New Company, New Controls: policyIQ Handled it All

Any quick look around the marketplace reveals that companies big and small are constantly acquired, bought, sold and merged on a constant basis.  Many of these public companies then have to figure how how their SOX compliance will be affected, and this can put a ton of stress on the audit teams that bear the responsibility of “making compliance happen”.

Fortunately for companies using policyIQ that have purchased or merged with others, the SOX issue goes from, “Can we make this transition in policyIQ, as well?” to “WOW.  That was pretty easy!”

A recent long time policyIQ client acquired a company, and each had their own set of risks and controls.  Ultimately, their goal was to combine these two separate entities into one SOX environment, and easily distinguish between SOX work from Company A and Company B.


Our team and product made this easy.  To begin, we simply added a single-select field on their controls and risks called “Entity”, with options for Company A or B.  By doing so, we created an  easily reportable way of sorting content from one company to another.  This was conducted by an Import to Update (via an Excel document), meaning that much of the work was easily done in a simple spreadsheet offline.  Simple!

All new documentation from Company B was then mass imported into policyIQ a few days later.


Some companies might like this arranged differently, and that makes total sense.  We had discussed using additional folders to distinguish the risks and controls from company to company.  Advantages?  One less field per page, and a more organized folder structure-less content per folder.  Disadvantages?  There are more folders, and some folks like a really simple structure.  A difference in results or reporting?  None!

Do you feel like you should partner with a policyIQ expert to work on your SOX work this year?  Do you have  a couple of ideas you’d  like to run by us?  Send us an email!

It’s true! policyIQ is a misfit among typical software providers.

Have you been burned by a software provider?

Sheesh—who hasn’t?!

You worked for months (years for some), listening to promises from several different people who kept handing you off and never addressing your concerns. You found yourself with more time and money invested than you care to admit and you have grown to look at all software providers with skepticism (if not disgust).

Does this sound familiar?

I hear you. Your frustration was echoed by countless people that I spoke with at a national conference in March. Because a number of people felt compelled to share their horror stories about other providers with me, I got comfortable jumping quickly to the things that make us different than the typical software company:

  • All-in-one_BubblesRGP is NOT a software company! Integrity is at the core of our firm. We want to create great relationships and serve you so impressively that, when you need a consultant, you already know the quality that you can expect from us.
  • We don’t have a huge policyIQ booth at conferences and our software does not have the huge price-tag required to pay for that presence (policyIQ starts at <$5k/year).
  • We don’t sell multiple modules or products and aim to upsell you. policyIQ really does accommodate multiple business areas and needs in one affordable tool.
  • Our goal is to solve for your information, content, process, and workflow challenges across the Governance, Risk and Compliance (GRC) space, not to land a sale.
  • Your sales person does not make commission or hand you off to an implementation team that’s unaware of promises made during the sales process—we walk alongside you the whole way and help to tailor the implementation to your organization’s needs.
  • Our product does what we tell you it does (and we answer truthfully if you ask us about something we don’t do or plan to develop).
  • We have a support team that truly cares to give you excellent and timely service.

We think of our clients as part of our community with whom we will have a long partnership. We listen to your needs, plans, wishes and heartaches and work continuously to problem solve with you.

We’re proud to be a misfit among typical software providers.

pIQ_Misfit_smWe’re ready to prove it and to earn your trust.

We encourage you to take a peek at this introduction to policyIQ, and then reach out to us!  We’d be glad to schedule a personalized tour of policyIQ. Also, we invite you to kick the tires! Sign up for a 30-day trial, completely risk-free.

We look forward to working with you!

Which part of your SOX program do you want to improve this year? This list of resources will help.

Soup to nuts—or Risk Assessment to Review of Evidence, we are ready to help you make your 2016 Sarbanes Oxley compliance work more efficient than ever! You will notice that we have another post this month that talks about rolling forward last year’s SOX work to create the baseline for your 2016 work. Some of you might not want to repeat last year’s work. Maybe you didn’t use policyIQ last year or you’d like to make improvements on what was done in previous years and take advantage of all that policyIQ has to offer. We have some tips and tools to help you:


  • Risk Assessment – We previously shared a sample template with you that you might want to implement for 2016. If you already have your Financial Statement Risk Assessment complete, we can help you with your plan to import and tie the results of that assessment to relevant assertions and controls. Capturing the full cycle in one place will not only help your organization to be much more efficient, it will also save time and money when your external auditors are looking to connect.
  • PCAOB’s Auditing Standard No. 5 – Are you looking to make improvements to your process and work more efficiently this year? Check out this visual summary or watch the full recording of the webinar that walks through the application of AS5.
  • chart2Link related compliance elements and utilize various reports to monitor progress, analyze performance, and stay on top of your program. We have lots of ideas about SOX reporting. Check out you online Help manual and this post for some ideas.
  • Automate supporting processes – are you still using Word, Excel, and email to manage your 302 Certifications, Control Self Assessments and Narrative Reviews? One of the most frustrating parts of this work is having to inventory the responses and pester people to get their work done. You can literally perform the setup of these tasks one time and then consider it complete forever after using policyIQ’s Forms functionality to automate the inventory and reminders.
  • consultantsGrant External Auditors access to only that content which you want them to see! Have you done this yet? I recall being scolded by a client who told me that we don’t brag about this benefit enough. He felt that he could have saved a significant amount of time and money over the years and wished he had granted their external auditors access much sooner. It’s really easy to bring them into the fold and show them only what you want them to be able to review. Here’s how.
  • Evidence gathering – If you find that a lot of time is spent by auditors, managers—everyone—rounding up information, perhaps it is time to commit to one main holding place for your evidence. You can even use policyIQ to help automate and monitor the collection of evidence. We have some posts discussing what has been done in the past and we’ll be taking a fresh look at options surrounding the Evidence Collection effort in an upcoming training session—please join us!

E012649We hope that this list of resources is helpful to you or at least has you thinking about things that you’d like to manage more efficiently. We often work with people who feel like they just don’t have time to figure out how to save time! We get it. That’s what we’re here for! If you don’t have time to read posts and play around in policyIQ, but want to realize the benefits sooner than later, reach out to us and we’ll walk you through some simple adjustments that you can make to gain relief and command over your information right away!

Stop Costly Mining of Information for Each Audit

Many organizations have seen a shift in their SOX environment in recent years. SOX has become commoditized and leadership is concerned about buckling down on the level of work and on the cost of SOX. While many companies have reviewed, rationalized and streamlined their controls down to a more manageable level, focusing on testing only the key controls amounting to less than 150 in most cases, we still see that many have not entirely streamlined their management of the full cycle of analysis and documentation. Have you?

  • FinancialStatementsWho performs your Financial Statement Risk Assessment? Where is the documentation of that process and the conclusions regarding significant accounts and relevant assertions kept?
  • Have you plainly identified and documented your Financial Statement Risks and are you able to demonstrate which Controls are critical to their mitigation?
  • Of course, tests are being performed; but how are you tracking the evidence associated with those tests and does it seem that the process of defining and assigning audits is as efficient as it could be?
  • Do you have historical record of your audit findings, issues and methods of remediation? Can you easily review and determine the most cost effective approaches to remediation?
  • Can you pull up evidence of COSO coverage as simply as you can share your Risk-Control matrix?
  • Apart from the staples of SOX documentation, where do you document things such as considerations and assumptions for key decisions, exceptions or overrides?

Probably the most simple question yielding the most telling answer regarding whether your SOX program is as effective and efficient as it can be is this: do you perform and maintain all of this documentation in one system or is it someone’s responsibility to mine information and evidence for each external audit? piggybankIf each of these processes is happening in different mediums, stored in different repositories and managed with a wide range of workflows and procedures that are in place simply because “it’s always been that way”, then you have a significant opportunity to save time and money while more effectively managing your SOX program and, therefore, improving the bottom line of your company.

Of course, this message is for those organizations that have yet to bring automation and the power of a database to their SOX processes and documentation. Still, this message should not be lost on the many policyIQ clients who already experience how easily the collaboration of work, hand-offs, review and approval can be managed in policyIQ. We work with many companies who still have portions of their SOX cycle in various systems. Aside from the plain-to-see expense of paying for many different systems, there is cost associated with ongoing maintenance, training, and the time required to bring all of the information together and to relate the key components that paint the picture of an effective internal control environment.

Reach out to us and we’ll provide you with a free demonstration and configuration guidance on streamlining the various segments of your SOX program into one efficient and manageable cycle. We can schedule your configuration session within the week and have you up and running in the next 4-6 weeks! Talk to you soon!

Sarbanes-Oxley Compliance – Are you taking advantage of all that policyIQ has to offer?

Public companies managing their Sarbanes-Oxley compliance program make up the largest section of our policyIQ client base.  Over the past few years, we have added a number of new features and pricing options that make it easier than ever to utilize policyIQ for everything from scoping and planning to issue reporting and communications.

If you aren’t utilizing policyIQ from the risk assessment to remediation, contact us today and let us show you how easy (and inexpensive!) it can be to extend your implementation to capture all aspects of the process.


Risk Assessment

Starting at the top, evaluate your financial statement line items and determine what is in scope for the coming year.

  • Calculate a risk score based on predetermined factors
  • Quickly move processes and controls in or out of scope based on risk assessments

Control Reviews and Documentation Updates

Documenting your controls is not a one-time task.  policyIQ’s electronic forms or the distribution of pages makes it easy for you to distribute control documentation to your control owners, and capture any changes or adjustments.

  • Low cost and simple tracking of electronic forms makes it easy to capture updates
  • Full audit trail of changes, with user, date and time stamps, and approval workflow allows an organization to distribute the work efficiently and safely

Links to COSO Framework

In 2013, a new COSO Framework was released and compliance with the framework is a key part of SOX compliance.

  • Easily import the framework to policyIQ and link controls to COSO Principles
  • One-click reporting to prove compliance with the framework, from COSO Principle to audit testing results

Evidence Collection

Much time can be spent by auditors collecting evidence and reports that are required for their testing.  policyIQ can make that process much simpler.

  • Low cost and simple tracking of electronic forms to track all requests for audit evidence, with automated follow-up emails for any non-responses
  • Audit trails of requests and a central place for all files means fewer lost requests

Audit Testing

Create your test plans in policyIQ, link to existing SOX controls, and easily bring testing in or out of scope for the year based on risk assessment results.

  • Simple ad-hoc and standard reporting on testing progress and results
  • All evidence uploaded into policyIQ and accessible from test pages
  • Annual roll forward process that is ready to go within minutes

Issue Tracking and Remediation

In a perfect world, your audit testing reveals a perfectly designed and perfectly operating control environment.  But perfection is hard to come by.

  • Document any issue and link it to the audit test or control from which it was identified
  • Assign remediation plans, utilize policyIQ communication alerts, and take advantage of  simple real-time reporting for updated issue status

Audit / Project Time & Expense Tracking

Internal audit teams have limited resources and need to track time and expenses so that they can most effectively use those resources in high risk areas.

  • Build audit projects and assign resources
  • Allow auditors to enter time and expenses directly from audit test documentation, with simple reporting to track budgeted versus actual hours and costs

302 Certification Processes

While the Sarbanes Oxley Act section 302 only specifies that the CEO and CFO must sign and take responsibility for the control environment, most executives require a sub-certification process to go out to management level employees across the company.

  • Create consistent certification forms and distribute to employees at multiple levels
  • Automated emails follow-up on non-responses, while administrators can quickly report on any exceptions

policyIQ can help you to manage it all in a single place, with audit trails and reporting at every step of the process.  If you use policyIQ for your Sarbanes-Oxley compliance program and you aren’t doing all of the above in the tool yet, contact us right away and let us help you to plan for expansion.  In many cases, you will be able to expand at no cost – or very low costs.

And if you aren’t using policyIQ at all yet – please reach out today!  We would love to help  you to better manage your SOX compliance.

policyIQ a big hit at the GAM Conference!

GAM BannerAs the IIA has been known to do, their General Audit Management (GAM) Conference was packed with many high caliber speakers again this year! Presenters provided a wide array of insights falling within five tracks:

  • Talent & Resource Strategies
  • Regulatory & Compliance Issues
  • Risk Management
  • Innovation & Technology
  • Stakeholder Relationships & Expectations

Click here to check out the 2015 GAM Twitter highlights!

This year’s conference drew a record crowd and it seemed that the number of visitors to the RGP booth reflected that—we kept very busy talking about the things that differentiate us from other firms, such as

  • 3,000+ professionals in 70+ wholly owned offices (not affiliates) worldwide
  • Consultants have 10-20 years’ experience
  • 87 of the Fortune 100 served
  • 100% retention of top 50 clients
  • Served more than half the Fortune 1000

RGP_PartnersWe had more inquiries about policyIQ this year than at any previous conference. This was in keeping with a theme at the conference regarding leveraging technology to help audit to be more effective and more efficient. Our GAM audience seemed pleasantly surprised and asked the most follow-up questions when they realized that policyIQ can serve several Governance, Risk and Compliance needs within one tool—we do not require, cajole or have to finagle unsuspecting clients into purchasing additional tools or modules to meet their needs. Unlike other audit and GRC tool providers, we are focused on solving their problems and helping them to be more efficient—not on trying to milk them for multiple software applications and upgrades!

pIQ_All-in-oneOther policyIQ qualities that caught the attention of GAM attendees:

  • policyIQ is significantly less expensive than other tools
  • Implementation takes 4-6 weeks (not months or years)
  • Expert configuration support is included
  • Our team is known for “Excellent” service and support

There are some things that you DON’T get with policyIQ that stunned some technology shoppers, too:

  • No extra modules to buy
  • No up-front license fee
  • No upgrade fees
  • No hardware to purchase
  • No IT resources required

This summed up my experience at GAM this year:

GAM_FriendsIf I didn’t have an opportunity to address your questions at GAM and/or you’d like to talk more about how you can employ policyIQ to make your team more efficient, reach out to us at or 866-753-1231. We’ll have you up and running within the next quarter!

Wishing to Automate Control Self-Assessments?

It’s that time of year again—when we’re seeing a wave of companies hoping to finally manage their Control Self-assessments more efficiently. Yes, we can help you to set up your policyIQ site to automate the process of issuing the questionnaires, simplify the submission of responses and take away the laborious, albeit tedious, activity of having to inventory responses and determine who you’ve heard from, who has not yet responded, and to identify any outliers that require follow-up work.

gearsIf you’re ready to dive in and just want a few pointers, we’ve written about this topic a number of times. Feel free to pull from these tips or reach out to us and we’ll schedule a quick working call to walk you through the steps.

If you’re not sure where to begin, but you recognize that it’s time to get off the gerbil wheel, we can help you to start the conversation and put all of the necessary pieces in place. Following are some common project management-like questions that may help to move the policyIQ implementation for Control Self-assessments forward:


  • Do you have a project manager in charge of the implementation of policyIQ?
    • If yes, great! We can guide your PM through the steps for implementation and have you up and running by next quarter!
    • If not, no problem—we have project management expertise and can connect you with a subject matter expert to help you get the job done by next quarter.
  • Do you already have policyIQ Site Administrators? We recommend having no less than two so that each has a back-up and that you limit the number of Site Administrators to avoid “too many cooks in the kitchen”.
  • We can import content from Excel. On that note…self assessment
    • What is the condition of your data? Is it up-to-date and accurate or does it require “scrubbing”?
    • Do you have a current Risk/Control Matrix?
    • Is your data in several decentralized spreadsheets with varying degrees of completeness and consistency…or organized and readily accessible?
  • Do you know what questions you want to ask in your Control Self-assessment Questionnaire(s)?
    • Related/furthermore – do you plan to ask one set of generic questions of all respondents or do you have several questionnaires with specific questions for each relevant respondent?
  • Do you know who needs to answer questions (and which questions they have to answer)?
  • Do you have a formal review or approval requirement (or do you wish that you did)? If so, who needs to approve the responses? Does it depend on the business unit, role or location of the Control Owner or do you have a single office responsible for overseeing the responses?

With this information, we can pretty easily get you set up! Contact us at or 866.753.1231 and we’ll schedule some time to work together through your questions and get started on saving you time (and, therefore, money) asap!

Guidance for Streamlining Audits by Granting Access to External Auditors

Each year we notice more and more policyIQ clients are engaging their external auditors to perform their audits electronically using policyIQ. Earlier this year, we shared how data from policyIQ could be extracted to share it with external auditors. Many organizations find it helpful to give auditors direct access to policyIQ so that they can use the functionality of policyIQ to locate documentation.

Tips for Granting External Auditors Access to policyIQ

If it’s been some time since you implemented or expanded your use of policyIQ, you might have forgotten how to set things up so that new users have appropriate access to content. Here are the critical steps for granting viewing rights to appropriate content to your external auditors:

1. Add Group for External Auditors – policyIQ sites included a group for External Auditors by default, so you might start by locating the group in your structure. If it has been deleted, it is simple to drill down to the position in your Groups and Users structure where you would like to add the group and choose Add > New Group from the table toolbar. Going forward, rather than adding any individual auditors to view Pages, you will only have to manage the users added to this group—this will simplify maintenance.

2. Add Group as Viewers on Pages – Remember that Pages are the root of security in your policyIQ site. The easiest way to grant your new External Auditors group viewing rights to your Pages is to create a report that will pull back all relevant Pages and use the reporting toolbar options to make the change in bulk.

Bulk Report Change

3. Verify Folder Security is Properly Set – Many companies have chosen to allow policyIQ Folders to be visible to all users. If the security of your policyIQ Folders has been restricted to viewing by only specific groups, then you will want to ensure that the External Auditors Group that you added is also among the Viewers of your Folders.

Folder Security

Remember that Page security trumps Folder security. Removing Viewers from a Folder will only make the appearance of the Folder in the left navigation disappear from the Viewers—Search and Report results will still return all Pages upon which any users have been granted rights as Viewers.

4. Ensure Pages are Published – Note that Viewers on Pages are only able to see those Pages once the Pages are Published. Your team can comfortably continue performing their work and updating content knowing that it is only visible to those with appropriate security access rights (Administrators and Editors of the Page and anyone with Global Permissions to view Pages in the site—such as your Site Administrators). When you’re ready to share with your external auditors and any other Viewers of the Pages, be sure to Publish the Pages.

A Bonus Tip Regarding User Profiles

If you are unsure of which type of Access to grant your External Auditors, here’s a reminder of some characteristics of each profile that might be helpful to you:

Read Only Users – These accounts can be shared and are always free. Read-only users do not have access to Advanced Search or Reports. They must use the Folder Structure or Search capability to locate content.

Standard Users – There is a small fee for Standard Users (contact us to look at your agreement). These users will have access to Advanced Search—the option in the left navigation that is a slimmed down version of Reports. It allows users to create a list of Pages narrowed down by any number of Filters.

Advanced Users – There is a fee for Advanced Users (contact us to look at your agreement). Advanced Users have access to both Advanced Search and the Reports module. This is the type of account that can utilize Reports such as a Risk-Control-Test Matrix (a Detail Link Report) to view and analyze content.

If you have any questions about granting access to your External Auditors, contact us at and we’ll get you started right away!


Pre-IPO? RGP and policyIQ Help with Preparations to Go Public

Are you considering going public and beginning to think about all of the steps you should take to prepare? RGP and our GRC tool, policyIQ, can help you to ensure that you have a solid offering and that you are presenting your company in the best possible light.

RGP creates true partnerships with our clients—educating while advising

RGP can help with a range of needs including shoring up your processes and documentation comprising of things like helping you to properly document processes, and ensuring that necessary policies and procedures are in place. This would, almost certainly, include working with you to build a sound financial reporting foundation and solid internal control environment.

We can support your organization with activities that are specific to preparing for SEC Registration such as performing an accounting review to ensure your company meets all necessary financial requirements, helping with the development of your Prospectus, and the performance of a Legal Review.

If your need is more closely related to people resources, such as the need for an interim CFO or adjustments to your Board of Directors, we can help you to make those selections, as well.


policyIQ: powerful, easy to use and have up and running in no time

RGP’s Governance, Risk and Compliance tool, policyIQ, is easy configure, implement, roll-out and maintain for a range of purposes that serve companies who are seeking public offering. For more than ten years, policyIQ has served clients for the development and maintenance of their SOX 404 documentation, policies and procedures, and automation of their management certification processes.

Clients also take advantage of policyIQ’s flexibility, security features and accessibility to serve their related needs; including as a data room for their Board of Directors and for the development and review of their Prospectus.

Recently, we have worked with clients to make a fresh start, helping them to automate their Financial Statement Risk Assessment and relating their significant accounts and disclosures to relevant assertions and associated risks, controls and tests. We have also made quick work of capturing the 17 Principles required by the 2013 COSO Framework, the associated 87 Points of Focus and helping clients through their transition process—mapping to relevant controls, identifying gaps, performing rationalization and strengthening documentation and procedures, where necessary.

A different kind of software provider—in the best possible way

While many other products have come and gone, been bought and sold, and experienced lags in support, development and testing that have proven difficult for their users, policyIQ has a very different history. RGP has owned policyIQ and supported policyIQ clients in the marketplace for more than a decade. Our software has undergone 29 major and more than 30 minor releases in that time, carrying out thorough testing prior to each release, without ever charging our clients for the latest enhancements or upgrades. We operate differently than a typical software provider; we work hard to keep our software up to date (offering the latest in technology and services) while keeping the cost very affordable.

Reach out to us with any questions regarding RGP’s Pre-IPO services or software. We have approximately 3,000 professionals in nearly 70 offices around the world—someone near you—ready to help you take the next step!

COSO in policyIQ – “It was really as simple as you said it would be.”

For those of you looking to use the 2013 COSO Framework as the model for your Internal Control Environment, we want to remind you that you can use policyIQ to make quick work of capturing the COSO Principles and Points of Focus, as well as your Controls, Tests and other related documentation. We have shared some guidance on how existing policyIQ users can easily make adjustments that accommodate the new framework.

Existing policyIQ users, we can help you to get things set up in policyIQ

You don’t even have to create and populate your own spreadsheets to import the framework into policyIQ—we’ve already done the work for you, and will share it with you for FREE!


When we reached out to one of our clients to see if he had any questions about the spreadsheets or import process, he had this to say in his reply: “Once I had your template, it took just about 5 minutes to have policyIQ populated with the principles and points of focus.  It was really as simple as you said it would be.”

If you can’t spare any time to import the COSO content, we can do that part for you, too. Contact us to make arrangements.

Not a policyIQ client yet? Your new COSO-ready site can be available within the afternoon!


(Usually. Contractually, we have to say within 48 hours, but a new site is often up and running within the same day!)

For those who are not yet policyIQ users, but are considering the value of a tool now that you have to take on yet another relationship to your Controls, we have the COSO Framework ready to go in new policyIQ sites—you can move right on to the mapping part of your transition project.

Not sure what your plans are for transition to the 2013 COSO Framework?

We also want to remind you of a couple of webinars hosted by policyIQ and RGP that have been well received. Within the following posts, you will find links to the recordings.

Efficiently Transition to the 2013 COSO Internal Control – Integrated Framework Using policyIQ

Lessons Learned from Early Adopters of the 2013 COSO Framework

We have subject matter experts all across the country (and world) ready to get to work. Reach out to us and we’ll help you to get connected!