Data Breach and Identity Theft Losses

The average cost of a data breach globally in 2023 was $4.5 million, and it is increasing.* Identity theft generally goes hand in hand with breaches. What should you do if you’re hit by either? Take immediate action to close the breach and protect against future attacks. Then, consider how you might deduct your losses.

Under Sec. 165(a) of the tax code, any taxpayer may deduct losses that (1) are incurred in a trade or business (which would include breach and identity theft losses); (2) are incurred in a transaction entered into for profit, other than through a trade or business; or (3) arise from fire, storm, shipwreck, or other casualty, or from theft. Alternatively, businesses may opt to deduct losses under Sec. 162(a) as an “ordinary and necessary” business expense. Individuals may deduct their losses only under Sec. 165(a).

*Cost of Data Breach 2023 Report, IBM

Identity Protection

With identity theft commonplace, it’s important to understand available options to help safeguard your online information.

FRAUD ALERT

This free alert requires companies to contact you to verify that you want new credit before they approve it. You only need to contact one of the three credit reporting agencies to initiate this alert.

CREDIT FREEZE

A credit freeze will prevent anyone, including you, from opening a new account. You’ll need to ask all three major reporting agencies—Equifax, Experian and TransUnion—for the freeze. Victims of identity theft receive this service for free, but each reporting agency can charge $5 or $10 each time you freeze and unfreeze your credit.

CREDIT LOCK

A credit lock is good for people who have experienced identity theft and don’t plan to open new credit in the near future. Generally, this service carries a monthly fee charged by each agency, and the lock ends when your agreement ends or when you unlock it.

How to keep track of small tools and equipment

Whether it’s hard hats and drills on a jobsite, iPads in an office or RFID readers in a warehouse, small tools and equipment have a tendency to disappear at many companies. The cost of lost, damaged and stolen items can quickly add up, consuming profits and cash flow. What can you do to manage these items more effectively and create accountability among workers?

Technology to the rescue

Electronic bar-code technology that’s used to track inventory can also be used to label, coordinate, trace and catalog fixed assets in real time. These systems usually involve bar codes displayed on polyurethane labels on each tool or machine. The labels are designed to hold up under repeated on-the-job wear and tear.

These systems come with handheld devices that you can use to scan the bar codes when assigning tools and accepting returns. Tracking software sends the pertinent information to a database that can also be used for browsing, billing and running reports. In addition, the program records repair histories and maintenance schedules.

The cost of bar-code technology varies, depending on the number of features included in the system configuration. How complex a system you’ll need will depend on the number of items you’re looking to track. But if you’re already using this technology to manage inventory, there may be economies of scale by choosing a system that can handle both types of assets.

Improving efficiency

Bar-code technology also has the power to improve management efficiency. How? You can let employees know that, if the system shows that the tools they’ve checked out haven’t been returned, the employee or the job they’re working on could be charged for the missing item. Thus, employees will more closely monitor and protect these items to avoid paying for lost items or having a project go over budget.

The right system may also reduce your legal liability. In some industries, federal regulations or union rules may require workers to wear safety gear, such as goggles, hard hats and respirators. A formal tracking system allows you to show that you issued employees the proper equipment, which could in turn limit your accident liability.

Creating accountability

To take bar-code tracking to the next level, integrate it into your accounting system. For example, you might assign tools by employee name, job code, project number, date, time, location or other criteria. Then you can generate a report of employees or projects where specific tools are being used.

In turn, you’ll foster an atmosphere of accountability by making managers and employees more responsible for these assets. There’s no better way to drive home a point about wasted assets or money than to sit down with employees and show them, in dollars and cents, how a tool is being misused.

Bottom line

Bar-code technology isn’t new, but it’s become more cost effective and robust. Even if you’ve been working with this technology for several years, it’s time to consider upgrades that you might have missed — or new vendors with tighter security measures or innovative features.

For help evaluating your current system or investing in a new one, contact your CPA. He or she has helped other companies implement this technology and knows industry best practices and potential pitfalls to avoid.

© 2019

The Untouchables: Getting a Handle on Intangibles

The average company’s balance sheet understates its value by 80%, according to Sarah Tomolonius, co-founder of the Sustainability Investment Leadership Council. Why? Intangible assets aren’t recorded on the balance sheet under U.S. Generally Accepted Accounting Principles (GAAP), unless they’re acquired from a third party.

Instead, GAAP generally calls for the costs associated with creating and maintaining these valuable assets to be expensed as they’re incurred — even though they provide future economic benefits.

Eye on intangibles

Many companies rely on intangible assets to generate revenue, and they often contribute significant value to the companies that own them. Examples of identifiable intangibles include:

  • Patents,
  • Brands and trademarks,
  • Customer lists,
  • Proprietary software, and
  • A trained and knowledgeable workforce.

In a business combination, acquired intangible assets are reported at fair value. When a company is purchased, any excess purchase price that isn’t allocated to identifiable tangible and intangible assets and liabilities is allocated to goodwill.

Acquired goodwill and other indefinite-lived intangibles are tested at least annually for impairment under GAAP. But private companies may elect to amortize them over a period not to exceed 10 years. Impairment testing also may be required when a triggering event happens, such as the loss of a major customer or introduction of new technology that makes the company’s offerings obsolete.

Inquiring minds want to know

Investors are interested in the fair value of acquired goodwill because it enables them to see how a business combination fared in the long run. But what about intangibles that are developed in-house?

At a sustainability conference earlier in May, Tomolonius said that businesses are more sustainable when they’re guided by a complete understanding of their assets, both tangible and intangible. Assigning values to internally generated intangibles can be useful in various decision-making scenarios, including obtaining financing, entering into licensing and joint venture arrangements, negotiating mergers and acquisitions, and settling shareholder disputes.

Calls for change

For more than a decade, there have been calls for accounting reforms related to intangible assets, with claims that internally generated intangibles are the new drivers of economic activity and should be reflected in balance sheets. Proponents of changing the rules argue that keeping these assets off the balance sheet forces investors to rely more on nonfinancial tools to assess a company’s value and sustainability.

It’s unlikely that the accounting rules for reporting internally generated intangibles will change anytime soon, however. In a quarterly report released in August, Financial Accounting Standards Board (FASB) member Gary Buesser pointed to challenges the issue would pose, including the difficulty of recognizing and measuring the assets, costs to companies, and limited usefulness of the resulting information to investors. Buesser explained that “the information would be highly subjective, require forward looking estimates, and would probably not be comparable across companies.”

Want to learn more about your “untouchable” intangible assets? We can help you identify them and estimate their value, using objective, market-based appraisal techniques. Contact us for more information.

© 2019

Audits Home in on Cybersecurity

In 2018, U.S. organizations that suffered a data breach lost an average of $7.91 million as a result. That’s the highest average organizational cost of all the countries and regions covered in the 2018 Cost of a Data Breach Study by IBM and independent research firm Ponemon Institute. Malicious or criminal attacks were the source of more than half of those breaches, rather than system glitches and human errors.

With so much at stake, it’s no surprise that auditors consider these issues when conducting their audit risk assessments. This audit season, prepare to answer questions about cybersecurity and the effectiveness of your company’s internal controls against cyberthreats.

Inspections of public companies

In recent years, Public Company Accounting Oversight Board (PCAOB) inspectors have interviewed auditors of companies that have experienced a breach of their computer systems to find out how the auditors and their firms responded to the incidents. They report that auditors today are increasingly focused on matters related to cybersecurity.

Audit firms have provided varying levels of guidance, both when assessing risk at the start of an engagement and when uncovering a cybersecurity incident that occurred during audit fieldwork or the period under audit.

“Many of the firms are actually factoring cybersecurity issues into their risk assessment at this point in time, and there is a real focus on developing real understanding about cybersecurity incidents,” reported William Powers, deputy director for technology in the PCAOB’s Division of Registration and Inspections.

Audit inquiries

Possible questions that auditors might ask during fieldwork include:

  • How does management identify and prioritize cyberrisks?
  • What kind of internal controls has management established to safeguard digital assets and sensitive data (such as formal policies and procedures, employee training and the use of security analytics)?
  • How does management monitor internal controls to ensure effective operation?
  • Does management have a detailed breach response plan?
  • If a breach occurred during the accounting period, how did management respond and how much did it cost?
  • Has the company purchased cyber liability and breach response insurance?

The PCAOB hasn’t yet found any material misstatements on a public company’s financial statements as a result of a cybersecurity breach. But there’s a risk that future attacks may affect financial reporting. So, the PCAOB is planning to expand its inspection program to explore what auditors are doing to protect clients’ data and stakeholder data.

Universal risk factor

PCAOB inspectors target audits of public companies. But private companies can also be victims of cyberattacks — and the effects may be even more devastating for companies with fewer resources to absorb the losses and assign dedicated staff to respond to breaches.

The increasing frequency and severity of cyberattacks underscore the need for auditors of entities of all sizes to update their procedures. It’s our job to ask key questions about cyberrisks and the effectiveness of your internal controls. The answers, in turn, can help you formulate more effective governance strategies.

© 2019

Businesses Aren’t Immune to Tax Identity Theft

Tax identity theft may seem like a problem only for individual taxpayers. But, according to the IRS, businesses are increasingly becoming victims as well. And identity thieves have become more sophisticated, knowing filing practices, the tax code and the best ways to get valuable data.

How it works

In tax identity theft, a taxpayer’s identifying information (such as Social Security number) is used to fraudulently obtain a refund or commit other crimes. Business tax identity theft occurs when a criminal uses the identifying information of a business to obtain tax benefits or to enable individual tax identity theft schemes.

For example, a thief could use an Employer Identification Number (EIN) to file a fraudulent business tax return and claim a refund. Or a fraudster may report income and withholding for fake employees on false W-2 forms. Then, he or she can file fraudulent individual tax returns for these “employees” to claim refunds.

The consequences can include significant dollar amounts, lost time sorting out the mess and damage to your reputation.

Red flags

There are some red flags that indicate possible tax identity theft. For example, your business’s identity may have been compromised if:

  • Your business doesn’t receive expected or routine mailings from the IRS,
  • You receive an IRS notice that doesn’t relate to anything your business submitted, that’s about fictitious employees or that’s related to a defunct, closed or dormant business after all account balances have been paid,
  • The IRS rejects an e-filed return or an extension-to-file request, saying it already has a return with that identification number — or the IRS accepts it as an amended return,
  • You receive an IRS letter stating that more than one tax return has been filed in your business’s name, or
  • You receive a notice from the IRS that you have a balance due when you haven’t yet filed a return.

Keep in mind, though, that some of these could be the result of a simple error, such as an inadvertent transposition of numbers. Nevertheless, you should contact the IRS immediately if you receive any notices or letters from the agency that you believe might indicate that someone has fraudulently used your Employer Identification Number.

Prevention tips

Businesses should take steps such as the following to protect their own information as well as that of their employees:

  • Provide training to accounting, human resources and other employees to educate them on the latest tax fraud schemes and how to spot phishing emails.
  • Use secure methods to send W-2 forms to employees.
  • Implement risk management strategies designed to flag suspicious communications.

Of course, identity theft can go beyond tax identity theft, so be sure to have a comprehensive plan in place to protect the data of your business, your employees and your customers. If you’re concerned your business has become a victim, or you have questions about prevention, please contact us.

© 2018