
With the pandemic-driven move to a primarily work-from-home model in 2020, the lines between work and life have never been more blurred. Yet, finding the right balance between the two is still a crucial component to a long and successful career. The shape that balance takes will depend entirely on the unique goals of each individual.

Principal Kelly Rancourt and Shareholder Andrew Prather have learned to create their own sense of balance as they worked full-time throughout their accounting careers. We sat down with them recently to discuss how they’ve done so and pointers for those still figuring it out.

A healthy work-life balance takes a lot of different forms. What does a good balance look like to you personally?

Kelly Rancourt (KR): “For me, a healthy work-life balance means I can be present in my home life, but I’m still meeting all my work commitments. Of course, that takes a different shape depending on what time of year it is – and my focus on work or home ebbs and flows given the circumstances. But if I can meet both my home commitments and my work commitments, that’s where I see there’s balance.”

Andrew Prather (AP): “Same as Kelly; as long as I can pour the gas on when work needs it, and then turn around and focus on my personal life when I need it – then I feel like I’m in balance.

For example, I was very busy last week and had work hours spill into the weekend. But today, I’m heading out early to visit my kids and see one of them perform in the school play. So, I’m leaving my laptop at work, and I get to be present with my family.

Those two weekends are a good snapshot of balance to me.”

When you’re planning time off, what kinds of steps do you take beforehand to make sure that the necessary work is still getting done while you’re away?

AP: “Lots of planning and communication. When I have vacation time coming up, I’ll alert my team members at least a week ahead of time so we can plan around it.”

KR: “I talk with my team at least a week before too so we can get things in order. We’ll go over expectations of what will be completed while I’m gone, and what they’ll need from me before I leave and when I get back. I also include a notice in my email signature for upcoming out-of-office time, so my clients are also aware.”

Was there a time in your career when your work-life balance was way off? What effects did that have on you and when did you realize it was an issue?

KR: “I’ve noticed my work-life balance isn’t great when I’m stepping into a new role. So, whether that’s a new position in the firm – like becoming a senior, a manager, a principal – or a new role in my personal life – like becoming a mother – I tend to get hyper-focused on succeeding in that new space. But then other areas can get neglected and I realize I’m burning out quicker.”

What kinds of steps do you take to find balance again when you notice you’re burning out?

KR: “I know I’m starting to burn out when I struggle with motivation to meet my commitments at home or at work.

So, the first thing I do is make a list of items that need to get done, and those items that can wait a week or two. And that list gives me the ability to take a break. Usually, that means taking a day off with the family or putting a limit on the number of hours I’m working in a week.

It helps reset myself and my priorities. That way I am focused on the must-dos and not everything that eventually needs to get done.”

And what about you, Andrew? Was there a time you realized your balance was off?

AP: “When I first started in my career, I was in, what I would call, an ‘old fashioned’ CPA firm. And the culture was stereotypical of that time. There was a mantra of ‘personal life doesn’t matter,’ and ‘the more hours you work, the more valuable you are.’

Over time I figured out that approach to work isn’t sustainable in the long run. A career is a long marathon, not a short-term sprint. You have to set a pace that works for you.

Looking back, I was trying to conform to a work culture I didn’t like. Now, it’s a different time. But I had to figure out how I defined success on my own terms.”

Based off your experience with your first firm, do you think accounting culture and work-life balance have changed with the times?

AP: “I think, as a whole, it’s getting better. I don’t know about the Big 4 firms. But we’re talking with regional firms and there’s a mindset of ‘let’s think about this as a marathon,’ rather than ‘how much can we grind out of people before the next quarter.’

And part of that is a business reaction too. We have fewer people coming into accounting from college, so you can’t (and shouldn’t!) treat them like an infinite, expendable resource.”

KR: “I agree, I think the next generation really won’t allow for that kind of unhealthy focus on work. Our people are what make us successful, so we need to meet them where they’re at.”

Has the switch to primarily work-from-home made it easier or harder to find balance? And what are some of the negatives/positives of work-from-home when it comes to finding balance?

KR: “Working from home has allowed me to work in longer chunks of time and cut down on the amount of time I spend working at night. When I used to have an hour commute to the office each day, I would jump back on after the kids went to bed and sometimes be working until late at night. But now that I don’t have that commute, I’m done earlier, because I was able to get that full, uninterrupted day in working from home.”

AP: “The ability for everyone to replace in-person meetings with virtual meetings, that’s added so much extra time in the day. There’s commute time, but I would also have several out-of-office meetings a day that would require me to drive, park, walk to the office, and so on. There’s a significant amount of time that’s freed up now.”

What kinds of boundaries do you set on your day or week to separate “work time” and “life time?”

KR: “Personally, I will never work on a Saturday. Even if it’s a busy time of the year, that’s one boundary I absolutely do not break. And it’s my time with my kids, so I’m not going to give that up.”

AP: “It’s important to create time where you’re not thinking about your job. So, no matter how busy your schedule is, you need to have at least one day in a week where you’re completely tuning out from work.

Taking a long vacation is good too. But I think it’s more important to have that regular weekly break from work, so it doesn’t become a grind.”

If someone is struggling with work-life balance, how do you recommend they bring it up to their managers?

KR: “My advice is to not be afraid to ask for help prioritizing your items and understanding when the deadlines are. You may feel you need to work overtime to get something done, but really you have a longer timeframe to work on it. So, communicate often and openly with managers on what the priorities are.

I feel like new opportunities are when people get overworked too. You want to succeed in your career by taking on everything that comes your way. But it’s also okay to say ‘no’ and be protective of your time and how you’re spending it.”

AP: “Part of my response here is in the context of Clark Nuber’s culture. We’re dedicated to the success of our people and our clients. So, we want our staff to be successful. And we understand that looks different to everyone.

Of course, there are always deadlines you’re expected to meet, but each person has their own personal career goals. Some want to hit new milestones as fast as they can. Others are okay with slower career growth because they have other things going on. Any good manager wants their team members to be successful. So, talking with your manager about what that looks like to you is an important part of building balance.”

Since you’ve brought up Clark Nuber’s culture and its impact on work-life balance, what are some ways the firm has facilitated a healthy balance between the two?

KR: “I think we’re very good about showing work-life balance. I think the tone at the top from the shareholders is very focused on it. There’s a large variety of work-life balance types here.”

AP: “One of my favorite compliments I received, and it was a simple thing, but it was about walking-your-talk when it comes to this. It was a Thursday afternoon, and I was out as a manager reviewing work. And I told the team, ‘Alright, I’ve got to wrap this up. I’ve got a family event to get to. I’ll pick this up and finish it tomorrow and get back to you timely.’

The senior told me later, ‘It was so great to see someone be transparent about leaving for a family thing.’

That always stuck with me. That someone appreciated that I was honest about it. I think a lot of leaders are trying to balance work and life, but maybe we’re not vocalizing it much. I try to be more verbal, so people can see I’m doing it and it’s normal.”

Any advice for those starting in their career who may feel pressure to put more weight on the ‘work’ side of things?

AP: “That’s a very real feeling. But my advice for them, and we’ve touched on this throughout, is they should be clear with themselves what their career goals are and how quickly they want to progress in the profession. And they should avoid ‘the comparison game.’

One of the books that’s impacted me in this area is Simon Sinek’s The Infinite Game. He focuses on the concept of, ‘You’re not running your career to try to win. You’re trying to stay in the game.’

So yes, I want to be successful. But being successful isn’t about winning. And when I’m trying to win the next thing, that’s when I feel I can start to get off track. I’m trying to take a long-term marathon approach to my career and, with that in mind, maybe I shouldn’t spend every day working endless hours, because that’s not going to help me be successful in the long run.”

KR: “I’ve tried to adopt that ‘long-term’ philosophy in my own career, too. I’ve made distinct choices that have led to slower progression. But that’s been fine with me, because I made choices about how I wanted my career to progress and how I wanted to feel when I got to the next level. I’m happy with the decisions I’ve made.

My success now is less defined on how I’m doing and more on how my team members are doing, and how my clients are doing, and if we’re meeting their expectations. That’s how I define success. I would encourage others to find their ‘why’ and their own definition of ‘success.’”

© Clark Nuber PS and Leadership Perspectives, 2022. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Clark Nuber PS and Leadership Perspectives with appropriate and specific direction to the original content.


Crowdfunding and Taxes: What Donors and Recipients Need to Know

Crowdfunding has become a popular way to raise funds for particular causes, but donors and recipients should be aware of the tax requirements involved. In crowdfunding, typically, a third party raises funds for a charity or cause through their internet platform and then turns the contributions over to the charity or beneficiary, less a fee. It is commonly used to raise funds to help individuals struck by tragedy or a broader charitable cause. For example, GoFundMe features a campaign to donate to Ukraine relief efforts and another to help victims of the Sacramento mass shooting. So, what does all this mean for crowdfunding donors and recipients?

Models of Crowdfunding

There are a variety of internet crowdfunding platforms available, each offering different fundraising services and models. Some platforms take a percentage fee, and some a monthly fee. Some also provide additional donor management and other services. The two models most common for nonprofit organizations are the donor-based model and the rewards-based model.

Donor-based Model

With the donor-based model, the donor receives nothing in exchange for their donation. The donation is in the nature of a gift, and provided the recipient is a 501(c)(3) charity, a charitable donation deduction should be allowable for the entire amount (unless other limitations apply). We assume, throughout this article, that the funded project is a charitable project and not an unrelated trade or business. Organizations should never use crowdfunding for a business unrelated to their exempt purpose.

Rewards-based Model

In the rewards-based model, the donor receives something in exchange for their donation - sometimes something small like a t-shirt and sometimes something of greater value, like entry into a raffle with a valuable prize. In the rewards-based model, the facts would need to be examined to determine if what the donor receives is de minimis or something of value (typically called a quid pro quo), making part or all of the transaction an exchange rather than a donation. This is important because the donor usually is expecting a full charitable deduction. To determine if the value the donor receives is de minimis, we look to the general charitable donation rules regarding quid pro quo transactions. There are two tests to determine if the value the donor receives can be disregarded:
  1. The value the donor receives is 2% or less of the payment, and the value is not more than $117 in 2022 (this is indexed for inflation), or
  2. The payment is at least $58.50, and the donor received a low-cost article with the donee’s logo that costs less than $11.70 in 2022 (indexed for inflation).
If the value is not disregarded, the charitable deduction is the amount donated that is above the fair market value of the benefit the donor received.

501(c)(3) vs. Individual Contributions

Another important factor in the donors’ deductions is whether the funds are earmarked for a 501(c)(3) exempt charity or specific individuals, as in the case of a campaign to fund a person’s medical expenses, for example. If it is earmarked for individuals, then the donor will not be eligible for a charitable contribution deduction. If the recipient is a qualified Section 501(c)(3) charity, then the donor should be eligible for a charitable contribution deduction.

Fiscal Sponsors

If the charity does not have a determination from the IRS of exemption under Section 501(c)(3), then it could use a fiscal sponsor. Fiscal sponsors are organizations exempt under Section 501(c)(3) that collect funds for nonexempt organizations, with the intent that the donations will be allowable as charitable contribution deductions. Fiscal sponsors must take control of the donated funds and maintain discretion over their use. Earmarking the funds for the nonexempt organization will result in no deduction for the donor. However, one can restrict the use of the donated funds for a specific charitable purpose. Fiscal sponsorship is very complex and beyond the scope of this article. Such arrangements must be carefully set up with help from professional legal and tax advisors.

Donor Acknowledgement Receipts

Donor acknowledgment receipts are also required if the donation is $250 or more, or over $75 if goods or services were provided to the donor in return for the contribution. In some cases, the third-party crowdfunding platform will provide the receipts. The charitable organization should make sure this is done properly regardless of who issues the receipts. If there is a fiscal sponsor, then the fiscal sponsor will typically issue receipts.

Crowdfunding Fees

Another issue is whether the fee charged by the crowdfunding platform is part of the contribution. Even though the charity receives less than the total contribution, it should record the total contribution as revenue and the fee as a fundraising expense. For example, if the donor donated $100 and the crowdfunder keeps $5 and distributes $95 to the charity, then the charity will record a donation of $100 and a fundraising expense of $5. This also provides more transparency to anyone looking at the organization’s financial statements regarding fundraising costs.

State Laws

Organizations must be aware that crowdfunding is far reaching and will likely bring in donors from many states. Most states have charitable solicitation registration requirements, and each state’s requirement is a bit different. Organizations should investigate the requirements of each state and determine what registrations may be required. Fundraising via a crowdfunding platform may be considered “soliciting” in various states which would require registration. Who needs to file is also a question. The solicitor in a state may be the crowdfunding platform and not the recipient charitable organization. If a fiscal sponsor is used, then the fiscal sponsor may need to register. In addition, the crowdfunding platform may need to register as a professional fundraiser in various states. Professional firms that specialize in state charitable solicitations filings can help with determining the requirements for the situation. Even if the initial crowdfunding activity is not considered to be soliciting in some states, it could lead to future soliciting which would require registration. For example, if the crowdfunding platform provides the charity with a donor list and the charity solicits those donors in the future, then it may need to register in the donors’ states before it does so.

Reporting to the IRS

Last, third-party fundraisers may have to report distributions of funds raised to the IRS on a Form 1099-K and provide a copy to the recipient of the funds. Form 1099-K is not required if the contributors to the crowdfunding campaign do not receive goods or services for their contributions. Therefore, this would only apply in the rewards-based model. The threshold for reporting is payments greater than $600.

Conclusion

Crowdfunding may be a great opportunity to reach previously untapped donors, as well as provide a quick and convenient way for donors to make contributions. However, organizations contemplating a crowdfunding campaign should consult a trusted tax professional for information and advice before engaging in the campaign and regarding reporting the funds received from it. If you have questions about your crowdfunding campaign and its tax implications, please send us an email. © Clark Nuber PS, 2022. All Rights Reserved.

NFT Taxation – An Introduction to the Federal Income Tax Implications of Creating or Investing in NFTs

Despite the growing popularity of non-fungible tokens (NFTs), the Internal Revenue Service (IRS) has not yet published specific federal income tax guidance prescribing how NFT transactions should be taxed. Nevertheless, NFT transactions, like cryptocurrency transactions, are generally considered to be subject to federal (and often state) income taxation. This article is limited to federal income taxation. The next article in this series will address the state and local tax implications of NFT transactions. Investors should expect that the sale of an NFT should be treated as the sale of a capital asset, and some NFTs could meet the definition of “collectibles.” When collectibles are sold or exchanged, the gain is subject to a higher 28% capital gain rate. (See below for more information regarding the definition of collectibles.) This article is intended as an introduction to NFT taxation and offers the reader our perspective on the federal income tax implications of common NFT transactions.

What are NFTs?

To begin, NFTs are unique digital assets/files that are linked to a certificate of authenticity. NFTs have become mainstream in the online world as gaming awards/add-ons, unique art, music, cards, and other digital files. Like cryptocurrency, NFTs are products of blockchain technologies. This allows them to be “tokenized,” where the value is not in the token, but in what it represents. A common analogy is a car title to a car, where the title is the token and the original, unique file is like the car. In the case of NFTs, the ownership can be verified using blockchain records.

Existing IRS Guidance Applicable to Cryptocurrency Extended to NFTs

As mentioned above, IRS guidance specific to NFTs does not yet exist. To understand how NFTs might be taxed, specialists begin by looking to the guidance the IRS has published regarding cryptocurrency activity. According to the IRS guidance, acquiring and holding cryptocurrency through payment of traditional currency is not a taxable event. However, disposing of cryptocurrency generally is a taxable event, even if it’s disposed of in exchange for other digital or non-digital property. That is because cryptocurrency is not treated the same as non-digital forms of fungible currency (e.g., U.S. dollars), instead it’s treated more like owning stock or land. As an example, let’s say Buyer pays for a purchase of shoes with cryptocurrency on Website. Buyer must track the value of her cryptocurrency when it’s acquired and compare that to the value of the cryptocurrency when it’s exchanged for the shoes. If Buyer’s cryptocurrency appreciated while Buyer held it, the appreciation must be reported as gain in her tax return. This means that both Buyer and the Website seller could have income/gain on the transaction. Relying on the IRS guidance for cryptocurrency, tax specialists who have published commentary regarding NFT taxation conclude that the sale or exchange of an NFT is also a taxable sale or exchange of property.

What NFT Transactions are Taxable?

Based on the logic of the guidance mentioned above, we provide the following guidance about how we expect basic NFT transactions to be treated for federal income tax purposes. Because the tax result can vary based on actual details of a specific transaction, we recommend that each transaction be reviewed carefully by an informed tax advisor before proceeding. Further, the tax law related to NFT taxation will continue to evolve. As a result, the assumptions we provide here may quickly become outdated should the IRS, U.S. Treasury, or the courts provide additional guidance.

Creating an NFT

While minting (creating) an NFT is not a taxable event, transactions involving the sale of newly minted NFTs by the creator are taxable. The value of any consideration received, less costs to create the NFT and trading fees, is reportable income. Accordingly, any fees associated with creating and selling NFTs and the cryptocurrencies used to trade them should be carefully documented. What is the federal income tax rate for creators who sell NFTs? Generally, ordinary rates apply to income generated by self-employed artists or creators. Currently, ordinary income rate brackets are graduated, with 37% being the highest rate. In addition to income tax, self-employment tax (the base rate is 15.3%) will also apply.

Investing in an NFT

As mentioned above, using cryptocurrency to purchase an asset generally triggers gain/loss on the disposition of the cryptocurrency when it is offered as consideration in a purchase. Once purchased, the value paid for the NFT and the associated fees become the purchaser’s basis in the NFT. Again, careful documentation of the value of the NFT and any holding or transaction fees is highly recommended.

Selling a Previously Purchased NFT

Disposing of an NFT that was previously purchased (as opposed to an NFT sold by its creator) should be treated like the disposition of stock or land. Any consideration received is offset by the seller’s basis. Resulting gain or loss should be reported as short- or long-term capital gain. Capital gain rates are 0%, 15%, or 20%, depending on the income level of the investor in the year of disposition. However, a higher capital gain rate applies when the NFT meets the definition of a “collectible.” Gain on the sale of collectibles is subject to a 28% capital gain rate. See below for a discussion of collectibles.

Exchanging an NFT for an NFT

If two parties decide to exchange NFTs, both could be required to recognize gain, loss, or ordinary income on the transaction. Each would need to determine the value of the NFT given up in the exchange. When determining the gain or loss on the transaction, the value of the NFT should be offset by the holder’s basis. Such gain will be subject to tax at the applicable short-term or long-term capital gains rate (including the collectible rate), depending on how long the NFT was held by each party to the transaction. Determining the NFT’s value in an NFT-for-NFT exchange may be difficult, depending on the circumstance. There may be little market value information available, such as comparable transactions, and determining what the IRS will accept as documentation of value is hard to predict. Substantiating the value for tax purposes may warrant obtaining a third-party appraisal/opinion (or the equivalent) when the value is significant. The nature of the gain recognized will depend on the type of parties involved in the transactions. Investors should recognize short- or long-term capital gain. Those who created the NFTs exchanged should be subject to ordinary income and self-employment tax as noted above.

Receiving an NFT in a Game or Similar Activity

Receiving an NFT as a reward in a game or other entertainment activity presents potentially ambiguous issues. If the NFT is valuable outside of the game, then it’s likely to be considered ordinary income upon receipt. But what if the NFT only entitles the player to more game advantages, i.e., a game add-on? If the value can be readily established, recipients should expect the IRS to consider the receipt of the NFT to be taxable income. This is especially likely if the same NFT can be purchased for cryptocurrency for a disclosed amount as a game add-on. If it’s not offered as a separate transaction, determining the value of the NFT at the time it is received could be difficult. We can expect the variety of ways to obtain NFTs to proliferate in the near and extended future. Each situation will require careful analysis to determine if and when income is reportable. Again, under general tax principles, any value reported as income and any fees associated with receiving the NFT become the recipient’s basis available to offset the recipient’s gain when the NFT is sold or exchanged. We can only hope that the IRS prescribes reasonable rules, i.e., allowing for deferral of income until the NFT can be easily valued or until it’s disposed of, in the interest of keeping compliance simple and understandable.

Are NFTs Considered Collectibles?

As mentioned above, concern exists that NFTs may fall into a category of assets specifically defined as “collectibles” by the Internal Revenue Code. If the IRS takes this position, any gain realized on sale could be subject to a 28% capital gain tax rate. Collectibles are defined as capital assets held for more than one year that are: “(A) any work of art, (B) any rug or antique, (C) any metal or gem, (D) any stamp or coin, (E) any alcoholic beverage, or (F) any other tangible personal property specified by the Secretary for purposes of this subsection.” How does each of the different forms of NFTs square with that definition? Further clarification from the IRS is required before any definitive determination can be made as to when or if an NFT is a collectible. In the meantime, conservative taxpayers are advised to report NFT gain as collectible gain when the NFT involves an image that can reasonably be considered “art.” The determination becomes more difficult for other types of NFTs.

Recent Tax Legislation Concerning NFTs

On November 15, 2021, the Infrastructure Investment and Jobs Act became law. The new law contains several changes to the taxing of digital assets, including NFTs. The changes will be applicable to information returns required to be furnished after December 31, 2023. Under these rules, “brokers” will be required to file Form 1099-B with respect to NFT transactions. As a result, investors and creators who invest, sell, or exchange NFTs should realize that proceeds from these transactions will likely be reported to the IRS. The definition of a broker is beyond the scope of this discussion, but it includes most parties that facilitate exchanges of cryptocurrency and NFTs. In some cases, it could also include companies that issue NFTs in the context of games and other forms of entertainment.

Conclusion

Artists, investors, and gamers who create, purchase, or exchange NFTs should carefully document the details of these transactions, including any associated fees. While the IRS has not yet published specific guidance on the income tax treatment of NFTs, you can expect reporting of the transaction, including the cryptocurrency exchange associated with the transaction, to be carefully scrutinized if you are subject to audit. The IRS will ask for documentation. Artists and creators generating income from the creation/sale of NFTs are subject to ordinary income tax and self-employment tax. It appears that some NFTs are likely to be considered “collectibles” and will subject investors who realize gain from NFTs held for more than one year to capital gain rates of 28%. In 2024, 1099-B reporting will begin. If you are in the business of creating and selling NFTs, you should also be aware that these transactions may be subject to sales tax collection. Many factors may be relevant to determining which jurisdiction’s rules apply. Our next article in this series will cover state and local tax implications of creating and selling NFTs. If you need help navigating your cryptocurrency or NFT investments, please contact one of our professionals. © Clark Nuber PS, 2022. All Rights Reserved.

What to Expect From an SSPA Independent Audit

For Microsoft suppliers handling sensitive and/or confidential information, compliance with the Supplier Security and Privacy Assurance (SSPA) program is a complicated and varied annual exercise. As we previously discussed in an article on the annual compliance cycle, one of the steps in the program is an audit – known as an independent assessment in the SSPA program guide. This article will focus on that assessment and shed some light on the moving parts and ingredients that make a successful audit (i.e., an audit that is accepted by Microsoft in a timely manner). We will discuss each of the three distinct phases of the audit: pre-testing, testing, and issuance.

1. Pre-Testing

The primary intent of the pre-testing phase is to identify and resolve issues early, before small problems can become big ones. Since this is a foundational stage, with many critical steps, it is vitally important that care and consideration be taken with each of them. More than the other two phases, if the pre-testing phase is not handled with care it can result in the assessment heading off-course or dragging on unnecessarily. To increase the likelihood of a successful audit and a smooth acceptance from the Microsoft SSPA team, the following steps should take place during pre-testing:

a. Review of the Supplier’s Data Protection Requirements (DPR) Self-attestation

The DPR completed by a supplier is the first step in building the independent assessment report. And the review of the supplier’s accepted DPR responses is a critical part in the audit process since it will later be scrutinized by the Microsoft SSPA team. During the acceptance process, SSPA agents will review the scope of requirements tested in the independent assessment and reconcile it with the DPR responses. Microsoft expects these two data points to (a) be the same, or (b) have explanations provided for any differences. If a difference is not explained, the audit report may need to be revised. The revision process is not overly complicated, but it is an added step in the process that can and should be avoided to expedite the process and avoid a “red” status. A supplier may have completed the DPR step in the process before they involve an assessor. In those cases, it is important that the supplier share a copy of the DPR with the assessor, so they are sure to be on the same page. In other cases, the DPR may not have been submitted to Microsoft and the assessor will have an opportunity to provide guidance and answer questions. In either case, it is helpful for suppliers to have submitted the DPR and have it approved/accepted by Microsoft before the assessor completes the assessment. It is important for the assessor and the supplier to both have an accurate copy of the submitted and approved DPR, otherwise it may cause questions and delays in the acceptance process.

b. Agree on Scope and Applicability

A critical review of the DPR responses by the assessor is essential to creating an efficient audit plan and expediting the acceptance process of the audit report by Microsoft. The SSPA program is complex, confusing, and intersects uniquely with each supplier. For these reasons, the responses suppliers offer to certain requirements are not always correct. The assessor will want to look over the DPR responses to make sure they agree. In this scoping process, it is important to note that the Microsoft SSPA team tasked with reviewing and approving DPRs is primarily focused on looking for responses that are inappropriately marked as “Does Not Apply.” They are concerned with a requirement not being audited when it should be. This also means that the Microsoft SSPA team is not critically looking in the other direction – a “Compliant” answer that is incorrect. That is where the assessor can provide some advice and guidance. Remember, when a supplier responds with “Compliant,” they are also indicating that the requirement is applicable to their work for Microsoft. The assessor’s analysis for incorrect “Compliant” responses is critical, as the following example demonstrates:
  • Requirement #51 relates to processing credit card transactions on Microsoft’s behalf. In our experience, this requirement is rarely applicable as suppliers are not often asked to do this, yet it is marked as “Compliant” in some cases.
  • If the auditor simply accepts the fact that this requirement is applicable and plans to provide an opinion that the supplier is compliant with this requirement, they need to perform audit procedures to support that opinion.
  • That would involve asking the supplier to complete a Payment Card Industry compliance effort, which is quite an undertaking.
  • If that requirement is not applicable, the supplier would certainly want to avoid that added level of effort.
This demonstrates the importance of the assessor and the supplier being on the same page when it comes to scoping and applicability. If the supplier and assessor agree that a “Compliant” response was submitted in error, then this can be flagged in the audit report as being different from the DPR response and explained by the assessor for Microsoft to consider.

c. Identify Gaps

Once the scoping has been set, the next step is to determine if the supplier is actually compliant with each applicable requirement, and if they have documentation or other evidence that can be provided to the assessor to support their compliance. It is certainly possible that a supplier could have implemented a process – such as a practice of periodically purging data from a database in response to requirement #13 – but not have a documentation trail or automated process to provide to the auditors. If a gap like this is identified, the assessor can work with the supplier to provide guidance or a starting point to fill in the gap.

d. Gather Evidence

Evidence will need to be gathered to support your compliance with each applicable requirement. This sounds simple, but as mentioned earlier, the SSPA program is complex, confusing, and intersects with each supplier in unique ways. Interpreting the evidence needs for each requirement is a role the assessor should play. This should be a collaborative process and an open conversation between supplier and assessor.

2. Testing

If the pre-testing phase was done well, the testing part of the audit process should be straightforward. The assessor will review the materials the supplier provided and complete the necessary documentation to support their conclusions. Materials that are required tend to fall into two categories:
  • Policies, checklists, and other tools that serve as guides for company personnel to operate compliantly, and
  • Screenshots of software tools used to safeguard data (e.g., firewalls, security patches, anti-virus software, password settings, etc.)
Clarifying questions or additional requests are common, but they don’t represent a finding. Even if a previously unidentified gap is found at this stage, it can still be cured without raising any flags or creating a finding in the report.

3. Issuance

Once all questions have been answered and any remaining evidence is provided, the assessor will be able to issue the final report. It is the supplier’s responsibility to submit the audit through the Microsoft compliance portal. Once the audit is submitted, Microsoft will review it for approval. This is the step in the process where they compare the audit report with the self-attestation completed by the supplier and look to reconcile any differences. Once they are satisfied, they will approve the report and reset the compliance process until the next year.

How can a Supplier Make the SSPA Independent Audit Successful?

There are many ways that a supplier can impact the success and expediency of the audit process. We have highlighted some of those above, and offer the following as advice:

Be Thoughtful in Your Responses to the DPR

If you think something doesn’t apply to the work you are doing for Microsoft, submit a “Does Not Apply” response and provide a thoughtful explanation. This will help set the scope accurately and make for a smoother acceptance process. Also, if you have engaged an assessor and have not yet submitted your DPR responses, involve them and seek their guidance prior to submitting.

Initiate the Process Early On

When the audit task is launched, Microsoft starts a 90-day clock. The audit is more likely to be successful, and generate less stress, if the supplier engages with an assessor on day 1 rather than day 71.

Ask Questions

You have been asked to complete the audit, and it may be the first time you have had to do this. The assessor you are working with does many more of these each year. If you have questions, open a dialogue and get your questions answered.

Communicate

Just as it is important for you to ask questions of your assessor, it is equally important for you to be responsive and/or seek clarification from your assessor when they have questions of their own.

Interval Touch Points

SSPA veteran suppliers that have been doing this for years will understand the process and be able to self-manage when it comes to milestones and cadence. Suppliers that are navigating this for the first time will need extra support. Take the time to set up interval touch points. These planned discussions create mutual accountability and also provide a forum for getting questions answered. Plan for discussions where:
  • Scoping will be discussed and decided,
  • Gaps can be ironed out, and
  • Questions about necessary evidence can be addressed.
You may or may not need to have formal discussions each time, but having that on the calendar is a big help.

Conclusion

Audits can be intimidating and stressful, especially when continued/uninterrupted business from a large customer is hanging in the balance. A thoughtful investment of time in planning and preparation will pay dividends in the form of a less stressful and smoother acceptance process. If you have questions about the audit process, or if you need an audit, send me an email and I’d be happy to connect.

© Clark Nuber PS, 2022. All Rights Reserved.
