
Experts’ Corner: Communicating Governance Deficiencies, Cyber Insurance, Leveraging Technology

Q: What are the most common issues addressed in the management letter following a club audit? How should management respond?

A: Club operations have garnered increased attention from club boards during the recent economic downturn. Pressure to cut costs inevitably results in internal controls suffering—specifically segregation of duties. Crucial to an efficiently run operation is a properly functioning internal control. Internal controls in a club are subject to an ever-changing environment. It is paramount that club leaders understand their clubs’ internal controls and how they function.

In performing an audit, the club’s auditors are required to obtain an understanding of internal control. The auditor needs to identify and assess the risks of material misstatement of the financial statements. The auditor may identify deficiencies in internal control at any stage of the audit, which are referred to as control deficiencies.

Control Deficiencies

A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis.

Control deficiencies are classified into 3 categories based on the severity of the deficiency or deficiencies as follows:

Material weakness. A deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis.

Significant deficiency. A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.

Other matters. Other control concerns that the auditor identifies during the audit.

Communicating Deficiencies

The auditor has a responsibility to communicate any governance deficiencies in internal control that he or she has identified and are worth bringing to the club’s attention. This communication is usually referred to as a management letter. For management letters that contain either a material weakness or a significant deficiency (as outlined above) management should act quickly to address and correct such shortcomings.

Other comments and recommendations in management letters may encompass both best practice recommendations as well as other control deficiencies not deemed severe by the auditor. To the extent possible management should take these comments and recommendations under advisement and consider corrective actions. Since management letters have become more of a focal point at year-end wrap up audit meetings, more and more clubs have begun responding in writing to each of the comments and recommendations addressed in the letter.

Management’s Response

Management should respond in writing to each of the comments contained in the management letter within an appropriate time frame. Such responses can either be included in the management letter after each of the applicable comments or in a separate document. They should include a description of the corrective action that will be taken as well as an implementation date or alternatively, an explanation as to why management did not plan on taking corrective action (e.g., the cost to implement the new control would exceed the benefit).

The process of reviewing the comments and recommendations contained in the management letter and having management provide written responses to each of the comments should eliminate the likelihood of the same comments being repeated in subsequent years, enhance controls, and enable those charged with governance to discharge their oversight responsibilities.

Daniel T. Condon is a founding partner in the accounting firm of Condon O’Meara McGinty & Donnelly LLP, which currently serves as auditors, consultants and tax advisors to more than 325 clubs in 14 states. He has practiced in the area of private membership clubs for more than 30 years. He can be reached at 212-661-7777. Learn more about COMD at www.comdcpa.com.

Q: What trends are you seeing related to private clubs and cyber insurance? Are businesses required to carry this type of insurance?

A: A small but growing number of private clubs have experienced a data breach. Luckily, many of these clubs had cyber insurance. A common misconception is that cyber liability is for Internet-related risk only. In fact, no computer or crime is required for loss. While hacker attacks and virus/malicious code incidents are most commonly reported in the news, in other cases, privacy issues such as accidental or unauthorized release of confidential member information, social engineering and rogue employees are responsible for security liability—as well as reputational damage—to the club.

The Ponemon Institute, a well-known research firm, publishes an annual “Cost of a Data Breach” report. In partnership with IBM, the 2014 report indicated that 32 percent of organizations in the study have a cyber insurance policy to manage the risk of attacks and threats.

An interesting finding is the important role cyber insurance can play in not only managing the risk of a data breach but in improving the security posture of the company. While it has been suggested that having insurance encourages companies to slack off on security, their research suggests the opposite. Those companies with good security practices are more likely to purchase insurance.

While there is presently no law that requires a business or organization to carry cyber liability, there is a national trend in business contracts for proof of this coverage. In addition, the SEC is encouraging disclosure of this coverage as a way of demonstrating sound information security risk management. Laws such as HIPAA-HITECH and Gramm-Leach-Bliley and state-specific data breach laws are continually driving demand as requirements for notification in the wake of a data breach become more expensive.

The Symantec “2014 Internet Security Threat Report” indicates that small businesses like clubs accounted for 30 percent of targeted spear-phishing attacks in 2013. In 2012, Verizon reported that approximately 40 percent of all data breaches that year occurred among companies with fewer than 100 employees. Even more alarming is the fact that 60 percent of companies that have been a victim of cyber-attacks are out of business within six months. While breaches involving public corporations and government entities garner the vast majority of headlines, it is the small business that can be most at risk. With lower information security budgets, limited personnel and greater system vulnerabilities, small businesses are increasingly at risk for a data breach.

The Ponemon Institute “2014 Cost of a Data Breach” report indicated that the average cost paid for each lost or stolen record is $201. These numbers are reflective of both the indirect expenses associated with a breach (time, effort and other organizational resources spent during the data breach resolution, customer churn, etc.), as well as direct expenses (customer notification, credit monitoring, forensics, hiring a law firm, etc.).

Because every breach is different, and the per-capita cost of a breach depends largely on the number of records compromised, it is helpful for small to mid-sized organizations to start with a lower number of $65/record (the average direct costs associated with a breach in the Ponemon study)—multiply this number by the estimated number of records containing PII, PHI or financial account information in the insured’s control. By engaging in this simple exercise, businesses quickly understand the financial value of implementing cyber insurance as a risk transfer vehicle. More information can be found at www.ponemon.org.

Tom Walker is area executive vice president of RPS Bollinger – Sports & Leisure. He serves as the program manager, with oversight for all operations, sales, financial performance and key broker, industry association and carrier relationships. He has served on several club boards and committees, and is a recognized authority on club insurance issues. He can be reached at 800-446-5311 (ext. 8098) or [email protected].

Q: We seem to be having trouble making greater use of technology to run our club and communicate with the membership. What might the club do to address the opportunities technology can present?

A: With the exception of all but the largest clubs, many clubs are just beginning to deploy technology as a way to better serve and communicate with members. This isn’t to suggest it’s unimportant or will lack effectiveness; it’s just the reality of membership composition and budgets. Clubs are capital-intensive environments and they serve relatively small and diverse audiences. Converting to a new operating system or building a new website can be low priorities when parts of the physical plant are dated or the club lacks the right amenities. There is clear competition for dollars and attention.

This attitude will change as membership’s profile changes—ultimately making it good business for all clubs to be viewed as tech savvy. The Millennials are coming (we hope!) and demographers have already identified shifting technological preferences within this segment. They will be our club members of the future, so get prepared.

However, like all major aspects of your plan for club success, your approach to technology must align with the culture of the club and marketplace. It should be addressed in your strategic plan and given its proper due within the capital and programmatic schemes. We are getting better as an industry at making use of technology, but the blanket statements that we are behind other hospitality organizations miss the point about the unique nature of clubs. What works for a resort or hotel may not be best for a club. And what works for a club serving retirees in the Sunbelt may not fit with a country club in Palo Alto, Calif. On the other hand, if you are not leveraging the advantage you have to use modern tools to serve and understand your members, you are missing the boat.

In the upper echelon of needs, we’d include accounting, billing and reservations. This technology is unobtrusive and efficient on the member side with a proven return on investment. Next is the need to keep members informed and engaged. Members in our surveys continue to rate the weekly e-blast as the most effective and desirable form of communication. That may seem dated to some, but that is what members prefer. Make sure you are pushing out information at regular time frames and under a banner that has the appropriate look and feel. More is not necessarily better here and just because it’s free to pump out e-mails, abuse brings rejection.

Another key technology component is your website, as it is the club’s face to the world. Prospective members almost always begin their evaluation of the club on the Internet. This “first impression” should be given as much consideration as you present along the entrance drive or front door.

Technology presents myriad opportunities for serving members, connecting them to the club and even interacting with one another. We are at the dawn of a new era. It is only a matter of time until we are using analytics to truly understand the member experience. In the meantime, push forward a step at a time and get ready for the Millennials.

Frank Vain is president of McMahon Group, Inc., a premier full-service, private club consulting firm serving more than 1,600 private clubs around the world. He also serves as a director of NCA and chairs the Communications Committee. He can be reached at [email protected]. For more information, visit www.mcmahongroup.com.
