Efficiency Throughout the SOX Process

In a number of blog posts, we’ve highlighted the ways that policyIQ can be used throughout the entire SOX process – from risk assessments through issue remediation.  This past Thursday, July 28th, we took an hour to walk through the entire process in a CPE webinar to highlight ways to create efficiency at each step.

Did you miss it?

Before we hit the highlights below, we want to point you to the session recording and the slides, both of which are available for download.

The Big Picture

We highlighted a number of big picture advantages of using policyIQ not just for SOX, but for all of your compliance initiatives.  We talked about…

  • Simplicity of rolling out and managing a cloud-based
  • Advantages of being able to assign security and access
  • And the efficiency of a single source of information through the entire compliance and audit environment.

A single source means that when you make a change in one place, that change feeds all of the different perspectives on the data.

Efficiency at Every Step

We also dug into the efficiency that can be gained at every step of the process.  Just some of those ideas are presented below.  We also mentioned additional training available for some steps, and have linked those training sessions.

  1. Risk Assessments
    • Tie risk assessments at the 10K line item level to your risks and controls for ease of scoping.
  2. Control Updates & Review
    • Allow your control owners to make updates directly in policyIQ as things change, or require regular reviews of control documentation.
  3. Walkthroughs & Testing
    • Collaborate early (and often) with external auditors to ensure that your testing is capturing all of the detail expected.
  4. Issue Tracking & Remediation
    • Assign remediation plans to owners and use automated reminders to ensure responses are provided.
  5. Conclusions & Reporting
    • Utilize flexible reporting capabilities to trace issues back to the vulnerable risks and compensating controls to make a final determination about significant deficiencies or material weaknesses.

 

We also included the supporting functions that feed the process.

 

We’re ready to help you build more efficiency into your SOX program.  Contact us today and ask to speak with our client service team to walk you through implementing some new ideas!  Not yet a policyIQ client?  Contact us and ask us for a personalized demonstration!

Save time with Audit Evidence Collection in policyIQ!

For many years, we have been encouraging our clients to utilize policyIQ for all aspects of their compliance programs – from the assessment of risk through the remediation of issues.  However, during a recent conversation with long-time client, Travis Heyer (Director of Internal Audit at Great Lakes Dredge and Dock), we realized that we had not yet clearly illustrated in a live training session how to effectively request and capture audit evidence within policyIQ.

Travis graciously agreed to work with us to create a training session – and brought his colleague, Amit Patel (Senior Auditor) along with him.  On Thursday, March 31, we presented this session to a large number of very active participants.  (You can check out the recording of the session, or download the slides for a quick overview.)

It’s really all about saving time

Automating the requests for audit evidence can allow your internal audit team to…

  • Avoid playing “Match the evidence to the request!”
  • Minimize risk of using an old version of a file
  • Stop wasting time sending annoying follow-ups
  • Secure documentation more effectively

It comes down to a huge time savings, freeing up internal audit resources to do the real, value-add work that your organization needs.

Pages or Forms?

While the training presentation focused on an evidence collection process in policyIQ pages, a similar process can be built within policyIQ forms.

Pages offer the advantage of a two-way link between the Evidence Request and the Test page, so that your internal auditors can simply leave the files attached to the Evidence Request.  Pages also allow more than one individual user to contribute directly to the same Request.  However, utilizing Pages requires that all users who participate in the process of providing evidence are Advanced Users, a more expensive license in policyIQ.

Forms offer their own advantages, allowing for a simple issuing and follow-up process.  However, the link between the Evidence Request form and the Test page is less visible.  Evidence files will need to be downloaded and re-uploaded to the Test page by the auditor.  The significant advantage of the Forms process is that any individual providing evidence needs only to have a Standard User license, a less expensive license that can keep costs low!

Getting started in 5 easy steps

Our training session focused on how to get started in just five easy steps:

  1. Create Evidence Request template
  2. Build list of evidence in Excel
  3. Import evidence request list
  4. Assign requests
  5. Track progress and follow-up

We encourage you to check out the recording or the slides for more details on these steps – and reach out to us to help you to get your bearings and get started!

It’s true! policyIQ is a misfit among typical software providers.

Have you been burned by a software provider?

Sheesh—who hasn’t?!

You worked for months (years for some), listening to promises from several different people who kept handing you off and never addressing your concerns. You found yourself with more time and money invested than you care to admit and you have grown to look at all software providers with skepticism (if not disgust).

Does this sound familiar?

I hear you. Your frustration was echoed by countless people that I spoke with at a national conference in March. Because a number of people felt compelled to share their horror stories about other providers with me, I got comfortable jumping quickly to the things that make us different than the typical software company:

  • RGP is NOT a software company! Integrity is at the core of our firm. We want to create great relationships and serve you so impressively that, when you need a consultant, you already know the quality that you can expect from us.
  • We don’t have a huge policyIQ booth at conferences and our software does not have the huge price-tag required to pay for that presence (policyIQ starts at <$5k/year).
  • We don’t sell multiple modules or products and aim to upsell you. policyIQ really does accommodate multiple business areas and needs in one affordable tool.
  • Our goal is to solve for your information, content, process, and workflow challenges across the Governance, Risk and Compliance (GRC) space, not to land a sale.
  • Your sales person does not make commission or hand you off to an implementation team that’s unaware of promises made during the sales process—we walk alongside you the whole way and help to tailor the implementation to your organization’s needs.
  • Our product does what we tell you it does (and we answer truthfully if you ask us about something we don’t do or plan to develop).
  • We have a support team that truly cares to give you excellent and timely service.

We think of our clients as part of our community with whom we will have a long partnership. We listen to your needs, plans, wishes and heartaches and work continuously to problem solve with you.

We’re proud to be a misfit among typical software providers.

We’re ready to prove it and to earn your trust.

We encourage you to take a peek at this introduction to policyIQ, and then reach out to us!  We’d be glad to schedule a personalized tour of policyIQ. Also, we invite you to kick the tires! Sign up for a 30-day trial, completely risk-free.

We look forward to working with you!

Enterprise Risk Management: Technology, Expertise and Tactical Support with RGP

If you haven’t explored how you can use policyIQ to implement or enhance your Enterprise Risk Management (ERM) program, we need to talk!  policyIQ’s Governance, Risk and Compliance (GRC) platform provides the flexible infrastructure that you need to…

  • conduct risk surveys and assessments,
  • document your risk tolerance and metrics,
  • capture activities that take advantage of risk opportunities or that mitigate excessive risk, or
  • take action on organizational issues.

RGP’s Enterprise Risk Management Expertise!

RGP’s GRC practice works with companies around the world to implement ERM programs.  In some cases, this starts with a complete cultural survey to better understand the real appetite (or perception of appetite) for risk across the organization.  RGP recently presented a webinar, “Enterprise Risk Management: Are you optimizing your ERM program?”  The webinar drew hundreds of attendees from companies around the world, anxious to learn how they could improve their ERM program and confidently answer that question with a solid “YES!”

Alongside GRC Practice Leader Les Sussman, risk management expert and Washington DC office Managing Director, Eric Gerner, provided an overview of a successful, efficient and sustainable ERM process – as well as practical keys to ERM success.

View the recording of that webinar at any time – or share with your colleagues.

Sustainable ERM Process

In that webinar, Mr. Sussman and Mr. Gerner walk through a six-phase ERM cycle that provides a sustainable framework in which a company can identify, prioritize, implement and monitor ERM activities.

Enterprise Risk Management Sustainable Process

We have integrated the use of policyIQ into these six phases, ensuring that ERM practices are efficient every step of the way!

Are you working on Enterprise Risk Management initiatives?  Contact us and let’s talk about how RGP and policyIQ can help you to be more efficient, provide visibility into enterprise risk and risk appetite throughout the company, and create an on-going, sustainable ERM process.

policyIQ a big hit at the GAM Conference!

As the IIA has been known to do, their General Audit Management (GAM) Conference was packed with many high caliber speakers again this year! Presenters provided a wide array of insights falling within five tracks:

  • Talent & Resource Strategies
  • Regulatory & Compliance Issues
  • Risk Management
  • Innovation & Technology
  • Stakeholder Relationships & Expectations

Click here to check out the 2015 GAM Twitter highlights!

This year’s conference drew a record crowd and it seemed that the number of visitors to the RGP booth reflected that—we kept very busy talking about the things that differentiate us from other firms, such as

  • 3,000+ professionals in 70+ wholly owned offices (not affiliates) worldwide
  • Consultants have 10-20 years’ experience
  • 87 of the Fortune 100 served
  • 100% retention of top 50 clients
  • Served more than half the Fortune 1000

We had more inquiries about policyIQ this year than at any previous conference. This was in keeping with a theme at the conference regarding leveraging technology to help audit to be more effective and more efficient. Our GAM audience seemed pleasantly surprised and asked the most follow-up questions when they realized that policyIQ can serve several Governance, Risk and Compliance needs within one tool—we do not require, cajole or have to finagle unsuspecting clients into purchasing additional tools or modules to meet their needs. Unlike other audit and GRC tool providers, we are focused on solving their problems and helping them to be more efficient—not on trying to milk them for multiple software applications and upgrades!

Other policyIQ qualities that caught the attention of GAM attendees:

  • policyIQ is significantly less expensive than other tools
  • Implementation takes 4-6 weeks (not months or years)
  • Expert configuration support is included
  • Our team is known for “Excellent” service and support

There are some things that you DON’T get with policyIQ that stunned some technology shoppers, too:

  • No extra modules to buy
  • No up-front license fee
  • No upgrade fees
  • No hardware to purchase
  • No IT resources required

This summed up my experience at GAM this year:

If I didn’t have an opportunity to address your questions at GAM and/or you’d like to talk more about how you can employ policyIQ to make your team more efficient, reach out to us at Support@policyIQ.com or 866-753-1231. We’ll have you up and running within the next quarter!

Maybe “policyIQ” should be called “grcIQ” or “auditIQ”!

I’ve told the story a few (hundred) times…the development of policyIQ started nearly 15 years ago with its roots in “Effective Policy Management”. It then grew with intention into the Risk, Compliance and Testing arenas—with the signing of the Sarbanes-Oxley (SOX) Act—only to be discovered as the easiest to access and use tool on the market and, therefore, wildly exploited for innumerable uses.

Outside of the SOX and Audit world, the tool that was “in the cloud” before “cloud” was a technical term, began to gain popularity for administration of Account Reconciliations and Contracts and was used for the automation of a wide range of processes, such as Capital Appropriations Project Review and Environmental Health and Safety documentation and certifications.

A few years ago, amidst the noise of demand pulling us in many different directions, the policyIQ team made a commitment to focus the development of our product squarely on serving Governance, Risk and Compliance needs. While it was already possible to track the results of risk assessments (the assessment performed outside of policyIQ at that time), associated risks, controls, tests, deficiencies, remediations, policies, and any number of other types of pages in policyIQ with our easy to customize templates, we knew that there was a gap we needed to fill to make policyIQ more accessible, user friendly and refined for our compliance and audit clients. We set our sights on the seventh generation of policyIQ and, since spring of 2013, moved forward with four GRC-focused releases, plus version 7.4 which is now in testing.

GRC Focus

Check out some of the related benefits for the compliance and audit communities!

Prior to version 7

Leading up to the development and release of policyIQ’s seventh major installment, our product and account managers met with many of our clients in exploratory interviews learning what they thought was missing or could be greatly improved in our product. We learned quite a lot about the “real world” practices of our users and considered ways that we could better represent their processes in a streamlined fashion in policyIQ. Prior to the introduction of GRC-related features, we set out to help companies better prepare Page Templates and the Folder structure to capture Audit Projects/Programs and the resulting Audit Test pages. While there are many “right” ways to organize, assign, review and finalize testing work, we helped many companies to better configure policyIQ to support their desired process.

Features Already Released to the policyIQ Community

In the last year and a half, policyIQ has added some features to close the gap between the more generic policyIQ “content management” community and GRC community. Now policyIQ users can…

  •  Access policyIQ from any major browser
  •  Automate their Risk Assessments by taking advantage of Calculated Fields
  •  Better handle workpapers and evidence with the improved file upload features
  •  Streamline and track multiple auditors’ and reviewers’ contributions using these features:
    • Track Changes to identify the contributor and their adjustments with a date and time stamp
    • “Approvers Can Edit” content without having to be added as Page Administrators and then carrying out multiple Check-In, Check-Out steps.  Much more streamlined!
    • Comments – this functionality used in policyIQ Forms has been added to Pages.  We also plan to further integrate comments into the page body in a future release.

Coming Soon

We are very excited about a number of developments in the next release of policyIQ—version 7.4. This release is so significant that we have wondered if it should be called version 8! Look at what’s coming soon!

  • Work offline – The ability to work offline and to otherwise simplify the addition of content to policyIQ will be possible with an enhancement to our Import utility that supports the updating of policyIQ pages (not just the addition of content, but the ability to change content using imports).
  • More easily review and monitor status – Version 7.4 includes the ability to run your policyIQ Reports on a schedule and then to email the results to you and any number of others.
  • More simply review Testing-related workpapers with several new reporting filters and display options, including the ability to list Page Attachments and Links in report results.
  • Support Time and Expense Tracking – You heard that right…we are introducing an entirely new set of features dedicated to supporting companies with tracking estimated and actual time and expenses by audit project, test or task. It is possible to summarize and total the estimates and actuals, to relate them to specific Tests and to focus on T&E related to a specific auditor. This is just the beginning—we expect to continue to refine and enhance this functionality in policyIQ to help users in our audit community to work more effectively and efficiently!

And more on the horizon

We continue to seek feedback from our compliance and audit communities and have marked more than a dozen related features as high priorities for our development team to get started on. Many of our higher priced competitors have a bad habit of overpromising and underdelivering. Members of the policyIQ community know that we work hard to have the opposite reputation–letting users know exactly when their suggested features are in development, considered a priority, and even when a request might be identified as out of scope. We are sincerely grateful for our partnership with our user community! So, while I can’t make any promises, I am also hopeful that we might be able to sneak a couple more “high priorities” into version 7.4 that I have spoken with clients about in recent weeks. We’ll keep you posted!

Thank you!

Thank you for your ongoing partnership to make policyIQ your GRC tool of choice. We couldn’t do it without you and look forward to hearing from you soon with more feedback and feature requests. And maybe with suggestions for a more appropriate product name!

Participate now in the 2013 GRC Solution Strategy Survey!

If anyone follows our blog, you know that we frequently reference research and blog posts by Michael Rasmussen at GRC 20/20.  Mr. Rasmussen has been in the GRC “biz” for almost 20 years – in fact, defining the Governance, Risk and Compliance model and market while an analyst with Forrester.

GRC 20/20 announced their 2013 Solution Strategy Survey – and we would invite all of our clients in the areas of compliance to take part.

Launch the survey here.

Let your voice be heard about the current state and the future of GRC Strategy and Technology.  The survey aims to discover how organizations use GRC technology to meet their needs – or how they plan to use GRC technology in the future.

We also really like that in lieu of a chance to win prizes, every completed survey equals a $20 donation to one of five charitable organizations.  Let your voice be heard – and give back at the same time!

Auditors, can management relate to your reports?

Norman Marks either struck a chord or struck a nerve, depending on your perspective in reading his recent post recommending that auditors speak in the language of the business. While it might seem elementary or fundamental to some auditors that all reports will undoubtedly include what some refer to as the 4Cs—Condition, Criteria, Cause, and Consequence—others acknowledge that not all reports are easily understood by management.

Do the findings in your reports speak to management’s objectives in a way that helps them to effectively manage and respond to your findings?

Check out Marks’ post, “Audit reports should be written in the language of the business”, and weigh in on the discussion.

New Iranian Business Disclosures – Are you impacted?

In August of last year, the United States Congress passed H.R. 1905: Iran Threat Reduction and Syria Human Rights Act of 2012.  The stated purpose of the bill is…

To strengthen Iran sanctions laws for the purpose of compelling Iran to abandon its pursuit of nuclear weapons and other threatening activities, and for other purposes. (Full text of bill available here.)

One specific area of note for US businesses is section 219, which requires disclosures to the SEC related to “sanctionable activities”.  Sanctionable activities are those in violation of the Iran Sanctions Act of 1996, the Comprehensive Iran Sanctions, Accountability and Divestment Act of 2010, several Executive Orders, and the Code of Federal Regulations.  The language of the bill requires disclosures if those activities occurred within the corporation or within any affiliate of the corporation.

Take a Closer Look and Reinforce Your Policies

The new disclosure requirements – in effect for all SEC reporting due after February 6, 2013 – are prompting companies to take a closer look at the activities of their affiliates – and many may choose to reinforce their internal policies on Iranian business activities as well as to require attestations or disclosures from their affiliates.

As with all new regulations, your legal and compliance teams should review and determine your obligations, including which organizations you would define as “affiliates” under section 219.  With that guidance in mind, consider taking the following steps:

  • Formalize and document internal policies based on your legal requirements under these regulations
  • Communicate your policies or position to affiliate organizations
  • Require attestations (or disclosures) from affiliate organizations via electronic forms

Need a place to manage those policies, attestations or disclosures?  Contact us.