A Remedy for Decentralized Audit Approaches

Is your organization still struggling with manual audit processes? Do you have audit projects, past audits, and workpapers strewn about in various shared network folders (or worse, on various hard drives)? Do your auditors have to rely on email to collaborate and share documents? How about your naming convention—has your audit group standardized the way that documentation is labeled to help you to keep the information organized and easy to reference? Speaking of standardization, have audit processes been standardized across the organization or does each location or division manage their own audit program? And what would you say about your review and approval process? Is it clearly mapped, followed, and approvals communicated? Are audit findings routinely rolled up and reported?

RGP’s policyIQ addresses each of these challenges so that you can realize more effective and efficient management of your organization’s audit function. Leverage predefined Templates, Folders, Workflow, Reports, and Audit Trail for your compliance, audit, or policy management documentation. It is also simple to customize the structure to accommodate ongoing changes or characteristics that are unique to your organization, program, or team.

Configuration adjustments are at your fingertips. You do not have to reach out to a support desk or technical team to add templates for specialized workpapers, IPEs (Information Provided by Entity), or for your PBC (Provided by Client) process. Adjustments can be made directly by users authorized in your organization. If you haven’t yet incorporated those templates into the flow of your work and want some help getting them set up, we do have support and configuration specialists who are happy to walk you through the setup of your custom program.

We expect all of RGP’s policyIQ audit clients to be enjoying these benefits in your audit program:

  • Consistent enterprise-wide audit process
  • Centralized access to workpapers and IPEs
  • Simplified administration of PBCs and audit process
  • Ability to easily locate and leverage audit templates/projects and previous audits
  • Streamlined communication among management, auditors (internal and external), and approvers
  • Real-time monitoring capability and status reporting
  • Simplified management and audit committee reporting

We’re ready to help you reach your goals!

Whether you are an existing policyIQ user or a new one, we want to help you to improve and automate your audit program. Perhaps you are new to the administration of your site or you are not sure how to make adjustments to the configuration of your site’s templates or structure. Reach out to us and we’ll be happy to help you get started or to optimize your implementation. Support@policyIQ.com.

5 Steps to a More Efficient Internal Control Environment

Is your team overwhelmed with activities that feel unnecessary?

How confident are you that the energy spent on testing is focused on the necessary controls?

Leverage policyIQ to systematically focus on the critical controls for management and testing. More efficiently analyze which Financial Statement Assertions, relative to each of your 10K line items, are adequately controlled, which are left vulnerable and which of your relevant assertions is over-controlled! See, plainly, the gaps in your coverage and leverage the evidence to justify the reduction of waste, and plan to concentrate effort on work that matters.

This process really starts with your risk assessment. If you have not leveraged policyIQ to bring automation and reliability to your risk assessment process and want to walk through the policyIQ solution (including the just-released feature that makes cumulative risk calculations possible), reach out to schedule a free working meeting with us! After completing your risk assessment, identifying significant accounts and relevant assertions, and determining which of your processes and objectives are in scope (all steps that can be managed in policyIQ), you can begin the process of rationalizing your controls.

Next, leverage policyIQ to move through these five Control Rationalization steps:

Each step is made more efficient with policyIQ. We can support you to customize templates for the attributes that are critical and unique to your organization. The import, linking, calculations, workflow, and reporting features will allow you to more quickly examine the effectiveness and priority of your procedures. Having confidence in your Control Rationalization process and your internal control environment then allows you to come full circle to look at the bank of risks that you previously identified. You might conclude that some process risks that have consumed time and attention for years are actually not in scope. This Control Rationalization process will help you to be more effective and more efficient through each testing cycle.

Would you like to see sample templates and schedule a working meeting to get the ball rolling? Contact us and reap the benefits by your next testing cycle!

Have you automated your Narrative reviews?

Are you paying employees to inventory email responses or spend hours in update meetings to accomplish tasks that can be automated? With the application of policyIQ forms, your employees can take back time that was spent on tedious tasks and focus on work that matters.

If your team is still using Word, Excel, and email to manage 302 CertificationsControl Self Assessments and Narrative Reviews, they are engaging in the frustrating task of having to inventory the responses from their inbox and then babysit and pester people to complete their work. As responses do arrive, they evaluate who they’ve heard from, who hasn’t responded, and evaluate whether/which follow-up activities are warranted. They are likely also having to pull together routine assessments regarding the status of responses to share with management and others.

Before anyone invests another minute on the effort of pulling together the Narrative Reviews for next quarter, contact us to help your team realize these benefits right away:

  • Simplified roll-out of questions/certifications each quarter
  • Easy access to real-time information for monitoring of status
  • Automation of reminders going out to outstanding respondents
  • Automated compiling of results
  • Effortless reporting for management

There are lots of products out there that will set you back $50-$500k annually that promise efficiency gains in your compliance processes. For a fraction of that cost, we’ll deliver on that promise in a matter of weeks—not months or years. Work smarter. Spend smarter. Contact us today to schedule your configuration session. 

Who wants to avoid redundant effort and rework?

RGP consultant, Jason Chiang, recently wrote:

Jason Chiang
Expert in risk management and audit

“A narrative provides mid-level detail of the transactions and internal controls within a business process and includes who, how frequent, and in what location the transactions and controls are being performed…

…Narratives should be updated as changes are implemented in the organization. The updates should follow a workflow where there is a review process for significant changes.”

For many clients, automating the process of updating compliance documentation is a critical but often overlooked part of their practices. Each year, various aspects of controls may change, such as steps of the control procedure, the control description, or control ownership.  As these critical bits of information are updated, it is important, as Mr. Chiang stated, that the associated narrative pages are also updated to reflect the latest information.

Who wants to avoid redundant effort and rework?!

If you haven’t already implemented policyIQ or you have policyIQ and you haven’t taken advantage of this feature, this is a good time to tune in and make a note: policyIQ has a “linked field” option that allows you to update control language (or other documentation) in one place and present the updated language in related documents—here’s the key: without redundant effort or rework!

Displaying all related Controls in the Narrative is probably the most common request, but you can also display Risk language in Controls, Control language in Tests, and the contract review conclusions in a management summary page, among a seemingly infinite number of options! No more hunting down related documents to make small tweaks–it’s already done!

To learn more about how reduce redundant effort and rework, contact our team at Support@policyIQ.com.

Your Risk Assessment spreadsheets are costing you!

Are your employees still manually managing Risk Assessments using spreadsheets?
If you answered yes, they are likely struggling to work with others efficiently, they are frustrated by version control issues, and they are wasting time trying to figure out who has given input and who still needs to provide information.

The data in spreadsheets is difficult to aggregate. Performing analyses within a spreadsheet is limited, and across multiple spreadsheets it is nearly impossible. There are nearly always issues with data entry and, therefore, data integrity. So, your employees are likely also spending time having to validate and track down information and they’re likely performing rework to shore up assessments and findings. For all of these reasons, spreadsheets prolong the time and expense of audits.

RGP’s policyIQ team has developed features that help you to automate questionnaires, inventories, risk ratings, capability measures, track gaps and roll-up findings. Your management and audit teams can begin collaborating on their finance, operational, fraud and enterprise risk assessments right away.  Contributors from your locations can work together in one flexible and easy to use tool with confidence in the security and accuracy of their information and analyses. Templates for various risk assessments are easy to customize. Notes and assumptions from previous assessments can be easily referenced and considered in current risk calculations.

Your auditors can remotely review the content that you choose to make available to them and only after it has completed the review process that you enforce using policyIQ.

Reach out to us to request your free trial site and to learn more about how your team can end their reliance on spreadsheets. Work smarter.

Who has access to your critical documentation?

Think, for a moment, about your human resources policies, risk documentation, safety specs, audit issues, training materials, accounting procedures or your IT controls.

  • Do external audiences, as well as internal employees, need access?
  • And do these audiences require access to different subsets of your content?
  • Does the intended audience know exactly where and how to locate all relevant content?
  • Is the latest version of the content available to your audience?
  • What steps do you have to take to disseminate content changes to your audience?

These are among the information governance considerations that RGP systematically addresses using policyIQ.

One of the lesser known perks of policyIQ is the ease with which you can provide free, simple, secure and tailored read-only access to your audience.

In this related blog post, we described one feature of policyIQ that gives organizations an easy-to-setup and easy-to-use solution for presenting and disseminating content to your read-only users.

If you are trying to develop a plan for appropriately sharing different types of documentation with their respective audiences, get in touch with us! We enjoy brainstorming and problem-solving challenges like this!

This Audit Trail will Reduce Organization Liability

Many organizations have pockets of well-developed and maintained policies and procedures. Leaders in various business units might have overseen the development of certification processes (“I have read and understood the policy…”, “I have not observed fraud…”). Fewer, though, are the number of organizations that have a coordinated enterprise strategy on policies.

GRC 20/20’s Michael Rasmussen had this to say about a strategy on policies:

We could write a series of posts delineating how policyIQ provides powerful technology support for a coordinated enterprise Policy Management strategy. For this post, however, let’s focus on Rasmussen’s last sentence in the paragraph above. policyIQ houses a comprehensive audit trail comprised of a number of features that allow the history of changes and versions to be examined from a variety of perspectives.

Historical Review

Version History is retained on all policyIQ content. It is possible to examine exactly what was presented in any version at any point in the content’s history. Attachments to documentation (evidence, forms, supplier documentation, etc) are also retained for historical review.

Change History is even more specific than Version history. This feature of policyIQ tracks specifically who made changes to content, what change was made, and when—dating all the way back to the inception of the documentation.

The viewing history of each page in policyIQ is also tracked. Do you want to know if that employee or the external auditor accessed the content last week as was reported? policyIQ can tell you.

Certifications

The ability to create and tailor certifications, attestations, and questionnaires and to customize how they are made available or scheduled for delivery leaves endless possibilities for organizations wishing to gather information from employees (and third parties) on their commitments, agreements, observations, performance, opinions and on and on. The “Forms” functionality in policyIQ eliminates the risk that an employee’s response will be overlooked in the sea of email.

Reporting Capability

All of these changes are made evermore valuable with the associated reporting features. Do you want to know who made changes to Accounting policies in the most recent quarter? Maybe you escalate a monthly review of any Exceptions documented on Information Security policies. Can you easily identify all procedures, projects, divisions or positions that will be impacted by the technology that you’re scheduled to replace? Yes—with policyIQ, you can.

Snapshot at a Point in Time

And if all of that wasn’t enough, policyIQ also allows organizations to schedule the capture of a complete backup of their database, called a Snapshot, containing all data at the time the Snapshot was captured.  Snapshots are a free benefit to policyIQ clients. While it is not common, it is an invaluable service to be able to present and review content as it was two years ago on that day in May, let’s say. For a small fee, clients also have the option to request an electronic extract of all content from their policyIQ site that they may provide in the event of an investigation or audit.

Safe and Direct Access

If the need presents itself, it is possible to provide investigators, auditors, litigators or other specified parties with direct access to your policyIQ site. This type of access would allow them to review documentation in the application and save on legal fees or administrative fees for copying or making information

RGP has received positive reviews for the breadth and depth of the audit trail provided in policyIQ. And while we have a number of testimonies to value that these features and services have yielded for various functions and divisions of our clients, that value is exponentially greater when applied enterprise-wide.

Maybe we’ll have to circle back to talk more about Michael Rasmussen’s related blog post and how policyIQ can help you to combine Case Management and Policy Management without sinking a huge investment of time and money into a big GRC platform. RGP has you covered with the subject matter expertise and technology there, too. Feel free to reach out to us directly if you’d like to know more or explore your options sooner than later!

A complete solution – presented in a policyIQ CPE event!

As part of our ongoing quarterly CPE event for policyIQ, we are putting together something a bit different – and bigger – than normal!

Join us on Thursday, November 30, 2017 at 12pm Eastern Time for the one hour CPE event presented via the web, showcasing policyIQ’s abilities, features and processes for all of your Policy Management needs.  Hosting this session will be Chris Burd, policyIQ Managing Director, and Travis Whalen, policyIQ Product Manager.  Learn more about policyIQ’s solution possibilities here.

In this Introduction to policyIQ CPE session, participants will be able to (among other milestones):

  • See how to utilize the import utility to centralize previously disparate content
  • Secure documentation with read, write and edit access – and approval processes
  • Apply search and reporting features to quickly gather information that is critical to decision-making

Sign up for this training here, and learn more about how policyIQ can be an effective solution for your organization’s Policy Management needs.

 

Enterprise-wide GRC made more powerful *and* simple with our new list fields!

By now, you likely are aware that policyIQ is a flexible GRC platform that can be easily configured and customized into various GRC and other solutions. One of policyIQ’s strengths is the ability to tailor security at a broad and granular level allowing organizations to implement policyIQ in many areas without stepping on each other’s toes, so to speak. Because of this security capability, with our user-based pricing (rather than the common software model of pushing multiple products or add-on modules), our clients have long been able to leverage policyIQ throughout the organization for multiple initiatives at a reasonable cost.

The latest release of policyIQ includes features that support robust enterprise-wide applications of policyIQ for a range of initiatives. In the past, users in different areas of the organization would create a folder, manual, dropdown or multi-select list to track different critical pieces of information pertinent for their documentation. And while this setup could have been perfect for the audit team’s testing documentation, the same location list, for example, would have to be recreated by the technical accountants performing ASC 606 contract reviews. That was then. Clients leveraging policyIQ’s version 7.8 are able to create and manage Global Lists that can be shared across the organization. If your list of Field Offices is leveraged in various types of content throughout the organization, it can now be centrally maintained and updated rather than having to be updated in several department-specific templates.

Similarly, clients historically had to create independent dropdown fields to track people or responsibilities in their content (i.e. Control Owners, testers, contract reviewers). Now, the lists of users created under Groups and Users and established as a part of user profiles can be leveraged as fields within templates. Once and done.

Here are more examples of where this might be pertinent to you. If you have fields or folders tracking these things and would like to save time and sanity managing them, we recommend looking into the new shared fields (Global Lists, Users Lists):

  • Currency
  • Location
  • Revenue Stream
  • Process Area
  • Business Unit
  • Control Owners
  • Significant Accounts
  • System Applications
  • Relevant Compliance Area
  • Prepared By

Of course, reach out to us if you have questions on how to make the adjustments to your policyIQ site.