7 Features to Boost Efficiency in Your Daily Work

In case you were out enjoying your summer and missed announcements on the latest policyIQ release, we’re here to share the highlights! The theme of policyIQ’s version 7.9 is Convenience. We rolled out 7 features that help to boost efficiency in the flow of your daily work.

  1. Navigation continues to get easier and faster! Save time by leveraging “Favorite Folders” to lift your critical work to the top of the list.
  2. Is yours one of the organizations that uses policyIQ primarily for Account Reconciliations, 302 Certifications, or Policy Sign-offs? Perhaps you’d like to have Form Management as your top navigation option? Site Administrators, you can highlight the activities that your organization engages in most by reordering items in the left navigation pane.
  3. Paste content into policyIQ from a range of other document and file types and retain your formatting with this upgraded HTML/Rich Text Editor.
  4. Perform calculations on multiple figures originating in related content (Calculated Linked Fields). This allows you to perform activities like determining cumulative risk calculations and arriving at the sum of Standalone Selling Prices for each Performance Obligation linked to the contract.  The flexibility of policyIQ to provide more custom solutions for a wide range of business initiatives just got a boost with this feature!
  5. Approvers – we’re thinking of you.
    1. Some people rely on email to keep them apprised when their attention is needed and others loathe the ever-growing number of items in their inbox. Now, policyIQ lets you decide which approvers in the approval string will be automatically notified via email when items have been submitted for their review.
    2. Prior to this release, an individual could only occupy one step in the approval process. It was not historically possible to approve, pass the content to other approvers, and then bring it back around for final approval. If a process requires the same person to step in multiple times, policyIQ now supports that process.
  6. Rolling forward just got easier! If your organization likes to leverage the previous period’s tests rather than starting from blank templates, you can accomplish roll forward in fewer steps with the ability to Remove Attachments in Bulk.
  7. Take advantage of the flexibility of policyIQ! Changes in process, regulation, org structure, or responsibilities might lead to the need for adjustments to solutions and templates. Solution designers (policyIQ administrators) will be happy to learn that it is now possible to copy fields from one template to another, making it easier to leverage the work of previous solutions for new or improved solutions.

Would you like some help taking advantage of features that were rolled out after your original configuration (from this summer’s release or past releases)? Contact us and we’ll be happy to walk you through the steps!

5 Steps to a More Efficient Internal Control Environment

Is your team overwhelmed with activities that feel unnecessary?

How confident are you that the energy spent on testing is focused on the necessary controls?

Leverage policyIQ to systematically focus on the critical controls for management and testing. More efficiently analyze which Financial Statement Assertions, relative to each of your 10K line items, are adequately controlled, which are left vulnerable, and which are over-controlled! See, plainly, the gaps in your coverage, leverage the evidence to justify the reduction of waste, and plan to concentrate effort on work that matters.

This process really starts with your risk assessment. If you have not leveraged policyIQ to bring automation and reliability to your risk assessment process and want to walk through the policyIQ solution (including the just-released feature that makes cumulative risk calculations possible), reach out to schedule a free working meeting with us! After completing your risk assessment, identifying significant accounts and relevant assertions, and determining which of your processes and objectives are in scope (all steps that can be managed in policyIQ), you can begin the process of rationalizing your controls.

Next, leverage policyIQ to move through these five Control Rationalization steps:

Each step is made more efficient with policyIQ. We can support you to customize templates for the attributes that are critical and unique to your organization. The import, linking, calculations, workflow, and reporting features will allow you to more quickly examine the effectiveness and priority of your procedures. Having confidence in your Control Rationalization process and your internal control environment then allows you to come full circle to look at the bank of risks that you previously identified. You might conclude that some process risks that have consumed time and attention for years are actually not in scope. This Control Rationalization process will help you to be more effective and more efficient through each testing cycle.

Would you like to see sample templates and schedule a working meeting to get the ball rolling? Contact us and reap the benefits by your next testing cycle!

Your Risk Assessment spreadsheets are costing you!

Are your employees still manually managing Risk Assessments using spreadsheets?
If you answered yes, they are likely struggling to work with others efficiently, they are frustrated by version control issues, and they are wasting time trying to figure out who has given input and who still needs to provide information.

The data in spreadsheets is difficult to aggregate. Performing analyses within a spreadsheet is limited, and across multiple spreadsheets it is nearly impossible. There are nearly always issues with data entry and, therefore, data integrity. So, your employees are likely also spending time having to validate and track down information and they’re likely performing rework to shore up assessments and findings. For all of these reasons, spreadsheets prolong the time and expense of audits.

RGP’s policyIQ team has developed features that help you to automate questionnaires, inventories, risk ratings, capability measures, track gaps and roll-up findings. Your management and audit teams can begin collaborating on their finance, operational, fraud and enterprise risk assessments right away.  Contributors from your locations can work together in one flexible and easy to use tool with confidence in the security and accuracy of their information and analyses. Templates for various risk assessments are easy to customize. Notes and assumptions from previous assessments can be easily referenced and considered in current risk calculations.

Your auditors can remotely review the content that you choose to make available to them and only after it has completed the review process that you enforce using policyIQ.

Reach out to us to request your free trial site and to learn more about how your team can end their reliance on spreadsheets. Work smarter.

Flexible Risk Assessment Frameworks with World-class Subject Matter Expertise

When deploying a technology platform for any GRC process, many questions are considered during the procurement process.

“How long will this take to get up and running?”

“Is it customizable?”

“Is this software affordable – and what if we choose to expand the scope of our deployment?”

Within the scope of GRC, policyIQ can be used to implement nearly any type of risk assessment – and can be done quickly (with custom tailored content), all at an affordable price.  It’s a system that grows as you grow.  But as you likely know, risk assessments are an area that has a seemingly infinite number of options on how to get from A to Z.  Fraud Risk?  Financial Risk?  Third Party Risk?  And the various methodologies to achieve each can be staggering.  

Can I implement my own methodology, or am I forced to use the software’s built-in items?

You’d be surprised to find that for many software platforms, the answer to this question isn’t always positive. One of the benefits of utilizing policyIQ is that the keys are in your hand for making this decision. We have clients from all corners of the globe that choose to use their own methodologies when leveraging our software – and are able to do so with excellent results. Likewise, many organizations have sought subject matter expertise, looking for a proven methodology and guidance to help them get the ball rolling.

Regardless of the approach, policyIQ’s flexible platform is fine-tuned by the client to become the go-to place for establishing a consistent and reliable risk assessment environment, year after year.

Learn more about RGP’s professional services, or have a look at policyIQ’s solutions for GRC initiatives.

Not all roads lead to successful IPO

Welcome guest blogger, Jason Chiang. With RGP for nearly 8 years, Mr. Chiang has more than 20 years of experience and expertise in Audit, Risk and Compliance. He has consulted with a range of companies from financial services, biotech, manufacturing, healthcare and other industries. Mr. Chiang is a Certified Public Accountant (inactive) and Certified Internal Auditor. He has served on both sides of the house as a senior audit manager and senior auditor as well as a risk manager. It is evident that he understands the motivations and hurdles facing these organizations and approaches their complex issues with integrity and professionalism.

The following article was written by Jason Chiang (with editing support from Stephenie Buehrle). The approach and recommendations are his.


When a company approaches its initial public offering (IPO), it enters a very different arena. Having access to public funds, that is the retirement savings of Main Street USA, the company must meet quarterly SEC filing requirements. This is a significant amount of work. An investment in the people experienced with technical accounting, SEC financial reporting, and Sarbanes Oxley Compliance (SOX) evaluations combined with an investment in systems and tools to do the work efficiently and with completeness and accuracy is crucial to meet the filing deadlines.

One cannot audit all internal controls over financial reporting (ICFR). Thus, performing a SOX risk assessment is necessary to identify the significant accounts and their relevant assertions. If you happen to be one of these companies developing a road-map to your IPO, SOX may not be the place where you want to focus significant time and financial resources, but you realize that it has to get done. Be sure that you consider, at minimum, these critical components:

Risk Assessment

A risk assessment is the process of identifying significant accounts and disclosures and their respective relevant assertions as they relate to financial statements. A properly done risk assessment will allow the company to work smart by focusing its internal controls evaluation on the areas where there is a possibility of a material error.

The Risk Assessment must include:

  • Quantitative factors such as account balance, frequency of transactions, dollar value of each transaction; and
  • Qualitative factors such as complexity of related transactions, subjectivity of accounting rules over related transactions, and fraud considerations.
  • As business and risks change, the risk assessment needs to be updated.

Narrative

A narrative provides mid-level detail of the transactions and internal controls within a business process and includes who, how frequent, and in what location the transactions and controls are being performed. The initial creation of narratives provides the process owners an opportunity to revisit and reflect on the current processes, and make improvements for operational efficiency or control effectiveness. It is a written document that can be read by internal employees, internal auditors, and external consultants and auditors to gain a preliminary understanding of the process. As processes change, the narrative provides a format to document the change.

What critical things must be considered regarding Narratives?

  • The narrative should be written knowing that auditors will be a primary reader and will be looking for controls that mitigate risks.
  • When describing management review processes in the narrative, articulate how the manager gains assurance of the completeness and accuracy of the supporting evidence before signing off. If the manager is using judgment, describe the factors considered.
  • Narratives should be updated as changes are implemented in the organization. The updates should follow a workflow where there is a review process for significant changes.

Control Matrix

A control matrix lists the controls the company has identified to mitigate risks. The control matrix serves as evidence that identified risks are mapped to controls which are to be evaluated for management’s assessment of internal controls. The control matrix also is a primary client document auditors leverage to perform their independent test of controls.

Take care to ensure that:

  • The controls in the Controls Matrix are mapped to risks.
  • The Controls Matrix is in a format where it is sortable or reportable by controls mapped to risks for test of controls purposes, and risks are mapped to controls for an evaluation whether risks are mitigated by controls.
  • Controls in the Controls Matrix should be labeled and provided an abbreviated title (10 words max) for ease of reporting and reference purposes.

Testing

Testing is the evaluation of design and operating effectiveness of the company’s controls. The results of testing of controls provide company management with a baseline that might have impacts to strategic and operational decisions. For publicly held companies, testing is an SEC requirement.

Critical considerations for testing:

  • Important, if deemed necessary, to be able to re-perform the actual control performed by the employee (e.g. for 3-way match of purchase order, invoice, and shipping docs, test that an employee had performed this and has evidence of such, rather than the auditor requesting the 3 docs and testing oneself).
  • When testing management review controls, cannot just accept sign-off, but need to understand the steps and judgments used by the manager, and test accordingly.
  • The documentation of testing should allow someone else to reasonably re-perform the testing. If testing is being relied upon by external auditors, then the breadth of documentation is more important. If not, not all needs to be retained, but should be readily retrievable when needed.

Certifications

Control owners certify to the CFO and CEO that controls are operating effectively on a quarterly basis, and if not operating effectively, the remedial action plans. The control owners are held directly accountable for their controls as they are certifying to the top two officers of the company.

Recommendations for certifications:

  • The number and level of person certifying to the CFO and CEO should be carefully considered. The level should be their direct reports and one level removed to maintain the efficiency and integrity of the certification. If it is a larger organization, there can also be sub-certifications up to the senior manager level.
  • The certification questions should have a combination of checklist questions as well as open-ended questions to encourage a thoughtful process.
  • Utilizing software for tracking, follow-up, and retention purposes is advised.

Depending on the number of people involved with the inputs into the various components, one might decide that performing and capturing the work in Excel is sufficient, while others might prefer utilizing a SOX tool where there are extra protections in version control while allowing multiple users to perform inputs simultaneously in multiple locations. A SOX tool may also provide management with options for review, analysis and oversight that are not available in Excel.

To avoid unexpected setbacks, be sure to plan enough time into your IPO readiness map for SOX evaluations. The initial SOX program development and implementation is likely to require six months and can vary depending on your access to subject matter experts. Coordination and alignment of the SOX efforts and objectives among the audit committee, senior management, process owners, and internal and external auditors is paramount for a successful implementation.


If your organization is approaching your initial public offering and you’re interested in learning more about how RGP can support you with subject matter expertise and a tailored technology solution to help ensure that you are prepared for your SEC filing and financial reporting requirements, reach out to us (Information@policyIQ.com, 412.263.3330) and we’ll connect you with our RGP colleagues near you!

ICYMI: Assessments and Scoping in policyIQ

Did you miss our recent training session on completing our SOX Risk Assessments and scoping exercises in policyIQ?  Not to worry – we have you covered!

How Can I Catch Up?

If you want to get into the details, we have the training session and materials available for download!

  • You can access the slides here.
  • You can also view the recording from our policyIQ training page.
    The training page is linked from your policyIQ login page – and available from within the online Help Guide.  If you don’t have access to the training page, please reach out and we’ll send you the link!

Just the Highlights, Please!

This training session aimed to ensure that participants are able to…

We discussed common SOX risk assessments at the financial statement line item level, targeting risk factors like…

In addition to illustrating how to create the calculation directly in policyIQ, we also acknowledged that some folks love their MS Excel process.  policyIQ can handle that, too, through the import option!

Then we took a close look at the relationships between the content that allows for the most effective scoping options.

And finally, we walked through the reports that provide the final step in the scoping process.

We would love to help YOU get started on your risk assessments in policyIQ, so that we can link into your SOX work for ease of annual scoping.  Contact us today and we’ll meet with you at no cost to help you get on your way!

Which part of your SOX program do you want to improve this year? This list of resources will help.

Soup to nuts—or Risk Assessment to Review of Evidence, we are ready to help you make your 2016 Sarbanes Oxley compliance work more efficient than ever! You will notice that we have another post this month that talks about rolling forward last year’s SOX work to create the baseline for your 2016 work. Some of you might not want to repeat last year’s work. Maybe you didn’t use policyIQ last year or you’d like to make improvements on what was done in previous years and take advantage of all that policyIQ has to offer. We have some tips and tools to help you:

  • Risk Assessment – We previously shared a sample template with you that you might want to implement for 2016. If you already have your Financial Statement Risk Assessment complete, we can help you with your plan to import and tie the results of that assessment to relevant assertions and controls. Capturing the full cycle in one place will not only help your organization to be much more efficient, it will also save time and money when your external auditors are looking to connect.
  • PCAOB’s Auditing Standard No. 5 – Are you looking to make improvements to your process and work more efficiently this year? Check out this visual summary or watch the full recording of the webinar that walks through the application of AS5.
  • Link related compliance elements and utilize various reports to monitor progress, analyze performance, and stay on top of your program. We have lots of ideas about SOX reporting. Check out your online Help manual and this post for some ideas.
  • Automate supporting processes – are you still using Word, Excel, and email to manage your 302 Certifications, Control Self Assessments and Narrative Reviews? One of the most frustrating parts of this work is having to inventory the responses and pester people to get their work done. You can literally perform the setup of these tasks one time and then consider it complete forever after using policyIQ’s Forms functionality to automate the inventory and reminders.
  • Grant External Auditors access to only that content which you want them to see! Have you done this yet? I recall being scolded by a client who told me that we don’t brag about this benefit enough. He felt that he could have saved a significant amount of time and money over the years and wished he had granted their external auditors access much sooner. It’s really easy to bring them into the fold and show them only what you want them to be able to review. Here’s how.
  • Evidence gathering – If you find that a lot of time is spent by auditors, managers—everyone—rounding up information, perhaps it is time to commit to one main holding place for your evidence. You can even use policyIQ to help automate and monitor the collection of evidence. We have some posts discussing what has been done in the past and we’ll be taking a fresh look at options surrounding the Evidence Collection effort in an upcoming training session—please join us!

We hope that this list of resources is helpful to you or at least has you thinking about things that you’d like to manage more efficiently. We often work with people who feel like they just don’t have time to figure out how to save time! We get it. That’s what we’re here for! If you don’t have time to read posts and play around in policyIQ, but want to realize the benefits sooner than later, reach out to us and we’ll walk you through some simple adjustments that you can make to gain relief and command over your information right away!

We’re handing it to you: Risk Assessment Template for policyIQ

The policyIQ Team has discussed the benefits of bringing automation to the full cycle of work and documentation associated with your Sarbanes Oxley Compliance program in previous posts. You might recall training sessions or posts that introduced the application of policyIQ for your Risk Assessment process. If you haven’t had time to play around with your content and tie everything together in your policyIQ site, we want to help you with an example of a Risk Assessment Page Template that could provide you with a good starting place.

Of course, your template could include different fields, different risk factors that are weighted differently and you might have different thresholds for your risk ratings. I hope that you already know that virtually everything in your policyIQ Page Templates is customizable.

With that disclaimer, I would also like to highlight some things in our example. We have captured a template that would be used to rate the risk for a single Financial Statement Line Item. The six risk factors included here are simply Whole Number fields for entering a rating. Most of the text in this template is content that we captured in a policyIQ “Static Text” field—really, just to provide guidance and clarification to those performing and reviewing the assessment. The critical field in the Risk Assessment Financial Statement Line Item Page Template is the Calculated numeric field used to take all of the Risk Factor ratings and weights of each factor into account. When adding this type of field to your Page Templates, you are prompted to enter the formula for the calculation. Math formulas are not your thing? Feel free to reach out to one of us on the policyIQ team and we’ll help you to pull it together.

Okay, you’re really close now! Build the template (or ask us to build it with you) and then we’ll help you to see how you can import your latest Risk Assessment results into policyIQ and link them to the relevant Assertions and related Controls. Most of this initial setup can be performed in bulk via the policyIQ Import utility. Really, it could be in policyIQ within the next week. Really. What are you waiting for?

Get in touch with us: 1-866-753-1231, support@policyIQ.com.

Stop Costly Mining of Information for Each Audit

Many organizations have seen a shift in their SOX environment in recent years. SOX has become commoditized and leadership is concerned about buckling down on the level of work and on the cost of SOX. While many companies have reviewed, rationalized and streamlined their controls down to a more manageable level, focusing on testing only the key controls amounting to less than 150 in most cases, we still see that many have not entirely streamlined their management of the full cycle of analysis and documentation. Have you?

  • Who performs your Financial Statement Risk Assessment? Where is the documentation of that process and the conclusions regarding significant accounts and relevant assertions kept?
  • Have you plainly identified and documented your Financial Statement Risks and are you able to demonstrate which Controls are critical to their mitigation?
  • Of course, tests are being performed; but how are you tracking the evidence associated with those tests and does it seem that the process of defining and assigning audits is as efficient as it could be?
  • Do you have historical record of your audit findings, issues and methods of remediation? Can you easily review and determine the most cost effective approaches to remediation?
  • Can you pull up evidence of COSO coverage as simply as you can share your Risk-Control matrix?
  • Apart from the staples of SOX documentation, where do you document things such as considerations and assumptions for key decisions, exceptions or overrides?

Probably the most simple question yielding the most telling answer regarding whether your SOX program is as effective and efficient as it can be is this: do you perform and maintain all of this documentation in one system or is it someone’s responsibility to mine information and evidence for each external audit? If each of these processes is happening in different mediums, stored in different repositories and managed with a wide range of workflows and procedures that are in place simply because “it’s always been that way”, then you have a significant opportunity to save time and money while more effectively managing your SOX program and, therefore, improving the bottom line of your company.

Of course, this message is for those organizations that have yet to bring automation and the power of a database to their SOX processes and documentation. Still, this message should not be lost on the many policyIQ clients who already experience how easily the collaboration of work, hand-offs, review and approval can be managed in policyIQ. We work with many companies who still have portions of their SOX cycle in various systems. Aside from the plain-to-see expense of paying for many different systems, there is cost associated with ongoing maintenance, training, and the time required to bring all of the information together and to relate the key components that paint the picture of an effective internal control environment.

Reach out to us and we’ll provide you with a free demonstration and configuration guidance on streamlining the various segments of your SOX program into one efficient and manageable cycle. We can schedule your configuration session within the week and have you up and running in the next 4-6 weeks! Talk to you soon!

Sarbanes-Oxley Compliance – Are you taking advantage of all that policyIQ has to offer?

Public companies managing their Sarbanes-Oxley compliance program make up the largest section of our policyIQ client base.  Over the past few years, we have added a number of new features and pricing options that make it easier than ever to utilize policyIQ for everything from scoping and planning to issue reporting and communications.

If you aren’t utilizing policyIQ from the risk assessment to remediation, contact us today and let us show you how easy (and inexpensive!) it can be to extend your implementation to capture all aspects of the process.

Risk Assessment

Starting at the top, evaluate your financial statement line items and determine what is in scope for the coming year.

  • Calculate a risk score based on predetermined factors
  • Quickly move processes and controls in or out of scope based on risk assessments

Control Reviews and Documentation Updates

Documenting your controls is not a one-time task.  policyIQ’s electronic forms or the distribution of pages makes it easy for you to distribute control documentation to your control owners, and capture any changes or adjustments.

  • Low cost and simple tracking of electronic forms makes it easy to capture updates
  • Full audit trail of changes, with user, date and time stamps, and approval workflow allows an organization to distribute the work efficiently and safely

Links to COSO Framework

In 2013, a new COSO Framework was released and compliance with the framework is a key part of SOX compliance.

  • Easily import the framework to policyIQ and link controls to COSO Principles
  • One-click reporting to prove compliance with the framework, from COSO Principle to audit testing results

Evidence Collection

Much time can be spent by auditors collecting evidence and reports that are required for their testing.  policyIQ can make that process much simpler.

  • Low cost and simple tracking of electronic forms to track all requests for audit evidence, with automated follow-up emails for any non-responses
  • Audit trails of requests and a central place for all files means fewer lost requests

Audit Testing

Create your test plans in policyIQ, link to existing SOX controls, and easily bring testing in or out of scope for the year based on risk assessment results.

  • Simple ad-hoc and standard reporting on testing progress and results
  • All evidence uploaded into policyIQ and accessible from test pages
  • Annual roll forward process that is ready to go within minutes

Issue Tracking and Remediation

In a perfect world, your audit testing reveals a perfectly designed and perfectly operating control environment.  But perfection is hard to come by.

  • Document any issue and link it to the audit test or control from which it was identified
  • Assign remediation plans, utilize policyIQ communication alerts, and take advantage of simple real-time reporting for updated issue status

Audit / Project Time & Expense Tracking

Internal audit teams have limited resources and need to track time and expenses so that they can most effectively use those resources in high risk areas.

  • Build audit projects and assign resources
  • Allow auditors to enter time and expenses directly from audit test documentation, with simple reporting to track budgeted versus actual hours and costs

302 Certification Processes

While the Sarbanes Oxley Act section 302 only specifies that the CEO and CFO must sign and take responsibility for the control environment, most executives require a sub-certification process to go out to management level employees across the company.

  • Create consistent certification forms and distribute to employees at multiple levels
  • Automated emails follow up on non-responses, while administrators can quickly report on any exceptions

policyIQ can help you to manage it all in a single place, with audit trails and reporting at every step of the process.  If you use policyIQ for your Sarbanes-Oxley compliance program and you aren’t doing all of the above in the tool yet, contact us right away and let us help you to plan for expansion.  In many cases, you will be able to expand at no cost – or very low costs.

And if you aren’t using policyIQ at all yet – please reach out today! We would love to help you to better manage your SOX compliance.