Say hello to


CPA, MST | Shareholder

Whether it’s water skiing, golfing, scuba diving, spending time with family, or attending sporting events, when he’s not hard at work in the office, Jeff can be found outdoors.

The threat of a cyberattack is ever present on executives’ minds, and cybersecurity is the  hot topic in governance circles. The issue facing executives is that many different standards and frameworks regarding cybersecurity have evolved, and each framework tends to be more widely adopted in certain parts of the globe.

Variations in Frameworks

In the U.S., the trust services principles established by the AICPA have emerged. This is the backbone of what is commonly known as a Service Organization Controls (SOC) 2 report. The International Organization for Standardization,(ISO), is a globally recognized standard setter that has established benchmarks for quality for many different concerns and industries for over 70 years. The European Union has seen the emergence and wide adoption of general data protection requirements (GDPRs). There are other industry standards, such as the Payment Card Industry  Data Security Standards(PCI), in play as well.

Not all of these frameworks overlap with one another. There are common themes, but there are also unique characteristics to each framework or standard. As you begin to develop and enhance your own security posture, be mindful of the options available to you.

Considerations for Choosing your Framework

If you have, or expect to have, any formal reporting requirements around security or data protection, take your audience into consideration when selecting a reporting framework. If your customers, or regulators, are largely based in the U.S., the SOC 2 report would be a good option. If your customers are based internationally, then a standard established by the ISO or the GDPR may be a better fit.

For example, Microsoft recently updated their Supplier Security and Privacy Assurance program (SSPA) data protection requirements to align with and consider the elements of the GDPR and other frameworks. Domestic companies with a global reach are also beginning to focus on the GDPR as a gold standard.

The concern over cyberthreats is here to stay. Selecting the framework to measure your security and IT infrastructure should be done carefully, with your audience in mind. Regardless of the framework you choose, begin the process by identifying gaps between your systems and controls and the established criteria in your chosen framework. Then, you can get to work remediating those gaps and building for the future.

© Clark Nuber PS and Focus on Fraud, 2017. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Clark Nuber PS and Focus on Fraud with appropriate and specific direction to the original content.

Keep Reading

Articles and Publications

Washington B&O Tax Alert: Annual B&O Tax Apportionment Reconciliation Due October 31

The form must be submitted to the Department of Revenue by October 31st of each year. Failing to file the reconciliation may result in penalties. The Department of Revenue allows businesses to use the prior year’s apportionment factor for reporting current year liabilities. This simplifies the business’ reporting method, but requires the business perform a true up at the end of the year. The true up helps determine the current year’s factor, based on actual data.

What is the Reconciliation’s Purpose?

The purposes of the annual reconciliation are to correct incomplete year-to-date data and update apportionable receipts that have been reported to the Department using the previous year’s factor. If a business owes additional B&O tax as a result of the reconciliation, late payment penalties are automatically waived – provided the form is filed by the October 31st deadline. We recommend that businesses that conduct apportionable activities file the form, regardless as to whether they have any differences to report. This is because the Department will impose up to a 29% penalty in cases where the reconciliation was not filed, should they discover that additional taxes are due in a future examination – say in the case of an audit. In addition to the late payment/late filing penalty, the Department may also impose an additional 5% substantial underpayment penalty if the taxpayer has paid less than 80% of the tax determined to be due, as calculated by the Department. The Annual Reconciliation of Apportionable Income form is available here.


As of June 1, 2010, businesses that earn revenue from “apportionable activities” are required to calculate B&O tax using a single sales factor apportionment method. “Apportionable activities” include most services and intangible licensing. They also include services provided by other specified businesses, such as travel agents, tour operators, and real estate or insurance brokers. When performing the calculations, the apportionable revenue attributable to Washington State acts as the factor’s numerator. The denominator of the apportionment factor is the apportionable revenue attributable to those states, including Washington, wherein the business files business tax returns, or is deemed to have created nexus under Washington’s “economic” nexus standards. To determine how many of the business’ receipts are subject to B&O tax, the business’ total gross income from apportionable activities is multiplied by the apportionment factor. For B&O tax purposes, taxpayers are statutorily permitted to determine the apportion revenue using a receipts factor that is based on the most recent completed calendar year’s data. For example, a business could use the 2015 apportionment factor to calculate B&O tax on the company’s monthly or quarterly 2016 B&O tax returns, or use year-to-date data on each return. Regardless of the method the business chooses, taxpayers are required to complete an “Annual Reconciliation of Apportionable Income” once actual data for the year has been compiled. But again, this must happen no later than October 31st of the following year.


Please contact Bob Heller, Nicole Lyons, or another member of the CN state and local tax practice at with any questions, or if you’d like assistance fulfilling this requirement. Nicole Lyons is a manager in Clark Nuber's state and local tax group. © 2017 Clark Nuber PS All Rights Reserved

Not-for-Profit UBI: Oregon Tax Bills on Unrelated Business Income May Increase in 2018

Oregon recently followed the direction of many other states in attempting to collect more tax revenue from out-of-state businesses. The shift will come into effect through changes in how sales of services and intangibles are sourced to the state. The changes to Oregon’s apportionment rules are effective on January 1, 2018. ​Not-for-profits with employees in Oregon may see a significant decrease in their tax bill if they provide taxable services to customers located outside of Oregon. Meanwhile, Washington-based service providers with Oregon customers should expect the opposite.

What is Apportionment?

Oregon’s excise tax changes concern how certain taxpayers, including not-for-profit organizations with UBI, must determine their taxable income in Oregon. Generally, UBI must be divided between the states in which an organization does business, and tax is calculated on the portion of UBI attributable to each state. The method of determining the UBI attributable to each state is known as apportionment. For example, here is a simplified illustration of UBI apportionment: A not-for-profit organization has $1,000 of UBI, $600 of which is sourced to Washington and $400 of which is sourced to Oregon.   Oregon may only impose its excise tax on $400. The apportionment method imposed by the states determines how much of the organization’s income is sourced to each. States have broad discretion to formulate an apportionment method, as long as they do not impose different rules on in-state and out-of-state businesses. Each state with an income tax may have a different formula for apportioning UBI. Oregon’s apportionment formula governs how the organization’s income is sourced in the above example.

Current Law

Historically, most states used a three-factor apportionment formula that considered a business’ payroll, property, and sales in the state, compared to outside of the state. Under a three-factor formula, not-for-profits would generally have a higher UBI tax bill in states where they had offices and employees. However, more than 20 states have switched to a one-factor formula that only considers a business’ gross receipts within and outside of the state. Oregon made this switch in 2005, but in doing so, its sourcing rules continued to source in-state sales of services based on where services are performed. Under Oregon’s current rules, sales of services are deemed to be made in Oregon if the services are performed in Oregon. Customer location is irrelevant. If services are performed both in Oregon and in another state, the sale is considered to be made in Oregon if a greater portion of the related costs (i.e., payroll) are incurred in Oregon. As a result of Oregon’s current sourcing rules, not-for-profit ​organizations do not pay Oregon excise tax on UBI if they hire employees who perform services exclusively outside of the state – even if their customers are ​in Oregon.

What’s Changing?

Under Oregon’s new sourcing rules, beginning in 2018, sales of services will be deemed to be made in Oregon if the services are “delivered” in Oregon. Typically, services are delivered in a state if a customer is in the state. Therefore, the focus of sourcing sales of services changes from employee location to customer location. The new rules could dramatically increase or decrease the Oregon UBI tax paid. Not-for-profits located outside of Oregon that perform services for Oregon customers will likely pay more tax to the state. Not-for-profits in Oregon with customers in many states will likely pay less tax.

Is Your Nonprofit Organization Affected by the New Apportionment Rules?

Since Oregon generally follows the federal rules for income tax exemptions, with few exception, organizations exempt from federal income tax are also exempt from Oregon excise taxes. However, if your organization has UBI, it may also have an Oregon filing requirement. If it does, 2017 is a great time to plan for the changes ahead. Other states are likely to follow the trend of switching to a one-factor sales formula and sourcing sales based on customer location. Washington made this switch for purposes of the B&O tax in 2010 and California followed for its income tax in 2013. Whether or not your organization files an Oregon excise tax return, if it has UBI from sales of services to customers in many states, it is important to periodically review state apportionment methods. This will allow you to make sure the organization is taking full advantage of opportunities to minimize state tax liabilities.


If you have questions regarding Oregon’s, or another state’s, UBI tax, contact Clark Nuber at for more information. © 2017 Clark Nuber PS All Rights Reserved

OMB Releases Updates to the Frequently Asked Questions for Uniform Guidance

The FAQs have been issued and updated several times since the Uniform Guidance’s issuance, with the last update being September, 2015. The updated FAQs provide additional guidance in the areas of indirect costs, subrecipient monitoring, payments to non-federal entities, and the Schedule of Expenditures of Federal Awards. They are intended to provide additional context and background for the guidance as Federal and non-Federal entities seek to understand the policy changes.

Indirect Costs

Most of the FAQ updates relate to the subject of indirect costs. This includes discussion regarding administrative costs, the de minimis rate, and indirect cost rates negotiated by a pass-through entity. In some areas, the updated FAQs provide a reminder of changes made to indirect cost recovery in the Uniform Guidance, including the methods from which pass-through entities must select when being asked to reimburse indirect costs. These methods include:
  • Federally negotiated indirect cost rate
  • De minimis rate
  • Negotiated rate with a pass-through entity
The updated COFAR FAQs provide guidance in the following key indirect cost areas:
  • Federal program statutes can sometimes have a cap on administrative costs. The FAQs provide a discussion comparing the terms “indirect costs” to “administrative costs.” Generally, administrative costs include both direct administrative costs, as well as indirect costs. The FAQs further clarify that facilities costs, in an approved Facilities and Administrative (F&A) rate, would not normally be included in an administrative cost cap. If there is an administrative cap, the federal program statutes should be further referenced for the specific requirements and definitions [FAQ 200.56-1, 56-2].
  • Clarification was provided that, even though rental costs are excludable costs for purposes of defining modified total direct costs, the Uniform Guidance considers rental costs to be an allowable cost as long as the requirements of §200.465 Rental Costs of Real Property and Equipment are met [FAQ 200.68-3].
  • The FAQs state that pass-through entities that had previously negotiated indirect cost rates with subrecipients, or paid actual indirect costs, should continue to do so. This clarification will be helpful to a non-Federal entity whose pass-through entities are looking to lower their indirect cost recovery from previously negotiated indirect cost methodologies to the lower, de minimis rate. Furthermore, the FAQ provides clarification that, unless there is agreement between state agencies, the non-federal entity cannot utilize a negotiated indirect cost rate with one state agency for negotiating indirect cost recovery with another State agency [FAQ 200.331-9].
  • The updated FAQ’s provided even more clarification on use of the de minimis rate in the following areas:
    • Non-federal entities do not need to provide documentation to prove their indirect cost rate when using the de minimis rate. However, non-Federal entities are reminded in the OMB Compliance Supplement that they cannot keep or earn a profit on Federal financial assistance [FAQ 200.414-12].
    • The de minimis rate is not the “de facto” rate between pass-through entities and subrecipients.
  • The FAQs now include a listing of the various federal agency indirect cost guides, including the US Department of Labor, US Department of Health and Human Services, and the National Science Foundation as example methods for documenting negotiated indirect cost rates [FAQ 200.414-15].
Capitalization Level for Software The FAQs clarify that software that is (1) purchased, (2) comes with hardware, and (3) costs over $5,000, should be capitalized as equipment. If the software is internally developed, the non-federal entity should capitalize in accordance with generally accepted accounting principles [FAQ 200.33-1].

Effective Dates and Grace Period for Procurement

In May 2017, the OMB added one year to the Uniform Guidance procurement standards’ optional three-year extension grace period. The FAQ is updated to discuss the three-year grace period. For example, this means that a non-federal entity that has a year end of June 30, can defer the procurement standards through fiscal year June 30, 2018 [FAQ 200.110-6]. As was the case before, the election of the procurement grace period must be documented in the non-federal entity’s procurement policy. This means that entities would need to update their procurement policy to reflect the additional grace period year, if elected.

Payments to Non-Federal Entities – Advance or Reimbursement

The Uniform Guidance [200.305(b)(1)] presented some ambiguity as to whether it was requiring all Federal awards on a cost reimbursement basis to be changed to the advanced payment basis. The FAQs clarify that this is not the case. Though the Uniform Guidance states that advance payment method is considered the default option, the FAQ clarifies that the conditions for advanced payment were to be applied if the non-federal entity requested the advance payment basis be used.

Subrecipient Monitoring

FAQs were also added to help pass-through entities understand their subrecipient monitoring requirements, including timing of the subrecipient risk assessment and suggested ways the pass-through entity could efficiently verify the subrecipient’s Single Audit. The FAQ clarifies that the subrecipient risk assessment does not need to be performed prior to when the subaward agreement is issued. The FAQs also affirm that a written confirmation from the subrecipient would suffice as proof when a Single Audit is performed and if audit findings are disclosed [FAQ 200.331-10-11].

Schedule of Expenditures of Federal Awards (SEFA), Summary Schedule of Prior Audit Findings and Corrective Action Plan

The OMB’s FAQs clarify that non-federal entities can organize the SEFA by department. The requirement to list awards by federal agency was intended to provide a useful presentation to readers. However, non-federal agencies can organize the SEFA in alternative ways. The OMB also provides additional guidance, which states that non-federal entities are not required to provide subtotals by federal agency. Further, cluster name reporting is required, even if only one program in the cluster has expenditures [FAQ 200.510-1 to 3]. Another FAQ was added, which confirms that the auditee is required to prepare the summary schedule of prior audit findings and corrective action plans for current year findings. The findings must be reported separately from the audit finding. In addition, the corrective action plan must be prepared on client letterhead [FAQ 200.511-1]. The FAQs continue to be “required reading” when it comes to understanding and interpreting the Uniform Guidance. Though the COFAR disbanded since issuance of the FAQs, Chief Financial Officers Council will carry on its work in coordinating financial assistance and transforming the delivery of grant assistance. Staying on top of newly issued FAQs, and updates to the Uniform Guidance itself, will be critical in ensuring continued compliance. See below for a listing of helpful resources related to the Uniform Guidance:


Questions about information in this article? Please contact Troy Rector or Kelly Rancourt at © 2017 Clark Nuber PS All Rights Reserved

Featured Resources