Optimizing SOX Compliance Through Wdesk Implementation Dallas IIA Super Conference October 22, 2018


Optimizing SOX Compliance Through Wdesk Implementation

Dallas IIA Super Conference, October 22, 2018

AGENDA

• Introductions
• Overview
• Background
• Implementation Challenges
• After Year 1 Implementation
• Benefits
• Key Take-Aways
• Q & A

1. Introductions and Overview

Robin Stephenson, VP Internal Audit, Tribune Publishing Company

Erika Martinez, Manager, Advisory Services, KPMG LLP

Overview

Objective of today’s session is to share lessons learned and benefits obtained from implementing the cloud-based SOX compliance tool, Wdesk.

®2018 Tribune Publishing Company

2. Background

Prior to implementing Wdesk:
• SOX tool - Excel based templates
• Sharepoint site for storing some documentation but not all
• Home built repository for storing some SOX evidence

~ 300 SOX business process controls
Multiple systems/ applications

Challenges included:
• Acquisitions, organizational changes/ restructuring
  - Changes in control owners, new controls, new systems
• Multiple stakeholders
  - Corporate Compliance group, Internal Audit, External Audit
• Tracking evidence requests

3. Implementation Challenges

Implementation challenge: Not having a dedicated project manager (vendor or tronc)
Resolution: Took over responsibility, dedicated project manager, regular mtgs with vendor

Implementation challenge: SOX evidence repository – separate build
Resolution: Specifically noted in contract, monitored closely

Implementation challenge: Readiness / go-live – data loaded, basic system set-up vs ready to use
Resolution: Adjusted timeline, regular touch pts/ mtgs including in-person mtgs

Implementation challenge: Customizing walkthrough templates and test plans
Resolution: Specifically requested a separate hands-on demo, regular follow up mtgs to answer questions

Implementation challenge: Building tables for reporting, charts and Dashboard – understanding how to build, how data flows
Resolution: Specifically requested a separate hands-on demo, regular follow up mtgs to answer questions

Implementation challenge: Technical issues (pages freezing, slow load time, other issues)
Resolution: Regular touch pts/ mtgs, including in-person mtgs, with detailed list of questions. Developed issues log for tracking issues & resolution

Implementation challenge: Original training was limited (generic, high level, technical how to’s), not a detailed program user manual
Resolution: Developed our own user manual, providing more education on how the data flows, impact on dashboards, etc

Implementation challenge: Permissioning/ User Access – understanding roles (admin, manager, tester, control owner). Customizing for restricted external auditor access
Resolution: Regular discussions and testing of access

4. After Year 1 Implementation

Refining processes

Integrating reporting by other users
• Compliance and issues management reporting
• Control owner certifications

Policies and procedures
• On boarding
• Control guidance documents

Refining existing reporting
• Audit committee slides
• Controls status by tester

After Year 1 challenge: Change log not user friendly
Resolution: Review change log on weekly basis and perform back-end reconciliation periodically of latest Risk & Control Matrix (RCM) to Walkthrough templates

After Year 1 challenge: Inability to lock down control description of completed tests – (live feed from RCM)
Resolution: Review change logs, recon noted above – add note to test plan (original control wording vs new). If minor change, no further steps. If major change, will need to re-open test plan and re-test.

After Year 1 challenge: Post go-live, upgrades, lack of notification
Resolution: Requested to be added to notification list (not done automatically)

5. Benefits

• On demand reporting - Live data
  - Dashboard, Leadership/Audit Committee slides (Screenshot 1)
  - Outstanding PBC/ evidence requests (Screenshot 2)
  - Status of control testing: by stage of completion; by due date, by tester, by reviewer (Screenshot 3, Screenshot 4)
• Program management
  - Tasks by user (Screenshot 5)
• Year end control owner inquiry/ certification process (Screenshot 6)
• Access to documentation
  - Control owner, management
  - Internal Auditors
  - External auditors
• Live data updates
  - Changes to RCM (e.g., control description), updates Narratives, test plans
  - Also has challenges (changes control wording even if test complete) as noted earlier

Screenshot 1: On Demand Reporting – Dashboards, Audit Committee slides

Screenshot 2: Tracking requests - evidence, populations, samples, other

Screenshot 3: On Demand Reporting - Status of control testing, by stage of completion

Screenshot 4: On Demand Reporting - Status of control testing, by due date, by tester, with control ID

®2016 tronc

Screenshot 5: Managing Tasks/ Workflow – By User

Screenshot 6: Certification Process – year end control owner confirmation


6. Key Take-Aways

• Project Management
  - Lead efforts, dedicated project manager
  - Plan for extra time for customizing reports, templates, user access
• Track Issues & Resolution
  - Develop issues log, discuss at regular meetings with vendor (Workiva)
• Training
  - Develop user manual
• Utilize on-going support to enjoy further efficiencies
  - On demand reporting
  - External auditor reliance
  - Integration with other users, stakeholders

7. Q & A

THANK YOU.

Robin Stephenson, VP Internal Audit, Tribune Publishing Company

Erika Martinez, Manager, Advisory Services, KPMG LLP