Search Results

Division American Partners, IT, Professional Division December 28, 2018 Client Challenge One of the largest privately-held insurance companies in North America found themselves under increasing regulatory pressure as they expanded business lines into several key states previously dominated by their competition. Senior members of the CIS group and Project Management Office identified a core weakness specifically in IT Risk Management and Process and Compliance Management mostly due to the differences in compliance regulations for privately held vs. publicly traded companies. What they lacked was a process improvement manager and an IT Risk and Compliance Manager who had experience in publicly traded regulatory compliance. American Partners was engaged at this point. Alternatives Considered Our client had no plan B. In their mind, there was no other alternative. The only way to avoid unnecessary audits and market pressure from their publicly traded competition was to hold themselves to the exact same standards. Identified Resource American Partners quickly tapped its vast network of IT Professionals and in a matter of weeks was able to make several introductions to the PMO and CIS executives to further assess the daunting challenge of bringing a privately help insurance company into line with the same IT Risk and Compliance regulations of a publicly-traded company in order to avoid undue audits as market share increased across the country. American Partners provided the expertise of one IT Risk and Compliance Manager and one IT Process Improvement Manager who had both taken 2 of the largest companies in America from privately held to publicly traded and back again, directly addressing the process with “boots on the ground” experience. Consultant Action & Solutions Our consultants were immediately put to work tackling IT Risk and Security initiatives and a Process Improvement overhaul that included the formation of a Vendor Risk team. Our Security consultant increased penetration testing and facilitated internal and third-party attestations, audits, and certification efforts for the IT organization. They also rolled out a corporate-wide IT security training initiative while coordinating audit testing, documentation, self-assessment testing, and remediation activities All of this allowed the client to gain market share at a more rapid pace avoiding costly audits and delays in state licensing.

Division Career Tips, Company Culture, Executive Leadership, Team Building, Tomorrow's Talent December 12, 2018 Ethics can be an overused, buzzword in society today and we can become callused and non-responsive when we hear that term. Additionally, we can have a hard time knowing how to apply it in the various circumstances we face. By definition, ethics are the moral principles that govern a person’s behavior or the conducting of an activity. The word INTEGRITY is the quality of being honest and having strong moral principles. It is a trait that is also seen as being the same on the inside as shown on the outside. CHARACTER is the mental and moral qualities distinctive to an individual. To further delineate this, ethics is about integrity and integrity is about character. Character is the essence of who a person is and is more than talk; it is a choice to develop this principle. People can’t ultimately rise above severe problems in their character but the strong character in a person can usher in success. Consider using the terms character and integrity to keep this topic fresh and relevant to everyday actions. Furthermore, this topic should not be segmented by work, home or other areas. Integrity and character are who we are as a person and should be how we live in all areas of our life. Many employees in the realm of finance and accounting have been faced with situations where they were explicitly told or implicitly pressured to do something that contradicted their personal values. Dr. Mary Gentile, the creator, and director of Giving Voice to Values, after a career as a professor of ethics, chose to design a method of application, focusing on the implementation of ethics, so that decision making with integrity would become a habit. After years of lecturing, she determined that just teaching and talking about ethics was probably unethical, futile, and hypocritical as it just reiterated issues without helping individuals reach real solutions. She listed the following decades of scandals as historical references to the challenges we have faced: 1970’s – Defense Industry 1980’s – Insider Trading 1990’s – Dot-com Bubble 2000’s – Global Financial Crisis (Enron, WorldCom, Parmalat, Galleon Group) 2010’s – Wells Fargo, Volkswagen Discussion Groups From traditional teaching, she found that in discussion groups, thinking would become complicated and groups tend to focus on one- or two people’s voices who may not believe the most ethical path can be accomplished. She also discovered that almost all students had stories about being pressured to violate their own code of ethics, and, of these, none were from more troubled backgrounds, or had more organizational knowledge than others. The ones that succeeded were those who had made good choices and engaged in ethical practices earlier in their lives and careers. The writer thought leader, and leadership guru, John Maxwell purports that first, there needs to be a standard to follow and then the will to follow that standard. As for a standard, a common rule found in almost all cultures and religious organizations is to ‘do to others what you want to be done to you.’ This is commonly referred to as the Golden Rule. Golden Rule This Golden Rule is widely accepted, easily understood, mutually beneficial arrangement, and an internal compass for those times we need direction. If we contemplate how do we want to be treated and then, in turn, replicate that to others, usually we will be working a best-case scenario. Generally, we want to be valued, appreciated, trusted, respected, and understood. Moreover, we do not want others to take advantage of us. If we treat others this way, we will be walking in integrity, building good character, and making ethical decisions. The next step is the will to follow that standard or how to apply it. Dr. Gentile learned that rescuers from the Holocaust survived by having rehearsed ethical scenarios out loud with someone more senior than them at some point earlier in their life. They had identified behaviors that mattered to them, named them, and then voiced them to a leader. Behaviors and strategies enabled them to find better solutions to problems. Instead of teaching people (or ourselves) into thinking their way into a different way to act, we need to be acting to a different way of thinking. We need to rehearse these actions in the same way we may need to use it so that even if we temporarily stop or get distracted, we can still naturally move in the process. This is like an athlete who continually practices so they can be ready for in-game strategic plays, or a family who reviews emergency scenarios in their home so they will be able to act quickly in times of crisis. Successful outcomes to decision making during times of ethical crisis came down to being strategic and tactical, reframing the challenge and utilizing the tools already known. These tools can include, power, influence, negotiation skills, building coalitions, and applied education. Whereas the classroom lectures had taught models of reasoning, the alternate application of strategy allows for more practical implementation. Giving Voice to Value The basis of “Giving Voice to Value” is to create awareness, analysis and then continue this by a process with action. Case studies are intentionally short, based on people in all levels of the organizations, and from the protagonist view that has already decided on the ethical thing to do. The question asked is not WHAT is the right thing to do but HOW to get the right thing done. Answering the question “If the right thing to do is X, how can that get done?” This allows for creative thinking and problem-solving. Instead of the conversation being about the areas of ‘thou shalt not’, it’s about what we can do and how to go about that process. In doing this, we need to establish credibility based on the reality of the context and start from a position of respect. This is a nuanced, sophisticated and tactical approach which might include several different types of methods including: Writing a memo Asking questions Having someone talk for you to the decision-maker Making sure someone else is on the right committee or Building a distinct network over time Gentile states that the goal isn’t necessarily to change a person’s mind on what is or is not ethical but to give people the skills that they need to be who they already are at their best. Practice gives the opportunity to shape character and develop integrity. To reiterate, ethics is about integrity and integrity is about character. To make the best ethical decisions, we must practice good character and walk in integrity.

Division American Partners, Donovan & Watkins, Extrinsic, LJ Kushner & Associates, Professional Division, Vision Technology Services, Zycron December 5, 2018 An Executive Brief from Stephen Webster, MRE’s Chief Technology Officer Even a casual observer of the morning news is aware of the dangers hackers pose to American businesses. As an executive, you may be called upon to make decisions about how to protect your company’s data even if technology issues don’t normally fall under your responsibilities or expertise. Don’t worry — you don’t have to be a technology expert to make informed decisions about data protection. While every company has different security needs, a few simple guidelines can help give you a framework for making good decisions. KNOW YOUR DATA The first step in protecting your data is to know what data you have that might be valuable to cyber-thieves. Do you have volumes of private customer data? Do you have proprietary information that competitors could use to gain an advantage? Are you storing confidential data critical to your business strategy? The more valuable the data, the more security it will need. In addition, it is imperative to have working back-ups of the company’s key data and systems in place. With the rise of Ransomware and Malware aimed at these components, a backup is critical for protection and recovery in the case of an attack. Companies with large amounts of proprietary data, intellectual property, or other mission-critical information will need to consider stronger measures to safeguard their data. The more valuable the data, the more capable the intruder coming after it is likely to be. Also, be aware of what data you are legally required to protect. Privacy laws can allow corporate officials to be held personally liable if they don’t take adequate measures to secure certain sensitive information about customers and employees. If you don’t know what you are required to protect, ask information security or a legal expert for help. Remember, ignorance is no defense from the law. Expert advice can help you avoid legal troubles while you handle the setbacks that result from your data being compromised by hackers. SET THE RIGHT BUDGET How much money you need to spend to protect your data is a function of the value of that data. Spending too little on security can leave you and your firm open to some nasty surprises as motivated thieves circumvent your countermeasures. At the same time, it is possible to overprotect data out of fear and waste resources that could be better spent elsewhere. You have to decide on the proper balance to meet the needs of your firm. As a rule of thumb, firms should spend 5 to 12 percent of revenue on IT infrastructure. About 10 to 20 percent of that should be dedicated to IT security infrastructure. For many firms, this amounts to a sizeable expenditure. In such cases, it is a good idea to talk to outside IT security specialists to help establish what security level you need and what options are available. IT security is a specialty skill that is outside the expertise of many good IT departments. Security specialists can advise you on what you need to protect you from the most likely threats faced by your sensitive data. They can also recommend options that return greater security at a greater value. PUT THE RIGHT PROCESSES IN PLACE The human element is the single greatest risk in IT security. Good security is often foiled by the bad behavior of employees. Workers use weak passwords, lose laptops, open suspicious e-mail attachments, and sometimes let strangers access systems without thinking of the consequences. Employees can also forget to log out of computers and leave passwords lying out in the open. Furthermore, employees often download unapproved software, which can be a pathway for attackers. Most security breaches ultimately lead back to negligent behaviors. The best solution for this giant security hole is to have good procedures with proper controls and regular training in their use. Don’t count on technology to protect you from bad habits. THINK LAYERS No security system is foolproof. The key is to put enough layers of defense in place to discourage hackers and cause them to look for easier prey. Too many companies make the mistake of building a strong outer shell that they think is impenetrable. Once an intruder breaches that shell, the entire corporate data infrastructure is open. Instead, you want layers within layers of security. This greatly increases the chances of a hacker becoming frustrated or detected before he or she can reach sensitive information. A good system should also leave an extensive audit trail. If nothing else, this gives the security experts a clear path to follow in the event of a breach to track down and patch the hole in the defenses. STAY CURRENT You can never let your guard down. Cutting-edge viruses are constantly being developed to enable new methods of bypassing a system’s security. It is vital to stay up to date on current cyber-security trends and technology to prevent and prepare for security breaches. In their effort to stay current, software companies are constantly releasing new patches for their applications. Delaying an update allows cyber-criminals more time to become familiar with the targeted system and puts your system at greater risk. For example, the recent WannaCry and Petya ransomware attacks could have been prevented through proper and timely patching of the Microsoft operating system. RECOVERY So what do you do if all of your security fails, and you wake up one morning to find your company has been breached and its data stolen? The first rule is to stay calm. Figure out exactly what has happened and make sure you understand all the facts. The worst thing you can do is overreact. Don’t shut down your entire network in a panic and stay offline until you feel safe. Determine what was taken and who will be affected by the stolen data. Then alert those people as soon as possible. Trying to hide a data breach that puts other people in jeopardy can damage your corporate image and reputation, which in the end may do more injury to the firm than the data breach. Alerting the right people includes alerting the authorities, such as the FBI. Every country has an organization that should be contacted as soon as you assess what has happened. They can help deal with the problem and possibly help track down the threat. In cases of a virus requesting payment, it is recommended to never pay the ransom. Don’t try to solve the problem on your own or waste time thinking about striking back or taking revenge. Many hacking attacks are undertaken by criminal organizations and even foreign governments who likely have more resources than you. The best advice is to focus on patching the holes and taking care of your customers. Let the proper authorities find the perpetrator and take appropriate legal action. A security breach will often require outside experts to help resolve all the problems. Not only do IT security professionals have the specialized knowledge needed to help, but they can also provide good advice that isn’t tainted by the emotional shock of the breach that is affecting inside personnel. Don’t be afraid to admit when you need help. PUBLIC RELATIONS If members of the public were affected by the breach, the right thing to do is let them know with a public announcement. Be clear about who is at risk and reassure them that you are taking measures to fix it. Put measures in place to help them recover. If personal credit information was taken, offer to pay for a year of credit monitoring or some other compensation. Not only is this the responsible thing to do, but it can also further protect your brand from credibility damage. At this point in the crisis, a good public relations department can be invaluable in crafting a message and creating a proper response plan. If your company doesn’t have a public relations department, consider hiring a reputable outside firm to assist you. CONCLUSION You don’t have to be a technology expert to make good management decisions in regards to guarding data as long as you remember a few simple guidelines. Make sure you understand what your valuable data is and to whom it has value. Invest properly in data security and consult experts when needed. Support the technology you purchase with good policies that are monitored for compliance and constantly reinforced through training. Be proactive in ensuring that your defenses are properly layered and employees informed. In the event you do get hacked, respond appropriately and transparently with help from the proper authorities. The biggest thing to remember is to make it as hard as possible for unauthorized users to access your valuable data. Hackers seek out the path of least resistance. You don’t have to make your network an impregnable fortress. You have to make it just hard enough to discourage intruders so they seek easier targets elsewhere. About the Author: Stephen Webster, Chief Technology Officer, MRE Consulting, Ltd. Stephen is a recognized expert at designing and implementing infrastructure solutions and services for Global Fortune 250 companies. He has provided expert commentary on topics ranging from data security to cloud computing and has been featured on Bauer Business Focus, NPR and CBS Radio.

Division Accounting and Finance, BGSF, Career Tips July 10, 2018 With an estimated 7,500 state and local taxing jurisdictions and the complexity of state and local sales and use tax laws and regulations in these different jurisdictions, ensuring that your company is in compliance with these laws and regulations can be a difficult task. Recent research suggests that there may be as much as $26 billion in uncollected sales & use tax from e-commerce transactions alone. In an attempt to recover some of this uncollected sales & use tax, state and local taxing jurisdictions are increasing compliance activities and attempting to expand what constitutes business presence in their jurisdictions. In this increased compliance environment, companies need to be proactive rather than reactive in the area of sales and use tax compliance. The time to prepare for a sales & use tax audit is before an audit assignment is received. To prepare for a sales and use tax audit, companies need to conduct a thorough assessment of their business activities to determine in which taxing jurisdictions they have a compliance responsibility. Once that has been determined, the company needs to establish policies and procedures to ensure that they are in compliance with all applicable laws and regulations in those jurisdictions where a sales and use tax filing responsibility exists. To ensure compliance and reduce audit exposure, it is important for companies to maintain and leverage sales & use tax domain expertise, whether in-house or through a third-party professional services provider. Following is a list of best practices that can be adopted to ensure adequate sales and use tax compliance and minimize potential adverse audit assessments. Sales & Use Tax Best Practices Be proactive rather than reactive in sales & use tax compliance Perform nexus study to determine in which jurisdictions registration is required Review business activities to determine the taxability of products and services in applicable jurisdictions Register to collect and remit sales & use tax in all applicable jurisdictions Automate workflow from taxability determination to tax remittance to ensure timely and accurate compliance Automate tax rate updates to ensure accurate tax calculations Document exempt sales and maintain exemption certificate documentation Research all tax notices and audit findings to confirm the validity Stay current on laws and regulations

Division Accounting and Finance, Executive Leadership, Information Technology June 21, 2018 Auditing Transition Adjustments Obtaining an understanding of a company’s selection and application of accounting principles is part of the auditor’s procedures to identify and evaluate risks of material misstatement under PCAOB standards. Additionally, the auditor is required to evaluate a change in accounting principle to determine whether the method of accounting for the effect of a change in accounting principle is in conformity with generally accepted accounting principles and whether the disclosures related to the accounting change are adequate. The new revenue standard provides two transition options for applying the new standard (full or modified retrospective application). A full retrospective application requires the recasting of prior year financial statements as if the new standard had been applied in those years. In contrast, a modified retrospective application requires disclosure of the effect on each financial statement line item in the period of application, and explanations of significant changes between the reported results under the new standard and those that would have been reported under current accounting principles. Under either option, the company recognizes the cumulative effect of adopting the new standard against opening equity of the earliest period of application. The new revenue standard also provides optional practical expedients that may be applied during the transition. The standard requires the practical expedients to be consistently applied and disclosed in the financial statements. It is important for auditors to identify and assess the risks of material misstatement associated with the company’s transition adjustments and design and implement audit responses that address those assessed risks. Specific considerations in assessing and responding to the risks of material misstatement of the transition adjustments include, among others, (a) internal control over financial reporting, (b) data that may not have been audited previously, (c) opportunities for committing and concealing fraud, and (d) prior-period misstatements identified in the current period’s audit. Internal controls over the transition adjustments will generally be relevant to the audit, including in selecting controls to test in an audit of financial statements (if the auditor plans to rely on such 1.12 18 controls) or an audit of internal control over financial reporting. As described in Practice Alert No. 11, auditors are cautioned that controls must be tested directly to obtain evidence about its effectiveness; an auditor cannot merely infer that control is effective because no misstatements were detected by substantive procedures. This applies to the evaluation of evidence about the effectiveness of internal controls over the transition adjustments. Auditing transition adjustments involves obtaining company-produced information (e.g., standalone selling prices of the distinct goods or services underlying each performance obligation). As is the case generally with company-produced information, the auditor should perform procedures to evaluate whether the information produced by the company is sufficient and appropriate for purposes of the audit. In situations where management has asserted in the financial statements that the company’s transition adjustments are immaterial, it is important for auditors to perform procedures to test the accuracy of management’s assertions. The transition adjustments could pose new or heightened fraud risks. For example, a company could improperly identify performance obligations or improperly allocate transaction prices to performance obligations to defer revenue in order to recognize that revenue in subsequent periods. Auditors should evaluate whether the information gathered in obtaining an understanding of the company’s transition adjustments indicates that one or more fraud risk factors are present and should be taken into account in identifying and assessing fraud risks. When auditing the company’s transition adjustments, the auditor may identify a misstatement of revenue reported in prior-period financial statements. The auditor should perform procedures described in AS 2905, Subsequent Discovery of Facts Existing at the Date of the Auditor’s Report, to determine whether or not the financial statements and auditor’s report should be revised as a consequence of the misstatement. Considering Internal Control over Financial Reporting PCAOB standards require the auditor to obtain a sufficient understanding of each component of internal control over financial reporting to (a) identify the types of potential misstatements, (b) assess the factors that affect the risks of material misstatement, and (c) design further audit procedures. Changes to company processes for the implementation of the new revenue standard can affect one or more components of internal control. For 19 relating to this principle is management evaluating competence across the organization and in outsourced service providers and acting as necessary to address any shortcomings identified. In addition, new or modified processes and systems to gather contract data, develop new estimates, and support new financial statement disclosures can affect the auditor’s risk assessment. Performing walkthroughs can help the auditor understand the flow of transactions, evaluate the design of controls relevant to the audit, and determine whether those controls have been implemented. In an audit of internal control, walkthroughs can also be an effective way to further understand the likely sources of potential misstatements and select controls to test. Internal Control-Related Considerations The following discussion highlights certain internal control-related considerations that may be relevant to auditing the implementation of the new revenue standard in audits of internal control over financial reporting and audits of financial statements. – Information system and manual controls. The auditor should obtain an understanding of the information system relevant to financial reporting, including, among other things, (a) the related business processes; (b) the related accounting records and supporting information used to initiate, authorize, process, and record transactions; and (c) how the information system captures events and conditions, other than transactions, that are significant to the financial statements. As discussed in Practice Alert No. 11, how a company uses or modifies its information systems (e.g., upon implementation of the new revenue standard) can affect internal controls and, in turn, the auditor’s evaluation of those controls. The auditor should obtain an understanding of, among other things: • The extent of manual controls and automated controls related to revenue used by the company, including the information technology general controls (“ITGCs”) that are important to the effective operation of the automated controls; and • the specific risks to a company’s internal control resulting from information technology. During the transition to the new revenue standard, some companies might utilize spreadsheets and other short-term manual processes until automated processes and controls are implemented. These short-term manual processes may present different or greater risks of material misstatement than automated processes subject to effective ITGCs. – Management review controls. Some companies may design and implement management review controls over revenue as part of their implementation of the new revenue standard. When testing management review controls, PCAOB standards require the auditor to perform procedures to obtain evidence about how those controls are designed and operate to prevent or detect misstatements. Practice Alert No. 11 described considerations for evaluating the precision of management review controls and identifies factors, such as the level of aggregation and the criteria for investigation, that can affect the level of precision of an entity-level control. 1.14 20 When selecting and testing management review controls over revenue, it is important for auditors to consider the impact of the new revenue standard on management review controls that rely on expectations based on historical operations or trends. Further, controls over the accuracy and completeness of the information used to perform the management review control can affect the control’s operating effectiveness. – Reviews of interim financial information. The auditor’s understanding of internal control is also important when performing a review of interim financial information. The auditor should have sufficient knowledge of the company’s business and its internal control as they relate to the preparation of both annual and interim financial information to: Identify the types of potential material misstatements in the interim financial information and consider the likelihood of their occurrence; and Select the inquiries and analytical procedures that will provide the auditor with a basis for communicating whether he or she is aware of any material modifications that should be made to the interim financial information for it to conform with generally accepted accounting principles. The auditor should perform procedures to update his or her knowledge of the company’s business and its internal control during the interim review to (a) aid in the determination of the inquiries to be made and the analytical procedures to be performed and (b) identify particular events, transactions, or assertions to which the inquiries may be directed or analytical procedures applied. Such procedures should include, among other things, inquiries of management about changes to the company’s business activities, and the nature and extent of changes to internal control. Identifying and Assessing Fraud Risks The auditor should presume that there is a fraud risk involving improper revenue recognition and evaluate which types of revenue, revenue transactions, or assertions may give rise to such risks. Auditors should perform substantive procedures, including tests of details that are specifically responsive to the assessed fraud risks. As discussed in Practice Alert No. 12, performing such procedures involves (a) considering the ways management could intentionally misstate revenue and related accounts and how they might conceal such misstatements, and (b) designing audit procedures directed toward detecting intentional misstatements. Identifying specific fraud risks arising from the implementation of the new revenue standard involves having a sufficient understanding of the standard as well as the company’s processes, systems, and controls over its implementation of the standard. Fraud risks may exist at various levels and in different areas of a company. PCAOB standards require auditors to make certain fraud-related inquiries of management, the audit committee (or the equivalent), and others within the company. Key engagement team members, including the engagement partner, should brainstorm about how and where they believe the company’s revenue and related accounts might be susceptible to fraud. They should also discuss how management could perpetrate and conceal fraud, including by omitting or presenting incomplete or inaccurate disclosures. Brainstorming also includes discussing factors that might (a) create incentives or pressures for management and others to commit fraud, (b) provide the opportunity for management to perpetrate fraud, and (c) indicate a culture or environment that enables management to rationalize committing fraud. One potential incentive for fraud arises when new accounting requirements affect a company’s reported financial performance. When combined with excessive pressure to meet expectations of third parties or targets set by the board of directors or management, this could create the motivation to misstate revenue to achieve these expectations. For example, management could establish incorrect accounting policies and practices that achieve revenue targets when the correct application of the new revenue standard would result in revenue below expectations. Opportunities for fraud in implementing the new revenue standard may arise in the development of significant new accounting estimates or due to control deficiencies that might result from changes made to systems, processes, and controls to implement the new standard. For example, companies may be required to develop estimates for variable consideration and standalone selling prices, which might involve subjective judgments or uncertainties that are difficult to corroborate. Risk Factors Certain risk factors may reflect attitudes or rationalizations by board members, management, or employees that lead them to engage in or justify fraudulent financial reporting, and may not be susceptible to observation by the auditor. Nevertheless, an auditor who becomes aware of the existence of such information should consider it in identifying the risks of material misstatement arising from fraudulent financial reporting. Examples of risk factors that might arise in connection with implementation of the new revenue standard are (a) non-financial management’s excessive participation in, or preoccupation with, the selection of accounting principles or the determination of significant estimates, and (b) attempts by management to justify marginal or inappropriate accounting on the basis of materiality. The auditor’s identification of fraud risks should also include the risk of management override of controls. Controls over management override are important to effective internal control over financial reporting for all companies and may be particularly important at smaller companies because of the increased involvement of senior management in performing controls and in the period-end financial reporting process. Furthermore, the auditor should emphasize to all engagement team members the need to maintain a questioning mind throughout the audit and to exercise professional skepticism in gathering and 1.16 22 evaluating evidence. Practice Alert No. 10 identifies a number of threats to professional skepticism inherent in the audit environment. Auditors should be mindful that circumstances related to the implementation of the new revenue standard may increase such threats in some audits. Circumstances, where a company is late in implementing the new revenue standard, might create incentives and pressures on the auditor that could inhibit the exercise of professional skepticism and allow unconscious bias to prevail. Incentives and pressures may arise, for example, to avoid significant conflicts with management or provide an unqualified audit opinion prior to obtaining sufficient appropriate audit evidence. In addition, the implementation of the new revenue standard could heighten scheduling and workload demands, putting pressure on partners and other engagement team members to complete their assignments too quickly. This might lead auditors to seek audit evidence that is easy to obtain but may not be sufficient and appropriate, to obtain less evidence than is necessary, or to give undue weight to confirming evidence without adequately considering contrary evidence. As discussed in Practice Alert No. 12, auditors who merely identify revenue as having a general risk of improper revenue recognition without attempting to assess ways in which revenue could be intentionally misstated may find it difficult to develop meaningful responses to the identified fraud risks. Conclusion Because of the nature and importance of the matters covered in this practice alert, it is particularly important for the engagement partner and senior engagement team members to focus on these areas and for engagement quality reviewers to keep these matters in mind when conducting their engagement quality reviews. Auditing firms may find this practice alert helpful in determining whether additional training of their personnel, revisions to their methodologies or implementation thereof or other steps are needed to assure that PCAOB standards are followed . Auditors and auditing firms might also find certain matters discussed in this practice alert to be relevant to their preparations for auditing the application of new accounting standards on leases and credit losses. The PCAOB will continue to monitor auditing of revenue as part of its ongoing oversight activities.

Division Accounting and Finance, BGSF, Executive Leadership June 21, 2018 Auditing Transition Adjustments Obtaining an understanding of a company’s selection and application of accounting principles is part of the auditor’s procedures to identify and evaluate risks of material misstatement under PCAOB standards. Additionally, the auditor is required to evaluate a change in accounting principle to determine whether the method of accounting for the effect of a change in accounting principle is in conformity with generally accepted accounting principles and whether the disclosures related to the accounting change are adequate. The new revenue standard provides two transition options for applying the new standard (full or modified retrospective application). A full retrospective application requires the recasting of prior year financial statements as if the new standard had been applied in those years. In contrast, a modified retrospective application requires disclosure of the effect on each financial statement line item in the period of application, and explanations of significant changes between the reported results under the new standard and those that would have been reported under current accounting principles. Under either option, the company recognizes the cumulative effect of adopting the new standard against opening equity of the earliest period of application. The new revenue standard also provides optional practical expedients that may be applied during the transition. The standard requires the practical expedients to be consistently applied and disclosed in the financial statements. It is important for auditors to identify and assess the risks of material misstatement associated with the company’s transition adjustments and design and implement audit responses that address those assessed risks. Specific considerations in assessing and responding to the risks of material misstatement of the transition adjustments include, among others, (a) internal control over financial reporting, (b) data that may not have been audited previously, (c) opportunities for committing and concealing fraud, and (d) prior-period misstatements identified in the current period’s audit. Internal controls over the transition adjustments will generally be relevant to the audit, including in selecting controls to test in an audit of financial statements (if the auditor plans to rely on such 1.12 18 controls) or an audit of internal control over financial reporting. As described in Practice Alert No. 11, auditors are cautioned that a control must be tested directly to obtain evidence about its effectiveness; an auditor cannot merely infer that a control is effective because no misstatements were detected by substantive procedures. This applies to evaluating evidence about the effectiveness of internal controls over the transition adjustments. Auditing transition adjustments involves obtaining company-produced information (e.g., standalone selling prices of the distinct goods or services underlying each performance obligation). As is the case generally with company-produced information, the auditor should perform procedures to evaluate whether the information produced by the company is sufficient and appropriate for purposes of the audit. In situations where management has asserted in the financial statements that the company’s transition adjustments are immaterial, it is important for auditors to perform procedures to test the accuracy of management’s assertions. The transition adjustments could pose new or heightened fraud risks. For example, a company could improperly identify performance obligations or improperly allocate transaction prices to performance obligations to defer revenue in order to recognize that revenue in subsequent periods. Auditors should evaluate whether the information gathered in obtaining an understanding of the company’s transition adjustments indicates that one or more fraud risk factors are present and should be taken into account in identifying and assessing fraud risks. When auditing the company’s transition adjustments, the auditor may identify a misstatement of revenue reported in prior-period financial statements. The auditor should perform procedures described in AS 2905, Subsequent Discovery of Facts Existing at the Date of the Auditor’s Report, to determine whether or not the financial statements and auditor’s report should be revised as a consequence of the misstatement. Considering Internal Control over Financial Reporting PCAOB standards require the auditor to obtain a sufficient understanding of each component of internal control over financial reporting to (a) identify the types of potential misstatements, (b) assess the factors that affect the risks of material misstatement, and (c) design further audit procedures. Changes to company processes for the implementation of the new revenue standard can affect one or more components of internal control. For 19 relating to this principle is management evaluating competence across the organization and in outsourced service providers and acting as necessary to address any shortcomings identified. In addition, new or modified processes and systems to gather contract data, develop new estimates, and support new financial statement disclosures can affect the auditor’s risk assessment. Performing walkthroughs can help the auditor understand the flow of transactions, evaluate the design of controls relevant to the audit, and determine whether those controls have been implemented. In an audit of internal control, walkthroughs can also be an effective way to further understand the likely sources of potential misstatements and select controls to test. Internal control-related considerations The following discussion highlights certain internal control-related considerations that may be relevant to auditing the implementation of the new revenue standard in audits of internal control over financial reporting and audits of financial statements. – Information system and manual controls. The auditor should obtain an understanding of the information system relevant to financial reporting, including, among other things, (a) the related business processes; (b) the related accounting records and supporting information used to initiate, authorize, process, and record transactions; and (c) how the information system captures events and conditions, other than transactions, that are significant to the financial statements. As discussed in Practice Alert No. 11, how a company uses or modifies its information systems (e.g., upon implementation of the new revenue standard) can affect internal controls and, in turn, the auditor’s evaluation of those controls. The auditor should obtain an understanding of, among other things: • The extent of manual controls and automated controls related to revenue used by the company, including the information technology general controls (“ITGCs”) that are important to the effective operation of the automated controls; and • The specific risks to a company’s internal control resulting from information technology. During the transition to the new revenue standard, some companies might utilize spreadsheets and other short-term manual processes until automated processes and controls are implemented. These short-term manual processes may present different or greater risks of material misstatement than automated processes subject to effective ITGCs. – Management review controls. Some companies may design and implement management review controls over revenue as part of their implementation of the new revenue standard. When testing management review controls, PCAOB standards require the auditor to perform procedures to obtain evidence about how those controls are designed and operate to prevent or detect misstatements. Practice Alert No. 11 described considerations for evaluating the precision of management review controls and identifies factors, such as the level of aggregation and the criteria for investigation, that can affect the level of precision of an entity-level control. 1.14 20 When selecting and testing management review controls over revenue, it is important for auditors to consider the impact of the new revenue standard on management review controls that rely on expectations based on historical operations or trends. Further, controls over the accuracy and completeness of the information used to perform the management review control can affect the control’s operating effectiveness. – Reviews of interim financial information. The auditor’s understanding of internal control is also important when performing a review of interim financial information. The auditor should have sufficient knowledge of the company’s business and its internal control as they relate to the preparation of both annual and interim financial information to: Identify the types of potential material misstatements in the interim financial information and consider the likelihood of their occurrence; and Select the inquiries and analytical procedures that will provide the auditor with a basis for communicating whether he or she is aware of any material modifications that should be made to the interim financial information for it to conform with generally accepted accounting principles. The auditor should perform procedures to update his or her knowledge of the company’s business and its internal control during the interim review to (a) aid in the determination of the inquiries to be made and the analytical procedures to be performed and (b) identify particular events, transactions, or assertions to which the inquiries may be directed or analytical procedures applied. Such procedures should include, among other things, inquiries of management about changes to the company’s business activities, and the nature and extent of changes to internal control. Identifying and Assessing Fraud Risks The auditor should presume that there is a fraud risk involving improper revenue recognition and evaluate which types of revenue, revenue transactions, or assertions may give rise to such risks. Auditors should perform substantive procedures, including tests of details that are specifically responsive to the assessed fraud risks. As discussed in Practice Alert No. 12, performing such procedures involves (a) considering the ways management could intentionally misstate revenue and related accounts and how they might conceal such misstatements, and (b) designing audit procedures directed toward detecting intentional misstatements. Identifying specific fraud risks arising from the implementation of the new revenue standard involves having a sufficient understanding of the standard as well as the company’s processes, systems, and controls over its implementation of the standard. Fraud risks may exist at various levels and in different areas of a company. PCAOB standards require auditors to make certain fraud-related inquiries of management, the audit committee (or the equivalent), and others within the company. Key engagement team members, including the engagement partner, should brainstorm about how and where they believe the company’s revenue and related accounts might be susceptible to fraud. They should also discuss how management could perpetrate and conceal fraud, including by omitting or presenting incomplete or inaccurate disclosures. Brainstorming also includes discussing factors that might (a) create incentives or pressures for management and others to commit fraud, (b) provide the opportunity for management to perpetrate fraud, and (c) indicate a culture or environment that enables management to rationalize committing fraud. One potential incentive for fraud arises when new accounting requirements affect a company’s reported financial performance. When combined with excessive pressure to meet expectations of third parties or targets set by the board of directors or management, this could create the motivation to misstate revenue to achieve these expectations. For example, management could establish incorrect accounting policies and practices that achieve revenue targets when the correct application of the new revenue standard would result in revenue below expectations. Opportunities for fraud in implementing the new revenue standard may arise in the development of significant new accounting estimates or due to control deficiencies that might result from changes made to systems, processes, and controls to implement the new standard. For example, companies may be required to develop estimates for variable consideration and standalone selling prices, which might involve subjective judgments or uncertainties that are difficult to corroborate. Risk Factors Certain risk factors may reflect attitudes or rationalizations by board members, management, or employees that lead them to engage in or justify fraudulent financial reporting, and may not be susceptible to observation by the auditor. Nevertheless, an auditor who becomes aware of the existence of such information should consider it in identifying the risks of material misstatement arising from fraudulent financial reporting. Examples of risk factors that might arise in connection with implementation of the new revenue standard are (a) non-financial management’s excessive participation in, or preoccupation with, the selection of accounting principles or the determination of significant estimates, and (b) attempts by management to justify marginal or inappropriate accounting on the basis of materiality. The auditor’s identification of fraud risks should also include the risk of management override of controls. Controls over management override are important to effective internal control over financial reporting for all companies and may be particularly important at smaller companies because of the increased involvement of senior management in performing controls and in the period-end financial reporting process. Furthermore, the auditor should emphasize to all engagement team members the need to maintain a questioning mind throughout the audit and to exercise professional skepticism in gathering and 1.16 22 evaluating evidence. Practice Alert No. 10 identifies a number of threats to professional skepticism inherent in the audit environment. Auditors should be mindful that circumstances related to the implementation of the new revenue standard may increase such threats in some audits. Circumstances, where a company is late in implementing the new revenue standard, might create incentives and pressures on the auditor that could inhibit the exercise of professional skepticism and allow unconscious bias to prevail. Incentives and pressures may arise, for example, to avoid significant conflicts with management or provide an unqualified audit opinion prior to obtaining sufficient appropriate audit evidence. In addition, the implementation of the new revenue standard could heighten scheduling and workload demands, putting pressure on partners and other engagement team members to complete their assignments too quickly. This might lead auditors to seek audit evidence that is easy to obtain but may not be sufficient and appropriate, to obtain less evidence than is necessary, or to give undue weight to confirming evidence without adequately considering contrary evidence. As discussed in Practice Alert No. 12, auditors who merely identify revenue as having a general risk of improper revenue recognition without attempting to assess ways in which revenue could be intentionally misstated may find it difficult to develop meaningful responses to the identified fraud risks. Conclusion Because of the nature and importance of the matters covered in this practice alert, it is particularly important for the engagement partner and senior engagement team members to focus on these areas and for engagement quality reviewers to keep these matters in mind when conducting their engagement quality reviews. Auditing firms may find this practice alert helpful in determining whether additional training of their personnel, revisions to their methodologies or implementation thereof or other steps are needed to assure that PCAOB standards are followed. Auditors and auditing firms might also find certain matters discussed in this practice alert to be relevant to their preparations for auditing the application of new accounting standards on leases and credit losses. The PCAOB will continue to monitor auditing of revenue as part of its ongoing oversight activities.

Division Accounting and Finance, BGSF June 2, 2018

Division Accounting and Finance, BG Multifamily, BG Talent, Real Estate Division August 22, 2017 Leasing is widely used to address a variety of business needs, from short-term asset use to long-term asset financing. Sometimes leasing is the only option available to obtain the use of a physical asset, such as office space. Leasing transactions today represent over $1.4 trillion in off-balance-sheet financing. Because of its magnitude, many have argued that the disclosures prior to the new pronouncement were inadequate. The FASB and IASB initiated a joint project on leases in 2006 as part of the global convergence effort. After issuing two exposure drafts, extensive outreach and re-deliberations to address the concerns raised by stakeholders, the FASB and IASB issued separate lease accounting standards that diverged in significant areas. Key Provisions The main difference between previous GAAP and ASC 842 is the recognition of lease assets and lease liabilities by lessees for those leases classified as operating leases under previous GAAP. The FASB reached the conclusion that the economics of lease transactions may be different between leases and therefore ASC 842 retains a distinction between finance leases and operating leases. The recognition, measurement, and presentation of expenses and cash flows arising from a lease by a lessee, have not significantly changed from previous GAAP. The principal difference from previous guidance is that the lease assets and lease liabilities arising from operating leases should be recognized in the statement of financial position. The core principle is that a lessee should recognize the assets and liabilities that arise from leases. A lessee should recognize in the statement of financial position a liability to make lease payments (the lease liability) and a right-of-use asset representing its right to use the underlying asset for the lease term. When measuring assets and liabilities arising from a lease, a lessee (and a lessor) should include payments to be made in optional periods only if the lessee is reasonably certain to exercise an option to extend the lease or not to exercise an option to terminate the lease. Similarly, optional payments to purchase the underlying asset should be included in the measurement of lease assets and lease liabilities only if the lessee is reasonably certain to exercise that purchase option. For finance leases, a lessee is required to do the following: Recognize a right-of-use asset and a lease liability, initially measured at the present value of the lease payments, in the statement of financial position Recognize interest on the lease liability separately from amortization of the right-of-use asset in the statement of comprehensive income Classify repayments of the principal portion of the lease liability within financing activities and payments of interest on the lease liability and variable lease payments within operating activities in the statement of cash flows. For operating leases, a lessee is required to do the following: Recognize a right-of-use asset and a lease liability, initially measured at the present value of the lease payments, in the statement of financial position Recognize a single lease cost, calculated so that the cost of the lease is allocated over the lease term on a generally straight-line basis Classify all cash payments within operating activities in the statement of cash flows. Effective Dates The new lease accounting pronouncements are effective for fiscal years beginning after December 15, 2018, including interim periods within those fiscal years, for any of the following: A public business entity; A not-for-profit entity that has issued, or is a conduit bond obligor for, securities that are traded, listed, or quoted on an exchange or an over-the-counter market; and, An employee benefit plans that file financial statements with the U.S. Securities and Exchange Commission (SEC). For all other entities, the amendments to the lease accounting rules are effective for fiscal years beginning after December 15, 2019, and interim periods within fiscal years beginning after December 15, 2020. Early application of the amendments in this update is permitted for all entities. Additional Resources Exhibits I and II – an example of the accounting treatment of an operating lease and an example of the accounting treatment for a finance lease. Exhibit III – a series of questions and answers concerning the new pronouncement. FASB video on lease accounting Exhibit IV – next steps slide from the luncheon presentation.

Division Career Tips, Company Culture, Executive Leadership, IT, Light Industrial Division, Professional Division, Real Estate Division June 17, 2017 Quality Assurance: A Necessary Ingredient for Internal Control Management’s ability to fulfill its financial reporting responsibilities often depends on the design and effectiveness of the processes and safeguards it has put in place over accounting. While no control system can absolutely assure that financial reports will never contain material errors or misstatements, companies must discuss how a quality assurance process can substantially reduce the risk of inaccuracies and can lead to an effective system of internal control over financial reporting. An increased focus on the adequacy of internal control systems by a wide variety of regulators is causing organizations to take a more systematic, risk-focused approach to managing their compliance efforts. A well-designed quality assurance program supports the process by which accounting judgments and estimates are made, and in turn the reliability of the financial reports. Considering the new standards on revenue recognition and lease accounting, it will become even more important for companies to have a robust system of controls. Most companies tend to have their upstream processes such as AP, AR, and fixed assets, covered, but it’s the downstream processes such as financial statements, footnotes, and MD&A that are often questioned. Below are general best practices to discuss internally when executing this strategy: A Quality Assurance (QA) program should be considered when an organization wants to minimize the risk/impact to Financial Reporting, Operations, and Reputation A risk based approach should be utilized when designing and implementing controls as well as establishing your QA program. Build effective relationships with Internal and External Auditors – leverage them as a “sounding board” QA Key Points: Be sure the individual(s) performing the QA are knowledgeable enough about the organization to identify when items should be questioned further or if the control was performed correctly As part of the QA review process, it is important to document the following: Key attributes or data points reviewed Items requiring additional follow-up Steps taken to address/resolve items requiring follow-up Timely resolution of items requiring additional follow-up Evidence to support the QA individual(s) review and approve the follow-up items have been resolved Include this information as part of the support to evidence the QA review occurred As part of the QA review process, it is also important the individual(s) performing the review validate the underlying data used to perform the control is complete and accurate. For example, the reviewer can inspect the parameters/filters used to obtain the data from a particular system for accuracy of the data that is included or excluded. Also, it’s worth mentioning that QA processes are needed at various levels of an organization, and if a company does not have resources, they should outsource competent QA resources. A good independent set of eyes can make all the difference with success in this endeavor.

Division Construction and Architecture, Engineering, Light Industrial Division, Professional Division, Real Estate Division, Smart Resources, Transport, Supply and Logistics February 17, 2015 From staffing to streamlining processes, today’s distribution centers face a number of challenges. Fortunately, InStaff is here to help. A leader in full-service recruiting, we pride ourselves on helping distribution centers maximize output. Here are some of our top strategies for distribution center success. Go green. These days, almost every industry is concerned with its carbon footprint, and distribution centers are no exception. To protect the environment, and your pocketbook, consider updating to more eco-friendly MDR conveyors. Along with using 30-60 percent less energy, MDR conveyors offer the added bonus of reducing noise levels in your facility. Measure velocity. Product velocity refers to a measure of mover speed at your distribution center. According to the experts, placing stock-keeping units in easy-to-access areas is essential to a distribution company’s success in the coming years. Additionally, you should keep ergonomics in mind to boost employee satisfaction rates at your business. Try cross-decking. Want to cut costs at your distribution center? Consider cross-decking, or moving goods straight from receiving to shipping. For best results, incorporate a receiving conveyor system into your warehouse. Conduct reporting. Looking for a less time-consuming way of assessing your current systems? At InStaff, we recommend that warehouses implement a software-based system of tracking performance. As a bonus, most of these programs allow you to track both employees and overall system function. Utilize automation. Checkweighers can have a significant impact on your warehouse’s quality control. Not only can you boost productivity by automating these systems, but you can also reduce the amount of time spent dealing with customer complaints about underweight or overweight packages. Consolidate vendors. While the economy is slowly recovering, many businesses are still looking for ways to save. By forming relationships with integrators, distribution companies have the opportunity to score the products they need at a lower price point. Automate wrapping. These days, customers expect to receive their orders in days instead of weeks. Automated pallet building and wrapping allow for speedier service with a reduced risk of product injury. Additionally, distribution centers that adopt this technology can reduce labor costs for their facilities. Automate printing. A long-time burden for distribution centers is printing and affixing labels before packages can be sent. With automated printing and labeling, your facility can enjoy improved accuracy rates on shipping with less manpower. Utilize multiple channels. Integrating your various distribution channels in one sitting is another great way for businesses to save. In addition to allowing for better inventory management, a multichannel approach lets companies cut costs while fulfilling orders more expediently. Look at outsourcing. Sick of handling all your distribution needs in-house? These days, many companies are outsourcing this role to another enterprise. This is a great option for businesses looking to save money while freeing themselves up to focus on other tasks.