When trying to learn about an individual, many companies turn to online background checks. However, this could be a mistake as much of the available information may not be fully verified, which is why many businesses turn to a licensed investigator to help provide a more complete and accurate picture.

Smart Business spoke with Theresa Mack, CPA, CFF, CAMS, CFCI, PI, a senior manager at Cendrowski Corporate Advisors LLC, about working with a licensed investigator to help your business uncover the information you need.

Why hire a licensed investigator?

Most online or database-driven background checks are actually ‘record checks.’ In other words, data from records are compiled and the quality of the source information is not thoroughly verified.

This cursory check may be sufficient in some cases. However, depending on the information found, the nature of the background check, the check’s intended use and the access to confidential/proprietary information that a potential employee may have, a complete background due diligence investigation by a licensed investigator may be warranted.

An investigator uses multiple resources to verify data accuracy and corroborate information. Thus, background due diligence investigations help reduce the risk of client reliance on false information.

How do investigators perform background due diligence activities?

An investigator generally works on a six-step methodology: prepare, inquire, analyze, query, document and report. This methodology is highly applicable to background investigations. An accurate and comprehensive investigation is based upon existing, determined and verified information, leaving no rock unturned.

Investigators will tailor their activities to suit the needs of their clients, which typically include attorneys, businesses and individuals. Client needs will define both the records checked by the investigator and the type of documents that can be released to the investigator and the client.

Where does an investigator begin?

An investigator often begins by examining open-source information, which refers to sources that are overt and publicly available. These are available through online data warehouse applications, which house data from disparate sources.

Open-source information includes public documents that are created throughout a person’s lifetime, allowing the investigator to follow a paper trail leading to a complete history of the individual being searched. These may include court filings, property tax documents, vehicle registrations and social media sources. Open-source intelligence is a form of intelligence collection management that involves finding, selecting and acquiring publicly available information and analyzing it to produce actionable intelligence.

How does an investigator evaluate sources?

Any record is only as good as the chain of events involved in its creation. Online record checks simply provide information on an individual. Investigators go further by evaluating the veracity of the source data.

Record maintenance, storage and dissemination procedures can often impact the accuracy of the information. Typos, misprints and mistakes introduced by human error can also affect the accuracy of records. These latter items are often seen on personal credit reports, criminal convictions and even civil litigation histories. While these are official records, they can contain errors nonetheless.

Processes for updating records can also compromise the accuracy of information, as records are only as accurate as their frequency of updates. Some records are never updated and may provide stale data if the user is unaware of this underlying issue.

Finally, the method that data warehouses employ for acquiring information critically impacts information integrity. For instance, the provider may have purchased information from a secondary source. In such an instance, it is essential that the provider have accurate retrieval processes and is knowledgeable about handling special data items.

An investigator evaluates each of these issues over the course of conducting background due diligence activities.

Theresa Mack, CPA, CFF, CAMS, CFCI, PI, is a senior manager at Cendrowski Corporate Advisors LLC. Reach her at (866) 717-1607 or tbm@cendsel.com.

Insights Accounting is brought to you by Cendrowski Corporate Advisors LLC

Published in Chicago

Challenging times present opportunities for organizations to perform detailed assessments of their operations. Performing operational assessments can help organizations identify, mitigate and take advantage of the risks that they face. These assessments focus on process design and execution risks.

“When properly performed, operational assessments identify areas where process design and execution risks are not aligned with an organization’s risk tolerance,” says James P. Martin, a managing director at Cendrowski Corporate Advisors LLC.

Smart Business spoke with Martin to learn more about operational assessments.

How can operational assessments help?

Organizations must achieve a diverse set of strategic objectives. This is accomplished by translating strategic objectives into operational objectives that are often interdependent, yet disparate.

Operational objectives include revenue growth, operational efficiency, compliance with laws and regulations, public perception, corporate responsibility and market leadership, as well as customer and employee satisfaction. Attainment of each requires the assumption of inherent risks.

Operational assessments focus on mitigating inherent process design and execution risks through the use of controls. Controls are employed to reduce an organization’s residual risk, or risk after control implementation, to a tolerable level.

What’s included in operational assessments?

Operational assessments examine whether an organization’s processes enable the achievement of strategic objectives. The first step is breaking down process design and execution elements into tasks performed by employees. This is often accomplished through employee interviews, as well as through observation in the workplace.

Once tasks have been identified, risks associated with the accomplishment of tasks are enumerated, as well as controls centered on mitigating risks. Risks are quantified by likelihood and impact. High-likelihood and/or high-impact risks are prioritized for mitigation in operational assessments, as they pose the greatest threat.

How can organizations decrease high-likelihood and/or high-impact risks?

High-likelihood risks can be decreased through preventive controls, while high-impact risks can be decreased by detective controls. For example, organizational training regarding fire hazards decreases the likelihood that a fire will occur. This is a form of preventive control. Proper placement of fire detectors throughout an organization’s premises decreases the potential impact should a fire occur. This is a form of detective control.

For risks that remain at a level too high for the organization to tolerate, new controls must be developed to bring residual risks in line with the organization’s risk tolerance. Otherwise, the organization should consider outsourcing the risk — for example, utilizing hedging strategies and insurance contracts that transfer risk to a third party.

What can be missed when performing operational assessments?

A key element that is sometimes missed by those performing operational assessments is the assignment of clear roles and responsibilities to team members who will oversee the creation and redesign of process controls. Without accountability, proper incentives are not present, and the operational assessment may struggle to achieve its intended results.

How do these assessments differ?

Risk assessments primarily assist organizations in preserving shareholder value, while operational assessments also help organizations grow shareholder value. More specifically, a risk assessment is really a deep dive into one component of an operational assessment. It involves the identification and analysis of potential risks that may impede an organization from achieving its strategic objectives.

By performing risk assessments across the organization, organizational managers can develop plans to mitigate the risks an organization may face, helping preserve its objective from potential threats and, hence, its shareholder value.

Actively identifying internal risks also can help organizational managers remove the opportunity for fraudulent activity.

James P. Martin, CMA, CIA, CFE, is a managing director at Cendrowski Corporate Advisors LLC. Reach him at (866) 717-1607 or jpm@cendsel.com.


On Aug. 13 the Public Company Accounting Oversight Board (PCAOB) exposed proposed changes to the standard auditor’s report that have the potential to impact the relationship between auditors and their clients.

“Practitioners, issuer entities and attorneys dealing with accountants’ liability matters should all understand the implications of the proposed changes,” says Barry Jay Epstein, Ph.D., CPA, CFF, a principal at Cendrowski Corporate Advisors LLC.

Smart Business spoke with Epstein about the changes and their impact.

What are the main proposed changes to the auditor’s report?

The proposal most likely to generate controversy is that which requires identification of what the auditors determined to be ‘critical audit matters.’ This will mean that audit decisions that are currently not shared with the public, and most often are not even disclosed to the clients, will be set forth for financial statement users.

The second of the proposed requirements pertains to auditor independence, auditor tenure and an auditor’s responsibility for information that is outside the financial statements but that is included in the financial statement filings. Auditors have long been required to at least ‘read and consider’ other information included in documents containing audited financial statements. This is in an effort to be assured that information, such as the management discussion and analysis section of Form 10-K, does not contradict or conflict with what the financial statements convey about the reporting entity’s financial position or results of operations. This rule was imposed in reaction to observed situations where disparate implications could be drawn from the financial statements and footnotes, on the one hand, and narratives such as the ‘chairman’s letter,’ which sometimes would present a rosier scenario than would seemingly be warranted by the ‘hard data’ in the financial statements, on the other hand.  

The last of the three proposals amplifies slightly the already-extant options for the auditors to include certain explanatory paragraphs, addressing matters that, in the auditors’ judgment, deserve to be emphasized. It also draws attention to the so-called ‘going concern’ language when there is substantial doubt that the reporting entity will be able to survive for a year beyond the balance sheet date. These changes, too, are not deemed likely to garner opposition from the profession, or to expand auditors’ exposure to litigation.

What specifically would citing critical audit matters entail?

According to the PCAOB, critical audit matters are those matters addressed during the audit that:

  • Involved the most difficult, subjective or complex auditor judgments.
  • Posed the most difficulty to the auditors in obtaining sufficient appropriate evidence.
  • Posed the most difficulty to the auditors in forming the opinion on the financial statements.

Most firms’ internal audit guidance materials, such as manuals, programs and checklists, require that auditors plan their audits on the basis of financial statement assertions. Inherent and control risks must be considered for each of these assertions so that appropriate planned audit procedures can be selected or developed for each material assertion. Unless litigation later arises, these audit judgments are not generally shared with others, even with client personnel. Thus it is a radical departure to propose that critical audit matters be explicitly set forth in the auditors’ report or be made public in any other manner.

Will the PCAOB proposal improve the efficacy of audits?

As the SEC, the PCAOB and assorted academic researchers have documented, the predominant reasons audit failures occur among public companies are:

  • Exhibiting insufficient audit skepticism.
  • Failure to obtain and correctly evaluate sufficient appropriate audit evidence.
  • Inadequate planning, including risk assessments.

Audit failures rarely occur because the auditors misidentified critical areas deserving of audit attention.

Barry Jay Epstein, Ph.D., CPA, CFF, is a principal at Cendrowski Corporate Advisors LLC. Reach him at (866) 717-1607 or bje@cendsel.com.


Since infiltrating the business world, the use of social media has increased at an incredible rate. Last year, Netflix CEO Reed Hastings caused considerable commotion in the financial community when he announced via Facebook that Netflix had exceeded 1 billion viewing hours in a month for the first time. There was heavy debate as to whether it was appropriate for a high-level executive to divulge material information regarding a public entity’s success through social media.

Fast forward one year and the SEC just released a statement in April allowing companies to make announcements through social media outlets provided investors have the ability to gain access to material information at the same time. Clearly, social media has become a mainstream tool for companies and is an issue management must address.

Smart Business spoke with Matthew P. Breuer, J.D., an associate with Cendrowski Corporate Advisors, about how the use of social media can introduce risk to your company.

What are some of the major risks and issues with social media?

Social media pose risks to companies in a variety of ways. Perhaps the biggest risk stems from reputational impact on an organization, which can come from both social media interaction by the company and/or through public discussion about the organization through social media.

The potential damage from posting confidential information is another risk companies must take into account. This can be particularly difficult to prevent because confidential information could be released inadvertently by an employee or by an unknown individual with insider knowledge, which makes it all the more important for a company to manage and document who will have access to key material information. An unauthorized employee speaking on behalf of the company and libelous statements are other major risks that should not be overlooked. In addition, the risks of social media can trickle down to affect a company even at the level of an individual employee, with a risk as simple as decreased employee productivity. Consequently, these risks should all be addressed by management when developing a strategic plan.

Why is social media such a difficult subject for companies to address?

Companies are increasingly using social media, but still have difficulty grasping its changing intricacies, especially as it continues to evolve at a rapid pace and revolutionize marketing and customer interaction. The difficulty of handling the identified risks of social media can also be attributed to the balancing that needs to be done to ensure an organization still reaps the benefits of social media.

Despite all of the risks, social media serves as an excellent channel for marketing contact, increasing company exposure, customer base development, increasing sales activity and as a tool for recruiting. Moreover, using social media can allow a company to gain a better understanding of customer or consumer perception of the company. Developing an approach to utilize the benefits while mitigating the risks of social media is never an easy task.

What can companies do to mitigate risk?

Mitigating the risks associated with social media begins from the top. Management must have a clear and defined social media policy already entrenched within a company. The policy should clearly outline expectations and address social media interaction deemed to be forbidden. This policy is especially imperative in smaller companies. While larger companies may be able to have positions created for this purpose or outsource the responsibilities to outside agencies, smaller companies will have fewer resources and less time to monitor their company’s interaction with social media. In addition, management must be aware of any legal ramifications that could arise from the use of social media. Management’s strategic plan should also determine the individual(s) who will have access to a company’s social media.

Companies may never be able to eliminate all of the risks of using social media, but management having a clearly communicated plan already in place is an effective way to mitigate these risks.

Matthew P. Brewer, J.D., is an associate with Cendrowski Corporate Advisors LLC. Reach him at (866) 717-1607 or mpb@cendsel.com.


On July 30, 2012, the National Labor Relations Board (“NLRB”) ruled that the practice of Banner Health System, a non-union employer, of advising its employees to refrain from discussing ongoing internal investigation matters with co-workers violated Section (a)(1) of the National Labor Relations Act. Prior to the Banner Health System decision, businesses had a certain level of discretion in implementing confidentiality requests. However, the freedom to make such requests may no longer be exclusively in the hands of management and may even no longer be permitted without special justification. Companies should take notice.

Courts and administrative agencies are cracking down on blanket employer requests for silence without adequate justification during investigations and the NLRB confirmed this standard in Banner Health System d/b/a Banner Estrella Medical Center, 358 NLRB No. 93 (2012) (“Banner”). The Banner decision came after a technician working for a hospital voiced concern to the hospital’s human resources consultant about certain practices he did not feel comfortable following and believed could cause a patient to become sick. After complaining to human resources, he was instructed to not discuss the matter with any of his co-workers while the hospital conducted its investigation. The same human resources consultant would routinely make identical confidentiality requests to other employees who made complaints that were subject to an investigation.

Given the recent Banner decision, corporate response plans must be sensitive to the level of confidentiality involved in internal investigation matters and specify the proper protocol for disclosing information within an organization.

Smart Business spoke with Andrea Gonzalez, senior manager at Cendrowski Corporate Advisors LLC, about the Banner decision and the potential trickle-down effect it could have on business confidentiality processes during investigations.

What should an organization learn from this decision regarding confidentiality issues in internal investigation matters?

Companies will need to have established protocol ready in the event an internal investigation is launched and the protocol will need to address the issue of confidentiality. There may be a valid justification for confidentiality between co-workers in an internal investigation. However, in order to withstand a challenge, such as the one in Banner, companies will need to be able to readily articulate these justifications. Blanket requests are likely to fail, but well-planned and established processes will not only survive any challenges but continue to allow for effective internal investigations consistent with management’s plan. Each corporate response plan needs to take confidentiality issues into account, be planned in advance and be individualized to the present issues so that it is not found to be overly broad or too burdensome.

How can an organization justify a confidentiality request and likely succeed if challenged?

In Banner, the NLRB discussed the appropriate criteria for determining whether an organization has met the burden of justifying its approach. Despite the hospital’s argument that the confidentiality was necessary for protecting the investigation, the Court stated the hospital needed to show (1) it was necessary for the protection of the witnesses; (2) evidence could potentially be destroyed; (3) testimony could be fabricated; or (4) there was a need to prevent a cover-up. The hospital was unable to do so.

Management should keep these factors in mind during the planning phase of their response plans and protocol should reflect this idea. Retroactive planning after an internal investigation has been launched should also be avoided.

In the event of a challenge to the confidentiality request, what is the best course of action?

One of the most important aspects of combating a challenge to a confidentiality request is an organization’s effort to document its basis for each confidentiality request. An individual file should be maintained with detailed and updated information regarding the investigation. A company should also consider engaging counsel to maintain privilege and identify additional information needed to support or contradict its position. A company may never have perfect information, but a well-maintained file is instrumental in its analysis of a challenge and the manner in which it should proceed.

How can an organization ensure their plan for confidentiality requests is implemented properly?

An organization should monitor guidelines or protocols in place and ensure any blanket policies have been removed. From the moment an investigation begins, the organization should continue to revisit its confidentiality requests and evaluate the facts of the current investigation. A checklist of all questions and open items should be kept, and findings should be reviewed for accuracy and completeness. The communications protocol for personnel involved in the investigation should also be presented to all parties in a clear and concise manner.

How can an organization gain confidence in established confidentiality request guidelines and policies?

Organizations can engage a third party to perform a detailed independent review of an ongoing investigation to evaluate whether the established policies and procedures are being adhered to by individuals conducting the investigation. The third party can also assess whether the confidentiality requests would withstand a challenge under Banner.

The feedback provided by the third party would enable the organization to adjust their guidelines and policies to help ensure future confidentiality requests succeed if challenged.


Andrea Gonzalez is a senior manager at Cendrowski Corporate Advisors LLC. Reach her at (866) 717-1607 or arg@cendsel.com.


The requirement for appropriate enterprise risk management (ERM) techniques continues to grow. The recently passed Dodd-Frank Wall Street Reform and Consumer Protection Act calls for a risk committee to be established by all public, nonbank financial companies, as well as larger public bank holding companies.

Supervised by the board of governors of the Federal Reserve, the risk committee will be held responsible for enterprisewide risk management oversight and practices. Additionally, ERM is a central focus for many organizations outside of the financial sector looking to mitigate risks in today’s volatile economic climate.

“All organizations face uncertainty; the challenge for management is to determine how much uncertainty to accept,” says James P. Martin, CMA, CIA, CFE, managing director of Cendrowski Corporate Advisors LLC. “Uncertainty brings both risk and opportunity, with the potential to enhance or erode value. A robust ERM process helps the organization ready itself to make the most of the opportunity while appropriately managing the downside of relevant risky events.”

Smart Business spoke with Martin about how companies can establish effective ERM processes and the benefits of such processes to organizations.

How can an effective ERM process benefit an organization?

In short, effective ERM processes help the organization respond to the constantly changing business environment. More specifically, ERM helps organizations quickly perceive changes in their environments, analyze these changes, develop a plan for response and execute this plan. Through identification and planning, organizations will improve their resilience to changes in their environment by viewing the realization of risky events as opportunities for shareholder value creation rather than degradation: If an organization is able to successfully mitigate risky events and capitalize on opportunities presented by change, it will tend to be more successful than those that are not prepared.

On what areas of risk should organizations focus?

Risk is really a continuum across the business environment, but for simplicity, there are generally four main areas that must be considered: strategic, operational, process and compliance risks. The latter element is a key thrust of the recently passed Dodd-Frank law.

In brief, strategic risks are those associated with the organization’s plan to create shareholder value, including its chosen risk/reward appetite; operational risks relate to the design of processes intended to carry out the organization’s strategy; process risks are presented by the day-to-day operations of the organization; and compliance risks are those associated with an organization’s failure to comply with federal, state and local laws and regulations.

Can you describe the differences among these four types of risks?

Strategic risks can prevent the accomplishment of the strategic objectives of the organization. These include visionary plans to maximize shareholder value over a long-term horizon. These objectives drive operational objectives, such as the deployment of people and other resources, which present another layer of risk to the organization. These objectives, in turn, define and drive operational processes. These layers must all work in harmony to ensure that overall objectives are achieved. The risk assessment process should encourage ongoing, active identification of risk and ensure that ideas about risk facing the organization at any level are elevated to the appropriate level. Compliance risks pervade virtually all levels of an organization and thus are a foundational element of an organization’s strategy, operations and processes. However, due to their marked importance, the Dodd-Frank law has explicitly stated that organizations should place an intense focus on compliance risk and that compliance risks should be integrated with other areas of risk in the assessment process.

How should risks be identified and evaluated?

Risks should be identified and evaluated through the use of ERM workshops. These workshops bring together numerous subject matter experts, allowing them to collectively brainstorm risks faced by the organization in an open environment.

Once identified, the impact and likelihood of risks should be estimated by subject matter experts. Those risks with both high impact and high likelihood should be prioritized for oversight and monitoring by the organization, as they can have the greatest potential effect on the organization’s objectives.

What types of individuals should participate in ERM workshops?

An ideal workshop participant is an open and honest communicator who embraces change rather than impedes it. Even though numerous individuals within an organization may have excellent ideas regarding organizational risk and how risk readiness can be improved, many may fail to share them due to their personality or because the organization has created obstacles to communication.

However, beyond these traits, the characteristics of an ideal workshop participant will differ by the type of workshop being conducted. For instance, in conducting an operations-focused ERM workshop, an ideal participant would be a creative thinker and a process visionary. By possessing these character traits, operational processes can be devised that maximize the organization’s rewards associated with its strategy while concurrently minimizing risk.

In contrast, an ideal participant in a process-focused ERM workshop need not possess these traits, but he or she should have a profound understanding of the workflow within an organization. This type of knowledge will help ensure processes are implemented according to their operational design.

James P. Martin, CMA, CIA, CFE, is managing director for Cendrowski Corporate Advisors LLC. Reach him at (866) 717-1607 or jpm@cendsel.com.


Published in Chicago
Tuesday, 31 July 2012 20:00

How to manage employment tax risk

When a company assumes the role of payroll administrator, there are considerations to protect the assets of the company from risk related to various employment taxes.

“There are several circumstances that may cause a company to run the risk of becoming noncompliant or considered evasive of employment withholding tax obligations, requiring employers by law to withhold taxes from their employees, including federal income taxes and other taxes required by the Federal Insurance Contributions Act such as Social Security and Medicare taxes,” says Walter McGrail, senior manager, Cendrowski Corporate Advisors LLC.

Although not discussed here, these same requirements apply to other employer taxes such as FUTA and taxes required by any states.

Smart Business spoke with McGrail about employment tax risks and what companies can do to mitigate them.

What are employment tax risks, and are they a realistic issue?

Companies are required to withhold taxes and remit them to the Internal Revenue Service via an authorized financial institution, as established by the Federal Tax Deposit Requirements. When the taxes withheld are not remitted, or not remitted in a timely manner, the company may be liable for penalties, interest, or, in the case of proven evasion, prosecution. Noncompliance may result in penalties and interest, whereas evasion may subject the responsible parties to criminal and civil sanctions.

According to the IRS, for fiscal years 2009 to 2011, it initiated approximately 500 investigations into employment tax evasion. Of these cases, more than 40 percent were investigated, recommended for prosecution, indicted and ultimately sentenced. Additionally, of those sentenced, 80 percent were incarcerated by means of either federal prison, halfway house, home detention, or some combination, lasting an average of nearly 24 months.

These penalties are most commonly levied against the responsible parties, including, but not limited to, corporate officers, shareholders, members and partners.

What are the most common methods, or schemes, related to employment tax evasion?

There are several common scenarios that could result in evasion or simply result in noncompliance when it comes to employment taxes. The most common, according to the IRS, involve pyramiding, utilizing unreliable intermediaries to remit the tax and misclassifying wages or salaries based on worker status or officers’ compensation treated as distributions. Due to the lengths someone may go to in order to evade employment taxes, there is even a listed transaction related to employment and the use of offshore employee leasing to evade these taxes.

If employment taxes are automatically withheld, how can companies be put at risk?

Companies are at risk when withheld taxes have not been paid in a timely manner, as prescribed by the IRS. Fraud can be an integral part of employment tax evasion.

Pyramiding is one of the more common practices. This involves the employer not remitting the taxes and using the monies to cover other liabilities or operating shortfalls. If the employer continuously uses this practice to continue the operation of the company, the amount can accrue over time (pyramid) to the point where business operations cannot recoup the funds utilized and the company is left with a tax liability and no cash. The frequent result is the business going under.

Unreliable payers can also be an issue. A payer can be either a third party or related (someone employed by the company). Both types of payers can be instrumental in causing the company to be at risk of noncompliance.

Third-party payers generally fall into one of two categories: Payroll Service Providers (PSP) and Professional Employer Organizations (PEO). PSPs typically assume the role of payroll administrator and the responsibility for making employment tax payments and filing the appropriate employment tax returns. PEOs effectively lease employees and assume the role of human resources, managing the administrative, personnel and payroll functions for the company. Tax issues can arise when either type of third-party payer is in control of employment taxes or the company dissolves. This can leave employment taxes unpaid.

If the company utilizes an internal department or employee to pay employment taxes, there are different ways the company can be exposed to risk. One way could be rooted in fraud. If the payer were to pay taxes but not properly credit them to the company’s tax account, the company would still have an employment tax liability and no funds to pay the taxes owed.

Much like other frauds that involve payables, funds can be paid or transferred to a taxing authority while being applied to a different account. The company believes its tax liabilities are being properly paid and may not become aware of an issue for months or years.

How can companies safeguard against employment tax evasion and noncompliance?

There are no guarantees, but one way to reduce possible exposure is to exercise due diligence when engaging a third-party or related payer.

Monitoring is essential to the process. The company can insist on paying all federal taxes electronically, utilizing the Electronic Federal Tax Payment System (EFTPS), which allows users to access tax payment history to ensure payments were made and applied to the appropriate tax account. Additionally, verifying and matching the amounts paid against the information reported on the Employer’s Quarterly Federal Tax Return (Form 941) can aid in reducing noncompliance and the possibility of employment tax evasion.

Additionally, ask your CPA to look at wages and related withholdings as part of the tax return preparation for your company.


Walter McGrail, CPA, is senior manager of Cendrowski Corporate Advisors LLC. Reach him at (866) 717-1607 or wmm@cendsel.com.

Insights Accounting is brought to you by Cendrowski Corporate Advisors LLC

Published in Chicago

Understanding when, where and how much credit risk is being incurred throughout an enterprise is important knowledge to possess to not only survive, but thrive, and that applies to both businesses and financial institutions.

Smart Business spoke with Scott B. McCallum, senior manager at Cendrowski Corporate Advisors, about how to create a basic credit risk assessment framework for banks, the elements of which businesses may wish to consider adopting and adapting for their own purposes.

What is credit risk?

Credit risk is the financial exposure one party has to a counterparty’s failure to meet its financial obligation. For a typical business, the most prevalent form of credit risk is, of course, the accounts receivable owed by clients or customers. Another credit counterparty is a company’s bank, whether to access deposit balances, fund draws on a revolving credit facility or receive contractual cash flows associated with an interest rate swap or foreign currency contract. Another form is prepaid expenses, such as insurance premiums, in which the business becomes an unsecured creditor of the provider of the service to the extent of unearned revenue. Credit risk arises to a seller of a business to the extent that a buyer finances a portion of the purchase price with notes payable to the seller.

How does credit risk arise at banks?

The primary risk that causes a bank to fail is credit risk. Looking at credit risk on an enterprisewide basis, banks hold most of their assets in the form of loans and investment securities. The most prevalent form of credit risk is in the loan portfolio, in which the bank lends money to a variety of borrowers with the intention of getting repaid in full.

Depending on the underlying investment securities in the portfolio, there is often credit risk embedded in securities other than those backed by the full faith and credit of the U.S. government.

Was JP Morgan Chase’s recently announced $2.3 billion loss related to credit risk?

Yes, according to an editorial in the May 14, 2012, edition of The Wall Street Journal, ‘J.P. Morgan recently suffered an unexpected loss of more than $2 billion on trades related to the creditworthiness of various corporations.’ The editorial also stated, ‘The bank had tried to protect itself from the potential of deteriorating financial markets by essentially making a bet that would pay off if corporate default risks increased.’

What is a risk assessment?

A risk assessment is an analytical exercise conducted to identify the risks associated with a particular business activity. A risk inventory is developed in the context of the defined business activity or process. Once the risks are identified, they are measured and ranked in priority based on an understanding of the magnitude and frequency of occurrence. Then, key risk indicators (KRIs) are developed to facilitate ongoing measurement of actual performance versus the KRIs. Risk reporting enables management and the board to provide effective monitoring and oversight.

What does a credit risk assessment process look like at a bank?

Banks are often organized to conduct business activities in silos, which can result in some risk gaps. A credit risk assessment helps to neutralize silos. Here is a basic credit risk assessment framework.

  • Identify major subcategories of credit risk (e.g., residential mortgages and home equity lines and loans; consumer loans; commercial and industrial, and owner-occupied commercial real estate loans; agriculture and farm loans; construction and development loans; and investment securities).
  • Engage key team members involved in making/underwriting the loans to identify credit risks for each subcategory.
  • Prioritize risks based on evaluation of financial impact from the magnitude of each occurrence and frequency of occurrence.
  • Develop KRIs for each credit risk subcategory.
  • Determine credit risk tolerances, limits and controls.
  • Develop reporting for effective monitoring by management and the board.

What are credit concentrations?

Managing credit concentrations is about maintaining prudent diversification in the composition of a bank’s assets. Banks have stepped up monitoring and management of credit concentrations such as limits on dollar exposures to any single borrower, or limits on the aggregate percentage of the portfolio consisting of certain loan types. Bank regulators also have been strong advocates of managing credit concentrations, as many that failed had high concentrations of those loan types.

What can businesses learn from banks to apply in their own credit risk assessments?

Know your counterparty. For the customer base to which you extend terms, establish credit limits per account debtor, obtain credit reports, background checks or similar reports that provide timely information and monitor for deterioration. Manage concentrations of business with your top 10 accounts. Identify local market or industry-specific key risk indicators that provide early warnings of elevated risks. Look for credit risk enterprise-wide, on and off the balance sheet. Understand the financial impact of the potential loss, based on magnitude and frequency of occurrence.

Finally, don’t compound a problem. Don’t sell more to deadbeats. Stay disciplined and diligent in actively managing customer limits and monitoring account debtors for deterioration. If you are concerned, take some risk out of the sale by requiring wire transfer remittances or cash-in-advance. And know your counterparty and sleep better at night.

Scott B. McCallum is senior manager at Cendrowski Corporate Advisors. Reach him at sbm@cendsel.com.

Saturday, 30 June 2012 21:00

The impact of fraud on organizations

The Association of Certified Fraud Examiners’ (ACFE) “2012 Report to the Nation” is one study that describes the losses that an entity may experience as a result of fraud: A typical organization loses approximately 5 percent of its annual revenue to fraudulent acts.

Small businesses often suffer disproportionate fraud losses, as the “median loss suffered by organizations with fewer than 100 employees was $190,000 per [fraud] scheme,” says James P. Martin, managing director for Cendrowski Corporate Advisors LLC.

“In today’s environment, companies of all sizes need to consider the risk of fraud and take proactive measures to help mitigate the risks that they face,” says Martin.

Smart Business spoke with Martin about how to take proactive measures to protect a business and help it fight fraud.

What can companies do to help mitigate the risk of fraud?

Fraud is not a random occurrence; it happens in situations in which conditions are right for it to happen. Identifying the root causes of fraud and removing the potential for fraud is called ‘fraud deterrence.’

There are procedures that can be applied in any organization to help alleviate the growing threat of fraud.

What is fraud deterrence?

The term ‘fraud deterrence’ refers to a systematic approach to identifying and removing the causal factors of fraud; it is not simply a plan focused on earlier fraud detection. Fraud deterrence is based on the premise that fraud occurs when the conditions are right for it to occur, more specifically, in situations in which there is motive, opportunity and rationalization for a fraudulent act.

These three elements, comprising the ‘Fraud Triangle,’ are the focus of fraud deterrence, as the removal of any one of these elements will reduce the opportunity for fraud to occur. In this manner, fraud deterrence centers on the premise that the causal factors of fraud can be recognized and proactively reduced in an organization.


How do the causal factors of fraud work?

It is through the implementation of strong internal controls that elements of the fraud triangle — the causal factors of fraud — are reduced. To illustrate the deterrence actions, consider a familiar example relating to fire deterrence and response:

Fire extinguisher = remediation

  • The fire has already happened.
  • Minimize the damage by quickly controlling the fire.
  • The longer the response time, the greater the damage that will occur.

Smoke detector = earlier detection

  • Earlier detection, before fumes can even be smelled.
  • Detects nothing until the event actually happens.
  • By the time the detector is activated, there has been a fire.

Removal of causal factors = deterrence

  • Removal of flammable materials
  • Removal of sources of ignition (e.g. not allowing smoking, flammables away from a flame source such as a water heater)
  • Increasing awareness of risk of fire (e.g. Smokey the Bear)

Deterrence of the fire event, just as in the case of fraud, is effected by the removal of causal factors without waiting for a warning sign that something has gone wrong. Of the three elements of the fraud triangle, ‘opportunity’ can be most directly addressed by the organization through improvements in the internal control structure.

What improvements can help eliminate opportunity?

First and foremost, make sure that cash is well controlled, and that starts with the bank account. The bank reconciliation should be performed by a person not involved with collections or disbursements. The bank statement should always go to a person not involved with any of those functions; in the case of a small business, the statement should go to the owner.

The statement should be reviewed for unexpected activity, including looking at the payee of each check, before a copy is provided to the person doing the reconciliation. Likewise, cash collections and deposits should be independently counted and verified. Basic diligence of cash can prevent many fraud schemes.

Would the deterrence activities also identify the need for further investigation?

Yes, fraud deterrence initiatives frequently move to detection activities: Fraud deterrence identifies an opportunity that could allow a fraud to occur; detection activities are performed to determine if anyone has exploited that opportunity.

Fortunately, fraud deterrence, and the resulting understanding of the opportunity for fraud, provides a clear roadmap for where such detection activities should be applied. Clearly, an organization that has instituted fraud deterrence activities has a greater defense against fraud than one that has not actively identified and eliminated the opportunity for fraud in its organization.

James P. Martin, CMA, CIA, CFE, is managing director for Cendrowski Corporate Advisors LLC. Reach him at (866) 717-1607 or jpm@cendsel.com.


Cloud computing is the marketing focus of many IT companies.

Ads touting the benefits of cloud computing and the “cloud readiness” of software products are visible in airports, print media and on TV, and surveys predicting the rapid adoption of cloud computing solutions appear regularly. But how do cloud computing solutions affect the production of electronic documents and information in a litigation setting?

Smart Business spoke with James P. Martin, CMA, CIA, CFE, managing director of Cendrowski Corporate Advisors, regarding the issues that can arise when attempting to obtain information when a party has information stored in the cloud.

What is cloud computing?

Cloud computing describes an IT model in which computing resources can be obtained and utilized on an as-needed basis; this is why cloud computing is often referred to as ‘utility computing.’ The end user is provided a turnkey solution that is supported and maintained by the service provider at a remote location.

Cloud computing is enabled by rapid, reliable Internet communications, and, in fact, ‘the cloud’ is a term referring to the pool of resources hosted on the Internet.

What are some common cloud solutions that should be considered in litigation?

Cloud computing applications include hosted email products, such as Gmail or Hotmail, picture hosting services, text message services, hosted document processing, as well as social media services such as Facebook, Myspace, or dating sites. These sites would potentially have data that could be relevant to the litigation.

How does a cloud solution affect electronic discovery?

Moving to a cloud computing solution does not remove an organization’s document retention requirements, and many cloud solutions tout their ability to help the organization meet statutory requirements. If the cloud vendor performs services to the public, access to the data stored in that solution would be subject to the restrictions of the Stored Communications Act.

It is also important to understand that this is an emerging area of law. Third-party solutions are evolving rapidly, and social media services are creating issues and carrying information that was inconceivable a few years ago. The legal system is dealing with emerging issues related to these new technologies and case law is changing rapidly.

What is the Stored Communications Act?

Data hosted by a third-party service provider may be covered by the Stored Communications Act (SCA), 18 U.S.C. §§ 2701-2712. This act was included as Title II of the Electronic Communications Privacy Act of 1986.

The SCA states that ‘a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service.’ The SCA was primarily written to protect the end user of computing services from government surveillance. In civil litigation, some courts have concluded that contents of communications cannot be disclosed to litigants even when presented with a civil subpoena.

How can a litigant obtain information subject to the SCA?

The SCA defines three categories of information; each category has different requirements to obtain the information. In litigation, the parties will tend to need access to ‘contents,’ such as email conversations and documents, which has the highest threshold. Contents generally require a subpoena with notice, a court order with notice, or a search warrant.

One wrinkle is that the SCA defines a ‘court of competent jurisdiction’ as any district court of the United States, and the U.S. Court of Appeals; it is silent on whether state courts may issue orders to providers outside their districts.

Are there any exceptions to these requirements?

Yes, the SCA includes several exceptions. Importantly, contents can be produced with the permission of the subscriber. Also, contents can be released in emergency situations related to the commission of a crime, death, or serious physical injury, or if it is submitted to the National Center for Missing and Exploited Children.

Also, the SCA applies only to companies that provide the service to the public. For example, consider a consultant who is provided an email account by a company where he or she is assigned for work. Court decisions have determined that the company providing such an email account is not covered by the SCA, as it does not provide services to the public.

How are courts dealing with discovery in a civil matter?

In a recent decision, the court noted that a subscriber could grant permission for the provider to release contents and reasoned that the information held by the provider was under the control of the subscriber, who therefore had a duty to exercise this control and retrieve the content. The court allowed a subpoena to the subscriber directing it to provide permission to produce the information. Courts continue to evaluate aspects of the SCA, and case law continues to build around these issues.

Investigators attempting to access information held by a third party will need to evaluate an appropriate course of action depending on the type of information to be received, as well as the relative cooperation of the subscribing party.

JAMES P. MARTIN, CMA, CIA, CFE, is managing director for Cendrowski Corporate Advisors LLC. Reach him at (866) 717-1607 or

