Mike Nurse
posted this blog on

COSO Series, Part 3 of 6: This article is part three of a six-part series exploring the high-level basics of the COSO Integrated Internal Control Framework.[1] It provides a high-level overview of the second component of the framework: Risk Assessment.

There are numerous types of business risk that can impair an organization’s ability to reach its objectives. Some of these risks include financial, liquidity, exchange-rate, strategic or systematic risk. But how does a business assess what risks it faces and, more importantly, how do those risks get managed?

To answer these questions, the organization must perform a risk assessment, from which it can lay the groundwork for risk response and management. Performing a risk assessment is an iterative, ongoing process that considers the unique variables and risks an organization faces.

The COSO Internal Control Framework helps us to understand the underlying principles behind risk assessment.  COSO defines risk as the possibility that an event will occur and adversely affect the achievement of objectives.

The Four Principles of Risk Assessment

Risk assessment can be broken down into four distinct principles (related concepts) as follows:

Specify objectives with sufficient clarity in order to identify and assess risks relating to objectives.

Prior to specifying objectives, management must consider their risk tolerance and determine what an acceptable level of risk is.  Within that pre-determined framework, objectives are considered for operations (e.g., operations and financial performance goals), external financial reporting (e.g., complying with accounting standards), external non-financial reporting (e.g., compliance with laws and regulations), internal reporting (e.g., management reporting) and compliance (e.g., minimum standards of conduct as established by laws and regulations).

Identify risks to the objectives and analyze risks as a basis for determining how the risks should be managed.

The identifying and analyzing phase should be comprehensive in scope.  Management considers risk at all organizational levels and how those risks might impact the organization from a severity and likelihood perspective.  There are many types of risks to consider, two of which are external and internal risks.  Some external risks might include economic (e.g., barriers to competitive entry), regulatory (e.g., new anti-trust law), natural environment (e.g., earthquakes or other natural disasters), and foreign operations (e.g., change of government in a country with operations).  Internal risks might include personnel (e.g., quality of new hires), infrastructure (e.g., use of capital resources), and technology (e.g., disruption in information systems).  After identifying the risk, management must consider whether they want to take no action (accept), stop the activity giving rise to the risk (avoid), take action to mitigate the risk (reduce), or transfer some of the risk (share).

Consider the potential for fraud in assessing risks to the achievement of objectives.

The consideration of fraud should include multiple areas, including fraudulent financial reporting, loss of assets and the possibility of corruption.  Like the concept of the “Fraud Triangle,” this consideration takes into account incentives and pressures, opportunities, and potential rationalizations that might arise that would lead someone to commit fraud.  Generally, internal controls are put into place to mitigate the risk of fraud and can vary considerably, depending on the organizational structure and individual risks.

Identify and assess change that could significantly impact the system of internal control.

Management must consider the possibility and effect of change to the external environment (e.g., regulatory, economic, physical), business model (e.g., new business lines, newly acquired business operations) and leadership (e.g., resulting in a new philosophy on the system of internal control). Consideration of change and consideration of risk are very similar. However, change should be discussed separately from the regular risk assessment process due to its importance to the effectiveness of internal control. Consideration of change should lead to forward-looking mechanisms that can easily anticipate and plan for potential change.

The principles mentioned in this article represent a high-level, basic overview of the risk assessment process. As you begin performing a risk assessment, it is important that you consider all the underlying principles and how they uniquely apply to your organization. This can be complicated, but Clark Nuber can help with this process. Contact Mike Nurse for more information.

For complete and detailed information about the Framework, Components and Principles, we encourage you to explore and learn more at

[1] COSO is an acronym for Committee of Sponsoring Organizations of the Treadway Commission. It was formed in 1992 as a joint initiative of five organizations, including the American Institute of CPAs and the Institute of Internal Auditors, among others. Since that time, the committee has been developing and refining frameworks and guidance around enterprise risk management, internal control and fraud deterrence, with the most recent revisions of the Internal Control – Integrated Framework model in 2013.

© Clark Nuber PS and Focus on Fraud, 2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Clark Nuber PS and Developing News with appropriate and specific direction to the original content.

Keep Reading

Articles and Publications

States Looking at Internet Cookies for Additional Tax Revenue

These cookies are the colloquial expression for small snippets of software code stored on remote computers, phones, and other internet-connected devices. Cookies are extremely common. They’re what allows a website previously visited to “recognize” the computer’s user when the site is revisited. Cookies are everywhere. States aren’t looking to tax the transmission or storage of cookies, but instead want to base a claim of sales tax nexus on the transmission and storage of a cookie once transmitted to an in-state device.

Nexus and Who Collects

In the United States, sellers who sell to customers in other states are not obligated to collect sales taxes on those sales unless they have a “physical presence” in the state where the customer resides. This physical presence can take many forms, including employees, inventory, or even referral advertising arrangements. Once established, the seller has triggered sales tax nexus and the state can compel that seller to collect and remit sales taxes on sales to in-state customers.

Back to the cookies: a few states recently determined the transmission and storage of cookies satisfies the physical presence necessary to trigger sales tax nexus. In late 2017, Massachusetts published regulations on the topic. Now, sellers who distribute or store apps or cookies on computers or other devices of Massachusetts customers have established a “physical presence” in the state. The “physical presence” of the apps or cookies triggers sales tax nexus for the sellers who distributed or stored them on the devices of Massachusetts customers.[1] Once sales tax nexus is triggered, a seller must register and report all taxable and exempt retail and wholesale sales into the state. Massachusetts provides thresholds to prevent small sellers from having to collect; for example, sellers who sell less than $500,000 annually into Massachusetts are excluded from the rules.

How Does the Cookie Rule Affect Sellers?

The approach taken by Massachusetts is novel, daring, and already being challenged.[2] The results of those legal challenges notwithstanding, Ohio[3] and Rhode Island[4] passed similar legislation in 2017. The arguments for and against the physical attributes of cookies are interesting and can approach the molecular level, but for retailers, the new rules signal the ingenious and aggressive ways that states are looking to tax sales. History shows it’s likely other states will adopt similar rules in the near future. Companies that sell into Massachusetts, Ohio, or Rhode Island have a new wrinkle to address in determining their likelihood of establishing nexus there and likely will face the same issue in other states as well.

For companies that make retail sales anywhere across the United States, the issue of nexus and the obligation to comply with sales tax rules of other states is front and center. Awareness is a key first step. Additionally, any company selling products or services across state lines should develop a sales tax plan with an initial goal of addressing the issue of nexus in a consistent manner. The result should be a rational, repeatable process to help make future decisions about where collection is required.

We can help your company identify areas where risk exists in your sales tax compliance efforts and provide proven ideas on how to improve workflows and decrease that risk. For more information on this topic, please contact Shane Ratigan.

[1] See Mass. Regs. Code 830 CMR §64H.1.7(1)(b)(2)(a).
[2] Crutchfield v. Mass. Dept. of Revenue ( Circuit Court of Albemarle County (Virginia).
[3] Ohio FY17-18 Capital Budget. See House Bill 49.
[4] Rhode Island FYE 06/30/18 Budget. See House Bill 5175.

© Clark Nuber PS, 2018. All Rights Reserved

Finance and Development Collaboration

1. Year-end Cut Off: Establish a collaborative process for proper donation cut-off to ensure recording in the correct year for both the organization and donor, as well as sending timely acknowledgement letters. If the organization’s fiscal year-end is different than 12/31, you will need to work together on this issue twice a year. While acknowledgement letters are often the responsibility of development and compliance with IRS regulations is often the responsibility of finance, both departments can re-read IRS Publication 1771 Charitable Contributions Substantiation and Disclosure Requirements. Don’t forget that the IRS has disallowed donor contributions when the taxpayer doesn’t have the contemporaneous donor acknowledgement letter required by IRC Section 170 or when the letter fails to include the required information. This is a good refresher and an opportunity for both departments to meet and discuss the impact on current organizational practices.

2. Pledges: First, ensure both departments are working off the same definition of pledges and, second, that there is clarity on the information the organization requires from the donor. Remember, there are requirements under Generally Accepted Accounting Principles (GAAP) that dictate whether the pledge and allowance can be recorded in the organization’s financial statements. This is a good opportunity for finance and development to discuss the impact of the requirements on organizational practices. For a comprehensive resource on the accounting requirements under GAAP, the AICPA has developed the Not-for-Profit Entities – Audit and Accounting Guide. This would be a worthwhile investment for any finance department. Clark Nuber also offers a training, the Not-for-Profit “Basics” Workshop, twice a year that discusses the nuances of these requirements.

3. In-kind Contributions: The biggest area of differences we see between the two departments is in recording and valuing in-kind contributions. Collaboratively determine the approach each department will take in evaluating and documenting these special contributions. This is a good opportunity for finance to educate development on the types of in-kind contributions that are reported in financial statements and the different requirements for reporting on the IRS Form 990. A methodology can be developed for reconciling between the departments for these differences. IRS Publication 1771 is also a helpful resource in preparing appropriate acknowledgment letters for non-cash contributions.

4. Special Events: Ultimately, management wants to know if the amount of money and staff/volunteer time spent in planning and executing a special event supported the accomplishment of organizational goals (not just financial goals). The financial information is important to ensure events are properly recorded in the financial statements and on the IRS Form 990. There are significant differences between the reporting in the financials and the Form 990 that could be confusing to development. Use this as an opportunity to achieve clarity on these different reporting models. Also, keep in mind that raffles, sponsorships, auctions, etc. associated with special events can have tax ramifications if not handled appropriately. Clarity surrounding the purpose for having the event and the results of the event needs to be communicated, and this can become a great discussion topic for finance and development.

If finance and development are only reconciling their information annually in preparation for the audit, this is a good time to establish a plan for quarterly reviews, starting with March 31. If the two departments are already reconciling quarterly, this is a good time to establish a plan for monthly reviews.

To discuss the processes or technology used in integrating finance and development, contact Cheryl R. Olson. For additional assistance or consulting on any of the tax or GAAP matters discussed, please ask your Clark Nuber service team or contact us. © Clark Nuber PS, 2018. All Rights Reserved

Should Employee Benefits be Treated as Exempt or Taxable?

Certain transportation and, in some cases, onsite recreational facility benefits were treated as tax exempt to employees and tax deductible to employers prior to passage of the Tax Cuts and Jobs Act of 2017. However, beginning January 1, 2018, for the benefits listed below, employers must make an important business and economic choice. They must decide whether to treat the benefit as taxable compensation to employees, or continue to treat the benefit as a non-taxable benefit but receive no tax deduction for the expense of providing the benefit.

Benefit Changes as of 2018

Which benefits are losing status as deductible to the employer and non-taxable fringe benefits to the employee?
  • Qualified transportation and commuting fringe benefits associated under Internal Revenue Code section 132(f), including:
    • Any transit pass
    • Qualified parking
    • Transportation in a commuter highway transportation vehicle between the employee’s residence and workplace paid by the employer
  • Any on-premises athletic facility as defined in section 132(j)(4)(B), if the benefit is no longer tax deductible by the employer under Internal Revenue Code section 274(e).
  • The 50-percent deduction previously allowed for meals and entertainment for recreational, social purposes under section 274(n).

Note: the change in the tax law does not automatically result in these benefits being taxable to employees. Also, the deduction is not automatically lost by the employer. Under Internal Revenue Code section 274(e)(4), if the recreational facility is primarily for the benefit of employees who own less than 10% of the company, a deduction is allowed. If a deduction for any of the above named benefits is not allowed, the employer must make a choice either to treat the benefits as taxable compensation to employees, a deductible payroll expense, or continue to treat the benefit as non-taxable fringe benefit to the employees, but no longer deduct the expense.

The net effect of the change is more than just the loss of value of the tax deduction on the benefits to the employer. The corporate tax rate was decreased from 35% to 21%, while individual tax rates shifted only slightly. Also, newly taxable benefits should be assumed to be the last dollars taxed or benefits taxed at the highest rate to which the employee is subject. In addition, because now the benefit is taxable wages, although deductible to the employer if treated as taxable wages, both the employer and employee must pay employment taxes on the benefits at 7.65%, assuming the employee is not over the FICA limit.

What Should Employers Do?

Following is an illustration of the decision employers must make regarding 2018 payroll:

Facts: The value of the benefits is $100,000. The employer is a personal service corporation. The average employee is in the 25% marginal tax rate and employment taxes are 7.65% for both the employee and employer.

Option 1: The employer may continue to pay for the benefit and forgo the tax deduction, treating the benefit as a tax-free fringe benefit to the employee.
  • Cost to employer: $100,000 cash for benefits and $21,000 in additional taxes paid due to loss of deduction = $121,000
  • Benefit to U.S. Treasury: $21,000
  • Benefit to employees: $100,000
  • Cost to employees: $0
Option 2: The employer can continue to pay for the benefit, treat the benefit as taxable wages, withhold the value of the benefit from the employees’ other wages, and pay the employer payroll taxes.
  • Cost to employer: $100,000 + $7,650 - $22,606 = $85,044 ($100K benefit + payroll tax less deduction for benefit and payroll taxes = net cost to employer)
  • Benefit to employees: $100,000
  • Cost to employees: $25,000 + $7,650 = $32,650
  • Net benefit to employee: $67,350 (Benefit net of tax liability)
  • Benefit to U.S. Treasury: $25,000 - $22,606 + $7,650 + $7,650 = $2,394 (employee income tax less employer tax deduction plus total payroll taxes)
Option 3: The employer can let the employee decide if they want to continue to receive the benefit and be taxed on the value of the benefit. The taxes and benefits would be a hybrid between Option 1 and 2, depending upon which employees take the benefit, and whether the employer treats the benefit as taxable or non-taxable wages.

The employee’s choice to forgo the deduction results in substantial cost to the employer. The employee receives the same benefit, but, depending upon the employee’s marginal tax rate, there is a tax cost to receiving the benefit. The employer may be better off economically splitting the difference and grossing up the employees’ wages to cover all or part of the increased tax cost to be in the same position rather than lose the tax deduction during the tax law’s first year of implementation.


Please contact Jane Searing if you have questions about how tax reform might affect your employee benefit plan, or visit our Tax Cuts and Jobs Act page for additional resources. © Clark Nuber PS, 2018. All Rights Reserved
