The SECURE 2.0 Act of 2022 (“Act”) was designed to strengthen the retirement system and improve Americans’ financial readiness by expanding access to plans, encouraging savings, enhancing flexibility in planning, and simplifying plan administration.

The Act introduced several key implications for employers offering retirement plans, with many taking effect this year. Some of the Act’s most notable provisions include the following.

Effective January 1, 2025, new defined contribution plans such as 401(k) or 403(b) plans that were signed and enacted after December 29, 2022, must automatically enroll participants upon becoming eligible unless the participants opt out of coverage.

Plans established before December 29, 2022, are “grandfathered” and not subject to this mandatory automatic enrollment feature.

The initial automatic enrollment amount for new plans is at least 3%, but not more than 10%. Each year thereafter, that amount increases by 1% until it reaches at least 10%, but not more than 15%.  If a participant makes an affirmative election, that remains in effect. Additionally, participants can affirmatively elect to make contributions in a different amount.

Automatic enrollment is expected to significantly increase employee participation in retirement plans. Participation rates in plans with automatic enrollment typically exceed 90%, for instance, compared to around 44% for traditional opt-in plans.

This broader participation can help plans pass non-discrimination tests more easily, benefiting highly compensated employees as well.

Effective January 1, 2025, plans have the option to increase the amount of catch-up contributions employees aged 60-63 are able to make. If a plan adopts the provision, employees in that age group can make higher catch-up contributions of up to $11,250 to eligible retirement plans. The increased amounts are indexed for inflation after 2025.

Starting January 1, 2026, employees earning over $145,000 in the prior year must make catch-up contributions to Roth accounts in after-tax dollars. Other eligible participants in the plan who are not subject to this new rule will be able to make catch-up contributions on either a pre-tax or Roth basis.

The Act provides increased tax credits for small businesses starting new retirement plans:

The SECURE Act requires employers to allow long-term, part-time workers to participate in the employers’ 401(k) plans. The SECURE Act provision provides that, except in the case of collectively bargained plans, employers maintaining a 401(k) plan must have a dual eligibility requirement under which an employee must complete either one year of service (with the 1,000-hour rule) or three consecutive years of service (where the employee completes at least 500 hours of service).

Section 125 of SECURE 2.0 reduces the three-year rule to two years, effective for plan years beginning after December 31, 2024. Section 125 also provides that pre-2021 service is disregarded for vesting purposes, just as such service is disregarded for eligibility purposes under current law.

Section 110 permits an employer to make matching contributions under a 401(k) plan, 403(b) plan, or SIMPLE IRA with respect to “qualified student loan payments.” A qualified student loan payment is broadly defined as any indebtedness incurred by the employee solely to pay qualified higher education expenses of the employee.

Governmental employers are also permitted to make matching contributions in a section 457(b) plan or another plan with respect to such repayments. For purposes of the nondiscrimination test applicable to elective contributions, Section 110 permits a plan to test separately the employees who receive matching contributions on student loan repayments.

The SECURE 2.0 Act introduces several new types of distributions to offer participants flexibility and support for various situations. Some of the new distributions include:

The Act includes provisions to simplify plan administration by:

Under current law, generally, a Form 5500 for a defined contribution plan must contain an opinion from an independent qualified public accountant as to whether the plan’s financial statements and schedules are fairly presented. However, no such opinion is required for a plan covering fewer than 100 participants with plan balances.

Section 345 clarifies that plans filing under a group of plans (or defined contribution group) need only to submit an audit opinion if they have 100 or more participants with balances. In other words, DOL and Department of Treasury would continue to receive full audit information on at least the number of plans as under current law.

These changes aim to make it easier for employers to offer retirement plans and encourage greater employee participation and savings.

To learn more about SECURE 2.0 or retirement plan disclosures, contact us.

As organizations consider large or complex software purchases, enlisting support from a value-added reseller (VAR) can provide a more efficient and cost-effective approach than dealing directly with the software publisher.

VARs are common in industries with services or products based on deep technical knowledge. Because software publishers are less likely to understand the day-to-day nuances associated with specific industries, VARs add value by mastering the details of specific software solutions and customer needs, and by serving as expert consultants, product support specialists, and customer advocates.

VARs can develop deeper relationships with their clients that go beyond a sale to include implementation, training, and ongoing support. These can be especially important for smaller or mid-sized organizations that may not feel like a priority as they consider working with larger software publishers.

One of the primary benefits of dealing with VARs is their objective advice about whether a given software platform will be a good fit for your organization’s needs. Acting in your interests, a VAR can invest time in getting to know your organization to help you evaluate your options.

A VAR’s insights can be critical in evaluating software solutions aimed at broad markets. For instance, publishers often focus on adding functionality to their products, but it can be difficult to understand whether a wide range of features, typically aimed at a broad market, will benefit your organization.

And if a specific application isn’t a good fit for your needs, a VAR can tell you objectively not to buy it.

Another advantage of working with value-added resellers is their experience dealing with client companies within your industry, and often of similar size or development stage. This experience allows them to better understand your business needs as well as regulatory changes that can influence how you’ll use a software solution.

If, for instance, you’re considering a financial close optimization tool such as BlackLine, the VAR will understand the most important options to start with, provide an upgrade path as your needs change, and explain how the solution will integrate with your other software tools to improve efficiency.

Another VAR advantage with financial management systems is that we approach situations with the perspective and experience of a full-service accounting and advisory firm. We’re not just systems people; we understand clients’ financial reporting and management challenges, and how technology tools can help address those. For more information on our BlackLine services,  visit our page.

Beyond the sale, a VAR can help your organization implement the software, train staff members, and review the system’s performance to identify improvement opportunities on an ongoing basis.

The value-added reseller team will understand the differences between each software solution and can apply real-world experience to help their clients avoid common mistakes and get the most from their investment.

In contrast, many software publishers take a transactional approach to implementation and training by outsourcing those services to outside providers that also view their role as a one-time engagement.

Depending on the specific solution, a VAR may have stronger buying power and the ability to offer more favorable pricing than a single-implementation customer may be able to get on its own. If not, they may be able to offer lower pricing on related services such as implementation, training, and support.

As you weigh your options for large or complex software purchases, remember that enlisting the services of a value-added reseller can provide increased efficiency and cost savings. VARs are common in industries where deep technical knowledge is required.

They offer industry-specific expertise and develop relationships with clients beyond the initial sale to include implementation, training, and ongoing support. If you want to learn more about how we could help you, don’t hesitate to contact our team.

On March 21, 2025, the Financial Crimes Enforcement Network (FinCEN) issued an interim final rule removing the requirement for U.S. companies and persons to report beneficial ownership information (BOI) under the Corporate Transparency Act. 

In its interim final rule, FinCEN revised the definition of “reporting company” in its implementing regulations to mean only entities formed under the law of a foreign country and that have registered to do business in any U.S. State or Tribal jurisdiction. FinCEN also exempts entities previously known as “domestic reporting companies” from BOI reporting requirements. 

Foreign entities will not be required to report any U.S. persons as beneficial owners, and U.S. persons will not be required to report BOI with respect to any such entity for which they are a beneficial owner. 

FinCEN is accepting comments and expects to issue final regulations at a future date. 

Below are the general guidelines for the CTA’s reporting requirement, which are subject to further guidance. This information is not meant to be legal or tax advice, and should not be applied to your specific facts and circumstances without consulting competent legal counsel or another professional adviser. 

International companies required to report under the CTA include corporations, LLCs, or any similar entity formed under the law of a foreign country and registered to do business in any state or tribal jurisdiction by filing a document with a secretary of state or any similar office.

There are 23 categories of exemptions including publicly traded companies, banks and credit unions, securities brokers/dealers, public accounting firms, tax-exempt entities, and certain inactive entities. These are not blanket exemptions, and many government-regulated companies already disclose their BOI to a government authority.

Most notably, certain “large operating entities” may be exempt from filing. To qualify for this exemption, the company must:

The BOI Small Entity Compliance Guide provides further explanations and checklists for these nuanced exemptions.

Any individual who, directly or indirectly, either:

The CTA regulations define the terms “substantial control” and “ownership interest” further.

FinCEN expects every reporting company to have at least one individual to have “substantial control.”

Non-U.S. companies will have to report the following information: the full name of the reporting company, any trade name or doing-business-as name, business address, state or tribal jurisdiction of formation, and an IRS taxpayer identification number (TIN).

Additionally, information is required on the beneficial owners of the entity and, for newly created entities, the company applicants of the entity. The following individual information is required to be reported: full legal name, date of birth, current address, and legal identification.

FinCEN has indicated that it will waive penalties and fines for most non-compliance, and further guidance is expected. As written, penalties for willfully not complying with the BOI reporting requirement are steep and can result in criminal and civil penalties of $500 per day and up to $10,000, with up to two years of jail time.  

This new law is unsettled, complex, and subject to interpretation. Additional information can be found at www.fincen.gov/boi. We urge you to contact your legal counsel to determine whether the CTA applies to you and your applicable reporting requirements. 

In today’s digital landscape, the security of your organization’s assets is only as strong as your ability to identify and address weaknesses. A well-executed vulnerability management program is a core pillar of modern cybersecurity strategy, proactively reducing risk, supporting compliance, and strengthening operational resilience.

A vulnerability is a flaw in systems, processes, or procedures that malicious actors may exploit. Left unaddressed, these weaknesses can lead to data breaches, system downtime, or unauthorized access. A proactive approach to identifying and managing vulnerabilities helps organizations minimize those risks before damage occurs.

Vulnerability management is the continuous or periodic process of identifying, classifying, assessing, prioritizing, remediating, and tracking vulnerabilities across your environment. Whether automated or manual, it’s a disciplined cycle of discovery and action.

The numbers behind the risk:

An effective program goes beyond supporting cybersecurity to reinforce long-term business success. The benefits of vulnerability management include:

A complete and current asset inventory gives you visibility into your environment, enabling smarter prioritization. By correlating vulnerability data with assets, you can determine which systems present the most risk and focus remediation where it matters most.

Correlating vulnerability data with asset inventory provides insight into each asset’s risks. It helps associate individual vulnerabilities with the assets they affect, allowing your organization to identify which systems are vulnerable and prioritize remediation actions accordingly.

This context allows you to focus on the vulnerabilities that pose the most risk to an organization.

Before prioritizing vulnerabilities, it is important to assess their severity, impact, exploitability, and potential impact.

It is important for the organization to determine the criticality of different assets, such as data, applications, and infrastructure. This assessment should consider factors such as asset value and the potential impact of a breach on the organization’s operations.

Remediation includes patching, mitigating, or otherwise resolving a vulnerability. Effective programs log each issue, including source (e.g., scan, penetration test), severity rating, remediation plan, and resolution status.

Tracking vulnerabilities through to resolution provides transparency and enables internal and external stakeholders, such as auditors, to evaluate how well your program aligns with policy and industry expectations.

Vulnerability management is more than a technical checklist—it’s a visible commitment to protecting your organization’s digital assets and the trust of your customers, partners, and regulators.

By taking a proactive, structured approach, you not only reduce risk, you also lay the groundwork for a more secure, sustainable digital future.

Have questions or need help building a tailored vulnerability management program? Contact us to start a conversation.

As organizations work to maintain effective data protection, privacy, and governance, penetration testing provides powerful tools to guard against attacks.

A penetration test, often referred to as a “pen test,” is a simulated cyberattack designed to uncover vulnerabilities in systems and networks before malicious actors can exploit them. By identifying and addressing weaknesses, organizations can strengthen their security posture, ensure compliance with industry regulations, and gain peace of mind.

Unlike automated security scans, pen testing involves human experts who think creatively and adapt their approach during the attack. This provides a comprehensive view of a company’s security capabilities and identifies vulnerabilities that must be mitigated.

Common vulnerabilities that can be discovered during pen tests include:

Penetration testing is most common in industries that handle sensitive data or critical infrastructure, or where regulations mandate the practice. In financial services, for instance, penetration testing is mandated by various payment card and customer privacy regulations and reduces fraud risk by identifying vulnerabilities in transaction systems.

In other sectors, such as healthcare, government and defense, manufacturing, software, telecom and others, pen testing may not be required by regulation. Still, it represents a common and prudent security measure that can mitigate risk and satisfy contractual expectations to maintain data security and privacy.

An effective pen test is a systematic, iterative process that is typically conducted in five phases:

The first step involves defining the test’s objectives and methods. This sets the stage for the pen test and ensures critical systems and networks are included.

Penetration testers review as much information as possible about the target. They may examine public records, network scans, and open-source intelligence to identify potential entry points attackers might exploit.

Testers identify weaknesses in the target organization’s systems and applications, often blending automated tools and manual techniques to pinpoint security gaps.

This is the core of penetration testing. Testers attempt to use any identified vulnerabilities to gain unauthorized access to systems or data. Unlike actual attackers, pen testers stop short of causing damage, focusing instead on demonstrating the risks posed by these vulnerabilities.

The final phase involves documenting the findings and providing the target organization a comprehensive report detailing any discovered vulnerabilities, their potential impact, and recommendations to address them.

By following these steps, penetration testing goes beyond highlighting weaknesses to provide a clear path to strengthening security.

Penetration testing can provide:

The frequency with which an organization should undergo pen testing depends on several factors including its risk profile, any applicable regulations, stakeholder expectations, and other considerations. Consistent testing can help ensure the regular verification of security controls and help the organization adapt to emerging threats and changing environments.

For regulatory compliance, penetration testing is typically required at least annually, at regular intervals, or after significant changes to the environment. Large enterprises often conduct penetration tests every six months or annually, while some high-risk organizations may test monthly. Smaller companies may choose conduct penetration tests annually and focus their efforts on critical data and assets.

To learn more about how penetration testing can help your organization identify and manage cyber risks, contact us.

Managing employee travel expenses effectively requires a balancing act between administrative efficiency and financial control.

Businesses have two primary options for reimbursing employees: per diem rates or actual expense reimbursements. Each approach offers specific advantages and potential drawbacks that need to be evaluated as companies choose a reimbursement method.

With the per diem method, employees receive a predetermined daily amount to cover lodging, meals, and incidental expenses. This approach simplifies recordkeeping, as employees only need to document the time, place, and purpose of their travel—receipts aren’t required. 

The advantages of the per diem method include:

In contrast, actual expense reimbursement requires employees to submit detailed receipts for all travel-related expenses. While this method offers flexibility and more accuracy, it can be time-consuming for employees and employers. 

The advantages of the actual expense method include: 

For businesses opting for per diem reimbursement, two methods are available: 

The high-low method provides two standardized per diem rates—one for high-cost areas and one for low-cost areas. 

In the context of business travel reimbursements, “high-cost areas” are specific cities or regions within the continental United States where the federal per diem rates for lodging, meals, and incidental expenses are set higher due to their elevated cost of living and travel expenses.

This typically includes locations such as New York City, Washington, D.C., San Francisco, and other popular business destinations. The Internal Revenue Service (IRS) and the General Services Administration (GSA) designate these areas and adjust the rates annually to reflect economic changes.

For the fiscal year 2025 (effective from October 1, 2024, to September 30, 2025), the IRS has defined a high-cost locality as any area with a federal per diem rate of $272 or more. Travel to these high-cost areas allows for a per diem rate of $319 per day, which includes $233 for lodging and $86 for meals and incidental expenses.

In contrast, travel to areas not classified as high-cost—or low-cost areas—has a per diem rate of $225 per day, covering $151 for lodging and $74 for meals and incidental expenses.

It’s important to note that some localities are considered “high cost” only during specific times of the year, often due to seasonal demand affecting lodging prices. For instance, per-diem rates in Newport, RI, range from an off-season (November through May) low of $141 before climbing to $268 for the peak summer period and declining to $218 for September and October.

The key benefits of the high-low method include: 

In contrast, the specific location method assigns per diem rates based on the destination, using rates set by the GSA.

The benefits of this approach include:

EEach business has unique travel needs, and choosing the right reimbursement method can impact financial planning and compliance. Keep the following rules of thumb in mind:

The information above is a general overview and not inclusive of every option available to taxpayers. If you need help selecting the best approach for your company, contact us to ensure your policy aligns with IRS guidelines and your business objectives. 

As a technology startup prepares for its first audit, there are a few common accounting issues that can increase the time and cost required to complete the audit.

These issues often result from the accounting/finance team balancing competing priorities, not having certain technical accounting knowledge, or not having proper systems in place to account for transactions properly.

The most common accounting challenges we see for technology companies include:

Technology companies are often unsure how to account for various non-cash, equity related transactions. This includes accounting for equity instruments such as restricted stock, warrants, and stock options. Because non-cash equity activity won’t appear on bank statements, these transactions are often overlooked from a financial reporting perspective and are not recorded (or are recorded improperly).

Similarly, legal or other costs incurred in the issuance of preferred stock are often recorded improperly as legal expenses, rather than being properly capitalized on the balance sheet as stock issuance costs.

A common challenge for tech startups is failing to recognize revenue in line with the often-complex provisions within the GAAP requirements under ASC 606. Startups may struggle to understand, for instance, precisely what’s being sold within a customer contract, the complexities of subscription revenue accounting, or the accounting implications of non-cash items.

Startups often lack a robust revenue recognition policy or may have inconsistencies in recording similar kinds of transactions. In many situations, the accounting for revenue must be adjusted to complete the audit successfully.

For startups that operate through multiple entities/subsidiaries, intercompany accounts are often not reconciled, so the auditors may request that a company unwind historic transactions to determine if intercompany balances are appropriate and in line with any intercompany cost-plus agreements. If a startup has international entities, such as an offshore development subsidiary, the company needs to be sure any foreign currency translations or remeasurements are assessed and calculated properly.

Technology startups face the specific, complex issue of accounting for software development costs in accordance with GAAP. Many companies mistakenly expense the costs associated with software development as they are incurred, but there are complicated rules dictating whether these costs should be capitalized or expensed.

Many companies also lack the necessary documentation regarding the nature of their software development costs, making the accounting determinations increasingly difficult.

If reconciliations aren’t done on a consistent and timely basis, there’s a risk that expense or revenue cutoff dates are missed. As a result, transactions can be recorded in the wrong period, which causes an inaccurate accounting of the organization’s performance in each period. Common causes for this issue include a lack of proper accounting policies or inconsistent practices among different team members.

While most of these startup challenges can be resolved, a consultation with your external auditor early in the audit process to identify and resolve potential roadblocks is extremely beneficial. Consulting with your auditors as you’re setting up systems, developing accounting policies, and creating your financial infrastructure can save time and money while helping you achieve your business goals sooner.

If any of these scenarios sound familiar, don’t hesitate to reach out.

Internal controls are the processes and procedures that ensure efficient operations, reliable financial reporting, and legal compliance. They provide an important framework for promoting accountability, integrity, and transparency within an organization and play a vital role in helping governmental entities safeguard their financial assets, fulfill their obligations to serve constituents and maintain public trust.

Strong internal controls increase public trust and allow governments to carry out their essential services effectively. They also help guarantee the accuracy of financial information shared with citizens and funding sources.

One of the most common challenges governments face in implementing effective internal controls is their comparatively smaller staffs. With limited budgets, governments are more likely to invest funds in public-facing roles such as teachers or police officers. In contrast, people in operational roles like the finance function are asked to do more with less.

This approach can make preventative controls such as segregation of duties difficult to implement. For instance, tasks such as writing a check, signing that check, and recording the payment should, under ideal circumstances, be performed by separate people to reduce the risks of fraud or errors. But if a finance department has two staff members, this level of segregation isn’t possible.

Key Red Flags for Detecting Fraud or Errors

In response, a government finance team should implement a mitigating control designed to reduce the severity or impact of a risk. To address staffing shortages, for instance, creating a procedure such as having the team prepare checks that are later signed by an oversight board member, or a city manager reviewing credits posted within a given period.

In the latter example, the city manager could be given a one-page checklist highlighting common signs of errors or fraud. If they identify a transaction that looks irregular or suspicious, they can contact the city treasurer to investigate the question.

To prevent fraud, obtain bank check images routinely and have someone outside the accounting function review them for unusual activity. This reduces the risk of a bookkeeper writing checks to themself.

Effective internal controls also provide a strong deterrent because staff members are less likely to act inappropriately if they know transactions are reviewed routinely.

Government organizations face particular vulnerability at cash collection points. For example, water utility payments can present a significant risk, especially in smaller municipalities where customers frequently pay in cash at local offices. Similarly, event tickets for school sporting events and student activities generate substantial cash that requires careful handling.

Disbursement processes, particularly vendor verification, represent another critical control point. Fraudsters can establish fictitious companies that submit invoices for payment, counting on overworked staff to process them without adequate scrutiny. Prevention strategies include:

Similarly, regular reviews of payroll changes by someone outside the payroll department can detect unusual patterns such as employees without deductions, address changes that might indicate diverted payments, or unauthorized pay rate increases. Implementing formal authorization protocols for all changes can strengthen this control environment further.

For governments looking to create or upgrade their internal controls, several frameworks can provide valuable guidance. The COSO framework, for instance, is an internal control system designed to help organizations improve their oversight and governance practices. The COSO framework includes five interconnected components:

Government organizations are prime targets for cybercriminals seeking to exploit financial systems through sophisticated digital attacks. Phishing scams represent one of the most prevalent threats. Attackers often leverage inside knowledge gleaned from compromised email accounts to create convincing scenarios, such as people pretending to be leaders and requesting the immediate transfer of funds.

Wire fraud schemes similarly target government entities by impersonating legitimate vendors requesting banking information changes. These attacks succeed because perpetrators understand that government finance teams are often understaffed.

Prevention strategies must center on comprehensive employee training programs that equip all staff—not just finance personnel—to recognize and respond to potential threats. Establishing secondary verification processes for fund transfers above a certain threshold, particularly requiring approval from someone outside the typical authorization chain, provides an additional layer of protection against social engineering tactics.

When fraud is detected, immediate response can mean the difference between recovery and permanent loss. Government organizations should maintain a documented response plan with clear protocols for freezing accounts, contacting law enforcement, preserving evidence, and notifying relevant stakeholders.

Your plan should identify specific responsibilities and include after-hours contact information for key personnel since attacks are often timed outside normal working hours.

By anticipating common exposures and developing effective internal controls to prevent or detect loss, governmental entities can improve their risk management initiatives and reduce the chances of financial errors or fraud, diluting their ability to serve constituents and fulfill their primary purpose.

To learn more about creating effective internal controls for government entities, contact us.

Undergoing your technology startup’s first audit can be daunting. Here are a few tips to help ease the stress.

You’ll need the cooperation of several key team members to navigate your first audit successfully. Your auditor will need to understand your accounting policies and your general business practices. Ensure key team members with knowledge of accounting, HR, sales, and operations are ready to participate in the audit process.

It is common for startup companies to operate without a robust accounting team in their early stages. For that reason, before the first audit it is common for financial statements to be on a cash basis or have other deviations from U.S. Generally Accepted Accounting Principles (“US GAAP”).

Before beginning your first audit, ensure the company’s accounting records are brought in order. This includes reconciliations for all balance sheet accounts, documented accounting policies for key areas, and ensuring your supporting documentation is available and organized.

As mentioned in #2, there are several common accounting issues in startup company financial statements. Ensure you engage someone with the necessary understanding of U.S. GAAP accounting rules to facilitate the audit. Some of the most common areas of accounting complexity include:

See this article for more detail around these complex areas:

5 of the Most Common Audit Challenges We See with Tech Startups

Understanding the business need for the audit is crucial to building the timeline. Knowing who is counting on the audit report (such as lenders or investors) can determine whether there are any hard deadlines to meet.  Once you establish a deadline, work with your auditor to lay out a detailed timeline.

The audit process is iterative and requires management’s cooperation throughout, so it is important to establish key milestones with your auditor to ensure both parties stay on track. Request regular check-ins with your auditor to ensure any issues are resolved timely.

Initial audits take time to complete, so be sure to communicate proactively and continuously with key stakeholders to manage expectations.

At the end of each audit, your auditor will provide you with their report as well as more detailed results for management’s consideration. It is common for startup companies to receive recommendations from their auditor on areas needing improvement. Common deficiencies the first time through an audit include a lack of supporting records, improper segregation of duties, or insufficient internal controls.

Talk through the findings with your auditor, discuss remediation priorities with the Board of Directors or Audit Committee, and make a plan to begin implementing their suggestions. At the end of the audit, you should also provide feedback on the process to you auditor because developing a good working relationship with your auditor requires providing feedback in both directions for shared success.

Use this checklist to assess your readiness. Audit Readiness Checklist – Technology Company (First Year Under Audit)

When choosing an auditor, look for a firm experienced in the auditing of startup companies who will be prepared to partner with your company throughout the process. At Sensiba, our technology accounting team has helped hundreds of startups navigate their first audits successfully. Contact us to discuss your company’s needs.

Technology startups often overlook the Research and Development (R&D) Tax Credit. In doing so, they bypass the powerful benefits the credit can provide during a company’s earliest stages (and beyond).

Legislative provisions allow companies to apply some or all of their research tax credit against payroll taxes—instead of income taxes. This can free up valuable cash as the company works to establish its marketplace and financial foundations.

The federal Research and Experimentation (R&E) tax credit, often called the R&D Tax Credit, is designed to incentivize U.S. private-sector innovation by providing cash savings that, in turn, enable investment or reinvestment and growth.

Companies can receive credits for up to approximately 10% of project-qualifying expenditures that satisfy a four-part test embedded in the legislation:

Wages, typically the major driver of R&D credits, include the eligible portion of all taxable compensation. Qualified wages include the portion of an employee’s compensation corresponding to the percentage of working time engaged in one of several designations.

Direct conduct wages (engineers, scientists, and programmers performing the basic work required to complete an R&D project) typically represent the largest eligible wage expense category, though the credit also includes direct support (production personnel, testers, drafters) and first-line supervisors.

Note that under Section 174 of the Tax Code, domestic research or experimental expenditures must be capitalized and amortized over five years (expenses attributable to foreign research must be amortized over 15 years).

During the startup phase, most technology companies make significant investments long before their products and services begin to generate revenue, let alone profit. For these companies, the payroll tax election offers an opportunity to get immediate use from the organization’s research credits. Because every dollar of credit-eligible expenditure can result in as much as a 10-cent tax credit, that’s a big help in a company’s earliest stages.

To qualify for the election, a company must have gross receipts for the election year of less than $5 million and no more than five years (or tax periods in the case of short years) past the period for which it had no receipts (the start-up period).

Since tax year 2023, the amount of research credit a company can elect to use the payroll tax offset doubled to $500,000. The company can allocate the payroll tax offset (which can be applied to the employer side of Social Security and Medicare, not just the Social Security portion of FICA taxes) in any value up to the amount of total credits generated or the statutory maximum.

Reporting and documentation changes starting with the 2024 tax year are increasing the complexity of filing for the R&D credit by mandating more detailed disclosures of business component details and expenses.

A new Business Component Information section on the proposed new Federal Form 6765 requires taxpayers to identify specific projects included in the credit and to break out qualified research expenses by project. Direct wages are further allocated to the conduct, supervision, and support of qualified research.

Time tracking and project-level accounting, often set aside during the long days and nights that define startups with leaders performing multiple roles, can provide valuable information for claiming the R&D credit on a company’s return. Companies should take time to ensure expenses are coded to the relevant project.

Absent time-tracking tools and processes, startups should conduct quarterly surveys to capture lists of ongoing projects and the time allocated to them.

The R&D tax credit is an active area, with legislative changes under discussion at the federal and state levels. For more details, explore the webinar video and the accompanying slides on this page. To understand the latest developments and how they may affect your technology company, contact us.

Building a successful tech startup requires more than an innovative product or service—you also need to implement back-office tools, processes, and teams to ensure you’re operating the business efficiently, managing your financial resources, and reporting your results effectively.

Financial shortfalls are among the most common causes of startup failures, and failing to create a back-office infrastructure can lead to your company burning through precious cash too quickly, or not being able to obtain additional investments.

To prevent these challenges from crippling your company, you need to monitor income and expenses, and keep your board and investors informed, by building a strong back office and choosing the right software and professionals for your needs.

Running a tech startup is all about innovation. Without a strong back office, cash burn, lack of controls, and unclear financials can derail your progress quickly. We’re here to meet you where you’re at—providing flexible, cost-effective solutions that can give you the clarity and control needed to keep your business on track.

Understanding your burn rate and financials provides essential insights to help you plan your investments, finance your operations, and make any necessary adjustments to preserve assets and ensure you’re able to not only remain in business, but to grow it, too.

A well-organized back office isn’t just about managing operations; it’s the backbone that provides your board and investors with the insights they need to make informed decisions. With clear, accurate financials and streamlined reporting, a solid back office ensures the key stakeholders fully understand your business’s performance, risks, and potential.

An effective tech company back office combines tools, people, and processes. Let’s begin with software. Most companies start by trying to manage their finances with spreadsheets. They quickly realize their lives can be easier by switching to dedicated accounting software with robust budgeting and reporting features.

Your software should help you track the funds flowing into and out of the company, post transactions to the appropriate accounts, support your company’s budgeting, and enable financial reporting to interested stakeholders.

No two businesses are alike, and neither should their tech stack be. Building the right tech stack isn’t just about choosing the latest tools—it’s about selecting software that aligns with your unique business needs. A strong partner can help you navigate this complex landscape and develop a stack that not only fits your present needs but is also flexible enough to adapt to future innovations and challenges.

Along with software, it’s also valuable to invest in outsourced accounting and financial management professionals who can provide experienced support and guidance without your company investing in full-time staffers you may not need yet.

Tech startups can benefit from fractional CFO services in which an experienced financial professional provides management and advisory support on a part-time, retainer, or contract basis. Depending on the company’s development stage and needs, this can include advice on:

A fractional CFO can help the rest of the management team understand the company’s performance in detail, communicate effectively with the board and outside stakeholders, and provide guidance as the company pursues additional financing rounds or, potentially, a strategic transaction.

The CFO will be able to provide valuable perspectives they’ve learned from previous work supporting tech startups as well as their technical expertise.

Tech companies can also take advantage of outsourced accounting services to handle their day-to-day needs. The outsourced accounting team will help the organization enhance cash flow by managing accounts payables and receivables, and tracking customer payments. The team will also handle financial management tasks such as:

An outsourced financial team can also support the company’s management by acting as a one-stop shop for any company needs. If we don’t do it, we’ll have a referral for it. This may include, for instance, tax advisors, a payroll service, HR support, legal help, and other functions.

Together with effective financial management and accounting tools, a tech startup’s team can provide the basis for a strong back office that allows the company’s innovation and operational leadership to focus on their core products and services. At the heart of what we do is bridging the gap and eliminating the guesswork, empowering you to focus on what truly matters—fulfilling your purpose and driving the success of your business.

To learn more about how an effective back office can support your technology startup, contact us.

A well-executed risk management process does more than protect an organization—it drives growth. Far from a defensive strategy, risk management is a structured approach to identifying, assessing, and mitigating risks that could disrupt business objectives.

When done right, risk management enhances operational efficiency, promotes resilience, and uncovers new opportunities.

A risk management policy lays the foundation for how your organization identifies, prioritizes, and responds to risk. It defines your overall approach and outlines responsibilities at every level, from the board to the control owners.

When drafting a policy, consider including:

A documented policy helps create a repeatable, transparent process that can evolve with your organization.

A comprehensive risk register starts with input from across the organization. Engaging stakeholders from various departments helps uncover risks from multiple perspectives—financial, operational, strategic, compliance, and reputational.

Risk identification doesn’t need to be intimidating. When approached thoughtfully, it becomes a tool for strengthening security, improving stability, and advancing your mission.

Once risks are identified, the next step is a formal risk assessment. Each risk should be evaluated for likelihood and impact using the framework defined in your policy. This classification allows you to prioritize risks and develop focused mitigation plans.

Risk assessments should be conducted regularly. While annual reviews are standard, your organization may benefit from more frequent evaluations depending on your risk profile and industry changes.

Effective risk management requires using the right mix of mitigation strategies based on the nature of each risk. Common approaches include:

These strategies should reflect your organization’s goals and be grounded in current knowledge of identified risks.  

Risk management doesn’t end after the initial assessment. Ongoing monitoring is essential for adapting to changing circumstances. A strong monitoring plan helps organizations stay ahead of emerging risks and continuously improve their approach.

Your risk register should serve as a living document. Keep it updated with new risks, evolving threat levels, mitigation outcomes, and ownership changes. Clear reporting practices ensure that key stakeholders remain informed and can take timely action.

Managing risk is an ongoing process, not a one-time effort. Organizations that approach risk strategically—building awareness, embedding strong practices, and adapting to change—are better positioned to thrive in a fast-moving world.

Risk management is no longer just about defense. It’s a path to building resilience, fostering innovation, and achieving long-term success.

To learn more about effective risk management, contact us.

Defining the scope of an ISO/IEC 42001 compliance audit is an important early step in aligning the audit with the standard’s requirements, organizational risk, and stakeholder expectations.

In creating the audit scope, organizations need to define their Artificial Intelligence Management System (AIMS) and the associated roles, develop a governance structure, and identify important AI-related risks and controls.

Throughout the scope determination process, organizations should keep risk management and responsible AI use in mind. This should include assessing the organization’s processes for identifying and managing AI-related risks, as well as evaluating different types of exposures (such as risks inherent to AI development and use, control risk, and detection risk).

An important starting point in determining your scope is identifying the AI roles your organization performs. These will typically include being an AI provider, producer, or user (or a combination of these roles). Different AI roles have varying requirements and controls within the ISO/IEC 42001 standard. In addition, understanding these roles will provide valuable organizational context that will influence how the organization approaches AI risk assessment and management.

Once roles have been clarified, the next step is determining which AI systems will be included in the audit scope. Depending on the organization and the roles it performs, this may include specific AI products or services, third-party AI tools the organization uses, or systems or tools in development or testing phases.

After outlining the AI systems that will be reviewed during the audit, it’s time to consider the organizational boundaries of your AIMS. These can include:

You’ll next consider the inside and outside factors that can influence your AIMS. This list may include organizational objectives and strategies, regulatory requirements, or technology and industry trends affecting your AI use or plans.

Next up, consider anyone who could be interested in the responsible governance of your AI tools and systems. This may include, for instance, your internal users or customers, regulators, business partners, or suppliers.

The next phase of the audit scope definition process is ensuring your proposed audit scope aligns with your organization’s AI policies and objectives. Key steps in this phase include:

After reviewing the items discussed above, it’s time to draft a clear and concise scope statement that:

The ISO/IEC 42001 standard’s organizational structure can provide important insights in developing an effective audit scope. The standard includes 10 clauses outlining key requirements, such as:

The standard, and the specific controls outlined in the standard’s Annex A, will influence the type of evidence auditors seek to assess how well the organization’s AIMS aligns with the standard’s core requirements.

For example, the standard outlines methodologies for effective audit planning such as gap analyses to identify discrepancies between current practices and the standard’s requirements, as well as evidence collection through interviews, system testing, and document reviews.

The following examples illustrate the types of information outlined in ISO/IEC 42001 audit scope statements:

The scope of certification encompasses the Artificial Intelligence Management System (AIMS) governing ABC Corp’s role as an AI Service/Product Provider, delivering solutions through the Debra AI Agent solution. This includes the deployment, monitoring, and continuous enhancement of AI models to deliver advanced analytics and decision-support capabilities for clients across diverse industries

The scope of certification encompasses the Artificial Intelligence Management System (AIMS) governing the organization’s role as an AI provider, delivering cutting-edge solutions through the ABC Corp Platform (SaaS). This includes the deployment, monitoring, and continuous improvement of AI models to provide advanced analytics and decision-support capabilities for clients across various sectors. The organization is headquartered in Pleasanton, California, United States, with remote employees located globally. This certification aligns with ISO 42001 standards and is based on the SoA version 2.0 dated October 19, 2024.

By taking time to review the standard and plan an appropriate audit scope, organizations can ensure a comprehensive evaluation of their AIMS that in turn promotes more effective and responsible AI system, development, management, and usage.

To learn more about ISO/IEC 42001 and strategies for responsible AI governance and use, contact us.

When handling sensitive health data, HIPAA compliance isn’t optional—it’s legally required. For startups entering the healthcare space or SaaS companies expanding into health tech, understanding the requirements of the Health Insurance Portability and Accountability Act (HIPAA) is essential to reducing risk and building trust.

HIPAA is a U.S. federal law enacted in 1996 to safeguard Protected Health Information (PHI). It sets strict requirements for how PHI must be accessed, stored, and shared, and it applies to healthcare providers, insurers, and any vendors or “business associates” that process PHI on their behalf.

For early-stage companies, HIPAA compliance can seem overwhelming. Limited resources and competing priorities often make it difficult to know where to start. The key is to focus on a few foundational elements:

By focusing on these areas, startups can build a scalable compliance foundation without stalling innovation.

For SaaS providers handling PHI, HIPAA should be a central part of your security and infrastructure strategy. This includes ensuring your application architecture, hosting environment, and data storage align with HIPAA’s technical safeguards.

Working with a HIPAA-compliant cloud provider is a good start, but it’s not enough. Your team is still responsible for ensuring the software you build includes essential features like encrypted communications, user access controls, audit logging, and breach notification processes.

Technically, software can be built to support HIPAA compliance, but software alone isn’t compliant. True HIPAA readiness involves a combination of secure technology, documented policies, employee training, and consistent enforcement. Even the most secure platform can become a liability if people or processes fail.

Automation can dramatically reduce the complexity of managing HIPAA compliance. Tools that streamline risk assessments, policy management, training, and documentation can reduce manual error and scale with your company’s growth.

For SaaS companies, integrating compliance checks directly into the software development lifecycle is a practical way to maintain HIPAA standards as new features are released.

There is no official “HIPAA certification.” Instead, companies may undergo independent audits or assessments to evaluate their compliance posture. These audits don’t result in a government-issued certificate, but they can serve as critical proof of due diligence to clients, partners, and investors.

HIPAA compliance is a significant responsibility, but it’s manageable with the right systems and guidance. By focusing on key requirements, leveraging automation, and embedding compliance into your operations, you can protect sensitive data while supporting business growth.

Whether you’re a health tech startup or an established SaaS company expanding into healthcare, proactive HIPAA compliance reduces risk and builds credibility with your customers.

Need help assessing your HIPAA readiness or preparing for an audit? Contact us to explore how we can support your compliance journey.

One of the most common challenges for taxpayers during the first tax season (running from February 15 through April 15) is a too-common delay in getting Schedule K-1 forms. Since April 15 comes around every year, why do we receive these vital forms later and later each year?

The delay causes stress for taxpayers who want to file by April 15, and there are a number of taxpayers who have to fight to get their K-1s in time for filing even with extensions running to October 15. And what should you do while you’re waiting for K-1s?

Schedule K-1 is a federal tax form used for reporting the income, losses, and dividends to an entity’s partners or shareholders. K-1s are usually issued by pass-through entities that don’t pay corporate tax on their income but shift tax liabilities to their stakeholders.

Most K-1 forms are due to taxpayers by March 15. This is often not enough time for tax preparers to incorporate K-1 data into clients’ tax returns by April 15. This delay is often accentuated when clients don’t transfer the schedules to their CPA immediately.

The timing is tight to begin with. We then have to contend with K-1s that aren’t done by April 15, or even much later, for a variety of reasons.

To start, a K-1 cannot be issued until the entity completes its tax return. And tax laws, partnerships, S-Corps, and investment structures continue to increase in complexity. To deal with this complexity and volume, completing K-1s can be a manual, time-consuming process. Any bump in the road in creating them creates a daisy chain of delays.

For instance, if K-1s are late for a partnership that’s waiting to complete its tax accounting, that affects the partnership’s ability to send timely K-1s to its members. Other reasons K-1s might be delayed include:

There are some things taxpayers can do to speed up the receipt of K-1s, or at least reduce the impact of K1 delays:

K-1 form delays are common and can cause stress for taxpayers. To minimize the impact of K-1 form delays caused by tax law complexities, lack of preparation, and postal issues, taxpayers can request an expected time frame, utilize electronic delivery, and ensure updated mailing information. Our team of experts is here to help ensure that you receive your K-1 forms on time and can accurately report your income, losses, and dividends to the IRS. Contact us today to find out how we can help.

Businesses often pursue attractive opportunities to increase their customer base and revenue by expanding overseas. This can be done in several ways, including through direct exports, or by forming or purchasing a foreign subsidiary to conduct sales on your behalf.

Beyond the direct business benefits of generating international revenue, overseas operations can provide a variety of tax benefits that can further increase a company’s profitability.

If sales are performed as direct exports, for instance, it is important to track these sales as there are multiple ways to gain income tax benefits from the foreign sales if you are organized as a C-Corp.

The first way C-corps can benefit is from the Foreign-Derived Intangible Income (FDII) deduction allowed under section 250 of the Internal Revenue Code. This deduction, intended to incentivize U.S. companies to keep intellectual property and related profits in the United States, was introduced as part of the 2017 Tax Cuts and Jobs Act.

The corporation would be allowed a 37.5% (reduced to 21.875% in 2026) deduction of their foreign derived income after taking into account the ratio of the foreign sales to domestic sales and expense allocation/apportionment. FDII provides a reduced effective tax rate of 13.125% on qualifying foreign-derived income, compared to the standard 21% corporate tax rate.

Qualifying income includes revenue from:

To claim the deduction, corporations need to carefully track and calculate their foreign-derived income and related expenses. The complex calculations and data requirements make it important for companies to analyze their eligibility and potential benefits thoroughly from the FDII deduction.

The deduction rate is scheduled to decrease to 21.875% in 2026, resulting in an effective tax rate of 16.406% on FDII.

The second way to benefit from non-U.S. sales is from the foreign tax credit (FTC), which is a benefit that allows U.S. taxpayers to offset income taxes paid to foreign countries against their U.S. tax liability. The primary purpose of this credit is to prevent double taxation on income earned abroad.

The FTC allows taxpayers to reduce their U.S. tax liability dollar-for-dollar based on the amount of foreign income tax they pay. Taxpayers can choose to claim foreign taxes as either a credit or an itemized deduction. The credit is usually more beneficial as it reduces the U.S. tax liability directly.

Most foreign sales would be considered general limitation income for purposes of the foreign tax credit, as long as:

Any income or withholding foreign taxes paid (not including VAT and similar taxes) can be used to offset the income due in the U.S., subject to the foreign tax credit limitation calculation. The most important point to remember as you prepare for year-end would be to document the amount of foreign sales, and the methodology used to conclude the sales as foreign source.

U.S. corporations must complete Form 1118 to compute and claim their FTC. The form requires extensive documentation about the corporation, its foreign income, and applicable deductions or credits.

Form 1118 requires separate calculations for different categories of foreign income, such as:

When completing Form 1118, corporations must maintain detailed records of foreign taxes paid, including tax receipts, returns, and other relevant documentation. Foreign income, expenses, and reported taxes must be converted to U.S. dollars using IRS-approved exchange rates.

Excess foreign tax credits can be carried back one year or forward up to 10 years.

It is similarly important to track your basis in the foreign entities you own, both in the cases of selling your shares in the foreign entity or receiving a distribution from the entity.

Basis is calculated based on the initial contribution or purchase price. Basis is increased by any future contribution or additional purchase of shares as well as the accumulation of earnings of profits, and, similarly, is decreased by any distributions received.

This is important no matter how the entity is treated in the U.S., whether as a controlled foreign corporation (CFC), a passive foreign investment company (PFIC), controlled foreign partnership (CFP), or simply an entity held for investment.

It takes much more effort and expense to gather the required data together while a transaction is taking place. Instead, it is much more efficient to begin tracking the necessary information ahead of any potential transaction.

This can also be important as companies are often required to book a deferred tax liability for any potential withholding taxes that would be due upon the distribution of all earnings and profits of the foreign entity and document under APB 23 as a temporary difference unless there exists in the tax law a means by which the investment can be recovered tax-free.

The presumption that all undistributed earnings will be transferred to the parent company may be overcome, and no income taxes should be accrued by the parent company, if sufficient evidence shows that the subsidiary has invested or will invest the undistributed earnings indefinitely or that the earnings will be remitted in a tax-free liquidation.

In this case, a memo should be prepared documenting the position and relative evidence including specific plans for the reinvestment of the undistributed earnings showing that the remittance of the earnings will be postponed indefinitely.

To learn more about how international tax incentives can benefit your business, contact us.