Cybersecurity Archives - MGO CPA | Tax, Audit, and Consulting Services
https://www.mgocpa.com/perspectives/topic/cybersecurity/
Thu, 11 Sep 2025 23:49:02 +0000

How Your Government Contracting Firm Can Get CMMC-Ready Fast
https://www.mgocpa.com/perspective/cmmc-readiness-for-contractors/?utm_source=rss&utm_medium=rss&utm_campaign=cmmc-readiness-for-contractors
Tue, 09 Sep 2025 20:40:38 +0000

The post How Your Government Contracting Firm Can Get CMMC-Ready Fast appeared first on MGO CPA | Tax, Audit, and Consulting Services.

Key Takeaways:

  • CMMC is now required for DoD contractors handling FCI or CUI — non-compliance can result in contract loss and disqualification from future awards.
  • Prime contractors are liable if subcontractors are non-compliant — your entire supply chain must meet CMMC standards to maintain eligibility.
  • The window to achieve certification is closing fast — readiness can take 6–12 months, so starting now is critical to avoid lost revenue or missed opportunities.

What Is CMMC and Why Does It Matter to My Business?

The Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense (DoD) framework that requires contractors and subcontractors to implement specific cybersecurity practices and standards. If your business processes, stores, or transmits federal contract information (FCI) or controlled unclassified information (CUI), compliance is mandatory to continue working with the DoD.

Who Does CMMC Apply To?

CMMC applies to:

  • Prime contractors
  • Subcontractors
  • IT and service providers that handle FCI or CUI

If you’re part of the estimated 300,000 organizations within the DoD supply chain — even indirectly — you’ll need to comply. And if you’re a prime contractor, you’re responsible for ensuring your subcontractors comply as well.

What Are the Levels of CMMC, and Which One Applies to Me?

CMMC is broken into three maturity levels. Most middle-market contractors will fall into Level 1 or 2:

  • Level 1 – Foundational: Basic cybersecurity hygiene practices (for handling FCI)
  • Level 2 – Advanced: Full security requirements of NIST SP 800-171 (for handling CUI)
  • Level 3 – Expert: Protecting high-value CUI, compliance with NIST SP 800-172

The level of certification required depends on the type of information your organization touches during contract performance.

What Happens if We Don’t Follow CMMC?

The risk is significant. Non-compliance may result in:

  • Loss of current contracts
  • Ineligibility for future DoD work
  • Legal or reputational risk
  • Disqualification due to a non-compliant subcontractor

CMMC will soon be a “gatekeeper” for DoD eligibility — no certification, no contract.

When Will CMMC Go Into Effect?

With the final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) issued, the DoD will officially begin implementing CMMC compliance on November 10, 2025. The program will phase in over three years: initial self-assessments for Levels 1 and 2 in year one, third-party reviews for Level 2 in year two, and Level 3 assessments in year three.

Now is the time to start readiness — waiting could mean lost revenue or missed opportunities.

How Do We Prepare for CMMC?

Here’s a quick roadmap:

  1. Define your scope: Identify the systems, people, and processes that interact with FCI/CUI. This will guide which level of certification you should target (Level 1, 2, or 3).
  2. Perform a gap analysis: Understand where you are and where you need to be.
  3. Close compliance gaps: Implement missing controls, policies, processes, and documentation, including NIST 800-171 controls and a system security plan (SSP).
  4. Train your team: Staff education is a requirement, especially around cyber hygiene. Support your subcontractors — you’re accountable for their compliance too.
  5. Prepare for the assessment: Level 1 certification requires an annual self-assessment. Levels 2 and 3 require third-party assessments conducted every three years.
  6. Receive certification

Checklist showing key aspects of CMMC readiness, including scope and level planning, training and awareness, and certification

How Long Does CMMC Readiness Take?

The timeline varies depending on your current cybersecurity maturity. With focused support, many organizations can reduce the estimated 6-12 month timeline by 50% — especially at Levels 1 and 2.

Can MGO Help With CMMC Compliance?

Yes. MGO supports companies at every stage of the CMMC journey — with a clear focus on readiness, not attestation. Our services include:

  • CMMC gap assessments
  • Scope and level planning, including boundary definition and data flows
  • Policy and documentation development
  • Employee training
  • Subcontractor support
  • Remediation guidance

We help you prepare efficiently and confidently for certification without overbuilding your controls or delaying your timeline.

How MGO Can Help

We help government contractors and their supply chains get CMMC-ready quickly and efficiently. Our Cybersecurity team includes Registered Practitioners (RPs) with extensive experience in DoD compliance, technical accounting, and IT infrastructure.

We serve a wide range of industries affected by CMMC: technology, manufacturing, life sciences, professional services, and more. Whether you’re a small subcontractor or a large prime, we tailor our services to your environment.

Our end-to-end support helps you get prepared for attestation, keep long-term compliance, and protect your DoD revenue. Reach out to our team today to learn how we can support your CMMC compliance efforts.

Agentic AI Use Cases for Today’s Real Estate and Construction Firms
https://www.mgocpa.com/perspective/agentic-ai-use-cases-for-todays-real-estate-and-construction-firms/?utm_source=rss&utm_medium=rss&utm_campaign=agentic-ai-use-cases-for-todays-real-estate-and-construction-firms
Wed, 03 Sep 2025 15:59:57 +0000

The post Agentic AI Use Cases for Today’s Real Estate and Construction Firms appeared first on MGO CPA | Tax, Audit, and Consulting Services.

Key Takeaways:

  • AI agents deliver efficiency across the value chain — from contract review and tenant services to construction planning and payment management, agentic AI can streamline operations, reduce errors, and cut costs.
  • Your firm should implement oversight, ethical safeguards, and security protocols to responsibly adopt autonomous systems.
  • If you adopt early, you gain a competitive edge, as organizations that act now to pilot agentic AI use cases will position themselves ahead of competitors still relying on traditional processes.

Real estate and construction companies are on the precipice of a dramatic shift. Artificial intelligence (AI), particularly agentic AI, will permanently change how the industry does business, streamlining functions from back-office administration to logistics, data-heavy tasks, and more.

Unlike traditional automation, intelligent agents are purpose-built and trained to fulfill specific roles, enabling them to make decisions independently and navigate complex processes with minimal human intervention. Organizations that successfully integrate these tools stand to benefit from faster decision making, improved project planning, and more competitive pricing.

For all its benefits, autonomous AI represents an intimidating advancement. These systems require robust support infrastructure and bring new risks and challenges. Organizations will need to strengthen their data governance processes, implement cybersecurity best practices, learn how to collaborate with autonomous systems, and account for novel risks like AI bias on an ongoing basis.

These complex dynamics call for thoughtful planning and targeted investments without delay. As first steps to integration, real estate and construction companies should proactively investigate how agentic AI can improve their operations and seek out potential use cases. Organizations that act quickly will unlock a powerful competitive differentiator, while those who wait risk being left behind.

Agentic AI Real Estate and Construction Use Cases

Companies are just beginning to understand the vast potential of AI agents. For real estate and construction leaders seeking an entry point, several use cases stand out as impactful and achievable options, each carrying the potential to increase efficiency and reduce operational overhead.

Real Estate Use Cases

Contracts and pricing: Property management firms are responsible for maintaining and understanding large troves of documentation. AI can quickly sift through huge amounts of data, easing the process of reviewing and drafting key documents. These tools will help verify that contractual clauses are written correctly and do not contain any oversights. They can also monitor regulatory activity and notify businesses in real time about any changes, new rules, and potential compliance issues. With appropriate oversight, they will even be able to make the necessary adjustments in some cases. 

During negotiations, firms could call upon their AI agents to screen tenant applications and leverage historical and current market data. Property managers could come to the table confident that their pricing decisions are defensible and backed by data, tailored to both meet their needs and satisfy applicants’ expectations.

Tenant management and customer service: Intelligent systems can offer around-the-clock support for maintenance or information requests. Previously, if a tenant experienced a non-emergency issue with an appliance during the night, they might need to wait until the following day to notify their management company and schedule repairs. Autonomous agents can respond immediately, no matter the time, and place a service request on the schedule for the following morning. Prompt responses will help reassure tenants they are being heard, reducing instances of friction and building loyalty. Should an emergency arise, the system can immediately notify the management company and update the maintenance schedule accordingly.

Back-office support: AI will transform the back office, processing and validating payments automatically and sending reminders to tenants or other customers who miss a deadline. With access to this financial information, intelligent tools can also help collect and organize data for financial reporting obligations and, if given the appropriate parameters, may even supplement actions such as filing taxes, cutting down on compliance costs while increasing efficiency.

Portfolio Management: Agentic AI can act as a continuous decision-making partner in investment management for both real estate and construction firms. It can autonomously monitor market dynamics, forecast project viability, and reallocate capital across portfolios in real time. It can also evaluate factors like material cost fluctuations, urban development plans, and rental yield trends to optimize asset performance without constant human oversight.

Construction Use Cases

Coordination and planning: AI agents can engage in forecasting, simulation, and planning for construction projects. They can also oversee communications with and between parties like inspectors, contractors, and subcontractors. Acting as project managers, these systems will monitor and log progress when a job is running smoothly, and step in to help course correct when necessary, independently adjusting schedules or budget forecasts based on changing circumstances. If, for example, malfunctioning machinery causes a work stoppage, an AI agent can flag the breakdown and incorporate the time needed for repairs into an updated project roadmap. With an autonomous agent managing workflows, organizations may be better insulated against human scheduling errors and resultant cost overruns.

Payment Management: Agentic AI can help construction companies manage payment applications, ensuring contractors and subcontractors are paid on time. It can also log completed work for recordkeeping and reporting purposes, keeping information standardized and accessible and reducing the chances of documentation getting lost or misclassified.

Permits and compliance: Construction projects require proper permitting and regular inspections to verify that job-site conditions are safe and compliant. Mistakes or misstatements in permitting documentation can be expensive and may increase overall compliance costs or open organizations up to enforcement actions. Intelligent agents can reduce these risks by gathering information for use in permit applications, interpreting and filling out the necessary forms, keeping track of permits filed, and updating the company in real time if permitting needs change. This function can be particularly impactful with respect to local jurisdictions, where regulations can often vary widely and can be difficult to track manually.

Agentic AI can also monitor labor union agreements and related workforce regulations, helping firms proactively align with union requirements, avoid disputes, and maintain smooth operations across all jurisdictions.

Humans in the Loop

Real estate and construction companies can pursue these applications today. As agentic AI advances, companies can integrate these systems even more deeply into operations. Think of smart buildings and autonomous construction equipment, all managed and guided by intelligent tools.

Even as AI functionality continues to evolve, one factor remains constant: Humans are essential both to support initial integration and to provide ongoing oversight of new tools and technologies. Leaders must remain aware of the challenges AI can bring and treat adoption not as a one-off instance but as part of a long-term strategy.

Agentic AI Risks and Challenges

In the past, real estate and construction companies have not been as tech-forward as other industries. To support agentic AI, they will have to make up ground, particularly in areas like governance, cybersecurity, and AI literacy.

AI Bias

The risks posed by unseen biases grow substantially with AI agents. Data used to train AI is subject to the biases of the humans who provide it, sometimes causing a program to “inherit” the discriminatory biases of its creators. Inherited biases could lead to unfair or inaccurate outputs that damage the businesses that rely on them. This risk is especially prevalent for real estate firms, which may employ intelligent tools for tasks like pricing, contract negotiations, and application screening. For instance, if those systems have inherited a bias that causes them to treat applicants differently based on a protected characteristic, the firm could violate fair housing regulations, leading to significant financial, legal, and reputational risks.

Preventing AI bias demands continuous and active testing, covering both the underlying dataset and the AI’s outputs. Companies should request bias test results from any potential AI vendor, and check whether a vendor has obtained third-party certifications such as SOC 2 as an additional layer of confidence. A lack of bias testing is a red flag. The risks of harm to a business and its customers are too great to ignore. Organizations inexperienced in making these evaluations may consider enlisting a knowledgeable third party with the resources and experience to help check for unseen biases.

Governance

Strong AI governance, covering both technical concerns and operational risks, is critical for successful AI implementation. Because autonomous agents will operate cross-functionally, building a governance framework must be a cross-functional process, incorporating feedback from each area of the business and covering critical domains like risk management, data ethics, data privacy, data lifecycle management, and organizational structure.

For real estate and construction companies, the first step is assigning decision rights. Where will an AI agent be empowered to make decisions, what data will it leverage to do so, and how will human oversight be conducted? Answering these questions means defining specific use cases, such as the options above, and will allow firms to clearly delineate the AI agent’s role and assess any risks tied to each use case. Organizations will also need a process to document decisions and deliver feedback. For domains that introduce compliance risks, such as construction site safety or tenant application screening, governance teams should implement several layers of checks to ensure that all decisions are responsible and ethical.

Governance is not just a means for organizations to protect themselves, but also a way to unlock the full potential of their AI agents. A clear scope and well-defined decision parameters will enable safer usage, but they also create higher quality and more reliable outputs.

Cybersecurity

Interconnected systems can increase security vulnerabilities, necessitating new protections against novel forms of data theft. Real estate and construction companies will need clear visibility into AI input data, how that data is processed, who has access to it, and how it is shared to support data loss prevention (DLP) and stop sensitive data from leaking.

For organizations that employ outward-facing AI, such as agents that handle tenant inquiries, these needs are even sharper. A user interacting with an agent could ask a question that causes the system to reveal sensitive business information. Known as “prompt injection,” this tactic is increasingly used by bad actors to steal information without breaking into a company’s systems.

In some cases, strengthening cybersecurity also involves physical security. On a construction site, for instance, supervisors will likely use mobile devices or machinery that communicate with AI agents. Firms must be sure they have adequate endpoint security and a robust mobile device management strategy to track usage. If an unauthorized individual gains access, whether on purpose or by mistake, they could obtain sensitive information. These devices should only be accessed by trusted, predesignated users.

How MGO Can Help

Adopting agentic AI is not just about technology; it’s about building a sustainable framework that blends innovation with responsibility. At MGO, we help real estate and construction firms evaluate practical AI use cases, strengthen data governance, mitigate risk, and design tailored strategies for integration. Whether you are exploring tenant management automation, portfolio optimization, or construction compliance tools, our team provides you with the insights and guidance needed to move forward with confidence. By acting today, your organization can unlock efficiency, resilience, and a powerful competitive advantage in tomorrow’s market. Contact us to learn more.

Written by Tyler Cahill, Kirstie Tiernan and Kristi Gibson. Copyright © 2025 BDO USA, P.C. All rights reserved. www.bdo.com.

How AI Can Strengthen Your Company’s Cybersecurity
https://www.mgocpa.com/perspective/ai-cybersecurity-strategy-guide/?utm_source=rss&utm_medium=rss&utm_campaign=ai-cybersecurity-strategy-guide
Tue, 02 Sep 2025 21:26:59 +0000

The post How AI Can Strengthen Your Company’s Cybersecurity appeared first on MGO CPA | Tax, Audit, and Consulting Services.

Key Takeaways:

  • Using AI cybersecurity tools can help you detect threats faster, reduce attacker dwell time, and improve your organization’s overall risk posture.
  • Generative AI supports cybersecurity compliance by accelerating breach analysis, reporting, and regulatory disclosure readiness.
  • Automating cybersecurity tasks with AI helps your business optimize resources, boost efficiency, and improve security program ROI.

Cyber threats are evolving fast — and your organization can’t afford to fall behind. Whether you’re in healthcare, manufacturing, entertainment, or another dynamic industry, the need to protect sensitive data and maintain trust with stakeholders is critical.

With attacks growing in volume and complexity, artificial intelligence (AI) offers powerful support to help you detect threats earlier, respond faster, and stay ahead of changing compliance demands.

Why AI Is a Game-Changer in Cybersecurity

Your business is likely facing more alerts and threats than your team can manually manage. Microsoft reports that companies face over 600 million cyberattacks daily — far beyond human capacity to monitor alone.

AI tools can help by automating key aspects of your cybersecurity strategy, including:

  • Real-time threat detection: With “zero-day attack detection”, machine learning identifies anomalies outside of known attack signatures to flag new threats instantly.
  • Automated incident response: From triaging alerts to launching containment measures without waiting on human intervention.
  • Security benchmarking: Measuring your defenses against industry standards to highlight areas for improvement.
  • Privacy compliance support: Tracking data handling and reporting to meet regulatory requirements with less manual oversight.
  • Vulnerability prioritization and patch management: AI can rank identified weaknesses by severity and automatically push policies to keep systems up to date.

AI doesn’t replace your team — it amplifies their ability to act with speed, precision, and foresight.

Infographic showing how AI enhances cybersecurity through incident response, risk prioritization, compliance reporting, and threat detection.

Practical AI Use Cases to Consider

Here are some ways AI is currently being used in cybersecurity and where it’s headed next:

1. Summarize Incidents and Recommend Actions

Generative AI can instantly analyze a security event and draft response recommendations. This saves time, supports disclosure obligations, and helps your team update internal policies based on real data.

2. Prioritize Security Alerts More Efficiently

AI triage tools analyze signals from across your environment to highlight which threats require urgent human attention. This allows your staff to focus where it matters most — reducing risk and alert fatigue.

3. Automate Compliance and Reporting

From HIPAA to SEC rules to state-level privacy laws, the regulatory landscape is more complex than ever. AI can help your organization map internal controls to frameworks, generate compliance reports, and summarize what needs to be disclosed — quickly and accurately.

4. Monitor Behavior and Detect Threats

AI can track user behavior, spot anomalies, and escalate suspicious actions (like phishing attempts or unauthorized access). These tools reduce attacker dwell time and flag concerns in seconds — not weeks or months.

5. The Next Frontier: Autonomous Security

The future of AI in cybersecurity includes agentic systems — tools capable of acting independently when breaches occur. For instance, if a user clicks a phishing link, AI could automatically isolate the device or suspend access.

However, this level of automation must be used carefully. Human oversight remains essential to prevent overreactions — such as wiping a laptop unnecessarily. In short, AI doesn’t replace your human cybersecurity team but augments it — automating repetitive tasks, spotting hidden threats, and enabling faster, smarter responses. As the technology matures, your governance structures must evolve alongside it.

Building a Roadmap and Proving ROI

To unlock the benefits of AI, your business needs a strong data and governance foundation. Move from defense to strategy by first assessing whether your current systems can support AI — identifying gaps in data structure, quality, and access.

Next, define clear goals and ROI metrics. For example:

  • How much time does AI save in daily operations?
  • How quickly are threats identified post-AI deployment?
  • What are the cost savings from prevented incidents?

Begin with a pilot program using an off-the-shelf AI product. If it shows value, scale into customized prompts or embedded tooling that fits your specific business systems.

Prompt Engineering to Empower Your Team

Your teams can get better results from AI by using structured prompts. A well-designed prompt ensures your AI tools deliver clear, useful, business-ready outputs.

Example prompt:

“Summarize the Microsoft 365 event with ID ‘1234’ to brief executive leadership. Include the event description, threat level, correlated alerts, and mitigation steps — in plain language suitable for a 10-minute presentation.”

This approach supports internal decision-making, board reporting, and team communication — all essential for managing cyber risks effectively.

Don’t Wait: Make AI Part of Your Cybersecurity Strategy

AI is no longer a “nice to have”; it’s a core component of resilient, responsive cybersecurity programs. Organizations that act now and implement AI strategically will be better equipped to manage both today’s threats and tomorrow’s compliance demands.

How MGO Can Help

At MGO, we help forward-thinking companies across industries — including healthcare, life sciences, manufacturing, cannabis, technology, and entertainment — harness the power of AI to strengthen their cybersecurity posture while maintaining control, compliance, and clarity.

Our team combines deep technical knowledge with industry-specific insight to help you evaluate your current systems, identify where AI can deliver real value, and implement solutions that support long-term resilience across the board.

From building data governance frameworks to designing effective prompt strategies, we guide you step-by-step to make sure your cybersecurity investments are strategic, scalable, and aligned with your business goals — all with tailored advisory solutions in cybersecurity management, outsourced accounting, and technical compliance.

Explore how MGO can help you build a smarter, stronger cybersecurity program. Contact us today to learn more.

AI Risks in Manufacturing: How to Protect Your Operations, IP, and Workforce
https://www.mgocpa.com/perspective/top-ai-risks-in-manufacturing-and-how-to-manage-them/?utm_source=rss&utm_medium=rss&utm_campaign=top-ai-risks-in-manufacturing-and-how-to-manage-them
Mon, 25 Aug 2025 14:12:47 +0000

The post AI Risks in Manufacturing: How to Protect Your Operations, IP, and Workforce appeared first on MGO CPA | Tax, Audit, and Consulting Services.

Key Takeaways:

  • AI in manufacturing boosts efficiency, but poor data quality can lead to costly errors and flawed forecasts.
  • Cyber threats grow as AI connects IT and operational technology (OT) systems. Secure your infrastructure to reduce exposure.
  • AI tools risk IP leaks and job disruption. Protect proprietary data and invest in workforce upskilling.

Amid growing cost pressures and dampened sentiment, manufacturers are turning to artificial intelligence (AI) to improve visibility, decision-making, and efficiency across complex operations. According to the Q2 2025 Outlook Survey from the National Association of Manufacturers, 84.7% of manufacturers plan to prioritize digital transformation in the next 12 months — with 21.8% placing significant emphasis on these initiatives.

While 72% of manufacturers already report measurable cost savings and performance gains from AI, overall optimism has dropped to 55.4% (the lowest level since Q2 2020). With rising input costs — particularly tariffs and raw material inflation — manufacturers must adopt AI with discipline and oversight.

But with accelerated adoption comes elevated risk. Manufacturing leaders must proactively manage the challenges AI introduces to avoid exposing the business to unnecessary vulnerabilities. This includes building strong governance frameworks with human-in-the-loop oversight, so critical decisions and outputs are always validated by skilled professionals rather than left entirely to automated systems.

Top 5 AI Risks in Manufacturing (and How to Manage Them)

Here are five critical AI risks manufacturing organizations face — and strategies to manage them responsibly:

1. Poor Data Quality Can Lead to Faulty AI Outputs

Manufacturers generate massive amounts of data from internet of things (IoT) sensors, machinery, and supply chain systems. However, if this data is unstructured or inconsistent, AI algorithms may produce inaccurate or misleading insights. This can result in flawed inventory levels, distorted demand forecasts, and even safety risks due to unreliable quality control systems.

How to manage it: Invest in foundational data hygiene and governance, such as continuous metric monitoring. Standardizing, structuring, and validating data across systems before deploying AI models is critical to ensuring reliable outcomes.

2. Cybersecurity Threats Expand with AI-Driven Connectivity

As AI tools integrate with OT and IoT infrastructure, they increase the attack surface across the manufacturing environment as well as regulatory risk exposure. Legacy OT systems, often not built with security in mind, become vulnerable when connected to AI-driven IT networks.

How to manage it: Implement robust cybersecurity protocols across IT and OT systems and adopt zero-trust architecture. Prioritize threat detection, continuous monitoring, and security-by-design when deploying AI platforms.

3. Risk of Intellectual Property (IP) Exposure

AI tools often rely on proprietary data — including process flows, equipment settings, and production methodologies — to generate insights. When shared on open platforms or in unsecure environments, this sensitive information can be at risk of theft or misuse.

How to manage it: Leverage secure AI environments with limited internet exposure and implement enterprise-wide access controls and data classification protocols. Train staff on responsible data handling practices and limit AI exposure to critical IP when possible.

4. Workforce Disruption from Automation and Digital Tools

AI technologies like computer vision and digital twins are redefining job functions on the factory floor. While these tools enhance efficiency, they may also displace certain roles — such as manual inspectors — unless companies invest in reskilling initiatives.

How to manage it: Develop talent strategies that focus on digital upskilling. Align workforce planning with technology adoption and support employees through change management and training programs.

5. Operational Disruptions from AI Model Failures

Without structured oversight, AI systems can produce unexpected outputs, including “hallucinations” — inaccurate or fabricated information. In critical functions like demand forecasting, these errors can lead to overproduction, tied-up capital, or delays.

How to manage it: Establish a cross-functional AI governance model with clear testing, validation, and human-in-the-loop oversight protocols. Embed monitoring systems to continuously evaluate model performance and flag anomalies early.

Graphic showing key AI risks in manufacturing, such as poor data quality, cybersecurity gaps, and IP exposure

How MGO Can Help: Strategic AI Risk Management for Manufacturers

We work closely with manufacturing leaders to develop customized AI governance strategies that align with operational goals and industry regulations. Whether you’re adopting AI for the first time or scaling your digital infrastructure, our solutions — including cybersecurity, risk management, technical accounting, and digital transformation — are designed to help you harness innovation responsibly.

From safeguarding intellectual property to implementing secure, auditable AI platforms, we help you drive performance while reducing exposure to operational, financial, and reputational risk. Let’s build a smarter, safer future for your manufacturing operations together.

Top 5 Boardroom Conversations on Technology Governance https://www.mgocpa.com/perspective/top-5-boardroom-conversations-on-technology-governance/?utm_source=rss&utm_medium=rss&utm_campaign=top-5-boardroom-conversations-on-technology-governance Tue, 15 Jul 2025 17:54:11 +0000

Key Takeaways: 

  • Your board should boost tech literacy and structure to oversee innovation, risk, and digital transformation effectively. 
  • Staying current on AI, cybersecurity, and data privacy laws is essential for strong technology governance. 
  • If you want strong, effective tech oversight, it’ll require cultural alignment, workforce readiness, and smart investment strategies.  

Technology is no longer just an operational tool; it is a core driver of strategy, risk, and opportunity. For boards, the imperative to innovate is matched only by the responsibility to govern technology effectively. As organizations harness emerging technologies, the boardroom must be equipped to navigate complex issues ranging from regulatory compliance and risk management to cultural alignment and investment prioritization.  

Here we explore the top five boardroom conversations shaping technology governance for directors seeking to foster innovation while safeguarding organizational integrity and value. 

1. Assessing the board’s technological literacy and access to expertise  

  • Determine whether the board, as a whole, has the appropriate knowledge and experience with technological innovation and implementation to provide strategic oversight.  
  • Assess the board’s familiarity with the company’s technology debt when considering opportunities to implement emerging technologies.  
  • Consider whether the circumstances of the company indicate the need to appoint a member with specific and relevant technology expertise. 
  • Discuss whether the current board structure supports the strategic technology goals, objectives, and identified risks.   
  • Weigh potential decisions for a dedicated technology committee, assigning technology to a specific existing committee, or keeping responsibility with the full board.   

2. Remaining apprised of a shifting regulatory landscape

  • Given the fast-evolving nature of data privacy, cybersecurity, and AI regulations, consider the board’s ability to confirm compliance with all laws and regulations.  
  • Request continuing education and updated thought leadership from counsel and other advisors, subscriptions to emerging legislative trackers, etc.  

3. Engagement with management to understand risk management effectiveness  

  • Consider whether management has adopted a viable framework that provides accountability and instills trust in its use and deployment of AI. 
  • Assess whether the underlying data hygiene of the organization – including data integrity, access and privacy rights protections, effective internal controls, and system security – will enable technology to provide usable and ethical outputs. 
  • Evaluate management’s use case identification in prioritizing the opportunity/problem being addressed versus the risk exposure to the organization. 
  • Assess how human supervision and continuous monitoring are built into the process to identify and mitigate issues promptly. 

4. Cultural alignment and workforce preparation 

  • As technology is being integrated and implemented, consider the appropriateness of training and upskilling the workforce to use and monitor new tools, identify and remedy associated risks, and comply with internal policies, procedures, and external rules and regulations.  
  • Determine the existence and robustness of cross-disciplinary change management to foster a culture of innovation acceptance and empowerment.
  • Discuss management strategies in place to address cultural and operational challenges to widespread adoption and use.  
  • Assess the quality and effectiveness of communication throughout the organization to drive employee understanding of the use cases being deployed, changes to workflows, and how their roles may continue to evolve. 

5. Prioritizing technology investment 

  • Consider the process applied by management for evaluating use cases against the mission, values, and agreed upon strategy of the organization. 
  • Determine whether management’s technology strategy focuses not only on the investment in specific tools and their implementation but includes adequate investments in security and risk management.  
  • When planning to deploy AI technology, consider whether critical input is being provided by others responsible for related risks such as cybersecurity teams, general counsel, finance, human resources, and operations.   

Stay Engaged 

Directors are encouraged to stay educated, informed, and in constant contact with management when integrating and utilizing new and complex technologies. The BDO Center for Corporate Governance endeavors to support directors in engaging in effective governance by providing insights, learning, and networking opportunities in collaboration with BDO subject matter specialists, advisors, and peer networks designed specifically for boards of directors. 

Written by Amy Rojik, Rachel Moran and Lee Sentnor. Copyright © 2025 BDO USA, P.C. All rights reserved. www.bdo.com 

How MGO Supports Boards in Technology Oversight 

As technology becomes central to strategy and risk, MGO helps boards elevate their governance capabilities. From assessing board tech literacy to advising on AI risk frameworks and regulatory compliance, MGO offers tailored insights that empower directors to make informed decisions. Our team supports board and committee structures, provides continuing education on emerging tech, and helps align technology investments with organizational values. With deep experience in cybersecurity, data governance, and digital transformation, we work with you to navigate the complexities of modern technology oversight as it continues to evolve. Contact us to learn more.  

How to Build a Broader Risk View for Your Government https://www.mgocpa.com/perspective/strengthen-risk-assessment-state-local-government/?utm_source=rss&utm_medium=rss&utm_campaign=strengthen-risk-assessment-state-local-government Tue, 10 Jun 2025 20:40:38 +0000

Key Takeaways: 

  • Many state and local governments still approach internal audit risk assessments with a narrow, accounting and/or compliance-focused lens — leaving them vulnerable to emerging threats like cybersecurity, digital disruption, and workforce challenges. 
  • A modern risk assessment should go beyond finance to cover a broad range of risks, combining data, executive and senior management input, and informed judgment to build a clear, actionable audit plan. 
  • By rethinking how you assess risk, you can turn internal audit into a strategic driver of resilience, accountability, and long-term success for your government. 

— 

State and local governments navigate a complex web of service delivery, public accountability, and financial obligations. This operating environment can be strengthened through the second and third lines of defense, including internal audit. However, many internal audit functions still focus narrowly — concentrating on accounting and compliance. That limited view might leave you vulnerable to the most disruptive risks ahead. 

Cybersecurity threats. Human capital issues. Fraud, waste, and abuse. Business continuity and service delivery continuity. Digital transformation. These are no longer hypothetical concerns — they’re realities shaping how governments operate. To truly safeguard your organization, it’s time to broaden your risk horizon and rethink how you approach internal audit risk assessments. 

Why a Broader View of Risk Matters Now

Internal audit plays a critical role in identifying where your organization is vulnerable and where it’s thriving. But too often, risk assessments are rooted in yesterday’s threats. The Institute of Internal Auditors’ “Risk in Focus” report paints a clear picture: the top risks projected by 2028 aren’t limited to financial reporting or policy compliance — they include cybersecurity, digital disruption, regulatory change, human capital, business continuity, and market changes. 

If your current risk assessment process is overlooking areas like technology implementations, talent shortages, or reputational threats, you’re not getting the full picture. And that means your audit plan may be missing the very areas that need your attention most. 

What Makes a Strong Risk Assessment?

At its core, a good risk assessment involves more than ticking boxes. It should be dynamic, forward-looking, and grounded in both data and professional judgment. Here’s how to rethink your approach:

1. Understand Your Risk Universe

Your risk universe should go beyond accounting and finance. A strong assessment covers a broad landscape of risk categories, including:

  • Operational
  • Technology and cyber
  • Strategic
  • Compliance
  • Human capital
  • Reputation
  • Fraud
  • Public services
  • Governance
  • Safety

These areas are just as critical as your accounting and finance-related risks. The key is to build an audit universe that reflects your organization’s full risk profile — from billing errors in your tax collection system to gaps in emergency preparedness.

Graphic providing a visual example of a broad risk universe, including fraud, financial, operational, governance, and compliance considerations

2. Build Your Audit Universe with Intention

Your risk assessment process should start with understanding your organization inside and out. That means: 

  • Reviewing org charts, budgets, and annual financial reports 
  • Conducting surveys and interviews with key stakeholders 
  • Documenting key functions, strategic initiatives, and capital projects 

The goal is to build a living document — an audit universe — that’s functional, relevant, and tied to your organization and risk landscape. 

For example, when assessing information technology-related risks, traditional areas of focus might include IT general controls (such as access controls), cybersecurity, and IT governance. By broadening the risk universe, you might also include department and functional-level risks (such as technology risks specific to an airport or police/sheriff department), IT strategy, large IT system selection and implementation efforts, data privacy, artificial intelligence, third-party risk management, and more. 

3. Address What You Might Be Missing

Even strong internal audit teams can fall into patterns. But in our experience working with government clients, we’re seeing a few risk areas consistently overlooked: 

  • Digital disruption and AI: Are you ready for rapid changes in tech? 
  • Human capital and organizational culture: Do you have the talent to run the organization today and into the future? 
  • Business continuity: Do you have a plan and has it been tested? 
  • Strategic planning: Are day-to-day actions and decision making tied to long-term goals? 
  • Capital projects: Are you managing large-scale efforts with adequate oversight? 

Take time during your assessment process to scan for these gaps. Addressing them now could help you prevent a costly surprise later. 

4. Make It Both Art and Science

Risk assessment isn’t just about crunching numbers — it’s a balance between structured scoring and informed judgment.

Use both quantitative (e.g., likelihood and impact scales from 1–10) and qualitative (e.g., low/moderate/high risk) methods to rate risks. The resulting score (likelihood x impact) gives you a sense of where to focus.

But remember, numbers alone won’t tell the full story. Talk to department heads. Ask about upcoming initiatives, funding concerns, and staffing realities. The insights you gather will shape a more accurate, actionable audit plan. 

Assessing and scoring risk is key to identifying how internal audit can add value.

5. Use Risk Assessment to Drive Action

A risk assessment isn’t just a list. It’s a tool to drive internal audit strategy.

Once your risks are scored and prioritized, use the data to create a risk-based audit plan. This should guide your audit activities for the year, aligning internal audit efforts with your organization’s top priorities.

Risk Management Is Everyone’s Business

Risk isn’t something internal audit owns alone. It’s shared across departments, leadership teams, and service areas. By broadening your perspective and harmonizing your risk-related activities — whether it’s internal audit, enterprise risk management, or strategic planning — you build a stronger, more resilient government.

Risk will never disappear. But with a clear view of the landscape and a strong internal audit foundation, you can face the future with confidence.

How MGO Can Help

Our dedicated State and Local Government team is here to help you take a broader, more strategic approach to risk. From internal audit services and internal controls evaluations to IT risk and cybersecurity assessments, we offer tailored solutions to assess performance, identify gaps, and benchmark against best practices.  

Reach out to our team today to find out how we can help you strengthen resilience, improve accountability, and prepare for what’s next. 

How Outsourced Accounting Can Strengthen Your FP&A Strategy https://www.mgocpa.com/perspective/how-outsourced-accounting-can-strengthen-your-fpampa-strategy/?utm_source=rss&utm_medium=rss&utm_campaign=how-outsourced-accounting-can-strengthen-your-fpampa-strategy Fri, 16 May 2025 20:59:21 +0000

Key Takeaways:  

  • Outsourced accounting provides real-time financial data and insights to support agile FP&A. 
  • Engaging an experienced CAS team enhances collaboration and reduces operational strain on internal finance. 
  • Scalable accounting support helps organizations shift from reactive reporting to strategic forecasting. 

Financial planning and analysis (FP&A) are the cornerstone of effective decision-making — but many growing businesses struggle to give it the attention it deserves. Internal teams are often stretched thin, focused on month-end closes, reconciliations, and reporting cycles. 

Outsourced accounting services can provide a practical path forward for organizations facing growing financial complexity. By transferring day-to-day accounting responsibilities to a dedicated external team, internal finance leaders can refocus their efforts on analysis, forecasting, and long-term planning. This article explores how leveraging Client Accounting Solutions (CAS) can strengthen your FP&A capabilities and position your business for more informed, agile decision-making. 

The Challenge: Limited Capacity, Fragmented Tools 

As businesses scale, so does financial complexity. Many organizations have reached a point where spreadsheets, disconnected systems, and lean internal teams can no longer keep up. Finance teams become consumed by data reconciliation and compliance tasks, leaving little room for long-term planning or scenario modeling. 

Common pain points include: 

  • Data overload: Managing high volumes of financial data across spreadsheets and legacy systems leads to inefficiencies. 
  • Reactive reporting: Most time is spent looking backward, not forward — limiting the value FP&A can provide. 
  • Talent constraints: Hiring and keeping skilled finance professionals is costly and time-consuming. 
  • Limited collaboration: When finance is siloed from operations, strategic alignment suffers. 

How Outsourced Accounting Helps Your FP&A Function 

Engaging with an outsourced accounting team provides immediate access to experienced finance professionals, established processes, and enabling technologies, without the need to expand your internal headcount.

Here’s how outsourced accounting supports stronger FP&A: 

  1. Improved Data Accuracy and Availability

An outsourced CAS team provides prompt, clean, and consistent financial data — the foundation of any successful planning process. With better data hygiene, your team can focus on analysis rather than troubleshooting.

  2. Enhanced Forecasting and Strategic Insight

Outsourced accounting support frees up bandwidth for your internal team to work on forward-looking initiatives. You gain access to advisory professionals who can help build models, test scenarios, and align financial planning with business goals.

  3. Built-In Scalability

As your business grows or changes direction, your outsourced team can flex with your needs — whether that means supporting a new product launch, managing M&A activity, or helping integrate new systems.

  4. Better Collaboration Across Departments

An outsourced accounting team can serve as a crucial point of coordination, helping align finance with operations, sales, and HR. With consistent reporting and integrated planning processes, stakeholders across departments gain access to prompt information that supports informed decision-making.

What to Look for in an Outsourced Accounting Team 

If your organization is exploring outsourced accounting to strengthen FP&A, consider these key factors to align support with your strategic goals: 

1. Industry-Specific Experience 
Look for a team with a solid understanding of the financial, operational, and regulatory considerations in your industry—whether that’s cannabis, life sciences, manufacturing, or technology. Sector knowledge allows for more relevant, tailored guidance. 

2. Strategic Advisory Capabilities 
Outsourcing should go beyond transactional work. Seek capability in budgeting, forecasting, and cash flow management, so your accounting function contributes to business planning and performance.

3. Technology Alignment and Integration 
Even with a services-first approach, technology remains a critical component. An experienced outsourced team should work well with your ERP and support financial planning tools that streamline data and reporting.

4. Scalable and Flexible Support 
As your business grows or shifts, accounting needs may change. A flexible CAS team can offer controller-level insights, full FP&A support, or project-based services based on your evolving priorities. 

Building a Strategic Finance Function with MGO 

Outsourced accounting is more than a back-office solution. When structured properly, it becomes a strategic lever that supports high-quality financial planning, improves agility, and positions your business for long-term success. 

MGO works with middle-market organizations across technology, cannabis, healthcare, life sciences, and manufacturing to modernize finance operations. Our Client Accounting Solutions, technical accounting advisory, and management consulting services are designed to help growing companies build finance functions that support strategy — not just compliance. 

Whether you’re preparing for an audit, scaling operations, or strengthening your forecasting capabilities, we help you gain the confidence and clarity to plan effectively. 

Top Audit Committee Priorities for 2025 https://www.mgocpa.com/perspective/audit-committee-priorities-2025/?utm_source=rss&utm_medium=rss&utm_campaign=audit-committee-priorities-2025 Fri, 25 Apr 2025 18:31:27 +0000

Key Takeaways:

  • Audit committees (ACs) are prioritizing enterprise risk management (ERM) due to a dynamic risk environment influenced by geopolitical factors, supply chain disruptions, and technological advancements.
  • The composition and structure of the board are critical for effective risk governance, and AC members need industry knowledge and relevant experience to oversee the ERM process effectively.
  • Boards should clearly articulate risk appetites, engage in ongoing education, stress-test ERM processes, and hold holistic risk conversations.

1. Enhanced Risk Governance: Audit committees (ACs) are prioritizing enterprise risk management (ERM) due to a dynamic risk environment influenced by geopolitical factors, supply chain disruptions, and technological advancements.

2. Board and Committee Composition: The composition and structure of the board are critical for effective risk governance. AC members need relevant experience and deep industry knowledge to oversee financial reporting and ERM processes effectively.

3. Leading Practices for Oversight: Boards should clearly articulate risk appetites, engage in ongoing education, and stress-test ERM processes. Effective risk conversations should be holistic, incorporating strategy and planning, and involving collaboration across the organization.

In an era when the business landscape is characterized by rapid changes and rising uncertainties, the need for robust governance oversight has never been more critical. As organizations strive to navigate an increasingly complex business environment, the role of the board in overseeing enterprise risk management, financial reporting, and compliance becomes paramount. This publication discusses the evolving priorities and responsibilities of audit committees (ACs) in 2025, emphasizing risk governance, technology integration, and investor expectations. 

Enhanced Risk Governance and Enterprise Risk Management Integration 

Today’s ACs are watching an evolving risk landscape impacted by significant geopolitical factors, continuing supply chain disruptions, global inflation, and the emergence of technology that for many companies may prove highly disruptive to their businesses. According to the BDO 2024 Board Survey of approximately 250 sitting directors, 31% identified enterprise risk management (ERM) as the governance process requiring the most significant time and effort over the next 12 months. Today’s dynamic risk environment, coupled with regulatory (e.g., SEC) and stakeholder expectations, requires corporate risk assessments to cover the entire enterprise, not just financial reporting. A recent Audit Committee Practices Report found that 47% of respondents assigned ERM oversight to the AC, 15% to a risk committee, and 35% to the full board. ERM is expected to be an integrated, holistic process that considers all manner of risks to the organization (e.g., strategic, regulatory, operational, and reputational). Regardless of the express responsibilities within the board and committee charters, all board members are expected to exercise skepticism and be risk aware.

Governance Structure and Composition   

The combined structure and composition of the board play a crucial role in risk governance. AC members have a significant responsibility in reviewing and overseeing risk factors as part of their mandate to oversee the financial reporting function, and their directive often extends to oversight of the ERM process as well. This requires well-informed directors who not only understand financial accounting but also have relevant experience and deep industry knowledge about the company’s specific risk factors, along with the experience to make judgments about how well management is identifying, prioritizing, and managing risks. For example, consider the adequacy of an AC that has the additional responsibility for cyber risk oversight but is composed solely of financial experts, who may lack the current understanding of the cyber risk landscape, or of the impact of emerging technology on the protection of data, needed to ask informed questions of management about risk detection and mitigation strategies.

Leading Practices for Board/Committee Oversight  

The board should be responsible for setting and clearly articulating risk appetites and tolerance thresholds and ensuring management is operating within those boundaries. There are several steps directors should take to advise management on risk and strategic priorities. These include: 

  • Establishing incentives to provide accurate reporting on risks to the organization 
  • Remaining forward thinking and open minded as the business environment rapidly changes 
  • Prioritizing ongoing education, including inviting experts into the boardroom (e.g., economists, cyber specialists, technologists, and others) 
  • Taking a hands-on approach by engaging with stakeholders, leveraging technology, and performing site visits 

The AC’s oversight of ERM goes beyond oversight of management’s processes to stress testing those results to help ensure priorities are aligned, mitigation efforts are sound, and the company can be resilient against new challenges. The AC should not only review the formal ERM processes performed by management but receive further reporting and updates at an established cadence throughout the year to enhance recurrent risk conversations. The Audit Committee Practices Report indicated 49% of boards discussed ERM monthly, as opposed to the 28% and 20% who add it to the agenda semiannually and annually, respectively. Effective risk conversations have several key characteristics that include considering the company holistically, incorporating the organization’s strategy and planning processes, and collaborating with professionals throughout the organization. Additionally, these conversations may benefit from this list of questions every board should ask about risk management.

Risk Mitigation and Preparedness  

Much like our own immune systems, organizations are much better prepared to respond to risks if they are generally healthy. If the fundamentals of a business are strong and if potential shocks to the system have been considered and prepared for in advance, the business will be much better positioned to survive.  However, in today’s fast-paced business environment, the speed at which risks can materialize has a significant impact on risk management, often requiring response within minutes rather than overnight. Boards should consider whether management is prepared to identify rapidly materializing risks and react swiftly to disruptions. Resilience programs such as business continuity, IT disaster recovery, and cyber incident response programs should be adequately resourced and include formal documented processes and responsibilities, scenario planning, and crisis simulations that are updated regularly. 

Governance Oversight Priorities   

BDO’s 2024 Board Survey identified the activities directors expect to spend the most time on next year: 

Bar graph showing which activities board directors expect to spend the most time on in 2025.

Specific Governance Activities to Strengthen Both Management and the Board 

Bar graph showing which governance activities strengthen both management and the board.

Conclusion 

Effective risk management and resilience through ERM integration are essential for navigating the complexities of the modern business environment. By adopting leading practices, aligning with strategy, and prioritizing forward-thinking approaches, ACs can enhance their oversight capabilities and help ensure the long-term success of their organizations. 

Emerging Technology and Cybersecurity 

The expanded use of technology is transforming business operations, reducing costs, and enhancing human capabilities. The challenge organizations face is balancing innovation with risk management, focusing on efficiency, productivity, cybersecurity, data governance, and human capital impacts. 

Governance Structure and Composition 

The 2024 BDO Board Survey shows the priority emerging technology and cybersecurity have in boardrooms today. Directors identified “advancing the use of emerging technology” as the second most important strategic priority and “lagging implementation of emerging technologies” as one of the most significant risks. Cybersecurity was also in the top five strategic priorities and significant risks. Additionally, 50% of directors plan to increase investments in emerging technologies, and 41% intend to boost cybersecurity investment over the next 12 months. While some organizations may create additional board committees for technology and/or cybersecurity, many consider the AC the appropriate committee to oversee these areas, given its familiarity with the need for strong implementation and internal control environments designed to protect the integrity of information being used and generated by the company.  

As boards formalize their oversight response to evolving technology, they should consider committee capacity and expertise. According to the recent Audit Committee Practices Report, 58% of ACs have cyber responsibility, followed by 25% retaining oversight at the full board level. Seventy-three percent of directors report discussing the topic quarterly, followed by 15% semiannually. Similar to the evolution of sustainability oversight, technology is integrated throughout the corporate environment (e.g., human capital systems, operations, supply chain management, third-party risk, and financial reporting). Collaborative oversight will be essential and may require assignment to one or more board committees depending on the significance and pervasiveness of the risks.

There is an ongoing debate about whether to bring subject matter experts onto the board or to cultivate director “generalists” supported with focused continuing education, with no definitive best practice emerging. For example, while the SEC dropped its proposed requirement to disclose whether cybersecurity expertise existed within the board, the board may determine that having a cyber expert among them may still be warranted. However, we caution about deferring responsibility for significant risks to a single board member. There is also growing support for all directors to be “technology and cyber literate,” much like they should be financially knowledgeable, with many boards encouraging directors to achieve and maintain certifications in these and other significant risk areas. 

In response to the SEC’s cybersecurity disclosures, directors report obtaining external assessments and creating internal processes as the top two areas for improvement in their oversight of cybersecurity. This includes understanding what cyber incidents may be considered material to the business and how prepared the organization is to respond timely and effectively to a cyber incident when it occurs. Consider additionally Questions Directors Should be Asking in Their Oversight of Cyber Risk.

What is certain is that directors should continue to educate themselves in emerging and dynamic areas, including AI/generative AI and cybersecurity, to continue to inform appropriate dialogues with management and auditors. Subject matter specialists may be invited to board and committee meetings to provide education to bolster collective board knowledge and address identified director skill and knowledge gaps, as well as serving as trusted advisors. Often, while these sessions may be requested by the board or AC chair, many boards encourage attendance by all directors and certain members of management.

Oversight of Generative AI 

Board oversight of generative AI should be considered as part of the broader ERM mandate. From recognizing strategic benefits to mitigating associated risks, the board can embrace AI by establishing a safe environment and a culture of trust that accelerates innovation while promoting long term success. The board of directors further plays a pivotal role in guiding the responsible and ethical use and strategic deployment of generative AI. The board may consider establishing a cross-functional AI team that includes the CIO, CISO, general counsel, and operations providing regular reporting to the board or oversight committee. 

From an AC perspective, many finance teams are identifying efficient AI use cases to help analyze financial information, detect trends, and identify anomalies in large data sets. By the same token, auditors are incorporating AI into their auditing methodologies and tools to drive efficient and effective audits and address audit risk.  

Regulators from government to industry are also keenly focused on the role that emerging technologies play in shaping business opportunities and risks to consumers and stakeholders. We encourage the AC to remain attentive to developing rules and regulations that may impact how their business chooses to integrate and use technology and the impact those choices may have on their stakeholders.  

Questions directors should be asking in their oversight of generative AI. 

  • What are the company’s policies around the ethical use of technology? How are those policies monitored, and how often are they reviewed and revised? 
  • What is the process for identifying effective use of generative AI? Is the organization monitoring industry and competitor uses? Do these uses align with strategic objectives and business goals? 
  • What is the process for adopting innovative technologies from identification to selection, implementation, education to monitoring and compliance? Who is responsible and accountable? 
  • What monitoring and compliance controls exist? How are instances of noncompliance reported and remedied? 
  • What are the risks associated with generative AI use, and what controls are in place to mitigate these risks?  
  • What controls does the company have around the reliability, accuracy, and consistency of its data? 
  • How does the organization monitor (and who is responsible for) the regulatory environment to ensure compliance? 
  • How is the company mitigating third-party risk? 
  • How are we remaining current with respect to developing laws and regulations related to the use of AI?

AI Oversight in Financial Reporting and Use by the External Auditor 

With disclosure demand increasing, it is anticipated that stakeholders will expect similar information around technology governance and oversight to what they are receiving about cybersecurity. Directors should not only confirm the company has processes around technology risk management, strategy, and governance that are operating effectively, but also that the governance oversight is established, documented, reviewed, and revised frequently.  

A recent report, The Rise of Generative AI in SEC Filings, states that almost two-thirds of Fortune 500 companies mention AI in their annual report on Form 10-K, 11% specifically reference generative AI, and more than half have a risk factor citing AI. ACs should ensure consistent and balanced messaging on emerging technologies, considering the materiality to their business when making public disclosures, while also anticipating stakeholder demand for details on process and governance oversight.

Underlying the financial statements, ACs should evaluate the impact of technology, including generative AI use in the financial reporting function. Three increasingly interdependent elements — technological efficiency, regulatory compliance, and talent — impact both corporate finance teams and audit engagement teams. Data governance challenges can increase the risk for potential reporting issues, errors, or unreliable insights. 

The PCAOB has started “limited outreach” to understand audit firm and public company perspectives on the integration of generative AI in audits and financial reporting. Findings suggest that the integration is falling behind operational and customer-facing areas for many companies, which was further supported by BDO’s recent Board Survey results. Similarly, while some audit firms have started to incorporate generative AI into their audits, it remains primarily for administration and research as firms proceed cautiously in their testing and vetting of innovative technologies. 

Meanwhile, stakeholder demand for adoption is high. BDO’s inaugural Audit Innovation Survey revealed that senior finance leaders say tech-savvy auditors increase trust and influence auditor selection, while acknowledging continuing challenges in audits as technology is implemented. More than two-thirds (69%) of respondents say established data governance and internal data management are a barrier to a smooth audit experience. ACs should continue to engage in discussion with external auditors, as well as internal auditors, around their use of technology, the associated benefits, and risks. 

The CAQ recently released a resource providing an overview of the technology and regulatory environment along with audit considerations for companies deploying generative AI. They also included sample use cases that may be useful for the AC in the evaluation and oversight of their own company’s generative AI deployment. 

Investor Expectations of Audit Committee Effectiveness 

The AC’s effectiveness is vital for robust corporate governance and investor confidence. While ACs are often assigned expanding responsibilities, they must not fall behind on the traditional mandate of their role. It is important to clearly define and regularly review the AC’s responsibilities and associated charter to ensure compliance with requirements, along with assessing the capacity and experience around expanded oversight responsibilities. 

Questions ACs should be asking about fulfilling investor expectations: 

  • Is the AC fulfilling its requirements per applicable rules and regulations? 
  • How does the AC determine effectiveness and independence of the external auditor? 
  • Is our ERM process fit for purpose with respect to identifying and prioritizing emerging areas of risk? 
  • Does the AC inquire about “close calls” – e.g., areas of focus by the external auditor that were considered but didn’t rise to the level of a CAM?  
  • If applicable, is management’s remediation of deficiencies being done timely and effectively? 
  • How is the AC leveraging internal audit (IA) for value creation and risk mitigation? 
  • How often does IA revise their audit plan and update the AC on any deficiencies found? 
  • What are the qualifications and experience of the IA team? 
  • How is the AC ensuring collaborative input into the company’s disclosures? 
  • What disclosure controls are in place, and how does the AC monitor effectiveness? 
  • To what depth does the AC review, challenge, and approve items ancillary to the earnings release? 
  • Do any/all directors sit in on earnings calls? 
  • How does the AC ensure consistency around the company’s internal and external messaging? 
  • How are AC members staying current with rules, regulations, and environmental trends? 
  • What are the AC’s responsibilities beyond the core requirements, and does the AC have the capacity and experience to execute on them? 
  • Does the company’s finance function need additional support? How and when was a gap analysis performed?

Oversight of Internal Audit 

Leveraging IA effectively can provide significant insights into the company’s operations and risk management processes, including emerging and high-priority areas such as AI, cybersecurity, and controls around non-financial data (e.g., sustainability metrics). The Institute of Internal Auditors has issued new Global Internal Audit Standards, effective January 9, 2025. These standards are designed to guide the professional practice of internal auditing and serve as a basis for evaluating the quality of the IA function by those in oversight roles (e.g., ACs). While not mandatory, the standards offer 15 guiding principles and essential conditions (i.e., activities of the board and senior management) that enable effective internal auditing. ACs can facilitate indispensable value from their IA function in several ways, such as: 

  • Aligning expectations with the IA mandate 
  • Setting clear IA authority, roles, responsibilities, and scope of services 
  • Building an open and trusting relationship 
  • Understanding the risk assessment process 
  • Equipping IA with adequate resources and tools 
  • Promoting the IA function 
  • Assessing the performance of the Chief Auditing Executive (CAE) and IA function 
  • Requiring the maintenance of a current IA charter for approval 

Best practices for the oversight of IA include regular reports to the AC to ensure continued alignment on audit strategy and goals, along with timely resolution of identified deficiencies before they become material issues. The PCAOB has also taken interest and added a mid-term project to consider updates to Auditing Standard 2605, Consideration of the Internal Audit Function. See the BDO Internal Audit Webinar Series and upcoming BDO in the Boardroom Podcast for discussions around emerging topics and best practices within the IA function. 

Oversight of Financial Reporting 

The AC plays a vital role in overseeing financial reporting quality and controls. Recent studies from Ideagen Audit Analytics and the Center for Audit Quality indicate that the number of financial restatements filed by SEC-reporting companies is at or near historic lows, likely the result of continued diligence around emerging risks and robust internal control environments. The AC should remain vigilant in these areas and sensitive to the impact macroeconomic and geopolitical factors will have on their companies, including but not limited to: political elections and potential changes in legislation, geopolitical and economic indicators (e.g., inflation, interest rate changes, supply chain disruption, changes in tariff policies, war impacts), along with human capital matters associated with cultivating and retaining a skilled finance workforce.

Regulatory Landscape 

The regulatory landscape is continually evolving, with robust SEC and PCAOB rulemaking agendas, enforcement actions, inspection findings, and litigation continuing to make headlines. The AC must stay informed about these changes and ensure compliance with new regulations, consider priority regulatory areas, and monitor the impact of legislation, as well as an upcoming transfer of executive power in the U.S. 

The PCAOB has prioritized transparent communication and continues to issue Investor bulletins, audit focus, and spotlight publications that ACs are encouraged to monitor. Some recent examples include the PCAOB’s information about their inspection activities that include observations, inspection activities from the past year, and inspection priorities for the upcoming year that can inform ACs in their oversight of the financial reporting and audit processes. The SEC also releases examination priorities and makes public recent comment letters issued to registrants.  

Fraud Risk 

Fraud risk evaluation and oversight are critical components of the AC’s responsibilities, and the current environment constitutes a heightened risk for organizations, including digitally enabled fraud. The PCAOB recently paused its significant proposed Noncompliance with Laws and Regulations (NOCLAR) auditing standard, but ACs should continue to stay informed and involved in this and other rule and standard setting. See the 2024 BDO Board Survey and the PCAOB’s recent Spotlight for discussion around solidifying a culture of compliance.

Board’s Actions to Prevent and Detect Fraud 

Bar graph showing the board actions to prevent and detect fraud.

Disclosure 

Recent SEC enforcement has focused on the adequacy of company disclosure controls under Exchange Act Rule 13a-15 and emphasized the need for comprehensive disclosure controls. The Division of Corporation Finance also continues its Disclosure Review Program. ACs should be aware of cited trends — e.g., misleading non-GAAP measures and ransomware attack disclosures — to ensure their company’s own alignment with regulatory expectations. 

Companies may consider maintaining a well-structured disclosure committee, which includes diverse management representation from various departments such as accounting, finance, IT, cyber, sales, and general counsel. ACs should monitor the disclosure committee’s recommendations to ensure transparency and regulatory compliance. Additionally, the AC should discuss disclosure of material judgments to understand exclusions and evaluate the necessity of included information. 

Disclosure alignment should be a priority in AC discussions, ensuring company-wide collaboration and consistency across sources that broadly include (but are not limited to) financial statements, MD&A, earnings releases, proxy statements, company websites, sustainability reporting, and marketing materials. ACs should frequently scrutinize noted comment letter areas and emerging risks, as applicable, such as: 

  • China-related matters 
  • Non-GAAP measures 
  • Critical accounting estimates 
  • MD&A 
  • Revenue recognition 
  • Financial statement presentation 
  • Market disruptions 
  • Cybersecurity 
  • Supplier finance programs 
  • Inflation 
  • Other related rules (e.g., pay for performance) 

The AC should inquire about the rigor for how disclosures outside the financial statements (such as those related to earnings releases and sustainability reports) are verified for accuracy and consistency, including reviewing presentation slides and management’s commentary, while overseeing internal controls around non-financial metrics. 

The SEC recently disbanded their Climate and ESG Task Force stating the priorities were determined to be well integrated into overall company strategy and risk management. Additionally, the SEC’s new climate rules remain stayed and the issuance of anticipated new human capital rules are in question given the pending U.S. election transition. However, ACs should not lose focus as jurisdictions globally and locally are moving forward with significant reporting requirements that may impact a broad group of U.S. companies and will require significant action by management and oversight of the AC. ACs should discuss the emerging ESG disclosure landscape and company controls that are in place to monitor compliance as well as stakeholder sentiment, remaining attuned to verifiable data that reflect actual practices and do not mislead investors. 

Finance Function Talent Management 

The experience, effectiveness, interactions, and reporting of professionals in the accounting and finance functions serve as an important control in the oversight of financial reporting that the AC receives. In an environment where the war for talent continues, ACs should ensure they are evaluating resources and supporting the needs of the finance function in their companies.  

Oversight of the External Auditor 

Audit quality stems from the AC’s ability to exercise professional skepticism, including challenging assessments and estimates made by auditors and management. It is considered a best practice for ACs to build a strong professional relationship with their external auditors, which includes frequent, transparent communications about the audit, including:

  • Auditor independence
  • Scope, status, and conduct of the audit
  • Audit team and the audit firm, including engagement team members’ experience, supervision, and review
  • Firm’s system of quality control

See the PCAOB’s recent Audit Focus: Audit Committee Communications for reminders and common deficiencies in this area.  

Paul Munter of the SEC’s Office of the Chief Accountant released a statement on the recent increase in deficiency rates found in audit inspections and the importance of the role of the AC in ensuring high-quality audits.

The PCAOB has been active in its rulemaking intended to support the AC’s responsibility in oversight of the auditing function and selection and retention of auditors. This includes the recently adopted standards regarding the audit firm’s system of quality control, required firm reporting, and firm and engagement metrics, which at the time of publication are still awaiting SEC approval. Directors should remain knowledgeable about auditing standards and how those standards may impact the AC’s and management’s engagement with the auditors. Similarly, they should carefully consider proposed standard setting regarding the scope and procedures of financial statement audits, such as the PCAOB’s NOCLAR rules. A recent roundtable briefing paper may further impact how the auditor engages with the company, along with the types of controls and additional information that may become a required component of public company audits in the future.

In September 2024, the PCAOB issued a spotlight focused on recent inspection deficiency findings with respect to auditor independence requirements and highlighted considerations for the AC particularly around its responsibility for the pre-approval of audit firm services, including but not limited to: 

  • ACs are required to consider whether any services provided by the audit firm may impair the audit firm’s independence in advance. 
  • ACs should consider whether the public company’s policies and procedures require that all audit and non-audit services are brought before the AC for pre-approval.  
  • ACs should consider whether their auditor has implemented processes to identify prohibited relationships.  
  • If the AC pre-approves services using pre-approval policies and procedures, the AC should consider whether the pre-approval policies and procedures are sufficiently detailed as to the particular services to be provided so that the AC can make a well-reasoned assessment of the impact of the service on the auditor’s independence.  
  • Independence is a shared responsibility between the entity under audit, its AC, and its auditor. It is important for the company to have policies and procedures to proactively alert auditors to proposed or pending merger and acquisition activity that could have an impact on auditor independence. 

BDO is poised to release an audit committee pre-approval guide in early 2025, to be posted within the practice aid section of the BDO Center for Corporate Governance.

As the regulatory environment continues to advance at a quick pace, ACs are being encouraged by regulators, auditors, and other stakeholders to be more engaged in the rulemaking and standard-setting process, as well as to remain active in the community establishing and discussing best practices. The PCAOB continues to be especially active in their board outreach and annually publishes high-level observations and key takeaways from their conversations with AC chairs. 

Conclusion 

The AC’s effectiveness is crucial for maintaining investor confidence and ensuring robust corporate governance. By fulfilling its mandate, adapting to evolving risks, overseeing the external and internal audit functions, evaluating significant risks (including potential fraud and emerging risks), and staying informed about regulatory changes, the AC can significantly contribute to the company’s success and the delivery of high audit quality to the markets. 

Written by Mike Stevenson, Amy Rojik and Lee Sentnor. Copyright © 2025 BDO USA, P.C. All rights reserved. www.bdo.com 

How MGO Can Help 

MGO can provide significant support to audit committees as they navigate their evolving priorities in 2025 through integrating ERM processes and addressing the dynamic risk environment that includes geopolitical factors, supply chain disruptions, and technological advancements. Our team can also assist in assessing and enhancing the composition of your board and audit committees to make sure your members have the relevant experience and industry knowledge necessary for effective oversight. Lastly, we can equip you with guidance on best practices for that board and committee oversight. Contact us to learn more.  

Building and Maintaining a Robust Compliance Program
https://www.mgocpa.com/perspective/building-maintaining-robust-compliance-program/?utm_source=rss&utm_medium=rss&utm_campaign=building-maintaining-robust-compliance-program
Wed, 16 Apr 2025 22:29:08 +0000

Key Takeaways:

  • A well-constructed, collaborative compliance program can enhance your business strategy, strengthen overall ethical culture, and protect against costly regulatory risks.
  • When you embed compliance functions within business units, you build trust, accountability, and alignment with your broader organizational goals.
  • Proactive leadership and strategic investment in compliance talent are essential for staying agile and resilient in a changing regulatory environment.

The corporate regulatory landscape is constantly evolving, influenced by changes in government, economic conditions, and societal expectations. Recent years have seen increased stakeholder focus on corporate accountability, transparency, and ethics — placing greater emphasis on the role of compliance programs.  

Compliance programs serve as the backbone of corporate integrity, supporting essential efforts such as risk management, legal adherence, and ethical decision making. Without an adequately supported compliance program, companies could open themselves up to pitfalls like additional costs, loss of stakeholder trust, and slowed decision making. 

Considering these risks, companies must not treat compliance as a passive endeavor. Structuring an effective compliance program requires a nuanced understanding of the various roles, responsibilities, and relationships across an organization. It demands collaboration between multiple functions, each contributing its knowledge in service of comprehensive risk management and adherence to legal and ethical standards. 

This insight explores core principles and best practices that business leaders can follow to build and maintain a robust compliance program within their organization. 

Trust and Relationships 

Trust, both internal and external, is a fundamental component of effective compliance programs. Placing compliance officers within individual business units allows them to build strong relationships with key stakeholders. These officers can participate in regular meetings and provide strategic advice, integrating ethical considerations into everyday decision making and establishing compliance as a value-generating asset, rather than a bureaucratic burden. 

But the importance of trust extends beyond internal relationships. A strong compliance program can help emphasize ethical and transparent practices, increasing trust and enhancing the company’s reputation in the eyes of the public and capital markets. A trustworthy reputation can function as a critical draw for external investors and can positively influence the company share price. 

Structuring Compliance for Strategic Advantage 

Embedding compliance responsibilities into profit centers, such as sales or product divisions — rather than relegating the compliance program to a separate cost center — can help enforce accountability and align compliance efforts with business objectives. For instance, transferring responsibility for compliance with sales practices and anti-bribery regulations to a sales division can help integrate compliance into revenue-generating activities. This approach not only aligns compliance with business objectives but also fosters a culture of accountability, as the division directly benefits from maintaining ethical sales practices and avoiding regulatory penalties.

Common Compliance Responsibilities Across Functions 

1. Ethics & Compliance Function 

  • Ethical Standards and Code of Conduct: Develops and enforces the organization’s code of conduct and ethical guidelines, conducting training and awareness programs. 
  • Anti-Bribery and Corruption: Implements policies to prevent bribery and corruption, ensuring compliance with laws like the FCPA. 
  • Internal Investigations: Conducts investigations into potential violations of laws, regulations, or company policies. 
  • Risk Management: Identifies and assesses compliance risks related to ethics and integrity, developing strategies to mitigate these risks. 

2. Regulatory Compliance Function (in industries like financial services, healthcare, and pharmaceuticals)

  • Industry-Specific Regulations: Manages compliance with regulations such as FDA or HIPAA, focusing on regulatory reporting and audits. 
  • Regulatory Relationships: Maintains direct relationships with regulatory bodies to stay informed about changes and expectations. 

3. Data Privacy and Protection 

  • Chief Privacy Officer: Ensures compliance with data protection laws like GDPR and CCPA, focusing on data privacy strategies and risk management. 

4. Internal Audit Function (Chief Audit Executive) 

  • Comprehensive Audits: Conducts audits across the organization to assess the effectiveness of internal controls, risk management processes, and governance practices. 
  • Collaboration: Works with the Ethics & Compliance department to ensure compliance risks are addressed in the audit plan. 

5. Other Functions 

  • Finance/Internal Audit: Manages compliance with financial regulations such as Sarbanes-Oxley (SOX). 
  • Health and Safety: Ensures compliance with occupational health and safety regulations. 
  • Human Resources: Focuses on compliance with employment laws and regulations. 
  • Information Security: Ensures compliance with cybersecurity standards and protects company data.

Pros and Cons of Different Compliance Structures 

Different organizations may elect to adopt various structures for their compliance programs, each with its own set of advantages and challenges. A centralized compliance function can support greater consistency and control, but integrating compliance into profit centers allows for greater alignment with business goals and responsiveness to market demands. Understanding an organization’s unique needs and goals is key to determining the most effective compliance structure. 

By clearly defining roles and responsibilities across functions, organizations can create a cohesive compliance strategy that leverages the strengths of each department. This collaborative approach makes compliance both a protective measure and a strategic advantage that supports the organization’s overall objectives. 

Navigating Change 

As administrations change and regulatory focus shifts over time, some business leaders may seek to deprioritize compliance. CCOs must remain vigilant and proactive, and work to ensure that compliance remains a competitive advantage. Taking a strategic approach — focusing on predicting, protecting, and enabling — can empower CCOs to adapt their programs and highlight the enduring role of compliance in delivering business impact. 

Proactive Adaptation 

To effectively navigate regulatory changes, CCOs must stay informed about potential shifts, regularly engage with industry peers, and leverage data to anticipate and respond to changes. By adopting a forward-thinking mindset, compliance programs can remain agile and responsive. In instances where CCOs face a need to justify why compliance should remain a priority, they should consider pointing to outcomes from investigations at similar companies. Cases where a weak compliance program was a root cause of misconduct can help illustrate the risks and demonstrate the value of internal efforts in preventing similarly costly breaches. 

Just as domestic policy changes impact compliance efforts, globalization has also added complexity to the regulatory landscape. Organizations with a multinational footprint need to navigate myriad international laws and standards, some of which may even overlap or conflict. CCOs must stay attuned to these global dynamics and ensure that their compliance programs are equipped to handle cross-border challenges. 

A Culture of Compliance 

A strong compliance culture — an environment where ethical behavior is valued and rewarded — can be a powerful bulwark against new complexities or challenges. When compliance is integrated into the fabric of the business, individual employees will be better able to make decisions that are consistent with established ethical and legal frameworks and will feel more enabled to speak up if they become aware of actions that place the business at risk. 

But creating a culture of compliance requires a concerted effort and investment from CCOs, business leaders, and compliance officers across the organization. For a compliance program to truly impact culture, it must go beyond monitoring and advice to offer ongoing training, clear communications, and an exemplified commitment to ethical leadership. 

Elevating Compliance as a Career Path 

Even the most well-structured compliance framework is powerless without teams to communicate and enforce its standards. But compliance work is often perceived as less glamorous compared to other business careers, and leaders may find it hard to attract or retain employees. To elevate compliance as a desirable career path, organizations should aim to reposition it as a dynamic field at the intersection of regulatory regimes and technological change. 

Attracting Early-Career Professionals 

To appeal to early-career professionals, leaders can emphasize the meaningful work of compliance teams, such as combating financial crime and terrorism. Highlighting the core values of integrity and corporate responsibility can resonate with younger generations, who often prioritize purpose-driven careers. Offering other benefits like job flexibility and emphasizing the compliance function’s role in protecting consumers and investors can also help set compliance apart and make it more appealing. 

The Role of Leadership 

No matter the approach, leadership plays a crucial role in changing perceptions around compliance. The tone from the top must reflect the importance of compliance as a central and respected part of the organization. By treating compliance as a vocation and emphasizing its strategic importance, companies can better attract and retain talent in this critical field. 

Ongoing Compliance 

Even as the regulatory landscape continues to evolve, compliance will remain a core strategic asset for any business, helping to guard against risks and cultivate trust. That trust is a foundational element that supports a company’s long-term success and sustainability. It influences customer behavior, investor decisions, talent attraction and retention, regulatory interactions, and overall market perception. But given compliance’s critical importance, leaders looking to assess or augment their compliance programs may find it difficult to know where to start. 

No matter its maturity level, BDO’s professionals can assist in strengthening your organization’s compliance program. Our knowledgeable teams can help you conduct a comprehensive assessment of your compliance program and related policies, procedures, and systems to identify gaps, craft strategies for improvement, and help monitor the program on an ongoing basis. 

How MGO Can Help 

At MGO, we know that a robust compliance program is more than a regulatory requirement. It’s a strategic asset that can help you foster trust, as well as enhance your decision-making and protect your business from risk. Whether your organization is building a program from the ground up or seeking to refine your existing practices, our experienced team can provide you with tailored assessments, practical recommendations, and ongoing monitoring support. Contact us to learn how we can assist you in doing everything from navigating complex industry regulations to embedding compliance into the fabric of your company culture.  

Written by Kenneth Koch and Phillip Ostwalt. Copyright © 2025 BDO USA, P.C. All rights reserved. www.bdo.com 

The Crucial Role of Cybersecurity for Nonprofit Organizations in 2025

Published Fri, 11 Apr 2025 15:50:26 +0000 at https://www.mgocpa.com/perspective/crucial-role-of-cybersecurity-for-nonprofit-organizations/

Key Takeaways:

  • Nonprofits are facing an escalating cybersecurity threat, with a 30% increase in cyberattacks in 2024, making it imperative for your organization to prioritize robust security measures.  
  • The financial and operational impact of cyberattacks is severe, with data breaches costing nonprofits up to $2 million and ransomware demands rising by nearly $1 million in just one year.
  • AI is transforming cybersecurity by enhancing threat detection, automating responses, and predicting future attacks, offering nonprofits a powerful tool to strengthen their defenses.   

As we step into 2025, the importance of cybersecurity for nonprofit organizations cannot be overstated. The digital landscape is fraught with evolving threats that pose significant risks to the operations, reputation and financial stability of nonprofits. This article aims to highlight the critical importance of cybersecurity for nonprofits, backed by recent statistics and trends, and to persuade executives and board members to prioritize this issue. Additionally, we will explore how BDO can assist in navigating these challenges and how artificial intelligence (AI) will play a pivotal role in defending against cyberattacks. 

The BDO Benchmarking industry surveys noted that mitigating cybersecurity risk is in the top tier of IT challenges for 2025.

The Growing Threat Landscape 

Nonprofit organizations are increasingly becoming prime targets for cybercriminals. According to Integrity360, nonprofits experienced a 30% year-over-year increase in the number of weekly cyberattacks in 2024. This alarming statistic underscores the vulnerability of nonprofits, which often lack the robust cybersecurity measures found in for-profit enterprises.

In 2024, 68% of breaches involved a human element, such as phishing or human error. This highlights the critical need for comprehensive cybersecurity training and awareness programs. The financial implications of cyberattacks on nonprofits are profound, with the average cost of a data breach reaching up to $2 million. This includes costs related to data recovery, legal fees and reputational damage control. 

Financial and Operational Impacts 

The financial impact of cyberattacks on nonprofits can be devastating. The average ransom demanded in a ransomware attack increased by nearly $1 million in 2024 compared to 2023. Despite this, very few organizations that paid the ransom received all their data back. Such incidents not only disrupt operations but also erode trust among donors and beneficiaries. 

Nonprofits often operate on limited budgets, dedicating most of their funds to fulfilling their missions. This financial constraint makes it challenging to invest in advanced cybersecurity measures. However, the cost of inaction is far greater. Cyberattacks can lead to identity theft, loss of donor trust and diversion of precious funds to mitigate the damage. 

The Need for Proactive Cybersecurity Measures 

Given the increasing digitalization of nonprofit operations, from online fundraising to managing beneficiary data, it is imperative for nonprofits to adopt proactive cybersecurity measures. Unfortunately, many nonprofits are ill prepared. A staggering 78% of organizations feel their cyber resilience is insufficient to meet their needs. This gap in preparedness makes nonprofits attractive targets for cybercriminals. 

To address these challenges, nonprofits must prioritize cybersecurity at the executive and board levels. This involves not only investing in technology but also fostering a culture of cybersecurity awareness and resilience. Regular training, robust data protection policies and incident response plans are essential components of a comprehensive cybersecurity strategy. 

The Role of AI in Cybersecurity 

AI is revolutionizing the field of cybersecurity by enhancing threat detection, response and prevention capabilities. Here are some top ways AI is being utilized in cybersecurity: 

  1. Threat Detection and Prevention: AI systems can analyze vast amounts of data to identify patterns and anomalies that may indicate a cyber threat. Machine learning models establish baseline behaviors and detect deviations, enabling real-time threat detection and rapid response.
  2. Automated Response: AI can automate routine cybersecurity tasks such as log analysis, vulnerability scanning and incident response. By automating these processes, AI frees up human analysts to focus on more complex and strategic activities.
  3. Behavioral Analysis: AI-powered systems can monitor user behavior and network traffic to detect unusual activities. For example, AI can identify phishing attempts by analyzing email content and user interactions.
  4. Predictive Capabilities: AI’s predictive analytics can anticipate potential cyberattacks by analyzing historical data and identifying trends. This allows organizations to implement preventive measures and strengthen their defenses against future threats.
  5. Enhanced Security Operations: AI enhances the capabilities of security operations centers (SOCs) by providing advanced threat intelligence and automated incident response. AI-driven tools can correlate data from multiple sources, prioritize alerts and provide actionable insights to security teams.
  6. Vulnerability Management: AI can continuously scan for vulnerabilities in systems and applications, providing real-time updates and recommendations for patching. This helps organizations stay ahead of potential exploits and reduce their attack surface.

Conclusion 

As we prepare to navigate the complexities of 2025, cybersecurity must be a top priority for nonprofit organizations. The risks are too significant to ignore, and the consequences of inaction can be devastating. By investing in robust cybersecurity measures and partnering with experts like BDO, nonprofits can safeguard their operations, protect their beneficiaries and continue to fulfill their vital missions with confidence. 

For executives and board members, the message is clear: Cybersecurity is not just an IT issue; it is a critical component of organizational resilience and success. Taking proactive steps today can secure a safer tomorrow for your organization and the communities and stakeholders you serve. 

How MGO Can Help 

At MGO, we understand the unique cybersecurity challenges facing your nonprofit organization. Our team of professionals provides personalized cybersecurity assessments, risk management strategies, and AI-powered solutions to help you strengthen your defenses. From implementing proactive security measures to offering compliance guidance and incident response planning, we work closely with your executives and board members to build a resilient cybersecurity framework. Contact us to learn how we can help you protect your data, maintain donor trust, and focus on your mission with confidence.

Written by Ric Opal. Copyright © 2025 BDO USA, P.C. All rights reserved. www.bdo.com 
