Welcome guest blogger, Jason Chiang. With RGP for nearly 8 years, Mr. Chiang has more than 20 years of experience and expertise in Audit, Risk and Compliance. He has consulted with a range of companies from financial services, biotech, manufacturing, healthcare and other industries. Mr. Chiang is a Certified Public Accountant (inactive) and Certified Internal Auditor. He has served on both sides of the house as a senior audit manager and senior auditor as well as a risk manager. It is evident that he understands the motivations and hurdles facing these organizations and approaches their complex issues with integrity and professionalism.
The following article was written by Jason Chiang (with editing support from Stephenie Buehrle). The approach and recommendations are his.
Not all roads lead to successful IPO
When a company approaches their initial public offering (IPO), it enters a very different arena. Having access to public funds, that is the retirement savings of Main Street USA, the company must meet quarterly SEC filing requirements. This is a significant amount of work. An investment in the people experienced with technical accounting, SEC financial reporting, and Sarbanes Oxley Compliance (SOX) evaluations combined with an investment in systems and tools to do the work efficiently and with completeness and accuracy is crucial to meet the filing deadlines.
One cannot audit all internal controls over financial reporting (ICFR). Thus, performing a SOX risk assessment is necessary to identify the significant accounts and their relevant assertions. If you happen to be one of these companies developing a road-map to your IPO, SOX may not be the place where you want to focus significant time and financial resources, but you realize that it has to get done. Be sure that you consider, at minimum, these critical components:
A risk assessment is the process of identifying significant accounts and disclosures and their respective relevant assertions as they relate to financial statements. A properly done risk assessment will allow the company work smart by focusing its internal controls evaluation on the areas where there is a possibility of a material error.
The Risk Assessment must include:
- Quantitative factors such as account balance, frequency of transactions, dollar value of each transaction; and
- Qualitative factors such as complexity of related transactions, subjectivity of accounting rules over related transactions, and fraud considerations.
- As business and risks change, the risk assessment needs to be updated.
A narrative provides mid-level detail of the transactions and internal controls within a business process and includes who, how frequent, and in what location the transactions and controls are being performed. The initial creation of narratives provides the process owners an opportunity to revisit and reflect on the current processes, and make improvements for operational efficiency or control effectiveness. It is a written document that can be read by internal employees, internal auditors, and external consultants and auditors to gain a preliminary understanding of the process. As processes change, the narrative provides a format to document the change.
What critical things must be considered regarding Narratives?
- The narrative should be written knowing that auditors will be a primary reader and will be looking for controls that mitigate risks.
- When describing management review processes in the narrative, articulating how the manager gains assurance of the completeness and accuracy of the supporting evidence before signing off. If the manager is using judgment, describing the factors considered.
- Narratives should be updated as changes are implemented in the organization. The updates should follow a workflow where there is a review process for significant changes.
A control matrix lists the controls the company has identified to mitigate risks. The control matrix serves as evidence that identified risks are mapped to controls which are to be evaluated for management’s assessment of internal controls. The control matrix also is a primary client document auditors leverage to perform their independent test of controls.
Take care to ensure that:
- The controls in the Controls Matrix are mapped to risks.
- The Controls Matrix is in a format where it is sortable or reportable by controls mapped to risks for test of controls purposes, and risks are mapped to controls for an evaluation whether risks are mitigated by controls.
- Controls in the Controls Matrix should be labeled and provided an abbreviated title (10 words max) for ease of reporting and reference purposes.
Testing is the evaluation of design and operating effectiveness of the company’s controls. The results of testing of controls provide company management with a baseline to that might have impacts to strategic and operational decisions. For publicly held companies, testing is an SEC requirement.
Critical considerations for testing:
- Important, if deemed necessary, to be able to re-perform the actual control performed by the employee (e.g. for 3-way match of purchase order, invoice, and shipping docs, test that an employee had performed this and has evidence of such, rather than the auditor requesting the 3 docs and testing oneself).
- When testing management review controls, cannot just accept sign-off, but need to understand the steps and judgments used by the manager, and test accordingly.
- The documentation of testing should allow someone else to reasonably re-perform the testing. If testing is being relied upon by external auditors, then the breadth of documentation is more important. If not, not all needs to be retained, but should be readily retrievable when needed.
Control owners certify to the CFO and CEO that controls are operating effectively on a quarterly basis, and if not operating effectively, the remedial action plans. The control owners are held directly accountable for their controls as they are certifying to the top two officers of the company.
Recommendations for certifications:
- The number and level of person certifying to the CFO and CEO should be carefully considered. The level should be their direct reports and one level removed to maintain the efficiency and integrity of the certification. If it is a larger organization, there can also be sub-certifications up to the senior manager level.
- The certification questions should have a combination of checklist questions, as well as, open ended questions to encourage a thoughtful process.
- Utilizing software for tracking, follow-up, and retention purposes is advised.
Depending on the number of people involved with the inputs into the various components, one might decide that performing and capturing the work in Excel is sufficient, while others might prefer utilizing a SOX tool where there are extra protections in version control while allowing multiple users to perform inputs simultaneously in multiple locations. A SOX tool may also provide management with options for review, analysis and oversight that are not available in Excel.
To avoid unexpected setbacks, be sure to plan enough time into your IPO readiness map for SOX evaluations. The initial SOX program development and implementation is likely to require six months and can vary depending on your access to subject matter experts. Coordination and alignment of the SOX efforts and objectives among the audit committee, senior management, process owners, and internal and external auditors is paramount for a successful implementation.
If your organization is approaching your initial public offering and you’re interested in learning more about how RGP can support you with subject matter expertise and a tailored technology solution to help ensure that you are prepared for your SEC filing and financial reporting requirements, reach out to us (Information@policyIQ.com, 412.263.3330) and we’ll connect you with our RGP colleagues near you!
The policyIQ team joined our RGP colleagues at the Institute of Internal Auditors’ 2017 General Audit Management (GAM) Conference in Orlando, Florida on March 20th-22nd. Once again, this was a great event packed with learning and networking opportunities!
Representatives from RGP included:
The conference was attended by more than a thousand audit professionals and we were only able to speak to about 200 of them. If we didn’t get to have a conversation with you, here’s what might have transpired had we connected:
The conference sessions inspired some great discussions!
We carried on the conversations started by the keynote speakers and others. We talked about the hats that auditors are asked to wear, the importance of the internal audit function and profession, and the value of independence, maintaining integrity and having the courage to do the right thing against, sometimes, great personal risk. With integrity being among the core values at RGP and 20+ years’ experience serving as a professional services firm in this field, we are charged by discussions in this vein and by the opportunity to encourage our clients and peers in the audit profession.
We talked about how the times have changed. Once upon a time, we recognized that not all companies were performing regular risk assessments and we were encouraging them to get started with annual risk assessments. In the last few years, we see that the demands of business, technology, competition, culture and so many more are requiring companies to be more nimble and to both assess and respond to risk on a continuous basis. We participated in discussions around what it takes to be prepared and resilient in these times and how RGP’s Data Solutions practice can help companies to better collect, manage, secure and leverage their data.
Cyber security was a hot topic again this year! We discussed the struggles that some companies experience in identifying and developing the necessary expertise to address the present and growing need to address cyber security. We heard that companies are looking across various functions to address their security concerns. RGP’s maturity in integrated solutions, leveraging expertise across information security, audit, data solutions, process improvement (and more) allows us to be responsive, provide a high quality service and to tailor comprehensive solutions to each client’s needs.
We shared our story…how RGP and policyIQ stand out from the pack.
Another theme in our conversations with other professionals at GAM: how RGP is different. There’s certainly no shortage of consulting firms and technology providers at these things, right? The vendor hall can be a little bit intimidating for the introverts among us. At the RGP booth and throughout the conference, we worked to jump quickly to how we at RGP and our GRC Technology are different from most others.
Our consultants have 10-20 years’ experience. They are true subject matter experts who can lead your initiative or project and work alongside your team with valuable knowledge to share and teach. Rather than the checklist approach, our consultants build tailored solutions and collaborative partnerships. Remember the mention of integrity being a core value? We have a track record of long-term, trusted partnerships, evidenced by a 100% retention rate of our top 50 clients.
RGP also has 70+ offices around the globe—these are our offices, not affiliates. This means our people, our culture, and our standards; therefore, we deliver consistently high quality results worldwide.
And our GRC technology, policyIQ, packs a powerful punch in a nimble and affordable, centrally accessible platform. We serve companies from risk assessment through compliance initiatives, testing, reporting of findings and remediation like many other enterprise GRC tools. We also provide solutions for ASC 606 contract review, lease data capture, contract administration, policy management, automation of evidence request and collection, 302 certifications, legal and data room, support for integration with mergers and acquisitions, account reconciliation management and many more ALL IN ONE TOOL. It’s a matter of security configuration (part of the information governance planning that we guide you through as a matter of course at no additional charge). People find it amazing that they can do so much in one easy to use tool.
What’s more, a solution or initiative can be implemented in policyIQ in 4-6 weeks—not months or years, like most other products. And policyIQ is so easy to setup and use that NO IT RESOURCES ARE REQUIRED. We like to include and engage IT in the early conversations because a company can better leverage policyIQ for various departments and initiatives when the IT department includes it among their suite of solutions for their stakeholders. (Pssst—it saves time and money for IT departments, too!)
Next year, we’re going to have the biggest booth and the loudest parties!
Just kidding. You know, I often start off feeling a little bit small at these huge conferences. We don’t have the biggest booth or the most extravagant events to woo attendees to come and visit with us. (Although we heard from a bunch of folks that we did have the best swag this year with our super cool phone charger pens.)
Still, every year, I leave energized!
We deliver excellence! We have amazing clients and valuable partnerships and we build on them every year. I don’t have to feel pressure to be bigger and flashier to land sales. The truth of who we are and what we have to offer at RGP holds tremendous value, builds solid relationships and is a great story to share.
If we didn’t get to shake hands at GAM or elsewhere, yet, and you’d like to hear the good news first-hand, please reach out to any of us. We’d love to buy you a cup of coffee and learn about your business issues that we’ll help to remedy.
RGP and the policyIQ team were honored to be invited to speak at the Atlanta chapter of the Institute of Internal Auditors (IIA)’s conference, held on Friday, September 16.
policyIQ’s Managing Director, Chris Burd, tackled the topic of “Ways that Technology Can Expedite Internal Audit’s Daily Work”. With attendance for the session well over 200, the topic was clearly one that generated a lot of interest.
An unscientific “show of hands” poll of the audience found that only about half of the attendees currently utilize a software application that is designed for Internal Audit or Governance, Risk and Compliance programs. For those not utilizing an application, the session generated a number of ideas and stressed the value of having a tool to expedite and streamline the process.
For those that do use an internal audit application, however, the conversation also allowed the attendees to ask and offer suggestions to others of ways to improve their current audit work. The discussion followed the following steps in the Audit Cycle:
Two specific areas that were called out as areas of interest by the attendees were the work of Evidence Collection and that of Issue Tracking.
In evidence collection, we talked about ways to automate the evidence collection process, as well as some of the challenges of doing so. While a fully automated evidence collection process is the ideal end goal, the discussion touched on making sure that you also provide the right amount of training and oversight to those individuals participating in the process, to alleviate stress of a new process and minimize the risk of invalid evidence submission.
The topic of issue management focused primarily on the idea that issues are most effectively managed when they can be easily linked to the audit testing, controls, processes, or risks from which they originated. Having a central system to manage risk assessments, internal controls and procedures, audit testing and issues allows for this flow of information.
Looking for Technology that is Simple to Use and Implement!
As a sponsor, RGP was also able to meet with attendees as they stopped by to say hello. Folks that stopped by to talk about technology almost invariably said the same thing – they wanted to find software that was easy to use and easy to implement. Long and costly implementations caused many to simply continue doing things in the same Microsoft Office tools that they have always used.
Do you want to learn more about how to make your internal audit team more efficient and effective? Contact us today and we’d be happy to meet to talk about some of the specific ideas and how policyIQ can meet those needs!
Go to our website, www.policyIQ.com, to learn more, download datasheets, request a trial, demo, or to buy policyIQ! You may also reach out to us directly at 1.866.753.1231 or info@policyIQ.com.
Go to our website, www.policyIQ.com, to learn more, download datasheets, request a trial, demo, or to buy policyIQ! You may also reach out to us directly at 1.866.753.1231 or info@policyIQ.com.
Have you been burned by a software provider?
You worked for months (years for some), listening to promises from several different people who kept handing you off and never addressing your concerns. You found yourself with more time and money invested than you care to admit and you have grown to look at all software providers with skepticism (if not disgust).
Does this sound familiar?
I hear you. Your frustration was echoed by countless people that I spoke with at a national conference in March. Because a number of people felt compelled to share their horror stories about other providers with me, I got comfortable jumping quickly to the things that make us different than the typical software company:
- RGP is NOT a software company! Integrity is at the core of our firm. We want to create great relationships and serve you so impressively that, when you need a consultant, you already know the quality that you can expect from us.
- We don’t have a huge policyIQ booth at conferences and our software does not have the huge price-tag required to pay for that presence (policyIQ starts at <$5k/year).
- We don’t sell multiple modules or products and aim to upsell you. policyIQ really does accommodate multiple business areas and needs in one affordable tool.
- Our goal is to solve for your information, content, process, and workflow challenges across the Governance, Risk and Compliance (GRC) space, not to land a sale.
- Your sales person does not make commission or hand you off to an implementation team that’s unaware of promises made during the sales process—we walk alongside you the whole way and help to tailor the implementation to your organization’s needs.
- Our product does what we tell you it does (and we answer truthfully if you ask us about something we don’t do or plan to develop).
- We have a support team that truly cares to give you excellent and timely service.
We think of our clients as part of our community with whom we will have a long partnership. We listen to your needs, plans, wishes and heartaches and work continuously to problem solve with you.
We’re proud to be a misfit among typical software providers.
We encourage you to take a peek at this introduction to policyIQ, and then reach out to us! We’d be glad to schedule a personalized tour of policyIQ. Also, we invite you to kick the tires! Sign up for a 30-day trial, completely risk-free.
We look forward to working with you!
Soup to nuts—or Risk Assessment to Review of Evidence, we are ready to help you make your 2016 Sarbanes Oxley compliance work more efficient than ever! You will notice that we have another post this month that talks about rolling forward last year’s SOX work to create the baseline for your 2016 work. Some of you might not want to repeat last year’s work. Maybe you didn’t use policyIQ last year or you’d like to make improvements on what was done in previous years and take advantage of all that policyIQ has to offer. We have some tips and tools to help you:
- Risk Assessment – We previously shared a sample template with you that you might want to implement for 2016. If you already have your Financial Statement Risk Assessment complete, we can help you with your plan to import and tie the results of that assessment to relevant assertions and controls. Capturing the full cycle in one place will not only help your organization to be much more efficient, it will also save time and money when your external auditors are looking to connect.
- PCAOB’s Auditing Standard No. 5 – Are you looking to make improvements to your process and work more efficiently this year? Check out this visual summary or watch the full recording of the webinar that walks through the application of AS5.
- Link related compliance elements and utilize various reports to monitor progress, analyze performance, and stay on top of your program. We have lots of ideas about SOX reporting. Check out you online Help manual and this post for some ideas.
- Automate supporting processes – are you still using Word, Excel, and email to manage your 302 Certifications, Control Self Assessments and Narrative Reviews? One of the most frustrating parts of this work is having to inventory the responses and pester people to get their work done. You can literally perform the setup of these tasks one time and then consider it complete forever after using policyIQ’s Forms functionality to automate the inventory and reminders.
- Grant External Auditors access to only that content which you want them to see! Have you done this yet? I recall being scolded by a client who told me that we don’t brag about this benefit enough. He felt that he could have saved a significant amount of time and money over the years and wished he had granted their external auditors access much sooner. It’s really easy to bring them into the fold and show them only what you want them to be able to review. Here’s how.
- Evidence gathering – If you find that a lot of time is spent by auditors, managers—everyone—rounding up information, perhaps it is time to commit to one main holding place for your evidence. You can even use policyIQ to help automate and monitor the collection of evidence. We have some posts discussing what has been done in the past and we’ll be taking a fresh look at options surrounding the Evidence Collection effort in an upcoming training session—please join us!
We hope that this list of resources is helpful to you or at least has you thinking about things that you’d like to manage more efficiently. We often work with people who feel like they just don’t have time to figure out how to save time! We get it. That’s what we’re here for! If you don’t have time to read posts and play around in policyIQ, but want to realize the benefits sooner than later, reach out to us and we’ll walk you through some simple adjustments that you can make to gain relief and command over your information right away!