How to choose the rightinternal control toolsto optimize your process

The information contained herein is proprietary to Workiva and cannot be copied,published, or distributed without the express prior written consent of Workiva © 2016.

Is this guide for you?

This e-book is an introduction to how and why companies

are leveraging new internal control tools and technology to

optimize collaboration and increase focus on the productivity

of those involved in the internal control process.

The information contained herein is proprietary to Workiva and cannot be copied,published, or distributed without the express prior written consent of Workiva © 2016.

Overview

Pros and cons:

Desktop-based spreadsheets

GRC systems

The move to the cloud

Next steps

Contents

The information contained herein is proprietary to Workiva and cannot be copied,published, or distributed without the express prior written consent of Workiva © 2016.

Internal controls management has been in the spotlight for two decades,

but companies have yet to master their processes.

Due to increased requirements from the PCAOB, the adoption of the 2013 COSO

Framework, and board focus on risk and compliance processes, many programs continue to

undergo major modifications.

In order for companies to come out on top, they need to implement internal control tools that:

• Optimize collaboration

• Enhance productivity of all involved in the process

Most companies have undergone several attempts to master their processes utilizing several

types of tools. Keep reading to find out how—and why—companies have made the move to

different platforms.

The information contained herein is proprietary to Workiva and cannot be copied,

published, or distributed without the express prior written consent of Workiva © 2016.

The Case for Desktop-BasedSpreadsheets

When the internal control requirement was initially

implemented, Sarbanes-Oxley (SOX), internal

control, audit, and finance teams were already

major users of desktop-based spreadsheets. It

was an obvious choice to use spreadsheets for

the new requirements, too.

The information contained herein is proprietary to Workiva and cannot be copied,published, or distributed without the express prior written consent of Workiva © 2016.

Why Desktop-Based

Spreadsheets Haven't Held Up

There's a catch with the traditional methods. Additional complexities in finance and internal

control regulations have proven spreadsheets to be lacking in several key areas, including data

quality, time-savings, and mobility.

Version control

Only one user may edit a document at a time, causing tight deadlines

and increased pressure for all involved. There's no way to determine if

every single change has been captured or if the information is accurate

and current.

Lack of transparency

With spreadsheets, it's difficult to show the vital relationships between

risks, controls, testing, and risk-acceptance decisions. Transparency is

critical to internal control processes.

Security and reliability risks

Desktop spreadsheets exist on hard drives, on file servers, and in email

attachments—without user permissions and comprehensive audit trails.

Additional costs

Even though most companies and their auditors have enterprise-level

licenses, companies need to factor in time consumed by internal staff,

costs of any consultants, and the time charged by external audit.

The information contained herein is proprietary to Workiva and cannot be copied,

published, or distributed without the express prior written consent of Workiva © 2016.

The Rise of GRC Platforms

Governance, risk, and compliance (GRC) platforms offered an

alternate approach to internal control tools, like desktop-based

spreadsheets, by unifying information in a single environment.

For the internal control management process,

GRC platforms promised:

• Streamlined risk, compliance, and control activities

• A singular, connected environment to house control information

• Simplification of complex processes

The information contained herein is proprietary to Workiva and cannot be copied,

published, or distributed without the express prior written consent of Workiva © 2016.

Where GRC Platforms Went Wrong

The promise was not all it was cracked up to be, and many

organizations learned the hard way.

The productivity and simplification that was advertised gave way to the following shortcomings:

Lack of optimization for internal controls

Structured by design, legacy GRC platforms end up defining

the process. Companies pay for features they may not even use.

Costly implementation and maintenance investments

Built for on-premise deployment, many systems come with high

internal IT costs and maintenance investments.

Regular, painful upgrades

Legacy software models focus on major releases every 12–18 months,

typically resulting in business disruptions, downtime, costs, and

difficult roll forwards of previous customizations.

Lost productivity

GRC platforms were built for structure, not productivity. They often

leave much to be desired: automation, broad standardization, and

ease of engaging all contributors to the risk and control process.

The information contained herein is proprietary to Workiva and cannot be copied,

published, or distributed without the express prior written consent of Workiva © 2016.

What's the next stage in the software saga? The answer is in the cloud.

Cloud-based, productivity-driven solutions have changed the game by allowing companies to

simplify collaboration while keeping data in sync. Freeing companies from costs, complexity, and

on-going maintenance and upgrades, cloud-based internal control tools offer:

Moving to the Cloud

Streamlined evidence

collection and testing

Send digital requests to control

owners, and attach samples

directly to testing documents.

Review and annotate evidence,

and store marked-up samples in

a single location that's easily

accessible and protected.

Complete collaboration

Bring all users—including process

owners, control owners, and

auditors—together into a single

environment to create and edit

documents. Use the cloud-based

solution as a repository of all controls

and testing documentation.

Automated certifications

Eliminate babysitting and

automate the sign-off process

to meet deadlines, improve

compliance, and gain consensus

of large groups with ease.

Single source of the truth

Hyperlink text, control identifications,

and other information across all SOX

documentation. This ensures updates

are made seamlessly across risk

assessments, risk control matrices,

flowcharts, process narratives, testing

documents, dashboards, and audit

committee presentations.

The information contained herein is proprietary to Workiva and cannot be copied,

published, or distributed without the express prior written consent of Workiva © 2016.

What Now?

Regardless of your internal control process's maturity, resist the temptation

of a quick-fix using desktop-based spreadsheets or legacy GRC platforms.

Instead, look for a long-term answer: a cloud-based productivity solution.

As your business and processes mature and requirements become more

complex, companies need to invest in internal control tools that focus on and

drive efficiencies.

The information contained herein is proprietary to Workiva and cannot be copied,

published, or distributed without the express prior written consent of Workiva © 2016.

Find out how and why companies are leveraging technology,like Wdesk, to optimize collaboration, improve the quality of documentation, and create an efficient process.

Wdesk is designed to help organizations transform the internal controls planning and scoping, design, testing, certification, and reporting process.

workiva.com | info@workiva.com | +1.888.275.3125The information contained herein is proprietary to Workiva and cannot be copied,published, or distributed without the express prior written consent of Workiva © 2016.