How to Protect Your Business Against Asset Misappropriation

Key Takeaways:

  • Asset misappropriation involves the theft or misuse of an organization’s physical and digital assets, posing a major threat to businesses.
  • Red flags of asset misappropriation include unexplained shortages, unauthorized transactions, altered records, excessive resource use, and employees living beyond their means.
  • Strategies to combat asset misappropriation include strong internal controls, employee education, surveillance technology, promoting an ethical culture, and data analytics for fraud detection.

~

In the dynamic landscape of modern business, asset misappropriation remains a pervasive threat, undermining the financial stability and integrity of organizations across industries. As part of MGO’s fraud series, this article delves into the critical issue of asset misappropriation — offering your business the knowledge and tools needed to safeguard your valuable assets.

Understanding Asset Misappropriation

Asset misappropriation, a prevalent form of fraud, involves the theft or misuse of an organization’s assets. Unlike financial statement fraud, which distorts the truth on paper, asset misappropriation manifests in the direct pilfering or misuse of physical and digital assets. From cash and inventory to intellectual property and digital data, no resource is immune to this fraudulent activity.

Red Flags of Asset Misappropriation

  • Unexplained shortages or discrepancies: Whether it is cash, inventory, or other assets, unexplained shortages are classic signs of theft or embezzlement. For instance, casinos might notice discrepancies in chips or cash, pointing toward internal theft.
  • Unauthorized transactions: Any unauthorized withdrawals or transfers, especially in sensitive environments like casino accounts or gaming tables, should raise immediate concerns about asset misappropriation.
  • Alteration of records: Manipulating gaming records, player accounts, or payout systems can facilitate theft, often going unnoticed without rigorous audits.
  • Excessive use of company resources: When employees use company vehicles, equipment, or facilities beyond their professional needs, it suggests potential misuse of organizational assets for personal gain.
  • Lifestyle inconsistencies: Employees exhibiting a lifestyle significantly above their income level can be a red flag for embezzlement or fraud, often funded by stolen assets.

Strategies to Combat Asset Misappropriation

To effectively shield your organization from the perils of asset misappropriation, a multifaceted approach is necessary. These strategies are designed to fortify your defenses, helping your business operate with the highest standards of integrity and security. By implementing these measures, you can create a resilient barrier against fraudulent activities and safeguard your organization’s future.

Here are some pivotal strategies to combat asset misappropriation:

  • Establishing robust internal controls is the first line of defense. Professionals with experience enhancing internal controls can assist your organization in assessing and refining its practices — including segregation of duties, regular audits, and securing access to sensitive areas and systems. This approach establishes a solid foundation for preventing asset misappropriation.
  • Educating employees about the signs of fraud and the importance of ethical behavior is essential to deter potential fraudsters and empower your staff to report suspicious activities. Training programs, which can be supported by advisory firms, effectively communicate the risks of fraud and the importance of vigilance, helping to build a knowledgeable and proactive workforce.
  • Utilizing technology like surveillance cameras, advanced access controls, and cybersecurity measures can significantly reduce the risk of asset theft or misuse. Cybersecurity and physical security professionals can integrate cutting-edge solutions to protect your assets from both internal and external threats, providing a comprehensive defense strategy.
  • Promoting a corporate culture that values honesty and transparency can discourage fraudulent behavior. Developing policies and practices that foster open communication and a strong ethical foundation is crucial. Establishing a whistleblowing policy that encourages reporting without fear of retaliation can be an integral part of this effort.
  • Deploying data analytics and fraud detection software to monitor for unusual patterns or anomalies that can indicate asset misappropriation. Advanced data analytics and forensic accounting services can identify and investigate suspicious activity, using sophisticated tools to detect early signs of fraud and prevent asset loss.
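Rule-based screening of the kind the last bullet describes, written here as an added example (it is not part of the original article and not an MGO tool): a few constructed journal lines are run through four checks that map to the red flags above, an approver who is not on the approval matrix, an off-hours posting, a duplicate invoice, and amounts sitting just under a single-signature limit. The approver list, the limit, the business-hours window and the sample rows are all assumptions made for the illustration.

```python
"""Rule-based screening of a general-ledger extract for asset-misappropriation red flags.

This is an added example and not MGO's tooling or any real client data: the
approval matrix, the thresholds and the sample journal lines below are all
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample journal lines, as an AP system might export them:
# (entry id, posting timestamp, vendor, invoice number, amount, approver).
SAMPLE_LEDGER = [
    ("J1", "2024-03-04T10:12:00", "Acme Supply",     "INV-1001", 4800.00, "cfo"),
    ("J2", "2024-03-04T10:15:00", "Acme Supply",     "INV-1001", 4800.00, "cfo"),        # same invoice paid twice
    ("J3", "2024-03-05T02:41:00", "Delta Freight",   "INV-2207", 1250.00, "ap_clerk"),   # 02:41 posting, clerk approved own entry
    ("J4", "2024-03-06T14:03:00", "Nova Consulting", "INV-3310", 9990.00, "controller"), # just under the single-signature limit
    ("J5", "2024-03-06T14:05:00", "Nova Consulting", "INV-3311", 9995.00, "controller"), # ...and again two minutes later
    ("J6", "2024-03-07T09:30:00", "Acme Supply",     "INV-1002",  300.00, "controller"),
]

# Assumed control parameters; a real run would load these from the approval matrix.
AUTHORIZED_APPROVERS = {"cfo", "controller"}
APPROVAL_LIMIT = 10_000.00      # amounts at or above this need a second signature
NEAR_LIMIT_BAND = 0.05          # flag amounts within 5% below the limit (possible splitting)
BUSINESS_HOURS = (7, 19)        # postings outside 07:00-19:00 local time are unusual


def screen_ledger(rows, approvers=AUTHORIZED_APPROVERS, limit=APPROVAL_LIMIT,
                  band=NEAR_LIMIT_BAND, hours=BUSINESS_HOURS):
    """Return a list of findings; each is a dict with entry, rule and detail."""
    findings = []
    seen = defaultdict(list)            # (vendor, invoice, amount) -> entry ids already seen
    near_limit_floor = limit * (1 - band)

    for entry, posted_at, vendor, invoice, amount, approver in rows:
        ts = datetime.fromisoformat(posted_at)

        # Unauthorized transaction: approver is not on the approval matrix.
        if approver not in approvers:
            findings.append({"entry": entry, "rule": "unauthorized_approver",
                             "detail": f"{approver!r} is not an authorized approver"})

        # Off-hours activity: a common marker of someone working around oversight.
        if not (hours[0] <= ts.hour < hours[1]):
            findings.append({"entry": entry, "rule": "after_hours_posting",
                             "detail": f"posted at {ts:%H:%M}"})

        # Duplicate payment: same vendor, invoice and amount already paid.
        key = (vendor, invoice, amount)
        if seen[key]:
            findings.append({"entry": entry, "rule": "duplicate_invoice",
                             "detail": f"repeats {', '.join(seen[key])}"})
        seen[key].append(entry)

        # Structuring: amount sits just below the limit, avoiding a second signature.
        if near_limit_floor <= amount < limit:
            findings.append({"entry": entry, "rule": "near_approval_limit",
                             "detail": f"{amount:,.2f} is within {band:.0%} of the {limit:,.2f} limit"})

    return findings


def flagged_entries(findings):
    """Entry ids that triggered at least one rule, for a quick triage list."""
    return sorted({f["entry"] for f in findings})


if __name__ == "__main__":
    for f in screen_ledger(SAMPLE_LEDGER):
        print(f"{f['entry']}: {f['rule']} ({f['detail']})")
```

Each finding carries the rule that fired and the evidence, so an investigator can go straight to the underlying entry; the rules are deliberately simple thresholds because the value of this kind of monitoring comes from running it continuously over the full ledger rather than from clever statistics. Tune the approver list and limits to your own approval matrix before relying on the results.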

Safeguarding Your Assets Against Pervasive Threats

Asset misappropriation poses a significant risk to businesses, draining resources and eroding stakeholder trust. By understanding the red flags and implementing a comprehensive strategy to detect and prevent asset misappropriation, your organization can protect its assets and maintain its financial integrity.

MGO’s Business Advisory solutions offer a pathway to strengthen your defenses against the risks of asset misappropriation. For a deeper dive into how we can help protect your business, reach out to our team today.

This article is part of our ongoing fraud series, “Alert Signals: Uncovering the Spectrum of Fraud,” aimed at educating your business on identifying and preventing fraudulent activities. Read the previous article in the series on spotting red flags of financial reporting fraud and stay tuned for more insights and strategies to protect your organization.

How Your Government Internal Audit Team Can Prepare to Meet New Global Standards

Key Takeaways:

  • The Institute of Internal Auditors (IIA) has issued new Global Internal Audit Standards that will take effect in January 2025.
  • The new Standards introduce 15 guiding principles across five domains, while Topical Requirements provide another new element for internal auditors to be aware of for specific audit areas like cybersecurity.
  • Public sector organizations aligning with Red Book standards will need to evaluate and realign their internal auditing practices to comply with these changes and should consider engaging experienced advisors to assist with the transition.

~

The auditing landscape is evolving, and a significant shift is on the horizon with the new Global Internal Audit Standards set to take effect in January 2025. Issued by The Institute of Internal Auditors (IIA), these comprehensive updates aim to align internal audit with an evolving risk landscape and improve the consistency and quality of audit services across industries and sectors.

What does this evolution mean for your public sector internal auditing function? It’s an opportunity to elevate your practices, establish consistency with a global professional framework, and ultimately, deliver more valuable insights to your organization. However, it also presents a significant challenge — one that will require a strategic and proactive approach to achieve full compliance by the 2025 implementation deadline.

Navigating New Internal Auditing Standards

At the core of the Standards are 15 guiding principles aimed at enabling effective internal auditing across organizations of all sizes and sectors.

These principles are organized into five domains — which also include mandatory practices for internal auditing, considerations for implementation, and examples of ways to demonstrate the requirements have been implemented.

Here is a brief summary of each of the five domains:

  1. Purpose and positioning: Emphasizes the importance of establishing your internal audit function’s role, mandate, and degree of organizational independence.
  2. Operating with proficiency: You must possess the necessary knowledge, skills, and competencies to deliver reliable assurance and advisory services effectively.
  3. Planning and performing engagements: Outlines requirements for risk-based planning, effective execution of audit engagements, and quality assurance mechanisms.
  4. Communicating results: You must communicate your findings clearly, concisely, and promptly to relevant stakeholders, fostering transparency and action.
  5. Monitoring and improving: Continuous improvement is key; your internal audit function must monitor performance and implement measures to enhance its value proposition.

The IIA has also introduced a new component called “Topical Requirements,” which are a set of specific methodologies your internal audit team must apply when assessing the effectiveness of governance, risk management, and controls on a particular area. Designed to provide structure and consistency for common, higher risk topics, Topical Requirements help to define the potential scope of an internal audit engagement.

The first Topical Requirement, focused on cybersecurity audits, is already under development, with a draft open for public comments until July 3, 2024. This initial release offers a glimpse into what’s to come as the IIA rolls out additional Topical Requirements over the coming years, covering other specific areas that may be critical to your public sector operations.

Applying the Standards in the Public Sector Environment

Noting that internal auditors in the public sector may work in environments that differ from those in the private sector, the Standards contain a section titled “Applying the Global Internal Audit Standards in the Public Sector”. This section describes strategies for conforming to the Standards in conditions unique to your work in the public sector.

Public-sector specific information includes:

  • Situations in which laws or regulations may affect the ability of internal audit functions to conform with the Standards
  • Examples of governance and organizational structures in which internal audit functions may need to adjust the application of some standards
  • Public sector conditions that may limit the way chief audit executives may spend allocated funds

Preparing Your Team for the Auditing Transition

Compliance with the new Global Internal Audit Standards will require a review and update of your current policies, procedures, and practices. Here’s a high-level overview of the steps your team should consider:

  • Conduct a thorough gap analysis by mapping your existing internal audit methodologies against the new Standards and Topical Requirements. As a result, identify areas requiring enhancement or development.
  • Develop an implementation roadmap to address identified gaps including revisions to audit policies, procedures, and templates, as well as training plans for your team.
  • Establish mechanisms for continuous monitoring and improvement, keeping your internal audit function compliant with evolving Standards and Topical Requirements.
  • Collaborate with executive management and the audit committee to secure necessary resources and support for this transformation journey.

While this process may seem daunting, it presents a valuable opportunity to enhance your internal audit function and align with global best practices. If this process seems overly complex or — like many in the public sector — your team is facing persistent staffing shortages, engaging experienced advisors well-versed in the new Standards and public sector auditing can be a strategic investment.

An advisory firm with dedicated government and internal audit practices can offer valuable support during your transition to the new Standards by providing:

  • Gap assessments and tailored roadmaps for Standards implementation
  • Policy and procedure revisions, aligning with the new requirements
  • Training and knowledge transfer to upskill your internal audit team
  • Quality assurance reviews to validate your adherence to the updated Standards
  • Strategic guidance on enhancing your internal audit function’s efficiency and effectiveness

Charting Your Course: Next Steps for Standards Compliance

While the journey ahead may seem challenging, embracing change is crucial to staying relevant and delivering impactful insights. As the January 2025 implementation date approaches, now is the time to assess your readiness and develop a comprehensive strategy for compliance with the new Global Internal Audit Standards.

How MGO Can Help

With extensive experience in public sector auditing and a dedicated State and Local Government team, our knowledgeable advisors can guide you through this transition — enhancing the capabilities of your internal audit function and minimizing disruptions to your organization. Reach out to our team today to discuss how we can help you.

Are You Ready to Take Advantage of Rescheduling?

Key Takeaways:

  • The potential rescheduling of cannabis presents an opportunity to reevaluate your company’s tax structure and increase deductions, reduce income, and simplify accounting.
  • Rescheduling may open up access to previously unavailable tax credits, incentives, and deductions at various government levels.
  • With anticipated increased investment and cash flow after rescheduling, companies should prepare for potential mergers and acquisitions by seeking support in areas like financial due diligence and post-acquisition planning.

~

If finalized, the rescheduling of cannabis from Schedule I to Schedule III will unlock new opportunities for cannabis businesses. Is your company positioned to capitalize?

Tax Restructuring

If your existing operating structure was optimized for Section 280E mitigation, now is the time to evaluate whether it will still be tax-efficient after rescheduling.

MGO’s dedicated cannabis tax team can analyze your current structure and identify opportunities to increase deductions, reduce income, simplify accounting, and eliminate unnecessary tax exposures. We will help you develop a strategy specific to your business needs that aligns with your operational goals and any regulatory considerations.

Tax Credits, Incentives, and Deductions

Rescheduling should open cannabis operators to a world of previously unavailable tax benefits.

Our tax professionals can comprehensively review your business operations to uncover tax credits, incentives, and deductions that you may qualify for at the federal, state, and local levels.

Financial and Internal Control Audits

While rescheduling will eliminate the Section 280E tax burden and attract new investors to the cannabis industry, it could also lead to a new regulatory framework.

Our audit services can provide assurance to investors that your company is effectively managing risks, complying with any regulatory changes, and maintaining transparency.

Mergers and Acquisitions (M&A)

The projected wave of investment and increased cash flow resulting from rescheduling means more M&A should be on the horizon.

If your company is considering an M&A deal (either as a buyer or seller), MGO can support your efforts with structuring, financial & tax due diligence, Quality of Earnings (QoE) assessments, accounting integration, strategic guidance, and post-acquisition planning.


With a dedicated cannabis team and a comprehensive line of services, MGO can help you take full advantage of the benefits made available by rescheduling. Reach out to our team today.

Internal Controls: Keys to Limiting Fraud and Boosting Your Company Value

Executive Summary:

  • Internal controls, especially around fraud prevention, are essential for limiting losses, driving efficiency, improving accountability, and boosting company value during investments or M&A deals.
  • The “tone at the top” from leadership in fostering an ethical environment, along with proper segregation of duties, are key elements for fraud prevention and strong internal controls.
  • Well-established policies and procedures, like Delegation of Authority rules and restricted system access protocols, are also vital for maintaining adequate controls to enable company growth.

~

As the economy stands on shaky legs, private equity and venture capital firms are necessarily careful and strategic when assessing potential investment opportunities. Whether your long-term plan includes acquiring another company, selling your business, or seeking new capital, strengthening your internal control environment — with a focus on preventing fraud — is a powerful way to increase actual and perceived value.

In the following, we will lay out the reasons why fraud prevention is an essential element to proper corporate governance and illustrate key areas to examine whether your internal control environment is built to help your operation succeed.

The Importance of Internal Controls in Fraud Prevention

A robust internal control system is the first step toward managing, mitigating, and uncovering fraud. A strong internal control environment will:

Protect your company’s assets by reducing the risk of theft or misappropriation of cash, inventory, equipment, and intellectual property.

Detect fraudulent activities or irregularities early on and deter employees from attempting fraud in the first place.

Provide cost savings by limiting opportunities for financial losses, costly investigations, and legal expenses associated with fraud.

Drive operational efficiency by providing clear processes and guidelines that reduce the risk of errors or inefficiencies in day-to-day operations.

Improve employee accountability by implementing checks and balances that discourage unethical behavior.

When seeking an investment or undertaking a significant M&A deal, you should have a firm grasp of the strength and quality of your internal control environment. Not only will you reduce the risk of fraud in the near term, but you will also cultivate confidence with potential investors and M&A partners.

Fraud Prevention Starts with the “Tone at the Top”

The first key element to look for in measuring the strength of your internal controls is ensuring a clear and proactive “tone at the top”, meaning an ethical environment fostered by the board of directors, audit committee, and senior management. A good tone at the top encourages positive behavior and helps prevent fraud and other unethical practices.

There are four elements to fraud: pressure, rationalization, opportunity, and capability.

Pressure motivates the crime. It can be triggered by debt, greed, or the need to hide earlier misconduct. Rationalization lets the individual justify the act: people with financial problems who commit financial crimes tend to convince themselves they are entitled to the money because they are underpaid, or that they are only “borrowing” it and fully intend to pay it back.

Opportunity is the gap in controls: someone who can commit fraud and believes they will get away with it may simply do it. Capability means the individual has the position, expertise, and confidence to exploit that opportunity and, where needed, to coerce others into going along. The board of directors is responsible for selecting and monitoring executive management to ensure best practices are in place to limit all four elements.

Proper Segregation of Duties for Internal Controls

The second key element to look for in your internal controls is a well-established segregation of duties. The idea is to divide each process so that no single person holds both the access and the authority that would give them the opportunity to commit fraud and conceal it. Companies must make it extremely difficult for any one employee to perpetrate a crime and subsequently cover it up.

Fraud Controls

There are three types of controls that help manage the risks of fraud: preventative, detective, and corrective.

  • Preventative controls seek to avoid undesirable events, errors, and other occurrences that an enterprise has determined could have a negative material effect on a process or end product. Preventative controls are the strongest of the three because they are the first line of defense: if designed correctly, they stop an undesirable event from happening at all.
  • Detective controls exist to detect and report when errors, omissions, and unauthorized uses or entries have already occurred. Identifying these adverse events is important, but you are doing so after the fraud has already been committed.
  • Corrective controls are designed to remedy errors, omissions, and unauthorized uses or intrusions once they are detected, for example by reversing an entry, recovering funds, or revoking access. (Compensating controls are a related but distinct idea: alternative controls put in place where a primary control, such as full segregation of duties in a small team, is not feasible.)

Preventing Misappropriation of Assets

An important component of segregation of duties is to prevent the misappropriation of assets and reduce fraud risk. Below are some examples of best practices for various types of assets:

  • Cash Receipt: segregate the receipt of cash/checks and the recording of the journal entry in the accounting system into two roles.
  • Accounts Receivable: segregate the responsibilities of recording cash received from customers and providing credit memos to customers. (If one person performs both functions, it creates the opportunity to divert payments from the customer to the employee and then cover the theft with a matching credit to the customer’s account).
  • Cash Reconciliation: the individuals who authorize, process, or record cash should not perform the bank reconciliation to the general ledger.
  • Inventory: individuals who order goods from the suppliers should not have the ability to log the goods received in the accounting system.
  • Payroll: segregate the responsibilities of compiling gross and net pay for payroll, with the responsibilities of verifying the calculation. (If a single individual performs both functions, it allows for the opportunity to increase personal compensation and the compensation of others without authorization. It also provides an opportunity to create a fictitious payee and make corresponding payroll checks).
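The five practices above can be enforced mechanically once roles are mapped to the permissions they carry. The following is an added example, not MGO's tooling and not the article's own material: a small segregation-of-duties checker that reads role assignments (as an ERP or identity provider might export them), reports every user whose combined permissions contain a toxic pair, and can also be asked whether a proposed new role grant would create one before access is provisioned. The role catalogue, the permission names such as "cash.receive", the conflict matrix and the user list are all constructed for the illustration.

```python
"""Segregation-of-duties (SoD) check over role assignments.

This is an added example, not MGO's tooling: the role catalogue, the conflict
matrix and the user list are constructed to mirror the five practices above.
Permission names such as "cash.receive" are assumed labels, not a real product's.
"""

# Which fine-grained permissions each role carries (assumed role catalogue).
ROLE_PERMISSIONS = {
    "cashier":          {"cash.receive"},
    "gl_accountant":    {"cash.record_journal"},
    "ar_specialist":    {"ar.record_receipt", "ar.issue_credit_memo"},  # badly designed role
    "treasury":         {"cash.authorize", "cash.process"},
    "reconciler":       {"bank.reconcile"},
    "purchasing":       {"inventory.order"},
    "receiving":        {"inventory.log_receipt"},
    "payroll_preparer": {"payroll.compute"},
    "payroll_reviewer": {"payroll.verify"},
}

# Toxic combinations: one person holding both sides can commit a theft and hide it.
CONFLICTS = [
    ("cash.receive",        "cash.record_journal",   "cash receipt: receive cash and book the journal entry"),
    ("ar.record_receipt",   "ar.issue_credit_memo",  "A/R: record customer cash and issue credit memos"),
    ("cash.authorize",      "bank.reconcile",        "cash: authorize cash and perform the bank reconciliation"),
    ("cash.process",        "bank.reconcile",        "cash: process cash and perform the bank reconciliation"),
    ("cash.record_journal", "bank.reconcile",        "cash: record cash and perform the bank reconciliation"),
    ("inventory.order",     "inventory.log_receipt", "inventory: order goods and log their receipt"),
    ("payroll.compute",     "payroll.verify",        "payroll: compute pay and verify the calculation"),
]

# Constructed user-to-role assignments, e.g. an export from the ERP or IdP.
USER_ROLES = {
    "alice": {"cashier"},
    "bob":   {"cashier", "gl_accountant"},          # two roles that combine into a conflict
    "carol": {"ar_specialist"},                     # one role that is toxic on its own
    "dave":  {"treasury", "reconciler"},
    "erin":  {"purchasing"},
    "frank": {"payroll_preparer", "payroll_reviewer"},
}


def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions carried by a set of roles."""
    perms = set()
    for role in roles:
        perms |= role_permissions.get(role, set())
    return perms


def conflicts_in(perms, conflicts=CONFLICTS):
    """Descriptions of every toxic pair fully contained in a permission set."""
    return [desc for a, b, desc in conflicts if a in perms and b in perms]


def find_sod_violations(user_roles, role_permissions=ROLE_PERMISSIONS, conflicts=CONFLICTS):
    """Detective control: map each user to the SoD conflicts their current roles create."""
    violations = {}
    for user, roles in user_roles.items():
        hits = conflicts_in(effective_permissions(roles, role_permissions), conflicts)
        if hits:
            violations[user] = hits
    return violations


def check_grant(user_roles, user, new_role, role_permissions=ROLE_PERMISSIONS, conflicts=CONFLICTS):
    """Preventive control: conflicts that granting `new_role` to `user` would introduce.

    Run this before provisioning; an empty list means the grant is SoD-clean.
    """
    current = user_roles.get(user, set())
    before = conflicts_in(effective_permissions(current, role_permissions), conflicts)
    after = conflicts_in(effective_permissions(current | {new_role}, role_permissions), conflicts)
    return [desc for desc in after if desc not in before]


if __name__ == "__main__":
    for user, hits in sorted(find_sod_violations(USER_ROLES).items()):
        print(user)
        for h in hits:
            print("  -", h)
    print("erin + receiving:", check_grant(USER_ROLES, "erin", "receiving"))
```

Two things the output makes visible that a role list alone does not: a conflict can arise from a single role (carol's "ar_specialist" carries both sides of the A/R pair, so the role catalogue itself needs splitting), and it can arise only from the combination of roles (bob is clean in either role alone). Running `check_grant` in the provisioning workflow turns the same matrix into a preventative control, which is where the first line of defense discussed above belongs.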

The Importance of Policies and Procedures

The third key element to look for in your investees is well-established policies and procedures. Make sure that any company you consider acquiring has basic policies and procedures in place, such as Delegation of Authority (DOA).

The DOA is a policy where the executive team delegates authority to the management of the company. Individuals should be considered appropriate to fulfill delegated roles and responsibilities. The DOA should be reviewed at least annually. Subsequently, it is important to ensure that the DOA is being followed, and that approvals do not deviate from it. Any such anomalies should be rare and, when they do occur, they need to be reviewed and approved. Constant deviations from the DOA may be a sign that the DOA needs to be restructured.

A second essential policy and procedure is restricted computer and application access, which protects sensitive company financials and proprietary data. The company should have a robust control environment and maintain system logins and application access on a need-to-know, least-privilege basis. Access should be granted only with the approval of the owner of the application or system, provisioned and logged by the administrator, and reviewed periodically so that rights are removed when roles change or employees leave. Now more than ever, companies are hiring remote employees; this shift in the dynamic workspace further emphasizes the need for a quality IT controls environment.

How We Can Help

As you prepare your company for future growth, getting an impartial third-party opinion on your internal control environment can be a powerful tool for finding gaps and inefficiencies, and implementing value-added changes.

Our dedicated Public Company teams offer a deep level of industry experience and technical skills. We can help prepare your company for a major capital raise, including going public via an IPO or RTO. Or we can help optimize value for an M&A deal, whether you are buying or selling. Contact us today to access an external, holistic vision focused on helping you grow and succeed.

Defense Wins Championships – Why Your Government Needs Internal Auditing on Its Team

Executive Summary:

  • State and local governments need defensive strategies to protect against risks like fraud, financial loss, and reputational damage, and checks to ensure those strategies are working.
  • The Three Lines Model executes three levels of protection designed to prevent risks from disrupting your operations and causing damage or loss.
  • As the third-line defense, internal auditing analyzes the entire field to identify potential weaknesses and ensure your defensive strategies are effective at averting risks.

~

At the start of the football season, sports analysts spend a lot of time talking about who will be the player to lead their team to a championship. Yet, as we learn year after year, championships are not won by a single player. It is a collective effort, based on an assembly of individuals pooling their talents together in pursuit of a common goal.

In sports, the common goal is a championship. In business, the goal is to generate profit by establishing customer loyalty for your products or services. In government, the goal is to make our communities ideal places to live, work, and play. To win in all these instances, you need a strong team with contributions from every player.

Football fans often hear the refrain, “offense wins games, but defense wins championships.” Government teams looking to achieve their goals should not overlook the necessity of a robust defense — with internal auditing giving you the upper hand over your opponent.

What is Internal Auditing?

According to The Institute of Internal Auditors (IIA), internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. Internal auditing provides a systematic approach to evaluating and improving the effectiveness of governance, risk management, and controls processes.

To simplify: Your organization has goals (objectives). However, obstacles (risks) may exist that keep your organization from reaching its goals. You should develop strategies (internal controls) to prevent those obstacles from occurring, and continuously check to make sure your strategies are working properly (monitoring). To avoid confirmation bias — where you only seek and accept information that supports your goals — you should seek validation from an objective entity (internal audit) to evaluate if your strategies truly position your organization to succeed.

To accomplish all this, you need a coalition of talented individuals that can identify risks, strategize against them, prevent or detect risk infiltration, and consistently monitor emerging risks to provide guidance on how to stay ahead of the curve. In football terms, you need a strong defensive line!

Three Lines of Defense 

Let’s say that risk is the offensive team. Its goal is to get into your organization’s end zone to disrupt operations. The quarterback could be a hacker, fraudster, or unintentional human error. The offensive team also has other formidable players: fraud risks, cyber-attack risks, liquidity risks, etc.

Organizations need a more skilled, agile, and experienced defensive team to counteract the activity of the risk offense. Enter IIA’s Three Lines Model. This defensive strategy executes three levels of protection designed to keep risk from causing extreme financial or other damage.

The Three Lines Model defines defensive roles and responsibilities as follows:

  • First Line of Defense – develops strategies to address risks
  • Second Line of Defense – monitors strategies
  • Third Line of Defense – provides assurance that strategies are truly effective at mitigating risks

Let’s look at the organizational playbook to understand the goals of the offensive and defensive teams and the Three Lines defensive strategy.

Understanding the Offensive Opponent

Organizations are trying to prevent risks from disrupting operations and causing financial and/or other damages. If the risk team scores in your end zone, that means they have exposed a weakness in your organization. Depending on the weakness, it could cost you a little (inefficient operations) or it could cost you a lot (major cyberbreach with financial and reputational damages) … but it will cost you!

Defining Each Line of Defense

First Line of Defense: Management, Staff, and Internal Controls

The first line of defense consists of the organizational staff associated with daily operations, delivery of goods and services, and identifying and addressing risks. For example, to minimize the risk of hacking via password breaches, this line would create a password policy and accompanying procedure, set up systems requirements accordingly, and follow the policy and procedures in daily operations.

Second Line of Defense: Risk Management and Compliance Functions

The second line of defense consists of the organizational staff that monitor your organization’s adherence to its own policies and procedures and other required guidance (e.g., regulations, laws, etc.). For example, to ensure that your organization is following its policies and procedures for minimizing hacking via password breaches, this line would periodically analyze data to ensure compliance with internal guidance, industry best practices, etc.

Third Line of Defense: Internal Audit

The third line of defense consists of internal audit professionals with knowledge in various industries. Internal audit conducts real-time assessments and communicates any weaknesses in the first two lines. Using the prevention of hacking example from above, in addition to assessing password protocols and practice, internal audit may identify that your organization has improper access controls that increase the risk of hackers infiltrating your organization’s systems. Internal audit would provide recommendations for improvement and express urgency for corrective action.

Defensive Benefits of Internal Auditing

Internal audit is not an adversary, it is part of your team. Internal audit collaborates with your management and staff, in real time, to understand your organizational goals, concerns, strengths, and weaknesses. Where external audit provides your management with an analysis of a snapshot in time, internal audit continuously and systematically provides value-added feedback to your management and your board and/or audit committee.

Internal audit assists with ensuring your organizational playbook(s) remain relevant. As the third or last line of defense, it analyzes the entire field (the organization) to make sure your defensive strategies (internal controls) are effective at averting risks from scoring (causing financial, operational, reputational, etc., losses).

Part of the analyses conducted by internal audit include (but are not limited to):

  • Conducting risk assessments to identify the likelihood and potential impact of risks to assist the organization in focusing resources on prioritized areas for improvement.
  • Assessing your information technology and cybersecurity environments to identify and advise on protecting organizational data, improving IT infrastructure, preparing disaster recovery strategies, etc.
  • Assisting in preparing for external audits by assessing if the organization’s financial statements are accurate, complete, compliant with regulations, and free from material misstatement. 
  • Conducting performance assessments to identify areas for efficiency and effectiveness improvements.

Internal audit strengthens your organization’s improvement efforts by bringing reinforcements to your already stellar team. The internal audit group delivers additional resource capacity, skills, and perspectives — including extensive knowledge about various industry standards as internal audit professionals are required to maintain continuing education in their specific areas of focus.

How MGO Can Strengthen Your Team’s Defense

MGO has a defensive line that is ready and motivated to support your organization. Stacked with professionals experienced in areas like state and local government, fraud, audit and assurance, government audit, and cybersecurity, our team is diverse in thought, knowledge, and culture — and we bring those perspectives to the field for you. Contact us today to learn how our internal auditing solutions can boost your organization’s defense.

SEC Adopts Rules on Cybersecurity Risk Management

Executive Summary

  • The Securities and Exchange Commission (SEC) is promoting the enhancement and standardization of registrants’ disclosures related to cybersecurity risk management, strategy, and governance by adopting a rule that requires public companies to disclose “material” cybersecurity incidents within four business days of determining that the incident is material.
  • The SEC wants to know: the processes the companies use to assess, identify, and manage cybersecurity risks, as well as the board’s oversight of such risks and management’s role in assessing and managing those risks.
  • The rules apply to nearly all registrants that file periodic reports with the SEC (including foreign private issuers and smaller reporting companies).
  • Registrants must also include their risk management, strategy, and governance disclosures in their annual reports for fiscal years ending on or after December 15, 2023.

The SEC wants public companies to be more transparent with their investors about cybersecurity. On July 26, 2023, it voted 3-2 to adopt new disclosure rules to promote clarity surrounding “material” incidents and what is being done to combat them. Registrants must file that disclosure on Form 8-K within four business days of determining that a cybersecurity incident is material.
However, a delay may be permitted if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.

Defining “material” disclosures

According to the U.S. Supreme Court, a piece of information is material to investors when its disclosure “would be viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.”

Why is the SEC implementing this rule change?

The SEC seeks to protect companies and investors as cybersecurity incidents have increased in number and sophistication in recent years. In their fact sheet they note: “Cybersecurity risks have increased alongside the digitalization of registrants’ operations, the growth of remote work, the ability of criminals to monetize cybersecurity incidents, the use of digital payments, and the increasing reliance on third party service providers for information technology services, including cloud computing technology (…) All of these trends underscored the need for improved disclosure.”

But corporations are contesting the rules, arguing this short announcement period is unreasonable — and could reveal vulnerabilities that could be exploited by more cybercriminals looking to take advantage of a company mid-breach.

What are the requirements for risk management, strategy, and governance disclosures?

There are two separate disclosures. First, a material cybersecurity incident must be reported on Form 8-K within four business days of the materiality determination, describing the material aspects of the incident’s nature, scope, and timing and its material impact (or reasonably likely material impact) on the company. Second, the annual report (Form 10-K, or Form 20-F for foreign private issuers) must describe the company’s processes for assessing, identifying, and managing material cybersecurity risks, the board’s oversight of those risks, and management’s role and relevant expertise in assessing and managing them.

How will the SEC cybersecurity rules affect you?

The SEC has observed that previous cybersecurity announcements have been inconsistent and inadequate.

Many public companies already have plans in place to share sensitive information about their cyber incidents with federal agencies such as the FBI. In 2022, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which directs the Cybersecurity and Infrastructure Security Agency (CISA) to issue rules requiring covered critical infrastructure entities to report covered cyber incidents to CISA within 72 hours. This reporting duplication could prove confusing and time-consuming.

Ultimately, all public companies need robust internal controls and reporting systems to maintain compliance with the SEC requirements. This assumes issuers already have top-tier cybersecurity technology and processes in place. If not, they’ll need to build these functions out to minimize subsequent fallout from investors and regulators when these inadequacies are made public in their reporting.

The SEC strives to protect investors, which isn’t a bad thing. However, the enforcement of these new rules may not be the most logical option to do so.

Ultimately, the question may not necessarily be how many days you should take to disclose your breach but who should actually be regulating cybersecurity, and who has the authority to call the shots. Cybersecurity is no longer a “nice to have” function in an organization.

How we can help

It’s important to stay vigilant to protect your organization from risk and maintain compliance. Our Technology and Cybersecurity Practice can help verify you are compliant and strengthen your overall cybersecurity, so these incidents are less likely to occur. And, if they do, you’ll be ready to mitigate risks sooner, and make progress toward compliance with the SEC’s new rules.

If you are ready to assess your cybersecurity posture, or you have questions about how the SEC’s new requirements could affect you, schedule a conversation with our Technology and Cybersecurity team today.

The Real Oversight is NOT Having an Audit Committee

By Jim Godsey, CPA, CGMA, Partner, MGO

Everything changes, except when it doesn’t

Time and time again we’ve seen reactions to various accounting scandals, after which new policies, procedures, and legislation are created and implemented. An example of this is the Sarbanes-Oxley Act (SOX) of 2002, which was a direct result of the accounting scandals at Enron, WorldCom, Global Crossing, Tyco, and Arthur Andersen.

SOX was established to provide additional auditing and financial regulations for publicly held companies to address the failures in corporate governance. Primarily it sets forth a requirement that the governing board, through the use of an audit committee, fulfill its corporate governance and oversight responsibilities for financial reporting by implementing a system that includes internal controls, risk management, and internal and external audit functions.

Governments experience challenges and oversight responsibility similar to those encountered by corporate America. Governance risks can be mitigated by applying the provisions of SOX to the public sector.

Some states and local governments have adopted similar requirements to SOX but, unfortunately, in many cases only after cataclysmic events have already taken place. In California, we only need to look back at the bankruptcy of Orange County and the securities fraud investigation surrounding the City of San Diego as examples of audit committees that were established in response to a breakdown in governance.

Taking your audit committee on the right mission

Governments typically establish audit committees for a number of reasons, which include addressing the risk of fraud, improving audit capabilities, strengthening internal controls, and using it as a tool that increases accountability and transparency. As a result, the mission of the audit committee often includes responsibility for:

  • Oversight of the external audit.
  • Oversight of the internal audit function.
  • Oversight for internal controls and risk management.

Chart(er) your course

Most successful audit committees are created by a formal mandate by the governing board and, in some cases, a voter-approved charter. Mandates establish the mission of the committee and define the responsibilities and activities that the audit committee is expected to accomplish. A wide variety of items can be included in the mandate.

Creating the governing board’s resolution is the first step on the road to your audit committee’s success.

Follow the leader(ship)

In practice, audit committee composition takes a range of forms: the full governing board acting as the audit committee, committees with one or more independent outsiders appointed by the board, committees that include members of management, and combinations of all of the above. While there are advantages and disadvantages to each of these approaches, each government needs to evaluate how to work within its own governance structure to arrive at the most workable solution.

Strike the right balance between cost and risk

The overriding responsibility of the audit committee is to perform its oversight duties related to the significant risks associated with the financial reporting and operational results of the government. This is followed closely by the need to work with management, internal auditors, and the external auditors in identifying and implementing the appropriate internal controls that will reduce those risks to an acceptable level. Because establishing and enforcing a level of zero risk tolerance is cost prohibitive, the audit committee should be looking for the proper balance between cost and a reduced level of risk.

Engage your audit committee with regular meetings

Depending on the complexity and activity levels of the government, the audit committee should meet at least three times a year. In larger governments, with robust systems and reporting, it’s a good practice to call for monthly meetings with the ability to add special purpose meetings as needed. These meetings should address the following:

External Auditors

  • Confirmation of the annual financial statement and compliance audit, including scope and timing.
  • Ad hoc reporting on issues where potential fraud or abuse has been identified.
  • Receipt and review of the final financial statements and auditor’s reports, including:
      • the opinion on the financial statements and compliance audit;
      • internal controls over financial reporting and grants; and
      • violations of laws and regulations.

Internal Auditors

  • Review of updated risk assessments over identified areas of risk.
  • Review of annual audit plan, including status of the prior year’s efforts.
  • Status reports of ongoing and completed audits.
  • Reporting of the status of corrective action plans, including conditions noted, management’s response, steps taken to correct the conditions, expected time-line for full implementation of the corrective action and planned timing to verify the corrective action plan has been implemented.

Establish resources that are at the ready

Audit committees should be given the resources and authority to acquire additional expertise as and when required. These resources may include, but are not limited to, technical experts in accounting, auditing, operations, debt offerings, securities lending, cybersecurity, and legal services.

Taking extra steps now will save time later

While no system can guarantee breakdowns will not occur, a properly established audit committee will demonstrate for both elected officials and executive management that on behalf of their constituents they have taken the proper steps to reduce these risks to an acceptable tolerance level. History has shown over and over again that breakdowns in governance lead to fraud, waste and abuse. Don’t be deluded into thinking that it will never happen to your organization. Make sure it doesn’t happen on your watch.

Strategies for Mitigating Municipal Employee Fraud

The second article in a series for municipal executives: Avoiding the Headlines

By Scott P. Johnson, CPA, CGMA
Partner, State & Local Government, Advisory Services

As a public official for more than 24 years, I continuously strived to implement best practices, internal controls, and policies and procedures to mitigate fraud, waste, and abuse. Being a municipal finance officer responsible for literally billions of dollars, there were times when I would wake up in the middle of the night thinking about what could happen, or what I may not know that could be occurring, that could put the organization at risk. Fortunately, throughout my municipal career the organizations I served did not experience headlines due to significant fraud. We had the appropriate “tone at the top” and practiced effective measures throughout the organization to mitigate potential fraud. However, from time to time, we would uncover the occasional lapse of an employee’s good judgement and detect inappropriate use of government funds, such as improper procurement credit card use for personal purposes, time cards that fraudulently claimed hours in excess of actual hours worked, and fictitious reimbursement claims for travel.

Employee fraud is a significant problem faced by organizations of all types, sizes, locations, and industries. While employee fraud in a private organization rarely merits a mention in the local paper, the same fraud in a government agency will have editors competing to write the splashiest headlines and garner the highest reader traffic. It is critical for such organizations to maintain a positive reputation. Reputational risk can carry long-lasting damage in monetary losses, regulatory issues, and overall risk exposure. Frankly, all types of fraud are on the rise, and municipalities need an effective fraud mitigation strategy in place to protect against reputational and monetary harm.

Just a few recent examples of municipal fraud have had significant press coverage and put the respective organizations in a challenging position. In 2014, officials in St. Louis County, MO, uncovered a $3.4 million embezzlement that escaped detection for more than six years. According to officials, a County Health Agency Division Manager overcharged for IT computer and technical services (unbeknownst to the County, the Division Manager owned the technology company). Unfortunately, the day after the suspected embezzlement was detected by County officials, the employee committed suicide, according to the County Medical Examiner.

The largest known municipal fraud in US history was uncovered in 2012 at the City of Dixon, IL. This embezzlement scheme of almost $54 million over a 22-year period was perpetrated by its Comptroller, Rita Crundwell, who used the proceeds to finance her quarter horse ranch business and lavish lifestyle. She pleaded guilty and was sentenced to nearly 20 years in federal prison, which she is currently serving. Another case is pending in the Los Angeles Superior Court: former Pasadena city employee Danny Wooten and co-defendants are due back in court for arraignment on April 1, 2016, according to the Los Angeles County District Attorney’s Office. The criminal case alleges that more than $6 million in city money was embezzled over a decade, with Wooten suspected of creating false invoices for the city’s underground utility program between 2004 and March 2014.

Many factors can contribute to fraud, but the key factors are improper segregation of duties, lack of management review, undocumented procedures, routine exception processing, trust without verification and validation, and lack of accountability and monitoring. Conducting proper risk assessments of events that could prevent, delay, or increase the cost of achieving organizational objectives, and implementing a risk management plan, not only ensures compliance but strategically safeguards an organization against fraud. There are three important steps to earning a good night’s sleep.

1. Fraud Risk Assessment – understanding the organization as a whole and individual business units will lead to the most comprehensive risk management plan. Understand how resources flow as well as internal environments and processes. Conduct interviews, make observations and review all factors. Identify the possible and probable fraud schemes for all resource flows.

2. Prevention – “Tone at the Top” is critical. Inspiring employees to follow ethical standards starts with the tone at the executive level and must trickle down through the management level and ultimately throughout the entire organization. The organization needs to know that unethical practices will not be tolerated and, when detected, will be dealt with in a timely and effective manner. One way to communicate the “tone” is to write a fraud policy in concert with the employee conduct handbook, which ensures the message is designed into the orientation, onboarding, and training process. Conduct management reviews, provide whistleblower channels, and communicate often with key business unit leaders, who in turn should communicate with their staff regarding fraud prevention, detection, and correction.

3. Detection – while assessment and prevention create a strong defense against fraud, it is still important to seek out other measures to detect fraud that may not have been anticipated in the fraud risk assessment plan. Only three percent (3%) of all fraud is discovered by accident or the good luck of the right person being in the right place. Only six percent (6%) of fraud is discovered through account reconciliation. Clearly we cannot simply rely on these detection methods. In addition to account reconciliation and keeping your ears open, creating channels for detection is of the utmost importance. Eleven percent (11%) of fraud discoveries are due to internal audit. Return to step one by assessing and re-assessing fraud risk regularly. Conduct meaningful management reviews on time: twelve percent (12%) of fraud detection is the result of properly conducted management reviews. Finally, be sure to enforce an open-door policy and a culture of interest in detection and reporting. Fifty-four percent (54%) of all fraud detection comes through insider tips. Ensuring there are proper procedures in place to accept these tips is paramount when designing, and especially when implementing, the fraud management and detection plan.
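The detection step above can be partly automated against the accounts-payable data every municipality already holds. The following is an added example (not code from this article or from MGO) that runs two of the checks the cases above call for: matching the vendor master against the employee master to find vendors that share an employee's address or bank account (the employee-owned vendor in the St. Louis County case), and flagging invoices where one person both entered and approved the payment, or created the vendor and then processed its invoices (the segregation-of-duties and false-invoice problems). All records, field names, and identifiers are constructed for illustration; a real run would read the vendor, employee, and invoice tables from the ERP and payroll systems.

```python
"""Segregation-of-duties and employee/vendor conflict checks over AP data.

Added example; all data and field names below are constructed and assumed,
not taken from any real system or from the article.
"""
from collections import defaultdict

# Constructed employee master: who works here and where payroll is sent.
EMPLOYEES = [
    {"emp_id": "E100", "name": "A. Smith", "address": "12 Oak St", "bank_acct": "111-222"},
    {"emp_id": "E101", "name": "B. Jones", "address": "9 Elm Ave", "bank_acct": "333-444"},
    {"emp_id": "E102", "name": "C. Lee", "address": "40 Pine Rd", "bank_acct": "555-666"},
]

# Constructed vendor master. V2 is registered at an employee's home address;
# V3 is paid into an employee's bank account. created_by is the user who
# added the vendor record (E103 is a purchasing clerk who never touches invoices).
VENDORS = [
    {"vendor_id": "V1", "name": "Acme Paving", "address": "1 Industrial Way",
     "bank_acct": "777-888", "created_by": "E103"},
    {"vendor_id": "V2", "name": "Metro IT Services", "address": "12 Oak St.",
     "bank_acct": "999-000", "created_by": "E101"},
    {"vendor_id": "V3", "name": "Civic Utility Works", "address": "77 Main St",
     "bank_acct": "555-666", "created_by": "E102"},
]

# Constructed invoice log: who entered and who approved each payment.
INVOICES = [
    {"inv": "I1", "vendor_id": "V1", "amount": 4800.00, "entered_by": "E100", "approved_by": "E101"},
    {"inv": "I2", "vendor_id": "V3", "amount": 9200.00, "entered_by": "E102", "approved_by": "E102"},
    {"inv": "I3", "vendor_id": "V2", "amount": 2500.00, "entered_by": "E100", "approved_by": "E101"},
    {"inv": "I4", "vendor_id": "V3", "amount": 8700.00, "entered_by": "E102", "approved_by": "E100"},
]


def normalize(s):
    """Crude address normalization so '12 Oak St.' and '12 oak st' compare equal."""
    return " ".join(s.lower().replace(".", "").replace(",", "").split())


def employee_vendor_matches(employees, vendors):
    """Return (vendor_id, emp_id, field) for vendors sharing an address or
    bank account with an employee. Either match is a conflict-of-interest lead."""
    by_addr = {normalize(e["address"]): e["emp_id"] for e in employees}
    by_bank = {e["bank_acct"]: e["emp_id"] for e in employees}
    hits = []
    for v in vendors:
        addr = normalize(v["address"])
        if addr in by_addr:
            hits.append((v["vendor_id"], by_addr[addr], "address"))
        if v["bank_acct"] in by_bank:
            hits.append((v["vendor_id"], by_bank[v["bank_acct"]], "bank_acct"))
    return hits


def sod_violations(vendors, invoices):
    """Return (inv, emp_id, reason) where one person controlled more than one
    step: entering and approving the same invoice, or creating the vendor and
    then entering or approving an invoice for it."""
    creator = {v["vendor_id"]: v["created_by"] for v in vendors}
    hits = []
    for inv in invoices:
        if inv["entered_by"] == inv["approved_by"]:
            hits.append((inv["inv"], inv["approved_by"], "entered_and_approved"))
        who_created = creator.get(inv["vendor_id"])
        if who_created in (inv["entered_by"], inv["approved_by"]):
            hits.append((inv["inv"], who_created, "created_vendor_and_processed_invoice"))
    return hits


def vendor_exposure(invoices, flagged_vendor_ids):
    """Total dollars paid to flagged vendors, to prioritize follow-up."""
    totals = defaultdict(float)
    for inv in invoices:
        if inv["vendor_id"] in flagged_vendor_ids:
            totals[inv["vendor_id"]] += inv["amount"]
    return dict(totals)


def run_checks(employees=EMPLOYEES, vendors=VENDORS, invoices=INVOICES):
    """Run both checks and size the exposure behind the vendor matches."""
    matches = employee_vendor_matches(employees, vendors)
    sod = sod_violations(vendors, invoices)
    exposure = vendor_exposure(invoices, {m[0] for m in matches})
    return {"employee_vendor": matches, "sod": sod, "exposure": exposure}


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(name, findings)
```

The two checks are deliberately independent: the vendor match finds the shell company even when every invoice was properly approved by someone else, and the segregation-of-duties check catches the single-person invoice path even when the vendor's registration details look clean. Either finding alone is a lead for management review, not proof of fraud; the exposure total tells the reviewer which lead to pull first.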

Deceitful misconduct among employees significantly damages reputations, negatively affects resources, and limits the ability of any organization to effectively serve the consumer and their community. Following this roadmap on how to respond to and prevent employee fraud will not only protect the organization and its key objectives but will lead to an easier night’s sleep – even in the face of increasing fraud across all industries.

This article is only a small representation of the material presented during MGO’s “Case in Point” presentation at the 2016 CSMFO Conference. Special recognition to Ruthe Holden, Internal Audit Manager at the City of Pasadena, for her contribution to the “Case in Point” presentation. Contact Scott Johnson at [email protected] if you have any questions or comments. Comments and opinions expressed in this article are those of the authors and may not reflect the positions, opinions, or beliefs of the CSMFO or MGO and should not be construed or interpreted as such.