Efficiency Throughout the SOX Process

In a number of blog posts, we’ve highlighted the ways that policyIQ can be used throughout the entire SOX process – from risk assessments through issue remediation.  This past Thursday, July 28th, we took an hour to walk through the entire process in a CPE webinar to highlight ways to create efficiency at each step.

Did you miss it?

Before we hit the highlights below, we want to point you to the session recording and the slides, both of which are available for download.

The Big Picture

We highlighted a number of big picture advantages of using policyIQ not just for SOX, but for all of your compliance initiatives.  We talked about…

  • Simplicity of rolling out and managing a cloud-based
  • Advantages of being able to assign security and access
  • And the efficiency of a single source of information through the entire compliance and audit environment.

A single source means that when you make a change in one place, that change feeds all of the different perspectives on the data.


Efficiency at Every Step

We also dug into the efficiency that can be gained at every step of the process.  Just some of those ideas are presented below.  We also mentioned additional training available for some steps, and have linked those training sessions.


  1. Risk Assessments
    • Tie risk assessments at the 10K line item level to your risks and controls for ease of scoping.
  2. Control Updates & Review
    • Allow your control owners to make updates directly in policyIQ as things change, or require regular reviews of control documentation.
  3. Walkthroughs & Testing
    • Collaborate early (and often) with external auditors to ensure that your testing is capturing all of the detail expected.
  4. Issue Tracking & Remediation
    • Assign remediation plans to owners and use automated reminders to ensure responses are provided.
  5. Conclusions & Reporting
    • Utilize flexible reporting capabilities to trace issues back to the vulnerable risks and compensating controls to make a final determination about significant deficiencies or material weaknesses.


We also included the supporting functions that feed the process.


We’re ready to help you build more efficiency into your SOX program.  Contact us today and ask to speak with our client service team to walk you through implementing some new ideas!  Not yet a policyIQ client?  Contact us and ask us for a personalized demonstration!

New Company, New Controls: policyIQ Handled it All

Any quick look around the marketplace reveals that companies big and small are constantly acquired, sold and merged.  Many of these public companies then have to figure out how their SOX compliance will be affected, and this can put a ton of stress on the audit teams that bear the responsibility of “making compliance happen”.

Fortunately for companies using policyIQ that have purchased or merged with others, the SOX issue goes from, “Can we make this transition in policyIQ, as well?” to “WOW.  That was pretty easy!”

A long-time policyIQ client recently acquired a company, and each had its own set of risks and controls.  Ultimately, their goal was to combine these two separate entities into one SOX environment while still easily distinguishing SOX work from Company A and Company B.


Our team and product made this easy.  To begin, we simply added a single-select field on their controls and risks called “Entity”, with options for Company A or B.  By doing so, we created an easily reportable way of sorting content from one company to the other.  This was done with an Import to Update (via an Excel document), meaning that much of the work was easily done in a simple spreadsheet offline.  Simple!

All new documentation from Company B was then mass imported into policyIQ a few days later.


Some companies might like this arranged differently, and that makes total sense.  We had discussed using additional folders to distinguish the risks and controls from company to company.  Advantages?  One less field per page, and a more organized folder structure (less content per folder).  Disadvantages?  There are more folders, and some folks like a really simple structure.  A difference in results or reporting?  None!

Do you feel like you should partner with a policyIQ expert to work on your SOX work this year?  Do you have a couple of ideas you’d like to run by us?  Send us an email!  Support@policyIQ.com

Sarbanes-Oxley Compliance – Are you taking advantage of all that policyIQ has to offer?

Public companies managing their Sarbanes-Oxley compliance program make up the largest section of our policyIQ client base.  Over the past few years, we have added a number of new features and pricing options that make it easier than ever to utilize policyIQ for everything from scoping and planning to issue reporting and communications.

If you aren’t utilizing policyIQ from the risk assessment to remediation, contact us today and let us show you how easy (and inexpensive!) it can be to extend your implementation to capture all aspects of the process.


Risk Assessment

Starting at the top, evaluate your financial statement line items and determine what is in scope for the coming year.

  • Calculate a risk score based on predetermined factors
  • Quickly move processes and controls in or out of scope based on risk assessments

Control Reviews and Documentation Updates

Documenting your controls is not a one-time task.  policyIQ’s electronic forms or the distribution of pages makes it easy for you to distribute control documentation to your control owners, and capture any changes or adjustments.

  • Low cost and simple tracking of electronic forms makes it easy to capture updates
  • Full audit trail of changes, with user, date and time stamps, and approval workflow allows an organization to distribute the work efficiently and safely

Links to COSO Framework

In 2013, a new COSO Framework was released and compliance with the framework is a key part of SOX compliance.

  • Easily import the framework to policyIQ and link controls to COSO Principles
  • One-click reporting to prove compliance with the framework, from COSO Principle to audit testing results

Evidence Collection

Much time can be spent by auditors collecting evidence and reports that are required for their testing.  policyIQ can make that process much simpler.

  • Low cost and simple tracking of electronic forms to track all requests for audit evidence, with automated follow-up emails for any non-responses
  • Audit trails of requests and a central place for all files means fewer lost requests

Audit Testing

Create your test plans in policyIQ, link to existing SOX controls, and easily bring testing in or out of scope for the year based on risk assessment results.

  • Simple ad-hoc and standard reporting on testing progress and results
  • All evidence uploaded into policyIQ and accessible from test pages
  • Annual roll forward process that is ready to go within minutes

Issue Tracking and Remediation

In a perfect world, your audit testing reveals a perfectly designed and perfectly operating control environment.  But perfection is hard to come by.

  • Document any issue and link it to the audit test or control from which it was identified
  • Assign remediation plans, utilize policyIQ communication alerts, and take advantage of simple real-time reporting for updated issue status

Audit / Project Time & Expense Tracking

Internal audit teams have limited resources and need to track time and expenses so that they can most effectively use those resources in high risk areas.

  • Build audit projects and assign resources
  • Allow auditors to enter time and expenses directly from audit test documentation, with simple reporting to track budgeted versus actual hours and costs

302 Certification Processes

While Section 302 of the Sarbanes-Oxley Act only specifies that the CEO and CFO must sign and take responsibility for the control environment, most executives require a sub-certification process to go out to management-level employees across the company.

  • Create consistent certification forms and distribute to employees at multiple levels
  • Automated emails follow up on non-responses, while administrators can quickly report on any exceptions

policyIQ can help you to manage it all in a single place, with audit trails and reporting at every step of the process.  If you use policyIQ for your Sarbanes-Oxley compliance program and you aren’t doing all of the above in the tool yet, contact us right away and let us help you to plan for expansion.  In many cases, you will be able to expand at no cost – or very low costs.

And if you aren’t using policyIQ at all yet – please reach out today!  We would love to help you to better manage your SOX compliance.

Have you adopted the new COSO Framework?

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released their updated framework for assessing and reporting on the design and operating effectiveness of internal controls in May of this year. Have you adopted COSO’s new framework and adapted your policyIQ structure to accommodate it? The original integrated framework published by COSO and followed by the majority of public companies subject to the Sarbanes-Oxley Act was released in 1992. The foundation and guidance of the 1992 framework is considered valid and will continue to be made available until the committee (COSO) officially replaces it on December 15, 2014.

So, the clock is ticking.

RGP has helped a number of clients to adopt the new COSO framework and to use our in-house GRC application, policyIQ, to manage the documentation and processes associated with compliance. The process starts with seventeen principles that were introduced with the original framework, but were only highlighted and explicitly called out this year with the release of the new framework. Refer to COSO’s 2013 Internal Control—Integrated Framework for a detailed list and explanation of the seventeen principles.

Plan to transition – we can guide you

Our professional consultants can certainly help you with methodology including the assessment and development (or verification) of controls, as well as testing to ensure that the principles are met. Here are some simple steps you can take to plainly demonstrate consideration and alignment with the seventeen principles within policyIQ:

1. We recommend establishing an independent template for capturing them in your policyIQ site.
2. You may also wish to establish a separate Folder structure to easily trace each principle and related controls back to their associated COSO component.


Combining these steps with your ability to link related controls, tests and deficiencies will allow you to build reports illustrating those relationships and to present a complete picture of where you are meeting and, perhaps more importantly, where you are deficient in meeting the COSO principles.

Take 15 minutes today to set up your site—we can help!

If you have any questions or would like some help with implementation of the new COSO integrated framework or with documentation, reach out to us and we’ll put you in touch with the appropriate contact.