What Is HITRUST?

The HITRUST cybersecurity framework provides a comprehensive approach to managing data protection, information risk, and regulatory compliance.

First developed for the healthcare industry, HITRUST has been adopted by organizations in a variety of sectors. It offers a broad-ranging framework that integrates requirements from more than 40 global data security standards and regulations.

This blended approach can help organizations take a unified approach to addressing multiple compliance needs such as:

  • The Health Insurance Portability and Accountability Act (HIPAA)
  • The EU’s General Data Protection Regulation (GDPR)
  • The California Consumer Privacy Act (CCPA)
  • The Payment Card Industry Data Security Standard (PCI DSS)

Beyond compliance, HITRUST certification can reduce the risk of data breaches by requiring strong, evidenced cybersecurity controls, and it demonstrates an organization’s commitment to data privacy in a way that builds trust with clients and partners.

HITRUST certification is pursued most often by service providers, business partners, and vendors. It provides assurance to stakeholders that the organization has robust controls, policies, and procedures in place to process, store, and manage sensitive data responsibly.

Understanding HITRUST

HITRUST, originally an acronym for Health Information Trust Alliance, is designed to provide a standardized approach to managing data protection, information risk, and regulatory compliance.

The HITRUST organization is a privately held company. It provides the HITRUST CSF (Common Security Framework) and other tools for managing information risk and compliance. The organization collaborates with public and private sector experts to identify emerging cybersecurity threats and develop effective countermeasures.

The 19 Domains That Comprise the CSF

The HITRUST CSF encompasses a range of security controls organized into 19 high-level domains covering various aspects of information security. Each domain contains control specifications that organizations must implement to achieve compliance.


The framework also assesses each control against five maturity levels: Policy, Procedure, Implementation, Measured, and Managed. Organizations must complete the first three to obtain certification. The Measured and Managed levels are optional, but assessing them can increase an organization’s certification score and demonstrates a stronger commitment to the framework’s goals.

This risk-based approach helps organizations align their security and compliance efforts with their exposures, and potentially offers a more cost-effective approach to cybersecurity by enabling organizations to customize their efforts for their specific needs.

The Benefits of HITRUST Certification

Achieving HITRUST certification offers numerous benefits:

  • A Unified Compliance Approach: HITRUST harmonizes multiple regulatory and industry requirements, including HIPAA, GDPR, PCI DSS, and the SOC 2 criteria, among others. In addition to simplifying the overall compliance process, being able to demonstrate HITRUST certification may satisfy customer inquiries about compliance with other standards.
  • Risk Mitigation: By meeting the requirements within the HITRUST standards, organizations can effectively identify and mitigate risks associated with handling sensitive information.
  • Enhanced Trust: HITRUST certification demonstrates a commitment to high information security and privacy standards that builds trust among customers, partners, and other stakeholders.
  • Marketplace Advantages: Organizations that achieve HITRUST certification may enjoy competitive advantages as prospects evaluate potential service providers.

The HITRUST Certification Process

Obtaining HITRUST certification requires a validated assessment by a HITRUST Authorized External Assessor. Depending on an organization’s size, complexity, risk factors, and readiness, the process can take three to 18 months to complete.

There are several steps for most organizations:

  • Preparation and Planning
    • Define the scope of the assessment, including systems, processes, and data.
    • Conduct a gap analysis comparing current security practices to the HITRUST requirements.
  • Readiness Assessment
    • Complete a risk-based scoping questionnaire to determine the controls to implement and the scope of the assessment.
    • Conduct a self-assessment or readiness assessment.
  • Remediation
    • Address any gaps identified during the readiness assessment.
    • Implement or update controls, policies, and procedures to align with HITRUST CSF requirements.
  • Validated Assessment
    • Engage a HITRUST Authorized External Assessor to perform the validated assessment.
    • Undergo external validation testing, which includes evidence reviews and possible on-site testing.
  • HITRUST Quality Assurance Review
    • Submit the completed assessment to HITRUST, which performs a quality assurance review.
    • Respond to any additional requests for documentation or clarification.

Based on the assessment results and the quality assurance review, HITRUST makes the final decision to approve or deny certification. HITRUST offers three assessment types: the e1 (Essentials), the i1 (Implemented), and the r2 (Risk-based). If approved, HITRUST issues a certification that is valid for two years for an r2 assessment or one year for an e1 or i1 assessment.


While the process can seem complex, HITRUST certification can help organizations enhance and streamline their overall cybersecurity and compliance while providing other compelling benefits. To learn more about HITRUST certification, contact us.

Protecting Qualified Small Business Eligibility While Navigating Section 174

Section 174 rules that require businesses to capitalize their R&D expenditures, instead of deducting them immediately as expenses, increase a company’s gross assets. That increase can jeopardize a qualified small business’s (QSB) eligibility for attractive tax benefits and capital gains exclusions.

The capitalization requirement under the Tax Cuts and Jobs Act (TCJA) Section 174, which took effect in 2022, can create unpleasant surprises for business owners and investors by increasing their adjusted tax basis.

The One Big Beautiful Bill Act (OBBBA) was signed into law in July 2025. It ends mandatory capitalization and amortization of domestic Section 174 expenditures for tax years beginning after December 31, 2024. The treatment of foreign research expenditures remains unchanged.

Read our article for more information: OBBBA Delivers Section 174 Capitalization Relief.

What Is a QSB and QSBS?

A Qualified Small Business (QSB) is defined as:

  • A domestic C-Corporation with stock issued after August 10, 1993.
  • Aggregate gross assets of $50 million or less at all times before and immediately after the stock is issued, and
  • 80% of the assets are used in a qualified trade or business.

There are a number of other requirements as well, including industry-specific eligibility.

Qualified Small Business Stock (QSBS) are shares in a QSB that need to meet certain criteria. Section 1202 is the Internal Revenue Code Section that lays out the rules related to QSB and QSBS requirements. 

Section 1202 is designed to encourage long-term investment in small businesses by giving QSB owners generous tax benefits and allowing the exclusion of up to 100% of the capital gains on sale or exchange, depending on when the stock was acquired. Investors must hold the QSBS for at least five years to be eligible for the favorable tax treatment.

A company can lose its valuable QSB status for several reasons. The one we will focus on here is the $50 million gross asset threshold. Prior to the 2022 change, companies often lost their QSB status after several rounds of funding as increasingly large cash infusions pushed the company past this threshold. Now, however, the added burden of a large tax basis being created by R&D capitalization is spoiling QSB status earlier in startup lifecycles.

What Is Section 174?

Section 174 has been part of the tax code since the 1950s. Previously, companies had the option of EITHER deducting R&D expenses in the year incurred OR capitalizing and amortizing them over a period of years. Most companies elected to deduct expenditures in the year incurred. The Tax Cuts and Jobs Act (TCJA) of 2017 changed the tax code to require MANDATORY capitalization for tax years beginning after December 31, 2021, with amortization over five years for domestic expenses and 15 years for foreign expenses, using the mid-year convention.

Under these rules, if a company spends $1 million on domestic R&D, it can amortize only $100,000 of that amount in the first year: the mid-year convention allows 10% in the year incurred, 20% in each of the next four years, and the final 10% in year six.

How Do Sec. 174 and the QSB Status Interact?

Because the first year of amortization under Section 174 only allows 10% of the amount as a current expense, the remaining 90% becomes part of the adjusted tax basis. This potentially counts toward the hard limit of $50 million under Section 1202 required to maintain QSB status.

In year 2, while an additional 20% of year 1 expense can be amortized, 90% of the year 2 amount becomes a tax asset. During 2024 (typically year 3), 50% of year 1 remains, 70% of year 2, and 90% of year 3. If the company is investing consistently in R&D, this substantial increase in tax basis can count toward the $50 million gross asset limit.

Tax Year | Capitalized Amount | Amortized Amount | Accumulated Deferred Amount
Y1 | $1,000,000 | $100,000 | $900,000
Y2 | $1,000,000 | $300,000 | $1,600,000
Y3 | $1,000,000 | $500,000 | $2,100,000
Y4 | $1,000,000 | $700,000 | $2,400,000
Y5 | $1,000,000 | $900,000 | $2,500,000
Y6 | $1,000,000 | $1,000,000 | $2,500,000

For entities with Controlled Foreign Corporations (CFCs) or other foreign R&D, the outlook is even more dramatic given the 15-year amortization, rather than five-year amortization for domestic expenses.
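The schedule above and the $50 million test, carried through in code. This is an added example and is not part of the original article: the function names are the editor’s own, the inputs are the article’s illustrative figures ($1 million of domestic R&D per year, and a $40 million asset base with $12 million or $9 million of current-year capitalization), and it generalizes the table to any stream of annual spend and to the 15-year period for foreign expenditures.

```python
"""Section 174 amortization schedule and the Section 1202 gross-asset test.

Added example, not from the original article. Exact arithmetic (Fraction) is used
so the 15-year foreign schedule does not accumulate rounding error.
"""
from fractions import Fraction
from typing import List, Optional, Sequence, Tuple

DOMESTIC_YEARS = 5           # Section 174 amortization period for domestic R&D
FOREIGN_YEARS = 15           # Section 174 amortization period for foreign R&D
QSB_ASSET_CAP = 50_000_000   # Section 1202 aggregate gross asset limit

# (tax year, capitalized this year, amortized this year, unamortized balance)
Row = Tuple[int, int, Fraction, Fraction]


def amortization_fractions(years: int) -> List[Fraction]:
    """Fraction of one year's spend deductible in each successive tax year.

    The mid-year convention gives half a year's share in the year incurred, a full
    share in each of the following years-1 years, and the remaining half share in
    year years+1. For a 5-year period: 10%, 20%, 20%, 20%, 20%, 10%.
    """
    share = Fraction(1, years)
    return [share / 2] + [share] * (years - 1) + [share / 2]


def schedule(spend_by_year: Sequence[int], years: int) -> List[Row]:
    """Year-by-year amortization and the running deferred (unamortized) balance."""
    fractions = amortization_fractions(years)
    rows: List[Row] = []
    balance = Fraction(0)
    for y, capitalized in enumerate(spend_by_year):
        # This year's deduction is the current slice of every prior year's spend
        # (including this year's), as long as that spend is still being amortized.
        amortized = sum(
            (spend_by_year[prior] * fractions[y - prior]
             for prior in range(y + 1) if y - prior < len(fractions)),
            Fraction(0),
        )
        balance += capitalized - amortized
        rows.append((y + 1, capitalized, amortized, balance))
    return rows


def qsb_threshold_year(base_assets: int, spend_by_year: Sequence[int], years: int,
                       cap: int = QSB_ASSET_CAP) -> Optional[int]:
    """First tax year in which base assets plus the deferred Section 174 balance
    exceed the cap, or None if the cap is never exceeded in the given years."""
    for year, _, _, deferred in schedule(spend_by_year, years):
        if base_assets + deferred > cap:
            return year
    return None


if __name__ == "__main__":
    print("Year  Capitalized   Amortized    Deferred")
    for year, cap_amt, amort, deferred in schedule([1_000_000] * 6, DOMESTIC_YEARS):
        print(f"Y{year}   {cap_amt:>11,}  {int(amort):>10,}  {int(deferred):>10,}")
    # The article's basic vs. detailed approaches on a $40M asset base
    for label, spend in (("basic", 12_000_000), ("detailed", 9_000_000)):
        print(label, "approach crosses the cap in year",
              qsb_threshold_year(40_000_000, [spend], DOMESTIC_YEARS))
```

Running the module reproduces the six-row table above, and shows the detailed approach ($9 million capitalized) staying under the cap in year one while the basic approach ($12 million) crosses it; passing a two-year spend stream shows how quickly the deferred balance compounds.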

The QSB status and associated QSBS tax exclusion are lost the day the company reaches the threshold, impacting future stock issuances. Shareholders who invest after the loss of QSB status are not able to take advantage of the capital gains exclusion. Investments made prior to the QSB status change are not impacted, assuming the other QSBS requirements are met.

A simple example is shown below for a start-up company that received a round of funding and has a major investment in R&D. Other property includes capitalized and not yet amortized start-up costs and equipment depreciation, prior year Section 174 unamortized capitalization, fixed assets, and others.

Cash: $30,000,000
Other Property, Aggregate Adjusted Bases: $10,000,000
Aggregate Gross Assets Before Section 174: $40,000,000

Although the company appears to be well below the $50 million QSB threshold, high-tech startups typically invest heavily in R&D, and the unamortized portion of that spending is added to gross assets.

What Can Be Done to Mitigate This Impact?

Companies that use a basic General Ledger approach to determine R&D expenses under Section 174 often over-include amounts for personnel and the associated expenses incidental to R&D. A detailed review that investigates spending at the individual expense level can substantially reduce the capitalization amounts.

Individual expense analysis for Section 174 can identify exactly when the company reaches a specified deferred tax asset amount. This can help determine the date QSBS status was lost, potentially protecting investors before the cap is breached. Continuing the example from above, here is the Section 174 impact of a basic vs. detailed approach:

                                        | Basic Approach | Detailed Approach
Gross Assets Before Section 174         | $40,000,000    | $40,000,000
Current Year Section 174 Capitalization | $12,000,000    | $9,000,000
Current Year Amortization               | -$1,200,000    | -$900,000
Adjusted Tax Basis                      | $50,800,000    | $48,100,000
Keep QSB Status?                        | No             | Yes

If the company is close to the QSB threshold, evaluating the amounts included under Section 174 to make sure over capitalization has not occurred can potentially defer the company reaching the threshold by a critical period of time.

If you are concerned your company might be over-capitalizing under Section 174 or are close to the $50 million cap and may lose your QSBS status, please reach out to our team. We can work with you to see if a detailed Section 174 analysis can help!

Understanding GS 007: Australia’s Assurance Framework for Investment Services

Navigating the GS 007 audit framework can be overwhelming. This guide offers a clear overview of GS 007, who it applies to, and how to determine whether it’s the right fit for your organization’s assurance needs.

GS 007 is an assurance framework used in Australia to evaluate the controls of service organizations that provide investment management services. The framework is issued by the Australian Auditing and Assurance Standards Board (AUASB) and follows ASA 402 and ASAE 3402, which are Australian equivalents of ISA 402 and ISAE 3402.

Who Does GS 007 Apply To?

GS 007 applies to service providers that support investment management. These typically include:

  • Custodians – Safekeeping assets on behalf of investors
  • Fund administrators – Overseeing the operations of investment funds
  • Unit registries – Managing records of investment ownership
  • Investment platforms – Facilitating investor transactions and reporting

What Is the Structure of GS 007? 

GS 007 outlines seven key control areas representing critical functions within investment management services.

Not all seven are mandatory for every service organization. The applicability of each control area depends on the specific services provided by the organization.

Control Area | Description | Mandatory?
Custody | Managing the safekeeping, recording, and settlement of assets and related income on behalf of clients. | Only if relevant
Asset Management | Investing client funds by executing transactions, ensuring compliance, reconciling portfolios, and reporting performance. | Only if relevant
Property Management | Managing real estate investments through property transactions, compliance monitoring, reconciliations, and reporting. | Only if relevant
Superannuation Member Administration | Administering superannuation member accounts, including contributions, benefits, investment instructions, and reporting. | Only if relevant
Investment Administration | Maintaining records of portfolio assets and liabilities, valuing portfolios, and providing financial and performance reports. | Only if relevant
Registry | Maintaining investor records, processing transactions and corporate actions, controlling share/unit issuance, and managing voting processes. | Generally expected
Information Technology (IT) Controls | Ensuring IT systems supporting investment management services are secure, reliable, and support accurate financial reporting. | Generally expected

GS 007 Reporting & Assurance Types

Like SOC 1 and SOC 2, GS 007 includes two types of reports:

  • Type 1 – Evaluates the design of controls at a specific point in time
  • Type 2 – Evaluates both the design and operational effectiveness over a period (usually 6 to 12 months), offering a higher level of assurance

Minimum Control Objectives

Each investment management service area includes specific control objectives outlining minimum expectations for assurance reporting. These should be addressed in your organization’s description of its systems and controls. While comprehensive, the objectives are not exhaustive—additional controls may be needed, depending on your services.

The seven service areas include:

1. Custody

Custody involves managing assets on behalf of user entities, including:

  • Safekeeping physical or electronic assets and maintaining related records.
  • Collecting and distributing income from the assets.
  • Processing and recording corporate actions affecting the assets.
  • Recording asset purchase and sale transactions.
  • Managing payments and settlements for asset trades.

2. Asset management

Asset management involves investing client funds and includes:

  • Initiating and executing investment transactions, either under client instruction or discretionary authority.
  • Ensuring transactions comply with client guidelines and restrictions.
  • Reconciling portfolio records with custodian statements.
  • Reporting portfolio performance and activities to clients.

3. Property management

Property management involves managing real estate assets and includes:

  • Initiating and executing property transactions under client instruction or discretionary authority.
  • Ensuring transactions comply with client guidelines and restrictions.
  • Reconciling property transaction records with custodian statements.
  • Reporting property performance and activities to clients.

4. Superannuation member administration

Superannuation member administration involves managing member accounts and includes:

  • Maintaining and updating membership data.
  • Receiving and allocating contributions and transfers.
  • Calculating and paying member benefits and handling related third-party payments.
  • Processing member investment instructions and investment switches.
  • Deducting and remitting insurance premiums, fees, and taxes.
  • Managing insurance claims and benefit payments for death, TPD, and income protection.
  • Allocating fund earnings to member accounts.
  • Conducting annual account reviews, benefit calculations, and reporting to members and trustees.

5. Investment administration

Investment administration involves supporting investment operations and includes:

  • Maintaining records of securities, cash, and portfolio assets and liabilities.
  • Valuing portfolio assets and liabilities and determining net asset values (NAVs).
  • Providing periodic performance and compliance reports to relevant stakeholders.
  • Preparing periodic financial reports.

6. Registry

Registry involves maintaining investor records and supporting shareholder or unitholder transactions, including:

  • Maintaining records of shareholder/unitholder details and ownership positions.
  • Recording validated purchases, redemptions, switches, transfers, and reinvestments.
  • Updating holdings following corporate actions based on validated instructions.
  • Monitoring and controlling the issuance of shares/units to prevent unauthorized or excess issuance.
  • Managing stakeholder meetings and voting processes, including communication distribution and reporting.

7. Information technology

Information technology (IT) control objectives apply to all investment management services, as IT is essential to their delivery. IT controls are assessed alongside the specific control objectives for each service, focusing on systems relevant to the financial reporting of user entities.

Determining Applicable Control Objectives

Understanding which parts of GS 007 apply to your organization is key in preparing for an audit.

1. Identify Your Services

Start by mapping out your organization’s investment management services, such as custody, registry, or investment administration.

2. Match Services to GS 007 Categories

Each service corresponds to a GS 007 control area. For example:

  • If you manage investment portfolios, the Asset Management objectives apply.
  • If you administer superannuation accounts, the Superannuation Member Administration objectives apply.

3. Include Supporting IT Controls

Regardless of the services provided, IT controls are generally required, as they support all other functions.

4. Define and Document Your Scope

Clearly document:

  • The services provided
  • The corresponding control objectives
  • Any exclusions or assumptions

This documentation is essential for scoping your Type 1 or 2 assurance engagement.

If your organization is considering a GS 007 audit or evaluating its control readiness, our team can help. We’ll guide you through scoping, applicability, and preparation so your audit delivers meaningful, actionable assurance.

Contact us to learn how GS 007 applies to your organization.

Optimize Financial Management With the BlackLine Variance Analysis Tool

In today’s dynamic business landscape, organizations face the challenge of analyzing and managing financial variances effectively. BlackLine’s Variance Analysis tool offers a powerful solution that enables businesses to gain valuable insights into financial performance, make informed decisions, and enhance operational efficiency.

Variance analysis plays a crucial role in effective financial management by enabling organizations to gain a deeper understanding of financial performance. Variance analysis helps you assess profitability, identify areas of improvement, and align strategies with financial goals. Moreover, it helps your organization enhance decision-making processes by providing insights into cost drivers, revenue fluctuations, and other key factors influencing your financial outcomes.

How BlackLine’s Tool Works

BlackLine Variance Analysis is a robust tool that enables organizations to analyze and understand deviations between planned and actual financial results. By providing a comprehensive view of variances, the tool empowers financial professionals to evaluate performance, identify trends, and implement corrective actions.

The tool encompasses various types of variances, including revenue, expenses, production, and budget. Revenue variances analyze discrepancies between actual and expected revenue, while expense variances assess differences between expected and actual expenses. For manufacturing organizations, production variances focus on analyzing variations in production costs. Finally, budget variances evaluate deviations from planned budgets.

Benefits of Variance Analysis

Effective variance analysis offers numerous benefits to organizations:

  • Enhanced financial performance evaluation: Variance analysis enables organizations to evaluate financial performance more accurately and comprehensively. By analyzing variances, businesses can identify key drivers of performance and gain insights into the factors influencing positive or negative outcomes. This facilitates effective performance evaluation and aids in making data-driven decisions.
  • Improved decision-making processes: By providing a deeper understanding of financial variances, variance analysis equips organizations with better information for making informed decisions. Financial professionals can identify cost-saving opportunities, optimize resource allocation, and prioritize initiatives that drive growth and profitability.
  • Increased operational efficiency: Optimizing variance analysis allows organizations to streamline financial processes and improve operational efficiency. By identifying inefficiencies, bottlenecks, and areas of waste, businesses can implement process improvements and cost-saving measures. This leads to greater operational effectiveness and resource optimization.
  • Better risk management and mitigation: Variance analysis helps organizations identify and mitigate financial risks. By monitoring variances and analyzing their root causes, businesses can identify potential areas of vulnerability and take preventive measures. This strengthens risk management practices and enhances overall financial control.

Six Strategies for Optimizing Variance Analysis

To maximize the benefits of variance analysis, organizations can implement these strategies:

1. Implementing advanced data analysis techniques

Leveraging advanced data analysis techniques, such as statistical modeling and data visualization, allows organizations to gain deeper insights from variance analysis. Through these techniques, businesses can uncover patterns, correlations, and trends within their financial data, enabling more accurate and meaningful analysis.

2. Utilizing automation and technology

Automation and technology, including artificial intelligence (AI), can significantly enhance the efficiency and effectiveness of BlackLine Variance Analysis. Automated data collection and integration, coupled with AI-powered analytics, accelerate the analysis process, reduce manual effort, and provide real-time insights.

3. Establishing clear variance analysis methodologies

Organizations should establish standardized and transparent variance analysis methodologies to ensure consistency and accuracy in the analysis process. Clear guidelines and defined metrics for evaluating variances enable meaningful comparisons and facilitate effective decision-making.

4. Ensuring accurate and timely data collection

Timely and accurate data collection is essential for reliable variance analysis. Organizations should establish robust data collection processes that ensure data integrity and completeness. This includes implementing proper controls, validation mechanisms, and automated data feeds from relevant systems.

5. Enhancing collaboration between departments

Optimizing variance analysis requires cross-functional collaboration. Finance teams must actively engage with other departments, such as operations and sales, to gain a comprehensive understanding of the factors driving variances. This collaboration facilitates more accurate analysis and the development of effective corrective measures.

6. Conducting regular training and development for financial personnel

Investing in the training and development of financial personnel is vital to optimize BlackLine Variance Analysis. Training programs should focus on developing analytical skills, deepening understanding of financial data, and ensuring proficiency in using the tool effectively.

Unlock the Power of the BlackLine Variance Analysis Tool

Optimizing BlackLine Variance Analysis empowers organizations to gain valuable insights into financial performance, make informed decisions, and enhance operational efficiency. By prioritizing strategies such as advanced data analysis techniques, automation, standardized methodologies, accurate data collection, collaboration, and training, businesses can unlock the full potential of this powerful tool. Investing in optimizing BlackLine Variance Analysis enables organizations to maximize their financial management capabilities and achieve sustainable growth.

Prioritize and invest in optimizing BlackLine Variance Analysis today to unleash the true power of financial insights and drive your organization’s success. Schedule a free consultation today with one of our certified BlackLine implementation professionals.

Managing Event-Based Controls

When it comes to managing controls for information security (InfoSec) compliance, event-based controls are among the most challenging to execute consistently and the most prone to failure.

These controls are triggered by ad hoc events like onboarding new employees, responding to incidents, or managing system changes. Despite accounting for roughly 30% of InfoSec compliance activities, they are frequently the source of exceptions in SOC 1, SOC 2, and ISO/IEC 27001 audits.

The Three Types of Controls

A well-rounded InfoSec compliance program includes three control types:

  • Continuous controls are always in effect, such as system configurations, policies, and static documentation. These are audited in their present state.
  • Periodic controls occur at regular intervals, such as quarterly risk assessments or annual board reviews. Auditors verify they’re completed within the defined timeframe.
  • Event-based controls apply when specific events happen, such as hiring a new employee or releasing a software update. Auditors look to confirm that required actions were taken in response to each event.

Why Event-Based Controls Often Fail

The primary reason event-based controls fail is simple: the event occurs, but the corresponding control doesn’t. It may be skipped, forgotten, or left incomplete—just like any other business task. And if the audit evidence isn’t documented, it’s as if the control was never implemented.

Here are common event triggers that require documented controls:

  • New employees
  • New contractors
  • Terminations
  • New customers
  • New third-party vendors
  • Asset disposals
  • Vulnerabilities identified
  • Incidents
  • Change releases

Controls must be applied consistently and documented in line with requirements, whether those stem from SOC 2 criteria or specific customer expectations.

Complicating matters, no two events are the same. A new hire might be a relative of an executive, bypassing typical onboarding steps. A change release might seem minor and be rolled out without the usual review. While auditors are allowed judgment in such cases, these deviations may still be noted as exceptions, unless the reasoning is documented clearly. Proactive explanation shows governance in action and may help avoid formal findings.

How to Implement Effective Event-based Controls

To improve the consistency and effectiveness of event-based controls, consider these best practices:

1. Automate Where Possible  

Software can trigger or carry out controls to help ensure nothing is missed. Automation promotes consistency, creates audit trails, and reduces manual error. While not every control can be automated, many tools can streamline execution.

2. Embed Controls Into the Process

Controls are more effective when they’re baked into core workflows. For instance, asking employees to sign a Code of Conduct is less reliable if it’s a separate HR task. But if it’s part of the employment contract or onboarding checklist, it’s far more likely to be completed. Wherever possible, tie controls to natural process checkpoints.

3. Assign Ownership

Clear ownership improves accountability. A dual-level ownership model works well—an individual operator manages day-to-day control execution (e.g., an HR manager). At the same time, a senior leader (e.g., the COO or CFO) owns oversight of the broader control category.

4. Schedule Regular Checks

Monthly or quarterly check-ins can surface issues before they escalate. These don’t need to be formal audits—just brief meetings or touchpoints with control owners to verify nothing critical is slipping through the cracks.

5. Build Organizational Awareness

Controls tied to unpredictable events, like risk reporting or incident management, benefit from widespread awareness. When more people understand their role in these processes, they’re more likely to contribute to control effectiveness.
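Practices 1 and 4 above (automate, and check regularly) come together in a reconciliation: pull the trigger events from the system of record, pull the control evidence from the system that performed the control, and flag every event with no evidence, late evidence, or evidence an auditor cannot trace. The script below does this for the termination trigger and the access-revocation control. It is an added example, not code from the original article; the Event, Evidence and Finding types, the field names, and the sample records are the editor’s own constructions standing in for an HRIS export and an IAM or ticketing export.

```python
"""Reconcile event-based control evidence against the events that trigger it.

Added example, not part of the original article. It checks one common
event-based control: after a termination, access must be revoked within an SLA
and the revocation must be evidenced by a traceable ticket. The events and
evidence below are constructed sample data; in practice they would be exported
from the HRIS and from the IAM or ticketing system.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Event:
    employee_id: str
    kind: str            # the trigger, e.g. "termination"
    occurred_at: datetime


@dataclass(frozen=True)
class Evidence:
    employee_id: str
    control: str         # the control this record evidences, e.g. "access_revoked"
    completed_at: datetime
    ticket: str          # reference an auditor can trace; "" means none recorded


@dataclass(frozen=True)
class Finding:
    employee_id: str
    reason: str          # "missing", "late" or "undocumented"
    detail: str


def reconcile(events: Iterable[Event], evidence: Iterable[Evidence], sla_days: int,
              trigger: str = "termination", control: str = "access_revoked") -> List[Finding]:
    """Return one Finding per trigger event whose control was not met.

    An event passes only if a matching evidence record exists, was completed at or
    after the event, within sla_days, and carries a ticket reference. When several
    problems apply, the most severe (missing > late > undocumented) is reported.
    """
    sla = timedelta(days=sla_days)
    by_employee: Dict[str, List[Evidence]] = {}
    for ev in evidence:
        if ev.control == control:
            by_employee.setdefault(ev.employee_id, []).append(ev)

    findings: List[Finding] = []
    for event in events:
        if event.kind != trigger:
            continue
        # Evidence dated before the event belongs to some earlier event, so skip it.
        candidates = sorted(
            (ev for ev in by_employee.get(event.employee_id, [])
             if ev.completed_at >= event.occurred_at),
            key=lambda ev: ev.completed_at,
        )
        if not candidates:
            findings.append(Finding(event.employee_id, "missing",
                                    f"no {control} record on or after {event.occurred_at:%Y-%m-%d}"))
            continue
        first = candidates[0]
        elapsed = first.completed_at - event.occurred_at
        if elapsed > sla:
            findings.append(Finding(event.employee_id, "late",
                                    f"completed {elapsed.days} days after the event; SLA is {sla_days} days"))
        elif not first.ticket.strip():
            findings.append(Finding(event.employee_id, "undocumented",
                                    "control performed but no ticket reference was recorded"))
    return findings


def _d(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample data (not real records).
SAMPLE_EVENTS = [
    Event("e-101", "termination", _d("2025-03-03")),
    Event("e-102", "termination", _d("2025-03-04")),
    Event("e-103", "termination", _d("2025-03-10")),
    Event("e-104", "termination", _d("2025-03-12")),
    Event("e-105", "new_hire", _d("2025-03-12")),      # different trigger, ignored here
]
SAMPLE_EVIDENCE = [
    Evidence("e-101", "access_revoked", _d("2025-03-04"), "IAM-4411"),   # next day, evidenced
    Evidence("e-102", "access_revoked", _d("2025-03-11"), "IAM-4420"),   # 7 days later: late
    Evidence("e-104", "access_revoked", _d("2025-03-12"), ""),           # done, but not evidenced
    Evidence("e-103", "laptop_returned", _d("2025-03-11"), "IT-778"),    # wrong control: still missing
]

if __name__ == "__main__":
    for f in reconcile(SAMPLE_EVENTS, SAMPLE_EVIDENCE, sla_days=3):
        print(f"{f.employee_id}: {f.reason} ({f.detail})")
```

Run monthly against fresh exports, this replaces the informal check-in with a list of exceptions the control owner can clear before the audit period closes; the same function serves other triggers by changing the `trigger` and `control` arguments (for example `new_hire` and `account_provisioned`).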

Identifying Your Event-Based Controls

Need help identifying or strengthening your event-based controls? Contact us to learn more about how we can support your InfoSec compliance efforts.

10 Tips for 401(k) Compliance

If your company offers a 401(k) retirement plan, you understand the benefits it can offer your workforce. What many companies don’t realize is that the number of participants in the plan, not the size of the company, dictates whether the plan requires a third-party audit.

Ensuring your plan is up-to-date with compliance standards is key, and there are often overlooked issues that serve as red flags for the Department of Labor (DOL) and/or the IRS. To make your audit process as smooth as possible, there are some critical points to consider when preparing for your retirement plan audit and maintaining 401(k) compliance.

Best Tips for Maintaining 401(k) Compliance Within Your Plan

1. Know the 80/120 Rule

Generally, a plan is considered a “large” plan and requires an audit when it has more than 100 participants with account balances on the first day of the plan year. Under the 80/120 rule, a plan with between 80 and 120 participants with account balances at the beginning of the plan year may file in the same category as it did the prior year, so a plan that filed as a small plan can continue to do so and forgo the audit until it reaches 120.

2.  Understand Eligibility

Not every participant is necessarily a current employee, but an employee becomes eligible to participate once they meet the definition of eligibility in the plan documents: the minimum age and service requirements the plan sets as a condition of participation. Based on those requirements, the plan should determine which individuals are eligible to join or would be automatically enrolled under the plan’s provisions.

3. Protect Against Fraud

Under Section 412 of the Employee Retirement Income Security Act (ERISA), a fidelity bond must cover the plan’s assets in case of fraud or dishonesty. The fidelity bond must cover at least 10% of the plan’s assets at the beginning of each plan year, subject to a minimum bond amount of $1,000 and a maximum of $500,000 ($1,000,000 for plans that hold employer securities). As plan assets increase each year, an increase in coverage could be required if the bond no longer meets the 10% minimum requirement.

4. Define Eligible Compensation

It’s important to ensure that all deferred contributions were calculated properly under the definition of eligible compensation outlined in the plan documents. There are various types of compensation that may be considered ineligible in accordance with plan documents and should be excluded from the calculation of deferrals.

5. Keep Up With Updates

Always keep your plan documents updated with the most current compliance standards and laws. It’s helpful to keep records and make all amendments easily accessible. This allows all participants to fully benefit from the plan, particularly when the documentation has not been recently revised.

6. Establish a Fiduciary Committee

It is important to establish a Fiduciary Committee to provide oversight for vital functions such as:

  • reviewing the plan’s investment policy statement,
  • monitoring service provider performance and associated plan expenses,
  • reviewing and authorizing plan amendments or changes to the plan document,
  • and other reviews.

It’s a good idea to draft, record, and retain your annual 401(k) committee meeting minutes to help document your oversight and defend against any allegations of breach of duty.

7. Timing is Everything

Ensure that employee contributions are deposited within a reasonable amount of time. This can be either within a timeframe outlined in the plan’s documentation or as soon as administratively feasible. Businesses considered to have a small plan are eligible for a safe harbor rule that allows a seven-business-day window to deposit contributions.

8. Monitor Excess Employee Contributions

There is an annual addition limitation designated by the IRS, subject to change every year, that is placed on the dollar amount participants are allowed to contribute to their 401(k) plan each year. If an excess contribution is found, necessary actions must be taken to remove the excess contribution and avoid penalties and potential tax issues.

9. Watch the Employer Match

If your company offers employer matching, it is important to note any maximums in your plan documents and not to surpass the plan’s matching cap. There is also an annual addition limit, subject to change by the IRS, placed on the combined contribution of employee and employer. This limit should be monitored each year by the plan to ensure compliance.

10. Shift the Risk

When employees are offered the option of managing their investment portfolio, make sure participants are given adequate information on the investment choices as well as the fees associated with those options. While providing participants with investment choices may reduce fiduciary liability, the committee should still maintain oversight and ensure participants are well-informed.

For companies that require an audit, Form 5500 is due by the last day of the seventh month after the plan’s year-end with a two and a half month extension. For example, if the plan’s year ends on December 31, Form 5500 will be due on July 31, with an optional extension through October 15 (Form 5558).

Do You Need Help With Your Company’s 401(k) Compliance?

If you would like to learn more about the rules and regulations surrounding 401(k) compliance, or if you want to find out how Sensiba can help make your 401(k) plan audit as seamless as possible, don’t hesitate to get in touch with one of our employee benefit plan audit specialists.

Beyond Reconciliation: The Power of BlackLine Transaction Matching

In today’s business environment, organizations face the daunting challenge of managing large volumes of financial transactions efficiently and accurately. BlackLine Transaction Matching offers a powerful solution that optimizes the matching process. It enables businesses to streamline operations, enhance financial controls, and reallocate employee resources to increase company value.

BlackLine Transaction Matching Overview

BlackLine Transaction Matching is a robust tool designed to match and reconcile financial transactions, reducing manual effort and mitigating the risk of errors. By automating the matching process, organizations can achieve greater accuracy, speed, and control over their financial data.

Benefits of Transaction Matching

Effective transaction matching offers several benefits.

  1. Minimizes the likelihood of errors by eliminating manual data entry and the associated risks of data being entered incorrectly or omitted.
  2. Enhances efficiency by reducing the time and effort required for reconciliations, allowing finance teams to focus on higher value-added tasks.
  3. Improves transparency and accountability by providing a comprehensive audit trail and supporting regulatory compliance.

Organizations may face challenges when implementing transaction matching tools. Common challenges include data quality issues, complex integrations with existing systems, and the need for proper training and documentation to ensure successful adoption.

Industry Applications

BlackLine Transaction Matching can be applied across various industries, including banking, insurance, retail, healthcare, and manufacturing. Use cases range from bank statement reconciliations and intercompany matching to invoice/purchase order reconciliations and credit card or P-card reconciliations.

We also have experience helping clients match inventory quantities, rather than dollar amounts. The flexibility and scalability of BlackLine Transaction Matching make it adaptable to diverse business needs.

Factors to Consider Before Implementing

Integrating your transaction matching tool with your existing systems is essential for seamless operations. Organizations must ensure compatibility with multiple data sources and establish robust integration interfaces. Moreover, planning for scalability and future growth is crucial, as the volume of transactions and data sources may increase over time.

Similarly, data security and privacy are paramount when implementing transaction matching. Organizations should prioritize data encryption, access controls, and user authentication to safeguard sensitive financial information. Compliance with data protection regulations, regular IT security audits, and risk assessments contribute to maintaining a secure environment.

Preparing for Implementation

To achieve the full potential of effective transaction matching, organizations should prepare thoroughly, including designing the process and establishing clear efficiency goals.

  • Gathering necessary data. Before implementing a transaction matching solution, organizations must identify the relevant data sources required for matching. This involves gathering transactional data from different systems, such as ERPs, bank statements, invoices, and subledger systems, and ensuring its availability in a suitable electronic file format.
  • Ensuring data quality and consistency. Data quality is vital for accurate matching and the overall success of a matching project. Organizations must perform data cleansing and standardization processes to ensure consistency and integrity across all transactions. This may involve validating data formats, eliminating duplicates, performing lookups to other data sources, and resolving discrepancies.
  • Identifying relevant matching criteria. Determining the appropriate matching criteria is crucial for effective transaction matching. Organizations must analyze their specific business requirements and establish matching rules based on process-specific criteria such as transaction amounts, dates, account numbers, and customer names.

Strategies for Optimizing Transaction Matching

To maximize the benefits of transaction matching, organizations can implement several optimization strategies.

Automated Data Extraction

Automated data extraction tools can capture transactional data from various sources, eliminating manual data entry and reducing the risk of errors. By leveraging optical character recognition (OCR) and intelligent data capture techniques, organizations can extract relevant data seamlessly.

Standardizing and Cleansing

Data standardization facilitates accurate matching by ensuring consistent formatting across transactions. By cleansing and validating data, organizations can identify and rectify any anomalies, enhancing the overall quality of the matching process.

Rule-Based and Artificial Intelligence-Based Matching

Look for a transaction matching tool with the flexibility to employ rule-based matching and artificial intelligence techniques. Rule-based matching enables organizations to define specific matching rules based on predefined criteria. Artificial intelligence can also identify patterns and make automated matching decisions, optimizing accuracy and efficiency.

Intelligent Exception Handling

Your transaction matching tool should flag and handle exceptions automatically, reducing the need for manual intervention. By implementing intelligent exception handling, organizations can streamline the resolution process and improve overall matching efficiency.
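As an added example (not BlackLine’s code or the firm’s), here is a small rule-based matcher in Python that applies the criteria from the preparation and rule-based matching passages above (account, amount, a normalized reference, and a date tolerance), routes ambiguous or unmatched items to an exception list for review, and records an audit-trail line for every decision. The transactions, rule names and the three-day window are constructed sample values.

```python
"""Rule-based transaction matching with exception handling.

Added example, not BlackLine's code: a small matcher in the spirit of the
"matching criteria", "rule-based matching" and "exception handling" passages.
All transactions below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
import re


@dataclass(frozen=True)
class Txn:
    txn_id: str
    source: str       # "bank" or "ledger"
    account: str
    amount: Decimal   # Decimal, never float, for money
    posted: date
    reference: str    # free-text memo / reference number


@dataclass
class MatchReport:
    matches: list       # (bank_id, ledger_id, rule_name)
    exceptions: list    # (txn_id, reason) held for human review
    audit_trail: list   # one human-readable line per decision


def normalize_reference(ref: str) -> str:
    """Standardize references so 'inv 1001' and 'INV-1001' compare equal."""
    return re.sub(r"[^A-Z0-9]", "", ref.upper())


def candidates(bank: Txn, ledger: list) -> list:
    """Ledger entries sharing account and amount: the mandatory criteria."""
    return [l for l in ledger if l.account == bank.account and l.amount == bank.amount]


def rule_exact(bank: Txn, cands: list):
    """Rule 1: amount and normalized reference agree (reference must be non-empty)."""
    ref = normalize_reference(bank.reference)
    if not ref:
        return None
    hits = [c for c in cands if normalize_reference(c.reference) == ref]
    return hits[0] if len(hits) == 1 else None


def rule_amount_date(bank: Txn, cands: list, window_days: int = 3):
    """Rule 2: amount agrees and posting dates fall within a tolerance window.
    Returns the single candidate, or the list of hits when it is empty/ambiguous."""
    hits = [c for c in cands if abs((c.posted - bank.posted).days) <= window_days]
    if len(hits) == 1:
        return hits[0]
    return hits


def match_transactions(bank_txns: list, ledger_txns: list, window_days: int = 3) -> MatchReport:
    """Apply the rules in priority order; anything not matched uniquely becomes an exception."""
    report = MatchReport(matches=[], exceptions=[], audit_trail=[])
    unmatched_ledger = list(ledger_txns)

    for bank in bank_txns:
        cands = candidates(bank, unmatched_ledger)
        hit, rule = rule_exact(bank, cands), "exact"
        if hit is None:
            result = rule_amount_date(bank, cands, window_days)
            if isinstance(result, Txn):
                hit, rule = result, "amount_date"
            elif result:  # several plausible counterparts: never guess
                ids = ",".join(c.txn_id for c in result)
                report.exceptions.append((bank.txn_id, f"ambiguous: {ids}"))
                report.audit_trail.append(f"{bank.txn_id}: {len(result)} candidates, held for review")
                continue
            else:
                report.exceptions.append((bank.txn_id, "no_counterpart"))
                report.audit_trail.append(f"{bank.txn_id}: no ledger entry for {bank.amount} on {bank.account}")
                continue
        unmatched_ledger.remove(hit)  # one-to-one: a ledger line is consumed once
        report.matches.append((bank.txn_id, hit.txn_id, rule))
        report.audit_trail.append(f"{bank.txn_id} -> {hit.txn_id} via rule '{rule}'")

    for l in unmatched_ledger:
        report.exceptions.append((l.txn_id, "unmatched_ledger"))
        report.audit_trail.append(f"{l.txn_id}: ledger entry with no bank counterpart")
    return report


# Constructed sample data: one clean match, one reference mismatch rescued by the
# date window, one ambiguous pair, and one amount transposition (42.10 vs 42.01).
BANK = [
    Txn("B1", "bank", "OPS", Decimal("1250.00"), date(2024, 3, 1), "INV-1001"),
    Txn("B2", "bank", "OPS", Decimal("89.99"), date(2024, 3, 2), "CARD 4421"),
    Txn("B3", "bank", "OPS", Decimal("500.00"), date(2024, 3, 3), ""),
    Txn("B4", "bank", "OPS", Decimal("42.10"), date(2024, 3, 5), "REFUND"),
]
LEDGER = [
    Txn("L1", "ledger", "OPS", Decimal("1250.00"), date(2024, 3, 1), "inv 1001"),
    Txn("L2", "ledger", "OPS", Decimal("89.99"), date(2024, 3, 4), "PCARD 4421"),
    Txn("L3", "ledger", "OPS", Decimal("500.00"), date(2024, 3, 3), "Deposit A"),
    Txn("L4", "ledger", "OPS", Decimal("500.00"), date(2024, 3, 4), "Deposit B"),
    Txn("L5", "ledger", "OPS", Decimal("42.01"), date(2024, 3, 5), "REFUND"),
]

if __name__ == "__main__":
    for line in match_transactions(BANK, LEDGER).audit_trail:
        print(line)
```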

Real-Time Monitoring and Reporting

Real-time monitoring and reporting capabilities enable organizations to track the progress of the matching process and identify any issues promptly. By leveraging customizable dashboards and scheduled reports, finance teams can gain actionable insights and make informed decisions.

Providing Training and Continual Support

Effective user and administrator training is essential for successful transaction matching adoption and optimization. Organizations should invest in comprehensive training programs to empower users with the necessary knowledge and skills. Furthermore, user-friendly documentation and guides, along with a knowledge-sharing platform such as the BlackLine Community, can serve as valuable resources for ongoing support.

Testing for Effectiveness

Thorough scenario testing and benchmarking exercises help validate the accuracy and performance of your transaction matching solution. By simulating various matching scenarios, organizations can identify any gaps or areas for improvement and fine-tune their matching processes accordingly.

Similarly, organizations must prioritize continuous improvement and maintenance to maximize the benefits of their transaction matching tool and processes. Gathering feedback from users and stakeholders, tracking performance, resolving issues, and improving features contribute to an optimized matching process.

Take Your BlackLine Setup to the Next Level

Implementing and optimizing a transaction matching tool empowers organizations to achieve greater efficiency, accuracy, and control over their financial data. By leveraging automation, data standardization, artificial intelligence, and exception handling, businesses can materially streamline operations and enhance financial controls. With comprehensive training, integration, and ongoing maintenance, organizations can unlock the full potential of effective transaction matching.

Start optimizing your BlackLine transaction matching today by scheduling time with one of Sensiba’s certified implementation experts. We’ll review your implementation and help you revolutionize your financial reconciliation processes. The goal of our BlackLineBoost is to save you time and resources while ensuring accuracy and compliance.

What Is ISO/IEC 42001?

As artificial intelligence (AI) introduces new organizational opportunities and risks, the ISO/IEC 42001 standard offers guidance and controls to help organizations deploy AI efficiently and mitigate the related security risks by developing an Artificial Intelligence Management System (AIMS).

ISO/IEC 42001, published in 2023, addresses the AI system lifecycle from initial concepts to final system deployment and operations. The standard is designed to help organizations manage the risks associated with AI and ensure their systems are developed and used responsibly.

ISO/IEC 42001 compliance should be considered by any organization with public-facing products or services leveraging AI.

To evaluate compliance with the standard, an ISO/IEC 42001 certification audit will examine several areas, including AI-specific ethical, security, and operational considerations, system lifecycle management, performance optimization, and documentation.

Organizations should also evaluate the various organizational roles within the AI lifecycle—production, development, provision, and use—to understand and manage risk effectively.

Risk and Impact Assessments

ISO/IEC 42001 places significant emphasis on AI risk and impact assessments. For the standard’s mandatory risk assessment, organizations are required to identify potential risks related to AI systems, evaluate those risks, and develop risk mitigation plans.

The standard’s AI Impact Assessment process involves:

  • Evaluating potential consequences of AI systems on individuals, groups, and society
  • Considering technical and societal contexts in which the AI is developed and deployed
  • Assessing impacts throughout the AI system’s lifecycle.

Organizations are required to document this process and measure AI-related risks and their potential consequences.

Understanding the Standard

The ISO/IEC 42001 standard follows a similar structure as ISO/IEC 27001 (Information Security Management System), making it easier for organizations to integrate their security and compliance efforts. Thanks to this similarity, and the overlap in the information evaluated during a certification audit, organizations that have ISO/IEC 27001 certification can be well on their way to obtaining ISO/IEC 42001 certification if they choose to.

The ISO/IEC 42001 standard consists of 10 main clauses:

  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Context of the organization
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance evaluation
  10. Improvement

The first three clauses are shared with other standards, and specific considerations are addressed in Clauses 4-10:

  • Clause 4 – Context of the Organization: Organizations must understand their internal and external environments, including AI-specific roles and other factors influencing AI management.
  • Clause 5 – Leadership: Mandates leadership commitment to integrating AI requirements, fostering a culture of responsible AI use, and aligning AI management with organizational objectives.
  • Clause 6 – Planning: Focuses on strategic planning to address AI-related risks and opportunities, set AI objectives, and plan for effective AI management.
  • Clause 7 – Support: Ensures adequate resources, competence, awareness, communication, and documentation to support the AIMS establishment and implementation.
  • Clause 8 – Operation: Addresses specific operational aspects of AI management, including the AI risk assessment and treatment, impact assessment, change management, documentation, and other key details.
  • Clause 9 – Performance Evaluation: Involves monitoring, measuring, analyzing, and evaluating the AIMS.
  • Clause 10 – Improvement: Focuses on continual improvement of the AIMS.

ISO/IEC 42001 Annexes

ISO/IEC 42001 also includes two annexes that are important to an organization’s certification efforts and provide additional guidance and information:

  • Annex A offers a comprehensive guide for AI system development, including a controls list.
  • Annex B provides implementation guidance for the AI controls listed in Annex A, including data management processes.

These annexes offer detailed guidance on AI management ranging from development to risk assessment and sector-specific applications.

The Benefits of ISO/IEC 42001 Compliance

Achieving ISO/IEC 42001 certification can provide several benefits for organizations that include:

  • Increased security, safety, transparency, and data quality.
  • Stronger risk identification and remediation.
  • Improved credibility with customers, regulators, investors, and other stakeholders.
  • Stronger market opportunities and competitive advantages.

Like other notable security frameworks, ISO/IEC 42001 certification demonstrates an organization’s commitment to data protection and responsible policies and procedures.

What’s Involved in an ISO/IEC 42001 Certification Audit?

An ISO/IEC 42001 certification audit is a comprehensive process that involves multiple stages to evaluate an organization’s AIMS.

The stage one audit includes:

  • Reviewing the documented AIMS, including key policies and procedures.
  • Evaluating the organization’s understanding of the standard’s requirements.
  • Assessing the context of the AI management system.
  • Identifying potential gaps or areas of concern.
  • Preparing a detailed report with findings.

The stage two audit is more in-depth and involves:

  • Performing an in-person or virtual site visit to observe processes and interview staff.
  • Assessing the operating effectiveness of implemented controls.
  • Evaluating AIMS implementation and effectiveness in practice.
  • Preparing a report with findings, including non-conformities and areas for improvement.

After the audit, organizations must address any identified non-conformities and provide evidence of corrective actions before receiving a decision from the certification body.

Once certified, organizations must undergo annual surveillance audits to maintain certification and participate in a recertification audit every three years.

As a certification body, Sensiba conducts audits against a variety of standards including ISO/IEC 42001, ISO/IEC 27001, ISO/IEC 27701, and others. To learn more, contact us.

How Carbon Impact Relates to Financial Impact

As it becomes more imperative for companies to measure and manage their greenhouse gas (GHG) emissions, an effective starting point is reviewing the business and economic activities that produce those emissions.

Because any GHG emissions will result from an activity that requires an economic cost, financial accounting provides a powerful starting place to identify corporate emissions sources that can then be augmented with activity-based carbon accounting for even deeper insights.

By examining the intersection of carbon-emitting activities and their resulting financial impact, you’ll be better able to prioritize your emissions-reduction efforts by targeting high-priority activities that can also help reduce operating costs, enhance efficiency, or mitigate other environmental risk factors.

GHG Emissions Scopes

GHG emissions are classified in three categories, known as “Scopes,” to help organizations understand, measure, and report those emissions:

Scope 1, or direct, emissions are produced from sources an organization owns or controls. These can include:

  • Emissions from an organization’s manufacturing or business processes
  • Fuel combustion in company-owned or controlled boilers or furnaces
  • Emissions from company-owned or leased vehicles

Scope 2 emissions result from the generation of purchased energy such as electricity, steam, heat, and cooling. Although these emissions occur where the energy is generated, the consuming organization is responsible for reporting them. As such, they are also considered direct emissions.

Scope 3, also known as value chain emissions, are the indirect emissions that occur in an organization’s upstream and downstream activities. These often include:

  • Purchased goods and services and capital expenditures
  • Upstream and downstream transportation and distribution
  • Business travel and employee commuting
  • Processing, use, and end-of-life treatment of sold products
  • Operational waste

Understanding these business activities provides valuable insights into organizational emissions, and the associated opportunities to reduce emissions and operational costs across a company’s entire value chain.

GHG Emissions Measurement Example

Consider an organization’s vehicle expenses. Identifying how much the organization (or a business unit) spends on fuel in a year provides a great baseline for estimating annual fuel-related Scope 1 emissions. Augmenting this with reliable activity-level data, such as how many gallons are purchased, how many miles are driven, and the mileage the organization’s fleet gets per gallon, will provide a much more precise, and actionable, picture.

Repeating this analysis for additional organizational activities, such as product packaging or end-of-life disposal strategies, will provide insights into what the organization is doing, the related costs, and the resulting emissions. This will enable management to identify patterns and understand the core sources of organizational emissions.

This data, in turn, will help the organization develop emissions-reduction action plans by uncovering the highest emissions as well as the areas with the highest financial impact. The organization can then cut back or change the activities to be more efficient, reduce emissions, and save money.

Disclosure Requests Increasing

As the realities of climate change increasingly take a financial toll on private enterprise and civil society, companies will undoubtedly face enhanced regulatory, marketplace, and investor mandates to expand the breadth and depth of their GHG emissions measurement and reduction, and broader sustainability efforts.

In the United States, for instance, California’s Climate Corporate Data Accountability Act includes two separate bills that require companies to measure and report their emissions and climate-related financial impacts:

  • SB253 requires companies with more than $1 billion in annual revenue and operating in California to report on their annual direct and indirect GHG emissions (Scopes 1-3).
  • SB261 requires companies with more than $500 million in yearly revenue to report biannually on their climate-related financial risks.

These regulations are likely to inspire similar legislation in other states.

Internationally, many U.S.-based companies face mandates, such as the European Union’s Corporate Sustainability Reporting Directive (CSRD) to disclose sustainability-related information. Common reporting frameworks include the International Sustainability Standards Board’s IFRS Sustainability Disclosure Standards (ISSB) and the European Sustainability Reporting Standards (ESRS).

Interoperability guidance developed by the IFRS Foundation and the European Financial Reporting Advisory Group (EFRAG) is available to help companies reduce complexity, fragmentation, and duplication by understanding the alignment of general requirements, including key concepts such as materiality, presentation, and disclosures for sustainability topics other than climate. The guidance also helps companies starting with one set of standards identify how to apply the same data to another.

Aside from direct disclosure mandates at the sub-national or national level, U.S. companies are increasingly subject to sustainability information requests from larger customers and business partners who face disclosure requirements for their value chains. To meet these mandates, many large companies are asking suppliers for detailed information about their GHG emissions and other ESG data.

A growing number of investors are also factoring climate-related evaluations into their due diligence and risk management processes.

Getting Started

Sensiba provides sustainability services that help middle-market companies integrate GHG reporting and emissions reductions into their planning initiatives. To learn more, reach out to our sustainability professionals today.

Changes to the Standard Business Mileage Rate for 2025

The IRS has announced an increase in the standard business mileage rate for 2025. Starting January 1, 2025, the rate for business travel became 70 cents per mile, up from the previous rate of 67 cents per mile in 2024.

There are two ways taxpayers can deduct expenses for the business use of a motor vehicle. Under the Actual Expense Method, you can deduct certain motor vehicle expenses related to your business use of the vehicle. This includes costs like gas, oil, tires, insurance, repairs, licenses, and registration fees. Additionally, you can claim a depreciation allowance for the vehicle based on the percentage of its business use.

Standard Cents-Per-Mile Rate

If you prefer not to track each vehicle-related expense throughout the year, you have the option of choosing the standard cents-per-mile rate to calculate a deduction. The standard mileage rate can be used to calculate deductible costs for companies operating an automobile for business use. Employers often use the standard mileage rate to pay tax-free reimbursements to employees who use their own vehicles for business.

To use this method, you’ll need to record the mileage for each business trip, your travel dates, and the business purpose of the travel.

The mileage rates apply to fully electric and hybrid vehicles as well as gasoline and diesel-powered vehicles.

Special Rules and Considerations

Certain rules may restrict your ability to use the standard cents-per-mile rate or the actual expense method. For example, if you lease a vehicle and choose the standard mileage rate for the first year, you must continue using that method for the entire lease period (including renewals).

Medical and Moving Driving

You can also use the standard mileage rate for medical reasons if you deduct medical expenses on your tax return. Starting January 1, the rate for deductible medical expenses remained 21 cents per mile, the same rate as 2024.

For active-duty military members making a permanent station change, the moving expense motor vehicle rate is 21 cents per mile, up from 18 cents per mile.

The rate for charitable motor vehicle usage, which is not indexed to inflation and is set by Congress annually, remained unchanged at 14 cents per mile for 2025.

Choosing The Right Method

If you want to use the standard mileage rate method in any tax year, you must do so in the first year you use your car for business. In later years, you can choose to switch back and forth between the methods from year to year.

In some years, you may find that the actual expense method is more beneficial than the standard mileage rates, even with the rate increases. In other years, such as one in which you drive a significant number of miles, the mileage method might produce a larger tax deduction.

Contact us to discuss your specific situation and determine the best option for your business motor vehicle expenses.

Our Guide for Proper R&D Documentation When Preparing for the Tax Credit

Keeping proper documentation of your R&D activities is crucial to ensuring your R&D tax credits will be compliant with the new tax form for 2024 and making sure the amounts claimed are supported in the case of an audit. The Internal Revenue Service (IRS) and the state Departments of Revenue (DoRs) are intentionally generous with these credits, but also want to ensure accurate credit amounts.

Looking at the R&D documentation process can initially seem overwhelming, but don’t fret! Taxpayers do not need to track every single task that every single employee completes. Our goal is to avoid overwhelming the team, while still compiling strong evidence to support the credit claim in the event of an audit.

R&D Tax Credit Documentation Requirements

Congress has outlined the eligibility requirements for the R&D credit under the Code of Federal Regulations (CFR). Under CFR, taxpayers need to retain records detailing the following:

  • Calculations
  • Personnel Data
    • W-2 forms for employee compensation
    • Included Percentage
    • Personnel Titles
    • Time Tracking (if available)
  • General Ledger Data
  • Patent applications
  • Invoice copies for purchases and included patent costs

Are There Alternatives to Time Tracking?

Many new companies, smaller organizations, and companies not doing consulting work do not elect to track employee time to projects. When time tracking documentation is not available, the IRS will allow estimation as per Cohan v. Commissioner. General project data taxpayers have available to link personnel to projects and costs can be used. The IRS calls this linking nexus.

Alternative documentation that illustrates the “who did what” of your projects might include:

  • External communications like white papers, press releases, blog articles, or brochures
  • Internal communications like presentations prepared for management or review committees
  • Minutes from project meetings
  • Design and development documentation, including technical drawings, schematics, notes, and test data

Taxpayers should note that while the IRS and DoRs are flexible about the type and format of evidence provided, the existence and provision of documentation to prove nexus as per United States v. McFerrin is mandatory. These guidelines provide the framework for computing and substantiating the R&D tax credit.

How to Document Your R&D Activities

When considering the best ways to document your R&D activities, first analyze what information is already available. Working within existing systems to find documents that illustrate included activities can eliminate a lot of extra work. Often, the key to eliminating duplication is to store copies of in-process documents in electronic storage. Things like photos of whiteboards can also be utilized: keep it simple and save e-copies before getting rid of any hard copies!

Items to make sure you compile and keep are:

  • A list of key projects worked on during the year
    • Include short descriptions
    • Who worked on them
  • If you are using supplies or outside consultants or contractors, put the name of the project in the memo field in the accounting system

Starting in 2025, even companies that do not have time tracking will need to provide information about project-level expenses (the IRS calls projects “business components”) to fill out the R&D Credit tax form. Having R&D team members or managers allocate their time periodically or at the end of the year against the project list will bridge the gap between the people and the expenses.

Have More Questions?

Get in touch with our R&D Tax Credit Team to get your questions asked and answered. We’re available to discuss how we can help you prepare your R&D documentation and substantiate your tax credit.

Responsibilities of 401(k) Sponsors

Sponsoring a 401(k) plan can bring tremendous value to your organization. Having a great benefits plan can boost the morale of your team members, for example, and improve your ability to attract and retain top talent.

Managing your 401(k) plan, however, can get more complicated.

Many companies fail to meet their basic responsibilities as plan sponsors. Whether you sponsor a large or small plan, your fiduciary responsibilities are the same. The Department of Labor (DOL) and Internal Revenue Service (IRS) both conduct examinations of 401(k) plan sponsors, so it is critical to understand and meet your responsibilities.

The Biggest Misconception of 401(k) Plan Sponsors

Many plan sponsors are overly reliant on third-party service providers, assuming that because they are paying a service provider to manage their plan, all of their responsibilities have been met. In reality, many 401(k) sponsors neglect their fiduciary duties, harming their employees and organization. Failing to meet regulatory requirements can lead to larger investigations from the IRS and the DOL, and more money out of your pocketbook.

Fiduciary Responsibilities of Plan Sponsors

As a plan sponsor, you are responsible for managing your employees’ assets. The IRS and the DOL have published requirements on the fiduciary responsibilities of plan sponsors.

Some of the commonly overlooked requirements include:

  • Holding plan management meetings at least once per year to review the plan’s performance.
  • Quarterly statement reviews to look for any inconsistencies that could indicate fraud.
  • Reviewing fees charged to the plan and its participants to ensure the fees are reasonable.

Your third-party provider can also help you understand your responsibilities. Just remember that hiring a third-party plan provider alone doesn’t ensure you are meeting your obligations; in fact, reviewing their work is part of your fiduciary responsibility.

Pitfalls Found During DOL and IRS Examinations

Government examinations are not the best time to discover problems with your plan. Understanding the problems that are typically found during an examination can help plan sponsors find and correct issues before they are revealed under examination.

For instance, many sponsors fail to meet document retention requirements, mistakenly assuming their third-party plan provider keeps all documents. When participants take a hardship distribution or borrow money from the plan, these activities must be documented, and records should be retained.

It is common for plans to fail to adequately define ‘compensation’ and ‘contributions,’ which leads to incorrect matching contributions that can create liability and interest for the plan sponsor. Many smaller plans have nondiscrimination issues, where plan contributions are unfairly top-heavy. Other plans improperly omit eligible employees. Management must notify employees when they become eligible and follow up on participation.

How Can Sponsors Correct Previous Mistakes and Become Compliant?

The DOL Voluntary Fiduciary Correction Program generally provides plan sponsors with the opportunity to self-report and correct problems before fines are assessed. The IRS and DOL are generally much more lenient regarding self-reported corrections than problems found under examination.

Regardless of the size of your plan, you have a fiduciary duty as the plan sponsor. While larger plans require audits that often identify problems during the audit process, smaller plans must also ensure that their fiduciary responsibilities have been met.

For more information regarding the responsibilities of 401(k) sponsors, get in touch with one of our 401(k) plan auditors.

Frameworks for CDR Accreditation?

If your organization is exploring opportunities under Australia’s Open Banking framework, the most significant hurdle (in effort and cost) is meeting the Consumer Data Right (CDR) information security requirements outlined in Schedule 2.

To gain accreditation as a CDR data recipient, your systems and processes must satisfy 24 prescribed security requirements. These include multi-factor authentication, data loss prevention, system monitoring, and user access controls. To demonstrate compliance, you’ll need an independent assurance report—typically under SOC 1, SOC 2, or ASAE 3150.

Here’s how to evaluate which report is right for you, and how to make the most of your investment.

Start With What You Have

If your organization already maintains a SOC 1 or SOC 2 report, you’re ahead of the curve. You may be working with frameworks like GS 007, ISAE/ASAE 3402, ASAE 3150 (which aligns with SOC 2 Trust Services Criteria), or AT-105 (the official SOC 2 standard). These frameworks vary slightly in structure and origin but share a common goal: validating that your controls meet specified objectives.

Notably, ISO/IEC 27001 certification—while widely recognized—does not meet CDR accreditation requirements.

Choosing the Right Path to Accreditation

If you don’t currently have a SOC report, the fastest and most cost-effective option may be a one-time ASAE 3150 report tailored to the CDR criteria. However, this type of report has limited utility beyond CDR accreditation.

If you anticipate needing assurance reports for customers or want to streamline future due diligence efforts, investing in a SOC 2 report may offer greater long-term value. Whichever option you choose, be sure the report specifically addresses CDR requirements.

If you already have a SOC report, you may need to expand its scope. For example:

  • SOC 2 reports often align closely with CDR requirements and may need only minor adjustments.
  • SOC 1 reports are less prescriptive and may require more extensive updates.

Either way, extending your existing SOC reporting approach is likely the most efficient path forward.

Three Key Differences With CDR Reporting

CDR compliance introduces a few nuances that differ from standard SOC reporting. These areas require special attention:

1. Scope of Systems

Under Schedule 2, Part 1, CDR requires a clearly defined “CDR Data Environment.” This includes the systems, people, and processes that collect, store, or interact with CDR data.

While traditional SOC reporting starts with the scope of services and associated systems, CDR flips the model: it starts with the consumer data and works outward to define scope. If your current SOC report wasn’t built with this in mind, you may need to expand its boundaries to meet CDR expectations.

2. Carve-In Approach to Third Parties

Standard SOC reports typically use a “carve-out” approach, excluding the controls of third-party service providers. Instead, the focus is on how your organization oversees those providers.

The CDR requires a “carve-in” approach. You must demonstrate that all third parties supporting your CDR Data Environment meet the same stringent security standards. Cloud infrastructure providers like AWS, Microsoft, and Google typically meet this requirement with their own SOC reports.

However, challenges may arise with vendors that don’t offer SOC reports—such as certain software developers, IT service providers, or data center operators. In these cases, ISO/IEC 27001 or similar certifications are not considered sufficient under CDR, which may require a more thorough evaluation of your third-party risk strategy.

3. Prescriptive Control Requirements

CDR is unique in that it prescribes specific control activities. For example, it mandates multi-factor authentication across all in-scope systems. This contrasts with traditional SOC reporting, which allows more flexibility in how organizations meet control objectives.

To satisfy CDR, your report must directly align with each of these specific requirements.

CDR Compliance Extends Beyond Information Security

While Schedule 2, Part 2, is often the most challenging and costly piece of the CDR framework, it’s not the only requirement. To achieve full accreditation, organizations must also:

  • Maintain adequate insurance coverage
  • Uphold strong privacy practices
  • Honor consumer privacy rights
  • Define and govern the CDR Data Environment
  • Establish oversight and monitoring mechanisms

Some of these may already be addressed in your existing SOC report. Others will require additional planning and documentation.

Tailoring Your Approach

Achieving CDR accreditation requires a strategic, prescriptive approach to assurance. Whether you pursue a SOC 1, SOC 2, or ASAE 3150 report, your selected framework must fully address CDR’s rigorous security requirements.

For many, the best path is building on an existing SOC reporting process—updating its scope and controls to align with CDR expectations. If starting from scratch, carefully weigh the value of a report tailored solely to CDR against the broader benefits of a SOC 2 that can support future business needs.

To evaluate the best approach for your organization’s CDR accreditation strategy, contact us. We’re here to help you align compliance with opportunity.

6 Trends Shaping the Food and Beverage Industry Today

Food and beverage companies face new and familiar risks as the industry evolves in an ever-changing global economy. Leading trends shaping the industry today include ongoing inflation, an increased push toward sustainability, regenerative agriculture, carbon labeling, food safety, and more.

Managing Inflation Risks and Costs

Although inflation has moderated for many consumer categories in the United States, consumers’ sentiments are that food prices remain high. Grocery prices are maintaining levels above the inflation rates due to a mixture of labor shortages tied to the pandemic, continued supply chain disruptions, droughts, avian flu, and other factors.

There are indicators that inflation is slowing as certain commodity prices are beginning to decrease and forecasting models suggest food prices will have only increased 2.9% for 2024 (marking the smallest percentage increase of the last seven years). Despite this significant decrease from recent inflation levels, consumer sentiments are that food prices remain too high, primarily resulting from the impact of recent years’ elevated inflation results.

Even as price increases moderate and food prices stabilize or even decline, food producers and retailers are facing market risks and pressure to reduce costs. It will likely take a significant time for consumers to adjust from the current perception that everything costs more. In the meantime, well-positioned companies are using price positioning to increase volume and take market share.

Non-GMO and Lab-Based Foods

Consumers are starting to worry even more about how traditional food production methods are harming the environment. As a potential solution, industry professionals have gained interest in the use of “cultivated meat.” The cultivation process produces meat created in large-scale lab operations that are marketed as a more sustainable option.

Advocates present cultivated meat as an environmentally friendly alternative to conventionally farmed meat and boast about the carbon-cutting advantages of lab-grown meat. But despite the potential advantages of relying less on traditional farming and ranching methods for meat, many challenges remain before production and consumer acceptance become common.

For example, genetically modified organisms (“GMOs”) have been a controversial fixture in the food and beverage industry for decades, and consumer acceptance of these products remains mixed. At present, cultivated meat products are costly and scaling the industry will be critical to making these products affordable for consumers. Scaling comes with its own challenges, as the scope of manufacturing required to reach economies of scale requires significant capital, time, and labor supply to be met.

Lab-grown food will also likely face regulatory hurdles. The U.S. Food and Drug Administration, Environmental Protection Agency, and Department of Agriculture all have responsibility for food safety, including foods that are GMOs or have GMO ingredients. Inevitably, lobbying interests will impact the pace in which new products will be able to come to market and with what regulation they are likely to face.

Regenerative Agriculture

Regenerative agriculture—farming and ranching in harmony with nature to restore soil and ecosystem health, address inequity, and leave land, waters, and climate in better shape for future generations—is gaining momentum among food producers.

The practices of regenerative agriculture—many of which have been utilized by Indigenous communities for centuries—include techniques such as:

  • Cover cropping
  • Rotational grazing
  • No-till farming
  • Composting
  • Reduced fossil fuel-based inputs
  • Agroforestry
  • And other methods

Regenerative agriculture offers ecological, economic, and social benefits.

The broader idea involves prioritizing soil health, reducing synthetic inputs, and giving back to the community. Conversely, more intrusive agricultural methods emphasize short-term crop output with less regard for the effects on the larger ecosystem.

Balancing long-term resilience with short-term profitability is an essential part of the equation when it comes to adopting more regenerative approaches; regenerative farms must be able to maintain profitability in the short run for changes to techniques to be attractive.

Current U.S. farm policy does not promote or encourage regenerative practices, though some states, including California, have implemented incentive programs. Story-telling and the willingness to share the successes (and failures) of early adopters will be critical to achieving increases in consumer demand and mitigation of producer risk while adopting new processes on the farm.

Carbon Labeling

Much like how nutrition labels quantify the ingredients and energy composition of products, a carbon label empowers consumers to make more sustainable choices by providing data on how a product’s production, manufacturing, and packaging negatively impacts the environment (or positively impacts the environment, as the case may be for certain regenerative products).

Every product’s carbon footprint can be calculated. While the specific methodology for calculating per-product emissions varies, the objective is to quantify the environmental impact of consumption through consideration of a product’s entire carbon lifecycle: emissions from the start of being grown, during transportation, and through recycling of packaging.

The type of label can vary by product, but studies have shown simplicity is a key consideration when it comes to effectiveness for consumers at this time. As more companies adopt reporting and customer education on this topic increases, best practices are expected to emerge. As with any product claim, companies should be prepared to substantiate their claims. Greenhouse gas (GHG) calculations or life cycle analyses conducted by independent third parties are highly recommended, as is obtaining assurance for GHG calculations.

Policies for carbon labeling are starting to emerge in the European Union, and some U.S.-based companies are starting to provide this information to consumers.

Food Safety

In response to enhanced regulation, food processors are leveraging technology to provide enhanced visibility into the supply chain, as well as traceability and transparency so consumers can know more about the food they’re consuming.

The Interagency Food Safety Analytics Collaboration was formed by the Centers for Disease Control and Prevention (“CDC”), Food and Drug Administration (“FDA”), and Food Safety and Inspection Services (“FSIS”) to help improve the country’s understanding of foodborne diseases. The group will focus its efforts on reducing illness from four pathogens commonly cited in foodborne diseases (Salmonella, E. coli O157:H7, Listeria monocytogenes, and Campylobacter).

The group recently published its 2024-2028 strategic priorities, focusing on more clearly identifying the sources of illness outbreaks, improving data quality to reduce potential exposures, and enhancing food safety.

Mental Health and Diet

Research continues to demonstrate the positive relationship between nutrition and mental health, suggesting an opportunity to enhance therapeutic and pharmacological treatments with dietary intervention.

Evidence-based guidelines can be based on clinical research and “prescribed” by medical professionals, but there are gaps in the guidance when it comes to labeling foods as being “good” for mental health.

The FDA oversees health claims, which are defined as statements linking a food to a reduced risk of disease or a health-related condition. These claims are more commonly associated with physical ailments, such as heart disease. However, structure/function claims—describing how a food or ingredient affects a function of the body—do not require FDA authorization.

To learn more about how we can help your food or beverage business with any or all of the above topics, contact us.

The R&D Tax Credit Now Requires Additional Documentation When Making Claims for Refund

The Research and Experimentation (R&E) Credit, also known as the Research and Development (R&D) Credit, is submitted on federal form 6765. It compiles the amounts of Qualified Research Expenses (QREs) and computes the total credit for the tax year. Taxpayers seeking to amend a prior year’s return to claim the R&D tax credit are now required to provide the IRS with additional documentation at the time of filing rather than waiting for IRS review.

Historically, the IRS only required that the company maintain data to support the claim upon examination (audit) for credits claimed on either a timely filed or amended return. The IRS has stated that reviewing claims is consuming substantial resources and released a memo in October 2021 with new guidelines. The new guidance, which does not currently apply to timely filed returns, is intended to diminish this burden on taxpayers and the agency. However, the effect is actually the opposite for taxpayers who now bear an additional reporting burden.

Information You Need To Provide

In addition to the traditional filing of the 6765 and maintaining documentation, taxpayers will need to provide the following when filing the claim for refund:

  • Identify all the business components to which the Section 41 research credit claim relates for that year,
  • Identify all research activities performed for each business component, and
  • Provide the total qualified employee wage expenses, total qualified supply expenses, and total qualified contract research expenses for the claim year. Taxpayers may use Form 6765, Credit for Increasing Research Activities, for this purpose.

This supporting information must be provided using a written statement, not just by submitting a stack of documents. The IRS is also allowing the new Form 6765, Credit for Increasing Research Activities, to be used by companies to provide this information. Claims that do not comply with the new guidance will be rejected.

What if a Claim Does Not Provide Sufficient Information?

The IRS has again, as of October 2025, extended the research credit claim transition period to January 10, 2027. This gives taxpayers 45 days to perfect a research credit claim for refund prior to the IRS’s final determination on the claim.

Next Steps for Taxpayers

The landscape for claims for R&D Credit refunds has changed dramatically in the last several months. This enhanced documentation requirement may add significant administrative efforts for taxpayers and preparers. Even though the memorandum was released with no period for public commentary, practitioners and taxpayers will likely see additional publications from the IRS in the upcoming months and years.

If you plan to claim the research and development tax credit in the future, start documenting the five requirements in advance.

We Can Help

Our team of research & development tax credit experts provides engineering-based tax credit studies customized to meet your needs. Contact us with any questions regarding the R&D Tax Credit.

San Francisco Gross Receipts Tax Reform: A Deep Dive Into Prop M

San Francisco voters approved sweeping changes to the city’s business tax structure by passing the Proposition M ballot measure. The proposition, designed to simplify the city’s business tax system, makes several changes to San Francisco’s gross receipts tax (GRT) and homelessness gross receipts tax (HGRT), impacting businesses across industries.

These changes are effective January 1, 2025, and will first affect 2025 San Francisco returns originally due February 28, 2025.

Key Changes Introduced by Proposition M:

Revised Gross Receipts Apportionment

Proposition M shifts how businesses assign their gross receipts to San Francisco. For many industries, the calculation will move from a payroll-based apportionment formula to a heavier reliance on a market-based apportionment formula.

Effective January 1, 2025, most businesses will use a two-factor apportionment method, based on payroll within the city (weighted 25%) and where the product or service is delivered or consumed in San Francisco (weighted 75%). This marks a significant change for industries like professional and financial services, which previously were required to source gross receipts to San Francisco based entirely on payroll expense within the city.

Streamlined Industry Classifications

The number of business classifications and tax rates has been reduced from 14 to seven, making it easier for businesses to determine applicable tax rates and apportionment methodologies. However, businesses operating in multiple classifications will still be required to calculate their taxes separately for each unique business activity.

Increased Small Business Exemption

The small business exemption threshold for gross receipts taxes has been increased from $2.25 million to $5 million.

Homelessness Gross Receipts Tax Updates

The HGRT now applies to businesses with taxable gross receipts exceeding $25 million, down from the previous $50 million threshold. Certain categories, like real estate, maintain the $50 million threshold.

Changes to the Overpaid Executive Gross Receipts Tax (OEGRT)

The OEGRT, a tax targeting businesses with excessive executive pay ratios, has been significantly reduced. The tax now applies at 10% of its previous rates, adjusting the tax tiers from 0.1%–0.6% to 0.02%–0.129%.

Procedural and Compliance Updates

Businesses can now benefit from a new 110% safe harbor rule, which allows a nine-month extension for filing annual tax returns if a payment of 110% of the prior year’s liability is made by the original due date. The rule applies to registration fees and several taxes, including the GRT, HGRT, and OEGRT.

According to the Golden Gate Restaurant Association, which advocated for the measure, the approved changes will eliminate gross receipts taxes for more than 2,700 small businesses within the city while reducing licensing fees for restaurants, hotels, arts venues, and small retail shops.

The move will also reduce San Francisco’s reliance on large employers paying gross receipts taxes based on their payroll expenses. According to a 2023 report by the city’s controller’s office, San Francisco’s five largest employers accounted for nearly a quarter of the city’s payroll-based gross receipts taxes.

To discuss these tax changes and how they affect your company, contact us.