News & Tech Tips

Strong internal controls and audits can help safeguard against data breach

The average cost of a data breach has reached $4.88 million, up 10% from last year, according to a recent report. As businesses increasingly rely on technology, cyberattacks are becoming more sophisticated and aggressive, and risks are increasing. What can your organization do to protect its profits and assets from cyberthreats?

Recent report

In August 2024, IBM published “Cost of a Data Breach Report 2024.” The research, conducted independently by Ponemon Institute, covers 604 organizations that experienced data breaches between March 2023 and February 2024. It found that, of the 16 countries studied, the United States had the highest average data breach cost ($9.36 million).

The report breaks down the global average cost per breach ($4.88 million) into the following four components:

  1. $1.47 million for lost business (for example, revenue loss due to system downtime and costs related to lost customers, reputation damage and diminished goodwill),
  2. $1.63 million for detection and escalation (such as forensic and investigative activities, assessment and audit services, crisis management, and communications to executives and boards),
  3. $1.35 million for post-breach response (including product discounts, regulatory fines, legal fees, and costs related to setting up call centers and credit monitoring / identity protection services for breach victims), and
  4. $430,000 for notifying regulators, as well as individuals and organizations affected by the breach.

A silver lining from the report is that the average time to identify and contain a breach has fallen to 258 days from 277 days in the 2023 report, reaching a seven-year low. One key reason for faster detection and recovery is that organizations are giving more attention to cybersecurity measures.

Implementing cybersecurity protocols

Cybersecurity is a process in which internal controls are designed and implemented to:

  • Identify potential threats,
  • Protect systems and information from security events, and
  • Detect and respond to potential breaches.

The increasing number of employees working from home exposes their employers to greater cybersecurity risk. Many companies now have sensitive data stored in more places than ever before — including laptops, firm networks, cloud-based storage, email, portals, mobile devices and flash drives — providing many potential areas for unauthorized access.

Targeted data

When establishing new cybersecurity protocols and reviewing existing ones, it’s important to identify potential vulnerabilities. This starts by inventorying the types of employee and customer data that hackers might want to steal. This sensitive material may include:

  • Personally identifiable information, such as phone numbers, physical and email addresses, and Social Security numbers,
  • Protected health information, such as test results and medical histories, and
  • Payment card data.

Companies need to have effective controls over this data to comply with their obligations under federal and state laws and industry standards.

Hackers may also try to access a company’s network to steal valuable intellectual property, such as customer lists, proprietary software, formulas, strategic business plans, and financial data. These intangible assets may be sold or used by competitors to gain market share or competitive advantage.

Auditing cyber risks

No organization, large or small, is immune to cyberattacks. As the frequency and severity of data breaches continue to increase, cybersecurity has become a critical part of the audit risk assessment.

Audit firms provide varying levels of guidance, both when assessing risk at the start of the engagement and when uncovering a breach that happened during the period under audit or during audit fieldwork.

We can help

Contact us to discuss your organization’s vulnerabilities and the effectiveness of its existing controls over sensitive data. Additionally, if your company’s data is hacked, we can help you understand what happened, estimate and disclose the costs, and fortify your defenses going forward.

Review real-time data with flash reports

It usually takes between two and six weeks for management to prepare financial statements that comply with the accounting rules. The process takes longer if an outside accountant reviews or audits your reports. Timely information is critical to making informed business decisions and pivoting as needed if results fall short of expectations. That’s why proactive managers often turn to flash reports for more timely insights.

The benefits

Flash reports typically provide a snapshot of key financial figures, such as cash balances, receivables aging, collections, and payroll. Some metrics might be tracked daily, such as sales, shipments and deposits. This is especially critical during seasonal peaks, when undergoing major changes, or when your business is struggling to make ends meet.

Effective flash reports are simple and comparative. Those that take longer than an hour to prepare or use more than one sheet of paper are too complex to maintain. Comparative flash reports may help identify patterns from week to week — or deviations from the budget that may need corrective action.

The limitations

Flash reports also can identify problems and weaknesses. But they have limitations that management should recognize to avoid misuse.

Most importantly, flash reports provide a rough measure of performance and are seldom 100% accurate. It’s also common for items such as cash balances and collections to ebb and flow throughout the month, depending on billing cycles.

Companies generally only use flash reports internally. They’re rarely shared with creditors and franchisors, unless required in bankruptcy or by a franchise agreement. A lender also may ask for flash reports if a business fails to meet liquidity, profitability and leverage covenants.

If shared flash reports deviate from what’s subsequently reported on financial statements that comply with U.S. Generally Accepted Accounting Principles (GAAP), it may raise a red flag with stakeholders. For instance, they may wonder if you exaggerated results on flash reports or your accounting team is simply untrained in financial reporting matters. If you need to share flash reports, consider adding a disclaimer that the results are preliminary, may contain errors or omissions, and haven’t been prepared in accordance with GAAP.

What’s right for your organization?

There’s no one-size-fits-all format for flash reports. For example, billable hours are more relevant to law firms, and machine utilization rates are more relevant to manufacturers. Contact us for help customizing your flash reports to incorporate the key metrics that are most relevant for your industry. We can also answer questions about any reporting concerns you may be facing today.

Take charge of working capital management

Proactive working capital management is essential to successful business operations. However, on average, businesses aren’t managing their working capital as efficiently as they have in the past, according to a new study by The Hackett Group, a digital transformation and AI strategy consulting firm.

The study found that all elements of the cash conversion cycle (CCC) deteriorated by an average of 1.3 days (or 4%) from 2022 to 2023. The sectors reporting the biggest CCC deterioration include marine shipping, biotechnology, oil and gas, and food and staples retail. Here’s why working capital management is so important, and how your business can avoid the trend revealed in the study.

Why working capital matters

Working capital equals the difference between current assets and current liabilities. Organizations need a certain amount of working capital to run their operations smoothly. However, excessive amounts can hinder growth and performance. The optimal amount of working capital depends on the nature of your company’s operations and its industry.

Working capital management is often evaluated by measuring the CCC, which is a function of three turnover ratios:

  1. Days in accounts receivable outstanding,
  2. Days in inventory outstanding, and
  3. Days in accounts payable outstanding.

A positive CCC indicates the number of days a company must borrow or tie up capital while awaiting payments from customers. A negative CCC represents the number of days a company has received cash from customers before it must pay its suppliers. Cash businesses might have a low or negative CCC, while most conventional businesses have a positive CCC.

Ways to shorten your CCC

Here are three ways to reduce the amount your business has tied up in working capital:

1. Collect receivables faster. Possible solutions for converting accounts receivable into cash faster include: tightening credit policies, offering early bird discounts, issuing collection-based sales compensation and using in-house collection personnel. Companies also can evaluate administrative processes — including invoice preparation, dispute resolution and deposits — to eliminate inefficiencies in the collection cycle.

2. Reduce inventory levels. The inventory account carries many hidden costs, including storage, obsolescence, insurance and security. Consider using computerized inventory systems to help predict demand, enable data sharing up and down the supply chain, and more quickly reveal variability from theft.

It’s important to note that, in an inflationary economy, rising product and raw material prices may bloat inventory balances. Plus, higher labor and energy costs can affect the value of work-in-progress and finished goods inventories for companies that build or manufacture goods for sale. So rising inventory might not necessarily equate to having more units on hand.

3. Postpone payables. By deferring vendor payments when possible, your company can increase cash on hand. But be careful: Delaying payments for too long can compromise a company’s credit standing or result in forgone early bird discounts. Many organizations have already pushed their suppliers to extend their payment terms, so there may be limits on using this strategy further.

Make working capital a priority

Some businesses are so focused on the income statement, including revenue and profits, that they lose sight of the strategic significance of the balance sheet — especially working capital accounts. We can benchmark your company’s CCC over time and against competitors. If necessary, we also can help implement strategies to improve your performance without exposing you to unnecessary risk.

Public policy organization reports increase in financial restatements

Accurate financial statements are essential to making informed business decisions. So, managers and other stakeholders may express concern when a company restates its financial results. Before jumping to premature conclusions, however, it’s important to dig deeper to evaluate what happened.

Uptick in restatements 

In June 2024, the Center for Audit Quality (CAQ) reported a recent uptick in financial restatements by public companies. The report, “Financial Restatement Trends in the United States: 2013–2022,” delves into a 10-year study by research firm Audit Analytics. It found that the number of restatements in 2022 had increased by 11% from the previous year.

More alarming is a trend toward more “Big R” restatements. Big Rs indicate that the company’s previously filed financial reports were deemed unreliable by the company or its auditors. Although most restatements are due to minor technical issues, the proportion of total restatements that were Big Rs rose to 38% in 2022, up from 25% in 2021. The 2022 figure is also up from 28% in 2013 (the peak year for restatements in the study) — and it’s the third consecutive year that the proportion of Big Rs has increased.

However, the CAQ report states, “It is too early to tell if the increase in restatements toward the end of the sample period is a true inflection point or simply a brief disruption of the previous downward trend.” Overall, financial restatements have decreased from 858 in 2013 to 402 in 2022.

Reasons for restatement 

The Financial Accounting Standards Board defines a restatement as a revision of a previously issued financial statement to correct an error. Whether they’re publicly traded or privately held, businesses may reissue their financial statements for several “mundane” reasons. For instance, management might have misinterpreted the accounting standards, requiring the company’s external accountant to adjust the numbers. Or they simply may have made minor mistakes and need to correct them.

Common reasons for restatements include:

  1. Recognition errors (for example, when accounting for leases or reporting compensation expense from backdated stock options),
  2. Income statement and balance sheet misclassifications (for instance, a company may need to shift cash flows between investing, financing and operating on the statement of cash flows),
  3. Mistakes reporting equity transactions (such as improper accounting for business combinations and convertible securities),
  4. Valuation errors related to common stock issuances,
  5. Preferred stock errors, and
  6. The complex rules related to acquisitions, investments, revenue recognition, and tax accounting.

Often, restatements happen when the company’s financial statements are subjected to a higher level of scrutiny. For example, restatements may occur when a private company converts from compiled financial statements to audited financial statements or decides to file for an initial public offering. They also may be needed when the owner brings in additional internal (or external) accounting expertise, such as a new controller or audit firm.

Material restatements often go hand-in-hand with material weakness in internal controls over financial reporting. In rare cases, a financial restatement also can be a sign of incompetence — or even fraud. Such restatements may signal problems that require corrective actions. However, the CAQ report found that only 3% of all restatements and 7% of Big Rs involved fraud over the 10-year period.

We can help

The restatement process can be time-consuming and costly. Regular communication with interested parties — including lenders and shareholders — can help businesses overcome the negative stigma associated with restatements. Management also needs to reassure employees, customers and suppliers that the company is in sound financial shape to ensure their continued support.

Accounting and tax rules are continuously updated and revised. So, your in-house accounting team may need help understanding the evolving accounting and tax rules to minimize the risk of restatements, as well as help effectively managing the restatement process. We can help you stay atop the latest rules, reinforce your internal controls, and issue reports that conform to current Generally Accepted Accounting Principles.

What are AUP engagements — and does your business need one?

In certain circumstances, businesses may need to hire CPAs to perform agreed-upon procedures (AUPs) instead of (or in addition to) a review or an audit. AUPs are a type of attestation engagement “in which a practitioner performs specific procedures on subject matter and reports the findings without providing an opinion or conclusion,” according to the standards set forth by the American Institute of Certified Public Accountants.

AUPs generally cost less and take less time than a review or an audit. Plus, their versatility allows them to address nonfinancial matters and dig deeper into items reported on your financial statements.

The basics

In general, an AUP engagement uses similar procedures to a review or an audit, but on a smaller and limited scale and with no assurance on the part of the CPA. An engagement letter is used to outline the scope and nature of the specific procedures that will be performed.

Upon completing AUPs, CPAs issue a written report that 1) describes the procedures performed and 2) summarizes the findings from each procedure. The accounting standards also require an AUP report to contain the following:

  • A title that includes the word “independent” to show the report is from an independent accountant,
  • Identification of the engaging party, the subject, and responsible party (if it’s not the same as the engaging party),
  • The intended purpose(s) of the engagement,
  • A statement that the practitioner didn’t conduct an examination or review,
  • A statement that the practitioner doesn’t express an opinion or conclusion, and
  • Reservations or restrictions concerning procedures or findings.

AUPs can be tailored to your organization’s needs and provide a targeted analysis into key areas of your business’s operations.

AUPs in the real world

Examples of areas where an AUP can provide clients and third parties with valuable insights include:

  • Internal control evaluations,
  • Grant compliance,
  • Franchise agreement compliance,
  • M&A due diligence,
  • Construction project progress and spending practices, and
  • Royalty payments under a licensing agreement.

Lenders also may want to confirm whether a company is in compliance with its loan covenants. Or if a lender waived a loan covenant violation during the year-end review or audit, the bank might request, as a condition of the waiver, that the borrower hire a CPA to perform AUPs to check on key financial metrics midyear.

We can help

AUPs are among the many services CPAs offer. These engagements can be a flexible, time-saving alternative (or add-on) to financial statement reviews and audits. But they have their limitations. Contact us to determine whether an AUP engagement is right for your situation.