CFO Consulting Partners LLC Cyber Security White Paper, March 2015
Cyber Security: A fundamental component of Enterprise Risk Management (ERM)
Cyberattacks have hit virtually every industry and the two industries most impacted by incursions, breaches and theft of data are financial services and health care. Financial services and the medical world are inexorably connected to the internet, and they are therefore connected to hackers, cyber criminals and even nation states intent upon getting access to financial and medical records.
Banks are a particular focus of cyber criminals. In a recent speech OCC Head Thomas Curry said, “The financial-services industry is one of the more attractive targets of cyberattacks, and unfortunately the threat is growing.” Further, one growing area of concern is the potential for criminals to target smaller banks. In late 2014 New York State banking regulator Benjamin Lawsky asked the institutions he supervises to understand the increasing complexity and interconnectedness of the financial system, as well as the importance of strong controls and of carefully monitoring the ways in which they connect to third parties.
Banks routinely use advanced statistical models and behavior analytics programs that can spot possible fraud and, to some extent, have a cultural data governance advantage over other industries. Analysts at the Gartner research group estimate that the health care industry is generally about ten years behind the financial services sector in terms of protecting consumer information.
In the healthcare world, major cyber breaches go back to 2010, when the WellPoint medical records breach set two records: the number of members’ records exposed in a security breach, and the size of the settlement amount paid to the Federal Government. The WellPoint breach is estimated to have cost $143 million. These costs were for legal recovery actions, new security control investments, and extended credit and protection services for victims. During an investigation of WellPoint’s information systems, the US Department of Health and Human Services (HHS) found that the Indianapolis-based insurer had not enacted the appropriate administrative, technical and physical safeguards for data which are required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
More recently the dangers of health care cyberattacks were highlighted early in 2015 when Anthem, the nation’s second-largest health insurer, said hackers broke into a database storing information on eighty million people. The hack led to a particularly valuable trove of data because it exposed Social Security numbers.
Basic components of cyber controls framework, and ERM (Risk Management):
• Governance: Companies in all industries need to establish a cybersecurity governance framework, which is a central component of the ERM infrastructure. Regular reporting to the Board of Directors will help assure active participation among the Board, Senior Management and IT Management. The visibility of the cybersecurity infrastructure and processes is an important driver of adequate resourcing, which is essential for companies to stay ahead of the many bad actors in the cyberattack world.
• Cyber Risk Assessment: Through risk assessments, companies understand the specific risks to their organizational infrastructure and operations. Risk assessment processes identify and document vulnerabilities, highlight internal and external threats, and ultimately prioritize the risk and related responses. The related controls should be organized and implemented as preventive, detective and corrective.
• Technical Controls: The selection of specific controls by any company depends on the company’s individual risk profile. Many companies use a “defense-in-depth” strategy in which they layer multiple independent security controls strategically throughout their technology systems. One way of looking at this approach is to view the components of a company’s technical infrastructure as residing in partially redundant layers.
• Vendor management: At every touch point vendors can introduce cyber threats (e.g., viruses) into a company’s systems and databases. While third party penetration testing is almost impossible with vendors, the company’s threat assessment must thoroughly evaluate each third party touch point for cyber risks.
• Incident Response Planning: An incident response plan is a framework to manage a cybersecurity event and limit the damage. A company’s incident response plan should establish a dedicated Cyber Security Incident Response Team, address all the possible attack vectors and take the legitimate concerns of third parties into account.
• Staff Training: Without adequate staff training and related awareness, the rest of a company’s cybersecurity program can be easily compromised. Companies must define cybersecurity training needs and requirements. Staff need to understand the possible vectors and techniques that the bad actors use to penetrate systems and databases.
• Cyber Insurance: While almost unknown five years ago, many companies have chosen to obtain cyber risk insurance. Coverage is offered by most major insurance underwriters; premiums vary widely. Underwriting relies heavily on the quality of a company’s cyber control infrastructure. In other words, insurance premiums depend greatly on the quality and strength of the company’s cyber control infrastructure.
Note: Cyber Control Framework items above extracted from FINRA 2014 “Report on Cybersecurity Practices”.
New York Event Brings Together ACCA, IMA Members and Organization Leaders
On Thursday evening, February 28, 2013, more than 100 IMA® and ACCA (the Association of Chartered Certified Accountants) members gathered in New York City for the first joint chapter event between members of the two partnering organizations. The event was planned in tandem with a special U.S. visit by ACCA CEO Helen Brand.
Following a warm introduction by IMA regional vice president Marc Palker, CMA, RTRP; and ACCA’s NYC Metro Area Chapter head Fuad A. Karimov, director of Transactions & Restructuring Services at KPMG LLP, members enjoyed a regulatory issues update by Ms. Polley, representing FAF. As the independent oversight body for the Financial Accounting Standards Board (FASB) and the Government Accounting Standards Board (GASB), FAF has an important responsibility to ensure the development of sound accounting standards that are relevant to stakeholders.
Pictured left: Helen Brand, ACCA CEO, welcomes an audience of IMA and ACCA members, the first joint chapter event between the two organizations.
“IMA has long echoed FAF’s belief that constituent input is a vital factor for creating the best possible accounting standards,” said Mr. Thomson. “IMA and ACCA are honored to have Ms. Polley join us for this landmark chapter event.”
“Successful partnerships are all about the relationship, shared values, and inspired visions. In the first year of our strategic partnership, IMA and ACCA have delivered valuable research, thought leadership, and educational opportunities to our members around the world,” said Mr. Thomson. “The two organizations share a wonderful partnership centered around the common philosophy of delivering value—to professionals, organizations, and society.”
The New York event was so well received that IMA is exploring the possibilities of organizing other joint events, either in New York or with ACCA’s 10 other U.S. chapters.
“ACCA is immensely proud of the work it does alongside IMA. Both organizations have a long history of seeking innovations in finance and accounting, recognizing that a strong global profession needs to innovate to be relevant in a fast-changing world. I look forward to working closely with IMA in the future and I am confident that together we will make an excellent contribution to the development of the accountancy profession around the world,” said Ms. Brand.
To learn about the latest initiatives of the IMA/ACCA strategic partnership and recent joint research reports, visit the partnership web page at www.imanet.org/acca.
When should a small business owner hire a CFO? While there is no right answer, there are certain indicators. I spoke with Marc P. Palker, CMA, about this topic. Marc is Director of CFO Consulting Partners, LLC – a firm that provides interim and part-time CFO services to small and midsized public and private companies – and a member of the IMA (Institute of Management Accountants) Board of Directors.
This interview has been edited and condensed.
Jeff Thomson: What are some internal indicators that a small business owner should hire a CFO?
Marc Palker: An important internal tipping point is when information that helps the business make timely and important decisions is not being prepared. Business owners make decisions at the pace of the business and must be able to rely on the accurate and timely information provided by CFOs. It’s never too late to make a change.
In many small- to medium-sized companies, the CFO is responsible for the interpretation of the results, cost control measures, capital acquisition, and forward-thinking due to economic, industry, tax, government regulation and social issues. In some cases, the CFO can also be the OFO, or Only Financial Officer, and must rely on bookkeepers for accurate processing of financial information. The CFO must also be critical of the banking relationship – there can be no slip-ups.
MP: It will largely depend on the business and/or industry. A company generating $10 million in revenue might be ready for a CFO while a company generating $20 million may not be. One client could sell its product for $1.5 million each but only sells five units in one year, while another client might need 28,571 transactions to reach $10 million with an average transaction of $350. The complexity of the transactions can also determine the need for a higher level of experience or knowledge.
Rapid growth is another important indicator. Growth requires an expansion of automated systems to handle the growth, and additional capital and/or financing to finance the growth. A CFO is best suited to handle rapidly increasing growth due to the complexity involved. He or she must be able to interpret the investment and technology, and the terms of acquiring capital.
One final indicator is when a business is preparing for a merger or acquisition. In this situation, the CFO must be able to choose the correct team to evaluate a target acquisition. In many cases, that will result in outsourcing to a firm to perform the financial and regulatory due diligence. The CFO is the best person to interpret the report issued by the due diligence team so the terms can be tailored to the findings. A very important skill required of CFOs is the ability to feed a potential investor or lender. Preparing the information and anticipating their questions will shorten the process and eliminate further digging.
JT: What specific responsibilities should the CFO of a small business have?
MP: A CFO in a growth-oriented small business must be hands-on. Being in the weeds is critical to controlling growth and communicating results to those with money at stake. That could be the owners or shareholders, banks, insurance companies and – let’s not forget – the employees. As growth occurs, the company and its key customers, suppliers and employees will face new risks. Managing risk involves not only having insurance, but the CFO must also protect the company from regulatory, environmental and human capital risks.
This column offers CFOs and their teams insights and ideas related to challenges of the position, in light of market demands and global economic conditions. Jeff Thomson, CMA, is president and CEO of IMA (Institute of Management Accountants), one of the largest and most respected associations focused exclusively on advancing the management accounting profession. Follow IMA on Twitter and visit IMA’s YouTube channel.
By Valentine Ejiogu, Director, CFO Consulting Partners
Late last year, the FASB and IASB released an exposure draft on the proposed new accounting standard, Topic 840. This will be the first significant change in lease accounting since FAS 13 was released in 1976.
If finalized, the exposure draft would converge FASB’s and IASB’s accounting for lease contracts in most significant areas. The few remaining differences pertain mostly to discrepancies with other existing standards.
Companies would face significant changes in how they account for leasing transactions if the exposure draft is adopted. For example, today if a company enters into a multi-year lease for premises, the lease payments would normally be expensed evenly over the life of the lease. If the exposure draft is adopted, that lease would be capitalized, which would result in amortization and interest expense, with more interest expense recognized in the early years and less in the remaining years. Therefore, the Company’s income statement will suffer in the early years. Further, lease expense, which is now normally considered operating expense and which is included in EBITDA, would be shown after the EBITDA line.
Lessees would be required to perform significantly more monitoring and recordkeeping, particularly for leases currently classified as operating leases. Lessees will also need to apply lease requirements to all outstanding leases as of initial application (comparative periods would need to be restated). Lessees will need to apply the proposed transition requirements to leases currently accounted for as operating leases.
- All leases are to be capitalized. That is, all leases would result in asset and liability recognition. There is no exclusion from capitalization for short-term leases; though the Boards will permit leases with a total maximum lease term of 12 months or less to be capitalized at the undiscounted value of the rents. The exposure draft proposes the lessee recognize an asset for right to use the leased asset and a liability of its obligations to make future payments and in addition, amortization of the right-to-use asset and finance expense arising from the liability.
- The interest rate used for present valuing the rents and recognizing interest expense is the incremental borrowing rate, except that “the rate the lessor charges the lessee” may be used if known. This is referred to as the implicit rate, which must now include contingent rents.
Definition of a Lease
A lease is a contract in which the right to use a specified asset (the underlying asset) is conveyed, for a period of time, in exchange for a consideration.
At the date of inception of a contract, an entity shall determine whether the contract is, or contains, a lease on the basis of the substance of the contract by assessing whether:
- The fulfillment of the contract depends on providing a specified asset or assets (the underlying asset); and
- The contract conveys the right to control the use of a specified asset for an agreed period of time.
The proposed requirements would affect any entity that enters into a lease, except that they would not apply to:
- Leases of intangible assets
- Leases to explore for or use minerals, oil, natural gas, and similar non-regenerative resources
- Leases of biological assets
- Certain service components of leases
- Contracts that represent a purchase or sale of an underlying asset.
Impact on Accounting by Lessees
The following are the major differences for lessees in the new exposure draft:
- Cash payments for leases are considered financing activities in the statement of cash flows
- Existing operating leases will be capitalized by present valuing the remaining rents as of the date of application. Lessees will adjust the right-of-use asset for any existing deferred/prepaid rent liability or asset.
- Similar to FAS 13, the liability is amortized using the interest method; the asset is amortized like other property, plant and equipment. Interest and depreciation expense are reported separately from other interest and depreciation, but in the same place on the income statement. Lease expenses would no longer be recognized on a straight line basis, but rather replaced by amortization and interest expense.
- Initial direct costs are to be added to the asset to be depreciated over the life of the lease.
The exposure draft provides that lessee disclosure in the financial statements should include:
- Description of leasing activities, including assumptions and judgments for valuing contingent rentals, sale and leaseback transactions and information about significant future leases.
- A reconciliation of opening and closing balances for right-of-use assets and lease liabilities.
- A maturity analysis of future rents, by year for 5 years and all remaining years combined. Minimum lease payments are to be separated from contingent rentals, termination penalties and residual guarantees.
- Initial indirect costs incurred during the reporting period.
Impact on Accounting for Lessors
The lessor would recognize an asset representing its right to receive lease payments and, depending on its exposure to risks or benefits associated with the underlying asset, would either
- Recognize a lease liability while continuing to recognize the underlying asset (performance obligation approach) or
- Derecognize the rights in the underlying asset that it transfers to the lessee and continue to recognize a residual asset representing its right to the underlying asset at the end of the lease term. (Derecognition approach).
- The derecognition approach is similar to the current accounting for sales-type leases under GAAP. However, the amount of the upfront profit recognized, as well as the measurement of the lease receivable and the residual asset, may be different from that recognized under the sales-type lease.
Effective Date
The Boards are yet to determine the effective date.
By Eileen Xethalis, Director and Head of Entrepreneurial Services Practice, CFO Consulting Partners LLC, April 26, 2011
CFO Consulting Partners is often retained to fix broken Accounting and Finance functions. When a prospective client requests an exploratory meeting to gauge whether we can help, the request typically is the result of many months of frustration on the part of the CEO/COO in dealing with the Finance and Accounting area.
Our active practice with growth companies has yielded some common traits that we believe are the root cause of untimely and unreliable management reporting, and/or high audit fees due to a lack of preparation for the audit.
Here are my ten painful oversights: The Company:
1. Has a chart of accounts that grows organically - lack of planning when setting up the chart of accounts results in a higher work load in producing financial reports.
2. Does not keep a record of changes to the chart of accounts - A lack of record keeping as to changes in the chart of accounts is a red flag for lack of controls at the IT level.
3. Never closes the books - Leaves the door open to current events being booked in prior periods.
4. Does not adequately train staff on the proper use of accounting software and accounting related applications - Not training the accounting staff may lead to many problems, such as incorrect inventory, incorrect payroll records (if not using an outside service), and incorrect billing.
5. Does not have a closing calendar - Closing impinges on the rhythm of the daily work load. A calendar provides direction for the staff.
6. Does not adequately describe the assets being depreciated (start date, number of months of depreciation and so forth) and does not maintain easily traceable support documents - Support for the depreciation schedules facilitates smooth financial, income tax and sales tax audits.
7. Does not register to pay use tax on out of state purchases - The Sales & Use tax return is frequently overlooked; many companies do not deal with a retail customer and mistakenly believe they have no liability.
8. Never sets benchmarks to evaluate the adequacy of the finance staff - Growth companies frequently go bare bones at startup with accounting staff. When to add? Who to add?
9. Never sets up a tickler file to remind it to file annual registrations - Timely filing of annual reports maintains a good standing status and the ability to do business within a State.
10. Never sets up a tax calendar - A tax calendar is crucial when you have a presence in multiple locations; inclusive of federal, state and city filing dates.
©2011 CFO Consulting Partners LLC/ Eileen Xethalis all rights reserved
By Joe Barkley, Director, CFO Consulting Partners LLC
Information Technology (IT) is the second largest cost – after Human Resources – to most firms. It is often misunderstood and can be ineffectively managed. IT is a business within the business, and it has significant bottom and top line impact.
Chief Financial Officers (CFOs) may regard IT as a “black box”: it is difficult to fully comprehend exactly which technologies are worth spending money on and how to properly utilize them. Firms and management can be enticed by the latest technology because it looks slick, without understanding the full capabilities and controls involved.
Ask a CFO who is responsible for the management of the IT costs and the answer is usually the Chief Information Officer (CIO), or some equivalent position. While it is imperative that the CIO have a say in IT budgeting, the CFO has ultimate control and must be involved in IT cost management as well.
There is a need for an adequate, effective, and efficient control process for all aspects of IT. When fully implemented, each IT process needs to include budgeting, financial reporting and accounting, capital budgeting, project management, program management, acquisition approval, and control of IT procurement of equipment, services and personnel. This is in addition to the management of the IT specific facilities such as data centers, operations centers, and ancillary facilities. This financial control needs effective benchmarking and measurement to both internal and external standards.
The development of a successful, well-managed IT Financial Management program is a multi-phase process. Along the development path, there must be a controlled and logical progression of steps and decisions. Start by identifying all of the IT costs, resources, and effective reporting on those activities. This is not a trivial task. Progress reports on what is learned should be provided to Senior Management in a consistent and routine manner because numbers should and will change as more information is discovered.
Move on to budgeting, both operational and capital, including approval and authorization processes. Get control of the maintenance activities and costs, and the personnel approval processes for both internal and external resources. Consider building a specific set of job classifications for IT units and functions.
Continue building the IT control and management processes, measurements, and reporting phase by phase until there is a comprehensive program. The detailed program should be understood and reviewed by the firm’s senior management, who should have adequate authority and resources in the IT function to sustain the operation.
Remember the adage from Lou Gerstner, “Sooner is better than perfect.” Resist the temptation to jump to a sophisticated strategic prioritization process until the organization is mature enough to do it right.
CFO Consulting Partners specializes in developing and fixing these functions and processes. We can parachute in and have “wingtips on the ground” within days and begin to understand, listen, and build. Contact us to see how we can help improve the financial management of your firm’s Information Technology.
By Allan Tepper, Senior Managing Director, CFO Consulting Partners LLC
Should the CFO be at the table when the CEO is meeting with his executives? Apparently, according to the NY Post article by Keith Kelly on March 19, 2011 (page 25), some senior staff people at Time Inc. think so. See article at http://www.nypost.com/p/news/business/jack_last_stand_siRYOg7chEA54VzUCJCkcJ
Time Inc. CEO Jack Griffin was dismissed after six months, apparently for having a fight with General Counsel Maurice Edelson, who was speaking on behalf of himself, CFO Howard Averill and Editor-in-Chief John Huey. The confrontation was over why the three were not invited to a meeting that Griffin was having with Time’s key revenue producers.
On the surface, a confrontation over being at a meeting doesn’t seem plausible, but many senior staff people feel they need to be at the table when the discussion is likely to center around key strategic issues. In fact, not being at these types of meetings can often lead to communication issues within a company and ultimately to subpar company performance. It may also devalue the position of the CFO in the eyes of his or her peers.
So, the question in my mind is – should the senior staff people at Time Inc. have asked to be at the table? I think the answer is an absolute YES. What shouldn’t have happened is an altercation between the CEO and his direct report. The key takeaway is that the CFO is an important player in the organization, needs to be at important meetings, and he or she should argue for that right.