Your Guide to Navigating the Intoxicating Hemp Market

Key Takeaways:

  • The intoxicating hemp industry offers exciting opportunities for innovation and revenue growth, but navigating its complex and changing regulatory landscape requires adaptability and strategic planning.
  • While consumer demand for intoxicating hemp products is surging, businesses face challenges like a changing regulatory environment, banking hurdles, and the need for extensive consumer education.
  • Success in this evolving market demands a comprehensive strategy addressing compliance, financial management, and risk mitigation to capitalize on opportunities while navigating regulatory changes.
  • Whether you agree with how these products came to market, many now believe that they will survive the regulatory process in some form, most likely in an environment with state-by-state regulations.

~

Intoxicating hemp products have had explosive growth but are now facing regulatory and other headwinds, with states like California, Missouri, and New Jersey introducing new regulations to control their sale and distribution. For intoxicating hemp companies, or those considering entering this space, you are navigating a complex landscape that offers both significant opportunities and substantial challenges. In this evolving industry, it is essential to understand the market dynamics, regulatory environment, and how to manage your business effectively.

The Rise of Intoxicating Hemp

Intoxicating hemp products are the result of wording in the 2018 Farm Bill, which created a gray area where alternative cannabinoids — such as Delta-8 THC, Delta-10 THC, HHC, and a host of other compounds — have come into existence.

Since then, due to the ability to access traditional retail channels (including direct-to-consumer) and a lower tax and regulatory burden compared to cannabis, the market for intoxicating hemp products has exploded. These products, which offer consumers a legal alternative to traditional cannabis, have gained popularity in the form of beverages, tinctures, vapes, and other consumables. While this boom presents exciting opportunities, it also introduces a host of challenges for those entering or already operating in the intoxicating hemp industry.

Opportunities in the Intoxicating Hemp Market

The intoxicating hemp industry offers several key opportunities for companies looking to expand or diversify their product lines:

1. Rising Consumer Demand

The demand for intoxicating hemp products has skyrocketed. Products such as Delta-8 THC and Delta-9 THC are increasingly popular due to their similar effects to cannabis while staying within a legal gray area and being more widely available. Gummies and beverages, in particular, have emerged as popular product forms — with beverages providing an appealing alternative as younger generations report decreased alcohol consumption. This creates a growing market for your business to tap into.

Curaleaf, Kiva, Medterra, Wyld, 1906, and Tilray — which just recently launched a lineup of hemp-derived Delta-9 THC mocktails, seltzers, and sparkling drinks in the U.S. — are among the cannabis companies that have already entered the hemp market. In a recent Cannabis Business Times survey, 17% of participants from state-legal cannabis businesses said they are currently growing or selling intoxicating hemp-derived cannabinoid products and 26% said they are considering or would consider growing or selling intoxicating hemp products.

2. New Revenue Streams

For cannabis operators and hemp sellers, the intoxicating hemp market offers a way to diversify revenue streams. If you are already in the cannabis business, adding hemp-derived products can provide a complementary line that broadens your market reach. While regulations continue to evolve, potential remains to sell in more mainstream retail spaces — further increasing revenue opportunities.

3. National Scaling and Partnerships

One of the key advantages of intoxicating hemp is the ability to scale your brand nationally through interstate commerce. Unlike cannabis, which faces strict state-by-state regulations, intoxicating hemp can be legally shipped across state lines. Additionally, forming strategic partnerships with other brands, such as those in the food and beverage industry, can further enhance your product offerings and brand visibility.


Challenges Facing Intoxicating Hemp Companies

Despite the many opportunities, the intoxicating hemp industry is not without its challenges — including:

1. Regulatory Uncertainty

Perhaps the most significant challenge facing intoxicating hemp businesses is regulatory uncertainty. While the update to the 2018 Farm Bill appears to be deferred, many states have moved to restrict intoxicating hemp derivatives like Delta-8.

For example, New Jersey recently mandated that intoxicating hemp goods fall under the same regulatory system as cannabis. California has implemented emergency regulations, while Missouri’s governor ordered the removal of intoxicating hemp products from the market. Other states, like Louisiana and Connecticut, are implementing new restrictions without outright bans.

This regulatory landscape is likely to continue evolving, with the possibility of stricter federal oversight in the future. Your business model and product offerings need to be flexible enough to adapt to these changes — and the potential uncertainty ahead.

2. Market Saturation and Consumer Confusion

The initial boom in Delta-8 and other intoxicating hemp products has led to market saturation in some regions, increasing competition and potentially driving down profit margins. Adding to this challenge is consumer confusion. Many customers still struggle to differentiate between hemp, cannabis, CBD, and various THC isomers. As a result, educating consumers about products is crucial to building trust and expanding your customer base.

3. Financial Hurdles

While intoxicating hemp companies generally face fewer banking restrictions than cannabis companies, many financial institutions remain hesitant to work with businesses in this space. This can make basic operations challenging — from processing payments to securing loans. You may need to work with specialized financial service providers or explore alternative banking solutions. It is also crucial to maintain meticulous financial records and be prepared for extra scrutiny from financial institutions.

Navigating the Industry’s Complexities

While the intoxicating hemp market offers exciting opportunities for growth and innovation, it also comes with its fair share of challenges. To succeed in this evolving industry, it is crucial to have a comprehensive strategy that addresses compliance, financial management, and risk mitigation. With the right support, you can navigate these complexities and position your business for growth in this fast-growing market.

How We Can Help

Our dedicated Cannabis team understands the unique challenges you face in the intoxicating hemp landscape. We offer a range of services to help guide your efforts — from inventory accounting to tax strategy to help obtaining banking services. Reach out to our team today to learn how we can help you thrive in the intoxicating hemp market.

How to Master Cost Management for Your Winery

Key Takeaways:

  • Effective cost management involves proper inventory costing methods, accurate accounting of tasting room operations, and appropriate financial reporting practices.
  • Wineries of different sizes face unique challenges, from implementing GAAP-based inventory costing for small wineries to comprehensive risk management strategies for large wineries.
  • Understanding production costs, distribution expenses, and potential risks helps wineries make informed financial decisions and achieve sustainable growth.

~

As a winery owner, mastering cost management is crucial for profitability. Understanding your expenditures and employing the right strategies can improve your financial health and boost your operational efficiency.

Whether you are a small, medium, or large winery, here are some key factors to keep in mind:

Inventory Costing Methods

For small wineries — which make up 49% of the market — U.S. generally accepted accounting principles (GAAP) inventory costing methods are invaluable. These methods enable you to assign a monetary value to your inventory, providing the exact cost data capture you need to manage production and distribution expenses effectively. If you are a medium-sized (or larger) winery, you can benefit from more comprehensive financial models and robust accounting systems.

Tasting Room Operations

For wineries of all sizes, accurately accounting for tasting room activities is critical. This includes tracking your inventory, managing sample losses, and accounting for both owner and employee samples. Proper financial controls and expense categorization will provide you with clear insights into profitability. Understanding these challenges, you should consider comprehensive solutions like inventory costing, financial modeling, and tax preparation to enhance your operational efficiency and profitability.

Audit Versus Review

As your winery grows, the need for independent Certified Public Accountant (CPA) audits or reviews becomes more important. This decision hinges on the level of assurance needed and the specific needs of lenders, investors, or creditors. While audits offer the highest level of assurance and can enhance credibility with stakeholders, they are also more costly. Reviews, on the other hand, are less expensive but provide more limited assurance. Tailored audit and review services can help meet the unique requirements of your winery, supporting accuracy and compliance in financial reporting.

Tax Return Considerations

Proper inventory valuation and tracking of production activities are essential for correct tax preparation. Formal inventory valuation methods — such as those adhering to U.S. GAAP — can aid in exact tax reporting and provide a reliable template for management. This appropriately accounts for all production costs, helping to minimize tax liabilities and avoid potential issues with tax authorities. Specialized tax preparation services tailored to the unique needs of your winery can help you meet compliance requirements and improve financial outcomes.

Small Wineries: Accurate Inventory Accounting

If your winery produces fewer than 1,000 cases annually and lacks extensive accounting resources, you may choose to keep books on a tax basis. However, implementing U.S. GAAP-based inventory costing — even if not needed — can offer valuable insights into your production costs and help you secure debt or equity financing. Accurate cost tracking allows you to make informed decisions about your operational efficiency and financial management, giving you a competitive edge in the crowded market.

Medium Wineries: Proactive Risk Management

For medium-sized wineries, effective risk management is crucial to safeguarding financial stability. Finding potential risks such as climate impacts or market fluctuations requires a proactive approach, including investing in insurance and strategic planning. Although these measures involve upfront costs, they can prevent substantial financial losses overall. Implementing robust risk management practices will help your winery keep consistent production quality and protect your financial health against unforeseen challenges, ultimately supporting sustainable growth and operational resilience.

Large Wineries: Strategic Risk Mitigation

Large wineries, with extensive operations and market reach, face significant risks from climate change and volatile market conditions. Investing in comprehensive risk management strategies, including climate-resilient infrastructure, diversified revenue streams, and market analysis tools, is essential. Upfront costs for insurance and strategic planning are necessary to mitigate these risks. By addressing potential vulnerabilities proactively, your winery can protect its substantial investments, maintain market stability, and set the table for long-term profitability despite external uncertainties. This approach will help you preserve your reputation and sustain growth in a competitive industry.

Distribution and Growth Considerations

For small wineries, distributing wine introduces challenges that require a clear understanding of both production and distribution costs. Increased production often involves significant investments in equipment and facilities, affecting the cost per case until production volumes grow sufficiently. Before entering any distribution channel, it is crucial to understand the full cost of production, develop a solid pricing strategy, and account for the costs involved in various sales channels to support profitability and growth.

Elevate Your Winery’s Profit Potential

Effective cost management is vital for wineries of all sizes to navigate the complexities of the market and achieve sustainable growth. By implementing robust financial practices, correct cost tracking, and comprehensive risk management strategies, your winery can enhance its operational efficiency and profitability.

How MGO Can Help

MGO’s tailored solutions can help you meet these challenges and thrive in this competitive industry. Reach out to our Vineyards and Wineries team today to learn how we can support you.

Revolutionizing Your Risk Strategy: ERM for Modern Government

Key Takeaways:

  • Enterprise Risk Management (ERM) is a critical strategy for public sector entities, providing a comprehensive framework to identify, assess, and manage risks across the entire organization.
  • ERM offers numerous benefits, including enhanced risk awareness, improved operational efficiency, and better alignment of risk tolerance within acceptance levels.
  • ERM’s structured approach helps public sector leaders make informed management decisions, facilitate crucial conversations, and maintain a proactive stance in addressing emerging risks.

~

State and local government leaders face more complex challenges than ever before. Cybersecurity threats, regulatory complexity, budget constraints, and unexpected safety issues are just a few of the risks that can derail your ability to serve your community effectively. To manage these risks, you need a comprehensive strategy. That’s where Enterprise Risk Management (ERM) comes in.

ERM is a powerful tool that gives you a clear, organization-wide view of the risks you face. With ERM, you can identify, assess, and manage risks across your entire organization. This helps you make better decisions, allocate resources more effectively, and focus on what really matters — delivering essential services to your constituents.

The Need for ERM in the Public Sector

Governments, especially large and complex ones, often lack formal ERM programs. Yet, the breadth of internal and external services state and local governments provide, combined with the critical role they play in society, makes this risk management practice indispensable.

Unlike in the private sector — where ERM is more of a standard practice — organizations in the public sector frequently miss out on the benefits of a coordinated risk management strategy. The absence of ERM can lead to fragmented risk management efforts, where key risks are not addressed or are not managed within the organization’s risk appetite.

By implementing ERM, you can help management gain an organization-wide view of the risks they face. This approach creates a pragmatic, focused strategy for managing risks — where the most critical issues are addressed.

ERM also facilitates essential conversations and decision-making processes, encompassing board reporting and input, which ultimately links executive management’s risk handling to the board’s defined risk philosophy.

Benefits of ERM for Your Public Sector Entity

Implementing ERM in your organization brings several significant benefits:

  1. Enhanced risk awareness and management: ERM fosters a culture of openness and transparency around risk management. This improved candor translates into better understanding and management of the critical challenges your state or local government faces.
  2. Alignment to risk appetite: Through ERM, you can align your organization’s risk management practices within the organization’s risk threshold. This alignment helps you make informed decisions that reflect the organization’s capacity to manage risks effectively.
  3. Improved operational efficiency: By managing risks proactively, ERM helps you better navigate tough decisions. This proactive approach reduces the likelihood of adverse events disrupting daily operations, leading to smoother and more efficient service delivery.
  4. Comprehensive risk coverage: ERM encompasses a broad spectrum of risks, including operational, financial, information technology (IT) and cybersecurity, human capital, and compliance risks. This comprehensive focus helps prevent you from overlooking critical risk areas.

ERM Process for Public Sector Entities

Implementing ERM involves a systematic process that includes the following steps:

  1. Understand the board’s philosophy: The first step is to gain a clear understanding of the board’s risk philosophy and approach. This involves discussing and defining what levels of risk are acceptable.
  2. Risk assessment and prioritization: Conduct a thorough risk assessment to identify and prioritize the risks that should be included in the ERM program. This step involves evaluating the potential impact and likelihood of various risks.
  3. Evaluate risk responses: Once risks are identified and prioritized, the next step is to document and evaluate the responses to these risks. This includes determining if the residual risk — risk remaining after management actions — is within the board’s acceptance levels.
  4. Report to the board: Regular reporting to the board is crucial to keep them informed about risk management efforts and maintain alignment with their risk philosophy.
  5. Continuous improvement: ERM is not a one-time activity. It requires continuous risk assessment, monitoring, and program improvement. Regular reviews and updates enable your ERM program to remain relevant and effective in addressing emerging risks.

Key Challenges and Roadblocks

While the benefits of ERM are clear, several challenges can impede its successful implementation in the public sector:

  • Board maturity around risk: The board’s understanding and commitment to risk management are critical. A mature and proactive board is essential for effective ERM implementation.
  • Management commitment: ERM requires buy-in and active participation from executive management. Without their commitment, the program is unlikely to succeed.
  • Accountability gaps: Clear roles and responsibilities must be established to address accountability when residual risks and organizational risk acceptance levels do not align.

Implementing ERM in Your Organization

ERM is not just a best practice; it is a critical strategy for navigating the complexities of modern governance. By adopting ERM, you can enhance risk management, improve operational efficiency, and better prepare your organization to serve the public effectively.

How MGO Can Help

Implementing an effective ERM program can be daunting, but you don’t have to do it alone. Our experienced team can assist you at every step of the ERM process:

  • Project management and facilitation: We can act as project managers, overseeing the entire ERM process from start to finish. This includes coordinating with your internal teams to align the program with your organizational goals.
  • Risk assessment: We can conduct comprehensive risk assessments, both initial and ongoing, to identify and prioritize the risks your organization faces. Our thorough approach aims to cover all critical risk areas.
  • ERM program development: We can help you develop and implement a robust ERM program tailored to your organization’s unique needs. This includes creating a risk management framework, defining risk tolerance levels, and establishing reporting mechanisms.
  • Continuous monitoring and improvement: ERM is an ongoing process, and we can provide support for continuous monitoring and improvement. This helps your ERM program remain effective and responsive to changing risk landscapes.
  • Training and capacity building: We can provide training and capacity building for your teams, equipping them with the skills and knowledge needed to sustain the ERM program independently.

If you are ready to take the next step in securing your organization’s future, we are here to help. Contact us today to learn more about how we can support your ERM journey.

Essential IPO Questions: Your Comprehensive Checklist

Key Takeaways:

  • Proactive planning means focusing on the “how” instead of just the “what” — turning basic questions into actionable strategies for effective implementation.
  • An ecosystem perspective involves considering the broader impact on third-party stakeholders to ensure the entire supply chain is prepared for going public.
  • Holistic risk management requires cross-functional collaboration to coordinate risk mitigation, enhancing organizational resilience against new public company risks.

Preparing for your initial public offering (IPO) means investigating every facet of the business — not only to obtain the best possible valuation, but also to make the changes necessary to operate as a public company and achieve long-term growth. Asking the right questions can help you see beyond the obvious, illuminating factors you may have otherwise overlooked and setting your organization up for post-IPO success.

Here are five ways to take common IPO questions from a basic 101 level up to a more advanced 201 to deepen readiness and unlock new value.

IPO Checklist: 5 Ways to Level Up Your IPO Questions

1. Ask “How,” Not “What”

Don’t plan passively. Approach key questions in a way that mandates proactive action rather than reactive changes. A seemingly small alteration — a “how” instead of a “what” — can transform a basic inquiry into a forcing function that spurs teams to take concrete steps.

  • 101: What new reporting obligations will we face as a public company?
  • 201: How can we resource and connect our finance, IT, and legal teams to meet new reporting requirements on time and without misstatements?

While the 101 question can establish new reporting needs and responsibilities, the 201 question goes further, pushing leaders to actively plan toward these goals.

2. Think About Your Ecosystem, Not Just Your Organization

Going public brings scrutiny from new stakeholders, such as boards, shareholders, and regulators. It is no longer enough for leaders to focus on their organization alone. Instead, they must broaden their perspective to consider the effects of all changes — new regulations, reporting requirements, cybersecurity risks, and more — on their third-party ecosystem.

  • 101: What new laws and regulatory bodies apply to our business as a public company?
  • 201: Are we prepared to validate that our third-party providers, in addition to our own organization, are complying with any new requirements?

Answering the 201 question requires looking beyond the organization to consider the risks posed by third-party partners. Financial institutions, for example, will need to verify that any third-party service providers comply with existing consumer protection laws under Dodd-Frank.

Cutting across all industries, the Securities and Exchange Commission (SEC) adopted new rules in 2023 requiring public companies to disclose any material cybersecurity intrusions or breaches, as well as information about their cyber risk management, governance, and security. Companies pursuing an IPO must prepare to comply with these new requirements themselves and be ready to validate that any third-party providers can also remain compliant.

3. Adopt a Holistic View of Risk

Effective risk management requires cross-functional cooperation and communication. No matter the business area — cybersecurity, operations, supply-chain management — identifying risks is not enough; nor is simply naming the strategies to mitigate risks.

  • 101: What new risks are most relevant to our business as we prepare for operations as a public company?
  • 201: What is each department’s risk mitigation responsibility, and where are there opportunities for coordination?

Every department has a role to play in risk mitigation. Clearly defining those roles and the interconnections between them can build resilience in the lead up to an IPO and help companies adapt to new risks after going public.

4. Move from the Abstract to the Specific

Tailoring approaches to specific objectives will help you manage more variables and define what kind of public company you want to be. Whenever possible, leaders should design questions to address specific challenges, rather than using general terms.

  • 101: Who are the new stakeholder audiences (e.g., board members and regulators) with whom we need to establish communications as a public company?
  • 201: How will we communicate with board members, shareholders, and regulators? What tools, channels, and reporting structures will we build?

The 101 question identifies an important consideration, but it stops there. The 201 question addresses finding and filling in the gaps. You can use what you know to pave the way toward learning what you don’t.

5. Think About Your Price on Day 100

The IPO is not an end-state; it is the beginning of a new chapter. Every action taken in service of a public offering must also include a path to further growth.

  • 101: How do we obtain the best possible valuation for our company?
  • 201: How can we leverage our momentum to improve our valuation 100 days after going public?

The 101 question speaks to an important need, but its focus is limited. Success as a public company demands growth beyond the IPO event. Asking the 201 question can help you embed a future-focused mindset into all planning decisions. The day one valuation matters, but so does valuation on day 100 — and beyond.

How MGO Can Help 

Navigating the complexities of an IPO requires guidance and a comprehensive strategy. MGO’s Transaction Advisory Services team supports you throughout the process, from proactive planning to risk management, so that your entire ecosystem is ready for the transition. Reach out to our team today to discover how MGO can help you achieve your long-term growth objectives and post-IPO success.


Charting Your Financial Path Beyond the Game 

Key Takeaways:

  • Many professional athletes go on to achieve even greater financial success in their lives after sports through proactive financial planning and capitalizing on post-career opportunities.
  • Having the right financial advisory team is crucial for transitioning athletes to make smart money decisions across areas like investments, business ventures, taxes, estate planning, and risk management.
  • With proper guidance, athletes can turn their playing careers into lifelong financial stability and growth through entrepreneurship, investments, and other lucrative second careers.

~

As a professional athlete, you’ve spent years honing your skills, building your career, and making a name for yourself. But what happens when the final whistle blows and your playing days are behind you?

The good news is many athletes move on to highly successful and lucrative ventures after their time in sports — some even making more money than they did during their athletic careers. With the right financial support and strategic planning, you can be one of them.

From Athlete to Entrepreneur: Maximizing Post-Career Opportunities 

The transition to life after sports can be incredibly rewarding, opening doors to new and exciting opportunities. Many professional athletes have not only avoided the financial pitfalls often associated with post-career life but have also thrived financially.

Here are a few notable examples of athletes who’ve achieved significant financial success with their second careers:

Kenny Smith

Kenny “The Jet” Smith played 10 years in the National Basketball Association (NBA), winning back-to-back championships with the Houston Rockets in 1994 and 1995. While Smith made just under $12 million over his playing years, as an analyst on Inside the NBA alongside Ernie Johnson, Charles Barkley, and Shaquille O’Neal, Smith reportedly takes home $16 million per year.

Maria Sharapova

While Sharapova earned over $300 million during a career where she became just the tenth woman to win all four major championships, she retired at the young age of 32 in 2020. Since that time, she has established herself as an investor and entrepreneur — working with health and wellness brands like Therabody and Tonal — while also serving on the board of directors for luxury fashion house Moncler Group.

Derek Jeter

Jeter played 20 seasons at shortstop for the New York Yankees, winning 5 World Series titles before retiring in 2014. After earning over $265 million in MLB salary, Jeter went on to found Jeter Publishing with Simon & Schuster and the media company The Players’ Tribune in 2014, which publishes first-person stories from athletes. In 2017, he became part-owner and CEO of the Miami Marlins.

David Beckham

Playing 21 seasons of professional soccer for teams like Manchester United, Real Madrid, and the LA Galaxy, Beckham racked up league titles and millions in contract dollars. Retiring in 2013, he transitioned into a successful business career — starting the management company DB Ventures and collaborating with brands like HUGO BOSS. In 2018, Beckham brought Major League Soccer to Miami as co-owner of Inter Miami CF.

These examples demonstrate the wealth creation potential that exists long after an athletic career ends. Of course, it’s not just about what you do after your playing days are over; it’s also about what you do with your money.

The Role of Financial Advisors in Your Post-Career Success

The right financial advisors can help you navigate the complex financial landscape, assisting you to make smart decisions that will benefit you in the long term. Here are some key areas where advisors can support you:

Investment Planning

Post-career, it’s essential to make your money work for you. Financial advisors can help you develop a diversified investment portfolio tailored to your risk tolerance and long-term goals. This could include stocks, bonds, real estate, and business ventures.

Business Ventures

Many athletes transition into entrepreneurship. Advisors can provide invaluable support in evaluating business opportunities, developing business plans, and managing your ventures. Whether you’re interested in starting a restaurant, a retail chain, or a tech startup, having the right guidance can make all the difference.

Tax Planning

High earnings often come with complex tax obligations. A financial advisor can help you navigate these complexities, enabling you to take advantage of tax-saving opportunities and stay compliant with regulations.

Estate Planning

Protecting your wealth for future generations is crucial. Advisors can assist you in creating an estate plan that distributes your assets according to your wishes, minimizing tax liabilities and providing for your loved ones.

Retirement Planning

Even if you’re transitioning into a second career, planning for retirement is essential. Advisors can help you set up retirement accounts, plan for long-term care, and establish a steady income stream throughout your retirement years.

Risk Management

Life is unpredictable, and managing risk is a crucial part of any financial plan. Advisors can help you select the right insurance policies and develop strategies to protect your assets against unforeseen events.

Taking the Next Step in Your Post-Playing Journey

Transitioning from a professional athlete to a successful entrepreneur, broadcaster, coach, or executive is not just a dream; it’s a reality for many who have walked in your shoes. With strategic planning and the right financial support, you can turn your athletic success into lifelong financial stability and growth.

Remember, the game doesn’t end when you leave the field; it simply evolves. Embrace the opportunities ahead and put the right team in place to guide you through every step of your post-career journey.

How We Can Help

Our dedicated Entertainment, Sports, and Media team has extensive experience guiding professional athletes through all phases of their career journeys. We offer comprehensive financial services tailored to help you achieve continued success. Reach out to our team today to discuss how we can support your post-career goals.

CFOs and CISOs: Boost Your SEC Cybersecurity Compliance with These 5 Best Practices

Key Takeaways:

  • New SEC cybersecurity rules require public companies to disclose material cybersecurity incidents, risk management processes, and governance.
  • Determining “materiality” of cyber incidents for disclosure is challenging and requires close collaboration between CISOs providing technical context and CFOs/executives making final determinations.
  • To comply, companies should take steps such as designating accountable leadership, adding specialized cybersecurity knowledge, and updating financial processes.

~

For years, chief financial officers (CFOs) could afford to be removed from the daily cybersecurity efforts led by chief information security officers (CISOs). But, with new Securities and Exchange Commission (SEC) cybersecurity rules, those days are gone.

Adopted on July 26, 2023, the SEC’s “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” rules recognize cyber incidents can significantly impact public companies’ operations, finances, and reputations. The requirements push companies to be more transparent and accountable about cybersecurity.

While compliance with these rules falls squarely on publicly traded organizations, the impact extends to privately owned companies as well. If your company is a vendor or partner to public firms, you can expect inquiries and audits to verify you meet their security standards. Liabilities and risks permeate the entire supply chain.

SEC Cybersecurity Disclosure Requirements

If you are a public company, what do you need to report under the new rules? Here are the main requirements:

Cybersecurity Incident Disclosure

  • Report within four business days of determining the incident is “material”
  • Describe the nature, scope, timing, and impacts (or potential impacts)
  • Note any undetermined details at time of filing
  • Compliance required for SEC registrants as of December 18, 2023; smaller reporting companies (SRCs) have until June 15, 2024, to comply

Annual Risk Management & Strategy Disclosure

  • Outline processes to identify, assess, and manage material cyber risks
  • Explain how these processes integrate with overall risk governance
  • Detail impacts from previous material incidents
  • Disclose use of third-party security consultants/auditors and procedures
  • Compliance required for all registrants (including SRCs) beginning with annual reports for fiscal years ending on or after December 15, 2023

Annual Governance Disclosure

  • Describe board oversight and committee responsibilities for cyber risk
  • Identify management roles accountable for cybersecurity programs
  • Specify escalation protocols to board/committees on cyber issues
  • Compliance required for all registrants for fiscal years ending on or after December 15, 2023

Determining Cybersecurity “Materiality”

A central tenet of the SEC guidelines is the “materiality” concept regarding incident reporting. Essentially, cybersecurity events are considered “material” and require disclosure if they could sway investment decisions or shareholder votes. Think of materiality as anything significant enough to concern your board and executive team.

The tricky part is that materiality determinations do not solely rest with technology and security leaders. Corporate officers and boards make the ultimate call, despite often lacking full context into security event ramifications on financials and operations. Bridging this disconnect through close CISO collaboration is critical to set appropriate disclosure thresholds aligned with your company’s true risk profile. Ideally, final decisions should also be independently verified by an outside, nonbiased service provider.

The SEC final rule also makes extensive (more than 40) references to “third party” impacts. A breach or attack affecting a key vendor could very well represent a material event for your organization that necessitates SEC disclosure. Do not let third-party cybersecurity shortcomings undermine compliance.

Best Practices to Comply with New SEC Cybersecurity Rules

While no one-size-fits-all checklist exists, your company and relevant vendors should consider these best practices on the path to cybersecurity rule compliance:

1. Designate Accountable Leadership

Empower specific business leaders as security program owners, not just technical teams. These individuals need to establish clear reporting and communication between security operations and the board/C-suite. Executive working sessions focused on cybersecurity scenario planning are also advised.

2. Add Cybersecurity Knowledge

The rules do not explicitly require it, but it is wise to have dedicated cybersecurity oversight at the board level. Bringing in third-party advisors can help boards understand cyber responsibilities and implement improved processes. This knowledge is often lacking today despite its importance.

3. Update Financial Processes

The speedy 8-K cybersecurity incident reporting necessitates updates to disclosure management procedures. Public companies should already have 8-K drafting processes, so adjusting for cyber specifics presents a modest lift. The key is removing bottlenecks to rapidly describe incident details.

4. Dedicate Compliance Resources

CISOs in many companies oversee skeletal teams lacking the bandwidth for major initiatives like interpreting new regulations, implementing new disclosure processes, conducting risk assessments, and more. Ensure your team has the resources needed to achieve compliance.

5. Build Cybersecurity Culture

Equip your leadership team, board, and financial executives with a comprehensive understanding of cyber risks and disclosure nuances. Implement ongoing education and guidance programs to keep them well-versed in cybersecurity threats, response procedures, and the latest developments in the field.

How MGO Can Expedite Your Compliance Journey

The SEC cybersecurity rules are a wake-up call to take cyber preparedness as seriously as any other existential risk to your organization. Let our team of security, financial, and regulatory professionals guide you toward proactive, comprehensive compliance. Reach out today to discuss your roadmap.

Internal Controls: Keys to Limiting Fraud and Boosting Your Company Value

Executive Summary:

  • Internal controls, especially around fraud prevention, are essential for limiting losses, driving efficiency, improving accountability, and boosting company value during investments or M&A deals.
  • The “tone at the top” from leadership in fostering an ethical environment, along with proper segregation of duties, are key elements for fraud prevention and strong internal controls.
  • Well-established policies and procedures, like Delegation of Authority rules and restricted system access protocols, are also vital for maintaining adequate controls to enable company growth.

~

As the economy stands on shaky legs, private equity and venture capital firms are necessarily careful and strategic when assessing potential investment opportunities. Whether your long-term plan includes acquiring another company, selling your business, or seeking new capital, strengthening your internal control environment — with a focus on preventing fraud — is a powerful way to increase actual and perceived value.

In the following, we will lay out the reasons why fraud prevention is an essential element to proper corporate governance and illustrate key areas to examine whether your internal control environment is built to help your operation succeed.

The Importance of Internal Controls in Fraud Prevention

A robust internal control system is the first step toward managing, mitigating, and uncovering fraud. A strong internal control environment will:

Protect your company’s assets by reducing the risk of theft or misappropriation of cash, inventory, equipment, and intellectual property.

Detect fraudulent activities or irregularities early on and deter employees from attempting fraud in the first place.

Provide cost savings by limiting opportunities for financial losses, costly investigations, and legal expenses associated with fraud.

Drive operational efficiency by providing clear processes and guidelines that reduce the risk of errors or inefficiencies in day-to-day operations.

Improve employee accountability by implementing checks and balances that discourage unethical behavior.

When seeking an investment or undertaking a significant M&A deal, you should have a firm grasp of the strength and quality of your internal control environment. Not only will you reduce the risk of fraud in the near term, but you will also cultivate confidence with potential investors and M&A partners.

Fraud Prevention Starts with the “Tone at the Top”

The first key element to look for in measuring the strength of your internal controls is ensuring a clear and proactive “tone at the top”, meaning an ethical environment fostered by the board of directors, audit committee, and senior management. A good tone at the top encourages positive behavior and helps prevent fraud and other unethical practices.

There are four elements to fraud: pressure, rationalization, opportunity and capability.

Pressure motivates crime. This could be triggered by debt, greed, or illegal deeds. Individuals who have financial problems and commit financial crimes tend to rationalize their actions. Criminals may feel that they are entitled to the money they are stealing, because they believe they are underpaid. In some cases, they simply rationalize to themselves that they are only “borrowing” the money and have every intention of paying it back.

Opportunity is the third element: criminals who can commit fraud and believe they will get away with it may just do it. Capability means the criminal has the expertise as well as the intelligence to coerce others into committing fraud. The board of directors is responsible for selecting and monitoring executive management to ensure best practices are in place to limit the motivations of all four elements of fraud.

Proper Segregation of Duties for Internal Controls

The second key element to look for in your internal controls is a well-established segregation of duties. The idea is to establish controls so that no single person holds a combination of abilities that would give them the opportunity to commit fraud. Companies must make it extremely difficult for any single employee to have the opportunity to perpetrate a crime and subsequently cover it up.

Fraud Controls 

There are three types of controls that help manage the risks of fraud: preventative, detective, and corrective.

  • Preventative controls seek to avoid undesirable events, errors, and other occurrences that an enterprise has determined could have a negative material effect on a process or end product. Preventative controls are the best of the three as they are the first line of defense and a backstop to fraud. If designed correctly, preventative controls stop an undesirable event from even happening.  
  • Detective controls exist to detect and report when errors, omissions, and unauthorized uses or entries have already occurred. Although it is important to identify these adverse events, you are doing so after the fraud has already been committed.
  • Corrective (also referred to as compensating) controls are designed to correct errors, omissions, and unauthorized uses and intrusions once they are detected.  

Preventing Misappropriation of Assets 

An important component of segregation of duties is to prevent the misappropriation of assets and reduce fraud risk. Below are some examples of best practices for various types of assets: 

  • Cash Receipt: segregate the receipt of cash/checks and the recording of the journal entry in the accounting system into two roles.
  • Accounts Receivable: segregate the responsibilities of recording cash received from customers and providing credit memos to customers. (If one person performs both functions, it creates the opportunity to divert payments from the customer to the employee and then cover the theft with a matching credit to the customer’s account).
  • Cash Reconciliation: the individuals who authorize, process, or record cash should not perform the bank reconciliation to the general ledger.
  • Inventory: individuals who order goods from the suppliers should not have the ability to log the goods received in the accounting system.
  • Payroll: segregate the responsibilities of compiling gross and net pay for payroll, with the responsibilities of verifying the calculation. (If a single individual performs both functions, it allows for the opportunity to increase personal compensation and the compensation of others without authorization. It also provides an opportunity to create a fictitious payee and make corresponding payroll checks).

The Importance of Policies and Procedures

The third key element to look for in your investees is well-established policies and procedures. Make sure that any company you consider acquiring has basic policies and procedures in place, such as Delegation of Authority (DOA).

The DOA is a policy where the executive team delegates authority to the management of the company. Individuals should be considered appropriate to fulfill delegated roles and responsibilities. The DOA should be reviewed at least annually. Subsequently, it is important to ensure that the DOA is being followed, and that approvals do not deviate from it. Any such anomalies should be rare and, when they do occur, they need to be reviewed and approved. Constant deviations from the DOA may be a sign that the DOA needs to be restructured.

A second essential policy and procedure is restricted computer and application access. This is to protect sensitive company financials and proprietary data. The company should have a robust control environment and maintain computer logins and password access on a need-to-know basis. Access should only be granted by the owner of the application or system and subsequently logged by the administrator. Now more than ever companies are hiring remote employees. This shift in the dynamic workspace further emphasizes the need for a quality IT controls environment.

How We Can Help

As you prepare your company for future growth, getting an impartial third-party opinion on your internal control environment can be a powerful tool for finding gaps and inefficiencies, and implementing value-added changes.

Our dedicated Public Company teams offer a deep level of industry experience and technical skills. We can help prepare your company for a major capital raise, including going public via an IPO or RTO. Or we can help optimize value for an M&A deal, whether you are buying or selling. Contact us today to access an external, holistic vision focused on helping you grow and succeed.

Defense Wins Championships – Why Your Government Needs Internal Auditing on Its Team

Executive Summary:

  • State and local governments need defensive strategies to protect against risks like fraud, financial loss, and reputational damage, and checks to ensure those strategies are working.
  • The Three Lines Model executes three levels of protection designed to prevent risks from disrupting your operations and causing damage or loss.
  • As the third-line defense, internal auditing analyzes the entire field to identify potential weaknesses and ensure your defensive strategies are effective at averting risks.

~

At the start of the football season, sports analysts spend a lot of time talking about who will be the player to lead their team to a championship. Yet, as we learn year after year, championships are not won by a single player. It is a collective effort, based on an assembly of individuals pooling their talents together in pursuit of a common goal.

In sports, the common goal is a championship. In business, the goal is to generate profit by establishing customer loyalty for your products or services. In government, the goal is to make our communities ideal places to live, work, and play. To win in all these instances, you need a strong team with contributions from every player.

Football fans often hear the refrain, “offense wins games, but defense wins championships.” Government teams looking to achieve their goals should not overlook the necessity of a robust defense — with internal auditing giving you the upper hand over your opponent.

What is Internal Auditing?

According to The Institute of Internal Auditors (IIA), internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. Internal auditing provides a systematic approach to evaluating and improving the effectiveness of governance, risk management, and controls processes.

To simplify: Your organization has goals (objectives). However, obstacles (risks) may exist that keep your organization from reaching its goals. You should develop strategies (internal controls) to prevent those obstacles from occurring, and continuously check to make sure your strategies are working properly (monitoring). To avoid confirmation bias — where you only seek and accept information that supports your goals — you should seek validation from an objective entity (internal audit) to evaluate if your strategies truly position your organization to succeed.

To accomplish all this, you need a coalition of talented individuals that can identify risks, strategize against them, prevent or detect risk infiltration, and consistently monitor emerging risks to provide guidance on how to stay ahead of the curve. In football terms, you need a strong defensive line!

Three Lines of Defense 

Let’s say that risk is the offensive team. Its goal is to get into your organization’s end zone to disrupt operations. The quarterback could be a hacker, fraudster, or unintentional human error. The offensive team also has other formidable players: fraud risks, cyber-attack risks, liquidity risks, etc.

Organizations need a more skilled, agile, and experienced defensive team to counteract the activity of the risk offense. Enter IIA’s Three Lines Model. This defensive strategy executes three levels of protection designed to keep risk from causing extreme financial or other damage.

The Three Lines Model defines defensive roles and responsibilities as follows:

  • First Line of Defense – develops strategies to address risks
  • Second Line of Defense – monitors strategies
  • Third Line of Defense – provides assurance that strategies are truly effective at mitigating risks

Let’s look at the organizational playbook to understand the goals of the offensive and defensive teams and the Three Lines defensive strategy.

Understanding the Offensive Opponent

Organizations are trying to prevent risks from disrupting operations and causing financial and/or other damages. If the risk team scores in your end zone, that means they have exposed a weakness in your organization. Depending on the weakness, it could cost you a little (inefficient operations) or it could cost you a lot (major cyberbreach with financial and reputational damages) … but it will cost you!

Defining Each Line of Defense

First Line of Defense: Management, Staff, and Internal Controls

The first line of defense consists of the organizational staff associated with daily operations, delivery of goods and services, and identifying and addressing risks. For example, to minimize the risk of hacking via password breaches, this line would create a password policy and accompanying procedure, set up systems requirements accordingly, and follow the policy and procedures in daily operations.

Second Line of Defense: Risk Management and Compliance Functions

The second line of defense consists of the organizational staff that monitor your organization’s adherence to its own policies and procedures and other required guidance (e.g., regulations, laws, etc.). For example, to ensure that your organization is following its policies and procedures for minimizing hacking via password breaches, this line would periodically analyze data to ensure compliance with internal guidance, industry best practices, etc.

Third Line of Defense: Internal Audit

The third line of defense consists of internal audit professionals with knowledge in various industries. Internal audit conducts real-time assessments and communicates any weaknesses in the first two lines. Using the prevention of hacking example from above, in addition to assessing password protocols and practice, internal audit may identify that your organization has improper access controls that increase the risk of hackers infiltrating your organization’s systems. Internal audit would provide recommendations for improvement and express urgency for corrective action.

Defensive Benefits of Internal Auditing

Internal audit is not an adversary; it is part of your team. Internal audit collaborates with your management and staff, in real time, to understand your organizational goals, concerns, strengths, and weaknesses. Where external audit provides your management with an analysis of a snapshot in time, internal audit continuously and systematically provides value-added feedback to your management and your board and/or audit committee.

Internal audit assists with ensuring your organizational playbook(s) remain relevant. As the third or last line of defense, it analyzes the entire field (the organization) to make sure your defensive strategies (internal controls) are effective at averting risks from scoring (causing financial, operational, reputational, etc., losses).

The analyses conducted by internal audit include (but are not limited to):

  • Conducting risk assessments to identify the likelihood and potential impact of risks to assist the organization in focusing resources on prioritized areas for improvement.
  • Assessing your information technology and cybersecurity environments to identify and advise on protecting organizational data, improving IT infrastructure, preparing disaster recovery strategies, etc.
  • Assisting in preparing for external audits by assessing if the organization’s financial statements are accurate, complete, compliant with regulations, and free from material misstatement. 
  • Conducting performance assessments to identify areas for efficiency and effectiveness improvements.

Internal audit strengthens your organization’s improvement efforts by bringing reinforcements to your already stellar team. The internal audit group delivers additional resource capacity, skills, and perspectives — including extensive knowledge about various industry standards as internal audit professionals are required to maintain continuing education in their specific areas of focus.

How MGO Can Strengthen Your Team’s Defense

MGO has a defensive line that is ready and motivated to support your organization. Stacked with professionals experienced in areas like state and local government, fraud, audit and assurance, government audit, and cybersecurity, our team is diverse in thought, knowledge, and culture — and we bring those perspectives to the field for you. Contact us today to learn how our internal auditing solutions can boost your organization’s defense.

How to Elevate Your Company’s IPE Documentation to Optimize SOX Compliance

By Jonathan Bayeff, CPA & Cesar Reynoso, CPA

Executive Summary:

  • The Sarbanes-Oxley (SOX) Act established stricter financial reporting requirements for public companies, leading to increased scrutiny of Information Produced by the Entity (IPE).
  • IPE carries different levels of risk depending on whether it is system-generated or manually prepared. Strong documentation is key to validating completeness and accuracy of IPE.
  • Best practices for IPE documentation include identifying the source, parameters, and format of reports; validating totals and counts; retaining screenshots; and having knowledgeable reviewers.

~

Passed by Congress in 2002, the Sarbanes-Oxley (SOX) Act revolutionized public company audits by introducing financial reporting requirements aimed at increasing transparency and preventing fraud. Most notably, the SOX Act established the Public Company Accounting Oversight Board (PCAOB), a nonprofit organization that oversees the audits of public companies to protect investors and further the public interest in the preparation of informative, accurate, and independent audit reports.  

The PCAOB refines its auditing standards annually and, in recent years, the organization has placed greater scrutiny on the work of external auditors. To keep up with PCAOB compliance, external auditors have imposed more rigorous documentation requirements on companies. As a result, companies have felt pressure to provide more expansive Information Produced by the Entity (IPE).

If external auditors have applied greater scrutiny on your reporting, you may be wondering: What level of documentation is sufficient? How can you improve your documentation to avoid deficiencies and provide greater clarity? In this article, we will discuss: 1) what IPE is, 2) the risks associated with different IPE, and 3) how to document your IPE thoroughly.

What is IPE?

IPE is any information created by a company used as part of audit evidence. Audit evidence may be used to support an underlying internal control or as part of a substantive audit. Although there are documentation and risk severity differences between system-generated and manually prepared IPE, the fundamental questions that need to be addressed are the same:

  1. Is the data complete?
  2. Is the data accurate?

Risk Levels of Different IPE

Here is an overview of how risk levels vary for different types of information you report to auditors:  

Low Risk

“Out of the box” reports carry the lowest risk. These reports are also referred to as “standard” or “canned” reports. Standard reports have been developed by software companies — such as Oracle NetSuite, QAD, or SAP — as part of their enterprise resource planning (ERP) systems. Typically, the end user (you) and even your IT team cannot modify these reports. Given the constrained editability, greater reliance is placed on these reports.   

Medium Risk

Custom reports are typically driven by the business team and developed in-house by your company’s IT team. When your company’s ERP system does not have a report that would provide sufficient data, the in-house developers create a custom report. The IT team follows their change management process when developing the requested report. If the report results do not align with your business team’s expectations, the query is refined, and the process is repeated until they do.

High Risk   

Manually prepared workbooks and ad-hoc queries are inherently the riskiest documentation. A manually prepared workbook may be a debt reconciliation prepared by your staff accountant, or a list of litigations the company is involved in drafted by your legal department. Given that these are manually drafted, the margin of error may be high.

An ad-hoc query is considered high risk since the report is not subject to IT General Controls (ITGC) testing. The end user may input any parameters to generate the report. Since no control testing is performed by your company, external auditors would need to rely on their own IT team to vet the nonstandard query. 

How to Document IPE? 

Your documentation will vary to a certain degree depending on whether the IPE is manually prepared or system generated. In either case, it is important to be as thorough as possible when documenting your procedures.  

Manual IPE

For a manually prepared workbook, provide thorough documentation about the origins of the data. It is ideal to have someone who is privy to the information review the workbook.  

When the reconciliation is comprised of debt instruments, the reviewer should do the following:   

  1. Match the list of individual debt instruments to the signed agreements.
  2. Validate the reconciliation and each individual schedule for mathematical accuracy.
  3. Confirm ending principal balances with creditors (where possible).

If the list consists of litigations compiled by the legal department, the reviewer should do the following:   

  1. Send confirmations to outside counsel (where possible).
  2. Obtain a list of commitments and contingency journal entries made to an accrual.

These additional steps provide greater comfort that the list compiled is complete and accurate.   

System-Generated IPE

For system-generated IPE, there are a handful of questions to keep in mind:   

  1. Have you identified the report or saved search that was used?
  2. What parameters were used to generate this report?
  3. In what format is the data exported?
  4. After you run your report and confirm the parameters are correct, what format should be utilized for your export?

Exported Data

Most ERP systems allow the exporting of data in the following four formats:   

  1. PDF (portable document format)
  2. Excel
  3. CSV (comma-separated values)
  4. Text file

One major drawback of Excel, CSV, and text files is that, by their nature, they are editable upon export. An additional drawback of a text file is that it does not contain formatting. As the volume of data grows, proving out the completeness and accuracy becomes more challenging. For these reasons, a PDF export is typically preferred.

After the data is exported in one of the four formats, you want to ensure that it agrees back to the system (completeness and accuracy). Here are a few ways to do that:     

  1. Does the exported data have dollar amount totals? If so, agree the total dollar amount to the system.
  2. Does the exported data have hash totals? An example of a hash total is employee ID numbers which in aggregate have no real value other than providing confirmation that the data is complete and accurate.
  3. Does the report have a total line count? If totals are not available, line counts may be used. However, it is important to note that while the line count may agree, the data itself could have still been inadvertently manipulated.

Screenshots of Data

Retaining screenshots is imperative for documentation. A detailed screenshot should include some (if not all) of the following:  

  1. Totals (dollar amounts, hash amounts, etc.)
  2. Line count
  3. Parameters utilized
  4. Time and date stamp

The first three items validate the completeness and accuracy of the exported data. The fourth item confirms when the report was run and if it was timely. There are many reports that are point-in-time and may not be recreated at a future date. Knowing the constraints of the reports you use is important. Retaining screenshots cannot be overemphasized, especially for point-in-time reports.   

Certain ERP systems or online portals do not provide a preview of the report prior to the export. This puts a constraint on the validation of completeness and accuracy, as it inhibits screenshots from being taken. In this case, as part of the review, the reviewer should re-run the report and validate that the original report used matches the information in the re-run report.
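The control-total checks from the Exported Data section (dollar totals, hash totals, line counts) and the re-run comparison described above can be scripted for editable exports such as CSV. The Python below is an added example, not part of the original article; the payroll rows, column names, and system totals are constructed for illustration.

```python
import csv
import io
from decimal import Decimal, InvalidOperation

# Constructed sample: a payroll register exported to CSV (not real data).
CLEAN_EXPORT = """employee_id,name,gross_pay
1001,A. Rivera,4200.00
1002,B. Chen,3850.50
1003,C. Okafor,5100.25
1004,D. Patel,2975.00
"""

# Constructed control totals, as they would be read off the report screen
# (or the retained screenshot) in the source system.
SYSTEM_TOTALS = {
    "line_count": 4,
    "dollar_total": Decimal("16125.75"),
    "hash_total": 4010,  # sum of employee IDs; an accounting hash total,
                         # not a cryptographic hash
}

# Constructed variants of the export, edited after it left the system.
AMOUNT_CHANGED = CLEAN_EXPORT.replace("1002,B. Chen,3850.50", "1002,B. Chen,8850.50")
PAYEE_SWAPPED = CLEAN_EXPORT.replace("1004,D. Patel", "9004,D. Patel")
TRUNCATED = CLEAN_EXPORT.rsplit("\n", 2)[0] + "\n"
# Two offsetting edits: every control total still agrees with the system.
OFFSETTING = CLEAN_EXPORT.replace("4200.00", "4100.00").replace("5100.25", "5200.25")


def control_totals(csv_text, amount_col="gross_pay", hash_col="employee_id"):
    """Recompute line count, dollar total and hash total from an exported CSV."""
    line_count = 0
    dollar_total = Decimal("0")  # Decimal avoids float rounding on money
    hash_total = 0
    reader = csv.DictReader(io.StringIO(csv_text))
    for row in reader:  # DictReader skips fully blank lines
        try:
            amount = Decimal(row[amount_col].strip().replace(",", ""))
            ident = int(row[hash_col].strip())
        except (KeyError, AttributeError, InvalidOperation, ValueError) as exc:
            raise ValueError(f"line {reader.line_num}: unusable value in export") from exc
        if not amount.is_finite():  # reject "NaN" / "Infinity" strings
            raise ValueError(f"line {reader.line_num}: non-finite amount")
        line_count += 1
        dollar_total += amount
        hash_total += ident
    return {"line_count": line_count, "dollar_total": dollar_total,
            "hash_total": hash_total}


def reconcile(export_totals, system_totals):
    """Return the names of the control totals that do not agree to the system."""
    return [name for name in ("line_count", "dollar_total", "hash_total")
            if export_totals[name] != system_totals[name]]


def _rows_by_key(csv_text, key_col):
    # Assumes key_col is unique per row (true for an employee ID column).
    return {row[key_col].strip(): row
            for row in csv.DictReader(io.StringIO(csv_text))}


def row_differences(original_csv, rerun_csv, key_col="employee_id"):
    """Compare the original export to a re-run, row by row.

    Returns the keys whose rows differ or appear in only one of the two files.
    """
    original = _rows_by_key(original_csv, key_col)
    rerun = _rows_by_key(rerun_csv, key_col)
    return sorted(key for key in original.keys() | rerun.keys()
                  if original.get(key) != rerun.get(key))


if __name__ == "__main__":
    cases = {"clean": CLEAN_EXPORT, "amount changed": AMOUNT_CHANGED,
             "payee swapped": PAYEE_SWAPPED, "truncated": TRUNCATED,
             "offsetting edits": OFFSETTING}
    for label, text in cases.items():
        mismatches = reconcile(control_totals(text), SYSTEM_TOTALS)
        changed = row_differences(text, CLEAN_EXPORT)
        print(f"{label:17} totals off: {mismatches or 'none'}; rows off: {changed or 'none'}")
```

The offsetting-edits case agrees on all three control totals and is caught only by the row-level comparison against the re-run report, which is why the re-run step matters when no preview or screenshot is available.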

Strengthen Your SOX Compliance by Implementing Best Practices  

There is no perfect science to IPE documentation. But the end goal is to be as detailed as possible. By simply focusing on the fundamental questions and ensuring that your documentation addresses them, your documentation will inevitably improve.   

Developing best practices for your team is the cornerstone for any successful audit. Ensure you have the right guidance to make it happen. Our Audit and Assurance team can tailor a SOX environment to meet your needs. Contact us today to learn more.