News & Tech Tips

Cyber risks: A critical part of your auditor’s risk assessment

As businesses and not-for-profit entities increasingly rely on technology, cyberthreats are becoming more sophisticated and aggressive. Auditors must factor these threats into their risk assessments. They can also help you draft cybersecurity disclosures and brainstorm ways to mitigate your risk of an attack.

Increasing risks

How much does a data breach cost? The average has reached an all-time high of $4.35 million, according to the newly released “Cost of a Data Breach Report 2022.” The report, published by independent research group Ponemon Institute, also found that 83% of respondents have experienced more than one data breach.

Another key finding is that the average cost of a data breach increased by roughly 13% during the pandemic. Why? One reason is the increase in remote working arrangements. Many organizations now have sensitive data stored in more places than ever before — including laptops, cloud-based storage, email, portals, mobile devices and flash drives — providing many potential areas for unauthorized access.

Ransomware attacks are also on the rise, in part due to geopolitical instability. According to the study, ransomware attacks were up 41% in 2022 compared to the previous year. These attacks cost organizations an average of $4.54 million per incident in 2022, excluding any ransom paid to the perpetrator. Ransomware attacks generally take longer to detect and contain than other types of data breaches.

Targeted data

Hackers may try to steal valuable information about your organization’s employees and customers. Examples include payment card data, protected health data and personal identifiable information, such as phone numbers, addresses and Social Security numbers.

Another target may be valuable intellectual property, such as customer lists, proprietary software, formulas, strategic business plans and financial data. These intangible assets may be sold or used by competitors to gain market share or competitive advantage.

Risk assessment

As the frequency and severity of cyberattacks have increased, data security has become a critical part of the audit risk assessment. In recent years, the Public Company Accounting Oversight Board (PCAOB) has interviewed auditors of companies that have experienced a cybersecurity breach.

These interviews reveal that audit firms provide varying levels of guidance, both when assessing risk at the start of the engagement and when uncovering a cybersecurity incident that occurred during the period under audit or during audit fieldwork. For example, auditors usually ask management what’s being done to understand, detect and prevent computer system breaches.

Another key finding of the PCAOB research is that the costs associated with cybersecurity breaches may not always be apparent. A major cybersecurity breach can cause more than lost profits; it may also result in a loss of customers, reputational damage and even bankruptcy.

We can help

Though PCAOB’s research focuses on public companies, any organization can be the victim of a cyberattack. And the effects may be even more devastating for those with fewer resources to absorb the losses and assign dedicated staff to respond to breaches. Our firm is atop the latest cybersecurity trends. Our auditors can help your organization assess its cyber risks and improve the effectiveness of internal controls over sensitive data. Contact us for more information.

© 2022

Estimated tax payments: Who owes them and when is the next one due?

If you don’t have enough federal tax withheld from your paychecks and other payments, you may have to make estimated tax payments. This is the case if you receive interest, dividends, self-employment income, capital gains or other income. Here are the applicable rules for paying estimated tax without triggering the penalty for underpayment.

When are the payments due?

Individuals must pay 25% of a “required annual payment” by April 15, June 15, September 15, and January 15 of the following year, to avoid an underpayment penalty. If one of those dates falls on a weekend or holiday, the payment is due on the next business day.

So the third installment for 2022 is due on Wednesday, September 15. Payments are made using Form 1040-ES.

How much should you pay?

The required annual payment for most individuals is the lower of 90% of the tax shown on the current year’s return or 100% of the tax shown on the return for the previous year. However, if the adjusted gross income on your previous year’s return was more than $150,000 ($75,000 if you’re married filing separately), you must pay the lower of 90% of the tax shown on the current year’s return or 110% of the tax shown on the return for the previous year.

Most people who receive the bulk of their income in the form of wages satisfy these payment requirements through the tax withheld by their employers from their paychecks. Those who make estimated tax payments generally do so in four installments. After determining the required annual payment, divide that number by four and make four equal payments by the due dates.

But you may be able to use the annualized income method to make smaller payments. This method is useful to people whose income flow isn’t uniform over the year, perhaps because of a seasonal business. For example, if your income comes exclusively from a business operated in a resort area during June, July, and August, no estimated payment is required before September 15.

Who owes the penalty for underpaying?

If you don’t make the required payments, you may be subject to an underpayment penalty. The penalty equals the product of the interest rate charged by the IRS on deficiencies, times the amount of the underpayment for the period of the underpayment.

However, the underpayment penalty doesn’t apply to you if:

  • The total tax shown on your return is less than $1,000 after subtracting withholding tax paid;
  • You had no tax liability for the preceding year, you were a U.S. citizen or resident for that entire year, and that year was 12 months;
  • For the fourth (January 15) installment, you file your return by that January 31 and pay your tax in full; or
  • You are a farmer or fisherman and pay your entire estimated tax by January 15, or pay your entire estimated tax and file your tax return by March 1.

In addition, the IRS may waive the penalty if the failure was due to casualty, disaster or other unusual circumstances and it would be inequitable to impose the penalty. The penalty can also be waived for reasonable cause during the first two years after you retire (and reach age 62) or become disabled.

Do you have more questions?

Contact us if you think you may be eligible to determine your estimated tax payments under the annualized income method, or you have other questions about how the estimated tax rules apply to you.

© 2022

How external confirmations are used during an audit

Auditors commonly use confirmations to verify such items as cash, accounts receivable, accounts payable, employee benefit plans and pending litigation. Under U.S. Generally Accepted Auditing Standards, an external confirmation is “a direct response to the auditor from a third party either in paper form or by electronic other means, such as through the auditor’s direct access to information held by a third party.”

Some companies may be put off when auditors reach out to customers, lenders and other third parties — and sometimes confirmation recipients fail to respond in a timely, complete manner. But confirmations are an important part of the auditing process that you’ll better appreciate if you learn more about them.

Three formats

The types of confirmations your auditor uses will vary depending on your situation and the nature of your organization’s operations. Confirmations generally come in the following three formats:

1. Positive. Recipients are requested to reply directly to the auditor and make a positive statement about whether they agree or disagree with the information included.

2. Negative. Recipients are requested to reply directly to the auditor only if they disagree with the information presented on the confirmation.

3. Blank. The amount (or other information) isn’t stated on this type of request. Instead, it requests recipients to complete a blank confirmation form.

Confirmation procedures may be performed as of a date that’s on, before or after the balance sheet date. If the procedures aren’t performed as of the balance sheet date, the account balance will need to be rolled forward (or backward) to the balance sheet date.

Mailed vs. electronic forms

In the past, auditors sent out confirmation letters through the U.S. Postal Service. Then, they waited to receive written responses from their audit clients’ customers, suppliers, banks, benefits plan administrators, attorneys and others. This was a cumbersome process. If an auditor failed to receive an adequate level of response, follow-up confirmation letters could be sent, which could lead to delays in the audit process. Alternatively, the auditor could contact nonresponding recipients by phone or in person. Otherwise, the auditor would need to perform alternative procedures.

Although written confirmations are still permitted, auditors routinely use electronic confirmations today. These may be in the form of an email submitted directly to the respondent by the auditor or a request submitted through a designated third-party provider.

Electronic confirmations can be considered reliable audit evidence. Plus, they overcome some of the shortcomings of written confirmations. That is, they’re sent and received instantaneously at no cost, and the electronic confirmation process is generally secure, minimizing the risks of interception or alteration. As a result, some financial institutions no longer respond to paper confirmation requests and will respond only to electronic confirmation requests.

Let’s work together

External confirmations can be a simple and effective audit tool. Contact us if you have questions about how we plan to use confirmations during your next audit or if you have concerns about the efficacy or security of the confirmation process.

© 2022

Is your withholding adequate? Here’s how to check

When you filed your federal tax return this year, were you surprised to find you owed money? You might want to change your withholding so that this doesn’t happen again next year. You might even want to adjust your withholding if you got a big refund. Receiving a tax refund essentially means you’re giving the government an interest-free loan.

Adjust if necessary

Taxpayers should periodically review their tax situations and adjust withholding, if appropriate.

The IRS has a withholding calculator to assist you in conducting a paycheck checkup. The calculator reflects tax law changes in areas such as available itemized deductions, the child credit, the dependent credit and the repeal of dependent exemptions. You can access the IRS calculator here: https://www.irs.gov/individuals/tax-withholding-estimator

Life changes

There are some situations when you should check your withholding. In addition to tax law changes, the IRS recommends that you perform a checkup if you:

  • Adjusted your withholding last year, especially in the middle or later part of the year,
  • Owed additional tax when you filed your 2021 return,
  • Received a refund that was smaller or larger than expected,
  • Got married or divorced,
  • Had a child or adopted one,
  • Purchased a home, or
  • Had changes in income.

You can modify your withholding at any time during the year, or even multiple times within a year. To do so, you simply submit a new Form W-4 to your employer. Changes typically go into effect several weeks after a new Form W-4 is submitted. (For estimated tax payments, you can make adjustments each time quarterly estimated payments are due. The next payments for 2022 are due on September 15, 2022, and January 16, 2023.)

Plan ahead now

There’s still time to remedy any shortfalls to minimize taxes due for 2022, as well as any penalties and interest. Contact us if you have any questions or need assistance. We can help you determine if you need to adjust your withholding.

© 2022

Three tax breaks for small businesses

Sometimes, bigger isn’t better: Your small- or medium-sized business may be eligible for some tax breaks that aren’t available to larger businesses. Here are some examples.

  1. QBI deduction

For 2018 through 2025, the qualified business income (QBI) deduction is available to eligible individuals, trusts and estates. But it’s not available to C corporations or their shareholders.

The QBI deduction can be up to 20% of:

  • QBI earned from a sole proprietorship or single-member limited liability company (LLC) that’s treated as a sole proprietorship for federal income tax purposes, plus
  • QBI passed through from a pass-through business entity, meaning a partnership, LLC classified as a partnership for federal income tax purposes or S corporation.

Pass-through business entities report tax items to their owners, who then take them into account on their owner-level returns. The QBI deduction rules are complicated, and the deduction can be phased out at higher income levels.

  1. Eligibility for cash-method accounting

Businesses that are eligible to use the cash method of accounting for tax purposes have the ability to fine-tune annual taxable income. This is accomplished by timing the year in which you recognize taxable income and claim deductions.

Under the cash method, you generally don’t have to recognize taxable income until you’re paid in cash. And you can generally write off deductible expenses when you pay them in cash or with a credit card.

Only “small” businesses are potentially eligible for the cash method. For this purpose under current law, a small business includes one that has no more than $25 million of average annual gross receipts, based on the preceding three tax years. This limit is adjusted annually for inflation. For tax years beginning in 2022, the limit is $27 million.

  1. Section 179 deduction 

The Sec. 179 first-year depreciation deduction potentially allows you to write off some (or all) of your qualified asset additions in the first year they’re placed in service. It’s available for both new and used property.

For qualified property placed in service in tax years 2018 and beyond, the deduction rules are much more favorable than under prior law. Enhancements include:

Higher deduction. The Sec. 179 deduction has been permanently increased to $1 million with annual inflation adjustments. For qualified assets placed in service in 2022, the maximum is $1.08 million.

Liberalized phase-out. The threshold above which the maximum Sec. 179 deduction begins to be phased out is $2.5 million with annual inflation adjustments. For qualified assets placed in service in 2022, the phase-out begins at $2.7 million.

The phase-out rule kicks in only if your additions of assets that are eligible for the deduction for the year exceed the threshold for that year. If they exceed the threshold, your maximum deduction is reduced dollar-for-dollar by the excess. Sec. 179 deductions are also subject to other limitations.

Bonus depreciation

While Sec. 179 deductions may be limited, those limitations don’t apply to first-year bonus depreciation deductions. For qualified assets placed in service in 2022, 100% first-year bonus depreciation is available. After this year, the first-year bonus depreciation percentages are scheduled to start going down to 80% for qualified assets placed in service in 2023. They will continue to be reduced until they reach 0% for 2028 and later years.

Contact us to determine if you’re taking advantage of all available tax breaks, including those that are available to small and large businesses alike.

© 2022