Say hello to


CPA, CFE | Principal

Matt is one of several Clark Nuber professionals who are musically inclined. But he’s not just a musician, he’s a music fanatic. When he’s not making music, he’s making spreadsheets that rank his favorite albums and songs. Spreadsheets – it must be an accountant thing.

COSO Series, Part 3 of 6: The following article is part three of a six-part series exploring the high-level basics of the COSO Integrated Internal Control Framework.1 The following article provides a high-level overview of the second component of the framework: Risk Assessment.

There are numerous types of business risk that can impair an organization’s ability to reach its objectives.  Some of these risks include financial, liquidity, exchange-rate, strategic or systematic risk.  But how does a business assess what risks they face and, more importantly, how do those risks get managed?

To answer these questions, the organization must perform a risk assessment process from which they can lay the groundwork for risk response and management.  Performing a risk assessment is an iterative, ongoing process and considers the unique variables and risks that an organization faces.

The COSO Internal Control Framework helps us to understand the underlying principles behind risk assessment.  COSO defines risk as the possibility that an event will occur and adversely affect the achievement of objectives.

The Four Principles of Risk Assessment

Risk assessment can be broken down into four distinct principles (related concepts) as follows:

  1. The organization specifies objectives with sufficient clarity in order to identify and assess risks relating to objectives. Prior to specifying objectives, management must consider their risk tolerance and determine what an acceptable level of risk is.  Within that pre-determined framework, objectives are considered for operations (e.g., operations and financial performance goals), external financial reporting (e.g., complying with accounting standards), external non-financial reporting (e.g., compliance with laws and regulations), internal reporting (e.g., management reporting) and compliance (e.g., minimum standards of conduct as established by laws and regulations).
  2. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. The identifying and analyzing phase should be comprehensive in scope.  Management considers risk at all organizational levels and how those risks might impact the organization from a severity and likelihood perspective.  There are many types of risks to consider, two of which are external and internal risks.  Some external risks might include economic (e.g., barriers to competitive entry), regulatory (e.g., new anti-trust law), natural environment (e.g., earthquakes or other natural disasters), and foreign operations (e.g., change of government in a country with operations).  Internal risks might include personnel (e.g., quality of new hires), infrastructure (e.g., use of capital resources), and technology (e.g., disruption in information systems).  After identifying the risk, management must consider whether they want to take no action (accept), stop the activity giving rise to the risk (avoid), take action to mitigate the risk (reduce), or transfer some of the risk (share).
  3. The organization considers the potential for fraud in assessing risks to the achievement of objectives. The consideration of fraud should include multiple areas, including fraudulent financial reporting, loss of assets and the possibility of corruption.  Like the concept of the “Fraud Triangle,” this consideration takes into account incentives and pressures, opportunities, and potential rationalizations that might arise that would lead someone to commit fraud.  Generally, internal controls are put into place to mitigate the risk of fraud and can vary considerably, depending on the organizational structure and individual risks.
  4. The organization identifies and assesses change that could significantly impact the system of internal control. Management must consider the possibility and effect of change to the external environment (e.g., regulatory, economic, physical), business model (e.g., new business lines, newly acquired business operations) and leadership (e.g., resulting in a new philosophy on the system of internal control).  Consideration of change and risk are very similar.  However, it should be discussed separately from the regular risk assessment process due to its importance to the effectiveness of internal control.  Consideration of change should lead to forward-looking mechanisms that can easily anticipate and plan for potential change.

These principles mentioned in this article represent a high-level and basic overview of the risk assessment process.  As you begin performing a risk assessment, it is important that you consider all the underlying principles and how they uniquely apply to your organization.  This can be complicated, but Clark Nuber can help with this process. Contact Mike Nurse at for more information.

For complete and detailed information about the Framework, Components and Principles, we encourage you to explore and learn more at

1COSO is an acronym for Committee of Sponsoring Organizations of the Treadway Commission. It was formed in 1992 as a joint initiative of five organizations, including the American Institute of CPAs and the Institute of Internal Auditors, among others. Since that time, the committee has been developing and refining frameworks and guidance around enterprise risk management, internal control and fraud deterrence, with the most recent revisions of the Internal Control – Integrated Framework model in 2013.

© Clark Nuber PS and Focus on Fraud, 2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Clark Nuber PS and Developing News with appropriate and specific direction to the original content.

Keep Reading

Articles and Publications

Internet Sellers Beware – States Looking at Cookies for Additional Tax Revenue

To expand sales tax revenues, some states are now searching for and using the presence of Internet cookies dropped across state lines to add to their coffers. These cookies are the colloquial expression for small snippets of software code stored on remote computers, phones, and other internet-connected devices. Cookies are extremely common. They’re what allows a website previously visited to “recognize” the computer’s user when the site is revisited. Cookies are everywhere. States aren’t looking to tax the transmission or storage of cookies, but instead want to base a claim of sales tax nexus on the transmission and storage of a cookie once transmitted to an in-state device. Nexus and Who Collects In the United States, sellers who sell to customers in other states are not obligated to collect sales taxes on those sales unless they have a “physical presence” in the state where the customer resides. This physical presence can take many forms, including employees, inventory, or even referral advertising arrangements. Once established, the seller has triggered sales tax nexus and the state can compel that seller to collect and remit sales taxes on sales to in-state customers. Back to the cookies: a few states recently determined the transmission and storage of cookies satisfies the physical presence necessary to trigger sales tax nexus. In late 2017, Massachusetts published regulations on the topic.  Now, sellers who distribute or store apps or cookies on computers or other devices of Massachusetts customers have established a “physical presence” in the state.  The “physical presence” of the apps or cookies triggers sales tax nexus for the sellers who distributed or stored them on the devices of Massachusetts customers.[1] Once sales tax nexus is triggered, a seller must register and report all taxable and exempt retail and wholesale sales into the state. Massachusetts provides thresholds to prevent small sellers from having to collect, for example, sellers who sell less than $500,000 annually into Massachusetts are excluded from the rules. How Does the Cookie Rule Affect Sellers? The approach taken by Massachusetts is novel, daring, and already being challenged.[2]  The results of those legal challenges notwithstanding, Ohio[3] and Rhode Island[4] passed similar legislation in 2017. The arguments for and against the physical attributes of cookies are interesting and can approach the molecular level, but for retailers, the new rules signal the ingenious and aggressive ways that states are looking to tax sales. History shows its likely other states will adopt similar rules in the near future. Companies that sell into Massachusetts, Ohio, or Rhode Island have a new wrinkle to address in determining their likelihood of establishing nexus there and likely will face the same issue in other states as well. For companies that make retail sales anywhere across the United States, the issue of nexus and the obligation to comply with sales tax rules of other states is front and center. Awareness is a key first step. Additionally, any company selling products or services across state lines should develop a sales tax plan with an initial goal of addressing the issue of nexus in a consistent manner. The result should be a rational, repeatable process to help make future decisions about where collection is required. We can help your company identify areas where risk exists in your sales tax compliance efforts and provide proven ideas on how to improve workflows and decrease that risk. For more information on this topic, please contact Shane Ratigan at [1] See Mass. Regs. Code 830 CMR §64H.1.7(1)(b)(2)(a). [2] Crutchfield v. Mass. Dept. of Revenue ( Circuit Court of Abermarle County (Virginia). [3] Ohio FY17-18 Capital Budget. See House Bill 49. [4] Rhode Island FYE 06/30/18 Budget. See House Bill 5175. © Clark Nuber PS, 2018. All Rights Reserved

Tax Reform and Employee Benefits: Should Benefits be Treated as Exempt or Taxable?

Certain transportation and, in some cases, onsite recreational facility benefits have been treated as tax exempt to employees, and tax deductible to employers prior to passing the Tax Cuts and Jobs Act of 2017. However, beginning January 1, 2018, for the benefits listed below, employers must make an important business and economic choice. They must decide whether to treat the benefit as taxable compensation to employees, or continue to treat the benefit as a non-taxable benefit but receive no tax deduction for the expense of providing the benefit.

Benefit Changes as of 2018

Which benefits are losing status as deductible to the employer and non-taxable fringe benefits to the employee?
  • Qualified transportation and commuting fringe benefits associated under Internal Revenue Code section 132(f), including:
    • Any transit pass
    • Qualified parking
    • Transportation in a commuter highway transportation vehicle between the employee’s residence and workplace paid by the employer
  • Any on-premises athletic facility as defined in section 132(j)(4)(B), if the benefit is no longer tax deductible by the employer under Internal Revenue Code section 274(e).
  • The 50-percent deduction previously allowed for meals and entertainment for recreational, social purposes under section 274(n).
Note: the change in the tax law does not automatically result in these benefits being taxable to employees. Also, the deduction is not automatically lost by the employer.  Under Internal Revenue Code section 274(e)(4), if the recreational facility is primarily for the benefit of employees who own less than 10% of the company, a deduction is allowed. If a deduction for any of the above named benefits is not allowed, the employer must make a choice either to treat the benefits as taxable compensation to employees, a deductible payroll expense, or continue to treat the benefit as non-taxable fringe benefit to the employees, but no longer deduct the expense. The net effect of the change is more than just the loss of value of the tax deduction on the benefits to the employer. The corporate tax rate was decreased from 35% to 21%, while individual tax rates shifted only slightly. Also, newly taxable benefits should be assumed to be the last dollars taxed or benefits taxed at the highest rate to which the employee is subject. In addition, because now the benefit is taxable wages, although deductible to the employer if treated as taxable wages, both the employer and employee must pay employment taxes on the benefits at 7.65%, assuming the employee is not over the FICA limit.

What Should Employers Do?

Following is an illustration of the decision employers must make regarding 2018 payroll: Facts: The value of the benefits is $100,000. The employer is a personal service corporation. The average employee is in the 25% marginal tax rate and employment taxes are 7.65% for both the employee and employer. Option 1: The employer may continue to pay for the benefit and forgo the tax deduction, treating the benefit as a tax-free fringe benefit to the employee.
  • Cost to employer: $100,000 cash for benefits and $21,000 in additional taxes paid dues to loss of deduction = $121,000
  • Benefit to U.S. Treasury: $21,000
  • Benefit to employees: $100,000
  • Cost to employees: $0
Option 2: The employer can continue to pay for the benefit, treat the benefit as taxable wages, withhold the value of the benefit from the employees’ other wages, and pay the employer payroll taxes.
  • Cost to employer: $100,000 + 7,650 - $22,606 = $85,044 ($100K benefit + payroll tax less deduction for benefit and payroll taxes = net cost to employer)
  • Benefit to employees: $100,000
  • Cost to employees: $25,000 + $7,650 = $32,650
  • Net benefit to employee: $67,350 (Benefit net of tax liability)
  • Benefit to U.S. Treasury: $25,000 - $22,606 + 7,650 + 7,650 = 2,394 (employee income tax less employer tax deduction plus total payroll taxes)
Option 3: The employer can let the employee decide if they want to continue to receive the benefit and be taxed on the value of the benefit. The taxes and benefits would be a hybrid between Option 1 and 2, depending upon which employees take the benefit, and whether the employer treats the benefit as taxable or non-taxable wages. The employee’s choice to forgo the deduction results in substantial cost to the employer. The employee receives the same benefit, but, depending upon the employee’s marginal tax rate, there is a tax cost to receiving the benefit. The employer may be better off economically splitting the difference and grossing up the employees’ wages to cover all or part of the increased tax cost to be in the same position rather than lose the tax deduction during the tax law’s first year of implementation.


Please contact Jane Searing at if you have questions about how tax reform might affect your employee benefit plan, or visit our Tax Cuts and Jobs Act page for additional resources. © Clark Nuber PS, 2018. All Rights Reserved

Washington Tax Considerations for Property Managers Paying Wages to On-Site Personnel

Payment structures for property management services run the gamut.  For example, property managers may charge a flat fee or a percentage of rental income, or a cost-plus pricing model, or any combination of these.  However, if a property manager pays wages and/or benefits to on-site employees, notwithstanding how management fees are structured, the DOR could recharacterize the payroll expense reimbursements as subject to B&O tax, and possibly sales tax.  Moreover, if sales taxable services comprise more than 10% of a non-itemized management fee or non-itemized reimbursement, the DOR could potentially impose sales tax on the entire fee or reimbursement as a “bundled transaction.”

B&O Tax and Sales Tax on Management Fees and Payroll Reimbursements

Before June 1, 2010, payroll expense reimbursements for wages and benefits paid to leasing, maintenance and similar staff were specifically exempt from B&O tax when there was a written property management agreement and the property manager acted solely as the owner’s agent with respect to compensation, benefits and employment decisions.  Since June 1, 2010, for-profit property managers have not been entitled to the exemption and generally must pay B&O tax on management fees.   Payroll reimbursements are similarly taxable, unless  strict rules for exclusion are met. Receipt of reimbursements will generally trigger B&O tax unless the customer bears exclusive liability for payment of the expenses and the person receiving reimbursement and incurring the expense is acting solely as the customer’s agent. This rule is particularly difficult for the real estate industry since property lessors and managers often receive substantial expense reimbursements from tenants and property owners. Management fees and payroll reimbursements are generally taxed at 1.5% under the “service and other” B&O tax classification.  However, if employees of a property manager perform services that are subject to sales tax, reimbursements for those employees’ work could instead be subject to sales tax and retailing B&O tax. Washington imposes sales tax on labor charges for maintenance, repair, construction and landscaping services.  Thus, if employees of a property manager perform these services, the DOR could require the manager to collect and remit sales tax from the property owner on the resulting management fees or payroll reimbursements.  If it is determined on audit that sales tax was not collected, the property manager could be held liable for it. Avoiding explicit payroll reimbursements may help reduce the risk, but unfortunately does not solve the problem altogether.  For example, in one decision the DOR determined that property management fees based on a percentage of rental collections were effectively used by the property manager to pay on-site employees and, consequently, the property manager was subject to B&O tax measured by the wages and benefits paid to the employees.  In another decision, the DOR assessed sales tax and retailing B&O tax on a property manager when an employee on its payroll was borrowed by a related entity to perform construction services.

Common Paymaster B&O Tax Deduction

In many circumstances, using one entity to provide payroll services for numerous real estate projects can avoid the administrative nightmare that would ensue if each project had to have its own reporting accounts with the IRS, the Washington Employment Security Department and Department of Labor & Industries.  Beginning October 1, 2013, the Washington legislature provided B&O tax relief in the form of a deduction for employee payroll reimbursements received from affiliated businesses by qualified employers of record, also known as “common paymasters.” To qualify for the deduction, reimbursements must be for:
  1. Customary amounts received for paying the employer obligations of a client;
  2. Services performed by employees that the taxpayer does not or cannot render;
  3. Services performed for which the taxpayer has no liability; and
  4. Employer obligations the taxpayer is not liable for, except as agent of the client.
This deduction is strictly construed, and if any one of the above requirements is not met, reimbursements are taxable.  Also, the deduction is not available to taxpayers that share employees among entities; each employee must perform services exclusively for a single employer. Qualifying for the paymaster deduction requires detailed planning, and the DOR has issued specific guidance explaining each of the above requirements.  For example, each employee should agree in writing that the paymaster has no liability to the employee for employer obligations.  Also, the language of any agreements between the paymaster and employer should provide that the paymaster has no obligation to provide labor or services to the employer.  Beyond the contract, such terms must be adhered to in practice as well. Although the requirements are stringent, qualifying for the paymaster deduction could provide significant state tax relief to property managers whose employees perform services for affiliated property owners.  The paymaster deduction is not available on services provided to unrelated property owners. If you are interested in more information about qualifying for the paymaster deduction or have other questions about the information in this article, please contact Clark Nuber or your state and local tax advisor at Jennifar Hill is a manager in Clark Nuber's state and local tax practice team. © Clark Nuber PS, 2018. All Rights Reserved

Featured Resources