Workiva Inc. (WK) Earnings Call Transcript & Summary

Well, hello, everyone, and thank you for attending today's webinar, where we are going to do a case study around digital transformation for stocks, internal audit and compliance. My name is Ernest Anunciacion. I'm going to be your host and moderator today. But before we get started, I do want to cover off on a few housekeeping items. At the bottom of your screen, you're going to see multiple application engagement tools for your disposal. All of these are going to enable you to resize and move some of the windows around. So feel free to play around with that and maximize the amount of space that you have on your desktop. You can also expand the slide area to maximize the flow screen by clicking on the arrows in the top-right corner. [Operator Instructions] We're going to try and get to as many of these as we can throughout the presentation. But if a more robust and fuller answer is acquired or if we run out of time, we'll be sure to e-mail you those responses at a later date. So please note that we are capturing all of your questions. Now for those of you who are looking to receive CPE credit for today, note that we are going to ask you for CPE multiple-choice questions throughout the presentation. And receiving that credit is going to be dependent upon submitting at least 3 answers to 4 of those questions as well as attending the full duration. So if you're watching this in a group, it's highly advised that you sign in or log in individually so that you are ensuring that you're going to get that credit. The questions will appear within the slide window, and there's going to be a limited time -- amount of time. We want to make sure that everybody has ample time to submit answers to those questions. So just be ready for when those questions appear. And once you've met those CPE requirements, your certificate will be available via download in the CPE Certificate Engagement tool on the screen. We'll also send it in a post-event e-mail. Unfortunately, if you have any technology issues and you're disconnected from the presentation or if there's anything else that happens that prevent you from qualifying, we're not able to issue that CPE as well as if you miss those polling questions. So again, want to reiterate to be on alert for those. Finally, when you do have a moment, there are some survey questions on the right side of the screen thereof the presentation. If there are more than 5 questions, you may need to scroll down. So let's be sure to provide that feedback. So let's go ahead and jump in into our introduction. So once again, I'm Ernest Anunciacion. I'm part of our product marketing team here at Workiva. I've been with the company for a little over 4.5 years now. And I come away after being a practitioner in the space of audit risk and compliance. So I was a former Chief Audit Executive. I've worked with a number of GRC tools in the past. I've done everything from Sarbanes-Oxley, internal controls, enterprise risk management and public accounting. So with me today, I am joined by a couple of gentlemen and scholars who are going to take us through that journey of digital transformation. I'll turn it over to Bill here from Clearwater Group (sic) [ Clearview Group ]. Bill, do you want to do a quick introduction to the audience here?

Sure. Thank you, Ernest, and thank you, everyone, for joining us today. My name is Bill Hatcher. I'm a senior manager with Clearview Group and also served as the President of the Northern Virginia chapter of the Institute of Internal Auditors. So I spend a lot of my time in the world that Ernest described of internal audits, Sarbanes-Oxley and IT advisory services. I have about 13 years of experience there on the professional services side. And just a quick tidbit about how Clearview fits into today's case study. Clearview is -- offers full service of consulting services, including fully outsourced and co-sourced engagements for SOX compliance. And it's really through those fully outsourced SOX compliance engagements that we were looking for a tool that could help us facilitate the process from end-to-end for our clients. So from documentation requests and collection to testing, to hand off to the external auditors. So we went through a very similar kind of requirements exercise that Robert will describe in just a moment. And we came across Workiva as the tool that worked best for us. So once we really got comfortable in the tool, it seemed logical that we should provide that same offering to our clients. And so we became certified implementation partners with Workiva, where we not only used the tool for our own fully outsourced engagements, but we also helped implement the tool for our clients that either perform the SOX engagements themselves or had us in a co-source capacity. So look forward to talking through more of that implementation process with you all, and thanks for joining us today.

Thanks for that, Bill. And the man of the hour here, the man, the myth, the legend, Robert Schmollinger. Would you like to do a quick introduction for the audience?

Yes. Sure, Ernest. Thanks. I'm Robert Schmollinger. I got 25 years of experience working with governance risk and controls. Most recently, I led the internal audit function at a global software company and partnered with Workiva and Clearview to implement the Wdesk tool to basically enhance and finalize our transformation effort at my former employer. So that's the story we're going to be telling today. And with that, I think we have a polling question before we get started.

So what organizational function -- oh, sorry. Go ahead.

Go right ahead. Yes, you got to love these live ones. Go right ahead, Bill. Go ahead with the question.

Yes. What organizational function do you represent? [Voting]

As we give folks a few seconds here, so whether you're part of internal audit, compliance, enterprise risk management, external audit, go ahead and submit your polling questions there. And I think we're captured just about all of them. Let's go ahead and shift gears now and talk about the agenda for today's presentation. So we started off with the introductions. We'll give you a little bit of an overview right now in terms of the landscape that we're seeing from kind of a risk management perspective. And then from there, we'll shift gears into the case study where Robert will talk about his implementation at that software company, not just from a technology standpoint, but also the process fixes and then the consultation that Clearview was able to provide. Then we're going to get into the latter part of our presentation, which will cover off on what the implementation process looks like. And Bill will go into kind of details of the different phases involved there. And then obviously, within the presentation, we'll wrap it up at the end with questions and answers. So first section for today, the digital transformation overview. Robert, do you want to give kind of a high-level talk track around what we're seeing within the market and how that complexity and the risk landscape looks today?

Yes. So I'll give kind of a historical perspective. As I stepped into the role in 2016 at my former employer, we were looking at a complete redesign of the internal audit function. And I was looking that to go through and make changes to both people, process and tools, all 3 of them. When I got there, the function itself was separate from the Sarbanes-Oxley program management office, which was separate from the enterprise risk management process, which was actually managed by our legal department. And there was no connection with our process owners who were actually executing the accounting transactions within the organization and creating the evidence that my team eventually would test for compliance reasons for SOX or for internal audit purposes. In addition, you layer in the emerging risks of GDPR in 2016, the new rev rec standard, ASC 606, had not yet been implemented. And it had a huge impact on our company as a software development and sales company. And then you also had all the existing risks that go into just big day-to-day operations. So we were going through that. And in addition, the company specifically was looking to transition from an on-prem software that was managed by the clients to a cloud-based solution and become a Software as a Service, SaaS tool that would be managed out of the cloud. And when you do those types of things and you're getting ready to make those types of changes, you increase a number of risks, specifically the cybersecurity risk around your client data and how you manage that and make sure it's protected. So we were -- that's what I faced when I stepped into the role in 2016. And my first order of business was to go through and assess my people, then we started looking at process and tools. So once I had the team that I wanted, I then started looking at different tools to support how we wanted to execute in the process that we wanted to put into place. And we went through the valuation process and landed on the Workiva Wdesk tool as the one that was the best fit for our organization. So I don't know if you want to add a little bit more color around the risk profiles that you're seeing in the broader market. But we were definitely facing some very specific risks. GDPR was emerging. The new rev rec standard was going to have a big impact on us. And by the way, we were changing the way we were doing business. So it was a very stable, well-managed organization, and we had no issues at the time.

Yes. Robert, so you bring up some of those things from a regulatory standpoint. That environment is always under scrutiny. And obviously, organizations are kind of under the microscope. But then you take into consideration other external factors that may not have been part of your risk assessment originally. Let's rewind back when we first did this presentation back in January, as Bill mentioned, he's the President of the Northern Virginia chapter. That was pre-COVID, and so the conversation around what some of those externalities look like has fundamentally changed drastically over that course of time. And so when you think about some of the initiatives that you had internally, and then you factor in all of the other things that are happening in the outside world, whether it is new accounting regulations, if it's new mandates and compliance laws that are coming into place, I think the kicker there is that, that risk landscape is so complex. And so for organizations who are looking to streamline their processes, looking to get ahead of risk starting off, like you said, with, first, your people then getting into your process and tools. That's something that we've seen quite a bit within the industry in terms of a framework to get into more operational excellence and efficiencies. So one of the other things that we want to highlight here with the audience is, when you think about the impact of a certain risk, whether it be something catastrophic or something that makes headline news, we want to quantify kind of that impact, what it means, not just in terms of dollars and cents to the organization or shareholder valuations, but there's also a reputational element there. And so we pulled a few of the headlines that have come out from newspapers over the past 1.5 years here, just to give the gravity and the scope, the depth and the breadth of what companies are kind of facing in this time. And so, Robert, any thoughts in terms of what we've seen in these headlines? And I mean, ultimately, I think as a former CAE, one of our missions is to stay out of the newspapers.

Yes. I think reputation risk is something that more and more Boards and Audit Committees are starting to factor into their considerations when it comes to how they want to manage the overall, I guess, portfolio of risk. And they're really worried about when their name gets dragged into the headlines in a negative way. I know that there's the saying, there's no such thing as bad publicity, but I think if you ask Wells Fargo and some of the other folks who have had compliance issues in the recent past, I think they would argue with that. From a specificity perspective for the entity that we were working with, we actually had 2 items that kind of acted as trigger points for our executives and Audit Committee. One was an issue with some inappropriate behavior by a subsidiary in Latin America. And we ended up having to do a fairly extensive investigation into the business operations in our Brazilian subsidiary. And then in 2018, we went through the SOX evaluation and ended up identifying a material weakness within our internal control framework. And when we came out of that material weakness at the end of 2018, I had gotten everybody's attention and had a tremendous amount of support to go through and work with you guys and with Clearview to make the process work better. And that's -- that was kind of the final push that kind of tipped my Audit Committee to go ahead and approve the implementation and spending the money to bring Wdesk into the organization. So that -- again, you hate to see negative things be the reason for why you do it. But unfortunately, I think that that's where we end up a lot of times, as you got to get your hands slapped or get yourself in some trouble before you're going to take action. It's unfortunate. And hopefully, those of you that are on the webcast today can persuade your Audit Committees and executives to maybe take action before something negative happens.

Yes. Too many times do we become victim of being more reactive versus proactive. And there's nothing quite as a forcing function like having an ethics violation or a fraud investigation, headline news like this or even a material weakness or a control deficiency coming up in your financial statements, right? So I think one of the biggest challenges today, when we look back at that risk landscape and the complexity of it, that is the fact, right? And so managing that risk in today's environment is complicated. And we've seen a lot of strategic priorities and organizational objectives being forced to shift in ways that people have never imagined before and even looking at those fundamental business models are being forced to innovate. But based on some data that we have gathered through multiple surveys, a lot of teams feel like they're focusing way too much time on efforts, on things that don't necessarily add that value to the organization. When you think about gathering data to support your testing or evidence, babysitting document requests or perhaps even doing the wrong audits, going back to the whole COVID and the global pandemic, how many of us had something that's massive on your risk assessments. I think the worst part about it today is that the tools that people are using have failed to change with those times. And so there's this latent source of discontent with the technologies that are currently available today. You don't get visibility into the information that you need in order to become trusted business advisers. And so Robert, I think you had a great example there where, look, you've got the Audit Committee's attention, and this became a priority for what you were doing at that company. I'm interested, though, Robert, we like to talk about universal process challenges. Does this look familiar to you at all?

Oh, yes. When you think about the different systems and processes that I inherited when I got to this organization, it was something that kind of made my head spin when I started trying to figure out where data sources were, what was the source of truth. Yes. The most frustrating thing that I've had was when we would go through and my team would execute a set of tests against data that were provided to us by the process owners. And we get through our test, and then the process owners would sheepishly come to us and say, "Oh, I'm sorry. I gave you the wrong schedule." And you kind of, okay, well, that's a couple of hours worth of work down the drain. And then we basically had to redo everything. It's one of those things that as a audit leader kind of pulls your -- you want to pull your hair out. I think the other thing is you also have to worry about the -- when you have questions about the authenticity and the data sources, then you've got to worry about, well, how much trust and confidence do the process owners have in the data that they're using on a day-to-day basis. So one thing that I really -- I think we'll talk a little bit about benefits on the back half of the presentation. But I am really -- one of the things that was really good for us as a team was we started closing things down so that if we may -- if we had a single source, it would populate throughout the tool. And we didn't have to worry about whether or not somebody had gone back in and updated to rack them because -- or I'm sorry, a risk and control matrix, because we had made a change on a process document within one of the individual process flows. And those types of things were also very frustrating internally. And those were self-inflicted wounds because we were using SharePoint and Excel and Word for all of the documentation for the SOX, processes and controls. So you'd have these great Visio flowcharts, these narratives that were written up in Word. You'd have flowcharts that were in Visio. And then your risk and control matrix was in an Excel document. Well, none of those things were connected. And so every time you made a change, you'd have to go through and make sure that all the other documents that were attached to wherever you made the change that they were updated and updated appropriately. So it was very time-consuming, back to your point, where instead of doing analysis and evaluating controls, my team was spending a lot of time making sure that our documentation was in sync across 3 or 4 different platforms of software. And that was extremely frustrating when we first got into the organization and started trying to make things more efficient and better. So again, this is one of those things where I think you -- that inefficiency is difficult to articulate in a way that resolves in dollars and cents, but once we had the new tool, it was very easy to show the CFO and the Audit Committee what we were doing because we had the tool. And now that we didn't have to kind of herd the tax of documentation, we were able to be more efficient and bring more work to the table and do more analysis -- do more in-depth analysis around controls, which added value to the organization. But it's really hard to sit there and put a dollar sign in front of that when you aren't -- when you're not doing it. Theoretically, I knew that we were spending a lot of time keeping all of the documentation in sync, but it was difficult to quantify. And that's one of those things that I think anyone who wants to go down this journey should definitely think about how much work are you doing to keep all of your Microsoft documentation in sync. Even if you've got a good tool, like SharePoint, to keep it housed and secure and version-controlled, it's still difficult to make sure that the change you make in a process narrative flows through to the flowchart appropriately and the risk and control matrix and ultimately, to your testing documentation.

Yes. I would -- go ahead, Bill.

I would just add to what you said that I think some of those efficiencies we gained actually led to more quality, too, because there's no hesitation to make updates when they're available. I think, in some cases, may be additional information is available, but there could be hesitation that, I don't want to add that to the narrative because then a lot is added to the RCM. And it's not out of laziness. It's out of wanting to focus where your time counts the most. So I think that the linked data that we'll talk about is really not just efficiencies, but also it contributes to quality in the documentation.

Yes. It's a great segue. When we talk about those disconnected processes, the disconnected documents and data within the system, it really leads to these unintended consequences. So whether it's introducing more risk or perhaps creating inefficiencies, not only to the teams involved but the company as a whole. This ties back to some of the challenges of managing that risk landscape that we talked about earlier. So let's get into our second polling question here for the audience. And this question is, which of the following best describes your role? And so you see the 4 options there. We'll give people a little bit of time to enter whether you're a staff or senior; perhaps you're on that manager or at that manager or senior manager level; Director, Senior Director or VP and above. And we'll give a few seconds here before we get into the next part of our presentation. [Voting]

And Bill, are you clicking? Stop clicking. We got to give people the ample time to get there or poll questions out there. You might be on mute.

Thanks, Ernest. I was submitting my answer.

There you go. Okay. Let's get into the next portion. And we're going to change it up just a little bit here and do kind of a panel discussion. We're going to throw some questions over to Robert that folks are interested. When we talk about this digital transformation, what did it really entail? We're getting some of the weeds. Robert did a great job of laying the foundation and the history and kind of the genesis for the project, but let's get into -- and put some meat on the bones here. So first question here: Robert, talk a little bit more about what the previous risk management environment look like for that company that you mentioned earlier. What was kind of the current state at that point in time before you went into the digital transformation initiative?

Great. So when I landed at the organization, there was a separate risk assessment process that was being done by the internal audit function to come up with their internal audit plan for the year. There was a SOX risk assessment that was done to help drive and prioritize the work within the compliance program -- the SOX compliance program. And then there was a third enterprise risk assessment process that was done that was managed by the legal department that looked at broader, more strategic risks, but also got into some of the more tactical risks that the internal audit function was looking at. Unfortunately, there wasn't cohesive and collaboration between the 3 business units. So you might have internal audit risk ranking something as being a lower risk, where the enterprise risk management team might have come back with it as being a higher risk. You also had some discrepancies between the way the financial team was looking at the SOX risk and the way the internal audit function was looking at it. So it definitely created some confusion amongst the stakeholders in the organization. They were wondering why did internal audit say that this wasn't a high risk, but yet is being tested for SOX purposes. Why were the enterprise risk management folks looking at something and asking for a management plan -- a risk management plan when internal audit has said that they weren't going to include it on their audit -- annual audit plan for the year. So those types of things were certainly, again, causing confusion within the organization and really diminishing the value that people saw from all 3 of the different groups and the risk assessments they were doing. So one of the first process changes that I was able to work through within the organization was to sync all of those up. And ultimately, I became the person -- and my internal audit team was solely responsible for the risk assessment process in the organization. And we used kind of a top-down where we kind of started with an enterprise risk approach and then slowly kind of peeled the onion back until we got to very specific financial statement risks that drove the Sarbanes-Oxley compliance program, but also helped direct the internal audit efforts -- the other internal audit efforts for the year outside of Sarbanes-Oxley. So that was, I think, a big win. It took us about 18 to 24 months to get there, but that was a big win from when I landed in 2016.

That's great. And so I think following up on that then, Robert, what was kind of the impetus for embarking on digital transformation? Why digital transformation? And what were some of the requirements that fed into the initiative?

Well, like I said before, when I stepped into the role, we had basically separate tools for the internal audit team, for the Sarbanes-Oxley team, for the enterprise risk management team. We also had our process owners and the stakeholders within our finance and accounting function who were housing their data in a completely separate and different location as well. And there was definitely some crossed wires because of all the differences in the tools that were being used. And the other thing, and we talked about that a little bit as well, that even within the internal audit function, the tools that we were using to collect and uses our evidence for our testing and our work, there wasn't -- it was Microsoft products. And the -- hold on. I got to stop. My cat is trying to get in the room. These are great things going live. Hopefully, we can cut that out. All right. Anyway...

You got to love COVID.

Yes. So anyway, the idea was that even within the internal audit team, we had tools that were not synced up. So we were using Microsoft Office products like Word and Excel, Visio. And there wasn't -- if you made a change in one, you'd have to manually go through and make changes in others. And quite honestly, in 2016 and 2017, when we were talking about this, that didn't make a whole lot of sense to me given the fact that the Wdesk tool was out there. There were other tools that were out there, where you can make a change once and it would flow through the rest of the documentation. So that, to me, was a big effort. The other thing is from a time of speed to get things done, if we could create a process where we could get electronic data into our testing tools and we didn't have to wait on our stakeholders and the process owners to push that data over to us: a, that would make it quicker; and then b, we could also -- we had a little bit more confidence that the data we were pulling was the data that we wanted and that when we conducted our tests and conducted our work, that there was going to be a good outcome on that work. So as far as the requirements go, given that landscape where I wanted to see a change made once flew through the documentation, where I wanted my stakeholders to be able to access and potentially become more of the owners of the process documentation. One aspect that I haven't talked about was the fact that the SOX program management office, which was really just one person with some contract help during busy times, that program management office became the de facto owner for process documentation. And what we had on a number of occasions were stakeholders who were actually executing the processes who started to get irritated because the documentation, the auditors were using to evaluate the controls were at a date, hadn't been updated. And it wasn't any one person's fault. It was just a fact that it just wasn't clear as to who is responsible to make sure that those documents were updated. And so -- because nobody was responsible, no one did it. So what the other requirement I wanted was to make sure that people who were executing the processes, those stakeholders, they would have access to the documentation. They would have the ability to go in and make conditional changes to documentation. And then my team and internal audit, they could go through and evaluate those changes, make sure that they were appropriate, that they met the appropriate criteria for control objectives and risk mitigation factors and that the -- and essentially act as quality assurance around the documentation. So that was another key factor for us. The other thing was use of -- ease of use. We -- my team, the background, most of them had never used an audit management tool before. I had previous experience with Wdesk and a couple of others in other assignments and with other clients when I was doing consulting work. So it was -- I knew what we were getting into, but my team was fairly naive around what they were going to be doing and how to use those tools. And I wanted something that they felt comfortable with and felt like it made sense to them and it was -- it made sense with the process and the approach that we were taking to both our internal audit work as well as our Sarbanes-Oxley work. So those were kind of the key requirements. And the last thing that we were trying to determine was how do we provide -- show that there was going to be value. And that's one where we -- again, it's difficult to put a dollar in cents. What I didn't want to say is, "Hey, if I implement this tool, I'll be able to reduce my headcount by X." To me, that's not one of the benefits of implementing an auto management tool. Really, what I want is my team to be able to do better analysis, get deeper into the processes because they don't have to do as much of the busy work to determine that the work is good and that the testing is sufficient and appropriate. So I think -- I'm not sure if I got all the requirements, Ernest, but I think those are the keys and the highlights.

Can I add one more for you, Robert?

Unfortunately, I didn't memorize my requirement document from when we did the initial approach a couple of years ago.

I mentioned Bill remembers it. What's up, Bill?

Yes. Robert, I recall -- I know your company had a large global footprint. So a lot of users and a lot of users in different locations. And I think that becomes even more relevant in the current pandemic environment. So just wondering if you could expound on that a little bit.

Yes. Bill, that's -- thanks. This is why you partner, right? Someone's always reminding you of something you might have forgotten.

It's hard.

That's a great point, Bill. That's a great point. Because we had locations in Europe, Asia, Latin America as well as North America that -- where we had accounting functions where there were Sarbanes-Oxley key controls being executed. And having a tool that was easily accessible, not only by my team when they're in those locations, but by those process owners and these stakeholders that were in those foreign locations, yes, that made life very, very easy, especially when we went to the COVID shutdown earlier this year, and we had to all work remotely. My team had already been doing that for almost a year, and our stakeholders had already been using the tool in that manner for almost a year. So that was a -- it's a great benefit, but it was one that -- I think we did -- we knew that we wanted to have it, but I don't think we knew how good it was until we got to March and April of this year.

Absolutely. All right, guys, I think in the interest of time, let's get into the next polling question because I know Bill is itching to go through the implementation process. So question #3 for the audience is, what function does your internal audit team report into? And so you got some options here. Does it report into the CFO Controller? Is it the Chief Compliance Officer or a compliance function? Is it the CIO or somewhere within IT? Is it with -- directly into the CEO? Or is it other? And we understand most organizations have the internal audit team directly reporting into the Audit Committee Chair and the Audit committee. This is not a trick question. We mean more of the dotted-line functionality or administrative function into the organization. So we'll give you a few seconds here to input your questions for this polling question. [Voting]

I would say, who does your CAE's performance review at the end of the year, whenever you guys do?

That's a much more eloquent way of asking.

Yes. I've never had an Audit Committee Chair provide me a performance review, and I've had 3 CAE roles.

So I actually had an Audit Committee Chair provide input into my performance review, and that was pretty interesting to get that feedback. But yes, most people don't get that.

Yes. The feedback, yes, but never directly sitting down with me and say, "Okay. You got a 5, Robert, because you were excellent this year."

You got to ask for it sometimes, Robert. All right. I think that's enough time there. Hopefully, everybody submitted their answers. Let's get into the next part of our presentation, where we will go through the implementation process. So Bill, why don't you kind of walk us through some of the milestones, and then we'll get into each of the phases as we go on here.

Sure. Thank you, Ernest. And Robert, you can keep me honest, too, if anything comes to mind that I don't mention as we go. But this first slide is just showing an overview of the different implementation milestones that we'll talk through. And when we do these projects, we try to divide them into kind of 4 distinct phases. The kickoff is really our time to meet your team and understand your control environment, perform some discovery there. So we know how many controls, how many locations, who are we going to work with as far as the testers, the control owners and just getting a feel for the landscape. And then we dive right into the projects that's setup. So implementing the database, understanding the kind of reporting that CAE and others, stakeholders are going to want out of the system. I think in that phase, we've achieved -- it was really powerful in Robert's case study, especially where we were able to generate metrics for the Audit Committee directly after -- directly out of the system so that we weren't always having to put pencils down and pivot to Excel spreadsheets and tabulate our status and put it into a PowerPoint and -- anyways, we got to a point that you could really go from work product to reporting instantly, and that's kind of power that we want to unlock here. The third phase is training. So getting -- training not just the internal audit team but also the users that are going to be providing PBCs. And a really nice thing about Workiva is they have a Wdesk University, which automates a lot of that training. But it's not just static training. It actually has interactive case studies that you can go in and attach a PBC and make sure you understand how that word actually click. And that, I think, is very powerful. And then we do some, obviously, UAT and troubleshooting. Because maybe the way it's designed out of the box is not the way Robert and team wanted it to work, and we're able to kind of manipulate some things and customize it to the user. The last phase is really just getting started in the tool. And as with anything, it's an ongoing world. So we, at some point, do hand off some of the administrative tasks to the customer success manager at Workiva. And the customer success manager is with us, though, throughout the implementation. So I know Robert, you knew our point person Lora by first name and had her e-mail. And I think that relationship worked really well. And then throughout the whole project, there's ongoing weekly status meetings, ongoing communication of where we are in the plan. And the idea is that there are no surprises and that we can get the tool up and running the way the customer wants. It's not just an out of the box, upload your RCM and you're done. So that's as far as kind of the overview. Yes.

Yes. Bill, I was just going to say, handle this implementation like you would any other system implementation, use some rigor. But I want to say we took approximately 6 weeks, maybe even less than that, to get -- from basically getting the contracts signed and everything finalized through our legal, which we'll talk about in a second, to actually having the system up and running and ready to go. And so if you've got a plan, you've got some rigor around it, it definitely makes it a lot easier. I would not educate that you go in and try to iterate by just dropping the system, flipping the switch on and figuring out how you're going to go. One of the other benefits, and I'll let you get to your next slide because I think in that next slide, we talk a little bit about the kickoff phase and the discovery phase. That was a great piece for my team because it really challenged us as far as the status quo. And what will we be doing from a SOX perspective? And I think we should be explicit. We implemented the SOX piece to the Wdesk tool first. And so we're talking a little bit about the -- when we have these conversations right now, it's essentially the -- all around our Sarbanes-Oxley process. So anyway, this kickoff in discovery phase really helped us challenge our status quo.

Great. Thanks, Robert. And so you mentioned the kickoff on discovery slide that we'll cover here. And I think really, you covered some of the big points here that a typical implementation takes us about 6 to 10 weeks. Like we said before, there can still be iterations on that work product. But that's usually about the amount of time from kickoff to actually working in the tool. And in that process, you also want to consider your different stakeholders and get them involved at the right point in time. It may be -- often, they'll roll it out in a couple of phases. First, you get your audit team up and running and familiar with the tool before you start inviting other stakeholders in, just so that when they come with questions and want that firsthand experience, you're up and running there. So we have this kind of example project plan, but we definitely sit down and customize that to understand any time line dependencies the client has.

Yes. And Bill, I would add that getting that stakeholder involvement, so your global controller, your CFO, the different directors the folks that are actually doing the work within the accounting team, making sure that you're familiarizing them with the tool and you just don't drop it on their heads when you're done and expect them to be able to work with it. I think that was a key for us as well as we did a good job of making sure that we communicated with non-internal audit stakeholders and making sure that they got their input into the system.

Yes. So on the next slide with the project setup data assessment, really, what we're talking about here is kind of the concept of good data versus bad data. So oftentimes in Excel, you can get away with fields that haven't been normalized and maybe don't have data validation controls. But part of the -- setting up the environment in Wdesk, where it really empowers linked data and being able to use these references from your process documentation to your control documentation, to your exception reporting, is getting all that information standardized. So when I say that, I mean, using the same nomenclatures, a good example, does a control pass or fail? Or is it ineffective or effective? And just kind of locking in on that standard verbiology. But also it's defining those meaningful relationships between the data. So I know in Robert's environment, we mentioned that they had a global footprint, multilocation. Sometimes you had one process that operated in multiple locations. Sometimes you had multiple locations operated in one process. And we were really able to sit down with him and his team and kind of unlock those relationships and streamline the data. And I think I just want to stress there that this isn't just taking your current environment and putting it into the tool. I think what I'd like to brag a little bit for our team. I think what we were able to do because we worked hand-in-hand with Robert's team as a co-source partners, we're able to really rationalize the control environment and say, "Hey, this one risk. Now we've got all the data in this one risk is mapped to 6 key controls. Is that appropriate? Should we kind of tailor these risks, so they're a little more specific? Or maybe can we rationalize some of these controls as non-key?" And we were able to achieve a lot of efficiencies by sitting down. And this was a good opportunity to perform that thought process.

Yes. Bill, so from the earlier comment about challenging the status quo, it was in Phase 2 where we really kind of got down to brass tax and determined what key controls we wanted to assess and evaluate. And we were able to reduce the number of key controls in our environment from somewhere around 250 closer to 200 and really narrow our testing to a much more focused and, I think, better set of key controls for financial statement purposes.

Yes. I'd agree. And I think, Robert, further to that, a lesson we learned here is when you're implementing the SOX compliance tool here, we direct -- to the extent possible, it's best to kind of implement in that Q1, Q2 area before all the walk-throughs start and a lot of the changes start flowing in and the testing is in process. I think it really allows you to take a step back and spend time with those kinds of considerations. When you're in kind of the heat of battle of testing, it can still be done. But just best practice-wise, I think that early part of the year, if you're at 12/31 year-end, would be the best time to sit down and go through this process.

Absolutely. Unfortunately, we had some issues with our legal department and some privacy issues around the tools. So when I talk about getting stakeholders involved early, I would recommend to everyone that you talk to your data privacy owners and champions and make sure that they're comfortable because you are going to have some data that's in the tool and you want to make sure that you've got all your bases covered there. So we were able to get over it, but it took us a little bit longer than we thought. And unfortunately, that pushed us on our calendar. And we were implementing at the same time we were doing walk-throughs, which I would certainly not recommend to anybody.

Yes. We got through it, but I agree. So this next slide on the project setup, data import and field test. Not -- I don't want to exhaust the details on this slide, but really, it's showing the kind of 5 different segments of information within the tool. So you have your data, which is really your RCM and your process narratives and flows. And it's kind of where you keep the information itself. The reports can become very powerful when you tailor them to, like I mentioned before, specific Audit Committee needs and what the Chief Audit Executive cares most about. A lot of times, that's making sure we know number of controls by phase and what the status is, as far as tested, and what's in the review queue and what's been provided to external audit. So all of that can be automated at the touch of a button. Then you have your Testing tab, which really organizes the test records. It makes sure you have all the fields that you want to track for your test. So sample methodology, sample size. Some of that can be automated so that if you select an annual control, it automatically fills out some of the other fields saying, we're going to test one sample. And then the dashboards are very powerful. So the dashboards are tailored to each individual user. And you can go in and see at any given time, these are the tasks in my to-do list. So Robert, I know when it got into that heavy review season and you and I were passing work papers back and forth that those dashboards were really helpful to sit down. When you finally got a quiet hour to sit down and say, "What else in my queue?" And at the touch of a button, you can see exactly what controls were waiting for you. And then...

Yes...

Yes. Go ahead, Robert.

Yes. I was just going to say, Bill, pre-COVID, that was awesome. Because if I had a team in Europe, they could get their work done, and I'd be reviewing their work papers in the afternoon in Virginia or on the East Coast. And they would come in first thing in the morning, and all my comments would be there for them. And they'd be able to knock them out before I'd get into the office and the following morning. So yes, it's great to be able to just see exactly what you need to look at from a review perspective.

Right. And if you're providing review comments, you can use the app symbol to tag an individual team member to the comments. So if Robert maybe was reviewing a person's work paper that he wanted input from his director of internal audit, he could tag her and she would get a notification saying, come look at this. So for better or worse, it even can send you e-mail notifications to your phone when Robert's reviewing your work papers. So it's a very powerful collaborative tool. And then on the project setup report development slide, Robert, I think this will be a good one for you to speak to, but I mentioned just the ability to tailor these reports to the organization. So for some organizations, maybe you want your satisfied location. Maybe you want it by test phase. Maybe you want all those views. And maybe your Audit Committee is interested in the 10,000-foot view, but I know Audit Committees are interested in progress by control count. So Robert, maybe you could add some color here, but I think we were able to get to some very powerful reporting metrics out of the tool.

Yes. Yes, Bill. So the reporting tools within Wdesk allow you to tailor it. I would put together -- we had information that we had for the CFO. We had information that we had for the global controller and her direct reports. The other thing, our organization -- the software that we developed was business intelligence software. So internally, we used our own tool to do a lot of management reporting. And Wdesk was flexible enough to create an API, where we could push the data into our internal management tool and then create dashboards for our executives using our internal management process. So again, it -- the reporting tools within Wdesk are great, and we use some of those, but it also has enough flexibility that you can create whatever you need within your own organization with APIs and other integrations.

Yes. And I personally found that invaluable. As a manager on engagement, when you get the question, where are we on testing. And suddenly, all the activities you had planned for the afternoon, you need to stop and put the pencils down and understand where everyone is. Wdesk enables you, like Robert said earlier on, to focus on the job that's providing the most value and not necessarily always that kind of retrospective. And once we got that up and running, I feel like we really turned the corner on efficiencies.

Yes. And it was not nearly as onerous to do that analysis as it had been in the past, right? Because you had a very quick visual picture that popped up and said, "Here's the testing by status. Here's where individual testers are with the work assigned to them." And you can drill down into it. I mean it made life much easier from my perspective as the leader to be able to see the forest and the trees.

Right. Yes, we could just focus on really the dependencies, the critical path and like the issues. So I think that was a great output. On Phase 3 training, I think we already spoke to most of this, but it's upfront. You have Workiva University, which is an online self-service, interactive training. And that gets you, I'd say, 75% of the way there. And then between our implementation team and the ongoing support from the customer success managers, you'd definitely get to the 110% of user. I think, Ernest, that's probably all I wanted to cover on the training. Unless Ernest, did you want to add anything on the customer success manager roles?

Yes. One of the things that we pride ourselves on as a company is the service levels that we provide to our customers. And so you mentioned that CSM or customer success manager really becomes an extension of our customers' teams. I've gotten feedback in the past where they've said, I don't know if Lindsay works for our company or if they work for Workiva. So definitely take advantage of them and service in terms of not just questions that can be asked, and they serve as a first point of contact, whether it be on new features that are coming out, if it is helped with building documentation or setting up a data model. It's one area we can't overemphasize enough.

Awesome. And then the last slide...

Yes. Tremendous amount of value in the CSMs. And all the way around, you guys did a great job working together and making sure that we got through the process.

Yes. And then the last page is really just getting started. Go ahead, Ernest.

Yes. No, why don't you cover off on this last slide here, Bill?

Yes. It's really just the handoff. So now we give you the keys to drive. And part of that is making sure you've established the right admin roles so that you can grant permissions to your users appropriate to their duties. As any kind of SOX compliance person, we all know the story there. So it's establishing those ongoing admins. And then we were able to create really a frictionless experience at Robert's former employer, which enabled single sign-on. So Wdesk, no one wants another user ID and password to remember. So part of getting their company on board, one of the requirements that was a must-have was single sign-on capabilities. And we were able to roll that out. So that was really it, Ernest, was just getting it out to the stakeholders and making -- and then you're still there as a CSM to provide support if there are any issues. So thanks for letting me walk through that.

I appreciate that, Bill. Let's get to our final CPE question here. We've been talking a lot about technology. We're all interested to learn more about the primary tools that your organization uses to support the compliance and internal audit process. So 3 options there: are you still using desktop applications like Microsoft office, maybe some Google documents? Perhaps you have a point solution software like Empty Insight or Teammate? Or the last option there being a broader GRC application. So give you guys a few seconds here as you're putting your answers in. [Voting]

And as that's going on, I do want to thank Bill from Clearview and Robert for providing the context here. I think it's a tremendous story when you think about the 3 legs of the stool. You have a company that has some pain points and some challenges that they've highlighted, looking to change their people, process and technology. You have a consulting firm like Clearview with a number of their clients in similar industries and best practices working with the technology companies, such as Workiva, to help really fortify and streamline a digital transformation overview. So I'll open it up. Any other parting comments because I know we're running over time? We won't be able to get to all the questions here or any of the questions, so we'll follow-up via e-mail. But Bill, Robert, any other last comments here before we wrap up?

Bill, you go first.

Don't be shy. Come on, guys.

Just thanking you guys for the opportunity. And like Ernest, we're available if you have any questions. I know we didn't get into the tool itself very much. So if you ever want to see a demo there, we're glad to do that or provide examples of the kinds of dashboards or test plans that are enabled within Wdesk. So thank you all.

I would just like to add that, as auditors, we're being challenged all the time to be more efficient and to get to more things. And if you're still using, whether it's Microsoft office, Google Docs, non-audit management tools to try and manage your function, you certainly should explore the audit tool world and find something that allows you to automate the process. We're -- we were able to find efficiencies that really allowed my team to dig deeper and do better analysis and become better auditors. And while I had mentioned earlier that you can't necessarily put a price tag on that, they certainly are stronger. And we're doing more valuable work for our organization. So again, I strongly advocate that if you are still using the early 21st century tools that you start looking for something that's a little bit newer and more automated.

Thanks for that. Again, guys, thank you very much to Bill and to Robert. Apologies to Mike Ross, but we are all out of time here. For any of the questions that you did submit, and appreciate everybody that did, we will respond via e-mail. If you have any more questions, get them in there in the engagement tool, and we'll be happy to respond. Finally, for the CPE credit, for those of you who qualified, you can download that certificate now and the engagement tool. We'll also send that as a post-event e-mail that you'll receive later today. So thanks, everyone, for attending in State Class of Humanoids.