Hilltop’s primary services in this area are as follows:
Finance services provided have involved helping large and small clients with some of the basic functions of a finance department including, but not limited to:
- on-call CFO needs,
- business planning (new products, new service lines, expansions, acquisitions, etc.),
- external financial reporting design and implementation,
- management reporting design and implementation,
- assessment of profitability, costs and cost accounting, etc.,
- budget creation and monitoring,
- cashflow management – reporting, monitoring, projections,
- assessing liquidity risks and creating contingency plans,
- debt and capital planning,
- Bank borrowing process and loan application,
- valuations – enterprise and specific asset valuation,
- financial engineering for sophisticated financial transactions like REMIC cashflows and bondholder payments, earn-outs, purchase price calculations, etc.
- model validation and controls,
The Finance function and our services therein generally includes all non-accounting and audit related activities.
Accounting and Audit Readiness
Accounting and Audit Readiness services provided typically address our clients’ needs to support the accounting, internal controls, financial and management reporting and any audits of their business. Examples of services provided are summarized as follows:
- CFO and Controller services can be provided on a short-term basis, project need and/or regular monthly services for companies that cannot yet afford a full-time position,
- designing, implementing and testing accounting policies, processes, internal controls and financial systems,
- providing accounting advice relating to new accounting requirements and implementation, compliance requirements affecting accounting policy/processes, accounting issues, issues with your audit, new, new reporting requirements, etc.
- establishing procedures and controls to ensure that the accounting policy is adhered to (key or significant control points designed in our client’s internal controls (SOX)),
- identifying, implementing and testing financial systems for general ledger, management reporting, subledger, controls systems and any other finance or accounting need,
- Hilltop often “jumps in” when our client does not have the resources or methodology to identify/correct errors within the financial information (financials, general ledger, payroll, cost records, etc.). In this case our forensics team assesses the following:
- possible errors in the accounting system,
- possible errors in the data input, process or output and controls over such,
- evidence of incomplete transaction data,
- evidence of inaccurate transaction data,
- possible fraudulent entries and/or reporting to meet contract, bank covenant or shareholder promised results,
- possible improper use or interpretation of transaction data (data definition issues or use of too many End User Computing systems (spreadsheets that are not compared to the financial system),
- possible issues with poor or inexperienced accounting staff,
- possible management override of controls, processes, analyses, etc.
- evidence of errors in the data created/managed by other than the source systems (i.e. EUCs are used or separate databases that are not properly reconciled to source financial systems like the G/L, payroll system, etc.)
- evidence of accounting applications that were implemented incorrectly or the application was changed without proper review and testing,
- evidence of data transfers or downloads that affect the recording/capture of accounting data,
- Other risks involving people, process or technology and impact the capture, recording, processing, and reporting of accounting information.
- Performing audit readiness activities by providing accountants to prepare for and respond to audit requirements/inquiries as follows:
- gathering compliance policies/procedures documentation and evidence of compliance with requirements to give to auditors,
- providing SOX/internal control documentation to auditors,
- testing financial and operating controls as a “mock audit” before the auditors begin their audit to assess what results are likely to be,
- calculating the allowance for loan and lease losses (ALLL),
- analyzing risks and calculating loss estimates to be accrued as reserves or considered as part of asset fair value calculations,
- performing asset management accounting & reporting,
- training client accountants or internal auditors on new accounting or auditing topics, and
assisting in the Fair Market Value and asset classification policy and procedures.
Hilltop’s CPAs and audit professionals have all experienced a client with a fraud event in the accounting area. Frauds can happen anywhere in a client’s operations but our CPAs are focused especially on those frauds that occur with material financial statement impact. A few examples include:
- purposeful over-statement of the financial results or the assets and equity,
- incomplete or cancelled transactions accounted for as completed,
- using clearing accounts to cover up errors in various accounts,
- using dormant bank accounts to move funds to personal/controlled accounts,
- paying commissions or other incentives on overstated financials, and
- recording personal transactions/expenses as corporate expenses.
Our Fraud team utilizes Hilltop’s methodology for fraud investigations as noted in the Fraud Investigations business description.
Forensics (accounting records reconstruction and reconciliation)
Hilltop has performed its forensic accounting services for a number of clients. Our Forensics practice addresses reconstruction and reconciliation of all operational and financial records/information, however, accounting is the most typical engagement where Hilltop would perform the following services:
- bank reconciliations that have significant volume and many years of unreconciled activity,
- finding and assembling financial information needed to support file many years of unfiled Federal and state tax returns,
- financial transaction information lost due to fire, computer failure without backups, other business disruption issues,
- reconstruction of sales and shipping information over a long period of years,
- recasting business transactions and recording such in the proper business unit, and
- any other major need to reconstruct and reconcile financial and/or banking information.
While many of the situations requiring forensic accounting work are caused by mistakes or business disruptions that are not controllable, there are situations where the Company or its owner has purposefully caused the destruction of records or simply not maintained the financial information. The latter is typically where the forensic effort is tied to a fraud investigation, a tax audit, a litigation dispute, a major compliance issue or other criminal activity.
Financial, Compliance and Specialized Audits and Agreed Upon Procedures (AUP)
Financial, Compliance and Specialized Audits and Agreed Upon Procedures (AUP) are performed by Hilltop auditors for various purposes. Hilltop gains efficiency in preforming such because of our industry knowledge and financial experience. Further, our clients that have complex audit/AUP requirements need a firm like Hilltop that can provide a comprehensive and accurate audit/AUP review.
Hilltop provides assistance to large and small CPA firms by providing audit team members to help perform financial statement audits (both commercial and Federal audits). Hilltop teams also perform compliance and/or loan reviews on behalf of the Compliance or Internal Audit groups of many banks who access our subject matter knowledge. We have also assisted the bank’s CFO/Controller with ALLL and reserve calculations.
Hilltop provides “agreed upon procedures” (AUP) reviews to meet compliance needs that are specified in the following:
- regulatory requirements,
- Bank loan covenants,
- earn-out calculations and payment requirements,
- compensation plan requirements,
- loan sale representation and warranty requirements,
- loan servicing or Pooling & Servicing (PSA) agreements,
- loan reviews to support litigation claims,
- performance contracts (sales effort, bonuses, vendor incentives, etc.),
- legal settlement payment calculations,
- vendor contracts relating to scope, terms, service level agreements, etc.,
- lease agreements that require annual calculations lease escalations,
any other contractual or legal settlement requirements.
Finance and Accounting Technology & Data Controls Assessments
Information technology risks are significant given the increasing reliance for all business operations and financial information to be processed by a computer in some manner. If the risks are not controlled and monitored – it could have a significant disruptive impact on our client. Hilltop has expanded its’ IT & Data controls team that helps our clients establish the controls, test to see that they are working and perform any remediation effort if the controls are weak or not working. Our clients must remember that controls are only effective if all of the essential components are effective and working. These components are the IT & Data policies, procedures (both manual and application based), people who perform the procedures and monitor the controls in place, Management’s culture and attitude about controls (is it an important topic in meetings or not?) and finally the application technology and controls applications that are performing monitoring as well. IT and Data controls help ensure that the applications produce complete and accurate reports, process transaction properly and ensure that data is tested and used appropriately within the technology systems.
Sarbanes-Oxley and Dodd-Frank legislation increased the intensity of the spotlight on IT controls and their effectiveness, especially with respect to “Personally Identifiable Information or PII”. Accordingly, Hilltop has several Certified Information Security Auditors who along with our industry consultants help our clients with the critical assessment of IT & Data controls. The first step in our IT & Data controls assessment is to review “general controls” that include:
- assessing the control environment which establish the corporate culture and “tone at the top” i.e. Management seriousness about adhering to IT controls,
- assessing change management procedures and the controls designed to ensure the application and data changes meet business requirements and are authorized,
- reviewing source code and evaluate document version control procedures that protect the integrity of program code (which is the right version to use),
- determining if the client has software development life cycle (SDLC) standards that help ensure IT projects are effectively managed and reduce the risk of a bad application being launched,
- identifying access policies, standards and processes that manage access based upon Management’s decision of who needs to have what access for ongoing business purposes,
- reviewing client’s log of incidents and determining if management policies and procedures are being adhered to relative to controls that identify operational processing errors,
- identifying the root cause of various incidents noted in the previous step and how such is addressed by the IT team and Management,
- assessing the technical support procedures and documentation that should be in place to help users get efficient use of the applications and to be able to report problems when experienced,
- reviewing new hardware and software configurations, installation, testing, management standards, policies and procedures,
- assessing disaster recovery and data backup and recovery procedures,
- assessing controls over physical security over IT platform installations, hardware, data and all storage areas.
- ensuring that data definitions are documented and used consistently throughout company,
- assessing data security including basic and more advanced cyber security techniques used,
- Key questions that our team will ask include:
- If the appropriate controls exist in processes, technologies, data, security and change management?
- If the controls are operating effectively and according to their stated purpose and recommendations to improve effectiveness
- Whether gaps exist in controls and recommendations to close gaps
- Whether there are redundant controls that increase cost and decrease efficiency and recommendations on streamlining controls
- If management and reporting processes exist to provide stakeholders with transparency into controls effectiveness
- Hilltop will make basic recommendations on improving the effectiveness and efficiency of the IT control environment (no application specific controls have been evaluated at this level yet)
Our team will only begin assessing applications specific controls and controls over non-productions applications (EUCs, etc.) if we have completed our assessment of the general controls noted above.
IT application or program controls should be fully automated and designed to ensure that operating data is processed completely and accurately from input through output. Application controls can help ensure the privacy and security of data transmitted between applications. Our IT audit team would address application controls as follows:
- test completeness checks that ensure that all transaction data/records were processed from input to completed process,
- test validity checks that ensure only valid data is input or processed (data scrubs, reasonableness tests, etc.),
- assess whether the identification controls are in effect whereby all users are uniquely identified by the system and operate at the level permissible,
- test the authentication controls that ensure the transaction data/record information is appropriate,
- test the authorization controls to determine that business users have approved access at the appropriate level of the application,
- test input controls to determine that data integrity is not affected when moved from one system to another, and
- test forensic controls which ensure that data is scientifically and/or mathematically correct based on inputs and outputs.
Clients benefit from our thorough, independent view of their IT controls and our recommendations. We bring extensive experience as auditors, regulatory examiners, IT executives and risk management professionals to our assessments. We follow accepted industry frameworks, practices and standards, such as COBIT, in conducting assessments. Our recommendations are practical, cost effective and achieve the IT control effectiveness demanded by management, regulators and auditors.
Federal Accounting and Financial Statement Audits
Hilltop has a number of accountants including our founder who have Federal accounting and audit experience. Our Federal accounting and audit team has finance and accounting experience as consultants and employees in a number of the agencies. We understand the differences between commercial and Federal agency accounting, reporting and audit requirements. Hilltop has a number of subcontracts with major audit firms to help perform financial statement audits (our firm does not do financial statement audits). Hilltop does assist our Federal agency clients with compliance audits, investigations and litigation relating to finance and accounting topics.
Controls Assessments (Design, Implementation & Testing)
Controls assessments have been important to our industry for many years. Sarbanes-Oxley and Dodd-Frank legislation increased the intensity of the spotlight on business controls and their effectiveness. Regulators like the CFPB and others are introducing controls concepts that require Management to establish a Compliance Management System (CMS).
Hilltop supports our clients’ needs for assessing and implementing appropriate operating and internal controls. We thoroughly assess clients’ operating environments, including operations management processes, interfaces with technology, data and security. We bring extensive experience as auditors, regulatory examiners, operations executives and risk management professionals to our assessments. Given our audit and industry focused experience, Hilltop can assist our client with its assessment of each of the following controls types:
- All risk types,
Hilltop’s controls assessment methodology (which addresses all of the above types) has several key differentiators from standard SOX-like reviews of accounting controls as follows:
- assessing our client’s business to identify what is critical to “protect”,
- identifying the policies, processes, people and technology applications that need to be in place to “protect” the identified aspects of the business,
- identifying the appropriate key/significant control points that should be “built into” the business i.e. processes, applications, training, security, organizational structure, etc.
This methodology allows our client to focus on the significant/key control points for all of the control types. Most clients do separate analyses of each type of control and the result is too many key/significant controls being identified.
After completing our independent assessment, we will make recommendations for improving the effectiveness and efficiency of the existing controls environment and suggest improvements to close any gaps that were identified, while at the same time recommending possible streamlining of existing controls. Hilltop uses our controls evaluation process to reduce the number of controls being monitored (i.e. redundant controls increase cost and decrease efficiency) and hence the cost of maintaining all control types, especially the regulatory controls.