Author: KraftCPAs

If you’re age 50 or older, you can probably make extra catch-up contributions to your tax-favored retirement account(s). It is worth the trouble? Absolutely.

The deal with IRAs 

Eligible taxpayers can make extra catch-up contributions of up to $1,000 annually to a traditional or Roth IRA. If you’ll be 50 or older as of December 31, 2023, you can make a catch-up contribution for the 2023 tax year by April 15, 2024.

Extra deductible contributions to a traditional IRA create tax savings, but your deduction may be limited if you (or your spouse) are covered by a retirement plan at work and your income exceeds certain levels.

Extra contributions to Roth IRAs don’t generate any up-front tax savings, but you can take federal-income-tax-free qualified withdrawals after age 59½. There are also income limits on Roth contributions.

Higher-income individuals can make extra nondeductible traditional IRA contributions and benefit from the tax-deferred earnings advantage.

How company plans stack up 

You also have to be age 50 or older to make extra salary-reduction catch-up contributions to an employer 401(k), 403(b), or 457 retirement plan — assuming the plan allows them and you signed up. You can make extra contributions of up to $7,500 to these accounts for 2023. Check with your human resources department to see how to sign up for extra contributions.

Salary-reduction contributions are subtracted from your taxable wages, so you effectively get a federal income tax deduction. You can use the resulting tax savings to help pay for part of your extra catch-up contribution, or you can set the tax savings aside in a taxable retirement savings account to further increase your retirement wealth.

Tally the amounts

IRAs: Let’s say you’re age 50 and you contribute an extra $1,000 catch-up contribution to your IRA this year and then do the same for the following 15 years. Here’s how much extra you could have in your IRA by age 65 (rounded to the nearest $1,000).

• 4% annual return: $22,000
• 6% annual return: $26,000
• 8% annual return: $30,000

Making larger deductible contributions to a traditional IRA can also lower your tax bills. Making additional contributions to a Roth IRA won’t, but you can take more tax-free withdrawals later in life.

Company plans: If you’ll turn 50 next year, let’s say you contribute an extra $7,500 to your company plan next year. Then, you do the same for the next 15 years. Here’s how much more you could have in your 401(k), 403(b), or 457 plan account (rounded to the nearest $1,000).

• 4% annual return: $164,000
• 6% annual return: $193,000
• 8% annual return: $227,000

In this scenario, making larger contributions can also lower your tax bill.

IRA and company plans: Finally, let’s say you’ll turn age 50 next year. If you’re eligible, you contribute an extra $1,000 to your IRA for next year, plus you make an extra $7,500 contribution to your company plan. Then, you do the same for the next 15 years. Here’s how much extra you could have in the two accounts combined (rounded to the nearest $1,000).

• 4% annual return: $186,000
• 6% annual return: $219,000
• 8% annual return: $257,000

Make retirement more golden 

Obviously, making extra catch-up contributions can add up to pretty big numbers by the time you retire. If your spouse can make them too, you can potentially accumulate even more. Contact a KraftCPAs advisor if you have questions or want more information.

 © 2023 KraftCPAs PLLC

Scammers keep coming up with new and more creative ways to steal information from taxpayers, according to the IRS. New scams in the form of email, text messages, telephone calls, or regular mail regularly target both individuals and businesses, and they often prey on the elderly.

“Scammers are coming up with new ways all the time to try to steal information from taxpayers,” IRS Commissioner Danny Werfel said. “Be wary and avoid sharing sensitive personal data over the phone, email or social media to avoid getting caught up in these scams.”

The biggest key to avoid getting caught by scammers: Remember that the IRS will never contact you by email, text, or social media channels about a tax bill or refund. Most IRS contacts are first made through regular mail. So, if you get a text message saying it’s the IRS and asking for your Social Security number, it’s someone trying to steal your identity and rob you. Remember that the IRS already has your Social Security number.

Here are some of the crimes the IRS has identified in recent months:

Email messages and texts that infect recipients’ computers and phones. In this scam, a phony email claims to come from the IRS. The subject line of the email often states that the message is a notice of underreported income or a refund. There may be an attachment or a link to a bogus web page with your “tax statement.” When you open the attachment or click on the link, a Trojan horse virus is downloaded to your computer.

The trojan horse is an example of malicious code (also known as malware) that can take over your computer hard drive, giving someone remote access to the computer. It may also look for passwords and other information. The scammer will then use whatever information is gathered to commit identity theft, gain access to bank accounts and more.

Phishing and spear phishing messages. Emails or text messages that are designed to get users to provide personal information are called phishing. Spear phishing is a tailored phishing attempt sent to a specific organization or business department.

For example, one spear phishing scam targets employees who work in payroll departments. These employees might get an email that looks like it comes from an official source, such as the company CEO, requesting W-2 forms for all employees. The payroll employees might erroneously reply with these documents, which then provides criminals with personal information about the staff that can be used to commit fraud.

The IRS recommends using a two-person review process if you receive a request for W-2s. In addition, employers should require any requests for payroll to be submitted through an official process, like the employer’s human resources portal.

Scams keep evolving

These are only a few examples of the types of tax scams circulating. Be on guard for any suspicious messages. Don’t open attachments or click on links. Contact us if you get an email about a tax return we prepared. You can also report suspicious emails that claim to come from the IRS at [email protected]. Those who believe they may already be victims of identity theft should find out what do by going to the Federal Trade Commission’s website, OnGuardOnLine.gov.

 

 

© 2023 KraftCPAs PLLC

Financial institutions operate in a dynamic and challenging business environment, characterized by technological advancements, regulatory changes, and increasing demands from stakeholders. To thrive in this landscape, it’s crucial for financial institutions to ensure the efficient allocation of IT spending.

Strategies such as conducting infrastructure technology assessments, preparing for cloud adoption, optimizing Microsoft 365 deployments, implementing secure identity and access management, and reviewing the IT operating model can help achieve that goal. By implementing each one, financial institutions can enhance their operational efficiency, security, and competitiveness.

To learn more about enhancing IT spending efficiency in financial institutions, click the link below.

Read the full article here…

Internal audits can be much more than just a necessary step toward external audits, acquisitions, or public offerings. In fact, with the right investment, an intentional approach to internal audits can yield strategic benefits such as useful insights, identifying competitive advantages, and protecting company assets. But even then, investing resources in internal audit can be a tough sell to the board’s audit committee.

Take a closer look at the key risks and opportunities that can help audit committees see the power and potential of internal audit, including internal controls, increased efficiency, fraud prevention, competitive advantage, strategic threats, and objective insight.

Read the full article here…

If you own or manage a business with employees, there’s a harsh tax penalty that you could be at risk for paying personally. The Trust Fund Recovery Penalty (TFRP) applies to Social Security and income taxes that are withheld by a business from its employees’ wages.

Sweeping penalty

The TFRP is dangerous because it applies to a broad range of actions and to a wide range of people involved in a business.

Here are answers to a few common questions about the penalty:

What actions are penalized? The TFRP applies to any willful failure to collect, or truthfully account for, and pay over taxes required to be withheld from employees’ wages.

Why is it so harsh? Taxes are considered the government’s property. The IRS explains that Social Security and income taxes “are called trust fund taxes because you actually hold the employee’s money in trust until you make a federal tax deposit in that amount.”

The penalty is sometimes called the “100% penalty” because the person found liable is personally penalized 100% of the taxes due. The amounts the IRS seeks are usually substantial and the IRS is aggressive in enforcing the penalty.

Who’s at risk? The penalty can be imposed on anyone deemed “responsible” for collecting and paying tax. This has been broadly defined to include a corporation’s officers, directors and shareholders, a partnership’s partners, and any employee with related duties. In some circumstances, voluntary board members of tax-exempt organizations have been subject to this penalty. In other cases, responsibility has been extended to professional advisors and family members close to the business.

According to the IRS, responsibility is a matter of status, duty, and authority. Anyone with the power to see that taxes are (or aren’t) paid may be responsible. There’s often more than one responsible person in a business, but each is at risk for the entire penalty. For example, you might not be directly involved with the payroll tax withholding process in your business. But if you learn of a failure to pay withheld taxes and have the power to pay them, you are considered to be a responsible person. Although taxpayers held liable can sue other responsible people for contribution, this action is up to the individual and can’t be used to delay the TFRP payment.

What’s considered willful? There doesn’t have to be an overt intent to evade taxes. Simply paying bills or obtaining supplies instead of paying taxes is willful behavior. And just because you delegate responsibilities to someone else doesn’t necessarily mean you’re off the hook. Failing to do the job yourself can be treated as willful.

Recent cases

Here are two cases that illustrate the risks.

• A U.S. Appeals Court held a hospital administrator liable for the TFRP. The administrator was responsible for payroll, as well as signing and reviewing checks. She also knew that the financially troubled hospital wasn’t paying withheld taxes to the IRS. Instead of prioritizing paying taxes, she paid vendors and employees’ wages. (Cashaw, CA 5, 5/31/23)
• A corporation owner’s daughter/corporate officer was assessed a $680,472 TFRP for unpaid payroll taxes. She argued that she wasn’t a responsible party. She owned no stock and couldn’t hire and fire employees. But she did have the power to write checks and pay vendors and was aware of the unpaid taxes. A U.S. Appeals Court found the “great weight of evidence” indicated she was a responsible party and the TFRP was upheld. (Scott, CA 11, 10/31/22)

Best advice

Under no circumstances should you “borrow” from withheld amounts. All funds withheld should be paid over to the government on time. Contact a KraftCPAs advisor with any questions.

© 2023 KraftCPAs PLLC

Authored by RSM US LLP

Not all companies need to go public, but for some it opens a new level of funding and stature. It’s a huge step that requires a great deal of planning and work. Operating as a public company in the U.S. demands a very stringent level of compliance that can require building out additional processes, controls and technology that weren’t necessary as a private company but are essential to planning and executing an initial public offering (IPO).

You need to develop a Sarbanes-Oxley (SOX) compliance strategy—a framework that will help you reduce time, save money and minimize risk, including personal liability of the CEO and CFO, who must certify compliance. Even if you are already a public company, you will need to periodically reassess and possibly update your SOX compliance processes and strategies.

What is involved?

Developing a SOX compliance program is a complex, time-consuming process that requires coordination, specific skills and scrupulous documentation. But as with any huge business task, the key is to tackle it in an incremental fashion. The typical approach contains six distinct stages, each of which results in a set of deliverables to drive the next step in the process. Success requires deep preparation, though, and some of your earliest goals will be to conduct a top-down risk assessment and to calculate materiality—at what dollar level might an error in an account balance materially impact the economic decisions made by the company?

How long will it take?

You should expect to spend 18 months or more readying your organization for SOX compliance. If you are preparing for an IPO, leading practice is to start this process no later than six months prior to your offering, as you have one year from the date of your IPO to document and assess internal controls and provide an independent auditor’s attestation report.

1. Plan and scope (months 1–3)

• Calculate materiality: At what dollar level might an error or omission in an account balance materially affect the economic decisions made by users of the company’s financial statements, such as company management or investors? Materiality will vary from company to company. While $1 million may be material to one company, $10 million may be material to another.
• Perform a top-down risk assessment and define program scope, considering both qualitative and quantitative factors.
• Map the financial statements to the core business processes to determine the accounts to be in scope and identify the relevant financial statement assertions for each material account.
• Review scoping with project sponsor before defining project approach, milestones and timeline.

Deliverables

• Risk assessment, scoping document, and project plan

2. Document critical processes (months 2–4)

• Conduct process walkthrough meetings to identify and document entity-level controls, IT general controls and key internal controls over financial reporting for all significant accounts and processes.
• Prepare risk and control matrices (RCM), process flowcharts and/or process narratives for each significant process.

Deliverables

• RCM, process narratives, and process flowcharts

3. Evaluate design effectiveness (months 3–8)

• Evaluate internal controls using the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework. This widely accepted framework is designed to provide reasonable assurance that the organization is operating in accordance with established standards.
• Perform a gap analysis on the current internal control structure. Identify any missing control points.
• Perform a design assessment on existing internal controls. Identify any controls not designed to effectively prevent or detect material misstatement.
• Design and implement process improvements while documenting all changes.
• Identify opportunities for process automation and enhancements based on leading practices.

Deliverables

• Gap analysis and proposed remediation plans

4. Evaluate operating effectiveness (months 6–12)

• Generate document request list and select samples to assess whether controls are operating as designed over time. (SOX requires compliance documentation, which must be provided to auditors upon request, and requires that controls operate at their defined frequencies consistently.)
• Evaluate the operating effectiveness of internal control over financial reporting and document the results.
• Review testing results with process owners and project sponsor.

Deliverables

• Operating effectiveness testing results 

5. Remediate control weaknesses (months 10–16)

• Based on the testing results in step 4, validate any identified control deficiencies, identify deficiency root cause and assist management with developing remediation plans.
• Re-perform tests of remediated controls as needed to ensure efficacy.

Deliverables

• Control deficiency list and remediation plans and re-testing results

6. Assess and report (months 15–18)

• Assist management with the final assessment and reporting of any deficiencies. A thoughtful evaluation is needed to determine the significance of each control deficiency identified. Significant deficiencies are required to be reported to those charged with oversight (generally the audit committee of the board of directors), and material weaknesses are required to be disclosed in the company’s public SEC filings.
• Sign off on internal control structure design and operating effectiveness.
• Present results to the audit committee.

Deliverables

• Deficiency assessment template and audit committee presentation

---

Source: RSM US LLP.
Reprinted with permission from RSM US LLP.
© 2024 RSM US LLP. All rights reserved. https://rsmus.com/insights/services/risk-fraud-cybersecurity/6-steps-to-achieving-sox-compliance.html

RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent assurance, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/about for more information regarding RSM US LLP and RSM International.

Your business might be able to claim big first-year depreciation tax deductions for eligible real estate expenditures rather than depreciate them over several years. But should you? It’s not as simple as it might seem.

Qualified improvement property

For qualifying assets placed in service in tax years beginning in 2023, the maximum allowable first-year Section 179 depreciation deduction is $1.16 million. Importantly, the Sec. 179 deduction can be claimed for real estate qualified improvement property (QIP), up to the maximum annual allowance.

QIP includes any improvement to an interior portion of a nonresidential building that’s placed in service after the date the building is placed in service. For Sec. 179 deduction purposes, QIP also includes HVAC systems, nonresidential building roofs, fire protection and alarm systems and security systems that are placed in service after the building is first placed in service.

However, expenditures attributable to the enlargement of the building, any elevator or escalator, or the building’s internal structural framework don’t count as QIP and must be depreciated over several years.

Mind the limitations

A taxpayer’s Sec. 179 deduction can’t cause an overall business tax loss, and the maximum deduction is phased out if too much qualifying property is placed in service in the tax year. The Sec. 179 deduction limitation rules can get tricky if you own an interest in a pass-through business entity (partnership, LLC treated as a partnership for tax purposes, or S corporation). Finally, trusts and estates can’t claim Sec. 179 deductions, and noncorporate lessors face additional restrictions. We can give you full details.

First-year bonus depreciation for QIP

Beyond the Sec. 179 deduction, 80% first-year bonus depreciation is also available for QIP that’s placed in service in calendar year 2023. If your objective is to maximize first-year write-offs, you’d claim the Sec. 179 deduction first. If you max out on that, then you’d claim 80% first-year bonus depreciation.

Note that for first-year bonus depreciation purposes, QIP doesn’t include nonresidential building roofs, HVAC systems, fire protection and alarm systems, or security systems.

Consider depreciating QIP over time

Here are two reasons why you should think twice before claiming big first-year depreciation deductions for QIP.

Lower-taxed gain when property is sold: First-year Sec. 179 deductions and bonus depreciation claimed for QIP can create depreciation recapture that’s taxed at higher ordinary income rates when the QIP is sold. Under current rules, the maximum individual rate on ordinary income is 37%, but you may also owe the 3.8% net investment income tax (NIIT).

On the other hand, for QIP held for more than one year, gain attributable to straight-line depreciation is taxed at an individual federal rate of only 25%, plus the 3.8% NIIT if applicable.

Write-offs may be worth more in the future: When you claim big first-year depreciation deductions for QIP, your depreciation deductions for future years are reduced accordingly. If federal income tax rates go up in future years, you’ll have effectively traded potentially more valuable future-year depreciation write-offs for less-valuable first-year write-offs.

As you can see, the decision to claim first-year depreciation deductions for QIP, or not claim them, can be complicated. We can help you determine the best depreciation options.

© 2023 KraftCPAs PLLC

Authored by RSM US LLP

Digital transformation is crucial for manufacturers that want to drive revenue, reduce costs and thrive in the future. To successfully undergo that transformation, industrial companies need to improve their global supply chain with advanced technologies, prioritize data-driven decision-making, and make IT infrastructure enhancements.

Strategic investment in Industry 4.0 technologies is critical in driving the factory of the future. In truly digital factories, real-time metrics make adjusting to supply chain disruptions easier, connected devices make operations more seamless, and a variety of advanced technologies make scenario modeling more accurate.

The possibilities are vast. RSM can help you understand where to start.

Data is the foundation

Data is the thread that runs through virtually every conversation today about the future of manufacturing, from the potential uses of machine learning, to the broader capabilities of factories of the future, to what the workforce will look like in years to come.

Organizations’ ability to harness, filter and analyze data is central to digital transformation. Connectivity among machines, products, employees, suppliers, customers and processes across the value chain is the key to unlocking the value of this data.

To be able to take full advantage of the enormous amount of data they generate and collect, manufacturers need to focus on three foundational areas:

• Data and system architecture
• Data governance
• Data analytics, both traditional and advanced

A robust information technology infrastructure is of particular importance, and most middle market manufacturers’ IT infrastructure is not ready to support advanced Industry 4.0 technologies. Technology should lead the way in how manufacturers think about investments, and manufacturers will need a flexible, scalable and highly interconnected IT architecture to support the shift to more data-driven operations and meet the challenges of the future.

Reimagining global supply chains

The era of globalization is transitioning to a new state, and manufacturers need to take advantage of technology to create more connected supply chains. Companies that prioritize the digitization of their supply chains will be in a better position to respond to future supply and demand disruptions.

With entrenched global supply chains presenting more risk in recent years, manufacturers would do well to explore whether a regionalized supply chain network may better suit their needs and the needs of their customers.

Companies also need to understand how the growing focus on environmental, social and governance issues affects their supply chain decisions. With the right planning and strategy, manufacturers can harness ESG frameworks to improve product quality, production efficiency, profitability and talent attraction.

Harnessing advanced technologies

Companies are using artificial intelligence, cloud computing, the industrial Internet of Things, advanced data analytics, additive manufacturing, smart devices, virtual reality and advanced robotics to accelerate innovation. These advanced technologies enable manufacturers to be more efficient, faster and more focused on optimizing customer lifetime value.

Manufacturing has always used technology to increase efficiency and productivity. It’s a trend we expect to increase, especially as more manufacturers adopt advanced tools to help them increase their agility, enhance productivity, accelerate growth and manage a more dynamic workforce.

Creating a strategy and adopting a business model to take advantage of Industry 4.0 technologies makes it easier to navigate change and allows manufacturers to reinvent their business models to focus on value-added services. These technologies also open opportunities to enter new geographic markets or adjacent market segments.

Resources to help your company forge its digital path

• Data analytics services
• Supply chain services
• Global operations and supply chain strategy
• IT infrastructure consulting

---

Source: RSM US LLP.
Reprinted with permission from RSM US LLP.
© 2024 RSM US LLP. All rights reserved. https://rsmus.com/insights/industries/manufacturing/modern-manufacturing-embracing-the-digital-future.html

RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent assurance, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/about for more information regarding RSM US LLP and RSM International.

Authored by RSM US LLP

Companies put a great deal of time and effort into Sarbanes-Oxley (SOX) compliance, in part because penalties for failure can be severe and the expectations for transparency in the market are so high. But while many companies do well enough meeting the requirements of SOX, few are truly good at it. Staff are stretched too thin and worked too hard. Inefficiencies abound, from poor infrastructure to overreliance on manual processes.

Technological tools, automation in particular, can turn that around.

It’s not enough to throw more people at the problem or work the ones you have harder. Particularly in this tight labor market, SOX compliance specialists are expensive and can be hard to find. Supporting them with the right automation tools can help.

However, even mature companies where leaders realize SOX processes need updating may balk at implementing robotic process automation (RPA) or employing an enterprise governance, risk management and compliance (GRC) solution. They labor under two major misconceptions:

Often, companies look at how much they’re spending on auditing and see that as their cost of SOX compliance without considering the total effort and money they are expending in-house across the entire process. And too many are highly reliant on the performance of a handful of accounting and IT heroes who are performing manual control activities, which leaves the organization vulnerable when these employees burn out or move on.

But automation is not about replacing the people you have. In the world of SOX, more often than not, automation tactics are likely to aid in the day-to-day operations of those individuals rather than replace what they’re doing. Even if you add automation into a process, you still need people for validation functions and the like that allow you to be fully confident in your output.

To make it easier, don’t begin with a vision of wholly reinventing your processes. Take it in steps and look for the quick wins first.

Make existing systems work smarter

Your process begins with practical automation, which is often right under your nose. Rather than rush to adopt new systems, work to better understand your existing landscape. How can your technology architecture drive down the level of effort on manual controls or reduce the level of testing needed on those controls?

Look first to the enterprise systems that serve as your technological foundation. The automated or configurable controls already in place in your ERP are likely not optimized. If you were to adopt best-practice configurable controls, you might gain as much as 25% to 50% efficiency.

Bring RPA into the picture

Adopting RPA sounds scary and difficult, but it need not be either. RPA or monitoring-based controls can help you more easily identify higher-risk types of transactions and other low-hanging fruits that give you a clear return on your investment.

Even five to 10 very simple RPA techniques regularly monitoring data analytic controls could quickly give the accounting team the critical information they need without having to pull it up themselves, manipulate it, digest it, check it several times and then review it.

While not as economical as optimizing your existing controls, RPA still presents a relatively low cost to implement while seeing a notable return on investment.

Take the final step to eGRC

Typically, eGRC tools will be more helpful in the auditing process itself than in terms of enhancing the performance of your controls and other business processes. That’s fine, as streamlining audits will also benefit your bottom line.

Beyond direct audit applications, though, you could leverage eGRC to perform more automated testing techniques related to the audit process. Once again, look at where your people are spending their time and how technology can drive those manual efforts downward so your teams can do more than just keep up with SOX compliance.

Don’t go it alone

Part of the reluctance to adopt more automated processes is the fear of change or just the comfort in traditional or legacy methods. Partner with a provider that knows your industry, can understand your technological architecture, has a broad knowledge of available automation options and knows best practices that will take you farther, faster and more cost-effectively.

Particularly if you are a more mature company, you may have not just legacy systems but multiple ERP systems you took on through acquisitions that were never truly optimized. Sorting through all the systems, processes and opportunities alone only invites more wasted time and thus wasted money.

As with adopting technology itself, the upfront cost of engaging with a consulting and services partner will often be recovered in long-term gains to productivity, efficiency and accuracy.

By automating processes as much as you can, you can concentrate on what matters most—doing the higher-level thinking and analysis required to complete the SOX financial reporting and compliance reports on time.

---

Source: RSM US LLP.
Reprinted with permission from RSM US LLP.
© 2024 RSM US LLP. All rights reserved. https://rsmus.com/insights/services/risk-fraud-cybersecurity/reducing-time-on-compliance-through-practical-automation.html

RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent assurance, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/about for more information regarding RSM US LLP and RSM International.

Companies that do business in Tennessee will face new limits to the way they collect, use, and transfer customer information as a result of the new Tennessee Information Protection Act (TIPA).

The law, effective July 1, 2025, will require companies to obtain consent for the processing of sensitive personal data and will allow consumers to opt out of data sales, targeted advertising, and other significant sales and marketing initiatives. Tennessee joins eight other states with consumer data privacy laws, but like Iowa, Utah, and Virginia, it narrowly defines the types of disclosures involved and provides a 60-day grace period for businesses to resolve compliance issues.

The bipartisan legislation passed unanimously in both houses of the Tennessee legislature and was signed into law by Gov. Bill Lee.

Businesses impacted

Specifically, the law will apply to businesses that post more than $25 million in annual revenue and:

• Control or process the personal information of 175,000 or more Tennessee consumers, or
• Control or process the personal information of 25,000 or more Tennessee consumers and obtain more than 50% of gross revenue from the sale of that information.

Noncompliance is punishable by a fine of $7,500 per violation, although a business found in violation will have 60 days to comply before fines are levied. Companies with existing consumer privacy policies can be exempt if the programs “reasonably conform” to the National Institute of Standards and Practices (NIST) Privacy Framework or “other documented policies, standards, and procedures designed to safeguard consumer privacy.”

Who’s protected?

The TIPA will require companies to obtain consent from a consumer to collect and process sensitive information such as race, ethnic origin, religious affiliation, mental or physical health, sexual orientation, precise geolocation, genetic and biometric data, and citizenship and immigration status.

The privacy rule applies to any Tennessee resident “acting only in a personal context” and does not shield the personal data of individuals acting in a commercial or employment role. The privacy laws also will not shield data collected by government agencies, insurance companies, nonprofit organizations, financial institutions, higher education facilities, and businesses already subject to the Health Insurance Portability and Accountability Act (HIPAA) or the Health Information Technology for Economic and Clinical Health Act (HITECH).

If you’re unsure whether your business will be subject to new TIPA regulations, reach out to an advisor with our risk assurance and advisory services team for guidance.

© 2023 KraftCPAs PLLC