Commitment to Equality Promotes Trust and Growth: Protiviti Celebrates Pride Month

By Steven Stachowicz, Managing Director
Risk and Compliance

As we progress through June, which is traditionally Pride Month for the lesbian, gay, bisexual and transgender (LGBT+) community, I want to take a moment to reflect on Protiviti’s commitment to the LGBT+ community and our employees, and share my thoughts on the value of diversity and my experience as an out and proud executive within our firm.

At Protiviti, we know that diversity of ideas and experiences is essential to fulfilling our promises to our people and developing and maintaining a truly global, collaborative and diverse workforce. We strive to deliver an exceptional experience to our people, our clients and our communities. We know that we are stronger because of our inclusive work environment, where employees see one another’s uniqueness as assets and strengths. Stephen Covey, in his best-selling book, The Seven Habits of Highly Effective People, noted that valuing and respecting differences is “the essence of synergy,” because diverse individuals working together can bring their individual experience to the table, build on each other’s strengths, and produce far better results than they could individually. Diversity of thought is critical to the professional development of our people, the creativity, innovation and value we bring to our clients in the marketplace, and the way we engage with our communities as a responsible corporate citizen.

We work hard every day to be an inclusive organization, and so we are very proud that our parent company, Robert Half International, received a perfect score of 100 on the 2017 Corporate Equality Index (CEI). The CEI is a national benchmarking survey and reports on corporate policies and practices related to LGBT+ workplace equality, administered by the Human Rights Campaign (HRC) Foundation. The CEI criteria reflect leading policies, benefits and practices for the LGBT+ workforce and their families. These criteria are based on the notion of parity rather than prescription, and the CEI helps us know if we are achieving our goals to address the needs of the LGBT+ communities.

From an organizational standpoint, support is key to building a community. By promoting an environment of inclusion, all employees are respected and valued as demonstrated by equal access to opportunity and advancement reflected in our policies and programs. Our ProPride employee network group began in 2014 in the U.S., and now includes nearly 200 employees globally. This group, under the leadership of Philip Maziarz, Patrick Luong and Belton Flournoy, has made a tangible difference in promoting awareness within our organization and providing support to our LGBT+ employees and allies in their professional development through networking and mentoring. This outreach extends to Protiviti’s recruiting efforts, our community service through participation in AIDS Walks, and so much more.

Organizations that embrace inclusivity and diversity realize positive economic impacts. This should be common sense – people who feel comfortable within their companies tend to stay longer (reducing attrition rates), demonstrate increased productivity, and have less difficulty finding valuable mentorship and social networks. Research bears out this truth; these factors stimulate growth within organizations while reinforcing the fundamental principle – treat people the way you would want to be treated.

As a new Managing Director, I look back on my career with Protiviti and am thankful for all of the support that I have received over the years. I have grown in this organization “in my own skin,” as my authentic self, within my project teams and management teams, at my clients’ locations, social events, holiday parties, baseball games and in my day-to-day interactions with my leadership team and colleagues. I was recently engaged and married and am taking steps to form my own family, and the continued outpouring of congratulations and support has been and continues to be humbling. I am closer to my coworkers and clients because of this, and have not once felt anything other than a strong sense of belonging.

However, it isn’t enough that I am grateful for the support I’ve received. I believe it is important that I give back – that we give back. That we support others and truly listen to them and encourage them to be authentic in all aspects of their lives. That we work to promote awareness and understanding that we are all different, yet equally worthy of opportunities. That we actively recognize and value differences and diversity. That we communicate to the broader LGBT+ community, including among our peers, employees and clients, how we can support them, and why earning the CEI recognition is valuable to us and to them.

In other words, we must continue to be agents of change.

I am proud that Protiviti’s core values and vision embrace diversity and inclusion, and am proud to be a part of the firm.

From all of my LGBT+ colleagues and allies at Protiviti, happy pride month!

PCAOB Revises Auditor’s Report

By Chris Wright, Managing Director
Finance Remediation and Reporting Compliance Practice Leader

With the Public Company Accounting Oversight Board’s (PCAOB) new auditor reporting standard finally pending before the U.S. Securities and Exchange Commission (SEC) after nearly a decade in the making, Protiviti has published a Flash Report summarizing the changes and examining possible consequences.

The Auditor’s Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion is intended to make the auditor’s report more relevant to investors by requiring more information about the audit. In a nutshell, the new standard requires auditors to communicate in the report any critical audit matters (CAMs) — that is, matters that were communicated or required to be communicated to the audit committee and that (1) relate to accounts or disclosures that are material to the financial statements, and (2) involve especially challenging, subjective or complex auditor judgment.

The latter distinction takes into account certain factors including, but not limited to:

  • The auditor’s assessment of the risks of material misstatement, including significant risks
  • The degree of auditor judgment related to areas in the financial statements that involved the application of significant judgment or estimation by management, including estimates with significant measurement uncertainty
  • The nature and timing of significant unusual transactions and the extent of audit effort and judgment related to these transactions
  • The degree of auditor subjectivity in applying audit procedures to address that matter or in evaluating the results of those procedures
  • The nature and extent of audit effort required to address the matter, including the extent of specialized skill or knowledge needed or the nature of the consultations outside the engagement team regarding the matter
  • The nature of audit evidence obtained regarding the matter

The distinguishing factor in determining whether something is a CAM is the degree to which it involves challenging, subjective or complex auditor judgment during the audit process. The audit report must include identification of each CAM, a description of the principal considerations that led the auditor to determine that the matter was a CAM, description of how the CAM was addressed in the audit, and reference to the relevant financial statement accounts or disclosures.

Because CAM determinations are subjective, some say it will give auditors leverage to encourage additional management transparency to the benefit of investors. Others see it as a significant cost, and, potentially, a competitive threat, depending on the kinds of issues discussed and disclosed.

The final standard includes other changes to the auditor’s report intended to affirm the auditor’s independence, clarify the auditor’s role and responsibilities related to the audit, provide additional information about the auditor, and make the auditor’s report easier to read.

The new standard applies to audits conducted under PCAOB standards. In addition, it specifically concludes that the communication of CAMs is not required for audits of brokers and dealers; investment companies other than business development companies; employee stock purchase, savings and similar plans; and emerging growth companies.

Subject to SEC approval, the final standard and amendments will take effect as follows (although the PCAOB allows auditors to comply with the standard before the effective date, at any point after SEC approval):

  • All provisions other than those related to critical audit matters will take effect for audits of fiscal years ending on or after December 15, 2017.
  • Provisions related to CAMs will take effect for audits of fiscal years ending on or after December 15, 2020.

One consequence to watch for is whether auditors will require disclosure of original information in articulating CAMs encountered during the audit. Limitations of the auditor’s knowledge and expertise, potential liability implications, and friction in the relationship with the company may become influencing factors that could discourage auditors from going beyond management disclosures. No doubt, this will place companies, their SEC counsel and their auditors on a collision course when it comes to deciding how much disclosure is enough disclosure.

We will continue to follow this issue and advise clients on best practices as they develop. For more detail, you can download the full flash report free from our website.

Critical Condition: Cybersecurity in Healthcare

By Adam Brand, Director,
IT Security and Privacy

On June 2, the Health Care Industry Cybersecurity Task Force issued a draft of its Report on Improving Cybersecurity in the Health Care Industry, an analysis of how to strengthen patient safety and data security in an increasingly connected world.

The Congressional report, which sums up the state of healthcare cybersecurity as being in “critical condition,” may shock outsiders, but should come as no surprise to those in the industry, who are well aware of the challenges and have been awaiting the report as a preview of potential future government regulatory action.

The report lists six imperatives, along with several recommendations and action items. The recommendations bring to the forefront several issues facing the healthcare industry — most notably the risk to patient safety. That’s a departure from the traditional focus on privacy and data protection, and suggests a regulatory gap that needs to be addressed quickly.

The release of this report could not have been timelier, coming on the heels of the debilitating worldwide “WannaCry” ransomware attack that forced hospitals in England to cancel surgeries. Last week we published a flash report that takes a deeper look into the Task Force’s document.

We think that organizations should not wait for the government to initiate solutions. Instead, healthcare providers and medical device makers should proactively increase efforts to bolster cybersecurity to avoid potentially overreaching or misaligned legislation.

In our flash report, we recommend that healthcare providers consider the following actions, tied to key themes of the report:

THEME: (providers) Existing efforts are not enough and patient safety is at risk.
ACTION: Expand cybersecurity efforts to include patient safety.

Healthcare leaders should note the emphasis on patient safety and ensure their cybersecurity program has fully addressed risks that could result in patient safety issues, not just a data breach.

THEME: (providers) Legacy devices are a significant problem.
ACTION: Create a concrete plan for legacy devices.

Develop a plan to phase out or update insecure legacy devices and operating systems, ideally over the next five years, and implement compensating controls such as network segmentation, enhanced monitoring and application whitelisting in the next 12 months to help address the near-term risk.

THEME: (providers) Lack of standard cybersecurity practices.
ACTION: Start formally aligning to a cybersecurity framework.

The report recommends that the Department of Health and Human Services (HHS) develop a healthcare-specific framework based on the minimum standard of security provided by the NIST Cybersecurity Framework and the HIPAA Security Rule. Healthcare organizations should begin now to think about how they would align their controls to the NIST CSF standard.

THEME: (manufacturers) Lack of cybersecurity focus; software development lifecycle (SDLC) gaps.
ACTION: Expand cybersecurity efforts, focus on SDLC.

Manufacturers should use the report as an opportunity to determine whether their medical device security program is adequate, given the increased attention on this area and the risks highlighted in the report. Specifically, manufacturers should be able to demonstrate clear security inclusion from new product model requirements through product retirement.

THEME: (manufacturers) Legacy systems are a hot-button issue.
ACTION: Increase activities for reducing numbers of in-use legacy devices.

To avoid negative impacts, manufacturers should work with healthcare providers to reduce the number of potentially compromised medical devices, through customer education and incentives.

THEME: (manufacturers) Minimum cybersecurity standards for medical devices.
ACTION: Work with industry peers to develop a standard.

We anticipate that future FDA device approvals will be contingent on meeting minimum cybersecurity standards. With the typical device development process of five to seven years, manufacturers need to collaborate now to get ahead of regulations and avoid business disruption.

The task force took a year to complete its report, and the result is a very thorough look at the challenges facing healthcare security today. Healthcare providers and medical device manufacturers would be well-served by a careful review of the report to determine how the adoption of these recommendations might affect their organizations.

Download the Protiviti flash report here.

Cyber Attacks Can Be Costly – Is Cyber Insurance the Answer?

By Adam Hamm, Managing Director
Risk & Compliance

The WannaCry malware attack in mid-May focused the attention of corporations around the world on escalating cyber threats. Our Flash Report released immediately after the attack noted that it marked a new and unsettling aggressiveness on the part of cyber criminals: No previous assault matched the breadth of impact of WannaCry, which affected hospitals, corporations and government offices in more than 150 countries around the world.

The cost of getting businesses up and running after the attack was expected to potentially add up to billions of dollars. Additionally, some organizations could face lawsuits over their failure to secure the previously disclosed Windows vulnerability that the criminals exploited.

In fact, news on May 23 that Target Corp. had agreed to pay $18.5 million to settle state and financial institution claims stemming from an enormous data breach should have warranted as much corporate attention as the WannaCry event. Hackers stole data from up to 40 million credit and debit cards belonging to the retailer’s shoppers during the holiday season in 2013, and the company disclosed that the total cost of its cyber security failure had amounted to $202 million so far. A settlement stemming from a consumer class action has yet to be finalized.

The grave consequences of weak cyber security – from business disruptions to the expense of repairs and lawsuit payouts – may lead some to believe organizations are scrambling to make cyber liability insurance part and parcel of their IT security protocols. Yet, according to recent surveys, roughly half of U.S. firms don’t have cyber risk insurance, and more than 25 percent of executives without a policy say they have no plans to add one. Among the companies that have insurance, only 16 percent reported that they have policies that cover all liabilities.

There are reasons many companies are reluctant to purchase cyber liability insurance or beef up existing policies, and the two main ones are cost and complexity. Certainly, insurers can improve the clarity of their policies and make it easier for customers to compare different proposals. And it may very well be the prohibitive cost of cyber insurance that is causing some companies hit by ransomware attacks to try to recoup their losses using kidnapping, ransom and extortion policies originally acquired to protect workers in dangerous locations.

Even so, a cyber liability insurance policy is a prudent course of action in most cases. Although it should never be a substitute for strong cybersecurity defenses, it can spell the difference between a severely affected and fairly unscathed bottom line in the aftermath of an attack. Before committing to a policy, however, it is important that management teams and their insurance brokers discuss three pivotal issues:

  • What kind of cyber liability insurance policy does the company need? Does it need a first-party policy to cover the cost of retrieving data critical to the operation, or does the company possess consumer information that requires protection against third-party lawsuits? Does it need both?
  • What amount of coverage does the company want to obtain? This figure will depend on a number of factors, including the size of the company and the type of coverage it needs. To mitigate third-party risk, for example, settlements like Target’s could provide useful benchmarks.
  • What is the premium an organization is willing to pay? A number of variables should be used to determine this figure, including a company’s earnings, the size of the IT budget, and the operations or data at risk.

Once a company has answered these questions, it can begin to shop for cyber liability insurance. As part of the process, the management team needs to fully understand what the policies cover. But perhaps most importantly, organizations need to understand what the policies don’t cover, which will ultimately indicate whether the policy is worth the expenditure.

Given the sophistication and prevalence of successful data breaches, it is now more important than ever for companies to analyze whether a cyber liability insurance policy should be a part of their overall cyber strategy.

Can Your SOX Compliance Process Benefit From Some Fine-Tuning? Find Out With Our Latest Benchmarking Survey

By Brian Christensen, Managing Director
Executive Vice President, Global Internal Audit

The results of Protiviti’s latest SOX compliance survey are in, and one takeaway in particular – cost of SOX compliance – may be music to the ears of some companies. For many organizations, those costs were reported to be lower this year than last, even as the number of controls, as well as hours dedicated to compliance, increased.

We don’t know the specific reasons why the costs at some companies decreased but we have some reasonable guesses: The fact that many companies have now completed their adoption of the new COSO Internal Control – Integrated Framework most certainly is a factor. The cost of the COSO implementation work was estimated to be between $50,000 and $100,000 on average.

Another potential factor regarding costs is who, exactly, is doing the work. As we illustrate in our infographic, a majority of organizations either outsource or co-source SOX compliance activities. This, in effect, may be masking some SOX compliance costs, as the expense for these external resources may not be captured under direct SOX costs the organization is tracking.

One other important point: The downward cost trend is not across the board – in fact, the overall number of companies spending over $2 million annually rose this year compared to last.

In addition, we wanted to get some further insight into why some companies report increasing controls, as well as increased hours and costs, so we introduced a new parameter in our survey this year – number of unique locations per company. Not surprisingly, the results revealed that the more locations a company has, the higher the number of controls it has and the higher its SOX costs are. This trend is quite clear, and it should help companies plan for their SOX costs next year based on whether they plan to expand, reduce or keep the same number of unique locations.

Another trend driving hours and costs up is the dynamic nature of the SOX controls environment. With regulatory changes and developments constantly in play – PCAOB, new revenue recognition standard, cybersecurity, SOC 1, etc. – the learning curve seems to always be up, dragging hours up as well.

I’ve just highlighted the top trends here. The survey report provides much more granular insights, by type and size of company, type of control environment and more. Interest in benchmarking and peer performance with regard to SOX compliance is strong, and we are confident that the survey report provides a useful benchmark with detailed numbers and explanations. Download the survey report here and watch our highlights video below.

Manufacturers Are Upbeat About 2017 Business Climate Under New Administration

By Sharon Lindstrom, Managing Director
Manufacturing and Distribution Industry Leader

Four straight months of manufacturing job growth through March this year and a decidedly more pro-business climate emerging in Washington have given many manufacturers good reason to consider 2017 off to a good start.

According to the National Association of Manufacturers’ (NAM) first economic outlook survey of manufacturers since Trump took office, more than 93 percent were feeling positive. This not only represents a high-water mark in the survey’s 20-year history, but it is also up from 56.6 percent a year earlier, said NAM, which represents some 14,000 U.S. manufacturers of all sizes.

We are keeping an eye on Washington’s actions that could have the most impact on manufacturers and their investment plans and operations in the near future, including efforts to roll back regulations, reform taxes and renegotiate the North American Free Trade Agreement (NAFTA). We’re also watching how the proposed infrastructure improvements and healthcare overhaul are playing out. They, too, will have a significant bearing on manufacturing decisions.

Big ideas

As we detailed in our Flash Report on the Trump administration’s first 100 days, the focus on deregulation is of critical importance to manufacturers, 94 percent of whom believe that the regulatory burden has increased over the last five years. The new administration has reversed several of the Obama administration policies on environmental reviews related to energy, infrastructure and other projects. President Trump’s executive order for broad regulatory reform, for example, included a public comment period (now closed) on “misaligned regulatory actions” at the Environmental Protection Agency (EPA) that are believed to have impeded economic growth. Congress is also taking up legislation, supported by manufacturers and other organizations, which would require agencies to develop new regulations in the most cost-effective way possible for companies.

Certainly, the media’s attention on the controversies surrounding the administration, including the executive orders, may temper manufacturers’ enthusiasm moving forward. That’s particularly true if, as has been suggested by political observers, the controversies end up thwarting the chances of enacting tax reform and other administration agenda items this year. Geopolitical risks, from North Korea to European terrorist attacks, also could distract attention away from domestic policy making.

Nevertheless, manufacturing leaders to date largely remain optimistic that Washington is focused on their most important interests. Testifying on May 18 at a hearing on how tax reform could spur the economy and job creation, NAM Chairman David Farr told the U.S. House Committee on Ways and Means that “we have the best chance in more than 30 years to advance permanent pro-growth reforms” and to improve the country’s manufacturing competitiveness globally.

At Protiviti, I’ve heard similar sentiments from manufacturers, who say they could make investments to expand, beef up research and development, or accelerate hiring and salaries if tax reform were to include a lower corporate tax rate, favorable treatment of international earnings, and a strong capital-cost recovery system. In 2015, NAM reported that incorporating those and other beneficial tax policies would generate more than $3.3 trillion in new investment and 6.5 million jobs over a decade.

Questions still remain

While it’s clear that the proposed regulation and tax reforms will benefit manufacturers, the effect of a NAFTA remake remains a big question. A 90-day period in which Congress will consult the administration about its goals for an amended pact began in May, and talks with Canadian and Mexican officials could begin by the middle of August. Many economists believe that NAFTA has generally benefited the U.S., and some corporations were concerned that a complete withdrawal from the pact would hurt business.

But similar to the recent narrow trade deal with China, the president has softened his harsh rhetoric on NAFTA in favor of a more judicious approach. The U.S. has proposed a modernization of the agreement, with new provisions on digital trade, regulations, intellectual property rights and other elements. Additionally, automotive executives and labor alike are lobbying for stronger currency manipulation protections in a new deal. Unions are also pushing for updates to procurement and origin rules to better support U.S. workers.

With regard to infrastructure, manufacturing and distribution companies stand to benefit from proposed infrastructure improvements and construction, although as of now it is unclear how much will take place. President Trump’s first proposed budget calls for $200 billion in infrastructure spending, well below the $1 trillion he campaigned on. Some portions of healthcare reform could help companies, as well, particularly the elimination of a special tax on medical devices. But again, these issues continue to evolve and they merit a watchful eye.

Protiviti’s outlook – stay agile

The turmoil in Washington aside, the overall pro-growth tone coming from government has given companies at least some confidence about the industry sector’s outlook in the coming months. Manufacturers that begin planning today will be ready to strike and reap the rewards when policies are enacted. It is best to stay nimble, however, and prepare to address risks in an environment that has the potential for rapid, even tumultuous change.

Financial Firm Auditors: Are You Ready to Audit Under CECL?

By Charles Soranno, Managing Director
Financial Reporting Compliance and Internal Audit

and Benjamin Shiu, Director, Model Risk Management

Amid widespread concern that Generally Accepted Accounting Principles (GAAP) are inadequate when it comes to advising investors on deteriorating credit quality, the Financial Accounting Standards Board (FASB) has issued a new methodology. The new standard, known as Current Expected Credit Loss, or CECL, uses data analytics to forecast expected losses based on internal and external trends, as well as borrower-specific information. In its simplest form, CECL replaces the old standard of actual or “incurred” loss with a forward-looking estimate of “expected loss” over the foreseeable future. (See our analysis of its anticipated impact.)

The standard was originally scheduled to become effective for public companies in December 2018, but that deadline has been pushed back to December 2020, with private companies to follow a year later.

CECL represents a significant change with far-reaching implications for loss reserves. And yet, just one in ten affected companies has made any significant effort to assess the potential impact and prepare for the change.

Protiviti conducted a webinar recently aimed at internal auditors trying to get the ball rolling at their organizations. As is often the case, the webinar generated more questions than we were able to address during the live session. We want to address some of the additional questions here.

Q: Isn’t the “foreseeable future” loss prediction based on “historical losses” as well? It’s hard to see how CECL offers any real improvement if the underlying data is essentially the same.

A: The forecast into the foreseeable future could be based on historical experience (losses) and on management judgment informed by the most up-to-date information.

For the forecasting based on historical losses, data is essential, and that is why CECL implementation will require companies to retain a variety of historical data over a much longer time horizon and analyze it against external information, such as FICO scores, loan-to-value and debt-to-income ratios, and debt service coverage. Internal audit will need to provide assurance on data completeness. With a longer time horizon and more variety of historical data, the CECL model should be able to better estimate the loss under different foreseeable future scenarios. Most companies already have such data saved. Even those who don’t, if they start saving data now, will have four years of historical data to work with by 2020.

For the forecasting based on management judgment, unlike the incurred loss model, the CECL model explicitly requires management to take into account the current information and identify the future scenarios for loss estimation.

Q: With the implementation of CECL, will there also be a corresponding allowance for loan and lease losses (ALLL) requirement on the lending institution?

A: Yes. Regulators published a Joint Statement on CECL on June 17, 2016. Expect more on ALLL in the future, but the June 17 statement is already out there.

Q: Isn’t stress modeling sometimes subjective even when using a third party?

A: Not necessarily. Third-party vendors typically use industry-level data to develop their models, and these models then serve as objective benchmarks against which institutional assets can be evaluated.

Q: What is going to be expected of internal auditors under CECL? Will we be expected to audit the ALLL process and controls over the model, or will we be expected to perform full model validation as well?

A: Both would be expected. Right now, internal auditors should be talking to management to ensure there is transparency into the portfolio and the credit quality evaluation process. There should be clear lines of reporting and communication to the board, and internal audit must remain close to the process throughout to ensure that the model is being applied, and that the model itself is valid as a predictor of credit losses in the foreseeable future.

As we discussed during the webinar, and at the highest level, processes, data sources and accounting will be changing under the CECL guidance. Whenever processes change, internal controls must be reassessed to make sure that no new critical risks have been created and that all critical risk areas have adequate controls in place.

Once in place, the controls must be tested by internal audit. For example, here are some critical concerns:

  • Data, process and judgments – Internal audit must collect and test company loss experience and other past events. Some of the processes will require judgment; those judgments must be articulated and supported by evidence. Forecasts on factors that affect collectability, whether internal or third-party, must be validated and back-tested.
  • Other models – For some institutions, Asset Liability Management (ALM) and DFAST/CCAR models, because they incorporate effective lifetime and credit risk assessment, may be utilized (or modified) for CECL estimates as well. However, these models are used for regulatory and management purposes, not as a source of disclosures in financial statements.
  • Documenting processes and controls – Documenting processes and controls will be a major undertaking. Ideally, areas of control weakness in the new processes should be identified as the processes are being developed, not after the fact.
  • New skill sets – Many internal audit departments may require skills in data and modeling. Adequate budget must be provided for staff and training.

Q: Do you advise firms to develop benchmarking CECL models?

A: It may not be necessary to develop a complete benchmarking model. Nevertheless, during the development process, it is reasonable to assume that after considering a variety of alternative approaches, data and assumptions, a benchmarking model may emerge as a side product of verifying the performance of the primary model.

The bottom line is that the time for the internal audit function to develop key CECL-related objectives is now. What auditors have to audit has changed significantly. Data has a certain subjectivity, and auditors must ensure that subjectivity is reduced. In addition, auditors have to increase their skill competency – they have to increase their understanding of modeling and data analytics. To provide assurance, auditors must become confident of their skills and ability to analyze credit risk. The archived webinar is a good first step.

Jeff Marsh of Protiviti’s Risk and Compliance practice co-presented the webinar and contributed to the development of this content.