Information and data are critical to the operation of every business. Whether running a local law firm or a multinational manufacturing operation, information technology systems are essential to your ongoing success. As data and technology become more and more entrenched in business operations, they can also represent a serious vulnerability. Data connects, facilitates and supports every part of most organizations. What happens if disaster strikes and critical information is suddenly unavailable?

For many businesses, a loss of data or system functionality would be a catastrophic event. Every second without working technology systems may lead to a significant loss in revenue. So how can businesses protect their technology systems and plan for efficient recovery when disaster strikes?

Smart Business spoke with Igor Zaika, IT and security director at Sensiba San Filippo LLP, about how companies can plan for and recover from disasters.

What are some causes of a disaster?

Threats to technology systems can come from many different directions. Hardware failures, human error, and natural disasters such as fire, floods and earthquakes can threaten hardware systems and the data they store.

Software corruption, viruses, ransomware and other unseen threats can also hit at any time, regardless of how well-secured a system may be. And for every known threat, there are many unknown threats that are hard to predict.

How should a company approach disaster recovery?

First and foremost, information security and disaster recovery should be approached strategically at the organizational level. Business owners need to take a proactive approach to protecting their businesses and their clients’ data. In today’s relatively ‘hostile’ IT environment with increasing threats, business owners can no longer hope that their IT teams have it under control. They need to plan for a disaster to occur and proactively have a recovery plan in place. Involve stakeholders throughout the organization, and identify critical processes that could be affected. Ask a lot of what-if questions, identify your most significant vulnerabilities, and develop an overall business strategy to sustain and restore your business operations in the event of a disaster.

What components should a good disaster recovery plan include?

There are several critical components that every disaster recovery plan should address. The first is a critical process assessment.

Understand how critical processes throughout the organization are affected by your technology systems. You’ll also need good back-up procedures. Good, clean data is critical to recovery.

Next, you should develop recovery procedures. Your recovery plan should lay out in detail instructions for each step that must be taken. Implementation and testing procedures will give you the peace of mind of a successful disaster recovery.

Finally, you’ll need a good maintenance plan. Swiftly changing technology, processes and threats will require your recovery plan to be frequently updated to remain effective.

Can the cloud and other technology help?

Utilizing cloud technology can be a great way to gain productivity, simplify your infrastructure and minimize potential risks of a disaster. However, before embracing the cloud, understand the impact to your business processes, compliance requirements and of course, your employees. Technology can be very useful in protecting your business from disaster, but it is important to understand that no single piece of technology constitutes a recovery plan. A great example of utilizing cloud technology as a part of your disaster recovery strategy is an all-in-one backup appliance. It allows you to protect your assets, simplify disaster recovery and replicate data to the cloud for added protection.

Disaster recovery should be a part of every organization’s strategic plan. Data and technology are too important to leave anything to chance. Find a technology partner that you trust and work with them to design, implement and troubleshoot a comprehensive disaster recovery plan. Taking a proactive approach today to disaster recovery will ensure your success tomorrow.

Igor Zaika is IT and security director at Sensiba San Filippo LLP. Reach him at (925) 271-8700 or

Insights Accounting is brought to you by Sensiba San Filippo LLP

Published in Northern California

To provide or not to provide? That is the most pressing health insurance question facing companies across the country this year. As implementation of the Affordable Care Act moves forward, many businesses are making strategic decisions regarding health care benefits. Those that have sponsored health insurance for years are now considering dropping coverage and reallocating resources.

But what are the true costs of dropping coverage? While the questions may be simple, the analysis can get fairly complex and extend beyond easily identifiable costs.

Smart Business spoke with Sholly Nicholson, human resources manager at Sensiba San Filippo LLP, to examine some of the most important health care questions businesses face this year.

How should businesses approach their health care coverage decisions?

It is critical for any company to evaluate health care coverage based on the anticipated impact it will have on the entire organization. That means considering both easily recognizable and potentially hidden costs associated with sponsoring or dropping coverage. Will dropping coverage negatively affect your ability to attract and retain talent? Will it result in a loss of valuable personnel, and if so, to what degree?

What are the benefits to providing health care coverage?

Depending on the nature of your business, employer-sponsored health care plans might already be expected. It’s possible to drop coverage and increase employee pay to allow them to choose their own plans on the health care exchange networks. However, continuing coverage can be a critical part of strategic planning.

Employer-sponsored plans provide control over the plan’s design and benefits available to employees. If you operate in an industry with heated competition for a limited talent pool, selecting and managing your plan could provide a competitive advantage. With current uncertainty regarding exchange health plans, employees may feel more comfortable knowing that your organization is selecting a plan that allows them access to the doctors and hospitals they want.

What can companies do to control rates?

If you decide to offer health care benefits, managing costs will be critical moving forward. Get as many quotes as possible. Insurance providers are always offering new plan designs and premium pricing.

Incentives can be offered to employees who participate in annual health risk assessments, biometric screenings or other wellness initiatives. Promoting health and well-being through education, exercise facilities and nutrition initiatives can have a long-term effect on the number of claims incurred, which will have a significant effect on your group rates.

What should a company consider when designing its plan?

Not all plans are created equal, and the organizational benefits of a well-designed and well-managed plan can be substantial. It’s important to look closely at the provider network.

Will your employees be covered by the primary care physicians they want? Will they have access to the best hospital facilities? Smart companies review residential locations and current providers of their employees before making any changes.

The structure of the plan can also be important. To balance costs and benefits, many companies are moving toward high deductible plans combined with health savings accounts (HSAs). The high deductible plans keep premiums under control, while HSAs allow employees to set aside money pretax to offset deductibles.

What’s the best advice you can provide regarding health care coverage decisions?

The health care decisions you make today will have a profound effect on the future of your organization. A happy and healthy workplace will be productive and profitable.

The right answer is unique to every company, but the best approach to finding that answer is consistent: Expand the scope of your analysis and conduct a broad investigation in order to discover how your health care decisions will affect your company moving forward. If you consider all of the ramifications of your decisions and align your strategy with your desired outcome, you will find the best solution for your employees and organization.

Sholly Nicholson is human resources manager at Sensiba San Filippo LLP. Reach her at (408) 286-7780 or


Published in Northern California

As technology continues to make the world seem smaller, more U.S.-based companies are looking overseas for untapped opportunities. International expansion has traditionally been undertaken primarily by large, multi-national companies. Today, small, private companies are increasingly venturing outside the U.S. But seeking overseas opportunities comes with a different rulebook. What are the hazards and pitfalls that companies may encounter when expanding internationally?

Smart Business spoke with Greg Brown, tax partner at Sensiba San Filippo LLP, to discuss why more businesses are considering overseas expansion and what they need to know before investing in international markets.

Why are more and more companies looking overseas for opportunity?

In recent years, we’ve seen locally based companies looking into international expansion for two primary reasons: increased sales opportunities and access to new talent pools. Consumer markets are expanding across the globe, while Bay Area technology companies are increasingly looking to India, the U.K. and Asia for specialized talent. In both cases, in order to increase their probability of success, company decision-makers need to educate themselves or partner with those who know about the geographies they are entering.

What’s the first thing a company should do prior to opening a foreign operation?  

Most businesses considering foreign expansion already have a good idea where they want to go and why they are going there, but their certainty isn’t always the result of thorough planning. It is not unusual for a business to make a snap decision about entering into a contract with a foreign customer or to hire a talented foreign employee without doing its homework. While the business decision may make sense, the company may not know the operational or cultural challenges and the tax implications of the decision.

Companies venturing out should use qualified advisers who have local connections and experience in the country where they are considering doing business. These advisers can navigate through the applicable laws and provide valuable advisory services to the stateside leaders. Many law and accounting firms have international resources and can often connect their clients with these advisers through global professional affiliations.

How can culture affect the outcome of an overseas venture?

Cultural differences are often overlooked during international expansion. Without prior experience in a specific location or the luxury of a local partner, it’s easy to miss cultural differences that could significantly impact the success of a venture. An understanding of proper manners and etiquette is important and should be valued. A local adviser or business partner can help you understand cultural differences ahead of time and potentially avoid embarrassing faux pas.

How important are the tax ramifications of international business?

The tax ramifications of operating in a foreign country are an important aspect of the overall business decision. Businesses should consider what level of activity would cause them to come under the laws of another country, and what they’ll need to do to ensure compliance. Even having a few employees in a foreign country may require the company to file tax returns and possibly pay tax. Establishing a subsidiary comes with additional requirements, such as transfer pricing agreements.  

Moving existing employees to another country or having them work overseas will more than likely require them to pay foreign and U.S. taxes. It is normal for companies to enter into agreements with these employees in order to equalize the financial tax burden and benefits that result from overseas employment.

Any other advice you want to share?

Have a clear vision of what you want to do, educate yourself and your team, and use competent legal, tax and business advisers. Start by talking with your lawyer and accountant. Many professional advisory firms have experience in foreign operations and very useful contacts in other countries that can help ensure that your venture has the greatest possibility for success.

Greg Brown, CPA, MST, is a tax partner at Sensiba San Filippo LLP. Reach him at (408) 286-7780 or


Published in Northern California

In this day and age, only a small number of businesses can function without a network of computers. Unfortunately, there are inherent risks to computer usage — hackers, viruses, worms, spyware, malware, unethical use of stolen passwords and credentials, unauthorized data removal by employees with USB flash drives, or servers crashing and bringing productivity to a halt. Owners of small to midsize businesses have to be cautious of cyberattackers, and depending on your industry, your business may be an easier target than larger businesses.

With cyberattacks on the rise, Smart Business spoke with Jalal Nazeri, a certified information systems auditor at Sensiba San Filippo LLP, to discuss what business owners can do to protect themselves.

What is the first step toward protection?

The first task in creating a secure network is to draft a security policy, which, if carefully managed, can lower the risk of these threats.

When drafting a policy, consider every perceived threat, no matter how unlikely it may seem. Communicating and monitoring these policies regularly will lay the groundwork for compliance in defense of your network.

There are a number of core ideas to consider in implementing a policy. First, you will need to do a risk assessment to identify risks and determine the best methods to prepare for them. Then you will need to classify data by sensitivity level and develop access restrictions. Consider what the security requirements are of an authorized user and assess the possible risk, both logical and physical. In addition, create a plan to back up each user’s data. Finally, ongoing monitoring and maintenance of your risk assessment and the underlying policies and procedures is a must.


How do you manage employees’ usage of company computers?

An acceptable use policy is a common element to include in your security policy. The acceptable use policy restricts users by giving them guidelines on what they can and cannot do on your company’s network. Adding these restrictions can place an inconvenience on the end user, but it’s imperative to have them in place for the protection of your organization. The end user can be an organization’s weakest point.

Once a user reviews the policy and accepts the restrictions in place, it’s important that he or she sign the policy. Users should be made to re-sign the policy whenever it changes, and at regular intervals even when unchanged. Some companies set a six-month timeline, others vary. The value of the policy depends on the communication and monitoring of compliance. Without enforcement, its value is greatly reduced.

What are other tools businesses can use?

A few other key items a business can use are firewalls, content filters, encryption, virus protection, and accounts and passwords. Business owners need to maintain these tools, not just put them in place and forget about them.

Firewalls act as a barrier to the internal network, blocking unwanted traffic, while content filters restrict material delivered on the network and control what content is available to users on the Internet. Encryption is becoming more vital for transferring and storing data, whether it is for regulatory compliance or customer protection from theft.

Anti-virus software is a must on all your servers and workstations. A scheduled virus scan should never be missed, and always have automatic updates turned on.

Never use generic passwords or account names, and restrict users to using only their own login. Passwords should follow a complexity requirement, like the use of a mix of letters, punctuation, symbols and numbers, and should also have a limited lifetime and a rotation.

What is the value of taking these steps?

With small to midsize businesses, budget is always a major consideration in what is plausible in obtaining the most secured environment. With a good policy in place, identification of priority spending can be determined and can reduce the need for excess software and hardware.

Cyberattackers look to gain access to networks that have the least amount of resistance. A good security policy protects data against potential threats. Without one, the company may incur significant remediation costs, lose productivity and even lose clients.

Jalal Nazeri is a certified information systems auditor at Sensiba San Filippo LLP. Reach him at (925) 271-8700 or


Published in Northern California

Service organizations are trusted with some of their customers’ most sensitive information. In order to thrive, these organizations need their stakeholders’ full faith that their internal controls safeguard both financial and nonfinancial information, and are designed and operating effectively. How can service organizations demonstrate that their control systems are protecting their customers? According to the American Institute of Certified Public Accountants (AICPA), Service Organization Control (SOC) reports are the answer.

Smart Business spoke with Jeff Stark, audit partner at Sensiba San Filippo LLP, about SOC reporting and how it helps service organizations provide the broad spectrum of assurance their stakeholders require.

What are SOC reports?

SOC reports are standards created by the AICPA to allow for reporting on controls at service organizations. There are three types of SOC reports: SOC 1, SOC 2 and SOC 3. Together, they both replace and expand on Statements on Auditing Standards (SAS) 70 reports, giving service organizations the tools they need to provide the assurance their stakeholders require.

Though not widely known, SOC reports are becoming essential to the ongoing growth of the technology service sector as more businesses are outsourcing tasks and functions to outside service providers. Since the risk of the service provider becomes the risk of their stakeholders and customers, SOC reports provide much needed assurance, empowering service organizations to gain trust, while helping to protect their stakeholders from outside risk.

Why was SAS 70 replaced?

Since 1992, SAS 70 has provided service organizations with a vehicle to disclose control objectives and activities related to financial reporting. As the market changed, service organizations had a growing need to report on many nonfinancial control objectives. SAS 70, with its limited intended focus, was too often being used for purposes outside of financial controls.

In order to solve this problem, the AICPA issued Statements on Standards for Attestation Engagements (SSAE) 16, which replaced audit standards with attestation standards for internal controls over financial reporting. SSAE 16 standards became the basis for SOC 1 reporting, replacing SAS 70.

Additionally, the AICPA issued guidance related to attestation on controls relevant to the Trust Service Principles and Criteria including security, availability, processing integrity, confidentiality and privacy. This guidance became the basis for SOC 2 reporting, bridging the gap between market need for broad assurance reporting and the previously narrow financial focus of SAS 70.

How can an organization know whether a SOC 1 or SOC 2 report is right for them?

Whether an organization should obtain a SOC 1 or SOC 2 report depends entirely on the controls in question. Controls relating to information that could affect financial statements are covered by SOC 1 reports. SOC 2 covers controls related to nonfinancial information.

Payroll processors, employee benefit plan managers and banks commonly use SOC 1 reports. Data centers, Software as a Service providers and companies subject to industry-specific regulatory standards frequently benefit from SOC 2 reports.

Why should companies consider SOC reporting?

Service organizations that want to remain competitive need internal control attestation in a variety of areas. Many companies will not even consider working with an organization without assurance that relevant controls are well designed and operating effectively. In a highly risk-averse business climate, organizations can demonstrate effective controls with the appropriate SOC report.

Jeff Stark is an audit partner at Sensiba San Filippo LLP. Reach him at (480) 286-7780 or


Published in National

Many of us have heard the saying, “By failing to prepare, you are preparing to fail.” While most business owners meticulously plan the ongoing management of their organization, far fewer prepare for a successful sale. If the sale of the company is a part of your exit plan, it quite literally pays to be prepared.

With merger and acquisition activity heating up, Smart Business sat down with Kevin Strain, audit partner at Sensiba San Filippo LLP, to discuss what specifically businesses can do to ensure they are ready.

Why is it critical that businesses be prepared for an acquisition?

The current climate for acquisitions makes it more likely than ever that you’ll find yourself talking to a potential buyer. Acquisition activity has been ramping up since 2010, and is only expected to increase. Low interest rates and resurgent equity markets have left corporations flush with cash, and looking for opportunities.

Yet even in the current environment, the majority of deals still fail. More than 85 percent of prospective deals are never completed. Suitors come calling, but the process breaks down prior to execution, often because sellers are unprepared.

What is the first step a company should take to prepare?  

It is critical to identify and document the areas that drive organizational value. Every organization is different, and what makes you an attractive candidate for an acquisition depends on the nature of your business. Some acquisitions are technology buys, driven by intellectual property. Others are organizational or revenue buys, driven by the desire to add personnel or future earnings.

Regardless of what drives the marketability of your company, it is important to recognize the value drivers and document them. For example, if you hold technology patents, it’s essential that these are defended and documented.

What financial preparations should be made?

A detailed examination of financial records and projections should be expected during the negotiation process. If you haven’t had an audit completed recently, that should be the first step. If you have been through an audit, you need to be ready to provide the same information on relatively short notice. Make sure to keep the information that your auditors ask for current.

The focus of the financial review may also be driven by the type of acquisition. If a suitor is seeking to buy a future revenue stream, you need to be sure your projections are tight and defensible.

What pitfalls can derail the sale of a business?

Areas of potential risk can provide bargaining power to a buyer or stop the process in its tracks. Whether it’s an uncertain tax position, legal exposure or patent dispute, exposure can damage or kill a deal. Ideally, you’d like to resolve these issues. But if that’s not possible, put them on the table as soon as possible. It’s best for buyers to know where you stand sooner rather than later so the investment in the process is not wasted.

What else should business owners keep in mind?

Understand your own expectations and limits. You don’t want to be deciding where you are willing to bend during negotiations. That will weaken your ability to negotiate the best deal. Are you comfortable with an earn-out? How much guaranteed cash do you need? Are you willing to indemnify the buyer against any contingent liabilities?

Finally, it’s wise to find an experienced adviser to help you navigate through the process. The majority of business owners only sell a business once, so it’s important to get it right the first time.

Kevin Strain is an audit partner at Sensiba San Filippo LLP. Reach him at (650) 358-9000 or



Published in National

Every business owner requires the services of outside accountants from time to time. On the surface, many CPAs seem similar. They list the same services, have the same accreditations and work in the same industries. But do they all deliver the same value? Is one CPA as good as the next? How can a business owner tell if he or she is truly getting the greatest value from a service provider?

Jerry Krause, audit partner at Sensiba San Filippo LLP, says delivering value to a business owner requires more than just technical expertise. “Serving a business owner is about much more than providing specific services or understanding accounting principles and tax codes,” says Krause. “Delivering value requires taking the time to understand the full picture of the owner’s business, personal and financial situation.” He says strong relationships are the foundation for value-added delivery.

Smart Business spoke with Krause about the best approach to building valuable relationships, where accountants could fall short, and what business owners should expect from a trusted adviser.

What should business owners expect from their accountant?

First and foremost, business owners should expect their accountant to be looking out for them. That means proactively identifying opportunities and avoiding problems. If an accountant is only providing the services a business owner is asking for, they aren’t doing him or her any favors. A trusted adviser is not an order taker. They listen to what their clients are saying and will be creative and proactive in finding solutions.

For the owner of a closely held business, an accountant needs to know more than just the business issues. Business decisions affect personal and family finances, so sound advice can’t be given without knowing the ramifications of what’s being advised. To properly advise business owners, accountants need to understand all of the factors involved.

What does it mean to be a trusted adviser?  

A trusted adviser will talk about more than just numbers and compliance. Conversations should be wide-ranging and include company operations, tax planning for the business and the owner, exit strategies, and estate planning.

Further, a good adviser must be willing to disagree with his or her client. Many business owners lack peers within their organization. Sometimes there can be great value in challenging a business owner’s perspective. When a good accountant anticipates that a client is about to make a mistake, he or she would be doing the client a disservice by not interjecting a solution.

What is the key to getting value from a relationship with an accountant?

Open communication is the most important factor for ensuring a successful relationship between a business owner and their accountant. The more open the communication, the better the service an accountant can provide.

The test of a good relationship is if there is an understanding that a business owner can call their accountant anytime. Business owners need to feel comfortable knowing their accountant is available to discuss whatever issues they’re facing. In order for that to happen, clients have to know their accountant is not going to charge them every time a call is made.

How can a business owner assess their relationship with an adviser?

Finding the right adviser is about fit and commitment. While a business owner needs a firm that has the right expertise and resources, it’s just as important to find an adviser who places high value in the relationship. Having an accountant with a high level of expertise doesn’t mean much if he or she doesn’t understand his or her client. It takes more than industry and technical knowledge to create a valuable relationship. It takes commitment and the willingness to invest the time to build understanding and trust.

Jerry Krause is an audit partner at Sensiba San Filippo LLP. Reach him at (650) 358-9000 or




Published in National

On Mar. 23, 2010, President Barack Obama signed the Patient Protection and Affordable Care Act of 2010 (PPACA) with the intention of providing comprehensive health care coverage to nearly all individuals. The law is being rolled out in phases and arguably the most significant aspect for employers is set for implementation on Jan. 1, 2014.

“We have found ourselves at the intersection of streets paved with good intentions and unintended consequences,” says Richard Leasia, shareholder at Littler Mendelson, P.C.

Effective Jan. 1, 2014, employers with 50 or more full-time or full-time equivalent employees will have to choose between providing affordable health insurance coverage to qualifying employees or paying a penalty. There is no per se requirement that all employers provide health insurance coverage and employers will need to evaluate the pros and cons of providing health insurance coverage or paying various penalties.

“Each business owner’s analysis should include not only the financial implications of one option over the other, but also issues of employee morale, competitiveness within the marketplace, tax implications and benefits, and potential internal compliance and monitoring requirements,” says Bill Norwalk, tax partner-in-charge at Sensiba San Filippo LLP.

Every company, regardless of size, will need to continue to decide whether and to what extent they will provide health insurance coverage for employees. While the PPACA mandate directly affects only those employers meeting the minimum threshold number of employees, small businesses, some of which are not legally required to provide health insurance coverage, may wish to do so as an incentive for employees, as a means of staying competitive within the market, and/or in order to take advantage of certain tax credits.

At a recent event hosted by Sensiba San Filippo, Littler Mendelson, ABD Insurance and Financial Services, and the Small Business Majority, panelists from each firm discussed the implications of health care reform on small and medium-sized businesses.

Smart Business spoke with Leasia and Norwalk after the event to gather feedback and to have them answer questions about the basics of health care reform laws and what the laws will mean to businesses from a financial, tax, and legal perspective.

What are the legal implications?

Although the PPACA indicates in general terms what will be required on Jan. 1, 2014, many questions concerning the specific application of the law remain unanswered. A few of the open questions include:

1. When does an employee qualify as full-time or full-time equivalent?

2. What standard will be used when assessing whether the employer-provided health insurance coverage is ‘affordable’?

3. How do contractors affect the analysis?

4. What about seasonal employees?

5. What effect will the PPACA have on current city-specific mandated health care (e.g., San Francisco’s Health Care Security Ordinance)?

Unfortunately, answers to these questions will be dependent on yet-to-come regulations, but business owners should address them with their advisers.

What are the tax and financial implications?

Many business owners remain focused on 2014, but they should not lose sight of some very specific requirements that will be rolled out this year. These include, for example, an implementation of a $2,500 cap on employee contributions to health flexible spending accounts for plans beginning on or after Jan. 1, 2013; W-2 informational reporting for the 2012 calendar year was due for many employers by Jan. 31, 2013; additional notice requirements to employees; and beginning Jul. 31, 2013, there will be the imposition of certain temporary taxes for insured and self-insured group health insurance plans. Additionally, businesses should ensure that they are harnessing the full potential of the various tax credits currently available, including those available to small businesses that offer health insurance coverage to their employees. Now is the time to start planning with your tax adviser.

Throughout the coming year it will be imperative for businesses to examine their particular situation, learn how the PPACA affects their specific workforce, and prepare a plan for implementing the requirements that will go into effect in 2013, 2014 and beyond.

Richard Leasia is a shareholder with Littler Mendelson, P.C. Reach him at (408) 998-4150 or Bill Norwalk is tax partner-in-charge at Sensiba San Filippo LLP. Reach him at (925) 271-8700 or

Insights Accounting is brought to you by Sensiba San Filippo LLP

Published in National

Business owners have long understood the importance of income tax compliance. Companies that understand the tax law and apply it correctly can save money and reduce the risk of surprises in the event of an audit. But recent focus on employment taxes by the IRS has caught even savvy business owners off guard, and in some cases, out of compliance.

Smart Business spoke with Claudia Necke-Lazzarato, a tax manager at Sensiba San Filippo LLP, about changes in employment tax rules, increased IRS scrutiny, and what businesses should be doing to ensure compliance and limit their risk.

Why is employment tax compliance becoming more important?

Compliance has always been important. However, recently the IRS has shown an increased focus on employment taxes. With the economic slowdown, income tax revenue growth has slowed as well, and the IRS has increased its focus on employment taxes. These types of tax audits are definitely on the rise. This increase in IRS audits means an increase in risk for taxpayers. It is essential that business owners understand the importance of employment tax compliance. If it’s important to the IRS, it should be important to every business owner.

What are some common employment tax reporting mistakes?

Underreporting W-2 wages is the easiest way for businesses to fall out of compliance. Whether it’s wages that are improperly characterized as reimbursable expenses, or employees who are incorrectly designated as subcontractors, it is very common for a misunderstanding of tax law to lead to the underpayment of taxes.

Just this year, the IRS released a clarification on what qualifies as a reimbursable expense. This clarification created a requirement that employers have ‘accountable plans’ for reimbursement. The IRS also defined these ‘accountable plans’ for employee reimbursements, and according to the new ruling, they must meet the following three requirements:

• The reimbursed expense must be allowable as a deduction and must be paid or incurred in connection with performing services as an employee of the employer.

• Each reimbursed expense must be adequately accounted for to the employer with receipts or other proof of expense.

• Any amounts paid to employees in excess of expense must be returned within a reasonable period of time.

If all of these requirements are not met, reimbursements will not be treated as reimbursable expenses. Instead, these payments would be considered wages, and would be subject to withholding and employment taxes.

This means that flat value ‘expense allowances,’ which allow a set amount of funds to offset the costs of tools, automobiles and other business-related expenses, may now be reportable as W-2 income. To simplify internal reporting, many companies have historically provided fixed-value allowances for common expenses. Typically, these allowances would not meet the new requirements for ‘accountable plans.’

How do you determine if someone should be designated as an employee or a subcontractor?

Another very common mistake is mischaracterizing employees as subcontractors. If an employer incorrectly designates a worker as a subcontractor, it will fail to withhold tax for the employee and fail to pay the employer’s share of employment taxes. This can put both the employee and employer at significant financial risk.

To feel confident that they have correctly determined employment status, employers should know what questions to ask and who to speak with for clarification. Evaluate each contractor’s relationship with a few simple questions, then ask a CPA who is well versed in employment tax law if there is any ambiguity remaining. Look closely at who has behavioral and financial control in the relationship and answer the following questions:

• Is the work performed as part of a defined project?

• Who is supervising the work?

• Who provides the tools and supplies needed to complete the work?

• Who sets the schedule for the work?

If you still aren’t sure of the answer, find a CPA and ask for help. The IRS defaults to assuming an employee/employer relationship, so be certain you’re getting it right.

What are the consequences of underreporting employment tax?

Employment tax compliance isn’t just about having the right answer. There are real consequences for underpayment of taxes. The IRS has sharpened its focus on the reimbursement arrangement taxpayers have in place. In several instances, companies have a reimbursement arrangement that does not pass the requirements of accountability, from the IRS’s point of view. The IRS penalties can be very costly and time consuming to resolve, with companies having to pay all underpayments with interest, and in addition, pay an automatically assessed 20 percent penalty. Working with a CPA firm with IRS audit experience can help clients receive a negotiated reduced penalty and put a qualifying accountable plan in place.

How can business owners ensure compliance?

Understanding the importance of getting employment taxes correct is the first step. Rules and enforcement change frequently, so partnering with an experienced tax professional is a good idea.

A best practice to help remain compliant is to talk about the issue as much as possible and in a proactive manner, rather than taking the rearview mirror approach after an audit notice is received. When ongoing success is your primary objective, you need a tax professional who actively helps you to find opportunities and avoid potential problems.

Claudia Necke-Lazzarato is a tax manager at Sensiba San Filippo LLP, a regional CPA firm based in the San Francisco Bay area. Reach her at (925) 271-8700 or

Insights Accounting is brought to you by Sensiba San Filippo LLP

Published in National

In April 2012, President Barack Obama signed into law the Jumpstart Our Business Startups Act. Meant to encourage initial public offering activity, certain provisions of the act impact the application of Section 404 of the Sarbanes-Oxley Act, which requires management to establish and maintain internal control procedures for financial reporting. So how do emerging growth companies cope?

Smart Business spoke with Bill Philippe, a senior audit manager at Sensiba San Filippo LLP, about SOX compliance and the JOBS Act.

How would you define an emerging growth company and the requirements in question?

An emerging growth company generally has less than $1 billion in revenue in the fiscal year prior to its IPO and its status generally lasts for five years after its IPO. It is exempted from the internal control audit requirement of Section 404 of the SOX Act. In practical terms, this exemption from the audit requirement should reduce the cost of compliance for an emerging growth company, as its auditors will not be required to audit its internal controls over financial reporting (ICFR), thereby reducing the scope and focus of the annual audit process. However, emerging growth companies are not exempted from the management reporting requirements of Section 404 of SOX.

The most challenging aspect of SOX is Section 404, which requires management and the external auditor to report on the adequacy of the company’s ICFR. This is the most costly aspect of the legislation for companies to implement, as documenting and testing important financial manual and automated controls requires a significant sustained effort.

Under Section 404, management is required to produce an ‘internal control report’ as part of each annual Exchange Act report. It must affirm ‘the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting.’ The report must also contain an assessment of the effectiveness of the internal control structure and procedures of the issuer for financial reporting. To do this, companies generally adopt an internal control framework such as that described by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

What should an emerging growth company do following an IPO?

During the five years following an IPO, an emerging growth company should take a risk-focused approach to SOX compliance by specifically identifying, implementing and monitoring those internal controls that enable management to certify the design and operating effectiveness of controls with confidence.

You want to develop a SOX implementation process that is designed with clearly defined goals and executed by an experienced team. You need to lay the foundation for your company’s regulatory compliance requirements as well as practice effective corporate governance now and into the future.

How does the post-IPO process break down?

Activities in the first post-IPO year are focused upon the identification of high-risk processes and the implementation of the documentation and monitoring activities necessary to support management’s annual reporting requirements under Section 404.

The focus in the second and third post-IPO years is on evaluating and understanding the company’s internal control priorities in light of the company’s growth. Monitoring activities necessary to support management’s annual reporting requirements continue.

In the fourth post-IPO year, add the additional objective of documentation and assessment of the moderate- and low-risk processes. Evaluation of the company’s internal control priorities continues along with monitoring activities necessary to support management’s annual reporting requirements.

Monitoring activities necessary to support management’s annual reporting requirements continue in the fifth year, as do those needed to support the integrated audit work of the company’s external auditors.

What are the effects of the recent changes to the Internal Control – Integrated Framework?

On Sept. 18, COSO released Internal Control over External Financial Reporting: Compendium of Approaches and Examples.

It includes the Updated Internal Control – Integrated Framework, which reflects feedback from its recently closed comment period and the proposed Illustrative Tools: Assessing Effectiveness of a System of Internal Control.

The compendium illustrates how the principles set forth in the proposed updated framework can be applied in designing, implementing and conducting internal control over external financial reporting. It provides additional reference material for concepts discussed within the framework, including types of external reporting, suitable objectives, judgment, overlapping objectives, deficiencies in internal control and smaller entities.

The Updated Internal Control – Integrated Framework was initially made available for public comment in Dec. 2011, and incorporates the following major changes from the original 1992 framework:

  • The financial reporting objective was expanded to address internal and external, financial and non-financial reporting objectives.
  • An increased focus on operations, compliance and non-financial reporting objectives.
  • Codification of the 17 principles that represent the fundamental concepts associated within the five components of internal control.
  • Expanded discussion of the governance role of the board of directors and committees of the board.
  • The changes in technology and how they impact all components of internal control.

Companies should assess the impact that the expanded areas of focus in the updated framework will have on their current internal control processes and draft an implementation plan for any enhancements deemed necessary by internal stakeholders and those charged with governance.

Bill Philippe is a senior audit manager at Sensiba San Filippo LLP, a regional CPA firm based in the San Francisco Bay Area. Reach him at (650) 358-9000 or

Insights Accounting is brought to you by Sensiba San Filippo

Published in Northern California