Cyber Security White Paper
Cyber Security: A fundamental component of Enterprise Risk Management (ERM)
While cyberattacks have hit virtually every industry, the two industries most impacted by cyber security incursions, breaches and theft of data are financial services and health care. Financial services and the medical world are inexorably connected to the world-wide internet.
In a recent speech, OCC Head Thomas Curry said, “The financial-services industry is one of the more attractive targets of cyberattacks, and unfortunately the threat is growing.” Further, one growing area of concern is the potential for criminals to target smaller banks.
Analysts at the Gartner research group estimate that the health care industry is generally about ten years behind the financial services sector in terms of protecting consumer information.
Basic components of cyber controls framework, and ERM (Risk Management):
- Governance: Companies in all industries need to establish a cybersecurity governance framework, which is a central leg of the ERM infrastructure.
- Cyber Risk Assessment: Through risk assessments, companies understand the specific risks to their organizational infrastructure and operations.
- Technical Controls: The selection of specific controls by any company is dependent on the company’s individual risks.
- Vendor management: At every touch point vendors can introduce cyber threats (e.g., viruses) into a company’s systems and databases.
- Incident Response Planning: The primary objective of an incident response plan is to provide a framework to manage a cybersecurity event in a way that limits the damage, and deals with the legitimate concerns of third parties.
- Staff Training: Without adequate staff training and related awareness, the rest of a company’s cybersecurity program can be easily compromised.
- Cyber Insurance: While almost unknown five years ago, many companies have chosen to obtain cyber risk insurance.
The above has been extracted from a White Paper by Tom Van Lenten, Director, CFO Consulting Partners.
Would You Give Your Accounting Department an A?
Dear Mr. CFO, would you give your accounting department an A?
If you can answer YES to 9 out of 10 items, then you may have an “A” functioning accounting department. The following questions are addressed to the CFO, but can generally be answered by the CEO and many other senior executives.
1. Do you provide answers to requests in two hours?
2. Are you able to close the books in a maximum of 7 days?
3. Do you have written comprehensive policies and procedures for main processes, and are they followed?
4. Do all members of the senior management team have a solid understanding of the key business drivers?
5. Would your CEO and other senior executives consider you to be their partner?
6. Do you have a budget and report monthly variances against it?
7. Are you generally able to complete your tasks and goals on time?
8. Do you have a mentor?
9. Do you report bad news within 2 hours?
10. Are your receivables less than 45 days from the last day of work completion (not from when you send out the invoice)?
CFO Consulting Partners unlocks the full potential of accounting and finance functions in small and midsized public and private companies.
If you would like a confidential, no obligation meeting with one of our partners, please email Allan Tepper at atepper@cfoconsultingpartners or call him at 646-650-2028 X701.
Fin Tech Case Study
CFO Consulting Partners was engaged by a start-up Fin Tech Company to assist in setting up their entire financial infrastructure, including establishing and documenting GAAP and regulatory policies, establishing and documenting internal controls and procedures, and constructing the regulatory reporting process. CFO CP also assisted in the preparation of US GAAP financial statements for a Review and eventual audit by the company’s external audit firm. The Company is a pioneer in its industry and needed the Review report to be included in its application for regulatory approval.
CFO CP assisted in developing the workpapers and supporting documentation for the Review and eventual audit. In particular, CFO CP reviewed the trial balance, general ledger from date of inception to the Review period and all the underlying accounting records for propriety and accuracy/completeness. CFO CP ensured that the information requested by the audit firm was prepared in advance and reviewed by management, that it was accurate, and that it had a well-documented audit trail. CFO CP also prepared the relevant schedules and analyses for some account balances. Since the client is a start-up, CFO CP prepared the financial statements from date of inception to the relevant period end, including detailed footnotes. CFO CP worked closely with the auditors throughout the duration of fieldwork and assisted in resolving Review issues with the auditors.
The auditors completed the Review process and issued their Review report within five business days, and the materials required for regulatory approval were filed on time. As a result of CFO CP’s involvement, the books and records have clear Review trails and the Company has a chart of accounts that is specifically designed for its business. Also, all the significant accounting policies and internal controls were well documented. CFO CP was commended by the Company’s CFO, senior management and the CPA firm for exceptional work.
From time to time, we read about accounting errors in public companies. Often these result in restatements and may even result in a shareholder lawsuit.
- Weak internal controls
- Deficiencies in its management reporting practices
- A lack of a solid understanding of the industry by its board and audit committee
- An over-reliance on Excel worksheets and/or a corporate culture that lives for “quarter to quarter” earnings.
Prepare Now for Revenue Recognition Implementation
In May, 2014, the Financial Accounting Standards Board (FASB) issued Accounting Standards Update (ASU) 2014-09, Revenue from Contracts with Customers, (Topic 606). The Update takes effect essentially in 2017 and establishes a comprehensive revenue recognition standard for almost all of the various industries. Prior to the promulgation of this standard, certain companies followed their industry-specific revenue recognition standards such as software and real estate.
Revenue is an important number to users of financial statements in assessing an entity’s financial performance and position. However, previous revenue recognition requirements in US Generally Accepted Accounting Principles (GAAP) differed from those of International Financial Reporting Standards (IFRS). Hence the FASB is making these amendments to the Accounting Standards Codifications (ASC), and the International Accounting Standards Board (IASB) is issuing IFRS 15, Revenue from Contracts with Customers.
The issuance of these documents completes the joint effort by the FASB and the IASB to meet the objectives of removing inconsistencies and weaknesses in revenue requirements, provide more useful information to users of financial statements through improved disclosure requirements and generally improve financial reporting by creating common revenue recognition guidance for US GAAP and IFRS.
Summary of the New Rules
Under the new rules companies will follow a five-step approach to apply the standard:
Step 1: Identify the contract(s) with the customer. A contract is an agreement between parties that creates enforceable rights and obligations. It can be written, oral, or implied by an entity’s customary business practice. Generally, any agreement that creates enforceable rights and obligations will meet the definition of a contract.
Step 2: Identify the separate performance obligations in the contract. A performance obligation is a promise to transfer a distinct good or service (or a series of distinct goods or services that are substantially the same and have the same pattern of transfer) to a customer. The promise can be explicit, implicit, or implied by an entity’s customary business practice. The objective of identifying distinct performance obligations is to describe the transfer of goods or services to the customer.
Step 3: Determine the transaction price. The transaction price is the amount of consideration that the company expects to be entitled to in exchange for transferring promised goods or services to a customer, excluding amounts collected on behalf of a third party. Determining the transaction price will be more complex if the contract involves variable consideration, a significant financing component, or noncash consideration.
Step 4: Allocate the transaction price to separate performance obligations. The transaction price is allocated to the separate performance obligations in a contract based on the relative standalone selling prices of the goods or services in the contract. The allocation is made at contract inception and not adjusted to reflect subsequent changes in the standalone selling prices of those goods or services. The best source of standalone selling price is the observable price of a good or service when the entity sells that good or service separately.
Step 5: Recognize revenue when (or as) each performance obligation is satisfied. The culmination of the new revenue recognition model is recognizing revenue. A company will recognize revenue when (or as) a good or service is transferred to the customer and the customer obtains control of that good or service. Control of an asset refers to a company’s ability to direct the use of and obtain substantially all of the remaining benefits (that is, the potential cash inflows or savings in outflows) from the asset. Directing use of an asset refers to a customer’s right to deploy that asset, to allow another entity to deploy that asset in its activities, or to restrict another entity from deploying that asset.
- For a public entity, the amendments are effective for annual reporting periods beginning after December 15, 2016, including interim periods within that reporting period. Early application is not permitted.
- For all other entities (non-public entities), the amendments are effective for annual reporting periods beginning after December 15, 2017, and interim periods within annual periods beginning after December 15, 2018. Early application is permitted under certain circumstances.
- An entity should apply these amendments using one of the following two methods:
- Retrospectively to each prior reporting period presented
- Retrospectively with the cumulative effect of initially applying this standard recognized at the date of initial application.
Even though implementation seems far away, it is highly recommended that companies begin to prepare now for implementation.
The new standard will likely affect the measurement, recognition and disclosure of revenue, which is often the most important financial performance indicator. Since an entity’s objective is to generate revenue, it is not surprising that changes to the accounting for revenue could affect multiple business functions. To prepare for implementation companies should:
- adjust or add controls to address increased judgments and estimates in revenue amounts, including documentation and testing of those new controls
- update policies and procedures to conform to the new standard,
- consider internal controls optimization for all revenue-related controls.
It Pays to Do It Right the First Time
By Art Finnel, Head of Life Sciences Practice
Prior to joining CFO Consulting Partners, I held a CFO position with a company that was planning to go public and hired a new accounting firm for the audit. The company had planned for this possibility five years before my arrival. Everything seemed in order. I was going to have great fun, so I thought.
Shortly after joining, we began to prepare for the next audit. During my review, I found that a series of shortcuts had been taken in certain critical accounts during the year. This turned out to be totally unsatisfactory in satisfying a proper audit and preparing for a set of filings with the SEC.
Further, the documentation supporting the entries on the company’s books was very thin and in certain cases non-existent, which then required exhaustive research of the issues and relevant accounting rules. In many instances, an entire redo of the calculations and a determination of the proper entries had to be made. Besides the significant investment of my time and energy to correct the deficiencies, it cost the company dearly to comply with the auditing standards of the new accounting firm.
My takeaway from this experience is pretty simple. Do it right the first time around! Don’t shortcut. Make sure you and your accountants understand the accounting rules. If there is ambiguity, then find the right expertise to provide the necessary advice and support. And finally, Document! Document! Document! By following these simple rules, you should feel confident that your company can present its accounts properly and handle any questions or due diligence that might be undertaken in the future.
Is Your Company Getting Ready for an Exit?
By Allan Tepper, Co-Founder and Managing Director
Since the Great Recession, 2014 may be the best year yet for an exit. This is true for sales of companies as well as IPOs. For private equity transactions, average hold periods are at an all-time high of nearly six years. These companies must be sold at some point. See BB&T Capital Markets video for macro developments over the past decade here.
For IPOs, 2013 proved to be one of the best years for the IPO market since the tech boom of the early 2000s, and PWC reports that 2013 has been the most active IPO environment since 2007. See PWC’s article, “Being Prepared in a Hot IPO Market” for references and additional information here.
In preparing for your exit, we suggest the gathering of both historical and projected numbers. Historical data should include all your key numbers and should present a clear picture of your business. Your forecast data should be driven by the key drivers of your business, and all forecast numbers should be supported by sound assumptions.
Unfortunately, some of the information required in producing historical and forecasted numbers may not be available in your accounting system. We recommend that companies would be wise to develop processes to capture those “non-accounting system numbers” on an ongoing and consistent basis.
CFO Consulting Partners’ pre-audit services help public and private companies produce workpapers and a full set of GAAP financial statements, including footnotes, for review by their independent auditors. Workpapers are cross-referenced and references are made to supporting documentation. For public companies, CFO Consulting Partners offers SEC report preparation services (i.e., 10-Qs and 10-Ks, including MD&As).
Typically in a Pre-Audit engagement we:
- Prepare or assist in preparing a full set of GAAP financial statements, including footnotes, and if applicable, the MD&A section
- Research GAAP and disclosure issues and the application of accounting principles to a company’s facts and circumstances
- For public companies, draft Form 10-Ks, 10-Qs, registration statements and proxy reports
- Provide support related to SEC Comment Letters
- Restate financial statements
- Assist with preparing delinquent SEC filings
- Assure a high level of quality control
Benefits include:
- Potential cost savings due to lower staffing needs or lower outside accounting fees
- More available time for CFO and Controllers to focus on internal company needs
- Provision of accounting research. Many accounting firms do not provide this service to their clients due to independence issues
- Development of accounting analyses, such as goodwill impairment, fair value accounting and IFRS reporting
- Resource to answer SEC and auditor comments
Our firm is a team of senior financial executives. We provide a broad range of financial management services to public and private companies. We work for CEOs, CFOs, Controllers, as well as audit committees and boards.
Our mission is to apply our consultants’ considerable collective experience to resolve client issues in a professional and efficient manner.
Further information is available at: www.cfoconsultingpartners.com.
Compromise for Lease Accounting Overhaul Has Been Rejected by the Leasing Industry Accountants and Analysts
Since 2006, the U.S. Financial Accounting Standards Board and the IASB have been working on a lease accounting overhaul. This effort has been spurred by investor complaints that huge off-balance sheet leases can blur a company’s true financial obligations. On May 16, 2013, the FASB and IASB issued their joint Exposure Draft (“ED”) on lease accounting. Comment letters were due to the FASB/IASB in September 2013. The May 2013 ED would have brought virtually all leases with a tenor of one year or more onto the balance sheets of both lessors and lessees. The SEC estimated that the accounting proposed by this ED would add an average of $1 billion in new assets to the balance sheets of S&P 500 companies.
Reacting to prior criticism about the income and expense recognition patterns in the 2010 ED, the May 2013 ED proposed a complex framework of dual lease classification. Leases would be classified as either Type A or Type B. Under a Type A lease, the amortization would look similar to that of a financial asset, whereas Type B leases, which were created in response to complaints that not all leases are like asset financings, would allow expense recognition on a straight-line basis.
The Boards received 638 comment letters on the May 2013 ED. Based on the mostly critical feedback in these comment letters, the Boards decided to begin re-deliberations of all significant issues in the first quarter 2014. The more significant topics discussed at the meeting are summarized below:
- There are serious concerns about the complexity of the proposal as it relates to numerous issues, including lease classification and subsequent measurement.
- The majority of constituents do not support changing the existing lessor accounting model, expressing a position that the existing lessor model is not fundamentally flawed. Those constituents do not think that consistency between the lessee and lessor accounting models is necessary.
- Many respondents support the concept that lessees should recognize lease assets and liabilities on their balance sheets. However, there are mixed views regarding the income statement and cash flow statement proposals. Some support a single lessee accounting model; others support a dual lessee accounting model.
On January 23, 2014 the FASB and the IASB began their re-deliberations of the proposals included in the May 2013 Leases Exposure Draft. The objective of the meeting was to have an in-depth discussion of the following:
- Lessor accounting model
- Accounting for “Type A” leases by lessors
- Lessee accounting model
- Lessee small-ticket leases.
The Boards did not make any decisions at this meeting.
Implications of the Volcker Rule
Five governmental agencies (the Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, Securities & Exchange Commission, and Commodity Futures Trading Commission) concluded their three-year collaboration by passing the final Volcker Rule on December 10, 2013. It ushered in a ban on proprietary trading for banking entities. The rule is effective April 1, 2014, with a conformance timeline running through July 21, 2015, unless extended.
The ban on proprietary trading will affect the banking entity’s relationship with hedge funds, private equity, and covered funds, in many instances terminating the relationship. A myriad of exemptions apply for all prohibited actions – proprietary trading, hedging, covered funds, etc. The affected firms will have to look closely at the exemptions in order to completely understand the proper actions to take.
The Volcker Rule restrictions on covered funds may impact community banks that invest in Collateralized Debt Obligations (CDOs), Collateralized Mortgage Obligations (CMOs) and/or Collateralized Loan Obligations (CLOs). Trust preferred CDOs issued prior to May 19, 2010 are exempt from the Rule. Aside from that exception, banks which have invested in CDO, CMO and CLO securities will be required to identify their specific hedging risks, and monitor the effectiveness of those hedges as consistent with their policies.
The final Rule exempts Community and Regional banks with less than $10 billion in total consolidated assets from trading restrictions and compliance requirements with respect to trading in U.S. Treasuries, GSE Agencies, Municipals, and FDIC obligations. Even with an exemption or exclusion in every aspect of the Volcker Rule, all banking entities would be wise to review their portfolios, risk policies and procedures and draft a compliance program.
Private Equity Case Study
A private equity firm desired to sell one of its portfolio companies. The company, with sales of $75 million, was a leader in the fashion industry. The incumbent Chief Financial Officer and Controller left at the start of the sale process.
The company could not hire another full-time Chief Financial Officer and Controller as it was actively engaged in the sale process. It needed two people for the short term who could work with its PE owner, the investment banker, the potential buyers, lenders and other stakeholders, and at the same time, continue to produce required financial information and to liaise with its auditors.
The PE firm reached out to CFO Consulting Partners (CFOCP) to provide an Interim CFO who could handle both the CFO and controllership responsibilities, and who could provide financial management leadership to the company during the sale process. One of CFOCP’s members was retained by the company.
During the initial phase of the engagement, the Interim CFO took total charge of the Finance Area. The Interim CFO’s direct areas of responsibility included Accounting & Finance, Information Technology, Human Resources and Legal. He was instrumental in accelerating the closing process by up to two weeks, and he enhanced the HR area by outsourcing a portion of the function. In addition, he was able to recover certain funds by investigating nuances of certain long term contracts and participated in direct negotiations of certain contracts and leases.
During the potential buyers’ due diligence processes, the Interim CFO fielded and directed all due diligence responses. He also played an active role in the Management Presentations. This posed a tremendous challenge as the sale process was not disclosed throughout the Company.
CFOCP, which specializes in providing senior-level financial management services, provided such an experienced CFO from its team. CFOCP supported the Company with various accounting and M&A services. The CFOCP member became an integral member of the management team. The needs of all stakeholders were met, and the sale was successfully completed. Subsequent to the sale, the buyer group retained the CFOCP member to assist with accounting integration, purchase price accounting and a subsequent refinancing. In addition, the CFOCP member provided valuable institutional knowledge to the buyer group.
Basel III Affects Community Banks
The final Basel III rules for US banks were issued by the bank regulators in July, 2013. These rules require all banks to maintain higher capital levels, and generally add complexity to the US regulatory capital framework. All banks will need to strategically manage to the higher capital levels.
Implementation of the new rules for Community and most other banks and bank holding companies begins January 1, 2015. Implementation for “Advanced Approaches” banking organizations, which include all banks and bank holding companies with $250 billion or more in consolidated assets or $10 billion or more of on-balance sheet foreign exposure, begins January 1, 2014. For all banks, there are detailed phase-in requirements in the implementation framework that need to be considered in planning and analyzing Basel III implementation.
The Final Basel III rules a) significantly increase required minimum capital ratios, b) introduce a new common equity ratio, c) create the concept of “capital buffers,” d) narrow what is permitted as capital and e) change the risk based assets calculation. The new common equity ratio is called “Common Equity Tier 1” or “CET1”. The minimum “CET1” ratio for Non-Advanced Approaches banking institutions, which include Community Banks, increases from 4.5% at January 1, 2015 to 7.0% at January 1, 2019. This calculation includes a “capital conservation buffer” which is added to the minimum ratio of CET1 to risk weighted assets of 4.5%, and is phased in from 0.0% in 2015 to 2.5% in 2019, resulting in an effective CET1 to risk weighted asset ratio of at least 7.0% in 2019.
CET1 is defined by reference to 13 criteria, but is essentially common equity with limitations on distributions. Tier 1 Capital is defined by 14 criteria, with the most common qualifying Tier 1 instrument being noncumulative perpetual preferred stock. Tier 2 Capital is defined by reference to 11 criteria, with the principal criteria being subordination to depositors and general creditors, original maturity of at least 5 years, and no credit-sensitive features. There are special rules and some phase outs for Trust Preferred Securities.
Computations for the capital ratio denominator (risk adjusted assets) are equally complex, with special rules for residential mortgages, commercial real estate, corporate exposures, and securitizations.
SEC Case Study #1
A $100 million publicly-held service Company had not filed its SEC reports (10-Ks, 10-Qs) on a timely basis. The CFO’s attention had been focused on non-financial reporting operational matters.
The Company, wishing to bring its reporting current, engaged CFO Consulting Partners LLC to prepare the financial sections of its 10-K, including the MD&A section. Before completing the SEC statement, various reconciliations and other accounting matters needed to be addressed and completed. CFO Consulting Partners accomplished those operational and accounting needs, developed practices to assure such matters could be addressed in a timely manner on an ongoing basis, and prepared the financial statements, footnotes and MD&A section.
All objectives were completed.
SEC Case Study #2
A public-company community bank had aggressively expanded its commercial lending business. The growth in this product line outstripped the Bank’s staffing and internal controls in its credit and accounting areas. Symptoms at the Bank included significant loan losses, errors in its calculation of its Allowance for Loan and Lease Losses (ALLL), and its lack of adequate training and oversight of the credit administration function. When CFO Consulting Partners was engaged, the Bank did not have a Chief Financial Officer.
The Bank’s Board engaged CFO Consulting Partners LLC to provide it with a CFO who was acceptable to the regulator and who could provide the senior-level financial management support needed to mitigate the internal control weaknesses. We found that some of the errors were so significant that reports to the SEC (10-Qs) and reports to bank regulators (Call Reports) were materially inaccurate, and we suggested to the Board that those financial reports be restated.
We restated SEC financial statements, implemented controls and policies and procedures to resolve the internal control weaknesses, reviewed and corrected various analyses, and trained credit department staff in the preparation of the ALLL analysis. We frequently communicated our many reviews and changes to the Board and to Senior Management. Finally, we assisted in the hiring of a permanent CFO, and developed a transition and knowledge transfer plan which we executed during an overlap period with the new CFO.
CFO Consulting Partners LLC is a boutique financial management consulting firm providing accounting and risk management services to CEOs and CFOs of small and midsized public and private companies. For more information, please contact Allan Tepper at 609-309-9307, x701 or visit us on the web at www.cfoconsultingpartners.com
Automation – Do Accounting Departments Need This?
Many of us in accounting prepare monthly and quarterly financial reports. Some are specifically prepared for internal management, some for shareholders, and some for regulators and other stakeholders. These reports, by their very nature, require repetitive processes, many of which are fairly stable from period to period.
The question then for many of us preparers is: Why does it take so long to prepare these reports? Part of the answer may be that there is little time to sit back, think about and then streamline the report preparation process. Pre-automation processes usually consist of capturing all the necessary information, and entering it, sometimes manually, into some spreadsheet application software, such as Excel, to produce an intermediary report, the output of which may then have to be entered into another spreadsheet, and on and on before the final product is complete.
In an automated process, inputs are seamlessly downloaded from sources, such as a trial balance, applicable subledgers and other databases into an input sheet specifically geared to the type of report to be created. The input sheet data is then linked, uploaded or directly connected to a pre-formatted report application program to produce the final report. Audit trails are well maintained. Many times, it is best to have the pre-formatted report application program programmed in a more advanced software language than Excel.
Some of the benefits of automation, which are likely obvious to the readers of this article, include faster report preparation, more time for analysis, better controls and more accurate reporting.
While consulting with and servicing our many clients, CFO Consulting Partners observes and understands the pressures that force finance staffs to go from task to task, constantly putting out fires. However, although initially requiring up-front investment dollars, such investments directed at improvement of process will almost always pay large dividends in the months and years ahead.
I would appreciate your feedback and questions. Please send your feedback and questions to firstname.lastname@example.org.