Say hello to

Andrew

CPA | Shareholder

He considered both art and architecture as majors in college, but for reasons unknown to him still, Andrew ended up in accounting.

Taxpayers taking advantage of any one of the available State of Washington tax incentives – including tax deferrals, reduced B&O tax rates, exemptions, and credits – may be required to file an Annual Report or Annual Survey.

Some incentives require that both the report and the survey be filed, while other programs do not have a reporting requirement.

For tax incentives taken in 2018, the due date for the Annual Report and Annual Survey is May 31, 2019.

There are over 50 different tax incentive programs in Washington. A partial list of common incentives includes:

  • High Technology B&O Tax Credit for R&D Spending
  • High Technology Sales & Use Tax Deferral/Waiver
  • Biotechnology & Medical Device Manufacturing Sales & Use Tax Deferral/Waiver
  • B&O Tax Exemption for Manufacturing Fresh Fruit and Vegetables, Dairy, and Seafood Products
  • Aerospace Industry Incentives
  • Incentives for Manufacturers and Retail Sellers/Distributors of Biofuels
  • Renewable Energy/Green Industry Incentives
  • Deduction for Government Funded Payments for Mental Health Services Provided by Non-Profit Organizations

Failure to file the annual report/survey by the due date will result in immediate repayment of 35 percent of the tax incentive claimed and an additional 15 percent of the tax incentive if the taxpayer has filed previous years’ reports/surveys late.

The Department of Revenue requires that the report/survey be filed electronically using the Department’s electronic filing system, accessible from its website. An extension is available, but it must be granted prior to the May 31 filing deadline.

Please contact Nicole Lyons, State and Local Tax manager, at info@clarknuber.com if you have questions about whether these requirements apply to your business or organization, or if you’d like to find out if you are missing out on any available incentives.

Nicole Lyons is a manager in Clark Nuber’s State and Local Tax team.

© Clark Nuber PS, 2019. All Rights Reserved

Keep Reading

Articles and Publications

Washington Legislature Enacts B&O Tax Rate Increase and Real Estate Excise Tax Changes

he 2019 Washington legislative session has ended, but it was a busy year in terms of tax related bills. The enacted legislation includes business and occupation (“B&O”) tax increases on certain service businesses and financial institutions, changes to the international investment management B&O tax classification, and a move to a graduated real estate excise tax. (more…)

Bad Actors and Charities Are a Bad Mix: What the Form 990 Can Tell Us About the College Admissions Scandal

Watching the story develop, it was interesting how quickly attention turned to how the IRS should have done more to stop the misdeeds of the scofflaws and how the Form 990 should have uncovered these transgressions. It is important to understand the purpose of the Form 990 and everyone’s role in producing the Form 990.

What is the Role of the Form 990?

The Form 990 has three goals:
  • Transparency – A reasonably informed reader should be able to get a clear picture of the financial and operational workings of the organization.
  • Accountability – The Form 990 disclosures around governance and transactions with insiders and related organizations are designed to hold those charged with governance accountable.
  • Compliance – If the organization knows it must file the Form 990 each year, in alignment with the first two goals, the theory is its governance practices and the organization as a whole will be more compliant with federal and state tax exempt and nonprofit laws.

What is the Role of the IRS?

The U.S. income tax system relies on the “voluntary compliance” of taxpayers. That means each taxpayer is expected to prepare and file tax returns that are honest and accurate, without burdensome government involvement. This holds true for all tax returns filed with the IRS, including the Form 990.  Thus, the goals described above cannot be accomplished without voluntary cooperation of the public and individual taxpayers. The role of the IRS is education and enforcement with the ultimate goal of collecting revenues from taxpayers voluntarily complying with tax laws passed by Congress. The tax exempt sector is an ever expanding portion of the overall part of the U.S. Treasury’s workload. In 2019, the IRS reported the 2017 data on exempt organizations. There are nearly 1.8 million tax exempt organizations in total. This includes all types of organizations, including the National Football League, which is not charitable but is tax-exempt nonetheless. The one-year increase in the number of organizations identified as charities exempt under 501(c)(3) alone in 2017 grew from 1,237,094 to 1,286,181. Providing oversight is a big task which depends upon voluntary compliance.

What Does This Say About KWF and its Managers?

Perhaps the most important lesson for those following this story may be gleaned from comparing what has been reported in the news with the information KWF’s management reported on the Form 990. There are several instances where the information reported by KWF on its Form 990 appears to possibly deviate from the news reports. The FBI and IRS have alleged the founder of KWF committed a fraud which, if true, would support a conclusion that KWF provided inaccurate information on its Form 990. In particular, this case provides a good example of three areas of disclosure in the Form 990 that should not be overlooked by tax-exempt organizations and tax preparers.

Transparency in Leadership

Independence of leadership is an important question to address when interviewing any potential new nonprofit client. Any pushback or equivocation on this topic is a sign the nonprofit may not be a suitable client. In 2014, Schedule L, Parts II, III, and IV expanded the requirements for disclosing loans, assistance, and certain business transactions with a founder/creator. There is no definition of founder/creator in the Form 990 instructions. However, if a prospective client finds the question challenging to answer, this may be a sign they are not excited about the three goals of the Form 990. (See above.) If the charity has a business transaction with a founder or creator, there is likely a need for transparency. Rick Singer, who was at the center of the controversy, owns a for-profit company, The Edge College & Career Network, LLC., also known as The Key. KWF reported no business transactions between itself and The Key on its Form 990. KWF also disclosed no financial transactions with any board member except a $200 loan to Mr. Singer. Finally, KWF disclosed no board member as independent on the 2013 through 2015 Forms 990 with no explanation on Schedule O, while the 2016 return reported all board members as independent. It is unknown whether the information reported on the Form 990 was accurate or not.  However, such disclosures are critical for meeting the goal of transparency and for IRS enforcement.

Transparency with Substantial Donors

This is another Schedule L sunlight disclosure. Any transaction between KWF and a contributor listed on the organization’s current Schedule B, List of Donors who contributed more than $5,000 (or in some cases more than 2% of total support), which is involved in a loan, assistance, or business transaction reportable on Schedule L, will generate a Schedule L reporting requirement. The news accounts indicate there may have been some financial transactions with parents who should have been reported on Schedule L as “substantial contributors.” Because Schedule B Donor Information is only provided to the IRS and not open to public disclosure by public charities, it is impossible to determine if the relationships and transactions are fully disclosed on the Form 990. However, for any organization filing a Form 990, this is an area for self-reflection and an often-missed disclosure.

Transparency in Revenue and Fundraising

This last issue has been ongoing in the exempt sector for years and at one time generated compliance check letters from the IRS. Does the organization have significant contributed revenue reported on Part VIII, line 1 but little or no expenses on either Part VIII, line 8 (special events) or Part IX, column D (fundraising expenses)? If so, it is possible there is a logical explanation. The organization may have board members or others who conduct all fundraising activities on a volunteer basis. The organization may be a research organization and the fundraising activities are a recoverable cost under general and administrative grant recovery costs included in Column (C) or (B), direct program costs. Alternatively, the organization may be part of a group of related organizations and one organization provides fundraising services for the organizations in the group. If there is a legitimate reason for having no fundraising expenses while garnering virtually all revenue from contributions, the organization may check the box at the top of Part IX, Statement of Functional Expenses, and explain Schedule O. Again, this is not a required disclosure, but it would help meet the goal of transparency. In each of the four years of KWF returns from 2013 – 2016, this is a visible issue. The organization shows $451K, $900K, $1.977M, and $3.736M in contributions between 2013 and 2016, with no fundraising expense reported. There is no supplemental explanation on the return so there is no way for a casual reader to know if there is a logical explanation.

The Role of the Practitioners in Oversight

To be clear, the IRS did not uncover the circumstances that have been reported in the news. Rather, the FBI uncovered the alleged fraud after conducting a thorough investigation. The tax preparer likely provided KWF management with an organizer and prepared a straight-forward return based upon those responses. The three issues above are a good starting point and should be addressed in the “reasonable efforts” questions the organization asks of those charged with management to ensure full disclosure on the Form 990. According to news reports, Mr. Singer transferred part of his scheme to the nonprofit and what was once a pay-to-play through his company became a faux charitable contribution scheme to a nonprofit –and tax fraud. The allegations state the charity was issuing donor acknowledgment letters to parents stating no goods or services were provided in exchange for the contributions paid for the services Mr. Singer was providing. In addition, KWF was reporting no fundraising costs, zero in special events expenses, and offering no explanation of this apparent disconnect between the millions raised and the lack of expenses to garner this amount of revenue. This may simply be because Mr. Singer was providing these services as a volunteer to KWF. However, the FBI and the IRS appear to cast a different light on these transactions. The news reports and the Form 990 do not factually line up. But given Mr. Singer’s apparent unwillingness to be truthful and transparent in other areas, it is unsurprising the Form 990 is not completely in alignment with the later disclosed allegations.

What is the Future of the Form 990?

The function of the Form 990 is unchanged. It is still the most comprehensive and publicly available document tax exempt organizations produce each year. It is uniform and comparable between all organizations across the sector. It should be of little surprise a case such as KWF would occur, where some people formed a nonprofit and used it for non-exempt purposes, or that it existed for four years.  If news reports are correct, the facts were not transparently reported on the Form 990, which was the responsibility of KWF’s management in a system of voluntary compliance. Transparency, accountability, and compliance are still the hallmarks of a well-prepared Form 990. For donors and charities benchmarking performance with their peers, an accurate and well-prepared return compliant with the law and instructions is an invaluable source of data. We should continue to strive for a compliant, self-regulated, transparent, and accountable sector. We must not let a few bad actors tarnish the faith and trust in the entire sector. © Clark Nuber PS, 2019. All Rights Reserved

What is Cybersecurity?

Cybersecurity is a business process, not just a technology one. It is a business process of keeping your assets secure from threats. It is a cost vs. benefit decision on how to optimize – not maximize – security. Large organizations can often afford to throw money at their IT infrastructure just to be secure and comply with laws and regulations. But many smaller organizations don’t have this capital. Therefore, it’s important to stay true to what cybersecurity is: a management process to identify your assets, figure out how to protect them, and, in case of a breach, how to detect, respond, and timely recover. It’s impossible to protect an organization from every threat out there. As an analogy, applying all the preventative care, vitamins, supplements, and exercise does not ensure that you will be disease-free. But this discipline will sure make you healthier. So, the question is, in the context of cybersecurity, how do you know that you’re healthy? How do you know that you’re doing a reasonably good job at protecting your data? And if you get breached, how do you know that your organization has documented rules, processes, roles, and responsibilities in how to respond?

Identifying Important Assets

The first step towards this journey is to identify the most important assets to an organization. These assets should be identified (through a security risk assessment) and be prioritized, classified, and inventoried based on their value to the organization. Most assets will come in the form of some type of data, device, application, system, the network, or communication channels (i.e., data integrations). But the most important asset of them all is the people. On one hand, a breach could expose very sensitive information about people within your organization. On the other, there’s new code being developed every day designed to actually injure people. As an example, a piece of code called Triton was discovered at a chemical plant in Saudi Arabia in 2017. The code could have caused explosions or released poisonous gases.

Protecting Assets

Next, once the most critical assets are identified, organizations need to figure out how to protect them. The first way is through physical security. Nobody should be able to walk into your organization, make copies of social security numbers, and casually walk out the door (this happens more often than imagined). Next comes the technical processes, and this is where I lose a lot of my audience. But to summarize, good technical processes will always involve some or all of the following:
  • Anti-malware/virus: These tools will constantly scan for known vulnerabilities or bad code that could get an organization breached.
  • Firewalls: A system to prevent unauthorized access from the outside. For example, access to an organization’s intranet site may be blocked from the outside.
  • Intrusion Detection Systems: A system to analyze communication to find dangerous content.
  • Intrusion Prevention Systems: Once dangerous content is found, this system will automatically reject and prevent the content from gaining access to an organization.
  • Data Loss Prevention: This is a strategy and collection of systems to prevent information from being sent outside of an organization. After all, no matter how sophisticated and impactful the breach is, if the attacker can’t leave with the information they stole, then their ability to cause true damage may be limited.
  • Encryption at-rest: Sensitive data that resides in a database, file, or even a USB should be encrypted. For example, employee social security numbers should be encrypted so that even HR/Payroll personnel can’t see it.
  • Encryption in-transit: Sensitive data that is being transmitted should also be encrypted. As an example, when logging into your bank account, sensitive data (i.e., password) is being transmitted over the internet. This should be encrypted.
  • Identity and access controls: This is a discipline of preventing inappropriate access; for example, to ensure that only authorized users gain access to mission-critical systems, access may only be granted through a combination of user ID, password, and authorization token.
The definitions above are simplified versions, and there are many other technical processes and controls, such as virtualization and containerization. The focus of this article isn’t to go through these technical controls. However, the point is to raise awareness that the most important activity to secure assets is through documented processes. For example, a firewall and intrusion detection systems could produce very useful information but if they are not monitored, what’s the use? And even if they are monitored, what is the escalation path? Are roles and responsibilities documented to filter through these logs? And if these logs reveal a weakness in an environment, who’s responsible to fix it? These processes are often the weakest link in any organization’s cybersecurity posture.

Developing Processes

The examples above also apply to the next steps in any good cybersecurity process, which are processes to detect, recover, and respond. When organizations get breached, the problem is, they don’t even know it. This not only applies to small organizations, but to the big enterprise breaches that we see on the news. Most systems and tools, such as firewalls and intrusion detection systems, will produce some form of logs. They should be monitored by the internal IT department or an outsourced managed service provider. There are many systems and tools out in the marketplace that are designed to raise the right level of alerts based on intelligence. Some intelligence feeds are even free. The key takeaway is to understand that detecting a breach is critical, because, without it, the breach will never get fixed. And fixing something may be as easy as deleting a file or even restoring a fresh copy.

Next Steps for Securing Your Organization

There are many use cases in securing an organization. The most common ways are through compliance regulations, but the right thing to do is execute a healthy, disciplined cybersecurity management program. When implementing a new IT system for example, it’s always cheaper and more effective to embed “security by design” earlier on in the process, rather than to secure it after the system is built. And when it comes to security requirements, there are many leading frameworks and standards that not only address compliance requirements but can also help implement good security controls and processes. For smaller organizations that are interested in doing the right thing to secure themselves (outside of any compliance requirement), I recommend, at least, an annual penetration test and a quarterly vulnerability scan. A penetration test will reveal your security weaknesses and show the path an attacker took to gain access to your asset. A vulnerability scan tells you what/where those weaknesses are. Awareness as to what these weaknesses are and how your asset can be exploited may be the very first step in your journey to creating a disciplined cybersecurity program: which is to identify your most critical assets. For assistance with developing and enhancing your cybersecurity measures, contact Clark Nuber. © Clark Nuber PS, 2019. All Rights Reserved

Featured Resources