
Taxation | ERC eligibility and brokers: Caught Between a Rock and a Hard Place

Employers can be confused when tax professionals and opportunistic brokers offer conflicting advice on the Employee Retention Credit (ERC).

The Employee Retention Credit, since its introduction under the CARES Act in March 2020, has significantly impacted many for-profit and not-for-profit employers, both large and small. While the ERC got off to a slow start (most employers opted instead for a Paycheck Protection Program (PPP) loan), the enhancements of the ERC under “CARES 2” in December 2020 made the credit available to employers even if they obtained a PPP loan (although the same wages could not be used for both the ERC and the PPP). The floodgates opened as employers wanted to learn how the ERC worked and whether they would be eligible for this incentive.

By Jim Brandenburg

Opportunistic ERC brokers sprang up, as employers searched for direction on the specifics of the ERC, seeking to aid employers in obtaining a refund. Some of these brokers were professional and diligent in following IRS guidance to assist employers; others, however, were not. Many brokers were aggressive in their search for business owners and pushed the envelope in their interpretations of the IRS’s ERC guidance. ERC brokers also received a percentage — often 15% to 35% — of an employer’s ERC refund.

As ERC brokers increased their outreach to businesses last year, the IRS began cautioning employers about aggressive brokers contacting unsuspecting taxpayers — many of whom did not qualify for the ERC. The IRS warnings regarding the ERC expanded this year as the agency added abuse of the ERC to its “Dirty Dozen” list of tax scams and recently issued the following alerts:

• IRS warning on ERC mills: This IRS warning, issued on March 7, urged taxpayers “to carefully review the [ERC] guidelines before trying to claim the credit as promoters continue pushing ineligible people to file.” This IRS alert also noted that the “IRS and tax professionals continue to see third parties aggressively promoting these ERC schemes on radio and online. These promoters charge large upfront fees or a fee that is contingent on the amount of the refund.”

• IRS alert to tax practitioners regarding professionals not following IRS standards: In this separate alert, the IRS cautioned tax practitioners about their responsibility in ERC situations. The IRS noted that “to fulfill their professional obligations to clients and to tax administration, practitioners (attorneys, CPAs and enrolled agents) must meet the applicable provisions in Circular 230.” A key aspect of Circular 230 involves a practitioner exercising “diligence as to accuracy” (Section 10.22(a)). The IRS notes the following in its alert:

  o If the practitioner cannot reasonably conclude (consistent with the standards discussed in the guidance) that the client is or was eligible to claim the ERC, the practitioner should not prepare an original or amended return that claims or perpetuates a potentially improper credit.

  o Additionally, if a practitioner learns that a current client did not comply with the ERC requirements in a prior tax year, the practitioner must — under Section 10.21 — promptly inform the client of the noncompliance, error or omission and any penalty or penalties that may apply.

Therefore, not only must employers be cautious in pursuing ERC claims, but tax practitioners must also exercise diligence in working with the ERC. They are often caught in the middle as they advise employers about the ERC. For instance, a CPA could perform a thorough assessment that an employer is NOT eligible for the ERC only to have an aggressive broker tell the employer they ARE entitled to a refund. An employer would be confused as to how to proceed, and the CPA would likely be put on the defensive.

Tax practitioners know that sometimes gray areas can occur in dealing with tax issues, but some brokers are aggressively pushing large ERC claims in cases where there is not even a hint of gray. This puts the employers, and in some cases the CPA, in a quandary.

IRS audits of ERC

IRS audits of the ERC have started, sometimes involving an on-site visit by an auditor and/or a correspondence audit. During an examination, the IRS will request documentation from the employer concerning its ERC claim and question whether it complies with IRS guidance. Some disputed cases might eventually find their way into the courts, as legal arguments supporting ERC eligibility due to a full or partial shutdown from a government order will be tested.

If employers have their ERC claims disallowed, they will be forced to pay back the ERC amounts, possibly with interest and penalties. If an ERC claim is disallowed and repayment is required, one challenge for employers that worked with an ERC broker will be to seek a refund of the fees paid. The ability to recover these fees may largely depend on the terms of the contract that was signed.

While unclear now, many practitioners are hopeful that by the end of 2023 they will have a better understanding of the types of ERC claims the IRS disallows.

What advice would a practitioner offer to an employer now regarding ERC?

Be diligent. Encourage employers to compare their situations to the IRS rules on the ERC. Remind employers that a company officer must sign the ERC refund claim on behalf of the employer and, thus, bears the responsibility to be diligent in determining the employer’s ERC eligibility, reviewing the ERC calculations and documenting the ERC support.

If an employer engages a consultant or ERC broker for assistance, they should consider the terms of the contract for payment — for example:

• Will the employer be required to pay the fees before the ERC refunds are received?

• In the event the ERC claim is disallowed in an audit, will the broker or consultant refund fees paid?

Lastly, stress to employers that they understand the net amount they will receive after all fees and additional income taxes on amended tax returns are paid.

Don’t rush. Urge employers not to be in a hurry to file an ERC claim. As noted, they should take their time to be diligent and not feel pressured to file an ERC claim until they are comfortable with it. The statute of limitations does not start until 2024 for ERC claims from 2020 (and 2025 for claims from 2021).

Retain documentation supporting the claim. Inform employers that they should assume the IRS will examine their ERC claims. They should gather and retain all the applicable documentation as they file. If they have already filed a claim, they should go back through the ERC filings and make sure to gather documentation, even if the IRS has not contacted them for an exam. Employers who had a consultant or ERC broker prepare their claims should request all documentation from the broker to retain in their files.

Pay now; refund later. Remind employers that ERC refunds must be included in taxable income for the period the wages generated by the ERC were earned. For example, if an ERC claim was filed in 2022 for the second quarter of 2021, but the employer did not receive their ERC refund until 2023, the business still needs to include the ERC amount in their taxable income for 2021, the year of the claim. Amended income tax returns will likely be needed to include this ERC in taxable income. Thus, employers will need to pay the income tax cost now for the amount of the ERC to be received later — or they will be subject to additional interest.

Carefully weigh eligibility methods. There are two main methods a business or not-for-profit organization can follow to be eligible for the ERC. The first method involves a significant decline in the employer’s gross receipts in a calendar quarter compared to the same quarter in 2019. This is an objective and generally straightforward calculation for ERC eligibility.

The other method involves a full or partial shutdown of the organization due to a government order. The IRS further states the impact to the employer must be “more than nominal” (which the IRS indicates is at least 10%). This is a much more subjective determination, and many ERC brokers present the opportunity to generate refund claims under this method. In some cases, they use aggressive and seemingly unsupportable legal positions to help employers qualify for the ERC. These aggressive positions will likely cause employers to be subject to IRS audits that will consume time and resources, and the ERC may ultimately be disallowed.

Practitioners should directly alert employers who are filing an ERC claim in which they are relying on a government order to proceed with caution. If contemplating this path, some practitioners recommend obtaining a legal opinion from an independent legal counsel that addresses (1) the applicable government orders in 2020 and/or 2021, (2) how these government orders applied to their business and (3) assurance that the order satisfies the IRS guidance issued on government orders. Further, employers should be instructed to quantify how they satisfy the nominal standard of at least 10% and not just provide a narrative.

Consult with advisors. Practitioners should cover the above items with employers and remind them to be diligent in their work, but they should then consider reviewing their ERC claims with outside advisors (who should be independent from an ERC broker) and rely on IRS guidance to justify any ERC. The advisor may also need to obtain a legal opinion on the ERC, as noted above.

Conclusion

The ERC continues to present a significant opportunity for employers. It also poses a critical exposure area for others. Employers should exercise caution, whether they are considering an ERC now or have previously filed an ERC claim. They should always take a close look at their documentation and assume the IRS will likely review it.

Nine crucial cybersecurity strategies for business security

By Scott Hirschfeld

I recently met with the CFO of a distribution company about improving and updating their information technology (IT). As we were talking, he made a statement that expressed a deeper understanding of cybersecurity than I have seen from many leaders. He said that their management team has concluded that of all the risks and factors in business, “Our greatest risk is cybersecurity. If we are hacked or get crypto-locked, this would devastate our business. It represents our greatest risk.”

While this is true for many companies, I rarely hear such strong acknowledgment of the risk we all face. This risk is real and backed up by the cyber events we hear about daily in the news.

According to the respected security vendor Check Point in their 2023 Cybersecurity Report, there has been a significant increase in the number of attacks on cloud-based networks per organization, shooting up by 48% in 2022. Additionally, their report shows that global cyberattacks increased by 38% in 2022 compared to 2021.

Overall, hacking is up. Hackers have grown even bolder. The risk to organizations is higher due to their increased activity. Organizations’ finances, operational interruptions, the turmoil created by extortion demands and reputation damage all are at stake.

Many companies have invested in cybersecurity insurance as these risks have increased. However, the insurance companies have been hit hard by the number of claims they have received, and most now require cybersecurity prevention measures before they will provide coverage. Other insurance companies are simply exiting the cybersecurity market altogether because it has proven to be unprofitable and too risky. As a result, some companies no longer see the value in insurance. There are so many rules and restrictions on coverage that money may be better spent on improving one’s cybersecurity posture.

How can we protect ourselves in such a tumultuous environment? Interestingly, there are fundamental ways to reduce risk and raise your level of protection. Here are nine crucial cybersecurity strategies designed to improve your security stance.

1. Good IT hygiene

Yes, IT hygiene is a thing. A strong password policy is at the top of the list, and surprisingly, this is still an area where some companies cut corners. Another must is a patching system to update your Windows, Apple and other systems automatically. Patching is essential to stay secure. Hackers exploit the unpatched, and their automated tools find the holes. Many other things fall under good IT hygiene, including a backup and recovery solution that meets your recovery time objectives. If you have not recently reviewed these basics with your IT advisor, it may be time to open a conversation.

2. Multifactor authentication (MFA) for critical entry points

MFA is that safety feature we know well from banking, as most banks send a PIN or one-time security code as a secondary method of authenticating. Enabling MFA for email is a standard security practice that prevents phishing that uses web-based email portals. It is also necessary to implement MFA for any remote access. Whether you log in with a VPN or a remote access tool, MFA should be configured — and turned on! In addition to these two entry points, enabling MFA for any administrator-privileged access is also essential and often required by cybersecurity insurance policies.

3. Advanced endpoint protection with a security operations center (SOC)

New protection software has exploded beyond the traditional antivirus software. Solutions include endpoint detection and response (EDR), managed detection and response (MDR) and extended detection and response (XDR). The important thing to look for with these advanced strategies is a solution that does proactive threat-hunting over and above the standard reactive prevention. In addition, it is vital to have a 24/7 SOC in which human eyes are always on critical events.

4. Cloud protection

Ensuring you have the right cloud protection in place is also essential. Many organizations have moved files and folders to the cloud. It is important to not only survey the cloud vendor to see what their protection looks like but also implement strategies of your own that check, scan and watch your cloud data.

5. Log collection and review with security information and event management (SIEM)

Almost every system on your network creates log files: firewall, PC, server, wireless and more. SIEM is a technology that pulls all these logs into one

6. Encryption of data in transit

The most common form of data in transit is email. We all need to occasionally email confidential information, and some of us do it daily. There are a variety of email encryption tools available. The key is to implement the right one for yourself and your organization. Suppose someone intercepts an email with a bank account, Social Security number, passport or health information. This can be incredibly damaging to both the intended recipient and the company sending it. I am amazed at how often I am asked to “just email” business and personal items. Always send it encrypted.

7. Data loss prevention (DLP) and data asset inventory

The issue with protected data is that we don’t often know what we have. Using an advanced tool to do a data asset inventory can be very revealing. These tools often reveal data where it should not be. Once that data is located, with the click of a button it can be automatically encrypted (transparent to the user) and then restricted from upload to various sites like OneDrive, Box or other public file-sharing sites.

8. Zero trust

This relatively new network security strategy installs on a computer or server, learns what is normal and then locks the computer down and does not allow anything other than that baseline. The idea here is: Rather than operating from a perspective of “What should we stop?” the perspective is to disallow everything and instead determine what to allow. This advanced software provides the highest level of security and does it efficiently. It prevents malware and spyware by prohibiting anything that’s not part of the baseline.

9. Penetration testing

Penetration testing is a method of testing that simulates a hacking attack on your network resources.

penetration test is now within reach of many companies that may have chosen not to do it previously.

Sometimes knowing what is next and how to stay protected is overwhelming. And often we don’t think we are really at risk. The reality is that everyone has resources that a hacker will use. It doesn’t matter whether you are a company of five or 50,000. They use automated tools to find your weaknesses and do everything they can to extort and exploit them once they get in.

Your cybersecurity protection need is almost certainly more than you have now, especially if you haven’t reviewed it in the last year. Take time to review your information security strategy and ensure you are keeping up with the current threat landscape.
