Tax Accounting for the New Partnership Audit Rules · 2018-05-15 · Partners have no rights to participate in audit, receive notice of key audit stages, or contest audit results

Tax Accounting for the New Partnership Audit RulesNATE SMITH, CBIZ NATIONAL TAX OFFICE MAY 18, 2018

Speaker

Nate Smith is a Director in the CBIZ National Tax Office, bringing over 20 years of

experience in public accounting to provide technical support and strategic

solutions for the firm’s tax practice. Nate leads the development of practice aids

and tactical approaches used in responding to industry and Federal tax

developments in a variety of subject matter areas. He also consults nationally to

facilitate delivery of client service opportunities and solutions, contributes as an

author and editor to the firm's tax thought leadership publications and assists with

the development and implementation of national tax policies and procedures.

727.572.1400 • [email protected]

Nate Smith, CPADirector, CBIZ MHM, LLC

CBIZ, Inc.Tax Accounting for the New Partnership Audit Rules2

Topics for Today

Overview of new partnership audit rules

Example: Net increase from exam; one partner leaves

Accounting for adjustments under ASC 740

3 Tax Accounting for the New Partnership Audit Rules CBIZ, Inc.

Overview of New Rules

Overview of New Partnership Audit Rules

IRS facing significant challenges in conducting audits under existing TEFRA rules Identification of Tax Matters Partner

Administration of required notice and participation rights

Processing of examination adjustments for ultimate partners

Bipartisan Budget Act of 2015 (“BBA”) signed into law on November 2, 2015

New audit rules generally apply to partnership tax years beginning after December 31, 2017

Many strategies to consider under new rules; specific concerns of partners effectively require every partnership and LLC to amend its partnership/member agreement



New rules fundamentally change the IRS examination and tax collection process for partnerships Underpaid tax, interest and penalties resulting from

unfavorable exam adjustments (“imputed underpayment”) assessed against and collected from partnership itself

Payable by partnership during the “adjustment year,” which is the year when “final partnership adjustment” IRS notice is mailed; reported on partnership’s adjustment year tax filing

Exam adjustments not resulting in imputed underpayment (favorable adjustments) do not produce a refund; instead are reported as income adjustments in partnership’s adjustment year tax filing



Eligible partnerships provided with annual election to “opt out” of new rules. Eligible partnerships: Cannot issue more than 100 “statements” (Schedules K-1)

Cannot have a partner that is a partnership or a trust

Under proposed regulations, cannot have a partner that is a disregarded entity, nominee, or non-partner’s estate

Can have foreign partners, if such partners have TIN, and would be treated as C Corporations if they were domestic

Under proposed regulations, shareholders of S corporation partners count toward 100-statement limit


Does the partnership always want to opt out? How will it ensure ineligible partners are not admitted?


Tax Matters Partner eliminated

Partnership Representative (“PR”) installed and given exclusive authority to bind the partnership and its partners to strategies employed during audit PR can be any person (partner or non-partner), as long as

the person has a “substantial presence in the United States”

Partners have no rights to participate in audit, receive notice of key audit stages, or contest audit results

Under proposed regulations, PR can be entity, as long as U.S. individual also is identified to act for entity

IRS can name a PR if a designation is not in effect


Do partners want separately-negotiated rights to notification and participation?


An imputed underpayment is calculated by netting exam adjustments of similar character, and multiplying the netted positive amounts by the highest rate of tax in effect (for any type of taxpayer) for the year to which the adjustment relates Adjustments to partnership’s credit items then increase or

decrease the tentative calculation

Remember, netted non-positive amounts reported as income adjustments in partnership’s adjustment year tax filing

Decrease side of reallocations and recharacterizations do not net; treated as separate non-positive adjustments (picked up in adjustment year)



PR can request alternative to the default imputed underpayment calculation, using “modification” procedures, or using a “push-out” election Modification procedures and push-out elections operate to

reduce or eliminate a portion or all of the partnership’s liability for an imputed underpayment Under technical corrections legislation, modifications or

push-out elections may be requested even if no portion of the exam adjustment results in an imputed underpayment, so if the adjustment is purely non-positive (favorable), all of these options are still available (big change from proposed regs)

The PR is the only person with IRS authority to choose a modification procedure or to make a push-out election



Modification procedures: Amended returns Amended returns for “reviewed year” (the year pertaining to

the exam adjustment) filed by some or all partners

Amended returns do not have to be filed by all partners, or any partners

However, in the case of a reallocation adjustments, all affected partners must file amended returns

Default imputed underpayment does not include exam adjustments taken into account on amended returns


How will former partners be bound by this when PR determines it is in the current partners’ interest?


Modification procedures: Amended returns (cont’d) Amended returns must also be filed for “intervening years” if

affected by adjustment

Amended returns can be filed by “indirect partners” (e.g., owners of S Corporation partners and Partnership partners) to satisfy modification criteria for adjustments allocable to pass-through partners

Under proposed regulations, pass-through partners (e.g., partnership partners and S corporation partners) can elect to file an amended return that calculates an entity-level tax using a safe-harbor rate equal to the maximum rate for any type of partner, instead of providing for amended returns from indirect partners



Modification procedures: Amended returns (cont’d) If desired, the partners can simply pay the tax that would be

due with amended returns (without actually filing amended returns), make binding changes to their tax attributes for subsequent years, and provide the IRS information to substantiate that the tax was correctly computed and paid

This has the same effect as amended returns, and is referred to as the “pull-in” procedure



Modification Procedures: Rate Modification Rate of tax used to compute imputed underpayment is

reduced when shown that the highest tax rate for particular partners is lower than the highest rate for any partner

C Corporations have a maximum rate of 21%

Individuals have a maximum rate of 20% for the portion of adjustments allocable to qualified dividend income or long-term capital gains

S Corporation partners considered to be individuals

Under proposed regulations, partnership partners are eligible to substantiate rate modification to the extent adjustments are allocable to its own partners who have the above criteria



Modification Procedures: Tax-exempt Partners Rate of tax used to compute imputed underpayment is

reduced when shown it is allocable to a “tax-exempt” partner as defined under IRC §168(h)(2)

Under proposed regulations, the tax-exempt partner must also demonstrate its adjustment is not subject to unrelated business income tax


Is there a procedure to provide for dynamic data sharing so PR can have timely access to this data?


Push-out election In lieu of imputed underpayment, partnership elects to have

the exam adjustment “pushed out” to all reviewed yearpartners affected by adjustment

No amended returns filed; reviewed year returns recomputed with adjustment to identify tax increase

Tax increase payable by reviewed year partners during the year that the adjustments are reported

Interest on underpaid tax includes a 2% surcharge

Non-positive adjustments result in tax decrease

Non-positive (favorable) adjustments can be taken into account as a result of technical corrections legislation (big change from proposed regulations)



Push-out election (cont’d) Corollary adjustments to “intervening years” also required

Exam adjustments are permitted under technical corrections legislation to push out to indirect partners (e.g., owners of partnership partners and S corporation partners)

Proposed regulations allow for any partner (including a pass-through partner) impacted by push-out election to elect a “safe harbor” tax calculation, which permits the partner to simply use the maximum rate of tax with respect to a push out adjustment, and removes the need to calculate intervening year adjustments



Other modifications Proposed regulations provide for additional types of

modification procedures to default imputed underpayment

Publicly-traded partnerships demonstrating a net decrease to passive activity losses

Adjustment relates to “deficiency dividends” of a regulated investment company or a real estate investment trust

Adjustment taken into account by a partner in a closing agreement with IRS (similar effect to amended return)


Example

Net increase from exam; one partner leaves

Ex.: Net increase from exam; one partner leaves

Partnership “P” is formed during Year 1 by Partners “A” and “B,” with agreement to share 50/50

Assume the beginning tax basis of A’s and B’s partnership interest is $0 each

P has Year 1 income of $1,000, allocated 50/50 to A and B

P has Year 2 income of $0, and during Year 2, A sells her entire interest in P to new Partner “C” for $600 A recognizes $100 gain on sale (the difference between her

Year 2 sales proceeds and basis of $500 that results from her Year 1 and Year 2 allocations from P)

P’s Year 1 tax return is audited during Year 3, where Year 1 income is re-determined to be $1,200 instead of $1,000



Under the default imputed underpayment rule, tax on the $200 unfavorable adjustment is paid by P during Year 3 B and C economically bear the cost of the imputed

underpayment, which is “unfair” to C

Under the “push-out” election, the $200 unfavorable adjustment is pushed out to A and B, who re-compute their Year 1 taxes to account for the adjustment, and then report the resulting tax on their Year 3 tax returns “Fairer” to C, in that A remains responsible for the tax

increase attributable to A

A and B have no choice to comply with effects of election

A and B are subject to the 2% interest surcharge

BUT, what about “intervening year” adjustments?



Under the “push-out” election, A must include “intervening year” adjustments Once A makes her $100 Year 1 push-out adjustment, her

basis in P at the end of Year 2 is increased from $500 to $600. As a result, A’s Year 2 gain on sale to C is reduced from $100 to $0.

A’s Year 2 tax decrease (resulting from this gain reduction) is taken into account in determining the final amount A must pay with her Year 3 tax return

Technical corrections legislation solved a major problem here, since previously the decrease adjustment could not be taken into account and would have whipsawed Partner A



Under the amended return option, some or all of P’s Year 3 imputed underpayment can be replaced with tax paid by A and/or B on amended returns to be filed for Year 1

Assuming A uses the amended return option, she will prepare a Year 1 amended tax return and pay the tax resulting from the $100 exam adjustment allocable to A

A’s Year 2 taxes can be re-determined under the amended return option, so A can claim a refund for the tax paid on the Year 2 gain of $100 that is re-determined to be $0 “Fair” to both A and C, but comes with the administrative

burden of filing returns

Also, remember that A and B do not have to cooperate



Practical concerns Who will help the Partnership Representative make the

appropriate choice?

What if A is subject to different tax rates on ordinary income and capital gains? A will not care much for the amended return option in that case, and would prefer the default rule (which hurts C). Note that the partnership must rely on A’s cooperation to take advantage of this modification procedure (the partnership cannot force A to amend, unless there is a previous contractual consent). On the other hand, the partnership could make a push-out election, without a need for A’s consent.

Will A have recourse against P if A is not consulted on choice between “push-out” election or amended return option?

These contingencies must be addressed in a revised partnership agreement


Accounting for Adjustments Under ASC 740


The new partnership audit rules provide that tax payments associated with examination adjustments are payable by the partnership itself, unless alternative actions are taken by the partnership representative This is an entity-level payment obligation, despite the fact

that a partnership is otherwise a pass-through entity for federal income tax purposes

The entity-level payment obligation resulting from the default rule raises new accounting considerations for a partnership, which otherwise refers to accounting guidance for pass-through entities Does ASC 740 govern accounting for the entity-level

payment obligation of a partnership?



The scope of potential tax payments to be made at the entity level includes: Tax resulting from examination adjustments discovered

during an IRS audit Tax resulting from administrative adjustment requests filed

by the partnership (the equivalent to an amended return for partnerships subject to the new audit rules) Interest and penalties on any entity-level tax payment

The potential for payment under any of these events indicates that (prior to these occurrences) the partnership has uncertain tax positions Does this extend the recognition and measurement analysis

of ASC 740-10-25-5 (aka “FIN 48”) to a partnership’s federal tax positions?



The partnership representative can restore the traditional application of pass-through taxation for examination adjustments by: Electing out of the new partnership audit rules, if eligible Making an amended return modification request (or a pull-in

modification request) Making a push-out election

This adds a conceptual wrinkle to the existing question about the proper accounting for entity-level payments, because any of these actions by the partnership representative are optional Must one assume the default rule because of this optionality? If not, what factors could overcome this optionality for financial

accounting purposes? Before asking these questions, it must first be determined whether

ASC 740 applies to entity-level payments under the default rule



Basic accounting guidelines for pass-through entities (PTE): Generally, no entity-level income tax accounting because the

PTE’s owners are taxed on their respective shares of the PTE’s taxable income (ASC 740-10-30-2, ASC 740-10-40-6)

Accounting rules for uncertain tax positions generally apply to the PTE (ASC 740-10-15-2AA)

Regarding a taxable entity’s investment in a PTE, the widely-accepted view is that the taxable entity’s investment in the PTE is treated as the unit of account for ASC 740 purposes (rather than the taxable entity’s proportionate share in each of the PTE’s assets/liabilities) Nevertheless, a taxable entity’s current taxes on its share of

income from a PTE, as well as the deferred taxes on its investment in the PTE, remain subject to the basic recognition and measurement criteria of ASC 740-10-25-5 (FIN 48), which requires consideration of the taxable entity’s share of uncertain tax positions within the PTE



The accounting guidance of ASC 740 applies only to taxes based on income (ASC 740-10-15-3)

Section 6221(a) of the Internal Revenue Code provides that tax on exam adjustments is assessed and collected at the partnership level, notwithstanding modification requested by the partnership representative Section 6232(a) provides that the assessment and

collection occurs in the same manner as if it was a tax imposed under “subtitle A” (income tax)


What to make of the partnership’s entity level payment

(or potential FIN 48 liability for payment)


Although the law provides that payment in this case is “assessed and collected” at the entity-level in a manner similar to income taxes, this does not clearly answer the accounting question as to whether the payment is a tax based on income “Assessed and collected” seem to speak to a legally enforceable

payment obligation, but do not exactly insinuate that the payment is a tax liability based on the partnership’s income

In Baltic v. Com’r, 129 T.C. 19 (2007), the Court noted that Section 6203 defines “assessment” as “the formal recording of a taxpayer’s tax liability”

Many other courts noted similarly (see for example, Miller v. U.S., 763 F. Supp. [1534] at 1543 (N.D. Cal. 1991))

In an effort to answer the question, the Regulations and other sources should also be reviewed



In the preamble to June 2017 Proposed Regulations, it is stated that “the partnership is liable for an imputed underpayment based on the adjustments made at the partnership level” (NPRM REG-136118-15)

In the preamble to December 2017 Proposed Regulations (dealing with push-out elections), the IRS stated that: “Partnerships, as such, are not subject to tax under chapter 1 of

the Code . . .”

. . . and with respect to assessment and collection from the partners, went on to say . . .

“The enactment of the centralized partnership audit regime changed this paradigm by introducing the imputed underpayment, an entity-level liability . . . that is assessed and collected at the partnership level, rather than being assessed and collected from the ultimate partners.” (NPRM REG-120232-17; REG-120233-17)



The 2015 explanation of the new rules provided by the Joint Committee on Taxation address this issue directly, where they state in their “Blue Book” report: “Under the centralized system, the flowthrough nature of the

partnership under subchapter K of the Code is unchanged, but the partnership is treated as a point of collection of underpayments that would otherwise be the responsibility of partners.” (JCS-1-16, at 79)

As articulated here, the partnership’s payment is regarded as a collection mechanism with regard to the tax responsibility of the partners, lending strong credence to the notion that the payment is not a tax on the partnership’s income Although this is directly on point, the authoritative weight of the

Blue Book report is applicable only when the statute is ambiguous (Caltex Oil Venture v. Com’r, 138 T.C. 18, 34 (2012); Burlington N.R.R. v. Okla. Tax Comm’n, 481 US 454, 461)



Recap regarding the nature of the payment as a tax based on income The law only states that a payment is “assessed and

collected” at the partnership level

The December 2017 proposed regulations are somewhat helpful in re-stating that partnerships are not subject to tax, as they went on to distinguish changes relating to liabilities that are “assessed and collected” at the partnership level

The Joint Committee on Taxation’s report is very helpful in answering this question, and although its authoritative weight is much less than that of the Code and Regulations, it can be considered to the extent the Code and Regulations are ambiguous



Through examples, ASC 740 touches on some broad concepts involved with determining whether a payment is a tax based on income

Example at ASC 740-10-55-228 In a situation involving an S corporation where laws and

regulations permit the S corporation and its shareholders to be held jointly and severally liable for payment of income taxes, and where those laws and regulations also indicate that the S corporation’s payment is made on behalf of its shareholders, the S corporation’s payment is attributed to its shareholders. Hence, the payment is treated as a transaction with the shareholders.



Example at ASC 740-10-55-228, cont’d On the first condition in the example, Section 6232(f)

provides that a partnership’s failure to satisfy the entity-level payment obligation allows the IRS to pursue payment from each partner However, this is not a “joint and several” payment right, in

that the IRS cannot pursue all of the payment from any of the parties involved The IRS must first pursue payment from the partnership,

and only after the partnership fails to pay by a specified date, may the IRS pursue payment from the partners Even if the partners become liable, they are each liable

only on their proportionate shares of the payment, so there is no joint and several payment right for the IRS here



Example at ASC 740-10-55-228, cont’d On the second condition in the example, the Joint

Committee on Taxation’s Blue Book report indicates that the partnership’s payments are made on behalf of the partners, however, federal laws and regulations do not indicate this

Accordingly, the example at ASC 740-10-55-228 is not analogous to the new partnership audit rules and does not answer the question



Example at ASC 740-10-55-226 In a situation where tax is assessed on a partnership and

where partners are permitted to file personal returns and claim a pro rata share of the partnership’s payment as a credit, the partnership’s payment is attributed to the partners regardless of whether they file, and regardless of any reimbursement arrangement from the partners. Hence, the payment is treated as a transaction with the partners.

This example is not analogous to the new partnership audit rules either, because the federal laws and regulations do not permit partners to claim credits on personal tax filings based on the partnership’s entity-level payment

As such, this example does not answer the question



Example at ASC 740-10-55-227 In the previous situation, where no provision is made for the

partners to file personal returns and where laws and regulations do not indicate that the partnership’s payments are made on behalf of the partners, the payment is attributed to the partnership and is subject to ASC 740 This example is the closest to the new partnership audit

rules, because on the first condition, provisions do broadly exist for partners to file personal returns On the other condition in the example, again the Blue Book

report indicates that the partnership’s payments are made on behalf of the partners, however, federal laws and regulations do not indicate this As such, this example does not answer the question directly,

but it is closer than the others



In March 2018, the AICPA posted “Q&A Section 7200” (item .09) to state its position for this question

In the AICPA guidance, they provide as follows: “[T]he collection of tax from the partnership is merely an

administrative convenience on the part of the government to collect the underpayment of income taxes from the partners in previous periods. Accordingly, the income taxes on partnership income, regardless of when paid, should continue to be attributed to the partners and, therefore, the partnership would not apply the FASB ASC 740 accounting model . . .”

The AICPA guidance then states: “[A] payment made by the partnership under the IRS partnership

audit regime should be treated as a distribution from the partnership to the partners in the financial statements of the partnership.”



The AICPA guidance echoes similar views from other major accounting firms and from the Joint Committee on Taxation’s Blue Book, and reflects the notion that the partnership’s payment is for the benefit of its partners, and does not constitute a tax on partnership income

Accordingly, the questions about whether the partnership representative takes certain actions to modify or eliminate the entity-level payment liability are irrelevant in concluding that ASC 740 does not apply to potential liabilities under the new partnership audit rules



Because ASC 740 does not apply here, accounting for the liability is treated as a transaction with the partners (as a distribution for financial accounting purposes)

The timing of such liability depends on when the partnership is obligated to pay This generally is when the partnership declares a

distribution

In this case, a partnership likely should consider accounting guidance under ASC 450 to determine when its distribution (obligation to pay) is effectively declared ASC 450 standards require consideration of liabilities that

are probable and reasonably estimable


?

QUESTIONS

?

??


44

SPEAKER

CYBERSECURITY: GOVERNANCE, THREATSAND RISK MANAGEMENT

Steven J. Ursillo, Jr.Partner, National Leader of Information Assurance & Cybersecurity [email protected]

Steven J. Ursillo, Jr.Certifications: CPA, CGMA, CITP, CIA, CFE,

CISA, CISM, CISSP, CGEIT, CRISC, CEH, CCSFP

Partner, National Leader of Information Assurance & Cybersecurity

Meet the Speaker

Steve specializes in risk management, internal control over financial reporting, information system security, privacy, cyber fraud prevention and detection, security and privacy governance, and IT assurance services.

With more than 20 years of experience, Steve provides a variety of IT audit and security services for his clients across multiple industries. His background and knowledge with risk assurance and advisory engagements include information security readiness, cybersecurity, security and privacy attestation services, third‐party assurance including ISO 27001/PCI/NIST/HITRUST/HIPAA HITECH Security Assessments, cyber risk assessments, vendor risk assessments, disaster recover reviews, privacy reviews, Service Organizational Control (SOC) reporting including SOC 1, 2 & 3, ISAE 3402 as well asother types of attestations and readiness assessments. In the area of information security, Steve’s experience ranges from security consulting and implementation to security assessments involving network and attack and penetration testing.

CybersecurityWhat You Can Do

Focus and Objectives

Today’s Learning

Objectives

Facilitate a collaborative discussion to increase awareness around cyber security risks and threats

Facilitate a collaborative discussion around the cybersecurity risk mitigation tactics

Facilitate a collaborative discussion around senior management and board responsibilities pertaining to information security governance and incident response

Facilitate a discussion on other technology trends and related security considerations.

Cybersecurity Threat Landscape

Ransomware use is growing exponentially (RAAS)

Ransomware attacks evolve from simple malware, persistent attacks to destructive attacks.

IoT devices (smart appliances, smart entertainment) create a new attack vector for DDoS and malware attacks

Financial attack techniques are becoming more sophisticated

Attacks are continuing to be more targeted

Attackers are distributing malware for crypto currency mining

As cloud service usage proliferates, the amount of sensitive data on the public cloud increases

Cyber Threat LandscapeWhat are the trends?

6

Cyber espionage and warfare is on the rise

Hacktivism causes worldwide political subversion and sabotage

Phishing attacks will continue to thrive across social media platforms

Fake ads and ad wars will continue to escalate

Web applications are evolving at a faster rate than web security tools

Fileless malware leaves no evidence to be found during investigations

Cyber attackers are utilizing Artificial Intelligence (AI)

Cyber Threat LandscapeWhat are the trends? (Cont.)

7

How Much Technology Is Too Much?

8

How Much Technology Is Too Much?

9

Average cost of U.S. cybercrime rises to $17 million in 2016 ($15 million in 2015)

Only 39% of companies have implemented advanced data backup and recovery processes – reducing the average cost of a cybercrime by $2 million

– CIO Insight, 2017

Cost of Cybercrime

10

Cost Per Record

Ponemon Institute's 2017

Global Cost of Data Breach Study

$141 in 2017 - cost per record average ($225 average in US)

$380 cost per record average (healthcare)

$245 cost per record average (financial services)

Breach Impact

11

State Security Breach Notification Laws:

All 50 states as of 3/29/18 have enacted legislation for notice to individuals for breach of PII

The District of Columbia, Guam, Puerto Rico and the Virgin Islands

Customer / Vendor Contractual breach notifications requirements

Breach Impact

12

Federal Breach Notification Requirements: Privacy Act, the Federal Information

Security Management Act, Office of Management and Budget Guidance, the Veterans Affairs Information Security Act, HIPPA, the Health Information Technology for Economic and Clinical Health Act, the Gramm-Leach-Bliley Act, the Federal Trade Commission Act, the Fair Credit Reporting Act.

Breach Impact

13

Organized Crime/Terrorists

State Affiliated/Nation State

Hacktivists/Activist

Insiders…

Sources of Attacks

Insiders:

Employee

Disgruntled Employee

Past Employee

Hackers/Crackers

Unaffiliated

Competitor (Espionage)

Terrorist

Vendor / Customer (Trusted 3rd Party)

Sources of Attacks (continued)

Loss of private, confidential, customer data

System availability or service levels

Third party dependencies (vendor management)

Data breach (lack of incident response)

Spear phishing attacks

Attack sophistication and evolution

Data management

What Keeps the Board, Executive Management, and Audit Committees Up at Night?

Strategy, Compliance, Operational, Financial, Reputational Risk considerations

Lawsuits and legal implications

Proper risk mitigation

Negative publicity

Are we doing the right thing?

What Keeps the Board, Executive Management, and Audit Committees Up at Night? (continued)

Types of Information Stolen Stolen

Personal (ePHI, PHI, PII) Confidential (1st and 3rd Party) Credentials and System Secrets, Classified Controlled Unclassified

Information (CUI) Covered Defense Information

(CDI) Source Code Copyrighted, Proprietary Financial

18

Compromise to Detection

19

Mandiant M-Trends:

47% of victims discovered the breach internally

53% of victims were notified by an external entity

The median global time from compromise to detection dropped from 146 days (2015) to 99 days (2016)

Detection of Compromise

Threat activity increased in two key industries, financial services (15% to 19%) and education (3% to 8%)

Attacks are becoming more sophisticated – lines between nation-state actors and financial threat actors are becoming blurred

Detection of Compromise (continued)

NIST Cyber Security Framework

22

Phishing/Spear-Phishing

Malware, ransomware and social engineering

Client side threats, risks

Phishing/spear-phishing

Corporate account takeover and fraud

Insecure web application threats and risks

InfoSec Risk & Threat Overview

Physical & environmental threats, risks

Network threats and risks

HR and sourcing threats and risks

Cloud and vendor (third-party) threats and risks

Spam level reduced, campaigns are lasting longer

GreatHorn 2017 Spear Phishing Report

91% of phishing attacks are display name spoofs

Direct spoofs were 8% and domain lookalikes 1%

Highly targeted spear phishing, exploiting trust and pressure tactics

Malware embedded in attachments and documents

Continues to be a very effective method for exploit/payload delivery

Phishing/Spear Phishing

24

Examples of Phishing Attempts

25

Email Address does not match the sender



27

Be Aware!

28

Valid Site/Certificate for Salesforce

Email Address does not match the Sender:

Potentially unsafe web site


29

Unfortunately, it only takes….

Emails that contain links even from known friends/family/coworkers

The link does not point to the actual site presented

The site is not secure

Emails that contain a download (picture, file, document, etc.)

Emails that create a scenario where your ‘friend’ is stuck in a country and needs money to get home, won the lottery, etc.

Techniques to Identify Phishing Attempts

A message with a response to a question you never had

Validate the message came from a legitimate sender by verifying the email address

A message explaining there is a problem and some information needs to be verified by clicking on a link

The link might look legitimate (all the right logos, content, etc.)

Convey a sense of urgency or warning if you fail to act soon

Techniques to Identify Phishing Attempts (Cont.)

What To Do

Slow down

•If a sense or urgency is conveyed be skeptical; never let their sense of urgency influence your review of the request

Research

•Do some research on the company or service. Use search engines to navigate to the company’s website

Reject any requests for assistance

•Charity donation, restore credit scores, refinance a home, answer your question, etc.

Control where you navigate

•Use search engines to find the web page rather then clicking directly within the email

33

A form of malware that locks or encrypts a victim’s files and demands a ransom payment in order to restore access to the files

Typically spread via phishing emails or distributed once a system is compromised

Attacks may demand electronic payment such as Bitcoin Some attacks increase the stakes as time passes,

demanding an increased payment and threatening to delete files from the system

The average ransom payment amount is $1,077 Prominent ransomware attacks: WannaCry, NotPetya,

CryptoWall, CryptoLocker, Locky, TeslaCrypt, Cryakl, Crowti, Fakebsod, WannaCry

What is Ransomware?

34

WannaCry

35

Back up your data and keep a recent backup off-site, access controlled and logically separated

Network and host segmentation, zero trust Be suspicious of unsolicited attachments Update and customize anti-spam management

protection Use anti-malware, web proxy and browser popup

protections Comprehensive malware scans including

compressed and archived files

Ransomware Prevention

Use strong passwords and multifactor authentication Disable file sharing, remote management and desktop services, wireless

communication, etc. unless needed Restrict executable from running in known malware locations Enable the showing of file extensions Restrict known address used in campaigns (Tor) Don’t use administrative accounts for non-administrative tasks If infected, disconnect from the network and external media right away. Employee training and awareness

Ransomware Prevention (Continued)

Targeted phishing campaigns A new breed of social engineering Malvertising Malicious tiny URL’s Exploitation of trust Abuse of the inherent use of social media (information sharing)

PREVENTION: Don’t accept everyone in your social circle Training and awareness Scrutinize all mobile downloads and app permissions Implement a social media policy Restrict the use of social media from trusted platforms

Social Media Attacks

38

Corporate Account Takeover

• Attacks perpetrated to electronic banking technology

• Distributed like any other malware

• Corporate and personal targets

• Elaborate fraud using in depth knowledge

- technology, business and financial

39

EFT Risk Assessment EFT Transaction Workflow

Documentation Segregation of Duty (Initiation

and Approval) Dedicated EFT Trusted Systems Multi‐factor Authentication

with Independent Mechanism (Token, FOB, SMS, Secure ID,

etc.)

Corporate Account Theft Mitigation

Logging, Monitoring and Reporting (systems, traffic and accounts)

Daily EFT Reconciliations Dedicated Clearing Accounts Positive Pay and Debit Blocks General IT Security and Controls

(Firewall, malware and AV, patch management, etc.)

http://www.journalofaccountancy.com/Issues/2010/Oct/20092174.htm

Cloud and Vendor Threats and Risks

Traditional risks apply

Cloud technical risks

Data access / segregation

Insecure APIs

Malicious Insiders [ Subcontractors]

Shared Technology Vulnerabilities

Maintenance of secure infrastructure

Cloud governance and legal risks

Lack of control and transparency

Lack of expertise or structure around vendor mgt

Lack of data management procedures

Service level disruptions

41

Cloud and Vendor Risk Mitigation

Cloud (system) functional risk assessment

Structured vendor management program

Identify and manage cloud

service providers

Identify scope of services

Identify data management requirements

Service level agreements

Restrict to only authorized

providers and services

Understanding of each parties roles

and responsibilities

Backup and restoration strategies

42

System and Organization Control Reporting (SOC) SSAE 18

43

SOC 1 SOC 2 SOC 3

SSAE 18 (for all reports issued on or after May 1, 2018

Restricted Use Report (Type I or Type II)

Generally a Restricted Use Report(Type I or Type II)

General Use Report

Controls over Financial Reporting (ICFR)

Trust Service CriteriaTSP Version 100TSP Version 100ATSP Version 100A‐1

SSAE 18(105, 320 & 205)

SSAE 18105, 205 – SOC2 (exam)

SSAE 18105, 205 – SOC2 (exam)

44

SOC Suite of ServicesReporting

LevelReport Category Intended Audience Benefit

Entity SOC for Cybersecurity

Board

Management

Investor

Regulator

Analysts

Transparency regarding the entity’s cyber risk

management

Service

Provider

SOC2

(New guide coming)

Business unit management

Vendor risk management

Accounting / internal audit

CISO

BCP

Transparency for the services provided and

provides assurance over the selected principles.

with detail

Service

Provider

SOC 1

(Recently released

guide)

Use of these reports is restricted to the management of

the service organization, user entities, and user auditors.


provides assurance over internal control over

financial reporting. with detail

Supply

ChainNew guide coming

Business unit management

Vendor risk management

Accounting / internal audit

CISO

BCP


provides assurance over the selected principles.

with detail

45

CIS Critical Security Controls (formerly SANS Top 20)

•Inventory of Authorized and Unauthorized Hardware DevicesCSC 1

•Inventory of Authorized and Unauthorized SoftwareCSC 2

•Continuous Vulnerability Assessment and RemediationCSC 3

•Controlled Use of Administrative PrivilegesCSC 4•Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and ServersCSC 5

•Maintenance, Monitoring, and Analysis of Audit LogsCSC 6

•Email and Web Browser ProtectionsCSC 7

46

CIS Critical Security Controls (Continued) (formerly SANS Top 20)

•Malware DefensesCSC 8

•Limitation and Control of Network Ports, Protocols, and ServicesCSC 9

•Data Recovery CapabilityCSC 10

•Secure Configurations for Network Devices such as Firewalls, Routers, and SwitchesCSC 11

•Boundary DefensesCSC 12

•Data ProtectionCSC 13

•Controlled Access Based on the Need to KnowCSC 14

47

CIS Critical Security Controls (Continued) (formerly SANS Top 20)

•Wireless Access ControlCSC 15

•Account Monitoring and ControlCSC 16

•Security Skills Assessment and Appropriate Training to Fill GapsCSC 17

•Application Software SecurityCSC 18

•Incident Response and ManagementCSC 19•Penetration Tests and Red Team Exercises CSC 20

“CIS Controls are especially relevant because they are updated by cyber experts based on actual attack data pulled from a variety of public and private threat sources.”

Cybersecurity Governance


Board of Directors

Technology or IT

Steering Committee

Risk committee

Audit committee

Organization governance models will vary depending on size:

49

Communication

Needs to be appropriate for the level of organizational governance (know your audience)

Cybersecurity risk needs to be presented as a business risk

Strategy, Compliance, Operational, Financial, Reputational Risks


Increased demand for transparency around the Cybersecurity Governance program, suitable measurement criteria and results


51

Security/Cybersecurity Frameworks & Publications

NIST Cyber Security Framework

• FFIEC Cybersecurity Assessment tool (Map to NIST)• Information Security Forum (Map to NIST)• CSA ‐ Cloud Security Alliance CCM (Map to NIST)• HITRUST CSF (Map to NIST)• AICPA TS (Anticipate a mapping to NIST)• ALTA (References FFIEC Cybersecurity Assessment tool)

NIST 800‐53, 800‐171 Security & Privacy Controls for Federal and Non Federal Information Systems & Organizations

NIST Special Publications

CERT

52


Regulatory Resources:

• FFIEC, HIPAA, FedRAMP, FISMA

AICPA Trust Services (SOC 2,3)

AICPA Cybersecurity Resource Center

ISO 27000

PCI

SEC ‐ OCIE Office of Compliance Inspections and Examinations

•Risk Alert Volume IV, Issue 8 9/15/15

•2015 Cybersecurity Examination Initiative

53


DHS ‐ FISMA – FY15 CIO Metrics, Guidance for CEO’s

OWASP (Mobile and Web Applications)

COSO, CoBIT

Center for Internet Security (Critical Security Controls & Configurations)

California Attorney General Releases Data Breach ReportRecommendations for Organizations

And More….

54

Strategy (objectives, resources, business strategy)

Governance

Critical Data and Asset Identification

Risk Management

Vulnerability Management

Third Party Risk Management

Monitoring and Reporting

Incident Response and Breach Notification

Awareness and Training

Cybersecurity Governance Checklist

What is the impact of cyber risk to the organization? What are we doing to address these risks and do we

have the appropriate resources? Are these risk being considered at the entity level in

addition to each specific business unit? How are we informing executive management and

leadership about these risks and the overall impact? What industry standards or best practices does the

cybersecurity program follow and how often is it updated, tested and reviewed?

How many cyber incidents are occurring weekly/monthly and what thresholds are met for the incident to be escalated to executive management?

What questions should we be asking?

56

How mature and complete is the incident response plan, do we have the resources to meet the reporting expectations?

What methodology is used and how often is the incident response and business continuity program tested and evaluated?

Are we complying with the proper federal, state and regulatory breach and notification requirements?

Are we using the proper financial risk mitigation strategies ‐ cyber insurance?

What role does audit play around cybersecurity? Are we staying proactive enough for awareness

training?

What questions should we be asking? (Cont.)

57

Cyber Implications onOther Technology Trends

Internetworking of embedded and electronic devices for information use and exchange

Smart devices and technology

Functionality driven

Data collection points

Consumer and commercial use

Risk Considerations

Low level of security maturity

Privacy and confidentiality implications

Another technology asset that needs to fall under governance

Internet of Things (IOT)

59

Big Data & Data Analytics

Significant amounts of data

Proper analytics can be used for decision making, prediction of trends and

much more

Analysis of patterns of behavior and IOCs

(indicators of compromise)

Big Data: Collection of large data sets from a variety of sources (GPS, social media, behavioral history, etc.), normalized and used for analytics.

60

Big Data & Data Analytics

Data management and governance

Security Privacy Confidentiality

Integrity (bad data = bad analytics = unfavorable decisions)

Risk Considerations

61

Artificial Intelligence (AI) & Automation

(AI) Intelligence

•Demonstrated by machines where actions are taken based on behavior.

Machine problem solving

•Based on the use of complex algorithms, current and historical data sets and advanced logic.

Example use cases

•Cybersecurity (threat intelligence and threat hunting)

•Accounting (accounts payable, travel, etc.)

• Fraud detection (illicit transaction and money laundering)

•Manufacturing (throughput, expense, fulfilment, supply chain)

62

Blockchain

Open decentralized database for transactions of value

Transaction authenticity and integrity verified by a community

Based on technology, mathematics and cryptography

Distributed immutable ledger

Public or private blockchain implementations

Eliminate the need for an intermediary

Digital currency (bitcoin), ethereum (ether), smart contracts, storage of private data, triple entry accounting, trading transactions, direct sales, voting, digital identities and authentication, etc.

Systems vulnerabilities and flaws around design and implementation will not be eliminated by the use of block chain

63

64

Key Takeaways

Cyber Crimes are consistently occurring and the related costs are increasing.

Social engineering / spear phishing attacks are on the rise. Question the request. When in doubt contact a manager or IT

representative to verify the request. Use search engines to navigate to web sites rather then clicking links

within emails. Incident Response Procedures should be reviewed with all

employees. Call for verification based on authoritative publications. Follow your instincts…………

65

Key Takeaways (Continued)

It’s a Business Problem

Stop focusing on “if” we get breached and focus on “when”

Understand the significance of Executive, Board Level and Audit Committee involvement for Information Security Governance

Insist on a reasonable level of transparency to the organizations security governance program including risk management and incident response activities

66

Key Takeaways (Continued)

Stay involved and include information security / privacy governance high level strategic initiatives and performance metrics as regularly reviewed artifacts

Leverage and benchmark against frameworks Don’t get lost in the technology

Use appropriate communication sources

Govern as you would other business issues Ask the question

Don’t be intimidated by technology terms

Steven J. Ursillo, Jr.

Partner, Risk Assurance & Advisory ServicesNational Leader, Information Assurance & Cybersecurity

[email protected]@StevenUrsilloJr

What Questions Do You Have?

Major Concerns to Today’s Audit Committees of Public Companies

Cary McMillan, CEOTrue Partners Consulting

My Background

Role of the Audit Committee

Audit Committees Boards and Tax

Today’s Topics

©2017 True Partners Consulting LLC. All rights reserved. 2

Managing Partner – Arthur Andersen Chicago Office until November 1999

Audit Partner and CPA

My Background


Executive Vice President and Board Member –Sara Lee Corporation, 1999‐2004

CFO, 1999‐2001

CEO, Sara Lee Branded Apparel

–2001‐2004

–$7 billion division with 75,000 employees

My Background


NYSE Board of Directors–American Eagle Outfitters (2007 ‐ Present)

–Sara Lee Corporation (1999 ‐ 2004)

–McDonald’s Corporation (2003 – 2015)

–Hewitt Associates (2002 – 2010)

–Hyatt Hotels (2013 – Present)

My Background


CEO & Board Member, True Partners Consulting–Nationwide Tax Advisors

• Atlanta, Boston, Chicago, Dallas, Long Island, Los Angeles, New York, San Francisco, San Jose, Tampa

My Background


Financial ReportingInternal Control Assessment

Hiring and Firing of External Auditor

Managing Internal Audit

Finance Function Assessment

Traditional Role of Audit Committee


Cyber RiskData AnalysisPrivacyAnd for Many, Risk Assessment and Management

New Roles of Audit Committees


By Far Our Biggest Change!Governments – USA and International

Financial

Cyber Risk


Used to be Back in ITNow in Front Row!

How Data is Obtained

AccuracyInternal

Data Analytics


Europeans Leading the Way

USA Will Need to Catch Up

Privacy


1

The M&A Process: It’s not a Straight Path

PRESENTED BY

Brooke Evans & Kurt Blass

2

1. The Big View ‐ What’s Happening in the Economy2. M&A Transaction Activity3. M&A Deal Path – Navigating the curves and avoiding pitfalls4. Advice for Sellers on the Journey5. Accounting for Business Combinations ‐ Navigating the Guidance

1. Business Combination vs. Asset Purchase2. Taking Control ‐ Defining the Acquisition Date3. Transaction Costs & Consideration4. Purchase Price Allocation & Valuation Process

6. Panel Discussion ‐ The M&A Process

Please text CFOA to 22333 now to join our polling session

What we’ll cover today:

3

The Big ViewWhat’s Happening in the Economy

4

U.S. Tax Reform

Before Tax Reform

After Tax Reform

5

U.S. Federal Funds Rate

6

Business Outlook for the Middle Market

ExpandingOutlook

7

Q1 Corporate Earnings Snapshot

ExpandingOutlook

April 30 (Reuters) - U.S. stock index futures rose on Monday as strong earnings and a string of mergers lifted spirits, kicking off a busy week for inflation watchers.

8

Industry Valuation Multiples (DEC 2016 ‐ MAR 2018)

9

M&A DealsA Quick Look at Market Activity

10

U.S. M&A Activity vs. S&P 500

Where are the Deals?

Avg. D

eal V

ol. $(b)

S&P 500 In

dex

M&A deal volume vs. S&P500

11

2018 U.S. M&A Activity

0

500

1,000

1,500

2,000

2,500

3,000

3,500

$0

$100

$200

$300

$400

$500

$600

1Q 2Q 3Q 4Q 1Q 2Q 3Q 4Q 1Q 2Q 3Q 4Q 1Q 2Q 3Q 4Q 1Q 2Q 3Q 4Q 1Q 2Q 3Q 4Q 1Q 2Q 3Q 4Q 1Q 2Q 3Q 4Q 1Q 3Q 4Q 1Q 2Q 3Q 4Q 1Q 2Q 3Q 4Q 1Q 2Q 3Q 4Q 1Q

2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018

Deal Value ($B) Deal Count

2,874 1Q17

2,160 1Q18

2,453 4Q17

12

1Q18 M&A Activity (Completed Transactions)

Region # Deals % Cg Deal $ Value % Cg 1Q18 # of Deals 1Q18 $(b) Value 1Q17 # of Deals 1Q17 $(b) Value

N. America + Europe ‐18.4% ‐25.4% 4,867 $ 616.7 5,961 $ 826.1

United States ‐24.8% ‐35.9% 2,160 $ 300.3 2,874 $ 468.9

Florida ‐25.5% ‐32.6% 307 $ 10.9 412 $ 16.2

Tampa Bay ‐24.1% ‐12.9% 63 $ 2.2 83 $ 2.6

13

Florida M&A Activity

14

M&A Deal PathNavigating the curves and avoiding pitfalls

15

A Deal Path can Zig‐Zag due to Many Variables:

Deal Structure

Seller Motives

Buyer Type

Market Conditions

Capital Source

Trans. Type

Regulatory Environment

StakeholdersGeography

16

“Typical” Steps in a Deal:

1) Getting Ready for a Transaction

2) Finding a Partner

3) Negotiating the Transaction

4) Due Diligence (Evaluation)

5) Closing

6) Integration

17

Advice for Sellers on the

Journey

18

#1: Preparing for a Transaction

Ready. Aim. Fire. (In That Order)1. Have a Well thought out Exit Strategy

• Strive for Buyer Confidence 2. Know your Story

• Understand “normalized” EBITDA• Value drivers and detractors• Have coherent financials• Know your risks and be prepared to disclose them at the right time and in the right

way3. Timing is More than Half the Battle4. Build a Transaction Team

• All hands on deck• No such thing as “Too much help” • Investment in the process may yield millions in return

5. Have a Plan for Your Future• Anticipate pivots, twists, turns in the process• Identify realistic growth opportunities• Keep investing in the business (don’t put things off until the deal is done!)

19

#2: Finding the Perfect Partner

Go Fishing….There are lot’s of Fish in the Sea1. Know What You Want

• Top $$• Culture to remain intact• Growth capital, future involvement, 2nd bite of the apple• Personal liquidity• Retirement

2. Understand Types of Buyers and Their Motivations• Start a watch list

3. Use Expert Advisors• You don’t know what you don’t know• Let them help tell your story• Reduce the effects of emotions & noise

4. It Might Take Longer Than You Think• Anticipate delays in deal timing• How will business factors affect this?

5. The World Turns on Personalities• Understand the culture of your organization• Drama does not drive deal value

2020

Types of Buyers:

Strategic Buyers Financial Buyers

Competitors, Suppliers, Customers Complementary Businesses (seeking new growth channels) Consolidators

Private Equity Sponsors Companies owned by PEGS (bolt‐in acquisitions) Family Offices

21

#3: The Art of the Negotiation

I Got This……20x EBITDA!!

22

#3: The Art of the Negotiation

Know What you Want…..But be Realistic1. Continue Using Expert Advisors

2. Defining the LOI = Time Well Spent • Exclusivity ‐ to be or not to be exclusive

3. Uncle Sam has a Seat at the Table• Understand potential outcomes before starting

4. Terms can Terminate Deals• Taxes

• Noncompetes & Key Employee Retention

• Working capital

5. The Increasing Importance of Reps & Warranties Insurance

6. The Dreaded Re‐Trade

7. Tap into What Buyer Wants Most

23

#4: Due Diligence

What you Don’t Know Will Cost You1. Have your Ducks in a Row

• Be prepared, allocate proper resources

• Buyers are always from Missouri

• Design a diligence process flow• Version control (file1_new_v.#$%#!)

2. Have a Communication Plan• Who will be “under the tent”

3. Honesty is the Best Policy• Positioning the elephants

4. Make it Happen ‐ Time Kills Deals

24

Closing & IntegrationFinal Chapter and Second Journey

25

Closing

Be Ready to Cross the Finish Line1. Push & Shove

• Getting a deal to the finish line

2. Full Disclosure• Who will get that fun job?

3. Upping the Intensity Factor

4. Day 1 Details• A bit like a shuttle launch

5. Catch Your Breath … • NOW the hard work starts!

26

Integration

The Second Leg of the Journey …. Are We There Yet?1. Eat the Frog

• Cultural issues• Compensation & benefit issues• Reporting & Metrics• Creativity and Flexibility

2. Clarity – Priority # 1• No Such Thing as Over Communication

3. People, People, People4. A Good Plan Violently Executed Now

• Is better than a perfect plan executed next week5. 45‐60 Days Post Close

• Help!6. What did We Miss?

• Probably something!7. Delivering on the Plan

• Decisions from Data• Measure early, measure often

27

Accounting for Business Combinations: Navigating the Guidance

28

The winding path of accounting for business combinations is primarily covered in ASC 805 and ASU 2017‐01. Knowing the right questions to ask is a good way to avoid common implementation detours:

1. What are we buying?

2. When did we take control?

3. How much did we pay?

4. What are our transaction costs?

5. How do we find everything we bought?

6. How do we value all this stuff?

7. What if my estimates are wrong?

Staying on the Path

29

What are we Buying?Business Combination vs. Asset Purchase

30

• A business combination occurs when the buyer obtains control of a business via a transaction or other event. If the acquired entity does not meet the definition of a business, it is treated as an asset purchase.

What are we Buying?

General Indicators of Business Combination

• Purchase of substantially all assets and some liabilities

• Purchase price includes fair value of intangible assets

• Activities and assets are sufficient to provide an output or return to investors

• Revenues are generated before and after transaction

General Indicators of an Asset Purchase

• Purchase of a group of assets for use in its own operations

• Assets (inputs & processes), on their own, are not sufficient to provide an output

31

Definition of a business, per ASC 805

• A business is an integrated “set” of activities and assets that is capable of being conducted and managed for the purpose of providing a return in the form of dividends, lower costs, or other economic benefits directly to investors or other owners, members, or participants.

• The integrated “set” of activities must include at least one input and one substantive process; together, both must significantly contribute to the ability to create outputs.

• Although businesses usually have outputs, outputs are not required for an “integrated set” to qualify as a business.

What are we Buying?

Additional Guidance, per ASU 2017‐01

• If substantially all the fair value of the gross assets acquired is concentrated in a single identifiable asset or group of similar identifiable assets, the “set” does not qualify as a business.

• If the fair value of the acquired set is not “concentrated” then an evaluation of its workforce, processes and outputs (revenue , goods or services) must be performed.

32

What are we Buying?Is Target Producing Outputs Now?

(Revenue before and after Transaction)

No

• Organized workforce with ability to perform an acquired process which is critical to converting acquired inputs into outputs.

• An input that the organized workforce can convert into output.

Yes

• Organized workforce with ability to perform an acquired process which is critical to converting acquired inputs into outputs.

• An acquired contract that provides access to the organized workforce

• The acquired process significantly contributes to the ability to produce outputs, and the process cannot be replaced without significant cost, effort or delay.

• The acquired process significantly contributes to the ability to produce outputs, and the process is considered unique or scarce.

Target is a Business

Yes

Not a Business

Not a Business

No NoYes

33

Defining the Buyer & the Acquisition Date

Taking Control

34

Obtaining control: To evaluate if control has been obtained, the buyer must determine if the business is a VIE:

If the business is a VIE:• The buyer must apply the guidance in ASC 810‐10 to determine if it has a controlling financial interest in the VIE

• If a controlling financial interest is obtained, the transaction or event that gave rise to the interest should be accounted for as a business combination

If the business is not a VIE: • The buyer must determine if control has been obtained using the same definition of control that is used to determine if a voting interest entity should be consolidated

• Under this definition, control could be obtained in multiple ways including acquisition of a majority ownership interest or minority rights lapsing

When did we Take Control?

35

Determining the buyer and acquisition date• The “buyer”

• The buyer is typically the party transferring cash, incurring liabilities and/or issuing equity interests

• In a transaction involving a VIE, the buyer is always the Primary Beneficiary (PB).

• Acquisition date is typically the closing date except where the written agreement specifies another control transfer date

• Identifying the acquisition date impacts many areas including:1. Effective date for fair value measurements by the buyer2. For WIP and inventory cutoff3. The buyer begins consolidating the target for accounting purposes4. The clock starts for the “measurement period”5. May necessitate mid‐month close for opening balance sheet presentation

When did we take Control?

36

Transaction Costs & Consideration

How Much did We Pay?

37

Identification and Treatment of Transaction Costs• Acquisition costs are expensed in the transaction period and not part of the consideration transferred in a business combination

• The exception to this is that costs to issue debt or equity securities shall be recognized in accordance with other applicable guidance

• Buyer’s acquisition costs should be recognized by the buyer even if the are paid by the target, seller, or other related party

• Transaction costs such as legal or due diligence expenses or liabilities paid by the buyer for the benefit of the seller, are not expensed, they are deemed to be part of the purchase price consideration

What are our Transaction Costs?

38

Identifying all Transaction Consideration• Consideration is the fair value of all assets transferred plus liabilities incurred to the seller and equity interest issued by the acquirer.

• Items which should be included:• Transaction costs incurred for the benefit of the seller

• Installment payments

• Value of stock and stock options in NEWCO

• Contingent future payments (earnouts)• Treatment as consideration varies if conditional or unconditional

• Fair value includes consideration of probability of payment, and time value of money

• Subsequent period accounting varies depending on whether asset/liability or equity

How much did we Pay?

39

Identifying Costs Outside the Transaction Purchase Price• Items that settle previous relationships or payments for the benefit of the purchaser should not be included in total consideration.

• Items which should be excluded:• Settlement of existing balances with seller

• Transactions that, compensate employees or former owners for future service

• Transactions that, reimburse the seller for paying the purchaser’s acquisition related costs

• Payments to seller for restructuring costs incurred at request of buyer

• Payment to target employees that would be forfeited upon termination of their employment

How much did we Pay?

40

Finding & Valuing What you Bought

Purchase PriceAllocation

41

Identification of Acquired Assets and Assumed Liabilities• ASC 805 requires that all identifiable assets acquired in a business, be assigned a portion of the purchase

price based on their fair values. This includes current assets, fixed & other tangible assets, goodwill, and identifiable intangible assets,

• Current assets are often recorded at book value unless it varies significantly from fair value

• Material fixed assets, real estate and personal property, are typically appraised to determine recording value

• Intangible assets are to be separately recognized apart from goodwill if they are separable or arise from contractual or legal rights

• Many complex items arise from this process, including the following:• Marketing‐related

• Customer relationships and lists

• Internally developed intangibles & technology based intangibles

• Contingent liabilities, including contingent purchase price liabilities

• Non‐compete agreements

• Favorable and unfavorable contract assets and liabilities

• In process research and development (IPR&P)

• ASU 2014‐02 & 2014‐18 provides private company simplification for goodwill and intangibles

How do we Find Everything we Bought?

42

Valuation Methods• Income Approach ‐ estimates fair value by estimating the present value of net future economic benefits. Generally used to value the primary asset acquired in a business combination.

• Cost Approach ‐ measures fair value based on the amount necessary to construct or acquire an asset of equal utility after consideration of deterioration, or obsolescence. Generally used to value secondary assets in a business combination.

• Market Approach ‐ determines value through the analysis of the market price of comparable assets or business interest that have been traded in arms‐length transactions.

How do we Value all this Stuff?

43

Downstream Consequences to be Aware Of• Purchase accounting revenue & expense impacts

• Subsequent period amortization of “new” or revalued intangibles

• COGS impacts from write up or write down of WIP and inventory

• GAAP adjustments for sellers previously on other basis of accounting• Goodwill impairment or amortization

• Deferred revenue and “disappearing revenue”

• Subsequent accounting adjustments for “special” business combination assets and liabilities• Contingent consideration

• Indemnification assets

• Reacquired rights

• Revenue and expense changes can impact contractual agreements• Debt covenant compliance

• Compensation arrangements• Earn out calculations

How do we Value all this Stuff?

44

Measurement Period Adjustments• If accounting for a business combination is not complete in the reporting period the combination took place, the acquirer has a period of time to finalize its accounting.

• The buyer must disclose this identify all amounts included in the financials that are estimates• New information is obtained about facts and circumstances existing at the acquisition date:

• The new information is related to “known incomplete items” AND • The new information would have affected the recognition or measurement of some

element of the accounting (asset or liability) at the acquisition date• The amount of time since the acquisition was effective has not exceeded 1 year

• If these criteria are met, the corresponding entry to the measurement period adjustment is to goodwill

• If these criteria are not met, treat the adjustment as a change in estimate due to an error, with the corresponding entry to the statement of operations

What happens if my Estimates are Wrong?

45

Thank you!

Brooke Evans: [email protected] Blass: [email protected]

46

The M&A Process: Panel Discussion

Nicole Jackson ‐ Refresco Ken Bowles – Wilson HCG

Derivatives and Risk Management

Peter Klipa

Risk Mitigation

• Types of Risk– Interest Rate

– Foreign Currency Exchange Rate

– Equity Index

– Credit

• Risk Maintenance– Increase Predictability

– Decrease Volatility

– Contain Exposure

What is a Derivative

• Derivatives are financial instruments that derive their value from some characteristic of another underlying instrument, such as:

– Interest Rate

– Foreign Currency Exchange Rate

– Equity Index

• Unlike other financial instruments derivatives in and of themselves have no value

Authoritative Accounting Guidance

• Generally Accepted Accounting Principles (GAAP)

– ASC 815

• Statements of Statutory Accounting Principles (STAT or SSAP)

– SSAP 86

– One example of additional guidance on derivatives

Common Types of Derivatives

• Options

• Caps

• Floors

• Collars

• Futures

• Forwards

• Swaps

• Swaptions

Common Uses for Derivatives

• Risk Mitigation

– Company invests in a EURO denominated bond to achieve higher yields – foreign currency swap exchanging EURO for USD at a fixed rate mitigates net yield degradation due to FX fluctuations

– Company with fixed interest rate obligations –interest rate swap to exchange a fixed interest rate payment for a floating market rate

• Speculation

Derivative Considerations

• Costs

– Hedging costs

– Personnel costs

– Regulatory costs

• Alternatives

– Offsetting asset / liability pairing

– Other risk mitigation strategies

Accounting for Derivatives U.S. GAAP

• Balance Sheet – ALL derivatives must ALWAYS be recognized as assets or liabilities at fair value on the balance sheet

– Derivative assets and liabilities cannot be netted

• Income Statement– Changes in derivative fair values are sometimes immediately reflected in earnings, but are sometimes deferred and/or netted against gains and losses of hedged items

Accounting for Derivatives

• Although the asset and liability classification and valuation of derivatives is always consistent; the timing and net impact to the P&L is determined based on multiple factors and various special accounting rules (hedge accounting status vs. non‐qualifying status)

Accounting Classifications under ASC 815

• Hedge Accounting (special accounting rules)– Fair Value

– Cash Flow

– Net Investment in Foreign Operations

• Non‐qualifying– ALL changes in derivative fair values are ALWAYS immediately recognized in earnings

– All derivative related earnings must go to the same financial statement line

Hedge Accounting vs. Non‐qualifying Treatment

• The use of hedge accounting is optional

• If hedge accounting is chosen:– The hedging strategy must be documented and a determination of the type of hedge must be assessed at inception

– The hedging relationship must be expected to be highly effective

• If hedge accounting is achieved:– Special accounting rules, benefitting the entity, are permitted

Required Documentation for Hedge Accounting

• Primary Requirements under GAAP

– The risk management objective and strategy for achieving that objective

– The nature of the risk being hedged

– The hedging instrument used

– The hedged item

– The method to assess hedge effectiveness

– The method to measure hedge ineffectiveness

Hedge Accounting SummaryHedge Status Recognition of Gain or

LossComments

Fair Value Hedge – hedge of asset or liability

In net income, offsets loss or gain on hedged item

Hedged item gets special accounting

Cash Flow Hedge – hedge of variable cash flows or a forecasted transaction

Outside of earnings until the forecastedtransaction affects earnings

Derivative gets special accounting

NIFO Hedge ‐ hedge of foreign currency exposure of a net investment in foreign operations

Outside of earnings as part of cumulative translation adjustment in OCI until foreign operation is substantially liquidated

Derivative gets special accounting

Non‐qualifying derivative In earnings No special accounting permitted

Fair Value Specifics

• Accounting Specifics– Derivative is carried on the balance sheet at FV– Hedged item (examples are bonds, mortgage loans, debt) is carried at FV on the balance sheet with changes in FV recorded directly to earnings (special accounting)

– Changes in the FV of the derivative are recorded to earnings

– Changes in the FV of the hedged item are recorded to the same earnings location as the derivative (special accounting)

– Difference between the change in FV of the derivative vs. the hedged item is measured ineffectiveness which nets in earnings (special result of treatment)

Cash Flow Specifics

• Accounting Specifics– Derivative is carried on the balance sheet at FV

– Hedged item (examples are bonds, mortgage loans, debt) is accounted for using its normal convention

– Changes in the FV of the derivative are recorded in other comprehensive income (special accounting)

– Changes in the FV of the hedged item are recorded to their traditional location (typically in OCI or carried at cost)

– Through this treatment, FV changes do not impact earnings. Derivative earnings are typically reclassified out of OCI only when the hedged item’s normal accounting impacts earnings (special accounting)

Embedded Derivatives

• Simple Definition – A derivative within another contract that is not a derivative– A call option feature on a bond issuance – call option is a derivative, but a bond is classified as an invested asset not a derivative

• In some cases GAAP requires that embedded derivatives be bifurcated from the host contract and accounted for separately

Bifurcation is Required when…

• The embedded feature meets the definition of a derivative

• The entire instrument is not already carried at FV with changes in value included in earnings

• The features in the contract are not clearly and closely related– Example – debt instruments with interest payments tied to credit score (own credit clearly and closely related to debt) vs. changes in the S&P 500 (equity index not clearly and closely related to debt)

Wrap Up

© 2018 Crowe Horwath LLP

Healthcare Provider Risks and TrendsMay 18, 2018 – USF CPE Day, Tampa, FL

© 2018 Crowe Horwath LLP 2Audit | Tax | Advisory | Risk | Performance

Objectives

Session is designed to discuss recent and relevant healthcare provider risks and trends for CPE A&A credit.

Cybersecurity

Volume to Value and the Affordable Care Act

Pharmacy: Controlled Substances & 340B

Healthcare Transformation

Takeaways

Understand some key risks associated with today’s healthcare provider environment

Explain how healthcare systems are responding to these risks


Cybersecurity


Healthcare Data Breaches Reported to Office of Civil Rights


Cybersecurity

“Measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack.”

Objectives of Security continue to be: The Triad of Security – CIA of “CRITICAL DATA” Confidentiality Integrity Availability

Who does it impact? Anyone or Anything, connected to the internet


Trends in Cybersecurity

Expect Cyber attacks More frequent, varied and mobile Center stage and becoming more public More corporate accountability and resulting litigation More regulatory pressure

As a result of the above four trends, other sub-trends are: Standard frameworks Growing workforce Expanded research Mobile coverage


Industry Impacts

Over 90% of healthcare organizations had a data breach in the past two years Approximately 45% of healthcare organizations had 5 or more incidents Average cost of a medical record data breach to an organization was over

$200 per record Average cost of a medical record on the black market is $10 or more. Cost of an

individual’s credit card record is going for less than $0.50 Causes of healthcare data breaches:

Lost or stolen devices Employee actions (other than losing devices) Third parties Hacking (or similar) attempts

Average cost to victims is over $13,000 Breaches cost the healthcare industry approximately $5.6 billion per year


Some publicized 2017 Healthcare breaches


How are Healthcare Systems responding

Guidance for Healthcare OCR; National Institute of Standards and Technology (NIST;) Health Insurance

Portability and Accountability Act (HIPAA) Timely risk assessment, as required under the HIPAA Security Rule, to pave

the way for mitigating risks and avoiding breaches. Boost information security programs beyond the requirements of HIPAA, NIST

Cybersecurity Framework provides healthcare organizations with a roadmap for "looking where you are now, and where you want to be.“

Health Information Trust Alliance (HITRUST) – Popular security interoperability controls framework, provide support for the NIST Framework

Security Assessments, incident planning responses, and penetration testing


Ongoing Cybersecurity Protection


Volume to Value and the Affordable Care Act


Health Care Reform is a transformative event - it is fundamentally changing the way health care is paid for, delivered and consumed in the U.S. over the next 20 to 30 years, and it will affect:

Every employer

Every person residing in

the U.S.

Everyhealth care

provider

Every pharmacy benefits

management provider and every

pharmaceutical company

Every medical device

manufacturer


Volume to ValueVolume to Value

Fee for Service –No Link to QualityFee for Service –No Link to Quality

Payments are based on volumes of services and not linked to quality or efficiency.

Payments are based on volumes of services and not linked to quality or efficiency.

-Limited in Medicare fee for service

-Majority of Medicare payments are not linked to quality

-Limited in Medicare fee for service

-Majority of Medicare payments are not linked to quality

Fee for Service –Link to Quality

Fee for Service –Link to Quality

At least a portion of payments vary based on the quality or efficiency of healthcare delivery.

At least a portion of payments vary based on the quality or efficiency of healthcare delivery.

-Hospital value based purchasing

-Physician value-based modifier

-Readmission/ hospital acquired condition reduction program

-Hospital value based purchasing

-Physician value-based modifier

-Readmission/ hospital acquired condition reduction program

Alternative Payment Models

Built on Fee for Service Architecture

Alternative Payment Models

Built on Fee for Service Architecture

Some payment is linked to the effective management of a population or an episode of care. Payments on delivery of services, but opportunities for shared savings or two-sided risk.

Some payment is linked to the effective management of a population or an episode of care. Payments on delivery of services, but opportunities for shared savings or two-sided risk.

-Accountable Care Organizations (ACOs)

-Bundled Payments

-Comprehensive primary care initiative

-Medicare – Medicaid financial alignment initiative fee-for service model

-Accountable Care Organizations (ACOs)

-Bundled Payments

-Comprehensive primary care initiative

-Medicare – Medicaid financial alignment initiative fee-for service model

Population-Based Payment

Population-Based Payment

Payment is not directly triggered by service delivery and volume is not linked to payment. Clinicians and organizations are paid and responsible for the care of a beneficiary for a long period.

Payment is not directly triggered by service delivery and volume is not linked to payment. Clinicians and organizations are paid and responsible for the care of a beneficiary for a long period.

-Eligible Pioneer ACOs

-Advanced Payment ACOs

-Eligible Pioneer ACOs

-Advanced Payment ACOs


Major Legislation driving Volume to Value

February 2009 – American Reinvestment & Recovery Act (ARRA) establishing Health Information Technology for Economic and Clinical Health (HITECH) Establishes a system of bonuses and penalties to encourage providers to adopt

electronic record systems that are demonstrated as meaningful (Meaningful Use)

Systems form basis of quality reporting

March 2010 – Patient Protection and Affordable Care Act (ACA) Make Healthcare more affordable

Expand Medicaid coverage for opted in States to 138% of poverty

Support care delivery models to improve quality and lower cost

ACA provides a platform and commitment to testing new approaches to how healthcare is delivered and paid for while recognizing there is no single solution Center for Medicare and Medicaid Innovation

Patient-Centered Outcomes Research Institute

Medicare-Medicaid Coordination Office

National Strategy for Quality Improvement in Health Care

Prevention and Public Health Fund


Trump Administration Response In First Year No change to Obama Administration value-based goals 30% of Medicare payments to hospitals and physicians through alternative payment

models by end of 2016 (Achieved)

50% of Medicare payments through alternative payment models by end of 2018

No significant changes thus far to the Medicare ACO program

Elimination of proposed mandatory bundled payment programs

First introduction of a new voluntary bundled payment program in January 2018 – BPCI Advanced

Further exemptions granted from MACRA participation

Repeal of Health Insurance Mandate


Care Delivery Change Requirements

• Reduce Waste and Redundancy

• Slow Historical Growth Rate in Healthcare Costs

• Implement Efficient and Effective Clinical Processes

• Increase Care Coordination

• Strengthen Transparent Exchange of Healthcare Information

• Improve Professional Credibility & Market Perception

• Compete for Populations Served

• Improve Patient Outcomes

• Adhere to Evidence Based Standards

• Foster Cultural Change: Safety and Reliability


Affordable Care Act (ACA) Initiatives Designed to Measure and Compensate Hospitals for Performance

Payment Models

Medicare Shared Savings Programs and creation of Accountable Care Organizations

Value Based Purchasing

Hospital Acquired Conditions and Readmissions Program

Bundled Payments & BPCI Advanced program

MACRA – MIPS & Alternative Payment Models

Direct Provider Contracting (CMS 2018 idea)

Quality of Care

31 measures covering: Patient/Caregiver Experience, Care Coordination/Patient Safety, Preventative Health, At-Risk Population


Risks

Technology

Culture Shifts

Complex quality reporting

Complex rules behind payment models

Impacts

Patient Quality

Reduced reimbursement and/or penalties

Long term growth/ sustainability of the provider entity

Shifts in operational models


How are hospitals reacting?

Reimbursement Impacts

Quality of Care

Improvements

Cost Reduction


Pharmacy: Controlled Substances & 340B


The Opioid Epidemic - Facts

What are the facts (according to the Centers for Disease Control): On average, 115 Americans die every day from an opioid overdose

Nearly two million Americans either abused or were dependent on prescription opioid pain relievers

Overdoses from prescription opioids are a driving factor in the 16-year increase in opioid overdose deaths

The majority of drug overdose deaths (66%) involve an opioid


Controlled Substance Thefts (Employee Pilferages = 41%)


Controlled Substances

Risks


Actions Control Design Audit: From Order to Dispense / Waste / Reverse Distributor

Accountability Audit

Diversion Investigations

Assistance with potential BOP and/or DEA investigations or Settlement Agreements


340B – What is it?

Established by Congress in 1992

Administered by Health Resources and Services Administration/Office of Pharmacy Affairs (HRSA/OPA)

Improve prescription drug access to uninsured patients

Drug manufacturers agree to provide discounted prices to “covered entities” for covered outpatient drugs

Eligible Patients:

Patients must receive outpatient healthcare services other than drugs from the 340B covered entity; and the services were provided by a healthcare professional who is either employed by the covered entity or provides healthcare under a contractual arrangement.


EligibilityEligible Organizations:

Nonprofit healthcare organizations that have certain Federal designations or receive funding from specific Federal Programs can become eligible organizations (covered entities)

Examples include:

Federally Qualified Health Centers

Disproportionate Share Hospitals

Critical Access Hospitals

Sole Community Hospitals

Ryan White HIV/AIDS Programs

Tuberculosis Clinics

Eligible Drugs:

FDA-approved prescription drugs

Over the counter drugs via prescription

FDA-approved insulin

Biological products that can be dispensed only by prescription


During the enrollment process a covered entity will elect how they will implement their program as follows: In-House Pharmacy, in which the covered entity owns drugs, pharmacy and

license; purchases drugs; is fiscally responsible for the pharmacy; and pays pharmacy staff.

Contract Pharmacy Arrangements, in which the covered entity owns drugs; purchases drugs; pays (or arranges for patients to pay) dispensing fees to one or more contract pharmacies; and contracts with pharmacy to provide pharmacy services.

Provider/In-House Dispensing, in which the covered entity owns drugs; employs providers licensed in the state to dispense; holds a license for dispensing for the participating providers; and is fiscally responsible for operating and dispensing costs.


Risks

Heavily regulated –

Exposed to HRSA audits

Program Independent audit requirements

Complex contractual arrangements if contract pharmacy status

Information Technology Systems

Maintenance of records to filter specific scenarios (i.e. specific services for specific patients for specific drugs)

Constant regulatory Change

Financial impact of program





Regulation change in Volume to Value

Mergers & Acquisition Activity System Mergers Mercy Health & Bon Secours

Ascension & Presence

CHI & Dignity

Pharmacy/ Drug Mergers CVS & Aetna

Walmart (Large Pharmacy) & Humana

Non Traditional Berkshire Hathaway/ Amazon/ JP Morgan Chase??!!

UBER??!!

Technological change Telemedicine

Machine Learning

Device integration


Contact

Harry Kimball, CPA

CHAN Healthcare

Direct: (904) 728-0738

[email protected]

Documents

Tax Accounting for the New Partnership Audit Rules · 2018-05-15 · Partners have no rights to participate in audit, receive notice of key audit stages, or contest audit results