Regulatory environments are constantly changing, influenced by economic, political and environmental factors beyond your company’s control. It might seem like a daily battle to deal with the push and pull of complying with changing regulations. So how do you stay focused, prepared and sane in the world of regulatory compliance?
One critical step is to ensure that you have well-documented, well-communicated and well-understood corporate policies.
Policies provide the foundation, governing the way in which your employees will work and how they will meet new regulatory requirements. When the foundation is strong, with clear policies that are followed and enforced consistently, additional external expectations and requirements are much easier to incorporate.
Here are just a few best practices to consider:
- Ensure that policies are written clearly. Avoid company jargon or acronyms that may be unclear to new employees or external regulators.
- Make policies easily accessible to all employees. If you are already using policyIQ, ensure that a policyIQ link is posted or communicated regularly.
- Clarify whether any exceptions might be approved to the policy, and communicate the process for approval for exceptions. If it is not clear, employees may be more likely to decide it will be easier to ask for forgiveness than permission.
- Document how policy violations will be addressed or how policies will be enforced.
- Revisit, review and revise policies regularly. Do not allow policies to become outdated or appear to be outdated. Even if no changes are made, regularly note that content has been reviewed, so that employees
- Map policies to your regulatory requirements or other compliance programs. As regulations change, you can more easily identify any changes that must be made in your policies to address those changes.
What other best practices would you highlight for a clear corporate policy platform? Add yours in the comments and share ideas! Learn more about how to utilize policyIQ’s various read-only options by checking out a recent blog post by policyIQ Product Manager, Travis Whalen.
In a number of blog posts, we’ve highlighted the ways that policyIQ can be used throughout the entire SOX process – from risk assessments through issue remediation. This past Thursday, July 28th, we took an hour to walk through the entire process in a CPE webinar to highlight ways to create efficiency at each step.
Did you miss it?
Before we hit the highlights below, we want to point you to the session recording and the slides, both of which are available for download.
The Big Picture
We highlighted a number of big picture advantages of using policyIQ not just for SOX, but for all of your compliance initiatives. We talked about…
- Simplicity of rolling out and managing a cloud-based
- Advantages of being able to assign security and access
- And the efficiency of a single source of information through the entire compliance and audit environment.
A single source means that when you make a change in one place, that change feeds all of the different perspectives on the data.
Efficiency at Every Step
We also dug into the efficiency that can be gained at every step of the process. Just some of those ideas are presented below. We also mentioned additional training available for some steps, and have linked those training sessions.
- Risk Assessments
  - Tie risk assessments at the 10K line item level to your risks and controls for ease of scoping.
- Control Updates & Review
  - Allow your control owners to make updates directly in policyIQ as things change, or require regular reviews of control documentation.
- Walkthroughs & Testing
  - Collaborate early (and often) with external auditors to ensure that your testing is capturing all of the detail expected.
- Issue Tracking & Remediation
  - Assign remediation plans to owners and use automated reminders to ensure responses are provided.
- Conclusions & Reporting
  - Utilize flexible reporting capabilities to trace issues back to the vulnerable risks and compensating controls to make a final determination about significant deficiencies or material weaknesses.
We also included the supporting functions that feed the process.
- Map to COSO 2013
  - Link Entity Level Controls to COSO Principles
- Evidence Collection
  - Assign evidence requests, utilize automated reminders, and track receipt of documentation
- Time & Expense Tracking
  - Report on budgeted versus actual hours and cost, and use the data for next year’s planning
- SOX 302 (Sub)Certification
  - Assign role-specific questionnaires, utilize automated reminders, and report on exceptions
We’re ready to help you build more efficiency into your SOX program. Contact us today and ask to speak with our client service team to walk you through implementing some new ideas! Not yet a policyIQ client? Contact us and ask us for a personalized demonstration!
Go to our website, www.policyIQ.com, to learn more, download datasheets, request a trial, demo, or to buy policyIQ! You may also reach out to us directly at 1.866.753.1231 or info@policyIQ.com.
For many years, we have been encouraging our clients to utilize policyIQ for all aspects of their compliance programs – from the assessment of risk through the remediation of issues. However, during a recent conversation with long-time client, Travis Heyer (Director of Internal Audit at Great Lakes Dredge and Dock), we realized that we had not yet clearly illustrated in a live training session how to effectively request and capture audit evidence within policyIQ.
Travis graciously agreed to work with us to create a training session – and brought his colleague, Amit Patel (Senior Auditor) along with him. On Thursday, March 31, we presented this session to a large number of very active participants. (You can check out the recording of the session, or download the slides for a quick overview.)
It’s really all about saving time
Automating the requests for audit evidence can allow your internal audit team to…
- Avoid playing “Match the evidence to the request!”
- Minimize risk of using an old version of a file
- Stop wasting time sending annoying follow-ups
- Secure documentation more effectively
It comes down to a huge time savings, freeing up internal audit resources to do the real, value-add work that your organization needs.
Pages or Forms?
While the training presentation focused on an evidence collection process in policyIQ pages, a similar process can be built within policyIQ forms.
Pages offer the advantage of a two-way link between the Evidence Request and the Test page, so that your internal auditors can simply leave the files attached to the Evidence Request. Pages also allow more than one individual user to contribute directly to the same Request. However, utilizing Pages requires that all users who participate in the process of providing evidence are Advanced Users, a more expensive license in policyIQ.
Forms offer their own advantages, allowing for a simple issuing and follow-up process. However, the link between the Evidence Request form and the Test page is less visible. Evidence files will need to be downloaded and re-uploaded to the Test page by the auditor. The significant advantage of the Forms process is that any individual providing evidence needs only to have a Standard User license, a less expensive license that can keep costs low!
Getting started in 5 easy steps
Our training session focused on how to get started in just five easy steps:
- Create Evidence Request template
- Build list of evidence in Excel
- Import evidence request list
- Assign requests
- Track progress and follow-up
We encourage you to check out the recording or the slides for more details on these steps – and reach out to us to help you to get your bearings and get started!
Have you been burned by a software provider?
You worked for months (years for some), listening to promises from several different people who kept handing you off and never addressing your concerns. You found yourself with more time and money invested than you care to admit and you have grown to look at all software providers with skepticism (if not disgust).
Does this sound familiar?
I hear you. Your frustration was echoed by countless people that I spoke with at a national conference in March. Because a number of people felt compelled to share their horror stories about other providers with me, I got comfortable jumping quickly to the things that make us different than the typical software company:
- RGP is NOT a software company! Integrity is at the core of our firm. We want to create great relationships and serve you so impressively that, when you need a consultant, you already know the quality that you can expect from us.
- We don’t have a huge policyIQ booth at conferences and our software does not have the huge price-tag required to pay for that presence (policyIQ starts at <$5k/year).
- We don’t sell multiple modules or products and aim to upsell you. policyIQ really does accommodate multiple business areas and needs in one affordable tool.
- Our goal is to solve for your information, content, process, and workflow challenges across the Governance, Risk and Compliance (GRC) space, not to land a sale.
- Your sales person does not make commission or hand you off to an implementation team that’s unaware of promises made during the sales process—we walk alongside you the whole way and help to tailor the implementation to your organization’s needs.
- Our product does what we tell you it does (and we answer truthfully if you ask us about something we don’t do or plan to develop).
- We have a support team that truly cares to give you excellent and timely service.
We think of our clients as part of our community with whom we will have a long partnership. We listen to your needs, plans, wishes and heartaches and work continuously to problem solve with you.
We’re proud to be a misfit among typical software providers.
We encourage you to take a peek at this introduction to policyIQ, and then reach out to us! We’d be glad to schedule a personalized tour of policyIQ. Also, we invite you to kick the tires! Sign up for a 30-day trial, completely risk-free.
We look forward to working with you!
If you haven’t explored how you can use policyIQ to implement or enhance your Enterprise Risk Management (ERM) program, we need to talk! policyIQ’s Governance, Risk and Compliance (GRC) platform provides the flexible infrastructure that you need to…
- conduct risk surveys and assessments,
- document your risk tolerance and metrics,
- capture activities that take advantage of risk opportunities or that mitigate excessive risk, or
- take action on organizational issues.
RGP’s Enterprise Risk Management Expertise!
RGP’s GRC practice works with companies around the world to implement ERM programs. In some cases, this starts with a complete cultural survey to better understand the real appetite (or perception of appetite) for risk across the organization. RGP recently presented a webinar, “Enterprise Risk Management: Are you optimizing your ERM program?” The webinar drew hundreds of attendees from companies around the world, anxious to learn how they could improve their ERM program and confidently answer that question with a solid “YES!”
Alongside GRC Practice Leader Les Sussman, risk management expert and Washington DC office Managing Director, Eric Gerner, provided an overview of a successful, efficient and sustainable ERM process – as well as practical keys to ERM success.
Sustainable ERM Process
In that webinar, Mr. Sussman and Mr. Gerner walk through a six-phase ERM cycle that provides a sustainable framework in which a company can identify, prioritize, implement and monitor ERM activities.
We have integrated the use of policyIQ into these six phases, ensuring that ERM practices are efficient every step of the way!
Are you working on Enterprise Risk Management initiatives? Contact us and let’s talk about how RGP and policyIQ can help you to be more efficient, provide visibility into enterprise risk and risk appetite throughout the company, and create an on-going, sustainable ERM process.
As the IIA has been known to do, their General Audit Management (GAM) Conference was packed with many high caliber speakers again this year! Presenters provided a wide array of insights falling within five tracks:
- Talent & Resource Strategies
- Regulatory & Compliance Issues
- Risk Management
- Innovation & Technology
- Stakeholder Relationships & Expectations
This year’s conference drew a record crowd and it seemed that the number of visitors to the RGP booth reflected that—we kept very busy talking about the things that differentiate us from other firms, such as
- 3,000+ professionals in 70+ wholly owned offices (not affiliates) worldwide
- Consultants have 10-20 years’ experience
- 87 of the Fortune 100 served
- 100% retention of top 50 clients
- Served more than half the Fortune 1000
We had more inquiries about policyIQ this year than at any previous conference. This was in keeping with a theme at the conference regarding leveraging technology to help audit to be more effective and more efficient. Our GAM audience seemed pleasantly surprised and asked the most follow-up questions when they realized that policyIQ can serve several Governance, Risk and Compliance needs within one tool—we do not require, cajole or have to finagle unsuspecting clients into purchasing additional tools or modules to meet their needs. Unlike other audit and GRC tool providers, we are focused on solving their problems and helping them to be more efficient—not on trying to milk them for multiple software applications and upgrades!
- policyIQ is significantly less expensive than other tools
- Implementation takes 4-6 weeks (not months or years)
- Expert configuration support is included
- Our team is known for “Excellent” service and support
There are some things that you DON’T get with policyIQ that stunned some technology shoppers, too:
- No extra modules to buy
- No up-front license fee
- No upgrade fees
- No hardware to purchase
- No IT resources required
This summed up my experience at GAM this year:
If I didn’t have an opportunity to address your questions at GAM and/or you’d like to talk more about how you can employ policyIQ to make your team more efficient, reach out to us at Support@policyIQ.com or 866-753-1231. We’ll have you up and running within the next quarter!