Protect yourself: 5 cybersecurity measures you should take now How to report collaborative activities Proposed tax regs to guide deferred compensation arrangements News for Nonprofits
NONPROFIT AGENDAS OCTOBER/NOVEMBER 2017
Sechler CPA, P.C. Carolyn Sechler
carolyn@azcpa.com 921 East Orange Drive, Phoenix, AZ 85014 Tel: 602.230.2700/Fax: 602.230.2705 www.azcpa.com
Protect yourself: 5 cybersecurity measures you should take now
W
But cyber risks are real and can prove costly in terms of both finances and reputation. Fortunately, you can take some proactive steps to reduce your risks without breaking the bank.
The potential costs are high, according to NetDiligence, a cyber risk assessment and data breach services company. Its 2016 Cyber Claims Study, which examined 176 cyber liability insurance claims, found that “Non-Profit” was the fourth most affected sector with 19 claims, more than both “Financial Services” (18 claims) and “Retail” (17). The mean cost of a nonprofit claim was $208,015.
Why your nonprofit is vulnerable
What you can do about it
Cybersecurity isn’t just for the Targets, Home Depots or Citibanks of the world. Nonprofits are increasingly threatened by data breaches, partly because they generally have less sophisticated protections and fewer resources to fight the danger than larger or for-profit organizations. Client records, donor information and credit card data all could be targeted for theft.
To keep a lid on cyber risks, you should consider:
ith so much on their plates, it’s not surprising that cybersecurity isn’t at the top of some nonprofits’ to-do lists.
Cybercriminals might access information by attacking your organization’s servers, of course, but that’s not the only risk. Many not-for-profits outsource services such as bookkeeping, payroll and donation processing to third parties. Your information could be vulnerable if these providers have inadequate data security. And it’s not only cyber attacks that you should worry about. Data also can be exposed if, for example, an employee loses a laptop, smartphone or flash drive containing sensitive information.
2
1. Prioritizing cybersecurity. When data breaches or hacks hit the headlines, they usually involve familiar for-profit companies, so your employees might not worry too much about your not-for-profit’s security. To counter this mindset, management must prioritize cybersecurity and clearly communicate its importance, both internally and externally. A not-for-profit that takes its security seriously is less likely to be targeted. 2. Conducting appropriate training. Demonstrate the importance of cybersecurity by training your employees extensively on their roles in preventing it. Your employees — as well as volunteers and board members who use your computers — need to know about the risks they may encounter: for example, phishing emails with malicious links. They also should be aware of the policies and procedures you’ve created to address those risks.
3. Familiarizing yourself with the law. Federal and state rules and regulations may impose certain cybersecurity obligations on your organization. Hospitals, for example, must comply with the federal Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules and the HITECH Act. Almost every state has a law requiring organizations to notify affected individuals of data breaches involving personally identifiable information. And the Federal Trade Commission’s disposal rule requires proper disposal of information in consumer reports and records to prevent unauthorized access to the information.
What about insurance? A growing number of not-for-profits are looking into data breach insurance (also known as cyber liability or cyber risk insurance) to cover costs not covered under general liability insurance. Cyber insurance usually covers regulatory fines and penalties, lawsuits and response costs (for example, forensic analysis, notification of affected parties and public relations) for data theft or destruction. While the general coverage is similar across policies, some significant differences exist. For instance, policies may or may not allow you to choose your own vendors in the postbreach response process. You also should look at the specifics of the response coverage. Does the policy cover all response costs or only certain costs? A standard policy, for instance, might cover credit monitoring but not identity theft monitoring. Obtaining your preferred response coverage will affect your premiums and sublimits. You should negotiate sublimits for each coverage area, rather than just an overall limit. Your existing security and privacy controls and your revenues also will likely affect premium rates.
4. Performing a risk assessment. A team composed of representatives from across the organization should assess its cyber risks so you can implement appropriate internal controls. A risk assessment typically begins by taking an inventory of systems and data and ranking them by importance and sensitivity. The team can then devise measures to mitigate the various risks, deploying the available resources according to the level of risk. The team also could develop incident response plans so the organization can move quickly in the event of a breach. 5. Upgrading your computers. It’s not unusual for nonprofits to have older computers or software, which are much more vulnerable. The risk is even greater when the manufacturer no longer provides technical support or security updates, as with Microsoft’s Windows XP. The costs of a breach down the road could far outweigh the upfront costs of new hardware and software.
Stay on top of things Technological advances are coming at us fast and furious, and cyber risks are evolving at a similar pace. You can’t afford to ignore technology that might help you accomplish your mission. But you also should take steps to address the associated risks and protect your organization and its stakeholders. n
3
How to report collaborative activities
A
collaborative arrangement may be the simplest relationship between nonprofits for accounting purposes. These are typically contractual agreements in which two or more organizations are active participants in a joint activity. One example would be a private school that’s jointly operated by two religious organizations. Another would be a nonprofit that provides free clothing and operates a shop at the local homeless shelter. The financial reporting rules in these arrangements depend on the type of collaborative relationship the parties enter into.
Reporting costs and revenues In any collaborative arrangement, the not-for-profit considered the “principal” for the arrangement should report costs incurred and revenues generated from transactions with third parties. And those costs and revenues should be reported on a gross basis in that organization’s statement of activities. Generally, the principal is the entity that has control of the goods or services provided in the transaction. But Generally Accepted Accounting Principles (GAAP) should be followed in each particular situation.
The nonprofits should present payments between participants according to their nature, following accounting guidance for the type of revenue or expense the transaction involves. Participants in a collaborative arrangement also are required to make certain disclosures. For example, they must report the nature and purpose of the arrangement and each organization’s rights and obligations.
When two nonprofits form a new legal entity In some circumstances, two organizations may determine that the best route forward is to form a new legal entity. A merger takes place when the boards of directors of both nonprofits cede control to the new entity. The historical values of the assets and liabilities of the organizations are combined, and the accounting policies of the original entities must be brought into conformity for the new entity.
If one nonprofit cedes control to the other Another option is for the board of one organization to cede control of its operations to another entity. An example: One nonprofit allows the other nonprofit to appoint the majority of its board, as part of its decision to engage in cooperative activities. But this must be done without creating a new legal entity. In such a case, an acquisition takes place, with the remaining organization considered the acquirer. The remaining entity must record the acquisition based on the current value of the acquired organization’s assets and liabilities. If there’s an excess of current value over original cost to the organization being acquired, that amount is recorded as a contribution. If the value is lower, the
4
difference is generally recorded as goodwill. But, if the operations of the acquired organization are predominantly supported by contributions and returns on investments, the difference is recorded as a separate charge in the acquirer’s statement of activities. Let’s say your nonprofit assumes control of another entity, and GAAP requires you to consolidate financial statements with the other. You should account for your interest in the other nonprofit and the cooperative activity by applying an acquisition method described in GAAP. If the shoe is on the other foot, and it’s your not-for-profit that cedes control of its operations to another entity, that organization may need to consolidate your organization (including the cooperative activity) starting on the “acquisition” date. If your not-for-profit will present its own separate financial statements, you must determine whether
to establish a new basis for reporting assets and liabilities based on the other entity’s basis.
When the new legal entity houses a joint activity In many cases, a new legal entity is formed only to house the cooperative activity instead of all activities of the organizations that are collaborating. This would be neither a merger nor an acquisition. However, to determine the proper accounting treatment, it’s important to look at which, if any, collaborator has control over the activity.
Seek help Reporting your collaborative activities with other organizations is an important responsibility. Your accountant can help you understand the rules and how to comply with your specific reporting obligations. n
Proposed tax regs to guide deferred compensation arrangements
T
he IRS has delivered its long-promised guidance on deferred compensation plans. Among other things, the proposed regulations on Section 457(f) plans clarify and add to the types of arrangements exempt from some of the negative tax consequences of these types of plans. While they don’t provide a timetable for issuing final regulations, the proposed regulations state that nonprofits can begin relying on them as of the date the regulations were proposed: June 22, 2016.
Section 457(f) plans in a nutshell A Section 457(f) plan is a deferred compensation plan sponsored by a state or local government or tax-exempt entity. The employee’s compensation under such a plan (or the present value of the compensation) is taxed in the year the employee has a legally binding right to the compensation, or vests, even if it isn’t paid until later. While the tax treatment is usually viewed as unfavorable, the plans are nonetheless attractive — because the IRS doesn’t impose limits on compensation amounts.
5
Deferred compensation vests when it’s no longer subject to a “substantial risk of forfeiture.” For example, a bonus won’t yet be vested if there are requirements that the employee work for two additional years or the organization meet a specific goal before the employee has a right to receive the bonus.
Certain deferred compensation arrangements are exempt from Sec. 457(f). Qualified retirement plans — such as defined benefit and 401(k) plans and Sec. 403(b) and Section 457(b) eligible plans — are exempt. Notably, certain deferred compensation arrangements are exempt from Section 457(f). For example, qualified retirement plans — such as defined benefit and 401(k) plans and Section 403(b) and Section 457(b) eligible plans — are exempt. Exemptions also apply to vacation, sick leave, disability pay and death benefit plans.
New and clarified exemptions The proposed regulations add an exemption for short-term deferrals. These arrangements will be exempt from the Section 457(f) rules as long as the amounts are paid by the 15th day of the third calendar month — or about 2.5 months — after either the employer’s or employee’s tax year in which vesting takes place. So, for example, a plan that awards a bonus for performance in Year 1 that is paid on or before the 15th day of the third month of Year 2 is exempt from the 457(f) rules. As a result, the bonus won’t be taxable until Year 2.
6
The regulations clarify the existing exemption for severance pay, too. Under the regulations, exempt severance pay includes only compensation that meets all of the following: u It is paid for an involuntary separation from
service, which includes voluntary separation based on an employer’s action that causes a significant change to the work relationship, such as a reduction in duties, working conditions or pay.
u It is limited to twice the amount of annual
compensation.
u It is paid by the end of the second year after
separation.
In addition, severance pay is exempt if it’s made available only for a limited time (for example, under a “window program” made available to certain employees for a 12-month period) and meets all other requirements.
And that’s not all! The proposed regulations also address the effects of noncompete agreements and employees’ elective compensation deferrals on vesting, as well as how to calculate the amount of compensation includable in gross income. Your CPA can help you abide by regulations to design the deferred compensation plan that’s best suited to your circumstances. n
NEWS FOR NONPROFITS How “techie” are nonprofits? The 2017 Global NGO Online Technology Report includes findings on how nongovernmental organizations (NGOs) use Web and email communications, online and mobile fundraising tools and social media. Among the discoveries: 92% of the NGOs have a website and, among those, 78% are mobile-compatible. Another finding: 67% accept online donations. The report, which surveyed almost 5,000 NGOs in 153 countries, was sponsored by Public Interest Registry (formed to oversee the .org domain), with research performed by Nonprofit Tech for Good (a social and mobile media resource). At techreport.ngo, click on “Past Reports” to reach the link to the report. n
Smaller “Giving Days” show promise Many organizations see a surge in donations on Giving Tuesday every year, but some also are having luck with smaller Giving Days — whether held on their own or in conjunction with other area nonprofits. Earlier this year, the University of California–Santa Cruz raised more than $520,000 with a Giving Day. Also this year, 414 nonprofits participated in the Fairfield County (Conn.) Giving Day, which generated almost $1.5 million. For information on how to hold a Giving Day, check out the Giving Day Playbook from the Knight Foundation — a national foundation focused on journalism, the arts and cities — at givingdayplaybook.org. n
Charity Navigator identifies “most charitable cities” When it comes to charity, not all U.S. cities are equal, according to a study by nonprofit watchdog Charity Navigator. The 2017 Metro Market Study analyzed differences in the financial, accountability and transparency practices of charities in the 30 largest U.S. metro markets. It found that San Diego’s philanthropic community leads the nation in overall financial health and commitment to accountability and transparency, and Houston’s charities raise the most money. The study also revealed that regional factors (such as cost of living) greatly influence the ability of charities to raise money and manage costs. You can see the full results at charitynavigator.org/metro. n
Look at who’s creating AI apps Recode, a technology news website, recently reported that nonprofits — not Silicon Valley — are taking the lead in creating artificial intelligence (AI) applications that can improve the lives of underserved communities. For example, Crisis Text Line has the largest open source database on how youths in crisis behave in the country. Using AI, the organization discovered that the word “ibuprofen” in a text is 16 times more likely to predict the need for emergency aid than the word “suicide.” So, incoming texts that include “ibuprofen” are prioritized in the queue. Other nonprofits are using chatbots, natural-language processing and data mining to better serve their clients. n
This publication is distributed with the understanding that the author, publisher and distributor are not rendering legal, accounting or other professional advice or opinions on specific facts or matters, and, accordingly, assume no liability whatsoever in connection with its use. ©2017 NPAon17
7
The support you need. The service you’re looking for. Succeeding in the not-for-profit sector today requires more than a strong commitment to your mission. It takes shrewd fiscal management, careful regulatory compliance, skillful use of technology and the assistance of advisors who know the issues nonprofit organizations face and how to address them. This is where Sechler CPA comes in. Our team of experienced professionals cherishes the opportunity to support nonprofit organizations, meet their management challenges and fulfill their missions. We offer a variety of specialized accounting, tax and consulting services including:
k Audit intermediary services
k Tax form preparation (990, etc.)
k Budget and policy design
k Strategic and management consulting
k Financial statement preparation
k Speaking on financial literacy and other topics
k Outsourced accounting/bookkeeping
k Technology and virtual system design
RESPONSIVE QUALITY We are committed to providing responsive, personalized service to the highest quality. We take time to truly understand your Organization so that we can customize our recommendations to your specific situation. Our goal is to make your processes easier, streamline your operations and ensure your success in reaching your goals. We welcome the opportunity to discuss your mission and vision so that we may assist you with our expertise. Please call us at 602-230-2700 or e-mail carolyn@azcpa.com and let us know how we may support you. Be sure to visit our website at www.azcpa.com for additional tools and information, as well as our archive of this newsletter.
Sechler CPA, P.C. 921 East Orange Drive Phoenix, AZ 85014 www.azcpa.com