Articles in this section

Compliance Cross Program Linking

User question: How do I link a single control, risk, or system to multiple different projects or compliance programs without creating duplicates?

Cross-program data linking is a structural update to FloQast's compliance management product allowing you to link records—such as risks, controls, key systems, and key reports—across different programs throughout the application.

↑ Jump to Top

How to Use Cross-Program Data Linking

The process for linking data across programs is integrated into the existing edit workflows for various record types.

Linking Key Systems and Reports to Controls

  1. Navigate to the Key Systems or Key Reports page.
  2. Select the specific system or report you wish to link.

Click Edit.

In the editing interface, proceed with the following step to select your controls:

  1. In the control selection field, you can now pull in and select controls from any program across the application, not just the current program.
  2. View the linkages on the record page; controls from other programs will be clearly listed, often showing the program they belong to in bold.

Linking Risks to Controls

  1. Navigate to the Risk page.
  2. Select the risk you want to map to controls.
  3. Click Edit.

  1. Select controls from any program throughout the application.

Note: Cross-program linking is restricted to records within the same fiscal year. You cannot link a risk from a 2024 program to a control in a 2026 program.



 

↑ Jump to Top

Key Use Cases

You often have a number of multi-level compliance programs in your accounts for a variety of reasons. Creating the compliance program hierarchy now enables you to create multi-level compliance programs (up to 3 levels denominated as Program > Project > Sub-project). This is an example of the program hierarchy that can be created:

  • SOX Program
    • Entity Level Controls Project
    • IT Controls Project
    • Business Process Controls Project
      • Payroll Sub-Project

(In the example above, you may ask why you would not house all your payroll, business process controls, and IT controls in one project to avoid duplication. This is because different teams of people are doing the work and there is a need to restrict PII in payroll data both within app and CSPs. Both reasons require you to create separate projects to maintain appropriate permissions.)

 

Use Case 1: FSLI Scoping

Prior to cross program linking, you can link processes, risks, and controls to line items within a scoping table. However, they must all belong to the same compliance program/project. If you have your SOX program set up in the same manner as outlined in the top of this section, you would not be able to link your FSLI Scoping table housed in the SOX program to any risk or control that is housed in a project or sub-project.

With cross program linking, you will be able to:

  1. Create an overarching FSLI Scoping table in the SOX Program.
  2. Link an FSLI in your scoping table to a risk housed in any of your projects and sub-projects.
  3. Link an FSLI in your scoping table to a control housed in any of your projects and sub-projects.

Use Case 2: Key Systems used across a SOX program

Using the program hierarchy set up above for a SOX program, a key system like NetSuite would need to be linked to controls in your Payroll sub-project, business process project, and IT controls project. Prior to cross program linking, a separate instance of each system would need to be created in each project, making it frustrating and tedious to maintain since you no longer had a single source of truth.

With cross program linking, you can:

  1. Add “NetSuite” as a key system in the SOX Program (or any other project you wish to).
  2. Link “NetSuite” to IT Controls that it is “dependent on” that are housed in your IT Controls Project.
  3. Link Business Process controls and Payroll controls that are in other projects that are “depended on by” “NetSuite”.
  4. Link key reports that are generated from “NetSuite” that are housed in your other projects.

Use Case 3: Key Reports used across a SOX program

The GL Report is commonly documented as a key report used across multiple reconciliation controls across multiple processes.

With cross program linking, you can:

  1. Add the “GL Report” as a key report in your SOX Program (or any other project you wish to).
  2. Link the “GL Report” as a key report “used by” a Payroll control in your Payroll Sub-project.
  3. Link the “GL Report” as a key report “used by” an accounts payable control in your Business Process Project.
  4. Link the "GL Report" as a key report "generated from" NetSuite sitting in the same program (or sitting in a different program/project).
    • Since this “GL Report” is generated from NetSuite, you can also link the underlying IT controls (housed in the IT Controls Project) that cover the accuracy and completeness of the Key Report.

Use Case 4: Risks used across a SOX program or ERM program

  • SOX Program: Similarly, using the same program hierarchy described above, you were restricted to having a distinct risk and control matrix (RCM) per project. That meant you would have to have all of your Payroll risks and controls live in one project. This rigidity prevents you from being able to have a Payroll risk that can be addressed by both controls in the payroll process (that would live in your Payroll sub-project) and controls that are part of another business process (that would live in the Business Process Controls Project).

With cross program linking, you will be able to:

  1. Add a Payroll risk to the Business Process Controls Project.
  2. Link the payroll risk to a cash disbursement control in the same project.
  3. Link the payroll risk to a specific Payroll control housed in your Payroll Sub-Project.
  • ERM Program: While you may not currently use your platform for Enterprise Risk Management, you can choose to expand your usage and set up your ERM programs into FloQast. Prior to this feature release, you would have to maintain a separate risk listing for your ERM program and duplicate those same risks in other programs, even if they are identical.

With cross program linking, you will be able to:

  1. Add a risk to your ERM program (e.g., a Governance/Compliance risk of Management override of controls or an operational risk).
  2. Link this governance/compliance risk to a SOX entity level control housed in your Entity Level Controls Project.
  3. Link the operational risk to a control housed in your Operational Audit Program.

Use Case 5: Multi-entity hierarchy structure

  • SOX Program
    • Corporate Entity Project
      • BPC sub-project
      • ITGC sub-project
      • ELC sub-project

    • EU Entity Project

      • BPC sub-project
      • ITGC sub-project
      • ELC sub-project

       

↑ Jump to Top

Linking Across Top-Level Programs

This feature also supports mapping data between entirely different top-level programs. For example, if you are performing an Enterprise Risk Assessment, you can link risks in that program to existing controls within your SOX program without creating duplicates.


 

↑ Jump to Top

Access Management and Visibility

FloQast continues to respect your defined roles and permissions. Users with limited access can see that a linkage exists to a record in a restricted program to provide broader context. However, these users cannot drill down into or view the details of the specific records they do not have permission to access.

If you have any questions about Compliance Cross Program Linking or need help please contact support@floqast.com