Can your organization provide evidence that your house is in order?

Actions by the U.S. Securities and Exchange Commission (SEC) have amounted to more than a billion dollars in disgorgement, fines and penalties every year for nearly two decades. On average, nearly a quarter of actions filed also included named individuals as defendants. What does it mean for your organization if one of your employees engages in illegal activity? Well, that depends. Can your organization provide evidence that your house is in order?

The executives who sleep well at night know that 1) they have policies in place, 2) they have and enforce a process to ensure policies and procedures are kept up to date, and 3) the organization has gone to great lengths to ensure that all employees and third-party agents of the company are aware of the policies and procedures.

Upon request, managers in their organizations can provide the latest policies, proof of maintenance, access to previous versions, a list of all changes including who made them and when, as well as evidence of employee notification and certification.

Employees in these organizations can also rely on their policy management systems to help them work more effectively and efficiently. Their policies and procedures are appropriately linked to related regulations, risks, controls, and principles, and they include ties to responsible parties, departments, relevant locations, and systems touched. If a new employee, system, or regulation is introduced, they can see who and what is impacted.

The most adept organizations have a broadly communicated philosophy regarding policy documentation and practices that provides a shared foundation for all divisions, departments, and regulatory management teams throughout the enterprise. They utilize a centrally accessible policy management platform that supports collaborative authoring and monitoring while also providing all employees with easy access to the latest approved versions.

How well have you been sleeping? Reach out to us and soon you can rest, too, knowing your house is in order: 412.263.3330.

What comes to mind when you hear “digital evidence”?

Who cares?

I mean, who actually has to care about digital evidence? Consider the audiences or different roles of people who need to produce or rely on digital evidence: management and business unit leaders; auditors; information management, technology, compliance, and security professionals; and the officers of your organization. We are producing unstructured data, much of it valuable, at a breakneck pace. Do you know who your producers of quality digital evidence are?

When I hear digital evidence, I think of the artifacts that may be considered digital evidence such as raw data, reports, signed documents, test results, specifications, and performance receipts. Documentation of activities that provide assurance, including procedures, work instructions, training sessions and materials, and attestations, is also critical. Have you identified which practices and assurances are closest to your significant accounts, risks, and controls?

How do we wrap our arms around digital evidence?

There are systems and practices that provide the bookends for ensuring relevant and reliable results contributing to digital evidence, such as systematic management and monitoring of workflow, milestones, deadlines, analyses, and remediations. Digital evidence also relies on the trail of bread crumbs that shows who touched what and when, including the audit trail of changes, versions, handoffs, and approvals. Without a central portal or system in place, it is plain to see that we cannot reliably manage digital evidence.

Are you taking advantage of all that policyIQ has to offer in these areas?

Alerts, dashboard notifications, and email generated systematically by RGP’s policyIQ help employees know when work is required of them. The taxonomy of the digital content is configurable and can be subject to the information governance preferences of your organization, with appropriate read, write, and approve rights established during initial configuration. policyIQ can provide an enforceable framework to manage contributions and the complete capture, monitoring, and reporting of critical documentation and evidence.

If your opportunity has more to do with the quality of your existing evidence or the need for corroborating evidence, RGP’s subject matter experts can help to assess your need and to fill any gaps identified. Right now—whether related to technology, process, quality, or completeness—make a note of some of those gaps or pain points that just crossed your mind. And then reach out to us: 412-263-3330.

Fierce Competitors are Built on Strong Core Processes

If your goal is to be a fierce competitor and to protect and defend your organization against the never-ending barrage of risks and change, a great place to start is by strengthening your core processes.

Policy management is the backbone of successful and sustainable organizations.

What do you think of when you think of policies? Does your Human Resources department manage a set of company policies that you have to attest to annually? Maybe you recognize the fact that your organization has a password policy and a policy regarding the use of social media on company equipment and company time.

In our recent webinar with guest presenter Michael Rasmussen, we heard a whole host of examples and reasons why organizations should be concerned with policies. If, up until now, you have not been particularly concerned about the value of your organization’s policies, you might want to lean in and peruse these notes from the Blueprint for Effective Policy Development and Management session:

Raise your hand if you are aware of where to find your organization’s index of official policies representing all areas of your business. Mr. Rasmussen asked a similar question of his audience at a recent conference and just 2% of attendees acknowledged awareness of an index maintained at the enterprise level of the organization’s policies.

Only a very small number of organizations see policies as the critical documents that they are. Mr. Rasmussen noted that policies are often not given proper attention and are strewn about in various systems, websites, shared drives and so on. Employees don’t know where to go to find documents or whether the document they found holds the latest version of the policy. In our session, Rasmussen emphasized why employees and leaders should value policies and highlighted some examples of how policies are at the core of every organization’s critical work:

  • Policies are GOVERNANCE documents.
    • Policies are critical documents.
    • They help to set boundaries to reliably achieve objectives.
    • Policies ensure consistent business behavior and transactions.
  • Policies are RISK documents.
    • The existence of each policy was preceded by the identification of a risk!
    • Still, many business leaders do not think of risks when they think of policies and many do not tie organization policies to risks.
    • Policies help to identify risks and control risks within certain boundaries.
  • Policies are COMPLIANCE documents.
    • Policies help us to act with integrity as it relates to
      • Regulatory requirements
      • Contract obligations
      • Code of conduct
      • Values and Ethics
      • Corporate social responsibility
      • And so much more

Policies are at the core of all Governance, Risk, and Compliance work.

If the advantages of effective policy development and management are not compelling enough to motivate your leaders to establish policies throughout the organization, this regulatory environment might force the issue. An evidence trail is critical in today’s regulatory environment. Policy management requires a complete system of record and an audit trail.

policyIQ provides company and division leaders with a highly adaptable technology for managing the full range of policy, compliance, and audit needs in one cost-effective platform scalable from specific regulatory environments and department functions to division business units and at the enterprise level. Maintaining a clear and defensible audit trail is paramount to the service and benefit provided by our GRC technology.

In part I of the policy management educational series hosted by RGP’s policyIQ team, Michael Rasmussen highlighted the considerations that are critical for development of a policy management strategy and the roles that contribute to policy management, and he drilled deep into the effective policy management lifecycle.

In part II, Michael will concentrate on the second half of the effective policy management lifecycle. The attendees of our first session gave rave reviews of the presentation. Be sure to register for Part II: Engage the Front Lines Through Effective Policy Communication.

We also encourage you to peruse upcoming events hosted by the policyIQ team. This audience, in particular, might be interested in our Introduction to policyIQ session that is delivered quarterly and demonstrates how organizations leverage policyIQ to establish consistent documentation templates, prescribe workflow and approval processes, communicate and distribute policies, monitor and enforce compliance with policies, and to establish a maintenance process for your critical documentation.

Register for the sessions that interest you, and we invite you to reach out to us (866.753.1231) with questions about effective policy management or policyIQ (our governance, risk, and compliance technology), or if you could use the support and expertise of an RGP professional to help get your program off the ground.

We look forward to seeing you in future sessions!

This Audit Trail will Reduce Organization Liability

Many organizations have pockets of well-developed and maintained policies and procedures. Leaders in various business units might have overseen the development of certification processes (“I have read and understood the policy…”, “I have not observed fraud…”). Fewer, though, are the organizations that have a coordinated enterprise strategy on policies.

GRC 20/20’s Michael Rasmussen had this to say about a strategy on policies:

We could write a series of posts delineating how policyIQ provides powerful technology support for a coordinated enterprise Policy Management strategy. For this post, however, let’s focus on Rasmussen’s last sentence in the paragraph above. policyIQ houses a comprehensive audit trail comprised of a number of features that allow the history of changes and versions to be examined from a variety of perspectives.

Historical Review

Version History is retained on all policyIQ content. It is possible to examine exactly what was presented in any version at any point in the content’s history. Attachments to documentation (evidence, forms, supplier documentation, etc.) are also retained for historical review.

Change History is even more specific than Version History. This feature of policyIQ tracks specifically who made changes to content, what change was made, and when—dating all the way back to the inception of the documentation.

The viewing history of each page in policyIQ is also tracked. Do you want to know if that employee or the external auditor accessed the content last week as was reported? policyIQ can tell you.


The ability to create and tailor certifications, attestations, and questionnaires and to customize how they are made available or scheduled for delivery leaves endless possibilities for organizations wishing to gather information from employees (and third parties) on their commitments, agreements, observations, performance, opinions and on and on. The “Forms” functionality in policyIQ eliminates the risk that an employee’s response will be overlooked in the sea of email.

Reporting Capability

All of these changes are made ever more valuable with the associated reporting features. Do you want to know who made changes to Accounting policies in the most recent quarter? Maybe you escalate a monthly review of any Exceptions documented on Information Security policies. Can you easily identify all procedures, projects, divisions or positions that will be impacted by the technology that you’re scheduled to replace? Yes—with policyIQ, you can.

Snapshot at a Point in Time

And if all of that wasn’t enough, policyIQ also allows organizations to schedule the capture of a complete backup of their database, called a Snapshot, containing all data at the time the Snapshot was captured. Snapshots are a free benefit to policyIQ clients. While it is not common, it is an invaluable service to be able to present and review content as it was two years ago on that day in May, let’s say. For a small fee, clients also have the option to request an electronic extract of all content from their policyIQ site that they may provide in the event of an investigation or audit.

Safe and Direct Access

If the need presents itself, it is possible to provide investigators, auditors, litigators or other specified parties with direct access to your policyIQ site. This type of access would allow them to review documentation in the application and save on legal fees or administrative fees for copying or making information

RGP has received positive reviews for the breadth and depth of the audit trail provided in policyIQ. And while we have a number of testimonies to the value that these features and services have yielded for various functions and divisions of our clients, that value is exponentially greater when applied enterprise-wide.

Maybe we’ll have to circle back to talk more about Michael Rasmussen’s related blog post and how policyIQ can help you to combine Case Management and Policy Management without sinking a huge investment of time and money into a big GRC platform. RGP has you covered with the subject matter expertise and technology there, too. Feel free to reach out to us directly if you’d like to know more or explore your options sooner rather than later!

We’ve been taking “Change” for granted: Shining a spotlight on the Audit Trail

Ask any longtime policyIQ client and they’ll tell you that it is unfathomable to imagine managing their content without that history of changes. policyIQ has been around for 10 years and for 10 years, the Change History has been there providing an audit trail – making sure that every time a page is touched by a user, there is a record of what fields were changed, who made the change, and when the change was made. The policyIQ Reporting tool allows you to build complex queries based on those changes, such as who made recent changes, what content was changed between a specified date range, what pages had a specific field updated in the last six months, and more.

An audit trail is a critical requirement of any content management application. But in recent conversations with prospective clients and industry analysts, it has come up often that an audit trail is something that is difficult to implement with some content management solutions – particularly solutions built in-house or via SharePoint – and we don’t want you to take this fantastic feature for granted!

Why do you need an audit trail?

There are lots of great reasons for having an audit trail, but it boils down to this: You want to know that the information in your system is accurate, updated appropriately and by the right people, and that nothing has been removed or deleted without appropriate approvals – and you want proof.

  • Fraud Prevention and Detection – I don’t like even having to mention this, but the potential for fraud is a fact of life. Knowing that there is an audit trail should prevent fraud attempts. If you can’t prevent it, though, you’ll be able to track down the source of the changes without much effort.
  • Oversight and Peace of Mind – With a complete audit trail, you don’t have to worry that changes are happening to your content without your knowledge – or that you won’t be able to track down the source of those changes.

Cautionary tale: The policyIQ audit trail is no joke.

If you collaborate on content in policyIQ, you are familiar with the options to send emails as you pass content along to another user, customizing the message that gets sent out. But did you know that the custom text you include in those emails is captured in the audit trail? You might be tempted to think of these “Notes” as pure email text, but those words will be captured in policyIQ forever – and visible to anyone who may have edit rights to the page in the future.

Rule of thumb? Don’t put anything in the “Notes” field of policyIQ that you wouldn’t be comfortable putting into an email that will be read by the entire company.

Effectively reporting on changes

If you’ve done any reporting in policyIQ, you know just how powerful our reporting tool is. Using filter selections, you can report on pretty much anything that is going on in your policyIQ site. And with our customizable column selections, you can display exactly the amount of detail that you need in your report results.

Change reports are not quite as well-known as our more standard report types, but they offer an extremely valuable insight! These reports give you a look at what changes have – or have not – occurred in your policyIQ site over a selected period of time. And when you look at the long list of change filters we provide, you’ll find that there are a ton of different changes you can report on.

First, let’s take a look at where you’ll find the change filters, so you can start building your very own change report.

Selecting Change filters

Create a new Page report, and then select Changes from the Add Filters dropdown list. The Changes window will open, with a list of different change types you can select, as shown in the image to the right.

With all of these change options available, you may be wondering which of these would be most useful to you. As you can see, we’ve given you the ability to report on some very specific types of changes. When was an Administrator Group added or removed? When was an attachment or a linked item added or removed? When was the Page removed from a Folder?

But there are some change filters here that most users would find helpful, once they realize what they can do with them. For example, the Item Field Changed filter can let you see when a specific custom field on a Page has changed. You likely know how to create a report that lists all of your Key Controls within a selected process. The Item Field Changed filter takes your reporting a step further and lets you see when the Significance field on your Control Pages was changed from Key to another value (e.g., Secondary or Non-Key), or vice versa.

Tell me everything! Sometimes, you may just want a comprehensive list of all the changes that have occurred on a particular Page. In that case, you’ll find the Any Change filter to be extremely valuable. Of course, a report like that is likely to bring back quite a few results, so don’t be alarmed if the report takes a bit longer than usual to run.

Pick Columns to determine what detail you want to see in results

Once you’ve made your change filter selections, you’ll want to make sure you’re also choosing columns that will display the most important information related to the report results. There are a number of column selection options that go hand-in-hand with change filters.

Building on our example of changes to the Significance field, you’ll probably want to include a column selection of Change Details. In most cases, this will show you what the previous value in the field was. So within that column in our report results, we’ll see if a particular Page’s Significance changed from Key to Non-key, or from Secondary to Key, and so on. When applicable, this column will also display any notes that a user entered at the time they made a change.

Let us help!

Would you like some help creating a particular change report? Don’t forget that the policyIQ support team is here to assist. Send us an email any time, and we’ll be happy to help you out!