Chelan David

Wednesday, 28 February 2007 19:00

Private banking

Each client in private banking has a relationship with his or her own private banker. Beyond credit needs, private-banking clients have available and may draw upon other specialists like securities/investments, trust services, insurance and financial planning.

Smart Business spoke with Mark Nakamaru, a senior vice president and group manager of private banking at Comerica Bank, about what types of services private bankers provide, how individuals and businesses alike can benefit and what factors to consider when looking for a private banking partner.

What are some of the services that private bankers provide?

Their primary focus is to address the financing needs of their clients, although in some cases, this extends to the businesses that they are associated with. Service-related companies such as law firms, CPA firms and medical practices are some examples of private banking businesses. Private bankers provide one-stop banking including customized credit facilities, a full array of deposit products, securities investments, asset management, insurance and financial planning. One private banking relationship manager can help deliver all the financial needs for both an individual and his or her business.

How can a company benefit from private banking lending options?

With any business, there is a need for a multitude of services and products. We provide a wide array of services such as traditional depository products, treasury management, merchant services and foreign exchange, to name a few.

Also, a company benefits from a private banker’s ability to customize service needs, as well as banking the principals of the company. Private bankers have the ability to underwrite, structure and approve loan requests in-house, providing quick decisions and customized loans for clients.

How do stock option loans work?

Let’s say a senior executive of a company has stock options that are coming due in six months. He has a tremendous opportunity today on an investment he wants to take advantage of. We can structure a loan for him today with repayment to come from the stock options he will eventually exercise. There is some risk to this. He may not want to exercise his stock options if the stock price drops below the strike price. But we will look for ways to mitigate this risk and structure this loan for him.

How can a company use a mortgage as collateral for a loan?

We can establish a line of credit for a business using the equity in the owner’s personal residence or commercial building as collateral. This may provide a lower interest rate and extended terms on the line of credit. A start-up company, for example, could benefit from this type of loan as it provides additional collateral.

The process to establish this type of loan mirrors the steps one would take to borrow individually for an equity line of credit.

What types of questions should one ask when looking for a private banking partner?

I would inquire about the approval process for loan requests. Does the prospective partner use loan centers for approval or does it have the ability to underwrite and approve loans in-house? There could be advantages or disadvantages with either, depending on your needs.

Another key issue is the lending limit of the bank. If it is a small community bank, there are restrictions as to how much money it can lend. A client who is looking for a large credit facility would not be well served by a bank with a house limit that cannot match his credit needs.

The lending experience of your private banker should also match your credit needs. A real estate investor, for example, should ask if the bank actively participates in this market. If so, your private banker should have the real estate experience to help facilitate the real estate loans you require.

Remember, all banks will tell you that they provide great service. Before choosing a bank and/or private banker, have a face-to-face meeting. The candidate should be quite convincing in its commitment to back up its claims.

MARK NAKAMARU is senior vice president and group manager for private banking at Comerica Bank. Reach him at (714) 435-3963 or mnakamaru@comerica.com.

Wednesday, 28 February 2007 19:00

Health care solutions

Nearly two-thirds of the U.S. population is considered overweight, and 5 percent of all Americans fall into the morbidly obese category. Excess weight substantially increases the risk of numerous health problems and is also associated with an increase in mortality.

Bariatric surgery is designed to help people fighting obesity improve their health by using surgical intervention. Although bariatric surgery can be an effective tool in weight loss, patients must also commit to long-term lifestyle changes.

“Bariatric surgery is ideal for people who are willing to take personal responsibility for their well-being,” says Dr. Amir Mehran, assistant clinical professor of surgery and director of bariatric surgery at UCLA Medical Center. “It really helps them as long as they are willing to help themselves.”

Smart Business spoke with Mehran about the types of surgical weight-loss techniques that are available, what eligibility requirements must be met and what the recovery process consists of.

What are some health risks associated with obesity?

Obesity is associated with several risks, including cardiac disease, high blood pressure, diabetes, hyperlipidemia and obstructive sleep apnea. There are also risks for malignancies such as ovarian, prostate, colon and kidney cancers.

What types of methods are available for the surgical treatment of excess weight?

Several are available. The caveat, however, is that none of them will work unless the patients change their lifestyle and eating habits before surgery.

The most common procedure is the Roux-en-Y gastric bypass, which has been done since the late 1960s. It has been shown to be quite effective with minimum number of side effects. Another available method is adjustable gastric banding. It is a newer operation whose U.S. results have been mixed. The biliopancreatic diversion/duodenal switch is a much more drastic and less commonly performed operation. It results in the most amount of mal-absorption.

Once again, however, if a person is not committed to the whole pathway of changing his or her life, nothing will work.

In order to have a surgery, what eligibility requirements must a patient meet?

The general eligibility requirements are based on guidelines set by the National Institutes of Health. Essentially, they go by body mass index, which is defined as kilograms divided by meters squared. People with body mass indexes over 40 are considered to be morbidly obese. If their body mass index is over 35 but they have other problems such as high blood pressure or diabetes, they are considered to be candidates for surgery as well.

People are generally between the ages of 18 and 65, although there is currently much debate about what to do with children who are morbidly obese. Obesity must have been present for several years, and patients should have been on several supervised diets in the past. They must also be free of any major psychiatric problems.

What are some possible risks and complications that can arise from bariatric surgery?

Speaking for the gastric bypass procedure, the mortality rate is roughly one in 500. The risks include intestinal leakage, which occurs in less than 1 percent of cases, and deep venous thrombosis in the leg with resultant pulmonary embolus, where a clot from the leg travels to the lung, which occurs in about less than 1 percent of all cases. Other potential problems include bowel obstructions, marginal ulcers and sagging skin.

How should a person decide if a surgery is the most viable option?

It’s a very personal choice. It has to be made with the help of family, a good social support system and a trusted primary care physician.

This type of surgery is really geared toward people who have tried everything else to lose weight. They’ve been on all kinds of diets and exercise programs and have lost a certain amount of weight. However, after a while they stop losing weight, get discouraged and gain all of their weight back plus an additional amount.

Once surgery is completed, what does the recovery process consist of?

For the laparoscopic Roux-en-Y gastric bypass, which is what we do at the UCLA Medical Center, the recovery time is roughly two to four weeks. Then during the first year or two, the patient needs to be followed closely with blood work done every three months. After that, a yearly follow-up is fine.

For the gastric bypass procedure, as long as patients take their vitamins and are watchful of what they do, the downsides are very minimal. It is critical to have a good primary physician who can follow their progress closely.

DR. AMIR MEHRAN is assistant clinical professor of surgery and director of bariatric surgery at UCLA Medical Center. Reach him at (310) 206-7235. For more information visit www.bariatrics.ucla.edu.

Wednesday, 28 February 2007 19:00

New accounting practices

The enactment of the Sarbanes-Oxley Act of 2002 has spurred heavier regulation in the auditing industry. A new auditing standard, SAS 112, affects how auditing work is conducted. Among other things, SAS 112 redefines the types of internal control issues that are reportable.

Companies of all sizes need to be familiar with the new standard and its implications, says Wade McMullen, partner at Vicenti, Lloyd & Stutzman LLP. “Things that might not have been a problem in the past will now become a problem in terms of reporting on internal controls. The bar has been lowered on what is considered a significant deficiency.”

Smart Business spoke with McMullen about SAS 112, how the standard relates to business risk and how companies should prepare for it.

What is SAS 112?

It is a statement that Certified Public Accountants are required to follow on auditing standards. The statement, issued by the American Institute of Certified Public Accountants, gives auditors new guidance on how to communicate internal control matters. SAS 112 also provides some new definitions.

When does this auditing standard become effective?

SAS 112 becomes effective for financial periods ending on or after Dec. 15, 2006. For most businesses operating on a calendar-year basis, it would be effective for last year. For most nonprofit entities, it would be effective for this year.

What accounting procedures will change as a result of SAS 112?

It will make accounting procedures more important in terms of internal controls and the checks and balances that need to be implemented. Also, it’s going to affect the documentation of those procedures. In the past, documentation has been much more informal. Not everything was necessarily written down. Now, procedures need to be documented so that they can be reviewed by an auditor.

How does the new standard relate to business risk?

Worst case, this new standard makes it possible for a business to receive an adverse opinion on its financial statements if an auditor is unable to get reasonable assurance about effective internal controls.

But in general, with the new SAS 112 standard, internal controls are becoming a larger part of what is expected of businesses. Internal control issues will affect stakeholders’ opinion about a business, and more stakeholders might be interested in internal controls than were before.

How should companies prepare for implementing SAS 112?

First, they should talk to their auditing firm or conduct research about the new requirements so that they will fully understand SAS 112 and its implications. With the new standard, it’s now getting to the point of ‘what could go wrong’ rather than ‘what did go wrong.’ In other words, the possibility of a potential problem with internal controls could be nearly as damaging as an actual problem that is found. This can be combated by formulating an action plan that can be phased in over a number of years.

Also, a company should look at its financial closing process and examine what types of internal controls are in place.

Finally, the company should manage the expectations of insurers, creditors, rating agencies and board members (if applicable), and let them know about the potential issues that might arise from the new standard.

In what ways has the auditing process changed since the advent of the Sarbanes-Oxley Act?

More work is required to complete an audit. The amount of audit evidence that needs to be obtained is greater and documentation requirements are more stringent. Also, the new auditing standards are bringing all companies into a more regulated environment.

Sarbanes-Oxley started out primarily for public companies, but there has been a big trickle-down effect and now even private companies and nonprofit organizations are being affected. SAS 112 is another way in which the rest of the business world is coming into conformity with what has been asked of public companies with Sarbanes-Oxley.

WADE MCMULLEN is a partner at Vicenti, Lloyd & Stutzman LLP. Reach him at wmcmullen@vlsllp.com or (626) 857-7300.

Wednesday, 28 February 2007 19:00

Global insurance programs

More companies are expanding their presence overseas. With emerging markets springing to life and improved technologies making the world a bazaar of economic activity, those with an international presence have an opportunity to earn tremendous rewards.

However, there are corresponding risks to the rewards associated with conducting business abroad. One potential hazard is not having a suitable insurance coverage and employee benefits plan in place for workers overseas.

“It’s important to really understand a global insurance program and not just rely on independent decisions in each country,” points out Jim Kapnick, president of Kapnick Insurance Group.

Smart Business spoke with Kapnick about insurance and employee benefits for companies doing business abroad.

How should a company go about implementing insurance coverage and employee benefits for workers abroad?

The important item to keep in mind when designing an international program is the need for strong communication. Insurance coverages and employee benefits differ greatly in each country and it is important to seek out strong local knowledge of the marketplace. Having a relationship with a local service provider can prove to be invaluable when structuring program design, compliance with local laws and regulations, and — most importantly — providing knowledgeable assistance in the event of a claim.

What are some of the logistical hurdles and how can these be overcome?

The two obvious ones are language barriers and time differences. The biggest logistical hurdle is the effective coordination of an international insurance program. It is important to have a centralized understanding of a global insurance program while still allowing for local (abroad) knowledge and servicing.

Too often, people do one of two things: Either they control the entire program from the U.S., which is not good since they don’t get local servicing and/or knowledge; or they let the operation abroad directly purchase the insurance and employee benefits, which is not a good idea because often the coverage limits are inadequate and it is not coordinated to protect the global company.

It is important to deal with an insurance/employee benefit adviser that has an established global network with formalized operating standards to assure proper understanding and communication of the program.

How has the Sarbanes-Oxley Act affected global insurance programs?

Sarbanes-Oxley has made management more accountable for understanding what’s going on. Too often, people with foreign locations take an out-of-sight-out-of-mind stance in regard to insurance and employee benefit placement. With Sarbanes-Oxley, you can’t do this because there is a responsibility for management to protect assets for investors.

Most overseas locations are very small — just a salesperson or a couple of people abroad, so it is tempting to say, ‘It’s no big deal, let’s just let people take care of it locally.’ But it is a big deal because you’re subjecting the corporate assets. With Sarbanes-Oxley, somebody within the organization has to have a global understanding of the insurance and employee benefit programs being offered.

What factors should a company consider when analyzing its global employee benefits program?

Employee benefits are just that … benefits to employees that entice them to join or stay at a firm. In order to offer a competitive compensation package and attract and retain the best employees, one must have a thorough understanding of the local market.

In some countries, employee benefits are simply providing transportation, a uniform and lunch. In others it involves programs more typical to the United States. Also, in global companies there often are foreign nationals working on assignment in other countries. It is important to coordinate employee benefit package programs to determine which countries’ coverages will respond.

If, upon inspection, the program could be improved, what steps should be taken?

Every global program should be fully customizable; there should never be a cookie-cutter approach. In my opinion, the steps involved include discussing the corporate philosophy regarding ultimate control of the program and then evaluating the local service providers to assure that the improvements can be implemented properly.

How should a local service provider be selected?

One option is to do business with people who have an established network and have experts locally. Another way is to have your people in foreign countries seek out local representation with the understanding that information has to roll up through a master program.

JIM KAPNICK is president of Kapnick Insurance Group. Reach him at (888) 263-4656, ext. 132 or Jim.Kapnick@kapnick.com. Kapnick Insurance Group is a member of Assurex Global, an international network of insurance & employee benefit brokers.

Sunday, 31 December 2006 19:00

Medical technology

The advent of dual-source CT scanners represents a significant step up in the evolution of CT machines. Designed with two X-ray tubes and two detector arrays, the dual-source scanner captures data nearly twice as fast as previous scanners.

The dual-source CT scanner is ideal for cardiac imaging, says Stefan Ruehm, M.D., Ph.D., associate professor of radiology at UCLA Medical Center.

“It’s a rather noninvasive diagnostic tool that allows a physician, with a very high negative predictive value, to determine whether or not the patient has coronary artery disease,” he says.

Smart Business spoke with Ruehm about how the new scanner aids patients and doctors alike and what further developments he expects to see in the early detection of heart disease.

How does the dual-source CT differ from earlier CT scanners?
The main difference is that it’s about twice as fast as the previous generation of scanners known as 64-slice CT scanners. The dual-source CT has two X-ray sources and two 64-slice detector arrays as compared to the previous generation, which had just one X-ray source and one detector with 64 rows. There has been a development of CT technology from one row of detectors to four rows to 16 rows to 64 rows. The latest development, as seen in the dual-source CT, is putting two 64-row detectors into one scanner.

What advantages does the new scanner offer patients?
It is particularly well suited for cardiac imaging because it provides very fast data acquisition. If your data acquisition times are too long, you will end up with images that show motion artifacts. You want to have a very small window to collect data during your cardiac cycle. The big advantage of the dual-source CT is that it nearly doubles the speed that you can acquire data compared to the previous generation of scanners. You could do cardiac CT with the previous machines; however, you had to use beta-blockers to decrease the heart rate. With the dual-source CT you don’t need to give beta-blockers, you can scan patients independent of the heart rate.

How does the noninvasive nature of the dual-source CT scanners aid doctors?
In the past, if there was a question about coronary artery disease, you would have done a catheter angiogram study. In a certain percentage of patients, you would have done the study for diagnostic purposes because you would have seen on the invasive angiogram that there is no coronary artery disease. This process is not very beneficial to the patient because it’s a rather invasive procedure and if you do it just for diagnostic purposes it’s not appropriate. There has been a need for an alternative, and it appears with the dual-source scanners that you can get diagnostic information concerning the coronary arteries in a far less invasive manner.

How useful is the dual-source scanner in helping to identify medical problems at an early stage?
The main goal is to detect coronary artery disease at an early stage and to adapt certain therapeutic strategies. You want to do this early, because with certain medications, you can prevent progression of coronary artery disease. The problem so far has been that people were reluctant undergoing the types of invasive procedures that were previously available. With this technique, we have a rather noninvasive tool to detect coronary artery disease. If there are signs of disease, patients can undergo medical treatment at a very early stage and prevent further progression or complications.

In the future, what further developments do you expect to see in the early detection of heart disease?
One further development focuses on the exact and objective grading of the degree of vessel narrowing. However, it has been shown that the degree of the narrowing of the coronary arteries does not predict the likelihood of a cardiac complication.

What appears more important is the characterization of the plaque that causes the vessel to narrow. There may be a change of paradigm away from the quantification of the degree of the narrowing, or stenosis, towards the characterization of plaque.

In general, there are two different types of plaques: unstable and stable. The unstable plaques are regarded as dangerous while stable plaque is usually calcified plaque. With the invasive, conventional angiogram you can only see the stenosis, but you can’t tell anything about the vessel wall itself where the plaques develop. With these new cross-sectional techniques, you can quantify the degree of stenosis. Eventually, we hope to differentiate between a dangerous plaque and a stable plaque.

STEFAN RUEHM, M.D., Ph.D., is an associate professor of radiology and director of cardiovascular CT at UCLA Medical Center. Reach him at sruehm@mednet.ucla.edu or (310) 825-0958.

Sunday, 31 December 2006 19:00

Workers’ compensation

In the modern business landscape, workers’ compensation provides a safe workplace environment and financial compensation in the event of an employee injury. It also provides a system whereby employers can fulfill their obligation to provide employee protection while also allowing a way to budget costs associated with workers’ compensation injuries.

A number of risk services are geared toward businesses, but every company has its own individual needs when it comes to workers’ compensation. That’s where insurance agents play an important role.

“Agents or brokers can be your absolute best friends in this process because their end objective is to improve your risk profile,” says Mike Eckert, vice president of risk services for Kapnick Insurance Group.

Smart Business spoke with Eckert about the importance of obtaining unbiased information, the best practices that can be employed in controlling workers’ compensation claims and why a safe work environment starts at the top.

How can a CEO or business owner most effectively identify his company’s strengths and weaknesses in regard to employee safety?

The key is getting a formal safety program audit from an objective source. The caution is that there may be certain consultants or other businesses that may have a bias. For example, perhaps they want you to buy more of their services even though such offerings aren’t necessarily in your best interest. You want someone who can take a fresh and objective look at your program to assure that it is the appropriate one for your organization and who can provide information on high-level, structural changes that may be needed.

What types of risk service capabilities are available?

A number of risk services are available from many sources. For example, national organizations can provide OSHA compliance services; organizations can provide training services and training tools; national nonprofit associations and government organizations such as OSHA have resources available to individual companies.

Like so many other things in business, paring through options and finding what the best fit is for your company is always a challenge because you don’t want to spend money unnecessarily. If you don’t have someone internally to help you with these choices, then having an external trusted adviser can help you ‘triage’ resources and get the best ones to you. Ultimately, an insurance agency can help coordinate some of those services for its client groups.

Are alternative risk financing programs a viable tool for companies hoping to minimize the cost of workers’ compensation?

They can be, but it’s certainly not a one-size-fits-all. It depends on a number of things like the state laws where you operate, the type of business that you’re in, your loss history, the nature of the exposures that you might have, and your financial strengths and capabilities. For some companies, guaranteed-cost programs can be a great fit. For other companies, being in more traditional types of programs may be a better fit for them. Again, having quality, trusted advisers to steer you through that process as a business owner is critical. Because workers’ compensation is really a long-term financial obligation, not only will current business needs and strengths need evaluation, but they must also be projected into the future.

What best practices can a business use to help control workers’ compensation claims?

Pay attention to workers’ compensation matters and manage them like any other valued part of your business. Many company owners, officers and key managers are under the assumption that the insurance carrier will take care of all of their needs related to workers’ compensation. The reality is that the business owner needs to be savvy and have an understanding of fundamental loss-control principles. The level of knowledge necessary for key managers and executives doesn’t have to be terribly complex and time-consuming, but understanding fundamental principles is critically important.

How important is it for management to be fully committed to creating a safe work environment?

It’s absolutely essential. Ultimately, there is not an individual within any organization who manages safety at a higher level than their executive management team will allow. It takes a firm, visible commitment, active involvement and a desire to understand what the processes are.

Creating a safe work environment involves more than lip service. Anytime workplace safety is perceived as being less important than productivity or quality, it loses a lot of traction within an organization.

MIKE ECKERT is vice president of risk services for Kapnick Insurance Group. Reach him at (888) 263-4656 ext. 1160 or mike.eckert@kapnick.com. Kapnick Insurance Group will sponsor a safety seminar in Adrian, Mich., on January 23 and in Novi, Mich., on January 30. For more information visit www.kapnick.com.

Wednesday, 20 December 2006 16:03

M&A considerations

The past several years have been good to middle-market business owners looking to sell their companies. The confluence of private equity funds and businesses looking for a strategic edge, both bidding on the same entities, has caused prices to spike.

Dan Shea, managing director of W.Y. Campbell & Co., a subsidiary of Comerica Inc., says that banks have also played a role in the active market, given their willingness to fund deals.

Smart Business spoke with Shea about the current climate for selling businesses, the types of buyers who are driving the market and how valuations should be handled.

What’s the current environment like for selling a business?
It’s one of the best markets since the late ‘90s. Buyers are aggressive because they have cash and feel good about the economy, while banks are helping by providing acquisition debt. At the same time, sellers see what a good time it is to sell, given the activity levels of buyers and historically high prices. It’s a liquid market, which isn’t always the case.

Toward the end of 2005 and on into 2006, it appears that the growth in the number of deals has started to level off. We don’t believe that transaction volumes are going to go down, we just see them leveling.

What types of buyers are driving the market?
The strategic buyer has been more active in recent periods and is looking to benefit from the synergies that can accompany a purchase, such as with a target’s customers, products, channels and geographic locations. Both public and private acquirers are aggressively seeking growth through acquisition to complement internal growth initiatives.

There are also private equity firms that go out and raise capital for the purpose of buying and holding companies. They look to grow sales and profits before selling anywhere from one to seven years down the road for a nice return. According to Private Equity Intelligence, through September of 2005, private equity capital fundraising surpassed the level achieved in all of 2004, so there is a tremendous amount of capital waiting to be invested.

When contemplating selling or acquiring a business, what should a CEO or business owner consider?
If they’re a seller, they need to be mindful of making a market for their business. Most middle-market companies are privately held so the process is not as easy as selling stock on the open market. With private companies, there is no established market for the business; you have to make the market.

Hire someone who can prepare and provide the appropriate information in a compelling manner under confidentiality agreements to qualified prospective buyers and then assist in establishing a price, a structure, and terms and conditions acceptable to both parties. A seller wants multiple buyers bidding for their business to ensure they can drive a good deal — too many lose value (and time) by engaging in what we call one-off transactions.

Buyers, both strategic and financial, need to make sure the perceived benefits of the acquisition are for real. Strategic buyers in particular need to have a realistic integration plan and a realistic forecast of expectations for the combined entity, because studies show that the majority of transactions fail to meet objectives. The way to fix this problem is to set realistic objectives and then don’t overpay — you can pay at most for the value the acquisition creates and, ideally, less would be better.

How should the valuation be handled?
The market will decide the eventual price but it behooves sellers to have a good idea of the likely outcome before initiating the sale process. Realistic expectations are critical or else a lot of time and money will be wasted.

Sellers should have their investment banker develop an estimate prior to engagement. This estimate should triangulate the results of a variety of valuation techniques including guideline public company and recent transaction analyses.

We rely on discounted cash flow analysis as well because this technique provides for more granularity. It is where you take a look at the expected future cash flows of the business and value the business based on what those cash flows are worth today.

People talk about multiples of various accounting measures such as sales or earnings to arrive at initial value estimates or as rules of thumb, but discounted cash flow analysis is the predominant technique employed for estimating value at a more thoughtful level.

Daniel S. Shea is a managing director of W. Y. Campbell & Co., a subsidiary of Comerica Inc., and head of the firm’s Los Angeles Office. His responsibilities include relationship management and client representation in sell-side, buy-side and private placement transactions. Reach Shea at dshea@wycampbell.com or (310) 297.2894.

Wednesday, 25 October 2006 10:44

E-mail fraud protection

Anyone with an e-mail address is at risk of being scammed by a practice called phishing. For the perpetrators, it’s simply a numbers game. They send out millions of deceitful e-mails with the hope that even a few recipients will act on them, and in the process, unwittingly provide personal and financial information.

The objective behind phishing e-mails is a sinister one, says Hormazd Dalal, president of Castellan Inc. “Underground organizations do it to access bank accounts and glean the information they need to make online charges or to make wire transfers from banks.”

Smart Business spoke with Dalal about how to spot phishing scams, the manner in which phishing has evolved and what type of protection is available.

What is phishing?
Phishing is the process of duping Internet users, by e-mail, to go to a fake site that poses as their bank. Once a target visits the phony site, they are requested to type in private, confidential information like bank account numbers, PIN numbers, Social Security numbers, and so on. This information then enables the ‘phisher’ to access banking information for illegal purposes, such as withdrawing funds, making fraudulent purchases and stealing identities.

How can a person spot a phishing scam?
Typically, valid banks send notices in their statements to customers saying that they never request information via e-mail. Any e-mail that requests this information should be treated with skepticism.

If you’re an advanced computer user, you can usually determine whether an e-mail is fraudulent or not by verifying the link to the Web page that has been pulled up. In many cases, you will notice that it is not actually at your bank home page and that it has a different IP address. The Web page, however, looks very professional and it looks like it could be the bank’s. Sometimes it is possible that the Web site could be secure so you can’t judge whether it is legitimate by the lock in the corner of the page.

The best way to avoid phishing is to know that you should never be typing your information into a Web site that you have arrived at from a link in an e-mail.

What are some common elements of phishing e-mails?
The major characteristic is that they have a clickable link to another Web site. A valid e-mail from a bank would instruct the user to log onto their site and will give no further information. It would not contain a link, but rather would direct the user to authenticate the transaction by using his or her specific password.

How have phishing scams, such as spear phishing, evolved in an effort by perpetrators to elude detection?
As the Internet populace becomes savvier and more aware about identity theft, phishers try and pose as though the e-mail is coming from a known person rather than from a bank. This is part of the technique that spammers use to spoof an e-mail address.

Spear phishing is when a scammer attempts to make the e-mail appear as though it’s coming from someone you know within your company or department. Essentially, they’re targeting you with the expectation that you’re more likely to click on a link from such an e-mail because it appears to have more credibility.

What technologies are available for protection?
There are several databases of known phishing schemes. Starting later this year, Microsoft will be releasing IE7, its new browser, which will check against these phishing databases and alert you if it is indeed a known phishing site. Although these technologies will mature and the databases will be updated more regularly there is always the latest phishing scam that will slide through. The nature of phishing is that it can’t be identified by patterns. An e-mail is sent to a user who’s asked to go to a specific site and if that site is a brand new phishing site that is unknown to the databases then that user is vulnerable. No technology can stop a person from going to a specific site and typing in their private information. The best defense is to never go from an e-mail to a link to a Web site.

In the future, how do you anticipate people being able to protect themselves against phishing schemes?
As technology evolves, users will become readily protected. Protecting against phishing is in its infancy. By the end of next year, there will be far more efficient systems in place to diagnose and recognize phishing scams. The FBI is also actively involved in tracking down phishing schemes.

HORMAZD DALAL is president of Castellan Inc. Reach him at (818) 789-0088 ext. 202 or hormazd@castellan.net.

Thursday, 21 September 2006 07:35

Financial accountability

It’s been four years since the Sarbanes-Oxley Act was signed into law. Although private companies and nonprofit organizations are generally exempt from its provisions, many such organizations have found that certain aspects of the act can enhance their overall operations. It has raised the bar for what constitutes best practices in governance and expectations regarding internal control.

“Many companies are taking the idea of improved governance and accountability seriously and are recognizing how it benefits their organization,” says Gema Ptasinski, a partner at Vicenti, Lloyd & Stutzman LLP. “It helps to reduce risk of fraud, it increases confidence and credibility with stakeholders, and it results in having a stronger entity.”

Smart Business spoke with Ptasinski about what types of provisions make the most sense for private companies, the role of audit committees, and how to develop internal controls.

What types of private companies might want to voluntarily adopt the Sarbanes-Oxley provisions?
Companies that are going public will need to spend some time and money to show that they can comply with the act. Prior to an IPO issue, a private company will want to look into the provisions of the Sarbanes-Oxley act sections that require management to take responsibility for internal controls over financial reporting and conducting a year-end assessment of the internal control structure.

Companies considering mergers or being acquired by a public company will also need to show compliance. If you’re looking for investor funding and have documented internal controls and governance policies, you will be more attractive and able to secure investor funding.

Also, companies with absentee owners might consider the governance features of the act to help ensure that professional management is doing a good job.

Finally, some organizations are receiving pressure from board members, auditors, attorneys and investors to implement certain ‘best practices’ of the act.

What types of best practices make the most sense for private companies?
Private companies may want to consider having the CEO and CFO sign a financial statement certification. This acknowledges responsibility for the financial information being accurate and demonstrates their leadership and competence.

A second best practice would be the formation of an audit committee. The audit committee should be independent of management and should be composed of individuals who have financial expertise.

Additional best practices include developing codes of ethics and conflict-of-interest policies to set the tone of expected behavior for all employees and in light of the potential risk of fraud in any organization, providing an anonymous fraud reporting mechanism.

If an audit committee is formed, what is its role?
Committee members are responsible for interviewing and hiring the audit firm and ensuring independence of that firm. They’re also responsible for ongoing communication with the audit firm regarding the results of the audit. They should provide oversight of the fraud prevention program and assist the board of directors in fulfilling oversight responsibilities. A best practice for an audit committee — or for a board if there is no audit committee — is approving nonaudit services performed by the auditor, such as comments on candidates for executive positions and tax services.

How can a private company determine if the audit committee has a financial expert?
Sarbanes-Oxley defines a financial expert as someone who either has education or experience as a public accountant, auditor, CFO, controller, or has performed similar functions. When a company is thinking about qualified committee members, it should find individuals who have an understanding of Generally Accepted Accounting Principles and experience in preparation or auditing of financial statements for comparable entities. They should also have experience with internal controls and understand audit committee functions.

What resources are available to help an organization develop a code of ethics or a fraud hotline?
The AICPA (American Institute of Certified Public Accountants) offers a wide variety of information on their Web page at www.aicpa.org. It has an anti-fraud resource center, a sample code of conduct and ethics, and information about audit committee effectiveness. There are service organizations that provide assistance in developing a fraud hotline.

Public companies are required to attest to and report on the internal control assessment made by management. Should private companies go that far?

Developing accounting and reporting policies and procedures is always a good practice for any organization. Considering the effectiveness of the internal controls in place is the key to minimizing fraud risk and risk of errors. An organization may want to consider establishing an internal audit function or committee. If resources and expertise are not available within the organization, they can consider outsourcing this function.

GEMA PTASINSKI is a partner at Vicenti, Lloyd & Stutzman LLP. Reach her at (626) 857-7300 x243 or gptasinski@vlsllp.com.

Thursday, 21 September 2006 07:15

Two for the show

A virtual machine is a simulated computer inside a computer. In effect, this type of technology enables multiple operating systems, as virtual machines, to run concurrently on a single machine.

The uses for such a setup are plentiful. Companies are aided by virtual machines in the testing, production and development of software applications. Also, entities with extra space on their servers can use virtual deployment to set up multiple applications for their business.

While virtual machines have not reached the mainstream yet, Hormazd Dalal, president of Castellan Inc., believes that they will eventually make their presence felt.

“It’s a technology that is more readily available as hardware costs have come down,” says Dalal. “Also, there are many uses.”

Smart Business spoke with Dalal about how virtual machines can help businesses, the costs involved, and why he believes virtual deployment will become the norm for certain types of companies.

What is a virtual machine?
A virtual machine is a program designed to behave as if it is a physical computer, otherwise known as an emulator. It clones a computer and puts it on another piece of hardware. Thereby, it gives you the ability to have multiple computer operating systems and configurations running on one piece of hardware.

How does this type of technology help businesses?
It has several useful applications. You can set up a ‘spam’ appliance and put it on the server so it functions as a virtual appliance. It’s very good for testing because you can have one piece of hardware doing multiple configurations.

In a production mode, it’s useful for businesses that have the resources to purchase one large piece of hardware because they can have several applications or operating systems running on it.

In addition, it’s very good for development. For example, if you need to develop something that will run on Windows 2000, but also Windows 2003, you can have them both running on one piece of hardware and then test them simultaneously.

What are the costs involved with virtual machines?
VMware is currently being offered free of charge. The major outlay is the cost associated with obtaining high-end hardware with a lot of memory. If you have one server that needs two gigabytes of memory, and you’re trying to emulate two servers on the same machine, then you will need four gigabytes of memory. It is important to provide the adequate resources such as processing power and RAM (random-access memory) for the virtual machines that are in operation. Also, bear in mind that any virtual machine will run slightly slower than the actual computer that it is running on.

What types of operating systems are virtual machines compatible with?
They are compatible with any operating system. You can run a Linux appliance on a Windows machine, you can run a UNIX appliance on a Windows machine and you can run all of the Windows operating systems on any given machine. A benefit with virtual machines is that you can have one machine running with Windows 98, Windows XP, Windows Vista and a Linux appliance, which is helpful for testing purposes.

Why do you believe virtual deployments will gain popularity in the upcoming years?
The fact that Microsoft has now come out with its free version of VMware, and has come into the marketplace with a VMware server, is one reason. I don’t see it becoming mainstream for all companies, but those that do have one large server with under-utilized horsepower on it will be able to set up multiple applications running on that server. It will be embraced primarily by large companies and development shops.

HORMAZD DALAL is president of Castellan Inc. Reach him at (818) 789-0088, ext. 202, or hormazd@castellan.net.