- Written by: T. Steel Rose, CPA
After SAS 70 audits were used improperly, the AICPA replaced the standard with SSAE 16. While attempting to correct the problem, the AICPA produced three variations of SSAE 16 for service organizations. SOC 1, like SAS 70, is for financial internal controls. SOC 2 is for data security. SOC 3 is a general use report based on Trust Service Principles. It takes a little research to untangle the variations, but it’s worthwhile to know where the reports fit to respond to client needs.
SSAE 16 (effective on June 15, 2011) is the attest standard for issuing SOC 1 reports. A SOC 1 report is the result of reviewing the internal controls of an organization that pertain to producing financial statements. This is where the improper use of SAS 70 took place. Companies who received SAS 70 reports stating that their internal controls were adequate to produce financial statements were using the report to infer overall data security in their organization. Some also claimed to be SAS 70 Certified.
The SAS 70 report on financial internal controls was replaced with the SSAE 16 SOC 1 report and still comes in two flavors. The Type 1 report expresses an opinion based on a snapshot date in time. The Type 2 report covers a period of time, for example, the six months ending December 31, 2012. While modifying the new SOC 1 report, the AICPA also added the SOC 2 and SOC 3 reports. The SOC 2 report covers the data security areas where the SAS 70 report was used improperly. SOC 2 reports are used for service organizations reporting on controls outside the scope of financial reporting. Both the SOC 1 and SOC 2 are special use audits designed for use by management of the service organization and to be provided to a user organization. They are not general use reports designed to be broadcast to the world.
A SOC 3 report uses the same predefined trust services criteria as a SOC 2 report, without the auditor’s opinion. A SOC 3 report contains a brief, unaudited description of the system, without a detailed description of the test of controls. Unlike a SOC 2 Type 1 examination, a SOC 3 examination must take place over a period of time. The SOC 3 report also comes with a seal that clients can use on their website and in their collateral marketing material.
A few definitions may help unravel the uses for this emerging audit service. First of all, SOC stands for Service Organization Control. A user organization is the company, like a bank, that is outsourcing a process. A bank that outsources a service such as debt collection hands that work to a service organization, in this case a collection agency. The resulting report is usually an unqualified opinion expressed by a CPA. The result does not make a service organization SSAE certified, any more than it was ever SAS 70 certified.
SSAE stands for Statement on Standards for Attestation Engagements. Statement No. 16 represents a migration toward the International Federation of Accountants ISAE 3402 Auditing Standard. Both require a written assertion about organization controls by management. The now outdated SAS 70 standard called only for a description of controls in place.
SOC 2 and SOC 3 reports use AT Section 101 as the professional standard for service auditor guidance to issue reports on controls. AT Section 101 refers to the codification of attestation standards described in section 101 relating to engagements where a CPA issues a report on agreed-upon procedures or issues an opinion about a particular subject matter.
A SOC 2 report issues an opinion on whether “the system” has security, availability and processing integrity by answering several questions such as: Does it have the security to protect against unauthorized access physically and logically? Is it available for operation and use as committed? Is the processing complete, accurate, timely, and authorized? Confidentiality refers to the secure protection of the information held by the service organization, and Privacy specifically to the protection of personal information. “The system,” referred to above, normally provides a list of control objectives and describes the services provided along with the supporting processes, policies, procedures, personnel and operational activities of the service organization's core activities that are relevant to the user organization.
The SOC 3 report is issued in accordance with the Trust Service Principles using the AICPA and the Canadian Institute of Chartered Accountants (CICA) framework for Trust Services Principles. SOC 3 is used for service organizations who need a general-use report instead of, or in some cases, in addition to, a SOC 2 report. The service organization may not wish to provide details of controls that meet the criteria required for a SOC 2 report. In many cases a SOC 3 will not provide a user with sufficient detail about the design and operation of controls.
Time will tell if SSAE 16 solves the problems created by the overambitious use of SAS 70 since the inception of the auditing standard in April of 1992. One thing SSAE 16 has done is extend CPAs’ attestation beyond financial internal control and into data security reporting.
- Written by: Gary Adamson, CPA
Almost every firm that I work with has a succession issue in the near term. Baby boomers are retiring at an accelerating rate and firms are coping (or not) with the transition issues surrounding those exits.
One of the topics of conversation, especially in this environment, is whether the firm has a mandatory retirement age in its partner agreements. If it does, how does the process work, what is the definition of retirement, what is the right age, and how should employment after retirement be structured?
It is almost counterintuitive that firms would want mandatory retirement ages in their agreements when they are struggling with how to replace their partner ranks. The right answer is that you need to do both in a healthy firm: control and manage retirements and at the same time have the horses in place to succeed those retiring partners.
Protect the firm
It is critical that CPA firms have a stipulated, mandatory retirement age and plans in place to make it work to the advantage of both the individual partners and the firm. First and foremost is the notion that you must protect the firm first and it is more important than the interests of any individual partner. I hope that premise does not need justification or debate.
Set the date
A CPA firm needs to control the retirement dates of the partners. In other words, there should be a required age in the partner agreements when the partner will retire. There is no mystery or uncertainty. Everyone knows the date. The firm knows when to begin dealing with client transition and planning for the event. The remaining partners can build in a process and a schedule to make sure retirement is handled properly, in contrast to letting each partner make the determination about the date of retirement (telling the firm when, or if, they feel like it).
Each firm needs to define what it means by “retirement”. It is the date when the partner’s ownership interest is redeemed, the partner has transitioned his or her partner responsibilities, and he or she no longer functions in the firm as a partner with partner responsibilities and relationships.
What is the right age for a required retirement? The age itself is not as important as having the date. There are a lot of firms that use age 65, but there has been quite a bit of movement in the profession in recent years to extend that. In the 1980s and 1990s the required age was trending downward, in some cases to the low sixties or even fifties. But firms are back to age 65 and beyond, in some cases to age 70. I consulted with a firm recently that was using age 68. Remember that it is the fact that you stipulate a date that is important, not the age itself. Also, remember that the firm can always extend the date for a high energy, high output partner, but it is very difficult to reduce it for a partner for whom it is time to go.
Client transition
If you have the required date nailed down, how do you plan as the date approaches? Assuming that, as in most firms, you have an unfunded retirement benefit that the firm will be paying to the retired partner, the asset that you will use to pay that is the partner’s client base. If you don’t retain those clients, how will you pay that retirement benefit? You won’t! The transition and retention of those clients must be part of the plan and progressive firms are requiring that a transition plan be completed by the retiring partner to receive full retirement benefits. This transition process is a difficult thing for most partners to do as it means giving up relationships that are in many cases very personal. But, done well and timely, it is the best insurance a retiring partner has that they will receive those unfunded retirement payments down the road.
A two to three year client transition period is preferred with two cycles (client year ends) for business clients being the minimum. The point here is that there needs to be a written client transition plan with the retiring partner. If he or she completes that, then there should be no penalty or reduction of retirement benefits if a client subsequently leaves the firm.
Post retirement employment
As the retirement date approaches, the retiring partner should have less and less to do as other partners and staff in the firm assume the client responsibilities. When the retirement date arrives, the retiring partner should be able to truly retire from the firm and leave. But that rarely happens. Most firms and most retired partners will continue some form of employment, post retirement. Here is the key: the continued employment should be for specific defined duties such as review work, bringing in new clients, and special projects. It is generally on a part time schedule and it is at the option of the firm. It is not a continuation of what you were doing, such as serving clients in a partner capacity.
The retirement of CPA partners in a fashion that protects the firm is a critical part of succession planning. If CPA partner agreements do not provide guidance and requirements surrounding the age of retirement, pull them out of the drawer, dust them off and make the revisions to address this major issue, and protect the firm.
Gary Adamson is the President of Adamson Advisory, specializing in practice management consulting for CPA firms. He can be reached at 765-488-0691 or
- Written by: Tina Harris
In the aftermath of accounting scandals, financial crimes, and business collapses, the rapidly growing specialty of forensic accounting continues to define itself. The need for forensic accountants (FAs) in government, industry, and public accounting continues to grow. There is also an incredible need within law firms for the specialized skills of FAs. Litigation often involves multiple, complex accounting and legal issues that overlap and intertwine. FAs with broad business backgrounds and forensic experience are a vital resource to the litigation team and provide valuable insight into financial issues.
“By having a forensic accountant within the firm, we are able to utilize her financial skills early on as we evaluate new matters. Time requirements for locating, interviewing, clearing conflicts, and scheduling meetings with outside experts are minimized,” said Jim Medford, litigation practice area leader for Smith Moore Leatherwood, a regional law firm with offices across the Southeast. “With a forensic accountant in-house, we can offer our clients more sophisticated services and cost savings in one stroke, and ultimately, that’s what they are looking to us to do.”
The skill sets of traditional accountants do not always transition well into forensic services, where strong analytical thinking and oral and written communication skills are essential. For FAs possessing these skills, a law firm can offer an exceptionally wide variety of both interesting and challenging work. By analyzing, interpreting, summarizing and presenting financial issues in an understandable format, FAs assist attorneys in identifying a case’s key issues.
As an agent of the law firm, internal FAs are not required to testify or to issue expert reports to the opposing side about their findings. They may communicate freely with attorneys as these communications are not discoverable by the opponents. When outside financial experts are needed for testimony, internal FAs assist in finding experts with the requisite skills and experience. The FA may also assist in preparing experts for trial. In investigating the financial facts of a case, much of the information needed by the outside expert will already have been obtained, organized and summarized by the internal FA.
The law firm-accountant relationship has the potential to grow and can be mutually beneficial as firms realize the benefits of having an internal FA and accountants seek creative ways to use their skills and experience. Working with a law firm as a consulting or testifying expert provides opportunity for the accountant to develop relationships within the firm, to understand the firm’s culture and to find ways that he or she could benefit the firm. An internal FA can be a powerful resource for law firms of all sizes, but the FA must persistently demonstrate this exceptional value.
Skilled examiners seeking employment in a law firm need a broad CPA background, including knowledge of accounting principles and applications, auditing, and tax. A number of organizations offer specialized forensic training and certifications. The Forensic and Valuation Services section of the AICPA (American Institute of Certified Public Accountants) introduced the CFF (Certified in Financial Forensics) in May 2008. This certification requires that members be licensed as CPAs, pass an examination, have forensic services experience and maintain continuing education requirements.
Tina Harris is an internal forensic accountant at Smith Moore Leatherwood LLP, and a member of AICPA Forensic & Valuation Services Section.
- Written by: CPA Magazine
Across
2. Appreciated
4. Dividends
6. Exclude
8. Gifts
10. Defer
13. Accelerate
14. Receipt
16. RMD
17. Bonus
18. Flexible
Down
1. Convert
3. Dispose
5. Withholding
7. Education
9. Purchase
11. Exemption
12. Appraisal
14. Recognize
15. Consult