Small business online security update

I attended another online security program last week at the New Jersey CPA convention. This remains a topic of major concern for all types of technology users. My focus is on practical solutions for small business user issues. Yesterday an alarming show on National Public Radio reinforced the conclusion that these online security problems will get worse for us before they get better. This should prompt us to re-examine our own security protocols.

What if we assume that all of our online data security has already been breached and all of our online data is already available to potential hackers? The simple question that remains is what can we do as technology users to ensure our own security in an environment of ongoing online security breaches?

The combination of secure password management plus second factor authentication remains the best available solution.

I asked a question at the NJCPA seminar about the current thinking on random password generators and password management systems like Lastpass. This approach remains the #1 way to ensure the use of unique randomly generated long passwords for each online service that we use. This is the best way to ensure primary access (username and passwords). Its effectiveness, however, is based on our ability to keep a single master password secure. That is a significant issue since the ability to remember a master password without recording it can still be a challenge.

I first reviewed Lastpass in 2012 for the NJCPA technology blog and found it to be an effective solution for small business users.

Online security can be further enhanced by using two-factor authentication (2FA). One of the simplest and most effective is Yubikey. The video below introduces the product. The cost is about $50 to $100 per user. Unlike other solutions, this is a one-time cost, not a subscription.

Small businesses should use more than one Yubikey to protect from the possibility of loss of a user’s key. One-person businesses can incorporate a trusted adviser’s key into their own account in the event that a key is lost or destroyed. A CPA or other adviser working remotely can use the combination of the client’s verbal password plus his own 2FA to remotely deactivate the 2FA in the client’s account in the event of an emergency.

Other methods of 2FA are biometric scanning (fingerprints or facial recognition) or smartphone text message codes.

In summary, the combination of Lastpass plus Yubikey remains an effective, most secure and cost-effective approach to small business online security. While I am aware that there are similar products in the marketplace, these are the market share leaders and so I choose to focus my recommendations and reviews on these name brand solutions.

I strongly recommend that a review of security protocol should be included in all personal financial planning and small business accounting engagements. I would be pleased to discuss these issues as they relate to your small business.

Need more information? Please let me know how to reach you for a free consultation. I serve clients across the country by phone or Skype or can meet in person in the Philadelphia region. Your contact information is not shared with anyone.


CPA-prepared financial statements

A question came up from a small nonprofit business client yesterday for the second time this month. The request was to produce a financial statement for the client’s Treasurer. I found myself thinking about the best words to use to clarify my position. I want to help by making this an easy and seamless process for them but I am bound by specific requirements that we have not yet addressed.

Both the former Treasurer and the incoming Treasurer made requests for different types of financial reports. The in-house bookkeeper doesn’t have any need to understand the difference between reports that she generates with my assistance and reports that I could produce in response to her boss’s request. My job is simply to fulfill the information request as allowed within the boundaries of my work.

Perhaps my best response is: “I am pleased to help your organization with financial statements. However, I must follow the standards established by my profession. Our current engagement agreement does not meet these standards. Let’s discuss how to proceed.”

Of course I understand that clients don’t care about CPA professional standards. That’s my burden. I must bridge the gap between what the client wants and what the profession demands in the easiest and most efficient manner.

The requirements for CPA-prepared financial statements are listed here in an AICPA document known as “AR-C Section 70”. Perhaps the most value I can provide for many small business clients may be to show them when these requirements do not apply. We can avoid these additional requirements when I am engaged to:

  • prepare financial statements only for tax returns
  • audit, review or compile financial reports
  • assist with the instruction or operation of the in-house bookkeeping or accounting system to manually or automatically generate financial reports
  • show how to produce financial reports within QuickBooks or other software
  • provide litigation support
  • provide personal financial planning

A small business client’s need for financial statements can often be covered by one of these exceptions, saving both time and money. It is worth spending the time to plan our work accordingly. The details should be clarified in a written agreement that makes sense to the small business client’s key personnel and, when necessary, documents our understanding of how we met the requirements for CPA-prepared financial statements.

I am pleased to discuss how your organization can most effectively meet the need for CPA-prepared financial statements. Just make a call or submit an online inquiry below.


It’s time for a fresh look at computer backup

I revisit this topic of data backup occasionally and I think you should too. The simple question is ‘What’s the best way to keep my digital data safe from disaster?’

The conversation involves several steps. First, it is important to recognize the range of risks. It does no good to have a backup system that protects you from every possibility except the one that just wiped out your data. We need to consider a wide range of possible disasters: disk crash, theft, network or connectivity failure, cyber crime, malicious software attack or even something as mundane as incompatible software updates. Odd as it may sound, our disaster recovery plan should even attempt to protect against risks that we don’t even know about yet.

Consumer Reports did a good job of identifying the basic data security issues in its April 2016 edition but completely omitted product recommendations. (I don’t know why, but CR seems to be headed in this direction and it is confusing to readers who have come to rely on the publication for product reviews.)

There is no single perfect backup solution. If you have a backup drive in the same location as your PC, for example, then both are vulnerable to the same risks. If you use a cloud-based solution then your data may be unavailable in a disaster if you lose internet access. It makes sense to consider as many possible disasters as we can imagine and use multiple approaches to address the risks.

Second, it makes sense to take a fresh look at what people are saying about the popular backup products and services. This seems to be not so easy lately.

I use a simple, cost-effective solution using several 2TB to 4TB external drives running Windows 10 File Recovery program. Windows 10 actually includes two different backup programs: File History and Windows Backup and Restore. File History automatically saves multiple versions of your files, so you can go back in time and restore a previous version file before it was changed or deleted. The Backup and Restore program creates a single backup copy of the latest version of your files. It can be run manually or on an automated schedule. Backup and Restore can also create a system image which is a snapshot of your entire system—operating system, programs, documents, and all—which makes it easy to restore everything in the event of a disk crash. I use all three of these programs: File History, Backup and System Image.

Lately I’ve noticed that the USB connected backup drive is not working properly on my PC. Apparently the USB connections became loose over time so that the drive is not working properly to back up data. There are better/faster cable connections but my 18 month old primary machine doesn’t have them.

I was surprised that in an informal discussion of data backup nobody even mentioned Windows 10 backups.

Networked drives called “NAS” are a more popular option especially for systems where multiple drives and devices must be backed up. These are reportedly slower when it comes to copying a whole drive over a wireless connection. A higher speed ethernet connection could solve that issue. However, this only works when you are physically located at home or office where the network is located, which isn’t very often for me.

I’ve used online or cloud-based systems like Carbonite and OneDrive and Google Drive with great success. Theoretically, I could even use my own NAS with a remote connection.

So right now I am using a combination of two USB drives and various cloud-based systems but am not thrilled with any of them. I’d love to hear what’s working for you for home-based or small business data backup.

It’s not too late for professional tax filing services!

It is still possible to get fast and efficient late season tax services with the full professional attention that your important tax and financial details deserve. I reserve some time late in the season to accommodate new clients and, in fact, this has become a primary marketing tool of my tax practice.

Timing: I offer a limited number of 2nd business day tax return preparation services after submission of your required information. While I welcome face-to-face meetings, this is often not practical late in tax season. This might be better scheduled for a later date. When appropriate, I offer to prepare an estimated tax payment and file an extension to allow more time for filing.

Pricing: Online tax filing service usually costs less than walk-in tax offices. You’ll typically save 1/3 of the fee by using an online tax service and get the work done faster without the need to make a trip outside your home or office. However, a late season surcharge may be added to review documents and discounted rates do not apply for services that do not use the cost-saving procedures of online tax filing. Tax filing extensions, when necessary, are offered at no additional charge.


Here’s how it works:

  1. First check out the online privacy and security policy. You may also want to read a sample tax services agreement.
  2. Send a text message to 856-723-0294 or email to asking for a personal online portal at no charge. I need your name and email address to open the private online portal.
  3. Send a copy of last year’s tax return and this year’s documents using the secure personal online portal. Follow the simple instructions in the email I send. (You may use text photos, email or fax or any other method but these do not offer the same level of security).
  4. I review your submitted information without cost or obligation. We discuss any specific questions you have by phone, text or email – also without cost or obligation.
  5. I will send a tax services agreement and invoice. My fee for online tax services is typically about 1/3 less than walk-in tax services (see this sample fee schedule) but a $100 fee applies to tax returns in the last two weeks before a tax filing deadline. (You can avoid the surcharge by filing early or allowing me to file an extension to file later). You sign electronically and pay online using the secure payment processing system.
  6. Within 2 business days after receipt of your signature and fee payment I send the prepared tax return (not filed) for approval or ask for more information.
  7. When you check and approve the tax return, electronically sign the approval to E-file. I normally require a minimum of 48 hours to prepare and then later review the tax return before submission. The review is a separate process that distinguishes professional service from most walk-in tax services but this process requires some patience.
  8. I send proof of e-filing. If you expect a refund, IRS typically reports the status online at Where’s My Refund page within days. Average refund time using direct bank deposit has been about 7 days.

The important thing is for us to stay in communication throughout the process. Text messaging works best for most people. Delays or miscommunication can prevent the timely completion of the work.

This page is an overview and introduction, not a service contract. The terms of service are included in the tax services engagement agreement.


The latest on internet security

I’m disappointed with the reporting of internet security issues this week. In this divisive world of fake news, the latest political action and public reaction only muddy the core issues. It appears that few news reporters and even fewer readers have an understanding of the issue. Overall, it seems fair to say that there has been more misinformation than useful public information. This blog post summarizes some basic points on the issue.

  • Internet security remains a significant concern of individuals and businesses. I’ve written about specific small business concerns and remedies more than a dozen times here in my blog.
  • In December 2016 the Federal Communications Commission issued a regulation titled “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services”. It appears that few people or reporters have actually read the regulation. I skimmed it, but I don’t pretend to have any detailed understanding of the pros and cons of the regulation. Unfortunately, other writers who didn’t read the regulation seem to act as if they did.
  • The December 2016 regulation created a tougher standard to allow internet providers to sell user information. Instead of “opt out” like we are familiar with for the use of cold calling by telephone, the new regulation requires an “opt-in” requirement. The new standard was tougher and offered users a higher basic level of protection. However, it created an uneven playing field for sale of personal information since other big data firms were not subject to the rule.
  • The new rule was instituted with a 90 day waiting period, so it did not become effective.
  • This week both houses of Congress passed a resolution to repeal the regulation.
  • The White House supports the repeal action and President Trump is likely to sign the order into law.
  • The regulation had not taken effect, so neither the regulation nor the recent action by Congress actually has had any real effect on our lives.
  • We see widespread public outcry against Congress’ action and the president’s support of the move, but it is unlikely that public opinion will have any impact in this matter.
  • Several articles were published this week on the topic of ‘what can consumers do now to protect privacy’. Some of those articles contain false information. For example, this article in Vogue says that Firefox browser is safer than Chrome because it allows a higher degree of user control of plug-ins. Taken as a whole, that statement is false.

My advice to small businesses remains the same as always: assume that there is no internet privacy. Understand that there are two types of business attitudes toward online security: 1) those that have to respond because they have already been hacked, and 2) those who don’t know it yet.

Allowable discrimination in small business operations

There are no legal protections from discrimination in service based on political affiliation or expression

A story in the New York Post raises an interesting legal point about allowable discrimination in small business management.

When discussing the topic of discrimination in a small business setting it makes sense to first recognize the terms “legal discrimination” and “illegal discrimination”. The importance of this point was hammered home for me years ago when I worked with a prominent black community leader in Philadelphia who repeated “we don’t tolerate any type of discrimination” and I had to repeatedly explain to him that every one of the city’s many employee benefit plans contained provisions for allowable discrimination. Yes, discrimination exists and is legal. Discrimination in providing business service is legal and allowable in any business situation except where protected by law.

Second, it is important to recognize that the definition of illegal discrimination changes depending on jurisdictions that may protect additional groups of people. Under federal law, a business cannot deny service to someone because of his or her race, color, religion, national origin or disability. Also, in some places you also cannot discriminate against people because of their sexual orientation based on state or local law. But if there is no state, federal or local law prohibiting discrimination in public accommodations against a particular group of people, then the business can legally refuse to serve that group of people. There is no protection from discrimination of service on the basis of political affiliation or political opinion or political expression. It is legal to refuse to serve Trump supporters, or Obama supporters, or groups of sports fans, or whatever, as long as it is not a protected group. (This legal standard for providing service is different from employment law, for example, if the man wore his hat to a job interview and got the same treatment then this would be illegal under federal law).

It would appear that the case in the New York Post article is a nuisance lawsuit with no violation of federal or state law. The attorney’s best bet is to create another legal theory to support his claim but he cannot win on the basis of illegal discrimination. He should have known better that he has no basis for a legal claim over discrimination. Perhaps the bar owner can make a counter claim against the complainant to recover legal costs of defense and damages to his business reputation. As a practical matter, however, it is difficult for a business owner to recover the cost of a nuisance lawsuit.

I’ve discussed in my small business blog examples of allowable political discrimination strategies that may be appropriate. These tactics are used now in places like Philadelphia and New York City. Businesses should use this cautiously and sparingly but clearly there are situations where it helps. It is important to communicate management’s stance to employees and apply the practice consistently.

If the intent of the business is to make a statement that Trump supporters are not welcome then it is best to do so evenly and consistently to avoid the possible claim that the discrimination action was based on another legally protected basis.

In my clients’ businesses, for example, I’ve always made it clear that racist attitudes were not welcome and racists would not be welcome as customers. Over the past year I’ve expanded that position to prohibit serving people who espouse attitudes or repeat Trump statements about discrimination or threats against illegal immigrants. My new action extends the business service discrimination policy from protection of a legally protected class to an unprotected class, yet my legal right to do so is the same. I suppose that it is a bit tricky for some to understand the legal framework. I’ve even been falsely accused of harboring illegal immigrants by a local elected official who did not understand the legal or practical distinction and objected to my business operating policies on a crazy twist of logic. Discriminating against individuals who support the law is legal. Accusing a person engaged in legal discrimination of breaking the law that the banned person espouses is neither logical nor legal.

Over the past 30+ years in the practice of employee benefit plan design and general small business consulting I’ve run into many interesting situations involving legal and illegal discrimination practices of businesses. But we’ve not seen anything to prepare us for the backlash of the anti-Trump movement that has taken hold in metropolitan communities this year. We will see many more stories like this to come where Trump supporters are offended to learn that their business patronage is not welcome and their presence is considered a nuisance to be removed.

Receivables management for small businesses

I spend a quarter to a third of my work time in some function related to collection of fees. It’s a shame because I would rather spend my time doing what I do best – putting more money into the checkbooks of my clients. But of course getting paid for my work is a critical part of the business. My engagement agreements almost always include a “due at time of invoice” provision and stipulation for payment via electronic transfer. Theoretically I have no receivables. But real life doesn’t work that way. In reality, balancing my staffing costs in advance of client payments and carrying the out-of-pocket expenses for clients with outstanding balances is a constant challenge. This seems to be a stress point for other accountants and many other small businesses.

Recently an entrepreneur introduced me to a possible solution. His receivables management practice fine-tuned the traditional collection practices to make a program that works for small businesses. He charges a flat $15 per receivable account up to 90 days, another $15 for 91 to 150 days and then 35% plus the legal expenses for collections after that date. At any time in the process the business can remove an account from the collection process by reporting it paid or that a payment arrangement has been negotiated.

The interesting thing about his process is that the collection process is kind, supportive of the business relationship, courteous and non-threatening in the first 90 days. Every opportunity is offered to resolve the outstanding payment. The collection reminders come addressed from the business owner, not the collection agent. They become increasingly more urgent every two weeks for the first 90 days. After 90 days the collection agent takes over and the actions become increasingly urgent and threatening. Finally, the agent has a range of attorneys to collect the balance plus the legal fees through the court system.

I decided to give this firm’s service a try for my own practice. The first step is to modify my engagement agreement to include a notification of the receivable management practice. This is what I propose:

Collection of Receivables – The fees payable under this agreement are due and payable on the date of electronic invoice. If, for any reason, the fee is unpaid 10 days after the invoice date and we have not entered into an agreement for a payment arrangement then the following procedure applies:

  • Day 11 – a $15 fee is added and your outstanding account balance will be managed by an accounts receivable firm on my behalf
  • Day 91 – another $15 fee is added and your account is transferred to an account receivable management firm acting on my behalf.
  • Day 151 – a 35% fee is added to the outstanding balance and legal fees may apply as awarded by a court. 

Most accountants, and I presume most other small businesses, would say that a client who goes 150 days past due is not likely to be a client in the future. In this case, the risk of taking assertive collection action is unlikely to affect our business.

I will likely write a follow-up post about the results of this practice sometime next year. In the meanwhile, like always, comments and suggestions are welcome.


NJ Attorney / Law Firm Directory of CPAs

The New Jersey Society of Certified Public Accountants (NJCPA) is looking into putting together an online attorney/law firm directory accessible to Society members. CPAs often request attorney referrals on a peer-to-peer basis or from the Society staff members. A directory might help make this search process more efficient.

I am often surprised by the difficulty that I have in finding attorneys to refer for specific client and business situations. I spent many months, for example, looking for an attorney when a small nonprofit corporation in New Jersey needed an attorney for representation in a Chapter 12 bankruptcy reorganization. I only found one attorney with prior experience in this area of law.  I typically speak with several attorneys before finding a single attorney who is willing to consider speaking with the client, and the client does not always agree with my recommendation on suitability. A directory would make the process much more efficient. Other CPAs report similar challenges.

The directory project is in early planning stages. If you have ideas, particularly for topical categories to be included or are interested in being included in the directory, please let me know and I will pass this information on to staff.

Novak’s small business health plan bibliography

This is an annotated list of my recent articles and blog posts on the topic of small business health planning and related tax issues. I expect that these issues will be important in the upcoming tax filing season and apparently few other resources are available at this time. Some of the articles are meant for small business owners and others are meant for tax preparers. This listing does not include articles posted on LinkedIn and some professional blogs that have restricted access.

Guerilla strategies for small business health care costs: 2017 and beyond, 3/9/2017

2017 Trends in health insurance enrollment, 3/8/2017, a look at consumer purchase decisions during the transition period.

Small business HRA setup and support services, 2/28/2017, The setup deadline is March 30.

Health care planning for small businesses: 2017, 2/25/2017, a bullet point summary of the Republican health plan issues of most concern to small business owners

Alternatives to Obamacare, 2/23/2017, coverage available now during the transition period

A holistic approach to small business benefit plans, republished 2/11/2017, An introduction to consumer-driven defined contribution health plans

Rethinking our 2017 health care strategy, 10/26/2016, discusses the possibility of combining insurance with HSA, HRA and supplemental insurance for maximum tax-efficient coverage.

A sneak preview of single payer health care, 10/23/2016, suggests that the responses that small businesses make now will direct the future of healthcare finance.

A simple individual health insurance alternative for small business contractors 2/15/2016 a limited time free service offer for members of the National Association of the Remodeling Industry (NARI) and select other small business employers to convert employer-sponsored health plans using individual insurance to the new type of permitted employer payment arrangement. (The same service is available to other small businesses but not with the fee waiver).

What to do if your W-2 includes taxable health benefits, 2/11/2016, covers a topic likely to be asked by many small business employees this year with a “how to” to redirect the preliminary correction work away from tax preparers.

Quick Summary of Small Business Health Plan Informational Tax Filing Requirements for 2015, 1/14/2016 this is an emerging hot topic for small business tax preparers.

Changing opinions on small business health plan penalty taxes, 1/8/2016, why the discussion of tax penalties now might not be the same as in 2015

4980D Small Business Excise Tax Liability, from the January 2016 New Jersey CPA magazine, an article intended for tax professional that includes a discussion of tax penalties and abatement.

News: 2015 small business health plan tax filing extension 12/29/2015 announces an extension to the filing deadlines that affect self-insured non-integrated health plans like HRAs and MERPs.

Common adviser errors with small business health plans, 12/23/2015, focusing on tax treatment of IRC 105 employer-paid health benefits. The core message is “two wrongs don’t make a right” when dealing with the tax treatment of employer-provided health benefits in the post-ACA world.

Watchlist for tax preparers: 2015 small business health plans, 12/21/2015, includes highlighted buzzwords and a discussion of accuracy-related penalties for tax preparers working on 2015 small business tax returns. This was updated 12/27/2015 to address vague wording on the distinction of what is and what is not an employer health plan. The update is described here.

Small business tax changes for 2015 (for tax preparers). 12/17/2015, the five biggest changes from a tax preparer’s perspective beginning with the preparation of W2 forms and ending with penalty calculation and abatement procedures.

Small business tax changes for 2015 (for owners). 12/16/2015, the four biggest new federal tax issues this year for small business owners.

Plan ahead to avoid tax penalties on W2 health benefits, 12/16/2015, emphasizes that businesses of all types and sizes could be affected and includes a link to resources.

Surprising lawmaker response to small business tax relief effort, 12/15/2015, a summary of NFIB’s last-ditch unsuccessful effort to gain relief from the 2015 tax penalties.

Avoidable small business taxes in 2015, 11/5/2015, a longer article with background on this developing issue and reference links to underlying legal authority.

11 tax traps for small business health plans, 10/22/2015, a big picture view of issues sometimes overlooked by employers and advisers. Some of these indirect consequences tend to be overlooked by advisers.

Retroactive termination of employee benefit plans, 10/22/2015, an introduction of a topic that can not be fully addressed in an online post but should be considered in a one-on-one with your accountant.

What options are available to employers who wish to help employees afford the cost of health care?, 10/16/2015, emphasizes that there are only 5 distinct options available to employers that meet the requirements of current law.

Why employers should not ‘bonus up’ for individual health insurance, 11/10/2015, a common problem described from the employee’s perspective

2015 health plan information returns for small business employers, 12/10/2015, brief information on W2 and 1095B filings.

Health plan checklist for accountants preparing small business tax returns for 2015, 11/2/2015, a practical checklist for tax preparers to help avoid accuracy-related penalties.

Three solid financial planning strategies for dealing with the Unaffordable Care Act, 7/12/2015, ideas for small businesses dealing with the Unaffordable Care Act

Calculating small business health plan excise taxes, 11/3/2015, a discussion of the procedural aspects of calculating tax penalties on non-compliant small business health plans.