Fall 2015 Issue of Horizons

RubinBrown's Fall 2015 issue of Horizons covers ethics and features articles on decision making, the AICPA Code of Conduct and cyber security.

horizons

Fall 2015 | A publication by RubinBrown LLP

ETHICS: GUIDING BUSINESS EXCELLENCE

FEATURING
∙ ETHICS DECISION TREE FOR FINANCIAL EXECUTIVES
∙ NEW ONLINE PLATFORM FOR AICPA CODE OF CONDUCT
∙ TEST YOUR FRAUD IQ
∙ PROTECTING YOUR COMPANY FROM CYBER ATTACKS

TABLE OF CONTENTS

Features
1 Welcome from the Managing Partner
2 RubinBrown News
5 Chairman's Corner
6 Ethics Decision Tree for Financial Executives
10 What's Your Fraud IQ?
16 Protecting Your Company from Cyber Attacks
68 Timely Reminders

Industry-Specific Articles
22 construction: Fraud In the Construction Industry. Identifying potential areas of risk for fraud and methods to minimize risk.
26 gaming: Growth Continues as Theme for 2015. Explaining the significance of the growth and what it means for the rest of 2015.
30 healthcare: Affordable Care Act Is Now Reality for American Healthcare - Frequently Asked Questions. Answering frequently asked questions regarding employer compliance.
35 law firms: The Millennial Generation & Workplace Ethics Considerations. Understanding their characteristics and personality traits will be critical in shaping organizational policies.
38 life sciences & technology: Ethics Are An Asset. Considering culture an intangible asset and how it's impacted by ethics.
42 manufacturing & distributing: Are You Compliant with the Foreign Corrupt Practices Act (FCPA)? Exploring how to be in compliance with the FCPA and reduce your risk exposure.
46 not-for-profit: Ethics & Your Organization. Actions not-for-profits can take to protect their reputations and assets with little to no financial resources.
50 private equity: Ethical Negotiations & the Role of Sell-Side Due Diligence. Presenting honest information to buyers can build buyer trust and greatly impact negotiations.
55 public sector: Elected Officials & Internal Control: A Time to Revisit. The importance of governing bodies' understanding of and participation in internal controls.
58 real estate: Supreme Court Recognizes Disparate Impact. Disparate impact and the effect on low-income housing tax credits.
64 transportation & dealerships: The Industry's Code of Conduct. Outlining the NADA, NITL and TCA codes of conduct.

Chairman: James G. Castellano, CPA, CGMA
Managing Partner: John F. Herber, Jr., CPA, CGMA
Denver Managing Partner: Michael T. Lewis, CFA
Denver Resident Manager: Gregory P. Osborn, CPA, CGMA
Kansas City Managing Partner: Todd R. Pleimann, CPA, CGMA
Editor: Dawn M. Martin
Art Director: Jen Chapman
Designer: Antionette Bedessie

Horizons, a publication of RubinBrown LLP, is designed to provide general information regarding the subject matters covered. Although prepared by professionals, its contents should not be construed as the rendering of advice regarding specific situations. If accounting, legal or other expert assistance is needed, consult with your professional business advisor. Please call RubinBrown with any questions (contact information is located on the back cover).

Readers should not act upon information presented without individual professional consultation.

Any federal tax advice contained in this communication (including any attachments): (i) is intended for your use only; (ii) is based on the accuracy and completeness of the facts you have provided us; and (iii) may not be relied upon to avoid penalties.

WELCOME FROM THE MANAGING PARTNER

Ethics Education for Our Clients

Every year for the past 10 years, RubinBrown has offered ethics seminars. This is our way of educating our clients and colleagues on this important topic, as well as helping them fulfill their two-hour ethics requirement for CPA licensure. It's interesting because of the 60+ seminars RubinBrown holds every year, the ethics seminars fill up the fastest and are, by far, the highest attended. While we do realize the interest is due in large part to the free CPE, we also take our role seriously in providing quality and thought-provoking education on this and other financial topics.

This year, we're excited to host Mark Whitacre as our keynote speaker for our ethics seminars. Many of you may have heard of Mark as he is the highest-ranking executive of any Fortune 500 company in the U.S. to become a whistleblower. He uncovered the Archer Daniels Midland (ADM) price-fixing scandal in the early 1990s. While he wore a wire and helped the FBI over a three-year period, he was also convicted and imprisoned for fraud and tax evasion. Most notably, Mark's role in the ADM case became the subject of a major motion picture starring Matt Damon (who played Mark). The film, The Informant, was released nationwide in 2009.

Drawing from his unique experiences, Mark now provides insight into corporate ethics, accountability and the warning signs of flawed corporate leadership. RubinBrown is thrilled that Mark will serve as our keynote speaker for our 2015 ethics seminars. We have located the seminars at larger venues so we can accommodate as many of our clients and friends as possible.

Looking forward to seeing you there!

Pleasant reading,

John F. Herber Jr., CPA, CGMA
Managing Partner

REGISTER NOW! at www.RubinBrown.com/Ethics for Professional Ethics: When Good Leaders Lose Their Way
∙ Denver: November 10, Denver University
∙ Kansas City: November 11, Overland Park Convention Center
∙ St. Louis: November 12, Saint Louis Art Museum

www.RubinBrown.com | page 1

RUBINBROWN NEWS

RubinBrown Manager Named St. Louis Business Journal 30 Under 30 Daniel Holmes, CPA, manager in RubinBrown’s Business Advisory Services Group, was named one of the St. Louis Business Journal ’s 30 Under 30. Holmes serves as a practice leader for RubinBrown’s Gaming Services Group where he is responsible for the development of a national accounting and consulting practice focused on the gaming industry.

RubinBrown Partner Named St. Louis Business Journal Most Influential Business Women

Audrey Katcher, CPA, partner in RubinBrown’s Business Advisory Services Group, recently received one of the St. Louis Business Journal ’s Most Influential Business Women Awards. The awards honor women who are accomplished business leaders from a variety of industries across the area and have made a significant impact in the business community.

Castellanos Awarded Rockhurst University’s Magis Award RubinBrown Chairman Jim Castellano and his wife, Karen, are the 2015 honorees of the Rockhurst University Magis Award. This award is presented annually to individuals who have made outstanding contributions to the St. Louis and Rockhurst University communities. Jim is an alumnus of Rockhurst University and is the former chairman of the Board of Trustees.


The RubinBrown Client Portal is Coming Soon RubinBrown announces the upcoming launch of a new client portal. The new portal will provide a safe and secure method for RubinBrown and clients to share files. Once in place, clients will receive email notifications with a link to download files whenever a file is uploaded to their portal. Likewise, RubinBrown will be notified when new files are uploaded by clients, allowing the RubinBrown team to securely retrieve the necessary information.

Additional information will follow closer to the portal’s launch date.


RubinBrown Promotions

PARTNERS

Peter Aje is a partner in the Tax Services Group. Peter has been with the firm since 2004. He specializes in real estate partnerships and helping real estate developers and syndicators take advantage of tax credits.

Jim Grimes, a partner in the Business Advisory Services Group, has been with the firm since 2012. He specializes in internal control risk assessment, Sarbanes-Oxley compliance and forensic and fraud investigations.

Suzy Kimbrough is a partner in the Tax Services Group. She has more than 20 years of public accounting experience. Suzy provides tax and consulting services to businesses, not-for-profit organizations and individuals.

Mary Kay Lofgren is a partner in the Assurance Services Group and has more than 15 years of experience working on assurance engagements. She specializes in the not-for-profit and public sector industries.

Natalie Massaro serves as a partner in RubinBrown's Tax Services Group. She serves clients in the contractors, home builders, professional services, real estate, manufacturing & distribution and retail industries.

Jason McAdamis is a partner in the Tax Services Group. He has more than ten years of accounting experience. He works with clients in various industries, including private equity and manufacturing & distribution.

Chester Moyer is a partner in RubinBrown's Assurance Services Group. He provides audit and attestation services, specializing in multiple industries including public sector and manufacturing & distribution.

Now serving as a partner in the firm's Strategic Client Development department, Eric Stranghoener works with the firm's industry and practice leaders to develop new relationships and achieve strategic growth plans.

CONGRATULATIONS!


RubinBrown Promotions

MANAGERS

Since joining the firm in 2009, Patrick Amos serves clients in the manufacturing & distribution, not-for-profit and public sector industries.

Jeff Barnes provides consulting services regarding business transactions and forensic accounting to clients in various industries.

Leslie Bittle provides tax services primarily for clients in the real estate, home builders, construction, professional services and oil and gas industries.

Matt Hefti works with clients in the construction and manufacturing & distribution industries.

Buck Julian focuses on serving clients in the real estate industry, specializing in low-income housing tax credits, new markets tax credits and other tax credits.

Jordan Lampkin provides plan and risk-based audit services to clients in the manufacturing & distribution industries.

Josh Leesmann provides business analytics and litigation consulting services to healthcare and pharmaceutical clients.

Melissa McCabe provides audit services to public sector and not-for-profit entities.

Colleen McDole provides assurance services with a focus on not-for-profit organizations and the manufacturing & distribution industries.

Dan Pimmel provides business performance analysis and risk-based audit services to clients in the construction and private clubs industries.

Graham Ryan focuses on construction, manufacturing & distribution and benefit plan audit services.

Sheila Sharples assists clients in the agriculture, manufacturing & distribution, medical, professional services and real estate industries.

Brent Wartick focuses on internal audit and risk services for clients in the gaming, manufacturing & distribution and life sciences and technology industries.

Linda Wolff specializes in new entity advisory, tax preparation and compilation and review services.

PROMOTED TO DIRECTOR

Tamra Fischer has been with RubinBrown since 1995 and now serves as the Director of Tax Operations. In Tamra's new role, she will oversee and manage the operational aspects including scheduling and staffing management, tax return assembly and much more.

NEW TALENT

Rachelle King joined RubinBrown as a manager in the firm's Business Advisory Services Group. She works with clients in a variety of industries, including healthcare, public sector, life sciences and technology.

Bruce Welikson joined RubinBrown as a manager in RubinBrown's Tax Services Group. He specializes in low-income housing tax credits, historic rehabilitation tax credits, new markets tax credits and renewable energy tax credits.


CHAIRMAN'S CORNER

Is Public Accounting an Industry Or a Profession? by Jim Castellano, CPA,CGMA

I must admit to a bit of irritation every time I hear someone refer to the "accounting industry." Okay, maybe I am overly sensitive. Most people would not know the distinction. But there is a distinction and it is quite significant. What is a profession after all? A profession is a discipline that is based upon professional education, a system of self-regulation based on a code of professional ethics and subject to governmental review and licensure.

To become a certified public accountant in most states, one must have a baccalaureate degree with a minimum of 150 semester hours, pass a rigorous national examination and meet prescribed experience requirements. Once a CPA, the professional must adhere to requirements for continuing professional education and maintain strict compliance with the AICPA Code of Conduct. Members of the American Institute of CPAs, the national professional organization for all CPAs in the United States, are subject to the AICPA Code of Conduct. Compliance with both the principles and the rules of the Code of Conduct is required.

The principles require CPAs to:
∙ Perform all professional responsibilities with the highest sense of integrity
∙ Maintain objectivity and be free of conflicts of interest
∙ Strive continually to improve competence and the quality of services, among other things

The enforceable rules of conduct include independence, integrity and objectivity, confidential client information and general standards of behavior. "A distinguishing mark of a profession is acceptance of its responsibility to the public," according to the AICPA Code of Conduct. The code defines public interest as "…the collective well being of the community of people and institutions that the profession serves."

It is this responsibility for public service that distinguishes the public accounting profession from an industry.

Our mission at RubinBrown is to "help clients build and protect value, while at all times honoring our responsibility to serve the public interest." This is why we exist as an organization. Serving an essential role in society, we are, indeed, a profession.

Jim Castellano is Chairman of the Board of RubinBrown LLP. He joined RubinBrown in 1973 and has served at the helm since 1989. Jim's influence extends beyond the firm to the accounting profession as a whole. In addition to his leadership role at RubinBrown, he also serves as Chairman of Baker Tilly International, the world's eighth-largest network of independent accounting firms.


FEATURE

Ethics Decision Tree for Financial Executives

The AICPA created an ethics decision tree to help walk financial executives through the process of resolving ethics issues. If you encounter an issue that would result in a material misrepresentation of fact or a violation of applicable laws or regulations, then threats to compliance with AICPA’s Code of Conduct exist.

When speaking with your manager or higher level(s) of management, carefully gauge your satisfaction with the response. Bear in mind that your manager or other executive might be a party to the situation that you have observed, so approach the response with the necessary degree of professional skepticism.

If you are satisfied with the response, it appears you have successfully managed your way through this challenge. It is recommended that you maintain and secure all documentation related to this matter as described in your organization's record retention policy or as recommended by your legal counsel, in case the issue resurfaces.

Have the organization's processes, internal control system and culture changed in response to this matter? Are these changes sufficient to minimize the recurrence of a challenge like this one? Evaluate your answers and properly document all resulting actions.

In addition, make sure you document your understanding of the facts, the accounting principles or other relevant professional standards involved or the applicable laws or regulations, and the conversations and parties with whom these matters were discussed.

If you are not satisfied with the response, consider whether it is appropriate for you to continue your employment at this organization and take appropriate steps to eliminate your exposure to subordination of judgment. Consider the severity and implications of the issue you have identified and whether it should be reported to the outside accountants, regulatory agency, bank or other lending institution, owner or investor committee, Board of Directors or another party.

New Online Platform for AICPA Code of Conduct

The AICPA recently restructured its ethics standards to improve the AICPA Code of Professional Conduct so that financial executives can apply the rules and reach correct conclusions more easily and intuitively.

To achieve this, the AICPA restructured the code into several parts each organized by topic, edited the code using consistent drafting and style conventions, incorporated a conceptual framework for CPAs, revised certain provisions to reflect the "conceptual framework" approach (also known as the "threats and safeguards" approach) and, where applicable, referenced existing non-authoritative guidance to the relevant topic.

In addition, a new dynamic online platform was developed to house the code. This platform allows users to quickly navigate the code, conduct searches and also contains personalization features. To view the new online AICPA Code of Professional Conduct, go to: www.RubinBrown.com/AICPA-Code

This information originally appeared in Journal of Accountancy. © 2015, American Institute of CPAs. Used by permission.

RubinBrown's Assurance Services Group

RubinBrown utilizes a unique, value-added approach to our audit services. The ViewPoints report focuses on understanding all aspects of your organization and enables us to evaluate the overall effectiveness of your organization.

Fred Kostecki, CPA, CGMA — St. Louis
Partner-In-Charge, Assurance Services Group
314.290.3398 | fred.kostecki@rubinbrown.com

Rodney Rice, CPA, CGMA — Denver
Partner, Assurance Services Group
303.952.1233 | rodney.rice@rubinbrown.com

David Duckwitz, CPA — Kansas City
Director of Quality Control, Assurance Services Group
913.499.4433 | david.duckwitz@rubinbrown.com

Todd Pleimann, CPA, CGMA — Kansas City
Kansas City Managing Partner
913.499.4411 | todd.pleimann@rubinbrown.com


UPCOMING RUBINBROWN SEMINARS

MARK YOUR CALENDARS

Glean insight into the latest tax legislation. Learn more about how new accounting rules will affect your business. Find out how your organization can benefit from business strategies and innovative ideas. Throughout the year, RubinBrown is an excellent source for learning and insight. Registration will be available 5 weeks prior to each event at www.RubinBrown.com/Events

Manufacturing & Distribution Lean Roundtable: Cyber Security
∙ Kansas City: RubinBrown Office, October 27, 2015
∙ St. Louis: RubinBrown Office, October 29, 2015

How the Federal Government's New Uniform Grant Guidance Impacts You
∙ Denver: RubinBrown Office, November 12, 2015
∙ Kansas City: Overland Park Convention Center, November 5, 2015
∙ St. Louis: RubinBrown Office, November 10, 2015

Professional Ethics: When Good Leaders Lose Their Way
∙ Denver: Denver University, November 10, 2015
∙ Kansas City: Overland Park Convention Center, November 11, 2015
∙ St. Louis: Saint Louis Art Museum, November 12, 2015

Year-End Accounting & Tax Update
∙ Denver: RubinBrown Office, December 10, 2015
∙ Kansas City: Overland Park Convention Center, December 9, 2015
∙ St. Louis: Donald Danforth Plant Science Center, December 8, 2015

Affordable Housing Tax Credit Conference
∙ Denver: RubinBrown Office, December 9, 2015

SEC Update
∙ Denver: RubinBrown Office, January 6, 2016
∙ St. Louis: St. Louis Cortex Office - CIC@4240, January 5, 2016

Research & Experimentation Tax Credit Seminar
∙ Denver: RubinBrown Office, January 14, 2016
∙ Kansas City: RubinBrown Office, January 12, 2016
∙ St. Louis: RubinBrown Office, January 19, 2016

Not-For-Profit Update
∙ Denver: RubinBrown Office, January 26, 2016
∙ Kansas City: Overland Park Convention Center, February 9, 2016
∙ St. Louis: Donald Danforth Plant Science Center, January 20, 2016

Public Sector Seminar
∙ Denver: RubinBrown Office, February 5, 2016
∙ Kansas City: Hallbrook Country Club, February 3, 2016
∙ St. Louis: RubinBrown Office, January 28, 2016


FEATURE

What’s your fraud IQ?

The groundwork for effective fraud prevention and detection is found in an ethical team that is expected to make ethical decisions and then is fully supported in doing so.

Organizations that enact robust ethics programs send a clear message to their employees about which behaviors are acceptable and which behaviors are prohibited.

Do you know the hallmarks of an ethical corporate culture? Are you ready and able to help institute an effective ethics program at your organization?

Take this quiz and find out.

1. According to the Ethics Resource Center, what percentage of workers observed ethical misconduct at their workplaces during 2013?
a) 14%
b) 27%
c) 41%
d) 73%

2. Generally speaking, what is the difference between a code of ethics and a code of conduct?
a) A code of ethics applies exclusively to members of management, whereas a code of conduct applies to all employees.
b) A code of ethics describes broad ethical standards, whereas a code of conduct describes acceptable behaviors for specific situations.
c) A code of ethics instructs employees on how to comply with laws and regulations, whereas a code of conduct comprises the company's mission statement and core values.
d) There is no difference—the terms code of ethics and code of conduct are synonymous.

3. As part of its current ethics program evaluation, Maple Inc. management is revisiting the company's code of conduct. During a discussion about the existing code, a member of the management team suggests that they should enact a specific code for just the company's executives. Which of the following is one of the goals of an executive-specific code of conduct?
a) To provide a more stringent set of conduct standards for executives than for the rest of the staff.
b) To reinforce policies addressing issues faced by all levels of employees.
c) To establish harsher sanctions than legally required for executives who commit fraud.
d) To replace the organization's general code of conduct for executives.

4. Which of the following statements regarding an ethics audit is true?
a) The objective of an ethics audit is to determine whether the organization's financial statements were created in accordance with sound ethical principles.
b) The same audit procedures should be used in each area of the company to ensure a consistent picture of the company's ethical culture is obtained.
c) To be effective, ethics audits must be performed by an independent third party.
d) An ethics audit examines both qualitative and quantitative data to arrive at an assessment of the company's ethical culture.


5. As part of its new ethics initiative, management at Green Co. is holding an ethics training session during which participants are surveyed regarding the specific character attributes they associate with ethical or unethical behaviors. Which of the following types of ethics workshops is Green Co. holding?
a) A code of ethics assessment.
b) A code of conduct violations and outcomes discussion.
c) A personality analysis.
d) An application of the ethics decision-making process.

6. Which of the following statements regarding organizations' cultural systems is true?
a) A company's formal cultural system includes the language used to communicate values throughout the organization.
b) Employees' perceptions of informal cultural systems influence their ethics-related behavior more than formal systems do.
c) A company's informal cultural system includes the organization's mission and value statements.
d) All of the above.

7. In the wake of a corporate scandal, XYZ Co. management is expanding the company's ethics program and has decided to create a new position for a chief ethics officer. To be most effective, the individual in this position should:
a) Report directly to the company's legal counsel.
b) Have direct, unimpeded access to the board of directors.
c) Be hired directly by the company's vice president of operations.
d) Be exempt from performance goals to boost independence.

8. Which of the following is NOT a recommended practice for incentivizing employees' ethical behavior?
a) Providing employees with a list of general ethical qualities that they should strive for to be rewarded.
b) Allowing employees to report instances of, or other employees who exhibit, exemplary ethical behavior.
c) Including ethical behavior as a formal part of all performance evaluations.
d) Empowering managers to reward employees who exhibit a high level of ethics.

Answers

1. (c) The most recent National Business Ethics Survey conducted by the Ethics Resource Center (ERC) found that 41% of private-sector employees witnessed misconduct at their organizations during the 12 months preceding the study. This finding is a record low for the ERC's surveys and reflects some potential good news regarding the effectiveness of many organizations' ethics programs. Another positive note from the ERC survey is the decline—from 13% in 2011 to 9% in 2013—in the percentage of employees who reported feeling pressure to compromise their ethical standards on the job. However, 60% of the incidents of observed misconduct were perpetrated by supervisors and managers, and 67% of the misconduct involved multiple acts or ongoing unethical behavior, revealing the need for companies to continue taking proactive steps toward building an ethical culture.

2. (b) A code of ethics and a code of conduct are both integral parts of an organization's ethics program; in many organizations, the two codes are collectively referred to as the ethics policy. Although the two codes work in tandem to provide ethical guidance to all employees, they serve different purposes and contain different information to meet that objective. A code of ethics is a principles-based code that describes broad ethical aspirations, standards, and values that support employees in making judgments about the underlying ethics of varying situations. In contrast, a code of conduct is a rules-based code that describes acceptable and unacceptable behaviors for specific situations that are likely to arise, thereby removing the need for judgment in many circumstances. In essence, the code of conduct gives substance to the code of ethics; consequently, the code of ethics tends to be straightforward and concise, while the code of conduct is usually more detailed and much longer.

3. (a) A company's executives face different—and often more serious—ethical dilemmas than the rest of the staff. And the choices executives make typically have a much greater impact on the organization. Since 24% of misconduct and 19% of frauds involve organizations' senior leaders, specific ethical guidance for company executives sends a clear message about expected ethical conduct from the top down. An executive-specific code of conduct should be in addition to—not in place of—the general code of conduct, and should address issues that are specifically applicable to management, such as conflicts of interest and relationship issues, protection of confidential information, financial reporting and disclosure issues, influence on independent auditors, and requirements for reporting to the board of directors and audit committee. Creating a separate code of conduct for executives also demonstrates to other staff members and outside parties the higher standards to which management is held. Further, because senior leaders are the ones setting the standard for acceptable behavior within the company, enacting more stringent ethical requirements for those individuals supports and emphasizes a strong tone at the top.

4. (d) According to the Society for Human Resource Management, an ethics audit is "a comparison between actual employee behavior and the guidance for employee behavior provided in policies and procedures." By its nature, this type of assessment relies heavily on qualitative or subjective information; however, the ethics audit team should also consider use of quantitative, measurable data—such as employee performance review scores and helpline metrics—wherever possible. Additionally, while an ethics audit conducted by an independent third party will yield more objective results, ethics audits are often conducted by the organization itself. If the audit is conducted by an internal team, the team should consist of staff members from various functions such as HR, compliance, legal, and internal audit. Procedures performed as part of an ethics audit typically include:
∙ Reviewing the company's ethics-related policies and procedures against best practices, expected and actual outcomes, and benchmarking data.
∙ Interviewing employees about the company's culture and commitment to ethics.
∙ Observing processes for adherence to ethics-related policies and procedures.
∙ Analyzing the frequency, significance, and trends in known misconduct.
∙ Analyzing trends in reports of wrongdoing by employees and others.
∙ Examining how previous ethical breaches were handled.
∙ Asking management what the company has done to prevent repeat occurrences of past breaches.
The audit team's selection and application of such procedures should be based on the specific relevant ethics risks in each area (e.g., conflicts of interest in sales, falsifying company financial data in accounting and bribery in geographic regions where such practices are common). Using this risk-based approach, the goal of the ethics audit should be to identify gaps in the company's policies and practices where additional guidance or requirements would better serve employees in making ethical decisions.

5. (c) If conducted effectively, ethics training can foster a culture of trust. While there is no single best way to train employees in ethics, training sessions are typically most effective when they are conducted live, led by managers and held in small groups. Ethics workshops provide a more interactive and personal—and, thus, a better retained—training experience than online or lecture-style programs. Workshops can be conducted using a variety of approaches, but the goal is to provide discussion-driven, applicable and actionable learning to all employees.

6. (b) In any organization, two ethical cultural systems are at play: the formal system and the informal system. The formal cultural system is composed of the policies and programs that are formally established and adhered to in an effort to build and boost the company's ethical culture. Elements of a formal cultural system include the organization's mission statements, core value statements, ethics policies, hiring processes, orientation and training programs and performance-management systems. In contrast, the informal cultural system involves those symbolic traits that influence employees in a more subconscious way, such as company leaders' responses to crises, the issues and situations that leaders systematically pay attention to, the behavior that is celebrated as part of company rituals (e.g., community service days, awards to top salespersons) and the language used to communicate values throughout the organization. Employees' perceptions of informal cultural systems tend to influence their ethics-related behavior more than the formal systems, so attention to and proactive management of these systems is especially crucial.

7. (b) As companies embrace the importance of fostering an ethical culture from the top down, many organizations have created a leadership position charged with maintaining, monitoring and continually improving the ethics program. Whether combined with the duties of the chief compliance officer or divided into a separate chief ethics officer role, a C-level official focused on ethics can serve as an embodiment of the organization's desired ethical culture. The chief ethics officer role is typically charged with managing the formal and informal components of the entity's ethics program, as well as leading the response to any potential violations thereof. However, simply appointing a chief ethics officer to the executive team does not ensure that the organization's ethics program will be effective; the individual must also be provided sufficient authority to carry out these responsibilities.

8. (a) Most organizations have performance management programs in place to address and discipline ethical breaches. But far fewer entities have implemented measures to formally incentivize desired behavior. In other words, for many companies, the stick is present, but the carrot is missing. To be fully effective, a comprehensive ethics program should include mechanisms to address both angles of encouraging ethical behavior. Perhaps the most common method of incentivizing ethical behavior is to incorporate ethical considerations into employee performance evaluations. Requiring an assessment of employees' ethics ensures that management evaluates employees not only on which performance objectives they met, but on how those goals were achieved. To reinforce the importance of these factors, the results should be considered in determining the employees' bonuses and salary increases. The results should also be a key factor in all promotion decisions. Additionally, this type of assessment should carry as much weight—or even more—in executives' performance evaluations as it does in staff-level employees' performance evaluations. Providing managers with the authority to reward employees who exhibit a high level of ethics, such as with a small gift or bonus, a one-on-one lunch or some other incentive, is another effective way to incentivize ethical behavior.

Another mechanism to emphasize the importance of ethics is to provide employees with a means to submit real examples of excellence in ethical decision-making or behavior that they have observed in the organization. Management can publicly acknowledge and praise the examples received, as well as consider providing other rewards to the ethical employee if the situation merits. This form of reverse hotline, in which management seeks to collect reports of positive behavior, rather than just ethical breaches, highlights the importance the company places on detecting misconduct and fostering ethical conduct. Whatever reward mechanisms management enacts, a large part of successfully incentivizing employees to act ethically is to define specifically what type of behavior company leadership considers ethical. A clear and helpful way to do this is to tie these expectations to the company's value statements. As with any other performance measurement, the examples must be observable behaviors to facilitate witnessing, monitoring and rewarding—or correcting, reprimanding and punishing—specific incidents based on the clear criteria provided.

Scoring If you answered all eight questions correctly, congratulations. Your thorough knowledge of effective ethics program design will help you effectively in the fight against fraud and misconduct. Keep up the good work. If you answered six or seven questions correctly, you’re on the right track. Continue to build on your knowledge of ethics and fraud prevention programs. If you answered fewer than six questions correctly, you may want to brush up on your knowledge. Enhancing your understanding of effective ethics program components will help ensure that you have what it takes to keep your organization protected from fraud.

This article originally appeared in Journal of Accountancy. © 2015, American Institute of CPAs. Used by permission.

www.RubinBrown.com | page 15

FEATURE

PROTECTING YOUR COMPANY FROM CYBER ATTACKS by Rob Rudloff, CISSP-ISSMP, MBA

page 16 | horizons Fall 2015

With the increasing risks and costs of cyber security, knowing how to protect your company is critical. Cyber risk must be managed as an ongoing, organization-wide concern, not just an IT issue. The first step is to admit that the threat is real and that your company could be a target.

According to the Ponemon Institute’s 2015 Cost of Data Breach Study: Global Analysis, U.S. companies had the most costly data breaches worldwide on average ($217 per record) and the greatest average number of exposed or compromised records per breach (28,070). According to the report, the global average cost of a breach rose to $1.57 million and the U.S. average cost rose to over $6 million.

One disturbing phenomenon that has grown rapidly over the past decade is social engineering: manipulating people, rather than technology, to break into systems. Examples include hackers calling employees to extract information, picking up access codes or entry cards by “shoulder surfing” employees, sending phishing emails and placing calls asking users to update computers or software, all in order to gain context or credentials for hacking into your systems. Phishing email attacks are increasingly sophisticated, presenting seemingly legitimate information with disastrous consequences. The increasing sophistication includes methods to bypass email filtering (so the attack reaches the end user) and significantly better-crafted emails (so your end users are more likely to click). It is nearly guaranteed (i.e., likelihood approaching 100%) that someone, at some point, is going to click on a link or attachment. The question is: Will you know when it has happened, and are you equipped to deal with it effectively?

Tone at the Top
Setting the governance perspective over the importance of security is a critical first step. Cyber security has risen to become one of the top boardroom issues, according to a recent study conducted by the Georgia Tech Information Security Center. The report indicates that nearly two-thirds (63%) of boards and executives of Forbes Global 200 companies are actively addressing computer and information security, up from 33% in 2012. The survey also indicates that, now more than ever, these boards and executives understand that they have a fiduciary duty to protect the digital assets of their companies and are now paying more than “cursory attention to cyber risks.”

Getting Serious About Protecting Your Company
Protecting your company against attacks is certainly possible, but it requires focus, vigilance and a sprinkling of paranoia. First, determine what is known about your company’s data, where and how it is accessed and how it is protected.

www.RubinBrown.com | page 17


Consider the following questions to develop a clear snapshot of your company’s sensitive information:

What Sensitive Information Exists in Our Company?
∙ Do we have social security numbers, driver’s license photos, credit information or other personally identifiable information for our customers, employees, contractors or vendors?
∙ Do we have marketing, pricing or other information valuable to our competitors?
∙ What kind of customer information is covered by confidentiality agreements?

Where Does the Sensitive Information Exist?
∙ Where do we store paper documents, scanned documents, electronic files, email and application data?
∙ Are we using cloud service applications to store data outside our environment?

Who Has Access to Our Data?
∙ Who in our organization has the ability to log in and access the data?
∙ Once logged in, are there rules that restrict each user to only what is needed?
∙ Do we have any partners, suppliers or other vendors in our systems with access to our data?
∙ Do we use segregation of duties to limit and detect fraudulent activity?

How is Our Data Protected?
∙ Is our data encrypted as it is transmitted between our internal environment and outside recipients?
∙ Is our data encrypted when stored?
∙ Do we have appropriate authentication methods in place?
∙ How are users provisioned for access?

How is Our Technology Protected?
∙ Do we have adequate perimeter controls to detect and prevent attacks against our IT systems?
∙ Do we have adequate internal controls to detect and prevent attacks from within our environment?
∙ Is our technology physically protected to prevent tampering?
∙ Do we have disaster recovery and continuity plans in place?

How Will We Know?
Unfortunately, in today’s world it is not “if” but rather “when” we’ll become a victim.
∙ How will we know if/when a security event or breach has occurred?
∙ Do we have enough security intelligence to inform us when something abnormal is occurring, so that it can be investigated, contained and eradicated?

Once you have the snapshot you can develop plans, processes and designs to protect the information.

Limit Your Exposure
A good next step is to review your vendor contracts with your legal advisor to ensure you are limiting your exposure in case of a data breach, and to obtain security assurance reports (Service Organization Controls, SOC 2) from the vendors. Review your vendor contracts and SOC 2 reports for the same issues you examined in your own snapshot, especially for vendors providing data center, cloud, software and IT specialist services, and include other outside suppliers with access to your internal systems. Talk with your industry peers about what they have learned and which systems they are implementing, and assign responsibility within your own organization. Regularly review your company’s cyber liability insurance coverage to determine whether it is appropriate. Determine what risks you are willing to take on at your company. A board management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach.

page 18 | horizons Fall 2015

Safeguard Your Data
Data protection must be company-wide. Think about the various ways in which your company interacts with technology and data. Use these areas to develop policies, procedures and technology solutions. Each of the areas listed on the following page is part of a layered defense approach, so that if any one layer is compromised, the additional controls can still provide protection and detection capabilities.

Physical Environment
Safeguarding your data begins with a secure physical environment. Restrict access to physical areas with sensitive information and monitor who accesses the area. Maintain secure destruction of paper and media, including PC drives, USB drives, servers, copiers, scanners, etc.

Technology Infrastructure
Understand your inventory of hardware, software and applications so you can recognize something out of the ordinary. Implement web content filtering and automated “threat intelligence” feeds to block outbound access to known malicious sites. Install antivirus and anti-malware protection and update it regularly. Decide who receives mobile devices and set up protocols for how and when they are used. Consistently monitor for malicious or abnormal behavior across the network, applications and end-user workstations. Finally, establish solid perimeter controls, including firewalls and intrusion detection/prevention systems, and review their rules and alerts regularly.
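The “How Will We Know?” questions above and the threat-intelligence blocking and monitoring described in this section come down to checks that can be run over logs most companies already collect, such as web-proxy logs. The following is an added example, not code from the article or from RubinBrown: a small Python script that checks constructed outbound proxy log lines against a constructed blocklist of domains (matching a listed domain and any subdomain beneath it, which is how a feed entry is normally applied) and, separately, flags any user/host pair contacted at regular intervals, the “beaconing” pattern of malware checking in with its controller, which a feed cannot catch if the host is not yet listed. The log layout, user names, domains and thresholds are all assumptions made for the illustration.

```python
"""Added example (not from the article): check outbound web-proxy logs
against a threat-intelligence blocklist and flag beacon-like traffic.

All inputs below are constructed for illustration. The log format
(timestamp user method url status) and the domains are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed blocklist, standing in for an automated threat-intelligence feed.
BLOCKLIST = {"bad-updates.example", "cdn.malicious-host.example"}

# Constructed proxy log: one outbound request per line.
SAMPLE_LOG = """\
2015-09-14T08:00:05 alice GET http://www.example.org/index.html 200
2015-09-14T08:00:09 bob GET http://intranet.corp.example/portal 200
2015-09-14T08:00:15 dave GET http://metrics.unknown-host.example/ping 200
2015-09-14T08:01:00 carol GET http://www.bad-updates.example/installer.exe 200
2015-09-14T08:05:15 dave GET http://metrics.unknown-host.example/ping 200
2015-09-14T08:07:31 bob GET http://news.example.org/story/42 200
2015-09-14T08:10:15 dave GET http://metrics.unknown-host.example/ping 200
2015-09-14T08:12:40 carol POST http://c2.cdn.malicious-host.example/gate.php 200
2015-09-14T08:15:15 dave GET http://metrics.unknown-host.example/ping 200
2015-09-14T08:22:03 alice GET http://www.example.org/about.html 404
"""


def parse_line(line):
    """Split one log line into its fields; the host is taken from the URL."""
    ts, user, method, url, status = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "method": method,
        "host": urlsplit(url).hostname,
        "status": int(status),
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_blocklisted(host, blocklist):
    """True if the host, or any parent domain of it, appears in the blocklist.

    'c2.cdn.malicious-host.example' is checked as itself, then
    'cdn.malicious-host.example', 'malicious-host.example', 'example'.
    """
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def blocklist_hits(text, blocklist=BLOCKLIST):
    """Every log entry whose destination matches the blocklist."""
    return [e for e in parse_log(text) if is_blocklisted(e["host"], blocklist)]


def beacon_candidates(text, min_hits=4, max_jitter=0.1):
    """User/host pairs contacted at near-constant intervals.

    A pair qualifies when it has at least min_hits requests and the
    standard deviation of the gaps between them is within max_jitter
    of the mean gap. Thresholds are illustrative, not tuned values.
    """
    by_pair = defaultdict(list)
    for e in parse_log(text):
        by_pair[(e["user"], e["host"])].append(e["ts"])

    found = []
    for (user, host), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) <= max_jitter * avg:
            found.append({"user": user, "host": host,
                          "interval": avg, "hits": len(stamps)})
    return found


if __name__ == "__main__":
    for e in blocklist_hits(SAMPLE_LOG):
        print(f"BLOCKLIST  {e['ts']}  {e['user']:6}  {e['host']}")
    for b in beacon_candidates(SAMPLE_LOG):
        print(f"BEACON     {b['user']:6}  {b['host']}  "
              f"every {b['interval']:.0f}s x{b['hits']}")
```

Run as a script, the first check reports carol’s two requests (the installer download and the later check-in, which matches through its parent domain), while the second reports dave’s host even though no feed lists it, because four requests exactly 300 seconds apart is not how a person browses. Real proxies emit different layouts and far more noise, so in practice the thresholds need tuning and legitimate polling (update checks, monitoring agents) needs an allowlist.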

Cyber Security Health Check
The areas listed below are covered in “The Critical Security Controls for Effective Cyber Defense, Version 5,” found at www.RubinBrown.com/CriticalControls. They include aspects of the National Institute of Standards & Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity and the International Organization for Standardization (ISO) 27000 series, and can be linked to other standards as well.

∙ Data Retention & Secure Destruction
∙ Access & Authentication Controls
∙ Change Management
∙ Data Security
∙ End-Point Protection
∙ Information Security Policies
∙ IT Risk Assessment Process
∙ Logging, Auditing & Monitoring
∙ Mobile Devices
∙ Network Architecture, Design & Implementation
∙ Password Management
∙ Patch Management
∙ Perimeter & Network Segmentation
∙ Recovery, Response & Continuity Plans
∙ Remote Access & Authentication Controls
∙ Third Party Security & Cloud Usage
∙ Vulnerability Management
∙ Wireless Security

www.RubinBrown.com | page 19


Users & Endpoints
Understanding how information moves into, through and out of your business is essential to assessing security vulnerabilities. Identify any sensitive information that personnel or third parties have (or could have) access to via your systems. Limit the information you collect and retain, to prevent needless storage of data and reduce the risk of unauthorized access to it. Protect the information you do maintain by assessing risks and implementing protections in key areas: physical security, electronic security, employee training and oversight of service providers. Properly dispose of information that is no longer needed. Finally, have a plan in place to respond to security incidents and data breaches should they occur, closely aligned with your continuity plan.

Mobile Computing Security
Employees’ use of their personal devices (Bring Your Own Device, or BYOD) represents a huge potential threat to your company, and the international travel that often accompanies mobile use exposes your systems to further risk. With the explosion of social media use and international travel, it is essential to decide whether or not you will allow personal mobile devices on your network. Cyber criminals, locally and internationally, are increasingly targeting mobile devices; seemingly innocuous activities like downloading a video or installing a new app could represent a serious threat. Clearly document which devices can be used, as well as how and when they may be used. Set similar protocols for USB drives, tablets and other hardware that may be connected to your environment. (See the Cyber Security Health Check sidebar on page 19 for more information.)

Applications
Limit access to your software applications on a “need to know” basis, often referred to as “least privilege.” Set up access rights for sensitive applications that distinguish read from write access and enforce segregation of duties. Enable audit trails to record who has been on your system, when it was accessed and what changes were made. Require strong passwords and consider multi-factor authentication, particularly for remote access into the environment. Regularly review contracts to understand the risk associated with the ongoing use of each application. Require Service Organization Controls (SOC) reports for all cloud providers and understand how your data will be handled in their environment. Encrypt all data “in motion,” and assess risk to determine whether data “at rest” should be encrypted as well.

Vendor Management
Securing information does not focus only on your own organization. Establish a process to identify, risk-rank, screen and monitor vendors who use, process or otherwise access your information. Requesting Service Organization Controls 2 (SOC 2) reports and other security compliance information is a good first step.

page 20 | horizons Fall 2015

Monitor activities to determine what needs to be updated or replaced. A comprehensive review of your systems should include a review of available logs, alerts, reports and key systems. Data flow should be traced (both inbound and outbound), and both controls and weaknesses should be identified. An effective review will also include an external vulnerability assessment, examining perimeter controls and identifying potential issues or vulnerabilities from external connections. Continuously identify and deploy new solutions to secure your data as your environment and the threats change. Consider developing a “red team” of IT specialists who try to hack into your systems. This is a good way to identify vulnerabilities and determine where an “open door” may exist. Overall, in the current “when, not if” environment, a sustained focus on cyber security is imperative. It’s more important than ever to communicate with your leadership and board, adapt to the ever-changing threat environment and monitor and test your systems. These are all pieces of the cyber security puzzle designed to minimize your risk and impact.

Prevention Is a Continuous Process Ongoing vigilance can be one of your most effective tools against cyber threats. Continuously educating and training employees is critical to combat the daily threats delivered via email and malicious websites. Are your employees aware of the threats and are they informed and trained on proper procedures? Are they encouraged to report possible breaches because those reports are vital to the company? Performing periodic assessments of the environment based on risks and threats can be extremely useful to understand where weaknesses may exist and how the security infrastructure detects and prevents attacks. This approach should also be applied to networks, systems and applications.

RubinBrown’s Cyber Security Advisory Services Group RubinBrown has a dedicated team specializing in cyber security services designed to meet each client’s requirements. We provide experienced security professionals for executive consulting, security risk assessments, vulnerability and penetration testing, vendor risk management and specialized security consulting.

Rob Rudloff, CISSP-ISSMP, MBA Partner Cyber Security Advisory Services Group 303.952.1220 rob.rudloff@rubinbrown.com

Audrey Katcher, CPA, CISA, CITP, CGMA Partner Business Advisory Services Group 314.290.3420 audrey.katcher@rubinbrown.com

www.RubinBrown.com | page 21
