One of the most powerful ways busy accounting teams can unlock time for higher-value risk management and data analysis is by automating as much of the credit card reconciliation process as they can.

BlackLine’s Transaction Matching tool offers powerful ways to help finance teams identify and review higher-risk credit card transactions. The tool automates the vast majority of routine purchases that fall within the organization’s policies and risk tolerance.

Using BlackLine, data from a variety of sources including data feeds from the organization’s bank and credit card issuers can be downloaded and matched automatically (typically overnight). BlackLine reconciles transactions that match details within the various data feeds and identifies the small minority of transactions that require corrections or human investigation.

One of the challenges finance teams face in reconciling credit card payments is the fact that every transaction will generate data from several sources. A purchase will typically create separate records from the point-of-sale (POS) system, payment processor, and potentially the organization’s general ledger.

This results in a need for two- or three-way matching in which a transaction must be reconciled. First, between the POS system and processor. Then, between the processor and the organization’s bank. And each transaction will have several data fields including the amount, date, and authorization code that need to match for a transaction to be reconciled.

As BlackLine reviews credit card data fields, it sorts transactions into three broad categories:

Transactions for which key details are identical in all the data sources are sorted into the “matched transactions” category. Generally, this will include most of a company’s credit card purchases.

Transactions for which most, but not all, of the key details are identical are routed into a “suggested matches” category for review by the finance team. This will typically include transactions such as amounts higher than a pre-set limit for a spending category or missing an authorization number.

In these instances, the finance team can provide any missing data and approve the reconciliation or set it aside for further review. 

BlackLine’s matching logic can also be adjusted to account for typical exceptions. For instance, it’s not uncommon for a transaction to clear the payment processor a few days later. The organization can establish a tolerance within the matching rules that says if the other details are the same, but the dates are off by four days, the transaction can be matched automatically.

The final category, “unmatched transactions,” would require manual review by the finance team. This will typically be a small fraction of the overall credit card transaction volume.

Overall, this automated transaction review and matching streamlines an onerous reconciliation process and frees up the finance team’s time for higher-value activities that contribute more directly to the organization’s performance and success.

To begin taking advantage of BlackLine’s powerful transaction matching tools, contact us today.  

With uncertain conditions and increased volatility in the U.S. economy, businesses looking to grow and improve profitability will need to understand their anticipated cash flow needs and choose the most effective strategies to prevent or address cash flow gaps triggered by growth.

A cash flow gap arises when a company’s expenditures exceed the funds that are coming in, resulting in a shortage of cash on hand. This can occur, for instance, when a company’s expenses are due before it receives payment on its outstanding customer invoices.

If, say, expenses must be paid on the 15th of the month, but customers don’t pay until the 30th, the company will need to cover expenses in the latter half of the month without the benefit of incoming cash. In this situation, the company may struggle to meet its obligations, or it may need to borrow short-term funds to cover outstanding expenses.

Bootstrapping occurs when a company uses its existing resources to self-sustain its cash flow needs to promote and develop the business. Sources of funds and activities commonly associated with bootstrap financing include personal savings, family loans, purchasing used equipment, bartering, leasing real estate and property, or obtaining advanced deposits.

The key advantages of bootstrapping include:

The potential disadvantages include:

Debt financing is when companies or individuals borrow money from a lender with terms to repay the loan plus interest. Common sources of debt financing include credit cards, loans from banks or financing companies, loans from private debt investors, or capital leasing.

The key advantages include:

The potential disadvantages include:

Asset-backed debt financing can allow companies to maximize their borrowing capacity by pledging collateral. For businesses without strong balance sheets or historically profitable operations, this may be a preferable approach to establishing or rebuilding credit with a financial institution.

Asset-backed lending works well for manufacturers with seasonal volume spikes or highly variable industry cycles that can disrupt their cash flow. Such businesses may experience rapid growth at certain times and have well-performing receivables. However, they may lose out on opportunities due to undercapitalization.

Accounts receivable factoring is a form of asset-backed lending commonly used by manufacturers. A factoring transaction occurs when a business sells its accounts receivable to a financing company at a discount in return for immediate payment.

Although the business will not receive the entire amount of the original receivable, the financing should allow for larger volumes of sales to occur while the company builds working capital to grow.

This is often the most expensive form of cash flow, but if other options are not available, factoring can provide the working capital a company needs.

Regardless of whether factoring is an option or not, decreasing the collection time of receivables should always be a focus.

Numerous cash management options can be implemented as part of a company’s strategy to combat the cash flow gap. One aspect they share is that they take time to initiate.

As the outlook and shape of the banking industry have changed in recent years, companies need to evaluate their available options and be prepared to implement a concerted solution as growth opportunities emerge.

Companies should prepare a cash flow forecast to understand best how much cash is needed to fuel growth. Contact us today to learn more about a cash flow gap and see how we can help.

With the Australian Prudential Regulation Authority (APRA) enforcing CPS 230 – Operational Risk Management – as of July 1, 2025, material service providers (MSPs) supporting APRA-regulated entities are facing new expectations.

Whether you deliver core technology services, credit assessments, or other business-critical operations, understanding your role under CPS 230 is essential.

Here’s what you need to know.

CPS 230 replaces APRA’s earlier standards on outsourcing (CPS 231) and business continuity (CPS 232). Its goal is to improve the operational resilience of regulated entities—banks, insurers, and superannuation (pension) funds—by strengthening how they prepare for and respond to disruptions, including cyberattacks, system failures, and third-party breakdowns.

CPS 230 applies directly to APRA-regulated entities. However, the obligations flow downstream to MSPs via updated contracts, requiring providers to meet specific operational risk expectations.

By July 1, 2026, or the next contract renewal, APRA-regulated entities must ensure all agreements with MSPs reflect CPS 230 requirements. That makes now the right time for service providers to assess their position and engage proactively.

CPS 230 applies to vendors classified as “material service providers” by their APRA-regulated customers. APRA defines MSPs as vendors:

Examples include IT infrastructure providers, mortgage brokers, credit assessors, claims processors, and others delivering core services.

Important note: Your customers—not your organization—decide whether your services are material. Once designated, your role in supporting critical operations and aligning with recovery time expectations must be clearly understood.

Once designated an MSP, review your contracts with APRA-regulated customers to ensure they reflect CPS 230 requirements. These include:

Your business continuity plan (BCP) must support your customers’ ability to maintain critical operations during disruptions. This includes:

CPS 230 requires regulated entities to understand their extended supply chain. As an MSP, you’ll need to:

This “fourth-party” visibility is a key element of operational risk mapping under CPS 230.

For MSPs, CPS 230 isn’t just a compliance exercise. It’s a chance to improve operational maturity, strengthen customer trust, and become a preferred partner for APRA-regulated organizations.

Understanding your status, updating contracts, aligning continuity strategies, and mapping supply chain risks will set you apart as a CPS 230-ready provider.

What Are Tolerance Levels Under APRA?

APRA defines tolerance levels as:

Your RTOs, backup strategies, and contractual SLAs must reflect these thresholds.

We help service providers streamline compliance with both SOC 2 and CPS 230 requirements. Our SOC 2+ report covers traditional security, confidentiality, and availability controls—plus key CPS 230-specific elements for MSPs.

This means you can deliver a single SOC 2+ report to your APRA-regulated customers, addressing multiple assurance needs with one engagement.

To understand how CPS 230 may affect your organization—and how to prepare—contact us. We’re here to help you navigate the changes and build a compliance strategy that creates long-term value.

Disruptions are inevitable in business and their effects can be quite significant for small to medium businesses (SMBs). By taking the initiative and embracing business continuity planning, SMBs can mitigate risk, navigate uncertainty, and emerge from adverse situations stronger and more resilient.

Larger corporations typically have dedicated resources for risk management, while SMBs do not possess the same level of preparedness. But SMBs are equally vulnerable to disruptions, whether from natural disaster, cyber-attack, power outage, equipment failure, human error, or supply chain disruption that affects critical business operations.

Investing in business continuity is valuable not only in mitigating risks and addressing emerging threats, but also in safeguarding the long-term sustainability of the business and maintaining trust and confidence among customers, investors, and other stakeholders.

Customers and suppliers increasingly want to collaborate with organizations that demonstrate their commitment to reliability, risk management, and responsiveness through an effective business continuity plan (BCP). Customers depend on SMBs to deliver products or services consistently and dependably, while suppliers depend on their customers to maintain stable demand for their offerings.

Internal challenges can pose significant barriers to the successful implementation of business continuity strategies for SMBs. For companies with simple organizational structures and fewer personnel, it can be challenging to identify critical processes, assess risks, and develop mitigation strategies. These obstacles may include:

Business continuity planning involves developing and implementing a comprehensive set of organizational policies and procedures to prevent and recover quickly from crises. Establishing a dedicated Business Continuity Planning Team entrusted with the responsibility to design, implement, and maintain a robust BCP is imperative for an organization’s ongoing success.

Developing an effective BCP requires a thorough understanding of the organization’s operations and dependencies, and the recognition of potential vulnerabilities. In most cases, SMBs choose to optimize the expertise of consultants that specialize in the complex planning involved with BCPs. Consultants partner with the organization and serve as a key advisor, offering guidance on effective BCP strategies and implementation.

Key components integral to business continuity planning that consultants often tailor to the needs of specific companies include:

Planning for these actions before a disruption resulting from a disaster or other unplanned event is critical to help mitigate risk and ensure the availability of potentially scarce resources when they’re needed most in the immediate aftermath of a crisis.

Contact us for innovative solutions and actionable strategies to help prepare your business for the unexpected.

Open Banking under the Consumer Data Right (CDR) is reshaping the Australian financial services landscape. The legislation requires financial institutions to securely share customer data with accredited third-party providers (TPPs), but only when customers opt in. Consumers retain full control and can opt out at any time.

For TPPs, this opens the door to new products, services, and customer insights, driven by access to standardized data through secure APIs. But with that opportunity comes a heightened focus on security, privacy, and compliance.

Australia’s Open Banking framework mirrors the United Kingdom’s model introduced under the Payment Services Directive 2 (PSD2) in 2018. It establishes two primary categories of third-party providers:

For now, Open Banking in Australia is limited to AISP functions.

The Australian Competition and Consumer Commission (ACCC) is the lead regulator, supported by the Office of the Australian Information Commissioner (OAIC). CSIRO’s Data61 has been appointed as the Data Standards Body (DSB), tasked with developing the Consumer Data Standards (CDS) across industries, beginning with banking and expanding to energy and telecommunications.

At the heart of the CDS is a clear priority: “APIs are secure.” That principle guides the technical specifications designed to mitigate cyber risks and inadvertent data exposure.

Open Banking is being introduced in phases. In late 2019, the ACCC announced delays due to security concerns:

While some large institutions may resist the timeline, tech-forward providers have already developed APIs and platforms ready to capitalize on the shift.

TPPs must register with the ACCC and demonstrate compliance with the CDS. This includes:

These requirements ensure data recipients are prepared to safeguard sensitive consumer information from both technical breaches and organizational oversights.

SOC 2 and ISO/IEC 27001 are widely recognized frameworks for demonstrating strong security and privacy controls. While not required explicitly, they align well with the expectations of Open Banking regulators.

These frameworks assess and validate key elements such as:

Pursuing a SOC 2 report or ISO/IEC 27001 certification signals that your organization takes its security responsibilities seriously and provides third-party assurance that your practices meet industry standards.

Open Banking offers a competitive advantage for TPPs that can demonstrate compliance, transparency, and operational maturity. Whether you’re preparing to register with the ACCC or looking to strengthen your security posture, aligning with trusted frameworks like SOC 2 and ISO/IEC 27001 can accelerate your readiness.

To learn more about how Open Banking requirements may affect your organization—and how to prepare—contact us. We’re here to help you turn compliance into opportunity.

For busy accounting teams, automating bank reconciliations offers one of the fastest ways to increase efficiency, improve financial risk management, and free up time for higher-value data analysis.  

Using BlackLine’s Transaction Matching to reconcile bank accounts to the general ledger allows finance teams to spend less time squinting at multi-colored spreadsheets and more time identifying high-risk transactions and analyzing the organization’s financial performance.  

Automated bank and general ledger matching provide several benefits to finance teams and organizations, including: 

Using BlackLine’s tools, bank transactions occurring during a set period (such as a month) are downloaded into the system and reviewed by the platform’s matching engine. From there they are sorted into three categories: Matched, Suggested Matches, and Unmatched.   

Transactions for which key details (such as the check number and amount) match general ledger data precisely are sorted into the “matched transactions” category. In most instances, this will include 80% to 90% of an account’s transactions in a given period.  

Transactions for which most, but not all, of the key details are identical are routed into a “suggested matches” category for review by the finance team. This will typically include transactions with potential issues such as missing check numbers, or a transaction that falls outside the expected date range for clearing the bank.  

In these instances, the finance team can provide any missing data and approve the reconciliation of a flagged transaction or set it aside for further review.  

The final category, “unmatched transactions,” would require manual examination and intervention by the finance team. In most instances, this should only be a small handful of exceptions that can be identified and processed rather easily.  

As finance professionals review suggested matches and unmatched transactions, they can adjust BlackLine’s rules to account for a broader range of acceptable variations. If, for instance, several transactions are cleared beyond the default date range, the finance team can adjust the range to include a higher volume of transactions that still fall within the organization’s acceptable tolerances.  

Over time, these adjustments to the system’s matching rules can help the finance team enhance the benefits of their transaction matching tool while streamlining reconciliations and the financial close.  

Well-directed automation can free up valuable time for the finance team, allowing them to focus their time and attention on processes that provide higher value to the organization and allow them to partner more effectively with business unit leaders.  

To begin taking advantage of BlackLine’s powerful transaction matching tools, contact us today.  

As executives incorporate sustainability considerations into their strategic planning and operations, the resulting benefits include more effective employee attraction and retention, risk mitigation, supply chain management, and more.

A panel of company leaders participating in a Sensiba webinar said that while some executives approach sustainability as a compliance exercise, the potential benefits can spread through to an organization’s culture and help it save money as well.

“There are many thoughtful people that are looking to drive change and to work with organizations that are doing good, celebrating people, and nurturing growth,” said Ahmed Rahim, Chief Visionary Officer and Co-Founder of Numi Organic Tea. “We’re here not to just focus on shareholder profitability, but also all the stakeholders involved, including employees. It is very important, and organizations are attracting people that want to create impact and put their time sweat, blood, and tears into something that goes beyond just creating a product.”

With more people interested in working for employers who share their values and provide a sense of purpose, including sustainability in the organization’s operations makes it more attractive to prospective employees.

“Since we’ve really become focused on sustainability, we’ve doubled our firm in the last four years, without acquisition, and that’s the proof in the pudding,” said John Sensiba, Managing Partner, Sensiba LLP. “That’s not the point—the point is to do the right thing—but it’s evidence that doing the right thing, especially in today’s transparent world, helps you attract a labor force and customers.”

To learn more about this sustainability benefit read our articles “Sustainability Attracts Talent” and “Sustainability and Employee Retention: A Winning Combination for Businesses.”

With an increasing number of sustainability-related disclosure requirements and growing expectations for sustainable practices among customers, companies that overlook sustainability can be taking on a higher level of compliance, reputation, and marketplace risk.

“We do a total risk assessment when we onboard our customers because this is such a dynamic environment, with changing regulations and changing situations,” said Hannah Kain, President and CEO of the supply chain management firm ALOM Technology. “When it comes to sustainability and reporting, it’s important to help our customers with understanding their requirements and providing information so they can report quickly. There’s a lot of risk in the supply chain, starting with environmental risk, but there’s also social, and of course, governance, compliance, and oversight risks.”

Organizations face risks from failing to describe what they’re doing effectively to business partners or customers. “We worked with a company that was actually a pretty good actor, but didn’t tell their story well and they didn’t get a good grade on a scorecard for a certain buyer,” said John Sensiba. “We helped them identify and explain what they were doing in a way that allowed them to continue to sell to that customer. It shows you the risks they had—not because they weren’t doing the right thing, but because they didn’t know how to tell their story well enough.”

Sustainable practices also provide opportunities to increase efficiency and reduce operational costs throughout organizational supply chains. Kain said minimizing product packaging, choosing suppliers close to production facilities or customers, and optimizing shipping routes can reduce the waste and carbon emissions in an organization’s supply chains.

“The first thing we look at is, ‘are we doing things we don’t need to do?’” Kain said. “When a package comes to your doorstep, maybe two-thirds or three-quarters of the box contains air that has been transported around and used up resources.”

The opportunities to maximize the benefits and ensure economic resilience for your business are growing. To learn more about integrating sustainable practices into organizational strategies, planning, and reporting, contact us.

Property owners interested in disposing of commercial or investment real estate, and deferring the resulting taxable gains, may benefit from a Section 1031 “like-kind” exchange. Under this provision, they can exchange real property held for investment or for use in a trade or business for a similar (or like-kind) investment property. 

Under tax regulations, the idea of a “like-kind” property is defined broadly. Most real property will be considered eligible for a like-kind exchange unless the relinquished property or the replacement property was held primarily for sale. 

A like-kind exchange must involve commercial or investment real estate. Under the Tax Cuts and Jobs Act, tax-deferred Section 1031 treatment is no longer allowed for exchanges of personal property, such as equipment and personal property building components, completed after December 31, 2017. 

Common examples of qualifying commercial or investment properties include: 

For a straight asset-for-asset exchange, you won’t have to recognize any gain from the transaction, and your basis (the acquisition cost for tax purposes) transfers from the relinquished property to the replacement property. You then report the transaction on Form 8824, “Like-Kind Exchanges.” 

In many transactions, however, the properties aren’t equal in value. In these instances, cash or other property is added to the deal. These additional assets are known as “boot.” If boot is involved, you’ll have to recognize a gain for tax purposes, but only up to the amount of boot you receive in the exchange.  

In these situations, your basis in the like-kind replacement property becomes: 

No matter how much boot you receive in a transaction, you’ll never recognize more than your actual (or “realized”) gain on the exchange. 

If the property you’re exchanging is subject to debt from which you’re being relieved, that amount is treated as boot because it’s equivalent to receiving cash in the transaction. If the replacement property is also subject to debt, that amount can reduce or exceed the boot.  

Like-kind exchanges can also play a role in estate planning because the tax basis for any beneficiaries who receive property that have been exchanged will receive it at the fair-market value on the day on which the property is inherited. This value could be significantly higher than the previous basis, allowing the beneficiaries to avoid taxes that had been deferred in previous like-kind exchanges.  

If your properties meet the requirements, like-kind exchanges can be an effective tax-deferred way to dispose of investment, trade, or business real property.

For more information on 1031 exchanges read our article “1031 Exchange Rundown: What you Need to Know”. 

Contact us if you have questions or would like to discuss the strategy further. 

The ISO 27001 certification and the SOC 2 report are perhaps the leading frameworks for companies to demonstrate their commitments to securing customer data. Some service providers, depending on their customers and the types of information they handle, can benefit from obtaining both.  

Understanding the uses of each framework, where they overlap, their intended audiences—and whether an organization needs one, the other, or both—can play a large role in helping a service organization enhance its risk management efforts and highlight its security capabilities to current and prospective customers. 

A SOC 2 report provides service organizations with an external opinion on their compliance with a standardized set of industry-neutral controls based on the AICPA’s Trust Services Criteria—security, availability, processing integrity, confidentiality, and privacy.  

Under SOC 2, only the security criterion is mandatory. Deciding whether to include any of the other criteria depends on the types of information a service provider handles and its customers’ requirements.  

SOC 2 is not a certification. Instead, it is an audit opinion on the description of the system (a written narrative describing the infrastructure, data, people, processes, and boundaries of the system), and the controls implemented. 

An ISO 27001 Information Security Management System certification provides service organizations with a framework that’s more prescriptive than the SOC 2 criteria. ISO 27001 helps organizations manage and protect their information assets by developing policies, procedures, and controls to protect information from unauthorized access, alteration, theft, or destruction. 

An ISO certification requires a statement of applicability, risk assessment, internal audit, and management review. The certification also prescribes the number of days, primarily based on the organization’s headcount, an audit will require.  

A key difference between the two is that SOC 2 is not a certification. A SOC 2 report is an attestation by an independent audit firm as to whether the organization under review reasonably meets the standards outlined in the SOC 2 criteria.  

Both reviews look at the following:

ISO 27001 adds the following requirements:

SOC 2 adds the following:

The ISO certification is a three-year certification standard, starting with two stages in the first year. The stage one process is essentially a readiness review to ensure the organization has the information needed for the stage two audit. This will include, for example, items such as the organization’s internal audit function, risk assessment, and key policies and procedures.  

If this initial review identifies any areas of concern, the organization will typically have 30 to 60 days to remediate those issues. Once the areas of concern are addressed, the deeper-dive stage two audit will occur.  

After an organization receives ISO 27001 certification, surveillance audits are required for two years before its compliance needs to be recertified.  

ISO is an international standard, while SOC 2 focuses on North America. Service organizations supporting international customers outside of North America will benefit from an ISO certification.   

Similarly, companies based outside North America hoping to do business in the U.S., Canada, or Mexico will likely have an ISO certification but should consider obtaining a SOC 2 report to capture market opportunities in those markets.  

Service organizations operating globally would benefit from undergoing both audits. The good news is the types of information each review requires are similar enough that an organization undergoing one review will be about 70% of the way toward completing the other.  

Under the ISO 27001 standard, internal audits are required annually and must be conducted by someone who is both competent in auditing against the 27001 standard, as well as independent from the information security management system being reviewed.  

Because of these two requirements, most organizations interested in ISO certification outsource their internal audit function to a third party. For all but the largest organizations, someone on staff who is competent in the ISO standard is unlikely to be independent. In addition, outsourcing the internal audit function often results in a more thorough evaluation of their management system.  

Organizations interested in pursuing ISO 27001 and SOC 2 reviews can streamline the process by scheduling both examinations carefully. For instance, SOC 2’s higher sampling requirement means the information gathered for that audit can also be used as part of the ISO certification, if the audits are timed correctly.   

Similarly, the organization should align the periods when auditors will be reviewing evidence with less-busy times of the fiscal year. Conducting both reviews at once can reduce the administrative overhead on their internal teams.   

Service organizations that process personal health information and need to demonstrate compliance with Health Insurance Portability and Accountability Act (HIPAA) security and privacy safeguards can also incorporate that examination with a SOC 2 audit.  

To learn more about ISO 27001, SOC 2, and the potential benefits of undergoing both reviews, contact us.  

If you’re a financial service provider in Australia or your company sells software or services to one, you’re likely to encounter APRA regulations. The Australian Prudential Regulation Authority (APRA) oversees financial services in Australia, and its evolving standards increasingly impact regulated entities and their third-party providers.

There are two ways APRA may apply to your company:

 You’re an APRA-regulated entity. If you’re a licensed institution such as a bank, insurer, or superannuation provider, you’re directly subject to APRA’s suite of prudential standards, CPS (Cross-industry Prudential Standards). These include prescriptive requirements and principles-based guidelines, requiring direct compliance and evidence of ongoing oversight.

You serve APRA-regulated customers. If you’re not directly regulated, your services may support APRA-regulated entities in cybersecurity, risk, or continuity planning areas. In these cases, your customers are accountable to APRA for any risks introduced through third-party relationships—and they will often extend their compliance obligations to you.

You must read, interpret, and meet all applicable requirements if you’re regulated directly. You’ll also be subject to APRA supervision and potential enforcement actions. If you serve regulated customers, you won’t be subject to direct APRA oversight, but you should expect compliance assessments, due diligence reviews, and ongoing assurance requests from your clients.

This standard mandates that APRA-regulated entities formally assess, manage, and monitor risk across their operations, including their third-party supply chains. While CPS 220 doesn’t directly impose obligations on suppliers, regulated entities typically conduct vendor due diligence and require annual reassessments as part of their risk management programs.

CPS 232 focuses on ensuring the continuity and availability of critical services. If a customer’s business continuity depends on your product—such as ATM withdrawals relying on your software—your services fall within their continuity scope. Regulated entities may require business impact assessments, recovery objectives, testing, and formal continuity plans from you, even if you’re not directly subject to APRA.

Introduced to raise the baseline for cybersecurity, CPS 234 requires APRA-regulated companies to implement and monitor security controls, with oversight at the board level. It was also the first APRA standard to mandate supplier verification based on the criticality and sensitivity of the data involved. If your system processes sensitive customer data, expect to undergo heightened security assessments by your clients.

Effective July 2022, CPS 230 integrates elements from CPS 220 and CPS 232 to form a comprehensive operational risk framework. It adds formal internal control expectations, event response processes, and enhanced third-party oversight. Nearly half the standard focuses on vendor risk, underscoring the growing pressure on regulated entities to monitor and manage supplier performance.

If your business works with APRA-regulated clients, these standards will likely shape their expectations of your services. While global frameworks like SOC 2, HIPAA, and ISO/IEC 27701 don’t map perfectly to APRA’s requirements, they offer a strong foundation for meeting customer assurance needs. These certifications demonstrate proactive risk, security, and continuity management and can help bridge the compliance gap, especially for non-regulated providers.

Need help navigating APRA-aligned standards or demonstrating assurance to regulated clients? Contact us to learn how we can support your compliance and risk management goals.

Any compliance program needs a few key elements. Each element has its benefits, but implementing all three ensures your compliance program is robust and fit-for-purpose.

No matter what software or services you plan to use for your compliance, you need to maintain internal governance activities. This includes your management structures, defined processes, the systems you use to track and operate processes, how you manage your employees, and more.

These can’t be outsourced. They can be simplified and supported by software or third-party service providers like a CISO, but they will always remain your responsibility to operate and ensure they meet your compliance obligations. Those obligations include your customer’s requirements, any regulations that apply, and your internally defined policies that are influenced by those other requirements.

These policies are a critical foundation for all three components of your compliance, and it’s best to define them early so the remaining pieces fit together.

Every company uses some form of software as part of its compliance program. We can broadly divide this into two sub-parts: software in the scope of compliance and governance, risk, and compliance (GRC) platforms. 

Software in the scope of compliance typically includes the key systems holding sensitive data. For typical SaaS companies, this includes cloud infrastructure like AWS, in-house-built product(s), code repository, authentication software, and others.

Both need to be secured and operated effectively to comply with security compliance standards, but they often have features that automatically address compliance requirements. For example, AWS has network firewalls, applies encryption to databases, and enables effective system recovery. For Okta, it’s strengthening authentication to other systems. 

GRC software is designed to manage compliance obligations centrally. This is a very broad category that includes platforms enabling audits and compliance to be verified effectively. It also includes compliance platforms designed for maximum automation of security standards. These platforms are often much broader than security compliance.

They include functions to implement and maintain the risk registers, vendor tracking, and compliance controls across any standards. We partner with some of the world’s leading GRC platforms like Drata and Vanta to create a seamless compliance experience.

There are two main categories of professional services, generally called “consultants” and “auditors.”

Consultants implement and maintain compliance (think CISO services), while auditors verify compliance and issue accreditation. To maintain independence, these two roles need to be segregated.

Whilst some companies prefer to use their internal teams to build compliance capability in-house, engaging third-party consultants can save those internal responsible owners time and add capability, especially if there are no internal security experts. 

Auditors are required for any formal compliance accreditation. It’s the independent audit and issuance of assurance reports or certifications that constitute compliance with many of the industry standards. For regulations, you can be compliant without verification from auditors, but providing audited assurance reports builds greater trust with third-party stakeholders who are accountable for your compliance.

For example, using third-party services that handle relevant data like the personal data of EU citizens, triggers GDPR compliance requirements that apply to the enterprise.

To learn more about designing and leveraging these pillars effectively to protect your organization and data, contact us.

Nearly two years after its initial proposal, the U.S. Securities and Exchange Commission (SEC) adopted final climate disclosure rules on March 6, 2024. The new rules require registrants to disclose certain climate-related information in their registration statements and annual reports.

The final rules require a registrant to disclose, among other things:

Large accelerated filers with calendar year-end reporting will begin financial disclosures in annual reports for the year ending December 31, 2025, with the start of GHG emissions and related assurance ranging from 2026 to 2033.

Accelerated filers will begin financial disclosures after December 31, 2026, with limited GHG emissions starting in 2028.

Non-accelerated filers, smaller reporting companies, and emerging growth companies will begin financial disclosures after December 31, 2027. They will not be required to make GHG-related disclosures.

Scope 1 and 2 emissions, if deemed material by a registrant, will need to be disclosed on Form 10-Q for the second fiscal quarter following the year to which the GHG emission disclosure relates.

The rules also face legal challenges that could affect their ultimate implementation date.

The SEC adopted the new rules in response to growing investor interest in climate-related risk and the financial implications for public companies. SEC Chair Gary Gensler said 90% of the companies in the Russell 1000 stock market index currently provide climate-related disclosures, predominately in annual sustainability reports. Climate-related disclosures may also appear in quarterly and annual SEC filings and registration statements.

Erik Gerding, director of the SEC’s Division of Corporation Finance, said because climate-related risks can affect a company’s performance and share price, investors are interested in the potential effects on the registrant’s strategy, results, and financial condition. Despite this interest, climate disclosures are often inconsistent, and can be difficult to find and compare across entities.

Elliot Staffin, special counsel in the SEC’s Office of Rulemaking, said registrants will be required to disclose any climate-related risks that have had, or reasonably will have, a material impact on registrants, as well as the mitigation processes companies have integrated into their risk management systems.

In its final rules, the SEC omitted the required disclosure of Scope 3 GHG emissions from registrants’ value chains (aka indirect emissions). The omission came in response to registrants’ comments to the initial proposal that collecting the required data would be challenging and cumbersome.

Even without an SEC mandate, private companies will surely face increasing requests from their public-company business partners to provide their sustainability- and climate-related risks and opportunities.

The regulatory landscape, however, goes beyond the federal level. In June 2023, the International Sustainability Standards Board (ISSB) issued requirements for companies reporting under IFRS to disclose the impacts of industry-specific sustainability issues and climate-related risks. Further, In October 2023, California enacted two laws mandating Scope 1, 2, and 3 reporting by companies operating in the state that report more than $1 billion in revenue. As a result, certain retailers and distributors have now made it “table stakes” to report greenhouse gas emissions and other ESG-related information to do business with them.

Beyond regulatory considerations, more companies are examining Scope 3 emissions as part of comprehensive reviews of their supply chains and the associated risks. Small and medium-sized businesses can expect additional questions about topics such as their manufacturing practices, including chemicals and byproducts, and their labor sources.

As large companies compare and select suppliers, they understand that choosing a partner with more sustainable manufacturing practices often leads to lower costs and reduces the reputational risk of being associated with suppliers with undesirable behaviors.

To learn more about the new SEC requirements or effective sustainability- and climate-related disclosures and reporting, contact us.

Automated credit card accounting platforms are streamlining expense management by replacing outdated paper-based processes and spreadsheets with mobile-friendly submissions and automatic reconciliations.

Expense reports have always been challenging for employees on the go, as well as finance teams trying to decipher often-haphazard, outdated, or incomplete information. Now, automated platforms such as Fyle enable companies to address the primary challenges of credit card management: collecting receipts, controlling approvals, and tracking card spending effectively.

Using Fyle, a user is prompted by a text message to take a photo of a credit card receipt immediately after a transaction and submit the image by replying. When the receipt is sent, it’s matched with the charge and the transaction is automatically coded and ready for completion and approvals. Once reviewed and approved, the expense is automatically synced to the accounting software and charged to the appropriate account, location, department, and project.

Automated solutions help finance teams address many administrative and processing challenges associated with manual expense reporting, including:

Beyond the administrative headaches, problems administering credit card expenses can affect the organization’s cash flow. For many professional service companies and some nonprofits, friction in recording card charges delays the revenue associated with invoicing customers for billable expenses.

One of the primary benefits of automating credit card processing is real-time visibility into the organization’s payment card spending. As soon as a card is swiped, the user is notified to submit a photo of the receipt. The image enables immediate visibility of the transaction, and accelerates real-time updates on spending associated with specific budgets and projects.

Fyle also offers real-time integration with accounting software platforms, allowing companies the option to process transactions as credit card transactions, accounts payable bills, or journal entries. Finance teams can tag the transactions with dimensions including employees, departments, locations, projects, or other user-defined dimensions. Over time, Fyle’s machine learning will become more capable of properly coding each company’s unique expenses.

When considering a credit card management platform, companies should look for solutions that connect directly with the leading payment processors such as Visa, MasterCard, or American Express. This connection allows companies to continue using their existing payment cards and prevents the need to rely on bank feeds to reconcile credit card transactions.

Another option to look for is the ability to issue virtual cards. They allow companies to set spending limits on transactions and restrict the type of charges that can be applied to a company credit card. Additionally, cards can be easily removed if an authorized user leaves the company.

Companies should look for solutions that allow users to submit digital receipts directly from their email or collaboration tools, and to automate user notifications for pending items such as unsubmitted receipts or unreviewed transactions.

To learn more about automated credit card management, contact us.

Everybody knows about the direct costs of their inventory, such as paying a vendor to stock your shelves or labor costs to manufacture the final product. But it can be easy to overlook manufacturing overhead costs—behind-the-scenes labor and production needed to create the final product.

Often referred to simply as “overhead costs,” these are indirect expenses incurred in the production process of goods or services. Overhead costs are applied to the units produced within a reporting period and capitalized as part of the finished good to be recognized on the balance sheet until sold.

Examples of overhead costs include, but are not limited to:

Methods of allocating overhead are up to the individual company. They can be based on fixed inputs generated during the production process such as the labor content of a product, the machine production hours, or the square footage used by production equipment. Management can also use multiple allocation methods, depending on the inputs, as long as their approach is consistent. Using the fixed inputs of production and applying them to indirect costs is known as the calculated overhead rate.

The calculation of the overhead rate is based on the period of production. For example, if you wanted to evaluate the overhead rate for the inventory produced during one week, you would need to total the indirect overhead costs for that week, then divide by the fixed inputs used to measure productivity for the same period. If you use direct labor as your fixed measure, you could analyze the efficiency of overhead costs for every dollar spent on direct labor for the week.

For financial statement reporting, Generally Accepted Accounting Principles (GAAP) and International Financial Reporting Standards (IFRS) require the assignment of manufacturing overhead as part of production costs. Overhead costs must be capitalized as part of the inventory asset account on the balance sheet. They are subsequently recognized on the income statement as the operating cost of goods sold once the finished product has been sold to the customer.

By tracking and recognizing overhead costs and applying them to the manufactured inventory, management is able to ensure several factors:

Everything flows to the bottom line, and understanding your overhead costs can lead to improved operating efficiencies and a larger profit. Proper cost management and overhead cost awareness can help management and owners ensure they are prepared for whatever the market throws at them.

Tracking fixed inputs and overhead costs manually can be a time-consuming and tedious project. If not already implemented, you should consider investing in a time and material inventory and accounting ERP system that can integrate and automatically apply overhead costs to production inventory.

Further, developing AI technologies can be used to increase cost savings across overhead inputs by identifying inefficiencies and streamlining processes, allowing organizations to better recognize growth opportunities. AI tools are being readily adopted into:

The rise of AI in production capacities offers limitless opportunities for owners to expand their future capabilities.

To learn more about calculating and optimizing manufacturing overhead costs, contact us.

Biodiversity, a measure of the variety of life on Earth, encompasses the diversity of plants, animals, and microorganisms, as well as the ecosystems they form and the variety of interactions between species. Biodiversity is essential to the health of our planet and all functions on earth, but its significance extends beyond environmental benefits and has profound implications for business.

In fact, new research from S&P Global Sustainable finds that 85% of the world’s largest companies in the S&P Global 1200 have a significant dependency on nature across their direct operations.

Economic endeavors rely heavily on biodiversity and natural capital, highlighting its importance as a driver of sustainable growth and innovation. Biodiversity underpins essential ecosystem services businesses rely on, including water purification, crop pollination, climate regulation, and nutrient cycling. Preserving biodiversity can ensure the continued availability of these critical services, directly benefiting businesses that rely on natural resources.

Changes to, or the loss of, natural ecosystems and the biodiversity within those ecosystems can have profound implications on companies in a variety of industries.

Agribusinesses, for instance, depend heavily on pollinators like bees for crop production. The loss of biodiversity, often caused by pollution, deforestation, and unsustainable land use, can disrupt these services, leading to increased costs and reduced productivity.

Consider the tourism and hospitality sector, which often depends on natural features, such as coral reefs, to attract tourists interested in snorkeling and diving. Coral reefs support diverse marine life, and their decline due to climate change and pollution can reduce tourism revenue.

The automotive sector depends directly and indirectly on biological diversity and ecosystems for renewable resources such as natural rubber for tires, leather for seats, and ready access to water supplies for production processes.

In the financial sector, biodiversity can be a consideration for investment decisions. Accounting firms are increasingly being asked to evaluate ESG disclosures as well as financial reporting.

The diversity of species offers a variety of materials, chemicals, and organisms essential to new products and services. Pharmaceutical companies, for instance, derive numerous drugs from compounds found in plants and animals. Similarly, the fashion industry relies on the variety of plant and animal fibers for fabrics and clothing production. Biodiversity is vital for research and development, driving innovation in various industries.

Preserving biodiversity can also open new markets and create economic opportunities. Consumer demand for eco-friendly and sustainable products is rising, and companies that integrate biodiversity considerations into their operations can gain market share. This shift can lead to the development of new business models, such as eco-tourism or sustainable agriculture, that can be profitable and environmentally sustainable.

For businesses, investing in biodiversity can act as a risk mitigation strategy because biodiverse ecosystems are typically more resilient to market volatility. For example, a diverse forest can be more resistant to pests, benefiting the timber industry. Biodiversity also plays a role in climate change mitigation, which is increasingly becoming a concern for businesses worldwide due to regulatory and reputational risks.

Recognizing the interdependencies within an ecosystem—specifically, the extent to which an organization depends on ecosystem services—can provide valuable insights into the potential risks the organization might encounter if an ecosystem service is disrupted.

From another perspective, engaging in biodiversity conservation can enhance a company’s reputation and brand value. Consumers have become more acutely aware of environmental issues and favor businesses that are committed to sustainability.

When a company openly communicates its dedication to eco-friendly practices, it showcases transparency and accountability and can build trust over time. This trust becomes a valuable asset, particularly during times of crisis or when introducing new products or services.

With the growing emphasis on sustainability, governments worldwide are implementing regulations to further protect biodiversity. Businesses will benefit from being proactive in understanding these regulations to be better protected from the financial risks of noncompliance. Additionally, tax or other financial incentives will likely continue to be available for businesses that successfully and consistently demonstrate a commitment to sustainable practices.

The economic benefits of biodiversity are abundant. Biodiversity ensures the longevity of natural resources that are essential for business operations and opens avenues for innovation, risk mitigation, and market growth. While the global economy benefits from nature, it is also driving nature loss and simultaneously prohibiting ecosystems’ ability to sustain their intrinsic services.

As the world more fully recognizes the importance of sustainability, biodiversity will become a crucial factor in strategic business planning, offering challenges and opportunities. Companies that understand and integrate the value of biodiversity into their business models will likely thrive in the emerging green economy and find value in staying aware of current conservation efforts.

If you’re curious about the benefits of biodiversity and risks associated with your industry, reach out to the Sensiba sustainability team for more information.

Improved cash flow management, forecasting, and operational efficiency are among the advantages outsourcing their accounting and finance functions offers to restaurant operators.

Under an outsourced accounting arrangement, a restaurant company gains the experience and knowledge of a professional finance team without having to invest in full-time staffers or spending time learning specialized software platforms.

The outsourced team takes on the company’s daily finance and accounting tasks such as:

Outsourced accounting allows management to tap into professionals with restaurant-specific experience who can unlock insights hidden in performance data.

This professional help allows restaurant operators to focus on running their stores, building their business, and concentrating on the hospitality-related tasks they enjoy most.

Many growing restaurant companies quickly recognize the importance of effective financial management—as well as the challenges of trying to do it yourself or with the help of a well-intentioned friend or family member.

In addition to understanding how much cash flows into and out of a restaurant, operators also need to monitor critical factors including labor and ingredient costs, and other important performance metrics.

Outsourced accounting is more cost-effective than spending money on fulltime staffers that, even for an operator with two or three locations, you don’t need. Rather than paying fulltime salaries and benefits, you can purchase the right level of accounting talent for your company today, freeing up vital cash for other areas of your business.

Managing cash flow effectively is a common challenge for restaurant operators for several reasons. For instance, each location receives almost-daily deliveries of ingredients, linens, and other essentials. Many of these deliveries come with two- or three-day payment terms. The operator needs the ability to understand how much cash is coming in and the agility to make payments quickly.

A professional finance team can also support the restaurant with accounting software that makes forecasting and reporting much easier than would be possible with spreadsheets or general-purpose small-business software. Financial management software can improve efficiency and streamline operations by automating account reconciliations and identifying transactions that may indicate financial fraud.

To learn ways to improve your accounting software, read our article “Assembling a High-Performance Restaurant Tech Stack”.

The outsourced accounting team will be able to analyze your restaurants’ performance data to help you understand the factors driving performance. It’s one thing to know you can pay tomorrow’s bills, but it takes operators to a different level when you know details such as the percentage of your expenses devoted to ingredients, or how your front-of-house labor costs compare with those in the back of the house. Understanding these details help operators identify issues and make necessary adjustments to course correct before issues become problems.

In many cases, restaurant operators are collecting data from their point-of-sale (POS) systems and invoices. Unless their finance team analyzes that data, valuable insights that can unlock performance improvements will go unnoticed and management will rely primarily on instinct.

Accounting professionals can also help with detailed forecasting and trend analysis to better understand how costs and profitability can vary by location, day and time, season, and other factors. Your outsourced finance team can go beyond reviewing actual spend to develop budgets and forecasts. Management can also compare the likely outcomes of different scenarios, such as adjusting staffing levels, launching promotions, or increasing menu prices to obtain desired revenue and profitability

To learn more about the performance and profitability benefits outsourced accounting can provide restaurant operators, contact us.