Skip to Main Content

insightsarticles

Optimizing financial statements for independent schools

04.18.24

Non-profit financial statements include a wealth of important knowledge and can often be overwhelming. When sharing your financial statements with your board of directors or other stakeholders, it can be useful to simplify your financial statements so the key information stands out and unimportant information doesn’t cause confusion. In our work with independent schools and other non-profit clients, we’ve seen many ways that financial statements can be simplified to paint a clearer picture of your organization’s health.

Engage with stakeholders to improve your financial statements 

Boards, donors, creditors, and other stakeholders gain key insights to a non-profit's financial status through reading the financial statements, allowing them to make informed strategic decisions. These reports also allow for improving communication between organizations and their stakeholders. Financial reporting additionally provides historical knowledge that can assist with strategic planning and forecasting.

As a first step in improving the ease with which your financial statements can be read, proactively engage with your stakeholders to gather feedback on the effectiveness and clarity of your current financial statements. To do this, consider conducting informational sessions or webinars to explain changes and address questions. Make sure to understand the needs of your stakeholders and what financial statement items they are most interested in and tailor disclosures to address their concerns and the items that matter most to them.

Simplify your financial statement disclosures 

For any financial statements that are to be issued in accordance with US generally accepted accounting principles (US GAAP), there are a certain number of required disclosures. Subject to materiality, for each financial statement line item, there is a related disclosure, and any item in your financial information that is material should be disclosed. As a general rule, if a trial balance account is less than 5% of total revenue, it could be grouped into an “other” category instead of being presented as a separate financial statement line item. This can also be done on the statement of financial position, but using 5% of total assets or total liabilities. Removing these smaller items can put more focus on the important items within your financial statements.

Another way to simplify your financial statements is to consider removing some small, fixed assets from your statements. For example, the purchase of an office printer could technically be considered a fixed asset to be capitalized, but it’s likely not worth the effort—and it makes the financial statement look more complex than necessary. Consider implementing a financial statement capitalization policy that determines a dollar limit threshold for capitalizing fixed assets and expensing items under that threshold.

Remove disclosures once they’re no longer needed  

Other common items that can increase the length of financial statements are disclosures related to the implementation of new accounting policies. In the year of adoption, footnotes are required to explain the impact of the adoption. In following years, not as many disclosures are necessary and can be removed. Ensure that information that is remaining after the year of adoption is either required under US GAAP or is necessary to stakeholders. If it’s not, remove it.

Take ownership of your financial statements 

Although your CPA firm might assist with the preparation of the financial statements, the ultimate responsibility rests on your organization’s management team to produce financial statements in accordance with US GAAP and satisfy the needs of your stakeholders. Ensuring your financial statements are optimized opens a great opportunity for you to sit down with your audit team and discuss your needs. Contact us at any time to set up a meeting and learn more.

Related Industries

Related Services

Accounting and Assurance

Related Professionals

Principals

BerryDunn experts and consultants

Editor's note: read this if you are a CFO, controller, accountant, or business manager.

We auditors can be annoying, especially when we send multiple follow-up emails after being in the field for consecutive days. Over the years, we have worked with our clients to create best practices you can use to prepare for our arrival on site for year-end work. Time and time again these have proven to reduce follow-up requests and can help you and your organization get back to your day-to-day operations quickly. 

  1. Reconcile early and often to save time.
    Performing reconciliations to the general ledger for an entire year's worth of activity is a very time consuming process. Reconciling accounts on a monthly or quarterly basis will help identify potential variances or issues that need to be investigated; these potential variances and issues could be an underlying problem within the general ledger or control system that, if not addressed early, will require more time and resources at year-end. Accounts with significant activity (cash, accounts receivable, investments, fixed assets, accounts payable and accrued expenses and debt), should be reconciled on a monthly basis. Accounts with less activity (prepaids, other assets, accrued expenses, other liabilities and equity) can be reconciled on a different schedule.
  2. Scan the trial balance to avoid surprises.
    As auditors, one of the first procedures we perform is to scan the trial balance for year-over-year anomalies. This allows us to identify any significant irregularities that require immediate follow up. Does the year-over-year change make sense? Should this account be a debit balance or a credit balance? Are there any accounts with exactly the same balance as the prior year and should they have the same balance? By performing this task and answering these questions prior to year-end fieldwork, you will be able to reduce our follow up by providing explanations ahead of time or by making correcting entries in advance, if necessary. 
  3. Provide support to be proactive.
    On an annual basis, your organization may go through changes that will require you to provide us documented contractual support.  Such events may include new or a refinancing of debt, large fixed asset additions, new construction, renovations, or changes in ownership structure.  Gathering and providing the documentation for these events prior to fieldwork will help reduce auditor inquiries and will allow us to gain an understanding of the details of the transaction in advance of performing substantive audit procedures. 
  4. Utilize the schedule request to stay organized.
    Each member of your team should have a clear understanding of their role in preparing for year-end. Creating columns on the schedule request for responsibility, completion date and reviewer assigned will help maintain organization and help ensure all items are addressed and available prior to arrival of the audit team. 
  5. Be available to maximize efficiency. 
    It is important for key members of the team to be available during the scheduled time of the engagement.  Minimizing commitments outside of the audit engagement during on site fieldwork and having all year-end schedules prepared prior to our arrival will allow us to work more efficiently and effectively and help reduce follow up after fieldwork has been completed. 

Careful consideration and performance of these tasks will help your organization better prepare for the year-end audit engagement, reduce lingering auditor inquiries, and ultimately reduce the time your internal resources spend on the annual audit process. See you soon. 

Article
Save time and effort—our list of tips to prepare for year-end reporting

Editor’s note: Read this if you are a Chief Executive Officer, Chief Financial Officer, Chief Risk Officer, Chief Information Officer, or Controller.

Last month, the Office of the Comptroller of the Currency (OCC) issued its Semiannual Risk Perspective for Fall 2019. The report addresses key issues facing banks and focuses on those that pose threats to their safety and soundness. According to the report:

  • Bank financial performance is strong due to a favorable credit environment and the longest economic expansion in U.S. history.
  • Capital levels have reached historical highs.
  • Return on equity was above its 2006 pre-crisis level for the first time at 12.7%.
  • Net income grew 8.22% from the same period a year ago; however, net interest income grew only 4%, as loan growth is below historical averages and an increasing number of banks are facing a flat or declining net interest margin.
  • There is continued weakness in residential and commercial real estate loan growth.
  • Delinquent and nonperforming loans remain below their long-term averages.


Banks can thrive even with economic uncertainty

While these trends indicate that 2019 was by and large an excellent year, banks cannot afford to be complacent, as 2019 also saw increasing risks to the industry. For instance, in 2019 there was much discussion of the future cessation of the London InterBank Offer Rate (LIBOR). The OCC has indicated it will increase its regulatory oversight regarding the anticipated cessation, to ensure banks assess their exposure to LIBOR and are appropriately planning their transition from the widely used benchmark rate. The Financial Accounting Standards Board (FASB) is also working on a project to address accounting issues that could arise from the transition from LIBOR.

And, although 2019 continued the longest economic expansion in US history, economic uncertainty exists due to, in part, the US-China trade conflict and ongoing Brexit discussions. This economic uncertainty has caused volatility in the interest rate environment. Aside from the yield curve inverting in 2019, banks also saw the Federal Funds target rate increase 25 basis points prior to decreasing 50 basis points. Given the typically asset-sensitive nature of banks’ balance sheets, the current interest rate environment will also put pressure on net interest margins. The current volatility of interest rates has caused the OCC to conclude interest rate risk is currently at heightened levels. 

Net interest income continues to be the most significant driver of net revenues for community banks, comprising nearly 80% of net revenues. With a difficult interest rate environment and lackluster loan growth in residential and commercial real estate, banks may face a difficult path ahead. Banks should tread cautiously, especially if this uncertainty persists. Asset-liability management will need be a significant focus (more than usual) as banks try to position themselves to not only maintain profitability through this uncertainty, but also come out stronger than before. Specifically, if lower rates persist, asset growth will need be a priority over deposit growth to maintain profitability at lower net interest margins. If loan growth continues to wane, this will prove to be difficult.

Innovations to compete with new lending sources

Adding to the list of threats to performance is the increasing amount of alternative financial resources available to borrowers. Banks have traditionally been the only source of credit for borrowers. However, technology has rapidly changed that landscape. Person-to-person (P2P) lending (also known as crowd lending, or social lending), allows people to borrow funds directly from another person, cutting out traditional lending sources (banks). Additionally, blockchain technology, if the hype is accurate, has the potential to eliminate the need of a financial intermediary altogether. 

Banks are adapting to this competition and to customers looking for more convenience and alternative services by offering new, unique services that differentiate themselves from others and provide added value to the customer. Banks have delivered through remote deposit, ATMs, and interactive teller machines (ITMs). Banks will need to continue to adopt innovative services to remain competitive. 

For instance, banks could offer video conferencing services, in which customers could have a live conversation with a bank representative through their smartphone. This convenience would allow a customer to conduct a transaction, such as apply for a loan, from the convenience of their home, while still maintaining human interaction throughout the transaction. Such a service would help banks compete with digital channels offered by non-banks, such as Quicken Loans, which is now the largest mortgage originator in the United States.

Strategies to protect against technological risks

These services all require the use of existing and new technologies, which have caused banks to hold more personally identifiable information (PII) digitally across an increasing number of digital platforms. As noted by the OCC, this digital exposure has created persistent cybersecurity risks for banks. Adopting a robust cybersecurity framework is no longer an option. 

Banks should bring cybersecurity to the forefront of their strategic planning. Any strategic plan must consider cybersecurity implications, as a single disaster can be detrimental to a bank’s reputation. And, given this rapidly changing environment, the cybersecurity conversation must be ongoing through relevant bank committees and the board of directors.

Furthermore, these technological solutions require partnerships with businesses that banks would not traditionally partner with. Financial technology (fintech) companies don’t just pose as a competitor to traditional banks. Many fintech companies are offering their technological solutions to traditional banks. However, outsourcing technological solutions to fintech companies and other businesses does not relieve a bank from performing its own due diligence and ensuring those companies meet the bank’s standards. 

Banks should evaluate potential vendors to ensure they comply with the bank’s vendor management policy. Since environments are constantly changing, this evaluation should be ongoing. Many vendors now provide System and Organization Controls (SOC) reports which detail the control environment at the vendor and involve independent third-party testing of those controls that exist at the vendor. SOC reports can provide a useful starting point for evaluating a vendor’s ongoing compliance with the bank’s vendor management policy. However, it is not a substitute for ongoing communication with a vendor.

There is no doubt 2019 was a successful year for banks. But past performance is not a guarantee of future success. Banks face many challenges, risks, and uncertainties, of which only a few have been outlined above. The current landscape may be challenging but it is also filled with opportunity. Banks should consider expanding their services, adopting new technologies, and partnering with other companies to leverage their strengths. Doing so should help position themselves for an exciting decade ahead.

If you have specific concerns about challenges facing your institution, please contact the team

Article
Banking and finance: 2020 challenges and what to do to overcome them

Editor’s note: read this if you work for, or are affiliated with, a charitable organization that receives donations. Even the most mature nonprofit organizations may miss one of these filings once in a while. Some items (e.g., the donor acknowledgment letter) may feel commonplace, but a refresher—especially at a particularly busy time of the year as it pertains to giving—can fend off fines.

As the holiday season is now in full swing, the season of giving is also upon us. Perhaps not surprisingly, the month of December is by far the most charitable month of the year, accounting for almost one-third of all charitable gifts made annually. And with all that giving comes the requirement of charitable organizations to provide donor acknowledgments, a formal “thank you” of the gift being received. Different gifts require differing levels of acknowledgment, and in some cases an additional IRS form (or two) may need to be filed. Doing some work now may save you time (and a fine or two) later. 

While children are currently busy making lists for Santa Claus, in the spirit of giving we present to you our list of donor acknowledgment requirements―and best practices―to help you gain control of this issue for the holiday season and beyond.

Donor acknowledgment letters

Charitable (i.e., 501(c)(3)) organizations are required to provide a donor acknowledgment letter to each donor contributing $250 or more to the organization, whether it be cash or non-cash items (i.e., publicly traded securities, real estate, artwork, vehicles, etc.) received. The letter should include the following: 

  1. Name of the organization
  2. Amount of cash contribution
  3. Description of non-cash items (but not the value) 
  4. Statement that no goods and services were provided (assuming this is the case)
  5. Description and good faith estimate of the value of goods and services provided by the organization in return for the contribution, if any
  6. Statement that goods or services provided by the organization in return for the contribution consisted entirely of intangible religious benefit, if any

It is not necessary to include either the donor’s social security number or tax identification number on the written acknowledgment and as a best practice should not be included in the letter.

In addition to including the elements above, the written acknowledgment is also required to be contemporaneous, that is, sent out in a timely fashion. According to the IRS, a donor must receive the acknowledgment by the earlier of:

  • The date on which the donor actually files his or her individual federal income tax return for the year of the contribution
  • The due date (including extensions) of the return in order to be considered contemporaneous

Quid pro quo disclosure statements

When a donor makes a payment greater than $75 to a charitable organization partly as a contribution and partly as a payment for goods and services, a disclosure statement is required to notify the donor of the value of the goods and services received in order for the donor to determine the charitable contribution component of their payment.

An example of this would be if the organization sold tickets to its annual fundraising dinner event. Assume the ticket costs $100 and at the event the ticketholder receives a dinner valued at $40. In this example, the donor’s tax deduction may not exceed $60. Because the donor’s payment (quid pro quo contribution) exceeds $75, the charitable organization must furnish a disclosure statement to the donor, even though the deductible amount doesn’t exceed $75.

It’s important to note that there are some exclusions to these requirements if the value received is considered to be de minimis (known as the Token Exception), but the value received needs to be relatively small (e.g., receiving a coffee mug with a picture of the organization’s logo on it). Please consult your tax advisor for more details.

If the organization does not issue disclosure statements, the IRS can issue penalties of $10 per contribution, not to exceed $5,000 per fundraising event or mailing. An organization may be able to avoid the penalty if reasonable cause can be demonstrated.

Receiving or selling donated noncash property? Forms 8283 & 8282 may be required.

If a charitable organization receives noncash donations, it may be asked to sign Form 8283. This form is required to be filed by the donor and included with their personal income tax return. If a donor contributes noncash property (excluding publicly traded securities) valued at over $5,000, the organization will need to sign Form 8283, Section B, Part IV acknowledging receipt of the noncash item(s) received.

By signing Form 8283, the donee organization is not only acknowledging receipt, but is also affirming that if the property being received is sold, exchanged, or otherwise disposed of within three years of the original donation date, the organization will be required to file Form 8282. A copy of this form is filed with the IRS and must also be provided to the original donor. Form 8282 is not required for sales of donated publicly traded securities. The penalty for failure to file Form 8282 when required is generally $50 per form.

Cars, boats, and yes, even airplanes? That would be Form 1098-C.

An airplane? Yes, even an airplane can be donated, and the donee organization must file a separate Form 1098-C, Contributions of Motor Vehicles, Boats, and Airplanes, with the IRS for each contribution of a qualified vehicle that has a claimed value of more than $500. Contemporaneous written acknowledgment requirements apply here too, and Form 1098-C can act as acknowledgment for this purpose. An acknowledgment is considered contemporaneous if it is furnished to the donor no later than 30 days after the date of the contribution if you plan to use the item for a mission-related purpose, or 30 days after the date of the sale of the item to an unrelated third party.

Penalties for failure to provide contemporaneous written acknowledgment for qualified vehicles can be pretty stiff, generally calculated as a percentage of the sale price if sold, or a percentage of the claimed value if not sold. Should you have any questions or receive a request regarding any of the forms noted above, please consult your tax advisor.

As you can see, the rules around donor acknowledgments can seem a lot like Grandma’s fruitcake―complex and perhaps a bit on the nutty side. When issuing donor acknowledgments this holiday season and beyond, be sure to review the list above and check it twice. Doing so may end up keeping you off of the IRS’s naughty list!

Article
Donor acknowledgments: We have to file what?

Editor’s note: Read this if your organization is an entity with significant lease transactions with terms greater than a year.  

Updated: June 2020

The new Accounting Standards Codification Topic 842 (ASC 842) lease accounting standard is actually not that new. The Financial Accounting Standards Board (FASB) first released the standard in 2016 but, due to a series of delays, it hasn’t been required yet. Even with delays, some organizations have already started to implement ASC 842. They include:

  1. Public business entities
  2. Not-for-profits that have issued or are conduit bond obligors for securities traded, listed, or quoted on an exchange or an over the-counter market

All other entities will start implementing for fiscal years starting after December 15, 2021 and internal periods within fiscal years beginning after December 15, 2022 (January 1 for calendar reporting periods).

Here’s a quick rundown of the lease classifications and how they’ll impact your financial statements.  

Classifying leases

Under the new standards, leases fall into one of two classifications: finance leases and operating leases. This classification makes all the difference in how leases are reported in the financial statements. 

Finance lease

A finance lease essentially treats an asset as if it were purchased by the lessee and financed with funds from the lessor. This prevents companies from hiding financial obligations that are basically liabilities. ASC 842 requires leases to be classified as finance leases if they meet any of the following five criteria:

  1. The lease transfers ownership of the underlying asset to the lessee by the end of the lease term.
  2. The lease grants the lessee an option to purchase the underlying asset that the lessee is reasonably certain to exercise.
  3. The lease term is for the major part of the remaining economic life of the underlying asset. However, if the commencement date falls at or near the end of the economic life of the underlying asset, this criterion shall not be used for purposes of classifying the lease.
  4. The present value of the sum of the lease payments and any residual value guaranteed by the lessee that is not already reflected in the lease payments in accordance with paragraph 842-10-30-5(f) equals or exceeds substantially all of the fair value of the underlying asset.
  5. The underlying asset is of such a specialized nature that it is expected to have no alternative use to the lessor at the end of the lease term.

As you can see from the five criteria, finance leases are just purchase arrangements financed over time. ASC 842 is designed to reflect that and improve transparency for investors and other stakeholders.  

Operating lease

Any lease not meeting any of the above criteria is classified as an operating lease. 

No more off-book leases

One of the problems ASC 842 seeks to solve is “off-book” operating leases that show up only as notes on the balance sheet and cloud the debt ratios of companies. Under the new standards, both operating and finance leases will be reported on the balance sheet. The only exceptions are certain leases with terms of 12 months of less. 

Recording finance vs. operating leases

With both operating and finance leases reported on the balance sheet, what’s the difference between the two? The major difference is the way they are recorded on the income statement:

  • Interest and amortization are recorded separately on the income statement for finance leases.
  • Operating leases will report a single line item based on the lease payment. 
  • Principal repayments for finance lease are classified as financing activities.
  • Payments on operating leases are classified as operating activities.

Next Steps 

Make sure you start by implementing for fiscal years starting after December 15, 2021 and internal periods within fiscal years beginning after December 15, 2022. If you have questions about finance or operating leases, or need help with the new standard, please don’t hesitate to contact the team

Download our lease classification infographic for a comparison of finance and operating leases under ASC 842.

Download our Lease Classification Infographic

Article
ASC 842 lease accounting standards: Finance and operating leases

A version of this article was previously published on the Massachusetts Nonprofit Network

Editor’s note: While this article is not technical in nature, you should read it if you are involved in IT security, auditing, and management of organizations that may participate in strategic planning and business activities where considerations of compliance and controls is required.

As we find ourselves in a fast-moving, strong business growth environment, there is no better time to consider the controls needed to enhance your IT security as you implement new, high-demand technology and software to allow your organization to thrive and grow. Here are five risks you need to take care of if you want to build or maintain strong IT security.

1. Third-party risk management―It’s still your fault

We rely daily on our business partners and vendors to make the work we do happen. With a focus on IT, third-party vendors are a potential weak link in the information security chain and may expose your organization to risk. However, though a data breach may be the fault of a third-party, you are still responsible for it. Potential data breaches and exposure of customer information may occur, leaving you to explain to customers and clients answers and explanations you may not have. 

Though software as a service (SaaS) providers, along with other IT third-party services, have been around for well over a decade now, we still neglect our businesses by not considering and addressing third-party risk. These third-party providers likely store, maintain, and access company data, which could potentially contain personally identifiable information (names, social security numbers, dates of birth, addresses), financial information (credit cards or banking information), and healthcare information of your customers. 

While many of the third-party providers have comprehensive security programs in place to protect that sensitive information, a study in 2017 found that 30% of data breaches were caused by employee error or while under the control of third-party vendors.1  This study reemphasizes that when data leaves your control, it is at risk of exposure. 

In many cases, procurement and contracting policies likely have language in contracts that already establish requirements for third-parties related to IT security; however the enforcement of such requirements and awareness of what is written in the contract is not enforced or is collected, put in a file, and not reviewed. What can you do about it?

Improved vendor management

It is paramount that all organizations (no matter their size) have a comprehensive vendor management program that goes beyond contracting requirements in place to defend themselves against third-party risk which includes:

  1. An inventory of all third-parties used and their criticality and risk ranking. Criticality should be assigned using a “critical, high, medium or low” scoring matrix. 
  2. At time of onboarding or RFP, develop a standardized approach for evaluating if potential vendors have sufficient IT security controls in place. This may be done through an IT questionnaire, review of a Systems and Organization Controls (SOC report) or other audit/certifications, and/or policy review. Additional research may be conducted that focuses on management and the company’s financial stability. 
  3. As a result of the steps in #2, develop a vendor risk assessment using a high, medium and low scoring approach. Higher risk vendors should have specific concerns addressed in contracts and are subject to more in depth annual due diligence procedures. 
  4. Reporting to senior management and/or the board annually on the vendors used by the organization, the services they perform, their risk, and ways the organization monitors the vendors. 

2. Regulation and privacy laws―They are coming 

2018 saw the implementation of the European Union’s General Data Privacy Regulation (GDPR) which was the first major data privacy law pushed onto any organization that possesses, handles, or has access to any citizen of EU’s personal information. Enforcement has started and the Information Commissioner’s Office has begun fining some of the world’s most famous companies, including substantial fines to Marriott International and British Airways of $125 million and $183 million Euros, respectively.2  Gone are the days where regulations lacked the teeth to force companies into compliance. 

With thanks to other major data breaches where hundreds of millions’ consumers private information was lost or obtained (e.g., Experian), more regulation is coming. Although there is little expectation of an American federal requirement for data protection, individual states and other regulating organizations are introducing requirements. Each new regulation seeks to protect consumer privacy but the specifics and enforcement of each differ. 

Expected to be most impactful in 2019 is the California Consumer Privacy Act,  which applies to organizations that handle, collect, or process consumer information and do business in the state of California (you do not have to be located in CA to be under the umbrella of enforcement).

In 2018, Maine passed the toughest law on telecommunications providers for selling consumer information. Massachusetts’ long standing privacy and data breach laws were amended with stronger requirements in January of 2019. Additional privacy and breach laws are in discussion or on the table for many states including Colorado, Delaware, Ohio, Oregon, Ohio, Vermont, and Washington, amongst others.      

Preparation and awareness are key

All organizations, no matter your line of business must be aware of and understand current laws and proposed legislation. New laws are expected to not only address the protection of customer data, but also employee information. All organizations should monitor proposed legislation and be aware of the potential enforceable requirements. The good news is that there are a lot of resources out there and, in most cases, legislative requirements allow for grace periods to allow organizations to develop a complete understanding of proposed laws and implement needed controls. 

3. Data management―Time to cut through the clutter 

We all work with people who have thousands of emails in their inbox (in some cases, dating back several years). Those users’ biggest fears may start to come to fruition―that their “organizational” approach of not deleting anything may come to an end with a simple email and data retention policy put in place by their employer. 

The amount of data we generate in a day is massive. Forbes estimates that we generate 2.5 quintillion bytes of data each day and that 90% of all the world’s data was generated in the last two years alone.3 While data is a gold mine for analytics and market research, it is also an increasing liability and security risk. 

Inc. Magazine says that 73% of the data we have available to us is not used.4 Within that data could be personally identifiable information (such as social security numbers, names, addresses, etc.); financial information (bank accounts, credit cards etc.); and/or confidential business data. That data is valuable to hackers and corporate spies and in many cases data’s existence and location is unknown by the organizations that have it. 

In addition to the security risk that all this data poses, it also may expose an organization to liability in the event of a lawsuit of investigation. Emails and other communications are a favorite target of subpoenas and investigations and should be deleted within 90 days (including deleted items folders). 

Take an inventory before you act

Organizations should first complete a full data inventory and understand what types of data they maintain and handle, and where and how they store that data. Next, organizations can develop a data retention policy that meets their needs. Utilizing backup storage media may be a solution that helps reduce the need to store and maintain a large amount of data on internal systems. 

4. Doing the basics right―The simple things work 

Across industries and regardless of organization size, the most common problem we see is the absence of basic controls for IT security. Every organization, no matter their size, should work to ensure they have controls in place. Some must-haves:

  • Established IT security policies
  • Routine, monitored patch management practices (for all servers and workstations)
  • Change management controls (for both software and hardware changes)
  • Anti-virus/malware on all servers and workstations
  • Specific IT security risk assessments 
  • User access reviews
  • System logging and monitoring 
  • Employee security training

Go back to the basics 

We often see organizations that focus on new and emerging technologies, but have not taken the time to put basic security controls in place. Simple deterrents will help thwarting hackers. I often tell my clients a locked car scares away most ill-willed people, but a thief can still smash the window.  

Smaller organizations can consider using third-party security providers, if they are not able to implement basic IT security measures. From our experience, small organizations are being held to the same data security and privacy expectations by their customers as larger competitors and need to be able to provide assurance that controls are in place.  

5. Employee retention and training 

Unemployment rates are at an all-time low, and the demand for IT security experts at an all-time high. In fact, Monster.com reported that in 2019 the unemployment rate for IT security professionals is 0%.5 

Organizations should be highly focused on employee retention and training to keep current employees up-to-speed on technology and security trends. One study found that only 15% of IT security professionals were not looking to switch jobs within one year.6  

Surprisingly, money is not the top factor for turnover―68% of respondents prioritized working for a company that takes their opinions seriously.6 

For years we have told our clients they need to create and foster a culture of security from the top down, and that IT security must be considered more than just an overhead cost. It needs to align with overall business strategy and goals. Organizations need to create designated roles and responsibilities for security that provide your security personnel with a sense of direction―and the ability to truly protect the organization, their people, and the data. 

Training and support goes a long way

Offering training to security personnel allows them to stay abreast of current topics, but it also shows those employees you value their knowledge and the work they do. You need to train technology workers to be aware of new threats, and on techniques to best defend and protect from such risks. 

Reducing turnover rate of IT personnel is critical to IT security success. Continuously having to retrain and onboard employees is both costly and time-consuming. High turnover impacts your culture and also hampers your ability to grow and expand a security program. 

Making the effort to empower and train all employees is a powerful way to demonstrate your appreciation and support of the employees within your organization—and keep your data more secure.  

Our IT security consultants can help

Ensuring that you have a stable and established IT security program in place by considering the above risks will help your organization adapt to technology changes and create more than just an IT security program, but a culture of security minded employees. 

Our team of IT security and control experts can help your organization create and implement controls needed to consider emerging IT risks. For more information, contact the team
 

Sources:
[1] https://iapp.org/news/a/surprising-stats-on-third-party-vendor-risk-and-breach-likelihood/  
[2] https://resources.infosecinstitute.com/first-big-gdpr-fines/
[3] https://www.forbes.com/sites/bernardmarr/2018/05/21/how-much-data-do-we-create-every-day-the-mind-blowing-stats-everyone-should-read/#458b58860ba9
[4] https://www.inc.com/jeff-barrett/misusing-data-could-be-costing-your-business-heres-how.html
[5] https://www.monster.com/career-advice/article/tech-cybersecurity-zero-percent-unemployment-1016
[6] https://www.securitymagazine.com/articles/88833-what-will-improve-cyber-talent-retention

Article
Five IT risks everyone should be aware of

Proposed House bill brings state income tax standards to the digital age

On June 3, 2019, the US House of Representatives introduced H.R. 3063, also known as the Business Activity Tax Simplification Act of 2019, which seeks to modernize tax laws for the sale of personal property, and clarify physical presence standards for state income tax nexus as it applies to services and intangible goods. But before we can catch up on today, we need to go back in time—great Scott!

Fly your DeLorean back 60 years (you’ve got one, right?) and you’ll arrive at the signing of Public Law 86-272: the Interstate Income Act of 1959. Established in response to the Supreme Court’s ruling on Northwestern States Portland Cement Co. v. Minnesota, P.L. 86-272 allows a business to enter a state, or send representatives, for the purposes of soliciting orders for the sale of tangible personal property without being subject to a net income tax.

But now, in 2019, personal property is increasingly intangible—eBooks, computer software, electronic data and research, digital music, movies, and games, and the list goes on. To catch up, H.R. 3063 seeks to expand on 86-272’s protection and adds “all other forms of property, services, and other transactions” to that exemption. It also redefines business activities of independent contractors to include transactions for all forms of property, as well as events and gathering of information.

Under the proposed bill, taxpayers meet the standards for physical presence in a taxing jurisdiction, if they:

  1.  Are an individual physically located in or have employees located in a given state; 
  2. Use the services of an agent to establish or maintain a market in a given state, provided such agent does not perform the same services in the same state for any other person or taxpayer during the taxable year; or
  3. Lease or own tangible personal property or real property in a given state.

The proposed bill excludes a taxpayer from the above criteria who have presence in a state for less than 15 days, or whose presence is established in order to conduct “limited or transient business activity.”

In addition, H.R. 3063 also expands the definition of “net income tax” to include “other business activity taxes”. This would provide protection from tax in states such as Texas, Ohio and others that impose an alternate method of taxing the profits of businesses.

H.R. 3063, a measure that would only apply to state income and business activity tax, is in direct contrast to the recent overturn of Quill Corp. v. North Dakota, a sales and use tax standard. Quill required a physical presence but was overturned by the decision in South Dakota v. Wayfair, Inc. Since the Wayfair decision, dozens of states have passed legislation to impose their sales tax regime on out of state taxpayers without a physical presence in the state.

If enacted, the changes made via H.R. 3063 would apply to taxable periods beginning on or after January 1, 2020. For more information: https://www.congress.gov/bill/116th-congress/house-bill/3063/text?q=%7B%22search%22%3A%5B%22hr3063%22%5D%7D&r=1&s=2
 

Article
Back to the future: Business activity taxes!

LIBOR is leaving—is your financial institution ready to make the most of it?

In July 2017, the UK’s Financial Conduct Authority announced the phasing out of the London Interbank Offered Rate, commonly known as LIBOR, by the end of 20211. With less than two years to go, US federal regulators are urging financial institutions to start assessing their LIBOR exposure and planning their transition. Here we offer some general impacts of the phasing out, some specific actions your institution can take to prepare, and, finally, background on how we got here (see Background at right).

How will the phase-out impact financial institutions?

The Federal Reserve estimates roughly $200 trillion in LIBOR-indexed notional value transactions in the cash and derivatives market2. LIBOR is used to help price a variety of financial services products,  including $3.4 trillion in business loans and $1.3 trillion in consumer loans, as well as derivatives, swaps, and other credit instruments. Even excluding loans and financial instruments set to mature before 2021—estimated by the FDIC at 82% of the above $200 trillion—LIBOR exposure is still significant3.

A financial institution’s ability to lend money is largely dependent on the relative stability of its capital position, or lack thereof. For institutions with a significant amount of LIBOR-indexed assets and liabilities, that means less certainty in expected future cash flows and a less stable capital position, which could prompt institutions to deny loans they might otherwise have approved. A change in expected cash flows could also have several indirect consequences. Criticized assets, assessed for impairment based on their expected future cash flows, could require a specific reserve due to lower present value of expected future cash flows.

The importance of fallback language in loan agreements

Fallback language in loan agreements plays a pivotal role in financial institutions’ ability to manage their LIBOR-related financial results. Most loan agreements include language that provides guidance for determining an alternate reference rate to “fall back” on in the event the loan’s original reference rate is discontinued. However, if this language is non-existent, contains fallbacks that are no longer adequate, or lacks certain key provisions, it can create unexpected issues when it comes time for financial institutions to reprice their LIBOR loans. Here are some examples:

  • Non-existent or inadequate fallbacks
    According to the Alternative Reference Rates Committee, a group of private-market participants convened by the Federal Reserve to help ensure a successful LIBOR transition, "Most contracts referencing LIBOR do not appear to have envisioned a permanent or indefinite cessation of LIBOR and have fallbacks that would not be economically appropriate"4.

    For instance, industry regulators have warned that without updated fallback language, the discontinuation of LIBOR could prompt some variable-rate loans to become fixed-rate2, causing unanticipated changes in interest rate risk for financial institutions. In a declining rate environment, this may prove beneficial as loans at variable rates become fixed. But in a rising rate environment, the resulting shrink in net interest margins would have a direct and adverse impact on the bottom line.

  • No spread adjustment
    Once LIBOR is discontinued, LIBOR-indexed loans will need to be repriced at a new reference rate, which could be well above or below LIBOR. If loan agreements don’t provide for an adjustment of the spread between LIBOR and the new rate, that could prompt unexpected changes in the financial position of both borrowers and lenders3. Take, for instance, a loan made at the Secured Overnight Financing Rate (SOFR), generally considered the likely replacement for USD LIBOR. Since SOFR tends to be lower than three-month LIBOR, a loan agreement using it that does not allow for a spread adjustment would generate lower loan payments for the borrower, which means less interest income for the lender.

    Not allowing for a spread adjustment on reference rates lower than LIBOR could also cause a change in expected prepayments—say, for instance, if borrowers with fixed-rate loans decide to refinance at adjustable rates—which would impact post-CECL allowance calculations like the weighted-average remaining maturity (WARM) method, which uses estimated prepayments as an input.

What can your financial institution do to prepare?

The Federal Reserve and the SEC have urged financial institutions to immediately evaluate their LIBOR exposure and expedite their transition. Though the FDIC has expressed no intent to examine financial institutions for the status of LIBOR planning or critique loans based on use of LIBOR3, Federal Reserve supervisory teams have been including LIBOR transitions in their regular monitoring of large financial institutions5. The SEC has also encouraged companies to provide investors with robust disclosures regarding their LIBOR transition, which may include a notional value of LIBOR exposure2.

Financial institutions should start by analyzing their LIBOR exposure beyond 2021. If you don’t expect significant exposure, further analysis may be unnecessary. However, if you do expect significant future LIBOR exposure, your institution should conduct stress testing using LIBOR as an isolated variable by running hypothetical transition scenarios and assessing the potential financial impact.

Closely examine and assess fallback language in loan agreements. For existing loan agreements, you may need to make amendments, which could require consent from counterparties2. For new loan agreements maturing beyond 2021, lenders should consider selecting an alternate reference rate. New contract language for financial instruments and residential mortgages is currently being drafted by the International Securities Dealers Association and the Federal Housing Finance Authority, respectively3—both of which may prove helpful in updating loan agreements.

Lenders should also consider their underwriting policies. Loan underwriters will need to adjust the spread on new loans to accurately reflect the price of risk, because volatility and market tendencies of alternate loan reference rates may not mirror LIBOR’s. What’s more, SOFR lacks abundant historical data for use in analyzing volatility and market tendencies, making accurate loan pricing more difficult.

Conclusion: Start assessing your LIBOR risk soon

The cessation of LIBOR brings challenges and opportunities that will require in-depth analysis and making difficult decisions. Financial institutions and consumers should heed the advice of regulators and start assessing their LIBOR risk now. Those that do will not only be better prepared―but also better positioned―to capitalize on the opportunities it presents.

Need help assessing your LIBOR risk and preparing to transition? Contact BerryDunn’s financial services specialists.

1 https://www.washingtonpost.com/business/2017/07/27/acdd411c-72bc-11e7-8c17-533c52b2f014_story.html?utm_term=.856137e72385
2 Thomson Reuters Checkpoint Newsstand April 10, 2019
3 https://www.fdic.gov/regulations/examinations/supervisory/insights/siwin18/si-winter-2018.pdf
4 https://bankingjournal.aba.com/2019/04/libor-transition-panel-recommends-fallback-language-for-key-instruments/
5 https://www.reuters.com/article/us-usa-fed-libor/fed-urges-u-s-financial-industry-to-accelerate-libor-transition-idUSKCN1RM25T

Article
When one loan rate closes, another opens