Study Update

Oct 21, 2020

Well, hello, everyone, and thank you for attending today's webinar where we are going to do a a case study around digital transformation for SOX internal audit and compliance. My name is Erneston Institute. I'm gonna be your host and moderator today. But before we get started, I do wanna cover off on a few housekeeping items. At the bottom of your screen, you're gonna see multiple application engagement tools for your disposal. All of these are, gonna enable you to resize and move some of the windows around. So feel free to play around with that and maximize the amount of, space that you have on your desktop. You can also expand the slide area to maximize it to full screen by clicking on the arrows in the top right corner. If you have any questions throughout this presentation today, submit them through that Q And A engagement tool on the bottom left side of your screen. We're gonna try and get as many of these as we can throughout the presentation, but if a more robust and fuller answer is required or if we run out of time, We'll be sure to email you those, responses at a later date. So please note that we are cashing all of your questions. Now for those of you who are looking to receive CPE credit for today, note that we are going to ask you for CPE multiple choice questions throughout the presentation. And receiving that credit is going to be dependent upon submitting at least three answers to 4 of those questions as well as attending the full duration. So if you're watching this in a group, it's highly advised that you sign in or log in individually so that you are, ensuring that you're gonna get that credit. The questions will appear, within the slide window, and there's gonna be a limited time, amount of time. We wanna make sure that everybody has ample time to submit answers to those questions. So just be ready for will be available via download in the CPE certificate engagement tool on the screen. We'll also send it in a post event email. Unfortunately, if you have any technology issues and you're disconnected from the presentation or if there's anything else that happens prevent you from qualifying. We're not able to issue that CPE, as well as if you miss those polling questions. So, again, wanna reiterate to be on alert for those Finally, when you do have a moment, there are some survey questions on the right side of the screen there or the presentation. If there are more than 5 questions, you may need scroll down, so let's be So once again, I'm Ernesto and Zessiano. I'm part part of our product marketing team here at Workiva. I've been with the company for a little over four and a half years now. And I come away after being a practitioner in the space of audit risk and compliance. So it was a former chief audit executive worked with a number of GRC tools in the past. We've done everything from Sarbanes Oxley internal controls, enterprise risk management, and public accounting. So With me today, I am joined by a couple of gentlemen and scholars, who are gonna take us through that journey of digital transformation. I'll turn it over to Bill here from Clearwater Group. Bill, do you wanna do a quick introduction to the to the audience here? Sure. Thank you, Ernest, and thank you, everyone, for joining us today. My name is Phil Hatcher. I'm a senior manager with Clearview Group and also serve as a president of the Northern Virginia chapter of the Institute of Internal Auditors. So I spend a lot of my time in the world, that Ernest described have internal audit Sarbanes Oxley and IT advisory services. I have about 13 years of experience there on the professional services side. And just a a quick tidbit about how ClearView fits into today's case study ClearView is offers full service of consulting services, including fully outsourced and co source engagements for SOX compliance. And was really through those fully outsourced SOX compliance engagements that we were looking for a tool that could help us facilitate the process from end to end for our clients. So from documentation requests in collection to testing to hand off to the external auditors, So we went through, a very similar kind of requirements exercise that Robert will describe, in just a moment. And we we came across Workiva as the tool that worked best for us. So once we really got comfortable in the tool, it it seems logical that we should provide that same, same offering to our clients. And so we became certified implementation partners with Workiva, where we not only use the tool for our own fully outsourced engagements, but we also helped implement the tool for our clients, that either perform the SOX engagements themselves or had us in a co source capacity. So Look forward to talking through more of that implementation process with you all, and thanks for joining us today. Thanks for that, Bill. And the man of the hour here, the man of the Myth legend Robert Smallinger. Would you like to do a quick introduction for the audience? Yeah. Sure. Thanks. I'm Robert Smallinger. I am, got a 25 years of experience working with governance, risk, and controls. Most recently, I led the internal audit function at a global software company and partnered with Workiva and ClearView to implement the Wdesk, tool to to basically enhance and finalize our transformation effort, at at my former employer. So, that that's the story we're gonna be telling today. And with that, I think we have a polling question before we get started. So what's the foundational function? Oh, sorry about that. Go go right ahead. Yeah. You gotta love these live ones. Go go right ahead, Bill. Go ahead with the question. Yeah. What what organizational function do you represent? As we give folks a few seconds here So whether you're part of internal audits, compliance, enterprise risk management, external audit, go ahead and submit your polling questions there. And I think we're captured just about all of them. Let's go ahead and shift gears now and talk about the agenda for today's presentation. So we started off with the introductions. We'll give you a little bit of of an overview right now in terms of the landscape that we're seeing from kind of a risk management perspective. And then from there, we'll shift gears into the case study where Robert talk about his implementation at that software company, not just from a technology standpoint, but also the process fixes and then the consultation that Clear Root ClearView was able to provide, then we're gonna get into the latter part of our presentation, which will cover off on what the implementation process looks like, and Bill will go into kind of details of the different phases involved there. And then, obviously, with any presentation, we'll wrap it up at the end with questions and answers. So first section for today, the digital transformation overview. Robert, do you want to give kind of a high level talk track around what we're seeing within the market and how that complexity and and the risk landscape looks today. Yeah. So I I'll I'll give kind of a historical perspective as I stepped into the rule in 2016. At, at my, former employer, we were, we were looking at a, complete redesign of the internal audit function. And I was looking that to go through and and make changes to both people, process, and tools, all all three of them. When I got there, the, the function itself was separate from the Sarbanes Oxley Program Management Office which was separate from the enterprise risk management, process, which was actually managed by our legal department And there was no, connection with our our process owners who were actually executing the accounting transactions within the organization and and creating the evidence that my team eventually would test for compliance reasons for SOX or for internal audit purposes. In addition, you layer in the emerging risks of GDPR, in 2016, the new rev rec standard ASC 606 had not yet, been implemented and, and it had a huge impact on, our company as a, as a software development and sales company. And then you also had the all the existing risks that go into, just big day to day operations. So we were, we were going through that. And in addition, the company specifically was looking to transition from an on prem, software that that was managed by the clients to a a cloud based solution and and become a software as a service, SaaS tool that would be managed out of the cloud. And and when you do those types of things and you're getting ready to make those types of changes, you increase a number of, of risks, specifically the cybersecurity risk around your, your client data and how you manage that and make sure it's it's protected. So we were that's what I faced when I when I stepped into the role in 2016. And my first, my first order of business was to go through and assess my my people then we started looking at process and tools. So once I had the team that I wanted, I then started looking at, different tools to support how we wanted to execute in the process that we wanted to put into place. And we went through an evaluation process, and and landed on on the work either Wdesk tool as the one that was the best fit for our organization. So I don't, I don't know if you wanna add a little bit more color around the, the the, risk profiles that you're seeing in the broader market, but Yeah. We, we were definitely, facing some very specific risks. GDPR was emerging. The new rev rec standard was was, gonna have a big impact on us. And, oh, by the way, we were changing the way we were doing business. So, you know, it was, it was a very, you know, stable, well, well managed organization. And, we had no, no issues at the time. Yeah. Robert, so you you bring up some of those things from a regulatory stamp point, you know, that environment is always, under scrutiny and and, obviously, organizations are kinda under the microscope But then you take into consideration other external factors that may not have been part of your risk assessment originally. You know, let's let's rewind back when we first of this presentation back in January. As Bill mentioned, he's the president of the north Northern Virginia chapter. You know, that was pre COVID And so the conversation, around what some of those externalities look like, has fundamentally changed drastically over that course of time. And so when you think about some of the initiatives that you had internally, and then you factor in all of the other things that are happening in the outside world, whether it regulations, if it's new mandates and compliance laws that are coming into place, I think the kicker there is that that risk landscape is is so complex. And so for organizations, who are looking to streamline their processes, looking to get ahead of risk you know, starting off, like you said, with with 1st year people then getting into your process and tools, that's something that we've seen quite a bit within the industry in terms of a framework to get into more operational excellence and efficiencies. So, you know, one of the other things that we we wanna highlight here with the audiences, when you think about the impact of a certain risk, whether it be something catastrophic or something that makes headline news, you know, we, we wanna quantify kind of the impact. What it means, not just in terms of dollars and cents to the organization or or shareholder valuations, but there's also a reputational element there. And so, you know, we've we've pulled a few of the headlines that have have come out from newspapers over the past year and a half here, just to give the gravity and the scope, you know, the depth and the breadth of what, companies are kind of facing in this time. And so Robert, any any thoughts in terms of, you know, what we've seen in these headlines? And, I mean, ultimately, I think as a former CAE, one of our one of our missions is to stay out of the newspapers? Yeah. I, I think reputation risk is something that more and more boards and audit committees are are starting to factor into their considerations when it comes to how they, how they wanna manage the overall, I guess, portfolio risk. And, and they're, they're really worried about when their name gets dragged into the the headlines in in a negative way, I I I know that there's the saying that there's no no such thing is bad publicity, but, you know, I I think, if if you ask, Wells Fargo and, and some of the other, folks who have, had compliance issues in the recent past. I think they would, they would argue with that. From a specificity perspective for for the entity that we were working with, we actually had 2 items that, that kind of acted as trigger points for, for our executives and, and audit committee. 1 was a, an issue with some some, inappropriate behavior by, subsidiary in Latin America. And we ended up having to do a fairly extensive investigation into the business operations in in our Brazilian subsidiary. And then, in 2018, we, we went through the SOX evaluation and ended up identifying a material weakness within our internal control, framework. And when we came out of that, material weakness in at the end of 2018, I had gotten everybody's attention and, and had, a tremendous amount of support to go through and, and work with you guys and and with ClearView to to make the process work better. And and that's that was, kind of the final the final, push that, that kind of tipped, my audit committee to go ahead and and approve the implementation and, and, spending the money to, to bring Wdesk into the, organization. So that that, again, you you hate to see negative things be, the reason for why you do it but, unfortunately, I think that that's, that's where we end up a lot of times is, is you gotta get your hands slapped. Or, or get yourself in some trouble before, before you're gonna take action. It's, it's, unfortunate. And hopefully, those of you that are on the webcast today, can, can, persuade your audit committees and executives to maybe take action before before something negative happens? Yeah. Too many times, do we become victim of being more versus proactive. And there's nothing, quite as a forcing function, like having, an ethics violation or a fraud litigation, you know, headline news like this or even a material weakness or a controlled deficiency coming up in your financial statements. Right? So I think one of the biggest challenges today when we when we look back at that, risk landscape landscape and the complexity of it, you know, that is the fact. Right? And so managing that risk in today's, in today's environment is complicated. And we've seen a lot of, strategic priorities and organizational objectives being forced shift in ways that people have never imagined before and and even looking at those fundamental business models, are being forced to to innovate but but based on some data that we have gathered through multiple survey surveys, a lot of teams feel like they're focusing way too much time on efforts on things that don't necessarily add that value to the organization. You know, when you think about gathering data to support your testing or evidence, you know, babysitting document requests, or or perhaps even doing the the wrong audits. You know, going back to the whole, COVID and the global pandemic, how many of us had something that's, massive on your risk assessments I think the worst part about it today is that the tools that people are using have failed to change with those times. And so there's this latent source of discontent with the technologies that are currently available today. You don't get visibility into the information that you need in order to become trusted business advisors. And so Robert, I think you had a great example there where, look, you got the audit committee's attention, and this became a priority for for what, you know, you you were doing at that company. I'm interested though, Robert, you know, we we we like to talk about universal process challenges Does this look familiar to you at all? Oh, yeah. You know, when you when you think about the, the different systems and and processes that I inherited when I when I got to, this organization it was, it was something that, kinda made my head spin when when I started trying to figure out where, where data sources were, what was the source of truth? Yeah, the most frustrating thing that that I I've had was when, you know, we would go through and my team would execute a set of tests against, data that that were provided to us by the process owners and we get through our test and, and, and then the process owners would cheap as soon as you come to us and say, Oh, I'm sorry. I gave you the wrong schedule. And and you're you're kinda okay. Well, that's, you know, that that's that's a couple hours, worth of work down the drain, and then we basically had to redo everything. And, and, you know, it's it's one of those things that, as a, as a, audit leader kind of pulls your you wanna pull your hair out. I think the other thing is, is you you also have to you know, worry about the when you have questions about the authentic authenticity and and this the sort of data sources, Then you've you've got, you know, worry about, well, how much, how much trust and and and confidence do the process owners have in the data that that they're using on a day to day basis? So one thing that that I really, I think we'll talk a little bit about benefits on, on the back half of the presentation, but I I am, really, you know, one of the things that was, was really good for us as a, as a team was we started closing things down so that if we may, you know, if we had a single source it, it would populate throughout the tool. And, and we didn't have to worry about whether or not somebody had gone back in and updated iracum, because or I'm sorry, a risk and control matrix, because we had made a change on a process document within one of the individual process flows. And, you know, those types of things were were also very frustrating internally And those were self inflicted wounds because we were using, SharePoint and Excel and and word for all of the documentation for the SOX processes and controls. So you'd have, you know, these great video flow charts these narratives that were written up in word, you'd have flu charts that were were in in, VIZIO And then your your risk and control matrix was in a in a Excel document. Well, none of those things were connected And so every time you made a change, you'd have to go through and and and make sure that all the other documents that that were attached to wherever you made the change that they were updated and updated appropriately. So it it it was very time consuming back to your point where, you know, instead of doing analysis and and evaluating controls, my team was spending a lot of time making sure that our documentation was in sync across 3 or 4 different platforms of software. And and that was that was extremely frustrating when we first got into the, into the organization and, and started trying to, to make things more efficient and better. So Again, this is, this is one of those things where I, I, I think you that inefficiency is difficult to articulate, in a way that that resolves in dollars and cents. But once we had the new tool, it was it was very easy to show the CFO, and in the audit committee, what we were doing, because we had the tool and, and now that we didn't have to kinda heard, heard the cats of, of documentation, we were able to, to be more efficient and and bring bring more work to the table and do more analysis, do more in-depth analysis around controls which added value to the organization, but it's, it's, it's really hard to sit there and put a dollar sign in front of that when, when you aren't, when when you're not doing it. You know, I, theoretically, I knew that we were spending a lot of time keeping all the documentation in sync, but it was, it was difficult to, to quantify and, and That's that's one of those things that that I think anyone who wants to go down this journey should definitely think about how much, work are you doing to to, to keep all of your Microsoft documentation in sync, even if you've got a good tool, like SharePoint to keep it housed and secure and and version controlled, it's still difficult to make sure that the change you make in a in a process narrative flows through to the flu chart appropriately and the risk and control matrix and and ultimately to your testing documentation. I would just add to what you said that I think some of those efficiencies we gain actually led to more quality too because there's not hesitation to make updates when when they're available. Like, in some cases, maybe additional information is available, but there could be hesitation that I don't wanna add that to the narrative because then I'll have to add it to the RCM. And it's it's not out of laziness. It's out of wanting to focus, you know, where your time counts the most. So I think that the length data that we'll talk about is really not just efficiencies, but also contribute quality in the documentation? Yes, it's a great segue. When we talk about, those disconnected processes, the disconnected documents and data within the system, you know, it really leads to these unintended consequences. So whether it's introducing more risk or perhaps creating inefficient sees, not only to the teams involved, but the company as a whole, you know, this ties back to some of the challenges of managing that risk landscape that we talked about earlier. So let's get into our second polling question here for the audience. And this question is which of the following best describes your role? And so you see the 4 options there will give people a a little bit of time to enter whether you're a staff or senior. Perhaps you're on that manager or at that manager, senior manager level, director, senior director, or VP, and above, and we'll give a few seconds here before we get into the next part of our presentation. And, Bill, are you clicking stop clicking? We gotta give we gotta give people the ample time to get there. Or poll questions out here. Thanks, Ernest. I was submitting my answer. There you go. Okay. Let's get into, the next portion. And we're going to change it up just a little bit here and do kind of a panel discussion. We're going to throw some questions over, to Robert that, you know, folks are interested when we talk about this digital transformation, what did it really entail? You know, we're getting some of the weeds, you know, Robert did a great job of lay in the foundation and the history and kind of the genesis for the project, but let's get into and put some meat on the bones here. So first question here. Robert, talk a little bit more about what the previous risk management environment look like for that company that you mentioned earlier. You know, what What was kind of the the current state at that point in time before you went into the digital transformation initiative? Right. So when I when I landed at the organization, the there was a separate risk assessment process that was being done by the internal audit function to come up with their internal audit plan for the year. There was a SOX risk assessment that was done to help drive and prioritize the, the, the work within the, the compliance program, the SOX compliance program And then there was a 3rd enterprise risk assessment process that was done that was managed by the legal department that looked at broader more strategic risks, but also got into some of the more tactical risks that the internal audit function, was looking at Unfortunately, there wasn't cohesive and, and, collaboration between the 3, 3 business units So you might have internal audit risk ranking something as being a lower risk where the enterprise risk management team might have come back with it as being a higher risk. You also had some discrepancies between the way the financial team was looking at the SOX risk the way the internal audit function was was looking at it. So it it it definitely created some confusion amongst the the stakeholders in the organization, they they, you know, were wondering why did why did internal audits say that this wasn't a high risk but yet it's being tested for for SOX purposes. Why were the enterprise risk management folks looking at something and asking for a, a management plan, a risk management plan when internal audit has said that they weren't gonna include it on their audit annual audit plan for the year. So those types of things, were were certainly again, causing causing confusion within the organization and really diminishing the value that people saw from all three of, of the, the different groups and the risk assessments that they were doing. So one of the first process changes that I was able to to work through within the organization was to to sync all of those up. And ultimately, I became the the person and and my internal audit team was the solely responsible for the risk assessment process in the organization. And, and we used kind of a top down where we we we kind of started with an enterprise risk approach. And then, and then slowly kind of peeled the onion back until we got to very specific financial statement risks that that drove the survey is actually compliance program, but also helped direct the internal audit efforts, the the other internal audit efforts for the year outside of of Sarbanes Oxley. So, you know, that, that was a, I think, a big win. It took us about 18 to 24 months to get there. But that was, that was a, a, a big win from from when I landed in 2016. That's great. And so I think following up on that then, Robert, what What was kind of the impetus for embarking on digital transformation? Why digital transformation? And what were some of the requirements that fed into the initiative? Well, like like I said before, when when I stepped into the role, we had, basically, separate tools for the internal audit team for the Sarbanes Oxley team, for the enterprise risk management team, We also had our, process owners and, and, and the stakeholders within our, our finance and accounting function who were housing their data in a completely separate and different, different location as well. And there was, there was definitely, some, some crossed wires, because of all the differences in, in the, the tools that were being used. And the other thing, we talked about that a little bit as well, the, even within the internal audit function, the tools that we were using to, collect and, and, and, uses our evidence for our testing and our work, there wasn't it was Microsoft products. And, the, Hold on. I gotta stop. My cat is trying to get in the room. These are great things to do in live. Hopefully, we can cut that out. Alright. Anyway, you got a little COVID. Yeah. So anyway, the, the, the idea was that that even within the internal audit team, we had tools that were were not synced up. So we were using Microsoft, Office products like Word and Excel, Visio, And and there was if you made a change in 1, you'd have to manually go through and make changes in others. And and quite honestly, in in 20 16, 2017, when we were talking about this, that, that didn't make a whole lot of sense to me given the fact that, you know, the WDS pool was out there. There were other tools that were out there where you could make a change once and it would flow through the, the rest of the, the documentation. So, you know, that that to me was was a a a big effort. The other thing is is from a from a time of, of, of speed to, to get things done, if we could create, a a process where we could get electronic data into our testing tools and we didn't have to wait on our, our stakeholders and, and the process owners to push that data over to us A, that that would make it quicker. And then B, we could also, we had a little bit more confidence that the data we were pulling was the data that we wanted and, and that when we conducted our tests and conducted our work that that there was going to be a good outcome on on that work. So as far as the requirements go, Given given that landscape where where I wanted to see, you know, a change made once flew through the documentation where I wanted my stakeholders to be able to access and, and, and potentially become more, more of the owners of the process documentation. One one aspect that I haven't talked about was the fact that the the SOX program management office, which was really just one person, with some contract help on, during, during busy times. That program management office became the de facto owner for, for process documentation. And what we had on a number of occasions were stakeholders who, who were actually executing the processes who, who started to, to get irritated because the documentation, the auditors were using to evaluate the controls, were at a date hadn't been updated. And, and it wasn't any one person's fault. It was just the fact that, you know, that they, it it just wasn't clear as to who was responsible to make sure that those those documents were updated. And, you know, so because nobody was responsible, no one did it. So what the the other requirement I wanted was to make sure that people who were executing the processes, those stakeholders, they would have access to the documentation. They would have the ability to go in and make conditional changes to documentation. And then my team and internal audit they could go through and and evaluate those changes, make sure that they were appropriate that they met the appropriate criteria for control objectives and risk mitigation factors and that the, and and essentially act as quality assurance around the documentation. So that that that was another key factor for us. The other thing was news of ease of use. And we, my team, the background, most of them had never used a, a audit manager tool before. I had had previous experience with Wdesk and, and a couple of others in, in other, assignments and, and with other, other clients when I was doing consulting work. So, you know, it was I knew what we were getting into, but my team was was fairly naive around what they were going to be doing and how to use those tools. And I wanted something that that they felt comfortable with and and felt like it it made sense to them And it, it was it made sense with the process and the approach that we were taking to both our internal audit work as well as our Sarbanes Oxlin work. So those, those were kind of the key requirements. And, you know, the, the last thing that we were trying to determine was you know, how do we how do we provide the show that there was going to be value? And and that's one where we again, it it's difficult to put a dollar in cents. What I didn't wanna say is, hey, if I implement this tool, I'll be able to reduce my headcount by x. To me, that that's not one of the benefits of of implementing an auto management tool. Really, what I want is my team to be able to do better analysis, get deeper into the processes, because they don't have to do as much of the busy work to, to, to determine that the work is good and, you know, that that the testing is is sufficient and and appropriate. So I think I'm not sure if I I got all the requirements, first, but I I I think those were those were the keys and the highlights. Did I add one for you, Robert? I didn't memorize my requirement document. From, when we when we did the initial approach a couple of years ago. I bet you, Bill, remember. Is that what's up, Bill? Yeah. Robert, I I recall I I know your company had a large global footprint, so a lot of users and a lot of users in different locations I think that becomes even more relevant in the current pandemic environment. So just wondered if you could expound on that a little bit. Yeah. Bill, that's it. Thanks. This is why you partner, right? You you somebody somebody's always reminding you of something you might have forgotten. But you're that's a great point, Bill. That's a great point. Because we we had, we had, locations in Europe Asia, Latin America, as well as North America, that, that, where we had accounting, functions where there were servings Oxley key controls being executed and, and having a tool that, that was easily accessible, not only by my team when they're in those locations, but by those process owners and and those stakeholders that were in, those foreign locations. Yeah. That that made life very, very easy, especially when we went to the COVID shutdown earlier this year. And we had to all work remotely. My team had already been doing that for, for almost a year and, and our stakeholders had already been using the tool in, in that manner for almost a year. So that was, that was a it's a great benefit, but it was one that I I I think we we did. We knew that we wanted to have it, but I, I don't think we knew how good it was until we got to March April of this year. Absolutely. Alright, guys. I think in the interest of time, let's get into the next polling question because I know Bill is itching to go through the implementation process. So question number 3 for the audience is what function does your internal audit team report into? And so you got some options here. Does it report into the CFO controller is it the chief compliance officer or a compliance function? Is it the CIO or somewhere within IT? Is it with the directly into the CEO, or is it other? And we understand, you know, most organizations have the internal audit team directly reporting into the audit committee chair and the audit committee. This is not a trick question. We mean more of the dotted line you know, functionality or administrative function into the organization. So we'll give you a few seconds here to input your questions for this polling question. I I would I would say who who does your CAE's, performance review at the end of the year or whatever you guys do? That's a that's a much more eloquent way of asking. Yeah. I I've never had an audit committee chair provide me a a performance review. And I've, I've had 3, 3 CAE roles. So I actually had an audit committee chair provide input into my performance, review. And that one's pretty interesting to get that feedback. But, yeah, most people don't don't get that. Yeah. The the the feedback, yes, but never, never directly, sitting down with me and and and saying, okay, you got you got a 5, Robert, because you were you were excellent. You gotta ask for it sometimes, Robert. Alright. I think that's enough time there. Hopefully, everybody submitted their answers. Let's get into the next part of our presentation where we will go through the implementation process. So, Bill, why don't you kind of walk us through some of the milestones and then we'll get into each of the phases as we, go on here? Sure. Thank you, Ernest. And Robert, you can keep me honest too, if anything comes to mind that I don't mention as we go. But this first slide is just showing an overview of the different implementation milestones that we'll talk through. And when we do these projects, we try to divide them into kind of 4 distinct phases. The kickoff is really our time to meet your team and understand your control environment. Perform some discovery there. So we know how many controls, how many locations, who are we work, who are we going to work with as far as the testers the control owners and just getting a feel for the landscape. And then we dive right into the projects that set up. So, you know, implementing the database, understanding the kind of reporting that the CAE and other stakeholders are gonna want out of the system. I think in that phase, we achieved, you know, it was really powerful in Robert's case study, especially where we were able to generate metrics for the audit committee directly after, you know, directly out of the system so that we weren't always having to put pencil down and pivot to Excel spreadsheets and tabulate our status and put it into a PowerPoint. And, anyways, we, you know, we got to a point that you could really go from work product to reporting instantly. And and that's kind of power that we wanna unlock here. The 3rd phase is training. So getting training, not just the internal audit team, but also the users that are going to be providing PBCs. And a really nice thing about Workiva is they have a Wdesk university, which automates a lot of that training, but it's it's not just static training. It actually has interactive interactive case studies that you can go in and attach a a PBC and make sure you understand how that where to actually click. And that I think is very powerful. Then we do some, obviously, UAT and troubleshooting, because maybe the way it's designed out of the box is not the way Robert and team wanted it to work and we're able to kind of manipulate things and and customize it to the user. But the last phase is really just getting started in the tool. And as with anything, it's it's an ongoing world. So you know, we we at some point do hand off some of the administrative tasks to the customer success manager at Workiva, and the customer success manager is with us, though, throughout implementation. So I know Robert, you knew our, our point person, Laura, by first name, and had her email. And, I think that relationship worked really well. And then throughout the whole project, there's ongoing weekly status meetings, ongoing communication of where we are in the plan. And you know, the idea is that there are no surprises and that we can get the tool up and running the way the customer wants. It's not just an out of the box. Upload your RCM and you're done. So that's kinda the overview. Yep. Yeah, Bill. I I was just gonna say, you know, handle handle this implementation like you would. Any other system implementation. Use some rigor. But I I I wanna say, you know, we we took approximately 6 weeks, maybe even less than that. To get, you know, from from basically getting the contract signed and everything finalized through our legal, which we'll talk about in a second, to to actually having the system up and running and ready to go. And, it so if if you've got a plan You've got some rigor around it. It it definitely makes it a lot easier. I would not, advocate that you go in and and try to iterate by just dropping the system, you know, flipping the switch on and and and and figuring out how you're gonna go. One of the other benefits, and and I'll I'll let you get to to your next slide, because I think, in that next slide, we talk a little bit about you know, the the kickoff phase and the discovery phase. That was a great piece for my team. Because it, it really challenged us as far as the status quo. And and what were what were we doing from a SOX perspective? And I think we should be explicit We implemented the SOX piece to the Wdesk tool first. And so we're talking a little bit about the when we when we've had these conversations right now, it's it's essentially the the all around our Sarbanes Oxley, process. So anyway, it the this kickoff and discovery phase really helped us challenge our status quo. Great. Thanks, Robert. And so you mentioned the kickoff and discovery slide that we'll cover here. And I think really you covered some of the big points here that a typical implementation takes us about 6 to 10 weeks. Like we said before, there there can still be iterations on that work product. But that's usually about the amount of time from kickoff to to actually working in the tool. And in that process, you also want to consider your different stakeholders and get them involved at the right points in time. It may be, you know, often they'll roll it out in a couple of phases first to get your audit team up and running and familiar with the tool. Before you start inviting other stakeholders in just so that when they come with questions and want that firsthand experience, you're up and running there. So we we have this kind of example project plan, but we definitely sit down and customize that to understand any timeline dependencies that the client has. Yeah. And, Bill, I would add that you know, the getting that stakeholder involvement, so your your global controller, your your CFO, the different directors, the, the folks that are actually doing the work within the accounting team, making sure that you're you're familiarizing them with the tool and you just don't drop it on their heads when you're done and expect them to be able to to work with it. I think that was a key for us as well is is we did a good job of making sure that we communicated with non internal audit stakeholders and, making sure that they got they got their their input into the system. Yep. So on the next slide with the project set at set up data assessment, really what we're talking about here is kind of the concept of good data versus bad data. So oftentimes in Excel, you can get away with fields that haven't been normalized and maybe don't have data validation control, but part of the setting up the environment in Wdesk where it it really empowers Link data and being able to use these references from your process documentation, to your control documentation, to your exception reporting is getting all that information standardized. So when I say that, I mean, using the same nomenclature as a good example, you know, does a control pass or fail, or is it ineffective or effective and just kind of locking in on that standard, herbiology. But also, it's, it's defining those meaningful relationships between the data. So I know in Robert's environment, we mentioned that they had global, a global footprint, multi location, sometimes you had one process that operated in multiple locations, sometimes you had multiple locations operated in one process and we were really able to sit down with him and his team and kinda unlock those relationships and streamline the data. And and I think I just wanna rest there that this isn't just taking your current environment and putting it into the tool. I think what I'd I'd like to brag a little bit for our team. I think what we were able to do because we worked hand in hand with Robert's team as a CoStar partner is we're able to really rationalize the control environment and say, you know, hey, this one risk now that we've got all the data in this one risk is mapped to 6 key controls, is that appropriate? Should we kind of tailor these risks so they're a little more specific, or maybe can we rational some of these controls as non key. And and we were able to achieve a lot of efficiencies by sitting down, and and this was a good opportunity to to perform that thought process. Yeah, Bill. So so from from the earlier comment about challenging the status quo, it was in phase 2 where we really kinda got down to brass tacks and determined what key controls we wanted to assess and and evaluate. And and we were able to reduce the number of key controls in our environment from somewhere around 250 closer to 200, and, and really narrow our, our testing to a much more, focused and, and I think better set of, of key controls for financial statement purposes. Yep. I'd agree. And I think Robert further to that, a lesson we learned here is when, when you're implementing the SOX compliance, tool, you know, we'd, we'd recommend to the extent possible it's best to kind of implement in that Q1, Q2 area before all the walk throughs start and a lot of the changes start flowing in and the testings in process I think it really allows you to take a step back and and spend time with those kinds of considerations when you're in kind of the heat of battle of testing. It can still be done, but just best practice wise, I think that early part of the year, if you're a twelvethirty 1 year end, would be the best time to, to sit down and go through this process. Absolutely. Unfortunately, we had we had some issues with our legal department and and some privacy issues, around the tool. So when I, when I talked about getting stakeholders involved early, I would I would recommend to everyone that you talk to your data privacy owners and champions and and make sure that they're comfortable because you are gonna have some, some data that's in the tool, and you wanna make sure that that, you've got all your bases covered there. So, we were able to get over it, but it took us a little bit longer than we we thought. And unfortunately, that pushed us on our, our calendar, and we were we were implementing at the same time we were doing walk throughs, which I would certainly not recommend to anybody. Yeah. We got through it, but I agree. So this next slide on the project setup data import and field test, not, you know, don't want to exhaust the details on this slide, but really it's showing the kind of 5 different, segments of of information within the tool. So you have your data, which is really your RCM and your process narratives and flows, and it's kind of where you keep the information itself. The reports can become very powerful when you tailor them to, like I mentioned before, you know, specific audit committee needs and what the chief audit executive cares most about. A lot of times that's, you know, making sure we know number of controls by, by phase and what the status is as far as tested and what's in the review queue and what's been provided to external audit. So all that can be automated at the touch of a button. Then you have your testing tab, which really organizes the, the test records. You know, it makes sure you have all the fields that you wanna track for your tests. So sample methodology, sample size. Some of that can be automated so that if you select an annual control, It automatically fills out some of the other fields saying we're gonna test one sample. And then the dashboards are very powerful. So the dashboards are tailored to each individual user, and you can go in and see at any given time. These are the tasks in my to do list. So, Robert, I know, you know, when it got into that heavy review season, and you and I were passing work papers back and forth that those dashboards were really helpful to sit down. And when you finally got a quiet hour to sit down and say, what else in my queue. And at the touch of a button, you could see exactly what controls were waiting for you. Yeah. Yeah. I was gonna say, Bill, pre pre COVID. That was that was awesome because if I had a team in in Europe, they, they could they could get their work done. And I'd I'd be reviewing their work papers in the afternoon and and Virginia or or on the East Coast, and they would come in first thing in the morning, and and all my comments would be there for them. And and they'd be able to knock them out before I'd get into the office in the in the the the following morning. So, yeah, it's it's a, It's great to be able to just see exactly what you need to look at from a review perspective. Right. And if you're providing review comments, you can use the at symbol to to tag an individual team member to the comments. So if if Robert maybe was reviewing a person's work paper, but he wanted input from his director of internal audit, he could tag her and she would get a notification saying, come look at this. So, you know, for better or worse, it even can send you email notifications to your phone when Robert's reviewing your work papers. So it's a very powerful collaborative tool. And then on, the project setup report development slide. Robert, I think this would be a good one for you to speak to, but I I mentioned just the ability to tailor these reports to, you know, the organization. So for some organizations, maybe you want your, your status by location. Maybe you want it by test phase. Maybe you want all those views. And maybe your audit committee is interested in the ten thousand foot view, but I know a lot of committees are interested in, you know, progress by control count. So, Robert, maybe you could add some color here, but I think we were able to get some very powerful reporting metrics out of the tool. Yeah. Yeah, Bill. So the, the reporting tools within Wdesk allow you to tailor it. I I would put together we we had information that we had for the CFO, We had information that we had for the global controller and her direct reports. The other thing, our organization the the software that we developed was was business intelligence software. So internally, we used our own tool to do a lot of the management reporting, and Wdesk was flexible enough to create an API where we could we could push the data into our internal management tool and then create dashboards for our executives. Using using our internal management, process. So, again, it it, the the the reporting tools within Wdesk are are great. And we use some of those, but it also has the enough flexibility that you can create, whatever you need within your own organization, with APIs and and other integration. Yeah. And I personally found that invaluable as a manager on engagement when you get that question, where on testing. And suddenly all the activities you had planned for the afternoon, you need to stop and put the pencils down and understand where everyone is. Wdesk enables you, like Robert said early on, to, to focus on the job that's providing the most value and not necessarily always that kind of retrospective. And once we got that up and running, I feel like we really turned the corner on efficiencies. Yeah. And it, it didn't, it, it was, it was not nearly as onerous to do that analysis as it had been in the past, right, because you had you had a very quick visual picture that popped up in said, here's the testing by status. Here's where, you know, individual testers are with the work assigned to them, and you could drill down into it. It I mean, it, it, it made life much easier from my perspective as as the leader to be able to to to see the the forest and the trees. Right. Yeah. We could just focus on really the dependencies, the the critical path, and, like, the the issues. So think that was a great output. On the phase 3 training, I think we already spoke to most of this, but it's, you know, upfront, you have Workiva University, which is an online self-service interactive training, and that gets you, I'd say, 75% of the way there. And then between our implementation team and the ongoing support from the customer success managers, You definitely get to the 110% of the user. I think, Ernest, that's probably all I wanted to cover on the training unless Ernest, did you want to add anything on the customer success manager roles? Yeah. You know, one of the things that we pride ourselves on as a as a company is the service levels that we provide to our customers. And so you mentioned that CSM or customer success manager really becomes an extension of our customers' teams you know, I I've gotten feedback in the past where they've said, I don't know if, you know, Lindsey works for our company or if they work for Workiva. So definitely take advantage of of them and, you know, service, in terms of not just, questions that can be asked and, you know, they they serve as a first point of contact, whether it be on on new features that are coming out, if if it is help with building documentation or setting up a data model, it's one one area we can't, overemphasize enough. Awesome. Yeah. And then the last slide is really the amount of value tremendous amount of value in in the CSMs and, and, you know, all the way around, you guys did a great job working together and, and, making sure that we got through the process. Yep. And then the last phase is really just getting started. Go ahead, Ernest. Yeah. No. Why don't why don't you cover off on this last slide here, Bill? Yeah. It's it's really just the the handoff now we give you the keys to drive, and part of that is making sure you've established the right admin roles so that you can grant permissions to your users appropriate to their duties. As as any kind of SOX compliance person, we all know the story there. So it's establishing those ongoing admins. And then we were able to create really a frictionless experience at Robert's former employer, which which enabled single sign on. So Wdesk, you know, no one wants another user ID and password to remember. So part of getting their, their company on board, one of the requirements that was a must have was single sign on capabilities, and we were able to roll that out. So that was really it. Ernest was just getting it out to the stakeholders and making and then you're still there as a CSM to to provide support if there are any issues. So thanks for letting me walk through that. I appreciate that, Bill. Let's get to our final CPE question here. We've been talking a lot about We're interested to learn more about the primary tools that your organization uses to support, the compliance and inter internal audit process So 3 options there, are you still using desktop applications like Microsoft Office, maybe some Google documents? Perhaps you have a point solution software, like MK Insight or teammate, or the last option there being a broader GRC application. So give you guys a few seconds here as you're putting your answers in. And as that's going on, I do wanna thank, Bill from Clearview and Robert for providing the context here, I think it's a tremendous story when you think about the three legs of the stool. You have a company that has some pain points and some challenges that they've related, looking to change their people, process, and technology. You have a consulting firm like ClearView with, a number of their clients in similar industries and best practices working with technology companies such as Workiva to help really fortify and streamline, a digital transformation overview. So I'll open it up. Any other parting comments? We can I know we're running over time? We won't be able to get to all the questions here or any of the questions. So we'll follow-up via email, but Bill, Robert, any other last comments here before we wrap up? Bill, you go first. Don't be shy. Thank you guys for the opportunity. And like Ernest said, we're available. If you have questions. I know we didn't get into the tool itself very much. So if you ever want to see a demo there, we're glad to do that or provide examples of the kinds of dashboards or test plans that are enabled within Wdesk. So thank you all. I I I would just like to add that, you know, as as auditors, we're we're being challenged all the time to be more efficient and to get to more things And if you're still using, you know, whether it's Microsoft Office, Google Docs, non audit management tools, to try and management manage your function, he certainly should ex explore, the audit tool world and and find something that that allows you to to automate the process. You know, we're we're we were able to find efficiencies that really allowed my team to dig deeper and do better analysis and become better auditors And while I, I had mentioned earlier that you can't necessarily put a price tag on that, they certainly are, are, stronger and and we're doing more valuable work for our organization. So, again, I I strongly advocate that if if you are Still using the early 21st century tools that you started looking for something that's a little bit, newer and, and, and, more automated. Thanks for that. Again, guys, thank you very much to Bill and to Robert. Apologies to Mike Ross, but we are all out of time here. For any of the questions that you did submit and appreciate everybody that did, we will respond via email. If you have any more questions, get them in there, and the engagement tool will be happy to respond. Finally, for the CTE credit, for those of you who qualify, you can download that certificate now and the engagement tool. We'll also send that as a post of an email that you'll receive later today. So thanks everyone for attending and stay class of humanoids.