If you don’t know where you are going any road will get you there. – Lewis Carroll
Customer experience (CX) has been a hot topic for the last several years.
Companies have invested in teams to analyze data, customer service issues,
survey results, and they’ve utilized sophisticated tools such as the Net
Promoter Score (NPS) to understand how likely the customer is to share their
experience and promote the company.
Companies have increased
their budgets and resources to understand the habits, needs and desires of customers to create the perfect
journey and ultimate experience for those they serve but, despite all their
efforts, some companies are still falling short, which means lost revenue,
customer churn, and retention issues with their employees.
CX is the sum of all
interactions. According to a 2018 survey by Gartner, nearly 90% of businesses
compete on customer experience alone. Whether your company is transactional or
subscription-based the competition is fierce and if you want to attract, retain
and grow your customer base you have to lead with the end in mind and design
the ultimate experience.
Employee Experience (EX)
The exclusive focus on the
customer alone has not resulted in the business outcomes companies desire. Perhaps
the focus should be on something a little closer to home…the Employee Experience (EX). After all,
without employees you can’t serve customers, so maybe the old adage “customer
first” should take a back seat for organizations that truly desire to be
transformative in the market place.
Social media and platforms
like Glassdoor and Indeed have created complete transparency so that organizations
can no longer hide from the real-time employee workplace reviews. In this
competitive market, where skilled talent can be scarce,
companies cannot ignore the need to make the Employee Experience a priority.
Like CX, EX is the sum of every day-to-day
interaction the employee has from the first contact to last. It’s every
touchpoint they have with recruiters, HR, their boss and peers, the software
they use, the processes they must follow; each touchpoint is specific and
The Employee Experience is
a full spectrum of all their experiences and
a well-designed EX should empower employees with the tools and know-how to
serve customers successfully, provide employees control over their professional
growth and development, and create an atmosphere for positive and healthy
collaboration in a well-designed workplace. When EX strategy is developed and correctly
implemented the end result will be happy employees with a commitment to the
company and their job.
According to a 2016 report
by Deloitte University
Press, organizational culture and employee engagement was a top
priority in 2017 and is still a top focus. The report noted that nearly 80% of
executives rated employee experience very important or important, yet only 22%
felt that their companies were excellent at building a differentiated employee
experience. Of those same responders, more than half were either not ready or
only somewhat ready to address the challenge.
In lieu of a true
strategy that focuses on understanding and implementing modern actionable solutions
to promote a positive EX, employers are using perks like casual Friday, free
ice cream and an occasional “bring your pet to work day” to solve the problem. Companies
use these perks in an attempt to build a great culture without any actual
thought to what creates a great culture.
Jacob Morgan, the author of
The Employee Experience Advantage, analyzed over 252 global organizations to
understand the attributes that promote EX and drive employee engagement. The
top 3 companies that excel in this area are no surprise: Facebook, Google, and
Apple. We’ve all heard about some of the amazing perks these companies offer, but according to Morgan, leadership in these
organizations has focused on the bigger picture to yield positive results. They
focused on areas that really matter to
employees: culture, technology, and physical space.
Culture is a nebulous word and people define culture in a variety of ways. Morgan describes culture as a side effect of
working for an organization. Are your employees frustrated and burnt out? Do
they have a voice and an opportunity to present ideas or provide feedback
without fear of backlash? Is there role clarity and a clearly defined path for
growth? If you’ve heard negative chatter,
you likely have a culture problem impacting the EX, which will ultimately
impact the engagement level of your employees and your customers.
Employees should have
access to technology that supports their function. Technology should be a help
not a hindrance to employees. They should be able to work successfully and with
ease with the help of technology, but sadly, many companies have convoluted
systems that don’t sync, resulting in
errors, rework and duplication, all of which are time-consuming, costly and put
not only the employee experience at risk but your company as well. Leaders who
fail to stay current with new technology and upgrade the employee experience
through exposure to more advanced technology risk losing those employees to
companies who do make such investments.
Lastly, a great employee
experience is dependent upon the physical space in which employees work. Is
your office well lit, clean, free of clutter? Do you participate in initiatives
that support a healthy workplace? Are employees situated in an environment that
supports their tasks? For instance, if call centers are placed next to
employees who must utilize quiet focus to get their job done, then you likely are going to have some unhappy and frustrated
Companies that invest in
the development of a focused EX have seen improved results with attracting and
retaining skilled employees who are passionate about the company and the brand,
and play an active role in the ongoing success of the organization. Employees
want and expect to develop their skills as the company grows and adapts to
market demands. Maintaining stale, obsolete skills is the ultimate morale
Although developing a
focused strategy has not been a priority to organizations, of the 252 global
organizations analyzed by Jacob Morgan, only 15 companies, or 6%, have created
a winning employee experience; companies that don’t focus their strategy are at
risk for both employee and customer churn.
Focusing on long term
solutions means taking the time to engage employees to understand their needs,
wants and expectations and work to align tactics with developing a winning experience.
In the end, you get happy, productive employees who bring tremendous value and
drive positive business outcomes.
Are your business outcomes
meeting your expectations?
Where is your focus, the CX
or the EX?
Have you invested in your
Employee Experience or paid it lip service?
Barker Associates will help you review and understand opportunities to enhance your Employee Experience – the work environment, use of technology and company culture. Together we can design and implement employee experience solutions that yield happy employees and positive results. Contact us today at (904) 394-2913 or by email here.
Founder-itis is a serious condition that occurs when one or more of the founders have remained in their position in an organization for far too long. They have remained physically, mentally and emotionally in a position that is preventing the organization from healthy growth. This condition can occur in small to very large organizations. I have witnessed very strong impacts of Founder-itis at large companies.
The cure for this condition is for an emotionally evolved founder-turned-leader to fight against their natural tendency to hang on to what is comfortable, what worked in the early stages of the company to catapult its growth.
Long-term CEOs of successful companies such as Jeff Bezos at Amazon and Howard Schultz at Starbucks have broadened their horizons as the company has grown.
Successful founders who transition to long-term leaders by avoiding Founder-itis have learned these four key qualities.
Deals with ambiguity – When an organization starts out the management team may find themselves working around someone’s dining room table, in a basement or their garage. All the stakeholders communicate and keep each other up to date in real time because they can, literally, reach out and touch. Modern-day conference software works for small teams as they start a business. During this stage, the Chief Executive Officer (CEO) is engaged in very detailed decisions and aware of every move that is made. When it’s time to move effectively upward with a growing organization at some point, the CEO must effectively delegate those detailed tasks to move up to a more strategic role with the organization. Details they knew off the top of their head intuitively will have to be delivered to them in a report that is generated as a result of a quality process. The CEO must learn to deal with some ambiguity and trust the management team is effectively executing their responsibilities. Founder-itis comes in when the CEO will not let go of knowing small details and continues to micromanage staff. This is not an effective use of CEO or staff time.
Hires well and timely – CEOs of high growth companies hire professionals for positions that will challenge them and help develop the strategy as well as successfully execute it. If the CEO lets Founder-itis slip in and only hires puppets who will execute only on what they are told without challenging the status quo, they are holding the organization back from the ability to grow effectively. I recently heard a private equity partner state that is one of the things that holds back the execution of the strategy that fuels growth.
Leads and supports rather than controls and micromanages – If a CEO constantly talks about how easy a certain task is and should be with 1980s style processing; is not open to a suggested change in process, upgrade to a new system or hiring enough staff to complete tasks, they are choking the organization. Two examples I often see of this are processing payroll internally instead of outsourcing and gathering paper receipts and matching against a paper credit card statement. You may think that only happens in smaller companies; however, it has happened in companies that have over $50 million in revenue and operate in most of the fifty states. Such situations persist because one of the Founders thinks that since they had always processed payroll manually when it was their responsibility, it’s just not a big deal.
I also have seen recently where a very young company got hit with an $8,000 fine from the state department of revenue related to incorrectly processing unemployment. This happened as the founder wanted to save money and not incur the payroll processing fee. The fee was taken from their bank account before the receipt of the letter that explained the error and related fee.
Embraces pivots – Founders who believe they can keep doing what got them to their first $1 million in revenue are not pivoting. Founders need to realize their role has changed and it is essential for the strategy of the organization to change. The world is changing so fast – just when an organization is up to date with technology, it is time to change again. Embracing that change and the short term disruption it causes is not easy, but it is essential if the organization is to remain relevant, keep talented and engaged employees and execute sustainable strategy.
Leadership and sustainability go hand-in-hand and truly make a difference in a growing organization. Especially with today’s low unemployment, leaders must recognize part of their strategy is to provide a working environment that will keep top talent engaged. Expecting employees to be happy that they receive a paycheck while you expect them to deal with 1980s technology and stone age processes will lead to high turnover and unnecessary chaos and is a sure symptom of Founder-itis.
In recent emails, I’ve updated you on regulations going into effect this year as well as consequences we realize from previous legislation (namely, SOX). The legislation was enacted because of the erosion of accountability in this country. How do you hold your company accountable while also raising the bar for maturity of processes? Here are my recommendations, based on my experiences in private equity firms, for-profits and nonprofit organizations. It means going back to the basics that technology may have allowed inexperienced staff to circumvent.
Assess Your Procedures for Payments and Bank Reconciliations
Paper checks – Get rid of them; but if you must have them, make sure to use Positive Pay through the bank. Positive Pay uses information from a file that you provide to the bank each time you process checks. As checks are cashed or deposited, your bank compares the checks they receive against the checks you wrote to ensure they match and are not duplicated.
ePayments. If you can eliminate paper checks, consider using an ePayment service. Such services provide a comprehensive payment process with built-in controls. The due diligence process to determine which service will work for you can be overwhelming, but you can request a free ePayment vendor selection checklist I put together with the information you will need about your company and the questions to ask potential vendors during the evaluation phase.
I applaud companies who had the foresight to move to the ePayment process. Make certain the IT department has proper documentation on how the process works. With low unemployment and the resulting turnover, you do not want to find yourself with no one who knows how to push the buttons and fix this if something goes wrong with the process.
The checkbook is a thing of the past, and many young accounting professionals would not know what one looks like. I have asked many accountants, as they are processing a stack of checks, how do you know you have enough money in the bank account to cover those checks? Most of the time they put a very proud smile on their face and report, “I checked the online bank account balance this morning and there is plenty of money to cover the checks.”
After I hear this, I work to control my facial expression. I should become a poker player so I can practice the poker face I need when I hear this response.
So, I ask, “What about the outstanding checks that have not cleared the bank account? What about the auto draw of ongoing expenses like rent and other items? How do you account for that? Do you maintain a checkbook?”
The responses or reactions run the gamut from blank stares, to statements such as, “I keep a running total in my head,” “The checks we issue get cashed quickly.” These answers only serve to challenge my poker face so that I can keep good customer relations. Rarely does the person I am asking show me the checkbook kept in the general ledger system and a proper cash reconciliation they prepared for the previous month. I find this lack of process in organizations of all sizes.
Bank reconciliations. In general, if the organization has escaped the Sarbanes-Oxley controls, which, as I stated before, more and more are doing to escape the enormous and overreaching regulation, there is no timely bank reconciliation.
Make sure that, at a minimum, these controls are in place:
Blank checks are locked in a secure place and only check processors and check signers have access to them.
Ensure there is a review of the bank reconciliation and the bank statement two times a year by a C-Level executive, Finance Committee or Board member or investor. Request a free step-by-step bank reconciliation checklist on how to do this here.
This is a true story. I received a check for payment from a large, publicly-traded company. I was shocked when I received the same check number for the same amount twice in the mail. I called the insurance company to report it, but they never called me back. I received a letter about the duplicate check weeks after I had received the second check and made the phone call. The letter I received was very factual and did not offer an apology or do anything to try to mitigate the branding impact. This was a shocking revelation to me that the lack of controls over payments was everywhere.
Get Corporate Credit Card Usage Under Control
Credit Cards – If the US government ever creates a Corporate Credit Card office, I am going to run for the position and work myself out of a job. Corporate credit cards are a nightmare to manage in all companies, from small to large.
Large, publicly traded companies hide behind the fact that they are audited to ignore credit card controls. Yes, you are audited, but the corporate credit card balance is small and immaterial, which means it does not meet the audit criteria for detail testing. Remember, the outside auditors are focused on what the SEC is going to ask them about – the corporate credit card is not on the list. Many small, fraudulent credit card transactions can add up and instill a culture of weak financial responsibility in an organization.
In small organizations, the office manager, bookkeeper, (remember the one who figured out how to print a check out of QuickBooks?), or even the receptionist has a company credit card. This usually happens when a C-level person realizes they may have to pick up the toilet paper at Sam’s Club with their credit card and they do not want to. It’s OK to delegate that responsibility as long as controls are in place to prevent fraud and misuse.
In my work with all sizes of organizations, I have found that often they do not have a credit card policy. Get a policy, even if it is short and sweet, and have each employee who holds a company card sign it. Email me for a free credit card policy template to get you started.
Fraud on corporate credit cards is running rampant. Often the employee is incurring small, unauthorized charges that add up to a significant number. The Accountant, Purchasing Manager or whoever oversees the corporate credit card may be faced with ethical dilemmas every day when executives in higher positions are the guilty parties. Such situations make it difficult to manage and monitor effectively without a signed policy as backup.
Small organizations and nonprofits tend to have no automation of the credit card process, relying instead on cardholders to provide receipts for accounting purposes. When cardholders are late in providing the receipts, accountants set up a holding account in the General Ledger, (which is often QuickBooks), where they charge the payment of the credit card to avoid paying late. With no accountability for the balance sheet reconciliation, the account just grows. If the accountant responsible for collecting the receipts takes their job seriously, they will walk around the building asking for the receipts and, as an added bonus, hit the goal of 10,000 steps on their Fitbit – the search for the receipts will take care of that!
Tighten up controls on the use of corporate credit cards with these process improvements:
If you work for a public company and have authority over credit cards, set up a process where the Audit Committee of the Board has someone designated to review a monthly or quarterly report of corporate credit card usage. Internal Audit should be reviewing executive expense reports and corporate credit card statements annually. I suggest they pick randomly from the group for about 10% coverage each year and always review the CEO and CFO.
Nonprofit Board – make sure there is a policy that each cardholder signs. Review how the process works and suggest implementing automation of credit card receipts. Expensify, or a similar technology tool, can serve that purpose.
Private company – Set up automation of collecting credit card receipts and a review process like the one described for nonprofits.
Readers of this email who work for well-organized companies with mature practices in place may be thinking, “Surely there are not companies operating without these fundamental business practices in place.” My response is that if that was the case, I would not be writing on this topic or asked repeatedly to present these concepts to audiences!
You can easily implement the actions from this post. I’ve made the tools available for you for free.
The Sarbanes-Oxley Act has created several unintended consequences including, in my opinion, eliminating many basic company controls it was intended to enhance in the first place.
Sarbanes-Oxley (SOX) became law in 2002 and was shortly followed by more regulation and the creation of the Public Company Accounting Oversight Board (PCAOB). SOX has created many interesting dynamics and consequences, which I will elaborate on in this post. Initially, public companies struggled with how to define a “control” to document that could be used to monitor compliance with Sarbanes-Oxley. I related it to one of my past roles where I was required to read two magazine articles a quarter to maintain my technical knowledge. The way the control was written, it seemed I could read any magazine article to maintain compliance and I was uncertain how an article in People or Cosmopolitan was going to help fulfill this control. SOX regulators and my supervisor both needed to tighten up the definition of “control.”
Since 2002 there has been significant, well-documented analysis of the requirements related to SOX, leading to very specific rules and oversight. The result in the public sector is that the audit team who is auditing for compliance now must try to keep the regulators from sending them letters and questions about controls that may not be the most strategic as it relates to the health of the company. The auditors then, in turn, have their hands full during the audit process reviewing these types of controls, making it harder for them to add value and help with overall strategy. They have less time to step back and analyze the numbers in a way that results in a critical eye on the company’s financials, as they are auditing to the specific regulation to prevent the SEC from having a reason to come after them.
The increased regulation has flowed into the AICPA audit guidance, enhancing the rules of all audits; consequently, the cost of audits has increased for public and private sector companies. One of the most impactful changes has been the enhancement of the rules around auditor independence, including:
The auditor can no longer prepare the accounting records of the company they are auditing at all. Twenty years ago, if an auditor identified a small issue or difference, that auditor could determine what adjustment was required and make the entry to the financial statements. Now the auditor must communicate the finding to the client and request they analyze to determine what the entry should be and submit the entry to the auditor. Especially in smaller companies, the staff may not have the specific expertise to carry this through. These types of delays in the audit process drive the cost up.
The public company cannot hire partners and managers on the audit team while they are working on the audit. Twenty years ago, public companies would frequently hire professionals from their audit firm who were already familiar with their company and the culture. The SEC was concerned this impacted independence because if the auditor is expecting to be hired and receive a large salary, they may not work with complete independence.
The peer review regulation has been enhanced, requiring even the smallest audit firms to participate in peer reviews. However, a small CPA firm has a difficult time allocating the time to either host a peer review of their work or go to another firm to perform a peer review on their work.
Those were some of the enhancements. Now for the unintended consequences of regulation:
Partners in big CPA firms are leaving the practice as they are tired of dealing with the PCAOB inquiries while still having to complete their audit responsibilities.
The number of companies entering the public market with IPOs has declined over time as they are unwilling to incur the cost to comply with public reporting. This trend reversed in 2018; there has been an increase in IPOs as noted in the EY Global IPO trends Q4. Most of the increase is in the healthcare and technology sectors as you can see in this report from EY.
The typical entrepreneurial growth company does not have the disruptive technology and the ability to attract multi-billion-dollar valuations. Take Farfetch (FTCH), for example, who commanded the initial $6.2 billion valuation after the first day of trade in September 2018, with a $112 million loss in 2017. Farfetch’s valuation will make it worth the increased regulation of a public company. This example is the exception rather than the norm.
The cost of an audit for both public and private companies has increased significantly. As a result, many companies subject themselves to an audit when it is necessary. Recently, I learned of a company that was required to get an audit to comply with the buy-side due diligence of their potential acquirer. The cost of the audit was double the original estimate, significantly delaying the sale closing.
Private Equity firms struggle getting through buy-side due diligence without having audit reports or typical systems infrastructure and controls upon which they have historically relied. The standard of requesting an audit has been lowered and the Quality of Earnings (“QOE”) report is being used more often.
Public company accounting and finance executives are expending valuable energy managing to the specific concerns of the PCAOB, leaving inadequate time and mental space to think strategically and apply judgment to controls in their environment.
The companies electing not to have an audit due to the cost may not have proper data and information to run the business day-to-day, which an audit would reveal.
By choosing not to pay for an audit and the value a third party brings by reviewing their controls, the company may not have adequate controls, leaving companies more vulnerable for fraud and embezzlement.
High growth companies have grown without the benefit of audits and may be using a combination of QuickBooks and an Excel spreadsheet explosion to maintain their records. The accounting team may not be reconciling balance sheet accounts and applying proper month end closing process. When the company seeks outside investment or desires to implement an exit strategy, they may find themselves in a situation where they must get an audit completed. The cost of an audit will likely be enormous at that point, as the books are probably not ready for an audit and chances are the existing staff may have never gone through a process of preparing a company for an audit.
SOX and PCAOB are certainly necessary in the United States regulatory environment. Public reporting and transparency are necessary for investors to be properly informed. The regulation should be reviewed and “right-sized” for the current environment. It is a shame that a few companies with less-than-stellar ethics, like Enron, led to a set of rules that has grown into such a powerful force. The PCAOB is not strategically focused on keeping businesses in business, and C-level executives should be pushing back for regulations that help businesses and against those controls that waste time.
Private companies that feel they are unable to afford an audit should keep their books and records so they are auditable. Basics such as monthly bank and balance sheet reconciliations and proper month end cut off should be a normal business practice.
One of the changes affecting private businesses in 2019 is ASC 606, Revenue Recognition.
Danielle Moga provided the insights below about what ASC really means to you. She is an associate of Barker Associates with a wide variety of accounting and finance experience with non-profit and public companies.
ASC 606 What it Means to Private Business
Contributed by Danielle Moga
Public companies had to adopt the standard in 2018 and what we’ve learned is that the process to implement was not a straightforward exercise. Many companies underestimated the complexity of the change and did not have the appropriate time, resources or processes in place to implement seamlessly.
The new standard changes the way companies need to record and recognize revenue from their contracts. The goal of the new standard is to enable users to understand better and consistently analyze revenues across industries, transactions, and geographies but the disclosure requirements are comprehensive, and the changes to the nature and timing of revenue recognition can be significant.
The good news is that you don’t have to be an industry-specific guru to implement the changes, as FASB opted for a more principles-based approach. The challenge is, those preparing financial statements and disclosures will require more judgement.
ASC 606 breaks down the analysis of contracts into a 5-step process that is intended to help preparers wrangle the chaos of details but the task to determine revenue recognition can be daunting depending on the volume and types of contracts that exist.
1. Identify the contract(s) with a customer
   The contract must be fully executed, clearly identify the goods/services to be transferred and specifically outline the payment terms.
2. Determine the performance obligations in the contract
   All distinct transfers of goods or services must be identified. A good or service is distinct if 1) the customer can benefit from it on their own, or with resources they already have, and 2) it can be transferred independent of other performance obligations.
3. Determine the transaction price
   The amount of consideration the company expects to be entitled to in exchange for transferring the promised good or service.
4. Allocate the transaction price to the performance obligations in the contract
   Performance obligations in the contract need to be separately identified, priced or estimated.
5. Recognize revenue when (or as) the entity satisfies a performance obligation
   The timing of recognition of revenue is dependent upon the time frame in which satisfaction of the obligation occurs. Point in time vs. variable over time.
The five steps are handy but don’t realistically help to manage the complexity of the project or the time it will take to meet the looming deadline.
We recommend a 3-phase approach:
Analyze contracts and systems
Ensure you have the right resources on hand with the skills and time necessary to lead and organize the project; or hire those resources externally for support.
Outline all components of the contract(s), as denoted in the 5-step process.
Decide if the retrospective or cumulative method will be utilized.
Document the existing methods and systems used to report revenue streams.
Determine the necessary changes to process and systems to implement and control the new recognition methods.
Document judgements made where clarity is needed.
Outline historical journal entries and the new ones necessary for compliance.
Determine differences and the impact on revenue, KPI’s and other material items.
Begin the conversion process and maintain parallel systems to ensure accuracy.
Schedule internal assessments of reporting and systems to ensure ongoing compliance.
Assess the skills and time of the internal team designated to safeguard this process to establish if additional support is needed.
Even with steps and a process, companies must set aside the time necessary to transition. Companies with minimal impact may only need a few months to go through the process of outlining and documenting. Companies with complex revenue streams and required system changes could take six months or more to transition and implement.
Don’t get caught in the 11th hour, start now! If your internal team is seasoned enough to handle this change then there are many resources available to educate and plan. Alternatively, leverage outside talent to minimize the chaos and challenges that come with significant change.
If you are a regular reader of my emails and blog posts, you know that I am passionate about companies having the right financial infrastructure to operate their business. Real costs are eroding your bottom line when you don’t have a handle on people, procedures, and process.
Consider the cost of these infrastructure “fails”:
Little to no understanding of the cost of individual services or products and whether your price covers the costs;
The inability to seek funding from investors because you can’t pull together the required financial information;
The cost of replacing frustrated financial staff who refuse to follow old, antiquated processes;
Time spent by C-suite execs creating their own financial reports when their own Finance Department can’t meet their needs; and
Fraudulent activity that goes undetected until it’s too late due to the lack of proper procedures and education.
Finance and your company’s IT capabilities are closely linked by the daily transactions that run your business. Sound, efficient infrastructure in Finance is great, but it must be supported by a highly secure and reliable IT infrastructure. I’m not speaking hypothetically, either. This reality hit home when a colleague shared with me his story of being a ransomware victim. The following reads like a script for a cybersecurity who-dun-it!
Our company uses a cloud-based server provided by Intermedia Solutions to host mission-critical applications, including our QuickBooks accounting software and our back-of-the-house order management system. The actual computer hardware on which our cloud server was running was physically located in a server farm in Atlanta, Georgia. This order management system handles everything from accepting orders from all the channels we do business through (our own website, Amazon.com, Walmart.com, eBay and orders we take via telephone), plus it performs inventory control operations, vendor management, and purchase order issuance. Virtually everyone in the company uses one or both applications throughout every day, seven days a week. They’re accessed via Microsoft’s Remote Desktop software.
On Sunday, February 26, 2017, one of our employees logged into the server, preparing to work, and saw this message on the screen of our supposedly secure cloud server:
Whoever posted the message said that our data and applications were being held for ransom and the only way to free the data was to pay 24 bitcoins, at the time about $35,000. We found that the data on the server was not available to us. It had been encrypted. We were a victim of a ransomware attack.
After a moment of panic, we recalled that we and our cloud server provider had prepared for this possibility. If we hadn’t prepared, we would have been a statistic: another company who was either forced to pay the ransom or go out of business as a result of the loss of all of the company’s data. In 2017, there were 184 million ransomware attacks, most in the United States.
But we were ready and if any day was a good day for a ransomware attack, it would be a Sunday when we aren’t speaking to customers.
We had backups. Our cloud services company made image backups of the hard drive containing our cloud server and its data every night at midnight. The one thing we weren’t going to be doing was paying the ransom. Instead, we contacted Intermedia’s after-hours helpdesk and explained what happened.
We instructed them that we did not want the physical computer hardware repaired (because we didn’t now and would never trust that hardware again). Instead, we wanted a new server configured for our use. They had that ready for us in about four hours. We now had a brand-new cloud server ready to go but with none of our data on it. We then asked for a SECOND brand new cloud server to be set up for us but re-imaged from the backup image taken Saturday night at midnight. This would take longer.
Monday morning, although we were still not operating, we now had a clean, empty server and another server that APPEARED to be working with all of our applications and data on it exactly as it was at the close of business Saturday night. But I didn’t want to actually use this for fear that the ransomware application was lurking on the hard drive someplace ready to be reactivated again.
Over the next two days, we created data backups on the server and worked with our two application software companies to reinstall fresh versions of their software on the new empty server. On the third day, we did a restore of the data from the server image to the new server we planned to use. We gave instructions to Intermedia to abandon the original server that had the ransomware and the server image we had created. We were almost ready to resume operation. But I wanted to get some idea as to how we might have become a victim in the first place. What I learned is that ransomware is almost always delivered via a rogue email containing an image, HTML or a PDF. The travel path for the virus was likely from one of our users who likely clicked on an email on their local computer while they were also logged into the cloud server. If that was the case, then the ransomware virus was also residing on someone’s workstation.
In my investigation, I also learned that a) Microsoft’s included anti-virus software is completely inadequate for company use and b) the anti-virus software on the server was grossly out of date.
We needed an anti-malware application that created a closed loop: coverage for the server and all of the users’ workstations that access the server. Also, it needed to be managed centrally. Users could not be trusted to keep their anti-virus software up to date. This was not the time for “free” anti-virus protection. Ultimately, I selected Symantec’s Endpoint Protection. For $28 a year per workstation/server, we got a managed malware protection suite. From a single web portal, I can see that everyone’s computers are properly protected. Then I installed it on the server and in the process, it confirmed that my restored data was clean.
Finally, on Thursday morning, we were back in full operation and properly secured.
I was pleased we had no data loss and didn’t have to pay the ransom but disappointed it took four days to recover. Here’s what I learned:
We chose wisely when we chose Intermedia. They take our cloud-based service needs seriously.
If you’re using computers in your business, take a good long time to think about what would happen if you had a complete data loss, ransomware attack, etc.
Take your IT infrastructure security needs seriously. PLAN for a worst-case breach. Do not presume that your employees keep their computer software updated.
Don’t take your provider’s word for it that you’re protected, backups are being created, etc. Every few months I have a new server brought online and a restore performed. Once I’ve seen with my own eyes that everything works, I delete the server. It’s like conducting a fire drill.
Lessons Learned for Finance
Had Larry not had the right disaster preparedness and IT infrastructure, the costs of his crisis would have been much more than the $35,000 ransom. He still would have incurred at least 4 days of downtime. With his confidence shaken in the violated server, he still would have repeated the recovery process to bring new servers online.
Larry’s Lessons may be applicable to your own IT infrastructure, whether you’ve followed a similar process or realized that you should. Here is how Larry’s Lessons Learned can be applied to your Finance infrastructure:
Have a disaster preparedness plan for your department that aligns with your IT disaster preparedness. Test it periodically against various scenarios, but not less than every 6 months. Update the plan based on changes in your systems, procedures or business.
Cheaper is not always better – in fact, it rarely is. Understand your needs and invest in meeting them with the most robust tools you can afford.
Have an IT Security Policy and related Procedures. Educate your staff at time of hire and throughout the year on the latest scams and the importance of following your company procedures.
Finally, have a third party review your processes for areas of improved efficiency and security.
Barker Associates has the unique ability to work with all sizes of organizations and building infrastructure that matters. Contact us today!
Mindy Barker, Founder & CPA | Jacksonville, FL 32256
(904) 394-2913 or (904) 728-2920 | CFO@MindyBarkerAssociates.com
My first CFO job was working for a relatively small organization with an administrative assistant who still used a typewriter and refused to have a computer on her desk. She had been with the company since its origination and she knew where everything was located. She had all the contracts, historical Board reports and legal agreements in a file drawer. If you asked her for a document, she could stand up from her desk open one file drawer and hand it to you within 3 minutes tops.
The truth is, in today’s environment, to locate corporate, financial and administrative documents when they are needed can cost organizations unbelievable amounts of money.
Betty did not like me too much when I became CFO, as she thought I was taking a job away from a man. My approach to this and all discrimination I have experienced in my career is to analyze the situation and determine if I could make it better by doing such an awesome job no one could ignore me. If that was not possible, I would have changed my geography.
When she came to some of the first C-level management meetings, she would ask all the men in the room what they wanted to drink and skip over me. I was fortunate to have a wonderful boss who would then follow her out of the room and tell her what I would like. I quickly realized that if I wanted to be successful in this position, I had to figure out how to win Betty over so that I could get to those documents and of course get a cup of coffee at the management meetings.
Whose Job Is It to Manage Corporate Documents?
Times have changed and the days of Betty or any administrative assistant asking if you would like something to drink or logically organizing documents have gone the way of the rotary telephone.
Businesses have, for the most part, eliminated the administrative assistant position as they feel the position is not needed now that professionals have email and all the apps and tools a computer provides. Even if there is an administrative assistant, the job description generally will not include managing and maintaining corporate documents. When I begin a new job with a company, I frequently ask who has this responsibility; C-Level executives of small and large organizations look at me just like I asked them what kind of cheese is on the moon. They have no idea.
Failure to follow a document management process costs your organization in the following ways:
The C-Level executives do not have a clear line of sight to the contract terms they are bound to as they are carrying out their corporate responsibilities. This can lead to losing major customers, noncompliance issues with regulatory bodies and lawsuits that take a tremendous amount of time to litigate.
Creates negative relationships with vendors. I once spoke with a professional who had served as a manufacturer’s rep for an organization for several years. The management of the company changed, and when the manufacturer’s rep came to meet with the new management, they were told: “I looked in the file drawer, there was not a contract, so I am terminating our relationship today.” The manufacturer’s rep had a long-term relationship with the company and its customers in a very closely held industry. Once the new management realized the mistakes they had made, it was too late. Not only did the contract have a 90-day termination notice clause, but the rep was well-loved by many customers. The negative ethical behavior on the part of company management left the rep unwilling to work with that company.
I have seen many a deal fall apart, and the potential investor or buyer walk away, before due diligence is complete. When a company’s documents are distributed in corporate and personal emails, shared corporate drives, personal drives, even the email files of terminated employees, locating them takes valuable time in which the potential buyer can find a lot of other things that interest them, causing them to move on to another deal that is ready to move forward.
Compliance issues are not dealt with on an ongoing basis. As a new CFO at an organization with government contracts, a governmental agency called me to report my organization was out of compliance with the terms of the contract. I pulled the “I am the new kid on the block” card and asked to call them back. It was shocking how long it took to locate the contract after I hung up the phone and even more shocking to learn the terms of the contract to which we had agreed. It was apparent to me that our organization had failed to thoroughly read and understand their contractual obligations. When I appealed to the agency that the terms were not reasonable, the agency basically said, “Well you (meaning the organization) signed the contract and you will be compliant, or we will terminate the contract.” This was not the welcoming present I was looking for.
Who is Your Betty?
If I had a nickel for every time someone sent me a contract they considered final, but was not fully reviewed and executed with all signatures, I would be inviting you to my corporate yacht this weekend. Betty would never have filed an incomplete document in her precious filing system without all the signatures, dates, notary stamps and corporate seals. Honor Betty and her memory, as she now rests in peace in the clouds; put someone you trust in charge of finding and organizing all the corporate documents and maintaining them. Your organization will be better for it.
When you scale you need to have a more analytical approach of targeting and segmentation, but in the beginning, it’s much more qualitative. (Pavel Malos 6/11/18, uxdesign.cc)
Chief Executive Officers, Board Members, and Investors have a fiscal responsibility to ensure an organization can handle planned growth. For-profit business leaders must back up the strategy with the right level of working capital and financial infrastructure. Nonprofit leaders must make certain they have the right financial and fundraising data to analyze and plan effectively.
QuickBooks and other simple financial programs have elevated the confidence of professionals, not trained in accounting, past their competence. These systems allow you to process the basic information easily; however, the non-accountant may not have applied the required strategic thought process to the design of the infrastructure that a trained and experienced financial strategist would apply. Some entities can be run effectively in QuickBooks, and the financial data can be analyzed if the infrastructure is set up properly in the beginning.
All organizations need to have financial information, in proper segments in the General Ledger and make sure there are proper period end procedures. Lack of proper information can lead to performing services or selling product at a loss, non-compliant reporting and a lack of proper cash flow. All of these issues can lead to an untimely end to any organization, for-profit or nonprofit. We have all heard of employees showing up for work one day to find the doors locked and an abrupt end to their job and paycheck. Sometimes these employees learn their employers have not remitted federal income taxes, deducted from their paychecks, to the IRS and they have to pay the taxes again. Leaders of organizations should listen to their financial leaders when they request upgraded systems and more people to account properly for the organization’s financial data.
Leaders who make it a priority to set up, manage and monitor metrics have thought through configuring their reporting infrastructure. Leaders without such foresight run through their day-to-day life worrying about how to make payroll and pay bills, with little to no awareness about which decisions are working and which are not working to scale growth to new levels.
Mailing paper checks to vendors without Positive Pay puts your company at risk.
Why don’t you just play Russian roulette with a full chamber or ride a motorcycle without a helmet? That may seem a little over the top, but the paper check is a risky way to submit payments to vendors.
What Can Happen?
A client contacted me recently to help unravel the mystery of the missing payment to one of his vendors. By researching his automated AP system and conferring with his third-party print vendor, we confirmed that the check had been produced and picked up by the post office for delivery. The check was eventually presented to a bank in Chicago for payment. The vendor was in North Carolina.
The bank in Chicago eventually released a photo to the FBI (yes, they had to get involved) of the person trying to cash the check. We had the chance to view the photo to confirm the person was not an employee of my client’s company. Thanks to using Positive Pay, they did not lose out on the amount of the check.
The incidents of check fraud are so frequent that law enforcement officials such as the FBI aren’t that interested in pursuing the “little guys”; they want to go after the big fish. Even though the check my client had cut was over $20,000 – big to him – to the FBI it wasn’t worth pursuing just that one instance.
Seventy-five percent of organizations that were victims of fraud attempts/attacks in 2016 experienced check fraud, a 4% increase over 2015.
Positive pay continues to be the method most often used by organizations to guard against check fraud, used by 74 percent of organizations. Other methods include:
Segregation of accounts (cited by 69 percent of respondents)
Daily reconciliations and other internal processes (64 percent)
Payee positive pay (41 percent)
Lack of positive pay (cited by 23 percent of respondents) and clerical errors (18 percent) were two primary reasons for financial loss due to check fraud.
As the statistics show, checks continue to be the payment method most frequently targeted by those committing or attempting to commit fraud. One method companies use to fight check fraud is converting to electronic payments. In addition to the fraud prevention benefits, ePayments provide benefits such as:
Ability to quickly process last-minute bill and payroll payments.
Take advantage of early payment discounts, while paying closer to the due date.
Improved client-vendor relationships due to rapid, more efficient payments.
Eliminate the cost of printing and mailing paper checks, which can be as much as $9 per check.
Often implemented as an add-on to your existing financial system, the selection of vendors offering B2B ePayment solutions is huge. Barker Associates has seen the “deer-in-the-headlights” look that clients get when trying to sort through the options to choose the best solution for their company.