Virginia Government Finance Officers’ Association Training


Virginia Government Finance Officers’ Association Training Thursday, March 19, 2015

_________________________________________________________________

8:30 am - 9:00 am Registration & Continental Breakfast
9:00 am - 9:05 am Welcome: Tom McNeish, Government Practice Leader, Elliott Davis Decosimo
9:05 am – 10:05 am Legal Update: Daniel M. Siegel, Shareholder, Sands Anderson
10:05 am - 11:05 am IRS Compliance Issues: Denise Hill, Senior Manager, Elliott Davis Decosimo
11:05 am - 11:15 am Break
11:15 am - 11:45 am GASB 86 – Accounting & Reporting for Pensions: Tom McNeish, Government Practice Leader, Elliott Davis Decosimo
11:45 am – 12:15 pm OMB Uniform Guidance: Tom McNeish, Government Practice Leader, Elliott Davis Decosimo
12:15 pm - 1:15 pm Lunch
1:15 pm - 2:10 pm Fraud: Current Trends & Case Studies: Lee Wagner, Senior Manager, Elliott Davis Decosimo
2:10 pm - 3:00 pm Information Technology-Database Security and Threats: Richard Cook, Director, Elliott Davis Decosimo


IRS Compliance Issues: Spotlight on Fringe Benefits

Denise P. Hill Senior Tax Manager March 19, 2015

© 2014 Elliott Davis, PLLC © 2014 Elliott Davis, LLC


This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record of the discussion. This presentation is for informational purposes and does not contain or convey specific advice. It should not be used or relied upon in regard to any particular situation or circumstances without first consulting the appropriate advisor. No part of the presentation may be circulated, quoted, or reproduced for distribution without prior written approval from Elliott Davis Decosimo.


Why Discuss Fringe Benefits?

• Employment audits generate significant income for the IRS – considered to be an untapped source of revenue – made up 44% of all IRS collections in 2009
• 2010 Project for small employers – results will help IRS identify potential audit targets - IRS is examining 6,000 employment tax returns and has discovered that underreporting fringe benefits is a widespread problem
• Audits and IRS analysis supposed to be completed in the summer of 2014
• The benefits are no longer a minor part of compensation – they now represent close to 40% of the total cost of compensation
• The employer is “secondarily liable” for failing to withhold


• Fringe Benefits are the most overlooked area by employers
- Difficult to identify
- Difficult to value
- Uncertainty in reporting (i.e. taxable or not?)
- Lack of clear communication to employees: Benefits are a wide variety of inducements offered to employees having little in common except they are not “paid” to the person each payday. This makes terminology and categorization of benefits difficult.
- Finance/payroll not aware of the benefit
- Overall departmental differences


Topics of Discussion

• Define Fringe Benefits
• Discuss Taxable versus Nontaxable
• Components of an Accountable Plan
• Managing Written Guidelines and Policies
• Employee versus Nonemployee – does it matter?


What is a Fringe Benefit?

• A fringe benefit is a form of pay for the performance of services:

- Property
- Services
- Cash or Cash Equivalent

All fringe benefits are taxable and must be included in the recipients’ pay unless the law specifically excludes it.


Examples of Fringe Benefits

• Airline club memberships
• Automobile allowances
• Awards or prizes
• Back pay awards
• Bonuses (cash or noncash)
• Cafeteria plans
• Cell phones and other telecommunications devices
• Chauffeur service
• Club memberships
• Company aircraft
• Disability payments
• Discounts on property or service
• Discounted airline passes
• Educational reimbursements
• Executive dining rooms
• Estate planning
• Financial counseling
• Financial seminars
• Free or subsidized lodging (including campus lodging)
• Golden parachute payments


Examples of Fringe Benefits Continued

• Company cars
• Credit cards (employer-provided)
• Dependent care assistance programs
• Group-term life insurance over $50,000
• Holiday gifts
• Home security systems
• Income tax preparation
• Laptop computers
• Legal counseling
• Loans (low-interest or interest-free)
• Local transportation for commuting purposes
• Meal money because of overtime
• Meal allowances/reimbursements (not away overnight)
• Memberships in athletic facilities
• Military differential pay
• Moving expense reimbursements
• Nonqualified stock bonus plans
• Nonqualified stock option plans
• Outplacement services
• Parking
• Personal liability insurance
• Physical examinations and/or use of health/medical facilities
• Reimbursements of expenses on sale of personal residence


Examples of Fringe Benefits Continued

• Retirement gifts
• Safety or length of service awards
• Severance pay
• Scholarships or fellowships
• Sick pay
• Spousal travel
• Uniform allowances
• Use of recreation vehicles or boats
• Use of vacation homes
• Vacations (all expense paid or discounted)


Nontaxable Fringe Benefits

• Specifically excluded by law:

- IRC 79 – Group Term Life Insurance
- IRC 105 & 106 – Employer Health Benefits
- IRC 119 – Meals or Lodging for the Employer’s Convenience
- IRC 125 – Cafeteria Plans
- IRC 127 – Educational Assistance Programs
- IRC 129 – Dependent Care Assistance


IRC Section 132

• Fringe Benefits excluded under certain conditions (the “Workhorse” of Statutory Exclusions):

- No additional cost service
- Qualified employee discounts
- Working condition fringe
- De minimis fringe
- On-premises athletic facilities
- Qualified transportation fringe
- Qualified moving expense reimbursements
- Qualified retirement planning services
- Qualified military base realignment and closure fringe


Working Condition Fringe Benefits

The entire value of the property or service provided is excludable from the employee’s income if the employee would be able to deduct it as a trade or business expense if he/she had to pay for it during the process of getting an employee’s job done.

- Examples:
  • Professional dues and subscriptions
  • Supplies
  • Business meal
  • Cash reimbursement for business travel
  • Job training
  • Uniforms that are not adaptable to general use


De Minimis Benefits

• Excluded from the employee’s income when the employer-provided property or services have such a small value and frequency that accounting for them would be impractical

• De minimis benefits can be provided on a discriminatory basis
• De minimis rules do not apply to – cash and cash equivalents (including gift cards) and memberships in private country clubs or athletic facilities

- Examples:
  • Employee cocktail parties
  • Company picnics
  • Coffee and doughnuts / bottled water and soft drinks
  • Occasional use of the copy machine/fax machine/phones


Common Fringe Benefits

• Gifts and Awards
- Employers may give employees cash or noncash awards and prizes as a reward for achievements within the organization
- The fair market value of the reward is included in gross income of the employee – IRC Section 74

Cash gifts and awards are always included in gross income, including gift cards which are considered cash equivalents. No matter how small the amount, even $5, gift cards presented to an employee should be reported in their wages.


Common Fringe Benefits

• Gifts and awards may be excluded from income under certain exceptions:

- De minimis fringe benefits (turkey/pin/flowers/coffee mugs/plaques)
- Recognition awards that are given for charitable/other achievement such as the Nobel Peace Prize
- Tangible noncash employee achievement awards given for length of service or safety:
  • Must be presented with meaningful presentation
  • FMV of award must be under $400 per award / $1,600 per year
  • Length of service may not be during first five years of employment
- Traditional retirement awards presented upon completion of lengthy term of service (gold watch regardless of value because no expectation of future services, i.e. not compensatory)


Common Fringe Benefits

• Meals on Business Premises - Nontaxable
- Meals provided after hours for employees working overtime
- Meals provided during employer’s training seminars / departmental meetings
- Free meal from the cafeteria to substantially all employees during each work day so that employees may be on call at all times

TAXABLE: The value of food provided on a regular, expected basis (not just occasionally) should be included in taxable wages.


Common Fringe Benefits

• Cell Phone/ Tablets

- For tax years after 2009, cell phones and related devices are no longer considered listed property, meaning that employers no longer need to meet substantiation requirements to deduct the equipment (i.e. no need for a contemporaneous detailed activity log)

- Business use of the cell phones (or other similar telecommunications equipment) is considered a working condition fringe benefit (i.e. provided for non-compensatory business reasons) and is therefore not taxable

- The personal use, however, is still considered taxable compensation, unless provided for non-compensatory business reasons, then the personal use will be considered excludable as a de minimis fringe benefit


Common Fringe Benefits

• Employer Provided Auto

- Use of an employer-provided auto by an employee while conducting an employer’s business is an excludable working condition fringe benefit

- Personal use of the company auto is a taxable fringe benefit

- Personal use cannot be changed to business use by attaching display material that advertises business while the employee is driving

- Business use must be properly substantiated with adequate records (i.e. using an accountable plan with documentation)

- All of an employee’s use of a qualified non-personal-use vehicle (such as a police car, unmarked vehicles, fire vehicles) is excluded from taxable income


Common Fringe Benefits

• Spousal Travel
- Employer-provided spouse or dependent travel is generally taxable income to the employee
- The expense will qualify as a working condition fringe benefit only if the employer:
  • Can adequately demonstrate that spouse’s presence on the business trip has a bona fide business purpose and
  • If the employee substantiates the travel and
  • If the companion is also an employee


Common Fringe Benefits

• Uniforms

- Must be related to the employer’s business and be provided so the employee can perform his/her job – such as high visibility shirts/reflective lettering for road crews or police officers and protective clothing

- Embroidered logos and patches on polo shirts are almost always taxable (i.e. considered an informal work uniform). If the clothing /shoes are adaptable to normal wear, the value is taxable. However, most organizations consider the purchase of low-cost clothing items ($100 or less per employee per calendar year) to be a de minimis fringe and nontaxable

- Safety equipment is excludable from wages such as safety glasses, hardhats, work gloves and anti-glare screen for computers


Common Fringe Benefits

• Employer Issued Credit Cards

Many companies allow employees to use credit cards to buy items for the company. Some companies issue credit cards to executives and pay the bills without requiring the executive to show business purpose. Personal expenses paid through these credit cards to executives are considered taxable fringe benefits and they cannot be deducted as business expenses. If executives are not required to substantiate that the expenses charged to the corporate credit card were for business expenses, the reimbursement is considered to have been made under a non-accountable plan and the entire reimbursement is taxable to the executive, and wages for employment tax purposes.


Common Fringe Benefits

• Awards Funded by Third Party

If funds or a noncash prize are provided by an outside party, the award is taxable in the same way as if provided directly by the employer. If the third party selects and distributes the award directly to the agency employee without any direction or decision making from agency personnel, then the award is income to the recipient and must be reported. The outside party would be required to furnish a Form 1099-MISC to the recipient if the amount is $600 or more in a calendar year.


Employee Business Expense Reimbursements

• Provided under an Accountable Plan

Must meet all three of the following to be non-taxable:

- 1. There must be a business connection

- 2. Must be adequate accounting by the recipient within a reasonable period of time – receipts required for lodging and for expenses in excess of $75 or more

- 3. Excess of expenses must be returned within a reasonable period of time

The Accounts Payable function is essentially administering a payroll tax body of law – so communication and written policies are critical.


Business Connection

• The plan must provide reimbursements or advances only for business expenses that would otherwise qualify as a trade or business expense under IRC Section 162

• Section 162 allows deductions for all ordinary and necessary expenses paid or incurred during the taxable year in carrying on a trade or business

• The IRS looks to whether or not the expenditure secured a business benefit when evaluating whether the expense is ordinary and necessary


Adequate Accounting

• Employees are required to provide sufficient information to satisfy a “business connection” of the expenditure – i.e. the 5 “W”’s:

- What – amount
- When – time, date, etc.
- Where – business location, destination, etc.
- Why – business purpose
- Who – for entertainment purposes

Written contemporaneous recordkeeping has more value than oral evidence.


Written Guidelines and Policies

• When is it time to update your policy handbook/procedures/guidelines?

- Given the recent publicity regarding fiscal mismanagement in state and county agencies (due to lack of coordination and information sharing) – it may be time to re-write your policies in order to provide:

• Better audit measurements to assess compliance within the Agency’s departments

• To provide clarification of the Agency’s position and specific guidance for employees that may have resulted in confusion or non-compliance in the past

• To ensure there are no gaps in the public’s understanding


Written Guidelines and Policies- Best Practices

• Provide background of the purpose for the policy, including how the personal use will be reported via the employer’s payroll process.

• Clear concise guidance on the distinction between business and personal use. Accountability issues will arise when detailed standards for conduct are inaccurate or outdated.

• Review the requirements for business use of the “benefit” and how to record and report the business use. Policies that do not sufficiently document processes can create varying degrees of inconsistency within each department.

• Explain the fringe benefit that is received by the employee when the benefit is used/received for non-business (i.e. personal) reasons.


Consider a Fringe Benefit Plan Review

• Identifying all fringe benefits

• Confirming that the benefit is properly reported and that taxes are withheld and deposited in a timely manner

• Identifying and implementing statutory fringe benefit rules / reviewing and/or re-writing current guidelines and policies that will pass IRS scrutiny

• Identifying and implementing the special valuation rules that apply to fringe benefits

• Employment Tax audits are expensive – in addition to any penalties imposed by the IRS, increased costs in administrative and financial resources will be incurred during an audit

• Costs can be alleviated by conducting a comprehensive review before you are contacted by the IRS


Employee Versus Non-Employee Classification

Generally, directors of a corporation (i.e. members of the governing board) are defined by statute as non-employees. This is due to the fact that a board member's responsibility for the fulfillment of an organization's mission and legal accountability for its operations typically dictate that the board be comprised of individuals from outside of the organization. While it is possible for a board member to also be an employee of the organization, the services they perform in their role as board member will be reported separately from the services they perform as an employee.

Independent contractors should be paid through accounts payable (i.e. receive a Form 1099-MISC) and employees are paid through payroll.


Employee Versus Non-Employee Classification

Current case law has made it clear that elected public officials are classified as employees since they are subject to a degree of control that is characteristic of an employer-employee relationship. Elected officials are responsible to the public, which has the power to vote them out of office. Appointed public officials, however, may be classified as either employees or independent contractors based on a determination of their "worker status" under common law standards. See attachment for Common Law Standards for Determining Worker Status


Handouts

• Employee or Independent Contractor Status
• Travel and Business Expense Policy with Exhibit A
• Vehicle Use Policy
• Fringe Benefit Memorandum
• 2014 IRS Quick Reference Guide for Public Employers
• 2014 IRS Fringe Benefit Guide: Office of Federal, State and Local Governments


Questions?


Denise P. Hill Email: [email protected] Phone: 803-255-1479 Website: www.elliottdavis.com

Elliott Davis Decosimo ranks among the top 50 CPA firms in the U.S. With seventeen offices across seven states, the firm provides clients across a wide range of industries with smart, customized solutions. Elliott Davis Decosimo is an independent firm associated with Moore Stephens International Limited, one of the world's largest CPA firm associations with resources in every major market around the globe. For more information, please visit elliottdavis.com.


GASB 68 – Accounting and Reporting for Pensions

© Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC

Tom McNeish Government Practice Leader & Shareholder March 19, 2015


Effective Date

• Effective for fiscal years beginning after June 15, 2014
• For employers with a December 31 fiscal year end, December 31, 2015 financial statements


Under GASB 27 – Funding vs Accounting

• Accounting liabilities are about the same as funding liabilities

• Pension liability = the cumulative difference between the actuarial required contribution (ARC) versus what the employer actually contributes

• For actuarially determined contribution plans, it is likely that little or no liability is reported

• Actuarial valuation used for both accounting and funding purposes


Under New Standards

• Funded status moves from the footnotes to the balance sheet
• Additional footnote and RSI disclosures
• Shift in focus from income statement to balance sheet focus
- Before: “Are ARC contributions adequate?”
- Now: “How large is the Net Pension Liability?”


Other Changes

GASB 68 compared with GASB 27:

• Actuarial cost method
- GASB 68: Entry Age Normal Cost Method only
- GASB 27: Six (6) allowable actuarial cost methods

• Discount rate
- GASB 68: May require use of a blended discount rate (between long-term expected rate of return and municipal bond rate)
- GASB 27: Long term expected rate of return on assets is the discount rate

• Amortization periods
- GASB 68: Shorter amortization periods (no longer up to 30 years) - Five (5) years for investment gains/losses. Average future working lifetime for other gains/losses or assumption changes
- GASB 27: Amortizations of any kind (gains/losses, assumption changes, benefit changes, etc.) over a maximum of thirty (30) years

• Contributions
- GASB 68: Plans administered through a trust or equivalent arrangement. Contributions are irrevocable
- GASB 27: Trust not required


Potential Effects

• Accounting liabilities will likely be higher than funding liabilities
• Some employers may re-evaluate defined benefit plan
• Credit ratings may be impacted
• Increased complexity in accounting and reporting
• Possible increased scrutiny to the plan


New Terms

• Total Pension Liability (TPL): the actuarial present value of projected benefit payments that is attributed to past periods of employee service.

• Net Pension Liability (NPL): Total pension liability minus the pension plan’s fiduciary net position

• Fiduciary net position = market value of assets

• Pension Expense (PE): The difference between the NPL from the prior fiscal year to the current fiscal year, with some adjustments


Measurement date

Financial reporting period for year ended June 30, 2015:

12/31/2012 6/30/2013 6/30/2014 6/30/2015

If valuation date is in this period, it must be updated (rolled forward) to the measurement date.

Any date in this period is an appropriate measurement date.

If valuation date and measurement date are the same and in this period, no roll forward is required.


Discount rate

• The discount rate should be the single rate that reflects the following:

  a. The long-term expected rate of return on pension plan investments that are expected to be used to finance the payment of benefits, to the extent that
     1. the pension plan's fiduciary net position is projected to be sufficient to make projected benefit payments
     2. pension plan assets are expected to be invested using a strategy to achieve that return

  b. A yield or index rate for 20-year, tax-exempt general obligation municipal bonds with an average rating of AA/Aa or higher (or equivalent quality on another rating scale), to the extent that the conditions in (a) are not met.

• The amount of the pension plan's projected fiduciary net position and the amount of projected benefit payments should be compared in each period of projected benefit payments.


Discount rate

Adjust discount rate to incorporate 20-year muni yield

[Chart: fiduciary net position and projected payments, in dollars ($0 to $1,800,000), over years 0 to 30]


Reporting of Expense and Deferred Inflows/Outflows

Columns: Event, Reporting, Method

Differences between expected and actual experience

Should be recognized in pension expense, beginning in the current reporting period. The portion not recognized in pension expense should be reported as deferred outflows of resources or deferred inflows of resources

Use a systematic and rational method over a closed period equal to the average of the expected remaining service lives of all employees (active employees and inactive employees) determined as of the beginning of the measurement period

Changes of assumptions

Net effect of the change in proportionate share of the net pension liability and deferred inflows/outflows

Difference between employer contributions and proportionate share of contributions

Difference between projected and actual earnings

Use a systematic and rational method over a closed five-year period

Contributions made subsequent to the measurement date

Should be reported as a deferred outflow of resources related to pensions because they are outside the reporting period

Employer contributions to the pension plan from the employer should not be recognized in pension expense


Illustration – Year 1

Columns: NPL, Assets, Deferred inflows, Deferred outflows, Net position, Pension expense, Check

1 12/31/13 valuation date (100,000) 2 Service costs (1,250)

3 Interest costs (2,500)

4 Benefit payments 2,000

5 6/30/14 measurement date (101,750) 101,750 -

6 Deferred outflows/inflows

7 Employer contributions subsequent to measurement date - (3,000) 3,000 -

8 Actual earnings on plan assets of $10,000 vs projected earnings of $7,500 10,000 (2,500) (7,500) -

9 Increase in NPL arising from the effects of differences

10 between Expected and Actual Experience (1,000) 1,000 -

11 Decrease in NPL arising from effects of Changes of Assumptions 750 (750) -

12 Service costs (2,600) 2,600 -

13 Interest on NPL (4,900) 4,900 -

14 Administrative expense (200) 200 -

15 6/30/15 reporting date - journal entry (99,700) (3,000) (3,250) 4,000 101,750 200 -


Illustration – Year 2

Columns: NPL, Assets, Deferred inflows, Deferred outflows, Net position, Pension expense, Check

1 6/30/15 measurement date (99,700) (3,000) (3,250) 4,000 101,950 - -

2 Contributions made in the prior measurement period 3,000 (3,000) - -

3 Pension expense recognized from previously recorded

4 deferred inflows and outflows

5 Actual earnings on plan assets 500 (500) -

6 Differences between Expected and Actual Experience (125) 125 -

7 Changes of Assumptions (95) 95 -

8 Deferred outflows/inflows -

9 Employer contributions subsequent to measurement date (2,200) 2,200 -

10 Actual earnings on plan assets of $8,000 vs projected earnings of $9,500 8,000 1,500 (9,500) -

11 Increase in NPL arising from the effects of differences

12 between Expected and Actual Experience (500) 500 -

13 Decrease in NPL arising from effects of Changes of Assumptions 350 (350) -

14 Service costs -

15 Interest on NPL (4,500) 4,500 -

16 Administrative expense (250) 250 -

17 6/30/16 reporting date (95,800) (3,000) (3,195) 5,075 101,950 (5,030) -


Recognition under modified accrual— single and agent employers

• The net pension liability should be recognized to the extent it is normally expected to be liquidated with expendable available financial resources

• Pension expenditures should be recognized equal to the total of a) amounts paid by the employer to the pension plan and b) the change between the beginning and ending balances of amounts normally expected to be liquidated with expendable available financial resources.

• Net pension liabilities are normally expected to be liquidated to the extent that benefit payments have matured—that is, benefit payments are due and payable and the pension plan's fiduciary net position is not sufficient for payment of those benefits.


Cost-Sharing Employers – Fund Financial Statements

• In governmental fund financial statements, the cost-sharing employer's proportionate share of the collective net pension liability is required to be recognized to the extent the liability is normally expected to be liquidated with expendable available financial resources.

• Pension expenditures should be recognized equal to the total of (1) amounts paid by the employer to the pension plan and (2) the change between the beginning and ending balances of amounts normally expected to be liquidated with expendable available financial resources.


Note disclosures – single and agent employers

• Descriptions of the plan and benefits provided

• Significant assumptions employed in the measurement of the net pension liability

• Descriptions of benefit changes and changes in assumptions

• Assumptions related to the discount rate and the impact on the total pension liability of a 1% point increase and decrease in the discount rate

• Net pension liability and deferred outflows of resources and deferred inflows of resources.

• Beginning and ending balances of the NPL, and the effects of changes during the period, including service cost, benefit changes, and actual investment earnings.


RSI Schedules

• Single and agent governments will be required to present RSI schedules with the following information for each of the past 10 years (generally on a prospective basis):

  - Beginning and ending balances of the total pension liability,
  - The plan’s net position
  - The net pension liability,
  - The ratio of the plan’s net position to the total pension liability
  - The covered-employee payroll, and
  - A ratio of the net pension liability as a percentage of the covered-employee payroll.


RSI Schedules

• If a single, agent, or cost-sharing government has an actuarially determined annual pension contribution, it is also required to present an RSI schedule with the following information for each of the past 10 years:

  1. the actuarially determined annual pension contribution,
  2. the amount of employer contribution actually made,
  3. the difference between 1 and 2,
  4. the payroll of employees covered by the plan, and
  5. a ratio of 2 divided by 4.

• Governments are also now required to present notes to the RSI schedules regarding factors that significantly affect the trends in the schedules. For single and agent employers, significant assumptions also should be disclosed


Cost-Sharing Employers – Note Disclosures and RSI

• This Statement requires that notes to financial statements of cost-sharing employers include descriptive information about the pension plan.

• Cost-sharing employers should identify the discount rate and assumptions made in the measurement of their proportionate shares of net pension liabilities, similar to the disclosures about those items that should be made by single and agent employers.

• Cost-sharing employers, like single and agent employers, also should disclose information about how their contributions to the pension plan are determined

• This Statement requires cost-sharing employers to present in required supplementary information 10-year schedules containing (1) the net pension liability and certain related ratios and (2) if applicable, information about statutorily or contractually required contributions, contributions to the pension plan, and related ratios


Computing Proportionate Share: One Potential Method

Illustration 3—Note Disclosures and Required Supplementary Information for a Cost-Sharing Employer

(Amounts in 000's)

Total Plan (all participating employers)
  - Pension liability: $ 39,502,453
  - Plan net position: 35,979,370
  - Net pension liability: 3,523,083

Covered payroll
  - Covered payroll for the individual employer: $ 11,512
  - Covered payroll for the Plan (total of all participating employers): 5,615,736
  - Individual employer's pro-rata portion of net pension liability based on covered payroll (%): 0.20%

Individual employer
  - Pension liability: $ 79,005
  - Plan net position: 71,959
  - Net pension liability: $ 7,046


Tom McNeish
Phone: 919.334.6180
Website: www.elliottdavis.com

Elliott Davis Decosimo ranks among the top 50 CPA firms in the U.S. With seventeen offices across seven states, the firm provides clients across a wide range of industries with smart, customized solutions. Elliott Davis Decosimo is an independent firm associated with Moore Stephens International Limited, one of the world's largest CPA firm associations with resources in every major market around the globe. For more information, please visit elliottdavis.com.


OMB New Uniform Guidance

Tom McNeish Government Practice Leader & Shareholder March 19, 2015


This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record of the discussion. This presentation is for informational purposes and does not contain or convey specific advice. It should not be used or relied upon in regard to any particular situation or circumstances without first consulting the appropriate advisor. No part of the presentation may be circulated, quoted, or reproduced for distribution without prior written approval from Elliott Davis Decosimo.


OMB Super Circular

• December 26, 2013 - Office of Management and Budget (OMB) issued guidance that makes significant changes to federal grants management.

• Super Circular - Streamlines requirements and supersedes eight existing OMB Circulars

• Changes are in response to the administrative burden of the existing procurement standards

• Language revisions to require "oversight" rather than a "system" to ensure that contractors comply with contract terms.

• Effective for entities with fiscal years beginning on or after December 26, 2014.


Codification

This uniform guidance codifies the following circulars into the Code of Federal Regulations:

• Administrative Requirements
  - A-102, Grants and Cooperative Agreements with State and Local Governments
  - A-110, Uniform Administrative Requirements for Grants and Other Agreements with Institutions of Higher Education, Hospitals, and Other Non-Profit Organizations
  - A-89, Catalog of Federal Domestic Assistance

• Cost Principles
  - A-21, Cost Principles for Educational Institutions
  - A-87, Cost Principles for State, Local, and Indian Tribal Governments
  - A-122, Cost Principles for Non-Profit Organizations

• Audit Requirements
  - A-133, Audits of States, Local Governments, and Non-Profit Organizations
  - A-50, Audit Follow-up


Streamlining effects

• Definition of "supplies" - Computers will be considered supplies if the purchase price is the lesser of institution’s capitalization policy or $5,000, regardless of useful life.

• Micro purchases - Supplies or services not exceeding $3,000 may be awarded without soliciting competitive quotes if the nonfederal entity considers the price reasonable.

• Direct Costs - Administrative costs may be charged directly when they are specifically allocated to one award, with prior approval from the awarding agency.

• Indirect costs - Approved indirect cost rates may be extended on a one-time basis without further negotiation, for up to four years.

• Provision to allow institutions to recover increased utility costs associated with research.


New Requirements for Recipients

• Review of Risk – Recipients to be evaluated for financial stability; the quality of management systems; performance history; reports and findings from audits; and ability to effectively implement statutory, regulatory, or other broad compliance requirements.

• Procurement standards – Emphasis on policies to prevent conflicts of interest and protect the integrity of procurements under federal awards

• Performance Measurement - Recipients will be required to provide financial information demonstrating cost-effective practices

• Internal Controls - Institutions must establish and maintain effective internal controls over federal awards.

• Personal info protection - Nonfederal entities must take reasonable measures to safeguard protected personally identifiable information.


New Requirements for Auditors

• Thresholds
  - The single audit threshold will increase to $750,000 from $500,000.
  - Audit oversight over 99.7 percent of federal award dollars and 81 percent of the entities subject to the requirement.
  - Audit oversight will be eliminated for approximately 5,000 of the 37,500 entities that currently undergo a single audit.

• Findings
  - The types of findings reported in the Schedule of Findings and Questioned Costs will remain substantially the same.
  - The threshold for reporting questioned costs will increase from $10,000 to $25,000.


Major Program Determination

Total Federal Awards Expended | Type A/B Threshold

Equal to $750,000 but ≤ $25 million | $750,000

> $25 million but ≤ $100 million | .03 times total federal awards expended

> $100 million but ≤ $1 billion | $3 million

> $1 billion but ≤ $10 billion | .003 times total federal awards expended

> $10 billion but ≤ $20 billion | $30 million

> $20 billion | .0015 times total federal awards expended


Major Program Determination

• High Risk Type A Programs - To be considered low-risk, the program must not have had:
  - Internal control deficiencies identified as material weaknesses
  - A modified opinion on compliance
  - Known or likely questioned costs that exceed five percent of the total federal awards expended for the program.

• High Risk Type B Programs
  - A material weakness finding will be the primary trigger for high risk
  - The number of high-risk Type B’s to be audited will be reduced from ½ to ¼ the number of low-risk Type A’s
  - The Type B threshold to be omitted for risk assessment will be a flat 25 percent of the Type A threshold
  - Selection of different high-risk Type B’s each year will be encouraged.


Low-Risk Criteria

• Low-Risk Auditee - must meet the following conditions for the two prior audit periods to qualify as low-risk:
  - Single audits were performed annually
  - Audit opinion on the financial statements and the schedule of expenditures of awards were unmodified.
  - No material weakness findings
  - No substantial doubt about the auditee's ability to continue as a going concern.
  - No material weaknesses, questioned costs that exceeded five percent, or a modified opinion on a major program

• Percentage of Coverage rule - The minimum percentage of total federal awards to be tested as major programs will decrease:
  - 25% to 20% for low-risk auditees
  - 50% to 40% for all others


Questions?


Tom McNeish
Phone: 803.255.1488
Website: www.elliottdavis.com


Fraud: Current Trends and Case Studies

Lee A. Wagner, CPA, CFE Senior Manager March 19, 2015

© 2014 Elliott Davis, PLLC © 2014 Elliott Davis, LLC


Presentation Overview

• Overview and selections from the 2014 Report to the Nations on Occupational Fraud and Abuse*, published by the Association of Certified Fraud Examiners (ACFE)

• Example real-life fraud case studies and anecdotes

• Discussion of “takeaways” and lessons learned from the Report to the Nations and case studies

*Copyright 2014 by the Association of Certified Fraud Examiners, Inc.


Speaker Background

• Senior Manager, Raleigh office

• Over 8 years' experience in public accounting

• CFE since 2011

• Experience with a variety of forensic accounting and fraud examination projects

• Financial statement audit experience in industries including manufacturing/distribution, state and local government, and not for profit


Part I: ACFE’s Report to the Nations


ACFE’s 2014 Report to the Nations

• ACFE surveys the population of all certified fraud examiners and compiles results

• 2014 report is based on 1,483 cases of occupational fraud as reported by CFEs

• Provides valuable information on how fraud is committed, how it is detected, and how organizations can reduce their vulnerability to the risk of fraud

• Entire report available for download: http://www.acfe.com/rttn-download-2014.aspx


ACFE’s 2014 Report to the Nations

“The cost of fraud is the equivalent of a financial iceberg; some of the direct losses are plainly visible, but there is a huge mass of hidden harm that we cannot see.” - Report to the Nations, ACFE


Size and type of frauds


Detection of frauds


Fraud victims


Fraud controls


The perps

© Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC

Page 94: Virginia Government Finance Officers’ Association Training · Virginia Government Finance Officers’ Association Training ... This makes terminology and categorization of ... •

ACFE’s 2014 Report to the Nations

The outcomes

ACFE’s 2014 Report to the Nations

Part II: Case Studies and Anecdotes

Case Studies and Anecdotes - 1

• Rita Crundwell – City Comptroller, Equine Enthusiast and Brazen Fraudster

Rita Crundwell – City Comptroller and Fraudster

• Background Info:
  - Became comptroller of City of Dixon, Illinois, in 1983
  - Dixon: working-class city of approx. 16,000, and the boyhood home of Ronald Reagan
  - Dixon’s 2011 general fund operating budget was $6.9 million
  - Rita’s salary in 2011 was approx. $80,000
  - Between 1991 and April 2012, Rita embezzled $53.7 million from Dixon

• How did she do it?
  - December 1990: Rita opens a bank account at an Ohio bank (bank subsequently acquired by Fifth Third Bank) in the name of City of Dixon and RSCDA, c/o Rita Crundwell (Reserve Sewer Capital Development Account)
  - Rita repeatedly transferred funds from City of Dixon accounts to the RSCDA account
  - Rita used funds deposited into RSCDA account for personal expenses and for operations of her race horse breeding business
  - Rita generated fake invoices (179 in total), mostly supposedly from the State of Illinois, as support for amounts deposited/withdrawn into RSCDA account

• How did she get away with it?
  - Poor (or altogether nonexistent) segregation of duties allowed Rita complete control over Dixon’s finances
    • Rita made bank deposits and transfers without second signature or authorization
    • Rita reconciled all monthly bank accounts
    • Rita prepared interim financial reports for the mayor and council
    • Rita even received the mail each day
  - Blamed Dixon’s weak financial position on lagging or late payments from the State of Illinois

• How was she caught?
  - In 2011 Rita took unpaid leave for 12 weeks to focus on her horse breeding operation
  - During this time a monthly statement for the RSCDA account was intercepted in the mail by another Dixon employee
  - The mayor contacted the FBI – it all unraveled from there

• What was the fall-out?
  - Rita’s purchases included the following:
    • Two lavish homes in Dixon
    • 80 acres of farmland
    • A house in Florida
    • Extensive updates and construction at her horse farm property
    • A $2 million custom motor home
    • Several hundred quarter horses (some at more than $100k)
    • Several vehicles, tractors, horse trailers and trucks (including a 1967 Corvette Roadster)
    • At least $500k in jewelry and furs
  - Rita pleaded guilty to $53 million scam in November 2012
  - Sentenced to 19 years and 7 months in prison
  - CliftonLarsonAllen, one of two accounting firms used by Dixon, settled with Dixon for $35.15 million in gross negligence suit
  - Janis Card Associates (other accounting firm) paid $1 million in settlement
  - Fifth Third Bank paid $3.85 million in settlement with Dixon

Rita Crundwell began working for the City of Dixon while still in high school, was made treasurer in 1983, and by this time she was fully trusted with complete control of the City’s finances.

• What was it that Ronald Reagan used to say???

Case Studies and Anecdotes - 2

• Controller of a small business in Columbia, SC steals more than $1 million over course of 6-plus years

• Background info:
  - No names included here as investigation and legal proceedings are ongoing
  - Company is industrial laundry / linens facility
  - Former controller (“Suspect”) was employed by Company from 2005 through 2013
  - During that time, Suspect made payments to herself via direct deposit from Company’s payroll bank account at least in the amount of $978,311
  - Additionally, Suspect altered two checks totaling $51,388 to be paid to a shell company owned by Suspect

Small Company Controller and Embezzler

• How did Controller do it?
  - Two bank accounts: operating and payroll
  - In addition to “normal” bi-monthly company-wide payroll disbursements, Controller initiated three smaller direct deposit transactions most months to Controller’s personal bank account
  - In the GL, these three transactions were recorded as one transaction, most typically as an expense transaction to one of the Company’s most significant income statement line items

• Which one of these is not like the other??

| Account | Account Description | Period | Date | Comments | Journal | Source | Debit | Credit |
|---|---|---|---|---|---|---|---|---|
| 1000-00 | Cash | 3 | 12/1/2011 | A/P CHECK REGISTER | CD-000502 | A/P | - | 1,777.14 |
| 1000-00 | Cash | 3 | 12/5/2011 | A/P CHECK REGISTER | CD-000503 | A/P | - | 86.88 |
| 1000-00 | Cash | 3 | 12/6/2011 | A/P CHECK REGISTER | CD-000504 | A/P | - | 137,627.64 |
| 1000-00 | Cash | 3 | 12/8/2011 | A/P CHECK REGISTER | CD-000505 | A/P | - | 894.9 |
| 1000-00 | Cash | 3 | 12/8/2011 | A/P CHECK REGISTER | CD-000506 | A/P | - | 350 |
| 1000-00 | Cash | 3 | 12/13/2011 | A/P CHECK REGISTER | CD-000507 | A/P | - | 153,478.86 |
| 1000-00 | Cash | 3 | 12/13/2011 | A/P CHECK REGISTER | CD-000508 | A/P | - | 760 |
| 1000-00 | Cash | 3 | 12/13/2011 | A/P CHECK REGISTER | JE-002394 | G/L | - | 19,396.74 |
| 1000-00 | Cash | 3 | 12/15/2011 | A/P CHECK REGISTER | CD-000510 | A/P | - | 713.66 |
| 1000-00 | Cash | 3 | 12/16/2011 | A/P CHECK REGISTER | CD-000511 | A/P | - | 55.62 |
| 1000-00 | Cash | 3 | 12/19/2011 | A/P CHECK REGISTER | CD-000512 | A/P | - | 260 |
| 1000-00 | Cash | 3 | 12/21/2011 | A/P CHECK REGISTER | CD-000513 | A/P | - | 55,237.59 |
| 1000-00 | Cash | 3 | 12/21/2011 | A/P CHECK REGISTER | CD-000514 | A/P | - | 1,664.89 |
| 1000-00 | Cash | 3 | 12/21/2011 | A/P CHECK REGISTER | CD-000515 | A/P | - | 1,355.93 |
| 1000-00 | Cash | 3 | 12/28/2011 | A/P CHECK REGISTER | CD-000516 | A/P | - | 61,228.45 |
| 1000-00 | Cash | 3 | 12/28/2011 | A/P CHECK REGISTER | CD-000517 | A/P | - | 309.25 |

• How did Controller do it?
  - From December 2011 bank statement, other debits section:
    • 12-6 Company Payroll – XXXXX $ 6,249.76
    • 12-13 Company Payroll – XXXXX $ 6,523.49
    • 12-20 Company Payroll – XXXXX $ 6,623.49
    • Total: $ 19,396.74
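The comparison the two slides above invite can be automated. The following is an added example, not part of the presentation: it takes the December 2011 ledger rows and the three bank debits exactly as printed on the slides, flags the ledger entry whose source breaks the register's pattern, and finds the group of bank debits that adds up to it. The function names are illustrative choices.

```python
from collections import Counter
from decimal import Decimal
from itertools import combinations

# General-ledger cash credits for December 2011, copied from the slide's table:
# (date, journal, source, credit amount)
GL_CASH_CREDITS = [
    ("12/1/2011", "CD-000502", "A/P", "1,777.14"),
    ("12/5/2011", "CD-000503", "A/P", "86.88"),
    ("12/6/2011", "CD-000504", "A/P", "137,627.64"),
    ("12/8/2011", "CD-000505", "A/P", "894.9"),
    ("12/8/2011", "CD-000506", "A/P", "350"),
    ("12/13/2011", "CD-000507", "A/P", "153,478.86"),
    ("12/13/2011", "CD-000508", "A/P", "760"),
    ("12/13/2011", "JE-002394", "G/L", "19,396.74"),
    ("12/15/2011", "CD-000510", "A/P", "713.66"),
    ("12/16/2011", "CD-000511", "A/P", "55.62"),
    ("12/19/2011", "CD-000512", "A/P", "260"),
    ("12/21/2011", "CD-000513", "A/P", "55,237.59"),
    ("12/21/2011", "CD-000514", "A/P", "1,664.89"),
    ("12/21/2011", "CD-000515", "A/P", "1,355.93"),
    ("12/28/2011", "CD-000516", "A/P", "61,228.45"),
    ("12/28/2011", "CD-000517", "A/P", "309.25"),
]

# "Other debits" on the December 2011 bank statement, copied from the slide:
# (statement date, description, amount)
BANK_OTHER_DEBITS = [
    ("12-6", "Company Payroll", "6,249.76"),
    ("12-13", "Company Payroll", "6,523.49"),
    ("12-20", "Company Payroll", "6,623.49"),
]


def money(text):
    """Parse a printed amount such as '19,396.74' exactly (no float rounding)."""
    return Decimal(text.replace(",", "").replace("$", "").strip())


def odd_source_entries(gl_rows):
    """Rows whose source module differs from the one used by most of the register."""
    dominant = Counter(row[2] for row in gl_rows).most_common(1)[0][0]
    return [row for row in gl_rows if row[2] != dominant]


def journal_gaps(gl_rows, prefix="CD-"):
    """Numbers missing from the otherwise sequential cash-disbursement journals."""
    seen = {int(row[1][len(prefix):]) for row in gl_rows if row[1].startswith(prefix)}
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]


def debits_explaining(amount, bank_debits, max_items=4):
    """Smallest group of bank debits that adds up to one GL amount, or []."""
    for size in range(1, min(max_items, len(bank_debits)) + 1):
        for group in combinations(bank_debits, size):
            if sum(money(d[2]) for d in group) == amount:
                return list(group)
    return []


def review(gl_rows, bank_debits):
    """One finding per odd-source GL entry, with the bank debits behind it."""
    findings = []
    for date, journal, source, credit in odd_source_entries(gl_rows):
        parts = debits_explaining(money(credit), bank_debits)
        findings.append({
            "journal": journal,
            "source": source,
            "amount": money(credit),
            "bank_debits": [d[0] for d in parts],
            "recorded_as_one_but_paid_as_many": len(parts) > 1,
        })
    return findings


if __name__ == "__main__":
    print("Gaps in CD- sequence:", journal_gaps(GL_CASH_CREDITS))
    for finding in review(GL_CASH_CREDITS, BANK_OTHER_DEBITS):
        print(finding)
```

On the slide's data the only entry posted from G/L rather than A/P is JE-002394, it sits where CD-000509 would have been in the sequence, and its amount equals the three payroll debits combined.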

• How was Controller able to get away with it?
  - Lack of segregation of duties: Controller had responsibilities over payroll, A/P disbursements, and bank reconciliations
  - General manager of Company “reviewed” bank statements but clearly did not understand them or look very closely; evidence does not indicate that General Manager was ever even provided with the payroll account monthly statement
  - Three-payment pattern per month consistently followed over several years, but never during month of September
  - Company year end was September 30

• How was Controller caught?
  - Controller quit company early 2013
  - Before leaving Controller got greedy and careless
    • Recorded illicit transactions in GL against inventory account rather than expense account (by accident?)
    • Additionally, altered two checks recorded in GL to Company’s largest supplier and made payable to shell company of Controller
  - Financial statement audit for FY2013: inventory sub-ledger was out of balance which led to subsequent investigation

• What was the fall-out?
  - Known amounts embezzled:
    • 2007 – $ 90,000
    • 2008 – $ 141,000
    • 2009 – $ 190,000
    • 2010 – $ 143,000
    • 2011 – $ 141,000
    • 2012 – $ 204,000
    • 2013 – $ 121,000 (resigned 4 months into fiscal year)
    • Total – $ 1,030,000

Case Studies and Anecdotes – 3

• Nathan J. Mueller – ING Accounting Manager and Convicted Fraudster
• Embezzled close to $8.5 million from ING over a 4-year span
• See Journal of Accountancy article for detailed account in fraudster’s own words:
  - “Lessons from an $8 million fraud”
  - http://www.journalofaccountancy.com/Issues/2014/Aug/fraud-20149862.htm

Nathan Mueller – ING Embezzler

• Started his career in accounting at life insurance company, ReliaStar (Minnesota), which was acquired by ING in 2000 for more than $6 billion
• Played a significant role in transitioning company to new ERP system upon acquisition by ING
• Glitch in system parameters allowed for fraud:
  - “I was also, by mistake, along with a co-worker, given authority to approve checks up to $250,000. I discovered this permission quite by accident some two years after the takeover.”

• How did he do it?
  “In our small accounting department, we knew everyone else’s system passwords. . . . One morning, while sitting at my desk, I realized that I could log in as someone else, request a check, and then log in as myself and approve my own request.”
  “I went to work every day for the next year tempted by the pot of gold that was there for the taking.”

• How did he do it?
  - Began by requesting checks payable directly to his personal credit card
  - After debt paid off, Nathan created shell company with Minnesota secretary of state: Ace Business Consulting
  - Initially, recorded debits in GL in “accounts that had a lot of reconciliation activity”
  - 2005 to 2007 – Nathan was in charge of accounting for Canadian investments in US dollars; would purposely weaken Canadian dollar by a few basis points to understate the US dollar value of the income

• Why did he do it?
  - At first, pressures included pregnant wife and significant credit card debt
  - As time went on, Nathan developed a taste for luxury cars, expensive watches, and high-roller trips to Las Vegas
  - Developed serious substance abuse issues as well as gambling problem

• How was he caught?
  - He and his wife divorced in 2006
  - His ex-wife remained friends with one of Nathan’s coworkers in the accounting department, and over lunch in August 2007 she voiced her concerns and suspicions related to Nathan’s exorbitant “gambling winnings”
  - This prompted the coworker to do some digging and research all checks initiated by herself and then approved by Nathan, which led to the discovery of Ace Business Consulting checks

• What was the fall-out?
  - Nathan stole approx. $1 million in 2004, $2 million in 2005, $4 million in 2006, and $1 million in 2007
  - Sentenced to 97 months in federal prison; term began February 2009
  - Released September 2014 with time off for good behavior and completion of a residential alcohol abuse program
  - Has paid back approx. $860 thousand to date

Part III: Takeaways and Lessons Learned

• Cressey’s Fraud Triangle

• Importance of anti-fraud controls at every organization!
  - From ACFE’s Report to the Nations, how are most frauds discovered?
    • Employee tips
    • Management review
    • Internal audit
    • By accident
  - What about external financial statement audits?

• Anti-fraud controls:
  - Formal fraud policy and annual training to all employees
  - Fraud risk assessment procedures, at least annually
  - Tip or whistleblower hotline
  - Ongoing monitoring and data analytics
  - Mandatory vacations and surprise audits
  - Regular review of segregation of duties and IT system access

Questions and open discussion

Lee Wagner, CPA, CFE
Phone: 919.987.2762
Website: www.elliottdavis.com

Elliott Davis Decosimo ranks among the top 50 CPA firms in the U.S. With seventeen offices across seven states, the firm provides clients across a wide range of industries with smart, customized solutions. Elliott Davis Decosimo is an independent firm associated with Moore Stephens International Limited, one of the world's largest CPA firm associations with resources in every major market around the globe. For more information, please visit elliottdavis.com.

Information Technology – Security

© 2014 Elliott Davis, PLLC © 2014 Elliott Davis, LLC

Richard Cook, CISA, CISM & CRISC Director: IT Audit & Security March 19, 2015

This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record of the discussion. This presentation is for informational purposes and does not contain or convey specific advice. It should not be used or relied upon in regard to any particular situation or circumstances without first consulting the appropriate advisor. No part of the presentation may be circulated, quoted, or reproduced for distribution without prior written approval from Elliott Davis Decosimo.

Agenda

• Cyber Terrorism
  - Overview
  - Common Data Breaches/Threats
  - Strategies to Mitigate Cyber Terrorism Risks
• Management Review of IT Controls
  - User Access Reviews
  - Privileged User Reviews
  - Vendor Management Reviews
• Password Security Guidance
  - Password Security Best Practices

Overview of Cyber Terrorism

• Cyber Terrorism defined…. Criminal acts using computers and networks as tools or targets

• Quotes from Verizon’s Data Breach Investigations Report:
  - “Some organizations will be a target regardless of what they do, but most become a target because of what they do.”
  - “87% of all breaches were avoidable through simple or intermediate controls.”
  - 37% of all breaches affected financial institutions
  - 66% of all breaches took months to discover
  - 69% of all breaches were discovered by third parties

Cyber terrorism video 1
• http://www2.deloitte.com/br/en/pages/risk/articles/cybervideo-companies-like-yours.html
• A Company Like Yours

Common Data Breaches/Threats

The chart on this slide (not reproduced here) shows the percentage of tactics utilized across all data breaches.

Source: Verizon Data Breach Investigations Report (2013)

Malware threats
  - Malware is software designed to infiltrate, damage or obtain information from a computer system without the owner’s consent (as defined by ISACA)
  - The biggest malware culprits:
    • Spyware/Keylogger – 75% of cases
    • Backdoor – 66%
    • Export Data – 62%
    • Captured Stored Data – 55%

Use of physical attacks
  - Physical threats encompass deliberate actions that involve proximity, possession, or force.
  - Skimmers installed inside ATMs, POS devices, and gas pump terminals comprise almost all incidents in the physical category

• Speaking of “Skimming”
  - Been around for a while, but the skimmers keep getting more sophisticated
  - Beginning to leverage 3D printing technology to improve efficiency and adapt to changes in card reader design

Pictures: from Krebs on Security

• Nordstrom Case
  - Found 6 skimmers attached to their point-of-sale computers back in the fall of 2013
  - Team of 3 individuals used devices similar to this to collect/store/transmit credit card data

Picture: from Google Shopping

Social Engineering
  - Gaining sensitive information or unauthorized access privileges by building inappropriate trust relationships with insiders.
  - Phishing is the most common threat
    • Usually accomplished through email or phone call schemes
    • Our employees are our weakest link

Strategies to Mitigate Cyber Terrorism Risks

There are so many risks…where to start?

Cyber terrorism video 2
• http://vimeo.com/60738040
• Cybersecurity Evolved

• How do we prevent cyber security attacks?
  - Perform internal network vulnerability assessments (each device has an IP address and each type of device has known vulnerabilities that are easily accessible on the internet).
    • To prevent – all systems must be appropriately patched as vulnerabilities are identified (this applies at network, operating system, application and database layers). Patches are provided by the vendors.
  - Perform external penetration test (this is an actual hack attempt).
    • To prevent – updated patches, appropriate network security configuration – firewalls, routers, etc.
  - University of Wisconsin has recently reported nearly 100,00 hacking attempts per day – mostly from China. As reported in The Wall Street Journal, July 2013.
  - Perform social engineering test (physical or remote – email phishing is most popular).
    • To prevent – training of employees, periodic updates.
    • There are tools that can scan for these types of data/files in email and will automatically encrypt the files prior to sending.

Other strategies to consider
• Create a response team to handle issues, often called a Computer Emergency Response Team (CERT)
  - Much like a Business Continuity/Disaster Recovery Plan
• Network with local cyber experts to understand emerging threats
• Complete a cybersecurity risk assessment

User Access Reviews

• Obtain system generated list of all users and their system privileges (helps with financial statement assertions for completeness and accuracy).
• No spreadsheets for tracking user access
  - This process only validates that the spreadsheet is correct – actual system access may vary
• User review may be difficult to do if the system is not using either role or group security for applying access rights.

• During the review, check for:
- Users are current employees, contractors, 3rd party users and temps
- Be sure to cover Application, Database and Operating system access rights
- Users' access rights are appropriate for their job function
- Users do not have SoD (Segregation of Duties) conflicts

• If SoD conflicts exist – point to mitigating control (ex. Reconciliations or other business process control)

• SoD conflicts do not exist across systems (credit approval management system – loan origination system)

• Maintain all User Access Review documents (the user access review detail – completed by reviewer - is the most important piece of evidence that the review occurred)


User Access Reviews, continued

• Maintain User Access Review Tracking sheet, should note:
- Reviewer’s name
- List of users to be reviewed
- Date sent to reviewer
- Date received from reviewer
- If changes were requested (Yes/No)
- When changes were applied
- Users should not review their own access rights (very risky)

• Note: User Access Review Tracking sheet is often maintained by the IT group. User Access Reviews should be performed by management.
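As an added illustration of the review steps on these slides (not part of the original presentation), the sketch below reconciles a system-generated access export against an active roster, flags SoD conflicts within and across systems, and catches a reviewer who was assigned their own account. The export layout, role names, SoD rules and user IDs are constructed assumptions.

```python
import csv
import io

# Constructed sample of a system-generated access export (not from the slides).
SYSTEM_EXPORT = """system,user_id,role
loan_origination,jdoe,loan_originator
credit_approval,jdoe,credit_approver
loan_origination,asmith,loan_originator
erp,bnguyen,ap_clerk
erp,bnguyen,vendor_maintenance
erp,tformer,ap_clerk
"""
# Constructed roster of current employees, contractors, 3rd party users and temps.
ACTIVE_ROSTER = {"jdoe", "asmith", "bnguyen", "mreviewer"}
# Hypothetical SoD rule set: role pairs one person should not hold together.
SOD_RULES = [
    ("loan_originator", "credit_approver"),  # conflict across two systems
    ("ap_clerk", "vendor_maintenance"),      # conflict within one system
]
# Tracking sheet: reviewer -> users sent to that reviewer.
ASSIGNMENTS = {"mreviewer": ["jdoe", "asmith"], "bnguyen": ["bnguyen", "tformer"]}


def load_access(export_text):
    """Return {user_id: set of (system, role)} from the system export."""
    access = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        access.setdefault(row["user_id"], set()).add((row["system"], row["role"]))
    return access


def review_findings(access, roster, sod_rules, assignments):
    """Return (finding_type, user_id, detail) tuples for the reviewer to resolve."""
    findings = []
    for user, grants in sorted(access.items()):
        if user not in roster:
            findings.append(("NOT_ON_ROSTER", user, ""))
        # Roles are pooled over every system so cross-system conflicts surface.
        roles = {role for _, role in grants}
        for a, b in sod_rules:
            if a in roles and b in roles:
                findings.append(("SOD_CONFLICT", user, f"{a}+{b}"))
    for reviewer, users in sorted(assignments.items()):
        if reviewer in users:
            findings.append(("SELF_REVIEW", reviewer, ""))
    return findings


if __name__ == "__main__":
    access = load_access(SYSTEM_EXPORT)
    for finding in review_findings(access, ACTIVE_ROSTER, SOD_RULES, ASSIGNMENTS):
        print(finding)
```

Each SOD_CONFLICT row still needs a documented mitigating control or a change request, and the output itself belongs with the retained review evidence.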


Basic Security (layers of an onion)

• Most secure should be the center of the onion


Privileged User Reviews

• Always review 100% of privileged users – this is the highest risk area for users (Administrators, Super Users, DBA, etc.)

• Privileged users are any users that can perform the following functions: user provisioning (Add, Change, Delete user access rights), administrator level access, change configuration settings, and users that have back end access to databases (can make changes directly to the database, i.e. DBA)

• Any 3rd party users that have access rights to your systems should be logged and monitored (we cannot outsource risk)

• 3rd party access should be limited and only granted when needed. It should not be open ended access 7X24


Privileged Users Review – Database Users

• Database user reviews are often overlooked

• Privileged database users are those users who can access the data directly via the back end

• The business owners are responsible for reviewing backend access for database users

• SQL database only has one backend database account - the Security Administrator or SA account. Hence, the password must be shared and changed periodically


Vendor Management Reviews

• Vendor Management Review

- What is the opinion on the SOC report?

- Does the SOC report have a carve out? Are these carve out processes significant to our environment? If yes, how do we get comfort around these processes? (Ex, obtain another SOC report for carve out process)

- What is the reporting period? Need to cover at least 6 months of the financial period under review.

- Are there any exceptions in the SOC report? Do they apply to our environment? If yes, how do we get comfort that the exceptions will not affect our financial reporting process?

- Do we have the proper User Control Considerations (UCC’s) in place? Have we validated the key UCC’s? Do we have evidence of the validation process?


Vendor Management Reviews/UCCs

• When reviewing UCCs be sure to include these steps:

- List all UCCs from key SOC reports

- Review each UCC to determine if the UCCs are key or not (no need to test non-key UCCs)

- For each key UCC for each key SOC report, provide evidence that the UCC is designed appropriately and operating effectively

- Maintain all documentation of the UCC reviews/testing


Did you know?

• The biggest violators of IT Security are the senior members of the IT/IS team – the team that is responsible for securing the enterprise

- So I ask you – how do you know that your enterprise is secure and only approved users have access to systems and their access is appropriate for their job function?


Password Security Best Practices – Short Reminder

• We would recommend that the following best practices be applied to password security and account lockout parameters:

• Minimum password length – 6 to 8 characters
• Maximum password age – 60 to 90 days
• Minimum password age – 1 day (or more)
• Password history – no password re-use for the trailing 12 months
• Password complexity – enabled (at least require one alpha and one numeric)
• Unsuccessful log on attempts – 5 invalid attempts before user lock out
• Lockout duration – at least 15 minutes
• Reset lockout counter – at least 15 minutes
• Domain inactivity timeout setting – 15 to 30 minutes
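To check a Windows host against the values on this slide, the added example below (not part of the original presentation) parses the text printed by `net accounts` and lists the settings that fall short. The sample output is constructed; treating values stricter than the slide's ranges as passing is an assumption, and password history, complexity and inactivity timeout are not checked because they do not map to a plain numeric line in that output.

```python
import re

# Constructed sample of `net accounts` output (not taken from the slides).
SAMPLE = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              8
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 10
Computer role:                                        WORKSTATION
"""

# (label in the output, lowest acceptable, highest acceptable or None for no cap).
# Bounds follow the slide; accepting stricter values is an assumption of this example.
BASELINE = [
    ("Minimum password length", 6, None),
    ("Maximum password age (days)", 1, 90),
    ("Minimum password age (days)", 1, None),
    ("Lockout threshold", 1, 5),
    ("Lockout duration (minutes)", 15, None),
    ("Lockout observation window (minutes)", 15, None),  # "reset lockout counter"
]


def parse_net_accounts(text):
    """Map each 'label: value' line to an int, or None for Never/None/Unlimited."""
    settings = {}
    for line in text.splitlines():
        match = re.match(r"^(.*\S):\s+(\S+)\s*$", line)
        if match:
            value = match.group(2)
            settings[match.group(1)] = int(value) if value.isdigit() else None
    return settings


def audit(settings):
    """Return the labels that are missing, disabled, or outside the baseline."""
    failed = []
    for label, low, high in BASELINE:
        value = settings.get(label)
        if value is None or value < low or (high is not None and value > high):
            failed.append(label)
    return failed


if __name__ == "__main__":
    for label in audit(parse_net_accounts(SAMPLE)):
        print("FAIL:", label)
```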


Questions


Richard Cook, CISA, CISM, CRISC Email: [email protected] Phone: 704.808.5243 Website: www.elliottdavis.com

Elliott Davis Decosimo ranks among the top 50 CPA firms in the U.S. With seventeen offices across seven states, the firm provides clients across a wide range of industries with smart, customized solutions. Elliott Davis Decosimo is an independent firm associated with Moore Stephens International Limited, one of the world's largest CPA firm associations with resources in every major market around the globe. For more information, please visit elliottdavis.com.

© Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC