News & Tech Tips

Strong internal controls and audits can help safeguard against data breach

The average cost of a data breach has reached $4.88 million, up 10% from last year, according to a recent report. As businesses increasingly rely on technology, cyberattacks are becoming more sophisticated and aggressive, and risks are increasing. What can your organization do to protect its profits and assets from cyberthreats?

Recent report

In August 2024, IBM published “Cost of a Data Breach Report 2024.” The research, conducted independently by Ponemon Institute, covers 604 organizations that experienced data breaches between March 2023 and February 2024. It found that, of the 16 countries studied, the United States had the highest average data breach cost ($9.36 million).

The report breaks down the global average cost per breach ($4.88 million) into the following four components:

  1. $1.47 million for lost business (for example, revenue loss due to system downtime and costs related to lost customers, reputation damage and diminished goodwill),
  2. $1.63 million for detection and escalation (such as forensic and investigative activities, assessment and audit services, crisis management, and communications to executives and boards),
  3. $1.35 million for post-breach response (including product discounts, regulatory fines, legal fees, and costs related to setting up call centers and credit monitoring / identity protection services for breach victims), and
  4. $430,000 for notifying regulators, as well as individuals and organizations affected by the breach.

A silver lining from the report is that the average time to identify and contain a breach has fallen to 258 days from 277 days in the 2023 report, reaching a seven-year low. One key reason for faster detection and recovery is that organizations are giving more attention to cybersecurity measures.

Implementing cybersecurity protocols

Cybersecurity is a process in which internal controls are designed and implemented to:

  • Identify potential threats,
  • Protect systems and information from security events, and
  • Detect and respond to potential breaches.

The increasing number of employees working from home exposes their employers to greater cybersecurity risk. Many companies now have sensitive data stored in more places than ever before — including laptops, firm networks, cloud-based storage, email, portals, mobile devices and flash drives — providing many potential areas for unauthorized access.

Targeted data

When establishing new cybersecurity protocols and reviewing existing ones, it’s important to identify potential vulnerabilities. This starts by inventorying the types of employee and customer data that hackers might want to steal. This sensitive material may include:

  • Personally identifiable information, such as phone numbers, physical and email addresses, and Social Security numbers,
  • Protected health information, such as test results and medical histories, and
  • Payment card data.

Companies need to have effective controls over this data to comply with their obligations under federal and state laws and industry standards.

Hackers may also try to access a company’s network to steal valuable intellectual property, such as customer lists, proprietary software, formulas, strategic business plans, and financial data. These intangible assets may be sold or used by competitors to gain market share or competitive advantage.

Auditing cyber risks

No organization, large or small, is immune to cyberattacks. As the frequency and severity of data breaches continue to increase, cybersecurity has become a critical part of the audit risk assessment.

Audit firms provide varying levels of guidance, both when assessing risk at the start of the engagement and when uncovering a breach that happened during the period under audit or during audit fieldwork.

We can help

Contact us to discuss your organization’s vulnerabilities and the effectiveness of its existing controls over sensitive data. Additionally, if your company’s data is hacked, we can help you understand what happened, estimate and disclose the costs, and fortify your defenses going forward.

Are you liable for two additional taxes on your income?

Having a high income may mean you owe two extra taxes: the 3.8% net investment income tax (NIIT) and a 0.9% additional Medicare tax on wage and self-employment income. Let’s take a look at these additional taxes and what they could mean for you.

1. The NIIT

In addition to income tax, this tax applies to your net investment income. The NIIT only affects taxpayers with adjusted gross incomes (AGIs) exceeding $250,000 for joint filers, $200,000 for single taxpayers and heads of household, and $125,000 for married individuals filing separately.

If your AGI is above the threshold that applies ($250,000, $200,000, or $125,000), the NIIT applies to the lesser of 1) your net investment income for the tax year or 2) the excess of your AGI for the tax year over your threshold amount.

The “net investment income” that’s subject to the NIIT consists of interest, dividends, annuities, royalties, rents, and net gains from property sales. Wage income and income from an active trade or business aren’t included. However, passive business income is subject to the NIIT.

Income that’s exempt from income tax, such as tax-exempt bond interest, is likewise exempt from the NIIT. Thus, switching some taxable investments to tax-exempt bonds can reduce your exposure. Of course, this should be done after taking your income needs and investment considerations into account.

Does the NIIT apply to home sales? Yes, if the gain is high enough. Here’s how the rules work: If you sell your principal residence, you may be able to exclude up to $250,000 of gain ($500,000 for joint filers) when figuring your income tax. This excluded gain isn’t subject to the NIIT.

However, gain that exceeds the exclusion limit is subject to the tax. Gain from the sale of a vacation home or other second residence, which doesn’t qualify for the exclusion, is also subject to the NIIT.

Distributions from qualified retirement plans, such as pension plans and IRAs, aren’t subject to the NIIT. However, those distributions may push your AGI over the threshold, which would cause other types of income to be subject to the tax.

2. The additional Medicare tax

In addition to the 1.45% Medicare tax that all wage earners pay, some high-wage earners pay an extra 0.9% Medicare tax on part of their wage income. The 0.9% tax applies to wages in excess of $250,000 for joint filers, $125,000 for married individuals filing separately, and $200,000 for all others. It applies only to employees, not to employers.

Once an employee’s wages reach $200,000 for the year, the employer must begin withholding the additional 0.9% tax. However, this withholding may prove insufficient if the employee has additional wage income from another job or if the employee’s spouse also has wage income. To avoid that result, an employee may request extra income tax withholding by filing a new Form W-4 with the employer.

An extra 0.9% Medicare tax also applies to self-employment income for the tax year in excess of the same amounts for high-wage earners. This is in addition to the regular 2.9% Medicare tax on all self-employment income. The $250,000, $125,000, and $200,000 thresholds are reduced by the taxpayer’s wage income.

Mitigate the effect

As you can see, these two additional taxes may have a substantial effect on your tax bill. Contact us to discuss how the impact could be reduced.

Review real-time data with flash reports

It usually takes between two and six weeks for management to prepare financial statements that comply with the accounting rules. The process takes longer if an outside accountant reviews or audits your reports. Timely information is critical to making informed business decisions and pivoting as needed if results fall short of expectations. That’s why proactive managers often turn to flash reports for more timely insights.

The benefits

Flash reports typically provide a snapshot of key financial figures, such as cash balances, receivables aging, collections, and payroll. Some metrics might be tracked daily, such as sales, shipments and deposits. This is especially critical during seasonal peaks, when undergoing major changes, or when your business is struggling to make ends meet.

Effective flash reports are simple and comparative. Those that take longer than an hour to prepare or use more than one sheet of paper are too complex to maintain. Comparative flash reports may help identify patterns from week to week — or deviations from the budget that may need corrective action.

The limitations

Flash reports also can identify problems and weaknesses. But they have limitations that management should recognize to avoid misuse.

Most importantly, flash reports provide a rough measure of performance and are seldom 100% accurate. It’s also common for items such as cash balances and collections to ebb and flow throughout the month, depending on billing cycles.

Companies generally only use flash reports internally. They’re rarely shared with creditors and franchisors, unless required in bankruptcy or by a franchise agreement. A lender also may ask for flash reports if a business fails to meet liquidity, profitability and leverage covenants.

If shared flash reports deviate from what’s subsequently reported on financial statements that comply with U.S. Generally Accepted Accounting Principles (GAAP), it may raise a red flag with stakeholders. For instance, they may wonder if you exaggerated results on flash reports or your accounting team is simply untrained in financial reporting matters. If you need to share flash reports, consider adding a disclaimer that the results are preliminary, may contain errors or omissions, and haven’t been prepared in accordance with GAAP.

What’s right for your organization?

There’s no one-size-fits-all format for flash reports. For example, billable hours are more relevant to law firms, and machine utilization rates are more relevant to manufacturers. Contact us for help customizing your flash reports to incorporate the key metrics that are most relevant for your industry. We can also answer questions about any reporting concerns you may be facing today.

Take charge of working capital management

Proactive working capital management is essential to successful business operations. However, on average, businesses aren’t managing their working capital as efficiently as they have in the past, according to a new study by The Hackett Group, a digital transformation and AI strategy consulting firm.

The study found that all elements of the cash conversion cycle (CCC) deteriorated by an average of 1.3 days (or 4%) from 2022 to 2023. The sectors reporting the biggest CCC deterioration include marine shipping, biotechnology, oil and gas, and food and staples retail. Here’s why working capital management is so important, and how your business can avoid the trend revealed in the study.

Why working capital matters

Working capital equals the difference between current assets and current liabilities. Organizations need a certain amount of working capital to run their operations smoothly. However, excessive amounts can hinder growth and performance. The optimal amount of working capital depends on the nature of your company’s operations and its industry.

Working capital management is often evaluated by measuring the CCC, which is a function of three turnover ratios:

  1. Days in accounts receivable outstanding,
  2. Days in inventory outstanding, and
  3. Days in accounts payable outstanding.

A positive CCC indicates the number of days a company must borrow or tie up capital while awaiting payments from customers. A negative CCC represents the number of days a company has received cash from customers before it must pay its suppliers. Cash businesses might have a low or negative CCC, while most conventional businesses have a positive CCC.

Ways to shorten your CCC

Here are three ways to reduce the amount your business has tied up in working capital:

1. Collect receivables faster. Possible solutions for converting accounts receivable into cash faster include: tightening credit policies, offering early bird discounts, issuing collection-based sales compensation and using in-house collection personnel. Companies also can evaluate administrative processes — including invoice preparation, dispute resolution and deposits — to eliminate inefficiencies in the collection cycle.

2. Reduce inventory levels. The inventory account carries many hidden costs, including storage, obsolescence, insurance and security. Consider using computerized inventory systems to help predict demand, enable data sharing up and down the supply chain, and more quickly reveal variability from theft.

It’s important to note that, in an inflationary economy, rising product and raw material prices may bloat inventory balances. Plus, higher labor and energy costs can affect the value of work-in-progress and finished goods inventories for companies that build or manufacture goods for sale. So rising inventory might not necessarily equate to having more units on hand.

3. Postpone payables. By deferring vendor payments when possible, your company can increase cash on hand. But be careful: Delaying payments for too long can compromise a company’s credit standing or result in forgone early bird discounts. Many organizations have already pushed their suppliers to extend their payment terms, so there may be limits on using this strategy further.

Make working capital a priority

Some businesses are so focused on the income statement, including revenue and profits, that they lose sight of the strategic significance of the balance sheet — especially working capital accounts. We can benchmark your company’s CCC over time and against competitors. If necessary, we also can help implement strategies to improve your performance without exposing you to unnecessary risk.

Do you owe estimated taxes? If so, when is the next one due?

Federal estimated tax payments are designed to ensure that certain individuals pay their fair share of taxes throughout the year. If you don’t have enough federal tax withheld from your paychecks and other payments, you may have to make estimated tax payments. This is the case if you receive interest, dividends, self-employment income, capital gains, a pension, or other income that’s not covered by withholding.

Individuals must pay 25% of a “required annual payment” by April 15, June 15, September 15, and January 15 of the following year, to avoid an underpayment penalty. If one of those dates falls on a weekend or holiday, the payment is due on the next business day.

So the third installment for 2024 is due on Monday, September 16 because the 15th falls on a Sunday. Payments are made using Form 1040-ES.

The amount due

The required annual payment for most individuals is the lower of 90% of the tax shown on the current year’s return or 100% of the tax shown on the return for the previous year. However, if the adjusted gross income on your previous year’s return was more than $150,000 ($75,000 if you’re married filing separately), you must pay the lower of 90% of the tax shown on the current year’s return or 110% of the tax shown on the return for the previous year.

Most people who receive the bulk of their income in the form of wages satisfy these payment requirements through the tax withheld by their employers from their paychecks. Those who make estimated tax payments generally do so in four installments. After determining the required annual payment, divide that number by four and make four equal payments by the due dates.

However, you may be able to use the annualized income method to make smaller payments. This method is useful to people whose income flow isn’t uniform over the year, perhaps because of a seasonal business. For example, if your income comes exclusively from a business operated in a resort area during June, July, and August, no estimated payment is required before September 15.

The underpayment penalty

If you don’t make the required payments, you may be subject to an underpayment penalty. The penalty equals the interest rate charged by the IRS on deficiencies, times the amount of the underpayment, for the period of the underpayment.

However, the underpayment penalty doesn’t apply to you if:

  • The total tax shown on your return is less than $1,000 after subtracting withholding tax paid;
  • You had no tax liability for the preceding year, you were a U.S. citizen or resident for that entire year, and that year was 12 months;
  • For the fourth (January 15) installment, you file your return by that January 31 and pay your tax in full; or
  • You’re a farmer or fisherman and pay your entire estimated tax by January 15, or pay your entire estimated tax and file your tax return by March 1.

In addition, the IRS may waive the penalty if the failure was due to casualty, disaster or other unusual circumstances and it would be inequitable to impose the penalty.

The penalty can also be waived for reasonable cause during the first two years after you retire (and reach age 62) or become disabled.

We can help

Contact us if you need help figuring out your federal estimated tax payments or you have other questions about how the rules apply to you.