Audit – Edelstein & Company, LLP (https://www.edelsteincpa.com)

Accounting & Audit Alert - Planning for Post Quantum for Enterprises

Published Mon, 01 Apr 2024

Quantum computing provides exciting opportunities for incredible leaps forward in processing data and the technological advancements it can bring. Unfortunately, it also provides catastrophic challenges from a cyber security perspective. Many of the systems we use for user authentication and encryption are expected to be vulnerable in a post quantum computing environment. The advanced processing ability will make decrypting files and breaking shared secrets for authentication much easier and cheaper. These are the backbone elements of every enterprise’s cyber security strategy. Consider what happens if all internet traffic that currently travels encrypted point to point can be decrypted by anyone who captures it. For an enterprise, this means trade secrets, customer and pricing information, and financial information becoming instantly public information. Attackers will be able to capture user credentials and access accounts. This will likely be the largest disruption to cyber security we have ever experienced.

It is not reasonable for each enterprise to develop their own post quantum solutions, but there are planning steps that can be taken. Enterprises will continue to rely on major hardware and software vendors for new solutions, but enterprises cannot just wait for solutions to become available. The vendors relied upon for operating systems, security devices, software, and other technology resources will undoubtedly play a huge role, but enterprises need to be preparing for how those changes will be implemented in their individual environments. Many vendors are touting quantum safe solutions, but if those solutions do not operate with the rest of an enterprise’s system, they provide little to no value. At this point, every enterprise should be identifying and inventorying their systems, assessing the potential impact on each system, and planning for alternatives and updates.

Public Certificates

Some of the first impacts will likely be seen in digital certificates purchased from publicly trusted certification authorities (CAs). These certificates are most often used for Transport Layer Security (TLS) connections, most commonly between an enterprise’s website and its customers. They are also used to sign software code that will be delivered to customers and trusted by the customer’s operating systems, and to enable secure email through Secure/Multipurpose Internet Mail Extensions (S/MIME). The purpose of these certificates is to establish trust between an organization and external parties.

Since that external party can be either known or unknown, these certificates must be trusted publicly and therefore come under a high level of industry regulations and scrutiny. The public CAs that offer these certificates and the web browsers and software designers that trust these certificates are monitoring developments closely. They will likely be some of the first parties to push regulations. New regulations must be tempered and not be rolled out so fast they break all the connections they are attempting to secure.

Public CAs are performing a lot of the planning for post quantum changes, but enterprises need to be prepared for their role in the process. The webservers operated by enterprises are responsible for generating keys used for authenticating the website and encrypting the traffic. Enterprises need to inventory all webservers, email systems and other systems that interface with public certificates. The algorithms accepted by these systems need to be inventoried to allow the enterprise to track when updates are required based on new algorithms being put in place. Updates will likely need to be deployed quickly to minimize downtime. Systems that are not supported for updates will likely need to be replaced.

Separate from quantum computing, public certificates are expected to see their lifecycles shortened significantly in the next few years. This is especially true for TLS certificates. Inventorying these systems and developing automated tooling to manage the certificate lifecycle will help enterprises be better prepared for whatever changes come their way.

Internal Systems

Internal systems impacted by vulnerabilities from quantum computing are more difficult, because they are likely greater in number and will not benefit from direct support from public CAs. Enterprise systems that will become vulnerable can include VPN connections to remote devices, single sign on tooling, and database encryption software, just to name a few. These systems can also include physical security devices, such as badge readers and security cameras. While these systems are not always externally facing, they are a critical part of the enterprise’s defense in depth approach to cybersecurity. Enterprises should start with inventorying all systems that utilize encryption or authentication mechanisms, especially focused on those with key pairs and shared secrets.

Just as with systems that utilize public certificates, internal systems will need to be updated to utilize new algorithms in a post quantum environment. Assessing the risk involved with each system will help enterprises prioritize the criticality of updates. Dataflow diagrams will help enterprises determine which systems interact with each other. System to system authentication is often overlooked, but is critical to operations. Data flows between different systems within an enterprise will likely be impacted by updating required algorithms, and the updates could break connections. Enterprises need to consider risks related to security and availability when evaluating systems. Some systems might be behind enough layers of security and not critical for immediate updates. These systems also might not support updates as easily.

Most enterprises are not at the stage to test new quantum computing safe algorithms and develop corresponding hardware and software. As always, vendors will play a significant role in the process of preparing for a post quantum time. Maintaining an inventory of vendors and the points of reliance will be critical to an enterprise’s strategy. Major vendors that provide operating systems, significant security systems, and cloud services are likely top of mind, but enterprises will need to dig deeper. Consider backup vendors that encrypt files, copiers and printers, and hardware vendors. Hardware that is not configured to support new algorithms could bring operations to a grinding halt. Hardware has integrated features for disk encryption and boot processes. These systems will likely not be easily updated for new algorithms, because keys can be burned into the chips.

Once an enterprise completes a full inventory and the risk to each system has been assessed, an enterprise will need to evaluate the strategy to address each system. Vendor supplied patches might be an easy solution, but will need to be applied as connecting systems are made compatible. Internally developed systems might require custom updates, and some systems might need to be replaced. For those systems that cannot be updated, consider looking to a vendor that can supply supplemental systems to add post quantum support to legacy systems. These solutions will become more popular as some enterprises determine which systems are inflexible, for the time being.
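The inventory, risk assessment and remediation steps described above, as an added example that is not part of the original article: Python over a constructed inventory that classifies each system's algorithm, scores it, assigns one of the remediation paths named in the text, and lists connections where one end cannot be updated. The system names, column names and scoring weights are assumptions chosen for illustration; the same inventory covers the public-certificate systems discussed earlier.

```python
import csv
import io

# Constructed sample inventory; systems, columns and values are illustrative.
INVENTORY_CSV = """\
system,algorithm,key_bits,external,sensitivity,update_path,peers
public-web-01,RSA,2048,yes,high,vendor_patch,sso-idp
mail-gw,RSA,2048,yes,medium,vendor_patch,
vpn-concentrator,ECDH-P256,256,yes,high,vendor_patch,sso-idp
sso-idp,ECDSA-P256,256,no,high,custom,badge-readers
db-tde,AES-256,256,no,high,vendor_patch,backup-archive
badge-readers,RSA,1024,no,medium,none,sso-idp
backup-archive,AES-128,128,no,high,vendor_patch,
laptop-boot,RSA,2048,no,medium,fused_key,vpn-concentrator
"""

# Public-key families built on factoring or discrete logarithms, the
# problems a large quantum computer is expected to solve efficiently.
PUBLIC_KEY = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "ED25519", "X25519"}
# Illustrative weights (assumptions, not a published scoring scheme).
EXPOSURE_WEIGHT = {"broken": 3, "unknown": 2, "weakened": 1, "ok": 0}
SENSITIVITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}
# Update paths that leave no way to change the algorithm in place.
NOT_UPDATABLE = {"none", "fused_key"}


def quantum_exposure(algorithm, key_bits):
    """Classify an algorithm as broken, weakened, ok or unknown."""
    family = algorithm.upper().split("-")[0]
    if family in PUBLIC_KEY:
        return "broken"  # larger keys are not a fix for these families
    if family == "AES":
        # Symmetric ciphers lose margin rather than break outright.
        return "ok" if key_bits >= 256 else "weakened"
    return "unknown"  # needs manual review before it can be ranked


def load_inventory(text):
    """Parse the CSV inventory into typed rows."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["key_bits"] = int(rec["key_bits"])
        rec["external"] = rec["external"] == "yes"
        rec["peers"] = [p for p in rec["peers"].split(";") if p]
        rows.append(rec)
    return rows


def plan_action(exposure, update_path):
    """Map a system to one of the remediation paths named in the text."""
    if exposure == "ok":
        return "no change; keep in inventory"
    if update_path in NOT_UPDATABLE:
        return "replace or add supplemental PQC system"
    if update_path == "custom":
        return "schedule custom update"
    return "apply vendor patch with connected systems"


def assess(rows):
    """Score every system and return them highest priority first."""
    out = []
    for r in rows:
        exp = quantum_exposure(r["algorithm"], r["key_bits"])
        score = EXPOSURE_WEIGHT[exp] * SENSITIVITY_WEIGHT[r["sensitivity"]]
        if r["external"] and exp != "ok":
            score += 2  # traffic that outsiders can capture ranks higher
        out.append({"system": r["system"], "exposure": exp, "score": score,
                    "action": plan_action(exp, r["update_path"])})
    return sorted(out, key=lambda a: (-a["score"], a["system"]))


def blocked_links(rows):
    """Connections where one end is exposed and cannot be updated."""
    stuck = {r["system"] for r in rows
             if r["update_path"] in NOT_UPDATABLE
             and quantum_exposure(r["algorithm"], r["key_bits"]) != "ok"}
    links = set()
    for r in rows:
        for peer in r["peers"]:
            if r["system"] in stuck or peer in stuck:
                links.add(tuple(sorted((r["system"], peer))))
    return sorted(links)


if __name__ == "__main__":
    inventory = load_inventory(INVENTORY_CSV)
    for item in assess(inventory):
        print(f'{item["score"]:>2}  {item["system"]:<17} '
              f'{item["exposure"]:<9} {item["action"]}')
    for a, b in blocked_links(inventory):
        print(f"coordinate before changing algorithms: {a} <-> {b}")
```

The blocked links are the connections most likely to break when one side moves to a new algorithm, which is why the text asks for dataflow diagrams alongside the inventory.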

After inventorying systems and assessing risk, enterprises should begin developing and testing plans to move to quantum safe algorithms, also known as post quantum cryptography (PQC). The National Institute of Standards and Technology (NIST) has laid a lot of groundwork and narrowed the list of recommended PQC algorithms to a few promising options. While the list is still being scrutinized, enterprises can begin testing methods to change key pairs and deploy updates in an efficient manner. The exact changes we will need to make to be prepared for a post quantum world are still unknown, but understanding which systems require changes and testing the processes to make those changes will put every organization in the best position to respond quickly.

Hybrid certificates, which carry both a current key pair, such as RSA keys, and PQC keys, are gaining popularity as a transition tool. These certificates allow for multiple signature algorithms, so enterprises can still rely on traditional algorithms while testing quantum safe algorithms. These certificates might allow organizations to test their readiness while not taking down systems in the process. This will also allow for testing various PQC algorithms while the industry is still evaluating various options.

Conclusion

The two biggest takeaways in preparing for PQC are to know your enterprise and to remain flexible. All enterprises should consider a three-step approach to knowing their environment. They should identify/inventory, assess risk, and plan for remediation of the assessed risks. The identify and inventory process should not be taken lightly, because it will lay the groundwork for preparing the enterprise. There are several organizations looking to sell quantum safe solutions, but if those do not function within your enterprise profile, it could make for a long and expensive process. Make sure you work to understand your entire organization before implementing changes.

In December 2023 a significant vulnerability was discovered in a leading quantum safe suite algorithm, CRYSTALS-Kyber (Cryptographic Suite for Algebraic Lattices). This vulnerability does not impact the underlying encryption math, but rather the implementation. This is a good example of why an enterprise needs to remain flexible. Developing new technology will be bumpy, and new patches and fixes will be required frequently. The ability to flex between multiple algorithms and implementations will allow an enterprise to adapt to the quickly changing environment.

Written by Tim Crawford. Copyright © 2024 BDO USA, P.C. All rights reserved. www.bdo.com

Accounting & Audit Alert - Complying with SECURE Act Changes to Long-Term Part-Time Employee Eligibility and IRS Form 5500

Published Mon, 25 Mar 2024

Two significant regulatory changes to retirement plans require immediate attention from plan sponsors, both to ensure current operational compliance and to comply with upcoming deadlines. Many long-term, part-time (LTPT) employees are now eligible for 401(k) retirement plans; there is also a new method of counting defined contribution retirement plan participants on Form 5500 Annual Return/Report. It’s important to note that a retirement plan’s audit status could be affected as these changes take effect.

In addition to understanding the far-reaching implications that could help avoid missteps with LTPT employee eligibility and revised participant headcounts, we will explore how to correct any missteps that have already occurred.

New eligibility opportunities for long-term, part-time employees

Prior to the SECURE Act of 2019 and SECURE 2.0 Act of 2022 (collectively SECURE), employers could exclude employees from their tax-qualified defined contribution plans based on the number of hours they worked per year. Typically, this meant that part-time employees were ineligible to contribute to their employer’s retirement plan — no matter how many years they had worked for their employer. An IRS Employee Plans Newsletter issued on January 26, 2024, defined LTPT employees as workers who have worked at least 500 hours per year in three consecutive years, although the consecutive year condition will be reduced to two years in 2025.

SECURE expanded LTPT employee access to employer retirement plans by requiring 401(k) plans to allow employees that meet the LTPT requirements to make elective deferrals starting with the first plan year beginning on or after January 1, 2024. Employers are not required to make employer contributions for LTPT employees.

However, the burden of identifying, notifying, and enrolling these newly eligible LTPT employees falls on the employers. Failing to inform LTPT employees of their eligibility as of January 1, 2024, may have resulted in non-compliance. To rectify any compliance issues, employers can consider using the IRS amnesty program known as the Employee Plans Compliance Resolution System (EPCRS).

It is essential to understand this new requirement because LTPT employee eligibility may affect two other administrative functions for plan sponsors: Form 5500 filing and the annual employee benefit plan audit requirement.

A key change when counting participants for Form 5500

Prior to 2023, IRS Form 5500 — an essential part of ERISA’s reporting and disclosure framework — required defined contribution retirement plan sponsors to include employees who were eligible to make elective deferrals on the first day of the plan year. In most organizations, LTPT employees would be excluded from this headcount unless the employer’s plan allowed them to make contributions to the retirement plan.

Now, employers need only include participants with an account balance in the defined contribution retirement plan as of the first day of the plan year (but, for new plans, the participant account balance count is determined as of the last day of the first plan year). This may sound like a simple change, but the potential increase in participants who are LTPT employees complicates the matter.

The impact on a plan’s audit requirement

An organization’s obligation to have an annual audit of its retirement plan is dependent on the number of plan participants as of the first day of the plan year.

Beginning with the 2023 plan year, defined contribution plans that have more than 100 participant accounts as of the first day of the 2023 plan year generally must have an annual independent audit. Before 2023, all plan participants who were eligible to make salary deferrals were included in headcounts as participants even if they had not made any plan contributions. The DOL changed the rules starting in 2023 to include only those with account balances as participants. Keep in mind that the number of participants can be decreased by taking advantage of rules that allow distributions of small account balances (accounts valued at less than $7,000 starting in 2024) to former participants, if the defined contribution plan adopted these provisions.

The audit requirement of plans with 100 or more employees may change since employees without account balances are no longer counted. An organization may find that the defined contribution plan no longer requires an audit if eligible employees have not contributed to the 401(k) plan, but the audit requirement may be triggered when previously excluded LTPT employees begin to make elective deferrals.

Navigating the new normal for certain retirement plans

The LTPT employee rules take effect for plan years beginning on or after January 1, 2024 (for calendar-year end plans). If your organization missed the deadline to allow LTPT employees to participate in your plan, the good news is that there is a path to compliance. However, implementing these complicated changes in the law requires in-depth knowledge of the complex issues surrounding tax-qualified retirement plans. Experienced consultants can provide guidance and support throughout the process in the following ways:

  • Analyze plan documents and employee data to identify any compliance gaps or issues that need to be addressed
  • Engage in detailed discussions with plan sponsors to explain the intricacies of the changes and help them understand the necessary steps to ensure compliance
  • Facilitate communication with service providers to aid in a smooth transition and implementation of any required changes
  • Calculate corrective actions required to rectify any non-compliance issues and confirm future compliance
  • Guide the employer in enrolling in the IRS’s amnesty program (EPCRS), if necessary, to self-report non-compliance issues
  • Help plan sponsors track the path taken to incorporate the necessary changes into the plan documents, to ensure ongoing compliance and avoid future issues
  • Discuss Form 5500 preparation considerations, including participant head count

Contact David McKay, Assurance Partner, to learn more.

Accounting & Audit Alert - Construction Contract Audits: Safeguarding Your Project’s Bottom Line

Published Mon, 05 Feb 2024

Construction projects are all about building and creating something new. But the often time-consuming, capital intensive process can lead to costly overcharges, unnecessary waste, and damaging fraud. To help reduce those risks, an independent, third-party construction audit can provide an objective analysis to help identify opportunities for stronger controls while recommending improvements for project performance.

A construction contract audit is typically conducted at the culmination of a project as an opportunity for project owners to affirm that all contractual agreements were upheld and address any financial discrepancies. While they are a helpful tool in this capacity, conducting contract audits earlier in a project — and more frequently — may help identify potential risks sooner, as well as identify areas for possible cost savings.

Construction contract auditing is a safeguarding practice that can help you reduce the likelihood of project disputes and legal issues that could directly impact your bottom line. Ultimately, audits provide project owners with greater control over their contracts.

Objectives of Construction Contract Audits

The most common use for construction contract audits is verifying that all parties involved in a project adhere to the terms and conditions outlined in the contract. This includes verifying project costs against contractual obligations. By enforcing contractual compliance, audits help contribute to fair and transparent project execution, reducing the likelihood of disputes and legal issues.

Another key objective of a construction contract audit is to establish cost control. These audits are instrumental in safeguarding effective budget management and financial controls throughout the project. An audit will meticulously examine invoices and project records to catch any discrepancies that may lead to overpayments. By reviewing the cost structure, audits can help prevent budget overruns, identify areas for potential cost savings, and ensure financial resources are allocated efficiently across the project.

The financial transparency provided by periodic contract audits can make them even more compelling in the face of continued supply chain constraints and a challenging economic environment. Companies may use audits to help recover overpayments made during a project and empower project owners to rectify financial errors and protect their interests.

Insight

Contract audits are a critical tool to help owners of construction projects in the following areas:

  • Financial Control and Compliance: Audits assess and manage project costs, ensuring that resources are used efficiently and that projects are completed within budget.
  • Risk Management: Audits help identify potential risks early in the construction process, allowing for timely mitigation strategies to be implemented, and reducing the risk of project delays and cost overruns.
  • Quality Assurance: Audits enhance the quality of work performed and materials used in construction by ensuring that the final product meets the required standards and specifications.
  • Schedule Adherence: Audits can monitor a construction project and determine if it is progressing according to the established schedule. Delays can be addressed promptly, allowing the project to stay on schedule.
  • Contractual Compliance: Audits review contracts and agreements to ensure that owners, contractors, subs, and other stakeholders are meeting their obligations.
  • Fraud Prevention: Audits expose fraudulent activities or discrepancies throughout transactions. This is essential to maintaining the integrity of a construction project and preventing financial losses.
  • Documentation and Record Keeping: Audits verify the accuracy of project documentation and records. Proper documentation is critical for future reference, dispute resolution, and accountability.
  • Communication: Audits promote transparency amongst stakeholders by providing an objective assessment of the project’s financial and operational performance. This transparency can promote trust and increase communication among stakeholders.
  • Continuous Improvement: Audits provide an opportunity for project teams to learn from past experiences. By identifying areas of improvement, future projects can be better planned and executed.

Timeline Considerations

While many project owners are familiar with close-out audits performed at project completion, construction contract audits come in several forms and can be conducted at various stages of a project’s timeline. Each serves a specific purpose in risk mitigation.

Close-out audits are generally performed to verify that legal compliance requirements have been met and that the project adheres to contractual obligations and applicable regulations. These audits also aid financial reconciliation and address any related discrepancies or irregularities. Project owners find close-out audits to be a helpful tool for measuring the overall success of a completed project.

Construction contract audits are most effective when started from the pre-construction phase. Pre-construction audits offer a proactive approach to project and cost management. These audits run at a project’s outset and play a vital role in preventing overbilling by notifying contractors upfront of the rigorous financial standards in place and the expected level of diligence required.

In addition to considering a pre-construction audit, project owners may find conducting early audits during the project to be beneficial. Early audits aid in the timely detection of potential risks and help companies identify areas for possible cost savings. They also enable early course correction, which could save on potential issues at a later stage.

Value of Proactive Audits

The construction industry is built on relationships. Strong relationships foster effective collaboration and communication and help meet execution expectations, goals, and timelines. That said, maintaining a strong relationship with contractors, subcontractors, and suppliers does not negate the need for audits. Conversely, audits — especially those that are proactive — serve as a mechanism to improve processes and in many cases can strengthen relationships by transparently identifying areas for improvement and growth.

By taking a proactive approach, such as conducting front-end construction contract audits, project owners may unlock more substantial cost savings and risk reduction than by waiting until after issues arise. Front-end construction contract audits can help set appropriate guardrails for budgetary management and financial control. They also help in the efficient allocation of financial resources across the project.

Maintaining an early audit schedule can also help mitigate risk and guard against surprises as a project progresses. This practice can allow project owners to address any nascent issues related to contract administration, procurement, and overall governance — setting a strong foundation for the remainder of a project.

In the ever-evolving construction landscape, contract changes, supply chain disruptions, and other external factors are expected to pose new compliance challenges that require vigilant auditing. Proactivity also means keeping up with the latest practices and audit innovations, such as the use of generative AI to help stay agile and alert to emerging compliance challenges while unlocking value across the project.

Safeguard Your Bottom Line

The construction industry is evolving, with new and increased risks that call for proactive audit strategies.

A proactive approach, such as initiating front-end audits or pursuing audits at different stages of project completion, can help bolster risk mitigation, cost control, and contractual compliance.

Owners may be tempted to rely on contractors, architects, and contract managers having the project’s best interest in mind. However, it is unrealistic to expect all stakeholders, including employees and subcontractors, to operate with the owner’s best interest as their top priority at all times. Additionally, even if the stakeholders do have the best of intentions, errors can impact billings, and a construction contract audit is another line of protection against those errors.

Waiting until the end of a project to audit, as the industry has traditionally done, can lead to increased litigation, claims, and difficulties in recovering funds. Early audits not only help save costs, but also provide project owners greater control over their contracts.

Construction audits contribute to the overall success of construction projects by providing greater insight into financial accountability, adherence to quality standards, risk management, and compliance with contractual obligations. They serve as a valuable tool for project owners, investors, and other stakeholders to monitor and help optimize the construction process.

Written by Janet Smith. Copyright © 2024 BDO USA, P.C. All rights reserved. www.bdo.com

Accounting & Audit Alert - 2024 Deadlines and Important Dates for Plan Sponsors

Published Mon, 22 Jan 2024

Sponsors of defined benefit and defined contribution retirement plans should keep the following deadlines and other important dates in mind as they work toward ensuring compliance for their plans in 2024. Dates assume a calendar year plan. Some deadlines may not apply, or dates may shift based on the plan sponsor’s fiscal year.

JANUARY

  • 15 / Fund: Possible fourth quarter 2023 contribution due for defined benefit pension plans.
  • 31 / Action: File IRS Form 945, Annual Return of Withheld Federal Income Tax, by January 31 for non-payroll income taxes, such as taxes withheld by retirement plans, during 2023.
  • 31 / Action: Distribute IRS Form 1099-R to participants by January 31 for 2023 retirement plan distributions.
  • Best Practice: Plan sponsor should confirm the accuracy of the prior year’s census data to the recordkeeper. This information is used for ADP/ACP testing, among other things.

FEBRUARY

  • 28 / Action: File IRS Form 1096, Annual Summary and Transmittal of US Information Returns, with IRS if using paper transmittal by February 28 for 2023 tax year.
  • 28 / Action: File IRS Form 1099-R in paper format with the IRS by February 28 for 2023 retirement plan distributions.
  • Best Practice: Review and approve compliance testing results sent by plan administrator.

MARCH

  • 15 / Action: Highly compensated employees who fail ADP/ACP test for prior plan year must have refunds processed by March 15 (other than eligible automatic contribution arrangements).
  • 15 / Fund: Partnerships and S Corporations that are not getting an extension must fund employer contributions to receive tax deduction for the prior year.

APRIL

  • 1 / Action: 401(k) plans with publicly traded employer stock that follow Article 6A of the Regulation S-X (SEC format) must file Form 11-K with the Securities and Exchange Commission by April 1.
  • Note: The IRS “weekend rule” does not roll the April 1 deadline to the next business day if April 1 falls on the weekend or holiday.
  • 1 / Action: Recordkeeper (or other responsible party) completes and files Form 1099-R electronically with the IRS by April 1 for 2023 retirement plan distributions.
  • 1 / Action: April 1 deadline for 5% business owners and terminated participants who turned 73 in 2023 to receive their required minimum distribution (RMD). Note: the IRS “weekend rule” does not roll the April 1 deadline to the next business day if April 1 falls on the weekend or holiday.
  • 15 / Fund: April 15 possible first quarter 2024 contribution due for defined benefit pension plans (i.e., contribute by April 15 before the weekend, as contribution deadlines are not extended to the next business day).
  • 15 / Distribute: Participants who contributed over 402(g) or 415 limits in the previous year must be refunded the excess amount by April 15.
  • 15 / Action: File PBGC Form 4010, Notice of Underfunding for single-employer defined benefit plans with more than $15 million aggregate underfunding by Monday, April 15.
  • 15 / Fund: C-Corporations and Sole Proprietors that are not getting an extension must fund employer contributions by April 15 to receive tax deduction for the prior year.
  • 15 / Fund: IRA contributions for the prior tax year must be funded by April 15.
  • 29 / Action: Send annual funding notice to participants of single and multi-employer defined benefit plans over 100 participants by April 29.

JUNE

  • 28 / Action: 401(k) plans with publicly traded employer stock must file SEC Form 11-K with the Securities and Exchange Commission by June 28 or file an extension on SEC Form 12b-25.
  • 30 / Action: Highly compensated employees who fail ADP/ACP test for prior plan year must have refunds processed by June 30, if an eligible automatic contribution arrangement (EACA).

JULY

  • 15 / Action: 401(k) plans with publicly traded employer stock that requested a 15-calendar day extension (SEC Form 12b-25) for the SEC Form 11-K must file the SEC Form 11-K with the Securities and Exchange Commission by July 15.
  • 15 / Fund: Possible second quarter 2024 contribution due for defined benefit pension plans by July 15.
  • 31 / Action: File IRS Form 5500, Annual Return/Report of Employee Benefit Plan, and IRS Form 8955-SSA, Annual Registration Statement Identifying Separated Participants with Deferred Vested Benefits, for the 2023 plan year by July 31.
  • 31 / Action: To request an extension of time to file IRS Form 5500, file IRS Form 5558 by July 31.

SEPTEMBER

  • 15 / Fund: If an extension was filed, September 15 is the deadline to fund employer contributions for Partnerships and S-Corporations.
  • 15 / Fund: September 15, last date to make 2023 contributions for single and multiemployer defined benefit pension plans.
  • 30 / Action: September 30, Distribute Summary Annual Report (SAR) to participants if the Form 5500 was filed on July 31.

OCTOBER

  • 3 / Action: Distribute annual notices to participants no earlier than October 3 and no later than Dec 2, including notices for: 401(k) Plan Safe Harbor Match, Automatic Contribution Arrangement Safe Harbor, Automatic Enrollment and Qualified Default Investment Alternatives (QDIA).
  • 15 / Fund: October 15 possible third quarter 2024 contribution due for defined benefit pension plans.
  • 15 / Action: October 15 is the extended deadline for filing IRS Form 5500 and IRS Form 8955-SSA.
  • 15 / Action: October 15 is the extended deadline for filing individual and C-Corp tax returns.
  • 15 / Action: If an extension was filed, October 15 is the deadline to fund defined contribution employer contributions for C-Corporations and Sole Proprietors.
  • 15 / Action: October 15 to open a Simplified Employee Pension (SEP) plan for extended tax filers.
  • 15 / Action: Send annual funding notice to participants of single- and multi-employer defined benefit plans with 100 or fewer participants by October 15.
  • 15 / Action: October 15 defined benefit plan PBGC Premium filings and payments due.
  • 31 / Action: Single-employer defined benefit plans that are less than 60% funded or are 80% funded and have benefit restrictions triggered must inform participants by October 31 or 30 days after the benefit restriction applies.
  • Best Practice: Make sure administrative procedures align with language in plan document.

DECEMBER

  • 2 / Action: Distribute annual participant notices no later than December 2. These include notices for: 401(k) Plan Safe Harbor Match, Automatic Contribution Arrangement Safe Harbor, Automatic Enrollment and Qualified Default Investment Alternatives (QDIA).
  • 15 / Action: December 15 is the extended deadline to distribute Summary Annual Report (SAR) when the Form 5500 was filed on October 15.
  • 31 / Action: December 31 is the final deadline to process corrective distributions for failed ADP/ACP testing; a 10% excise tax may apply.
  • 31 / Action: Ongoing required minimum distributions (RMDs) for 5% business owners and terminated participants must be completed by December 31.
  • 31 / Action: Amendments to change traditional 401(k) to safe harbor design, remove safe harbor feature or change certain discretionary modifications must be completed by December 31. Amendments to change to safe harbor nonelective design must be completed by Dec 1 of given plan year for 3% or by Dec 31 of the following year for 4% contribution level.
  • 31 / Action: Plan sponsors must amend plan documents by December 31 for any discretionary changes made during the year.

In addition to those important deadlines and dates, plan sponsors should be aware of the contribution plan limits and other rolling notices for 2024:

  • The Traditional and Roth Individual Retirement Account contribution limit is $7,000. The catch-up contribution for participants aged 50 and over is $1,000, which is fixed by law and not adjusted each year.
  • The employee salary deferral limit for 401(k), 403(b) and 457 plans is $23,000. The catch-up contribution limit for participants who are age 50 or older in 2024 is $7,500.
  • Maximum annual additions (i.e., employee deferrals, employer contributions and forfeitures) that can be allocated to a participant’s defined contribution plan account for 2024 is $69,000.
  • Limitation for the annual benefit under a defined benefit plan under Section 415(b)(1)(A) is $275,000.
  • The dollar amount used to define “highly compensated employee” under Section 414(q)(1)(B) is $155,000.

BEST PRACTICES:

  • Contact your service provider to discuss any required and/or discretionary SECURE 2.0 provisions effective in 2024 to ensure compliance.
  • Make sure discretionary amendments that impact plan design and administration are executed and implemented timely per IRS regulations.
  • Make sure administrative procedures align with language in plan document.
  • Plans may consider doing mid-year compliance testing to avoid failing applicable annual tests.
  • Review and approve compliance testing results sent by plan administrator.
  • Plan sponsor should confirm the accuracy of the prior year’s census data to the recordkeeper. This information is used for ADP/ACP testing, among other things.

Kristen Leccacorvi Promoted to Audit Principal
https://www.edelsteincpa.com/kristen-leccacorvi-promoted-to-audit-principal/?utm_source=rss&utm_medium=rss&utm_campaign=kristen-leccacorvi-promoted-to-audit-principal
Wed, 17 Jan 2024 16:21:08 +0000
https://www.edelsteincpa.com/?p=7608

It is with great enthusiasm that Edelstein announces the promotion, effective January 1, 2024, of Kristen Leccacorvi to Audit Principal, in our A&A commercial practice. Kristen joined Edelstein in 2018. Throughout her tenure at the firm, Kristen has been an outstanding performer and has embraced and lived Edelstein’s core values including client service, teamwork, professional excellence, growth, and social responsibility. Kristen has also been a leader and role model with respect to training and onboarding, executing high quality audit and review services, developing client relationships, embracing operational excellence in terms of budgeting, billing, and collections, and supporting fully our firm’s important initiatives in India. Kristen was a member of the first team to travel to India to welcome, onboard and celebrate with our first Mumbai teammates.

Finally, in our most recent peer review, two of Kristen’s engagements were selected for inspection, which resulted in no findings. We congratulate Kristen for this important career milestone. And, Kristen, thank you for all that you do for our great firm!

Accounting & Audit Alert – It’s Always Been a Matter of Trust
https://www.edelsteincpa.com/accounting-audit-alert-its-always-been-a-matter-of-trust/?utm_source=rss&utm_medium=rss&utm_campaign=accounting-audit-alert-its-always-been-a-matter-of-trust
Tue, 16 Jan 2024 14:33:07 +0000
https://www.edelsteincpa.com/?p=7606

Digital transformation is nothing new. While keeping up with the latest technology is important, it also carries risks – from data security to regulatory compliance. Your customers, business partners, investors, and regulators trust you to manage these risks because they can impact everything from efficient business operations to the integrity of your financial data. As a result, effectively managing IT risk is far more than just a regulatory compliance exercise — it’s essential to the integrity and reputation of businesses. Ensuring you have the right people, tools, and processes in place is no longer just an IT issue; it’s a priority the entire C-suite needs to keep in mind.

A New Mandate for Managing Risk

Audit teams who analyze the risks of IT are no strangers to change. Information system audits have been around for more than 70 years — starting in the 1950s as electronic data processing platforms made time-consuming business operations move with enhanced efficiency.
The original mandate of information system audits was simple: verify business processes worked. The primary stakeholder was typically the head of IT or business operations. Today, that mandate has expanded to include building trust among multiple stakeholders. Regulators, customers, and investors may all have different expectations about how risk should be managed. With the advent of cloud computing, mobile technology platforms, social media, blockchain, and the emerging ubiquity of artificial intelligence (AI), the scope of the traditional IT audit is expanding in ways that may leave many organizations feeling unprepared. The sheer amount of data can be overwhelming, and appropriate resources aren’t always there. This new reality is placing pressure on all auditing teams.

But with efficiency comes risk, so information systems audit teams must consistently develop new skillsets to adapt to change, manage new risks (like increased regulatory compliance), and promote trust. Companies must work hand in hand with their auditors to identify risks, strengthen internal controls, enhance compliance, and drive greater assurance. It takes a holistic approach to risk management — evaluating the organization’s IT systems and its infrastructure, policies, and overall operations. The reason is simple: data cuts across everything in business today, and trust in data-driven enterprises is at a premium. Failure to proactively manage risk is not an option.

There’s a Regulation for That

On the enforcement side, data and privacy legislation has been around for more than 20 years. Most recently, the European Union’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA) placed restrictions on how companies leverage data, creating additional compliance risks for industries like financial services.

For example, fintech companies feel the effects of the Financial Data Exchange (FDX) standard, which places restrictions on the collection of consumer financial data for third-party apps. In addition, the Consumer Financial Protection Bureau’s data collection rule requires financial services companies to collect and report data on small business lending activities.

More recently, the Securities and Exchange Commission (SEC) has proposed new rules governing the use of data by broker-dealers. The new rules would require broker-dealers to identify and disclose conflicts of interest, while also implementing safeguards to protect customer data.
These proposed rules are an indication of the SEC’s ongoing focus on the use of data. Adding emphasis to this focus, SEC Chair Gary Gensler recently spoke about his concerns over the potential risk AI might bring to financial markets. Concerns over risks to financial markets are likely an indication of a higher degree of scrutiny — and perhaps future enforcement action — around IT compliance issues. The internal controls provisions of the 2002 Sarbanes-Oxley legislation are especially relevant here. The Public Company Accounting Oversight Board (PCAOB) has also issued several standards on IT controls. These standards are intended to help information system auditors test the effectiveness of controls in preventing and detecting material misstatements in financial reporting.

The Impact of Emerging Technology

Ironically, a beneficial approach to managing risks linked to data and digital platforms involves utilizing other emerging technologies to support the proper functioning of these systems. Data analytics tools help audit teams identify anomalies in large data sets and enhance accuracy — enhancing the quality of audits without adding work for the client. A smarter, risk-based audit streamlines processes and creates additional value. Obtaining more accurate data allows the audit team to focus on specific risks. A traditional audit may not always reveal the most pertinent data or the most pressing material risks.

Technologies like AI and bots are helping to automate time-consuming and repetitive tasks, such as data collection, sampling, and testing. As a result, auditors have more time to focus on more complex risk assessments and judgment-based decisions. The ability to analyze large volumes of data faster than ever allows the audit team to identify anomalies and trends that may indicate fraud, errors, or other serious risks.
However, the biggest impact of emerging technology may be the ability to perform continuous auditing — taking a real-time, ongoing approach to monitoring a company’s systems and processes.

What Should Enterprises be Doing to Get Ready?

AI integration into control processes is still at a nascent stage. Organizations will have to resolve compliance risks, especially around new platforms like AI, with security protocols and internal policies to confirm audit teams have access to the data they need to help mitigate and address risk efficiently. Embracing new technology in an audit takes time, but as risks are identified and mitigated more automation can be implemented. When that happens, an experienced audit team can identify IT risks a client may not have been aware of.

For large public companies, the volume of data to review can be staggering, so large data dumps often prove impractical. Companies may need to partner with independent information system auditors to set parameters, so the right information is shared at the right time. Collaboration will be the key to success.

Any external information system auditing team needs to fully understand its client’s IT requirements and compliance issues. Meanwhile, enterprises must understand how emerging technologies can help reduce risk and enhance stakeholder trust, as well as the importance of leveraging these tools, either internally or with knowledgeable external assistance.

Information system audits have evolved significantly over the years, but one thing has remained constant: it’s always been a matter of trust. Contact us to learn more.

Accounting & Audit Alert- Navigating the percentage-of-completion method
https://www.edelsteincpa.com/accounting-audit-alert-navigating-the-percentage-of-completion-method/?utm_source=rss&utm_medium=rss&utm_campaign=accounting-audit-alert-navigating-the-percentage-of-completion-method
Mon, 11 Sep 2023 20:35:22 +0000
https://www.edelsteincpa.com/?p=7549

Does your business work on projects that take longer than a year to complete? Recognizing revenue from long-term projects usually requires use of the “percentage-of-completion” method. Here’s an overview of when it’s required and how it works.

Completed contract vs. percentage-of-completion

Homebuilders, developers, creative agencies, engineering firms and others who perform work on long-term contracts typically report financial performance using one of two methods:

  1. Completed contract. Under this method, revenue and expenses are recorded upon completion of the contract terms.
  2. Percentage-of-completion. This method ties revenue recognition to the incurrence of job costs.

If “sufficiently dependable” estimates can be made, companies must use the latter, more-complicated method, under U.S. Generally Accepted Accounting Principles (GAAP). And, if your business uses the percentage-of-completion method for financial reporting purposes, you’ll usually need to follow suit for tax purposes.

The federal tax code provides an exception to using the percentage-of-completion method for certain small contractors with average gross receipts of $25 million or less over the last three years. This amount is adjusted annually for inflation. For 2023, the inflation-adjusted figure is $29 million.

Percentage-of-completion estimates

In general, companies that use the percentage-of-completion method report income earlier than those that use the completed contract method. To estimate the percentage complete, companies typically compare the actual costs incurred to expected total costs. Alternatively, some may opt to estimate the percentage complete with an annual completion factor.

The IRS requires detailed documentation to support estimates used in the percentage-of-completion method. In addition, the application of the percentage-of-completion method may be complicated by job cost allocation policies, change orders and changes in estimates.

Balance sheet effects

The percentage-of-completion method can also affect your balance sheet. If you underbill customers based on the percentage of costs incurred, you’ll report an asset for costs in excess of billings. Conversely, if you overbill based on the costs incurred, you’ll report a liability for billings in excess of costs.

For example, suppose you’re working on a $1 million, two-year project. You incur half of the expected costs in Year 1 ($400,000) and bill the customer $450,000. From a cash perspective, it seems like you’re $50,000 ahead because you’ve collected more than the costs you’ve incurred. But you’ve actually underbilled based on the percentage of costs incurred.

So, at the end of Year 1, you’d report $500,000 in revenue, $400,000 in costs, and an asset for costs in excess of billings of $50,000. If you had billed the customer $550,000, however, you’d report a $50,000 liability for billings in excess of costs.

Getting assistance

Although the percentage-of-completion method is complicated, if your estimates are reliable, it can provide more current insight into financial performance on long-term contracts. Contact us to help train your staff on how this method works — or we can perform the analysis for you.

Accounting & Audit Alert- New report identifies high-risk areas in financial reporting
https://www.edelsteincpa.com/accounting-audit-alert-new-report-identifies-high-risk-areas-in-financial-reporting/?utm_source=rss&utm_medium=rss&utm_campaign=accounting-audit-alert-new-report-identifies-high-risk-areas-in-financial-reporting
Mon, 28 Aug 2023 18:16:59 +0000
https://www.edelsteincpa.com/?p=7522

In July 2023, the Public Company Accounting Oversight Board (PCAOB) published a report that highlights common areas of audit deficiencies for public companies. Private companies face similar challenges when reporting their financial results. Internal accounting personnel and external auditors can use the PCAOB’s report to identify high-risk areas in financial reporting that may warrant additional attention.

2022 findings

The PCAOB recently inspected portions of financial statement audits for public companies. The findings were published in a new PCAOB Spotlight report, Staff Update and Preview of 2022 Inspection Observations.

Many of the deficiencies found in 2022 are in inherently complex areas that have greater risks of material misstatement. The top seven financial statement deficiency areas were:

  1. Revenue and related accounts,
  2. Inventory,
  3. Information technology,
  4. Business combinations,
  5. Long-lived assets,
  6. Goodwill and intangible assets, and
  7. Allowances for loan and lease losses.

Auditors may find this information useful as they plan and perform their audits. Likewise, managers and in-house accounting personnel may benefit from a review of these findings to help improve financial reporting, minimize audit adjustments and use as a reference point when engaging with external auditors.

Spotlight on cryptocurrency transactions

The PCAOB report also highlights an emerging area of concern: cryptocurrency transactions. Examples of these transactions include:

  • Earning a fee, or “reward,” for mining crypto,
  • Purchasing or selling goods or services in exchange for crypto assets,
  • Exchanging one crypto asset for another,
  • Purchasing or selling crypto assets in exchange for U.S. dollars, and
  • Investing in crypto assets.

The PCAOB notes that companies with material digital asset holdings and/or that engage in significant activity related to digital assets present unique audit risks. This was evidenced by the recent, high-profile collapse of crypto asset trading platform FTX. The risks associated with crypto assets may be elevated due to high levels of volatility, lack of transparency regarding the parties engaging in the transactions and the purpose of such transactions, market manipulation, fraud, theft, and significant legal uncertainties. The PCAOB recommends using specialists and technology-based tools to help audit these transactions in certain situations.

Bottom line

Regardless of whether they’re public or private, companies should take proactive measures to ensure their financial reporting is accurate and transparent. These measures may include providing accounting personnel with additional training and assistance, increasing management review and staff supervision, and beefing up internal audit procedures in relevant high-risk areas.

Also, expect external auditors to focus on these high-risk areas. As audit season approaches, prepare to provide additional documentation to back up your accounting estimates, reporting procedures and account balances for high-risk items.

Accounting & Audit Alert- Overhead allocations: Rising costs require a fresh, disciplined mindset
https://www.edelsteincpa.com/accounting-audit-alert-overhead-allocations-rising-costs-require-a-fresh-disciplined-mindset/?utm_source=rss&utm_medium=rss&utm_campaign=accounting-audit-alert-overhead-allocations-rising-costs-require-a-fresh-disciplined-mindset
Mon, 21 Aug 2023 19:21:25 +0000
https://www.edelsteincpa.com/?p=7518

From utilities and interest expense to executive salaries and insurance, many overhead costs have skyrocketed over the last few years. Some companies have responded by passing along the increases to customers through higher prices of goods and services. Is this strategy right for your business? Before implementing price increases, it’s important to understand how to allocate indirect costs to your products. Proper cost allocation is essential to evaluating product and service line profitability and, in turn, making informed pricing decisions.

Defining overhead

Overhead costs are a part of every business. These accounts frequently serve as catch-alls for any expense that can’t be directly allocated to production, including:

  • Equipment maintenance and depreciation,
  • Rent and building maintenance,
  • Administrative and executive salaries,
  • Interest expense,
  • Taxes,
  • Insurance, and
  • Utilities.

Generally, indirect costs of production are fixed over the short run, meaning they won’t change appreciably whether production increases or diminishes.

Calculating overhead rates

The challenge comes in deciding how to allocate these costs to products using an overhead rate. The rate is typically determined by dividing estimated overhead expenses by estimated totals in the allocation base (for example, direct labor hours) for a future time period. Then, you multiply the rate by the actual number of direct labor hours for each product (or batch of products) to establish the amount of overhead that should be applied.

In some companies, the rate is applied companywide, across all products. This might be appropriate for organizations that make single, standard products over long periods of time. But, if your product mix is more complex and customized, you may use multiple overhead rates to allocate costs more accurately. If one department is machine-intensive and another is labor-intensive, for example, multiple rates may be appropriate.

Handling variances

There’s one problem with accounting for overhead costs: Variances from actual costs are almost certain. There are likely to be more variances if you use a simple companywide overhead rate, but even the most carefully thought-out multiple rates won’t always be 100% accurate.

The result is large accounts that many managers don’t understand and that require constant adjustment. This situation creates opportunities for errors — and for dishonest people to commit fraud. Fortunately, you can reduce the chance of overhead anomalies with strong internal control procedures, such as:

  • Conducting independent reviews of all adjustments to overhead and inventory accounts,
  • Studying significant overhead adjustments over different periods of time to spot anomalies,
  • Discussing complaints about high product costs with nonaccounting managers, and
  • Evaluating your existing overhead allocation and making adjustments as necessary.

Allocating costs more accurately won’t guarantee that you make a profit. To do that, you have to make prudent pricing decisions — based on the production costs and market conditions — and then sell what you produce.

For more information

Cost accounting can be complex, and indirect overhead costs can be difficult to trace. Our accounting pros can help you apply a systematic approach to estimating meaningful overhead rates and adjusting them when necessary. We can also evaluate pricing decisions and suggest cost cutting measures to combat rising costs.

Accounting & Audit Alert- Selecting a qualified auditor for your employee benefit plan
https://www.edelsteincpa.com/accounting-audit-alert-selecting-a-qualified-auditor-for-your-employee-benefit-plan/?utm_source=rss&utm_medium=rss&utm_campaign=accounting-audit-alert-selecting-a-qualified-auditor-for-your-employee-benefit-plan
Mon, 24 Jul 2023 15:14:37 +0000
https://www.edelsteincpa.com/?p=7507

Does your organization offer health care and retirement benefits for its employees? Benefit plans with 100 or more participants are generally required to have their annual reports audited under the Employee Retirement Income Security Act of 1974 (ERISA). Here’s some guidance to help plan administrators fulfill their fiduciary responsibilities for hiring independent qualified public accountants to perform audits.

Assess risks

Under ERISA, plan administrators are responsible for ensuring that benefit plan financial statements follow U.S. Generally Accepted Accounting Principles (GAAP) and are properly audited. Independent audits of plan financial statements help stakeholders assess whether they provide reliable information about the plan’s ability to pay retirement, health and other promised benefits to participants. They also help management evaluate and improve internal controls over the plan’s financial reporting.

Administrators who hire unqualified plan auditors face substantial penalties from the U.S. Department of Labor (DOL). In addition, plan administrators who don’t follow the basic standards of conduct under ERISA and DOL regulations may be personally liable to restore any losses to the plan.

Auditor qualifications

To demonstrate your commitment to quality and due care, it’s important to carefully review auditor qualifications, rather than simply accept the lowest-bid contract offer. Only after the technical evaluation is complete and the qualified respondents have been identified should the administrator review the audit fees quoted by the qualified respondents.

Evaluating auditor qualifications requires consideration of licensing and independence rules. Independent plan auditors don’t have any financial interests in the plan (or the plan administrator) that would affect their ability to render an objective, unbiased opinion about the plan’s financial statements. The DOL doesn’t consider a plan auditor to be independent if the audit firm or any of its employees also maintain the plan’s financial records.

RFP process

The American Institute of Certified Public Accountants (AICPA) provides recommendations on how to put together a comprehensive request for proposal (RFP) that can be used to evaluate bidders. Comprehensive RFPs provide detailed explanations of the audit engagement, including its objectives, scope, special considerations and expected timeline.

Once plan administrators weed out unqualified respondents to their RFPs, they should invite the finalists to present and discuss their proposal letters. It’s important to interview prospective auditors to assess relevant experience and training. Also consider asking prospective auditors to provide a copy of their firms’ latest peer review report. A clean peer review report can provide additional assurance that a firm is applying best practices when auditing benefit plans.

When evaluating potential auditors, discuss the auditor’s work for other benefit plan clients and obtain references. Also review the audit team’s continuing professional education records over the last three years to determine whether they possess recent benefit-plan-specific training.

For more information

Not every CPA is qualified to audit employee benefit plans. These engagements require specialized training and experience. Contact us to find out more about employee benefit plan audits.
