
The SOC 2 update — how will it affect you?

11.22.17

Is your organization a service provider that hosts or supports sensitive customer data (e.g., personal health information (PHI) or personally identifiable information (PII))? If so, you need to be aware of a recent decision by the American Institute of Certified Public Accountants (AICPA) that may affect how your organization manages its systems and data.

In April, the AICPA’s Assurance Executive Committee decided to replace the five Trust Service Principles (TSPs) with Trust Services Criteria (TSC), requiring service organizations to completely rework their internal controls, and present SOC 2 findings in a revised format. This switch may sound frustrating or intimidating, but we can help you understand the difference between the principles and the criteria.

The SOC 2 Today
Service providers design and implement internal controls to protect customer data and comply with certain regulations. Typically, a service provider hires an independent auditor to conduct an annual Service Organization Control (SOC) 2 examination to help ensure that controls work as intended. Among other things, the resulting SOC 2 report assures stakeholders (customers and business partners) the organization is reducing data risk and exposure.

Currently, SOC 2 reports focus on five Trust Services Principles (TSP):

  • Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that can compromise the availability, integrity, confidentiality, and privacy of information or systems — and affect the entity's ability to meet its objectives.

  • Availability: Information and systems are available for operation and use to meet the entity's objectives.

  • Processing Integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives.

  • Confidentiality: Information designated as confidential is protected to meet the entity's objectives.

  • Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity's objectives.

New SOC 2 Format
The TSC map directly to the 17 principles found in the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 Framework for evaluating internal controls, and include additional criteria related to COSO Principle 12. The new TSC are:

  • Control Environment: Emphasis on ethical values, board oversight, authority and responsibilities, workforce competence, and accountability.
  • Risk Assessment: Emphasis on the risk assessment process, how to identify and analyze risks, fraud-related risks, and how changes in risk impact internal controls.
  • Control Activities: Emphasis on how you develop controls to mitigate risk, how you develop technology controls, and how you deploy controls across an organization through the use of policies and procedures.
  • Information and Communication: Emphasis on how you communicate within the organization and with external parties.
  • Monitoring: Emphasis on how you evaluate internal controls and how you communicate and address any control deficiencies.

Points of Focus
The AICPA has provided nearly 300 Points of Focus (POF): supporting controls that organizations should consider when addressing the TSC. The POF offer guidance and considerations for controls that address the specifics of the TSC, but they are not required.

Organizations now have some work to do to meet the guidelines. The good news: there’s still plenty of time to make necessary changes. You can use the current TSP format before December 15, 2018. Any SOC 2 report presented after December 15, 2018, must incorporate the new TSC format. The AICPA has provided a mapping spreadsheet to help service organizations move from the TSP to the TSC format.

Contact Chris Ellingwood to learn more about how we can help you gain control of your SOC 2 reporting efforts. 
 


A version of this article was previously published on the Massachusetts Nonprofit Network

Editor’s note: while this blog is not technical in nature, you should read it if you are involved in IT security, auditing, or management of organizations that may participate in strategic planning and business activities where consideration of compliance and controls is required.

As we find ourselves in a fast-moving, strong business growth environment, there is no better time to consider the controls needed to enhance your IT security as you implement new, high-demand technology and software to allow your organization to thrive and grow. Here are five risks you need to take care of if you want to build or maintain strong IT security.

1. Third-party risk management―It’s still your fault

We rely daily on our business partners and vendors to make the work we do happen. With a focus on IT, third-party vendors are a potential weak link in the information security chain and may expose your organization to risk. However, though a data breach may be the fault of a third party, you are still responsible for it. Potential data breaches and exposure of customer information may occur, leaving you to provide customers and clients with answers and explanations you may not have.

Though software as a service (SaaS) providers, along with other IT third-party services, have been around for well over a decade now, we still neglect our businesses by not considering and addressing third-party risk. These third-party providers likely store, maintain, and access company data, which could potentially contain personally identifiable information (names, social security numbers, dates of birth, addresses), financial information (credit cards or banking information), and healthcare information of your customers. 

While many of the third-party providers have comprehensive security programs in place to protect that sensitive information, a study in 2017 found that 30% of data breaches were caused by employee error or occurred while data was under the control of third-party vendors [1]. This study reemphasizes that when data leaves your control, it is at risk of exposure.

In many cases, procurement and contracting policies already put language in contracts that establishes IT security requirements for third parties; however, those requirements are often not enforced, few people know what the contract actually says, and any evidence that is collected is put in a file and never reviewed. What can you do about it?

Improved vendor management

It is paramount that all organizations (no matter their size) have in place a comprehensive vendor management program that goes beyond contracting requirements to defend against third-party risk. Such a program includes:

  1. An inventory of all third-parties used and their criticality and risk ranking. Criticality should be assigned using a “critical, high, medium or low” scoring matrix. 
  2. At time of onboarding or RFP, develop a standardized approach for evaluating if potential vendors have sufficient IT security controls in place. This may be done through an IT questionnaire, review of a Systems and Organization Controls (SOC report) or other audit/certifications, and/or policy review. Additional research may be conducted that focuses on management and the company’s financial stability. 
  3. As a result of the steps in item 2, develop a vendor risk assessment using a high, medium, and low scoring approach. Higher-risk vendors should have specific concerns addressed in contracts and should be subject to more in-depth annual due diligence procedures.
  4. Reporting to senior management and/or the board annually on the vendors used by the organization, the services they perform, their risk, and ways the organization monitors the vendors. 

2. Regulation and privacy laws―They are coming 

2018 saw the implementation of the European Union’s General Data Protection Regulation (GDPR), the first major data privacy law imposed on any organization that possesses, handles, or has access to the personal information of EU citizens. Enforcement has started and the Information Commissioner’s Office has begun fining some of the world’s most famous companies, including substantial fines to Marriott International and British Airways of $125 million and $183 million Euros, respectively [2]. Gone are the days when regulations lacked the teeth to force companies into compliance.

Thanks in part to other major data breaches in which the private information of hundreds of millions of consumers was lost or stolen (e.g., Experian), more regulation is coming. Although there is little expectation of an American federal requirement for data protection, individual states and other regulating organizations are introducing requirements. Each new regulation seeks to protect consumer privacy, but the specifics and enforcement of each differ.

Expected to be most impactful in 2019 is the California Consumer Privacy Act,  which applies to organizations that handle, collect, or process consumer information and do business in the state of California (you do not have to be located in CA to be under the umbrella of enforcement).

In 2018, Maine passed the toughest law on telecommunications providers selling consumer information. Massachusetts’ long-standing privacy and data breach laws were amended with stronger requirements in January of 2019. Additional privacy and breach laws are in discussion or on the table for many states including Colorado, Delaware, Ohio, Oregon, Vermont, and Washington, amongst others.

Preparation and awareness are key

All organizations, no matter their line of business, must be aware of and understand current laws and proposed legislation. New laws are expected to address not only the protection of customer data, but also employee information. All organizations should monitor proposed legislation and be aware of the potential enforceable requirements. The good news is that there are a lot of resources out there and, in most cases, legislative requirements allow for grace periods so that organizations can develop a complete understanding of proposed laws and implement needed controls.

3. Data management―Time to cut through the clutter 

We all work with people who have thousands of emails in their inbox (in some cases, dating back several years). Those users’ biggest fears may start to come to fruition―that their “organizational” approach of not deleting anything may come to an end with a simple email and data retention policy put in place by their employer. 

The amount of data we generate in a day is massive. Forbes estimates that we generate 2.5 quintillion bytes of data each day and that 90% of all the world’s data was generated in the last two years alone [3]. While data is a gold mine for analytics and market research, it is also an increasing liability and security risk.

Inc. Magazine says that 73% of the data available to us is never used [4]. Within that data could be personally identifiable information (such as social security numbers, names, addresses, etc.); financial information (bank accounts, credit cards, etc.); and/or confidential business data. That data is valuable to hackers and corporate spies, and in many cases the organizations that hold it do not even know it exists or where it is stored.

In addition to the security risk that all this data poses, it also may expose an organization to liability in the event of a lawsuit or investigation. Emails and other communications are a favorite target of subpoenas and investigations and should be deleted within 90 days (including deleted items folders).

Take an inventory before you act

Organizations should first complete a full data inventory and understand what types of data they maintain and handle, and where and how they store that data. Next, organizations can develop a data retention policy that meets their needs. Utilizing backup storage media may be a solution that helps reduce the need to store and maintain a large amount of data on internal systems. 

4. Doing the basics right―The simple things work 

Across industries and regardless of organization size, the most common problem we see is the absence of basic controls for IT security. Every organization, no matter their size, should work to ensure they have controls in place. Some must-haves:

  • Established IT security policies
  • Routine, monitored patch management practices (for all servers and workstations)
  • Change management controls (for both software and hardware changes)
  • Anti-virus/malware on all servers and workstations
  • Specific IT security risk assessments 
  • User access reviews
  • System logging and monitoring 
  • Employee security training

Go back to the basics 

We often see organizations that focus on new and emerging technologies but have not taken the time to put basic security controls in place. Simple deterrents will help thwart hackers. I often tell my clients that a locked car scares away most ill-willed people, but a thief can still smash the window.

Smaller organizations can consider using third-party security providers, if they are not able to implement basic IT security measures. From our experience, small organizations are being held to the same data security and privacy expectations by their customers as larger competitors and need to be able to provide assurance that controls are in place.  

5. Employee retention and training 

Unemployment rates are at an all-time low, and the demand for IT security experts at an all-time high. In fact, Monster.com reported that in 2019 the unemployment rate for IT security professionals is 0% [5].

Organizations should be highly focused on employee retention and training to keep current employees up-to-speed on technology and security trends. One study found that only 15% of IT security professionals were not looking to switch jobs within one year [6].

Surprisingly, money is not the top factor for turnover―68% of respondents prioritized working for a company that takes their opinions seriously [6].

For years we have told our clients they need to create and foster a culture of security from the top down, and that IT security must be considered more than just an overhead cost. It needs to align with overall business strategy and goals. Organizations need to create designated roles and responsibilities for security that provide your security personnel with a sense of direction―and the ability to truly protect the organization, their people, and the data. 

Training and support go a long way

Offering training to security personnel allows them to stay abreast of current topics, but it also shows those employees you value their knowledge and the work they do. You need to train technology workers to be aware of new threats, and on techniques to best defend and protect from such risks. 

Reducing turnover rate of IT personnel is critical to IT security success. Continuously having to retrain and onboard employees is both costly and time-consuming. High turnover impacts your culture and also hampers your ability to grow and expand a security program. 

Making the effort to empower and train all employees is a powerful way to demonstrate your appreciation and support of the employees within your organization—and keep your data more secure.  

Our IT security consultants can help

Ensuring that you have a stable and established IT security program in place by considering the above risks will help your organization adapt to technology changes and create more than just an IT security program: a culture of security-minded employees.

Our team of IT security and control experts can help your organization create and implement the controls needed to address emerging IT risks. For more information, contact the team.
 

Sources:
[1] https://iapp.org/news/a/surprising-stats-on-third-party-vendor-risk-and-breach-likelihood/  
[2] https://resources.infosecinstitute.com/first-big-gdpr-fines/
[3] https://www.forbes.com/sites/bernardmarr/2018/05/21/how-much-data-do-we-create-every-day-the-mind-blowing-stats-everyone-should-read/#458b58860ba9
[4] https://www.inc.com/jeff-barrett/misusing-data-could-be-costing-your-business-heres-how.html
[5] https://www.monster.com/career-advice/article/tech-cybersecurity-zero-percent-unemployment-1016
[6] https://www.securitymagazine.com/articles/88833-what-will-improve-cyber-talent-retention

Article: Five IT risks everyone should be aware of

As the technology we use for work and at home becomes increasingly intertwined, security issues that affect one also affect the other and we must address security risks at both levels.

This year’s top security risks are the first in our series that are relevant both to us as consumers of technology and to us as business owners and security administrators. Our homes and offices connect to devices, referred to as the Internet of Things (IoT), that make our lives and jobs easier and more efficient, but securing those devices from outside access is becoming paramount to IT security.

Many of this year’s risks focus on deception. Through deception, hackers can get information and access to systems, which can harm our wallets and our businesses.

In our 2017 Top 10 IT Security Risks e-book we share with you how to understand these emerging risks, the consequences and impacts these risks may have on your business, and approaches to help mitigate the risks and their impact. Some of the key ways to address these risks are:           

  1. Do your homework — change your default passwords (the one that came with your wireless router, for instance), and also make sure that your Amazon Alexa, Google Home, or other smart devices have complex passwords. In addition, turning off devices when they are not in use, or when you are gone, helps secure your home.
  2. If you work from home, or have employees who do, set up and use secure connections with dual authentication methods to help protect your networks. Remote employees should be required to use the same security measures as on-site employees.
  3. Protect your smartphone at work and at play—smartphones have become one of our most important possessions, and we use the same device for both work and personal applications, yet we don’t protect them as well as we should. Password protection is step one. Consider installing new antivirus software on corporate smartphones and using container apps for corporate emails and documents. These apps allow users to securely connect to a company’s server and reduce the possible exposure of data.
  4. Train, inform, repeat. Create a vigilant workforce—through continuous and consistent training and information sharing, you can reduce the occurrence of phishing, hacking, and other attacks against your systems.
  5. Conduct IT security risk assessments annually to help you identify gaps, fix them, and prepare for any incidents that may occur.
  6. Monitor and protect your reputation through tools that identify news about your company and help you understand the sources of the information.

Our 2017 Top 10 IT Security Risks takes a deeper look at the IoT and other risk issues that pose a threat this year, and what you can do to minimize your own and your organization’s IT security risks.

Article: The 2017 top IT security risks: Everything is connected

During my lunch in sunny Florida while traveling for business, enjoying a nice reprieve from another cold Maine winter, I checked my social media account. I noticed several postings about people having nothing to do at work because their company’s systems were down, the result of a major outage at one of three Amazon Web Services (AWS) data centers and web hosting operations. Company sites were down either directly or indirectly through a software as a service (SaaS) provider hosted at the AWS data center.

The crash lasted for four hours and affected hundreds of thousands of sites, including Airbnb, Expedia, Netflix, Quora, Slack, and others. The impact of such crashes can be devastating to organizations that rely on their website for revenue, such as online retailers, and to users of SaaS providers that may rely on a hosted system to conduct day-to-day business.

We advise our clients who consider hosting services in the cloud to weigh the option seriously and understand potential challenges in doing so. Here are some steps you can take to prevent future outages and loss of valuable uptime:

  1. Know the risks and weigh them against the benefits. Ask questions about the system you are thinking of having hosted. Is the system critical to business? Without the system, do you lose revenue and productivity? Is the company providing the SaaS service hosting its own systems, or are they hosted at a data center like AWS? Does the SaaS provider have failover sites at other, separate data centers that are geographically distant from one another?
  2. Have a backup plan. If your business conducts e-commerce or needs SaaS service to function, consider hosting your web servers and other data at two different providers. Though costly, the downtime impact is highly reduced.
  3. Consider hosting yourself. In some cases, we advise against relying on a third-party hosted data center. We do this when the criticality of the function is so high that having your own full-time dedicated support personnel, with multiple internet service providers available, allows you to address outages in-house and reduce the risk of outages.
  4. Have a service level agreement. Having a service level agreement with the hosted third party establishes expectations for uptime and downtime. In many instances where uptime is critical, you may consider incorporating liquidated damage clauses (fines and penalties) for downtime. Often when revenue is involved, the hosted party will take deeper measures to ensure uptime.

These types of outages are rare but significant. While most organizations should not be scrambling to host their own systems and cancel all hosted agreements, it’s a good idea to take a hard look at your cyber security and IT risk management plan. Then, like me, when the clouds clear and you are in warm and sunny Florida, you can take a long lunch and enjoy the day.

Article: When the skies clear: Web-hosting outage hits Amazon data centers

Read this if you are a business owner. 

Now that the Democrats have control of the Presidency, House of Representatives, and Senate, many in Washington, DC and around the country are asking “What is going to happen with business taxes?” 

While candidate Biden expressed interest in raising taxes on corporations and wealthy individuals, it is best to think of that as a framework for where the new administration intends to go, rather than a set-in-stone inevitability. We know his administration is likely to favor a paring back of some of the tax cuts made by the 2017 Tax Cuts and Jobs Act (TCJA). Biden has indicated his administration may consider changes to the corporate tax rate, capital gains rate, individual income tax rates, and the estate and gift tax exemption amount.

Procedurally, it is unclear how tax legislation would be formulated under the Biden administration. A tax package could be included as part of another COVID-19 relief bill. The TCJA could be modified, repealed, or replaced. It is also unclear how any package would proceed through Congress. Under current Senate rules, the legislative filibuster can limit the Senate’s ability to pass standalone tax legislation, thus leaving any such legislation to the budget reconciliation process, as was the case in 2017. It also remains unclear if the two parties will come together to work on any bill. Finally, it will be important to note who fills key Treasury tax positions in the Biden administration, as these individuals will have a strategic role in the development of administration priorities and the negotiation with Congress of any tax bill. Here are three ways tax changes could take shape:

  1. Part of a COVID-19 relief package
    With the Biden administration eager to provide immediate relief to individuals and small- and medium-sized businesses affected by the coronavirus pandemic, some tax changes could be included as part of an additional relief bill on which the administration is likely to seek bipartisan support. Such changes could take the form of tax cuts for some businesses and individuals, tax credits, expanded retirement contributions, and/or other measures. If attached to a COVID-19 relief bill, these changes would likely go into effect immediately and would provide rapid relief to businesses and individuals that have been particularly hard hit during the pandemic and economic downturn.
  2. Repeal and replace TCJA
    Another possibility is for Biden to pursue a full rollback of the TCJA and replace it with his own tax bill. This would be a challenge since the Democrats only have a slim majority in the Senate, meaning that Republicans could filibuster the bill unless Senate Democrats take steps to repeal the filibuster.

    Given that the Biden administration’s immediate priorities will be delivering financial assistance to individuals and businesses, ensuring the rollout of COVID-19 vaccines, and flattening the curve of cases, a repeal and replacement of the TCJA might not be voted on until at least late 2021 and likely would not go into effect until 2022 at the earliest.
  3. Pare back or modify the TCJA
    An overall theme of Biden’s campaign was not sweeping, radical change but making incremental shifts that he views as improvements. This theme may come into play in Biden’s approach to tax legislation. He may choose not to repeal the TCJA completely (prompting a return to 2016 taxation levels), but instead pare back some of the tax changes enacted in 2017. In practice, this could mean raising the corporate tax rate by a few percentage points, which could garner bipartisan support. Again, this likely would not be a legislative priority until after the country has passed through the worst of the COVID-19 pandemic.

Factors that will influence potential tax changes

Senate legislative filibuster

Currently, the minority party in the Senate can delay a vote on an issue if fewer than 60 senators support bringing a measure to a vote. Thus, Republicans would be likely to filibuster any bill that contains more ambitious tax rate increases. The uptick in the use of the filibuster in recent decades is perhaps a symptom of congressional deadlock, and there are calls from many Democrats to eliminate the filibuster in order to pass more ambitious legislation without bipartisan support (in fact, in recent years, the filibuster has been removed for appointments and confirmations). While President Biden and Senate Majority Leader Chuck Schumer may be open to ending or further limiting the filibuster, every Democratic senator would have to agree. West Virginia Senator Joe Manchin has said repeatedly that he will not vote to end the legislative filibuster.

If the filibuster remains in place as it appears it will, tax legislation would likely be passed as part of the budget reconciliation process, which only requires a simple majority to pass. However, the tradeoff is that any changes generally would have to expire at the end of the budget window, which typically is 10 years. This is how both the 2001 Economic Growth and Tax Relief Reconciliation Act and the TCJA were passed.

Appetite for bipartisanship

President Biden has signaled that he wants to work for all Americans and seek to heal the partisan divides in the country. He may be looking to reach across the aisle on certain legislation and seek bipartisan support, even if such support is not necessary to pass a bill. Biden stated during his campaign that he wants to increase the corporate tax rate—not to the 2017 rate of 35%—but to 28%. Achieving this middle ground rate might be viewed as a compromise approach.

As the new government takes office, it remains to be seen how much bipartisanship is desired, or even possible.

What this may mean for your business

It is important to note that sweeping tax changes probably are not an immediate priority for the incoming Biden administration. The new administration’s immediate focus likely will be on addressing the current fragmented approach to COVID-19 vaccinations, accelerating the distribution of the vaccines, taking steps to bring the spread of COVID-19 under control, and providing much needed economic relief. As noted above, there could be some tax changes and impacts resulting from future COVID-19 relief bills.

Those will be the bills to watch for any early tax changes, including cuts or credits, that businesses may be able to take advantage of. Larger scale tax changes, particularly any tax increases, may not go into effect until 2022 at the earliest. Here are some of the current rules and how Biden is proposing to deal with them.

If you have questions about your particular situation, please contact our team. We’re here to help. 

Article: Biden's tax plan: Tax reform details remain unclear

Read this if your company is seeking guidance on PPP loans.

The Consolidated Appropriations Act, 2021 (H.R. 133) was signed into law on December 27, 2020. This bill contains guidance on the existing Paycheck Protection Program (PPP) and guidelines for the next round of PPP funding.

Updates on existing PPP loans

Income and expense treatment of PPP loans. Forgiven PPP loans will not be included in taxable income and eligible expenses paid with PPP funds will be tax-deductible. This tax treatment applies to both current and future PPP loans.

Tax attributes and basis adjustments. Tax attributes such as net operating losses and passive loss carryovers, and basis increases generated from the result of the PPP loans will not be reduced if the loans are forgiven.

Economic Injury Disaster Loans (EIDL). Any previous or future EIDL advance will not reduce PPP loan forgiveness. Any borrowers who already received forgiveness of their PPP loans and had their EIDL subtracted from the forgiveness amount will be able to file an amended forgiveness application to have their PPP forgiveness amount increased by the amount of the EIDL advance. The SBA has 15 days from the effective date of this bill to produce an amended forgiveness application. 

Simplified forgiveness application for loans under $150,000. Borrowers who received PPP loans for $150,000 or less will now be able to file a simplified one-page forgiveness application and will not be required to submit documentation with the application. The SBA has 24 days from the effective date of this bill to make this new forgiveness application available. 

Use of PPP funds. Congress expanded the types of expenses that may be paid with PPP funds. Prior eligible expenses were limited to payroll (including health benefits), rent, covered mortgage interest, and utilities. Additional expenses now include software and cloud computing services to support business operations, the purchase of essential goods from suppliers, and expenditures for complying with government guidance relating to COVID-19.

These additional expenses apply to both existing and new PPP loans, but they do not apply to existing loans if forgiveness has already been obtained.
 
In addition, the definition of "payroll costs" has been expanded to include costs for group life, disability, dental, and vision insurance. These additions also apply to both existing and new loans.

Information for new PPP loans

Application deadline. March 31, 2021 

Eligibility for first-time borrowers. A business that did not previously apply for or receive a PPP loan may apply for a new loan. The same requirements apply from the first round of loans. The business must employ fewer than 500 employees per physical location and the borrower must certify the loan is necessary due to economic uncertainty.

Eligibility for second-time borrowers. Businesses that received a prior PPP loan may apply for a second loan; however, the eligibility requirements are a little more stringent. The business must have fewer than 300 employees per physical location (down from 500 previously) and it must have experienced a decline in gross revenue of at least 25% in any quarter in 2020 as compared to the same quarter in 2019. The business must also have expended (or will expend) its initial PPP loan proceeds.

Maximum loan amount. The lesser of $2 million or 2.5x average monthly payroll for either calendar year 2019 or the 12-month period prior to the date of the loan. Businesses operating in the accommodations and food service industry (NAICS code 72) can use a 3.5x average monthly payroll multiple. If the business previously received a loan for less than the new amount allowed, or if it returned a portion or all of the previous loan, it can apply for additional funds up to the maximum loan amount.

New types of businesses eligible for loans.

  • Broadcast news stations, radio stations, and newspapers that will use the proceeds to support the production and distribution of local and emergency information 
  • Certain 501(c)(6) organizations that have fewer than 300 employees and are not significantly involved in lobbying activities 
  • Housing cooperatives with fewer than 300 employees 
  • Companies in bankruptcy if the bankruptcy court approves

Ineligible businesses. A business that was ineligible to receive a PPP loan during the first round is still ineligible to receive a loan in the new round. The new legislation also prohibits the following businesses from receiving a loan in the second round:

  • Publicly traded companies 
  • Businesses that are 20% or more owned by a Chinese or Hong Kong entity, or that have a resident of China on their board 
  • Businesses engaged primarily in political or lobbying activities
  • Businesses required to register under the Foreign Agents Registration Act 
  • Businesses not in operation on February 15, 2020 

Forgiveness qualifications. New PPP loans will be eligible for forgiveness if at least 60% of the proceeds are used on payroll costs. Partial forgiveness will still be available if less than 60% of the funds are used on payroll costs. 

Covered period. The borrower may choose a covered period (i.e., the amount of time in which the PPP funds must be spent) between 8 and 24 weeks from the date of the loan disbursement.

Employee Retention Tax Credit. The CARES Act prohibited a business from claiming the Employee Retention Tax Credit if it received a PPP loan. The new legislation retroactively repeals that prohibition, although it is unclear how an employer can claim retroactive relief. The new bill also expands the tax credit for 2021. 

Additional guidance is expected from the SBA in the coming weeks on many of these items and we will provide updates when the information is released.

We’re here to help.
If you have questions about PPP loans, contact a BerryDunn professional.

Article
Paycheck Protection Program: Updates on new and existing loans

If you received PPP funds, read on.

The Treasury has released new information regarding Paycheck Protection Program forgiveness. 

Based on IRS guidance, if you intend to apply for forgiveness and have a reasonable expectation it will be granted, the expenses used to support forgiveness will not be permitted as a deduction in 2020. It is unclear whether this guidance would apply if a taxpayer is undecided with regard to their forgiveness application at year end. Here is what we know so far.

The CARES Act included provisions that stated PPP loan forgiveness would not be considered taxable income under the Internal Revenue Code (“IRC”). The CARES Act specifically provides the forgiveness is not taxable income under IRC Section 61.

However, the IRS has issued the following guidance on this matter, which relates to the expenses paid with the PPP loan funds.

Notice 2020-32 states that IRC Section 265(a)(1) applies to disallow expenses that were included on and supported a taxpayer’s successful PPP loan forgiveness application. 

In general, this section states that no deductions are permitted for expenses that are directly attributable to tax exempt income. 

The IRS seems to have concluded in this Notice that PPP loan forgiveness is tax exempt income. Therefore, the salary and occupancy costs used to support forgiveness, under current IRS guidance, will not be tax deductible.

Unanswered questions

This notice, while somewhat informative, raises many unanswered questions. For example, what are the tax consequences if a PPP loan is forgiven in 2021 and the expenses supporting the forgiveness were incurred in 2020? Could the forgiveness be construed as something other than tax exempt income?

Revenue Ruling 2020-27 attempts to answer some of these questions and provides additional guidance with regard to IRS expectations. The Ruling seems to indicate there are two possible tax positions relative to expenses that qualify PPP loans for forgiveness:

  • First, the loan forgiveness could be construed as tax exempt income and, pursuant to IRC Section 265, expenses directly attributable to the exempt income are not deductible.
  • Second, loan forgiveness could be construed as the reimbursement of certain expenses, and not as tax exempt income. Under the reimbursement approach, the IRS has stated that if you intend to apply for forgiveness and reasonably expect to receive forgiveness, the reimbursed expenses are not deductible, even if forgiveness is obtained in the following tax year. This position seems to be supported by several tax controversies that were litigated in favor of the IRS. 

Some taxpayers had anticipated using a rule known as the tax benefit rule to deduct expenses in 2020 and report a recovery (income) in 2021 when the loan is forgiven. It appears the IRS is not willing to accept this filing position.

We are hoping Congress will revisit this issue and consider statutory changes which allow for the deduction of expenses. Some taxpayers are planning to extend their income tax returns, taking a wait and see approach, with the hopes Congress will amend the statutes and allow for a deduction.

Under current law, it appears the salary, interest, and rent expenses used to support a forgiveness application will not be permitted as a tax deduction on your 2020 tax returns. This could result in a significant change in your 2020 taxable income.

Final considerations

For estimated tax payment purposes, we believe it would be reasonable to attribute the lost deductions to the quarter in which you made your final determination to file for forgiveness. This could mitigate any underpayment of estimated income tax penalties. 

If you are making safe harbor quarterly estimates and/or have sufficient withholdings, any incremental tax would be due with your return on April 15, 2021. Generally, the IRS safe harbor is to pay 110% of prior year tax during the current year to be penalty proof.

If you have questions about your specific situation, please contact us. We’re here to help.

COVID-19 business support

We will continue to post updates as we uncover them. Let us know if you have questions. For more information regarding the Paycheck Protection Program, the CARES Act, or other COVID-19 resources, see our COVID-19 Resource Center.

Article
Update: Treasury issues a revenue ruling and revenue procedure regarding PPP forgiveness

If you received over $2 million in PPP funds, read on.

The Small Business Administration (SBA) has posted a new form to collect additional information on loan necessity from businesses that received over $2 million in PPP funds. The comment period is now open and closes on November 25, 2020. As we seek more clarity, here is what we know.

What is happening: 

On October 30, 2020, the SBA released PPP Loan Necessity Questionnaires (Forms 3509 and 3510) for borrowers that received PPP loans of $2 million or more. The forms are not available on the SBA or Treasury websites, but were released to lenders through the PPP Loan Forgiveness portal.

Here is an excellent description of what we know thus far. Here are our concerns: 

  • The timing and lack of clarity. The 10-day turnaround is very tight. It could be very difficult to manage if it hits during a month or quarter close, or even worse at year-end.
  • This is counter to what was described in the FAQs at the time, so it leaves us with many unanswered questions.
  • It appears that information on the form might be subject to FOIA. There is a toggle to indicate what information you consider to be confidential. We recommend that you carefully review what information you have not flagged as confidential before submitting the form.

Other considerations and actions you can take in the meantime:

  • We know that the questionnaire is triggered by submitting an application for forgiveness. Given the uncertainty about other program impacts and the additional information being requested, it may be reasonable to wait to seek loan forgiveness until we determine the impact.
  • You may wish to comment on the federal notice. See instructions for submitting comments below.


Instructions for submitting comments:
Agency Clearance Officer
Curtis Rich
Small Business Administration
409 3rd Street SW
5th Floor
Washington, DC 20416

and 

SBA Desk Officer
Office of Information and Regulatory Affairs
Office of Management and Budget
New Executive Office Building
Washington, DC 20503

Your comments should be titled as follows:
Title: Paycheck Protection Program
OMB Control Number: 3245-0407

Comments should include one or all of the following: 
(a) whether the collection of information is necessary, 
(b) whether the estimate of 1.6 hours to complete or review the proposed application form is accurate (42,000 applications, 67,833 annual hour burden), 
(c) whether there are ways to minimize this burden, and
(d) whether there are ways to enhance the quality, utility, and clarity of the information.

Article
Paycheck Protection Program: New regulatory announcements

Read this if you are a Maine business or organization that has been affected by COVID-19. 

The State of Maine has released a $200 million Maine Economic Recovery Grant Program for companies and organizations affected by the COVID-19 pandemic. Here is a brief outline of the program from the state, and a list of eligibility requirements. 

“The State of Maine plans to use CARES Act relief funding to help our economy recover from the impacts of the global pandemic by supporting Maine-based businesses and non-profit organizations through an Economic Recovery Grant Program. The funding originates from the federal Coronavirus Relief Fund and will be awarded in the form of grants to directly alleviate the disruption of operations suffered by Maine’s small businesses and non-profits as a result of the COVID-19 pandemic. The Maine Department of Economic & Community Development has been working closely with affected Maine organizations since the beginning of this crisis and has gathered feedback from all sectors on the current challenges.”

Eligibility requirements for the program from the state

To qualify for a Maine Economic Recovery Grant your business/organization must: 

  • Demonstrate a need for financial relief based on lost revenues minus expenses incurred since March 1, 2020 due to COVID-19 impacts or related public health response; 
  • Employ a combined total of 50 or fewer employees and contract employees;
  • Have significant operations in Maine (business/organization headquartered in Maine, or has a minimum of 50% of employees and contract employees based in Maine); 
  • Have been in operation for at least one year before August 1, 2020; 
  • Be in good standing with the Maine Department of Labor; 
  • Be current and in good standing with all Maine state payroll taxes, sales taxes, and state income taxes (as applicable) through July 31, 2020;
  • Not be in bankruptcy; 
  • Not have permanently ceased all operations; 
  • Be in consistent compliance and not be under any current or past enforcement action with COVID-19 Prevention Checklist Requirements; and 
  • Be a for-profit business or non-profit organization, except
    • Professional services 
    • 501(c)(4), 501(c)(6) organizations that lobby 
    • K-12 schools, including charter, public and private
    • Municipalities, municipal subdivisions, and other government agencies 
    • Assisted living and retirement communities 
    • Nursing homes
    • Foundations and charitable trusts 
    • Trade associations 
    • Credit unions
    • Insurance trusts
    • Scholarship funds and programs 
    • Gambling 
    • Adult entertainment 
    • Country clubs, golf clubs, other private clubs 
    • Cemetery trusts and associations 
    • Fraternal orders 
    • Hospitals, nursing facilities, institutions of higher education, and child care organizations (Alternate funding available through the Department of Education and Department of Health and Human Services for hospitals, nursing facilities, child care organizations, and institutions of higher education.)

For more information

If you feel you qualify, you can find more details and the application here. If you have questions about your eligibility, please contact us. We’re here to help. 

Article
$200 Million Maine Economic Recovery Grant Program released