When you read about nation-states and sophisticated hacking organizations being responsible for computer hacks, it’s easy to throw up your hands and ask how you could possibly prevent such things; but the reality is a lot more nuanced than that. While the Equifax hack was quite sophisticated once the hackers got inside Equifax’s systems, the reality was that the hackers took advantage of a known vulnerability that could have been patched to prevent them from getting inside in the first place. WannaCry is another example that combined a patchable vulnerability with the weakest link, users clicking on a link in an email, to cause havoc. Here are four inexpensive and easy things anyone can do to reduce the risk of succumbing to a cyber-security incident.
Train your staff – make sure your staff knows to ask questions about emails and to be suspicious of phone calls. Never go to a website directly from an email. If your bank wants you to do something, go directly to the site from your favorites list. See who the email is really from; most email programs allow you to hover over the sender’s address and see whether it is really from the person or organization it appears to be from. And make sure everyone understands that it is not offensive to call someone to ask if they really sent the email before you click on any links in it. Finally, reinforce the training constantly at monthly staff meetings and with new employees.
Patch your software – you should be updating your operating systems and other software as soon as patches are available, or at least on a regular schedule that is no longer than a month. The patches don’t cost you any money, so there is simply no excuse for not patching software regularly. If your IT department tells you they need to make sure the patches don’t interfere with the operation of other software, then tell them that is fine, but they must do it fast.
Keep up with access – make sure you delete all access for employees who leave the company. You also need to make sure that access rights are changed when employees’ job duties change. The most likely hacker isn’t a nation or some rogue operation, but a disgruntled current or former employee. Leaving people with access to systems they no longer need is like giving the robber the keys to your house and telling them when you’ll be away. STUPID!
Check on vendor compliance – just as you are responsible for internal controls performed by vendors, your business will be held accountable for cyber-security hacks that come through or happen to vendors. The famous Target hack started through a vendor that was completely unrelated to the point-of-sale system that was ultimately hacked. You need to make sure your contracts say vendors are responsible for maintaining your standards for cyber-security, and then make sure they are following the contract.
While none of these steps will eliminate cyber-security hacking risk, they are like the common-sense things we do every day, such as locking your car when you go inside a store. The point is not to be invulnerable. The point is to make your business harder to get into so the criminal will go looking for an easier target. The old adage that you don’t have to outrun the bear, just the other people in your group, applies here. Don’t be the most vulnerable one in the group or the bear will take you down.
Given all the disasters and destruction that make us feel like life is out of control and there is nothing we can do about it, I thought it would be a good time to turn to some famous people to remind us that there are things we can and should do.
John D Rockefeller:
“The secret of success is to do the common things uncommonly well.”
“Don’t go around saying the world owes you a living. The world owes you nothing. It was here first.”
“We make a living by what we get. We make a life by what we give.”
“Live as if you were to die tomorrow. Learn as if you were to live forever.”
“Life is 10% what happens to you and 90% how you react to it.”
“It is our choices that show what we truly are, far more than our abilities.”
“I cannot do everything, but I can do something. I must not fail to do the something I can do.”
“I have not failed. I’ve just found 10,000 ways that won’t work.”
“Only I can change my life. No one can do it for me.”
“No one can make you feel inferior without your consent.”
It’s October. While fall officially started a couple of weeks ago, October is when it starts feeling a little more like the actual season, at least here in Texas. The turn of the season seems to be an opportune time for another top 10 list. This time it is the top 10 things I look forward to doing in the fall.
10. Cook out on the grill for fun, not to just avoid heating up the house.
9. Talk smack with my friends in our fantasy football league and reminisce about how we had to compute the scores manually when we started a couple of decades ago.
8. Take a trip to a college campus to visit my daughter and remember what it was like when I was in college.
7. Roll the windows down in the car and watch my dog enjoy the wind on her face.
6. Put out the Halloween decorations, including the tree filled with plastic pumpkin lights.
5. Relax in the hammock while reading the weekend paper and enjoying a beverage of choice.
4. Go camping and sit around the fire at night watching the flames change color.
3. Enjoy the break between the end of extension tax season and third quarter reporting before year-end reporting and the next tax year work starts up.
2. Walk outside without feeling like I’m walking into an oven.
1. Take my grandson to his first college football game.
I hope you find a few things to enjoy as well.
The Equifax data theft is only the latest in a long history of data thefts by hackers getting into sensitive information held by companies about their customers, employees, contractors and just about anyone else. Many CPAs think that such issues are the purview of the ‘IT people.’ But the reality is that cyber-attacks have significant financial implications for the companies hacked, and CPAs need to be prepared to determine how the incidents impact the attacked entities’ financial results.
Clearly, CPAs need to thoroughly evaluate contingent liabilities related to such incidents. Early on, contingent liability evaluations to determine the probability or likelihood of any amounts to accrue are difficult, but ‘difficult’ is not an excuse to avoid undertaking or thoroughly documenting the evaluation. In addition, the question of how much disclosure can and should be made will be a hot topic for the finance team to handle. Another result of the cyber-attack on Equifax was a significant drop in its share price. On the one hand, there is no direct connection between share price and an entity’s financial statements, but there are several indirect impacts.
A drop in share price can impact the accounting for share-based compensation. Any compensation accounted for as a liability will be immediately impacted by lowering the liability. This has the ironic result of increasing net income because a reduction in the liability results in a credit to expense; but it definitely is an impact that needs to be accounted for in the entity’s financial results. Less obvious might be the reduction of future tax benefits from the exercise of stock options. If the tax deduction value of option exercises is less than was expensed for GAAP purposes, then the difference between the two amounts will result in an increase in tax expense on the financial statements. The change the FASB recently made means this difference will no longer be handled in an equity windfall/shortfall account; instead it will go straight to the income statement.
Another area that is impacted by a significant change in share prices is the earnings per share calculation. A change in the share price will impact the number of additional shares in the fully diluted calculation which relies on assumptions about the exercise and potential vesting of stock options, performance shares and restricted stock, as well as the tax benefits on those exercises.
Goodwill impairment testing is another less obvious area that could be impacted by a significant drop in share price. While the valuation of reporting units is independently determined, the sum of the fair values of all reporting units needs to be reconciled to the fair value of the entity as a whole (generally the market cap of the entity plus the value of its external debt). While such comparison usually involves some level of control premium, that premium cannot be too large. Anything approaching 20% or more will be severely scrutinized by not only your auditor, but potentially the SEC.
Any business that suffers a cyber-attack has a lot of work to do to clean up the mess and reassure customers, but as discussed, that work is not limited to operations personnel. The finance team has a lot of work to do as well, and just as the operations team needs to plan and prepare for disruptions, the finance team needs to think ahead about all the work it will have to do.
The Importance of Committing to a Thorough Interviewing / Hiring Process by Guest Blogger Bryan Edwards, MSA, CPA. Posted: September 20, 2017
Sometimes you reap what you sow...
Have you had too many employee challenges and too much turnover? It’s easy to bemoan not finding “the right” candidates/employees in a tight labor market. One path to better results is to analyze your hiring process.
Being both a CPA and recruiter, I have the opportunity to see many organizations’ hiring processes. If you are looking to improve your hiring and retention results, consider these questions:
- Am I realistic in assessing the current labor market? A strong economy, many baby boomers retiring and the 150-hour CPA requirement all contribute to fewer candidates in the market. Be careful waiting to interview too many candidates only to lose your top candidate due to delays. When you see somebody you like, you have to move quickly in a competitive market; otherwise somebody else will. Also, researching the appropriate salary range for a particular skill set and experience level is key.
- Is it appropriate to delegate the screening process? You, as the hiring manager, know what you need better than anybody else. Therefore, it makes sense to be as involved as possible in the early stages of the process. This is an investment of time, but it is an investment that pays off.
- What personality and working style makes sense? Beyond your company culture, specific roles require specific working styles. Somebody who is a great Analyst, for example, usually wouldn’t be the right person for a high volume data entry role. Consider what specific working style makes sense given the nature of the work.
- Are we doing all we should to ensure an employee’s long-term success? Once hired, do they feel they are a part of the team? Have they been introduced to possible mentors? Are they being invited to participate in events? Employees in today’s market decide quickly whether or not they consider their new positions to be a long-term fit. Make sure you invest as much in them post hire as you did to hire them in the first place.
Assessing your hiring and onboarding process prior to a search is an investment in the beginning, but pays good returns in the end. You are more likely to locate and secure the right fit and they are more likely to stay with your organization for a longer tenure.
Best wishes in all your hiring processes,
Bryan Edwards, MSA, CPA
Several years ago the call for separate private company GAAP was loud and rancorous. The FASB was accused of too much focus on public company issues, which resulted in financial statements that were complicated or, worse, meaningless to the users of private company reporting. The roar got so loud that a blue ribbon panel was formed and recommendations were made to have a separate board for private companies, much like the GASB for governmental organizations. The path was set for the FASB to be relegated to public company issues only.
Instead, the Financial Accounting Foundation (FAF) which oversees the FASB and the GASB decided to take a different route. The Private Company Council (PCC) was formed, but instead of having standard setting authority, it could only make recommendations to the FASB, much like the EITF. Many thought that the PCC was destined to fail because it seemed it had little more authority than a predecessor organization known as the Private Company Financial Reporting Committee (PCFRC), and the FASB had generally ignored any recommendations or suggestions from the PCFRC. There were some critical differences including designated staff support for the PCC and a requirement that the FASB actually vote on formal PCC recommendations including an explanation of why they didn’t vote in favor of such recommendations, if the vote came to that result. Still, it was far short of a separate standard setting board, and many thought that a FASB primarily funded by a public company levy (as the result of the Sarbanes-Oxley Act) would continue to focus on those who provided the money.
It has now been five years since the PCC was formed, and I would have to say that the PCC has been a great success. It made a big splash addressing a handful of issues that private companies had complained about for years, but the real story of success is the day-to-day counsel the PCC is now providing to the FASB in its standard setting work. You can see its impact on almost every new standard issued, from the private company specific issues addressed in the share-based compensation standard that went into effect this year, to the issues addressed in a consolidation standard update proposed a couple of months ago. There is a great article on the subject that can be found here.
Maybe the FASB got religion and realized they had to change because they finally saw how serious the profession had become. Maybe the more formal recommendation and rejection process had an impact on their thinking. Maybe the advocates for differential standards realized that, in the end, the big issues were few in number and, once they were addressed, felt like they could live with a mostly single set of GAAP. Whatever the reasons, I’m happy we all came together as a profession to help create a better answer that works for everyone.
Thank you FAF; thank you FASB; and thank you and happy birthday PCC.
I recently had the honor of attending my first meeting as a full member of the TSCPA Executive Board. This is the third professional association leadership team that I have had the privilege to serve on during my tenure as a CPA, and I was thoroughly impressed by what I saw.
The Executive Board:
- Takes care of your money; they make sure your dues are being used appropriately for the right things.
- Protects your license; they help CPAs get better, deal with the few bad apples out there and have a good relationship with the Texas State Board of Public Accountancy (which is not something that can be said about every state CPA society).
- Plans for the future; they want the society and you to be prepared for the future and take the time to think and plan accordingly.
- Finds ways to help you advance your career; they make sure we provide critical learning opportunities and work with the AICPA to provide tools and resources.
- Voices your concerns and ideas to standard setting bodies and regulators through committees including the Professional Standards Committee and the Federal Tax Policy Committee.
- Works to better serve you; every board member‘s first and last concern is your profession and how we can help you succeed, no matter how you define success.
I came away impressed by the quality of caring and of the ideas put forth by my fellow board members. The discussion and interactions made clear that everyone takes their service on the Executive Board seriously, and that makes me proud to be a part of such a great leadership team.