Choose the Right Family Office Accounting Software to Eliminate Financial Complexity

One of the most effective ways for a family office to improve efficiency and reduce complexity is by selecting the best accounting software for its needs. While popular accounting software such as QuickBooks is suitable for family offices with relatively straightforward investments and accounting needs, a platform such as Sage Intacct may be a better alternative for more complex situations.

Prioritize Your Family Office’s Accounting Software

Several factors, such as delays in obtaining financial reports, relying on manual processes, not meeting family expectations about the availability of information, or uncertainty about the reliability of performance data can indicate the need for more sophisticated software.

In contrast, aligning the right software package to your family office’s accounting and reporting needs can enable real-time visibility, deeper insights, and increased efficiency.

Situations Where Sage Intacct May be a Better Alternative:

  • A broad range of asset classes. Expanding the family office portfolio beyond stocks and bonds, such as private equity and other alternative investments, can create complexity that may be challenging to manage with basic accounting software. Similarly, tracking multi-generational investments or using multiple custodians can create issues in consolidating financial reports.
  • Manual processes and report preparation. Some accounting packages may not be able to integrate investment accounts with the rest of your family office business on a timely basis. Relying on manual processes and reports can create delays as well as opportunities for inadvertent or inappropriate data manipulation or fraud.
  • Budgeting and forecasting challenges. Dedicated financial management packages that go beyond basic needs can enhance your family office budgeting and financial planning, enabling more effective decisions and a more efficient management process.

Aligning Accounting Software with Your Family Office Needs

Beyond relieving those pain points, choosing a more sophisticated financial management platform for your family office operations brings several advantages:

  • Integration with other tools. A flexible solution that integrates with other applications is essential to eliminating manual processes and achieving comprehensive reporting. Some of the more common integrations we see in family offices include investment management reporting, bill pay, expense management, and payroll. It is significantly easier for family office principals and staff to monitor and administer these functions from one application instead of several separate tools.
  • Comprehensive reporting. A sophisticated family office financial platform allows family members to customize dashboards and reports in different formats, highlighting the metrics they find most important. Similarly, comprehensive reports allow family members to gain deeper insights about investment performance and opportunities.
  • Unified visibility. Ongoing consolidation of results from different investment classes provides real-time insights while improving financial management and planning.
  • Stronger controls. Sophisticated financial platforms include built-in controls that help mitigate the risk of fraud or errors, and they also save considerable time in the reconciliation process.

Still Worried About Changing Your Family Office’s Software?

Some of the common challenges that family offices face when graduating to a more advanced accounting platform include the prospect of losing the familiarity of QuickBooks, having to train staff on a new system, and potential disruptions to office routines. While these concerns are understandable, an effective implementation plan can enable the family office to enjoy the considerable benefits of upgrading their basic financial management package to a more sophisticated platform.

If you are ready to switch accounting software or need more information, contact our team. We can help!

Determining In-Scope Headcount for Your ISO 27001 Audit 

Determining the in-scope headcount for your ISO 27001 Information Security Management System (ISMS) is an essential step in preparing for certification. Your headcount is the number of people directly involved in performing the processes covered by your ISMS. Certification bodies use it as a primary input when calculating required audit time, so its accuracy affects both the cost of the audit and how well the ISMS can be managed.

Ensuring this headcount is well-defined and comprehensive will streamline your audit, help your certification body adequately budget time for the audit process, and support the successful implementation of security measures aligned with your business operations. 

What Is In-Scope Headcount? 

The term “in-scope headcount” refers to the employees and contractors directly involved in performing the activities governed by your ISMS. This includes people across various departments who contribute to the development, maintenance, and security of the systems, processes, or services within the defined scope.  

For example, if your ISMS covers the development and operation of a Software-as-a-Service (SaaS) application, your in-scope headcount would include developers, DevOps engineers, system administrators, and, depending on how they interact with the development process, potentially corporate IT. 

Key Considerations for Determining Headcount 

When identifying your in-scope headcount, consider these critical factors: 

  • Processes Involved: Identify all processes that are part of your ISMS. For a SaaS platform, this might include software development, system operation, and incident response management. 
  • Dependencies Between Departments: Consider how different departments interact. For example, while development may be the primary process, corporate IT may also fall under the ISMS if their activities support or influence development. 
  • Third-Party Involvement: If external partners or vendors play a role in your information security processes, include them where relevant. 
  • Workforce Structure: Include full-time, part-time, and contract workers who contribute to ISMS activities. Count part-time workers proportionally to their contribution to relevant tasks (for example, two half-time staff performing in-scope work count as one full-time equivalent).

5 Steps to Define Your In-Scope Headcount 

Step 1: Identify Core ISMS Processes 

Start by identifying the processes that fall under your ISMS. For example, if your ISMS covers a SaaS platform, you would include software development, operations, and maintenance. Focus on the roles directly involved in these processes. 

Step 2: List Departments Involved 

Once the core processes are defined, determine which departments or teams are responsible for these activities.

Step 3: Map Dependencies 

Evaluate the dependencies between departments. For example, if corporate IT provides critical support for the SaaS platform’s security or infrastructure, they should be included in the in-scope headcount and noted within the scope statement interfaces and dependencies. 

Step 4: Include External Parties 

If any external contractors, consultants, or service providers are responsible for aspects of the ISMS processes (e.g., outsourced security monitoring), be sure they are accounted for in the headcount. 

Step 5: Determine Your In-Scope Headcount 

While it’s not a requirement of the standard to document your headcount formally, you should have a clear number in mind to provide your certification body. This headcount is essential for helping them accurately determine the number of days required for the audit and ensuring that all critical components of your ISMS are covered. 

Common Pitfalls to Avoid When Determining In-Scope Headcount 

  • Underestimating Third-Party Involvement: Forgetting to include external vendors or consultants can lead to incomplete ISMS coverage. 
  • Excluding Support Teams: Teams such as IT or HR may not appear directly linked to your ISMS at first glance, but they often provide crucial support, especially in areas like security or access management. 
  • Overcomplicating the Headcount: Including roles that don’t impact the ISMS directly can inflate the headcount unnecessarily, leading to longer audits and higher costs. 

Who Can Be Excluded From Your ISMS Headcount 

In many cases, departments like sales, marketing, or customer service may have little to no impact on the ISMS and can often be excluded from the headcount. These departments typically do not handle sensitive information or perform activities that fall within the ISMS’s security scope. However, it’s important to assess each department based on their involvement with information security to ensure there are no overlooked risks. 

While it’s common to exclude non-relevant departments, some organizations choose to include the entire company within the ISMS scope. If you decide to include all departments, including those with minimal information security involvement, there are options to reduce the audit days based on the reduced risk associated with certain activities.  

In these cases, you should speak with your certification body to explore opportunities for reducing audit time while ensuring the ISMS remains effective and compliant. 

The Role of Cross-Departmental Teams 

In many cases, multiple departments contribute to the activities under your ISMS. Involving cross-departmental teams during the headcount determination process ensures no critical roles are overlooked.  

Collaboration across departments can also help identify any indirect roles that contribute to maintaining the security of information assets or systems. By involving stakeholders from different areas, such as HR, IT, and legal, you ensure a more comprehensive view of who should be included in the ISMS scope. 

By carefully identifying the personnel involved, whether selectively or company-wide, and documenting their roles clearly, you can optimize the audit process and align your ISMS with both business and security objectives. 

If you have questions about defining your ISO audit scope or need assistance with your compliance efforts, we’re here to help.  

A Practical Guide to Endpoint Device Controls and BYOD

Bring-your-own-device (BYOD) policies are common among startups and fast-growing businesses. They can reduce hardware costs, minimize redundancy, and offer employees more flexibility. But from a security and compliance perspective, BYOD introduces unique challenges, especially when external standards apply.

Frameworks like SOC 2 tend to offer more flexibility around endpoint device controls. Standards such as ISO/IEC 27001 and CSA STAR, and especially the information security requirements of Australia's Consumer Data Right (CDR), are more prescriptive and can be harder to meet under a BYOD model.

Why Is BYOD Challenging?

The central challenge with BYOD is that the devices used to access sensitive systems and data are employee-owned. This raises questions about how much control an organization can or should exercise. For example:

  • Is it appropriate to restrict which software employees can install?
  • Can you require device monitoring or enable remote wiping upon termination?
  • How do you enforce baseline security controls like passwords, encryption, or firewalls?

Employees’ personal preferences often conflict with corporate security needs. At the same time, endpoints are increasingly in focus across compliance frameworks because they’re a common point of data leakage.

In most organizations, people—not systems—represent the greatest risk. Endpoint devices are where data can escape secure cloud environments and where oversight is weakest.

What Standards Say About Endpoints

SOC 2 generally takes a risk-based approach. If your environment is low-risk and your data resides primarily in secure cloud platforms, an acceptable use policy signed by employees may be sufficient.

ISO/IEC 27001 and CSA STAR offer more structure. However, they allow organizations to reduce or exclude certain controls if they can show the associated risk is effectively managed or not applicable.

CDR, however, sets a higher bar. The standard includes several defined control objectives focused specifically on endpoint device management within the CDR Data Environment. That makes endpoint oversight a key area of concern for data recipients.

Defining/Reducing the Scope of Devices 

One of the most practical ways to manage BYOD risk and reduce your compliance burden is to narrow the scope of in-scope devices. This is particularly important for frameworks like CDR, which define boundaries around a specific environment.

For example, your engineering, security, and operations teams may be required to use company-issued devices or follow stricter security policies if using their own. By mapping the systems in your CDR environment and limiting access to only necessary personnel, you reduce the number of devices that fall within scope.

Fewer devices in scope means fewer compliance obligations and a clearer path to accreditation.

Removing Endpoints From the Equation 

In rare cases, removing endpoints from scope is possible—but only if you can prove those devices pose no material information security risk.

That doesn’t just mean devices don’t store sensitive data. It means they can’t store it.

You’ll need to demonstrate that employees are technically unable to export or save sensitive data to their personal devices. This requires strong access controls, data segregation, and enforcement mechanisms. You must be able to detect or prevent unauthorized activity and show that the risk is remote enough to be acceptable under your chosen framework.

For example, if production database access is tightly restricted, controlled through temporary credentials, and supported by independent approval processes, that risk can be reduced to an acceptable level. However, scoping out endpoints becomes much more difficult if sensitive data is stored in shared folders like Dropbox or Google Drive.

What BYOD/Endpoint Controls Are Typically Expected?

Here is a checklist, roughly ordered from the controls that nearly every standard expects to those required only by the more prescriptive ones:

  • Acceptable use policy outlining boundaries and the appropriate use of devices 
  • BYOD policy (if applicable) outlining responsibilities for own devices 
  • Strong device password settings
  • Screen timeout and lock
  • Full-disk encryption 
  • Anti-virus software 
  • Device logging
  • Device policy enforcement through a mobile device management (MDM) platform
  • Multi-factor authentication (for example, a password or PIN combined with a biometric; a biometric on its own is a single factor)
  • Device firewalls 
  • Restricted software installation / application allowlisting (whitelisting) 
  • Restricted removable media
  • Restricted file sharing (e.g., AirDrop) 
  • Email monitoring and blocking 
  • Device tracking and remote wipe
  • Restricted local administrator rights

To learn about effective endpoint management, contact us.

Fewer Employee Benefits Plans Need Form 5500 Audits

To inspire more employers to offer retirement savings plans, a regulatory change has reduced the number of employee benefit plans required to obtain an audit report with Form 5500, “Annual Return/Report of Employee Benefit Plan.”

For plan years beginning on or after January 1, 2023, only plans that have 100 or more participants with account balances at the beginning of the plan year are now counted as a “large plan,” and therefore subject to audit requirements. Previous regulations specified that all eligible employees needed to be counted in determining whether a specific plan was large (whether or not they participated in the plan).

Reduced Administrative Burden and Costs

This change means fewer retirement savings plans will need to obtain a Form 5500 audit, saving them the cost and administrative requirements associated with an external audit.

Plans with fewer than 100 participants that have account balances will instead be able to file the Form 5500-SF. This form has fewer schedules and disclosure requirements than Form 5500.

In its Regulatory Impact Analysis, the U.S. Department of Labor estimated more than 19,000 of the nation’s 149,000 large plans, nearly 13%, would no longer be classified as large plans.

In addition to reducing administrative burdens and costs for smaller plans, the new threshold was designed to encourage more small businesses to offer retirement plans to employees.

The 80/120 Participant Rule Remains

The “80/120 participant rule,” which was not affected by the 2023 changes, offers an important exception related to Form 5500 filing requirements for employee benefit plans. The 80/120 rule allows plans with between 80 and 120 participants at the beginning of the plan year to file Form 5500 in the same category (large or small) as they did in the previous year.

Under this rule, a plan that filed as a small plan in the previous year can maintain that filing status until it reaches 121 participants. Similarly, any plan that filed as a large plan in the previous year can continue to file as a large plan until it drops below 100 participants.

The rule provides consistency and flexibility for plans hovering around the 100-participant threshold, allowing them to avoid switching between large and small plan status (along with the associated changes in filing requirements) from year to year.

Expected Changes for 2025 Filings

Looking ahead to the 2024 plan years, the Department of Labor is expected to make additional changes under the 2022 SECURE Act (known as SECURE 2.0) designed to simplify plan administration while making retirement plans more accessible and attractive to employees.

For instance, effective January 1, 2025, the definition of a Long-Term Part-Time employee is scheduled to change to include part-time employees who worked at least 500 hours in two consecutive years (rather than the three years required in 2024). This eligibility is determined by looking at hours worked since January 1, 2021.

While this change could expand the number of employees eligible to participate in a plan, the administrative cost is likely to be offset for many plans by the reduced “large plan” criteria outlined above.

Also starting in 2025, companies that request an extension for filing Form 5500 with the Department of Labor will be able to do so electronically, rather than having to file a paper form.

To discuss the filing changes and potential implications for your employee benefit plan, contact us.

The EU’s Corporate Sustainability Reporting Directive

U.S. companies with major customers, subsidiaries, or parent companies in Europe need to determine whether they’re required to make disclosures under the European Union’s Corporate Sustainability Reporting Directive (CSRD). Disclosures may be expected as early as 2025, depending upon such factors as headcount, revenue, and status as a publicly traded entity.

The CSRD is an EU regulatory framework designed to enhance corporate sustainability reporting and to promote environmental, social, and governance (ESG) considerations. The regulation is also intended to support investors and other stakeholders in evaluating climate- and sustainability-related risks and opportunities that may affect a business's future cash flows and long-term resilience.

What Do Companies Report Under the CSRD?

Under the CSRD, companies (known as “undertakings” in the regulation) must conduct a “double materiality” assessment to identify material sustainability issues from two perspectives:

  • Impact materiality: How the company’s activities affect society and the environment.
  • Financial materiality: How sustainability issues impact the company’s financial performance and value.

Reporting area requirements cover governance processes and controls, the incorporation of material impact areas into overall business strategy, and impact, risk and opportunity management. CSRD disclosures cover a broad range of ESG issues, such as: 

  • Climate change risks and mitigation efforts
  • Pollution prevention and control
  • Resource use and circular economy initiatives
  • Workforce diversity, working conditions, and work/life balance
  • Human rights in the value chain
  • Consumer and product safety
  • Business ethics and conduct
  • Anti-corruption measures
  • Board diversity and oversight of sustainability

The related European Sustainability Reporting Standards (ESRS) specify the information companies must report under the CSRD. The ESRS (see chart) comprise two general (or "cross-cutting") standards and 10 topical standards covering environmental, social, and governance subjects.

12 ESRS Standards Shaping CSRD

[Chart: 12 ESRS Standards Shaping CSRD; not reproduced in this text]

In addition to historical data, companies are required to disclose forward-looking information on their sustainability metrics, targets, and progress. Sustainability information must also be included in the entity’s Management Report.

Each filer's sustainability disclosures must be independently assured for accuracy and completeness. The requirement starts at limited assurance and is expected to move toward reasonable assurance over time.

Who Has to Report Under the CSRD?

The CSRD establishes a range of reporting criteria and effective dates for mandatory reporting. Large enterprises began reporting in 2024 if they were previously subject to the Non-Financial Reporting Directive (NFRD). Other large companies will begin reporting in 2025. 

Large undertakings are defined as entities that meet at least two of the following criteria:

  • Total assets exceeding €25 million.
  • A net turnover exceeding €50 million.
  • More than 250 employees, on average, during the financial year.

The relatively low reporting thresholds will likely mean a range of companies that don’t consider themselves to be large will have to meet the CSRD’s requirements.

Companies listed on regulated markets in the EU, including small and medium-sized enterprises (SMEs), must comply with the CSRD starting in 2027.

Beginning in 2027, non-EU companies with a net turnover above €150 million in the EU will need to comply if they have at least one subsidiary or branch in the EU with more than €40 million in net turnover.

CSRD Reporting Thresholds and Timelines

[Graphic: CSRD Reporting Thresholds and Timelines; not reproduced in this text]

Large Customer Compliance Requests

Beyond any direct compliance requirements, U.S. companies will need to prepare a variety of disclosures in response to requests from large customers that are required to report on their own. Because those disclosures include the larger organizations’ value chains, many will be asking their suppliers for detailed information about CSRD reporting topics such as greenhouse gas emissions and other ESG data.

Companies throughout the value chain will need to identify their emissions-generating activities and develop reliable systems, controls, and procedures to ensure information is shared with customers accurately.

Recognizing the complexity of obtaining this information from a range of suppliers, the EU is allowing reporting companies to use estimates for value chain reporting after making reasonable efforts to do so. This will likely change as reporting becomes more common and stakeholder expectations increase.

Voluntary SME Disclosures

The Voluntary European Sustainability Reporting Standards (VSME) are a related effort designed to allow non-listed SMEs to comply with stakeholder information requests by preparing voluntary disclosures similar to those outlined in the CSRD and ESRS.

The VSME features three modules:

  • The Basic Module outlines environmental and social metrics, including Scope 1 and 2 emissions.
  • The Narrative Module includes descriptions of the entity's Policies, Actions, and Targets.
  • The optional Business Partners Module outlines information that may be requested from banks, investors, and other stakeholders.

Implementation FAQs

To make it easier for companies to understand and comply with the CSRD reporting requirements, the EU has published an FAQ document outlining the directive’s scope, application dates, and exemptions.

Sensiba has made incorporation of the ESRS standards a core part of our ESG Assessment process. To understand the benefits of planning for disclosures and assess relevance to your business, contact our team to learn more.

ISO/IEC 27001 Updated for Climate Change Risks

With climate considerations playing a larger role in corporate risk management and strategic planning, the ISO/IEC 27001 information security management standard has been amended to require that organizations consider the potential impacts of climate change on their Information Security Management System (ISMS).

Under an amendment issued in February 2024, organizations preparing for an ISO/IEC 27001 audit are required to consider the potential risks climate change can present to their ISMS, as well as any potential implications for interested parties.

In a joint statement, ISO and the International Accreditation Forum highlighted the need for organizations to consider the effects of climate change on their ability to achieve the intended results of the management system.

The statement explained that some climate-related risks, such as regulatory compliance or organizational resilience, may have a general effect on an organization’s ISMS. Some organizations will face more specific climate-related ISMS risks related to their industry (such as energy production or agriculture) or factors such as their geographic location.

How Does ISO/IEC 27001 Address Climate Change?

The amendment (ISO/IEC 27001:2022/Amd 1:2024) adds two references to climate change within Clause 4, "Context of the organization." Clause 4.1 (Understanding the organization and its context) gains the requirement "The organization shall determine whether climate change is a relevant issue." Clause 4.2 (Understanding the needs and expectations of interested parties) gains a note stating "Relevant interested parties can have requirements related to climate change."

The changes are designed to help organizations address several climate-related risks to their ISMS and its operations. If, for instance, a severe weather event such as a windstorm or flooding affects an organization’s data center, the availability of its systems and data can be disrupted.

Similarly, vendor or supply chain disruptions following climate-related events could affect an organization’s ability to maintain an ISMS and its performance. Customers may also have concerns about whether a climate-related disruption to a service organization can affect their operations.

How Should Companies Alter Risk Assessments?

To comply with the amended standard, organizations need to determine whether climate change can affect their ISMS and, if so, whether they have implemented controls or other measures to address the resulting risks. For many organizations without material climate exposures, the determination can be recorded in the ISMS context documentation with language similar to:

“The organization acknowledges the potential impact of climate change on its operations and has considered these risks in the context of its Information Security Management System (ISMS). While no specific mitigation actions are committed at this stage, the organization remains aware of climate-related factors that may affect its business environment.”

Similarly, organizations should also consider addressing climate risk with policy statements in their Management System’s risk assessment documentation. Management should include language saying it has considered the impact of climate risk on the ISMS and whether that risk meets a threshold for mitigation. (If it does, the organization should outline the mitigation measures it has taken.)

If an organization has more than one ISO/IEC Management System, it needs to conduct separate climate risk assessments for each one.

To learn more about ISO 27001 certification and its valuable role in helping your organization protect its systems and information, contact us.

When Are LLC Members Subject to Self-Employment Tax?

A November 2023 ruling in the U.S. Tax Court specifies that limited partners are not necessarily exempt from self-employment tax.

The court ruled that a “functional analysis test” must be applied to determine whether a limited partner, or a member of an LLC, qualifies for the exception to self-employment tax. The court determined, in part, that someone listed as a limited partner, but who participates in management decisions, cannot use their limited partner status to shield themselves from self-employment tax obligations.

The ruling marks a shift in the practice in which limited liability company (LLC) members claim their shares of LLC income aren’t subject to self-employment tax.

It also marks a victory for the Internal Revenue Service (IRS), which has been pursuing what it believes to be underreported self-employment taxes. Because the definition of who serves as a limited partner has been ambiguous, the IRS believes some people are limited in name only but are otherwise active participants in a partnership, and therefore subject to self-employment tax.

The Tax Court ruled that active participants, regardless of their title, are not exempt from the self-employment tax on their business profits. Each situation must be examined, through a “functional inquiry into the roles and activities” of those limited partners, to determine whether a person should be considered a limited partner for tax purposes.

Self-employment Tax Background

General partners are subject to self-employment tax on their business income from the partnership, whether or not it’s distributed. In contrast, limited partners are only subject to self-employment tax on guaranteed payments they receive for services provided to the partnership. Limited partners, who don’t have management authority within the partnership, are considered similar to passive investors for tax purposes.

Some states allow limited partners to provide services to businesses they invest in, further blurring the lines of who qualifies for the exception.

Self-employment income is subject to a 12.4% Social Security tax (up to the wage base) and a 2.9% Medicare tax. In most cases, members of partnerships are considered self-employed for tax purposes.

Limited Partners vs. LLC Members

Many LLC members say they are functionally the same as limited partners and, therefore, exempt from self-employment tax for income other than guaranteed payments for services.

But while limited partners and LLC members both have limited personal liability, LLC members (unlike limited partners) can actively participate in management without jeopardizing their liability protection.

Review Your Situation as an LLC Member

The law in this area remains uncertain, particularly for capital-intensive businesses. However, given the IRS’s aggressiveness in recent years in collecting self-employment taxes from LLCs, members should assess their potential obligations.

People who wish to avoid or reduce these taxes may have some options, including restructuring their ownership interests or converting their entity into a different structure. Contact us to discuss your specific situation.

ISO/IEC 27701 vs. 27018: Privacy Data Protection Standards

Organizations must handle personally identifiable information (PII) data responsibly within their networks and cloud services to maintain trust with customers and business partners, while complying with an expanding array of state and international laws and regulations.

The ISO/IEC 27701 and ISO/IEC 27018 standards provide valuable guidance in helping organizations improve privacy data security and regulatory compliance—and build trust and credibility with customers and prospects—by aligning their data-protection policies, procedures, and controls with recognized global frameworks.

What Is ISO/IEC 27701?

The ISO/IEC 27701 standard specifies how organizations establish and operate a privacy information management system (PIMS). It extends ISO/IEC 27001 and ISO/IEC 27002, which address general information security, by adding requirements and guidance specific to the handling of personal data.

ISO/IEC 27701 applies to any entity that acts as a PII controller or PII processor. It builds on the security practices of ISO/IEC 27001 and focuses them on privacy management, giving organizations a structured way to handle personal data responsibly.

What Is ISO/IEC 27018?

The ISO/IEC 27018 standard, which provides guidelines for protecting personal data in cloud services, is designed for cloud service providers who process data on behalf of others. This standard helps ensure that personal information stored or processed in the cloud is secure.

By ensuring data privacy in cloud services, complying with the standard helps providers build trust and confidence with customers and prospects.

Similarities Between ISO/IEC 27701 and ISO/IEC 27018

Both standards offer strong data protection guidance designed to help companies secure personal information against unauthorized access, alteration, theft, or destruction. Organizations that are certified against 27701, or in compliance with 27018, demonstrate compliance with legal and regulatory requirements for maintaining information security and customer privacy, as well as an ongoing commitment to safeguarding the data they’ve been entrusted to process and store.

Both standards are based on ISO/IEC 27001 and use that general information security framework as a foundation.

How Are ISO/IEC 27701 and ISO/IEC 27018 Different?

The two standards differ in the scope of their application. ISO/IEC 27701, for instance, is a certifiable standard. With ISO/IEC 27018, auditors are evaluating the organization’s compliance with the standard.

ISO/IEC 27701 applies broadly to any organization handling personal data, including data controllers and processors. This can include any organization, regardless of its industry or size, that wants to approach information security management systematically. The standard’s framework can be adapted to the specific needs of each organization seeking certification.

In contrast, ISO/IEC 27018 applies specifically to organizations that process PII in public cloud environments. These can be cloud service providers that process PII on behalf of their customers or organizations that provide support services for cloud service providers.

It can also be applicable to organizations that handle personal data in cloud environments, such as companies that develop or provide security software or services to protect PII in the cloud.

The standards also have a different regulatory alignment. ISO/IEC 27701 is aligned with several global privacy regulations, offering a comprehensive framework.

By providing guidelines for protecting PII, 27701 aligns with several global privacy regulations, including the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other regional privacy laws.

Most acts share broad principles such as mandating data protection and privacy controls, restrictions on data use or sharing without consumer consent, transparency in data processing, and similar provisions.

The standards also differ in their timing. Including ISO/IEC 27018 essentially adds one additional day to an in-progress ISO/IEC 27001 audit. A 27701 certification can add from 2.5 days to 50% additional time to the organization’s 27001 audit if the organization under review is both a processor and a controller of PII.

Which Standard Is Right for You?

Both ISO/IEC 27701 and ISO/IEC 27018 are important for protecting personal information, but they serve different purposes. ISO/IEC 27701 offers a broad framework for privacy management that’s suitable for any organization. ISO/IEC 27018 provides specific guidance for cloud service providers to protect data in the cloud.

Choose ISO/IEC 27701 if:

  • You want a comprehensive approach to privacy management.
  • Your organization processes personal data in multiple contexts.
  • You aim to integrate privacy practices into your overall security management.

Choose ISO/IEC 27018 if:

  • You’re a cloud service provider focusing on data protection in the cloud.
  • You want to assure customers about the security of their data in your cloud services.
  • Building trust and transparency with clients is a priority.

Understanding your organization’s needs, along with customer and regulatory expectations, will help you choose the right standard to enhance your data protection efforts.

Contact us to learn more about ISO/IEC 27701 and 27018.

What Is a Family Office?

In broad terms, a family office is an entity established to manage the financial and administrative affairs of high-net-worth individuals and their families.

Depending on the family and its needs, this typically involves coordinating the activities of, as well as data and reports from, professionals including accounting, tax, investment, legal, and administrative professionals. These services, and how they interact within a given family office, can be highly customized and guarded by confidentiality.

A family office can be created in a variety of formats, and for varying reasons to serve the specific needs of the families setting them up. If a family’s assets are shared by more than one generation, for example, a formal family office structure can increase reporting transparency and enable a smoother transition to a younger generation.

Types of Family Office Structures

Family offices often have one or more primary focuses in how they serve their families and principals:

  • Administrative family offices focus on the family’s day-to-day administrative needs. This can include, for instance, basic financial duties, travel planning, and household tasks such as coordinating landscapers, housekeepers, and other service providers.
  • Accounting family offices center around the family’s financial reporting and related needs, such as paying bills, budgeting, and consolidating performance data from a variety of accounts and asset classes.
  • Investment and wealth management family offices focus on identifying and monitoring the family’s investments and assets.

These broad focuses are often combined to align with a family’s specific needs and preferences. Some family offices are led by a strong principal and others are overseen by a formal board or a less-formal family council.

Similarly, some offices are dedicated to serving a single family, while multi-family offices provide shared services to a small group of families.

While thresholds vary, many families with assets between $10 million and $250 million will be served most effectively with virtual family offices that use a variety of professionals. Families with assets in excess of $750 million will likely benefit from a dedicated family office with in-house professionals and specialized expertise on retainer. Families between those ranges typically have a blend of resources.

Advantages of Outsourced Accounting and Bill Pay

Some of the most common family office services include outsourced accounting and bill pay. These services are well-suited for outsourcing because they require professional expertise to perform, and because most busy family office principals would prefer not to take care of the intricate details of financial reporting themselves.

Instead, outsourcing accounting and bill pay allows family members to focus on their business, community, recreation, or other activities while feeling assured someone’s monitoring their accounts and paying their bills on time.

In addition to peace of mind, outsourced accounting and bill pay provides more effective reporting and a deeper understanding of the family’s assets and investment performance. By combining data from different accounts onto a single report or dashboard, busy family members can understand their financial data at a glance.

Outsourcing bill pay also offers stronger financial controls, such as requiring approval for major purchases or two signatures on checks for amounts above a pre-determined threshold.

More Effective Financial Software

Another benefit family offices provide is access to sophisticated financial software to help the family optimize its reporting, forecasting, and budgeting. Many families start tracking their finances with checkbook registers, account statements, and spreadsheets, but find the complexity of managing different accounts and asset classes challenging.

Dedicated financial tools such as Sage Intacct help family offices consolidate financial and performance data across multiple accounts, integrate investment management reporting with bill pay, expense management, and payroll, and reduce fraud and manual error risk.

If you would like assistance reviewing your situation and implementing a roadmap to meet your family office’s goals, contact us.

Social Security Wage Base Updates for 2025

The Social Security Administration has announced the Social Security tax wage base for 2025 will be $176,100, an increase of $7,500 (nearly 4.5%) from the $168,600 figure used in 2024.

The $176,100 amount marks the limit of wages and self-employment income subject to Social Security taxes, also known as OASDI (old age, survivors, and disability insurance) tax. This amount is taxed at a 6.2% rate, making the maximum amount an employee and employer will each pay $10,918.

The Medicare/hospital insurance tax, which has no wage limit, will remain at its current rate of 1.45% each for employees and employers.

High-earning employees will pay 2.35% Medicare tax (the regular 1.45% Medicare tax plus 0.9% additional tax) on all wages above $200,000. (This amount changes to $250,000 for joint returns and $125,000 for married taxpayers filing separate returns).

For self-employed people, who are responsible for both employer and employee taxes, the following rates will apply in 2025:

  • 12.4% Social Security tax on the first $176,100 of self-employment income, for a maximum tax of $21,836 (12.4% x $176,100), plus …
  • 2.90% Medicare tax on the first $200,000 of self-employment income ($250,000 of combined self-employment income on a joint return, $125,000 on a return of a married individual filing separately), plus …
  • 3.8% (2.90% regular Medicare tax plus 0.9% additional Medicare tax) on all self-employment income more than $200,000.

Cost of Living Increases

The Social Security Administration also announced a 2.5% cost-of-living adjustment (COLA) for more than 66 million beneficiaries beginning in January 2025. The same increase will apply to Supplemental Security Income (SSI) benefits.

Employees With More Than One Employer

If an employee has a second job, each employer must withhold Social Security taxes from the individual’s wages. This applies even if the combined withholding exceeds the maximum amount that can be imposed for the year.

An employee cannot ask an employer to stop withholding Social Security tax if they reach the wage base threshold but will receive a tax credit for any excess withholdings.

To Learn More

Do you have questions about payroll tax filing or payments? Contact us, and we will help you meet your compliance obligations.

The Critical Role of Audit Confirmations to Improve Effectiveness

Audit confirmations are information requests, typically distributed by email or through secure portals, in which accountants ask third parties to confirm information provided by the company being audited.

Audit confirmations are a powerful tool for auditors that provide independent evidence to substantiate various financial statement assertions.

To be considered credible, the confirmation process should be performed between the auditor and the third party verifying the requested information. Confirmations received directly by the auditor from the confirming parties are more reliable than evidence generated internally by the audited entity.

For example, a company being audited providing bank statements is not considered credible evidence because the statements may have been created or edited by the company. Instead, the auditor interacting directly with the bank to verify balances mitigates the risk of a statement containing inaccurate or modified information. As such, auditors perform bank confirmations to validate the information on the bank statements received from the company.

Audit confirmations can be categorized by their format:

  • Positive Confirmations – Recipients are asked to respond directly to the auditor, confirming whether they agree or disagree with the provided information. This format is considered more reliable as it requires explicit acknowledgment from the respondent.
  • Negative Confirmations – Recipients only need to respond if they disagree with the information presented. This format is less reliable because a non-response is assumed as agreement.
  • Blank Confirmations – These do not specify amounts or details. Instead, recipients are asked to provide the requested information directly to the auditor.

What Types of Information Are Included in Audit Confirmations?

While specific inquiries can vary according to the company, industry, or specific risk factors, common confirmation requests center around:

  • Accounts payable
  • Accounts receivable
  • Cash and cash equivalents
  • Debt
  • Inventory
  • Pending legal action
  • Sales terms and agreements
  • Stock issuances

The Updated Confirmations Standard

In late 2023, the SEC and the PCAOB approved AS 2301, The Auditor’s Use of Confirmation, to replace guidance for audits of public companies. The new standard, which emphasizes auditors’ responsibility to use confirmations to obtain reliable audit evidence, makes a number of changes that include:

  • Adding a requirement to confirm cash (and equivalents) held by third parties, or accessing information maintained by an external source (such as an online account balance).
  • The elimination of negative confirmations for audits of public companies subject to PCAOB standards.
  • Emphasizing the auditor’s responsibility to control the confirmation process, including selecting information to be confirmed and receiving confirmation responses directly.

While these changes do not impact private company audits, it is important to consider these changes when evaluating the sufficiency of confirmations for an audit.

Alternate Confirmation Methods

If a third party does not provide the requested confirmation or does not agree with the information presented for confirmation, auditors can use alternative methods to verify information. These may include:

  • Inspecting documents. These may include invoices, shipping records, contracts, cash receipts, or other information.
  • Reviewing subsequent cash receipts for accounts receivable, inspecting documentation of product delivery or services performed, or vouching payments to bank statements after year-end, to provide evidence for the values being asserted.
  • Performing analytical procedures. These may include analyzing financial data to identify trends.
  • Conducting physical observation, such as inventory counts or watching processes.
  • Interviewing management and employees about transactions or account balances.
  • Expanding sample sizes for testing or performing additional testing procedures.

Common Confirmation Challenges

Several potential obstacles can hinder the effective use of confirmation requests in the audit process. For instance, many large enterprises, as a matter of policy, will not respond to requests related to their suppliers or other business partners.

In other instances, a company may have outdated contact information for the third party, so a confirmation request is never received. Another common challenge is a data entry error, such as transposing two digits, that causes a mismatch between specified amounts in two locations. In these situations, auditors will turn to the alternative methods described earlier.

If you have questions about the use of confirmations during the audit process, contact us.

The 4 Control Concepts

For growing companies navigating SOC 2 or ISO/IEC 27001 compliance, strong internal controls are essential, but not always intuitive. Many tech startups prioritize growth over governance early on, viewing controls as a brake on momentum. But well-designed controls do more than mitigate risk—they streamline operations, reinforce culture, and scale with your business.

To build an internal control framework that supports both compliance and operational success, consider four core concepts: trigger points, gateways, catch-all controls, and MECE (mutually exclusive, collectively exhaustive).

Why Controls Become Essential

As companies expand, so do their risks. Teams grow, roles diversify, and more customers and transactions enter the mix. This complexity calls for structure. Without defined controls, tasks fall through the cracks, quality drops, and compliance efforts struggle to keep pace.

Auditors and consultants often recommend enterprise-level controls that don’t fit early-stage companies. A better approach is to tailor controls to your company’s size, complexity, and culture, while using the following four concepts as a foundation.

Trigger Points

A control without a clear trigger is like a tripwire that never gets tripped. Tasks are forgotten, risks go unaddressed, and key responsibilities are overlooked. One common failure: terminated employees retaining system or building access due to a missing or ineffective offboarding trigger.

Trigger points should be clear and, where possible, automated. Examples include:

  • Scheduled system monitoring
  • Recurring team meetings with defined agendas
  • Notifications tied to workflow events

When people say something “slipped through the cracks,” it’s often because there was no reliable trigger.

Gateways

A gateway control requires certain criteria to be met before an action proceeds—think of it as a quality checkpoint. This is especially important in system development, where rushed releases can result in bugs, vulnerabilities, or technical debt.

As your engineering team scales, especially with junior developers, clearly defined gateways become critical. These may include:

  • Formal approval steps for software deployments
  • Completion of predefined testing protocols
  • Required documentation or signoffs

Well-designed gateways also account for exceptions. For example, emergency hotfixes may bypass normal approvals but must still follow a defined retrospective review process.

Catch-All Controls

Even the best-designed processes can’t anticipate every scenario. That’s where catch-all controls come in—high-level reviews that spot issues your other controls might miss.

Relying on customers to report issues isn’t a strategy. Instead, organizations should implement catch-all controls such as:

  • System health dashboards
  • Reconciliations and trend reviews
  • Executive meetings to evaluate risks and performance anomalies

These controls provide the broad oversight needed to catch problems before they escalate.

MECE – Mutually Exclusive, Collectively Exhaustive

The concept of “mutually exclusive, collectively exhaustive” (MECE) helps ensure all operational events are categorized clearly and managed consistently. It avoids overlap, confusion, and gaps in accountability.

In IT service management, for instance, events are often classified as:

  • Service requests – Standard access or information requests
  • Incidents – Disruptions to IT services
  • Problems – Root causes of incidents requiring long-term fixes

Each classification has its own process. But what about edge cases? For example, a user reporting a bug that disrupts their workflow may trigger all three categories. A well-structured MECE approach ensures clarity, even in ambiguous situations, by aligning teams on definitions and responsibilities.

Putting It All Together

These four control concepts aren’t just for audit readiness—they’re tools for building resilient, scalable operations.

  • Trigger points initiate timely action
  • Gateways enforce quality and consistency
  • Catch-alls detect issues outside defined workflows
  • MECE ensures complete and coherent process coverage

The most effective controls are simple, intentional, and embedded in day-to-day operations. When teams understand their purpose and see how controls improve outcomes—not just check compliance boxes—they’re more likely to support and sustain them.

To learn how to design right-sized controls that strengthen both compliance and business performance, contact us. We’re here to help you turn control into a competitive advantage.

11-K Filings Unveiled: Understanding This Essential Report

For public companies offering employee stock purchase plans or defined contribution plans with options to invest in the plan sponsor’s stock, Form 11-K is an essential compliance document designed to ensure transparency and accountability to employees and investors.

The annual 11-K report, which provides a detailed account of the plan’s financial health and its policies, is required by the U.S. Securities and Exchange Commission (SEC) to maintain investor confidence in a company’s governance practices. Understanding what Form 11-K entails, stakeholder expectations for the form, and how to file the report can help companies stay compliant and avoid potential compliance risks.

What Is Form 11-K?

Form 11-K must be filed annually by companies that offer employee stock purchase, savings, or similar plans in which employees have the option to invest in company stock. The filing is generally due within 90 days after the end of a given plan’s fiscal year.

Public companies, as well as certain private entities with registered employee stock plans, are required to submit Form 11-K if they are subject to SEC regulations. The content of Form 11-K covers several key areas:

  • Audited financial statements for the past two fiscal years of the plan, a statement of net assets available for benefits, a statement of changes in net assets, and accompanying notes.
  • Audited supplemental information, including a schedule of assets and any other applicable schedules for the period under audit.
  • Information about plan participants, such as the number of participants and their investment activities.

Other important details include a description of the plan’s purpose, structure, and any significant changes made during the reporting period, as well as disclosures such as administrative fees or conflicts of interest that could affect the plan.

Financial statements must be prepared in accordance with SEC requirements (Regulation S-X) or ERISA requirements.

The Filing Process

Meeting the filing requirements involves understanding the process, including the deadlines, electronic filing mandates, and the SEC’s review procedures. Form 11-K must be filed within 90 days after the plan’s fiscal year end, and if the plan is subject to ERISA, it should be filed within 180 days of the plan’s fiscal year-end. Companies can request an extension if necessary.

The form must be submitted electronically via the SEC’s EDGAR system. Once filed, the SEC reviews the document for completeness and compliance, and may ask for additional information or corrections if needed.

The Role of Auditors in 11-K Filings

Auditors play a crucial role in the Form 11-K process. They are responsible for auditing the plan’s financial statements to ensure accuracy and compliance with applicable standards. Generally, a financial statement audit is required to evaluate the plan’s net assets and overall financial health, and to obtain reasonable assurance the plan is being managed according to its stated terms.

The auditor’s report, which accompanies Form 11-K, provides an opinion on whether the financial statements are presented fairly in all material respects. A clean auditor’s opinion indicates sound management practices, helping to maintain investor trust.

To stay compliant, companies should focus on several best practices:

  • Keeping records accurate and current, reconciling discrepancies promptly, and engaging with auditors early can help ensure a smooth filing process.
  • Robust internal controls are essential for preventing errors and ensuring all financial information is accurate.
  • Regular internal audits and reviews can catch discrepancies early, reducing the risk of penalties or fines from the SEC for non-compliance.

Understanding and filing Form 11-K correctly is crucial for any company with employee stock purchase plans. By meeting stakeholder and regulatory expectations, companies can maintain compliance, protect their reputation, and continue to foster trust among employees and investors.

To learn more about Form 11-K filing and the audit process, contact us.

Understanding AI Roles to Promote ISO 42001 Compliance

As artificial intelligence (AI) continues to transform industries, understanding the roles within the AI lifecycle—production, development, provision, and use—is crucial for organizations involved in AI development, deployment, and usage to manage risk effectively and obtain ISO/IEC 42001 certification.

These roles are defined in the ISO/IEC 42001 and ISO/IEC 22989 standards, which offer a clear breakdown of the key responsibilities within the AI ecosystem. By adopting ISO compliance, organizations can demonstrate their commitment to responsible AI development and usage. This can enhance trust with stakeholders, mitigate risks, and improve overall performance.

Each role is distinct, so it is important to understand their contributions and responsibilities to ensure the creation, implementation, and application of AI systems meet the organization’s goals while maintaining high standards of reliability and performance.

What Is ISO 42001?

The ISO 42001 standard provides guidance for successful development and use of an Artificial Intelligence Management System (AIMS), including creating and documenting effective policies, processes, and controls. An ISO 42001 certification audit will examine several areas, including AI-specific ethical, security, and operational considerations, system lifecycle management, performance optimization, documentation, and others.

To achieve ISO/IEC 42001 certification, an organization needs to be able to define their role within the AI ecosystem. An organization can perform more than one of the roles listed below.

AI Producer

An AI producer is an organization or entity responsible for designing, developing, testing, and deploying products or services that use one or more AI systems. This role involves the full lifecycle of AI creation, from conceptualizing the AI model to putting it into practical use in real-world applications. AI producers are critical in ensuring AI systems are not only functional, but also meet specified performance and ethical guidelines.

AI Provider

An AI provider focuses on enabling access to AI technologies for other organizations, either by offering AI platforms or delivering specific AI services or products. This role is essential for making AI technologies widely available and supporting stakeholders in building, deploying, and using AI.

Sub-roles include:

  • AI platform provider: Provides the infrastructure or services necessary for other organizations to produce AI services or products. This role is critical for organizations that need the tools and platforms to develop their own AI solutions but do not build the infrastructure themselves. For example, cloud-based AI platforms provide development environments for companies to create AI models and applications.
  • AI service/product provider: Delivers AI services or products directly to customers or users, either as standalone AI solutions or as part of a larger system. This provider ensures AI solutions are ready for deployment and use, offering technologies that are either pre-packaged or customizable for specific client needs.

AI User

An AI user is any organization or entity that uses AI products or services, either directly or as part of its operations. AI users leverage AI to automate processes, gain insights, improve decision-making, or enhance products and services. This role encompasses a wide range of activities, from companies using AI-driven software for internal operations to those deploying AI in customer-facing solutions.

AI users rely on the outputs of AI systems, without necessarily being involved in the technical development of those systems. They focus on applying AI tools and services to improve organizational efficiency, product quality, or service delivery. In doing so, they play a crucial role in realizing the benefits of AI technologies across various industries.

Defining the AI Lifecycle Roles

Understanding the specific roles within the AI lifecycle is vital for organizations involved in any part of AI development, provision, or use. The AI producer designs and deploys AI models, with the AI developer playing a key role in implementing and verifying these models. The AI provider enables access to AI services and platforms, while the AI user applies these technologies to achieve operational and business goals.

AI Lifecycle Roles

By defining these roles clearly, organizations can collaborate, allocate resources, and streamline their AI strategies more effectively and facilitate ISO 42001 compliance. Whether building an AI model, offering AI services, or using AI solutions, each role is essential to the broader AI ecosystem.

With AI continuing to evolve, the distinctions between these roles will help organizations manage their AI initiatives more effectively, ensuring that AI technologies are developed, delivered, and applied in ways that maximize their potential impact.

To learn more about ISO compliance within AI applications, contact us.

Choosing the Right Auditors for 11-K Readiness

Preparing an 11-K report is a critical step for companies with certain types of employee benefit plans, serving as a vital tool to ensure compliance with Securities and Exchange Commission (SEC) requirements. These reports, filed annually, detail the financial condition of employee benefit plans in which employees can invest their contributions in employer securities, such as 401(k) plans with a company stock investment option.

Auditors play an essential role in this process by providing expertise to ensure filings are accurate and compliant, which in turn minimizes the risk of penalties or reputational damage.

For compliance professionals contemplating a change in auditors, choosing the right partner is invaluable in helping them navigate the complexities of 11-K filings and achieving 11-K readiness.

The Key Requirements for 11-K Auditors

11-K filings come with unique challenges, and understanding the specific requirements is important. Auditors are responsible for examining the financial statements of employee benefit plans and attesting to their fairness and compliance with accounting standards. Their work must be independent, objective, and thorough.

Key Aspects of Successful Audits

Independence and Objectivity

Independence is a cornerstone of a reliable audit. Auditors must remain free from conflicts of interest and committed to unbiased assessments.

Expertise in ERISA and Employee Benefit Plan Audits

Auditors need specialized knowledge of the Employee Retirement Income Security Act (ERISA) and employee benefit plan audits to understand key aspects such as fiduciary responsibilities and the associated reporting requirements.

Familiarity With SEC Filing Requirements

Given the intricate nature of SEC regulations, auditors must be deeply familiar with the SEC’s filing requirements for 11-K reports.

Common Challenges and Mitigation

11-K audits can present several challenges, including evolving regulations, complex plan structures, and data management issues. The right auditor can help mitigate these challenges by staying up to date on regulatory changes, maintaining a deep understanding of industry practices, and employing robust data analytics tools to ensure accuracy.

When to Consider an Auditor Change

Not all auditors are the right fit for your company, especially when it comes to the unique demands of 11-K filings. Knowing when to consider a change can save time, money, and stress.

For instance, selecting an auditor who matches your company’s risk profile and growth strategy is important. An auditor with a deep understanding of your industry and business model will be better positioned to provide accurate insights and recommendations that support your long-term goals.

Conversely, an auditor who lacks industry-specific experience or fails to stay updated on evolving regulations can put your company at risk. Communication issues, such as delayed responses or a lack of transparency, are another red flag.

Criteria for Selecting the Right Auditor for 11-K Readiness

When considering a new auditor, it is essential to evaluate several factors to ensure they meet your company’s needs. The following criteria can help you evaluate potential partners:

Industry Specialization and Track Record 

Look for auditors specializing in employee benefit plans with a proven track record with 11-K filings. Their experience can offer peace of mind, knowing they have successfully navigated similar challenges before.

Comprehensive Understanding of 11-K Requirements and SEC Regulations 

Your auditor should demonstrate a strong understanding of 11-K requirements and SEC regulations, ensuring that your filings comply with all applicable standards.

Reputation for Integrity and Independence 

Choose an auditor known for their integrity and independence. This reputation is built through consistent adherence to ethical standards and a commitment to objective assessments. Look for membership in the AICPA’s Employee Benefit Plan Audit Quality Center.

Accessibility and Client Service 

Accessibility and responsiveness are key. An auditor who is available when needed and provides timely feedback can make the 11-K filing process smoother and more efficient.

Use of Technology and Innovative Tools 

The right auditor will leverage technology to enhance audit efficiency and accuracy. Look for firms that use advanced data analytics, digital audit tools, and other innovations to streamline the process.

Ask Questions During the Evaluation Process

When selecting a new auditor, ask questions that help determine their alignment with your needs. Inquire about their experience with similar clients, their approach to staying current with regulations, and how they manage client communication and expectations.

Building a Collaborative Relationship with Your Auditors and Advisors

A productive working relationship with your auditors and advisors is key to successful 11-K readiness. Regular communication and clear expectations, for instance, are essential. Involve your auditors in planning discussions and leverage their expertise for training and internal process improvement. Building a collaborative relationship fosters trust while improving the efficiency of the 11-K filing process.

By understanding your auditor’s responsibilities, evaluating your current partnerships, and selecting the right team for your needs, you can ensure a smooth path to 11-K readiness.

To learn more about effective 11-K filings, contact us.

What Does SOC 2 Cost? 

How much can you expect to pay for a SOC 2 report? What are the main drivers of the cost? 

Let’s start with a reality check: SOC 2 represents a significant investment. The report requires a CPA firm to sign off, it covers a broad operational perspective, and it’s based on guidance that’s several hundred pages long. The signatory to the report carries legal liability to a broad range of users. 

SOC 2 Type 1 and Type 2 report fees can often start in the five figures, and it’s not uncommon to see Big-4 firms charge on the higher end of this spectrum. There are a lot of different factors that make up the cost of a SOC 2 audit, which makes it hard to say exactly what an audit would cost. We dive into the different factors below, but we wanted to start with our approach to SOC 2 and how pricing comes into that.  

Sensiba’s Approach to SOC 2 Audits 

We believe that SOC 2 should be attainable for any business, and our pricing reflects this. Our approach isn’t one-size-fits-all; we tailor the offering (and price) to suit your needs and stage of business. Combining our technology with an experienced team, we offer startups a low-barrier entry into SOC 2, and on the flip side, we work with enterprises with thousands of staff across the globe. No matter what stage of business you’re in, we’ll meet you there with a viable option for SOC 2 attestations.

In short, cost shouldn’t be a barrier to working with a good compliance partner. 

Understanding the Main Drivers of SOC 2 Audit Costs 

There are a few main drivers of the cost of SOC 2 audits. Without going into all the details, the scope is the biggest cost driver. A Software as a Service provider with a single app, outsourced infrastructure, small headcount and limited supporting system components will have the lowest cost. The number of people, processes, and systems are the key indicators of the scope and work involved. 

As headcount grows, processes become more dispersed and larger in scale, and the audit work typically requires more coordination, review meetings, and so on. The number of systems increases the volume of work in many of the SOC 2 areas, but especially in the logical security area, which has the highest volume of SOC 2 criteria to audit.

The service organization can, to a large degree, determine the scope of the SOC 2 audit. It may cover, for instance, a single service offering or application rather than the full company’s services. However, within that scope, all the relevant systems, data, processes, and people must be included. If some of that is outsourced, it can be excluded using the carve-out method. 

Let’s look at the report in detail: 

SOC 2 Trust Service Principles 

There are five Trust Services Principles: Security, Availability, Confidentiality, Processing Integrity, and Privacy. Security is required for all reports, so that’s treated as the base cost. Availability and Confidentiality are the most common additional principles and tend to add about 10-20% to the base cost for each. Processing Integrity and Privacy can vary much more as many firms want to avoid reporting on these more complicated and risky areas. Those that do report on them add about 20-50% each to the base cost. 

SOC 2 Support 

In theory, a SOC 2 report is supposed to be prepared wholly by the service organization. The auditor then comes in to review that work and provide an opinion. It rarely works like that in practice, though, as the auditors’ experience is often needed to guide the process.  

The less support needed, the lower the time and costs of audit consultants. Support includes identifying and reporting issues, providing high-level recommendations for remediation, performing multiple reviews during the lead up, and reworking the report itself from the auditor’s feedback. Consultants are expensive, so this can be a significant difference and a key driver of cost in first-time SOC 2 reports. 

SOC 2 Service Auditors 

Most products and services are priced close to their competitors in the market. This is not the case with SOC 2 audit services, as illustrated by the broad cost ranges noted above. It wouldn’t be appropriate to mention fees on behalf of other providers, but there are general differences that influence the costs:

  • Big 4 accountancy firms: Their brand is their most valuable asset. Companies pay high fees to have the Big 4 firms audit their financial statements. Considering this opportunity cost, and the risk to their brand associated with third-party reporting over technology companies, these firms invariably quote the highest fees. 
  • Mid-tier and boutique accountancy firms: As they are smaller than the Big 4 firms, their opportunity cost and risk of brand damage tend to be lower or less significant. Accordingly, they offer lower fees. 
  • Cyber security CPA firms: Specialist firms focused on SOC 2 and other technology-focused assurance, rather than financial statement audits, often feature ex-Big 4-trained consultants. Their specialist focus on compliance audits generates economies of scale and a refined operating model, typically allowing for the lowest costs.

While cost is an important consideration when choosing a SOC 2 auditor, it shouldn’t be the only thing you evaluate. Other important factors include your potential audit partner’s reputation for audit quality, client service, technology enablement, and ease of working together.

Customer reviews can also provide important insights, as can recommendations from allied service providers such as GRC platforms.  

Since end customers rely on SOC 2 reports during their vendor due diligence, working with a respected, high-quality auditor is important to ensuring your SOC 2 report provides the desired marketplace assurance about your security commitment and practices.

To learn more about SOC 2 reports and choosing the best provider for your needs, contact us.