Cyber Safety Tips for Private Equity Managers

By Michael Seek, Director
Internal Audit and Financial Advisory

Cybersecurity vendor FireEye, in March, reported an increase in fake emails targeting lawyers and compliance officers with malware disguised as a Microsoft Word document purporting to come from the Securities and Exchange Commission. That, on the heels of a reported uptick in fake drawdown requests targeting private equity clients, prompted us to put together a list of ways private equity firms and portfolio managers can protect their clients from these increasingly sophisticated attacks. The list applies to other companies as well.

  1. Distributions – Protect investors (both internal and external) with controls requiring positive verification of the investor’s identity before any change is made to banking/wire instructions. The request should come directly from the investor, or from a contact the investor has authorized in writing to act on its behalf, and the verification should use the contact details already on file (the callback number or address of record), never the details supplied in the request itself, since a fraudulent request will conveniently include a “new” phone number or email. An independent email should then be sent to the authorized email contact of record stating that a change was made and advising them to contact the firm if they did not request it. This process should mirror those used by banks.
  2. Capital Calls/Drawdowns – Capital calls should be presented to investors via a secure system or mechanism other than email. Note that hackers have been known to establish authentic-looking fake websites designed to capture LP account information. Protiviti recommends strong multifactor authentication routines (again, similar to banks) to thwart such efforts.
  3. System Security – Continuous monitoring for breach detection and a rigorously tested and rehearsed response/recovery plan have become table stakes for operating any financial services business. If you have a proprietary system for investor distributions, that system should be secured on par with your ERP system.
  4. Deal Sourcing Data – At Protiviti, we emphasize the importance of knowing your “crown jewels” — that is, critical data that must be protected, such as investor account data. However, the protection of pipeline data and information on target companies (e.g., potential deals) is at times overlooked. Data security must be established over the systems, sites and network drives where confidential deal data is stored, including the data rooms used for due diligence. Additionally, employee communications should be monitored to ensure that no confidential information is being “leaked” via company networks.
  5. Board Members – Boards of directors need to ensure that the organizations they serve are improving their cybersecurity capabilities continuously in the face of ever-changing cyber threats. This point was mentioned in our recent Board Perspectives newsletter (Issue 90). That need also extends to the security of board emails and the electronic communication of sensitive board materials. Of particular concern is the widespread use of “free” email services. Given the confidentiality of the information contained in many board emails, many organizations provide directors with in-house email addresses.
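The distribution control in item 1, worked through in code as an added example (this is not Protiviti’s code or any firm’s actual system; the investor record, the spoofed and legitimate requests, and the in-memory “phone” and “email” queues are all constructed stand-ins). The point it makes is the one wire-fraud defenses most often get wrong: the requester must already be on file, the confirmation call goes to the number on file regardless of any callback number in the request, and the notification goes to the address of record.

```python
"""Wire-instruction change control (constructed example, not Protiviti's code).

Three checks from item 1 above:
  1. the requester must already be the investor or a contact with written
     authorization on file; a request cannot vouch for itself;
  2. confirmation is obtained out of band at the phone number on file, and
     any callback number supplied in the request is ignored;
  3. after the change, the email contact of record is notified independently.
"""
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class InvestorRecord:
    investor_id: str
    email_of_record: str
    phone_of_record: str
    authorized_contacts: Set[str]  # emails with written authorization on file
    wire_instructions: str


@dataclass
class ChangeRequest:
    investor_id: str
    requester_email: str
    new_wire_instructions: str
    callback_phone: Optional[str] = None  # possibly attacker-supplied; never used


class ChangeRejected(Exception):
    """Raised when a request fails one of the controls."""


class WireChangeControl:
    def __init__(self, records: Dict[str, InvestorRecord]) -> None:
        self.records = records
        self.pending: Dict[str, Tuple[ChangeRequest, str]] = {}
        self.calls: List[Tuple[str, str]] = []   # (phone dialled, code read out)
        self.emails: List[Tuple[str, str]] = []  # (recipient, message)

    def submit(self, req: ChangeRequest) -> str:
        """Validate the requester and start out-of-band confirmation; return a ticket."""
        rec = self.records.get(req.investor_id)
        if rec is None:
            raise ChangeRejected("unknown investor")
        known = {rec.email_of_record.lower()} | {c.lower() for c in rec.authorized_contacts}
        if req.requester_email.lower() not in known:
            raise ChangeRejected("requester is not the investor or an authorized contact of record")
        # Six-digit one-time code, delivered to the phone ON FILE whatever the request says.
        code = "%06d" % (int.from_bytes(os.urandom(4), "big") % 1_000_000)
        ticket = os.urandom(8).hex()
        self.pending[ticket] = (req, code)
        self.calls.append((rec.phone_of_record, code))
        return ticket

    def confirm(self, ticket: str, code: str) -> InvestorRecord:
        """Apply the change only if the code read back matches the one given out of band."""
        if ticket not in self.pending:
            raise ChangeRejected("no such pending change")
        req, expected = self.pending.pop(ticket)  # one attempt per ticket: no guessing
        if not hmac.compare_digest(expected, code):
            raise ChangeRejected("confirmation code mismatch; submit the request again")
        rec = self.records[req.investor_id]
        rec.wire_instructions = req.new_wire_instructions
        # Independent notification goes to the address of record, not to the requester.
        self.emails.append((rec.email_of_record,
                            "Your wire instructions were changed. If you did not request "
                            "this change, contact the firm immediately."))
        return rec


def demo() -> Dict[str, object]:
    """Run a constructed scenario and return the outcomes of each control."""
    ctl = WireChangeControl({"LP-001": InvestorRecord(
        "LP-001", "treasurer@example-lp.test", "+1-555-0100",
        {"cfo@example-lp.test"}, "Bank A / acct 111")})
    out: Dict[str, object] = {}
    # Spoofed request: look-alike domain, supplies its own callback number.
    try:
        ctl.submit(ChangeRequest("LP-001", "treasurer@example-lp.co",
                                 "Bank X / acct 999", "+1-555-0199"))
        out["spoof_rejected"] = False
    except ChangeRejected:
        out["spoof_rejected"] = True
    legit = ChangeRequest("LP-001", "cfo@example-lp.test", "Bank B / acct 222", "+1-555-0199")
    ticket = ctl.submit(legit)
    phone, code = ctl.calls[-1]
    out["phone_dialled"] = phone  # the number on file, not +1-555-0199
    wrong = "000000" if code != "000000" else "000001"
    try:
        ctl.confirm(ticket, wrong)
        out["wrong_code_rejected"] = False
    except ChangeRejected:
        out["wrong_code_rejected"] = True
    ticket = ctl.submit(legit)  # the failed attempt discarded the ticket; start over
    rec = ctl.confirm(ticket, ctl.calls[-1][1])
    out["wire_instructions"] = rec.wire_instructions
    out["notified"] = ctl.emails[-1][0]
    return out


if __name__ == "__main__":
    print(demo())
```

In a real deployment the `calls` and `emails` lists would be the firm’s telephony and mail systems, and the six-digit code would carry an expiry; the shape of the control is unchanged: nothing in the request is trusted to identify or reach the investor.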

In a world rife with cyber crime, the incentives to commit it grow ever stronger as just about everything of value – whether an action or an asset – has a digital component. Vigilance continues to be the name of the cyber risk game – for private equity firms and portfolio managers in managing their clients, and for other sectors as well.

Health Check on Emerging Growth Companies: PCAOB Reports High Incidence of Material Weaknesses

By Charles Soranno, Managing Director
Financial Reporting Compliance and Internal Audit

A new white paper from the Public Company Accounting Oversight Board (PCAOB) and an April increase in qualifying revenue limits have put emerging growth companies (EGCs) in the news recently.

The EGC designation, established under the Jumpstart Our Business Startups (JOBS) Act of 2012, makes it easier for small and growing businesses — specifically those on track for an initial public offering — to attract investors and access capital by relaxing regulatory requirements and cutting some red tape. There are a number of benefits to a registrant being classified as an EGC – see Protiviti’s Guide to Public Company Transformation for what they are.

The original law established a revenue cap of $1 billion for a company to qualify as an EGC, but provided for that cap to be adjusted every five years for inflation. The Securities and Exchange Commission (SEC) made the first adjustment in April 2017, raising the revenue cap to $1.07 billion.

Another provision of the JOBS Act was a mandate for the PCAOB to report via white papers, semiannually, on the extent to which EGCs actually benefited from regulatory relief, and on any unintended consequences stemming from the more permissive environment. The purpose of the PCAOB’s white papers is to provide general data about EGCs to inform the analysis contained in PCAOB rulemaking releases regarding the impact of applying new standards to the audits of EGCs.

The latest white paper, published in March 2017, found that of 1,951 companies reporting as EGCs in the 18 months prior to the reporting period, more than half (51 percent) received an explanatory paragraph in their most recent auditor’s report expressing substantial doubt about the company’s ability to continue as a going concern. Equally important, 1,262 of those 1,951 EGC filers provided a management report on internal control over financial reporting in their most recent annual filing, and 47 percent of them, nearly half, reported material weaknesses.

Protiviti explores the findings in the PCAOB’s March white paper at length in a recent Flash Report, but I wanted to highlight a few of the takeaways here.

First and foremost, while certain regulatory exemptions and benefits may be attractive, they do not mean that EGCs should accept or minimize issues surrounding potential findings of material weaknesses. These deficiencies in internal control over financial reporting may undermine a company’s reputation and reduce company value, to say the least.

The risk is real and should be addressed proactively. Protiviti has developed a financial reporting risk profile (FRRP) to identify financial reporting issues in advance and manage them to avoid potential financial restatements.

An effective FRRP focuses on six areas: accounting principle selection and application, estimation processes, related-party transactions, business transaction and data variability, sensitivity analysis, and measurement and planning. The underlying objective is to identify the most likely areas of potential misstatements and apply the appropriate oversight and control.

Second, EGCs should take the steps necessary to document key business processes so that these processes are well-defined and repeatable, reducing reliance on ad hoc activity by key employees. These processes may include a fair amount of financial reporting and related policies and activities, such as those that aid in preparing financial schedules for external auditors in support of audits, filings, executive compensation and employee benefits. Pre-public companies should also design and implement a process for documenting conclusions on reporting and accounting matters.

Internal controls and documentation are critical because they minimize the risk of material weaknesses in the organization’s financial reporting. Consider the effects of just one material weakness: erosion of shareholder confidence, potential share price reduction, a fair amount of distraction throughout the organization, reduced brand quality, and significant remediation costs.

The high incidence of material weaknesses among EGCs is disappointing but, in many cases, preventable. It is important not to wait until the first auditor attestation to address potential issues. Many of the preventive measures – governance protocols, fraud controls, internal controls over financial reporting – should be in place prior to the company’s first public filing (e.g., 10-Q filings, Section 302/906 certifications), and others should be in place prior to the initial management assertion on the effectiveness of internal control over financial reporting, as required by Sarbanes-Oxley Section 404(a). If these areas have not been addressed and the first public filing is upcoming, the organization should prepare itself by putting in place a robust remediation program. See the Protiviti Flash Report for additional points and information.

DOJ Fraud Section Puts Boards of Directors on Notice Regarding “Conduct at the Top”

In February 2017, the U.S. Department of Justice (DOJ) Fraud Section published its latest guidance on corporate compliance programs with the release of the very useful document titled “Evaluation of Corporate Compliance Programs.”

While many legal and compliance scholars have rightly stated that this latest publication isn’t anything radically different than prior authoritative guidance issued by the DOJ and other organizations, what jumps out is the reframing of the well-worn expression, “tone at the top,” with the potentially more insightful, and arguably much scarier, “conduct at the top.” In a just-released Flash Report, we put forth questions and insights that illustrate the degree to which the DOJ is examining senior management and the board of directors while evaluating a corporate compliance program.

PCAOB White Paper Calls Attention to the Risk of Material Weaknesses at Emerging Growth Companies

Last week, the Public Company Accounting Oversight Board (PCAOB) released its semi-annual white paper providing general information about certain characteristics of emerging growth companies (EGCs). The PCAOB’s white paper provides a number of observations regarding EGCs, which we summarize in a just-released Flash Report published on Protiviti’s website. In our Flash Report, we also review the implications for EGCs that report material weaknesses in their internal control over financial reporting and offer guidance to affected organizations to help them avoid or overcome such findings.

Top Technology Challenges for Internal Audit: Results From Protiviti’s IT Audit Survey

By Gordon Braun, Managing Director
IT Audit

Process automation and digital transformation are near the top of most corporate agendas, and the IT audit function has never held a more crucial role. The results of the 6th Annual IT Audit Benchmarking Study from ISACA and Protiviti illustrate the increasingly integrated role IT audit leaders and professionals are assuming in regard to technology initiatives in their organizations.

I had the opportunity, along with my colleague David Brand and ISACA director Ed Moyle, to discuss the results at length in a recent webinar. You can view an archived version by registering here. In the meantime, I wanted to give you a quick rundown of the top technology challenges expressed by respondents, and how those challenges compare with the previous year’s results.

No surprise on the top tech challenge: Nearly all organizations are struggling with data privacy and cybersecurity. It’s an area where boards want assurance — even with an understanding that assurance can never be 100 percent, regardless of the amount of money spent. The challenge for IT audit, therefore, lies in determining the right amount of IT audit time and focus to dedicate to cyber risk and ensuring coverage is aligned with the risk appetite and priorities of the organization. Though cybersecurity is always a business issue, the risk is typically assigned to IT. IT audit’s effectiveness in this area is strongly related to the experience and specialized knowledge that the IT auditors in the group bring to the audit. There continues to be a strong push for education and for using the right tools, frameworks, approaches and resources; all are critical to ensuring IT auditors stay in front of the cyber risks they are auditing.

Emerging technology (automation, digitization, cloud, etc.) remains a top challenge for IT auditors, though not ranked as high as last year. Effective IT governance in the face of emerging tech remains a goal for many organizations, and those that ignore it or get it wrong are going to struggle. IT auditors can help their organizations in this area by challenging the effectiveness of IT governance from both a design and an operating perspective — this healthy and critical evaluation of the alignment between the business and IT is required in today’s environment. In organizations with enterprise risk management (ERM) functions, there may be a natural overlap in interest between IT governance and ERM, and IT auditors are well-positioned to seek out this partnership to share and receive perspectives from the ERM group.

Infrastructure management, regulatory compliance, and budget/cost concerns all moved up the list this year — a risk triumvirate that I think contributed to the return of third-party/vendor management as a top-ten challenge, after dropping below the top ten last year. Infrastructure management and third-party vendor management are closely related as organizations increase their reliance on infrastructure-as-a-service (IaaS) and software-as-a-service (SaaS) providers in an attempt to reduce their IT footprint. To ensure maturity in third-party risk management and ease related challenges, IT audit should be involved in the early stages of significant infrastructure projects, evaluating the processes and controls around third-party vendor management, ensuring upfront due diligence activities are completed, and reviewing service level agreements (SLAs) and contracts before they are signed. There are a number of efforts in the market to provide IT auditors with more avenues for assurance over these relationships – an area I fully expect will continue to see growth.

Missing from this year’s top-ten list is big data — a surprise, to say the least. In all my conversations with colleagues, big data remains a top priority, and it is closely tied to many of the other top-ten challenges. Its absence from the list, in my opinion, has more to do with the temporary elevation of other priorities, and a growing familiarity with the features, risks and benefits of big data, than with any lessening of focus. Big data also looms large in this year’s Internal Audit Capabilities and Needs Survey, so the conversations around it are certainly not over.

Last, but certainly not least, staffing and skills cut across every other top technology challenge mentioned. Although it dropped slightly from last year’s ranking, it remains a top-five challenge — a reflection of the critical need for internal audit functions to hire and train tech-savvy auditors capable of understanding IT risks. This is particularly relevant for addressing the top challenge of cybersecurity, where expertise is key to gaining the cooperation and trust of IT. Co-sourcing, or even outsourcing of IT audit, can provide that expertise without straining internal resources. Each organization must decide on whether and how to augment its skills based on its specific level of reliance on technology.

Clearly, there is much to unpack from this year’s IT Audit survey results, and we will continue to analyze the findings and track progress in how companies address them. For the full ranking of challenges and a more in-depth analysis, visit our 6th Annual IT Audit Benchmarking Study page.

From the GAM Conference: Changing Priorities, Analytics in Auditing and More

This week, Protiviti is joining the best and brightest thought leaders from Fortune 500 companies at The Institute of Internal Auditors’ 2017 General Audit Management (GAM) Conference in Orlando, FL. For nearly 40 years, GAM has been the premier experience for internal audit leaders to explore emerging issues and exchange leading practices for positive outcomes. The theme for the 2017 conference is Fostering Risk Resilience. Two Protiviti leaders, Brian Christensen and Jordan Reed, will be conducting panel discussions on stakeholder expectations and the Internet of Things, respectively. We are covering these events and more from the conference here on our blog and on Protiviti’s social media platforms. Subscribe to our blog and follow us on Twitter for timely podcasts and analysis of this year’s conference topics.

On Day 2 of the conference, Protiviti Managing Director Jordan Reed shared some thoughts on the panel discussion titled “The Internet of Things: What Does This Mean to Internal Audit?” Jordan led the panel together with Jeff Rowland, Vice President, Audit Services at USAA. Below in Jordan’s own words are highlights from the discussion. For more on why the Internet of Things matters, and the risks and expectations arising from it, read the recently published Protiviti white paper.

Also hear Protiviti Managing Director and The Protiviti View blog host Jim DeLoach share his view on stakeholder expectations as reflected in the Global Internal Audit CBOK Stakeholder Study.

Finally, Protiviti Managing Director Matt McGivern discusses the current state of data analytics in internal auditing, including findings from Protiviti’s latest internal audit survey.

The Four C’s in Overseeing Internal Audit

By Brian Christensen, Managing Director
Internal Audit Global Leader

In 2016, The Institute of Internal Auditors and Protiviti conducted the world’s largest ongoing study of the internal audit profession — the Global Internal Audit Common Body of Knowledge (CBOK) study — to ascertain expectations from key stakeholders, including board members, regarding internal audit performance. Several imperatives for internal audit emerged from the responses of the participants in the study. Among them: focus more on strategic risks, think beyond the scope of the audit plan, and add more value through consulting.