CDP Reporting: The Definitive Guide to Disclosure Windows and Optimization

The era of optional environmental disclosure has ended. Environmental transparency is now a baseline regulatory mandate, integrated into the core financial and operational strategy of every successful business. As global regulations like the CSRD (EU), California’s SB 253 and 261 (USA), and ISSB standards transition from voluntary to mandatory, CDP remains the most reputable standard for harmonizing these complex requirements into a single, actionable disclosure.

The Urgency of Environmental Transparency

We are witnessing a regulatory convergence, with a number of independent frameworks now merging. The International Sustainability Standards Board (ISSB) and the European Sustainability Reporting Standards (ESRS) now share high interoperability with one another and with CDP.

What makes CDP unique is its benchmarking capability. Unlike many regulatory frameworks, where comparing reports requires manual effort, the CDP system allows companies to quickly gauge their performance against industry peers. Additionally, the system can carry over data from previous years into the current cycle.

What is CDP Reporting?

CDP (formerly the Carbon Disclosure Project) is a global non-profit that runs the world’s leading environmental disclosure system. Organizations submit data through standardized annual questionnaires that continue to align with most leading sustainability disclosure frameworks.

Core 2026 Reporting Themes

  • Climate Change: Focuses on carbon footprints and 1.5°C transition plans.
  • Water Security: Addresses water usage and risk mapping.
  • Forests: Covers deforestation and commodity traceability (seeing increased priority in 2026).
  • Plastics: Now a permanent section (introduced in 2025).
  • Oceans: A new theme being introduced for the 2026 cycle to address marine pollution and health.

Mastering the 2026 CDP Reporting Cycle

Timing is everything. Missing the scoring deadline means your data will not be analyzed, leaving you with a “No Score,” which could put you at a competitive disadvantage if you were requested by an investor but failed to respond.

The 2026 Reporting Timeline

Phase | Timing (expected 2026) | Key action
Q1: Prep | Week of April 20 | Question bank and guidance documents released.
Q2: Access | Week of June 15 | Response window opens in the CDP Portal.
Q3: Scoring deadline | Week of September 14 | Critical deadline: submissions must be in to receive a score and benchmark data.
Q4: Final cutoff | Week of October 26 | Deadline for unscored responses and final edits.
Q5: Results | Week of November 30 | Scores are released to companies and stakeholders.

The Step-by-Step CDP Submission Process

Phase 1: Preparation and Onboarding

  • Step 1 – Access the Portal: Confirm whether you are responding to an Investor/Customer Request or as a Self-Selected Company (SSC).
  • Step 2 – Confirm Lead: Designate a Submission Lead. Only this user can press the final “Submit” button.
  • Step 3 – Set Up Questionnaire: Answer the initial “filtering” questions to receive your sector-specific questionnaire.

Pro Tip: Don’t wait for June. Use the guidance released in April to audit your sustainability actions early against the questions you will be asked. If you lack a Climate Transition Plan, start drafting it now.

Phase 2: Data Collection and Completion

  • Step 4 – Define Boundaries: Use the GHG Protocol to set your organizational boundaries (Operational vs. Financial Control).
  • Step 5 – Narrative Drafting: Enter data into the portal. Don’t just provide numbers; explain the why behind your strategy.
  • Step 6 – Verification: Secure Third-Party Assurance for your disclosures. Independent verification is essential for moving past a ‘B’ grade.

Phase 3: Final Submission

  • Step 7 – Pay Fees: Handle administrative fees (varies by region/entity type).
  • Step 8 – The Check: Ensure all “Mandatory” questions are filled.
  • Step 9 – Feedback: Once scores are released (the week of November 30 in the expected timeline, so late November or early December), use the detailed feedback to plan improvements for the 2027 cycle.

Strategies for Optimization: Achieving the ‘A’ List

Understanding the Scoring Maturity

CDP uses a “hurdle” system. For example, you cannot earn a ‘B’ until you meet the criteria for ‘D’ and ‘C’.

  1. Disclosure (D/D-): Is your reporting complete?
  2. Awareness (C/C-): Do you understand your business’s impact?
  3. Management (B/B-): Are you taking active steps (e.g., setting targets, emissions reduction plans)?
  4. Leadership (A/A-): Are you following best practices (e.g., Science-Based Targets, governance, policies, and remuneration)?

Best Practices for the ‘A’ Score

To move your organization from mere disclosure to environmental leadership, focus on these five core pillars, ordered by their impact on your reporting maturity:

Building a Unified Reporting Infrastructure

Reliable reporting demands cross-functional collaboration across all core departments. To secure early buy-in, emphasize that proactive disclosure is both a compliance necessity and a strategic move to protect the business.

Centralizing Data Through Automation

The complexity of modern disclosure demands automation. Dedicated sustainability reporting software gives you a single system of record for environmental data, so figures reported to CDP reconcile with those reported under other frameworks and can be traced back to their source across the organization.

Building Resilience Through Strategic Planning

Stay agile in a shifting market by developing a robust, long-term sustainability strategy. Ensure your reporting details how you manage emerging regulatory risks and market opportunities over time. To make your strategic plan more compelling, include specific evidence of board-level governance, rigorous scenario testing, and aligned financial forecasting.

Data-Driven Accountability

Precision is the foundation of corporate credibility. To ensure your goals are both ambitious and achievable, establish a science-based target validated by the Science Based Targets initiative (SBTi), built on your most recent emissions data. Providing detailed, evidence-led responses demonstrates a commitment to measurable decarbonization rather than high-level aspirations.

Answer All Questions

Thoroughness translates directly to scoring. Aim for 100% completion by explaining your status even in areas where development is ongoing. Transparency regarding ‘in-progress’ tasks is valued by the CDP and investors alike, as it signals active oversight, whereas empty fields suggest a gap in your reporting framework.

The Sensiba Advantage: Bridging the Gap

CDP scoring operates on a ‘hurdle’ basis, meaning you must satisfy the criteria for lower levels before being eligible for the next. Navigating these cumulative requirements is complex, and a technical partner is essential for success. Sensiba’s CDP consulting team streamlines this process by:

  • Gap Analysis: Reviewing prior scores to identify exactly where points were lost.
  • GHG Assurance: Providing the third-party verification required for Leadership-tier scores.
  • Nature Disclosures: As a referral partner for the Science Based Targets Network (SBTN), we help you align with nature-based targets.
  • Strategic Roadmap: Aligning your data with 1.5°C pathways and upcoming TNFD/GRI integrations.

The Foundation of Future Reporting

As we move towards the near-term targets many companies have set for 2030, CDP remains the cornerstone of environmental disclosure. Its alignment with global standards ensures that your response is not just a survey, but a strategic asset for regulatory compliance and investor trust.

Ready to optimize your 2026 disclosure?

Sensiba specializes in GHG Assurance, SBT setting, and CDP gap analysis. We help you move beyond “Disclosure” into “Leadership.” Connect with our sustainability team.

What is NIST?

From the encryption that secures your online purchases to the precise measurements that enable modern manufacturing, one organization quietly underpins the trust and reliability of technology in the United States and globally: The National Institute of Standards and Technology (NIST).

While you may not interact with it daily like the Department of Defense or the FDA, NIST is arguably one of the most critical, yet least understood, non-regulatory federal agencies in the U.S.

The Mission: Defining Standards for the Modern World

NIST is a non-regulatory agency of the U.S. Department of Commerce.

Its official and enduring mission is to: “Promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.”

Founded in 1901 as the National Bureau of Standards (NBS) and renamed NIST in 1988, the agency was established to address a critical problem: the United States lacked a standardized measurement infrastructure comparable to that of its economic rivals. Over a century later, NIST continues this foundational work, evolving to address everything from the atomic clock to the complex world of Artificial Intelligence (AI) safety.

The Three Core Pillars of NIST’s Work

NIST’s broad mandate is executed across three interconnected and essential domains that influence science, commerce, and security:

Measurement Science (Metrology): NIST is the national metrology institute of the United States, tasked with realizing fundamental units of measure (e.g., the volt and the second) and ensuring that measurements made in industry and research are traceable to them. This precision is vital for guaranteeing accuracy in U.S. manufacturing, scientific research, and global trade. Critical infrastructure, including GPS and financial services, relies on the official civilian U.S. time disseminated by NIST from its highly accurate atomic clocks.

Standards (Non-Regulatory Guidelines): This is the area where NIST is most influential. It develops voluntary guidelines, specifications, and best practices. These standards are widely adopted globally because of their scientific rigor and collaborative development, providing a common technical language for entire industries.

Technology & Innovation: NIST conducts cutting-edge research to solve complex national challenges. Its work often precedes industry adoption, providing the foundational science for future markets, particularly in fields such as Quantum Information Science and AI Assurance.

Why NIST Matters: Security and Trust

The work of NIST directly affects your security and the reliability of the products you use every day:

  • Securing Your Data: The Advanced Encryption Standard (AES, specified with 128-, 192- and 256-bit keys), used by banks, VPNs, and secure messaging apps, was selected by NIST through a public competition and published as FIPS 197 in 2001. AES-256 is the variant most often cited, and the standard is the bedrock of modern digital security.
  • Government & Industry Compliance: While NIST standards are voluntary for most of the private sector, they are often mandated for U.S. federal agencies and their contractors. This creates a cascade of security requirements, ensuring a high baseline level of protection for critical government data and supply chains.
  • Reliable Technology: By establishing universal standards, NIST reduces technical barriers, streamlines manufacturing, and allows companies to focus on innovation instead of incompatibility issues.
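The AES bullet above states that NIST standardized the cipher; what that means operationally is that any conforming implementation must reproduce the published test vectors. The following block is an added example, not code from the original page or from NIST: it checks Go's standard-library AES against the AES-256 known-answer vector from FIPS 197 Appendix C.3, then shows the authenticated mode (AES-GCM, NIST SP 800-38D) a practitioner should actually use, including the failure mode where a tampered message is rejected rather than decrypted to garbage. The function names `Seal`, `Open` and `TamperIsDetected`, the demo key and the sample messages are assumptions made for this example; only the FIPS 197 hex values are taken from the standard.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Published AES-256 known-answer vector from FIPS 197 Appendix C.3
// (single raw block; these are the standard's own values, not constructed input).
const (
	fips197Key256     = "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
	fips197Plaintext  = "00112233445566778899aabbccddeeff"
	fips197Ciphertext = "8ea2b7ca516745bfeafc49904b496089"
)

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// AES256KnownAnswerTest encrypts the FIPS 197 plaintext block under the FIPS 197 key
// and reports whether the library output matches the published ciphertext. This is the
// check to run before trusting a library's claim to implement the NIST standard.
func AES256KnownAnswerTest() bool {
	block, err := aes.NewCipher(mustHex(fips197Key256))
	if err != nil {
		return false
	}
	out := make([]byte, aes.BlockSize)
	block.Encrypt(out, mustHex(fips197Plaintext))
	return bytes.Equal(out, mustHex(fips197Ciphertext))
}

// Seal encrypts with AES-256-GCM (NIST SP 800-38D): confidentiality plus an integrity tag
// over the ciphertext and the additional data. Output layout: nonce || ciphertext || tag.
func Seal(key, plaintext, additionalData []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 96-bit nonce; must never repeat under one key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, additionalData), nil
}

// Open reverses Seal and fails closed if the nonce, ciphertext, tag or additional data changed.
func Open(key, sealed, additionalData []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, fmt.Errorf("sealed message too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, additionalData)
}

// TamperIsDetected flips one bit of a sealed message (constructed sample data) and
// reports whether Open rejects it, which is the integrity property GCM adds over raw AES.
func TamperIsDetected(key []byte) bool {
	sealed, err := Seal(key, []byte("wire transfer: 100"), []byte("account=42"))
	if err != nil {
		return false
	}
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // last byte lies in the authentication tag
	_, err = Open(key, tampered, []byte("account=42"))
	return err != nil
}

func main() {
	key := make([]byte, 32) // throwaway demo key; a real key comes from a KDF or key store
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	fmt.Println("FIPS 197 C.3 known-answer test passed:", AES256KnownAnswerTest())
	sealed, _ := Seal(key, []byte("hello"), []byte("hdr"))
	pt, err := Open(key, sealed, []byte("hdr"))
	fmt.Printf("round trip: %q err=%v\n", pt, err)
	fmt.Println("tamper detected:", TamperIsDetected(key))
}
```

The known-answer test exercises only the block cipher; the GCM functions are what application code should call, because raw AES provides no integrity and a repeated nonce under the same key breaks GCM, which is why the nonce is drawn fresh from `crypto/rand` on every `Seal`.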

The Cybersecurity Juggernaut: The NIST CSF 2.0

NIST’s most widespread and globally adopted contribution in the 21st century is the NIST Cybersecurity Framework (CSF). This framework has become the de facto global standard—a comprehensive, flexible, and risk-based guide used by organizations of all sizes to manage and reduce their cyber risk.

The latest version, CSF 2.0 (released in February 2024), expanded the core from five functions to six by adding Govern, emphasizing the essential role of organizational leadership and extending the framework's stated audience beyond critical infrastructure to organizations of every size and sector.

The Six Core Functions of the CSF 2.0

These functions form a continuous, cyclical process to manage risk, ensuring cybersecurity is not just a technical issue, but a core component of enterprise risk management:

Function | Focus | Key role in risk management
1. Govern (new in 2.0) | Top-down strategy | Establishes and monitors the organization’s cybersecurity strategy, policy, and overall risk appetite.
2. Identify | Proactive preparation | Develops an understanding of systems, assets, data, and capabilities to determine associated risks.
3. Protect | Defense implementation | Implements safeguards to ensure the delivery of critical services and limit the impact of potential incidents.
4. Detect | Vigilance | Establishes timely discovery of cybersecurity events and suspicious activity.
5. Respond | Action | Develops and implements activities to contain, mitigate, and communicate during a detected incident.
6. Recover | Resilience | Maintains plans for resilience and restores any impaired capabilities or services back to normal operation.

Specialized Compliance: The SP 800 Series

While CSF is the executive-level roadmap, the NIST Special Publication (SP) 800 Series provides the detailed technical instructions and security control catalogs necessary for deep implementation.

NIST SP 800-53: The Grand Catalog

  • Audience: Primarily U.S. Federal Agencies and organizations operating federal information systems (e.g., government cloud providers).
  • Purpose: Provides a comprehensive catalog of over 1,000 security and privacy controls and control enhancements, organized into families such as Access Control (AC) and Incident Response (IR). It is the detailed “how-to” guide that agencies tailor from the low, moderate, or high baseline matching the system’s FIPS 199 impact level.

NIST SP 800-171: Protecting CUI

  • Audience: Non-Federal Organizations (defense contractors, universities, manufacturers) that process, store, or transmit Controlled Unclassified Information (CUI) on their own systems.
  • Purpose: Defines the security requirements necessary to protect the confidentiality of CUI: 110 requirements in Revision 2, which is the version CMMC Level 2 assesses against, consolidated to 97 in Revision 3 (2024). Compliance with NIST SP 800-171 is often a prerequisite for defense contracts under programs such as the Cybersecurity Maturity Model Certification (CMMC).

Ready to Achieve NIST Compliance?

Understanding NIST is essential, but implementing frameworks like the CSF 2.0 or achieving compliance with standards like SP 800-171 requires specialized expertise, deep technical knowledge, and a structured approach.

Whether your organization needs to:

  • Develop a risk management strategy aligned with the NIST Cybersecurity Framework (CSF).
  • Prepare for CMMC certification based on SP 800-171.
  • Implement the granular security controls detailed in SP 800-53.

Don’t navigate the complexities of federal compliance and advanced security standards alone. Our team of certified NIST professionals and compliance experts is here to guide you through every step, ensuring you meet regulatory requirements and strengthen your overall security posture.

How to Account for Trade Spend

Trade spend is a powerful promotional tool for food and beverage companies that, when managed well, can drive growth, strengthen retail relationships, and boost brand visibility.

But to maximize its benefits, trade spend must be tracked and accounted for carefully. Without proper accounting controls, trade spend can distort financial reporting and hamper cash flow.

What Is Trade Spend?

Trade spend is a collaborative investment between a company and its retail or distribution partners. Depending on the arrangement, this may include discounts, volume rebates, chargebacks, or slotting fees, with each incentive designed to support sales and shelf presence.

For example, a beverage company may offer a rebate to a grocery chain for stocking a new flavor, pay a slotting fee to secure premium shelf space, or offer a chargeback to reimburse a retailer for advertising a product in a weekly circular. A promotional discount might offer retailers $2 off per case during a seasonal push. Volume rebates, such as $0.50 per case after moving 1,000 cases quarterly, can reward retailers for reaching specified sales targets.

For food and beverage companies, trade spend arrangements can help products stand out in crowded categories and encourage retailers to prioritize them. But they require careful tracking to understand performance and maintain profitability.

Trade Spend Benefits

Trade spend can drive measurable results when executed strategically by increasing sales volume and market share by making products more attractive to retailers and consumers.

Strong trade spend programs can also deepen retailer relationships. Partners view collaborative investments as signs of a shared commitment to mutual success.

Accounting Implications

Trade spend creates complex accounting challenges because, in most cases, it reduces revenue rather than adding an expense. The key question is whether a given payment is accounted for as a reduction of revenue or as a marketing expense:

Under the guidance of ASC 606, payments that a company makes to a customer are typically treated as reductions to the transaction price, which reduces the amount of revenue recognized. The main question is whether the payment is in exchange for a distinct good or service:

  • If the payment is for a distinct good or service, and that good or service is transferred to the company, then the payment should be accounted for like a normal purchase (i.e. as an expense).
  • But if the payment does not correspond to a distinct good or service, then the payment must be accounted for as a reduction of revenue (i.e. a “consideration payable to a customer” that lowers the transaction price) under step 3 of the ASC 606 revenue model.

In practice, that means many incentives or payments tied to a sale end up reducing recognized revenue, not being expensed separately. Here are some examples to illustrate the differences:

Revenue Reduction and Consideration Payable: When a “distinct good or service” is not received

  • Slotting allowances or shelf-slotting fees: A manufacturer selling to a large retailer may pay the retailer a fee to secure favorable shelf placement. If that payment is not for a distinct service the manufacturer receives (i.e. they don’t get a separate marketing service in return), then the payment is considered a reduction of revenue rather than a marketing expense.
  • Customer rebates, coupons, or cash-back incentives: If at the time of sale there is a reasonable expectation the customer will receive a rebate or coupon, that expected concession is considered “variable consideration.” According to the standard, it should be estimated and included in the transaction price, resulting in a lower recognized revenue amount.

Expense Treatment: When a “distinct good or service” is received

  • Payment in exchange for a distinct service or good from the customer: An example of this would be when a seller pays a retailer for specific in-store marketing services (such as product display setup, promotional events, etc.) that the retailer provides. If those services are distinct and the seller receives them, then the cost could be treated as a normal marketing or advertising expense (or cost of sales). This would be comparable to purchasing services from a vendor.

Additionally, it can be difficult to estimate and record trade spend properly because it may not be defined clearly in contracts. This can make understanding historical trends essential to estimate the recognition methods outlined above, and is why recognition requires careful judgment that can be subject to heightened scrutiny in an audit.

Financial Statement Disclosures

Food and beverage companies have two primary options for presenting trade spend in financial statements, with each offering different implications for stakeholders.

  • Show gross sales, then subtract trade spend as a line item to arrive at net sales. This approach provides transparency about a company’s promotional activity levels by showing investors its gross pricing power and promotional intensity.
  • Report net sales directly, with trade spend noted in a footnote. This creates cleaner revenue figures but reduces visibility into a company’s promotional strategies.

A company’s choice depends on materiality and stakeholder needs. If trade spend exceeds 10% of gross sales, the gross method often provides better transparency. Companies with robust promotional strategies, such as those in highly competitive categories, often benefit from presenting a comprehensive view of their revenue generation approach.

Either way, consistency matters. Choose a method and stick with it.

Accounts Receivable Impact

Trade spend can influence accounts receivable in subtle but important ways. Rebates and discounts often encourage larger orders, which can increase AR balances. That’s great for volume, but it can also complicate forecasts and performance comparisons by shifting orders into different periods.

Large promotional orders can also shift purchasing patterns between periods. Retailers might pull Q1 purchases forward into Q4 to capture Q4 promotional pricing, creating an artificial Q4 spike that complicates forecasting. This forward-buying behavior can then leave a company with lower-than-expected Q1 reorders.

The cash flow impact can extend beyond collections. Larger orders require increased production and distribution capacity. The company may need additional raw materials, overtime labor, or expanded warehouse space to fulfill promotional demand, creating upfront costs before collecting on higher AR balances.

Documentation Requirements

Proper trade spend accounting requires meticulous documentation. Trade agreements should ideally specify exact terms, including discount percentages, volume thresholds, and performance requirements.

Food and beverage companies should:

  • Maintain promotional calendars that track start and end dates for all programs. This prevents disputes when retailers claim promotional pricing beyond agreed periods. A beverage company might run summer promotions from Memorial Day through Labor Day, requiring clear documentation to avoid extended claims.
  • Track all deductions against original terms. Retailers sometimes take unauthorized deductions or miscalculate rebates. A company should compare claimed deductions with agreed terms monthly. Discrepancies caught early prevent larger disputes and maintain accurate financial reporting.
  • Keep backup documentation for all claims. This includes proof of performance for volume rebates, advertising tear sheets for co-op programs, and delivery confirmations for slotting fee arrangements.

Effective trade spend management balances growth opportunities with financial controls. Companies that master this balance typically outperform their competitors while maintaining predictable cash flows and accurate financial reporting.

To learn more about the role that effective trade spend accounting can play in your company’s success, contact us.

The Return of 100% Bonus Depreciation: A Permanent Game-Changer for Business Investment

Few tax provisions offer the immediate financial power of bonus depreciation. For years, this incentive has been a critical tool for business growth. It allows companies to immediately write off the cost of major assets.

Recent legislative changes have now solidified the deduction. Understanding the rules and strategic advantages is essential. This knowledge is key to maximizing your company’s profitability and cash flow. Whether you are buying new equipment, upgrading property, or planning your next fiscal year, this guide provides the clarity you need. Learn to leverage the permanent 100% bonus depreciation rule to its fullest.

What is Bonus Depreciation?

Bonus depreciation is a powerful tax incentive. It is also known as the additional first-year depreciation deduction (IRC 168(k) allowance). This rule allows businesses to immediately deduct a significant percentage of an asset’s cost. This deduction is now permanently 100%. The deduction applies in the year the qualifying assets are placed in service.

Instead of spreading the deduction over the asset’s useful life under the Modified Accelerated Cost Recovery System (MACRS), this accelerated tax write-off reduces a company’s taxable income, providing an immediate boost to cash flow and lowering tax liability.

The Legislative Shift: 100% is Here to Stay (The OBBBA Effect)

The biggest news for tax planning is the elimination of the planned phase-out of bonus depreciation.

The One Big Beautiful Bill Act (OBBBA), signed into law on July 4, 2025, permanently restores the 100% deduction for qualifying property. This stability enables much more predictable long-term capital planning and removes the pressure to make investment decisions under a deadline.

Previous Phase-Out Schedule vs. Current Law

Year | Previous phase-out rate (under TCJA) | Current rate (after OBBBA)
2023 | 80% | 80%
2024 | 60% | 60%
2025 | 40% | 100%
2026 | 20% | 100%
2027+ | 0% | 100%

Key Date to Remember:

The permanent 100% rate applies to qualifying property acquired and placed in service after January 19, 2025. Assets acquired before this date but placed in service in 2025 are subject to the prior 40% rate. The acquisition date for tax purposes is generally the date on which a written binding contract is entered into.

Does Your Property Qualify for 100% Bonus Depreciation?

To qualify for the full 100% deduction, property must meet specific criteria under IRC section 168(k):

1. General Property Requirements

Depreciable Life: The asset must be tangible property with a MACRS recovery period of 20 years or less. This typically includes:

  • Three-year, five-year (e.g., computers, vehicles, certain manufacturing tools), seven-year (e.g., office furniture, machinery), and 15-year property.
  • Off-the-shelf computer software.
  • Water utility property.

Used Property Inclusion: A critical change from prior law is that both new and used property qualify, provided the property is new to the taxpayer (i.e., it was not previously used by the taxpayer or a related party) and is acquired from an unrelated party in an arm’s-length purchase.

Placed in Service: The asset must be purchased and ready and available for use in the business during the tax year the deduction is claimed.

2. Qualified Improvement Property (QIP)

This is a critical classification for real estate investors and business owners who lease commercial space.

QIP refers to certain interior improvements made to nonresidential real property (commercial buildings) that are placed in service after the building was first placed in service. Thanks to a prior legislative correction, QIP is classified as 15-year property, which makes it eligible for 100% bonus depreciation.

Exclusions: QIP does not include expenditures related to:

  • The enlargement of the building.
  • Elevators or escalators.
  • The internal structural framework of the building.

Maximizing Your Deduction: Strategic Tax Planning

The permanence of 100% bonus depreciation unlocks powerful, predictable strategies for businesses:

The Essential Role of Cost Segregation Studies

For businesses that own or purchase commercial or residential real estate, a cost segregation study is the most effective way to leverage bonus depreciation.

A building’s shell is typically depreciated over 39 years (commercial) or 27.5 years (residential). A cost segregation study identifies and reclassifies components like specialized wiring, dedicated plumbing, site improvements (paving, fences), and certain fixtures into shorter MACRS lives (five, seven, or 15 years).

By reclassifying these shorter-lived assets, they become immediately eligible for the 100% bonus depreciation, allowing a substantial, non-cash deduction in the first year of ownership or improvement.

Combining Bonus Depreciation with Section 179 Expensing

Both provisions offer immediate expensing, but they differ significantly, making their combined use highly strategic:

Feature | Section 179 deduction (IRC §179) | Bonus depreciation (IRC §168(k))
Deduction limit (2025) | $2.5 million maximum (indexed for inflation). | Unlimited dollar amount.
Phase-out threshold | Begins to phase out dollar-for-dollar when purchases exceed $4 million (indexed for inflation). | No phase-out threshold.
Income limitation | Cannot exceed taxable business income (i.e., cannot create or increase a Net Operating Loss, or NOL). | No income limitation. Can be used to create or increase an NOL to offset future income.
Application | Elective and flexible. It can be applied selectively to specific assets. | Automatic. Applies to all qualified property in a depreciation class unless you formally elect out.

Strategic Use: Large businesses with capital purchases exceeding the $4 million Phase-Out Threshold must rely on Bonus Depreciation. Smaller or mid-sized businesses can use Section 179 first (to maximize the deduction up to the limit) and then use 100% Bonus Depreciation for any remaining asset costs, generating a full 100% write-off.

The Election to Opt Out

While it may seem counterintuitive, a business can opt out of bonus depreciation. This election must be made by asset class (e.g., all five-year properties). This is useful if a business anticipates higher taxable income in future years and wishes to defer some depreciation to offset that future income more effectively.

Important Considerations: State Taxes and Recapture

State Tax Conformity: Not all states automatically conform to the federal bonus depreciation rules. Many states still require businesses to use standard MACRS depreciation schedules, which can complicate state tax filings. Always consult a tax professional to understand your state’s specific rules.

Depreciation Recapture: If you sell a depreciated asset for more than its remaining tax basis, the gain up to the amount of depreciation previously claimed is “recaptured” and taxed as ordinary income under IRC §1245 (real property is subject to the separate §1250 rules). This is a critical factor for assets with a short holding period.

Need help applying the 100% bonus depreciation rules to your specific business investments, including compliance with state laws and optimizing for Cost Segregation? Contact our tax experts today to schedule a strategic planning session.

The Tax Benefits of a Cost Segregation Study

Business and individual taxpayers who own commercial real property or residential rental property have an opportunity to reduce their tax liabilities by conducting a cost segregation study to shorten the depreciable lives of certain assets.

A cost segregation study is a strategy that analyzes the components of a building to identify assets that can be depreciated over shorter periods than standard depreciation schedules. This process allows property owners to reduce their taxable income and increase cash flow by accelerating depreciation deductions.

Cost segregation studies can be especially beneficial when qualified property is placed in service in a year that Bonus Depreciation applies.

When Are Cost Segregation Studies Appropriate?

In most instances, the entire cost of residential rental property is depreciated over 27.5 years. Commercial buildings, such as offices, retail space, grocery stores, restaurants, warehouses, and manufacturing plants are depreciated using a 39-year schedule.

However, under IRS cost segregation guidelines, a significant portion of a building’s cost can be depreciated over shorter periods. Certain building components may qualify for a reduced recovery period over five or seven years, and qualified improvement property and exterior land improvements may qualify for a reduced recovery period of 15 years.

Identifying Components

Conducting a cost segregation study allows property owners to separate building components and fixtures into different categories based on their depreciable lives. Common examples include:

  • 5-year assets, such as carpeting, decorative lighting, and certain electrical systems.
  • 7-year assets, such as office furniture and fixtures.
  • 15-year assets, including land improvements like sidewalks, landscaping, parking lots, and playgrounds.

Property Eligibility Example

The client purchased a commercial property 10 years ago for $5 million and has been depreciating $4 million ($1 million was allocated to non-depreciable land) on a straight-line basis over 39 years with an annual depreciation deduction of approximately $102,000 for a total accumulated depreciation of $1,020,000. 

A recent cost segregation study reveals that 30% of the $4 million is more appropriately allocable to non-structural components with a useful life of 10 years or less. Those components would by now be fully depreciated, so accumulated depreciation should have been about $1,920,000: the $1.2 million of reclassified components (30% of $4 million) plus $720,000 on the remaining $2.8 million of 39-year property (about $72,000 of annual depreciation times 10 years).

As a result, the client is entitled to an additional $900,000 ($1,920,000 less $1,020,000) of “catch-up depreciation” in the year the results of the study are reported, generally claimed as a Section 481(a) adjustment by filing Form 3115 to change the method of accounting rather than by amending prior returns.

Understanding the Process

A cost segregation study begins with a feasibility analysis that reviews the taxpayer’s current position, property details, acquisition or construction costs, and potential tax savings. This is based on examining relevant data such as construction costs and invoices, blueprints, engineering plans, appraisals, property condition reports, and similar information.

From there, qualified engineers or specialists inspect the property to identify and document building components and systems (including their condition and use). Costs are allocated to the components using industry standards and methodologies to ensure defensible IRS compliance.

The findings are then implemented in the property owner’s tax filings. This may involve adjusting current depreciation schedules and, if applicable, amending prior tax returns.

Bonus Depreciation Opportunities

Bonus depreciation legislation influences the value and timing of cost segregation studies significantly by altering the immediate tax benefits property owners can claim.

When bonus depreciation was at 100% (the case for property placed in service between late 2017 and 2022), cost segregation studies allowed property owners to expense the full value of reclassified assets immediately. This creates substantial upfront tax savings, potentially eliminating taxable income in the first year.

As bonus depreciation phases down (to 40% in 2025), the immediate deduction decreases. However, cost segregation still accelerates depreciation, making even this reduced amount valuable for reducing taxable income.

Under current tax law, bonus depreciation is scheduled to decline to 20% in 2026 and to be phased out completely in 2027.

While specific situations vary, property owners should monitor legislative developments. If 100% bonus depreciation were restored, waiting until 2026 could be more attractive than applying the lower rates this year or next, but owners still need enough lead time to complete a study in 2025 in case the rates do not change.

Enhanced Tax Planning and Compliance

The detailed documentation provided by a cost segregation study supports compliance with IRS regulations and reduces audit risk, because each reclassified asset is tied to engineering evidence and invoices. A study also provides a foundation for future tax planning, such as claiming partial disposition losses when identified components are later replaced or retired.

By leveraging these benefits, property owners can significantly enhance the financial performance of their real estate investments while minimizing their tax burdens.

To learn more about cost segregation studies and how they may apply in your situation, contact us.

Grouping and Aggregation: Structuring for Tax Efficiency

The Qualified Business Income (QBI) deduction provides a valuable opportunity for owners of pass-through entities to reduce taxable income. At the same time, grouping and aggregation elections under the Internal Revenue Code offer essential tools for structuring how that income is calculated and reported.

These rules affect many businesses in the real estate, construction, and manufacturing sectors, where ownership structures often span multiple entities. Understanding how these elections interact can lead to more consistent reporting, stronger compliance, and, in many cases, a larger deduction.

What Is Grouping?

Grouping allows taxpayers to treat two or more related activities as a single activity for purposes of the passive activity rules. The election is typically used to determine whether an owner materially participates in an activity and, therefore, whether losses are passive or non-passive.

In practice, grouping means combining operations that form an “appropriate economic unit.” The IRS looks at common ownership, shared facilities or employees, and how financially interdependent the activities are.

For example, a business owner who holds several manufacturing sites under separate LLCs could group them if they operate under one management team and share supply-chain functions. Similarly, a real estate investor might group multiple rental properties managed through the same system.

Once a grouping election is made, it generally must remain in place in future years unless a significant change occurs. This consistency is important for sustaining eligibility for deductions and maintaining defensible reporting.

How Does the QBI Deduction Work?

The QBI deduction, established under Section 199A, allows qualifying owners of pass-through entities to deduct up to 20% of their qualified business income. Eligible structures include sole proprietorships, partnerships, S corporations, and certain trusts and estates.

The deduction does not apply to wages, guaranteed payments, or investment income. For higher-income taxpayers, the amount may also be limited by W-2 wages paid or the unadjusted basis of qualified property.

In sectors like construction and manufacturing, where owners often hold operating and asset-holding entities, these limitations can significantly affect the result. For real estate owners, the treatment of rental income, whether it rises to the level of a trade or business, can determine if the income qualifies at all.

Understanding these boundaries allows owners to plan their entity structure and compensation approach before year-end, rather than adjusting after the fact.

What is Aggregation?

Aggregation is an election available under Section 199A that allows owners to combine multiple qualified trades or businesses when computing the QBI deduction.

To aggregate, the businesses must:

  1. Be at least 50% commonly owned (directly or by attribution) by the same person or group, for the majority of the tax year including the last day.
  2. Share the same tax year.
  3. None may be a specified service trade or business (SSTB).
  4. Satisfy at least two of three operational tests: they provide the same products, property, or services; they share facilities or significant centralized business elements such as personnel, accounting, or IT systems; or they are operated in coordination with, or reliance upon, one another.

For example, a construction firm that owns a related equipment-leasing company could obtain a higher deduction by aggregating the two to combine wages and qualified property. A manufacturer with a separate real estate entity that owns its production facility could do the same, as could a real estate group operating multiple interrelated management entities.

Aggregation is optional but powerful. When used properly, it allows the business owner to align operations and optimize how income, wages, and property interact in the QBI calculation. Like grouping, once elected, the aggregation must be applied consistently in subsequent years.

What Are the Risks of Getting It Wrong?

Because grouping and aggregation both affect how income and losses are reported, inconsistent or poorly documented elections can create long-term challenges. Common issues include:

  • Combining activities that do not qualify as a single economic unit.
  • Failing to document ownership or operational relationships supporting aggregation.
  • Changing elections year-to-year without a qualifying change in circumstances.

Each of these can lead to confusion or potential IRS examination. For construction and manufacturing companies that often manage multiple entities under shared control, clear documentation is essential.

A Practical Example of Grouping and Aggregation

(adapted from the Regulations (Treas. Reg. Sec. 1.199A-1(d)(4), Examples 7 & 8))

F: Unmarried Individual with Income from 3 Businesses + Wages

F, an unmarried individual, owns as a sole proprietor 100 percent of three trades or businesses, Business X, Business Y, and Business Z. None of the businesses hold qualified property. F does not aggregate the trades or businesses under § 1.199A-4.

  • For taxable year 2018, Business X generates $1 million of QBI and pays $500,000 of W-2 wages with respect to the business.
  • Business Y also generates $1 million of QBI but pays no wages.
  • Business Z generates $2,000 of QBI and pays $500,000 of W-2 wages with respect to the business.
  • F also has $750,000 of wage income from employment with an unrelated company.

After allowable deductions unrelated to the businesses, F’s taxable income is $2,722,000.

F’s Business-by-Business Section 199A Deduction

Because F’s taxable income is above the threshold amount, the QBI component of F’s section 199A deduction is subject to the W-2 wage and UBIA of qualified property limitations. Without aggregation, these limitations must be applied on a business-by-business basis. None of the businesses holds qualified property, so only the 50%-of-W-2-wages limitation must be calculated. Because QBI from each business is positive, F applies the limitation by determining the lesser of 20% of QBI and 50% of W-2 wages for each business.

  • For Business X, the lesser of 20% of QBI ($1,000,000 × 20 percent = $200,000) and 50% of Business X’s W-2 wages ($500,000 × 50% = $250,000) is $200,000.
  • Business Y pays no W-2 wages. The lesser of 20% of Business Y’s QBI ($1,000,000 × 20% = $200,000) and 50% of its W-2 wages (zero) is zero.
  • For Business Z, the lesser of 20% of QBI ($2,000 × 20% = $400) and 50% of W-2 wages ($500,000 × 50% = $250,000) is $400.

Next, F combines the three amounts determined above and compares that sum to 20% of F’s taxable income. The lesser of these two amounts is F’s section 199A deduction. The combined amount is $200,400 ($200,000 + $0 + $400). Twenty percent of F’s taxable income is $544,400 ($2,722,000 × 20%).

Thus, F’s section 199A deduction for 2018 is $200,400.

What if F’s Businesses are Aggregated?

If, however, we assume that F aggregates Business X, Business Y, and Business Z under the rules of § 1.199A-4, F’s section 199A deduction will be $400,400 in 2018, or $200,000 higher!

Because F’s taxable income is above the threshold amount, the QBI component of F’s section 199A deduction is subject to the W-2 wage and UBIA of qualified property limitations. If the businesses are aggregated, these limitations are applied on an aggregated basis. 

  • None of the businesses holds qualified property, therefore only the W-2 wage limitation must be calculated.
  • F applies the limitation by determining the lesser of 20% of the QBI from the aggregated businesses, which is $400,400 ($2,002,000 × 20%), and 50% of W-2 wages from the aggregated businesses, which is $500,000 ($1,000,000 × 50%). The wages paid by Business Z, which were almost entirely wasted on a business-by-business basis, now support the QBI of Business Y.
  • F’s section 199A deduction is equal to the lesser of $400,400 and 20% of F’s taxable income ($2,722,000 × 20% = $544,400).

Thus, F’s section 199A deduction for 2018 is $400,400.
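The computation above carried into code, as an added example that is not from the original article or the regulations. It implements only the pieces the example uses: the 50%-of-W-2-wages limitation applied per business or to the aggregate, then the 20%-of-taxable-income cap. It assumes the taxpayer is fully above the threshold amount, that no business holds qualified property (so the UBIA alternative is ignored), and that every business has positive QBI; the `Business` record layout and function names are this example’s own.

```python
"""Section 199A deduction with the W-2 wage limitation, applied business by business
versus on an aggregated basis.  Added worked example, not the article's or the IRS's
code.  Simplifications (assumptions): taxable income is above the phase-in range,
no UBIA of qualified property, no SSTBs, no REIT/PTP component, all QBI positive."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Business:
    name: str
    qbi: float        # qualified business income for the year
    w2_wages: float   # W-2 wages paid with respect to this business


def limited_qbi_amount(qbi: float, w2_wages: float) -> float:
    """Lesser of 20% of QBI and 50% of W-2 wages for one business (or one aggregate).
    This example handles only positive QBI; a qualified business loss would instead
    have to be netted against the other businesses first."""
    if qbi <= 0:
        raise ValueError("this simplified example only handles positive QBI")
    return min(0.20 * qbi, 0.50 * w2_wages)


def section_199a_deduction(businesses, taxable_income: float, aggregate: bool = False) -> float:
    """Sum of the per-business limited amounts (or the single limited amount for the
    aggregated group), capped at 20% of taxable income."""
    if aggregate:
        total_qbi = sum(b.qbi for b in businesses)
        total_wages = sum(b.w2_wages for b in businesses)
        qbi_component = limited_qbi_amount(total_qbi, total_wages)
    else:
        qbi_component = sum(limited_qbi_amount(b.qbi, b.w2_wages) for b in businesses)
    return min(qbi_component, 0.20 * taxable_income)


# Figures from the article's example (taxpayer F, taxable year 2018).
F_BUSINESSES = (
    Business("X", qbi=1_000_000, w2_wages=500_000),
    Business("Y", qbi=1_000_000, w2_wages=0),
    Business("Z", qbi=2_000, w2_wages=500_000),
)
F_TAXABLE_INCOME = 2_722_000


def compare_elections(businesses=F_BUSINESSES, taxable_income=F_TAXABLE_INCOME) -> dict:
    """Deduction with and without the aggregation election, and the difference."""
    separate = section_199a_deduction(businesses, taxable_income, aggregate=False)
    aggregated = section_199a_deduction(businesses, taxable_income, aggregate=True)
    return {"separate": separate, "aggregated": aggregated, "benefit": aggregated - separate}


if __name__ == "__main__":
    for label, amount in compare_elections().items():
        print(f"{label:>10}: ${amount:,.0f}")
```

Running it reproduces the $200,400 and $400,400 figures from the two examples; lowering `taxable_income` shows the 20%-of-taxable-income cap taking over, which is the other boundary a planner needs to check before relying on aggregation.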

How to Proceed

Grouping and aggregation are more than compliance exercises; they are strategic decisions that influence tax efficiency and long-term structure. For real estate investors, manufacturers, and contractors, reviewing these elections annually ensures the chosen structure still fits the business’s current operations.

Before making or modifying these elections:

  1. Review ownership percentages across entities.
  2. Identify shared activities, employees, or property.
  3. Confirm whether income qualifies as business income under Section 199A.
  4. Document all decisions and rationale clearly in your tax files.

Our team works with clients across real estate, construction, and manufacturing to evaluate these structures in context, helping owners align tax strategy with business goals while maintaining consistency and compliance.

For guidance tailored to your situation, contact Sensiba’s Tax Advisory team.

R&D Tax Credit for Agriculture: Fund Your Farm Innovation and Growth

Water scarcity continues to challenge farms, processors, and agtech innovators across the United States. Drought conditions have accelerated the need for smarter irrigation systems, more resilient crop varieties, livestock management, and new ways to monitor and conserve resources.

For many agricultural operations, whether it’s orchards, crops or animals, these adaptation efforts are not only practical necessities but also may qualify as research under the federal and state Research and Development (R&D) Tax Credit. Understanding how this credit applies can help agricultural businesses recognize the value of their ongoing problem-solving and reinvest in future improvements.

What Is the R&D Tax Credit?

The R&D Tax Credit is a federal and state incentive that financially rewards businesses for innovating. It is designed to offset the costs of developing or improving products, processes, or technology.

While commonly associated with high-tech manufacturing and engineering, the credit applies directly to agriculture, where essential experimentation happens in the field, barn, or processing facility.

How the Credit Works

The credit is calculated based on a portion of your qualifying expenses related to eligible projects. These expenses include:

  • Wages paid to employees involved in the research.
  • Materials and supplies used in testing.
  • Contractor costs for outsourced research services.

For startup companies, the credit can potentially be used to offset payroll taxes, providing immediate financial relief.

Eligible Activities in Agriculture

Any project aimed at improving quality, efficiency, sustainability, or technique can qualify. If you are testing, adjusting, or evaluating alternatives, it’s likely eligible.

Focus area and examples of potentially qualifying R&D:

Field/Crop Innovation: Testing new irrigation systems, improving soil moisture management, or introducing new crop varieties (e.g., drought-resistant seeds).

Livestock Management: Experimenting with feed and nutrition changes, automating tending or processing equipment, or implementing robotics.

Processing & Packaging: Bringing in new equipment, using automation, or improving packaging to reduce waste or increase shelf life.

Why It Matters for Agriculture

As environmental and regulatory pressures evolve, agricultural innovation is essential. Producers explore new technologies, sustainable practices and data-driven tools to manage resources more effectively. Recognizing that these activities can qualify for the R&D credit ensures that innovation is not only environmentally sound but also financially sustainable.

Many farms and agtech companies already perform the type of applied research the credit was designed to support. By identifying these efforts early, organizations can better leverage available incentives and document the technical work behind their results.

Some examples of naturally occurring day-to-day activities that may meet the IRS definition of qualified research include:

Water Management & Crop Science

  • Developing or refining irrigation systems to optimize water use.
  • Testing soil moisture or nutrient sensors to improve crop health.
  • Experimenting with drought-tolerant or heat-resistant seed varieties.
  • Developing and implementing water recycling or treatment systems that support sustainability goals.
  • Implementing regenerative practices on the farm.

Livestock & Nutrition

  • Testing and analyzing how different feed formulations affect different breeds.
  • Developing processes and techniques to reduce mortality.

Post-Harvest & Processing

  • Creating new techniques to reduce waste or preserve product quality.
  • Leveraging new packaging to reduce waste, increase shelf life or recyclability.
  • Implementing new equipment or automation to reduce product damage.

The key factor is that the work involves experimentation — testing, adjusting, and evaluating alternatives to achieve measurable improvements.

Looking Ahead

Agriculture will have to continue evolving, with growers adapting strategies and techniques to changing climate conditions and limited resources. Programs like the R&D Tax Credit help support that progress by recognizing the time, effort and ingenuity that go into developing more sustainable operations.

Understanding the connection between innovation and incentive can help farms and ag-based businesses plan strategically for the future and continue building a foundation for growth and resilience.

How to Get Started

Businesses can begin by:

  1. Reviewing projects that involved testing or technical problem-solving.
  2. Tracking who was involved and what resources were used.
  3. Keeping documentation of trials, prototypes or data collection.
  4. Consulting with a qualified tax professional to confirm eligibility and determine how to claim the credit.

Even small pilot projects or incremental improvements may qualify if they follow a process of evaluation and refinement.

To learn more about how these rules apply to your operation, connect with Sensiba’s R&D Tax Credit Team. Our team will work with you to review your activities and help determine whether your innovation efforts may qualify.

Best Practices for a Faster, Error-Free Month-End Close

Financial institutions can no longer rely on a traditional 10-day close. Leadership teams, audit committees, and regulators expect timely, accurate financial data.

Yet many finance departments remain stuck in reactive, close-dependent processes that create unnecessary risk and prevent meaningful analysis.

Modernizing the close allows organizations to shift from a chaotic, month-end scramble to a proactive, continuously managed function. With the right structure, institutions can eliminate manual bottlenecks, strengthen internal controls, and deliver higher-quality financials in a fraction of the time.

Organizations can implement a faster, more reliable close by blending process re-engineering, continuous accounting practices, and strategic automation. When these components work together, they create a streamlined, audit-ready close that improves accuracy, reduces stress on the finance team, and supports better strategic decisions.

Strategic Shift: Implementing Continuous Accounting

The continuous accounting approach to financial management distributes key activities across the month rather than concentrating them in the final days. Instead of waiting until the books close to reconcile accounts, review transactions, and address discrepancies, finance teams tackle these activities as transactions occur.

Shifting from a periodic, event-driven process to an ongoing, daily discipline removes the volume spikes that can overwhelm teams and lead to errors, while providing management with fresher, more actionable insights.

And by performing most of the heavy lifting before month-end arrives, finance teams can turn the close into more of a validation exercise than a marathon sprint.

An effective continuous accounting timeline often includes:

Daily Activities

Automated Bank Reconciliation: Cash activity is matched to the general ledger every day, eliminating the historical lag between transaction settlement and GL accuracy.

Transaction Matching: High-volume, low-value transactions (credit card activity, intercompany cash, loan payments) are matched and cleared daily, allowing exceptions to be resolved in real time instead of accumulating until month-end.
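The daily matching step described above, as an added example that is not code from the original article or from any close-management product. It matches one day of bank activity to the GL cash account on exact amount, reference and a posting-date window, consumes each GL entry at most once (so two identical card charges cannot both clear against one entry), and separates the exceptions into “cash moved, nothing booked” and “booked, not yet cleared.” The record layout, the three-day window and the sample bank and GL lines are constructed for illustration.

```python
"""Daily bank-to-GL transaction matching with exception routing.
Added example, not from the original article or any vendor tool; the record layout,
the date window and the sample transactions below are constructed for illustration."""

from collections import defaultdict
from datetime import date, timedelta

# Constructed sample feeds: one day of bank activity and the open GL cash entries.
BANK_LINES = [
    {"id": "B1", "date": date(2025, 3, 3), "amount": -1250.00, "ref": "CHK1041"},
    {"id": "B2", "date": date(2025, 3, 3), "amount": 9800.00, "ref": "LN-PMT-7781"},
    {"id": "B3", "date": date(2025, 3, 3), "amount": -42.17, "ref": "CARD"},
    {"id": "B4", "date": date(2025, 3, 3), "amount": -42.17, "ref": "CARD"},   # duplicate charge
    {"id": "B5", "date": date(2025, 3, 3), "amount": 500.00, "ref": "WIRE IN"},  # not yet booked
]
GL_ENTRIES = [
    {"id": "G1", "date": date(2025, 3, 1), "amount": -1250.00, "ref": "CHK1041"},  # booked 2 days earlier
    {"id": "G2", "date": date(2025, 3, 3), "amount": 9800.00, "ref": "LN-PMT-7781"},
    {"id": "G3", "date": date(2025, 3, 3), "amount": -42.17, "ref": "CARD"},
    {"id": "G4", "date": date(2025, 3, 2), "amount": -300.00, "ref": "CHK1039"},   # outstanding check
]


def match_transactions(bank, gl, date_window_days=3):
    """One-to-one matching on (amount, reference) with posting dates within a window.
    Returns (matches, bank_exceptions, gl_exceptions)."""
    window = timedelta(days=date_window_days)
    candidates = defaultdict(list)
    for g in gl:
        candidates[(round(g["amount"], 2), g["ref"])].append(g)

    matches, bank_exceptions, used = [], [], set()
    for b in sorted(bank, key=lambda r: r["date"]):
        key = (round(b["amount"], 2), b["ref"])
        hit = next((g for g in candidates[key]
                    if g["id"] not in used and abs(g["date"] - b["date"]) <= window), None)
        if hit is None:
            bank_exceptions.append(b)          # cash moved but nothing in the ledger
        else:
            used.add(hit["id"])                # each GL entry clears exactly one bank line
            matches.append((b["id"], hit["id"]))
    gl_exceptions = [g for g in gl if g["id"] not in used]   # booked, not yet cleared
    return matches, bank_exceptions, gl_exceptions


def reconciliation_summary(bank=BANK_LINES, gl=GL_ENTRIES) -> dict:
    """What a daily exception report would carry to the reviewer."""
    matches, bank_exc, gl_exc = match_transactions(bank, gl)
    return {
        "matched": len(matches),
        "unmatched_bank": [b["id"] for b in bank_exc],
        "unmatched_gl": [g["id"] for g in gl_exc],
        # Reconciling difference between bank and book balances explained by exceptions
        "book_to_bank_difference": round(sum(b["amount"] for b in bank_exc)
                                         - sum(g["amount"] for g in gl_exc), 2),
    }


if __name__ == "__main__":
    for k, v in reconciliation_summary().items():
        print(f"{k}: {v}")
```

On the sample data three lines auto-clear, the duplicate card charge and the unbooked wire are routed as bank exceptions, and the outstanding check stays open on the GL side; the reconciling difference those exceptions explain is what the reviewer signs off on, rather than the whole ledger.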

Mid-Month Activities

Preliminary Flux Analysis: Performing mid-month variance reviews helps identify anomalies long before the hard close, reducing last-minute research and improving the quality of explanations.

Prepaid and Accrual Amortization: Recurring entries such as depreciation, amortization, and standard accruals can be generated and posted automatically based on predefined rules, smoothing workloads and improving accuracy.

A continuous model doesn’t just accelerate the close—it stabilizes it. By spreading the work evenly, finance teams reclaim capacity for planning, analysis, and partner support across the institution.

Process Re-Engineering and Standardization

A faster, more reliable close starts with disciplined processes. Re-engineering the workflow ensures every task is visible, repeatable, and executed consistently.

Close Calendar and Task Management

Develop a Detailed Calendar: A master checklist outlines every task, its dependencies, assigned owners, and deadlines.
Workflow Management: A close-management tool, such as BlackLine, replaces email-driven coordination, providing real-time visibility into progress, approvals, and bottlenecks.

Standardization and Documentation

SOP Development: Each recurring task should be documented with clear instructions, required support, and review criteria.

Template Adoption: Standard templates for reconciliations, journal entries, and variance explanations ensure consistency across teams and branches.

Define Cut-Off Procedures

Establish firm deadlines for sub-ledger closures such as AP, AR, credit card systems, and loan subsystems, and set rules defining when operational transactions must be posted. This eliminates ambiguity and protects the integrity of the general ledger.

With standardized processes, month-end becomes predictable instead of chaotic. Teams execute faster and with fewer errors, and leadership gains confidence in the reliability of the numbers.

Technology and Automation

Technology serves as the backbone of a modern close, replacing manual effort with automated accuracy and providing a single source of truth across systems.

System Integration

Integrate core banking platforms, GL/ERP systems, and sub-ledgers (fixed assets, loans, investments) to eliminate manual data pulls and ensure the GL reflects real-time activity.

RPA and AI-Driven Automation

Journal Entry Automation: Recurring and rule-based entries, such as accruals, amortizations, and reclassifications, can be created, posted, and reversed automatically.

Intelligent Transaction Matching: Machine learning improves matching rates over time, auto-clearing the majority of transactions and routing exceptions to staff for review.

Audit Trail Automation

Close-management software automatically captures supporting documentation, reconciliation details, comments, and sign-offs. The result is a built-in audit trail that prepares the institution for regulatory and external auditor review without additional effort.

With automation handling the repetitive work, accounting teams can focus on analysis, strategic support, and control oversight—raising the value of the finance function.

People and Controls: The Human Element

Even the best tools and processes depend on the people responsible for executing them. A modern close requires clear accountability, well-trained staff, and strong internal controls.

Clear Accountability

Assign Owner: Assign a single close owner (controller or CFO) with end-to-end oversight.

Define Roles/SOD: Define roles and responsibilities to maintain segregation of duties (SOD) and prevent control failures.

Staff Training and Cross-Training

Ongoing Training: Provide ongoing training on accounting standards (e.g., CECL), technology updates, and new workflows.

Avoid SPOFs: Cross-train staff on critical processes to avoid single points of failure during vacations, transitions, or turnover.

Quality Over Speed

Before the books are locked each period, a senior finance leader should review the adjusted trial balance, key reconciliations, and major variance explanations. This executive-level checkpoint ensures nothing slips through the cracks and provides an additional layer of oversight.

The goal isn’t just to close faster—the real objective is to close stronger, delivering financial statements that stand up to scrutiny from auditors, regulators, and your board. Speed and quality aren’t mutually exclusive; when you build the right controls and processes, they reinforce each other.

A high-performing close team combines technology, controls, and human judgment to ensure accuracy, strengthen governance, and elevate the institution’s financial leadership.

The Strategic Close

Modernizing the close delivers measurable benefits: reduced labor hours, fewer errors, higher matching and reconciliation accuracy, and a dramatically shorter close cycle—often shrinking from 10 days to as few as three.

The shift to continuous accounting provides institutions with a smoother and more predictable process, reducing stress on staff and improving audit readiness.

More importantly, timely and reliable financial data becomes a competitive advantage. With fresher insights, management can make faster and more informed decisions on pricing, liquidity, asset/liability management, and lending strategies.

In addition, automation and standardization ensure defensible, transparent financial reporting. Instead of scrambling to meet regulatory demands, the institution enters each audit cycle prepared, confident, and in full control of its financial data.

To learn more about continuous accounting and optimizing the close process, contact us.

Framework Face-Off: HITRUST e1 vs SOC 2 – What’s the Next Step in Your Security Journey?

Achieving a SOC 2 report completes a rigorous process that evaluates a company’s commitment to protecting customer data and maintaining strong internal controls. For many organizations, it is among the first milestones in building a trustworthy security posture, and SOC 2 provides a valuable pathway to other widely accepted standards and frameworks, including HITRUST e1.

The HITRUST e1 certification, increasingly requested by large customers, offers a prescriptive, validated tool for strengthening your security efforts. The certification, while newer than SOC 2, is gaining traction among organizations seeking deeper security assurance or operating in regulated environments.

As a result, more companies are using SOC 2 as a foundation and layering HITRUST e1 for enhanced credibility and security (especially in industries where security expectations are strict).

For companies that have a SOC 2 report, the considerable overlap between the two frameworks means much of the groundwork is already done.

SOC 2 vs. HITRUST e1: What’s the Difference?

While both frameworks address organizational security, SOC 2 and HITRUST e1 take different approaches to providing assurance.

A SOC 2 report is an attestation issued by a public accounting firm that evaluates how well your organization’s controls align with Trust Services Criteria developed by the AICPA. A SOC 2 report, based on the auditor’s opinion, is not a formal certification.

In contrast, HITRUST e1 is a certification, issued by HITRUST, validating that an organization meets a specific set of 44 foundational requirements. The assessment is performed by an Authorized External Assessor, which submits its results (including control testing, evidence, and maturity-level scores) to HITRUST for quality-assurance review. The final certification decision is made by HITRUST, not by the assessor.

Another key difference is how each framework approaches audit scoping. SOC 2’s scope is defined by the Trust Services Criteria you choose. The Security criterion is required, and organizations have the option to add Availability, Confidentiality, and others. The appropriate controls are reviewed by your auditor.

HITRUST e1 has a fixed scope: 44 essential controls that apply across the board. That consistency makes it easier to compare assessments and benchmark progress.

Beyond the fixed HITRUST e1 requirements, organizations have the option to scope in controls from other authoritative frameworks such as HIPAA, NIST, or others.

Similarly, SOC 2 outlines what needs to be protected but lets the organization decide how to accomplish that. HITRUST e1 is prescriptive, spelling out the framework’s requirements for each control.

For example, while SOC 2 might require that backups exist, HITRUST e1 could specify that backups must be stored offline in an immutable format. That level of detail pushes organizations toward a more consistent and robust security posture.

The results also look different. The SOC 2 process results in a qualitative report that reflects the auditor’s assessment. HITRUST e1 uses a quantitative scoring system based on the HITRUST CSF PRISMA maturity model. That score gives you a measurable view of your security maturity.

Why HITRUST e1 Is Worth It

Beyond the operational efficiencies, HITRUST e1 offers strategic benefits in several areas.

HITRUST can boost market trust because the certification is widely recognized and signals a mature security posture. HITRUST was developed to meet the security and regulatory requirements of the healthcare sector. More recently, it’s being adopted extensively among technology and SaaS providers, business services firms, and financial services companies.

HITRUST sets the stage for future growth, with HITRUST e1 offering an entry point to a broader certification ecosystem. The work done to obtain e1 certification provides a foundation for more advanced certifications like HITRUST i1 or r2, which may become relevant as your business scales or enters new markets.

HITRUST in general also strengthens your security. Its prescriptive nature requires a deep examination of your controls, helping to identify potential issues that might be missed in a more flexible framework.

HITRUST also incorporates threat-informed validation. Using the MITRE ATT&CK framework, it tests whether your controls (such as access management, endpoint protection, and patching) reduce the risk of known attacker behaviors.

From SOC 2 to HITRUST e1: A Clear Compliance Path

If you have recently completed a SOC 2 audit, your organization has a head start on a HITRUST e1 assessment. Much of the evidence and documentation collected for SOC 2 can be reused for HITRUST e1; overall, about 36 of the 44 HITRUST e1 requirements align with SOC 2 requirements.

The next step is mapping your SOC 2 controls to the HITRUST e1 framework to identify where you’re already covered and where gaps exist between the two frameworks.

At this stage, a readiness assessment can be an effective way to identify potential issues that could preclude final certification. Resolving those gaps before submitting audit results for HITRUST review can make the process smoother and reduce the risk of failing the assessment.

During your preparation, leveraging a GRC (governance, risk, and compliance) platform can streamline the process of mapping evidence from a SOC 2 audit into a HITRUST e1 assessment. These platforms provide centralized documentation, automated control mapping, and workflow capabilities that reduce manual effort and improve traceability between frameworks.

Since SOC 2 and HITRUST share overlapping control requirements (particularly around data protection, access management, and incident response) a GRC tool can help identify reusable artifacts and align them with HITRUST’s specific criteria.

While this approach can accelerate readiness and reduce redundancy, it’s important to note it does not guarantee successful HITRUST certification. Each framework has unique requirements and validation standards, so organizations must ensure full compliance by completing a thorough gap analysis and remediation.

There is value in working with a CPA firm experienced with SOC 2 that is also a HITRUST Authorized External Assessor. That dual capability can streamline the process, reduce costs and audit fatigue, and ensure consistency across both evaluations.

Some organizations choose to conduct SOC 2 and HITRUST e1 assessments simultaneously. Others follow up HITRUST immediately (within about six months) after SOC 2. With either approach, the overlap in evidence collection can save time and effort.

HITRUST Offers a Strategic Next Step

SOC 2 is a strong start, and HITRUST e1 builds on that momentum by offering a clear, validated path to a mature and credible security posture. For organizations serious about protecting data and earning trust, it’s a step worth considering.

To learn more about how SOC 2 and HITRUST e1 work together, and how SOC 2 can provide a compelling pathway to HITRUST certifications, contact us.

Essential Eight Challenges: Why Compliance Stalls and How to Fix It

In today’s threat landscape, most organizations recognize the need to strengthen their cybersecurity posture and the importance of frameworks like the Essential Eight—but many struggle to implement them effectively.

On the surface, the Essential Eight appears straightforward: eight baseline strategies developed by the Australian Cyber Security Centre (ACSC) to defend against common cyberattacks.

Yet in practice, compliance often stalls—not because the controls are overly technical, but because organizations face broader challenges such as resourcing, culture, and change management.

This article explores the biggest roadblocks to Essential Eight compliance and offers practical strategies business leaders can use to turn intent into real, measurable resilience.

Roadblock 1: The Financial and Resource Hurdle

The Problem: The cost of implementing new tools, hiring skilled staff, and dedicating employee time to Essential Eight compliance can be prohibitive, especially for small to medium-sized businesses.

Why It’s a Roadblock: Companies often underestimate the total investment required, leading to projects that are underfunded or abandoned.

How to Overcome It:

  • Start small: Focus on achieving Maturity Level One as a foundational step.
  • Prioritize: Use a risk-based approach to determine which controls or systems need immediate attention.
  • Leverage existing tools: Explore how your current software licenses (e.g., Microsoft 365) may already offer some of the required capabilities.
  • Consider managed services: Outsourcing some or all of the compliance and maintenance to a managed security provider can be more cost-effective than building an in-house team.

Roadblock 2: The Technical and Legacy System Challenge

The Problem: Many organizations operate with outdated or legacy systems that are difficult to patch, integrate, or secure with modern controls.

Why It’s a Roadblock: Legacy infrastructure creates compatibility issues, increases complexity, and can leave significant security gaps that cannot be addressed easily.

How to Overcome It:

  • Isolate legacy systems: Create a segregated network segment for these systems to minimize their risk to the rest of your infrastructure.
  • Implement compensating controls: Use other security measures (e.g., strong network firewalls) to protect the legacy systems where direct compliance isn’t possible.
  • Plan for modernization: Develop a long-term strategy for migrating away from legacy systems to a more modern, secure environment.

Roadblock 3: The Human and Cultural Barrier

The Problem: Employee resistance to change and a lack of a strong security culture can derail even the best-planned projects.

Why It’s a Roadblock: Employees may view new security measures (like multifactor authentication or restricted privileges) as inconvenient or disruptive to their workflow, leading to workarounds and non-compliance.

How to Overcome It:

  • Communicate the ‘why’: Clearly explain the necessity of the changes and how they protect the company and its employees.
  • Provide training and education: Conduct regular, engaging training sessions that use real-world examples to show the consequences of security failures.
  • Foster a security-first culture: Make security a shared responsibility and reward employees for following best practices.

A Phased Approach to a Secure Future

While the roadblocks to Essential Eight compliance can seem daunting, they are far from insurmountable. By taking a phased, strategic approach that balances technical, financial, and cultural considerations, organizations can turn these challenges into opportunities for stronger resilience.

The Essential Eight Maturity Model can help organizations adopt a phased approach to cybersecurity.

Think of it as an investment, not a cost. Essential Eight compliance pays you back in reduced risk, greater trust, and long-term business continuity. The key is to start small, identify your biggest roadblock, and take the first step today.

Learn how Sensiba can help start your journey toward Essential Eight implementation.

The Tax Advantages of a Synthetic Drop and Swap

For real estate investors who want to leave a partnership, converting the partnership to a Delaware Statutory Trust (DST) can allow the investors to go their separate ways while retaining the tax benefits of a Section 1031 like-kind exchange. Converting a partnership or an LLC to a DST is often known as a “synthetic drop and swap.”

The effective use of this strategy assumes either:

  • The current investment property will continue to be held by some of the investors and others want to exit, so the partnership is restructured as a DST to allow the tax-deferred exit of certain investors and the admission of the others to the trust.
  • The property will be sold and the DST will terminate.

The DST structure gives the investors the flexibility to sell or retain their interests.

A DST can offer a practical alternative to a drop and swap, a popular tax planning strategy often chosen when members of a business partnership want to sell appreciated assets. Under a drop and swap, the partnership effectively redeems partnership interests by distributing tenant-in-common (TIC) interests in its assets to the partners. This allows each TIC owner to decide whether to cash out or reinvest the interests in new assets.

However, a big limitation of the drop-and-swap is that it only works if it is planned in advance. Once a partnership has shown clear intent to sell property, adopting this strategy retrospectively is more likely to face challenges from the IRS.

Post-sale-agreement attempts to implement a drop-and-swap can face IRS questions, citing doctrines like assignment of income or step transactions. The IRS might also argue that TIC ownership doesn’t meet Section 1031’s “held for investment” requirement.

While there is no guarantee the IRS wouldn’t make similar arguments in these cases, a DST conversion can achieve tax benefits similar to those of a drop-and-swap.

Careful planning well in advance of the decision to sell is the single factor most likely to protect the intended tax treatment of the transaction. This includes drafting the documentation that will become effective when the original entity is converted to a Delaware DST.

What Is a Delaware Statutory Trust?

A DST is a legal entity created under Delaware law that provides liability protection similar to LLCs or partnerships. A DST can be set up as a multi-beneficiary grantor trust under federal tax rules. Essentially, each grantor-beneficiary owns a share of the DST’s assets proportional to their interest in the trust. For example, if someone holds a 10% interest in a DST that owns investment property, they’re treated as owning 10% of that property for tax purposes.

In 2004, the IRS issued guidance (Rev. Proc. 2004-86) confirming that DST interests could qualify as replacement property for Section 1031 exchanges. This ruling spurred the popularity of syndicated DST investments in the Section 1031 market, gradually overshadowing TIC investments. DSTs can also help individual taxpayers manage tax consequences when other strategies, like drop-and-swaps, are unavailable.

Within the last 10 years, there was a bubble in DST transactions, mostly de novo creations of DSTs to hold newly acquired property and harvest up-leg exchange proceeds. Paralleling the history of the private placement industry in the 1980s, some of these failed spectacularly due to such things as dishonest conduct and incompetent property management.

The primary investor risk in failed DST investments is the fact that if a property is foreclosed or a “gain recognition event” occurs, the investor’s reportable taxable gain will be his percentage share of the difference between the debt cancelled (“forgiven”) in the transaction and his adjusted basis in his DST units, which basis may be quite low.

Recently created DSTs are typically the creation of Wall Street houses and conservatively structured, but also have modest investor returns and high fee schedules.

The Delaware Conversion Statute

Here’s how it works: The partnership converts into a DST under state law before the property sale is finalized. This triggers the partnership’s liquidation for federal tax purposes, with each partner receiving an undivided interest in the partnership’s assets and liabilities based on their ownership share.

Under the Delaware conversion statute, the assets, liabilities and contracts of the partnership become the assets, liabilities and contracts of the DST. Delaware’s conversion statute expressly directs that the conversion shall not be construed as a transfer of assets or liabilities from the partnership to the DST, operating in a manner akin to a corporate merger statute. The DST is regarded as a continuation of the partnership for state law purposes.

If structured correctly, the DST will qualify as an investment trust, and each partner becomes a grantor-beneficiary. The DST can then sell the property, and each beneficiary can decide how to reinvest their share of the proceeds.

Because the conversion happens without formally transferring the partnership’s assets—thanks to Delaware law—the DST remains the same taxpayer that signed the purchase and sale agreement. This approach helps avoid violating the Section 1031 same taxpayer rule, similar to how corporate mid-exchange mergers are handled.

The structuring approach we describe employs (for California and states with similar conversion laws) the authority in the California Corporations Code at Chapter 11.5, Sections 1150 through 1159, which authorize the statutory conversion of a CA LLC or LP into “another foreign entity.” The Delaware conversion law anticipates that the existing jurisdictional state has such authorizing legislation, so the two sets of laws fit together neatly.

For estate planning, DSTs offer step-up in basis for beneficiaries, and can be more easily divided among heirs than real estate that is owned directly.

Avoiding the Deadly Sins

Investors planning a DST conversion need to be aware of “Seven Deadly Sins,” a reference to seven IRS-imposed restrictions outlined in Revenue Ruling 2004-86. These rules are designed to ensure DSTs qualify for 1031 exchange treatment by maintaining their passive investment nature.

Here’s a breakdown of each “sin”:

1. No Additional Capital Contributions

Once a DST offering is closed, no new equity can be added—neither by current nor new investors. This prevents dilution of ownership and maintains the trust’s original structure.

2. No New Borrowing or Loan Renegotiation

DST trustees cannot borrow new funds or renegotiate existing loans unless there’s a loan default due to tenant bankruptcy or insolvency. This ensures financial stability and predictability.

3. No Reinvestment of Sale Proceeds

Proceeds from the sale of DST property must be distributed to investors. The trust cannot reinvest these funds, preserving the passive nature of the investment.

4. Limited Capital Expenditures

Trustees may only spend on routine maintenance, minor non-structural improvements, or legally required upgrades. Major renovations are prohibited.

5. Restricted Cash Investments

Any cash reserves must be invested in short-term, highly liquid instruments. This ensures funds are readily available and not tied up in long-term investments.

6. Mandatory Cash Distribution

All excess cash (except necessary reserves) must be distributed to investors regularly, reinforcing the passive income model.

7. Limited Lease Activities

Trustees cannot enter new leases or renegotiate existing ones, unless a tenant is bankrupt or insolvent. This maintains lease stability and avoids active management.

These restrictions are essential for DSTs to maintain their eligibility for 1031 exchanges. While they help preserve tax advantages and passive ownership, they also limit flexibility. Investors should weigh these carefully when considering DSTs.

Investors also need to understand several practical considerations:

  • The conversion will, in many instances, violate loan covenants, so it is important to engage the existing lender to obtain consent to restructure (the lender may charge a fee).
  • Investors should also consider title insurance, since their existing policy may no longer apply once the entity is converted.
  • A local tax assessor may try to revalue the property due to misunderstanding the nature of the transaction; proactive engagement is suggested.

Other Restrictions

While the flexibility and tax advantages of a synthetic drop and swap can be compelling, investors need to consider the potential risks and roadblocks.

For instance, DST investments are generally illiquid, with no active secondary market for selling interests. This means investors may be unable to exit the investment easily if their goals or needs change.

Similarly, DST investors have limited control over the investment and property management decisions, as they rely on the DST sponsor or trustee. This passive nature may not suit investors who prefer active involvement.

As with any complex real estate strategy, it’s important for investors to understand the potential advantages and risks, and to conduct thorough due diligence before investing in a DST. Consulting with financial and tax advisors is recommended to understand the potential benefits and implications for an individual’s specific goals and circumstances.

Contact us to learn more about the synthetic drop and swap, and other tax planning services.

Understanding CMMC and Its Critical Deadlines

In response to growing cyberattacks targeting defense contractors and subcontractors, the Department of War (DOW) created the Cybersecurity Maturity Model Certification (CMMC) program to strengthen the security posture of the U.S. Defense Industrial Base (DIB).

CMMC is a verification framework designed to ensure contractors handling Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) have implemented the appropriate cybersecurity protections.

The CMMC program is designed to support the goal of safeguarding sensitive government data across the defense supply chain by standardizing and enforcing security expectations for contractors and their partners.

What Is CMMC 2.0?

CMMC 2.0 introduces a structure with three compliance levels, with each level reflecting the sensitivity of the data being handled and the rigor of the appropriate cybersecurity measures.

Level 1: Foundational

Designed for organizations that handle only Federal Contract Information (FCI), Level 1 requires implementation of 15 basic cybersecurity practices outlined in FAR 52.204-21. These practices focus on safeguarding systems from common threats like unauthorized access and data loss.

The Level 1 requirements are based on organizations completing an annual self-assessment and submitting an affirmation of compliance.

Example of Who Needs Level 1

Industry/Function (example data handled):

  • Basic Manufacturers: Contract details, delivery schedules, and purchase orders.
  • General Service Providers: Janitorial services, landscaping, catering, or other services that do not touch sensitive systems.
  • Commercial Off-the-Shelf (COTS) Suppliers: Companies providing standard, unmodified commercial products (note: COTS product providers are generally exempt from CMMC, but the service providers they use may need Level 1).

Level 2: Advanced

Level 2, which applies to organizations that handle Controlled Unclassified Information (CUI), requires adherence to 110 security controls based on the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171).

Level 2 assessment requirements vary:

  • For “prioritized” acquisitions (systems, services, or capabilities critical to national security or mission success), a triennial third-party assessment must be conducted by a Certified Third-Party Assessment Organization (C3PAO).
  • For “non-prioritized” acquisitions, organizations may complete an annual self-assessment.

Example of Who Needs Level 2

Industry/Function (example data handled):

  • Aerospace & Defense Subcontractors: Manufacturing blueprints, test procedures, engineering designs, and technical specifications.
  • IT & Managed Service Providers (MSPs/MSSPs): Companies managing network security, email, or cloud infrastructure for other defense contractors that contain CUI.
  • Research & Development (R&D) Firms: Early-stage design information, research data, or analysis related to DOW programs.
  • Specialized Component Manufacturers: Companies making custom parts for weapons systems, aircraft, or sensitive technology.

Level 3: Expert

Reserved for organizations managing the most sensitive CUI, often in environments targeted by Advanced Persistent Threats (such as sophisticated attacks by nation-state actors), Level 3 builds on the NIST SP 800-171 controls and adds a subset of requirements from NIST SP 800-172.

Assessments at this level are conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Example of Who Needs Level 3

Industry/Function (example data handled):

  • Major Defense Prime Contractors: Large firms handling weapon system development and integration.
  • Key Intelligence & Warfare Support: Companies involved in highly sensitive research, intelligence gathering, or operational technology for critical missions.
  • Developers of Highly Sensitive Technology: Contractors working on classified program components or data that could significantly impact national security if compromised.

Scope and Applicability

CMMC applies to all defense contractors and subcontractors that handle FCI or CUI. This includes prime contractors and their supply chains. The “flow-down” requirement means subcontractors may need to meet the same compliance level as the prime contractor when handling sensitive data.

Commercial off-the-shelf (COTS) products are exempt from CMMC requirements, but most service providers and manufacturers in the DIB will need to comply.

The CMMC Compliance Timeline and Key Deadlines

The final rules for CMMC have been published in the Federal Register under 32 CFR and 48 CFR. The rollout will occur in phases, giving contractors time to prepare.

Phase 1: Enforcement Begins

On November 10, 2025, CMMC requirements began appearing in new DOW solicitations and contracts. At this stage, Level 1 and Level 2 self-assessments are required for contract eligibility.

Phase 2: Third-Party Assessments Introduced

On November 10, 2026, contracts involving prioritized CUI will begin requiring third-party assessments for Level 2 compliance. Organizations should plan ahead to schedule and complete these assessments.

Full Implementation Across New Contracts

By November 10, 2026, all new defense contracts will include CMMC requirements. Contractors must have a valid certification or self-assessment recorded in the Supplier Performance Risk System (SPRS) to be eligible for award.

Full Operational Rollout

CMMC is expected to be fully integrated across all applicable defense contracts by 2028. At that point, compliance will be a standard requirement for doing business with the DOW.

The Path to Compliance: What Contractors Must Do Now

With deadlines approaching, contractors and subcontractors must take proactive steps to prepare:

1. Determine Your Required Level

Start by identifying the type of data your organization handles. If you work with FCI, Level 1 may be sufficient. If you handle CUI, you’ll likely need to meet Level 2 or Level 3 requirements.

2. Perform a Gap Analysis

Conduct a thorough self-assessment against the required security controls. For Level 2, this means evaluating your environment against all 110 controls outlined in NIST SP 800-171 r2. The goal is to identify gaps and prioritize remediation.

3. Develop a System Security Plan (SSP)

An SSP is a mandatory document that outlines your cybersecurity environment, including implemented controls and how they are implemented. It serves as the foundation for your assessment and must be kept up to date.

4. Submit to SPRS

Once your assessment is complete, whether self-assessed or validated by a C3PAO, you must submit the results to the DoD’s Supplier Performance Risk System. This includes an affirmation of compliance and supporting documentation.

5. Understand the Role of C3PAOs

C3PAOs are authorized to conduct Level 2 assessments for prioritized acquisitions. Engaging a C3PAO early can help avoid delays and ensure your organization is ready when enforcement begins.

How Registered Practitioner Organizations Can Help

A Registered Practitioner Organization (RPO) can play an important role in helping companies prepare for CMMC certification. Their support can be valuable during the early stages of readiness, where understanding and implementing the necessary cybersecurity controls can be challenging.

One of the primary ways an RPO contributes is by helping organizations interpret the CMMC framework and its alignment with the requirements of NIST SP 800-171 r2. This involves clarifying each level of certification and how those requirements apply to the organization’s specific environment.

RPOs often begin with a readiness assessment or gap analysis to identify where the organization’s current cybersecurity posture falls short of CMMC requirements. This analysis results in a clear roadmap for remediation, allowing the organization to prioritize actions and allocate resources effectively.

Beyond identifying gaps, RPOs assist in developing and implementing the technical controls, policies, and procedures needed to meet CMMC requirements. This includes helping with Controlled Unclassified Information (CUI) scoping, risk management strategies, and system hardening.

They also support the creation of documentation critical for passing a formal CMMC assessment, such as:

  • System Security Plans (SSPs)
  • Plans of Action and Milestones (POA&Ms)
  • Incident response plans
  • Risk assessments

RPOs may also provide training and education to internal teams to ensure team members are equipped to maintain compliance over time.

Some RPOs offer ongoing monitoring and advisory services to help organizations address evolving standards and threats.

RPOs can also assist Organizations Seeking Assessment (OSAs) during their C3PAO assessment as subject matter experts, helping OSAs understand the questions being asked and deliver the appropriate evidence to the C3PAO. It’s good to have a trusted advisor during stressful assessments.

Providing a Competitive Edge

CMMC has evolved from a future consideration into an active requirement with fast-approaching deadlines. Organizations that fail to comply risk losing access to defense contracts and exposing sensitive information to cyber threats.

In contrast, contractors that demonstrate CMMC compliance will be well-positioned to compete in the defense marketplace.

To learn more about CMMC compliance, contact us.


Essential Eight Strategies for Reducing Risk and Building Cyber Resilience

Cyberattacks are becoming more frequent and sophisticated, making proactive defense a business necessity. Essential Eight is a framework of eight baseline strategies designed to stop the most common threats.

This article breaks down each strategy and shares practical examples to help leaders understand how the Essential Eight can strengthen resilience and protect their organization.

Application Control: The Gatekeeper

What it is:

A security measure that allows only a pre-approved list of applications to run on a computer. This prevents unauthorized and malicious software from being executed.

Real-World Example:

A company uses a digital “whitelist” to ensure only approved software like Microsoft Office and its specific project management tool can run. When an employee tries to install a free, unapproved application downloaded from the internet, the system blocks it automatically and prevents a potential malware infection.

Patch Applications: Closing the Security Holes

What it is:

The process of regularly updating all software (e.g., web browsers, PDF readers, office suites) to fix security vulnerabilities.

Real-World Example:

An IT department is alerted to a new vulnerability in its web browser. Using an automated system, they push the patch to every computer within 48 hours, preventing an attack that has already been observed in the wild.

Configure Microsoft Office Macro Settings: Disarming a Common Weapon

What it is:

The practice of disabling or tightly controlling macros, which are small programs often embedded in Office documents and used by attackers to deliver malware.

Real-World Example:

A finance employee receives an email with an Excel spreadsheet that claims to contain an invoice. Because the company has configured macros to be disabled by default for internet-sourced files, the malicious code inside the macro is never executed when the employee opens the file.

User Application Hardening: Securing the Sandbox

What it is:

The practice of configuring user-facing applications, like web browsers and media players, to block or disable known attack vectors.

Real-World Example:

An organization configures its web browsers to block pop-up ads and Flash content by default. This simple configuration prevents a user from accidentally interacting with a malicious ad that could lead to a malware infection.

Restrict Administrative Privileges: The Principle of Least Privilege

What it is:

Limiting the special access rights (administrator privileges) that users have on a system. Users are only given the permissions they need to do their jobs.

Real-World Example:

A systems administrator uses a separate, non-administrator account for daily tasks like checking email and browsing the web. They only log into their administrator account when they need to perform specific, privileged actions, like installing software. If their standard email account is compromised, the attacker can’t access the network’s core systems.

Patch Operating Systems: Securing the Foundation

What it is:

The process of keeping the core operating systems (e.g., Windows, macOS, Linux) on all devices up to date with the latest security patches.

Real-World Example:

A new critical vulnerability is found in the Windows operating system. The IT team uses an automated tool to push the patch to all company computers overnight, preventing a large-scale attack that could affect the entire network.

Multi-Factor Authentication (MFA): The Second Lock on the Door

What it is:

A security method that requires users to provide two or more verification factors to gain access to an account.

Real-World Example:

A marketing manager tries to log into the company’s customer relationship management (CRM) system. After entering their password, a notification is sent to their phone, and they must approve the login before they can access the account. Even if their password was stolen, a hacker couldn’t log in without access to the user’s phone.
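The phone-based second factor in the example is usually a one-time code derived from a shared secret and the current time. The following is an added illustration, not code from the original article or from any MFA product: a minimal RFC 4226 HOTP / RFC 6238 TOTP implementation with the server-side checks a practitioner would want, namely a small clock-drift window, constant-time comparison, and rejection of a code that has already been used. The secret is the RFC test-vector key (a constructed value); the account and issuer names in the provisioning URI are assumptions.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP, the mechanism behind authenticator-app MFA (added example)."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret: the RFC 4226/6238 test-vector key. A real deployment
# generates a random 20-byte secret per user, e.g. secrets.token_bytes(20).
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a 64-bit moving counter."""
    msg = struct.pack(">Q", counter)                       # counter as big-endian uint64
    digest = hmac.new(secret, msg, hashlib.sha1).digest()  # 20-byte HMAC-SHA-1
    offset = digest[-1] & 0x0F                             # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP over the number of `step`-second intervals elapsed."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret: bytes, code: str, now: float, last_counter: Optional[int] = None,
                window: int = 1, step: int = 30, digits: int = 6) -> Optional[int]:
    """Server-side check. Returns the matching counter, or None if the code is rejected.

    - Accepts codes from `window` steps either side of now to tolerate clock drift.
    - Rejects any counter <= last_counter, so a stolen code cannot be replayed; the
      caller stores the returned counter as the user's new last_counter.
    - Uses hmac.compare_digest so comparison time does not leak matching digits.
    """
    counter = int(now) // step
    for candidate in range(counter - window, counter + window + 1):
        if last_counter is not None and candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI (the QR-code payload) that enrolls the secret in an authenticator app."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            f"&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    # Assumed account and issuer names for the demo enrollment.
    print(provisioning_uri(DEMO_SECRET, "manager@example.com", "ExampleCRM"))
    now = time.time()
    code = totp(DEMO_SECRET, now)
    used = verify_totp(DEMO_SECRET, code, now)
    print("first use accepted, counter:", used)
    print("replay accepted?", verify_totp(DEMO_SECRET, code, now, last_counter=used) is not None)
```

The point the example makes beyond the prose: the code proves possession of the secret only for the interval in which it was generated, and only once, so an attacker who captures a code in transit gains nothing after the user has logged in or the interval has passed.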

Regular Backups: The Final Safety Net

What it is:

The practice of creating regular, offline, and verifiable backups of all important data.

Real-World Example:

A law firm is hit with a ransomware attack that encrypts all its client files. Because the firm has a recent, tested, and offline backup, it can wipe the affected systems and restore the data without loss, avoiding the ransom payment.
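A backup is only "verifiable" if something checks it. The following is an added example, not code from the original article: a SHA-256 manifest is recorded when the backup is taken and sealed with its own digest (to be kept off the backup media), and a later verification pass reports files that were modified, removed or added, which is exactly what an encryption event looks like on a backup set that was reachable from the network. The file names and contents are constructed for the demo.

```python
"""Hash-manifest verification of a backup set (added example with constructed data)."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal_manifest(manifest: dict) -> str:
    """Digest of the canonical manifest; record it out of band (e.g. on the media label)."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify_backup(root: Path, manifest: dict, expected_seal: str) -> dict:
    """Compare the backup set against its manifest and report every discrepancy."""
    if seal_manifest(manifest) != expected_seal:
        raise ValueError("manifest does not match its seal; treat the manifest as untrusted")
    current = build_manifest(root)
    report = {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }
    report["ok"] = not (report["modified"] or report["missing"] or report["unexpected"])
    return report


def demo() -> dict:
    """Constructed scenario: back up three files, then simulate an encryption event and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "clients").mkdir(parents=True)
        (root / "clients" / "matter-001.docx").write_bytes(b"constructed client file 1")
        (root / "clients" / "matter-002.docx").write_bytes(b"constructed client file 2")
        (root / "ledger.csv").write_bytes(b"date,amount\n2025-01-01,100.00\n")

        manifest = build_manifest(root)
        seal = seal_manifest(manifest)
        before = verify_backup(root, manifest, seal)

        # Simulated ransomware: one file overwritten with "ciphertext" (XOR stands in for
        # encryption), one file deleted, and a ransom note dropped into the tree.
        target = root / "clients" / "matter-001.docx"
        target.write_bytes(bytes(b ^ 0x5A for b in target.read_bytes()))
        (root / "ledger.csv").unlink()
        (root / "README_RESTORE.txt").write_bytes(b"constructed ransom note")
        after = verify_backup(root, manifest, seal)
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the verification against the offline copy before restoring from it; a backup whose manifest check fails should not be trusted as the clean baseline.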

Visit our Essential Eight page to see how you can leverage the framework to protect your organization with guidance from Sensiba.

Navigating CTAPP Compliance Reviews

Client trust accounts are central to the attorney-client relationship, safeguarding more than $14 billion in client funds across California. To strengthen public protection and address longstanding concerns, the State Bar launched the Client Trust Account Protection Program (CTAPP). This initiative focuses on proactive regulation, attorney education, and early detection of potential misconduct.

CTAPP sets three annual requirements for attorneys:

  1. Certification of knowledge and compliance with Rule 1.15
  2. Registration of all trust accounts, IOLTA and non-IOLTA
  3. Completion of a self-assessment on client trust account management

The next and most impactful stage of this initiative is the Compliance Review. Unlike the annual filings, this phase involves independent oversight. As one of the few State Bar–approved Certified Public Accountant (CPA) firms, we perform these reviews to help attorneys demonstrate adherence to the highest fiduciary standards.

What Is a CTAPP Compliance Review?

The Compliance Review is an Agreed-Upon Procedures (AUP) engagement. While the procedures performed can be similar, this engagement is not an audit, and the CPA does not provide an opinion or assurance about the attorney’s financial position or the results of the procedures.

Instead, the CPA performs specific procedures mandated by the State Bar and reports factual findings. The purpose is straightforward: to evaluate an attorney’s compliance with California Rules of Professional Conduct, Business and Professions Code, and related client trust accounting rules and statutes.

How Attorneys Are Selected

In the early phases of CTAPP, attorney selection is random. Over time, the State Bar may also consider risk-based criteria. Most importantly, being selected is not an indication of misconduct.

Scope of the Review

A Compliance Review typically covers at least one full calendar year of trust account activity. Core areas include:

  • Trust accounting records such as ledgers, journals, and monthly three-way reconciliations
  • Timely client notification of funds received (within 14 days)
  • Distribution of undisputed funds (within 45 days)
  • Adequacy of supervision and internal controls related to the trust accounting

The Compliance Review Process: Step-by-Step for the Attorney

Notification and CPA Selection

When the State Bar notifies an attorney that they have been selected, it sends an initial records request along with a request for the name of the approved CPA firm the attorney has engaged to perform the mandatory compliance review. It’s the attorney’s responsibility to engage an approved CPA within 30 days.

The cost of a CTAPP compliance review generally ranges from $5,000 to $12,000. However, fees may increase depending on the complexity of the trust account activity, the quality of recordkeeping, and the timeliness of responses during the engagement. Poor documentation or delayed communication can lead to extended review times and higher costs.

CPA Engagement and Information Request

Once engaged, the CPA and attorney enter into an agreement in the form of an engagement letter, and this will be communicated to the State Bar. Once the State Bar is notified of the attorney’s selected CPA firm, the initial records obtained by the State Bar will be forwarded to that CPA.

The CPA will coordinate with the attorney to establish a timeline that aligns with the State Bar deadline and accommodates the attorney’s availability. Following this, the CPA will make selections and issue a second records request, with items due according to the agreed-upon schedule.

Execution of Procedures and Reporting

The CPA performs the agreed-upon procedures on selected trust account records and transactions, applying the methodology and requirements set forth by the State Bar. The CPA will report factual findings to the State Bar and the attorney for review prior to finalization.

Confidentiality and Privilege

Attorneys often worry about confidentiality. Business and Professions Code section 6091.4 ensures privilege, confidentiality, and work product protections remain intact for information provided during a Compliance Review.

Potential Outcomes and Next Steps

Following a mandatory compliance review, attorneys may receive one of several outcomes:

  • Confirmation of compliance with no further action
  • Recommendations for improving trust account practices
  • A Mandatory Corrective Action Plan (MCAP) for minor to moderate issues
  • Escalation to an investigative audit or referral to the Office of Chief Trial Counsel for significant or unresolved issues

Most outcomes are corrective rather than punitive, reinforcing CTAPP’s focus on education and prevention.

How Attorneys Can Prepare Proactively

Attorneys can reduce risk and streamline compliance by implementing sound practices, including:

  • Performing monthly three-way reconciliations across bank statements, trust account journals, and client ledgers
  • Maintaining complete client ledgers with date, payor/payee, purpose, amount, and running balances
  • Establishing written trust account policies and procedures, including appropriate internal controls and oversight by the designated attorney
  • Ensuring the 14-day notification and 45-day distribution requirements are consistently documented and adhered to
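The monthly three-way reconciliation named above, as an added example that is not part of the original article: the bank statement, the trust account journal and the client ledgers are compared after adjusting for items booked in the journal that have not yet cleared the bank, and each client ledger is replayed to catch a negative running balance. The clients, references and amounts are constructed sample data.

```python
from dataclasses import dataclass
from decimal import Decimal

# Added example with constructed data: three-way reconciliation of a client trust account.
# Side 1: bank statement (ending balance plus the references that have cleared).
# Side 2: trust account journal (every deposit and disbursement, tagged by client).
# Side 3: client ledgers (per-client entries kept separately from the journal).

@dataclass(frozen=True)
class JournalEntry:
    ref: str         # deposit or check reference
    client: str
    amount: Decimal  # positive = deposit, negative = disbursement

def reconcile(bank_ending_balance, cleared_refs, journal, client_ledgers):
    """Return a list of findings; an empty list means all three sides agree."""
    findings = []
    journal_balance = sum((e.amount for e in journal), Decimal("0"))
    # Timing items: booked in the journal but not yet on the statement.
    # Adjusted bank = statement balance + deposits in transit - outstanding checks.
    timing = sum((e.amount for e in journal if e.ref not in cleared_refs), Decimal("0"))
    adjusted_bank = bank_ending_balance + timing
    if adjusted_bank != journal_balance:
        findings.append(f"bank vs journal: adjusted bank {adjusted_bank} != journal {journal_balance}")
    # Replay each client ledger; a negative running balance means one client's
    # disbursement was covered with another client's funds.
    ledger_total = Decimal("0")
    for client, entries in sorted(client_ledgers.items()):
        running, flagged = Decimal("0"), False
        for amt in entries:
            running += amt
            if running < 0 and not flagged:
                flagged = True
                findings.append(f"client ledger {client}: running balance negative ({running})")
        ledger_total += running
    if ledger_total != journal_balance:
        findings.append(f"journal vs ledgers: journal {journal_balance} != ledgers {ledger_total}")
    return findings

# Constructed sample month: CHK-2002 is written but has not cleared the bank yet.
D = Decimal
JOURNAL = [JournalEntry("DEP-101", "Smith", D("10000.00")), JournalEntry("CHK-2001", "Smith", D("-2500.00")),
           JournalEntry("DEP-102", "Jones", D("4000.00")), JournalEntry("CHK-2002", "Jones", D("-4500.00"))]
CLIENT_LEDGERS = {"Smith": [D("10000.00"), D("-2500.00")], "Jones": [D("4000.00"), D("-4500.00")]}
BANK_ENDING, CLEARED = D("11500.00"), {"DEP-101", "CHK-2001", "DEP-102"}

if __name__ == "__main__":
    for finding in reconcile(BANK_ENDING, CLEARED, JOURNAL, CLIENT_LEDGERS):
        print(finding)   # flags the Jones ledger going negative
```

In the sample month all three totals agree once the outstanding check is adjusted for, yet the Jones ledger still goes negative, which is exactly the kind of defect a balance-only comparison would miss.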

Partnership in Public Protection

CTAPP is designed to enhance trust in the legal profession by ensuring client funds are managed responsibly. Compliance Reviews provide an independent, structured assessment that supports public protection and attorney competence.

Rather than viewing the compliance review as punitive, attorneys can treat it as an opportunity to confirm best practices and gain assurance that their fiduciary responsibilities are being met.

We are committed to guiding attorneys through the review process with professionalism, objectivity, and respect for the confidential nature of client trust accounting records.

If you have been selected for a CTAPP compliance review or would like to understand the process, please contact us.

Automated Reconciliation Software for Financial Institutions: How to Choose the Right Solution

Automated reconciliation software goes beyond transaction matching to support financial integrity, operational efficiency, and accurate reporting. For credit unions and multi-branch institutions, automating manual reconciliation processes reduces operational strain, ensures regulatory compliance, and frees staff to focus on higher-value strategic analysis.

The goal is a comprehensive Record-to-Report (R2R) system that provides a holistic view of the organization’s financial health through balance sheet reconciliation, intercompany eliminations, and variance analysis.

Choosing the right platform to support this vision requires evaluating functionality, integration, user experience, and vendor viability. Applying a careful assessment approach ensures automation today while providing scalability for future growth, increased transaction volume, and evolving accounting standards.

Functionality Assessment: Beyond Basic Matching

This initial phase moves past simple transaction aggregation to assess the core engine, which must manage complex matching logic and high-volume data crucial for operational continuity and accurate financial reporting.

Transaction Matching Capability

High-volume processing is crucial for institutions that handle millions of daily card transactions and electronic payments. Effective software must process these quickly without bottlenecks. Intelligent matching rules are essential because they support one-to-many, many-to-one, and multi-criteria matches, ensuring complex transactions are reconciled accurately.

Automated exception handling further improves efficiency, reduces errors, and keeps the close process on track. It does this by flagging unmatched items and routing them to the correct staff member for immediate resolution.

Financial Close Management

A robust R2R system should include pre-built templates for common balance sheet accounts, such as accrued expenses, prepaid items, and loans held for sale. These templates standardize reconciliation and reduce the risk of omissions. Enforced, system-driven sign-off workflows provide automatic audit trails for every reconciled account, reinforcing internal controls.

Real-time reporting dashboards give finance teams visibility into close status, tracking progress by percentage complete and estimated time remaining. This transparency supports timely decision-making and enables proactive issue resolution.

Intercompany and Intracompany Eliminations

Automating the elimination of intercompany transactions ensures clean consolidated financial statements for multi-branch or multi-entity institutions. This functionality removes the manual burden of reconciling internal transfers, reduces errors, and ensures accurate and reliable regulatory reporting.

See how tools like BlackLine automate intercompany eliminations and complex consolidation for multi-entity firms.

Technical and Data Requirements

Once core functionality is confirmed, the next critical step is ensuring the platform can integrate securely with your existing General Ledger (GL) and core banking systems while offering the scalability necessary to handle future institutional growth.

Integration and Connectivity

Seamless, two-way integration with the primary GL is non-negotiable. The software must extract transactions from the GL, post adjusting journal entries, and maintain secure connectivity throughout. Data ingestion capabilities should support multiple sources across formats such as APIs, CSV, and flat files, including core banking systems, bank feeds, and payment processors.

Scalability is essential to accommodate growth from new products, mergers, or acquisitions without impacting performance.

Security and Compliance

Data protection must meet bank-grade security standards, including encryption and strict access controls. The system should support regulatory compliance, particularly for National Credit Union Administration (NCUA) reporting, and enforce internal controls with complete audit trails and change management logs. These features reduce risk and streamline regulatory reporting.

Deployment Model

Institutions must weigh the benefits of cloud-based software (SaaS) against on-premise deployments. Cloud solutions offer lower maintenance, remote accessibility, and predictable updates. On-premise systems provide tighter control and customization options, which may be necessary for highly regulated or complex environments.

Implementation, Training, and Support

Even the most powerful software will fail without proper adoption, making a positive user experience (UX), structured implementation, and reliable vendor partnership essential for realizing a fast and complete return on investment.

User Experience (UX)

A user-friendly interface accelerates accounting staff adoption and reduces errors. The software should be easily configurable, allowing finance teams to set rules and build templates without constant IT intervention. Avoid solutions that require extensive coding or customization for routine updates.

Vendor Expertise and Partnership

Vendors with experience in financial services understand regulatory nuances and can offer smoother implementation. A clear, structured timeline for setting up and going live is essential to manage expectations and minimize disruption.

Ongoing support, including 24/7 technical assistance and a transparent roadmap for future product enhancements, ensures the institution can continue to optimize processes over time.

Creating a Due Diligence Checklist

With any successful implementation, a pilot phase is critical. Prioritize a Proof of Concept (POC) or pilot test on a single complex account to validate core functionality before full deployment. This approach allows teams to confirm performance, integration, and exception handling in a controlled setting.

Key metrics for final selection should emphasize time to value (how quickly the institution realizes ROI) and future-proofing (whether the system scales with institutional growth and adapts to evolving accounting standards).

Ultimately, the right platform transforms accounting from a transactional function into a strategic analysis unit. By providing control, visibility, and automation, the software enables finance teams to focus on insight, decision-making, and operational efficiency.

Careful assessment of functionality, technical requirements, user experience, and vendor expertise ensures your selection delivers long-term benefits and positions the organization for sustainable financial success.

Get connected with our team to learn more about our software services.

How Essential Eight Improves Business Cybersecurity

Cyberattacks are a daily reality for businesses of every size, bringing risks of financial loss, reputational damage, and operational disruption. From ransomware to phishing scams, the consequences of poor security can be severe, yet many leaders still find cybersecurity overwhelming or overly technical.

That’s why the Australian Cyber Security Centre (ACSC) created the Essential Eight, a framework that offers a practical approach by outlining eight core strategies proven to defend against the most common cyber threats.

This article highlights the framework in simple terms to help business leaders understand what it means and how to get started.

What Is the Essential Eight?

The Essential Eight framework sets out baseline mitigation strategies to help organizations proactively defend against cyberattacks (rather than simply reacting to them).

While the framework was developed for Australian Government agencies, it is now widely recognized as an effective standard for any organization that uses IT systems to store, process, or transmit sensitive data.

The framework is structured as a tiered maturity model (Levels One, Two, and Three), enabling organizations to begin at a foundational level and strengthen their defenses progressively. This approach provides a clear roadmap for improving resilience, helping organizations assess their current posture and advance to higher levels of cybersecurity maturity.

The Eight Essential Controls: A Business-Focused Breakdown

The eight controls identified by the ACSC include:

  • Application Control – Prevent unauthorized applications (including malware) from executing by whitelisting approved software.
  • Patch Applications – Regularly apply security patches and updates to third-party applications to mitigate known vulnerabilities.
  • Restrict Microsoft Office Macro Settings – Restrict or disable macros to reduce the risk of malicious code execution.
  • User Application Hardening – Secure common applications (e.g., web browsers, PDF readers) by disabling risky features like Flash, ads, or Java.
  • Restrict Administrative Privileges – Limit privileged accounts and enforce strict approval processes to reduce the attack surface.
  • Patch Operating Systems – Apply updates and security patches to operating systems quickly to protect against exploitation.
  • Multi-Factor Authentication (MFA) – Require multiple forms of authentication (something you know, have, or are) for access to systems and applications.
  • Regular Backups – Perform frequent, automated backups of critical data, and test restoration procedures to ensure recoverability.

Why Your Organization Needs the Essential Eight

The Essential Eight framework goes beyond simply outlining security controls to provide a practical path to reducing risk, protecting reputation, and ensuring operational resilience. Here’s why it matters to your business:

Reduced Risk of Cyberattacks

By implementing the Essential Eight strategies, organizations can significantly lower the likelihood of a successful breach. Each control addresses common attack vectors directly, helping to stop threats before they cause harm.

Improved Business Resilience

Incidents are inevitable, but prolonged downtime doesn’t have to be. The Essential Eight strengthens your ability to withstand and recover from cyberattacks, minimizing disruption, financial loss, and operational impact.

Enhanced Reputation and Customer Trust

Strong cybersecurity practices signal to clients, partners, and stakeholders that your organization takes security seriously. Adopting the Essential Eight can build confidence, strengthen relationships, and provide a competitive edge.

Compliance and Due Diligence

Increasingly, regulators and customers expect demonstrable security controls. Aligning with the Essential Eight helps your organization meet compliance obligations while showcasing a proactive commitment to protecting sensitive data and systems.

A Step-by-Step Approach for Leaders

Step 1: Get a Baseline

Begin with a simple cybersecurity gap assessment to understand where your organization stands today. This doesn’t need to be overly complex. The goal is to highlight obvious gaps and risks so you know what needs attention first.

Step 2: Start with the Basics

Focus on the “low-hanging fruit.” The Essential Eight is designed to be implemented progressively through its Maturity Model, so start with the controls that bring the biggest improvement for the least effort, such as enforcing multi-factor authentication or ensuring regular software updates. Small wins build momentum. A good place to start is by assessing readiness against Level One.

Step 3: Communicate and Educate

Getting buy-in across your leadership team and staff is crucial. Make sure employees understand why new practices are being introduced and how they protect the business. Fostering a culture of cybersecurity helps reduce human error, which is one of the biggest risks.

Step 4: Seek Expert Help

As you move into the more advanced Essential Eight strategies, things can become more complex. That’s the right time to engage a cybersecurity professional like Sensiba. Our team can help assess your current readiness, identify key next steps, and perform an independent assessment to provide trusted assurance over your Essential Eight practices.

Secure Your Business’s Future

The Essential Eight provides organizations with a clear, practical roadmap to strengthen cybersecurity defenses in a structured and measurable way. Adopting the framework is not just about compliance; it is about safeguarding the continuity, reputation, and long-term success of your organization.

Engaging the right partner is key to helping you navigate this compliance journey. Reach out to Sensiba today.