Navigating changes to the SOC 2 guide

Is your organization a service provider that hosts or supports sensitive customer data, (e.g., personal health information (PHI), personally identifiable information (PII))? If so, you need to be aware of a recent decision by the American Institute of Certified Public Accountants that may affect how your organization manages its systems and data.

In April, the AICPA’s Assurance Executive Committee decided to replace the five Trust Service Principles (TSPs) with Trust Services Criteria (TSC), requiring service organizations to completely rework their internal controls, and present SOC 2 findings in a revised format. This switch may sound frustrating or intimidating, but we can help you understand the difference between the principles and the criteria.

The SOC 2 Today
Service providers design and implement internal controls to protect customer data and comply with certain regulations. Typically, a service provider hires an independent auditor to conduct an annual Service Organization Control (SOC) 2 examination to help ensure that controls work as intended. Among other things, the resulting SOC 2 report assures stakeholders (customers and business partners) the organization is reducing data risk and exposure.

Currently, SOC 2 reports focus on five Trust Services Principles (TSP):

• Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that can compromise the availability, integrity, confidentiality, and privacy of information or systems — and affect the entity's ability to meet its objectives.

• Availability: Information and systems are available for operation and use to meet the entity's objectives.

• Processing Integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives.

• Confidentiality: Information designated as confidential is protected to meet the entity's objectives.

• Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity's objectives.

New SOC 2 Format
The TSC directly relate to the 17 principles found in the Committee of Sponsoring Organization (COSO)’s 2013 Framework for evaluating internal controls, and include additional criteria related to COSO Principle 12. The new TSC are:

• Control Environment: emphasis on ethical values, board oversight, authority and responsibilities, workforce competence, and accountability.

• Risk Assessment: emphasis on the risk assessment process, how to identify and analyze risks, fraud-related risks, and how changes in risk impact internal controls.

• Control Activities: Emphasis on how you develop controls to mitigate risk, how you develop technology controls, and how you deploy controls to an organization through the use of policies and procedures.

• Information and Communication: Emphasis on how you communicate internal of the organization to internal and external parties.

• Monitoring: Emphasis on how you evaluate internal controls and how you communicate and address any control deficiencies.

The AICPA has provided nearly 300 Points of Focus (POF), supporting controls that organizations should consider when addressing the TSC. The POF offer guidance and considerations for controls that address the specifics of the TSC, but they are not required.

Points of Focus
Organizations now have some work to do to meet the guidelines. The good news: there’s still plenty of time to make necessary changes. You can use the current TSP format before December 15, 2018. Any SOC 2 report presented after December 15, 2018, must incorporate the new TSC format. The AICPA has provided a mapping spreadsheet to help service organizations move from TSP to the TSC format.

Contact Chris Ellingwood to learn more about how we can help you gain control of your SOC 2 reporting efforts. 
 

As the technology we use for work and at home becomes increasingly intertwined, security issues that affect one also affect the other and we must address security risks at both levels.

This year’s top security risks are the first in our series that are both prevalent to us as consumers of technology and to us as business owners and security administrators. Our homes and offices connect to devices, referred to the Internet of Things (IoT), that make our lives and jobs easier and more efficient, but securing those devices from outside access is becoming paramount to IT security.

Many of this year’s risks focus on deception. Through deception, hackers can get information and access to systems, which can harm our wallets and our businesses.

In our 2017 Top 10 IT Security Risks e-book we share with you how to understand these emerging risks, the consequences and impacts these risks may have on your business, and approaches to help mitigate the risks and their impact. Some of the key ways to address these risks are:           

1. Do your homework — change your default passwords (the one that came with your wireless router, for instance), and also make sure that your Amazon Alexa, Google Home, or other smart devices have complex passwords. In addition, turning off devices when they are not in use, or when you are gone, helps secure your home.

2. If you work from home, or have employees who do, set up and use secure connections with dual authentication methods to help protect your networks. Remote employees should be required to use the same security measures as on-site employees.

3. Protect your smartphone at work and at play—smartphones have become one of our most important possessions, and we use the same device for both work and personal applications, yet we don’t protect them as well we should. Password protection is step one. Consider uploading new antivirus software to corporate smartphones and using container apps for corporate emails and documents. These apps allow users to securely connect to a company’s server and reduce the possible exposure of data.

4. Train, inform, repeat. Create a vigilant workforce—through continuous and consistent training and information sharing, you can reduce the occurrence of phishing, hacking and other attacks against your systems.

5. Conduct IT security risk assessments annually to help you identify gaps, fix them, and prepare for any incidents that may occur.

6. Monitor and protect your reputation through tools to identify news on your company and understand the sources of the information.

Our 2017 Top 10 IT Security Risks takes a deeper look at the IoT and other risk issues that pose a threat this year, and what you can do to minimize your own and your organization’s IT security risks.

During my lunch in sunny Florida while traveling for business, enjoying a nice reprieve from another cold Maine winter, I checked my social media account. I noticed several postings about people having nothing to do at work because their company’s systems were down, the result of a major outage at one of three Amazon Web Services (AWS)’ Data Centers and web hosting operations. Company sites were down directly or indirectly through a software as a service (SaaS) provider hosted at the AWS data center.

The crash lasted for four hours and affected hundreds of thousands sites, including Airbnb, Expedia, Netflix, Quora, Slack, and others. The impact of such crashes can be devastating to organizations that rely on their website for revenue, such as online retailers and users of SaaS providers that may rely on a hosted system to conduct day-to-day business.

We advise our clients who consider hosting services in the cloud to weigh the option seriously and understand potential challenges in doing so. Here are some steps you can take to prevent future outages and loss of valuable uptime:

1. Know the risks and weigh them against the benefits.  Ask questions about the system you are thinking of having hosted. Is the system critical to business? Without the system, do you lose revenue and productivity? Is the company providing the SaaS service hosting their own systems, or are they hosted at a data center like AWS? Does the SaaS provider have failover sites at other, separate data centers that are geographically distant from another?
2. Have a backup plan. If your business conducts e-commerce or needs SaaS service to function, consider hosting your web servers and other data at two different providers. Though costly, the downtime impact is highly reduced.
3. Consider hosting yourself. In some cases, we advise against relying on a third-party hosted data center. We do this when the criticality of the function is so high that having your own full-time dedicated support personnel, with multiple internet service providers available, allows you to address outages in-house and reduce the risk of outages.
4. Have a service level agreement. Having a service level agreement with the hosted third party establishes expectations for uptime and downtime. In many instances where uptime is critical, you may consider incorporating liquidated damage clauses (fines and penalties) for downtime. Often when revenue is involved, the hosted party will take deeper measures to ensure uptime.

These types of outages are rare, but significant and while most organizations should not be scrambling to host their own systems and cancel all hosted agreements, it’s a good idea to take a hard look at your cyber security and IT risk management plan. Then, like me, when the clouds clear and you are in warm and sunny Florida, you can take a long lunch and enjoy the day.

What are the top three areas of improvement right now for your business? In this third article of our series, we will focus on how to increase business value by aligning values, decreasing risk, and improving what we call the “four C’s”: human capital, structural capital, social capital, and consumer capital.

To back up for a minute, value acceleration is the process of helping clients increase the value of their business and build liquidity into their lives. Previously, we looked at the Discover stage, in which business owners take inventory of their personal, financial, and business goals and assemble information into a prioritized action plan. Here, we are going to focus on the Prepare stage of the value acceleration process.

Aligning values may sound like an abstract concept, but it has a real world impact on business performance and profitability. For example, if a business has multiple owners with different future plans, the company can be pulled in two competing directions. Another example of poor alignment would be if a shareholder’s business plans (such as expanding the asset base to drive revenue) compete with personal plans (such as pulling money out of the business to fund retirement). Friction creates problems. The first step in the Prepare stage is therefore to reduce friction by aligning values.

Reducing risk

Personal risk creates business risk, and business risk creates personal risk. For example, if a business owner suddenly needs cash to fund unexpected medical bills, planned business expansion may be delayed to provide liquidity to the owner. If a key employee unexpectedly quits, the business owner may have to carve time away from their personal life to juggle new responsibilities. 

Business owners should therefore seek to reduce risk in their personal lives, (e.g., life insurance, use of wills, time management planning) and in their business, (e.g., employee contracts, customer contracts, supplier and customer diversification).

Intangible value and the four C's

Now more than ever, the value of a business is driven by intangible value rather than tangible asset value. One study found that intangible asset value made up 87% of S&P 500 market value in 2015 (up from 17% in 1975). Therefore, we look at how to increase business value by increasing intangible asset value and, specifically, the four C’s of intangible asset value: human capital, structural capital, social capital, and consumer capital. 

Here are two ways you can increase intangible asset value. First of all, do a cost-benefit analysis before implementing any strategies to boost intangible asset value. Second, to avoid employee burnout, break planned improvements into 90-day increments with specific targets.

At BerryDunn, we often diagram company performance on the underlying drivers of the 4 C’s (below). We use this tool to identify and assess the areas for greatest potential improvements:

By aligning values, decreasing risk, and improving the four C’s, business owners can achieve a spike in cash flow and business value, and obtain liquidity to fund their plans outside of their business.

If you are interested in learning more about value acceleration, please contact the business valuation services team. We would be happy to meet with you, answer any questions you may have, and provide you with information on upcoming value acceleration presentations.

This is our second of five articles addressing the many aspects of business valuation. In the first article, we presented an overview of the three stages of the value acceleration process (Discover, Prepare, and Decide). In this article we are going to look more closely at the Discover stage of the process.

In the Discover stage, business owners take inventory of their personal, financial, and business goals, noting ways to increase alignment and reduce risk. The objective of the Discover stage is to gather data and assemble information into a prioritized action plan, using the following general framework.

Every client we have talked to so far has plans and priorities outside of their business. Accordingly, the first topic in the Discover stage is to explore your personal plans and how they may affect business goals and operations. What do you want to do next in your personal life? How will you get it done?

Another area to explore is your personal financial plan, and how this interacts with your personal goals and business plans. What do you currently have? How much do you need to fund your other goals?

The third leg of the value acceleration “three-legged stool” is business goals. How much can the business contribute to your other goals? How much do you need from your business? What are the strengths and weaknesses of your business? How do these compare to other businesses? How can business value be enhanced? A business valuation can help you to answer these questions.

A business valuation can clarify the standing of your business regarding the qualities buyers find attractive. Relevant business attractiveness factors include the following:

• Market factors, such as barriers to entry, competitive advantages, market leadership, economic prosperity, and market growth
• Forecast factors, such as potential profit and revenue growth, revenue stream predictability, and whether or not revenue comes from recurring sources
• Business factors, such as years of operation, management strength, customer loyalty, branding, customer database, intellectual property/technology, staff contracts, location, business owner reliance, marketing systems, and business systems

Your company’s performance in these areas may lead to a gap between what your business is worth and what it could be worth. Armed with the information from this assessment, you can prepare a plan to address this “value gap” and look toward your plans for the future.

If you are interested in learning more about value acceleration, please contact the business valuation services team. We would be happy to meet with you, answer any questions you may have, and provide you with information on upcoming value acceleration presentations.

Next up in our value acceleration series is all about what we call the four C's of the value acceleration process. 

This is the first article in our five-article series that reviews the art and science of business valuation. The series is based on an in-person program we offer from time to time.  

Did you know that just 12 months after selling, three out of four business owners surveyed “profoundly regretted” their decision? Situations like these highlight the importance of the value acceleration process, which focuses on increasing value and aligning business, personal, and financial goals. Through this process, business owners will be better prepared for business transitions, and therefore be significantly more satisfied with their decisions.

Here is a high-level overview of the value acceleration process. This process has three stages, diagrammed here:

The Discover stage is also called the “triggering event.” This is where business owners take inventory of their situation, focusing on risk reduction and alignment of their business, personal, and financial goals. The information gleaned in this stage is then compiled into a prioritized action plan utilized in future stages.

In the Prepare stage, business owners follow through on business improvement and personal/financial planning action items formed in the discover stage. Examples of action items include the following:

• Addressing weaknesses identified in the Discover stage, in the business, or in personal financial planning
• Protecting value through planning documents and making sure appropriate insurance is in place
• Analyzing and prioritizing projects to improve the value of the business, as identified in Discover stage
• Developing strategies to increase liquidity and retirement savings

The last stage in the process is the Decide stage. At this point, business owners choose between continuing to drive additional value into the business or to sell it.

Through the value acceleration process, we help business owners build value into their businesses and liquidity into their lives.

If you are interested in learning more about value acceleration, please contact the business valuation services team. We would be happy to meet with you, answer any questions you may have, and provide you with information on upcoming value acceleration presentations.

Read more! In our next installment of the value acceleration blog series, we cover the Discover stage.

Executive compensation, bonuses, and other cost structure items, such as rent, are often contentious issues in business valuations, as business valuations are often valued by reference to the income they produce. If the business being valued pays its employees an above-market rate, for example, its income will be depressed. Accordingly, if no adjustments are made, the value of the business will also be diminished.

When valuing controlling ownership interests, valuation analysts often restate above- or below-market items (compensation, bonuses, rent, etc.) to a fair market level to reflect what a hypothetical buyer would pay. In the valuation of companies with ESOPs, the issue gets more complicated. The following hypothetical example illustrates why.

Glamorous Grocery is a company that is 100% owned by an ESOP. A valuation analyst is retained to estimate the fair market value of each ESOP share. Glamorous Grocery generates very little income, in part because several executives are overcompensated. The valuation analyst normalizes executive compensation to a market level. This increases Glamorous Grocery’s income, and by extension the fair market value of Glamorous Grocery, ultimately resulting in a higher ESOP share value.

Glamorous Grocery’s trustee then uses this valuation to establish the market price of ESOP shares for the following year. When employees retire, Glamorous Grocery buys employees out at the established share price. The problem? As mentioned before, Glamorous Grocery generates very little income and as a result has difficulty obtaining the liquidity to buy out employees.

This simple example illustrates the concerns about normalizing executive compensation in ESOP valuations. If you reduce executive compensation for valuation purposes, the share price increases, putting a heavier burden on the company when you redeem shares. The company, which already has reduced income from paying above-market executive compensation, may struggle to redeem shares at the established price.

While control-level adjustments may be common, it is worth considering whether they are appropriate in an ESOP valuation. It is important that the benefit stream reflect the underlying economic reality of the company to ensure longevity of the company and the company’s ESOP.

Questions? Our valuation team will be happy to help. 

BerryDunn’s Business Valuation Group partners with clients to bring clarity to the complexities of business valuation, while adhering to strict development and reporting standards. We render an independent, objective opinion of your company’s value in a reporting format tailored to meet your needs. We thoroughly analyze the financial and operational performance of your company to understand the story behind the numbers. We assess current and forecasted market conditions as they impact present and future cash flows, which in turn drives value.

Do you know what would happen to your company if your CEO suddenly had to resign immediately for personal reasons? Or got seriously ill? Or worse, died? These scenarios, while rare, do happen, and many companies are not prepared. In fact, 45% of US companies do not have a contingency plan for CEO succession, according to a 2020 Harvard Business Review study.  

Do you have a plan for CEO succession? As a business owner, you may have an exit strategy in place for your company, but do you have a plan to bridge the leadership gap for you and each member of your leadership team? Does the plan include the kind of crises listed above? What would you do if your next-in-line left suddenly? 

Whether yours is a family-owned business, a company of equity partners, or a private company with a governing body, here are things to consider when you’re faced with a situation where your CEO has abruptly departed or has decided to step down.  

1. Get a plan in place. First, assess the situation and figure out your priorities. If there is already a plan for these types of circumstances, evaluate how much of it is applicable to this particular circumstance. For example, if the plan is for the stepping down or announced retirement of your CEO, but some other catastrophic event occurs, you may need to adjust key components and focus on immediate messaging rather than future positioning. If there is no plan, assign a small team to create one immediately. 

Make sure management, team leaders, and employees are aware and informed of your progress; this will help keep you organized and streamline communications. Management needs to take the lead and select a point person to document the process. Management also needs to take the lead in demeanor. Model your actions so employees can see the situation is being handled with care. Once a strategy is identified based on your priorities, draft a plan that includes what happens now, in the immediate future, and beyond. Include timetables so people know when decisions will be made.  

2. Communicate clearly, and often. In times of uncertainty, your employees will need as much specific information as you can give them. Knowing when they will hear from you, even if it is “we have nothing new to report” builds trust and keeps them vested and involved. By letting them know what your plan is, when they’ll receive another update, what to tell clients, and even what specifics you can give them (e.g., who will take over which CEO responsibility and for how long), you make them feel that they are important stakeholders, and not just bystanders. Stakeholders are more likely to be strong supporters during and after any transition that needs to take place. 

3. Pull in professional help. Depending on your resources, we recommend bringing in a professional to help you handle the situation at hand. At the very least, call in an objective opinion. You’ll need someone who can help you make decisions when emotions are running high. Bringing someone on board that can help you decipher what you have to work with and what your legal and other obligations may be, help rally your team, deal with the media, and manage emotions can be invaluable during a challenging time. Even if it’s temporary. 

4. Develop a timeline. Figure out how much time you have for the transition. For example, if your CEO is ill and will be stepping down in six months, you have time to update any existing exit strategy or succession plan you have in place. Things to include in the timeline: 

• Who is taking over what responsibilities? 
• How and what will be communicated to your company and stakeholders? 
• How and what will be communicated to the market? 
• How will you bring in the CEO's replacement, while helping the current CEO transition out of the organization? 

If you are in a crisis situation (e.g., your CEO has been suddenly forced out or asked to leave without a public explanation), you won’t have the luxury of time.  

Find out what other arrangements have been made in the past and update them as needed. Work with your PR firm to help with your change management and do the right things for all involved to salvage the company’s reputation. When handled correctly, crises don’t have to have a lasting negative impact on your business.   

5. Manage change effectively. When you’re under the gun to quickly make significant changes at the top, you need to understand how the changes may affect various parts of your company. While instinct may tell you to focus externally, don’t neglect your employees. Be as transparent as you possibly can be, present an action plan, ask for support, and get them involved in keeping the environment positive. Whether you bring in professionals or not, make sure you allow for questions, feedback, and even discord if challenging information is being revealed.  

6. Handle the media. Crisis rule #1 is making it clear who can, and who cannot, speak to the media. Assign a point person for all external inquiries and instruct employees to refer all reporter requests for comment to that point person. You absolutely do not want employees leaking sensitive information to the media. 
 
With your employees on board with the change management action plan, you can now focus on external communications and how you will present what is happening to the media. This is not completely under your control. Technology and social media changed the game in terms of speed and access to information to the public and transparency when it comes to corporate leadership. Present a message to the media quickly that coincides with your values as a company. If you are dealing with a scandal where public trust is involved and your CEO is stepping down, handling this effectively will take tact and most likely a team of professionals to help. 

Exit strategies are planning tools. Uncontrollable events occur and we don’t always get to follow our plan as we would have liked. Your organization can still be prepared and know what to do in an emergency situation or sudden crisis.  Executives move out of their roles every day, but how companies respond to these changes is reflective of the strategy in place to handle unexpected situations. Be as prepared as possible. Own your challenges. Stay accountable. 

BerryDunn can help whether you need extra assistance in your office during peak times or interim leadership support during periods of transition. We offer the expertise of a fully staffed accounting department for short-term assignments or long-term engagements―so you can focus on your business. Meet our interim assistance experts.