Business Advisory Services


Whether a company is public, private or not-for-profit, key personnel with responsibility over finance and operations are often faced with challenges to help their operations become more efficient and profitable, while complying with applicable laws and regulations. Economic, regulatory, and business environments are never static and can change very quickly, resulting in the need to address strategic, financial, operational, regulatory compliance and technological issues.

To assist busy executives with these challenges and/or opportunities to promote increased efficiency, effectiveness and profitability, Windes & McClaughry's Business Advisory Services (BAS) practice provides a comprehensive range of services in the areas of:

Governance, Risk and Compliance

Governance, Risk & Compliance (GRC) is one of the most critical issues facing just about every company CEO, CFO, COO and its audit committee and board of directors. Without an effective GRC environment, companies can be presented with difficult challenges that can divert precious time and attention away from key strategic initiatives. At Windes & McClaughry, our BAS professionals help our clients understand various regulatory requirements and help implement an effective, cost-efficient, and sustainable corporate governance framework. Windes & McClaughry's GRC services include:

Sarbanes-Oxley (SOX) Compliance Services

  • Accelerated Filers
  • Non-Accelerated Filers
  • Outsourcing; Co-Sourcing; Staff Augmentation

Internal Audit Services

  • Outsourcing; Co-Sourcing; Staff Augmentation
  • Internal Audit Function Start Up
  • Quality Assurance Reviews of the Internal Audit Function
  • Enterprise Risk Management Consulting
  • Regulatory Compliance Audits
  • Specialty Audits (CAM Expense Allocations, Construction Audits, and more)
  • Fraud & Forensic Consulting
  • Operational Policy & Procedure Documentation

Audit Committee Advisory Services

  • Periodic Self-Assessments

For more information, please contact:

J. Lyle Scheppele, CPA

Information Technology (IT) Audit and Consulting Services

Today, the stature and survival of most businesses and organizations are heavily dependent upon the strength and security of their information technology (IT) infrastructure. However, most of these entities are not maximizing their IT investment, nor are they using their technology effectively to ensure strategic company initiatives are adequately supported for the present or the future.

As a result, IT has become a priority issue for senior management, who must provide proactive sponsorship for efforts that will ensure adequate security, confidentiality, integrity and availability over their organization's information assets. Creating an operating environment that allows you to effectively manage and mitigate risks is fundamental to ensuring the viability of the IT and business infrastructure.

Windes & McClaughry can help you address federal and state requirements as well as overcome challenges posed by fundamental and emerging IT issues. Our services assist leading organizations to prioritize their efforts to ensure that IT investments provide maximum security and risk mitigation in the most cost effective manner.

Our auditors have a wealth of experience, specialize in specific industry sectors, and maintain certifications in their areas of expertise. This allows us to perform each engagement with a unique, value-added insight. Our services include competency in the following areas:

IT Audit and Consulting Services

Our audit approach combines experience and an in-depth understanding of your business and industry to deliver independent, quality information that helps you run a better organization. We establish hands-on, year-round relationships with our clients, utilize outstanding professionals and the best in training and technology, and demand excellence in each engagement. We design the audit process to drill down to the pertinent data, which allows our professionals to ask critical questions that can provide insight into important trends and enhance the value of the results.

The primary objective of each IT audit is to express an opinion on the internal controls within an organization's IT infrastructure components and their impact on the business. We perform audits in accordance with industry standards, best practices and internationally recognized information technology frameworks. Audits involve identifying risks, evaluating internal controls, and testing design and operating effectiveness of such controls. To add the most value, our management letters not only address internal control matters, but operational and efficiency issues, as well. Clients also benefit from the computer systems, analytics, and processes we use to ensure the accuracy and validity of their business critical and sensitive data. Our Standard IT Audit services include the following:

Statement on Auditing Standard No. 70 (SAS 70) Audit

Assessment of the internal controls of a 3rd party service provider. Assessment results in a SAS 70 report.

  • Type I SAS 70 Audit: Includes the service organization's description of controls and the auditor's opinion about whether the control design is adequate to meet the objectives at a specific point in time (e.g. as of June 30, 2008).
  • Type II SAS 70 Audit: Includes Type I information in addition to 1) a control test plan and 2) an evaluation of whether the tested controls operated with sufficient effectiveness to provide reasonable assurance in meeting the control objectives over a 6-month minimum period (e.g. period from 1/1/08 to 6/30/08).

General Computer Controls (GCC) Audit

An all-encompassing IT controls audit. This audit addresses general computer controls which apply to all systems components, processes, and data for a given organization or IT environment.

The objectives of general computer controls are to ensure the proper development and implementation of applications, as well as the integrity of programs, data files, and computer operations. A GCC Audit assesses the following 10 IT domains:

  • Information Security
  • Operations
  • Application Systems Implementation and Maintenance
  • Database Implementation and Maintenance
  • Network
  • System Software Support
  • Hardware Support
  • Business Continuity Planning
  • Information Resource Strategy and Planning
  • Outsourced Vendors

Application Audit

Application specific reviews. The Application Audit encompasses controls that relate to the transactions and data pertaining to each computer-based application system and are therefore specific to each application. The objectives of application controls, which may be manual or programmed, are to ensure the completeness and accuracy of the records and the validity of the entries made therein resulting from both manual and programmed processing. An Application Audit assesses the following application areas:

  • Data Input Controls
  • Data Processing Controls
  • Data Output Controls
  • Application Interface Controls
  • Storage and Retrieval
  • Change Control
  • Application Security
  • Data Security

Operating System (OS) Audit

Security review over operating systems. Common operating systems are MS Windows, Unix, VMS and OS400. The OS Audit will address the following:

  • Configuration Parameters
  • User Access
  • File / Object Protections
  • Information Security
  • Change Management
  • Physical Access
  • Backup and Recovery

Database Management System (DBMS) Audit

Security review over database management systems. A DBMS is a complex set of software programs that controls the organization, storage, management and retrieval of data in a database. The DBMS Audit will address the following:

  • Configuration Parameters
  • User Access to the DB
  • Access Protections Over Tables, Views, etc.
  • Database Permissions
  • Security
  • Interfaces
  • Change Management
  • Physical Access
  • Backup and Recovery

System Development Life Cycle (SDLC) Audit

The SDLC relates to processes or methodologies that are used by teams and companies when developing computer software and systems. Review of the SDLC methodology will include the following areas:

  • SDLC Procedures
  • Critical Milestones / Checkpoints
  • Review Points
  • SDLC Deliverables and Artifacts
  • Management Sign-Off
  • Testing and Test Environments
  • Access Controls
  • Version Control Mechanisms In Use
  • Code Protection
  • Deployment
  • Post Implementation

Software Change Management (SCC) Audit

Change control processes are used to minimize risks to the computing environment when changes are introduced into the production systems. Review of the SCC processes in use will include the following areas:

  • Change Control Procedures
  • Critical Milestones / Checkpoints
  • Review Points
  • Required Artifacts
  • Management Sign-Off
  • Testing and Test Environments
  • Access Controls
  • Version Control Mechanisms In Use
  • Code Protection
  • Deployment
  • Post Implementation

Information Security Review

Review of the information security program, policies and procedures safeguarding critical company assets. The Information Security Review will include the following areas:

  • Awareness
  • Communication
  • Implementation
  • Enforcement
  • Monitoring
  • Policies
  • Procedures
  • Standards
  • Privacy
  • Information Classification

Software System Solution Selection

Windes & McClaughry's solution selection services offer an unbiased and fact-based decision process, while working collaboratively with client senior and executive management. Our approach involves:

  • Independence and objectivity
  • Consideration of vendor reputation, technology, system functionality and scalability, and user support needs
  • Evaluation of company needs requirements using cost/benefit analysis

Enterprise Resource Planning (ERP) System Implementation Risk Assessments

Windes & McClaughry will collaborate with senior and executive management, integration consultants and the external auditors to execute an independent detailed risk assessment and GAP analysis on the ERP implementation. Specific emphasis is placed on:

  • Project management, including established timelines, deliverables and milestones documented in the implementation plan
  • Integrity of data ultimately converted to the new system
  • A thorough review and evaluation of test plan scenarios
  • IT security and segregation of duties (SOD) analysis with respect to user access rights
  • System development life cycle (SDLC) and change management controls

Disaster Recovery Plan (DRP) Evaluation

Assessment of the disaster recovery plan in effect. The DRP evaluation will include the following areas:

  • Backup and Recovery
  • Plan Testing and Recovery Procedures
  • Network Connectivity
  • Application Support
  • Third Party Service Providers
  • Plan Maintenance

Regulatory IT Audit Services:

The effectiveness of internal controls represents an important issue to senior executives and corporate boards in organizations across all industries. Equal to internal controls over financial processes are internal controls over information technology supporting these financial and other critical business processes.

IT has become more pervasive and is relied upon by all aspects of the organization. As the need to provide regulators and shareholders with information on controls increases, the effective design and operation of automated internal controls are also becoming more and more important.

To help your organization achieve its mission, objectives and compliance with federal and state requirements in the most effective and efficient manner possible, Windes & McClaughry offers the following audits and assessments of IT controls.

Sarbanes Oxley (SOX 404) Compliance Review

The SOX 404 Audit is an assessment of a public company's internal controls over financial reporting. This audit incorporates the latest updates, standards and requirements issued by the U.S. Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB). The SOX 404 Audit addresses the following:

  • Risk based, top down approach
  • Documentation of controls
  • Assess control design effectiveness
  • Assess control operating effectiveness
  • Controls deficiency assessment

Senate Bill 1386 (CA SB 1386) Compliance Review

A compliance review over a business's actions taken to disclose to California residents a breach of the security of any computerized data that included specified unencrypted personal information reasonably believed to have been acquired by an unauthorized person.

For more information, please contact:

J. Lyle Scheppele, CPA

Financial & Operational Improvement

Streamlined operations and financial reporting processes are an important component of an organization's success and profitability. Many companies have the same policies and procedures in place today as they did many years ago when they were much smaller organizations. Chances are that these same organizations could be more efficient, effective, and ultimately more profitable with targeted financial or operational improvement efforts. Interestingly enough, most of these same companies realize this, but lack the resources to address this issue as internal staff has been reduced with an increase in responsibility.

Windes & McClaughry's Financial & Operational Improvement services can help you reengineer your existing operational or financial reporting processes to improve the efficiency and effectiveness of such processes. Our methodology-based solutions consider the culture of your organization, along with existing personnel, processes and technology. We seek ways to remediate inefficiencies and reduce costs, while considering your short-term and long-term strategic goals. Windes & McClaughry’s Financial and Operational Improvement services include:

  • Business Process Improvement / Reengineering
  • Account Reconciliation Services
  • Finance Function Improvement – Financial Close, Budgeting, Forecasting, and more
  • Streamlined Sourcing and Procurement Process

For more information, please contact:

J. Lyle Scheppele, CPA

Strategic Services

Economic, regulatory and business environments are never static and can shift rapidly. Such changes usually require altering the direction or strategy of an organization to comply with new regulations, to become more efficient, to expand existing operations (organically or through acquisition), or in more extreme cases to simply survive. Windes & McClaughry's Strategic Services can assist your organization with such strategic initiatives and include the following:

  • Project Management Office (PMO)
  • Due Diligence & Merger Integration
  • Financial Accounting
  • Business Continuity & Disaster Recovery Planning

For more information, please contact:

J. Lyle Scheppele, CPA

Our BAS professionals work closely with client management to provide a tailored solution focused on the client's needs. Depending on the client's needs, our delivery method can range from client staff augmentation to full project solutions. Our approach is based on people, process, technology and risk while understanding, adapting to, and working within the culture of the client. Our professionals have extensive knowledge and experience in delivering a variety of services including, but not limited to, the following:

  • Sarbanes-Oxley Compliance
  • Audit Committee Advisory Services
  • Internal Audit Co-Source or Out-Source
  • Internal Control Diagnostic Studies
  • Common Area Maintenance (CAM) Expense Audits
  • Quality Assurance Reviews of the Internal Audit function
  • Enterprise Risk Management Consulting
  • Fraud & Forensic Consulting
  • Information Technology Audits
    • General Computer Controls
    • Application Controls
    • Information Security and Vulnerability Assessments
    • SAS 70
    • Software System Solution Selection
    • ERP System Implementation Risk Assessments
  • Business Process Improvement/Reengineering

Our alliance with Baker Tilly International provides additional national and international resources to assist our clients with specific technical needs at all applicable locations.

For more information, please contact:

J. Lyle Scheppele, CPA