What would you do if you got an email from your CEO, asking you to provide a report of taxable stock plan transactions, including employee IDs—stat? A) Respond with the requested information as quickly as possible or B) forward the email to your IT department for investigation?
As it turns out, B might be the correct answer.
Phishing Scheme Targets Payroll and HR
If you are on the IRS’s mailing list, you know that it’s once again that time of year when the IRS sends out alert after alert about tax phishing schemes. Most have nothing to do with stock compensation, but a recent alert hits a little close to home. A new tax phishing scheme targets payroll and HR personnel. In a phishing scheme, a scammer masquerades as a representative of a legitimate business to trick people into giving out personal information that the scammer can use for illicit purposes.
This phishing scheme involves an email that purports to be from the company’s CEO or other executives and requests that the recipient provide employee data, including personal and W-2 information.
According to the IRS, the email may include the following (or similar) requests:
- Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review
- Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary) as at 2/2/2016.
- I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.
Kindly?
It seems to me that the big giveaway here is the use of the word “kindly” in the above requests. What executive ever used that word when asking for a report ASAP?
Let’s Be Careful Out There
While the schemes don’t yet seem to involve stock compensation, payroll and HR aren’t that far removed from stock plan administration. Some of my readers probably wear both hats. It’s always a good idea to verify any unusual requests from executives and to make sure that any personal data for employees, including compensation data, is transmitted in a secure manner, especially if that data includes employee identifiers, such as names and ID numbers.
– Barbara
Tags: controls, data protection, data security, internal controls, IRS alert, phishing scheme
In case you were wondering (in your spare time), the IRS now has a techniques guide for auditing equity compensation. The “guide” is actually an instruction to internal IRS auditors on how to evaluate equity compensation during an “examination” (fancy word for “audit”). The guide, published in August 2015, is available on the IRS web site. I’ll try to summarize some of the more interesting points in today’s blog.
The Angles of Audit
Before I dive into what the guide says, I want to cover a thought that came to me as I was reading the guide. Stock Plan Administrators and their vendors are focused on tax compliance relative to the company’s corporate tax obligations (reporting, withholding, etc.). However, it’s important to remember that as compliant as we may be from a issuer standpoint, there is still audit exposure potential from the individual angle of tax compliance. An employee may get audited, even if the company is not being audited. The company’s documentation may be requested from the IRS as part of that audit. It’s important that issuers are aware that there are a variety of audit angles that could attract attention to their equity compensation record-keeping and disclosures at any given time, and the IRS guide seems to support that thought – providing detailed information on the types of transactions and potential tax issues that could arise. With that detail comes guidance on how to source documents attached to equity compensation. According to a blog dedicated to explaining the guide by Porter Wright Morris & Arthur LLP,
“Interestingly, the Guide devotes a fair amount of detail to explaining where auditors may find these documents, encouraging them to review Securities and Exchange Commission (“SEC”) filings as well as internal documents. As such, the Guide serves as an important reminder to employers to be mindful that the IRS (or other third parties) someday could seek to review their corporate documents. ”
Documents Galore
Let’s cut to the chase. Where are auditors instructed to look?
- SEC documents – This is an obvious one, but it’s where the IRS recommends their auditors start. Disclosures such as the 10K (Form 10-K), proxy statement (DEF 14A) and Section 16 reports of changes in beneficial ownership (Form 4) are places to identify types of plans and awards, as well as detailed compensation data for named executive officers and directors. The IRS recommends comparing data from these disclosures to individual Form W-2s and 1099-MISCs to verify proper tax withholding and reporting. If discrepancies surface, the IRS recommends expanding the audit (yikes).
- Internal Documents – Types of internal documents subject to scrutiny include employment contracts, and meeting minutes from Board of Director and Compensation Committee meetings.
The Porter et al blog summarized this into some key awareness factors for employers:
“Employers should be aware of these instructions. Often times, it is easy for someone to prepare internal documents using jargon or short-hand that is familiar among people at the company but that may be difficult to explain to a third party or worse could be misleading. The Guide demonstrates that internal documents may not be restricted to internal personnel. Instead, the IRS very well could review these internal documents. As such, employees and advisers who prepare these documents should be mindful of both the information contained in the documents and how they present that information.”
Takeaways
When preparing documentation or disclosures (including supporting documents for those disclosures), it’s good to look at the process as if a third party will eventually come in and evaluate the information. The Porter blog made a great point – often times records are maintained in manner that internal parties may easily understand, or there’s someone on hand who can “interpret” that scrawl made by a board member. However, once that information is subject to review by an auditor, questions can arise. Companies should be aware of the IRS audit instructions relatives to equity compensation and maintain their records in a way that will make it easy to explain if audited.
-Jenn
Tags: audit, auditor, controls, IRS, tax compliance