Posts Tagged ‘internal controls’

CFO’s & Cyber Risk: Protecting Your Performance…& Shareholders

May 2nd, 2014

As a CFO, I can’t help but be a bit shocked at the recent article on “CFO’s Disregarding Cyber Risks”.  In my position, and more in relation to my past positions, my involvement with IT-related activities typically centered on the ongoing assessments of our ERP platforms, annual budgets, necessary capex, and the standard operational issues. I can honestly say that cyber risks were really not part of our ongoing concerns, nor was the topic ever tabled by the rest of the senior leadership team or the Board. We also weren’t planning in an environment where billion dollar breaches were being reported in the press.

Fast forward a few years and it’s hard not to take note, and initiate an elevated level of planning, in the face of the Target breach that occurred just prior to the Holiday shopping season. I don’t care what industry you work in, any CFO should take note of a company which, in a single Quarter, revises their earnings estimates down by 25%, or approximately $250 million. How about a revision in revenue estimates that takes the topline down by almost $1 billion….in a single Quarter! Even more importantly, at the time of the revisions, the company was unable to assess the potential impact of the breach beyond the current Quarter. That event by itself should have every CFO looking over their shoulder and considering the proverbial “what if”. Evidently not…

In the recent article on, which drew 600 responses, CFOs ranked data privacy only 12th on their list of corporate risks. In comparison, data privacy ranked 26th on their list in 2013. While the level of importance is rising, it’s still not being given the proper level of attention. At the top of their list was legal and regulatory shifts. In hindsight, I would love to have someone provide me an example where legal or regulatory changes resulted in an immediate and material revision to earnings or revenues. These are typically changes that are discussed over extended periods and phased in, thus allowing the company and shareholders to digest the resulting changes in how the company reports its results. This is in stark contrast to waking up and realizing you’ve just compromised the privacy for 70 million of your customers in the most critical shopping time of the year.

What was also concerning about the article is that 57% of the respondents weren’t analyzing whether they had enough cyber insurance coverage or weren’t undertaking additional key activities to sufficiently mitigate the risk of cyber risk. This was not only happening at the senior leadership level, but at the Board level as well. While the public and general investing community is aware of the breaches that are reported in the press, I know I have taken an entirely different approach to my personal cyber security as a result of the work I see our team doing across a wide spectrum of industries and with companies that are very recognizable to us all.

As a CFO, if you want to ensure that all of your cost-saving initiatives and EBIT performance aren’t compromised, the investment in a security solution will pale in comparison if you do encounter a significant breach…

Thanks for reading…

Jeffrey Ishmael

When Skillsets & Application Separate. How Do You Qualify Those That Need to Quantify?

February 9th, 2010

Over the last 2-years+ I have come across some very talented Finance folks who have been forced to the employment sidelines as a result of mergers, corporate bankruptcy, or in most cases, downsizing at their respective companies. I have also had a chance to interview some of these same candidates and have come across what appeared to be some very good and talented individuals….at least on paper. However, in a number of cases, I have seen a drastic divergence between the skillset that is shown on a resume and the application of those skills in an everyday environment. The more I talk with companies about the hiring of Finance talent, the more I see a challenge for companies to really look beyond a resume and qualify those who need to quantify.

A good example is the candidate that has come from an Audit background, has large company experience ($1 billion+) and is on the job hunt. You receive dozens of resumes and all seem to be very well qualified at first review:

· CPA
· Good company history & tenure
· Summaries about efficiencies & controls
· Recommended by a trusted recruiter
· Interviews well with the team

So you finally make your choice and extend an offer to the Controller behind door #1. Great, that opening is now filled and you can check the box. Wrong. This is where there is often a divergence between the skillsets that are presented by a candidate and the actual application in an everyday environment, as well as their ability to effectively function with the rest of the staff. Have you just hired the candidate that you really wanted, a partner, collaborator, and someone that will help drive value for the company, or a candidate that will just create busy work and consume the time & resources of those around them? So what am I really talking about at this point….?

· Is your new hire someone that would be inclined to zero in on an expense report form when there is no issue with the travel spend?
· Is your new hire someone that wants to keep information siloed and on a need-to-know basis because it’s “not your function”?
· Is your new hire someone that wants to put in controls and processes that are only effective in a large company environment with larger staff?
· Does your candidate understand the differences between working in a large company environment vs. a micro-cap or small privately held?
· Does your candidate really have the ability to work effectively with others when the daily regimen really does mean “being in the trenches every day”?

This is where I tend to believe that many financial professionals, while accomplished and credentialed, really do not have a handle on the dynamic between their knowledge base and its application in the environment that they are potentially hiring into. That most candidates have not put forward the proper effort to not only run a diagnostic on the company, but one on themselves to truly understand their skillset and what they can offer a prospective employer. There is also the difficulty posed to the prospective employer when they need to qualify those who quantify. Show in the interview that you can deliver value, as you’ll be expected to do daily….


Thanks for reading . . . .


Jeffrey Ishmael

Small Company Structure vs. Internal Controls….

June 11th, 2009

During one of my prior engagements I was challenged with a situation in which we had a serious possibility of fraudulent accounting activities. The source was one of our foreign offices, which had only a small operating staff, and even worse, only a few accounting folks. There was not a broad enough staff to implement all the necessary levels of control to have a strong level of comfort to say all was operating perfectly. What triggered the entire situation was the combination of operating expenses that continued to exceed Budget in a very material way, as well as the delay, or cancellation of payments for shipments into their country. What was even more amusing was the fact that the country entity even passed a corporate audit after improprieties were suspected. After I was given the green light for a surprise audit, as an inter-country supplier, we effectively blew the lid off what was happening within that country. I’m actually quite proud of the work that was done on that situation.

The real question though is how do you put effective controls in place to prevent fraud or other improprieties? In my current engagement, I find myself with a company that has a Finance staff that is much leaner than normal for a company of this size. Fortunately I have a GREAT staff that I am able to push hard and we have implemented new documentation, new control procedures, and a level of financial reporting that is consistent with GAAP and fully supported with all the necessary documentation. So what’s the big deal? Try reaching this level with a small entity, where habits are long-lived, and financial disciplines are an afterthought. To the Company’s credit, we also have a great Management team that is both open to, and supportive of, the change. They’re also seeing the benefits of the improved financial reporting on their ability to run the business and make informed decisions. Great, so we now have solid reporting. What next?

Next is the task of putting a more rigid control structure in place and implementing regular audit procedures that will prevent the temptation or likelihood that fraud will be perpetrated against the Company. But how do you do this when you don’t have the resources to add additional headcount, engage external resources, or implement new software platforms? It comes through the diligence and integrity of the existing staff and cross-testing the existing resources. In the most elemental spirits of internal audit and Sarbanes-Oxley, it comes from having an effective control environment, appropriate risk assessments, as well as the necessary monitoring to determine that all controls are effective and that any necessary corrective actions are undertaken.

- But our Company doesn’t have its financials audited?

- But our Company does not have an Audit Committee?

Doesn’t matter…create the necessary level of communication with the Shareholders and Executive Team and keep them informed as to how the resources of the company are being protected. Ultimately, the inattention to these areas will, at a minimum, result in funds being diverted from the Company or, worse, could lead to the demise of the Company. In a positive outcome, the actions taken will lead to a significantly higher level of trust in the financials and a higher valuation as it might relate to any acquisition activities your Company may find itself in. What is your commitment to ensuring that the proper controls are in place?

Thanks for reading . . . .

Jeffrey Ishmael

When Audit teams and Sales staff collide….

August 18th, 2008

In my last commentary on Internal Audits, I went into an overview on the segment concerning Finance & Control. When it comes to this group, internal audit exercises are rather straightforward and generally not intimidating. But how do you coordinate this same exercise for a group that’s not used to being questioned and is accustomed to generally running in a fairly independent fashion, like the Sales department? Answer, very carefully and with a bit of handholding. Again, like the Finance portion of the audit, this is only intended as a brief overview and there was a much more comprehensive approach behind the scenes.

Although the intended scope of review for this department was not going to be the least bit exhaustive, it did mean that Sales personnel were going to be questioned on protocols and that their approach was going to come under some level of scrutiny. With regards to the auditors, they were going to key on some of the following topics:

1. Efforts & action plans to achieve synergies with the parent company.
2. Project margin tracking was in place to achieve the original commitments.
3. Sales personnel bonus plans were definitely structured and approved.

I knew that the first couple parts were not going to be much of an issue, but once you start questioning Sales folks about their bonus plan you know there’s the potential for fireworks.

As we went through the various topics, we began to dig into more detail about how higher value jobs were being quoted and how the change orders on those jobs were being charged to the customer, or in some cases, how they weren’t. Fortunately, we had already implemented a new reporting structure prior to the audit that had us tracking the margin progression of every job over a specified value. We would track every progression in the job to the point that if we encountered even 50bp of margin change by the completion of the job we could bridge every element contributing to that change. For the better or the worse….

The delicate balance in this portion of the audit was working with the Sales team, who were instinctively working in the best interests of the customer and meeting their goals, and the Audit team, who was only focused on whether protocols were being followed, regardless of the outcome. We encountered some very short tempers but were able to work through it once each party understood the motives of the other. Not that the Audit team really cared…..

The valuable perspective for this part of the audit was that you had one group who worked in multiple shades of grey, and the Audit team who only worked in black and white, and how do you generate a productive outcome? We did so by educating all parties involved and making sure that all parties were working towards the same outcome – Making sure the company continues as a growing and profitable entity while mitigating risk.

Thanks for reading . . . .

Internal Audits – embrace & value the process.

August 7th, 2008

While I had always participated in the internal audit process and provided my portion of the contribution, I’m not sure I really appreciated the process until I was the person actually leading the Finance team and responsible for everything that happened “under my watch”. During my time with MGE, it was decided by our parent company, Schneider Electric, that they would be purchasing the remaining portion of our company and converting us to a wholly-owned subsidiary of their $13 billion conglomerate. At the close of the transaction, Schneider sent in a full team to conduct a comprehensive internal audit on our process, documented procedures, and potential areas of risk.

The audit was not going to cover just the Finance department, but encompass every area of the organization. This was going to be an 8-week process that was going to cover Inventory & Logistics, Sales & Marketing, IT, as well as Human Resources. Their main objective was to assess the potential risks within each one of these areas and rate those levels of risk according to their importance and the ability to potentially have a material effect on our financial results. We also wanted to determine what levels of internal control and monitoring we had in place to deal with the risk, and if necessary, propose recommendations to correct either the situation or our ability to follow the risk.

Since we had always had a very good relationship with Schneider Electric there was no significant anxiety about the proposed audit, but this effort was much more comprehensive than previous audit engagements. We were hosting individuals from Los Angeles, Chicago, and Paris, along with occasional visits from external auditors Mazars and Moss Adams. Perhaps there was no significant anxiety since we had always operated our entity with a high level of control and accountability. Ultimately, our audit concluded and in a very satisfactory manner with some areas that were noted for improvement and a timeline for follow-up and modifications.

This is obviously a process that can be addressed in much more detail considering this was an 8-week engagement, which I will in future posts. I will spend more time discussing the audit engagement for each area. The most significant takeaway was the additional insight that it gave us into our organization and receiving an unbiased view of our operations. For any new CFO, this is a critical step to go through and assess what the strengths and weaknesses are for the organization and what the areas of risk are for you in the execution of the company’s financial goals. An area that certainly shouldn’t be left to chance & is well worth the 4-8 weeks that you might invest.

Thanks for reading . . . .

How well documented are your internal controls?

July 29th, 2008

Regardless of the size of organization you might be managing, one of the best documents that you can have in place is the one that sets the ground rules for spending and entering into commitments on behalf of the company. Depending on the company, this document can be referred to as a Schedule or Delegation of Authority. I’ve learned to refer to it as the D.O.A. (no pun intended for those that do not adhere to the guidelines…..). This is the document that doesn’t leave anything to chance regarding approval levels and notifies each managing level as to their spending / commitment capabilities.

The typical Delegation of Authority will state the purpose & applicability of the document and covers the ground rules for executing documents, engaging in binding agreements, or approving material decisions on behalf of the company. This document will typically break decision makers into primary categories, which individually address Managers, Directors, Vice Presidents, and Executive Officers. Considering the wide scope of purchases that could be covered by such a document, it usually tries to cover those areas that could have a materially negative impact on the company. These areas might include leases, service contracts, capital expenditures, credit limit authorizations, or check signing authority. Keep in mind that these are only a sampling of the areas, and depending on complexity of the organization, may involve dozens of areas to specify. Further, depending on the global footprint of your company, this should also be coordinated with all foreign offices. In one particular version that we drafted, orders of certain magnitude were required to be approved by the Chairman to ensure that appropriate margin levels were achieved and key global managers were also aware of the transaction.

If you’re currently operating without a DOA, then now may be the perfect time to address this area and start putting together that first draft. There won’t be a single version that you’ll draft and distribute. This is a dynamic document that will continue to evolve as your company grows and hopefully begins moving into new segments. I’ve been mentored by some fantastic Finance professionals and the constant message has been one of paranoia. What’s going to get you next? This is one additional tool that will hopefully mitigate adverse reactions on the part of employees, that while not intentionally malicious or fraudulent, could have a material effect on your results. And that’s really what this document is about…increased communication throughout the company.

Thanks for reading . . . .