Blog

Describe your role at GJM: I work with business clients, and help them maintain their books throughout the year, as well as assisting with tax planning.  I also get involved with some miscellaneous excel projects.  I am currently certified in QuickBooks Online to be our resident QuickBooks ProAdvisor, with desktop certification coming soon.

What do you think is most gratifying about your work? The critical thinking that it can take to help solve client issues with their books.  I love problem solving.

How long have you been with the Firm? Almost 3 years.

What do you like best about working at GJM? The flexibility and the great team environment.

What community organizations or events are you involved in? I am a volunteer football coach at Seneca East High School in Attica.  I’ve always been a football fan, and although Seneca East was a rival high school for me, living in Attica and my cousin being the head coach made me want to help out.

How do you like to spend your spare time? Currently it is spent with my kids and wife, studying for the CPA exam, coaching football, or watching some University of Toledo football games.

Any stories or anecdotes that you think help to convey “who you are?” Amongst my friends, I am known as the lucky one, always happening to be in the right place at the right time for things to happen.  But my argument is a quote from the philosopher Seneca, “Luck is what happens when preparation meets opportunity.”

What is something people may be surprised to find out about you? I have an associate’s degree in Web Design/Digital Imaging in addition to my accounting degree.

Outsource - verb - obtain (goods or a service) from an outside or foreign supplier, especially in place of an internal source.

For years the word outsource struck fear in the hearts of the American workforce. Worried their jobs were heading overseas, people at all levels dug deep to prove their worth in hopes of not being the next victim. The world has changed and so has how a company thinks about outsourcing. Many organizations have taken a hard look internally and recognized that they don’t have to do everything themselves. Forward-thinking organizations are maximizing their internal resources by focusing on the company’s most important initiatives and activities while handing off those that a third party can do better. Software as a Service (SaaS), Infrastructure as a Service (IaaS), or a specialist who provides that focus on one particular service or product are en vogue. The sheer volume of service providers and their capabilities has radically changed. 20 years ago, few would have expected an online retailer like Amazon to be a service provider. We have entered a new world of outsourcing – one defined by changing ambitions, new priorities, and a different set of challenges. 

Third Parties

Reliance on third parties is increasing in every industry, as organizations can gain greater efficiency, effectiveness and cost savings by shifting non-core functions to more experienced providers. As outsourcing grows in popularity and provider options rapidly increase, regulatory oversight is also expanding to monitor the sensitive data and processes that third parties are managing. What must be remembered is that while processes can be outsourced, their inherent risks cannot. Consequently, companies must pay closer attention to how they manage third parties, as they handle sensitive information more often and as regulatory enforcement increases to protect that data.

Internal Controls

When defining your system of internal control, you must consider the additional risks and controls that are handled by the service provider. Your end to end business process will include activities and controls that you as the company execute, and controls that your service provider executes. It is critical to work in concert to minimize the overall risk to your organization. It is also imperative that you gain a level of assurance that the controls at the service provider are designed in a way that address the risk and are placed in operation throughout the fiscal year.

SSAE 18 SOC 1 SOC 2

The most typical way to gain this assurance is through a SSAE 18 SOC 1 or SOC 2 report.  SSAE 18 is the Statement on Standards for Attestation Engagements revision 18 in which the American Institute of Certified Public Accountants (AICPA) attempts to address concerns over the clarity, length, and complexity of its standards. The good news is the updated standard drives further commonalty amongst reports and raises the bar to meet the ever increasing standards set by regulators. Your expectation should be that your service provider will conduct such an assessment on an annual basis and provide you access to the final report.

There are two types of reports that are most commonly useful in this exercise:

SOC 1 – a report on controls at a service organization that may be relevant to a user entities’ internal control over financial reporting.

SOC 2 – a report based on the existing SysTrust and WebTrust principles. The purpose of a SOC 2 report is to evaluate an organization’s information systems relevant to security, availability, processing, integrity, confidentiality or privacy.

You must decide what type of report is best for you. If financial controls are most important, then it’s a SOC 1. If technical controls, then it’s a SOC 2.

You do not manage third party risk with a “check the box” approach. It is not enough to receive a report and file it away. You would not assess your own control environment in such a way. This is the most important lesson that many organizations need to learn. If you are relying on a SOC report as part of your Sarbanes-Oxley efforts, the evaluation of the report needs to be thoroughly documented to demonstrate the effectiveness of the review to your auditors.

Report in Hand: Now What?

Step 1:  Read the report!

• Sounds simple enough, but too often this does not happen
• Does the report have a clean opinion?
• Does it cover the specific services and locations you are concerned about?
• Did a reputable audit firm issue the report?
• Does the report include testing the operating effectiveness of controls for a specific period of time (Type 2 report) or does the report only cover a specific point in time (Type 1)?

Step 2:  Map the controls and key reports to your control environment

• Does the report provide coverage of what you view to be the key controls and supporting reports in the process?
• Are there exceptions and how do they impact the overall control objective?
• Do you come to the same conclusions?
• Does the scope include a subservice organization? If so, do you need additional comfort over their control environment? Often the answer is yes.

Step 3:  Review the complimentary user entity controls

• For SOC 1 and SOC 2 reports, there are controls that you are responsible to perform to ensure the overall control objective or criteria within the report is achieved
• Include the identification and testing of such controls in your overall evaluation

While third parties can increase productivity and provide financial benefits, you retain responsibility for their inherent risks. Implementing a robust process to manage third party risk, including an effective review of service provider issued attestation reports, is mission critical. This is your control environment, so own it.

Matt Hoverman, CISA contributed this blog. Matt is a Director with Gilmore Jasion Mahler, LTD and leads the Firm’s IT consulting practice. He has spent his career helping businesses assess their IT risk level and creating a plan to maximize their technology investments.

Established in 1996, Gilmore Jasion Mahler, LTD (GJM) is the largest public accounting firm in Northwest Ohio, with offices in Maumee and Findlay. Locally owned, GJM offers comprehensive services including assurance, business advisory, tax, risk advisory and healthcare management. The Firm’s professionals specialize in industries including construction & real estate, healthcare, manufacturing & distribution and utilities. Follow us on LinkedIn, Twitter and Facebook.

Now’s the time to move forward with updating your employee retirement plan so that its in compliance with the latest IRS requirements.

Every six years the IRS mandates that retirement plans with pre-approved status update their plan document or restate… to incorporate any recent regulatory or legislative changes. In return, they receive a new “opinion letter” from the IRS.   

We’re in the middle of a two-year restatement period for pre-approved defined contribution plans, which includes 401(k)s. The restatement period started August 1, 2020 and will close July 31, 2022. Since it is the third cycle of defined contribution plan restatement since the Pension Protection Act (PPA) of 2006, it’s also known as Cycle 3 Restatement.   

What does it mean to do a plan restatement? In simple terms it is a complete rewrite of your retirement plan document. It will reflect those mandatory regulatory changes and include any voluntary changes you’ve made to your plan document since your last restatement.

Pre-approved document definition: A pre-approved plan document has fixed provisions and pre-selected choices that can be chosen by the plan sponsor. The pre-approved language has already been reviewed and approved by the IRS. Any employer adopting a pre-approved plan can be confident that the terms of the plan will satisfy IRS code requirements. An important terminology note: “prototype”/ “volume submitter” are terms you’re likely familiar with but are no longer recognized by the IRS. There are now two types of pre-approved plans: standardized and non-standardized. The chart below offers a helpful side-by-side comparison.

Why do you need a plan restatement? As laws and regulations change, so must your plan document to remain in compliance. It must reflect new rules because of acts of Congress and new requirements from the IRS and US Department of Labor.

The IRS released its “Cumulative List of Changes” document in 2017, including new regulations in place since the prior restatement period that ended in April of 2016. But the cumulative list of changes happened before some other major changes included in the SECURE Act and the CARES Act.

SECURE Act and CARES Act changes won’t be part of Cycle 3 (or Post-PPA) restatement, but instead be incorporated separately through good faith amendments. 

Why should you act now? The two-year plan restatement period is already half over. If you don’t do a plan restatement by the July 31, 2022 deadline, you’re subject to IRS penalties and can also jeopardize the plan’s tax status.

Some other important considerations:

• Any plans terminated and cashed out prior to the restatement period will only need to address the changes brought on by the SECURE Act and the CARES Act. They won’t need to do a full restatement.
• Plans you’re considering terminating, are inactive or frozen do need to go through the restatement process.

Our Specialization.

GJM Accounting Services Manager Molly Wolf specializes in employee benefit plans and assists many GJM clients with plan restatement. In many cases she works very closely with those responsible for managing their company retirement plan document. Other times the client prefers to be more hands off with the project. Each business must determine their level of comfort and what works best for them.

“There’s quite a bit involved in terms of evaluating a plan document, ensuring compliance, and avoiding any penalties,” says Wolf. “Quite often the retirement plan manager will step aside and let our team take the lead. That way they can rest assured they’ll stay in compliance.” 

If you have yet to begin your plan restatement, Wolf says you probably don’t want to wait much longer. She says now’s the time to reach out to your service provider to be sure Cycle 3 (Post-PPA) restatement isn’t an afterthought, but a priority. GJM clients in need of a plan document restatement who haven’t begun this work already, are encouraged to reach out to their GJM team to discuss what’s needed.

Molly Wolf is an accounting services manager with over 15 years of experience specializing in employee benefit plans. The first 9 years of her career were spent as a dedicated employee benefit plan auditor. Her expertise also includes consulting for third party plan administration and benefit plan design, compliance testing, payroll integration and reconciliation. Since joining Gilmore Jasion Mahler in September of 2019, Molly continues to provide third party administration services, prepares related tax forms, consults on plan design, and prepares plan documents. She is a graduate of Bowling Green State University with a Bachelor of Science in business administration with accounting specialization

Established in 1996, Gilmore Jasion Mahler, LTD (GJM) is the largest public accounting firm in Northwest Ohio, with offices in Maumee and Findlay. Locally owned, GJM offers cloud-based accounting and provides comprehensive services including assurance, business advisory, tax, risk advisory, healthcare management and outsourced accounting. The firm’s professionals specialize in industries including construction & real estate, healthcare, manufacturing & distribution and utilities.

President Biden has signed into law the $1 trillion Infrastructure Investment and Jobs Act approved by the U.S. House of Representatives. The law will bring infrastructure investments across the country, including improved roads, railroad lines and other public transportation infrastructure.

The new law will also do away with what’s become an important benefit for businesses around the country still working to recover from the financial impact of the COVID-19 pandemic. The Infrastructure Investment and Jobs Act will end the Employee Retention Credit (ERC) early for most businesses. Expanded to certain employers as a result of the American Rescue Plan Act, the ERC had applied to the third and fourth quarters of 2021. Now the ERC will end with the third quarter of this year. In other words, any wages paid out after September 30 of this year won’t be eligible for the ERC.

If your business planned to take advantage of the ERC for the fourth quarter, be sure to be in touch with your GJM team so you can make the necessary adjustments in your business planning as we approach yearend.

We continue to watch developments in Washington, D.C. with the Build Back Better Act as lawmakers continue to work to come to an agreement. The proposed legislation addresses climate policy, social spending and would bring many tax policy changes. Lawmakers are hoping to pass something in the next couple of weeks.  

Established in 1996, Gilmore Jasion Mahler, LTD (GJM) is the largest public accounting firm in Northwest Ohio, with offices in Maumee and Findlay. Locally owned, GJM offers cloud-based accounting and provides comprehensive services including assurance, business advisory, tax, risk advisory, healthcare management and outsourced accounting. The firm’s professionals specialize in industries including construction & real estate, healthcare, manufacturing & distribution and utilities.

The GJM Assurance team has grown in recent weeks, with the addition of Zachary Durliat to the team as an assurance associate. Zach has completed multiple internships with GJM in recent years as part of his studies, and while he may not be a completely new face, we’re sure you’ll get to know him better in this Q&A. Welcome “officially” to the GJM team and family, Zach.

Describe your role at GJM. I am currently an Assurance Associate and have worked on Affordable Housing Audits, Employee Benefit Plans, and assisted on other various projects. I am always looking for way to improve processes whether that is by simply documenting the process or by using technology to aid in the efficiency efforts.

When did you start with GJM? September 7^th, 2021, but had a prior part-time internship in the GJM Tax/Administrative departments and two prior internships in Assurance.

Why did you choose the accounting industry? I like seeing the whole picture of things and accounting is the basis and glue that connects the functions of a business together, so it keeps me connected with all the different aspects of a business (the whole picture).

What do you like best about accounting? I like determining and analyzing the numbers to help find efficiencies and improvements in other aspects of the business.

Are you from the Toledo area originally? If not, where are you from? Arlington, OH (South of Findlay).

What do you like about living in Northwest Ohio? Experiencing the four seasons even when it may be all in one day.

Where did you go to school? High School: Arlington Local ’16, College: Bowling Green State University ’20 & ’21.

Do you have any pets, hobbies, family you'd like to mention? No pets yet but a dog at some point. I enjoy woodworking, snowmobiling, and have three younger sisters.

How do you like to spend your free time? Bake desserts, work in a woodshop, going on walks with my girlfriend, playing recreational sports.

Favorite book? Favorite movie? I have never read or seen any of the Harry Potters, but I played Quidditch at BGSU. I am not the biggest fan of reading books. I prefer watching movies instead. Favorites: The Rookie, Field of Dreams, Miracle on 34^th Street.

Are you involved in any community organizations, do any volunteer work? Not yet but I am looking forward to getting into some.

What is something people may be surprised to find out about you? My parents worked and met at the Findlay office.

Welcome, Zach!

Established in 1996, Gilmore Jasion Mahler, LTD (GJM) is the largest public accounting firm in Northwest Ohio, with offices in Maumee and Findlay. Locally owned, GJM offers cloud-based accounting and provides comprehensive services including assurance, business advisory, tax, risk advisory, healthcare management and outsourced accounting. The firm’s professionals specialize in industries including construction & real estate, healthcare, manufacturing & distribution and utilities.