Say hello to


CPA | Principal

An avid reader of fantasy novels who completes 1,000-piece puzzles in her spare time, it’s no wonder Kelly’s favorite part of her day includes playing make believe with two of her favorite people—her amazing kids.

 » Read more

Pete Miller
posted this blog on

“Failure is simply the opportunity to begin again, this time more intelligently.” – Henry Ford

Failure gets a bad rap. To many, it’s a loaded word, packed with a negative connotation. Failure means something we wanted to happen didn’t, and all we’re left with are feelings of disappointment and self-doubt.

However, if we stop processing failure at that point, we do ourselves a disservice. Beyond the disappointment and doubt, there is an opportunity for reflection, learning, and growth. History has incredible examples of growth from failure, and yet the default negativity stubbornly remains.

Clark Nuber has many successes to celebrate over our nearly 70 years in business, but we have also been blessed with failures from which we can reflect, learn, and grow. The following are personal lessons I’ve learned from failure, and how I integrated those lessons into our business.

Don’t Be Afraid of Failure

Fear is a powerful force that could prevent you from reaching your greatest heights.

As a relatively new employee at Clark Nuber, I remember watching the partners engage in practice development conversations and assist clients with such ease. I thought I could never be as adept in those moments as they were. And when it came to my first solo discussion with a prospective client, I was visibly nervous and undoubtedly less confident in my presentation abilities than I am today.

Thankfully, I have since learned a lot about how to be effective in those conversations, and it’s become a natural extension of who I am. However, without those initial “productive struggles,” I would not have developed into the professional I am today. Had I let fear get the better of me, I would likely no longer be in this profession and my career arc would be vastly different.

Certain things are worth the effort and worth the struggle. Fear can be countered by keeping your eye on the prize. And remember that the prize is not necessarily “closing the deal,” although it can be. The real prize should be personal growth and development of new skills.

Examine the Failure and Learn from It

Mistakes happen. Poor choices happen. Don’t just sweep them under the rug and move on. Acknowledge the failure, learn from it, and help that mistake or poor choice make you stronger.

Several years ago, I heard a message from our clients that they were interested in a more affordable fraud hotline resource. The existing products in the market were either too expensive or too complicated for their liking, and they were looking for something else.

After hearing this from several clients and not having any good answers to point to in the marketplace, I wondered if Clark Nuber could build a service like this on our own. I spoke with our internal team and we built a hotline resource that was simple and provided employees with an outlet to report suspected fraud anonymously and safely. We began to advertise this resource and had some initial interest and adoption by existing clients. But in the long run, the resource never got the traction we were aiming for, and we shut it down.

What I learned through the process of discussing our resource with prospective clients was that the majority of the market really did want the in-depth reporting options, dashboarding, and rollout tools that were offered by the more expensive and elaborate products. What we built wasn’t robust enough for what the majority of the market wanted. We jumped right to build-mode and didn’t take the time to really listen to consumer needs to use in our development process. This was a very valuable lesson and something I have used in building out subsequent, successful, tools for our teams.

Keep Swinging

A single iteration of an effort may fail, but that doesn’t mean the next one can’t be a success.

Thomas Edison famously tried hundreds, if not thousands, of iterations of his various inventions. In fact, he was once asked, “Isn’t it a shame that with the tremendous amount of work you have done you haven’t been able to get any results?”

Edison turned that statement around, and with a smile replied, “Results! Why man, I have gotten lots of results! I know several thousand things that won’t work!”

Much like the quote from Henry Ford at the start of this article, failing one attempt simply means that we are smarter as we begin the next experiment. If the goal you’re working toward is alluring enough, the next attempt is worth it, no matter how many times you fail.

The fraud hotline wasn’t the box office hit I thought it would be. That didn’t stop me from continuing to identify and develop new services for our clients and build new tools for our client service teams. Many of those are thriving today, but they would not be the same if not for the lessons of past failures.

What Must be in Place to Grow from Failure?

To learn, grow, and emerge from the fallout of a failure, an individual needs to not only have the personal constitution to shake it off, examine the situation, and look forward, but they also need to know that they work in a safe and acceptable environment to try something new.

Leaders have an opportunity to create that exact environment and, in doing so, encourage inventors and innovators to step forward and experiment. In my observation, the chances of any given individual accomplishing this are greatly improved if the following conditions exist:

Discuss and Normalize Failure

As a leader, it’s important to talk about times when things didn’t work out the way you planned. What did you learn from it and how did some future event benefit from the learned experience?

Sharing failures will help humanize your role, promote safe and courageous conversations about innovation, and inspire others to take calculated risks to further the organization’s goals.

Go Out of Your Way to Support Emerging Leaders

If someone at your company is interested in trying something new and they’re willing to devote time to it, give them your support. Every idea isn’t necessarily a winner; but support the process. Show them they are valued and supported, regardless of the probability of success of the idea.

Don’t Take Credit

You may have helped shepherd an idea through the process, but it was their idea and their work that made it happen. Again, go out of your way to put them in the limelight.

Seeing peers get recognized and receive credit for their work is another cornerstone of a safe and welcoming test lab. This concept can represent an incredible multiplier for any organization.

Celebrate the Attempts, Not Just the Wins

Recognizing someone for coming forward, the effort that went into the exploration, and the lessons learned might just spark someone else to take the next great idea forward.

Don’t Dwell on It

Failure is something to examine and learn from, but, in the immortal words of Frozen’s Elsa, you then need to let it go. There is no better way to wash out the flames of a recent failure than to apply what you learned from it and execute the next attempt successfully.

As Walt Disney said, “We don’t look backwards for very long. We keep moving forward, opening up new doors, and doing new things, because we’re curious… and curiosity keeps leading us down new paths.”

Curiosity is a natural human phenomenon. When we let curiosity guide and inspire us to push through failures we encounter, great things can happen. Failure, if used properly, can be your friend. Embrace it!

This article is part of the Learning, Adapting, and Growing: Leadership Perspectives series, which explores the role of leadership from a diverse array of perspectives. Each article is written by a Clark Nuber leader who shares their ideas on the unique challenges and opportunities they have experienced, and the lessons they’ve learned along the way.

© Clark Nuber PS and Leadership Perspectives, 2021. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Clark Nuber PS and Leadership Perspectives with appropriate and specific direction to the original content.

Keep Reading

Articles and Publications

Washington B&O Tax Alert – Annual B&O Tax Apportionment Reconciliation Due October 31st

For business and occupation (B&O) tax purposes, taxpayers earning apportionable revenue calculate their taxable Washington revenue by applying a “receipts factor” apportionment methodology. Taxpayers computing B&O tax in this manner are required to complete and file an Annual Reconciliation of Apportionable Income form with the Department of Revenue.

When is the Annual Reconciliation of Apportionable Income Form Due?

The form must be submitted to the Department of Revenue by October 31st of each year. Failure to timely file the reconciliation form may result in penalties.

Who Must File?

In-state taxpayers that earn income from apportionable business activities performed for customers located inside and outside of Washington may apportion such revenue to Washington for B&O tax purposes. Out-of-state taxpayers earning apportionable income attributable to Washington are required to apportion their revenue and report to Washington when the taxpayer exceeds the receipts threshold described below. Taxpayers that are required to apportion income, or that take an apportionment deduction for B&O tax purposes, must file an annual reconciliation form. The following is a non-exhaustive list of apportionable activities:
  • Service and other activities
  • Royalties
  • Travel agents and tour operators
  • Public and nonprofit hospitals
  • Real estate brokers
  • International investment management services
  • Aerospace product development
It is important when filing a B&O tax return for taxpayers to properly classify their activity. The Department of Revenue is taking the position that taxpayers who fail to report apportionable income, or who misclassify apportionable activity under a non-apportionable classification, are subject to late payment penalties for failure to file an annual reconciliation if a later audit results in an adjustment or reclassification and no reconciliation was filed. It may be advisable to make a protective annual reconciliation filing if there is uncertainty about whether the correct classification was selected. This can be done by filing a “no change” annual reconciliation by the October 31, 2021 due date.

What is This Filing?

The Department of Revenue allows taxpayers to use the prior year’s apportionment factor for reporting current year liabilities. This simplifies the taxpayer’s reporting method but then requires the business to determine the current year’s factor based on actual data once it becomes available. The purpose of the annual reconciliation is to correct apportionable receipts reported to the Department using the previous year’s factor or incomplete year-to-date data. If additional B&O tax is due as a result of the reconciliation, late payment penalties are automatically waived provided the form is filed by the October 31st deadline. The form is required to be filed even if the true-up results in no additional tax liability.

How is the Single-Factor Apportionment Formula Applied?

The numerator of the factor is the apportionable revenue attributable to Washington State. The denominator of the apportionment factor is the apportionable revenue attributable to those states (including Washington) in which the company files business tax returns or is deemed to have created nexus under Washington’s economic nexus standards. (Apportionable revenue sourced to a state or country in which the business does not have substantial nexus is excluded from the denominator and is commonly known as throw-out revenue.) The business’ gross apportionable income from apportionable activities is multiplied by the apportionment factor to determine the amount of receipts that are subject to B&O tax. For purposes of the annual reconciliation to be filed by October 31, 2021, a business is considered to have substantial B&O tax nexus in Washington if the business:
  • Has physical presence nexus in Washington, or
  • Has more than $100,000 in combined gross receipts from all taxable classifications sourced or attributed to Washington, or
  • Is organized or commercially domiciled in Washington.
Notably, the measure of substantial nexus in Washington changed for return periods beginning January 1, 2020 and the annual reconciliation to be filed by October 31, 2021. The prior payroll and property thresholds were eliminated, so now any physical presence will create nexus. And the receipts factor was lowered from $285,000 of apportionable gross receipts attributed to Washington to $100,000 of gross receipts from all taxable classifications. With the lower receipts threshold, we expect that for years 2020 and after, businesses with sales sourced to multiple states will have a lower Washington apportionment factor because they will be deemed to have created nexus in more states under Washington’s economic nexus standard, reducing the amount of throw-out revenue excluded from the denominator. We also expect that more out-of-state taxpayers will be considered to have substantial nexus in Washington. For taxpayers that used the 2019 apportionment factor for all/part of 2020 reporting, a significant difference in the apportionment factor may result from these changes.

Where do I File?

The form is available on the Department of Revenue’s website. The filing can also be completed online using the Department’s My DOR system.

What if I Need a Filing or Payment Extension Due to COVID-19?

The Department of Revenue has not provided any extension of time for filing the annual reconciliations due to COVID-19. The Department has stated it will provide payment extensions, upon request, to businesses in the industries directly impacted by these restrictions. The Department will waive interest from February 29, 2020, until the termination of the COVID-19 State of Emergency or Proclamation 20-20 is rescinded. At that time, interest will begin accruing on outstanding balances.

What if I Need Help?

Please contact one of the members of the Clark Nuber state and local tax (SALT) practice with any questions regarding apportionment or if you desire any assistance in fulfilling the annual reconciliation requirement. James DeZort is a senior in the State and Local Tax Services Group.  ©2021 Clark Nuber PS. All rights reserved.

Safeguard Your Organization: How to Build a Meaningful Information Security Policy


The Information Security Policy (IS Policy) is the most important security document of an organization. Ideally, it should serve as the guiding principle of an organization’s information security, providing structure and vision to ensure the organization can achieve its mission, while keeping its data safe. The IS Policy requires a mature process to ensure its objectives are met. This article will cover the steps to creating one for your own organization. Click here to download a more in-depth version of this piece, with a template for you to reference when building your own IS Policy.

Step 1: The Policy Statements

The IS Policy typically begins with the Policy Statements, which are declarations based on good, strategic principles. These establish “why” the IS Policy exists and “what” it hopes to achieve. The “what” depends on each organization. An e-commerce company may emphasize that “all” users are responsible for protecting passwords. But a not-for-profit organization with volunteers may not even use passwords; this would later drive a much different “how” to achieve security. (The “how” are called “Procedures” and are outside the scope of a Policy Statement.) The following are common Policy Statements:
  1. All users are responsible for protecting the organization’s confidential information from unauthorized access.
  2. All users are responsible for protecting their passwords and other access credentials from unauthorized use.
  3. Access to confidential information must be authorized with valid business purposes.
  4. Access to a confidential system requires training in protecting such information.
  5. Users of confidential information must be accurately, individually, and uniquely identified.

Step 2: Data Classification

The next element of an IS Policy is Data Classification. Data Classification is the most tactical, relevant, and pragmatic approach in building the IS Policy. Not all information is equal and, thus, does not require an equal level of security effort. Resources should be prioritized to the most sensitive information of an organization. It is therefore critical to establish guidance on prioritization. The prioritization is often laid out in a Data Classification table, which resembles the following example: [table id=35 /]

Step 3: Mapping Policy Statements, Classification, and Requirements and Standards

Once the Policy Statements and the prioritization based on Data Classification have been established, the next step is to develop Requirements. This is where many organizations will have varying security practices. For example, an e-commerce company with a policy that “all” users must protect their passwords may require the use of an encrypted password vaulting system. However, this may not be a requirement for a not-for-profit organization with volunteers that do not need login credentials (in order to optimize security spending). Therefore, it’s important to map the Requirements and Standards to the Policy Statements and Data Classification as it explains the “why” such Requirements exist. This will lead to better security adoption and alignment within an organization. The following is an example: [table id=36 /] Many organizations already have documented standards, such as password standards or email standards. While it’s best to include the actual standards (e.g., number of characters, complexity, etc.,) in the table above, it may be a stylistic choice to document them in separate requirements or standards, such as in the example table above.

Step 4: Linking to Other Policies

In the next phase, consider including links in your IS Policy to the other policies and standards. The following are examples that should be considered at a minimum. Their importance cannot be stressed enough.
  • Incident Detection and Response Policy: All organizational members are responsible for detecting issues that could be symptoms of a security breach. This could be phishing emails or slow background processes on a laptop. It is critical to build incident logging processes (e.g., IT helpdesk), but it is even more critical to build a process to triage incidents to find patterns of a security attack. Then, an organization must understand how to respond.
  • Business Continuity and Disaster Recovery Policy: In case of a disaster, such as a security attack, it’s important to understand how to launch backup processes and initiate recovery procedures. This is often referred to as the BCP/DR Plan.
  • Data Retention Policy: For a variety of business or regulatory reasons, sensitive information is normally backed up and retained. It’s essential to secure backed-up data from any breaches.

Step 5: IS Policy Review and Communication

Once the IS Policy is documented, it should be maintained, reviewed, and monitored periodically. This process is often annual, but this depends on your organization. Typical reviewers include those ultimately accountable for the security of an organization, such as the CEO or the COO. The IS Policy should explicitly state who the reviewers are, and when the review occurred. Certain regulations, such as GDPR, require that a privacy officer is also identified and listed. Once reviewed, the IS Policy should be communicated throughout the entire organization. A very common tactic is to require annual training on the IS Policy, in addition to getting trained on security threats. The IS Policy should also be easily accessible, such as making it available on the intranet. Some organizations take it a step further and disclose consequences for IS Policy violation, but this depends on the culture and other factors of each organization.

In Conclusion

The IS policy is a vital document that charts the course for an organization’s information security. A strong IS policy will lay out an organization’s security philosophy and follow through with the steps employees must take to accomplish the goal of information security. If you have questions on establishing an IS policy, please send me an email. Follow this link for a more in-depth look into the IS Policy and for a template you can follow while building your own. ©2021 Clark Nuber PS. All rights reserved.

Five Security Measures for a Limited IT Budget

There’s no amount of money you can throw at cybersecurity to create a 100%, hacker-proof environment. But even on a limited budget, there are still simple steps you can take to make your organization more secure. The following are five actions and policies you can implement on a budget to keep your sensitive information safer. (We'll assume you already have enterprise network firewalls and anti-virus protections in place. But if not, start there!)

Internal Security Policies

Internal security policies are a great first step for any organization operating on a shoestring budget. That’s because, for the most part, they’re free! As your organization is establishing IT protocol and best practices, remember these points:

Culture is Vital

Organizational culture is the driving force that will make this measure a success or failure. If your organization has a culture where users follow policies and are held accountable when policies are not followed, then having formalized and documented Internal Security Policies is a great foundation. If oversight is slack and best practices are regularly ignored, creating these policies will not help protect your organization.

Policies Must Be Enforced to be Effective

As discussed above, policies are only powerful if they are enforced and have the support of the organization's management team. If policies can be applied and enforced administratively (via systems/applications), that should take precedence over relying on the integrity and trust of users.

Document Your Policies

Documenting security policies helps users understand what they can and can't do, but you have to get users to read it, which is never easy with long policies. To help, summaries and security trainings should be used to supplement the formal policies. In the end though, it all goes back to the organizational culture and holding your users accountable at all levels.


Gone are the days where everyone is working on a desktop computer in the corporate office. Modern work requires mobility and flexibility and, with that, securing communications via encryption should be a requirement.

Encrypt Your Communications

With working from home being part of the new normal, encrypting communications should be a requirement for all organizations. These encrypted methods should include SSL certificates for web communications and VPNs (virtual private networks) for network communications.

Virtual Private Network (VPN)

Outside of enterprise network firewalls, a VPN is another line of defense that should not be taken for granted. With remote work now common, you may not always know where your users are working from and what networks they are connected to. This uncertainty can be a blind spot when trying to keep cyber-threats out. Having an enterprise-level VPN in place can provide you with some level of comfort that your data and communications aren't going through a home/public/wireless network with no security.

Multi-factor Authentication (MFA)

Deploy MFA

MFA should be a default security measure for any external web application/service that has it available. In addition to a password, MFA utilizes a second authentication factor to strengthen security. There are many options for MFAs, from mobile authenticator apps that provide authentication codes to physical hardware authentication keys. Email and text-based MFA codes are simple options that are widely available and better than having no MFA. But if the two previously mentioned MFA methods above are available, they are recommended over email and text codes based on the current attack vectors that target these simpler MFA authentication methods. You can either use the built-in stand-alone MFA feature that is provided by the application/service or, if your environment and the application/service supports it, enable Single Sign-on (SSO) with SAML 2.0 to utilize your enterprise SSO/MFA authentication. Securing access to your physical/virtual devices with MFA is also important. These include laptops, desktops, servers, virtual computers/servers.

Password Policy is Still Important

Remember, having MFA doesn't remove the need for a strong (and long) password policy, as you need both measures to ensure a high level of security. Implementing MFA but using a weak password that can be cracked easily is contrary to the point of having MFA. Your goal should be to have multiple strong authentication measures in place to make it as hard as possible for bad actors to gain access to your accounts.

Email Security

Educate Your Users About Phishing Scams

Phishing is one the most common tactics bad actors use to infiltrate your network. These harmful emails may include fake links and websites to steal your user's credentials; fake attachments and download links that install ransomware; or fake emails from hackers impersonating others for monetary gain. All of these are common attacks that email security platforms can help block before they ever reach your end users.

Use Software to Scan for Harmful Attachments

Advanced scanning of attachments can prevent malicious software from being delivered to users via email. Certain software packages can detect suspicious attachments and fraudulent links before they reach anyone’s inbox, keeping a safe distance between your users and the bad actors.

Email Policies

Granular policies can be used to identify emails that should be held for further inspection by IT personnel or automatically rejected. These policies might include anti-spoofing, attachment management, blocked/permitted senders, impersonation protection, etc.

Assist Your Users However You Can

Even with all the training you give users on what not to do, it's impossible to entirely prevent them from ever clicking on a harmful link and accessing malicious attachments. Help them out by having a system that can pro-actively block (and warn) them from certain actions in email. Protect your users from themselves!

Security Awareness Training

Educate and Update Your Users

Your users can't know what they don't know, so user education, especially on common and current scams and attack vectors, is critical to an overall security posture for an organization. Even if the training prevents just one user from having their account compromised, that's well worth the costs and potential losses a compromised account or ransomware event can have on your organization. For users, the benefits of security awareness training is twofold. Not only does it help their organization stay more secure, but it can also help them keep their personal information and accounts secure.

In Conclusion

Remember, there’s no way to guarantee absolute security. And putting any or all of the above measures into place won’t protect your organization completely. If you've read the news in the past few years, you know large enterprises with vast technology and security budgets are being breached. If that can happen to them, it can happen to anyone. A primary goal for smaller organizations then should be to have security measures in place that block common threats and account for user behaviors that can lead to a security incident. If you have even more budget to align with security initiatives, adding additional layers of protection that utilize artificial intelligence, machine learning, and third-party experts to analyze network traffic and user behavior are great ways to further strengthen your security profile. If you have any questions about your cybersecurity options, or concerns about the vulnerability of your network, contact our IT Services Team. ©2021 Clark Nuber PS. All rights reserved.

Featured Resources