Ensuring Digital Signature Licitness for Quality Assurance in United Kingdom

How to eSign a document: digital signature licitness for Quality Assurance in United Kingdom

hello my name is jeff hughes and i lead the audit quality and risk functions for grant thornton in the u.s i'm responsible for the implementation and continued assessment of our system of quality management under isqn1 so like you i am very interested party in the solution we're going to show you it's interesting when we began this journey of implementing isqm1 we determined pretty quickly we needed a tool so we built one internally and that tool was going to work really well for us and then we started getting some inquiries from our member firms around grant thornton international as well as other firms about what we were using so we headed down this path of turning our tool into a commercial tool that could be easily used by others and that's how we created qm.x qm.x was actually forked off another tool we built called sock.x and the reason that's important is we were able to leverage proven capabilities and security so during the demo you're going to see some of the rich features and capabilities but just a few things for you to think about as we do that the tool was built to be scalable that is it can be used by any size firm regardless of the level of complexity it's not a matter of tailoring the tool rather it's a it's based on the use by a firm based on what the firm does because it was kind of built by accountants four accountants so it's ready to be able to capture and continually assess the firm's system of quality management we built it to comply with the standards but so that could be easy and easy as possible to operate it can be used to comply with any of the standards so if you need it for isqm1 and eventually the aicpa and pcob standards or even any localized standards you can do that all at the same time it can be localized for any language requirements and it's available in the azure marketplace which makes it easily accessible so the key here i think is made by accountants for accountants and scalable regardless of size and complexity and really we're going to walk through the features so let's take a look at the tool and uh let me just turn it over to you at this point today we're going to spend about 90 percent of our time actually in the test environment for the tool so this is the environment that we're working in day-to-day testing things um you know developing new features off of and then we'll also spend some time in my demo slides which will showcase some features that we have in progress but aren't yet integrated into our environment here first what i'm going to do is do a quick overview of how we have um everything in is qm1 structured within qm.x and then i'll move into kind of our background admin functionality before moving through the rest of the day-to-day application so at this view here this is our overview and what we have here is a hierarchy view and so this view is really meant to show you know kind of step by step how the items within the system of quality management are structured and the relationships that those items have to other items within the system so at the top level here i have components and i can drill down and sitting at that component level i have component activities objectives requirements and findings so component activities are something we added you know to our qm.x tool where you can essentially optionally break down your component into like further buckets of you know business processes like functions um you know other organization you know to really kind of organize your risks and responses so for something like relevant ethical requirements i have independence you know whistle blowing complaints and allegations in a bucket and then just other ethical requirements and this really helps us you know keep our risks and responses a little bit more organized we also have objectives so these are going to be the objectives coming out of the isqm1 standard or any other standards that your firm may be needing to implement over the next few years and then we have requirements which are going to be non-objective requirements or stuff like member firm obligations where we may not have a risk associated with that requirement but we would have a response in place so for instance for relevant ethical requirements here these are the requirements to implement specified responses for items in independence kind of within the relevant ethical requirement component and then finally we will have findings so findings are going to sit at the component level um but as we know findings are going to be connected to risks responses and objectives and then derived from testing work within the system so really findings are that sort of thing that are really actually connected to everything else so getting down into kind of our structure from here what we're able to do is either from a component activity or objective toggle into our risk response trees so coming out of independence i have you know a set of six example risks in here and i can view all six of my independent risks coming out of this independence component activity but what i can also do is i know that these risks are risks to achieving quality objectives so they have a relationship to the quality objectives um that they're at risk for so what i can do is i can also drill into a specific objective to see the risk response tree there so out of these six risks and independence four relate to this oe1 objective that i have within the system and then you know coming through our risks we can drill into our responses and then finally down into our testing work um so this is really meant to show kind of all the interconnected um relationships that exist within the system and then also you know in the event we have cross-component relationships also show those there so we know that we're going to have risks that respond to objectives you know in the component that they probably sit in but also objectives that sit in other components we know independence is going to hit acceptance and continuance for example and then coming out of this hierarchy view we can also view the underlying detail of all of these items so if i click into a risk click into a response it's going to pull me into the underlying item detail page for that item and so here we have all of the underlying information that we're capturing for this risk as well as the relationships that this risk has to other items within the system and its ownership and going into a response again capturing a lot of information here um this is really you know representative of all the work we're all going through to capture our risks and responses that exist at our firms so coming from here um you know moving away from this hierarchy view now that we have an understanding of how our system equality management is structured i'm going to talk about kind of all the underlying features that make the app actually work and so i'll head into our admin section so the first thing within our admin section is going to be an audit log and so what we're doing in the system is as people are making updates um changes deleting items anything within the system of quality management it's going to be tracked in this audit log which provides underlying details of like who changed what and when and it's also available as a download to excel um so this ensures we have like kind of that full audit trail we need um coming through our system of quality management within our default section this is a way for firms to essentially configure and tailor qm.x to work for them and so what we have here is the list of standards that we're working under and so within the us i mean there's a lot of standards in here right now that we're testing with but in the u.s we're going to be working with isqm1 probably an aicpa standard that's coming down a pcob standard or gt member firm obligations firms are going to need a way to customize the list of standards that they're actually you know working under and a way to tag their objectives and requirements to these specific standards um so this standards defaults configuration allows like firms to do that and then what we also have is a risk level configuration so right now in qm.x we have one overall assessment of risk three levels of risk we have a higher lower and normal risk right now what we can do is we can relabel those risks for whatever word choice that a firm wants to use um however we are building out like full scale risk configuration so it can be a separate assessment for likelihood and magnitude we'll have anywhere from three to nine levels of risk for all of those items um and firms will essentially like kind of any sort of risk you know structure that they're using they'll be able to configure and custom tailor qm.x to use so that's where we're headed over the next few sprints in development our export data feature is going to allow um people to actually export data out of qm.x so if they want to use a data export to just send like an email to someone really quick or develop more reporting they'll be able to export data here and then we also have um data exports that are really meant to help with like gap analysis making sure that your system equality management is really complete i call these like maintenance queries and what we're also working on with kind of our data export feature is integration with power bi as well so that any additional reporting that you don't see in qm.x that you want um you'll have the tools you need to actually like build that out you know if you have power bi and that's something you use at your firm our import data function is probably the best way to get data into qm.x so qm.x doesn't come with any data you know it's really up to individual firms to go through that effort of gathering data at their firm and uploading it into the tool and so our import data function makes it really easy to get your data into the tool so if i open up my template here what we have within the template is a way to upload everything from components all the way down to what we call our testing plans and so these upload tabs are really simple to use you fill out your information within the tabs we have import instructions on all the data standardization we need and what we can also do within the import function is also import in all the relationships so if we have something like a risk that relates to multiple objectives we can actually list out every single objective that that risk impacts and it will automatically create those relationships in qm.x for you um so the import template is really you know the best it takes a little bit of time up front you know a little bit of effort to get your data into the import template uploaded in the tool but once you do that um it's all kind of automatic within qm.x from there doing all that relationship mapping getting the data into the tool and then we can also upload our testing plans in advance so this is going to be stuff like the name description the due date um kind of the testers and reviewers we've identified for testing work and then those tests are also available in qm.x so that testers can actually go in and start filling out the tests up next we have our periods function and so this is going to be keeping track of evaluation periods and so for instance right now we're working in our 2022 period and so we've can set up evaluation periods within the system and then what we can also do is freeze and roll forward evaluation periods so freezing an evaluation period is essentially once your evaluation is completed for the year you want to freeze it so that you can access it at a later date but not change any of the information in there and so that's going to enable you to view prior periods but not make any edits to them roll forward is how you roll forward your data from one year to the next evaluation period just because we know that we're not going to want to go through like an import template process every single year to get data into the tool um so we'll be able to roll over everything that's relevant for the next evaluation period and we also have a hard delete in here i'm using the hard delete a lot right now just because we're testing things and i'm getting data into the tool um re-importing but what hard delete is actually there for is for once you're past retention periods and actually want to like delete it out of the system you can use the hard delete um to completely wipe the database of you know the data that is in your system of quality management our users function is how we assign users to qm.x we've got some standard user roles here you know such as system administrator you know the person who has access to this whole admin panel editor has like global edit access to the items reader can come in and read um items in the system of quality management but can't make edits a report reader only has access to the report tab so maybe they don't need to see the day-to-day detail but want to see kind of the overall reports and then we have a concept of an item owner and an item owner is a person who owns a particular item within the system of quality management and so they have edit access to that particular item or items that they own but not any of the other items within the system we also have some export functionality here as well okay so getting back into kind of the day-to-day work in the application we'll go to our items tab next so within the items tab we have an item search where you can search for particular items in your system of quality management you buy item type by particular owners actually selecting down to a particular item if i select down to a particular item it's going to pull that specific item and then all of the items that relate to that item as well so another instance where we're really showing the relationships that exist between these items and what we also have is a create new item page and so our create new item page is how you would manually add information to the system equality management and not have to go through the import template process if you're adding something incrementally and so what we have here is a template for every single item within the system of quality management except for a finding which gets added elsewhere and within these templates um you know they are templates for that particular item so you can add your ownership all of your underlying detail you know getting back to our default configuration this is like an area where those you know items that you've configured in the defaults like become the items you can select from um when you're manually adding items or also in the import template and then you can also do the relationship mapping manually as well coming back to the item search what we also have is our tests and findings workflow and so again you know we've uploaded our test plans in advance possibly through the import template if i want to go in and actually fill out a test i can click into a test and it's going to pull me to our testing page and so here we're capturing different information about the test kind of the basic information that we've already captured we're concluding on design and operating effectiveness and then what we're doing is we're actually uploading our underlying testing detail so we know that testing is not necessarily something that we can just create one template to rule them all in qm.x it's going to be you know the testing work that's performed is going to be different depending on what the response is the level of testing especially depending on what the response is to these risks and so we have an upload function that allows you to upload all that underlying testing work you know sample detail and so on into qm.x so it's available for reference and then within the tool itself we are capturing you know our overall conclusion so that we can see that you know through our reporting coming out of the application a test is one way one area where you can also create a finding the other place you can create a finding is from our components page since we know that not all findings are going to be derived necessarily from testing work and so um if designer operating effectiveness coming out of our testing work is going to be a no we're going to need to generate a finding and so i can do that um you know through this workflow and so if i just create a finding i can come through here and get it into the system and then that's going to save and so then if i click into this finding um i can i have more options right so at that first finding level i am assessing my finding so i'm going through i'm you know discovering the nature of the finding the pervasiveness and magnitude documenting those details um setting up all the relationships and so this finding you know really has three different paths forward it can stay a finding it can stay a finding but we decide to remediate that finding in which case i would add my remediation section to my finding report or it can be elevated to the status of a deficiency and so if it gets elevated to the status of the deficiency i would add my deficiency details section the evaluation changes to a deficiency and then i would also be adding my remediation to my deficiency since i know that you know once i've done my root cause analysis for my deficiency i also am required to remediate um so that goes through kind of our test findings and deficiencies like workflow as well what we have next is going to be our reporting functionality and so within qm.x we're going to have these six reports and then we'll also have a seventh report for response details um which just hasn't been added to the system yet and so these reports um represent kind of that core reporting functionality that like everyone is going to want to see and so within our reports i can click into my risk and response matrix and within our reporting setup we have kind of the same set of filters that we're working with so what we can do is we can filter by component in order to see kind of the specific risks and responses we want to see and we have options to multi-select as well as select all and then we can optionally use either the component activity filter knowing that maybe not every firm is going to necessarily have component activities it's optional to use this filter or we can filter by a particular objective and what it's going to do is it's going to pull all the risks related to that objective component or component activity and then it's going to pull all the responses that respond to those risks and then within this report you can export these reports to excel as well as pull up the underlying item detail which are all available as hyperlinks our risk heat map report shows the risk heat map for a various component component activity or objective including the description of the risk the overall risk assessment of those risks and then showing kind of that aggregate breakdown by risk level our test status view is going to pull a list again same sort of filters but we have some additional filters to really narrow down that population so what our test status view is going to do is it's going to pull the results of all the testing work that's within the system the responses that that test is actually testing you know the key dates the statuses and then whether a finding and deficiency has been derived from that testing work as well as show you you know for the tests testing these responses the ultimate risk breakdown of the risks that these responses are responding to our objectives report is going to show four particular objective the ultimate responses and testing work that are indirectly related to those objectives through the relationships with the risks as well as any findings and deficiencies that are ultimately hitting those objectives and then this over on the right side here we're working on these visuals here but these are going to be ultimate breakdowns of if i have an objective where are my responses sitting as far as my components and component activities go so really a way to show kind of these cross component relationships within this report but the requirements report is a report that shows for all the requirements in the system the ultimate response and then findings and deficiencies like work stream coming out of that as well as showing you all your specified responses and so this is a way to show for your specified responses if you have any findings derived you know from those you know specified responses and themselves and then finally we have the findings and deficiencies report and so this is going to keep track of all the findings within the system of quality management so here i've got three findings that i've added to relevant ethical requirements three which are you know evaluation in progress some of the associated items i think it's just pulling one of the associated items right now it'll eventually pull all of them you know the overall nature of the finding shows that as like kind of this aggregate bar as well and then once the finding gets elevated to a deficiency it'll move on to the deficiencies tab and then for any finding or deficiency that's remediated that remediation detail is going to show on this remediation tab here kind of the last piece within the application itself before we move into some of our upcoming features is evaluations and so within isq m1 we know that we have to at least annually evaluate our system equality management um to make sure that the quality objectives are being achieved so we've built in a mechanism for evaluating the system equality management and so what we can do is create a new evaluation and so an evaluation is going to have a name and then it's going to have an as that date saying that you know as at as of this date this is when we've performed our evaluation of the system equality management and so our evaluations work in three tiers so first there's a component evaluator assessment and so what we can do for every component is have the component owners be listed as evaluators as well as add any additional evaluators you want to um to like take a second look at that component and then once all the component owners evaluate it moves on to the person who has the operational responsibility of the system of quality management and then to the ultimate system of quality management owner so if i click into one of these that's in progress you know this one here is a component owner evaluation and so for instance i'm listed as a component owner here i'm able to go in and click into any component that i'm an evaluator of and so if i click into this i can come in and fill out this form sarah is also a component owner and so she would also be coming in and filling out this form as she does her evaluation and so here we're confirming you know quality objectives quality risks responses any self-monitoring testing work it's going to pull out automatically any of the deficiencies that have been created within the component so it pulls the list of the findings that you can actual or the deficiencies that you can actually click into and see and then it lists those all out so you can confirm that you have reviewed all of these and then you ultimately um you know perform your overall conclusion once all the component owners evaluate um the tab becomes available for the operational owner let me see if i have one i don't think i have one that's like actually in progress um but once the component owners evaluate it moves to the operational owner evaluator that tab becomes about available once the operational evaluator evaluates um the system equality management owner tab becomes available they perform their evaluation and similar you know form um that they're filling out with like optional text boxes to add more detail but once an evaluation is complete it comes to this read-only version of the evaluation and so it has all of the information um that you know an operational evaluator system equality management evaluator component owners the actual individual responses here um this is a copy of their responses as well as we have this like icons to indicate you know for instance here i have you know an except for so i'm concluding that this is good except for a few items um that i've documented um so we really have kind of that full view of you know how the system equality management was evaluated going into our demo slides next um you know we created these demo slides kind of at the beginning of our journey and so most of these items here you've actually seen within the application itself but there's a few screens i want to make sure that i touch upon so i can click into my status screen here this is going to be the um other view on our overview tab so we've seen the hierarchy view but we're also building out the status view that gives a more like high level overview of what is happening component by component and so what we can do is we can you know click to see different views and so right now this is showing me some test statuses of my component and then i can also um you know see something like my findings click into that drawer and then i can drill down into my components to see you know overall statuses for all these different items so here this view shows me the findings the risk assessments the response types and the test statuses of those items that have relationships you know within this component another view we're working on is the my items view and so this is going to be really tailored person to person of the items that they own within the system of quality management similar to our status view it's really showing kind of like overall views of these items of these items that you own and the relationships that these items have to other items and so if i scroll down for instance i have requirements so it's going to show me the cumulative response types of all the responses that respond to my requirements as well as for each requirement itself all of the related responses similar views for the objectives with showing kind of the overall status of the risk assessments of the risks related to that objectives as well as the responses that respond to those risks you know risks you know the important relationship there is going to be the responses like responding to those risks the responses will show kind of the test status of the tests that are testing those responses and then any ultimate findings that are being derived from that testing work and then tests and findings as well have information about where those tests are in progress and kind of where those findings and deficiencies are so this view is really tailored to the items that a person particularly owns and cares about within the system of quality management so that they don't have to dig around and find them kind of elsewhere within the tool finally i think the last screen i want to show here is our commenting feature so this is a feature that we developed in sock.x that we really loved and that we wanted to pull over into qm.x and make sure that we have here as well and so comments allow you for any item within the system to pass comments back and forth about that item maybe their review notes you can at mention people so that they'll get a notification we have a notification bar up here um you know you can create threads resolve threads and so on and this is a way to add a little bit more project management to qm.x and then what we'll also have is a comments tab over in the navigation pane where you can click into the comments tab see all the comments of people who are responding to you have mentioned you comments on items that you own so that you can keep track of you know kind of the discussion that's happening within the system