• State and local governments need defensive strategies to protect against risks like fraud, financial loss, and reputational damage, and checks to ensure those strategies are working.
• The Three Lines Model executes three levels of protection designed to prevent risks from disrupting your operations and causing damage or loss.
• As the third-line defense, internal auditing analyzes the entire field to identify potential weaknesses and ensure your defensive strategies are effective at averting risks.

~

At the start of the football season, sports analysts spend a lot of time talking about who will be the player to lead their team to a championship. Yet, as we learn year after year, championships are not won by a single player. It is a collective effort, based on an assembly of individuals pooling their talents together in pursuit of a common goal.

In sports, the common goal is a championship. In business, the goal is to generate profit by establishing customer loyalty for your products or services. In government, the goal is to make our communities ideal places to live, work, and play. To win in all these instances, you need a strong team with contributions from every player.

Football fans often hear the refrain, “offense wins games, but defense wins championships.” Government teams looking to achieve their goals should not overlook the necessity of a robust defense — with internal auditing giving you the upper hand over your opponent.

What is Internal Auditing?

According to The Institute of Internal Auditors (IIA), internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. Internal auditing provides a systematic approach to evaluating and improving the effectiveness of governance, risk management, and controls processes.

To simplify: Your organization has goals (objectives). However, obstacles (risks) may exist that keep your organization from reaching its goals. You should develop strategies (internal controls) to prevent those obstacles from occurring, and continuously check to make sure your strategies are working properly (monitoring). To avoid confirmation bias — where you only seek and accept information that supports your goals — you should seek validation from an objective entity (internal audit) to evaluate if your strategies truly position your organization to succeed.

To accomplish all this, you need a coalition of talented individuals that can identify risks, strategize against them, prevent or detect risk infiltration, and consistently monitor emerging risks to provide guidance on how to stay ahead of the curve. In football terms, you need a strong defensive line!

Three Lines of Defense 

Let’s say that risk is the offensive team. Its goal is to get into your organization’s end zone to disrupt operations. The quarterback could be a hacker, fraudster, or unintentional human error. The offensive team also has other formidable players: fraud risks, cyber-attack risks, liquidity risks, etc.

Organizations need a more skilled, agile, and experienced defensive team to counteract the activity of the risk offense. Enter IIA’s Three Lines Model. This defensive strategy executes three levels of protection designed to keep risk from causing extreme financial or other damage.

The Three Lines Model defines defensive roles and responsibilities as follows:

• First Line of Defense – develops strategies to address risks
• Second Line of Defense – monitors strategies
• Third Line of Defense – provides assurance that strategies are truly effective at mitigating risks

Let’s look at the organizational playbook to understand the goals of the offensive and defensive teams and the Three Lines defensive strategy.

Understanding the Offensive Opponent

Organizations are trying to prevent risks from disrupting operations and causing financial and/or other damages. If the risk team scores in your end zone, that means they have exposed a weakness in your organization. Depending on the weakness, it could cost you a little (inefficient operations) or it could cost you a lot (major cyberbreach with financial and reputational damages) … but it will cost you!

Defining Each Line of Defense

First Line of Defense: Management, Staff, and Internal Controls

The first line of defense consists of the organizational staff associated with daily operations, delivery of goods and services, and identifying and addressing risks. For example, to minimize the risk of hacking via password breaches, this line would create a password policy and accompanying procedure, set up systems requirements accordingly, and follow the policy and procedures in daily operations.

Second Line of Defense: Risk Management and Compliance Functions

The second line of defense consists of the organizational staff that monitor your organization’s adherence to its own policies and procedures and other required guidance (e.g., regulations, laws, etc.). For example, to ensure that your organization is following its policies and procedures for minimizing hacking via password breaches, this line would periodically analyze data to ensure compliance with internal guidance, industry best practices, etc.

Third Line of Defense: Internal Audit

The third line of defense consists of internal audit professionals with knowledge in various industries. Internal audit conducts real-time assessments and communicates any weaknesses in the first two lines. Using the prevention of hacking example from above, in addition to assessing password protocols and practice, internal audit may identify that your organization has improper access controls that increase the risk of hackers infiltrating your organization’s systems. Internal audit would provide recommendations for improvement and express urgency for corrective action.

Defensive Benefits of Internal Auditing

Internal audit is not an adversary, it is part of your team. Internal audit collaborates with your management and staff, in real time, to understand your organizational goals, concerns, strengths, and weaknesses. Where external audit provides your management with an analysis of a snapshot in time, internal audit continuously and systematically provides value-added feedback to your management and your board and/or audit committee.

Internal audit assists with ensuring your organizational playbook(s) remain relevant. As the third or last line of defense, it analyzes the entire field (the organization) to make sure your defensive strategies (internal controls) are effective at averting risks from scoring (causing financial, operational, reputational, etc., losses).

Part of the analyses conducted by internal audit include (but are not limited to):

• Conducting risk assessments to identify the likelihood and potential impact of risks to assist the organization in focusing resources on prioritized areas for improvement.
• Assessing your information technology and cybersecurity environments to identify and advise on protecting organizational data, improving IT infrastructure, preparing disaster recovery strategies, etc.
• Assisting in preparing for external audits by assessing if the organization’s financial statements are accurate, complete, compliant with regulations, and free from material misstatement. 
• Conducting performance assessments to identify areas for efficiency and effectiveness improvements.

Internal audit strengthens your organization’s improvement efforts by bringing reinforcements to your already stellar team. The internal audit group delivers additional resource capacity, skills, and perspectives — including extensive knowledge about various industry standards as internal audit professionals are required to maintain continuing education in their specific areas of focus.

How MGO Can Strengthen Your Team’s Defense

MGO has a defensive line that is ready and motivated to support your organization. Stacked with professionals experienced in areas like state and local government, fraud, audit and assurance, government audit, and cybersecurity, our team is diverse in thought, knowledge, and culture — and we bring those perspectives to the field for you. Contact us today to learn how our internal auditing solutions can boost your organization’s defense.

Executive Summary:

• The Sarbanes-Oxley (SOX) Act established stricter financial reporting requirements for public companies, leading to increased scrutiny of Information Produced by the Entity (IPE).
• IPE carries different levels of risk depending on whether it is system-generated and manually prepared IPE. Strong documentation is key to validating completeness and accuracy of IPE.
• Best practices for IPE documentation include identifying the source, parameters, and format of reports; validating totals and counts; retaining screenshots; and having knowledgeable reviewers.

~

Passed by Congress in 2002, the Sarbanes-Oxley (SOX) Act revolutionized public company audits by introducing financial reporting requirements aimed at increasing transparency and preventing fraud. Most notably, the SOX Act established the Public Company Accounting Oversight Board (PCAOB), a nonprofit organization that oversees the audits of public companies to protect investors and further the public interest in the preparation of informative, accurate, and independent audit reports.  

The PCAOB refines its auditing standards annually and, in recent years, the organization has placed greater scrutiny on the work of external auditors. To keep up with PCAOB compliance, external auditors have imposed more rigorous documentation requirements on companies. As a result, companies have felt pressure to provide more expansive Information Produced by the Entity (IPE).

If external auditors have applied greater scrutiny on your reporting, you may be wondering: What level of documentation is sufficient? How can you improve your documentation to avoid deficiencies and provide greater clarity? In this article, we will discuss: 1) what IPE is, 2) the risks associated with different IPE, and 3) how to document your IPE thoroughly.

What is IPE?

IPE is any information created by a company used as part of audit evidence. Audit evidence may be used to support an underlying internal control or as part of a substantive audit. Although there are documentation and risk severity differences between system-generated and manually prepared IPE, the fundamental questions that need to be addressed are the same:

1. Is the data complete?  

2. Is the data accurate?

Risk Levels of Different IPE

Here is an overview of how risk levels vary for different types of information you report to auditors:  

Low Risk

“Out of the box” reports carry the lowest risk. These reports are also referred to as “standard” or “canned” reports. Standard reports have been developed by software companies — such as Oracle NetSuite, QAD, or SAP — as part of their enterprise resource planning (ERP) systems. Typically, the end user (you) and even your IT team cannot modify these reports. Given the constrained editability, greater reliance is placed on these reports.   

Medium Risk

Custom reports are typically driven by the business team and developed in-house by your company’s IT team. When your company’s ERP system does not have a report that would provide sufficient data, the in-house developers create a custom report. The IT team follows their change management process when developing the request report. If the report results do not align with your business team’s expectations, the query is refined, and the process is repeated until it does.  

High Risk   

A manually prepared workbook or an ad-hoc query are inherently the riskiest documentation. A manually prepared workbook may be a debt reconciliation prepared by your staff accountant, or a list of litigations the company is involved in drafted by your legal department. Given that these are manually drafted, the margin of error may be high.  

An ad-hoc query is considered high risk since the report is not subject to IT General Controls (ITGC) testing. The end user may input any parameters to generate the report. Since no control testing is performed by your company, external auditors would need to rely on their own IT team to vet the nonstandard query. 

How to Document IPE? 

Your documentation will vary to a certain degree depending on whether the IPE is manually prepared or system generated. In either case, it is important to be as thorough as possible when documenting your procedures.  

Manual IPE

For a manually prepared workbook, provide thorough documentation about the origins of the data. It is ideal to have someone who is privy to the information review the workbook.  

When the reconciliation is comprised of debt instruments, the reviewer should do the following:   

1. Match the list of individual debt instruments to the signed agreements.  

2. Validate the reconciliation and each individual schedule for mathematical accuracy.  

3. Confirm ending principal balances with creditors (where possible).  

If the list consists of litigations compiled by the legal department, the reviewer should do the following:   

1. Send confirmations to outside counsel (where possible).  

2. Obtain a list of commitments and contingency journal entries made to an accrual.    

These additional steps provide greater comfort that the list compiled is complete and accurate.   

System-Generated IPE

For system-generated IPE, there are a handful of questions to keep in mind:   

1. Have you identified the report or saved search that was used?   

2. What parameters were used to generate this report?   

3. In what format is the data exported?   

4. After you run your report and confirm the parameters are correct, what format should be utilized for your export?  

Exported Data

Most ERP systems allow the exporting of data in the following four formats:   

1. PDF (portable document format) 

2. Excel  

3. CSV (comma-separated values)   

4. Text file   

One major drawback in an Excel, CSV, and text file is that, by their nature, they are editable upon export. An additional drawback of a text file is that it does not contain formatting. As the volume of data grows, proving out the completeness and accuracy becomes more challenging. For these reasons, a PDF export is typically preferred.  

After the data is exported in one of the four formats, you want to ensure that it agrees back to the system (completeness and accuracy). Here are a few ways to do that:     

1. Does the exported data have dollar amount totals? If so, agree the total dollar amount to the system.  

2. Does the exported data have hash totals? An example of a hash total is employee ID numbers which in aggregate have no real value other than providing confirmation that the data is complete and accurate.   

3. Does the report have a total line count? If totals are not available, line counts may be used. However, it is important to note that while the line count may agree, the data itself could have still been inadvertently manipulated.  

Screenshots of Data

Retaining screenshots is imperative for documentation. A detailed screenshot should include some (if not all) of the following:  

1. Totals (dollar amounts, hash amounts, etc.)   

2. Lines count   

3. Parameters utilized 

4. Time and date stamp 

The first three items validate the completeness and accuracy of the exported data. The fourth item confirms when the report was run and if it was timely. There are many reports that are point-in-time and may not be recreated at a future date. Knowing the constraints of the reports you use is important. Retaining screenshots cannot be overemphasized, especially for point-in-time reports.   

Certain ERP systems or online portals do not provide a preview of the report prior to the export. This puts a constraint on the validation of completeness and accuracy, as it inhibits screenshots from being taken. In this case, as part of the review, the reviewer should re-run the report and validate that the original report used matches the information in the re-run report.

Strengthen Your SOX Compliance by Implementing Best Practices  

There is no perfect science to IPE documentation. But the end goal is to be as detailed as possible. By simply focusing on the fundamental questions and ensuring that your documentation addresses them, your documentation will inevitably improve.   

Developing best practices for your team is the cornerstone for any successful audit. Ensure you have the right guidance to make it happen. Our Audit and Assurance team can tailor a SOX environment to meet your needs. Contact us today to learn more.

Specific scams that mask as abusive or fraudulent tax avoidance strategies to be aware of include concealing assets in offshore accounts and improper reporting of digital assets, manipulation of high-income taxpayers to file their tax returns, abusive syndicated conservation easements, and abusive micro-captive insurance arrangements. Read more to round out the annual list for the 2022 filing season.

Tips for taxpayers on emerging scams

To avoid compromising yourself with these “too good to be true” schemes, taxpayers should stay wary, as these scams adopt a wide range of communication methods, including:

• Emails
• Phone calls
• Social media posts
• Targeted online advertisements

You must also consider each source before putting any of these arrangements on your tax returns — because ultimately, you are the one responsible for what is on the return, not the promoter who reached out to you and made a promise they failed to uphold. To mitigate risk, an anxious taxpayer should turn to trustworthy tax professionals to assist with their returns.

Read on to learn about these Dirty Dozen scams targeted primarily to high-net-worth individuals who may be trying to knowingly — or unknowingly — avoid filing.

Scam #9: Concealing Assets in Offshore Accounts and the Improper Reporting of Digital Assets

We hear Switzerland is beautiful this time of year … and so do some high-net-worth individuals looking to conceal their assets in offshore accounts (and yes, that does include cryptocurrency and other digital assets). As more taxpayers look to complex international tax avoidance schemes, the IRS is more determined than ever to “protect the integrity of the U.S. tax system” by enforcing tax responsibilities.

Whether it entails offshore banks, brokerage accounts, nominee entities, employee leasing schemes, foreign trusts, structured transactions, or private annuities, all are designed to hide the true owner of an account — which is illegal, considering U.S. taxpayers are taxed on all the income they make, not just what they keep in the country. But scammers know you may not want to give up some of your hard-earned assets to Uncle Sam. So, what do they do? They sell you a convincing story: you can easily evade the government and hide your assets through digital asset holdings; they claim these are “undetectable by tax authorities.” The catch? They are definitely detectable. By believing these fraudsters, you run the risk of being criminally charged or penalized, so in the end, it is better to report your assets — yes, all of them — when you file.

Scam #10: High-Income Individuals Who Don’t File Tax Returns

Believe it or not, there are some taxpayers who choose to just … not file a tax return. And believe it or not, there are scamming professionals out there aiming to convince you this is a good idea. The IRS takes this seriously. If you are considering this option, remember the Failure to File Penalty is higher than the Failure to Pay Penalty, meaning you are better off filing an accurate, timely return (and setting up a payment plan, if you are concerned about that) rather than not filing and hoping you get out of paying whatever taxes you owe.

Scam #11: Abusive Syndicated Conservation Easements

In this scam, dishonest promoters manipulate a part of the tax law that allows for conservation easements by inflating appraisals of underdeveloped land (i.e., the guise of a real estate investment) and engaging in bogus partnerships without a business purpose. These “deals” rarely help you out; instead, they benefit the promoters, who charge high fees, and clog the tax system with fraudulent tax deductions. (In the last five years, the IRS determined billions of dollars of deductions were wrongly claimed!) And if you are caught — which, you should expect to be, because the IRS takes a microscope to every single one of these “deals” — you can expect large fines and potential time in court.

Scam #12: Abusive Micro-Captive Insurance Arrangements

A high priority for the IRS, this scam sees professionals like accountants and wealth planners convince entity owners to pay for what they believe to be insurance coverage against unlikely events, events that are already being covered, or disingenuous business needs. Complete with sky-high premiums, the abusive structure does the opposite of protecting your organization’s tax safety — it opens you up to more risk as a ”micro-captive” to these “professionals” taking advantage of you. Be on the lookout for an offshore version of this too.

Consequences of falling for a Dirty Dozen scheme

It is important for taxpayers who have already taken part in transactions like these — or those who are thinking about doing so — to consult a tax professional before claiming any tax benefits they think they are owed.

Those taxpayers who have already claimed the purported tax benefits of one of these four “Dirty Dozen” arrangements on a tax return should file an amended return and go to an independent professional for guidance. If necessary, the IRS will examine the tax benefits from transactions like the ones depicted in the list and inflict penalties related to accuracy ranging from 20% to 40%, or a civil fraud penalty of 75% on any taxpayer who underpaid.

Our perspective on the latest batch of “Dirty Dozen” scams

This is not, of course, an exhaustive list of every scam the IRS has its eye on this year. But it does include some of the more common trends. The best advice we can give? If something looks too good to be true … it probably is. Consult your tax professional for guidance and know that it is in your best interest to stay aware of these nefarious arrangements, so you do not fall susceptible to additional penalties.

And remember, you cannot hide income from the IRS!

MGO’s Tax team brings more than 30 years of experience and is well versed in reviewing your return for compliance. We also stay up to date on the risks, pitfalls, and warnings issued by the IRS so you don’t have to. If you think you have been involved in or are in the process of being involved in one of the Dirty Dozen scams, we can help. Contact us today.

To read more about how California’s PTET works from our Insight Library, see here and here.

California’s PTET considerations

To make the election in California for tax year 2022, eligible entities must pay in the greater of $1,000, or 50% of the 2021 PTET liability, by June 15, using FTB 3893. Entities that fail to make this “safe harbor” payment will not be able to make the election on the 2022 tax return. (Note: The election can only be made on an entity’s timely filed original tax return.)

New York extends its 2022 PTET deadline

Previously, the deadline for making the 2022 election was March 15, 2022, but recent legislation not only extended the deadline but also increased the amount of benefit for resident S corporations. Under the prior legislation S corps could only make the election as to the portion of income that is sourced to NY; however, new legislation (A10080/S8948) enables S corporations, for which all owners are New York residents, to include income from all sources, which has the effect of increasing the amount of available credit on the individual owners’ returns. And because these rules went into effect after the PTET election due date for tax year 2022, New York extended its PTET election deadlines for all taxpayers. Now, passthrough entities can make their PTET election any time by or before September 15, 2022.

Accompanying the deadline extension is a new schedule of estimated payments, contingent on when the eligible entity makes the election. Taxpayers must still pay the entire amount of estimated PTET liability by the end of the year (90% of the PTET shown on the entity’s return for the taxable year; or 100% of the PTET shown on the preceding year’s return). However, instead of owing 25% each quarter (March 15, June 15, September 15, and December 15), taxpayers that make the election prior to June 15, 2022, only need to pay an amount equal to 25% of the required annual PTET liability by June 15, followed by 50% due in September, and the remaining 25% by December 15. And taxpayers that make the election after June 15 but before September 15, must submit a payment equal to 50% of the annual liability by September 15, with the other 50% due December 15.

You can find links here to make the election and submit payments online.

MGO’s insights

If you missed making the CA election on the 2021 return, the silver lining is that you can now “lock in” eligibility with a payment of only $1,000 on June 15, regardless of the amount of taxable income the entity ultimately reports. If you did make the election on the 2021 return, be sure to pay at least 50% of prior year liability (and consider adding a cushion for good measure), as there does not appear to be a “reasonable cause” exception to the rule.

And remember, most tax professionals have interpreted IRS Notice 2020-75 to allow the entity only to claim a deduction for the expenses actually incurred during the applicable tax year — regardless of whether the entity is on a cash or accrual basis accounting method. This means that if you intend to experience the full benefit of a state’s SALT Cap Workaround on your 2022 tax return, you will need to submit the full amount of PTET liability before the end of the year. Amounts paid after the end of the year but before the return deadline (March 15, for most taxpayers) will be deducted on the following year’s federal tax return regardless of when they are credited to state tax liability.

Thus, if the entity made the election in 2021 and paid the PTET before December 31, 2021, then it should (or should have already) claimed the entire amount of PTET credit as an ordinary expense deduction on its tax return (and reported on the owners’ K-1s, generally, line 13). But if the payment was submitted between January 1 and March 15, 2022, that payment, plus the upcoming payments, will be deducted on the 2022 return alongside the other payments made during the tax year.

Final perspectives

To take advantage of the 2022 CA and NY SALT Cap workarounds, make sure to submit your payment by June 15, 2022 for the California PTET, and your election and any necessary payments by September 15, 2022 for the New York PTET.

Only state PTET payments made during the entity’s fiscal tax year are deductible on that year’s federal tax return, so in addition to meeting the state’s minimum estimated tax requirements to ensure eligibility, consider making grossed-up estimated payments before year end to maximize the economic effect of the deduction on the 2022 return.

The PTET rules are different in every state, and with a near-constant stream of amendments and clarifications from state legislators and tax agencies, you may be unsure what is due when. MGO’s tax team can provide you with reminders for payment submission deadlines and calculate amounts due to help you navigate this opportunity for tax savings.

Please get in touch and see how New York, California, or another state’s PTET can benefit your business.

Previously, you were not mandated to include independent contractors under the state’s new hire reporting requirement; now you’ll have to add them to the list of other new hires or rehires to report.

If your organization falls into one of the following categories, you’re required to report your new hires for tax purposes:

• Labor organizations, including union-operated placement offices (I.e., hiring halls),
• Employers of individuals performing domestic services,
• Government entities excluding federal agencies.

Your organization will have to report those new hires or rehires, including independent contractors, within 20 calendar days from the date hired. The hiring date is defined as the first day the employee or contractor:

• Is eligible to collect commissions for any job performed based only on commissions,
• Completes the services for which they will be paid (collecting tips, wages, commissions, or another agreed-upon compensation).

If you are an employer looking for clarification regarding additional reporting requirements in New York State (including how to actually file), please contact MGO’s tax team to talk to an advisor who can comprehensively walk you through the steps and ensure you avoid any missteps that could affect your organization.

In the following, our tax team breaks down what this might mean for you if you filed a partnership, corporate, or LLC tax return — and what you’ll need to do to avoid an audit or additional costs.

What is unclaimed property?

Unclaimed property refers to property or accounts that have not generated any activity or engagement with the owner for three years or more (known as a dormancy period), after which it is labeled “unclaimed.”

Common examples of unclaimed property include uncashed checks, stocks, safe deposit box contents, gift cards, insurance payments, or refunds. For example, California hosts a database for taxpayers to verify whether the state may be holding any unclaimed property in their name (or related to their properties).

If your business or organization is holding unclaimed property, you must either return it to its owner, or, if unable to locate the owner, turn it over to the state once the dormancy period has ended (called “escheating”). Any holder that knows unclaimed property exists but has not sought to effectively address the issue can face expensive consequences.

California’s updated unclaimed property requirements

Currently, there is a low reporting rate of unclaimed property in California, which has prompted the state to act. It is estimated that businesses are withholding close to $18 million in escheatable funds, and the Legislative Analysts’ office estimates only 2% of businesses are compliant with the current unclaimed property reporting laws.

But now California tax returns will require taxpayers to answer the following questions regarding unclaimed property compliance:

• Have you previously filed an unclaimed property holder remit report with the state controller’s office?
  • If so, when did you last file the report?
• What was the amount last paid?

Your answers will be shared with the state controller’s office, potentially spurring an unclaimed property audit. And if your business is located outside of California, any audits you are subjected to would be referred to third party collection companies, meaning you might be susceptible to a multi-state unclaimed property examination.

Possible unclaimed property respite via Assembly Bill 2280

The California State Assembly is deliberating a new assembly bill to provide an amnesty program for businesses looking to report unclaimed property in California, interest-free. This is due in part to the regulatory challenges unclaimed property poses for organizations in nearly every industry.

To be eligible for the voluntary compliance program, companies cannot 1) be currently under examination in California, 2) be involved in criminal or civil action for unclaimed property noncompliance, or 3) have been alerted to unclaimed property interest in the past five years. California will forgive the company’s unclaimed property interest if the company:

• Takes part in an educational training program.
• Makes a diligent effort to reunite unclaimed property with its rightful owners.
• Promptly files reports and submits unclaimed property spanning the past 10 years.
• Reviews its accounting records for unclaimed property spanning the past 10 years.

California Attorney General: “Corporate evasion is corporate fraud.”

Unclaimed property is also an increasingly hot topic for enforcement because of the high stakes for unclaimed property compliance and risk.

In a March 2022 press release, the California Attorney General brought unclaimed property into the spotlight alongside a complaint filed by the state, which alleges a California healthcare provider chain failed to report and remit unclaimed funds. Not only did it violate the California Unclaimed Property Law, but it also allegedly concealed the funds instead of simply failing to report them.

With the California Attorney General’s involvement in unclaimed property enforcement, it stands to reason that other companies should examine their own compliance to avoid additional penalties.

How you can avoid unclaimed property issues

The focus on unclaimed property compliance is growing, and noncompliance with the laws can prove costly: California charges a 12% interest rate on back filings, and its audits can reach back as far as 10 years.

To avoid unclaimed property issues, you must:

1. Identify the unclaimed property
2. Perform due diligence by notifying the proper owner of the property
3. Remit the unclaimed property to the state.

If you think you might have compliance gaps in your company’s history, or you have knowingly neglected to report unclaimed property in the past, an internal review of your exposure is crucial.

How MGO can help

If you have questions about your unclaimed property compliance or think your organization could benefit from understanding its level of exposure and vulnerability in case of an audit, MGO’s Tax Controversy team can guide you through best practices. Contact us to learn how you can avoid additional compliance costs.

Who is your grant administrator?

This seems like a simple question, but if an organization only has a few grants, grant administration may be one of many roles. Or, responsibility may be shared among several roles. That situation works until the size of the organization and the complexity of the grants make responsible grant management impossible.

When the responsibility and complexity of grant management becomes too demanding to include as one of many responsibilities, it’s time to identify one person to take the lead. Eventually, that person may build the team responsible for overseeing and coordinating grant administration.

It is easy to see the benefits of having one person develop the full knowledge of grant requirements and take responsibility for establishing policies and procedures for the organization. This person provides guidance for the organization and monitors compliance requirements. They also serve as the point person for grant related audits.

Do you have policies and procedures for grant administration?

A grant administrator’s first priority is to develop policies and procedures that outline each step in the lifecycle of the grant. Typically, this document will answer the following questions:

• Who approves grant applications?
• Who executes grant agreements?
• What systems will be used to track grant activities, such as qualifying expenses, reporting dates, performance metrics (both financial and programmatic)?
• What documentation is required for compliance?
• Who reviews and approves grant activities to ensure compliance?
• Who develops and manages a schedule and process for annual financial reporting (financial statements and grant reporting, e.g., single audit)?
• Who is responsible for training staff in grant requirements?
• Are subrecipient contracts standardized, and do they comply with your responsibilities as a grantor?
• Who is responsible for resolving audit findings?

Are you prepared for grant reporting?

One of the key responsibilities of a grant administrator is to manage deadlines (monthly, quarterly, biannually, annually, and grant close out). In addition to the initial application deadline, grants require consistent attention. You need to file updates and reports throughout the life of the grant, and they will often require specific documentation. The information in these reports must be complete, accurate, and filed promptly. If they are not, you can count on the grantor requiring you to follow-up and resolve the issues.

Do you have the resources to monitor activities?

It’s true, monitoring grants is a full-time job. Or it should be.

Being awarded a grant is the first chapter of a long story. The rest of the tale involves using the grant for its intended purposes and documenting that fact. Responsible monitoring and documentation require time, energy, systems, and personnel.

Someone should be assigned responsibility for the continuous monitoring and evaluation of grant administrative policies and procedures. This involves looking for changes in grant requirements communicated by the grantor.

For subrecipients, the grant administrator must convey the expectations about their activities and then monitor the progress toward the stated goals. On-site visits will sometimes be necessary and require time. Verifying the status of periodic reporting responsibilities can also take up resources that may already be scarce.

The final chapter of monitoring activities is to develop a clearly defined plan for responding to audit findings. Depending on the complexity of the findings, resolving these issues can require rewriting procedures, documenting changes, and verifying the implementation.

Are you ready for an audit?

While this may seem obvious, knowing your requirements should be the first step in preparing for the possibility of an audit.

In addition to reviewing grant requirements, look back at your prior year findings to confirm that they were fully resolved. If they were not, they need to be addressed immediately.

The next step in being prepared for an audit is to ensure all necessary documentation is complete and accurate. Your documentation should demonstrate compliance with the grant requirements. Usually, your materials will need to include evidence of internal controls that supports the process of reviews and approvals. Internal policies and procedures should be easily accessible. (Thankfully, once this document is complete, it only needs to be updated going forward.) When these items are assembled, make sure all reconciliations connected to the grant are complete.

Once the preparations are made, the hardest part of an audit is done. You will still need to meet with auditors and discuss expectations, timelines, and requests for information, but these are more scheduling and time management issues. If your paperwork and systems are in good order, your work will consist mainly of providing evidentiary support, and possibly providing explanations on details that may not appear obvious to an outsider.

Continuously improving your grant compliance processes

With a lot of subjectivity in the process of managing grants, along with requirements changing on a regular basis, it is important to continuously evaluate the adequacy of your grant administration policies and procedures. So, no matter what your situation is, your processes can always improve, and any deficiencies can be remediated. But it takes commitment as an organization to devote the resources to do the ongoing work of grant compliance.

Many state and local governments have compliance questions about the federal grants that were distributed during the pandemic. The reporting rules of these programs are complex, and requirements continue to evolve.

MGO’s state and local government professionals can help answer questions about these federal grants and help organizations document their systems of internal controls, improve their audit preparation, and address audit findings. Contact Linda Hurley at +1 (949) 296-4340 or lhurley@mgocpa.com for more information on how to improve your grant compliance processes.

In this fast-paced environment, aggressive growth plans can easily outpace more “burdensome” internal initiatives, like establishing proper financial and compliance controls and corporate governance policies. In the race for market share, these internal activities appear to do little for supporting bottom line growth. In the worst circumstances, they can be treated as onerous hurdles to be overcome.

But in the highly-regulated cannabis industry, there is simply no room for fudging over the details. A spate of scandals related to corporate malfeasance has already rocked the industry, and the clear and present dangers of failing to comply with regulations are being demonstrated with the on-going fallout from the CannTrust Holdings, Inc. fiasco.

What we’ve learned about the importance of regulatory compliance

The lesson provided by CannTrust’s missteps is simple: the drive to expand a cannabis business cannot outweigh the responsibility of adhering to regulatory compliance demands. CannTrust’s troubles began when regulators observed grow rooms operating without licenses. The rooms were built to regulatory standards and the licenses were approved at a later date, but the rooms were operational for at least six months prior to being licensed.

To a casual observer, this may appear as nit-picking on the side of the regulators. But the seeming simplicity of the transgression only underlines the importance. Even small missteps can have cataclysmic outcomes for a business.

Just as cannabis businesses are “building the plane in flight,” cannabis regulators are caught in a similar dilemma. Industry regulations are also their infancy and there have been delays and other issues with licensing in nearly every legal cannabis market. While licensing delays are frustrating to a company ready to expand, they are no excuse for defying compliance.

The strategic view: incorporating compliance into corporate governance

Corporate governance policies broadly establish a company’s stance toward risk, ethics and business practices. Effective policies establish control mechanisms that facilitate the execution of high-level directives throughout an organization; enable feedback and the flow of communication between levels; and balance and protect the interests of employees, stakeholders, investors and the rest of the business’ ecosystem.

In a worst-case-scenario, compliance activities are one of many “low-priority” control functions, siloed from broader governance policies and considered an onerous duty of “checking boxes” to meet compliance demands. This attitude is not recommended for ANY kind of business, but is absolutely a red flag and non-starter for operation in the highly-regulated cannabis industry.

The ideal alternative is to elevate compliance in the hierarchy of corporate governance and make it central to business strategy. Compliance can be considered the tactical execution of strategic governance policies. Rather than a “second thought,” compliance should be among the primary considerations when planning and enacting business activities. Whether launching new cultivation or retail spaces, executing an M&A deal, or raising capital, the feasibility and timeliness of attaining and maintaining regulatory compliance should be a primary consideration. If issues related to compliance stand in the way, they must be respected and addressed, or an enterprise risks losing…everything.

Tactical View: Structuring Effective Regulatory Compliance

While aligning compliance activities with the overall philosophy of an organization is a good start, putting this idea into practice requires a tactical approach to creating and staffing the compliance functions. Following are key steps that empower regulatory compliance as a priority for cannabis businesses:

Staff a Dedicated Regulatory Compliance Officer: The inconsistent legal status of cannabis across jurisdictions, plus the multitude of rules governing every aspect of the cannabis supply chain and finances, make for a very complex regulatory environment. Ensuring compliance enterprise-wide must be a dedicated role for a qualified professional at the executive level. They should have oversight into all relevant areas and direct communication with C-Suite executives, the Board of Directors, and other relevant stakeholders.

Build a Functional Compliance Team: Your appointed officer will be responsible for compliance activities, but they will most likely need support from throughout the organization. Ideally, a staff member in each major area will be responsible for reporting up to the compliance officer and also executing directives under their purview. Most enterprises will not have the ability to have dedicated compliance staff, but it should be included among responsibilities to lower level management. Creating a clear, identifiable chain of command will facilitate communication and make compliance activities more efficient and effective.

Empowering Your Compliance Team: Unfortunately, it is not uncommon to have a compliance team in name only. Without the ability to communicate with the Board of Directors, company leadership, and other stakeholders, a compliance officer’s effect is muted. It is important to empower your compliance officer, involve them in strategic planning initiatives, and give them the platform to regularly update stakeholders on progress and risks.

Preparing for Change: Regulatory compliance is not a “set it and forget it” function. The cannabis industry regulatory landscape is constantly changing at state/province and local levels. Proper corporate governance must include regular tests of controls, subsequent updates, and on-going employee training on regulatory demands.

Moving Forward

The emergence of scandals in the cannabis industry illustrates just how easy it is to foster a culture of non-compliance, and how disastrous the consequences can be. Rather than risk running afoul of the rules in heavily regulated industries, organizations must be willing leverage the time and resources to diligently adhere to compliance requirements. With a qualified team, an effective structure, and commitment from leadership, cannabis enterprises greatly improve their chances of avoiding regulatory trouble and do not put all their hard work and perseverance at risk.

Many cheered the passage of the 2018 Farm Bill, which descheduled industrial hemp and its derivatives (including CBD). But that was just the start of a much more complicated regulatory story that continues to have a major impact on entrepreneurs, investors, and advocates and patients who rely on CBD.

CBD and the 2018 Farm Bill

When President Trump signed the 2018 Farm Bill into law one of the key changes affecting the cannabis industry was the separation of “hemp” and “marijuana.” Before the Farm Bill, any incarnation of the cannabis plant and its byproducts were lumped into a single category and considered a Schedule 1 drug. Key language in Section 1103 of the Farm Bill defines hemp as:

“the plant Cannabis sativa L. and any part of that plant, including the seeds thereof and all derivatives, extracts, cannabinoids, isomers, acids, salts, and salts of isomers, whether growing or not with a delta-9 tetrahydrocannabinol concentration of not more than 0.3 percent on a dry weight basis.”

In short, the Farm Bill descheduled industrial hemp and its byproducts as long as it stayed under the threshold of less than 0.3 percent THC. CBD is derived from the cannabis plant, whether there are significant levels of THC or not. CBD industry advocates have interpreted the language “all derivatives, extracts, cannabinoids, isomers, acids, salts, and salts of isomers” as descheduling CBD when industrial hemp is the source. And they are “mostly” correct in this interpretation. Unfortunately, there are other federal agencies in play.

CBD and the FDA

United States Department of Agriculture (USDA)  enacted the 2018 Farm Bill in their position overseeing laws related to the cultivation of industrial hemp. The United States Food and Drug Administration (FDA) oversees medicine and food additives. CBD has emerged as a “wonder drug” with a growing list of potential benefits and now appears as an additive in a wide range of consumer products. In addition, the FDA approved Epidiolex, the first CBD-derived drug, in 2018.

All of this has culminated in CBD being a priority of the FDA, so much so, that just a week after the Farm Bill was signed into law, the FDA issued a press release clarifying and asserting their regulatory control over all cannabis-derived compounds.

“We treat products containing cannabis or cannabis-derived compounds as we do any other FDA-regulated products — meaning they’re subject to the same authorities and requirements as FDA-regulated products containing any other substance. This is true regardless of the source of the substance, including whether the substance is derived from a plant that is classified as hemp under the Agriculture Improvement Act.”

Concurrent with the Farm Bill and the press release regarding CBD, the FDA also issued three Generally Regarded as Safe (GRAS) notices for hemp by-products: hulled hemp seeds, hemp protein powder, and hemp seed oil. Clearly demonstrating that (some) hemp products have been descheduled and cleared for use by the FDA.

The FDA’s policy is different toward CBD for two key reasons. Firstly, CBD products are largely marketed with a wide variety of therapeutic claims. In their press release the FDA notes:

“The FDA requires a cannabis product (hemp-derived or otherwise) that is marketed with a claim of therapeutic benefit, or with any other disease claim, to be approved by the FDA for its intended use before it may be introduced into interstate commerce.”

Secondly, the FDA’s approval of CBD-based drug Epidiolex, put CBD and THC into the category of “active ingredients in FDA-approved drugs.” Under the Federal Food, Drug, and Cosmetic Act (FD&C Act) it is “illegal to introduce drug ingredients like these into the food supply, or to market them as dietary supplements.”

In short, the FDA does not distinguish between CBD derived from hemp or “marijuana,” and until the agency approves CBD and establishes a regulatory framework, adding CBD to food and beverages is illegal.

Has the regulation of CBD slowed businesses?

While early CBD research has shown promise as a treatment for conditions like epilepsy and anxiety, as a consumer product it is unproven and has been largely unregulated until recently. In the absence of labeling standards and regulated dosage guidelines, consumers often have little understanding of what they are buying and its potential effects.

All of this uncertainty has earned greater regulatory attention for CBD. There have been reports of crackdowns on bakeries, restaurants and retailers selling CBD in California, New York, Maine and Ohio, just to name a few. This regulatory response has shocked and angered a number of hemp producers and CBD retailers who have invested millions into business ventures that they feel only supply the public with products that help manage health concerns.

Despite the confusing legality, the CBD industry appears to be moving full-steam ahead. In recent months, national retailers as diverse as Walgreens, DSW and Barney’s New York have announced plans (or have already begun) selling CBD products. Indicating the burgeoning CBD industry is well on the way to mainstream acceptance.

What is next for CBD?

In February, former FDA Commissioner Scott Pruitt testified before the House Appropriations Committee and said that the FDA is initiating a rule making procedure with the goal of creating “an appropriately efficient and predictable regulatory framework for regulating CBD products.” The FDA will launch the process with a public hearing on CBD scheduled for May 31, 2019.

Further complexity struck when Pruitt unexpectedly announced his  resignation, which took effect in early April. Pruitt has been replaced by Dr. Ned Sharpless, the former director of the National Cancer Institute. To date, it is unknown whether Sharpless intends to take a progressive stance toward CBD.

While delays occur at the federal level, states are shifting into action. Maine recently passed an emergency law governing CBD. The bill aligns the definition of hemp in Maine’s laws with the definition used in the Farm Bill. Meaning, as long as CBD is derived from hemp sources it is to be considered a food product, rather than medicine, and is cleared for use in Maine.

Ultimately, until the FDA creates a regulatory framework for CBD, it will remain illegal to add it to any food or drink products.

Learn more about the FDA Public Hearing on CBD here

Provide a public comment for the FDA on CBD here

To help cannabis entrepreneurs and investors keep up with the fast pace of change in the cannabis industry we will be providing monthly summaries of the latest regulatory and legislative news to provide a snapshot of latest happenings while also highlighting matters of interest looking forward.

This month the focus is on prominent federal legislative activity (e.g. the SAFE Act and the STATES Act), state legalization measures (e.g. NJ, NY, IL, and others), and two bills in Colorado that have the potential to attract out-of-state investment to that market.

Changes in federal cannabis legislation

With control of the House of Representatives being transferred to the Democratic party, several bills that have the potential to profoundly impact the cannabis landscape have advanced in Congress.  For example, the last week of March saw the House Financial Services Committee move forward the Secure And Fair Enforcement (SAFE) Banking Act to a full House vote, reportedly “within weeks.” Following the momentum of the House bill, U.S. Sens. Jeff Merkley (D-OR) and Cory Gardner (R-CO) have introduced the companion bill in the Senate.

The latest SAFE iteration addresses the cannabis banking crisis and includes amendments that offer protection to insurance companies and other financial services companies.

The banking issue is long-standing and predates even the implementation of recreational cannabis in the US. The lack of straight forward access to fundamental banking services for the cannabis industry creates a multitude of challenges, most notably the operational and financial difficulties of a multi-billion-dollar industry operating almost entirely in cash. This has obvious implications for public safety and potential diversion to the black market, among other concerns.

The inability to access banking services is often identified as a major hindrance to market entry for large and well-resourced corporations and removal of this barrier could herald a seismic shift in investment into the cannabis industry. At time of writing the House Bill had 152 cosponsors, including 12 Republicans, whereas the Senate bill has 20 co-sponsors.

Adding further momentum to the SAFE bill, last week Last week,  Secretary Steve Mnuchin offered his support for a legislative fix for the banking issues facing the cannabis industry. “There is not a Treasury solution to this. There is not a regulator solution to this,” he said. “If this is something that Congress wants to look at on a bipartisan basis, I’d encourage you to do this.”

Another potentially substantial piece of legislation is the Strengthening the Tenth Amendment Through Entrusting States Act (STATES Act), which aims to reduce conflict between federal and state laws as they relate to cannabis. The STATES Act is a potential gamechanger for the cannabis industry, allowing legal certainty for companies seeking to operate in dozens of jurisdictions across the US.

Although this legislation stalled in December, it was reintroduced on April 4^th, alongside other measures, which include:

• the Ending Federal Marijuana Prohibition Act that would effectively legalize marijuana at the federal level by removing it from the Controlled Substances Act.
• The Marijuana Justice Act of 2019

The extent to which these bills have bipartisan support may be crucial if they are move beyond the House.

Four steps forward and two steps back in state legalization efforts

It has been a mixed month in terms of advancing cannabis legalization measures at the state level. On the one hand, there has been progress in multiple states, such as Connecticut, Illinois, and New Hampshire. While on the other hand there was a couple of snags holding up the implementation of recreational markets in New Jersey and New York.

Recent adult-use cannabis legalization headlines include:

• The New Jersey cannabis legalization bill was pulled due to lack of support although Gov. Murphey (D) reportedly stated he remained committed to getting the bill passed.
• New York dropped cannabis legalization from its budget bill where it was viewed as more likely to pass, however, regulators remain optimistic of progress later in the year. The New York City Council also voted to ban cannabis testing for job applicants.
• A General Law Committee in the Connecticut Legislature approved a bill that would legalize an adult-use cannabis market in the state.
• In New Hampshire, the House Ways and Means Committee approved a vote on the floor on legislation that would legalize an adult-use cannabis market.
• A bill to legalize retail cannabis in Illinois was introduced and passed to a subcommittee for further consideration.
• Governor of Guam signed a bill legalizing cannabis, becoming the first US territory to do so.

Despite the hiccups outlined above, there is a clear trend towards legal cannabis across the US. Moreover, several states took steps towards expansion or liberalization of their medical cannabis markets. Certainly in the long term, the outlook is optimistic for the cannabis industry on a number of fronts.

Back to the future as Colorado looks to position itself as an investment hub for cannabis

When Colorado became the first state to implement an adult-us cannabis framework in 2014, out of state investment was restricted. This allowed the state to build upon its existing medical cannabis market.

The understandable caution has since been questioned, however, and a Bill offering more flexibility in investment passed both the Colorado House and Senate in 2018, only for then Gov. Hickenlooper to veto it. In 2019, a replacement Bill was introduced and has recently passed its third reading in the House unamended.

As an established market with mature regulations and market stability, Colorado has low-risk potential when compared to emerging markets in other states – although competition is likely to be strong, with ever-thinning margins as prices continue to drop in the state.

Out-of-state investors exploring options in Colorado may be interested in acquiring social consumption licenses in Denver, or seek opportunities for market expansion in the delivery segment of the market. If passed, HB19-1234 would allow licensed dispensaries to offer these services for the first time.