Families First Coronavirus Response Act (FFCRA): FAQs for businesses

03.30.20

Read this if you are a business owner, in management, or in HR at a company with less than 500 employees.

We have received many questions regarding the FFCRA and its provisions and how it affects different employers and their employees. Here are some of the questions our clients have asked the most. Please contact us if you have questions regarding your specific situation. We’re here to help.  

Besides compensation, what other costs paid by an employer are eligible for the credit (i.e., employer paid health insurance, employer payroll taxes)?
Employers can deduct the cost of providing continuing health care coverage, and the employer’s share of Medicare taxes related to the leave wages. Any compensation paid under the FFCRA is not subject to the employer’s portion of the Social Security tax.

How do you determine the total number of employees? 
In calculating the total number of employees, all full-time or part-time employees working within the US, including all US territories or possessions, are counted, including all employees on leave and temp employees who are jointly employed with another company as determined under the Fair Labor Standards Act (FLSA). 

How does a business know if it employs less than 500 employees and is subject to the FFCRA?
Generally, a private sector employer is subject to the Family and Medical Leave Act of 1993 (FMLA) if it employs 50 or more employees for each working day during each of 20 or more calendar workweeks in the current or preceding calendar year. The FAQs issued by the Department of Labor (DOL) indicate an employer has fewer than 500 employees if, at the time an employee’s leave is to be taken, there are fewer than 500 full-time and part-time employees within the United States, which includes any state of the United States, the District of Columbia, or any territory or possession of the United States. 

In making this determination, an employer should include employees on leave; temporary employees who are jointly employed by you and another employer (regardless of whether the jointly-employed employees are maintained on only your or another employer’s payroll); and day laborers supplied by a temporary agency (regardless of whether you are the temporary agency or the client firm if there is a continuing employment relationship). Workers who are independent contractors under the FLSA, rather than employees, are not considered employees for purposes of the 500-employee threshold.

Where a corporation has an ownership interest in another corporation, the two corporations are separate employers unless they are joint employers under the FLSA with respect to certain employees. In general, two or more entities are separate employers unless they meet the integrated employer test under the FMLA.

Please check with your advisors if you believe the integrated employer test may apply to your businesses.

Which employees are entitled to the $511 payment under sick leave?
For an employee who is unable to work because of the coronavirus quarantine or self-quarantine or has COVID-19 symptoms and is seeking a medical diagnosis, the employee may receive sick leave wages equal to the employee’s regular rate of pay, up to $511 per day and $5,111 in the aggregate, for a total of 10 days. Note that only employers who employ fewer than 500 employees are required to provide sick leave payments. Such employers may also receive a refundable tax credit for sick leave paid to employees.

Which employees are entitled to the $200 payment under sick leave?
For an employee who is caring for someone with COVID-19, or is caring for a child because the child’s school or child care facility is closed, or the child care provider is unavailable due to the coronavirus, the employee may receive sick leave wages equal to two-thirds of the employee’s regular rate of pay, up to $200 per day and $2,000 in the aggregate, for up to 10 days. Note that only employers who employ fewer than 500 employees are required to provide sick leave payments. Such employers may also receive a refundable tax credit for sick leave paid to employees.

Which employees are entitled to the $200 payment under the family leave portion of FFCRA?
For an employee who is unable to work because of a need to care for a child whose school or child care facility is closed or whose child care provider is unavailable due to the coronavirus, the employee may receive family leave wages equal to two-thirds of the employee’s regular rate of pay, capped at $200 per day or $10,000 in the aggregate. Up to 10 weeks of qualifying leave can be counted towards the child care leave credit. Note that only employers who employ fewer than 500 employees are required to provide sick leave payments. Such employers may also receive a refundable tax credit for sick leave paid to employees.

What is “regular rate of pay” for purposes of the FFCRA?
For purposes of the FFCRA, the regular rate of pay used to calculate paid leave is the average of the employee’s regular rate over a period of up to six months prior to the date on which leave is taken. If an employee has not worked for the current employer for six months, the regular rate used to calculate paid leave is the average regular rate of pay for each week the employee has worked for the current employer.

If an employee is paid with commissions, tips, or piece rates, these amounts will be incorporated into the above calculation to the same extent they are included in the calculation of the regular rate under the FLSA.

You can also compute this amount for each employee by adding all compensation that is part of the regular rate over the above period and divide that sum by all hours actually worked in the same period.

What is the effective date of the sick leave/family leave provisions?
Employers must comply with the FFCRA from April 1, 2020, until it expires on December 31, 2020. Paid leave prior to April 1, 2020 will not count. The IRS recently issued guidance indicating the tax credits for qualified sick leave wages and qualified family leave wages required to be paid by the FFCRA will apply to wages paid for the period beginning on April 1, 2020, and ending on December 31, 2020.

Who is considered a “health care provider”?
For the purposes of employees who may be exempted from paid sick leave or expanded family and medical leave by their employer under the FFCRA, a health care provider is anyone employed at any doctor’s office, hospital, health care center, clinic, post-secondary educational institution offering health care instruction, medical school, local health department or agency, nursing facility, retirement facility, nursing home, home health care provider, any facility that performs laboratory or medical testing, pharmacy, or any similar institution, employer, or entity. This includes any permanent or temporary institution, facility, location, or site where medical services are provided that are similar to such institutions. 

This definition includes any individual employed by an entity that contracts with any of the above institutions, employers, or entities to provide services or to maintain the operation of the facility. This also includes anyone employed by any entity that provides medical services, produces medical products, or is otherwise involved in the making of COVID-19 related medical equipment, tests, drugs, vaccines, diagnostic vehicles, or treatments. This also includes any individual that the highest official of a state or territory, including the District of Columbia, determines is a health care provider necessary for that state’s or territory’s or the District of Columbia’s response to COVID-19.

To minimize the spread of the virus associated with COVID-19, the DOL encourages employers to be judicious when using this definition to exempt health care providers from the provisions of the FFCRA.

For more information
If you have more questions, or have a specific question about your particular situation, please call us. We’re here to help. 

Read this if you are an employer looking for more information on the Employee Retention Credit (ERC).

If you are an employer who did not qualify for or request a Paycheck Protection Plan (PPP) loan, the ERC provisions of the CARES Act may be available to you.

The ERC is a fully refundable tax credit for eligible employers equal to 50 percent of qualified wages (including allocable qualified health plan expenses) an eligible employer pays their employees. This ERC applies to qualified wages paid after March 12, 2020, and before January 1, 2021. The maximum amount of qualified wages (including allocable qualified health plan expenses) taken into account with respect to each employee for all calendar quarters is $10,000, so that the maximum credit an eligible employer can receive on qualified wages paid to any employee is $5,000.

Eligibility

Eligible employers for the ERC carry on a trade or business during calendar year 2020, including tax-exempt organizations, that either:

  • Fully or partially suspend operation during any calendar quarter in 2020 due to orders from an appropriate governmental authority limiting commerce, travel, or group meetings due to COVID-19; or
  • Experience a significant decline in gross receipts during the calendar quarter.

Self-employed individuals are not eligible for this credit for their own self-employment earnings, though they may be able to claim the credit for wages paid to their employees.

If an eligible employer averaged more than 100 full-time employees in 2019, qualified wages are limited to wages paid to an employee for time that the employee is not providing services due to an economic hardship, specifically, either (1) a full or partial suspension of operations by order of a governmental authority due to COVID-19, or (2) a significant decline in gross receipts. If the eligible employer averaged 100 or fewer full-time employees in 2019, qualified wages are the wages paid to any employee during any period of economic hardship described in (1) or (2) above.

As with most provisions of the CARES Act, very limited formal guidance has been issued by the IRS. Instead, the IRS issues and updates FAQs on the IRS website. 

One area where eligible employers have been seeking advice is what qualifies as wages and allocable health insurance costs. Qualified wages include an allocable portion of the qualified health plan expenses paid or incurred by an eligible employer to provide and maintain a group health plan. For purposes of the ERC, this also includes employee pre-tax contributions. 

IRS FAQs

The IRS recently updated the Employee Retention Credit FAQs to indicate an eligible employer can claim the ERC for qualified health plan expenses, regardless of whether the employee is paid qualified wages. Updated FAQs 64-65 clarify that health plan expenses paid to laid off or furloughed employees are considered qualified wages for purposes of the ERC. This is welcome news since most employers continue to pay their share (if not the full amount) of the health insurance premiums for employees who have been laid off or furloughed.

Read specific examples in the updated FAQs here.

How are qualified health plan expenses determined and allocated?

Qualified health plan expenses are determined separately for each plan sponsored by an employer. For employers sponsoring more than one health plan, for example a group health plan and a health flexible spending arrangement, expenses for each plan are allocated to the employees who participate in that plan. Allocated expenses will be aggregated for those employees who participate in more than one plan. 

Qualified health plan expenses may be allocated using any reasonable method by those employers sponsoring a fully-insured group health plan, including (1) the COBRA applicable premium for the employee, (2) one average premium rate for all employees, or (3) a substantially similar method that takes into account the average premium rate determined separately for employees with self-only and other than self-only coverage. An eligible employer allocating expenses using the average premium rate for all employees may determine a daily rate as detailed in FAQ 67.

Example

An employer sponsors an insured group health plan that covers 400 employees, some with self-only coverage and some with family coverage. Each employee is expected to have 260 work days a year (5 days/week for 52 weeks). The employees contribute a portion of their premium by pre-tax salary reduction, with different amounts for self-only and family. The total annual premium for the 400 employees is $5.2 million. Using the one average premium rate method, the annual premium rate is $13,000 ($5.2 million divided by 400 employees). For each employee expected to have 260 work days a year, the resulting daily average premium is $50 ($13,000 divided by 260 days). The $50 daily rate represents qualified health plan expenses allocated to each day of the qualified wages per employee.

For those employers sponsoring self-insured group health plans, qualified health plan expenses may be allocated using any reasonable method, including (1) the COBRA applicable premium for the employee, or (2) any reasonable actuarial method to determine the estimated annual expenses of the plan. 

An eligible employer sponsoring a self-insured group health plan and allocating expenses using a reasonable actuarial method to determine estimated annual expenses may determine a daily rate similar to the rules for fully-insured plans—that is, taking the estimated annual expenses, dividing by the number of employees covered, and then dividing by the average number of work days during the year by the employees. 

For both fully-insured and self-insured plans, paid-time off days are considered work days when determining the average daily rate.

FAQs 69 and 70 provide that qualified health plan expenses do not include eligible employer contributions to health savings accounts (HSA), Archer medical saving accounts (Archer MSA), or a qualified small employer health reimbursement arrangement (QSEHRA). 

However, qualified health plan expenses may include contributions to a health reimbursement arrangement (HRA), including an individual coverage HRA, or a health flexible spending account (FSA). To allocate contributions to an HRA or a health FSA, eligible employers should use the amount of contributions made on behalf of the particular employee.

Additionally, qualified health plan expenses do not include health plan expenses allocated to any sick leave and family medical wages under the FFCRA (FAQ 71).

Summary

For those eligible employers with 100 or more employees, the guidance that can be inferred from the available FAQs appears to be the following:

  • If an employer is paying an employee for more than the hours the employee is actually working, then a credit would be available for the difference between wages paid and the wages for the hours worked.
  • If an employer has decreased the hours worked by an employee but continues to pay the same (or greater) cost for health insurance, a credit would be available for the allocable health insurance costs while the employee is not working. For example, if an employee is only working 60% of his/her normal hours, an employer would be able to receive a credit equal to 40% of the health insurance costs paid for that employee.

For more information

If you have more questions, or have a specific question about your particular situation, please call us. We’re here to help. 

Blog
Employee Retention Credit―Updated IRS FAQs provide clarification

Editor’s note: read this if you are a leader in a healthcare organization and have questions concerning the current definition of health care provider in recent legislation regarding COVID-19.

One of the more common questions we receive regarding the paid sick and family leave provisions of the Families First Coronavirus Response Act (the “Act”) is regarding which employees qualify as a “health care provider”, who an organization can elect to exempt from the paid sick and family leave provisions of the Act. The Department of Labor (DOL) has issued FAQs and temporary regulations addressing the issue.

For purposes of determining employees who could be exempt from the paid sick and family leave provisions of the Act, the definition of a “health care provider” has been broadened. It now includes “anyone employed at any doctor’s office, hospital, health care center, clinic, post-secondary educational institution offering health care instructions, medical school, local health department or agency, nursing facility, retirement facility, nursing home, home health care provider, any facility that performs laboratory or medical testing, pharmacy, or any similar institution, employer, or entity”. 

This includes any permanent or temporary institution, facility, location, or site where medical services are provided that are similar to such institutions. 

Additionally, the definition includes any individual employed by an entity that contracts with any of the above institutions to provide services or to maintain the operation of the facility. This also includes anyone employed by any entity that provides medical services, produces medical products, or is otherwise involved in the making of COVID-19 related medical equipment, tests, drugs, vaccines, diagnostic vehicles, or treatments. 

The DOL guidance also indicates the definition includes any individual the highest official of a state determines is a health care provider needed for the state’s response to COVID-19. 

For purposes of the health care provider exclusion for the sick and family leave provisions of the Act, the newly released DOL temporary regulations provide that the term health care provider is not limited to diagnosing medical professionals. Rather, such health care providers include any individual who is capable of providing health care services necessary to combat the COVID-19 public health emergency. Such individuals include not only medical professionals, but also other workers who are needed to keep hospitals and similar health care facilities well supplied and operational.

The DOL encourages employers to be judicious when using this definition to exempt health care providers to minimize the spread of COVID-19.

It is important to note that the preambles to the temporary regulations indicate an employer’s exercise of this option (i.e., to exclude a health care provider or emergency responder from the paid sick/family leave benefits) does not authorize an employer to prevent an employee who is a health care provider from taking earned or accrued leave in accordance with established employer policies.

The preamble to the temporary regulations further indicates the paid sick leave and expanded family and medical leave provisions of the Act exist so employees will not be forced to choose between their paychecks and the individual and public health measures necessary to combat COVID-19. The preambles further state, conversely, providing paid sick leave or expanded family and medical leave does not come at the expense of fully staffing the necessary functions of society.

Organizations face a difficult decision whether to exempt health care providers (and emergency responders) from the paid sick and family leave provisions of the Act. It is not an easy decision to make, and an organization may want to contact legal counsel to understand the legal implications with respect to the decision to exclude health care providers (or emergency responders). 

An organization trying to decide whether to exclude health care professionals (or emergency responders) should consider the following:

  • These employees can’t be prevented from taking paid time off under the organization’s existing paid time off guidelines.
  • Any decision related to the paid sick/family leave provisions doesn’t affect an employee’s eligibility to take FMLA leave under the normal FMLA rules.
  • The organization may want to include health care professionals (and emergency responders) in the sick leave provisions of the Act so the organization can be eligible for tax credits if an employee is diagnosed with or has symptoms of COVID-19 or is caring for an individual diagnosed with or who has symptoms of COVID-19. 
  • An organization may be able to elect to exclude health care providers (and first responders) from only the paid family leave provisions of the Act.

Ultimately, each organization must make a decision in the best interests of their business, their employees, and their consumers. Unfortunately, there is no single best answer that covers all organizations struggling with this decision. 

If the decision is made to exclude health care providers from all or a portion of the paid sick and family leave provisions of the Act, we recommend contacting your legal counsel to review the employee communications before they are provided to employees.

For more information
If you have more questions, or have a specific question about your particular situation, please call us. We’re here to help. 

Blog
"Health care providers" and Department of Labor regulations under COVID-19

Read this if you are an employer that may have to close, or has closed, due to COVID-19.

Here is a brief recap of definitions and explanations of employee retention credits found in the CARES Act. If you have questions about your specific situation, please don’t hesitate to contact us. We’re here to help.

Eligible employer

The term ‘‘eligible employer’’ means any employer: 

(i) that was carrying on a trade or business during calendar year 2020, and
(ii) with respect to any calendar quarter, for which...
    a. the operation of the trade or business is fully or partially suspended during the calendar quarter due to orders from an appropriate governmental authority limiting commerce, travel, or group meetings (for commercial, social, religious, or other purposes) due to the coronavirus disease 2019 (COVID–19), or
    b. such calendar quarter where there is a significant decline in gross receipts...
        i. beginning with the first calendar quarter in 2020, for which gross receipts for the calendar quarter are less than 50 percent of gross receipts for the same calendar quarter in the prior year, and
        ii. ending with the calendar quarter for which gross receipts of such employer are greater than 80 percent of gross receipts for the same calendar quarter in the prior year.


For tax-exempt organizations described in section 501(c) of the Internal Revenue Code and exempt from tax under section 501(a) of such Code, clauses (i) and (ii)(a) shall apply to all operations of such organization.

Generally, all organizations treated as a single employer under the controlled group or affiliated service group rules will be treated as one employer for purposes of this section.

If an eligible employer participates in the Paycheck Protection Program, such an employer is not eligible for the employee retention credits.

Amount of credit

There shall be allowed, as a credit against applicable employment taxes for each calendar quarter, an amount equal to 50 percent of the qualified wages with respect to each employee of such employer for such calendar quarter.

The amount of qualified wages with respect to any employee which may be taken into account by the eligible employer for all calendar quarters shall not exceed $10,000 (i.e., the maximum credit is $5,000 per employee).

If the credit exceeds the applicable employment taxes on the wages paid for such calendar quarter, such excess shall be treated as an overpayment that shall be refunded.

Qualified wages

The term ‘‘qualified wages’’ means:

(i) in the case of an eligible employer for which the average number of full-time employees (as defined by the Affordable Care Act Employer Mandate Provisions) employed by such eligible employer during 2019 was greater than 100:
    a. wages paid by such eligible employer with respect to which an employee is not providing services due to the suspension of the business or a drop in gross receipts circumstances, or
(ii) in the case of an eligible employer for which the average number of full-time employees (as defined by the Affordable Care Act Employer Mandate Provisions) employed by such eligible employer during 2019 was not greater than 100:
    a. all wages paid by an eligible employer when shut down and each quarter where there was a sharp decline in year-over-year receipts.


Wages do not include amounts paid under the expanded sick/family leave provisions of the FFCRA.

Qualified wages paid or incurred by an eligible employer with respect to an employee who is not providing services may not exceed the amount such employee would have been paid for working an equivalent duration during the 30 days immediately preceding leave.

The term ‘‘qualified wages’’ shall include so much of the eligible employer’s qualified health plan expenses as are properly allocable to such wages.


CARES Act: Payroll tax payment delay

An extension of time to remit payroll taxes for the period beginning March 27, 2020 and ending before January 1, 2021 over a two-year period is allowed, with half due by December 31, 2021, and the remainder due by December 31, 2022.

If an eligible employer participates in the payroll tax delay programs, such an employer is not eligible for the employee retention credits.
 

Blog
CARES Act―Employee retention credits for employers subject to closure due to COVID-19

The President signed The Families First Coronavirus Response Act (hereinafter the “Act”) into law on March 18th and the provisions are effective April 2nd. You can read the congressional summary here. There are two provisions of the Act that deal with paid leave provisions for employees. Here are some highlights for employers.

The provisions of the Act are only required for employers with fewer than 500 employees. Employers with over 499 employees are not required to provide the sick/family leave contained in the Act, but could voluntarily elect to follow the new rules. The expectation is that employers with over 499 employees are providing some level of sick/family leave benefits already. In any case, employers with over 499 employees are not eligible for the tax credits. 

Employers with fewer than 500 employees are required to provide employees with up to 80 hours of paid sick leave over a two-week period if the employee:

  • Self-isolates because of a diagnosis with COVID-19, or to comply with a recommendation or order to quarantine;
  • Obtains a medical diagnosis or care if the employee is experiencing COVID-19 symptoms;
  • Needs to care for a family member who is self-isolating due to a COVID-19 diagnosis or quarantining due to COVID-19 symptoms; or
  • Is caring for a child whose school has closed, or childcare provider is unavailable, due to COVID-19.

These rules apply to all employees regardless of the length of time they have worked for the employer. The 80 hours would be pro-rated for those employees who do not normally work a 40-hour week.

Employees who take leave because they themselves are sick (i.e., the first two bullets above) can receive up to $511 per day, with an aggregate limit of $5,110. If, on the other hand, an employee takes leave to care for a child or other family member (i.e., the last two bullets above), the employee will be paid two-thirds (2/3) of their regular weekly wages up to a maximum of $200 per day, with an aggregate limit of $2,000.

Days when an individual receives pay from their employer (regular wages, sick pay, or other paid time off) or unemployment compensation do not count as leave days for the purposes of this benefit.

Family and Medical Leave Act

Employees who have been employed for at least 30 days also have the right to take up to 12 weeks of job-protected leave under the Family and Medical Leave Act (FMLA). The Act requires that 10 of these 12 weeks (i.e., after the sick leave discussed above is taken) be paid at a rate of no less than two-thirds of the employee’s usual rate of pay. Any leave taken under this portion of the Act will be limited to $200 per day with an aggregate limit of $10,000.

Exemptions

The Secretary of Labor has the authority to issue regulations exempting: (1) certain healthcare providers and emergency responders from taking leave under the Act; and (2) small businesses with fewer than 50 employees from the requirements of the Act if it would jeopardize the viability of the business.

Expiration

The provisions of the Act are set to expire on December 31, 2020, and unused time will not carry over from one year to the next.

Tax credits 

The Act provides for refundable tax credits to help an employer cover the costs associated with providing paid emergency sick leave or paid FMLA. The tax credits work as follows:

  • A refundable tax credit for employers equal to 100 percent of qualified family leave wages paid under the Act.
  • A refundable tax credit for employers equal to 100 percent of qualified paid sick leave wages paid under the Act. 
  • The tax credits are taken on Form 941 – Employer’s Quarterly Federal Income Tax Return filed for the calendar quarter when the leave is taken and reduce the employer’s portion of the Social Security taxes due. If the credit exceeds the employer’s total liability for Social Security taxes for all employees for any calendar quarter, the excess credit is refundable to the employer.

For more information

We are here to help. Please contact our benefit plan consultants if you have any questions or would like to discuss your specific situation. 

Blog
Highlights of the recently passed paid sick and family leave act: What you need to know

Are you spending enough time on your paid time off plan?
Many questions arise regarding paid time off (PTO) plans and the constructive receipt of income, which can cause payroll complications for employers and phantom income inclusion for employees. In order to avoid being subject to penalties for not withholding income and payroll taxes and having employees be subject to tax on cash they have not received, certain steps need to be followed if an employer wants to properly allow employees to cash out PTO.

What the IRS is looking for.
The Internal Revenue Service (IRS) has issued a number of Private Letter Rulings (PLRs) that examine earned time cash-out programs. While such rulings don’t serve as precedent, it appears the IRS has come up with the following factors that it deems important in order to avoid constructive receipt in a PTO cash-out situation:

  1. Employees must make a written election before the end of December in the year prior to the year they will be earning and receiving the accrued earned time to be cashed-out.  This is an election to receive a cash payout of the earned time to be accrued in the following year.
  2. The election must be irrevocable.
  3. The payout can only happen once the employee has actually earned and accrued the earned time in the following year. Payouts are generally once or twice per year, but may happen more frequently.

The IRS appears to generally require that the earned time being paid out be substantially less than the accrued earned time owed to the employee. This is to ensure that the earned time program remains a bona fide sick or vacation pay plan and not a plan of deferred compensation. This particular requirement can get tricky and may be different in each employer’s case.

Why does it matter?
The danger of failing to follow IRS guidelines regarding earned time cash-outs is that the IRS could claim that the employees offered a choice to cash-out are in constructive receipt of their accrued earned time balances regardless of their choice. This would result in immediate taxation of all accrued amounts to the employees, even if they hadn’t received the cash. The employer would also be subject to penalties for not properly withholding federal and state taxes.

It is important to review your PTO plan to be sure there are no issues regarding constructive receipt and to make sure your payroll systems are correctly reporting income.

The IRS issued proposed regulations under Code Section 457 in June of 2016 regarding, in part, non-qualified deferred compensation plans of not-for-profit (NFP) organizations. Those regulations contain guidance regarding the cash-out of sick and vacation time and the possibility that certain cash-out provisions may create a plan of deferred compensation and not a bona fide sick leave or vacation leave plan. As noted above, such a determination would be disastrous as all amounts accrued would become immediately taxable. NFP organizations and their advisors should keep a close eye on the proposed Section 457 regulations to see how they develop in final form. Once the regulations are finalized, NFP organizations may need to make changes to their cash-out provisions.

Please note that the above information is general in nature and is not meant to provide guidance on any particular case. If you have any questions about your PTO plan, please contact Bill Enck.

Blog
Paid time off plans: IRS guidelines and why they matter

When it comes to offering non-qualified deferred compensation to executives of not-for-profit organizations, there aren’t many options. Your organization must follow the rules and related guidance outlined in Internal Revenue Code Sections 457 and 409A. There are two types of non-qualified deferred compensation plans: eligible (457(b) plans) and ineligible (457(f) plans).

  • 457(b) plans operate very similarly to 403(b) or 401(k) plans and have an annual benefit limit.
  • 457(f) plans have no annual benefit limit but the participants must include the benefits in taxable income when the substantial risk of forfeiture lapses.

Changes are on the table
And that's largely a good thing. The proposed regulations provide guidance in several key areas used to determine whether a substantial risk of forfeiture exists or not. For the most part, the proposed guidance is welcome news and provides an employer with more flexibility than originally expected.

Earlier this year, the IRS issued proposed regulations which describe just what constitutes a substantial risk of forfeiture under an ineligible 457(f) plan and what types of benefits are not considered to be ineligible 457(f) plans. Because of the tax implications to the executive, this is important for your organization to understand and communicate.

What the proposed regulations cover:

  1. Non-compete agreements
  2. Rolling risks of forfeiture (e.g., rolling vesting schedules)
  3. Determining the present value of accrued benefits
  4. Plans that are not considered 457(f) plans, including bona fide severance pay plans

In each of these areas, the proposed regulations provide employers with specific rules to follow in order to design and operate a plan, whether it's an existing plan or one adopted before or after the rules are finalized. Current plans will not have grandfathered status. 

What you need to do
For existing deferred compensation arrangements or employment contracts that provide for severance pay for deferred compensation arrangements, you must:

  • Take inventory of the types of benefits you provide (e.g., severance pay, 457(b), 457(f) plans)
  • Review plan provisions and determine the changes you need to make in order for them to be in compliance with the guidelines. 
  • Make the appropriate changes to the plan or employment contract provisions before the final regulations are effective.
  • The final regulations generally will not be effective until 90 days after they've been published. You may rely on them in the interim.

If you have questions or concerns
We've helped many not-for-profit organizations design and develop executive compensation packages, including deferred compensation plans. Our Benefits Compensation experts are well versed in the rules that apply to deferred compensation and severance pay plans and can help guide you through the process to:

  1. Create a plan that meets the needs of your executive and your organization
  2. Determine if any changes must be made to the benefits you’re currently offering

Contact Bill Enck if you have questions or need help.

Blog
Do you sponsor a 457(f) plan? If so, keep reading!

Read this if you are a business owner or advisor to business owners.

With continued uncertainty in the business environment stemming from the COVID-19 pandemic, now may be a good time to utilize trust, gift, and estate strategies in the transfer of privately held business interests.

In simple terms, business valuation is a function of future cash flow and the risk in achieving those cash flows. As uncertainty in the ability to achieve future cash flow rises, risk rises at the same time. The value of a business is driven by risk. Holding all else equal, as risk continues to increase, the value of a business decreases. Similarly, if all else is equal, a continuing decline in anticipated cash flow results in decreased business values. An increase in risk, coupled with growing uncertainty and decline in cash flow may create a compounding effect of depressing business values. 

Cash flow challenges

Even if the cash flow of a privately held business has held up thus far, there is great uncertainty as to future cash flow. The duration of this uncertainty is a major concern for many business owners in the current environment. It was not long ago that many were anticipating the pandemic impact would be short-lived, resulting in a v-shaped recovery. Those expectations have given way as national unemployment numbers continue to climb. This continued uncertainty may lessen the value of privately held businesses. Depending on the company, its expectations, and impact from industry and economic factors, the effect on future cash flow may be significant.

With these elements in mind, the current and near-term may serve as an advantageous time to consider the transfer of interests in a privately held business. Increased risk and lowered future expectations will combine, resulting in lower values—particularly as compared to performance during the recent strong economy. 

Further opportunities exist if you are considering transferring a non-controlling interest in a company. Discounts applicable to minority or fractional interests typically include discounts for lack of control and lack of marketability, and in some cases discounts for lack of voting rights. These discounts may serve to further reduce the overall value transferred through a given strategy. 

What strategies can be used to capitalize in this environment?

From a federal perspective, gift and estate tax lifetime exemption amounts are at all-time highs; currently, $11.58 million per individual in 2020. With portability, a married couple can gift or transfer over $23 million in value without incurring a federal gift or estate tax.

Coupled with the ever-increasing annual gift tax exclusion amount of $15,000 per recipient in 2020, executing a succession plan could not come at a better time. Individuals should be aware of the scheduled sunset of the above referenced amounts in 2025 with reversion back to previous levels of $5.0 million (adjusted for inflation).

Building on future uncertainty, the 2020 presidential election is quickly approaching, as well as budget concerns from federal and state administrative agencies resulting from COVID-19. As it is unknown whether the current gift and estate tax exemptions will remain at these all-time highs, it may be an opportune time to leverage the current lifetime exemption or annual gift tax exclusion.

Given the likely decline in value of closely held business interests or marketable securities combined with historically low interest rates currently, transferring assets now that will likely rebound in value later will provide transferors/donors with the most bang for their buck. 

Certain trust vehicles are often beneficial in low-interest-rate environments and provide varying forms of flexibility to the grantor or donor. When combined with the increase in the charitable deduction limits for taxpayers who itemize their deductions, this is an optimal time for transferring assets.

One of the most important aspects of estate planning is to review and update your estate plan regularly for changes in your financial or family situation. Estate plans are not static and should be periodically reviewed to ensure they achieve your goals based upon your current situation.

Our mission at BerryDunn remains constant in helping each client create, grow, and protect value. If you have questions about your unique situation, or would like more information, please contact the team.

Blog
2020 estate strategies in times of uncertainty for privately held business owners

Read this if you are planning for, or are in the process of implementing a new software solution.

User Acceptance Testing (UAT) is more than just another step in the implementation of a software solution. It can verify system functionality, increase the opportunity for a successful project, and create additional training opportunities for your team to adapt to the new software quickly. Independent verification through a structured user acceptance plan is essential for a smooth transition from a development environment to a production environment. 

Verification of functionality

The primary purpose of UAT is to verify that a system is ready to go live. Much of UAT is like performing a pre-flight checklist on an aircraft. Wings... check, engines... check, tires... check. A structured approach to UAT can verify that everything is working prior to rolling out a new software system for everyone to use. 

To hold vendors accountable for their contractual obligations, we recommend an agency test each functional and technical requirement identified in the statement of work portion of their contract. 

It is also recommended that the agency verify the functional and technical requirements that the vendor replied positively to in the RFP for the system you are implementing.

Easing the transition to a new software

Operational change management (OCM) is a term that describes a methodology for making the switch to a new software solution. Think of implementing a new software solution like learning a new language. For some employees, the legacy software solution is the only way they know how to do their job. Like learning a new language, changing the way you do business and learning new software can be a challenging and scary task. The benefits outweigh the anxiety associated with learning a new language. You can communicate with a broader group of people, and maybe even travel the world! This is also true for learning a new software solution; there are new and exciting ways to perform your job.

Throughout all organizations there will be some employees resistant to change. Getting those employees involved in UAT can help. By involving them in testing the new system and providing feedback prior to implementation, they will feel ownership and be less likely to resist the change. In our experience, some of the most resistant employees, once involved in the process, become the biggest champions of the new system.  

Training and testing for better results

On top of the OCM and verification benefits a structured UAT can accomplish, UAT can be a great training opportunity. An agency needs to be able to perform actions of the tested functionality. For example, if an agency is testing a software’s ability to import a document, then a tester needs to be trained on how to do that task. By performing this task, the tester learns how to log in to the software, navigate the software, and perform tasks that the end user will be accomplishing in their daily use of the new software.

Effective UAT and change management

We have observed agencies that have installed software that was either not fully configured or the final product was not what was expected when the project started. The only way to know that software works how you want is to test it using business-driven scenarios. BerryDunn has developed a UAT process, customizable to each client, which includes a UAT tracking tool. This process and related tool help to ensure that we inspect each item and develop steps to resolve issues when the software doesn’t function as expected.

We also incorporate change management into all aspects of a project and find that the UAT process is the optimal time to do so. Following established and proven approaches for change management during UAT is another opportunity to optimize implementation of a new software solution. 

By building a structured approach to UAT, you can enjoy additional benefits, as additional training and OCM benefits can make the difference between forming a positive or a negative reaction to the new software. By conducting a structured and thorough UAT, you can help your users gain confidence in the process, and increase adoption of the new software. 

Please contact the team if you have specific questions relating to your specific needs, or to see how we can help your agency validate the new system’s functionality and reduce resistance to the software. We’re here to help.   
 

Blog
User Acceptance Testing: A plan for successful software implementation

Read this if you are a solar or wind developer, investor, or have interests in the renewable energy industry.

Given the recent exchange between a bipartisan group of senators and the Treasury Department, it appears that the continuity safe harbor for the Production Tax Credit (PTC) and Energy Investment Tax Credit (ITC) will be extended. 

Under current regulations, taxpayers “lock in” a tax credit based on the beginning of construction date for their facility or property. Taxpayers must then demonstrate continuous efforts to complete construction in order to ultimately be eligible for the tax credit on completion. If the taxpayers place their energy facility or property into service within four years after the beginning of construction they are deemed to satisfy this test. This is known as the continuity safe harbor. The senators wish to extend the continuity safe harbor from four to five years and it appears that the Treasury may agree. Here is a copy of the letter senators sent to the Treasury. Here is a copy of the letter the Treasury sent back. 

The good news

The Treasury plans to “modify the relevant rules in the near future”. It is encouraging that both groups are aware of the unique challenges businesses in the renewable energy industry face in meeting regulatory deadlines to qualify for tax credits, which help make many projects economically viable.

The so-so news

We don’t know what the rule modification will entail and this is only an extension of the continuity safe harbor. While this is a welcome change, there are many projects in the pipeline still in the planning phase that have not yet started construction. For these projects, the beginning of construction safe harbor date is more important as it determines the ITC credit rate. For example, projects beginning in 2020 get a 26% credit, and projects beginning in 2021 get a 22% credit. 

Looking ahead

Given the uncertainty in all business planning, now would be a good time to extend the ITC credit rates and/or beginning of construction safe harbor date to give businesses more time to lock in the 26% credit rate for 2020. As the Treasury is limited to what they can do without legislative action, we may need to wait for Congress on this change. 

We are watching for new developments on this issue and will provide updates as we can. If you have questions about your specific situation, please contact the team. We’re here to help.  
 

Blog
Treasury Department signals modification of ITC and PTC continuity safe harbor

Read this if you are a business owner.

While recent articles within the exit planning community have noted a slowing of business transitions and exits, during times of uncertainty it may be even more important to focus on the opportunity at hand. Rather than waiting it out, we recommend that business owners try to be active, involved, and focus their efforts on improving their business.

The situation is similar to the ebb and flow of the tide. The current economy is the tide at an extreme low point. We know that the economy will recover, so what can be done in the meantime to take advantage of opportunities, and be ready to succeed when the tide rises?

Changing of tides

Suddenly, there has been a rapid and seismic shift in the landscape. Weaknesses and threats, rocks and hazards, may have emerged. How you choose to approach these perils will make a difference in the long term. Will you take the opportunity to discover, identify, assess, shore up, and mitigate these elements?

It is important to view this current state in the context of the larger, long-term perspective. Once the tide comes back, will you be able to set full sail ahead having built resiliency, redundancy, and strength into those areas while you had the opportunity? While the water is low, it presents a great opportunity for business owners to discover and understand: 

  • What broke first and why? 
  • How can you shore it up for better operations in the days ahead?
  • What weak spots you didn’t know about are now apparent?
  • How can you address those weaknesses?
  • How can you leverage existing resources differently to chart a path forward?

Models of priority

There are various stages or hierarchies of priority in thinking about the progress of a business. 

Each priority model features bases and pinnacles. The pinnacles of each model are realized in a long-term setting, after the remaining bases have been solidified. While continued development of a clear vision for your business is paramount, dynamic shifts in the landscape call for reassessment of the bases. In the long-term, self-fulfillment manifests from properly executed strategy, but in the near- and mid-term, these various frameworks force strategic planning back to assess and address the base components. 

The bases of each model should serve as safe havens for reversion. When facing uncertainty and failure, have you made your base strong enough to redirect your efforts in an actionable plan for the long-term?

Action Planning Pyramid and Value Maturity Index

Figures: Action Planning pyramid; Five Stages of Value Maturity.

The Value Maturity Index, broken into five stages, is a stepwise assessment of active exit and business strategy. Inherent in the value acceleration framework are the concepts of resiliency, redundancy, disaster recovery, and actionable planning.

While we may have been fully entrenched in the build phase, setbacks due to dynamic changes in the landscape force us back to protect mode—the assessment and methodical shoring up of weaker points of the operation to protect against future downside risks.

Though this stepwise progression is linear in nature, keep in mind that flexibility and adaptability are paramount in changing course to address needs of your current state.

When we look at action planning, parallels can be drawn to the various models. Certainly, we are focused on continuing sales, marketing, and customer relationships, but it becomes a question of reversion to meeting the basic needs and serving clients’ pain points rather than beginning ground-breaking efforts.

The current climate forces us to the base, with a focus on solidifying the exposed areas that may have been made apparent, and likely compounded, by the current realities. Concerns on management, metrics, core values, and priorities serve as the bases in need of coverage.

Maslow’s Hierarchy of Needs
 


Maslow’s Hierarchy of Needs¹ is a well-known motivational theory in psychology that comprises a five-tiered model of human needs, whereby each successive tier must be fulfilled (beginning at the base) before rising to the next tier. It can be used to view similar information from a psychological perspective.

Value acceleration and creating successful outcomes are largely tied to a clear long-term vision. We typically reside in the Self-actualization level of the hierarchy of needs when undertaking the high-level view of the framework.

Based on the adaptability and call for sudden directional changes in today’s climate, we are not as concerned with these top levels. We have them in our back pocket for easy recall, but they are not the pressing issue staring us in the face.

If we think about shoring up bases (the Protect Stage), in considering this psychological model, our focus is on the “basic needs” level. That is, keeping people (self, family, and employees) safe and remaining connected for immediate continuity.

McKinsey & Company Event Horizons


Many others in related fields are viewing the current situation in similar terms. In the McKinsey & Company Events Horizon view²:

  • Resolve addresses those immediate hurdles and challenges a business is currently facing.
  • Resilience focuses on near-term items to be addressed once the initial base is covered. 
  • Return views the mid-term horizon in understanding how to return to scale by focusing on understanding metrics and increasing the frequency of measurements for informed decision making. 
  • Reimagination and Reform typically go hand in hand, but without covering bases of needs, crafting a dynamic shift in operations to incorporate new environments may be counterproductive. 

However, once these bases have been clearly assessed and addressed, the path forward may appear dramatically different, in which case creative solutions to enhance opportunity should begin to form. Examples of this may include newly emerged revenue streams and opportunity areas, fully integrated systems and dashboards to capture timely decision making data points, or pivots in your business model adaptable and reactive to new environments.

One example that has been in the news recently involves CEOs being pleasantly surprised that productivity of employees has not dropped even though people are working from home. How sustainable is this productivity? What implications might this have for corporate real estate and office settings? The answers will vary widely, depending on your business and competitive environment.

Exposure, discovery, and control

Back to our tides analogy for a moment. As the water receded, what new rocks were exposed or what existing challenges became more apparent? What is your plan to address these areas? Is this the time to make large investments in your company or the right investments? Now that the tide is out, it is time to shore up, move the rocks, and address elements of your business to prepare for long-term successes. Through our assessments, risk profiling, and benchmarking analyses, we help business owners discover the largest gaps across the company, prioritize the most impactful problem areas to address, and implement changes to enhance business value through continuous improvement. 

Taking stock of your company’s future through the incorporation of lessons learned will bolster value in the long-term by de-risking and developing new opportunities, methods, work, shifts in productivity, and shifts in mentality. That approach also brings lots of questions: If there are no early warning signs, why not? What should your indicators be? What metrics are crucial in identifying the pulse of your current situation? What is your business reliant on? How can you build information and indicators for rapid shifts in decision making? How strong are your current controls and how integrated are your management and information systems?

To answer these questions, you need to quantify and develop metrics that will aid in the early identification of future challenges, thus increasing your responsiveness with data-driven decision mechanisms. Having your fingers on the pulse of your company and understanding the impact of each input to your strategy will focus your attention on the information that matters most. This allows you to understand, position, and adapt to changes in your business and community environment in a proactive and agile manner. Measurements, forecasts, and dashboards should provide you with regular, valid, and relevant information you can use to take informed action in decision making.

Historical look backs during various points of time will allow you to key in on pivotal data indicators and inflection points. When looking at this from an operational view, industry and economic factors impacting your company can serve as corroborating pieces of evidence to further support data metrics analyzed.

As you perform look backs, it is also best practice to regularly study and update development, pipeline, and reliance metrics for feedback and information discovery with data integrated throughout your operations. This helps you avoid the lag of reporting on stale information and move towards real-time, actionable data points.

Each metric is specific to your business and can be directly mapped back to increases in shareholder value. Understanding these drivers of business value will focus your attention and intention on improving in the right areas, while avoiding distracting and less impactful pain points.

Don’t fret over precision; rather, build in flexibility and adaptability with scenario- and sensitivity-based criteria to understand changes, implications, and reliance of each input. Understanding these relationships in a broader scheme aids you in quick, impactful decision making, guiding you towards enhanced value.

Resilience until the tides rise

This approach allows opportunity to fully assess the known and unknown problem areas, weaknesses, perils, and hazards your business may be facing. From that base you can begin to address these issues to scale effectively with lower overall risk when activity picks up.

Management metrics, core values, and priorities drive resilience for long-term continuity by shoring up the foundation to build for the future. Assembling evidence in troubled times provides opportunity to capitalize on and fulfill core values. Documenting these decisions and improvements memorializes your decision making and its impact on value enhancement, and should serve as a playbook for future events.

What you make of the time you have now through identification, assessment, and addressing newly emerged risk areas provides the opportunity to increase success once the economy rebounds. We are here to help. If you have questions about your particular situation, or would like more information, please contact the business valuation consulting team.

¹ Maslow’s Hierarchy of Needs, Saul McLeod, updated March 20, 2020. SimplyPsychology. www.simplypsychology.org/maslow.html.
² Beyond coronavirus: The path to the next normal, Kevin Sneader and Shubham Singhal, McKinsey & Company, March 23, 2020. www.mckinsey.com/industries/healthcare-systems-and-services/our-insights/beyond-coronavirus-the-path-to-the-next-normal. COVID-19: Briefing note, March 30, 2020, Our latest perspectives on the coronavirus pandemic. Matt Craven, Mihir Mysore, Shubham Singhal, Sven Smit, and Matt Wilson. McKinsey & Company. www.mckinsey.com/business-functions/risk/our-insights/covid-19-implications-for-business.

Blog
Value acceleration in times of uncertainty

The BerryDunn Recovery Advisory Team has compiled this guide to COVID-19 consulting resources for state and local government agencies and higher education institutions.

We have provided a list of our consulting services related to data analysis, CARES Act funding and procurement, and legislation and policy implementation. Many of these services can be procured via the NASPO ValuePoint Procurement Acquisition Support Services contract.


We're here to help.
If you have any questions, please contact us at info@berrydunn.com

Blog
COVID-19 consulting resources

Read this if you are a CFO, CEO, COO, or CLO at a financial institution.

The preparation of financial statements by financial institutions involves a number of accounting estimates, some of which can be quite complex. As these estimates are often a significant focus of audits of those financial statements, financial institution personnel affected by the audit process might benefit from a discussion of the rules auditors need to follow when auditing estimates.

Accounting estimates

Across all industries, there are financial statement items that require a degree of estimation because they cannot be measured precisely. These amounts, called accounting estimates, are determined using a wide array of information available to management. In using such information to arrive at the estimates, a degree of estimation uncertainty exists, which has a direct effect on the risks of material misstatement of the resulting accounting estimates. For financial institutions, common examples of accounting estimates include the allowance for loan losses, valuation of investment securities, allocation of the purchase price in a bank or branch acquisition, and depreciation and amortization of premises and equipment, in addition to intangibles and goodwill. 

For entities other than public companies, the auditing rules are established by the American Institute of Certified Public Accountants’ Auditing Standards Board (ASB). Under these requirements a financial statement auditor has a responsibility to assess the risks of material misstatement for accounting estimates by obtaining an understanding of the following items: 

  • The requirements of generally accepted accounting principles (GAAP) relevant to accounting estimates, including related disclosures. 
  • How management identifies those transactions, events, and conditions that may give rise to the need for accounting estimates to be recognized or disclosed in the financial statements. In obtaining this understanding, the auditor should make inquiries of management about changes in circumstances that may give rise to new, or the need to revise existing, accounting estimates. 
  • How management makes the accounting estimates and the data on which they are based. 

This final item—determining how management has calculated the accounting estimate in question—includes the following specific aspects for the auditor to address:

  • the method(s), including, when applicable, the model, used in making the accounting estimate; 
  • relevant controls; 
  • whether management has used a specialist; 
  • the assumptions underlying the accounting estimates; 
  • whether there has been or ought to have been a change from the prior period in the method(s) or assumption(s) for making the accounting estimates, and if so, why; and 
  • whether and, if so, how management has assessed the effects of estimation uncertainty. 

Professional skepticism

When analyzing management’s assessment of the effects of estimation uncertainty, the auditor needs to apply professional skepticism to the accounting estimate by considering whether management considered alternative assumptions, and, if a range of assumptions was reasonable, how they determined the amount chosen was the most appropriate. If estimation uncertainty is determined to be high, this is one indicator to the auditor that estimation uncertainty may pose a significant risk of material misstatement. An identified significant risk requires the auditor to perform a test of controls and/or details during the audit; in other words, analytical procedures and testing performed in previous audits will not suffice. 

CECL considerations

For audits of financial institutions, including those that have implemented the FASB CECL standard as well as those still using the incurred loss method, the allowance for loan losses will likely be deemed a significant risk due to its materiality, estimation uncertainty, complexity, and sensitivity from a user’s perspective.   

Additional factors the auditor needs to consider include whether management performed a sensitivity analysis as part of its consideration of estimation uncertainty as described above, and whether management performed a lookback analysis to evaluate the previous process used. Auditors of accounting estimates are required to do at least a high-level lookback analysis to gain an understanding of any differences between previous estimates and actual results, and to assess the reliability of management’s process. 

Auditing estimate procedures

Procedures for auditing estimates include an evaluation of subsequent events, tests of management’s methodology, tests of controls, and, in some instances, preparation of an independent estimate by the auditor. Tests of management’s method and tests of controls, including auditing the design and implementation of controls, are the most practical and likely procedures to apply to audits of the allowance for loan losses at financial institutions, both under the current guidance and following adoption of the current expected credit loss (CECL) method under Financial Accounting Standards Board (FASB) Accounting Standards Update No. 2016-13, Financial Instruments – Credit Losses (Topic 326): Measurement of Credit Losses on Financial Instruments. As FASB has not prescribed a specific model, auditors must be prepared to tailor their procedures to address the facts and circumstances in place at each respective financial institution. 

In addition to auditing management’s estimate, auditors have the responsibility to audit related disclosures, including information about management’s methods and the model used, assumptions used in developing the estimate, and any other disclosures required by GAAP or necessary for a fair presentation of the financial statements. Throughout the audit process, auditors need to continue to exercise professional skepticism to consider what could have gone wrong during management’s process and to assess indicators of management bias, if any. 

For public companies, the Public Company Accounting Oversight Board (PCAOB) specifies auditors must evaluate both evidence that corroborates and evidence that contradicts management’s financial statement assertions in order to avoid confirmation bias. When considering the assessment of risks, as risk increases, the level of evidence obtained by the auditor should increase. As with audits of private companies, the auditor needs to consider whether the data is accurate, complete, and sufficiently precise and detailed to be used as audit evidence.

An added consideration under PCAOB rules is that the auditor is typically opining on the institution’s internal controls as well as its financial statements. This may restrict the results of control testing performed by parties independent of the function being tested from being used as audit evidence from a financial statement audit perspective. For financial institutions, this is often the case with independent loan review, since the loan review is considered part of the institution’s internal control upon which the auditor is opining. 

Supporting evidence

As with the incurred loss method, PCAOB auditing standards will require the auditor to consider how much evidence is necessary to support the allowance for loan losses under CECL. All significant components of management’s allowance for loan losses estimate, including qualitative factors, will need to be supported by institution-specific data. If such data is unavailable (for example, because the institution introduces a new type of loan offering), the FASB standard indicates appropriate peer data may be acceptable. In such cases, management and the auditor may need to understand the controls in place at the vendor providing the peer data to determine its reliability. You may provide this information in the form of System and Organization Controls (commonly known as SOC1) reports of the vendor’s system.

Recently, the International Auditing and Assurance Standards Board revised its auditing rules for estimates, with a goal of enhancing guidance regarding application of the basic audit risk model in the context of auditing estimates. The revised rules require that auditors must separately assess inherent and control risk when obtaining an understanding of controls, identifying and assessing risks, and designing and performing further audit procedures. The ASB seeks convergence of rules both internationally and domestically, and has therefore proposed changes to its requirements for auditing estimates to align with the IAASB revised rules. The ASB’s proposal on these changes indicated they would be effective beginning with audits of fiscal year ending December 31, 2022; the final effective date will be determined in conjunction with its issuance of the final rules.

The best CECL approach 

The best approach to take? Management should discuss planned changes to the estimate process with your auditors to get their perspective on best practices under CECL. Key areas to review in the discussion include documenting the decision-making process, key players involved, and the resulting review and approval process (especially for changes to methods or assumptions). Always retain copies of your final documentation for auditor review. If you would like more information, or have a specific question about your situation, please contact the team. We’re here to help.

Blog
CECL: Understand the audit requirements and prepare for what's to come

Read this if your organization, business, or institution has leases and you’ve been eagerly awaiting and planning for the implementation of the new lease standards.

Ready? Set? Not yet. As we have prepared for and experienced delays related to Financial Accounting Standards Board (FASB) Accounting Standards Codification Topic 842, Leases, we thought the time had finally come for implementation. With the challenges that COVID-19 has brought to everyone, the FASB recognizes the significant impact COVID-19 has brought to commercial businesses and not-for-profits and is proposing a one-year delay in implementation, as described in this article posted to the Journal of Accountancy: FASB effective date delay proposals to include private company lease accounting.

But what about lease concessions? We all recognize many lessors are making concessions due to the pandemic. Under current guidance in Topics 840 and 842, changes to lease contracts that were not included in the original lease are generally accounted for as lease modifications and, therefore, a separate contract. This would require remeasurement of the new lease contract and related right-of-use asset. FASB recognized this issue and has published a FASB Staff Questions and Answers (Q&A) Document,  Topic 842 and Topic 840: Accounting for Lease Concessions Related to the Effects of the COVID-19 Pandemic. Under this new guidance, if lease concessions are made relating to COVID-19, entities do not need to analyze each contract to determine if a new contract has been entered into, and will have the option to apply, or not to apply, the lease modification provisions of Topics 840 and 842.

Implementation of the lease accounting standard will most likely be delayed for Governmental Accounting Standards Board (GASB) entities as well. On April 15, 2020, the GASB issued an exposure draft that would delay most GASB statements and implementation guides due to be implemented for fiscal years 2019 and later. Most notably, this includes Statement 84, Fiduciary Activities, and Statement 87, Leases. Comments on the proposal will be accepted through April 30, and the board plans to consider a final statement for issuance on May 8. More information may be found in this article from the Journal of Accountancy: GASB proposes postponing effective dates due to pandemic.

More information

Whether you are a FASB or GASB entity, you can expect a delay in the implementation of the lease standard. If you have questions, please contact a member of our financial statement audit team. For other COVID-19 related resources, please refer to BerryDunn’s COVID-19 Resources Page.

Blog
FASB and GASB news: Postponement of the lease accounting standards

Read this if your company is seeking assistance under the PPP.

With additional funding for the PPP pending, we’re updating this blog post with more recent information.


This information is current as of April 21, 2020.

The Treasury Department has issued guidance and answers to Frequently Asked Questions that alters some of the original assumptions around PPP:

  1. At least 75% of the forgiven amount should be used for payroll (changed due to anticipated high demand for program)
  2. Non-forgiven amounts are now repaid over 2 years at 1.0% interest (not 2 years and 0.5% as previously stated or 10 years and 4% as in the CARES Act)

Although the “covered period” is February 15, 2020 to June 30, 2020, forgiveness of the loan is based on expenses (primarily payroll) during the eight-week period after the loan is received. Loan amounts should be disbursed within 10 calendar days of being approved.

Important to note:

  1. Questions around size:
    1. 500 employees. The SBA has clarified that it measures employees consistent with the existing 7(a) loan program guidance. See CFR Section 121.106 for details.
    2. The SBA has also clarified that if a business meets both tests in the “alternative size standard”, it qualifies to participate in the program:
      1. Maximum tangible net worth of the business is not more than $15 million.
      2. Average net income after Federal income taxes for the two full fiscal years before the date of application is not more than $5 million. 
    3. If the existing SBA definition of a small business for your industry (found on SBA websites) has over 500 employees, your business may qualify if you meet that expanded definition. 
  2. The CARES Act states that loans taken from January 31, 2020, until “covered loans are made available may be refinanced as part of a covered loan.”
  3. People may want to tap into available credit now. If they are granted a covered loan (PPP loan), they can refinance. Given anticipated demand, it may take time to get the PPP loan processed.
  4. Participation in PPP (Section 1102 and 1106 of the CARES Act) precludes participation in the Employee Retention Credit (Section 2301).
  5. The IRS clarified that companies may still defer Payment of Employer Payroll Taxes (Section 2302) even if participating in PPP until a decision on forgiveness is reached by your lender. This is a change from our prior understanding.

Economic Injury Disaster Loans (EIDL)

EIDLs are available through the SBA and were expanded under section 1110 of the CARES Act. Eligible are businesses with 500 or fewer employees, including ESOPs, cooperatives, and others. Up to $2 million per loan. Up to 30 years to repay. Comes with an emergency advance (available within 3 days) of $10,000 that does not have to be repaid – even if your loan application is turned down. This $10,000 does not impact participation in other programs/sections of the CARES Act. Some portion of the EIDL may reduce your loan forgiveness under PPP, but receiving an EIDL does not preclude you from participating in the PPP.

From the Treasury: Small business PPP

The Paycheck Protection Program provides small businesses with funds to pay up to 8 weeks of payroll costs including benefits. Funds can also be used to pay interest on mortgages, rent, and utilities. More details at treasury.gov.

Fully forgiven

Funds are provided in the form of loans that will be fully forgiven when used for payroll costs, interest on mortgages, rent, and utilities (due to likely high subscription, at least 75% of the forgiven amount must have been used for payroll). Loan payments will also be deferred for six months. No collateral or personal guarantees are required. Neither the government nor lenders will charge small businesses any fees.

Must keep employees on the payroll—or rehire quickly

Forgiveness is based on the employer maintaining or quickly rehiring employees and maintaining salary levels. Forgiveness will be reduced if full-time headcount declines, or if salaries and wages decrease.

All small businesses eligible

Small businesses with 500 or fewer employees—including nonprofits, veterans organizations, tribal concerns, self-employed individuals, sole proprietorships, and independent contractors— are eligible. Businesses with more than 500 employees are eligible in certain industries.

When to apply

Starting April 3, 2020, small businesses and sole proprietorships can apply. Starting April 10, 2020, independent contractors and self-employed individuals can apply.

How to apply

You can apply through any existing SBA 7(a) lender or any federally insured depository institution, federally insured credit union, or Farm Credit System institution that is participating. Other regulated lenders will be available to make these loans once they are approved and enrolled in the program. You should consult with your local lender as to whether it is participating. All loans will have the same terms regardless of lender or borrower. Find a list of participating lenders and additional information and full terms at sba.gov.

The Paycheck Protection Program is implemented by the Small Business Administration with support from the Department of the Treasury. Lenders should also visit sba.gov or coronavirus.gov for more information.

BerryDunn COVID-19 resources

We’re here to help. If you have questions about the PPP, contact a BerryDunn professional.

Blog
Updated: Funding for the Paycheck Protection Program (PPP)

Read this if your financial institution is providing funding under the PPP. This information is current as of April 6, 2020.

The Paycheck Protection Program provides small businesses with funds to pay up to 8 weeks of payroll costs including benefits. Funds can also be used to pay interest on mortgages, rent, and utilities. 

The Treasury Department is encouraging people to apply ASAP because there is a funding cap.


When to accept applications?

Starting April 3, 2020, small businesses and sole proprietorships can apply. Starting April 10, 2020, independent contractors and self-employed individuals can apply.

What underwriting is required?

In evaluating the eligibility of a borrower for a covered loan, a lender shall consider whether the borrower:

  • was in operation on February 15, 2020.
  • had employees for whom the borrower paid salaries and payroll taxes.
  • paid independent contractors, as reported on a Form 1099-MISC.

Lenders are also required to follow applicable Bank Secrecy Act requirements. Refer to the SBA’s Paycheck Protection Program Information Sheet for Lenders and recent FAQs issued by the Treasury on April 6, 2020.

Loan provisions

The Treasury Department issued guidance on March 31, 2020, that alters some of the assumptions around PPP:

  1. At least 75% of the forgiven amount should be used for payroll (changed due to anticipated high demand for program)
  2. Non-forgiven amounts are now repaid over 2 years at 0.5% interest (not 10 years and 4% as in the CARES Act)

Although the “covered period” is February 15, 2020 to June 30, 2020, forgiveness of the loan is based on expenses (primarily payroll) during the eight-week period after the loan is received.

Regulatory capital requirements

With respect to the appropriate Federal banking agencies or the National Credit Union Administration Board applying capital requirements under their respective risk-based capital requirements, a covered loan shall receive a risk weight of zero percent.

Borrower certification

An eligible recipient applying for a covered loan shall make a good faith certification: 

  1. that the uncertainty of current economic conditions makes necessary the loan request to support the ongoing operations of the eligible recipient; 
  2. acknowledging that funds will be used to retain workers and maintain payroll or make mortgage payments, lease payments, and utility payments;
  3. that the eligible recipient does not have an application pending for a PPP  loan for the same purpose and duplicative of amounts applied for or received under a covered loan; and
  4. during the period beginning on February 15, 2020 and ending on December 31, 2020, that the eligible recipient has not received amounts under the PPP for the same purpose and duplicative of amounts applied for or received under a covered loan.

What are considered payroll costs?

Payments of any compensation with respect to employees that is:

  • Salary, wage, commission, or similar compensation
  • Payment for vacation, parental, family, medical, or sick leave
  • Payment required for the provisions of group health care benefits, including insurance premiums
  • Payment of any retirement benefit
  • Other qualified payroll costs under Sec. 1102 of the CARES Act

Payroll costs are limited to $100,000 per employee, as prorated for the covered period, and exclude qualified sick leave wages and family leave wages for which a credit is allowed under sections 7001 and 7003 of the Families First Coronavirus Response Act.

Important to note:

  1. Questions around 500 employees
    We don’t know for certain how the 500 employees are counted. Other SBA programs use average headcount over the prior 12-month period. Some companies are proceeding on that assumption. We are awaiting additional guidance from the SBA for confirmation. Certain industries have an expanded headcount. The list can be found on SBA websites and BerryDunn has a lookup tool to help. If you don’t know, please reach out to us. We’re here to help.
  2. The CARES Act states that loans taken from January 31, 2020, until “covered loans are made available may be refinanced as part of a covered loan.”
  3. Participation in PPP (Section 1102 and 1106 of the CARES Act) precludes participation in the Employee Retention Credit (Section 2301) and Payment of Employer Payroll Taxes (Section 2302).

Fully forgiven

Funds are provided in the form of loans that will be fully forgiven when used for payroll costs, interest on mortgages, rent, and utilities (due to likely high subscription, at least 75% of the forgiven amount must have been used for payroll). Loan payments will also be deferred for six months. No collateral or personal guarantees are required. Neither the government nor lenders will charge small businesses any fees.

Must keep employees on the payroll—or rehire quickly

Forgiveness is based on the employer maintaining or quickly rehiring employees and maintaining salary levels. Forgiveness will be reduced if full-time headcount declines, or if salaries and wages decrease.

All small businesses eligible

Small businesses with 500 or fewer employees—including nonprofits, veterans organizations, tribal concerns, self-employed individuals, sole proprietorships, and independent contractors— are eligible. Businesses with more than 500 employees are eligible in certain industries.

The Paycheck Protection Program is implemented by the Small Business Administration with support from the Department of the Treasury. Lenders should also visit sba.gov or coronavirus.gov for more information.

Economic Injury Disaster Loans (EIDL)

EIDLs are available through the SBA and were expanded under section 1110 of the CARES Act. Eligible are businesses with 500 or fewer employees, including ESOPs, cooperatives, and others. Terms: Up to $2 million per loan. Up to 30 years to repay. Comes with an emergency advance (available within 3 days) of $10,000 that does not have to be repaid – even if the loan application is turned down. This $10,000 does not impact participation in other programs/sections of the CARES Act. Some portion of the EIDL may reduce loan forgiveness under PPP, but receiving an EIDL does not preclude the borrower from participating in the PPP.


BerryDunn COVID-19 resources

We’re here to help. If you have questions about the PPP, contact a BerryDunn professional.

Blog
Paycheck Protection Program (PPP): Resource for lenders

Read this if you want more information about the Paycheck Protection Program (PPP).

Most likely you have heard of the PPP within the Coronavirus Aid, Relief, and Economic Security (CARES) Act that was passed into law March 27, 2020. Below, we’ve shared some of the questions we have heard from many of our clients. If you need more information or have questions regarding your specific question, please contact us.

Question #1: What was the PPP designed for? 
Answer: The PPP was designed with the goal of keeping American workers paid and employed. It aims to accomplish this by issuing loans to qualified businesses so that they can continue paying employees and other qualified expenses.

Question #2: Do you or your business qualify for this? 
Answer: There are several considerations when determining whether or not a business qualifies. For more information, see this recent blog post from Seth Webber, which addresses a number of these considerations.

Question #3: What should the PPP loan be used to cover in your business?
Answer: The intent of allowable uses includes: (i) payroll costs, including (a) employee salaries, commissions, or similar compensations, (b) group health care benefits, (c) paid vacation, parental, sick, medical, or family leave, (d) allowances for dismissal or separation, (e) retirement benefits, and (f) state or local tax assessed on the compensation of employees; (ii) payments of interest on any mortgage obligation, but not prepayment or payment of principal amounts; (iii) rent (including rent under a lease agreement); (iv) utilities; and (v) interest on any other debt obligations incurred before February 15, 2020. However, certain payroll costs are excluded, including salaries and wages whose annualized amounts would result in compensation over $100,000 and sick and family leave wages for which a credit is allowed under the Families First Coronavirus Response Act.

Additionally, you should consider the time period your allowable expenses are designated for. The Small Business Administration (SBA), in consultation with the Department of the Treasury (Treasury) issued a list of frequently asked questions (FAQs) and responses to these FAQs as of April 10, 2020, Paycheck Protection Program Loans FAQs. Within these FAQs, Question 20 asked, “The amount of forgiveness of a PPP loan depends on the borrower’s payroll costs over an eight-week period; when does that eight-week period begin?” The SBA and Treasury noted, “The eight-week period begins on the date the lender makes the first disbursement of the PPP loan to the borrower. The lender must make the first disbursement of the loan no later than ten (10) calendar days from the date of loan approval.” 

Question #4: What portion of the loan, if any, can be forgiven?
Answer: The Treasury Department issued guidance on March 31, 2020 indicating that at least 75% of the forgiven amount should be used for qualified payroll costs. Although the covered period is specified as February 15, 2020 through June 30, 2020, forgiveness amounts of the loan are based on expenses (primarily payroll) during the eight-week period following the receipt of the loan. There are other aspects of the forgiveness provisions that impact the actual amount forgiven, including maintaining or quickly rehiring employees and maintaining salary levels, with the overall forgiveness amount being reduced if full-time headcount declines, or if salaries and wages decrease more than 25%.

Question #5: What about the portion of your loan that is not forgiven?
Answer: For the portion of the loan not forgiven, the life and terms of the residual loan appear favorable. Current guidance indicates a two-year repayment period at 1% interest. Included within this is a six-month deferral period on principal repayment. The loan does not require collateral or a personal guarantee.

Question #6: How should you keep track of the funding and allowable costs?
Answer: Best practice would be to set up a separate banking account. This will allow you to bifurcate the funding source and offset that amount by costs tracked over the covered period directly. This allows you to use other cash reserves and funding sources to meet other expense needs during the covered period. The funds need to be brought over (into that separate banking account) within 10 days of the application being approved.

Question #7: What other resources are available if the PPP is not a good fit for you?
Answer: There are additional programs available through the Small Business Administration (SBA) including the Economic Injury Disaster Loan (EIDL) program, which features an advance amount (EIDL Emergency Grant) of up to $10,000. Guidance remains outstanding on exact implications of the EIDL Emergency Grant amount with some SBA offices pointing to $1,000 per employee up to a total max of $10,000. This EIDL Emergency Grant does not have to be repaid, but if you subsequently receive funding through the PPP, your forgiveness amount will be reduced by the EIDL Emergency Grant amount. The EIDL program also features a maximum loan life of 30 years with interest rates of 3.75% and 2.75% for entities that are for-profit and non-profit, respectively. More information on this is detailed in Dave Erb’s recent blog post.

If you do not need to make use of the PPP and EIDL programs, but still face significant downturns in your revenue base, tax relief in the form of the Employee Retention Credit (ERC) may also be an option. The provisions of the ERC within the CARES Act specify eligibility as an employer that does not participate in the PPP and: (i) a complete or partial shutdown in operations; or (ii) at least a 50% decline in gross receipts, based on quarterly comparison from 2020 to 2019. The ERC allows for a tax credit of 50% of qualified wages (max wages of $10,000 per employee and max credit of $5,000 per employee). For more information on the ERC provisions, see Bill Enck’s blog post.

As developments continue to unfold and changes in guidance continue to emerge, the BerryDunn Recovery Advisory Team can help you stay informed through the BerryDunn COVID-19 Resource Center.

Blog
Paycheck Protection Program: FAQs

Read this if you would like a refresher of common-sense approaches to protect against fraud while working remotely.

Coronavirus (COVID-19) has imposed many challenges upon us physically, mentally, and financially. Directly or indirectly, we all are affected by the outbreak of this life-threatening disease. Anxious times like this provide perfect opportunities for fraudsters. The fraud triangle is a model commonly used to explain the three components that may cause someone to commit fraud when they occur together:

  1. Financial pressure/motivation 
    In March 2020, the unemployment rate increased by 0.9 percent to 4.4 percent, and the number of unemployed persons rose by 1.4 million to 7.1 million.
  2. Perceived opportunity to commit fraud 
    Many people are online all day, providing more opportunities for internet crime. People are also desperate for something, from masks and hand sanitizers to coronavirus immunization and cures, which do not yet exist. 
  3. Rationalization 
    People use their physical, mental, or financial hardship to justify their unethical behaviors.

To combat the increasing coronavirus-related fraud and crime, the Department of Justice (DOJ) launched a national coronavirus fraud task force on March 23, 2020. It focuses on the detection, investigation, and prosecution of fraudulent activity, hoarding, and price gouging related to medical resources needed to respond to the coronavirus. US attorney’s offices are also forming local task forces where federal, state, and local law enforcement work together to combat coronavirus-related crimes. Things are changing fast, and the DOJ has daily updates on the task force activities.

Increased awareness for increased threats

Given the increase in fraudulent activity during the COVID-19 outbreak, it’s important for employees now working from home to be aware of ways to protect themselves and their companies and prevent the spread of fraud. Here are some of the top COVID-19-related fraud schemes to be aware of. 

  • Phishing emails regarding virus information, general financial relief, stimulus payments, and airline carrier refunds
  • Fake charities requesting donations for illegitimate or non-existent organizations 
  • Supply scams including fake shops, websites, social media accounts, and email addresses claiming to sell supplies in high demand but then never providing the supplies and keeping the money 
  • Website and app scams that share COVID-19 related information and then insert malware that could compromise the device and your personal information
  • Price gouging and hoarding of scarce products
  • Robocalls or scammers asking for personal information or selling of testing, cures, and essential equipment
  • Zoom bombing and teleconference hacking

If you have encountered suspicious activity listed above, please report it to the FBI’s Internet Crime Complaint Center.

Staying vigilant

To protect yourself from these threats, remember to use proper security measures and follow these tips provided by the Federal Bureau of Investigation (FBI) and DOJ:

  • Verify the identity of the company, charity, or individual that attempts to contact you in regards to COVID-19.
  • Do not send money to any business, charity, or individual requesting payments or donations in cash, by wire transfer, gift card, or through the mail. 
  • Understand the features of your teleconference platform and utilize private meetings with a unique code or password that is not shared publicly.
  • Do not open attachments or click links within emails from senders you do not recognize.
  • Do not provide your username, password, date of birth, social security number, insurance information, financial data, or other personal information in response to an email or robocall.
  • Always verify the web address of legitimate websites and manually type them into your browser.
  • Check for misspellings or wrong domains within a link (for example, an address that should end in ".gov" ends in ".com" instead).

Stay aware, and stay informed. If you have specific concerns or questions, or would like more information, please contact our team. We’re here to help.
 

Blog
COVID-19 and fraud―a security measures refresher

Read this if you are a Chief Executive Officer, Chief Financial Officer, Chief Risk Officer, Chief Information Officer, or Controller.

While COVID-19 has forced many of us into a remote work environment, we also have to deal with the challenges that come along with it. The stark contrast between an office environment and one that potentially involves working in isolation can be a difficult adjustment. Office kitchen conversations have evolved into conversations with pets, our newest co-workers. A quick, in-person question has now turned into an email, phone, or video call. And job responsibilities expand as we try to not only juggle work but also ensure our children focus on school work―and don’t destroy the house. 

Not only has this forced environment caused social challenges, it has also opened the door for internal control challenges, as internal controls designed to operate effectively in an office environment may not be ideal for a remote workplace. Even ones that are appropriately designed may prove to be operating ineffectively in this new environment. Let’s take a look at some internal control challenges, and potential solutions, faced by working in a remote environment.

Establishing a remote control environment

Exercising appropriate tone at the top and establishing appropriate oversight can be challenging with a remote workforce. Ethics and governance policies play an important role in setting clear expectations about workplace behaviors. But, a workforce is much more apt to follow a leadership team’s example rather than a policy. All of those office conversations, even the conversations that are not work related, help set an expectation of appropriate and inappropriate behaviors. These conversations often happen naturally in the office via a quick conversation in passing in the hallway or a late-Friday happy hour with your department. However, these interactions do not naturally occur in a remote workplace. Leadership and department heads should make an active effort to maintain communication with their workforce. Some things to consider:

  • Send out weekly emails to the entire department and possibly more personal, one-on-one videoconferences or phone calls between your department heads or managers and individual members of their teams.
  • These department-wide emails should stress the importance of communication as well as continuing to produce high quality work and maintaining accountability. 
  • One-on-one meetings should be used to check in with employees to ensure their work needs are being met. 

Employees will most likely have many suggestions to improve their new work environment, including suggestions on how to improve communication amongst team members. 

The power of video

Videoconferencing also provides a great opportunity to stay connected. Virtual happy hours simulate an in-person happy hour. This is a great way to check in with team members and show that, although people are out of sight, they are not out of mind. Town hall-type meetings can also be explored. Your leadership team can solicit open discussion. Agenda items may include office status updates, technological considerations, and an opportunity for employees to openly discuss current challenges due to working in a remote environment. Employees are going to have anxiety about the current environment. These meetings can help put employees at ease.

Risk assessment

Internal control environments are constantly evolving. Employees leave. Software is updated.  Offered services and products change. The list goes on. However, it is unprecedented that an internal control environment has changed so rapidly. Given these unprecedented times, there is potential for higher risk of fraud, internally and externally. Those responsible for designing internal controls (control owners) should reassess your company’s environment. Although internal controls can be designed in a manner in which they operate effectively regardless of the circumstances, it is possible there are unintended changes to processes that have occurred. 

For instance, let’s say the employee responsible for reviewing loan file maintenance changes is now working an alternative work schedule due to personal obligations. This employee does not have the ability to make loan file changes; therefore, segregation of duties has never been an issue. An employee within loan servicing has agreed to take some of the employee’s responsibilities and is now reviewing some of the loan file maintenance changes, which has put this employee in a position to review some of their own changes. 

Furthermore, some internal controls that require employees be at a physical location to operate may also be compromised, such as inventory cycle counts. If these controls are unable to operate, control owners will need to consider the impacts on the affected transaction areas, and if there are compensating controls that can be designed to alleviate some of the control risk.

Control activities

Accounts payable and check signing

The accounts payable and cash disbursement process will most likely be upended as a result of your new remote environment. Bills received through the mail will need to be scanned to the accounts payable clerk for entry into the accounting system. Some offices have designated certain personnel responsible for checking mail on an infrequent basis, for instance, weekly. Check signing may also prove to be a challenge as blank check stock may be inaccessible. Electronic receipt of invoices and signing of checks, as well as the use of wire and ACH transfers, lend themselves as feasible solutions. Email approvals may suffice when multiple signers are needed to approve high dollar disbursements.

Segregation of duties

As mentioned above, it is possible processes have inadvertently changed, exposing certain internal controls to ineffectiveness. Segregation of duties may become difficult as employees shift to alternative work schedules or have other issues. Maintaining segregation of duties should be a top priority for control owners and is something that should be constantly assessed as circumstances change. Challenging times may make segregation of duties difficult and may force you to get creative by requesting employees perform duties they are not otherwise accustomed to performing.

Digital sign-offs

You should also consider the manner in which you document the completion of controls. Control owners should be cautious about the integrity of an employee’s initials simply typed onto a digital document, as any employee can perform this task. Digital signatures, which require an employee to enter credentials prior to signing, enhance the integrity of a sign-off and are often time stamped. Digital signatures may also “lock down” the document, prohibiting any changes to the signed document.

Timely review

Given the circumstances, it is not unreasonable that preparation and review may take longer than under normal circumstances. Even if additional time is granted for the preparation and review of documents, you should consider the implications this has on the transaction class as a whole. The longer it takes to complete a control, the greater the consequences may be if you identify an error. For instance, the impact of an incorrect change to a loan rate index can be substantial if not identified timely. If identified quickly, you can avoid consequences later.

Information and communication

For many companies that have moved from a paper to a digital environment, sharing of information should not be an issue. However, for those that still operate in a mostly paper environment, performing tasks and sharing information with team members may prove to be difficult. And, those without the capability of scanning and sending documents from home could compromise a specific internal control altogether. Being forced to work remotely may be the perfect excuse to move paper processes into a digital format.

Monitoring

Monitoring your internal control environment is of the utmost importance given these significant changes. Frequent conversations should be had with control owners to ensure changes to processes do not render controls ineffective. Identified gaps in internal controls should be addressed proactively. Provide control owners with the opportunity to discuss changes to control processes with Internal Audit or Risk Management so such departments can consider the impact of changes on internal control. This also gives these departments the opportunity to cover any resulting gaps.

Permanent changes

Once the remote workplace requirements end, the effects of working in such an environment will not. There are many benefits and efficiencies to be found in working remotely. As people have now been forced to work in such an environment, they will be more apt to continue to do so. Therefore, let’s take this opportunity to revise processes and internal controls to be “remote workplace” compatible. This will provide a long-lasting impact to your organization far beyond the pandemic. 
 

Blog
How does your control environment look in a remote world?

BerryDunn’s Healthcare/Not-for-Profit Practice Group members have been working closely with our clients as they navigate the effect the COVID-19 pandemic will have on their ability to sustain and advance their missions.

We have collected several of the questions we received, and the answers provided, so that you may also benefit from this information. We will be updating our COVID-19 Resources page regularly. If you have a question you would like to have answered, please contact Sarah Belliveau, Not-for-Profit Practice Area leader, at sbelliveau@berrydunn.com.

The following questions and answers have been compiled into categories: stabilization, cash flow, financial reporting, endowments and investments, employee benefits, and additional considerations.

STABILIZATION
Q: Is all relief focused on small to mid-size organizations? What can larger nonprofit organizations participate in for relief?
A:

We have learned that there is an as-yet-to-be-defined loan program for mid-sized employers with between 500 and 10,000 employees. You can find information in the Loans Available for Nonprofits section (link below) of the CARES Act as well as on the Independent Sector CARES Act web page, which will be updated regularly.

Q: Should I perform financial modeling so I can understand the impact this will have on my organization? Things are moving so fast, how do I know what federal programs are available to provide assistance?
A:

The first step in developing a short-term model to navigate the next few months is to gain an understanding of the programs available to provide assistance. These resources summarize some information about available programs:

Loans Available for Nonprofits in the CARES Act
Families First Coronavirus Response Act (FFCRA): FAQs for Businesses
CARES Act Tax Provisions for Not-for-Profit Organizations

The next step is to develop scenarios ranging from best case to worst case to analyze the potential impact of revenue and/or cost reductions on the organization. Modeling the various options available to you will help to determine which program is best for your organization. Each program achieves a different objective – for instance:

  • The Paycheck Protection Program can assist in retaining employees in the short term.
  • The Emergency Economic Injury Grants are helpful in covering a small immediate liquidity need.
  • The Small Business Debt Relief Program provides aid to those concerned with making SBA loan payments.

Additionally, consider non-federal options, such as discussing short-term deferrals with your current bank.

Q: How should I create a financial forecast/model for the next year?
A:

If you have the benefit of waiting, this is likely a time period in which it makes sense to delay significant in-depth forecasting efforts, particularly if your business environment is complicated or subject to significant volatility as a result of recent events. The concern with beginning to model for future periods, outside of the next three-to-six months, is that you’ll be using information that is incomplete and ever-changing. This could lead to snap judgments that are short-term in nature and detrimental to long-term planning and success of your organization.

With that said, we recognize that delaying this analysis will be unsettling to many CFOs and business managers who need to have a strategy moving forward. In developing this model for next year, consider the following elements of a strong model:

  1. Flexible and dynamic – Allow room for the model to adapt as more information is available and as additional insight is requested by your constituents (board members, department heads, lenders, etc.).
  2. Prioritize – Start with your big-ticket items. These should be the items that drive results for the organization. Determine what your top two to three revenue and expense categories are and focus on wrapping your arms around the future of those. From there, look for other revenue and expense sources that show correlation with one of the big two to three. Using a dynamic model, these should be automatically updated when assumptions on correlated items change. Don’t waste time on items that likely don’t impact decision making. Finally, build consensus on baseline assumptions, whether it be through management or accounting team, the board, or finance committee.
  3. Stress-test – Provide for the reality that your assumptions, and thus model, will be wrong. Develop scenarios that run from best-case to worst-case. Be honest with your assumptions.
  4. Identify levers – As you complete stress-testing, identify your action plan under different circumstances. What are expenditures that can be deferred in a worst-case scenario? What does staffing look like at various levels?
  5. Cash is king – The focus on forecasting and modeling is often on the net income of the organization and the cash flows generated. In a time such as this, the exercise is likely to focus on future liquidity. Remember to consider your non-income and expense items that impact cash flow, such as principal payments on debt service, planned additions to property & equipment, receipts on pledge payments, and others.

CASH FLOW
Q: How can I alleviate cash flow strain in the near term?
A:

While the House and Senate have reacted quickly to bring needed relief to individuals and businesses across the country, the reality for most is that more will need to be done to stabilize. Operationally, obvious responses in the short term should be to eliminate all nonessential purchasing and maximize the billing and collection functions in accounts receivable. Another option is to utilize or increase an existing line of credit, or establish a new line of credit, to alleviate short term cash flow shortfalls. Organizations with investment portfolios can consider the prudence of increasing the spending draw on those funds. Rather than making a few drastic changes, organizations should take a multi-faceted approach to reduce the strain on cash flow while protecting the long term sustainability of the mission.

Q: How can I increase my organization’s reach to help with disaster relief? If we establish a special purpose fund, what should my organization be thinking about?
A:

Many organizations are looking for ways to increase their direct impact and give funding to individuals or organizations they may not have historically supported. For those who want to expand their grant or gift making or want to establish a disaster relief fund, there are things to consider when doing so to help protect the organization. The nonprofit experts at Hemenway & Barnes share their thoughts on just how to do that.

FINANCIAL REPORTING
Q: What accounting standards have been delayed or are in the process of being delayed?
A:

FASB:
The $2.2 trillion stimulus package includes a provision that would allow banks the temporary option to delay compliance with the current expected credit losses (CECL) accounting standard. This would be delayed until the earlier of the end of the fiscal year or the end of the coronavirus national emergency.

GASB:
On March 26, 2020, the Governmental Accounting Standards Board (GASB) announced it has added a project to its current technical agenda to consider postponing all Statement and Implementation Guide provisions with an effective date that begins on or after reporting periods beginning after June 15, 2018. The GASB has received numerous requests from state and local government officials and public accounting firms regarding postponing the upcoming effective dates of pronouncements as these state and local government offices are closed and officials do not have access to the information needed to implement the Statements. Most notably this would include Statement No. 84, Fiduciary Activities, and Statement No. 87, Leases.

The Board plans to consider an Exposure Draft for issuance in April and finalize the guidance in May 2020.

ENDOWMENTS AND INVESTMENTS 
Q: What should I consider with regard to endowments?
A:

Many nonprofits with endowments are considering ways to balance an increased reliance on their investment portfolios with the responsibility to protect and preserve the spending power of donor-restricted gifts. Some things to think about include the existence (or absence) of true restrictions, spending variations under the Uniform Prudent Management of Institutional Funds Act (UPMIFA) applicable in your state, borrowing from an endowment, or requesting from the donor the release of restrictions. All need to be balanced with the intended duration and preservation of the endowment fund. Hemenway & Barnes shares their thoughts relative to the utilization of endowments during this time of need.

EMPLOYEE BENEFITS
Q: We are going to suspend our retirement plan match through June 30, 2020 and I picked a start date of April 1st. What we need help with is our bi-weekly payroll (which is for HOURLY employees). Their next pay date is April 3rd, for time worked through March 28th. Time worked March 29-31 would be paid on April 17th. How should we handle the match during this period for the hourly employees?
A:

The key for determining what to include for the matching calculation is when it is paid, not when it was earned. If the amendment is effective April 1st, then any amounts paid after April 1st would not have matching contributions calculated. This means that the amounts paid on April 3rd would not have any matching contributions calculated.

Q: Can you please provide guidance on the Families First Coronavirus Response Act (FFCRA) and how it may impact my organization?
A:

On March 30th, BerryDunn published a blog post to help answer your questions around the FFCRA.

If you have additional questions, please contact one of our Employee Benefit Plan professionals.

ADDITIONAL CONSIDERATIONS
Q: I heard there was going to be an incentive for charitable giving in the new act. What's that all about?
A:

According to Sections 2204 and 2205 of the CARES Act:

  • Up to $300 of charitable contributions can be taken as a deduction in calculating adjusted gross income (AGI) for the 2020 tax year. This will provide a tax benefit even to those who do not itemize.
  • For the 2020 tax year, the tax cap has been lifted for:
    • Individuals: from 60% of AGI to 100%
    • Corporations: annual limit is raised from 10% to 25% (for food donations this is raised from 15% to 25%)

Q: Have you heard if the May 15th tax deadline will be extended?
A:

Unfortunately, we have not heard. As of April 6th, the deadline has not been extended.

Q: Could you please summarize for me the tax provisions in the CARES Act that you think are most applicable to not-for-profits?
A: Absolutely! Our not-for-profit tax professionals have compiled this document, which provides a high-level outline of tax provisions in the CARES Act that we believe would be of interest to our clients.

We are here to help
Please contact the BerryDunn not-for-profit team if you have any questions, or would like to discuss your specific situation.

Blog
COVID-19 FAQs—Not-for-Profit Edition

Read this if your company would like to request an advance payment of the tax credits.

In response to the paid sick and family medical leave credit provisions enacted by the Families First Coronavirus Response Act (FFCRA) and the employee retention credit enacted by the CARES Act, the IRS has issued Form 7200 to request an advance payment of the tax credits.

Who may file Form 7200?

Employers that file Form(s) 941, 943, 944, or CT-1 may file Form 7200 to request an advance payment of the tax credit for qualified sick and family leave wages and the employee retention credit.

Eligible employers who pay qualified sick and family leave wages or qualified wages eligible for the employee retention credit should retain the amounts qualified for either credit rather than depositing these amounts with the IRS.

With respect to the sick and family leave payments, the credit includes amounts paid for qualified sick and family leave wages, related health plan expenses, and the employer’s share of the Medicare taxes on the qualified wages.

With respect to the employee retention credit, the credit equals 50% of the qualified wages, including certain health plan expenses allocable to the wages, and may not exceed $5,000 per qualifying employee. Of note:

  • Employment taxes available for the credits include withheld federal income tax, the employee's share of Social Security and Medicare taxes, and the employer's share of Social Security and Medicare taxes with respect to all employees.
  • If there aren’t sufficient employment taxes to cover the cost of qualified sick and family leave wages (plus the qualified health expenses and the employer share of Medicare tax on the qualified leave wages) and the employee retention credit, employers can file Form 7200 to request an advance payment from the IRS.
  • The IRS instructs employers not to reduce their deposits and request advance credit payments for the same expected credit. Rather, an employer will need to reconcile any advance credit payments and reduced deposits on its applicable employment tax return.

Examples

If an employer is entitled to a credit of $5,000 for qualified sick leave, certain related health plan expenses, and the employer’s share of Medicare tax on the leave wages and is otherwise required to deposit $8,000 in employment taxes, the employer could reduce its federal employment tax deposits by $5,000. The employer would only be required to deposit the remaining $3,000 on its next regular deposit date.

If an employer is entitled to an employee retention credit of $10,000 and was required to deposit $8,000 in employment taxes, the employer could retain the entire $8,000 of taxes as a portion of the refundable tax credit it is entitled to and file a request for an advance payment for the remaining $2,000 using Form 7200.

When to file

Form 7200 can be filed at any time before the end of the month following the quarter in which qualified wages were paid, and may be filed several times during each quarter, if needed. The form cannot be filed after an employer has filed its last employment tax return for 2020.

Please note that Form 7200 cannot be corrected. Any error made on Form 7200 will be corrected when the employer files its employment tax form.

How to file

Fax Form 7200, which you can access here, to 855-248-0552. Form 7200 instructions.

If you need more information, or have any questions, please contact a BerryDunn tax professional. We’re here to help.

Blog
IRS releases Form 7200: Advance payment of employer credits due to COVID-19

Focus: Disaster Loan Program and Paycheck Protection Program (PPP)

Background

The Coronavirus Aid, Relief and Economic Security (CARES) Act will provide $562 million to cover administrative expenses and program subsidy for the US Small Business Administration (SBA) Economic Injury Disaster Loans and small business programs. 

Additionally, the CARES Act specifically provides the authorization for $349 billion for the SBA 7(a) program through December 31, 2020. 

SBA disaster loan program (updated for CARES Act) highlights


General
The US Small Business Administration is offering designated states and territories low-interest federal disaster loans for working capital to small businesses suffering substantial economic injury as a result of the coronavirus and COVID-19.

Eligibility 
Standards may differ by industry, but the general rule of thumb is that the SBA defines most small businesses as having fewer than 500 people, both calculated on a standalone basis and together with its affiliates (see PPP below for more information). A company’s average annual sales may also be used for the small business designation.

Historically, businesses that are not eligible for this program included casinos, charitable organizations, religious organizations, agricultural enterprises and real estate developers that are primarily involved in subdividing real property into lots and developing it for resale for themselves (other real estate entities may apply, such as landlords). 

However, the CARES Act expanded eligibility to include (i) any individual operating as a sole proprietor or independent contractor; (ii) private non-profits; and (iii) Tribal businesses, cooperatives and ESOPs with fewer than 500 employees during the period from January 31, 2020 to December 31, 2020.

If the entity has bad credit or has defaulted on a prior SBA loan, the entity is not eligible. The CARES Act removed the credit elsewhere requirement (i.e., previously if the business had credit available through another source, such as a line of credit, it was ineligible). 

Basic terms

  • Loan amount
    The lesser of $2 million or an amount determined that the borrower can repay (i.e., underwriting requirement).
  • Maximum term
    Up to 30 years and all payments on these loans will be deferred for 12 months from disbursement date. Interest will accrue.
  • Interest rate
    3.75% for for-profit business and 2.75% for a non-profit entity.
  • Collateral
    Loans for under $25,000 do not require collateral. Any person with an interest in the company worth 20% or more must be a guarantor; however, the CARES Act eliminates the guaranty requirement on advances and loans under $200,000.
  • Use of proceeds
    Loan proceeds may be used to pay fixed debts (including short-term notes and balloon payments that are due within the next 12 months), payroll, accounts payable, and other bills that would have been paid but for the disaster, such as mortgage payments. Landlords and other passive entities are eligible. Agriculture-related entities are eligible, but farmers are not. Borrowers must maintain proof of how the loan proceeds were used for three years from the date of disbursement. Borrowers cannot use the proceeds to expand their business, buy assets, make repairs to real estate or refinance long-term debt.
  • Forgiveness
    No forgiveness provision.

Applying
Loan applications are available here

Length of time for funding
Upon submittal of a completed application, it can take 18-21 days to be approved and another four to five business days for funding. However, the SBA has never dealt with this much volume so expect delays.  

If funding is needed immediately, contact any SBA partnering non-profit lender and request an SBA microloan up to $50,000 or contact a commercial lending partner to see if they offer SBA express loans up to $1,000,000 (CARES Act increases this from $350,000 to $1,000,000) and/or SBA 7(a) loans up to $5 million. The 7(a) loans are typically processed within 30 days, while microloans and express loans are processed even more quickly. 

The CARES Act has also established an emergency grant to allow eligible entities who have applied for a disaster loan because of COVID-19 to request an advance of up to $10,000 on that loan. The SBA is to distribute the advance within three days. 

This advance does not need to be repaid, even if the applicant is denied a Disaster Loan. ($10,000,000,000 is appropriated for this program and funds will be distributed on a first come, first served basis). An applicant must self-certify that it is an eligible entity prior to receiving such an advance. Advances may be used for providing sick leave to employees, maintaining payroll, meeting increased costs to obtain materials, rent or mortgage payments, and payment of business obligations that cannot be paid due to loss of revenues. Applicants must apply directly with the SBA for this program.

Other considerations
Each company should review any current loan obligations and confirm that it does not include a provision forbidding that applicant from acquiring additional debt. If the document does, the applicant will want to discuss a waiver of that provision with its current lender. The lender should be amenable to this waiver and the applicant will want the waiver verified in writing. The lender should be amenable because the SBA disaster loan can be used to satisfy monthly debt obligations and any collateral taken by the SBA would be subordinate, if the same collateral secures the lender’s loan.

Under the CARES Act, Congress has also directed the SBA to use funds to make principal and interest payments, along with associated fees that may be owed on an existing SBA 7(a), 504 or micro-loan program covered loan, for a period of six months from the next payment due date. Any loan that may currently be on deferment will receive the six months of covered payments once the deferral period has ended. This provision will also cover loans that are made up to six months after the enactment of the CARES Act. If the loan maturity date conflicts with benefiting from this amendment, the lender can extend the maturity date of the loan. 

Newly enacted Paycheck Protection Program (PPP)


General
This new program will be offered with a 100% SBA guaranty through December 31, 2020, to lenders, after which the guaranty percentage will return to 75% for loans above $150,000 and 85% for loans below that amount. 

Eligibility 
A business, including a qualifying nonprofit organization, that was in operation on February 15, 2020, and either had employees for whom it paid salaries and payroll taxes or paid independent contractors, is eligible for PPP loans if it (a) meets the applicable North American Industry Classification System (NAICS) Code-based size standard or other applicable 7(a) loan size standard, both alone and together with its affiliates; or (b) has an employee headcount that is lower than the greater of (i) 500 employees or (ii) the employee size standard, if any, under the applicable NAICS Code. 

Businesses that fall within NAICS Code 72, which applies to accommodations and food services, are also eligible if they employ no more than 500 people per physical location. Sole proprietorships, independent contractors, and self-employed individuals are also eligible. It is unclear as of what date the size test will be applied, but historically, SBA size tests have been applied on the date of application for financing. More information on the NAICS-Code-based size standards can be found here

Borrowers are required to provide a good faith certification that the loan is necessary due to economic conditions brought about because of COVID-19 and that the borrower will use the funds to retain workers, maintain payroll and pay utilities, lease and/or mortgage payments.

The credit elsewhere test is waived under this program. 

Lenders shall base their underwriting on whether a business was operational on February 15, 2020, and had employees for whom it was responsible or paid for services from an independent contractor. The legislation has directed lenders not to base their determinations on repayment ability at the present time because of the effects of COVID-19.

Applicants for SBA loan programs, including PPP loans, typically must include their affiliates when applying size tests to determine eligibility. That means that employees of other businesses under common control would count toward the maximum number of permitted employees. A business that is controlled by a private equity sponsor would likely be deemed an affiliate of the other businesses controlled by that sponsor and could thus be ineligible for PPP loans. However, the CARES Act waives the affiliation requirement for the following applicants:  

  1. Businesses within NAICS Code 72 with no more than 500 employees
  2. Franchises with codes assigned by the SBA, as reflected on the SBA franchise registry
  3. Businesses that receive financial assistance from one or more small business investment companies (SBIC) 

Basic terms

  • Loan amount
    Lesser of $10 million or 2.5 times the applicant’s average monthly payroll costs of the business over the year prior to the making of the loan (practically, this may become the year prior to the loan application), excluding the prorated portion of any annual compensation above $100,000 for any person. Note that under the CARES Act, “payroll costs” include vacation, parental, family, medical, and sick leave; allowances for dismissal or separation; payments for group health care benefits, including insurance premiums; and retirement benefits. Calculations vary slightly for seasonal businesses and businesses that were not in operation between February 15 and June 30, 2019. To the extent that an SBA Disaster Loan was used for a purpose other than those permitted for PPP Loans, the Disaster Loans may be refinanced with proceeds of PPP loans, in which case the maximum available PPP loan amount is increased by the amount of the Disaster Loans being refinanced.
  • Maximum term
    Payments will be deferred for a minimum of 6 months and a maximum of 12. SBA is directed to issue guidance on the terms of this deferral. Any portion of the PPP loan that is not forgiven (see below) on or before December 31, 2020, shall automatically be a term loan for a maximum of 10 years. For PPP loans, the SBA has waived prepayment penalties.
  • Fees
    SBA will waive the guaranty fee and annual fee applicable to other 7(a) loans. 
  • Interest rate
    Maximum rate of 4%.
  • Collateral
    The standard requirements of collateral and a personal guaranty are waived under this program. Accordingly, there will be no recourse to owners or borrowers for nonpayment, except to the extent proceeds are used for an unauthorized purpose.
  • Use of proceeds
    This loan can be used for: (i) payroll support, excluding the prorated portion of any compensation above $100,000 per year for any person; (ii) group healthcare benefits costs and insurance premiums; (iii) mortgage interest (but not prepayments or principal payments) and rent payments incurred in the ordinary course of business, and (iv) utility payments. 
  • Forgiveness
    A borrower will be eligible for loan forgiveness related to a PPP loan in an amount equal to 8 weeks of payroll costs, and the interest on mortgage payments (not principal) made in the ordinary course of business, rent payments, or utility payments so long as all payments were obligations of the borrower prior to February 15, 2020. Payroll costs counted for any single employee are limited to no more than $100,000 in wages, and the amount of forgiveness cannot exceed the principal loan amount.

    The amount of loan forgiveness will be reduced proportionally by any reduction in the borrower’s workforce, based on full-time equivalent employees compared with the period from either February 15, 2019, through June 30, 2019, or January 1, 2020, through February 29, 2020, as selected by the borrower, or by a reduction of more than 25% of any employee’s compensation, measured against the most recent full quarter. Borrowers that have already had to lay off employees due to COVID-19 are encouraged to rehire them: they are not penalized for having a reduced payroll at the beginning of the covered period, which means the initial 8-week period after the loan’s origination date.

    Accordingly, reductions in the number of employees or compensation occurring between February 15, 2020, and 30 days after enactment of the CARES Act will generally be ignored to the extent reversed by June 30, 2020. Any additional wages that may be paid to tipped workers are also covered in the calculation of payroll forgiveness. Borrowers must keep accurate records and document their payments because lenders will need to verify the payments to allow for loan forgiveness. Borrowers will not have to include any forgiven indebtedness as taxable income. 

Applying
A company needs to apply on or before June 30, 2020, with a lender who is currently approved as a 7(a) lender or who is approved by the SBA and the Treasury Department to become a PPP lender. PPP lenders have delegated authority to make and approve PPP loans, with no additional SBA approval required.

There are certain portions of the CARES Act that require SBA to provide further guidance, so there may be some slight changes to the rules and procedures as best practices present themselves.

We recommend contacting existing 7(a) lenders as soon as possible to learn what you will need to provide for underwriting and approving a PPP loan. 

We are here to help
Please contact a BerryDunn professional if you have any questions, or would like to discuss your specific situation.

Blog
Impact of CARES Act on SBA loans

On March 27, 2020, President Trump signed into law the Coronavirus Aid, Relief and Economic Security (CARES) Act, which provides relief to taxpayers affected by the novel coronavirus and COVID-19. The CARES Act is the third round of federal government aid related to COVID-19. We have summarized the top provisions in the new legislation below, with more detailed alerts on individual provisions to follow. Click here for a link to the full text of the bill.

Compensation, benefits, and payroll relief
The law temporarily increases the amount of and expands eligibility for unemployment benefits, and it provides relief for workers who are self-employed. Additionally, several provisions assist certain employers who keep employees on payroll even though the employees are not able or needed to work. 

The cornerstone of the payroll protection aid is a streamlined application process for SBA loans that can be forgiven if an eligible employer maintains its workforce at certain levels. 

Additionally, certain employers affected by the pandemic who retain their employees will receive a credit against payroll taxes for 50% of eligible employee wages paid or incurred from March 13 to December 31, 2020. This employee retention credit would be provided for as much as $10,000 of qualifying wages, including health benefits. Eligible employers may defer remitting employer payroll tax payments that remain due for 2020 (after the credits are deducted), with half being due by December 31, 2021, and the balance due by December 31, 2022. 

Employers with fewer than 500 employees are also allowed to give terminated employees access to the mandated paid federal sick and child care leave benefits for which the employer is 100% reimbursed by the government through payroll tax credits, if the employer rehires the qualifying employees.

Any benefit that is driven off the definition of “employee” raises the issue of partner versus employee. The profits interest member that is receiving a W-2 may not be eligible for inclusion in the various benefit computations.

Eligible individuals can withdraw vested amounts up to $100,000 during 2020 without a 10% early distribution penalty, and income inclusion can be spread over three years. Repayment of distributions during the next three years will be treated as tax-free rollovers of the distribution. The bill also makes it easier to borrow money from 401(k) accounts, raising the limit to $100,000 from $50,000 for the first 180 days after enactment, and the payment dates for any loans due the rest of 2020 would be extended for a year.

Individuals do not have to take their 2020 required minimum distributions from their retirement funds. This avoids lost earnings power on the taxes due on distributions and maximizes the potential gain as the market recovers.

Two long-awaited provisions allow employers to assist employees with college loan debt through tax-free payments up to $5,250 and restore over-the-counter medical supplies as permissible expenses that can be reimbursed through health care flexible spending accounts and health care savings accounts.

Deferral of net business losses for three years
Section 461(l) limits non-corporate taxpayers in their use of net business losses to offset other sources of income. As enacted in 2017, this limitation was effective for taxable years beginning after 2017 and before 2026, and applied after the basis, at-risk, and passive activity loss limitations. The amount of deductible net business losses is limited to $500,000 for married taxpayers filing a joint return and $250,000 for all other taxpayers. These amounts are indexed for inflation after 2018 (to $518,000 and $259,000, respectively, in 2020). Excess business losses are carried forward to the next succeeding taxable year and treated as a net operating loss in that year.

The CARES Act defers the effective date of Section 461(l) for three years, but also makes important technical corrections that will become effective when the limitation on excess business losses once again becomes applicable. Accordingly, net business losses from 2018, 2019, or 2020 may offset other sources of income, provided they are not otherwise limited by other provisions that remain in the Code. Beginning in 2021, the application of this limitation is clarified with respect to the treatment of wages and related deductions from employment, coordination with deductions under Section 172 (for net operating losses) or Section 199A (relating to qualified business income), and the treatment of business capital gains and losses.

Section 163(j) amended for taxable years beginning in 2019 and 2020
The CARES Act amends Section 163(j) solely for taxable years beginning in 2019 and 2020. With the exception of partnerships, and solely for taxable years beginning in 2019 and 2020, taxpayers may deduct business interest expense up to 50% of their adjusted taxable income (ATI), an increase from 30% of ATI under the TCJA, unless an election is made to use the lower limitation for any taxable year. Additionally, for any taxable year beginning in 2020, the taxpayer may elect to use its 2019 ATI for purposes of computing its 2020 Section 163(j) limitation. 

This will benefit taxpayers who may be facing reduced 2020 earnings as a result of the business implications of COVID-19. As such, taxpayers should be mindful of elections on their 2019 return that could impact their 2019 and 2020 business interest expense deduction. With respect to partnerships, the increased Section 163(j) limit from 30% to 50% of ATI only applies to taxable years beginning in 2020. However, in the case of any excess business interest expense allocated from a partnership for any taxable year beginning in 2019, 50% of such excess business interest expense is treated as not subject to the Section 163(j) limitation and is fully deductible by the partner in 2020. The remaining 50% of such excess business interest expense shall be subject to the limitations in the same manner as any other excess business interest expense so allocated. Each partner has the ability, under regulations to be prescribed by Treasury, to elect to have this special rule not applied. No rules are provided for application of this rule in the context of tiered partnership structures.

Net operating losses carryback allowed for taxable years beginning in 2018 and before 2021
The CARES Act provides for an elective five-year carryback of net operating losses (NOLs) generated in taxable years beginning after December 31, 2017, and before January 1, 2021. Taxpayers may elect to relinquish the entire five-year carryback period with respect to a particular year’s NOL, with the election being irrevocable once made. In addition, the 80% limitation on NOL deductions arising in taxable years beginning after December 31, 2017, has temporarily been pushed to taxable years beginning after December 31, 2020. 

Several ambiguities in the application of Section 172 arising as a result of drafting errors in the Tax Cuts and Jobs Act have also been corrected. As certain benefits (e.g., charitable contributions, Section 250 “GILTI” deductions, etc.) may be impacted by an adjustment to taxable income, and therefore reduce the effective value of any NOL deduction, taxpayers will have to determine whether to elect to forgo the carryback. Moreover, the bill provides for two special rules for NOL carrybacks to years in which the taxpayer included income from its foreign subsidiaries under Section 965. Please consider the impact of this interaction with your international tax advisors.

However, given the potential offset to income taxed under a 35% federal rate, and the uncertainty regarding the long-term impact of the COVID-19 crisis on future earnings, it seems likely that most companies will take advantage of the revisions. This is a technical point, but while the highest average federal rate was 35% before 2018, the highest marginal tax rate was 38.333% for taxable amounts between $15 million and $18.33 million. This was put in place as part of our progressive tax system to eliminate earlier benefits of the 34% tax rate. Companies may wish to revisit their tax accounting methodologies to defer income and accelerate deductions in order to maximize their current year losses to increase their NOL carrybacks to earlier years.

Alternative minimum tax credit refunds
The CARES Act allows the refundable alternative minimum tax credit to be completely refunded for taxable years beginning after December 31, 2018, or by election, taxable years beginning after December 31, 2017. Under the Tax Cuts and Jobs Act, the credit was refundable over a series of years with the remainder recoverable in 2021.

Technical correction to qualified improvement property
The CARES Act contains a technical correction to a drafting error in the Tax Cuts and Jobs Act that required qualified improvement property (QIP) to be depreciated over 39 years, rendering such property ineligible for bonus depreciation. With the technical correction applying retroactively to 2018, QIP is now 15-year property and eligible for 100% bonus depreciation. This will provide immediate current cash flow benefits and relief to taxpayers, especially those in the retail, restaurant, and hospitality industries. Taxpayers that placed QIP into service in 2019 can claim 100% bonus depreciation prospectively on their 2019 return and should consider whether they can file Form 4464 to quickly recover overpayments of 2019 estimated taxes. Taxpayers that placed QIP in service in 2018 and that filed their 2018 federal income tax return treating the assets as bonus-ineligible 39-year property should consider amending that return to treat such assets as bonus-eligible. For C corporations, in particular, claiming the bonus depreciation on an amended return can potentially generate NOLs that can be carried back five years under the new NOL provisions of the CARES Act to taxable years before 2018 when the tax rates were 35%, even though the carryback losses were generated in years when the tax rate was 21%. With the taxable income limit under Section 172(a) being removed, an NOL can fully offset income to generate the maximum cash refund for taxpayers that need immediate cash. Alternatively, in lieu of amending the 2018 return, taxpayers may file an automatic Form 3115, Application for Change in Accounting Method, with the 2019 return to take advantage of the new favorable treatment and claim the missed depreciation as a favorable Section 481(a) adjustment.

Effects of the CARES Act at the state and local levels
As with the Tax Cuts and Jobs Act, the tax implications of the CARES Act at the state level first depend on whether a state is a “rolling” Internal Revenue Code (IRC) conformity state or follows “fixed-date” conformity. For example, with respect to the modifications to Section 163(j), rolling states will automatically conform, unless they specifically decouple (but separate state ATI calculations will still be necessary). However, fixed-date conformity states will have to update their conformity dates to conform to the Section 163(j) modifications.

A number of states have already updated during their current legislative sessions (e.g., Idaho, Indiana, Maine, Virginia, and West Virginia). Nonetheless, even if a state has updated, the effective date of the update may not apply to changes to the IRC enacted after January 1, 2020 (e.g., Arizona). 

A number of other states have either expressly decoupled from Section 163(j) or conform to an earlier version and will not follow the CARES Act changes (e.g., California, Connecticut, Georgia, Missouri, South Carolina, Tennessee (starting in 2020), Wisconsin). Similar considerations will apply to the NOL modifications for states that adopted the 80% limitation, and most states do not allow carrybacks. Likewise, in fixed-date conformity states that do not update, the Section 461(l) limitation will still apply, resulting in a separate state NOL for those states.

These conformity questions add another layer of complexity to applying the tax provisions of the CARES Act at the state level. Further, once the COVID-19 crisis is past, rolling IRC conformity states must be monitored, as these states could decouple from these CARES Act provisions for purposes of state revenue.

2020 recovery refund checks for individuals
The CARES Act provides eligible individuals with a refund check equal to $1,200 ($2,400 for joint filers) plus $500 per qualifying child. The refund begins to phase out if the individual’s adjusted gross income (AGI) exceeds $75,000 ($150,000 for joint filers and $112,500 for head of household filers). The credit is completely phased out for individuals with no qualifying children if their AGI exceeds $99,000 ($198,000 for joint filers and $136,500 for head of household filers).

Eligible individuals do not include nonresident aliens, individuals who may be claimed as a dependent on another person’s return, estates, or trusts. Eligible individuals and qualifying children must all have a valid social security number. For married taxpayers who filed jointly with their most recent tax filings (2018 or 2019) but will file separately in 2020, each spouse will be deemed to have received one half of the credit.

A qualifying child (i) is a child, stepchild, eligible foster child, brother, sister, stepbrother, or stepsister, or a descendant of any of them, (ii) under age 17, (iii) who has not provided more than half of their own support, (iv) who has lived with the taxpayer for more than half of the year, and (v) who has not filed a joint return (other than only for a claim for refund) with the individual’s spouse for the taxable year beginning in the calendar year in which the taxable year of the taxpayer begins.

The refund is determined based on the taxpayer’s 2020 income tax return but is advanced to taxpayers based on their 2018 or 2019 tax return, as appropriate. If an eligible individual’s 2020 income is higher than the 2018 or 2019 income used to determine the rebate payment, the eligible individual will not be required to pay back any excess rebate. However, if the eligible individual’s 2020 income is lower than the 2018 or 2019 income used to determine the rebate payment such that the individual should have received a larger rebate, the eligible individual will be able to claim an additional credit generally equal to the difference of what was refunded and any additional eligible amount when they file their 2020 income tax return.

Individuals who have not filed a tax return in 2018 or 2019 may still receive an automatic advance based on their social security benefit statements (Form SSA-1099) or social security equivalent benefit statement (Form RRB-1099). Other individuals may be required to file a return to receive any benefits.

The CARES Act provides that the IRS will make automatic payments to individuals who have previously filed their income tax returns electronically, using direct deposit banking information provided on a return any time after January 1, 2018.

Charitable contributions

  • Above-the-line deductions: Under the CARES Act, an eligible individual may take a qualified charitable contribution deduction of up to $300 against their AGI in 2020. An eligible individual is any individual taxpayer who does not elect to itemize his or her deductions. A qualified charitable contribution is a charitable contribution (i) made in cash, (ii) for which a charitable contribution deduction is otherwise allowed, and (iii) that is made to certain publicly supported charities.

    This above-the-line charitable deduction may not be used to make contributions to a non-operating private foundation or to a donor advised fund.
  • Modification of limitations on cash contributions: Currently, individuals who make cash contributions to publicly supported charities are permitted a charitable contribution deduction of up to 60% of their AGI. Any such contributions in excess of the 60% AGI limitation may be carried forward as a charitable contribution in each of the five succeeding years.

    The CARES Act temporarily suspends the AGI limitation for qualifying cash contributions, instead permitting individual taxpayers to take a charitable contribution deduction for qualifying cash contributions made in 2020 to the extent such contributions do not exceed the excess of the individual’s contribution base over the amount of all other charitable contributions allowed as a deduction for the contribution year. Any excess is carried forward as a charitable contribution in each of the succeeding five years. Taxpayers wishing to take advantage of this provision must make an affirmative election on their 2020 income tax return.

    This provision is useful to taxpayers who elect to itemize their deductions in 2020 and make cash contributions to certain public charities. As with the aforementioned above-the-line deduction, contributions to non-operating private foundations or donor advised funds are not eligible.

    For corporations, the CARES Act temporarily increases the limitation on the deductibility of cash charitable contributions during 2020 from 10% to 25% of the taxpayer’s taxable income. The CARES Act also increases the limitation on deductions for contributions of food inventory from 15% to 25%.

We are here to help
Please contact a BerryDunn professional if you have any questions, or would like to discuss your specific situation.

Blog
The CARES Act: Implications for businesses

On March 18, 2020, the SBA issued relaxed criteria for Economic Injury Disaster Loans (EIDLs).

The two immediate impacts:

  • States are now only required to certify that a minimum of five small businesses within the state/territory have suffered significant economic injury, as opposed to proof of five small businesses within each reporting county/parish.
  • Prior regulation only made disaster assistance loans available to small businesses within counties declared disaster areas by a governor. Relaxed standards state the EIDLs will be available statewide following an economic injury declaration. This applies to current and future disaster declarations related to COVID-19.

Some SBA loan specifics:

  • EIDL amounts range from $25,000 to $2,000,000, at interest rates of 3.75% for small businesses and 2.75% for not-for-profits.
  • Companies can use the loans to pay bills that can’t be paid due to the disaster’s impact, including but not limited to fixed debts, payroll, and accounts payable.
  • Loan terms are determined on a case-by-case basis, based on the borrower’s ability to repay. SBA is offering repayment terms up to a maximum of 30 years.
  • EIDLs are one facet of an expanded and coordinated federal government response.

Small businesses in need of economic assistance may apply for an EIDL here. We will update as more information becomes available.

If you have questions about SBA loans, please contact your BerryDunn tax consultant.
 

Blog
Small Business Administration (SBA) eases criteria for disaster loans

Over the last few weeks, CMS and the President have enacted legislation and released guidance to assist the senior living industry in coping with the impact of COVID-19. We recognize the elderly residents of our country are the most vulnerable population and your days are filled caring for your population’s needs and health. Our senior living professionals have written this article to highlight new regulations impacting the industry and offer practical tips for guarding your facility's financial health through the COVID-19 outbreak.

Amidst rapid hourly changes in contending with the coronavirus and its far-reaching impacts, the way you run your facility has changed. Along with this change comes an increase in expenditures. To ensure that your facility is getting much needed financial relief and being properly reimbursed for the full impact of COVID-19, we recommend tracking your expenditures related to the coronavirus. Expenditures related to COVID-19 go beyond the cost of additional Personal Protective Equipment (PPE); they will likely include additional direct care staffing, along with housekeeping, dietary and laundry staffing, and supplies needed to maintain the heightened level of hygiene required to combat the spread of COVID-19 in your facility.

CMS issues waiver of 3-Day Stay and Spell of Illness
On March 14, Centers for Medicare and Medicaid Services (CMS) issued two waivers to aid skilled nursing facilities in addressing the national COVID-19 outbreak. CMS is waiving both the 3-Day Stay and Spell of Illness requirements. Read the COVID-19 Emergency Declaration.

Key provisions to consider with regard to the 3-midnight qualifying stay requirement:

  • The exception applies to traditional Medicare coverage only (Medicare Advantage plans may or may not follow this exception);
  • It is in effect as of March 1, 2020, and will only be in effect while a public health emergency is declared;
  • It applies only to beneficiaries affected by the emergency or who experience dislocations;
  • Providers have to document medical necessity and clinical reasons for not meeting the 3-midnight requirement, understanding that the intent of this provision is to free up hospital beds and reduce potential risk of exposure to the patient;
  • Providers are to use condition code “DR” on the claims.

Read additional AHCA clarifications and guidance regarding the waivers of 3-Day Stay and Spell of Illness requirements.

MDS completion and submission waivers
CMS is waiving 42 CFR 483.20 to provide relief to SNFs on the timeframe requirements for Minimum Data Set (MDS) assessments and transmissions. CMS has yet to issue technical guidance on how to implement.

On March 22, 2020, CMS announced temporary administrative burden relief related to Quality Reporting which includes certain SNF-specific changes:

  • Quality Reporting Program (QRP) April/May deadline for 10/1/19 - 12/31/19 data submission is optional for those facilities that have not yet submitted data;
  • Facilities do not need to submit 1/1/20 - 6/30/20 data for purposes of compliance with QRP;
  • CMS will not use any data for the first 2 quarters of 2020, 1/1/20 - 6/30/20, in its calculations;
  • Claims for 1/1/20 - 6/30/20 will be excluded from calculation of all-cause readmission measures that result in value-based purchasing adjustments.

Read the full CMS press release.

Families First Coronavirus Response Act (FFCRA)
On March 18, 2020, the President signed into law H.R. 6201, the Families First Coronavirus Response Act. The legislation eliminates patient cost-sharing for COVID-19 testing and related services, establishes an emergency paid leave program, and expands unemployment and nutrition assistance. Moreover, the bill provides a temporary 6.2% increase in Federal Medical Assistance Percentages (FMAP) for each calendar quarter occurring during an emergency period.

FMAP is the federal portion of funds for state Medicaid programs. With this temporary increase states can use the increased federal funds for any portion of the state Medicaid program. Due to significant increases in unemployment from business closures, the increase may be used to provide Medicaid coverage for the newly unemployed and uninsured. This would result in less funding for provider rate increases to cover COVID-19 related costs. However, on March 21, 2020, the federal government also announced that it is considering a special enrollment period for Affordable Care Act Health Insurance Exchange coverage. A special enrollment period would offer lower cost coverage to individuals with reduced incomes and could influence how the FMAP increase will be used, possibly resulting in more being allocated to covering provider rates. As of today, it is still unclear how states will use the increased funds.

A table released by AHCA on March 14, 2020, provides estimates of the increase in Federal Medicaid funding from FMAP assuming the increase is in effect January through December 2020. 

There are two provisions of the FFCRA that deal with paid leave provisions for employees. BerryDunn's employee benefits consultants provide insight and clarity on the paid leave provisions for employees.

Prioritization of survey activities
CMS released guidance prioritizing and suspending most federal and state survey agency (SSA) surveys, and delaying revisit surveys, for the next three weeks beginning on March 20, 2020, for all nursing homes. Standard surveys and non-Immediate Jeopardy (IJ) related onsite surveys will be suspended for three weeks. Complaints and facility-reported incidents that are considered at the IJ level will be conducted during this time. Facilities are encouraged to use the CDC-developed COVID-19 Focused Survey for Nursing Homes. Get additional CMS guidance.

Coronavirus Aid, Relief, and Economic Security (CARES) Act
On March 25, 2020, the US Senate unanimously approved the $2 trillion CARES Act (The “Act”). It is anticipated that the House of Representatives will vote on the Act today, March 27, 2020. The White House has signaled that it will sign the measure as approved by the Senate. 

Major provisions of the proposed legislation include:

  • The Medicare 2% sequester will be temporarily suspended starting in late May 2020. 
  • $150 million for modifications of existing hospital, nursing home, and “domiciliary facilities” undertaken as part of COVID-19 response.
  • $65 million for housing for the elderly and people with disabilities for rental assistance, service coordinators and support services for the more than 114,000 affordable households for the elderly, and more than 30,000 affordable households for low-income people with disabilities.
  • $2.8 million to provide staff treating veterans living at Armed Forces Retirement Homes with the personal protective equipment they need. The funding provides this and other necessary equipment and staffing support to help minimize the spread of the coronavirus among residents.
  • $955 million for the Administration for Community Living to support nutrition programs, home- and community-based services, support for family caregivers, and expand oversight and protections for seniors and individuals with disabilities.
  • $200 million for the Centers for Medicare & Medicaid Services to assist nursing homes with infection control and support states’ efforts to prevent the spread of the coronavirus in nursing homes.

Practical tips for monitoring and maintaining your organization’s financial health 
As we navigate these next few months, facilities will face challenges to maintain the health and safety of their residents and staff as well as the financial health of the organization. Some things you should be doing now:

  • Calculate your working capital and cash position weekly or bi-weekly.
  • Perform cash flow projections for the next few months. Be sure the timing of your cash receipts will cover payroll and supplies expenditures each week. 
  • Contact your lenders to obtain or increase available working capital lines of credit.
  • Ascertain if you can release any investment balances if needed.


We are here to help
Please contact the BerryDunn senior living team if you have any questions, or would like to discuss your specific situation.

Blog
Senior living organizations and COVID-19

Read this if you are a solar investor, developer, or installer.

The Investment Tax Credit and Residential Energy Credit were originally established to promote investment in renewable energies. These credits are available to taxpayers who install solar equipment to generate electricity for either a commercial or residential property. The credits have different origins within the Internal Revenue Code but are very similar with respect to how they are calculated. 

The starting point is to determine what property is eligible, typically by reviewing the equipment, materials, and labor costs. Qualified property is defined within the Code and while there are several years of judicial history further clarifying what is eligible, there is one unsettled question routinely asked: Can we include the entire cost of a roof replacement?

To answer that question, we look to each of the separate Code sections establishing the credits, Section 48–Commercial Energy Credit and Section 25D–Residential Energy Credit. The credits afforded by these sections are available for a variety of renewable energy properties, but for this discussion we will focus specifically on the solar property provisions.

Solar property provisions

The Section 48 definition of qualified property includes “equipment which uses solar energy to generate electricity, to heat or cool (or provide hot water for use in) a structure, or to provide solar process heat….” The regulations further define solar energy property as “equipment that uses solar energy to generate electricity, and includes storage devices, power conditioning equipment, transfer equipment, and parts relating to the functioning of those items.” 

Essentially, all costs to acquire and install the equipment used to generate electricity to the point of either transmitting it or consuming it would be eligible for the credit.

Section 48 Regulations state that building and structural components generally are not qualified property for the credit. An exception was provided by Revenue Ruling 79-183, allowing structural components to the extent that they are specifically engineered to be part of the machinery and equipment. Two significant private letter rulings have also been issued to address whether a roof would be treated as qualified solar property based on these limitations, and to what extent.

In PLR 201121005, issued in May 2011, the IRS ruled that the roof was qualified property but the qualified cost did not include the portion that performs the normal functions of a roof. This follows Regulation Section 1.48-9(k), which permits only the “incremental cost” over what would have been spent if the roof were replaced with no qualified property. The facts in this ruling did not include the type of solar power system and how it was integrated with the roof, which left many questions unanswered until PLR 201523014 was issued in June 2015.

The 2015 ruling addressed solar property that included a reflective roof membrane to generate electricity from the underside of the roof-mounted solar panels. The reflective roof was clearly integrated with the solar power system and the process of generating electricity. The IRS again ruled that qualified property included only the portion of the reflective roof that exceeded the cost of reroofing the building with a non-reflective roof.

The IRS has consistently held that only the “incremental cost” of the roof installation may qualify as solar energy property if it is integrated with the machinery and equipment. 

The Section 25D definition of qualified expenses includes “property which uses solar energy to generate electricity for use in a dwelling unit located in the United States and used as a residence by the taxpayer.” The Section identifies qualified costs for labor and solar panels and specifically states, “no expenditure relating to a solar panel or other property installed as a roof (or portion thereof) shall fail to be treated as qualified property solely because it constitutes a structural component…”

Unlike the Section 48 Commercial Energy Credit, the Section 25D Residential Energy Credit has little guidance on whether the entire cost of a roof would be allowed as qualified solar property. If the IRS were consistent in application, they would follow the “incremental cost” regulations that apply to non-residential projects.

Determining qualifying machinery and equipment costs is critical to maximizing the commercial or residential energy credit. 

BerryDunn has the expertise to review the project costs and provide a cost certification for what qualifies. We can identify any portion of the roof that may be eligible. If you have questions or would like to discuss whether there may be an opportunity for your project, please don’t hesitate to call us.
 

Blog
The Investment Tax Credit and roof replacement

Editor’s note: Read this if you are a Chief Executive Officer, Chief Financial Officer, Chief Risk Officer, Chief Information Officer, or Controller.

Last month, the Office of the Comptroller of the Currency (OCC) issued its Semiannual Risk Perspective for Fall 2019. The report addresses key issues facing banks and focuses on those that pose threats to their safety and soundness. According to the report:

  • Bank financial performance is strong due to a favorable credit environment and the longest economic expansion in U.S. history.
  • Capital levels have reached historical highs.
  • Return on equity was above its 2006 pre-crisis level for the first time at 12.7%.
  • Net income grew 8.22% from the same period a year ago; however, net interest income grew only 4%, as loan growth is below historical averages and an increasing number of banks are facing a flat or declining net interest margin.
  • There is continued weakness in residential and commercial real estate loan growth.
  • Delinquent and nonperforming loans remain below their long-term averages.


Banks can thrive even with economic uncertainty

While these trends indicate that 2019 was by and large an excellent year, banks cannot afford to be complacent, as 2019 also saw increasing risks to the industry. For instance, in 2019 there was much discussion of the future cessation of the London Interbank Offered Rate (LIBOR). The OCC has indicated it will increase its regulatory oversight regarding the anticipated cessation, to ensure banks assess their exposure to LIBOR and are appropriately planning their transition from the widely used benchmark rate. The Financial Accounting Standards Board (FASB) is also working on a project to address accounting issues that could arise from the transition from LIBOR.

And, although 2019 continued the longest economic expansion in US history, economic uncertainty exists due to, in part, the US-China trade conflict and ongoing Brexit discussions. This economic uncertainty has caused volatility in the interest rate environment. Aside from the yield curve inverting in 2019, banks also saw the Federal Funds target rate increase 25 basis points prior to decreasing 50 basis points. Given the typically asset-sensitive nature of banks’ balance sheets, the current interest rate environment will also put pressure on net interest margins. The current volatility of interest rates has caused the OCC to conclude interest rate risk is currently at heightened levels. 

Net interest income continues to be the most significant driver of net revenues for community banks, comprising nearly 80% of net revenues. With a difficult interest rate environment and lackluster loan growth in residential and commercial real estate, banks may face a difficult path ahead. Banks should tread cautiously, especially if this uncertainty persists. Asset-liability management will need to be a significant focus (more than usual) as banks try to position themselves to not only maintain profitability through this uncertainty, but also come out stronger than before. Specifically, if lower rates persist, asset growth will need to be a priority over deposit growth to maintain profitability at lower net interest margins. If loan growth continues to wane, this will prove to be difficult.

Innovations to compete with new lending sources

Adding to the list of threats to performance is the increasing amount of alternative financial resources available to borrowers. Banks have traditionally been the only source of credit for borrowers. However, technology has rapidly changed that landscape. Person-to-person (P2P) lending (also known as crowd lending, or social lending), allows people to borrow funds directly from another person, cutting out traditional lending sources (banks). Additionally, blockchain technology, if the hype is accurate, has the potential to eliminate the need of a financial intermediary altogether. 

Banks are adapting to this competition and to customers looking for more convenience and alternative services by offering new, unique services that differentiate themselves from others and provide added value to the customer. Banks have delivered through remote deposit, ATMs, and interactive teller machines (ITMs). Banks will need to continue to adopt innovative services to remain competitive. 

For instance, banks could offer video conferencing services, in which customers could have a live conversation with a bank representative through their smartphone. This convenience would allow a customer to conduct a transaction, such as apply for a loan, from the convenience of their home, while still maintaining human interaction throughout the transaction. Such a service would help banks compete with digital channels offered by non-banks, such as Quicken Loans, which is now the largest mortgage originator in the United States.

Strategies to protect against technological risks

These services all require the use of existing and new technologies, which have caused banks to hold more personally identifiable information (PII) digitally across an increasing number of digital platforms. As noted by the OCC, this digital exposure has created persistent cybersecurity risks for banks. Adopting a robust cybersecurity framework is no longer an option. 

Banks should bring cybersecurity to the forefront of their strategic planning. Any strategic plan must consider cybersecurity implications, as a single disaster can be detrimental to a bank’s reputation. And, given this rapidly changing environment, the cybersecurity conversation must be ongoing through relevant bank committees and the board of directors.

Furthermore, these technological solutions require partnerships with businesses that banks would not traditionally partner with. Financial technology (fintech) companies are not just competitors to traditional banks. Many fintech companies are offering their technological solutions to traditional banks. However, outsourcing technological solutions to fintech companies and other businesses does not relieve a bank from performing its own due diligence and ensuring those companies meet the bank’s standards. 

Banks should evaluate potential vendors to ensure they comply with the bank’s vendor management policy. Since environments are constantly changing, this evaluation should be ongoing. Many vendors now provide System and Organization Controls (SOC) reports, which detail the control environment at the vendor and involve independent third-party testing of the controls that exist at the vendor. SOC reports can provide a useful starting point for evaluating a vendor’s ongoing compliance with the bank’s vendor management policy. However, they are not a substitute for ongoing communication with a vendor.

There is no doubt 2019 was a successful year for banks. But past performance is not a guarantee of future success. Banks face many challenges, risks, and uncertainties, of which only a few have been outlined above. The current landscape may be challenging but it is also filled with opportunity. Banks should consider expanding their services, adopting new technologies, and partnering with other companies to leverage their strengths. Doing so should help position themselves for an exciting decade ahead.

If you have specific concerns about challenges facing your institution, please contact the team.

Blog
Banking and finance: 2020 challenges and what to do to overcome them

Editor's note: Read this if you are a current or future owner of solar or other renewable energy equipment, or a solar investor, developer, or installer.

Maine LD 1430: An opportunity for businesses with solar energy systems

In 2019, Maine passed bill LD 1430, which introduces a solar tax exemption for both business and residential owners enabling renewable energy adopters to save money―while adding real value to their property and assets. As our experience in Massachusetts has shown, eligible businesses should take advantage of these types of laws, as you can reduce your property tax assessment by the value of your solar or wind energy equipment.  

Let’s look at a simple example assuming a $20 mill rate and a business owner who owns land and installs a large commercial solar energy system on it to meet the electrical demand of his business:   

Land                                                      50,000
Solar Equipment                                          200,000
LD 1430 Property Tax Exemption for solar equipment      (200,000)
Net Property valuation                                    50,000
Property Tax                                               1,000
Property Tax without LD 1430                               5,000
Annual Savings                                             4,000

Standardized valuation methodology provides clear guidance for taxpayers

In December, the Maine Revenue Service expanded on the bill by providing standardized solar valuation methodology. It provides much-needed guidance to municipalities on how to assess property tax on solar equipment, helps prevent over taxation of businesses, and streamlines the process for applying for the solar property tax exemption. 

Solar tax exempt laws in other states

Maine was not the first state to enact this type of legislation to help improve renewable energy adoption in the commercial space, nor will it be the last. Massachusetts, among others, has a similar law on the books, which allows for an exemption on solar or wind equipment used to supply the energy needs of a taxable property. Over the past few years, many of our clients in Massachusetts have taken advantage of the exemption, and have saved thousands of dollars doing so. 

Not surprisingly, Massachusetts has seen strong growth in renewable energy in the commercial sector. According to the Massachusetts Clean Energy Center, Massachusetts went from a few hundred solar energy systems in 2006 to nearly 100,000 in 2018. Other states have also enacted this type of legislation. In fact, all but 12 states have enacted some form of solar tax exemption laws.  

Looking ahead

This law and others like it will continue to help renewable energy projects get off the ground. As the number of solar projects increases, so too does the ability to create more opportunity. 

We’ve been working with Massachusetts providers for many years, helping our clients grow as the market has been maturing. For more information on how we can help you in Maine (or other states) take advantage of these exemptions, please contact the renewable energy team.  

The Maine Revenue Service is planning to release a standard application for the property tax exemption in the coming weeks. Please stay tuned for updates.  

Blog
Maine adopts solar property tax exemptions

Read this if you are a solar investor, developer, or installer.

After a recent article where we highlighted some of the major points of the ITC safe harbor, we received many calls and e-mails looking for clarification on some of the related issues. In working to answer these questions we teamed up with Klavens Law Group, P.C., a Boston law firm that specializes in clean energy. Together with Brendan Beasley and Jon Klavens we have compiled a list of frequently asked questions that may be helpful as you navigate the last few weeks of the year. 

Q: My project is not ready for construction due to a pending decision on a land use permit. How can I minimize capital expenditure while still qualifying the project for the 5% safe harbor?
A: There are a couple of approaches you as a taxpayer can take. First, if this project is among several in your portfolio, you can pay or incur expenses prior to December 31, 2019 for enough safe harbor equipment under a single binding contract to qualify each project in your portfolio and retain flexibility to allocate that equipment. Applying the master contract approach (per Section 7.03(2) of IRS Notice 2018-59), you would then transfer equipment, even after December 31, 2019, to affiliate special purpose entities under a second binding contract. Second, you can enter into a binding contract that is subject to a condition, applying section (ii)(B) of the “binding contract” definition at 26 CFR Section 1.168(k)-1(b)(4). In this case, the condition would be the project receiving the land use permits and clearing any related appeals period. Under this approach you would still need to pay or incur―or have your EPC contractor pay or incur under the look-through rule―at least 5% of the project’s depreciable cost basis by December 31, 2019. A limitation on this approach is that, if the condition is not likely to be satisfied within three-and-a-half months of the date of your binding contract, either you or your EPC contractor (applying the look-through rule) must take delivery of the equipment while the condition―and presumably the viability of the project―is still open and uncertain. 

Q: Can I finance a purchase of safe harbor equipment for my project?
A: Yes; however, you can’t use vendor financing. 

Q: I have a project that will be ready to construct in Q2 2020. The project company will execute a binding EPC agreement by December 31, 2019 that includes a procurement component. It will make an initial milestone payment of 7% upon execution. Does my project qualify for the 5% safe harbor?
A: Maybe. There is not enough information here to confirm. As taxpayer you must pay or incur expenses amounting to at least 5% of the total cost of the energy property prior to December 31, 2019, and must take delivery within three-and-a-half months from the date of payment under your binding contract. So the critical question here is what your EPC contractor is doing with that 7% payment. Here are some possible outcomes:

  • The EPC contractor purchases inverters on December 31, 2019 pursuant to a binding contract with a vendor. Applying the look-through rule, the safe harbor is satisfied.
  • The EPC contractor self-constructs a specialized racking system in January 2020, per your EPC agreement, and delivers it to you within three-and-a-half months of the binding contract. The safe harbor is satisfied.
  • The EPC contractor prepares 10% construction drawings and applies for a building permit, each at nominal cost, and holds your 7% payment while waiting for module prices to come down. The safe harbor is not satisfied.
  • The EPC contractor allocates its previously purchased inverters to your project, per your EPC agreement, holding them in its warehouse until May 2020 before delivering them to your site. The safe harbor is likely satisfied. Applying the look-through rule, the EPC contractor’s purchase of the inverters pursuant to a binding contract in 2019 (even if prior to the EPC agreement) will qualify the inverters for safe harbor purposes. The EPC contractor must take steps to identify and segregate the particular inverters within its warehouse.

Q: Can I sell safe-harbored equipment?
A: The buyer of your equipment (unless it is an affiliate) may not utilize the safe harbor unless you are selling the equipment together with the solar project. If, for example, your sale also includes a site lease and a PPA, the purchaser would receive the benefit of the safe harbor. In certain circumstances, you may also be able to become an affiliate of a project LLC by acquiring a membership interest of at least 20% and make an in-kind contribution of the safe-harbored equipment to the project LLC.           

Q: Can I satisfy the physical work test by building roads within my site?
A: Yes; however, the roads must be integral to the energy property. An access road would likely not be interpreted as integral to the property. However, roads used for purposes of operations and maintenance activity―within the area of the facility itself―are considered integral to the energy property.

Q: What constitutes work of a physical nature?
A: This is really open to a facts-and-circumstances interpretation. The IRS notice instructions referenced previously indicate some specific activities that do not qualify, but there is no quantification of how much of a qualifying activity must be done in order to satisfy the safe harbor requirement. Preliminary planning and site work do not count. But starting construction would, so you could satisfy the requirement with excavation for a foundation, drilling for moorings, pouring concrete, etc. The best bet would be to actually put up a section of panels.

Q: What is the continuing work requirement?
A: There is an additional safe harbor that says if your project is placed in service within four years of the end of the calendar year in which you started it, you will have automatically met the continuous work requirement. If your project goes beyond that, you will need to present facts and circumstances showing you were taking steps to continue working towards completing the project. For example, if the delay was due to a delay in getting interconnected, be prepared to show documentation that you were continuously working towards resolving that issue.

Unless there are changes to the current tax law, these same provisions will be in effect for each step of the phase-out through the end of 2023. If you have further questions, please contact a member of our renewable energy team.

Please note that this Q&A, which may be considered advertising under the ethical rules of certain jurisdictions, is provided with the understanding that it does not constitute the rendering of legal advice or other professional advice by Klavens Law Group, P.C. or its attorneys. Please seek the services of a competent professional if you need legal or other professional assistance.

Blog
ITC safe harbor frequently asked questions

Read this if you are a solar investor, developer, or installer.

With December well under way, thoughts turn to year-end and tax filing preparation. While we get many questions this time of year related to changes in the tax law and what taxpayers can do before the end of the year to minimize their tax burden, different this year is the impending phase-out of the Investment Tax Credit (ITC) and Residential Energy Credit (REC) from 30% to 26%. 

Last month, we gave some pointers on the safe harbor provision available for the Investment Tax Credit which would allow qualifying projects to still be eligible for the 30% credit after the end of the year. No such provision exists for the residential credit, however, and any project not complete by 12/31/19 (and completed in 2020) will receive the reduced 26% credit.

The phase-out was designed to coincide with the projected decline in solar costs, and would help smooth the transition to a market where solar competes directly with fossil fuels for energy production. Since then, we have seen component costs increase due to artificially inflated prices resulting from the tariffs imposed on imported goods. This results in a mismatch on the timing of the phase-out to the cost of the materials, a still immature market for solar, and a missed opportunity. Enter a new bill in the House of Representatives.

Growing Renewable Energy and Efficiency Now Act

On November 19, 2019, Chairman Thompson of the House Ways and Means Subcommittee released a discussion draft of a bill titled the Growing Renewable Energy and Efficiency Now (“GREEN”) Act. This draft bill is not ready for a vote yet, but does promote an extension and/or expansion of tax incentives for taxpayers investing in cleantech. With the GREEN Act, solar investors, installers, and other related businesses would benefit from:

  • Revival and extension of the Production Tax Credit (PTC) through 2024
  • Delay of the ITC and REC phaseout until 2024
  • Expansion of the ITC to include additional technologies, most notably energy storage
  • A provision allowing the taxpayer to receive the ITC or PTC as a refund in the year it is claimed for a 15% reduction in the value of the credit

A delay in the phase-out would allow time for the costs of components to return to pre-tariff levels and help achieve the original intention of the phase-out. The expansion of the ITC to include energy storage would be a huge boon to that emerging market, and provide an additional incentive for consumers to install storage on an existing project―creating a more efficient energy grid. 

Currently, due to accelerated depreciation, many taxpayers are not able to take the ITC or PTC in the first year due to not having a tax to offset. Allowing for the option to treat the ITC or PTC as a tax payment (which can be refunded) instead of a credit (which can’t) would help investors realize their return much faster and free up capital to invest in other projects. 

Some of these provisions are fairly aggressive, and it is unlikely that they will all remain as they are now in any future passed legislation. However, it is promising to see the House of Representatives considering these types of extensions and expansions when it comes to clean energy incentives. As renewable energy is still a relatively new and rapidly changing marketplace, this is a prime time for renewable energy professionals to keep representatives informed of what they need to help the industry continue to grow. 

Stay tuned, and please contact Mark Vitello if you have any questions or need more information.
 

Blog
The GREEN Act―a ray of hope for the solar carve out and the ITC?

Read this if you are a solar investor, developer, or installer.

The solar carve out of the Investment Tax Credit (ITC) has been a great incentive for taxpayers to invest in solar assets over the last several years. It established an increased 30% tax credit for solar assets placed in service, up from the normal 10%. 

Starting January 1, 2020, the solar carve out will begin to phase out and will return to 10% by January 1, 2024. 

With the first phase-out of the ITC set to drop the credit from 30% to 26% after December 31, 2019, many taxpayers are evaluating ways to make sure their project still qualifies for the 30% credit. The IRS has issued two safe harbor provisions (IRS Notice 2018-59) to allow for projects placed in service after December 31, 2019 and before January 1, 2024 to still qualify for the 30% credit, but timing is key and certain actions must be taken before midnight on December 31, 2019.

Safe harbor methods

The two safe harbor methods are the Physical Work Test and the Five Percent of Cost Test. If a project satisfies either of these tests it can still qualify for the 30% tax credit as long as it is completed and in service before January 1, 2024.

The Physical Work Test requires that the taxpayer performs, or has performed on their behalf, “work of a significant nature” on the project prior to December 31, 2019. This is a little open to interpretation, but generally involves physical construction of the asset, such as the installation of mounting equipment, rails, racking, inverters, or even the panels themselves. Purchasing of equipment generally held in inventory by either the taxpayer or the vendor does not qualify. However, if the equipment is customized or specially designed for the specific project, it might. Preliminary activities do not qualify, which include planning, designing, surveying, and permitting. 

In general, the purpose of this test is to prove that construction has already begun, and is in place to help projects that have been started but won’t be in service before year end still maintain the 30% tax credit. Projects that are substantially complete and waiting for an interconnection or a permission to operate in order to be considered as in service will most easily qualify for this safe harbor test.

The Five Percent of Cost Test is a little more straightforward, and is likely to be more commonly used to qualify projects for the safe harbor provision as the end of the year deadline approaches. This test requires at least five percent of the total project cost be paid or incurred before December 31, 2019. It is important to note that the denominator in this test is the final total cost of the project when it goes in service. The taxpayer may wish to pay more than the five percent to account for project overruns or unanticipated changes to the project in order to make sure they maintain the qualification for safe harbor. 

Another consideration is whether the taxpayer files on the cash or accrual method, as the chosen filing method determines whether the project cost needs to be paid or incurred.

In either case, the taxpayer should also evaluate the cost of prepaying for equipment that may decrease in cost in the future, compared to the benefit they will receive in maintaining the additional four percent of the tax credit that the safe harbor preserves from the phase-out. 

Additionally, an analysis of total project costs and eligible vs. ineligible ITC costs early on in project development can help identify how best to spend the cash before the end of the year, and ensure that the taxpayer receives the return they require once the project goes into service.

Have questions?

If you have questions on these safe harbors or need more information, please contact the green tax experts on our renewable energy team.

Blog
Safe harbor options for taxpayers as the solar ITC begins to sunset

Editor's note: read this blog if you are a state liquor administrator or at the C-level in state government. 

Surprisingly, the keynote address to this year’s annual meeting of the National Alcohol Beverage Control Association (NABCA) featured few comments on, well, alcohol. 

Why? Because cannabis is now the hot topic in state government, as consumers await its legalization. While the thought of selling cannabis may seem foreign to some state administrators, many liquor agencies are―and should be―watching. The fact is, state liquor agencies are already equipped with expertise and the technology infrastructure needed to lawfully sell a controlled substance. This puts them in a unique position to benefit from the industry’s continued growth. Common technology includes enterprise resource planning (ERP) and point-of-sale (POS) systems.

ERP

State liquor agencies typically use an ERP system to integrate core business functions, including finance, human resources, and supply chain management. Whether the system is handling bottles of wine, cases of spirits, or bags of cannabis, it is capable of achieving the same business goals. 

The existing checks and balances on controlled substances like alcohol in their current ERP system translate well to cannabis products. This leads to an important point: state governments do not need to procure a new IT system solely for regulating cannabis.

By leveraging existing ERP systems, state liquor agencies can sidestep much of the time, effort, and expense of selecting, procuring, and implementing a new system solely for cannabis sales and management. In control states, where the state has exclusive control of alcohol sales, liquor agencies are often involved in every stage of the product lifecycle, from procurement to distribution to retailing.

With a few modifications, the spectrum of business functions that control states require for liquor—procuring new product, communicating with vendors and brokers, tracking inventory, and analyzing sales—can work just as well for cannabis.

POS

POS systems are necessary for most retail stores. If a state liquor agency decides to sell cannabis products in stores, they can use a POS system to integrate with the agency’s ERP system, though store personnel may require training to help ensure compliance with related regulations.

Cannabis is cash only (for now)

There is one major difference in conducting liquor versus cannabis sales at any level: currently states conduct all cannabis sales in cash. With cannabis illegal on the federal level, major banks have opted to decline any deposit of funds earned from cannabis-related sales. While some community banks are conducting cannabis-related banking, many retailers selling recreational cannabis in places like Colorado and California still deal in cash. While risky and not without challenges, these transactions are possible and less onerous to federal regulators. 

Taxes 

As markets develop, monthly tax revenue collections from cannabis continue to grow. Colorado and California have found cannabis-related tax revenue a powerful tool in hedging against uncertainty in year-over-year cash flows. Similar to beer sold wholesale, which liquor agencies tax even in control states, cannabis can be taxed at multiple levels depending on the state’s business model.

E-commerce

Even with liquor, few state agencies have adopted direct-to-consumer online sales. However, as other industries continue shifting toward e-commerce and away from brick and mortar retailing, private sector competition will likely feed increased consumer demand for online sales. Similar to ERP and POS systems, states can increase revenue by selling cannabis through e-commerce sales channels. In today’s online retail world, many prefer to buy products from their computer or smart phone instead of shopping in stores. State agencies should consider selling cannabis via the web to maximize this revenue opportunity. 

Applying expertise in the systems and processes of alcoholic beverage control can translate into the sale and regulation of cannabis, easing the transition states face to this burgeoning industry. If your agency is considering bringing in cannabis under management, you should consider strategic planning sessions and even begin a change management approach to ensure your agency adapts successfully. 

Blog
Considering cannabis: How state liquor agencies can manage the growing industry

A version of this article was previously published on the Massachusetts Nonprofit Network

Editor’s note: while this blog is not technical in nature, you should read it if you are involved in IT security, auditing, and management of organizations that may participate in strategic planning and business activities where consideration of compliance and controls is required.

As we find ourselves in a fast-moving, strong business growth environment, there is no better time to consider the controls needed to enhance your IT security as you implement new, high-demand technology and software to allow your organization to thrive and grow. Here are five risks you need to take care of if you want to build or maintain strong IT security.

1. Third-party risk management―It’s still your fault

We rely daily on our business partners and vendors to make the work we do happen. With a focus on IT, third-party vendors are a potential weak link in the information security chain and may expose your organization to risk. However, though a data breach may be the fault of a third party, you are still responsible for it. Data breaches and exposure of customer information may occur, leaving you to give customers and clients answers and explanations you may not have.

Though software as a service (SaaS) providers, along with other IT third-party services, have been around for well over a decade now, we still neglect our businesses by not considering and addressing third-party risk. These third-party providers likely store, maintain, and access company data, which could potentially contain personally identifiable information (names, social security numbers, dates of birth, addresses), financial information (credit cards or banking information), and healthcare information of your customers. 

While many third-party providers have comprehensive security programs in place to protect that sensitive information, a study in 2017 found that 30% of data breaches were caused by employee error or occurred while the data was under the control of third-party vendors.[1] This study reemphasizes that when data leaves your control, it is at risk of exposure.

In many cases, procurement and contracting policies already put language in contracts that establishes IT security requirements for third parties; however, those requirements are often not enforced, or the supporting documentation is collected, put in a file, and not reviewed. What can you do about it?

Improved vendor management

It is paramount that all organizations (no matter their size) have in place a comprehensive vendor management program that goes beyond contracting requirements to defend themselves against third-party risk. Such a program includes:

  1. An inventory of all third-parties used and their criticality and risk ranking. Criticality should be assigned using a “critical, high, medium or low” scoring matrix. 
  2. At time of onboarding or RFP, develop a standardized approach for evaluating if potential vendors have sufficient IT security controls in place. This may be done through an IT questionnaire, review of a System and Organization Controls (SOC) report or other audit/certifications, and/or policy review. Additional research may be conducted that focuses on management and the company’s financial stability.
  3. As a result of the steps in #2, develop a vendor risk assessment using a high, medium and low scoring approach. Higher risk vendors should have specific concerns addressed in contracts and be subject to more in-depth annual due diligence procedures.
  4. Reporting to senior management and/or the board annually on the vendors used by the organization, the services they perform, their risk, and ways the organization monitors the vendors. 

2. Regulation and privacy laws―They are coming 

2018 saw the implementation of the European Union’s General Data Privacy Regulation (GDPR), which was the first major data privacy law pushed onto any organization that possesses, handles, or has access to the personal information of any EU citizen. Enforcement has started and the Information Commissioner’s Office has begun fining some of the world’s most famous companies, including substantial fines to Marriott International and British Airways of $125 million and $183 million Euros, respectively.[2] Gone are the days where regulations lacked the teeth to force companies into compliance.

Thanks to other major data breaches in which the private information of hundreds of millions of consumers was lost or obtained (e.g., Experian), more regulation is coming. Although there is little expectation of an American federal requirement for data protection, individual states and other regulating organizations are introducing requirements. Each new regulation seeks to protect consumer privacy, but the specifics and enforcement of each differ.

Expected to be most impactful in 2019 is the California Consumer Privacy Act, which applies to organizations that handle, collect, or process consumer information and do business in the state of California (you do not have to be located in CA to be under the umbrella of enforcement).

In 2018, Maine passed the toughest law on telecommunications providers for selling consumer information. Massachusetts’ long-standing privacy and data breach laws were amended with stronger requirements in January of 2019. Additional privacy and breach laws are in discussion or on the table for many states including Colorado, Delaware, Ohio, Oregon, Vermont, and Washington, amongst others.

Preparation and awareness are key

All organizations, no matter their line of business, must be aware of and understand current laws and proposed legislation. New laws are expected to not only address the protection of customer data, but also employee information. All organizations should monitor proposed legislation and be aware of the potential enforceable requirements. The good news is that there are a lot of resources out there and, in most cases, legislative requirements allow for grace periods to allow organizations to develop a complete understanding of proposed laws and implement needed controls.

3. Data management―Time to cut through the clutter 

We all work with people who have thousands of emails in their inbox (in some cases, dating back several years). Those users’ biggest fears may start to come to fruition―that their “organizational” approach of not deleting anything may come to an end with a simple email and data retention policy put in place by their employer. 

The amount of data we generate in a day is massive. Forbes estimates that we generate 2.5 quintillion bytes of data each day and that 90% of all the world’s data was generated in the last two years alone.[3] While data is a gold mine for analytics and market research, it is also an increasing liability and security risk.

Inc. Magazine says that 73% of the data we have available to us is not used.[4] Within that data could be personally identifiable information (such as social security numbers, names, addresses, etc.); financial information (bank accounts, credit cards, etc.); and/or confidential business data. That data is valuable to hackers and corporate spies, and in many cases the data’s existence and location are unknown to the organizations that have it.

In addition to the security risk that all this data poses, it also may expose an organization to liability in the event of a lawsuit or investigation. Emails and other communications are a favorite target of subpoenas and investigations and should be deleted within 90 days (including deleted items folders).

Take an inventory before you act

Organizations should first complete a full data inventory and understand what types of data they maintain and handle, and where and how they store that data. Next, organizations can develop a data retention policy that meets their needs. Utilizing backup storage media may be a solution that helps reduce the need to store and maintain a large amount of data on internal systems. 

4. Doing the basics right―The simple things work 

Across industries and regardless of organization size, the most common problem we see is the absence of basic controls for IT security. Every organization, no matter their size, should work to ensure they have controls in place. Some must-haves:

  • Established IT security policies
  • Routine, monitored patch management practices (for all servers and workstations)
  • Change management controls (for both software and hardware changes)
  • Anti-virus/malware on all servers and workstations
  • Specific IT security risk assessments 
  • User access reviews
  • System logging and monitoring 
  • Employee security training

Go back to the basics 

We often see organizations that focus on new and emerging technologies, but have not taken the time to put basic security controls in place. Simple deterrents will help thwart hackers. I often tell my clients a locked car scares away most ill-willed people, but a thief can still smash the window.

Smaller organizations can consider using third-party security providers, if they are not able to implement basic IT security measures. From our experience, small organizations are being held to the same data security and privacy expectations by their customers as larger competitors and need to be able to provide assurance that controls are in place.  

5. Employee retention and training 

Unemployment rates are at an all-time low, and the demand for IT security experts is at an all-time high. In fact, Monster.com reported that in 2019 the unemployment rate for IT security professionals is 0%.[5]

Organizations should be highly focused on employee retention and training to keep current employees up-to-speed on technology and security trends. One study found that only 15% of IT security professionals were not looking to switch jobs within one year.[6]

Surprisingly, money is not the top factor for turnover―68% of respondents prioritized working for a company that takes their opinions seriously.[6]

For years we have told our clients they need to create and foster a culture of security from the top down, and that IT security must be considered more than just an overhead cost. It needs to align with overall business strategy and goals. Organizations need to create designated roles and responsibilities for security that provide your security personnel with a sense of direction―and the ability to truly protect the organization, their people, and the data. 

Training and support goes a long way

Offering training to security personnel allows them to stay abreast of current topics, but it also shows those employees you value their knowledge and the work they do. You need to train technology workers to be aware of new threats, and on techniques to best defend and protect from such risks. 

Reducing turnover rate of IT personnel is critical to IT security success. Continuously having to retrain and onboard employees is both costly and time-consuming. High turnover impacts your culture and also hampers your ability to grow and expand a security program. 

Making the effort to empower and train all employees is a powerful way to demonstrate your appreciation and support of the employees within your organization—and keep your data more secure.  

Our IT security consultants can help

Ensuring that you have a stable and established IT security program in place by considering the above risks will help your organization adapt to technology changes and create not just an IT security program, but a culture of security-minded employees.

Our team of IT security and control experts can help your organization create and implement controls needed to consider emerging IT risks. For more information, contact the team.
 

Sources:
[1] https://iapp.org/news/a/surprising-stats-on-third-party-vendor-risk-and-breach-likelihood/  
[2] https://resources.infosecinstitute.com/first-big-gdpr-fines/
[3] https://www.forbes.com/sites/bernardmarr/2018/05/21/how-much-data-do-we-create-every-day-the-mind-blowing-stats-everyone-should-read/#458b58860ba9
[4] https://www.inc.com/jeff-barrett/misusing-data-could-be-costing-your-business-heres-how.html
[5] https://www.monster.com/career-advice/article/tech-cybersecurity-zero-percent-unemployment-1016
[6] https://www.securitymagazine.com/articles/88833-what-will-improve-cyber-talent-retention

Blog
Five IT risks everyone should be aware of

Editor’s note: If you are a state government CFO, CIO, project or program manager, this blog is for you. 

This is the second blog post in the blog series: “Procuring Agile vs. Non-Agile Service”. Read the first blog. This blog post demonstrates the differences in Stage 1: Plan Project in the five stages of procuring agile vs. non-agile services.

Overview of Procurement Process for Agile vs. Non-Agile IT Services

What is important to consider in agile procurement?

Here are some questions that can help focus the planning for procurement of IT services for agile vs. non-agile projects.

Plan Project Considerations for Agile vs. Non-Agile IT Services

Why are these considerations important?

When you procure agile IT services, you can define the scope of your procurement around a vision of what your organization intends to become, as opposed to being restricted to an end-date for a final delivery.

In an agile project, you get results iteratively; this allows you to constantly reassess requirements throughout the project, including the project plan, the guiding principles, and the project schedule. Your planning is not restricted to considering the effect of one big result at the end of the project schedule. Instead, your plan allows for sequencing of changes and improvements that best reflect the outcomes and priorities your organization needs.

Since planning impacts the people-aspect of your strategy, it is important to consider how various teams and stakeholders will provide input, and how you will make ongoing communication updates throughout the project. With an agile procurement project, your culture will shift, and you will need a different approach to planning, scheduling, communicating, and risk management. You need to communicate daily, allowing for reviewing and adjusting priorities and plans to meet project needs. 

How do you act on these considerations?

A successful procurement plan of agile IT services should include the following steps:

  1. Develop a project charter and guiding principles for the procurement that reflect a vision of how your organization’s teams will work together in the future
  2. Create a communication plan that includes the definition of project success and communicates project approach
  3. Be transparent about the development strategy, and outline how iterations are based on user needs, that features will be re-prioritized on an ongoing basis, and that users, customers, and stakeholders are needed to help define requirements and expected outcomes
  4. Provide agile training to your management, procurement, and program operation teams to help them accept and understand the project will present deliverables in iterations, to include needed features, functionality and working products
  5. Develop requirements for the scope of work that align with services and outcomes you want, rather than documented statements that merely map to your current processes 

What’s next? 

Now that you have gained insight into the approach to planning an agile project, consider how you may put this first stage into practice in your organization. Stay tuned for guidance on how to execute the second stage of the procurement process—how to draft the RFP. Our intention is that, following this series, your organization will better understand how to successfully procure and implement agile services. If you have questions or comments, please contact our team.
 

Blog
Plan agile projects: Stage 1

Editor’s note: read this if you are a Maine business owner or officer.

New state law aligns with federal rules for partnership audits

On June 18, 2019, the State of Maine enacted Legislative Document 1819, House Paper 1296, An Act to Harmonize State Income Tax Law and the Centralized Partnership Audit Rules of the Federal Internal Revenue Code of 1986.

Just like it says, LD 1819 harmonizes Maine with updated federal rules for partnership audits by shifting state tax liability from individual partners to the partnership itself. It also establishes new rules for who can—and can’t—represent a partnership in audit proceedings, and what that representative’s powers are.

Classic tunes—The Tax Equity and Fiscal Responsibility Act of 1982

Until recently, the Tax Equity and Fiscal Responsibility Act of 1982 (TEFRA) set federal standards for IRS audits of partnerships and those entities treated as partnerships for income tax purposes (LLCs, etc.). Those rules changed, however, following passage of the Bipartisan Budget Act of 2015 (BBA) and the Protecting Americans from Tax Hikes Act of 2015 (PATH Act). Changes made by the BBA and PATH Act included:

  • Replacing the Tax Matters Partner (TMP) with a Partnership Representative (PR);
  • Generally establishing the partnership, and not individual partners, as liable for any imputed underpayment resulting from an audit, meaning current partners can be held responsible for the tax liabilities of past partners; and
  • Imputing tax on the net audit adjustments at the highest individual or corporate tax rates.

Unlike TEFRA, the BBA and PATH Act granted Partnership Representatives sole authority to act on behalf of a partnership for a given tax year. Individual partners, who previously held limited notification and participation rights, were now bound by their PR’s actions.

Fresh beats—new tax liability laws under LD 1819

LD 1819 echoes key provisions of the BBA and PATH Act by shifting state tax liability from individual partners to the partnership itself and replacing the Tax Matters Partner with a Partnership Representative.

Eligibility requirements for PRs are also less than those for TMPs. PRs need only demonstrate “substantial presence in the US” and don’t need to be a partner in the partnership, e.g., a CFO or other person involved in the business. Additionally, partnerships may have different PRs at the federal and state level, provided they establish reasonable qualifications and procedures for designating someone other than the partnership’s federal-level PR to be its state-level PR.

LD 1819 applies to Maine partnerships for tax years beginning on or after January 1, 2018. Any additional tax, penalties, and/or interest arising from audit are due no later than 180 days after the IRS’ final determination date, though some partnerships may be eligible for a 60-day extension. In addition, LD 1819 requires Maine partnerships to file a completed federal adjustments report.

Partnerships should review their partnership agreements in light of these changes to ensure the goals of the partnership and the individual partners are reflected in the case of an audit. 

Remix―Significant changes coming to the Maine Capital Investment Credit 

Passage of LD 1671 on July 2, 2019 will usher in a significant change to the Maine Capital Investment Credit, a popular credit which allows businesses to claim a tax credit for qualifying depreciable assets placed in service in Maine on which federal bonus depreciation is claimed on the taxpayer's federal income tax return. 

Effective for tax years beginning on or after January 1, 2020, the credit is reduced to a rate of 1.2%. This is a significant reduction in the current credit percentages, which are 9% and 7% for corporate and all other taxpayers, respectively. The change intends to provide fairness to companies conducting business in-state over out-of-state counterparts. Taxpayers continue to have the option to waive the credit and claim depreciation recapture in a future year for the portion of accelerated federal bonus depreciation disallowed by Maine in the year the asset is placed in service. 

As a result of this meaningful reduction in the credit, taxpayers who have historically claimed the credit will want to discuss with their tax advisors whether it makes sense to continue claiming the credit for 2020 and beyond.
 

Blog
Maine tax law changes: Music to the ears, or not so much?

Proposed House bill brings state income tax standards to the digital age

On June 3, 2019, the US House of Representatives introduced H.R. 3063, also known as the Business Activity Tax Simplification Act of 2019, which seeks to modernize tax laws for the sale of personal property, and clarify physical presence standards for state income tax nexus as it applies to services and intangible goods. But before we can catch up on today, we need to go back in time—great Scott!

Fly your DeLorean back 60 years (you’ve got one, right?) and you’ll arrive at the signing of Public Law 86-272: the Interstate Income Act of 1959. Established in response to the Supreme Court’s ruling on Northwestern States Portland Cement Co. v. Minnesota, P.L. 86-272 allows a business to enter a state, or send representatives, for the purposes of soliciting orders for the sale of tangible personal property without being subject to a net income tax.

But now, in 2019, personal property is increasingly intangible—eBooks, computer software, electronic data and research, digital music, movies, and games, and the list goes on. To catch up, H.R. 3063 seeks to expand on 86-272’s protection and adds “all other forms of property, services, and other transactions” to that exemption. It also redefines business activities of independent contractors to include transactions for all forms of property, as well as events and gathering of information.

Under the proposed bill, taxpayers meet the standards for physical presence in a taxing jurisdiction, if they:

  1. Are an individual physically located in or have employees located in a given state;
  2. Use the services of an agent to establish or maintain a market in a given state, provided such agent does not perform the same services in the same state for any other person or taxpayer during the taxable year; or
  3. Lease or own tangible personal property or real property in a given state.

The proposed bill excludes from the above criteria taxpayers who have a presence in a state for less than 15 days, or whose presence is established in order to conduct “limited or transient business activity.”

In addition, H.R. 3063 also expands the definition of “net income tax” to include “other business activity taxes”. This would provide protection from tax in states such as Texas, Ohio and others that impose an alternate method of taxing the profits of businesses.

H.R. 3063, a measure that would only apply to state income and business activity tax, is in direct contrast to the recent overturn of Quill Corp. v. North Dakota, a sales and use tax standard. Quill required a physical presence but was overturned by the decision in South Dakota v. Wayfair, Inc. Since the Wayfair decision, dozens of states have passed legislation to impose their sales tax regime on out of state taxpayers without a physical presence in the state.

If enacted, the changes made via H.R. 3063 would apply to taxable periods beginning on or after January 1, 2020. For more information: https://www.congress.gov/bill/116th-congress/house-bill/3063/text?q=%7B%22search%22%3A%5B%22hr3063%22%5D%7D&r=1&s=2
 

Blog
Back to the future: Business activity taxes!

The IRS announced plans to conduct examinations of the universal availability requirements for 403(b) plans (Plans) this summer. Noncompliance with these requirements results in operational errors for Plans―ultimately requiring correction. Plan sponsors should review their Plans for proper inclusion and exclusion of employees. Such review can help you avoid costly penalties if the IRS does conduct an examination and uncovers an issue with the Plan’s implementation of universal availability.

Universal availability requires that, if you permit one employee to make elective deferrals into a 403(b) plan, then all other employees must receive the same opportunity. There are a few exceptions to this rule. Plan sponsors may exclude employees who meet one of the following exceptions:

  • Employees who will contribute $200 annually or less
  • Employees eligible to participate in a § 401(k), 457(b), or other 403(b) plan of the same employer
  • Employees who normally work less than 20 hours per week (the equivalent of less than 1,000 hours in a year)
  • Students performing services described in Internal Revenue Code § 3121(b)(10)

Of these exceptions, errors in applying the universal availability requirements are typically found with the less than 20 hours per week exception. Even if an employee works less than 20 hours per week (essentially a part-time employee), if this employee works 1,000 hours or more, you must allow this employee to make elective deferrals into the Plan. Further, you can’t revoke this permission in subsequent years―once the employee meets the 1,000 hour requirement, they are no longer included in the less than 20 hours per week employee class.

We recommend Plan sponsors review their Plan documents to ensure they are appropriately applying elected eligibility provisions. Further, we recommend Plan sponsors annually review an employee census to ensure those exceptions (listed above) remain appropriate for any employees excluded from the Plan. For instance, if you note that an employee worked 1,000 hours during the year, who was being excluded as part of the “less than 20 hours per week” category, you should ensure you notify this employee of their eligibility to participate in the Plan. In addition, you should retain documentation regarding the employee’s deferral election or election to opt out of the Plan. Such practices will help ensure, if your Plan is selected for IRS examination, it passes with no issues.

For more information: https://www.irs.gov/retirement-plans/403b-plan-fix-it-guide-you-didnt-give-all-employees-of-the-organization-the-opportunity-to-make-a-salary-deferral
 

Blog
Not the summer of love: IRS universal availability examinations

Best practices for financial institution contracts with technology providers

As the financial services sector moves in an increasingly digital direction, you cannot overstate the need for robust and relevant information security programs. Financial institutions place more reliance than ever on third-party technology vendors to support core aspects of their business, and in turn place more reliance on those vendors to meet the industry’s high standards for information security. These include those in the Gramm-Leach-Bliley Act, Sarbanes Oxley 404, and regulations established by the Federal Financial Institutions Examination Council (FFIEC).

On April 2, 2019, the FDIC issued Financial Institution Letter (FIL) 19-2019, which outlines important requirements and considerations for financial institutions regarding their contracts with third-party technology service providers. In particular, FIL-19-2019 urges financial institutions to address how their business continuity and incident response processes integrate with those of their providers, and what that could mean for customers.

Common gaps in technology service provider contracts

As auditors of IT controls, we review lots of contracts between financial institutions and their technology service providers. When it comes to recommending areas for improvement, our top observations include:

  • No right-to-audit clause
    Including a right-to-audit clause encourages transparency and provides greater assurance that vendors are providing services, and charging for them, in accordance with their contract.
  • Unclear and/or inadequate rights and responsibilities around service disruptions
    In the event of a service incident, time and transparency are vital. Contracts that lack clear and comprehensive standards, both for the vendor and financial institution, regarding business continuity and incident response expose institutions to otherwise avoidable risk, including slow or substandard communications.
  • No defined recovery standards
    Explicitly defined recovery standards are essential to ensuring both parties know their role in responding and recovering from a disaster or other technology outage.

FIL-19-2019 also reminds financial institutions that they need to properly inform regulators when they undertake contracts or relationships with technology service providers. The Bank Service Company Act requires financial institutions to inform regulators in writing when receiving third-party services like sorting and posting of checks and deposits, computation and posting of interest, preparation and mailing of statements, and other functions involving data processing, Internet banking, and mobile banking services.

Writing clearer contracts that strengthen your institution

Financial institutions should review their contracts, especially those that are longstanding, and make necessary updates in accordance with FDIC guidelines. As operating environments continue to evolve, older contracts, often renewed automatically, are particularly easy to overlook. You also need to review business continuity and incident response procedures to ensure they address all services provided by third-parties.

Senior management and the Board of Directors hold ultimate responsibility for managing a financial institution’s relationship with its technology service providers. Management should inform board members of any and all services that the institution receives from third-parties to help them better understand your operating environment and information security needs.

Not sure what to look for when reviewing contracts? Some places to start include:

  • Establish your right-to-audit
    All contracts should include a right-to-audit clause, which preserves your ability to access and audit vendor records relating to their performance under contract. Most vendors will provide documentation of due diligence upon request, such as System and Organization Control (SOC) 1 or 2 reports detailing their financial and IT security controls.

    Many right-to-audit clauses also include a provision allowing your institution to conduct its own audit procedures. At a minimum, don’t hesitate to perform occasional walk-throughs of your vendor’s facilities to confirm that your contract’s provisions are being met.
  • Ensure connectivity with outsourced data centers
    If you outsource some or all of your core banking systems to a hosted data center, place added emphasis on your institution’s business continuity plan to ensure connectivity, such as through the use of multiple internet or dedicated telecommunications circuits. Data vendors should, by contract, be prepared to assist with alternative connectivity.
  • Set standards for incident response communications
    Clear expectations for incident response are crucial to helping you quickly and confidently manage the impact of a service incident on your customers and information systems. Vendor contracts should include explicit requirements for how and when vendors will communicate in the event of any issue or incident that affects your ability to serve your customers. You should also review and update contracts after each incident to address any areas of dissatisfaction with vendor communications.
  • Ensure regular testing of defined disaster recovery standards
    While vendor contracts don’t need to detail every aspect of a service provider’s recovery standards, they should ensure those standards will meet your institution’s needs. Contracts should guarantee that the vendor periodically tests, reviews, and updates their recovery standards, with input from your financial institution.

    Your data center may also offer regular disaster recovery and failover testing. If they do, your institution should participate in it. If they don’t, work with the vendor to conduct annual testing of your ability to access your hosted resources from an alternate site.

As financial institutions increasingly look to third-party vendors to meet their evolving technology needs, it is critical that management and the board understand which benefits—and related risks—those vendors present. By taking time today to align your vendor contracts with the latest FFIEC, FDIC, and NCUA standards, your institution will be better prepared to manage risk tomorrow.

For more help gaining control over risk and cybersecurity, see our blog on sustainable solutions for educating your Board of Directors and creating a culture of cybersecurity awareness.
 

Blog
Are your vendor contracts putting you at risk?

Editor’s note: If you are a state government CFO, CIO, project or program manager, this blog is for you.

What is the difference in how government organizations procure agile vs. non-agile information technology (IT) services? (Learn more about agile here).

In each case, they typically follow five stages through the process as shown in Figure A:
 

Figure A: Overview of Procurement Process for Agile vs. Non-Agile IT Services

However, there are differences in how these stages are carried out if procuring agile vs. non-agile IT services. 

Unfortunately, most government organizations are unaware of these differences, which could result in unsuccessful procurements that ultimately fail to meet your project’s needs and expectations.
This blog series will illustrate how to strategically adjust the standard stages outlined in Figure A to successfully procure agile IT services.

Stage 1: Plan project
In Stage 1, you define the scope of the project by identifying what your organization wants, needs, and can achieve within the available timeframe and budget. You then determine the project’s objectives while strategically considering their impact on your organization before developing the RFP. Figure B summarizes the key differences between the impacts of agile vs. non-agile services to consider in this stage.


Figure B: Plan Project for Agile vs. Non-Agile IT Services

The nuances of planning for agile services reflect an organization’s readiness for a culture shift to a continuous process of development and deployment of software and system updates. 

Stage 2: Draft RFP
In Stage 2, as part of RFP drafting, define the necessary enhancements and functionality needed to achieve the project objectives determined in Stage 1. You then translate these enhancements and functionalities into business requirements. Requirement types might include business needs such as functionality, services, staffing, deliverables, technology, and performance standards. Figure C summarizes the key differences between drafting the RFP for a project procuring agile vs. non-agile services.


Figure C: Draft RFP for Agile vs. Non-Agile IT Services

In drafting the RFP, the scope of work emphasizes expectations for how your team and the vendor team will work together, the terms of how progress will be monitored, and the description of requirements for agile tools and methods.

Stage 3: Issue RFP
In Stage 3, issue the RFP to the vendor community, answer vendor questions, post amendments, and manage the procurement schedule. Since this stage of the process requires you to comply with your organization’s purchasing and procurement rules, Figure D illustrates very little difference between issuing an RFP for a project procuring agile or non-agile services.


Figure D: Issue RFP for Agile vs. Non-Agile IT Services 

Stage 4: Review proposals
In Stage 4, you evaluate vendor proposals against the RFP’s requirements and project objectives to determine the best proposal response. Figure E summarizes the key differences in reviewing proposals for a project that is procuring agile vs. non-agile services.


Figure E: Reviewing Proposals for Agile vs. Non-Agile IT Services 

Having appropriate evaluation priorities and scoring weights that align with how agile services are delivered should not be under-emphasized. 

Stage 5: Award and implement contract
In Stage 5, you award and implement the contract with the best vendor proposal identified during Stage 4. Figure F summarizes the key differences in awarding and implementing the contract for agile vs. non-agile services.


Figure F:  Award and Implement Contract for Agile vs. Non-Agile Services 

Due to the iterative and interactive requirements of agile, it is necessary to have robust and frequent collaboration among program teams, executives, sponsors, and the vendor to succeed in your agile project delivery.

What’s next?
The blog posts in this series will explain step-by-step how to procure agile services through the five stages, and at the series conclusion, your organization will better understand how to successfully procure and implement agile services. If you have questions or comments, please contact our team.  

Blog
Procuring agile vs. non-agile projects in five stages: An overview

LIBOR is leaving—is your financial institution ready to make the most of it?

In July 2017, the UK’s Financial Conduct Authority announced the phasing out of the London Interbank Offered Rate, commonly known as LIBOR, by the end of 2021¹. With less than two years to go, US federal regulators are urging financial institutions to start assessing their LIBOR exposure and planning their transition. Here we offer some general impacts of the phasing out, some specific actions your institution can take to prepare, and, finally, background on how we got here (see Background at right).

How will the phase-out impact financial institutions?

The Federal Reserve estimates roughly $200 trillion in LIBOR-indexed notional value transactions in the cash and derivatives market². LIBOR is used to help price a variety of financial services products, including $3.4 trillion in business loans and $1.3 trillion in consumer loans, as well as derivatives, swaps, and other credit instruments. Even excluding loans and financial instruments set to mature before 2021—estimated by the FDIC at 82% of the above $200 trillion—LIBOR exposure is still significant³.

A financial institution’s ability to lend money is largely dependent on the relative stability of its capital position, or lack thereof. For institutions with a significant amount of LIBOR-indexed assets and liabilities, that means less certainty in expected future cash flows and a less stable capital position, which could prompt institutions to deny loans they might otherwise have approved. A change in expected cash flows could also have several indirect consequences. Criticized assets, assessed for impairment based on their expected future cash flows, could require a specific reserve due to lower present value of expected future cash flows.

The importance of fallback language in loan agreements

Fallback language in loan agreements plays a pivotal role in financial institutions’ ability to manage their LIBOR-related financial results. Most loan agreements include language that provides guidance for determining an alternate reference rate to “fall back” on in the event the loan’s original reference rate is discontinued. However, if this language is non-existent, contains fallbacks that are no longer adequate, or lacks certain key provisions, it can create unexpected issues when it comes time for financial institutions to reprice their LIBOR loans. Here are some examples:

  • Non-existent or inadequate fallbacks
    According to the Alternative Reference Rates Committee, a group of private-market participants convened by the Federal Reserve to help ensure a successful LIBOR transition, "Most contracts referencing LIBOR do not appear to have envisioned a permanent or indefinite cessation of LIBOR and have fallbacks that would not be economically appropriate"⁴.

    For instance, industry regulators have warned that without updated fallback language, the discontinuation of LIBOR could prompt some variable-rate loans to become fixed-rate², causing unanticipated changes in interest rate risk for financial institutions. In a declining rate environment, this may prove beneficial as loans at variable rates become fixed. But in a rising rate environment, the resulting shrinkage in net interest margins would have a direct and adverse impact on the bottom line.

  • No spread adjustment
    Once LIBOR is discontinued, LIBOR-indexed loans will need to be repriced at a new reference rate, which could be well above or below LIBOR. If loan agreements don’t provide for an adjustment of the spread between LIBOR and the new rate, that could prompt unexpected changes in the financial position of both borrowers and lenders³. Take, for instance, a loan made at the Secured Overnight Financing Rate (SOFR), generally considered the likely replacement for USD LIBOR. Since SOFR tends to be lower than three-month LIBOR, a loan agreement using it that does not allow for a spread adjustment would generate lower loan payments for the borrower, which means less interest income for the lender.

    Not allowing for a spread adjustment on reference rates lower than LIBOR could also cause a change in expected prepayments—say, for instance, if borrowers with fixed-rate loans decide to refinance at adjustable rates—which would impact post-CECL allowance calculations like the weighted-average remaining maturity (WARM) method, which uses estimated prepayments as an input.

What can your financial institution do to prepare?

The Federal Reserve and the SEC have urged financial institutions to immediately evaluate their LIBOR exposure and expedite their transition. Though the FDIC has expressed no intent to examine financial institutions for the status of LIBOR planning or critique loans based on use of LIBOR³, Federal Reserve supervisory teams have been including LIBOR transitions in their regular monitoring of large financial institutions⁵. The SEC has also encouraged companies to provide investors with robust disclosures regarding their LIBOR transition, which may include a notional value of LIBOR exposure².

Financial institutions should start by analyzing their LIBOR exposure beyond 2021. If you don’t expect significant exposure, further analysis may be unnecessary. However, if you do expect significant future LIBOR exposure, your institution should conduct stress testing using LIBOR as an isolated variable by running hypothetical transition scenarios and assessing the potential financial impact.

Closely examine and assess fallback language in loan agreements. For existing loan agreements, you may need to make amendments, which could require consent from counterparties². For new loan agreements maturing beyond 2021, lenders should consider selecting an alternate reference rate. New contract language for financial instruments and residential mortgages is currently being drafted by the International Securities Dealers Association and the Federal Housing Finance Authority, respectively³—both of which may prove helpful in updating loan agreements.

Lenders should also consider their underwriting policies. Loan underwriters will need to adjust the spread on new loans to accurately reflect the price of risk, because volatility and market tendencies of alternate loan reference rates may not mirror LIBOR’s. What’s more, SOFR lacks abundant historical data for use in analyzing volatility and market tendencies, making accurate loan pricing more difficult.

Conclusion: Start assessing your LIBOR risk soon

The cessation of LIBOR brings challenges and opportunities that will require in-depth analysis and making difficult decisions. Financial institutions and consumers should heed the advice of regulators and start assessing their LIBOR risk now. Those that do will not only be better prepared―but also better positioned―to capitalize on the opportunities it presents.

Need help assessing your LIBOR risk and preparing to transition? Contact BerryDunn’s financial services specialists.

1 https://www.washingtonpost.com/business/2017/07/27/acdd411c-72bc-11e7-8c17-533c52b2f014_story.html?utm_term=.856137e72385
2 Thomson Reuters Checkpoint Newsstand April 10, 2019
3 https://www.fdic.gov/regulations/examinations/supervisory/insights/siwin18/si-winter-2018.pdf
4 https://bankingjournal.aba.com/2019/04/libor-transition-panel-recommends-fallback-language-for-key-instruments/
5 https://www.reuters.com/article/us-usa-fed-libor/fed-urges-u-s-financial-industry-to-accelerate-libor-transition-idUSKCN1RM25T

Blog
When one loan rate closes, another opens

This blog is the first in a series to help employee benefit plan fiduciaries better understand their responsibilities and manage the risks of non-compliance with ERISA requirements.

On Labor Day, 1974, President Gerald Ford signed the Employee Retirement Income Security Act, commonly known as ERISA, into law. Prior to ERISA, employee pensions had scant protections under the law, a problem made clear when the Studebaker automobile company closed its South Bend, Indiana production plant in 1963. Upon the plant’s closing, some 4,000 employees—whose average age was 52 and average length of service with the company was 23 years—received approximately 15 cents for each dollar of benefit they were owed. Nearly 3,000 additional employees, all of whom had less than 10 years of service with the company, received nothing.

A decade later, ERISA established statutory requirements to preserve and protect the rights of employees to their pensions upon retirement. Among other things, ERISA defines what a plan fiduciary is and sets standards for their conduct.

Who is—and who isn’t—a plan fiduciary?
ERISA defines a fiduciary as a person who:

  1. Exercises discretionary authority or control over the management of an employee benefit plan or the disposition of its assets,
  2. Gives investment advice about plan funds or property for a fee or compensation or has the authority to do so,
  3. Has discretionary authority or responsibility in plan administration, or
  4. Is designated by a named fiduciary to carry out fiduciary responsibility. (ERISA requires the naming of one or more fiduciaries to be responsible for managing the plan's administration, usually a plan administrator or administrative committee, though the plan administrator may engage others to perform some administrative duties).

If you’re still unsure about exactly who is and isn’t a plan fiduciary, don’t worry, you’re not alone. Disagreements over whether or not a person acting in a certain capacity and in a specific situation is a fiduciary have sometimes required legal proceedings to resolve them. Here are some real-world examples.

Employers who maintain employee benefit plans are typically considered fiduciaries by virtue of being named fiduciaries or by acting as a functional fiduciary. Accordingly, employer decisions on how to execute the intent of the plan are subject to ERISA’s fiduciary standards.

Similarly, based on case law, lawyers and consultants who effectually manage an employee benefit plan are also generally considered fiduciaries.

A person or company that performs purely administrative duties within the framework, rules, and procedures established by others is not a fiduciary. Examples of such duties include collecting contributions, maintaining participants' service and employment records, calculating benefits, processing claims, and preparing government reports and employee communications.

What are a fiduciary’s responsibilities?
ERISA requires fiduciaries to discharge their duties solely in the interest of plan participants and beneficiaries, and for the exclusive purpose of providing benefits for them and defraying reasonable plan administrative expenses. Specifically, fiduciaries must perform their duties as follows:

  1. With the care, skill, prudence, and diligence of a prudent person under the circumstances;
  2. In accordance with plan documents and instruments, insofar as they are consistent with the provisions of ERISA; and
  3. By diversifying plan investments so as to minimize risk of loss under the circumstances, unless it is clearly prudent not to do so.

A fiduciary is personally liable to the plan for losses resulting from a breach of their fiduciary responsibility, and must restore to the plan any profits realized on misuse of plan assets. A fiduciary is liable not only for their own breaches, but also for another fiduciary's breach if they have knowledge of it and either conceal it or do not make reasonable efforts to remedy it.

ERISA provides for a mandatory civil penalty against a fiduciary who breaches a fiduciary responsibility under ERISA or commits a violation, or against any other person who knowingly participates in such breach or violation. That penalty is equal to 20 percent of the "applicable recovery amount" paid pursuant to any settlement agreement with ERISA or ordered by a court to be paid in a judicial proceeding instituted by ERISA.

ERISA also permits a civil action to be brought by a participant, beneficiary, or other fiduciary against a fiduciary for a breach of duty. ERISA allows participants to bring suit to recover losses from fiduciary breaches that impair the value of the plan assets held in their individual accounts, even if the financial solvency of the entire plan is not threatened by the alleged fiduciary breach. Courts may require other appropriate relief, including removal of the fiduciary.

Over the coming months, we’ll share a series of blogs for employee benefit plan fiduciaries, covering everything from common terminology to best practices for plan documentation, suggestions for navigating fiduciary risks, and more.

Blog
What's in a name? A lot, if you manage a benefit plan.

Best Practices for Educating Your Financial Institution’s Board of Directors on Cybersecurity

According to Cybersecurity Ventures, cybercrime will account for $6 trillion annually by 2021—that’s more than the global trade of all major illegal drugs combined. Data breaches and other information security events adversely impact organizations through significant losses in revenue, erosion of customer trust, substantial remediation costs, increased insurance premiums, and more.

The financial services industry has always led the way with internal controls, vendor management, and now with cybersecurity for one simple reason—you are in the business of money and it is critical to protect it.

That said, cybersecurity controls require more than just a strong IT department—an effective cybersecurity program, much like ethical behavior, depends on culture. Since your organization’s leadership plays a key role in driving your cybersecurity culture, boards of directors and senior management need a solid understanding of cybersecurity risks and impacts.

According to a 2018 Technology Survey of bank directors by Bank Director, 79% say they need to enhance their level of technology expertise. Many board members come from non-technology backgrounds and careers, and though they are able to support their institution’s mission and drive growth, they may not be able to provide direction in the areas of information technology and security. They may also not recognize what attractive targets they make for phishing and other cybercrimes due to their high level of access to valuable information, their ability to send and receive data from financial institution personnel, and their potential exemption from certain employee policies.

Keeping board members up-to-date on the evolving landscape of cybersecurity risks can present a serious challenge due to board members’ time constraints. To help, here are some best practices you can follow to make educating your institution’s board and senior management a relatively simple and sustainable process.

Leverage Existing Cybersecurity Training Resources

In most cases, you already provide and require cybersecurity training for employees, typically through internal IT experts, third-party vendors, or self-paced courses available online. Board members should complete the same training at least annually.

Require Board Members to Comply with Information Security Policies

Despite their high-risk profile, board members are often exempted from policies applicable to employees, including password requirements and other critical information security policies. Given the sensitive information and levels of access board members have, it is imperative that they fully comply with all information security policies.

Facilitate Regular Review of Information Security Audits and Assessments

Information security audits and assessments provide valuable insights into areas for improvement. Keep your board members aware of any findings, recommendations, or potential risks noted in recent audits and assessments. Provide a regular status report to the board of ongoing efforts and progress to resolve or mitigate findings and risks. Use these regular communications as an opportunity to provide cybersecurity education to the board, and don’t hesitate to speak up about any specific areas and emerging risks you may be concerned about.

Regular Cybersecurity Updates and Discussions

Keep the board and senior management updated on cybersecurity threats, incidents, and any changes to the bank’s cybersecurity program. Provide this information on a quarterly basis and include the cause of and any remediation for such events, as well as any trends in incidents. Regular updates to the board and senior management provide guidance for budgets, goals, and overall strategic direction. With more awareness of security incidents and events, trends in occurrences, and potential risks, the board and senior management are more likely to support greater investments in the bank’s security efforts.

Annual Board Approval of Information Security Plans and Policies

The board should review and approve all information security policies and relevant procedures on an annual basis, as these board-approved policies will establish the financial institution’s directive for effective internal control and cybersecurity programs. Important examples include Information Security and Acceptable Use Policies, Cybersecurity Policy, Incident Response Plan, Business Continuity Plan, and Disaster Recovery Plan.

Knowing your current position and having a plan are key. Through continuous assessment of your board’s fluency with cybersecurity and establishing a process of ongoing education that’s both effective and manageable, your financial institution can improve its culture of cybersecurity awareness—helping reduce the likelihood of future security incidents and events that could adversely impact your board, your financial institution’s employees, and your customers.

Blog
Creating a culture of cybersecurity awareness

In auditing, the concept of professional skepticism is ubiquitous. Just as a Jedi in Star Wars is constantly trying to hone his understanding of the “force”, an auditor is constantly crafting his or her ability to apply professional skepticism. It is professional skepticism that provides the foundation for decision-making when conducting an attestation engagement.

A brief definition

The professional standards define professional skepticism as “an attitude that includes a questioning mind, being alert to conditions that may indicate possible misstatement due to fraud or error, and a critical assessment of audit evidence.” Given this definition, one quickly realizes that professional skepticism can’t be easily measured. Nor is it something that is cultivated overnight. It is a skill developed over time and a skill that auditors should constantly build and refine.

Recently, the extent to which professional skepticism is being employed has gained a lot of criticism. Specifically, regulatory bodies argue that auditors are not skeptical enough in carrying out their duties. However, as noted in the white paper titled Scepticism: The Practitioners’ Take, published by the Institute of Chartered Accountants in England and Wales, simply asking for more skepticism is not a practical solution to this issue, nor is it necessarily always desirable. There is an inevitable tug of war between professional skepticism and audit efficiency. The more skeptical the auditor, typically, the more time it takes to complete the audit.

Why does it matter? Audit quality.

First and foremost, how your auditor applies professional skepticism to your audit directly impacts the quality of their service. Applying an appropriate level of professional skepticism enhances the likelihood the auditor will understand your industry, lines of business, business processes, and any nuances that make your company different from others, as it naturally causes the auditor to ask questions that may otherwise go unasked.

These questions not only help the auditor appropriately apply professional standards, but also help the auditor gain a deeper understanding of your business. This will enable the auditor to provide insights and value-added services an auditor who doesn’t apply the right degree of skepticism may never identify.

Therefore, as the white paper notes, audit committees, management, and investors should be asking “How hard do our auditors get pushed on fees, and what effect does that have on the quality of the audit?” If your auditor is overly concerned with completing the audit within a fixed time budget, professional skepticism and, ultimately, the quality of the audit, may suffer.

Applying skepticism internally

By its definition, professional skepticism is a concept that specifically applies to auditors, and is not on point when it comes to other audit stakeholders. This is because the definition implies that the individual applying professional skepticism is independent from the information he or she is analyzing. Other audit stakeholders, such as members of management or the board of directors, are naturally advocates for the organizations they manage and direct and therefore can’t be considered independent, whereas an auditor is required to remain independent.

However, rather than audit stakeholders applying professional skepticism as such, these other stakeholders should apply an impartial and diligent mindset to their work and the information they review. This allows the audit stakeholder to remain an advocate for his or her organization, while applying critical skills similar to those applied in the exercise of professional skepticism. This nuanced distinction is necessary to maintain the limited scope to which the definition of professional skepticism applies: the auditor.

Specific to the financial statement reporting function, these stakeholders should assess the financial statements and ask questions that can help prevent or detect flaws in the financial reporting process. For example, when considering significant estimates, management should ask: are we considering all relevant information? Are our estimates unbiased? Are there alternative accounting treatments we haven’t considered? Can we justify our selected accounting treatment? Essentially, management should start by asking itself: what questions would we expect our auditor to ask us?

It is also important to be critical of your own work, and never become complacent. This may be the most difficult type of skepticism to apply, as most of us do not like to have our work criticized. However, critically reviewing one’s own work, essentially as an informal first level of review, will allow you to take a step back and consider it from a different vantage point, which may in turn help detect errors otherwise left unnoticed. Essentially, you should both consider evidence that supports the initial conclusion and evidence that may be contradictory to that conclusion.

The discussion in auditing circles about professional skepticism and how to appropriately apply it continues. It is a challenging notion that’s difficult to adequately articulate. Although it receives a lot of attention in the audit profession, it is a concept that, slightly altered, can be of value to other audit stakeholders. Doing so will help you create a stronger relationship with your auditor and, ultimately, improve the quality of the financial reporting process—and resulting outcome.

Blog
Professional skepticism and why it matters to audit stakeholders

All teams experience losing streaks, and all franchise dynasties lose some luster. Nevertheless, the game must go on. What can coaches do? The answer: be prepared, be patient, and be PR savvy. Business managers should keep these three P’s in mind as they read Chapter 8 in BerryDunn’s Cybersecurity Playbook for Management, which highlights how organizations can recover from incidents.

In the last chapter, we discussed incident response. What’s the difference between incident response and incident recovery?

RG: Incident response refers to detecting and identifying an incident—and hopefully eradicating the source or cause of the incident, such as malware. Incident recovery refers to getting things back to normal after an incident. They are different sides of the same resiliency coin.

I know you feel strongly that organizations should have incident response plans. Should organizations also have incident recovery plans?

RG: Absolutely. Have a recovery plan for each type of possible incident. Otherwise, how will your organization know if it has truly recovered from an incident? Having incident recovery plans will also help prevent knee-jerk decisions or reactions that could unintentionally cover up or destroy an incident’s forensic evidence.

In the last chapter, you stated managers and their teams can reference or re-purpose National Institute of Standards and Technology (NIST) special publications when creating incident response plans. Is it safe to assume you also suggest referencing or re-purposing NIST special publications when creating incident recovery plans?

RG: Yes. But keep in mind that incident recovery plans should also mesh with, or reflect, any business impact analyses developed by your organization. This way, you will help ensure that your incident recovery plans prioritize what needs to be recovered first—your organization’s most valuable assets.

That said, I should mention that cybersecurity attacks don’t always target an organization’s most valuable assets. Sometimes, cybersecurity attacks simply raise the “misery index” for a business or group by disrupting a process or knocking a network offline.

Besides having incident recovery plans, what else can managers do to support incident recovery?

RG: Similar to what we discussed in the last chapter, managers should make sure that internal and external communications about the incident and the resulting recovery are consistent, accurate, and within the legal requirements for your business or industry. Thus, having a good incident recovery communication plan is crucial. 

When should managers think about bringing in a third party to help with incident recovery?

RG: That’s a great question. I think this decision really comes down to the confidence you have in your team’s skills and experience. An outside vendor can give you a lot of different perspectives but your internal team knows the business. I think this is one area that it doesn’t hurt to have an outside perspective because it is so important and we often don’t perceive ourselves as the outside world does. 

This decision also depends on the scale of the incident. If your organization is trying to recover from a pretty significant or high-impact breach or outage, you shouldn’t hesitate to call someone. Also, check to see if your organization has cybersecurity insurance. If your organization has cybersecurity insurance, then your insurance company is likely going to tell you whether or not you need to bring in an outside team. Your insurance company will also likely help coordinate outside resources, such as law enforcement and incident recovery teams.

Do you think most organizations should have cybersecurity insurance? 

RG: In this day and age? Yes. But organizations need to understand that, once they sign up for cybersecurity insurance, they’re going to be scrutinized by the insurance company—under the microscope, so to speak—and that they’ll need to take their “cybersecurity health” very seriously.

Organizations need to really pay attention to what they’re paying for. My understanding is that many different types of cybersecurity insurance have very high premiums and deductibles. So, in theory, you could have a $1 million insurance policy, but a $250,000 deductible. And keep in mind that even a simple incident can cost more than $1 million in damages. Not surprisingly, I know of many organizations signing up for $10 million insurance policies. 

How can managers improve internal morale and external reputation during the recovery process?

RG: Well, leadership sets the tone. It’s like in sports—if a coach starts screaming and yelling, then it is likely that the players will start screaming and yelling. So set expectations for measured responses and reactions. 

Check in on a regular basis with your internal security team, or whoever is conducting incident recovery within your organization. Are team members holding up under pressure? Are they tired? Have you pushed them to the point where they are fatigued and making mistakes? The morale of these team members will, in part, dictate the morale of others in the organization.

Another element that can affect morale is—for lack of a better word—idleness resulting from an incident. If you have a department that can’t work due to an incident, and you know that it’s going to take several days to get things back to normal, you may not want department members coming into work and just sitting around. Think about it. At some point, these idle department members are going to grumble and bicker, and eventually affect the wider morale. 

As for improving external reputation? I don’t think it really matters, honestly, because I don’t think most people really, truly care. Why? Because everyone is vulnerable, and attacks happen all the time. At this point in time, cyberattacks seem to be part of the normal course and rhythm of business. Look at all the major breaches that have occurred over the past couple of years. There’s always some immediate, short-term fallout, but there’s been very little long-term fallout. Now, that being said, it is possible for organizations to suffer a prolonged PR crisis after an incident. How do you avoid this? Keep communication consistent—and limit interactions between employees and the general public. One of the worst things that can happen after an incident is for a CEO to say, “Well, we’re not sure what happened,” and then for an employee to tweet exactly what happened. Mixed messages are PR death knells.

Let’s add some context. Can you identify a business or group that, in your opinion, has handled the incident recovery process well?

RG: You know, I can’t, and for a very good reason. If a business or group does a really good job at incident recovery, then the public quickly forgets about the incident—or doesn’t even hear about it in the first place. Conversely, I can identify many businesses or groups that have handled the incident recovery process poorly, typically from a PR perspective.

Any final thoughts about resiliency?

RG: Yes. As you know, over the course of this blog series, I have repeated the idea that IT is not the same as security. These are two different concepts that should be tackled by two different teams—or approached in their appropriate context. Similarly, managers need to remember that resiliency is not an IT process—it’s a business process. You can’t just shove off resiliency responsibilities onto your IT team. As managers, you need to get directly involved with resiliency, just as you need to get directly involved with maturity, capacity, and discovery. 

So, we’ve reached the end of this blog series. Above all else, what do you hope managers will gain from it? 

RG: First, the perspective that to understand your organization’s cybersecurity is to truly understand your organization and its business. And I predict that some managers will be able to immediately improve business processes once they better grasp the cybersecurity environment. Second, the perspective that cybersecurity is ultimately the responsibility of everyone within an organization. Sure, having a dedicated security team is great, but everyone—from the CEO to the intern—plays a part. Third, the perspective that effective cybersecurity is effective communication. A siloed, closed-door approach will not work. And finally, the perspective that cybersecurity is always changing, so that it’s a best practice to keep reading and learning about it. Anyone with questions should feel free to reach out to me directly.

Blog
Incident recovery: Cybersecurity playbook for management

Reading through the 133-page exposure draft for the Proposed Statement on Auditing Standards (SAS) Forming an Opinion and Reporting on Financial Statements of Employee Benefit Plans Subject to ERISA, issued back in April 2017, and then comparing it to the final 100+ page standard approved in September 2018, may not sound like a fun way to spend a Sunday morning sipping a coffee (or three), but I disagree.

Lucky for you, I have captured the highlights here. And it really is exciting. Our feedback was incorporated into the final standard both through written comments on the exposure draft and a voice via our firm’s Director of Quality Assurance, who holds a seat on the Auditing Standards Board.

"Limited scope" audits will no longer exist

The debate over the “limited scope” audit has been going on for years. The new standard is designed to help auditors clearly understand their responsibilities in performing an audit, and provide plan sponsors, plan participants, the Department of Labor (DOL), and other interested parties with more information about what auditors do in situations when audits are limited in scope by the plan’s management, which is permitted by DOL reporting and disclosure rules.

Once effective, Audit Committee and Board of Director meetings in which plan financial statements are presented will include more clarity into what an employee benefit plan audit entails, based on revisions to the auditor’s report. I know I would frequently kick off meetings covering the auditor’s report opinion by explaining what a “limited scope” audit was. As a “limited scope” audit will no longer exist, the revised auditor’s report language clearly articulates what the auditor is, and is not, opining on.

When is the new standard effective?

The effective date is “to be determined” as it will be aligned with the new overall auditor’s reporting standard once that is finalized, and the standard does not permit early adoption. So there is still time to educate and prepare all parties involved.

Probably the biggest conversation piece around the water cooler for the new standard is the lingo. The “limited scope” audit language will be going away and now the auditor’s report and all related language will refer to an “ERISA section 103(a)(3)(C)” audit. I know, it’s a mouthful. Try and say that one three times fast!

The auditor's report will look much different

The auditor’s report under an ERISA section 103(a)(3)(C) audit will look significantly different from the old “limited scope” auditor’s report, once the standard is effective. There are several illustrative examples of reports included in the standard to refer to. One thing you will immediately notice: the auditor’s report is getting longer and not shorter. Some highlights:

The Opinion section will include two bullets that explicitly state, in basic summarized terms: (1) the certified information agrees to the financial statements, and (2) the auditor’s opinion on everything else, which the auditor has audited.

The Other Matter—Supplemental Schedules Required by ERISA section will include two bullets that explicitly state, in basic summarized terms: (1) the certified information agrees to the financial statements, and (2) the auditor’s opinion on everything else, which the auditor has audited in relation to the financial statements. Sound similar to the Opinion section? Well, that’s because it is!

Other key takeaways

  • Auditors will be required to make inquiries of management to gain assurance they performed procedures to determine the certifying institution is qualified for the ERISA section 103(a)(3)(C) audit, as it is management’s responsibility to make that determination.
  • Fair value disclosures included within the plan’s financial statements are also included under the certification umbrella and subject to the same audit procedures. As an auditor, if anything comes to our attention that does not meet expectations, we would further assess as necessary.
  • The auditor is required to obtain and read a draft Form 5500 prior to issuance of the auditor’s report.

The final standard also removed some highly debated provisions included in the draft proposal as follows:

  • There is no report on findings required, but the auditor is required to follow AU-C 250, AU-C 260 and AU-C 265. Should anything arise that warrants communication to those charged with governance, those findings must be communicated in writing. Be sure to grab another coffee and refresh yourself on AU-C 250, AU-C 260 and AU-C 265!
  • The new required procedures section for an audit was scrapped and replaced with an Appendix A for recommended audit procedures based on risk assessments. There are some great tools there to look at.
  • The required emphasis-of-matter paragraph section of the auditor’s report was also scrapped.

Questions about the new employee benefit audit standard or employee benefit plan audits

At BerryDunn, we perform over 200 employee benefit plan audits each year. If you have any questions, we would love to help. And we’ll keep the acronyms to a minimum. Please reach out with any questions.

Blog
Auditing standards board approves new employee benefit plan auditing standard: What you need to know

Artificial Intelligence, or AI, is no longer the exclusive tool of well-funded government entities and defense contractors, let alone a plot device in science fiction film and literature. Instead, AI is becoming as ubiquitous as the personal computer. The opportunities of what AI can do for internal audit are almost as endless as the challenges this disruptive technology represents.

To understand how AI will influence internal audit, we must first understand what AI is. The concept of AI—a technology that can perceive the world directly and respond to what it perceives—is often attributed to Alan Turing, though the term “Artificial Intelligence” was coined much later in 1956 at Dartmouth College, in Hanover, New Hampshire. Turing was a British scientist who developed the machine that cracked the Nazis’ Enigma code. Turing thought of AI as a machine that could convince a human that it also was human. Turing’s humble description of AI is as simple as it is elegant. Fast-forward some 60 years and AI is all around us and being applied in novel ways almost every day. Just consider autonomous self-driving vehicles, facial recognition systems that can spot a fugitive in a crowd, search engines that tailor our online experience, and even Pandora, which analyzes our tastes in music.

Today, in practice and in theory, there are four types of AI. Type I AI may be best represented by IBM’s Deep Blue, a chess-playing computer that made headlines in 1996 when it won a match against Russian chess champion Garry Kasparov. Type I AI is reactive. Deep Blue can beat a chess champion because it evaluates every piece on the chessboard, calculates all possible moves, then predicts the optimal move among all possibilities. Type I AI is really nothing more than a super calculator, processing data much faster than the human mind can. This is what gives Type I AI an advantage over humans.

Type II AI, which we find in autonomous cars, is also reactive. For example, it applies brakes when it predicts a collision; but, it has a low form of memory as well. Type II AI can briefly remember details, such as the speed of oncoming traffic or the distance between the car and a bicyclist. However, this memory is volatile. When the situation has passed, Type II AI deletes the data from its memory and moves on to the next challenge down the road.

Type II AI's simple form of memory management and the ability to “learn” from the world in which it resides is a significant advancement. 
The leap from Type II AI to Type III AI has yet to occur. Type III AI will not only incorporate the awareness of the world around it, but will also be able to predict the responses and motivations of other entities and objects, and understand that emotions and thoughts are the drivers of behavior. Taking the autonomous car analogy to the next step, Type III AI vehicles will interact with the driver. By conducting a simple assessment of the driver’s emotions, the AI will be able to suggest a soothing playlist to ease the driver's tensions during his or her commute, reducing the likelihood of aggressive driving. Lastly, Type IV AI, a milestone that will likely be reached at some point over the next 20 or 30 years, will be self-aware. Not only will Type IV AI soothe the driver, it will interact with the driver as if it were another human riding along for the drive; think of “HAL” in Arthur C. Clarke’s 2001: A Space Odyssey.

So what does this all mean to internal auditors?
While it may be a bit premature to predict AI’s impact on the internal audit profession, AI is already being used to predict control failures in institutions with robust cybersecurity programs. When malicious code is detected and certain conditions are met, AI-enabled devices can either divert the malicious traffic away from sensitive data, or even shut off access completely until an incident response team has had time to investigate the nature of the attack and take appropriate actions. This may seem a rather rudimentary use of AI, but in large financial institutions or manufacturing facilities, minutes count—and equal dollars. Allowing AI to cut off access to a line of business that may cost the company money (and its reputation) is a significant leap of faith, and not for the faint of heart. Next generation AI-enabled devices will have even more capabilities, including behavioral analysis, to predict a user’s intentions before gaining access to data.

In the future, internal audit staff will no doubt train AI to seek conditions that require deeper analysis, or even predict when a control will fail. Yet AI will be able to facilitate the internal audit process in other ways. Consider AI’s role in data quality. Advances in inexpensive data storage (e.g., the cloud) have allowed the creation and aggregation of volumes of data subject to internal audit, making the testing of the data’s completeness, integrity, and reliability a challenging task considering the sheer volume of data. Future AI will be able to continuously monitor this data, alerting internal auditors not only of the status of data in both storage and motion, but also of potential fraud and disclosures.

The analysis won’t stop there.
AI will measure the performance of the data in meeting organizational objectives, and suggest where efficiencies can be gained by focusing technical and human resources to where the greatest risks to the organization exist in near real-time. This will allow internal auditors to develop a common operating picture of the day-to-day activities in their business environments, alerting internal audit when something doesn’t quite look right and requires further investigation.

As promising as AI is, the technology comes with some ethical considerations. Because AI is created by humans, it is not always free of human flaws. For instance, AI can become unpredictably biased. AI used in facial recognition systems has made racial judgments based on certain common facial characteristics. In addition, AI that gathers data from multiple sources that span a person’s financial status, credit status, education, and individual likes and dislikes could be used to profile certain groups for nefarious intentions. Moreover, AI has the potential to be weaponized in ways that we have yet to comprehend.

There is also the question of how internal auditors will be able to audit AI. Keeping AI safe from internal fraudsters and external adversaries is going to be paramount. AI’s ability to think and act faster than humans will challenge all of us to create novel ways of designing and testing controls to measure AI’s performance. This, in turn, will likely make partnerships with consultants that can fill knowledge gaps even more valuable. 

Challenges and pitfalls aside, AI will likely have a tremendous positive effect on the internal audit profession by simultaneously identifying risks and evaluating processes and control design. In fact, it is quite possible that the first adopters of AI in many organizations may not be the cybersecurity departments at all, but rather the internal auditor’s office. As a result, future internal auditors will become highly technical professionals and perhaps trailblazers in this new and amazing technology.

Blog
Artificial intelligence and the future of internal audit

The world of professional sports is rife with instability and insecurity. Star athletes leave or become injured; coaching staff make bad calls or public statements. The ultimate strength of a sports team is its ability to rebound. The same holds true for other groups and businesses. Chapter 7 in BerryDunn’s Cybersecurity Playbook for Management looks at how organizations can prepare for, and respond to, incidents.

The final two chapters of this Cybersecurity Playbook for Management focus on the concept of resiliency. What exactly is resiliency?
RG: Resiliency refers to an organization’s ability to keep the lights on—to keep producing—after an incident. An incident is anything that disrupts normal operations, such as a malicious cyberattack or an innocent IT mistake.

Among security professionals, attitudes toward resiliency have changed recently. Consider the fact that the U.S. Department of Defense (DOD) has come out and said, in essence, that cyberwarfare is a war that it cannot win—because cyberwarfare is so complex and so nuanced. The battlefield changes daily and the opponents have either a lot of resources or a lot of time on their hands. Therefore, the DOD is placing an emphasis on responding and recovering from incidents, rather than preventing them.

That’s sobering.
RG: It is! And businesses and organizations should take note of this attitude change. Protection, which was once the start and endpoint for security, has given way to resiliency.

When and why did this attitude change occur?
RG: Several years ago, security experts started to grasp just how clever certain nation states, such as China and Russia, were at using malicious software. If you could point to one significant event, likely the 2013 Target breach is it.

What are some examples of incidents that managers need to prepare for?
RG: Examples range from external breaches and insider threats to instances of malfeasance or incompetence. Different types of incidents lead to the same types of results—yet you can’t have a broad view of incidents. Managers should work with their teams to create incident response plans that reflect the threats associated with their specific line of business. A handful of general incident response plans isn’t going to cut it.

Managers need to work with their teams to develop a specific incident response plan for each specific type of incident. Why? Well, think of it this way: Your response to a careless employee should be different from your response to a malicious employee, for a whole host of legal reasons.

Incident response is not a cookie-cutter process. In fact, it is quite the opposite. This is one of the reasons I highly suggest that security teams include staff members with liberal arts backgrounds. I’m generalizing, but these people tend to be creative. And when you’re responding to incidents, you want people who can look at a problem or situation from a global or external perspective, not just a technical or operational perspective. These team members can help answer questions such as, what does the world see when they look at our organization? What organizational information might be valuable to, or targeted by, malicious actors? You’ll get some valuable fresh perspectives.

How short or long should the typical incident response plan be?
RG: They can be as short as needed; I often see good incident response plans no more than three or four pages in length. However, it is important that incident response plans are task oriented, so that it is clear who does what next. And when people follow an incident response plan, they should physically or digitally check off each activity, then record each activity.

What system or software do you recommend for recording incidents and responses?
RG: There are all types of help desk software you can use, including free and open source software. I recommend using help desk software with workflow capabilities so your team can assign and track tasks.

Any other tips for developing incident response plans?
RG: First, managers should work with, and solicit feedback from, different data owners and groups within the organization—such as IT, HR, and Legal—when developing incident response plans. If you create these documents in a vacuum, they will be useless.

Second, managers and their teams should take their time and develop the most “solid” incident response plans possible. Don’t rush the process. The effectiveness of your incident response plans will be critical in assessing your organization’s ability to survive a breach. Because of this, you should be measuring your response plans through periodic testing, like conducting tabletop exercises.

Third, keep your organization’s customers in mind when developing these plans. You want to make sure external communications are consistent, accurate, and within the legal requirements for your business or industry. The last thing you want is customers receiving conflicting messages about the incident. This can cause unnecessary grief for you, but can also cause an unmeasurable loss of customer confidence.

Are there any decent incident response plans in the public domain that managers and their teams can adapt for their own purposes?
RG: Yes. My default reference is the National Institute of Standards and Technology (NIST). NIST has many special publications that describe the incident response process, how to develop a solid plan, and how to test your plan.

Should organizations have dedicated incident response teams?
RG: Definitely. Larger organizations usually have the resources and ability to staff these teams internally. Smaller organizations may want to consider hiring a reputable third party to act as an incident response team. The key with hiring a third party? Don’t wait until an incident occurs! If you wait, you’re going to panic, and make panic-based decisions. Be proactive and hire a third party on retainer.

That said, even larger organizations should consider hiring a third party on an annual basis to review incident response plans and processes. Why? Because every organization can grow complacent, and complacency kills. A third party can help gauge the strengths and weaknesses of your internal incident response teams, and provide suggestions for general or specific training. A third party can also educate your organization about the latest and greatest cyber threats.

Should managers empower their teams to conduct internal “hackathons” in order to test incident response?
RG: Sure! It’s good practice, and it can be a lot of fun for team members. There are a few caveats. First, don’t call it a “hackathon.” The word can elicit negative reactions from upper management—whose support you really need. Call it “active testing” or “continuous improvement exercises.” These activities allow team members to think creatively, and are opportunities for them to boost their cybersecurity knowledge. Second, be prepared for pushback. Some managers worry if team members gain more cybersecurity skills, then they’ll eventually leave the organization for another, higher-paying job. I think you should be committed to the growth of your team members; it’ll only make your organization more secure.

What are some best practices managers should follow when reporting incidents to their leadership?
RG: Keep the update quick, brief, and to the point. Leave all the technical jargon out, and keep everything in a business context. This way leadership can grasp the ramifications of the event and understand what matters. Be prepared to outline how you’re responding and what actions leadership can take to support the incident response team and protect the business. In the last chapter, I mentioned what I call the General Colin Powell method of reporting, and I suggest using that method when informing leadership. Tell them what you know, what you don’t know, what you think, and what you recommend. Have answers, or at least a plan.

Above all else, don’t scare leadership. If you present them with panic, you’re going to get panic back. Be a calm voice in the storm. Management will respond better, as will your team.

Another thing to keep in mind is different business leaders have different responses to this sort of news. An elected official, for example, might react differently than the CEO of a private company, simply due to possible political fallout. Keep this context in mind when reporting incidents. It can help you craft the message.

How much organization-wide communication should there be about incidents?
RG: That’s a great question, but a tough one to answer. Transparency is good, but it can also unintentionally lead to further incidents. Do you really want to let your whole organization know about an exploitable weakness? Also, employees can spread information about incidents on social media, which can actually lead to the spread of misinformation. If you are in doubt about whether or not to inform the entire organization about an incident, refer to your Legal Department. In general, organization-wide communication should be direct: We’ve had an incident; these are the facts; this is what you are allowed to say on social media; and this is what you’re not allowed to say on social media.

Another great but tough question: When do you tell the public about an incident? For this type of communication, you’re going to need buy-in from various sources: leadership, Legal, HR, and your PR team or external PR partners. You have to make sure the public messaging is consistent. Otherwise, citizens and the media will try to poke holes in your official story. And that can lead to even more issues.

So what’s next?
RG: Chapter 8 will focus on how managers can help their organizations recover from a cybersecurity incident.


Blog
Incident response: Cybersecurity playbook for management

Any sports team can pull off a random great play. Only the best sports teams, though, can pull off great plays consistently — and over time. The secret to this lies in the ability of the coaching staff to manage the team on a day-to-day basis, while also continually selling their vision to the team’s ownership. Chapter Six in BerryDunn’s Cybersecurity Playbook for Management looks at how managers can achieve similar success through similar actions.

The title of this chapter is “The Workflow.” What are we talking about today?
RG: In previous chapters, we’ve walked managers through cybersecurity concepts like maturity, capacity, and discovery. Today, we’re going to discuss how you can foster a consistent and repeatable cybersecurity program — the cybersecurity workflow, if you will. And for managers, this is where game planning begins. To achieve success, they need to effectively oversee their team on a day-to-day basis, and continually sell the cybersecurity program to the business leadership for whom they work — the board or CEO.

Let’s dive right in. How exactly do managers oversee a cybersecurity program on a day-to-day basis?
RG: Get out of the way, and let your team do its work. By this point, you should know what your team is capable of. Therefore, you need to trust your team. Yet you should always verify. If your team recommends purchasing new software, have your team explain, in business terms, the reasons for the purchase. Then verify those reasons. Operationalizing tools, for example, can be difficult and costly, so make sure they put together a road map with measurable outcomes before you agree to buy any tools — even if they sound magical!

Second, empower your team by facilitating open dialogue. If your team brings you bad news, listen to the bad news — otherwise, you’ll end up alienating people. Know that your team is going to find things within your organization’s “auditable universe” that are going to make you uncomfortable from a cybersecurity point of view. Nevertheless, you need to encourage your team to share the information, so don’t overreact.

Third, give your team a communication structure that squelches a crisis-mode mentality — “Everything’s a disaster!” In order to do that, make sure your team gives every weakness or issue they discover a risk score, and log the score in a risk register. That way, you can prioritize what is truly important.

Fourth, resolve conflicts between different people or groups on your team. Take, for example, conflict between IT staff and security staff (read more here). It is a common issue, as there is natural friction between these groups, so be ready to deal with it. IT is focused on running operations, while security is focused on protecting operations. Sometimes, protection mechanisms can disrupt operations. Therefore, managers need to act as peacemakers between the two groups. Don’t show favoritism toward one group or another, and don’t get involved in nebulous conversations regarding which group has “more skin in the game.” Instead, focus on what is best for your organization from a business perspective. The business perspective ultimately trumps either IT or security concerns.

Talk about communication for a moment. Managers often come from business backgrounds, while technical staff often come from IT backgrounds. How do you foster clear communication across this divide?
RG: Have people talk in simple terms. Require everyone on your team use plain language to describe what they know or think. I recommend using what I call the Colin Powell method of reporting:

1. Tell me what you know.
2. Tell me what you don’t know.
3. Tell me what you think.
4. Tell me what you recommend.

When you ask team members questions in personal terms — “Tell me what you know” — you tend to receive easy-to-understand, non-jargon answers.

Something that we really haven’t talked about in this series is cybersecurity training. Do you suggest managers implement regular cybersecurity training for their team?
RG: This is complicated, and my response will likely be a little controversial to many. Yes, most organizations should require some sort of cybersecurity training. But I personally would not invest a lot of time or money into cybersecurity training beyond the basics for most users and specific training for technical staff. Instead, I would plan to spend more money on resiliency — responding to, and recovering from, a cybersecurity attack or incident. (We’ll talk about resiliency more in the next two chapters.) Why? Well, you can train people all day long, but it only takes one person to be malicious, or to make an innocent mistake, that leads to a cybersecurity attack or incident. Let’s look at my point from a different perspective. Pretend you’re the manager of a bank, and you have some money to spend on security. Are you going to spend that money on training your employees how to identify a robber? Or are you going to spend that money on a nice, state-of-the-art vault?

Let’s shift from talking about staff to talking about business leadership. How do managers sell the cybersecurity program to them?
RG: Use business language, not technical language. For instance, a CEO may not necessarily care much about the technical behavior of a specific malware, but they are going to really care about the negative effects that malware can have on the business.

Also, keep the conversation short, simple, and direct. Leadership doesn’t have time to hear about all you’re doing. Leadership wants progress updates and a clear sense of how the cybersecurity program is helping the business. I suggest discussing three to four high-priority security risks, and summarizing how you and your team are addressing those risks.

And always remember that in times of crisis, those who keep a cool head tend to gain the most support. Therefore, when talking to the board or CEO, don’t be the bearer of “doom and gloom.” Be calm, positive, empowering, and encouraging. Provide a solution. And make leadership part of the solution by reminding them that they, too, have cybersecurity responsibilities, such as communicating the value of the cybersecurity program to the organization — internal PR, in other words.

How exactly should a manager communicate this info to leadership? Do you suggest one-on-one chats, reports, or presentations?
RG: This all depends on leadership. You know, some people are verbal learners; some people are visual learners. It might take some trial and error to figure out the best medium for conveying your information, and that’s OK. Remember: cybersecurity is an ongoing process, not a one-and-done event. However, if you are going to pursue the one-on-one chat route, just be prepared, materials-wise. If leadership asks for a remediation plan, then you better have that remediation plan ready to present!

What is one of the biggest challenges that managers face when selling cybersecurity programs to leadership?
RG: One of the biggest challenges is addressing questions about ROI, because there often are no quantifiable financial ROIs for cybersecurity. But organizations have to protect themselves. So the question is, how much money is your organization willing to spend to protect itself? Or, in other words, how much risk can your organization reduce — and does this reduction justify the cost?

One possible way to communicate the value of cybersecurity to leadership is to compare it to other necessary elements within the organization, such as HR. What is the ROI of HR? Who knows? But do you really want your organization to lack an HR department? Think of all the possible logistic and legal issues that could swamp your organization without an HR department. It’s terrifying to think about! And the same goes for cybersecurity.

We’ve talked about how managers should communicate with their team and with business leadership. What about the organization as a whole?
RG: Sure! Regular email updates are great, especially if you keep them “light,” so to speak. Don’t get into minutiae. That said, I also think a little bit of secrecy goes a long way. Organizations need to be aware of, and vigilant toward, insider threats. Loose lips sink ships, you know? Gone are the days when a person works for an organization for 30+ years. Employees come and go pretty frequently. As a result, the concept of company loyalty has changed. So make sure your organization-wide updates don’t give away too much cybersecurity information.

So what’s next?
RG: Chapter 7 will focus on how managers can help their organizations respond to a cybersecurity attack or incident.

Blog
The workflow: Cybersecurity playbook for management

For over four years the business community has been discussing the impact Accounting Standards Codification (ASC) 606, Revenue from Contracts with Customers, will have on financial reporting. As you evaluate the impact this standard will have on a manufacturer’s financial reporting practices, there are certain provisions of ASC 606 you should consider.

Then: Prior to ASC 606, manufacturers generally recognize revenue when persuasive evidence of an arrangement exists, delivery has occurred, the fees are fixed or determinable, and collection is reasonably assured. For most, this typically occurs when a product ships and the title to the product transfers to the customer.

Now: Under ASC 606, effective for annual reporting periods beginning after December 15, 2018 for non-public entities (December 15, 2017 for public entities), an entity should recognize revenue to depict the transfer of promised goods or services to customers in an amount that reflects the consideration to which the entity expects to be entitled in exchange for those goods or services. Under this core principle, an entity should:

  1. Identify its contracts with its customers,
  2. Identify performance obligations (promises) in the contract,
  3. Determine the transaction price,
  4. Allocate the transaction price to the performance obligations in the contract; and
  5. Recognize revenue when (or as) the entity satisfies the performance obligation. 

Who does it impact, and how?

For some manufacturers, ASC 606 will not impact their financial reporting practices since they satisfy their performance obligation when the product is shipped and the title has transferred to the customer. However, entities who manufacture highly specialized products may be required to recognize revenue over time if the entity’s performance creates an asset without an alternative use to the entity, and the entity has an enforceable right to compensation for performance completed to date.

Limitations

To determine if a product has an alternative use, the entity must assess whether it is restricted contractually from redirecting the asset for another use during production, or if there are practical limitations on the entity’s ability to redirect the product for another use. A contractual limitation must be substantive for it to be determined to not have an alternative use, e.g., the customer can enforce rights for delivery of the product. A restriction is not substantive if the product is largely interchangeable with other products the entity could transfer between customers without incurring a significant loss.

A practical limitation exists if the entity’s ability to redirect the product for another use results in significant economic losses, either from significant rework costs or having to sell the product at a loss. The alternative use assessment should be done at contract inception based on the product in its completed state, and not during the production process. Therefore, the point in time during production when a product becomes customized and not generic is irrelevant. If it is determined there is no alternative use, the entity has satisfied this criterion and must evaluate its enforceable right to compensation for performance completed to date.

Definitions and Distinctions

ASC 606 defines a contract as “an agreement between two or more parties that creates enforceable rights and obligations”. Accordingly, the definition of a contract may include, but not be limited to, a Purchase Order, Agreement for the Sale of Goods, Bill of Sale, Independent Contractor Agreement, etc. In applying this definition to business operations and revenue recognition, an entity must consider its individual business practices, and possibly individual customer arrangements in determining enforceability.

Once it is determined that the entity has an enforceable right to a payment, the amount of payment must also be considered. The amount that would “compensate” an entity for performance to date should be the estimated selling price of the goods or services transferred to date (for example, recovery of costs incurred plus a reasonable profit margin) rather than compensation for only the entity’s potential loss of profit if the contract were to be terminated. Accordingly, a payment that only covers the entity’s costs incurred to date or for the entity’s potential loss of profit if the contract was terminated does not allow for the recognition of revenue over time.

Compensation for a reasonable profit margin need not equal the profit margin expected if the contract was fulfilled as promised. Once the “enforceable right to compensation for performance completed to date” requirement has been met, an entity will then assess the appropriate method of recognizing revenue over a period of time using input or output methods, as provided under ASC 606.

For manufacturers of highly specialized products there may not be a simple answer for determining appropriate revenue recognition policies for each customer contract and evaluating the impact can be a challenging endeavor.

Next steps

If you would like guidance in analyzing the impact ASC 606 will have on a manufacturer’s financial reporting practices, including the potential impact it may have on bank covenants, borrowing base calculations, etc., please contact one of our dedicated commercial industry practice professionals.
 

Blog
New revenue recognition rules: Evaluating the impact on manufacturers

Just as sports teams need to bring in outside resources — a new starting pitcher, for example, or a free agent QB — in order to get better and win more games, most organizations need to bring in outside resources to win the cybersecurity game. Chapter 4 in our Cybersecurity Playbook for Management looks at how managers can best identify and leverage these outside resources, known as external capacity.

In your last blog, you mentioned that external capacity refers to outside resources — people, processes, and tools — you hire or purchase to improve maturity. So let’s start with people. What advice would you give managers for hiring new staff?
RG: I would tell them to search for new staff within their communities of interest. For instance, if you’re in financial services, use the Financial Services Information Sharing and Analysis Center (FS-ISAC) as a resource. If you’re in government, look to the Multi-State Information Sharing and Analysis Center (MS-ISAC). Perhaps more importantly, I would tell managers what NOT to do.

First, don’t get caught up in the certification trap. There are a lot of people out there who are highly qualified on paper, but who don’t have a lot of real-world experience. Make sure you find people with relevant experience.

Second, don’t blindly hire fresh talent. If you need to hire a security strategist, don’t hire someone right out of college just getting started. While they might know security theories, they’re not going to know much about business realities.

Third, vet your prospective hires. Run national background checks on them, and contact their references. While there is a natural tendency to trust people, especially cybersecurity professionals, you need to be smart, as there are lots of horror stories out there. I once worked for a bank in Europe that had hired new security and IT staff. The bank noticed a pattern: these workers would work for six or seven months, and then just disappear. Eventually, it became clear that this was an act of espionage. The bank was ripe for acquisition, and a second bank used these workers to gather intelligence so it could make a takeover attempt. Every organization needs to be extremely cautious.

Finally, don’t try to hire catchall staff. People in management often think: “I want someone to come in and rewrite all of our security policies and procedures, and oversee strategic planning, and I also want them to work on the firewall.” It doesn’t work that way. A security strategist is very different from a firewall technician — and they come with two completely different areas of focus. Security strategists focus on the high-level relationship between business processes and outside threats, not technical operations. Another point to consider: if you really need someone to work on your firewall, look at your internal capacity first. You probably already have staff who can handle that. Save your budget for other resources.

You have previously touched upon the idea that security and IT are two separate areas.
RG: Yes. And managers need to understand that. Ideally, an organization should have a Security Department and an IT Department. Obviously, IT and Security work hand-in-glove, but there is a natural friction between the two, and that is for good reason. IT is focused on running operations, while security is focused on protecting them. Sometimes, protection mechanisms can disrupt operations or impede access to critical resources.

For example, two-factor authentication slows down the time to access data. This friction often upsets both end users and IT staff alike; people want to work unimpeded, so a balance has to be struck between resource availability and safeguarding the system itself. Simply put, IT sometimes cares less about security and more about keeping end users happy — and while that is important, security is equally important.

What’s your view on hiring consultants instead of staff?
RG: There are plenty of good security consultants out there. Just be smart. Vet them. Again, run national background checks, and contact their references. Confirm the consultant is bonded and insured. And don’t give them the keys to the kingdom. Be judicious when providing them with administrative passwords, and distinguish them in the network so you can keep an eye on their activity. Tell the consultant that everything they do has to be auditable. Unfortunately, there are consultants who will set up shop and pursue malicious activities. It happens — particularly when organizations hire consultants through a third-party hiring agency. Sometimes, these agencies don’t conduct background checks on consultants, and instead expect the client to.

The consultant also needs to understand your business, and you need to know what to expect for your money. Let’s say you want to hire a consultant to implement a new firewall. Firewalls are expensive and challenging to implement. Will the consultant simply implement the firewall and walk away? Or will the consultant not only implement the firewall, but also teach and train your team in using and modifying the firewall? You need to know this up front. Ask questions and agree, in writing, the scope of the engagement — before the engagement begins.

What should managers be aware of when they hire consultants to implement new processes?
RG: Make sure that the consultant understands the perspectives of IT, security, and management, because the end result of a new process is always a business result, and new processes have to make financial sense.

Managers need to leverage the expertise of consultants to help make process decisions. I’ll give you an example. In striving to improve their cybersecurity maturity, many organizations adopt a cybersecurity risk register, which is a document used to list the organization’s cybersecurity risks, record actions required to mitigate those risks, and identify who “owns” the risk. However, organizations usually don’t know best practices for using a risk register. This sort of tool can easily become complex and unruly, and people lose interest when extracting data from a register becomes difficult or consumes a lot of time reading.

A consultant can help train staff in processes that maximize a risk register’s utility. Furthermore, there’s often debate about who owns certain risks. A consultant can objectively arbitrate who owns each risk. They can identify who needs to do X, and who needs to do Y, ultimately saving time, improving staff efficiency, and greatly improving your chances of project success.

Your mention of a cybersecurity risk register naturally leads us to the topic of tools. What should managers know about purchasing or implementing new technology?
RG: As I mentioned in the last blog, organizations often buy tools, yet rarely maximize their potential. So before managers give the green light to purchase new tools, they should consider ways of leveraging existing tools to perform more, and more effective, processes.

If a manager does purchase a new tool, they should purchase one that is easy to use. Long learning curves can be problematic, especially for smaller organizations. I recommend managers seek out tools that automate cybersecurity processes, making the processes more efficient.

For example, you may want to consider tools that perform continuous vulnerability scans or that automatically analyze data logs for anomalies. These tools may look expensive at first glance, but you have to consider how much it would cost to hire multiple staff members to look for vulnerabilities or anomalies.

And, of course, managers should make sure that a new tool will truly improve their organization’s safeguards against cyber-attack. Ask yourself and your staff: Will this tool really reduce our risk?

Finally, managers need to consider eliminating tools that aren’t working or being used. I once worked with an organization that had expensive cybersecurity tools that simply didn’t function well. When I asked why it kept them, I was told that the person responsible for them was afraid that a breach would occur if they were removed. Meanwhile, these tools were costing the organization around $60,000 a month. That’s real money. The lesson: let business goals, and not fear, dictate your technology decisions.

So, what’s next?
RG: So far in this series we have covered the concepts of maturity and capacity. Next, we’re going to look at the concept of discovery. Chapter 5 will focus on internal audit strategies that you can use to determine, or discover, whether or not your organization is using tools and processes effectively.

Blog
External capacity: Cybersecurity playbook for management

It may be hard to believe some seasons, but every professional sports team currently has the necessary resources — talent, plays, and equipment — to win. The challenge is to identify and leverage them for maximum benefit. And every organization has the necessary resources to improve its cybersecurity. Chapter 3 in BerryDunn’s Cybersecurity Playbook for Management looks at how managers can best identify and leverage these resources, known collectively as internal capacity.

The previous two chapters focused on using maturity models to improve an organization’s cybersecurity. The next two are about capacity. What is the difference, and connection, between maturity and capacity, and why is it important? 
RG: Maturity refers to the “as is” state of an organization’s cybersecurity program compared to its desired “to be” state. Capacity refers to the resources an organization can use to reach the “to be” state. There are two categories of capacity: external and internal. External capacity refers to outside resources — people, processes, and tools — you can hire or purchase to improve maturity. (We’ll discuss external capacity more in our next installment.) Internal capacity refers to in-house people, processes, and tools you can leverage to improve maturity. 

Managers often have an unclear picture of how to use resources to improve cybersecurity. This is mainly because of the many demands found in today's business environments. I recommend managers conduct internal capacity planning. In other words, they need to assess the internal capacity needed to increase cybersecurity maturity. Internal capacity planning can answer three important questions:

1. What are the capabilities of our people?
2. What processes do we need to improve?
3. What tools do we have that can help improve processes and strengthen staff capability?

What does the internal capacity planning process look like?
RG: Internal capacity planning is pretty easy to conduct, but there’s no standard model. It’s not a noun, like a formal report. It’s a verb — an act of reflection. It’s a subjective assessment of your team members’ abilities and their capacity to perform a set of required tasks to mature the cybersecurity program. These are not easy questions to ask, and the answers can be equally difficult to obtain. This is why you should be honest in your assessment and urge your people to be honest with themselves as well. Without this candor, your organization will spin its wheels reaching its desired “to be” state.

Let’s start with the “people” part of internal capacity. How can managers assess staff?
RG: It’s all about communication. Talk to your staff, listen to them, and get a sense of who has the ability and desire for improving cybersecurity maturity in certain subject areas or domains, like Risk Management or Event and Incident Response. If you work at a small organization, start by talking to your IT manager or director. This person may not have a lot of cybersecurity experience, but he or she will have a lot of operational risk experience. IT managers and directors tend to gravitate toward security because it’s a part of their overall responsibilities. It also ensures they have a voice in the maturing process.

In the end, you need to match staff expertise and skillsets to the maturity subject areas or domains you want to improve. While an effective manager already has a sense of staff expertise and skillsets, you can add a SWOT analysis to clarify staff strengths, weaknesses, opportunities, and threats.

The good news: In my experience, most organizations have staff who will take to new maturity tasks pretty quickly, so you don’t need to hire a bunch of new people.

What’s the best way to assess processes?
RG: Again, it’s all about communication. Talk to the people currently performing the processes, listen to them, and confirm they are giving you honest feedback. You can have all the talent in the world, and all the tools in the world — but if your processes are terrible, your talent and tools won’t connect. I’ve seen organizations with millions of dollars’ worth of tools without the right people to use the tools, and vice versa. In both situations, processes suffer. They are the connective tissue between people and tools. And keep in mind, even if your current ones are good, most tend to grow stale. Once you assess, you probably need to develop some new processes or improve the ones in place.

How should managers and staff develop new processes?
RG: Developing new ones can be difficult: we’re talking change, right? As a manager, you have to make sure the staff tasked with developing them are savvy enough to make sure the processes improve your organization’s maturity. Just developing a new one, with little or no connection to maturity, is a waste of time and money. Just because measuring maturity is iterative, doesn’t mean your approach to maturing cybersecurity has to be. You need to take a holistic approach across a wide range of cybersecurity domains or subject areas. Avoid any quick, one-and-done processes. New ones should be functional, repeatable, and sustainable; if not, you’ll overburden your team. And remember, it takes time to develop new ones. If you have an IT staff that’s already struggling to keep up with their operational responsibilities, and you ask them to develop a new process, you’re going to get a lot of pushback. You and the IT staff may need to get creative — or look toward outside resources, which we’ll discuss in chapter 4.

What’s the best way to assess tools?
RG: Many organizations buy many tools, yet rarely maximize their potential. And on occasion, organizations buy tools but never install them. The best way to assess tools is to select staff to first measure the organization’s inventory of tools, and then analyze them to see how they can help improve maturity for a certain domain or subject area. Ask questions: Are we really getting the maximum outputs those tools offer? Are they being used as intended?

I’ll give you an example. There’s a company called SolarWinds that creates excellent IT management tools. I have found many organizations use SolarWinds tools in very specific, but narrow, ways. If your organization has SolarWinds tools, I suggest reaching out to your IT staff to see if the organization is leveraging the tools to the greatest extent possible. SolarWinds can do so much that many organizations rarely leverage all its valuable features.

What are some pitfalls to avoid when conducting internal capacity planning?
RG: Don’t assign maturity tasks to people who have been with the organization for a really long time and are very set in their ways, because they may be reluctant to change. As improving maturity is a disruptive process, you want to assign tasks to staff eager to implement change. If you are delegating the supervision of the maturity project, don’t delegate it to a technology-oriented person. Instead, use a business-oriented person. This person doesn’t need to know a lot about cybersecurity — but they need to know, from a business perspective, why you need to implement the changes. Otherwise, your changes will be more technical in nature than strategic. Finally, don’t delegate the project to someone who is already fully engaged on other projects. You want to make sure this person has time to supervise the project.

Is there ever a danger of receiving incorrect information about resource capacity?
RG: Yes, but you’ll know really quickly if a certain resource doesn’t help improve your maturity. It will be obvious, especially when you run the maturity model again. Additionally, there is a danger of staff advocating for the purchase of expensive tools your organization may not really need to manage the maturity process. Managers should insist that staff strongly and clearly make the case for such tools, illustrating how they will close specific maturity gaps.

When purchasing tools a good rule of thumb is: are you going to get three times the return on investment? Will it decrease cost or time by three times, or quantifiably reduce risk by three times? This ties in to the larger idea that cybersecurity is ultimately a function of business, not a function of IT. It also conveniently ties in with external capacity, the topic for chapter four.


Blog
Tapping your internal capacity for better results: Cybersecurity playbook for management

It’s one thing for coaching staff to see the need for a new quarterback or pitcher. Selecting and onboarding this talent is a whole new ballgame. Various questions have to be answered before moving forward: How much can we afford? Are they the right fit for the team and its playing style? Do the owners approve?

Management has to answer similar questions when selecting and implementing a cybersecurity maturity model, and those questions form the basis of this blog – chapter 2 in BerryDunn’s Cybersecurity Playbook for Management.

What are the main factors a manager should consider when selecting a maturity model?
RG: All stakeholders, including management, should be able to easily understand the model. It should be affordable for your organization to implement, and its outcomes achievable. It has to be flexible. And it has to match your industry. It doesn’t make a lot of sense to have an IT-centric maturity model if you’re not an extremely high-tech organization. What are you and your organization trying to accomplish by implementing maturity modeling? If you are trying to improve the confidentiality of data in your organization’s systems, then the maturity model you select should have a data confidentiality domain or subject area.

Managers should reach out to their peer groups to see which maturity models industry partners and associates use successfully. For example, Municipality A might look at what Municipality B is doing, and think: “How is Municipality B effectively managing cybersecurity for less money than we are?” Hint: there’s a good chance they’re using an effective maturity model. Therefore, Municipality A should probably select and implement that model. But you also have to be realistic, and know certain other factors—such as location and the ability to acquire talent—play a role in effective and affordable cybersecurity. If you’re a small town, you can’t compare yourself to a state capital.

There’s also the option of simply using the Cybersecurity Capability Maturity Model (C2M2), correct?
RG: Right. C2M2, developed by the U.S. Department of Energy, is easily scalable and can be tailored to meet specific needs. It also has a Risk Management domain to help ensure that an organization’s cybersecurity strategy supports its enterprise risk management strategy.

Once a manager has identified a maturity model that best fits their business or organization, how do they implement it?
RG: STEP ONE: get executive-level buy-in. It’s critical that executive management understands why maturity modeling is crucial to an organization's security. Explain to them how maturity modeling will help ensure the organization is spending money correctly and appropriately on cybersecurity. By sponsoring the effort, providing adequate resources, and accepting the final results, executive management plays a critical role in the process. In turn, you need to listen to executive management to know their priorities, issues, and resource constraints. When facilitating maturity modeling, don’t drive toward a predefined outcome. Understand what executive management is comfortable implementing—and what the business or organization can afford.

STEP TWO: Identify leads who are responsible for each domain or subject area of the maturity model. Explain to these leads why the organization is implementing maturity modeling, expected outcomes, and how their input is invaluable to the effort’s success. Generally speaking, the leads responsible for subject areas are very receptive to maturity modeling, because—unlike an audit—a maturity model is a resource that allows staff to advocate their needs and to say: “These are the resources I need to achieve effective cybersecurity.”

Third, have either management or these subject area leads communicate the project details to the lower levels of the organization, and solicit feedback, because staff at these levels often have unique insight on how best to manage the details.

The fourth step is to just get to work. This work will look a little different from one organization to another, because every organization has its own processes, but overall you need to run the maturity model—that is, use the model to assess the organization and discover where it measures up for each subject area or domain. Afterwards, conduct work sessions, collect suggestions and recommendations for reaching specific maturity levels, determine what it’s going to cost to increase maturity, get approval from executive management to spend the money to make the necessary changes, and create a Plan of Action and Milestones (POA&M). Then move forward and tick off each milestone.

Do you suggest selecting an executive sponsor or an executive steering committee to oversee the implementation?
RG: Absolutely. You just want to make sure the executive sponsors or steering committee members have both the ability and the authority to implement changes necessary for the modeling effort.

Should management consider hiring vendors to help implement their cybersecurity maturity models?
RG: Sure. Most organizations can implement a maturity model on their own, but the good thing about hiring a vendor is that a vendor brings objectivity to the process. Within your organization, you’re probably going to find erroneous assumptions, differing opinions about what needs to be improved, and bias regarding who is responsible for the improvements. An objective third party can help navigate these assumptions, opinions, and biases. Just be aware some vendors will push their own maturity models, because their models require or suggest organizations buy the vendors’ software. While most vendor software is excellent for improving maturity, you want to make sure the model you’re using fits your business objectives and is affordable. Don’t lose sight of that.

How long does it normally take to implement a maturity model?

RG: It depends on a variety of factors and is different for every organization. Keep in mind some maturity levels are fairly easy to reach, while others are harder and more expensive. It goes without saying that well-managed organizations implement maturity models more rapidly than poorly managed organizations.

What should management do after implementation?
RG: Run the maturity model again, and see where the organization currently measures up for each subject area or domain. Do you need to conduct a maturity model assessment every year? No, but you want to make sure you’re tracking the results year over year in order to make sure improvements are occurring. My suggestion is to conduct a maturity model assessment every three years.

One final note: make sure to maintain the effort. If you’re going to spend time and money implementing a maturity model, then make the changes, and continue to reassess maturity levels. Make sure the process becomes part of your organization’s overall strategic plan. Document and institutionalize maturity modeling. Otherwise, the organization is in danger of losing this knowledge when the people who spearheaded the effort retire or pursue new opportunities elsewhere.

What’s next?
RG: Over the next couple of blogs, we’ll move away from talking about maturity modeling and begin talking about the role capacity plays in cybersecurity. Blog #3 will instruct managers on how to conduct an internal assessment to determine if their organizations have the people, processes, and technologies they need for effective cybersecurity.


Blog
Selecting and implementing a maturity model: Cybersecurity playbook for management

For professional baseball players who get paid millions to swing a bat, going through a slump is daunting. The mere thought of a slump conjures up frustration, anxiety and humiliation, and in extreme cases, the possibility of job loss.

The concept of a slump transcends sports. Just glance at the recent headlines about Yahoo, Equifax, Deloitte, and the Democratic National Committee. Data breaches occur on a regular basis. Like a baseball team experiencing a downswing, these organizations need to make adjustments, tough decisions, and major changes. Most importantly, they need to realize that cybersecurity is no longer the exclusive domain of Chief Information Security Officers and IT departments. Cybersecurity is the responsibility of all employees and managers: it takes a team.

When a cybersecurity breach occurs, people tend to focus on what goes wrong at the technical level. They often fail to see that cybersecurity begins at the strategic level. With this in mind, I am writing a blog series to outline the activities managers need to take to properly oversee cybersecurity, and remind readers that good cybersecurity takes a top-down approach. Consider the series a cybersecurity playbook for management. This Q&A blog — chapter 1 — highlights a basic concept of maturity modeling.

Let’s start with the basics. What exactly is a maturity model?
RG: A maturity model is a framework that assesses certain elements in an organization, and provides direction to improve these elements. There are project management, quality management, and cybersecurity maturity models.

Cybersecurity maturity modeling is used to set a cybersecurity target for management. It’s like creating and following an individual development program. It provides definitive steps to take to reach a maturity level that you’re comfortable with — both from a staffing perspective, and from a financial perspective. It’s a logical road map to make a business or organization more secure.

What are some well-known maturity models that agencies and companies use?
RG: One of the first, and most popular, is the Program Review for Information Security Management Assistance (PRISMA), still in use today. Another is the Capability Maturity Model Integration (CMMI) model, which focuses on technology. Then there are some commercial maturity models, such as the Gartner Maturity Model, that organizations can pay to use.

The model I prefer is the Cybersecurity Capability Maturity Model (C2M2), developed by the U.S. Department of Energy. I like C2M2 because it directly maps to the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) compliance, which is a prominent industry standard. C2M2 is easily understandable and digestible, it scales to the size of the organization, and it is constantly updated to reflect the most recent U.S. government standards. So, it’s relevant to today’s operational environment.

Communication is one of C2M2’s strengths. Because there is a mechanism in the model requiring management to engage and support the technical staff, it facilitates communication and feedback at not just the operational level, but at the tactical level, and more significantly, the management level, where well-designed security programs start.

What’s the difference between process-based and capability-based models?
RG: Process-based models focus on performance or technical aspects — for example, how mature are processes for access controls? Capability-based models focus on management aspects — is management adequately training people to manage access controls?

C2M2 combines the two approaches. It provides practical steps your organization can take, both operationally and strategically. Not only does it provide the technical team with direction on what to do on a daily basis to help ensure cybersecurity, it also provides management with direction to help ensure that strategic goals are achieved.

Looking at the bigger picture, what does an organization look like from a managerial point of view?
RG: First, a mature organization communicates effectively. Management knows what is going on in their environment.

Most of them have very competent staff. However, staff members don’t always coordinate with others. I once did some security work for a company that had an insider threat. The insider threat was detected and dismissed from the company, but management didn’t know the details of why or how the situation occurred. Had there been an incident response plan in place (one of the dimensions C2M2 measures) — or even some degree of cybersecurity maturity in the company, they would’ve had clearly defined steps to take to handle the insider threat, and management would have been aware from an early stage. When management did find out about the insider threat, it became a much bigger issue than it had to be, and wasted time and resources. At the same time, the insider threat exposed the company to a high degree of risk. Because upper management was unaware, they were unable to make a strategic decision on how to act or react to the threat.

That’s the beauty of C2M2. It takes into account the responsibilities of both technical staff and management, and has a built-in communication plan that enables the team to work proactively instead of reactively, and shares cybersecurity initiatives between both management and technical staff.

Second, management in a mature organization knows they can’t protect everything in the environment — but they have a keen awareness of what is really important. Maturity modeling forces management to look at operations and identify what is critical and what really needs to be protected. Once management knows what is important, they can better align resources to meet particular challenges.

Third, in a mature organization, management knows they have a vital role to play in supporting the staff who address the day-to-day operational and technical tasks that ultimately support the organization’s cybersecurity strategy.

What types of businesses, not-for-profits, and government agencies should practice maturity modeling?
RG: All of them. I’ve been in this industry a long time, and I always hear people say: “We’re too small; no one would take any interest in us.”

I conducted some work for a four-person firm that had been hired by the U.S. military. My company discovered that the firm had a breach and the four of them couldn’t believe it because they thought they were too small to be breached. It doesn’t matter what the size of your company is: if you have something someone finds very valuable, they’re going to try to steal it. Even very small companies should use cybersecurity models to reduce risk and help focus their limited resources on what is truly important. That’s maturity modeling: reducing risk by using approaches that make the most sense for your organization.

What’s management’s big takeaway?
RG: Cybersecurity maturity modeling aligns your assets with your funding and resources. One of the most difficult challenges for every organization is finding and retaining experienced security talent. Because maturity modeling outlines what expertise is needed where, it can help match the right talent to roles that meet the established goals.

So what’s next?
RG: In our next installment, we’ll analyze what a successful maturity modeling effort looks like. We’ll discuss the approach, what the outcome should be, and who should be involved in the process. We’ll discuss internal and external cybersecurity assessments, and incident response and recovery.


Blog
Maturity modeling: Cybersecurity playbook for management

Are you in control? Preparing the internal control documentation required by the COSO framework can be difficult and daunting for some financial institutions. In our work with clients who are preparing to meet COSO requirements, we see a handful of areas banks can address to keep their implementation on track:

  1. Control environment
  2. Risk assessment
  3. Control activities
  4. Information and communication
  5. Monitoring activities

Because the framework is not highly prescriptive about specific internal controls, there are several practical considerations and actions to take that can help you focus on areas that are easily overlooked. Spreadsheet controls, sample sizes, exception monitoring, testing, and commonly missed controls make up the bulk of what to consider. By focusing your efforts on these areas, you can more efficiently reduce potential audit findings by making changes to your internal control process.

My colleagues and I provide more detail about specifically how and what to address in our white paper "INTERNAL CONTROL OVER FINANCIAL REPORTING: Best Practices & Useful Strategies for Creating an Effective System of Internal Control."

The bottom line? Prepare now to save time -- and potentially reduce audit findings -- later. Once you have your process in place, you won't have to scramble to implement controls during the year you become subject to an integrated audit under SOX 404 / FDICIA. Learn more about improving your institution's internal controls: Download our whitepaper and get ready now!

Blog
Be prepared: Hit the right notes and avoid an implementation scramble when preparing for COSO

When last we blogged about the Financial Accounting Standards Board’s (FASB) new “current expected credit losses” (CECL) model for estimating an allowance for loan and lease losses (ALLL), we reviewed the process for developing reasonable and supportable forecasts for use in establishing the ALLL. Once you develop those forecasts, how does that information translate into amounts to set aside for loan losses?

A portion of the ALLL will continue to be based on specifically identified loans you’re concerned about. For those loans, you will continue to establish a specific component of the ALLL based on your estimate of the loss ultimately expected on the loans.

The tricky part, of course, is estimating an ALLL for the other 99% of the loan portfolio. This is where the forecasts come in. The new rules do not prescribe a particular methodology, and banking regulators have indicated community banks will likely be able to continue with their current approach, adjusted to use appropriate inputs in a manner that complies with the CECL model. One of the biggest challenges is the expectation in CECL that the ALLL will be estimated using the institution’s historical information, to the extent available and relevant.

Following is just one of many ways you can approach it. I’ve also included a link at the end of this article to an example illustrating this approach.

Step One: Historical Loss Factors

  1. For a given subset of the loan portfolio (e.g., the residential loan pool), you might first break down the portfolio by the number of years remaining until expected payoff (via maturity or refinancing). This is important because, on average, a loan with seven years remaining until expected payoff will have a higher level of remaining lifetime losses than a loan with one year remaining. It therefore generally wouldn’t be appropriate to use the same loss factor for both loans.
     
  2. Next, decide on a set of drivers that tend to correlate with loan losses over time. FASB has indicated it doesn’t expect highly mathematical correlation models will be necessary, especially for community banks. Instead, select factors in your bank’s experience indicative of future losses. These may include:
    • External factors, such as GDP growth, unemployment rates, and housing prices
    • Internal factors such as delinquency rates, classified asset ratios, and the percentage of loans in the portfolio for which certain policy exceptions (e.g., loan-to-value ratio or minimum credit score) were granted
       
  3. Once you select this set of drivers, find an historical loss period — a period of years corresponding to the estimated remaining life of the portfolio in question — where the historical drivers best approximate those you’re expecting in the future, based on your forecasts. For that historical loss period, determine the lifetime remaining loss rates of the loans outstanding at the beginning of that period, broken down by the number of years remaining until payoff. (This may require significant data mining, especially if that historical loss period was quite a few years ago.)
     
  4. Apply those loss rates to the breakdown derived in (a) above, by years remaining until maturity.

Step Two: Adjustments to Historical Loss Rates

The CECL model requires we adjust historical loss factors for conditions that may not be adequately captured by the historical loss period analysis we’ve just described. Let’s say a particular geographical subset of your market area is significantly affected by the economic fortunes of a large employer in that area. Based on economic trends or recent developments, you might expect that employer to have a particularly bright – or dim – future over the forecast period; accordingly, you forecast loans to borrowers in that area will have losses that differ significantly from the rest of the portfolio.

The approach for these loans is the same as in the previous step. However:

  • In substep (c), you would focus on forecasted conditions (such as unemployment rate and changes in real estate values) in the geographical area in which the significant employer is located.
  • You would then select an historical loss period that had actual conditions for that area that best correspond to those you’ve just forecasted.
  • In substep (d), you would determine the lifetime remaining loss rates of loans outstanding at the beginning of that period.
  • In substep (e), you would apply those rates to loans in that geographic area.

These loans would be segregated from the remainder of the portfolio, which would be subject to the general approach in step one. As you think through this approach, there are myriad variations and many decisions to make, such as:

  • How to break down the portfolio
  • Which conditions to analyze
  • How to analyze the conditions for correlation with historical loss periods
  • Which resulting loss factors to apply to which loans

Our intent in describing this methodology is to help your CECL implementation team start the dialogue in terms of converting theoretical concepts in the CECL model to actual loans and historical experience.

To facilitate that discussion, we’ve included a very simple example here that illustrates the steps described above. Analyzing an entire loan portfolio under the CECL model is an exponentially more complex process, but the concepts are the same — forecasting future conditions, and establishing an ALLL based on the bank’s (or, when necessary, peers’) lifetime loan loss experience under similar historical conditions.

Given the amount of number crunching and analysis necessary, and the potentially significant increase in the ALLL that may result from a lifetime-of-loan loss model, it’s safe to say the time to start is now! If you have any questions about CECL implementation, please contact Tracy Harding or Rob Smalley.

Other resources
For more information on CECL, check out our other blogs:

  • CECL: Where to Start
  • CECL: Bank and Branch Acquisitions
  • CECL: Reasonable and Supportable

Blog
CECL implementation: So, you've developed reasonable and supportable forecasts — now what?

Recently, federal banking regulators released an interagency financial institution letter on CECL, in the form of a Q&A. Read it here. While there weren’t a lot of new insights into expectations examiners may have upon adoption, here is what we gleaned, and what you need to know, from the letter.

ALLL Documentation: More is better

Your management will be required to develop reasonable and supportable forecasts to determine an appropriate estimate for their allowance for loan and lease losses (ALLL). Institutions have always worked under the rule that accounting estimates need to be supported by evidence. Everyone knows both examiners and auditors LOVE documentation, but how much is necessary to prove whether the new CECL estimate is reasonable and supportable? The best answer I can give you is “more”.

And regardless of the exact model institutions develop, there will be significantly more decision points required with CECL than with the incurred loss model. At each point, both your management and your auditors will need to ask, “Why this path vs. another?” Defining those decision points and developing a process for documenting the path taken while also exploring alternatives is essential to build a model that estimates losses under both the letter and the spirit of the new rules. This is especially true when developing forecasts. We know you are not fortune tellers. Neither are we.

The challenge will be to document the sources used for forecasts, making the connections between that information and its effect on your loss data as clear as possible, so the model bases the loss estimate on your institution’s historical experience under conditions similar to those you’re forecasting, to the extent possible.

Software may make this easier… or harder.               

The leading allowance software applications allow for virtually instantaneous switching between different models, permitting users to test various assumptions in a painless environment. These applications feature collection points that enable users to document the basis for their decisions that become part of the final ALLL package. Take care to try and ensure that the support collected matches the decisions made and assumptions used.

Whether you use software or not, there is a common set of essential controls to help ensure your ALLL calculation is supported. They are:

  • Documented review and recalculation of the ALLL estimate by a qualified individual(s) independent of the preparation of the calculation
  • Control over reports and spreadsheets that include data that feed into the overall calculation
  • Documentation supporting qualitative factors, including reasonableness of the resulting reserve amounts
  • Controls over loan ratings if they are a factor in your model
  • Controls over the timeliness of charge-offs

In the process of implementing the new CECL guidance it can be easy to focus all of your effort on the details of creating models, collecting data and getting to a reasonable number. Based on the regulators’ new Q&A document, you’ll also want to spend some time making sure the ALLL number is supportable.  

Next time, we’ll look at a lesser known section of the CECL guidance that could have a significantly negative impact on the size of the ALLL and capital as a result: off-balance-sheet credit exposures.  


Blog
CECL: Reasonable and supportable? Be ready to be ALLL in

By now, pretty much everyone in the banking industry has heard plenty of talk about CECL – the forthcoming “Current Expected Credit Loss” model of accounting for an institution’s allowance for loan losses (ALL). While the previous “Incurred Loss” model has been problematic to implement conceptually, and most of us thought CECL would improve ALL accounting and make it more comparable to how banks account for other debt instruments, it’s beginning to feel a bit like the dog who caught the car – now that we have this model, how the heck do we implement it?

The good news – we have a number of years before CECL’s effective date, and thus have some time to better understand the new rules and how to adapt an institution’s ALL model to reflect them. The bad news – the banking regulators recently announced they want banks to get cracking on this, and will expect to see some progress when they visit during upcoming exams – maybe not immediately, but likely at some point during the 2017 exam cycle.

This is the third in a series of articles addressing various aspects of this complex pronouncement. We hope that they provide you with practical advice that can help you get started on the nuts and bolts of CECL implementation.

Our previous article offered pointers on building the CECL team, brainstorming the process, and starting the data gathering conversation. In this article, we look at how to implement CECL when acquiring another bank, one or more branches of another bank, or simply a loan portfolio, such as a group of auto or credit card loans.

First, Let’s Remember the Basics

The basic premise of CECL is that lifetime expected losses are to be booked at origination (or, in the case of an acquisition, at the acquisition date). You’ve likely heard some gnashing of teeth over the fact that this means losses are recorded “on Day One”, which many of us have some degree of conceptual difficulty with: For example, a higher risk loan will likely carry a higher yield at origination, so booking a higher level of expected losses on Day One (through the ALL) and the offsetting higher yield over the loan term (through interest income) feels like a mismatch between income and expense.

The Financial Accounting Standards Board (FASB) was sympathetic to this point, and spent a lot of time pondering it. Its international equivalent, the International Accounting Standards Board (IASB), which establishes – you guessed it – international accounting standards, actually tackled this issue by precluding Day One losses, unless they were expected to materialize within one year of origination (Day 365 losses?).

This approach, however, has led to a fairly convoluted – and challenging – model, which is already drawing a fair amount of criticism in the international community. In the end, although they had hoped to have a “converged” standard that would result in the same approach for U.S. and international institutions, FASB and the IASB decided to part company and use different models.

The short answer? We have to accept the notion of Day One losses as the price to pay for a less convoluted (but still complex to implement) model. This becomes important to remember as we look at accounting for acquisitions.

Accounting for Acquisitions

Whether you’re acquiring a pool of loans, a branch, or an entire institution, the basic accounting under CECL is the same, and it’s the same (with a twist) as the accounting for originated loans: an ALL should be established for the purchase price allocated to the loans, and that ALL should reflect management’s estimate of the lifetime losses in the acquired portfolio.

Before we get into the details of how to do this, let’s take a moment to celebrate. Prior to CECL, it was not permissible to establish an initial ALL for acquired loans. Many bankers – and investors – complained that this made it difficult to compare one bank to another on metrics such as ALL coverage ratios. If one bank had a strategy that included acquisitions, and another didn’t, their ALLs would likely be quite different even if their loan portfolios and estimated incurred losses were similar. Now, with the CECL model, these two banks’ financial statements are much easier to compare.

As noted above, an ALL should be established for these loans under CECL, using the same methodology you would use for originated loans. The twist relates to what to do with the other side of the entry. The solution:

  • For loans with a more-than-insignificant amount of credit deterioration since origination, the offset is to add this amount to the amount originally recorded for the purchase price allocated to the loans.
  • For the rest of the acquired portfolio, the offset is to loan loss expense. That’s right, your provision is increased by the amount of ALL recorded in the transaction, except as noted in the previous bullet.

Why is this so? FASB is apparently assuming that:

  • Buyers adjust the purchase price for the first item above. These loans, which we used to call “purchased – credit impaired (PCI)”, and now will call “purchased – credit deteriorated (PCD)” under CECL, are the loans with hair on them. They probably got some extra scrutiny during due diligence, thus theoretically depressing the purchase price a bit. Therefore, the amount of the purchase price allocated to loans is a lower number, and offsetting the establishment of the ALL by adding that amount to the purchase price assigned to the loans properly “grosses up” the recorded loan balance.
  • Buyers don’t adjust the purchase price for other loans. This is probably true, as the lifetime losses on loans that aren’t PCD are just the cost of doing business for financial institutions. Therefore, as it is with originated loans, a big Day One provision is booked at closing.

It should be noted that the extent to which the definition of PCD loans differs from the previous definition of PCI loans depends on your interpretation of the old PCI definition. It appears clear that the new definition of PCD loans refers to loans that have specific indicators of significant credit deterioration since origination.

Let’s look at an example:

A bank buys three branches from another bank, which have total loans with a principal balance of $20 million and a fair value of $20,100,000. The portfolio includes loans with a principal balance of $1 million, and a fair value of $910,000, that are PCD.

The buyer bank determines the ALL under CECL would be $100,000 for the PCD loans and $475,000 for the rest of the acquired portfolio. Thus, the buyer bank records an ALL of $575,000. What’s the offset? As noted above:

  • For the PCD loans, the offsetting $100,000 will be added to the $910,000 of purchase price allocated to those loans. As a result, these loans will have a gross amount allocated of $910,000 plus $100,000, or $1,010,000, which will then be reduced by an ALL of $100,000 on the balance sheet, for a net reported amount of $910,000 (their fair value). The difference between the gross amount assigned ($1,010,000) and the principal balance ($1 million), or $10,000, represents an implied adjustment to reflect current market interest rates, and is therefore amortized over the expected loan term through interest income.
  • For the rest, the offsetting $475,000 will be an increase to the provision for loan losses, and will thus reduce income.

The last number could be a big one for institutions that do large or frequent acquisitions; thus, their balance sheets may be more comparable to other banks, but their income statements in the year of acquisition won’t be! The good news – like other acquisition costs such as legal fees and conversion expenses, this amount will be separately disclosed, so a reader can adjust for it if they believe it’s appropriate to do so.

Next time, we’ll look at the nuts and bolts of CECL’s concept of “reasonable and supportable” by considering proper documentation and controls over the ALL.   


Blog
How our new friend CECL affects bank and branch acquisitions

So you want to be a chief financial officer?

Whether you are looking to transition into a new role for your current company or head out into the job market, taking your financial skills to the next level is within your reach. As a controller, you already have a number of skills that will serve as a foundation for the role of CFO. Putting it all together is the next step.

Chances are, you’ve already been responsible for the accounting, budgeting, cash-flow management, and all the financial data coming in and out of your organization. If it’s numbers related, you’ve got it covered – and you’re on time, all the time, when reports and analytics are due.

But you also know that becoming a CFO requires an additional set of skills – not just the technical skills you’ve honed over the years, but additional leadership and strategic financial skills. So, how do you know if you’re doing what you can to take your financial career to the next level? Consider these seven keys to transition success:

  1. Prepare to be a leader. Whereas your focus was once on the day-to-day operations, carrying out directives from the CFO and/or CEO, as a CFO you are now in a position to create financial and operational strategies that drive growth for the organization. According to a 2014 survey released by ACCA Global entitled “Tomorrow’s Finance Enterprise,” leadership skills were identified as the most important future CFO management skills. Focus on the long term and be able to articulate your ideas and vision to other executives in the company. Try to get assigned to specific projects that allow you to be involved in the initial planning and decision-making stages to demonstrate your vision to others.
     
  2. Embrace technology. 93 percent of the senior financial executives surveyed in a CFO research study reported that the CFO of the future will need a much stronger technology skill set than is currently required for the job. This means the relationship between IT and Finance is intricately linked. The cloud is dramatically changing the way companies are doing business, as records and information reside outside the company’s walls, bringing in new questions about control, security, and potentially, costs. Staying on top of how technology is changing and impacting business operations will be paramount as you look to step into a broader role.
     
  3. Identify trends. According to the ACCA survey, articulating and understanding business value drivers and broader industry trends are listed as the most important areas of business knowledge needed by future CFOs. It’s not enough to keep up with quality control or to make sure the company’s financial reporting is accurate and in compliance. As a CFO, you must have a good understanding of the business issues and conditions underlying the financials and be able to analyze your company’s financial strengths and weaknesses. As a strategic partner to the CEO, you play a critical role in the direction the company will take to capitalize on opportunities needed to remain successful.
     
  4. Delegate tasks. Embrace this idea. Removing yourself from the minute details of the day-to-day allows you to better see the forest for the trees and develop the leadership and strategic skills of a CFO. Surround yourself with people you trust who can focus on the detailed (and very important) aspects of financial systems and processes. By delegating appropriately, you build a strong team that allows you to step more fully into a leadership position within the company. It is still your responsibility to see that tasks and projects are done correctly, so make sure expectations and deadlines are clear from the beginning.
     
  5. Build relationships. Ask questions, observe the interaction between leaders of different parts of your organization, and understand how the team leads—together. Get to know your colleagues and what they do. Be generous with your knowledge and ask questions – a lot of them.
     
  6. Find a mentor. Realize that you will need support. Moving from Controller to CFO is a significant change in responsibility, so find people who have already succeeded at doing the same thing. It’s important to have your own “board of directors” – a team that can help you in various ways, from being a sounding board to offering some tough love, or helping you hash out a challenge. And you will indeed have challenges. As you stretch into your new role or take on new types of assignments, they can feel overwhelming. They [probably] are not. Learn to embrace them and work with your mentor or mentors to handle them more effectively.
     
  7. Allow for growth and learn from your mistakes. No one wants to make mistakes, but you will. Moving into a bigger role always provides for “teachable moments” and growth. This is good! People understand that mistakes are part of the territory, as long as you learn from them and understand how to avoid making the same one again. Set your expectations high while giving yourself a period of time to adjust to your new position. Stay accountable and communicate well — and remember to ask for help when you need it.

Moving into a larger, more strategic role can be an exciting, albeit daunting, transition. With thought, preparation and vision, it’s something you can prepare yourself for, and you can continue to excel at the next level.

Blog
Making the transition from controller to CFO: 7 keys to success

Financial fraud by the numbers

In a June 2016 Gallup poll, 72 percent of respondents said they had “very little” or only “some” confidence in banks.1 This lack of confidence lives alongside recent headlines—including major fraud schemes revealed at Deutsche Bank this summer—and the fact that the financial services industry is the most affected sector in the world when it comes to occupational fraud.

Financial institutions account for 16.8% of all occupational fraud worldwide, with a median loss of $192,000 per case.2 Longer running, complex schemes can cost organizations much more—overall, 23% of fraud cases in 2015 caused losses of $1 million or more.3

What does a fraudster look like, and how do they commit their crimes? How do you prevent fraud from happening at your organization? And how can you strengthen an already robust anti-fraud program?

Profile of a fraudster

One of the most difficult tasks any organization faces is identifying and preventing potential cases of fraud. This is especially challenging because the majority of employees who commit fraud are first-time offenders with no record of criminal activity, or even termination at a previous employer.

The 2016 report from the Association of Certified Fraud Examiners (ACFE) reveals a few commonalities between fraudsters:4

  • 3% of fraudsters had no criminal background
  • Men committed 69% of frauds and women committed 31%
  • More than half of fraudsters were between the ages of 31 and 45
  • 3% of fraudsters were an employee, 31% worked as a manager and 20% operated at the executive/owner level

Employees who committed fraud displayed certain behaviors during their schemes. The ACFE reported these top red flags:5

  • Living beyond means – 45.8%
  • Financial difficulties – 30.0%
  • Unusually close association with vendor/customer – 20.1%
  • Control issues, unwillingness to share duties – 15.3%

These figures give us a general sense of who commits fraud and why. But in all cases, the most pressing question remains: how do you prevent the fraud from happening?

Preventing fraud: A two-pronged approach

As a proactive plan for preventing fraud, we recommend focusing time and energy on two distinct facets of your operations: leadership tone and internal controls.

Leadership tone

The Board of Directors and senior management are in a powerful position to prevent fraud. By fostering a culture of zero-tolerance for fraud at the top of an organization, you can diminish opportunity for employees to consider, and attempt, fraud.

It is crucial to start at the top. Not only does this send a message to the rest of the company, but in the United States, frauds committed at the executive level had a median loss of $500,000 per case, compared to a median loss of $54,000 when a lower level employee perpetrated the fraud.6

A specific action plan for the Board of Directors is outlined in our free white paper on financial institution fraud.

Internal controls

Every financial institution uses internal controls in its daily operations. Yet over half of all frauds could be prevented if internal controls were implemented or more strongly enforced.7

The importance of internal controls cannot be overstated. Every organization should closely examine its internal controls and determine where they can be strengthened – even financial institutions with strong anti-fraud measures in place. 

The experts at BerryDunn have created a checklist of the top 10 internal controls for financial institutions, available in our white paper on preventing fraud. This is a list that we encourage every financial leader to read. By strengthening your foundation, your company will be in a powerful place to prevent fraud.

Read more to prevent fraud

Employees are your greatest strength and number one resource. Taking a proactive, positive approach to fraud-prevention maintains the value employees bring to a financial institution, while focusing on realistic measures to discourage fraud.

In our free whitepaper on preventing financial institution fraud, we take a deeper look at how to successfully implement a strong anti-fraud plan.

Commit to strengthening fraud prevention and you will instill confidence in your Board, employees, customers and the general public. It’s a good investment for any financial institution.

1 http://www.gallup.com/poll/1597/confidence-institutions.aspx
2-7 Report to the Nations on Occupational Fraud and Abuse: 2016 Global Fraud Study, The Association of Certified Fraud Examiners, p. 34-35

Blog
Preventing fraud at financial institutions: An anti-fraud plan is the best investment you can make