MGO CPA | Tax, Audit, and Consulting Services

Topic: Compliance

Your Guide to Navigating the Intoxicating Hemp Market

Key Takeaways:

  • The intoxicating hemp industry offers exciting opportunities for innovation and revenue growth, but navigating its complex and changing regulatory landscape requires adaptability and strategic planning.
  • While consumer demand for intoxicating hemp products is surging, businesses face challenges like a changing regulatory environment, banking hurdles, and the need for extensive consumer education.
  • Success in this evolving market demands a comprehensive strategy addressing compliance, financial management, and risk mitigation to capitalize on opportunities while navigating regulatory changes.
  • Whether you agree with how these products came to market, many now believe that they will survive the regulatory process in some form, most likely in an environment with state-by-state regulations.

~

Intoxicating hemp products have had explosive growth but are now facing regulatory and other headwinds, with states like California, Missouri, and New Jersey introducing new regulations to control their sale and distribution. For intoxicating hemp companies, or those considering entering this space, you are navigating a complex landscape that offers both significant opportunities and substantial challenges. In this evolving industry, it is essential to understand the market dynamics, regulatory environment, and how to manage your business effectively.

The Rise of Intoxicating Hemp

Intoxicating hemp products are the result of wording in the 2018 Farm Bill, which created a gray area where alternative cannabinoids — such as Delta-8 THC, Delta-10 THC, HHC, and a host of other compounds — have come into existence.

Since then, due to the ability to access traditional retail channels (including direct-to-consumer) and a lower tax and regulatory burden compared to cannabis, the market for intoxicating hemp products has exploded. These products, which offer consumers a legal alternative to traditional cannabis, have gained popularity in the form of beverage, tinctures, vapes, and other consumables. While this boom presents exciting opportunities, it also introduces a host of challenges for those entering or already operating in the intoxicating hemp industry.

Opportunities in the Intoxicating Hemp Market

The intoxicating hemp industry offers several key opportunities for companies looking to expand or diversify their product lines:

1. Rising Consumer Demand

The demand for intoxicating hemp products has skyrocketed. Products such as Delta-8 THC and Delta-9 THC are increasingly popular due to their similar effects to cannabis while staying within a legal gray area and being more widely available. Gummies and beverages, in particular, have emerged as popular product forms — with beverages providing an appealing alternative as younger generations report decreased alcohol consumption. This creates a growing market for your business to tap into.

Curaleaf, Kiva, Medterra, Wyld, 1906, and Tilray — which just recently launched a lineup of hemp-derived Delta-9 THC mocktails, seltzers, and sparkling drinks in the U.S. — are among the cannabis companies that have already entered the hemp market. In a recent Cannabis Business Times survey, 17% of participants from state-legal cannabis businesses said they are currently growing or selling intoxicating hemp-derived cannabinoid products and 26% said they are considering or would consider growing or selling intoxicating hemp products.

2. New Revenue Streams

For cannabis operators and hemp sellers, the intoxicating hemp market offers a way to diversify revenue streams. If you are already in the cannabis business, adding hemp-derived products can provide a complementary line that broadens your market reach. While regulations continue to evolve, potential remains to sell in more mainstream retail spaces — further increasing revenue opportunities.

3. National Scaling and Partnerships

One of the key advantages of intoxicating hemp is the ability to scale your brand nationally through interstate commerce. Unlike cannabis, which faces strict state-by-state regulations, intoxicating hemp can be legally shipped across state lines. Additionally, forming strategic partnerships with other brands, such as those in the food and beverage industry, can further enhance your product offerings and brand visibility.

Infographic-Growing-Intoxicating-Hemp_v01

Challenges Facing Intoxicating Hemp Companies

Despite the many opportunities, the intoxicating hemp industry is not without its challenges — including:

1. Regulatory Uncertainty

Perhaps the most significant challenge facing intoxicating hemp businesses is regulatory uncertainty. While the update to the 2018 Farm Bill appears to be deferred, many states have moved to restrict intoxicating hemp derivatives like Delta-8.

For example, New Jersey recently mandated that intoxicating hemp goods fall under the same regulatory system as cannabis. California has implemented emergency regulations, while Missouri’s governor ordered the removal of intoxicating hemp products from the market. Other states, like Louisiana and Connecticut, are implementing new restrictions without outright bans.

This regulatory landscape is likely to continue evolving, with the possibility of stricter federal oversight in the future. Your business model and product offerings need to be flexible enough to adapt to these changes — and the potential uncertainty ahead.

2. Market Saturation and Consumer Confusion

The initial boom in Delta-8 and other intoxicating hemp products has led to market saturation in some regions, increasing competition and potentially driving down profit margins. Adding to this challenge is consumer confusion. Many customers still struggle to differentiate between hemp, cannabis, CBD, and various THC isomers. As a result, educating consumers about products is crucial to building trust and expanding your customer base.

3. Financial Hurdles

While intoxicating hemp companies generally face fewer banking restrictions than cannabis companies, many financial institutions remain hesitant to work with businesses in this space. This can make basic operations challenging — from processing payments to securing loans. You may need to work with specialized financial service providers or explore alternative banking solutions. It is also crucial to maintain meticulous financial records and be prepared for extra scrutiny from financial institutions.

Navigating the Industry’s Complexities

While the intoxicating hemp market offers exciting opportunities for growth and innovation, it also comes with its fair share of challenges. To succeed in this evolving industry, it is crucial to have a comprehensive strategy that addresses compliance, financial management, and risk mitigation. With the right support, you can navigate these complexities and position your business for growth in this fast-growing market.

How We Can Help

Our dedicated Cannabis team understands the unique challenges you face in the intoxicating hemp landscape. We offer a range of services to help guide your efforts — from inventory accounting to tax strategy to help obtaining banking services. Reach out to our team today to learn how we can help you thrive in the intoxicating hemp market.

Preparing Your Government for GASB 103 Compliance

Key Takeaways: 

  • GASB 103 introduces changes to governmental financial reporting, including updates to three key areas: Management’s Discussion and Analysis, presentation of proprietary fund financial statements, and budgetary comparison information.
  • While significant, GASB 103 is less extensive than initially anticipated — with changes scaled back compared to earlier drafts.
  • Governments should prepare for GASB 103 implementation by educating their teams, updating processes and templates, and considering the need for additional data collection or external assistance.

~

The Governmental Accounting Standards Board (GASB) has issued Statement No. 103Financial Reporting Model Improvements (GASB 103), introducing changes to the financial reporting model for state and local governments. This new guidance aims to enhance the clarity and usefulness of financial reports, providing stakeholders with more comprehensive and relevant information.

Here is what GASB 103 means for your government and how you can prepare for these changes.

Understanding the Scope of GASB 103

GASB 103 introduces new or modified guidance in several crucial areas:

  1. Management’s Discussion and Analysis (MD&A)
  2. Presentation of proprietary fund financial statements
  3. Budgetary comparison information
  4. Unusual or infrequent items
  5. Information about major component units
  6. Statistical section

Notably, GASB 103 does not change the basis of accounting or measurement focus for governmental funds financial statements.

Management’s Discussion and Analysis (MD&A)

The MD&A is an essential component of your financial reporting, providing a narrative overview and analysis of your financial activities for the reporting period. GASB 103 aims to make this section more insightful and user-friendly.

Follow these tips to align MD&A with GASB 103 emphasis and requirements:

  • Keep your analysis objective and easily readable.
  • Base it on currently known facts, decisions, or conditions.
  • Present short- and long-term analyses (but don’t duplicate your transmittal letter or the same information within your MD&A).
  • Write for users who may not have deep accounting knowledge.
  • Compare current year results with the prior year, emphasizing the current year.
  • Include three years of comparative data for two-year financial statement presentations.
  • Use charts, graphs, and tables to enhance understanding.
  • Focus on the primary government, distinguishing it from component units.

Remember, your MD&A should tell a story, not just present numbers. Explain why changes occurred and their significance. Avoid “boilerplate” discussions and focus on what’s most relevant each year.

MD&A Structure

GASB 103 requires that information presented in your MD&A be confined to topics in the following five sections:

  1. Overview of the Financial Statements
  2. Financial Summary
  3. Detailed Analyses
  4. Significant Capital Asset and Long-Term Financing Activity
  5. Currently Known Facts, Decisions, or Conditions

Significant capital asset/long-term financing activity should include the following:

  • Capital assets include intangible assets under GASB 51 and intangible right-to-use assets under GASB 87 (leases), GASB 94 (PPP), and GASB 96 (SBITA)
  • Long-term financing includes debt and obligations from GASB 87 (leases), GASB 94 (PPP), and GASB 96 (SBITA)

Presentation of Proprietary Fund Financial Statements

For proprietary funds, your statement of revenues, expenses, and changes in fund net position must now distinguish between operating and nonoperating revenues and expenses, as well as separately report noncapital subsidies (a type of nonoperating revenue and expense). Here are simplified definitions of how these are categorized:

  • Operating revenues and expenses — These are derived from the fund’s principal ongoing operations.
  • Nonoperating revenues and expenses — Includes subsidies, contributions to endowments, financing-related revenues and expenses, capital asset disposal, and investment income.
  • Subsidies — Resources exchanged between funds or other parties without a corresponding exchange of goods or services that either reduce the receiving fund’s fees/charges or are recoverable through the providing fund’s pricing policies. Subsidies also encompass any other transfers not meeting these specific criteria.

These changes aim to provide a clearer picture of your proprietary funds’ performance and financial position. Don’t underestimate the need to evaluate and separately classify subsidies from capital-related contributions and/or transfers, along with their impact on the statement of cash flows.

Budgetary Comparison Information

GASB 103 is standardizing how you present budgetary information. While budgetary comparison schedules continue to be required for the general fund and each major special revenue fund with a legally adopted annual budget, it must now be presented as required supplementary information (RSI) only (i.e., there is no longer a basic financial statement option). This includes:

  • Variance columns — Separate columns for the variances between original and final budget amounts and final budget amounts and actual results.
  • Explanation of variances in Notes to RSI — Detailed discussion explaining significant variations between the original and final budget amounts and final budget amounts to actual results. Also of note, the budget analysis will no longer be included in the MD&A.

Unusual or Infrequent Items

GASB 103 retains the definition of unusual or infrequent items from GASB 62 but adds requirements for presenting these items:

  • Separate presentation — Present inflows and outflows related to unusual or infrequent items separately as the last presented flows of resources before the net change.
  • Disclosure — Disclose in notes the program, function, or activity related to the unusual or infrequent item, and whether it is within management’s control.

Information About Major Component Units

Each major component unit should be presented separately in the statements of net position and activities — unless this reduces the readability of your statements. If readability is affected, you can include combining statements of major component units in your basic financial statements (after fund financial statements).

Statistical Section – Business-Type Activities (BTA)

Due to the changes in the presentation of proprietary fund financial statements discussed above, the statistical section needs an update for BTAs. In the statistical section of separately issued financial reports, governments engaged only in business-type activities or only in business-type and fiduciary activities should present revenues by major source for their business-type activities — distinguishing between operating, noncapital subsidy, and other nonoperating revenues and expenses.

How to Prepare Your Government for GASB 103

The requirements listed above will take effect for fiscal years beginning after June 15, 2025. Now that you know what’s coming, how do you prepare? Here’s a roadmap to help you navigate the transition:

  • Educate your team — Help your finance team understand the new requirements. Consider training sessions or workshops on GASB 103.
  • Assess your current reporting — Review your existing financial reports against the new standards. Identify areas that will need changes.
  • Update your processes — Develop new procedures for collecting and presenting the required information. This might involve changes to your accounting systems or reporting tools.
  • Revise your report templates — Create new templates for your financial statements and MD&A that align with GASB 103 requirements.
  • Engage stakeholders — Communicate with your governing board, audit committee, and external auditors about the upcoming changes. Their input and understanding will be crucial.
  • Plan for data collection — Some new requirements may necessitate collecting data you haven’t tracked before. Start planning for this now.
  • Consider external help — If you’re short-staffed or need additional knowledge, consider engaging consultants familiar with GASB 103 to assist with the transition.

How MGO Can Help

Transitioning to the new requirements of GASB 103 can be complex. Our dedicated and experienced State and Local Government team can assist you in navigating these changes, facilitating a smooth transition and compliance with the new standards.

Reach out to our team today to learn how we can support your government in adopting GASB 103 and enhancing your financial reporting processes.

5 Tips for Setting Up Your Business in the U.S. 

This article is part of an ongoing series, “Navigating the Complexities of Setting Up a Business in the USA”.

Key Takeaways:

  • Expand into the U.S. market to access a large and diverse customer base.
  • Navigate the multi-layered U.S. tax system and adapt to cultural differences.
  • Choose the right business entity and plan for compliance with U.S. regulations.

~

Expanding your business into the United States can significantly increase your market share and open the door to new opportunities. However, the process involves navigating a complex landscape of regulations, tax considerations, and operational challenges. This series provides an overview to help you understand how to successfully set up your business in the U.S.

Why Expand to the U.S.?

Expanding into the U.S. market allows you to:

  • Access a large and diverse customer base.
  • Leverage the economic scale of the U.S. market.
  • Explore opportunities for growth and innovation that may not be available in other countries.
  • Have access to what may be a significant amount of capital (whether this may be equity or debt or other arrangements).

Moving into the U.S. market can help you drive more sales and reach new types of customers. You may also launch new products here that might not succeed in your home market.

5 Key Considerations for Foreign Businesses

When setting up a business in the U.S., you must navigate a range of unique challenges — including:

1. Multi-Layered Tax System

In many countries, businesses deal with a single national tax system where their provinces or states mimic or have congruent rules with federal rules. In contrast, the U.S. has a multi-layered tax system involving federal, state, and local taxes that at many times are not congruent.

When you start a business in the United States you are dealing with 50 states (and the District of Columbia), multiple localities, and certain territories. Each state has its own set of rules and regulations applicable to income taxes, which can be quite different from a single national system (and often at odds with the federal rules).

In addition, state and local jurisdictions impose taxes unique to the state and local level — including sales tax, property tax, and gross receipt tax. Finally, not all states honor the provisions of U.S. tax treaties with foreign countries.

2. Cultural and Business Practice Differences

Understanding and adapting to cultural and business practice differences is crucial. For instance, business practices that are common in Europe or Asia might not be as effective in the U.S. Additionally, legal agreements and formalities that might be less stringent abroad are often necessary in the U.S. to protect business interests.

3. Legal Structure and Entity Choice

Choosing the right business entity is vital as it affects tax obligations, legal liability, and operational flexibility. Options include C corporations (or C corps), limited liability companies (LLCs), foreign corporations with or without U.S. branches, partnerships or joint ventures, or franchising or direct importing. An S corporation (S corp) is not an option for foreign businesses due to ownership restrictions.

Each structure has its own set of advantages and legal implications, which should be carefully considered.

4. Regulatory Compliance

The Corporate Transparency Act is one newly created obligation for all businesses operating in the U.S. Failure to comply can result in significant penalties. It is important to understand the reporting requirements and file all necessary documentation on time.

In addition, you should consult a lawyer to ensure the entity form is respected — including prompt organizational filings with the Secretary of State and obtaining necessary business licenses.

These are just a few of the myriad of regulations your business must navigate. That’s why it’s critical to hire the right professionals to build your team, as missing any of these requirements may place your business in peril.

5. Operational Challenges  

Operational planning is essential for a successful U.S. expansion. Key operational considerations include: 

  • Employee benefits and regulations: U.S. regulations on health insurance, retirement plans, and other employee benefits can be significantly different from those in other countries. For example, in Europe, many employee benefits are government-run, while in the U.S., they are often the responsibility of the employer.
  • Logistics and supply chain management: Choosing the right location for operations includes considerations such as proximity to logistics centers and understanding regional operational costs.
  • Insurance and banking: Obtaining necessary insurance coverage and opening bank accounts can be challenging for foreign businesses. Some U.S. banks may not provide accounts to foreign-owned companies, and those that do might have stringent requirements. Certain banks may refuse to conduct business with certain entities in industries such as cannabis and cryptocurrency, to name a couple.

Establishing a U.S. Presence for Your Business

Setting up a business in the U.S. requires thorough planning and an understanding of various regulatory and operational challenges. From navigating the multi-layered tax system to selecting the right business entity and following U.S. regulations, each step is crucial for a successful expansion. By addressing these key considerations and seeking professional guidance, you can effectively establish your presence in the U.S. market.  

For more detailed insights and personalized help, connect with our International Tax team and start your journey towards successful U.S. market entry today. 

Setting up a business in the U.S., requires thorough planning and an understanding of various regulatory and operational challenges. This series will delve into various aspects of this process, providing guidance and practical tips. Our next article will discuss navi

Defense Wins Championships – Why Your Government Needs Internal Auditing on Its Team

Executive Summary:

  • State and local governments need defensive strategies to protect against risks like fraud, financial loss, and reputational damage, and checks to ensure those strategies are working.
  • The Three Lines Model executes three levels of protection designed to prevent risks from disrupting your operations and causing damage or loss.
  • As the third-line defense, internal auditing analyzes the entire field to identify potential weaknesses and ensure your defensive strategies are effective at averting risks.

~

At the start of the football season, sports analysts spend a lot of time talking about who will be the player to lead their team to a championship. Yet, as we learn year after year, championships are not won by a single player. It is a collective effort, based on an assembly of individuals pooling their talents together in pursuit of a common goal.

In sports, the common goal is a championship. In business, the goal is to generate profit by establishing customer loyalty for your products or services. In government, the goal is to make our communities ideal places to live, work, and play. To win in all these instances, you need a strong team with contributions from every player.

Football fans often hear the refrain, “offense wins games, but defense wins championships.” Government teams looking to achieve their goals should not overlook the necessity of a robust defense — with internal auditing giving you the upper hand over your opponent.

What is Internal Auditing?

According to The Institute of Internal Auditors (IIA), internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. Internal auditing provides a systematic approach to evaluating and improving the effectiveness of governance, risk management, and controls processes.

To simplify: Your organization has goals (objectives). However, obstacles (risks) may exist that keep your organization from reaching its goals. You should develop strategies (internal controls) to prevent those obstacles from occurring, and continuously check to make sure your strategies are working properly (monitoring). To avoid confirmation bias — where you only seek and accept information that supports your goals — you should seek validation from an objective entity (internal audit) to evaluate if your strategies truly position your organization to succeed.

To accomplish all this, you need a coalition of talented individuals that can identify risks, strategize against them, prevent or detect risk infiltration, and consistently monitor emerging risks to provide guidance on how to stay ahead of the curve. In football terms, you need a strong defensive line!

Three Lines of Defense 

Let’s say that risk is the offensive team. Its goal is to get into your organization’s end zone to disrupt operations. The quarterback could be a hacker, fraudster, or unintentional human error. The offensive team also has other formidable players: fraud risks, cyber-attack risks, liquidity risks, etc.

Organizations need a more skilled, agile, and experienced defensive team to counteract the activity of the risk offense. Enter IIA’s Three Lines Model. This defensive strategy executes three levels of protection designed to keep risk from causing extreme financial or other damage.

The Three Lines Model defines defensive roles and responsibilities as follows:

  • First Line of Defense – develops strategies to address risks
  • Second Line of Defense – monitors strategies
  • Third Line of Defense – provides assurance that strategies are truly effective at mitigating risks

Let’s look at the organizational playbook to understand the goals of the offensive and defensive teams and the Three Lines defensive strategy.

Understanding the Offensive Opponent

Organizations are trying to prevent risks from disrupting operations and causing financial and/or other damages. If the risk team scores in your end zone, that means they have exposed a weakness in your organization. Depending on the weakness, it could cost you a little (inefficient operations) or it could cost you a lot (major cyberbreach with financial and reputational damages) … but it will cost you!

Defining Each Line of Defense

First Line of Defense: Management, Staff, and Internal Controls

The first line of defense consists of the organizational staff associated with daily operations, delivery of goods and services, and identifying and addressing risks. For example, to minimize the risk of hacking via password breaches, this line would create a password policy and accompanying procedure, set up systems requirements accordingly, and follow the policy and procedures in daily operations.

Second Line of Defense: Risk Management and Compliance Functions

The second line of defense consists of the organizational staff that monitor your organization’s adherence to its own policies and procedures and other required guidance (e.g., regulations, laws, etc.). For example, to ensure that your organization is following its policies and procedures for minimizing hacking via password breaches, this line would periodically analyze data to ensure compliance with internal guidance, industry best practices, etc.

Third Line of Defense: Internal Audit

The third line of defense consists of internal audit professionals with knowledge in various industries. Internal audit conducts real-time assessments and communicates any weaknesses in the first two lines. Using the prevention of hacking example from above, in addition to assessing password protocols and practice, internal audit may identify that your organization has improper access controls that increase the risk of hackers infiltrating your organization’s systems. Internal audit would provide recommendations for improvement and express urgency for corrective action.

Defensive Benefits of Internal Auditing

Internal audit is not an adversary, it is part of your team. Internal audit collaborates with your management and staff, in real time, to understand your organizational goals, concerns, strengths, and weaknesses. Where external audit provides your management with an analysis of a snapshot in time, internal audit continuously and systematically provides value-added feedback to your management and your board and/or audit committee.

Internal audit assists with ensuring your organizational playbook(s) remain relevant. As the third or last line of defense, it analyzes the entire field (the organization) to make sure your defensive strategies (internal controls) are effective at averting risks from scoring (causing financial, operational, reputational, etc., losses).

Part of the analyses conducted by internal audit include (but are not limited to):

  • Conducting risk assessments to identify the likelihood and potential impact of risks to assist the organization in focusing resources on prioritized areas for improvement.
  • Assessing your information technology and cybersecurity environments to identify and advise on protecting organizational data, improving IT infrastructure, preparing disaster recovery strategies, etc.
  • Assisting in preparing for external audits by assessing if the organization’s financial statements are accurate, complete, compliant with regulations, and free from material misstatement. 
  • Conducting performance assessments to identify areas for efficiency and effectiveness improvements.

Internal audit strengthens your organization’s improvement efforts by bringing reinforcements to your already stellar team. The internal audit group delivers additional resource capacity, skills, and perspectives — including extensive knowledge about various industry standards as internal audit professionals are required to maintain continuing education in their specific areas of focus.

How MGO Can Strengthen Your Team’s Defense

MGO has a defensive line that is ready and motivated to support your organization. Stacked with professionals experienced in areas like state and local government, fraud, audit and assurance, government audit, and cybersecurity, our team is diverse in thought, knowledge, and culture — and we bring those perspectives to the field for you. Contact us today to learn how our internal auditing solutions can boost your organization’s defense.

How to Elevate Your Company’s IPE Documentation to Optimize SOX Compliance

By Jonathan Bayeff, CPA & Cesar Reynoso, CPA

Executive Summary:

  • The Sarbanes-Oxley (SOX) Act established stricter financial reporting requirements for public companies, leading to increased scrutiny of Information Produced by the Entity (IPE).
  • IPE carries different levels of risk depending on whether it is system-generated and manually prepared IPE. Strong documentation is key to validating completeness and accuracy of IPE.
  • Best practices for IPE documentation include identifying the source, parameters, and format of reports; validating totals and counts; retaining screenshots; and having knowledgeable reviewers.

~

Passed by Congress in 2002, the Sarbanes-Oxley (SOX) Act revolutionized public company audits by introducing financial reporting requirements aimed at increasing transparency and preventing fraud. Most notably, the SOX Act established the Public Company Accounting Oversight Board (PCAOB), a nonprofit organization that oversees the audits of public companies to protect investors and further the public interest in the preparation of informative, accurate, and independent audit reports.  

The PCAOB refines its auditing standards annually and, in recent years, the organization has placed greater scrutiny on the work of external auditors. To keep up with PCAOB compliance, external auditors have imposed more rigorous documentation requirements on companies. As a result, companies have felt pressure to provide more expansive Information Produced by the Entity (IPE).

If external auditors have applied greater scrutiny on your reporting, you may be wondering: What level of documentation is sufficient? How can you improve your documentation to avoid deficiencies and provide greater clarity? In this article, we will discuss: 1) what IPE is, 2) the risks associated with different IPE, and 3) how to document your IPE thoroughly.

What is IPE?

IPE is any information created by a company used as part of audit evidence. Audit evidence may be used to support an underlying internal control or as part of a substantive audit. Although there are documentation and risk severity differences between system-generated and manually prepared IPE, the fundamental questions that need to be addressed are the same:

  1. Is the data complete?  
  1. Is the data accurate?

Risk Levels of Different IPE

Here is an overview of how risk levels vary for different types of information you report to auditors:  

Low Risk

“Out of the box” reports carry the lowest risk. These reports are also referred to as “standard” or “canned” reports. Standard reports have been developed by software companies — such as Oracle NetSuite, QAD, or SAP — as part of their enterprise resource planning (ERP) systems. Typically, the end user (you) and even your IT team cannot modify these reports. Given the constrained editability, greater reliance is placed on these reports.   

Medium Risk

Custom reports are typically driven by the business team and developed in-house by your company’s IT team. When your company’s ERP system does not have a report that would provide sufficient data, the in-house developers create a custom report. The IT team follows their change management process when developing the request report. If the report results do not align with your business team’s expectations, the query is refined, and the process is repeated until it does.  

High Risk   

A manually prepared workbook or an ad-hoc query are inherently the riskiest documentation. A manually prepared workbook may be a debt reconciliation prepared by your staff accountant, or a list of litigations the company is involved in drafted by your legal department. Given that these are manually drafted, the margin of error may be high.  

An ad-hoc query is considered high risk since the report is not subject to IT General Controls (ITGC) testing. The end user may input any parameters to generate the report. Since no control testing is performed by your company, external auditors would need to rely on their own IT team to vet the nonstandard query. 

How to Document IPE? 

Your documentation will vary to a certain degree depending on whether the IPE is manually prepared or system generated. In either case, it is important to be as thorough as possible when documenting your procedures.  

Manual IPE

For a manually prepared workbook, provide thorough documentation about the origins of the data. It is ideal to have someone who is privy to the information review the workbook.  

When the reconciliation is comprised of debt instruments, the reviewer should do the following:   

  1. Match the list of individual debt instruments to the signed agreements.  
  1. Validate the reconciliation and each individual schedule for mathematical accuracy.  
  1. Confirm ending principal balances with creditors (where possible).  

If the list consists of litigations compiled by the legal department, the reviewer should do the following:   

  1. Send confirmations to outside counsel (where possible).  
  1. Obtain a list of commitments and contingency journal entries made to an accrual.    

These additional steps provide greater comfort that the list compiled is complete and accurate.   

System-Generated IPE

For system-generated IPE, there are a handful of questions to keep in mind:   

  1. Have you identified the report or saved search that was used?   
  1. What parameters were used to generate this report?   
  1. In what format is the data exported?   
  1. After you run your report and confirm the parameters are correct, what format should be utilized for your export?  

Exported Data

Most ERP systems allow the exporting of data in the following four formats:   

  1. PDF (portable document format) 
  1. Excel  
  1. CSV (comma-separated values)   
  1. Text file   

One major drawback in an Excel, CSV, and text file is that, by their nature, they are editable upon export. An additional drawback of a text file is that it does not contain formatting. As the volume of data grows, proving out the completeness and accuracy becomes more challenging. For these reasons, a PDF export is typically preferred.  

After the data is exported in one of the four formats, you want to ensure that it agrees back to the system (completeness and accuracy). Here are a few ways to do that:     

  1. Does the exported data have dollar amount totals? If so, agree the total dollar amount to the system.  
  1. Does the exported data have hash totals? An example of a hash total is employee ID numbers which in aggregate have no real value other than providing confirmation that the data is complete and accurate.   
  1. Does the report have a total line count? If totals are not available, line counts may be used. However, it is important to note that while the line count may agree, the data itself could have still been inadvertently manipulated.  

Screenshots of Data

Retaining screenshots is imperative for documentation. A detailed screenshot should include some (if not all) of the following:  

  1. Totals (dollar amounts, hash amounts, etc.)   
  1. Lines count   
  1. Parameters utilized 
  1. Time and date stamp 

The first three items validate the completeness and accuracy of the exported data. The fourth item confirms when the report was run and if it was timely. There are many reports that are point-in-time and may not be recreated at a future date. Knowing the constraints of the reports you use is important. Retaining screenshots cannot be overemphasized, especially for point-in-time reports.   

Certain ERP systems or online portals do not provide a preview of the report prior to the export. This puts a constraint on the validation of completeness and accuracy, as it inhibits screenshots from being taken. In this case, as part of the review, the reviewer should re-run the report and validate that the original report used matches the information in the re-run report.

Strengthen Your SOX Compliance by Implementing Best Practices  

There is no perfect science to IPE documentation. But the end goal is to be as detailed as possible. By simply focusing on the fundamental questions and ensuring that your documentation addresses them, your documentation will inevitably improve.   

Developing best practices for your team is the cornerstone for any successful audit. Ensure you have the right guidance to make it happen. Our Audit and Assurance team can tailor a SOX environment to meet your needs. Contact us today to learn more.

Understanding New Employer Reporting Requirements for New York State

As of January 1, 2022, New York employers must report new hires who are listed as independent contractors and have contracts worth more than $2,500 to the New York State Department of Taxation and Finance.

Previously, you were not mandated to include independent contractors under the state’s new hire reporting requirement; now you’ll have to add them to the list of other new hires or rehires to report.

If your organization falls into one of the following categories, you’re required to report your new hires for tax purposes:

  • Labor organizations, including union-operated placement offices (I.e., hiring halls),
  • Employers of individuals performing domestic services,
  • Government entities excluding federal agencies.

Your organization will have to report those new hires or rehires, including independent contractors, within 20 calendar days from the date hired. The hiring date is defined as the first day the employee or contractor:

  • Is eligible to collect commissions for any job performed based only on commissions,
  • Completes the services for which they will be paid (collecting tips, wages, commissions, or another agreed-upon compensation).

If you are an employer looking for clarification regarding additional reporting requirements in New York State (including how to actually file), please contact MGO’s tax team to talk to an advisor who can comprehensively walk you through the steps and ensure you avoid any missteps that could affect your organization.

How  Strong  Is Your Grant Compliance Framework?  

Grant requirements can be complicated. Developing a systematic grant management program provides a framework to mitigate against noncompliance. A sound framework includes five main elements. Answering the following questions will help identify areas you may need to strengthen to ensure your organization’s compliance.

Who is your grant administrator?

This seems like a simple question, but if an organization only has a few grants, grant administration may be one of many roles. Or, responsibility may be shared among several roles. That situation works until the size of the organization and the complexity of the grants make responsible grant management impossible.

When the responsibility and complexity of grant management becomes too demanding to include as one of many responsibilities, it’s time to identify one person to take the lead. Eventually, that person may build the team responsible for overseeing and coordinating grant administration.

It is easy to see the benefits of having one person develop the full knowledge of grant requirements and take responsibility for establishing policies and procedures for the organization. This person provides guidance for the organization and monitors compliance requirements. They also serve as the point person for grant related audits.

Do you have policies and procedures for grant administration?

A grant administrator’s first priority is to develop policies and procedures that outline each step in the lifecycle of the grant. Typically, this document will answer the following questions:

  • Who approves grant applications?
  • Who executes grant agreements?
  • What systems will be used to track grant activities, such as qualifying expenses, reporting dates, performance metrics (both financial and programmatic)?
  • What documentation is required for compliance?
  • Who reviews and approves grant activities to ensure compliance?
  • Who develops and manages a schedule and process for annual financial reporting (financial statements and grant reporting, e.g., single audit)?
  • Who is responsible for training staff in grant requirements?
  • Are subrecipient contracts standardized, and do they comply with your responsibilities as a grantor?
  • Who is responsible for resolving audit findings?

Are you prepared for grant reporting?

One of the key responsibilities of a grant administrator is to manage deadlines (monthly, quarterly, biannually, annually, and grant close out). In addition to the initial application deadline, grants require consistent attention. You need to file updates and reports throughout the life of the grant, and they will often require specific documentation. The information in these reports must be complete, accurate, and filed promptly. If they are not, you can count on the grantor requiring you to follow-up and resolve the issues.

Do you have the resources to monitor activities?

It’s true, monitoring grants is a full-time job. Or it should be.

Being awarded a grant is the first chapter of a long story. The rest of the tale involves using the grant for its intended purposes and documenting that fact. Responsible monitoring and documentation require time, energy, systems, and personnel.

Someone should be assigned responsibility for the continuous monitoring and evaluation of grant administrative policies and procedures. This involves looking for changes in grant requirements communicated by the grantor.

For subrecipients, the grant administrator must convey the expectations about their activities and then monitor the progress toward the stated goals. On-site visits will sometimes be necessary and require time. Verifying the status of periodic reporting responsibilities can also take up resources that may already be scarce.

The final chapter of monitoring activities is to develop a clearly defined plan for responding to audit findings. Depending on the complexity of the findings, resolving these issues can require rewriting procedures, documenting changes, and verifying the implementation.

Are you ready for an audit?

While this may seem obvious, knowing your requirements should be the first step in preparing for the possibility of an audit.

In addition to reviewing grant requirements, look back at your prior year findings to confirm that they were fully resolved. If they were not, they need to be addressed immediately.

The next step in being prepared for an audit is to ensure all necessary documentation is complete and accurate. Your documentation should demonstrate compliance with the grant requirements. Usually, your materials will need to include evidence of internal controls that supports the process of reviews and approvals. Internal policies and procedures should be easily accessible. (Thankfully, once this document is complete, it only needs to be updated going forward.) When these items are assembled, make sure all reconciliations connected to the grant are complete.

Once the preparations are made, the hardest part of an audit is done. You will still need to meet with auditors and discuss expectations, timelines, and requests for information, but these are more scheduling and time management issues. If your paperwork and systems are in good order, your work will consist mainly of providing evidentiary support, and possibly providing explanations on details that may not appear obvious to an outsider.

Continuously improving your grant compliance processes

With a lot of subjectivity in the process of managing grants, along with requirements changing on a regular basis, it is important to continuously evaluate the adequacy of your grant administration policies and procedures. So, no matter what your situation is, your processes can always improve, and any deficiencies can be remediated. But it takes commitment as an organization to devote the resources to do the ongoing work of grant compliance.

Many state and local governments have compliance questions about the federal grants that were distributed during the pandemic. The reporting rules of these programs are complex, and requirements continue to evolve.

MGO’s state and local government professionals can help answer questions about these federal grants and help organizations document their systems of internal controls, improve their audit preparation, and address audit findings. Contact Linda Hurley at +1 (949) 296-4340 or [email protected] for more information on how to improve your grant compliance processes.

Cannabis Regulatory Round-Up – SAFE Act, STATES Act, New York, New Jersey and more

The legal, legislative, and regulatory landscape of cannabis in North America is dynamic and if there has been one constant since pioneering states implemented a legal ‘seed-to-sale’ adult-use market in 2014, it is change. And it is unrelenting.

To help cannabis entrepreneurs and investors keep up with the fast pace of change in the cannabis industry we will be providing monthly summaries of the latest regulatory and legislative news to provide a snapshot of latest happenings while also highlighting matters of interest looking forward.

This month the focus is on prominent federal legislative activity (e.g. the SAFE Act and the STATES Act), state legalization measures (e.g. NJ, NY, IL, and others), and two bills in Colorado that have the potential to attract out-of-state investment to that market.

Changes in federal cannabis legislation

With control of the House of Representatives being transferred to the Democratic party, several bills that have the potential to profoundly impact the cannabis landscape have advanced in Congress.  For example, the last week of March saw the House Financial Services Committee move forward the Secure And Fair Enforcement (SAFE) Banking Act to a full House vote, reportedly “within weeks.” Following the momentum of the House bill, U.S. Sens. Jeff Merkley (D-OR) and Cory Gardner (R-CO) have introduced the companion bill in the Senate.

The latest SAFE iteration addresses the cannabis banking crisis and includes amendments that offer protection to insurance companies and other financial services companies.

The banking issue is long-standing and predates even the implementation of recreational cannabis in the US. The lack of straight forward access to fundamental banking services for the cannabis industry creates a multitude of challenges, most notably the operational and financial difficulties of a multi-billion-dollar industry operating almost entirely in cash. This has obvious implications for public safety and potential diversion to the black market, among other concerns.

The inability to access banking services is often identified as a major hindrance to market entry for large and well-resourced corporations and removal of this barrier could herald a seismic shift in investment into the cannabis industry. At time of writing the House Bill had 152 cosponsors, including 12 Republicans, whereas the Senate bill has 20 co-sponsors.

Adding further momentum to the SAFE bill, last week Last week,  Secretary Steve Mnuchin offered his support for a legislative fix for the banking issues facing the cannabis industry. “There is not a Treasury solution to this. There is not a regulator solution to this,” he said. “If this is something that Congress wants to look at on a bipartisan basis, I’d encourage you to do this.”

Another potentially substantial piece of legislation is the Strengthening the Tenth Amendment Through Entrusting States Act (STATES Act), which aims to reduce conflict between federal and state laws as they relate to cannabis. The STATES Act is a potential gamechanger for the cannabis industry, allowing legal certainty for companies seeking to operate in dozens of jurisdictions across the US.

Although this legislation stalled in December, it was reintroduced on April 4th, alongside other measures, which include:

  • the Ending Federal Marijuana Prohibition Act that would effectively legalize marijuana at the federal level by removing it from the Controlled Substances Act.
  • The Marijuana Justice Act of 2019

The extent to which these bills have bipartisan support may be crucial if they are move beyond the House.

Four steps forward and two steps back in state legalization efforts

It has been a mixed month in terms of advancing cannabis legalization measures at the state level. On the one hand, there has been progress in multiple states, such as Connecticut, Illinois, and New Hampshire. While on the other hand there was a couple of snags holding up the implementation of recreational markets in New Jersey and New York.

Recent adult-use cannabis legalization headlines include:

  • The New Jersey cannabis legalization bill was pulled due to lack of support although Gov. Murphey (D) reportedly stated he remained committed to getting the bill passed.
  • New York dropped cannabis legalization from its budget bill where it was viewed as more likely to pass, however, regulators remain optimistic of progress later in the year. The New York City Council also voted to ban cannabis testing for job applicants.
  • A General Law Committee in the Connecticut Legislature approved a bill that would legalize an adult-use cannabis market in the state.
  • In New Hampshire, the House Ways and Means Committee approved a vote on the floor on legislation that would legalize an adult-use cannabis market.
  • A bill to legalize retail cannabis in Illinois was introduced and passed to a subcommittee for further consideration.
  • Governor of Guam signed a bill legalizing cannabis, becoming the first US territory to do so.

Despite the hiccups outlined above, there is a clear trend towards legal cannabis across the US. Moreover, several states took steps towards expansion or liberalization of their medical cannabis markets. Certainly in the long term, the outlook is optimistic for the cannabis industry on a number of fronts.

Back to the future as Colorado looks to position itself as an investment hub for cannabis

When Colorado became the first state to implement an adult-us cannabis framework in 2014, out of state investment was restricted. This allowed the state to build upon its existing medical cannabis market.

The understandable caution has since been questioned, however, and a Bill offering more flexibility in investment passed both the Colorado House and Senate in 2018, only for then Gov. Hickenlooper to veto it. In 2019, a replacement Bill was introduced and has recently passed its third reading in the House unamended.

As an established market with mature regulations and market stability, Colorado has low-risk potential when compared to emerging markets in other states – although competition is likely to be strong, with ever-thinning margins as prices continue to drop in the state.

Out-of-state investors exploring options in Colorado may be interested in acquiring social consumption licenses in Denver, or seek opportunities for market expansion in the delivery segment of the market. If passed, HB19-1234 would allow licensed dispensaries to offer these services for the first time.

Does Your Organization have a Need for an Independent Eye on Performance?

Alternative Engagement Types: Consulting Services, Agreed-Upon Procedures, and Performance Audits

By Scott P. Johnson, CPA, CGMA
Partner, Macias Gini & O’Connell LLP
State and Local Government Advisory Services

I have spent most of my professional career over the past 35 years serving government agencies and focusing on performance improvement, accountability, and transparency. I recognize the need for continuous monitoring and oversight in the public sector to ensure performance, public accountability, and stewardship of public resources. While participating on a number of professional panels and presentations throughout my career, I have often stated that I embraced the auditor and have welcomed them with open arms into the organizations that I had responsibility over. Why? Because I see auditors as an independent and objective lens, adding value to review and evaluate performance and to make recommendations for improvement. The organizations I have had the pleasure to work for took public accountability very seriously and supported performance improvement as a means to better serve their communities and stakeholders.

Much like a traditional CPA firm can provide different types of services related to an entity’s financial statements, i.e., audit, review, or compilation, based on need, when government agencies are considering an independent evaluation of performance of their programs or operations, the CPA firm’s advisory or consulting arm can step in and offer a number of engagement types based on the agency’s unique needs: consulting services engagements, attestation engagements (e.g., agreed-upon procedures), and performance audits. It all depends on if, and at what level, assurance is needed. The primary driver of what type of product should be considered is typically based on, for instance, issue complexity, taxpayer concerns or expectations, statute requirements, or increased need for transparency on the efficiency and effectiveness of operations. While the driver of the engagement may differ, time constraints and budget are also determining factors.

This is the first article in a three-part series focusing on performance audits. The primary focus of this article is to discuss the differences of the three aforementioned types of engagements – consulting services, agreed-upon procedures, and performance audits – and to provide guidance when a performance audit might be an option.

It is important to identify the differences between (1) performance audits, (2) consulting services engagements, and (3) agreed-upon procedures attestation engagements. On numerous occasions throughout my government service career and also while serving clients, questions have come up regarding the objectives sought, the scope of the engagement, and the engagement type when considering an evaluation of performance for a particular program or area of operations. Each of these engagements differ in purpose and reporting requirements, as well as potential cost, as shown below in Figure 1.0. These engagements are governed by different standards, formal reports are not always required for each, and independence is not always required (i.e., consulting services).

Performance Audits Defined

Performance audits are defined as engagements that provide objective analysis, findings, and conclusions to assist management and those charged with governance and oversight to, among other things, improve program performance and operations, reduce costs, facilitate decision making by parties with responsibility to oversee or initiate corrective action, and contribute to public accountability. *1

Furthermore, GAGAS states that management and officials of government programs are responsible for providing reliable, useful, and timely information for transparency and accountability of these programs and their operations. Legislators, oversight bodies, those charged with governance, and the public need to know whether (1) management and officials manage government resources and use their authority properly and in compliance with laws and regulations; (2) government programs are achieving their objectives and desired outcomes; and (3) government services are provided effectively, efficiently, economically, ethically, and equitably. *2

Agreed-Upon Procedures (AUP)

Based on my experience, it usually comes down to identifying a few factors that determine the engagement. First, the agency must determine the purpose and scope of the work, specifically what questions they would like to have answered. These questions can be broad or very narrow. For example, in an AUP, management may make an assertion about whether a subject matter is in accordance with, or based on, established criteria that is the responsibility of a third party and hires a CPA to add credibility to that assertion by performing specific procedures to test compliance with the criteria. If an agency needs to know something very specific and wants an independent party to perform specific procedures and tell them what was found, then an AUP is appropriate. However, an AUP report does not provide recommendations, an opinion, or conclusion about whether the subject matter is in accordance with, or based on, the criteria, or state whether the assertion is fairly stated. While the agency may want to use an AUP, some key steps that are taken in consulting engagements and performance auditing, such as planning, are not required in an AUP engagement. Also, risk is not assessed in developing the scope, nor does the auditor use a risk-based approach, which is required in a performance audit. Finally, in an AUP, auditors do not perform sufficient work to be able to develop elements of a finding or provide recommendations.

1 See Paragraph 1.21 of GAGAS.
2 See Paragraph 1.02 of GAGAS.

Consulting Services Engagement vs. Performance Audit

For a consulting services engagement or performance audit, the initial questions are then turned into the objectives of the engagement. If the agency wants an objective review of operations or a program to assist them in making decisions, for example, to assess the management of specific funds, and wants findings and recommendations to improve operations, then the agency should discuss the options of a consulting services engagement or a performance audit. From here, the decisions are truncated. The agency needs to consider whether the report is for an internal audience, such as governing officials, management, or staff, or an external audience, e.g., a regulatory agency or the public. If the communication is intended for internal use, then a consulting services engagement with observations and recommendations may suffice. For these engagements, findings, recommendations, and a conclusion is provided to assist management in decision making. Or, an independent third party, such as a CPA or an internal auditor, may be asked to answer the engagement’s objectives to an external audience, in which case a performance audit may be more appropriate due to the need for an independent, objective report that can withstand scrutiny and is subject to peer review. Sometimes there isn’t a choice; some agencies are bound by the government code or local ordinance to conduct audits under GAGAS.

Performance audits are typically the more costly engagement type of the three, given the amount of work required to conduct an audit and adhere to stringent standards. As we’ll explore in later articles, performance audits conducted under GAGAS provide the highest level of assurance among the three options, based on the level of work required. These audits involve developing the required elements of a finding and the documentary evidence required for planning, fieldwork, and reporting. The amount of work involved is much greater than in consulting services engagements, where observations and recommendations will suffice. Consulting services engagements are not audits and, therefore, offer no assurance. Similarly, in attestation engagements, where only specific procedures are performed, no assurance is provided. *3

Conclusion

Having been on both sides of deciding what engagement to recommend, either for an agency I worked at or to a client, it’s important to discuss the level of work required for each engagement type, the number of hours required to do the work under the appropriate standard within a reasonable time period, and the available budget. Finally, and most importantly, clients should understand that performance audits and consulting services engagements each have their place and serve unique purposes. A performance audit offers independence and objectivity at a step above a consulting services engagement, and might be the best option if a rigorous audit of a program or agency is needed. This is where the consideration of the agency’s need is paramount. There may not always be the budget or time available to conduct a comprehensive performance audit, nor a need for an in-depth evaluation or a legislative requirement to do so. In these instances, a consulting services engagement is a good option, especially when time and budget are factors. A consulting services engagement can provide a sufficient report with recommendations and advice. However, it’s important to make the agency aware of the limitations of non-audit services. In addition, the audience of the final report product and any regulatory requirements should strongly influence the decision-making process.

Forthcoming articles in this series will drill down and focus in more detail on the professional standards associated with performance audits as compared to other types of engagements, “why” an agency would want a performance audit instead of a consulting engagement or an agreed-upon procedures engagement, when a performance audit would be recommended, what key factors should be considered, and what are the expectations of the audience of the report. The third article in this series will focus on the reporting elements of a performance audit and a sample performance audit report.

*3  Attestation engagement standards are covered in GAGAS Chapter 7, and include agreed-upon-procedures, reviews, and examination engagements. Attestation examinations have the highest level of assurance, as an opinion is given; not so for the others. Auditors may use GAGAS in conjunction with other professional standards such as American Institute of Certified Public Accountants (AICPA), International Auditing and Assurance Standards Board (IAASB), or Public Company Accounting Oversight Board (PCAOB) standards. For financial audits and attestation engagements, GAGAS incorporates by reference for AICPA Statements on Auditing Standards and Statements on Standards for Attestation Engagements. In addition, the AICPA promulgates the consulting standards. AICPA standard committees have taken the position that only the U.S. Government Accountability Office (GAO) sets performance audit standards.

CLICK HERE to download article from AICPA >

SOURCES OF INFORMATION AND DOCUMENTATION CONSIDERED

  • Government Auditing Standards, issued by the Comptroller General of the United States
    – July 2018 Revision (effective for performance audits beginning on or after July 1, 2019; effective for attestation engagements for periods ending on or after June 30, 2020; early implementation is not permitted)
  • United States General Accounting Office. Best Practices Methodology – A New Approach for Improving Government Operations. May 1995

About the Author

Scott Johnson has 35 years of experience in government administration, with a focus on successfully overseeing internal service operations including; debt management, information technology, human resources, municipal finance, and budget. He has led large and mid-sized operations for California government agencies including the cities of Santa Clara, Milpitas, San Jose, Oakland, and Concord and the County of Santa Clara. Scott is a past president of the California Society of Municipal Finance Officers (CSMFO) and a member of the AICPA Government Performance and Accountability Committee (GPAC). He is currently a partner with Macias Gini & O’Connell LLP (MGO), leading the Advisory Services sector specializing in State and Local Governments, based out of California. He welcomes any questions or comments via email: [email protected].

Greta MacDonald, MPA – Special recognition is given to Ms. MacDonald for her contributions and research for this article. Ms. MacDonald is a Director with MGO in the State and Local Government Advisory Services division. She has over 17 years of experience conducting over 35 performance audits in accordance with GAGAS, which is her specialization area.

Disclaimer: The views expressed in this article are those of the author and do not reflect the official policy or position of the GAO, AICPA, or Macias Gini & O’Connell LLP.