Heading Off Unintended Consequences
In recent emails, I’ve updated you on regulations going into effect this year as well as consequences we realize from previous legislation (namely, SOX). The legislation was enacted because of the erosion of accountability in this country. How do you hold your company accountable while also raising the bar for maturity of processes? Here are my recommendations, based on my experiences in private equity firms, for-profits and nonprofit organizations. It means going back to the basics that technology may have allowed inexperienced staff to circumvent.
Assess Your Procedures for Payments and Bank Reconciliations
Paper checks – Get rid of them; but if you must have them, make sure to use Positive Pay through the bank. Positive Pay uses information from a file that you provide to the bank each time you process checks. As checks are cashed or deposited, your bank compares the checks they receive against the checks you wrote to ensure they match and are not duplicated.
ePayments. If you can eliminate paper checks, consider using an ePayment service. Such services provide a comprehensive payment process with built-in controls. The due diligence process to determine which service will work for you can be overwhelming, but you can request a free ePayment vendor selection checklist I put together with the information you will need about your company and the questions to ask potential vendors during the evaluation phase.
I applaud companies who had the foresight to move to the ePayment process. Make certain the IT department has proper documentation on how the process works. With low unemployment and the resulting turnover, you do not want to find yourself with no one who knows how to push the buttons and fix this if something goes wrong with the process.
The checkbook is a thing of the past, and many young accounting professionals would not know what one looks like. I have asked many accountants, as they are processing a stack of checks, how do you know you have enough money in the bank account to cover those checks? Most of the time they put a very proud smile on their face and report, “I checked the online bank account balance this morning and there is plenty of money to cover the checks.”
After I hear this, I work to control my facial expression. I should become a poker player so I can practice the poker face I need when I hear this response.
So, I ask, “What about the outstanding checks that have not cleared the bank account? What about the auto draw of ongoing expenses like rent and other items? How do you account for that? Do you maintain a checkbook?”
The responses or reactions run the gamut from blank stares, to statements such as, “I keep a running total in my head,” “The checks we issue get cashed quickly.” These answers only serve to challenge my poker face so that I can keep good customer relations. Rarely does the person I am asking show me the checkbook kept in the general ledger system and a proper cash reconciliation they prepared for the previous month. I find this lack of process in organizations of all sizes.
Bank reconciliations. In general, if the organization has escaped the Sarbanes Oxley controls, which, as I stated before, more and more are doing to escape the enormous and overreaching regulation, there is no timely bank reconciliation.
Make sure that, at a minimum, these controls are in place:
- Blank checks are locked in a secure place and only check processors and checks signers have access to them.
- Ensure there is a review of the bank reconciliation and the bank statement two times a year by a C-Level executive, Finance Committee or Board member or investor. Request a free step-by-step bank reconciliation checklist on how to do this here.
This is a true story. I received a check for payment from a large, publicly-traded company. I was shocked when I received the same check number for the same amount twice in the mail. I called the insurance company to report it, but they never called me back. I received a letter about the duplicate check weeks after I had received the second check and made the phone call. The letter I received was very factual and did not offer an apology or do anything to try to mitigate the branding impact. This was a shocking revelation to me that the lack of controls over payments was everywhere.
Get Corporate Credit Card Usage Under Control
Credit Cards – If the US government ever creates a Corporate Credit Card office, I am going to run for the position and work myself out of a job. Corporate credit cards are a nightmare to manage in all companies, from small to large.
Large, publicly traded companies hide behind the fact that they are audited to ignore credit card controls. Yes, you are audited, but the corporate credit card balance is small and immaterial, which means it does not meet the audit criteria for detail testing. Remember, the outside auditors are focused on what the SEC is going to ask them about – the corporate credit card is not on the list. Many small, fraudulent credit card transactions can add up and instill a culture of weak financial responsibility in an organization.
In small organizations, the office manager, bookkeeper, (remember the one who figured out how to print a check out of QuickBooks?), or even the receptionist has a company credit card. This usually happens when a C-level person realizes they may have to pick up the toilet paper at Sam’s Club with their credit card and they do not want to. It’s OK to delegate that responsibility as long as controls are in place to prevent fraud and misuse.
In my work with all sizes of organizations, I have found that often they do not have a credit card policy. Get a policy, even if it is short and sweet, and have each employee sign it who is holding a company card. Email me for a free credit card policy template to get you started.
Fraud on corporate credit cards is running rampant. Often the employee is incurring small, unauthorized charges that add up to a significant number. The Accountant, Purchasing Manager or whoever oversees the corporate credit card may be faced with ethical dilemmas every day when executives in higher positions are the guilty parties. Such situations make it difficult to manage and monitor effectively without a signed policy as backup.
Small organizations and nonprofits tend to have no automation of the credit card process, relying instead on cardholders to provide receipts for accounting purposes. When cardholders are late in providing the receipts, accountants set up a holding account in the General Ledger, (which is often QuickBooks), where they charge the payment of the credit card to avoid paying late. With no accountability for the balance sheet reconciliation, the account just grows. If the accountant responsible for collecting the receipts takes their job seriously, they will walk around the building asking for the receipts and, as an added bonus, hit the goal of 10,000 steps on their Fitbit – the search for the receipts will take care of that!
Tighten up controls on the use of corporate credit cards with these process improvements:
- If you work for a public company and have authority over credit cards, set up a process where the Audit Committee of the Board has someone designated to review a monthly or quarterly report of corporate credit card usage. Internal Audit should be reviewing executive expense reports and corporate credit card statements annually. I suggest they pick randomly from the group for about 10% coverage each year and always review the CEO and CFO.
- Nonprofit Board – make sure there is a policy that each cardholder signs. Review how the process works and suggest implementing automation of credit card receipts. Expensify, or a similar technology tool, can serve that purpose.
- Private company – Set up automation of collecting credit card receipts and a review process like the one described for nonprofits.
Readers of this email who work for well-organized companies with mature practices in place may be thinking, “Surely there are not companies operating without these fundamental business practices in place.” My response is that if that was the case, I would not be writing on this topic or asked repeatedly to present these concepts to audiences!
You can easily implement the actions from this post. I’ve made the tools available for you for free.
Get them sent straight to your inbox and download the ones you want.
· Free ePayment vendor selection checklist
· Free step-by-step bank reconciliation checklist
· Free credit card policy template
Simple click here – Yes, send me the free tools.
If one of your 2019 goals is to build up your company infrastructure with financial process improvements, Barker Associates can help. Contact us today at email@example.com
Find the other related articles here:
Unintended Consequences of Regulation,
ASC 606 Revenue Recognition
If you are a regular reader of my emails and blog posts, you know that I am passionate about companies having the right financial infrastructure to operate their business. Real costs are eroding your bottom line when you don’t have a handle on people, procedures, and process.
Consider the cost of these infrastructure “fails”:
- Little to no understanding of the cost of individual services or products and whether your price covers the costs;
- The inability to seek funding from investors because you can’t pull together the required financial information;
- The cost of replacing frustrated financial staff who refuse to follow old, antiquated processes;
- Time spent by C-suite execs creating their own financial reports when their own Finance Department can’t meet their needs; and
- Fraudulent activity that goes undetected until it’s too late due to the lack of proper procedures and education.
Finance and your company’s IT capabilities are closely linked by the daily transactions that run your business. Sound, efficient infrastructure in Finance is great, but it must be supported by a highly secure and reliable IT infrastructure. I’m not speaking hypothetically, either. This reality hit home when a colleague shared with me his story of being a ransomware victim. The following reads like a script for a cybersecurity who-dun-it!
Our company uses a cloud-based server provided by Intermedia Solutions to host mission-critical applications, including our QuickBooks accounting software and our back-of-the-house order management system. The actual computer hardware on which our cloud server was running was physically located in a server farm in Atlanta, Georgia. This order management system handles everything from accepting of orders from all the channels we do business through (our own website, Amazon.com, Walmart.com, eBay and orders we take via telephone), plus it performs inventory control operations, vendor management, and purchase order issuance. Virtually everyone in the company uses one or both applications throughout every day, seven days a week. They’re accessed via Microsoft’s Remote Desktop software.
On Sunday, February 26, 2017, one of our employees logged into the server, preparing to work, and saw this message on the screen of our supposedly secure cloud server:
Whoever posted the message said that our data and applications were being held for ransom and the only way to free the data was to pay, 24 bitcoins, at the time, about $35,000. We found that the data on the server was not available to us. It has been encrypted. We were a victim of a ransomware attack.
After a moment of panic, we recalled that we and our cloud server provider had prepared for this possibility. If we hadn’t prepared, we would have been a statistic- another company who was either forced to pay the ransom or go out of business as a result of the loss of all of the company’s data. In 2017, there were 184 million ransomware attacks, most in the United States.
But we were ready and if any day was a good day for a ransomware attack, it would be a Sunday when we aren’t speaking to customers.
We had backups. Our cloud services company made image backups of the hard drive containing our cloud server and its data every night at midnight. The one thing we weren’t going to be doing was paying the ransom. Instead, we contacted Intermedia’s after-hours helpdesk and explained what happened.
We instructed them that we did not want the physical computer hardware repaired (because we didn’t now and would never trust that hardware again). Instead, we wanted a new server configured for our use. They had that ready for us in about four hours. We now had a brand-new cloud server ready to go but with none of our data on it. We then asked for a SECOND brand new cloud server to be set up for us but re-imaged from the backup image taken Saturday night at midnight. This would take longer.
Monday morning, although we were still not operating, we now had a clean, empty server and another server that APPEARED to be working with all of our applications and data on it exactly as it was at the close of business Saturday night. But I didn’t want to actually use this for fear that the ransomware application was lurking on the hard drive someplace ready to be reactivated again.
Over the next two days, we created data backups on the server and worked with our two application software companies to reinstall fresh versions of their software on the new empty server. On the third day, we did a restore of the data from the server image to the new server we planned to use. We gave instructions to Intermedia to abandon the original server that had the ransomware and the server image we had created. We were almost ready to resume operation. But I wanted to get some idea as to how we might have become victim in the first place. What I learned is that ransomware is almost always delivered via a rogue email containing an image, HTML or a PDF. The travel path for the virus was likely from one of our users who likely clicked on an email on their local computer while they were also logged into the cloud server. If that was the case, then the ransomware virus was also residing on someone’s workstation.
In my investigation, I also learned that a) Microsoft’s included anti-virus software is completely inadequate for company use and b) the ant-virus software on the server was grossly out of date.
We needed an anti-malware application that created a closed loop- coverage for the server and all of the user’s workstations that access the server. Also, it needed to be managed centrally. Users could not be trusted to keep their anti-virus software up to date. This was not the time for “free” anti-virus protection. Ultimately, I selected Symantec’s Endpoint Protection. For $28 a year per workstation/server, we got a managed malware protection suite. From a single web portal, I can see that everyone’s computers are properly protected. Then I installed it on the server and in the process, it confirmed that my restored data was clean.
Finally, on Thursday morning, we were back in full operation and properly secured.
I was pleased we had no data loss and didn’t have to pay the ransom but disappointed it took four days to recover. Here’s what I learned:
- We chose wisely when we chose Intermedia. They take our cloud-based service needs seriously.
- If you’re using computers in your business, take a good long time to think about what would happen to if you had a complete data loss, ransomware attack, etc.
- Take your IT infrastructure security needs seriously. PLAN for a worst-case breach. Do not presume that your employees keep their computer software updated.
- Don’t take your provider’s word for it that you’re protected, backups are being created, etc. Every few months I have a new server brought online and a restore performed. Once I’ve seen with my own eyes that everything works, I delete the server. It’s like conducting a fire drill.
Lessons Learned for Finance
Had Larry not had the right disaster preparedness and IT infrastructure, the costs of his crisis would have been much more than the $35,000 ransom. He still would have incurred at least 4 days of downtime. With his confidence shaken in the violated server, he still would have repeated the recovery process to bring new servers online.
Larry’s Lessons may be applicable to your own IT infrastructure, whether you’ve followed a similar process or realized that you should. Here is how Larry’s Lessons Learned can be applied to your Finance infrastructure:
- Have a disaster preparedness plan for your department that aligns with your IT disaster preparedness. Test it periodically against various scenarios, but not less than every 6 months. Update the plan based on changes in your systems, procedures or business.
- Cheaper is not always better – in fact, it rarely is. Understand your needs and invest in meeting them with the most robust tools you can afford.
- Have an IT Security Policy and related Procedures. Educate your staff at time of hire and throughout the year on the latest scams and the importance of following your company procedures.
Finally, have a third party review your processes for areas of improved efficiency and security.
Barker Associates has the unique ability to work with all sizes of organizations and building infrastructure that matters. Contact us today!
Mindy Barker, Founder & CPA | Jacksonville, FL 32256
(904) 394-2913 or (904) 728-2920 | CFO@MindyBarkerAssociates.com
Do you have your head in the sand – have you ignored my advice about being prepared for the Florida hurricane season? Here are critical items you should consider now that will help you keep your head out of the sand by being prepared.
The good news: Weather.com’s Hurricane Central reports a less active hurricane season than originally expected. The bad news: despite the fact that it’s been nearly a year since Irma ravaged the Florida coast, some business professionals have yet to take steps to be prepared.
Review this checklist to determine if you need to get your head out of the sand:
- A disaster recovery plan that includes a phone tree, so critical information is communicated to employees.
- A list of critical business tasks that must take place during the awful transition time when your employees have evacuated and you cannot get back in your office.
- Sufficient cloud storage and back up of important business documents. Those who worked in the Wells Fargo building downtown Jacksonville – a 37 story skyscraper – were unable to get into the building for more than 2 weeks, causing many businesses to suffer.
- Secure a line of credit or other back up cash to help you lease temporary office space and pay employees during a time you may not be able to generate revenue.
- Review your insurance policies to determine what type of coverage you have. Once a hurricane is on its way you cannot secure certain types of coverage.
Barker Associates has the “C” level strategic breadth and depth of experience, with a proven track record of solving problems. We can assist you in determining effective solutions that will endure through potential disasters.
Contact us for your free 30-minute consultation today at firstname.lastname@example.org or 904.394.2913.