Audits Home in on Cybersecurity

In 2018, U.S. organizations that suffered a data breach lost an average of $7.91 million as a result. That’s the highest average organizational cost of all the countries and regions covered in the 2018 Cost of a Data Breach Study by IBM and independent research firm Ponemon Institute. Malicious or criminal attacks were the source of more than half of those breaches, rather than system glitches and human errors.

With so much at stake, it’s no surprise that auditors consider these issues when conducting their audit risk assessments. This audit season, prepare to answer questions about cybersecurity and the effectiveness of your company’s internal controls against cyberthreats.

Inspections of public companies

In recent years, Public Company Accounting Oversight Board (PCAOB) inspectors have interviewed auditors of companies that have experienced a breach of their computer systems to find out how the auditors and their firms responded to the incidents. They report that auditors today are increasingly focused on matters related to cybersecurity.

Audit firms have provided varying levels of guidance, both when assessing risk at the start of an engagement and when uncovering a cybersecurity incident that occurred during audit fieldwork or the period under audit.

“Many of the firms are actually factoring cybersecurity issues into their risk assessment at this point in time, and there is a real focus on developing real understanding about cybersecurity incidents,” reported William Powers, deputy director for technology in the PCAOB’s Division of Registration and Inspections.

Audit inquiries

Possible questions that auditors might ask during fieldwork include:

  • How does management identify and prioritize cyberrisks?
  • What kind of internal controls has management established to safeguard digital assets and sensitive data (such as formal policies and procedures, employee training and the use of security analytics)?
  • How does management monitor internal controls to ensure effective operation?
  • Does management have a detailed breach response plan?
  • If a breach occurred during the accounting period, how did management respond and how much did it cost?
  • Has the company purchased cyber liability and breach response insurance?

The PCAOB hasn’t yet found any material misstatements on a public company’s financial statements as a result of a cybersecurity breach. But there’s a risk that future attacks may affect financial reporting. So, the PCAOB is planning to expand its inspection program to explore what auditors are doing to protect clients’ data and stakeholder data.

Universal risk factor

PCAOB inspectors target audits of public companies. But private companies can also be victims of cyberattacks — and the effects may be even more devastating for companies with fewer resources to absorb the losses and assign dedicated staff to respond to breaches.

The increasing frequency and severity of cyberattacks underscore the need for auditors of entities of all sizes to update their procedures. It’s our job to ask key questions about cyberrisks and the effectiveness of your internal controls. The answers, in turn, can help you formulate more effective governance strategies.

© 2019

Cybersecurity Matters

Investors, lenders and other stakeholders have been vocal in recent years about pushing companies to provide more information in their financial reports about cybersecurity. Could your company do a better job disclosing cyberrisks and recent hacks?

Most public companies could do better, according to recent testimony during congressional hearings by Jay Clayton, Chairman of the Securities and Exchange Commission (SEC). Here are ways his agency is attempting to “refresh” the disclosure guidance.

Updating the guidance

The SEC doesn’t expect to overhaul its Disclosure Guidance: Topic No. 2, Cybersecurity. Rather, it plans to consider whether important information about cybersecurity should be disclosed to stakeholders within the context of the existing rules. For example, companies may need to beef up their management’s discussion and analysis (MD&A) and footnote disclosures to reflect potential cyberrisks and material financial implications of data breaches.

The current guidance on cybersecurity, which was published in 2011, doesn’t include a specific requirement for companies to disclose computer system intrusions. The SEC’s effort to update the guidance comes amid concerns that more public companies have been experiencing attacks on their computer systems, but their disclosures haven’t been timely or informative enough.

Changes in the works

Regulators at the SEC don’t know whether the update will be issued in the form of staff-level guidance or a regulatory release approved by the SEC’s commissioners. But they’ve decided to address two key areas in the update:

  • Financial reporting controls and procedures that identify and disclose cybersecurity threats in a timely manner, and
  • Corporate strategies and policies regarding cybersecurity prevention, detection and breach response.

Many companies welcome additional guidance from the SEC, because it can be difficult to determine the appropriate time to disclose a hack into their systems.

On the one hand, companies feel a responsibility to share relevant information openly and honestly with stakeholders. On the other, they don’t want to prematurely disclose information about a breach before they know the extent of the damage or to release inaccurate information that later needs to be revised. Company insiders may also be working with law enforcement, in which case they don’t want to disclose information that could compromise the investigation.

Team approach

Regardless of whether your business is public or private, it’s important to assemble a team of professional advisors — including legal, insurance and financial experts — to identify risk factors and to handle breach response, measure the impact and mitigate potential losses. We can help you provide transparent and timely information to your stakeholders.

© 2018

What Businesses Need to Know About the Tax Treatment of Bitcoin and Other Virtual Currencies

Over the last several years, virtual currency has become increasingly popular. Bitcoin is the most widely recognized form of virtual currency, which is also commonly referred to as digital, electronic or crypto currency.

While most smaller businesses aren’t yet accepting bitcoin or other virtual currency payments from their customers, more and more larger businesses are. And the trend may trickle down to smaller businesses. Businesses also can pay employees or independent contractors with virtual currency. But what are the tax consequences of these transactions?

Bitcoin 101

Bitcoin has an equivalent value in real currency and can be digitally traded between users. It also can be purchased with real currencies or exchanged for real currencies. Bitcoin is most commonly obtained through virtual currency ATMs or online exchanges.

Goods or services can be paid for using “bitcoin wallet” software. When a purchase is made, the software digitally posts the transaction to a global public ledger. This prevents the same unit of virtual currency from being used multiple times.

Tax impact

Questions about the tax impact of virtual currency abound. And the IRS has yet to offer much guidance.

The IRS did establish in a 2014 ruling that bitcoin and other convertible virtual currency should be treated as property, not currency, for federal income tax purposes. This means that businesses accepting bitcoin payments for goods and services must report gross income based on the fair market value of the virtual currency when it was received, measured in equivalent U.S. dollars.

When a business uses virtual currency to pay wages, the wages are taxable to the employees to the extent any other wage payment would be. You must, for example, report such wages on your employees’ W-2 forms. And they’re subject to federal income tax withholding and payroll taxes, based on the fair market value of the virtual currency on the date received by the employee.

When a business uses virtual currency to pay independent contractors or other service providers, those payments are also taxable to the recipient. The self-employment tax rules generally apply, based on the fair market value of the virtual currency on the date received. Payers generally must issue 1099-MISC forms to recipients.

Finally, payments made with virtual currency are subject to information reporting to the same extent as any other payment made in property.

Deciding whether to go virtual

Accepting bitcoin can be beneficial because it may avoid transaction fees charged by credit card companies and online payment providers (such as PayPal) and attract customers who want to use virtual currency. But the IRS is targeting virtual currency transactions in an effort to raise tax revenue, and it hasn’t issued much guidance on the tax treatment or reporting requirements. So bitcoin can also be a bit risky from a tax perspective.

To learn more about tax considerations when deciding whether your business should accept bitcoin or other virtual currencies — or use them to pay employees, independent contractors or other service providers — contact us.

© 2018