Our training team recently hosted the first in our series of "solution-based" policyIQ training sessions. Every month we will be choosing a new area of your business for which policyIQ can offer you solutions to your business needs. In addition to the opportunity to learn about a new way to extend your policyIQ application, attendees earn CPE credit for their participation.
This month, our topic was Sarbanes-Oxley in policyIQ – boy, did we have participation! Many thanks to all of you who did attend for the great questions that kept coming throughout the hour long training session. We had so many great questions, that I've been forced to split this blog post into two parts. (That's definitely not a complaint!) Even if you were on the training session and had your question answered, check out the responses below, as we've tried to put a little more detail around those answers than we were able to provide in our limited time on Tuesday.
In Part 1, we'll address those questions that were asked in the first half of the training class, as we discussed
- Using Forms for 302 Certifications and Control Self-Assessments
- Ideal configuration for 404 Documentation, including recommended Templates
If you did not have a chance to attend this month’s training, you can listen to the recorded training session available now within our training center – and watch for an announcement of next month’s CPE training event with an overview of Enterprise Risk Management in policyIQ.
In conjunction with the release of the training session, we have also put together a new chapter in our online Help guide under Training & Support that is all about using policyIQ for Sarbanes-Oxley. (As we present other solutions in future months, this area will grow.)
Now onto those questions…
Using Forms for 302 Certifications and Control Self-Assessments
Forms can be used in a variety of ways within your Sarbanes-Oxley process. We showed you examples of 302 Certification Questions and Control Self-Assessments. You all had some questions.
Question: Can documents be attached to a Form in response to a question?
Answer: Yes! When issuing Forms, you first create a Form Template with all of the fields (or questions) that you need to have filled out by the respondent. One of these fields can be a "File Upload" field type, which allows the respondent to upload supporting documentation to their Form.
Question: Are respondents required to be users in policyIQ?
Answer: Yes, in order to respond to Forms in policyIQ a user must be at least a Standard User in the application.
It is understandable that all organizations are looking to maximize the value they get from policyIQ while minimizing their cost. Consider the time and effort that you currently put into managing the 302 Certification process or the review and self-assessment of your Controls. policyIQ can save you time and reduce the risk of error or misplaced responses, which will add a great deal of value to your organization! And if you can extend policyIQ Forms into other areas of your business or use Forms for more business processes, that value continues to grow.
Question: Can I send my Form to different people at the same time? Or can I only send the Form out to users one by one?
Answer: Yes, you can absolutely send your Form to a Group of users at the same time.
For example, those Forms that are related to your 302 Certification process probably need to be distributed to a number of individuals. We recommend creating a Group in your policyIQ structure to help you to organize your users into a "302 Respondents" Group for ease of maintenance. If you have some questions that only get answered by a few people, while other questions get answered by a larger Group, separate those questions into different Form Templates and then gather them up into a Form List to make it easier to distribute.
If you’d like some more detail about how to set up Forms in policyIQ for 302 Certifications or Control Self-Assessments, check out your policyIQ Help guide for more information.
Ideal configuration for 404 Documentation, including recommended Templates and Folder Structure
After reviewing how Forms can help with your 302 Certifications or Control Self-Assessments, we tackled the big question: How do I manage my Risks, Controls, Testing, Deficiencies and other SOX 404 documentation?
Question: How do you identify Key Controls?
Answer: Your organization will create Templates in policyIQ for Risks, Controls, Tests, Deficiencies and various other types of SOX content. On your Control Template, you will be creating fields to capture all of the relevant information about your Controls – including whether or not that Control is "Key". Often this is a simple dropdown labeled Key Control? with Yes or No options, while some clients choose to refer to this field as the Control Significance with Key or Non-Key choices.
Question: If you choose to index Controls to multiple Processes, what is the best way to determine the number of Controls in each process and the total number of Controls without double-counting your Controls?
Answer: Our recommendation is that when documenting a Control, index that Control into the Process folder(s) to which it applies. If the same Control exists in more than one Business Process, document it just once. That way you can minimize the total number of Controls that you have to manage and test, while still clearly communicating the existence of the Control in the appropriate Processes. However, one of our attendees asked a great question about how to properly count the total number of Controls. policyIQ Reports will allow you to both report on an individual Process (How many Controls do I have in the Procure to Pay process?, for example) or report on all Controls in the entire organization, with a column in those report results to show you the Process(es) in which the Control exists.
Question: There is a "Reference Number" field on your Risk Template. Is that necessary? It seems like it would be cumbersome to maintain a reference number.
Answer: To be fair, this wasn’t originally in the form of a question. One of our participants had commented on the existence of this field on our examples – and it was a great opportunity to address the issue of customizable Templates and Fields.
Our policyIQ team has a great deal of experience in helping clients implement policyIQ for Sarbanes-Oxley compliance, so we do have some suggestions for your Risk, Control, Test, Deficiency and other types of Templates. However, every organization has unique needs when it comes to gathering that information. Some companies are moving into policyIQ from an existing system or spreadsheets, where they already have a numbering convention for Risks or Controls. The Reference Number field can be very helpful as a way to cross-reference the policyIQ page with the older documentation, if necessary. The beauty is that you decide what is important and what data you just do not need to capture.
Question: Can you comment on how Pages are rolled-forward for one year/period to another? Can we customize the extent to which the information is carried forward?
Answer: This is SUCH a great question that we’d like to spend an entire half an hour talking about it. We’ve scheduled a 30 minute training session for March 9th at 4 PM ET / 1 PM PT to talk about how you might roll-forward for a new testing period. You can register today! We will also be creating Help documentation to talk about the roll-forward process and will make it available in our online Help guide in conjunction with the March 9 training session.
Question: Is there a feature allowing for cross-reference with complementary, compensating and/or Entity Level controls?
Answer: I love this question, because there isn’t a simple, single answer. We would love to see some of our existing SOX clients comment on this blog post to share how they might manage this very situation. The best answer is likely to be a combination of Template fields and link relationships between your Controls.
For example, you might have a multi-select list field on your Control Template that is labeled Type of Control, with choices for Primary, Complementary, and Compensating. If a Control is flagged as Complementary or Compensating, it would then be linked to the other Control that is the Primary Control for a specific Risk. You would then be able to create a Risk / Control Matrix (a "Detail Link" report type) that is filtered for Risks in your first data set, Primary Controls in the second data set, and Complementary or Compensating Controls in the third data set.
In my experience, Entity Level Controls are often handled a little differently – either by having a Business Process Folder that contains all Controls that are identified as Entity Level, or by having a unique Entity Level Control Template that captures different fields than your standard Control Template. The best solution for you depends on your reporting needs and the structure of your process.
Does anyone reading this have a different way of handling this that they'd like to share? Post a comment and let us know!
Question: Is there a way to restrict the view of users to certain pages only? For example, can I restrict my external auditors from being able to view anything but completed and reviewed pages?
Answer: Yes, absolutely! policyIQ allows you to restrict access to your content in a number of ways.
For your External Auditors, we suggest creating a Group in your Group structure called External Auditors. This group can then be added as a Viewer on all of the relevant SOX content – Risks, Controls, Tests, Deficiencies, Narratives, etc. (If you are just getting started, you can add this Group to your Default Viewers on your content Templates, so that you don’t have to add them later!)
When creating the individual user accounts for your External Auditors, we would suggest giving those users an Advanced user account with a Role of "Reporting User." The "Reporting User" Role has access to create and run Reports, but will not be able to see any content that is not yet published. If you aren’t quite ready to give your External Auditor an Advanced user account, you can also set him/her up as a Standard user. The Auditor will have the ability to create Advanced Searches (similar to "Detail Reports"), and as a Standard user, he/she will not have access to any unpublished content.
Question: Is there audit trail capability? For example, can I keep track of what changes are made in key controls and test plans for SOX documentation?
Answer: Yes, absolutely! That is a key feature in policyIQ. All changes to a page are tracked in the "Change History" with a user and date/time stamp. There is also a "Version History" that will save an exact copy of the page as a "Version" every time you publish the page.
Question: In the examples, it looks like the same icon, "C", is used for business controls and IT controls - how does that work?
Answer: This question was specifically directed to our training site, where we have different Templates for Financial Controls and IT Controls. As you probably know, each Template is assigned an icon to help users identify it quickly. policyIQ allows you to reuse those icons for as many Templates as you'd like. We thought it made it easier to identify "Controls" (be it Financial or IT) if we used the same "C" icon.
Question: Is there an auto-save feature to save input on your pages if you get logged out or lose your connection?
Answer: There is not an auto-save feature on pages in policyIQ. There is a Save option available from your toolbar while you are working on a Page that will save your work so far. If your connection might be problematic, you may wish to save your work periodically. (If you find yourself frequently losing your connection to policyIQ, please contact your IT department or our policyIQ support team for some assistance.)
Question: What is the maximum size of external files that can be attached within a page?
Answer: When uploading a file as an attachment to a Page or Form, the maximum size permitted is about 10 MB per file. (Your upload connection will time out for larger files.) There is no limit to how MANY 10 MB files you can upload, however.
Question: What is the difference between Any Approver and All Approver?
Answer: This question was asked in reference to the Content Approver options that are available when setting up a content Template. "Any Approver" means that only one of the users identified as an Approver needs to approve the page. "All Approvers" means that approval must be granted by all of those users before it is approved and published.
Even more questions related to Reports, further training and other uses of policyIQ are available in Part 2!