Last week RoseRyan CEO and CFO Kathy Ryan and 99 other women leaders chosen as Women of Influence by the San Jose/Silicon Valley Business Journal were celebrated, wined and dined. Here’s what she had to say about the honor and how business has changed for women since she started her career.

What makes this a real honor for you?
At first I thought of it as kind of a PR gimmick, I have to admit. Then I began getting comments from people—and a lot of them I hadn’t seen or heard from in years. Then, so many people were at the event, from big companies to small, and people were so excited—I realized it really is an honor. These women have done a lot of great things, and it was a genuine honor to be in such a great crowd of talented individuals.

What was the event like?
It was very festive! Almost 1,000 people were there, and I think 96 of the 100 women who were honored showed up.

We [the honorees] were asked to answer the question, “What’s the best advice you’ve ever received?” in 10 words or less. There was a lot of variety but most were along the lines of, follow your heart, work hard, don’t listen to people who say you can’t do it. Some were really funny—for instance, someone said her mother told her, “Don’t marry the pilot. Be the pilot.” Someone else said she came home after a hard day and her husband said, “If it was easy, Paris Hilton would do it.” They held people’s attention—that’s amazing with an audience of 1,000.

What did you say?
Hire people who are more talented than you are and you’ll always be successful. That has guided me with RoseRyan. I think that’s what makes us a great community of talented individuals, and it’s made us a lot better as a company. I’m relying on other people’s talents to move this company forward. It also makes me a better person, a better CEO, manager, owner—the whole bit.

Could something like this have happened 20 years ago, when RoseRyan began?
I don’t know. Move that to 30 years ago, and I’d say no. When I was at Price Waterhouse there were very few women partners anywhere. Accounting was a man’s world. At Quantum, I saw women start to take more of a managerial role. Now I’m seeing more CEOs and CFOs who are women. There are more women’s business organizations that are serious and are respected.

Do women in business really have more influence?
Women have more influence, but I don’t think we’re where we need to be quite yet. Women do have more choices and power than they’ve had in the past. We’ve become part of the regular cycle of business—and it’s no longer a surprise that women are in top roles and are recognized for their leadership and smarts rather than being the lone female in the C suite.

The San Jose/Silicon Valley Business Journal named Kathy Ryan, the firm’s co-founder, CEO and CFO, one of its 2012 Women of Influence. The Business Journal published the list of 100 women leaders Friday, April 6.

We are quite pleased Kathy is included in such prestigious company, which includes women in astronomy, computing, academics, government, the arts, finance, health care, law, solar power, communications, social media, education and more.

The award, says Kathy, “reminds me of how proud I am of what RoseRyan has contributed to this region’s vibrant business ecosystem over nearly 20 years.” (You can read more about her in our press release or check out her website bio.)

The list, says the Business Journal, is a response to the fact that women in corporate leadership have yet to reach parity in numbers with men. Research from UC Davis, which annually publishes a report on women leaders at California public companies, shows that women comprise 9.7 percent of leadership roles at the state’s big public companies—and in Silicon Valley, they make up only 7.4 percent.

The Business Journal, however, considers public and private companies, government and academia. Some of the better-known 2012 Women of Influence include Van Dang, VP of law and deputy general counsel, Cisco; Lisa Nash, CEO, Blue Planet Network; Madison Nguyen, vice mayor, San Jose; Julie Packard, executive director, Monterey Bay Aquarium; Joan Parsons, head of U.S. banking, Silicon Valley Bank; Jennifer Simmons, executive director, Habitat for Humanity Silicon Valley; Dawn Smith, SVP, VMware; Meg Whitman, CEO, Hewlett-Packard; and Sharon A. Williams, executive director, JobTrain.

It’s particularly satisfying that the list also includes a number of women leading new (or newish) companies, such as Wendy Arienzo, CEO, ArrayPower; Anne Bonaparte, president and CEO, Xora; Stina Ehrensvard, founder and CEO, Yubico; Mar Hershenson, founder and CEO, Revel Touch; and Laura Yecies, CEO, SugarSync.

And of course, we’re pleased to see there are two other CFOs: Robyn Denholm of Juniper Networks and Lumin Chang at Wyse Technology. By our count, past lists have recognized a total of about eight CFOs; maybe there will be more of us financial types in the future.


The JOBS Act (Jumpstart Our Business Startups Act) purports to foster the growth of small businesses, allowing them easier access to funding by lowering bureaucratic hurdles and thus enabling the growth of their business and their ability to hire more people.

In reality, the bill—passed overwhelmingly by the House last week and now awaiting President Obama’s signature—lets newly public companies skip, for up to five years, the independent auditor attestation of their internal controls over financial reporting that SOX Section 404(b) requires, on the grounds that compliance is too costly. What is “small”? Companies with revenues of less than $1 billion. Yep—that’s most of Silicon Valley.

These small companies need access to funding. VC funding (with astute financial inquiries) isn’t readily available, so they go to the public market where we, the investors, have only the financial statements, press releases, website content and other information the company produces. We have to trust that it is accurate, but the JOBS Act says the internal controls and third-party independent oversight mandated by SOX legislation are “too costly.” Too costly for whom?

A well-designed SOX program is not too expensive—it’s too expensive not to have those controls. Any idea how expensive a restatement is? (Think audit fees, legal fees, the army of accountants crunching through your books, regulatory inquiries, shareholder litigation, the list goes on.) Nearly one-third of companies that have had IPOs since 2004 have had to issue financial restatements—that’s a staggeringly high number.

Why do small companies get it wrong?

For starters, finance isn’t viewed as a strategic business function—it’s viewed as overhead. That means it’s often not properly funded, so there’s not enough horsepower to make sure the books are accurate, not enough access to expertise to understand complex accounting regulations and not enough rigor in the close process. Bottom line: the financial statements are not accurate. They do not serve as a basis for understanding the financial position of the business—either for making investment decisions or making management decisions about running the business.

JOBS Act advocates say that most companies will be fine without the discipline of solid internal controls. Really? Did you see the latest from Groupon? First it stumbled with its IPO, and now it has stumbled with its first 10-K. See any patterns? In this last trip-up, the company identified a material weakness in internal controls related to the financial close process and cited three contributing factors: 1) an inadequate close process, resulting in a number of manual post-close adjustments; 2) account reconciliations not performed and/or reviewed; and 3) inadequate policies for timely, adequate review of estimates and assumptions. These are pretty basic controls that every company should perform as part of its normal close process—nothing fancy or tricky here—yet Groupon doesn’t seem embarrassed about missing these controls. (And it certainly isn’t embarrassed to be taking investor money.) While Groupon wouldn’t benefit from the JOBS Act because it has revenues of $1.6 billion, it’s a great example of what often happens with young, newly public companies and the challenges they face in providing accurate financial information to the investor community.

In the wake of the massive frauds perpetrated by Enron, WorldCom, Adelphia, and others, we got SOX. In the wake of the massive frauds perpetrated by Wall Street—which drove us into the deepest recession since the Great Depression—we got Dodd-Frank. Who are we kidding with the JOBS Act? Get ready: we’ve paved the way for a lot more fraud and financial misstatements.

RoseRyan’s first quarter was bustling—six new gurus joined the team and jumped right into new assignments. They all have extensive senior finance experience and most have substantive CPA stints with Big Four firms. Here’s a bit about them:

Linda Clements Linda has great technical chops and mix of public/private experience as CFO, VP of finance and corporate controller in technology, manufacturing, software and health care. Her first RoseRyan gig is CFO for a public biotech company.

Maddy Gatto A rev rec and SOX guru, Maddy was recently at National Semiconductor as a controller. She’s also done stints with KPMG and as internal audit manager at NSC, along with work on foreign accounting entities. She’s starting with RoseRyan as accounting ops director for a technology firm.

Cindy Nathan An alum of E&Y and RoseRyan (she was our Employee No. 7!), Cindy’s a fan of start-ups and their challenges—and she returns to RoseRyan with not one but three emerging growth clients. Her past experience, focused on biotech and medical technology, includes work at the controller and accounting manager level.

Barbara Rescino Barbara’s covered lots of ground: companies big and small, public and private, in solar, biotech, software, medical devices and other industries. Past posts include corporate accounting manager, controller and director of finance; payroll migration for a technology company is her first RoseRyan assignment.

Ray Solari Ray’s been with Deloitte and served as CFO for smaller companies and at the director level with larger ones. His strength is the technology sector. That’s good: his first RoseRyan gig is FP&A for a technology client. Ray’s storied past includes IPO, M&A, audit, SEC, forecasting and more.

Maisha Wilson Among other things, Maisha’s into start-ups, implementing systems, and consolidations foreign and domestic. A PwC alum, she’s also served as VP of finance and CFO for emerging growth companies. Her first RoseRyan gigs: controller for a new start-up and SEC/10K for a newly minted public company.

RoseRyan, along with Ernst & Young and Morrison & Foerster, is presenting a free breakfast seminar, “XBRL: It’s Time to Get Real,” on May 2 in Palo Alto.

We all know that XBRL implementation can be tough—especially if you’re not crystal clear on the process, don’t know what’s possible and aren’t sure where the pitfalls are. Of course you want best practices, but who can say what they are when the rules keep changing? On top of that, maybe your limited liability is expiring—and what exactly does that mean? Perhaps most of all, what does the SEC really want?

“XBRL: It’s Time to Get Real” will give you the answers from people who’ve been toiling in the XBRL trenches and have done the sweating for you. These experts will provide concise, practical advice on key accounting, legal and audit do’s and don’ts, illustrated with plenty of real-world examples. The presenters are:

Lucy Lee, XBRL practice chief, RoseRyan: Lucy is the chief architect of RoseRyan’s XBRL practice, an elected member of the XBRL US 2012 Domain Steering Committee and a voting member of the XBRL Global Ledger Working Group of XBRL International.

David M. Lynn, partner, Morrison & Foerster: David, a leading authority on SEC matters, is co-chair of his firm’s global public companies practice and former chief counsel of the division of corporation finance at the SEC.

Natalie Zimmer, senior audit manager, Ernst & Young: Natalie, a recognized XBRL expert, advises on XBRL implementation and has presented on the subject in multiple forums.

The seminar will be held 7:30–9:30 a.m. at the Garden Court Hotel in Palo Alto. Attendees receive 1 CPE credit. Get details and register here.

I recently read an article discussing how approximately $1.2 billion in cash went missing from the coffers of MF Global Holdings, simply “vaporizing” in the wake of the company’s collapse, according to The Wall Street Journal. It seems astonishing that they didn’t have the internal controls in place that would have prevented this from happening: the CEO and CFO certified that the company’s internal controls were effective less than 90 days before the company went bankrupt.

The following controls—which are always part of our standard reviews—could have prevented this massive loss.

Segregation of duties (SOD): Traditional internal control systems rely on assigning certain responsibilities to different individuals or segregating incompatible functions. The general premise of SOD is to keep an employee or group of employees from being in a position to perpetrate and conceal errors or fraud in the course of their duties by preventing one person from having both access to assets and the responsibility for maintaining the accountability of those assets. The principal duties to be segregated are custody of assets, authorization or approval of transactions affecting those assets, and recording or reporting related transactions.

Monitoring controls: Monitoring can refer to evaluations of internal controls, either ongoing or separate. These evaluations enable management to determine whether the components of internal control continue to function over time, identifying deficiencies and communicating them in a timely manner to the people responsible for taking corrective action and to management and the board.

Fraud controls: The risk of fraud can increase significantly when three factors—pressures/incentives, opportunity and rationalization, commonly referred to as the “fraud triangle”—are all present. Of the three, opportunity can most effectively be managed to address fraud risks by designing and implementing a control environment that prevents, detects and deters most fraudulent behavior, whether it’s conducted by employees, vendors, consultants or senior management.

Simply put, if these three controls had been in place and operating, the money would not have disappeared. Therefore, whatever the certification said, the internal controls never really existed.
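The segregation-of-duties control above is easy to state and easy to lose track of once people accumulate roles in a system. The following is an added example, not code from the original post or from RoseRyan: it models the three duties the post names (custody, authorization, recording) per asset class, reports every user who holds two or more of them over the same asset, and refuses a proposed role grant that would create such a conflict. The role names, duty mappings and user assignments are constructed for illustration. It catches conflicts held by one person; the “group of employees” case the post mentions (collusion) is what the monitoring control exists for and is outside what this check can see.

```python
"""Segregation-of-duties (SoD) conflict check over role assignments.

Added example, not from the original post. Role names, duty mappings
and the sample assignments below are constructed for illustration.
"""
from collections import defaultdict

# The three duties the post says must be kept apart.
CUSTODY, AUTHORIZE, RECORD = "custody", "authorize", "record"

# Hypothetical roles in a treasury/AP system and the duties each confers,
# keyed by asset class so conflicts are evaluated per asset, not globally.
ROLE_DUTIES = {
    "wire_initiator":     {("cash", CUSTODY)},
    "wire_approver":      {("cash", AUTHORIZE)},
    "gl_accountant":      {("cash", RECORD), ("inventory", RECORD)},
    "bank_reconciler":    {("cash", RECORD)},
    "warehouse_lead":     {("inventory", CUSTODY)},
    "purchasing_manager": {("inventory", AUTHORIZE)},
    "readonly_auditor":   set(),
}


def duties_for(roles, role_duties=ROLE_DUTIES):
    """Collapse a user's roles into {asset_class: {duty, ...}}."""
    out = defaultdict(set)
    for role in roles:
        for asset, duty in role_duties[role]:
            out[asset].add(duty)
    return out


def sod_conflicts(assignments, role_duties=ROLE_DUTIES):
    """Detective check: return [(user, asset, sorted duties)] for every user
    holding two or more of custody/authorize/record over one asset class."""
    findings = []
    for user, roles in sorted(assignments.items()):
        for asset, duties in sorted(duties_for(roles, role_duties).items()):
            if len(duties) >= 2:
                findings.append((user, asset, sorted(duties)))
    return findings


def can_grant(user, new_role, assignments, role_duties=ROLE_DUTIES):
    """Preventive check: True only if the user would hold no SoD conflict
    after the grant (a user who is already conflicted is also refused)."""
    proposed = dict(assignments)
    proposed[user] = set(assignments.get(user, set())) | {new_role}
    return not any(u == user for u, _, _ in sod_conflicts(proposed, role_duties))


# Constructed sample: who holds which roles today.
SAMPLE_ASSIGNMENTS = {
    "alice": {"wire_initiator"},
    "bob":   {"wire_approver"},
    "carol": {"gl_accountant", "bank_reconciler"},   # both are "record": fine
    "dave":  {"wire_initiator", "wire_approver"},    # custody + authorize on cash
    "erin":  {"warehouse_lead", "gl_accountant"},    # custody + record on inventory
    "frank": {"readonly_auditor"},
}

if __name__ == "__main__":
    for user, asset, duties in sod_conflicts(SAMPLE_ASSIGNMENTS):
        print(f"SoD conflict: {user} holds {'+'.join(duties)} over {asset}")
    print("grant bank_reconciler to alice?",
          can_grant("alice", "bank_reconciler", SAMPLE_ASSIGNMENTS))
```

Running it lists dave (custody plus authorize on cash) and erin (custody plus record on inventory) and refuses to give alice the reconciler role, since she already initiates wires. Carol holds two roles but both only record, so she is not flagged; that is the point of evaluating duties rather than counting roles.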

In a March 2 CNBC interview, Marc Andreessen was asked what one thing Washington could do to increase job creation and innovation in Silicon Valley. He replied by saying “attack regulation” and went on to specifically mention Sarbanes-Oxley. In his view, Sarbanes-Oxley was put in place to prevent the next Enron or WorldCom but, in reality, it has just about killed the tech IPO. Founders want to keep their companies private for as long as possible, or forever.

I can certainly understand and applaud founders’ desire to keep their companies private—but I think that has more to do with keeping control over the operations and direction of the company, focusing on long-term strategic goals and not being distracted by short-term returns to investors. Focusing on the business rather than the return to investors seems like a healthy approach to running a company.

When asked what specifically is the problem with Sarbanes-Oxley, Andreessen stated that it introduces an entirely new category of regulations, controls and responsibilities for companies’ finance staff, legal staff, board and audit committees—which translates into an enormous amount of time, energy and attention on the part of management when they are trying to focus on building their business. He went on to say that he is not in favor of another Enron or WorldCom, but the companies he works with are not out to defraud anybody. The big frauds haven’t come out of Silicon Valley.

I suspect Marc Andreessen knows more about the companies he invests in than the average investor knows about the companies in their portfolios. And that, I think, is the point of Sarbanes-Oxley: providing accurate and timely financial information to investors and to management. The Enrons and WorldComs may not have come out of Silicon Valley, but I believe we were the poster children for the stock option backdating scandals a few years back. While I agree that the vast majority of companies are not out to defraud anyone, it’s a slippery slope. In my experience, small private companies are not staffed appropriately to deal with the accounting implications of unusual transactions, and not adequately staffed to make sure mistakes are detected and corrected before publishing financial statements. Without proper objective oversight, the pressure to achieve certain operating results—or to be viewed as someone who believes in and supports the business—can cause a well-intentioned person to go astray. While founders are busy building their business, they won’t fund finance appropriately if they do not value it as a strategic part of the business. That’s fine if it’s just the founders’ money at risk, but when you are raising money in the public market you’ve taken on additional obligations and responsibilities. Those additional categories of regulations, controls and responsibilities that Sarbanes-Oxley brings to the table become essential.

Facebook did things right in its S-1 disclosures relating to data protection and privacy as it relates to business risk. Among other things, the myriad disclosures warn investors of risks related to unfavorable media coverage of its privacy practices and concerns about privacy, sharing and security. They also note that unauthorized access to or improper use of user information could damage Facebook’s reputation and result in legal or regulatory action, which could be expensive and require Facebook to modify its business practices. (This has happened before, as the disclosures point out: last year a 20-year settlement agreement with the Federal Trade Commission required the company to establish and refine policies related to user data and privacy settings, submit to privacy audits every two years and take other measures.) The company says complex, evolving laws and regulations for privacy and data protection could harm its business.

This seems to be as it should be—at least for the SEC, which last fall issued disclosure guidance on cybersecurity risk that all public companies should be aware of (private companies should take note too). But while Facebook followed this disclosure guidance, these disclosures are aimed at protecting investors; they reveal the potential effects of problems after the fact. That’s not reassuring to Facebook users.

As more and more data moves online and into the cloud, companies need to actively protect their customer data. Cyber attacks happen with increasing frequency, and only the big cases (like Zappos.com last month) are publicized. It’s critical: our finances, medical records, credit cards, employment, passwords and other aspects of our personal lives are online. Companies that don’t take data protection and cyber security seriously are gambling with risks that may be very expensive or change how they do business.

At least some relief may be in the works. The Federal Trade Commission will soon release its final staff report of recommended controls and standards for the online protection of consumers’ privacy. The report is expected to expand the scope of what may constitute consumer data and propose sweeping new standards.

It’s unlikely, however, that U.S. regulations will be as stringent as the data protection reform the European Commission proposed Jan. 25 for the European Union (a draft regulation that would replace the 1995 Data Protection Directive). Those rules would apply to anyone processing data in the EU—including those outside Europe who offer goods or services to EU citizens. Key points include:

  • Significant fines for organizations that don’t follow basic knowledge/consent obligations or requirements to adopt good policies and procedures
  • A requirement to appoint a data protection officer who must ensure that the organization adopts good data governance policies and procedures
  • Regular data protection audits and privacy impact assessments
  • A requirement to notify data protection authorities within 24 hours of a data breach

We’ll be watching to see if the FTC grasps the severity of the problem and fully addresses the need to protect consumer information.

Whether it does or not, companies should pay full attention to both their privacy and data protection measures and their disclosures around them. Building customer trust and goodwill takes a lot of corporate resources; losing that trust can have a significant adverse impact on any business. With better protections in place, transparency and disclosure will follow more easily—and those companies will be trusted more by customers and investors alike.

Speaking as someone who’s been engaged with tons of IPO filings, Facebook’s was the most interesting S-1 read ever. IPOs, in general, typically provide a high-energy, exciting, positive environment, but this one is special—the theme throughout seems to emanate “we’re here for the greater good.”

Here’s a summary of the highlights:

  • Making business decisions over financial results: Perhaps one of the reasons Facebook stayed private as long as it did, and continues to maintain significant ownership by the executive team (a focus of today’s press coverage), is that it maintains a focus on what’s best for the business. That, in turn, does not always result in short-term financial performance. In its S-1 filing, Facebook states: “Our culture emphasizes rapid innovation and prioritizes user engagement over short-term financial results.”
  • Control: Not only is CEO Mark Zuckerberg going to maintain significant ownership in Facebook post-IPO, but he will also own a majority of the voting power. That means Facebook will qualify as a “controlled company,” which exempts it from the stock exchange requirement that a majority of its board be independent directors.
  • Letter from Zuckerberg: In a new twist to IPO filings, at the end of the MD&A (page 67) is a letter from the CEO explaining his mission, vision and so on. Nice touch! In his letter, Zuckerberg says, “Simply put: we don’t build services to make money; we make money to build better services.” It’s a refreshing focus.
  • Culture disclosures: Companies are required to disclose certain information about employee headcount and related information, and as an added bonus, Facebook discloses a description of its corporate culture. The company stresses the importance of its culture, calling it a “hacker culture” defined as “a work environment that rewards creative problem solving and rapid decision making.” Perhaps this should be a new SEC disclosure requirement!
  • Focus on the future: SEC filings are usually based mainly on historical results, which are not always indicative of future performance. Not Facebook. It is clearly focused on the future, and its filing says, “We also have posted the phrase ‘this journey is 1% finished’ across many of our office walls, to remind employees that we believe that we have only begun fulfilling our mission to make the world more open and connected.”
  • Mark takes a pay cut! In Q1 2012, Facebook’s comp committee discussed and approved Zuckerberg’s request to reduce his base salary to $1 per year, effective Jan. 1, 2013. And he was the only named executive officer who did not receive stock-based comp in 2011.

Read the filing for yourself at the SEC website.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) recently released for comment a draft 2012 Internal Control—Integrated Framework. The 2012 framework, expected to be released later this year, addresses changes in the globalization of markets, operations, and business models; rapidly changing technology; increasingly complex regulatory requirements; and growing expectations for governance oversight that have evolved since the original was implemented in 1992.

The revised framework retains the original five components of internal control (control environment, risk assessment, control activities, information and communication, and monitoring) but incorporates additional principles and attributes intended to provide clarity in the design and development of internal controls, and that can support the assessment of the effectiveness of internal controls.

The new draft provides what I believe is improved guidance and clarity for completing a comprehensive risk assessment in a number of areas:

  • Most significant is the clarification that the risk assessment process includes risk identification, risk analysis (for example, the probability of occurrence and potential impact), and risk response (such as how the risk should be managed, with acceptance, avoidance, reduction and sharing).
  • Identifying risks is clearly linked to the achievement of an entity’s objectives.
  • Risk is considered within the overall entity and within its subunits (HR, legal, purchasing, etc.).
  • Risk tolerances are incorporated into the assessment of acceptable risk levels.
  • The new framework emphasizes the need for management to understand significant changes in internal and external factors that may impact the overall system of internal controls (external factors may include economic changes that impact financing or availability of capital; internal factors may include significant changes in management responsibilities or disruptions in information systems processing that can adversely impact operations).
  • The new framework considers not only fraud risks related to financial reporting or safeguarding of assets, but also risks related to corruption and specific attributes in identifying and evaluating such risks.

Don’t wait—update now
Even though the 2012 Internal Control—Integrated Framework is still in draft form, I believe there is much that management can leverage in updating their risk assessment processes in the new year. The new framework provides a much more robust process that covers risk assessment against stated business objectives; risks associated with fraud and corruption and safeguarding assets; and risk appetite as an integral part of control activities. It adds value by ensuring that you’re focusing on the right internal controls so your company meets objectives and sustains and improves performance.

This means now is the time to take a fresh perspective and evaluate current processes, rather than waiting until the new framework is released. Making sure your activities are in alignment with the new framework now will put you ahead of the game.

To read the draft 2012 Framework and provide comments, go to the COSO website.