Your Employees May be Stealing from Your Dealership

Date November 13, 2019
Authors Clint Whitehair, CPA

Internal theft is a persistent problem for dealers. It is estimated that dealership employees are stealing the equivalent of $9 per employee per day, so a dealership with 100 employees is suffering a theft loss of $234,000 each year.

With the impact to dealers so high, what can you do to prevent and protect yourself from fraud? Listed below are a few internal controls that, if implemented, could help prevent theft.

New Department
• Perform frequent unannounced physical inventory counts
• Establish strict inspection procedures
• Allow no options or equipment to be removed without an internal repair order

Used Department
• Maintain an approved list of wholesalers and do business only with those approved
• Verify dealer licenses and sales tax permits
• Review all wholesale transactions that result in a loss and retail transactions with low grosses

Parts Department
• All parts and repair orders need to be computer generated with changes crossed off and initialed by the manager. Then the ticket should be properly voided with the corrected ticket referencing the original document.
• Establish a clear policy for discounted purchases by customers and employees
• Frequently check shipments of parts in company vehicles

Service Department
• Service work should be spot checked to ensure parts charged are being used in the repair order
• During month end procedures, all WIP should be computed and inventoried and all repair orders should be listed
• Ensure no unit leaves the shop without proper payment arrangements being made

Other Items
• Department managers must sign off on payrolls approving the individual and amount
• Bank statements should be delivered to the dealer unopened and should be reviewed for unusual items and cancelled checks. They should also be reconciled by an individual with no access to cash.
• Further, special procedures should be developed to control electronic banking transactions.
• Make sure all clearing accounts are current (payroll tax withholdings, vehicle payoffs)

Fraud can have devastating effects on profits. If you are not protecting yourself against fraud, you need to get there. You do not want to be the dealer who has fraud resulting in a $200,000 hit to the bottom line.

Clint Whitehair can be reached by email at CWhitehair@hbkcpa.com or by phone at 317-886-1624. To discuss ways to implement a system of Internal Controls to avoid internal fraud at your dealership or for any other inquiries, contact a member of the HBK DIG at 330-758-8613.

Speak to one of our professionals about your organizational needs

"*" indicates required fields

hbkcpa.com needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at anytime. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, check out our Privacy Policy.



Cybersecurity: Expense or Investment?

Date November 11, 2019
Authors Matthew Schiavone, CPA, CISSP, CISA

As a business owner or chief executive you focus on increasing the value of your business. Costs that don’t produce a return, if sometimes necessary, are unwanted expenses.

As the practice of cybersecurity has emerged, many organizations have looked at implementing a cybersecurity program as an expense. But even beyond protecting your organization from potentially catastrophic data thievery, a cybersecurity program is an investment that adds real, quantifiable value to your business—added value clearly evident as owners look to merge or sell their businesses.

Consider the many businesses spanning myriad industries that have fallen victim to cyber attacks or data breaches subsequent to being acquired. FitMetrix, a MindBody acquisition; Starwood Group, a Marriott acquisition; MyFitnessPal, an Under Armour acquisition; and Bongo International, a FedEx acquisition are glaring examples.

All markets and industries have been affected. As a result, a company’s cybersecurity program –or lack thereof– is a central consideration in current M&A due diligence.

In a recent survey conducted by the International Information System Security Certification Consortium, or (ISC)², 96 percent of respondents say they take the maturity of cybersecurity programs into consideration when determining the value of a company. (ISC)² is a non-profit organization offering training and various certifications to cybersecurity professionals.

Moreover, 53 percent of respondents said values can vary widely depending on the maturity and effectiveness of the cyber program; 45 percent agreed that a cybersecurity program adds value but said that they assign value via a plus-or-minus or pass-or-fail indicator.

Perhaps most interesting, the study revealed cybersecurity infrastructure—including “soft” assets such as a risk management policy, security awareness training programs and other governance initiatives that might not traditionally be considered infrastructure—actually has a greater impact on value than IT.

Conversely, the lack of cybersecurity infrastructure indicates a liability potentially devaluing the company.

To illustrate the value of your cybersecurity initiative, we recommend you develop a formalized and documented cybersecurity program. The program should be continually improved and reviewed at least annually by an appropriate third party firm.

Simply put: Invest in cybersecurity. Secure the future of your business and its value.

HBK can help develop and implement a cybersecurity program that fits your organization’s risk appetite and budget. Our assessment will offer a road map for continual improvement through cost-effective solutions. Contact Matthew Schiavone, CPA, CISSP, CISA for questions or to schedule an assessment.




A (Technological) Change Will Do You Good

Date October 15, 2019
Authors Matthew Schiavone, CPA, CISSP, CISA

Adapting to technological change is a challenge all businesses face. Some changes force the matter — like required compliance with privacy and cyber regulations — while others, such as implementing a vendor risk management program, may seem less urgent. Regardless, businesses must recognize the need for a particular change and act accordingly.

A recent study conducted by the Information Systems Audit and Control Association (ISACA) and the global consulting firm Protiviti revealed the top five technology challenges faced by businesses today as:

  1. IT security and privacy/cyber security
  2. Data management and governance
  3. Emerging technology and infrastructure changes
  4. Resource/staffing/skills
  5. Third-party/vendor risk management

While all organizations face the same challenges, small and medium-sized businesses can find them more difficult to overcome, especially as they relate to number four on the list: a lack of resources, staffing and skills.

Monetary considerations aside, it is difficult to find qualified personnel. Addressing security, privacy, governance and infrastructure (effectively, numbers one through three on the list) requires professionals with sophisticated skill sets. The difficulty and expense associated with trying to meet these demands internally make it more reasonable to outsource them.

We are here to help. HBK offers cost-effective solutions to address these challenges. We have IT professionals across numerous disciplines, from specialists in privacy regulations to technicians who facilitate infrastructure changes. Get access to the specific skill sets and resources you need when you need them. For more information or to schedule an appointment, call (724) 934-5300; or email me at MSchiavone@hbkcpa.com.




Inventory Efficiency: Do the Math

Date October 9, 2019

Parts managers are using complex mathematical formulas to compute their optimal inventory quantities these days – though they might not be aware of it. Your DMS system is thinking through the process using calculus to create formulas and cost curves with the ultimate goal of minimizing the cost of ordering, stocking and holding the parts inventory.

Generally, the more of a part you order, the less expensive it is – not only is the part price reduced, but so are other costs, like transportation and labor. On the other hand, ordering in quantities that don’t sell in a timely manner, even to the point of obsolescence, raises costs, not just for parts that don’t get sold but for “frozen capital.” In essence, this leaves money sitting on the parts shelf that could be used in more productive ways. In the language of your DMS system, where the part cost and carrying cost curves meet is theoretically the optimal order quantity.

Of course, running the calculus is the computer software’s job, not the parts manager’s. But even without a computerized formula it’s important to think about where these curves meet, and what tools you have available to ensure you are inventorying intelligently.

Inventory and Turn Rates
Optimally, parts inventories are going to turn four to six times a year. Accordingly, a dealership should retain 60 to 90 days of parts on hand. To compute your dealership’s turn rate, take your cost of goods sold for parts (sales minus gross profit) and divide that number by the cost of the parts inventory you have on hand. Then use your turn rate to determine how many days’ supply you have in inventory.

An example calculation:
The factors:
Parts sales for a year = $3 million
Gross profit on those sales = $1 million
Current parts inventory = $380,000

The calculation:
Cost of goods sold ($3 million minus $1 million) = $2 million
Parts turn rate ($2 million divided by $380,000) = 5.26
Current supply ($380,000 divided by $166,670 [$2 million divided by 12 months]) = 2.27 months or 68 days

Dealerships will necessarily find some inventory stale and not turning, while other parts are turning quickly. The only way to counteract the losses associated with the slow moving or obsolete parts might be moving the fast moving parts even faster. Understanding which parts are slowing the turn rate will help the dealer make adjustments to minimize losses.

So yes, there is real value in the math you learned in middle school that you thought you’d never use. Math makes for better parts management, a better return on your investment.

Three Key Reports
There are several DMS reports that can help to make your parts operation more efficient, but there are three that are essential to having the right parts on the shelves at the right time.

  1. Emergency Purchase Report. Buying from another dealer or suppliers as needed decreases net profit in both parts and service departments through higher initial prices, transportation costs, and service department downtime. Recording emergency purchases in your DMS as they occur and reviewing them regularly –at least weekly– will help you adjust your inventory accordingly.
  2. Lost Sales Report. If a sale is lost because a part is not in stock, it should be properly reported. A lost sale is defined as a sale that it is reasonable to assume would have been made if the part was on hand.
  3. Service Department Fill Rate Report. A weekly fill rate report gives parts managers a clear look at what’s going on in the shop. To correct fill rate inefficiencies, run the report by part number and same-day fill rate.

Take the following into consideration when reviewing these reports:

  • Is the unit requiring the part a new model, and could this be a trend?
  • Is the required part essential to operation of the unit?
  • Is an emergency purchase or a lost sale recorded for a part used in routine maintenance?
  • Does the parts locator section in your DMS indicate that other dealers are stocking a part you don’t stock?
  • Does the factory maintain a large quantity of a particular part?
  • Does my inventory reflect the population of models in my area?

Doing the math and reviewing your reports on a weekly basis will make for happier customers, more efficient employees and, by thawing out your frozen capital, a better bottom line.




GRC: Just Another Acronym?

Date October 8, 2019

Governance, Risk Management and Compliance (GRC) is a methodology that provides organizations with an integrated approach to cyber security maintenance. It is most efficient when executed in its entirety as a three-pronged but single initiative, though its three components are often considered separately.

  • Governance is the process ensuring effective and efficient use of Information Technology (IT) to enable an organization to achieve its fundamental goals.
  • Risk Management is the process of identifying, assessing and managing risk as a way to help achieve an organization’s objectives and based on its tolerance for threats — in short, clearly establishing the company’s risk acceptance or risk avoidance.
  • Compliance involves adhering to accepted practices, rules and regulations within a business at an industry or governmental level –or both.

One should take a holistic approach to GRC, as with any control or protocol it establishes to mitigate a risk. That is, the cost to implement the control should be less than the cost of actual exposure to the risk being mitigated. This approach is expanded by GRC when an individual or business considers costs associated with non-compliance — namely, fines or penalties.

The culmination of Governance, Risk Management and Compliance occurs when IT policies help convert the desired behaviors of team members into a formal, successful cyber security plan.

HBK Risk Advisory Services can help you design and develop your own GRC program to protect your business. Contact Bill Heaven at 330-758-8613; or via email at wheaven@hbkcpa.com. As always, HBK is here to answer your questions and discuss your concerns.




Employee Absenteeism: A Problem for Many Dealers

Date October 3, 2019

Dealers can’t afford to carry a lot of dead weight. You have to run lean and mean. That is particularly true when it comes to your staff. When an employee is absent or late excessively, it can have a meaningfully negative impact on operations.

Dealing with employee absenteeism raises two questions: what is excessive and how as a manager to deal with it? For example, your policy provides for 15 days off a year for parts department employees, but one of your employees has taken all 15 days within the last two months: is that excessive? A talented mechanic is habitually late, 15 or 20 minutes or sometimes a half hour, two or three times a week. Is that excessive and what do you do about it?

DEFINING ABSENTEEISM
So what is excessive? If you consult with your attorney, the likely answer is, “It depends.” There’s really no strict rule or standard as to what is considered excessive absenteeism. It is more about whether or not the absenteeism violates your policy.

There are exceptions, such as when the absenteeism is covered under the Family and Medical Leave Act (FMLA). The FMLA permits time off of up to 12 weeks for medical treatment of the employee or a dependent family member. Your policy can require an employee to use other compensated time off first, before the FMLA time begins.

ESTABLISHING POLICY
Policies for absenteeism can be flexible, and often are, as dealership employees are typically close-knit groups, even family-like, in many instances. A flexible policy might have different requirements for various dealership departments or job classifications, or might allow for more time off during times when business is typically slow.

Still, the dealer needs a set policy for absenteeism. In the past those policies have broken down time off into different categories, such as vacation time and sick leave. But over the years we have seen that such categorization often forces employees to lie, such as calling in sick when they aren’t. So we recommend policies that simply provide for a set number of days of paid absence, regardless of reason – vacation, personal, sick. You don’t need to know and your employees don’t need to lie. Clearly state that any additional time off must be approved by management as unpaid leave. Most dealers find a vacation calendar helpful, where vacations are scheduled in advance and spaced so as not to leave the dealership understaffed.

Some dealers tend to shy away from rigid rules and prefer more general policies that permit supervisors to make determinations about excessive absenteeism. But while you want to be flexible you have to be careful because flexibility often leads to inconsistency, which can spur accusations of favoritism and even wrongful termination lawsuits. It may be best to consult an employment attorney when drafting any HR policy.

ADDRESSING ABSENTEEISM
When absenteeism is a problem with an individual, it is important to have a discipline program in place. All counseling and verbal warnings should be documented. If not, it can be problematic if you have to defend yourself in court against accusations of wrongful termination. Human Resources or management should be involved in any discussions with employees on absentee issues, and an employee’s file should contain records of notices issued, counseling provided, all warnings and steps taken in an attempt to correct the behavior. Only then can the dealer be in a strong position to take action including terminating employment when warranted.

Whatever your policy, it is most important that it clearly spells out attendance and punctuality expectations as well as job requirements. If your policy is simple, straightforward and easy to understand, your employees are likely to follow it.

Rex Collins is a Principal at HBK CPAs & Consultants. He directs HBK’s Dealership Industry Group, which provides tax, accounting, transaction, and operational consulting exclusively to dealers. Rex can be reached by email at RCollins@hbkcpa.com or by phone at 317-886-1624.




Cyber Laws & Best Practices: Getting Your Cyber House in Order

Date September 4, 2019
Authors Steven Franckhauser, JD and Matthew J. Schiavone, CPA, CISSP, CISA

Sir Winston Churchill’s definition of Russia as “a riddle, wrapped in a mystery, inside an enigma” aptly describes the state of affairs between the bevy of cyber and data security laws and business enterprises forced to contend with the onslaught of cyber thieves and hackers. The “rock” of cyber thieves on one side and “hard place” of cybersecurity rules on the other can make life difficult for businesses.

Understanding the basics
When your business must adhere to disparate and fragmented cyber rules, regulations and laws, the first task at hand is to prioritize your needs, identifying, in effect, the “low hanging cyber fruit.” First, understand the requirements common to most cyber legislation. What are the states requiring a business such as yours to do in the event of a breach of “protected information”?

All 50 states and U.S. territories have laws mandating that businesses provide notifications to those whose protected information has been breached while in the care of the business. But each state has different requirements. It is conceivable that a single data breach will require a business to comply with 50 different sets of requirements. Consequently, a business should:

  • Take inventory of the states of residence of its clientele
  • Determine what it must do to comply with those states’ requirements
  • Prepare a plan to implement in the event of a data breach

Getting down to specifics
Following are details on the data breach notice laws for the states in which most HBK clients reside: Florida, Ohio, Pennsylvania and New Jersey.

Florida Information Protection Act of 2014 [i]: Any commercial entity that acquires, maintains, stores, or uses Personally Identifiable Information (PI) must notify affected Florida residents by written mail or electronic mail within 30 days of the breach.

  • If the security breach affects more than 500,000 people, or the cost of notification exceeds $250,000, the business may use other means and methods of notifying those affected.
  • If the data breach involves more than 500 Florida residents, the business must report the breach to the Florida Department of Legal Affairs.
  • A breach affecting more than 1,000 Florida residents must be reported to credit reporting agencies.

Ohio Notification requirements [ii]: In Ohio, any business that experiences a harmful data breach must notify affected Ohio residents within 45 days by mail, telephone, or electronic mail.

  • Businesses can use public service announcements in the event that more than 500,000 Ohio residents are affected, if notification costs exceed $250,000, or if the business has ten or fewer employees and notification costs exceed $10,000.
  • When more than 1,000 Ohio residents are affected by a breach, all consumer-reporting agencies must be informed.

Pennsylvania Breach of Personal Information Notification Act [iii]: When a Pennsylvania business experiences a harmful data breach, it must notify affected Pennsylvania residents as soon as possible by mail, telephone, or email.

  • If the security breach affects more than 175,000 people, or the cost of notification exceeds $100,000, public service announcements can be used instead.
  • When a breach affects 1,000 or more people, you must report it to all consumer-reporting agencies.

New Jersey Data Breach Identity Theft Prevention Act [iv]: Businesses in New Jersey are required to respond to a data breach quickly. A business must first notify the Division of the State Police in the Department of Law and Public Safety, then alert the affected consumers through email or written notice.

  • If the breach affects more than 1,000 people, the business owner must notify all consumer-reporting agencies.
  • A business that willfully, knowingly, or recklessly violates the New Jersey Consumer Fraud Act, including failing to adhere to the Theft Prevention Act, may have to pay the injured party three times the damages, plus attorney fees and court costs.

While the laws are similar, the nuances require businesses to attend to the particulars of each. And the nuances turn into stark reminders of the perils of cyber-crime. Having to author a letter to clients admitting their data was stolen while they entrusted it to your care can make for a formidable backlash.

We will explore various other cyber and data security laws that impact your business in our next article.

Sources:
i. https://www.flsenate.gov/Session/Bill/2014/1524/BillText/er/PDF

ii. http://codes.ohio.gov/orc/1349.19

iii. https://www.legis.state.pa.us/CFDOCS/Legis/PN/Public/btCheck.cfm?txtType=HTM&sessYr=2005&sessInd=0&billBody=S&billTyp=B&billNbr=0712&pn=0898

iv. https://www.njleg.state.nj.us/2004/bills/pl05/226_.htm




Cryptocurrencies & Foreign Bank Reporting: What You Must Know

Date August 9, 2019
Authors Amy L. Dalen, Gerd Franke, CPA and Frederik J. Sdrenka

In today’s world we are seeing drastic changes in how we interact with our environment. Those interactions are becoming predominantly electronic through the use of phones, computers, watches, etc. Our currency is following suit. By now, many have heard the terms “bitcoin” or “cryptocurrency” – but do they understand the concept? The news regularly reports on how this electronic currency enables us to complete transactions in ways that we have not experienced in the past. While this technology is being embraced by some, there may be unexpected tax-reporting implications that the headlines often miss. It’s imperative for taxpayers engaging in foreign banking and potentially, in cryptocurrencies, to understand basic information related to foreign reporting requirements.

The Basics of Cryptocurrency
What is “Bitcoin” and how does it work? Bitcoin is a type of cryptocurrency, which is a digital virtual currency housed online. It is generally held in a virtual “wallet.” These virtual wallets operate like bank accounts in which a third party holds the currency. Cryptocurrency can be purchased using traditional analog currency, such as U.S. Dollars, Euros, British Pounds, etc. Bitcoin is the most popular form of cryptocurrency, and it is used as a functional currency by many major retailers including Amazon, Sears, Home Depot, and CVS. While some use cryptocurrency to function like traditional currency, many are using it for investment purposes in a manner similar to that of stocks being traded on an exchange.

Foreign Bank Account Reporting in General
The U.S. Department of the Treasury and the IRS want to be informed as to where taxpayers are keeping their bank accounts and their respective balances. Two main documents that taxpayers involved in the use of foreign banking should be aware of are the U.S. Department of the Treasury Foreign Bank and Financial Accounts Report (Form 114) and the IRS Statement of Specified Foreign Financial Assets (Form 8938).

These two foreign reporting forms are applicable to U.S. citizens, residents, corporations, partnerships, and even trusts, and must be filed (along with a normal federal income tax return) if the filing requirements are met. In general, Form 114 is applicable if a taxpayer is holding a bank account outside the United States and the balance in the account exceeds $10,000 USD at any point during the tax year. Form 8938 would become applicable (in addition to or separate from Form 114) if the bank account balance exceeds $50,000 ($100,000 for married filers) for the tax year. Both forms are informational to the applicable governmental agency and no taxes are paid on the balance. However, severe penalties can and will be assessed for a failure to file these required forms.

Cryptocurrencies as Foreign Bank Accounts
Since cryptocurrencies are electronic currencies tied to a virtual wallet, it is possible that the wallet where the cryptocurrency is held may be located in a foreign country. While there is currently no official guidance related to foreign reporting for cryptocurrencies, it is possible that a taxpayer owning cryptocurrency could have foreign reporting requirements based solely on the location of the wallet. The IRS recently notified the public that letters are being sent to taxpayers who are cryptocurrency holders, urging them to comply with U.S. tax laws related to cryptocurrencies.

We will provide details about additional reporting requirements, and other potential tax implications for cryptocurrency holders, as they become available. Please contact a member of the HBK Tax Advisory Group at 239-263-2111 if you would like to discuss potential foreign reporting requirements for cryptocurrency or any foreign banking matters.

Additional Resources:

  • https://www.irs.gov/businesses/comparison-of-form-8938-and-fbar-requirements
  • https://www.irs.gov/businesses/small-businesses-self-employed/report-of-foreign-bank-and-financial-accounts-fbar
  • https://www.irs.gov/pub/irs-utl/irsfbarreferenceguide.pdf
  • https://www.irs.gov/businesses/small-businesses-self-employed/virtual-currencies
  • https://bitcoin.org/en/how-it-works




Ohio Governor Signs State Budget Into Law

Date July 25, 2019
Authors Suzanne P. Leighton, CPA, MST

On July 18, 2019, Ohio Governor Mike DeWine signed the Ohio budget into law. There were an estimated $700 million in across the board tax cuts. The changes include:

  • For pass-through entities, the $250,000 business income tax deduction and 3% flat tax remain. However, the tax break was eliminated for lawyers and lobbyists.
  • The elimination of the state’s bottom two income brackets and a corresponding 4% cut to the remaining five brackets for personal income tax.
  • Required remittance of sales tax for sellers that have gross receipts of at least $100,000 from sales into Ohio or that engage in 200 or more separate sales. The bill also requires Marketplace facilitators to collect.
  • The Film Tax Credit has been broadened to cover post-production work and Broadway-style productions.
  • All state manufacturers will be able to apply for a “job retention” tax credit. To qualify, manufacturers need to make a capital investment equal to 5% of tangible property at the facility site, or $50 million, whichever is less.
  • Ohio will piggyback off the federal Opportunity Zone program with a state income tax credit equal to 10% of an investment into a qualified fund up to $1 million every two years.

Other measures include:

  • Raising the age to buy cigarettes from 18 to 21.
  • Creating a new tax on vape products of 10 cents per milliliter.
  • Creating a tax credit for property owners worth up to $10,000 for lead paint removal.

Please contact Suzanne Leighton of the HBK Tax Advisory Group at SLeighton@hbkcpa.com for more information on how these changes to state law could affect your business.




FaceApp & the Russians: Warning Signs?

Date July 23, 2019

You’ve likely heard of FaceApp, maybe you have even tried it. It is unquestionably one of the most popular Apps circulating today. It quickly went viral due to the “#AgeChallenge,” where celebrities as well as ordinary folks download it to use an old-age filter generating an image of what a user might look like in a decade or more. Launched by a Russian start-up in 2017, FaceApp has come under fire lately because of fears that user data was being sent to Russian servers. There are other potential privacy concerns as well, including some claims that the App has an ability to access a user’s entire photo gallery.

Is FaceApp safe to use? Probably; though I’m not planning on using it personally, as I have zero interest in seeing what I’ll look like in 20 to 30 years. But as I was watching a TV news report on FaceApp, it reminded me of an important Cybersecurity issue that might fall under the category, “Social Media: Be Careful What You Share.”

When you use FaceApp and agree to its user terms, what are you sanctioning? For one, the App is permitted access to your photos, location information, usage history, and browsing history. During a news report, an executive representing FaceApp told CNBC that it only uploads the photo selected for editing. Further, the FaceApp rep said it does not take other images from a user’s library, and that most images accessed by FaceApp are deleted from its servers within 48 hours. Still, the user agreement allows the developer access to a user’s personal data. And, again, the developers of FaceApp and its Research and Development team are all based in Russia.

The amount and type of personal data we share, especially online, is something to consider. By way of example, the Apple X phone offers facial recognition as an alternative to using a personal identification number or password; does that suggest the Russian FaceApp programmers have developed a way to access a user’s entire online account, since they have access to their photos? Remember that passwords are giving way to other log-in options, including biometrics. Consider the pace of technological development, including artificial intelligence, when making decisions about where and how you share your personal information.

While Cybersecurity experts don’t appear particularly nervous about the FaceApp itself, the scenario should give us pause and prompt us to consider the potential ramifications of sharing our personal information.

HBK can help you with your Cybersecurity issues, including protecting your data. For assistance, call 330-758-8613 or email WHeaven@hbkcpa.com. As always, we’re happy to answer your questions and discuss your concerns.
