It is not reasonable for each enterprise to develop their own post quantum solutions, but there are planning steps that can be taken. Enterprises will continue to rely on major hardware and software vendors for new solutions, but enterprises cannot just wait for solutions to become available. The vendors relied upon for operating systems, security devices, software, and other technology resources will undoubtedly play a huge role, but enterprises need to be preparing for how those changes will be implemented in their individual environments. Many vendors are touting quantum safe solutions, but if those solutions do not operate with the rest of an enterprise’s system, they provide little to no value. At this point, every enterprise should be identifying and inventorying their systems, assessing the potential impact on each system, and planning for alternatives and updates.

Public Certificates

Some of the first impacts will likely be seen related to digital certificates purchased from publicly trusted certification authorities (CAs). These certificates are most used for transportation layer security (TLS) connections, and are most common between an enterprise’s website and customers. They are also used to sign software code that will be delivered to customers and trusted by the customer’s operating systems, and to enable secure email through secure/multipurpose internet mail extension (S/MIME). The basis for these certificates is to establish trust between an organization and external parties.

Since that external party can be either known or unknown, these certificates must be trusted publicly and therefore come under a high level of industry regulations and scrutiny. The public CAs that offer these certificates and the web browsers and software designers that trust these certificates are monitoring developments closely. They will likely be some of the first parties to push regulations. New regulations must be tempered and not be rolled out so fast they break all the connections they are attempting to secure.

Public CAs are performing a lot of the planning for post quantum changes, but enterprises need to be prepared for their role in the process. The webservers operated by enterprises are responsible for generating keys used for authenticating the website and encrypting the traffic. Enterprises need to inventory all webservers, email systems and other systems that interface with public certificates. The algorithms accepted by these systems need to be inventoried to allow the enterprise to track when updates are required based on new algorithms being put in place. Updates will likely need to be deployed quickly to minimize downtime. Systems that are not supported for updates will likely need to be replaced.

Separate from quantum computing, public certificates are expected to see their lifecycles shortened significantly in the next few years. This is especially true for TLS certificates. Inventorying these systems and developing automated tooling to manage the certificate lifecycle will help enterprises be better prepared for whatever changes come their way.

Internal Systems

Internal systems impacted by vulnerabilities from quantum computing are more difficult, because they are likely greater in number and will not benefit from direct support from public CAs. Enterprises systems that will become vulnerable can include VPN connections to remote devices, single sign on tooling, and database encrypting software, just to name a few. These systems can also include physical security devices, such as badge readers and security cameras. While these systems are not always externally facing, they are a critical part of the enterprise’s defense in depth approach to cybersecurity. Enterprises should start with inventorying all systems that utilize encryption or authentication mechanisms, especially focused on those with key pairs and shared secrets.

Just as with systems that utilize public certificates, internal systems will need to be updated to utilize new algorithms in a post quantum environment. Assessing the risk involved with each system will help enterprises prioritize the criticality of updates. Dataflow diagrams will help enterprises determine systems that interact with each other. System to system authentication is often overlooked, but are critical to operations. Data flows between different systems within an enterprise will likely be impacted by updating required algorithms and could break connections. Enterprises need to consider risks related to security and availability when evaluating systems. Some systems might be behind enough layers of security and not critical for immediate updates. These systems also might not support updates as easily.

Most enterprises are not at the stage to test new quantum computing safe algorithms and developing corresponding hardware and software. As always, vendors will play a significant role in the process of preparing for a post quantum time. Maintaining an inventory of vendors and the points of reliance will be critical to an enterprise’s strategy. Major vendors that provide operating systems, significant security systems, and cloud providers, are likely top of mind, but enterprises will need to dig deeper. Consider backup vendors that encrypt files, copiers and printers, and hardware vendors. Hardware that is not configured to support new algorithms could bring operations to a grinding halt. Hardware has integrated features for disk encryption and boot processes. These systems will likely not be easily updated for new algorithms, because keys can be burned into the chips.

Once an enterprise completes a full inventory and the risk to each system has been assessed, an enterprise will need to evaluate the strategy to address each system. Vendor supplied patches might be an easy solution, but will need to be applied as connecting systems are made compatible. Internally developed systems might require custom updates, and some systems might need to be replaced. For those systems that cannot be updated, consider looking to a vendor that can supply supplemental systems to add post quantum support to legacy systems. These solutions will become more popular as some enterprises determine which systems are inflexible, for the time being.

After inventorying systems and assessing risk, enterprises should begin developing and testing plans to move to quantum safe algorithms, also known as post quantum cryptography (PQC). The National Institute of Standards and Technology (NIST) has laid a lot of groundwork and narrowed the list of recommended PQC algorithms to a few promising options. While the list is still being scrutinized, enterprises can begin testing methods to change key pairs and deploy updates in an efficient manner. It is still unknown the exact changes we will need to make to be prepared for a post quantum world, but understanding what systems require changes and testing process to make those changes will put every organization in the best position to respond quickly.

Hybrid certificates, which have both current key pair, such as RSA keys, and PQC keys, are gaining popularity as a transition tool. These certificates allow for multiple signature algorithms. This allows enterprises to still rely on traditional algorithms, while testing quantum safe algorithms. These certificates might allow organizations to test their readiness while not taking down systems in the process. This will also allow for testing various PQC algorithms while the industry is still evaluating various options.

Conclusion

The two biggest takeaways in preparing for PQC are know your enterprise and remain flexible. All Enterprises should consider a three-step approach to knowing its environment. They should identify/inventory, assess risk, and plan for remediation of the assessed risks. The identify and inventory process should not be taken lightly, because it will lay the groundwork for preparing the enterprise. There are several organizations looking to sell quantum safe solutions, but if those do not function within your enterprise profile, it could make for a long and expensive process. Make sure you work to understand your entire organization before implementing changes.

In December 2023 a significant vulnerability was discovered in a leading quantum safe suite algorithm, CRYSTALS-Kyber (Cryptographic Suite for Algebraic Lattices). This vulnerability does not impact the underlying encryption math, but rather the implementation. This is a good example of why an enterprise needs to remain flexible. Developing new technology will be bumpy, and new patches and fixes will be required frequently. The ability to flex between multiple algorithms and implementations will allow an enterprise to adapt to the quickly changing environment.

Written by Tim Crawford. Copyright © 2024 BDO USA, P.C. All rights reserved. www.bdo.com

In addition to understanding the far-reaching implications that could help avoid missteps with LTPT employee eligibility and revised participant headcounts, we will explore how to correct any missteps that have already occurred.

New eligibility opportunities for long-term, part-time employees

Prior to the SECURE Act of 2019 and SECURE 2.0 Act of 2022 (collectively SECURE), employers could exclude employees from their tax-qualified defined contribution plans based on the number of hours they worked per year. Typically, this meant that part-time employees were ineligible to contribute to their employer’s retirement plan — no matter how many years they had worked for their employer. An IRS Employee Plans Newsletter issued on January 26, 2024, defined LTPT employees as workers who have worked at least 500 hours per year in three consecutive years, although the consecutive year condition will be reduced to two years in 2025.

SECURE expanded LTPT employee access to employer retirement plans by requiring 401(k) plans to allow employees that meet the LTPT requirements to make elective deferrals starting with the first plan year beginning on or after January 1, 2024. Employers are not required to make employer contributions for LTPT employees.

However, the burden of identifying, notifying, and enrolling these newly eligible LTPT employees falls on the employers. Failing to inform LTPT employees of their eligibility as of January 1, 2024, may have resulted in non-compliance. To rectify any compliance issues, employers can consider using the IRS amnesty program known as the Employee Plans Compliance Resolution System (EPCRS).

It is essential to understand this new requirement because LTPT employee eligibility may affect two other administrative functions for plan sponsors: Form 5500 filing and the annual employee benefit plan audit requirement.

A key change when counting participants for Form 5500

Prior to 2023, IRS Form 5500 — an essential part of ERISA’s reporting and disclosure framework — required defined contribution retirement plan sponsors to include employees who were eligible to make elective deferrals on the first day of the plan year. In most organizations, LTPT employees would be excluded from this headcount unless the employer’s plan allowed them to make contributions to the retirement plan.

Now, employers need only include participants with an account balance in the defined contribution retirement plan as of the first day of the plan year (but, for new plans, the participant account balance count is determined as of the last day of the first plan year). This may sound like a simple change, but the potential increase in participants who are LTPT employees complicates the matter.

The impact on a plan’s audit requirement

An organization’s obligation to have an annual audit of its retirement plan is dependent on the number of plan participants as of the first day of the plan year.

Beginning with the 2023 plan year, defined contribution plans that have more than 100 participant accounts as of the first day of the 2023 plan year generally must have an annual independent audit. Before 2023, all plan participants who were eligible to make salary deferrals were included in headcounts as participants even if they had not made any plan contributions. The DOL changed the rules starting in 2023 to include only those with account balances as participants. Keep in mind that the number of participants can be decreased by taking advantage of rules that allow distributions of small account balances (accounts valued at less than $7,000 starting in 2024) to former participants, if the defined contribution plan adopted these provisions.

The audit requirement of plans with 100 or more employees may change since employees without account balances are no longer counted. An organization may find that the defined contribution plan no longer requires an audit if eligible employees have not contributed to the 401(k) plan, but the audit requirement may be triggered when previously excluded LTPT employees begin to make elective deferrals.
Navigating the new normal for certain retirement plans

The LTPT employee rules take effect for plan years beginning on or after January 1, 2024 (for calendar-year end plans). If your organization missed the deadline to allow LTPT employees to participate in your plan, the good news is that there is a path to compliance. However, implementing these complicated changes in the law requires in-depth knowledge of the complex issues surrounding tax-qualified retirement plans. Experienced consultants can provide guidance and support throughout the process in the following ways:

• Analyze plan documents and employee data to identify any compliance gaps or issues that need to be addressed
• Engage in detailed discussions with plan sponsors to explain the intricacies of the changes and helping them understand the necessary steps to ensure compliance
• Facilitate communication with service providers to aid in a smooth transition and implementation of any required changes
• Calculate corrective actions required to rectify any non-compliance issues and confirm future compliance
• Guide the employer in enrolling in the IRS’s amnesty program (EPCRS), if necessary, to self-report non-compliance issues
• Help plan sponsors track the path taken to incorporate the necessary changes into the plan documents, to ensure ongoing compliance and avoid future issues
• Discuss Form 5500 preparation considerations, including participant head count

Contact David McKay, Assurance Partner, learn more.

A construction contract audit is typically conducted at the culmination of a project as an opportunity for project owners to affirm that all contractual agreements were upheld and address any financial discrepancies. While they are a helpful tool in this capacity, conducting contract audits earlier in a project — and more frequently — may help identify potential risks sooner, as well as identify areas for possible cost savings.

Construction contract auditing is a safeguarding practice that can help you reduce the likelihood of project disputes and legal issues that could directly impact your bottom line. Ultimately, audits provide project owners with greater control over their contracts.

Objectives of Construction Contract Audits

The most common use for construction contract audits is verifying that all parties involved in a project adhere to the terms and conditions outlined in the contract. This includes verifying project costs against contractual obligations. By enforcing contractual compliance, audits help contribute to fair and transparent project execution, reducing the likelihood of disputes and legal issues.

Another key objective of a construction contract audit is to establish cost control. These audits are instrumental in safeguarding effective budget management and financial controls throughout the project. An audit will meticulously examine invoices and project records to catch any discrepancies that may lead to overpayments. By reviewing the cost structure, audits can help prevent budget overruns, identify areas for potential cost savings, and ensure financial resources are allocated efficiently across the project.

The financial transparency provided by periodic contract audits can make them even more compelling in the face of continued supply chain constraints and a challenging economic environment. Companies may use audits to help recover overpayments made during a project and empower project owners to rectify financial errors and protect their interests.

Insight

Contract audits are a critical tool to help owners of construction projects in the following areas:

• Financial Control and Compliance: Audits assess and manage project costs, ensuring that resources are used efficiently and that projects are completed within budget.
• Risk Management: Audits help identify potential risks early in the construction process, allowing for timely mitigation strategies to be implemented, and reducing the risk of project delays and cost overruns.
• Quality Assurance: Audits enhance the quality of work performed and materials used in construction by ensuring that the final product meets the required standards and specifications.
• Schedule Adherence: Audits can monitor a construction project and determine if it is progressing according to the established schedule. Delays can be addressed promptly, allowing the project to stay on schedule.
• Contractual Compliance: Audits review contracts and agreements to ensure that owners, contractors, subs, and other stakeholders are meeting their obligations.
• Fraud Prevention: Audits expose fraudulent activities or discrepancies throughout transactions. This is essential to maintaining the integrity of a construction project and preventing financial losses.
• Documentation and Record Keeping: Audits verify the accuracy of project documentation and records. Proper documentation is critical for future reference, dispute resolution, and accountability.
• Communication: Audits promote transparency amongst stakeholders by providing an objective assessment of the project’s financial and operational performance. This transparency can promote trust and increase communication among stakeholders.
• Continuous Improvement: Audits provide an opportunity for project teams to learn from past experiences. By identifying areas of improvement, future projects can be better planned and executed.

Timeline Considerations

While many project owners are familiar with close-out audits performed at project completion, construction contract audits come in several forms and can be conducted at various stages of a project’s timeline. Each serves a specific purpose in risk mitigation.

Close-out audits are generally performed to verify that legal compliance requirements have been met and that the project adheres to contractual obligations and applicable regulations. These audits also aid financial reconciliation and address any related discrepancies or irregularities. Project owners find close-out audits to be a helpful tool for measuring the overall success of a completed project.

Construction contract audits are most effective when started from the pre-construction phase. Pre-construction audits offer a proactive approach to project and cost management. These audits run at a project’s outset and play a vital role in preventing overbilling by notifying contractors upfront of the rigorous financial standards in place and the expected level of diligence required.

In addition to considering a pre-construction audit, project owners may find conducting early audits during the project to be beneficial. Early audits aid in the timely detection of potential risks and help companies identify areas for possible cost savings. They also enable early course correction, which could save on potential issues at a later stage.

Value of Proactive Audits

The construction industry is built on relationships. Strong relationships foster effective collaboration and communication and help meet execution expectations, goals, and timelines. That said, maintaining a strong relationship with contractors, subcontractors, and suppliers does not negate the need for audits. Conversely, audits — especially those that are proactive — serve as a mechanism to improve processes and in many cases can strengthen relationships by transparently identifying areas for improvement and growth.

By taking a proactive approach, such as conducting front-end construction contract audits, project owners may unlock more substantial cost savings and risk reduction than by waiting until after issues arise. Front-end construction contract audits can help set appropriate guardrails for budgetary management and financial control. They also help in the efficient allocation of financial resources across the project.

Maintaining an early audit schedule can also help mitigate risk and guard against surprises as a project progresses. This practice can allow project owners to address any nascent issues related to contract administration, procurement, and overall governance — setting a strong foundation for the remainder of a project.

In the ever-evolving construction landscape, contract changes, supply chain disruptions, and other external factors are expected to pose new compliance challenges that require vigilant auditing. Proactivity also means keeping up with the latest practices and audit innovations, such as the use of generative AI to help stay agile and alert to emerging compliance challenges while unlocking value across the project.

Safeguard Your Bottom Line

The construction industry is evolving, with new and increased risks that call for proactive audit strategies.

A proactive approach, such as initiating front-end audits or pursuing audits at different stages of project completion, can help bolster risk mitigation, cost control, and contractual compliance.

Owners may be tempted to rely on contractors, architects, and contract managers having the project’s best interest in mind. However, it is unrealistic to expect all stakeholders, including employees and subcontractors, to operate with the owner’s best interest as their top priority at all times. Additionally, even if the stakeholders do have the best of intentions, errors can impact billings, and a construction contract audit is another line of protection against those errors.

Waiting until the end of a project to audit, as the industry has traditionally done, can lead to increased litigation, claims, and difficulties in recovering funds. Early audits not only help save costs, but also provide project owners greater control over their contracts.

Construction audits contribute to the overall success of construction projects by providing greater insight into financial accountability, adherence to quality standards, risk management, and compliance with contractual obligations. They serve as a valuable tool for project owners, investors, and other stakeholders to monitor and help optimize the construction process.

Written by Janet Smith. Copyright © 2024 BDO USA, P.C. All rights reserved. www.bdo.com

JANUARY

• 15 / Fund: Possible fourth quarter 2023 contribution due for defined benefit pension plans.
• 31 / Action: File IRS Form 945, Annual Return of Withheld Federal Income Tax, by January 31 for non-payroll income taxes, such as taxes withheld by retirement plans, during 2023.
• 31 / Action: Distribute IRS Form 1099-R to participants by January 31 for 2023 retirement plan distributions.
• Best Practice: Plan sponsor should confirm the accuracy of the prior year’s census data to the recordkeeper. This information is used for ADP/ACP testing, among other things.

FEBRUARY

• 28 / Action: File IRS Form 1096, Annual Summary and Transmittal of US Information Returns, with IRS if using paper transmittal by February 28 for 2023 tax year.
• 28 / Action: File IRS Form 1099-R in paper format with the IRS by February 28 for 2023 retirement plan distributions.
• Best Practice: Review and approve compliance testing results sent by plan administrator.

MARCH

• 15 / Action: Highly compensated employees who fail ADP/ACP test for prior plan year must have refunds processed by March 15 (other than eligible automatic contribution arrangements).
• 15 / Fund: Partnerships and S Corporations that are not getting an extension must fund employer contributions to receive tax deduction for the prior year.

APRIL

• 1 / Action: 401(k) plans with publicly traded employer stock that follow Article 6A of the Regulation S-X (SEC format) must file Form 11-K with the Securities and Exchange Commission by April 1.
• Note: The IRS “weekend rule” does not roll the April 1 deadline to the next business day if April 1 falls on the weekend or holiday.
• 1 / Action: Recordkeeper (or other responsible party) completes and files Form 1099-R electronically with the IRS by April 1 for 2023 retirement plan distributions.
• 1 / Action: April 1 deadline for 5% business owners and terminated participants who turned 73 in 2023 to receive their required minimum distribution (RMD). Note: the IRS “weekend rule” does not roll the April 1 deadline to the next business day if April 1 falls on the weekend or holiday.
• 15 / Fund: April 15 possible first quarter 2024 contribution due for defined benefit pension plans (i.e., contribute by April 15 before the weekend, as contribution deadlines are not extended to the next business day).
• 15 / Distribute: Participants who contributed over 402(g) or 415 limits in the previous year must be refunded the excess amount by April 15.
• 15 / Action: File PBGC Form 4010, Notice of Underfunding for single-employer defined benefit plans with more than $15 million aggregate underfunding by Monday, April 15.
• 15 / Fund: C-Corporations and Sole Proprietors that are not getting an extension must fund employer contributions by April 15 to receive tax deduction for the prior year.
• 15 / Fund: IRA contributions for the prior tax year must be funded by April 15.
• 29 / Action: Send annual funding notice to participants of single and multi-employer defined benefit plans over 100 participants by April 29.

JUNE

• 28 / Action: 401(k) plans with publicly traded employer stock must file SEC Form 11-K with the Securities and Exchange Commission by June 28 or file an extension on SEC Form 12b-25.
• 30 / Action: Highly compensated employees who fail ADP/ACP test for prior plan year must have refunds processed by June 30, if an eligible automatic contribution arrangement (EACA).

JULY

• 15 / Action: 401(k) plans with publicly traded employer stock that requested a 15-calendar day extension (SEC Form 12b-25) for the SEC Form 11-K must file the SEC Form 11-K with the Securities and Exchange Commission by July 15.
• 15 / Fund: Possible second quarter 2024 contribution due for defined benefit pension plans by July 15.
• 31 / Action: File IRS Form 5500, Annual Return/Report of Employee Benefit Plan, and IRS Form 8955-SSA, Annual Registration Statement Identifying Separated Participants with Deferred Vested Benefits, for the 2023 plan year by July 31.
• 31 / Action: To request an extension of time to file IRS Form 5500, file IRS Form 5558 by July 31.

SEPTEMBER

• 15 / Fund: If an extension was filed, September 15 is the deadline to fund employer contributions for Partnerships and S-Corporations.
• 15 / Fund: September 15, last date to make 2023 contributions for single and multiemployer defined benefit pension plans.
• 30 / Action: September 30, Distribute Summary Annual Report (SAR) to participants if the Form 5500 was filed on July 31.

OCTOBER

• 3 / Action: Distribute annual notices to participants no earlier than October 3 and no later than Dec 2, including notices for: 401(k) Plan Safe Harbor Match, Automatic Contribution Arrangement Safe Harbor, Automatic Enrollment and Qualified Default Investment Alternatives (QDIA).
• 15 / Fund: October 15 possible third quarter 2024 contribution due for defined benefit pension plans.
• 15 / Action: October 15 is the extended deadline for filing IRS Form 5500 and IRS Form 8955-SSA.
• 15 / Action: October 15 is the extended deadline for filing individual and C-Corp tax returns.
• 15 / Action: If an extension was filed, October 15 is the deadline to fund defined contribution employer contributions for C-Corporations and Sole Proprietors.
• 15 / Action: October 15 to open a Simplified Employee Pension (SEP) plan for extended tax filers.
• 15 / Action: Send annual funding notice to participants of single- and multi-employer defined benefit plans with 100 or fewer participants by October 15.
• 15 / Action: October 15 defined benefit plan PBGC Premium filings and payments due.
• 31 / Action: Single-employer defined benefit plans that are less than 60% funded or are 80% funded and have benefit restrictions triggered must inform participants by October 31 or 30 days after the benefit restriction applies.
• Best Practice: Make sure administrative procedures align with language in plan document.

DECEMBER

• 2 / Action: Distribute annual participant notices no later than December 2. These include notices for: 401(k) Plan Safe Harbor Match, Automatic Contribution Arrangement Safe Harbor, Automatic Enrollment and Qualified Default Investment Alternatives (QDIA).
• 15 / Action: December 15 is the extended deadline to distribute Summary Annual Report (SAR) when the Form 5500 was filed on October 15.
• 31 / Action: December 31 is the final deadline to process corrective distributions for failed ADP/ACP testing; a 10% excise tax may apply.
• 31 / Action: Ongoing required minimum distributions (RMDs) for 5% business owners and terminated participants must be completed by December 31.
• 31 / Action: Amendments to change traditional 401(k) to safe harbor design, remove safe harbor feature or change certain discretionary modifications must be completed by December 31. Amendments to change to safe harbor nonelective design must be completed by Dec 1 of given plan year for 3% or by Dec 31 of the following year for 4% contribution level.
• 31 / Action: Plan sponsors must amend plan documents by December 31 for any discretionary changes made during the year.

In addition to those important deadlines and dates, plan sponsors should be aware of the contribution plan limits and other rolling notices for 2024:

• Traditional and Roth Individual Retirement Account contribution limit is $7,000. Catch-up contributions for participants aged 50 and over is $1,000, which is fixed by law and not adjusted each year.
• Employee salary deferral limit for 401(k), 403(b) and 457 plans are $23,000. The catch-up contribution limit for participants who are age 50 or older in 2024 is $7,500.
• Maximum annual additions (i.e., employee deferrals, employer contributions and forfeitures) that can be allocated to a participant’s defined contribution plan account for 2024 is $69,000.
• Limitation for the annual benefit under a defined benefit plan under Section 415(b)(1)(A) is $275,000.
• The dollar amount used to define “highly compensated employee” under Section 414(q)(1)(B) is $155,000.

BEST PRACTICES:

• Contact your service provider to discuss any required and/or discretionary SECURE 2.0 provisions effective in 2024 to ensure compliance
• Make sure discretionary amendments that impact plan design and administration are executed and implemented timely per IRS regulations
• Make sure administrative procedures align with language in plan document.
• Plans may consider doing mid-year compliance testing to avoid failing applicable annual tests.
• Review and approve compliance testing results sent by plan administrator.
• Plan sponsor should confirm the accuracy of the prior year’s census data to the recordkeeper. This information is used for ADP/ACP testing, among other things.

A New Mandate for Managing Risk

Audit teams who analyze the risks of IT are no strangers to change. Information system audits have been around for more than 70 years — starting in the 1950s as electronic data processing platforms made time-consuming business operations move with enhanced efficiency.
The original mandate of information system audits was simple: verify business processes worked. The primary stakeholder was typically the head of IT or business operations. Today, that mandate has expanded to include building trust among multiple stakeholders. Regulators, customers, and investors may all have different expectations about how risk should be managed. With the advent of cloud computing, mobile technology platforms, social media, blockchain, and the emerging ubiquity of artificial intelligence (AI), the scope of the traditional IT audit is expanding in ways that may leave many organizations feeling unprepared. The sheer amount of data can be overwhelming, and appropriate resources aren’t always there. This new reality is placing pressure on all auditing teams.

But with efficiency comes risk, so information systems audit teams must consistently develop new skillsets to adapt to change, manage new risks (like increased regulatory compliance), and promote trust. Companies must work hand in hand with their auditors to identify risks, strengthen internal controls, enhance compliance, and drive greater assurance. It takes a holistic approach to risk management — evaluating the organization’s IT systems and its infrastructure, policies, and overall operations. The reason is simple: data cuts across everything in business today, and trust in data-driven enterprises is at a premium. Failure to proactively manage risk is not an option.

There’s a Regulation for That

On the enforcement side, data and privacy legislation has been around for more than 20 years. Most recently, the European Union’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CPPA) placed restrictions on how companies leverage data, creating additional compliance risks for industries like financial services.

For example, fintech companies feel the effects of the Financial Data Exchange (FDX) standard, which places restrictions on the collection of consumer financial data for third-party apps. In addition, the Consumer Financial Protection Bureau’s data collection rule requires financial services companies to collect and report data on small business lending activities.

More recently, the Securities and Exchange Commission (SEC) has proposed new rules governing the use of data by broker-dealers The new rules would require broker-dealers to identify and disclose conflicts of interest, while also implementing safeguards to protect customer data.
These proposed rules are an indication of the SEC’s ongoing focus on the use of data. Adding emphasis to this focus, SEC Chair Gary Gensler recently spoke about his concerns over the potential risk AI might bring to financial markets. Concerns over risks to financial markets are likely an indication of a higher degree of scrutiny — and perhaps future enforcement action — around IT compliance issues. The internal controls provisions of the 2002 Sarbanes-Oxley legislation are especially relevant here. The Public Company Accounting Oversight Board (PCAOB) has also issued several standards on IT controls. These standards are intended to help information system auditors test the effectiveness of controls in preventing and detecting material misstatements in financial reporting.

The Impact of Emerging Technology

Ironically, a beneficial approach to managing risks linked to data and digital platforms involves utilizing other emerging technologies to support the proper functioning of these systems. Data analytics tools help audit teams identify anomalies in large data sets and enhance accuracy — enhancing the quality of audits without adding work for the client. A smarter, risk-based audit streamlines processes and creates additional value. Obtaining more accurate data allows the audit team to focus on specific risks. A traditional audit may not always reveal the most pertinent data or the most pressing material risks.

Technologies like AI and bots are helping to automate time-consuming and repetitive tasks, such as data collection, sampling, and testing. As a result, auditors have more time to focus on more complex risk assessments and judgment-based decisions. The ability to analyze large volumes of data faster than ever allows the audit team to identify anomalies and trends that may indicate fraud, errors, or other serious risks.
However, the biggest impact of emerging technology may be the ability to perform continuous auditing — taking a real-time, ongoing approach to monitoring a company’s systems and processes.

What Should Enterprises be Doing to Get Ready?

AI integration into control processes is still at a nascent stage. Organizations will have to resolve compliance risks, especially around new platforms like AI, with security protocols and internal policies to confirm audit teams have access to the data they need to help mitigate and address risk efficiently. Embracing new technology in an audit takes time, but as risks are identified and mitigated more automation can be implemented. When that happens, an experienced audit team can identify IT risks a client may not have been aware of.

For large public companies, the volume of data to review can be staggering, so large data dumps often prove impractical. Companies may need to partner with independent information system auditors to set parameters, so the right information is shared at the right time. Collaboration will be the key to success.

Any external information system auditing team needs to fully understand its client’s IT requirements and compliance issues. Meanwhile, enterprises must understand how emerging technologies can help reduce risk and enhance stakeholder trust and the importance of leveraging these tools—either internally or with knowledgeable external assistance.

Information system audits have evolved significantly over the years, but one thing has remained constant: it’s always been a matter of trust. Contact us to learn more.

SOC reports help demonstrate the strength of a company’s internal controls environment. There is a full spectrum of SOC reports: SOC 1, 2, and 3; SOC for cybersecurity; and SOC for supply chain. The type of SOC report a company may need depends on the opportunities at hand, risks they are looking to mitigate, and which stakeholders they are looking to provide assurances to. They are especially valuable for data-rich portfolio companies that deal with sensitive customer information, particularly those operating within technology, healthcare, financial services, as well as where these industries intersect – for example, healthtech, fintech, and insuretech.

Portco customers and other business stakeholders are increasingly expecting portcos to issue SOC reports, and for good reason: These reports offer a look into a variety of internal controls, including financial reporting, security, availability, process integrity, confidentiality, and privacy. By obtaining reports, a portco can gain a competitive edge by building trust and demonstrating value to its stakeholders while strengthening internal controls — helping to lessen the chance of unexpected challenges before exit.

SOC Attestation Supports a Winning Exit Strategy

A successful exit hinges on building trust and transparency with stakeholders and future investors.  While there are common and understandable concerns leadership teams may have with pursuing reporting, the upfront and ongoing benefits often outweigh the costs. The following table illustrates how SOC reports can help build confidence in a portco’s control environment and help meet deal objectives:

How SOC Reporting Can Help Private Equity

SOC reports are not only helpful for the portco leadership team but are also valuable to the PE operating partner. Here are three keyways these reports impact both parties:

1. Protect and Maximize Revenue – Private equity portfolio companies rely on stakeholders to be confident in their ability to meet compliance requirements and safeguard the company’s revenue. One effective way to establish this confidence is by engaging an independent third party to review and report on the company’s systems and controls. This external assessment allows stakeholders to verify the presence of robust internal controls, assisting with compliance and helping to drive customer retention and acquisition.
2. Reduce Risk – Rapidly evolving regulatory environments and heightened demands from potential investors require more stringent controls and transparency from PE funds and their portcos. SOC reporting can help leadership teams proactively identify when and where there are breakdowns in their controls, helping to reduce surprises at exit relative to unmitigated or unaddressed operational and financial risks. Identifying risks pre-exit allows portco leadership teams and their operating partners to correct and improve internal processes before the deal closes. Reports can help reduce the company’s exposure to fraud and financial loss while helping support compliance with industry regulations such as Sarbanes-Oxley (SOX) or the Gramm-Leach-Bliley Act (GLBA).
3. Secure a Safe Exit – SOC reporting plays a crucial role in supporting due diligence efforts. Once a report is obtained and any identified issues are addressed, it is important to communicate the enhanced effectiveness of the portco’s control environment to both investors and potential buyers. This communication helps foster trust and confidence, setting the stage for a secure exit strategy. Third-party attestation through SOC reports offers potential buyers assurance that the portco has established mature internal controls. These reports serve as a valuable tool for evaluating the company’s health and independently validating the adequacy of its control environment. By providing a verified measure of the company’s control environment, SOC reporting aids in the investment decision-making process.

Getting Ready for SOC Reporting

To help generate a successful SOC Report, it is beneficial to engage a third-party advisor who will collaborate with the organization to understand the specific risks the business faces. This advisor can assist in preparing for the attestation process by conducting a readiness assessment. Contact David McKay to learn more.

Single-Sales-Factor Apportionment

Effective for tax years beginning on and after January 1, 2025, Massachusetts corporate taxpayers will be required to apportion net income using a single sales factor. That is a departure from current law, which requires corporations (other than qualifying manufacturers) to use a three-factor formula of property, payroll, and a double-weighted sales factor.

Financial Institution Receipts From Investment and Trading

Also effective for tax years beginning in 2025, H. 4104 repeals the current sourcing of financial institution receipts from investment and trading assets and activities, which generally sources those receipts to the taxpayer’s regular place of business (where day-to-day investment and trading decisions are made). Beginning in 2025, those receipts – interest, dividends, net gains, and other income from investment assets and activities and income from trading assets – will be sourced using a fraction. The numerator will be the financial institution’s Massachusetts-sourced receipts from financial activities, such as lending, credit card receivables, leasing, and the denominator will be total receipts, excluding income from investment assets and activities.

Short-Term Capital Gains

For Massachusetts personal income tax purposes, the legislation reduces the short-term capital gains rate to 8.5%, retroactive to January 1, 2023. Previously, Massachusetts taxed any gain from the sale or exchange of capital assets held for no more than one year at a rate of 12%.

‘Wealth’ Taxes

• The legislation increases the state estate tax threshold to $2 million for decedents dying on or after January 1, 2023. It also alleviates the so-called cliff effect of the Massachusetts estate tax, whereby estates valued at over $1 million were subject to tax on their entire value. The legislation grants a state estate tax credit of up to $99,600 as relief and changes how the tax on out-of-state real estate and tangible personal property is calculated.
• Effective January 1, 2023, Massachusetts enacted the millionaires surtax, an additional 4% state income tax on the portion of a taxpayer’s annual income that exceeds $1 million. For income earned on or after January 1, 2024, H. 4104 requires married couples to file Massachusetts joint income tax returns for any year in which they file federal joint income tax returns.
• H. 4104 also requires the Department of Revenue to study the effect of an additional surtax of up to 4% on pass-through entities (PTEs) that have made the Massachusetts PTE tax election.

Insights

• Affected taxpayers should model the impact of the Massachusetts apportionment changes that will be effective for tax years beginning January 1, 2025, particularly if applying economic nexus or other state nexus positions to avoid Massachusetts sales factor throwback and/or throwout.
• PTEs and their owners should watch for the Department of Revenue’s study and possible recommendations concerning a PTE surtax.” Like requiring married joint filing when a federal joint return is filed, a 4% surtax on electing PTEs is intended to address avoidance of the millionaires surtax that went into effect earlier this year.

Contact us

If you want to get ahead of your 2023 taxes, contact us and we would be happy to assist you with any of your tax needs.

Do you use an automobile in your trade or business? If so, you may question how depreciation tax deductions are determined. The rules are complicated, and special limitations that apply to vehicles classified as passenger autos (which include many pickups and SUVs) can result in it taking longer than expected to fully depreciate a vehicle.

Depreciation is built into the cents-per-mile rate

First, be aware that separate depreciation calculations for a passenger auto only come into play if you choose to use the actual expense method to calculate deductions. If, instead, you use the standard mileage rate (65.5 cents per business mile driven for 2023), a depreciation allowance is built into the rate.

If you use the actual expense method to determine your allowable deductions for a passenger auto, you must make a separate depreciation calculation for each year until the vehicle is fully depreciated. According to the general rule, you calculate depreciation over a six-year span as follows: Year 1, 20% of the cost; Year 2, 32%; Year 3, 19.2%; Years 4 and 5, 11.52%; and Year 6, 5.76%. If a vehicle is used 50% or less for business purposes, you must use the straight-line method to calculate depreciation deductions instead of the percentages listed above.

For a passenger auto that costs more than the applicable amount for the year the vehicle is placed in service, you’re limited to specified annual depreciation ceilings. These are indexed for inflation and may change annually. For example, for a passenger auto placed in service in 2023 that cost more than a certain amount, the Year 1 depreciation ceiling is $20,200 if you choose to deduct first-year bonus depreciation. The annual ceilings for later years are: Year 2, $19,500; Year 3, $11,700; and for all later years, $6,960 until the vehicle is fully depreciated.

These ceilings are proportionately reduced for any nonbusiness use. And if a vehicle is used 50% or less for business purposes, you must use the straight-line method to calculate depreciation deductions.

Reminder: Under the Tax Cuts and Jobs Act, bonus depreciation is being phased down to zero in 2027, unless Congress acts to extend it. For 2023, the deduction is 80% of eligible property and for 2024, it’s scheduled to go down to 60%.

Heavy SUVs, pickups and vans

Much more favorable depreciation rules apply to heavy SUVs, pickups, and vans used over 50% for business, because they’re treated as transportation equipment for depreciation purposes. This means a vehicle with a gross vehicle weight rating (GVWR) above 6,000 pounds. Quite a few SUVs and pickups pass this test. You can usually find the GVWR on a label on the inside edge of the driver-side door.

What matters is the after-tax cost

What’s the impact of these depreciation limits on your business vehicle decisions? They change the after-tax cost of passenger autos used for business. That is, the true cost of a business asset is reduced by the tax savings from related depreciation deductions. To the extent depreciation deductions are reduced, and thereby deferred to future years, the value of the related tax savings is also reduced due to time-value-of-money considerations, and the true cost of the asset is therefore that much higher.

The rules are different if you lease an expensive passenger auto used for business. Contact us if you have questions or want more information.

Here’s an overview of the benefits of using QuickBooks with marketing platforms:

Consolidated view of the customer. Integrating sales figures into marketing allows your company to develop data-driven marketing campaigns. For example, if a customer’s purchasing activity increases, a targeted marketing campaign that offers volume discounts could lead to additional revenue. Likewise, this combination could help your business track analytics, such as return on investment and click-through rates, from marketing programs.

More timely, targeted messaging. A marketing platform can help segment your customer base. This can allow your business to deliver strategically timed messages that target a specific audience. For example, you could send new customers promotional emails based on recent purchases. Or you could offer discounts to reengage with existing customers who haven’t made a purchase in the last 90 days.

Enhanced engagement monitoring. A centralized view of a customer’s transactions and interactions with marketing emails can provide a window into their connection with your organization. This can identify satisfied customers and those who may take their business elsewhere. For example, if a customer opens every email and clicks on the links, that shows a high level of engagement. If a customer deletes emails without opening them, it may be cause for concern.

Refined marketing campaigns. Analyzing financial and marketing data together allows your business to monitor the impact of its marketing campaigns in real-time. For example, if the first email of a marketing campaign fails to generate revenue, you can pause the process and revisit your messaging. Conversely, if an email generates significant revenue, that information could justify investing more in subsequent emails with similar messaging.

Using QuickBooks with your marketing platform may provide your business with new perspectives and insight into your customers’ buying patterns, unmet needs and connection to your brand. It can also provide actionable intelligence to facilitate deeper, mutually beneficial relationships with new and existing customers. Contact Jeff Walch for help getting the most out of data from these tools at your organization.

Completed contract vs. percentage-of-completion

Homebuilders, developers, creative agencies, engineering firms and others who perform work on long-term contracts typically report financial performance using two methods:

1. Completed contract. Under this method, revenue and expenses are recorded upon completion of the contract terms.
2. Percentage-of-completion. This method ties revenue recognition to the incurrence of job costs.

If “sufficiently dependable” estimates can be made, companies must use the latter, more-complicated method, under U.S. Generally Accepted Accounting Principles (GAAP). And, if your business uses the percentage-of-completion method for financial reporting purposes, you’ll usually need to follow suit for tax purposes.

The federal tax code provides an exception to using the percentage-of-completion method for certain small contractors with average gross receipts of $25 million or less over the last three years. This amount is adjusted annually for inflation. For 2023, the inflation-adjusted figure is $29 million.

Percentage-of-completion estimates

In general, companies that use the percentage-of-completion method report income earlier than those that use the completed contract method. To estimate the percentage complete, companies typically compare the actual costs incurred to expected total costs. Alternatively, some may opt to estimate the percentage complete with an annual completion factor.

The IRS requires detailed documentation to support estimates used in the percentage-of-completion method. In addition, the application of the percentage-of-completion method may be complicated by job cost allocation policies, change orders and changes in estimates.

Balance sheet effects

The percentage-of-completion method can also affect your balance sheet. If you underbill customers based on the percentage of costs incurred, you’ll report an asset for costs in excess of billings. Conversely, if you overbill based on the costs incurred, you’ll report a liability for billings in excess of costs.

For example, suppose you’re working on a $1 million, two-year project. You incur half of the expected costs in Year 1 ($400,000) and bill the customer $450,000. From a cash perspective, it seems like you’re $50,000 ahead because you’ve collected more than the costs you’ve incurred. But you’ve actually underbilled based on the percentage of costs incurred.

So, at the end of Year 1, you’d report $500,000 in revenue, $400,000 in costs, and an asset for costs in excess of billings of $50,000. If you had billed the customer $550,000, however, you’d report a $50,000 liability for billings in excess of costs.

Getting assistance

Although the percentage-of-completion method is complicated, if your estimates are reliable, it can provide more current insight into financial performance on long-term contracts. Contact us to help train your staff on how this method works — or we can perform the analysis for you.