Governance Archives - MGO CPA | Tax, Audit, and Consulting Services
https://www.mgocpa.com/perspectives/topic/governance/

Agentic AI Use Cases for Today’s Real Estate and Construction Firms
https://www.mgocpa.com/perspective/agentic-ai-use-cases-for-todays-real-estate-and-construction-firms/
Wed, 03 Sep 2025 15:59:57 +0000

Key Takeaways:

  • AI agents deliver efficiency across the value chain — from contract review and tenant services to construction planning and payment management, agentic AI can streamline operations, reduce errors, and cut costs.
  • Your firm should implement oversight, ethical safeguards, and security protocols to responsibly adopt autonomous systems.
  • If you adopt early, you gain a competitive edge, as organizations that act now to pilot agentic AI use cases will position themselves ahead of competitors still relying on traditional processes.

Real estate and construction companies are on the precipice of a dramatic shift. Artificial intelligence (AI), particularly agentic AI, will permanently change how the industry does business, streamlining functions from back-office administration to logistics, data-heavy tasks, and more.

Unlike traditional automation, intelligent agents are purpose-built and trained to fulfill specific roles, enabling them to make decisions independently and navigate complex processes with minimal human intervention. Organizations that successfully integrate these tools stand to benefit from faster decision making, improved project planning, and more competitive pricing.

For all its benefits, autonomous AI represents an intimidating advancement. These systems require robust support infrastructure and bring new risks and challenges. Organizations will need to strengthen their data governance processes, implement cybersecurity best practices, learn how to collaborate with autonomous systems, and account for novel risks like AI bias on an ongoing basis.

These complex dynamics call for thoughtful planning and targeted investments without delay. As first steps to integration, real estate and construction companies should proactively investigate how agentic AI can improve their operations and seek out potential use cases. Organizations that act quickly will unlock a powerful competitive differentiator, while those who wait risk being left behind.

Agentic AI Real Estate and Construction Use Cases

Companies are just beginning to understand the vast potential of AI agents. For real estate and construction leaders seeking an entry point, several use cases stand out as impactful and achievable options, each carrying the potential to increase efficiency and reduce operational overhead.

Real Estate Use Cases

Contracts and pricing: Property management firms are responsible for maintaining and understanding large troves of documentation. AI can quickly sift through huge amounts of data, easing the process of reviewing and drafting key documents. These tools will help verify that contractual clauses are written correctly and do not contain any oversights. They can also monitor regulatory activity and notify businesses in real time about any changes, new rules, and potential compliance issues. With appropriate oversight, they will even be able to make the necessary adjustments in some cases. 

During negotiations, firms could call upon their AI agents to screen tenant applications and leverage historical and current market data. Property managers could come to the table confident that their pricing decisions are defensible and backed by data, tailored to both meet their needs and satisfy applicants’ expectations.

Tenant management and customer service: Intelligent systems can offer around-the-clock support for maintenance or information requests. Previously, if a tenant experienced a non-emergency issue with an appliance during the night, they might need to wait until the following day to notify their management company and schedule repairs. Autonomous agents can respond immediately, no matter the time, and place a service request on the schedule for the following morning. Prompt responses will help reassure tenants they are being heard, reducing instances of friction and building loyalty. Should an emergency arise, the system can immediately notify the management company and update the maintenance schedule accordingly.

Back-office support: AI will transform the back office, processing and validating payments automatically and sending reminders to tenants or other customers who miss a deadline. With access to this financial information, intelligent tools can also help collect and organize data for financial reporting obligations and, if given the appropriate parameters, may even supplement actions such as filing taxes, cutting down on compliance costs while increasing efficiency.

Portfolio Management: Agentic AI can act as a continuous decision-making partner in investment management for both real estate and construction firms. It can autonomously monitor market dynamics, forecast project viability, and reallocate capital across portfolios in real time. It can also evaluate factors like material cost fluctuations, urban development plans, and rental yield trends to optimize asset performance without constant human oversight.

Construction Use Cases

Coordination and planning: AI agents can engage in forecasting, simulation, and planning for construction projects. They can also oversee communications with and between parties like inspectors, contractors, and subcontractors. Acting as project managers, these systems will monitor and log progress when a job is running smoothly, and step in to help course correct when necessary, independently adjusting schedules or budget forecasts based on changing circumstances. If, for example, malfunctioning machinery causes a work stoppage, an AI agent can flag the breakdown and incorporate the time needed for repairs into an updated project roadmap. With an autonomous agent managing workflows, organizations may be better insulated against human scheduling errors and resultant cost overruns.

Payment Management: Agentic AI can help construction companies manage payment applications, ensuring contractors and subcontractors are paid on time. It can also log completed work for recordkeeping and reporting purposes, keeping information standardized and accessible and reducing the chances of documentation getting lost or misclassified.

Permits and compliance: Construction projects require proper permitting and regular inspections to verify that job-site conditions are safe and compliant. Mistakes or misstatements in permitting documentation can be expensive and may increase overall compliance costs or open organizations up to enforcement actions. Intelligent agents can reduce these risks by gathering information for use in permit applications, interpreting and filling out the necessary forms, keeping track of permits filed, and updating the company in real time if permitting needs change. This function can be particularly impactful with respect to local jurisdictions, where regulations can often vary widely and can be difficult to track manually.

Agentic AI can also monitor labor union agreements and related workforce regulations, helping firms proactively align with union requirements, avoid disputes, and maintain smooth operations across all jurisdictions.

Humans in the Loop

Real estate and construction companies can pursue these applications today. As agentic AI advances, companies can integrate these systems even more deeply into operations. Think of smart buildings and autonomous construction equipment, all managed and guided by intelligent tools.

Even as AI functionality continues to evolve, one factor remains constant: Humans are essential both to support initial integration and to provide ongoing oversight of new tools and technologies. Leaders must remain aware of the challenges AI can bring and treat adoption not as a one-off instance but as part of a long-term strategy.

Agentic AI Risks and Challenges

In the past, real estate and construction companies have not been as tech-forward as other industries. To support agentic AI, they will have to make up ground, particularly in areas like governance, cybersecurity, and AI literacy.

AI Bias

The risks posed by unseen biases grow substantially with AI agents. Data used to train AI is subject to the biases of the humans who provide it, sometimes causing a program to “inherit” the discriminatory biases of its creators. Inherited biases could lead to unfair or inaccurate outputs that damage the businesses that rely on them. This risk is especially prevalent for real estate firms, which may employ intelligent tools for tasks like pricing, contract negotiations, and application screening. For instance, if those systems have inherited a bias that causes them to treat applicants differently based on a protected characteristic, the firm could violate fair housing regulations, leading to significant financial, legal, and reputational risks.

Preventing AI bias demands continuous and active testing, covering both the underlying dataset and the AI’s outputs. Companies should request bias test results from any potential AI vendor, and check whether a vendor has obtained third-party certifications such as SOC 2 as an additional layer of confidence. A lack of bias testing is a red flag. The risks of harm to a business and its customers are too great to ignore. Organizations inexperienced in making these evaluations may consider enlisting a knowledgeable third party with the resources and experience to help check for unseen biases.

Governance

Strong AI governance, covering both technical concerns and operational risks, is critical for successful AI implementation. Because autonomous agents will operate cross-functionally, building a governance framework must be a cross-functional process, incorporating feedback from each area of the business and covering critical domains like risk management, data ethics, data privacy, data lifecycle management, and organizational structure.

For real estate and construction companies, the first step is assigning decision rights. Where will an AI agent be empowered to make decisions, what data will it leverage to do so, and how will human oversight be conducted? Answering these questions means defining specific use cases, such as the options above, and will allow firms to clearly delineate the AI agent’s role and assess any risks tied to each use case. Organizations will also need a process to document decisions and deliver feedback. For domains that introduce compliance risks, such as construction site safety or tenant application screening, governance teams should implement several layers of checks to ensure that all decisions are responsible and ethical.

Governance is not just a means for organizations to protect themselves, but also a way to unlock the full potential of their AI agents. A clear scope and well-defined decision parameters will enable safer usage, but they also create higher quality and more reliable outputs.

Cybersecurity

Interconnected systems can increase security vulnerabilities, necessitating new protections against novel forms of data theft. Real estate and construction companies will need clear visibility into AI input data, how that data is processed, who has access to it, and how it is shared to support data loss prevention (DLP) and stop sensitive data from leaking.

For organizations that employ outward-facing AI, such as agents that handle tenant inquiries, these needs are even sharper. A user interacting with an agent could ask a question that causes the system to reveal sensitive business information. Known as “prompt injection,” this tactic is increasingly used by bad actors to steal information without breaking into a company’s systems.

In some cases, strengthening cybersecurity also involves physical security. On a construction site, for instance, supervisors will likely use mobile devices or machinery that communicate with AI agents. Firms must be sure they have adequate endpoint security and a robust mobile device management strategy to track usage. If an unauthorized individual gains access, whether on purpose or by mistake, they could obtain sensitive information. These devices should only be accessed by trusted, predesignated users.

How MGO Can Help

Adopting agentic AI is not just about technology; it’s about building a sustainable framework that blends innovation with responsibility. At MGO, we help real estate and construction firms evaluate practical AI use cases, strengthen data governance, mitigate risk, and design tailored strategies for integration. Whether you are exploring tenant management automation, portfolio optimization, or construction compliance tools, our team provides you with the insights and guidance needed to move forward with confidence. By acting today, your organization can unlock efficiency, resilience, and a powerful competitive advantage in tomorrow’s market. Contact us to learn more.

Written by Tyler Cahill, Kirstie Tiernan and Kristi Gibson. Copyright © 2025 BDO USA, P.C. All rights reserved. www.bdo.com.

SOX Compliance Tips to Build Transparency Culture
https://www.mgocpa.com/perspective/building-culture-transparency-sox-compliance-tips-c-suite/
Wed, 12 Feb 2025 00:25:46 +0000

Key Takeaways:

  • SOX requires CEOs/CFOs to certify financials, creating top-down accountability in reporting.
  • Continuous monitoring and tech updates are vital to maintain SOX compliance in a dynamic regulatory landscape.
  • Embedding SOX compliance into daily operations builds transparency and reduces risk.

Reliable financial reporting can protect companies and their investors from fraudulent activities. In fact, the C-Suite is held to stringent requirements imposed by the intricate provisions of the Sarbanes-Oxley Act of 2002 (SOX), making transparency and accountability essential components of corporate governance.

Despite the serious consequences of noncompliance — including fines, criminal charges, loss of reputation, and delisting — SOX compliance may be shuffled behind a myriad of competing corporate initiatives. Taking a proactive approach is generally best, and it begins with gaining a deeper understanding of what SOX compliance means to members of the C-suite.

SOX Compliance Relevance to the C-Suite

Prior to 2002, a series of financial scandals eroded investor confidence and exposed significant flaws in corporate governance. The Sarbanes-Oxley Act was the government’s response.

Complying with SOX has become a crucial component of contemporary corporate governance. SOX establishes legal accountability for senior executives, who can be held personally responsible for inaccuracies and misstatements of the financial statements they certify. The financial integrity of a company hinges on its accurate financials; unreliable financial reporting can erode the trust of investors and tarnish the company’s reputation in the market. Strong internal controls can streamline processes, provide the C-suite with reliable data, and help mitigate risk.

Key C-Suite Responsibilities

SOX contains two sections that are particularly relevant to the C-suite and have led to significant changes in corporate governance.

  • Section 302 mandates that senior executives certify the accuracy of financial reports. The CEO and CFO sign personal attestations as to the accuracy and completeness of the reports, which makes them accountable for the integrity of the company’s financial reporting.
  • Section 404 requires that senior executives establish and maintain robust internal controls, continuously monitoring and updating them as needed.

It’s important to note here that senior executives like the CFO and CEO may not participate in the writing of financial reports or the design and implementation of internal controls. However, they do oversee such activities and, more importantly, provide an overall “tone from the top” that promotes integrity and ethical behavior.

Building a SOX-Compliant Culture

SOX compliance depends on the company’s culture of compliance, something that can be built into the company’s day-to-day operations. Just as the responsibility for compliance falls to the C-suite, senior executives are also responsible for taking the steps needed to build a SOX-compliance culture. Developing that environment starts with the C-suite leading by example and demonstrating a commitment to ethical behavior and transparency.

Employees are another key component of SOX compliance. Training and awareness programs help educate them about SOX requirements and inculcate the importance of compliance. Staff also should feel comfortable reporting their concerns about suspicious activities to their superiors without fear of retaliation.

While complying with SOX, senior executives can help ensure that employees understand and use the internal controls they approve; procedures that become part of the process are easier for employees to embrace. Instead of approaching compliance as a separate “exercise,” frame it as a normal part of doing business.

Finally, the board of directors and audit committee members contribute to the company’s governance and its culture of transparency.

Implement Effective Internal Controls

Internal controls provide a framework for ensuring the integrity of financial reporting and compliance with regulatory requirements. Such controls help the company:

  • Comply with regulations and laws.
  • Prevent and detect fraud.
  • Enhance reliability of financial records.
  • Identify and help mitigate risk.
  • Provide clear guidance on accountability within the organization.
  • Present accurate and complete financial information.
  • Promote a corporate culture of transparency, integrity, and ethical behavior.

Before designing and implementing internal controls, it’s important to start with a comprehensive risk assessment to help identify potential vulnerabilities. Control procedures then can be developed and documented, with clear guidance on the assignment of responsibilities.

Even after internal controls are in place, the work continues. Monitoring people, processes, and systems in any organization is an ongoing process. Changes to any of those categories — such as employee turnover or implementation of new processes — could result in weakened controls, but periodic reviews and testing can help identify and address critical situations. Another way to improve compliance and reduce human error is by leveraging technology and automation. Companies that lack the in-house capabilities to implement such technology should consider outsourcing this critical function.

Challenges and Best Practices for SOX Compliance

Companies with poor Internal Controls over Financial Reporting (ICFR) are missing a critical component of the company’s corporate governance. ICFR processes are designed to help ensure the reliability of financial reporting, and SOX controls are focused on the production of accurate financial statements. Senior executives on the path to SOX compliance will face challenges, but it is well worth the effort to overcome them.

Lack of awareness, especially among the C-suite, can be the first issue to address. If senior executives do not understand the serious consequences of noncompliance, then building compliance into the company’s culture can become a nonissue. Understanding SOX requirements is an important first step.

Employees often resist changes to established procedures. But a “we’ve always done it this way” mindset can stand in the way of progress that leads to SOX compliance. Senior executives can lead by exhibiting a willingness to change and an expectation that others will align their actions with the company’s culture of compliance.

C-suite members must understand that reactive compliance is generally more costly than proactive compliance. Poor ICFR processes can lead to material weaknesses and irregularities in financial reporting, which in turn can lead to loss of reputation, loss of stakeholder trust, and potential delisting. The culture of transparency and compliance should permeate the entire company, and that can be accomplished with programs that are comprehensive, consistent, and routine.

Continuous Improvement and Adaptation

The corporate environment is not static. Emerging risks and regulatory changes can affect a company’s preparation and filing of financial reporting. The C-suite must stay informed about changes and adapt their compliance strategies accordingly.

For example, trends that may affect SOX compliance processes include increased use of technology — including AI and automation — and a greater emphasis on data analytics. Regulatory bodies may alter their regulatory requirements, which means evaluating and realigning processes to remain in compliance.

SOX compliance requires ongoing evaluation. As senior executives lead their companies to full compliance, the following steps are needed to maintain the right program for the current environment:

  • Monitor your internal processes and controls.
  • Refresh them as needed.
  • Check with auditors to learn how they assess financial reporting.

Finally, obtaining objective opinions and advice from third party professionals can assist the C-suite in making informed decisions as they move toward SOX compliance.

How MGO Can Help

MGO supports your C-suite with tailored SOX compliance solutions, emphasizing robust internal controls and fostering a culture of transparency and accountability. Our team provides guidance in developing customized internal control frameworks that promote reliable financial reporting and SOX compliance. We also offer comprehensive training programs for executives and staff, embedding a compliance-focused culture throughout the organization. Additionally, MGO offers ongoing monitoring and advisory services, with regular assessments and strategic adjustments to keep compliance aligned with evolving regulations. Contact us to learn more.

Written by Dawn Williford and Sucheta Atre. Copyright © 2024 BDO USA, P.C. All rights reserved. www.bdo.com

How Prioritizing GRC Builds Trust in Your Government
https://www.mgocpa.com/perspective/how-prioritizing-governance-risk-and-compliance-builds-trust-in-your-government/
Tue, 17 Dec 2024 14:13:51 +0000

Key Takeaways:

  • Governance frameworks shape government operations, providing the foundation for public trust through transparency, accountability, and engagement.
  • Trust-building strategies, such as open meetings, diverse boards, and regular audits, foster stronger connections with constituents and protect public resources.
  • Internal audit plays a critical role in risk management, offering insights to address issues, strengthen controls, and enhance credibility.

In today’s complex public sector environment, public trust isn’t just important — it’s essential for effective government. Trust is built by demonstrating accountability, compliance with policies and regulatory requirements, implementation of new initiatives, and effective service delivery to constituents.

As you work to strengthen community trust, focusing on governance, risk management, and compliance (GRC) can play a pivotal role.

Understand Your Governance Framework

As a government entity, you operate within a unique governance framework. This framework, shaped by fundamental elements like your constitution, amendments, and federal system structure, guides every aspect of your operations.

Your organization is specifically shaped by:

  • Governing documents: These include your agency’s charter or legislative mandate.
  • Governing bodies and committees: Boards, councils, and their committees provide oversight and strategic guidance in meetings open to the public.
  • Strategic plan: Organization-wide and department-specific strategies, goals, and objectives.
  • Organizational policies: Policies, such as procurement guidelines, set consistent standards for activities.
  • Organizational structure: Clear chains of command, span of control, reporting lines, and definition of roles and responsibilities to drive organizational performance.

This framework isn’t just bureaucratic structure — it’s the foundation upon which public trust is built.

Building a Foundation of Trust

In our interpersonal relationships, trust is built by exhibiting certain characteristics — such as being authentic and transparent, demonstrating interest and empathy, and taking responsibility and being accountable. Trust in the public sector is built on similar pillars:

  1. Transparency: Make important decision-making and strategy setting processes visible to the public.
  2. Accountability: Drive positive outcomes and promptly address issues.
  3. Responsiveness: Actively engage with community concerns and adapt to evolving needs.
  4. Engagement: Maintain open communication with constituents.

Graphic illustrates the four pillars of public trust

These pillars provide a foundation for a trust-driven approach in both governance and daily interactions with citizens. Building upon this foundation, public sector entities should make efforts to build public trust through trust-building strategies such as:

  • Boards and committees: Elect/appoint qualified, diverse members with relevant expertise.
  • Administrative policies: Strengthen policies on procurement and budgeting to prevent resource misuse.
  • Open meetings and public comments: Encourage public participation and a culture of inclusion.
  • Transparency initiatives: Go beyond the basics of public records laws and communicate financial performance, budget decisions, and large procurement decisions in a transparent manner.
  • Citizen engagement: Set up advisory committees and oversight groups to maintain open dialogue on important matters.
  • Internal audits: Conduct regular audits to reinforce confidence in your organization’s accountability and fiscal responsibility.

By fostering transparency and engagement, you create a foundation of trust that supports both governance and public relations.

Leverage Internal Audit to Build Trust

Internal audit plays a critical role in sustaining public trust. By offering an independent, objective view into the operations and fiscal management of your government entity, internal audit can help you detect and address issues before they escalate. This function also demonstrates accountability and transparency, directly enhancing the credibility and trust constituents have in your government and its leaders.

To maximize the impact of your internal audit function, focus your audit team on these areas:

  • Offer strategic advice: Guide the board and audit committee with insights into key risks.
  • Prioritize risk assessment: Focus on areas with the highest impact.
  • Tackle complex issues: Engage as an advisor in major projects and initiatives.
  • Strengthen internal controls: Identify and reinforce controls to protect public resources.
  • Address reputational risks: Mitigate risks that could damage public confidence.

By proactively managing these areas, your audit team can help prevent significant risks and support your government’s commitment to public service.

Graphic looks at some broader organizational risks state and local governments should assess

How MGO Can Help

Our dedicated State and Local Government team has decades of experience working alongside governments large and small. We can help you implement effective internal audit and GRC practices that build public trust and drive your mission forward. Reach out to our team today to learn more.

Internal Controls: Keys to Limiting Fraud and Boosting Your Company Value
https://www.mgocpa.com/perspective/internal-controls-keys-to-limiting-fraud-and-boosting-your-company-value/
Tue, 30 Jan 2024 21:35:00 +0000

Executive Summary:

  • Internal controls, especially around fraud prevention, are essential for limiting losses, driving efficiency, improving accountability, and boosting company value during investments or M&A deals.
  • The “tone at the top” from leadership in fostering an ethical environment, along with proper segregation of duties, are key elements for fraud prevention and strong internal controls.
  • Well-established policies and procedures, like Delegation of Authority rules and restricted system access protocols, are also vital for maintaining adequate controls to enable company growth.

As the economy stands on shaky legs, private equity and venture capital firms are necessarily careful and strategic when assessing potential investment opportunities. Whether your long-term plan includes acquiring another company, selling your business, or seeking new capital, strengthening your internal control environment — with a focus on preventing fraud — is a powerful way to increase actual and perceived value.

In the following, we will lay out the reasons why fraud prevention is an essential element of proper corporate governance and illustrate key areas to examine when determining whether your internal control environment is built to help your operation succeed.

The Importance of Internal Controls in Fraud Prevention

A robust internal control system is the first step toward managing, mitigating, and uncovering fraud. A strong internal control environment will:

  • Protect your company’s assets by reducing the risk of theft or misappropriation of cash, inventory, equipment, and intellectual property.
  • Detect fraudulent activities or irregularities early on and deter employees from attempting fraud in the first place.
  • Provide cost savings by limiting opportunities for financial losses, costly investigations, and legal expenses associated with fraud.
  • Drive operational efficiency by providing clear processes and guidelines that reduce the risk of errors or inefficiencies in day-to-day operations.
  • Improve employee accountability by implementing checks and balances that discourage unethical behavior.

When seeking an investment or undertaking a significant M&A deal, you should have a firm grasp of the strength and quality of your internal control environment. Not only will you reduce the risk of fraud in the near term, but you will also cultivate confidence with potential investors and M&A partners.

Fraud Prevention Starts with the “Tone at the Top”

The first key element to look for in measuring the strength of your internal controls is ensuring a clear and proactive “tone at the top”, meaning an ethical environment fostered by the board of directors, audit committee, and senior management. A good tone at the top encourages positive behavior and helps prevent fraud and other unethical practices.

There are four elements to fraud: pressure, rationalization, opportunity and capability.

Pressure motivates crime. This could be triggered by debt, greed, or illegal deeds. Rationalization is how individuals who have financial problems and commit financial crimes tend to justify their actions. Criminals may feel that they are entitled to the money they are stealing because they believe they are underpaid. In some cases, they simply rationalize to themselves that they are only “borrowing” the money and have every intention of paying it back.

Opportunity is the third element: criminals who can commit fraud and believe they will get away with it may just do it. Capability means the criminal has the expertise as well as the intelligence to coerce others into committing fraud. The board of directors is responsible for selecting and monitoring executive management to ensure best practices are in place to limit all four elements of fraud.

[Infographic: the four elements of fraud]

Proper Segregation of Duties for Internal Controls

The second key element to look for in your internal controls is a well-established segregation of duties. The idea is to establish controls so that no single person has the ability, and therefore the opportunity, to commit fraud. Companies must make it extremely difficult for any single employee to have the opportunity to perpetrate a crime and subsequently cover it up.

Fraud Controls 

There are three types of controls that help manage the risks of fraud: preventative, detective, and corrective.

  • Preventative controls seek to avoid undesirable events, errors, and other occurrences that an enterprise has determined could have a negative material effect on a process or end product. Preventative controls are the best of the three as they are the first line of defense and a backstop to fraud. If designed correctly, preventative controls stop an undesirable event from even happening.
  • Detective controls exist to detect and report when errors, omissions, and unauthorized uses or entries have already occurred. Although it is important to identify these adverse events, you are doing so after the fraud has already been committed.
  • Corrective (also referred to as compensating) controls are designed to correct errors, omissions, and unauthorized uses and intrusions once they are detected.

[Infographic: the three types of fraud controls]

Preventing Misappropriation of Assets 

An important component of segregation of duties is to prevent the misappropriation of assets and reduce fraud risk. Below are some examples of best practices for various types of assets: 

  • Cash Receipt: segregate the receipt of cash/checks and the recording of the journal entry in the accounting system into two roles.
  • Accounts Receivable: segregate the responsibilities of recording cash received from customers and providing credit memos to customers. (If one person performs both functions, it creates the opportunity to divert payments from the customer to the employee and then cover the theft with a matching credit to the customer’s account).
  • Cash Reconciliation: the individuals who authorize, process, or record cash should not perform the bank reconciliation to the general ledger.
  • Inventory: individuals who order goods from the suppliers should not have the ability to log the goods received in the accounting system.
  • Payroll: segregate the responsibility of compiling gross and net pay for payroll from the responsibility of verifying the calculation. (If a single individual performs both functions, it allows for the opportunity to increase personal compensation and the compensation of others without authorization. It also provides an opportunity to create a fictitious payee and make corresponding payroll checks).

The Importance of Policies and Procedures

The third key element to look for in your investees is well-established policies and procedures. Make sure that any company you consider acquiring has basic policies and procedures in place, such as Delegation of Authority (DOA).

The DOA is a policy where the executive team delegates authority to the management of the company. Individuals should be considered appropriate to fulfill delegated roles and responsibilities. The DOA should be reviewed at least annually. Subsequently, it is important to ensure that the DOA is being followed, and that approvals do not deviate from it. Any such anomalies should be rare and, when they do occur, they need to be reviewed and approved. Constant deviations from the DOA may be a sign that the DOA needs to be restructured.

A second essential policy and procedure is restricted computer and application access. This is to protect sensitive company financials and proprietary data. The company should have a robust control environment and maintain computer logins and password access on a need-to-know basis. Access should only be granted by the owner of the application or system and subsequently logged by the administrator. Now more than ever companies are hiring remote employees. This shift in the dynamic workspace further emphasizes the need for a quality IT controls environment.

How We Can Help

As you prepare your company for future growth, getting an impartial third-party opinion on your internal control environment can be a powerful tool for finding gaps and inefficiencies, and implementing value-added changes.

Our dedicated Public Company teams offer a deep level of industry experience and technical skills. We can help prepare your company for a major capital raise, including going public via an IPO or RTO. Or we can help optimize value for an M&A deal, whether you are buying or selling. Contact us today to access an external, holistic vision focused on helping you grow and succeed.

SEC Adopts Rules for Cybersecurity Risk Management
https://www.mgocpa.com/perspective/sec-adopts-rules-on-cybersecurity-risk-management/
Tue, 08 Aug 2023 19:49:00 +0000

Executive Summary:

  • The Securities and Exchange Commission (SEC) is promoting the enhancement and standardization of registrants’ disclosures related to cybersecurity risk management, strategy, and governance by adopting a rule that requires public companies to disclose “material” cybersecurity breaches within four days of determining their materiality.
  • The SEC wants to know: the processes the companies use to assess, identify, and manage cybersecurity risks, as well as the board’s oversight of such risks and management’s role in assessing and managing those risks.
  • The rules apply to nearly all registrants that file periodic reports with the SEC (including foreign private issuers and smaller reporting companies).
  • Registrants must also include their risk management, strategy, and governance disclosures in their 2023 annual reports.

The SEC wants public companies to be more transparent with their investors about cybersecurity. On July 26, 2023, it voted 3-2 to adopt new rules on disclosure to promote clarity surrounding “material” breaches and what’s being done to combat them. And it wants them to do this on Form 8-K within four days of determining that a cybersecurity breach was material. However, delays may be permitted if immediate disclosure of the breach could pose a national security or public safety risk.

Defining “Material” Disclosures

According to the U.S. Supreme Court, a piece of information is material to investors when its disclosure “would be viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.”

Why Is the SEC Implementing This Rule Change?

The SEC seeks to protect companies and investors as cybersecurity incidents have increased in number and sophistication in recent years. In its fact sheet, the agency notes: “Cybersecurity risks have increased alongside the digitalization of registrants’ operations, the growth of remote work, the ability of criminals to monetize cybersecurity incidents, the use of digital payments, and the increasing reliance on third party service providers for information technology services, including cloud computing technology (…) All of these trends underscored the need for improved disclosure.”

But corporations are contesting the rules, arguing this short announcement period is unreasonable — and could reveal vulnerabilities that could be exploited by more cybercriminals looking to take advantage of a company mid-breach.

What Are the Requirements for Risk Management, Strategy, and Governance Disclosures?

Public companies will be required to disclose their cybersecurity breaches within a four-day time period. This disclosure must include additional details too, like the timing of the incident, its impact on the company, and management’s expertise on cybersecurity in Form 10-Ks (and Form 20-Fs for Foreign Filers).

How Will the SEC Cybersecurity Rules Affect You?

The SEC has observed that previous cybersecurity announcements have been inconsistent and inadequate.

Many public companies already have plans in place to share sensitive information about their cyber incidents with federal agencies (FBI). Last year, the Cybersecurity and Infrastructure Security Agency (CISA) adopted cybersecurity rules that require critical infrastructure entities to report breaches within three days to CISA. This reporting duplication could prove confusing and time-consuming.

Ultimately, all public companies need robust internal controls and reporting systems to maintain compliance with the SEC requirements. This assumes issuers already have top-tier cybersecurity technology and processes in place. If not, they’ll need to build these functions out to minimize subsequent fallout from investors and regulators when these inadequacies are made public in their reporting.

The SEC strives to protect investors, which isn’t a bad thing. However, the enforcement of these new rules may not be the most logical option to do so.

Ultimately, the question may not necessarily be how many days you should take to disclose your breach but who should actually be regulating cybersecurity, and who has the authority to call the shots. Cybersecurity is no longer a “nice to have” function in an organization.

How We Can Help

It’s important to stay vigilant to protect your organization from risk and maintain compliance. Our Technology and Cybersecurity Practice can help verify you are compliant and strengthen your overall cybersecurity, so these incidents are less likely to occur. And, if they do, you’ll be ready to mitigate risks sooner — and make progress towards compliance with the SEC’s new rules.

If you are ready to assess your cybersecurity posture, or you have questions about how the SEC’s new requirements could affect you, schedule a conversation with our Technology and Cybersecurity team today.

Why You Need an Audit Committee
https://www.mgocpa.com/perspective/the-real-oversight-is-not-having-an-audit-committee/
Sat, 26 Oct 2019 04:43:00 +0000

Time and time again we’ve seen reactions to various accounting scandals, after which new policies, procedures, and legislation are created and implemented. An example of this is the Sarbanes-Oxley Act (SOX) of 2002, which was a direct result of the accounting scandals at Enron, WorldCom, Global Crossing, Tyco, and Arthur Andersen.

SOX was established to provide additional auditing and financial regulations for publicly held companies to address the failures in corporate governance. Primarily it sets forth a requirement that the governing board, through the use of an audit committee, fulfill its corporate governance and oversight responsibilities for financial reporting by implementing a system that includes internal controls, risk management, and internal and external audit functions.

Governments experience challenges and oversight responsibility similar to those encountered by corporate America. Governance risks can be mitigated by applying the provisions of SOX to the public sector.

Some states and local governments have adopted similar requirements to SOX but, unfortunately, in many cases only after cataclysmic events have already taken place. In California, we only need to look back at the bankruptcy of Orange County and the securities fraud investigation surrounding the City of San Diego as examples of audit committees that were established in response to a breakdown in governance.

Taking Your Audit Committee on the Right Mission

Governments typically establish audit committees for a number of reasons, which include addressing the risk of fraud, improving audit capabilities, strengthening internal controls, and using it as a tool that increases accountability and transparency. As a result, the mission of the audit committee often includes responsibility for:

  • Oversight of the external audit.
  • Oversight of the internal audit function.
  • Oversight for internal controls and risk management.

Chart(er) Your Course

Most successful audit committees are created by a formal mandate by the governing board and, in some cases, a voter-approved charter. Mandates establish the mission of the committee and define the responsibilities and activities that the audit committee is expected to accomplish. A wide variety of items can be included in the mandate.

Creating the governing board’s resolution is the first step on the road to your audit committee’s success.

Follow the leader(ship)

In practice we see a combination of these attributes, ranging from the full board acting as the audit committee, to committees with one or more independent outsiders appointed by the board and/or members from management, to combinations of all of the above. While there are advantages and disadvantages for all of these approaches, each government needs to evaluate how to work within its own governance structure to best arrive at the most workable solution.

Strike the right balance between cost and risk

The overriding responsibility of the audit committee is to perform its oversight responsibilities related to the significant risks associated with the financial reporting and operational results of the government. This is followed closely by the need to work with management, internal auditors and the external auditors in identifying and implementing the appropriate internal controls that will reduce those risks to an acceptable level. While establishing and enforcing a level of zero risk tolerance is cost prohibitive, the audit committee should be looking for the proper balance of cost and a reduced level of risk.

Engage your audit committee with regular meetings

Depending on the complexity and activity levels of the government, the audit committee should meet at least three times a year. In larger governments, with robust systems and reporting, it’s a good practice to call for monthly meetings with the ability to add special purpose meetings as needed. These meetings should address the following:

External Auditors

  • Confirmation of the annual financial statement and compliance audit, including scope and timing.
  • Ad hoc reporting on issues where potential fraud or abuse have been identified.
  • Receipt and review of the final financial statements and auditor’s reports:
      • Opinion on the financial statements and compliance audit;
      • Internal controls over financial reporting and grants; and
      • Violations of laws and regulations.

Internal Auditors

  • Review of updated risk assessments over identified areas of risk.
  • Review of annual audit plan, including status of the prior year’s efforts.
  • Status reports of ongoing and completed audits.
  • Reporting of the status of corrective action plans, including conditions noted, management’s response, steps taken to correct the conditions, expected timeline for full implementation of the corrective action and planned timing to verify the corrective action plan has been implemented.

Establish resources that are at the ready

Audit committees should be given the resources and authority to acquire additional expertise as and when required. These resources may include, but are not limited to, technical experts in accounting, auditing, operations, debt offerings, securities lending, cybersecurity, and legal services.

Taking Extra Steps Now Will Save Time Later

While no system can guarantee breakdowns will not occur, a properly established audit committee will demonstrate for both elected officials and executive management that on behalf of their constituents they have taken the proper steps to reduce these risks to an acceptable tolerance level. History has shown over and over again that breakdowns in governance lead to fraud, waste and abuse. Don’t be deluded into thinking that it will never happen to your organization. Make sure it doesn’t happen on your watch.
