AICPA Cybersecurity Risk Management Examination, and New Cybersecurity Regulations for Financial Institutions

November 16th, 2016 by Whitley Penn | Permalink

WPlogoColorbulletThe American Institute of Certified Public Accountants (AICPA) has recently released an exposure draft (Proposed Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program) for cybersecurity risk management program examination, in addition to a draft of revised Trust Services Principles Criteria (“TSP”). The cybersecurity risk management examination is a new attest standard in addition to the Service Organization Control (“SOC”) 2 reports that you may already be familiar with. SOC2 reports provide an auditors opinion over the design and operating effectiveness of an organizations controls to meet one or more of security, availability, confidentiality, and processing integrity principles as defined by the TSP. The TSP defines the criteria to be met by each of the aforementioned principles. The updated TSP have been aligned with the 17 principles of Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) 2013 internal control framework. These proposals are open for public comment until December 5th, so it is unlikely that the attestation standard and TSP revisions will be available for use in reports until 2018.

One clear benefit of the new cybersecurity risk management examination criteria is that it allows organizations to choose the information security management framework to report on, rather than mapping your preferred standard to the TSP. This allows organizations that have designed their information security management framework around ISO 27001 or National Institute of Standards and Technology (“NIST”) Cybersecurity Framework to report on the framework that they use.

Considering all of the cybersecurity breaches that have occurred in recent years, it should come as no surprise that new regulations are on the horizon. The New York Department of Financial Services (DFS) and the Society for Worldwide Interbank Financial Telecommunications (SWIFT) both recently released new draft cybersecurity rules that will impact many financial institutions and their service providers. The DFS rules call for an annual certification similar to Sarbanes-Oxley, and the SWIFT rules require that organizations self-attest to their compliance annually. Both regulations extend requirements to service providers, and SWIFT also calls for its user organizations to have access to each other’s compliance reports in order to evaluate counter party risk. Inspections are expected to begin in January 2018.

The AICPA’s new cybersecurity risk management examination is well positioned to meet the needs of organizations that may be required to comply with these new regulations. Whether it be service providers that need to provide assurance to their customers over their compliance with these regulations, or officers at these organizations that desire an independent third party examination before certifying that their organization is compliant.

If these regulations affect your organization, then consider performing an assessment utilizing the Federal Financial Institutions Examination Council (“FFIEC”) Cybersecurity Self-Assessment. The Financial Services Information Sharing and Analysis Center (“FS-ISAC”) has made an automated version of the FFIEC self-assessment available on their website. It’s important to note that the assessment is based upon maturity levels, so all 494 questions may not apply to your organization based upon the inherent risk profile.

Whitley Penn’s Risk Advisory Services team can help improve your information security program by performing the cybersecurity assessment and examination. Our Risk Advisory Services team can also perform IT control reviews, vulnerability scanning, and penetration testing to test the effectiveness of your information security program. To learn more about how Whitley Penn can assist in developing, assessing, or auditing your information security and anti-fraud controls, please visit our website or contact Scott Geye at or 214-393-9592.

Scott Geye Risk Advisory Services Senior Dallas Office

Scott Geye
Risk Advisory Services Senior
Dallas Office

Whitley Penn Recognized by the University of Houston Alumni Association as a Cougar 100 Company

November 7th, 2016 by Whitley Penn | Permalink

WPlogoColorbulletOn October 26th at a luncheon in Houston, Whitley Penn, LLP was recognized by the University of Houston Alumni Association as a Cougar 100 company. The Cougar 100 award identifies, recognizes and celebrates the world’s fastest growing UH Cougar-owned and Cougar-led businesses. Over 4,000 companies worldwide are owned and led by UH alumni, and the Cougar 100 demonstrates to all that Cougar-owned and Cougar-led businesses are among the finest commercial and industry leaders in the world. The listing not only celebrates their success, but also gives Cougars a point of pride and achievement to share with the entire community.

In addition to several UH alumni who work at the firm, Jim Penn, CPA/ABV is one of the founders of Whitley Penn and is the Partner-in-Charge of the Forensic, Litigation & Valuation Services practice group. In addition, Mr. Penn serves as the firm’s Chief Financial Officer and is a member of the firm’s Management Committee. He earned his Bachelor of Business Administration from the University of Houston in 1978. With a compound annual growth rate in revenue of 11% for the period from 2013 to 2015, Whitley Penn was recognized as a Cougar 100 company at #59. Of companies with 300 or more employees, Whitley Penn came in at #8.  This is the third consecutive year the firm and Mr. Penn have been recognized as a Cougar 100 company.

The Cougar 100 list was featured in a special section of the Houston Business Journal’s October 28th weekly edition.

Click here to view the Houston Business Journal’s Cougar 100 feature.

Lupe Garcia Audit Senior Manager Houston Office

Lupe Garcia
Audit Senior Manager
Houston Office

Estate Tax Portability Election Available For Surviving Spouses

October 11th, 2016 by Whitley Penn | Permalink

WPlogoColorbulletThe estate tax concept known as “portability” was first introduced for married persons dying on or after January 1, 2011.  Portability was originally scheduled to expire on December 31, 2012, but was made a permanent feature of the estate tax as part of “The American Taxpayer Relief Act of 2012”.

Portability allows the executor of an estate to elect to transfer any unused estate tax exemption to a surviving spouse.  The unused exemption received by the surviving spouse is referred to as the “Deceased Spousal Unused Exclusion” (DSUE) amount.  Once the election is made by the executor, a surviving spouse can use the DSUE amount received against any future taxable gifts or transfers at death.  An example of the utilization of the DSUE is:

  • Husband dies on July 1, 2016 with a taxable estate of $4 million.  For 2016, the estate and gift tax exemption is $5.45 million per individual.  The husband has $1.45 million of unused exemption on his date of death.  If the executor of the estate makes the portability election, the $1.45 million of DSUE will transfer to the surviving spouse.  This leaves the surviving spouse with a total exemption of $6.9 million (her $5.45 million exemption + $1.45 million from her husband) that she can use against future taxable gifts or transfers at her death.

For a surviving spouse to receive the DSUE amount, the executor of the estate of the first spouse to die must make an election on a timely filed Form 706, United States Estate (and Generation-Skipping Transfer) Tax Return.  However, an estate with a gross estate below the $5.45 million exemption is not required to file Form 706.  This can create a dilemma for the executor of such an estate who then must make a cost-benefit analysis to determine whether the administrative costs and requirements of filing Form 706 are worth the future benefit of transferring the DSUE.   If the executor chooses not the file Form 706, the surviving spouse’s estate will not be able to claim the DSUE.

The executor should consider the potential that the surviving spouse will amass additional wealth through appreciation of estate assets, inheritance, or some other means.  If this is a valid contingency, the executor should consider filing Form 706 even though it is not required in order to make the portability election.  Using the facts of the prior example:

  • The executor of the husband’s estate did not make the portability election.  The spouse’s taxable estate grows to $6.5 million at her death.  The estate and gift tax exemption is $5.45 million at the time of her death.  In this scenario, the spouse’s taxable estate would be $1.05 million and it would owe approximately $366,000 in estate tax.  However, if the husband’s executor had filed Form 706 in order to make the portability election, the additional $1.45 million DSUE would have resulted in the total available exemption reducing the spouse’s taxable estate to $0.

If you are the executor of an estate and have questions about the estate portability election, please contact Josh Plunk at (817) 259-9074 or

Josh Plunk, CPA Tax Senior Manager Fort Worth Office

Josh Plunk, CPA
Tax Senior Manager
Fort Worth Office


Overview of Presidential Candidate Tax Plans

October 4th, 2016 by Whitley Penn | Permalink

WPlogoColorbulletAs the date of the 2016 Presidential election gets closer, much attention will be given to the two main candidates’ federal tax plans.   In addition to such major issues as international and domestic policy, the effect of the candidates’ tax plans on the economic growth of the U.S. will be a key decision point for many voters.

At this time, many of the discussions regarding proposed tax policy involve theoretical arguments in lieu of actual detailed provisions.  However, based on the information currently available, some of the key provisions that are proposed under the tax plans for each candidate are listed in the subsequent discussion.

Donald Trump

Individual Income Tax and Estate Tax Provisions

  • Collapse the current seven tax brackets to three brackets. The three brackets would be 12%, 25%, and 33%.   The income level for each bracket will vary depending on filing status.
  • The maximum capital gains rate of 20% will not change.
  • The 3.8% net investment income tax and the alternative minimum tax will be repealed.
  • The standard deduction for joint filers will increase from $12,600 to $30,000. The standard deduction for single filers will be $15,000.
  • Itemized deductions will be capped at $200,000 for married-joint filers and $100,000 for single filers.
  • Tax “carried interests” at ordinary income rates.
  • The estate tax will be eliminated, but capital gains held until death would be subject to tax. The first $10 million would be tax-free to exempt small businesses and family farms.
  • Provide favorable childcare cost treatment, including above-the line deductions, exclusions, and tax rebates for childcare expenses.
  • Establish tax deductible Dependent Care Savings Accounts (DCSAs) including a governmental match for low-income families.

Business Income Tax Provisions

  • Lower the business tax rate from 35% to 15%.
  • Eliminate the corporate alternative minimum tax.
  • Provide a deemed repatriation tax of corporate profits held offshore at a one-time rate of 10%.
  • Companies engaged in manufacturing operations within the U.S. may elect to expense capital investment in lieu of deducting corporate interest expense.

Hillary Clinton

Individual Income Tax and Estate Tax Provisions

  • Enact a 4% surtax on income over $5 million per year.
  • Raise rates on capital gains held less than 6 years to between 23.8% and 43.4%. The current capital gains tax rate would only apply to assets held six or more years.
  • Limit the tax benefit for certain deductions and exclusions to 28%.
  • Implement the “Buffett Rule” which would establish a minimum effective tax rate of 30% for taxpayers earning over $1 million per year.
  • Tax “carried interests” at ordinary income rates.
  • Limit additional contributions for taxpayers with high balance tax-favored retirement plans.
  • Provide tax credits for caregiver expenses for elderly family members and high out-of-pocket health care expenses.
  • Increase the top estate tax rate to 65% and lower the estate tax exclusion to $3.5 million.
  • Limit basis step-up on inherited assets.

Business Income Tax Provisions

  • Corporate income tax rates would remain constant.
  • Implement more stringent foreign ownership requirements for “inversion” transactions.
  • Implement an “exit tax” on unrepatriated earnings.
  • Limit interest expense deductions for U.S. affiliates of multinational companies.
  • Eliminate tax incentives for fossil fuels.
  • Provide tax credits for businesses that invest in community development and infrastructure and share profits with employees.
  • Limit deferral of gain on like-kind exchanges.

For more information, contact your Whitley Penn Tax Advisor.

Join us for a Post Election Tax, Legislative and Economic Update to learn more about what changes could be coming your way once the President-elect takes office.

Click here to register.

Cybersecurity Road Map

September 19th, 2016 by Whitley Penn | Permalink

WPlogoColorbulletAs we have witnessed in the last few years, the cost of cyber threats has grown to be a substantial risk that all organizations face. According to Forbes, cybercrimes are projected to reach $2 trillion globally by 2019. The attempt to mitigate cyber risks through the use of anti-virus software and other turnkey solutions has been proven to be inadequate when faced with today’s threats.

In the past, risk mitigation could be achieved by employing a single dedicated department. That is no longer the case. Executive management and the Board of Directors (“BOD”) must collaborate with Information Technology (“IT”) personnel to develop a dynamic plan that considers both current and future threats. The scale of the plan should not be disproportionately weighted on the financial goals of the company, but should be aligned with the organizations business or mission objectives, regulatory requirements, and threat environment.

On February 12, 2014, the National Institute of Standards and Technology (“NIST”) released the Framework for Improving Critical Infrastructure Cybersecurity. This voluntary guidance should be a roadmap for the Chief Financial Officer (“CFO”) when recommending a robust cybersecurity IT plan. The NIST Framework is divided into four tiers to provide context on how an organization views cybersecurity risk and the effort to mitigate those risk.

Tier 1: Partial

  • Risk Management Process – Organizational cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner. Prioritization of cybersecurity activities may not be directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
  • Integrated Risk Management Program – There is limited awareness of cybersecurity risk at the organizational level and an organization-wide approach to managing cybersecurity risk has not been established. The organization implements cybersecurity risk management on an irregular, case-by-case basis due to varied experience or information gained from outside sources. The organization may not have processes that enable cybersecurity information to be shared within the organization.
  • External Participation – An organization may not have the processes in place to participate in coordination or collaboration with other entities.

Tier 2: Risk Informed

  • Risk Management Process – Risk management practices are approved by management but may not be established as organizational-wide policy. Prioritization of cybersecurity activities is directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
  • Integrated Risk Management Program – There is an awareness of cybersecurity risk at the organizational level but an organization-wide approach to managing cybersecurity risk has not been established. Risk-informed, management-approved processes and procedures are defined and implemented, and staff has adequate resources to perform their cybersecurity duties. Cybersecurity information is shared within the organization on an informal basis.
  • External Participation – The organization knows its role in the larger ecosystem, but has not formalized its capabilities to interact and share information externally.

Tier 3: Repeatable

  • Risk Management Process – The organization’s risk management practices are formally approved and expressed as policy. Organizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape.
  • Integrated Risk Management Program – There is an organization-wide approach to manage cybersecurity risk. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Consistent methods are in place to respond effectively to changes in risk. Personnel possess the knowledge and skills to perform their appointed roles and responsibilities.
  • External Participation – The organization understands its dependencies and partners and receives information from these partners that enables collaboration and risk-based management decisions within the organization in response to events.

Tier 4: Adaptive

  • Risk Management Process – The organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities. Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organization actively adapts to a changing cybersecurity landscape and responds to evolving and sophisticated threats in a timely manner.
  • Integrated Risk Management Program – There is an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. Cybersecurity risk management is part of the organizational culture and evolves from an awareness of previous activities, information shared by other sources, and continuous awareness of activities on their systems and networks.
  • External Participation – The organization manages risk and actively shares information with partners to ensure that accurate, current information is being distributed and consumed to improve cybersecurity before a cybersecurity event occurs.

Once an initial tier has been selected, the CFO and the Chief Information Officer (“CIO”) should collaborate frequently to determine if the initially selected tier is sufficient based upon the achievement of the organization’s target profile. The decision to progress to a higher tier should only be made if the change would reduce the organization’s risk and would be cost effective to do so. As a result, justifying the progression to the BOD may be difficult, especially if the current tier appears to be providing the security necessary to meet the organization’s goals. Utilizing the expertise of the CFO, who understands the financial implications of a breach, and the CIO, who can provide valuable insight based upon observations within the organization and trends that are occurring within the industry, a business case can be presented that addresses the risks, costs, and benefits.

The damage that occurs as a result of a cyber-attack is often embarrassing and in many cases could have been prevented if the proper precautions were taken. Performing a risk assessment is not only considered a best practice, in many cases it is a required step to meet many compliance obligations. Placing emphasis on strategic risks focuses on risks that can have the largest impact on the organizations value, well-being, and reputation.

For more information, please contact a member of the Whitley Penn Risk Advisory Services Team.

Daniel Pitts Audit Staff Dallas Office

Daniel Pitts
Audit Staff
Dallas Office


Changes Coming for Not-for-Profit Financial Statements – Are you ready?

September 8th, 2016 by Whitley Penn | Permalink

WPlogoColorbulletFully comprehending the substance of a Not-for-Profit (“NFP”) entity’s financial statements can be a difficult task for an external user. In fact, current reporting requirements raise many questions for both external users and board members alike, such as:

  • What is or is not donor restricted, and are those restrictions temporary or permanent?
  • How do restrictions imposed by donors, grantors, and governing boards affect an entity’s liquidity, classes of net assets, and financial performance?
  • How should users make sense of inconsistencies in the type of information provided about expenses of the period?

The Financial Accounting Standards Board (“FASB”) hopes to have clarified and improved NFP financial statements for all users with Accounting Standards Update (“ASU”) No. 2016-14, which was issued in August 2016.  The main objective of this ASU is to provide more useful and consistent information to financial statement users from donors, grantors, creditors, or other users, and enable organizations to be more transparent in sharing the results of their mission. Although, this ASU is effect for fiscal years beginning after December 15, 2017 (with early adoption permitted); there are several key provisions that we believe NFP entities should be aware of now.

First, NFP entities will present two classes of net assets on their financial statements, rather than for the currently required three classes.  In other words, rather than presenting Unrestricted, Temporarily Restricted, and Permanently Restricted classes, upon adoption of the ASU NFPs will report amounts for net assets “With Donor Restrictions” and “Without Donor Restrictions”. Disclosures describing the nature and amounts of different types of donor restrictions will still be required.  Additionally, under-water amounts of donor restricted endowments will be classified under net assets with donor restrictions.

Additionally, all NFP entities will be required to present expenses by both their natural and functional classifications, provided in one location, which could be on the face of the statement of activities, as a separate statement, or in notes to financial statements. NFPs will also be required to disclose the method(s) used to allocate costs among program and support functions. It should be noted in the first year of applying this ASU, a NFP entity may omit comparative information for any periods presented before the adoption.

The ASU also provides for disclosures specifically regarding qualitative and quantitative information on the NFP’s liquidity and availability of resources for one year from the date of the statement of financial position.   These disclosures will provide financial statement users with meaningful information regarding the NFP’s ability to meet cash needs within one year of the balance sheet date. Similar to the functional expense requirement, NFPs may omit comparative information in the first year of adoption.

NFP entities will continue to have the choice in using the direct or indirect method of reporting for the statement of cash flows.  If the direct method is utilized, the reconciliation of changes in net assets to cash provided by operating activities is no longer required.

The summary above is not all-inclusive of the updates; however, please contact a member of the Whitley Penn Not-for-Profit team who will be glad to guide you through these and the other changes discussed in the ASU.  We can work together to improve the classification, presentation and disclosures in your NFP’s financial statements.

For more information please contact Susan Powell or Kimberly DeWoody.

Hillari Rawls Audit Staff Fort Worth Office

Hillari Rawls
Audit Staff
Fort Worth Office


Proposed Treasury Regulations Curtail Estate and Gift Tax Valuation Discounts

September 6th, 2016 by Whitley Penn | Permalink

WPlogoColorbulletOn August 2, the Treasury Department issued proposed regulations under Internal Revenue Code Section 2704. The regulations are designed to eliminate the use of certain valuation discounts for controlled entities for estate, gift, and generation-skipping transfer taxes.

Specifically, if the proposed regulations are finalized, they would essentially disallow valuation discounts customarily applied to closely-held family business entities including family limited partnerships (“FLP”). The regulations implement the new rules by revising the existing regulations that define various valuation discount concepts such as what constitutes control and determine the effect of lapses in voting and liquidation rights and restrictions.

The proposed regulations will become effective 30 days after they are finalized by the Treasury Department. With regard to the timing of that effective date, the Treasury Department has provided a 90-day comment period which ends on November 2, 2016.  All comments on the regulations are due on that date.  A hearing is scheduled for December 1, 2016.

The Treasury Department has indicated the new rules will be applied on a prospective basis.  Since the regulations will not become effective until 30 days after finalization, taxpayers may have a window of time to receive the benefits of discounting by gifting FLP or other closely-held family business entity interests before the end of 2016.

Due to the extreme time sensitivity surrounding these changes, we recommend that you contact your Whitley Penn LLP tax advisor who can work with you and our Estate and Gift Tax group to determine what planning techniques can be implemented before the end of the year.

Telephone Scammers Use Threatening Phone Calls to Con Taxpayers

August 18th, 2016 by Whitley Penn | Permalink

WPlogoColorbulletAs you may be aware, a recent tactic used by telephone scammers is calling taxpayers at their homes or places of business posing as IRS agents.  The telephone scammers will demand the immediate payment of federal taxes from taxpayers by threatening them with civil or even criminal action.  In the event that you receive a call from anyone purporting to be affiliated with the IRS, do not give any information over the phone. The IRS website provides a list of several actions that they will never take when attempting to collect a debt from a taxpayer:

  1. Call and demand immediate payment over the phone.
  2. Call regarding a federal tax debt without first mailing a formal notice of assessment and request for payment.
  3. Demand payment of tax without providing the opportunity to challenge or appeal the amount of the assessment.
  4. Require the use of a specific payment method to satisfy a tax liability including a credit card or prepaid debit card.
  5. Request a credit or debit card number over the phone.
  6. Threaten to utilize local police departments or other law enforcement organizations to arrest a taxpayer for failure to pay a federal tax debt.
  7. Request personal or financial information using electronic communication sources including text messages, e-mail, or social media.
  8. Request PIN numbers, passwords, or other similar confidential information.

The scammers often sound authentic and use increasingly sophisticated methods to establish legitimacy.  These tactics include the use of Caller ID, e-mails from the IRS, local law enforcement or administrative agencies such as the DMV, and the provision of certain personal taxpayer information such as home or work addresses or the last four digits of social security numbers.  If you are contacted by someone claiming to be an IRS agent, remember the items previously described and take one or more of the following IRS recommended actions:

  1. Hang up the telephone immediately.
  2. Call the IRS at 1-800-829-1040 to verify your current federal tax status.
  3. Contact the U.S. Treasury Inspector General for Tax Administration (TIGTA) at 1-800-366-4484 or
  4. Contact the Federal Trade Commission at to file a complaint.

If you have already provided your federal tax information via telephone or other method or if you have any questions or concerns regarding this issue, please contact your Whitley Penn tax advisor.

Kristen Sayegh Tax Senior Houston Office

Kristen Sayegh
Tax Senior
Houston Office

Erroneous Employment Tax Deposit Penalty Notices Issued by IRS

August 12th, 2016 by Whitley Penn | Permalink

WPlogoColorbulletThe due dates for remitting employment taxes depends on several factors and vary for each employer.  An employer may be required to deposit employment taxes on a next-day, semi-weekly, or monthly basis.   However, if the applicable due date falls on a Saturday, Sunday, or legal holiday, special rules may change that due date for employment tax deposits.

This year the Memorial Day holiday was observed on May 30, 2016.  Therefore, the due date for next-day payroll tax deposits that normally would have been due on May 30 was instead Tuesday, May 31, 2016.   The due date for semi-weekly deposits that normally would have been due on Wednesday, June 1, 2016 was instead Thursday, June 2, 2016.

Due to a programming error, the IRS taxpayer records system did not recognize the changed due dates attributable to the Memorial Day holiday and incorrectly issued late payroll tax notices to certain next-day and semi-weekly payroll tax depositors.  The IRS has acknowledged the error and issued official guidance on its website regarding the remedy for any assessment related to the error.

Taxpayers who received Notice CP161 regarding a failure to deposit penalty will receive updated notice CP210/220 stating that their account has been  adjusted and that no penalty will be assessed.  Taxpayers who received Notice CP276B regarding an incorrect payroll tax deposit with no corresponding penalty assessment will not receive any further correspondence.

If you are an affected employer who received a notice solely related to the changed due dates attributable to the Memorial Day holiday, your employer tax accounts should be automatically updated and no further correspondence is required on your part.   If you continue to receive correspondence from the IRS or have any concerns that your accounts have not been properly adjusted, please contact your Whitley Penn tax advisor to discuss the additional steps necessary to correct any errors.

The 2016 OMB Compliance Supplement is finally available!

August 3rd, 2016 by Whitley Penn | Permalink

WPlogoColorbulletThe 2016 OMB Compliance Supplement (CS) is effective for single audits of fiscal years beginning after June 30, 2015, and supersedes the 2015 OMB CS.

The link where to find the CS has changed. If you have a bookmark in your browser, be sure to change it to this link.

Please click this link to access the 2016 OMB CS.

There are several changes to the 2016 CS, this is a brief summary of notable changes:

  • The Uniform Guidance (2 CFR 200) is referenced throughout the compliance supplement.
  • The usage of the terms “must” and “should” was reviewed and clarified.
  • Requirements D and K are still shown as “reserved”.
    • The “old” requirement D (Davis-Bacon Act) is now part of requirement N (Special Tests and Provisions) for certain federal grants.
    • The “old” requirement K (Real Property Acquisition and Relocation Assistance) has been removed.
  • The matrix of compliance requirements (Part 2) will clearly show “N” if the program normally does not have activity subject to that type of compliance requirement. This is a small change, in that the 2015 CS showed shaded cells when a requirement was not applicable.
    • Keep in mind that although a compliance requirement is labeled as “N” in the matrix, understanding the program’s grant agreement or contract is key since it might require the auditor to test the compliance requirement if the requirement could have a direct and material effect on a major program.
  • Part 3 – Compliance Requirements
    • This part is still divided in two: Part 3.1 (requirements for Federal awards made prior to December 26, 2014) and Part 3.2 (requirements for Federal awards made on or after December 26, 2014).
    • Discusses effect of Council on Financial Assistance Reform (COFAR) published Frequently Asked Questions (FAQs) updated September 2015, related to the Uniform Guidance and its application.
      • Per the 2016 CS these FAQs should be considered when planning and performing single audits subject to the Uniform Guidance.
      • The FAQs can be found here.
    • Discusses the current micro-purchase, small purchase and simplified acquisition thresholds for procurements methods.
    • Reflects the two full fiscal year grace period for the implementation of the procurement standards specified in the Uniform Guidance.
  • Part 6 – Internal control is added back to the 2016 CS, it was removed from the 2015 CS.
    • This section discusses: the objectives of internal control, the 5 components of internal control, and the 17 principles of internal control. It also provides overall assistance for the auditor to plan and perform the audit.
  • Appendix VII Other Audit Advisories
    • Discusses the effect that the Uniform Guidance has on the major program determination.
    • Covers the effect that the non-availability of the Federal Audit Clearinghouse has, during part of 2015 for the submission of the data collection form, on the low-risk auditee status.

For a full list of the 2016 CS changes consult Appendix V “List of Changes for the 2016 Compliance Supplement”.

The AICPA GAQC has released Alert # 311 listing other key changes and important aspects of the 2016 CS.

For more information, please contact a member of the Whitley Penn Public Sector Audit Team.

Thania Gonzalez Audit Manager Houston Office

Thania Gonzalez
Audit Senior Manager
Houston Office

Whitley Penn

About Whitley Penn

Established in 1983, Whitley Penn has become one of the region's most distinguished accounting firms by providing exceptional service that reaches far beyond traditional accounting.

Today, with offices in Dallas, Fort Worth and Houston, 40 partners, approximately 300 exceptional employees, and a worldwide network affiliation through Nexia International, we are strategically positioned to grow and excel in the future.

Contact Whitley Penn

Dallas: 214-393-9300

Fort Worth: 817-259-9100

Houston: 713-621-1515

masters in accounting

AICPA’s CPA Letter Daily