ICYMI: Assessments and Scoping in policyIQ

Did you miss our recent training session on completing our SOX Risk Assessments and scoping exercises in policyIQ?  Not to worry – we have you covered!

How Can I Catch Up?

If you want to get into the details, we have the training session and materials available for download!

  • You can access the slides here.
  • You can also view the recording from our policyIQ training page.
    The training page is linked from your policyIQ login page – and available from within the online Help Guide.  If you don’t have access to the training page, please reach out and we’ll send you the link!

Just the Highlights, Please!

This training session aimed to ensure that participants are able to…


We discussed common SOX risk assessments at the financial statement line item level, targeting risk factors like…


In addition to illustrating how to create the calculation directly in policyIQ, we also acknowledged that some folks love their MS Excel process.  policyIQ can handle that, too, through the import option!


Then we took a close look at the relationships between content that enable the most effective scoping options.


And finally, we walked through the reports that provide the final step in the scoping process.


We would love to help YOU get started on your risk assessments in policyIQ, so that we can link into your SOX work for ease of annual scoping.  Contact us today and we’ll meet with you at no cost to help you get on your way!

Which part of your SOX program do you want to improve this year? This list of resources will help.

Soup to nuts, or Risk Assessment to Review of Evidence, we are ready to help you make your 2016 Sarbanes Oxley compliance work more efficient than ever! You will notice that we have another post this month that talks about rolling forward last year’s SOX work to create the baseline for your 2016 work. Some of you might not want to repeat last year’s work. Maybe you didn’t use policyIQ last year, or you’d like to make improvements on what was done in previous years and take advantage of all that policyIQ has to offer. We have some tips and tools to help you:


  • Risk Assessment – We previously shared a sample template with you that you might want to implement for 2016. If you already have your Financial Statement Risk Assessment complete, we can help you with your plan to import and tie the results of that assessment to relevant assertions and controls. Capturing the full cycle in one place will not only help your organization to be much more efficient, it will also save time and money when your external auditors are looking to connect.
  • PCAOB’s Auditing Standard No. 5 – Are you looking to make improvements to your process and work more efficiently this year? Check out this visual summary or watch the full recording of the webinar that walks through the application of AS5.
  • Reporting – Link related compliance elements and utilize various reports to monitor progress, analyze performance, and stay on top of your program. We have lots of ideas about SOX reporting. Check out your online Help manual and this post for some ideas.
  • Automate supporting processes – Are you still using Word, Excel, and email to manage your 302 Certifications, Control Self Assessments and Narrative Reviews? One of the most frustrating parts of this work is having to inventory the responses and pester people to get their work done. Using policyIQ’s Forms functionality to automate the inventory and reminders, you can perform the setup of these tasks one time and then consider it complete forever after.
  • External Auditor access – Grant External Auditors access to only that content which you want them to see! Have you done this yet? I recall being scolded by a client who told me that we don’t brag about this benefit enough. He felt that he could have saved a significant amount of time and money over the years and wished he had granted their external auditors access much sooner. It’s really easy to bring them into the fold and show them only what you want them to be able to review. Here’s how.
  • Evidence gathering – If you find that a lot of time is spent by auditors, managers—everyone—rounding up information, perhaps it is time to commit to one main holding place for your evidence. You can even use policyIQ to help automate and monitor the collection of evidence. We have some posts discussing what has been done in the past, and we’ll be taking a fresh look at options surrounding the Evidence Collection effort in an upcoming training session—please join us!

We hope that this list of resources is helpful to you, or at least has you thinking about things that you’d like to manage more efficiently. We often work with people who feel like they just don’t have time to figure out how to save time! We get it. That’s what we’re here for! If you don’t have time to read posts and play around in policyIQ, but want to realize the benefits sooner rather than later, reach out to us and we’ll walk you through some simple adjustments that you can make to gain relief and command over your information right away!

We’re handing it to you: Risk Assessment Template for policyIQ

The policyIQ Team has discussed the benefits of bringing automation to the full cycle of work and documentation associated with your Sarbanes Oxley Compliance program in previous posts. You might recall training sessions or posts that introduced the application of policyIQ for your Risk Assessment process. If you haven’t had time to play around with your content and tying everything together in your policyIQ site, we want to help you with an example of a Risk Assessment Page Template that could provide you with a good starting place.

Risk Assessment Template

Of course, your template could include different fields, different risk factors that are weighted differently and you might have different thresholds for your risk ratings. I hope that you already know that virtually everything in your policyIQ Page Templates is customizable.

With that disclaimer, I would also like to highlight some things in our example. We have captured a template that would be used to rate the risk for a single Financial Statement Line Item. The six risk factors included here are simply Whole Number fields for entering a rating. Most of the text in this template is content that we captured in a policyIQ “Static Text” field—really, just to provide guidance and clarification to those performing and reviewing the assessment. The critical field in the Risk Assessment Financial Statement Line Item Page Template is the Calculated numeric field used to take all of the Risk Factor ratings and weights of each factor into account. When adding this type of field to your Page Templates, you are prompted to enter the formula for the calculation. Math formulas are not your thing? Feel free to reach out to one of us on the policyIQ team and we’ll help you to pull it together.

Okay, you’re really close now! Build the template (or ask us to build it with you) and then we’ll help you to see how you can import your latest Risk Assessment results into policyIQ and link them to the relevant Assertions and related Controls. Most of this initial setup can be performed in bulk via the policyIQ Import utility. Really, it could be in policyIQ within the next week. Really. What are you waiting for?

Get in touch with us: 1-866-753-1231, support@policyIQ.com.

Stop Costly Mining of Information for Each Audit

Many organizations have seen a shift in their SOX environment in recent years. SOX has become commoditized and leadership is concerned about buckling down on the level of work and on the cost of SOX. While many companies have reviewed, rationalized and streamlined their controls down to a more manageable level, focusing on testing only the key controls amounting to less than 150 in most cases, we still see that many have not entirely streamlined their management of the full cycle of analysis and documentation. Have you?

  • Who performs your Financial Statement Risk Assessment? Where is the documentation of that process and the conclusions regarding significant accounts and relevant assertions kept?
  • Have you plainly identified and documented your Financial Statement Risks and are you able to demonstrate which Controls are critical to their mitigation?
  • Of course, tests are being performed; but how are you tracking the evidence associated with those tests and does it seem that the process of defining and assigning audits is as efficient as it could be?
  • Do you have historical record of your audit findings, issues and methods of remediation? Can you easily review and determine the most cost effective approaches to remediation?
  • Can you pull up evidence of COSO coverage as simply as you can share your Risk-Control matrix?
  • Apart from the staples of SOX documentation, where do you document things such as considerations and assumptions for key decisions, exceptions or overrides?

Probably the simplest question yielding the most telling answer regarding whether your SOX program is as effective and efficient as it can be is this: do you perform and maintain all of this documentation in one system, or is it someone’s responsibility to mine information and evidence for each external audit? If each of these processes is happening in different mediums, stored in different repositories and managed with a wide range of workflows and procedures that are in place simply because “it’s always been that way”, then you have a significant opportunity to save time and money while more effectively managing your SOX program and, therefore, improving the bottom line of your company.

Of course, this message is for those organizations that have yet to bring automation and the power of a database to their SOX processes and documentation. Still, this message should not be lost on the many policyIQ clients who already experience how easily the collaboration of work, hand-offs, review and approval can be managed in policyIQ. We work with many companies who still have portions of their SOX cycle in various systems. Aside from the plain-to-see expense of paying for many different systems, there is cost associated with ongoing maintenance, training, and the time required to bring all of the information together and to relate the key components that paint the picture of an effective internal control environment.

Reach out to us and we’ll provide you with a free demonstration and configuration guidance on streamlining the various segments of your SOX program into one efficient and manageable cycle. We can schedule your configuration session within the week and have you up and running in the next 4-6 weeks! Talk to you soon!

Sarbanes-Oxley Compliance – Are you taking advantage of all that policyIQ has to offer?

Public companies managing their Sarbanes-Oxley compliance program make up the largest section of our policyIQ client base.  Over the past few years, we have added a number of new features and pricing options that make it easier than ever to utilize policyIQ for everything from scoping and planning to issue reporting and communications.

If you aren’t utilizing policyIQ from the risk assessment to remediation, contact us today and let us show you how easy (and inexpensive!) it can be to extend your implementation to capture all aspects of the process.


Risk Assessment

Starting at the top, evaluate your financial statement line items and determine what is in scope for the coming year.

  • Calculate a risk score based on predetermined factors
  • Quickly move processes and controls in or out of scope based on risk assessments

Control Reviews and Documentation Updates

Documenting your controls is not a one-time task.  policyIQ’s electronic forms or the distribution of pages makes it easy for you to distribute control documentation to your control owners, and capture any changes or adjustments.

  • Low cost and simple tracking of electronic forms makes it easy to capture updates
  • Full audit trail of changes, with user, date and time stamps, and approval workflow allows an organization to distribute the work efficiently and safely

Links to COSO Framework

In 2013, a new COSO Framework was released and compliance with the framework is a key part of SOX compliance.

  • Easily import the framework to policyIQ and link controls to COSO Principles
  • One-click reporting to prove compliance with the framework, from COSO Principle to audit testing results

Evidence Collection

Much time can be spent by auditors collecting evidence and reports that are required for their testing.  policyIQ can make that process much simpler.

  • Low cost and simple tracking of electronic forms to track all requests for audit evidence, with automated follow-up emails for any non-responses
  • Audit trails of requests and a central place for all files means fewer lost requests

Audit Testing

Create your test plans in policyIQ, link to existing SOX controls, and easily bring testing in or out of scope for the year based on risk assessment results.

  • Simple ad-hoc and standard reporting on testing progress and results
  • All evidence uploaded into policyIQ and accessible from test pages
  • Annual roll forward process that is ready to go within minutes

Issue Tracking and Remediation

In a perfect world, your audit testing reveals a perfectly designed and perfectly operating control environment.  But perfection is hard to come by.

  • Document any issue and link it to the audit test or control from which it was identified
  • Assign remediation plans, utilize policyIQ communication alerts, and take advantage of  simple real-time reporting for updated issue status

Audit / Project Time & Expense Tracking

Internal audit teams have limited resources and need to track time and expenses so that they can most effectively use those resources in high risk areas.

  • Build audit projects and assign resources
  • Allow auditors to enter time and expenses directly from audit test documentation, with simple reporting to track budgeted versus actual hours and costs

302 Certification Processes

While the Sarbanes Oxley Act section 302 only specifies that the CEO and CFO must sign and take responsibility for the control environment, most executives require a sub-certification process to go out to management level employees across the company.

  • Create consistent certification forms and distribute to employees at multiple levels
  • Automated emails follow-up on non-responses, while administrators can quickly report on any exceptions

policyIQ can help you to manage it all in a single place, with audit trails and reporting at every step of the process.  If you use policyIQ for your Sarbanes-Oxley compliance program and you aren’t doing all of the above in the tool yet, contact us right away and let us help you to plan for expansion.  In many cases, you will be able to expand at no cost, or at very low cost.

And if you aren’t using policyIQ at all yet – please reach out today!  We would love to help you to better manage your SOX compliance.

The message is clear: “Focus on Fraud”

Public companies subject to Sarbanes Oxley (SOX) requirements with a calendar year-end are wrapping up their projects to transition to the 2013 COSO Framework. Among the seventeen Principles formalized in the 2013 framework is Principle 8, which states, “The organization considers the potential for fraud in assessing risks to the achievement of objectives.”

Track Fraud Mitigating Controls

One step that many policyIQ clients are taking to demonstrate evidence that they have adequately addressed this principle is to “flag” their controls that are fraud mitigating. If you do not already have one, we recommend adding a field to your Control template in policyIQ to track whether a Control is fraud mitigating. This allows you to easily report on all Controls where the answer is yes and to relate those Controls to Principle 8 (unless you are linking to Points of Focus, in which case you will link each of the Controls to the most appropriate of the four Points of Focus related to Principle 8).

Address Revenue Recognition Fraud

In addition to feeling greater pressure in the last couple of years from the Public Company Accounting Oversight Board (PCAOB) and the Committee of Sponsoring Organizations of the Treadway Commission (COSO), most companies will also be affected by the new Revenue Recognition Standard.  The new standard is the result of a joint effort by the Financial Accounting Standards Board (FASB) and the International Accounting Standards Board (IASB) that aims to improve upon and to address inconsistencies between the previously held International Financial Reporting Standards (IFRS) and US Generally Accepted Accounting Principles (GAAP). No doubt, some of the most notorious cases of corporate fraud have been directly related to revenue recognition fraud.

Complying with the new standard is a big undertaking for companies. We have written on our blog about the application of policyIQ to better monitor your contracts and agreements and the work that RGP has done to prepare a deep pool of Revenue Recognition subject matter experts around the country to walk alongside accounting professionals and help them to close gaps in their practices. Here, also, is a link to access the recording of RGP’s recent webcast: The New Revenue Recognition Standard Webcast Series (Part 2): How to Begin Implementing the New Standard.

Formally Assess the Risk of Fraud

Additionally, many companies are finally formalizing their fraud programs by instituting a dedicated Fraud Risk Assessment, documenting mitigating controls, identifying gaps, and filling gaps, and so on. Whether using your methodology and questionnaires or RGP’s, we can help you to manage the process more efficiently in policyIQ.

Fraud Risk Assessment Sample

Using policyIQ, it is simple to capture and deploy your fraud questionnaire(s) to the relevant employees, inventory responses and analyze results. Similar to other compliance work in policyIQ, you can link your capabilities or controls to any Fraud Risks that were identified and use policyIQ reporting to easily highlight any gaps in coverage.

Interested in bringing automation to your program or need a subject matter expert to help you develop your Fraud Prevention Program? Reach out to us and we’ll put you in touch with the right person in your area.


Addressing COSO Principle #8: Assess Fraud Risk

Risk and Compliance professionals generally agree that the updated 2013 COSO Internal Control – Integrated Framework is not, in essence, different from the 1992 version. And by now, we recognize that the most notable change requiring action is the formalization of COSO’s 17 Principles that were introduced by language embedded in the earlier version. Public companies subject to Sarbanes Oxley (SOX) requirements that utilize the COSO framework and have a calendar year-end will need to demonstrate that all 17 COSO Principles are “present and functioning” by the end of 2014.

At the conclusion of the mapping process, what many of our clients are finding is that they do already have the necessary controls in place. We are helping some clients to also identify where they have more than adequate controls and can use this thorough review as an opportunity to rationalize and reduce the number of controls that they are testing—and, in turn, reduce costs! And, in some cases, companies recognize that the practices are in place, but the controls may not be formally documented and tested.

One of the Principles that is garnering a lot of attention is Principle #8. If you haven’t before, this will likely be the year that you perform a formal Fraud Risk Assessment. You may need to reinforce documentation around your related Entity Level Controls and will want to ensure that those include measurable indicators of appropriate “Tone at the Top”. If you are not sure that you have the appropriate competencies or subject matter experts on your team, we can help to lead or supplement your assessment and documentation of your related controls. Reach out to us if you’d like more information.

Additionally, most companies required to comply with SOX likely already have a fraud hotline in place. Did you know that policyIQ also includes an electronic “WhistleBlower” module that is accessible to all company employees for anonymous submission of suspected financial reporting issues (or other issues, if you choose to rebrand the feature)? The WhistleBlower module is already available in all policyIQ sites and can be enabled at any time at no additional charge. Each case is assigned a 16 character code that is revealed only to the submitter of a case, so that he or she may periodically review the progress of any associated investigation and even correspond anonymously with an investigator. This feature provides whistle blowers with greater assurance that their voice or accent will not give away their identity if they wish to remain anonymous.

It is very simple to use policyIQ to demonstrate the presence of preventive and detective fraud mitigating controls. Simply run a report of your Controls and include those two variables as columns in your display. If you haven’t already set up your policyIQ site to capture these items, here are the steps that we recommend:

  1. Add a field to your policyIQ Control Page Template to track whether a Control is fraud mitigating.
  2. Add a field to your policyIQ Control Page Template to track whether a Control is Preventive or Detective (most policyIQ clients already include this).
  3. Review your controls and update the pages to reflect whether they are fraud mitigating and whether they are preventive or detective (note that you can use the Edit Fields option from the Table Toolbar to make bulk changes and save time).
  4. Use a policyIQ Page Detail or Page Detail Link Report to list your Fraud Mitigating Controls and whether they are Preventive or Detective.
    1. Use the report results to perform your gap analysis
    2. Use the report results as evidence of your compliance or coverage of COSO’s Principle #8!

If you’d like some support from a subject matter expert, have questions about the mapping process, or would like help with properly setting up policyIQ to support your transition to the 2013 COSO Framework, contact us and we’ll put you in touch with the appropriate resource in your area.

PCAOB noted firms’ improper application of AS5

Are you feeling the effects of the PCAOB’s recent inspections report as external auditing firms are pushing down demands for more evidence, more testing and generally more work from companies subject to SOX requirements?

Special thanks to Les Sussman (Senior Practice Leader of RGP’s Governance, Risk and Compliance practice) and Jason Chiang (an RGP Consultant for 4 years, with more than 15 years of experience as an audit and risk management professional) for presenting the key findings of the recent PCAOB Inspections Report and discussing the root causes of their reported deficiencies in our recent webinar.

Check out the following graphic for a summary of key points presented, or go directly to the recording of the related webinar (60 minutes). Presentation slides may be accessed in your online policyIQ Help guide (download the slides from the Attachments/Links tab).


10K Risk Assessment and Control Rationalization using policyIQ

With the market busting past 12,000, many small public companies’ market cap has been immediately impacted. Other companies are experiencing growth or facing acquisition. Together, all of these companies may find their filing status changing from non-accelerated to accelerated and, consequently, they are having to prepare their internal controls environment to be evaluated by external auditors this year.

Leslie Tamayo, an experienced Accounting and Finance and Sarbanes Oxley expert, developed a tried and true process for assessing risk starting with the 10K and rationalizing which controls are necessary and which no longer require testing. To put it simply, her process makes sense, is repeatable, and is proven to solidify an organization’s internal control environment. The policyIQ Team is grateful to have had the opportunity to learn and walk through the details of Leslie’s process and to partner with her to develop a method for capturing, tracking and analyzing the information in policyIQ.

The Risk Assessment Process

Use the AS5, top-down, risk-based approach to help you focus on what truly matters. Identify risks underlying relevant financial statement assertions. Then perform a thorough analysis to determine which controls really matter and, therefore, which tests are necessary.


Bring automation to your process using policyIQ

You can capture your Risk Assessment in policyIQ. We created a “K” Template in policyIQ to represent the 10K Line Item Risks. By creating a Template for our 10K Line Item Risks, rather than having a Drop Down field or representing each line item within a Folder structure, we are able to illustrate the relationship of each line item to relevant business processes and to locations more easily. This is also the best way to demonstrate the relationship between each line item risk and the related controls for your control rationalization process.

By indexing the line item risks to the appropriate Folders in policyIQ, we “mapped” them to relevant Business Processes (and you could map them to relevant location folders, too).

A very important step is to link 10K Risks to Control Activities in policyIQ. You may also wish to break down your Financial Statement Assertion field on your Control Template—instead of having a Multi-Select field, you could capture each assertion as its own field with a Yes/No choice. These two steps make the Detail Link Report simple to create and to view from different perspectives for your Control Rationalization process.


Use policyIQ Reports to see the “big picture” and to create a “dynamic” view of your Control Environment in real time.

  • Create a list of each line item’s rating for the various Risk Assessment Factors and calculate the risk
  • Validate your assessment of which Business Processes are significant by listing your 10K Line Item Risks with related Business Process Folders
  • Review complete lists of your Process Risks and your Control Activities
  • Add Financial Statement Assertions to your Controls list so that you can verify that each Control addressing an assertion is, indeed, identified as a Key Control (later, in your analysis, you may determine that some can be downgraded if they are redundant Controls)
  • Analyze coverage of Financial Statement Assertions by Controls for each of your Financial Statement Line Items

With the automation of the Risk Assessment Process you will spend less time on the manual preparation of your assessment and more time on analysis. Create a process that is more effective and more efficient by spending valuable time identifying Gaps, Redundancies and determining which Controls are truly important.
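To make the calculated risk field, the in/out-of-scope decision, and the assertion-coverage and redundancy reports described above concrete, here is an added example that is not part of the original post or of policyIQ itself. The factor names, weights, rating thresholds, assertion names, and the sample line items and controls are all constructed assumptions; substitute your own template's values.

```python
"""Weighted line-item risk scoring, scoping and assertion-coverage gap analysis.

Constructed illustration of the process described in the post: a calculated
score over six whole-number factor ratings, a threshold-based risk rating that
drives scoping, and a coverage report that surfaces assertions with no key
control. Nothing here is policyIQ's own code or configuration.
"""
from dataclasses import dataclass

# Hypothetical risk factors and weights (the template's six factors; assumed).
FACTOR_WEIGHTS = {
    "materiality": 3, "volume": 2, "complexity": 2,
    "judgment": 2, "fraud_susceptibility": 3, "change": 1,
}
# Score floors for each rating label, highest first (assumed thresholds).
RISK_THRESHOLDS = [(30, "High"), (18, "Medium"), (0, "Low")]
ASSERTIONS = ("Existence", "Completeness", "Valuation", "Rights", "Presentation")


@dataclass
class LineItem:
    name: str
    ratings: dict   # factor name -> whole-number rating (1..5)
    processes: set  # business process folders the line item maps to


@dataclass
class Control:
    name: str
    process: str
    key: bool
    assertions: set  # the Yes/No assertion fields collapsed to a set
    fraud_mitigating: bool = False


def risk_score(item):
    """The calculated field: sum(rating * weight) over every factor.
    Refuses to score an item whose factors do not match the template."""
    mismatch = set(item.ratings) ^ set(FACTOR_WEIGHTS)
    if mismatch:
        raise ValueError(f"{item.name}: factor mismatch {sorted(mismatch)}")
    return sum(item.ratings[f] * w for f, w in FACTOR_WEIGHTS.items())


def risk_rating(score):
    """Map a score to its label using the first threshold it meets."""
    for floor, label in RISK_THRESHOLDS:
        if score >= floor:
            return label


def in_scope(items, threshold="Medium"):
    """Names of line items rated at or above the scoping threshold."""
    rank = {label: i for i, (_, label) in enumerate(RISK_THRESHOLDS)}
    return {i.name for i in items
            if rank[risk_rating(risk_score(i))] <= rank[threshold]}


def coverage_gaps(items, controls, scoped):
    """For each in-scope line item, the assertions that no key control in any
    of its mapped processes addresses: the gap-analysis report."""
    gaps = {}
    for item in items:
        if item.name not in scoped:
            continue
        covered = set()
        for c in controls:
            if c.key and c.process in item.processes:
                covered |= c.assertions
        missing = [a for a in ASSERTIONS if a not in covered]
        if missing:
            gaps[item.name] = missing
    return gaps


def redundant_key_controls(controls):
    """Key controls whose assertions are a strict subset of another key
    control's in the same process: candidates for downgrade, not deletion."""
    found = []
    for c in controls:
        for other in controls:
            if (c is not other and c.key and other.key
                    and c.process == other.process
                    and c.assertions < other.assertions):
                found.append((c.name, other.name))
                break
    return found


# Constructed sample data: two line items, four Order to Cash controls.
ITEMS = [
    LineItem("Revenue", {"materiality": 5, "volume": 5, "complexity": 4,
                         "judgment": 4, "fraud_susceptibility": 5, "change": 3},
             {"Order to Cash"}),
    LineItem("Prepaid Expenses", {"materiality": 2, "volume": 1, "complexity": 1,
                                  "judgment": 1, "fraud_susceptibility": 1,
                                  "change": 1}, {"Procure to Pay"}),
]
CONTROLS = [
    Control("OTC-01", "Order to Cash", True, {"Existence", "Completeness"}),
    Control("OTC-02", "Order to Cash", True, {"Completeness", "Presentation"}),
    Control("OTC-03", "Order to Cash", True, {"Valuation"}, fraud_mitigating=True),
    Control("OTC-04", "Order to Cash", True, {"Completeness"}),
    Control("P2P-01", "Procure to Pay", True, {"Existence"}),
]

if __name__ == "__main__":
    scoped = in_scope(ITEMS)
    for item in ITEMS:
        s = risk_score(item)
        print(f"{item.name}: score={s} rating={risk_rating(s)} "
              f"in_scope={item.name in scoped}")
    print("coverage gaps:", coverage_gaps(ITEMS, CONTROLS, scoped))
    print("redundant key controls:", redundant_key_controls(CONTROLS))
```

Running it shows Revenue in scope with no key control over the Rights assertion, and OTC-04 flagged as a downgrade candidate because OTC-01 already covers everything it does.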

Documenting your Process Risks, Controls, Tests and Deficiencies

Some attendees expressed an interest in hearing more about how to capture their SOX documentation in policyIQ. If you prefer to watch, listen and learn, we have a video recording of our Sarbanes Oxley Solution training that you may review at your leisure. We also have a section in our policyIQ Help guide devoted to this topic. If you would like to talk to someone live and make arrangements for additional assistance with your policyIQ implementation or your SOX program, feel free to contact us via email or call us (toll-free) at 1-866-753-1231.

We can help you to get started this cycle!

Written Guidance
Our online Help guide walks through the Automation of Risk Assessment process, provides specific guidance on how to configure your site and how to build the Reports that we presented in our session. You will also notice that the session’s presentation deck and a link to the recording of the session are available in Help. Click here to go directly to the Risk Assessment related Help content.

On-site Expertise
Contact us and we can connect you with experts in your area who can hit the ground running and work with you to perform and document your assessment. They can help you to begin with your 10K Risk Assessment and to work through the full cycle which brings you back to confidence in your internal control environment.

policyIQ Assistance
Of course, we also can connect you with policyIQ experts to address your policyIQ implementation questions. We’re looking forward to hearing from you (support@policyIQ.com, or 1-866-753-1231).