KPIs for Your Nonprofit Organization

Key Performance Indicators (KPIs) are quantifiable measurements used to track an organization’s performance towards the achievement of its objectives. Commonly used by company executives, boards, and other stakeholders, they can be a valuable tool when understood and used properly in a nonprofit organization.

KPIs may be financial or non-financial metrics. Each can help a nonprofit identify its strengths and weaknesses, and each can also aid in the quintessential process of obtaining grants and other funding. Below are some common financial KPIs relevant to nonprofits:

  • Year-over-year Growth – This is used to compare current financial performance with the financial performance at the same point in time during the previous year. It allows management to evaluate whether the organization’s financial performance is improving, worsening, or staying the same over time. The metric can also help depict cyclical or seasonal trends, which can provide insight for strategic planning initiatives.
  • Fundraising Return on Investment – For fundraising events held throughout the year, tracking the costs associated with holding the event and dividing those costs by the amount of money raised from the event will provide the overall Return on Investment (“ROI”). Tracking this metric for events held annually will allow management to see how the event is contributing towards the organization’s fundraising efforts. It will also help when it comes to making decisions about the future of the event. Was the timing appropriate? Should we consider alternative fundraising events?
  • Donation Growth – Comparing the amount of donations received across a monthly or yearly timeframe will show if donations are increasing or decreasing over time. Looking at this KPI may assist management in strategizing its process for obtaining donations, such as whether or not to, or how to, expand its advertising and marketing reach to help promote the organization and its mission further.
  • Functional Expense Allocations – Grantors are always interested in the percentage of expenses that are going towards “Program Costs” vs. “Management & General”. It is important to track this metric and be able to show that Management & General is run lean and the bulk of the organization’s cost structure is directed towards achieving the organization’s mission statement.

Non-financial KPIs are also important to keep in mind and can sometimes be just as important as the financial metrics in determining the success of a nonprofit. Some common non-financial measures that should be considered include:

  • Retention Rates – Monitoring the retention rates of donors as well as employees or volunteers can serve as a measure of the organization’s ability to carry out its goals and mission, while also providing insight into the culture and work environment of the organization. An organization has to evolve to drive continued interest and investment from its employees, donors, and other stakeholders.
  • Beneficiaries Served – Helpful when applying for grants and future funding, this KPI will show the effectiveness and the outreach the organization has had while carrying out its mission. Are there certain beneficiaries that seem to be the most positively impacted? Is the organization doing everything it can to identify any potential new beneficiaries while still serving its current ones?
  • Social Media Engagement – Similar to retention rates, tracking social media interactions with the organization’s posts such as likes, comments, and shares can help show that the nonprofit is creating positive media buzz and reaching its targeted demographic.

A not-for-profit entity differs from a for-profit organization in that its main focus is not on making money for itself, but rather to carry out its mission for the benefit of others. Incorporating certain KPIs into regularly held performance reviews, board meeting discussions, etc., can assist an executive director in ensuring that their organization remains on track and can continue making a positive impact on the people, organizations, and community around us.

Outsourced Accounting

What exactly can a CPA firm do for our company, besides taxes or audits?

Many know that CPA firms can offer tax services and/or audits and reviews, but what else can CPA firms offer? If you or your business has ever had questions like those listed below, the CPAs at our firm, Dansa D’Arata Soucia LLP, can help.

“We’re looking to streamline our financial operations to maximize our current resources, but want to ensure we’re doing so at an affordable cost…”

“We’re at square one from an accounting and finance perspective. Our product has great potential and is garnering a lot of investor interest, but we haven’t focused our efforts to date on accounting and finance…”

“We’re not satisfied with the accuracy and professionalism of our financial reporting. We need a more cost-effective option than hiring a full team of in-house accountants and controllers…”

“I’m not sure how much finance and accounting staff we need. Is there someone that can help provide that insight and provide finance and accounting services until we hire those resources?”

At DDS, we have a team of CPAs that provide outsourced accounting services, offering you cost-effective solutions without compromising on quality or expertise. Here’s how we can help you answer the questions above and many others:

Outsourced Bookkeeping

Our team of skilled bookkeepers will handle your day-to-day financial tasks, ensuring accurate and up-to-date recording of transactions, reconciliations, and financial reporting. By leveraging our expertise, you can focus on your core business activities, confident in the knowledge that your financial records are being managed meticulously.

Outsourced Controller

Our experienced controllers provide a higher level of financial oversight, bridging the gap between bookkeeping and strategic decision-making. From financial statement analysis and budgeting to internal control implementation and management, our controllers bring valuable insights to optimize your financial operations and support your growth trajectory. Our outsourced controller services can turn your basic bookkeeping into usable monthly management reports, focusing on and highlighting KPIs such as cash burn, MRR, Customer Churn Rate, etc.

Outsourced CFO

Accessing the expertise of a Chief Financial Officer (CFO) can be a game-changer for small and mid-size businesses. Our outsourced CFO services enable you to tap into the strategic guidance of seasoned financial leaders who understand the intricacies of your industry. Whether it’s financial planning, raising money, pricing strategies, or mergers and acquisitions, our outsourced CFOs act as your trusted advisors, empowering you to make informed and impactful business decisions.

Contact Us

At DDS, we spend the time up-front (no cost) to get to know and understand your unique business challenges. We tailor our accounting services to make sure those challenges are met head on. We always “measure twice, cut once,” so that you get the exact level of service that makes the most sense for your business.

SOC for Cybersecurity

What is it?

Similar to a System and Organization Controls (SOC) 2 examination, SOC for Cybersecurity focuses on an organization’s cybersecurity risk management program. SOC for Cybersecurity differs from SOC 2 in that it is intended for any type of enterprise, not just service organizations.

SOC for Cybersecurity affords a company the opportunity to provide its partners (e.g., customers, stakeholders) assurance that it is committed to cybersecurity best practices.

How an auditor will evaluate an organization’s SOC for Cybersecurity report:

There are two sets of criteria used by the auditor: description criteria and control criteria.

Description criteria – The organization provides a narrative describing its cybersecurity risk management program. There are several requirements, or criteria, for this description, as established by the AICPA Description Criteria for Management’s Description of the Entity’s Cybersecurity Risk Management Program:

  • Nature of business and operations
  • Nature of information at risk
  • Cybersecurity risk management program objectives (cybersecurity objectives)
  • Factors that have a significant effect on inherent cybersecurity risks
  • Cybersecurity risk governance structure
  • Cybersecurity risk assessment process
  • Cybersecurity communications and the quality of cybersecurity information
  • Monitoring of the cybersecurity risk management program
  • Cybersecurity control processes

Control criteria – The baseline for the company’s system of internal control is up to management. Typically, management will adopt a framework for risk management (e.g., NIST CSF, ISO 27001:2022) and implement related control activities to mitigate cyber risk. The auditor will evaluate the system of controls based on the framework selected.

Advantages of obtaining a SOC for Cybersecurity report:

  • Internally, completing a SOC for Cybersecurity examination will help everyone on your team understand what you’re doing well and what you may be able to improve upon with respect to cybersecurity.
  • You’re provided an objective opinion from an independent source that your cybersecurity risk management program is strong. Sharing this report with interested parties should provide a high level of assurance that your organization can be trusted with sensitive information.
  • Competitive advantage over your competitors. SOC for Cybersecurity is a relatively new type of examination, and it’s likely most of your competitors have not been through anything like it. The landscape of cybersecurity, and the related demands, is changing every day; being early will be nothing but helpful as you try to win deals.

Cost

The cost of one of these examinations depends on several factors, most importantly the scope (e.g., organizational size and complexity, complexity of the control activities) and the period covered by the auditor’s opinion.

Companies have the option of engaging the auditor to either:

  • Evaluate the design of their cybersecurity program at a specific point in time (e.g., as of December 31, 20XX), or
  • Evaluate the design and operating effectiveness of the controls in the cybersecurity program over a specified period of time (e.g., January 1, 20XX to December 31, 20XX).

The latter provides a higher level of assurance to report users that not only do you have well designed procedures implemented but also that they have functioned as intended over a period of time. These types of reports are more costly due to a higher level of involvement from the auditor.

Summary

SOC for Cybersecurity is for all companies offering a service or selling a product, for-profit and non-profit. It’s a fantastic way to demonstrate your commitment to cybersecurity to your customers and stakeholders, and may help close deals that involve sharing sensitive information.

These reports are also a great tool for ongoing management of your cybersecurity program. An external assessment may uncover gaps or weaknesses in your system of controls that may otherwise have gone unnoticed.

If you would like to learn more about SOC for Cybersecurity, or discuss other types of assessments that may be beneficial to your organization, please do not hesitate to reach out to our team.

My Internship Experience at DDS

At Dansa D’Arata Soucia LLP (“DDS”), my internship experience has benefited both my professional accounting career and personal growth. Working alongside outstanding professionals, I have been able to learn new skills as well as continue to apply what I have learned in the classroom to real-world scenarios.

Everyone at DDS has been encouraging and eager to help my development. There has never been a time where I did not feel comfortable asking a question. The culture within the office is remarkable and it truly feels like a second family as everyone is close-knit, pleasant, and easy to talk to. I am currently interning in the Audit & Assurance Department. Right from the beginning, I was entrusted with client assignments. I’ve received continuous training as I work through my tasks. I hear feedback after every review from the senior or the manager on the engagement team. For me, this is a very effective training style rather than reviewing work from prior years because I got to learn as I went through the actual process and timeline of an audit. Being able to do hands-on work and learn the firm’s programs has enhanced my accounting knowledge on information systems and also my ability to see, learn, and understand the audit programs and testing procedures.

Within the firm there are many opportunities to gain experience and find your niche as you grow. Not only am I responsible for audit work, but I’ve also been given certain tasks within the firm’s Information Security Compliance department to broaden my experience and learn multiple career pathways within professional accounting. SOC reporting is a special niche here at DDS, and to have the opportunity to expand my knowledge of cybersecurity has been remarkably interesting. In today’s world, information security is becoming increasingly important, and to see it applied from the classroom to real-world scenarios has been exceptionally beneficial.

DDS has been very flexible, patient, and understanding as far as planning hours. The firm has expressed that I can work when I want/can during the week around my school schedule, and if I ever need to take a week or two off for exam week, I am able to. This was greatly appreciated and proves that the firm prioritizes education. It’s evident that DDS wishes to see its interns flourish in both school and the workplace.

Interested in joining the DDS team? Check out our internship opportunities!

Business Valuations

Whether you’re thinking of selling your business, looking for new investors, or dividing assets during divorce, there may come a time where you need to evaluate the economic worth of your business. Determining the value of a business isn’t simple, which is why many business owners decide to work with experienced professionals to receive a detailed, unbiased evaluation of their business. Regardless, if you need to determine the value of your business, it’s important to understand how this process works. The article below discusses three common valuation methodologies and useful tools to aid in your evaluation.

The Income Approach

The income approach estimates the future income to calculate the present value of a business. There are two methods when using the income approach: capitalization of earnings and discounting of cash flow. The capitalization of earnings method is used for companies with steady earnings and slow stable growth. The discounting of cash flow method is used for companies with future earnings that are expected to fluctuate or already have fluctuated in past years. When using this method, the valuator discounts the value of the business based on the potential risks to a new buyer.

The Asset Approach

The asset approach focuses on recognizing the difference between the fair market value of the assets and liabilities of the business. This approach is often used when the assets of the business exceed the values projected by the income or the market approaches. This approach is best suited for companies that are struggling to earn profits and/or companies that own a large amount of assets.

The Market Approach

The market approach is best suited for companies that are expected to be sold within the year or are a part of a larger franchise. The valuator analyzes the business and then searches for comparable companies that have been sold recently. In order for this approach to be successful, the valuator must be able to locate recent sales of companies from within the same industry with similar earnings within the same geographic region. This approach is not often used due to the difficulty of establishing comparable sales.

Business Reference Guide

The Business Reference Guide is an invaluable tool for any professional in the business transaction or valuation profession. A new edition of this book comes out every year in order to provide up-to-date information for business pricing. The guide is developed by industry experts who accumulate data on recent sales in order to create the “rules of thumb.” These approximation guidelines are useful in determining a rough estimate of value or assisting the valuator in determining which business valuation approaches are most appropriate.

Contact Us

Valuations are not “one-size-fits-all,” and it takes a skilled valuation expert to determine the appropriate methodology. Our team of business valuation experts has decades of experience in a wide variety of industries and understands the different market risks to consider when valuing your business or a target business.

Contact Susan Grzybowski, CVA, Manager of Litigation and Valuation Services, to learn more about business valuation.

Considerations When Utilizing Generative AI

Generative AI tools have become the shiny new toy, and perhaps rightfully so. There are various ways teams and organizations may utilize them to help scale and drive business, but the one I see most often is as an “assistant” of sorts for Sales and DevOps.

For example, these tools may provide immense relief to these teams when it comes to administrative tasks and allow team members to focus on customer interactions and product value. In doing so, individuals may be tempted to share personal and/or company proprietary information with the tool. We recommend organizations consider the following concepts to mitigate the assumed risks of using these tools.

Restrictions When Using Publicly Available Tools

Establish guidelines for employees/contractors that wish to use publicly available tools.

  • Prohibit the use of customer PII or other confidential information
  • Tie to other policies (e.g., data classification and definitions of “PII” and “confidential information”) to make communication consistent
  • Prohibit the use of organizational data (e.g., product information, personnel)
  • Prohibit the use of proprietary/confidential data sourced from other third parties
  • If an available option, opt out of allowing the tool to train using the information provided

Contractual Agreements

Establish commercial relationships with tool vendors prior to use. Both sides agree on the service level commitments made, and there is (hopefully) an emphasis on the security and confidentiality of the data/information shared with the tool.

AI Vendor Procurement Process

Explicitly require approval of a generative AI tool prior to integrating it with your system(s). This does not have to be a standalone policy and can be included in your Vendor/Third-Party management policy.

This may already be part of your vendor management program, but it’s also wise to classify the tools (if using multiple) by their allowed use cases:

  • Unrestricted – may be used freely
  • Restricted – may only be used in specific circumstances (define use cases as specifically as you can)
  • Prohibited – the drawback of maintaining a prohibited list is that it may become cumbersome to maintain and may create more questions as more and more tools become available

Security Awareness Training

Hopefully security awareness training is already part of your cybersecurity program. If you’ve ever helped construct a security awareness training exercise, you are aware that much of the information is also found in company policies. As noted previously, your organization should establish policy and procedure with respect to AI, but also be sure to communicate this to your employees and contractors. We suggest adding training regarding AI tooling to your current program that includes, but is not limited to:

  1. Background – what generative AI/LLMs are and how they work
  2. Vendors – what tools are allowed and which are not
  3. Risks – how the tools may be used in your organization and what types of data may be input

Disclaimer

If you’re using AI to generate responses to inquiries or any other type of output, it’s wise to add a disclaimer to the communication. This lets the reader know the response was generated by using AI and that there is some responsibility on them to proof, review, and/or edit before they use it themselves.

Technical Considerations

  1. If submitting source code to AI tools, ensure the information will not be stored and/or used for training purposes
  2. Be careful not to include code samples that mimic or reflect your organization’s proprietary information
  3. Engineering teams should conduct input validation testing before release to a production environment in an effort to mitigate the risk of prompt injection
  4. Monitor/audit – identify and authenticate users of the service to prevent malicious accounts from gaining access

These recommended considerations are not exhaustive. Organizations should perform their own risk assessment with respect to the AI tools actually used and implement appropriate control activities to mitigate the risks to acceptable levels.

ISO 27001: Understanding the Standard

What is ISO 27001?

ISO 27001 is an internationally recognized standard for establishing, implementing, maintaining, and continually improving an information security management system (ISMS).

Elements of the Standard

The ISO 27001 standard consists of 11 clauses (0 to 10) and includes a catalogue of 93 proposed controls within its Annex A. Clauses 0-3 introduce the ISO 27001 standard by specifying the scope, normative references, and terms and definitions. Clauses 4-10 make up the core of the ISO 27001 standard. These mandatory clauses establish the management system necessary to implement and maintain effective information security.

Clause 4 – Context of the Organization

Requires that the organization evaluates and accounts for all internal and external issues that may be relevant to its business purpose and could affect the implementation of an ISMS.

Clause 5 – Leadership

Requires that the organization’s top management demonstrate leadership and commitment to the establishment, implementation, maintenance, and improvement of the ISMS.

Clause 6 – Planning

Requires that the organization take actions to address risks and clarify the information security objectives.

Clause 7 – Support

Requires the organization to determine and provide the necessary resources to ensure an adequate level of information security competence and awareness.

Clause 8 – Operation

Requires the organization to plan, implement, and control the processes to meet the information security requirements and to implement the actions determined by the risk treatment plan.

Clause 9 – Performance Evaluation

Requires the organization to monitor, measure, analyze, and evaluate the ISMS to ensure its effective performance. This clause requires an internal audit and management review of the ISMS.

Clause 10 – Improvement

Requires the organization to develop a process to continually improve the suitability, adequacy, and effectiveness of the ISMS.

Annex A

Annex A is a catalogue of 93 security controls, divided over four chapters: Organizational, People, Physical, and Technological. Organizations are not required to implement all Annex A controls. An organization may choose to implement custom controls or controls from a different control set (for example, NIST, PCI DSS, or ISO 27701). Selection of Annex A controls, indicated in the Statement of Applicability (discussed in the Implementation section), depends on the organization’s risk assessment, risk treatment, and specific needs. Look to ISO 27002 for further detail on the Annex A controls, as well as implementation guidance.

What is an ISMS?

An ISMS is a collection of documented policies, processes, procedures, and supporting records for systematically managing an organization’s information security. The ISMS preserves the confidentiality, integrity, and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed. An ISMS addresses information security from a holistic perspective. It provides an assessment of risks, a treatment plan to mitigate risks, a plan of action in case a security breach occurs, and assignment of responsibilities to competent individuals. An integrated ISMS enables organization personnel to readily understand information security risks and embrace controls as part of their daily workplace practices.

Objectives of an ISMS

  • Identify risks faced by the information assets
  • Provide safeguards to protect the confidentiality, integrity, and availability of assets
  • Document the information security processes
  • Assign responsibilities to relevant roles

Benefits of ISO 27001

The ISO 27001 Process

1. Appoint an ISO 27001 team

The organization should assemble a team responsible for the ISMS implementation to drive the project and keep it on course.

2. Plan the ISMS

The scope of the ISMS shall be defined and documented. The organization’s information security objectives should be established. A thorough and accurate inventory of all assets within the scope is to be created.

3. Plan and conduct a risk assessment

The organization shall outline its risk assessment methodology then execute the plan. The resulting risk assessment report is a central component of an organization’s ISMS.

4. Write the Statement of Applicability

The Statement of Applicability is the main link between risk assessment and risk treatment in an organization. The Statement of Applicability details the organization’s applicable controls. The document justifies the organization’s choice of including or excluding Annex A controls.

5. Implement a risk treatment plan

Create and implement a risk treatment plan to control the risks identified during the risk assessment. An action plan should be implemented to address risks requiring modification.

6. Build and operate the ISMS

Document and implement all policies, processes, and procedures. The organization shall monitor its ISMS for maintenance and continual improvement.

Internal Audit

Clause 9 of the ISO 27001 standard requires that the organization conduct internal audits of its ISMS to ensure that it is adequately implemented and related control activities are operating effectively. Internal audits must take place at least annually. Internal audit activities must be performed by objective auditors who are independent of the organization’s management.

Dansa D’Arata Soucia (“DDS”) has developed an internal audit program which includes the testing of the ISMS to meet Clauses 4-10, the applicable Annex A controls identified within the Statement of Applicability, and any custom controls.

Certification Audit

The initial certification audit is conducted in two stages. Stage 1 consists of a document review to verify the organization has the required documentation for an operational ISMS. There is a corrective action period between the two stages to allow for the organization to take any corrective actions arising from the Stage 1 audit. Stage 2 is an evidential audit to verify the organization’s ISMS was properly established and implemented and is functioning appropriately. An ISO 27001 certification is valid for 3 years.

Surveillance Audit

Now that you have your certification, you must work to maintain your ISMS. ISO requires a surveillance audit to take place annually during the two calendar years following certification. Each surveillance audit helps the organization get ready for its recertification audit, which takes place at the end of each 3-year cycle. The surveillance audit focuses on key ISMS processes such as management review, corrective action, internal audit, and the implementation of recommendations provided by the organization’s internal auditors.

Looking to take the next step?

For organizations seeking to implement an ISMS in hopes of becoming ISO 27001 certified, DDS can help!

Clause 9 of the ISO 27001 standard requires an organization to have an internal audit of its ISMS performed at least annually. The standard requires the organization to select auditors and conduct audits that ensure objectivity and impartiality of the audit process, meaning it should not be performed by someone internal to the organization who is involved in designing, implementing, and maintaining the ISMS. This is difficult for most small to medium sized organizations that do not have a distinct internal audit department. DDS can cost-effectively perform the internal audit function to prepare your organization for your ISO 27001 certification audit and to meet the annual internal audit requirements described in Clause 9.

During the internal audit DDS focuses on evaluating your organization’s current ISMS against the ISO 27001 requirements. Our internal audit process aims to be as minimally invasive as possible, while still achieving a value-add list of recommendations that will satisfy the needs of your certifying auditors. We provide a detailed assessment of your compliance, including any gaps, possible nonconformities, as well as opportunities for improvement. DDS has consulted with various certifying auditors to ensure that our internal audit program and reporting methodology are aligned with expectations and give your organization the intended result.

Reach out to us today to discuss your path to ISO 27001 compliance!

Considerations When Selecting Your SOC 2 Auditor

What is SOC 2?

System and Organization Controls (SOC) 2 is a framework developed by the American Institute of CPAs (AICPA) in 2011 under the AICPA’s Standards for Attestation Engagements (SSAE). It gives independent CPAs a framework in which to report on a company’s internal control design and the operating effectiveness of its controls over data security, system availability, confidentiality, processing integrity, and/or privacy. Service organizations that handle, process, and store customer data are the prime candidates to engage in a SOC 2 examination. Boiling it down, a SOC 2 report will help you answer, and give independent third-party verification to, the following question: “How can we trust that you will protect our sensitive data and meet the service commitments that you are promising to us?” Not to mention, the completed SOC 2 examination should drastically cut down the number of pesky security questionnaires you are being asked to respond to!

Considerations when selecting your SOC 2 auditor

1. Experience

You will want to work with an experienced firm that has “seen it all.” Experienced firms and auditors will be able to guide you through the process, clearly outlining what you can expect before, during, and after the SOC 2 examination. DDS completes hundreds of SOC 2 examinations each year and is prepared to guide you through this process, from initial project scoping, to clearly articulating expectations. We want to feel like an extension of your team.

An experienced auditor understands that communication is key. DDS will never leave you wondering where your engagement stands, or how control testing is progressing. We want to build your confidence and remove surprises.

2. Traditional vs. GRC

Over the past few years there have been several Governance, Risk, and Compliance (GRC) tools built to help with SOC 2 readiness and control evidence automation. If using a GRC tool (e.g., Vanta, Drata, TrustCloud, StrikeGraph), you will want your auditor to have experience working with the GRC tool. There are major efficiencies to be gained, but the auditor must know the capabilities and/or limitations of the tool in order to pass along the best cost-benefit to you. DDS has worked through hundreds of engagements using many of the leading GRC tools on the market.

Alternatively, you may decide that a GRC tool is not for you. Maybe you have the in-house expertise to prepare for the SOC 2 and aren’t worried about the more manual evidence gathering. You will want an audit firm that is comfortable with requesting and evaluating manual evidence. While most DDS clients these days are utilizing GRC tools, we have plenty of experience with rolling up our sleeves and doing this the old-fashioned way!

3. Customer Base

Are you a start-up or early-stage company? You will want your audit firm to have experience working with smaller, nimble teams. Certain control recommendations do not lend themselves nicely to small teams (think segregation of duties, where a team of three cannot keep developers out of production). In those cases the answer is usually a compensating control, such as mandatory peer review of every change and periodic review of production access and activity logs, and you will want an auditor who has experience guiding smaller clients through those nuances of meeting the SOC 2 control objectives. While DDS has performed SOC 2 work for clients that have over 1,000 employees, the majority of our clients are smaller teams going through SOC 2 for the first time. This is our bread and butter. We take pride in minimizing the stress and providing clarity to these organizations.

4. Communication

You will want to make sure your auditor is available for frequent questions and check-ins. Whether you prefer email, Slack messages, scheduled Zoom calls, or Skype, your auditor should be prepared to communicate with your team in whatever way you are most comfortable.

5. Peer Review

Your auditor should be able to show you their most recent peer review report that covered SOC 2. Firms issuing reports under SSAE standards are expected to be enrolled in the AICPA’s Peer Review Program. During a peer review, an independent CPA reviews both the firm’s system of quality control and a sample of its engagements to make sure those engagements were performed and reported on in conformity with applicable professional standards. In the past couple of years, as market demand for SOC 2 has increased, a number of “pop-up” companies have begun offering SOC 2 services. Evaluating their independence and experience is critical, and one way to do this is to ask to see the firm’s most recently issued peer review report.

6. Independence

CPA firms opining under SSAE standards are required to be independent of their clients, both in fact and in appearance. The users of your SOC 2 report may take exception if there is any indication that your auditor did not meet independence requirements. While DDS tries to be as helpful as possible and to offer as much insight as possible, we do have some limitations. For instance, we cannot write your policies for you or tell you exactly which controls to implement. GRC tools (from which we are independent) help us maintain our independence by being the unrelated entity that assists with policy creation and control recommendations.

7. Timeline/Deadline

When having discussions with potential auditors, make sure that timeline expectations are clearly communicated and attainable. Ask about the auditor’s process so you can confirm that it is compatible with your schedule, and communicate any deadlines you have for your SOC 2 report (a customer contract date, a procurement review) to your auditor up front.

The process of selecting your auditor

You will want to start by having a conversation with all of the audit firms you are interested in. This is your opportunity to ask questions based on the points outlined above to help you determine which firm will be a good fit.

Once you have narrowed down your selection of firms, you may want to vet their reputation. You can do this by asking the firms to provide you with a few references of past clients to reach out to and ask them about their experience.

Looking to take the next steps?

For organizations seeking to undergo a SOC 2 examination, DDS can help! Please reach out to us to discuss any questions you may have and learn about why hundreds of organizations have engaged with us for their SOC 2 attestations.

Reach out to us today utilizing the contact information below to discuss your path to SOC 2!

SOC Reporting: How Often Should You Have a Report Issued?

Timing of your next SOC

Your auditor just sent you your first official SOC report and you can finally satisfy that one (or several) customer request to see it. What now? Below are a few common questions we have received when discussing the timing and cadence of SOC compliance.

Does my SOC report expire?

Technically, no. A SOC report is not a traditional certification but an attestation, and the auditor’s report does not expire. However, the auditor’s opinion only covers the period (or, for a Type 1, the point in time) stated in the report, and the user of the report may determine that the period covered is no longer relevant. SOC reports are often considered stale or irrelevant by users after 12 months, so a vendor management team evaluating your report will typically check the report date and period first, then the criteria in scope and any exceptions noted in the opinion.

Additionally, when you initially receive your SOC report from your auditor, you are able to register with the AICPA and display the AICPA’s SOC logo on your website and other marketing materials. Per the AICPA’s terms and conditions, a service organization may only display the logo for the 12 months immediately following the date of the auditor’s report.

How often do other organizations go through SOC?

The most common and recommended cadence for SOC is a continuous cycle of compliance. For example, an organization that has never gone through SOC before will likely decide to go through an initial SOC Type 1, followed immediately by a 3- to 6-month SOC Type 2, and then follow that with 12-month Type 2s in perpetuity. Using dates for reference: a SOC Type 1 as of January 1, 20XX; a SOC Type 2 covering January 1, 20XX to June 30, 20XX; then a SOC Type 2 covering July 1, 20XX to June 30, 20XX+1, and so on. Because each period begins the day after the previous one ends, this cadence gives your organization continuous, demonstrable compliance with no uncovered gaps.

While the above sequence is typical, it is not a requirement. We have had clients complete a SOC Type 2 covering 3 months and then come back a year later to do another SOC Type 2 covering 3 months. This may work for your customers, but there are risks to this approach. For instance, a vendor management department would likely be concerned about the nine-month gap in between, during which no independent third party was attesting that your policies were being followed and your controls were operating effectively.

In summary, continuous compliance is the most conservative approach.

Are there any other disadvantages to putting off our next SOC until next year?

Another important consideration is efficiency. Being continuously engaged in an audit builds familiarity for both your team and the audit team. From the auditor’s perspective, this familiarity eliminates many of the questions that would otherwise have to be revisited in order to understand your organization and system. Likewise, your team develops good habits around documenting and providing evidence that supports the functioning of internal control on a regular basis, rather than reconstructing it once a year. These efficiencies directly affect the price of the examination.

What if our organization and/or service has significantly changed since our last SOC report?

This is common for maturing companies and does not need to derail your next examination. The AICPA anticipated this when designing the Description Criteria® and established a specific criterion under which organizations disclose, in their next SOC report, significant changes to the system that occurred during the period covered. This section is a convenient way for users of your report to quickly identify those changes and evaluate how they may affect their own organization (if at all). You do not have to put off a SOC examination because of changes you are experiencing.

The “kiddie tax” hurts families more than ever

Years ago, Congress enacted the “kiddie tax” rules to prevent parents and grandparents in high tax brackets from shifting income (especially from investments) to children in lower tax brackets. And while the tax caused some families pain in the past, it has gotten worse today. That’s because the Tax Cuts and Jobs Act (TCJA) made changes to the kiddie tax by revising the tax rate structure.

History of the tax

The kiddie tax used to apply only to children under age 14 — which provided families with plenty of opportunity to enjoy significant tax savings from income shifting. In 2006, the tax was expanded to children under age 18. And since 2008, the kiddie tax has generally applied to children under age 19 and to full-time students under age 24 (unless the students provide more than half of their own support from earned income).

What about the kiddie tax rate? Before the TCJA, for children subject to the kiddie tax, any unearned income beyond a certain amount was taxed at their parents’ marginal rate (assuming it was higher), rather than their own rate, which was likely lower.

Rate is increased

The TCJA doesn’t further expand who’s subject to the kiddie tax. But it has effectively increased the kiddie tax rate in many cases.

For 2018–2025, a child’s unearned income beyond the threshold ($2,200 for 2019) will be taxed according to the tax brackets used for trusts and estates. For ordinary income (such as interest and short-term capital gains), trusts and estates are taxed at the highest marginal rate of 37% once 2019 taxable income exceeds $12,750. In contrast, for a married couple filing jointly, the highest rate doesn’t kick in until their 2019 taxable income tops $612,350.

Similarly, the 15% long-term capital gains rate begins to take effect at $78,750 for joint filers in 2019 but at only $2,650 for trusts and estates. And the 20% rate kicks in at $488,850 and $12,950, respectively.

That means that, in many cases, children’s unearned income will be taxed at higher rates than their parents’ income. As a result, shifting income to children subject to the kiddie tax not only won’t save tax, it could actually increase a family’s overall tax liability.

Note: For purposes of the kiddie tax, the term “unearned income” refers to income other than wages, salaries and similar amounts. Examples of unearned income include capital gains, dividends and interest. Earned income from a job or self-employment isn’t subject to kiddie tax.

Gold Star families hurt

One unfortunate consequence of the TCJA kiddie tax change is that some children in Gold Star military families, whose parents were killed in the line of duty, are being assessed the kiddie tax on certain survivor benefits from the Defense Department. In some cases, this has more than tripled their tax bills because the law treats their benefits as unearned income. The U.S. Senate has passed a bill that would treat survivor benefits as earned income but a companion bill in the U.S. House of Representatives is currently stalled.

Plan ahead

To avoid inadvertently increasing your family’s taxes, be sure to consider the kiddie tax before transferring income-producing or highly appreciated assets to a child or grandchild who is a minor or college student. If you would like to shift income and you have adult children or grandchildren who are no longer subject to the kiddie tax but are in a lower tax bracket, consider transferring assets to them instead. If your child or grandchild has significant unearned income, contact us to identify possible strategies that will help reduce the kiddie tax for 2019 and later years.

© 2019