The regulation that governs the working condition fringe exclusion for executive security includes its own cautionary tale. It's called Example 5, it appears in §1.132-5(m)(8), and it describes the most common way a well-intentioned ISS program fails on IRS examination.
Understanding it is not optional if you're running one of these programs.
What Example 5 actually says
The scenario is straightforward. A company commissions an Independent Security Study. The study concludes that 24-hour protection isn't necessary and recommends two specific components: workplace security and ground transportation security. Both are documented in the study. Both are supposed to be implemented.
The company implements only the ground transportation piece. The workplace security recommendations go unfunded, understaffed, or simply unimplemented.
The IRS examines the program.
The result: no overall security program is deemed to exist. The ground transportation benefit - the piece the company did implement - is taxable compensation to the executive. The W-2 exclusion the company had been taking collapses. Multiple years of prior returns are potentially affected.
That's it. One gap between what the study said and what the company actually did, and the entire tax position goes with it.
Why this keeps happening
Example 5 isn't a theoretical failure mode. It's a description of how these programs actually break down in practice, and the structural reason it happens is consistent across companies.
Security programs are run by security teams. Tax positions are maintained by tax teams. In most companies, those functions have minimal overlap. The security director's job is to implement the program the board approved and the budget supports. The tax director's job is to classify compensation correctly and keep the W-2s clean. Neither has automatic visibility into what the other is doing.
The study gets completed and filed. The recommendations go to the security team. Some get implemented immediately. Others get deferred because the budget runs out, because a vendor relationship changes, because the executive objects to a particular measure, or because a facilities project takes priority. Nobody tells the tax director that the workplace access controls from page 14 of the study never got installed.
A year passes. Two years. The W-2s go out with the working condition fringe exclusion applied. The study is in the file. From the tax team's perspective, everything looks clean.
Then the IRS examines the program, asks what was actually implemented, and compares the answer to what the study recommended. The gap surfaces.
What the regulation requires
The consistent application requirement is in §1.132-5(m)(2)(v). It says the employer must apply the specific security recommendations from the study on a consistent basis. Not most of them. Not the ones that were convenient. All of them, consistently, from the time the study is implemented.
"Consistent" has a time dimension too. Gaps in implementation, even temporary ones, create exposure. If a measure was implemented for two years and then quietly dropped when the executive pushed back, the exclusion for the period after the gap is at risk.
The regulation also requires that the overall security program be evaluated periodically to determine whether the bona fide business-oriented security concern still exists. A study done in 2022 and never revisited is a study the IRS can challenge as stale by 2025 or 2026. Trigger-based reassessment - when the executive's role changes, when a material threat event occurs, when the security measures change - is the operational standard. A full re-evaluation every three years is a reasonable baseline absent specific triggers.
What a defensible program looks like from the consistency standpoint
The companies that survive IRS examination on this issue have one thing in common: they treat the ISS recommendations as a compliance obligation, not a checklist item.
That means a named owner for implementation - someone whose job it is to know what the study recommends and whether each item is in place. It means contemporaneous documentation of what was implemented and when, not a reconstruction after an audit letter arrives. It means a process for flagging when a recommended measure changes, so the tax team can decide whether the study needs to be updated or the exclusion needs to be revised.
Our engagement file includes an implementation tracker that maps each recommendation to a responsible party and documents the evidence of consistent application. That tracker isn't a courtesy - it's the document that bridges the study and the tax position when someone asks.
When measures change - when the security team adjusts the program for legitimate operational reasons - the study should be updated before the next W-2 cycle reflects a changed program. Updated studies aren't a sign of weakness; they're a sign that the company is running a live compliance process rather than a one-time document exercise.
What to do if you're already running a program
If your company commissioned an ISS and has been applying the working condition fringe exclusion, the question worth answering now is whether everything in that study is actually in place.
Pull the study. List every recommendation. Match each one to current implementation. If there are gaps, document when they opened and assess whether the exclusion for the affected periods is defensible.
If the gaps are significant, the honest path is to either restore the measures and update the study, or adjust the W-2 treatment going forward and consult with tax counsel about the prior years. Neither is an attractive option, but both are better than having the IRS surface the gap on examination.
If you're not sure what the study says or whether the program matches it, that's the conversation to have before the W-2 cycle closes.
This post is for informational purposes and does not constitute tax or legal advice. Readers should consult qualified tax and legal counsel regarding the treatment of specific programs.