This Audit Trail will Reduce Organization Liability

Many organizations have pockets of well-developed and maintained policies and procedures. Leaders in various business units might have overseen the development of certification processes (“I have read and understood the policy…”, “I have not observed fraud…”). Fewer, though, are the number of organizations that have a coordinated enterprise strategy on policies.

GRC 20/20’s Michael Rasmussen had this to say about a strategy on policies:

We could write a series of posts delineating how policyIQ provides powerful technology support for a coordinated enterprise Policy Management strategy. For this post, however, let’s focus on Rasmussen’s last sentence in the paragraph above. policyIQ houses a comprehensive audit trail comprised of a number of features that allow the history of changes and versions to be examined from a variety of perspectives.

Historical Review

Version History is retained on all policyIQ content. It is possible to examine exactly what was presented in any version at any point in the content’s history. Attachments to documentation (evidence, forms, supplier documentation, etc) are also retained for historical review.

Change History is even more specific than Version history. This feature of policyIQ tracks specifically who made changes to content, what change was made, and when—dating all the way back to the inception of the documentation.

The viewing history of each page in policyIQ is also tracked. Do you want to know if that employee or the external auditor accessed the content last week as was reported? policyIQ can tell you.

Certifications

The ability to create and tailor certifications, attestations, and questionnaires and to customize how they are made available or scheduled for delivery leaves endless possibilities for organizations wishing to gather information from employees (and third parties) on their commitments, agreements, observations, performance, opinions and on and on. The “Forms” functionality in policyIQ eliminates the risk that an employee’s response will be overlooked in the sea of email.

Reporting Capability

All of these changes are made evermore valuable with the associated reporting features. Do you want to know who made changes to Accounting policies in the most recent quarter? Maybe you escalate a monthly review of any Exceptions documented on Information Security policies. Can you easily identify all procedures, projects, divisions or positions that will be impacted by the technology that you’re scheduled to replace? Yes—with policyIQ, you can.

Snapshot at a Point in Time

And if all of that wasn’t enough, policyIQ also allows organizations to schedule the capture of a complete backup of their database, called a Snapshot, containing all data at the time the Snapshot was captured.  Snapshots are a free benefit to policyIQ clients. While it is not common, it is an invaluable service to be able to present and review content as it was two years ago on that day in May, let’s say. For a small fee, clients also have the option to request an electronic extract of all content from their policyIQ site that they may provide in the event of an investigation or audit.

Safe and Direct Access

If the need presents itself, it is possible to provide investigators, auditors, litigators or other specified parties with direct access to your policyIQ site. This type of access would allow them to review documentation in the application and save on legal fees or administrative fees for copying or making information

RGP has received positive reviews for the breadth and depth of the audit trail provided in policyIQ. And while we have a number of testimonies to value that these features and services have yielded for various functions and divisions of our clients, that value is exponentially greater when applied enterprise-wide.

Maybe we’ll have to circle back to talk more about Michael Rasmussen’s related blog post and how policyIQ can help you to combine Case Management and Policy Management without sinking a huge investment of time and money into a big GRC platform. RGP has you covered with the subject matter expertise and technology there, too. Feel free to reach out to us directly if you’d like to know more or explore your options sooner than later!

Our policies have been created…now what?

Many organizations have used policyIQ for their Policy Management needs, and each client of ours has their own unique needs and for providing transparent and accessible policies to their users, public website, auditors, or other audience type.  However, the process is largely the same, regardless of the unique needs.

In nearly all cases, the policy content is created in policyIQ, reviewed, approved, and then published.  Making that content available is where the differences come in to play.  There are a few options for doing so:

A shared, Read-only account:

Create a Read-only user account in your policyIQ site (which is free, by the way), and apply the Read-only account as a viewer only on all applicable pages in your site.  Be sure to make sure that this account also has view access to the necessary folders, as well.

Then, share the Read-only account credentials with your user base.  Once logged in, the policyIQ view this user will have is a scaled down look – just folders and policy content, in this case.  Because the very nature of the account is Read-only, there is minimal risk in sharing the credentials with a large group of people.

A shared, Read-only account accessed via policyIQ Reader:

A similar process to the one above, but with a different look to the program and no login needs.

After creating the Read-only user profile and applying the user to security where necessary, edit the user profile.  Under the “required” tab of the Edit User window, scroll to the bottom to find a unique link called “policyIQ Reader“.  This hyperlink can be placed anywhere you like: bookmarked in your browser, stored on your desktop, placed in a shared network drive, or even on your intranet.  Once a location is selected, anyone that clicks the link will gain instant, read-only access to your policyIQ site.  No login required, and the “reader” look – a straightforward, no nonsense look at content, which is displayed in the table area to the right instead of a separate window, as seen below.

pIQ_Reader

Individual Read-only accounts:

Create an individual Read-only account per-user, which allows for greater flexibility in terms of seeing policies that are applicable to certain divisions, but not others.  Perhaps your finance and accounting folks have policies and procedures that apply to them, but not to the vast majority of other employees.  Creating separate accounts for everyone ensures the user experience in the product is directly related to their role.

 Individual policies accessed from an outside source:

Some of our clients choose to have their policies accessed from their primary company website.  In this case, the policyIQ pass-through link is ideal: eliminate login needs, access individual policies, and don’t display the main policyIQ site from which the policies were created.  Instead, display only the pages themselves.

Create a primary Read-only user account, and again add it to the view security on all applicable pages.  Now, view a page of your choice that is published.  A the very bottom, the page ID sits, and contains a link.  Click the link to open a small window that contains the policyIQ Passthrough link .  Copy and paste this link to the destination of your choice.  Selecting this link from an outside source will open the policy page only, and not require a login to the system.

Next steps:

Did you know policyIQ also handles Policy Sign-offs, as well?  It’s a simple process at a minimal cost.  Add Standard Users to your site in bulk (50 to over 10,000+) to completely revamp the way your organization automates creating, approving and storing certifications and sign-offs.

Does something here sound like it might be right for you?  If so, let’s talk about it!  Scheduling a half hour with a policyIQ expert on our team is not only free of charge, but will pay dividends moving forward as the management of your processes becomes easier by the day.  Many adjustments to existing sites take minutes to change, and new sites are even simpler!  Contact us at Support@policyIQ.com or 412-263-3330 to begin.