Welcome guest blogger, Jason Chiang. With RGP for nearly 8 years, Mr. Chiang has more than 20 years of experience and expertise in Audit, Risk and Compliance. He has consulted with a range of companies from financial services, biotech, manufacturing, healthcare and other industries. Mr. Chiang is a Certified Public Accountant (inactive) and Certified Internal Auditor. He has served on both sides of the house as a senior audit manager and senior auditor as well as a risk manager. It is evident that he understands the motivations and hurdles facing these organizations and approaches their complex issues with integrity and professionalism.
The following article was written by Jason Chiang (with editing support from Stephenie Buehrle). The approach and recommendations are his.
Not all roads lead to successful IPO
When a company approaches its initial public offering (IPO), it enters a very different arena. Because it now has access to public funds, that is, the retirement savings of Main Street USA, the company must meet quarterly SEC filing requirements. This is a significant amount of work. An investment in people experienced with technical accounting, SEC financial reporting, and Sarbanes-Oxley (SOX) compliance evaluations, combined with an investment in systems and tools to do the work efficiently, completely and accurately, is crucial to meeting the filing deadlines.
One cannot audit all internal controls over financial reporting (ICFR). Thus, performing a SOX risk assessment is necessary to identify the significant accounts and their relevant assertions. If you happen to be one of these companies developing a road-map to your IPO, SOX may not be the place where you want to focus significant time and financial resources, but you realize that it has to get done. Be sure that you consider, at minimum, these critical components:
A risk assessment is the process of identifying significant accounts and disclosures and their respective relevant assertions as they relate to the financial statements. A properly done risk assessment allows the company to work smart by focusing its internal controls evaluation on the areas where there is a possibility of a material error.
The Risk Assessment must include:
- Quantitative factors such as account balance, frequency of transactions, and dollar value of each transaction; and
- Qualitative factors such as complexity of the related transactions, subjectivity of the accounting rules over those transactions, and fraud considerations.
As the business and its risks change, the risk assessment must be updated.
A narrative provides mid-level detail of the transactions and internal controls within a business process and includes who performs the transactions and controls, how frequently, and in what location. The initial creation of narratives gives process owners an opportunity to revisit and reflect on the current processes and make improvements for operational efficiency or control effectiveness. It is a written document that internal employees, internal auditors, and external consultants and auditors can read to gain a preliminary understanding of the process. As processes change, the narrative provides a format in which to document the change.
What critical things must be considered regarding Narratives?
- The narrative should be written knowing that auditors will be a primary reader and will be looking for controls that mitigate risks.
- When describing management review processes in the narrative, articulate how the manager gains assurance of the completeness and accuracy of the supporting evidence before signing off. If the manager is using judgment, describe the factors considered.
- Narratives should be updated as changes are implemented in the organization. The updates should follow a workflow where there is a review process for significant changes.
A control matrix lists the controls the company has identified to mitigate risks. The control matrix serves as evidence that identified risks are mapped to controls, which are then evaluated for management's assessment of internal controls. The control matrix is also a primary client document that auditors leverage to perform their independent test of controls.
Take care to ensure that:
- The controls in the Controls Matrix are mapped to risks.
- The Controls Matrix is in a format that can be sorted or reported in both directions: by control, showing the risks each control addresses (for test of controls purposes), and by risk, showing the controls mapped to each risk (to evaluate whether every risk is mitigated by a control).
- Controls in the Controls Matrix are labeled and given an abbreviated title (10 words max) for ease of reporting and reference.
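The two-way check described above (every risk mitigated by at least one control, every control mapped to at least one risk, every control labeled with a short title) is easy to automate once the matrix is exported. The script below is an added example, not policyIQ's code or the author's; the column names, the `R-`/`C-` identifier format and the sample rows are constructed for illustration.

```python
"""
Control-matrix consistency check (added example, not from the original post).

Assumptions: the matrix is exported as CSV with one row per control-to-risk
link and the columns control_id, title, risk_id; the risk register is a plain
list of risk IDs. All identifiers and rows below are constructed sample data.
"""
import csv
import io

# Constructed sample matrix. C-003 has no title, C-004's title is too long,
# and C-005 is not mapped to any risk.
SAMPLE_MATRIX_CSV = """control_id,title,risk_id
C-001,Three-way match before AP payment,R-010
C-001,Three-way match before AP payment,R-011
C-002,Monthly bank reconciliation reviewed by controller,R-020
C-003,,R-030
C-004,Quarterly review of revenue recognition judgments for complex multi element arrangements by the CAO,R-040
C-005,Access review for ERP superusers,
"""

# Constructed risk register; R-050 deliberately has no control mapped to it.
SAMPLE_RISKS = ["R-010", "R-011", "R-020", "R-030", "R-040", "R-050"]


def load_matrix(csv_text):
    """Parse the CSV into both views of the matrix plus the control titles.

    Returns (controls_to_risks, risks_to_controls, titles). A control with an
    empty risk_id is still registered so it shows up as unmapped.
    """
    controls_to_risks = {}
    risks_to_controls = {}
    titles = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        cid = row["control_id"].strip()
        rid = (row["risk_id"] or "").strip()
        titles[cid] = (row["title"] or "").strip()
        controls_to_risks.setdefault(cid, set())
        if rid:
            controls_to_risks[cid].add(rid)
            risks_to_controls.setdefault(rid, set()).add(cid)
    return controls_to_risks, risks_to_controls, titles


def by_risk(csv_text):
    """Risk-to-controls view: {risk_id: [control_id, ...]} sorted for reporting."""
    _, r2c, _ = load_matrix(csv_text)
    return {r: sorted(c) for r, c in sorted(r2c.items())}


def by_control(csv_text):
    """Control-to-risks view: {control_id: [risk_id, ...]} for test of controls."""
    c2r, _, _ = load_matrix(csv_text)
    return {c: sorted(r) for c, r in sorted(c2r.items())}


def check_matrix(csv_text, risk_register, max_title_words=10):
    """Return findings as sorted lists; all lists empty means the matrix is consistent."""
    c2r, r2c, titles = load_matrix(csv_text)
    register = set(risk_register)
    return {
        # Risks in the register that no control mitigates: a scoping gap.
        "unmitigated_risks": sorted(r for r in register if r not in r2c),
        # Risks referenced by the matrix but missing from the register.
        "unknown_risks": sorted(r for r in r2c if r not in register),
        # Controls with no risk mapping; they do not belong in the test population.
        "unmapped_controls": sorted(c for c, risks in c2r.items() if not risks),
        # Controls whose abbreviated title is missing or longer than the limit.
        "bad_titles": sorted(
            c for c, t in titles.items() if not t or len(t.split()) > max_title_words
        ),
    }


if __name__ == "__main__":
    for kind, ids in check_matrix(SAMPLE_MATRIX_CSV, SAMPLE_RISKS).items():
        print(f"{kind}: {', '.join(ids) or 'none'}")
```

Run against the sample data it flags R-050 as unmitigated, C-005 as unmapped, and C-003 and C-004 as having unusable titles; `by_risk` and `by_control` give the two sorted views the bullet above asks for.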
Testing is the evaluation of the design and operating effectiveness of the company's controls. The results of testing provide company management with a baseline that may inform strategic and operational decisions. For publicly held companies, testing is an SEC requirement.
Critical considerations for testing:
- Where feasible, re-perform the actual control as the employee performed it (e.g., for a 3-way match of purchase order, invoice, and shipping documents, test that the employee performed the match and retained evidence of it, rather than requesting the three documents and performing the match yourself).
- When testing management review controls, do not simply accept the sign-off; understand the steps and judgments the manager used, and test accordingly.
- The documentation of testing should allow someone else to reasonably re-perform the testing. If external auditors rely on the testing, the breadth of documentation matters more. If not, not everything needs to be retained, but what is retained should be readily retrievable when needed.
Control owners certify to the CFO and CEO on a quarterly basis that their controls are operating effectively and, if they are not, what the remedial action plans are. Because they are certifying to the top two officers of the company, control owners are held directly accountable for their controls.
Recommendations for certifications:
- The number and level of the people certifying to the CFO and CEO should be carefully considered. To maintain the efficiency and integrity of the certification, the certifiers should be their direct reports and one level removed. In a larger organization, there can also be sub-certifications up to the senior manager level.
- The certification questions should combine checklist questions with open-ended questions to encourage a thoughtful process.
- Utilizing software for tracking, follow-up, and retention purposes is advised.
Depending on the number of people involved with the inputs into the various components, one might decide that performing and capturing the work in Excel is sufficient, while others might prefer utilizing a SOX tool where there are extra protections in version control while allowing multiple users to perform inputs simultaneously in multiple locations. A SOX tool may also provide management with options for review, analysis and oversight that are not available in Excel.
To avoid unexpected setbacks, be sure to plan enough time into your IPO readiness map for SOX evaluations. The initial SOX program development and implementation is likely to require six months and can vary depending on your access to subject matter experts. Coordination and alignment of the SOX efforts and objectives among the audit committee, senior management, process owners, and internal and external auditors is paramount for a successful implementation.
If your organization is approaching your initial public offering and you’re interested in learning more about how RGP can support you with subject matter expertise and a tailored technology solution to help ensure that you are prepared for your SEC filing and financial reporting requirements, reach out to us (Information@policyIQ.com, 412.263.3330) and we’ll connect you with our RGP colleagues near you!
Did you miss our recent training session on completing our SOX Risk Assessments and scoping exercises in policyIQ? Not to worry – we have you covered!
How Can I Catch Up?
If you want to get into the details, we have the training session and materials available for download!
- You can access the slides here.
- You can also view the recording from our policyIQ training page.
The training page is linked from your policyIQ login page – and available from within the online Help Guide. If you don’t have access to the training page, please reach out and we’ll send you the link!
Just the Highlights, Please!
This training session aimed to ensure that participants are able to…
We discussed common SOX risk assessments at the financial statement line item level, targeting risk factors like…
In addition to illustrating how to create the calculation directly in policyIQ, we also acknowledged that some folks love their MS Excel process. policyIQ can handle that, too, through the import option!
Then we took a close look at the relationships between the content that allows for the most effective scoping options.
And finally, we walked through the reports that provide the final step in the scoping process.
We would love to help YOU get started on your risk assessments in policyIQ, so that we can link into your SOX work for ease of annual scoping. Contact us today and we’ll meet with you at no cost to help you get on your way!
With our upcoming release of policyIQ version 7.7, we are rolling out an unexcitingly named feature we refer to as “Form Bundle Imports”. It might not have the flashiest name, but the feature can open new doors for your organization!
Form Bundles and Their Purpose
If you are familiar with forms in policyIQ, you know that you can pull forms together into bundles. Form bundles are really just collections of forms to be issued at the same time, and bundling them together can make it easier to push them out. Form bundles do serve another purpose, though. By creating a form bundle, you are able to add unique default data to each instance of the form that is being issued.
For example, if you issue Account Reconciliation Forms, you may add the account number and account name to the form, so that you ensure that each account is covered in the reconciliations. If you use a form bundle to collect Control Self-Assessments or Control Reviews, you will link each instance to a different Control page, so that each control is covered in the assessment.
Typically, the first set-up of the form bundle can be a bit cumbersome, as you likely either had to set up each individual instance by hand, or perhaps you engaged our support team to import the details for you. After the initial set-up, you probably just copied the form bundle for subsequent periods. Because of the cumbersome nature of the set-up, it is unlikely that you added new, customized data each time.
Now – Let’s Imagine Being Able to Import Detailed Default Data On Demand!
Account Reconciliations is the area where we expect that this import option offers the most dramatic change. Now, a simple import can pull in unique data on the first day of the month – including account name, account number, and current balance!
We also know that the controls that your organization manages do not always stay static. Being able to import based on your current list of in-scope key controls will allow you to more quickly create an accurate and complete Control Review or Control Self-Assessment process. And if you bring on a new entity or acquire a new company? No problem! A quick import will add their controls to the mix.
We’ve also recently talked to clients about automating Evidence Requests, and this import function will make it easy to create forms and push out requests when needed. Simply create your list of evidence required, who is required to provide it, and import. Boom.
Tell Us How You Will Use Form Bundle Imports!
We know that when we release a feature like Form Bundle Imports, we will have clients who think of new ways to use it that never occurred to us before. What do you think? How are you planning to use this new feature?
Does the task of updating control documentation in more than one location seem redundant and a drag on your day?
Changing the description or general governing details of any page in policyIQ can create a wave of changes that need to be made in other places in the site. Wouldn’t it be great to make the update once, and have that update be reflected everywhere?
It definitely would be. Consider it done!
The next update of policyIQ will include a new field type: Linked Fields. A linked field is auto-populated with the data from an existing field on a linked page. For our SOX and Audit clients, think about things like control descriptions. These descriptions are periodically tweaked, and each change needs to be reflected everywhere the description appears. We'll create a linked field on the test result pages that are linked to a control page, and point it at the description on that control page. With this setup, the control page can be updated, and the test pages automatically pick up those changes.
Creating new linked fields is easy, and it’s coming to your policyIQ site in the next few months! Please contact us with any questions or thoughts on how you may take advantage of this huge new feature.
In a number of blog posts, we’ve highlighted the ways that policyIQ can be used throughout the entire SOX process – from risk assessments through issue remediation. This past Thursday, July 28th, we took an hour to walk through the entire process in a CPE webinar to highlight ways to create efficiency at each step.
Did you miss it?
Before we hit the highlights below, we want to point you to the session recording and the slides, both of which are available for download.
The Big Picture
We highlighted a number of big picture advantages of using policyIQ not just for SOX, but for all of your compliance initiatives. We talked about…
- Simplicity of rolling out and managing a cloud-based
- Advantages of being able to assign security and access
- And the efficiency of a single source of information through the entire compliance and audit environment.
A single source means that when you make a change in one place, that change feeds all of the different perspectives on the data.
Efficiency at Every Step
We also dug into the efficiency that can be gained at every step of the process. Just some of those ideas are presented below. We also mentioned additional training available for some steps, and have linked those training sessions.
- Risk Assessments
- Tie risk assessments at the 10K line item level to your risks and controls for ease of scoping.
- Control Updates & Review
- Allow your control owners to make updates directly in policyIQ as things change, or require regular reviews of control documentation.
- Walkthroughs & Testing
- Collaborate early (and often) with external auditors to ensure that your testing is capturing all of the detail expected.
- Issue Tracking & Remediation
- Assign remediation plans to owners and use automated reminders to ensure responses are provided.
- Conclusions & Reporting
- Utilize flexible reporting capabilities to trace issues back to the vulnerable risks and compensating controls to make a final determination about significant deficiencies or material weaknesses.
We also included the supporting functions that feed the process.
- Map to COSO 2013
- Link Entity Level Controls to COSO Principles
- Evidence Collection
- Assign evidence requests, utilize automated reminders, and track receipt of documentation
- Time & Expense Tracking
- Report on budgeted versus actual hours and cost, and use the data for next year’s planning
- SOX 302 (Sub)Certification
- Assign role-specific questionnaires, utilize automated reminders, and report on exceptions
We’re ready to help you build more efficiency into your SOX program. Contact us today and ask to speak with our client service team to walk you through implementing some new ideas! Not yet a policyIQ client? Contact us and ask us for a personalized demonstration!
Go to our website, www.policyIQ.com, to learn more, download datasheets, request a trial, demo, or to buy policyIQ! You may also reach out to us directly at 1.866.753.1231 or info@policyIQ.com.
For many years, we have been encouraging our clients to utilize policyIQ for all aspects of their compliance programs – from the assessment of risk through the remediation of issues. However, during a recent conversation with long-time client, Travis Heyer (Director of Internal Audit at Great Lakes Dredge and Dock), we realized that we had not yet clearly illustrated in a live training session how to effectively request and capture audit evidence within policyIQ.
Travis graciously agreed to work with us to create a training session – and brought his colleague, Amit Patel (Senior Auditor) along with him. On Thursday, March 31, we presented this session to a large number of very active participants. (You can check out the recording of the session, or download the slides for a quick overview.)
It’s really all about saving time
Automating the requests for audit evidence can allow your internal audit team to…
- Avoid playing "Match the evidence to the request!"
- Minimize the risk of using an old version of a file
- Stop wasting time sending annoying follow-ups
- Secure documentation more effectively
It comes down to a huge time savings, freeing up internal audit resources to do the real, value-add work that your organization needs.
Pages or Forms?
While the training presentation focused on an evidence collection process in policyIQ pages, a similar process can be built within policyIQ forms.
Pages offer the advantage of a two-way link between the Evidence Request and the Test page, so that your internal auditors can simply leave the files attached to the Evidence Request. Pages also allow more than one individual user to contribute directly to the same Request. However, utilizing Pages requires that all users who participate in the process of providing evidence are Advanced Users, a more expensive license in policyIQ.
Forms offer their own advantages, allowing for a simple issuing and follow-up process. However, the link between the Evidence Request form and the Test page is less visible. Evidence files will need to be downloaded and re-uploaded to the Test page by the auditor. The significant advantage of the Forms process is that any individual providing evidence needs only to have a Standard User license, a less expensive license that can keep costs low!
Getting started in 5 easy steps
Our training session focused on how to get started in just five easy steps:
- Create Evidence Request template
- Build list of evidence in Excel
- Import evidence request list
- Assign requests
- Track progress and follow-up
We encourage you to check out the recording or the slides for more details on these steps – and reach out to us to help you to get your bearings and get started!
Any quick look around the marketplace reveals that companies big and small are constantly acquired, bought, sold and merged. Many of these public companies then have to figure out how their SOX compliance will be affected, and this can put a ton of stress on the audit teams that bear the responsibility of "making compliance happen".
Fortunately for companies using policyIQ that have purchased or merged with others, the SOX issue goes from, “Can we make this transition in policyIQ, as well?” to “WOW. That was pretty easy!”
A long-time policyIQ client recently acquired a company, and each had its own set of risks and controls. Their goal was to combine these two separate entities into one SOX environment while easily distinguishing the SOX work of Company A from that of Company B.
Our team and product made this easy. To begin, we simply added a single-select field on their controls and risks called “Entity”, with options for Company A or B. By doing so, we created an easily reportable way of sorting content from one company to another. This was conducted by an Import to Update (via an Excel document), meaning that much of the work was easily done in a simple spreadsheet offline. Simple!
All new documentation from Company B was then mass imported into policyIQ a few days later.
Some companies might like this arranged differently, and that makes total sense. We had discussed using additional folders to distinguish the risks and controls from company to company. Advantages? One less field per page, and a more organized folder structure with less content per folder. Disadvantages? There are more folders, and some folks like a really simple structure. A difference in results or reporting? None!
Do you feel like you should partner with a policyIQ expert to work on your SOX work this year? Do you have a couple of ideas you’d like to run by us? Send us an email! Support@policyIQ.com