- Internal controls, especially around fraud prevention, are essential for limiting losses, driving efficiency, improving accountability, and boosting company value during investments or M&A deals.
- The “tone at the top” from leadership in fostering an ethical environment, along with proper segregation of duties, are key elements for fraud prevention and strong internal controls.
- Well-established policies and procedures, like Delegation of Authority rules and restricted system access protocols, are also vital for maintaining adequate controls to enable company growth.
~
As the economy stands on shaky legs, private equity and venture capital firms are necessarily careful and strategic when assessing potential investment opportunities. Whether your long-term plan includes acquiring another company, selling your business, or seeking new capital, strengthening your internal control environment — with a focus on preventing fraud — is a powerful way to increase actual and perceived value.
In the following, we will lay out the reasons why fraud prevention is an essential element to proper corporate governance and illustrate key areas to examine whether your internal control environment is built to help your operation succeed.
The Importance of Internal Controls in Fraud Prevention
A robust internal control system is the first step toward managing, mitigating, and uncovering fraud. A strong internal control environment will:
Protect your company’s assets by reducing the risk of theft or misappropriation of cash, inventory, equipment, and intellectual property.
Detect fraudulent activities or irregularities early on and deter employees from attempting fraud in the first place.
Provide cost savings by limiting opportunities for financial losses, costly investigations, and legal expenses associated with fraud.
Drive operational efficiency by providing clear processes and guidelines that reduce the risk of errors or inefficiencies in day-to-day operations.
Improve employee accountability by implementing checks and balances that discourage unethical behavior.
When seeking an investment or undertaking a significant M&A deal, you should have a firm grasp of the strength and quality of your internal control environment. Not only will you reduce the risk of fraud in the near term, but you will also cultivate confidence with potential investors and M&A partners.
Fraud Prevention Starts with the “Tone at the Top”
The first key element to look for in measuring the strength of your internal controls is ensuring a clear and proactive “tone at the top”, meaning an ethical environment fostered by the board of directors, audit committee, and senior management. A good tone at the top encourages positive behavior and helps prevent fraud and other unethical practices.
There are four elements to fraud: pressure, rationalization, opportunity and capability.
Pressure motivates crime. This could be triggered by debt, greed, or illegal deeds. Individuals who have financial problems and commit financial crimes tend to rationalize their actions. Criminals may feel that they are entitled to the money they are stealing, because they believe they are underpaid. In some cases, they simply rationalize to themselves that they are only “borrowing” the money and have every intention of paying it back.
Criminals who can commit fraud and believe they will get away with it may just do it. Capability means the criminal has the expertise as well as the intelligence to coerce others into committing fraud. The board of directors is responsible for selecting and monitoring executive management to ensure best practices are in place to limit the motivations of all four elements of fraud.
Proper Segregation of Duties for Internal Controls
The second key element to look for in your internal controls is a well-established segregation of duties. The idea is to establish controls so that no single person has the ability that would allow them the opportunity to commit fraud. Companies must make it extremely difficult for any single employee to have the opportunity to perpetrate a crime and subsequently cover it up.
Fraud Controls
There are three types of controls that help manage the risks of fraud: preventative, detective, and corrective.
- Preventative controls seek to avoid undesirable events, errors, and other occurrences that an enterprise has determined could have a negative material effect on a process or end product. Preventative controls are the best of the three as they are the first line of defense and a backstop to fraud. If designed correctly, preventative controls stop an undesirable event from even happening.
- Detective controls exist to detect and report when errors, omission, and unauthorized uses or entries have already occurred. Although it is important to identify these adverse events, you are doing so after the fraud has already been committed.
- Corrective (also referred to as compensating) controls are designed to correct errors, omissions, and unauthorized uses and intrusions once they are detected.
Preventing Misappropriation of Assets
An important component of segregation of duties is to prevent the misappropriation of assets and reduce fraud risk. Below are some examples of best practices for various types of assets:
- Cash Receipt: segregate the receipt of cash/checks and the recording of the journal entry in the accounting system into two roles.
- Accounts Receivable: segregate the responsibilities of recording cash received from customers and providing credit memos to customers. (If one person performs both functions, it creates the opportunity to divert payments from the customer to the employee and then cover the theft with a matching credit to the customer’s account).
- Cash Reconciliation: the individuals who authorize, process, or record cash should not perform the bank reconciliation to the general ledger.
- Inventory: individuals who order goods from the suppliers should not have the ability to log the goods received in the accounting system.
- Payroll: segregate the responsibilities of compiling gross and net pay for payroll, with the responsibilities of verifying the calculation. (If a single individual performs both functions, it allows for the opportunity to increase personal compensation and the compensation of others without authorization. It also provides an opportunity to create a fictitious payee and make corresponding payroll checks).
The Importance of Policies and Procedures
The third key element to look for in your investees is well-established policies and procedures. Make sure that any company you consider acquiring has basic policies and procedures in place, such as Delegation of Authority (DOA).
The DOA is a policy where the executive team delegates authority to the management of the company. Individuals should be considered appropriate to fulfill delegated roles and responsibilities. The DOA should be reviewed at least annually. Subsequently, it is important to ensure that the DOA is being followed, and that approvals do not deviate from it. Any such anomalies should be rare and, when they do occur, they need to be reviewed and approved. Constant deviations from the DOA may be a sign that the DOA needs to be restructured.
A second essential policy and procedure is restricted computer and application access. This is to protect sensitive company financials and proprietary data. The company should have a robust control environment and maintain computer logins and password access on a need-to-know basis. Access should only be granted by the owner of the application or system and subsequently logged by the administrator. Now more than ever companies are hiring remote employees. This shift in the dynamic workspace further emphasizes the need for a quality IT controls environment.
How We Can Help
As you prepare your company for future growth, getting an impartial third-party opinion on your internal control environment can be a powerful tool for finding gaps and inefficiencies, and implementing value-added changes.
Our dedicated Public Company teams offer a deep level of industry experience and technical skills. We can help prepare your company for a major capital raise, including going public via an IPO or RTO. Or we can help optimize value for an M&A deal, whether you are buying or selling. Contact us today to access an external, holistic vision focused on helping you grow and succeed
]]>- The Securities and Exchange Commission (SEC) is promoting the enhancement and standardization of registrants’ disclosures related to cybersecurity risk management, strategy, and governance by adopting a rule that requires public companies to disclose “material” cybersecurity breaches within four days of determining its materiality.
- The SEC wants to know: the processes the companies use to assess, identify, and manage cybersecurity risks, as well as the board’s oversight of such risks and management’s role in assessing and managing those risks.
- The rules apply to nearly all registrants that file periodic reports with the SEC (including foreign private issuers and smaller reporting companies).
- Registrants must also include their risk management, strategy, and governance disclosures in their 2023 annual reports.
The SEC wants public companies to be more transparent with its investors about cybersecurity. On July 26, 2023, it voted 3-2 to adopt new rules on disclosure to promote clarity surrounding “material” breaches and what’s being done to combat them. And it wants them to do this within four days of determining if a cybersecurity breach was material on Form 8-K.
However, delays may be permitted if immediate disclosure of the breach could pose a national security or public safety risk.
Defining “material” disclosures
According to the U.S. Supreme Court, a piece of information is material to investors when its disclosure “would be viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.”
Why is the SEC implementing this rule change?
The SEC seeks to protect companies and investors as cybersecurity incidents have increased in number and sophistication in recent years. In their fact sheet they note: “Cybersecurity risks have increased alongside the digitalization of registrants’ operations, the growth of remote work, the ability of criminals to monetize cybersecurity incidents, the use of digital payments, and the increasing reliance on third party service providers for information technology services, including cloud computing technology (…) All of these trends underscored the need for improved disclosure.”
But corporations are contesting the rules, arguing this short announcement period is unreasonable — and could reveal vulnerabilities that could be exploited by more cybercriminals looking to take advantage of a company mid-breach.
What are the requirements for risk management, strategy, and governance disclosures?
Public companies will be required to disclose their cybersecurity breaches within a four-day time period. This disclosure must include additional details too, like the timing of the incident, its impact on the company, and management’s expertise on cybersecurity in Form 10-Ks (and Form 20-Fs for Foreign Filers).
How will the SEC cybersecurity rules affect you?
The SEC has observed that previous cybersecurity announcements have been inconsistent and inadequate.
Many public companies already have plans in place to share sensitive information about their cyber incidents with federal agencies (FBI). Last year, the Cybersecurity and Infrastructure Security Agency (CISA) adopted cybersecurity rules that require critical infrastructure entities to report breaches within three days to CISA. This reporting duplication could prove confusing and time-consuming.
Ultimately, all public companies need robust internal controls and reporting systems to maintain compliance with the SEC requirements. This assumes issuers already have top-tier cybersecurity technology and processes in place. If not, they’ll need to build these functions out to minimize subsequent fallout from investors and regulators when these inadequacies are made public in their reporting.
The SEC strives to protect investors, which isn’t a bad thing. However, the enforcement of these new rules may not be the most logical option to do so.
Ultimately, the question may not necessarily be how many days you should take to disclose your breach but who should actually be regulating cybersecurity, and who has the authority to call the shots. Cybersecurity is no longer a “nice to have” function in an organization.
How we can help
It’s important to stay vigilant to protect your organization from risk and maintain compliance. Our Technology and Cybersecurity Practice can help verify you are compliant and strengthen your overall cybersecurity, so these incidents are less likely to occur. And, if they do, you’ll be ready to mitigate risks sooner— and make progress towards compliance with the SEC’s new rules.
If you are ready to assess your cybersecurity posture, or you have questions about
how the SEC’s new requirements could affect you, schedule a conversation with our Technology and Cybersecurity team today.
Everything changes, except when it doesn’t
Time and time again we’ve seen reactions to various accounting scandals, after which new policies, procedures, and legislation are created and implemented. An example of this is the Sarbanes-Oxley Act (SOX) of 2002, which was a direct result of the accounting scandals at Enron, WorldCom, Global Crossing, Tyco, and Arthur Andersen.
SOX was established to provide additional auditing and financial regulations for publicly held companies to address the failures in corporate governance. Primarily it sets forth a requirement that the governing board, through the use of an audit committee, fulfill its corporate governance and oversight responsibilities for financial reporting by implementing a system that includes internal controls, risk management, and internal and external audit functions.
Governments experience challenges and oversight responsibility similar to those encountered by corporate America. Governance risks can be mitigated by applying the provisions of SOX to the public sector.
Some states and local governments have adopted similar requirements to SOX but, unfortunately, in many cases only after cataclysmic events have already taken place. In California, we only need to look back at the bankruptcy of Orange County and the securities fraud investigation surrounding the City of San Diego as examples of audit committees that were established in response to a breakdown in governance.
Taking your audit committee on the right mission
Governments typically establish audit committees for a number of reasons, which include addressing the risk of fraud, improving audit capabilities, strengthening internal controls, and using it as a tool that increases accountability and transparency. As a result, the mission of the audit committee often includes responsibility for:
- Oversight of the external audit.
- Oversight of the internal audit function.
- Oversight for internal controls and risk management.
Chart(er) your course
Most successful audit committees are created by a formal mandate by the governing board and, in some cases, a voter-approved charter. Mandates establish the mission of the committee and define the responsibilities and activities that the audit committee is expected to accomplish. A wide variety of items can be included in the mandate.
Creating the governing board’s resolution is the first step on the road to your audit committee’s success.
Follow the leader(ship)
In practice we see a combination of these attributes, ranging from the full board acting as the audit committee, committees with one or more independent outsiders appointed by the board, and/or members from management and combinations of all of the above. While there are advantages and disadvantages for all of these approaches, each government needs to evaluate how to work within their own governance structure to best arrive at the most workable solution.
Strike the right balance between cost and risk
The overriding responsibility of the audit committee is to perform its oversight responsibilities related to the significant risks associated with the financial reporting and operational results of the government. This is followed closely by the need to work with management, internal auditors and the external auditors in identifying and implementing the appropriate internal controls that will reduce those risks to an acceptable level. While the cost of establishing and enforcing a level of zero risk tolerance is cost prohibitive, the audit committee should be looking for the proper balance of cost and a reduced level of risk.
Engage your audit committee with regular meetings
Depending on the complexity and activity levels of the government, the audit committee should meet at least three times a year. In larger governments, with robust systems and reporting, it’s a good practice to call for monthly meetings with the ability to add special purpose meetings as needed. These meetings should address the following:
External Auditors
- Confirmation of the annual financial statement and compliance audit, including scope and timing.
- Ad hoc reporting on issues where potential fraud or abuse have been identified.
- Receipt and review of the final financial statements and auditor’s reports
- Opinion on the financial statements and compliance audit;
- Internal controls over financial reporting and grants; and
- Violations of laws and regulations.
Internal Auditors
- Review of updated risk assessments over identified areas of risk.
- Review of annual audit plan, including status of the prior year’s efforts.
- Status reports of ongoing and completed audits.
- Reporting of the status of corrective action plans, including conditions noted, management’s response, steps taken to correct the conditions, expected time-line for full implementation of the corrective action and planned timing to verify the corrective action plan has been implemented.
Establish resources that are at the ready
Audit committees should be given the resources and authority to acquire additional expertise as and when required. These resources may include, but are not limited to, technical experts in accounting, auditing, operations, debt offerings, securities lending, cybersecurity, and legal services.
Taking extra steps now will save time later
While no system can guarantee breakdowns will not occur, a properly established audit committee will demonstrate for both elected officials and executive management that on behalf of their constituents they have taken the proper steps to reduce these risks to an acceptable tolerance level. History has shown over and over again that breakdowns in governance lead to fraud, waste and abuse. Don’t be deluded into thinking that it will never happen to your organization. Make sure it doesn’t happen on your watch.
]]>Many cheered the passage of the 2018 Farm Bill, which descheduled industrial hemp and its derivatives (including CBD). But that was just the start of a much more complicated regulatory story that continues to have a major impact on entrepreneurs, investors, and advocates and patients who rely on CBD.
CBD and the 2018 Farm Bill
When President Trump signed the 2018 Farm Bill into law one of the key changes affecting the cannabis industry was the separation of “hemp” and “marijuana.” Before the Farm Bill, any incarnation of the cannabis plant and its byproducts were lumped into a single category and considered a Schedule 1 drug. Key language in Section 1103 of the Farm Bill defines hemp as:
“the plant Cannabis sativa L. and any part of that plant, including the seeds thereof and all derivatives, extracts, cannabinoids, isomers, acids, salts, and salts of isomers, whether growing or not with a delta-9 tetrahydrocannabinol concentration of not more than 0.3 percent on a dry weight basis.”
In short, the Farm Bill descheduled industrial hemp and its byproducts as long as it stayed under the threshold of less than 0.3 percent THC. CBD is derived from the cannabis plant, whether there are significant levels of THC or not. CBD industry advocates have interpreted the language “all derivatives, extracts, cannabinoids, isomers, acids, salts, and salts of isomers” as descheduling CBD when industrial hemp is the source. And they are “mostly” correct in this interpretation. Unfortunately, there are other federal agencies in play.
CBD and the FDA
United States Department of Agriculture (USDA) enacted the 2018 Farm Bill in their position overseeing laws related to the cultivation of industrial hemp. The United States Food and Drug Administration (FDA) oversees medicine and food additives. CBD has emerged as a “wonder drug” with a growing list of potential benefits and now appears as an additive in a wide range of consumer products. In addition, the FDA approved Epidiolex, the first CBD-derived drug, in 2018.
All of this has culminated in CBD being a priority of the FDA, so much so, that just a week after the Farm Bill was signed into law, the FDA issued a press release clarifying and asserting their regulatory control over all cannabis-derived compounds.
“We treat products containing cannabis or cannabis-derived compounds as we do any other FDA-regulated products — meaning they’re subject to the same authorities and requirements as FDA-regulated products containing any other substance. This is true regardless of the source of the substance, including whether the substance is derived from a plant that is classified as hemp under the Agriculture Improvement Act.”
Concurrent with the Farm Bill and the press release regarding CBD, the FDA also issued three Generally Regarded as Safe (GRAS) notices for hemp by-products: hulled hemp seeds, hemp protein powder, and hemp seed oil. Clearly demonstrating that (some) hemp products have been descheduled and cleared for use by the FDA.
The FDA’s policy is different toward CBD for two key reasons. Firstly, CBD products are largely marketed with a wide variety of therapeutic claims. In their press release the FDA notes:
“The FDA requires a cannabis product (hemp-derived or otherwise) that is marketed with a claim of therapeutic benefit, or with any other disease claim, to be approved by the FDA for its intended use before it may be introduced into interstate commerce.”
Secondly, the FDA’s approval of CBD-based drug Epidiolex, put CBD and THC into the category of “active ingredients in FDA-approved drugs.” Under the Federal Food, Drug, and Cosmetic Act (FD&C Act) it is “illegal to introduce drug ingredients like these into the food supply, or to market them as dietary supplements.”
In short, the FDA does not distinguish between CBD derived from hemp or “marijuana,” and until the agency approves CBD and establishes a regulatory framework, adding CBD to food and beverages is illegal.
Has the regulation of CBD slowed businesses?
While early CBD research has shown promise as a treatment for conditions like epilepsy and anxiety, as a consumer product it is unproven and has been largely unregulated until recently. In the absence of labeling standards and regulated dosage guidelines, consumers often have little understanding of what they are buying and its potential effects.
All of this uncertainty has earned greater regulatory attention for CBD. There have been reports of crackdowns on bakeries, restaurants and retailers selling CBD in California, New York, Maine and Ohio, just to name a few. This regulatory response has shocked and angered a number of hemp producers and CBD retailers who have invested millions into business ventures that they feel only supply the public with products that help manage health concerns.
Despite the confusing legality, the CBD industry appears to be moving full-steam ahead. In recent months, national retailers as diverse as Walgreens, DSW and Barney’s New York have announced plans (or have already begun) selling CBD products. Indicating the burgeoning CBD industry is well on the way to mainstream acceptance.
What is next for CBD?
In February, former FDA Commissioner Scott Pruitt testified before the House Appropriations Committee and said that the FDA is initiating a rule making procedure with the goal of creating “an appropriately efficient and predictable regulatory framework for regulating CBD products.” The FDA will launch the process with a public hearing on CBD scheduled for May 31, 2019.
Further complexity struck when Pruitt unexpectedly announced his resignation, which took effect in early April. Pruitt has been replaced by Dr. Ned Sharpless, the former director of the National Cancer Institute. To date, it is unknown whether Sharpless intends to take a progressive stance toward CBD.
While delays occur at the federal level, states are shifting into action. Maine recently passed an emergency law governing CBD. The bill aligns the definition of hemp in Maine’s laws with the definition used in the Farm Bill. Meaning, as long as CBD is derived from hemp sources it is to be considered a food product, rather than medicine, and is cleared for use in Maine.
Ultimately, until the FDA creates a regulatory framework for CBD, it will remain illegal to add it to any food or drink products.
Learn more about the FDA Public Hearing on CBD here
Provide a public comment for the FDA on CBD here
]]>Similar to the flurry of dotcom companies building out their platforms in the late 1990s, cannabis companies are investing vertically in order to provide seed-to-sale capability all under one roof. It’s this development, along with anticipated nationwide legalization, that is driving a number of mergers and acquisitions. Although there has been consolidation in prior years, 2019 is shaping up to be a bellwether, illustrating that the cannabis industry is preparing for a growth explosion.
The record-breaking start to 2019
So far in 2019, there have been several mergers and acquisitions worth billions of dollars. The action got an early start with two announcements in December of 2018; the MedMen acquisition of PharmaCann, and the purchase of a 45% stake in Cronos by Altria, the parent company of Phillip Morris USA. The MedMen-PharmaCann agreement included an all-stock transaction worth US$682 million and gave the combined company licenses to operate in 12 states with 79 cannabis facilities. The Altria-Cronos deal equates to US$1.8 billion for a 45% stake, with an option to purchase a majority stake in Cronos down the road.
In March of this year, Arizona-based Harvest Health & Recreation, announced it would purchase Chicago-based Verano Holdings, a vertically-integrated operator of licensed cannabis cultivation, manufacturing and retail facilities, for US$850 million.
More recently, in early April Cresco Labs agreed to purchase Origin House in an all-stock transaction valued at US$824 million. In late April, Canopy Growth Corp paid US$300 million for the right to merge with Acreage Holdings. Ontario-based Canopy Growth Corp, the first publicly traded cannabis company in North America, will purchase Acreage shares for US$3.4 billion, with full legalization acting as a triggering event for the complex merger deal.
In addition to mergers and acquisitions between cannabis companies, there is growing interest in cannabis from non-industry companies, such as alcohol, pharmaceutical, and tobacco – as illustrated by the Altria-Cronos announcement. Companies such as Constellation Brands, an international producer and marketer of beer, wine and spirits, paid $190 million for a stake in Canopy Growth Corp, hoping to counteract slowing beer sales and enter new cannabis-related markets.
What is driving cannabis M&A activity?
There are several factors motivating the increase in mergers and acquisitions in the cannabis space. Companies are seeking a variety of goals, such as a desire for vertical integration, an interest in operations in multiple states, and the aspiration by non-cannabis companies to enter the market. While these developments are worth noting, the trend is being driven by a much larger issue: the likelihood that cannabis use will be legalized nationwide by the US federal government. Investors and analysts believe this is more a case of when rather than if.
When legalization occurs and interstate restrictions are lifted, those companies maneuvering now will be well-positioned to effectively seize market share while others play catch up.
The US Congress, while not including language that would help resolve conflicting federal and state cannabis laws in pending criminal justice reform legislation, has left the door open to having a debate on nationwide legalization. “If there is an attempt to legalize across the country, we should have that debate and let the Congress decide the issue instead of creating a backdoor to legalization,” said Senator Chuck Grassley, the outgoing chairman of the Senate Judiciary Committee.
Forecasting beyond 2019
The wave of consolidation in 2019 is likely only the beginning. If a federal law is passed that legalizes cannabis, there will likely be a second wave of mergers and acquisitions with much higher stakes as the industry sorts itself out in in an effort to anticipate and fulfill coming demand.
In addition to consolidation, there will likely be a change to the banking industry in relation to doing business with cannabis companies. As of now, financial institutions are at risk of penalties, such as asset forfeiture and criminal fines, if they do business with companies in this space. In response to that risk, the House Financial Services Committee voted in favor of a bill protecting banks from federal punishment if they do business with such companies.
These moves signal a shift in how lawmakers are now viewing cannabis. If the federal government legalizes cannabis and financial institutions are allowed to engage those companies growing and selling it, then consolidation and investment in the near future could make 2019’s dazzling transactions look like chump change.
]]>Similar to the flurry of dotcom companies building out their platforms in the late 1990s, cannabis companies are investing vertically in order to provide seed-to-sale capability all under one roof. It’s this development, along with anticipated nationwide legalization, that is driving a number of mergers and acquisitions. Although there has been consolidation in prior years, 2019 is shaping up to be a bellwether, illustrating that the cannabis industry is preparing for a growth explosion.
The Record Breaking Start to 2019
So far in 2019, there have been several mergers and acquisitions worth billions of dollars. The action got an early start with two announcements in December of 2018; the MedMen acquisition of PharmaCann, and the purchase of a 45% stake in Cronos by Altria, the parent company of Phillip Morris USA. The MedMen-PharmaCann agreement included an all-stock transaction worth US$682 million and gave the combined company licenses to operate in 12 states with 79 cannabis facilities. The Altria-Cronos deal equates to US$1.8 billion for a 45% stake, with an option to purchase a majority stake in Cronos down the road.
In March of this year, Arizona-based Harvest Health & Recreation, announced it would purchase Chicago-based Verano Holdings, a vertically-integrated operator of licensed cannabis cultivation, manufacturing and retail facilities, for US$850 million.
More recently, in early April Cresco Labs agreed to purchase Origin House in an all-stock transaction valued at US$824 million. In late April, Canopy Growth Corp paid US$300 million for the right to merge with Acreage Holdings. Ontario-based Canopy Growth Corp, the first publicly traded cannabis company in North America, will purchase Acreage shares for US$3.4 billion, with full legalization acting as a triggering event for the complex merger deal.
In addition to mergers and acquisitions between cannabis companies, there is growing interest in cannabis from non-industry companies, such as alcohol, pharmaceutical, and tobacco – as illustrated by the Altria-Cronos announcement. Companies such as Constellation Brands, an international producer and marketer of beer, wine and spirits, paid $190 million for a stake in Canopy Growth Corp, hoping to counteract slowing beer sales and enter new cannabis-related markets.
]]>