To KYD or Not to KYD: It Is Hardly a Question

By Matt McGivern and Shaheen Dil,
Managing Directors

Protiviti’s Data and Analytics practice



The importance of “know your customer,” or KYC, activities to any AML compliance program is well known. A much less known – but equally crucial – component of an AML program is “know your data,” or KYD, which feeds into KYC and other AML compliance modules.

To run their AML compliance programs, financial firms use a variety of software to review customers, analyze transactions to identify suspicious activities and provide analytical and research capabilities to support suspicious activity reports (SARs). Both SARs and KYC rely on the quality and accessibility of data, which requires knowledge of that data – where it resides, who uses it, what actions are performed on it, etc. While over-stretched AML departments may not want to hear that they now need to be more proficient in data management, KYD activities are needed and can drive efficiencies inside these departments through better data governance.

Due to the way they grow, financial institutions often are burdened with siloed organizational and technical infrastructure, with redundant and difficult-to-integrate systems and data stores. This creates a particular challenge for AML compliance heads, who have to make sense of disparate data that flows into the AML system from a variety of sources.

A recently published Protiviti point-of-view paper, AML and Data Governance: How well do you KYD?, sets out how firms can benefit from putting in place an effective data governance program to alleviate this problem. The paper covers the main challenges firms face with regard to data management in the context of an AML program and summarizes the main steps needed to create an effective data governance function as follows:

  • Institute and enforce effective master- and reference-data management programs
  • Institute enforceable enterprisewide data governance strategy and processes
  • Be proactive in assigning data ownership and monitoring of data quality
  • Create a centralized repository for metadata
  • Support big data initiatives

Financial institutions that take these steps in an effort to create better data governance will not only be better equipped with regard to their AML efforts; they are more likely to achieve good standing with regulators who look favorably on firms that demonstrate data governance efforts.

Case in point: A Protiviti team, while working on a customer repository project at one of our clients, uncovered substantial data integrity and completeness issues across core systems supporting transaction monitoring at the organization. Regulators severely criticized the bank following an AML compliance program examination – a criticism that could have been avoided if effective data governance practices had been put in place. The firm engaged Protiviti to help expedite remediation of the data issues and formulate an effective and proactive data governance resolution to avoid an enforcement action.

We highly recommend reading this paper to gain a clear understanding of how critical KYD is to the long-term success of your AML program. Regulatory scrutiny around AML compliance has intensified after a series of high-profile lapses – so making data governance a priority seems like a prudent approach for financial firms.

Revenue Recognition Webinar Series: Systems and Data Challenges

Siamak Razmazma, Managing Director
IT Consulting Practice




Good news for companies getting a late start preparing for the new Financial Accounting Standards Board (FASB) revenue recognition rules. As we predicted, the effective date for the new rules has been pushed back a year. The new rules will now apply to reporting periods beginning after December 15, 2018.

Although the effective date has been pushed back, there’s a lot of work to be done between now and then (a prime reason why the effective date is being delayed!). Protiviti launched the Revenue Recognition webinar series in November last year, to help organizations understand what needs to be done well ahead of the deadline. In this series, we continue to work through the Six Elements of Infrastructure, delineating the probable impacts of the transition process in each area. The fourth installment of this five-part webinar series — Systems, Data, Reporting and a Transparent Audit Trail — was held on May 21.

Below, Siamak Razmazma, Managing Director of IT Consulting at Protiviti and one of the webinar speakers, answers some of the top questions raised by webinar participants:

Q: Can my core ERP system properly account for revenue under the new rules, or do I need a dedicated revenue recognition solution?

A: Most likely you’ll need a dedicated solution. Core ERP systems are transactional. When you sell a product or service and generate an invoice, the transaction is recorded in accounts receivable. When you receive a payment, it is posted against that invoice. Invoice and payment.

The accounting for how a customer payment transitions across the balance sheet from liability (advance payment received) to asset (revenue earned), is a separate process requiring its own tracking. For revenue recognition purposes, a payment received is an obligation to perform some contractual task. An advance payment, therefore, is a liability. It doesn’t become revenue until the obligation is met. The new FASB rules are designed to better align revenue recognition on the books with the underlying contractual obligation and the risks associated with it — manufacturing costs, cash flow, etc. Those obligations are defined by contracts and may involve several sales orders or transactions over time.

Combinations of sales transactions over time, or other criteria — such as risk — are totally unknown to the core ERP accounts receivable application. Revenue recognition requires an entirely separate sub-ledger, with a different architecture, capable of applying the appropriate criteria to record complex transactions.

Q: How do companies monitor compliance with revenue recognition rules when their ERP systems lack the capabilities to do so systematically?

A: There are several revenue recognition applications — both third-party and ERP-integrated. A lot of companies, especially smaller ones, use Excel or some kind of homegrown database. These do-it-yourself solutions may work for isolated cases, but if your company does any kind of volume at all, an automated solution is really the only way to achieve consistency, efficiency, transparency and data integrity.

Every calculation should be able to be tracked and the entire process should be transparent. Automated tools allow these things to happen at a fraction of the time that a manual audit requires. A single transaction that might take 30 or 40 hours to track manually only takes an hour with a revenue tracking application and automated reporting tools. When you consider an audit that takes 100 hours to perform with automated tools, you can imagine the enormous amount of time and cost saved.

Q: What are some third-party applications created for the new revenue recognition process?

A: Some of the more popular third-party applications include RevPro, RevStream, and Softrax. A few ERP systems, including Oracle, NetSuite and Intacct, have integrated revenue recognition applications, and Microsoft has integrated a certified third-party application into Dynamics AX.

Q: When is the right time for companies to start elaborating their system strategy and related design to support the revenue recognition process?

A: The sooner the better, and strategy and design should develop simultaneously. Developing a strategy in the absence of system capabilities could lead to costly workarounds. The best way forward is to become familiar with the various revenue recognition solutions on the market and develop a compliance strategy that leverages existing capabilities as much as possible.

The final webinar in our Revenue Recognition series, which looks at the industry and cross-functional implications of the new rules, is scheduled for July 23 at 11:00 a.m. CST (12:00 noon EST). You can register here.

Here are the links to our previous webinars:

Webinar #1 – Revenue Recognition: It’s Here, Are You Ready? Transitioning to the New Revenue Recognition Standard

Webinar #2 – Revenue Recognition: The People Element – The Collaborative and Cross-Functional Employee Education Process

Webinar #3 – Revenue Recognition: Using a Methodology to Identify Gaps in Current Business Processes

Embracing the Digital World with SAP S/4HANA – What It Means to You

Global market dynamics – including an economically challenging environment along with changing consumer needs and buying behaviors – are forcing companies to rethink how they operate in a digitally connected world. To meet this challenge, many organizations are looking for innovative and adoptable ways to embrace digital disruption, especially around analytics, mobile, social media, the so-called “internet of things,” and of course, “big data.”

SAP’s recent release of SAP S/4HANA – which focuses on creating a digital enterprise – is the future of the global ERP giant. SAP S/4HANA enables organizations to respond quickly to their customer needs, enhance service levels, improve efficiencies, and enable the workforce with intuitive technologies to elevate performance of the organization.

SAP S/4HANA offers exciting opportunities for companies with decades-long investments in the SAP platform. In HANA, data is stored in memory rather than on disk, increasing the speed of data retrieval for faster transaction processing and analytics. HANA’s innovative data storage structure facilitates the processing of large volumes of data at unprecedented speeds.

So, how is SAP S/4HANA different from various technology solutions in place from SAP? And what do SAP customers need to know prior to migration? Join Protiviti’s SAP Data Management and Advanced Analytics experts on July 15, at 11 a.m. Pacific Time. We will provide guidance on various deployment options, and discuss how this will help you better prepare to take advantage of S/4HANA.

An archived version of the live webinar will be available for those unable to attend. You can register on our website.

FASB Officially Defers Effective Date of New Revenue Recognition Standard

Steve Hobbs and Christopher Wright

Steve Hobbs and Chris Wright are Protiviti Managing Directors and leaders in the firm’s Financial Reporting Remediation and Compliance practice.

It’s official: As expected, on July 9, the Financial Accounting Standards Board (FASB) approved a one-year deferral of the effective date of the new revenue recognition standard it has developed in collaboration with the International Accounting Standards Board (IASB).

Issued almost a year ago, this new guidance (Accounting Standards Update No. 2014-09, Revenue from Contracts with Customers) resulted from a collaborative effort by the FASB and IASB to agree on a global standard based on common principles that can be applied across industries and regions.

What does this mean for companies?

As we have noted in our series of Flash Reports and webinars detailing the new revenue recognition accounting standard (see below), this deferral not only was expected, but it was an assumption baked into the planning and implementation practices among many companies that have started the transition to the new standard in earnest. In effect, a one-year delay still means “full steam ahead” for public companies, especially for those who may not have begun working on the transition process.

Half of the current year is now spent. The only delay is in the effective date of the standard; there should be no delay in management’s efforts to position the organization in a prudent state of readiness.

Also of note, the introduction of the “early adoption” option presents an opportunity for those who have started, were focused on the new standard and now are, or will be, ready to adopt early. In addition, it presents yet another choice (whether to early adopt) to the list of decisions for companies, which already includes deciding whether to adopt prospectively or retrospectively.

For additional information, I’ve provided links to our relevant Flash Reports and webinars on the new standard, which should be helpful for those interested in learning more about the standard, its requirements and how to get started with a detailed diagnostic to address them.

A Country Default: What Does It Mean?

Eyes have been on Greece and its debt crisis for a long time. The downward spiral of the Greek economy began some 35 years ago with fiscal policies that expanded the country’s debt-to-GDP ratio four-fold over the ensuing decade and into the early 1990s. After stabilizing its economy and holding the debt-to-GDP ratio relatively constant until the advent of the Great Recession, Greece has experienced a 50 percent increase in the ratio to its present unsustainable level. Structural weaknesses in the economy, the recent default on debt obligations, and lost confidence among lenders regarding Greece’s ability to take responsibility for its fiscal issues have led to the present crossroads.

After the initial 2010 bailout and subsequent bailout extensions, coupled with extensive debt restructuring involving principal reductions, extended maturities and lower rates, the present crisis has been marked by weeks of debate and posturing between Greece and the eurozone, in which the country requested additional debt relief and the eurozone demanded concrete proposals that will lead to progress toward achieving the long-term debt-to-GDP ratio targets set by previously established bailout terms. On July 5, a strong majority of Greek citizens voted to reject the current bailout terms, causing global capital markets to tumble amid the uncertainty over what will happen next.

In the aftermath of the Greek vote, the country’s finance minister was replaced and negotiations with the eurozone have continued. As it stands today, the eurozone has demanded new proposals from Greece to secure a deal with creditors in time for evaluation by the eurozone finance ministers prior to a full summit of the European Union (EU) scheduled for Sunday, July 12.

So it’s all coming to a head. Either there will be a deal or Greece and its banks will be on their own starting next week.

So Why Should We Care?

As the 45th largest economy in the world in terms of GDP in 2014, Greece’s economy is smaller than that of the Seattle, Washington metropolitan area in the United States. It’s slightly greater than one percent of EU GDP. Since no one is arguing that Greece is too big to fail, why do we care what happens in the crisis?

Perhaps the primary reason is the uncertainty of not knowing what we don’t know. Could a so-called Grexit from the euro and reintroduction of the drachma destabilize the eurozone and would a permanent default by Greece on its debt throw global markets into distress mode? No one wants to start a fire they can’t put out.

What about the effect on Greece itself following a Grexit? It is reasonable to expect the new drachma to devalue significantly relative to the euro once the currency is pegged to another currency (perhaps to the euro). In addition, we can expect higher inflation, exorbitant interest rates and lost purchasing power for Greek citizens. Add rising unemployment and out-of-reach prices for imported goods, a possible run on the banks (which may have already begun), a drop in per capita income, and rising income inequality, and you’ve got a not-so-pretty picture of declining living standards and a budding humanitarian crisis in the making.

Close observers of the situation in Greece have seen the present impasse coming for a long time. Hopefully, companies with operations or other interests in Greece have been able to make adjustments over time to prepare. But the real question is this: What other countries are exposed to bankruptcy due to economic, structural and/or political issues, do we operate there, and if so, are our operations exposed? In addition to Greece, examples of such countries include Venezuela, Argentina, Egypt, Pakistan, Ukraine, Jamaica and Cuba. And there are other countries that may be on the brink or headed in the wrong direction.

Managing Country Risk

Companies invest in other countries to enter new markets, lower costs and, above all, earn a satisfactory return on investment. The less stable a country, the greater the exposure to either investment impairments or reductions in investment returns. These may arise from:

  • Confiscatory actions by a sovereign (e.g., nationalization of the business or expropriation of assets);
  • Discriminatory actions by a sovereign directed to the company, a targeted industry (say banking) or companies from certain countries (e.g., additional taxation, price or production controls, exchange controls, currency manipulation or performance requirements); or
  • As we witnessed in the Arab spring, destructive/disruptive acts by others (e.g., violence, terrorism, war, strikes, infrastructure deficiencies, kidnappings or physical phenomena).

The primary objective of managing country risk is to protect company investments and sustain investment returns. To that end, if multinationals believe that destabilizing situations in certain countries exposes them to confiscation, discrimination or destructive/disruptive acts, they can face these changes with confidence by:

  • Managing down investment: Repatriate cash to the extent exchange controls and currency conditions allow, manage the operation as though it’s a “cash cow” until conditions stabilize, avoid any additional capital investments, cease replenishing inventory from abroad, and/or look for ways to finance payroll, maintenance and other operational functions through local cash flow.
  • Moving assets to higher ground: Move tangible and non-tangible (e.g., data files, intellectual property) assets out of harm’s way, if feasible. For example, if the company has physical assets close to known “hot spots” where the masses are likely to converge, it may be best to move them to other locations away from the action and potential violence.
  • Sharing the risk: Enter into joint ventures with local/foreign partners to reduce exposure to confiscation risk, since the presence of nationals can keep a multinational under the radar. If cost-effective, political risk insurance is another option covering the risks of confiscation, political violence, insurrection, civil unrest and discrimination.
  • Listening to local management: Make sure local management is on top of things and empower them to do what they have to do to take any and all necessary steps to protect the safety of employees and safeguard company assets.
  • Initiating an exit strategy: Divesting assets in the cool of the day (before violence breaks out) may be a viable option, if there is a willing buyer. Obviously, it is not likely to be viable when people take to the streets.
  • Paying attention to the warning signs: Assess exposure to instability and take proactive steps to manage that exposure. Don’t wait until it’s too late and options are limited. Watch countries with runaway food price inflation such as those with a low GDP per capita and a very high percentage of food relative to total household consumption. People have to eat.
  • When stuff happens, conducting a post-mortem: When an adverse event happens, review the assumptions your company had previously from an economic, political and structural standpoint. Did management see the event coming? If not, why not? If management saw it coming, did the organization take steps to prepare? Could the company have done anything different?

A Grexit would pose new uncertainties – for Greece and its people, for the EU and eurozone, for global markets and for companies with operations affected by the fallout. It’s just another illustration that the world is a dynamic place and escalating cost structures are impossible to sustain without growth. It’s also a reminder that multinationals can expect continued challenges when countries in which they operate become unstable.


Strategic BYOD: “D” Is NOT for Doom

By Jeff Sanchez, Managing Director
IT Security and Privacy



For IT security managers, Bring Your Own Device, or BYOD, is a four-letter acronym guaranteed to strike fear into their hearts by conjuring up visions of a data proliferation doomsday. But it doesn’t have to be that way. There is a way to create business benefits through the use of individuals’ devices while still maintaining control on data and reducing security and privacy risk.

The risks posed by employee devices with ever-increasing capabilities, such as tablet PCs and smartphones, are hardly new. Financial firms and other highly-regulated industries with a duty to protect sensitive customer data have been concerned about this for years, and many firms have BYOD policies in place to control the risk of data proliferation. But to be truly successful in this effort, organizations need to do more: They need to design and implement a BYOD strategy that aligns with the organization’s IT objectives and business operations – a next step that, to date, few organizations have embraced.

A new Protiviti point of view paper, Strategic Bring Your Own Device: Implementing an Effective Program to Create Business Benefits While Reducing Risk, sets out clearly what the challenges are and explains how a BYOD program and strategy can help firms solve those challenges and seize those all-important benefits of BYOD.

I recommend reading the paper in full but I want to highlight just a few important points here:

  • There are major advantages and important risks of BYOD: The benefits include employee satisfaction and retention of talent, increased productivity and innovations, as well as cost savings for the firm. The risk of data loss and data exposure, however, is vastly increased with BYOD, since the organization’s basic security controls do not extend to devices it does not own or manage.
  • BYOD programs can have hidden IT costs when they are not coupled with the right IT infrastructure: A BYOD environment can require additional IT resources to manage and accommodate the wide range of device types. Organizations need to choose the right governance and support models to control these hidden costs prior to implementation – streamlining the enrollment and deprovisioning processes is one way to do that.
  • BYOD strategies are highly specific to each firm: They all start with an assessment of the company’s unique business needs and IT infrastructures – there is no such thing as a one-size-fits-all BYOD plan.
  • There are several approaches firms can take to creating a BYOD strategy: CYOD – Choose Your Own Device – is an alternative to BYOD that is gaining traction among businesses as a less risky alternative. In this option, the employer owns the device as well as the application licenses.

There is no doubt that BYOD risk to organizations is only going to increase in the future as more employees make use of more than one device and as devices continue to get smarter and more powerful. For this reason, forward-thinking IT departments must ensure they develop a robust and efficient BYOD program that fits with the risk profile of their organizations, if they are to save themselves a potential BYOD nightmare.

Does your organization have an aligned BYOD strategy? I would love to read about it in the comments.

Assessing SharePoint Security: Are You Due for a Check-up?

By James Ensminger and Antonio Maio,
Protiviti’s SharePoint practice



Microsoft’s SharePoint enterprise content management platform is everywhere. An estimated 80 percent of the Fortune 500 use it in one form or another. Yet, in our experience, only about one-third of companies have a SharePoint security plan in place.

A secure SharePoint environment is certainly possible and not too difficult to achieve. This was the focus of Protiviti’s May 27th webinar, Conducting a SharePoint Audit and Resolving Challenges. Hundreds of executives and practitioners participated in the free live presentation, which is available in archive at the link above.

The best way to manage SharePoint security is by establishing some good governance up front and understanding how the business intends to use the environment. However, this doesn’t mean security issues won’t arise over time as the platform grows organically within the organization. After a couple of years of SharePoint use, an IT manager realizes one day, “Wow, we have ten terabytes of information in SharePoint, but we don’t really know how everybody’s using it, and we don’t have security policies around it.”

Many organizations turn to us at this point.

Restoring security to the SharePoint environment starts with a SharePoint assessment. This review helps provide an understanding of how users are utilizing the system, and allows companies to understand the risks involved so they can manage them accordingly.

Often, IT departments are tempted to delegate ownership of SharePoint sites to the individual business units. Without a governance or security plan in place, those business units will tend to use the sites in whatever way makes sense to them. This could lead to a number of risk factors and security issues. Some of the most common are as follows:

  • A lack of roles and responsibilities over SharePoint sites and information.
  • Poor information architecture. Without rules for metadata – labels that allow companies to classify information for security and retrieval – sensitive information can be lost or exposed.
  • Site proliferation. Business units will create sites, use them for a while and abandon them. Or they might create a site that doesn’t get used at all. These sites may contain sensitive information, and it’s easy to lose track of it when the sites are forgotten.
  • Poor permissions management. In SharePoint, access to information is given by granting permissions. When that’s delegated down to business units without defined security and controls, it is hard to keep track of who has access to information and who has access to sensitive information.
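As an added example (not from the post, and not SharePoint's own reporting or tooling), the Python below reviews a constructed inventory of site permissions and flags the conditions described in the last two bullets: sites that look abandoned, broad principals granted access to confidential sites, and Full Control granted directly to individual users rather than to groups. The site URLs, principal names, sensitivity labels and the one-year staleness threshold are all hypothetical; a real assessment would pull the inventory from the platform's permission reports.

```python
"""Added example: review a constructed SharePoint-style permission inventory
for abandoned sites and broad or unmanaged access to sensitive information.
Not Protiviti's or Microsoft's code; all names and thresholds are hypothetical."""
from datetime import date

# Constructed sample inventory (hypothetical URLs, principals and labels).
SITES = [
    {"url": "/sites/hr-benefits", "sensitivity": "confidential",
     "last_modified": date(2015, 6, 30),
     "grants": [("HR Leads", "group", "Full Control"),
                ("Everyone", "broad", "Read")]},
    {"url": "/sites/project-alpha", "sensitivity": "internal",
     "last_modified": date(2013, 2, 1),
     "grants": [("jdoe", "user", "Full Control")]},
    {"url": "/sites/marketing", "sensitivity": "internal",
     "last_modified": date(2015, 7, 1),
     "grants": [("Marketing Team", "group", "Contribute")]},
]

# Principals that effectively mean "anyone in the company" (assumed names).
BROAD_PRINCIPALS = {"Everyone", "All Authenticated Users"}
STALE_DAYS = 365                    # assumed threshold for "abandoned"
REVIEW_DATE = date(2015, 7, 10)     # fixed date so the run is repeatable


def review_site(site, today):
    """Return a list of human-readable findings for one site."""
    findings = []
    age = (today - site["last_modified"]).days
    if age > STALE_DAYS:
        findings.append(f"{site['url']}: no changes in {age} days "
                        f"(possible abandoned site)")
    for principal, kind, level in site["grants"]:
        if principal in BROAD_PRINCIPALS and site["sensitivity"] == "confidential":
            findings.append(f"{site['url']}: broad principal '{principal}' "
                            f"has {level} on a confidential site")
        if kind == "user" and level == "Full Control":
            findings.append(f"{site['url']}: Full Control granted directly to "
                            f"user '{principal}' instead of a group")
    return findings


def review_all(sites, today=REVIEW_DATE):
    """Run review_site over the whole inventory and flatten the results."""
    return [f for s in sites for f in review_site(s, today)]


if __name__ == "__main__":
    for finding in review_all(SITES):
        print(finding)
```

The checks are deliberately simple rules over an inventory table, which is what a first-pass assessment usually needs; the output is the list of sites that warrant a conversation with the business unit that owns them.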

It is important, therefore, to conduct an assessment both at the business units that are using SharePoint, to help evaluate the risks and controls within these units, and on an enterprise level, since, in many cases, SharePoint is centrally managed. Conducting an assessment on both of these levels will bring to the surface both systemic and subsidiary issues and risks.

There are various monitoring solutions that will check to see who has access to what information and what sites exist out there, and report back up the chain of command. Data Loss Prevention (DLP) tools can scan for things like credit card numbers, Social Security numbers, and other specifically defined “sensitive” information. Finally, encryption tools can ensure that data – both inside and outside SharePoint – is readable only by the people who have been approved for access. Which tools to implement, and in what capacity, is the kind of information organizations can attain following a SharePoint assessment.
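To show what the DLP scanning mentioned above actually does, here is an added Python example (not from the post or from any DLP product) that checks a constructed document for payment card numbers and U.S. Social Security numbers. It pairs each pattern with a validity check so that random digit runs are not reported: a Luhn checksum for card numbers and the Social Security Administration's structural rules for SSNs (area not 000, 666 or 900-999; group not 00; serial not 0000). The sample text and the masking format are constructed for the example.

```python
"""Added example: a minimal DLP-style scanner for card numbers and SSNs
in text, with validity checks to cut false positives. Not any vendor's code;
the sample document below is constructed."""
import re

# Candidate patterns: 13-19 digits with optional space/dash separators,
# and the NNN-NN-NNNN SSN form.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits):
    """Luhn checksum over a digit string; true for structurally valid card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_ok(area, group, serial):
    """SSA structural rules: area not 000/666/900+, group not 00, serial not 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def mask(s):
    """Keep only the last four characters so reports do not re-expose the data."""
    return "*" * (len(s) - 4) + s[-4:]


def scan(text):
    """Return (type, masked_value) findings, cards first then SSNs."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card", mask(digits)))
    for m in SSN_RE.finditer(text):
        if ssn_ok(*m.groups()):
            findings.append(("ssn", "***-**-" + m.group(3)))
    return findings


# Constructed sample document: one Luhn-valid test card number, one digit
# run that fails Luhn, one well-formed SSN and one structurally invalid SSN.
SAMPLE = """Constructed sample document.
Card on file: 4111 1111 1111 1111 (test number, passes Luhn)
Tracking id: 1234 5678 9012 3456 (fails Luhn, not a card)
SSN: 123-45-6789 is valid in form; 000-12-3456 is structurally invalid.
"""

if __name__ == "__main__":
    for kind, value in scan(SAMPLE):
        print(kind, value)
```

Running it reports one card and one SSN, both masked; the second digit run and the 000-area SSN are dropped by the validity checks. Commercial DLP tools layer proximity keywords, document fingerprints and classification labels on top of this, but the pattern-plus-validator core is the same.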

Once an organization has conducted an assessment and identified risks, it should develop security policies and controls and then train employees rigorously to ensure that the rules will be adhered to, and enforced, over time.

For more information and specific recommendations about SharePoint security, watch the webinar, and/or download our free white paper, Maximizing Opportunities in the SharePoint Environment: Conducting Assessments and Resolving Challenges.