Regulatory environments are constantly changing, influenced by economic, political and environmental factors beyond your company’s control. It might seem like a daily battle to deal with the push and pull of complying with changing regulations. So how do you stay focused, prepared and sane in the world of regulatory compliance?
One critical step is to ensure that you have well documented, well communicated and well understood corporate policies.
Policies provide the foundation, governing the way in which your employees will work and how they will meet new regulatory requirements. When the foundation is strong, with clear policies that are followed and enforced consistently, additional external expectations and requirements are much easier to incorporate.
Here are just a few best practices to consider:
- Ensure that policies are written clearly. Avoid company jargon or acronyms that may be unclear to new employees or external regulators.
- Make policies easily accessible to all employees. If you are already using policyIQ, ensure that a policyIQ link is posted or communicated regularly.
- Clarify whether any exceptions might be approved to the policy, and communicate the process for approval for exceptions. If it is not clear, employees may be more likely to decide it will be easier to ask for forgiveness than permission.
- Document how policy violations will be addressed or how policies will be enforced.
- Revisit, review and revise policies regularly. Do not allow policies to become outdated or appear to be outdated. Even if no changes are made, regularly note that content has been reviewed, so that employees
- Map policies to your regulatory requirements or other compliance programs. As regulations change, you can more easily identify any changes that must be made in your policies to address those changes.
What other best practices would you highlight for a clear corporate policy platform? Add yours in the comments and share ideas! Learn more about how to utilize policyIQ’s various read-only options by checking out a recent blog post by policyIQ Product Manager, Travis Whalen.
In a number of blog posts, we’ve highlighted the ways that policyIQ can be used throughout the entire SOX process – from risk assessments through issue remediation. This past Thursday, July 28th, we took an hour to walk through the entire process in a CPE webinar to highlight ways to create efficiency at each step.
Did you miss it?
Before we hit the highlights below, we want to point you to the session recording and the slides, both of which are available for download.
The Big Picture
We highlighted a number of big picture advantages of using policyIQ not just for SOX, but for all of your compliance initiatives. We talked about…
- Simplicity of rolling out and managing a cloud-based
- Advantages of being able to assign security and access
- And the efficiency of a single source of information through the entire compliance and audit environment.
A single source means that when you make a change in one place, that change feeds all of the different perspectives on the data.
Efficiency at Every Step
We also dug into the efficiency that can be gained at every step of the process. Just some of those ideas are presented below. We also mentioned additional training available for some steps, and have linked those training sessions.
- Risk Assessments
- Tie risk assessments at the 10K line item level to your risks and controls for ease of scoping.
- Control Updates & Review
- Allow your control owners to make updates directly in policyIQ as things change, or require regular reviews of control documentation.
- Walkthroughs & Testing
- Collaborate early (and often) with external auditors to ensure that your testing is capturing all of the detail expected.
- Issue Tracking & Remediation
- Assign remediation plans to owners and use automated reminders to ensure responses are provided.
- Conclusions & Reporting
- Utilize flexible reporting capabilities to trace issues back to the vulnerable risks and compensating controls to make a final determination about significant deficiencies or material weaknesses.
We also included the supporting functions that feed the process.
- Map to COSO 2013
- Link Entity Level Controls to COSO Principles
- Evidence Collection
- Assign evidence requests, utilize automated reminders, and track receipt of documentation
- Time & Expense Tracking
- Report on budgeted versus actual hours and cost, and use the data for next year’s planning
- SOX 302 (Sub)Certification
- Assign role-specific questionnaires, utilize automated reminders, and report on exceptions
We’re ready to help you build more efficiency into your SOX program. Contact us today and ask to speak with our client service team to walk you through implementing some new ideas! Not yet a policyIQ client? Contact us and ask us for a personalized demonstration!
Go to our website, www.policyIQ.com, to learn more, download datasheets, request a trial, demo, or to buy policyIQ! You may also reach out to us directly at 1.866.753.1231 or info@policyIQ.com.
For many years, we have been encouraging our clients to utilize policyIQ for all aspects of their compliance programs – from the assessment of risk through the remediation of issues. However, during a recent conversation with long-time client, Travis Heyer (Director of Internal Audit at Great Lakes Dredge and Dock), we realized that we had not yet clearly illustrated in a live training session how to effectively request and capture audit evidence within policyIQ.
Travis graciously agreed to work with us to create a training session – and brought his colleague, Amit Patel (Senior Auditor) along with him. On Thursday, March 31, we presented this session to a large number of very active participants. (You can check out the recording of the session, or download the slides for a quick overview.)
It’s really all about saving time
Automating the requests for audit evidence can allow your internal audit team to…
- Avoid playing “Match the evidence to the request!”
- Minimize risk of using an old version of a file
- Avoid wasting time sending annoying follow-ups
- Secure documentation more effectively
It comes down to a huge time savings, freeing up internal audit resources to do the real, value-add work that your organization needs.
Pages or Forms?
While the training presentation focused on an evidence collection process in policyIQ pages, a similar process can be built within policyIQ forms.
Pages offer the advantage of a two-way link between the Evidence Request and the Test page, so that your internal auditors can simply leave the files attached to the Evidence Request. Pages also allow more than one individual user to contribute directly to the same Request. However, utilizing Pages requires that all users who participate in the process of providing evidence are Advanced Users, a more expensive license in policyIQ.
Forms offer their own advantages, allowing for a simple issuing and follow-up process. However, the link between the Evidence Request form and the Test page is less visible. Evidence files will need to be downloaded and re-uploaded to the Test page by the auditor. The significant advantage of the Forms process is that any individual providing evidence needs only to have a Standard User license, a less expensive license that can keep costs low!
Getting started in 5 easy steps
Our training session focused on how to get started in just five easy steps:
- Create Evidence Request template
- Build list of evidence in Excel
- Import evidence request list
- Assign requests
- Track progress and follow-up
We encourage you to check out the recording or the slides for more details on these steps – and reach out to us to help you to get your bearings and get started!
Have you been burned by a software provider?
You worked for months (years for some), listening to promises from several different people who kept handing you off and never addressing your concerns. You found yourself with more time and money invested than you care to admit and you have grown to look at all software providers with skepticism (if not disgust).
Does this sound familiar?
I hear you. Your frustration was echoed by countless people that I spoke with at a national conference in March. Because a number of people felt compelled to share their horror stories about other providers with me, I got comfortable jumping quickly to the things that make us different than the typical software company:
- RGP is NOT a software company! Integrity is at the core of our firm. We want to create great relationships and serve you so impressively that, when you need a consultant, you already know the quality that you can expect from us.
- We don’t have a huge policyIQ booth at conferences and our software does not have the huge price-tag required to pay for that presence (policyIQ starts at <$5k/year).
- We don’t sell multiple modules or products and aim to upsell you. policyIQ really does accommodate multiple business areas and needs in one affordable tool.
- Our goal is to solve for your information, content, process, and workflow challenges across the Governance, Risk and Compliance (GRC) space, not to land a sale.
- Your sales person does not make commission or hand you off to an implementation team that’s unaware of promises made during the sales process—we walk alongside you the whole way and help to tailor the implementation to your organization’s needs.
- Our product does what we tell you it does (and we answer truthfully if you ask us about something we don’t do or plan to develop).
- We have a support team that truly cares to give you excellent and timely service.
We think of our clients as part of our community with whom we will have a long partnership. We listen to your needs, plans, wishes and heartaches and work continuously to problem solve with you.
We’re proud to be a misfit among typical software providers.
We encourage you to take a peek at this introduction to policyIQ, and then reach out to us! We’d be glad to schedule a personalized tour of policyIQ. Also, we invite you to kick the tires! Sign up for a 30-day trial, completely risk-free.
We look forward to working with you!
If you haven’t explored how you can use policyIQ to implement or enhance your Enterprise Risk Management (ERM) program, we need to talk! policyIQ’s Governance, Risk and Compliance (GRC) platform provides the flexible infrastructure that you need to…
- conduct risk surveys and assessments,
- document your risk tolerance and metrics, and
- capture activities that take advantage of risk opportunities or that mitigate excessive risk, or
- take action on organizational issues.
RGP’s Enterprise Risk Management Expertise!
RGP’s GRC practice works with companies around the world to implement ERM programs. In some cases, this starts with a complete cultural survey to better understand the real appetite (or perception of appetite) for risk across the organization. RGP recently presented a webinar, “Enterprise Risk Management: Are you optimizing your ERM program?” The webinar drew hundreds of attendees from companies around the world, anxious to learn how they could improve their ERM program and confidently answer that question with a solid “YES!”
Alongside GRC Practice Leader Les Sussman, risk management expert and Washington DC office Managing Director, Eric Gerner, provided an overview of a successful, efficient and sustainable ERM process – as well as practical keys to ERM success.
Sustainable ERM Process
In that webinar, Mr. Sussman and Mr. Gerner walk through a six phase ERM cycle that provides a sustainable framework in which a company can identify, prioritize, implement and monitor ERM activities.
We have integrated the use of policyIQ into these six phases, ensuring that ERM practices are efficient every step of the way!
Are you working on Enterprise Risk Management initiatives? Contact us and let’s talk about how RGP and policyIQ can help you to be more efficient, provide visibility into enterprise risk and risk appetite throughout the company, and create an on-going, sustainable ERM process.
As the IIA has been known to do, their General Audit Management (GAM) Conference was packed with many high caliber speakers again this year! Presenters provided a wide array of insights falling within five tracks:
- Talent & Resource Strategies
- Regulatory & Compliance Issues
- Risk Management
- Innovation & Technology
- Stakeholder Relationships & Expectations
This year’s conference drew a record crowd and it seemed that the number of visitors to the RGP booth reflected that—we kept very busy talking about the things that differentiate us from other firms, such as:
- 3,000+ professionals in 70+ wholly owned offices (not affiliates) worldwide
- Consultants have 10-20 years’ experience
- 87 of the Fortune 100 served
- 100% retention of top 50 clients
- Served more than half the Fortune 1000
We had more inquiries about policyIQ this year than at any previous conference. This was in keeping with a theme at the conference regarding leveraging technology to help audit to be more effective and more efficient. Our GAM audience seemed pleasantly surprised and asked the most follow-up questions when they realized that policyIQ can serve several Governance, Risk and Compliance needs within one tool—we do not require, cajole or have to finagle unsuspecting clients into purchasing additional tools or modules to meet their needs. Unlike other audit and GRC tool providers, we are focused on solving their problems and helping them to be more efficient—not on trying to milk them for multiple software applications and upgrades!
- policyIQ is significantly less expensive than other tools
- Implementation takes 4-6 weeks (not months or years)
- Expert configuration support is included
- Our team is known for “Excellent” service and support
There are some things that you DON’T get with policyIQ that stunned some technology shoppers, too:
- No extra modules to buy
- No up-front license fee
- No upgrade fees
- No hardware to purchase
- No IT resources required
This summed up my experience at GAM this year:
If I didn’t have an opportunity to address your questions at GAM and/or you’d like to talk more about how you can employ policyIQ to make your team more efficient, reach out to us at Support@policyIQ.com or 866-753-1231. We’ll have you up and running within the next quarter!
I’ve told the story a few (hundred) times…the development of policyIQ started nearly 15 years ago with its roots in “Effective Policy Management”. It then grew with intention into the Risk, Compliance and Testing arenas—with the signing of the Sarbanes-Oxley (SOX) Act—only to be discovered as the easiest to access and use tool on the market and, therefore, wildly exploited for innumerable uses.
Outside of the SOX and Audit world, the tool that was “in the cloud” before “cloud” was a technical term, began to gain popularity for administration of Account Reconciliations and Contracts and was used for the automation of a wide range of processes, such as Capital Appropriations Project Review and Environmental Health and Safety documentation and certifications.
A few years ago, amidst the noise of demand pulling us in many different directions, the policyIQ team made a commitment to focus the development of our product squarely on serving Governance, Risk and Compliance needs. While it was already possible to track the results of risk assessments (the assessment performed outside of policyIQ at that time), associated risks, controls, tests, deficiencies, remediations, policies, and any number of other types of pages in policyIQ with our easy to customize templates, we knew that there was a gap we needed to fill to make policyIQ more accessible, user friendly and refined for our compliance and audit clients. We set our sights on the seventh generation of policyIQ and, since spring of 2013, moved forward with four GRC-focused releases, plus version 7.4 which is now in testing.
Check out some of the related benefits for the compliance and audit communities!
Prior to version 7
Leading up to the development and release of policyIQ’s seventh major installment, our product and account managers met with many of our clients in exploratory interviews learning what they thought was missing or could be greatly improved in our product. We learned quite a lot about the “real world” practices of our users and considered ways that we could better represent their processes in a streamlined fashion in policyIQ. Prior to the introduction of GRC-related features, we set out to help companies better prepare Page Templates and the Folder structure to capture Audit Projects/Programs and the resulting Audit Test pages. While there are many “right” ways to organize, assign, review and finalize testing work, we helped many companies to better configure policyIQ to support their desired process.
Features Already Released to the policyIQ Community
In the last year and a half, policyIQ has added some features to close the gap between the more generic policyIQ “content management” community and GRC community. Now policyIQ users can…
- Access policyIQ from any major browser
- Automate their Risk Assessments by taking advantage of Calculated Fields
- Better handle workpapers and evidence with the improved file upload features
- Streamline and track multiple auditors’ and reviewers’ contributions using these features:
- Track Changes to identify the contributor and their adjustments with a date and time stamp
- “Approvers Can Edit” content without having to be added as Page Administrators and then carrying out multiple Check-In, Check-Out steps. Much more streamlined!
- Comments – this functionality used in policyIQ Forms has been added to Pages. We also plan to further integrate comments into the page body in a future release.
We are very excited about a number of developments in the next release of policyIQ—version 7.4. This release is so significant that we have wondered if it should be called version 8! Look at what’s coming soon!
- Work offline – The ability to work offline and to otherwise simplify the addition of content to policyIQ will be possible with an enhancement to our Import utility that supports the updating of policyIQ pages (not just the addition of content, but the ability to change content using imports).
- More easily review and monitor status – Version 7.4 includes the ability to run your policyIQ Reports on a schedule and then to email the results to you and any number of others.
- More simply review Testing-related workpapers with several new reporting filters and display options, including the ability to list Page Attachments and Links in report results.
- Support Time and Expense Tracking – You heard that right…we are introducing an entirely new set of features dedicated to supporting companies with tracking estimated and actual time and expenses by audit project, test or task. It is possible to summarize and total the estimates and actuals, to relate them to specific Tests and to focus on T&E related to a specific auditor. This is just the beginning—we expect to continue to refine and enhance this functionality in policyIQ to help users in our audit community to work more effectively and efficiently!
And more on the horizon
We continue to seek feedback from our compliance and audit communities and have marked more than a dozen related features as high priorities for our development team to get started on. Many of our higher priced competitors have a bad habit of overpromising and underdelivering. Members of the policyIQ community know that we work hard to have the opposite reputation–letting users know exactly when their suggested features are in development, considered a priority, and even when a request might be identified as out of scope. We are sincerely grateful for our partnership with our user community! So, while I can’t make any promises, I am also hopeful that we might be able to sneak a couple more “high priorities” into version 7.4 that I have spoken with clients about in recent weeks. We’ll keep you posted!
Thank you for your ongoing partnership to make policyIQ your GRC tool of choice. We couldn’t do it without you and look forward to hearing from you soon with more feedback and feature requests. And maybe with suggestions for a more appropriate product name!
If anyone follows our blog, you know that we frequently reference research and blog posts by Michael Rasmussen at GRC 20/20. Mr. Rasmussen has been in the GRC “biz” for almost 20 years – in fact, defining the Governance, Risk and Compliance model and market while an analyst with Forrester.
GRC 20/20 announced their 2013 Solution Strategy Survey – and we would invite all of our clients in the areas of compliance to take part.
Let your voice be heard about the current state and the future of GRC Strategy and Technology. The survey aims to discover how organizations use GRC technology to meet their needs – or how they plan to use GRC technology in the future.
We also really like that in lieu of a chance to win prizes, every completed survey equals a $20 donation to one of five charitable organizations. Let your voice be heard – and give back at the same time!