How to get started on a risk-based approach to third-party management

Companies interact with thousands of third parties. Even small companies have connections outside their walls with vendors, joint venture partners, customers, licensed distributors, royalty owners, supply chain intermediaries and even competitors that can impact their achievement of objectives.

“The number of third parties can be astounding and those relationships carry risk. So, a risk-based approach is needed to ensure the most critical risks are considered,” says Jody Allred, partner in Risk Advisory Services at Weaver.

Smart Business spoke with Allred about how organizations can get started on assessing and managing third-party risks.

Why is this becoming more important?

As globalization and outsourcing have expanded so that companies can stay competitive, it’s become more evident that companies can be responsible for the actions of the third parties they work with. Companies need to take ownership even in an outsourced environment, especially consumer products companies and retailers concerned about reputation management.

There is also the issue of higher corporate visibility due to new regulatory requirements. One example of this is the SEC’s conflict minerals disclosure rule that requires companies to disclose the origin of certain metals from Central Africa.

What can happen if these risks aren’t managed?

Several incidents in the news highlight the need for third-party risk management. For example, Apple has faced significant concerns over the labor practices of its primary supplier of iPhone and iPad assembly in China. While this issue came to light in 2011, it continued in the news throughout 2013 and still lingers today.

In another instance, an HVAC contractor had access to Target’s internal network for billing and project communication. In 2012, the contractor’s account was leveraged to gain access to the network and plant malware that resulted in 40 million stolen credit cards, a 46 percent drop in fourth quarter profit in 2013 and the removal of the company’s CEO.

Do companies typically take the time to manage third-party risk?

The largest, first-class organizations and those in highly regulated industries like banking and insurance may have third-party risk management programs, but the average manufacturer or oil and gas company likely has not fully dealt with this issue.

How can organizations get started?

The biggest hurdle is obtaining the information needed to evaluate third-party risk because most companies don’t capture and collect the necessary data to build risk profiles. In order to properly evaluate their vendors and other external relationships, organizations must consider:

  • Financial stability.
  • Control environment.
  • Technology environment.
  • Dependency.
  • Access to information and intellectual property.
  • Items critical in the supply chain.
  • Regional risk.
  • Operational characteristics.
  • Regulatory and compliance interaction.

If you don’t have this information on-hand, you can build processes to capture the data over time. You have to start somewhere. So, consider what information you do have, and rate your third parties based on the financial, regulatory, operational and reputational risks. You cannot tackle thousands of vendors at once, but you can focus on those that present the most risk using your initial risk-based scoping.

Once you establish more formal protocols, you can build an evolving third-party risk management function to identify and respond to all risks on an ongoing basis. This may include auditing a vendor, implementing a compliance program, establishing corporate guidelines and/or better communicating your expectations.

Do you have any other recommendations?

Third-party risk management requires communication and collaboration across the organization — business units, senior management, operations and administration. It cannot be a siloed responsibility of a compliance group. Organizations that spend time to identify, understand, manage and navigate risk benefit from insights into risk influences that are strategic to business success.

Insights Accounting is brought to you by Weaver

How to avoid the net investment income tax with material participation

The Patient Protection and Affordable Care Act and the Health Care and Education Reconciliation Act, both enacted in 2010, contain the largest set of tax law changes in more than 20 years. Arguably the most notable of the changes, and certainly the largest revenue raiser, is the net investment income tax (NIIT).

Smart Business spoke with Mark Watson, a partner in Tax and Strategic Business Services at Weaver, about how the NIIT may affect you and what to do about it.

Who is subject to the NIIT?

As of Jan. 1, 2013, certain individuals, estates and trusts are subject to the NIIT. Corporations and partnerships are not.

With individuals, the NIIT is equal to 3.8 percent of the lesser of two amounts — the individual’s net investment income for the taxable year or the individual’s modified adjusted gross income in excess of a specified threshold. The threshold is $200,000 for a single individual, $250,000 for married couples filing jointly and $125,000 for married couples filing separately.

How are net and gross investment income calculated?

An individual’s net investment income is equal to his or her gross investment income less properly allocable deductions. Gross investment income is comprised of five buckets of investment and unearned income:

  1. Interest, dividends, annuities, royalties and rents.
  2. Other income from a trade or business that is a passive activity.
  3. Other income from a trade or business of trading in financial instruments or commodities.
  4. Net gain from the disposition of property.
  5. Income earned on an investment of working capital.

How can taxpayers reduce or eliminate NIIT?

Since NIIT includes income from a passive activity, individuals can reduce or eliminate NIIT by avoiding passive activities. One way to do that is to satisfy the material participation standard.

A passive activity involves the conduct of a trade or business in which the individual does not materially participate. Individuals are treated as material participants only if they are involved in the activity’s operations on a regular, continuous and substantial basis. Specifically, an individual will be treated as materially participating if any of these seven tests is satisfied:

  • The individual participates in the activity for more than 500 hours during the taxable year.
  • The individual’s participation in the activity constitutes substantially all of the participation in the activity of all individuals during the taxable year.
  • The individual participates in the activity for more than 100 hours during the tax year, and participation is not less than that of any other individual.
  • The individual’s aggregate participation in all of their ‘significant participation activities’ — non-rental activities in which the individual participates for more than 100 hours — exceeds 500 hours during the taxable year.
  • The individual materially participated in the activity for any five of the 10 taxable years that immediately precede the current taxable year.
  • The activity is a ‘personal service activity’ — involved in the fields of health, law, engineering, architecture, accounting, actuarial science, performing arts, consulting or any other trade or business in which capital is not a material income producing factor — and the individual participated in that activity for any three prior taxable years.
  • Based on the facts and circumstances, the individual is regularly, continuously and substantially involved in the activity.

For purposes of these tests, time spent by an individual’s spouse in the activity counts as time spent by the individual. Also, contemporaneous daily time reports, logs or similar documents are not necessary to prove an individual’s hours of participation; any reasonable means of proof may be sufficient.

With the introduction of the NIIT, it is more important than ever to analyze your various trade or business activities and, where the material participation standard is satisfied, classify such activities as non-passive. Doing so may result in substantial tax savings.


A global revenue recognition standard for customer contracts, at last

After a dozen years of collaboration and controversy, the Financial Accounting Standards Board (FASB) and International Accounting Standards Board (IASB) finally have agreed on how and when companies should recognize revenue.

Considered the “crown jewels” of accounting convergence efforts, Accounting Standards Update No. 2014-09, Revenue from Contracts with Customers, and International Financial Reporting Standards 15 are expected to produce a major shift in how companies report the top lines in their income statements.

But many are unsure exactly how the changes will pan out, as the new standard ushers in a sea change and a learning curve.

Smart Business spoke with Mostafa Popal, partner of Assurance Services at Weaver, about these reporting updates.

What changes with recognizing revenue?

Companies will follow a single set principle-based approach for reporting of revenue from contracts with customers — a shift from industry-specific guidance of today. The new guidance is a five-step principle-based approach with a core principle being to recognize revenue to depict the transfer of promised goods or services to customers in an amount that reflects the consideration to which the entity expects to be entitled in exchange for those goods or services.

With the new rules, for example, companies must determine the expectation of collecting payments owed to them by recording revenue only to the extent that it’s ‘probable’ they won’t have to make a significant reversal in the future. They also must adjust the transaction price to reflect the time value of money, if the timing of the agreed payments provides customers or entities a significant benefit of financing the transfer of goods or services to the customer.

In addition, detailed footnote disclosures are required to break down revenues by product lines, geographical markets, contract length, services and physical goods.

Are there exceptions to these new rules?

Exceptions include insurance contracts, leases, financial instruments, guarantees and nonmonetary exchanges between entities in the same line of business to facilitate sales. These transactions remain within the scope of existing industry-specific generally accepted accounting principles.

Who will be affected, and when?

All companies can expect some change, but certain industries will be more affected, such as engineering and construction, industrial products and manufacturing, pharmaceutical and life sciences, retail and consumer, software and technology, and telecommunications.

For public companies, the new guidance is effective for annual reporting periods beginning after Dec. 15, 2016 (including interim reporting periods). Early implementation is not allowed. Private companies have the option of taking an extra year to implement the new rules.

So, what are the first steps for companies?

Despite having more than two years before the new standard becomes effective, most companies should gear up for adoption now, especially if they choose to utilize the retrospective approach. This would require them to present not only the current year under the new standards but also prior years as if the standard had been in effect all along.

Companies can also make a simpler transition, the cumulative approach, which would apply the standard only to the current year figures. However, companies would still have to make some adjustments to deferred numbers and include disclosures to explain lack of comparability.

The approach companies take depends on the expectations of their financial statement readers and what industry peers utilize.

In addition, companies must look at whether their infrastructure can capture the information they will need to comply with the new standards. This cost could range from minimal to significant.

Where can firms get help with the new rules?

The FASB and IASB have formed a Joint Transition Resource Group for Revenue Recognition to field questions and concerns as companies prepare to adopt the new guidance. The American Institute of CPAs has also established 16 industry task forces that are developing a new accounting guide containing helpful tips and illustrative examples for applying the new standard.

The new global standard is expected to provide a universal accounting language for revenue recognition, but it relies heavily on judgment for companies to come up with their figures, which can differ from company to company, country to country and CFO to CFO. You need to continue to work with experts for helpful hints and considerations for applying these new rules in your industry.


Protecting your company from state tax exposure in your next acquisition

When you acquire another company, there is a hidden exposure that is catching many new owners by surprise — state sales taxes.

Often, the entity’s prior owners did not file sales taxes in a number of states they were doing business in. Then, one of those states conducts an audit and notifies the company of the tax liability, interest and penalties.

As the new owner, this is something to pay attention to because states have the ability to come after the company and current CEO, CFO and/or board of directors, regardless of when the tax was incurred.

“Most, if not all, states have these types of laws on the books. In addition, it doesn’t matter if the deal is a stock or asset acquisition, or what your corporate structure is,” says Mike Goral, partner-in-charge of State and Local Tax Services at Weaver.

“As the buyer of a company, you may not know that this risk exists. The issue can even make the transaction completely different,” Goral says. “States can put levies on bank accounts and can even go so far as to use criminal sanctions in order to get the company’s attention.”

Smart Business spoke with Goral about this contingent liability and how you can mitigate the state tax exposure.

Why is this state tax liability even more of a risk right now?

States have become much more aggressive with this issue. Their budgets are down, and they’re looking to generate revenue. When states become aware that a business should have been filing sales tax, they will pursue it to get those back taxes.

Part of the problem is that there is no statute of limitations. So, if you haven’t filed a tax return, the state can go back to whenever the company first started doing business in the state, whether that’s five, 10 or 20 years ago. This can lead to a small initial tax liability growing exponentially over the years as interest and penalties are imposed on top of that. For example, in one case, Hawaii went after a company for a $5,000 tax from 1978. In the end, the company had to pay significantly more after interest and penalties incurred over the years were applied.

Private equity and venture capital firms that are holding on to their investments may be completely unaware of this exposure, which could mean a good deal turns bad or becomes less attractive.

Wouldn’t it make sense to get these back taxes from the seller?

The state has the ability to go after either the seller or the buyer, and it may decide to pursue the entity within the easiest reach and/or with the deepest pockets. As the buyer, you can pay the tax and then sue the previous owner to recoup the cost using the indemnification in your sale documents. However, this can be complicated if the seller has moved to another country, for example.

How do you recommend companies proactively deal with this risk?

Before the transaction takes place, consider a nexus review for sales tax purposes to see whether the prior owner has sales tax exposures in any states. If there’s exposure in just one state, it could be immaterial; but if the company owes a small amount in 10 different states, the tax liability can add up quickly.

If the nexus review spots a problem, a potential buyer can:

  • Set aside extra funds in escrow.
  • Work out a voluntary disclosure agreement, where a neutral third-party contacts that state on an anonymous basis to settle the tax.
  • Reduce the purchase price.

The right strategy depends on the situation and the deal’s structure. However, at any time, a buyer or seller can start the procedure for a voluntary disclosure agreement, which may take two or three months to negotiate. States usually ask for three years’ worth of taxes and interest before waiving all penalties and prior back taxes and interest.

Taking the extra steps to better understand your state tax exposures will take more time and money up front, but it can save both the buyer and seller a significant amount of money in the end.


The COSO effect: How the new control framework adds value, not just work for work’s sake

Every business, private and public, has a control structure. Internal controls — often called COSO after the Committee of Sponsoring Organizations that has set the standard for internal controls since 1992 — are the functional steps that process accounting transactions generated by a business.

Every company wants to profit by providing a product or service, and therefore, transactions must be initiated and recorded. The internal controls are the baseline framework to execute that.

“The current business environment is highly automated and global with more of a remote workforce and increased transparency. So, those kinds of activities needed to be reflected in the COSO framework,” says Alyssa G. Martin, a partner in Risk Advisory Services at Weaver. “This framework that we are all ‘supposed to follow’ was essentially stale. It wasn’t a reflection of the real business environment today.”

COSO recognized that migration by releasing an updated framework last year.

Smart Business spoke with Martin about these COSO changes and what they mean for those who run companies.

When do these changes go into effect?

The updated framework was approved in May 2013. Organizations in regulated industries, such as banking, insurance or health care, and those accountable to the U.S. Securities and Exchange Commission need to evaluate and update their control structure against the new framework by December 2014.

Others like large private organizations in unregulated industries aren’t required to use the new framework. However, these controls are best practices that are worth emulating.

How has the framework been updated?

The COSO framework still has 17 components, but those components are revised, renamed and renumbered. A couple of the biggest differences relate to data security and fraud prevention. The old framework did not explicitly recognize the reliance on technology in the ordinary course of business, as well as the need to specifically prevent and deter fraud. Further, the revised framework is more focused on overall coordinated governance, such as no longer viewing HR policies and procedures as separate from company-wide policies and procedures, and managing risk to meet business objectives.

How can an organization get started on following the new framework?

Corporate internal control structures sit along a spectrum that ranges from unintentional actions that focus on just trying to record transactions to highly intentional, effectively controlled and mature.

Every business should evaluate its structure against the new framework. As an outcome of the evaluation, if you fall toward the mature, effectively controlled end of the spectrum, the business is likely already following these changes. Ad-hoc organizations that are not strongly controlled, stale and/or highly manual are looking at more material changes.

Your chief financial officer, chief accounting officer or controller — whoever is responsible for the accurate reporting of financial transactions — needs to compare your internal controls to the new framework in a high-level gap assessment. Even if your processes aren’t well documented, this person knows best what practice is in place, and if it’s working or needs improvement.

Then, consider getting consultative help to implement the new framework. External assistance provides a competency and skillset to apply this framework efficiently. It is also a labor source to complete a project of this scale while people who work in the company are doing their normal jobs.

What’s the takeaway for business leaders?

This new framework is a good excuse to take a fresh look and determine if the way business is transacted could be more effective, efficient or automated in order to benefit the company. Every business can benefit from having internal controls that are intentional and preventative focused.

It may seem like work for work’s sake, but if you have to go through this exercise, then use this opportunity to look at efficiency and effectiveness. Are your processes scalable if the company experiences growth? Are you using automation that can be preventative and have low labor costs? Is it standardized, so it can be transferred to a new location?

The paradigm in which you approach this has a direct relation to the value and output at the end, which is why consultative assistance is so beneficial. Those experts can help you get more value versus simply going through an exercise to check the right boxes.


How to guard against cybersecurity risks and incidents

Brittany Teare, IT advisory manager, Weaver


The Division of Corporation Finance, a part of the Securities and Exchange Commission, issued guidance on disclosure obligations related to cybersecurity risks and incidents a few years ago. Public companies aren’t yet required to disclose this information to shareholders, but they could be at some point, says Brittany Teare, IT advisory manager at Weaver.

“Right now, this is guidance that is in the best interest for your shareholders, but that will likely change. It could become a requirement sooner rather than later,” she says.

Smart Business spoke with Teare about the guidance and how businesses can measure and guard against cyberrisks.

What are the SEC reporting requirements for cybersecurity under this guidance?

The guidance expands upon the existing requirements that public companies follow, but there’s no mandatory piece yet that results in a direct impact if a company doesn’t disclose information.

Basically, the guidance states that if cybersecurity risks and cyber incidents have a material effect on your shareholders — if it could affect how financial information is reported — you have to report them.

How do you know when cybersecurity risks materially impact your company?

The guidance addresses some possible risks and whether they should be voluntarily reported to shareholders. If you don’t have cybersecurity controls around your key financial systems, for example, then the way you record or report your data can be easily manipulated or altered. Even if a cyber breach has not yet occurred, it is very likely.

Cybersecurity is a gray area. Employers typically know that network and perimeter security, access and change controls should be in place, but executives may not consider disclosing vulnerabilities. CEOs and CFOs typically look at balance sheets and see line items for hardware and other things they can touch, but it can be challenging to consider the ways a breach can happen.

How would you advise CEOs to quantify data and see vulnerabilities?

First, designate a person or group of people to be responsible for cybersecurity. They should not only understand SEC requirements and where they are potentially heading, but also must identify specific risks.

There is a central entry point in any network, so key people need to know where the sensitive data is because if an attacker gets there, it could add up to a huge loss. If the company does not store much sensitive information, an attack could impact its reputation, which is more difficult to value.

Another challenge is improving communication from the CIO or IT manager. Often, IT will say, ‘We need X dollars for new equipment, applications and hardware that are going to help make our organization more secure.’ When management hears this number, which can be millions in larger organizations, they want to know the ROI. However, IT personnel typically struggle to quantify that.

A CIO needs to be able to tell other executives, ‘If this firewall, application or system is not installed, a breach would cost us X dollars, or the company could lose X dollars per day,’ for example. Not everything can be quantified, but this gives CIOs a starting point.

What will protect your data and reputation?

Some key, high-level steps to consider are:

  • Take inventory of the data systems and gain an understanding of where critical data is located. Then, work to ensure that there is an appropriate amount of security in those areas.
  • Use complex, strong passwords to protect the network, systems and data, and regularly change them. Have the system lock out users after a certain number of failed attempts and log all such activity.
  • Heavily monitor networks and systems. Check who is logging in and from where, who is successfully entering and who is failing. Then, set a baseline to understand any abnormalities.
  • Use the principle of least privilege, especially for critical accounts and functions. This ensures that no single employee has all access; rather, access is tailored to the job function.

There is more companies can do. But by implementing key, basic controls, if a breach occurs, the business can more easily identify what happened and how.
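The lockout and login-baseline steps listed above, sketched as an added example (it is not from the article or from Weaver): it learns which sources each account normally logs in from, then flags failed-attempt bursts and successful logins from sources outside that baseline. The log format, the five-failures-in-ten-minutes threshold and all names are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Assumed line format:
#   <ISO timestamp> user=<name> src=<address> result=<success|failure>
SAMPLE_LOG = """\
2024-03-01T08:02:11 user=alice src=10.0.1.15 result=success
2024-03-01T08:05:40 user=bob src=10.0.1.22 result=success
2024-03-01T23:00:05 user=svc_billing src=10.0.9.5 result=success
2024-03-02T08:01:03 user=alice src=10.0.1.15 result=success
2024-03-02T09:14:27 user=bob src=10.0.1.22 result=failure
2024-03-02T09:14:41 user=bob src=10.0.1.22 result=success
2024-03-03T23:00:04 user=svc_billing src=10.0.9.5 result=success
2024-03-04T02:10:00 user=svc_billing src=203.0.113.50 result=failure
2024-03-04T02:10:20 user=svc_billing src=203.0.113.50 result=failure
2024-03-04T02:10:41 user=svc_billing src=203.0.113.50 result=failure
2024-03-04T02:11:02 user=svc_billing src=203.0.113.50 result=failure
2024-03-04T02:11:30 user=svc_billing src=203.0.113.50 result=failure
2024-03-04T02:25:00 user=svc_billing src=203.0.113.50 result=success
2024-03-04T08:03:00 user=alice src=10.0.1.15 result=success
2024-03-04T08:07:00 user=bob src=10.0.1.22 result=failure
2024-03-04T08:07:15 user=bob src=10.0.1.22 result=success
2024-03-04T08:10:00 user=bob result=success
2024-03-04T22:40:00 user=alice src=198.51.100.7 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure)$"
)


def parse_events(text):
    """Return (events sorted by time, lines that could not be parsed)."""
    events, rejected = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        try:
            ts = datetime.fromisoformat(m["ts"]) if m else None
        except ValueError:
            ts = None
        if ts is None:
            # Keep malformed lines visible: silent gaps hide activity.
            rejected.append(line)
            continue
        events.append((ts, m["user"], m["src"], m["result"]))
    events.sort(key=lambda e: e[0])
    return events, rejected


def build_baseline(events):
    """Map each account to the sources it has logged in from successfully."""
    baseline = defaultdict(set)
    for _ts, user, src, result in events:
        if result == "success":
            baseline[user].add(src)
    return baseline


def review(events, baseline, max_failures=5, window=timedelta(minutes=10)):
    """Flag failure bursts (lockout condition) and off-baseline logins."""
    findings = []
    recent_failures = defaultdict(deque)
    for ts, user, src, result in events:
        fails = recent_failures[user]
        if result == "failure":
            fails.append(ts)
            # Drop failures that fell out of the sliding window.
            while fails and ts - fails[0] > window:
                fails.popleft()
            if len(fails) >= max_failures:
                findings.append(("LOCKOUT", user, src, ts.isoformat()))
                fails.clear()  # one finding per burst
        else:
            fails.clear()  # a success resets the failure counter
            if src not in baseline.get(user, set()):
                findings.append(("NEW_SOURCE", user, src, ts.isoformat()))
    return findings


def analyze(log_text, cutoff):
    """Events before `cutoff` form the baseline; later ones are reviewed."""
    events, rejected = parse_events(log_text)
    baseline = build_baseline([e for e in events if e[0] < cutoff])
    findings = review([e for e in events if e[0] >= cutoff], baseline)
    return findings, rejected


if __name__ == "__main__":
    found, bad = analyze(SAMPLE_LOG, datetime(2024, 3, 4))
    for item in found:
        print(*item)
    print("unparsed lines:", len(bad))
```

Bob's single mistyped password stays below the threshold and produces no finding, which is the point of setting a baseline before alerting.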

Brittany Teare is IT advisory manager at Weaver. Reach her at (972) 448-9299.



How to prevent deal-breaking mistakes when selling your business

Brian Reed, partner, Transaction Advisory Services, Weaver


Selling a business is challenging. From vetting potential buyers to preparing financial statements to keeping negotiations on track — all while running your company — there’s a lot that can go wrong. In fact, almost no detail is too big or too small to affect the eventual outcome of merger and acquisition (M&A) deals. However, you can reduce the odds of a mistake by knowing where similar transactions have gone astray.

“It’s important to talk to owners who have successfully completed sale transactions and to work with experienced M&A advisers,” says Brian Reed, partner in Transaction Advisory Services at Weaver.

Smart Business spoke with Reed about common M&A mistakes and key items to resolve before closing a deal.

How might sellers hurt their chances before putting their business on the market?

You risk a letdown when you make overly optimistic future earnings projections or put too much weight on variable measurements, such as the sale prices of similar companies in stronger M&A markets. If you won’t budge from an unrealistic sale price, you could drive away an appealing buyer.

Work with a professional adviser to assess your company’s value as well as estimate an offering price the market can support. The two may not match because the price depends on contemporary economic, M&A market and sector conditions.

Where does timing factor into this?

Other critical seller mistakes revolve around timing, whether internal or external. For example, selling at the wrong time, at the end of a market cycle, could mean fewer buyers and possibly lower offers. If your sector has experienced a recent wave of M&A deals, the buyer base could be depleted, and you may want to hold off.

Sometimes sales are spurred by internal circumstances, such as the retirement of a founding owner, but these situations shouldn’t rush the sale. If your company is not ready for the market, consider appointing an interim head to make preparations and screen potential buyers.

Sellers, particularly those selling for the first time, often greatly underestimate the amount of work and hours it takes to prepare for sale. Have you allocated enough time to implement strategies to maximize your sale’s value? Is your company ready to promptly and accurately respond to hundreds of specific buyer requests? If you haven’t assembled a team with the time and resources to handle these requests, it could bring your potential deal to a standstill and deter otherwise interested buyers.

How might housekeeping impact deals?

Housekeeping issues aren’t trivial. They include essential tasks such as ensuring that contracts and legal obligations are in order. Some items that can trip companies up are:

  • Poor accounting. If your financial statements and records are not properly organized and presented, it reflects poorly on your management, and the due diligence process will likely take longer. Sloppy accounting errors could mean tax or legal issues after the deal closes.
  • Neglecting key players. Buyers want to know that key employees will stay onboard once the sale is completed. Make sure your top performers are offered financial and other incentives to stay.
  • Locking in contracts. Don’t renew an expensive vendor contract as you’re about to transfer ownership. Buyers don’t like long-term contracts they didn’t negotiate, particularly if they’ll be penalized for breaking them. Negotiate short-term contracts or push for favorable terms.

What are some common loose ends to watch for and resolve?

Leaving loose ends hanging won’t endear you to your buyer, as they could hinder integration and future profitability. Some common unresolved internal issues involve:

  • Minority interests. Buying out minority investors or shareholders before a sale means the buyer won’t need to deal with their demands later.
  • Employee controversies. An integration team doesn’t want to deal with open legal issues, for example, while trying to build a new culture.
  • Copyright confusion. Make sure all patents, copyrights, trademarks and other intellectual property holdings are in order. If you’ve failed to verify and document ownership, you may risk the deal’s value.

Brian Reed is a partner in Transaction Advisory Services at Weaver. Reach him at (972) 448-6936.



How to mitigate the risks of using personal devices in the workplace

Brian Thomas, partner, IT advisory services, Weaver


Over the past few years, employees have been trading in company-issued phones and bringing their own personal devices — phones and tablets — to connect to work servers. They want to carry a single device to access both work and personal material.

“Many companies have said there are enough people doing this that they no longer need to issue phones. They can just allow everyone to bring their own phones and connect them into the environment,” says Brian Thomas, partner in IT advisory services at Weaver.

However, the bring your own device (BYOD) trend comes with risks that companies need to recognize.

Smart Business spoke with Thomas about BYOD and practical steps to lessen risks.

How is the BYOD trend developing?

This is a strong trend among midsize businesses. As for the Fortune 500 organizations, it depends on the nature of the business. If a company has a lot of sensitive information, it will not necessarily adopt a pure BYOD strategy or will do so with an abundance of caution. Large corporations have information security departments that have been quick to identify the risks. In midsize organizations, there are simply not as many people to force a discussion about risk. Regardless, this is a broad trend that affects many businesses.

What are some of the risks?

The two primary areas of concern are physical access and the users themselves.

The No. 1 risk with mobile devices is that it’s not a matter of if they get lost, but when. If companies enable these devices to connect and receive company data, some of which will stay on the phone, then how do they protect that data when the device is lost and presumed to be in the hands of someone else? The primary methods for mitigating this risk are encrypting the phone’s contents, setting passwords to prevent unauthorized access and enabling remote-wipe features that let the company delete the phone’s contents once lost. However, this is complicated in a BYOD scenario because users can connect a multitude of devices to the network, some of which will not support all of these features.

The reason users are a concern with BYOD is because they are often unaware of the risks associated with their mobile device activities. Because they own the phone, they may feel entitled to do with it as they please, including removing security features.

Do certain devices make companies more vulnerable to these risks?

In some ways, yes. The iPhone, for example, is a phone manufactured by one company with one operating system. There are multiple versions, but the uniformity of the product makes it simpler to manage and secure. In the Android world, vulnerabilities are more case-by-case. Similar to Windows PCs, anybody can manufacture the Android phones, and the operating system has to be reconfigured to work with different devices. As a result, updates to address vulnerabilities cannot always quickly be distributed by manufacturers and carriers.

What can be done to manage the risks?

A combination of training and technology can be used to reduce the risks associated with BYOD.

Companies must educate employees about the responsibility they bear when accessing company data on their personal devices. Employees must also be educated about the risks associated with disabling security features, jailbreaking their phone, downloading apps from unknown sources, using open wireless connections and other activities that can compromise security. Employees need to understand that using their personal devices for work purposes requires them to give up a certain amount of freedom. Companies can have employees sign a contract that outlines the rules and consequences for violations, along with the company’s right to remove company data from the phone at any time.

Companies should use technology to enforce a central policy that applies minimum security standards on devices. Many companies implement mobile device management solutions, which assist with enforcing security policies to address the risks associated with lost or stolen phones.

Finally, this is a fast-changing technology area, so companies should always keep an eye on what’s new and assess how it affects their organizations.

Brian Thomas is a partner in IT advisory services at Weaver. Reach him at (713) 800-1050.

How to comply with new disclosures for manufactured products

Dale Jensen, CPA, CFE, partner-in-charge, SEC Practice, Weaver

In August 2012, the Securities and Exchange Commission (SEC) issued a final rule regarding the conflict minerals disclosures mandated by the Dodd-Frank Wall Street Reform and Consumer Protection Act (Act). Public companies will be required to disclose whether they use conflict minerals such as tantalum, tin, tungsten and gold in their manufactured products — and whether the minerals originated from one of the “covered countries” defined by the Act.

“This rule could be very broad reaching, with the SEC estimating approximately 6,000 issuers will be required to provide new disclosures under the rule. Many private companies may also be impacted,” says Dale Jensen, partner-in-charge of Weaver’s SEC practice.

Smart Business spoke with Jensen about how to prepare for compliance.

Why do companies need to be concerned with supply chains now?

Hundreds of products contain conflict minerals, from cell phones and laptop computers to jewelry, golf clubs, drill bits and hearing aids. The SEC estimates that thousands of public companies will have to provide the new disclosures, and many private companies that are part of the impacted public companies’ supply chains may also be affected. Additionally, it estimates the initial compliance costs to be $3 to $4 billion, with subsequent costs of more than $200 million annually.

Who is impacted by this new rule?

Public companies, foreign private issuers, emerging growth companies and smaller companies must all comply. Packaging essential to the product’s function, such as a tin can, is also covered, but materials purchased or inventoried before Jan. 31, 2013, should be outside the rule’s scope.

Retailers are not required to report on products bought or resold, only manufactured or contracted to manufacture. When contracting, the retailer’s degree of influence determines compliance, though it doesn’t need to be substantial.

What’s involved with complying?

First, a company should determine whether any products it manufactures or contracts to be manufactured contain conflict minerals necessary to functionality or production. If the minerals are necessary, but they didn’t come from covered countries or are from scrap or recycled sources, the company’s inquiry method and conclusion have to be disclosed annually on SEC Form SD. This information must also be posted on the company’s website.

However, if there’s reason to believe the minerals originated from covered countries, their origin is unknown, or they may not be from scrap or recycled sources, the company must perform due diligence on the source and chain of custody of the minerals.

After due diligence, if the issuer determines that its conflict minerals are from a covered country and not from scrap or recycled sources, the company will be required to file a Conflict Minerals Report as an exhibit to Form SD. An independent audit of the Conflict Minerals Report is required. The SEC estimates that 75 percent of companies subject to the Act will need to develop a Conflict Minerals Report and have it audited.

What is the timing for compliance?

The first filing isn’t due until May 2014 for the 2013 calendar year, but complying may require substantial preparation for public companies. Companies will also need to file a new Form SD annually by May 31.

What are some next steps for companies?

Management must determine whether the new rule impacts the company, prepare cost estimates for compliance and put a plan in place. Companies should identify products that may contain conflict minerals as soon as possible, keeping in mind that they must comply even if the product contains only small traces of a mineral. Companies should be prepared to report results on a product-by-product basis. Finally, they should work with advisers to develop policies and procedures for supply chain vetting, filing Form SD, and if needed, conducting due diligence and preparing and auditing Conflict Minerals Reports.

Dale Jensen, CPA, CFE, is partner-in-charge, SEC Practice, at Weaver. Reach him at (972) 448-9283.

How executives will be affected by the new Medicare taxes

Mark Watson, partner, Houston Tax and Strategic Business Services, Weaver

The Patient Protection and Affordable Care Act imposes two new Medicare taxes — one on wages and self-employment income and one on net investment income.

“As a result, executives subject to these new Medicare taxes will now incur a 3.8 percent Medicare tax on most of their taxable income,” says Mark Watson, partner, Houston Tax and Strategic Business Services, at Weaver.

Smart Business spoke with Watson about what this new tax means for executives.

How will the Medicare tax impact wages and self-employment income?

Beginning this year, an additional 0.9 percent Medicare tax is imposed on wages and self-employment income in excess of $250,000 for joint filers and $200,000 for single filers. So, the total Medicare tax on wages and self-employment income is now 3.8 percent, up from 2.9 percent.

If a couple files a joint return, the added tax is imposed on their combined wages and self-employment income. Employers must withhold this additional tax on wages paid to an employee in excess of $200,000 in a calendar year. This withholding applies even though the employee may not actually be liable for the additional tax because, for example, the employee’s wages combined with those of his or her spouse don’t exceed $250,000. Any excess withheld Medicare tax will be credited against the total tax liability shown on the employee’s income tax return.

The $250,000 and $200,000 threshold amounts aren’t indexed for inflation. So, over time, more executives will likely be subject to the additional Medicare tax.

How is net investment income affected?

Many executives also will be subject to a new Medicare tax on their unearned income in 2013. This new tax, commonly called the ‘net investment income tax,’ applies to individuals, estates and trusts when income exceeds $250,000 for joint filers, $200,000 for single filers and $11,950 for estates and trusts, and equals 3.8 percent of net investment income.

Net investment income equals investment income less properly allocable deductions. Investment income includes:

• Gross income from interest, dividends, annuities, royalties and rents.

• Gross income from a passive activity.

• Gross income from a trade or business of trading in financial instruments or commodities.

• Net gain from the sale of property.

• Gross income and net gain from the investment of working capital.

However, gain excluded from taxable income, such as gain on the sale of a personal residence and gain deferred through a like-kind exchange, isn’t included in investment income. Similarly, gain from the sale of certain property used in a non-passive trade or business isn’t included.

Properly allocable deductions include:

• Deductions allocable to rent and royalty income.

• Deductions allocable to income from a passive activity and to a trade or business of trading in financial instruments or commodities.

• Penalties imposed on early withdrawal of funds from a certificate of deposit.

• Investment interest expense.

• Investment adviser fees.

• State/local taxes on investment income.

In the case of an estate or trust, deductions also are available for distributions of net investment income to beneficiaries.

How can these taxes be minimized?

Executives subject to the net investment income tax and the maximum federal income tax rate — applying to joint filers with annual income in excess of $450,000 and to single filers with annual income in excess of $400,000 — will face a 43.4 percent federal tax rate on ordinary income and 23.8 percent federal tax rate on long-term capital gains and qualified dividends. Minimize taxable net investment income by:

• Documenting and claiming all allocable deductions.

• Making distributions from an estate or trust to beneficiaries with income below $250,000 or $200,000 who are not subject to the tax on net investment income.

• Investing through tax-sheltered investment vehicles such as 401(k) plans, Individual Retirement Accounts, annuities and life insurance policies.

Mark Watson is a partner, Houston Tax and Strategic Business Services, at Weaver. Reach him at (832) 320-3450.
