Your business faces risks on multiple fronts, so risk management should be a strategic priority. Identifying and addressing risks helps your business run smoothly, and keeps you focused on pursuing your business objectives. We discuss strategies to mitigate your IT threats, explore insurance options and assess your internal control needs.
2. 2
Introduction
Lucy Fanger, Owner
• Founder and CEO of On Technology Partners,
a woman-owned technology company
developing partnerships with various local and
national companies through planning and
strategic design
• 25 years of experience
• Passionate about helping people and making a
difference in the business community in Ohio
and across the country
lfanger@ontechpartners.com
linkedin.com/in/lucy-fanger-5412581/
216-920-3100
3. 3
Introduction
Michelle Hirsch, Brunswick
Companies
• Senior Vice President of Brunswick
Companies, a third-generation family-owned
insurance and risk management consulting
firm, serving clients nationwide
• Provides P&C insurance services to
companies, aspiring and accomplished
individuals, families and professional athletes
• Bachelor’s degree from Penn State University
and MBA from Case Western University
Weatherhead School of Management
• Part of Crain’s Cleveland Business:
– Twenty in their 20’s (2008)
– Forty Under 40 (2017)
mlstein@brunswickcompanies.com
linkedin.com/in/michelles1/
800-686-8080
4. 4
Introduction
Chrissy Walters, Skoda Minotti
• Principal in the firm’s Accounting and Auditing
Group
• Leads the firm’s Internal Audit niche
• 17 years of public accounting and industry
experience
• Background with Big 4 accounting firms in their
external audit group and specializing in internal
audit co-source and out-source engagements
for large manufacturing SEC companies
• Coordinated and developed new internal audit
services in India and Argentina to benefit U.S.
engagement teams
cwalters@skodaminotti.com
linkedin.com/in/chrissy-walters-5992207/
440-605-7178
5. 5
Strategies to Mitigate Your IT Threats
1. Technology Risk
2. Cyber Security
3. Cyber-Liability Insurance
6. 6
Technology Risk
What you care about:
1. Loss of function
2. Loss of business
3. Loss of money
Technology Risk is UNDERSTANDING
Cyber Security is IMPLEMENTATION
8. 8
Cyber Security
Things to do:
1. Backup
2. Antivirus
3. Patching
4. Multi-Factor Authentication
5. Strong passwords
a. Password management programs
b. Do not use the same password for all accounts
c. Change passwords regularly
d. Use multiple characters - the more the better
9. 9
Cyber-Liability Insurance
What is it good for?
1. It helps recovery after a
loss.
2. It can help save the
company after a
catastrophic loss.
Concerns:
1. Are you covered?
2. Can you afford the insurance?
“But surely you can’t put a price on your family’s lives!”
– Ex-Con Home Security Guy
“I wouldn’t have thought so either, but, here we are.”
– Homer Simpson
10. 10
Business Insurance Requires
• Knowledgeable
agent
• Access to network
of carriers
• Experienced in the
industry
• Strong business
acumen
11. 11
Universe of Risk Advisors
Independent Brokers
Captive Agents
Direct Response Companies
12. 12
Sample of Common Business Insurance
Coverages
• General liability
• Property coverage
• Product liability
• Cyber
• Commercial auto
• Workers compensation
• Boiler and machinery
• Business Interruption
• Employment Practices
liability
• Directors and officers
• Fiduciary liability
• Professional liability
• Inland marine
• Employers liability
• Umbrella
13. 13
Deciding the Right Coverages
• Diving deep into your business
operations with your insurance
agent
• Understanding available
insurance coverage to help
mitigate business risks
• Defining contractual liability with
clients, suppliers, tenants and
subcontractors
• Implementing the insurance,
business process and
contractual changes
14. 14
Why Insurance Review?
• When was your last
conversation with your
agent?
• Did it extend beyond
revenue and address
changes?
• When was the last time you
saw a side-by-side analysis
of several carriers’ coverage
and pricing for your
business?
75%: Percentage of U.S. businesses significantly underinsured (Insurance Journal)
15. 15
Commonly Misunderstood Business
Insurance Coverages:
• Cyber vs. crime
• Home-based business
coverage
• Hired non-owned auto
• Umbrella
• Business interruptions
insurance
• Elements of management
liability
• Professional liability
16. 16
Cyber vs. Crime
• Cyber, social, crime,
data breach,
professional indemnity
• Cyber liability – To
insure loss of intangible
property
• Crime insurance –
Protect an insured
organization’s assets
from threat by employee
or third party
58%: Malware attack victims are small business (Verizon 2018 DBIR)
$2.2M: Cost of cyber attacks on small business (Verizon 2018 DBIR)
90%: Cyber attacks are successfully executed with credentials stolen or socially engineered from employees (Identity Management Institute)
17. 17
Home-Based Business
Homeowner’s policy excludes:
• Business property
• Business liability (extends off
premise)
• Additional coverage
50%: U.S. business home-based (sba.gov 2016)
18. 18
Hired Non-Owned Auto
• Rented a car on a work
trip
• Support staff picked up
office supplies
• Driving to a conference
• Picking up lunch for an
office meeting
19. 19
Umbrella
• Realizing the impact of
liability
• Extends liability coverage over primary
insurance policy
• Inexpensive premiums
20. 20
Business Interruptions
• Different policy definitions
• Direct loss
• Contingent loss
• Extra expense
40%: Experienced a BI loss and claim in last five years (RIMS Business Interruption Survey 2017)
21. 21
Management Liability
• Directors and Officers (D&O) –
Protects Directors, Officers and
Employees against financial
impact from claims by
competitors, shareholders and
regulators
• Employment Practices
Liability Insurance (EPLI) –
Broad protection against
financial impact from claims
including discrimination, wrongful
termination, retaliation and
harassment
1 in 4: Private companies experienced D&O loss (Chubb Risk Survey 2016)
7 of 10: Small businesses don’t carry EPL (Chubb Risk Survey 2016)
23. 23
What Does a Broker Need to Quote?
• Expiration date
• Current policies
• Completed application
It’s important to
find a broker who
is experienced,
knowledgeable
and is willing to
help should a
claim arise.
24. 24
Agenda
• Internal Audit Requirements
⮚ Public companies
⮚ Private companies
• Where to Start
• Process Documentation
⮚ High level
⮚ Instructional
• Your To-Do List
25. 25
My Company is Fine….
“We’ve never had fraud…”
“Our employees know how to do their jobs...”
“We are very profitable…”
“Seems like a burden to undertake…”
• Are you prepared for unexpected changes to your
company?
• How will the company owners react if fraud occurs and you
didn’t take precautions to mitigate those risks?
• Can your company benefit from creating efficiencies?
26. 26
IA Requirements for Public Companies
Public companies need to be compliant with Sarbanes-Oxley
- Document processes
- Conduct an annual risk assessment
- Prioritize risks (likelihood and impact)
- Identify or create controls to mitigate those risks
- Test controls to determine if effective
- Create remediation plans for ineffective controls
- Revisit every year or as needed
Does that seem overwhelming?... It doesn’t have to be!
27. 27
Why are Public Companies Required to
Do All That?
• After Enron and WorldCom, investors lost
confidence in the accuracy of financial
statements
• Sarbanes-Oxley was enacted to combat
fraud, improve the reliability of financial
reporting and restore investor confidence
28. 28
Benefits of Sarbanes-Oxley
Documentation helps by:
• Assigning responsibility to ensure accountability
• Identifying risks, controls or lack thereof
• Identifying process improvements
• Allowing others to understand the process
– New employees
– Auditors
– Management
– Potential buyers (Less risky = higher price)
– Banks
29. 29
Benefits of Sarbanes-Oxley
After getting a solid understanding of the process,
you can determine where controls are missing or if
current controls should be enhanced.
These new or enhanced controls make the
companies stronger by:
• Standardizing processes
• Creating efficiencies
• Reducing the risk of human error or fraud
30. 30
Private Companies
Shouldn’t all companies be concerned about
the accuracy of their financial statements and
if there are ways to gain efficiencies or best
practices?
YES
31. 31
One Bite at a Time
• Don’t make the process of incorporating controls stressful.
• Internal controls should help alleviate stress because you
are taking action against risky issues.
• If not required by Sarbanes-Oxley, you don’t need to cover
all processes at once.
• Focus on your riskiest area, tackle that, and then move
onto the next.
Any internal audit activity is better than none!!
32. 32
Internal Audit Overview
We help our clients become stronger by improving
controls over their financial processes. We
accomplish this through process documentation, risk
assessments and the development of effective
testing programs.
• Risks
• Controls
• Process Improvement
34. 34
Are Your Eggs All in One Basket?
Think about your most crucial employees….
• What if any of those employees quit, or had to
take a sudden leave?
• Could your company run smoothly with little to no
downtime?
• What would that downtime cost your company?
– How much time would be spent to figure out their
tasks?
– Would you miss deadlines?
– Would business be disrupted?
35. 35
Step-by-Step Instructions
Create instructions for those crucial roles
• Month end close
• Payroll
• General accounting
Create “click-by-click” instructions
1. Have the employee create their own instructions
2. Demonstrate those instructions to another employee
3. The other employee asks questions for steps that need
clarification
4. The other employee performs the task unassisted
36. 36
Risk-Based Audit Approach
• First, identify the risks (lack of review, segregation of
duties issue, improper access, etc.)
• Develop controls to mitigate the risks
– Segregation of duties (Can’t create new vendors and cut checks)
– Review controls with defined steps (A signature is not enough)
– Access controls (Only allow essential access and remove it in a timely manner)
– Checklists (processes such as the month end close)
• Create a testing program to verify control effectiveness;
perform testing at least annually
37. 37
5-Step Plan
• Step 1: Document the process
• Step 2: Identify weaknesses
• Step 3: Improve or create controls
• Step 4: Create a remediation plan
• Step 5: Control testing
38. 38
Consider Your Company
• Have you defined your company’s risks?
• Do you have a control to mitigate those risks?
• How do you know if those controls are effective?
• Can your company benefit from a fresh set of
eyes to help determine best practice and
efficiencies?
39. 39
Your To-Do List
Assess your company…
• What are the risks?
• What are you doing about them?
It’s that simple.
40. 40
Questions?
Michelle Hirsch
Senior Vice President
Brunswick Companies
mlstein@brunswickcompanies.com
Chrissy Walters
Principal
Accounting and Auditing
Group – Internal Audit
Skoda Minotti
cwalters@skodaminotti.com
Lucy Fanger
Founder and CEO
On Technology Partners
lfanger@ontechpartners.com