ not just for SOX, but for all of your compliance initiatives. We talked about…
- Simplicity of rolling out and managing a cloud-based
- Advantages of being able to assign security and access
- And the efficiency of a single source of information through the entire compliance and audit environment.
A single source means that when you make a change in one place, that change feeds all of the different perspectives on the data.
Efficiency at Every Step
We also dug into the efficiency that can be gained at every step of the process. Just some of those ideas are presented below. We also mentioned additional training available for some steps, and have linked those training sessions.
- Risk Assessments
- Tie risk assessments at the 10K line item level to your risks and controls for ease of scoping.
- Control Updates & Review
- Allow your control owners to make updates directly in policyIQ as things change, or require regular reviews of control documentation.
- Walkthroughs & Testing
- Collaborate early (and often) with external auditors to ensure that your testing is capturing all of the detail expected.
- Issue Tracking & Remediation
- Assign remediation plans to owners and use automated reminders to ensure responses are provided.
- Conclusions & Reporting
- Utilize flexible reporting capabilities to trace issues back to the vulnerable risks and compensating controls to make a final determination about significant deficiencies or material weaknesses.
We also included the supporting functions that feed the process.
- Map to COSO 2013
- Link Entity Level Controls to COSO Principles
- Evidence Collection
- Assign evidence requests, utilize automated reminders, and track receipt of documentation
- Time & Expense Tracking
- Report on budgeted versus actual hours and cost, and use the data for next year’s planning
- SOX 302 (Sub)Certification
- Assign role-specific questionnaires, utilize automated reminders, and report on exceptions
We’re ready to help you build more efficiency into your SOX program. Contact us today and ask to speak with our client service team to walk you through implementing some new ideas! Not yet a policyIQ client? Contact us and ask us for a personalized demonstration!
An often under-utilized part of policyIQ sites is the Snapshot feature, found in the Tools & Settings menu on the left hand navigation.
A Snapshot is a virtual and complete backup of your policyIQ site database, containing all of your data at the time the Snapshot was captured. Clients can schedule and store up to 5 Snapshots for FREE each year.
Many clients will elect to have Snapshots taken at quarter-end, or after testing periods and a large amount of work has been completed in the site. As various testing periods continue and build up over time, old ones can be deleted off of the site. To schedule a Snapshot, simply click Snapshots, and then click Add in the toolbar. Select a date that you’d like to have the Snapshot taken. Because you are able to schedule many in advance, you could, in theory, schedule your whole year in just a couple of minutes. Then, click Save.
So what do you do with Snapshots once they’ve been taken, and how do you access them? Snapshots can be restored and reviewed for free for a period of 30 days (once each year). The Snapshot will be presented as a standard, up-to-date policyIQ site (even for older versions of policyIQ) and made available via a separate, unique URL.
Clients that want to go back and review previous year’s work that has since been deleted can rest easy knowing that they took Snapshots along the way.
Questions? Give us a call at 866-753-1231, and we can talk you through the process.
For many years, we have been encouraging our clients to utilize policyIQ for all aspects of their compliance programs – from the assessment of risk through the remediation of issues. However, during a recent conversation with long-time client, Travis Heyer (Director of Internal Audit at Great Lakes Dredge and Dock), we realized that we had not yet clearly illustrated in a live training session how to effectively request and capture audit evidence within policyIQ.
Travis graciously agreed to work with us to create a training session – and brought his colleague, Amit Patel (Senior Auditor) along with him. On Thursday, March 31, we presented this session to a large number of very active participants. (You can check out the recording of the session, or download the slides for a quick overview.)
It’s really all about saving time
Automating the requests for audit evidence can allow your internal audit team to…
- Avoid playing “Match the evidence to the request!”
- Minimize risk of using an old version of a file
- Stop wasting time sending annoying follow-ups
- Secure documentation more effectively
It comes down to a huge time savings, freeing up internal audit resources to do the real, value-add work that your organization needs.
Pages or Forms?
While the training presentation focused on an evidence collection process in policyIQ pages, a similar process can be built within policyIQ forms.
Pages offer the advantage of a two-way link between the Evidence Request and the Test page, so that your internal auditors can simply leave the files attached to the Evidence Request. Pages also allow more than one individual user to contribute directly to the same Request. However, utilizing Pages requires that all users who participate in the process of providing evidence are Advanced Users, a more expensive license in policyIQ.
Forms offer their own advantages, allowing for a simple issuing and follow-up process. However, the link between the Evidence Request form and the Test page is less visible. Evidence files will need to be downloaded and re-uploaded to the Test page by the auditor. The significant advantage of the Forms process is that any individual providing evidence needs only to have a Standard User license, a less expensive license that can keep costs low!
Getting started in 5 easy steps
Our training session focused on how to get started in just five easy steps:
- Create Evidence Request template
- Build list of evidence in Excel
- Import evidence request list
- Assign requests
- Track progress and follow-up
We encourage you to check out the recording or the slides for more details on these steps – and reach out to us to help you to get your bearings and get started!
This simple feature isn’t glamorous, but it might save you some time and headache!
If you’re a policyIQ Site Administrator and have edited a user account, you may have noticed an option called “policyIQ Contact” on the appropriately named “Optional” tab of the Edit User window (on Site Administrator Accounts only). This box should be checked for a user that you would like to designate in charge of resetting passwords.
Moving forward, when users need their password reset, they can click the “Forgot Password” link on the login screen. A prompt will display for the user to input their email address, and an automatic email will be sent to the policyIQ Contacts in your organization. At this point, the policyIQ Contact users can log in and reset the user’s password.
policyIQ Contacts that get notified (or any Site Administrator, for that matter) can reset passwords by searching for the user’s name in the toolbar, or by drilling into the Groups and User tree in the left hand navigation. When the user is selected, go to the toolbar and edit the user. Go to the password tab and select “Change Password”. Type in a new temporary password for the user, confirm the password, and then select “Save and Notify”.
An automatic email will be generated; edit this text as you see fit, and send the email. The user will receive the email and will use it to log in to policyIQ the next time, when they will be prompted to create a new, full-time password moving forward.
Questions? Shoot us a message! Support@policyIQ.com