Talk about mixed messages. The new presidential administration wants what they consider “costly and unnecessary regulations” wiped out. At the same time we have continued pressure by regulatory agencies to strengthen and improve internal controls over financial reporting (ICFR). Anyone who is involved in SOX compliance has to wonder: Is the almost 15-year-old law part of the discussion in Washington? And what should we all be doing in the meantime?

Our crystal ball isn’t any less cloudy than yours, but here’s some advice. Keep in mind SOX’s goal—to have in place a strong ICFR system that prevents a material misstatement of the financial statements. To what extent this is mandated may be in flux, but the benefits of such a program are foundational. It’s good for your valuation, as well as management, employees, investors and anyone you do business with.

To keep your SOX program doing what you need it to do, know that it needs to evolve. As your business expands, its interests and risks shift, and leaders come and go, your SOX program needs tending to as well. Here are five ways to make sure yours stays up-to-date, no matter what happens on Capitol Hill.

1. Pay attention to your culture.

Culture plays a huge role in ICFR. What are the expectations for ethical behavior in the workplace? Are these embedded in your workplace culture? Is the pressure to deliver results so great that a blind eye is turned to questionable behavior? These are important questions to ask regularly, as the answers may change when leaders come and go, and the company grows more complex.

No matter how strong your design of controls, without a healthy ethical environment, your ICFR program will be fighting an uphill battle. Tone at the top matters. “In most cases of alleged financial fraud, the CEO and CFO are named in the complaint,” according to a March report from the Center for Audit Quality. “[Securities and Exchange] Commission staff noted that the driver of earnings management—the catalyst for most fraud cases—is often top management, such that the focus on the CEO and CFO is not surprising.”

In addition to the tone set by the senior leadership at headquarters, look at the culture of remote offices, both foreign and domestic. Take into account both the local tone at the top as well as customs and practices and any incentives offered to local leadership for achieving performance goals.

2. Revisit your company’s risk profile.

Business risks change. Are you staying current? Identify anticipated changes in business processes, systems and key personnel, and make sure you are addressing any known areas of risks that need attention. Even if your internal environment is stable, assess how your business risks may have changed due to external factors.

3. Adopt a quarterly review process.

Keep the people responsible for key controls engaged all year long. By carrying out quarterly self-assessments, control owners can get a quick read on areas that are changing and controls that no longer serve the organization. These evaluations can also help prevent surprises when it comes time to test the controls.

4. Seek alignment with your external auditors.

Expectations can change, so stay fluid. The regulatory landscape will continue to evolve as new leadership takes shape at the SEC and the Public Company Accounting Oversight Board, and their priorities and interests are passed down to auditors. Understanding changes in your auditors’ expectations and having clear, proactive communication can make all the difference in your ability to retain an effective SOX program.

Some of the more recent areas of focus by your auditors may include IPE (information produced by the entity) and the related scrutiny to ensure that the data is complete and accurate. In considering the completeness and accuracy of information used in the execution of a control, it is important to pay attention to the relevant data elements.

5. Fold in insights from experts who bring another perspective.

When your external auditor asks for additional controls, how can you tell whether it’s a check-the-box request? What’s a reasonable risk-based response? You can use a co-sourcing finance team as a sounding board to help you formulate the appropriate answers. Experts who work with a variety of companies can offer a broader perspective of what is going on in the industry.

And for smaller companies that need to rely on a single employee for subject-matter expertise, outside experts can fill in knowledge with their “second set of eyes,” such as by evaluating the design of controls or reviewing a complex, nonstandard transaction.

Regardless of whether SOX as we know it goes away or is here to stay, savvy companies will want to keep the benefits of strong, right-sized internal controls.

Pat Voll is a vice president at RoseRyan, where she mentors and supports the dream team, and heads up client experience, ensuring all our clients are on the road to happiness. Pat previously held senior finance level positions at public companies and worked as an auditor with a Big 4 firm. 

The sound of a large public company hitting the wall can be deafening—i.e., a front-page news story or a radical stock drop. Or it may occur slowly, almost silently over time, perhaps from stealthy competitor moves, a slower pace of innovation or hundreds or thousands of employees trying to adjust to strategy shifts and confusing directives. No matter what the reason for the disruption, the finance team, sometimes with the help of outside experts, plays a major role in the enterprise’s ability to dust itself off and reinvent itself for the future.

Big changes at a mature enterprise—growth spurts and turnarounds or spinoffs and restatements—definitely put a strain on finance teams. It’s a time when what’s needed most is tenacity and the ability to shift gears, to help guide the company through the trouble spots and keep it on course.

After all, the finance team plays a critical role in crafting the company’s future. They intimately know the ins and outs of running the company, along with the history. If they are fully staffed with the right mix of talents and skills, they can pave the way for the true business strategists to make sound decisions based on thoughtful, practical analysis of the team’s robust data and intelligence. The team’s wisdom can really influence the decision making.

Coping with growth and complexity

Mature companies need to continually evolve their product lines to survive. It may be time to reach out to new markets—or risk losing market share. The competitive atmosphere changes rapidly, and they must be nimble to adjust to new realities.

One major issue for companies during times of fast growth is finding the talent they need. Companies can bridge the gap by bringing in sharp consultants to help them get through a growth spurt. One-time transactions can knock the wind out of a team and the workload can be daunting. That’s when experienced consultants can be extremely useful to pick up the extra load, manage velocity and augment the staff with specialized expertise.

Coping with a downturn

At some point, a deceleration typically happens. The natural nimbleness of the startup phase is long gone, rapid growth is no longer a given, and the hard-fought battle for the IPO or an acquisition has already played out. A bunch of employees might be heading for the door. A shift in strategy is causing chaos among hundreds or thousands of employees, and there are complex global product lines to manage. Companies trying to stem the tide of departing employees can fill the gaps using interim consultants, such as an outsourced controller, accounting manager, SEC reporting maverick or other savvy finance pro, who can help the business move forward.

This is the mature enterprise stage in the business lifecycle where the ups and downs of staying relevant and gaining ground are challenging. The challenges have grown along with the company’s maturity and complexity. The reporting, compliance and regulatory issues are piling up, along with the ever-increasing demands from the board and investors. The finance team feels the pain firsthand and leads the way by rebalancing the business plan, cutting expenses and extracting efficiencies from every process. The team has years of transactions and data to mine, and sharp analysis and insights are critical to help the company stay afloat and turn itself around.

Consider some of the big ways that the enterprise can fall off course:

  • Shifting regulatory environment: Companies must stay on top of changing compliance and regulations in their space. For instance, implementing a huge new accounting standard (like the new revenue recognition rules or leasing rules) usually is a multi-year effort involving various systems and teams from different departments.
  • A spin out: A divestiture can pack a wallop to internal finance teams as well. “When a large company takes on a complex transaction, like we did with the divestiture of our information management business, it requires a lot of support,” Maddy Gatto, corporate controller of Symantec, a RoseRyan client, told us. Indeed, the finance team of an evolving company often commissions the services of multiple consulting firms and advisors at the same time. It can be a complex challenge to manage those partnerships and make the most of their assistance.
  • A messy restatement: If internal controls aren’t tight and financial reports can’t be trusted, a restatement may result. Yikes! Frankly, this would be a disaster for any company, and a PR nightmare. Maverick corporate controllers can ensure reliable reporting, and SOX experts can get the company through the compliance needs.

Onward and upward

Keeping to the status quo is not an option for companies at any stage. Massive change is inevitable. When it’s time to pivot, the finance team has a chance to shine. By adding in specialized finance experts as needed to help them navigate the tough spots, a company’s finance team can breathe easier. They can together discover the path forward, make the company more efficient and hopefully raise the valuation of the company.

Whether it’s coping with a wild upswing or a dramatic downturn, the finest finance teams move into swift action to get through it.

Not yet at the mature-enterprise stage? See our blog posts on handling the balancing act of the startup, managing through rapid growth and accelerating through an IPO or M&A deal.

Maureen Ryan, vice president at RoseRyan, heads up business development and helps companies calm the chaos. From meeting with hundreds of companies of all sizes and types, she has seen the emotional rollercoaster of the business lifecycle first hand. Maureen has seen the ups and downs during her early career in various engineering, sales and marketing roles. She’s held positions at Nortel Networks, Bay Networks, Quantum Corp and General Dynamics.

Stop us if you’ve heard this one before. A top executive of a public company suddenly resigns. This person had bypassed the company’s processes and procedures to move forward with a huge transaction that really should have been approved or at least communicated to the board. Other mishaps that could have been prevented with proper internal controls have come to light as well.

The stock price drops as the company’s worth and its future are questioned in the days that follow. The information the company has previously put out about its financials faces skepticism.

Such a public scenario is fairly rare to see over a decade after the passage of the Sarbanes-Oxley Act, but companies are at risk if something is off with their “tone at the top.” Set by the board of directors and carried out by senior management, the tone lays out the ethical climate as well as the foundation for internal controls.

A poor tone at the top opens up the company to a higher risk of fraudulent activity. It could feed the temptation or make it possible for someone or some people to successfully do something wrong and not get detected for a while. This is especially true at companies that discourage any questioning of authority.

To stay grounded and preserve a good tone at the top, companies need to do the following:

Communicate often: The board and the senior management team lead by example in the way they communicate. Have an open-door policy and be transparent with what’s going on at the company, with frequent updates, including regular company meetings. Under a culture of communication, employees are less likely to think secrecy is acceptable.

Give internal controls a voice: It’s a topic that should have a spot on the agenda of the audit committee for conducting free-flowing discussions with external auditors when management is not present. Also check in with outside experts on ideas for strengthening the company’s internal controls.

Expect accountability: Make it clear everyone is accountable for their actions and what they observe. Outline expected behaviors in the workplace with a code of conduct and business ethics policy that is revisited periodically.

Finally, a best practice is to have all employees annually acknowledge they have read the company’s code of conduct and send a reminder letting everyone know they have access to an anonymous whistleblower hotline and shouldn’t fear retaliation if they need to use it. SOX mandates that employees who report fraud suspicions are protected, but it’s up to the company to remind employees that the tool is available and that the board and senior management values it.

All of these points are in management’s interest. We were once brought in to help a company after an employee made a report on a whistleblower hotline that unraveled a two-year-old fraud. Six quarters of financial results had to be restated because two sales executives had orchestrated an environment to recognize revenue earlier than allowed under GAAP. Their orchestrations included colluding with the customer to take delivery of product earlier than needed, forging documents and making misrepresentations to company management and auditors.

How could the executives get away with it? The company lacked a proper tone at the top. Without this key foundation, companies are in effect encouraging employees to break the rules.

Theresa Eng, a member of RoseRyan’s dream team, is a superstar whether she’s working with a client or rallying her coworkers to volunteer for a good cause. Her areas of expertise include financial planning and budgeting, finance operations, and SOX.

Michelle Perez was honored in 2012 with RoseRyan’s coveted TrEAT Award, which honors a guru who has best exemplified our firm’s values (Trustworthy, Excel, Advocate and Team) throughout the year. She excels at SOX testing and documentation, finance management, general accounting, audit prep and support.

Many people say life speeds up as you get older. Maybe that’s why the year-end crunch seems to keep getting tighter. The end of Q3 is upon us and year end is right around the corner. While the company’s SOX testing may be under control, we have some recommendations for your 2015 internal control checklist that expand beyond SOX, and should help set you up for a year end process that runs as smoothly as possible (yes, it is time to be thinking about these issues):

1. Check in on COSO
By now, most companies have transitioned to the 2013 version of the Committee of Sponsoring Organizations (COSO) internal-controls framework, although there are some holdouts. Before you go any further in this checklist, if your company has not yet made the transition, we recommend that you familiarize yourself with the new framework, map your existing controls and identify any gaps.

The Securities and Exchange Commission has not confirmed a timeline for going after companies that have not migrated to COSO 2013, but lack of COSO compliance can still lead to problems. From an internal control over financial reporting (ICFR) perspective, if one or more of the new framework’s 17 principles are not present and functioning, a major deficiency may exist. This would equate to a material weakness under Section 404 of the Sarbanes-Oxley Act. Not something that management, the board or investors are likely to want.

2. See if you need to expand enterprise risk reviews
The latest COSO framework calls on companies to have an operational risk assessment program, and to identify risks that may derail their ability to reach corporate objectives. Most companies record their significant risks in their 10-Qs and the 10-K, of course, but they may need to rethink or expand the information sources.

The assessment should include input from business units and appropriate levels of management. Has the company also created an upward/downward communication route for identifying, documenting and addressing lower level risks that impact smaller entities and regional operations? If not, now would be a good time to make a change.

3. Put out some fraud feelers
Another COSO requirement is consideration of fraud risk. A proven way to address the issue is to conduct fraud brainstorming sessions with various employee groups. It could provide a whole new perspective. When employees are asked to “think like a fraudster” and brainstorm “how a fraud could perpetrate itself at the company,” they may reveal gaps or risks that had never been contemplated on a companywide scale.

4. Evaluate how management reviews controls
For controls that require management review, particularly for complex processes, it’s important to document the steps taken as part of the review process. Supporting documentation will make any auditor questions that pop up easier to handle and could also make the process easier when next year rolls around, or in the event of a personnel change.

5. Touch base with your auditors
Management must evaluate the adequacy and completeness of the key reports used for preparing financial statements. By now, the company should have the list of key reports handy. If you have not already done so, we recommend meeting immediately with your external auditor to confirm that the list is appropriate, while there is still an opportunity to address gaps prior to fiscal year end.

6. Take a fresh look at related-party and significant or unusual transactions
A new auditing standard could bring this issue to the forefront, even for companies that may think they do not have such transactions. To head off extra questions by auditors, companies should consider: Is the board or audit committee aware of all related-party transactions, including suppliers, vendors and customers? What if employees haven’t disclosed them? Does the company have a documented process to assess related-party transactions and determine when disclosure is required?

Here’s a quick trick that could be revealing: Compare employee addresses to vendor addresses to see if there are any matches. While it may not turn out to be a problem, a match could be a flag that requires further investigation.
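One way to run that employee-to-vendor address comparison, written as an added example for this post (not RoseRyan code). It assumes employee and vendor master data can be exported as records with an `address` field; the records below are constructed samples, and the matches it reports are candidates for follow-up, not findings.

```python
"""Flag vendors whose mailing address matches an employee's address.

A raw string comparison misses trivial differences ("Street" vs "St."),
so addresses are normalised before they are compared.  Output is a list
of candidate matches for an investigator to review, not a verdict.
"""
import re

# Constructed sample master data (hypothetical people and vendors).
EMPLOYEES = [
    {"id": "E100", "name": "A. Example",
     "address": "123 Main Street, Suite 4, Springfield, CA 90001"},
    {"id": "E101", "name": "B. Example",
     "address": "77 Oak Ave Apt 2B, Springfield CA 90002"},
    {"id": "E102", "name": "C. Example",
     "address": "5 Pine Road, Shelbyville, CA 90003"},
]
VENDORS = [
    {"id": "V900", "name": "Acme Consulting LLC",
     "address": "123 MAIN ST., STE 4, SPRINGFIELD CA 90001"},
    {"id": "V901", "name": "Widget Supply Co",
     "address": "900 Industrial Blvd, Shelbyville, CA 90003"},
    {"id": "V902", "name": "Oak Avenue Services",
     "address": "77 Oak Avenue, Apartment 2B, Springfield, CA 90002"},
]

# Common address tokens collapsed to one spelling before comparison.
_ABBREVIATIONS = {
    "street": "st", "avenue": "ave", "road": "rd", "boulevard": "blvd",
    "drive": "dr", "lane": "ln", "suite": "ste", "apartment": "apt",
    "unit": "apt", "north": "n", "south": "s", "east": "e", "west": "w",
}


def normalize_address(addr: str) -> str:
    """Lower-case, drop punctuation, collapse whitespace, abbreviate tokens."""
    tokens = re.sub(r"[^\w\s]", " ", addr.lower()).split()
    return " ".join(_ABBREVIATIONS.get(t, t) for t in tokens)


def find_address_matches(employees, vendors):
    """Return (employee_id, vendor_id, normalised address) for every vendor
    whose normalised address equals an employee's normalised address."""
    by_address = {}
    for emp in employees:
        by_address.setdefault(normalize_address(emp["address"]), []).append(emp)

    matches = []
    for ven in vendors:
        key = normalize_address(ven["address"])
        for emp in by_address.get(key, []):
            matches.append({"employee_id": emp["id"],
                            "vendor_id": ven["id"],
                            "address": key})
    return matches


if __name__ == "__main__":
    for m in find_address_matches(EMPLOYEES, VENDORS):
        print(f"review: employee {m['employee_id']} and vendor "
              f"{m['vendor_id']} share address '{m['address']}'")
```

Exact-match after normalisation keeps false positives low; a shared building or a PO box can still produce an innocent match, which is why each hit goes to a reviewer.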

Be aware that external auditors need to conduct new procedures to comply with Auditing Standard 18—Related Parties (which became effective for audits occurring on or after December 15, 2014), and they will report their results to the audit committee. The report will include transactions they found that the company had not told them about, as well as deals that were not authorized or approved in accordance with company policies, or that appear to lack a business purpose.

Also make a point to review significant or unusual transactions. Is the company preparing memos or documenting the approval and controls process for significant or unusual transactions? Your external auditor needs to report on this as well.

Ideally, these internal control and compliance areas are already a part of your toward-the-end-of-the-year checklist. If they’re not, you may want to start right now. That clock keeps ticking!

Alisanne Gilmore-Allen is a member of the RoseRyan dream team. She is a Certified Internal Auditor, Certified Fraud Examiner, Certified Information Systems Auditor, and she has a Certification in Risk Management Assurance. Alisanne spent over seven years helping Big 4 clients with enterprise risk management, and she has consulted for and headed the internal audit departments at Bay Area technology companies.

There’s a tension for finance organizations that go public. Throughout the year, they are faced with new rules from accounting standard-setters, new guidance from accounting firms and new direction by regulators that could affect them directly.

Last year was no different as the Financial Accounting Standards Board issued 17 Accounting Standards Updates (ASUs), up from 12 in 2013, including a real biggie (the new revenue recognition standard), and the regulators continued to be active and forceful. On top of this, privately held companies are getting more rules sent their way, and an increasing number are considering whether they too should get involved in the public markets.

No matter where your organization lies in its cycle—whether you’re in a startup or a fully fledged publicly traded company past the early, shaky days of trading—you have many issues to face in the coming year as your team puts together its financial reports and communicates with investors. Here are recent changes you should keep in mind, depending on your situation:

Taking on the new revenue recognition rule: By now companies should be past the evaluation stage and their plan to implement should be nearing completion. They should start tracking their transactions to see how they’ll play out under the new guidance.

Until formal adoption in 2017, companies must disclose the anticipated effect the new standard will have on their financials, so knowing the magnitude of the change is a critical initial step. It could lead to adjustments in processes and affect how contracts are drafted. Moreover, companies need to have this type of data around now to decide whether to adopt the standard retrospectively (which will include 2015 financials) or prospectively (beginning January 2017).

The entire endeavor will go beyond the finance department. As we saw with the implementation of the previous revenue recognition standard, business practices may need to adapt, and revenue accounting processes and systems certainly will, in order to record revenue transactions correctly.

Simplifying matters for private companies: The good news for private companies is FASB’s Private Company Council (PCC), now a year into its Decision-Making Framework for determining the situations when private companies can use an accounting alternative, issued four PCC-consensus ASUs in 2014. With the goal of simplifying accounting and reporting for private companies, these new ASUs should reduce private companies’ cost of compliance.

      • 2014-02: allows private companies to evaluate goodwill impairment when a triggering event occurs rather than annually.
      • 2014-03: provides a simpler method of accounting for derivatives.
      • 2014-07: provides a simpler alternative than the variable interest entity (VIE) model for accounting for leases under common control.
      • 2014-18: hot off the FASB presses in time for Christmas, this ASU simplifies private company accounting for intangible assets acquired through a business combination.

Preparing for public-company life: Depending on your viewpoint, the reduced reporting and SOX compliance provisions of the JOBS Act have had a positive effect: the number of IPOs rose in 2014 (a 44% increase over the number of 2013 filings). And IPO and follow-on public market financing activity don’t seem to be tailing off so far as we start 2015, particularly in the Bay Area.

But before private companies rush to Wall Street, they need to remember that despite a one-year exemption from the requirement to have their auditors sign off on SOX, management must still include their own assertion regarding internal controls in SEC reports beginning with the second 10-K and will want to have effective internal controls way before then. The auditors will still want to get comfortable in knowing management is doing what they say they’re doing. (For more about braving the new world as a post-IPO business, see our recent intelligence report, Ensuring a smooth ride as a newly public company.)

Getting ready for the audit: Finally, the auditors also received their own flurry of new rules and warnings from the Public Company Accounting Oversight Board in 2014. Companies will end up feeling the effect as those changes trickle down, leading auditors to deepen their focus as they review certain accounting methods. The PCAOB has stated the new audit requirements and alerts were issued in response to insufficient audit procedures in areas that have a higher risk for misstatements and the incidence of deficiencies.

There is a new audit requirement surrounding transactions and financial relationships with related parties, including executive officers, as well as requirements that strengthen the auditing of significant unusual transactions.

Two new practice alerts were issued in the fourth quarter of 2014. One dealt with auditing revenue, specifically testing recognition and timing, evaluating the presentation (gross vs. net), internal controls, and the risk of fraud. Additionally, the alert addresses the application of audit sampling and analytic testing procedures.

The second alert reminds auditors about PCAOB standards related to auditing “going concern” with regard to the application of updated accounting and reporting guidance. The PCAOB’s agenda for 2015 includes a project to consider updating the auditing standard.

Companies will still need to be ready for the increased scrutiny by the auditors of their 2014 results as a result of the alert issued late in 2013 that seemed to sneak up on them as they went through audits last year. Be ready for testing of review controls, controls over system-generated data and reports, and management’s evaluation of identified control deficiencies.

We all recognize that the pace of change keeps accelerating and isn’t likely to slow down in 2015. Staying on top of what’s new and what applies to our specific situation requires quite a bit of focus. It is part of what makes your finance and accounting folks such valuable members of the team.

Julie Gilson is a senior consultant with RoseRyan and a CPA (inactive) with over 15 years working in finance and accounting with fast-moving public and private technology companies.

The JOBS Act granted some relief from the burdens of SOX for emerging growth companies, and while any relief was most welcome, the changes brought on some confusion. And it hasn’t abated even three years later. There’s so much for newly public companies to do as they gear up for their intro on the markets and so much they have to do afterward to be in compliance with the new overseer in their life (the SEC). Working in the middle of an active IPO market, we often get questions about what a newly public company actually needs to take care of to be in compliance with SOX under the JOBS Act.

I’ll get to that in just a moment. First, here’s a quick refresher. The JOBS Act granted a temporary exemption (generally five years, depending on certain factors) from SOX 404(b)—the requirement for external audit attestation on internal controls over financial reporting for so-called emerging growth companies (i.e., practically any Silicon Valley company that’s on the go-public track). There is no exemption from SOX 404(a)—management’s report on internal controls over financial reporting. For any new public company, regardless of size, management is responsible for designing effective internal controls over financial reporting, for testing the effectiveness of those controls, and reporting their take on them beginning with the company’s second 10-K.

There’s a good intent behind all this: Whether you are exempt from audit attestation or not, you still need to report accurate financials. Internal controls over financial reporting should prevent material misstatements in your financials. A restatement of financials would be disruptive to your business, demoralizing to your team and very expensive. Where compliance becomes a hairy endeavor is in the details. It’s not something you want to put off until the 11th hour before that second 10-K is due. And you don’t want to be blasé about the whole matter just because the auditors won’t be looking at this area until the five-year mark goes by.

After working with companies for years on their internal controls, we have some practical advice that’s useful for both newly public and soon-to-be public companies:

Expect a culture shift. The typical entrepreneurial mindset that pits “nimble, innovative and responsive” as the polar opposite of “discipline and documentation” should change. The attitude that helped create your success needs to evolve to a more disciplined state for this next phase of your organizational development. This, more than anything, can be the biggest challenge of SOX compliance. Approach it as a “check the box, bureaucratic nightmare” and that is what you likely will end up with when you’re done. View and treat SOX as a value-add contribution to the success of your business and you may be surprised by the value you get.

Map out your SOX timeline before you go public. The second 10-K sounds so far away, but it will sneak up on you. You’ll need to ideally have your first round of testing finished in the first or second quarter of the year prior to your second 10-K—that gives you time to remediate and retest before the end of the year. Work backwards from there, keeping in mind other business priorities, such as new system implementations, audit timelines, vacation schedules and other deadlines. Your SOX timeline needs to build in the design, testing and reporting aspects—and you need to manage all that while the business evolves and your first rounds of SEC reporting deadlines create their own challenges.

Design your controls. Take advantage of the processes you already have in place, and identify your existing controls (you might be surprised at how much you already have in place). You’ll need to map to the COSO framework, identify where you already have strong controls and where you need to shore up others. You can develop a “gap list” of controls that need to be implemented and prioritize them so you can work on them over time. Your IT controls and entity level controls need to be addressed as well. The twist for SOX compliance is that not only do you have to have controls, you have to be able to demonstrate that you perform the controls. Reviewing the payroll register isn’t sufficient; documenting your review becomes just as important.

Time to start testing—assume the best but plan for the worst. First-time SOX testing typically has a high failure rate, unfortunately. Most everyone is learning the ropes and still operating under the entrepreneurial mentality of “Let’s get things done fast, and don’t worry about the paperwork.” People may be performing the controls that you have designed but failing to document what they did. For that payroll register review, if the sign-off is missing, it’s hard to demonstrate the review actually happened. On the other hand, some controls may be new, and they may not get done reliably at first; it may take a while for new habits to take hold. “Trust, but verify,” and “test early” will be your mantras, so you can find out who may need more training and which controls are not workable in your environment and need to be redesigned. Remediate and retest. As often as needed.

For more hints on making the transition to a compliant, well-oiled organization, check out our intelligence report on Ensuring a smooth ride as a newly public company.

Pat Voll is a vice president at RoseRyan, where she mentors and supports the dream team, and heads up client management, ensuring all our clients are on the road to happiness. She previously held senior finance level positions at public companies and worked as an auditor with a Big 4 firm. 

We often hear more about fraud at large companies because of the hefty price tags involved and the large number of investors who may be affected. But the sad fact is that when small businesses experience a fraudulent event, they may be hit much harder and have more difficulty absorbing the losses. Innocent employees may lose their jobs, personal investments may be lost, and creditors may be wary of helping out the victimized business in the future. And smaller companies are more likely to experience a fraud than large ones.

In the past two years, nearly 30 percent of reported organizational fraud cases occurred at companies with fewer than 100 employees, and 24 percent of cases occurred at companies with between 100 and 999 employees, according to the Association of Certified Fraud Examiners (ACFE) 2014 Report to the Nations.

And relative to their size, the losses hurt more. Organizations with fewer than 100 employees had a median loss of $154,000, while those with 100-999 employees had a median loss of $130,000. The victim organizations with over 10,000 employees made up just 20 percent of the reported cases, experiencing a median loss of $160,000. (Keep in mind that while all those median losses are at the six-figure level, one-fifth of all reported cases involved losses of over $1 million.)

The problem for many of these companies is they didn’t realize that fraud could be instigated by their most trusted employees.

A common thread
Smaller companies may underestimate their risk, thinking “it can’t happen to me.” And yet small organizations are disproportionately harmed by fraud losses, often because of employee misconduct, a lack of internal controls and a lack of segregation of duties.

And what kind of fraud is most prevalent? The fraud schemes most common in small businesses include corruption (33%), billing fraud (29%) and check tampering (22%). Embezzlement happens, particularly in organizations with inadequate controls or segregation of duties.

Awareness can reduce the risk
There are inexpensive and tangible actions that even the smallest of companies can take to reduce the risk of fraud:

  • Implement a code of conduct, and have employees acknowledge their compliance annually.
  • Perform supervisory or management reviews, particularly of complex, unusual or non-standard transactions.
  • Segregate duties that involve payments (e.g., adding vendors and employees to systems vs. paying them).
  • Separate cash handling, including bank deposits from bank reconciliation activities.
  • Hold employees accountable for the completeness and accuracy of financial statements (e.g., certification).
  • Provide a whistleblower hotline, keeping these points in mind:
    • While 68% of companies with over 100 employees have fraud hotlines, they are found only in 18% of companies with fewer than 100 employees, yet these simple tools reportedly reduced the median duration of fraud from 24 months to 12 months!
    • Posters improve hotline awareness within a company, and when the hotline can be accessed through the company extranet, customers and vendors have a vehicle to report potential fraud if necessary.
    • Educate employees on how best to raise flags and report suspicious activities.

The fact is that resource-strapped companies can prioritize activities that are proven to effectively reduce the risk and duration of frauds. For example, consider the feasibility of the following:

  • Fraud risk assessment: Identify your company’s fraud risks and brainstorm how a fraud might occur within company boundaries. If an insider wanted to do something inappropriate, would anyone take notice? Does the company have adequate controls to mitigate these potential risks? A formal fraud risk assessment tailored specifically to your company might be just what the doctor ordered and may help your organization avoid becoming the next victim.
  • Fraud training: Do employees know the warning signs of fraud? Teaching them the basics about fraud risks, red flags and the procedures for reporting suspicious activities may empower your team members to speak up or raise a concern.
  • Regular and surprise audits: Consider asking an internal auditor to conduct an occasional deeper dive audit in areas of potential risk. Should this include financial, cash handling processes, inventory or related party transactions?

It has been reported that companies lose 5% of their revenues to fraud. You don’t want your company to be the next one victimized or to be known for ineffective controls and management.

Alisanne Gilmore-Allen is a recent addition to the RoseRyan dream team. She is a Certified Fraud Examiner as well as a Certified Internal Auditor, Certified Information Systems Auditor, and she has a Certification in Risk Management Assurance. Alisanne spent over seven years helping Big 4 clients with enterprise risk management, and she has consulted for and headed the internal audit departments at Bay Area technology companies.

After more than a decade in the making, the FASB and the IASB finally issued new revenue recognition rules. Now if the boards needed that kind of a runway, how hard will it be for companies to implement? This is what management should be asking themselves.

But I get a sense that some are just in shock and aren’t asking the questions that need to get asked — maybe because they thought the guidance would never be issued or maybe because it’s just one more thing on the corporate plate right now. I get it. When anyone is in a state of shock, they tend to adopt a couple of go-to coping techniques — denial and procrastination. It’s been just over three months since the rules have been issued, and I have been witness to those coping techniques as companies battle implementation shock. What’s developed is a culmination of misconceptions, which we dispel below.

6 common misconceptions about the new rules

#1 The new rules don’t impact my business.
The new rules will apply to all entities that enter into contracts with customers, including long-term contracts and licenses. You cannot determine the impact until you truly evaluate each of your revenue models under the new guidance. Companies should also look ahead to how their business is growing and changing, and consider the new rules in connection with possible changes in their sales models between now and the adoption date. And, at the end of the day, even if your conclusion is “no impact,” you’ll also need to document your evaluation, vet it with your auditors, and update your financial statement disclosures and policy documentation so that they coincide with the new guidance.

#2 The implementation date is far away, so I can afford to wait.
While the standard is effective Q1 2017 for calendar-based public companies, the guidance does not allow for prospective adoption. You have some choices in terms of adoption methodology, but no matter what you decide you’ll still be looking back to 2016 and possibly 2015 if you choose full retrospective adoption…and 2015 is just around the corner. As a result, you will need to assess current contracts and those that commenced several years before the effective date. Then, when you begin to consider systems, processes, financial planning, investor communications, that date will no longer look so far off — especially when you know implementation duties will be in addition to your day job.

#3 Implementation of the new rules is just an accounting exercise.
So many people believe that it’s something that their accounting department will handle. Quite the contrary! Consider the following: debt covenants (treasury), sales incentives (HR), customer contracts (legal), investor communication (IR), systems (IT), and internal controls (internal audit). Companies big and small will need to think operationally where these rules are concerned. A successful implementation should be a collaborative effort across the organization.

#4 The standard only impacts the timing of revenue.
The fact is the new standard is comprehensive and changes the way we look at contracts with customers, the concept of delivery as well as many other aspects of the revenue process. For example, some of the collaboration revenue of life science companies may be excluded from the revenue guidance if the other party to the deal is not considered a “customer.” The new guidance also considers whether there is a financing component when an arrangement extends beyond one year. And any company opting for the modified retrospective adoption approach may have to record a cumulative effect of a change in accounting principle, which means it goes into the “black hole” of retained earnings, skipping the P&L, never to be seen again.

#5 My financial systems are savvy and can handle the rule changes.
With the complexity of contracts, there is no simple “flip-the-switch” scenario that can be employed. All types of revenue models will need to be evaluated. The new standard utilizes estimates and judgments, which can pose challenges in terms of automation. Companies may also want to look at additional reporting functionality to support their estimation process. And with all of this, internal control processes both in and around their system capabilities will need to be reviewed and updated.

#6 These changes always get delayed.
While some of us remember fondly the days when the internal controls part of SOX kept getting delayed, keep in mind that SOX was a U.S. compliance initiative. The new revenue rules, on the other hand, were developed in collaboration with the IASB in an effort to move closer to a single set of global accounting standards. The boards took great pains in developing the new standard and laying down the transition date so that reporting of revenue would be consistently applied on a global basis. So while companies may continue to lobby for postponement, this could result in nothing more than wishful thinking. Investors are going to want their companies to plan ahead; the “wait and see” approach will put delayers at high risk for financial misstatements and delayed filings.

In the face of a sweeping standard that could have extensive implications, it’s easy to understand why anyone would deploy coping strategies and try to look the other way. But as you can see from this list, there’s a lot to be done and only a certain amount of time to get it done right. The best approach is to tackle one step at a time. Start with assessing the impacts to your business: financial, operational and external. Then develop a plan. Knowing what needs to happen and how you can get there is certain to take you away from the depths of denial to a clear path to compliance.

Kelley Wall leads RoseRyan’s Technical Accounting Group, which provides technical accounting and SEC expertise to public and private companies on complex accounting matters and implementation of new accounting pronouncements.

Regulators are not requiring companies to follow the new COSO framework even though the 1992 version is being retired later this year. While we encourage companies to adopt the new internal control framework and most of them have begun the process, the lack of an explicit mandate still has some dragging their feet.

For now, the Securities and Exchange Commission staff have said they are keeping a close watch on which framework companies will be following. During this upcoming transitional year of reporting, they won’t be questioning companies that haven’t migrated to the new framework even after the old one is superseded as of December 15, 2014. As it is, the Committee of Sponsoring Organizations of the Treadway Commission has given organizations a fair amount of time to make the move before the preceding 20-year-old guidance is no longer available.

Still, some companies delayed starting their transition until after their 2013 10K and 2014 first quarter 10Q were filed. By the time fiscal year-end 2014 filings are submitted, not all public companies will have been able to say they follow the more modern framework, as COSO had hoped they would.

If you fall into that camp, it might be too late to make the transition for fiscal year 2014. Making the move is different for each company. If you’ve followed best practices for internal controls, you may only need to map your existing internal controls to the new framework. In that situation, your internal controls have been effective for the year and can be relied upon, and your transition is done. If you don’t fall into this category, there will be more time involved (how much time and how many resources depends on the current state of your internal controls). Starting now also means that any new controls put in place for the new framework have not been operating for the first eight months of the year, and therefore reliance on those controls for 2014 will be in question.

We’re not trying to make you feel bad. Procrastination—for whatever reason—happens. What really matters is what you do now. While the ideal path would have been to make your COSO transition sooner rather than later, this could also be the time if you haven’t started at all to begin the evaluation of the new COSO framework for fiscal year 2015.

Where to begin
If you have read the new framework, you will have noticed that it has 17 new principles for internal control, and within each of those principles, there are specific points of focus. The points of focus do help with identifying controls within your organization. Most of these internal controls will exist in your entity level controls. Entity level controls address those controls that apply across the organization, and most of the new principles are aimed at those internal controls that reside at the organizational level.

If you haven’t reviewed the 17 new principles and their corresponding points of focus, you should start to familiarize yourself with them now. Whatever the mapping turns up, whether it is an existing control that only needs to be documented, an improvement to an existing control, or a new control, the control has to be in place and operating before you can rely on it. A control that is documented but not yet performed cannot be relied upon.

Based on the companies that have already mapped their entity level controls to the new framework, here is what will likely happen. We have seen our clients experience some combination of three outcomes:

  1. They need to take credit for what they already do, as their latest evaluation shows the control is already in place but not currently identified as an internal control. This involves formalizing the control and documenting it.
  2. They work on improving a control that already exists in order to make sure it covers the points of focus within the framework.
  3. They add a new control. This is the one that requires more time. You will need to get agreement from the organization that the control needs to be added, confirm that the control is documented accurately and will be performed, and then be able to test early enough to allow time to remediate the control in case something goes wrong.

If your company has been following best practices with identifying internal controls within its entity level controls, then you will likely see the transition to the new framework follows items 1 and 2 above. This will take time for documentation, but the controls are already being performed and additional training will not be needed.

However, if you haven’t been following best practices for internal controls as closely as you could have been, then you might find yourself working with all three points above. Item 3 does entail additional time and training that could go beyond the finance department. The sooner you start this process, the sooner you will position yourself to be prepared to make the switch.

With all of this said, if you are choosing to not migrate to the new COSO framework now, you will at the very least have to document your reasoning as to why you think your internal controls are sufficient as is. In addition, you will have to make sure your external auditors are in agreement with your rationale. In my opinion, it would be prudent to keep in mind that at some point, the new COSO framework will be required. Nobody wants to be caught without the time, resources, or remediation runway when that requirement is made.

Tracy Thames has been a member of the RoseRyan dream team since 2008. She excels at SOX, internal audit, accounting management and project management.

It’s time to test your current events knowledge: Which major retailer acknowledged having to spend $88 million related to a mega data breach in its most recent 10-Q, with more costs expected?

Target immediately comes to mind, right? The prevalence of the retailer’s troubles speaks to the far-reaching effect a cybersecurity attack can have on a company. That $88 million is just a drop in the bucket of expenses and problems Target continues to face following the exposure of its customer payment data over six months ago. The initial tally does not include the company’s anticipated claims for incremental fraud losses nor does it include litigation costs for the more than 100 legal actions filed in various jurisdictions to date or the reputational hit and the faltering loyalty by customers now worried about sharing their credit card information with their local store.

Every day there seems to be a new headline reporting another Internet security breach or data protection lapse – be it hacked credit card data, the Heartbleed Bug or well-crafted phishing scams luring victims to give up sensitive information. If there is an upside, it’s that such news may prompt other companies to do a full sweep of their internal processes and systems to minimize the probability of something like this happening to them.

But will they do a good job? Those companies that make such an effort go beyond the confines of their IT department are more likely to succeed in shrinking their risk. CFOs in particular should take responsibility for toughening up the organization’s cyber defenses if they haven’t already.

Regulators are demanding it: Three years after issuing guidance calling on companies to disclose cybersecurity risks and incidents that are specific to them, and to stay away from generic language, the Securities and Exchange Commission continues to focus attention on the topic. In fact, the SEC hosted a roundtable earlier this year to discuss the cybersecurity challenges facing market participants and public companies, and how they’re being handled. Just a couple of months later, the SEC’s Office of the Investor Advocate announced that it would study how the SEC and other market participants are actually protecting investors from cybersecurity threats, which further puts pressure on the Commission to keep tabs on the risks.

On top of all this regulatory introspection is a call on auditors to pay more attention to how companies deal with the problem and what they say about it. The Center for Audit Quality recently issued an alert outlining independent auditors’ responsibilities related to cybersecurity risks. Such an alert may cause auditors to up their scrutiny of their clients’ forthrightness about their risks and what they disclose about them.

Data breaches at larger companies make the headlines, but smaller companies are not immune from this threat. In fact, smaller companies may be easier targets because they have fewer resources to deploy in preventing a breach. Think what a treasure trove a hacker could find on your servers — employee information, customer information, engineering design information, your financial information, etc.

What CFOs can do
CFOs can play a critical role in all of this, as the keeper and protector of their business’ sensitive information and internal controls. While your IT gurus, data protection officers and security and privacy experts are addressing “defense in depth” strategies to thwart would-be hackers, here’s what you should be doing.

  • Identify the crown jewels: No matter how good your firewall is, let’s assume that everything can be hacked. Hackers are looking for valuable information that isn’t adequately protected, so the first thing to think about is “what are your crown jewels?” This can include information such as engineering and design data, financial information, employee and HR information, and customer or client information. You want to make sure the full scope of your company’s sensitive data has extra security layers around it. And you’ll need to get input from all areas of your company for identifying your most sensitive information.
  • Control who has access to that valuable and vulnerable info: Now that you have identified what the critical data is, make sure you know where it resides. It is important to limit access to only the specific individuals who need it to perform their job duties. Do you have proper controls in place to ensure proper authorization is obtained before access is granted? Do you review access on an ongoing basis, comparing who actually holds access against who is authorized, so that leavers, transfers and mistaken grants are caught? Is your data backed up, with the backups kept where an intruder on your network cannot reach them, so that an attacker who encrypts or destroys your systems cannot hold you to ransom? (A backup does not help when the attacker’s threat is to publish data they have already copied; against that, access control and encryption are the defenses.) Depending on the size and complexity of your business, you may need to confer with your CIO on what measures are currently in place or you may need to bring in outside expertise.
  • Review third parties critically: You can’t outsource your responsibilities. When you use third parties to host, store or process your data, you need transparency in how they are protecting your data and complying with privacy laws. Don’t assume any third party has it all under control. Obtain and critically review their service organization control (SOC) reports: depending on the nature of the work being outsourced, you will want a SOC 1 report (issued under SSAE 16) for internal controls over financial reporting or a SOC 2 report for security, availability, confidentiality and privacy. Ask for a Type 2 report, which covers whether the controls operated over a period rather than only whether they were designed at a point in time, read the exceptions the auditor noted, and check the “complementary user entity controls” section, which lists the controls the provider expects you to operate on your side. You may want to reconsider using a company that refuses to share this information or that has questionable results.
  • Encrypt like crazy: Is all of your sensitive data encrypted? Not only is it important to encrypt data during transit, but it is also important to encrypt critical data at rest, meaning information sitting on computer drives, laptops, flash drives and the like. Encryption won’t protect your data from being intercepted, but it can protect the contents from getting read. Keep in mind what at-rest encryption does and does not cover: it protects a lost or stolen laptop or drive, but not data read through a legitimate user’s account on a running system, and it is only as strong as the protection of the keys, so ask where the keys live and who can get to them.
  • Engage everyone in the effort: Do you have formal, companywide policies around data protection and security? Are they effectively communicated to employees (i.e., not just shared with new staff but distributed periodically)? Employees can unknowingly violate a carefully created data security effort by simply sending an unencrypted email that includes sensitive information. Ongoing training and education are key ways of ensuring that the procedures you have created to safeguard your data are correctly implemented.
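As an added illustration (not code from either post, and not RoseRyan’s own tooling), here is the kind of check that puts two of the bullets above into practice: the segregation-of-duties bullets in the fraud post (adding vendors or employees vs. paying them; cash handling vs. bank reconciliation) and the “Control who has access” bullet here. It reads a constructed user/role export of the sort an ERP administrator might hand a reviewer, flags any account holding a conflicting pair of roles, and lists accounts that are not on the active-employee roster. The role names, the conflict table, the export and the roster are all assumptions made up for the example; a real system’s role names will differ.

```python
"""Segregation-of-duties and access-review check over an entitlement export.

Added illustration, not code from the original posts or from RoseRyan.
Everything below (role names, conflicting pairs, the export, the roster)
is constructed sample data; substitute your own ERP's role names.
"""
import csv
import io
from collections import defaultdict

# Constructed table of role pairs one person should not hold together,
# with the fraud each combination enables.
SOD_CONFLICTS = [
    ("VENDOR_MASTER_MAINTAIN", "AP_PAYMENT_RELEASE",
     "can set up a fictitious vendor and pay it"),
    ("EMPLOYEE_MASTER_MAINTAIN", "PAYROLL_RUN",
     "can add a ghost employee and pay it"),
    ("CASH_RECEIPTS_POST", "BANK_RECONCILIATION",
     "can skim receipts and hide the shortfall in the reconciliation"),
]

# Constructed entitlement export, shaped like a 'user,role' CSV an ERP
# administrator might hand to the reviewer.
ENTITLEMENT_EXPORT = """\
user,role
alice,VENDOR_MASTER_MAINTAIN
alice,AP_PAYMENT_RELEASE
bob,AP_PAYMENT_RELEASE
carol,EMPLOYEE_MASTER_MAINTAIN
carol,PAYROLL_RUN
dave,CASH_RECEIPTS_POST
erin,BANK_RECONCILIATION
frank,AP_INVOICE_ENTRY
"""

# Constructed HR roster of active employees. An account in the export that
# is not on this list belongs to a leaver or was never authorized.
ACTIVE_EMPLOYEES = {"alice", "bob", "carol", "dave", "erin"}


def parse_export(text):
    """Return {user: set_of_roles} from a 'user,role' CSV export."""
    roles_by_user = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        roles_by_user[row["user"].strip()].add(row["role"].strip())
    return dict(roles_by_user)


def find_sod_violations(roles_by_user, conflicts=SOD_CONFLICTS):
    """Return (user, role_a, role_b, why) for every conflicting pair
    held by a single account, in user order."""
    violations = []
    for user in sorted(roles_by_user):
        roles = roles_by_user[user]
        for role_a, role_b, why in conflicts:
            if role_a in roles and role_b in roles:
                violations.append((user, role_a, role_b, why))
    return violations


def find_unauthorized_accounts(roles_by_user, active=ACTIVE_EMPLOYEES):
    """Return accounts in the export that are not on the active roster."""
    return sorted(user for user in roles_by_user if user not in active)


def run_review(export=ENTITLEMENT_EXPORT):
    """Run both checks and return the findings as a dict."""
    roles_by_user = parse_export(export)
    return {
        "sod_violations": find_sod_violations(roles_by_user),
        "unauthorized_accounts": find_unauthorized_accounts(roles_by_user),
    }


if __name__ == "__main__":
    result = run_review()
    for user, role_a, role_b, why in result["sod_violations"]:
        print(f"SoD conflict: {user} holds {role_a} + {role_b} ({why})")
    for user in result["unauthorized_accounts"]:
        print(f"Not on active roster: {user}")
```

On the constructed data the check reports alice (vendor maintenance plus payment release) and carol (employee maintenance plus payroll run) as conflicts, and frank as an account with no matching active employee; dave and erin are fine because the cash-receipts and reconciliation roles sit with different people. Run against a real export on a schedule, have the owner sign off on the findings, and keep the signed output: that is the “document your review” point from the SOX post, applied to access.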

If you consistently review and update your policies and systems, train your employees on those policies, and allocate sufficient resources to cybersecurity, you will have taken significant steps to reduce your risk. This should be an ongoing process, not a one-time reaction to a headline about a data breach. In this fast-moving era of hacks and viruses, a protective effort that occurs outside of IT needs to be a matter of course.

Pat Voll is a vice president at RoseRyan, where she mentors and supports the dream team, and heads up client management, ensuring all our clients are on the road to happiness. She previously held senior finance level positions at public companies and worked as an auditor with a Big 4 firm. Melette Evans, a RoseRyan senior IT guru, contributed to this blog post.