1
Winter 2021 | The Cooperative Accountant
82 ––––––––––– EXECUTIVE COMMITTEE AND NATIONAL DIRECTORS –––––––––––––
PRESIDENT: *William Miller, CPA Electric Co-op Chapter Bolinger, Segars, Gilbert & Moss, LLP 8215 Nashville Avenue Lubbock, TX 79423
CONTENTS FEATURES 3 From the Editor
By Frank M. Messina, DBA, CPA
4 Utility Cooperative Forum: Upskilling for Accountants By Peggy Maranan, CPA, MBA, Ph.D.
8 ACCTFAX Bulletin Board
By Phil Miller, CPA; Greg Taylor, MBA, CPA, CVA; Bill Erlenbush, CPA
12 TAXFAX
By George W. Benson
21 Small Business Forum: Violations Enforced by Governmental Agencies
By Barbara A. Wech, Ph.D.; Jennifer D. Harrick, PhD, CPA, CGMA; Caleb Houston, PhD
27 Best Practices: How to Survive a Ransomware Attack
(806) 747-3806 bmiller@bsgm.com
VICE PRESIDENT: *Nick Mueting (620) 227-3522 Mid-West Chapter nickm@.lvpf-cpa.com Lindburg, Vogel, Pierce, Faris, Chartered P.O. Box 1512 Dodge City, KS 67801
EXECUTIVE COMMITTEE SECRETARY-TREASURER: *Dave Antoni Capitol Chapter KPMG, LLP 1601 Market St. Philadelphia, PA 19103
President David Antoni, CPA KPMG, LLP
(267) 256-1627 dantoni@kpmg.com
IMMEDIATE PAST PRESIDENT: *Jeff Brandenburg, CPA, CFE (608) 662-8600 Great Lakes Chapter jeff.brandenburg@cliftonlarson ClifftonLarsonAllen LLP 8215 Greenway Boulevard, Suite 600 Middleton, WI 53562
Vice President Eric Krienert, CPA Moss Adams LLP
*Indicates Executive Committee Member
Treasurer NATIONAL OFFICE Erik Gillam, CPA Kim Fantaci, Executive Director Aldrich CPAs +Advisors Jeff Roberts, Association Executive Tina Schneider, Chief Administrative Officer
136 S. Keowee Street Dayton, Ohio 45402 info@nsacoop.org
Krista Saul, Client Accounting Manager Bill Erlenbush, Director of Education
Secretary THE COOPERATIVE ACCOUNTANT Kent Erhardt CoBank, ACB
Phil Miller, Assistant Director of Education
Winter 2018
Immediate Past President Nick Mueting, CPA Lindburg, Vogel, Pierce, Faris, Chartered
At Large April Graves, CPA United Agricultural Cooperative Inc.
For a complete listing of NSAC’s National Board of Directors and Committees, visit
www.nsacoop.org 2
Winter 2021 | The Cooperative Accountant
From the
Editor
Frank M. Messina, DBA, CPA Alumni & Friends Endowed Professor of Accounting UAB Department of Accounting & Finance Collat School of Business CSB 319, 710 13th Street South Birmingham, AL 35294-1460 • (205) 934-8827 fmessina@uab.edu
The Cooperative Accountant has been our top publication in NSAC for as long as many of us “old-timers” have been members (actually even longer than that). Publishing a quarterly publication is not easy as it takes a host of people willing to give a lot of time to our membership. Phil Miller, our ACCTFAX forum editor has been writing ACCTFAX for some 35+ years. Great things always come to an end and this ACCTFAX issue is Phil’s last. Phil has been my mentor in NSAC and I have nothing but fond, fond memories of his friendship and leadership. As Phil has noted, “I have enjoyed every aspect of my association with NSAC, especially the people.” Phil as you ride off into the sunset, please note that we are all beyond ever grateful for all your knowledge you have shared with us over these 35 years writing ACCTFAX. We are simply a better NSAC with all your leadership roles in our organization over the years. You have always been there for us when we needed you! You are all the qualities of a great friend and wonderful professional. We sincerely thank you beyond belief!! Remember, we too are always looking for you to share your knowledge since you may have some extra time on your hands (like others continue to do) with us through articles in The Cooperative Accountant. Feel free to contact me (fmessina@uab.edu) if you have any ideas or thoughts on a potential article contribution. Sharing knowledge is a wonderful thing for all!!! Knowledge can change our world! That is why we must remember – “The Past is history; the Future is a mystery, but this Moment is a Gift – that’s why it’s called the Present.” Positively Yours, Frank M. Messina, DBA, CPA Articles and other information which appear in The Cooperative Accountant do not necessarily reflect the official position of the NATIONAL SOCIETY OF ACCOUNTANTS FOR COOPERATIVES and the publication does not constitute an endorsement of views or information which may be expressed. The Cooperative Accountant (ISSN 0010-83910) is published quarterly by the National Society of Accountants for Cooperatives at Centerville, Ohio 45459 digitally. The Cooperative Accountant is published as a direct benefit/service to the members of the Society and is only available to those that are eligible for membership. Subscriptions are available to university libraries, government agencies and other libraries. Land Grant colleges may receive a digital copy. Send requests and contact changes to: The National Society of Accountants for Cooperatives, 7946 Clyo Road, Suite A, Centerville, Ohio 45459.
3
Winter 2021 | The Cooperative Accountant
Editor & Guest Writer Peggy Maranan, Ph.D. DEMCO Director, Finance 16262 Wax Road Greenwell Springs, LA 70739 Phone 225.262.3026 Cell: 239.887.0131 peggym@DEMCO.ORG
What is “upskilling”? Merriam-Webster (n.d.) defines “upskill” as a verb:
suddenly become so important?” His short answer is “digital transformation.” He further describes this as follows: 1. transitive: to provide (someone, such as The digital economy, enabled by an employee) with more advanced skills astonishing advances in technology, is through additional education and training reimagining the provider-customer dynamic and transforming how goods and services 2. intransitive: to acquire more advanced skills are bought and sold. Customer-centric, through additional education and training tech-enabled, well-capitalized, new model providers are disrupting incumbents Van Echtelt (2021) discusses the difference across industries. They share several core between “upskilling” vs. “reskilling”. characteristics: a relentless commitment to improve customer access, experience, and Upskilling is the process of taking your loyalty; the efficient use of data; achieving skills and knowledge in a certain area to a “more with less” for the benefit of customers, new level, while the term reskilling involves employees, and shareholders; and constant learning new skills so you can do a different improvement. Their models are built from the job. Upskilling primarily focuses on helping customer perspective, not to fit the provider employees become more skilled and economic model. (para. 3) relevant at their current position within the organization (para. 3). Accounting professionals are recommended to keep up their skills with Upskilling involves implementing training latest technology and evolving workplace that improves an employee’s skillsets, with the intent of developing them for progression needs. With these skills, accountants will not only progress in their professional in their current role or for that employee to bring added value to the organization. goals, but will be better able to service Cohen (2019) asks “Why has upskilling their clients and organizations at which 4
Winter 2021 | The Cooperative Accountant
UTILITY COOPERATIVE FORUM they work. Upskilling is about choice and opportunity—what role(s) does one seek to play in the accounting profession and which competencies are required? While many accountants today are focused on honing skills that serve e-commerce and supply chain technologies, they will also need to learn to leverage advanced technologies, such as blockchain and artificial intelligence (AI), in an increasingly sophisticated technological environment. Additionally, the recent global pandemic has transitioned many accountants from working in a workplace office environment to a home office environment. Some accountants have returned to work full-time, some remain working at home as a potentially permanent change, and others have adopted a mix of both. So, improving digital communication skills will continue to be an important upskill. Video conferencing tools will continue to be important tools used to help collaborate with coworkers and clients, regardless of their physical location. So, learning or increasing skills with conferencing applications like Zoom, Teams, or Webex all offer an upskill opportunity. Koch (2021) recommends approaching upskilling with a strategic plan. As part of that plan, he advises accountants should focus on developing skills in the six key competencies identified in the IMA Management Accounting Competency Framework. These are noted as reporting and control, technology and analytics, leadership, strategy/planning/ and performance, business acumen and operations, and ethics. Knowing the rules and regulations of the industry in which an accountant operates is important, these become core competencies to enter the profession or maintain a position. But, for an accountant to be increasingly effective, the accountant should build upon these and develop the skills of collaboration and integration of that knowledge with other operational, marketing, and customer service areas of the organization. Koch offers: 5
According to Grant Thornton’s 2020 CFO survey report, CFOs consider data analytics the most important skill set that needs to be developed within the finance function, closely followed by business strategy and application development. According to a recent American Accounting Association panel discussion of accounting educators and accounting firm representatives, the most important technical skills for new accounting hires include advanced Excel; data visualization; extract, transform, and load (ETL); modern programming languages; relational database fundamentals; and automation tools (a “nice to have”). (para. 7) Koch also notes that “Robotic process automation (RPA) is a tool that’s already being used to speed monthly closures and automate common repetitive accounting processes” (para. 6). Along with data analytics, AI, and machine learning, these are all setting the stage for the requirement of more complex decision-making processes. Potential decision solutions will need to be assessed by accountants who can properly assess alternatives to attain successful organizational outcomes. Looking towards these trends, accountants can upskill by expanding Excel spreadsheet skills by adding more advanced data visualization tools, such as Tableau or Microsoft’s Power BI. If in-house RPA tools are not available, there are other applications available in the marketplace that could be evaluated for potential deployment. General knowledge of relational databases, data table joins, and skills that assist in manipulating data for decision-making purposes are all useful upskill recommendations. Distilling large amounts of data into meaningful stories presenting recommendations or analysis to decision makers will be a skill set becoming more and more in demand. Beaver (2021) suggests that upskilling should include adding skill enhancements in using cloudbased applications, data analytics, financial modeling and forecasting. Winter 2021 | The Cooperative Accountant
UTILITY COOPERATIVE FORUM Bell (2021) offers some predictions for future accountants: • Clients will increasingly expect accounting and tax professionals to become ‘holistic advisers’ rather than simply being transactional accountants. • The future accountant is tech-savvy, mobile-friendly and comfortable using mobile platforms to service clients. • Technology will generate a new revenue stream in audit protection services for accounting professionals. • Cloud solutions will become standard. • Practice management will increase in importance, driving market consolidation. • Firms will adapt as the future of work changes. Eira (n.d.) monitors accounting industry trends, and offers the following predictions: • Current accounting trends tell us one thing: digitization is as ubiquitous in the accounting sector as it is anywhere else, but human roles remain just as relevant. Another development that will define accounting practice in the future is the growing acceptance of remote work in the field. It’s already big in other industries and accounting will see more of it in the future. • There are benefits to mine from the advanced solutions brought by the recent developments in the accounting sector. Among these are saving time, making tasks more efficient, and having more accurate analytics. Other than these, however, reducing costs is one of the significant benefits that companies and accounting firms experience as they embrace the latest technologies to optimize processes. Reducing costs is especially important as the world navigates the economic havoc brought about by the COVID-19 pandemic. (Monitoring Accounting Industry Trends section, para. 1-2) Some of the key increasing accounting trends, as noted by Eira, include the following: • Automated accounting processes 6
• Rise of accounting software solutions • Outsourcing accounting functions • Cloud-based accounting • Focus on data analytics • Blockchain • Utilizing social media • Advisory services • Role of AI • Big data in accounting • Remote work setting (Accounting Trends Table of Contents section) Holmes (2021) offers these tips to accountants in how to improve their technology skills: • Make use of updated training programs. • Get hands-on with technology. • Pursue an online master’s degree in accounting. • Volunteer on technology-based projects. (para. 5) In addition to the technical upskilling, accountants need to be open to upskilling soft skills. These include the ability to work independently or in teams, physical and/or virtual teams, attention to detail, adapting to change, remaining creative, and maintaining a learning-for-life mindset. Collaboration skills in demand will require skills with both technology and with people. Cultural diversity and awareness, people skills (EQ), and ability to adapt to fast-paced or fluid dynamics will be the skills that will enhance an accountant’s ability to be successful. Additionally, skills like problem-solving and critical thinking are becoming increasingly more essential. The ability for an employee to think quickly and adjust to situations occurring real-time are also skills that employers will be seeking. Hand-in-hand is an employer’s desire for good communication skills, the ability of an employee to be empathetic, and a good listener. Summary Automation is intended to reduce the need for workers to perform routine tasks, Winter 2021 | The Cooperative Accountant
UTILITY COOPERATIVE FORUM and the demand for more skilled or highly skilled workers is increasing. Accountants will need to develop and maintain technical and professional skills to stay abreast of employers’ needs and demonstrate their continued value in the workplace. Moyer
(2020) cites a 2019 Sage survey noting that accountants reported that “technological literacy (57%), relationship building (46%), and business advisory (44%) were the top three skills necessary in the coming years” (para. 14).
References Beaver, S. (March 9, 2021). 5 Biggest Accounting Challenges and Solutions in 2021. Retrieved November 18, 2021 from the following website: https://www.netsuite.com/portal/resource/ articles/accounting/accounting-challenges.shtml Bell, D. (February 3, 2021). Predictions For The Accounting Industry For 2021 And Beyond. Retrieved November 18, 2021 from the following website: https://www.forbes.com/sites/ forbestechcouncil/2021/02/03/predictions-for-the-accounting-industry-for-2021-andbeyond/?sh=708d85ac301d Cohen, M. (September 3, 2019). Upskilling: Why It Might Be The Most Important Word In The Legal Lexicon. Retrieved November 18, 2021 from the following website: https://www.forbes. com/sites/markcohen1/2019/09/03/upskilling-why-it-might-be-the-most-important-word-in-thelegal-lexicon/?sh=59bf76c936a9 Eira, A. (n.d.). 11 Accounting Trends for 2021/2022: New Forecasts & What Lies Beyond? Retrieved November 18, 2021 from the following website: https://financesonline.com/ accounting-trends/ Holmes, A. (February 18, 2021). Four Tips on How CPAs Can Digitally Upskill. Retrieved November 18, 2021 from the following website: https://www.njcpa.org/stayinformed/news/blog/ post/njcpa-focus/2021/02/18/four-tips-on-how-cpas-can-digitally-upskill Koch, R. (June 1, 2021). Your 5-year upskilling plan. Retrieved November 18, 2021 from the following website: https://sfmagazine.com/post-entry/june-2021-your-5-year-upskilling-plan/ Merriam-Webster (n.d.). Upskill definition. Retrieved November 18, 2021 from the following website: https://www.merriam-webster.com/dictionary/upskill#:~:text=1%20transitive%20 %3A%20to%20provide%20(someone,Santhosh%20Ramdoss Moyer, S. (January 2, 2020). 2020 Predictions: New skills needed for industry survival. Retrieved November 18, 2021 from the following website: https://www.accountancyage. com/2020/01/02/2020-predictions-new-skills-needed-for-industry-survival/ Van Echtelt, R. (April 15, 2021). Why upskilling is key for the future of work. Retrieved November 18, 2021 from the following website: https://www.ag5.com/upskilling-future-of-work/ Other article of interest: Munro, N. (December 21, 2020). The three most challenging issues facing accountants in 2021. Retrieved November 18, 2021 from the following website: https://blog.fathomhq.com/the-threemost-challenging-issues-facing-accountants-in-2021 7
Winter 2021 | The Cooperative Accountant
GENERAL EDITOR UTILITY COOPERATIVE FORUM
Philip W. Miller, CPA NSAC Assistant Education Director 18 Tow Path Lane South Richmond, VA 23221 (804) 339-9577 pwm01@comcast.net
ASSISTANT EDITORS Greg Taylor, CPA, CVA, MBA Shareholder Williams & Company (806) 785-5982 gregt@dwilliams.net
By Phil Miller, NSAC Assistant Education Director
FASB PROPOSES IMPROVEMENTS TO FAIR VALUE GUIDANCE FOR EQUITY SECURITIES On September 15, 2021, the Financial Accounting Standards Board (FASB) issued a proposed Accounting Standards Update (ASU) that would improve financial reporting for investors and other financial statement users by increasing comparability of financial information across reporting entities that have investments in equity securities measured at fair value that are subject to contractual restrictions preventing the sale of those securities. Stakeholders were encouraged to review and provide comment on the proposed ASU by November 14, 2021. Topic 820, Fair Value Measurement, states that when measuring the fair value of an asset or a liability, a reporting entity should consider the characteristics of the asset or liability, including restrictions on the sale of the asset or liability, if a market participant also would take those characteristics into account. Key to that determination is the unit of account for the asset or liability being measured at fair value. Some stakeholders noted that Topic 820 contains conflicting guidance on what the unit of account is when measuring the fair value of an equity security. This has resulted in diversity in practice on whether the effects of a contractual restriction that prohibits the sale of an equity security should be considered in 8
Bill Erlenbush, CPA NSAC Education Director (309) 530-7500 nsacdired@gmail.com
measuring that equity security’s fair value. To address this, the amendments in the proposed ASU would clarify that a contractual restriction on the sale of an equity security is not considered part of the unit of account of the equity security and, therefore, is not considered in measuring fair value. The proposed ASU is available at www.fasb. org. NEW FASB STANDARD IMPROVES CONSISTENCY IN ACCOUNTING FOR ACQUIRED REVENUE CONTRACTS WITH CUSTOMERS IN A BUSINESS COMBINATION On October 28, 2021, the Financial Accounting Standards Board (FASB) issued an Accounting Standards Update (ASU) that addresses diversity in practice related to the accounting for revenue contracts with customers acquired in a business combination. “The new ASU provides specific guidance on how to recognize and measure contract assets and contract liabilities related to revenue contracts with customers acquired in a business combination,” stated FASB Chair Richard R. Jones. “This will align the accounting for these acquired contracts to the accounting for revenue contracts originated by the acquirer and will provide more comparable information to investors and other financial statement users seeking to better understand the financial impact of these acquisitions.” Winter 2021 | The Cooperative Accountant
ACCTFAX Under current GAAP, an acquirer generally recognizes assets acquired and liabilities assumed in a business combination, including contract assets and contract liabilities arising from revenue contracts with customers and other similar contracts that are accounted for in accordance with Topic 606, Revenue from Contracts with Customers, at fair value on the acquisition date. Some stakeholders indicated that it is unclear how an acquirer should evaluate whether to recognize a contract liability from a revenue contract with a customer acquired in a business combination after Topic 606 is adopted. Furthermore, it was identified that under current practice, the timing of payment (payment terms) of a revenue contract may subsequently affect the post-acquisition revenue recognized by the acquirer. To address this, the ASU requires entities to apply Topic 606 to recognize and measure contract assets and contract liabilities in a business combination. Finally, the amendments in the ASU improve comparability after the business combination by providing consistent recognition and measurement guidance for revenue contracts with customers acquired in a business combination and revenue contracts with customers not acquired in a business combination. The ASU, including effective date information, is available at www.fasb.org. RECENT ACTIVITIES OF THE PRIVATE COMPANY COUNCIL The Private Company Council (PCC) met on Tuesday, September 28, 2021. Below is a brief summary of topics addressed by the PCC at the meeting: Summary of September 27, 2021 Meeting with the AICPA Private Companies Practice Section, Technical Issues Committee (TIC): PCC members reported on the issues discussed with TIC during their annual PCCTIC Liaison meeting. PCC members shared observations on various topics including disaggregation of financial information, debt modifications, balance sheet classification, 9
digital assets, environmental, social, and governance matters, leases, contingent consideration, disclosures, statement of cash flows, and consolidation accounting. PCC members highlighted that TIC members found the FASB Staff Educational Paper, “Topic 470 (Debt): Borrower’s Accounting for Debt Modifications,” to be useful; however, PCC members also noted that there appears to be an unfortunate lack of awareness of the paper by many private companies and their auditors. Additionally, PCC members expressed interest in TIC’s more general preference for principlesbased accounting standards when addressing private company needs and thanked TIC for the insightful dialogue. Leases–Implementation Issues: FASB staff updated the PCC on the post-implementation review activities related to Topic 842, Leases. PCC members discussed the challenges of implementation, including implementing new software, complying with the detailed disclosure requirements, and auditor resource shortages. PCC members also discussed and expressed mixed views on an additional deferral of the guidance. Fair Value Measurement of Equity Securities Subject to Contractual Sale Restrictions: FASB staff updated the PCC and solicited feedback on the proposed Accounting Standards Update, Fair Value Measurement (Topic 820): Fair Value Measurement of Equity Securities Subject to Contractual Sale Restrictions, which was issued on September 15, 2021 and has a comment period ending on November 14, 2021. PCC members who offered feedback generally agreed that the proposed amendments would result in cost savings but expressed mixed views on the decision-usefulness of the information that may result from the proposed amendments. Profits Interests and Their Interrelationship with Partnership Accounting: FASB staff updated the PCC on the outreach conducted by the staff and Working Group during June and July 2021 and noted that outreach conducted with stakeholders after July Winter 2021 | The Cooperative Accountant
ACCTFAX 2021 would be summarized at a future PCC meeting. FASB staff summarized four profits interests accounting issues for which feedback has been received, including (1) determining the scope of guidance, (2) determining whether implied performance conditions are present, (3) classification as liabilities or equity, and (4) measurement. The PCC Chair and FASB staff thanked the outreach participants for their preparation and valuable feedback. PCC members noted that these accounting issues are complex and might not have simple solutions. PCC Issue No. 2018-01, “Practical Expedient to Measure Grant-Date Fair Value of EquityClassified Share-Based Awards”: FASB staff updated the PCC on the status of the PCC’s project for an optional private company practical expedient for determining the current price input of equity classified share-based awards. FASB staff noted that the Board endorsed the PCC’s consensus at the August 4, 2021 Board meeting and that the final Accounting Standards Update is expected to be released in October 2021. FASB Agenda Consultation: FASB staff updated the PCC on the FASB research project and how PCC member feedback from the April PCC meeting was represented in the Invitation to Comment, which had a comment due date of September 22, 2021. FASB staff plans to provide a feedback summary to the Board by the end of 2021 and will return to the PCC to discuss private-company specific feedback at a future meeting. PCC members discussed the interaction between the disaggregation of financial information for private companies and the Private Company Decision Making Framework. Credit Losses: FASB staff updated the PCC on the post-implementation review activities related to Topic 326, Financial Instruments— Credit Losses, including outreach, a public roundtable, educational workshops, and monitoring activities. The staff also provided an update on three technical agenda projects: Financial Instruments—Credit Losses (Topic 10
326)—Acquired Financial Assets; Financial Instruments—Credit Losses (Topic 326)— Targeted Improvements to the Accounting for Troubled Debt Restructuring for Creditors; and Codification Improvements—Financial Instruments—Credit Losses (Vintage Disclosure: Gross Writeoffs and Gross Recoveries). A PCC member expressed that Topic 326 is working as intended and has proven to be effective overall. Current Issues in Financial Reporting: The PCC Chair noted that while no new practice issues were identified resulting from the current business environment under the COVID-19 pandemic, some stakeholders continue to have challenges in accounting for government assistance and determining the appropriate disclosures to provide. The next PCC meeting is scheduled for Thursday, December 16, 2021 and Friday, December 17, 2021. SEC ENHANCES ACCESS TO FINANCIAL CLOSURE DATA On Aug. 19, 2021, the Securities and Exchange Commission announced open data enhancements that provide public access to financial statements and other disclosures made by publicly traded companies on its Electronic Data Gathering, Analysis, and Retrieval system (EDGAR). The SEC is releasing for the first time Application Programming Interfaces (APIs) that aggregate financial statement data, making corporate disclosures quicker and easier for developers and third-party services to use. APIs will allow developers to create web or mobile apps that directly serve retail investors. “These new APIs make important information about public companies more accessible and usable than ever before,” said Jed Hickman, Director, EDGAR Business Office. “This marks another important milestone in the SEC’s continuing efforts to facilitate innovation and make financial disclosure data accessible to all market participants.” Winter 2021 | The Cooperative Accountant
ACCTFAX The free APIs provide access to EDGAR submission history by filer as well as eXtensible Business Reporting Language (XBRL) data from financial statements, including annual and quarterly reports, Forms 8-K, 20-F, 40-F, and 6-K. The SEC anticipates adding more datasets in the future. The SEC updates APIs in real time throughout the day as EDGAR submissions are made public. In addition, a bulk ZIP file— making it possible to download all the API data—is updated and republished nightly. The APIs were made available for beta testing prior to today’s release, allowing for a period of public testing and feedback. To learn more about the APIs and how to get started, visit the API documentation page at https://www.sec.gov/page/sec-apidocumentation. IASB ISSUES PAPER DISCUSSING A NEW APPROACH TO DISCLOSURE REQUIREMENTS On Sept. 21, 2021, the IASB issued the latest issue of ‘Investor Perspectives’. In this edition, IASB Board member Nick Anderson discusses the new approach to developing and drafting disclosure requirements in IFRSs. Specifically, this issue features insight into the proposed approach and discusses some of the changes that investors would see in the financial statements since investors have been calling for better disclosures in financial statements. Per Nick Anderson, “More information is not necessarily better, just as less information is not necessarily better; instead better quality information is needed. We have consistently heard this message from users of financial statements (investors) over the years. However, delivering better quality information has been a challenge for companies. To help companies, the (IASB) Board is proposing a new approach to developing and drafting disclosure requirements in IFRS Standards. The proposed approach is intended to help companies: 11
• understand why information is useful to investors; and • apply better judgement about what information is material and should be disclosed. In this Investor Perspectives article, we discuss some changes to the financial statements that investors will see if the proposed approach is finalized, including illustrative examples. We provide context for the proposed approach by discussing the issues investors face with information provided in financial statements today and why those issues arise.” For more information, see the press release and Investor Perspectives article on the IASB’s website. 2021 GAAP GUIDE AVAILABLE FROM AICPA Titled, 2021 U.S. GAAP Financial Statements Best Practices in Presentation and Disclosure, the guide has been updated for new accounting and auditing guidance issued, and provides hundreds of high quality disclosure examples from carefully selected U.S. companies of different sizes, across industries. Whether you’re a preparer or auditor, you’ll save time and improve efficiency with this valuable resource that will give you an unparalleled picture of U.S. GAAP compliance. The guide includes: • hundreds of carefully selected high-quality disclosure examples from U.S. companies of different sizes across virtually any industry. • illustrations of virtually every required disclosure, coverage of current hot topics, and clear guidance to help understand and comply with all significant reporting requirements. • detailed indexes will help quickly find exactly what you need. For auditors, an upto-date auditor’s report—fully in compliance with GAAS—is included. Price is $210 for nonmembers and $169 for AICPA members. Go to aicpa.org for ordering details. Winter 2021 | The Cooperative Accountant
TAXFAX EDITOR George W. Benson Counsel McDermott Will & Emery LLP 444 West Lake Street Suite 4000 Chicago, IL 60606 (312) 984-7529 fax: (312) 984-7700 gbenson@mwe.com
IRS Releases Revised Hobby Loss Audit Technique Guide By George W. Benson To assist agents in the field, the IRS has developed a series of publications which it calls audit technique guides (“ATGs”). According to the IRS website: “ATGs explain industry-specific examination techniques and include common, as well as, unique industry issues, business practices and terminology. Guidance is also provided on the examination of income, interview techniques and evaluation of evidence. Also they may be helpful for business and tax planning purposes.” Currently, there are fifty ATGs, covering such topics as capitalization of tangible property; cost segregation; credit for increasing research activities; lawsuits, awards and settlements; and the retail industry. Copies are available on the IRS website. https://www.irs.gov/businesses/smallbusinesses-self-employed/audit-techniques-guidesatgs.
There is an audit technique guide for farming (Farmers ATG (Revision 7/2006)), 12
but it is currently being revised. According to the IRS website, a revised version will be posted “as soon as it is completed and approved for publication.” Like other forms of informal guidance, each ATG contains a disclaimer that it is “not an official pronouncement of the law or the position of the Service and cannot be used, cited, or relied upon as such.” However, the ATGs provide useful information for taxpayers. Recently, the IRS released an updated version of the ATG designed to help agents in audits of activities which may not be engaged in for profit (often referred to as “hobby loss” activities). Audit Technique Guide for Activities Not Engaged in for Profit, Internal Revenue Code Section 183 (Rev. 09/2021). The purpose of this guide “is to provide guidance to examiners on how to conduct a quality examination of an ‘activity not engaged for profit’ issue under IRS 183.” It also is intended to provide “information to taxpayers, tax return preparers, tax representatives, tax accountants and tax attorneys.” In agriculture, Section 183 is sometimes Winter 2021 | The Cooperative Accountant
TAXFAX used to disallow deductions of so-called “gentlemen farmers” whose operations seem never to generate profits.1 However, Section 183 applies much more broadly. The ATG lists activities where the limitation has been applied: “… acting, art work, writing, auto racing, gunsmithing, practicing law, making movies and videotapes, operating a talent agency, dog breeding, horse breeding, cattle ranching, farming, operating a bed and breakfast, aircraft rentals, boat chartering, boat racing, fishing, golfing, venture capitalization (sic), used car sales, mining and drilling, sound recordings, Amway distributorships, tax shelters, and drag racing.” The introduction to the ATG indicates that the IRS believes that the problem Section 183 is designed to address is a significant area of noncompliance. But, it acknowledges: “An activity not engaged in for profit examination is both extensive and challenging because of the infinite variations of fact patterns and regulations which are quite often vague. Even for tax scholars, it can often prove highly difficult to figure out the difference between a legitimate business that is devoted to making a profit and an activity that is not. The question of determining the taxpayer’s intent is unavoidably very subjective. The answer to this question depends on the intent of a particular individual. The determination of a particular person’s profit objective is based on the application of all nine objective
factors listed in the regulations.” Section 183 audits can be high stakes audits.2 Historically, if Section 183 applied to an activity, then the taxpayer’s deductions related to the activity were limited to (i) deductions allowable without regard to whether the activity was engaged in for profit (e.g., interest and property taxes), and (ii) “other deductions” that would have been deductible if the activity was engaged in for profit, but not in excess of gross income from the activity less deductions allowable by reason of (i). Anything else is not deductible and is lost forever. The “other deductions” that are allowed have other hurdles because they are treated as miscellaneous itemized deductions. Historically, this meant they were subject to the 2% of adjusted gross income limitation for regular tax purposes and were disallowed for alternative minimum tax purposes.3 The Tax Cuts and Jobs Act of 2017 (“TCJA”) suspended miscellaneous items deductions for tax years beginning after December 31, 2017 and before January 1, 2026, so today “other deductions” are also lost forever. Because of the potentially high stakes, Section 183 has been the source of much controversy since enacted as part of the Tax Reform Act of 1969. Taxpayers have won some cases and lost others. At the end of the day, success or failure in litigation has depended largely upon the facts and how they were developed by the IRS and the taxpayer. Realizing this, the ATG focuses on instructing examiners as to how to conduct audits so that the facts are adequately
Note that other limitations can apply to losses incurred by gentlemen farmers, such as the passive loss limitations contained in Section 469 if the owner does not materially participate in the operations. Special rules, contained in Section 172(b)(1)(B), apply to farm net operating loss carryovers. 2 The ATG also tells examiners conducting Section 183 audits to be on the alert for personal expenses that may have been deducted as expenses of the activity. Even if the examination ultimately concludes an activity is engaged in for profit, personal expenses would not be deductible. 3 See, Carl L. Gregory v. Commissioner, T.C. Memo. 2021-115 (September 29, 2021), which concluded: “In sum, we hold that section 183(b)(2) constitutes a miscellaneous itemized deduction subject to section 67(a)’s 2-percent floor.” 1
13
Winter 2021 | The Cooperative Accountant
TAXFAX developed with the result that their adjustments will be sustained in IRS Appeals and, if necessary, in court. The ATG includes detailed guidance from pre-contact analysis through report writing. It outlines reasons why Appeals sometimes does not sustain adjustments proposed by examiners. It warns examiners to be on the outlook for common taxpayer strategies which “may require additional scrutiny when conducting IRC 183 tax examinations.” It warns examiners – “don’t let the taxpayer’s representative control the examination.” It advises examiners to interview taxpayers: “In response to requests to interview the taxpayer, representatives will sometimes try to shield the taxpayer from an examiner’s interview, contending that the representative can answer all the questions in an interview or in writing. With the fact-intensive inquiries involved in IRS 183 cases, the examiner should interview the taxpayer. Examiners should not be resultant or afraid to summons the taxpayer for an interview.” It advises that “[d]ocumenting the taxpayer’s position will bind the taxpayer to a story. And if the taxpayer later changes their story, the taxpayer will appear less credible.” Section 183 audits typically focus on nine factors outlined in Treas. Reg. § 1.183-2(b). The ATG provides detailed guidance to examiners for developing the facts relevant to each of the factors. It warns examiners to avoid focusing on any one factor to the exclusion of the others. An important element in a farm “hobby loss” defense is often provided by Treas. Reg. § 1.183-1(d)(1), which, under certain circumstances, allows appreciation in the value of a farm to be taken into account in the analysis. This is generally permitted “only if the farming activity reduces the net 14
cost of carrying the land for its appreciation in value.” The ATG warns examiners that “courts have treated the land and farming activity as one activity where they found that the taxpayer purchased the property with the primary intent to use it in farming.” It advises examiners to “develop facts relating to the taxpayer’s intent in purchasing the land.” The ATG is, of course, helpful to defending a client involved in a Section 183 audit. However, taxpayers and their advisors engage in activities that never seem to make money would be well advised to study this ATG carefully in advance. The ATG provides a guide as to what a taxpayer can and should do to demonstrate and document his or her profit motivation. Defending Section 183 cases is easiest where there is contemporaneous documentation.
New Procedures for the Issuance of Some FAQs By George W. Benson The IRS has in recent years increasingly relied upon frequently asked questions (“FAQs”) to provide guidance with respect to tax law changes and emerging issues. A search of the phrase “frequently asked questions” on the IRS.gov website turns up 1,094 items. The IRS has viewed FAQs as an expeditious means to provide guidance without going through the review process required of regulations or followed for more formal published guidance such as revenue rulings. But the plethora of FAQs has come at the expense of guidance taxpayers can rely on such as published rulings, which today are uncommon. While taxpayers generally have welcomed quick guidance, FAQs have had drawbacks. Taxpayers have not been permitted to rely on FAQs as “authority” on the matters addressed. For instance, the July 16, 2019 version of the Section 199A(g) FAQs Winter 2021 | The Cooperative Accountant
TAXFAX contained the following disclaimer: “These FAQs are not included in the Internal Revenue Bulletin, and therefore may not be relied upon as legal authority. This means that the information cannot be used to support a legal argument in a court case.” There is uncertainty as to the extent to which taxpayers may rely upon FAQs for penalty protection purposes. Guidance often has been released piecemeal on the IRS website, with revisions made as the IRS has further time to think about issues. There has been no formal repository showing successive versions FAQs and the date of their release. This can make it difficult to establish the version of FAQs that were in existence at any time. In a recent news release, the IRS announced several changes in the process for FAQs “on newly enacted tax legislation.” IR-2021-202 (October 15, 2021). “Significant” FAQs will be announced in a news release and posted on the IRS. gov website in a separate Fact Sheet (“Fact Sheet FAQs”). They will be dated. Successive versions will be maintained on the website “to ensure that, if a Fact Sheet FAQ is later changed, taxpayers can locate the version they relied on if they later need to do so.” These are welcome improvements. Not all FAQs will be Fact Sheet FAQs. According to the news release, initially the new process will apply to “significant” FAQs with respect to newly enacted legislation. The release goes on to state that “the IRS may apply this updated process in other contexts, such as when FAQs address emerging issues.” The news release repeats the position that FAQs are not authority: “FAQs that have not been published in the [Internal Revenue] Bulletin will not be relied on, used or cited as precedents by 15
Service personnel in the disposition of cases. Similarly, if an FAQ turns out to be an inaccurate statement of the law as applied to a particular taxpayer’s case, the law will control the taxpayer’s tax liability. Only guidance that is published in the Bulletin has precedential value.” But, the news release goes on to provide that “a taxpayer’s reasonable reliance on an FAQ (even one that is subsequently updated or modified) is relevant and will be considered in determining whether certain penalties apply.” With respect to negligence and accuracy related penalties, FAQs can be taken into account in a reasonable cause defense if a taxpayer can show that “[it] relied in good faith on an FAQ” and that its reliance was “reasonable based on all the facts and circumstances.” In addition, Fact Sheet FAQs will be considered authority for purposes of a penalty defense based upon “substantial authority.” Of course, the news release is being closely studied, and some limitations have been identified. The new procedure will, at least initially, be limited to FAQs released as Fact Sheet FAQs. There is no discussion as to the penalty protection status of other FAQs (or, for that matter, of the numerous prior FAQs released in recent years). It would have been helpful if there was language in the news release that “no inference” should be drawn from the news release as to whether taxpayers relying on prior FAQs could qualify for penalty relief. “Reasonable cause” penalty protection is dependent upon a taxpayer being able to show it “relied in good faith on an FAQ” so taxpayers should be prepared to show that they were actually aware of the FAQ at the time. A careful taxpayer relying on a Fact Sheet FAQ in the future should consider retaining a copy in its tax file to evidence actual awareness of the FAQ. Some had hoped that the IRS would go Winter 2021 | The Cooperative Accountant
TAXFAX one step further than it has and actually amend the penalty regulations, but it did not. (This might lead some to wonder whether they can rely upon an IRS news release which is not included in the Internal Revenue Bulletin though it should be difficult for the IRS to disavow the news release in future litigation.) Some tax return preparers have noted that preparer penalties are not mentioned in the news release and wondered whether the penalty protection extends to them. While the new release has some limitations, it is still a positive step by the IRS.
Prepare Refund Claims with Care By George W. Benson If refund claims end up in court, the last thing taxpayers want is to have the litigation expand to include tangential issues related to the form, content or timeliness of the claims themselves. Litigation is slow enough without involving side issues that could largely have been avoided if the refund claims had been carefully drafted. Section 7422(a) provides that “no suit or proceeding shall be maintained in any court for the recovery of any internal revenue tax alleged to have been erroneously or illegally assessed or collected … until a claim for refund or credit has been duly filed…” This means what it says. A refund suit cannot be commenced in either a U.S. District Court or the U.S. Court of Federal Claims without a valid refund claim. See, for example, Naresh Channaveerappa v. United States, Case No. 1:20-CV-1732 (October 26, 2021) (order dismissing case because “Plaintiffs did not file a legally compliant request for refund”). Claims must be timely filed and must adequately put the IRS on notice as to what is being claimed. Treas. Reg. § 301.6402-2(a)(1) provides that “[c]redits or refunds of overpayments 16
may not be allowed or made after the expiration of the statutory period of limitation properly applicable unless, before the expiration of such period, a claim therefore has been filed by the taxpayer.” Treas. Reg. § 301.6402-2(b)(1) states: “No refund or credit will be allowed after the expiration of the statutory period of limitation applicable to the filing of a claim therefor except upon one or more of the grounds set forth in a claim filed before the expiration of such period. The claim must set forth in detail each ground upon which a credit or refund is claimed and facts sufficient to apprise the IRS of the exact basis thereof. The statement of the grounds and facts must be verified by a written declaration that it is made under the penalties of perjury. A claim which does not comply with this paragraph will not be considered for any purpose as a claim for refund or credit.” For regular corporations, refund claims are made by filing Form 1120X (Amended U.S. Corporation Income Tax Return) with the IRS. For cooperatives, refund claims are made using an amended Form 1120-C (U.S. Income Tax Return for Cooperative Associations). The instructions to that form state: “If the cooperative must change its originally filed return for any year, it should file a new return including any required attachments. Use the revision of the form applicable to the year being amended. The amended return must provide all the information called for by the form and instructions, not just the new or corrected information. Check the ‘Amended return’ box.” Timely filing. Generally federal claims for refund of income taxes must be filed within three years after the date a corporation filed its original Winter 2021 | The Cooperative Accountant
TAXFAX return or within two years after the date the corporation paid the tax, whichever is later. A return filed before the due date is considered filed on the due date. For tax purposes, timely mailing (evidenced by a timely postmark) generally is timely filing for documents that actually reach the IRS, provided that the letter bears a legible postmark. See, Section 7502(a). However, there are exceptions to this rule. First, if the claim arrives after the due date without a postmark and it was not sent by registered or certified mail (or by use of a duly designated private delivery service), the taxpayer may very well be out of luck. See, for instance, McCaffery v. United States, Docket No. 19-1112T (Fed. Cl. August 9, 2021) where the Court of Federal Claims refused to consider evidence of when a refund was actually mailed when it arrived after the due date and did not have a postmark. “But on the plain text of section 7502, the deemed delivery rule only applies if a postmark or equivalent marking is made: The date of the postmark is what matters, not the date of the mailing. … Similarly, the regulations provide for extrinsic evidence only to prove the contents of an illegible postmark, not to prove time of mailing when there was no postmark.” The court recognized that the result was “harsh,” particularly since it appeared clear that the claim had been timely mailed, but “the text controls.” Second, the rule does not apply if a claim never arrives at the IRS (or the IRS asserts it never arrived). In such a case, Treas. Reg. § 301.7502-1(e)(ii) provides: “Other than direct proof of actual delivery, proof of proper use of registered or certified mail, and proof of proper use of a duly designated [private delivery service] …, 17
are the exclusive means to establish prima facie evidence of delivery of a document to the agency, officer, or office with which the document is required to be filed. No other evidence of a postmark or of mailing will be prima facie evidence of delivery or raise a presumption that the document was delivered.” This second exception is illustrated by a recent decision of a District Court in New Jersey. See, Charles Crispino, Jr. v. United States, Civ. No. 17-13751 (July 26, 2021), where the court dismissed the taxpayer’s claim, concluding that the regulations were valid and supplanted any common-law mailbox rule. Adequately describing what is being claimed – the “specificity requirement.” The regulation also provides that a “claim must set forth in detail each ground upon which a credit or refund is claimed and facts sufficient to apprise the IRS of the exact basis thereof.” Occasionally the IRS tries to have cases dismissed because of an asserted failure of the refund claim to meet this requirement. Obviously, claims that simply assert that the taxpayer is entitled to a refund without any explanation as to why do not meet this standard. But just how detailed must the description of the basis of the claims be? Two recent U.S. District Court decisions, both in Utah, illustrate potential problems that sketchy refund claims can create. See, Premier Tech, Inc. v. United States, No. 2:20-cv-890-TS-CMR (July 15, 2021), and Intermountain Electronics, Inc. v. United States, No. 2:20-cv-00501-JNP (July 16, 2021). Both of these cases dealt with research credit claims based on studies conducted by the AlliantGroup LP. Research credit claims often present difficult factual issues. While many companies that claim research credit Winter 2021 | The Cooperative Accountant
TAXFAX are in fact entitled to what they claim, the IRS specific…. By Barbara A. Wech believes that many claims are unwarranted. It The amended return is complete and puts the has included research credit claims on its annual IRS on notice about the nature of the claim, “dirty dozen” list of tax scams for the past few the entity claiming the credit, and the legal year. See, IR-2021-144 (July 1, 2021). See, also, “Research Credit Claims Audit Techniques theory upon which the claim is founded. The Guide (RCCATG): Credit for Increasing Research amended return has sufficient data to calculate the tax and enough information to allow the Activities § 41,” available at the IRS website. https://www.irs.gov/businesses/research-credit- IRS to efficiently investigate the requirement claims-audit-techniques-guide-rccatg-credit-for- so 26 U.S.C. § 41 and make an informed determination about the refund.” increasing-research-activities-ss-41 The two cases were decided by the same The judge also concluded that the complaint court a day apart, but by different judges contained sufficient information to survive a who took somewhat different approaches. In motion to dismiss for failure to state a claim. each, the Government argued that the refund In Intermountain Electronics, the judge claims contained insufficient detail and that the cast doubt as to the Government’s argument case should be dismissed because of that. In that the claim was not sufficiently specific addition, in each the Government also argued (characterizing what the Government asserted that the pleadings in the complaints filed with should have been included as placing “quite a the court lacked sufficient detail to state a heavy burden on taxpayers”), but concluded claim and the cases should be dismissed. she did not need to address that issue. She In Premier Tech, the judge held for the concluded that the IRS waived the regulatory taxpayer on both arguments. With respect to specificity requirements when it investigated the Government’s argument that the refund Intermountain’s claim and denied it. claim was not sufficiently specific, the judge However, she went on to decide that observed: Intermountain’s complaint did not contain sufficient detail. She dismissed it for failure to “The purpose of this requirement ‘is to afford state a claim, but without prejudice, allowing the Service an opportunity to consider and Intermountain to file an amended complaint dispose of the claim without the expense and that she said should contain: time which would be consumed if every claim had to be litigated.’ There is not a precise rule for what level of detail satisfies the specificity requirement, but it is not a high standard. Some courts have explained, ‘[t]he specificity requirement is met if the basic issue is evident from the record, and the IRS is aware of the nature of the claim.’ Another court has said that ‘to be a valid return for purposes of a refund claim, the return must contain sufficient data to allow calculation of tax.’ And another court has said the taxpayer ‘need only set forth facts in the claim sufficient to enable the IRS to make an intelligent review of the claim’ Premier’s amended return is sufficiently 18
“… sufficient factual matter to advise the court and the Government of the nature of its claim. This should include the facts underlying its belief that it is entitled to a refund, such as the activities it believes constituted qualified research activities. The amended complaint should also articulate the ways in which the IRS improperly denied Intermountain’s claim for refund.” The IRS pushes back – new rule requiring “specificity” for research credit claims. Not long after the decisions in Premier Tech and Intermountain Electronics, the IRS issued IR-2021-203 (October 15, 2021), requiring Winter 2021 | The Cooperative Accountant
TAXFAX that all research credit claims for refund filed on or after January 10, 2022, contain extensive information and providing that after that date “there will be a one-year transition period during which taxpayers will have 30 days to perfect a research credit claim for refund prior to the IRS’ final determination on that claim.” Released at the same time was a 20-page IRS Chief Counsel Memorandum specifying what must be included in research credit claims and discussing the consequences of filing deficient claims. FAA 20214101F (September 17, 2021) (the “Memorandum”). The news release and Memorandum require refund claims to include the following information: “… for a Section 41 research credit claim for refund to be considered a valid claim, taxpayers are required to provide the following information at the time the refund claim is filed with the IRS: • All business components to which the Section 41 research credit claim relates for that year. • For each business component, identify all research activities performed and name the individuals who performed each research activity, as well as the information each individual sought to discover. • Provide the total qualified employee wage expenses, total qualified supply expenses, and total qualified contract research expenses for the claim year.”
This information must be provided in a written statement (not simply through the production of documents) which must be signed under penalties of perjury. The reaction of the taxpayer community to the news release and Memorandum has been negative. Does the IRS have legal authority for its position? Is what it proposes to require reasonable? Such 19
detailed information is not required to be included when research credit is claimed on original returns. Why should refund claims be treated differently? Is the IRS analysis in the Memorandum of what is required in a refund claim just applicable to refund claims involving the research credit? If so, what justifies treating research credit claims differently? Note, there is nothing in the news release suggesting that other claims must have comparable detail. If the IRS goes forward, the likely result will be to significantly complicate future research credit refund claims, perhaps require “perfection” of prior claims, and add another issue to all research credit disputes. As a matter of strategy, the Memorandum recommends that the IRS should simply reject outright (without audit) any research credit refund claims that do not meet the new standards. It suggests doing so for two reasons, both of which are tactical. First, courts have found that, when claims are audited, the IRS waives any argument that the “specificity requirement” is not met. This was done in Intermountain Electric. Another recent example, also involving a research credit claim, is Harper v. United States, 127 AFTR 2d 2021-1027 (9th Cir. 2021). While the District Court agreed with the IRS that the claim was insufficient, the Ninth Circuit reversed. The court concluded that the IRS had waived any failure to meet the “specificity requirement” after conducting a four-year audit, with “extensive correspondence between the government and Taxpayer, and … over 112,000 pages of documentation produced by Taxpayer.” Second, courts have often been lenient when taxpayers “perfect” deficient claims that were timely filed, but not “perfected” until after the statute of limitations for filing claims expired. The Memorandum notes that summarily rejecting claims not containing all of the prescribed information “may preclude Winter 2021 | The Cooperative Accountant
TAXFAX a taxpayer from amending or perfecting their refund claim if the refund claim failed to follow procedural requirements and the statute of limitations to file a new refund claim has expired.” The news release and Memorandum both require that the requested information be included “at the time the refund claim is filed with the IRS.” While these requirements seem like administrative over-reach, taxpayers who plan to file research credit refund claims should study this news release and Memorandum carefully and keep on the watch for further developments. Also, taxpayers who have filed research credit refund claims that are pending will need to be on the alert for clarification as to what the IRS contemplates must be done during the “one-year transition period” to perfect prior claims. Protecting against a later assertion of “variance.” The first sentence of Treas. Reg. § 301.6402-2(b)(1) precludes a taxpayer from asserting an issue in court that was not set forth in the refund claim. It does so by providing that no refund will be allowed “except upon one or more of the grounds set forth” in a timely claim. A taxpayer that raises a new matter for the first time in its pleadings or briefs runs the risk of having the matter dismissed without regard to its merits. As the Court of Appeals recently observed in Green v. United States, 880 F.3d 519 (10th Cir. 2018): “Together, § 7422(a) and Treasury Reg. § 301.6402-2(b)(1) give rise to what courts have described as the ‘substantial variance’ rule. This rule bars a taxpayer from presenting claims in a tax refund suit that ‘substantially vary’ the legal theories and factual bases set forth in the tax refund claim presented to the IRS. Of relevance here, any legal theory not expressly or 20
impliedly contained in the application for refund cannot be considered by a court in which a suit for refund is subsequently initiated.” (citations and quotation marks deleted). Variance arguments arise when claims totally unrelated to the original refund claim are later made. They also can arise where alternative theories are raised. Amended returns should include all claims for the year in question. If, after a claim is filed and while the statute is still open, the taxpayer discovers additional items that should have been included, an additional claim should be filed. Also, taxpayers should be careful in how they describe the grounds for their claims so that the description is broad enough to cover the arguments the taxpayer anticipates later using in court to support the claims. Application to cooperatives. As noted above, there is no form for cooperatives to use for refund claims comparable to Form 1120X used for refund claims filed by regular corporations. Cooperatives should consider attaching a schedule to an amended Form 1120-C that follows the format of Form 1120X. The Form 1120X contains a section inviting an explanation of the basis for the claim. Care should be taken so the explanation meets the “specificity requirement” and adequately covers what is being claimed so it precludes a later “variance” attack. Cooperatives should always follow the practice of sending refund claims by registered or certified mail (or by use of a duly designated private delivery service). This provides a means to prove timely filing if the claim is delivered to the IRS after the last day for filing and the envelope does not have a postmark or if the IRS asserts it never received the claim. Winter 2021 | The Cooperative Accountant
TAXFAX TAXFAX
EDITOR Barbara A. Wech, Ph.D. Department of Management, Information Systems, and Quantitative Methods University of Alabama at Birmingham COLLAT School of Business 710 13th St. South Department of Management, Information Systems, & Quantitative Methods Birmingham, Alabama 35233 bawech@uab.edu
Introduction To inhibit damaging practices and to encourage compliance, a plethora of government agencies enforce the compliance of regulations. Agencies like the Environmental Protection Agency (EPA) provide efficiencies to the market and peace of mind to consumers regarding the businesses and products they engage with regularly1. At the same time, the Securities and Exchange Commission (SEC) seeks to protect investors and enforce fairness in the financial markets (SEC, 2016). While regulating bodies protect consumers and the general public, a cooperative is an entity owned and managed by the individuals that use the products or services. With ownership and control resting with the same individuals, there is a greater chance of thorough self-regulation. This makes it seems unlikely that cooperatives would violate laws and regulations designed to protect their interests and provide efficiencies to the market. In this study, we examine cooperatives that have violated laws and parameters set forth by governmental regulating bodies, such as the EPA, SEC, and others, and have experienced
GUEST WRITERS Jennifer D. Hamrick, PhD, CPA, CGMA COLLAT School of Business UAB | The University of Alabama at Birmingham CSB 315 | 1720 2nd Ave South | Birmingham, AL 35294 P: 205-996-2657 | jdhamrick@ uab.edu
monetary enforcement as a result. In our sample, there are 602 Caleb Houston, PhD violations Assistant Professor of Finance subject to COLLAT School of Business penalties Accounting and Finance averaging $3.9 The University of Alabama at Birmingham million per CSB 311 | 710 13th St. South cooperative. Birmingham, AL 35233 Violating P: 205-975-2867 cooperatives houston0@uab.edu are spread across 15 industries, with infractions clustering in the Agribusiness and Food Products industries. The primary offenses in 86.4% of the violations were Environmental, Workplace Safety or Health Violations. Further, 98.5% of the cases are enforced on a federal level, with an entity such as the EPA or the SEC policing the wrongdoing. Overall, the results demonstrate the frequency and costly nature of violating regulations. Monetary penalties are not the sole cost of these indiscretions; there is also a “social
1 The stated mission of the EPA is to “protect human health and the environment” (US EPA, 2013). 21
Winter 2021 | The Cooperative Accountant
TCA SMALL BUSINESS FORUM penalty” that can be imposed by consumers how cooperatives can better track and analyze when companies have corporate social their behavior and avoid violations. responsibility failures or violate regulations. To show disappointment or disapproval, Analysis of Cooperative Violations and consumers can withhold support through their Economic Enforcement buying behavior and public reviews (Crane Data on cooperative violations were collected et al., 2004). For example, consumers with a from Good Jobs First, a policy resource large and influential social media following center “promoting corporate and government could encourage their audience to examine accountability in economic development and recent infractions, discredit the cooperative smart growth for working families” (Good and encourage a boycott (Russell et al., 2016; Jobs First, 2021a). The violation database Trudel & Cotte, 2008). contains 444,685 entries across 3,341 public We posit that the motivation to abide by and private companies, cooperatives, nonestablished laws is driven by incentives to profits, and joint ventures. We identified maintain safe practices and avoid economic 602 violations occurring at 29 different penalties. In addition, since consumers are cooperatives over a 20-year period (Good aware of the culture created by a cooperative, Jobs First, 2021b). Several important variables outsiders could impose social penalties for contained in the data include the name of cooperatives whose actions do not match the cooperative, type of offense, date of their mission. By actively avoiding violations, occurrence, penalty amount, and government the cooperative can profit from maintaining entity enforcing the violation. For this study, a positive image and not drawing negative we examine the yearly trend of violations, the attention to themselves. Therefore, it is vital type of violations, and the regulating body for cooperatives to understand standard issuing the penalty. We summarize the data regulations to avoid violations and the and its implications below. associated penalties. Our discussion is as follows. We begin Violations by Year by examining the number of cooperative Figure 1 presents the frequency of violations by year and providing a detailed cooperative violations by year. For the 2000 analysis of the violation characteristics. Then, to 2013 period, the number of violations we tabulate the related penalties Figure 1: Cooperative Violations by Year cooperatives Figure 1 presents the frequency of cooperative violations for each year. The y-axis is the number of violations and experienced for the x-axis shows the years in our sample that the violation(s) took place. these violations. Next, we identify the enforcement 60 agencies to uncover which government 45 entities are policing these 30 infractions. Finally, we 15 conclude with the implications of disregarding 0 2000 2002 2004 2006 2008 2010 2012 2014 2016 2018 2020 laws and regulations and 22
Winter 2021 | The Cooperative Accountant
TCA SMALL BUSINESS FORUM steadily increases to 58 violations in 2013, followed by a general decline to 8 violations in 2020. The COVID pandemic can partially explain the decrease in enforcement actions, with both EPA and OSHA-related offenses experiencing a steep decline in 2020 with the number of enforcements. Violation Characteristics Summary statistics for cooperative violations and characteristics are presented in Table 1. Panel A contains the industries represented by the cooperatives. There are 15 different industries in this sample, with 223 (37%) violations occurring in the Agribusiness industry and 188 (31%) in Food Products. The remaining 191 (32%) violations are spread out across the remaining thirteen industries with a range of violations from 2 to 57. While two industries account for roughly two-thirds of the violations, there is a substantial number of violations committed by cooperatives in the Power Systems (57), Power Generation (22), and Retail-Supermarkets (29) industries. The Electric Utility and Grain cooperatives had the lowest number of violations with 2 and 3, respectively. For the 29 cooperatives in the sample, there is an average of 21 violations per cooperative. Panel B presents the violations grouped by type of offenses. Overall, 58.6% of the offenses are Safety Related while another 33.2% are Environment Related. These groupings can be further classified by their primary and, if applicable, secondary offense. For example, the Safety Related grouping contains the primary offenses within Workplace Safety or Health Violations (320), Railroad Safety (21), Motor Vehicle Safety Violation (11), and Aviation Safety Violation (1). Out of the 602 total violations, ninety-one also carry a secondary offense. 60.4% of secondary offenses are Mining Violations, while the rest are spread out across eight distinct categories, such as Pipeline Safety Violations (16.5%), Fair Labor Standards Act violations (9.9%), and Child Labor or Youth Employment Violations (5.5%). Penalties Table 2 highlights the financial impact of the enforcement of regulation violations. From 2000 23
Table 1: Summary Statistics Panel A presents the industry for the total number of cooperative violations. The first column contains the industry name, the second column contains the number of violations, and the third column contains the percentage of total violations each industry represents. Like the previous panel, Panel B presents the types of offences carried out by cooperatives. This is shown by offence group, and then broken down into primary and secondary offences, if the violation contains multiple offences. The number of violations, and the percentage of total violations are contained in columns two and three, respectively.
Panel A Industry
Frequency
Percent
Agribusiness
223
37.04%
Dairy
15
2.49%
Dairy Products
7
1.16%
Electric Utility
2
0.33%
Ethanol
7
1.16%
Financial Services
8
1.33%
188
31.23%
Grain
3
0.50%
Power Generation
22
3.65%
Power Systems
57
9.47%
Retail-Agricultural Supplies
15
2.49%
Retail-Outdoor Gear
4
0.66%
Retail-Supermarkets
29
4.82%
Utilities
12
1.99%
Wholesalers-Groceries
10
1.66%
Food Products
Panel B Offense Group
Frequency
Percent
Competition Related
2
0.33%
Consumer Protection Related
4
0.66%
Employment Related Environment Related
12
33
5.48%
200
33.22%
Financial
10
1.66%
Safety Related
353
58.64%
Primary Offense
Frequency
Percent
Family and Medical Leave Act
1
0.17%
Accounting Fraud or Deficiencies
1
0.17%
Anti-Money Laundering Deficiencies
3
0.50%
Aviation Safety Violation
1
0.17%
Banking Violation
1
0.17%
Benefit Plan Administrator Violation
2
0.33%
Consumer Protection Violation
3
0.50%
Employment Discrimination
4
0.66%
200
33.22%
13 Interest Rate Benchmark Manipulation
2
0.33%
Investor Protection Violation
4
0.66%
Labor Relations Violation
8
1.33%
Motor Vehicle Safety Violation
11
1.83%
Privacy Violation
1
0.17%
Railroad Safety Violation
21
3.49%
Tax Violation
1
0.17%
Wage and Hour Violation
18
2.99%
Workplace Safety or Health Violation
320
53.16%
Environmental Violation
Secondary Offense
Frequency
Percent
Fair Labor Standards Act
9
9.89%
Child Labor or Youth Employment Violation
5
5.49%
Donning and Doffing
1
1.10%
Mining Violation
55
60.44%
Misclassification
1
1.10%
Overtime Violation
1
1.10%
Pipeline Safety Violation
15
16.48%
Retaliation
1
1.10%
Securities Issuance or Trading Violation
3
3.30%
Winter 2021 | The Cooperative Accountant
TCA SMALL BUSINESS FORUM Table 2: Penalties for Violations This table presents the information on penalties categorized by Offense Group. The mean, standard deviation, minimum, maximum and total penalty amounts are provided.
Penalty by Offense Group Competition Related
N
Mean
Std. Deviation
Minimum Maximum
2
400,000,0 00
106,066,01 7
325,000,0 00
475,000,0 00
Sum 800,000,0 00
violations by cooperatives are equally weighted by governmental agencies when it comes to the severity of the enforcement and the designated penalty amount.
Governmental Agencies Governmental agencies provide the 18,995,21 33 575,613 1,206,832 5,000 5,000,000 enforcement arm to the laws that Employment Related 7 businesses must abide by during 650,750,0 1,057,230, 200 5,286,154 47,842,537 5,000 Environment Related 00 797 operations. This is a significant number 43,334,44 115,377,42 368,701,2 433,344,4 10 35,235 of regulations and a plethora of Financial 9 9 59 94 government agencies in our sample Safety Related 353 16,718 27,170 5,000 376,350 5,901,316 spanning 15 industries. As reported 650,750,0 2,317,018, 3,848,868 39,168,961 5,000 602 00 824 in Table 3, 26 agencies are enforcing these violations, ranging between 1 to to 2020, penalties totaling over $2.3 billion 265 cases per agency2. 98.5% of the have been levied against cooperative entities. agencies operate at the federal level, and the On average, each violation carries a $3.8 remaining 1.5% are state agencies. million dollar fine. However, a higher number Corresponding to the high number of of penalties does not always translate into violations for safety and environmental higher totals. Instead, offense groups with a reasons, the agencies most frequently much smaller number of violations have the engaged are the Occupational Safety & Health largest total penalties. Administration (OSHA) and the Environmental For example, there are only 2 Competition Protection Agency (EPA) with 265 cases, and Related offenses, but they were the costliest 172, respectively. However, penalties imposed penalties totaling $800 million, which is over a by OSHA and the EPA are not the costliest third of the total penalties. 15Financial offenses for cooperatives. On average, penalties were, on average, the second-costliest penalty levied by OSHA and the EPA are $18.7 at $43.3 million. Of the ten financial offenses, thousand and $557.9 thousand. However, the four offenses involved Investor Protection Justice Department’s Criminal Division and Violations, while three more were Anti Money Environment and Natural Resources Division3, Laundering Deficiencies. Accounting Fraud on average, give the costliest penalties of or Deficiency, Banking Violation, and Tax $346.9 million and $193.8 million, respectively. Violation each had one observation to round Additionally, penalties levied by the out the Financial Offense group. Commodity Futures Trading Commission4 and Finally, the two offense groups with the the Environmental Protection Agency (referral highest number of violations, Safety-Related to the Justice Department) are the third and Environment Related, have lower average and fourth highest average penalty at $97.7 penalties of $16.7 thousand and $5.3 million, million and $30.8 million, respectively. It is respectively. These findings imply that not all worth noting that like the Justice Department Consumer Protection Related
4
386,750
357,098
35,000
872,000
1,547,000
2 There are 5 instances where the agency tied to the violation is not listed in the data. 3 Only four penalties were issued by the Justice Department Environment and Natural Resources Division. There were two large penalties that skewed the average upward. One penalty involved the actual penalty and pollution controls for a total penalty of $650.7 million. The other large penalty was $100 million and also attributable to pollution controls. 4 Penalties imposed by the Commodities Futures Trading Commission involved penalties related to failing to submit accurate Form 204 reports, along with penalties for failure to register as a Futures Commission Merchant. Additionally, there was a $12 million-dollar civil penalty for an attempt to manipulate a futures contract and exceeding speculative position limits in the contract. 24
Winter 2021 | The Cooperative Accountant
TCA SMALL BUSINESS FORUM Divisions, there are a small number of penalties in this sample. For example, there are only five penalties in our sample collected by the Commodities Futures Trading Commission and six by the Environmental Protection Agency (referral to the Justice Department).
Table 3: Government Agencies This table tabulates the number of violation cases enforced by government agencies. The first column contains the agency name, the second column contains the frequency of enforcement, and the third column contains the average amount of monetary penalties levied by the agency.
Government Agency
Frequency Penalty Average
Commodity Futures Trading Commission
5
97,730,000
Connecticut Attorney General
2
167,617
Employee Benefits Security Administration
2
815,211
172
557,901
Environmental Protection Agency
Environmental Protection Agency referral to the Justice Decline in Enforcement Dept 6 30,820,833 With the COVID pandemic, Equal Employment Opportunity Commission 2 317,375 overall government enforcement declined Federal Aviation Administration 1 15,000 in 2020. The EPA Federal Motor Carrier Safety Administration 11 22,271 clearly stated that they Federal Railroad Administration 21 7,595 would “exercise the Indiana Attorney General 1 5,979 enforcement discretion… for noncompliance covered Justice Dept Criminal Division 2 346,850,630 by this temporary policy Justice Dept Environment and Natural Resources Division 4 193,840,000 and resulting from the Labor Dept Wage and Hour Division 15 31,963 COVID-19 pandemic, if Mine Safety and Health Administration 55 9,789 regulated entities take the steps applicable to their Multistate Attorneys General Case 1 872,000 situations” (United States National Labor Relations Board 8 484,174 Environmental Protection New Jersey Attorney General 1 235,000 Agency, 2020a). However, even before the COVID New Jersey Division of Consumer Affairs 1 35,000 19 pandemic, the EPA had New York Attorney General 1 405,000 experienced an overall Occupational Safety & Health Administration 265 18,655 decrease in inspections Office of Federal Contract Compliance Programs 1 42,000 and enforcement cases in all industries from 2007 Office of the Comptroller of the Currency 2 25,029,000 to 2018 (United States Pipeline and Hazardous Materials Safety Administration 15 42,060 Environmental Protection Securities and Exchange Commission 1 400,000 16 Agency, 2020). This decline U.S. Attorney-Southern District of California 1 500,000 in overall enforcement actions corresponds to Wisconsin Attorney General 1 50,000 Figure 1’s decline using our Cooperatives’ Violations peaked in 2013 cooperative sample. During with 29 cases and then slowly declined to 11 the sample period of 2000 to 2019, the EPA enforcement actions in 2019 and 5 in 2020. levied 182 enforcements against cooperative firms. In 2019, only one enforcement action was This trend is consistent with the total decrease in inspections OSHA conducted seen in 2020. noted, and zero enforcement activity occurred in 2020. However, the five enforcement actions A decrease in enforcement actions during 2020 was not just limited to the EPA and OSHA; the carried, on average, a higher fine than the 11 SEC’s Division of Enforcement also saw a steep violations in 2019. OSHA enforcements show a similar decline in enforcement. Overall, there drop in enforcement actions. During the fiscal year 2020, enforcement actions experienced a are 265 OSHA violations noted in the sample.
25
Winter 2021 | The Cooperative Accountant
TCA SMALL BUSINESS FORUM 17% drop compared to 2020 (The National Law Review, 2020). Implications and Conclusion Cooperatives are widespread and diverse among industries and were founded to negate the separation of ownership and control that leads to agency problems. Within the operations of a cooperative, workers and owners are often the same, allowing ownership and control to coexist. However, there are instances where cooperatives do not act in their own best interest and violate the laws governing their operations. This leads to suboptimal circumstances for the cooperative and substantial economic penalties, similar to an agency problem at a public corporation. After violating, some cooperatives correct their behavior, while others do not, leading to additional enforcement as a result. Overall, our findings demonstrate the sizeable economic penalty levied against cooperatives who commit regulatory violations. What our results do not capture is the social penalty imposed by
consumers. Cooperatives should review the regulatory penalties amassed each year and implement strategies to avoid violations that lead to penalties in the future. In terms of frequency, EPA and OSHA violations are the most common, implying that substantial resources should be put forth to stay current on compliance with current and emerging laws policed by these agencies. However, the costliest penalties per violation stem from cases involving the Justice Department and the Commodity Futures Trading Commission, so adequate resources also need to be allocated to monitor these legal environments. Further, the existence of these violations is in direct opposition to a cooperative’s purpose. By committing violations, especially repeatedly, cooperative organizations run the risk of reducing their credibility and positive image. Therefore, beyond living by the letter of the law, cooperatives should stay vigilant and seek to foster a safe and healthy environment for their constituents to maintain their image and culture.
References Crane, A., Matten, D., & Moon, J. (2004). Stakeholders as Citizens? Rethinking Rights, Participation, and Democracy. Journal of Business Ethics, 53, 107–122. Good Jobs First. (2021a). About Us | Good Jobs First. https://www.goodjobsfirst.org/about-us Good Jobs First. (2021b). Violation Tracker. The Corporate Research Project of Good Jobs First’s Violation Tracker. https://www.goodjobsfirst.org/violation-tracker Russell, C. A., Russell, D. W., & Honea, H. (2016). Corporate Social Responsibility Failures: How do Consumers Respond to Corporate Violations of Implied Social Contracts? Journal of Business Ethics, 136(4), 759–773. https://doi.org/10.1007/s10551-015-2868-x SEC.gov | About the SEC. (n.d.). Retrieved July 8, 2021, from https://www.sec.gov/about.shtml The National Law Review. (2020). The Pandemic Has Caused the Number of SEC Enforcement Actions to Decline Sharply in FY 2020. The National Law Review, XI(188). https://www.natlawreview.com/article/pandemichas-caused-number-sec-enforcement-actions-to-decline-sharply-fy-2020 Trudel, R., & Cotte, J. (2008, May 12). Does Being Ethical Pay? Wall Street Journal. https://online.wsj.com/ article/SB121018735490274425.html United States Environmental Protection Agency. (2020a, March 26). COVID-19 Implications for EPA’s Enforcement and Compliance Assurance Program. https://www.epa.gov/sites/production/files/2020-03/ documents/oecamemooncovid19implications.pdf United States Environmental Protection Agency. (2020b). EPA’s Compliance Monitoring Activities, Enforcement Actions, and Enforcement Results Generally Declined from Fiscal Years 2006 Through 2018 (p. 38). https://www. epa.gov/sites/production/files/2020-04/documents/_epaoig_20200331_20-p-0131.pdf US EPA. (2013). Our Mission and What We Do [Overviews and Factsheets]. US EPA. https://www.epa.gov/ aboutepa/our-mission-and-what-we-do 26
Winter 2021 | The Cooperative Accountant
TCA SMALL BUSINESS FORUM
playbook. Individuals at each level of the organization should know their specific roles The biggest question that arises in the wake and responsibilities, says Tim Rawlins, senior of a ransomware attack is whether to pay the advisor at security consulting firm NCC ransom, and the answer is by no means easy. Group. What should a company do when cyber The gold/silver/bronze model standard criminals attack its systems and demand in many business continuity plans is a good a ransom? Unfortunately, the increase in starting point, Rawlins says. The executive ransomware incidents forces a growing or gold team focuses on setting the number of businesses to answer that organization’s strategy and managing the question. response to stakeholders. The silver team of How organizations handle the minutes, departmental heads focuses on ensuring the hours, and days following a ransomware right tactics are used and that resources are attack determines how much it hurts their available to the various operational (bronze) finances, reputation, and standing with teams that deliver the response. customers and regulators. A poor response “This process is predicated on using the could lead to a heavy financial hit, while an individual’s expertise to do what they do excellent one could reduce the incident to best and not interfering,” Rawlins says. an inconvenience. “Leave the technical response to the bronze Response actions and plans vary based teams of security and IT, with support and on the scope of an attack, the size of guidance from the silver team, based on the the organization, and the organization’s strategy set by the gold team.” resources. But there are some key steps As a member of the gold team, the to take to mitigate losses in any attack on chief financial officer will be responsible any size company. (While we call these for gauging the incident’s impact on the recommendations “steps,” many of them company’s finances and its long-term will coincide.) stability, Rawlins says. “The CFO will likely have personal stakeholder relationships 1. Follow an incident response plan (IRP) that they manage, so they will probably be to keep things from devolving into chaos. the point person to talk to the banks, major Ideally, the response to a ransomware attack shareholders, and investors.” should follow a well-prepared and rehearsed Assuming the organization has an IRP Published November 17, 2021
27
Winter 2021 | The Cooperative Accountant
BEST PRACTICES in place — which it should — response teams need to follow the plan as closely as possible following a ransomware incident. The IRP “provides a defined set of stepby-step instructions to help staff detect, respond to, and recover from network security incidents,” says Jeffrey Wells, cochair of the cybersecurity, data protection, and privacy team at law firm Clark Hill PLC. A good IRP includes a roster of IT team members and trusted outside technology experts as well as a cross-functional incident response team poised to respond when security is breached, Well says. This group is “charged with determining as quickly as possible what systems and hardware are affected by the ransomware attack,” Well says. A company with multiple locations should have each site conduct a similar triage. The team should determine whether backups still exist and are usable, and ascertain whether the attackers sent a ransom note. Pay particular attention to the variant of ransomware involved. “Sometimes the ransom note will identify this, or the file extension used on encrypted files may provide information,” Wells says. 2. Identify and contain the source of the attack, and fix the vulnerability. Immediately following a ransomware incident, the IT or cybersecurity team must identify the root cause and then contain the attack. That includes figuring out the method of attack, says Bruce Young, leader of cybersecurity operations and control management at Harrisburg University of Science and Technology. “Was it by a clicked link in a phishing email, a drive-by pop-up for a user to update their Adobe software, or a bad actor exploiting a vulnerability providing access to internal resources?” Young says. Containment includes ensuring that the malware doesn’t spread. “Ransomware must be contained before eradication and 28
recovery, or there is a risk of having restored information contaminated,” Young says. The company needs to eradicate or remediate whatever vulnerabilities allowed the exploit to be successful as soon as possible. “Otherwise, the bad actor can use the same method to re-attack the organization,” Young explains. Once the root cause is contained and eradicated, the organization can begin the recovery process. According to Young, compromised or encrypted data must be restored and verified in an environment known to be free from ransomware. “Verification includes ensuring that the backup copies of the data are not contaminated,” he says. 3. Contact law enforcement and legal representatives. At the same time, an organization that is dealing with an attack should be in contact with law enforcement, such as the FBI’s Internet Crime Complaint Center (IC3). “While the FBI may not be able to assist you or your organization, they do have resources,” Wells says. The FBI will collect information from the organization to make it easier to assist the next victim of the particular ransomware variant. Not only can law enforcement officials help assess the breach’s magnitude, but they can guide the organization in how to proceed. “Law enforcement can assist with communications with attackers,” Young says. Also, a law enforcement investigation provides evidence to help determine the identity and location of the bad actors. Companies should also contact internal legal representatives and engage external legal counsel that specializes in cybersecurity and incident response in the event the attack results in litigation, says Meredith Griffanti, cohead of the cybersecurity & data privacy communications practice at global business advisory firm FTI Consulting. They can help assess the situation Winter 2021 | The Cooperative Accountant
BEST PRACTICES and onboard additional vendors such as crisis communications providers and ransom negotiators under attorney-client privilege. They can also perform the proper compliance checks and other due diligence if a potential payment is made, Griffanti says. In some cases, the target has to inform regulatory bodies within 72 hours of learning of the incident. (See #6, “Meet regulatory compliance obligations.”) 4. Decide whether to pay the ransom. The biggest question that arises in the wake of a ransomware attack is whether to pay the ransom, and the answer is by no means easy. “Whether the ransom should be paid depends on the organization’s ability to recover from the impact of a ransomware attack,” says Harrisburg University’s Young. The cybersecurity team should consult executive management regarding the incident status and the organization’s ability to respond and recover in a reasonable amount of time. “Ultimately, the executive management team, including the CFO, may determine the risk is high that systems and information cannot be recovered in an appropriate timeframe. Therefore, they may decide to pay the ransom,” Young says. But he says that if an organization has planned and implemented the necessary security measures to detect, prevent, and recover from ransomware attacks, paying the ransom should be avoided. The CFO has a central role in assessing any business impact a ransom may have on an organization’s finances and the ability to fund day-to-day operations, Griffanti says. “However, ultimate decision-making should rest with the CEO, given the range of considerations that need to be evaluated — financial, legal, operational, reputational, and otherwise,” Griffanti says. A company’s board of directors will at the very least need to be informed of the decision about payment, and a company’s 29
general counsel or equivalent — in partnership with external legal counsel — should advise the CFO and CEO on what level of board engagement is prudent, says Griffanti. 5. Communicate news of the attack to other parties. Victims of ransomware attacks are obligated to inform a number of interested parties and stakeholders. These include employees, customers, business partners, insurance companies, corporate legal representatives, members of the media, and the public. “Communication … should be consistent and timely across the board,” Griffanti says. The most critical communications objective is that the organization’s stakeholders learn of the incident or notable developments from the company — not second-hand from threat actors or the media. In addition, communications should be done in lockstep with the legal strategy throughout the incident response process, Griffanti says. That ensures the information conveyed is rooted in fact and does not get ahead of any forensic investigations. “We typically recommend that clients start with developing key messages around what happened, what containment and remediation measures are in place, how the organization plans to communicate [amid] operational disruption, and when stakeholders can expect to receive updates, as appropriate,” Griffanti says. “From there, all communications materials can be tailored to individual audiences but should reflect consistent facts.” Senior management is usually responsible for communicating news of a significant cybersecurity breach, Young says. For example, the CEO, chief information security officer, or chief information officer should share the news with employees. Most likely, this will have to be done early on because once IT discovers an attack, it will have to disable Internet connectivity and shut down some or all systems. Keep this in Winter 2021 | The Cooperative Accountant
BEST PRACTICES regulations, New York State Department of Financial Services (NYDFS) regulations, or the European Union’s General Data Protection Regulation (GDPR). Companies may also have a contractual obligation to notify specific customers, partners, or vendors within a specified period.
mind when formulating the communications strategy. A public relations spokesperson or senior executive should be the pipeline to the media. The messages to the public must be transparent and accurate, Young stresses. “Misinformation, especially early on, can seriously damage the reputation of the organization and lose customers.” 6. Meet regulatory compliance obligations. All organizations, especially those in financial services and health care sectors, have to follow regulatory guidelines around cybersecurity incidents and data theft. “An experienced lawyer can help navigate not just the technical or even the compliance obligations, but can foresee potential legal, regulatory, and compliance risks,” Clark Hill’s Wells says. Data or information stolen in the attack may trigger compliance obligations on an expedited timeline, Well says. Often, the company has time to investigate before compliance deadlines are triggered, Wells says. “However, there are circumstances [when] the company has to provide notice before completing an investigation.” This includes attacks that involve data or information subject to Defense Federal Acquisition Regulation Supplement (DFARS) 30
7. Review what occurred before, during, and after the attack and make necessary changes. To learn from the experience, review the detection and prevention security controls that failed to protect the organization in the first place, Young says. He recommends meeting with the relevant vendors to determine possible causes. For example, was it a misconfiguration, a flaw in product functionality or design, a failed detection mechanism? The review should also include evaluating the IRP — or creating one if it doesn’t already exist. Finally, it’s important to hire an IT forensic investigator, Wells says, instead of relying on the internal IT group. “[The internal IT group] can be a valuable resource in the response, but ultimately you want a neutral third party — and one with experience handling ransomware events — to assist the company in the investigation and to help ward off potential claims of [investigatory bias].” Not only will an excellent independent forensic investigative team get to the bottom of what occurred and help improve the security of the company’s IT infrastructure, “but it will be familiar with collecting and preserving evidence for future use in possible litigation,” says Wells. (Source: AICPA & CIMA – CPA Letter Daily – CFO -October 26, 2021) Winter 2021 | The Cooperative Accountant