horizons FEATURING > Protect Your Organization with Cyber Resilience > BIG Problems with Small DATA > Information Technology Due Diligence:

Transcription

1 horizons A publication by RubinBrown LLP Cyber Security: The New Priority Spring 2014 FEATURING > Protect Your Organization with Cyber Resilience > BIG Problems with Small DATA > Information Technology Due Diligence: Often Overlooked but Vital to Deal Success PLUS > Private Company Financial Reporting: After Decades of Scrutiny, Relief May Finally Be Here > Outsourced Accounting: Paving the Way for Success in Our Economic Climate

2 TABLE OF CONTENTS horizons A publication by RubinBrown LLP Chairman James G. Castellano, CPA, CGMA Managing Partner John F. Herber, Jr., CPA, CGMA Denver Office Managing Partner Gregory P. Osborn, CPA Kansas City Office Managing Partner Todd R. Pleimann, CPA Editor Dawn M. Martin Art Director Jen Chapman Horizons, a publication of RubinBrown LLP, is designed to provide general information regarding the subject matters covered. Although prepared by professionals, its contents should not be construed as the rendering of advice regarding specific situations. If accounting, legal or other expert assistance is needed, consult with your professional business advisor. Please call RubinBrown with any questions (contact information is located on the back cover). Under U.S. Treasury Department guidelines, we hereby inform you that any tax advice contained in this communication is not intended or written to be used, and cannot be used by you for the purpose of avoiding penalties that may be imposed on you by the Internal Revenue Service, or for the purpose of promoting, marketing or recommending to another party any transaction or matter addressed within this tax advice. Further, RubinBrown LLP imposes no limitation on any recipient of this tax advice on the disclosure of the tax treatment or tax strategies or tax structuring described herein. Readers should not act upon information presented without individual professional consultation. SPRING 2014 Features 1 RubinBrown News Welcome from the Managing Partner Chairman s Corner Protect Your Organization with Cyber Resilience BIG Problems with Small DATA Information Technology Due Diligence: Often Overlooked but Vital to Deal Success Private Company Financial Reporting: After Decades of Scrutiny, Relief May Finally be Here Outsourced Accounting: Paving the Way for Success in Our Economic Climate Timely Reminders Industry-Specific Articles 33 colleges & universities Cyber Security Risks for Universities New risk factors and creating a control system to protect a university s assets and data. 36 gaming Regulating Online Gaming: A Focus on Security A look at regulation from the first three states to legalize online gaming. 40 professional services Safeguarding Electronic Health Records & Law Firm Security: Steps to Protect Your Firm Safeguard protected health information; plus protect firm and client information at organization, technical and physical levels. 45 manufacturing & distribution Cyber Security in the Supply Chain The risk of protecting information that exists with suppliers. 48 life sciences Protecting Intellectual Property Identifying IP inventory and mitigating IP risks. 52 public sector Data Analysis: A Resilient Approach to Control Spending Using data analysis to impact the bottom line. 55 real estate Positive News for the Historic Tax Credit Industry Much anticipated Revenue Procedure establishes a safe harbor. 58 not-for-profit An Update on Not-For- Profit Financial Reporting Senior project manager covers FASB s NFP Financial Reporting Initiative. 62 construction Succession Planning: An Introduction for Construction Companies Building value, grooming a successor, transferring ownership, and other considerations for succession planning. 66 transportation & dealerships Simple Steps to Increase Profitability for Transportation Companies & Auto Dealers Tips to ensure you fully maximize profitability with your current revenue stream.

3 WELCOME FROM THE MANAGING PARTNER The Latest Trend: Cyber Security Start-Ups Recent high-profile cyber security attacks like the data breach at Target have spurred an investment boom in cyber security companies. Research group PrivCo reports that early-stage funding for the cyber security sector soared almost 60% in Researchers expect that 2014 will bring more start-ups, along with subsequent transaction activity as security problems continue to increase, in tandem with our growing awareness of them. There s no doubt that cybercrime is on the rise. Cisco Systems Inc. reports that cybercrime was up 14% in 2013 from the year before. Even more frightening are the statistics on loss and occurrence. Poneman Institute reports that the cost of cybercrime has increased 26% since 2012 and further predicts that 3 out of 4 companies will be targeted by malicious web applications in this year alone. John F. Herber Jr., CPA, CGMA Managing Partner While heavily covered in the media, cybercrime is a serious business issue that threatens all of us no matter what our size. This is why we chose the topic of cyber security as our theme for this issue. This is one of the largest issues of Horizons RubinBrown has ever published. There s a lot of information to report on the topic of cyber security. And we hope that you glean some thoughtprovoking information and ideas from our research and writing. In addition to several great feature articles on cyber resilience, big data, and IT due diligence, we have also included articles that focus on cybercrimes effect on several industries. Check out the cyber articles related to colleges and universities, gaming, life sciences, professional services and manufacturing & distribution. I would welcome your feedback on ways we can continue to serve you as thought leaders in business as well as deliver totally satisfied clients. Please me directly at john.herber@rubinbrown.com. Pleasant reading, page 1

4 RUBINBROWN NEWS RubinBrown Publishes First Audit Quality Report In January 2014, RubinBrown published its first-ever audit quality report. Audit quality reporting is intended to foster greater confidence in the audit process by assisting financial statement users, audit committee members and other stakeholders in understanding how an audit firm s management and operations support the performance of high quality audits. The Public Company Accounting Oversight Board (PCAOB), which regulates the audits of public companies, is currently developing a concept release regarding audit quality reporting and audit quality indicators. The concept release is expected to provide a definition of audit quality and include an audit quality framework. Additionally, there will be 25 to 30 potential audit quality indicators identified. Finally, there will be discussion of potential uses of the audit quality indicators. You may access the report at RubinBrown Partner Amy Altholz Named Woman To Watch Amy Altholz, CPA, partner and vice chair of RubinBrown s Not- For-Profit Services Group, was recently honored as one of the Missouri Society of Certified Public Accountants (MSCPA) Women to Watch. The MSCPA Women to Watch Awards recognize women in accounting who have made significant contributions to the profession and development of women in their communities. RubinBrown Partner Steven Harris Named 2014 Young Leader Steven Harris, CPA, partner-in-charge of RubinBrown s Entrepreneurial Services Group was named one of the St. Louis American s 2014 Young Leaders. The Young Leader Awards identify and honor committed, compassionate, generous professionals making a positive impact in the community. RubinBrown Managing Partner John Herber Named to AICPA Governing Council John Herber, Jr., CPA, CGMA, managing partner of RubinBrown, was nominated to the American Institute of Certified Public Accountants Council as an at-large member. The appointment is for a three-year term on the council. Herber also currently serves as chairman of the AICPA s Professional Liability Insurance Program Committee. page 2 horizons Spring 2014

5 RubinBrown Team Member Recognized with AICPA Elijah Watt Sells Award RubinBrown team member, Nathan Hutson, CPA, was recently presented with the 2013 Elijah Watt Sells Award from the American Institute of Certified Public Accountants. The award recognizes the individuals with a cumulative score above across all four sections of the computerized Uniform CPA Examination. RubinBrown Partner Sharon Latimer Named To 2014 Class of Influential Women Sharon Latimer, CPA, partner in RubinBrown s Assurance Services Group, was named to KC Business magazine s 2014 Class of Influential Women. The publication s influential women honorees are recognized as those who inspire and mentor others, create opportunities for their organizations and give back to their communities. RubinBrown Kansas City Managing Partner Todd Pleimann Named to Kansas City Chamber of Commerce Todd Pleimann, CPA, managing partner of RubinBrown s Kansas City office, was recently elected to The Greater Kansas City Chamber of Commerce Board of Directors. The Greater Kansas City Chamber of Commerce is a membership organization representing more than 2,500 companies and 300,000 employees across the Kansas City region. RubinBrown Recent Talent Additions Partners Jeff Cunningham, joined RubinBrown as a partner in its Real Estate Services and Assurance Services Group in the Denver office. Jeff s expertise lies in working with clients that develop and rehabilitate multi-family housing using traditional financing, lowincome housing and historic tax credits and federal and state backed loans. Jeff Naeger is a new partner in the Tax Services Group in St. Louis. Jeff specializes in providing federal and state tax consulting, state and local taxation, and mergers and acquisitions services to clients in a number of industries including manufacturing, healthcare and natural resources. page 3

6 RUBINBROWN NEWS RubinBrown Recent Talent Additions Partners (continued) Rhonda Sparlin joined the Denver office as a partner in the State and Local Tax Services Group. Rhonda is an expert in consulting with businesses on issues related to multistate income, franchise and indirect tax issues. She serves clients in the manufacturing, retail, technology, healthcare, service, software, mining and utility industries. Sunti (Sunny) Wathanacharoen joined RubinBrown s Kansas City office as a partner in its Business Advisory Services Group. Sunny s experience managing consulting services spans various industries such as financial services/institutions, government, healthcare, manufacturing, professional services, retail, technology and telecommunications. Managers Brenda Buhrmester is a new manager in RubinBrown s Tax Services Group in Kansas City. With more than 18 years of experience, she primarily serves professional service organizations with tax consulting and compliance services. RubinBrown recently added Mark Breakfield as a manager in its Wealth Management Services Group in St. Louis. Mark specializes in tax planning and consulting, estate and retirement planning and gift tax planning services for clients. Timothy Kennedy joined RubinBrown s St. Louis office as a manager in RubinBrown s Real Estate Services Group, specializing in new markets, low-income housing and historic rehabilitation tax credits. Suzy Kimbrough recently joined the Kansas City office as a manager in the Tax Services Group. With more than 20 years of public accounting experience, she primarily provides tax and consulting services to businesses and individuals. Jason McAdamis joined the St. Louis office s Federal Tax Services Group as a manager. He provides comprehensive tax services for companies of all sizes in a variety of industries, including professional services and manufacturing and distribution. Rachel Parkes is a manager in RubinBrown s Tax Services Group in Kansas City. She has more than ten years of accounting experience. Rachel works with clients in various industries including construction, gaming and manufacturing and distribution. A new manager in the St. Louis office s State and Local Tax Services Group, Shawndel Rose provides clients with all phases of state and local tax compliance, consulting and planning services. Aisha White is a new manager in the State and Local Tax Group in St. Louis. With more than 13 years of accounting experience, she primarily provides tax services to a wide array of clients. page 4 horizons Spring 2014

7 MARK YOUR CALENDARS Denver RubinBrown Center November 6, 2014 Ethics Seminar Kansas City Doubletree Hotel November 11, 2014 St. Louis Donald Danforth Plant Science Center 8-10 a.m a.m. November 12, a.m. Year-End Accounting & Tax Update Denver RubinBrown Center December 10, a.m. Kansas City Doubletree Hotel December 11, a.m. St. Louis Donald Danforth Plant Science Center December 9, a.m. For Upcoming RubinBrown Seminars Glean insight into the latest tax legislation. Learn more about how new accounting rules will affect your business. Find out how your organization can benefit from business strategies and innovative ideas. Throughout the year, RubinBrown is an excellent source for learning and insight. SEC Update Denver St. Louis RubinBrown Center RubinBrown Center January 7, 2015 January 6, a.m a.m. Not-For-Profit Update Denver RubinBrown Center January 28, a.m. Kansas City Doubletree Hotel January 27, a.m. St. Louis Donald Danforth Plant Science Center January 22, a.m. Registration will be available 5 weeks prior to each event at Public Sector Seminar Denver RubinBrown Center February 6, a.m.-5 p.m. Kansas City Doubletree Hotel February 3, a.m.-12 p.m. St. Louis RubinBrown Center January 29, a.m.-12 p.m.

8 CHAIRMAN'S CORNER The Stakes Have Changed Today with Cybercrime by Jim Castellano, CPA, CGMA Remember when computers operated on punch cards a portable computer was as big as a suitcase and its screen the size of a 4 by 6 picture frame portable phones consisted of a heavy unit with a handset tethered to it with a spiral cord? Remember when crime involving theft only involved physical property or currency? What happened? What happened is that the incredible explosion in technological advancements continued to change our world in ways we could not even imagine just a decade ago. Jim Castellano, CPA, CGMA Chairman With the wonderful advances in technology also came ingenious techniques to steal valuable information by using the technology in devious ways. Hence, the emergence of an entirely new type of criminal engaged in cybercrime. The topic of cyber security is high on the agenda of most audit committees today and should be high on the agendas of management of most organizations. An effective enterprise risk management process can highlight the numerous areas vulnerable to those anonymous and sophisticated criminals intent on theft or destruction. The American Institute of CPAs (AICPA) recently published a paper titled The Top 5 Cybercrimes. The paper is intended to assist CPAs in public practice as well as in business and industry to understand the nature of each crime, the manner in which it is committed and remedial steps that can be taken. The paper can be found on AICPA s website at or viewed at the link in the sidebar to the right. page 6 horizons Spring 2014

9 29 Least-access privileges is a security concept that grants a person the least amount of access to systems, technologies and data needed to perform his/her duties or that first grants a person no access but then adds privileges to provide access only to needed information. 8 Cybersource Corporation is a worldwide ecommerce payment-management company. It publishes annual, statistics-based online fraud reports. At cybersource.com. 9 IC3 is the Internet Crime Complaint Center, sponsored by the National White Collar Crime Center, the Bureau of Justice Assistance and the FBI. It accepts complaints from the public regarding Internet-related crimes and scams. At ic3.gov. 10 IBM publishes a security report titled Trend and Risk Report. The March 2012 report was used as a source for this paper. 11 SANS has a global scope, with a focus on information security (InfoSec). It has a certification, Global Information Assurance Certification (GIAC), related to InfoSec. SANS s services and resources are generally free to the public. 12 Computer Emergency Response Team (CERT) is a partnership between Homeland Security and public and private sectors with the objective of coordinating responses to security threats. At cert.org. 13 Computer Security Institute (CSI), for information security professionals, provides an annual survey of cybercrime, CSI Computer Crime & Security Survey, since about At gocsi.com. 14 Ponemon Institute conducts independent research on privacy, data protection and information security policy. It has one of the best cybercrime studies, its annual Cost of Cyber Crime Study. The second study was published in August At ponemon.org. 15 The state of Florida has a department, Secure Florida, that focuses on cybersecurity. It published Florida Cyber-Security Manual in The Florida Department of Law Enforcement, Florida Cybersecurity Institute and Secure Florida contributed to the manual. At secureflorida.org. 30 Verizon s 2009 Data Breach Investigations Report. At securityblog.verizonbusiness.com. The top 5 cybercrimes discussed include: THE TOP 5 CYBERCRIMES Tax-refund fraud Corporate account takeover Identity theft Theft of sensitive data Theft of intellectual property While no precautions can provide absolute protection, you can begin to protect yourself and your organization from cybercrime by taking some or all of the following actions: Institute an internal audit function in your organization Conduct risk management sessions to identify and rank the risks affecting you Audit your privacy and security policies and controls Use data analytics to identify unusual transactions in your records Consider the value of cyber security insurance coverage to recover financial losses that might arise from cybercrime We hope you find the articles in this issue of Horizons, written by our practice leaders, to be useful as you contemplate the range of cyber risks facing your organization. GENERAL REMEDIATION STRATEGIES FOR THE TOP 5 CYBERCRIMES 87 % A Verizon study of 600 incidents of security breaches over a five-year period reveals that in 87 percent of cases, investigators concluded that breaches could have been avoided if reasonable security controls had been in place at the time of the incident. CPAs need to make timely, informed decisions about the effective controls that can prevent cybercrimes from occurring, and detect, at its earliest stage, a crime that already has occurred. Equally important is CPAs adeptness at responding to and correcting a security breach and cybercrime that has occurred. SECURITY AUDITS AND CONTROLS A Computer Security Institute (CSI) survey ranked internal cybersecurity audits as the strongest weapon in preventing and detecting cybersecurity vulnerabilities. An effective internal security audit identifies cybersecurity risks and assesses the severity of each type of risk. For optimal results, clients should ask their CPA to audit their privacy and security policies and controls. Following the audit, preventive controls for the major risks that were identified need to be instituted. Three strategies that can help management develop those controls are: TOP 5 CYBERCRIMES October 2013 Tax-refund Fraud Timely and proactively patching vulnerabilities, including INCIDENT RESPONSE PLAN vulnerable software. One useful correction remediation, although not Using least-access privileges 29 and other sound logical access controls preventive, is to develop an incident response plan. The to help remediate crimes perpetrated internally. For external threats, plan would require employees with the necessary level of sound perimeter controls such as firewalls and Intrusion Detection knowledge, and serving in key positions within the entity, Systems (IDS) are critical to protection. to answer the following questions relating to the top five Monitoring systems, technologies and access, cybercrimes such as identified various logs in this white paper: created by technologies for those activities, with associated controls varying based on the threat level (also a detection strategy). Which of these crimes are potential risks? BUSINESS INSURANCE What risks would follow from each crime? In an age of financially motivated cybercrimes, How every should entity we should respond have to each of these crimes? sufficient business insurance coverage to recover any financial losses. Executive management team members, especially How would the CFO, we fully must recover from each of these crimes? evaluate the entity s insurance coverage to ensure that it could recover estimated losses from any cybercrime. The manner in which an entity responds to a cybercrime provides valuable insight into its possible vulnerabilities Reviewing coverage should be done on a reasonable and preventive periodic steps basis. that could have been taken before Leaders also might consider enlisting service the providers crime occurred. that offer cleanup and restore functions after certain crimes have been committed. A Verizon study of 600 incidents of security breaches over a five-year period reveals that in 87 percent of cases, investigators concluded that breaches could have been avoided if reasonable security controls had been in place at the time of the incident. Thus, a good place to start BEFORE a breach occurs is reasonable security controls as defined by the information security profession as best practices or principles. 30 Remediation measures and controls that apply to one THE cybercrime TOP 5 CYBERCRIMES often apply equally 11 well to others, which results in multiple cybercrimes being addressed with a single countermeasure. This further supports the position that measures and controls taken by entities once a cybercrime occurs are the same measures and controls that should have been in place before the breach Corporate Account Takeover Identity Theft Theft of Sensitive Data Theft of Intellectual Property A broad range of reports and authoritative sources were analyzed to separate vectors and tools from the actual cybercrimes. The sources include the AICPA, Cybersource Corporation, 8 Internet Crime Complaint Center (IC3), 9 IBM, 10 SANS, 11 Computer Emergency Response Team (CERT), 12 Computer Security Institute (CSI), 13 Ponemon Institute, 14 Microsoft, Verizon and Secure Florida. 15 Once the cybercrimes were identified, they were ranked in the following order by relevance to CPAs in public practice and business and industry. THE TOP 5 CYBERCRIMES 5 THE TOP 5 CYBERCRIMES 12 Of course, please consider us a resource as you explore the opportunities to protect yourself from these 21st century risks. You may view AICPA s paper at For information about proactively addressing cybercrime, contact Audrey Katcher at or audrey.katcher@rubinbrown.com. page 7

10 FEATURE Protect Your Organization With Cyber Resilience by Audrey Katcher, CPA, CISA, CITP & Randall Hahn, CPA, CISA Assess the Risks STEP STEP Monitor & Report STEP With increasing cybercrime, entities need to turn their cyber security concerns into cyber resilience strategies Develop a Plan STEP Communicate the Plan STEP Define Responsibilities

11 T-Mobile, Electronic Arts (EA), British Broadcasting Channel (BBC), Federal Election Commission, Target These companies are all not only well known but also share another common attribute. All five entities had recent cyber attacks. And they re not alone. Cyber attacks have become an everyday reality in our modern economy, with the average loss per incident exceeding $5,000,000, according to the Poneman Institute. Cyber security is an issue vital to all entities. In today s environment, the question of becoming a victim to a cyber security attack is no longer if but when. While the threat of a cyber security attack has become almost inevitable, the risks associated with it can be managed through an effective cyber resilience plan. Throughout this entire issue of RubinBrown s Horizons, you will read the many ways cyber attacks are impacting various industries as well as what organizations are doing to mitigate their exposure. > Cyber security refers to analysis, warning, information sharing, vulnerability reduction, risk mitigation and recovery efforts for networked information systems. ~ World Economic Forum This article focuses on providing an overview of cyber security in today s environment and the five key steps to building a cyber resilience plan. Overview of Cyber Attacks and Cyber Resilience Today, cyber attacks pose the element of surprise, and nearly each new attack is more innovative and sophisticated. Attacks are impacting more than just an entity s technology; they affect financial, reputational and stakeholder value. The strain of a cyber attack can impact all stages of an entity s supply chain, from vendor to customer. Attacks are becoming more difficult to develop mitigation strategies for as the interconnectivity of entities continues to increase and attack techniques evolve. > Cyber resilience is defined as the ability of systems and organizations to withstand cyber events. ~ World Economic Forum Additionally, the current spending for cyber security is predominately limited to investment in firewalls and virus protection software. Companies are finding that in addition to these investments, it s just as important to have cyber resilience plans. Entities need to link the investment in cyber security to the potential consequences they face. Businesses today should incorporate consideration for preservation of reputation, impact on customers and consequences from attacks. page 9

12 FEATURE In summary, these components are the basic tenants of what is known as cyber resilience: Security Preservation of reputation Customer impact Consequences A cyber resilience plan incorporates an understanding of modern attacks, a plan > 57% of respondents expect to experience a security breach within the next year, yet only 20% regularly communicate with management about threats. ~ Poneman Institute for defending/defeating those attacks and potential responses to those attacks. Cyber resilience plans are critical for entities of all sizes and can be adopted through the following five key steps. Step One: Assess the Risks The first step to developing a cyber resilience plan is to consider the business risk. What loss can the entity live with? Since budgetary spending on security is often limited, entities must identify the risks they face and then prioritize those risks to identify which ones are their greatest concerns. Keep in mind that the greatest risk may be your reputation and not the dollars directly associated with an individual attack. The thought process evolves from thinking about what type of protection to provide to all of the operations and assets to what are our most important assets and how do we protect them. Entities move from thinking about what are the inputs we need for a security plan, to what are the outcomes, or consequences, that we can live with and then how do we balance those risks with our limited resources. Step Two: Develop a Plan Once the priority assets have been identified, develop a plan to protect against the threats on those assets. The mindset should be of one moving beyond the minimal preventive and defensive controls needed for compliance standards, to how can resources be effectively aligned to protect an entity s assets. As the effects of a cyber attack can impact all aspects of the supply chain, there needs to be a plan that strikes a balance between addressing concerns around security and not unnecessarily constraining the means by which business needs to be conducted. page 10 horizons Spring 2014

13 The plan needs to be flexible to allow quick responses to attacks and the consequences from those attacks. To do this, cross-functional teams from varying business disciplines should develop and test the plans. The team should also ensure everyone is prepared to respond quickly and communicate with all affected stakeholders in the case of an incident arising. Step Three: Define Responsibility for Maintaining Security and for Responding A recovery plan must be flexible so it can adapt to a variety of attacks, while also being specific, comprehensive, and most importantly, achievable by those within the organization. In the plan, two primary responsibilities should be assigned to leaders with authority and support. These responsibilities are for: Maintaining the security Leading the response Define your Cyber Resilience Team 1. Executives To provide governance as well as a conduit to the audit committee and board level questions 2. Internal Audit To be an independent resource to report on the processes supporting cyber security and resilience 3. Communications To provide broad communication, including public relations management Avoid Apathy With Your Cyber Security Strategies by Jack Zaloudek, Lecturer and Program Director Information Management & Masters in Cyber Security Management, Washington University in St. Louis Since cyber security is all about risk management, it is essential that the risk strategy be managed throughout the organization. It is the responsibility of the c-suite to ensure that the strategy is: Understood by the employees of the firm The employees have the tools and training to implement the strategy Executives monitor the execution and absorption of the daily action plans necessary to make the employee awareness campaign a muscle memory response at every level of the business It is very easy for one of the common killers of a good plan apathy to set in. Apathy can affect the senior level of leadership, but can also be experienced by the employees who will revert back to the status quo after the initial push and training is past. Strong leadership and monitoring for lapses in following the policies and procedures are essential watchdog elements to counteracting cyber security malaise and apathy. It will not happen here is not a suitable organizational response. 4. Insurance To ensure clarity in the policies 5. Legal To advise and monitor on current regulatory and other legal insights 6. Technology To be a liaison and ensure an on-call technical response team is under contract 7. Finance To enable transparency in the cost page 11

14 FEATURE 8. Human Resources To ensure employees and those who may leave the company are managed 9. Supply Chain To ensure vendors have signed a commitment to cyber security with your company The leaders should ensure testing of the plan allows regular re-evaluation of both the prioritized assets and the actions needed to protect those priority assets as the security landscape evolves. This activity will help validate the security and the responsiveness. Step Four: Communicate the Plan Executive Level Executive level direction and support is essential. Cyber resilience plans require executive buy-in, collaboration from different levels within the entity and coordination with vendors and customers. When preparing your cyber resilience plan, consider: There are no answers which provide 100% assurance It is not a question of if an attack or incident will occur, but a question of when > Only 31% of U.S. entities have cyber insurance policies. ~ Experian Information Solutions, Inc. There is a direct relationship between response time and the exposure to operations, finances and reputation In summary, communication of the plan, relevant updates, as well as what is driving these updates should be delivered to leadership and the board regularly. Step Five: Monitor and Report Moving forward, entities should continue to monitor the evolution of their cyber resilience plan. They should communicate to stakeholders, both internally and externally, monitoring results and changes to the direction of the plan. page 12 horizons Spring 2014

15 Why Act Now? The costs and frequency of breaches are rising exponentially. The qualitative costs include loss of customer trust, reputation and stakeholder value > 44% of all small businesses surveyed have been a cyber-attack victim. ~ National Small Business Association The quantitative costs average $188 per record, with an average of over 28,000 records compromised per incident, resulting in a total average incident cost of $5,264,000 (Poneman Institute) Do not assume that your business or one of your subsidiaries is not at risk: CNN reports nearly half of the data breaches that Verizon recorded in 2012 took place in entities with less than 1,000 employees. Symantec, a leading computer security firm, reported that 31% of all attacks in 2012 targeted businesses with less than 250 employees and attacks were up 81% over RubinBrown s Business Advisory Services Group RubinBrown s greatest asset is the thought leadership of our diverse group of seasoned professionals. We have directed and consulted with a wide variety of companies, ranging from Fortune 500 public companies to startup private companies. Michael T. Lewis, CFA St. Louis Partner-In-Charge Business Advisory Services Group michael.lewis@rubinbrown.com Sunti Wathanacharoen Kansas City Partner Business Advisory Services Group sunti.wathanacharoen@rubinbrown.com Audrey Katcher, CPA, CISA, CITP St. Louis Partner Business Advisory Services Group audrey.katcher@rubinbrown.com Matt Wester, CPA, CFE Denver Partner Business Advisory Services Group matt.wester@rubinbrown.com page 13

16 FEATURE BIG Problems with Small DATA by Josh Leesmann

17 A Google search of big data will return about 12.7 million results. You will be quickly inundated with an endless list of vendors and software claiming to provide the solution to all of your big data needs. However, the marketing blitz may be slightly misleading as more pressing data challenges often fall into the camp of small data. That is to say, many of us may not be effective creators and consumers of information that can fit neatly within the realm of common spreadsheet software. We are most often held back by a lack of a methodological approach to the way we capture, store, analyze and access this small data. Currently, Excel is the data tool of choice. Approximately 95% of U.S. companies use Excel in their operating environments. Further, 50% of Excel files are relied upon for critical business decisions. The fact that this software is so prolific throughout the U.S. economy is not, on its face, a problem. The issue is that there is no method to the madness. The average Excel file lives on for 5 years and is edited by an average of 12 professionals. Such a long-lived, dynamic instrument warrants a rigorous review and control environment to mitigate the impact of errors. For some additional reading on the potential impact of such errors, you can peruse the Horror Stories compiled by the European Spreadsheet Risks Interest Group at The appropriate Excel environment can be created if we first think of it as a data manipulation tool. Think of Excel users as coders or software engineers. If you open and create Excel documents, you can technically be referred to as an Excel coder. This is a subtle distinction, but an important one. It is made more obvious when we juxtapose the control environment of a typical software engineer and the control environment of an Excel user. Software engineers often develop centralized controls and establish strict segregations of duties, monitoring the software s development at every stage of its life cycle. Technically, we can leverage the methods and controls implemented by developers to mitigate the potential errors we make in Excel. A good place to start with error mitigation and file control would be to have the Excel coders provide some metadata about their files. Have them create a road map and document their work in Excel, including any changes made after its initial creation. Further steps can be taken to clean up the actual work in Excel to increase the computational efficiency of the file and make it easier to review and understand. Excel coders can reduce the amount of embedded cross worksheet linking. For example: DO NOT sum items from other worksheets using a formula such as: =Sheet1!A1+Sheet2!A2+Sheet3!A3 DO pull the information into individual cells in the current worksheet so that you can use the following code, =A1+A2+A3 page 15

18 FEATURE Another word to the wise, do not create embedded if statements. For example: DO NOT use a formula such as: =if(a1=a2, Yes,if(B1=B2, No, Error )) DO break it up into two individual statements, such as: =if(a1=a2, Yes, No ) and =if(b1=b2, Yes, No ) Another great hint is to use Excel s functions. For example: DO NOT use a formula such as: =A1+A2+A3 DO use =sum(a1:a3) As a final note, be sure to add self-checking formulas that confirm the results of your work. There are currently researchers working with Excel add-ins that can help remind us to clean up our files. (Check out the free download of BumbleBee under 2013 publications at The growing complexities ushered in by the era of big data are going to dictate that companies add rigor to their data collection, storage and analysis processes. Excel is not immune to this. It is easy to focus on the more complex software and data systems, but very few organizations leverage any software as much as Excel. Although big data issues are most certainly on the horizon for many companies, we (95% of U.S. companies) may be better served to focus on the bigger problem of harnessing and controlling the small data. Source: Felienne Hermans presentation, Spreadsheets: The Dark Matter of IT. RubinBrown s Business Advisory Services Group RubinBrown s greatest asset is the thought leadership of our diverse group of seasoned professionals. We have directed and consulted with a wide variety of companies, ranging from Fortune 500 public companies to startup private companies. Michael T. Lewis, CFA St. Louis Partner-In-Charge Business Advisory Services Group michael.lewis@rubinbrown.com Matt Wester, CPA, CFE Denver Partner Business Advisory Services Group matt.wester@rubinbrown.com Sunti Wathanacharoen Kansas City Partner Business Advisory Services Group sunti.wathanacharoen@rubinbrown.com page 16 horizons Spring 2014

19 HIRING Accounting and Business Professionals? ABACUS Recruiting, an affiliate of RubinBrown, can help. Our specialty includes both permanent and temporary placement in the following areas: Accounting/Financial Management Bookkeeping Administrative Marketing Operations Information Technology ABACUS Recruiting s reputation for quality service stems from our industry knowledge, commitment to personalized service, confidentiality and dedication to maintaining the most ethical standards in the recruiting industry. Having successfully placed financial and business professionals in positions at Fortune 1000 companies, regional businesses and entrepreneurial firms, ABACUS Recruiting has become one of the most respected names in our industry. Whether you are a company in search of high caliber professionals or a candidate searching for a job change, ABACUS Recruiting is uniquely qualified to assist you. Tamara Tucker President tamara.tucker@abacusrecruiting.com Paul Iadevito Recruiting Manager paul.iadevito@abacusrecruiting.com Visit us at ABACUS RECRUITING IS AN AFFILIATE OF RUBINBROWN LLP

20 FEATURE page 18 horizons Spring 2014