- Written by: Angela Appleby, CPA
The AICPA recently issued an update to the Trust Services Principles and Criteria for Security, Availability, Processing Integrity, and Confidentiality. The revised criteria are effective for reporting periods ending on or after December 15, 2014. SOC 2 SM reports are based on the AICPA’s Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (TSP section 100A).
In an effort to eliminate the redundancy and cross-referencing involved with the original Trust Services Principles and Criteria, the new criteria have been restructured to group all common criteria. The criteria used to be grouped together by the four different areas for each trust principle:
The new Trust Services Principles and Criteria group common criteria that apply to all principles into the following seven categories:
1. Organization and management
3. Risk management and design and implementation of controls
4. Monitoring of controls
5. Logical and physical access controls
6. System operations
7. Change management
In addition to these seven categories, service organizations must consider the additional criteria that are specific to availability, confidentiality, and processing integrity. Be aware that streamlining the common criteria does not mean that there are fewer controls that need to be in place, as those seven categories apply to all principles being reported on.
Some of the most significant areas of change and focus that services organizations should address:
- Greater focus on risk assessment.
- Code of conduct and background screening procedures are now required, whereas in the past it was an illustrative control for a specific criteria.
- Criteria surrounding disaster recovery and incident response-related controls are more specific.
- More focus on defined organization structure and reporting lines.
- More focus on performing root cause analysis over incidents that occur and their respective remediation efforts.
- Clearer communication of certain security criteria to internal and external users is now required.
- Streamlined criteria that provide an enhanced presentation for SOC 2SM reporting.
- Documentation prepared to explain to internal and external users the limitations of the system as well as each user’s responsibilities.
What do you need to do differently?
Although early adoption of the new Trust Services Principles and Criteria is permitted and most organizations that have undergone a SOC 2SM audit will likely have the controls in place to meet the new criteria, we suggest that your organization perform the following on behalf of clients:
- Assess current controls to ensure alignment with the newly issued criteria.
- Re-map existing controls to the new criteria to support coverage.
- Discuss any needed changes.
A service organization that currently provides, or has previously provided, a SOC 2SM or SOC 3SM report to stakeholders should understand the impact of these changes on its SOC reporting processes. If your client has not completed a SOC audit but provides outsourced services to customers, this is particularly important, especially where customers audit those processes themselves and the client completes checklists describing its internal control environment for them. This is also important if compliance initiatives such as HIPAA, GLBA, ISO 27001, and NIST 800-53 need to be achieved.
Angela Appleby, CPA, is an audit partner with EKS&H LLLP and leads the Risk Advisory Services group. Contact Angela at
- Written by: Vani Murthy, CPA MST
Clark v. Rameker became a controversial case when the bankruptcy court, district court and 7th circuit court gave differing opinions on its outcomes concerning Bankruptcy Code Section 522(b)(3)(C). This section excludes retirement funds to the extent that those funds are in a fund or account that is exempt from taxation under section 401, 403, 408, 408A, 414, 457, or 501(a) of the Internal Revenue Code of 1986.
Clark v. Rameker
Ms. Heffron-Clark and her husband filed a Chapter 7 bankruptcy petition and tried to exclude $300,000 in an inherited IRA from the bankruptcy estate using the “retirement funds” exemption. They argued that an inherited IRA was a retirement account because it was set aside for retirement by the previous owner and continues to bear the legal characteristics of a retirement fund even after the death of the previous owner. The Bankruptcy Court concluded that an inherited IRA does not represent “retirement funds” and disallowed the exemption. A District Court reversed the decision, stating that the funds were “retirement funds” as they retained the same character in the hands of the successor. The decision was subsequently reversed by the Seventh Circuit. The debtors finally appealed to the Supreme Court, which granted certiorari to resolve the split between the courts over this issue.
In deciding whether the inherited IRA was a retirement account, the US Supreme Court noted three legal characteristics of inherited IRAs that led to the conclusion that funds held in such accounts were not retirement funds: (1) the holder of an inherited IRA may not invest additional funds in the account; (2) owners of inherited IRAs are required to withdraw money from such accounts, no matter how many years away they may be from retirement; and (3) the holder of an inherited IRA may withdraw the entire balance of the account at any time without any penalty implications. Funds held in inherited IRAs accordingly constitute “a pot of money that can be freely used for current consumption,” 714 F. 3d., at 561, not funds objectively set aside for one's retirement.
By protecting funds in retirement accounts, the Bankruptcy Code preserves debtors' ability to meet their basic needs and ensures that they have a “fresh start,” but allowing that kind of exemption for an inherited IRA would convert the Bankruptcy Code's purpose of giving debtors a “fresh start,” Rousey, 544 U. S., at 325, into a “free pass,” Schwab, 560 U. S., at 791.
Additionally, the Court held that just because an inherited IRA bore the legal characteristics of a fund set aside for retirement at an earlier moment in time did not make it a retirement fund. Accordingly, the retirement fund exemption for the inherited IRA was denied.
Brandon C. Clark et ux., Petitioners v. William J. Rameker, Trustee, et al., U.S. Supreme Court; 13–299, June 12, 2014.
Vani Murthy, CPA MST is tax manager at Golbar and Associates.
- Written by: T. Steel Rose, CPA, ACS Editor
Time and billing studies have found that merely tracking time always more than pays for itself in professional service firms. Smaller firms that choose to do without it always leave money on the table that should have been billed or acknowledged. This also leaves the firm completely without a budget to estimate any tax or CPA firm engagement for the subsequent year. It is especially problematic for succession planning and firm valuation. Not using a time and billing product that captures and applies all time and expense also circumvents the valuable markdown process where the CPA reduces the price so the client can see where the firm acknowledges concessions based on the expected outcome.
Even though early pioneer Timeslips still has a measurable user base, time and billing products have evolved into practice management and workflow management powerhouses. Beyond just capturing time and expense per staff member per client, the software reduces process bottlenecks to accelerate project completion while reducing duplication of work.
Time and billing products have evolved to also provide seamless integration for QuickBooks. The products were once designed more generically for professional services firms while the more powerful products are made specifically for the workflow needs of CPA firms. Newer CPA firm-designed products emphasize multiple timesheet templates and multiple billing rates as well as WIP (work in progress) billing and payments, which can be customized for each client. Expect a mobile app where you can modify timesheets, expenses, projects, and clients that integrate with phone, email features and a secure chat module for messaging between CPAs and clients.
Today’s expanded time and billing software will handle all the basics of practice management: time and expenses, project management and tracking, contact management and emailing, invoicing and billing, client AR, staff scheduling, document management, markdowns, analytics, deadline tracking, calendar scheduling, customer contact management and data sharing with Microsoft Outlook, Word and Excel. Current products also provide security access types based on the project, client or task level. Most support audit trails and review processes so your firm can establish DCAA-compliant timekeeping and invoicing for certain government assignments.
Publishing CPA Magazine since 2002, T. Steel Rose began his career with Price Waterhouse leading to the start of Rose & Cash, CPAs. He was a Vice President for Solomon Software.
- Written by: Jason Tyra, CPA
Bitcoin has seen tremendous growth over the last twelve months. Taxpayers and not-for-profit organizations alike are now starting to wonder what the tax implications are for bitcoin (or other crypto-currency) denominated donations.
In order for a not-for-profit to accept donations in bitcoin, the organization must have a wallet address to receive the coins. The bitcoin network runs on a variety of different software clients that may be downloaded and installed to a local computer. Though all clients support address creation and will receive and store bitcoins, the best way to establish a wallet is probably to use one of the US-based payment processors, such as BitPay or Coinbase. There are three reasons for this:
- Online trading platforms are usually better at producing complete and usable records. Not-for-profits are required to maintain records indicating where their donations originated and may also be subject to donor imposed restrictions on the use of the funds. These organizations may also lack a dedicated accounting staff, making detailed record keeping difficult without outside help.
- Not-for-profit organizations are likely to want to sell their bitcoins right away. Online merchant processors provide options for immediate or pre-planned liquidations that may not be convenient with desktop bitcoin clients. Additionally, even if coins are kept on a local machine, they will likely need to be moved to an exchange in order to sell them.
- Storing bitcoins with a trading platform shifts the risk that they could be lost to theft, equipment failure, or natural disaster away from the organization and onto the processing platform. Though bitcoins do not enjoy FDIC insurance or many other protections associated with traditional bank accounts, many online merchant processing platforms employ state-of-the-art bank-type security features and store the bulk of their holdings in offline “cold wallets” (or in escrow) to keep them safe. Further, not-for-profits are prime targets for internal theft. An unscrupulous volunteer who might want to steal the organization’s bitcoin holdings can do so in a variety of technical ways, but would really need only to take the computer on which they were stored to complete the theft.
Here are a few different scenarios related to bitcoin donations that may come up and suggestions for dealing with them.
Taxpayer donates bitcoins by sending them to the organization’s wallet. The donation is deductible to the donor at its fair market value at the time of the donation. Generally, this would be the value, in dollars, of the bitcoins transferred at the time the transfer is made. Whether the organization liquidates them right away or holds them is unlikely to be a factor in their deductibility to the donor. However, the IRS may consider bitcoin exchange gains to be Unrelated Business Taxable Income to an exempt organization if they are not liquidated right away. The organization should provide an acknowledgement to the donor that includes the organization’s name, the donor’s name and the date and amount of the donation.
Taxpayer donates a substantial amount of bitcoins (i.e. more than $5,000). Bitcoins are likely to be treated as non-cash property when donated (similar to securities). A donor must fill out Form 8283 in connection with his tax return for donated property valued at more than $500. For property valued at more than $5,000, an appraisal is usually necessary, but bitcoin’s market value at the time of the donation is likely to be sufficient to meet this requirement. Again, the organization should provide an acknowledgement to the donor that includes the organization’s name, the donor’s name and the date and amount of the donation.
A third party accepts donations on behalf of the organization and then transfers the funds, either in the form of dollars or in bitcoins. This is not recommended, as donations received by an individual or an organization that is not a qualified not-for-profit may be treated as ordinary income by the IRS and/or may not be deductible to the donor. If you or your organization elects to raise funds this way, ensure that you maintain thorough documentation concerning your intent as well as the receipt and disposal of donated funds.
- Written by: Robert Brant, CPA and Kenneth J. Burstiner, CPA
In March 2010, the Patient Protection and Affordable Care Act was signed into law. Its provisions included the establishment of a 0.9% Additional Medicare Tax (Code Sec. 3101(b)(2)) and a 3.8% Medicare tax on Net Investment Income (Code Sec. 1411). The additional Medicare tax of 0.9% is imposed on earned income in excess of $200,000 for individuals and $250,000 for married couples filing jointly. For certain taxpayers, the combined Medicare tax rate will approach 2.35%. Employers are required to withhold this 0.9% tax when an employee’s wages meet the criteria; however, they are not required to determine whether the threshold is met due to other sources of earned income.
Jane Smith earns $175,000 at ABC Inc. Jane Smith does not meet the threshold, so there is no additional withholding requirement. However, Jane’s spouse also earns $175,000. Together, they meet the threshold for married taxpayers filing jointly, and are responsible for paying the 0.9% tax directly.
John Doe earns $210,000 at XYZ Corp, meeting the threshold for mandatory withholding. If John is married and his spouse has self-employment income of $30,000, their combined earned income does not meet the threshold. Any “excess” tax paid in would be claimed as a credit on their 2013 tax return.
3.8% Medicare Tax on Net Investment Income
For the first time, a payroll-type tax will be levied on investment income. Previously, the Medicare tax has only been levied on wages or self-employment income. The tax is calculated by applying the 3.8% statutory rate to the lesser of (1) net investment income or (2) the excess of Modified Adjusted Gross Income (MAGI) over a threshold amount of $200,000 for single filers and $250,000 for married taxpayers filing jointly. This tax also applies to estates and trusts. If the taxpayer’s MAGI is less than the threshold amount, no tax is due. The threshold amounts are not indexed for inflation and will likely affect more taxpayers in subsequent years.
Bill is single, with net investment income of $10,000 and MAGI of $205,000. His additional Medicare tax is $190 ($205,000 minus $200,000, times 3.8%). Bill’s MAGI excess of $5,000 above the threshold is less than his net investment income of $10,000; therefore, the tax is calculated on the $5,000.
Bill has MAGI $175,000 and net investment income of $10,000. Since his MAGI is less than the $200,000 threshold, no tax is due.
Net Investment Income
There are three categories of income:
- i) Gross income from interest, dividends, royalties and rents, unless such income is derived in the ordinary course of an active trade or business other than a securities or commodities business.
- ii) Other types of gross income derived from a) a trade or business that is a passive activity for the taxpayer under Sec. 469, or (b) a financial instrument or commodities business as defined under Sec. 475.
- iii) Net gain attributable to the disposition of property other than property held in an active business that is not a securities or commodities business.
Net investment income does not include Social Security, pensions, IRAs, or tax exempt interest.
What to do? Planning Considerations
There are two variables to consider when planning for this tax – net investment income and MAGI. Reducing one or both will reduce or eliminate the additional tax.
Strategies to consider include:
1. Converting taxable interest to non-taxable interest by purchasing municipal bonds. The interest from these bonds is not subject to the tax nor is it included in the calculation of MAGI.
2. Maximizing contributions to retirement plans.
3. Harvesting capital losses if there are realized gains already in one’s portfolio. Net capital gains will be included in investment income subject to the tax as well as MAGI. Using capital losses will reduce both numbers.
4. Consider increasing participation in “passive activities.” Net investment income includes amounts generated by passive activities such as real estate or rentals. If one increases participation so as to “materially participate” in an activity, the income will not count as net investment income.
These strategies should be considered in conjunction with an overall investment plan and should be discussed with your tax and investment advisors.
Robert Brant, CPA is a Senior Manager at WeiserMazars LLP and Kenneth J. Burstiner, CPA is a Senior Manager at WeiserMazars LLP.