Say hello to


CPA | Shareholder

Meet our own Dora the Explorer, and like the intrepid Nickelodeon heroine our Dora has a love of journeying to new places and learning new things.

One of the perennial challenges faced by taxing authorities is identifying and contacting individuals and businesses who are unaware (or purposefully ignorant) of the tax filing obligations they may have. In an effort to encourage unregistered taxpayers with outstanding excise tax liabilities for prior periods to come forward and voluntarily register with the Washington Department of Revenue (DOR), the DOR offers a Voluntary Disclosure Agreement (VDA) Program that includes the following benefits:

  • a limited “look back” period on previous liabilities of four years plus the current year (the period open under the traditional statute of limitations for taxpayers registered with the DOR); and
  • waiver of late filing, substantial understatement, and assessment penalties that could otherwise be as high as 39 percent of the tax due (but interest is not eligible to be waived).

Historically, the VDA Program has been available only to individuals and businesses who have not previously been registered with the DOR and have never been contacted by the DOR regarding their potential Washington excise tax (such as B&O tax or sales/use tax) obligations. However, the DOR announced on June 1, 2020 that it is temporarily relaxing these restrictions with respect to certain taxpayers that did not qualify previously. The following categories of businesses will be eligible for the benefits of the VDA program between July 15, 2020 and November 30, 2020:

  • Businesses that were previously registered with the DOR but closed their tax registration or were placed on Active Non-Reporting status prior to January 1, 2020. Under the normal rules, businesses that were previously registered with the Department for any period of time were not eligible for the VDA Program, even if their registration was voluntarily closed many years ago.
  • Businesses who were contacted by the DOR for tax enforcement purposes prior to July 1, 2019. Under the normal rule, taxpayers that were contacted at any point by the DOR for tax enforcement purposes were not eligible for the VDA Program, but now those businesses may qualify as long as the most recent contact did not occur within the last year.
  • Businesses who have not been named as an affiliate of another business through an enforcement contact. Under the normal rule, when a taxpayer receives a Washington business activities questionnaire from the DOR, all affiliates of that taxpayer become ineligible for the VDA Program. Under the expanded provisions, only the entities addressed specifically by name by the Department or the taxpayer as a part of an enforcement contact are ineligible.

The following businesses will remain ineligible (even if they would otherwise qualify for a VDA under the expanded criteria):

  • businesses that have been contacted at any time by the DOR regarding Wayfair, Marketplace Fairness, or Remote Seller Relief; and
  • businesses that have collected Washington retail sales tax from customers, but have not remitted that tax to the DOR. Note that such businesses may still be eligible for the expanded VDA Program with respect to their B&O tax liabilities.

More details on the expanded program are available on the DOR’s website. Based on information from the DOR, it will revert to the historical (and more restrictive) VDA requirements for all applications received after November 30, 2020.

All requests for voluntary disclosure must be submitted through the DOR’s online application. You will receive a confirmation that your application has been received. In order to protect anonymity during the initial contacts with the DOR, many taxpayers choose to have a tax advisor or attorney submit the VDA application on their behalf and represent them through the VDA process. Members of Clark Nuber’s SALT practice have extensive experience working with the DOR on VDA agreements and ensuring our clients receive all the potential benefits available to them under this valuable program. We would be happy to talk to you about whether the expanded VDA Program makes sense for your business.

Contact a Clark Nuber SALT professional.

© Clark Nuber PS and Developing News, 2020. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Clark Nuber PS and Developing News with appropriate and specific direction to the original content.

Keep Reading

Articles and Publications

SOC Reports: What Are They, and Why Should You Request One From Your Software Provider?

Is your software provider following best practices in keeping their data, and by extension your data, safe? A System and Organization Controls (SOC) report can help you determine how closely a third-party organization is adhering to federal guidelines on cybersecurity. This article will highlight why SOC reports exist and why you should request them from your software vendors.

Third-Party Software Systems Come with Risk

While powerful technology tools have become more streamlined and available, keeping your data safe is still an uphill battle. Today, the capability to breach a system far outpaces the industry’s ability to develop secure code. This is because learning how to write secure code is most-often accomplished through on-the-job coaching and online self-learning. The issue is further compounded by the legacy code found in many software programs; this is code that was once accepted as high quality and secure but no longer is. In the meantime, hackers have gotten smarter and faster, leveraging this low-quality and insecure code to breach systems and access your data.

How Do Software Providers Keep Your Data Secure?

To better address these security risks, software companies, academia, and even the federal government have partnered to develop good management tools and practices to release high-quality code. For example, processes were built to ensure that smaller chunks of code are written at faster rates. These snippets are then reviewed and scanned for quality and security gaps. Third-party tools were also developed that alert users when a potential breach has occurred, removing the need to painfully review endless logs of complicated data. Today, these leading practices are organized as security frameworks that third-party software providers can adopt. The question is, are they adopting these leading practices and how do you know if they are? The better question is, if they aren’t, should you trust them with your data? Should you maintain a relationship with them?

What is a SOC Report?

The AICPA recognized this problem a few decades ago and built an auditable framework to communicate these practices to end-user organizations (e.g., you). This framework became what’s called the System and Organization Controls (SOC) report, issued by the software provider and assessed by a third-party auditor, such as Clark Nuber PS. The SOC report includes information such as:
  • The independent auditor’s opinion on whether your software provider has the right controls and processes (design and operating effectiveness of controls).
  • An inventory of all the third party’s internal controls and processes and the results of their testing, including any deficiencies in these controls.
  • An inventory of responsibilities that your organization is responsible for–not the software provider.
The last bullet point above warrants a discussion. Many organizations believe that the software provider is responsible for everything. This couldn’t be further from the truth. For example, a payroll processing provider ensures that payroll gets processed timely and accurately. The user organization is responsible to ensure that appropriate compensation data is recorded and that only relevant Human Resources personnel have access. A SOC report lays out this division of labor.

The Different Types of Reports: SOC 1 vs. SOC 2

[table id=19 /]

What is a “Type 1” and a “Type 2”?

Both SOC 1 and SOC 2 reports can come in two varieties, a “Type 1” or a “Type 2”:
  • Type 1: This is a “point-in-time” report. It does not guarantee that your software providers had good controls, processes, and practices over a “period of time.”
  • Type 2: This is a “period of time” report. This is the stricter report, and the independent auditor will test various samples through a certain period, typically nine months.

Do All Software Providers Have a SOC Report?

There are many ways to monitor a software provider and hold them accountable for their obligations. For example, it’s common practice for user organizations to send a questionnaire with inquiries ranging from financial health to implemented security controls. Another option is to audit the software provider, but considering the time and cost, that is rarely the most sensible approach. The better option is to directly request a SOC report. However, not all software providers have a SOC report. This might be because they’re still relatively young and are in the process of implementing good controls. They could also have failed their audit and are in the process of remediation. Whatever the reason is, a software provider that can produce a passing SOC report demonstrates that they’ve established a level of leading practices. If your third-party software provider is a strategic partner, and they don’t have a SOC report, you have every right as a user/customer to require they comply with the standards–this is a common request.

How to Request and Review SOC Reports

Though many organizations are not aware they can request to see a SOC report from their software provider, it is considered a best practice. End-user organizations have every right to see and understand how a third-party manages their data. SOC reports are usually lengthy documents and can appear daunting for the untrained eye. The report should be reviewed by someone with sufficient knowledge of accounting and IT processes for the entire organization, such as the controller or the IT Director (often times, both), depending on the size and complexity of the organization. The following is a rubric on how to read a SOC report and evaluate software providers:

1. Read the Auditor’s Opinion

  • Is this a clean, “unqualified” opinion? (Is this a passing SOC report?)
  • If not, have you (the user) assessed risk? (See Section 4 in the report for details.)
Many SOC reports have a “qualified” opinion, which means that certain controls are deficient, as tested by the auditor. These controls are identified in detail at Section 4.

2. Read Section 4 (The Results of Auditor’s Testing)

  • Were there any control deficiencies?
  • If yes, have you (the user) assessed risk?
This section contains an inventory of all the controls in place by the software provider and a summary of the auditor’s testing and results. It’s also common to have an optional Section 5, which is a summary of all control deficiencies. Either way, these deficiencies may have an impact on the user organization. For example, consider the following deficiency for a vendor that makes financial software: [table id=20 /] In this example, the auditor identified that the entire IT department had access to code. This increased the risk that the code could have been inappropriately modified, resulting in the likelihood that cash transactions may not have been processed completely. To compensate for this risk, an end-user organization may opt to rely on its month-end bank statement reconciliations to ensure that all cash transactions have been properly recorded. This assessment process may reveal that while a deficiency was identified, it has a limited impact on the end-user organization.

3. Read Section “User Responsibilities” (Your Responsibilities)

  • Does your organization have controls implemented that are recommended by the software provider?
  • If not, why not? Should you?
As previously discussed, SOC reports also communicate what you’re responsible for (instead of the software provider). These are called user responsibilities and are often too tactical to be listed in contractual agreements and can therefore “fall through the cracks.” Common user responsibilities include:
  • Reviewing and approving transactions to ensure accuracy
  • Reviewing that users have the correct access permissions within the system to ensure segregation of duties
  • Performing a review or reconciliation of key reports
A review of these user responsibilities may reveal the need to improve internal processes because certain risks are not reduced.

Always Trust but Verify

In today’s world, the relationship with software providers has transformed from a mere business-to-consumer relationship to a more strategic one. Well-crafted technologies enable organizations to better meet their mission and vision. As such, third-party software providers should be a part of the team and understand the role their product plays within the organization. However, success measures must be defined and progress must be monitored. If a software provider has a breach due to ineffective internal controls, they are responsible for the data compromised, depending on contractual agreements, such as compensation, etc., However, your organization is ultimately accountable to address the risk of any compromise; these risks could be your reputation, chance of litigation, or financial costs. As such, you have every right, and even an obligation, to monitor whether your software provider is keeping your data safe and secure. You can best accomplish this by requesting a SOC report from them. If you have any questions regarding SOC reports, or wish to obtain one for your technology company, contact the Clark Nuber IT team. © Clark Nuber PS, 2020. All Rights Reserved

Roadmap to Paycheck Protection Program Loan Forgiveness – Part I: The Covered Period

This is the first post in a series of articles on Paycheck Protection Program loan forgiveness. Parts II and III will be published in the coming weeks.  As borrowers near the end of their covered period for Paycheck Protection Program (PPP) loans, many questions are surfacing on the forgiveness process. These uncertainties have arisen from the evolving rules issued since the COVID-19 crisis began. In early June, the Paycheck Protection Flexibility Act (PPPFA) was passed, which modified many PPP loan provisions. The SBA and Treasury have also issued various forms of interim guidance over the past months, including two versions of the loan forgiveness application. These ongoing changes have made it challenging for borrowers to know whether they are eligible for maximum forgiveness. This three-part series will help to clear up some of the confusion.

Overview of Loan Forgiveness Process

The PPP loan application program initially closed on June 30. However, an extension bill was signed on July 4, granting a new deadline of August 8. Through the PPP, Congress made over $659 billion of loan funding available to qualifying borrowers. At the end of June, over $130 billion remained undistributed. Achieving maximum loan forgiveness requires the following:
  1. Utilize at least 60% of the proceeds for payroll costs during the covered period (previously the threshold was 75%, but the PPPFA reduced it to 60%);
  2. Entire loan proceeds are spent on eligible expenses – payroll costs, interest on loans, rental payments, and utility costs;
  3. Restore the number of full-time equivalent employees by the end of the covered period; and
  4. Restore wages to employees by the end of the covered period.
Failure to meet any of these required elements may reduce the forgivable amount. Interim rules provide safe harbor provisions for the full-time employee and wage requirements above.

Determining Your Covered Period – 8 weeks vs. 24 weeks

PPP loan forgiveness is driven by the expenses paid or incurred during your “covered period.” When the CARES Act was passed in March, loans were subject to an eight-week covered period. In June, the PPPFA extended this covered period to 24 weeks. Borrowers who received their loan disbursements on June 5 or later are required to use a 24-week covered period. Borrowers with loans prior to the PPPFA date can continue to use the original eight-week covered period or opt to use the extended 24-week period. The covered period begins on the date the lender distributes the loan funds to the borrower.  Sometimes, the covered period starts before the borrower has access to the funds. Some borrowers could not obtain a PPP loan from their primary bank as not all banks are qualified SBA lenders.  Additionally, many borrowers struggled in the early weeks to get a PPP loan from their primary bank due to application backlogs. Secondary banks have been utilized in these instances, with the loan proceeds transferring back to the borrower’s primary bank. This fund transfer sometimes takes a few days. Even though the borrower may not have actual receipt of the funds, the covered period begins as soon as the secondary bank initiates the transfer of loan proceeds. For the PPP loan recipients with a choice in covered periods, determining the one to use is dependent on many factors. If a borrower determines it will receive maximum forgiveness under the eight-week covered period, the recommendation generally is to choose that. This allows the forgiveness process to start earlier. If the forgiveness amount is limited for a borrower due to one of the four requirements above, a borrower may want to choose a 24-week period instead. This gives additional time for the borrower to turn around its business, spend the proceeds as permitted, and reinstate employees and wages as necessary.

Applying for Forgiveness Before the Covered Period Ends

Questions have come up on whether you may apply for forgiveness prior to when the covered period ends. Yes, you can. However, there is a trade-off. If a borrower has reduced its payroll costs by over 25% during the covered period, its eligible forgiveness amount is reduced as well. Regardless of when the borrower applies for forgiveness, it must reduce the forgivable amount by the excess wage reduction for the full covered period. The reduction is not prorated if the borrower applies for forgiveness early. If there is no possibility that the borrower will increase its wages in the remaining weeks of its covered period, then early forgiveness won’t matter – its wage reduction is the same either way. However, if there is a possibility for wages to increase in the remaining weeks of the covered period, the borrower may benefit from waiting to apply. Now, there may be reasons to apply for forgiveness early. If you don’t have a greater than 25% reduction in wages, the trade-off mentioned above won’t matter. And if a borrower has used the entire PPP loan proceeds, they may want to apply early so the liability can be removed from their financial statements for GAAP reporting purposes. It also simplifies tax reporting if the loan is issued and forgiven within the same tax year. However, the early bird doesn’t always get the worm. Even if you are ready to apply for forgiveness prior to your covered period ending, your lender may not be ready for you. Many banks are still working out their loan forgiveness process and building their systems to accept the applications.

Key Dates for Loan Forgiveness

Unfortunately, the forgiveness decision is not an immediate one. Both the lender and the SBA are given time to review the application to determine whether a borrower may qualify for forgiveness. Below are the key deadlines when navigating the forgiveness process with your lender. Work with your lender to determine if any other deadlines exist. While the PPP loans are backed by the SBA, the loans themselves are between borrowers and individual banks. Therefore, additional deadlines may exist with the lender when navigating the forgiveness process. Also, your original lender may not be the ultimate lender you seek forgiveness with. Lenders can sell their PPP loans to other investors. If the loan forgiveness process becomes too burdensome in the upcoming weeks, we may see more lenders selling their loan portfolios to other parties. This may create other complications as borrowers navigate the forgiveness process.

10 Months After Covered Period Ends – Forgiveness Application Deadline

Originally, there was no deadline for a borrower to apply for loan forgiveness. The PPPFA, however, put a deadline of 10 months after the last day of the covered period. If a borrower does not apply for forgiveness by this date, it must begin making payments of principal, interest, and fees by this date instead. For example, if a borrower’s PPP loan is distributed on June 25, 2020, its 24-week covered period will end on December 10, 2020. The borrower must then submit its loan forgiveness application by October 10, 2021, otherwise loan payments are due.

60 Days from Receipt of Completed Forgiveness Application – Lender Approval

Once the loan forgiveness application is complete and submitted to the lender, the lender has 60 days to review the application and provide the SBA with a decision. The lender may approve the forgiveness application, either in part or in whole. Alternatively, the lender may deny the forgiveness application due to failure to meet the loan and/or forgiveness requirements. If the lender denies a borrower’s forgiveness application, either in whole or in part, the lender will notify the borrower in writing of its decision. The borrower has 30 days to appeal the decision to the SBA. This will prompt the SBA to review the lender’s decision and determine whether it agrees with the lender.

90 Days from Lender Decision – SBA Approval

If the lender determines the borrower is eligible for forgiveness, either in whole or in part, that decision is submitted to the SBA. The SBA has 90 days from that date to review the documents and pay the lender. During this time, the SBA may review the loan or loan application in efforts to prevent fraud or misuse of PPP loan funds, ensure the borrower is an intended recipient of the funds, and that the loan follows all necessary compliance requirements. The SBA announced it intends to review all loans over $2 million. It also has the authority to review any other loan, regardless of amount, when deemed appropriate. It is unclear at this time what this review process will look like and whether it will extend the 90-day decision window for the SBA. One potential area the SBA may look at is whether a borrower properly certified that “current economic uncertainty makes this loan request necessary to support the ongoing operations.” This has been a contentious issue for some borrowers and heavily scrutinized in the media. However, borrowers with less than $2 million of PPP loans are granted a safe harbor and automatically deemed to have made the certification in good faith.

What If My Loan Isn’t Fully Forgiven?

As borrowers work through their initial loan forgiveness calculations, we are seeing situations where full forgiveness is not possible. The extended shutdown of businesses has prevented some borrowers from resuming full operations, while others are rethinking their entire business model. If your PPP loan isn’t fully forgivable, the unforgiven amount simply becomes a traditional loan with monthly principal and interest payments. The terms of the loan are far better than what most banks currently offer – interest of 1% and a loan term of up to five years. PPP loans distributed prior to the PPPFA have a loan term of two years, however, this term may be extended up to five years if the borrower and lender agree. All loan payments are deferred for 10 months after the end of the covered period; however, interest will still accrue during this time. The PPP loans also have no prepayment penalties, giving borrowers additional flexibility on repayment options. If you have questions as you navigate the loan forgiveness process, please reach out to your advisor at Clark Nuber for up to date information on the latest rules surrounding the program. © Clark Nuber PS, 2020. All Rights Reserved

Opportunities in Times of Crisis

It’s no secret the COVID-19 pandemic has had a substantial negative impact on businesses. Companies deemed non-essential have closed their doors, employees have been furloughed or laid off, supply chains have been disrupted, and consumer demand is down. In these trying times, a quote by John F. Kennedy can help remind us of the opportunities that also exist: “The Chinese use two brush strokes to write the word ‘crisis’. One brush stroke stands for danger; the other for opportunity. In a crisis, be aware of the danger, but recognize the opportunity.” Many business owners are responding to the danger this crisis has created by managing expenses, identifying sources of cash, postponing investments, dipping into reserves, and communicating regularly with family and shareholders. Times are tough, but the current circumstances have also provided opportunities for leaders to reset for the long-term health and sustainability of the business. The following are key areas to review at this time of opportunity:

Strategic Plan

The COVID-19 crisis has brought about rapid change in business operations and consumer preferences. Employees are largely working from home, consumers are picking up dinner curbside, students are learning online, doctors are prescribing treatment through videoconferences, and fitness classes are being held remotely. Will these trends continue? If so, is your business positioned to succeed in this new environment? Can the company meet the change in consumer preferences? During times of change, a clear business strategy is needed to set priorities and guide decision making. The business’ strengths, weaknesses, threats, and opportunities identified in the last strategic planning process may now be significantly different. Going through this planning process provides an opportunity to assess what is happening inside and outside the company and identify where change needs to be made. The strategic plan should detail the company’s present situation, outline a program for the future, and provide a process to get there.


We can learn a lot about ourselves, family members, and management during times of crisis. Take this opportunity to document the reactions you observe from those involved in the business. What are their concerns? Are there consistent values shared amongst family members? What risk tolerance do owners have? Business leaders should continually prepare for a crisis. Without a plan and governance structure already in place, owners may have found themselves particularly vulnerable during this crisis. It’s possible they’ve made reactive decisions that will not benefit the business over the long-term or have unintentionally caused family conflict. To mitigate these issues, consider establishing a board of directors that can assist management in reviewing strategy, risk management, and emerging issues. The board can act as a resource when discussing “what could go wrong” scenarios and help develop business responses to those potential events. What business risks have you identified during this crisis? And what should be established now to alleviate those risks going forward? A documented decision-making process that includes management and family members is another valuable governance tool. The tool provides transparency in the decision process, creates consistency, reduces the time to make decisions, and provides clarity on roles. One of the benefits of a documented process is that it can help avoid snap decisions, since it requires gathering sufficient information and supports logical thinking and thoughtful consideration. Another benefit is that the documented process will clarify who the decision makers are and what needs to be communicated to specific stakeholders. Read my article Peace, Love, and Family Harmony: Safeguarding the Long-Term Interest of Your Family Business for more thoughts on this subject.

Financial Resiliency

In order to support the legacy of the family business for generations to come, management must take steps to position their companies for financial resiliency during times of crisis, while also being a steward to the long-term financial health of the company. The current crisis required a quick response by business leaders to assess cash flow and liquidity concerns. Operating expenses had to be reduced as revenues declined. Budgets and cash flow forecasts had to be revised. Some business owners had to look for alternative means to raise cash to fund operations. In an economic crunch, companies must make these types of moves to ensure that enough cash is on hand to meet current obligations. Reductions to shareholder distributions may also be necessary; making for some difficult conversations with family members who rely on them. It may be time to consider documenting a distribution policy that specifies how cash flow available for distributions is calculated and situations when distributions may not be justified. The policy should balance the needs of both the business and the family shareholders. Hopefully, management has learned a lot about the financial needs of the business during this crisis and how quickly the business can respond. This knowledge can be applied when determining an adequate cash reserve and how maintaining one may affect the terms of the distribution policy.

In Conclusion

As family businesses move toward recovery, the lessons learned provide opportunities for families and their businesses to recommit to their values, reset their business strategies, develop governance policies, and establish strong balance sheets. What have you learned during your observations of this current crisis that, if addressed now, can set your business up for success in the future? What opportunities have you recognized? If you have further questions about this article or your family business, please contact me. © Clark Nuber PS, 2020. All Rights Reserved

Featured Resources