Cyber IQ. Test Your. CAMICO Named. Smokin Hot Issues for CPAs. and Implementation Issues. Marijuana business Clients: Issue 104

Transcription

1 impact Issue 104 Don t Miss Out on Free CPE Test Your Cyber IQ Policyholder Social Media Survey Results CAMICO Named Business of the Year by Washington Society of CPAs SSARS No. 21 Risk Management and Implementation Issues Marijuana business Clients: Smokin Hot Issues for CPAs Return Due Dates to Change + CAMICO Receives B+ (Good) Rating with Stable Outlook CAMICO Appoints VPs of Claims, Marketing and Sales

2 SSARSS No. 21 Risk Management and Implementation Issues By Duncan B. Will, CPA/ABV/CFF, CFE AICPA s Accounting and Review Services Committee (ARSC) issued Statement on Standards for Accounting and Review Services (SSARS) No. 21 in October This Standard marked the conclusion of the ARSC s Clarity Project, which clarified and modified existing standards covering the performance of review and compilation engagements for historic financial statements. Most significantly, SSARS No. 21 introduced engagements to prepare financial statements. SSARS No. 21 s introduction of the preparation service and the requirement that all compilations be accompanied by a report effectively eliminated the SSARS 8 management use only compilation engagement. This article highlights loss prevention tips CPAs can use to safely implement SSARS No. 21 and reduce their risk exposure. Historical Relevance of Landmark Case The landmark 1136 Tenants case i resulted in a sizeable judgment against a CPA firm sued by its client for failing to uncover embezzlemen nt. The firm was hired to perform write up stated, No independent verifications were undertaken, but the firm was found liable for failing too discuss or inquire about missing invoices. Without an engagement letter, the firm was unable to convince the court that the firm was not engaged to audit the financial statements. In 1978, SSARS No. 1 was issued in part to address the professional liability exposure associated with such plain paper financial statements. The issuance of SSARS No. 21 s AR C Section 70 again permits CPAs to prepare financial statements without reporting on them. To do so they must have a written understanding (engagement letter) with their client and include a legend on each page of the financial statement stating that no assurance is provided. The Tenants case illustrates the importance of following up on unusual findings regardless of the level of services by a managing agent who committed the fraud. The financial statements clearly service. Also integral to the Tenants decision was that the services were not delineatedd in an engagement letter. CPAs should be forewarned and learn from this. Yes, SSARS No. 21 makes clear that CPAs must engage with a written understanding (engagement letter) when reporting on or preparing an entity s financial statements, but the Standard doesn t require such documentation when only engaged to perform bookkeeping or assist with the preparation of an entity s financial statements. Don t fall into that trap. The best defensive documentation in situations not subject to the SAS or SSARS is to delineate the services contemplated and specifically what services will not be performed we will not audit, review, compile or prepare financial statements. IMPACT 104 August 2015 Page 1

3 Differentiating from Bookkeeping Services SSARS No. 21 distinguishes between whether accountants aree engaged to prepare financial statements or to merely assist in preparing financial statements. If engaged to prepare financial statements, the accountan is subject to SSARS No. 21, but merely assisting with the preparation of financial statements is a bookkeeping function not subject to the SSARSs. Without an engagement letter clearly indicating that the contemplated services do NOT include the audit, review, compilation or preparation of financial statements, clients might successfully allege the accountan was to have reported on or prepared financial statements. Claiming that the engagement letter would have detailed that a financial statement reporting or preparation service was to be performed may be an inadequate defense, as CPAs are generally expected by average individuals (e.g., jurors) to be scribes. So without a written understanding to the contrary, clients could prevail in arguing the CPA s services included financial statement services. CPAs should adopt the defensive documentationn strategy of not only engaging for the bookkeeping services, but also having their engagement letters specify that their services don t contemplate the audit, review, compilation or preparation of financial statements. The Legend AR C Section 70 is short, and fairly simple, but could be confusing to some accountants and their clients. Much of the discussion leading up to and after the issuance of SSARS No. 21 focused attention on a legend that would appear on each page of the financial statements. Interestingly, the SSARS No. 21 substitutes statement for legend. The ARSC s May 2014 Exposure Draft (ED) and a Journal of Accountancy article ii appearing shortly after SSARS No. 21 s releasee both state, When an accountant is engaged to prepare financial statements, the accountan is required to include an adequate statement on each page off the financial statements indicating that no CPA provides any assurance on the financial statements. (Emphasiss added.) iii Unfortunately, none of the guidance or examples offered in SSARS No. 21 iv clearly state that no CPA is providing assurance, the implicit intent of the standard. Instead, the examples could suggest (and likely do suggest) that the entity whose financial statements are presented provides no assurance. CAMICO recommends that all CPAs engaged to perform a preparation engagement make clear BOTH in their engagement letters and each page of the resulting financial statements that No CPA provides any assurance on these financial statements. AR C Section 70 states that the accountant s name is not required to be included in the legend. However, some CPAs have expressed their inten to include their firm name in financial statement legends as part of their marketing strategy. Inclusion of your firm name may have some modest marketing benefit, but CAMICO s claims experience suggests the added risk exposure from association IMPACT 104 August 2015 Page 2

4 with the financial statements outweighs any marketing advantage. Don t associate your name with any AR C Section 70 prepared financial statements unless compelled to do so in a disclaimer. The Disclaimer AR C Section 70 establishes that if an accountant is unable too include an adequate statement on each page of the financial statements regarding the lack of assurance, the accountant must (1) issue a disclaimer that makes clear that no assurance is provided on the financial statements, or (2) compile the financial statements. Having your name associated with financial statements suggests to some that the financial statements may be more reliable than identical financial statements omitting any reference to a CPA. As such, CAMICO anticipates that there will likely be more risk exposure to CPAs who issue a disclaimer or in some other way (such as adding their name to the legend) include their firm s name within an entity s financial statements. Presumably what would prompt the need for a disclaimer would be if the computer software used to print the financial statements could not accommodate a suitable footer. The number of required characters expands when an entity opts for a reporting framework other than U.S. GAAP and when management elects to omit substantially all disclosures. Some software providers permit only a limited number of characters in their footers, headers and titles. When, as permitted with compilation or preparation engagements, management elects to omit substantially all disclosures, the legend s character length will need to be expanded. To avoid the additional risk exposure of having your name unnecessarily associated with financial statements, CAMICO encourages practitioners to print preparation engagement financial statements on paper stock pre printed with footers containing their preferred legend; e.g., No CPA provides any assurance on these financial statements or No CPA provides any assurance on these financial statements, which lack substantially all disclosures required by <financial reporting framework>. Engagement Letters Unilateral engagement letters (when the letter is signed byy the CPA but not the client) are commonly used for tax engagements but only rarely used for financial statement engagements. SSARS No. 21 removes that option by requiring engagement letters to be signed by the accountant and the client. Unfortunately, the ARSC did NOT prohibit evergreen letters,, which remain in effect until a party to the agreement terminates the agreement. The use of evergreen letters, although permitted by professional standards, is discouraged by CAMICO. Courts could deem that an engagement letter s lack of a terminus date means the statute of limitations doesn t begin until one of the parties terminates the agreement. In such an instance the statute of limitations could be held openn indefinitely. CAMICO strongly discourages the use of evergreen and multi year letters.. If used, however, the engagement letter should include a clause indicating each year s service iss a separate and distinct IMPACT 104 August 2015 Page 3

5 engagement, and CPAs should refresh their client management s memory of their responsibilities and of the scope and limits of the engagement throughh the use and review of a memorandumm outlining the terms of the current year s engagement Write Up Work In conjunction with performing monthly write up services, CPAs are often engaged to provide their clients with financial statements. Unaudited financial statement engagements for the first 11 months of 2015 can be performed under either SSARS No. 19 or 21, but those for periods after December 14, 2015 (i.e., December 31, 2015) must comply with the SSARS No. 211 standards. Many CPAs, either unaware of SSARS No. 21 or choosing not to early adopt SSARS No. 21, used engagement letters developed to comply with SSARS No. 19 when continuing to service their write up clients in While in many ways quite similar, engagement letters and reports under SSARS No. 21 requiree language and formatting different from those under SSARS No. 19. As such, peer reviewers may find the use of SSARS No. 19 language for periods after December 14, 2015, to be deficient. How to address this is a decision your firm must make. For CPAs who engaged with their clients to perform interim and annual financial statement servicess without considering SSARS No. 21 s implications, CAMICO recommends having those clients sign an addendum to their 2015 engagement letters. The addendum would: inform clients that their December 31, 2015, financial statements must be performed in accordance with new clarified compilation standardss effective forr periods ending after December 14, 2015; include the revised report language (if applicable); and define the CPA and management s responsibilities ass required by SSARS No. 21 s clarified standards. Please seee the sample addendums in this IMPACT. Independence Impairment The AR C Section 70 preparation of financial statements service is a nonattest service. When accountants perform such engagements, they are not usuallyy contemplating performing audits or reviews of their clients financial statements for the same year. However, often clients that initially request bookkeeping and financial statement preparation services later request an audit or review of their financial statements. If precautions are not taken, the implications of Interpretation Performance of Nonattest Services v may preclude the CPA from performing the desiredd attest services. When uncertain whether a request for attest services may bee in the offing, CPAs should take precautions to have their engagement letters spell out vi the client s responsibility to designate someone (preferably within management) to assume responsibility forr the nonattest services performed (i.e., the bookkeeping and preparation of financial statements). IMPACT 104 August 2015 Page 4

6 When considering whether circumstances impair their independence, CPAs have long considered potential threats in isolation. Recent changes to the AICPA s Code of Conduct now require CPAs to consider the cumulative effect of threats to their independence. Preparing financial statements is a typical nonattest service performed when engaged to audit or review financial statements, and when initially engaged to perform these attest services, the CPA anticipates conforming to Interpretation When not so engaged, CPAs should still consider whether to take steps to avoid impairing their independence. Sample Reports in Engagement Letters Many CPAs choose to include anticipated report language within their engagement letters. Doing so in engagement letters for services including both interim and annual financial statementss for periods before December 15, 2015, and after December 14, 2015, is convoluted when CPAs haven t early adopted SSARS No. 21. In recognition of the wish to shorten/ /condense engagement letters wherever possible, CAMICO has often suggested omitting the illustrative report from the engagement letter as a way to shrink engagement letters. However, we recommend CPAs engagement letters include the report language expected to be used when the CPA expects the report to differ from the standard report. The migration from SSARS No. 19 report language to that of SSARSS No. 21 isn t sufficient to warrant that engagement letters contain sample report language. Modifying engagement letters to include anticipated report language would be desirable whenn an anticipated deviation from the standard reporting language is contemplated for going concern issues or other financial statement matters the accountan believes should be emphasized (i.e., when the new AR C Section 80 compilation one paragraph report is unacceptable). If you early implement SSARS No. 21 for one client, must youu early implement for ALLL your clients? No. That decision is up to your firm and your clients. CPAs should study the new standard and become familiar with its requirements before meeting with clients to introduce them to the clarified review and compilation standards and the new preparation of financial statements service. When engaged to prepare comparative financial statementsts for a client for which an audit, review or compilation was performed for the prior period, must the CPA include orr reference the prior period s report? No. However, from a risk management perspective, CPAs asked or choosing to provide comparative financial statements for their preparation engagement clients should specify in their engagement letter that neither the prior period s report nor a reference to the prior report will be included in the comparative financial statements. Association with Financial Statements The AICPAA Auditing Standards Board (ASB), as part of its project to clarify the auditing standards, deleted AU section 504, Association With Financial Statements (AICPA, Professional Standards), expecting the ARSC to address thesee responsibilities. This guidance addressed accountants responsibilities when their IMPACT 104 August 2015 Page 5

7 names were associated with financial statements that the compiled. accountant had not audited, reviewed or The ARSC proposed a SSARS Association With Financial Statements, but later determined that the SSARS should not be issued. The proposal would have addressed instances when an accountant permits the use of the accountant s name in a report, document, or written communication containing financial statements on which the accountan had not issued a compilation, review, or audit report. In such cases, the accountant would have been required to read the financial statements in order to identify material misstatements, and if dissatisfied, request that management revise the financial statements, as appropriate. If management didn t revise the financial statements, ass appropriate, the accountant would not permit the use of the accountant s name. If the accountant permitted the use of the accountant s name, the accountant would have been required to determine that the financial statements were marked to indicate that no CPA provides any assurance on the financial statements or issue a disclaimer on the financial statements. CAMICO supports the decision not to adopt the proposal,, as doing so would have invited litigation suggesting CPAs had permitted (difficult to define or disprove) the use of their name in association with financial statements. The proposed SSARS would have applied regardless of whether the accountant prepared the financial statements. Peer Review Implications The previous significant changes to compilation and review standards occurred when the ARSC issued SSARS No. 19, effectivee for periods ending after December 14, Peer review results plunged and deficiencies increased dramatically when SSARS No. 19 took effect. Although not a risk management issue, if SSARS No. 21 s adoption follows SSARS No. 19 s track, peer review results may again plummet if practitioners don t take the time to learn and embrace the changes. SSARS No. 21 (AR C Section 80) mandates that reports accompany all compiled financial statements, so management use only (formerly SSARS 8) compiled financial statements will no longer be permitted for periods after December 14, Also, the ARSC chose to distinguish compilation reports from those for audits and reviews by altering the standard report to be one paragraph with no headings. There is no title required for compilation reports, and adding a title would defeat the objective of making compilation reports appear dramatically different from assurance engagements. However, additional paragraphs would be required whenever: financial statements are prepared in accordance withh a special purpose framework (formerly OCBOA ); management elects to omit substantially all requiredd disclosures; the CPA s independence is impaired; and IMPACT 104 August 2015 Page 6

8 the financial statements have a known departure from the applicable financial reporting framework the disclosure may be within the header, title, or legend. Each of the foregoing SSARS changes could trip up the unwary CPA. If currently subject to peer review, and the highest level of service your firm performs is the preparation engagement, you can opt out of peer review. However, if youu should laterr accept an engagement that would subject your firm to peer review, the date by which your peer review must be performed will be accelerated. Prospective Financial Statements SSARS No. 21 s clarified standards supersede the existing compilation guidance other than AR Section 120, Compilation of Pro Forma Financial Information. The AICPA chose to have the compilation of prospective financial information, previously contained within the Statements on Standards for Attestation Engagements, fall under the purview of the ARSC. As such, the ARSC is in the process of reviewing these standards and expects shortly to expose a draft standard addressing prospective financial statements (i.e., financial statement forecasts and projections). Initial impressions of thesee discussions suggest significant changes in this arena, as the ARSC appears to wish to fit much of the prospective financial statement services within the newly introduced preparation framework. CAMICO s own experience has shown that the ARSC seriouslyy considers feedback received on its exposure drafts. If your firm practices or is thinking about practicing in this arena, please consider reading and commenting upon the exposure draft once it is released. Understand the Exceptions to AR C Section 70 SSARS No. 21 provides for four exceptions to having to comply with AR C Section 70 when preparing financial statements and when not engaged to perform an audit, review or compilation of the financial statements. Those exceptions occur when the financial statements are (1)) to be included in personal financial plans, (2) in conjunction with litigation services, (3) in conjunction with business valuation services, and (4) solely for submission to taxing authorities. (Emphasis added.) Some may misinterpret the exception based on submission too taxing authorities as meaning CPAs preparing an entity s income tax returns would be allowed too prepare the entity s financial statements without complying with AR C Section 70. The preparation of financial statements exception when preparing tax returns does not mean that CPAs engaged to prepare tax returns may now circumvent AR C Section 70 s provisions. Instead, it means that income statements and balance sheets within an entity s federal income tax return do not count as financial statements subject to AR C Section 70. Educate Clients and Their Financial Statement Users IMPACT 104 August 2015 Page 7

9 SSARS No. 21 may be implemented early. Accountants shouldd read and understand the full text of the new section and have thorough discussions with their clients to ensure clients understand: the service nature of the service to be performed, whether the service will include a report, and whether a legend indicating the CPA provides no assurance will be present on each page of the financial statements. Some clients and their bankers or investors may have become used to, or expect to have, an accountant s report accompany financial statements. Bankers have long been prohibited from receiving management use only financial statements. The demise of the SSARS 8 financial statement service and the introduction of the preparation service are expected to result in fewer compilation engagements. CPAs must avoid the trap of assuming clients and their bankers will be satisfied with a preparation engagement. Many bankers unfamiliar with the new Standardd will likely wish to have a report accompany their clients financial statements. CPAs and clients should familiarize bankers and other financial statement users with AR C Section 70 s Preparation Engagement servicee and contrast the service with the compilation service. To avoid confusion and the related risk resulting from the expectation gap, CPAs should meet with clients and local bankers to educate them about the new standard. That way, users can make an informed decision regarding the financial statement that best suits their needs, and CPAs can avoid performing services that don t meett user expectations or needs. As always, CAMICO members can call for additional risk management guidance. Endnotes i 1136 Tenants Corporation v. Max Rothenberg and Company (1971) ii A bright line in SSARSs, Journal Of Accountancy, December 2014,, By Michael L. Brand, CPA, CGMA; Michael P. Glynn, CPA, CGMA; and Charles J. McElroy, CPA iii SSARSS No. 21, Section 70 paragraphs.10c and Application Paragraph.A11 iv AR C Section 70 paragraphs.10c,.14 and. A11 v The AICPA Code of Conduct s Nonattest Services subtopic [1.295] under the Independence vi Rule [ ] AICPAA Interpretation and AICPA Code of Conduct Rule 202 IMPACT 104 August 2015 Page 8

10 Compilation Addendum to Conform with SSARS No. 21 <Date> <Client Representative> <Client Name> <Client Address> Re: Engagement letter addendum required to comply with revised professional standards Dear <Client Representative>: As we agreed in our original engagement letter dated <date>, we are writing to notify you that our compilation of your December 31, 2015, financial statements requires we adhere to the clarified compilation standards effective for periods ending after December 14, The <monthly/quarterly> financial statements for the periods preceding your December 31, 2015 financial statements are unaffected. Only our compilation of your December 31, 2015 financial statements is impacted by these new standards. Our fees arrangements, <describe other matters addressed in prior engagement letter such as record retention> are not impacted by this addendum to that agreement. Compilation Services We will compile, from information you provide, the December 31, 2015 balance sheet and related statements of income, retained earnings, and cash flows of <Client Name> for the year ending <date>, and will issue an accountant's report on such financial statements in accordance with the compilation standards as set forth in the Statements on Standards for Accounting and Review Services issued by the American Institute of Certified Public Accountants. The objective of a compilation is to prepare financial statements in accordance with the financial reporting framework you select, based on information provided by you, and to apply accounting and financial reporting expertise to assist you in the presentation of the financial statements without undertaking to obtain or provide any assurance that there are no material modifications that should be made to the financial statements in order for them to be in accordance with that financial reporting framework. It is our understanding that you have selected accounting principles generally accepted in the United States of America (US GAAP) as your financial reporting framework and, as such, that is the framework we will use for this engagement. A compilation differs significantly from a review or an audit of financial statements. A compilation does not contemplate performing inquiry, analytical review procedures, or other procedures performed in a review. Consequently, the information provided by management will not be verified, corroborated, reviewed, or audited. Additionally, a compilation does not contemplate obtaining an understanding of the entity's internal control; assessing fraud risk; tests of accounting records by obtaining sufficient appropriate audit evidence through inspection, observation, confirmation, the examination of source documents (for example, cancelled checks or bank images); or other procedures ordinarily performed in an audit. Therefore, a compilation does not provide a basis for expressing any level of assurance on the financial statements being compiled. Because we are

11 performing our compilation work as accountants rather than as auditors, <Client Name> should not record or describe our services as an audit or auditing in its minutes or books of record. Our engagement cannot be relied upon to disclose errors, fraudulent financial reporting, misappropriation of assets, or illegal acts that may have occurred. However, we will inform the appropriate level of management of any material errors and of any evidence or information that comes to our attention during the performance of our engagement that fraud may have occurred. We will also report to the appropriate level of management any evidence or information that comes to our attention regarding illegal acts that may have occurred, unless they are clearly inconsequential. <Name of Firm Representative> is the engagement partner for the compilation services specified in this letter. <His/Her> responsibilities include supervising <Firm>'s services performed as part of this engagement and signing or authorizing another qualified firm representative to sign the compilation report. Responsibilities of Management Management is responsible for providing us with access to all information of which management is aware that is relevant to the preparation and fair presentation of the financial statements, such as records, documentation, and other matters, as well as additional information we may request for this engagement. Management will also provide us with unrestricted access to persons within the entity of whom we determine it necessary to communicate or make inquiries. By your signature below, you understand and agree that management is responsible for the accuracy and completeness of the records, documents, explanations, and other information provided to us, including management s significant judgments impacting the preparation and fair presentation of the financial statements. As outlined in this letter, we will assist in the preparation of your financial statements and we may advise you about appropriate accounting principles and their application, but the final responsibility for the preparation and fair presentation of the financial statements in accordance with the financial reporting framework you selected, US GAAP, remains with you. Also, as part of our engagement, we may propose standard, adjusting, or correcting journal entries to your financial statements. Management, however, has final responsibility for reviewing the proposed entries and understanding the nature and impact of the proposed entries to the financial statements. By your signature below, you acknowledge that you are also responsible for all management decisions and responsibilities including designating qualified individuals with the suitable skills, knowledge and experience, to be responsible and accountable for overseeing the preparation and fair presentation of your financial statements and any other nonattest services performed as part of this engagement. This includes designing, implementing and maintaining internal control relevant to the preparation and fair presentation of the financial statements that are free from material misstatement, whether due to fraud or error; as well as identifying and ensuring that the organization complies with the laws and regulations applicable to its activities. We will have no responsibility to identify and communicate deficiencies in your internal control as part of this engagement. Your signature below further acknowledges that you understand and agree that you are responsible for preventing and detecting fraud. Written Report

12 As part of our engagement, we will issue a report that will state that we did not audit or review the financial statements and that, accordingly, we do not express an opinion, a conclusion, nor provide any assurance on them. <If applicable add: We will disclose that we are not independent in our report.> If, for any reason, we are unable to complete the compilation of your financial statements, we will not issue a report on such statements as a result of this engagement. [Optional: Our report on the annual financial statements of <Client Name> is expected to read as follows: Management is responsible for the accompanying financial statements of <Client Name>, which comprise the balance sheet as of December 31, <year>, and the related statements of income, retained earnings, and cash flows for the years then ended, and the related notes to the financial statements in accordance with accounting principles generally accepted in the United States of America. We have performed compilation engagements in accordance with Statements on Standards for Accounting and Review Services promulgated by the Accounting and Review Services Committee of the AICPA. We did not audit or review the financial statements nor were we required to perform any procedures to verify the accuracy or completeness of the information provided by management. Accordingly, we do not express an opinion, a conclusion, nor provide any form of assurance on these financial statements. <If applicable: We are not independent with respect to <Client Name>.] If management elects to omit substantially all disclosures, we will include an additional paragraph that will read as follows: Management has elected to omit substantially all of the disclosures required by accounting principles generally accepted in the United States of America. If the omitted disclosures were included in the financial statements, they might influence the user's conclusions about the Company's financial position, results of operations, and cash flows. Accordingly, the financial statements are not designed for those who are not informed about such matters. By your signature below, you agree to include our compilation report in any document that contains the referenced financial statements which indicates that we have performed a compilation of such financial statements; and to obtain our written permission before releasing such information. We will be pleased to discuss this letter with you at any time. If the foregoing is in accordance with your understanding, please sign the copy of this letter in the space provided and return it to us. Sincerely,

13 <Accountant Name> <Firm Name> Acknowledged: <Client Representative> <Client Name> Date

14 Review Addendum to Conform with SSARS No. 21 <Date> <Client Representative> <Client Name> <Client Address> Re: Engagement letter addendum required to comply with revised professional standards Dear <Client Representative>: As we agreed in our original engagement letter dated <date>, we are writing to notify you that our review of your December 31, 2015, financial statements requires we adhere to the clarified review standards effective for periods ending after December 14, The <monthly/quarterly> financial statements for the periods preceding your December 31, 2015 financial statements are unaffected. Only our review of your December 31, 2015 financial statements is impacted by these new standards. Our fees arrangements, <describe other matters addressed in prior engagement letter such as record retention> are not impacted by this addendum to that agreement. Review Services We will review, from information you provide, the December 31, 2015 balance sheet and related statements of income, retained earnings, and cash flows of <Client Name> for the year ending <date>, and will issue an accountant's report on such financial statements in accordance with the review standards as set forth in the Statements on Standards for Accounting and Review Services issued by the American Institute of Certified Public Accountants. The objective of this review is to prepare financial statements in accordance with the financial reporting framework you select, and to obtain limited assurance as a basis for report whether we are aware of any material modifications that should be made to the financial statements in order for the statements to be in accordance with that framework. It is our understanding that you have selected accounting principles generally accepted in the United States of America (US GAAP) as your financial reporting framework and, as such, that is the framework we will use for this engagement. A review differs significantly from an audit of financial statements, in which the auditor provides reasonable assurance that the financial statements, taken as a whole, are free of material misstatement. A review does not contemplate obtaining an understanding of the entity s internal control; assessing control or fraud risks; testing of accounting records by obtaining sufficient appropriate audit evidence through inspection, observation, confirmation, or the examination of source documents (for example, cancelled checks or bank images); or other procedures ordinarily performed in an audit. Thus, a review does not provide assurance that we will become aware of all significant matters that would be disclosed in an audit. Therefore, a review provides only limited assurance that there are no material modifications that should be made to the financial statements in order for the statements to be in conformity with U.S. GAAP. Our review will consist primarily of inquires of company personnel and analytical procedures applied to financial data, and we will require a letter from management at the conclusion of our

15 review that confirms certain representations made during the course of our review. As we will not perform an audit of such financial statements, the objective of which is the expression of an opinion regarding the financial statements taken as a whole, we, accordingly, will not express such an opinion on them. Because we are not performing an audit, <Client Name> agrees not to record or describe our services as an audit or auditing in its minutes or other books of record. Responsibilities of Management Management is responsible for making all financial records and related information available to us and for providing us with unrestricted access to all individuals within <Client Name> with whom we determine it necessary to communicate. By your signature below, you understand and agree that management is responsible for the accuracy and completeness of the records, documents, explanations, and other information provided to us, including management s significant judgments for the engagement. The information provided by management, including the responses to our inquiries, will not be verified, corroborated, or audited. As outlined in this letter, we will assist in the preparation of your financial statements and we may advise you about appropriate accounting principles and their application, but the final responsibility for the preparation and fair presentation of the financial statements in accordance with US GAAP remains with you. Also, as part of our engagement, we may propose standard, adjusting, or correcting journal entries to your financial statements. Management, however, has final responsibility for reviewing and accepting the proposed entries and understanding the nature and impact of the proposed entries to the financial statements. By your signature below, you acknowledge that you are also responsible for all management decisions and responsibilities including designating qualified individuals with the suitable skills, knowledge and experience to be responsible and accountable for overseeing the preparation and fair presentation of your financial statements and any other nonattest services performed as part of this engagement. This includes designing, implementing and maintaining internal control relevant to the preparation and fair presentation of the financial statements that are free from material misstatement, whether due to fraud or error; as well as identifying and ensuring that the organization complies with the laws and regulations applicable to its activities. We will have no responsibility to identify or communicate deficiencies in your internal control as part of this engagement. In addition, your signature below further acknowledges that you understand and agree that you are responsible for preventing and detecting fraud, and for establishing and maintaining internal controls, including monitoring ongoing activities. Written Report We expect to issue an unmodified review report addressed to <Client Name> s board of directors. We cannot provide assurance that an unmodified accountant s review report will be issued. Circumstances may arise in which it is necessary for us to report known departures from U.S. GAAP, ad an emphasis-of-matter or other-matter paragraph(s), or withdraw from this engagement. If, for any reason, we are unable to complete our review of your financial statements, we will not issue a report on such statements as a result of this engagement.

16 [Optional: Our report on the annual financial statements of <Client Name> is presently expected to read as follows: We have reviewed the accompanying financial statements of <Client Name>, which comprise the balance sheet as of December 31, <year>, and the related statements of income, retained earnings, and cash flows for the year then ended, and the related notes to the financial statements. A review includes primarily applying analytical procedures to management s financial data and making inquiries of company management. A review is substantially less in scope that an audit, the objective of which is the expression of an opinion regarding the financial statements as a whole. Accordingly, we do not express such an opinion. Management s Responsibility for the Financial Statements Management is responsible for the preparation and fair presentation of these financial statements in accordance with accounting principles generally accepted in the United States of America; this includes the design, implementation, and maintenance of internal control relevant to the preparation and fair presentation of financial statements that are free from material misstatement whether due to fraud or error. Accountant s Responsibility Our responsibility is to conduct the review engagements in accordance with Statements on Standards for Accounting and Review Services promulgated by the Accounting and Review Services Committee of the AICPA. Those standards require us to perform procedures to obtain limited assurance as a basis for reporting whether we are aware of any material modifications that should be made to the financial statements for them to be in accordance with accounting principles generally accepted in the United States of America. We believe that the results of our procedures provide a reasonable basis for our conclusion. Accountant s Conclusion Based on our review, we are not aware of any material modifications that should be made to the accompanying financial statements in order for them to be in accordance with accounting principles generally accepted in the United States of America.] By your signature below, you agree to include our review report in any document that contains the referenced financial statements which indicates that we have performed a review of such financial statements; and to obtain our written permission before releasing such information. We will be pleased to discuss this letter with you at any time. If the foregoing is in accordance with your understanding, please sign the copy of this letter in the space provided and return it to us. Sincerely, <Accountant Name>

17 <Firm Name> Acknowledged: <Client Representative> <Client Name> Date

18 Marijuana Business Clients: Smokin Hot Issues for CPAs The marijuana industry is a prime example of a current, emerging and future risk area, given the number of perplexing difficulties CPAs face when trying to assess the special considerations pertaining to marijuana business clients and to the CPA firms that service such clients. At the heart of the difficulties is the split between federal law, under which marijuana is basically illegal, and the laws in states where voters or legislators have approved measures to allow the use of marijuana for medical and/or recreational purposes. Twenty three states have legalized marijuana for medical use, and four of those states, as well as the District of Columbia, have also legalized it for recreational use. i When states began passing laws to legalize marijuana, starting in 1996 with California allowing medical use, a state legal, federally illegal situation was created. Marijuana is listed on Schedule 1 of the federal Controlled Substances Act (CSA) of 1970 and as such has no currently accepted medical use, according to the CSA, leading to legal problems in states wishing to legalize medical marijuana. The U.S. Supreme Court reinforced the precedent of federal law over state law in 2001 (United States v. Oakland Cannabis Buyers Coop) and 2005 (Gonzales v. Raich) by ruling that the federal government has the right to regulate and criminalize marijuana even when state law allows for its use. ii Since then, the federal government has given states the opportunity to enforce their own marijuana laws, but when state enforcement has been inadequate on occasion (by federal standards), federal agencies have moved to enforce the laws themselves. For example, preventing the distribution of marijuana to minors is an enforcement priority of the U.S. Department of Justice (DOJ). If there is evidence that an entity is in violation of state law by operating too close to a school, playground, child care center, or library, the DOJ may take actions to close the entity. Those actions might result in news reports. Legal Recreational Use The legalization of recreational (or adult use ) marijuana began in Colorado and Washington when those states passed laws in Recreational sales to the public began on Jan. 1, 2014, in Colorado, and similar sales began in Washington on July 8, Alaska was the next state to do so, with its Measure 2, effective Feb. 24, 2015, and Oregon was the latest when Ballot Measure 91 took effect on July 1, Initiative 71, passed in Washington, D.C., became effective Feb. 26, 2015, allowing adults to possess up to two ounces of marijuana, to grow up to six plants, and to gift up to one ounce to other adults. Sales in D.C. remain banned, however, as the initiative process in D.C. does not allow spending mandates, which commercialization would require. By March 2014 in Colorado there were 190 recreational marijuana businesses projected to gross $1 billion in 2014 sales. iii The marijuana industry is growing, from $1.55 billion in 2013 to $2.7 billion in 2014, according to one research firm, with projections of future growth depending in part on how many other states legalize marijuana. If 16 more states were to legalize use, the market could grow to $11 billion annually by If all 50 states were to legalize it at some point in time, the market could grow to $36 billion or more, the equivalent of the organic food industry. iv IMPACT 104 August 2015 Page 1

19 Meanwhile, some basic questions for CPAs remain unanswered in many respects: Where does a thriving marijuana business find ethical, qualified and professional tax and accounting advice? Are the CPAs, attorneys, and other advisers who counsel such a business at risk of jeopardizing their practices or professional standing by working with them? Banking Problems Many marijuana businesses have to operate as cash only, as banks are understandably reluctant to accept money from businesses engaged in activities considered illegal under federal laws. The result is that marijuana businesses are susceptible to theft and robberies, requiring expensive security measures. Banks are also required to file a Marijuana Priority Suspicious Activity Report (SAR) if they believe a business is acting illegally, or a Marijuana Limited SAR if they believe the business is following state guidelines for legal sales. v Other complications for banks pertain to violations related to money laundering laws, especially banks with multinational operations exposed to drug cartels. The DOJ prosecutes banks it believes are violating such laws, and sentences can include lengthy prison terms. The potential for investment fraud is also present in the marijuana industry. In May 2014, the Securities and Exchange Commission issued an Investor Alert to warn investors about securities in the marijuana industry, and the SEC temporarily suspended the trading of securities in five companies operating in the industry. On April 30, 2015, U.S. Reps. Ed Perlmutter, D Colorado, and Denny Heck, D Washington, along with a bipartisan group of 16 other Republicans and Democrats, re introduced H.R. 2076, the Marijuana Business Access to Banking Act of The purpose of the bill is to create protections for depository institutions that provide financial services to marijuana related businesses and to resolve the banking crisis that marijuana related businesses are facing. vi Policy Issues The District of Columbia presents an interesting case study on the range of opinions on marijuana policy. By passing Initiative 71 in the November 2014 election, D.C. voters decriminalized possession of small amounts for personal use. However, the federal spending bill passed by Congress in December 2014 blocked the District from using any federal or local funds to implement Initiative 71, partly due to congressional objections to the use of marijuana for recreational purposes. However, Initiative 71 took effect after a 30 day congressional review period elapsed. The same December 2014 federal spending bill also prevents the DOJ from using funds to enforce federal law with medical marijuana programs acting in accordance with state laws; i.e., state laws must be adequately enforced. The federal CSA, however, still holds that there is no currently accepted medical use for marijuana (as a Schedule I drug). Some advocates believe that marijuana should be removed from Schedule I, which would acknowledge currently accepted medical use, but opponents in Congress disagree. The language in the Washington and Colorado proposals highlights some of the political issues. Washington s Initiative 502 called for a new approach. The intent of the law, as stated in its text: (1) Allows law enforcement resources to be focused on violent and property crimes; IMPACT 104 August 2015 Page 2

20 (2) Generates new state and local tax revenue for education, health care, research, and substance abuse prevention; and (3) Takes marijuana out of the hands of illegal drug organizations and brings it under a tightly regulated, state licensed system similar to that for controlling hard alcohol. The measure authorizes the state liquor control board to regulate and tax marijuana for persons 21 years of age and older, and to add a new threshold for driving under the influence of marijuana. vii Colorado s Amendment 64 cites similar interests, such as the efficient use of law enforcement resources, enhancing revenue for public purposes, and individual freedom. The amendment also calls for marijuana to be taxed and regulated in a manner similar to alcohol, and it states that legitimate, taxpaying business people, and not criminal actors, will conduct sales of marijuana, subject to additional regulations to ensure that consumer are informed and protected. Distribution to minors remains illegal, as is driving under the influence of marijuana. Other policy concerns pertain to a disproportionate enforcement of marijuana laws among the poor and people of color, giving rise to questions about whether the laws are being used by local governments in a fair and appropriate manner. At a time when incarceration rates are considered by many to be too high, governments may look for ways to reduce the number of arrests, and that may lead to legalizing and regulating activities that had been illegal and unregulated. The regulatory landscape at least appears to be moving toward more lenient penalties. viii Risk Management Considerations Opportunities for CPAs in the marijuana industry are just one side of the equation. The other side includes risk management issues as well as social and moral issues that have become national in scope and remain moving targets because of disagreement among Americans on how best to deal with them. For CPAs, though, the specific issues tend to boil down to whether CPAs should accept marijuana business clients. Some CPAs have had many marijuana business clients over the years and have been able to manage the related risks within their risk appetites. Entities engaged in growing, supplying, distributing and selling marijuana will seek professional assistance related to tax preparation, accounting, attestation, internal control evaluations and/or other financial services. Before accepting such an engagement, though, CPAs should carefully consider whether the prospective client would be a good fit for their firm. Is This a Client the Firm Would Like to Have? A variety of factors need to be considered in answering this question, ranging from the client s reputation and integrity to its commitment to appropriate accounting practices and to internal controls. Analyze the risks posed by the client by thinking backwards through time, a process that helps to promote a better analysis and review of relationships with new and continuing clients. These analyses and reviews are used to project the adverse situations that could develop in the future while representing the client. You then decide what, if any, decisions or choices can be made now to mitigate the potential damages to your firm in the event of such adverse developments. For example, spend time to evaluate and think about any potential damage to your firm s reputation by being associated with a marijuana business client. What if the client becomes the target of a federal IMPACT 104 August 2015 Page 3

21 investigation or prosecution, and the association between the client and the firm becomes public? Would your potential or existing clients view this association in a negative light? Federal investigation can come from several different agencies, including the federal Drug Enforcement Administration, the DOJ, and the Internal Revenue Service. If this occurs, your firm may be subpoenaed for documents and/or depositions for testimonies. Accountant Client Privilege Given that the accountant client privilege is limited and does not cover information obtained in providing tax compliance services, think ahead about what your firm would do if a client discloses something to you that could damage the client if revealed to a regulatory body. What can you do, or should you do, to mitigate the potential exposures to your firm if that were to occur? For example, you may want to clearly define in your engagement letter the limitations of the accountant client privilege, as well as to specify the conditions under which you will need to fully disclose information to regulatory and/or legal bodies. It may also be beneficial to include billing policies in your engagement letters and to clarify that clients would be responsible for your fees and reasonable copy charges when responding to subpoenas or depositions. The business implications of rendering services to marijuana business clients are significant aspects to your client screening assessment. There are high risk clients and high risk engagements. Some CPAs rank their clients according to how cooperative, knowledgeable, reasonable, difficult, or time consuming they are. Engagements can be ranked as well by the complexity of the work. Don t forget, though, to also include the reputational implications to your firm. Generally, difficult clients with complex work pose the highest risk to the CPA firm from a technical perspective, but clients that could pose significant harm to your firm s reputation are also of great risk from a business perspective. Other considerations are addressed in An Issue Brief on State Marijuana Laws and the CPA Profession, published on May 16, 2013, and updated on Jan. 5, 2015, by the AICPA with input from the Washington and Colorado state societies of CPAs. ix Client Screening A CPA firm presented with opportunities to take on marijuana business clients should consider the following client screening measures: Situational proficiency: What are your firm s skills and experience relative to professional standards, the complexity of your clients businesses, and the types of services you are asked to provide? Proficiency addresses the fit between the CPA firm and the situation, not just the technical aspects. Discuss your firm s potential legal ramifications with the firm s attorney. Discuss any illegal activities with those charged with governance of the client, and contemporaneously memorialize those discussions. In summary, your firm s client screening and retention policies should clarify and address your firm s risk tolerance for providing services to marijuana business clients. Clearly, a mismatch in client/firm fit can spell trouble and possibly expose your firm to reputational damage, disputes and even possible lawsuits. IMPACT 104 August 2015 Page 4

22 Federal Income Tax Treatment for Marijuana Business Clients Tax practitioners advising clients in this area must possess a good understanding of the relevant tax law. Although a business may be illegal under federal law, it is still obligated to pay federal income tax on taxable income. Marijuana (as a Schedule I controlled substance) is considered illegal under federal law, and its growth, distribution or possession is a federal crime. According to IRC 280E, no deduction or credit is permitted for amounts paid or incurred in carrying on any trade or business if such trade or business involves trafficking in controlled substances. For purposes of IRC 280E, the sale and/or distribution of marijuana are considered "trafficking". However, a marijuana business may reduce gross receipts by the cost of goods sold (COGS) in order to determine gross income. The reason for this disparity is simple: deductions are considered legislative grace, while determining gross income is not. Determining COGS is not simple and is beyond the scope of this article. However, a good place to start would be recently issued guidance from the IRS Office of Chief Counsel. IRS Chief Counsel Advice Memorandum x provides guidance regarding the capitalization of inventory costs and deduction of cost of goods sold for taxpayers considered to be trafficking in Schedule I and II controlled substances (see CCA ). The memorandum also provides the method for determining the COGS for marijuana dispensaries. Accounting Treatment for Marijuana Businesses Clients Even though certain marijuana related business activities are currently legal under certain state laws, marijuana is still considered an illegal substance under federal law. Consequently, the accounting treatment for entities engaged in such activities requires special consideration. Illegal acts are addressed by AU C 250 (SAS No. 122), AR 80 and AR 90 (SSARS No. 19), and AR C 90 (SSARS No. 21). Professional standards do not preclude issuing a clean report on financial statements of an illegal venture as long as there is no scope limitation and the financial statements have the appropriate disclosures. Transparency in financial reporting is the best approach from GAAS, SSARS, financial reporting framework (e.g., U.S. GAAP) and risk management perspectives. The following are suggestions for a CPA firm faced with this client issue: Discuss the potential legal ramifications to the firm with the firm s attorney. Discuss the illegal activities with those charged with governance of the client, and contemporaneously memorialize those discussions in writing. Be certain that the financial statements appropriately disclose any related party interest, the nature of the relationship, the marijuana business, that the state considers this activity to be legal, that the U.S. federal government considers the activity to be illegal, and note that the federal government s current policy is not to target marijuana distributors unless they violate both federal and state laws. The financial statements should also include a contingency footnote describing the illegal activity and the potential consequences to the client. Obtain a representation letter from the client describing the activities and the client s estimates (if any) of the potential consequences of this association/business. It is management s obligation to estimate the potential consequences, and the CPA s responsibility to assess the IMPACT 104 August 2015 Page 5

23 reasonableness of those representations. The representation letter should document the basis for the financial statement reporting of this matter. Add an emphasis of matter (EOM) paragraph to the auditor/accountant s report to draw attention to the situation. If the client does not have an estimate of the potential consequences, that fact should be noted in the EOM paragraph. Disengage if the client refuses to provide either the representations requested or the financial statement presentation proposed by the CPA. Note that the financial reporting treatment is not impacted by the level of service (audit, review, compilation). The financial reporting presentation would be the same regardless of the level of service, as the financial statement presentation is a financial reporting framework issue. SSARSs permit compiled financial statements that omit substantially all disclosures. However, to highlight the situation, CAMICO strongly encourages practitioners compiling financial statements that omit substantially all disclosures to add an EOM paragraph to their compilation reports, add the disclosures described above, and label the disclosure Selected Information Substantially All Disclosures Required by <Financial Reporting Framework> Are Not Included, as required by the SSARSs for compilations when some, but not all disclosures, are present. The above suggested disclosures would add clarity and reduce the potential risk to the CPA firm were a third party to later allege the CPA conspired with the client in producing misleading financial statements that harmed the third party by not disclosing this activity. For additional information on addressing risk management considerations, please refer to the preceding section in this article on Risk Management Considerations. As always, CAMICO policyholders can contact the Loss Prevention department with any questions, either by calling , or ing lp@camico.com. IMPACT 104 August 2015 Page 6

24 Endnotes i National Conference of State Legislatures, medical marijuanalaws.aspx ii An Issue Brief on State Marijuana Laws and the CPA Profession, updatedjan2015.pdf (The Department of the Treasury issued guidance for banks on Feb. 14, 2014, and reiterated the eight priority factors cited earlier by the DOJ: Preventing distribution to minors. Preventing revenue from marijuana sales from funding criminal enterprises. Preventing legal marijuana from being transported over state lines to where it s not legal. Ensuring that state sanctioned marijuana businesses aren t fronts for illegal activity. Keeping guns and violence out of the legal marijuana supply chain. Preventing drugged driving. Avoiding growing marijuana on public lands. Keeping marijuana off of federal property. (The DOJ released a memorandum on Aug. 29, 2013, known as the Cole Memo (after Deputy Attorney General James Cole) on Guidance Regarding Marijuana Enforcement, which states in part that the DOJ expects states to create strong and effective regulatory and enforcement systems... with a tightly regulated market The guidance also states, If state enforcement efforts are not sufficiently robust the federal government may seek to challenge the regulatory structure itself in addition to continuing to bring individual enforcement actions, including criminal prosecutions ) iii Internal Revenue Service Advisory Council (IRSAC) 2014 Public Report, IRSAC Full Report.pdf iv The State of Legal Marijuana Markets, 3 rd Edition, ArcView Market Research, v An Issue Brief on State Marijuana Laws and the CPA Profession (see preceding) vi Colorado lawmaker fights to ease marijuana banking, Denver Business Journal, lawmaker fights to ease marijuana banking.html vii Initiative Measure No. 502, viii The State of Legal Marijuana Markets (see preceding) ix An Issue Brief on State Marijuana Laws and the CPA Profession (see preceding) x Office of Chief Counsel, Internal Revenue Service, Memorandum Number ( wd/ pdf) IMPACT 104 August 2015 Page 7

25 Test Your Cyber IQ Cyber security has become a major risk concern for CPA firms of all sizes across the country. Trusted advisers such as CPAs should therefore be well informed about preventive measures in order to assist their firms and clients with the pre breach environment, and to reduce the high costs associated with the post breach environment. Take this 15 question cyber IQ quiz to find out how prepared you are. Please select the best answer out of those presented: 1) What is a data breach? a. A laptop is lost or stolen, and it has employee personally identifiable information (PII) on it b. There is unauthorized access to your computer system and PII is taken c. Paper files containing PII are stolen by an employee. d. a. and b. e. a., b. and c. 2) Most states have PII security laws that require notification if a company suffers a breach. Which companies and professional organizations are subject to these notification requirements? a. All companies b. Only large companies c. Only public companies d. Only companies in the medical and financial services industries 3) Which take precedence in the event of a data breach? a. Federal laws b. State laws c. Federal or state law; whichever is more restrictive d. Generally Accepted Privacy Principles (GAPP) 4) Which of the following should be encrypted to protect PII? a. Hard drives b. Electronic data c. Electronic files d. E mail e. a., c. and d. f. a., b., c. and d. 5) Which of the following would you not immediately contact if you suspect a breach: a. The firm s attorney b. The firm s cyber insurance carrier c. The firm s managing partner d. Law enforcement 6) What does a kill switch feature do? IMPACT 104 August 2015 Page 1

26 a. Disables smart phones. b. Provides remote security to tablets and laptops. c. Neither a. nor b. d. Both a. and b. 7) If the CPA is using cloud services to process PII, who is primarily responsible for ensuring the confidentiality of the information? a. The CPA b. The cloud services provider c. Neither 8) Cloud services providers should be willing to: a. Make a contractual commitment to support compliance with applicable laws and regulations b. Undergo external audits and security certifications, such as Service Organization Control (SOC) 1, 2 or 3 reports c. Implement measures for physical security as well as data security d. a. and c. e. a., b. and c. 9) How might an employee s computer become infected with a drive by download? a. The employee s mobile device gets too close to another mobile device b. The employee visits a malicious website c. The employee downloads a file from the Internet d. a. and b. e. a. and c. 10) You receive an e mail message informing you of an issue with your bank account. The message includes a phone number to call as well as a link to access your account. The message format is similar to others you've received from your bank; however, you are aware of phishing scams and want to be careful. What is your best course of action? a. Delete the b. Look for suspicious elements in the , and if you feel it is legitimate, then click on the link but don t enter any information c. Call the bank directly using the phone number provided on the back of your bank card 11) When recycling or disposing of hard drives, which of the following are best practices? a. Creating an audit trail of serial numbered inventory of equipment b. Obtaining vendor certification that personal data has been destroyed c. Pounding the drive with a hammer until it is unusable and tossing it into a trash can d. a. and b. e. a., b. and c. 12) In the event of an actual or potential PII breach, which of the following is a correct initial response to the incident? a. Stop the source of the incident by turning off or rebooting the system. b. Do not turn off or reboot any systems. IMPACT 104 August 2015 Page 2

27 13) When discussing or communicating a potential PII incident, avoid using the term(s): a. lost laptop b. potential malware intrusion c. breach 14) When discussing or communicating the incident, which of the following is least preferred? a. communication on a need to know basis b. face to face communication c. communication d. telephone communication 15) When using a cloud services provider that stores information overseas, which of these two options is safer: a. a U.S. based provider with a foreign branch b. a foreign based provider with a U.S. branch IMPACT 104 August 2015 Page 3

28 Answers 1) Answer: e. a, b. and c. Ascertaining a legally defined breach is a complex process and requires the assistance of an expert specializing in security issues. A breach can be the loss of laptop or paper records, or the theft of these records in person, or over the Internet, or the accidental posting of personally identifiable information (PII) on the Internet. The list goes on and on. If you suspect a breach, contact your attorney and other risk advisers. Some definitions: The U.S. General Services Administration in its Oct. 29, 2014, memo on GSA Rules of Behavior for Handling Personally Identifiable Information (PII) defined data breach as including the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users with an authorized purpose have access or potential access to Personally Identifiable Information, whether physical or electronic. In the case of this policy, the term breach and incident mean the same. The GSA memo also defined Personally Identifiable Information (PII) as information about a person that contains some unique identifier, including but not limited to name or Social Security Number, from which the identity of the person can be determined. The federal Office of Management and Budget (OMB, memo M 10 23, June 25, 2010), stated: The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case by case assessment of the specific risk that an individual can be identified. In performing this assessment, it is important for an agency to recognize that non PII can become PII whenever additional information is made publicly available in any medium and from any source that, when combined with other available information, could be used to identify an individual. 2) Answer: a. All companies. State PII laws differ by state, but most states require that once a company has determined it has been breached, or PII has been accessed by an unauthorized party, the company must notify the office of the state Attorney General and, in many cases, other state agencies. The mandated time period for reporting to notify the state and potentially impacted parties varies from a reasonable time period to 30 or 60 days. Many states require companies to indicate how they plan to secure PII and what they will do if their PII is breached. 3) Answer: c. Federal or state law; whichever is more restrictive. The federal laws take precedent if they are more restrictive than the state laws, but the state laws take precedent if more restrictive than the federal laws. In addition, most federal laws give the power to the state Attorney General to levy fines. Further, many state laws require a company to be compliant with that state s law if a company in another state has the PII of a resident of the first state. The prime example is Massachusetts, which requires a company to comply with its laws, regardless of where the company resides, if the company has PII of a Massachusetts resident. In some cases if a company does not verify that its vendors are in compliance, it must communicate not having taken these precautions with all potentially impacted parties. In other cases the PII laws of foreign countries have to be respected as well. GAPP is not IMPACT 104 August 2015 Page 4

29 law but criteria developed by the AICPA and CPA Canada to assist organizations with the management of confidential information. 4) Answer: f. a., b., c. and d. Hard drive encryption secures data in the event a computer is lost or stolen. Data encryption protects PII such as Social Security numbers. File encryption protects files and attachments, such as a PDFs encrypted with a password or passphrase. digital certificates protect entire messages, including the body of the message, as part of a subscription service. 5) Answer: d. Law enforcement. The firm will first need to verify whether a breach has actually occurred as defined by state and federal laws, and the firm s attorney, cyber insurance carrier, and managing partner will help make that determination. If a breach has occurred, the next steps would be to comply with state and federal laws, which may require reporting to law enforcement. 6) Answer: d. Both a. and b. Remote security is especially useful in preventing access to protected files in the event a computer, tablet, smart phone or USB storage drive has been lost or stolen. Encryption policies and other protective actions can be managed by the firm or by a third party managed service provider (MSP). Some services are available by online subscription, without the need to purchase or support hardware or software infrastructure. 7) Answer: a. The CPA is responsible and should perform the necessary due diligence to address any potential threats to compliance with the Confidential Client Information Rule. Therefore, before disclosing confidential client information to a third party service provider, a CPA should do one of the following: a) Enter into a contractual agreement with the third party service provider to maintain the confidentiality of the client information and ensure that appropriate procedures/safeguards are in place to protect such information. b) Obtain specific consent from the client before disclosing confidential information to the third party service provider. 8) Answer: e. a., b. and c. Cloud services providers should be willing to provide several types of assurances to CPAs regarding the security of client information, including an incident response plan. As part of the plan, the provider and the CPA should determine ahead of time who will lead the response team, prepare client notifications, and provide legal counsel. The provider should also have insurance in place to cover the damages resulting from a breach. Otherwise, the CPA firm may be responsible for such damages a good reason for the firm to have cyber insurance coverage in place. 9) Answer: b. The employee visits a malicious website. An employee s computer could become infected with malware from a malicious website just by visiting it, without stopping to click or accept any software. This method of infection is usually limited to users with unpatched or out of date software that has a security flaw. 10) Answer: c. Call the bank directly using the phone number provided on the back of your bank card. This is the best approach, even if the message appears to be legitimate. Use a phone number that you already know and trust to be the bank when calling to verify, not a number within the . Never click links or visit websites included or mentioned IMPACT 104 August 2015 Page 5

30 Scoring in any suspicious or unfamiliar or senders. By hovering the cursor over links without clicking them, you can sometimes gain more information and assurance, but not always. 11) Answer: d. a. and b. Hard drives and other computer components need to be recycled, due to the metals they contain. The Environmental Protection Agency has been known to impose substantial fines for companies not documenting proper computer disposal. Use a reputable data destruction vendor that will certify destruction when recycling computers. 12) Answer: b. Do not turn off or reboot any systems. First record critical facts regarding the incident, such as date and time the incident was discovered, who discovered the incident, what occurred, what systems, applications and information were potentially compromised, and what data elements were included (e.g., name, date of birth, Social Security number, or any other PII). Once this information has been recorded, the affected systems should be backed up or mirrored to enable future analysis, including forensic analysis. 13) Answer: c. breach. Using the term breach can trigger legal obligations. Instead, refer to the event as a security incident or simply what it is, such as a lost laptop or potential malware intrusion. Your attorney and other risk advisers will help you determine whether a breach, as defined by law, actually occurred. 14) Answer: c. communication. Care must be taken in managing communications and discussing the incident. Limit discussions to a need to know basis, with communications taking place over the phone or face to face rather than by , which may be compromised if an incident is still in progress. 15) Answer: a. a U.S. based provider with a foreign branch. If your firm outsources work containing PII, the more contacts an offshore provider has in the U.S., the more legal recourse the client and CPA have in the event of an unauthorized PII disclosure. Comment slide: Did you find this quiz useful? Please provide any comments, suggestions or other feedback. Thank you. 13 to 15 correct = Excellent. Keep it up! 10 to 12 = Good. Build your knowledge! 9 or less correct = Fair. Time to brush up! A good place to begin building and brushing up your knowledge is the Identity Theft and Data Security Resource Center on the CAMICO Members Only Site (). IMPACT 104 August 2015 Page 6

31 Return Due Dates Change The Surface Transportation and Veterans Health Care Choice Improvement Act of 2015 changes the due dates for partnership and corporate income tax returns as well as for FinCEN Form 114, Report of Foreign Bank and Financial Accounts (FBAR), among other items. For taxable years beginning after Dec. 31, 2015, the Act changed certain return due dates. These changes won t impact payments made during calendar year 2016, but do impact payments to be made in 2017 and beyond: Partnership returns will be due on the 15 th day of the third month following the close of the taxable year (March 15 th for calendar year partnerships). C corporation returns will be due on the 15 th day of the fourth month following the close of the taxable year (April 15 th for calendar year corporations). S corporation returns will continue to be due on the 15 th day of the third month following the close of the taxable year. C corporations with tax years ending on June 30 th will continue to have a due date of September 15 th until taxable years beginning after Dec. 31, For years beginning after 2025 (10 years from now), the due date for these returns will be extended to October 15 th. The due date for FinCEN Form 114 (FBAR) is accelerated from June 30 th to April 15 th, but taxpayers are now permitted a six month extension to file the form. In brief, beginning in the 2017 calendar year: Partnership returns are due March 15 th instead of April 15 thh (for calendar year partnerships); or the 15 th day of the 3 rd month following the close of the partnership s taxable year. C corporation returns are due April 15 th instead of March 15 th (for calendar year corporations); or the 15 th day of the 4 th month following close of the corporation s taxable year (except for fiscal years ending June 30 th t ). FinCEN Form 114 (FBAR) is due April 15 th instead of June 155 th; taxpayers are allowed a 6 month extension. States may not automatically conform to any of these due date changes, so separate legislation willl be required to change the applicable state due dates for these returns. Additional changes are likely, as the Act directs the IRS to make regulatory changes to a number of other extension deadlines. More information may be found at: // return due dates changed html IMPACT 104 August 2015 Page 1

32 Don t Miss Out on Free CPE CAMICO offers several hours of free CPE to policyholders each year through webcasts on the LearnLive platform ( We provide education on risk management specifically for CPA firms, brought to you by our experts, many of whom are CPAs themselves. You won t find this level of expertise and depth of risk management content anywhere else. CAMICO webcasts are an outstanding way to fulfill CPE requirements, and they offer a number of advantages. For example, our webcasts: 1) are FREE to all members of CAMICO policyholder firms and can save your firm hundreds of CPE dollars per firm member; 2) offer NASBA accredited group live CPE credits; and 3) are interactive, enabling participants to ask questions and get live answers directly from risk management experts. Webcast topics being offered over the next several weeks are listed below, and more topics and dates will be announced via to policyholders soon for September through December. Challenges Facing Accounting Professionals: The Past, The Present, and the Future Disengaging: The Why, When and How to Fire Clients Ethical Dilemmas and War Stories: What Would You Do? Fraud and Embezzlement: Risk Management Strategies Fraud Understanding, Communicating and Addressing Its Risks High Duty Engagements: Rules, Risks and Tools (including Business Management, Family Office, Trust and Closely Held Business Engagements) Risk Management Implications of Implementing SSARS No. 21 Serving on Boards You Know the Benefits Do You Know the Risks? Self Study Courses (available on demand): Harassment: Response, Prevention, and Protection Cloud Computing: Doing Business in the Cloud Policyholders can go directly to LearnLive s website to enroll in webcasts and view the most up to date schedule. Simply go to If you already have a LearnLive account, log in under Student Login with your username and password (note: this will be different from the username and password you use to access the CAMICO Members Only Site at ). To create an account, click New Student Registration and fill out the form. The company pass code is Don t miss out on these free educational opportunities! IMPACT 104 August 2015 Page 1

33 CAMICO Named Business of the Year CAMICO was recently honored by the Washington Society of Certified Public Accountants (WSCPA) as the society s Business of the Year. Rich Jones, CPA, CGMA, president and CEO of the WSCPA, presented the award to CAMICO at the company s Annual Meeting in San Mateo, Calif., on June 9, The WSCPA has been a sponsor of the CAMICO program since 1997, and CAMICO has actively participated in WSCPA conferences, events, meetings and publications by providing speakers, articles, updates and alerts on risk management topics of concernn to CPAs. In presenting the award, Jones said, This recognizes the noteworthy support that CAMICO has provided over the past 18 years to the WSCPA and its members. We have tremendous respect for the company and its leaders, and we are proud to be partners with CAMICO. Ric Rosario, CPA, CFE, CGMA, CAMICO president and CEO, accepted the award on behalf of the company, commenting, It has been an honor to be partnering with the Washington Society over the years, and we look forward to our productive relationship continuing with the WSCPA for many more years to come. The CAMICO program is also sponsored by state CPA societies and associations in Arizona, California, Colorado, Greater Washington D. C., Indiana, Kansas, Mississippi, Missouri, Nevada, New Jersey, New York, South Carolina, Tennessee, Utah and Virginia. Ric Rosario (r) accepts Businesss of the Year honors from Rich Jones. IMPACT 104 August 2015 Page 1

34 Policyholder Social Media Survey Results In the preceding issue of IMPACT (103), we asked readers to complete a brief survey to help CAMICO better understand the social media habits and practices of our policyholders. Here are highlights of the survey results: 1) Most survey respondents (56% to 84%) use social sites such as Facebook, Twitter, LinkedIn and YouTube for both professional and personal purposes. 2) Respondents access social networking sites for work/professional reasons between once a week and a few times a week. 3) Most respondents access social sites on Saturday (57%) and Sunday (58%). 4) Over 90% of respondents spend less than 30 minutes on average during each social media visit. 5) Over 90% of respondents prefer to read just short posts in one social media session. 6) The majority of respondents use social media/networkingg sites for: a) professional networking, and joining professional groups and online communities (92%); and b) sharing and exchanging information with CPA peers/followers (90%). 7) When asked what kind of information they would be interested in, or would more likely read on CAMICO social media sites, common responses were: a) a forum/group where readers can ask questions and solicit feedback on CPA trends and issues (92%); b) industry news, industry expert insights ( 89%); and c) webinars, videos, podcasts (87%). We appreciate the time and thought given by those of you who chose to participate, and we ll be incorporating your feedback into our own social media activity. Questionss regarding the survey can be directed to marcom@camico.com. IMPACT 104 August 2015 Page 1

35 CAMICO Receives B+ (Good) Rating with Stable Outlook CAMICO financials remain sound after five consecutive years,, 2010 through 2014, in which CAMICO s net income and policyholder surplus have grown. All key financial ratios have not only returned to the normal levels of the years prior to 2008, but these ratios havee improved to levels greater than the best years in CAMICO s history. CAMICO is also continuing to resolve older legacy claims still open from the years before 2009, when the CAMICO operating structure was enhanced. Recent volatility from those years has prompted A.M. Best Company to issue a slight downgrade of CAMICO s financial strength from B++ (Good) to B+ (Good). This rating keeps CAMICO in the upper echelon of Secure insurers. In A.M. Best s words, a Good rating is assigned to companies that have, in our opinion, a good ability to meet their ongoing insurance obligations. A.M. Best also issued a stable rating for CAMICO, which assures our commitment and service to our policyholders. A key result of CAMICO s enhanced operating structure is its new strategicc relationship with Berkley Alliance Managers, a W. R. Berkley Company, combining CAMICO s strong market position and expertise with W. R. Berkley Corporation s financial strength and capacity, rated A+ (Superior) by A.M. Best. This positions CAMICO to offer the best program available to larger CPA firms and those CPA firms requiring an A rated solution. The CAMICO board of directors and leadership team are continuing to take steps to improve CAMICO s rating, strengthen surplus, control costs, improve profitability, and furtherr embed superior policyholder service into the company culture. The focus will remain on: 1) continued expense management; 2) promoting losss prevention and risk management processes; 3) diversification of risk by growing the CAMICO and CAMICO Berkley programs; and 4) growing our share in all states where we operate. CAMICO also maintains a strong reinsurance program supported by A rated reinsurers and remains committed to its mission of protecting, advising and solving problems for CPAs. More information on CAMICO s financial strength is available in this IMPACT (see Financial Strength. ) IMPACT 104 August 2015 Page 1

36 > financial strength CAMICO s financial results for 2014 reflect the program s continuing success in strengthening its financial position and posting profitable years. The year 2014 was the fifth consecutive year of growth in policyholder surplus and net income. Contact US CAMICO Mutual Insurance Company 1800 Gateway Drive Suite 300 San Mateo, CA T: F: E: inquiry@camico.com Surplus grew from $38.5 million in 2013 to $39.2 million in 2014, a 1.7 percent growth in surplus over 2013 Net income has grown since 2009 $945,000 was posted in 2010, $1.4 million in 2011, $1.1 million in 2012, $1.2 million in 2013, and $1.5 million in CAMICO also continues to improve key capital adequacy ratios tracked by regulatory institutions and rating agencies, such as the Department of Insurance and A.M. Best Company. Key ratios have not only returned to the normal levels of RBC Ratio RBC Ra&o the years prior to 2008, but these ratios have improved to levels greater than the best years in CAMICO s history. For example, CAMICO s Risk-Based Capital (RBC) ratio, a capital adequacy standard used by the National Association of Insurance Commissioners and state insurance regulators, has not only returned to the above-normal levels of the years prior to the recession, but our RBC ratio has been at its highest levels in CAMICO history for the past three years ( ; see chart.) This information is provided as a general overview. Professional Liability insurance coverage may be underwritten by CAMICO Mutual Insurance Company. Alternatively, coverage may be underwritten through CAMICO Insurance Services, a wholly owned subsidiary of CAMICO Mutual Insurance Company, by Great Divide Insurance Company or Nautilus Insurance Company; both member companies of W. R. Berkley Corporation. Each company is solely responsible for the policies it issues CAMICO Mutual Insurance Company. All Rights Reserved. CMIFS

37 Best s Capital Adequacy Ratio (BCAR) is one of the components A.M. Best uses to provide an opinion on an insurance company s balance sheet strength. CAMICO s BCAR is also now at historically strong levels. CAMICO has always been well within A.M. Best s Secure category of insurance companies, even after the impacts of the recession, and has steadily improved its capital adequacy position ever since. Other major factors include: CAMICO s annual policyholder renewal rate of more than 93.9 percent in 2014 for the entire program, indicating high policyholder satisfaction with CAMICO s top quality services. CAMICO in the normal course of its business, reinsures certain risks with other companies through contractual agreements. It utilizes its reinsurance program to cede severe/high-limit losses and to limit yearly aggregate losses in order to protect surplus and maintain conservative operating ratios. CAMICO s reinsurance partners are all rated A for financial strength by A.M. Best and S&P. The mutual foundation of CAMICO aligns the company s interests with the interests of CPAs in public practice across the country, propelling the program forward in a strong and profitable manner and building long term value for CAMICO policyholders. The steady growth in the total number of CAMICO policyholders for 23 years a number that grew from 8,143 in 2013 to 8,400 in CAMICO Mutual Insurance Company 1800 Gateway Drive, Suite 300, San Mateo, CA 94404

38 CAMICO Appoints VPs of Claims, Marketing and Sales CAMICO has recently appointed two vice presidents: Kenneth Wigboldy, CPCU, vice president of claims, and Brian Guthrie, vice president of marketing and sales. Wigboldy joined CAMICO in October 2014 and is responsible for CAMICO claims operations. He has more than 30 years of insurance industry experience in various claims positions, most recently with The Hartford Financial Insurance Group, Inc., as regional vice president, general liability field claims, responsible for claims management in 29 states. He began his insurance career in products liability and general liability claims with Sentry Insurance, where he was promoted to senior commercial claims manager and then to regional auto claims director. After joining The Hartford as a claims manager, Wigboldy was promoted to director of property and auto field claims before becoming regional vice president. An alumnus of Calvin College in Grand Rapids, Mich., with a Bachelor of Science in economics and mathematics, he is a member of the Society of Chartered Property and Casualty Underwriters. Guthrie joined CAMICO in June 2015 and is responsible for CAMICO marketing, communications and sales. He has more than 30 years of experience as an insurance executive with the Allstate Corp., most recently as director of marketing for Encompass Insurance Co., responsible for the independent insurance agency channel and strategic growth. Prior to his role with Encompass he was a senior regional marketing manager, directing marketing strategies for Allstate s automotive, homeowners and specialty insurance product lines in Ohio, Michigan and Indiana. Guthrie started his career as a supervisor and was promoted to field operations manager, again promoted to senior field operations manager, and then to product line manager, responsible for managing and marketing specialty lines products. He earned a bachelor s degree in history from Ripon College and recently received a certificate in data driven marketing from ecornell. Ken s and Brian s talents and experience contribute significantly to the CAMICO program, and their participation on our team further enhances the broad, effective support we provide our policyholders, said Ric Rosario, CPA, CFE, CGMA, CAMICO CEO. IMPACT 104 August 2015 Page 1