

The BARR Way

The BARR Way Mantra
1. Question every requirement
Never accept that a process or requirement came from a department, such as “legal”, “the quality department”, or “the CEO”. You need to know the real name of the person who made that requirement and question it, no matter how smart that person is or how widely adopted a practice guide is.
2. Delete any part or process you can
3. Simplify and optimize, leveraging the five leadership abilities
4. Accelerate cycle time
5. Automate

Proven Processes (Front Stage)
Attest Proven Processes
General Examination Engagement

Connect
After we connect on a 30-minute call to determine a prospect’s needs, including the timing of their examination engagement, BARR will send an engagement letter within one day to confirm our understanding. We guarantee client satisfaction.
Readiness
The readiness assessment provides three deliverables to assess readiness to begin the audit: System Scope, Prioritization of Gaps, and Key Controls. This is accomplished as follows:
Readiness Meeting #1: The client meets with their BARR engagement manager, shares a system demo, and confirms scope and expectations.
Readiness Meeting #2+: In this 2+ hour meeting, we review the client’s key processes such as change management, access management, and vulnerability management.
Readiness Meeting #3: A debrief meeting to confirm the three readiness deliverables.
Remediate & Engage: The client corrects gaps prior to the start of the audit period.
Examination Engagement
Plan: A kickoff call is scheduled with the client to confirm we are on the same page with the scope, timelines, deliverables, and personnel needed for the assessment. The client is responsible for confirming control wording and drafting the system description. BARR provides information requests based on the agreed scope and controls.
Assess: The engagement team schedules walkthroughs with the client to assess the controls and any preliminary issues. Everyone’s time is valuable. To make efficient use of time, BARR reviews the provided information requests and control activity in compliance automation software (if available) prior to walkthroughs. Walkthrough duration depends on the complexity and size of the environment; however, four hours is the typical time commitment.
Report: BARR provides a draft report, including feedback on the system description based on BARR’s knowledge of the system and control environment, no later than 30 days after period end. Once the client has reviewed it, BARR performs final editorial and quality reviews. After the client signs off on the management representation letter, the report is issued.
Celebrate & Optimize: BARR provides a promotional package and schedules a debrief to review improvement opportunities for the client’s security program, rate the engagement, and plan the next engagement.
Certification to ISO Standards

Internal Audit - The prospect is responsible for, and required to, obtain an internal audit prior to kicking off Stage 1. The internal audit can be completed by an outside firm or by an independent resource within the prospect’s organization who is not the control owner and is not responsible for the client’s ISMS.
Deliverables from the internal audit include:
Statement of Applicability
Risk Assessment
List of major and minor non-conformities
Stage 1: ISMS Review - BARR conducts a review of the ISMS based on ISO Clauses 4-10. This stage focuses on enterprise-level controls and environment, such as key policies and procedures.
Stage 2: Annex A Controls - BARR conducts a review of the client’s Annex A controls, or customized controls based on the Statement of Applicability (if available), in a live setting, to test for effectiveness.
Certification Issuance - We can issue the ISO 27001 certification once Stage 2 has been completed. Any major non-conformity found during Stage 1 or Stage 2 must be closed before issuance. If a minor non-conformity is found, we can issue the certification as long as there is a project plan in place to close it.
Subsequent Surveillance Audits - In the two years following the initial certification, BARR performs surveillance audits. Each consists of a review of the client’s ISMS (i.e., Stage 1) as well as a check on one third of the Annex A controls.
Timing - The number of audit days we spend on the client depends primarily on their headcount in relation to their ISMS. Please refer to the ANAB audit days chart (use the ISMS column).
HITRUST

Consulting Proven Processes
Objective
The Cybersecurity Consulting team establishes cybersecurity programs that are flexible and adaptive to the needs of the client and relevant stakeholders. This includes a common structure to establish a demonstrable cybersecurity program and to streamline the sales cycle when clients face customer security demands. Our approach includes the following phases, activities, and deliverables.
Phase 1: Gap Assessment and Remediation (2-4 months)
BARR believes in determining the why before proposing the how, and that careful planning is imperative to help our clients achieve their business objectives while managing their cybersecurity and compliance demands. When we start working with a new client for whom we are implementing a cybersecurity program, we first perform a gap assessment and then help the client remediate gaps and establish a cybersecurity program. Not all clients will follow this process exactly, and engagement teams will modify the approach based on statements of work and in-scope services.
Cybersecurity Gap Assessment
We help our clients identify gaps and provide a roadmap to implementing a sustainable and right-sized cybersecurity program. When assessing a client’s cybersecurity posture, we follow the steps below.
Step 1: Connect and Determine Scope: Once we have a signed contract or statement of work, we begin the process by connecting with the client and determining the scope of our engagement. This includes the following steps:
1. Prepare assessment documents, including the gap assessment workbook, agendas, and request lists, and send these to the client.
2. Onboard the client, including setting them up in BARR’s systems (e.g., Kantata, Google Workspace, etc.) and introducing the BARR team to the client team.
3. Perform a kickoff meeting with the client to establish the goals, objectives, responsibilities, and timeline of the engagement.
4. Facilitate collaborative discussions with the client to understand their business processes, regulatory requirements, and key risk areas to ensure we tailor our assessment to the client’s unique needs, and document our initial scope, including:
People
Processes
Technology
Data
Location(s)
Assessment framework and criteria
5. Document the initial scope and communicate this to the client.
Note: we will finalize the scope as part of Step 3 below.
Step 2: Assess the Client: We conduct a thorough and comprehensive cybersecurity assessment of the client’s existing cybersecurity program against best practices and the frameworks and criteria established during the scoping process. This process includes the following steps:
1. System walkthroughs and observations, interviews with key personnel, document reviews, and technical evaluations.
2. Initial drafting of the deliverables, which are finalized in the step below.
3. Document the results of the assessment, including a result for each in-scope criterion or requirement and a description of any gaps identified during the process.
Step 3: Prepare and Finalize Deliverables: Compile the findings from the assessment into a formal report that clearly outlines identified gaps, areas of non-compliance, and potential vulnerabilities. This report includes the following information:
1. High-level scope definition of the client based on the people, processes, and technology identified in the assessment process.
2. Prioritized list of gaps and recommendations to remediate them, including:
Detailed description of the gap
Recommendation to remediate the gap
Proposed remediation plan
Priority ranking based on impact to controls or in-scope criteria
Owner(s) of each remediation plan
3. Initial set of controls, aligned with the in-scope criteria and best practices.
BARR also provides an executive summary, typically in the form of a slide deck, to use when presenting the results to an executive team or other interested parties that do not require the details of the gap assessment report.
Step 4: Debrief and Plan: Conduct a debrief session with the client to discuss the findings, recommendations, and next steps. This involves a detailed walkthrough of the report to clarify any client concerns, assign ownership of the remediation activities, and discuss a plan to carry those activities out. This includes a project management plan between BARR and the client to determine how we will monitor and report on progress throughout the remediation process.
Remediation
Once we have completed the gap assessment, BARR helps the client remediate gaps and move forward on their roadmap to an implemented cybersecurity program. The goal of this phase is to help the client reach its desired cybersecurity and compliance state, including remediating gaps from our assessment.
Remediation activities will vary from client to client, but in most engagements BARR will:
1. Establish a Security Committee: Form a security team between BARR, the client, and other partners. We want representatives from each department and a designated CISO to own the program and team. Document and assign team members’ responsibilities, including BARR’s responsibilities and limitations.
2. Project Management: Ensure all gaps and recommendations progress toward remediation and provide regular updates to the client team on that progress. Support and manage remediation owners as requested and needed.
3. Provide Remediation Deliverables: Complete BARR-owned remediation plans and provide those deliverables to the client. These will vary from client to client, but we make sure the appropriate policies, procedures, documents, and controls are implemented. These may include:
Security team documents (e.g., charter, resumes, responsibilities)
External-facing security package to help with customer security evaluations (e.g., SIG Lite, Trustpage, etc.)
Information security policies and procedures
Vendor reviews
Risk assessment documentation
4. Determine the approach moving forward: Once we have reached the remediated state, we establish processes for ongoing management of the client’s cybersecurity program. This involves setting up processes for regular monitoring, periodic assessments, and updates to the cybersecurity program and posture in response to evolving threats and compliance requirements. We ensure the client’s organization has a sustainable cybersecurity program and manage it for them. This includes:
Debrief with client personnel, including the executive sponsor, executive teams, and other parties
Documented long-term security plan based on everything above, including a process to monitor progress and provide updates to client leadership
Integrate the BARR team with the client for efficiency and to deepen the relationship
Confirm BARR’s responsibilities and the portions of the program that we will manage moving forward
We will communicate budget and fee estimates to clients for Phase 2.
Phase 2: Cybersecurity Consulting (ongoing)
Once we have helped the client achieve their initial goals in Phase 1, we move into an ongoing relationship with the client in which we help manage their cybersecurity program, including the specific services listed below. We may perform all of these services for the client, one of them, or any number in between. We may also perform these services for a client without going through a formal gap assessment. We document the in-scope services in our contracts and statements of work.
vCISO advisory and leadership
Policies and procedures
Risk management
Incident response program management
Customer compliance questionnaires and security evaluations
User access reviews
Tabletop exercises for business continuity and incident response
Privacy assessments
Third-party risk management
Internal audits
Security awareness training
Penetration tests
External audit assistance
Managed compliance automation tools
Ad-hoc services as requested by the client

Core Processes (Back Stage)
Business Development & Marketing
Inbound Lead
Objective: Define the prospect journey to ensure each inbound lead is addressed the BARR Way.
1. Drive Awareness
SEO/SEM, Sponsorships, Content Marketing, Events, PR, Social Media, Partnership Referral, Employee origination, etc.
2. Incoming Lead
All Sales Qualified Leads are sent to the engage@barradvisory.com email group.
Within 24 hours of receipt, the business development employee next in the round robin performs the following:
Checks whether the lead was automatically added in HubSpot
Adds lead and company information to HubSpot (if not already present) and checks required HubSpot fields for accuracy (i.e., lead source, stage, title, industry, website, etc.)
Responds to the lead to schedule an initial call
A sales team member is notified by HubSpot when a lead schedules time on their calendar

The team member adds their name as the Owner of the Contact and Company
The account executive adds a corresponding Deal into HubSpot within the corresponding Pipeline (New Business Attest or New Business Consulting) in the Conversation Scheduled stage
3. Connect
About You (Discovery)
Learn about the prospect (what is important to them beyond a report, certification or consulting service)
Build trust and credibility
Sales Assistant sheets available in Marketing resource materials as needed (focus on them, not us)
About Us (Value and Process Communication)
Match prospect need to values and services BARR provides
Attest Sales Story / Consulting Sales Story
Proven process review
Confirm scope for pricing out the engagement.
Bring in partner or client service subject matter experts as needed
4. Pricing Proposal
Refer the scope to the Pricing Matrix to confirm the cost of the engagement
Receive price buy-in from Business Development or Client Service leadership
Send pricing and marketing deck within 24 hours of receiving scope from the prospect
For ISO prospects, send the application
Update deal details and stage in HubSpot
5. Follow up and Close
Touchpoints via email and/or phone call at least once a week for 13 weeks (minimum requirement)
Sales team members use their best judgment on how much attention each individual prospect in their list should receive and for how long.
If no contact is reciprocated by the prospect after 13 weeks, the opportunity is considered lost and the Deal is moved to the Lost to Competitor stage.
If lost, Marketing drip campaigns automatically trigger for re-engagement.
6. Client and Engagement Acceptance and Continuance (CEAC)
Prospect verbally commits to price
CEAC completed (Attest Only)
Application reviewed and accepted by Attest ISO Application Reviewer (ISO only)
Sales team updates HubSpot deal details (timing, scope, etc.) and Operations creates the engagement letter
Timing and travel plans (if applicable) are firmed up with the prospect
CS Ops follows the steps outlined below under “New Business Pipeline” resourcing to ensure the project can be scheduled and the engagement letter is drafted
Partner approves the engagement letter which is then sent to the prospect
Redline review, if any, is facilitated between the prospect and the BARR team
7. Client service handoff
Sales team member sends a thank you email to the client, copying the audit team (Partner/Manager) for an introduction.
Audit team schedules a kick-off call with the client to begin services.
Automated welcome package sent to client from CEO
Attest Engagement Management
General Attest Engagements (i.e., SOC 1/2/3)
CEAC completed during sales process for new clients, or pre-EL for recurring clients
Readiness Assessment following engagement letter (EL) signature for first year clients
Engagement scope and timing firmed up with a signed EL for recurring clients
Planning: scheduling; internal kickoff; team prep and handoffs (if needed); kickoff meeting with client; admin files A1-3
Assess: walkthroughs; control files; test of design and operating effectiveness
Reporting: draft report sent to client; admin files A4-C2; senior updates to report; client and manager reviews; EQCR; partner reviews; required checklists completed in taskBARR
Report issuance within 45 days of period end, and audit file archival
Optimized: Debrief with client, celebrate wins, communicate PIOs, lessons learned/continuous improvement, and pre-plan for the next engagement
ISO
CEAC completed during sales process for new clients, or pre-EL for recurring clients
Engagement scope and timing firmed up with a signed EL and approved application
Planning: audit time assessment; scheduling; team prep and handoffs (if needed)
Fieldwork
For initial certification and recertification (year 1, every 3 years thereafter):
Stage 1
Stage 2
For surveillance audits (Years 2 and 3 following an initial cert or recert):
Stage 1 review of ISMS and testing of a subset of controls
Reporting: draft report; senior updates; manager reviews; EQCR; CDM review
Certificate issuance and audit file archival
Debrief with client, communicate PIOs, lessons learned/continuous improvement, and pre-plan for the next engagement


Client Post Engagement
Owner: Client Services
Task: Final Engagement Deliverable
Engagement team member sends the final deliverable (report and/or certification) to the client via email. Templated copy for the delivery email includes links to the satisfaction survey and promotional packages.
Owner: Client
Task: Client Calls-to-Action
Client completes satisfaction survey
Schedules debrief with engagement team
Schedules Marketing consultation (if needed)
Owner: Marketing
Task: Marketing Consultation
A member of the marketing team conducts a marketing consultation call with the client to share best practices in promoting the report and/or certification (if needed)
Shares additional resources, examples, and talking points for sales teams
Explains that a SOC report is NOT a certification
Offers to review any materials the client develops
Owner: Client Services
Task: Debrief Meeting
Engagement team conducts a debrief meeting to discuss the success of the recent engagement, plans future engagements, drafts ELs, and begins scheduling resources.
This is when the engagement manager promotes other services to the client as indicated in the satisfaction survey.
Owner: Marketing
Task: Satisfaction Survey Review
The marketing team reviews every survey submitted.
Any scores below 9 or comments in “What could we do better?” are reported to the Head of Attest Services and the Head of Business Development.
Positive comments are pulled for use as testimonials in marketing material.
Owner: Marketing
Task: Net Promoter Score (NPS)
Every quarter, the marketing team pulls all client survey data and calculates BARR’s NPS.
Calculated by: % Promoters (9s and 10s) minus % Detractors (1s-6s)
Quality
Quality Management System
Document QMS for new service lines based on relevant regulations from the accreditation body
Review and amend QMS during the annual internal audits or when ad hoc changes in process or regulations occur
Monitor and respond to changes in professional standards and regulation
Assist in team development to maintain compliance with the above
Engagement Feedback
Respond to questions about quality requirements, independence, or professional standards issues
Identify areas of opportunity for team training based on engagement quality reviews
EQCRs
Annual Internal Audits for the ISO and SOC Practice
Select an internal audit team
Select a sample of engagements (for ISO engagements, the sample must match the scope of our accreditation)
Review the QMS against relevant AICPA and ISO standards to ensure completeness
AICPA - QC 10, but soon to be SQMS 1 and 2 effective December 2025
ISO - ISO 17021, 27006, 27006-2, and MD requirements
Review sampled engagements against relevant requirements and BARR proven processes utilizing defined audit templates
SOC engagements are reviewed against the AICPA peer review checklist which outlines requirements from QC 10, the SOC guides, AT-C 105, AT-C 205, and AT-C 320
ISO engagements are reviewed against ISO 17021, 27006, 27006-2, and MD requirements
Document findings and add them to the corrective actions registry
BARR Advisory
BARR Certifications
Annual Internal Management Reviews for ISO and SOC
Identify stakeholders
Kickoff with review team
Review Risk Analysis
Gather review inputs (i.e., audits, corrective actions, feedback, complaints, etc.)
Note - Explicit management review requirements are defined in ISO 17021 for BARR Certifications
Debrief with stakeholders
Coordinate response to results
Communicate results to the team
Peer Review Processes for SOC Clients
Select peer review firm
Schedule peer review
Coordinate office visit
Respond to peer review requests
Coordinate response to peer review findings
Communicate the results to the team
ANAB Office and Witnessed Audits
Schedule and coordinate visits with the ANAB
Coordinate with audit teams to ensure witnessed audits are completed per requirements
Respond to findings
Coordinate improvements in processes as needed
New Accreditation Support
Be the main point of contact with the accreditation body and determine the requirements for accreditation
Obtain pricing and build out a new accreditation roadmap
Identify an Attest SME
Obtain approval from leadership
Complete application steps, documentation, and QMS updates
Respond to any accreditation body comments and requests until accreditation is obtained
Maintain any internal QMS, policies, and procedures related to accreditation and be the liaison for any required audits or reviews
Client Service Operations
Resourcing, Engagement Letters, and the Engagement Pipeline
New Business Pipeline
The Resourcing Coordinator is alerted that a new engagement is ready to schedule. The Resourcing Coordinator reviews team availability in Kantata and determines whether the project is staffable in the timeframe outlined in HubSpot (based on Attest and Ops availability).
If the project cannot be staffed, communicate to Biz Dev what can be staffed.
Resourcing Coordinator selects and assigns a manager and adds the template to the project.
Moves Deal to Ready for EL in HubSpot (automated notification to CS Ops).
The Proposal Specialist creates an engagement letter based on the Deal information in HubSpot.
Moves Deal card to EL Ready for Executive Review in HubSpot. Executive (Partner or Director) reviews and updates as appropriate.
Moves Deal to EL Ready to Send in HubSpot.
EL is sent to the client and the Deal is moved to EL Pending Sign-off in HubSpot. Manager finalizes task time estimates in Kantata and communicates any resourcing preferences to the Resourcing Coordinator. Manager also reviews HubSpot Deal information and updates it if necessary (price, engagement period, engagement scope).
Resourcing Coordinator updates task hours allocation per manager estimates utilizing [insert to be created allocation guide] and creates an allocation for each resource on the project. Resourcing Coordinator staffs Associate and Senior project resources in Kantata.
Update project status in Kantata to Scheduled.
Proposal Specialist tracks the Deal weekly until the Deal is signed.
Proposal Specialist creates invoices 1 and 2 and attaches them in Kantata. Proposal Specialist releases the first invoice if it is due upon EL execution. If it is due at a later date, the manager releases both invoices.
Proposal Specialist adds the EL to the file section of the project.
Recurring Engagement Pipeline
Proposal Specialist creates the Deal in HubSpot and moves the Deal to “Ready to Schedule” in HubSpot. Resourcing Coordinator is notified, adds the appropriate template to the Kantata project, and assigns the prior year Manager. If the prior year Manager is no longer a Manager, the Resourcing Coordinator selects a new one.
Manager finalizes task time estimates in Kantata and communicates any resourcing preferences to the Resourcing Coordinator. Manager also reviews HubSpot Deal information and updates it if necessary (price, engagement period, engagement scope).
Moves Deal to Ready for EL in HubSpot.
Resourcing Coordinator updates task hours allocation per manager estimates utilizing [insert to be created allocation guide] and creates an allocation for each resource on the project.
Resourcing Coordinator staffs Associate and Senior project resources in Kantata. Update project status in Kantata to Scheduled.
Proposal Specialist creates the EL in HubSpot.
Moves Deal to EL Ready for Executive Review
Executive (Partner or Director) reviews and updates
Moves Deal to EL Ready to Send
Proposal Specialist sends EL to Client
Moves Deal to EL Pending Sign-off
Deal is signed
CS Ops creates invoices 1 and 2 and attaches them in Kantata. CS Ops releases the first invoice if due upon EL execution. If a later date, the manager will release both invoices.
CS Ops adds EL to the file section of the project
Reporting
The Reporting Specialist creates draft reports, management representation letters, and click-through text from approved templates in the template gallery 120 days prior to the report issuance date, puts the draft report into the client engagement folder on the shared drive, and puts the other documents into the report production folder.
Review by the assigned quality reviewer occurs 14 days before report issuance.
Partner Review occurs ~ 5 days before report issuance
Editorial by the technical report specialist occurs ~4 days before report issuance
Cybersecurity Consulting
Invoicing and Engagement Financial Management
Objective: Ensure we receive timely payment for services provided and ensure an accounting of services is available to clients.
Note: steps 1-3 and the first two bullets under step 5 are owned by Finance, but are included here for reference.
1. Invoicing - Subscription Engagements
Startup costs are invoiced as soon as the proposal is won. If there is not a set startup cost, we send the first subscription invoice at this time.
Monthly invoices are sent on the first of each month based on the agreed-upon fees in the SOW.
Hour overages are billed the same as hourly engagements.
2. Invoicing - Hourly Engagements
New Engagements: Startup costs for hourly engagements will include two invoices:
Invoice #1: 50% of gap analysis and remediation fees upon proposal execution
Invoice #2: 50% of gap analysis and remediation fees immediately following the completion of the remediation activities
Ongoing Engagements:
Invoices are sent based on the hours incurred in the prior month, typically in the second week of the month.
The Director(s) review the hours on each invoice before sending. If necessary, the engagement team discusses the hours and any necessary changes are made to timesheets before Finance sends the invoice.
3. Invoicing - Other Fixed Fee Engagements
New Engagements: Invoices are broken down into two separate invoices as follows:
Invoice #1: 50% of the total engagement fees, sent upon execution of the proposal.
Invoice #2: 50% of the total engagement fees, sent immediately after the client approves the final deliverables
Engagements with multi-year agreements: for fixed fee engagements (e.g., internal audits), two invoices are sent as follows:
Invoice #1: 50% of the total engagement fees, sent immediately following engagement kickoff
Engagement status changes from “Pipeline” to “Confirmed or Scheduled”
Note: include estimated completion date for invoice scheduling
Invoice #2: 50% of the total engagement fees, sent immediately after the client approves the final deliverables
Engagement status changes from “In Progress” to “Completed”
Note: include estimated completion date for invoice scheduling
4. Monthly Invoice Review: The Director(s), in consultation with engagement teams, reviews time entries and invoices for accuracy. This review occurs prior to the first Friday of each month
Hourly Invoices:
Review the time entries with the engagement team
If necessary, time entries are adjusted
Do hours seem reasonable based on services provided?
Are hourly rates accurate per SOW?
Once reviewed, notification is sent to the invoicing team that hourly invoices are ready to send.
Subscription Invoices:
Ensure all new subscription engagements are included in the Projects Module within Kantata
Review each subscription invoice for accuracy per the SOW
Fixed Fee Invoices:
Review any fixed fee invoices to double-check that invoices for the next month are planned according to the “Fixed Fee Invoicing Process”
5. Financial Standing Review: The Director(s), during the first week of each month:
Reviews each client’s invoice payment status.
Identifies any clients who are (1) more than $10k and/or (2) more than two months behind on payments
Discusses with the client
Communicates the results to the Finance team
If necessary, pauses services until a payment plan is reached
Quality Service
Objective: Deliver quality service to our clients from deal close to the end of the relationship. Uncover engagement issues before they become severe.
Onboarding
1. Request access to the client’s tools or systems, when required
2. Update the Kantata project and resource allocations with hours forecast, resource assignments, and schedule hours
3. Create a shared folder or drive and share it with client contact(s)
4. Communicate the invoice process to the Finance team and/or update Kantata accordingly
Note: if the client requires a SOW outside of Proposify (e.g., DocuSign), download the signed proposal from the external tool and upload it to Proposify
5. Send the Intake Survey to client contact(s)
Client Feedback
1. Engagement satisfaction (NPS) survey
New clients: send the survey once remediation is completed
Ongoing clients: after each external audit or major initiative
Internal audits: after each IA deliverable is provided
2. Formal Check-Ins
The Director(s) meet quarterly with client engagement sponsors to discuss:
Quality of services delivered
Issues with the engagement team, services, or deliverables
Potential new security and compliance initiatives
Changes to budgets
Annually: See the “Annual Budget and Feedback Review” process
Once the above are completed, the Director(s):
Discuss feedback with engagement teams
Update engagement forecasts and schedules
Communicate changes to the Finance team, if necessary
3. Ad-hoc Check-Ins
The Director(s) will, on an as-needed basis:
Periodically join status calls
Chat via Slack or other messaging platforms
Call the client project sponsors directly
4. Communication with Engagement Teams
The Director(s) communicate any feedback, budget changes, or other relevant matters to the engagement team during:
Weekly Pulses
Monthly 1:1s
Direct phone calls
Slack messages
Client feedback factors into team members’ annual performance reviews
If necessary, coordinate with the Learning and Development team to create training plans based on feedback
Annual Budget and Feedback Review
Director(s) meet with client contact(s) annually to:
1. Gather feedback on engagement performance (see Client Satisfaction process) and confirm:
Budget based on existing services provided and additional services planned for/needed in the subsequent year
Invoicing approach, either hourly or subscription
Discuss feedback and the proposed budget with the team
Create new opportunity(ies) in Salesforce
Create a new SOW and send it to the client for signature if:
Hourly rates change
Invoicing approach changes
Existing SOW is out of date
Update Kantata
Assign engagement resources in the project setup screen
Ensure the billing configurations are set up according to whether the engagement is hourly or fixed/subscription.
Update Kantata’s allocation to reflect budget in the Resource Center
Individual team members update their schedules according to forecast
Engagement status
Offboarding
1. The Engagement Manager(s):
Remove all client access to BARR’s shared drives and other tools
Review contractual agreements to ensure all required documents and data are retained and provided to the client
2. The Director(s) and Finance team:
Ensure payments are received for all services delivered
3. The Director(s):
Gather feedback from the client
Communicate that feedback to the engagement team
4. The Engagement Manager(s) archive the engagement in taskBARR.
Knowledge Base Management
1. All Core and Proven processes reside in Guru under the “Consulting” collection
2. All Core and Proven process cards should be verified by at least one of the following job roles when the card is initially published, at least annually, and any time the processes change:
Director, Cybersecurity Consulting
Manager, Cybersecurity Consulting
3. All Cybersecurity Consulting team members must review Core and Proven process cards at least annually, and more frequently as part of their day-to-day responsibilities
4. Periodic trainings should cover these Core and Proven processes, including any significant updates in the past quarter
5. All Cybersecurity Consulting new hires and transfers must review and acknowledge the Core and Proven process cards within the first two weeks of employment
Scheduling and Forecasting
Objective: To ensure engagements are scheduled sufficiently with a team that provides the skills required for each client’s individual needs while ensuring team members are deployed according to department targets.
1. New engagements
Engagement status moves to “Scheduled or Confirmed” in Kantata
Director(s) or Manager(s):
Allocate the budgeted hours in Kantata’s Resource Center
Assign engagement resources
Note: at least a manager and engagement lead
Communicate resource assignments to team members
Team members update their individual schedules
Director(s) or Manager(s) review forecasts against schedules to ensure engagements are adequately scheduled.
2. Ongoing engagements
Manager(s) or Director(s):
Confirm annual budget with client and engagement team
Create a new engagement in Salesforce with the correct year in the name
Update the allocations in Kantata’s Resource Center with budgeted hours/mo.
Subscription Engagements: hours/month are simply the monthly subscription cost divided by $290 (e.g., a $5,000 subscription is 17 hours/month)
Hourly Engagements: based on discussion with the client and engagement team, and should closely reflect the engagement team’s schedules so that revenue and hours forecasts match the timing of services throughout the year
Fixed Fee Engagements: Hours are forecasted according to the timing of the engagement, which will generally take place over 1-2 months (e.g., internal audits, one-off gap/risk assessments)
Assign engagement resources as described above
Communicate resource assignments to team members
Team members update their individual schedules
Director(s) or Manager(s) review forecasts against schedules to ensure engagements are adequately scheduled.
3. Project Forecast Reviews:
Manager(s) or Director(s), on a monthly basis:
Review the monthly forecast
If necessary adjust the Resource Center to reflect changes
Communicate changes to engagement teams
Director(s), on a quarterly basis:
Review budgets with client and engagement teams
If necessary adjust the Resource Center to reflect changes
Communicate changes to engagement teams
4. Individual Responsibilities:
Each team member is responsible for:
Their own schedules once assigned to an engagement
Reviewing their schedules monthly and updating them according to client needs, changes in priorities, PTO, etc.
Ensuring their schedule is aligned with deployment rate targets and raising issues with performance managers as soon as possible
Notifying Manager(s) and Director(s) of material changes to schedules and client priorities so they can make necessary changes to the engagement scope and contracts
People & Culture
Recruiting
Define role, job description, salary, and update accountability chart
Decide sourcing strategy (external, internal, both) and mediums (LinkedIn, Partner Channels, Apprenti, Campus, etc.)
Seek employee referrals
Resume reviews
Interviewing
30-minute phone screen by recruiter
2-minute video submission review
Candidate Mock Exercise
Team rounds
Values interview (practice leader/VP/managing partner)
Reference and background check
Track activities in Rippling ATS
Onboarding
Onboarding checklist created by P&C
Trello Board & peopleBARR
BARR Buddy
Manager Checklist
30/60/90-day check-ins
Intro sessions with People & Culture and Marketing
V/TO Review with CEO
Performance Management
Accountability Chart and Job Descriptions
Creating Smart Quarterly Rocks
Quarterly Promotion & Transition Process
Performance Management
Who We Measure: Our Employees
Why We Measure: Right People + Right Seats + Continued Focus on Employee Development
What We Measure: Using our VIP Performance Management Tool, continuously measure (V) values alignment, (I) impact/performance, and (P) plan
BARR’s Five Step Performance Management Process:


People & Culture Annual Events
February: Annual Employee Reviews
March: Compensation Reviews
April: Compensation changes take effect
September: Annual Employee Engagement Survey
December: Benefits open enrollment
Learning and Development
Needs analysis types and techniques
Training program design and implementation
Developmental assessments
Goal-setting best practices
Career development techniques
Knowledge-sharing programs and facilitation
Leadership development and planning
Approaches to coaching and mentoring
Employee & Community Engagement
People & Culture Annual Calendar
Love Month
March Volunteer Madness
Camp BARR
Raising the BARR 5k
Annual Day of Giving
Holiday Party
BARR Matching Gift Program
Volunteer Paid Time Off Program
Brand Strategy, Marketing, and Strategic Communications
Brand and Content Management
A request is created in Asana by marketing, or a BARR employee fills out a creative request form accessible through Asana
Content types include whitepapers, case studies, fact sheets, sales enablement materials, blogs, slide decks, videos, etc.
Standard turnaround times range from 1 to 10 business days depending on the content type.
Marketing internal review
External stakeholder or BARR employee review, as needed.
Internal content is posted in Guru (i.e., the marketing resources folder); blogs and other external content are stored in the marketing drive and posted externally
Asana ticket closed
PR and Media Relations
mediaBARR
See mediaBARR sign-up sheet
The PR and media relations marketing associate identifies relevant opportunities and shares them in the #pr-media-barr channel on Slack.
1. BARR subject matter experts (SMEs) indicate in the thread if they plan to respond, then send their response to the PR and media relations marketing associate before the deadline.
2. The response is edited, then shared with the director of marketing for review before submission.
3. The PR and media relations marketing associate notifies the associate if their response is accepted. If the response is rejected, it is saved in the Quote Bank to be repurposed for other marketing content.
4. Past mediaBARR responses are stored within the Root folder.
Press Releases
See our press release calendar for upcoming press releases.
Press Releases Process
1. The PR and media relations marketing associate works with relevant SMEs to draft the press release using this template. From there, press releases follow BARR’s standard process for creative deliverables. (See Guru card.)
2. Upon approval, the PR and media relations marketing associate submits the press release to Business Wire and schedules the press release to publish on BARR’s blog.
3. After distribution, the PR and media relations marketing associate logs performance metrics within this spreadsheet.
4. Press release drafts are stored within the Root folder.
Award Nominations
See our industry awards calendar for upcoming nominations.
Nomination Process
The marketing team identifies awards and selects eligible associates, teams, or projects to nominate.
1. The marketing team drafts all content associated with the award and coordinates recommendation letters, references, etc. Award content follows BARR’s standard process for creative deliverables. (See Guru card.)
2. If applicable, the associate being nominated reviews any drafts for accuracy.
3. The marketing team submits the nomination.
4. Award nomination form drafts are stored within the Root folder.
Finance and Business Support
Invoicing
Tools/resources: Quickbooks, TaskBARR, Proposify, Salesforce
Client Portals: Workday, Coupa Supplier Portal, Beeline, Tipalti-G2
The engagement letter or statement of work is agreed to by the client and executed by BARR and the client. Salesforce is marked as “won” and the TaskBARR phase is moved to “plan” - this tells accounting that an engagement is ready to invoice
Accounting manager reviews the finance dashboard in TaskBARR to identify new engagements ready to be invoiced
Invoices for existing clients are created in Quickbooks under the existing client profile. For a new client, a client profile is created in Quickbooks (Advisory client data is imported from Proposify; Certifications clients are manually entered)
Engagement letters must be signed prior to invoice creation. Accounting verifies the signature on the engagement letter in Kantata
Payment schedule and amounts are dictated by the terms in the engagement letter
All invoices are associated with the engagement in TaskBARR for reconciliation purposes
Invoices ready to be sent to clients are reviewed weekly and sent from Quickbooks or are uploaded to a client portal
A/R Management
Tools/resources: Quickbooks, Arvest Cash Manager, Arvest Lock Box, Microsoft Excel
Forms of payment that are accepted by BARR are: Check, Credit Card, ACH, or Wire
Checks are mailed to a lockbox at Arvest. Once received at the lockbox, checks are automatically deposited into BARR Advisory’s account at Arvest
Credit card payments are facilitated through Melio or Bill.com; Melio and Bill.com charge the client a fee for using this service
ACH and Wire payments are received directly in the Advisory or Certifications account at Arvest
Once payments are deposited at Arvest they are matched by the Accounting Manager with open invoices in Quickbooks
The A/R aging report is monitored weekly using an Excel spreadsheet built from a Quickbooks report
Accounts that are 1-30 days past due are contacted by the finance team as a reminder that payment is due
Accounts that are 31-60 days past due are sent to the engagement manager for a first escalation.
Accounts that are in excess of 60 days past due are reviewed by the finance and engagement team.
Communication must be established with the client with an explanation for the past due payment. If the client is not responsive or unwilling to make payment, services are halted until the client is able to become current on outstanding invoices
Final Engagement Reports or work product is not released until all outstanding invoices have been paid
A/P Management
Tools/resources: Bill.com, Rippling Spend Management
BARR utilizes two primary forms of payment for employee expenses: Bill.com and Corporate Credit Cards managed via Rippling Spend Management
Bill.com is used for vendor payments made via check/ACH and other employee expenses where a credit card is not an accepted form of payment. Payments scheduled through Bill.com are scheduled for payment on the invoice due date
A physical credit card is issued to each employee and a virtual card is issued to each department
Physical cards are used by employees for business expenses necessary for performance of their job.
Virtual cards are issued to each department for vendor charges and recurring expenses.
Payments scheduled through Bill.com or credit card must include a memo with a description of the charge, and a receipt is required for expenses greater than $25
Treasury Management
Tools/resources: Arvest Cash Manager
BARR has a banking relationship with Arvest Bank
BARR has five separate accounts at Arvest:
BARR Advisory checking account (4300)
BARR Certifications checking account (8917)
BARR Ventures checking account (8409)
BARR Advisory A/R (4362)
BARR Advisory sweep account (6224)
Payments for BARR Advisory services are deposited in account 4300, or account 4362 and then swept nightly into account 4300
Payments for BARR Certifications services are deposited in account 8917
Excess cash in BARR Advisory account 4300 is swept into the BARR Advisory Sweep account 6224, where it is able to earn interest.
BARR Ventures is the employing entity for BARR employees and some contractors. Payroll is paid through BARR Ventures, account 8409. BARR Ventures charges BARR Advisory and BARR Certifications two fees:
Compensation Fee for the cost of the salary and benefits of employees performing work on each entity’s behalf
Management Fee for employment management services and back office services
BARR has a line of credit open with Arvest that is collateralized by BARR’s receivables. The maximum amount that can be drawn on the LOC is $1 million
Budgeting, Forecasting, and Communication
Tools/resources: Quickbooks, Microsoft Excel, Xero, Arvest Cash Manager
BARR performs an annual budget and forecasting exercise
The budgeting and forecasting process begins at the start of the fourth quarter and is completed by December 31st
Each department leader is provided with a summary of its historical expenses incurred over the past year as a reference for recurring expenses
The leader of each department is asked to forecast those recurring expenses along with any personnel changes and new expenses or investments required to support the Company’s strategic and financial objectives.
The budget and forecast of each department is sent to the Vice President of Finance and the Accounting Manager. The Accounting Manager consolidates each department’s budget into a consolidated view to show the forecasted performance of the Company
The Leadership Team reviews the consolidated forecast to ensure the forecasted performance is in alignment with the stated financial and strategic goals for the period
The actual financial performance is reviewed alongside the forecasted performance of the Company, by department and on a company-wide basis, monthly
Entity Consolidation for Financial Reporting
Tools/resources: Quickbooks, Microsoft Excel, Xero, Arvest Cash Manager
BARR consolidates the financial performance of its three entities (Advisory, Certifications, and Ventures) on a monthly basis.
The monthly income statement and balance sheet for BARR Advisory, and BARR Certifications are taken from Quickbooks, and the income statement and balance sheet for BARR Ventures is taken from Xero.
The income statement and balance sheet of each entity are recorded and consolidated in Microsoft Excel and tracked over the course of the fiscal year
Taxes
Tools/resources: Quickbooks, Xero, Rippling, Arvest Cash Manager, Hutchins & Haake LLC
BARR’s annual tax filing and quarterly payment estimates are prepared with assistance from our tax advisor, Hutchings & Haake LLC
Payroll
Tools/resources: Rippling, Arvest Cash Manager
Currently, payroll is monitored periodically in Rippling to ensure that deductions and withholdings are properly completed for payruns
Assist People and Culture with registration of new hires in states where BARR is not currently registered
Respond to tax notices from the IRS and States by either using Rippling support or completing the needed actions
At the end of each month, reconcile payroll deductions and withholdings in Rippling with the payroll liability accounts in Xero
Entity Management and State Compliance
Tools/resources: Capitol Services, Joel Krieger
The Finance and Business Support team ensures that BARR Ventures, Advisory and Certifications are registered and in good standing with state authorities where they have employees, and ensures that the Firm is compliant with local CPA board of accountancy laws
BARR Ventures must be registered to do business in every state where it has an employee. BARR utilizes Capital Services to assist with state registration and compliance. This relationship is managed by the Accounting Manager
BARR Advisory must be compliant with local CPA board of accountancy laws. The NASBA is monitored for Firm requirements and individual CPA license requirements.
Compliance is reviewed and monitored quarterly
BARR’s attorney specializing in CPA compliance law is Joel Krieger
IT Provisioning
Tools/resources: Complete Technology
New access
Access is pre-provisioned by role upon onboarding
Access needed beyond pre-provisioning must be approved by a manager
Asset Management
Complete Technology will send access reports to the owner of each asset for review quarterly
