
Sportsbook SOC 2 compliance: An introduction

01.19.23

Read this if you are a part of the gaming industry.

BerryDunn has served the gaming and lottery industry for over 25 years. Our experience performing SOC examinations in the gaming and sportsbook industry provides you with trusted professionals who understand your environment, regulations, and customer expectations. As more states pass legislation allowing sports betting, new rules and regulations are included in that legislation. These rules and regulations are typically focused on maintaining the integrity of systems and public confidence in the sportsbooks and other vendors. SOC 2 has quickly become the international standard for reporting on internal controls over security, availability, processing integrity, confidentiality, and privacy. States have included wording in proposed rules and regulations requiring SOC 2 examinations to be completed annually by key vendors.

What is SOC 2?

Developed by the American Institute of Certified Public Accountants (AICPA), SOC 2 defines criteria for managing customer data based on five “trust service criteria” (TSC): Security, Availability, Processing Integrity, Confidentiality, and Privacy. 

Organizations design their own controls to address specific, pre-defined criteria within one or more TSC (Security is the minimum TSC and must always be included). The SOC 2 report provides sportsbook providers with important information about how they manage data and systems, and it is shared with their customers and other relevant stakeholders such as regulatory bodies and auditors. We have explained how each TSC applies to a sportsbook environment below:

Security (often referred to as the common criteria)

The security TSC focuses on the protection and management of information and systems. This includes criteria on policies and procedures, operations, change management, incident management, logical security, and risk mitigation.

Applicability to sportsbook environments
Sportsbooks require a secure approach to help ensure that all data in the environment is securely designed, managed, and protected. Whether you are processing, managing, or storing data on behalf of your customer (for back-office administration, data feed providers, or traders), or players are making transactions in the environment, all of that data must be secured.

Controls may include human resource, board, or management oversight; policies and procedures; third-party risk management; user access management; securing your environment (firewalls, anti-virus, intrusion protection, and vulnerability scanning); operational management and incident handling; and change management.

Availability

The availability TSC refers to ensuring both information and systems are available for operation and accessible to users. 

Applicability to sportsbook environments
As a sportsbook, you provide your customers with an environment that requires continuous uptime, with system and business recovery measures in place for full system recovery and, where required, failover to backup hot sites. This TSC allows you to demonstrate to your customer the controls in place for your own environment, your service providers (data centers), and your data feed providers.

Controls may include high-availability clusters, backup processes, operational monitoring, incident management, capacity management, and data recovery.

Processing integrity

The processing integrity TSC addresses whether the system processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives. 

Applicability to sportsbook environments
As a sportsbook, the integrity and correctness of data and transaction processing are essential to your system. Whether that processing involves odds, quotations, results, bets placed, or payouts, all data within the sportsbook requires accurate and consistent processing.

Controls may include database logs of all transactions with unique IDs, game changes, failure messages, results processing, system checks and balances, and reporting functionality. 

Confidentiality

The confidentiality TSC assesses that information designated as confidential is protected to meet the entity’s objectives. (Confidential data focuses more on protecting business sensitive, trade secret data, and proprietary information that is not for public consumption.)

Applicability to sportsbook environments
Confidentiality in a sportsbook environment covers both the bettors and the business. Sportsbooks hold the transactional data of players' accounts, which is confidential to the individual. Additionally, any other data you or your customer have contractually committed to protecting requires stronger safeguards than non-critical data. Most often, in sportsbooks we focus on the confidentiality of transactions, the movement of data from one location to another, encryption at rest and in transit, and the secure destruction of data.

Controls may include policies and processes for the handling, maintenance, storage, backup, distribution or transmission of data, and the destruction of confidential information.

Privacy

The privacy TSC addresses how personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives and is designed to protect against unauthorized use or access.

Applicability to sportsbook environments
Privacy focuses on how an organization manages Personally Identifiable Information (PII). Sportsbooks house PII of their players (bettors), including name, address, birth date, social security number, banking information, and other government-issued identification, among other types of data. PII is used to validate a player's identity and location. In many instances, third parties are used for player validation, so controls may also focus on third-party management and due diligence.

Controls may include policies and procedures, safeguards in place to protect PII, role-based access, disclosures, choices and consent, monitoring, and enforcement.

Do I already have required controls in place? 

In many cases, you likely already have many of the needed internal controls in place because of the nature of the highly regulated gaming industry. A SOC 2 can readily leverage the controls you already maintain for other frameworks and requirements, such as NIST, ISO, and PCI.

Preparing for a SOC 2 examination may take a significant amount of time (six months to a year), and we highly recommend you complete a readiness assessment first. In a readiness assessment, we take inventory of your current controls for all aspects discussed above and map each control to its TSC. Where gaps are present, we provide guidance on ways to implement new controls or enhance current practices. More information on preparing for a SOC 2 can be found here.

Contact us for a SOC 2 readiness assessment 

Our team has conducted over 50 iGaming and Sportsbook SOC audits and has over 10 years of experience in the industry. Using industry experts for SOC 2 examinations allows you to get the most value from the process and helps you refine controls to reflect industry best practices. Please contact Josh Clark if you have questions about SOC 2 or your specific operation. 


Read this if you are subject to SOC examinations.

In late October 2022, the American Institute of Certified Public Accountants’ (AICPA’s) Assurance Services Executive Committee (ASEC) released an update to the System and Organization Control (SOC) 2 reporting guide. Significant updates have been made to the Description Criteria implementation guidance and the Trust Services Criteria points of focus. Overall, the changes provide clarity around several recent and emerging industry topics and continue to promote reporting quality and consistency.

Summary of changes

Available for use now, the AICPA updates for SOC 2 examinations are significant and may require additional time and attention from companies that currently have a SOC 2 report or are planning on working toward compliance. High-level updates include incorporating new attestation standards (e.g., SSAE-20 and SSAE-21):

  • Updates to the Description Criteria implementation guidance for additional clarity regarding certain disclosure requirements, guidance on disclosure of how controls meet the requirements of a process or control framework, and guidance on disclosure of information about the risk assessment process and specific risks
  • Updates to the points of focus that support the application of the Trust Services Criteria that better reflect the ever-changing technology, legal, regulatory, and cultural risks, data management requirements, particularly related to confidentiality, and differentiating between a data controller and a data processor for privacy engagements
  • Incorporating, where appropriate, updates included in the AICPA Guide Reporting on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (SOC 1 guide)
  • Incorporating, where applicable, additional guidance included in the AICPA Guide Reporting on an Examination of Controls Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy in a Production, Manufacturing, or Distribution System (SOC for supply chain guide), particularly related to the risk assessment guidance

Additional updates

Other updates from the AICPA include, but are not limited to, the following:

  • Making qualitative materiality assessments (from the AICPA whitepaper on materiality)
  • Considering the service organization’s use of software applications and tools (from the SOC Tools FAQ)
  • Considering the operation of periodic controls that operated prior to the period covered by the examination
  • Considering management’s use of specialists
  • Performing and reporting in a SOC 2+ engagement (including an updated illustrative service auditor’s report)
  • Addressing considerations when the service organization has identified a service commitment or system requirement related to meeting the requirements of a process or control framework (such as HIPAA, ISO, or NIST)
  • Removing supplements and several appendices, which will be replaced with links to the appropriate documents on the AICPA website

If you currently have or will be working toward a SOC 2 report, it's essential to understand the impact on the SOC 2 reporting process. Early preparation will help your organization stay ahead of the curve when it comes to achieving compliance. It is also essential to help ensure that frameworks are aligned and controls are in place to effectively guard against cybersecurity risks and protect sensitive data. If you have questions about SOC audits or your specific situation, please contact our SOC Audits team. We're here to help.

Article: Navigating changes to the SOC 2 guide

Read this if you are a part of the gaming industry.

The gaming industry has bounced back during 2021 and 2022 following pandemic-related declines, but a potential economic downturn will likely impact consumer behavior and have effects for gaming businesses. Though recessionary concerns may prompt some consumers to rein in spending, several factors point to resilience in the gaming industry, including customer retention initiatives, the growth of digital gaming and sports betting, and the continued allure of experiences offered by casino resorts.

Instead of merely weathering a potential recession, gaming companies can position for sustained success by reviewing strategic plans and focusing on key business objectives. Financial discipline will be another priority, particularly if changes in consumer spending affect revenue growth during 2023.

Retention has a big payoff in a recessionary environment

Despite the rate of inflation in the US reaching levels not seen in more than 40 years during 2022, consumer spending has remained relatively strong. According to data from the Bureau of Economic Analysis (BEA), disposable personal income and personal consumption expenditures both increased slightly more than expected during September. Interest rates have continued to rise, however, and there are indications that some consumers are delaying the purchase of big-ticket items, which suggests a slowdown in some areas of spending.

To help mitigate the effects of a potential recession, gaming companies may consider shifting more attention to customer retention in addition to customer acquisition. That strategy could be especially important for sports betting, a subsector that has invested heavily in customer acquisition in recent years—and may not be as recession-proof as some had predicted. According to a TransUnion study, 54% of US sports bettors earn at least $100,000 per year, but even high-income earners show signs of cutting back on discretionary spending like gambling. Nevertheless, many sportsbooks have seen relatively low rates of customer churn this year despite inflation, which could be due partly to the growth in popularity of unique multi-leg wagers such as same-game parlays.

High costs for customer acquisition due to digital competition can pose challenges for companies trying to grow their consumer base, and recessionary pressures make it even more important to keep existing customers engaged. Fragmentation and evolving competition also complicate predictions for the lifetime value of a new customer. The longer a customer stays, however, the bigger the return on initial acquisition costs.

Retention strategies

Strategies that focus on retention can help reduce churn amid growing recessionary pressures. These strategies vary for different types of companies, such as online gambling (iGaming), land-based casinos, or a hybrid of online and on-premises gaming. Taking steps to improve customer experience and leverage data analytics can both help increase engagement. Such initiatives can include customized loyalty and reward programs based on a customer’s unique habits, as well as data insights about the most popular types of games and bets that enable cross-promotion. Reload bonuses, referral bonuses, free bets, and percentage back on losses are examples of other strategies to help keep existing players engaged. Critically, even small improvements in retention can have a significant impact on margins and profitability.

Growth potential remains, but a downturn would impact industry subsectors differently

If recessionary pressures prove to be a drag on consumer spending in the months ahead, it may affect some gaming sectors differently than others. Even if consumers reduce discretionary spending, casino resorts could still fare well because of their diversified offerings, but they also have much higher operating costs than dedicated iGaming companies. Land-based casinos in particular should practice financial discipline and manage labor costs. They can achieve this by maintaining balanced staffing levels, expanding electronic casino games, and adopting cashless gaming and digital payments.

Overall, casino resorts can provide a relatively affordable range of unique leisure experiences. People remain eager to travel after dealing with pandemic-related restrictions, and recent TSA checkpoint data indicates airport activity has been near or above 2019 levels. BEA data also indicates that consumer spending on services, such as travel and dining, has outpaced spending on goods in recent months.

Although research has shown flat levels of growth for casino gambling during previous recessions, the industry has seen several notable changes in recent years. Digital gaming remains a convenient option for consumers and has experienced a spike in adoption in recent years, which aids both digital-only operators and land-based casinos that offer a digital component. Casino resorts can also use data-backed insights to help convert their online customers into on-premises customers through targeted offers and other marketing initiatives.

Sports betting has also grown rapidly during the past five years, which provides an accessible platform for a much larger population of customers than previously. Before the US Supreme Court’s 2018 decision in Murphy v. National Collegiate Athletic Association, only a few states could claim partial exemption to the 1992 federal ban on sports betting. As of November 2022, more than 30 states and the District of Columbia allow sports betting, and additional states are considering similar legislation.

Recession-related shifts in discretionary spending may not impact gaming as much as other consumer sectors. A May 2022 YouGov poll of 16 countries shows that while monthly gamblers may cut back on betting, they are more likely to reduce spending in other areas to maintain their monthly budget. A recession would still likely impact growth, so it is critical for gaming companies to protect revenue during a downturn.

Other developments also hold promise for the gaming industry. Casino stocks recently surged following China’s announcement of eased travel restrictions that would allow tour groups into Macau, the world's largest gambling jurisdiction. Overall, publicly traded gaming companies have enjoyed relatively strong earnings during 2022 despite market volatility, and many analysts have maintained “buy” ratings. A downturn could also give well-capitalized companies an opportunity to gain market share through acquisitions and partnerships.

Looking ahead: A sure thing

To help guard against the impact of recessionary pressures, managing costs and finding efficiencies will continue to be priorities. However, cutting back spending across the board can constrain growth and exacerbate customer churn. By combining financial discipline with a business strategy tailored to the effects of a potential downturn, gaming companies can continue the pandemic recovery and even thrive during volatility.

Article: Beyond weathering the storm: How the gaming industry can succeed during economically challenging times

Read this if you are responsible for cybersecurity or are a member of a board of directors.

The board’s role in the oversight of organizational risk is increasingly complicated by cybersecurity concerns. Cybersecurity risk is pervasive and will affect companies in a variety of ways. The responsibility for detailed cyber risk oversight within the board should be well documented and communicated, and may often touch various committees across the board, including but not limited to risk, audit, and compliance. With the increasing complexity surrounding cybersecurity, it is also important for the board to evaluate existing experience and skills, identify gaps, and address those gaps through succession planning or leveraging advisors.

Additionally, all directors need to stay continually informed about evolving cyber issues and about management's plans for allocating resources to prepare for and respond to cyber risks. Such knowledge helps boards assess the priorities and investment decisions that management puts forward for critical areas.

Here are some critical questions that boards and management should be considering with respect to mitigating cybersecurity risk for their organizations. They may be useful as a starting point for board discussions and as a guide when reviewing oversight of management's plans for addressing potential cyber risks.

General

  • What is the threat profile and risk tolerance of our organization based on our business model and the type of data our organization holds?
  • Is the cyber risk management plan documented, including the identification, protection, and disposal of data?
  • Has the cyber risk management plan been tested?
  • Does our organization’s cybersecurity strategy align with our threat profile and risk tolerance?
  • Is our cybersecurity risk viewed as an enterprise-wide issue and incorporated into our overall risk identification, management, and mitigation process?
  • What percentage of our IT budget is dedicated to cybersecurity?
  • Does that allocation conform to industry standards?
  • Is it adequate based on our threat profile?
  • What are stakeholder demands and priorities for cybersecurity? Data privacy? Data governance? What interactions has the company or board had with shareholders regarding cybersecurity?
  • What is the interaction model between senior management and the board for communications regarding cybersecurity?
  • Has the regulatory focus on the board’s cybersecurity responsibility been increasing? If so, what is driving that focus?

Board cybersecurity oversight

  • How is oversight of cybersecurity structured (committee vs. full board) and why? Is this structure well documented in the appropriate governance charters?
  • Is cybersecurity an area considered and reported as a director competency? If so, have skill/experience gaps been identified together with plans to resolve those gaps?
  • Is there a cybersecurity expert on the board?

Overall cybersecurity strategy

  • Does the board play an active part in determining an organization’s cybersecurity strategy?
  • What are the key elements of a good cybersecurity strategy?
  • Is the organization’s cybersecurity preparedness receiving the appropriate level of time and attention from management and the board (or appropriate board committee)?
  • How do management and the board (or appropriate board committee) make this process part of the organization’s enterprise-wide governance framework?
  • How do management and the board (or appropriate board committee) support improvements to the organization’s process for conducting a cybersecurity assessment?

Risk assessment: risk profile

  • What are the potential cyber threats to the organization?
  • Who is responsible for management oversight of cyber risk?
  • Has a formal cyber assessment been performed? Does it need to be updated?
  • Do management and the board understand the organization’s vulnerabilities and how it may be targeted for cyber-attacks?
  • What do the results of the cybersecurity assessment mean to the organization as it looks at its overall risk profile?
  • Is management regularly updating the organization’s inherent risk profile to reflect changes in activities, services, and products?

Risk assessment: cyber maturity oversight

  • Who is accountable for assessing, managing, and monitoring the risks posed by changes to the business strategy or technology and are those individuals empowered to carry out those responsibilities?
  • Is there someone dedicated full-time to our cybersecurity mission and function, such as a Chief Information Security Officer (CISO)?
  • Is our cybersecurity function properly aligned within the organization? (Aligning the CISO under the CIO may not always be the best model as it may present a conflict. Many organizations align this function under the risk, compliance, audit, or legal functions, while others with a direct or “dotted line” reporting to the CEO.)
  • Do the inherent risk profile and cybersecurity maturity levels meet risk management expectations from management, the board, and shareholders? If there is misalignment, what are the proposed plans to bring them into alignment?

Cybersecurity controls

  • Do the organization’s policies and procedures demonstrate management’s commitment to sustaining appropriate cybersecurity maturity levels?
  • What is the ongoing practice for gathering, monitoring, analyzing, and reporting risks?
  • How effective are the organization’s risk management activities and controls identified in the assessment?
  • Are there more efficient or effective means for achieving or improving the organization’s risk management and control objectives?
  • Are there controls in place to ensure adequate, accurate, and timely reporting of cybersecurity-related content?
  • How does the company remain apprised of laws and regulations and ensure compliance?
  • What cloud services does our organization use and how risky are they?
  • How are we protecting sensitive data?

Threat intelligence and collaboration

  • What is the process for gathering and validating inherent risk profile and cybersecurity maturity information?
  • Does our organization share threat intelligence with law enforcement?
  • What third parties does the organization rely on to support critical activities and does the organization regularly audit their level of access?
  • What is the process to oversee third parties and understand their inherent risks and cybersecurity maturity?

Cybersecurity metrics

  • Have we defined appropriate cybersecurity metrics, the format, and who should be reporting to the board?
  • How regularly should a board obtain IT metric information?
  • Is the information meaningful in a way that invokes a reaction and provides a clear understanding of the level of risk willing to be accepted, transferred, or mitigated?
  • How is the board actively monitoring progress or lack of progress and holding management accountable?

Cyber incident management and resilience

  • How does management validate the type and volume of cyber-attacks?
  • Does the organization have a comprehensive cyber incident response and recovery plan? Does it involve all key stakeholders—both internal and external? Does it include a business disaster recovery communication process?
  • How does an incident response and recovery plan fit into the overall cybersecurity strategy?
  • Is the board’s response role clearly defined?
  • Is the cyber incident response reviewed and rehearsed at least annually? Do rehearsals include cyber incident exercises?
  • Is there a culture of cyber awareness and reporting at all levels of the company?
  • Is the company adequately insured and is coverage reviewed at least annually?

Cybersecurity education

  • How does the board remain current on cybersecurity developments in the market and the regulatory environment?
  • Currently, how does the board evaluate directors' knowledge of the current cyber environment and cybersecurity issues impacting their organizations?
  • Do boards currently have the skill sets necessary to adequately oversee cybersecurity? How is the board identifying and evaluating the necessary director skills and experience in this area?
  • Are directors provided with educational opportunities in this area?
  • Is regular cybersecurity education provided to the entire organization?

Cybersecurity disclosure

  • Has oversight of cybersecurity reporting been defined for management and the board?
  • Are the company's policies and procedures for identifying and managing cybersecurity risk, management's role in implementing those policies and procedures, and the board of directors' cybersecurity expertise and oversight of cybersecurity risk included within the financial statement and proxy disclosures?
  • Does the company have a mechanism for timely reporting of material cybersecurity incidents?
  • Have updates about previously reported material cybersecurity threats and incidents been included in the financial statements?

If you have any questions about cybersecurity programs, communicating with your board about cybersecurity, or have a specific question about your company or organization, please contact our IT security experts. We're here to help. 

Article: Board oversight of cybersecurity: Questions to ask

Read this if you are responsible for cybersecurity at your organization.

Cybersecurity threats aren’t just increasing in number—they’re also becoming more dangerous and expensive. Cyberattacks affect organizations around the globe, but the most expensive attacks occur in the US, where the average cost of a data breach is $9.44 million, according to IBM’s 2022 Cost of a Data Breach Report. The same report shows that the cost of a breach is $10.10 million in the healthcare industry, $5.97 million in the financial industry, $5.01 million in the pharmaceuticals industry, and $4.97 million in the technology industry.

Cyber threat actors are a serious danger to your company, and your customers, stakeholders, and shareholders know this. They expect you to be prepared to defend against and manage cybersecurity threats. How can you demonstrate your cybersecurity controls are up to par? By obtaining a SOC for cybersecurity report.

What is a SOC for cybersecurity report?

A SOC for cybersecurity report provides an independent assessment of an organization's cybersecurity risk management program. Specifically, it determines how effectively the organization's internal controls monitor, prevent, and address cybersecurity threats.

What’s included in a SOC for cybersecurity report?

The report is made up of three key components:

  1. Management’s description of their cybersecurity risk management program, aligned with a control framework (more on that below) and 19 description criteria laid out by the AICPA.
  2. Management’s assertion that controls are effective to achieve cybersecurity objectives.
  3. Service auditor’s opinion on both management’s description and management’s assertion.

Why should you consider a SOC for cybersecurity report?

A SOC for cybersecurity report offers several important benefits for your organization, which include:

  • Align with evolving regulatory requirements. The cybersecurity regulatory environment is constantly evolving. In particular, the SEC’s cybersecurity guidelines are becoming stricter over time. A SOC for cybersecurity report can demonstrate you’re aligned with these guidelines. If you’re a public company or are considering going public in the future, you need to be prepared to meet not just the SEC’s guidelines of today, but their evolved guidelines in the future.
  • Keep your board of directors informed. Your board is responsible for ensuring the business is effectively addressing and mitigating risks—and that includes cyber risk. A SOC for cybersecurity report offers your board a clear and practical illustration of your organization’s cybersecurity risk management controls.
  • Attract and retain more customers. It’s becoming increasingly common for companies to require that their vendors have a SOC for cybersecurity report. Even for companies that don’t require such a report, it’s important to know their vendors are keeping their data safe. Having this report differentiates you from vendors who have not prepared one.
  • Improve your cybersecurity posture. A SOC for cybersecurity report can identify current gaps in your cybersecurity risk management program. Once you’ve addressed these gaps, you can show your customers, stakeholders, and shareholders that you’re continuously improving and evolving your cybersecurity risk management approach.

How do I prepare for my SOC for cybersecurity assessment?

There are several steps you should take to prepare for your assessment.

  1. Choose your control framework. You have several options, including the NIST Cybersecurity Framework, ISO 27002, and the Secure Controls Framework (SCF). There are multiple online resources to help you choose the framework that’s right for your organization.
  2. Determine who your key internal stakeholders are for your cybersecurity risk management program. You’ll need to select a point person to be responsible for ensuring the independent services auditor has all the documentation they need to complete their assessment and act as liaison across internal and external stakeholders.
  3. Collect all cybersecurity-related documentation in one location. Make sure you have an organizational system that makes sense to your point person so it’s easy for them to pull the appropriate materials to give to the independent services auditor.
  4. Conduct a readiness assessment. You can work with an independent services auditor to conduct such an assessment which will identify gaps you can address before performing the attestation.
  5. Select an independent services auditor to perform the attestation. SOC for cybersecurity services are provided by independent CPAs approved by the AICPA. Ideally, you’ll want to select a firm that is experienced in your industry, has a diverse and robust team of cybersecurity professionals, and is accessible when and where you need them.

As always, if you have questions about your specific situation or would like more information about SOC for cybersecurity services, please contact our IT security experts. We’re here to help.

Article
Yes, you need a SOC for cybersecurity report—here's why

Read this if you are interested in GASB updates. 

The Governmental Accounting Standards Board (GASB) issued GASB Statement No. 99, Omnibus 2022, on May 9, 2022. The statement enhances comparability in accounting and financial reporting and improves the consistency of authoritative literature by (1) addressing practice issues that have been identified in previous GASB Statements, and (2) adding guidance on accounting and financial reporting for financial guarantees.

We’ve reviewed the statement in its entirety and broken down the key components you need to know. Here are the highlights.

Accounting and financial reporting for exchange or exchange-like financial guarantees

A financial guarantee is a guarantee of an obligation of a legally separate entity or individual, including a blended or discretely presented component unit, that requires the guarantor to indemnify a third-party obligation holder under specified conditions, in an exchange or exchange-like transaction.

An entity that extends an exchange or exchange-like financial guarantee should recognize a liability and expense related to the guarantee when qualitative factors and historical data indicate that it is more likely than not that the government will be required to make a payment related to the guarantee.

Statement 99 excludes guarantees related to special assessment debt, financial guarantee contracts within the scope of Statement 53, or guarantees related to conduit debt obligations. 

Certain derivative instruments that are neither hedging derivative instruments nor investment derivative instruments

Derivative instruments that are within the scope of Statement 53, but do not meet the definition of an investment derivative instrument or the definition of a hedging derivative instrument, are considered other derivative instruments. These “other derivative instruments” should now be accounted for as follows:

  1. Changes in fair value should be reported on the “resource flows statement” separately from the investment revenue classification.
  2. Information should be disclosed in the notes to financial statements separately from hedging instruments and investment derivative instruments.
  3. Governments should disclose the fair values of derivative instruments that were reclassified from hedging derivative instruments to other derivative instruments. 

Leases

If your entity has leases, please review the following, as Statement 99 clarifies numerous issues from Statement 87, specifically:

  • Lease term, as it relates to options to terminate the lease and options to purchase the underlying asset (paragraph 12 of Statement 87), has been clarified;
  • Short-term leases (paragraph 12 of Statement 87) have been clarified as they relate to an option to terminate the lease;
  • Lessee and lessor recognition and measurement for leases other than short-term leases that transfer ownership have been clarified; and
  • Lease incentives (paragraph 61 of Statement 87) have been further defined.

Public-Private and Public-Public Partnerships (PPPs)

If your entity has PPPs, Statement 99 clarifies the following: 

  • PPP terms
  • Receivable for installment payments (transferor recognition)
  • Receivable for the underlying PPP asset (transferor recognition)
  • Liability for installment payments (operator recognition)
  • Deferred outflow of resources (operator recognition)

Subscription-Based Information Technology Arrangements (SBITAs)

Subscription terms and definitions have been clarified, specifically as they relate to options to terminate, short-term SBITAs, and the measurement of subscription liabilities.

If your entity has SBITAs, review the provisions of each SBITA to ensure compliance with Statement 99 paragraphs 23–25.

Replacement of LIBOR

Check with your banking institutions to confirm when they have phased out LIBOR. Confirm with them what specifically has replaced LIBOR, and update financial statement disclosures as needed.

SNAP

State governments should recognize distributions of benefits from the Supplemental Nutrition Assistance Program (SNAP) as nonexchange transactions. Review your financial statement disclosures and determine whether a disclosure is needed.

Disclosure of Nonmonetary Transactions

If you engage in one or more nonmonetary transactions during the fiscal year, you will need to disclose in the notes to the financial statements the measurement attribute(s) applied to the assets transferred, rather than the basis of accounting for those assets.

Pledges of future revenues when resources are not received by the pledging government

When blending the financial statements of a debt-issuing component unit into the financial statements of a primary government that pledges revenue for the component unit’s debt, the primary government should reclassify the amount due to the component unit as an interfund payable and an interfund transfer out, simultaneously with the recognition of the pledged revenues.

Focus of the government-wide financial statement

Statement 99 reiterates that there should be a total overall government-wide column within the MD&A, Statement of Net Position, and Statement of Activities. This column should exclude all fiduciary activities, including custodial funds. 

Terminology updates

No action is needed. Terminology in previous pronouncements has been updated as it relates to Statements 63 and 53.

Effective dates

The requirements related to the extension of the use of LIBOR, accounting for SNAP distributions, disclosures of nonmonetary transactions, pledges of future revenues by pledging governments, clarification of certain provisions in Statement 34, and terminology updates related to Statements 53 and 63 are effective upon issuance.

The requirements related to leases, PPPs, and SBITAs are effective for fiscal years beginning after June 15, 2022.

The requirements related to financial guarantees and the classification and reporting of derivative instruments within the scope of Statement 53 are effective for fiscal years beginning after June 15, 2023.

Earlier application is encouraged and permitted for all.

If you would like more information regarding Statement 99, please contact our Audits of Governmental Component Units team. We’re here to help.

Article
Key considerations from GASB Statement No. 99 

Read this if you use QuickBooks Online.

With gas prices so high, you need to track your travel costs as closely as possible. Consider getting a tax deduction for your business mileage.

If you drive even a little for business, it’s easy to let mileage costs slide. After all, it’s a pain to keep track of your tax-deductible mileage in a little notebook and do all the calculations required. If you do rack up a lot of business miles, you probably forget to track some trips and end up losing money.

QuickBooks Online offers a much better way. Its Mileage tools include simple fill-in-the-blank records that allow you to document individual trips. You can either enter the starting point and destination and let the site calculate your mileage and deduction or enter the number of miles yourself.

If you use QuickBooks Online’s mobile app, it can track your miles automatically as you drive (as long as you have the correct settings turned on). Here’s a look at how all of this works.

Setting up 

To get started, click the Mileage link in QuickBooks Online’s toolbar. The screen that opens will eventually display a table that contains information about your trips, but you need to do a little setup first. Click the down arrow next to Add Trip in the upper right corner and select Manage vehicles. A panel will slide out from the right. Click Add vehicle.

 
You’ll need to supply information about your vehicles before you can start entering trips.

You’ll need to supply the vehicle’s year, make, and model. Do you own or lease it, and on what date was the vehicle purchased or leased and put into service? Do you want to have your annual mileage calculated by entering odometer readings or have QuickBooks Online track your business miles driven automatically? When you’re done making your selections and entering data, click Save.

Entering trip data

You can download trips as CSV files or import them from MileIQ, but you’re probably more likely to enter them manually. Click Add Trip in the upper right corner. In the pane that opens, you’ll enter the date of the trip and either the total miles or the start and end points. You’ll select the business purpose and vehicle and indicate whether it was a round trip. When you’re done, click Save. The trip will appear in the table on the opening screen, and your current possible total deduction will be in the upper left corner, along with your total business miles and total miles.

If you want to designate a trip as personal, click the box in front of the trip in that table. In the black horizontal box that appears, click the icon that looks like a little person, then click Apply. Now, the trip will appear in the Personal column and will not count toward your business tax-deductible mileage. 

When you select a trip in the Mileage table, you can mark it as personal so it’s not included in your business tax-deductible miles.

Personal trips can count, too

If you use your vehicle(s) for personal as well as business purposes, tracking some of those miles can also mean a tax deduction. For tax year 2022, you can deduct 18 cents per mile for your travel to and from medical appointments. Note: Medical mileage is only deductible if medical expenses exceed a certain percentage of AGI. Be sure to check the IRS tax code each year, as the mileage rates are updated annually.

And if you do volunteer work for a qualified charitable organization, the miles you drive in service of it can be deducted at the rate of 14 cents per mile. You can also claim the cost of parking and tolls, as long as you weren’t reimbursed for any of these expenses. Obviously, the IRS wants you to keep careful records of your charitable mileage, and QuickBooks Online can provide them.

QuickBooks Online doesn’t track these deductions, but you’ll at least have a record of the miles driven.

Auto-track your miles

The easiest way to track your mileage in QuickBooks Online is by using its mobile app. You can launch this and have it record your mileage automatically as you’re driving. Versions are available for both Android and iOS, and they’re different from each other. They also have more features than the browser-based version of QuickBooks Online, like maps, rules, and easier designation of trips as business or personal.

 
The iOS version of Mileage in the QuickBooks Online app

In both versions, you’ll need to click the menu in the lower right corner after you’ve opened the QuickBooks Online app and select Mileage. Make sure Auto-Tracking is turned on. Your phone’s location services tool must be turned on, too. There are other settings that vary between the two operating systems. You can search the help system of either app to make sure you get your settings correct if the onscreen instructions aren’t clear enough.

Of course, you won’t see the fruits of your mileage deductions until you file your 2022 taxes. But you can factor these savings in as you’re doing your tax planning during the year. Please contact the Outsourced Accounting team if you’re having any trouble with QuickBooks Online’s Mileage tools, or if you have questions with other elements of the site.

Article
How QuickBooks Online helps you track mileage

Read this if you have a cybersecurity program.

This week President Joe Biden warned Americans about intelligence indicating that Russia may be preparing to conduct cyberattacks on our private sector businesses and infrastructure as retaliation for the sanctions applied to the Russian government (and the oligarchs) as punishment for the invasion of Ukraine. Though there is no specific threat at this time, President Biden’s warning has been an ongoing message since the invasion began. There is no need to panic, but this is a great time to revisit your current security controls. Focusing on basic IT controls can make a big difference in the event of an attack, as hackers tend to go after the easy, low-hanging fruit.

  1. Access controls
    Review and understand how all access to your networks is obtained by on-site employees, remote employees, vendors, and guests. Make sure that users maintain strong passwords and that no user connects remotely to any of your systems without some form of multi-factor authentication (MFA). MFA can come in the form of a token (in hand or built-in) or as one of those numerical codes delivered to your phone or email. Poor access controls are simply the difference between leaving your house unlocked and locking it when you go out.
  2. Patching
    One of the most common audit findings we see, and one of the biggest reasons behind successful attacks, is unpatched systems. Software providers issue patches to address vulnerabilities in their systems; an unpatched vulnerability is an unlocked door that a hacker can use to get into your systems. Ensuring your organization has a robust patch management program in place, and that systems are up to date on needed patches, is critical to your security operations. Think of an unpatched system like a car with a broken window—sure, the door is locked, but any thief can reach through the broken window and unlock the car.
  3. Logging
    Account activity, network traffic, system changes—these are all things that can be easily logged and, with the right tools, configured to alert you to suspicious activity. Logging that is done correctly alerts management to suspicious activity occurring on your network and notifies your security team to investigate the issue. Consider logging and alerting like your home’s security camera: it may alert you to activity outside, but someone still needs to review the footage and react to it to mitigate the threat.
  4. Test backups and more
    Making sure that your systems are successfully backed up, and that the backups are kept separate from your production systems, is a control we are all familiar with. Organizations should do more than make sure their backups run nightly and are retained; they also need to verify, on a regular basis, that those backups can be restored to a usable state. Beyond backups, we also often hear in our work that clients test only parts of their disaster recovery and failover plans—but have never tested a full-scale failover to their backup systems to determine whether the failover would succeed in the event of a disaster. Organizations shouldn’t be scared to do a full-scale failover test, because when the time comes, you may not have the option to do a partial failover and just hope that it succeeds. Not testing your backups is like not test driving a car before you buy it. Sure, it looks nice on the lot, but does it actually run?
  5. Incident Management Plan 
    We often review Incident Management Plans as part of our work, and often note that the plans are outdated and contain incorrect information. This is an ideal time to make sure your plans are current and reflect changes that may have occurred, such as an increasingly remote workforce or changes to your systems. An outdated Incident Management Plan is like being sick and trying to call your doctor for help, only to find out your doctor has retired.
  6. Training—phishing attacks
    Hackers’ most common approach to gaining access to systems and deploying crippling ransomware is email phishing campaigns. Using what appears to be legitimate business correspondence, a phishing campaign tricks a user into either providing the hacker with credentials to log into systems or downloading malware that can turn into ransomware. Training end users on how to verify an email’s authenticity is critical and should be seen as an opportunity that benefits the entire organization. Testing users is also critical so management understands the current risk and what additional training is needed. Security teams should also have supporting controls in place to help block phishing emails, and detection tools in case a user does fall for one. Not training your employees on security is like not coaching your little league team on how to play baseball and then being surprised you didn’t win the game because no one knew what to do.
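
As an added illustration of items 1 and 3 above (not code from the original article), the Python below reviews a handful of constructed VPN login records and raises alerts for successful remote logins without MFA and for a burst of failed logins followed by a success. The log format, field names, user names and the five-failures-in-ten-minutes threshold are all assumptions made for the example.

```python
"""Review constructed VPN login records for two of the basics above.

Added example, not code from the original article.  Assumptions:
  - log format: <UTC time>Z vpn login user=<name> src=<ip> result=<success|failure> mfa=<yes|no>
  - alert threshold: 5 failures within 10 minutes followed by a success
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data); IPs are from documentation ranges.
SAMPLE_LOG = """\
2022-03-22T08:01:12Z vpn login user=alice src=203.0.113.10 result=success mfa=yes
2022-03-22T08:02:05Z vpn login user=bob src=198.51.100.7 result=failure mfa=no
2022-03-22T08:02:09Z vpn login user=bob src=198.51.100.7 result=failure mfa=no
2022-03-22T08:02:14Z vpn login user=bob src=198.51.100.7 result=failure mfa=no
2022-03-22T08:02:20Z vpn login user=bob src=198.51.100.7 result=failure mfa=no
2022-03-22T08:02:27Z vpn login user=bob src=198.51.100.7 result=failure mfa=no
2022-03-22T08:02:33Z vpn login user=bob src=198.51.100.7 result=success mfa=no
2022-03-22T09:15:40Z vpn login user=vendor-svc src=192.0.2.44 result=success mfa=no
2022-03-22T13:40:02Z vpn login user=carol src=203.0.113.22 result=failure mfa=yes
2022-03-22T13:40:30Z vpn login user=carol src=203.0.113.22 result=success mfa=yes
"""

FAIL_THRESHOLD = 5                   # assumed: failures that make a later success suspicious
FAIL_WINDOW = timedelta(minutes=10)  # assumed: how long earlier failures stay relevant


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it isn't a login record."""
    parts = line.split()
    if len(parts) < 7 or parts[1:3] != ["vpn", "login"]:
        return None
    event = {"time": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")}
    for field in parts[3:]:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect_no_mfa(events):
    """Item 1: every successful remote login should carry MFA; flag the ones that don't."""
    return [f"{e['user']} logged in from {e['src']} without MFA at {e['time']:%H:%M:%S}"
            for e in events if e["result"] == "success" and e["mfa"] != "yes"]


def detect_failures_then_success(events):
    """Item 3: a burst of failures followed by a success from the same user and source."""
    alerts = []
    recent = defaultdict(list)  # (user, src) -> timestamps of failures inside the window
    for e in sorted(events, key=lambda x: x["time"]):
        key = (e["user"], e["src"])
        # forget failures that are older than the window
        recent[key] = [t for t in recent[key] if e["time"] - t <= FAIL_WINDOW]
        if e["result"] == "failure":
            recent[key].append(e["time"])
        elif len(recent[key]) >= FAIL_THRESHOLD:
            alerts.append(f"{e['user']} from {e['src']}: {len(recent[key])} failures "
                          f"then success at {e['time']:%H:%M:%S}")
            recent[key] = []
    return alerts


def review(log_text):
    """Run both checks over raw log text and return the alert strings (empty list = quiet)."""
    events = [ev for ev in (parse_line(line) for line in log_text.splitlines()) if ev]
    return detect_no_mfa(events) + detect_failures_then_success(events)


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print("ALERT:", alert)
```

Running it on the sample prints three alerts: two logins without MFA and one failures-then-success pattern; carol's single mistyped password does not trip the threshold.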

In the current environment, information security is an asset to any organization and needs to be supported so that you can protect your organization from cyberattacks of all kinds. While we can never guarantee that having controls in place will prevent an attack from occurring, they make it a lot more challenging for the hacker. One more analogy, and then I’m done, I promise. Basic IT controls are like speedbumps in a neighborhood. While they keep most people from speeding (and if you hit them too fast they do a number on your car), you can still get over them with enough motivation. 

If you have questions about your cybersecurity controls, or would like more information, please contact our IT security experts. We’re here to help.

Article
Cyberattack preparation: A basics refresher

Read this if you are at a not-for-profit organization.

Gaming activities are a great way for not-for-profit (NFP) organizations to raise funds which can be used for exempt purposes. While gaming activities can make for fun and fruitful events (after all, who doesn’t like winning something?), they can also be costly to your organization if you don’t play by the rules. This article will highlight what activities are considered gaming, and discuss the potential tax implications and reporting requirements associated with these activities. 

What is a gaming activity? 

The IRS considers any of the following to be gaming activities (NOTE: this is not an all-inclusive list):

Gaming includes: bingo, pull-tabs/instant bingo (including satellite and internet bingo), Texas Hold ‘em poker and other card games, raffles, scratch-offs, charitable gaming tickets, break-opens, hard cards, banded tickets, jar tickets, pickle cards, Lucky Seven cards, Nevada Club tickets, casino nights, Las Vegas nights and coin-operated gambling devices. Coin-operated gambling devices include slot machines, electronic video slot or line games, video poker, video blackjack, video keno, video bingo, video pull-tab games and so on.

Essentially any game of chance is considered a gaming activity. As a general rule, gaming activities are considered an unrelated business income activity (taxable), unless a specific exception applies—more on that later. Whether or not the funds generated through gaming are used to pay for expenses associated with the organization’s mission or exempt purpose does not change the fact that the activity is considered unrelated for tax purposes.

Form 990 reporting requirements 

Gaming activity is always required to be reported on Part VIII (Statement of Revenue) of Form 990, regardless of amount. If gross income generated from gaming activities exceeds $15,000 during the organization’s tax year, the activity is also reported on Schedule G, Part III. Further, organizations that complete either of the support tests on Schedule A will also need to report the net income from gaming activities as part of their overall support.

Gaming and unrelated business income (UBI)

In general, three conditions must be met for an activity to be classified as UBI:

  1. The activity must be considered a trade or business;
  2. The activity must be regularly carried on; and
  3. The activity must not be substantially related to the organization’s exempt purpose.

If any one of the three conditions above is not met, then the activity will not be considered UBI. By default, gaming activities will likely satisfy the first and third conditions listed above. Gaming activities will be deemed “regularly carried on” if they manifest a frequency and continuity, and are pursued in a manner generally similar to comparable commercial activities of nonexempt organizations. If gaming activities occur infrequently or sporadically, they would likely not meet the standard of being regularly carried on. For example, gaming conducted as part of an annual fundraising event would typically not be classified as regularly carried on, whereas if the same event were to be held weekly it would be classified as regularly carried on. 

But even then there are exceptions. An activity can still be deemed regularly carried on even if held sporadically, depending on the amount of time involved leading up to the event. For example, if an organization holds an annual raffle, but significant time is spent by employees of the organization in the 11 months leading up to the event, the activity can still be deemed regularly carried on by the IRS.

Avoiding the UBI gaming trap

There are a couple of ways organizations can avoid the UBI trap on gaming. The first is to have the activity operated substantially (85% or more of the total time spent) by unpaid volunteers. The volunteer exception to UBI is not limited to gaming activities; it can also be applied to other potential UBI activities. The other is to operate your gaming activity in such a manner as to qualify as a “bingo game”. Yes, bingo is specifically excluded from the definition of unrelated business income. In fact, the IRS specifically defines what constitutes a “bingo game” in Regulation 1.513-5(d). The definition is rather narrow in scope, so organizations will need to be careful should they decide to use this defense. It’s important to note that the term “bingo game” does not extend to any game of chance generally, and it does not include raffles.

Reporting and withholding requirements for winnings

When conducting any gaming activity, it is always important to be aware of how much the winners are receiving. Reportable winnings are reported on Form W-2G. Generally, reporting is triggered if the total winnings (reduced by the wager) are $600 or more and at least 300 times the amount of the wager. Winnings from raffles, lotteries, etc. are subject to this threshold, while other games such as poker and bingo have higher thresholds before Form W-2G is required.

Tax withholdings can also come into play with gaming winnings. Generally, organizations are required to withhold federal income tax of 24% if the proceeds (the winnings minus the wager) exceed $5,000. This is known as regular gambling withholding. The organization may also be required to withhold 24% of gambling winnings for federal income tax (known as backup withholding) if any of the below circumstances apply:

  • The winner doesn't furnish a correct taxpayer identification number (TIN),
  • Applicable regular gambling withholding has not been withheld, and
  • The winnings are at least $600 and at least 300 times the wager (or the winnings are at least $1,200 from bingo or slot machines or $1,500 from keno, or more than $5,000 from a poker tournament).

It is important to note that state and even local income tax may also need to be withheld. Organizations that believe they may have a Form W-2G reporting or tax withholding requirement should consult their tax advisors as soon as possible.

Does your state have any special registrations? 

State and municipal registrations for gaming events vary widely. Some require registrations be completed at the state level as well as the city or town level. Before rolling the dice and hosting a charitable gaming event, you will want to do your homework to ensure the event is fully licensed or registered with state and municipal gaming authorities.

While life is full of chances, you shouldn’t gamble when it comes to charitable gaming. When in doubt, don’t take any chances and contact a member of our Not-for-profit Tax Team if you have any questions related to gaming activities for your organization. We’re here to help!

Article
Gaming: Reporting requirements for not-for-profit organizations