Spring 2014 issue of Horizons

RubinBrown's Spring 2014 issue of Horizons covers the new priority: cyber security. The issue includes articles featuring ways to protect your agency, information technology due diligence and more.

horizons A publication by RubinBrown LLP Spring 2014

Cyber Security: The New Priority

FEATURING > Protect Your Organization with Cyber Resilience > BIG Problems with Small DATA > Information Technology Due Diligence: Often Overlooked but Vital to Deal Success PLUS > Private Company Financial Reporting: After Decades of Scrutiny, Relief May Finally Be Here > Outsourced Accounting: Paving the Way for Success in Our Economic Climate

TABLE OF CONTENTS

Features

Welcome from the Managing Partner

RubinBrown News

Chairman’s Corner

Protect Your Organization with Cyber Resilience

BIG Problems with Small DATA

Information Technology Due Diligence: Often Overlooked but Vital to Deal Success

Private Company Financial Reporting: After Decades of Scrutiny, Relief May Finally be Here

Outsourced Accounting: Paving the Way for Success in Our Economic Climate

Timely Reminders

Industry-Specific Articles

colleges & universities: Cyber Security Risks for Universities. New risk factors and creating a control system to protect a university’s assets and data.

manufacturing & distribution: Cyber Security in the Supply Chain. The risk of protecting information that exists with suppliers.

not-for-profit: An Update on Not-For-Profit Financial Reporting. Senior project manager covers FASB’s NFP Financial Reporting Initiative.

life sciences: Protecting Intellectual Property. Identifying IP inventory and mitigating IP risks.

construction: Succession Planning: An Introduction for Construction Companies. Building value, grooming a successor, transferring ownership, and other considerations for succession planning.

gaming: Regulating Online Gaming: A Focus on Security. A look at regulation from the first three states to legalize online gaming.

professional services: Safeguarding Electronic Health Records & Law Firm Security: Steps to Protect Your Firm. Safeguard protected health information; plus protect firm and client information at organization, technical and physical levels.

public sector: Data Analysis: A Resilient Approach to Control Spending. Using data analysis to impact the bottom line.

transportation & dealerships: Simple Steps to Increase Profitability for Transportation Companies & Auto Dealers. Tips to ensure you fully maximize profitability with your current revenue stream.

real estate: Positive News for the Historic Tax Credit Industry. Much anticipated Revenue Procedure 2014-12 establishes a safe harbor.

Chairman James G. Castellano, CPA, CGMA

Managing Partner John F. Herber, Jr., CPA, CGMA

Denver Office Managing Partner Gregory P. Osborn, CPA

Kansas City Office Managing Partner Todd R. Pleimann, CPA

Editor Dawn M. Martin

Art Director Jen Chapman

Horizons, a publication of RubinBrown LLP, is designed to provide general information regarding the subject matters covered. Although prepared by professionals, its contents should not be construed as the rendering of advice regarding specific situations. If accounting, legal or other expert assistance is needed, consult with your professional business advisor. Please call RubinBrown with any questions (contact information is located on the back cover). Under U.S. Treasury Department guidelines, we hereby inform you that any tax advice contained in this communication is not intended or written to be used, and cannot be used by you for the purpose of avoiding penalties that may be imposed on you by the Internal Revenue Service, or for the purpose of promoting, marketing or recommending to another party any transaction or matter addressed within this tax advice. Further, RubinBrown LLP imposes no limitation on any recipient of this tax advice on the disclosure of the tax treatment or tax strategies or tax structuring described herein.

Readers should not act upon information presented without individual professional consultation.

WELCOME FROM THE MANAGING PARTNER

There’s no doubt that cybercrime is on the rise. Cisco Systems Inc. reports that cybercrime was up 14% in 2013 from the year before.

Even more frightening are the statistics on loss and occurrence. Ponemon Institute reports that the cost of cybercrime has increased 26% since 2012 and further predicts that 3 out of 4 companies will be targeted by malicious web applications in this year alone.

While heavily covered in the media, cybercrime is a serious business issue that threatens all of us—no matter what our size. This is why we chose the topic of cyber security as our theme for this issue.

This is one of the largest issues of Horizons RubinBrown has ever published. There’s a lot of information to report on the topic of cyber security. And we hope that you glean some thought-provoking information and ideas from our research and writing.

In addition to several great feature articles on cyber resilience, big data, and IT due diligence, we have also included articles that focus on cybercrimes’ effect on several industries. Check out the cyber articles related to colleges and universities, gaming, life sciences, professional services and manufacturing & distribution.

I would welcome your feedback on ways we can continue to serve you as thought leaders in business as well as deliver “totally satisfied clients.” Please email me directly at john.herber@rubinbrown.com.

Pleasant reading,

John F. Herber Jr., CPA, CGMA Managing Partner

The Latest Trend: Cyber Security Start-Ups

Recent high-profile cyber security attacks like the data breach at Target have spurred an investment boom in cyber security companies. Research group PrivCo reports that early-stage funding for the cyber security sector soared almost 60% in 2013. Researchers expect that 2014 will bring more start-ups, along with subsequent transaction activity as security problems continue to increase, in tandem with our growing awareness of them.

RUBINBROWN NEWS

RubinBrown Publishes First Audit Quality Report

In January 2014, RubinBrown published its first-ever audit quality report. Audit quality reporting is intended to foster greater confidence in the audit process by assisting financial statement users, audit committee members and other stakeholders in understanding how an audit firm’s management and operations support the performance of high quality audits. The Public Company Accounting Oversight Board (PCAOB), which regulates the audits of public companies, is currently developing a concept release regarding audit quality reporting and audit quality indicators.

The concept release is expected to provide a definition of audit quality and include an audit quality framework. Additionally, there will be 25 to 30 potential audit quality indicators identified. Finally, there will be discussion of potential uses of the audit quality indicators.

You may access the report at www.RubinBrown.com/Audit-Quality .

RubinBrown Partner Amy Altholz Named Woman To Watch

Amy Altholz, CPA, partner and vice chair of RubinBrown’s Not-For-Profit Services Group, was recently honored as one of the Missouri Society of Certified Public Accountants (MSCPA) Women to Watch. The MSCPA Women to Watch Awards recognize women in accounting who have made significant contributions to the profession and development of women in their communities.

RubinBrown Partner Steven Harris Named 2014 Young Leader

Steven Harris, CPA, partner-in-charge of RubinBrown’s Entrepreneurial Services Group, was named one of the St. Louis American’s 2014 Young Leaders. The Young Leader Awards identify and honor committed, compassionate, generous professionals making a positive impact in the community.

RubinBrown Managing Partner John Herber Named to AICPA Governing Council

John Herber, Jr., CPA, CGMA, managing partner of RubinBrown, was nominated to the American Institute of Certified Public Accountants’ Council as an at-large member. The appointment is for a three-year term on the council. Herber also currently serves as chairman of the AICPA’s Professional Liability Insurance Program Committee.


RubinBrown Team Member Recognized with AICPA Elijah Watt Sells Award

RubinBrown team member Nathan Hutson, CPA, was recently presented with the 2013 Elijah Watt Sells Award from the American Institute of Certified Public Accountants. The award recognizes the individuals with a cumulative score above 95.50 across all four sections of the computerized Uniform CPA Examination.

RubinBrown Partner Sharon Latimer Named To 2014 Class of Influential Women

Sharon Latimer, CPA, partner in RubinBrown’s Assurance Services Group, was named to KC Business magazine’s 2014 Class of Influential Women. The publication’s influential women honorees are recognized as those who inspire and mentor others, create opportunities for their organizations and give back to their communities.

RubinBrown Kansas City Managing Partner Todd Pleimann Named to Kansas City Chamber of Commerce

Todd Pleimann, CPA, managing partner of RubinBrown’s Kansas City office, was recently elected to The Greater Kansas City Chamber of Commerce Board of Directors. The Greater Kansas City Chamber of Commerce is a membership organization representing more than 2,500 companies and 300,000 employees across the Kansas City region.

RubinBrown Recent Talent Additions

Partners

Jeff Naeger is a new partner in the Tax Services Group in St. Louis. Jeff specializes in providing federal and state tax consulting, state and local taxation, and mergers and acquisitions services to clients in a number of industries including manufacturing, healthcare and natural resources.

Jeff Cunningham joined RubinBrown as a partner in its Real Estate Services and Assurance Services Group in the Denver office. Jeff’s expertise lies in working with clients that develop and rehabilitate multi-family housing using traditional financing, low-income housing and historic tax credits and federal and state backed loans.

Rhonda Sparlin joined the Denver office as a partner in the State and Local Tax Services Group. Rhonda is an expert in consulting with businesses on issues related to multistate income, franchise and indirect tax issues. She serves clients in the manufacturing, retail, technology, healthcare, service, software, mining and utility industries.

Sunti (Sunny) Wathanacharoen joined RubinBrown’s Kansas City office as a partner in its Business Advisory Services Group. Sunny’s experience managing consulting services spans various industries such as financial services/institutions, government, healthcare, manufacturing, professional services, retail, technology and telecommunications.

Managers

Jason McAdamis joined the St. Louis office’s Federal Tax Services Group as a manager. He provides comprehensive tax services for companies of all sizes in a variety of industries, including professional services and manufacturing and distribution.

Brenda Buhrmester is a new manager in RubinBrown’s Tax Services Group in Kansas City. With more than 18 years of experience, she primarily serves professional service organizations with tax consulting and compliance services.

RubinBrown recently added Mark Breakfield as a manager in its Wealth Management Services Group in St. Louis. Mark specializes in tax planning and consulting, estate and retirement planning and gift tax planning services for clients.

Rachel Parkes is a manager in RubinBrown’s Tax Services Group in Kansas City. She has more than ten years of accounting experience. Rachel works with clients in various industries including construction, gaming and manufacturing and distribution.

Timothy Kennedy joined RubinBrown’s St. Louis office as a manager in RubinBrown’s Real Estate Services Group, specializing in new markets, low-income housing and historic rehabilitation tax credits.

A new manager in the St. Louis office’s State and Local Tax Services Group, Shawndel Rose provides clients with all phases of state and local tax compliance, consulting and planning services.

Aisha White is a new manager in the State and Local Tax Group in St. Louis. With more than 13 years of accounting experience, she primarily provides tax services to a wide array of clients.

Suzy Kimbrough recently joined the Kansas City office as a manager in the Tax Services Group. With more than 20 years of public accounting experience, she primarily provides tax and consulting services to businesses and individuals.

MARK YOUR CALENDARS For Upcoming RubinBrown Seminars

Glean insight into the latest tax legislation. Learn more about how new accounting rules will affect your business. Find out how your organization can benefit from business strategies and innovative ideas. Throughout the year, RubinBrown is an excellent source for learning and insight.

Registration will be available 5 weeks prior to each event at www.RubinBrown.com.

Ethics Seminar

Denver RubinBrown Center November 6, 2014 8-10 a.m.

Kansas City Doubletree Hotel November 11, 2014 8-10 a.m.

St. Louis Donald Danforth Plant Science Center November 12, 2014 8-10 a.m.

Year-End Accounting & Tax Update

Denver RubinBrown Center December 10, 2014 8-10 a.m.

Kansas City Doubletree Hotel December 11, 2014 8-10 a.m.

St. Louis Donald Danforth Plant Science Center December 9, 2014 8-10 a.m.

SEC Update

Denver RubinBrown Center January 7, 2015 8-10 a.m.

St. Louis RubinBrown Center January 6, 2015 8-10 a.m.

Not-For-Profit Update

Denver RubinBrown Center January 28, 2015 8-10 a.m.

Kansas City Doubletree Hotel January 27, 2015 8-10 a.m.

St. Louis Donald Danforth Plant Science Center January 22, 2015 8-10 a.m.

Public Sector Seminar

Denver RubinBrown Center February 6, 2015 8 a.m.-5 p.m.

Kansas City Doubletree Hotel February 3, 2015 8 a.m.-12 p.m.

St. Louis RubinBrown Center January 29, 2015 8 a.m.-12 p.m.

CHAIRMAN'S CORNER

The Stakes Have Changed Today with Cybercrime by Jim Castellano, CPA, CGMA

Remember when computers operated on punch cards… a portable computer was as big as a suitcase and its screen the size of a 4” by 6” picture frame… portable phones consisted of a heavy unit with a handset tethered to it with a spiral cord?

Remember when crime involving theft only involved physical property or currency?

What happened?

What happened is that the incredible explosion in technological advancements continued to change our world in ways we could not even imagine just a decade ago. With the wonderful advances in technology also came ingenious techniques to steal valuable information by using the technology in devious ways. Hence, the emergence of an entirely new type of criminal engaged in cybercrime. The topic of cyber security is high on the agenda of most audit committees today and should be high on the agendas of management of most organizations. An effective enterprise risk management process can highlight the numerous areas vulnerable to those anonymous and sophisticated criminals intent on theft or destruction.

Jim Castellano, CPA, CGMA Chairman

The American Institute of CPAs (AICPA) recently published a paper titled “The Top 5 Cybercrimes.” The paper is intended to assist CPAs in public practice as well as in business and industry to understand “the nature of each crime, the manner in which it is committed and remedial steps that can be taken.” The paper can be found on AICPA’s website at www.aicpa.org or viewed at the link in the sidebar to the right.


While no precautions can provide absolute protection, you can begin to protect yourself and your organization from cybercrime by taking some or all of the following actions:

∙ Institute an internal audit function in your organization

∙ Conduct risk management sessions to identify and rank the risks affecting you

∙ Audit your privacy and security policies and controls

∙ Use data analytics to identify unusual transactions in your records

∙ Consider the value of cyber security insurance coverage to recover financial losses that might arise from cybercrime

We hope you find the articles in this issue of Horizons, written by our practice leaders, to be useful as you contemplate the range of cyber risks facing your organization. Of course, please consider us a resource as you explore the opportunities to protect yourself from these 21st century risks.

For information about proactively addressing cybercrime, contact Audrey Katcher at 314.290.3420 or audrey.katcher@rubinbrown.com.

THE TOP 5 CYBERCRIMES

The top 5 cybercrimes discussed include:

∙ Tax-refund fraud

∙ Corporate account takeover

∙ Identity theft

∙ Theft of sensitive data

∙ Theft of intellectual property

You may view AICPA’s paper at www.RubinBrown.com/cybercrimes

TOP 5 CYBERCRIMES

October 2013

A broad range of reports and authoritative sources were analyzed to separate vectors and tools from the actual cybercrimes. The sources include the AICPA, Cybersource Corporation, [8] Internet Crime Complaint Center (IC3), [9] IBM, [10] SANS, [11] Computer Emergency Response Team (CERT), [12] Computer Security Institute (CSI), [13] Ponemon Institute, [14] Microsoft, Verizon and Secure Florida. [15]

Once the cybercrimes were identified, they were ranked in the following order by relevance to CPAs in public practice and business and industry.

1 Tax-refund Fraud

2 Corporate Account Takeover

3 Identity Theft

4 Theft of Sensitive Data

5 Theft of Intellectual Property

[8] Cybersource Corporation is a worldwide eCommerce payment-management company. It publishes annual, statistics-based online fraud reports. At cybersource.com.

[9] IC3 is the Internet Crime Complaint Center, sponsored by the National White Collar Crime Center, the Bureau of Justice Assistance and the FBI. It accepts complaints from the public regarding Internet-related crimes and scams. At ic3.gov.

[10] IBM publishes a security report titled Trend and Risk Report. The March 2012 report was used as a source for this paper.

[11] SANS has a global scope, with a focus on information security (InfoSec). It has a certification, Global Information Assurance Certification (GIAC), related to InfoSec. SANS’s services and resources are generally free to the public.

[12] Computer Emergency Response Team (CERT) is a partnership between Homeland Security and public and private sectors with the objective of coordinating responses to security threats. At cert.org.

[13] Computer Security Institute (CSI), for information security professionals, provides an annual survey of cybercrime, CSI Computer Crime & Security Survey, since about 1999. At gocsi.com.

[14] Ponemon Institute conducts independent research on privacy, data protection and information security policy. It has one of the best cybercrime studies, its annual Cost of Cyber Crime Study. The second study was published in August 2011. At ponemon.org.

[15] The state of Florida has a department, Secure Florida, that focuses on cybersecurity. It published Florida Cyber-Security Manual in 2007. The Florida Department of Law Enforcement, Florida Cybersecurity Institute and Secure Florida contributed to the manual. At secureflorida.org.

GENERAL REMEDIATION STRATEGIES FOR THE TOP 5 CYBERCRIMES

CPAs need to make timely, informed decisions about the effective controls that can prevent cybercrimes from occurring, and detect, at its earliest stage, a crime that already has occurred. Equally important is CPAs’ adeptness at responding to and correcting a security breach and cybercrime that has occurred.

SECURITY AUDITS AND CONTROLS

A Computer Security Institute (CSI) survey ranked internal cybersecurity audits as the strongest weapon in preventing and detecting cybersecurity vulnerabilities. An effective internal security audit identifies cybersecurity risks and assesses the severity of each type of risk. For optimal results, clients should ask their CPA to audit their privacy and security policies and controls. Following the audit, preventive controls for the major risks that were identified need to be instituted. Three strategies that can help management develop those controls are:

∙ Timely and proactively patching vulnerabilities, including vulnerable software.

∙ Using least-access privileges [29] and other sound logical access controls to help remediate crimes perpetrated internally. For external threats, sound perimeter controls such as firewalls and Intrusion Detection Systems (IDS) are critical to protection.

∙ Monitoring systems, technologies and access, such as various logs created by technologies for those activities, with associated controls varying based on the threat level (also a detection strategy).

BUSINESS INSURANCE

In an age of financially motivated cybercrimes, every entity should have sufficient business insurance coverage to recover any financial losses. Executive management team members, especially the CFO, must evaluate the entity’s insurance coverage to ensure that it could recover estimated losses from any cybercrime. Reviewing coverage should be done on a reasonable periodic basis. Leaders also might consider enlisting service providers that offer cleanup and restore functions after certain crimes have been committed.

INCIDENT RESPONSE PLAN

One useful “correction” remediation, although not preventive, is to develop an incident response plan. The plan would require employees with the necessary level of knowledge, and serving in key positions within the entity, to answer the following questions relating to the top five cybercrimes identified in this white paper:

∙ Which of these crimes are potential risks?

∙ What risks would follow from each crime?

∙ How should we respond to each of these crimes?

∙ How would we fully recover from each of these crimes?

The manner in which an entity responds to a cybercrime provides valuable insight into its possible vulnerabilities and preventive steps that could have been taken before the crime occurred. A Verizon study of 600 incidents of security breaches over a five-year period reveals that in 87 percent of cases, investigators concluded that breaches could have been avoided if reasonable security controls had been in place at the time of the incident. Thus, a good place to start BEFORE a breach occurs is reasonable security controls as defined by the information security profession as best practices or principles. [30]

Remediation measures and controls that apply to one cybercrime often apply equally well to others, which results in multiple cybercrimes being addressed with a single countermeasure. This further supports the position that measures and controls taken by entities once a cybercrime occurs are the same measures and controls that should have been in place before the breach.

[29] “Least-access privileges” is a security concept that grants a person the least amount of access to systems, technologies and data needed to perform his/her duties or that first grants a person no access but then adds privileges to provide access only to needed information.

[30] Verizon’s 2009 Data Breach Investigations Report. At securityblog.verizonbusiness.com.

FEATURE

Protect Your Organization With Cyber Resilience

by Audrey Katcher, CPA, CISA, CITP & Randall Hahn, CPA, CISA

With increasing cybercrime, entities need to turn their cyber security concerns into cyber resilience strategies

[Figure: the five steps of a cyber resilience plan: Assess the Risks; Develop a Plan; Define Responsibilities; Communicate the Plan; Monitor & Report]

T-Mobile, Electronic Arts (EA), British Broadcasting Channel (BBC), Federal Election Commission, Target

These companies are all not only well known but also share another common attribute. All five entities had recent cyber attacks.

And they’re not alone.

Cyber attacks have become an everyday reality in our modern economy, with the average loss per incident exceeding $5,000,000, according to the Ponemon Institute. Cyber security is an issue vital to all entities. In today’s environment, the question of becoming a victim to a cyber security attack is no longer “if” but “when.” While the threat of a cyber security attack has become almost inevitable, the risks associated with it can be managed through an effective cyber resilience plan.

Throughout this entire issue of RubinBrown’s Horizons, you will read the many ways cyber attacks are impacting various industries as well as what organizations are doing to mitigate their exposure. This article focuses on providing an overview of cyber security in today’s environment and the five key steps to building a cyber resilience plan.

> Cyber security refers to analysis, warning, information sharing, vulnerability reduction, risk mitigation and recovery efforts for networked information systems.

~ World Economic Forum

Overview of Cyber Attacks and Cyber Resilience

Today, cyber attacks pose the element of surprise, and nearly each new attack is more innovative and sophisticated. Attacks are impacting more than just an entity’s technology; they affect financial, reputational and stakeholder value. The strain of a cyber attack can impact all stages of an entity’s supply chain, from vendor to customer. Attacks are becoming more difficult to develop mitigation strategies for as the interconnectivity of entities continues to increase and attack techniques evolve.

Additionally, the current spending for cyber security is predominately limited to investment in firewalls and virus protection software. Companies are finding that in addition to these investments, it’s just as important to have cyber resilience plans. Entities need to link the investment in cyber security to the potential consequences they face.

> Cyber resilience is defined as the ability of systems and organizations to withstand cyber events.

~ World Economic Forum

Businesses today should incorporate consideration for preservation of reputation, impact on customers and consequences from attacks.

In summary, these components are the basic tenets of what is known as cyber resilience:

∙ Security

∙ Preservation of reputation

∙ Customer impact

∙ Consequences

A cyber resilience plan incorporates an understanding of modern attacks, a plan for defending/defeating those attacks and potential responses to those attacks. Cyber resilience plans are critical for entities of all sizes and can be adopted through the following five key steps.

> 57% of respondents expect to experience a security breach within the next year, yet only 20% regularly communicate with management about threats.

~ Ponemon Institute

Step One: Assess the Risks

The first step to developing a cyber resilience plan is to consider the business risk. What loss can the entity live with? Since budgetary spending on security is often limited, entities must identify the risks they face and then prioritize those risks to identify which ones are their greatest concerns. Keep in mind that the greatest risk may be your reputation and not the dollars directly associated with an individual attack.

The thought process evolves from thinking about what type of protection to provide to all of the operations and assets to what are our most important assets and how do we protect them. Entities move from thinking about what are the inputs we need for a security plan, to what are the outcomes, or consequences, that we can live with and then how do we balance those risks with our limited resources.

Step Two: Develop a Plan

Once the priority assets have been identified, develop a plan to protect against the threats on those assets. The mindset should be of one moving beyond the minimal preventive and defensive controls needed for compliance standards, to how can resources be effectively aligned to protect an entity’s assets. As the effects of a cyber attack can impact all aspects of the supply chain, there needs to be a plan that strikes a balance between addressing concerns around security and not unnecessarily constraining the means by which business needs to be conducted.

The plan needs to be flexible to allow quick responses to attacks and the consequences from those attacks. To do this, cross-functional teams from varying business disciplines should develop and test the plans. The team should also ensure everyone is prepared to respond quickly and communicate with all affected stakeholders in the case of an incident arising. Step Three: Define Responsibility for Maintaining Security and for Responding A recovery plan must be flexible so it can adapt to a variety of attacks, while also being specific, comprehensive, and most importantly, achievable by those within the organization. In the plan, two primary responsibilities should be assigned to leaders with authority and support. These responsibilities are for: Define your Cyber Resilience Team 1. Executives – To provide governance as well as a conduit to the audit committee and board level questions 2. Internal Audit – To be an independent resource to report on the processes supporting cyber security and resilience 3. Communications – To provide broad communication, including public relations management ∙ Maintaining the security ∙ Leading the response

Avoid Apathy With Your Cyber Security Strategies by Jack Zaloudek, Lecturer and Program Director Information Management & Masters in Cyber Security Management, Washington University in St. Louis Since cyber security is all about risk management, it is essential that the risk strategy be managed throughout the organization.

It is the responsibility of the c-suite to ensure that the strategy is:

∙ Understood by the employees of the firm

∙ The employees have the tools and training to implement the strategy

∙ Executives monitor the execution and absorption of the daily action plans necessary to make the employee awareness campaign a “muscle memory” response at every level of the business It is very easy for one of the common killers of a good plan—apathy—to set in. Apathy can affect the senior level of leadership, but can also be experienced by the employees who will revert back to the status quo after the initial push and training is past. Strong leadership and monitoring for lapses in following the policies and procedures are essential “watchdog” elements to counteracting cyber security malaise and apathy. “It will not happen here” is not a suitable organizational response.

4. Insurance – To ensure clarity in the policies

5. Legal – To advise and monitor on current regulatory and other legal insights

6. Technology – To be a liaison and ensure an on-call technical response team is under contract

7. Finance – To enable transparency in the cost

www.RubinBrown.com | page 11

FEATURE

8. Human Resources – To ensure employees and those who may leave the company are managed 9. Supply Chain – To ensure vendors have signed a commitment to cyber security with your company The leaders should ensure testing of the plan allows regular re-evaluation of both the prioritized assets and the actions needed to protect those priority assets as the security landscape evolves. This activity will help validate the security and the responsiveness. Step Four: Communicate the Plan – Executive Level Executive level direction and support is essential. Cyber resilience plans require executive buy-in, collaboration from different levels within the entity and coordination with vendors and customers.

When preparing your cyber resilience plan, consider:

∙ There are no answers which provide 100% assurance

∙ It is not a question of if an attack or incident will occur, but a question of when

∙ There is a direct relationship between response time and the exposure to operations, finances and reputation

In summary, communication of the plan, relevant updates, as well as what is driving these updates should be delivered to leadership and the board regularly.

Step Five: Monitor and Report

Moving forward, entities should continue to monitor the evolution of their cyber resilience plan. They should communicate to stakeholders, both internally and externally, monitoring results and changes to the direction of the plan.

> Only 31% of U.S. entities have cyber insurance policies.

~ Experian Information Solutions, Inc.


Why Act Now?

The costs and frequency of breaches are rising exponentially.

∙ The qualitative costs include loss of customer trust, reputation and stakeholder value

∙ The quantitative costs average $188 per record, with an average of over 28,000 records compromised per incident, resulting in a total average incident cost of $5,264,000 (Ponemon Institute)

∙ CNN reports nearly half of the data breaches that Verizon recorded in 2012 took place in entities with fewer than 1,000 employees.

∙ Symantec, a leading computer security firm, reported that 31% of all attacks in 2012 targeted businesses with fewer than 250 employees and attacks were up 81% over 2011.

Do not assume that your business or one of your subsidiaries is not at risk:

> 44% of all small businesses surveyed have been a cyber-attack victim.

~ National Small Business Association

RubinBrown’s Business Advisory Services Group

RubinBrown’s greatest asset is the ‘thought leadership’ of our diverse group of seasoned professionals. We have directed and consulted with a wide variety of companies, ranging from Fortune 500 public companies to startup private companies.

Michael T. Lewis, CFA — St. Louis Partner-In-Charge Business Advisory Services Group 314.290.3397 michael.lewis@rubinbrown.com

Sunti Wathanacharoen — Kansas City Partner Business Advisory Services Group 913.499.4462 sunti.wathanacharoen@rubinbrown.com

Audrey Katcher, CPA, CISA, CITP — St. Louis Partner Business Advisory Services Group 314.290.3420 audrey.katcher@rubinbrown.com

Matt Wester, CPA, CFE — Denver Partner Business Advisory Services Group 303.952.1277 matt.wester@rubinbrown.com


BIG Problems with Small DATA

by Josh Leesmann

A Google search of “big data” will return about 12.7 million results. You will be quickly inundated with an endless list of vendors and software claiming to provide the solution to all of your big data needs. However, the marketing blitz may be slightly misleading as more pressing data challenges often fall into the camp of “small data.” That is to say, many of us may not be effective creators and consumers of information that can fit neatly within the realm of common spreadsheet software.

We are most often held back by a lack of a methodological approach to the way we capture, store, analyze and access this small data.

Currently, Excel is the data tool of choice. Approximately 95% of U.S. companies use Excel in their operating environments. Further, 50% of Excel files are relied upon for critical business decisions. The fact that this software is so prolific throughout the U.S. economy is not, on its face, a problem. The issue is that there is no method to the madness. The average Excel file lives on for 5 years and is edited by an average of 12 professionals. Such a long-lived, dynamic instrument warrants a rigorous review and control environment to mitigate the impact of errors.

For some additional reading on the potential impact of such errors, you can peruse the “Horror Stories” compiled by the European Spreadsheet Risks Interest Group at www.EuSpRIG.org.

The appropriate Excel environment can be created if we first think of it as a data manipulation tool. Think of Excel users as ‘coders’ or software engineers.

If you open and create Excel documents, you can technically be referred to as an Excel coder. This is a subtle distinction, but an important one. It is made more obvious when we juxtapose the control environment of a typical software engineer and the control environment of an Excel user. Software engineers often develop centralized controls and establish strict segregations of duties, monitoring the software’s development at every stage of its life cycle. Technically, we can leverage the methods and controls implemented by developers to mitigate the potential errors we make in Excel. A good place to start with error mitigation and file control would be to have the Excel coders provide some metadata about their files. Have them create a road map and document their work in Excel, including any changes made after its initial creation.

Further steps can be taken to clean up the actual work in Excel to increase the computational efficiency of the file and make it easier to review and understand.

Excel coders can reduce the amount of embedded cross-worksheet linking. For example:

∙ DO NOT sum items from other worksheets using a formula such as: “=Sheet1!A1+Sheet2!A2+Sheet3!A3”

∙ DO pull the information into individual cells in the current worksheet so that you can use the following ‘code’, “=A1+A2+A3”


Another word to the wise, do not create embedded “if” statements. For example:

∙ DO NOT use a formula such as: “=if(A1=A2,"Yes",if(B1=B2,"No","Error"))”

∙ DO break it up into two individual statements, such as: “=if(A1=A2,"Yes","No")” and “=if(B1=B2,"Yes","No")”

Another great hint is to use Excel’s functions. For example:

∙ DO NOT use a formula such as: “=A1+A2+A3”

∙ DO use “=sum(A1:A3)”

As a final note, be sure to add self-checking formulas that confirm the results of your work.

There are currently researchers working with Excel add-ins that can help remind us to clean up our files. (Check out the free download of BumbleBee under 2013 publications at www.felienne.com.) The growing complexities ushered in by the era of big data are going to dictate that companies add rigor to their data collection, storage and analysis processes. Excel is not immune to this. It is easy to focus on the more complex software and data systems, but very few organizations leverage any software as much as Excel. Although big data issues are most certainly on the horizon for many companies, we (95% of U.S. companies) may be better served to focus on the bigger problem of harnessing and controlling the “small data.”

Source: Felienne Hermans’ presentation, “Spreadsheets: The Dark Matter of IT.”
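The three DO NOT rules above (cross-worksheet links, embedded “if” statements, hand-written sums) can be checked mechanically as part of a spreadsheet review. The Python linter below is an added example, not part of the original article and not the BumbleBee add-in; the sample formulas, the rule names and the one-level IF threshold are assumptions chosen for illustration.

```python
import re

# Constructed sample: cell -> formula text as read from one worksheet (not real data).
SAMPLE_FORMULAS = {
    "B2": "=Sheet1!A1+Sheet2!A2+Sheet3!A3",           # cross-worksheet linking
    "B3": '=IF(A1=A2,"Yes",IF(B1=B2,"No","Error"))',  # embedded IF
    "B4": "=A1+A2+A3",                                # hand-written sum
    "B5": "=SUM(A1:A3)",
    "B6": '=IF(A1=A2,"Yes","No")',
    "B7": "='Q1 Data'!C4*2",                          # quoted sheet name
    "B8": '=IF(A1="Sheet1!A1","x","y")',              # "!" appears only inside a text literal
}

STRING_LITERAL = re.compile(r'"(?:[^"]|"")*"')        # Excel escapes a quote by doubling it
SHEET_REF = re.compile(r"(?:'([^']+)'|([A-Za-z_][A-Za-z0-9_.]*))!")
CALL_OR_CLOSE = re.compile(r"([A-Za-z_][A-Za-z0-9_.]*)?\(|\)")
CELL = r"\$?[A-Z]{1,3}\$?\d+"
CHAINED_ADD = re.compile(rf"^=\s*{CELL}(?:\s*\+\s*{CELL}){{2,}}\s*$", re.I)

def strip_strings(formula):
    """Blank out text literals so their contents are never mistaken for references."""
    return STRING_LITERAL.sub('""', formula)

def cross_sheet_refs(formula):
    """Return the worksheet names referenced with the Sheet!Cell syntax."""
    return [quoted or bare for quoted, bare in SHEET_REF.findall(strip_strings(formula))]

def if_nesting_depth(formula):
    """Return the deepest level of IF(...) nested inside IF(...); IFERROR, SUMIF etc. do not count."""
    stack, deepest = [], 0
    for m in CALL_OR_CLOSE.finditer(strip_strings(formula)):
        if m.group(0) == ")":
            if stack:
                stack.pop()
        else:
            stack.append((m.group(1) or "").upper() == "IF")
            deepest = max(deepest, sum(stack))
    return deepest

def lint(formulas, max_if_depth=1):
    """Map each offending cell to the list of rules it breaks."""
    report = {}
    for cell, formula in formulas.items():
        findings = []
        if cross_sheet_refs(formula):
            findings.append("cross-sheet-link")
        if if_nesting_depth(formula) > max_if_depth:
            findings.append("nested-if")
        if CHAINED_ADD.match(formula):
            findings.append("use-sum")
        if findings:
            report[cell] = findings
    return report

if __name__ == "__main__":
    for cell, findings in sorted(lint(SAMPLE_FORMULAS).items()):
        print(cell, SAMPLE_FORMULAS[cell], "->", ", ".join(findings))
```

The findings list per cell can be recorded alongside the file's change log, so each later edit to the workbook is reviewed against the same rules.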



Today’s businesses are more reliant on information technology (IT) than at any other time in U.S. history. IT risk is no longer confined to entities involved in processing significant numbers of financial transactions or subject to complex regulation; rather, IT risk is pervasive across all industries in today’s world and is an often overlooked area for due diligence when executing a merger or acquisition. Given that most studies suggest 70% to 90% of mergers and acquisitions (M&A) fail, thorough due diligence is an absolute must and IT cannot be overlooked.

IT due diligence is not a “one size fits all” approach. There are different considerations depending upon whether the acquirer is a strategic or financial buyer, and whether the target company is a new platform company or will be rolled into another company. A thorough understanding of the strategic purpose for acquiring the target is critical. Additionally, the buyer should have a robust 120-day post-deal plan with a significant component of that plan being IT. The buyer should take the opportunity during due diligence to establish an IT plan for the business going forward.

IT Due Diligence Defined

IT due diligence can generally be thought of as an assessment of the target company’s state of information technology. Throughout this assessment, key questions should be asked:

∙ Will we own the technology?

∙ Will there be a gap in IT skills post-deal? If the entity is a carve-out, IT support may be lost.

∙ Do we have to replace the technology?

∙ Has there been downtime due to technology?

∙ What information (including transactional and intellectual property) is important?

∙ Is the technology, such as the ERP, scalable?

∙ Where is the information? Is it housed with unknown third parties (e.g., Dropbox)?

∙ Do we have risk related to our web presence that will require additional spending?

∙ What is “technology” for the entity (i.e. computers, servers, network, telecom, data center/server room, websites, software)?

∙ Who has the control of the technology? Is there a limited group with access to “all”?

∙ Is there a key man risk? The loss of certain key IT individuals could be detrimental to the company.

Security

For companies in certain industries that are collecting personally identifiable information or credit card information, regulatory and reputational risk for a security breach should be of significant concern to a potential buyer. Identifying gaps or weaknesses in security over such information can help inform the buyer as to future costs or risks associated with owning the business.

Scalability

IT due diligence is critical in assessing the potential for future capital investment in the business. For example, many financial buyers of businesses will require significant amounts of financial data at a disaggregated level to run the business post-transaction. It is critical to understand, during due diligence, if the company’s systems are going to be capable of providing such information. If the systems are not, the financial buyer will want to incorporate system upgrades into their financial models. Additionally, if the target company is going to be utilized as a platform for other acquisitions, a buyer will want to know whether the systems will be sufficient to accommodate additional businesses being rolled in. The answers to these questions can have a dramatic impact on the economics of the deal and can be reasons to walk away from a deal or renegotiate the purchase price.

Web Presence

More companies’ websites are becoming strategic assets. Depending on the business model of the company, the website can range from outward representation to the world to a critical revenue-generating engine. Therefore, due diligence of a company’s website should be part of a comprehensive IT due diligence plan. Some considerations are:

Who owns the website? This may seem like a straightforward question, but companies can farm out ownership of their website to a third party. If this is the case, a check of other internet (IP) addresses owned/run by the third party should be performed.

How much traffic is the website getting? The owner of the website may claim certain traffic figures, but how accurate are those numbers? Tools are available to give you an independent estimate of actual website traffic.

Is the website search engine optimized? With search engines driving the majority of visitors to websites, one small tweak in search engines’ algorithms could impact the page rankings of poorly optimized websites. While performing due diligence, a check of Google’s page rank for the site is recommended. The page rank indicates the relevance of a website’s content. The higher a site is ranked, the more relevant it is considered and the greater the likelihood it will be listed in search results.

How secure is the website? Security is becoming a paramount concern and a “hijacked” website can lead to problems from reputational loss to loss of confidential information. Checking for a current security certificate and encryption is important.

Point of View

RubinBrown’s experience with middle-market deals and deal makers is that few buyers want to take the time and resources to perform IT due diligence on an acquisition. We have seen many examples where IT due diligence has identified deal issues that have to be overcome either pre- or post-deal. Deal makers don’t like surprises. IT can be a source of bad surprises. IT due diligence can help identify what those surprises might be and evaluate an action plan to deal with them. It is rare that IT due diligence is performed on a middle-market company where risks aren’t identified. Some of those risks include:

∙ Insufficient licenses – Will we be subject to fines for unlicensed software? Has Microsoft performed an audit recently? Is legal reviewing the contracts?

∙ No validated security protocol – What level of protection over company data is in place? What is needed?

∙ Lack of IT spend – Has the IT spend been so limited that necessary upgrades haven’t been done?

∙ Technology cannot scale – If the entity is expected to be a platform company, will the core systems (ERP) support the volume and diversity of transactions? In the case of a carve-out, will a new data center need to be developed or sourced?

∙ Outsourcing – Has their security been assessed to protect your confidential information? Their security failure can be your reputational failure.

∙ Key-man risk – What happens if we lose the key person who knows “everything” about our IT? How long will it take to replace key IT personnel? What will be the interim cost?

∙ Rogue IT – Has freeware been installed that could be sending information to competitors? Does the sales force use third-party software to store/share customer information? How can we ensure the information isn’t compromised if any sales staff leave?

Merely identifying the IT risks is not enough. RubinBrown recommends during due diligence that the risk factors be identified and an IT road-map for improving the IT operations of the business be put in place. This strategy will prove helpful so that on day one post-deal, the buyer is ready to execute and make the necessary improvements and has a real perspective on the capital and expense costs for IT. It is very important for any buyer to quickly fix any issues identified during due diligence so that everyone can focus on growing and expanding the company. After all, this is how the investment pays off.

RubinBrown’s Mergers & Acquisitions Services Group

RubinBrown’s team of mergers & acquisitions professionals has the experience to help your organization successfully navigate the transaction process.

Ben Barnes, CPA — St. Louis Partner-In-Charge Mergers & Acquisitions Services Group 314.678.3531 ben.barnes@rubinbrown.com

Rodney Rice, CPA — Denver Partner Mergers & Acquisitions Services Group 303.952.1233 rodney.rice@rubinbrown.com

Tim Farquhar, CFA, CPA — St. Louis Partner Mergers & Acquisitions Services Group 314.290.3281 tim.farquhar@rubinbrown.com

Sunti Wathanacharoen — Kansas City Partner Mergers & Acquisitions Services Group 913.499.4462 sunti.wathanacharoen@rubinbrown.com

Audrey Katcher, CPA, CISA, CITP — St. Louis Partner Business Advisory Services Group 314.290.3420 audrey.katcher@rubinbrown.com

Kyle Murphy, CFA, CPA — St. Louis Manager Mergers & Acquisitions Services Group 314.678.3511 kyle.murphy@rubinbrown.com
