At the Intersection of the Great Resignation, Professional Services, and Those Who Stayed
Shifting Perspective from Those Who Left to Those Who Remain
The Great Resignation of 2021 has left more than vacant seats … although it has left plenty of those too. In its wake are thousands of desperate CEOs and the often forgotten-about, frenzied, and burnt-out workers who chose to stay. In their desperation, what these CEOs aren’t realizing is that while they struggle with finding new talent in this overly saturated candidate market, they are often not paying enough attention to, or completely disregarding, those who are still right in front of them.
These employees, whether they stayed because they had no choice (after all, not everyone can quit), felt a sense of loyalty to the company and/or their co-workers, or simply loved their jobs, are now feeling undervalued and underappreciated at the same time they are working harder than ever. And, while they pick up the slack and feel underappreciated by their supervisors, they are often also dealing with increasingly demanding clients and customers. It’s as if the country is in the grips of a new pandemic of impatience, rudeness, and intolerance, and these employees are left to deal with it all. Additionally, the resulting shift in power and bargaining positions of the Great Resignation has forced companies to offer more money than ever before … to secure new talent. That’s great for them, but what about the others?
As it stands today, in return for all that they’ve done and sacrificed, these employees are getting depressed, having panic attacks, and getting sick, with some turning to alcohol or drugs to try to ease their physical, mental, and emotional exhaustion. With our nation already struggling with massive mental health issues, something must be done to curtail this destructive path.
The Impact to Professional Services
While this challenge has impacted nearly every industry, professional services, including accountants, lawyers, finance, and IT professionals, exemplify it even more. The mental and emotional anguish of a professional who is trying to do a good job when it is physically impossible to do so (because they have too much work to do) takes away their ability to think clearly and make quality decisions. All accounting firms – from the Big 4 to regional companies – are short staffed. And the ones who stayed are having to work extra to cover multiple jobs. Despite this dynamic, it seems companies are reluctant to increase their salaries to meet current market demands. According to one recruiter, if you want an accounting professional to work in the office, the rate will be 130% of the market because they are demanding to work from home.
Like millions of others, professionals are tired, burnt out, and frustrated. And money isn’t everything. The pandemic shook people to the core – they are looking for more meaning and know that meaning rarely comes in a paycheck. In fact, there are professionals walking out of jobs that pay $250,000 per year because they can no longer cope with the constant stress of doing everyone else’s jobs. That’s a lot of money to walk away from, demonstrating the increasing severity of this situation.
It’s About Retention
It’s incredibly short-sighted to keep working those employees who chose to stay to a breaking point, while keeping them at below market salaries. It’s time for employers to shift some of that focus from securing new talent to securing the talent they already have. If they don’t, they will never find the right balance, as those who chose to stay before will likely soon also leave. According to Harvard Business Review, “employers need to recognize that it takes significantly longer to recruit someone than it does for them to give their two-week notice and depart.”
Increasing retention can come in many forms, including:
Providing opportunities to grow
Elevating the company’s purpose (and communicating it with the team)
Prioritizing culture and connection
Investing in taking care of employees and their families
Further, while we are at a time when there is increasing emphasis on Environmental, Social, and Governance (ESG), we cannot decrease emphasis on the health and welfare of our employees. It is counterintuitive to work on ESG initiatives while the company is short-staffed and burning out the employees they have.
A word of advice …
For Professionals. Know your worth! Do your research and ask for a raise with your current employer or seek a new position in this market to increase your salary.
For CEOs. Retain the talent you already have by treating them well! Pay more attention to the professionals you already have on staff than those you are attempting to get on staff.
The Great Resignation may have been considered empowering for those who were taking a stand, demanding more, and walking out the door. But for those who chose to stay, it has been anything but empowering. And the resentment and exhaustion they feel isn’t going away anytime soon. It’s time for decisive action now to retain those who remain.
Barker Associates has extensive experience as an outsourced CFO. If you need assistance, or have any other questions, please click here to schedule a 30-minute consultation at a rate of $100.
What Getting Stuck in an Elevator Teaches You
There are Lessons in Nearly Every Situation
I recently enjoyed a wonderful evening with some friends and family. We had a lovely dinner and then went to a show. We had purchased tickets for Hamilton years before the pandemic changed our lives, and were thrilled to finally be able to see it.
After the show, we walked blissfully back to our cars, still glowing with the excitement and contentment of a great night out. We had all parked in a parking garage that was only accessible by an elevator. We approached the elevator and were soon joined by several other people. As the doors to the elevator slowly opened, approximately twelve of us got in.
Lesson 1: Communication
We all pushed our respective parking garage levels, and continued our respective conversations. The elevator started to ascend. Suddenly, the elevator stopped, but the door did not open. My friend was next to the elevator controls and immediately hit the “open door” button. A few of us near the doors tried to nudge at them, to no avail. We then hit the call button and reported to the person who answered that we were stuck in the elevator. He assured us that he was sending someone to help.
What we heard in that message was that someone who was capable of fixing the elevator was in the building and on their way. After a few minutes, when no one came, we called back and asked how long it would be. The person who answered said he was not sure, as he was unable to reach the mechanic. We asked a few more clarifying questions and determined that the mechanic who was “on his way” had not even yet been contacted, and we had no idea how far away from the building this person was.
Lesson 2: A Leader’s Attitude Can Change the Environment
There was no air conditioning in the elevator, and with that many people, it was very hot. Between the anxiety from learning that we were stuck in the elevator and the heat, one of the people from the other group began having a panic attack. We called the operator back and told him we had someone in distress, and to call 911. We were informed that it is against policy for them to call 911 and if we felt that was appropriate, we had to make the call ourselves. I attempted to call 911 from my phone, unsuccessfully. Thankfully, another person’s phone was able to get through.
At that point, my amazing friend Sondra (one of the strongest people I know) led us all in a standing yoga class with breathing exercises. It helped calm nerves in everyone almost immediately, and we all began to have some light conversation again. We even took a few selfies, trying desperately to lighten the mood. Even the person having the panic attack was able to relax with the breathing exercises and calm, light tone my friend used.
When the firefighters showed up, they worked diligently to get the door open. And soon, they were successful. Merely watching the doors open offered an incredible calming sensation. Unfortunately, it was short-lived. We soon discovered we were stuck in between floors. The firefighters were on the upper floor and determined they could not pull us up. They would have to close the doors to move the elevator to the lower floor.
Some of them stayed on the upper floor, and others took the tool they were using down to the lower floor. They then attempted to open the doors on the lower floor. This did not go as well. The firefighters began hitting the elevator forcefully to try to get the tool to work. One of them yelled with urgency to the team members that remained on the upper floor, “I can’t get it in. I cannot get the tool in.” The elevator was rocking back and forth, and the lights were flashing. It was pretty scary, and the anxiety levels were all back up to even higher than our pre-impromptu yoga class. I decided to close my eyes at that point, as it was all too much to process. The anxiety in the voices of the firemen, while we were rocking back and forth was overwhelming to us all. When they continued to yell the same thing, my friend said, “I think I’ve heard that before!” We all started laughing with that welcomed comic relief, and I remembered how important humor can be in stressful situations.
Ultimately, they got the door open and got us all off of the elevator.
Lesson 3: Be Grateful (and don’t forget about humor) … Always
When I got out and was finally able to get in my car to leave my wonderful evening (and yes, it was still wonderful – just with a twist), I felt incredibly grateful to be on my way home to my family. I was in a scary situation and I was ok. I wasn’t about to forget it. I also thought to myself, it was really hot in there, but I don’t stink!
Lessons learned from this experience –
Life is short. Make sure every day is full of what you value most.
You don’t have to be in a boardroom to learn valuable lessons … sometimes you’re in an elevator.
Communication is key in any situation. Ensure you are understanding what you are hearing and that the other person understands what you are saying.
When you are a leader, your anxiety or calmness multiplies when you communicate to others. Maintain an authentic calm demeanor, if possible, and you will see the effects in others.
As always, Barker Associates is here for any CFO services you may need (and is also happy to impart some words of wisdom from time to time!).
Cybersecurity – It’s Not Just a “Big Business” Problem
Cybersecurity is a word we’ve all become entirely too familiar with. It seems that we can’t turn on the news without hearing about another story of a company being hacked, its information stolen, and, in certain instances, its data being held for ransom. And despite what some continue to think, this is not just a “big company problem.” It affects small and mid-sized businesses just as much, if not more. In fact, according to the Verizon 2019 Data Breach Investigations Report, 43% of cyberattacks target small businesses.
There’s a reason for this targeting. Small businesses tend to have more exposure, without the protections in place to help minimize the risks of a cyberattack. Not only are they more prone to attacks, but for a small business with limited resources, an attack can prove to be fatal. Sadly, 60% of small businesses that experience a cybersecurity attack are out of business within six months. The reason? Too often, they don’t have a viable backup system or plan, so when they lose their data, it’s gone for good.
According to a U.S. Small Business Administration survey, 88% of small business owners believe their business is vulnerable to a cyberattack. With the increase in remote workers without infrastructure for cybersecurity or employee training on increased risks due to the pandemic, this high percentage is not surprising.
Other Costly Statistics in the World of Cybersecurity
The most common way attackers infiltrate your system is through email. We’ve all seen them. They look like legitimate emails at first glance, but then there is something that catches your eye – the email address may be off, it may be asking you to click on a link, or it has an attachment that doesn’t seem right.
Whether it’s through an email or through ads or pop-ups on the web, when you click on that document, link, or ad, the virus that was embedded launches a program on your computer that will start locking files. If you’re connected to a network (which many of us are), the virus then travels to the server and infects files there and on other connected computers. Once it starts, it cannot be reversed, and you may not even be aware it is happening. Often, the attacker will wait, lurking in the background, to collect as much valuable information as possible.
What You Can Do to Protect Yourself
Despite the news stories and all the warnings, many small businesses are not prepared for a cyberattack. While we can never eliminate the threat completely, there are actions we can take as part of an overall strategy to minimize the risk:
Ensure your computers and servers have a strong firewall
Keep all hardware and software up to date
Install all updates and patches
Use stronger passwords and change them frequently
Use Multi-Factor Authentication (MFA)
Do not allow users to download unsupported or free software
Back up all critical data and systems regularly
Have a backup plan in place
Invest in Cybersecurity insurance
Educate your employees
Raising awareness among employees is one of the most important steps you can take. Continuously inform them about what the latest threats are, remind them about updates, and remind them not to open emails if they don’t know who the email is from. Use real-life scenarios and samples of phishing emails to help them understand the threats.
With these tools and systems in place, you not only minimize your risks, but if you are attacked, you will be able to get your company back up and running much faster than if you didn’t.
As they say, the world is changing, and, as always, we need to change right along with it. The key, as with much in business, is being prepared, understanding your own particular vulnerabilities, and taking proactive steps to help ensure your safety and the safety of your business.
Barker Associates has extensive experience in helping companies navigate through all the complexities of running a successful business, including utilizing resources to help keep it safe.
Weathering the Storm
Preparing Your Business for Disaster Recovery
Many of us, myself included, operate businesses in the state of Florida. That being said, hurricane season is as much a part of our annual routines as tax season. From June 1st to November 1st each year, Floridians listen to the warnings, watch the forecasts and projected paths of impending storms, and stock up on non-perishable food, water, and batteries. Personally, we are prepared, but what about professionally?
Disaster preparedness and recovery go far beyond Florida and its susceptibility to devastating winds and torrential rain. There is, of course, an ample supply of natural disasters like hurricanes, tornadoes, floods, and earthquakes, but what about what we saw last year in terms of a global pandemic? That was utter devastation, the scope of which remains difficult to comprehend. There are also accidents, acts of violence, power outages, and equipment failures. In each of these situations, your business must be able to navigate through the hardships and challenges and get to the other side. And the sad truth is that many will not. In fact, according to a Federal Emergency Management Agency (FEMA) report, 40% of businesses never reopen after a disaster.
It’s time to take stock not just of water and batteries, but of cash, insurance, and disaster recovery plans. It’s time to ensure our businesses are as prepared as our homes. It’s time to safeguard ourselves against becoming a statistic.
It’s About Minimizing Risks
This hurricane season seemed like the perfect opportunity to provide some reminders about what you can do as a business owner to minimize your risks and prepare for the worst, as you hope for the best in any disaster. Here are ten crucial tips:
1. Assess your risks (internal and external) and your critical business functions.
2. Create or update your disaster recovery plan. If you don’t already have one (I hope you do), stop reading now and go create one (then come back and read on!) – it’s that important. This document will outline how your business will recover from a catastrophic event, such as a hurricane. When developed correctly, it should allow your business to recover as quickly as feasible, depending on the source of the disaster. Implementing the procedures set forth within the plan should be your first priority after ensuring your employees are safe. At a minimum, your plan should include:
The identification of a disaster recovery team or individual who will take primary responsibility for implementing the plan.
A crisis communications plan, including a phone tree, so critical information is communicated to employees quickly and efficiently.
A list of critical business tasks that must occur regardless of where the work is taking place (assuming you’ve been evacuated and cannot get back into the office).
3. Ensure you have sufficient cloud storage and back up of important business documents. Access to these documents is essential to continuing operations.
4. Secure a line of credit designated only for emergency use. This can help you continue payroll, purchase new equipment, or even lease temporary office space, if needed.
5. Review your insurance policies to determine what type of coverage you have before it’s too late. For example, once a hurricane is forecasted, you cannot secure certain types of coverage.
6. Ensure you have enough cash on hand to operate if revenue-producing activities must cease for a time.
7. Automate your accounts payable process and the receipt of cash. Having paper checks waiting to get deposited at an office can stop your cash flow unnecessarily. Sending paper checks that require signature is a disaster you don’t need while coping with another disaster.
8. Gather emergency supplies in the office and in another location if access to the office is restricted.
9. Test your disaster recovery plan.
10. Stay safe!
Unfortunately, disasters are a very real part of life. And while there may be some disruptions and loss that are outside our control, minimizing the effects of a disaster on our businesses is well within it. Otherwise, these disruptions can lead to lost revenue, damage to reputation and brand management, and unhappy clients or customers.
Barker Associates has a proven track record of solving problems by developing strategies to minimize the risks and effects associated with disasters, so that businesses can continue to operate through them. We can assist in determining effective solutions that will help you navigate the troubled waters of potential disasters.
At the Intersection of Financial Infrastructure and a Global Pandemic
How a Pre-Pandemic Shift Left Companies Vulnerable
Pre-pandemic (do we even remember that time?), the investment world had experienced a huge shift. Unfortunately, this shift did not help prepare companies or investors for what was to come. Priorities had shifted from a company’s sustainability and infrastructure to avenues of increasing revenue as quickly as possible. However, sustainability and infrastructure were exactly what was needed most during a global pandemic.
What Supply and Demand?
Everything we had learned in our earliest economics classes about supply and demand seemed to be irrelevant. I remember those classes – training my brain to think of opposites – supply goes up, demand goes down, and vice versa. However, that concept no longer applied to venture capital and private equity firms. The number of firms that were chasing deals with buckets of money created a huge supply of investor dollars. But the number of successful high-growth companies in which to invest those dollars did not increase at the same pace.
The result? Investment firms began expanding their reach. They started to invest not only in the usual entrepreneurial high-growth companies, but also in companies that would have typically received funds through stock sales in the public markets or through traditional bank financing. These companies needed to move into the investment firm world to fill the gap that had resulted in too much money and not enough companies. Additionally, investment firms began relaxing the guidelines associated with the due diligence process.
These changes forced a decline in the regulatory compliance surrounding the movement of investment dollars, financial audits, and other financial items. With the focus almost exclusively on top-line revenue growth, there just didn’t seem to be a need for them. Further, companies with contracts that brought in recurring revenue were trading in the investment world based on multiples of revenue (some as high as ten times what their revenue was currently).
A Lack of Infrastructure Meets a Global Pandemic
Enter COVID-19. With so much time and attention previously focused on quick revenue generation, many companies lost the infrastructure to produce the quality financial data and reports needed to make informed decisions for ensuring sustainability. However, infrastructure and sustainability were what was needed to survive the pandemic.
When the pandemic hit, every stakeholder (board members, investors, CEOs) immediately shifted their focus to cash flow analysis and sustainability. Chief Financial Officers have all noted that their interaction with other managers, officers, directors, and investors increased literally overnight. While no one could have predicted the full cash impact of the pandemic, in particular the need for short-term cash flow, they could have been better equipped. The companies best prepared to analyze the situation were the ones that had the appropriate level of infrastructure prior to the pandemic. The stakeholders wanted to know if the entity would survive. While most had the ability to enter ‘survival mode,’ one has little to do with the other. Survival mode is simply not sustainable for any extended period … in any situation.
The pandemic taught us once again that knowledge is power. Infrastructure is crucial when analyzing different scenarios to make decisions quickly. Chief Financial Officers should take advantage of the temporary dynamic brought on by the pandemic. Using this time to get the right type of infrastructure in place will help prepare them to make critical decisions at any moment.
There are many companies that were forced to make difficult decisions to lay off employees, not renew leases, discontinue software development, or even close their doors for good. Unfortunately, most had to make these decisions without the confidence that they possessed all of the information. Full knowledge is mandatory for a sustainable future and for the success of any company overall.
By leading from a position of knowledge, which comes from having the right infrastructure, companies will have an edge over others whose directors or CFOs are blindly making decisions. What does that type of infrastructure mean? We’ve talked about it before – most recently in Oh No Not Again – but essentially it means having an Enterprise Resource Plan, CRM, General Ledger, Cash, HR System, and Payments. A clear vision and financial roadmap on how to achieve that vision, along with cash and a strong general ledger, are the foundation of an essential infrastructure.
Companies are going through year-end financial reporting. Just for fun, at cocktail parties and networking lunches, I ask executives and investors if they get the year-end results as quickly as they would like to get them. My unofficial survey says that most stakeholders are not receiving
Proactive organizations have “Day Zero” at the top of mind at the beginning of the month. If you don’t know what this means in terms of proactively managing your financial strategy, read on…
The truth is that almost every single employee in an organization can impact the ability of the accounting department to close timely, yet the company accountant may not be the best source to drive home that truth. The message from the top should convey respect for each professional’s time and support for more efficient month-end and year-end processes – where everyone focuses on funneling information in a manner to close the records effectively. The ultimate goal is to provide to the management team a Flash Report as soon as possible following month-end, followed by the official month end financials.
Day Zero refers to tasks your accounting and finance departments can complete prior to the end of the month to speed up the month end close. Decisions about the company require timely, accurate data – a smooth and timely month-end is vital.
eyeshade” accountants may balk at the idea that they can shorten the month-end process; however, the strategic finance professional digs into their process to find and tackle these tasks, as well as improving their process
Here are some examples of what I mean:
standard monthly entries for amortization of intangibles, and accruals of expense.
Once you have identified the pre-close tasks, create a Day Zero checklist with deadlines for each item. The finance manager should oversee that deadlines are being consistently met and if not, get to the root of the problem to correct the process. One solution may involve asking other departments to turn in their information based on a schedule you provide in
Refining your month-end close process is an iterative process if you continually raise the bar to identify better ways to execute. Automating reconciliation and other process improvements contribute to shortening the cycle.
Document your processes with Standard Operating Procedures so that all team members have steps to follow should any one team member need backup. Keep your SOPs up-to-date through periodic review.
Spend time in the middle of the month following the month-end process to complete your review of the entire process. Engage your finance team and uncover those Day Zero tasks you can incorporate into your process. Everyone in the organization will benefit when leaders have more timely and accurate information with which to make decisions.
If you are disciplined and implement Day Zero and other month-end processes, you can provide a Flash Report of results to management as soon as Day 1 after month-end.
can facilitate a review of month-end processes with your team to ensure you have uncovered all the possible streamlining opportunities. Provide the best customer service to your management team possible – provide financial information and think strategically and become part of positive initiatives to move the entity forward and not the green-eyeshade accounting department about which everyone complains.
In recent emails, I’ve updated you on regulations going into effect this year as well as consequences we realize from previous legislation (namely, SOX). The legislation was enacted because of the erosion of accountability in this country. How do you hold your company accountable while also raising the bar for maturity of processes? Here are my recommendations, based on my experiences in private equity firms, for-profits and nonprofit organizations. It means going back to the basics that technology may have allowed inexperienced staff to circumvent.
Assess Your Procedures for Payments and Bank Reconciliations
Paper checks – Get rid of them; but if you must have them, make sure to use Positive Pay through the bank. Positive Pay uses information from a file that you provide to the bank each time you process checks. As checks are cashed or deposited, your bank compares the checks they receive against the checks you wrote to ensure they match and are not duplicated.
ePayments. If you can eliminate paper checks, consider using an ePayment service. Such services provide a comprehensive payment process with built-in controls. The due diligence process to determine which service will work for you can be overwhelming, but you can request a free ePayment vendor selection checklist I put together with the information you will need about your company and the questions to ask potential vendors during the evaluation phase.
I applaud companies who had the foresight to move to the ePayment process. Make certain the IT department has proper documentation on how the process works. With low unemployment and the resulting turnover, you do not want to find yourself with no one who knows how to push the buttons and fix this if something goes wrong with the process.
The checkbook is a thing of the past, and many young accounting professionals would not know what one looks like. I have asked many accountants, as they are processing a stack of checks, how do you know you have enough money in the bank account to cover those checks? Most of the time they put a very proud smile on their face and report, “I checked the online bank account balance this morning and there is plenty of money to cover the checks.”
After I hear this, I work to control my facial expression. I should become a poker player so I can practice the poker face I need when I hear this response.
So, I ask, “What about the outstanding checks that have not cleared the bank account? What about the auto draw of ongoing expenses like rent and other items? How do you account for that? Do you maintain a checkbook?”
The responses or reactions run the gamut from blank stares to statements such as, “I keep a running total in my head,” or “The checks we issue get cashed quickly.” These answers only serve to challenge my poker face so that I can keep good customer relations. Rarely does the person I am asking show me the checkbook kept in the general ledger system and a proper cash reconciliation they prepared for the previous month. I find this lack of process in organizations of all sizes.
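The Positive Pay comparison and the "checkbook" question above, worked through in code. This is an added example, not something from the original article or from any bank's system: the record layout, function names, reason strings, and all sample checks and balances are constructed for illustration, and matching is assumed to be on check number and amount only.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Check:
    number: str
    amount: Decimal


def run_positive_pay(issue_file, presented):
    """Match presented checks against the issue file, in presentment order.

    Returns (paid, exceptions, outstanding):
      paid        - check numbers that matched and were paid once
      exceptions  - (check number, reason) pairs held for review
      outstanding - issued checks that have not been paid yet
    """
    issued = {c.number: c for c in issue_file}
    paid, exceptions = [], []
    for item in presented:
        record = issued.get(item.number)
        if record is None:
            # Never written by the company: counterfeit or stolen stock.
            exceptions.append((item.number, "not in issue file"))
        elif item.number in paid:
            # Same check number arriving a second time.
            exceptions.append((item.number, "duplicate presentment"))
        elif item.amount != record.amount:
            # Amount differs from what was written: possible alteration.
            exceptions.append((item.number, "amount mismatch"))
        else:
            paid.append(item.number)
    outstanding = [c for c in issue_file if c.number not in paid]
    return paid, exceptions, outstanding


def available_balance(bank_balance, outstanding, scheduled_debits):
    """Online bank balance less uncleared checks and known auto-draws."""
    uncleared = sum((c.amount for c in outstanding), Decimal("0"))
    draws = sum(scheduled_debits, Decimal("0"))
    return bank_balance - uncleared - draws


# Constructed sample data: the file sent to the bank with this check run.
ISSUE_FILE = [
    Check("1001", Decimal("1250.00")),
    Check("1002", Decimal("480.75")),
    Check("1003", Decimal("9300.00")),
    Check("1004", Decimal("215.10")),
]

# Constructed sample data: items presented to the bank for payment.
PRESENTED = [
    Check("1001", Decimal("1250.00")),  # matches the issue file
    Check("1002", Decimal("840.75")),   # amount does not match
    Check("1001", Decimal("1250.00")),  # same check presented again
    Check("1999", Decimal("500.00")),   # number the company never issued
]

if __name__ == "__main__":
    paid, exceptions, outstanding = run_positive_pay(ISSUE_FILE, PRESENTED)
    print("paid:", paid)
    for number, reason in exceptions:
        print("hold for review:", number, reason)
    # The online balance alone says 15000.00; the checkbook view is lower.
    print("available:", available_balance(
        Decimal("15000.00"), outstanding, [Decimal("3200.00")]))
```
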
Bank reconciliations. In general, if the organization has escaped the Sarbanes Oxley controls, which, as I stated before, more and more are doing to escape the enormous and overreaching regulation, there is no timely bank reconciliation.
Make sure that, at a minimum, these controls are in place:
Blank checks are locked in a secure place and only check processors and check signers have access to them.
Ensure there is a review of the bank reconciliation and the bank statement two times a year by a C-Level executive, Finance Committee or Board member or investor. Request a free step-by-step bank reconciliation checklist on how to do this here.
This is a true story. I received a check for payment from a large, publicly-traded company. I was shocked when I received the same check number for the same amount twice in the mail. I called the insurance company to report it, but they never called me back. I received a letter about the duplicate check weeks after I had received the second check and made the phone call. The letter I received was very factual and did not offer an apology or do anything to try to mitigate the branding impact. This was a shocking revelation to me that the lack of controls over payments was everywhere.
Get Corporate Credit Card Usage Under Control
Credit Cards – If the US government ever creates a Corporate Credit Card office, I am going to run for the position and work myself out of a job. Corporate credit cards are a nightmare to manage in all companies, from small to large.
Large, publicly traded companies hide behind the fact that they are audited to ignore credit card controls. Yes, you are audited, but the corporate credit card balance is small and immaterial, which means it does not meet the audit criteria for detail testing. Remember, the outside auditors are focused on what the SEC is going to ask them about – the corporate credit card is not on the list. Many small, fraudulent credit card transactions can add up and instill a culture of weak financial responsibility in an organization.
In small organizations, the office manager, bookkeeper (remember the one who figured out how to print a check out of QuickBooks?), or even the receptionist has a company credit card. This usually happens when a C-level person realizes they may have to pick up the toilet paper at Sam’s Club with their credit card and they do not want to. It’s OK to delegate that responsibility as long as controls are in place to prevent fraud and misuse.
In my work with all sizes of organizations, I have found that often they do not have a credit card policy. Get a policy, even if it is short and sweet, and have each employee who holds a company card sign it. Email me for a free credit card policy template to get you started.
Fraud on corporate credit cards is running rampant. Often the employee is incurring small, unauthorized charges that add up to a significant number. The Accountant, Purchasing Manager or whoever oversees the corporate credit card may be faced with ethical dilemmas every day when executives in higher positions are the guilty parties. Such situations make it difficult to manage and monitor effectively without a signed policy as backup.
Small organizations and nonprofits tend to have no automation of the credit card process, relying instead on cardholders to provide receipts for accounting purposes. When cardholders are late in providing the receipts, accountants set up a holding account in the General Ledger (which is often QuickBooks), where they charge the payment of the credit card to avoid paying late. With no accountability for the balance sheet reconciliation, the account just grows. If the accountant responsible for collecting the receipts takes their job seriously, they will walk around the building asking for the receipts and, as an added bonus, hit the goal of 10,000 steps on their Fitbit – the search for the receipts will take care of that!
Tighten up controls on the use of corporate credit cards with these process improvements:
If you work for a public company and have authority over credit cards, set up a process where the Audit Committee of the Board has someone designated to review a monthly or quarterly report of corporate credit card usage. Internal Audit should be reviewing executive expense reports and corporate credit card statements annually. I suggest they pick randomly from the group for about 10% coverage each year and always review the CEO and CFO.
Nonprofit Board – make sure there is a policy that each cardholder signs. Review how the process works and suggest implementing automation of credit card receipts. Expensify, or a similar technology tool, can serve that purpose.
Private company – Set up automation of collecting credit card receipts and a review process like the one described for nonprofits.
Readers of this email who work for well-organized companies with mature practices in place may be thinking, “Surely there are not companies operating without these fundamental business practices in place.” My response is that if that were the case, I would not be writing on this topic or be asked repeatedly to present these concepts to audiences!
You can easily implement the actions from this post. I’ve made the tools available for you for free.
If you are a regular reader of my emails and blog posts, you know that I am passionate about companies having the right financial infrastructure to operate their business. Real costs are eroding your bottom line when you don’t have a handle on people, procedures, and process.
Consider the cost of these infrastructure “fails”:
Little to no understanding of the cost of individual services or products and whether your price covers the costs;
The inability to seek funding from investors because you can’t pull together the required financial information;
The cost of replacing frustrated financial staff who refuse to follow old, antiquated processes;
Time spent by C-suite execs creating their own financial reports when their own Finance Department can’t meet their needs; and
Fraudulent activity that goes undetected until it’s too late due to the lack of proper procedures and education.
Finance and your company’s IT capabilities are closely linked by the daily transactions that run your business. Sound, efficient infrastructure in Finance is great, but it must be supported by a highly secure and reliable IT infrastructure. I’m not speaking hypothetically, either. This reality hit home when a colleague shared with me his story of being a ransomware victim. The following reads like a script for a cybersecurity whodunit!
Our company uses a cloud-based server provided by Intermedia Solutions to host mission-critical applications, including our QuickBooks accounting software and our back-of-the-house order management system. The actual computer hardware on which our cloud server was running was physically located in a server farm in Atlanta, Georgia. This order management system handles everything from accepting orders from all the channels we do business through (our own website, Amazon.com, Walmart.com, eBay and orders we take via telephone), plus it performs inventory control operations, vendor management, and purchase order issuance. Virtually everyone in the company uses one or both applications throughout every day, seven days a week. They’re accessed via Microsoft’s Remote Desktop software.
On Sunday, February 26, 2017, one of our employees logged into the server, preparing to work, and saw this message on the screen of our supposedly secure cloud server:
Whoever posted the message said that our data and applications were being held for ransom and the only way to free the data was to pay 24 bitcoins, at the time about $35,000. We found that the data on the server was not available to us. It had been encrypted. We were a victim of a ransomware attack.
After a moment of panic, we recalled that we and our cloud server provider had prepared for this possibility. If we hadn’t prepared, we would have been a statistic: another company who was either forced to pay the ransom or go out of business as a result of the loss of all of the company’s data. In 2017, there were 184 million ransomware attacks, most in the United States.
But we were ready and if any day was a good day for a ransomware attack, it would be a Sunday when we aren’t speaking to customers.
We had backups. Our cloud services company made image backups of the hard drive containing our cloud server and its data every night at midnight. The one thing we weren’t going to be doing was paying the ransom. Instead, we contacted Intermedia’s after-hours helpdesk and explained what happened.
We instructed them that we did not want the physical computer hardware repaired (because we didn’t now and would never trust that hardware again). Instead, we wanted a new server configured for our use. They had that ready for us in about four hours. We now had a brand-new cloud server ready to go but with none of our data on it. We then asked for a SECOND brand new cloud server to be set up for us but re-imaged from the backup image taken Saturday night at midnight. This would take longer.
Monday morning, although we were still not operating, we now had a clean, empty server and another server that APPEARED to be working with all of our applications and data on it exactly as it was at the close of business Saturday night. But I didn’t want to actually use this for fear that the ransomware application was lurking on the hard drive someplace ready to be reactivated again.
Over the next two days, we created data backups on the server and worked with our two application software companies to reinstall fresh versions of their software on the new empty server. On the third day, we did a restore of the data from the server image to the new server we planned to use. We gave instructions to Intermedia to abandon the original server that had the ransomware and the server image we had created. We were almost ready to resume operation.
But I wanted to get some idea as to how we might have become a victim in the first place. What I learned is that ransomware is almost always delivered via a rogue email containing an image, HTML or a PDF. The travel path for the virus was likely from one of our users who likely clicked on an email on their local computer while they were also logged into the cloud server. If that was the case, then the ransomware virus was also residing on someone’s workstation.
In my investigation, I also learned that a) Microsoft’s included anti-virus software is completely inadequate for company use and b) the anti-virus software on the server was grossly out of date.
We needed an anti-malware application that created a closed loop: coverage for the server and all of the users’ workstations that access the server. Also, it needed to be managed centrally. Users could not be trusted to keep their anti-virus software up to date. This was not the time for “free” anti-virus protection. Ultimately, I selected Symantec’s Endpoint Protection. For $28 a year per workstation/server, we got a managed malware protection suite. From a single web portal, I can see that everyone’s computers are properly protected. Then I installed it on the server and in the process, it confirmed that my restored data was clean.
Finally, on Thursday morning, we were back in full operation and properly secured.
I was pleased we had no data loss and didn’t have to pay the ransom but disappointed it took four days to recover. Here’s what I learned:
We chose wisely when we chose Intermedia. They take our cloud-based service needs seriously.
If you’re using computers in your business, take a good long time to think about what would happen if you had a complete data loss, ransomware attack, etc.
Take your IT infrastructure security needs seriously. PLAN for a worst-case breach. Do not presume that your employees keep their computer software updated.
Don’t take your provider’s word for it that you’re protected, backups are being created, etc. Every few months I have a new server brought online and a restore performed. Once I’ve seen with my own eyes that everything works, I delete the server. It’s like conducting a fire drill.
Lessons Learned for Finance
Had Larry not had the right disaster preparedness and IT infrastructure, the costs of his crisis would have been much more than the $35,000 ransom. He still would have incurred at least 4 days of downtime. With his confidence shaken in the violated server, he still would have repeated the recovery process to bring new servers online.
Larry’s Lessons may be applicable to your own IT infrastructure, whether you’ve followed a similar process or realized that you should. Here is how Larry’s Lessons Learned can be applied to your Finance infrastructure:
Have a disaster preparedness plan for your department that aligns with your IT disaster preparedness. Test it periodically against various scenarios, but not less than every 6 months. Update the plan based on changes in your systems, procedures or business.
Cheaper is not always better – in fact, it rarely is. Understand your needs and invest in meeting them with the most robust tools you can afford.
Have an IT Security Policy and related Procedures. Educate your staff at time of hire and throughout the year on the latest scams and the importance of following your company procedures.
Finally, have a third party review your processes for areas of improved efficiency and security.
Barker Associates has the unique ability to work with all sizes of organizations and build infrastructure that matters. Contact us today!
Mindy Barker, Founder & CPA | Jacksonville, FL 32256
(904) 394-2913 or (904) 728-2920 | CFO@MindyBarkerAssociates.com
Do you have your head in the sand – have you ignored my advice about being prepared for the Florida hurricane season? Here are critical items you should consider now that will help you keep your head out of the sand by being prepared.
The good news: Weather.com’s Hurricane Central reports a less active hurricane season than originally expected. The bad news: despite the fact that it’s been nearly a year since Irma ravaged the Florida coast, some business professionals have yet to take steps to be prepared.
Review this checklist to determine if you need to get your head out of the sand:
A disaster recovery plan that includes a phone tree, so critical information is communicated to employees.
A list of critical business tasks that must take place during the awful transition time when your employees have evacuated and you cannot get back in your office.
Sufficient cloud storage and backup of important business documents. Those who worked in the Wells Fargo building in downtown Jacksonville – a 37-story skyscraper – were unable to get into the building for more than 2 weeks, causing many businesses to suffer.
A line of credit or other backup cash to help you lease temporary office space and pay employees during a time you may not be able to generate revenue.
Review your insurance policies to determine what type of coverage you have. Once a hurricane is on its way you cannot secure certain types of coverage.
Barker Associates has the “C” level strategic breadth and depth of experience, with a proven track record of solving problems. We can assist you in determining effective solutions that will endure through potential disasters.
Contact us for your free 30-minute consultation today at email@example.com or 904.394.2913.