In a number of blog posts, we’ve highlighted the ways that policyIQ can be used throughout the entire SOX process – from risk assessments through issue remediation. This past Thursday, July 28th, we took an hour to walk through the entire process in a CPE webinar to highlight ways to create efficiency at each step.
Did you miss it?
Before we hit the highlights below, we want to point you to the session recording and the slides, both of which are available for download.
The Big Picture
We highlighted a number of big picture advantages of using policyIQ not just for SOX, but for all of your compliance initiatives. We talked about…
- Simplicity of rolling out and managing a cloud-based
- Advantages of being able to assign security and access
- And the efficiency of a single source of information through the entire compliance and audit environment.
A single source means that when you make a change in one place, that change feeds all of the different perspectives on the data.
Efficiency at Every Step
We also dug into the efficiency that can be gained at every step of the process. Just some of those ideas are presented below. We also mentioned additional training available for some steps, and have linked those training sessions.
- Risk Assessments
- Tie risk assessments at the 10K line item level to your risks and controls for ease of scoping.
- Control Updates & Review
- Allow your control owners to make updates directly in policyIQ as things change, or require regular reviews of control documentation.
- Walkthroughs & Testing
- Collaborate early (and often) with external auditors to ensure that your testing is capturing all of the detail expected.
- Issue Tracking & Remediation
- Assign remediation plans to owners and use automated reminders to ensure responses are provided.
- Conclusions & Reporting
- Utilize flexible reporting capabilities to trace issues back to the vulnerable risks and compensating controls to make a final determination about significant deficiencies or material weaknesses.
We also included the supporting functions that feed the process.
- Map to COSO 2013
- Link Entity Level Controls to COSO Principles
- Evidence Collection
- Assign evidence requests, utilize automated reminders, and track receipt of documentation
- Time & Expense Tracking
- Report on budgeted versus actual hours and cost, and use the data for next year’s planning
- SOX 302 (Sub)Certification
- Assign role-specific questionnaires, utilize automated reminders, and report on exceptions
We’re ready to help you build more efficiency into your SOX program. Contact us today and ask to speak with our client service team to walk you through implementing some new ideas! Not yet a policyIQ client? Contact us and ask us for a personalized demonstration!
Soup to nuts—or Risk Assessment to Review of Evidence, we are ready to help you make your 2016 Sarbanes Oxley compliance work more efficient than ever! You will notice that we have another post this month that talks about rolling forward last year’s SOX work to create the baseline for your 2016 work. Some of you might not want to repeat last year’s work. Maybe you didn’t use policyIQ last year or you’d like to make improvements on what was done in previous years and take advantage of all that policyIQ has to offer. We have some tips and tools to help you:
- Risk Assessment – We previously shared a sample template with you that you might want to implement for 2016. If you already have your Financial Statement Risk Assessment complete, we can help you with your plan to import and tie the results of that assessment to relevant assertions and controls. Capturing the full cycle in one place will not only help your organization to be much more efficient, it will also save time and money when your external auditors are looking to connect.
- PCAOB’s Auditing Standard No. 5 – Are you looking to make improvements to your process and work more efficiently this year? Check out this visual summary or watch the full recording of the webinar that walks through the application of AS5.
- Link related compliance elements and utilize various reports to monitor progress, analyze performance, and stay on top of your program. We have lots of ideas about SOX reporting. Check out your online Help manual and this post for some ideas.
- Automate supporting processes – are you still using Word, Excel, and email to manage your 302 Certifications, Control Self Assessments and Narrative Reviews? One of the most frustrating parts of this work is having to inventory the responses and pester people to get their work done. You can literally perform the setup of these tasks one time and then consider it complete forever after using policyIQ’s Forms functionality to automate the inventory and reminders.
- Grant External Auditors access to only that content which you want them to see! Have you done this yet? I recall being scolded by a client who told me that we don’t brag about this benefit enough. He felt that he could have saved a significant amount of time and money over the years and wished he had granted their external auditors access much sooner. It’s really easy to bring them into the fold and show them only what you want them to be able to review. Here’s how.
- Evidence gathering – If you find that a lot of time is spent by auditors, managers—everyone—rounding up information, perhaps it is time to commit to one main holding place for your evidence. You can even use policyIQ to help automate and monitor the collection of evidence. We have some posts discussing what has been done in the past and we’ll be taking a fresh look at options surrounding the Evidence Collection effort in an upcoming training session—please join us!
We hope that this list of resources is helpful to you or at least has you thinking about things that you’d like to manage more efficiently. We often work with people who feel like they just don’t have time to figure out how to save time! We get it. That’s what we’re here for! If you don’t have time to read posts and play around in policyIQ, but want to realize the benefits sooner rather than later, reach out to us and we’ll walk you through some simple adjustments that you can make to gain relief and command over your information right away!
We want to thank everyone who joined us this week for our latest training session, Enterprise Risk Management in policyIQ. In this 60 minute webinar, we highlighted how to apply the policyIQ technology to your ERM program.
ERM – A Six Phase Approach
RGP’s Governance, Risk and Compliance practice has developed a six phase approach based on years of working with companies around the world to implement effective Enterprise Risk Management. In policyIQ, we use the same six phases to organize and structure ERM.
Use policyIQ Technology to add Efficiency Every Step of the Way
In this training session, we covered ways that clients use policyIQ within each phase of the ERM process. For more information, reach out and schedule some time to talk about your ERM needs!
Preparation: Corporate Goals & Objectives and Cultural Evaluation
ERM should be implemented to support corporate goals and objectives, so ensure that you have those goals clearly documented and made available to all employees. Remember – policyIQ provides free read-only access, allowing you to easily make that information available to all at no additional cost!
And if you aren’t certain whether your organization is ready for ERM, use policyIQ to survey your employees and better understand the current risk environment. Perhaps you’ll find that most employees are risk averse, while you may later find that your corporate goals require an aggressive risk approach. Knowing that there is a disconnect allows your team to provide additional training, tailored mentoring or even to think about some new hires in key positions.
Phase 1: Risk Inventory
Before you can start prioritizing your risk, you need to really understand all of the risks that impact your business. We discussed two possible approaches:
a. Use a standard list of risks and ask employees to tell you if the risks apply
b. Start with a blank slate and ask employees to think of all of the risks that keep them up at night.
In either case, policyIQ aggregates all of the responses, including aggregating the contents of Excel files that might be sent out to capture risks in that “blank slate” approach. And remember – don’t just survey your executives and senior management! Employees at all levels of the organization will provide different insight into risk, and asking a cross-section of individuals will help to identify risks that you may otherwise not be aware of.
Phase 2: Consistent and Specific Risk Measures
When prioritizing risks, be sure that the measurements used are specific and consistently applied. Ranges of dollar amounts, for example, represent the impact of a risk.
Phases 3 & 4: Clear Risk Appetite Statement and measurable Risk Tolerance
Effective ERM requires a clearly articulated Risk Appetite Statement, describing the amount of risk and kinds of risks that the company is willing to accept. Are you risk averse? Risk aggressive? Do you accept some risk, but have zero tolerance for others?
High level Risk Appetite Statements can then be broken down into specific and measurable Risk Tolerance statements. Risk Tolerance is something that can be measured, tested and adjusted for a certain type of risk.
Phase 5: Reviewing Risk KPIs / Auditing Risk Tolerance
Regularly review actual performance against those Risk Tolerance measures. Document your audit results in policyIQ, remembering to include the data that was tested as attachments to your test results.
Phase 6: Incorporate ERM into the rest of your business
Finally, it is critical that your ERM program doesn’t exist in a silo. Risk management is happening all around your business, and the results are feeding your ERM program. Link those lower level process risks and mitigation procedures to your ERM program, giving full visibility into all levels of risk management.
We are looking forward to working with many of you to implement Enterprise Risk Management into policyIQ! Contact us to schedule a meeting – no cost and no obligation – so that we can discuss the specific aspects of your ERM program that can be improved through technology.
Many organizations have seen a shift in their SOX environment in recent years. SOX has become commoditized and leadership is concerned about buckling down on the level of work and on the cost of SOX. While many companies have reviewed, rationalized and streamlined their controls down to a more manageable level, focusing on testing only the key controls amounting to less than 150 in most cases, we still see that many have not entirely streamlined their management of the full cycle of analysis and documentation. Have you?
- Who performs your Financial Statement Risk Assessment? Where is the documentation of that process and the conclusions regarding significant accounts and relevant assertions kept?
- Have you plainly identified and documented your Financial Statement Risks and are you able to demonstrate which Controls are critical to their mitigation?
- Of course, tests are being performed; but how are you tracking the evidence associated with those tests and does it seem that the process of defining and assigning audits is as efficient as it could be?
- Do you have a historical record of your audit findings, issues and methods of remediation? Can you easily review and determine the most cost-effective approaches to remediation?
- Can you pull up evidence of COSO coverage as simply as you can share your Risk-Control matrix?
- Apart from the staples of SOX documentation, where do you document things such as considerations and assumptions for key decisions, exceptions or overrides?
Probably the most simple question yielding the most telling answer regarding whether your SOX program is as effective and efficient as it can be is this: do you perform and maintain all of this documentation in one system or is it someone’s responsibility to mine information and evidence for each external audit? If each of these processes is happening in different mediums, stored in different repositories and managed with a wide range of workflows and procedures that are in place simply because “it’s always been that way”, then you have a significant opportunity to save time and money while more effectively managing your SOX program and, therefore, improving the bottom line of your company.
Of course, this message is for those organizations that have yet to bring automation and the power of a database to their SOX processes and documentation. Still, this message should not be lost on the many policyIQ clients who already experience how easily the collaboration of work, hand-offs, review and approval can be managed in policyIQ. We work with many companies who still have portions of their SOX cycle in various systems. Aside from the plain-to-see expense of paying for many different systems, there is cost associated with ongoing maintenance, training, and the time required to bring all of the information together and to relate the key components that paint the picture of an effective internal control environment.
Reach out to us and we’ll provide you with a free demonstration and configuration guidance on streamlining the various segments of your SOX program into one efficient and manageable cycle. We can schedule your configuration session within the week and have you up and running in the next 4-6 weeks! Talk to you soon!
Public companies managing their Sarbanes-Oxley compliance program make up the largest section of our policyIQ client base. Over the past few years, we have added a number of new features and pricing options that make it easier than ever to utilize policyIQ for everything from scoping and planning to issue reporting and communications.
If you aren’t utilizing policyIQ from the risk assessment to remediation, contact us today and let us show you how easy (and inexpensive!) it can be to extend your implementation to capture all aspects of the process.
Starting at the top, evaluate your financial statement line items and determine what is in scope for the coming year.
- Calculate a risk score based on predetermined factors
- Quickly move processes and controls in or out of scope based on risk assessments
Control Reviews and Documentation Updates
Documenting your controls is not a one-time task. policyIQ’s electronic forms or the distribution of pages makes it easy for you to distribute control documentation to your control owners, and capture any changes or adjustments.
- Low cost and simple tracking of electronic forms makes it easy to capture updates
- Full audit trail of changes, with user, date and time stamps, and approval workflow allows an organization to distribute the work efficiently and safely
Links to COSO Framework
In 2013, a new COSO Framework was released and compliance with the framework is a key part of SOX compliance.
- Easily import the framework to policyIQ and link controls to COSO Principles
- One-click reporting to prove compliance with the framework, from COSO Principle to audit testing results
Much time can be spent by auditors collecting evidence and reports that are required for their testing. policyIQ can make that process much simpler.
- Low cost and simple tracking of electronic forms to track all requests for audit evidence, with automated follow-up emails for any non-responses
- Audit trails of requests and a central place for all files means fewer lost requests
Create your test plans in policyIQ, link to existing SOX controls, and easily bring testing in or out of scope for the year based on risk assessment results.
- Simple ad-hoc and standard reporting on testing progress and results
- All evidence uploaded into policyIQ and accessible from test pages
- Annual roll forward process that is ready to go within minutes
Issue Tracking and Remediation
In a perfect world, your audit testing reveals a perfectly designed and perfectly operating control environment. But perfection is hard to come by.
- Document any issue and link it to the audit test or control from which it was identified
- Assign remediation plans, utilize policyIQ communication alerts, and take advantage of simple real-time reporting for updated issue status
Audit / Project Time & Expense Tracking
Internal audit teams have limited resources and need to track time and expenses so that they can most effectively use those resources in high risk areas.
- Build audit projects and assign resources
- Allow auditors to enter time and expenses directly from audit test documentation, with simple reporting to track budgeted versus actual hours and costs
302 Certification Processes
While the Sarbanes Oxley Act section 302 only specifies that the CEO and CFO must sign and take responsibility for the control environment, most executives require a sub-certification process to go out to management level employees across the company.
- Create consistent certification forms and distribute to employees at multiple levels
- Automated emails follow up on non-responses, while administrators can quickly report on any exceptions
policyIQ can help you to manage it all in a single place, with audit trails and reporting at every step of the process. If you use policyIQ for your Sarbanes-Oxley compliance program and you aren’t doing all of the above in the tool yet, contact us right away and let us help you to plan for expansion. In many cases, you will be able to expand at no cost – or very low costs.
And if you aren’t using policyIQ at all yet – please reach out today! We would love to help you to better manage your SOX compliance.
Public companies subject to Sarbanes Oxley (SOX) requirements with a calendar year-end are wrapping up their projects to transition to the 2013 COSO Framework. Among the seventeen Principles formalized in the 2013 framework is Principle 8, which states, “The organization considers the potential for fraud in assessing risks to the achievement of objectives.”
Track Fraud Mitigating Controls
One step that many policyIQ clients are taking to demonstrate evidence that they have adequately addressed this principle is to “flag” their controls that are fraud mitigating. If you do not already have one, we recommend adding a field to your Control template in policyIQ to track whether a Control is fraud mitigating. This allows you to easily report on all Controls where the answer is yes and to relate those Controls to Principle 8 (unless you are linking to Points of Focus, in which case you will link each of the Controls to the most appropriate of the four Points of Focus related to Principle 8).
Address Revenue Recognition Fraud
In addition to feeling greater pressure in the last couple of years from the Public Company Accounting Oversight Board (PCAOB) and the Committee of Sponsoring Organizations of the Treadway Commission (COSO), most companies will also be affected by the new Revenue Recognition Standard. The new standard is the result of a joint effort by the Financial Accounting Standards Board (FASB) and the International Accounting Standards Board (IASB) that aims to improve upon and to address inconsistencies between the previously held International Financial Reporting Standards (IFRS) and US Generally Accepted Accounting Principles (GAAP). No doubt, some of the most notorious cases of corporate fraud have been directly related to revenue recognition fraud.
Complying with the new standard is a big undertaking for companies. We have written on our blog about the application of policyIQ to better monitor your contracts and agreements and the work that RGP has done to prepare a deep pool of Revenue Recognition subject matter experts around the country to walk alongside accounting professionals and help them to close gaps in their practices. Here, also, is a link to access the recording of RGP’s recent webcast: The New Revenue Recognition Standard Webcast Series (Part 2): How to Begin Implementing the New Standard.
Formally Assess the Risk of Fraud
Additionally, many companies are finally formalizing their fraud programs by instituting a dedicated Fraud Risk Assessment, documenting mitigating controls, identifying gaps, filling those gaps, and so on. Whether using your methodology and questionnaires or RGP’s, we can help you to manage the process more efficiently in policyIQ.
Using policyIQ, it is simple to capture and deploy your fraud questionnaire(s) to the relevant employees, inventory responses and analyze results. Similar to other compliance work in policyIQ, you can link your capabilities or controls to any Fraud Risks that were identified and use policyIQ reporting to easily highlight any gaps in coverage.
Interested in bringing automation to your program or need a subject matter expert to help you develop your Fraud Prevention Program? Reach out to us and we’ll put you in touch with the right person in your area.
Are you considering going public and beginning to think about all of the steps you should take to prepare? RGP and our GRC tool, policyIQ, can help you to ensure that you have a solid offering and that you are presenting your company in the best possible light.
RGP creates true partnerships with our clients—educating while advising
RGP can help with a range of needs, including shoring up your processes and documentation: helping you to properly document processes and ensuring that necessary policies and procedures are in place. This would, almost certainly, include working with you to build a sound financial reporting foundation and solid internal control environment.
We can support your organization with activities that are specific to preparing for SEC Registration such as performing an accounting review to ensure your company meets all necessary financial requirements, helping with the development of your Prospectus, and the performance of a Legal Review.
If your need is more closely related to people resources, such as the need for an interim CFO or adjustments to your Board of Directors, we can help you to make those selections, as well.
policyIQ: powerful, easy to use and have up and running in no time
RGP’s Governance, Risk and Compliance tool, policyIQ, is easy to configure, implement, roll out and maintain for a range of purposes that serve companies who are seeking a public offering. For more than ten years, policyIQ has served clients for the development and maintenance of their SOX 404 documentation, policies and procedures, and automation of their management certification processes.
Clients also take advantage of policyIQ’s flexibility, security features and accessibility to serve their related needs; including as a data room for their Board of Directors and for the development and review of their Prospectus.
Recently, we have worked with clients to make a fresh start, helping them to automate their Financial Statement Risk Assessment and relating their significant accounts and disclosures to relevant assertions and associated risks, controls and tests. We have also made quick work of capturing the 17 Principles required by the 2013 COSO Framework, the associated 87 Points of Focus and helping clients through their transition process—mapping to relevant controls, identifying gaps, performing rationalization and strengthening documentation and procedures, where necessary.
A different kind of software provider—in the best possible way
While many other products have come and gone, been bought and sold, and experienced lags in support, development and testing that have proven difficult for their users, policyIQ has a very different history. RGP has owned policyIQ and supported policyIQ clients in the marketplace for more than a decade. Our software has undergone 29 major and more than 30 minor releases in that time, with thorough testing carried out prior to each release, without ever charging our clients for the latest enhancements or upgrades. We operate differently than a typical software provider; we work hard to keep our software up to date (offering the latest in technology and services) while keeping the cost very affordable.
Reach out to us with any questions regarding RGP’s Pre-IPO services or software. We have approximately 3,000 professionals in nearly 70 offices around the world—someone near you—ready to help you take the next step!
For those of you looking to use the 2013 COSO Framework as the model for your Internal Control Environment, we want to remind you that you can use policyIQ to make quick work of capturing the COSO Principles and Points of Focus, as well as your Controls, Tests and other related documentation. We have shared some guidance on how existing policyIQ users can easily make adjustments that accommodate the new framework.
Existing policyIQ users, we can help you to get things set up in policyIQ
You don’t even have to create and populate your own spreadsheets to import the framework into policyIQ—we’ve already done the work for you, and will share it with you for FREE!
When we reached out to one of our clients to see if he had any questions about the spreadsheets or import process, he had this to say in his reply: “Once I had your template, it took just about 5 minutes to have policyIQ populated with the principles and points of focus. It was really as simple as you said it would be.”
If you can’t spare any time to import the COSO content, we can do that part for you, too. Contact us to make arrangements.
Not a policyIQ client yet? Your new COSO-ready site can be available within the afternoon!
(Usually. Contractually, we have to say within 48 hours, but a new site is often up and running within the same day!)
For those who are not yet policyIQ users, but are considering the value of a tool now that you have to take on yet another relationship to your Controls, we have the COSO Framework ready to go in new policyIQ sites—you can move right on to the mapping part of your transition project.
Not sure what your plans are for transition to the 2013 COSO Framework?
We also want to remind you of a couple of webinars hosted by policyIQ and RGP that have been well received. Within the following posts, you will find links to the recordings.
We have subject matter experts all across the country (and world) ready to get to work. Reach out to us and we’ll help you to get connected!
If you have not already implemented policyIQ to more efficiently work through your transition to COSO’s 2013 Internal Control – Integrated Framework, we can help you to get started! Companies with a calendar year-end are rushing to map their controls and address gaps with appropriate controls so that they are ready for testing in Q4.
Have policyIQ COSO-Ready in Under an Hour
The adjustments to your policyIQ site and import of the COSO Principles and Points of Focus can all be completed in under an hour and in these four steps:
NOTE: We have pre-populated spreadsheets that we are happy to share with you. Or, if you prefer, our policyIQ Support team can complete the entire COSO setup and import for you. Contact us for more information: Support@policyIQ.com.
Mapping, Analysis, Rationalization and Evidence
Now you are ready to begin the COSO mapping process. You may run a report of your Controls and link each one to the appropriate Principle or Point of Focus. You may already be aware that companies following the COSO Framework must demonstrate that all 17 COSO Principles are “Present” and “Functioning”. The Points of Focus, while not required, are uploaded and included in the mapping process by many companies, as they provide added assurance and justification for your control mapping decisions.
Once all of your Controls (typically Entity Level Controls) are properly mapped, you can use policyIQ’s Detail Link Report to see a view of all Principles, linked Points of Focus and Linked Controls. This report provides an excellent foundation for Gap Analysis and for Control Rationalization. It also can serve as evidence of coverage for your external auditors.
Let us connect you with the experts!
If you find that your team is struggling to find time, resources or the necessary subject matter expertise for your COSO Transition Project, contact us and we’ll align you with a subject matter expert who can help you in the areas where you need it most (from the initial setup, mapping, gap analysis, establishment of new controls—or documentation of controls that have, to this point, been less formal—to control rationalization and testing).
Contact us today—for your free copies of the import spreadsheets, to request the import to be completed by our support team or to learn more about working with one of our subject matter experts!