Lastest news

Tommy Maycock, Director at Grant Thornton, explains how a proactive approach to cybersecurity and data protection can allow companies to move forward with confidence. In the context of today’s unsettled markets with uncertainty around Brexit, the refugee crisis, the Trump presidency and the increased support for the so-called “alt-right”, it is not surprising that many are seeking more control and measures to improve stability. Regulators are increasingly applying hard controls and obligations that many would see as intrusive, and others as necessary. In the areas of cybersecurity and data protection, the requirements can be onerous and opaque, and the consequences of not meeting these requirements can be very high. Cybersecurity and data protection, however, can be considered good hygiene measures that can in fact enable companies to go forward confidently by properly assessing and managing risks to deliver on business value. Cybersecurity is now ranked as number five on the World Economic Forum’s Global Risk Report. This is a big change over the last 10 years, during which cybersecurity did not feature. This demonstrates the growth in the appreciation of the impact of cybersecurity on the world’s economy. Advice from the Central Bank of Ireland and An Gardaí Siochána indicate that cyber-attacks are becoming more sophisticated and more targeted. The Bank of England and the EU, along with many industry bodies, have also published guidance on cybersecurity. I think there can be no doubt of its importance. The increasing sophistication of cyber-attacks and the increasingly targeted nature reflects the change in antagonists over the last number of years. In the past, cyber attackers (or hackers) were curious amateurs who used their knowledge and skills to prove a point or show off to their peers. These days, cyber-attacks are increasingly carried out by professional criminal organisations. These organisations utilise a service-based model to provide different elements of their value chain. A group may provide a hacking service or an intelligence gathering service, for example, that is then sold back to others in the criminal underworld. The reason they do this is the reason most companies are in business – for the money. There is a definite financial motive to almost all cyber-crime (the rarer exception being for political purposes). Cyber-crime can be very lucrative for criminals. The initial capital outlays can be very low – in the thousands of euros – while a single successful attack can reap multiple times the initial investment. Cyber attackers, like all criminals, can then choose to reinvest their gains for expanded capacity to launch more cyber-attacks. Two of the most common cyber-attacks are “ransomware” and “CEO fraud”. Ransomware can be particularly disruptive to organisations. A computer infected with ransomware will have its hard drive and the files it contains encrypted or scrambled so that the legitimate user cannot access them. Infections can spread across a computer network to potentially affect hundreds of devices. The criminals then offer their victim the key to unlock their files for what may appear to be a low, “reasonable” sum that the company may be willing to pay to make the problem go away. The problem with paying out is that it encourages the cyber criminals to continue such attacks and in many cases, the key does not work and the files are still inaccessible. Technical controls, such as regular off-line backups and limited user permissions, are the best defence against this kind of attack. CEO fraud is like other phishing attacks where an email is received by someone within an organisation claiming to be from the CEO, managing director, president or similarly senior person in the organisation requiring an urgent payment be made to a new account. The supposed auspices under which the payment is required can vary, but may include a new business deal with a supplier or a merger or acquisition. The key features are that the request comes from senior management and is urgently required. The primary defence against this kind of cyber-attack is staff training and empowerment to question unusual requests. Cybersecurity and cyber defences can be difficult to implement without senior, board level involvement. Ultimately, though, cybersecurity is a business risk, widely recognised for the impact it can have on your organisation. Cybersecurity demonstrates regulatory compliance and good governance and is now expected by clients, partners and shareholders. Tommy Maycock is a Director at Grant Thornton.

Eamonn Quinn FCA talks to Briefly about the key challenges facing non-executive directors in a fast-changing and uncertain world. How has legislation impacted the working environment for non-executive directors in Ireland? In terms of Company Law, the impact is limited in terms of changes to responsibilities, but significant insofar as directors must now attest in a much more public way an acknowledgement of their duties and responsibilities to the Company they serve. First, it is important to point out that there is no distinction to be drawn between directors of any classification; law does not distinguish between executive, non-executive, independent non-executive directors, shadow or de facto directors. In the Republic of Ireland, Companies Act 2014 served to codify, for the first time, the fiduciary duties of directors that broadly already existed from common law and equitable principles. Prior to the 2014 Act enactment, it is arguable that the scope of directors’ duties and responsibilities was not clear cut, with directors having to take account of a very fragmented company law framework, their memorandum and articles of association and ever evolving common law. Directors potentially also face obligations and liabilities under other applicable statute such as environmental, equality or tax law. What the 2014 Act has done is to make it more difficult for directors to rely on relief from liability based on acting honestly and reasonably. Newly appointed directors must acknowledge their duties, responsibilities and obligations in writing when consenting to act and serve as a director. Further, directors of all PLCs and those other private limited or guarantee companies that exceed certain balance sheet and turnover thresholds must sign annually a Directors’ Compliance Statement in the Directors’ Report acknowledging their responsibility and demonstrating that the company has the appropriate arrangements and structures in place and operating to ensure material compliance with its relevant obligations under company and tax law. If the company does not comply, this must be explained. As the arrangements and structures must be reviewed at least once per year, in practice this put a considerable extra workload on the boards of ‘in scope’ companies which will usually delegate the detailed review to the audit committee to streamline the process and allow for efficient use of overall board time; the board will, or should, scrutinise and challenge the work and recommendations of the audit committee resulting from its detailed review and enquiry. The directors’ report must also include a ‘relevant audit information’ statement confirming that the company directors have disclosed all relevant information to the external auditors and have made themselves aware of relevant audit information. By this statement, directors must take very clear steps to satisfy themselves that they can make such a declaration. If a company becomes insolvent and enters liquidation, a director must be able to demonstrate cooperation with the liquidator as far as could reasonably be expected in relation to the conduct of the winding up. In the context of clear codification and attestation, it is much more difficult for a director of any classification to put forward a defence of acting honestly and reasonably by citing ignorance of their duties or the affairs of the company. The level of basic knowledge required and expected is now higher and while the courts usually consider the differing levels of experience and background of individual directors, the benchmark of what is expected of all directors has risen. All directors must ensure that they can reasonably demonstrate how they have met, and are meeting, their ongoing obligations and that, in my experience, is leading to a general increase in compliance workload for all companies – not even considering those companies regulated under the Central Bank Act 1997 for which regulation burden has increased significantly. It has been reported that more SMEs in Northern Ireland are appointing non-executive directors. Is this a positive move? Evidence suggests net migration back to Northern Ireland has been the trend for more than 10 years now. Those returning include experts from the province with successful international careers. SMEs would do well to harness the increasing pool of experience available to them for a cost that represents real value for their investment. Whether the appointment of a non-executive is a good idea, however, depends on the reasons behind the appointment. A significant number of SMEs appoint non-executive directors because of specific expertise in attracting finance or long-term capital into their businesses. The function of the non-executive is to utilise their often extensive contact book to help achieve successful funding rounds or capital raising on behalf of the SME to which they are appointed. While this may be positive for the business, if the scope of expected input is narrow and shallow, the benefit will not be long lasting. Many SMEs realise the significantly positive benefits that derive from appointing to their board extremely experienced professionals whom they would not be able to afford to employ as full-time executives. They welcome insight and perspective based on the independent and objective view of the non-executive. The right appointment can be a game changer for the SME: to reduce group think, broaden perspective and diversity, engender better performance in the executive management and provide a source of mentoring. As a director with fiduciary responsibility, the good non-executive will be clear and focused on the issues, remaining engaged with the SME despite not being present all the time. In your experience, what makes for an effective board? It is often forgotten that a board of directors is a collection of people in the first instance; individually strong willed and opinionated leaders with particular skills and expertise. Individually, those good directors will not be pushed around easily. We find that the boards that work best are those where individual board members have a high degree of trust in one another and a respect for each other’s skill and experience. Directors should not be afraid to challenge one another, nor be particularly afraid of conflict. No one director should be overly dominant (although there are exceptions to this, in situations of crisis management for example). Effective boards are committed to the success of the company and are clear on its strategy, having had the freedom to craft it, being fully accountable for performance and focused on outcomes. Effective boards require an effective chair, someone who listens and facilitates conversation and debate while bringing the board to a place of sensible decision and outcome. The chair’s effectiveness is often seen much in the work he or she does between board meetings – it is a time-consuming role if done properly. Effective boards are clear on their strategy, objectives and risk appetite and relentlessly focus on real key performance indicators and how to affect them positively. In terms of composition, the better boards are those that have a diverse range of opinion and skill, not all deriving from the same sector or skill base. They should have regard to the strategic challenges facing the company today and tomorrow, not yesterday. Boards should value the stupid question (as there usually is no such thing). The effective board appreciates the value of good governance and has a great understanding of its legal and regulatory responsibilities, respecting them in kind. Communications and information sharing should be free and clear. All of these characteristics can only thrive, however, if the organisation’s culture enables it; poor culture breeds poor leadership and governance, and it is quite a difficult challenge to overcome. Cyber security is a major concern. How is the issue reflected in the boardroom? We could not agree more wholeheartedly. In our opinion, cyber risk is a global systemic threat that faces every business – large and small, multinational, large corporate or SME – irrespective of sector. It is prompted by our connected interdependence on electronic data flows. If we stand back and think about it, cyber risk affects our critical infrastructure, financial system, communications and trading platforms to name but a few. We have moved a long way from the Morris worm in 1988 that was created for intellectual fun to the pure, brute force “terrorism” that has seen billions wiped off stock markets, assets lost and CEOs fired. I cannot speak for how the risk is being handled in every boardroom but time after time, our evaluations reveal that cyber risk has yet to be fully understood by most company boards. They are quick to acknowledge concern for the risk, but too often fail to address it appropriately. There is a tendency to respond with policies and procedures that paint the risk as an IT issue, when what is needed in the first instance is a better understanding of ‘thyself and thine enemy’ – a risk assessment of the company’s critical data and how it truly flows, its deployed systems and vulnerable points. Boards should list the cyber threats that could seriously threaten them. The company will not be able to protect everything to the same degree and an organisation will not be able to prevent a breach, so the board will need to establish a risk appetite and make risk choices in the area – the crucial questions being what are you not protecting and why, and how do your choices marry up to GDPR? Going back to a point made earlier, boards need diversity of skill in their composition and they need more members who genuinely “get” cyber. Cyber risk is a business risk that requires a cross-functional response plan and the risk requires proper monitoring at board level with quality management information metrics that are appropriately defined. In subsidiary boards, it is not good enough to simply rely on central functions, service level agreements must be good enough to ensure that central functions responsible for providing services are reporting appropriate management information to those responsible for governance and central functions must be responsive to the reasonable requirements of the subsidiary board. Boards are taking action in this area, but I would observe that a step change is required among some top tables as board preparedness is often not all it might be. With Brexit on the way, how will (or should) this issue affect the work of non-executive directors across the country? Brexit is an issue that should affect every board and every board member across the country, not just the non-executives. Based on balance of trade statistics from January 2017, of the €10.84 billion total Irish exports for the month, exports to the UK alone accounted for €1.073 billion (9.9%) of the monthly total. When you dig deeper into the statistics, different industry sectors will be more exposed than others. A little like cyber risk, boards of Irish companies should be hoping for a reasonable outcome from Brexit but preparing for the worst – a hard Brexit with the UK outside the customs union and WTO trade rules applying. Boards must have this subject high on their risk register and have a response plan ready. How will your sales and your supply chain be affected? What changes are needed, how can they be implemented and when? It is not practically possible to simply replace a significant market overnight and in certain cases, it will not be possible at all. Can the company respond through efficiency savings, or should the operating model be revised to ensure that both UK and EU markets can be serviced? Also, what strategic business opportunities does Brexit potentially present to us? Non-executives must play a key role in ensuring that these conversations take place, driving the executive to develop their thinking against the background of well-considered research and cultural understanding of both markets. Board membership may need to be revised to ensure that business change, transformation and market development skills are present. Standing still is not an option. Should more Chartered Accountants consider non-executive directorships, and what’s the first step? The training, experience and discipline Chartered Accountants gain over their career provides an excellent basis for suitability as a potential non-executive director. The breadth of subject matter a Chartered Accountant covers is significant but often not fully appreciated. It provides a key advantage, an excellent understanding of law and legal principles, ethics, governance, economics, corporate finance and marketing. Others will also gain further experience in insolvency and business reconstruction, not to mention the regular staples of financial and management accounting, tax and audit. When combined with the discipline quality training brings, a good, experienced Chartered Accountant will bring, inter alia, insightful analysis, keen observation, an eye for detail, risk and control, quality communication skill and organised leadership. A good Chartered Accountant knows how to resolve significant issues in a timely, risk mitigated fashion. The first step to a good career as a non-executive director is first to demonstrate world class executive leadership at C-Suite level and to become known for being excellent at what you do, whether that is leading a business to significant growth, effecting successful change management and/or business transformation or some other clear and demonstrable achievement that marks you out as an experienced person, from whom any company would benefit from your service and perspective as a non-executive. Eamonn Quinn FCA is a chairman, professional independent director, audit committee chair, board mentor and governance specialist at ‎Board Matters International.

Lorcan Tiernan, Adrian Benson and Catherine Hicks of Dillon Eustace on the current status of The Companies (Accounting) Bill 2016, the impact on non-filing structures, company thresholds and accounting and filing regimes. The Companies (Accounting) Bill 2016 was passed through Dáil Eireann on 22 March 2017. The Bill, which was first published last August 2016, is intended to transpose EU Directive 2013/34/EU. The Directive was enacted to update EU accounting law, particularly reducing the administrative obligations of SMEs and allowing for easier comparison between company accounts across the EU. The background The Companies (Accounting) Bill 2016 attempts to achieve these goals by adapting the accounting and filing regimes for different types of company. It will increase the criteria for entities to qualify as small or medium companies, allowing more to avail of these regimes, in addition to creating a new category, the micro company. The Bill will also expand the range of corporate structures which are required to file financial statements, with significant effects for non-filing unlimited companies.   The impact on non-filing structures If enacted in its present form, the Bill will broaden the definition of a ‘designated unlimited company’ (ULC). This will expand the range of corporate structures required to file financial statements with the CRO and may render ineffective many ‘non-filing ULC’ structures.   The current provisions of the Act provide that ULCs which do not fall under the ‘designated ULC’ definition are not required to file, and make public, their financial statements. The present definition allows that ULCs with any members that are unlimited companies incorporated outside the EEA will be not be considered ‘designated ULCs’ and therefore are exempt from this requirement. This allowed for the non-filing structures in use at present.   However, the current iteration of the Bill has significantly widened the definition of the ‘designated ULC’. The Bill will remove the EEA limitation contained in the Act and will include ULCs which are holding companies for limited undertakings, credit institutions or insurance companies which are ULCs and any ULC whose ultimate owners enjoy limited protection. This is a considerably broader definition which will prevent many non-filing ULC structures from operating effectively. It is worthy of note that any previously exempt ULCs submitting financial statements for the first time will be required to include information from the previous financial year for comparison.   Company thresholds The Bill also alters the financial criteria for businesses to qualify as a “small” or “medium” company. By increasing the net turnover and balance sheet criteria, more businesses will qualify for each of these regimes. The third criteria in relation to average number of employees has not been changed. The Bill also introduces a new category of “micro” company below the “small” category. To qualify as a micro company, a business must not exceed two of the three criteria, as with the small and medium categories.   Accounting and filing regimes The changes in thresholds are accompanied by changes to the regimes for the filing of financial statements. The changes will reduce the filing regimes for smaller businesses while increasing the requirements for medium and large companies.   Medium companies will no longer be able to qualify for audit exemption and will be compelled to file group financial statements; the option for them to file abridged statements will be repealed. Small and micro companies will be exempt from this requirement but may still opt to file group statements.   A reduced filing system is available for the new category of micro companies including an exemption from including a director’s report.   The Bill also introduces a new class of “ineligible entities” consisting of companies carrying out particular activities, which will be excluded from taking advantage of audit exemptions. Credit institutions, investment companies, insurance undertakings and ‘public interest’ entities are included in this class. In addition, any ineligible entities or large companies engaging in the mining, quarrying and logging industries will be required to file annual reports on any payments made to governments under the Bill.   When will the Bill come into effect? The Bill has now moved on to Seanad Éireann and may be subject to further change before it becomes law. It is unclear as to when it is likely to come into effect, particularly given the delay in transposing the Directive. The Directive was due to be transposed in Ireland by 20 July 2015 with a stipulation that the provisions would first apply to financial statements for financial years commencing on or after 1 January 2016.   In a recent development, the amended version of the Bill which passed Dáil Éireann states that the provision specifically requiring ULC holding companies of limited undertakings to file financial statements will not come into operation until a financial year starting on or after 1 January 2022. The Minister for Jobs, Enterprise & Innovation stated in Dáil Éireann that this amendment was proposed due to the concerns expressed by companies that will be affected by the change. The Minister voiced her understanding that many companies would require restructuring as a result and that a transition period was fair and appropriate.   Lorcan Tiernan is Head of Corporate at Dillon Eustace; Adrian Benson is a Partner at Dillon Eustace; and Catherine Hicks is a Senior Associate at Dillon Eustace.

Significant changes in how auditors evaluate accounting estimates and related disclosures have been proposed by the International Auditing and Assurance Standards Board. The changes will require auditors to sharpen their focus on risks of material misstatements arising from accounting estimates, and to address those risks with more granular audit requirements.   “Accounting estimates are used in many financial statements – often they are complex, and require judgement or have estimation uncertainty. It is especially important that auditors are required to design and perform procedures to ensure estimates’ reliability,” said Professor Arnold Schilder, International Auditing and Assurance Standards Board (IAASB) Chairman. “The proposed standard will bring significant changes to many audits, but particularly to audits of financial institutions, such as banks and insurers, given the recent shift to accounting for expected credit losses.”   The proposed standard continues the evolution of audit to meet the challenges of an increasingly complex global economy. It was developed following extensive consultation with regulators and practitioners, including those who audit small, medium, and large businesses.   The proposed standard:   Enhances requirements for risk assessment procedures to include specific factors related to accounting estimates – namely complexity, judgment, and estimation uncertainty; Sets a more detailed expectation for the auditor’s response to identified risks, including augmenting the auditor’s application of professional skepticism; and Is scalable regardless of the size or sector of the business or audit firm. International Standard on Auditing 540 (Revised), Auditing Accounting Estimates and Related Disclosures, is open for public comment until 1 August 2017. The IAASB invites all stakeholders to comment on the exposure draft via the IAASB website.

Global venture capital deals are down, but Ireland is poised to become a springboard to European market according to a new KPMG report. The number of venture capital deals worldwide fell in the first quarter of 2017 with 2,716 deals completed globally during the period according to the latest quarterly report on global venture capital (VC) trends from KPMG. This compares to 3,201 in the last quarter of 2016.   The global report calls out Ireland as a springboard to the European market with its fintech sector continuing to show signs of growth.   Anna Scally, Partner at KPMG, said: “The slow start to 2017 is not surprising, as macroeconomic matters across the EU and in the US are contributing to investor caution. However, we do expect investor appetites to pick up later in the year as we all come to terms with the new normal.   “Dublin is increasingly being chosen as the European headquarters for multinational companies and growing firms, such as Kabbage. Other companies, especially in Ireland’s strong fintech market, increased operations and added headcount throughout the first quarter.   “Brexit is certainly a factor in this trend and is well-positioned to serve as a springboard to the vast European market. Ireland’s straightforward tax regime and strong tech talent base are also motivators,” Scally added.   Despite the decline, venture capital investment grew to US$26.8 billion in the first quarter of 2017. Globally, the Americas led VC investment, accounting for $17.8 billion. The US made up the lion’s share, with $17.3 billion invested. In Asia, VC investment grew slightly quarter over quarter to $5.6 billion, while in Europe investment remained relatively flat at $3.4 billion. Corporates participated in 22% of all venture deals in Europe – the highest percentage seen over the last seven years.

Advances in technology have boosted data scientist roles by 57% globally in one year, according to a Big Data Analytics & Business Intelligence Observatory run by Politecnico di Milano School of Management.   Advances in big data analytics are encouraging increasing numbers of industries – including banking, media and big pharma – to maximise this tool by employing more data scientists.   The research, which surveyed 280 international data scientists, revealed a 57% annual increase in positions allocated as well as role availability in nearly a third of companies.   Alessandro Piva, director of the research observatory and faculty member of Politecnico di Milano’s (MIP) School of Management, said: “As big data analytics grips the world of business and as companies increasingly understand the merit of using this valuable information in their decision-making processes, the role of the data scientist is increasing both in popularity and in availability. This is one example of a job created in recent years by huge advances in our understanding of tech and our ability to interpret masses of data that often used to stagnate in unread files – or sometimes even failed to be collected.”   The research suggests that international businesses will increasingly look to integrate data scientist roles into their hiring strategies. According to Erica Titchener, Head of Technology and Operations Consulting at Alexander Mann Solutions, “At a time when speculation around the number of jobs which will be replaced by robots and automation is rife, MIP’s research demonstrates how the technological revolution is, in actual fact, creating fresh demand for highly skilled professionals.   “Organisations have long had access to data which was almost beyond the capability of humans to digest, cross-reference and analyse. However, thanks to the rise of AI (artificial intelligence), RPA (robotic process automation) and machine learning, this can now be used as a springboard to boost innovation, productivity and economic success.   “For medium and large businesses in particular, investing in data analysis is no longer novel or luxurious – it’s business imperative. Companies which fail to create workforces which can harness the potential of big data analytics face a very real risk of being left behind by their competitors as the pace of technological change advances.”