The New World of the Computer Hacker – and Forensic Technology Specialists - March 2016


1) EisnerAmper LLP, Accountants and Advisors. www.eisneramper.com. Trends & Developments, March 2016. EisnerAmper Recognized as Leading Accounting Firm 3 Consecutive Years (2014, 2015, 2016)! The consistent alternative to the Big 4. In this issue: Estate Planning: News from the Heckerling Institute on Estate Planning; Fraud Prevention and Detection: Pre-Emptive Fraud Auditing; Computer Forensics: The New World of the Computer Hacker – and Forensic Technology Specialists; Hospitality Management: Loyalty and Cybersecurity: Don’t Risk a Breach; Firm News: EisnerAmper LLP Announces New Executive Corporate Structure.

2) ESTATE PLANNING

News from the Heckerling Institute on Estate Planning

The 50th annual Heckerling Institute on Estate Planning recently convened in Orlando, Florida. Heckerling is the largest and most prestigious estate planning conference in the nation. Several EisnerAmper professionals attended this year’s Institute and blogged about current hot topics. Following is a summary of some of the discussions:

• Estate Planning for Same-Sex Couples and Unmarried Couples After Obergefell: Detriment or Opportunity?
• The Nuts and Bolts of Charitable Remainder and Charitable Lead Trusts
• Special Needs—Special Trusts: What You Do Not Know Can Hurt Your Clients and You!
• Navigating the Shoals of Nonprofit Board Service: The Legal and Ethical Issues that Can Take You Off Course
• A Fine Tasting Opinion: The Art of Reviewing an Appraisal, Ethically Protecting Privileges and Popping the Cork off of Kovel
• Don’t Be Afraid of the Dark—Navigating Trusts Through NIIT
• Planning for Clients with Diminished Capacity

Estate Planning for Same-Sex Couples and Unmarried Couples After Obergefell: Detriment or Opportunity?
By Barbara Taibi, CPA

Joshua S. Rubenstein of Katten Muchin and Rosenman LLP and William P. LaPiana from New York Law School presented a very informative session on estate planning for same-sex and unmarried couples under the current environment. It provided several income tax and estate planning scenarios where the decision requires attention to estate plans in effect and income tax planning for 2015 and forward.

As a brief summary of where we stand now, on June 26, 2015, the U.S. Supreme Court ruled that a state ban on same-sex marriage is unconstitutional, in violation of the equal protection clause of the Fourteenth Amendment. This landmark ruling in the combined cases known as Obergefell v. Hodges struck down every state ban on same-sex marriage in the country, and by virtue of this ruling, Section 2 of DOMA was also struck down, which declared that states have the right to deny same-sex marriages licensed in other states. In 2015, all states now follow federal law so for the very first time we are finally in a position where all married couples — same-sex or not — are treated equally for tax purposes.

For estate tax purposes, it is important that same-sex couples who may have done planning prior to marrying or prior to their marriage being recognized re-visit their estate plan. Mr. Rubenstein provided some planning opportunities; the following outlines a few to consider:

• Get married to take advantage of the unlimited marital deduction. Now that same-sex marriage is legal in all 50 states and Washington DC, those couples who have been holding off getting married or who have entered into civil unions or domestic partnerships should get married if they desire to take advantage of the federal benefits afforded to married couples, such as the unlimited marital deduction from federal estate and gift tax.

• Review current estate planning documents to ensure that the amount and structure of any spousal bequests remain appropriate. Existing estate planning documents may have been prepared under the assumption that any gift or bequest to a spouse of the same-sex couple over and above the individual’s Applicable Exclusion Amount would be subject to federal estate tax (currently at a rate of 40%). However, that assumption is no longer true, and such gifts and bequests, if properly structured, are

3) now entitled to the unlimited marital deduction. Accordingly, a married same-sex couple may wish to modify their estate planning documents to provide that any assets included in their estates in excess of the Applicable Exclusion Amounts will pass to the surviving spouse, either outright or in a properly structured marital trust for the spouse’s benefit, thus deferring all federal estate taxes until the death of the surviving spouse.

• Review retirement account beneficiary designations and joint and survivor annuity elections to ensure that they remain appropriate. A surviving spouse is entitled to roll over a decedent spouse’s retirement account into the surviving spouse’s retirement account without being required to take minimum distributions or lump sum distributions until such time as the surviving spouse ordinarily would be required to take minimum distributions (usually upon attaining age 70½). Since this benefit is now available to married same-sex couples, spouses should consider naming each other as the beneficiary of his or her retirement accounts in order to defer income tax recognition as long as possible.

• Consider replacing individual life insurance policies with survivor policies. Many same-sex spouses previously purchased individual life insurance policies of which the other spouse is the beneficiary in order to provide the surviving spouse with sufficient liquid assets that may be used to pay federal estate taxes due upon the death of the first to die. With the unlimited marital deduction and DSUE available to married same-sex couples, there may be no need for such liquidity upon the death of the first spouse to die. Thus, a married same-sex couple should consider whether such policies should be maintained or replaced with so-called “second-to-die” policies that pay benefits only upon the death of the surviving spouse. Such policies provide liquidity to children or other beneficiaries of the married same-sex couple, and are generally less expensive than individual policies having the same death benefits.

• Consider splitting gifts between spouses. Until now, each spouse could make gifts only up to the annual exclusion amount from federal gift tax and federal generation-skipping transfer tax (the “Annual Gift Tax Exclusion Amount” and the “Annual GST Exclusion Amount,” respectively — each currently $14,000) without using any portion of his or her Applicable Exclusion Amount. Going forward, however, each spouse may now make gifts from his or her own assets and, with the other spouse’s consent, have such gifts deemed to have been made one-half by the other spouse for purposes of federal gift tax and GST tax laws. This way, both spouses currently may give up to $28,000 to any individual without using any portion of either spouse’s Applicable Exclusion Amount.

While these are just a few suggestions that should be looked at immediately, there are many reasons that married same-sex couples should be speaking to their attorney and accountant immediately.

The Nuts and Bolts of Charitable Remainder and Charitable Lead Trusts
By Kathryn Allgor, CPA

Michele A.W. McKinnon of McGuireWoods LLP and Richard L. Fox of Dilworth Paxson LLP led an in-depth discussion of the intricacies of charitable remainder trusts (“CRTs”) and charitable lead trusts (“CLTs”). Both of these planning techniques provide benefits to high-net-worth individuals that are seeking either income or estate tax planning, coupled with charitable intent. Both CRTs and CLTs can be structured as annuity trusts where the annual payments are based on a fixed percentage of the initial trust value or dollar amount, or as a unitrust where the annual payments are based on a percentage of the value of the trust principal (as valued each year).

The basic function of a CRT is to enable a taxpayer to transfer property to an irrevocable trust, which in turn will return a stream of payments over a fixed period of time to

4) a non-charitable beneficiary (either to the original settlor, or some other individual). At the end of the fixed term, the remainder of the trust property must pass to one or more qualified charitable organizations, or continue to be held in trust for those charities. A CRT is generally seen as an income tax planning technique ideal for individuals with highly appreciated capital gain property, since the sale of that property (once placed in the CRT) will escape capital gains tax and other associated taxes on investment income (including NII tax, state income tax, or even increased tax rates on collectibles). Although the payments to non-charitable beneficiaries will be subject to income tax on an annual basis, the ability to sell an appreciated asset without income tax at the trust level can provide for increased cash flow and asset diversification. If the CRT is established during the lifetime of the individual, the donor (or settlor of the CRT) will receive a current income tax and gift tax deduction based on the remainder interest passing to the charity. If the CRT is established at death, an estate will receive a charitable estate tax deduction instead.

A CLT is used more frequently for estate tax planning purposes and is generally seen as the reverse of a CRT. In a CLT, income is paid to a charity for a specified term and upon the term end, the assets pass to non-charitable beneficiaries. If established during a donor’s life, a CLT is effective at removing appreciating assets from an estate, without limits on charitable deductions. If established upon death, the estate will be able to claim a charitable deduction for the income payable to the charity. Both inter-vivos and testamentary deductions are based on the present value of the income payments made to the charitable organization over the term of the CLT. The assets used to fund a CLT would ideally appreciate over the term of the trust, so as to provide sufficient income for annual charitable payments, and provide increased value in the remainder assets passing to the non-charitable beneficiaries.

As with CRTs, the rules surrounding qualified CLTs are intricate, and require a skilled advisor to help navigate both drafting and administration. Unlike a CRT, the charitable beneficiaries are often unnamed in the trust document, and trustees or other responsible parties are granted broad discretion for these distributions. The speakers cautioned against the grantor’s retained rights to participate in any of these decisions, as it could cause an unintended inclusion in the grantor’s estate under IRC § 2036.

In each case, practitioners and clients are advised to give careful consideration to the establishment of a charitable trust. They should contemplate their own philanthropic intentions and family commitments, along with monetary concerns, such as cash flow needs, income tax, and estate tax in conjunction with their overall planning goals.

Special Needs—Special Trusts: What You Do Not Know Can Hurt Your Clients and You!
By Stephanie Hines, CPA

Bernard A. Krooks of Littman Krooks LLP provided the attendees of the Heckerling Institute on Estate Planning an overview of special needs planning and special needs trusts (“SNTs”). One of the primary goals of special needs planning is to allow an individual with a disability to qualify for government benefits, while maintaining a source of additional funds to pay for expenses not covered by such benefits. This goal sets a certain standard for special needs planners and advisors who should have a working knowledge of not only tax law, but trusts and estates, public benefits and various state laws.

The primary government benefit available to an individual with a disability is Medicaid. Medicaid is a jointly funded,

5) federal and state program that will generally pay for medical expenses, including long-term care. Another benefit available for an individual with a disability is Supplemental Security Income (“SSI”). SSI is not social security; it is a federal program which pays a monthly stipend to the individuals that qualify. In addition to food and shelter, SSI may also cover expenses related to the cost of group homes or other residences. Both the Medicaid and SSI programs are “means-based” which means that to qualify, an individual must not exceed certain income levels and asset requirements. This is where SNTs become relevant.

To achieve the goal of qualifying for government benefits, there are 3 entities that can be established. Two entities are SNTs; first-party SNTs and third-party SNTs, with the principal difference being the source of funding. First-party SNTs are funded by assets owned by the individual with a disability, whereas third-party SNTs are funded by assets owned by individuals other than the individual with a disability. The third entity is a pooled trust. Pooled trusts are similar to first-party SNTs, as they are funded with assets owned by an individual with a disability, with the difference being that pooled funds are managed/operated by a not-for-profit. Each of the above entities requires certain provisions to be met in order for the individual to qualify for government benefits, otherwise Medicaid concerns become a reality.

The ABLE (Achieving a Better Life Experience) Act, signed into law during December 2014, established Section 529A of the IRC. These accounts are modelled after Section 529 plans, in that they grow income tax-free; however, they are structured in order for individuals to fund a separate account in the name of an individual with a disability (the beneficiary). In addition, if certain requirements are satisfied, these accounts will not disqualify the individual beneficiary from qualifying for government benefits.

There have been a number of common considerations and errors that have generated Medicaid concern or, even further, disqualified an individual with a disability from receiving government benefits, such as:

1. Not providing flexibility in drafting
2. Not creating third-party SNTs for individuals age 65 or over
3. Creating a first-party SNT for an individual age 65 or over
4. Requiring mandatory distributions
5. Spending assets in a third-party SNT prior to a first-party SNT

…and these are to name just a few.

The bottom line, as suggested by Mr. Krooks, is to work with the appropriate service providers whose niche is in the area of special needs planning. “What you don’t know can hurt your clients and you.”

Navigating the Shoals of Nonprofit Board Service: The Legal and Ethical Issues that Can Take You Off Course
By Marie Arrigo, CPA, MBA

Kathryn W. Miree of Kathryn W. Miree & Associates, Inc. spoke on how important not-for-profit board service is in our country. Board members serve a critical role in the complex network of not-for-profits that provide vital services to our communities. They have the critical skills, expertise, and funds to enable philanthropy. Charitable organizations in the U.S. contribute substantially to the quality of life in the U.S. In 2012, more than 1.4 million not-for-profits contributed $88.73 billion to the U.S. economy (5.47% of the nation’s GDP). These charities generated revenue of $1.65 trillion and held assets of $2.99 trillion. Not-for-profits employ 10.1% of the workforce.

Today’s board members serve in an era of increased scrutiny from state attorneys general, federal agencies, watchdogs and donors. To serve effectively as a board member and avoid the personal impact of poor legal and ethical decisions requires a clear understanding of applicable laws and the board member’s fiduciary role. The fiduciary role focuses on exercising a high standard of care in managing the charity’s assets. The board is responsible for setting the strategic direction for the organization and for thinking strategically as it makes decisions for the organization.

The key fiduciary responsibilities, which are largely codified in state statutes, are:

6) 1. Duty of care, which requires a board member to participate in the activities of governance and provide operational and policy oversight. Directors must exercise a reasonable level of care in making decisions on behalf of the organization. This would include participating in board and committee meetings and reviewing the charity’s budget, fundraising results, audited financial statements and investment returns. Directors are not generally liable for bad decisions, as long as the decisions were made in good faith and without a conflict of interest.

2. Duty of loyalty, which says that the director must place the interests of the charity above his/her personal interests. The focus is on disclosure, confidentiality and avoiding conflicts of interest.

3. Duty of obedience, which requires a board director to ensure that the charity carries out the organization’s mission, as defined in its governing documents. The director must comply with all applicable laws.

Ms. Miree also discussed several practical duties as detailed by the BoardSource publication, The Ten Responsibilities of Nonprofit Boards. These responsibilities include selecting, supporting, and evaluating the chief executive officer, monitoring and strengthening programs and services, and ensuring adequate financial oversight.

The IRS is the chief federal regulatory agency for not-for-profits. Charities apply for exempt status by filing the Form 1023. Charities annually file a Form 990 with the IRS. Directors have a responsibility to review the Form 990 prior to submission to the IRS. Also, after the Pension Protection Act of 2006, the IRS can now share information with the states. The role of the attorney general is to represent and protect the charitable interests in the state as well as enforcing the laws applicable to charitable organizations in the state.

In conclusion, board service plays a critical role in our society, and is often a rewarding personal experience. It is also important to note that there are responsibilities that come with being a board director.

A Fine Tasting Opinion: The Art of Reviewing an Appraisal, Ethically Protecting Privileges and Popping the Cork off of Kovel
By Joan D’Uva, CPA, ASA, CFE

Stephanie Loomis-Price of Winstead, PC and Louis S. Harrison of Harrison, Held, Carroll and Wall, LLP provided guidance to advisors in reading and commenting on valuation reports. The emphasis was on the defensibility of preparing transfer tax returns and privileges in hiring appraisers. The focus was on business appraisal reports used to support values used in transfer tax returns.

Ms. Loomis-Price suggests selecting a qualified independent appraiser; look for credentials. Some of the credentialing organizations include the American Society of Appraisers, the Institute of Business Appraisers and the National Association of Certified Valuation Analysts. Without valuation credentials, the appraisal report may be disregarded by the courts.

Have a methodology as to how to review the appraisal report. Ask questions rather than making edits to the report in order to preserve the appraiser’s independent opinion. Details are important! Review grammar and look for typos. Be sure to check quotes and cites. Checking math may seem basic but is necessary. Ask yourself, does the valuation opinion pass the smell test? Is the conclusion logical and are the facts correct? Courts look for thoroughness, integrity and logic. Be sure that the appraisal takes into account Revenue Ruling 59-60 which sets forth the factors to consider in the valuation of a small closely-held company.

7) Mr. Harrison talked about the many methods of valuing a business. The basics are that all methodologies will fall into one of three approaches: income, market or asset. Income approaches that are based on projected income or cash flows involve determining a discount rate. Generally, income streams or cash flow streams used in the income approach will be tax-effected for C corporations. There is some debate as to whether such income streams or cash flow streams should be tax-effected for S corporations. Recently, the courts have taken the position that S corporation income should not be tax-effected. This results in a higher value. Many appraisers disagree with not tax-effecting the income or cash flows.

Market approaches involve determining a multiple. A favored methodology which is a market approach is a multiple of EBITDA (Earnings Before Income Taxes, Depreciation and Amortization). Determining the market multiple of EBITDA starts with a search for comparable or guideline public companies. Calculations are performed to determine the price to earnings or EBITDA. Typically, the mean or median is selected. Mr. Harrison warned to be careful in enumerating the reasons for the selection of the multiple to support the multiple selected to apply to the company being valued. Such factors may include competition, number of customers, quality of workforce, compressed margins and size of company. Mr. Harrison favors the market approach and in particular the multiple of EBITDA method for S corporations because tax effects are very subtle.

The asset approach is typically used to value family limited partnership interests. The assets of the family limited partnership such as marketable securities are valued as if they are being liquidated. This approach is less complex than the income and market approaches and is not often used for operating entities.

Appraisals can be very complex and detailed so it is important to review them carefully yet allow the appraiser to maintain his or her objectivity. Ms. Loomis-Price and Mr. Harrison warn that the client should review the report before it is finalized to be sure that the facts are correct and the appropriate comparable companies have been selected. All of the points discussed will help to refine the appraisal and make sure that transfer tax returns are prepared most defensibly!

Don’t Be Afraid of the Dark—Navigating Trusts Through NIIT
By Karen Goldberg, JD, LLM

Robert Romanoff of Levenfeld Pearlstein, LLC discussed the implications of the net investment income tax (“NIIT”) on the design, creation and administration of trusts and suggested that trusts should be designed and administered with a focus on minimizing the NIIT to the extent consistent with the grantor’s intent. In the case of trusts primarily consisting of investment assets, this tax can impede the growth of the trust assets. Most strategies to reduce a trust’s exposure to NIIT involve the current distribution of income to beneficiaries who won’t be subject to the NIIT, something that may be contrary to the grantor’s objective of creating a long-term generation-skipping trust to minimize the exposure of the assets to estate tax.

Mr. Romanoff suggested that a single trust for the collective benefit of a group of beneficiaries (a “one-pot trust”) is better from a NIIT perspective than separate trusts for each beneficiary. This is because with a one-pot trust, the trustee can time distributions and allocate income among beneficiaries who may not be subject to NIIT, whereas with a separate trust for each beneficiary that opportunity would be limited. In addition, he suggested that distributions to younger family members, rather than their parents, can be attractive from a tax perspective because even though the kiddie tax would apply to the distribution, it would not be subject to the NIIT unless the minor had a significant amount of net investment income which in most cases would be unlikely.

Mr. Romanoff also suggested that practitioners should consider changing how they draft distribution standards. The use of an ascertainable standard, even though attractive for other reasons, may not allow for planning to minimize the NIIT. With such a standard, the trustee may not have discretion to make distributions to beneficiaries in an effort to reduce the trust’s NIIT. To give a trustee greater flexibility with respect to distributions, Mr. Romanoff suggested a non-ascertainable “best interests” standard for distributions.

8) Finally, Mr. Romanoff addressed the importance of the selection of trustees, especially if the trust holds a business interest. The choice of trustee in the case of a non-grantor trust will control whether the income/loss from a business interest is passive or not. This is because whether the trust materially participates in an activity depends upon the trustee’s level of participation.

Planning for Clients with Diminished Capacity
By James Jacaruso, EA

Disability, as defined by the Americans with Disabilities Act, is an individual’s physical or mental impairment that substantially limits one or more major activities of that individual. Studies have shown that disability rates rise with age and longer life expectancies. The number of people with a disability has increased at a staggering rate.

Practitioners should consider drafting documents that provide flexibility to avoid an adversarial guardianship. Thoughtful estate planning documents may survive a guardianship or, at a minimum, memorialize the individuals’ wishes. Consider succession provisions in any document designed to take effect when an individual is “unable to act,” “incapacitated” or “incompetent.” The documents should:

1. Provide successors to themselves on estate documents and give successors the authority to name additional successors.
2. Set forth the individual’s wishes by listing their values and desires to ensure coordination of the financial and health care wishes of the incapacitated.
3. Coordinate that all documents are consistent with the incapacitated person’s desire, but allow amendments for unforeseen circumstances.
4. Anticipate the potential for family conflicts and include resolution provisions.
5. Include instructions for hypothetical health (care) issues.

In addition, the practitioner and the individual should:

1. Consider if ongoing estate planning should be addressed.
2. Consider preparing documents in the most favorable state where a home may be owned.
3. Determine which individuals should have access to HIPAA codes.

Protecting the assets of an incapacitated individual from imprudence or abuse is of the utmost importance to implement and sustain the individual’s action plan and preserve the estate plan. These are challenging initiatives that should be undertaken and communicated with family members and health care providers.

Questions? Feel free to contact our authors:

Barbara Taibi, 732.243.7305, barbara.taibi@eisneramper.com
Kathryn Allgor, 732.243.7458, kathryn.allgor@eisneramper.com
Stephanie Hines, 212.891.6046, stephanie.hines@eisneramper.com
Marie Arrigo, 212.891.4232, marie.arrigo@eisneramper.com
Joan D’Uva, 732.243.7382, joan.duva@eisneramper.com
Karen Goldberg, 212.891.4005, karen.goldberg@eisneramper.com
James Jacaruso, 347.735.4655, james.jacaruso@eisneramper.com

9) FRAUD PREVENTION AND DETECTION

Pre-Emptive Fraud Auditing
By David A. Cace, CPA and Saurav K. Dutta, Ph.D., State University of New York at Albany

Books of accounts and records have existed in some form for thousands of years going back to ancient Egypt and other civilizations in the Middle and Near East, the Zhao Dynasty in the Far East, as well as the Greek and Roman republics in the West. Such record keeping was usually maintained to comply with government taxation requirements. Access to accounts and records was often restricted and record-keeping duties were often segregated as early forms of internal control began to develop. Any record-keeping inconsistencies found through government tax “audits,”[1] however, weren’t tolerated and carried severe consequences, especially if such inconsistencies were thought to have been committed intentionally.

In today’s global economy, multiple regulators, creditors, business partners, suppliers, and customers are placing information demands on organizations far beyond those required by the taxing authorities of the past.[2] Moreover, donors, and the public in general, are more engaged today than in years past and have similar information requests from not-for-profit organizations and government entities as well.[3] These constituencies, as well as boards of directors, trustees, and audit and other committees charged with governance, are all seeking greater transparency and accountability from management regarding the integrity and effectiveness of an organization’s internal controls, including how management addresses the potential that fraud will subvert the achievement of its objectives.

The COSO Internal Control – Integrated Framework

The COSO Internal Control – Integrated Framework[4] has become the generally accepted standard for designing and implementing systems of internal control and assessing the effectiveness of internal control.[5]

While the COSO Framework was updated in 2013, its definition of internal control and the components of internal control have remained unchanged from the original framework:

Definition of internal control:
• Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance.

Components of internal control: 1) Control environment 2) Risk assessment 3) Control activities 4) Information and communication 5) Monitoring activities

Internal control is not unidimensional. A deficiency or a change in one of the components can have repercussions throughout all the components, which should be appropriately addressed by management. For example, risk assessment not only influences the control environment and control activities but also may highlight a need to reconsider the entity’s requirements for information and communication or for its monitoring activities.[6]

Addressing Fraud with a Strong Control Environment

In establishing a control environment, management must consider the potential for fraud in assessing risks to the achievement of an entity’s objectives and be knowledgeable about the various ways that fraud can occur. As part of the process for identifying and analyzing

10) fraud risks, management forms a basis for determining how such risks should be managed[7] and establishes control and monitoring activities, formalized in policies and procedures, to help ensure that management directives to mitigate fraud risks to the achievement of objectives are communicated and carried out.[8]

While no control activity can stop a person who is determined to commit a fraud from doing so, a strong control environment, combined with an understanding of the incentives to commit fraud, acts as a form of preventive control against fraud by making the potential perpetrator assess the high risk of getting caught. Conversely, a weak control environment provides opportunity to those thinking of committing a fraudulent act because the risk of getting caught is low.

In this regard, a variety of transaction control activities can be selected and developed to address fraud risk, which in its basic form includes such actions as authorizations and approvals, verifications, reconciliations, and restrictions (physical controls and technology access controls). Segregation of duties and job rotation are typically built into the selection and development of such control activities. Additionally, variance analysis can be used to manage operations and identify possible areas of fraud by directing attention to areas that appear unusual; the preventive control being the establishment of budgeting and standard cost accounting systems that compare actual results to budgets or standards and the detective control being management follow-up in investigating the reasons for a variance from the budget or standard, which may be indicative of fraud, or at the very least require a management response to correct an apparent operational problem.

Pre-Emptive Fraud Auditing

The primary factor that distinguishes fraud from error is whether the underlying action is intentional or unintentional. Moreover, attempts are made to conceal fraud. This makes looking for fraud a lot like looking for the proverbial needle in a haystack, or as a recent U.S. Secretary of Defense put it, “We don’t know [what] we don’t know.”[9] EisnerAmper’s pre-emptive fraud auditing approach addresses the “unknown unknowns” by proactively anticipating scenarios where fraud may occur and designing monitoring activities[10], using data-mining techniques combined with statistical and other quantitative analysis, to identify possible instances of fraud.

Data Mining and Statistical Analysis

Business transactions generate data to accomplish the primary purpose for which it was collected; for example, the preparation of financial statements and various types of management reports. When this primary data is accumulated entity-wide, however, it becomes a standalone island of unrelated information, or secondary data. The objective of data mining is to take disparate data and convert it into relevant information, transforming an organization from an accumulator of unrelated data into a proactive responder to risk.

Data-mining techniques can be developed to look for patterns and trends not evident in large amounts of secondary data, looking for the unknown unknowns in an attempt to draw inferences from such patterns and trends. For example, a database may include data that does not conform to the general rule derived for the data set or the general behavior of other data elements.[11]

No single professional discipline possesses the knowledge and expertise needed to identify data anomalies that require further investigation. A combination of experts – such as information-technology professionals, corporate and compliance attorneys, subject matter and industry experts, internal and external accountants and auditors, forensic accountants, and financial analysts – and those with quantitative data analysis and correlation skills, such as statisticians, are needed.

11) Outlier Analysis: Lehman Brothers and Repo 105

Data anomalies are referred to as outliers, and while outliers are usually discounted when making a statistical inference regarding a population taken from a sample, outliers should be examined closely when looking for the unknown unknowns in secondary data. Outliers can be identified by measuring the way data are dispersed around the mean.

On September 15, 2008, Lehman Brothers Holdings Inc. filed for bankruptcy protection. This was an extraordinary turn of events for a company that reported a 2007 fiscal year-end net income of $4.2 billion on revenue of approximately $59 billion and whose stock was trading in the mid-60s less than nine months earlier. How did this happen? For the complete answer, the reader is referred to the 2,200 page report of Lehman’s bankruptcy examiner Anton Valukas, chairman of Jenner & Block.[12] This article will focus only on the risk assessment control breakdowns and aggressive accounting applications discussed in the Valukas Report.

Some background first. In 2006, Lehman changed its business model from being primarily a broker and underwriter to acquiring large amounts of investment assets for its own speculation. Moreover, such investments were principally in illiquid assets, primarily commercial real estate, private equity and leverage loans. Lehman’s investment strategy continued, and its investment portfolio increased, even during the subprime mortgage crisis that gripped the U.S. economy from 2007 through 2008. This increase in long-term, high-risk investments was at odds with Lehman’s own risk management policies.

Lehman was highly leveraged and financed its long-term investment acquisitions primarily with short-term borrowing that needed to be rolled over frequently, e.g., through the use of repurchase agreements. In a typical repurchase agreement, Lehman would enter into an arrangement with an entity that had funds to invest for a short period of time in exchange for specific securities designated as collateral in an amount in excess of the cash transferred.[13] Concurrently, Lehman would agree to repurchase the securities from the investor at a specified future date at a slightly higher cash amount than the amount received, the difference in the cash amount representing the interest earned by the investor and interest expense to Lehman.

Because of the continued receipt of income from the collateralized securities by the borrower, repurchase agreements are typically not treated as sales of securities but as financing transactions. Thus, the collateralized securities would stay on Lehman’s balance sheet, the ownership for which would return to Lehman when it repaid the loan.

What the Valukas bankruptcy team uncovered in its investigation, however, was that for certain repurchase agreements, which Lehman called Repo 105[14] transactions, Lehman recorded the short-term collateralized borrowings as sales of its securities. Lehman also entered into Repo 105 transactions at the end of quarterly reporting periods, the effect of which was to show no collateralized debt on its balance sheet, thereby lowering Lehman’s leverage ratio. This pleased rating agencies and Lehman’s creditors. When the unrecorded debt was paid, the collateralized securities would reappear on Lehman’s balance sheet, even though during the repurchase agreement period, Lehman continued to receive interest from its “sold” investments.

The use of outlier analysis could have highlighted an increase in Repo 105 transactions at quarter ends and their subsequent drop off in activity during the quarters. Using outlier analysis, the dates, the amounts of collateral used and other data regarding the recording of all repurchase agreements would be entered into a program that would calculate the variance around the mean, thus highlighting the days in which the use of repurchase agreements was excessively high, and an examination of the composition of those repurchase agreements would have revealed the use of Repo 105 transactions and how they differed from the standard repurchase agreement.

It is that combination of investigative skills, as previously discussed, and an understanding of management incentives to commit fraud in financial reporting, that would have identified what types of transactions were suspect and should be analyzed further. The outlier analysis discussed above would have at least brought attention to the abnormal usage of Repo 105 transactions at the end of a reporting period and focused attention on an unusual, nonstandard accounting treatment that did not appear to have a credible business purpose and otherwise lacked economic substance.
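The outlier analysis described above for repurchase agreements, as an added example that is not part of the original article: daily collateral totals are scored by their distance from the mean, flagged days are checked against quarter-end dates, and the composition of each flagged day is broken out by how far collateral exceeds cash. The ledger is constructed sample data, and the 2.0 threshold, the three-day quarter-end window and the calendar quarters are assumptions of this example, not figures from the Valukas Report.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

# Assumptions made for this example (not taken from the article or the Valukas Report):
Z_THRESHOLD = 2.0                      # flag days more than 2 standard deviations above the mean
WINDOW_DAYS = 3                        # "at quarter end" = within 3 calendar days before it
QUARTER_END_MONTHS = (3, 6, 9, 12)     # calendar quarters; set to the entity's fiscal quarters


def quarter_end(day, end_months=QUARTER_END_MONTHS):
    """Return the last day of the reporting quarter that contains `day`."""
    later = [m for m in end_months if m >= day.month]
    year, month = (day.year, min(later)) if later else (day.year + 1, min(end_months))
    first_of_next = date(year + month // 12, month % 12 + 1, 1)
    return first_of_next - timedelta(days=1)


def near_quarter_end(day):
    return (quarter_end(day) - day).days <= WINDOW_DAYS


def constructed_ledger(year=2007):
    """Constructed sample data: (trade date, cash received, collateral pledged).

    Every weekday carries one standard repo with collateral 2 percent above the
    cash received; days near a quarter end also carry a larger transaction with
    collateral 5 percent above cash, the ratio the article gives for Repo 105.
    """
    rows, day = [], date(year, 1, 1)
    while day.year == year:
        if day.weekday() < 5:                          # weekdays only
            cash = 100.0 + 2.0 * day.weekday()
            rows.append((day, cash, round(cash * 1.02, 2)))
            if near_quarter_end(day):
                rows.append((day, 400.0, 420.0))
        day += timedelta(days=1)
    return rows


def daily_collateral(rows):
    """Total collateral pledged per trade date."""
    totals = defaultdict(float)
    for day, _cash, collateral in rows:
        totals[day] += collateral
    return dict(totals)


def outlier_days(totals, threshold=Z_THRESHOLD):
    """Score each day by its distance from the mean, in standard deviations."""
    mu, sigma = mean(totals.values()), pstdev(totals.values())
    if sigma == 0:                                     # flat series: nothing stands out
        return []
    scored = ((day, (value - mu) / sigma) for day, value in sorted(totals.items()))
    return [(day, round(z, 2)) for day, z in scored if z > threshold]


def composition(rows, day):
    """Cash raised on `day`, grouped by percent of collateral above cash."""
    mix = defaultdict(float)
    for trade_day, cash, collateral in rows:
        if trade_day == day:
            mix[round((collateral / cash - 1) * 100)] += cash
    return dict(mix)


def review(rows):
    """Flag outlier days, measure quarter-end clustering, break out each day's mix."""
    flagged = outlier_days(daily_collateral(rows))
    at_quarter_end = [day for day, _z in flagged if near_quarter_end(day)]
    return {
        "flagged": flagged,
        "quarter_end_share": len(at_quarter_end) / len(flagged) if flagged else 0.0,
        "composition": {day: composition(rows, day) for day, _z in flagged},
    }


if __name__ == "__main__":
    report = review(constructed_ledger())
    print(f"{len(report['flagged'])} outlier days, "
          f"{report['quarter_end_share']:.0%} of them at a quarter end")
    for day, z in report["flagged"]:
        print(day, f"z={z}", report["composition"][day])
```

Large spikes inflate the standard deviation they are measured against, so on real ledgers a median-based score is a common cross-check on the same daily totals.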

12) Points of Focus

COSO Principle 8

An organization must consider the potential for fraud when assessing risks to the achievement of objectives.

First, consider the various ways that fraud and misconduct can occur.

  1) Fraudulent reporting: When an entity’s reports, financial and nonfinancial, do not achieve financial reporting objectives because such reports are willfully prepared with omissions or misstatements.
    a) Fraudulent financial reporting: An intentional act designed to deceive users of external financial reports that may result in a material omission from or misstatement of such financial reports.
      i) Includes misappropriation of assets where the effect may cause a material omission or misstatement in the external financial reports.
    b) Fraudulent nonfinancial reporting: An intentional act designed to deceive users of nonfinancial reporting – including sustainability reporting, health and safety, or employment activity – that may result in reporting with less than the intended level of precision.[15]
    c) Illegal acts: Violations of laws or governmental regulations that could have a direct or indirect material impact on the external financial reports.
  2) Loss of assets: Protecting and safeguarding assets against unauthorized and willful acquisition, use or disposal, including
    a) Theft of assets
    b) Theft of intellectual property
    c) Illegal marketing
    d) Late trading
    e) Money laundering
    f) Other related risks:
      i) Waste
      ii) Abuse
      iii) Neglect
  3) Corruption:
    a) By entity personnel
    b) By outsourced service providers directly impacting the entity’s ability to achieve its objectives
  4) Management override: Acts taken by management to override an entity’s controls for an illegitimate purpose including personal gain or an enhanced presentation of an entity’s financial condition or compliance status.

Second, assess incentives and pressures, opportunities, and attitudes and rationalizations. Work incentives may not be aligned with business goals and objectives that, by their nature, create pressures within the organization. Or there are excessive pressures put on employees to achieve unrealistic performance targets, particularly in the short-term, which may be coupled with a weak control environment that creates opportunities for fraudulent behavior, along with attitudes and rationalizations that claim to justify such actions.

1 While the common colloquial usage of the word “audit” usually involves an examination of financial books and records, accounts or statements, for the purpose of verifying their accuracy, the technical definition is provided by the American Accounting Association in its 1973 A Statement of Basic Auditing Concepts: “A systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria and communicating the results to interested users.”
2 For example, in the public sector, businesses must comply with the Foreign Corrupt Practices Act of 1977 and the Sarbanes-Oxley Act of 2002.
3 For example, in the government sector, federal agencies must comply with the Federal Manager’s Financial Integrity Act of 1982. In the not-for-profit sector, OMB Circular A-133, Audits of States, Local Governments, and Non Profit Organizations, applies to all nonfederal entities that expend $500,000 or more in federal awards in a single year. Note: Effective December 31, 2015, eight OMB Circulars, including A-133, will be combined into one “super circular” or “Uniform Guide” with additional new requirements and guidelines. See Part 200 of the Federal Register “Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards.”
4 COSO is an acronym for the Committee of Sponsoring Organizations of the Treadway Commission.
5 The COSO Internal Control - Integrated Framework was written in 1992 (the original framework) and updated in 2013.
6 COSO Internal Control – Integrated Framework, Chapter 2: Objectives, Components, and Principles.
7 COSO Internal Control – Integrated Framework, Chapter 6: Risk Assessment. To further assist management in designing, implementing and conducting internal control, COSO established 17 principles and points of focus within the principles that represent the fundamental concepts associated with each of the five components of internal control. A summary of the points of focus specifically addressing the various ways that fraud can occur is presented as a sidebar to this article.
8 COSO Internal Control – Integrated Framework, Chapter 7: Control Activities.
9 “[T]here are known knowns ... things we know we know ... there are known unknowns ... some things we do not know ... there are also unknown unknowns ... the ones we don’t know we don’t know” comes from a response to a question to

13) former Secretary of Defense Donald Rumsfeld at a U.S. Department of Defense news briefing on February 12, 2002. While these terms are used in scientific research, they are generally attributed to 19th-century British poet John Keats.
10 COSO Internal Control – Integrated Framework, Chapter 9: Monitoring Activities. Monitoring is the proactive, ongoing and continuous evaluations taken by management.
11 Statistical Techniques for Forensic Accounting, Understanding the Theory and Application of Data Analysis by Saurav K. Dutta, FT Press, 2013.
12 For a case study on the Lehman bankruptcy, see “Lehman on the Brink of Bankruptcy: A Case about Aggressive Application of Accounting Standards,” published in Issues in Accounting Education, May 2012 (pp. 441–459) by Dennis H. Caplan, Saurav K. Dutta and David J. Marcinko.
13 Typically 2 percent above the cash amount received.
14 Lehman’s collateralized securities were 5 percent above the cash amount received in such transactions, thus the creation of the term “Repo 105.”
15 The Securities and Exchange Commission (SEC) created the term “disclosure controls” to address this risk of error because it is the position of the SEC that the concept of controls as contemplated in the Sarbanes-Oxley Act covers not only financial disclosures required by generally accepted accounting principles (GAAP) and Regulation S-X but all material nonfinancial disclosures as well.

For more information, please contact David Cace, a partner in EisnerAmper’s Forensic, Litigation and Valuation Services Group, at 212.891.4024 or david.cace@eisneramper.com. This article was first published in the January 2016 issue of Metropolitan Corporate Counsel.

14) COMPUTER FORENSICS

The New World of the Computer Hacker – and Forensic Technology Specialists

By Steven Konecny, CFE, CIRA, CEH

Cybercrime has been thrust into the forefront of public attention due to a glut of high-profile, well-publicized cases of compromised computer systems at organizations like Sony, Target, Home Depot, and J.P. Morgan Chase. These cases have brought the “hacker” out of a shadowy netherworld and into the consciousness of the general public as well as security experts. These stories make most people think that the risk of “high-tech crime” is from the outside or remote hacker — that organized group overseas or the solitary technology genius banging away at the keyboard in the dark, looking for sensitive corporate data, personal information, and credit card data to steal. While outside hackers are a significant component of high-tech crime, insiders — threats from within the organization — are often overlooked. The resulting damage can be just as dramatic, if not more so, than an attack from the outside.

Computer Forensics and Investigations Require Detective Skills

High-technology investigators never know what sort of case will appear next. A cross between evil intent by those who would try to cheat, steal or game the system to their advantage; innovation in using the new technologies in nefarious ways (or ignorance of how to use the technologies properly); and good old-fashioned opportunity to do mischief presents significant risk to any organization. While new technologies may provide new opportunities, they also leave behind footprints and artifacts that can be discovered. Users’ activities can be traced, often without their knowledge, and can reside on devices years after they have left. Forensic technology specialists aid their clients in securing data and finding those deep, hidden, and/or obscure artifacts that may still reside on their devices, most often without their knowledge.

In a cybercrime or hacking investigation, it is imperative to first ascertain the extent of a compromise within an organization and then proceed with the wider scope of the investigation to determine responsibility for the compromise. It is not uncommon that an organization will not detect a compromised system for months or even years after a breach has already occurred. It also is not uncommon for the organization to learn of the compromise from a third party, such as a law enforcement agency or another organization doing its own investigation, rather than from its own internal scanning and monitoring devices.

Cybercrime cases can also take many different forms: an outside hacker accessing the corporate network to steal credit card information or to use the corporation’s computers as robots to attack other computers on the Internet; the head of IT intercepting and reading others’ emails or configuring the corporate servers to mine for Bitcoins after hours; or the disgruntled ex-employee who, because of weak controls, is sent a new password and begins deleting medical records or downloads an entire customer database.

Not all high-tech investigation matters necessarily contain crime, fraud or litigation. Many might involve a system failure, negligence, natural disaster or other occurrence that affects an organization’s systems. Often, a root cause investigation is conducted to ascertain why the end result occurred, what can be done to remediate it, and what steps can be taken in the future to mitigate the impact of such events occurring again. It is not unheard of to recover data from burned file servers, or hard drives submerged in water, intentionally erased, and even zapped in a microwave oven!

Typically, the need for forensic technology services involves some form of dispute: pending litigation, bankruptcy, fraud or white collar crime, intellectual property theft, divorce, or employee misconduct. More often than not, the need is to analyze the contents of computers, cell phones, tablets, and storage media (hard drives, thumb drives, flash drives, etc.) looking to uncover evidence that potentially could be used in a legal matter.

Steven Konecny is a director in our Forensic, Litigation and Valuation Services Group and spends a great deal of time delivering innovative e-discovery services to our clients. Questions? For more information, please contact Steven at 916.426.1118 or steven.konecny@eisneramper.com

16) HOSPITALITY MANAGEMENT

Loyalty and Cybersecurity: Don’t Risk a Breach

By Deborah S. Friedland

Taylor Swift is considered the most famous and influential entertainer in the world, according to a recent article in “Vanity Fair” magazine. How is this statement qualified? By her number of Twitter followers (60 million), followed by her 140 million albums sold. Now what, you ask, does Taylor Swift’s social media power have to do with hotel loyalty programs? It’s simple: Many travelers choose their hotels through social channel chatter and customer reviews.

Social media dominates our everyday world including our travel experiences. Hotel brands such as Marriott International and Kimpton Hotels & Restaurants have taken notice and offer loyalty program members opportunities to earn points or tangible rewards by following the brand’s social media profiles or tagging their brands in social media posts. Social media is used by many brands to increase guest satisfaction and increase online reputation, with the main goal of increasing guest loyalty. They’re working aggressively to transform traditional loyalty programs to meet the needs of millennials who demand immediate gratification, seamless electronic communication, faster ways to accumulate points and personalized service. Those brands that anticipate hotel guest needs likely will dominate their competitors in capturing the loyalty of the millennial traveler. In return, millennial travelers will reward these brands with incremental spend per stay.

A win-win, but with risks

Sounds like a win-win, but with all the innovations in technology that go into creating these intelligent loyalty programs, increased cybersecurity risk is almost sure to follow.
In order for these loyalty programs to offer the personalized service demanded by today’s traveler, customers are asked to share a significant amount of personal data, including income levels, travel schedules and credit card numbers. According to several studies, customers say they would reconsider continued participation if a data breach were to occur within their loyalty program. This jeopardizes loyalty to the brand and results in potential revenue loss. Loyalty to a certain brand implies trust in the provider. Because retaining a customer is far less costly than acquiring a new customer, hotel companies should designate significant resources to safeguard loyalty members’ personal information.

Many fraud prevention policies and controls are reactive rather than proactive. Further, loyalty members are less diligent with respect to active security practices when it comes to safeguarding access to their loyalty profile than with credit card and bank account information. With travel loyalty programs increasing in popularity and value (larger programs have valuations in the billions of dollars), cyber thieves have taken notice of the imbalance of ease/reward associated with hacking a loyalty program vs. a bank account. Loyalty points can be monetized and used as a digital currency to buy jewelry, computers, and other valuable products via online shopping sites affiliated with hotel brands. Recent data breaches experienced by Hilton’s HHonors loyalty program, Starwood Preferred Guest, American’s AAdvantage and United’s MileagePlus demonstrate the prevalence of cyber risk and the need for companies offering these programs to take a proactive approach to reducing the risk of loyalty account hacking.

Loyalty program fraud occurs in 3 main ways:

1. Inside the company by employees
Employees within the organization are able to perpetrate fraud due to insufficient processes and internal controls. An example of this type of fraud is when employees of the company enter their own loyalty number when customers do not have or do not enter a frequent guest number, thus accumulating points in their own accounts.

2. Through outside attacks by hackers
Accounts are taken over by cyber terrorists using false identities or stolen personal credentials. An example includes using the data from a boarding pass left on a seat by a passenger who does not have a frequent flyer account number. In another example, hackers can exploit weak security systems and passwords to gain access to program accounts.

3. By customers themselves
Loyalty members perpetrate fraud by not abiding by program rules and allowing family members to take over accounts or selling points to “mileage brokers,” who then resell award tickets as discounted business or first-class travel.

17) Put protections in place

Here are some practical steps for brands to consider in minimizing cybersecurity risk:
• Educate loyalty members regularly about the potential risks of a data breach and urge increased monitoring of account activity, regularly changing passwords, and avoiding using the same password for multiple sites, which reduces the possibility of a hacker obtaining access to multiple sites. Brands should consider rewarding customers who demonstrate active security practices by offering complimentary points for those members who regularly change their passwords.
• Implement a system in which customers are notified via email or text message when a password or email address has been changed.
• Implement a 2-factor authentication process, which adds more reliance on personal devices. An example of this technique is a user receiving a code on his mobile phone after inputting his login and password on the website. The code is then entered on the site as a second authentication step.

Customer loyalty is an invaluable asset for a brand. By implementing proactive measures to protect against cyber risk, the risk of losing this asset will be minimized.

Deborah S. Friedland is a director in EisnerAmper’s Corporate Finance Group and also works extensively with our Real Estate Services Group. For more information, please contact Deborah at 212.891.4108 or deborah.friedland@eisneramper.com. This article was first published by Hotel News Now, September 10, 2015.

18) NEWS

EisnerAmper LLP Announces New Executive Corporate Structure

Spurred by significant growth, our firm recently announced a new executive corporate structure that will enable us to manage our expanding capabilities and resources across rapidly growing markets, service lines and regions, both domestically and internationally. Charly Weinstein, CEO, said “Delivering exceptional client service, attracting the best people and building national practices are the driving factors behind the new organizational structure. Our firm has grown considerably in size in just a few years, and as a result we are a significantly more complex organization.”

The new structure is designed to address complexity while preserving the firm’s differentiating characteristic of being highly responsive at the partner level. “A key to our success has always been our ability to be nimble; to address client needs quickly and directly,” Weinstein said. “We’ve always operated internally on close contact and collaboration, and our new structure is driven by the need to continue along those lines.”

The firm has recently expanded its geographic reach with offices in Miami and Broward County, Florida; Sacramento, California; and Israel. The formation of EisnerAmper Global resulted in the establishment of practices in Dublin, Ireland and the Cayman Islands. Weinstein noted that “given our growth and plans, this is the right time to implement an organizational structure that enables us to serve the needs of our growing client base, while setting the stage for future growth as well.”

Jay Weinstein, Managing Partner – Markets and Segments, is responsible for executing business strategies for existing markets and segments and identifying emerging opportunities. Jay works closely with practice leaders to develop goals and success metrics, as well as business development capabilities.

Christopher Loiacono, Managing Partner – Services, is responsible for the growth and quality of service offerings. Chris works with service line leaders to integrate client services and ensure the firm has the talent, capabilities and capacity to deliver high quality work and exceptional client service across existing and potential lines of business. Chris also works to drive efficiency efforts and manage costs of services.

Michael Breit, Managing Partner – Regions, will concentrate on the growth and expansion of the firm’s offices. Working closely with the partners-in-charge of the offices, Michael will set goals and monitor results for profitability and local market penetration. Along with Jay and Chris, Michael will also seek to identify M&A opportunities, both geographically and in practice markets.

Charly Weinstein said, “There are limitless possibilities for EisnerAmper on the horizon and under our new leadership team we’re ready to reach out and make them realities.”

www.eisneramper.com © 2016 EisnerAmper LLP This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.