What is a Certified B Corporation?

The business community has seen a shift in recent years, with many companies using business as a tool for social and environmental change. These businesses are leveraging their work to build healthy, equitable, and regenerative communities as part of a trend reflected in movements and certifications like the B Corporation.

B Corporation Definition

The basic definition of a B Corporation or certified B Corp is a for-profit company that uses its business as a force for social and environmental good. This may include, for example, an ice cream company that uses its flavors to create awareness of critical social issues. Or a toilet paper company that donates 50 percent of their profits toward clean water and toilets for everyone.

Every B Corp company considers the impact of its business decisions on not just shareholder value, but on all stakeholders across the value chain.

Becoming a Certified B Corp

Each certified B Corp has completed a multi-question, robust assessment of their social and environmental performance as an organization, and supplied documentation to validate their answers on the assessment.

The assessment is then audited for high levels of accountability and transparency by the oversight organization, B Lab.

The B Corp Certification Journey: From Registration to Recertification

Becoming a Certified B Corporation is a rigorous, multi-step process designed to ensure companies meet the highest standards of social and environmental performance, accountability, and transparency.

It looks at seven different areas of a company:

  • Purpose and stakeholder governance
  • Fair work
  • Justice, Equity, Diversity, and Inclusion (J.E.D.I.)
  • Human rights
  • Climate action
  • Environmental stewardship and circularity
  • Government affairs and collective action

There are also foundational requirements that ensure companies meet B Lab’s fundamental eligibility before they progress to the Impact Topic requirements.

Here’s how the journey unfolds:

1. Registration and Setup

The evaluation process begins when a company registers in the B Impact platform and completes its Assessment Setup.

2. Foundation Requirements Review

Next, the company reviews B Lab’s Foundation Requirements—baseline standards of eligibility—and B Lab confirms the company qualifies to move forward.

3. Scoping the Certification

Together, the company and B Lab define the certification scope, determining which legal entities and brands are included and where the B Corp logo may be used.

4. Completing the Self-Assessment

The company then conducts a comprehensive Self-Assessment against the B Lab Standards (currently Version 2.1) within the B Impact platform.

5. Submission and Assurance Assignment

After submission, B Lab assigns an independent assurance provider to oversee the audit and verification process.

6. The Audit

The assurance provider conducts a structured audit (onsite or remote) to validate the company’s performance and documentation.

7. Audit Report and Corrective Actions

Following the audit, the company receives a detailed report outlining any nonconformities. Major issues must be resolved before certification can be granted; minor ones can be addressed in the next cycle.

8. Certification Issuance

Once all requirements are met, B Lab issues the B Corp certificate, which is valid for five years.

9. Ongoing Surveillance and Recertification

Certified companies undergo periodic audits throughout the certification cycle, with frequency determined by their size and sector, ensuring continued alignment with evolving standards.

What Are the Benefits of Becoming Certified?

There are several benefits to becoming a certified B Corporation. Here are the top five benefits that are touted most often.

Broader Management Goals

Choosing to be a B Corp allows you to pursue broader management goals. Running a traditional for-profit business, your investors expect you to focus solely on shareholder value. That can make you a servant to your profitability.

With a B Corp, your investors, employees, and customers know from the get-go that your goals are much larger than simply turning a profit. This gives you greater latitude to manage your business as you desire, focusing on producing the most meaningful results for your business’s mission.

Concentrating on Non-Financial Metrics

Financial metrics are important, but they only tell a short-term story about an organization’s profitability. Non-financial metrics tell a much richer account of a business’s overall health and grant you a longer view of the broad range of risks facing an organization. Economists and business experts now see that the top five risks within many companies are Environmental, Social, and Governance (ESG) concerns.

Certification can help you identify and mitigate these risks. Frameworks like B Corp certification allow a business owner to benchmark and measure a host of non-financial metrics that have been typically hard to measure in the past.

Attracting Top Talent

B Corps are attracting top talent, especially among employees who seek purpose in their careers. Certification helps promote and validate an employee-centric culture, which engages great candidates because of the company’s reputation as a great place to work.

Instead of staffing your business with individuals looking for a paycheck, you can attract and retain employees whose values align with your purpose. Companies with engaged workforces are more profitable and twice as likely to succeed as businesses with less-engaged teams.

Demonstrating and Proving Your Commitment

When you become a B Corp, you can’t just claim to be sustainable or socially conscious — you must prove it. The certification process requires you to demonstrate, through rigorous documentation, how you create tangible benefits for people and the environment. This means consumers and other businesses can trust that companies with B Corp status aren’t just claiming to benefit their community. They’re walking the walk.

Recent surveys show that a large majority of consumers are willing to pay more for environmentally and socially responsible products: for example, a 2024 PwC survey found around 80–85% of consumers are willing to pay a premium — on average about 9.7% more — for sustainably produced or sourced goods.

The demand by conscious consumers is already having an economic impact on the sales of consumer goods, as products with an element of sustainability have been.

Who Are Some of the Top B Corp Companies?

When writing this article, there are 10,00+ companies in 100+ countries and 160+ different industries, all operating with a unifying goal of using business as a force for good. Here is a list of some commonly used consumer brands and professional services firms:

Consumer Brands

  • Ben & Jerry’s Ice Cream
  • Tom’s Toothpaste
  • Patagonia
  • Method Soap
  • Athleta

Professional Service Firms

  • Sensiba
  • Hanson Bridgett Law Firm
  • Amalgamated Bank

There is more than likely a B Corp for anything you need. I highly recommend consulting the B Corp Directory anytime you want to make a purchase.

Certified B Corporation List

For a list of the currently certified companies and their B Impact Report, visit BCorporation.net and click the “Find a B Corp” link at the top of the page.

Contact our team of B Corp consultants to learn more about certification.

Original Published Date Mar 17, 2022

The Reconciliation Reality: Why Manual Processes Are Costing Your Credit Union

For many credit unions, the financial close relies on spreadsheets, emails, and manual checklists. These tools may seem efficient, but tracking mismatched entries, verifying balances, and chasing approvals wastes time and resources. Beyond labor, unresolved discrepancies and delayed reporting create financial and compliance risks.

Manual reconciliation slows decision-making and exposes credit unions to audit issues. Automating the process isn’t just a tech upgrade—automation protects profitability, ensures compliance, and lets finance teams focus on strategic, value-driving work.

Financial and Operational Costs

Beyond being time-consuming, relying on manual reconciliation directly affects your credit union’s budget through increased labor costs, potential financial leakage, and overall operational slowdowns.

Labor Waste and Overtime

Traditional reconciliations demand extensive manual effort as team members spend hundreds of hours aggregating data, validating transactions, and performing line-by-line matching. Month-end periods become especially grueling, with overtime surging as teams race to close the books. This increases payroll costs and contributes to burnout, reducing efficiency over time.

Financial Leakage

Every unresolved difference carries a tangible financial impact. When discrepancies go unaddressed, they are often written off to meet deadlines. These write-offs erode profitability and can create vulnerabilities to fraud. Even small, recurring variances can compound, silently affecting the credit union’s bottom line.

Slow, Error-Prone Close

Manual processes inherently slow the financial close. The back-and-forth of emails, spreadsheet versioning, and cross-departmental coordination creates the largest bottleneck in month-end reporting. Errors are frequent, and any mistake can trigger a time-consuming re-opening of the books. Delayed or inaccurate reporting hampers management’s ability to make timely, informed decisions.

Opportunity Cost

When finance teams are bogged down with tactical reconciliation, they cannot focus on higher-value activities such as CECL modeling, profitability analysis, or forward-looking financial planning. The lost opportunity cost is significant: skilled staff are trapped in routine tasks instead of driving strategic initiatives that support growth and risk management.

Compliance and Audit Costs: The Greatest Risk

While financial costs are clear, the most significant risk associated with manual reconciliation lies in failing to meet the rigorous internal control standards and audit trail requirements set by regulators like the National Credit Union Administration (NCUA).

Weak Internal Controls

Reliance on spreadsheets and email fails to meet the robust internal control standards expected by auditors and the NCUA. Without enforced workflows and standardized policies, credit unions risk a “Significant Deficiency” finding, signaling that internal controls over financial reporting are inadequate.

Fragmented Audit Trail

A decentralized reconciliation process leaves no single, time-stamped record. Regulatory and external audits become slower, more expensive, and harder to defend. Each audit requires extensive verification and reconstruction, consuming staff hours and professional services.

Call Report Risk

Errors in reconciliations, whether unrecorded differences or faulty eliminations, can lead to material misstatements in critical reporting, including the NCUA 5300 Call Report. Inaccuracies can jeopardize regulatory compliance and erode stakeholder confidence in the institution’s financial integrity.

The Strategic Imperative: Justifying Automation Software

Given the high financial and regulatory risks, implementing an automated solution like BlackLine is not merely an IT upgrade but a critical investment with a measurable Return on Investment (ROI).

Quantified ROI

Automation transforms reconciliation into a controlled, efficient process with measurable benefits:

  • Labor Savings: Credit unions can reduce manual reconciliation time by 80% or more, eliminating close-period overtime costs.
  • Reduced Audit Fees: Automated audit trails streamline testing, cutting professional service expenses.
  • Write-off Prevention: Real-time visibility ensures discrepancies are resolved promptly, protecting the bottom line from unnecessary losses.

Risk Mitigation and Control Enforcement

Automation enforces standardized policies and mandatory approval workflows, strengthening internal controls and reducing fraud risk. A centralized platform provides a single, defensible source of truth, ensuring instant audit readiness for NCUA reviews and other regulatory inspections.

Scalability and Future-Proofing

Automated reconciliation is designed for growth:

  • M&A Integration: Quickly integrate acquired entity financials under the parent credit union’s standardized controls.
  • Staff Retention: Remove tedious tasks and improve morale by allowing accountants to focus on high-value analysis.
  • Continuous Accounting: Shift from a chaotic month-end scramble to a daily, managed workflow, providing near real-time visibility into financial performance.

Shifting from Cost to Strategy

The total cost of manual reconciliation extends beyond staff hours to include lost time, financial leakage, delayed decision-making, and significant compliance exposure. Credit unions can no longer afford to rely on outdated processes that can compromise profitability and regulatory confidence.

The modern financial close is a competitive advantage. By embracing automated reconciliation, credit unions transform this critical function from a costly, tactical necessity into a strategic investment in financial integrity, regulatory assurance, and scalable growth.

Our team at Sensiba will work with your credit union to implement a solution that safeguards accuracy, enforces controls, and positions finance as a driver of strategic value. Contact our team to learn more.

IRS Finalizes Federal Form 6765 for Clients Claiming the R&D Tax Credit

On November 4, 2025, the IRS released draft instructions for the 2025 Form 6765, Credit for Increasing Research Activities. The form remains largely unchanged from the 2024 version, with the most important update reflecting the requirement to complete Section G (the detailed reporting) being pushed out to tax year 2026. 

Other items of note: 

The schedule for control groups, common in the tech and medical industries, is affirmed to require an attachment with listed information and details about the individual companies and the group.  

For control groups with entities completing Section G and filing separately, the information about the business components comprising 80% of the total Qualified Research Expenses (QREs) or the Top 50 projects (80%/Top 50) is for that entity, not the group. 

The instructions also detail how to tabulate and detail expenditures included with the ASC 730 Directive. Companies with Certified Audited Financials can leverage the directive to provide Section G reporting as a single line item. These financial statements, often prepared for companies with high debt or bank obligations, external investors, or preparing for an IPO, can be leveraged to reduce the compliance burden for the R&D Credit. 

These changes are intended to reduce the administrative overhead for small companies. Streamlining the reporting process should allow taxpayers to focus on innovation while making it more efficient for them to claim the Research and Development (R&D) tax credit.

[Figure: Form 6765, Sections A and B]

Note that most companies are not currently taking the reduced credit, due to Section 174 capitalization and amortization; $1.5 million in QREs yields a credit of approximately $150,000.

Reduced Information Requests

The IRS also reduced the number of business components that must be reported on the revised Section G (formerly Section F in the draft released in late 2023). The June draft eliminates the questions about whether a business component is: new or improved; if it is for sale, license, or lease; and the narrative requirement outlining the information or discovery sought.

Taxpayers are no longer required to report 100% of total QREs: the revised draft is for 80% of QREs in descending order by amount, per business component, for up to 50 business components.

This revised Section G is also optional for all filers for the 2024 and 2025 tax years, giving taxpayers time to transition to the new requirements. Section G will be mandatory for the 2026 tax year for taxpayers unless they are otherwise eligible to skip. 

[Figure: Form 6765, Section G]

No Changes to Sections A and B with Slight Changes to C

There are no substantive changes to “Section A – Regular Credit” and “Section B – Alternative Simplified Credit.” While the purpose of “Section C – Current Year Credit” remains largely consistent, additional on-form instructions have been added to line 39.

Added Checkboxes for Payroll Tax Credit Election Details

“Section D – Qualified Small Business Payroll Tax Election and Payroll Tax Credit” also adds additional checkboxes to clarify how the company is handling the credit, especially in cases of acquisition or entity change. Note that the form also includes the update to the payroll tax offset amount under Section 41(h), which increased to $500,000 for 2023.

[Figure: Form 6765, Section D]

Read our article “R&D Payroll Tax Credit Election for Small Businesses,” to learn more about applying the R&D tax credit against payroll taxes.

Significant Changes in New Section E

The biggest changes start in the new “Section E – Other Information.” The IRS is collecting data around the count of business components (an IRS term for “projects”) included, identifying officer wages being included as QREs, checking for transactions such as an acquisition or disposition, and flagging the consistency requirement as something to pay attention to.

While few of our clients are leveraging the ASC 730 directive for safe-harbor, other companies may be. The form requests disclosure of the ASC 730 amount.

[Figure: Form 6765, Section E]

What Should Taxpayers Do To Prepare?

While the required data points are not burdensome individually, the combination of details needed will add significant time and effort to data collection, analysis, and presentation to complete Form 6765 as proposed.

Companies with time-tracking and project-level accounting will generally be able to perform the arithmetic required to allocate expenses by business component and type of contributor. The key will be to make sure all non-wage expenses, like supplies and outside contractors, are properly coded to the relevant business component. Also, a brief description of each business component should be kept available during the year to complete line 49 and substantially meet the requirements.

Companies with no time-tracking (or poor adherence) and accounting systems that do not allocate expenses to specific projects must track additional information to comply with the new requirements.

Four Additional Tips for Preparing

1. Include the project (business component) name in General Ledger entries, ideally as a separate field. Even listing it as a part of the additional information entered would be helpful.

2. If the company is considering time-tracking but hasn’t committed yet, implement it as soon as possible for all technical personnel. In addition to substantiating the R&D credit, this also provides visibility into the actual project development costs.

  • Make sure personnel track all time worked, as we often see people track 40 hours whether they work 15 or 50.
  • As much as possible, have first-line supervisors track their time contributing to projects rather than a single G&A or Overhead code.
  • Track time spent by project for production, manufacturing, and quality personnel supporting prototype building and testing.

3. If the company does not have time tracking, consider quarterly surveys that include a project list and time allocation. These contemporaneous surveys often provide better data than a single, end-of-year survey and reduce the risk of data loss with staff departures.

4. Maintain a list of business components that includes key information such as:

  • Project goal, including brief summary of any key technical goals and metrics
  • Start date
  • Key milestones
  • End date – whether the project was put on hold, placed in production, or canceled

Our team of research & development tax credit experts provides engineering-based tax credit studies customized to meet your needs. Contact us with any questions regarding the R&D Tax Credit.

Original Published Date Feb 18, 2025

From Checkbox to Roadmap: The Essential Eight Maturity Journey

Cybersecurity threats are a daily reality, and a simple checklist approach is no longer enough.

The Essential Eight, developed by the Australian Cyber Security Centre (ACSC), sets out eight practical strategies that form the foundation of a strong, measurable security posture.

But the real strength of the Essential Eight lies in its Maturity Model. Rather than a one-off compliance exercise, the model provides a tiered roadmap for progress that guides organizations from a basic, reactive approach to a highly resilient cybersecurity posture.

This article will demystify the four maturity levels of the Essential Eight, offering business leaders a clear, strategic view of what each level means for their organization’s defense as they move from checkbox compliance to genuine resilience.

Maturity Level Zero: The Point of Vulnerability

Summary: Not a level to achieve, but the starting point for an organization with significant cybersecurity weaknesses.

Key Characteristics:

  • No consistent implementation of the Essential Eight controls.
  • Vulnerable to opportunistic attackers who use basic, publicly available tools.
  • Minimal defense against common attack vectors like unpatched systems or phishing.

Analogy: An unlocked door with a sign that says, “Please Don’t Enter.”

Maturity Level One: The Foundational Defense

Summary: The minimum standard for a basic, effective defense against common threats.

Objective: To defend against unsophisticated or opportunistic adversaries who exploit publicly known vulnerabilities.

Implementation Focus: All eight controls are implemented to a foundational level. The goal is to make the organization a more difficult target, forcing a basic attacker to move on.

Illustrative Example: Patching critical vulnerabilities within a one-month timeframe. Implementing simple multi-factor authentication for remote access.

Analogy: Locking the front door, closing the windows, and setting a basic alarm system.

Maturity Level Two: The Intermediate Shield

Summary: A significant improvement designed to defend against more capable and motivated attackers.

Objective: To mitigate attacks from adversaries willing to invest more time and resources.

Implementation Focus: Controls are tightened and become more rigorous. There is a focus on reducing the attack surface and increasing resilience.

Illustrative Example: Tightening patching deadlines to 48 hours for extreme-risk vulnerabilities. Restricting administrative privileges with a “just-in-time” approach.

Analogy: Reinforcing the door with a deadbolt, installing an advanced alarm system, and monitoring for suspicious activity.

Maturity Level Three: The Advanced Fortress

Summary: The highest level of maturity, designed to defend against well-resourced, adaptive, and persistent adversaries.

Objective: To protect against sophisticated attackers, such as state-sponsored or advanced criminal groups, who can develop custom exploits.

Implementation Focus: Security is proactive, automated, and continuous. The organization uses advanced technology and processes to detect and respond to threats in real time.

Illustrative Example: Using phishing-resistant multi-factor authentication. Implementing application control on a “deny-by-default” basis.

Analogy: A fortress with multiple layers of defense, including moats, high walls, and active patrols.

The Journey Forward: A Strategic Plan for Leaders

Assess Your Baseline

The first step toward strengthening your cyber resilience under the Essential Eight is to establish a clear baseline. Conduct a comprehensive self-assessment to understand your organization’s current maturity level across the eight mitigation strategies. This process helps identify which controls are already performing effectively and where gaps remain.

Plan for Improvement Through the Maturity Levels

Achieving maturity under the Essential Eight is not a one-time project—it’s a structured, ongoing journey. A phased approach enables sustainable improvement while managing cost, complexity, and operational impact. The initial objective should be to reach a solid Maturity Level One, where basic cyber hygiene is established and repeatable.

From there, organizations can progressively advance toward Levels Two and Three, strengthening control design and automation over time. Each phase builds upon the last, providing measurable progress and tangible risk reduction at every step.

Finding the Right Partner

Engaging the right partner, at the right time, will be an essential step to achieving successful implementation of the Essential Eight framework. At Sensiba, we bring an independent view and a practical approach that fits how your team works.

A Commitment to Continuous Resilience

The Essential Eight isn’t just a checklist to complete; it’s a practical framework for continuous improvement. Each Maturity Level helps you strengthen your organization’s ability to prevent, detect, and respond to cyber threats.

There’s no better time to start than now. Begin by assessing where you are today, identifying your gaps, and mapping out a plan for growth. Whether you’re just getting started or ready to advance to the next maturity level, Sensiba can help you take the next step with clarity and confidence.

Climate Week NYC 2025: Private Sector, U.S. States Maintaining Climate Momentum

When it comes to addressing the climate crisis, private sector, nonprofit, and international action is continuing apace. At this point, companies have received pressure from a range of stakeholders, reviewed research demonstrating sustainability’s positive impacts on business resilience, and invested sufficiently in establishing sustainability programs that momentum continues.

Although progress has stalled at the U.S. federal level, participants during Climate Week NYC 2025 described how state and local governments are leading the way for U.S. climate action.

For example, states such as California are keeping pace with the global movement toward increased alignment with sustainability and climate-related disclosures for large companies. Additionally, state-level Extended Producer Responsibility (EPR) laws have proliferated, prompting companies to evaluate the part they play in the lifecycle of consumer goods (particularly regarding plastic packaging).

Stronger Reporting Framework Adoption and Alignment

At a corporate-investor dialogue, a large multinational corporation indicated it would be disclosing for the first time in line with IFRS due to requirements enacted by California and Mexico. An EU-based pension fund with over $600 billion in assets under management is looking at climate-related, human rights, and biodiversity data and management by its portfolio companies.

Not only is there continued cohesion and alignment around a common framework for sustainability reporting, but certain reporting areas, such as nature-based target-setting and disclosures, are receiving heightened attention.

Nature-Based Targets for Corporates Are Gaining Prominence

Grounding us in the reality and gravity of challenges we face, Adam Kanzer from BNP aptly reminded the attendees at Pure Strategies “Ambition to Action” sessions that we are in the middle of a sixth mass extinction event driven by human activities like habitat destruction, pollution, and climate change.

In our work consulting with clients on their sustainability impacts, we often hear the sentiment “We care about the environment, human rights, and biodiversity, but how does that impact our bottom line?”

Methodologies and frameworks for assessing and reporting sustainability-related impacts have been established for years now (SASB, GRI, etc.), but the Taskforce on Nature-Related Financial Disclosures (TNFD) and the Science Based Targets Network (SBTN) are advancing the vital work of guiding nature-based disclosures.

The TNFD has been backed by G7 and G20 governments, scientific institutions, and over 1,700 organizations including major financial institutions and corporations. The TNFD framework helps organizations assess and disclose their nature-related dependencies, opportunities and risks related to their supply chains, asset valuations, and financial stability.

The SBTN is a global coalition of environmental organizations, scientists, and sustainability experts working to help companies and cities set science-based targets for nature (a corollary to the climate-focused work of the Science Based Targets initiative (SBTi)). Their methodology guides companies in how to identify and prioritize nature-related impacts, which can then feed into disclosures aligned with the TNFD.

The TNFD released their 2025 Status Report during Climate Week, citing evidence of more than 500 TNFD-aligned reports now being published. At a conversation convened by Anthesis Group, TNFD CEO Tony Goldner highlighted a handy guide on how to address questions on nature-related impacts to board directors, starting with, “How and where does our business depend and impact on nature?”

Erin Billman, executive director of SBTN, described how their methodology equips companies with the ability to conduct nature-focused materiality assessments and prioritize potential areas of impact.

We Have the Solutions We Need

The enormity of climate-related disasters and damage wrought both on human and non-human beings can seem insurmountable at times. An event hosted at Pioneer Works, “Science & Society: Heat Advisory,” homed in on the specific threat that extreme heat poses, which is now the leading cause of weather-related deaths in the United States.

Despite the long list of reasons to despair, there are experts such as Jainey Bavishi, who has dedicated her career to climate resilience, who highlight the array of existing and effective initiatives to address the impacts of climate change. Dr. Ayana Elizabeth Johnson, marine biologist, policy expert and prolific convener of climate solutions and solutionists, asserts: “…know that we already have most of the solutions we need — from regenerative farming, to renewable energy, to replanting ecosystems, to electrifying transportation — we don’t need to wait for new technologies, we just need to get to it.” (For even more inspiration, check out her new podcast, “What If We Get It Right?”).

To learn more about climate-related risk management and reporting, contact us.

Accounting for Software Development Costs in the Technology Industry

The technology industry, and particularly the software industry, faces unique accounting challenges. One common question that companies need to answer is whether to expense or capitalize software development costs.

When software is developed in-house, it can be tricky to know whether the costs should be treated as an asset (capitalized) or as an expense. GAAP provides separate guidance for internal-use and external-use software.

Here’s our guide to determining what guidance applies to you.

Internal-Use Software: ASC 350

Internal-use software is developed in-house for internal-use cases. This also includes software accessed through a hosting arrangement (SaaS) in which customers do not obtain ownership of the software. In general, ASC 350 should be used to guide accounting for internal-use software.

External-Use Software: ASC 985

External-use software, also known as traditional or “on-premise” software, should follow ASC 985 for guidance. This software is designed to be leased or sold to end customers.

Recent FASB Changes to ASC 350

In 2024, the FASB proposed significant changes to ASC 350 related to internal-use software to modernize outdated rules and better align with today’s agile, iterative development practices. One major impact is that fewer costs will qualify for capitalization because of a higher threshold, meaning more development costs will be expensed. This article incorporates these changes made to ASC 350.

When to Start Capitalizing Costs

For internal-use software, costs should be capitalized when two criteria are met:

  • The project has been authorized by management, and
  • It is probable that the project will be completed.

Costs should be expensed if there is significant uncertainty associated with the development, such as novel, unique, or unproven functions and features.

For external-use software, costs should be capitalized once “technological feasibility” has been established. Until that point (during planning, coding, and testing), costs are expensed.

Types of Costs That Should be Capitalized

Costs that should be capitalized include:

  • External direct costs of materials and services (e.g., fees paid to contractors or costs to purchase third-party software).
  • Payroll and related benefits for employees involved directly in development.

How Should Capitalized Development Costs Be Amortized?

Capitalized costs should be amortized on a straight-line basis over their estimated useful life, beginning when the software is ready for use. Because of agile development practices, software changes rapidly and typically has a relatively short life—often three to five years.

Treatment of Upgrades and Enhancements

Upgrades and enhancements can be capitalized only if they add new functionality—that is, enabling the software to perform tasks it previously could not. Maintenance costs should always be expensed.

Software Development Cost Capitalization Next Steps

Once you understand the applicable guidance, you’ll need to determine which costs to capitalize. This involves collaboration between the accounting and engineering teams.

During this process, it is crucial to understand the engineering team’s reporting and tracking systems. Ask questions like:

  • How is time spent on a development project tracked?
  • How is progress tracked on specific development projects?
  • When upgrades and enhancements are being developed, is functionality increasing?
  • What is the purpose of each project?
  • What percentage of an employee’s time is spent on projects other than development?

Capitalization of software development costs involves judgment and estimation. Our team of experts is available to support you and ensure the right calls are made. Get in touch with our technology audit team today.

How AI Tools Enhance Financial Modeling for Tech Startups

Modern tech leaders are faced with challenges like increasingly tighter capital, rising investor expectations, and fierce competition. Financial modeling helps startup founders translate their ideas into clear numbers that can guide decision-making while helping company leaders and investors understand market opportunities, prepare for challenges, and identify funding needs.

A solid model shows how revenue, costs, and growth might unfold, which is essential for winning investor trust and making smart business choices. And while the process of preparing and updating models can be complex for founders without a strong finance background, AI-powered tools can simplify this process by automating financial reports and reducing errors. This allows tech startups to focus less on spreadsheets and more on building their business.

What Is Financial Modeling for Startups?

For founders, a well-built financial model serves as a roadmap and a communication tool. Investors expect to see forecasts that outline how revenue, expenses, and funding needs should play out over time. These models are also useful internally for budgeting, planning, and anticipating potential tax implications. By testing different scenarios, founders can prepare for challenges, optimize hiring, and track progress against goals.

While traditional spreadsheet-based modeling provides a foundation, newer AI-driven tools can streamline the process by automating data updates, flagging inconsistencies, and generating realistic projections more quickly. This frees up founders to focus on strategy while ensuring their numbers are credible and investor-ready.

Types of Startup Financial Models

Startup financial models come in different forms, depending on the company’s stage:

  • Pre-revenue models rely heavily on assumptions, showing how long initial funding can support operations before revenue arrives.
  • Post-revenue models, on the other hand, track actual performance and project future growth based on real-world data.

Many founders also build industry-specific models, such as recurring revenue forecasts for SaaS companies, inventory and logistics planning for e-commerce, or production costs for device companies.

Regardless of the type, most models include three key financial statements:

  • Cash flow statement: shows how money moves in and out
  • Income statement: highlights revenue, expenses, and profitability
  • Balance sheet: tracks assets, liabilities, and equity

Together, these elements give founders and investors a clear view of the company’s financial health and performance.

Investor Expectations Are Changing

While spreadsheets and static forecasts once sufficed, today’s investors expect founders to use modern tools to automate manual processes and reduce errors. Relying solely on traditional models can hinder organizational flexibility and overlook the speed at which markets evolve.

By embracing AI-driven financial modeling, startups can build stronger, more adaptable forecasts that adjust quickly as conditions change. Automation reduces the time founders spend working with spreadsheets, freeing them to focus on strategy, fundraising, and growth. The shift from reactive to proactive planning is now essential to stay ahead.

The result is not just greater efficiency, but also clearer insights into the company’s health and resilience. For investors, it signals discipline and foresight. For founders, it creates a reliable framework to plan for shifts in markets, customer behavior, or funding needs, while instilling investor confidence in their ability to execute.

How to Build a Financial Model for a Startup

Building a financial model may sound complex, but breaking it into steps makes the process manageable and valuable:

  • Define your objectives. Are you building the model to raise capital, manage daily operations, or plan long-term growth?
  • List the key assumptions that drive your business, such as pricing, sales volume, costs, and market size.
  • Forecast revenue using either a top-down approach, based on market potential, or a bottom-up approach, based on detailed sales expectations.
  • Estimate expenses by separating fixed costs like salaries and rent from variable costs that scale with growth.
  • Project cash flow to understand your company’s burn rate, runway, and break-even points.
  • Conduct scenario planning to understand best-case, base-case, and worst-case outcomes.
  • Validate your data to ensure your logic is sound and your numbers are accurate.
  • Encourage experimentation and keep trying AI, even if it falls short.

AI-powered tools can streamline these steps, automating updates and testing assumptions more efficiently. This combination of structure, accuracy, and flexibility allows startups to build investor-ready models.

Best Practices for Building Financial Models

When building a model, a few best practices provide powerful advantages and benefits in meeting investor expectations:

  • Keep it simple and scalable, so the model can grow with your company.
  • Ensure the data you use is clean, reliable, and up to date.
  • Use clear formulas to reduce potential errors.
  • Document every assumption so investors and team members understand how the model works.
  • Build in flexibility to allow quick changes to inputs, especially for testing different growth or cost scenarios.
  • Focus on outputs investors care about most, such as revenue growth, cash burn, and runway.

Avoiding Common Mistakes

Financial modeling is essential for startup founders, but building a reliable model requires avoiding common pitfalls. Investors look for discipline, realism, and adaptability in forecasts, and models that miss these marks can undermine credibility.

Overly Optimistic Revenue Projections

One of the most frequent mistakes, for instance, is creating overly optimistic revenue projections. While confidence is important, projections should be grounded in data and reasonable assumptions about market adoption.

Ignoring Seasonality and Market Trends

Another misstep is ignoring seasonality or industry trends that can affect sales cycles. For example, SaaS companies may see slower growth in summer months, while e-commerce businesses often experience spikes during holidays.

Failing to Update the Model Regularly

A third mistake is failing to update the model regularly. Startups operate in fast-changing environments, and stale data quickly makes forecasts irrelevant.

Unrealistic Expense Assumptions

Finally, using unrealistic expense assumptions—such as underestimating hiring costs, marketing spending, or infrastructure needs—can lead to dangerous cash shortfalls.

With accurate, timely, and flexible models, startups can better plan for challenges, gain investor trust, and make smarter decisions about growth and funding. The right approach ensures financial models serve as a reliable roadmap rather than just a fundraising tool.

To learn more about financial modeling or optimizing your startup’s technology stack, contact us.

Percentage of Completion Accounting for Construction Companies

When construction or engineering firms take on long-term projects, recognizing revenue and tracking expenses can become complex. The percentage-of-completion accounting method offers a reliable solution that aligns financial reporting with project progress and helps firms comply with accounting standards.

Percentage-of-completion accounting follows a simple principle: revenue should be recognized as costs are incurred and work is completed. By aligning revenue with a project’s progress, this method gives companies clearer insight into the financial performance of each contract.

In addition, reporting expenses and revenue annually helps spread tax liabilities across multiple years, potentially lowering taxable income in a given year and enabling the write-off of qualifying expenses.

Comparing Percentage of Completion With Completed Contract Accounting

To better understand the percentage-of-completion accounting method, it may be helpful to compare it with the completed contract method. The latter recognizes revenue only when the project is fully complete. Under this method, costs and revenue are also matched when the project is completed.

The potential advantages of the completed contract method include its simplicity, and the deferral of tax liability (since revenue recognition is delayed until the project is finished). Potential drawbacks include the fact that the method doesn’t reflect a project’s ongoing performance (which may create an inaccurate understanding of the project’s profitability) and that revenue is recognized as a lump sum at completion.

This can distort financial ratios and forecasts if a project’s completion takes longer than anticipated. The completed contract method is also limited to contractors whose average annual gross receipts for the three preceding tax years do not exceed $30 million for tax years beginning in 2024, or $31 million for tax years beginning in 2025.

In contrast, percentage-of-completion provides a more accurate understanding of a project’s performance by matching revenue with work as it’s performed. It also improves overall performance evaluation and forecasting by smoothing out revenue recognition over a project’s life.

A potential disadvantage of percentage-of-completion is the higher administrative burden associated with tracking and documenting a project’s status.

The Advantages of Percentage of Completion

The percentage of completion method offers several advantages for long-term construction or engineering projects:

  • Improved financial accuracy. Percentage of completion provides a more accurate representation of a company’s financial status during each reporting period by reflecting the value created as a project progresses and aligning revenue recognition with the completed work.
  • Enhanced transparency. Percentage of completion results in financial statements that better reflect the value created over time. This financial clarity can be beneficial for investors, lenders, sureties, and customers who rely on up-to-date information for decision-making.
  • Compliance with accounting standards. The percentage of completion method aligns with Generally Accepted Accounting Principles (GAAP) and, if applicable, International Financial Reporting Standards (IFRS).

Maintaining Accuracy Throughout the Project Lifecycle

To fully realize these benefits, companies must track estimated and actual costs throughout a project’s life. This requires ongoing coordination with the project managers in the field to ensure the project is progressing as expected.

As projects evolve, estimates may need to be adjusted to reflect change orders or contractual adjustments (ideally before the project is completed). Good estimates, along with regular job cost reviews and updates, are essential for maintaining accuracy.

Clear documentation of performance obligations and change orders, along with strong collaboration between project management, accounting, and legal teams, further supports accurate reporting.

Common challenges, such as accounting for cost overruns, project delays, or handling contract claims and disputes, can influence costs and estimates. Failing to monitor expenses and progress accurately during a project’s lifecycle can result in revenue and costs being recorded in the wrong period. 

Balance Sheet Effects of Percentage of Completion

Because contract billings rarely align precisely with a project’s progress, the percentage of completion method usually has balance sheet effects that account for any differences.

For example, consider a two-year construction project with a contract valued at $1 million. The contractor expects the project to cost $800,000 to complete and to generate $200,000 in profit.

If the contractor incurs half of the expected costs in the first year ($400,000) and bills the customer $450,000, the contractor will recognize half of the contract’s value ($500,000) as revenue and record the $50,000 difference ($500,000 in revenue recognized less $450,000 billed) as an underbilling, reported as a contract asset on the balance sheet.

Similarly, if the contractor invoices $550,000 during the first year, the $50,000 in excess billings would appear on the balance sheet as a contract liability.

To learn more about the percentage of completion accounting and the benefits for your company, contact us.

How to Prepare Software Development Costs for Audit

For technology companies, innovation is the engine of growth, and that innovation often comes with significant software development costs. How these costs are accounted for can have a major impact on your company’s financial statements, profitability, and investor perceptions.

When software is developed in-house, it can be tricky to determine whether the cost of the development is a capital expenditure or an expense. It can be even trickier to support your position when undergoing your audit.

What Auditors Want to See

Many startup companies deprioritize labor documentation early in their lifecycle. This can create significant challenges as they undergo their first audit. When auditors review software development costs, they’re looking for more than just numbers on a spreadsheet.

Your auditor is focused on compliance with accounting standards, consistency with industry practices, and the presence of robust supporting documentation. Auditors will scrutinize your company’s capitalization policies, compare them to industry norms, and assess whether the costs being capitalized meet the criteria of GAAP standards.

For a deeper dive into the specific accounting rules for software development, see our article, Accounting for Software Development Costs in the Technology Industry.

Acceptable Documentation

The foundation of any successful audit is thorough documentation. You will need to show your auditor a reconcilable trail, related to software development costs, that includes:

  • Who did what, when, and for which project
  • Project-level documentation with clear timelines
  • Ties into complete data sets, such as time and payroll data

There are several methods to ensure you have this information ready for your auditor:

  • Time tracking: On an employee level, track the time spent on development projects throughout the year.
  • Project-based staff allocations: Allocate employee time to projects based on a percentage allocation method.
  • Project tracking software: Software such as Jira can be useful in determining hours spent on various development projects.

In all of the above methods, this information can be integrated with payroll data to allocate payroll costs to your organization’s projects. The finance and engineering teams then need to collaborate on which projects can be capitalized, and which should be expensed in accordance with GAAP.

Finding alignment and understanding between the finance and engineering teams can be a common challenge with these methods.

The Ideal: Consistent Time Tracking That Cross-References Easily

Auditors prefer systems that allow them to match general ledger data, payroll, and project output. Time tracking that captures all work, not just capitalizable tasks, allows for better cross-comparisons and audit readiness. A robust understanding of each project is essential in determining whether related costs should be capitalized or expensed.

Software Highlight: ClickTime

ClickTime is a time tracking system that reduces audit prep burden. With ClickTime, technical teams don’t need to remember what they worked on or worry about whether their projects are capitalizable. Their existing tools, like calendars and Jira boards, translate directly into hours worked to intelligently capture where time was spent, so they never need to spend Friday afternoon guessing how they spent their week.

Finance then applies its own logic layer, ensuring each new hour logged is routed to the right cost center. Time entries flow straight into payroll, while reports stay aligned with the GL and audit requirements.

Final Advice on Avoiding Last-Minute Scramble

First and foremost, get your finance and engineering teams aligned before audit season to ensure you have the data and understanding needed to support your determinations. Use a tool that tracks time, ties into payroll, and produces a complete dataset.

Developing good processes with clean documentation early in your company’s life cycle adds operational maturity, not just for cost capitalization, but for all of your financial reporting.

Need help? Our team of experts is available to support you and ensure you have the right processes in place. Get in touch with our technology audit team today.

Calculating Headcount for ISO/IEC 42001 Audits

As organizations prepare to undergo an ISO/IEC 42001 audit, identifying the employees, contractors, and business partners who should be included in the organization’s AI-related headcount is vital in determining the audit’s scope, complexity, and cost.

ISO/IEC 42001:2023, Artificial Intelligence Management Systems (AIMS), offers guidance and controls to help organizations deploy AI efficiently and mitigate related security risks.

Determining whether an organization’s AIMS meets the requirements spelled out in the standard requires an external audit. During this review, auditors will examine processes, policies, and practices to verify conformity with the standard’s requirements, such as maintaining ethical AI governance, risk management, transparency, accountability, privacy, fairness, and safety.

How Headcount Determines Audit Scope

The number of people directly involved in processes governed by the AIMS, such as AI development, deployment, risk management, and monitoring, plays a key role in defining how an audit is conducted.

Certification bodies use AI-related headcount as the basis for estimating the time required to perform an audit because a higher headcount generally means more complex workflows and dependencies, as well as a need to review more processes and documentation.

For example, a team of one to 10 people working as AI producers (defined in the standard as being “responsible for the full lifecycle of designing, developing, testing, and deploying products or services that utilize one or more AI systems”) would require an estimated 5.0 auditor days.

For the same-sized team of AI developers, providers, or users, that estimate drops to 3.5 days. If people on the team have multiple roles, the estimate increases to 6.5 auditor days. Organizations can also use the higher-value role in preparing estimates.

Estimated auditor days for an AIMS audit, by AI headcount and role:

  AI Headcount   AI Producer   AI Developer or Provider   AI User   Clients with Multiple Roles
  1–10           5.0           3.5                        3.5       6.5
  11–15          6.0           4.0                        4.0       8.0
  16–25          7.0           4.5                        4.5       9.5
  26–45          8.5           6.0                        6.0       11.5
  46–65          10.0          7.0                        7.0       13.0
  66–85          11.0          7.5                        7.5       15.0
  86–125         12.0          8.0                        8.0       16.0
  126–175        13.0          9.0                        9.0       17.5

These estimates are codified in the ISO/IEC 42006 standard, which provides guidelines for determining the expected number of audit days based on factors such as headcount, organizational complexity, and AI roles. The standard ensures auditors apply consistent criteria when defining the scope of the AIMS audit, such as verifying that the in-scope headcount accurately reflects the roles affecting the organization’s AI governance.

Determining Who to Include in the Audit Scope

Determining the in-scope headcount for an ISO/IEC 42001 audit involves reviewing job descriptions and identifying the team members whose roles directly or indirectly influence the organization’s AIMS. This is important to make sure the audit reflects the scale and complexity of AI-related activities.

For a more detailed breakdown of key AI roles and their importance in ISO 42001 compliance, refer to our article:

As a first step, organizations should map roles involved in the AI lifecycle, including development, deployment, monitoring, and maintenance (such as data scientists and product managers). They should include personnel responsible for risk management, ethical oversight, and compliance with AI governance frameworks.

From there, organizations should add teams providing indirect support, such as the IT function responsible for maintaining the AIMS infrastructure and access controls, and the cybersecurity team.

It’s also important to include contractors, third-party vendors, and part-time workers in the headcount total. Their hours should be totaled to establish how many full-time equivalent (FTE) hours they represent, with the FTE figure being included as part of the overall headcount.

For headcount purposes, someone’s duties and responsibilities are more important than their employment status. Similarly, if team members divide their time between AI and non-AI related tasks, their AI-related hours should be added together to arrive at a full-time equivalent for audit purposes.

Every team member’s role should be documented clearly, along with a narrative description explaining what the role entails and its reason for being included in the in-scope audit headcount.

Common Headcount Challenges

The following challenges and common oversights can increase audit time and cost while hindering the potential effectiveness of an ISO/IEC 42001 audit:

  • Omitting support teams like IT, HR, or legal departments that are not directly involved in AI development or operations. If a function provides crucial support, consider how their role aligns with the standard’s requirements.
  • Underestimating third parties, such as external vendors or consultants, involved in the AI life cycle and governance of outsourced systems or tools.
  • Overcomplicating the headcount by including roles that don’t affect AIMS operations or support.
  • Misaligning scope with organizational context. This can include adding all AI functions without prioritization or overlooking essential risks.
  • Neglecting documentation, such as data acquisition and provenance logs.

With careful planning and by avoiding common mistakes, organizations can ensure their defined in-scope headcount aligns with ISO/IEC 42001 requirements, supports effective audits, and strengthens overall AI governance. To learn more about ISO/IEC 42001 and certification or recertification audit planning, contact us.

The Future of Regulatory Adherence: SOX Compliance as a Service (CaaS)

The Sarbanes-Oxley (SOX) landscape is complex, evolving, and unforgiving. Companies are navigating a dense web of requirements, from data privacy mandates to financial reporting obligations under SOX and industry-specific frameworks such as PCI DSS. The stakes are high: missteps can result in financial penalties, reputational harm, and diminished investor confidence.

Traditionally, organizations have managed SOX compliance as a manual, reactive exercise. Internal teams scramble to prepare and execute, often relying on spreadsheets, siloed systems, and ad hoc processes. This approach consumes valuable time and resources while exposing organizations to heightened risk. 

Compliance as a Service (CaaS) introduces a proactive, continuous, and tech-enabled approach that simplifies SOX compliance. By blending expert human oversight and continuous monitoring with automation, CaaS offers finance leaders a way to reduce costs, proactively reduce financial risk exposure, increase confidence, and strengthen resilience in the face of ever-expanding requirements.

What Is SOX Compliance as a Service?

SOX Compliance as a Service is an outsourced, cloud-based model where a third-party provider manages an organization’s compliance obligations on an ongoing basis. Rather than shouldering the full cost and burden of compliance internally, companies can partner with specialists who combine automation, continuous control monitoring, real-time visibility, and professional expertise to align compliance programs with management’s strategic initiatives.

Key components of a CaaS model include:

  • Technology: Automated evidence collection, continuous monitoring of controls, and dashboards that provide management and audit committees with real-time insights.
  • Expertise: Access to a team of compliance professionals dedicated to staying current with changing laws, frameworks, and regulatory expectations.
  • Scalability: The ability to adapt seamlessly as the business grows, diversifies, or encounters new regulatory regimes—without the lag and overhead of rebuilding internal capabilities.

Together, these elements provide a sustainable, forward-looking approach that transforms compliance into a strategic function.

The Universal Benefits of Adopting CaaS

CaaS brings tangible advantages across industries and regulatory frameworks:

  • Cost Efficiency: By eliminating the need for large in-house compliance teams and reducing fire-drill audit preparation costs, CaaS lowers the total cost of compliance. Predictable subscription-based pricing models further aid in financial planning.
  • Enhanced Risk Management: Continuous monitoring and automated alerts allow management to identify and remediate issues before they escalate into findings, fines, or reputational damage.
  • Increased Operational Efficiency: Internal teams are freed from administrative compliance burdens, allowing them to redirect energy toward strategy, operations, and value creation.
  • Staying Current: With a provider dedicated to regulatory intelligence, organizations no longer risk falling behind as global and local laws evolve. Finance executives gain confidence that compliance practices remain up to date and defensible.

CaaS in Action—A SOX Use Case

SOX compliance remains one of the most resource-intensive challenges for U.S. public companies. Section 404 requires rigorous documentation and testing of internal controls over financial reporting. Traditional SOX programs often devolve into annual, labor-intensive exercises that strain finance teams and delay strategic priorities.

A CaaS model redefines the SOX experience:

  • Automation: Evidence for key financial controls can be collected automatically, reducing dependence on manual sampling and spreadsheet trackers.
  • Continuous Monitoring: Control effectiveness is evaluated in real time, shifting away from the outdated “point-in-time” testing cycle. Gone are the two- or three-phase testing approaches that create demand spikes and cause management teams to scramble to meet deadlines.
  • Audit Readiness: Centralized platforms create a single source of truth. Auditors receive immediate, verifiable access to documentation, streamlining the audit process and minimizing disruption for management.

For CFOs and audit committees, the result is a SOX program that is more efficient and reliable, turning compliance into a strategic advantage rather than a compliance cost center.

Implementing a SOX CaaS Strategy

Transitioning to a SOX CaaS model is both achievable and pragmatic. Finance leaders should consider the following steps:

  1. Initial Assessment: Evaluate current compliance processes, costs, and pain points to identify areas for efficiencies.
  2. Vendor Selection: Seek providers with proven expertise in SOX and other applicable frameworks, robust technology platforms, and a track record of regulatory alignment.
  3. Integration: Establish clear roles, responsibilities, and communication protocols between internal and provider teams to ensure seamless adoption.
  4. Continuous Audit Transition: Develop and socialize the process and timing for the move from a traditional to a continuous audit program.

Best practices for success include securing leadership buy-in early, setting measurable objectives for the transition, and maintaining ongoing dialogue with the provider to ensure continuous alignment.

Our Offering: As part of our commitment to advancing compliance innovation, we’re launching SOX Quest, our dedicated SOX Compliance as a Service solution. To learn more about this offering, please see our official launch article: Sensiba Launches Subscription-Based SOX Compliance Model.

Beyond a Compliance Checklist

Compliance is no longer a periodic checklist—it’s a strategic imperative that shapes how companies build trust with stakeholders, investors, and regulators. Compliance as a Service moves organizations beyond reactive, manual processes to promote continuous assurance, resilience, and transparency.

The message for finance executives at publicly traded companies is clear: adopting a CaaS model for SOX and beyond is not just about meeting today’s requirements. It is about preparing for tomorrow by building a governance structure that instills confidence, drives efficiency, and positions the organization to thrive in an era of accelerating regulatory scrutiny.

To learn more about Compliance as a Service, contact us.

5 Benefits of Hiring a Fractional CSO for Sustainable Growth

As we navigate the evolving sustainable business and environmental, social, and governance (ESG) landscape, the role of a fractional Chief Sustainability Officer (CSO) has cemented itself as an integral part of a company’s strategic leadership structure.

In previous articles, we have defined the fractional CSO role and highlighted how they support the C-Suite with sustainability strategy and implementation—Maximizing ESG Impact: The Role of a Fractional CSO in Business Strategy. This article dives deeper into the tangible benefits companies can expect to see from their investment in a fractional CSO.

Fractional CSOs are an invaluable asset because much of their work occurs behind the scenes. As such, they offer a flexible and cost-effective way to achieve leadership alignment, empower staff, build trust with stakeholders, increase efficiency, and mitigate risk in a changing world while enabling the organization to control the narrative surrounding its sustainability initiatives.

Here are the key benefits we see for hiring a fractional CSO:

1. Aligns Leadership

A fractional CSO creates an executive-level structure for measuring and managing sustainability-related risks and opportunities. This ensures leadership is aligned on a shared vision without the expense of a full-time hire. Their work with the leadership team can include:

  • Helping the leadership team identify and prioritize key ESG risk and opportunity initiatives by providing an objective, external perspective with a deep understanding of key sustainable impact frameworks. 
  • Working to establish clear sustainability goals that are integrated into the company’s overall business strategy. 
  • Providing sustainability expertise to leadership quickly and cost-effectively.
  • Creating a framework for consistent decision-making that considers “double” financial and impact materiality. 

2. Reduces Risk

Fractional CSOs mitigate risks related to sustainability impacts, regulations, and public perception that, if not managed correctly, can create whole-firm reputational damage. This critical role includes:

  • Conducting thorough analysis to identify company-, industry-, and sector-specific ESG risks, such as climate-related supply chain disruptions, human capital management considerations, or data security issues. 
  • Developing robust contingency plans to prepare for new regulations and market shifts. 
  • Ensuring the company is compliant and prepared for future challenges, safeguarding its reputation and bottom line. 

3. Empowers Staff

Based on the company’s core strategic ESG initiatives, the fractional CSO is responsible for ensuring sustainability information and goals flow through the organization. They provide mentorship and capacity building to empower staff to become champions of sustainability through initiatives like:

  • Offering coaching and professional development to help employees understand and implement sustainable practices that drive tangible value. 
  • Helping internal teams identify opportunities for improvement, fostering a company-wide culture of innovation. 
  • Building a skilled internal team that can manage and execute sustainability efforts effectively.
  • Identifying future sustainability leaders from within the organization.

4. Fosters Trust

By providing a clear and transparent sustainability strategy, a fractional CSO strengthens trust and engagement with the organization’s internal and external stakeholders. They:

  • Act as a trusted liaison for investors and customers, communicating the company’s ESG risks, opportunities, progress, and commitments. 
  • Translate complex sustainability data into clear, understandable reports and communications. 
  • Build brand reputation and customer loyalty by demonstrating authentic and measurable progress on environmental and social goals. 

A 2023 report from McKinsey and NielsenIQ found 78 percent of US consumers say a sustainable lifestyle is important to them, and a 2024 report from PwC highlighted that consumers are willing to spend more for sustainable products and services.

5. Increases Efficiency

Alongside supporting leadership and other stakeholders from a strategic point of view, a fractional CSO works with finance and functional leaders to unlock cost savings and increase efficiency by optimizing operations through a sustainability lens. They:

  • Identify opportunities for waste reduction, energy savings, and improved resource management. 
  • Streamline supply chain processes to be more resilient and environmentally friendly. 
  • Help the company capitalize on incentives and grants for sustainable projects, improving financial performance. 

A fractional CSO plays an integral role in the strategic growth of any business. Through aligning leadership, reducing risk, empowering staff, fostering trust with stakeholders, and increasing efficiency, they ensure the success of a company beyond ESG considerations. Their role drives innovation, creating a competitive edge for a more sustainable and successful future. To learn more about the role and benefits of retaining a fractional CSO, contact us.

What the 2025 U.S. AI Action Plan Means for Security Leaders

The U.S. government’s 2025 AI Action Plan outlines a strategy to accelerate artificial intelligence adoption by reducing regulatory friction, expanding national infrastructure, and promoting U.S.-developed AI technologies globally.

While the plan is aimed at boosting innovation and competitiveness, wider adoption of AI tools and services introduces new risk exposures for companies implementing or developing AI capabilities.

As organizations integrate AI more deeply into their products and operations, the need for reliable security and governance frameworks becomes critical. The ISO/IEC 42001:2023 standard and the NIST AI Risk Management Framework (AI RMF) can help security leaders align their efforts with evolving expectations and demonstrate accountability in a complex policy and regulatory environment.

A Federal Shift Toward Speed and Scale

The U.S. government’s AI strategy is centered on reducing barriers to adoption and positioning the United States as a global leader in AI infrastructure and innovation. The plan is structured around three key pillars:

Pillar I: Accelerating AI Innovation

Federal and state agencies are encouraged to remove perceived regulatory bottlenecks, redirect funding to jurisdictions with business-friendly policies, and support open-source models and datasets. To create downstream demand, the federal government is positioning itself as an early adopter of AI tools.

Pillar II: Building National AI Infrastructure

To address long-term capacity needs for AI workloads, the plan wants to promote measures such as expediting permitting for data center construction, using federal land, strengthening electrical infrastructure, and expanding domestic semiconductor production.

Pillar III: Leading in Global AI Policy and Security

The U.S. will promote exports of the full AI technology stack—hardware, software, and models—to trusted partners, while updating export controls to reduce the risk of sensitive technologies reaching adversaries. Notably, proposed revisions to the NIST AI RMF suggest a move toward “ideological neutrality” in federal procurement.

Taken together, these initiatives aim to lower regulatory friction, increase deployment speed, and create incentives for public and private adoption.

Security Considerations and Emerging Risk Areas

Faster adoption and expanded infrastructure introduce new risks that must be addressed proactively. Among the most pressing for security teams:

  • Broader attack surfaces. AI deployments can introduce vulnerabilities, including the exposure of sensitive training data, model inversion attacks, or misconfigured cloud environments hosting AI workloads.
  • Supply chain dependencies. The growing use of open-source components and offshore resources creates potential supply chain weaknesses. Organizations must assess provenance, integrity, and maintenance practices of AI inputs and supporting infrastructure.
  • AI-enabled threats. Malicious use of AI, such as synthetic phishing, automated exploitation, or model manipulation, requires updated incident response capabilities. The plan acknowledges this by calling for frameworks to support industry-led threat prevention and response.
  • Evaluation of frontier models. High-impact models, including those with potential misuse risks (e.g., bioengineering or cybersecurity), may require specialized testing, access controls, and continuous monitoring to mitigate potential harms.
  • Export control challenges. Expanding the global reach of U.S. AI tools may increase market share, but it also raises the stakes around enforcement. Insufficient controls could lead to technology transfers that undermine national security or corporate IP.
  • Gaps in oversight and workforce capacity. The shift away from social and environmental oversight in federal policy may reduce accountability in areas such as algorithmic fairness. Meanwhile, many security teams are still building internal capacity to address AI-specific risks, with training potentially lagging behind deployment.

Established Governance Frameworks

Security executives seeking to address these risks can look to ISO/IEC 42001 and the NIST AI RMF as practical tools to guide and structure AI risk management and oversight.

ISO/IEC 42001 provides a formal, certifiable framework for managing AI systems across their lifecycle. It emphasizes governance, transparency, risk-based controls, and human oversight—principles that align closely with U.S. policy goals, including those outlined in Executive Order 14110 and OMB’s draft guidance on AI use in federal agencies.

NIST’s framework is non-certifiable but widely referenced. It is organized around four core functions—Map, Measure, Manage, and Govern—and is designed to help organizations identify and mitigate risks to individuals, systems, and organizations posed by AI.

While ISO 42001 establishes organizational controls suitable for audit and certification, the NIST RMF provides an adaptable model for day-to-day risk management. Used together, they offer complementary approaches:

[Graphic: Comparison of ISO/IEC 42001 vs NIST AI RMF]

Organizations can use the NIST AI RMF to inform the design of their AI programs and build toward ISO/IEC 42001 certification.

Here’s a summary of how the frameworks align with the U.S. AI Action Plan:

[Graphic: How NIST AI RMF and ISO/IEC 42001 align with the U.S. AI Action Plan]

Practical Business Benefits of Certification

Although ISO/IEC 42001 is a voluntary standard, certification may serve as a differentiator in several ways:

  • Trust and Marketability: Demonstrating formal AI governance can strengthen trust among customers, investors, and regulators.
  • Procurement Readiness: Agencies and enterprise buyers are increasingly requesting evidence of governance; certification supports compliance with internal procurement requirements.
  • Cross-Border Operations: As ISO standards are recognized internationally, certification may simplify operations across jurisdictions.
  • Operational Risk Reduction: A structured management system can help organizations identify gaps, respond to incidents more effectively, and reduce reputational risk.

While certification is not mandatory, it offers a structured path toward transparency and assurance, especially in high-stakes, high-regulation environments.

Aligning With Policy While Managing Risk

The 2025 AI Action Plan signals a policy environment focused on speed, infrastructure investment, and global competitiveness. But it also places greater responsibility on companies to self-regulate and secure their AI deployments.

Security executives have an opportunity—and a growing obligation—to lead on AI risk governance. By adopting frameworks like ISO/IEC 42001 and the NIST AI RMF, organizations can not only strengthen their internal controls but also position themselves for long-term success in an increasingly complex ecosystem.

Together, the frameworks provide a solid foundation for accountability, resilience, and trust in an AI-driven future. To learn more about the frameworks and AI governance, contact us.

Moving Beyond Traditional SOX Compliance: The Case for Continuous Auditing

As organizations become more complex and regulatory expectations increase, the traditional phased approach to Sarbanes–Oxley (SOX) compliance is increasingly feeling outdated. Management teams struggle to identify emerging risks and meet deadlines as year-end approaches.

In this article, we’ll explore the shortcomings of the traditional model, define continuous auditing as a next-generation approach, and demonstrate how organizations can transition to a proactive, data-driven compliance model.

The benefits of continuous auditing are clear: faster risk identification and remediation, smoother workloads, stronger stakeholder confidence, and better alignment with today’s pace of business change.

Why the Traditional Model Falls Short

Since the passage of the Sarbanes-Oxley Act in 2002, most companies have relied on a three-phased compliance model to anchor their internal control programs. This approach traditionally begins with walkthroughs and design assessments early in the year to confirm key controls are in place and designed appropriately.

From there, auditors conduct interim testing (sampling transactions and reviewing control activities during the first nine to ten months) to gauge whether controls operate effectively.

Finally, companies face year-end testing in the fourth quarter, where controls are evaluated one last time before certifications are finalized.

This cadence has offered structure and clarity for years, giving organizations a predictable framework for meeting their compliance obligations.

While effective in theory, this once-reliable model is increasingly at odds with today’s business environment. Under the phased approach, for example, control failures often come to light months after they occur, leaving little time for remediation before year-end filings.

The burden on finance and audit teams is also backloaded heavily, with testing bottlenecks in the fourth quarter that can create intense pressure as reporting deadlines approach.

Meanwhile, the model assumes a static risk profile throughout the year. This assumption rarely holds true in organizations undergoing rapid change, whether from new system implementations, acquisitions, or shifts in regulatory requirements.

Perhaps most critically, the traditional SOX cycle fosters a reactive posture. Rather than empowering organizations to stay ahead of risks and adapt controls as conditions evolve, it encourages a game of catch-up in which problems are discovered after the fact instead of being prevented in real time.

For financial executives tasked with safeguarding trust and steering their organizations through dynamic market conditions, this outdated model can hinder agility and increase risk exposure.

What Is Continuous Auditing?

Continuous auditing represents the modernization of SOX testing, moving compliance away from rigid, phase-based cycles toward an ongoing process of monitoring, testing, and remediation.

Instead of waiting for designated checkpoints in the year, organizations adopt a model that aligns with the continuous way businesses operate (and risks can emerge). 

At its core, continuous auditing is a methodology powered by automation, analytics, and collaborative workflows that deliver near real-time assurance over internal controls.

This approach integrates technology directly into compliance processes:

  • Automated data collection and ERP-integrated monitoring allow organizations to track transactions and exceptions as they happen, reducing the lag between occurrence and detection.
  • Rolling control evaluations refresh samples monthly—or even more frequently—giving management the flexibility to test controls as often as needed to stay ahead of risk.
  • Real-time dashboards bring transparency, providing executives, audit committees, and even external auditors with a live view of control health and potential deficiencies.

Just as important, collaborative remediation closes the loop quickly, ensuring issues are detected and resolved before they can cascade into larger compliance failures.

The Benefits of Continuous Auditing 

By surfacing issues as they occur, organizations shift into a proactive risk management posture that supports stronger SOX certifications under Sections 302 and 404. The continuous flow of testing and remediation helps finance and compliance teams avoid the familiar year-end scramble, distributing audit workloads more evenly across the year and reducing Q4 bottlenecks. For leadership, real-time visibility enhances trust with investors and regulators, demonstrating a commitment to transparency and accountability.

Over time, this model also delivers cost efficiencies. Automating data collection and reducing duplicate testing streamlines compliance work, while improved alignment across finance, IT, and internal audit reduces rework.

More strategically, continuous auditing enables organizations to adapt their SOX framework as business conditions change. Whether integrating new systems, navigating acquisitions, or scaling toward an IPO, companies gain the agility to update controls without waiting for the next annual cycle.

Finally, the continuous model improves feedback loops across the organization. Instead of hearing only about failed controls, managers and control operators receive regular feedback on every evaluation, creating a culture of engagement and accountability.

This emphasis on communication builds stronger ownership of controls at every level, ensuring compliance is not viewed as a once-a-year hurdle but as a shared, ongoing responsibility.

Transitioning to Continuous Auditing: A Practical Roadmap

Making the shift to continuous auditing requires more than simply layering new tools on top of old practices. It demands a deliberate approach that rethinks processes, roles, and expectations across the compliance function.

For finance leaders, this transition represents not only an opportunity to modernize SOX but also to strengthen risk management and ease the burden on teams. The following roadmap outlines how organizations can build a strong foundation for success.

Assess the Current Framework

Many organizations already know where the bottlenecks occur—recurring deficiencies, control failures that surface too late, or spikes in workload concentrated around quarter- and year-end. By documenting these pain points formally, leaders can articulate the business case for change and ensure the transition addresses real challenges rather than theoretical improvements.

This clarity also helps win buy-in across teams who may initially view continuous auditing as “just another compliance initiative.”

Leverage Technology

Continuous control monitoring (CCM) tools are particularly valuable in high-risk areas such as user access, journal entries, and revenue recognition. When paired with analytics, these tools can flag anomalies as they happen and transform testing from a retrospective exercise into an active, preventive safeguard. Technology doesn’t replace auditors; it augments their ability to focus attention where it matters most.

Redesign the Testing Calendar

Instead of concentrating audit activity into semi-annual or quarterly phases, testing can be performed monthly (or even more frequently) based on organizational needs. Smaller, more regular testing cycles ensure controls are evaluated across the entire fiscal year, smoothing workloads and preventing last-minute scrambles. This cadence also increases confidence that the control environment reflects the business as it is today, not as it was months earlier.

Foster Cross-Functional Collaboration

Continuous auditing cannot succeed if finance, IT, and internal audit remain siloed. Shared dashboards and communication channels allow these groups to see the same data, interpret results together, and act quickly if issues arise.

Establishing rapid-response protocols ensures remediation keeps pace with detection, reducing the risk of small control failures snowballing into material weaknesses.

Engage Stakeholders Early

Audit committees and external auditors should understand not only what continuous auditing is, but how it benefits them directly. Educating these groups on the advantages helps secure their support and builds trust in the new model. Demonstrating early wins, such as faster remediation or smoother year-end testing, can reinforce the value proposition.

Develop a Prescriptive Testing Plan

Leveraging the Risk and Control Matrix (RCM), finance teams can define the controls that are tested each month and the required sample sizes. Coordinating with management, control operators, and external auditors ensures expectations are aligned, responsibilities are clear, and remediation efforts are prioritized effectively.

This step transforms the concept of continuous auditing into a disciplined, repeatable process embedded in the organization’s compliance culture.

Taken together, these actions create more than a compliance upgrade. They build a framework that aligns SOX with the pace of modern business, reduces strain on teams, and strengthens investor and regulator confidence.

A Modern Path Forward

The phased SOX compliance model has reached its limits. Continuous auditing represents not just an efficiency improvement, but a strategic shift in how companies approach risk management and compliance.

By adopting continuous auditing, management teams transform SOX from a reactive, compliance-heavy burden into a proactive, value-adding function. The result is not just compliance—it’s confidence, agility, and resilience to meet the dynamic challenges of today’s fast-moving business environment.

To learn more about the benefits of continuous auditing, contact us.

The Strategic Importance of Business Personal Property Tax Reporting

Despite a seemingly contradictory name, the business personal property tax imposes crucial reporting and management requirements for companies.

Business personal property tax reporting is an important component of an organization’s overall tax compliance strategy that affects financial reporting, insurance coverage, and audit outcomes. Inaccurate or incomplete reporting, for instance, can lead to tax penalties, audit complications, and financial misstatements.

What Is Business Personal Property?

“Business personal property” refers to tangible assets, such as business equipment, machinery, inventory, supplies, office furniture, business vehicles, and similar items, that an organization owns or leases. Depending on the state, county, or municipality where those assets are located, the organization may be responsible for itemizing those assets and paying the associated business personal property tax.

Business personal property taxes are collected in 38 states, with taxable asset classes, affected industries, exemptions, filing deadlines, and other considerations varying among state and local jurisdictions.

To ensure compliance and maintain financial integrity, businesses must value assets accurately, apply proper depreciation methods, and meet the requirements of tax regulations in every location where they have business personal property assets.

The Importance of Accurate Valuation

The valuation of business personal property affects a company’s tax liability and financial statements. Incorrect valuations create a risk of overpayment, which reduces available capital, or underpayment, which increases potential audit risk and penalties.

Businesses must determine the fair market or taxable value of their assets based on requirements in different jurisdictions. Most jurisdictions require reporting based on original acquisition costs, which must be documented consistently and tracked by the company (typically in a fixed asset management system).

Companies must also consider whether an asset meets materiality thresholds and make strategic decisions about capitalizing an asset versus expensing it.

Similarly, impairment testing can affect depreciation by adjusting an asset’s carrying amount and altering its depreciation or amortization expense over its remaining useful life. When an impairment loss is recognized, for instance, the asset’s carrying amount is reduced to its recoverable amount. This adjustment directly affects the asset’s future depreciation expense and property tax assessed value.

Managing Tax and Financial Impacts of Depreciation

Depreciation affects a company’s financial reporting and tax obligations. While GAAP financial reporting typically uses straight-line depreciation and federal tax uses Modified Accelerated Cost Recovery System (MACRS), property tax jurisdictions often apply their own depreciation tables based on asset class and useful life. Many jurisdictions maintain minimum taxable values, such as 20-30% of the asset’s original cost, regardless of its book value or actual condition.

Aligning depreciation records with property tax filings ensures consistency and minimizes potential discrepancies during audits.

Physical Verification and Document Review

Physical verification and document review play important roles in preparing an accurate business property tax report. Physical verification allows companies to confirm the existence, condition, and location of assets subject to property taxation. This approach helps to identify assets that may have been disposed of, relocated, or impaired, ensuring that businesses do not pay taxes on assets they no longer own or use.

Document review complements physical verification by examining financial records, purchase agreements, lease contracts, and previous tax filings. This examination helps establish accurate asset values, acquisition dates, and depreciation schedules, which affect tax calculations.

Together, these practices help businesses:

  • Avoid overpayment by removing outdated assets from tax rolls
  • Identify applicable exemptions or special classifications
  • Ensure compliance with local tax regulations
  • Create an accurate audit trail for potential tax authority reviews
  • Support accurate financial reporting beyond tax purposes

Implementing a systematic approach to physical verification and documentation also reduces the risk of penalties for inaccurate reporting.

Similarly, analytical procedures play an important role in preparing a business property tax report by helping businesses ensure accuracy, identify potential issues, and maximize tax efficiency. These procedures involve systematic analysis of financial data to identify patterns, anomalies, and tax-saving opportunities by verifying that all taxable assets are accounted for properly and classified correctly.

Common Challenges

Preparing a business property tax report involves several potential issues that can be complex and time-consuming. Some of the key challenges include:

  • The complexity of local rules. States and local jurisdictions have varying tax rates, rules, and filing deadlines, which can make it difficult for businesses to maintain consistent compliance processes.
  • Inadequate records. Companies must maintain accurate records of business personal property assets, including their value and depreciation.
  • Manual processes. Tracking assets with spreadsheets, for instance, can lead to errors and inefficiencies.
  • Overpayment risks. Incorrect asset classification or depreciation can lead to overpayments.

To learn more about business personal property tax reporting and developing effective compliance strategies, contact us.

10 Compliance Standards to Consider

When starting your compliance journey, you might ask, “Which compliance standard is best for us?” But once you explore the realm of standards, it’s common to land on more than one!

You might have customers asking about multiple standards. Or you might operate across different geographies and industries and have a mix of regulations and customer requirements. Everyone knows there’s duplication across standards, so it often makes sense to do them together.

Our modern audit pathways are popular for that reason; why not achieve multiple business outcomes from a single project with a marginal extra cost and effort?

Here are the 10 standards commonly considered by cloud services companies looking to satisfy their global customers across industries.

System & Organizational Control 2 (SOC 2) Trust Services

SOC 2 is referred to as the most accepted standard. It works best to open doors by providing a base level of maturity for information security, and it satisfies most customers’ needs to start doing business with them. Its flexibility also enables various ways to expand it, with optional trust services criteria for availability, confidentiality, processing integrity, and privacy that can be added to the base criteria for security.

It’s also commonly used for “SOC 2 +” to combine other bespoke requirements or regulations into a single report. SOC 2’s flexible criteria and practical focus make it an adaptable standard that any business can achieve.

Prevalence: 9/10

Difficulty rating: 4/10

ISO/IEC 27001 Information Security Management

This international information security standard has a best practice focus. Its prescriptive nature, in terms of the requirements to comply and the audits conducted, tends to give the illusion that this standard is ‘harder’ to achieve.

It can be very painful with a broad and stringent set of requirements, and several days of business disruption for the audits. It’s not easy to achieve, but it is viewed favorably around the world by large enterprises. Our flexible approach means you can still achieve ISO 27001 compliance in a way that works for your business. There are additional ISO standards like ISO/IEC 27701 (Privacy), ISO/IEC 42001 (AI Management Systems), and ISO/IEC 22316 (Resilience) to cover other areas, much in the way the SOC 2 Trust Services Criteria offers optional additions within the same standard.

Prevalence: 9/10

Difficulty: 7/10

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA is the de facto expectation for doing business in the healthcare industry. Although it applies to American patient data, it’s often used to satisfy non-American healthcare customers and verify service providers even where patient data is not collected or used. It has some prescribed requirements and a broad set of regulatory criteria that can be daunting for those without experience in this regulation.

Since there’s no formal certification scheme or accreditation, it allows a lot of flexibility with how it’s achieved and demonstrated to stakeholders, which makes it a little easier to combine with other standards and work with a preferred audit partner.

Prevalence: 5/10

Difficulty: 5/10

General Data Protection Regulation (GDPR)

The European Union’s General Data Protection Regulation (GDPR), introduced in 2018, was a sweeping step forward in consumers’ privacy rights. Various countries and states have taken their own steps forward in refining or introducing new privacy regulations. However, GDPR is seen as the global benchmark. It applies to EU citizens’ data, regardless of the location or type of service, and therefore impacts most global technology companies. It provides a key point of consideration for ambitious growing companies.

The key difference is based on your type of service. If you’re B2C, you’re regulated and may be fined for non-compliance. If you’re B2B, that also applies, but perhaps more significantly you need to prove your compliance to larger customers to satisfy their obligations and mitigate their risk of non-compliance.

Prevalence: 8/10

Difficulty: 6/10

California Privacy Rights Act (CPRA)

The California Privacy Rights Act (CPRA), which amends and expands the earlier California Consumer Privacy Act (CCPA), introduces more rigorous regulatory requirements for organizations handling personal data of California residents. In addition to aligning with many principles of the GDPR, the CPRA establishes new consumer rights, such as the right to correct inaccurate personal information and the right to limit the use of sensitive personal data.

Businesses that meet certain thresholds—such as having annual gross revenues over $25 million, processing personal information of 100,000 or more consumers or households, or deriving 50% or more of their revenue from selling or sharing personal information—must comply.

Importantly, the CPRA places greater emphasis on accountability through mandatory risk assessments, enhanced contractual obligations with service providers, and expanded transparency in data-sharing practices.

Prevalence: 4/10

Difficulty: 4/10

Australian Open Banking / Consumer Data Right (CDR)

The Consumer Data Right is Australia’s open data scheme. Organisations must be accredited under it before they can receive data from the sectors it covers (initially banks, with other sectors that collect consumer data being added over time). Although this is an Australian slant, similar regimes are anticipated or already in action in other countries (e.g., the UK, whose Open Banking rules are built on PSD2).

These regimes share a focus on core information security and privacy to ensure consumers’ rights are protected through both the sharing and the subsequent use of their data. Open data standards are still at an early stage, but they are widely anticipated to transform the tech industry’s products and its use of data.

Prevalence: 2/10

Difficulty: 5/10

System and Organization Controls 1 (SOC 1)

The System and Organization Controls (SOC) reports are the oldest on this list. SOC 1 was the first generation, and its lineage runs through a series of earlier and country-specific standards (FRAG 21/94, SAS 70, ISAE/ASAE 3402, SSAE 16 and now SSAE 18).

These reports cover controls at a service organization that are relevant to its customers’ financial reporting, with the general purpose of satisfying external audit requirements, including Sarbanes-Oxley internal controls over financial reporting. SOC 1 was used more broadly for information security before SOC 2 was introduced for that purpose, and it continues to be common where you have publicly listed enterprise customers.

Prevalence: 5/10

Difficulty: 5/10

Cloud Security Alliance STAR Program (CSA STAR)

The Cloud Security Alliance (CSA) Security, Trust, Assurance, and Risk (STAR) program has three levels, all based on the CSA Cloud Controls Matrix (CCM): Level 1 is a self-assessment, Level 2 is a third-party certification (built on ISO/IEC 27001) or attestation (built on SOC 2), and Level 3 is continuous auditing. The program is growing rapidly as cloud security threats evolve. Level 2 is where CSA STAR is most used to satisfy stakeholders, including customers, that a provider’s security practices meet their requirements.

Prevalence: 4/10

Difficulty: 8/10

HITRUST Alliance

HITRUST is a private organization that developed a master framework (the HITRUST CSF) designed to provide an all-inclusive approach. Enterprise healthcare in particular drives this standard to ensure its interests and compliance requirements are covered. That often includes HIPAA as a subcomponent, general information security of the kind covered by ISO/IEC 27001, and a rigorous, best-practice focus on governance, risk, and compliance.

Prevalence: 3/10

Difficulty: 9/10

ESG Reporting (Environmental, Social, Governance)

The list can’t be complete without a mention of environmental, social, and governance (ESG) reporting. ESG is quickly becoming as significant as information security assurance as public pressure mounts and enterprises need to satisfy their commitments, including commitments that extend to the third parties they use.

ESG is not a standard per se; it’s an area of growing importance. We’ve developed our own ESG standard to plug a market gap and enable any business to report its ESG practices to satisfy customers and other stakeholders. In the broader market, GRI, SASB, CDP, and B Lab’s B Corp certification are a few of the main standards and certification schemes.

Prevalence: 5/10

Difficulty: 3/10

What Compliance Standard is Best For Your Business?

Most B2B cloud services businesses comply with at least one of the above standards. Most commonly that’s starting with SOC 2 or ISO/IEC 27001. These standards benefit from broad recognition. They establish a baseline of information security and compliance practices that lay a good foundation for working with enterprise customers and the other compliance standards on the list.

About 50–70% of those companies also comply with one or more other standards from the list above. Despite being very similar, SOC 2 and ISO/IEC 27001 are often both achieved to satisfy varying customer preferences. SOC 1, HIPAA, and the Consumer Data Right (CDR) overlap substantially with the SOC 2 control set and are largely also addressed by ISO/IEC 27001.

It’s common for these to be added to the baseline to satisfy large publicly listed companies (SOC 1) or healthcare customers (HIPAA), or to gain accreditation to participate in Open Banking as a fintech (CDR). For companies operating globally and collecting some form of personal data (most cloud services businesses), the privacy regulations apply by region: the GDPR in Europe and the CPRA in California.

Then there’s a smaller group, around 10%, that see compliance as a competitive advantage or otherwise want to cover all bases to reduce the friction in selling into and serving enterprise customers. That’s where CSA STAR, HITRUST, and/or ESG reporting are used to bolster the compliance program and demonstrate best-in-class compliance.

Where to Start With Compliance?

After reading this list, you may still wonder: What’s involved in each standard? How long would it take to achieve? What sort of cost can you expect (including your team’s time)? Is it realistic and achievable for your business?

The good news is, we’ve created free software to help you answer those questions. In roughly 60–90 minutes you can assess yourself against the above standards to see exactly where you do and don’t comply. The tailored outputs give you a baseline of your existing state, with recommendations to close the gaps and achieve compliance.

Our software is a world-first to remove the significant duplication between these standards, so there’s no harm starting with a longer list of potential standards, then narrowing it down later. Check it out.