Accounting
Practice Profile: Thriving on threats
David Sun is almost always in the middle of a security breach.
Or, at least, that was the half-joking apology the advisory principal at CohnReznick gave for being a few minutes late to an interview — though his colleague, Bhavesh Vadhani, a partner and the global leader of the cybersecurity, technology risk and privacy practice, confirmed that it’s truer than Sun’s playful tone suggested.
Sun and his team are indeed very busy, working out of the digital forensics lab facility the Top 25 Firm built outside of Washington, D.C., in mid-2023. The lab was opened in response to the firm expanding its cybersecurity capabilities, according to Sun, and functions as a central location where the firm can help clients identify cyber incidents, collect and keep digital evidence, and guide them in safeguarding against future attacks and breaches.
“It acts as a state-of-the-art digital forensic lab which serves almost like a nerve center for us, for all kinds of cybersecurity engagements, but predominantly focused on cyber incident response, digital forensics, preserving digital evidence, and then helping clients building resilience against future threats,” explained Vadhani. “Part of what David and team do, they go and they analyze, from a digital forensic standpoint, a root-cause analysis standpoint, they go through all these exercises to eventually make sure of whatever they learn from that, not only supporting the clients that they’re engaged with right now during the incident or the digital forensics, but they take those lessons learned and apply them to all the other clients that we have to make them future-ready. That’s the whole purpose of this.”
The latest cyber risks
Cyberthreats are constantly evolving for the security incident response and recovery services and computer forensic and litigation support services practices that Sun leads, as well as CohnReznick’s wider cybersecurity practice. Sun’s team of approximately 10 professionals and the larger cybersecurity practice of 50 to 70 full-time employees, plus contract employees and staff in India, are offering an ever-wider range of services for the roughly 250 to 300 client engagements the cybersecurity team handles per year.
“Historically, as with many accounting firms, the cybersecurity practice was on the proactive side of things,” Sun explained. “The firm saw a strategic benefit in becoming a more full-spectrum cybersecurity practice, more end to end. Beyond proactive [services] we started handling the reactive side.”
In other words, CohnReznick’s cybersecurity practice handles both end of those services — arming clients with proactive strategies to prevent attacks before they happen, and also working with clients after incidents have occurred, though, as Sun said, lately his team is focusing more on that incident response phase.
And while many clients hire CohnReznick after an attack, they quickly learn the value in being prepared for future incidents. “What we find is that on the proactive side, we tend to have singular engagements more so, not saying exclusively, but then what we find is on the reactive side is the one where we often get multiple engagements,” he said. “So it starts with the reactive, and then that usually spawns off to two or three additional [engagements of] ‘OK, how do we keep this from happening?'”
“As you can imagine in the last 10 years, over the last decade, technology has evolved, right?” Vadhani added. “Our businesses have evolved. We are in a digital economy. So in the midmarket, and the larger firms, as we are providing services in cybersecurity, we quickly realized that we needed to provide full-spectrum services. Just providing proactive services alone was not a solution enough for our clients. They were looking for folks who could provide an end-to-end spectrum of services and we had an advantage there where we had in the middle market, especially in many of our industry verticals, deep knowledge and industry expertise so that we could help clients solve business issues from a cybersecurity perspective and that allowed us to then identify a niche there that many of our competitors don’t have. So for us, it came as a niche play and a strategic play, and getting David on board was one of those strategic initiatives for us, so that he could lead that practice and then eventually build the forensic lab.”
Sun joined the firm when the lab opened in mid-2023, bringing 25 years of advanced cybersecurity and digital forensics experience and an eye for schemes that have been around just as long.
“The niche entails a range of proactive cyber services,” he said. “So in today’s day and age, a lot of the things that you see in the news of cyberattacks, ransomware, things like that, those are happening with more and more frequency. And it’s not just large organizations, but every organization, mom-and-pop shops, they’re all being targeted also in different ways, whether it’s a ransomware attack or a wire-transfer fraud, a business email compromise. There’s just a number of [types of attacks] that many companies are still very susceptible to. So we see a lot of that, and that coupled with historically what’s been happening for 20-plus years and continues to happen.”
“For 25 years I’ve been doing this, and ransomware has only been around for eight or so years,” Sun continued. “But what has always been around, and continues to be still a huge piece that nobody talks about, is what I call insider threat, which is, you know, Bob in accounting, Joe in sales, Jane in HR, whatever. And that can be things like people in the accounting department stealing money and misdirecting it for themselves. Or it could be departing employees taking intellectual property rights and/or clients. And again, it’s 20-plus years I’ve been doing this and it still hasn’t stopped.”
But in terms of newer threats, Sun and Vadhani identified a few, including the “North Korean fake employee scam” where the country gains access to company data and money by impersonating a remote U.S. employee, and deep-fake scams where, using artificial intelligence, someone’s likeness is stolen to fool targets on a video or audio call to exchange information.
“We are seeing a lot of those threats surging, especially when organizations just go after the shiny new object, which is AI, without truly understanding the repercussions and the risks associated with it,” Vadhani said. “So there are quite a bit of lessons learned there for many organizations who fall prey to it. It’s things that the companies have to start thinking about beyond just ‘It’s a technology issue, my IT guy will solve it.’ Deep fake is not a technology issue your IT person is going to be able to solve. It’s more training, it’s more vigilance, it’s more coming up with nontechnical ways of validating whether it’s [the real person] or not.”
A helping of ‘special sauce’
CohnReznick’s holistic, proactive cybersecurity offerings are far beyond the capabilities of many IT departments — and they can also involve a learning curve for its clients.
“A challenge we still see, especially in the middle-market companies, is they still don’t consider cyber as a business issue,” Vadhani explained. “They still think cyber is a technical issue, and because of that, they don’t allocate adequate resources towards what should be done, to have an adequate cybersecurity posture program, strategy and technical configurations and resources applied to this so that IT can enable your business. They still think about this as, ‘I’ve given IT a budget. My IT guys should be figuring this out,’ when in reality this is broader than just IT, right? It impacts the business at the heart of it. Somebody clicking a link is not an IT issue. So that’s the kind of thing you still see as common challenges and sometimes clients have varied opinions of that.”
The CohnReznick cybersecurity practice’s broad scope, meanwhile, includes working on investigations for clients as unique as U.S. state attorney generals. The team then brings those lessons to other clients, which span a variety of industry verticals — all which are susceptible to cyberthreats, Vadhani emphasized.
“We use our forensic lab for many of those investigations and whatever we learn through that, because at the end of the day, the state attorney generals are then investigating organizations who had data breaches impacting their constituents,” Vadhani explained. “We understand from the settlement terms or legal enforceable actions, what are the things that our clients should be proactively thinking about as they design their cybersecurity strategy and program and how they set up their entire teams and technical configurations. So we essentially bring all these different elements that organizations need to think about, or may have thought about, but they’re not enhancing it on a regular basis. We bring all of that together and then help them mature their overall program and their posture.”
One recent improvement had universal applications — and could have even prevented the recent Chinese attacks on Microsoft, according to Sun.
“What is very, very popular is our Microsoft 365 security assessment,” he said. “This is, I would say, an industry-leading service that we have. So Microsoft 365 — great cloud platform, but unfortunately it has lots of problems with how it’s launched by default. As a result, there’s a tremendous number of business email compromises that occur within Microsoft 365 and we’ve responded to hundreds, maybe even thousands of these at this point. And what we found is the same commonalities between all our clients who’ve had an incident, the same issues. And so what we did was we created a highly focused, highly targeted Microsoft 365 assessment, and with that we examine all of the security settings in Microsoft 365 and talk to clients and point out where they are not meeting industry benchmarks that have been established.”
Based on this, the firm has developed “what we refer to as the CohnReznick special sauce,” Sun continued. “That CohnReznick special sauce is about 13 to 25 settings that even the industry’s standard benchmark people don’t talk about or know about, but that we have seen through all our forensic responses.”
“Microsoft actually had an incident eight months ago where the Chinese hacked into Microsoft 365, and Microsoft did the full forensic analysis and issued a report about what the vulnerability was that the Chinese exploited,” he explained. “Well, that vulnerability we have been including in our CohnReznick special sauce for over a year, because we had seen that in other places also. So, if Microsoft had gotten our service, they might not have gotten hacked by the Chinese.”
Depth and breadth
The same level of precision is brought to the firm’s wider client engagements, according to Vadhani. “If their organization is looking at a cybersecurity governance or strategy or program, things that we learn generally during our forensics and security response recovery engagement — it’s not just technical issues, it’s a combination of everything. Including if your governance documents were not updated, or your roles and responsibilities that we identified through the investigations were outdated. Your board was not informed, the communication plan was not in place — so there are many things.”
CohnReznick’s holistic assessment and services include AI’s ever-expanding reach, for which Vadhani offers some general tips to firms utilizing the technology.
“AI governance is very important. Transparency and accountability within AI is very important,” he explained. “Sure, nobody’s saying don’t use AI, but understand what you’re doing, why you’re doing it. Have transparency in it. Make sure everybody understands what the tool is supposed to do and what the outputs are supposed to be. Make sure there’s adequate guardrails and governance in place. Train your employees on how to detect anomalies or patterns, or how do you detect if AI is going rogue on you? Because you’re training AI on something, it’s supposed to do a set of activities. How do you know it’s not doing activities plus something else that you’re not aware of? So there’s a lot of aspects to this where you need to train your AI properly. You need to train your people properly so that you’re keeping the human in the loop and making sure AI does not go rogue. Along with that, making sure that there is enough transparency and accountability in the entire process, and that there’s no bias, there’s no ethical dilemmas that you’re creating using AI. Because all of those can be exploited and will be exploited.”
CohnReznick’s cybersecurity practice also provides an essential service to audit clients, Sun said, vetting any cybersecurity incidents impacting their financial statements “to help make sure that we can then be comfortable attesting to the organization, to the financials going forward.”
“And again, I think that’s part of what makes us a little more special,” Sun continued, “because I don’t think any other accounting firm has that level of expertise, when it comes to that component of a financial audit.”
Despite the breadth of the cybersecurity team’s offerings, Sun laments, “Unfortunately a lot of clients are still asking, ‘Hey, I’ve just been attacked, please come help me.'”
But Sun is optimistic about the tide starting to turn.
“What we’re seeing though, is for the clients that are a little smarter or a little more proactive, a little more willing to get ahead of it, they’re doing the security assessments and all the types of protective measures,” he shared. “But then they’re also saying, ‘OK, we’re going to do everything we can to protect ourselves, but what happens is we still get attacked anyway. How can we be the most prepared and ready for it?’ So it’s [making] sure you’re going to do everything you can to prevent the house from burning down. But let’s do some fire drills anyways, just in case. So everybody knows when or if a fire alarm gets pulled, you know where the nearest exit is. How do you get out? Where do you regroup? All those types of things, right?… And so we’re seeing more — not enough, but more — clients get into that, make a concerted effort to get smarter and be more rehearsed in those areas.”
The Financial Accounting Standards Board met this week to discuss its projects on accounting for transfers of cryptocurrency assets and enhancing the disclosures around certain digital assets, such as stablecoins.
Processing Content
During Wednesday’s meeting, FASB’s board made certain tentative decisions, according to a
At a future meeting, the board plans to consider clarifying the derecognition guidance for crypto transfer arrangements to assess whether the control of a crypto asset has been transferred.
FASB also began deliberations on the
The board decided to provide illustrative examples in Topic 230, Statement of Cash Flows, to clarify whether certain digital assets such as stablecoins can meet the definition of cash equivalents. It also decided to include the following concepts in the illustrative examples:
- Interpretive explanations that link to the current cash equivalents definition;
- The amount and composition of reserve assets; and,
- The nature of qualifying on-demand, contractual cash redemption rights directly with the issuer.
FASB plans to clarify that an entity should consider compliance with relevant laws and regulations when it’s creating a policy concerning which assets that satisfy the Master Glossary definition of the term “cash equivalents“ will be treated as cash equivalents.
“I agree with the staff suggestion to look at examples,” said FASB vice chair Hillary Salo. “From my perspective, I think that is going to help level the playing field. People have been making reasonable judgments. I agree with that. And I think that this is really going to help show those goalposts or guardrails of what types of stablecoins would be in the scope of cash equivalents, and which ones would not be in the scope of cash equivalents. I certainly appreciate that approach, and I think it has the least potential impact of unintended consequences, because I do agree with my fellow board members that we shouldn’t be changing the definition of cash equivalents, and it’s a high bar to get into the cash equivalent definition.”
“I’m definitely supportive of not changing the definition of cash equivalents,” said FASB chair Richard Jones. “I believe that’s settled GAAP in a way, and we’re not really seeing a call to change it for broader issues. I am supportive of the example-based approach. The challenge with examples, though, is everybody’s going to want their exact pattern, but that’s not what we’re doing.”
The examples will explain the rationale for how digital assets such as stablecoins do or do not qualify as cash equivalents and give a roadmap for other types of digital assets with varying fact patterns to be able to apply.
“We really don’t want to be as a board facing a situation where something was a cash equivalent and then no longer is at a later date,” said Jones. “That’s not good for anyone, so keeping it as a high bar with certain rigid criteria, I think, is fine.”
Stablecoins are supposed to be pegged to fiat currencies such as U.S. dollars and thus provide more stability to investors. “In my view, while a stablecoin may meet the accounting definition established for cash equivalents, not every one of those stablecoins in the cash equivalent classification represents the same level of risk,” said FASB member Joyce Joseph.
She noted that the capital markets recognize the distinctions and have established a Stablecoin Stability Assessment Framework to evaluate a stablecoin’s ability to maintain its peg to a fiat currency. Such assessments look at the legal and regulatory framework associated with the stablecoin, and provide investors with information that could enable them to do forward-looking assessments about the stability of the stablecoin.
“However, for an investor to consider and utilize such information for a company analysis the financial statement disclosures would need to include information about the stablecoin itself,” Joseph added. “In outreach, the staff learned that investors supported classifying certain stablecoins as cash equivalents when transparent information is available about the entities at which the reserve assets are held. Therefore, in my view, taking all of this into consideration a relevant and informative company disclosure would include providing investors with the name of the stablecoin and the amount of the stablecoin that is classified as a cash equivalent, so investors can independently assess the liquidity risks more meaningfully and more comprehensively by utilizing broader information that is available in the capital markets and its emerging information.”
Such information could include the issuer, reserves, governance and management, she noted, so investors would get a more holistic look at the risks that holding the stablecoin would entail for a given company.
The board decided to require all entities to disclose the significant classes and related amounts of cash equivalents on an annual basis for each period that a statement of financial position is presented.
Entities should apply the amendments related to the classification of certain digital assets as cash equivalents on a modified prospective basis as of the beginning of the annual reporting period in the year of adoption.
FASB decided that entities should apply the amendments related to the disclosure of the significant classes and amounts of cash equivalents on a prospective basis as of the date of the most recent statement of financial position presented in the period of adoption.
The board will allow early adoption in both interim and annual reporting periods in which financial statements have not been issued or made available for issuance.
FASB also decided to permit entities to adopt the amendments to be illustrated in the examples related to the classification of certain digital assets as cash equivalents without the need to perform a preferability assessment as described in Topic 250, Accounting Changes and Error Corrections.
The board directed the staff to draft a proposed accounting standards update to be voted on by written ballot. The proposed update will have a 90-day comment period.
Senators introduced several pieces of tax-related legislation this week, including measures aimed at improving customer service at the Internal Revenue Service, cracking down on tax evasion and curbing the carried interest tax break, in addition to efforts in the House to repeal the Corporate Transparency Act.
Processing Content
Senators Bill Cassidy, R-Louisiana, and Mark Warner, D-Virginia, teamed up on introducing a bipartisan bill, the
The bill would establish a dashboard to inform taxpayers of backlogs and wait times; expand electronic access to information and refunds; expand callback technology and online accounts; and inform individuals facing economic hardship about collection alternatives.
“Taxpayers deserve a simple, stress-free experience when dealing with the IRS,” Cassidy said in a statement Wednesday. “This bill makes the process quicker and easier for taxpayers to get the information they need.”
He also mentioned the bill during a
“I’m happy to meet with the team … and do all I can to make it as good as you want it to be,” said Bisignano.
“My bill would equip the IRS with the legislative mandate to create an online dashboard so that taxpayers can monitor average call wait time and budget time accordingly,” said Cassidy. He noted that the bill would allow a callback for taxpayers that might need to wait longer than five minutes to speak to a representative, and establish a program to identify and support taxpayers struggling to make ends meet by providing information about alternative payment methods, such as installments, partial payments and offers in compromise.
“I know people are kind of desperate and don’t know where to turn for cash, so I think this could really ease anxiety,” he added. “This legislation is bipartisan and is likely to pass this Congress.”
Cassidy and Warner
“Taxpayers shouldn’t have to jump through hoops to get basic answers from the IRS — and in the last year, those challenges have only gotten worse,” Warner said in a statement. “I am glad to reintroduce this bipartisan legislation on Tax Day to ease some of this frustration by increasing clear communication and making IRS resources more readily available.”
Stop CHEATERS Act
Also on Tax Day, a group of Senate Democrats and an independent who usually caucuses with Democrats teamed up to introduce the Stop Corporations and High Earners from Avoiding Taxes and Enforce the Rules Strictly (Stop CHEATERS) Act.
Senate Finance Committee ranking member Ron Wyden, D-Oregon, joined with Senators Angus King, I-Maine, Elizabeth Warren, D-Massachusetts, Tim Kaine, D-Virginia, and Sheldon Whitehouse, D-Rhode Island. The bill would provide additional funding for the IRS to strengthen and expand tax collection services and systems and crack down on tax cheating by the wealthy.
“Wealthy tax cheats and scofflaw corporations are stealing billions and billions from the American people by refusing to pay what they legally owe, and far too many of them are getting a free pass because Republicans gutted the enforcement capacity of the IRS,” Wyden said in a statement. “A rich tax cheat who shelters mountains of cash among a web of shell companies and passthroughs is likelier to be struck by lightning than face an IRS audit, and Republicans want to keep it that way. This bill is about making sure the IRS has the resources it needs to go after wealthy tax cheats while improving customer service for the vast majority of American taxpayers who follow the law every year.”
Earlier this week. Wyden also
The Stop CHEATERS Act would provide the IRS with additional funding for tax enforcement focused upon high-income tax evasion, technology operations support, systems modernization, and taxpayer services like free tax-payer assistance.
“As Congress seeks ways to fund much-needed policy priorities and address our growing national debt, there is one common sense solution that should have unanimous bipartisan support: let’s enforce the tax laws already on the books,” said King in a statement. “Our legislation will make sure the IRS has the resources it needs to confront the gap between taxes owed and taxes paid – while ensuring that our tax enforcement professionals are focused on the high-income earners who account for the most tax evasion. This is a serious problem with an easy solution; let’s pass this legislation and make sure every American pays what they owe in taxes.”
Carried interest
Wyden, King and Whitehouse also teamed up on another bill Thursday to close the carried interest tax break for hedge fund managers that
Carried interest is a form of compensation received by a fund manager in exchange for investment management services, according to a
Under the bill, the
“Our tax code is rigged to favor ultra-wealthy investors who know how to game the system to dodge paying a fair share, and there is no better example of how it works in practice than the carried interest loophole,” Wyden said in a statement. “For several decades now we’ve had a tax system that rewards the accumulation of wealth by the rich while punishing middle-class wage earners, and the effect of that system has been the strangulation of prosperity and opportunity for everybody but the ultra-wealthy. There are a lot of problems to fix to restore fairness and common sense to our tax code, and closing the carried interest loophole is a great place to start.”
Repealing Corporate Transparency Act
The House Financial Services Committee is also planning to markup a bill next Tuesday that would fully repeal the Corporate Transparency Act, which has already been significantly
If enacted, the repeal would eliminate beneficial ownership reporting requirements, removing a transparency measure designed to help law enforcement and national security officials identify who is behind U.S. companies.
“This repeal would turn the United States back into one of the easiest places in the world to set up anonymous shell companies, something Congress worked for years to fix,” said Erica Hanichak, deputy director of the FACT Coalition, in a statement. “These entities are routinely used to facilitate corruption, financial crime, and abuse. Rolling back the CTA doesn’t just weaken transparency, it signals to bad actors around the world that the U.S. is once again open for illicit business.”
The Internal Revenue Service rarely penalizes taxpayers who have high balances in foreign bank accounts and fail to file the proper forms, according to a new report.
Processing Content
The
Taxpayers with specified foreign financial assets that meet a certain dollar threshold are also required to report the information to the IRS by filing Form 8938. Failure to file the form can result in penalties of up to $60,000. However, TIGTA’s previous reports have demonstrated that the IRS rarely enforces these penalties.
The IRS created an Offshore Private Banking Campaign initiative to address tax noncompliance related to taxpayers’ failure to file Form 8938 and information reporting associated with offshore banking accounts, but it’s had limited success.
Even though the initiative identified hundreds of individual taxpayers with significant foreign bank account deposits who failed to file Forms 8938, the campaign only resulted in relatively few taxpayer examinations and a small number of nonfiling penalties. The campaign identified 405 taxpayers with significant foreign account balances who appeared to be noncompliant with their FATCA reporting requirements.
The IRS used two ways to address the 405 noncompliant taxpayers: referral for examinations and the issuance of letters to them.
- 164 taxpayers (who had an average unreported foreign account balance of $1.3 billion) were referred for possible examination, but only 12 of the 164 were examined, with five having $39.7 million in additional tax and $80,000 in penalties assessed.
- 241 noncompliant taxpayers (who had an average unreported account balance of $377 million) received a combination of 225 educational letters (requiring no response from the taxpayers) and 16 soft letters (requiring taxpayers to respond). None of the 241 taxpayers were assessed the initial $10,000 FATCA nonfiling penalty.
“While taxpayers can hold offshore banking accounts for a number of legitimate reasons, some taxpayers have also used them to hide income and evade taxes,” said the report.
Significant assets and income are factors considered by the IRS when assessing whether taxpayers intentionally evaded their tax responsibilities, the report noted. Given the large size of the average unreported foreign account balances, these taxpayers probably have higher levels of sophistication and an awareness of their obligation to comply with the law.
TIGTA believes the IRS needs to establish specific performance measures to determine the effectiveness of the FATCA program. “If the IRS does not plan to enforce the FATCA provisions even where obvious noncompliance is identified, it should at least quantify the enforcement impact of its efforts,” said the report. “This will ensure that IRS decision makers have the information they need to determine if the FATCA program is worth the investment and improves taxpayer compliance.
TIGTA made three recommendations in the report, including revising Campaign 896 processes to include assessing FATCA failure to file penalties; assessing the viability of using Form 1099 data to identify Form 8938 nonfilers; and implementing additional performance measures to give decision makers comprehensive information about the effectiveness of the FATCA program. The IRS disagreed with two of TIGTA’s recommendations and partially agreed with the remaining recommendation. IRS officials didn’t agree to assess penalties in Campaign 896 or with implementing performance measures to assess the effectiveness of the FATCA program.
“From our perspective, TIGTA’s conclusions regarding IRS Campaign 896 are based, in part, on a misguided premise and overgeneralizations, including the treatment of ‘potential noncompliance’ as tantamount to ‘egregious noncompliance’ that warrants a monetary penalty without contemplating the variety of justifications that may exempt a taxpayer from having to file Form 8938,” wrote Mabeline Baldwin, acting commissioner of the IRS’s Large Business and International Division, in response to the report.
What that means for consumer loans
Checks and Balance newsletter: Of God and MAGA
Why software stocks, 2026’s market dogs, have joined the rally
Armanino adds Strategic Accounting Outsourced Solutions
New 2023 K-1 instructions stir the CAMT pot for partnerships and corporations
