Mid-sized manufacturing companies face a number of pressures — inflation, a weak dollar, growing foreign demand and stagnant domestic sales — but targeted tax incentives can help businesses decrease their tax and allow them to breathe a little easier.
Two incentives drawing interest from employers are the Last-In, First-Out (LIFO) method of accounting and establishing an IC-DISC (Interest Charge-Domestic International Sales Corporation) entity, says Philippe Simoens, CPA, partner in tax and strategic business service for Weaver.
“Although the U.S. has one of the highest corporate tax rates in the world, there are ways to get more sophisticated with your tax planning through LIFO, IC-DISC or other special deductions and credits to help control your tax situation,” says Simoens.
Smart Business spoke with Simoens about how manufacturers can efficiently attain tax savings with LIFO and IC-DISC.
How can LIFO accounting or launching an IC-DISC help manufacturers and other businesses?
The LIFO method allows manufacturers to use the price of the most-recently purchased inventory (last-in) as a basis for determining the cost of goods sold (first-out). This method works well when inflation and supply costs are increasing, as the manufacturer declares small net profits on goods sold, leading to lower taxes.
To simplify the calculation process, companies can follow simplified methods such as dollar-value pooling. One particular method uses indices from the Bureau of Labor Statistics, which make it simple to calculate inflation.
Companies also are turning to IC-DISCs with the demise of other U.S. export incentives. When a business exports products that are extracted, grown or manufactured in the U.S., the company can set up an IC-DISC. This separate entity receives a commission of 50 percent of export profits or 4 percent of gross receipts. The IC-DISC then pays out at the dividend rate of 15 percent, while the remaining profit is taxed at the regular corporate rate of 35 percent. Employers may have some products that qualify for the deduction and others that do not. So, a periodic review of export sales is required at least annually after the IC-DISC is set up.
Right now, more companies are taking advantage of IC-DISC than LIFO accounting, but both can offer savings.
What types of businesses benefit from LIFO or IC-DISC?
Both tax incentives are mostly targeted at U.S. manufacturing companies, but some distributors and/or producers may be able to take advantage of them, as well.
The benefit that businesses receive from LIFO depends on the types of inventory and products manufactured, and also varies by industry and regional location. Companies that process raw materials that have steadily increased in price could be a good fit, such as those in the food or metal fabrication sectors.
In general, companies within specific global industries that make substantial allowances for inflation in financial and production planning would also benefit from the increased cash flow LIFO brings. However, a business that produces technological components, such as a computer manufacturer, would not usually gain an advantage because productivity gains and a short inventory life cycle do not lead to increasing inventory costs.
When considering setting up an IC-DISC, companies need to consider whether they meet the requirements. Businesses that sell only in the domestic market or that have a foreign supply chain won’t be able to leverage the IC-DISC as a general rule, as one requirement is that the exported item must be manufactured or produced for at least 50 percent of its value in the U.S.
Are there drawbacks to either tax incentive?
One issue for employers is the uncertainty of the world market and tax laws. For example, with the euro currency crisis, commodity prices may fall, which would curtail the advantages of LIFO accounting. At the same time, there is uncertainty as to what Congress will do in this election year, which means tax rates could change based on the outcome of the November election for the 2013 tax year. The 15 percent dividend tax rate may increase or be extended unchanged; while there could also be changes to corporate taxation and special accounting methods and deductions.
In addition, there is a debate about federal corporate taxation. Many politicians want to reduce the top federal corporate tax rates and repeal special deductions and credits. However, under the current system, a profitable mid-market employer can start with a marginal tax rate of 35 percent; however, after applying tax incentives that reward manufacturing companies that create domestic jobs in the U.S. — such as the domestic production activities deduction, IC-DISC benefit, the R&D tax credit and the LIFO benefit — the resulting effective tax rate can drop substantially.
One should also note that the LIFO method could be repealed under the current process of convergence to IFRS.
Another potential barrier is these tax incentives can be complicated to implement and calculate, and they require a solid understanding by company management. If an employer is considering a capital transaction with a private equity group or putting the company on the market, having these methods in place may not appeal to buyers. For example, the new partner or owner of a consolidated group may prefer to use an alternative method, such as maximizing earnings per share, which is impacted by LIFO accounting.
That said, a mid-market company owner that wants to implement effective corporate tax planning would be well served to explore special deductions such as LIFO accounting or creating an IC-DISC, among others, to see if the benefits may outweigh any challenges.
Philippe Simoens, CPA, is a partner in tax and strategic business services at Weaver. Reach him at (832) 320-3215 or firstname.lastname@example.org.
Insights Accounting is brought to you by Weaver
Making the decision to become a publicly traded company is not easy for any company. The process can be cumbersome and expensive, and it’s not a decision that a private company makes lightly.
However, the Jumpstart Our Business Startups (JOBS) Act — signed into law by President Barack Obama on April 5 — may make that decision easier for companies that meet the definition of an emerging growth company (EGC). The law is designed to increase American job creation and economic growth by improving access to capital markets for companies.
“The premise of the act is to somewhat reduce the financial and regulatory burden of going public and to provide EGCs with avenues of communication that did not exist under the prior rules for the process of becoming a public company,” says Dale Jensen, partner-in-charge of the SEC practice group at Weaver.
Smart Business spoke with Jensen about what companies can expect from the newly signed JOBS Act and how it can help them on their journey to going public.
What are EGCs and how will the JOBS Act impact them in their quest to go public?
As defined by the act, an EGC is one that has less than $1 billion in total annual gross revenue. The act redefines the rules around accessing capital in the public markets for those companies defined as an EGC. The intent is to give them some advantages by reducing the burdens that, in the past, they had to overcome when going public.
Also, with additional changes in communications with the Securities and Exchange Commission (SEC) and certain allowable communications with qualified potential investors before filing documents, companies can better understand whether becoming public is the right choice for them.
What advantages does the JOBS Act bring to EGCs?
First, an EGC may submit a confidential draft registration statement with the SEC before going public to get feedback and work through initial comments on a confidential basis. Because the law is so new, the SEC continues to come out with additional guidance and clarification about the process.
Another advantage is that an EGC will only be required to have two years of audited financial statements, rather than the three years previously required.
Along those lines, the JOBS Act also delays the requirement for EGCs to have an auditor’s attestation to report on internal controls for up to five years, potentially. In addition, for the implementation of new or revised financial reporting standards, EGCs will be exempt until the time when such standards are required to be implemented by private companies.
Finally, there are other reporting exemptions for EGCs, such as permitting smaller reporting, scaled disclosures for executive compensation, which means significantly reduced reporting and disclosure requirements.
Will the creation of the JOBS Act lead to an increase in the number of publicly traded companies?
Possibly. The reduced burden and the new allowable communications with potential investors (qualified institutional buyers and institutional accredited investors) should enable more EGCs to become publicly traded companies. That said, the process to go public remains the same, but the reduced disclosure requirements and adjustments in the communication process with the SEC and investors should simplify the process and make it less cumbersome for companies that want to pursue that option.
However, with the increase in the number of shareholders a private company may have before it will be required to file with the SEC (increased from 500 to 2,000), there may also be increased opportunity for companies to remain private and raise additional capital. This could also provide an avenue for public companies that are currently below this threshold to exit the public markets.
What challenges of becoming a publicly traded company are not addressed by the JOBS Act?
An EGC needs to understand that even though there is a reduced cost burden of going public, it is still an expensive process. And, once the company has gone public, there is an increase in the cost and oversight related to being public.
Companies also need to consider whether going public is really the right decision for them. Just because the JOBS Act simplifies the process, does not mean that companies should move forward. Companies should consider the following questions: Do you have the organizational structure in place? Do you have the right personnel? Do you have the ability to do the necessary reporting? Are you organizationally ‘publicly fit?’
Finally, make sure you have the right partners in place — aligning with the right accounting and advisory firm and the right legal counsel is critical to a successful entrance into the public markets.
Dale Jensen, CPA, CFE, is the partner-in-charge of the SEC practice group at Weaver. Reach him at Dale.Jensen@WeaverLLP.com.
Insights Accounting is brought to you by Weaver
Executives are jumping on the outsourcing bandwagon as cloud service providers promise unlimited scalability, reduced expenditures for hardware and IT staff, and the ability to offload software and routine maintenance at a moment’s notice.
In fact, Gartner analysts predict that 35 percent of enterprise IT expenditures will be managed outside the IT department’s budget by 2015.
But overzealous executives eager to jump to the cloud may encounter security issues down the road, as the security practices of the cloud service provider are often unclear — up to and including where the data is stored. A survey by Symantec shows that only 27 percent of companies have set procedures to approve cloud applications that use sensitive or confidential information.
“It’s easy to deploy data and applications to the cloud, but most executives don’t have a handle on the true risks associated with those decisions. So they fail to build the proper assurances into the procurement process,” says Brian Thomas, IT advisory services partner for Weaver.
Smart Business spoke with Thomas about the risks of outsourced computing services and why companies should seek an auditor’s assurance during the procurement process.
What are the specific risks associated with the cloud and outsourced computing?
Possible issues include data integrity, confidentiality, privacy and security, system availability and reliability, and data retention and ownership. But the threat level and mitigation strategies vary depending upon the importance and sensitivity of the data being processed by the cloud service provider.
It may not matter if you can’t access your sales prospects for a few hours if your hosted CRM application goes down, but business would come to a halt if your hosted e-mail or e-commerce system crashes. Therefore, the provider’s server redundancy and service-level contract guarantees may be the most critical risks to address, where in other cases, the primary concerns may be security and privacy issues. Certainly, regulated companies need to pay particular attention to how the cloud service provider addresses their regulatory risks.
How can executives identify outsourcing risks?
When considering cloud computing project ideas, executives should ask a lot of questions. First, they must understand the nature of the cloud services being procured and the sensitive aspects of the systems being hosted or managed by the provider. After getting an understanding of the types of data and systems that will be exposed to the cloud, executives should ask ‘what if’ questions of their project teams. Such questions should be focused on general risk areas including data integrity, confidentiality, privacy and security, and system availability and reliability.
Executives should also get an understanding of their company’s exposure to risks related to data ownership and retention. Examples of questions to ask include, ‘What will happen if we lose connectivity to our cloud service provider for an extended period of time?’ And, ‘What happens if our cloud service provider is acquired by another company?’
How can executives use an outside audit to ensure the performance of service providers?
A third-party assessment by a qualified professional is the only way to know whether a cloud service provider has designed and implemented effective measures to identify and mitigate relevant risks, as self reporting is inadequate and providers may simply tell you what you want to hear.
You can save money by having your auditor review a cloud service provider’s service organization controls (SOC) report. There are three reports available under the AICPA’s standards for service providers. SOC 1 is based on the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and is best suited for companies that previously used SAS 70 for Sarbanes-Oxley or financial audit compliance. SOC 2 addresses the design and operating effectiveness of a service organization’s controls over the security, availability, processing integrity, confidentiality and privacy of a system. This may be more valuable for executives evaluating the controls a cloud service provider has in place to address risks beyond those relating to financial reporting.
SOC 3 involves the same scope as SOC 2; however, the report contains less detail and is intended for broader (marketing) audiences.
When are SOC 2 and SOC 3 appropriate?
Executives should request that their cloud service providers submit a SOC 2 report where applicable. The scope is generally best suited to address the concerns of users of cloud services. SOC 2 reports provide details of the procedures executed by the auditor to test the controls in place at the cloud service provider, and the results of those procedures.
If a cloud service provider only has a SOC 3 report available, that may be sufficient for getting comfortable while evaluating the service provider during the procurement process. However, executives responsible for the cloud services should request that the service provider submit a SOC 2 going forward to ensure that they can monitor the provider’s efforts to address any failed control activities.
Are there other certifications that can help mitigate risk when transitioning to the cloud?
If the provider cannot provide a SOC 2 report, see if they are certified as ISO 27001 compliant or if they have obtained assurance reports from a security firm addressing the ISO 27001 standard. If the provider processes, stores or transmits credit card information, it is required to meet the Payment Card Industry’s Data Security Standard (PCI DSS). Be careful when using these other forms of assurance. Their scope is generally narrower than SOC reports and may follow less rigorous quality assurance standards. However, in the proper context, they can be useful for executives attempting to get information about the activities performed at the cloud service provider.
Brian Thomas is an IT advisory services partner at Weaver. Reach him at (713) 850-8787 or email@example.com.
Insights Accounting is brought to you by Weaver
Although energy executives can’t control some factors that influence the IPO market — like economic conditions, global turmoil and interest rate changes — they certainly have the power to ensure their company’s readiness for the big event. Creating a scalable infrastructure well before a public offering not only helps private companies manage growth and thrive in a highly regulated environment, but it also ensures a smooth transition by imposing a diligent, sequential preparation regimen.
“Building a strong, scalable infrastructure helps private energy companies handle the growth that accompanies public registration in a well-managed, compliant fashion,” says Alyssa Martin, executive partner in advisory services at Weaver.
Smart Business spoke with Martin about the steps executives should take to proactively prepare their private energy company for an IPO.
Why is creating a scalable infrastructure the top priority?
You’ll crash if you try to build the airplane once you’ve left the ground, so energy executives need to proactively prepare their company for future growth by uniting people, process and technology to create a scalable infrastructure. Of course, it’s important to assemble an upper and middle management team of veterans with energy experience and public company expertise, but preparing for the event in an organized manner is vital, particularly in private companies that may have limited staff and resources. Otherwise, your team can become overwhelmed with trying to juggle their regular duties with a hefty list of complex, pre-IPO tasks.
A best practice is for senior management to create a roadmap to shepherd their staff through the daunting IPO preparation process, as well as enhance the private company foundation to become a company that is publicly fit.
What are the first steps in the IPO preparation process?
Start by enhancing your financial reporting capabilities so you understand the key critical risks and key performance indicators that drive the business. Timely, accurate and usable financial reports allow you to make informed business decisions, meet shareholder expectations and prepare accurate disclosure statements. In addition, the data will help you analyze trends and craft a strategy so you’re ready to answer questions from underwriters, attorneys and auditors.
These experts want to hear the story behind the numbers, including a description of the factors that drive the business up and down. They also want assurances that the company has the necessary procedures to comply with the regulations imposed on public companies.
Creating robust procedures is the next step because they emanate from the financial reporting system. The procedures will help you spot and report changes in control and material contracts, since public companies must demonstrate that they can comply with SEC reporting rules and stay ahead of disclosure requirements by creating a warning system that alerts them to reportable activities.
Once you have enhanced the financial reporting process and created robust procedures, its time to undergo a comprehensive risk assessment. A facilitated risk assessment not only helps your company comply with regulations like Sarbanes-Oxley, the risk analysis and response plan also allows your team to view the entire risk portfolio, agree on the priorities, and tackle mitigation and other related tasks in a logical manner.
It’s important not to overload employees during the IPO preparation or the early stages of implementing public company standards, since people can only initiate and absorb so much change at once.
How can private companies prepare for an IPO by instituting corporate governance practices?
Using external consultants to assess risk, conduct gap analysis and implement procedures helps private energy companies evolve from being lean, internally driven organizations to substantial, regulatory-driven public companies. Policies tend to be unstructured and undocumented in private energy firms, but internal audit consultants working under the direction of an audit committee can help institute written procedures and documentation guidelines.
This provides employees with a chance to form new habits and comply with governance practices well before an IPO.
How can private companies strengthen internal controls and IT systems?
In private companies, risk is usually managed at the process level based on comfort with the employee base. In public companies, it must be managed at the enterprise level first and then balanced through controls at the process level to comply with the strict guidelines for business operations and Section 404 financial reporting requirements.
Accordingly, it can take 12 to 24 months and a hefty financial investment for private companies to adequately strengthen their internal controls and IT systems to meet public company standards. Have internal audit consultants assess your internal controls, highlight areas of potential risk and provide recommendations for improvement. Then start early, so your IT staff has the bandwidth to implement the required changes while performing their regular duties.
Finally, facilitate a smooth transition by building control components into each step as you navigate the public company requirements.
Do you have any other tips to help energy executives prepare for an IPO?
Seek outside assistance and guidance before embarking on the journey from private to public status. External consulting experts who have travelled the path and understand your industry can help you navigate the process and reduce the chances of a false start. Prevent errors, costly rework and stress by tackling each step in the process logically and sequentially.
Finally, create a scalable infrastructure so your company is ready to handle the growth that accompanies public status.
Alyssa Martin, CPA, MBA, is an executive partner in advisory services at Weaver. Reach her at Alyssa.Martin@WeaverLLP.com or (972) 448-6975.
Insights Accounting is brought to you by Weaver
Not only is Texas a leading provider of crude oil and natural gas, but the state’s abundant sunlight and persistent winds offer businesses yet another opportunity to lead the nation, by tapping renewable energy sources to power manufacturing plants, distribution centers and office buildings.
But despite the fact that Texas companies can leverage more than 80 federal, state and local incentive programs to defray the cost of purchasing and installing renewable energy systems and energy conservation equipment, executives in the Lone Star state are still leaving money on the table.
“Renewable energy and conservation incentives and credits allow companies to demonstrate environmental stewardship, increase operating efficiencies and lower income taxes by defraying the cost of purchasing renewable energy and energy conservation equipment and systems,” says Laura Roman, CPA, CMAP, partner in tax and strategic business services at Weaver. “Unfortunately, the funds often go unused, and the programs won’t last forever.”
Smart Business spoke with Roman about the opportunities to lower taxes and operating expenses and positively impact the environment by taking advantage of underutilized conservation and renewable energy credits and incentives.
Why should companies consider switching to renewable energy or energy efficient building materials?
The benefits include the opportunity to lower energy consumption and utility bills by installing modern, energy-efficient manufacturing equipment, windows or HVAC systems, and the chance to promote a positive public image by launching green initiatives and supporting environmental stewardship. Plus, both tenants and building owners can utilize the incentive programs and reap the financial rewards. For example, the improvements help owners by boosting property values, while tenants benefit from increased energy efficiency, which ultimately reduces operating costs.
What types of incentives are available?
There are more than 54 federal and 28 state and local programs that can be used for equipment purchases or upgrades that reduce energy consumption or utilize solar, wind, ethanol and biodiesel energy. The programs include: tax deductions, credits and exemptions, loans and grants, rebates and performance-based incentives. For example, Texas businesses can qualify for commercial energy efficiency rebates, energy efficient incentive programs, green building corporate tax credits and sales tax exemptions for purchasing energy and water efficient products. While the U.S. Treasury Department offers renewable energy grants for projects involving: solar photovoltaics, landfill gas, wind, biomass, hydroelectric, geothermal, municipal solid waste, CHP/cogeneration, solar hybrid lighting, hydrokinetic, tidal/wave energy, and ocean and fuel cells using renewable fuels or micro turbines.
Best of all, executives don’t have to commandeer large amounts of cash to complete the projects because companies can tap different programs to train employees, purchase equipment or pay for installation contractors. So, companies can still invest in that much-needed marketing program or software upgrade if they utilize renewable energy incentives and credits to hire renewable energy specialists, replace inefficient manufacturing equipment or install a new HVAC system.
How do the incentives provide financial benefits?
Essentially there are five areas where companies benefit from renewable energy incentives and tax credits.
- Gross income exclusions. Companies can deduct the full amount of incentive payments or grant funds they receive for qualified renewable energy or energy conservation projects from gross income.
- Dollar-for-dollar deductions. There are no sliding scales or phased-out deductions. Companies can use every dollar they invest in qualified renewable energy and energy conservation projects to reduce their tax liability.
- Accelerated depreciation. Under IRS 179D, companies can depreciate the cost of purchasing new plant and energy equipment at a faster rate than typically allowed. So, instead of taking 39 years to recover the cost of a new lighting, HVAC system or building envelope, the owner of a 100,000-square-foot building can deduct up to $1.80 per square foot, or up to $180,000 in the first year.
- Ancillary funding and allowances. Funding is available to hire specialized workers or train current employees on the use of renewable energy equipment and processes.
- Multiple opportunities. Companies can tap multiple incentives for each project including loans, performance-based incentives, deductions, tax exemptions and grants, as well as property and sales tax rebates.
Should executives be aware of any special qualifications or rules?
The incentive plans and tax codes are fairly straightforward, but there’s no need to spend hours interpreting the criteria or deciphering nebulous clauses when a tax professional is intimately familiar with the nuances of each program. At the same time, he or she may help identify additional opportunities to complete the project without tapping cash reserves, and can often share tips and ideas from experience helping other companies navigate the process.
How can executives evaluate the ROI and choose the most advantageous projects?
Companies should discuss ideas and energy needs with architects, contractors and energy professionals so they can create a list of feasible projects and determine the material and labor cost for the various improvements. Review the list with an accountant, since he or she is familiar with the tax code and incentives and can provide an estimate of the cash outlay and ROI. Finally, act now. Remember, it costs virtually nothing to investigate these opportunities, and there’s no sense in waiting when the money to complete renewable energy or energy conservation projects is there for the taking.
Laura Roman, CPA, CMAP, is a partner in tax and strategic business services at Weaver. Reach her at Laura.Roman@weaverllp.com or (432) 570-3030.
For the young, small, or medium-sized company, it can be inherently difficult to measure the value of the internal audit. As an example, upstream and midstream energy companies often employ fewer people and use less sophisticated administrative processes than similarly sized companies in other industries.
But the unique circumstances faced by these companies highlight the need for risk mitigation, and savvy energy executives have found a way to leverage the internal audit to help define the company’s strategy and manage risk.
“It’s critical to identify and mitigate risk in energy companies,” says Jody Allred, advisory services partner at Weaver. “But auditors also have the ability to offer objective advice, create operating efficiencies and resolve myriad issues, if they’re empowered to execute that charter.”
Smart Business spoke with Allred about the opportunities to create strategic business value by expanding the reach of the internal audit function beyond traditional audits.
Why is risk mitigation a priority in E&P and pipeline companies?
Preventing loss is always important, but it may mean the difference between success and failure in E&P and pipeline companies that require a substantial capital investment and simply can’t afford errors or inefficiencies. A relatively small E&P company requires 10 to 12 times the capital investment of similarly sized manufacturers, and also lacks the resources and streamlined operations when compared to these companies. Plus, survival hinges on its ability to exploit its assets and ensure the success of early projects.
All of this means that risk is higher and there’s a greater need for an internal auditor’s objective assessment.
How can an internal auditor create value by identifying, assessing and responding to risk?
Auditors create value by combining their industry experience, intuition and professional training to conduct assessments, identify risks and quantify the exposures. Savvy auditors know how to boil down massive amounts of data, so the risks can be prioritized and dealt with through a recommended course of action. And since they’ve seen the movie before, experienced auditors know what to look for in E&P companies, so investors are protected in cases where operational processes and procedures are often less sophisticated or mature.
Can an auditor really improve business processes and create new efficiencies?
It isn’t unusual for auditors to spot ways to streamline processes while reviewing the current systems and workflow during the risk assessment phase. But auditors are capable of going beyond risk assessment by finding solutions to recognize and solve business problems across the enterprise.
For example, a client was about to hire a consultant after a department struggled to comply with a set of operating procedures. After listening to the issues, we found that cultural differences were the root cause of the problem. So, we explained the need for the process to the department manager, made some minor adjustments and resolved the issue for a third of the cost of a consultant. Since auditors are detail-oriented, they often spot opportunities to streamline or eliminate bureaucratic processes during an engagement. They may even identify opportunities to negotiate better deals with vendors, garner higher margins or lower costs by utilizing business process outsourcing.
But to be effective in a broader, more strategic role, internal auditors must be empowered to go beyond risk mitigation by the company’s executives and audit committee.
Why is it important for an auditor to provide executives with insight and objective advice?
Executives often take a broad view of the operation, since they rarely have hands-on experience in every functional area. For example, they may need help assessing and understanding the risks in departments that require high levels of control like accounting and finance or IT.
An auditor can help executives determine whether the company’s security systems are adequate, calibrated and functioning effectively. Plus, they can help executives find the right balance between risk and cost, so the organization can achieve its business plan. Auditors can also assess the company’s operational effectiveness by providing benchmarking against peer organizations. Since auditors have the opportunity to work across multiple departments within a company, they have the knowledge that no one else has about the cross-functional interaction of the company.
The bottom line is that an auditor’s vast skills are often underutilized, since they can provide a valuable perspective and potentially play a greater role in adding value across the enterprise.
How can executives support the transformation process so internal auditors create value instead of police reports?
First, the executive-auditor relationship has to be built on trust, which seldom happens when auditors are relegated to creating police reports. Launch a cultural shift by changing the auditor’s marching orders and measuring them on value creation and financial contributions, not just the problems they find.
Second, executives need to understand the audit process, so they can identify opportunities for auditors to make recommendations. Give auditors an opportunity to prove their value-creating capabilities and ability to liaise with executives by giving them a crack at an under-performing business process or an area where costs are accelerating.
Third, view auditors as trusted advisers that are capable of making viable recommendations and be open to hearing them. Finally, maximize your investment in the internal audit function by expanding the reach, because companies can’t afford errors or inefficiencies in today’s competitive business environment.
Jody Allred is an advisory services partner at Weaver. Reach him at firstname.lastname@example.org or (817) 882-7750.
It’s no wonder executives seemed less than enthusiastic about the new auditing standards and controls for service organizations instituted by the American Institute of CPAs (AICPA). After all, most companies had already suffered through a decade of new internal controls and financial reporting requirements that managed to increase costs while offering nominal benefits.
But, this time, the reports that are part of the AICPA’s new Service Organization Controls (SOC) reporting suite actually benefit outsourced service providers and their customers by providing additional transparency at a time when companies are looking to outsource rudimentary tasks or move data and applications to the cloud.
“Companies previously felt like they had no option but to report under Statement on Auditing Standards 70 (SAS 70) even though it was often misused and did little to assure the performance of service providers,” says Brian Thomas, advisory services partner for Weaver. “But, the new SOC reporting options are better focused on the current needs of outsourced service providers and their customers.”
Smart Business spoke with Thomas about the benefits of the new SOC reporting options for service organizations and their clients.
Why did the AICPA change the reporting options for service organizations?
Some of it was housekeeping. The AICPA is updating certain U.S. audit standards to harmonize them with international standards, resulting in the replacement of SAS 70 with SSAE 16 (also called SOC 1). Secondly, the SAS 70 and SysTrust reports weren’t meeting the broader needs of outsourced service providers or their customers.
SAS 70 (now SSAE 16 or SOC 1) addresses only internal controls over financial reporting and SysTrust (now SOC 3) did not provide enough detail to customers — especially at a time when companies are increasingly contracting with Software as a Service (SaaS) and cloud providers, which is raising a host of different concerns. So, while doing its housekeeping, the AICPA addressed this gap with a new option called SOC 2.
What are the new SOC reporting options?
The new SOC reporting suite features three reports called SOC 1, 2 and 3. Best of all, the reporting formats are customizable, so customers can get information tailored toward their specific needs.
- SOC 1 — This report is intended to fulfill the requirements of SAS 70 (now SSAE 16). It has been updated to match international standards and is focused on internal controls over financial reporting relevant to the service provider’s customers.
- SOC 2 — This report is valuable because it addresses a service provider’s controls as they relate to security, availability, processing integrity, confidentiality and privacy of a system. All of these are important aspects of the non-financial performance of service providers. SOC 2 is more relevant for IT-based services and contains detailed results similar to a SOC 1
- SOC 3 (also SysTrust) — Its scope is the same as SOC 2; however, less information is provided about the results. A seal is issued that the service provider can post on its website. The accompanying report confirms only that a SOC 3 engagement was performed and the overall result without any details.
How do these new reports benefit service providers and their customers?
Alleviating the concerns of prospects and customers is one of the primary benefits for service providers. The reports may also reduce the need to accommodate auditors from client organizations because providers have to meet a fairly high audit threshold instead of self-accrediting and validating their performance using a universal set of standards.
Customers can simply review the reports and may be able to avoid the cost of auditing the service provider themselves. Also, the new reports engender trust by providing greater transparency into a service provider’s day-to-day operations, along with the assurance that a qualified auditor has examined its internal controls, compliance and performance.
How can service providers determine the best reporting format for each customer?
Certainly, the service providers should understand the needs and concerns of each customer and tailor the reports appropriately. They can also confer with the client’s auditor to determine the exact scope of their reporting concerns. The format to choose really comes down to the information and transactions handled by the outsourcer and the concerns of its customers.
For example, a client may be concerned about data confidentiality and privacy if they use any SaaS applications to manage customers and prospects, but they’ll have different concerns if they are hosting their core financial application with a service provider. It makes sense for auditors from both organizations to confer when the parties are ready to negotiate the contract and reporting requirements.
How can customers and prospects use the reports to mitigate risk and select a best-in-class service provider?
Customers must read the reports and should not assume that everything’s OK just because an auditor has ventured onto the service provider’s premises. Customers need to understand the scope of the SOC report and its relevance to the services they purchase from the service provider. Look for trends over time with the issues that are identified in their reports and request additional information from the service provider, as necessary.
Although service providers may not share the SOC reports with prospective customers, procurement specialists can develop screening criteria and RFP questions for service providers regarding the scope and issues identified in the report. Finally, don’t let the pain of implementing the new standards keep you from enjoying the gains. Thanks to the new SOC reports, customers can finally have the assurances they need to outsource with confidence.
Brian Thomas, CISA, CISSP, is an advisory services partner at Weaver. Reach him at (713) 850-8787 or email@example.com.