Skip to main content
Business people discussion advisor concept

Q3 2024 Financial Reporting Recap

Read about key Q3 accounting developments and other topics related to your financial reporting.

In the “Quarterly Perspectives: Financial Reporting & Beyond / Q3 2024” webinar from Forvis Mazars, we examined federal oversight of pandemic funding and the types and use of System and Organization Controls (SOC) reports and what they could mean for your organization. We also looked at other topics that may influence your current and future financial reporting. Read our webinar recap below and sign up for our upcoming webinars for more timely insights.

Looking Back

Nonprofits

During the past quarter, we observed that most of the federal funding distributed during the COVID-19 pandemic has been spent. Federal agencies are significantly increasing their follow-up as they review fund use for fraud and waste, focusing on oversight, accountability, and transparency.

Leases

Sale leaseback transactions remain a popular mechanism for freeing up cash flow, but they often fail the accounting tests to qualify. Some individuals do not involve their accountants or auditors to make sure they are creating qualified transactions.

SOC Reporting

It’s important that organizations use the proper type of SOC report as part of their controls and to support the financial audit, particularly as they move to the cloud.

We often see entities using a service organization to outsource some processing offsite instead of doing everything in-house. However, the outside service organization doesn’t have all the responsibility for related internal controls. Entities should have complementary user entity controls (CUECs) within their environment that map to the controls the service organization expects their customers to have.

We’ve observed a number of SOC reports with bridge letters—addressing the gap period between the SOC report end date and the actual customer year-end— covering a gap greater than 90 days, which can be problematic for auditors. More details are provided on SOC reports later in this article.

Here & Now

Pandemic Funding

A significant amount of COVID-19 pandemic assistance went to individuals, businesses, nonprofits, governments, and healthcare organizations. Only a relatively small proportion of entities probably didn’t receive any related funding. According to the federal website Pandemic Oversight, through September 2021, more than $5 trillion was provided in pandemic funding, including an estimated $1.1 trillion for individuals and $1 trillion for unemployment.

Accounting professionals have had to understand each type of funding and how it should be accounted for. For example, Paycheck Protection Program (PPP) loans may have potentially been accounted for under either a grant model or a debt and forgiveness model. Employee Retention Credits (ERCs) also raised questions regarding who will get money and what will happen with filings. Rules for funding have continued to change, such as the Provider Relief Fund for healthcare organizations (dentist offices or nursing homes), which was especially challenging for organizations that may not have received federal funding before and now must follow program requirements.

The trillions in pandemic funding prompted Congress to form the Pandemic Response Accountability Committee (PRAC) to oversee the various programs. The group will continue to operate for a few years after all the funding has been disbursed and enforcement actions are anticipated through the relevant federal agencies. One area of oversight is ERCs, where voluntary disclosure programs were opened by the IRS in an effort to recoup funds after some ineligible individuals made claims based on advice from bad actor advisors. Officials also are focused on PPP loans, with the Small Business Administration estimating that 70,000 PPP loans may be fraudulent.

We have also observed an increase in external audit findings of government and nonprofit funding where some documentation doesn’t exist due to turnover or other complications, and government agencies seek repayment or an explanation. Organizations concerned about the government investigating their use of pandemic funding should make sure they have proper documentation. If any information is lost, they should go back and try to “recreate the wheel” and begin contingency planning if they are not going to be able to, including talking to the agency. In addition, some recipients are failing to recognize they are subject to incremental governmental reporting or federal Single Audit compliance requirements.

We asked our audience, “Did your organization receive any federal pandemic funding (PPP loan, ERC, grants)?

SOC Reports

The two most typical SOC report forms are SOC 1 and SOC 2, which are helpful to review if an entity is outsourcing an activity to a service organization. A SOC 1 report addresses processing and, importantly, controls relevant for financial reporting. It is the most common report that user organizations will need for details on what their service organization will do, as it affects financial reporting.

A SOC 2 report is broader and addresses nonfinancial types of risk, such as security availability, privacy, and confidentiality. But in the absence of a SOC 1 report, a SOC 2 report can address some control objectives, especially around security and access. Some service organizations will have both reports to cover themselves from a financial reporting perspective as well as a process integrity standpoint. Business partners, customers, and regulators may be interested in both reports. Entities considering outsourcing processes will likely be interested in both areas. But a customer (user) and its external auditor will have a primary focus on elements addressing financial reporting related control objectives.

There are two types of SOC reports. Type 1 is as of a specific point in time and includes design and implementation of controls. Type 2 also includes testing the operating effectiveness of the identified controls over a specified period of time; for example, six months to a year. The type and form of SOC report describe the report, such that a service provider may have a Type 1 SOC 1 report.

Management of service organizations may provide bridge letters to users to cover any “gap period” between the issuance of the last SOC Type 2 report and whatever time period aligns with the reporting dates of a user. However, bridge letters covering a period longer than 90 days are typically not acceptable by external auditors that may want to rely on the SOC report in testing controls.

When evaluating a SOC report, users should consider the following, in part because the external auditors are interested in these as well:

  • Nature of services provided or what operating centers are covered. A service organization could have multiple services and locations that aren’t all covered by the SOC report.
  • Applications covered and key reports coming from these applications.
  • Period covered by the report’s scope and if an appropriate bridge letter is available.
  • Whether the report has an unqualified (“clean”) opinion.
  • Are there any expected CUECs that should be in place?
  • Anything the service provider outsources to a third party and how it is handled in the opinion.

We asked our audience, “Did your organization have a delay in getting a SOC report this year?”

Conversations You Should Be Having

As we approach the new year, we encourage accounting professionals to shore up internal control over financial reporting. Remote work, talent shortages and turnover, new technologies, complex transactions, and complex accounting decision trees can lead to material misstatements and weaknesses. In addition, expect to see continued oversight of federal money and more SOC reports that are qualified.

Forvis Mazars will continue to cover the latest in the accounting profession at our next Quarterly Perspectives webinar. Register now!

If you have any questions or need assistance, please reach out to a professional at Forvis Mazars.

Related FORsights

Like what you see?
Subscribe to receive tailored insights directly to your inbox.