5 Reasons Your Private Company Should Adopt Public Company Controls

Key Takeaways:

  • Implementing public-company-level internal controls early on can help your private company prepare for a potential IPO or acquisition, ultimately reducing the risk of adverse disclosures and easing your transition.
  • Private companies experiencing fast growth can benefit from stronger controls to prevent fraud and other errors, so that financial data remains reliable no matter how big they scale.
  • If you enhance your internal controls, you can increase your credibility with investors, banks, and other stakeholders — potentially lowering costs and adding financial security.
  • If you are in an industry with public peers or high security standards (like utilities or tech), you might benefit from adopting similar control measures to maintain competitiveness and stakeholder confidence.

~

Internal controls are often viewed as a “public company problem,” but private organizations may want to consider implementing controls similar to those required by Sarbanes-Oxley (SOX) Section 404. The inherent benefits of a strong control environment can be significant for a private company: they enhance accountability throughout the organization, reduce the risk of fraud, improve processes and financial reporting, and support more effective engagement with the board of directors.

While not always smaller, private organizations often have limited resources in specialty areas, including accounting for income tax. This resource constraint — with the work being performed outside the core accounting team — combined with the complexity of the issues means private companies are ideal candidates for, and can achieve significant benefit from, internal controls enhancements.

Thinking ahead, there are five reasons private companies may want to adopt public-company-level controls:

  1. Initial Public Offering (IPO) — Walk before you run! If the company believes an IPO may be in its future, it’s better to “practice” before the company is required to be SOX compliant. A phased approach to implementation can drive important changes in company culture as it prepares to become a public organization. Recently published reports analyzing IPO activity and first-time internal control over financial reporting (ICFR) assessments reveal that adverse disclosures on internal controls are three times more likely to be made during a first-time assessment. Making a rapid change to SOX compliance without proper planning can place a heavy burden on a newly public company.
  2. Private Equity (PE) Buyer — If it is possible that the company will be sold to a PE buyer, enhanced financial reporting controls can provide the potential buyer with an added layer of security or confidence regarding the company’s financial position. Further, if the PE firm has an exit strategy that involves an IPO, the requirement for strong internal controls may be on the horizon.
  3. Rapid Growth — Private companies that are growing rapidly, either organically or through acquisition, are susceptible to errors and fraud. The sophistication of these organizations often outpaces the skills and capacity of their support functions, including accounting, finance, and tax. Standard processes with preventive and detective controls can mitigate the risk that comes with rapid growth.
  4. Assurance for Private Investors and Banks — Many users other than public shareholders may rely on financial information. The added security and accountability of having controls in place is a benefit to these users because the enhanced credibility may affect the organization’s cost of borrowing.
  5. Peer-Focused Industries — While not all industries are peer-focused, some place significant weight on the leading practices of their peers. Further, some industries require enhanced levels of security and control. For example, utility companies, industries with sensitive customer data (financial or medical), and tech companies that handle customer data often look to their peer groups for leading practices, including their control environment. When the peer group is a mix of public and private companies, a private company can benefit from keeping pace with the leading practices of their public peers.

Private companies are not immune from intense stakeholder scrutiny into accountability and risk. Companies with a clear understanding of the inherent risks that come from negligent accounting practices demonstrate the ability to think beyond the present and to be better prepared for future growth or a change in ownership.

How MGO Can Help

We offer a comprehensive approach to internal control implementation, personalized to meet your private company’s unique needs. Our team’s experience in audit, risk management, and advisory can help your business establish robust controls that enhance accountability, reduce fraud risk, and prepare for the future — whether that looks like growth or a public offering.

Whether you are preparing for an IPO, meeting private equity expectations, or merely enhancing your operational efficiency, our team provides the guidance and the tools needed to help you navigate any complexity with confidence. To learn more about how we can assist your business, reach out to us today.

Tech IPOs: Steering Clear of Common Pitfalls on Your Path to Becoming a Public Company

Key Takeaways:

  • For tech founders, taking a company public can provide significant benefits like increased capital, visibility, and liquidity, but the process is complex and comes with risks, such as increased regulatory scrutiny and reduced control.
  • There are several common pitfalls to avoid during the IPO journey, including underestimating timelines, not building a strong financial foundation, and not having the right leadership in place.
  • Tech companies should focus on a few things to facilitate post-IPO success as a public entity: investor relations, internal controls, and cultural shifts. These maintain trust and compliance across the board.

~

For many tech founders, the prestige and promised rewards of taking a company public are strong motivators to pursue an initial public offering (IPO).

But IPOs, however attractive, are extremely complicated and can be overwhelming — especially if you’re not a transaction expert and have never navigated the full process. Without the right information, tech founders are liable to experience delays, derailments, and disappointments on their road to an IPO.

Are you a tech founder looking to IPO for the first time? Read our guide to understand what the IPO process looks like for tech companies like yours — and what pitfalls you’ll need to avoid along the way.

Should You Go Public?

While an IPO can be a great avenue to grow your business, it isn’t the right strategy for every company — or every founder. To make an informed decision, you need to understand the benefits and drawbacks of pursuing an IPO.

Benefits

  • Increased access to capital. An IPO can offer a massive influx of capital, enabling substantial, accelerated growth.
  • Greater visibility. Going public can improve a tech company’s market visibility and credibility, which can in turn improve brand reputation and recognition.
  • Increased liquidity for shareholders. An IPO allows early investors to cash out, while stock options remain an incredibly attractive incentive for many employees, even during times of market volatility. The stock options unlocked by an IPO can be key to attracting and retaining top talent.
  • Access to a market valuation. Being listed on the stock market means the public markets offer a valuation of the tech company, which may be seen as more objective and credible than a privately sourced valuation.

Drawbacks

  • Greater regulatory and compliance requirements. Publicly traded tech companies are subject to more regulatory and compliance requirements than their privately owned counterparts, and the transition to a publicly traded company can cause compliance costs to skyrocket. Public companies also face scrutiny from regulatory bodies like the SEC. Any mistake, like a reporting misstatement, is highly public and can damage the company’s reputation — and stock price.
  • Less control. Public tech companies must answer to shareholders and regulators, impacting how much control a founder will have over their company. Founders also often find they have less control over their personal finances after going public, because lock-up agreements typically bar them from selling their shares for a period after the offering.
  • Vulnerability to market volatility. Market conditions and other external factors can cause stock prices to fluctuate, whereas private company valuations are more insulated from such forces.
  • Increased disclosure requirements. Public tech companies have additional disclosure requirements, which means competitors will have access to more information about the company. This dynamic could impact a company’s competitive advantage in the marketplace.

Are You Asking the Right IPO Questions?

Preparing for an IPO means investigating every aspect of your business. Asking the right questions will help you see beyond the obvious to gain an in-depth understanding of how investors will think about your company and how you can set yourself up for success throughout the IPO process.

Ready to get started?

Read This IPO Checklist

Stage 1

IPO Readiness Assessment

A readiness assessment can help you identify gaps or issues that could prevent your organization from successfully operating as a public company. For most tech companies, the readiness assessment will uncover substantial changes required to facilitate a transition to a public company, such as implementing more robust internal controls or developing specialized accounting capabilities in house. BDO recommends clients assess readiness in the following key areas:

  • Accounting & SEC reporting
  • Tax
  • Risk
  • Technology
  • Operations
  • People
  • Financial planning & analysis

Common Pitfalls:

  1. Failure to develop a compelling story. Before a leader even considers pursuing an IPO, they need to create a narrative that gets potential investors excited about the future of the company. They must define success, determine what metrics will be used to track it, and put systems in place to measure and report on progress. These steps are key to securing investor interest and confidence. Common success metrics for tech companies include annual recurring revenue (ARR), customer retention, the Rule of 40, customer acquisition costs, daily active users, and monthly active users.
  2. Overestimating existing resources. Tech companies often fail to understand what resources they already have and what resources they still need to secure. For example, pursuing an IPO requires specialized skills related to investor relations, treasury, income tax, technical accounting, SEC reporting, and internal controls, which most private tech companies don’t have in house. Failing to conduct a proper resource assessment can lead to a delayed IPO filing, as the company will have to make up ground and secure those resources later.
  3. Lack of IPO experience. As they prepare for an IPO, tech founders should prioritize building a leadership team that includes professionals who have experience taking tech companies public. IPO veterans can help guide the rest of the team through the process while identifying and addressing potential issues before they happen.
  4. Relying on private-company experience. Private tech company founders sometimes underestimate the depth and breadth of the requirements that come with going public. They may even make the mistake of believing that a private company approach will be sufficient post IPO. Instead of relying on what they already know, founders must continuously assess their policies, procedures, and governance structures and compare them to public-company requirements to identify and proactively address gaps.
  5. Failure to protect intellectual property (IP). IP is a major asset for many tech companies and can significantly impact their valuations. Before tech leaders take their company public, they must assess their current protections and deploy tactics like developing a strong patent portfolio to ensure their IP is secure.

Stage 2

Roadmap and Program Management

Once you understand your current state, it’s time to develop a roadmap to guide your transformation from a privately held company to a public company. A strong roadmap will require input from numerous people and functions across the company, as well as reasonable estimates around the time and effort required to meet your objectives. Effective program management is critical to developing your roadmap as quickly and efficiently as possible.

Common Pitfalls:

  1. Underestimating timelines. Tech leaders often underestimate the time needed to prepare a company for an IPO, which can take as long as 18-24 months. A successful transformation depends on a realistic and carefully planned timeline. Attempting to rush the process can lead to expensive and public mistakes like financial misstatements.
  2. Missing inputs. A successful IPO process relies on participation from the full organization. Failing to include specific departments or professionals in the roadmap stage can lead to process gaps that later derail progress. For example, failure to include IT in the roadmap stage can lead to errors when it comes time to upgrade or rationalize back-office technology in advance of the IPO filing.
  3. Lack of a change management plan. Poor change management can lead to unnecessary disruption. For example, lack of a change management plan can create employee discontent during the transition, causing the company to lose key talent and disrupting operations at a crucial juncture.

Stage 3

March to IPO

At this stage, your goal is to get ready for the IPO filing, which entails executing your roadmap to prepare your organization to operate as a public company. This is also the point at which you will begin preparing for the IPO filing process itself, including selecting an underwriter, pricing the IPO, and conducting a roadshow.

Common Pitfalls:

  1. Failure to build a strong financial foundation. Tech companies preparing to go public need to review their financial statements to verify they are accurate, audited, and up to date. Many tech leaders opt to review three years of financials, even if regulations allow for fewer, to help bolster investor and regulator confidence. Failure to build a strong financial foundation can delay SEC filings, which may impact filing status and result in expensive fines.
  2. Inadequate pro forma reporting plans. Tech company leaders must vet their post-IPO reporting plans against SEC reporting rules to ensure they will meet all relevant requirements. They must also design a comprehensive reporting process, building in checks and balances to ensure all numbers are accurate.
  3. Misaligning compensation structures. As tech leaders revisit their compensation structures, they must make sure that compensation plans don’t conflict with shareholder interests. For example, option-based compensation for CEOs can encourage excessive risk-taking behavior that may damage customer relationships and firm performance, decreasing shareholder value.
  4. Skipping the trial run. Tech companies should practice operating like a public company before filing for an IPO. This trial run can help uncover hidden or overlooked issues like a lack of uniform controls and reporting policies. Companies that skip the trial run often find themselves surprised by requirements and challenges post IPO, which can take significant time and money to address.

Stage 4

Post-IPO Support

Once the IPO is complete, it’s time for your tech company to start operating as a public company. At this stage, you need to ensure you are delivering on your promises, managing expectations with your new shareholders, and meeting your new reporting requirements as a public company.

Common Pitfalls:

  1. Lack of forecasting capabilities. As private companies transform themselves to prepare for an IPO, they need to adopt strong revenue forecasting capabilities. Unfortunately, newly public tech companies often struggle with revenue forecasting, which can cause investor distrust and reputational damage.
  2. Failure to maintain investor relations. Investor expectations will expand after going public, as shareholders await regular updates on company performance. Failing to build strong relationships with investors through proactive, comprehensive communication can breed mistrust.
  3. Failure to manage the cultural shift. When private tech businesses transition into public companies, a major cultural shift often follows. Failure to manage that shift correctly can lead to employee dissatisfaction and talent retention issues.
  4. Poor internal controls. Once a tech company goes public, it will have to comply with new reporting requirements and regulations, notably Sarbanes-Oxley (SOX). Prior to filing the IPO, the company should have all necessary internal controls in place — without them, the company may experience issues like material misstatements that can negatively impact stock price.

How MGO Can Help

There’s no question that going public is an exciting “next step” in your company’s evolution. With an IPO comes additional opportunities to transform the business, but it can also come with more challenges. MGO’s team is here to support you at every stage, from IPO planning and readiness assessments to execution and post-IPO acquisition services.

With today’s rapidly evolving technology, you want to stay at the forefront of developing products that transform how we work, think, and engage with the world. Reach out to our Technology team today to find out how we can help you achieve your goals.


Written by Hank Galligan and Jim Clayton. Copyright © 2024 BDO USA, P.C. All rights reserved. www.bdo.com

Unlocking Capital: 5 Key Strategies for First-Time Biotech Fundraising

Executive Summary:

  • Build investor trust through financial transparency, strong leadership, and solid internal controls to overcome the “first-time fundraising roadblock” in biotech.
  • Showcase your product’s potential with a compelling pitch and clear value proposition, backed by data and a talented research team.
  • Leverage your professional network and industry connections to get noticed by the right investors in the biotech space.

~

The biotech landscape is currently divided into the “haves” and “have-nots” when it comes to fundraising. Those who have successfully brought products to market or secured previous funding rounds have a substantial advantage. They possess the track record, relationships, and trust investors crave.

But what if you don’t have that? If your biotech company is preparing to raise capital for the first time, not to worry — you can still stand out and secure funding. Here are five key strategies to help you get around the first-time fundraising roadblock and gain the attention of investors.

1. Build Trust with Financial Transparency

Investors need to trust your company is financially sound. Without a track record, demonstrating your fiscal responsibility is essential. Start by having a quality audit of your financial statements, conducted by a reputable auditor with experience in the biotech space. Accurate, clear financial reporting builds investor confidence, showing you are serious about managing capital effectively.

If you have already raised seed funding or received a grant, highlight how you have used those resources responsibly. A grant audit, for example, can showcase you have maximized the value of previous funds—something investors will look for as they evaluate your business.

2. Strengthen Your Leadership and Team

Investors are not just funding an idea; they are funding the people behind it. If you lack in-house knowledge or experience, consider hiring or partnering with experienced professionals. A strong chief financial officer (CFO) — even an outsourced one — can make a significant difference. Outsourced accounting support allows you to tap into the knowledge of seasoned professionals without the full-time cost. A skilled CFO will strengthen your financial reporting and operations, further enhancing trust with investors.

Additionally, if you don’t have an executive with capital-raising experience, bring in someone who does. Investors are more likely to bet on a team with a proven track record in biotech, especially when that person has a Rolodex of contacts and a history of success. Just remember: there is no silver bullet. Even bringing in a seasoned executive won’t move the needle if the fundamentals aren’t in place. Investors will see through any attempts to paper over weaknesses.

3. Demonstrate Your Product’s Potential 

At the core of any capital raise is the product you are developing. Investors want to know your biotech solution has potential. Your value proposition should be clear, well-researched, and backed by data. Whether you are creating a novel drug or pioneering a new treatment technology, demonstrate the market need, potential impact, and your path to commercialization. A strong, well-articulated product concept, supported by a talented research team, will help you stand out. 

This is where you must focus on having a polished pitch deck and elevator pitch. If you do secure a meeting with potential investors, being prepared with a compelling and concise presentation can make or break the deal. Your pitch should clearly communicate your company’s vision, market potential, and how their investment will drive growth. 

4. Establish Strong Internal Controls 

Investors not only want to see financial transparency and a strong product, they also want to know your business is structured for long-term success. Demonstrating you have solid internal controls — related to compliance with regulations like the Sarbanes-Oxley Act (SOX) — shows you are prepared to scale responsibly.  

An internal controls evaluation can identify areas for improvement and help strengthen your company’s operational documentation, efficiency, and security. This is a crucial step in building investor trust and positioning yourself as a mature, trustworthy business. 

5. Leverage Your External Network 

Building your company is just one part of the equation. The next step is expanding your personal network so you are speaking to the right investors. Start by identifying the key players in your biotech niche. Look at competitors and peers who have successfully raised capital and find out who their investors were. This will help you target the right people and increase your chances of getting noticed. 

Once you have a list of potential investors, begin outreach. Attend industry events, schedule informal meetings, and use every opportunity to introduce yourself and your business. This is where your external network can become an invaluable resource. Don’t hesitate to tap into your legal, financial, and banking partners for introductions to investors. These professionals often have established relationships with investors and can open doors you would not be able to access on your own. If you don’t have all these partners in place, one can often connect you with the others. For example, at MGO, we can refer you to trusted legal and banking partners to help you get the full support you need.

Breaking Down Barriers to Secure First-Time Funding 

Raising capital for the first time is undoubtedly challenging, but it’s far from impossible. By focusing on building a strong company, demonstrating your value, and strategically expanding your network, you can bridge the gap between the “haves” and “have-nots” of biotech fundraising — securing that essential first round of funding. 

How MGO Can Help 

Navigating your first capital raise can be daunting, but you don’t have to go it alone. We’re here to help you build the strong foundation you need to attract investors and take your groundbreaking ideas to the next level.  

Our experienced biotech practice offers a range of services tailored to meet your specific needs, including: 

  • Audit and assurance services to validate your financial statements 
  • Outsourced CFO services to strengthen your financial operations 
  • Internal control evaluations to enhance your operational efficiency 
  • Strategic advisory services to help you navigate the fundraising landscape 

Don’t let being a first-time fundraiser hold you back. Reach out to our team today to learn how we can support your journey from promising startup to funded success story. 

How to Prepare Your Tech Company for a Financial Audit 

Key Takeaways:

  • A financial audit is crucial for tech companies seeking investment or acquisition, providing credibility and insights into financial health and processes.
  • Proper preparation involves assembling the right team, establishing solid financial systems, and gathering comprehensive documentation.
  • Approaching the audit as an opportunity rather than an ordeal can lead to stronger financial practices and a clearer path toward business objectives.

~

You have taken your tech company to the next level with a groundbreaking idea and compelling vision. Now, you are eyeing the next big move — going public, courting major investors, or positioning for an acquisition. But innovation alone will not seal the deal; you need a captivating financial story that stands up to public scrutiny and due diligence.

Enter the financial audit. A well-executed financial audit can be a powerful tool for your business, providing credibility to investors and partners while offering valuable insights into your financial processes. With the right preparation, you can transform an audit from a perceived hurdle into a launchpad for your next phase of growth.

Understanding the Goal of a Financial Audit

A financial audit is an independent examination of your company’s financial statements and underlying records, conducted by a certified public accountant (CPA) or CPA firm. The goal is to provide reasonable assurance that your financial statements are free from material misstatement and fairly represent your company’s financial position.

For tech companies eyeing future fundraising, acquisitions, or public offerings, an audit is more than a compliance exercise — it is a crucial step in telling your financial story accurately and building trust with potential investors or acquirers.

Building an Audit-Ready Foundation

Your audit journey begins long before the auditors arrive. Set your business up for success by having these elements in place:

  • Human resources: Staff your team with personnel who have solid financial accounting backgrounds. Their knowledge will be essential in maintaining accurate financial records and complying with relevant accounting standards.
  • Internal systems: Implement accounting platforms to accurately track transactions, inventory, and sales. An efficient accounting system will streamline the process of gathering and presenting financial data.
  • Formation documents: Maintain comprehensive records from your company’s inception with complete capitalization tables, including intellectual property (IP) documentation. This will make all foundational aspects of your business well-documented and easily accessible.
  • Legal support: Engage an attorney knowledgeable in your industry to help protect your IP. They can also assist with contract reviews and regulatory compliance, which are often scrutinized during an audit.
  • Regular period closes: Establish a routine for closing your financial periods (monthly or quarterly) to keep your books consistently up to date. This practice will facilitate the audit process by providing timely and reliable financial information.

Assembling Your Audit Team

Choosing the right team is critical to how efficiently your audit is conducted. Your external team typically includes:

  • CPA firm: Choose a reputable CPA firm with experience in your industry and the ability and resources to grow with your entity. A CPA firm with relevant industry experience will have a better understanding of the specific challenges and requirements of your business.
  • Investment banker: Depending on your transaction type, you might need an investment banker. Investment bankers can provide valuable insights and assistance in structuring and executing your financial transactions.

One early task for this team is to look for unrecognized transactions or errors in your books. These may require significant time to research and correct, so proactively reviewing, identifying, and addressing them before the audit begins will help you avoid delays once it is underway.

Timeline and Planning

Establish a realistic timeline for your audit and subsequent transactions. A well-planned timeline will help in managing the audit process so that all necessary steps are completed on time.

  • Audit duration: Allocate at least one to three months for the audit process, factoring in elements like company size and complexity, quality of accounting records, and completeness of your documentation.
  • Public offering timeline: Keep in mind that going public can take at least three months, and unexpected issues can cause delays.
  • Regular reviews: Regularly review your timeline with your service providers to adjust, as necessary.

Gathering Your Documentation

The success of your audit hinges on the quality and completeness of your documentation. From the C-suite to your front-line employees, all your documentation needs to be up to date and accurate. Prepare:

  • Financial statements: Have your income statement, balance sheet, and cash flow statement up to date to accurately reflect your financial position. Accurate financial statements are essential in providing a clear picture of your company’s financial health.
  • Supporting schedules and notes: Prepare detailed breakdowns of major accounts and transactions, along with explanatory notes for complex items. Supporting materials provide additional context and clarity to your financial statements.
  • Internal controls documentation: Compile documentation of your financial policies, procedures, and risk assessment activities. Internal controls documentation demonstrates your company has effective processes in place to manage financial risks.
  • Contracts and agreements: Gather all significant contracts, including customer agreements, vendor contracts, and loan documents. These documents provide evidence of your company’s legal obligations and financial commitments.
  • Tax filings and records: Have your tax returns and related documentation ready for review. Tax filings and records are essential in verifying your company’s compliance with tax regulations and identifying any potential tax liabilities.

Common Pitfalls (and How to Avoid Them)

Be aware of potential challenges that can delay your audit:

  • Complex transactions: Tech companies often deal with complex financial instruments like preferred stock, stock options, or convertible instruments. Proper accounting for these is crucial. Equip your team with the necessary knowledge to handle complex transactions.
  • Revenue recognition: Follow appropriate guidelines, especially for Software as a Service (SaaS) companies where revenue recognition can be complex. Accurate revenue recognition is critical in providing a true and fair view of your company’s financial performance.
  • Inadequate documentation: Lack of proper documentation can significantly slow down the audit process. Have all required documents complete and readily accessible to avoid delays.

Best Practices for a Smooth Audit Process

Once the audit begins, your role shifts to facilitating the auditors’ work. Your team can contribute to the speed and efficiency of the audit by employing these practices:

  • Respond promptly: Provide requested information and documents in a timely manner. Delays on your end can derail the entire timeline.
  • Maintain open communication: Be transparent with your auditors about any issues or concerns.
  • Stay focused on your objectives: Remember the audit is a means to an end — whether that is preparing for an acquisition, going public, or attracting investors. Keep this perspective to maintain a positive attitude throughout the process.

Embracing the Audit as an Opportunity

Your financial audit doesn’t need to be a stressful ordeal. By approaching it with thorough preparation, open communication, and a focus on your long-term objectives, you can turn this process into a valuable opportunity for growth and improvement.

Remember, the goal is not just to get through the audit — it is to emerge with stronger financial practices, increased credibility, and a clearer path toward your business objectives. With the right mindset and preparation, your audit can be a pivotal step in your company’s journey to success.

How MGO Can Help

We have extensive experience working with tech companies, including serving as the auditor for companies preparing for IPOs, mergers, acquisitions, and other capital-raising activities, as well as tech companies that need an annual audit for a bank or investor.

Our approach includes:

  • Rapid response times: Echoing our firm’s fundamental principle, “Be a Fanatic About Response Time,” we prioritize quick response to all your requests.
  • Automated processes: We integrate automation into our audit process to minimize the burden on your team.
  • Network of resources: We can help connect you with attorneys, investment bankers, and other professionals to meet your needs.

If you need assistance preparing for your financial audit or an experienced auditor who understands your needs, reach out to MGO today. We are here to support you in achieving your objectives and guide you through a successful audit process.

How to Protect Your Business Against Asset Misappropriation

Key Takeaways:

  • Asset misappropriation involves the theft or misuse of an organization’s physical and digital assets, posing a major threat to businesses.
  • Red flags of asset misappropriation include unexplained shortages, unauthorized transactions, altered records, excessive resource use, and employees living beyond their means.
  • Strategies to combat asset misappropriation include strong internal controls, employee education, surveillance technology, promoting an ethical culture, and data analytics for fraud detection.

~

In the dynamic landscape of modern business, asset misappropriation remains a pervasive threat, undermining the financial stability and integrity of organizations across industries. As part of MGO’s fraud series, this article delves into the critical issue of asset misappropriation — offering your business the knowledge and tools needed to safeguard your valuable assets.

Understanding Asset Misappropriation

Asset misappropriation, a prevalent form of fraud, involves the theft or misuse of an organization’s assets. Unlike financial statement fraud, which distorts the truth on paper, asset misappropriation manifests in the direct pilfering or misuse of physical and digital assets. From cash and inventory to intellectual property and digital data, no resource is immune to this fraudulent activity.

Red Flags of Asset Misappropriation

  • Unexplained shortages or discrepancies: Whether it is cash, inventory, or other assets, unexplained shortages are classic signs of theft or embezzlement. For instance, casinos might notice discrepancies in chips or cash, pointing toward internal theft.
  • Unauthorized transactions: Any unauthorized withdrawals or transfers, especially in sensitive environments like casino accounts or gaming tables, should raise immediate concerns about asset misappropriation.
  • Alteration of records: Manipulating gaming records, player accounts, or payout systems can facilitate theft, often going unnoticed without rigorous audits.
  • Excessive use of company resources: When employees use company vehicles, equipment, or facilities beyond their professional needs, it suggests potential misuse of organizational assets for personal gain.
  • Lifestyle inconsistencies: Employees exhibiting a lifestyle significantly above their income level can be a red flag for embezzlement or fraud, often funded by stolen assets.

Strategies to Combat Asset Misappropriation

To effectively shield your organization from the perils of asset misappropriation, a multifaceted approach is necessary. These strategies are designed to fortify your defenses, helping your business operate with the highest standards of integrity and security. By implementing these measures, you can create a resilient barrier against fraudulent activities and safeguard your organization’s future.

Here are some pivotal strategies to combat asset misappropriation:

  • Establishing robust internal controls is the first line of defense. Professionals with experience enhancing internal controls can assist your organization in assessing and refining its practices — including segregation of duties, regular audits, and securing access to sensitive areas and systems. This approach establishes a solid foundation for preventing asset misappropriation.
  • Educating employees about the signs of fraud and the importance of ethical behavior is essential to deter potential fraudsters and empower your staff to report suspicious activities. Training programs, which can be supported by advisory firms, effectively communicate the risks of fraud and the importance of vigilance, helping to build a knowledgeable and proactive workforce.
  • Utilizing technology like surveillance cameras, advanced access controls, and cybersecurity measures can significantly reduce the risk of asset theft or misuse. Cybersecurity and physical security professionals can integrate cutting-edge solutions to protect your assets from both internal and external threats, providing a comprehensive defense strategy.
  • Promoting a corporate culture that values honesty and transparency can discourage fraudulent behavior. Developing policies and practices that foster open communication and a strong ethical foundation is crucial. Establishing a whistleblowing policy that encourages reporting without fear of retaliation can be an integral part of this effort.
  • Deploying data analytics and fraud detection software to monitor for unusual patterns or anomalies that can indicate asset misappropriation. Advanced data analytics and forensic accounting services can identify and investigate suspicious activity, using sophisticated tools to detect early signs of fraud and prevent asset loss.

Safeguarding Your Assets Against Pervasive Threats

Asset misappropriation poses a significant risk to businesses, draining resources and eroding stakeholder trust. By understanding the red flags and implementing a comprehensive strategy to detect and prevent asset misappropriation, your organization can protect its assets and maintain its financial integrity.

MGO’s Business Advisory solutions offer a pathway to strengthen your defenses against the risks of asset misappropriation. For a deeper dive into how we can help protect your business, reach out to our team today.

This article is part of our ongoing fraud series, “Alert Signals: Uncovering the Spectrum of Fraud,” aimed at educating your business on identifying and preventing fraudulent activities. Read the previous article in the series on spotting red flags of financial reporting fraud and stay tuned for more insights and strategies to protect your organization.

Red Flags of Financial Reporting Fraud for Your Business

Key Takeaways:

  • Financial reporting fraud poses a significant threat by misleading stakeholders about a company’s true performance and financial health.
  • Warning signs that may indicate fraudulent financial reporting include unexplained fluctuations in revenues or expenses, discrepancies between financial records and supporting documentation, and intense pressure to hit financial targets.
  • Combating financial statement fraud requires strong internal controls, specialized fraud investigation support, and regular assessments to adapt to changing risks.

~

In the modern business environment, transparency and accuracy in financial reporting are not merely regulatory requirements — they are fundamental to maintaining stakeholder trust and ensuring the longevity of your organization.

Despite this, financial reporting fraud continues to pose a critical threat with far-reaching implications. It is a sophisticated malpractice, designed to create a facade of robust financial health by deliberately misleading stakeholders about a company’s performance, financial position, or cash flows.

Recognizing Common Red Flags of Financial Statement Fraud

Identifying financial statement fraud typically starts with noticing red flags, such as:

  • Unexpected revenue or expense fluctuations
  • Document mismatches (like ledger entries not aligning with system records or inconsistent invoices)
  • Undue pressure to meet financial targets

These signs — alongside vague financial reporting and insufficient disclosures — demand deeper investigation as they may indicate efforts to manipulate figures to present a misleading financial performance.

Understanding the Mechanisms of Financial Statement Fraud

At its core, financial statement fraud involves the manipulation of accounting records and financial statements. This can take several forms:

  • Overstating revenues — By recognizing revenue prematurely or recording fictitious sales, a company can appear more profitable than it is, misleading investors and creditors about its growth prospects.
  • Understating expenses — Deliberately delaying the recognition of expenses or not recording them at all inflates earnings, painting a picture of a company that is more efficient and financially stable than in reality.
  • Misrepresenting assets and liabilities — Overvaluing assets or not fully disclosing liabilities can significantly alter a company’s apparent net worth and financial solidity.

Each type of manipulation has one goal in common: to deceive users of financial statements. Whether it is investors, creditors, or regulators, the deception aims to create an illusion of success and stability, often for personal gain, to secure financing, or to maintain a company’s share price.

How You Can Combat Financial Statement Fraud

The fight against financial statement fraud requires a multi-faceted approach, encompassing the following measures:

  • Strong internal controls — Combatting fraud all starts with a strong internal control environment that includes checks and balances, rigorous accounting policies, and a corporate culture of integrity.
  • Fraud investigation support — Even with the best controls in place, the possibility of fraud cannot be eliminated entirely. This is where specialized fraud investigation services become indispensable. Advisory firms offer comprehensive fraud and litigation support that can uncover and address these fraudulent activities. Teams of professionals use forensic accounting techniques, data analysis, and investigative expertise to peel back the layers of financial deception.
  • Regular assessments — In addition to the services above, your business must also regularly evaluate its internal controls. It is not enough to have controls in place; they must be effective and adaptive to changing risks.

Recognizing the red flags of financial statement fraud and understanding its various forms are the first steps in prevention and detection. But beyond awareness, it is the proactive and reactive measures — strong internal controls, regular assessments, and skilled investigative support — that can help protect your company against such threats.

If you are looking to safeguard your financial integrity, services offered by third-party firms are invaluable assets in the continuous effort to uphold the truth in your financial reporting.

How MGO Can Help

MGO’s Business Advisory solutions offer a path to strengthen your organization’s financial defenses. For more detailed information on our approach and how we can help protect your business, let’s talk.

This article is part of our ongoing fraud series, “Alert Signals: Uncovering the Spectrum of Fraud,” aimed at educating your business on identifying and preventing fraudulent activities. Stay tuned for more insights and strategies to protect your organization.

Internal Controls: Keys to Limiting Fraud and Boosting Your Company Value

Executive Summary:

  • Internal controls, especially around fraud prevention, are essential for limiting losses, driving efficiency, improving accountability, and boosting company value during investments or M&A deals.
  • The “tone at the top” from leadership in fostering an ethical environment, along with proper segregation of duties, are key elements for fraud prevention and strong internal controls.
  • Well-established policies and procedures, like Delegation of Authority rules and restricted system access protocols, are also vital for maintaining adequate controls to enable company growth.

~

As the economy stands on shaky legs, private equity and venture capital firms are necessarily careful and strategic when assessing potential investment opportunities. Whether your long-term plan includes acquiring another company, selling your business, or seeking new capital, strengthening your internal control environment — with a focus on preventing fraud — is a powerful way to increase actual and perceived value.

In the following, we will lay out the reasons why fraud prevention is an essential element of proper corporate governance and illustrate the key areas to examine when assessing whether your internal control environment is built to help your operation succeed.

The Importance of Internal Controls in Fraud Prevention

A robust internal control system is the first step toward managing, mitigating, and uncovering fraud. A strong internal control environment will:

  • Protect your company’s assets by reducing the risk of theft or misappropriation of cash, inventory, equipment, and intellectual property.
  • Detect fraudulent activities or irregularities early on and deter employees from attempting fraud in the first place.
  • Provide cost savings by limiting opportunities for financial losses, costly investigations, and legal expenses associated with fraud.
  • Drive operational efficiency by providing clear processes and guidelines that reduce the risk of errors or inefficiencies in day-to-day operations.
  • Improve employee accountability by implementing checks and balances that discourage unethical behavior.

When seeking an investment or undertaking a significant M&A deal, you should have a firm grasp of the strength and quality of your internal control environment. Not only will you reduce the risk of fraud in the near term, but you will also cultivate confidence with potential investors and M&A partners.

Fraud Prevention Starts with the “Tone at the Top”

The first key element to look for in measuring the strength of your internal controls is ensuring a clear and proactive “tone at the top”, meaning an ethical environment fostered by the board of directors, audit committee, and senior management. A good tone at the top encourages positive behavior and helps prevent fraud and other unethical practices.

There are four elements to fraud: pressure, rationalization, opportunity and capability.

Pressure motivates crime. This could be triggered by debt, greed, or illegal deeds. Individuals who have financial problems and commit financial crimes tend to rationalize their actions. Criminals may feel that they are entitled to the money they are stealing, because they believe they are underpaid. In some cases, they simply rationalize to themselves that they are only “borrowing” the money and have every intention of paying it back.

Opportunity is the third element: individuals who are in a position to commit fraud and believe they will get away with it may simply do it. Capability means the criminal has the expertise as well as the intelligence to coerce others into committing fraud. The board of directors is responsible for selecting and monitoring executive management to ensure best practices are in place to limit all four elements of fraud.

Proper Segregation of Duties for Internal Controls

The second key element to look for in your internal controls is a well-established segregation of duties. The idea is to establish controls so that no single person holds the access or authority that would give them the opportunity to commit fraud. Companies must make it extremely difficult for any single employee to have the opportunity to perpetrate a crime and subsequently cover it up.

Fraud Controls 

There are three types of controls that help manage the risks of fraud: preventative, detective, and corrective.

  • Preventative controls seek to avoid undesirable events, errors, and other occurrences that an enterprise has determined could have a negative material effect on a process or end product. Preventative controls are the best of the three as they are the first line of defense and a backstop to fraud. If designed correctly, preventative controls stop an undesirable event from even happening.  
  • Detective controls exist to detect and report when errors, omissions, and unauthorized uses or entries have already occurred. Although it is important to identify these adverse events, you are doing so after the fraud has already been committed.
  • Corrective (also referred to as compensating) controls are designed to correct errors, omissions, and unauthorized uses and intrusions once they are detected.  

Preventing Misappropriation of Assets 

An important component of segregation of duties is to prevent the misappropriation of assets and reduce fraud risk. Below are some examples of best practices for various types of assets: 

  • Cash Receipt: segregate the receipt of cash/checks and the recording of the journal entry in the accounting system into two roles.
  • Accounts Receivable: segregate the responsibilities of recording cash received from customers and providing credit memos to customers. (If one person performs both functions, it creates the opportunity to divert payments from the customer to the employee and then cover the theft with a matching credit to the customer’s account).
  • Cash Reconciliation: the individuals who authorize, process, or record cash should not perform the bank reconciliation to the general ledger.
  • Inventory: individuals who order goods from the suppliers should not have the ability to log the goods received in the accounting system.
  • Payroll: segregate the responsibilities of compiling gross and net pay for payroll, with the responsibilities of verifying the calculation. (If a single individual performs both functions, it allows for the opportunity to increase personal compensation and the compensation of others without authorization. It also provides an opportunity to create a fictitious payee and make corresponding payroll checks).
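The five practices above are, in access-control terms, pairs of duties that must never land on one person. The following added example (not MGO’s own tool) shows how a practitioner can check an access export for exactly those conflicts: roles grant duties, users hold roles, and a user is flagged when their effective duties span both sides of a rule. The role catalogue, duty names and user-to-role export are constructed for illustration; the five rules mirror the list above.

```python
"""Segregation-of-duties (SoD) conflict check over a role assignment export.

Added example, not MGO's own tooling. Role names, duty names and the
user/role export are constructed; the five conflict rules mirror the
cash receipt, accounts receivable, cash reconciliation, inventory and
payroll practices listed above.
"""
from collections import defaultdict

# Each rule names two sets of duties that one person must not hold together.
# A user is in conflict when they hold at least one duty from each side.
SOD_RULES = {
    "cash_receipt_vs_recording": ({"receive_cash"}, {"record_cash_journal"}),
    "ar_cash_vs_credit_memo": ({"record_customer_cash"}, {"issue_credit_memo"}),
    "cash_handling_vs_bank_rec": (
        {"authorize_cash", "process_cash", "record_cash_journal"},
        {"bank_reconciliation"},
    ),
    "purchasing_vs_receiving": ({"order_goods"}, {"log_goods_received"}),
    "payroll_prep_vs_verify": ({"compute_payroll"}, {"verify_payroll"}),
}

# Constructed ERP role catalogue: role -> duties the role grants.
ROLE_DUTIES = {
    "AR_Clerk": {"receive_cash", "record_customer_cash"},
    "AR_Supervisor": {"issue_credit_memo"},
    "GL_Accountant": {"record_cash_journal"},
    "Treasury": {"authorize_cash", "process_cash"},
    "Bank_Rec": {"bank_reconciliation"},
    "Buyer": {"order_goods"},
    "Warehouse": {"log_goods_received"},
    "Payroll_Prep": {"compute_payroll"},
    "Payroll_Review": {"verify_payroll"},
}

# Constructed access export (what an IAM or ERP user/role dump would give you).
USER_ROLES = {
    "alice": {"AR_Clerk", "AR_Supervisor"},   # records customer cash AND issues credits
    "bob": {"GL_Accountant"},
    "carol": {"Treasury", "Bank_Rec"},        # moves cash AND reconciles the bank
    "dave": {"Buyer"},
    "erin": {"Warehouse", "Buyer"},           # orders goods AND logs receipts
    "frank": {"Payroll_Prep"},
    "grace": {"Payroll_Review"},
}


def effective_duties(user_roles, role_duties):
    """Flatten role membership into the set of duties each user actually holds."""
    out = {}
    for user, roles in user_roles.items():
        duties = set()
        for role in roles:
            duties |= role_duties.get(role, set())
        out[user] = duties
    return out


def find_sod_conflicts(user_roles, role_duties, rules=SOD_RULES):
    """Return {user: [(rule, duties held on side A, duties held on side B), ...]}.

    Only users with at least one conflict appear in the result.
    """
    conflicts = defaultdict(list)
    for user, duties in effective_duties(user_roles, role_duties).items():
        for name, (side_a, side_b) in rules.items():
            held_a = duties & side_a
            held_b = duties & side_b
            if held_a and held_b:
                conflicts[user].append((name, sorted(held_a), sorted(held_b)))
    return dict(conflicts)


if __name__ == "__main__":
    for user, hits in sorted(find_sod_conflicts(USER_ROLES, ROLE_DUTIES).items()):
        for rule, a, b in hits:
            print(f"{user}: {rule}: holds {a} together with {b}")
```

Running the check on a real export is only half the control: the conflicts it prints should feed a periodic access review in which the system owner either removes one side of the conflict or documents a compensating detective control for the user.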

The Importance of Policies and Procedures

The third key element to look for in your investees is well-established policies and procedures. Make sure that any company you consider acquiring has basic policies and procedures in place, such as Delegation of Authority (DOA).

The DOA is a policy where the executive team delegates authority to the management of the company. Individuals should be considered appropriate to fulfill delegated roles and responsibilities. The DOA should be reviewed at least annually. In addition, it is important to ensure that the DOA is being followed, and that approvals do not deviate from it. Any such anomalies should be rare and, when they do occur, they need to be reviewed and approved. Constant deviations from the DOA may be a sign that the DOA needs to be restructured.
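Checking that approvals stay within the DOA, and noticing when one approver keeps exceeding it, is a routine audit analytic. The added example below (not MGO’s own tool) runs that check over an approvals log: it flags approvals above the approver’s delegated limit that lack a documented exception review, flags approvers who appear in no DOA role at all, and counts deviations per approver so that recurring ones stand out. The limit table, the approver-to-role mapping and the approvals log are constructed.

```python
"""Check an approvals log against a Delegation of Authority (DOA) limit table.

Added example, not MGO's own tooling. DOA limits, approver roles and the
approvals log are constructed. A deviation is an approval above the
approver's delegated limit; only deviations without a documented exception
review are reported as findings, but every deviation counts toward the
recurring-deviation signal.
"""
from collections import Counter
from decimal import Decimal

# Constructed DOA table: role -> maximum amount the role may approve.
DOA_LIMITS = {
    "manager": Decimal("10000"),
    "director": Decimal("50000"),
    "cfo": Decimal("250000"),
}

# Constructed mapping of approver user ids to their DOA role.
APPROVER_ROLE = {"ana": "manager", "ben": "director", "cho": "cfo"}

# Constructed approvals log; reviewed_exception marks a documented override.
APPROVALS = [
    {"id": "PO-1", "approver": "ana", "amount": "8500", "reviewed_exception": False},
    {"id": "PO-2", "approver": "ana", "amount": "12000", "reviewed_exception": False},
    {"id": "PO-3", "approver": "ana", "amount": "15000", "reviewed_exception": True},
    {"id": "PO-4", "approver": "ben", "amount": "49000", "reviewed_exception": False},
    {"id": "PO-5", "approver": "ben", "amount": "60000", "reviewed_exception": False},
    {"id": "PO-6", "approver": "zed", "amount": "100", "reviewed_exception": False},
]


def check_doa(approvals, limits, approver_role, recurring_threshold=2):
    """Return unreviewed deviations, deviation counts per approver and recurring approvers."""
    unreviewed = []
    per_approver = Counter()
    for a in approvals:
        role = approver_role.get(a["approver"])
        limit = limits.get(role)
        amount = Decimal(a["amount"])
        if limit is None:
            # An approver outside the DOA has no authority at any amount.
            per_approver[a["approver"]] += 1
            unreviewed.append((a["id"], a["approver"], "approver holds no delegated authority"))
            continue
        if amount > limit:
            per_approver[a["approver"]] += 1
            if not a["reviewed_exception"]:
                unreviewed.append(
                    (a["id"], a["approver"], f"{amount} exceeds {role} limit {limit}; no reviewed exception")
                )
    recurring = sorted(u for u, n in per_approver.items() if n >= recurring_threshold)
    return {
        "unreviewed_deviations": unreviewed,
        "deviations_per_approver": dict(per_approver),
        "recurring": recurring,
    }


if __name__ == "__main__":
    result = check_doa(APPROVALS, DOA_LIMITS, APPROVER_ROLE)
    for item in result["unreviewed_deviations"]:
        print("finding:", item)
    print("recurring deviators (DOA may need restructuring):", result["recurring"])
```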

A second essential policy and procedure is restricted computer and application access. This is to protect sensitive company financials and proprietary data. The company should have a robust control environment and maintain computer logins and password access on a need-to-know basis. Access should only be granted by the owner of the application or system and subsequently logged by the administrator. Now more than ever companies are hiring remote employees. This shift in the dynamic workspace further emphasizes the need for a quality IT controls environment.

How We Can Help

As you prepare your company for future growth, getting an impartial third-party opinion on your internal control environment can be a powerful tool for finding gaps and inefficiencies, and implementing value-added changes.

Our dedicated Public Company teams offer a deep level of industry experience and technical skills. We can help prepare your company for a major capital raise, including going public via an IPO or RTO. Or we can help optimize value for an M&A deal, whether you are buying or selling. Contact us today to access an external, holistic vision focused on helping you grow and succeed.

Defense Wins Championships – Why Your Government Needs Internal Auditing on Its Team

Executive Summary:

  • State and local governments need defensive strategies to protect against risks like fraud, financial loss, and reputational damage, and checks to ensure those strategies are working.
  • The Three Lines Model executes three levels of protection designed to prevent risks from disrupting your operations and causing damage or loss.
  • As the third-line defense, internal auditing analyzes the entire field to identify potential weaknesses and ensure your defensive strategies are effective at averting risks.

~

At the start of the football season, sports analysts spend a lot of time talking about who will be the player to lead their team to a championship. Yet, as we learn year after year, championships are not won by a single player. It is a collective effort, based on an assembly of individuals pooling their talents together in pursuit of a common goal.

In sports, the common goal is a championship. In business, the goal is to generate profit by establishing customer loyalty for your products or services. In government, the goal is to make our communities ideal places to live, work, and play. To win in all these instances, you need a strong team with contributions from every player.

Football fans often hear the refrain, “offense wins games, but defense wins championships.” Government teams looking to achieve their goals should not overlook the necessity of a robust defense — with internal auditing giving you the upper hand over your opponent.

What is Internal Auditing?

According to The Institute of Internal Auditors (IIA), internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. Internal auditing provides a systematic approach to evaluating and improving the effectiveness of governance, risk management, and controls processes.

To simplify: Your organization has goals (objectives). However, obstacles (risks) may exist that keep your organization from reaching its goals. You should develop strategies (internal controls) to prevent those obstacles from occurring, and continuously check to make sure your strategies are working properly (monitoring). To avoid confirmation bias — where you only seek and accept information that supports your goals — you should seek validation from an objective entity (internal audit) to evaluate if your strategies truly position your organization to succeed.

To accomplish all this, you need a coalition of talented individuals that can identify risks, strategize against them, prevent or detect risk infiltration, and consistently monitor emerging risks to provide guidance on how to stay ahead of the curve. In football terms, you need a strong defensive line!

Three Lines of Defense 

Let’s say that risk is the offensive team. Its goal is to get into your organization’s end zone to disrupt operations. The quarterback could be a hacker, fraudster, or unintentional human error. The offensive team also has other formidable players: fraud risks, cyber-attack risks, liquidity risks, etc.

Organizations need a more skilled, agile, and experienced defensive team to counteract the activity of the risk offense. Enter IIA’s Three Lines Model. This defensive strategy executes three levels of protection designed to keep risk from causing extreme financial or other damage.

The Three Lines Model defines defensive roles and responsibilities as follows:

  • First Line of Defense – develops strategies to address risks
  • Second Line of Defense – monitors strategies
  • Third Line of Defense – provides assurance that strategies are truly effective at mitigating risks

Let’s look at the organizational playbook to understand the goals of the offensive and defensive teams and the Three Lines defensive strategy.

Understanding the Offensive Opponent

Organizations are trying to prevent risks from disrupting operations and causing financial and/or other damages. If the risk team scores in your end zone, that means they have exposed a weakness in your organization. Depending on the weakness, it could cost you a little (inefficient operations) or it could cost you a lot (major cyberbreach with financial and reputational damages) … but it will cost you!

Defining Each Line of Defense

First Line of Defense: Management, Staff, and Internal Controls

The first line of defense consists of the organizational staff associated with daily operations, delivery of goods and services, and identifying and addressing risks. For example, to minimize the risk of hacking via password breaches, this line would create a password policy and accompanying procedure, set up systems requirements accordingly, and follow the policy and procedures in daily operations.

Second Line of Defense: Risk Management and Compliance Functions

The second line of defense consists of the organizational staff that monitor your organization’s adherence to its own policies and procedures and other required guidance (e.g., regulations, laws, etc.). For example, to ensure that your organization is following its policies and procedures for minimizing hacking via password breaches, this line would periodically analyze data to ensure compliance with internal guidance, industry best practices, etc.

Third Line of Defense: Internal Audit

The third line of defense consists of internal audit professionals with knowledge in various industries. Internal audit conducts real-time assessments and communicates any weaknesses in the first two lines. Using the prevention of hacking example from above, in addition to assessing password protocols and practice, internal audit may identify that your organization has improper access controls that increase the risk of hackers infiltrating your organization’s systems. Internal audit would provide recommendations for improvement and express urgency for corrective action.

Defensive Benefits of Internal Auditing

Internal audit is not an adversary; it is part of your team. Internal audit collaborates with your management and staff, in real time, to understand your organizational goals, concerns, strengths, and weaknesses. Where external audit provides your management with an analysis of a snapshot in time, internal audit continuously and systematically provides value-added feedback to your management and your board and/or audit committee.

Internal audit assists with ensuring your organizational playbook(s) remain relevant. As the third or last line of defense, it analyzes the entire field (the organization) to make sure your defensive strategies (internal controls) are effective at averting risks from scoring (causing financial, operational, reputational, etc., losses).

The analyses conducted by internal audit include (but are not limited to):

  • Conducting risk assessments to identify the likelihood and potential impact of risks to assist the organization in focusing resources on prioritized areas for improvement.
  • Assessing your information technology and cybersecurity environments to identify and advise on protecting organizational data, improving IT infrastructure, preparing disaster recovery strategies, etc.
  • Assisting in preparing for external audits by assessing if the organization’s financial statements are accurate, complete, compliant with regulations, and free from material misstatement. 
  • Conducting performance assessments to identify areas for efficiency and effectiveness improvements.

Internal audit strengthens your organization’s improvement efforts by bringing reinforcements to your already stellar team. The internal audit group delivers additional resource capacity, skills, and perspectives — including extensive knowledge about various industry standards as internal audit professionals are required to maintain continuing education in their specific areas of focus.

How MGO Can Strengthen Your Team’s Defense

MGO has a defensive line that is ready and motivated to support your organization. Stacked with professionals experienced in areas like state and local government, fraud, audit and assurance, government audit, and cybersecurity, our team is diverse in thought, knowledge, and culture — and we bring those perspectives to the field for you. Contact us today to learn how our internal auditing solutions can boost your organization’s defense.

How to Elevate Your Company’s IPE Documentation to Optimize SOX Compliance

By Jonathan Bayeff, CPA & Cesar Reynoso, CPA

Executive Summary:

  • The Sarbanes-Oxley (SOX) Act established stricter financial reporting requirements for public companies, leading to increased scrutiny of Information Produced by the Entity (IPE).
  • IPE carries different levels of risk depending on whether it is system-generated or manually prepared. Strong documentation is key to validating the completeness and accuracy of IPE.
  • Best practices for IPE documentation include identifying the source, parameters, and format of reports; validating totals and counts; retaining screenshots; and having knowledgeable reviewers.

~

Passed by Congress in 2002, the Sarbanes-Oxley (SOX) Act revolutionized public company audits by introducing financial reporting requirements aimed at increasing transparency and preventing fraud. Most notably, the SOX Act established the Public Company Accounting Oversight Board (PCAOB), a nonprofit organization that oversees the audits of public companies to protect investors and further the public interest in the preparation of informative, accurate, and independent audit reports.  

The PCAOB refines its auditing standards annually and, in recent years, the organization has placed greater scrutiny on the work of external auditors. To keep up with PCAOB compliance, external auditors have imposed more rigorous documentation requirements on companies. As a result, companies have felt pressure to provide more expansive Information Produced by the Entity (IPE).

If external auditors have applied greater scrutiny on your reporting, you may be wondering: What level of documentation is sufficient? How can you improve your documentation to avoid deficiencies and provide greater clarity? In this article, we will discuss: 1) what IPE is, 2) the risks associated with different IPE, and 3) how to document your IPE thoroughly.

What is IPE?

IPE is any information created by a company used as part of audit evidence. Audit evidence may be used to support an underlying internal control or as part of a substantive audit. Although there are documentation and risk severity differences between system-generated and manually prepared IPE, the fundamental questions that need to be addressed are the same:

  1. Is the data complete?
  2. Is the data accurate?
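Both questions can be answered mechanically for a system-generated report: tie the export to a control count and control total obtained independently (for example from the general ledger), check for duplicated keys and unparseable amounts, and keep a record of the source, the parameters used and a hash of the export so the reviewer can see exactly what was validated. The following added example (not MGO’s own tooling) does that; the CSV export, the report parameters and the control totals are constructed.

```python
"""Completeness and accuracy checks for a system-generated report used as IPE.

Added example, not MGO's own tooling. The CSV export, the report
parameters and the control count/total are constructed. Completeness is
checked by row count and duplicate keys against an independent control
count; accuracy by parsing every amount and tying the column total to an
independent control total. The evidence record keeps source, parameters
and a hash of the export alongside the verdicts.
"""
import csv
import hashlib
import io
from decimal import Decimal, InvalidOperation

# Constructed ERP export of a standard accounts-receivable report.
REPORT_CSV = """\
invoice_id,customer,amount
1001,ACME,1250.00
1002,Globex,300.50
1003,Initech,89.99
"""

# Constructed parameters the preparer entered when running the report.
REPORT_PARAMETERS = {"report": "AR_OPEN_ITEMS_STD", "as_of": "2024-06-30", "entity": "US01"}


def parse_report(raw):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(raw)))


def validate_ipe(raw, key_col, amount_col, control_count, control_total):
    """Tie the export to an independent control count and control total.

    Returns the completeness and accuracy verdicts plus the individual findings.
    """
    rows = parse_report(raw)
    findings = []

    # Completeness: every expected record present, none duplicated.
    keys = [r[key_col] for r in rows]
    duplicates = sorted({k for k in keys if keys.count(k) > 1})
    if duplicates:
        findings.append(f"duplicate {key_col} values: {duplicates}")
    if len(rows) != control_count:
        findings.append(f"row count {len(rows)} differs from control count {control_count}")

    # Accuracy: every amount parses and the column total matches the control total.
    total = Decimal("0")
    parse_errors = 0
    for r in rows:
        try:
            total += Decimal(r[amount_col])
        except InvalidOperation:
            parse_errors += 1
            findings.append(f"{key_col} {r[key_col]}: non-numeric {amount_col} {r[amount_col]!r}")
    if total != Decimal(control_total):
        findings.append(f"column total {total} differs from control total {control_total}")

    return {
        "complete": len(rows) == control_count and not duplicates,
        "accurate": parse_errors == 0 and total == Decimal(control_total),
        "row_count": len(rows),
        "total": str(total),
        "findings": findings,
    }


def evidence_record(raw, source_system, parameters, result):
    """Build the documentation record that sits next to the report in the audit file."""
    return {
        "source_system": source_system,
        "parameters": dict(parameters),
        "export_sha256": hashlib.sha256(raw.encode("utf-8")).hexdigest(),
        "row_count": result["row_count"],
        "column_total": result["total"],
        "complete": result["complete"],
        "accurate": result["accurate"],
        "findings": list(result["findings"]),
    }


if __name__ == "__main__":
    res = validate_ipe(REPORT_CSV, "invoice_id", "amount", control_count=3, control_total="1640.49")
    print(evidence_record(REPORT_CSV, "ERP (constructed)", REPORT_PARAMETERS, res))
```

The hash in the evidence record is what lets a reviewer confirm that the file they are looking at is the one that was validated; a manually prepared workbook would need the same record plus a note on where each input column came from.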

Risk Levels of Different IPE

Here is an overview of how risk levels vary for different types of information you report to auditors:  

Low Risk

“Out of the box” reports carry the lowest risk. These reports are also referred to as “standard” or “canned” reports. Standard reports have been developed by software companies — such as Oracle NetSuite, QAD, or SAP — as part of their enterprise resource planning (ERP) systems. Typically, the end user (you) and even your IT team cannot modify these reports. Given the constrained editability, greater reliance is placed on these reports.   

Medium Risk

Custom reports are typically driven by the business team and developed in-house by your company’s IT team. When your company’s ERP system does not have a report that would provide sufficient data, the in-house developers create a custom report. The IT team follows its change management process when developing the requested report. If the report results do not align with your business team’s expectations, the query is refined, and the process is repeated until it does.  

High Risk   

A manually prepared workbook or an ad-hoc query is inherently the riskiest form of documentation. A manually prepared workbook may be a debt reconciliation prepared by your staff accountant, or a list of litigation the company is involved in, drafted by your legal department. Because these are drafted by hand, the margin of error may be high.  

An ad-hoc query is considered high risk since the report is not subject to IT General Controls (ITGC) testing. The end user may input any parameters to generate the report. Since no control testing is performed by your company, external auditors would need to rely on their own IT team to vet the nonstandard query. 

How to Document IPE? 

Your documentation will vary to a certain degree depending on whether the IPE is manually prepared or system generated. In either case, it is important to be as thorough as possible when documenting your procedures.  

Manual IPE

For a manually prepared workbook, provide thorough documentation about the origins of the data. It is ideal to have someone who is privy to the information review the workbook.  

When the reconciliation consists of debt instruments, the reviewer should do the following:   

  1. Match the list of individual debt instruments to the signed agreements.  
  1. Validate the reconciliation and each individual schedule for mathematical accuracy.  
  1. Confirm ending principal balances with creditors (where possible).  

If the list consists of litigations compiled by the legal department, the reviewer should do the following:   

  1. Send confirmations to outside counsel (where possible).  
  1. Obtain a list of commitments and contingency journal entries made to an accrual.    

These additional steps provide greater comfort that the list compiled is complete and accurate.   

System-Generated IPE

For system-generated IPE, there are a handful of questions to keep in mind:   

  1. Have you identified the report or saved search that was used?   
  1. What parameters were used to generate this report?   
  1. In what format is the data exported?   
  1. After you run your report and confirm the parameters are correct, what format should be utilized for your export?  

Exported Data

Most ERP systems allow the exporting of data in the following four formats:   

  1. PDF (portable document format) 
  1. Excel  
  1. CSV (comma-separated values)   
  1. Text file   

One major drawback of Excel, CSV, and text file exports is that, by their nature, they are editable after export. An additional drawback of a text file is that it carries no formatting. As the volume of data grows, proving completeness and accuracy becomes more challenging. For these reasons, a PDF export is typically preferred.  

After the data is exported in one of the four formats, you want to ensure that it agrees back to the system (completeness and accuracy). Here are a few ways to do that:     

  1. Does the exported data have dollar amount totals? If so, agree the total dollar amount to the system.  
  1. Does the exported data have hash totals? An example of a hash total is the sum of employee ID numbers, which in aggregate has no real value other than providing confirmation that the data is complete and accurate.   
  1. Does the report have a total line count? If totals are not available, line counts may be used. However, it is important to note that while the line count may agree, the data itself could have still been inadvertently manipulated.  
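The three tie-out checks above (dollar total, hash total, line count), and the caveat that a matching line count does not prove the rows were left untouched, can be carried out by a short script rather than by hand. The following is an added example, not code from the original article or from any ERP vendor: it assumes a constructed CSV payroll export with the columns `employee_id`, `department`, and `gross_pay`, and constructed control figures that a reviewer would read from the system screen. It also records a SHA-256 digest of the export as captured, which is the kind of evidence that catches a compensating edit the three control figures cannot see.

```python
"""Completeness-and-accuracy tie-out of an exported IPE file (added example).

Assumptions (not from the article): a CSV export with columns
employee_id, department, gross_pay, and "system" control figures the
reviewer captured in a screenshot at the time the report was run.
"""
import csv
import hashlib
import io
from decimal import Decimal

# Constructed sample export, as an ERP might write it to a CSV file.
SAMPLE_EXPORT = """employee_id,department,gross_pay
10021,Finance,5200.00
10044,Legal,6100.50
10057,IT,4875.25
10090,Finance,5200.00
"""

# Constructed: the same export after two compensating edits to gross_pay.
# Line count, dollar total and hash total all still agree with the system.
TAMPERED_EXPORT = """employee_id,department,gross_pay
10021,Finance,5100.00
10044,Legal,6200.50
10057,IT,4875.25
10090,Finance,5200.00
"""

# Constructed control figures the reviewer read from the system screen.
SYSTEM_CONTROLS = {
    "line_count": 4,
    "dollar_total": Decimal("21375.75"),
    "hash_total": 40212,  # sum of the four employee IDs; meaningless on its own
}


def compute_controls(export_text):
    """Return the line count, dollar total and hash total of an export.

    Decimal is used for money so that cents are not lost to float rounding.
    """
    reader = csv.DictReader(io.StringIO(export_text))
    line_count = 0
    dollar_total = Decimal("0")
    hash_total = 0
    for row in reader:
        line_count += 1
        dollar_total += Decimal(row["gross_pay"])
        hash_total += int(row["employee_id"])
    return {
        "line_count": line_count,
        "dollar_total": dollar_total,
        "hash_total": hash_total,
    }


def content_digest(export_text):
    """SHA-256 of the export bytes, to be recorded with the screenshot."""
    return hashlib.sha256(export_text.encode("utf-8")).hexdigest()


def tie_out(export_text, system_controls):
    """Compare the export's control figures to the system's.

    Returns a list of exception strings; an empty list means every
    control figure agreed.
    """
    computed = compute_controls(export_text)
    exceptions = []
    for name, expected in system_controls.items():
        if computed[name] != expected:
            exceptions.append(
                f"{name}: export {computed[name]} vs system {expected}"
            )
    return exceptions


if __name__ == "__main__":
    print("original:", tie_out(SAMPLE_EXPORT, SYSTEM_CONTROLS) or "all controls agree")
    print("tampered:", tie_out(TAMPERED_EXPORT, SYSTEM_CONTROLS) or "all controls agree")
    # The control figures agree for both files; only the digest reveals the edit.
    print("digests differ:", content_digest(SAMPLE_EXPORT) != content_digest(TAMPERED_EXPORT))
```

Run on the two constructed files, `tie_out` reports no exceptions for either, which is exactly the weakness the third check above warns about; the digest recorded at export time is what distinguishes the captured file from the edited one. A truncated export (a missing row) is caught by all three control figures.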

Screenshots of Data

Retaining screenshots is imperative for documentation. A detailed screenshot should include some (if not all) of the following:  

  1. Totals (dollar amounts, hash amounts, etc.)   
  1. Line count   
  1. Parameters utilized 
  1. Time and date stamp 

The first three items validate the completeness and accuracy of the exported data. The fourth item confirms when the report was run and if it was timely. There are many reports that are point-in-time and may not be recreated at a future date. Knowing the constraints of the reports you use is important. Retaining screenshots cannot be overemphasized, especially for point-in-time reports.   

Certain ERP systems or online portals do not provide a preview of the report prior to the export. This puts a constraint on the validation of completeness and accuracy, as it inhibits screenshots from being taken. In this case, as part of the review, the reviewer should re-run the report and validate that the original report used matches the information in the re-run report.

Strengthen Your SOX Compliance by Implementing Best Practices  

There is no perfect science to IPE documentation. But the end goal is to be as detailed as possible. By simply focusing on the fundamental questions and ensuring that your documentation addresses them, your documentation will inevitably improve.   

Developing best practices for your team is the cornerstone for any successful audit. Ensure you have the right guidance to make it happen. Our Audit and Assurance team can tailor a SOX environment to meet your needs. Contact us today to learn more.

SEC Adopts Rules on Cybersecurity Risk Management

Executive Summary

  • The Securities and Exchange Commission (SEC) is promoting the enhancement and standardization of registrants’ disclosures related to cybersecurity risk management, strategy, and governance by adopting a rule that requires public companies to disclose “material” cybersecurity breaches within four days of determining its materiality.
  • The SEC wants to know: the processes the companies use to assess, identify, and manage cybersecurity risks, as well as the board’s oversight of such risks and management’s role in assessing and managing those risks.
  • The rules apply to nearly all registrants that file periodic reports with the SEC (including foreign private issuers and smaller reporting companies).
  • Registrants must also include their risk management, strategy, and governance disclosures in their 2023 annual reports.

The SEC wants public companies to be more transparent with their investors about cybersecurity. On July 26, 2023, it voted 3-2 to adopt new disclosure rules intended to bring clarity to “material” breaches and to what is being done to combat them. Companies must make this disclosure on Form 8-K within four days of determining that a cybersecurity breach was material. However, delays may be permitted if immediate disclosure of the breach could pose a national security or public safety risk.

Defining “material” disclosures

According to the U.S. Supreme Court, a piece of information is material to investors when its disclosure “would be viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.”

Why is the SEC implementing this rule change?

The SEC seeks to protect companies and investors as cybersecurity incidents have increased in number and sophistication in recent years. In their fact sheet they note: “Cybersecurity risks have increased alongside the digitalization of registrants’ operations, the growth of remote work, the ability of criminals to monetize cybersecurity incidents, the use of digital payments, and the increasing reliance on third party service providers for information technology services, including cloud computing technology (…) All of these trends underscored the need for improved disclosure.”

But corporations are contesting the rules, arguing this short announcement period is unreasonable — and could reveal vulnerabilities that could be exploited by more cybercriminals looking to take advantage of a company mid-breach.

What are the requirements for risk management, strategy, and governance disclosures?

Public companies will be required to disclose their cybersecurity breaches within a four-day time period. This disclosure must include additional details too, like the timing of the incident, its impact on the company, and management’s expertise on cybersecurity in Form 10-Ks (and Form 20-Fs for Foreign Filers).

How will the SEC cybersecurity rules affect you?

The SEC has observed that previous cybersecurity announcements have been inconsistent and inadequate.

Many public companies already have plans in place to share sensitive information about their cyber incidents with federal agencies (FBI). Last year, the Cybersecurity and Infrastructure Security Agency (CISA) adopted cybersecurity rules that require critical infrastructure entities to report breaches within three days to CISA. This reporting duplication could prove confusing and time-consuming.

Ultimately, all public companies need robust internal controls and reporting systems to maintain compliance with the SEC requirements. This assumes issuers already have top-tier cybersecurity technology and processes in place. If not, they’ll need to build these functions out to minimize subsequent fallout from investors and regulators when these inadequacies are made public in their reporting.

The SEC strives to protect investors, which isn’t a bad thing. However, the enforcement of these new rules may not be the most logical option to do so.

Ultimately, the question may not necessarily be how many days you should take to disclose your breach but who should actually be regulating cybersecurity, and who has the authority to call the shots. Cybersecurity is no longer a “nice to have” function in an organization.

How we can help

It’s important to stay vigilant to protect your organization from risk and maintain compliance. Our Technology and Cybersecurity Practice can help verify you are compliant and strengthen your overall cybersecurity, so these incidents are less likely to occur. And, if they do, you’ll be ready to mitigate risks sooner — and make progress towards compliance with the SEC’s new rules.

If you are ready to assess your cybersecurity posture, or you have questions about how the SEC’s new requirements could affect you, schedule a conversation with our Technology and Cybersecurity team today.