Internal audit can make your company stronger

Although only public companies are required to have documented processes that identify internal controls, all companies could benefit from following a similar approach.

“What company wouldn’t want to know where their problem areas are and develop a plan to fix them?” says Chrissy Walters, principal at Skoda Minotti.

Adopting a risk-based approach starts with the question, “What keeps you up at night?” The answers will guide executives to the risks that need to be addressed.

Smart Business spoke with Walters about the benefits that control oversight and internal audit offers to companies of all types and sizes.

How well do C-level executives understand the risks their companies face?
C-level executives understand the high-level risks, but more granular issues are typically managed by the process owners. For example, an executive may understand the risk of non-compliance to Generally Accepted Accounting Principles (GAAP), but it is the process owner who manages risk mitigation activities such as completing a financial reporting checklist.

The key is to have effective communications so C-level executives are informed of emerging issues and can act accordingly. Internal audit plays a role in the communication cycle by reporting testing results to management and the board of directors.

Where should companies start when setting up control oversight?
Start by documenting existing processes such as accounts receivable, accounts payable, inventory, etc. This is commonly completed in narrative form, which may not capture the process correctly or may not contain an appropriate level of detail.

People tend to skim a narrative and believe that it’s acceptable without considering the underlying control structure. I prefer flowcharts because they provide a visual depiction of the process, with tasks assigned to specific individuals, and highlight controls.

Ideally, each person involved in the process reviews the steps to make sure they are captured correctly and agrees to their role in the control environment. A well-documented process has the added benefit of facilitating a clear understanding for new employees, management and auditors while showing the controls that have been implemented.

Through the documentation process, potential risks, such as segregation of duties conflicts, become more apparent. Process owners can then develop a control program to mitigate identified risks.

Once controls are established, they should be tested through an internal audit testing program to verify they are effective. Process documentation captures information at a specific point in time. It’s important that companies review their process documentation annually to verify that process flows and controls are still valid, or if additional risks and controls should be considered.

What are the benefits of using a third party to conduct an internal audit?
There are three benefits to using third-party internal audit consultants. They provide specific expertise, a more objective perspective and staffing flexibility.

Internal audit specialists are unique in their focus on risk environments and control development. They work with a variety of companies, learn from them, and therefore can share best practices to maximize control effectiveness in a cost-efficient manner.

Auditors work with their clients to challenge the status quo and identify better ways to manage their risk. Solutions could include automating processes, adding new controls, or in some cases eliminating overlapping controls. A different perspective is important because people may be accustomed to the way a company has operated over time, but there may be room for improvement.

A third-party auditing team provides staffing flexibility by taking on special projects, such as enterprise risk management reviews, litigation support and fraud investigations, leaving the company’s staff to focus on their core responsibilities.

Internal audit removes a company’s blindfold so risks can be seen and effective controls can be constructed to help the company become stronger.

Insights Accounting is brought to you by Skoda Minotti

How tax reform changes the financial reporting of corporate taxpayers

The Tax Cuts and Jobs Act introduced major tax reform for corporations, partnerships and business owners.

“Everyone is still trying to wrap their heads around the changes and how they’re going to impact their company today and within the next few years,” says Todd Rosenberg, tax managing director at BDO USA, LLP.

Smart Business spoke with Rosenberg about changes that are already impacting financial reporting for corporate taxpayers.

How will tax reform impact corporate taxes?

Significant changes for corporate taxpayers are the reduction to a flat 21 percent income tax rate, repeal of the corporate Alternative Minimum Tax, interest expense limitation, the treatment of net operating losses, changes to the percentage of bonus depreciation and how foreign earnings are subject to U.S. tax. While most changes weren’t effective until Jan. 1, 2018, some items will impact a company’s ASC 740 calculation for financial statements that include the enactment date of Dec. 22, 2017.

What is ASC 740?

ASC 740 — formerly Statement 109: Accounting for Income Taxes or FAS 109 — provides guidance on recognizing income tax expense in financial statement reporting. ASC 740 presents a company’s current income tax liability owed to authorities and reports an asset or liability for the income tax impact of transactions that have occurred. ASC 740 continues to be a risk area within financial statements.

How will financial reporting change?

Changes or updates to the Internal Revenue Code impact a company’s ASC 740 computation and financial statement reporting. As more guidance is released, companies need to gain an understanding of how those changes will impact them.

Some items will impact Dec. 31, 2017, financial statements. For example, calendar year-end companies that issue financial statements as of Dec. 31 must re-measure their deferred taxes using the reduced rate of 21 percent for deferred balances that will be recognized after Dec. 31, 2017. This could greatly increase or decrease the amount of tax expense reported in the financial statements for the period, depending on a company’s deferred tax position. Also, companies with foreign entities that have unremitted earnings will need to assess those earnings and profits to determine if they need to provide for the repatriation tax. Fiscal year-end companies need to reflect these changes in the quarter that includes the enactment date of Dec. 22, 2017.

Further, companies need to look at how tax reform will impact their first quarter. A lot of documentation and analysis may be required. For example, when a company analyzes its need to record a valuation allowance on its deferred tax assets, it will have to consider the changes to the net operating loss (NOL), carry-forward period and utilization limit, or if the company is subject to the interest expense limitation. These two items could create indefinite lived deferred tax assets.

Also, the 100 percent dividend received deduction could impact a company’s foreign source income when considering the utilization of foreign tax credits.

What if companies don’t have the necessary information for their financial statements?

Given the complexity of the changes, the Securities and Exchange Commission issued SAB 118. It provides guidance on the approach companies may use if the necessary information is incomplete or not available when financial statements are issued. Companies will need to work with their tax professionals to follow this guidance correctly, while planning to update statements as soon as possible or as the information is gathered.

Are there other changes to ASC 740 that businesses need to keep an eye on?

The Financial Accounting Standards Board (FASB) was reviewing comments on a proposed Accounting Standard Update (ASU) focusing on the financial statement disclosures framework for ASC 740. Its purpose is to improve the effectiveness of the disclosures that companies provide in financial statements and give clearer communication on information that is important to financial statement users. The FASB will likely focus on this again once the dust settles from tax reform. This framework will impact public and private companies.

Insights Accounting is brought to you by BDO USA, LLP

Next steps for business owners under the new tax law

Business owners are trying to determine how the Tax Cuts and Jobs Act will affect them and their companies. But while Congress set an outline, the IRS hasn’t written the rules yet that will determine which businesses qualify for things like the 20 percent deduction for pass-through income, says Jim Komos, CPA, partner-in-charge of tax at Ciuni & Panichi, Inc.

“The uncertainty will probably remain going into the summer,” he says. “Plus, they’re already talking about a corrections bill to fix loopholes that resulted from rushing it through.”

Smart Business spoke with Komos about what’s clear so far about the tax law changes.

The U.S. corporate rate is going from 35 to 21 percent. Are there any downsides to that?

Some small C corporations could be hurt. Before, the first $50,000 of taxable income was taxed at 15 percent; now it all will be taxed at 21 percent. However, C-corps are generally the biggest benefactors of this law.

What changes do business owners need to be concerned about most?

The big concerns are the business interest limitation and the 20 percent deduction for pass-through entities.

Business interest deductions previously had no limit. Now, the government will only let you deduct business interest expense to the extent you have income before that interest expense and depreciation. The change came because of some abuses and the government wanted less risk by business owners who are over-leveraged. For instance, real estate owners with a large mortgage may only be able to deduct two-thirds of that interest expense because they don’t have enough income to justify the full amount. Almost any large business with marginal profits and high debt could be hit by this, such as those with a lot of equipment or inventory.

The other area to watch is whether your S corporation, or flow-through entity, can take a new 20 percent deduction. Previously, 100 percent of income was subject to tax; now with a non-service business or income below a certain threshold, you can take the 20 percent deduction. This could really impact personal tax returns, but there will be complex rules as far as how to compute that deduction and who qualifies for it.

Even if your company will qualify, you’ll want to look closely at the rules. For instance, you may need enough payroll to at least equal the 20 percent deduction. Each case will require individual analysis.

Does that mean business owners may switch from C-corp to S-corp or vice versa?

A lot entities are looking at their structure to see if they should go one way or the other. Some flow-through entities, especially those that wouldn’t qualify for the 20 percent as a service business, for example, are re-examining if should they be a C-corp. However, if you terminate a S selection, you generally can’t make it again for five years.

Remember, though, that mid-March is the deadline for changes, if you’re a calendar-year taxpayer and you want to convert to S-corp for 2018 and make it effective for the whole year. You also need to look into any state and local tax ramifications.

These conversations about ownership structure are always going on, but it has added emphasis with the tax reform bill.

What else should owners look at?

Analyze your improvement plan. You may want to accelerate or change how you deal with your improvements in light of the 100 percent bonus depreciation. (It was previously 50 percent.)

Also, sketch out what 2018 will look like. For instance, you might be in a lower bracket, so you could take more bonus depreciation or be more aggressive in your 2017 accounting. Even though the year is over, you can still do some things with regards to accruals or depreciation methods.

Other changes could affect employees. Employee business expenses are no longer deductible, for instance, and your employees may want to get reimbursed for those expenses or re-structure compensation so the company pays those expenses.

How should business owners handle their personal investments?

The biggest change on investment income is that fees will no longer be allowed as a miscellaneous itemized deduction. Also in general, it’s not as advantageous to itemize. Start planning now for things like charitable contributions.

Insights Accounting is brought to you by Ciuni & Panichi, Inc.

How CPAs can help tip the balance toward success in your family business

In family-run businesses, the employees and family members wear many hats, and usually one of these is an accountant’s visor.

“When they are not trained and skilled in accounting matters, misunderstandings and mistakes happen,” says Mark A. Ulishney, CPA, partner at Case | Sabatini.

In many instances, the family business relies upon external assistance from CPAs with general accounting issues, financial reporting and income taxes. As the business grows, executives are usually able to bring in skilled employees to perform more accounting functions.

Smart Business spoke to Ulishney about family businesses’ accounting struggles and where a CPA can provide assistance.

I’ve heard a good CPA will help a family business operate in a professional fashion. How can he or she help the leaders make decisions that are best for the business?

The relationship of a CPA with his or her clients, especially in the case of family businesses, is one of trust and confidence.

Since a quality CPA is well skilled and versed in accounting and tax matters, the family business owners rely upon the CPA’s knowledge, not only in general day-to-day functions, but especially in presenting the best financial picture of the business to financial institutions while reducing the tax bite to the lowest level possible.

When it comes to longevity in a family business, what are the keys to developing a succession plan or exit strategy?

The longevity of a family business is, first and foremost, dependent upon it being successful — both financially and in its community image. It should be a desired provider of products and/or services in its field.

The members that make it successful must pass along the knowledge and skills they have obtained to either the next generation or youthful employees. This is no different than a father and mother passing on their family life skills.

How else can companies use accounting management to better maximize profits and generate more revenue?

A CPA brings experience and skill to the table and can assist family business leaders in devising plans to increase the bottom line. Because the CPA works with several businesses across different industries, he or she has a broad base of knowledge as to what has worked and what has not, and can provide suggestions of what actions would work to the business’s benefit.

There is always a cost/benefit approach to any business decisions and each business is unique in that endeavor and analysis.

How should a family business seek out a CPA?

Word-of-mouth referrals are a great place to start, and business owners should always interview a prospective CPA before engaging them. If the family business is a member of a chamber of commerce or industry-specific association, it would pose a great opportunity to network within those groups and perhaps familiarize themselves with a CPA who works with businesses in its industry.

In what areas should family business owners consult with their CPA on an ongoing basis?

The family business should not hesitate to consult with their CPA if there is uncertainty in accounting matters. Most importantly, they should keep their CPA in the loop as to what they are doing.

The last thing a CPA wants to see happen is for the client to make uninformed business decisions or to take actions that the CPA only finds out about after year-end. At that point, the CPA has not only lost the ability to plan, but also the ability to correct any mistakes. The CPA can only mitigate the financial damage.

Specific areas where the CPA should be consulted are obviously major business purchases or sales, and of course, income taxes. Other items the CPA can assist with include debt financing, lease versus purchase, employee benefit plans, software evaluation and utilization, payroll matters and more.

If there is only one takeaway from this discussion, it is to plan — with your CPA — before enacting financial business decisions.

Insights Accounting is brought to you by Case | Sabatini

As tax presence expands, nexus studies become more important

Where companies do business, and the definition of “doing business,” seems as if it should be obvious given the attention most pay to revenue, marketing and sales efforts. However, not all companies are aware of the states and cities in which they have nexus, especially as those entities look to impose digital or “cookie” nexus to capture as much tax revenue from those doing business in their jurisdictions.

“A company is considered to have nexus when it has a significant enough connection with a state — connection being defined in a number of ways — for that state to impose its laws on the company,” says Jeff Stonerock, tax director at Clarus Partners. “This is most often used with respect to a company’s tax liability.”

This is why a nexus study is important. It’s a review of the company’s activities to determine if they meet the requirements under a particular state’s laws to require the company to file tax returns and pay taxes owed to that state.

Smart Business spoke with Stonerock about tax nexus and how to use nexus studies to determine tax liability.

How is a nexus study run and what should companies know when it’s done?

A nexus study is executed by gathering the facts surrounding the operations and locations of the work and sales of a company. It involves payroll and sales records, and meetings with key personnel.

Companies should realize that not only is current information important, but where the company will or expects to be operating and selling in the future is important as well.

What companies should be sure to conduct a nexus study?

Any company that has activities outside of the city and/or state in which the company is physically located should conduct a nexus study to understand its tax obligations. Typically, activities that create nexus are sales; people, specifically their physical presence in another city or state, as well as their activity; property; or subcontractors working on behalf of the company in a city or state outside of the company’s home base.

What should companies know about cookie nexus and how to account for their presence where these laws are on the books?

All states have different rules related to cookie nexus, also referred to as click-through or affiliate nexus, which in one way or another refer to a company’s digital sales activities. It is important to know that what has traditionally been considered a physical presence in a state to create nexus may no longer be the limit of the definition. Companies that have a digital presence in another state could be required to file returns and pay taxes in that state.

When undertaking a nexus study, companies should be sure to explore their digital presence, especially any digital sales activities, and understand the laws in the states where transactions have occurred.

Who should be on the team that runs a nexus study?

The most important people are the CFO, the head of operations and the human resources lead. The numbers of the business are important, but where and how the business operates as well as where the people are located and working is equally as important in a nexus study.

Companies should work with their accounting professional to understand the filing requirements of the states, including estimated payments and filing dates to make sure they follow all laws going forward. In addition, they should understand what items from their business may require them to file taxes in another state.

How often should companies run a nexus study?

Run a nexus study every year in which business activities in a state increase significantly based on the original nexus study. If the nexus study is performed correctly, a business should have a plan in place to review its activities as they increase in a new state. The subsequent nexus study should take just a couple of hours to perform each year going forward.

Companies that have a growing business and have not performed a nexus study in five years or more should contact their tax professional to ensure their business does not have tax liabilities in other states from the ever-changing state tax laws.

Insights Accounting is brought to you by Clarus Partners

New tools for accountants can help protect companies from cyber threats

The digital threats facing organizations today have multiplied as they move their data hosting from localized servers to the cloud. Further, myriad devices, such as smartphones, tablets and laptops are accessing that data, many of which are not a company’s property, but are owned by employees. That’s made protecting all that data, and securing all the possible entry points, a significant task.

Coming to the aid of organizations in the fight against cyber threats are accountants who, with a new reporting tool, are able to help companies identify areas of vulnerability in their cyber defenses.

Smart Business spoke with Ryan Bidlack, IT Senior Manager at Barnes Wendling CPAs, about how accountants are helping companies with cybersecurity.

What are the major threats to an organization’s digitally stored information?
While the types of attacks have multiplied and evolved, what has remained much the same is the threat posed by internal employees. It’s not necessarily a rogue or malicious employee intent on doing harm to the company that is the problem.

Instead, it’s people who are unaware of the potential harm of clicking on a malicious link, falling for a phishing scam, or unwittingly downloading malware. Because employees can access the network from anywhere at anytime, if an unauthorized user gets access to their account, they can steal confidential data, client information, or anything that’s housed on the company’s network.

Outside devices pose a major threat. While the trend of Bring Your Own Device has certainly helped productivity, it’s become a means through which malware or viruses can find a way into a company’s network.
It’s tough to manage everything that comes into a company’s network these days. There isn’t one solution companies can use to protect themselves, rather it takes a multifaceted approach.

How well are companies defending themselves from these digital threats?
How well a company protects itself varies significantly between organizations. Based on the general success of ransomware and other high-profile attacks, no company should feel as if their systems are safe.

It’s a good idea to have risk assessments and system testing done annually by an outside entity. The American Institute of Certified Public Accountants, in 2017, introduced System and Organization Controls (SOC) Reporting for Cybersecurity to assist organizations in the fight against cyber threats.

It’s designed to examine, assess and report on various internal controls, and create greater efficiency by identifying redundant or ineffective controls. Some accountants have in-depth IT knowledge and are capable of performing an SOC Cybersecurity engagement. They not only have broad knowledge of existing threats, but they also stay current on threat protection methods.

What is cybersecurity and who needs a cybersecurity program?
Cybersecurity encompasses any software, hardware, processes or procedures designed to protect a network’s systems and data from any unauthorized access.

Any organization with an internet connection and data on its servers and workstations needs a cybersecurity program.

Some companies don’t think they’re at risk because they don’t process credit cards, but all companies could have personally identifiable data on their employees, such as Social Security numbers and protected health information. They also could have sensitive customer information or data —all businesses use emails, which contain a wealth of information. Companies that are storing any of this must protect access to that data.

How can accountants help companies address cyber threats?
SOC Reporting for Cybersecurity is a tool CPAs can use to provide companies with an opinion on their risk management program, including the effectiveness of their controls. It’s a unique reporting mechanism for CPAs  who are bound by AICPA guidelines, and adhere to standards subject to peer review.

All organizations need to continuously assess their cyber risk proactively rather than reactively. While an organization might feel safe because it hasn’t been hit by a cyberattack, chances are it will be, or already has been hit and doesn’t know it. ●

Insights Accounting is brought to you by Barnes Wendling CPAs

How a cost segregation study can focus your fixed asset strategy

Has your business acquired, constructed or substantially improved a building recently? You may want to get a cost segregation study to develop a strategy around capitalizing your fixed assets. It could allow you to accelerate depreciation deductions, to ultimately reduce taxes and increase cash flow.

Tony Constantine, CPA, a tax partner at Ciuni & Panichi, Inc., says, unless you’re in the business of owning real estate, you may not be aware of the benefits of a cost segregation study. In fact, some accountants don’t understand how these studies can provide savings.

“You don’t even have to be the property owner. A major tenant that does a large build-out could take advantage of this if they own the improvements,” he says.

Smart Business spoke with Constantine about cost segregation studies, depreciation and how they apply to your fixed assets.

How can a cost segregation study reduce your company’s taxes?

IRS rules generally allow business owners to depreciate commercial buildings over 39 years. They can depreciate structural components — walls, windows, HVAC systems, elevators, plumbing and wiring — along with the building.

Companies often allocate all or most of a building’s acquisition or construction costs to real property, overlooking opportunities to allocate costs to shorter-lived personal property or land improvements. Personal property, depreciable over five or seven years, can include removable wall and floor coverings, detachable partitions, awnings and canopies, window treatments, signage and decorative lighting. In addition, certain items qualify if they serve a business function. Examples include reinforced flooring to support heavy manufacturing equipment, electrical or plumbing installations, and dedicated cooling systems for server rooms. Land improvements — fences, outdoor lighting and parking lots — are depreciable over 15 years.

A cost segregation study applies engineering methods to quantify the building materials, reconciling that to the purchase price. It uses statutes and case law to determine how items can be depreciated.

What other tools can apply to fixed assets?

The tangible property regulations provide a framework for determining when to capitalize an expense and when to expense it.

Additional incentives amplify the benefits of putting a strategy around your fixed assets. Section 179 allows for an immediate expensing of tangible personal property, such as desks and equipment. That limit was $500,000 in 2017, but under the Tax Cuts and Jobs Act, it jumps to $1 million in 2018.

Another incentive is bonus depreciation, where employers write off a percentage of the cost basis of an asset with the first-year depreciation. Prior to the new tax law, a 50 percent bonus depreciation was available for new property. Now, any asset, new or used, acquired from Sept. 27, 2017, to 2023 can be written off at 100 percent.

What else should business owners know about creating a fixed asset strategy?

Don’t just look at the hypothetical benefit; consider the whole picture. How do you maximize the provisions and use them to get the biggest benefit? You might be in a situation where, depending how the ownership is structured, if you create losses, they’ll be limited. So, paying $10,000 for a study and an extra depreciation deduction doesn’t make sense. Other times, a study might increase cash flow by $50,000 but cost $10,000. Some people will think that’s great and they’ll do it. Others won’t think that’s enough margin to go through the hassle.

Apply a global strategy — not only for this year, but next year and beyond. Your tax adviser can look at your situation, tax rate structure and the provisions that are applicable to see where and when your company gets the biggest benefit. But you also need to provide a clear picture, if you plan to sell an asset in five years, rather than keep it for the full term, that changes the modeling and potential benefits.

If you already invested in depreciable buildings or improvements, it may not be too late to take advantage of a cost segregation study. A ‘look-back’ study allows you to claim missed deductions in qualifying previous tax years. You can also review your depreciation schedule to see if equipment, for example, is in the wrong asset class.

Insights Accounting is brought to you by Ciuni & Panichi, Inc.

Data analytics and AI are the future of internal audit and fraud investigation

Data analytics helps people better understand their business and see weaknesses and inefficiencies more clearly. Analytics can also increase revenue through pricing optimization or analyzing margin or costs to improve the efficiency of the manufacturing process. Many internal audit departments, however, are just getting on board with this trend.

Smart Business spoke with Kirstie Tiernan, data analytics managing director for BDO, Chicago at BDO USA, LLP, about data analytics, especially as it relates to internal audit and why artificial intelligence (AI) adds even more value.

How are employers developing programs around data analytics?

Data analytics requires people, tools, infrastructure and IT, and it’s an involved investment. That’s why it’s best for employers to start developing programs by focusing on one area, such as accounts payable. Once a program analyzes variables like duplicate vendors and payments, employers can expand into accounts receivable, journal entry review, payroll, analyzing customer behavior or pricing optimization. Employers might also benefit from working with an outside vendor, and its tools and subscriptions, so they can evaluate their baseline before purchasing anything.

What are some risks to be aware of?

First, avoid collecting garbage data that requires time and effort to clean. When looking to make better use of data, you should review your information governance policies. How have you collected data? What data are you collecting? How long are you retaining it? Who has access to it? Are you collecting it in a way that you’re able to verify it? It’s critical to have a method to improve the quality, so your analysis is useful in the end. Cybersecurity is a concern as well. Make sure you’re storing data appropriately and that third parties with access to your data are vetted and secure.

One pitfall of data analytics — especially with internal audit — is that people tend to focus on generating reports. They can get overwhelmed and find it hard to wrangle those results into value. As you’re creating your analysis program, make sure you have the results in mind. If you get 5,000 exceptions from an analysis, it’s not a good analysis. You want limited results and as few false positives as possible. That takes upfront planning. The goal is targeted analysis.

The holy grail of analytics is an alert-based program. A restaurant that looks at voided transactions on a monthly basis, for example, might find it more valuable to receive emails flagging where and when voided transactions took place. Those emails can include which voided transactions look fraudulent based on the knowledge of why voided transactions are an issue. This format moves you away from cumbersome report reviewing and toward real-time analysis of specific problems you need to address.

How does AI aid fraud investigations?

Rather than analyzing samples of data, AI incorporates statistical and advanced analytics to review entire populations for anomalies. It’s a new level of analysis that reviews an entire population of data to find transactions that look different. As the advanced algorithms get smarter, looking across more industries and company data examples, they identify anomalies more quickly and efficiently.

If you suspect fraud, targeted data analytics can look for variables like your typical round dollar payments or users with inappropriate access. When you’re unaware of fraud, however, it can be difficult to know where to run specific analytics. This is where AI is invaluable, running millions of data points through algorithms for a quicker focus and narrower scope. Rather than running 50 reports and sampling the results, AI looks at the entire data set. For example, in one investigation, the client had 10 million journal entries over three years of data. It knew it had a fraud issue, but wanted to understand the fraud’s scope and if there were other issues beyond the ones it was aware of. Plus, the client had three days to get back to its auditors. BDO used Mindbridge to examine all 10 million entries. Of the top 10 accounts of highest risk as noted by the tool, two of those accounts had fraud. When you don’t know what you’re looking for or you’re unsure of the scope of the fraud, advanced analytics incorporating AI can provide a quicker and lower-cost application of analytics.

Insights Accounting is brought to you by BDO USA, LLP

Careful due diligence is needed when seeking incentives

Financial incentives provide a competitive advantage to businesses. Local officials understand the importance of attracting new businesses and are willing to provide economic development incentives. But how does an existing business compete for the same attention and financial investment from local leaders?

“While new business attraction grabs the headlines, savvy officials are aware that approximately 80 percent of new jobs are created by existing businesses,” says Graham Allison, president of Graham A. Allison & Associates LLC, an affiliate of Clarus Partners.

He says local officials regularly hold ‘retention and expansion’ visits with companies already in the community to identify their needs and discuss growth opportunities.

However, not all companies seize their chance for help.

“Many of these local businesses invest in new jobs, equipment and infrastructure without determining if they are eligible for incentives, and the opportunity passes them by.”

Smart Business spoke with Allison about the incentives available to companies, when they can be used and what to consider before pursuing them.

In what situations do companies have the leverage to negotiate for incentives?

In general, the larger the investment and the number of jobs created, the greater the likelihood of a more robust incentive package. Companies have the most leverage when there is interstate or international competition for the project and when incentives are a key factor in the decision to expand.

The opportunity for incentives arises from investment in new jobs, equipment, technology, infrastructure, and brick and mortar. Rather than exerting leverage, companies can look to create a public-private partnership in which both the community and company benefit.

What kinds of incentives should be requested?

Discussions around incentives typically refer to municipal or city-level incentives. Yet, there are numerous types of incentives at the local, county, state and federal levels. CEOs should make expansion decisions based on all the information at their disposal.

There is a bit of art and science to negotiating incentives. Each program has its own goals and mission to aid in job creation, along with specific compliance requirements. It’s important that companies avoid asking for an incentive that cannot be utilized.

Who from the company should be represented during incentive negotiations?

This can be done multiple ways — an anonymous site selection project or direct discussion with state, county and local officials by the CEO and his or her team of advisers. It is also helpful for CEOs and CFOs, as well their accountants, to work with incentives specialists who can help maximize the opportunity to gain incentives. Economic development incentive specialists can help save time and effort when determining eligibility for incentives and help drive the negotiation process to positive outcomes.

What can businesses that are looking for incentives do to get what they’re after?

Businesses should do their homework. Most incentive programs have strict, codified covenants that require diligent compliance reporting to avoid claw-back of incentives. It is important to know going into a negotiation if the business will be eligible to receive incentives at all based on the level of investment and jobs created. A consultant can take you down a relevant path.

Financial incentives can have tremendous positive impact to the bottom line. While local officials are generally willing to provide incentives, they are not without strings. Prior to making any major expansion or investment, it is important to know if the cost of gaining incentives justifies the efforts to obtain them. A professional who is well-versed in the process can help to create the most advantageous outcome that is a win-win for communities and the business.

Insights Accounting is brought to you by Clarus Partners

Measure your organization’s security posture to ensure protection

The data companies have in their digital networks multiplies daily. And as the workforce becomes increasingly mobile, more and more devices seek to connect to that data via the internet, creating significant vulnerabilities for companies.

“Too often business leaders don’t understand the nature of the data that’s sitting on their network,” says Joe Compton, a principal at Skoda Minotti Risk Advisory Services. “Companies that fail to do comprehensive risk assessments have no way of understanding the potential business impacts if that data were to be stolen or rendered inaccessible.”

He says that’s why it’s important that organizations adopt an IT security framework (e.g., PCI, HITRUST, NIST sp800, or ISO 27001) to protect sensitive information from those who seek to profit from it illegally.

Smart Business spoke with Compton about what companies should know about the data they keep and how to protect it.

How do businesses determine what security standards to adopt?
Before selecting a security framework, companies should first determine what data they have and where it is, then assign some level of risk to each data category.

Data should be classified by its level of sensitivity. The highest level of security should be assigned to data that would be most damaging to the company or its clients/customers if it were to be captured by a bad actor. Another aspect to data classification is the importance of its availability. What data must a company access daily to operate?

Consider how threats could affect the integrity of data processing. These could alter a transaction or alter the way other information is processed in the system so that it becomes inaccurate — an attack that could affect bank statements or payroll.

Once a company understands the types of data and the risks the loss of each poses, it can select a security framework. Adopting a framework of controls gives the company the ability to audit and test its protections and understand how network threats are being handled. It also provides management a decision framework when considering enhanced security controls.

The simplest control framework to implement is PCI DSS (Payment Card Industry Data Security Standard), which is designed to protect credit card holders against the misuse of their personal information. Adhering to this standard doesn’t guarantee that a company’s data will be secure, but it does offer a sound framework of best practices to reduce unmitigated threats.

How can organizations feel confident that their security is adequate?
Once a company has implemented a security framework, it should conduct security testing to expose flaws. At a basic level, this can be done as automated, weekly vulnerability scans that alert management to discovered weaknesses and advise how they can be remediated. It’s also a good idea to conduct regular penetration testing to ensure systems can’t be altered or otherwise tampered with.

It’s also important that every organization achieves some type of segregation of duties. There should be adequate testing of user roles in the system to make sure users can’t escalate their privileges and access otherwise restricted information.

What is the process to make sure these benchmarks are being met?
It’s critical to conduct regular security and risk assessments, either internally or through an outside provider, and make sure internal logs are being monitored for activity.

If a company has the resources, getting an independent, third-party opinion on a regular basis is always good.

The third-party provider’s job is to identify vulnerabilities and deliver ideas on how to make the environment more secure. Established and reputable third-party providers are likely in hundreds of environments every year, which gives them a broad perspective on the types of threats that exist and how to stop them.

Companies must be diligent when monitoring and testing their networks. If a breach or attack does occur, it’s better to know within 24 hours than six months later. It’s not about perfection, but rather mitigation. That takes a well-defined process and a cohesive plan to manage.

Insights Accounting is brought to you by Skoda Minotti