A runner's guide to uniform guidance, year two

03.06.17

As we begin the second year of Uniform Guidance, here’s what we’ve learned from year one, and some strategies you can use to approach various challenges, all told from a runner's point of view.

A Runner’s Perspective

As I began writing this article, the parallels between strategies that I use when competing in road races — and the strategies that we have used in navigating the Uniform Guidance — started to emerge. I’ve been running competitively for six years, and one of the biggest lessons I’ve learned is that implementing real-time adjustments to various challenges that pop up during a race makes all the difference between crossing — or falling short of — the finish line. This lesson also applies to implementing Uniform Guidance. On your mark, get set, go!

Challenge #1: Unclear Documentation

Federal awarding agencies have been unclear in the documentation within original awards, or funding increments, making it hard to know which standards to follow: the previous cost circulars, or the Uniform Guidance?

Racing Strategy: Navigate Decision Points

Take the time to ask for directions. In a long race, if you’re apprehensive about what’s ahead, stop and ask a volunteer at the water station, or anywhere else along the route.

If there is a question about the route you need to take in order to remain compliant with the Uniform Guidance, it’s your responsibility to reach out to the respective agency single audit coordinators or program officials. Unlike in a race, where you have to ask questions on the fly, it’s best to document your Uniform Guidance questions and answers via email, and make sure to retain your documentation.  Taking the time to make sure you’re headed in the right direction will save you energy, and lost time, in the long run.    

Challenge #2: Subrecipient Monitoring

The responsibilities of pass-through entities (PTEs) have significantly increased under the Uniform Guidance with respect to subaward requirements. Under OMB Circular A-133, the guidance was not very explicit on what monitoring procedures needed to be completed with regard to subrecipients. However, it was clear that monitoring to some extent was a requirement.

Racing Strategy: Keep a Healthy Pace

Take the role of “pacer” in your relationships with subrecipients. In a long-distance race, pacers ensure a fast time and avoid excessive tactical racing. By taking on this role, you can more efficiently fulfill your responsibilities under the Uniform Guidance.

Under the Uniform Guidance, a PTE must:

  • Perform risk assessments on its subrecipients to determine where to devote the most time with its monitoring procedures.
  • Provide ongoing monitoring, which includes site visits, provide technical assistance and training as necessary, and arrange for agreed-upon procedures to the extent needed.
  • Verify subrecipients have been audited under Subpart F of the Uniform Guidance, if they meet the threshold.
  • Report and follow up on any noncompliance at the subrecipient level.

The time you spend determining the energy you need to expend and the support you need to lend to your subrecipients will help your team perform at a healthy pace, and reach the finish line together.

Challenge #3: Procurement Standards

The procurement standards within the Uniform Guidance are similar to those under OMB Circular A-102, which applied to state and local governments. They are likely to have a bigger impact on those entities that were subject to OMB Circular A-110, which applied to higher education institutions, hospitals, and other not-for-profit organizations.

Racing Strategy: Choose the Right Equipment

Do your research before procuring goods and services. In the past, serious runners had limited options when it came to buying new shoes and food to boost energy. With the rise of e-commerce, we can now purchase everything faster and cheaper online than we can at our local running store. But is this really an improvement?

Under A-110, we were guided to make prudent decisions, but the requirements were less stringent. Now, under Uniform Guidance, we must follow prescribed guidelines.

Summarized below are some of the differences between A-110 and the Uniform Guidance:

Competition
  • A-110: Procurement transaction shall be conducted in a manner to provide, to the maximum extent practical, open and free competition.
  • Uniform Guidance: Procurement transaction must be conducted in a manner providing full and open competition consistent with the standards of this section.

Procurement
  • A-110: Organizations must establish written procurement procedures, which avoid purchasing unnecessary items, determine whether lease or purchase is most economical and practical, and in solicitation provide requirements for awards.
  • Uniform Guidance: Organizations must use one of the methods provided in this section:
      1. Procurement by Micro Purchase (<$3,000)
      2. Procurement by Small Purchase Procedures (<$150,000)
      3. Procurement by Sealed Bids
      4. Procurement by Competitive Proposal
      5. Procurement by Noncompetitive Proposal

While the process is more stringent under the Uniform Guidance, you still have the opportunity to choose the vendor or product best suited to the job. Just make sure you have the documentation to back up your decision.

A Final Thought
Obviously, this article is not an all-inclusive list of the changes reflected in the Uniform Guidance. Yet we hope that it does provide direction as you look for new grant awards and revisit internal policies and procedures.

And here’s one last tip: Do you know the most striking parallel that I see between running a race and implementing the Uniform Guidance? The value of knowing yourself.

It’s important to know what your challenges are, and to have the self-awareness to see when and where you will need help. And if you ever need someone to help you navigate, set the pace, or provide an objective perspective on purchasing equipment, let us know. We’re with you all the way to the finish line.

A version of this article was previously published on the Massachusetts Nonprofit Network

Editor’s note: while this blog is not technical in nature, you should read it if you are involved in IT security, auditing, and management of organizations that may participate in strategic planning and business activities where considerations of compliance and controls are required.

As we find ourselves in a fast-moving, strong business growth environment, there is no better time to consider the controls needed to enhance your IT security as you implement new, high-demand technology and software to allow your organization to thrive and grow. Here are five risks you need to take care of if you want to build or maintain strong IT security.

1. Third-party risk management―It’s still your fault

We rely daily on our business partners and vendors to make the work we do happen. With a focus on IT, third-party vendors are a potential weak link in the information security chain and may expose your organization to risk. However, though a data breach may be the fault of a third party, you are still responsible for it. Potential data breaches and exposure of customer information may occur, leaving you to give customers and clients answers and explanations you may not have.

Though software as a service (SaaS) providers, along with other IT third-party services, have been around for well over a decade now, we still neglect our businesses by not considering and addressing third-party risk. These third-party providers likely store, maintain, and access company data, which could potentially contain personally identifiable information (names, social security numbers, dates of birth, addresses), financial information (credit cards or banking information), and healthcare information of your customers. 

While many of the third-party providers have comprehensive security programs in place to protect that sensitive information, a study in 2017 found that 30% of data breaches were caused by employee error or while under the control of third-party vendors [1]. This study reemphasizes that when data leaves your control, it is at risk of exposure.

In many cases, procurement and contracting policies likely have language in contracts that already establishes requirements for third parties related to IT security; however, those requirements often go unenforced and awareness of what the contract says is low, or the documentation is collected, put in a file, and not reviewed. What can you do about it?

Improved vendor management

It is paramount that all organizations (no matter their size) have in place a comprehensive vendor management program that goes beyond contracting requirements to defend themselves against third-party risk. That program includes:

  1. An inventory of all third-parties used and their criticality and risk ranking. Criticality should be assigned using a “critical, high, medium or low” scoring matrix. 
  2. At time of onboarding or RFP, develop a standardized approach for evaluating if potential vendors have sufficient IT security controls in place. This may be done through an IT questionnaire, review of a Systems and Organization Controls (SOC report) or other audit/certifications, and/or policy review. Additional research may be conducted that focuses on management and the company’s financial stability. 
  3. As a result of the steps in #2, develop a vendor risk assessment using a high, medium and low scoring approach. Higher risk vendors should have specific concerns addressed in contracts and be subject to more in-depth annual due diligence procedures.
  4. Reporting to senior management and/or the board annually on the vendors used by the organization, the services they perform, their risk, and ways the organization monitors the vendors. 

2. Regulation and privacy laws―They are coming 

2018 saw the implementation of the European Union’s General Data Privacy Regulation (GDPR), which was the first major data privacy law pushed onto any organization that possesses, handles, or has access to the personal information of any EU citizen. Enforcement has started and the Information Commissioner’s Office has begun fining some of the world’s most famous companies, including substantial fines to Marriott International and British Airways of $125 million and $183 million Euros, respectively [2]. Gone are the days where regulations lacked the teeth to force companies into compliance.

Thanks to other major data breaches where the private information of hundreds of millions of consumers was lost or obtained (e.g., Experian), more regulation is coming. Although there is little expectation of an American federal requirement for data protection, individual states and other regulating organizations are introducing requirements. Each new regulation seeks to protect consumer privacy but the specifics and enforcement of each differ.

Expected to be most impactful in 2019 is the California Consumer Privacy Act, which applies to organizations that handle, collect, or process consumer information and do business in the state of California (you do not have to be located in CA to be under the umbrella of enforcement).

In 2018, Maine passed the toughest law on telecommunications providers for selling consumer information. Massachusetts’ long-standing privacy and data breach laws were amended with stronger requirements in January of 2019. Additional privacy and breach laws are in discussion or on the table for many states including Colorado, Delaware, Ohio, Oregon, Vermont, and Washington, amongst others.

Preparation and awareness are key

All organizations, no matter their line of business, must be aware of and understand current laws and proposed legislation. New laws are expected to not only address the protection of customer data, but also employee information. All organizations should monitor proposed legislation and be aware of the potential enforceable requirements. The good news is that there are a lot of resources out there and, in most cases, legislative requirements allow for grace periods to allow organizations to develop a complete understanding of proposed laws and implement needed controls.

3. Data management―Time to cut through the clutter 

We all work with people who have thousands of emails in their inbox (in some cases, dating back several years). Those users’ biggest fears may start to come to fruition―that their “organizational” approach of not deleting anything may come to an end with a simple email and data retention policy put in place by their employer. 

The amount of data we generate in a day is massive. Forbes estimates that we generate 2.5 quintillion bytes of data each day and that 90% of all the world’s data was generated in the last two years alone [3]. While data is a gold mine for analytics and market research, it is also an increasing liability and security risk.

Inc. Magazine says that 73% of the data we have available to us is not used [4]. Within that data could be personally identifiable information (such as social security numbers, names, addresses, etc.); financial information (bank accounts, credit cards etc.); and/or confidential business data. That data is valuable to hackers and corporate spies, and in many cases the data’s existence and location are unknown to the organizations that have it.

In addition to the security risk that all this data poses, it also may expose an organization to liability in the event of a lawsuit or investigation. Emails and other communications are a favorite target of subpoenas and investigations and should be deleted within 90 days (including deleted items folders).

Take an inventory before you act

Organizations should first complete a full data inventory and understand what types of data they maintain and handle, and where and how they store that data. Next, organizations can develop a data retention policy that meets their needs. Utilizing backup storage media may be a solution that helps reduce the need to store and maintain a large amount of data on internal systems. 

4. Doing the basics right―The simple things work 

Across industries and regardless of organization size, the most common problem we see is the absence of basic controls for IT security. Every organization, no matter their size, should work to ensure they have controls in place. Some must-haves:

  • Established IT security policies
  • Routine, monitored patch management practices (for all servers and workstations)
  • Change management controls (for both software and hardware changes)
  • Anti-virus/malware on all servers and workstations
  • Specific IT security risk assessments 
  • User access reviews
  • System logging and monitoring 
  • Employee security training

Go back to the basics 

We often see organizations that focus on new and emerging technologies, but have not taken the time to put basic security controls in place. Simple deterrents will help thwart hackers. I often tell my clients a locked car scares away most ill-willed people, but a thief can still smash the window.

Smaller organizations can consider using third-party security providers, if they are not able to implement basic IT security measures. From our experience, small organizations are being held to the same data security and privacy expectations by their customers as larger competitors and need to be able to provide assurance that controls are in place.  

5. Employee retention and training 

Unemployment rates are at an all-time low, and the demand for IT security experts at an all-time high. In fact, Monster.com reported that in 2019 the unemployment rate for IT security professionals is 0% [5].

Organizations should be highly focused on employee retention and training to keep current employees up-to-speed on technology and security trends. One study found that only 15% of IT security professionals were not looking to switch jobs within one year [6].

Surprisingly, money is not the top factor for turnover―68% of respondents prioritized working for a company that takes their opinions seriously [6].

For years we have told our clients they need to create and foster a culture of security from the top down, and that IT security must be considered more than just an overhead cost. It needs to align with overall business strategy and goals. Organizations need to create designated roles and responsibilities for security that provide your security personnel with a sense of direction―and the ability to truly protect the organization, their people, and the data. 

Training and support goes a long way

Offering training to security personnel allows them to stay abreast of current topics, but it also shows those employees you value their knowledge and the work they do. You need to train technology workers to be aware of new threats, and on techniques to best defend and protect from such risks. 

Reducing turnover rate of IT personnel is critical to IT security success. Continuously having to retrain and onboard employees is both costly and time-consuming. High turnover impacts your culture and also hampers your ability to grow and expand a security program. 

Making the effort to empower and train all employees is a powerful way to demonstrate your appreciation and support of the employees within your organization—and keep your data more secure.  

We can help

Ensuring that you have a stable and established IT security program in place by considering the above risks will help your organization adapt to technology changes and create more than just an IT security program, but a culture of security minded employees. 

Our team of security and control experts can help your organization create and implement controls needed to consider emerging IT risks. For more information, contact the team.
 

Sources:
[1] https://iapp.org/news/a/surprising-stats-on-third-party-vendor-risk-and-breach-likelihood/  
[2] https://resources.infosecinstitute.com/first-big-gdpr-fines/
[3] https://www.forbes.com/sites/bernardmarr/2018/05/21/how-much-data-do-we-create-every-day-the-mind-blowing-stats-everyone-should-read/#458b58860ba9
[4] https://www.inc.com/jeff-barrett/misusing-data-could-be-costing-your-business-heres-how.html
[5] https://www.monster.com/career-advice/article/tech-cybersecurity-zero-percent-unemployment-1016
[6] https://www.securitymagazine.com/articles/88833-what-will-improve-cyber-talent-retention

Blog
Five IT risks everyone should be aware of

Read this if you are an Institutional Research (IR) Director, a Registrar, or are in the C-Suite.

In my last blog, I defined the what and the why of data governance, and outlined the value of data governance in higher education environments. I also asserted data isn’t the problem―the real culprit is our handling of the data (or rather, our deferral of data responsibility to others).

While I remain convinced that data isn’t the problem, recent experiences in the field have confirmed the fact that data governance is problematic. So much, in fact, that I believe data governance defies a “solid,” point-in-time solution. Discouraged? Don’t be. Just recalibrate your expectations, and pursue an adaptive strategy.

This starts with developing data governance guiding principles, with three initial points to consider: 

  1. Key stakeholders should develop your institution’s guiding principles. The team should include representatives from areas such as the office of the Registrar, Human Resources, Institutional Research, and other significant producers and consumers of institutional data. 
  2. The focus of your guiding principles must be on the strategic outcomes your institution is trying to achieve, and the information needed for data-driven decision-making.
  3. Specific guiding principles will vary from institution to institution; effective data governance requires both structure and flexibility.

Here are some baseline principles your institution may want to adopt and modify to suit your particular needs.

  • Data governance entails iterative processes, attention to measures and metrics, and ongoing effort. The institution’s governance framework should be transparent, practical, and agile. This ensures that governance is seen as beneficial to data management and not an impediment.
  • Governance is an enabler. The institution’s work should help accomplish objectives and solve problems aligned with strategic priorities.
  • Work with the big picture in mind. Start from the vantage point that data is an institutional asset. Without an institutional asset mentality it’s difficult to break down the silos that make data valuable to the organization.
  • The institution should identify data trustees and stewards that will lead the data governance efforts at your institution.
    • Data trustees should have responsibility over data, and have the highest level of responsibility for custodianship of data.
    • Data stewards should act on behalf of data trustees, and be accountable for managing and maintaining data.
  • Data quality needs to be baked into the governance process. The institution should build data quality into every step of capture and entry. This will increase user confidence that there is data integrity. The institution should develop working agreements for sharing and accessing data across organizational lines. The institution should strive for processes and documentation that are consistent, manageable, and effective. This helps projects run smoothly, with consistent results every time.
  • The institution should pay attention to building security into the data usage cycle. An institution’s security measures and practices need to be inherent in the day-to-day management of data, and balanced with the working agreements mentioned above. This keeps data secure and protected for the entire organization.
  • Agreed-upon rules and guidelines should be developed to support a data governance structure and decision-making. The institution should define and use pragmatic approaches and practical plans that reward sustainability and collaboration, building a successful roadmap for the future.

Next Steps

Are you curious about additional guiding principles? Contact me. In the meantime, keep your eyes peeled for a future blog that digs deeper into the roles of data trustees and stewards.
 

Blog
Governance: It's good for your data

Not-for-profit board members need to wear many hats for the organization they serve. Every board member begins their term with a different set of skills, often chosen specifically for those unique abilities. As board members, we often assist the organization in raising money and as such, it is important for all members of the board to be fluent in the language of fundraising. Here are some basic definitions you need to know, and the differences between them.

Gifts with donor restriction

While many organizations can use all donations for their operating costs, many donors prefer to specify how―or when―they can use the donation. Gift restrictions come in several forms:

1.    Purpose-restricted gifts are, as their name implies, for a specific use. These can be in response to a request from your organization for that specific purpose or the donor can indicate its purpose when they make the gift. Consider how you solicit gifts from donors to be sure you don’t inadvertently apply restrictions. Not all gifts need to (or even should) be accepted by an organization, so take care in considering if specific restrictions are in line with your mission. 

2.    Time-restricted gifts can come with or without a restricted purpose. You can treat gifts for future periods as revenue today, though the funds would be considered restricted for use until the time restrictions have lapsed. These are often in the form of pledges of gifts for the future, but can also be actual donations provided today for use in coming years.

3.    Some donors prefer the earnings of their gift be available for use, while their actual donation be held in perpetuity. These are often in the form of endowments and specific restrictions may or may not be placed by the donor on the endowment’s earnings. Laws can differ from state-to-state for the treatment of those earnings, but your investment policy should govern the spending from these earnings.

The bottom line? Restricted-purpose gifts must be used for that restricted purpose.

Gifts without restriction are always welcomed by organizations. The board has the ability to direct the spending of these gifts, and may designate funds for a future purpose, but unlike gifts with donor restrictions, the board does have the discretion to change their own designations.

Whether raising money or reviewing financial information, understanding fundraising language is key for board members to make the most out of donations. See A CPA’s guide to starting a capital campaign and Accounting 101 for development directors blogs for more information. Have questions or want to learn more? Please contact Emily Parker or Sarah Belliveau.

Blog
The language of fundraising: A primer for NFP board members

Of all the changes that came with the sweeping Tax Cuts and Jobs Act (TCJA) in late 2017, none has prompted as big a response from our clients as the changes TCJA makes to the qualified parking deduction. Then, last month, the IRS issued its long-awaited guidance on this code section in the form of Notice 2018-99.

We've taken a look at both the original provisions and the new guidance, and have collected the salient points and things we think you need to consider this tax season. For not-for-profit organizations, visit my article here. And for-profit companies can read here.

Blog
IRS guidance on qualified parking: Our take

As 2018 is about to come to a close, organizations with fiscal year ends after December 15, 2018, are poised to start implementing the new not-for-profit reporting standard. Here are three areas to address before the close of the fiscal year to set your organization up for a smooth and successful transition, and keep in compliance:

  1. Update and approve policies—organizations need to both change certain disclosures and add new ones. The policies in place at the end of the year will be pivotal in creating the framework within which to draft these new disclosures (for example, treatment of board designations, underwater endowments, and liquidity).
  2. Functional expense reporting—if you have not historically reported expenses by natural and functional classification, develop the methodology for cost allocation. If you already have a framework in place, revisit it to determine if this still fits your organization. Finally, determine where you will present this information in the financial statements.
  3. Internal investment costs—be sure you have a methodology to segregate the organization’s internal investment costs such as internal staff time (remember, this is the cost to generate the income, not account for it) and consider the overall disclosure.

While the implementation of the new reporting standard will not be without cost (both internal costs and audit costs), if your organization considers this an opportunity to better tell your story, the end result will be a much more useful financial narrative. Don’t forget to include the BerryDunn implementation whitepaper in your implementation strategy.

We at BerryDunn are helping organizations gain momentum with a personal touch, through our not-for-profit reporting checkup. This checkup includes initial recast of the prior financial statements to the new format, a personalized review of the checklist to identify opportunities for success, and consideration of the footnotes to be updated. Contact me and find out how you can join the list of organizations getting ahead of the new standard.

Blog
Three steps to ace the new not-for-profit reporting standard

With the wind down of the Federal Perkins Loan Program and announcement that the Federal Capital Contribution (FCC) (the federal funds contributed to the loan program over time) will begin to be repaid, higher education institutions must now decide how to handle these outstanding loans. The Department of Education’s (DOE) plans to recover their FCC (or “distribution of assets”) in the coming 2018-19 year can be found here, with the Fiscal Operations Report and Application to Participate (FISAP) playing a crucial role in the close-out excess cash calculation. Colleges and universities are now faced with two options:

  1. Continue servicing their loans, refunding future FCC excess cash as loans are repaid
  2. Assigning loans back to the DOE (subject to certain requirements)

Colleges and universities have been evaluating these options since the decision was made to not renew the loan program. There are many considerations when deciding which path to choose:

  • Continuing to service loans has the disadvantage of ongoing administrative costs. While there is potential that an administrative cost allowance could be paid to institutions that continue to service loans in the future, legislation would need to be enacted for this to occur.
  • In assigning loans back to the DOE, the institution will lose any Institutional Capital Contribution (ICC). It is important to note the decision of whether or not to assign loans has not reached “now or never” status. You can assign loans your institution continues to service to the DOE in the future.

NACUBO recently published advisory guidance on the Perkins Loan Program close-out. This guidance provides a broader look at the close-out process, and explores the ramifications of how the two options above can impact alumni relations. The guidance also provides a useful cost/benefit calculation template and sample accounting entries for the close-out process.

Need help or have additional questions? Our experience with Perkins Loan liquidation/closeout can help as you plot a course through the Perkins wind down.

Blog
Winding down the Perkins Loan Program: "Should I stay or should I go?"

IRS Notice 2018-67 Hits the Charts
Last week, in addition to The Eagles Greatest Hits (1971-1975) album becoming the highest selling album of all time, overtaking Michael Jackson’s Thriller, the IRS issued Notice 2018-67, its first formal guidance on Internal Revenue Code Section 512(a)(6), one of two major code sections added by the Tax Cuts and Jobs Act of 2017 that directly impacts tax-exempt organizations. Will it, too, be a big hit? It remains to be seen.

Section 512(a)(6) specifically deals with the reporting requirements for not-for-profit organizations carrying on multiple unrelated business income (UBI) activities. Here, we will summarize the notice and help you to gain an understanding of the IRS’s thoughts and anticipated approaches to implementing §512(a)(6).

While there have been some (not so quiet) grumblings from the not-for-profit sector about guidance on Code Section 512(a)(7) (aka the parking lot tax), unfortunately we still have not seen anything yet. With Notice 2018-67’s release last week, we’re optimistic that guidance may be on the way and will let you know as soon as we see anything from the IRS.

Before we dive in, it’s important to note last week’s notice is just that—a notice, not a Revenue Procedure or some other substantive legislation. While the notice can, and should be relied upon until we receive further guidance, everything in the notice is open to public comment and/or subject to change. With that, here are some highlights:

No More Netting
512(a)(6) requires the organization to calculate unrelated business taxable income (UBTI), including for purposes of determining any net operating loss (NOL) deduction, separately with respect to each such trade or business. The notice requires this separate reporting (or silo-ing) of activities in order to determine activities with net income from those with net losses.

Under the old rules, if an organization had two UBI activities in a given year (e.g., one with $1,000 of net income and another with a $1,000 net loss), you could simply net the two together on Form 990-T and report $0 UBTI for the year. That is no longer the case. From now on, you can effectively ignore activities with a current year loss, prompting the organization to report $1,000 as taxable UBI, and pay associated federal and state income taxes, while the activity with the $1,000 loss will get “hung-up” as an NOL specific to that activity and carried forward until said activity generates a net income.

Separate Trade or Business
So, how does one distinguish (or silo) a separate trade or business from another? The Treasury Department and IRS intend to propose some regulations in the near future, but for now recommend that organizations use a “reasonable good-faith interpretation”, which for now includes using the North American Industry Classification System (NAICS) in order to determine different UBI activities.

For those not familiar, the NAICS categorizes different lines of business with a six-digit code. For example, the NAICS code for renting* out a residential building or dwelling is 531110, while the code for operating a potato farm is 111211. While distinguishing residential rental activities from potato farming activities might be rather straightforward, the waters become muddier if an organization rents both a residential property and a nonresidential property (NAICS code 531120). Does this mean the organization has two separate UBI rental activities, or can both be grouped together as rental activities? The notice does not provide anything definitive, but rather is requesting public comments; we expect to see something more concrete once the public comment period is over.

*In the above example, we’re assuming the rental properties are debt-financed, prompting a portion of the rental activity to be treated as UBI.

UBI from Partnership Investments (Schedule K-1)
Notice 2018-67 does address how to categorize/group unrelated business income for organizations that receive more than one partnership K-1 with UBI reported. In short, if the Schedule K-1s the organization receives can meet either of the tests below, the organization may treat the partnership investments as a single activity/silo for UBI reporting purposes. The notice offers the following:

De Minimis Test
You can aggregate UBI from multiple K-1s together as long as the exempt organization holds directly no more than 2% of the profits interest and no more than 2% of the capital interest. These percentages can be found on the face of the Schedule K-1 from the Partnership and the notice states those percentages as shown can be used for this determination. Additionally, the notice allows organizations to use an average of beginning of year and end of year percentages for this determination.

Ex: If an organization receives a K-1 with UBI reported, and the beginning of year profit & capital percentages are 3%, and the end of year percentages are 1%, the average for the year is 2% (3% + 1% = 4%; 4% / 2 = 2%). In this example, the K-1 meets the de minimis test.

There is a bit of a caveat here—when determining an exempt organization's partnership interest, the interest of a disqualified person (i.e. officers, directors, trustees, substantial contributors, and family members of any of those listed here), a supporting organization, or a controlled entity in the same partnership will be taken into account. Organizations need to review all K-1s received and inquire with the appropriate person(s) to determine if they meet the terms of the de minimis test.

Control Test
If an organization is not able to pass the de minimis test, you may instead use the control test. An organization meets the requirements of the control test if the exempt organization (i) directly holds no more than 20 percent of the capital interest; and (ii) does not have control or influence over the partnership.

When determining control or influence over the partnership, you need to apply all relevant facts and circumstances. The notice states:

“An exempt organization has control or influence if the exempt organization may require the partnership to perform, or may prevent the partnership from performing, any act that significantly affects the operations of the partnership. An exempt organization also has control or influence over a partnership if any of the exempt organization's officers, directors, trustees, or employees have rights to participate in the management of the partnership or conduct the partnership's business at any time, or if the exempt organization has the power to appoint or remove any of the partnership's officers, directors, trustees, or employees.”

As noted above, we recommend your organization review any K-1s you currently receive. It’s important to take a look at Line I1 and make sure your organization is listed here as “Exempt Organization”. All too often we see not-for-profit organizations listed as “Corporations”. While usually technically correct, this designation is really for a for-profit corporation and could result in the organization not receiving the necessary information in order to determine what portion, if any, of income/loss is attributable to UBI.

Net Operating Losses
The notice also provides some guidance regarding the use of NOLs. The good news is that any pre-2018 NOLs are grandfathered under the old rules and can be used to offset total UBTI on Form 990-T.

Conversely, any NOLs generated post-2018 are going to be considered silo-specific, with the intent being that the NOL will only be applicable to the activity which gave rise to the loss. There is also a limitation on post-2018 NOLs, allowing you to use only 80% of the NOL for a given activity. Said another way, an activity that has net UBTI in a given year, even with post-2017 NOLs, will still potentially have an associated tax liability for the year.

Obviously, Notice 2018-67 provides a good baseline for general information, but the details will be forthcoming, and we will know then if they have a hit. Hopefully the IRS will not Take It To The Limit in terms of issuing formal guidance with regard to 512(a)(6) & (7). Until they receive further IRS guidance, folks in the not-for-profit sector will not be able to Take It Easy or have any semblance of a Peaceful Easy Feeling. Stay tuned.

Blog
Tax-exempt organizations: The wait is over, sort of

Over the course of its day-to-day operations, every organization acquires, stores, and transmits Protected Health Information (PHI), including names, email addresses, phone numbers, account numbers, and social security numbers.

Yet the security of each organization’s PHI varies dramatically, as does its need for compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Organizations that meet the definition of a covered entity or business associate under HIPAA must comply with requirements to protect the privacy and security of health information.

Noncompliance can have devastating consequences for an organization, including:

  • Civil violations, with fines ranging from $100 to $50,000 per violation
  • Criminal penalties, with fines ranging from around $50,000 to $250,000, plus imprisonment

All it takes is just one security or privacy breach. As breaches of all kinds continue to rise, this may be the perfect time to evaluate the health of your organization’s HIPAA compliance. To keep in compliance and minimize your risk of a breach, your organization should have:

  • An up-to-date and comprehensive HIPAA security and privacy plan
  • Comprehensive HIPAA training for employees
  • Staff who are aware of all PHI categories
  • Sufficiently encrypted devices and strong password policies

HIPAA Health Check: A Thorough Diagnosis

If your organization doesn’t have these safeguards in place, it’s time to start preparing for the worst — and undergo a HIPAA health check.

Organizations need to understand what they have in place, and where they need to bolster their practice. Here are a variety of fact-finding methods and tools we recommend, including (but not limited to):

  • Administrative, technical, and physical risk analyses
  • Policy, procedure, and business documentation reviews
  • Staff surveys and interviews
  • IT audits and testing of data security

Once you have diagnosed your organization’s “as-is” status, you need to move your organization toward the “to-be” status — that is, toward HIPAA compliance — by:

  • Prioritizing your HIPAA security and privacy risks
  • Developing tactics to mitigate those risks
  • Providing tools and tactics for security and privacy breach prevention and minimization
  • Creating or updating policies, procedures, and business documents, including a HIPAA security and privacy plan

As each organization is different, there are many factors to consider as you go through these processes, and customize your approach to the HIPAA-compliance needs of your organization.

The Road to Wellness

An ounce of prevention is worth a pound of cure. Don’t let a security or privacy breach jump-start the compliance process. Reach out to us for a HIPAA health check. Contact us if you have any questions on how to get your organization on the road to wellness.

Blog
How healthy is your organization's HIPAA compliance?

NEW UPDATE October 2017:

The Federal Perkins Loan Program expiration date has passed without extension and now the countdown is on for the program wind-down. On October 6, the Department of Education issued a Dear Colleague Letter, GEN-17-10, which provides important wind-down information and indicates the Department will begin collecting the Federal share of institutions’ Perkins Loan Revolving Funds following the submission of the 2019-2020 FISAP (due October 1, 2018) using a similar process to the Excess Liquid Capital currently in place under HEA section 466(c). The Department of Education has promised more information on this process ahead of the October 2018 deadline.

Institutions should be reviewing their portfolios to determine if they will choose to assign their Perkins Loans to the Department or continue servicing their portfolio. Once the loans are assigned, institutions lose all rights to future loan collections, including their institutional share.

Loans that are not assigned to the department should continue to be serviced under Perkins Loan Program regulations until all loans are paid in full, fully retired or assigned to the Department. The process of requiring the distribution of assets from the Perkins Loan Revolving Fund will continue each year based on the annual submission of the FISAP, until all of the Perkins Loans held by the institution have been paid in full, fully retired or assigned to the Department of Education.

An administrative cost allowance cannot be charged against the Perkins Loan Revolving Fund after June 30, 2018.

For those considering liquidation and assignment, the Assignment and Liquidation Guide provides step-by-step instructions through the process, including the required Perkins closeout audit. We are experienced with the Perkins closeout and stand ready to assist.
 

NEW UPDATE March 30, 2016: 

A new combined Federal Perkins Loan Assignment and Liquidation Guide has been posted. You can see the announcement and links to the updated guide here.

The Federal Perkins Loan Program has expired, effective October 1. While guidance has not yet been issued by the Department of Education in response to the program’s expiration, there is a published process for institutions to follow to liquidate a Perkins Loan Revolving Fund.

We'll keep you informed as guidance is issued

BerryDunn’s Higher Education experts are monitoring the situation and assessing the implications for colleges and universities and their loan recipients with outstanding balances.

Need help or have additional questions?

Our experience with Perkins loan liquidation/closeout audits can be of great help to you as you navigate the complexities of closing your Perkins loans. Feel free to contact Renee Bishop, Emily Parker, Mark LaPrade or any of our Higher Education experts.

Blog
New federal Perkins Loan update

With the most recent overhaul to the Form 990, Return of Organization Exempt From Income Tax, the IRS has made clear its intention to increase the transparency of a not-for-profit organization’s mission and activities and to promote active governance. To that point, the IRS asks whether a copy has been provided to an organization’s board prior to filing and requires organizations to describe the process, if any, its board undertakes to review the 990.

This lack of ambiguity aside, it is just good governance to have an understanding of the information included in your organization’s Form 990. After all, it is available to anyone who wants a copy. But the volume of information included in a typical return can be daunting.

Where do you even start? Let’s take a look at the key components of a Form 990 that warrant at least a read-through:

  • Income and expense activity (Page 1 and Schedule D) – Does this agree to, or reconcile to, the financial reporting of the organization?
  • Narratives on Page 2 – Does it accurately describe your mission and “tell your story”?
  • Questions in Part VI about governance, management, and disclosures – If any governance or policy questions are answered in the negative, have you given consideration to implementing changes?
  • Part VII – Board information and key employee/contractor compensation – Is the list complete? Does the information agree with compensation set by the board? Does it seem appropriate in light of responsibilities and the organization’s activities?

Depending on how questions were answered earlier in the Form 990, several schedules may be required. Key schedules include:

  • Schedule C – Political and lobbying expenditures
  • Schedule F – Foreign transactions and investments reported (alternative investments may have pass-through foreign activity)
  • Schedule J – Detailed compensation reporting for employees whose package exceeds $150,000
  • Schedule L – Transactions with officers, board members, and key employees (conflict-of-interest disclosures)

In addition to the Form 990, an organization may be required to file a Form 990-T, Exempt Organization Business Income Tax Return, if it earns unrelated business income. In general, it’s good practice to review the Form 990 with the organization’s management or tax preparer to be able to ask questions as they arise.

Filing and reviewing the Form 990 can be more than a compliance exercise. It’s an opportunity for good conversations about your mission, policies, and compensation—a “health check-up” that can benefit more areas than just compliance. Understanding your not-for-profit’s operations and being an engaged and informed board member are essential to effectively fulfilling your fiduciary responsibilities.

Blog
Good governance: Understanding your organization's Form 990
