Fierce Competitors are Built on Strong Core Processes

If your goal is to be a fierce competitor and to protect and defend your organization against the never-ending barrage of risks and change, a great place to start is by strengthening your core processes.

Policy management is the backbone of successful and sustainable organizations.

What do you think of when you think of policies? Does your Human Resources department manage a set of company policies that you have to attest to annually? Maybe you recognize the fact that your organization has a password policy and a policy regarding the use of social media on company equipment and company time.

In our recent webinar with guest presenter Michael Rasmussen, we heard a whole host of examples and reasons why organizations should be concerned with policies. If, up until now, you have not been particularly concerned about the value of your organization’s policies, you might want to lean in and peruse these notes from the Blueprint for Effective Policy Development and Management session:

Raise your hand if you are aware of where to find your organization’s index of official policies representing all areas of your business. Mr. Rasmussen asked a similar question of his audience at a recent conference and just 2% of attendees acknowledged awareness of an index maintained at the enterprise level of the organization’s policies.

Only a very small number of organizations see policies as the critical documents that they are. Mr. Rasmussen noted that policies are often not given proper attention and are strewn about in various systems, websites, shared drives and so on. Employees don’t know where to go to find documents or whether the document they found holds the latest version of the policy. In our session, Rasmussen emphasized why employees and leaders should value policies and highlighted some examples of how policies are at the core of every organization’s critical work:

  • Policies are GOVERNANCE documents.
    • Policies are critical documents.
    • They help to set boundaries to reliably achieve objectives
    • Policies ensure consistent business behavior and transactions.
  • Policies are RISK documents.
    • The existence of each policy was preceded by the identification of a risk!
    • Still, many business leaders do not think of risks when they think of policies and many do not tie organization policies to risks.
    • Policies help to identify risks and control risks within certain boundaries.
  • Policies are COMPLIANCE documents.
    • Policies help us to act with integrity as it relates to
      • Regulatory requirements
      • Contract obligations
      • Code of conduct
      • Values and Ethics
      • Corporate social responsibility
      • And so much more

Policies are at the core of all Governance, Risk, and Compliance work.
If the advantages of effective policy development and management are not compelling enough to motivate your leaders to establish policies throughout the organization, this regulatory environment might force the issue. An evidence trail is critical in today’s regulatory environment. Policy management requires a complete system of record and an audit trail.

policyIQ provides company and division leaders with a highly adaptable technology for managing the full range of policy, compliance, and audit needs in one cost-effective platform scalable from specific regulatory environments and department functions to division business units and at the enterprise level. Maintaining a clear and defensible audit trail is paramount to the service and benefit provided by our GRC technology.

In part I of the policy management educational series hosted by RGP’s policyIQ team, Michael Rasmussen highlighted the considerations that are critical for development of a policy management strategy, the roles that contribute to policy management, and he drilled deep into the effective policy management lifecycle.

In part II, Michael will concentrate on the second half of the effective policy management lifecycle. The attendees of our first session gave rave reviews of the presentation. Be sure to register for Part II: Engage the Front Lines Through Effective Policy Communication.

We also encourage you to peruse upcoming events hosted by the policyIQ team. This audience, in particular, might be interested in our Introduction to policyIQ session that is delivered quarterly and demonstrates how organizations leverage policyIQ to establish consistent documentation templates, prescribe workflow and approval processes, communicate and distribute policies, monitor and enforce compliance with policies, and to establish a maintenance process for your critical documentation.

Click here to register for the sessions that interest you and we invite you to reach out to us (information@policyIQ.com or 866.753.1231) with questions about effective policy management, policyIQ (our governance, risk, and compliance technology), or if you could use the support and expertise of a RGP professional to help get your program off the ground.

We look forward to seeing you in future sessions!

Which part of your SOX program do you want to improve this year? This list of resources will help.

Soup to nuts—or Risk Assessment to Review of Evidence, we are ready to help you make your 2016 Sarbanes Oxley compliance work more efficient than ever! You will notice that we have another post this month that talks about rolling forward last year’s SOX work to create the baseline for your 2016 work. Some of you might not want to repeat last year’s work. Maybe you didn’t use policyIQ last year or you’d like to make improvements on what was done in previous years and take advantage of all that policyIQ has to offer. We have some tips and tools to help you:

chart1

  • Risk Assessment – We previously shared a sample template with you that you might want to implement for 2016. If you already have your Financial Statement Risk Assessment complete, we can help you with your plan to import and tie the results of that assessment to relevant assertions and controls. Capturing the full cycle in one place will not only help your organization to be much more efficient, it will also save time and money when your external auditors are looking to connect.
  • PCAOB’s Auditing Standard No. 5 – Are you looking to make improvements to your process and work more efficiently this year? Check out this visual summary or watch the full recording of the webinar that walks through the application of AS5.
  • chart2Link related compliance elements and utilize various reports to monitor progress, analyze performance, and stay on top of your program. We have lots of ideas about SOX reporting. Check out you online Help manual and this post for some ideas.
  • Automate supporting processes – are you still using Word, Excel, and email to manage your 302 Certifications, Control Self Assessments and Narrative Reviews? One of the most frustrating parts of this work is having to inventory the responses and pester people to get their work done. You can literally perform the setup of these tasks one time and then consider it complete forever after using policyIQ’s Forms functionality to automate the inventory and reminders.
  • consultantsGrant External Auditors access to only that content which you want them to see! Have you done this yet? I recall being scolded by a client who told me that we don’t brag about this benefit enough. He felt that he could have saved a significant amount of time and money over the years and wished he had granted their external auditors access much sooner. It’s really easy to bring them into the fold and show them only what you want them to be able to review. Here’s how.
  • Evidence gathering – If you find that a lot of time is spent by auditors, managers—everyone—rounding up information, perhaps it is time to commit to one main holding place for your evidence. You can even use policyIQ to help automate and monitor the collection of evidence. We have some posts discussing what has been done in the past and we’ll be taking a fresh look at options surrounding the Evidence Collection effort in an upcoming training session—please join us!

E012649We hope that this list of resources is helpful to you or at least has you thinking about things that you’d like to manage more efficiently. We often work with people who feel like they just don’t have time to figure out how to save time! We get it. That’s what we’re here for! If you don’t have time to read posts and play around in policyIQ, but want to realize the benefits sooner than later, reach out to us and we’ll walk you through some simple adjustments that you can make to gain relief and command over your information right away!

Stop Costly Mining of Information for Each Audit

Many organizations have seen a shift in their SOX environment in recent years. SOX has become commoditized and leadership is concerned about buckling down on the level of work and on the cost of SOX. While many companies have reviewed, rationalized and streamlined their controls down to a more manageable level, focusing on testing only the key controls amounting to less than 150 in most cases, we still see that many have not entirely streamlined their management of the full cycle of analysis and documentation. Have you?

  • FinancialStatementsWho performs your Financial Statement Risk Assessment? Where is the documentation of that process and the conclusions regarding significant accounts and relevant assertions kept?
  • Have you plainly identified and documented your Financial Statement Risks and are you able to demonstrate which Controls are critical to their mitigation?
  • Of course, tests are being performed; but how are you tracking the evidence associated with those tests and does it seem that the process of defining and assigning audits is as efficient as it could be?
  • Do you have historical record of your audit findings, issues and methods of remediation? Can you easily review and determine the most cost effective approaches to remediation?
  • Can you pull up evidence of COSO coverage as simply as you can share your Risk-Control matrix?
  • Apart from the staples of SOX documentation, where do you document things such as considerations and assumptions for key decisions, exceptions or overrides?

Probably the most simple question yielding the most telling answer regarding whether your SOX program is as effective and efficient as it can be is this: do you perform and maintain all of this documentation in one system or is it someone’s responsibility to mine information and evidence for each external audit? piggybankIf each of these processes is happening in different mediums, stored in different repositories and managed with a wide range of workflows and procedures that are in place simply because “it’s always been that way”, then you have a significant opportunity to save time and money while more effectively managing your SOX program and, therefore, improving the bottom line of your company.

Of course, this message is for those organizations that have yet to bring automation and the power of a database to their SOX processes and documentation. Still, this message should not be lost on the many policyIQ clients who already experience how easily the collaboration of work, hand-offs, review and approval can be managed in policyIQ. We work with many companies who still have portions of their SOX cycle in various systems. Aside from the plain-to-see expense of paying for many different systems, there is cost associated with ongoing maintenance, training, and the time required to bring all of the information together and to relate the key components that paint the picture of an effective internal control environment.

Reach out to us and we’ll provide you with a free demonstration and configuration guidance on streamlining the various segments of your SOX program into one efficient and manageable cycle. We can schedule your configuration session within the week and have you up and running in the next 4-6 weeks! Talk to you soon!

Let us help you implement the COSO 2013 structure in policyIQ in under an hour!

If you have not already implemented policyIQ to more efficiently work through your transition to COSO’s 2013 Internal Control – Integrated Framework, we can help you to get started!  Companies with a calendar year-end are rushing to map their controls and address gaps with appropriate controls so that they are ready for testing in Q4.

Have policyIQ COSO-Ready in Under an Hour

The adjustments to your policyIQ site and import of the COSO Principles and Points of Focus can all be completed in under an hour and in these four steps:

4 Steps to policyIQ COSO Readiness_blog
NOTE: We have pre-populated spreadsheets that we are happy to share with you. Or, if you prefer, our policyIQ Support team can complete the entire COSO setup and import for you. Contact us for more information: Support@policyIQ.com.

Mapping, Analysis, Rationalization and Evidence

Now you are ready to begin the COSO mapping process. You may run a report of your Controls and link each one to the appropriate Principle or Point of Focus. You may already be aware that companies following the COSO Framework must demonstrate that all 17 COSO Principles are “Present” and “Functioning”. The Points of Focus, while not required, are uploaded and included in the mapping process by many companies, as they provide added assurance and justification for your control mapping decisions.

Once all of your Controls (typically Entity Level Controls) are properly mapped, you can use policyIQ’s Detail Link Report to see a view of all Principles, linked Points of Focus and Linked Controls. This report provides an excellent foundation for Gap Analysis and for Control Rationalization. It also can serve as evidence of coverage for your external auditors.

Let us connect you with the experts!

If you find that your team is struggling to find time, resources or the necessary subject matter expertise for your COSO Transition Project, contact us and we’ll align you with a subject matter expert who can help you in the areas where you need it most (from the initial setup, mapping, gap analysis, establishment of new controls—or documentation of controls that have, to this point, been less formal—to control rationalization and testing).

Contact us today—for your free copies of the import spreadsheets, to request the import to be completed by our support team or to learn more about working with one of our subject matter experts!

 

Addressing COSO Principle #8: Assess Fraud Risk

P8_Call_to_actionRisk and Compliance professionals generally agree that the updated 2013 COSO Internal Control – Integrated Framework is not, in essence, different from the 1992 version. And by now, we recognize that the most notable change requiring action is the formalization of COSO’s 17 Principles that were introduced by language embedded in the earlier version. Public companies subject to Sarbanes Oxley (SOX) requirements that utilize the COSO framework and have a calendar year-end will need to demonstrate that all 17 COSO Principles are “present and functioning” by the end of 2014. COSO_Principles At the conclusion of the mapping process, what many of our clients are finding is that they do already have the necessary controls in place. We are helping some clients to also identify where they have more than adequate controls and can use this thorough review as an opportunity to rationalize and reduce the number of controls that they are testing—and, in turn, reduce costs! And, in some cases, companies recognize that the practices are in place, but the controls may not be formally documented and tested. One of the Principles that is garnering a lot of attention is Principle #8: Principle8If you haven’t before, this will likely be the year that you perform a formal Fraud Risk Assessment. You may need to reinforce documentation around your related Entity Level Controls and will want to ensure that those include measurable indicators of appropriate “Tone at the Top”. If you are not sure that you have the appropriate competencies or subject matter experts on your team, we can help to lead or supplement your assessment and documentation of your related controls. Reach out to us if you’d like more information. Additionally, most companies required to comply with SOX likely already have a fraud hotline in place. Did you know that policyIQ also includes an electronic “WhistleBlower” module that is accessible to all company employees for anonymous submission of suspected financial reporting issues (or other issues, if you choose to rebrand the feature)? The WhistleBlower module is already available in all policyIQ sites and can be enabled at any time at no additional charge. Each case is assigned a 16 character code that is revealed only to the submitter of a case so that he or she may periodically review the progress of any associated investigation and even correspond anonymously with an investigator. This feature provides whistle blowers with greater assurance that their voice or accent will not give away their identity if they wish to remain anonymous. WhistleBlower It is very simple to use policyIQ to demonstrate the presence of preventive and detective fraud mitigating controls. Simply run a report of your Controls and include those two variables as columns in your display. If you haven’t already setup your policyIQ site to capture these items, here are the steps that we recommend:

  1. Add a field to your policyIQ Control Page Template to track whether a Control is fraud mitigating.
  2. Add a field to your policyIQ Control Page Template to track whether a Control is Preventive or Detective (most policyIQ clients already include this).
  3. Review your controls and update the pages to reflect whether they are fraud mitigating and whether they are preventive or detective (note that you can use the Edit Fields option from the Table Toolbar to make bulk changes and save time).
  4. Use a policyIQ Page Detail or Page Detail Link Report to list your Fraud Mitigating Controls and whether they are EvidenceforP8Preventive or Detective
    1. Use the report results to perform your gap analysis
    2. Use the report results as evidence of your compliance or coverage of COSO’s Principle #8!

If you’d like some support from a subject matter expert, have questions about the mapping process, or would like help with properly setting up policyIQ to support your transition to the 2013 COSO Framework, contact us and we’ll put you in touch with the appropriate resource in your area.