Skip to Main Content

blogpost

FASB and GASB news: Postponement of the lease accounting standards

04.27.20

Read this if your organization, business, or institution has leases and you’ve been eagerly awaiting and planning for the implementation of the new lease standards.

Ready? Set? Not yet. As we have prepared for and experienced delays related to Financial Accounting Standards Board (FASB) Accounting Standards Codification Topic 842, Leases, we thought the time had finally come for implementation. With the challenges that COVID-19 has brought to everyone, the FASB recognizes the significant impact COVID-19 has brought to commercial businesses and not-for-profits and is proposing a one-year delay in implementation, as described in this article posted to the Journal of Accountancy: FASB effective date delay proposals to include private company lease accounting.

But what about lease concessions? We all recognize many lessors are making concessions due to the pandemic. Under current guidance in Topics 840 and 842, changes to lease contracts that were not included in the original lease are generally accounted for as lease modifications and, therefore, a separate contract. This would require remeasurement of the new lease contract and related right-of-use asset. FASB recognized this issue and has published a FASB Staff Questions and Answers (Q&A) Document,  Topic 842 and Topic 840: Accounting for Lease Concessions Related to the Effects of the COVID-19 Pandemic. Under this new guidance, if lease concessions are made relating to COVID-19, entities do not need to analyze each contract to determine if a new contract has been entered into, and will have the option to apply, or not to apply, the lease modification provisions of Topics 840 and 842.

Implementation of the lease accounting standard will most likely be delayed for Governmental Accounting Standards Board (GASB) entities as well. On April 15, 2020, the GASB issued an exposure draft that would delay most GASB statements and implementation guides due to be implemented for fiscal years 2019 and later. Most notably, this includes Statement 84, Fiduciary Activities, and Statement 87, Leases. Comments on the proposal will be accepted through April 30, and the board plans to consider a final statement for issuance on May 8. More information may be found in this article from the Journal of Accountancy: GASB proposes postponing effective dates due to pandemic.

More information

Whether you are a FASB or GASB entity, you can expect a delay in the implementation of the lease standard. If you have questions, please contact a member of our financial statement audit team. For other COVID-19 related resources, please refer to BerryDunn’s COVID-19 Resources Page.

Related Professionals

Read this if your organization, business, or institution is receiving financial assistance as a direct result of the COVID-19 pandemic.

Many for-profit and not-for-profit organizations are receiving financial assistance as a direct result of the COVID-19 pandemic. While there has been some guidance, there are still many unanswered questions. One unanswered question has been whether or not any of this financial assistance will be subject to the Single Audit Act. Good news―there’s finally some guidance:

  • For organizations receiving financial assistance through the Small Business Administration (SBA) Payroll Protection Program (PPP), the SBA made the determination that financial assistance is not subject to the Single Audit.
  • The other common type of financial assistance through the SBA is the Emergency Injury Disaster Loan (EIDL) program. The SBA has made the determination that as these are direct loans with the federal government, they will be subject to the Single Audit. 

It is unlikely there will be guidance within the 2020 Office of Management and Budget (OMB) Compliance Supplement related to testing the EIDL program as the Compliance Supplement anticipated in June 2020 will not have any specific information relative to COVID-19. The OMB announced they will likely be issuing an addendum to the June supplement information specific to COVID-19 by September 2020.

Small and medium-sized for-profit organizations have been able to access funds through the Main Street Lending Program, which is comprised of the Main Street New Loan Facility, the Main Street Priority Loan Facility, and the Main Street Expanded Loan Facility. We do not currently know how, or if, the Single Audit Act will apply to these loans. Term sheets and frequently asked questions can be accessed on the Federal Reserve web page for the Main Street Lending Program.

Not-for-profits have also received additional financial assistance to help during the COVID-19 pandemic, through Medicare and Medicaid, and through the Higher Education Emergency Relief Fund (HEERF). While no definitive guidance has been received, HEERF funds, which are distributed through the Department of Education’s Education Stabilization Fund, have been assigned numbers in the Catalog of Federal Domestic Assistance, which seems to indicate they will be subject to audit. We are currently awaiting guidance if these programs will be subject to the Single Audit Act and will update this blog as that information becomes available.

If you have questions about accounting for, or reporting on, funds that you have received as a result of the COVID-19 pandemic, please contact a member of our Single Audit Team. We’re here to help.

Blog
COVID-19: Single audit and uniform guidance clarifications

BerryDunn’s Healthcare/Not-for-Profit Practice Group members have been working closely with our clients as they navigate the effect the COVID-19 pandemic will have on their ability to sustain and advance their missions.

We have collected several of the questions we received, and the answers provided, so that you may also benefit from this information. We will be updating our COVID-19 Resources page regularly. If you have a question you would like to have answered, please contact Sarah Belliveau, Not-for-Profit Practice Area leader, at sbelliveau@berrydunn.com.

The following questions and answers have been compiled into categories: stabilization, cash flow, financial reporting, endowments and investments, employee benefits, and additional considerations.

STABILIZATION
Q: Is all relief focused on small to mid-size organizations? What can larger nonprofit organizations participate in for relief?
A:

We have learned that there is an as-yet-to-be-defined loan program for mid-sized employers between 500-10,000 employees. You can find information in the Loans Available for Nonprofits section (link below) of  the CARES Act as well as on the Independent Sector CARES Act web page, which will be updated regularly.

Q: Should I perform financial modeling so I can understand the impact this will have on my organization? Things are moving so fast, how do I know what federal programs are available to provide assistance?
A:

The first step in developing a short-term model to navigate the next few months is to gain an understanding of the programs available to provide assistance. These resources summarize some information about available programs:

Loans Available for Nonprofits in the CARES Act
Families First Coronavirus Response Act (FFCRA): FAQs for Businesses
CARES Act Tax Provisions for Not-for-Profit Organizations

The next step is to develop scenarios ranging from best case to worst case to analyze the potential impact of revenue and/or cost reductions on the organization. Modeling the various options available to you will help to determine which program is best for your organization. Each program achieves a different objective – for instance:

  • The Paycheck Protection Program can assist in retaining employees in the short term.
  • The Emergency Economic Injury Grants are helpful in covering a small immediate liquidity need.
  • The Small Business Debt Relief Program provides aid to those concerned with making SBA loan payments.

Additionally, consider non-federal options, such as discussing short-term deferrals with your current bank.

Q: How should I create a financial forecast/model for the next year?
A:

If you have the benefit of waiting, this is likely a time period in which it makes sense to delay significant in-depth forecasting efforts, particularly if your business environment is complicated or subject to significantly volatility as a result of recent events. The concern with beginning to model for future periods, outside of the next three-to-six months, is that you’ll be using information that is incomplete and ever-changing. This could lead to snap judgments that are short-term in nature and detrimental to long-term planning and success of your organization. 

With that said, we recognize that delaying this analysis will be unsettling to many CFOs and business managers who need to have a strategy moving forward. In developing this model for next year, consider the following elements of a strong model:

  1. Flexible and dynamic – Allow room for the model to adapt as more information is available and as additional insight is requested by your constituents (board members, department heads, lenders, etc.).
  2. Prioritize – Start with your big-ticket items. These should be the items that drive results for the organization. Determine what your top two to three revenue and expense categories are and focus on wrapping your arms around the future of those. From there, look for other revenue and expense sources that show correlation with one of the big two to three. Using a dynamic model, these should be automatically updated when assumptions on correlated items change. Don’t waste time on items that likely don’t impact decision making. Finally, build consensus on baseline assumptions, whether it be through management or accounting team, the board, or finance committee.
  3. Stress-test – Provide for the reality that your assumptions, and thus model, will be wrong. Develop scenarios that run from best-case to worst-case. Be honest with your assumptions.
  4. Identify levers – As you complete stress-testing, identify your action plan under different circumstances. What are expenditures that can be deferred in a worst-case scenario? What does staffing look like at various levels?
  5. Cash is king – The focus on forecasting and modeling is often on the net income of the organization and the cash flows generated. In a time such as this, the exercise is likely to focus on future liquidity. Remember to consider your non-income and expense items that impact cash flow, such as principal payments on debt service, planned additions to property & equipment, receipts on pledge payments, and others.  
CASH FLOW
Q: How can I alleviate cash flow strain in the near term?
A:

While the House and Senate have reacted quickly to bring needed relief to individuals and businesses across the country, the reality for most is that more will need to be done to stabilize. Operationally, obvious responses in the short term should be to eliminate all nonessential purchasing and maximize the billing and collection functions in accounts receivable. Another option is to utilize or increase an existing line of credit, or establish a new line of credit, to alleviate short term cash flow shortfalls. Organizations with investment portfolios can consider the prudence of increasing the spending draw on those funds. Rather than making a few drastic changes, organizations should take a multi-faceted approach to reduce the strain on cash flow while protecting the long term sustainability of the mission.

Q: How can I increase my organization’s reach to help with disaster relief? If we establish a special purpose fund, what should my organization be thinking about?
A:

Many organizations are looking for ways to increase their direct impact and give funding to individuals or organizations they may not have historically supported. For those who are want to expand their grant or gift making or want to establish a disaster relief fund, there are things to consider when doing so to help protect the organization. The nonprofit experts at Hemenway & Barnes share their thoughts on just how to do that.

FINANCIAL REPORTING
Q: What accounting standards have been delayed or are in the process of being delayed?
A:

FASB:
The $2.2 trillion stimulus package includes a provision that would allow banks the temporary option to delay compliance with the current expected credit losses (CECL) accounting standard. This would be delayed until the earlier end of the fiscal year or the end of the coronavirus national emergency.

GASB:
On March 26, 2020, the Governmental Accounting Standards Board (GASB) announced it has added a project to its current technical agenda to consider postponing all Statement and Implementation Guide provisions with an effective date that begins on or after reporting periods beginning after June 15, 2018. The GASB has received numerous requests from state and local government officials and public accounting firms regarding postponing the upcoming effective dates of pronouncements as these state and local government offices are closed and officials do not have access to the information needed to implement the Statements. Most notably this would include Statement No. 84, Fiduciary Activities, and Statement No. 87, Leases.

The Board plans to consider an Exposure Draft for issuance in April and finalize the guidance in May 2020.

ENDOWMENTS AND INVESTMENTS 
Q: What should I consider with regard to endowments?
A:

Many nonprofits with endowments are considering ways to balance an increased reliance on their investment portfolios with the responsibility to protect and preserve the spending power of donor-restricted gifts. Some things to think about include the existence (or absence) of true restrictions, spending variations under the Uniform Prudent Management of Institutional Funds Act (UPMIFA) applicable in your state, borrowing from an endowment, or requesting from the donor the release of restrictions. All need to be balanced with the intended duration and preservation of the endowment fund. Hemenway & Barnes shares their thoughts relative to the utilization of endowments during this time of need.

EMPLOYEE BENEFITS
Q: We are going to suspend our retirement plan match through June 30, 2020 and I picked a start date of April 1st. What we need help with is our bi-weekly payroll (which is for HOURLY employees). Their next pay date is April 3rd, for time worked through March 28th. Time worked March 29-31 would be paid on April 17th. How should we handle the match during this period for the hourly employees?
A:

The key for determining what to include for the matching calculation is when it is paid, not when it was earned. If the amendment is effective April 1st, then any amounts paid after April 1st would not have matching contributions calculated. This means that the amounts paid on April 3rd would not have any matching contributions calculated.

Q: Can you please provide guidance on the Families First Coronavirus Response Act (FFCRA) and how it may impact my organization?
A:

On March 30th, BerryDunn published a blog post to help answer your questions around the FFCRA.

If you have additional questions, please contact one of our Employee Benefit Plan professionals

ADDITIONAL CONSIDERATIONS
Q: I heard there was going to be an incentive for charitable giving in the new act. What's that all about?
A:

According to Sections 2204 and 2205 of the CARES Act:

  • Up to $300 of charitable contributions can be taken as a deduction in calculating adjusted gross income (AGI) for the 2020 tax year. This will provide a tax benefit even to those who do not itemize.
  • For the 2020 tax year, the tax cap has been lifted for:
    • Individuals-from 60% of AGI to 100%
    • Corporations-annual limit is raised from 10% to 25% (for food donations this is raised from 15% to 25%)
Q: Have you heard if the May 15th tax deadline will be extended?
A:

Unfortunately, we have not heard. As of April 6th, the deadline has not been extended.

Q: Could you please summarize for me the tax provisions in the CARES Act that you think are most applicable to not-for-profits?
A: Absolutely! Our not-for-profit tax professionals have compiled this document, which provides a high-level outline of tax provisions in the CARES Act that we believe would be of interest to our clients.

We are here to help
Please contact the BerryDunn not-for-profit team if you have any questions, or would like to discuss your specific situation.

Blog
COVID-19 FAQs—Not-for-Profit Edition

As we begin the second year of Uniform Guidance, here’s what we’ve learned from year one, and some strategies you can use to approach various challenges, all told from a runner's point of view.

A Runner’s Perspective

As I began writing this article, the parallels between strategies that I use when competing in road races — and the strategies that we have used in navigating the Uniform Guidance — started to emerge. I’ve been running competitively for six years, and one of the biggest lessons I’ve learned is that implementing real-time adjustments to various challenges that pop up during a race makes all the difference between crossing — or falling short of — the finish line. This lesson also applies to implementing Uniform Guidance. On your mark, get set, go!

Challenge #1: Unclear Documentation

Federal awarding agencies have been unclear in the documentation within original awards, or funding increments, making it hard to know which standards to follow: the previous cost circulars, or the Uniform Guidance?

Racing Strategy: Navigate Decision Points

Take the time to ask for directions. In a long race, if you’re apprehensive about what’s ahead, stop and ask a volunteer at the water station, or anywhere else along the route.

If there is a question about the route you need to take in order to remain compliant with the Uniform Guidance, it’s your responsibility to reach out to the respective agency single audit coordinators or program officials. Unlike in a race, where you have to ask questions on the fly, it’s best to document your Uniform Guidance questions and answers via email, and make sure to retain your documentation.  Taking the time to make sure you’re headed in the right direction will save you energy, and lost time, in the long run.    

Challenge #2: Subrecipient Monitoring

The responsibilities of pass-through entities (PTEs) have significantly increased under the Uniform Guidance with respect to subaward requirements. Under OMB Circular A-133, the guidance was not very explicit on what monitoring procedures needed to be completed with regard to subrecipients. However, it was clear that monitoring to some extent was a requirement.

Racing Strategy: Keep a Healthy Pace

Take the role of “pacer” in your relationships with subrecipients. In a long-distance race, pacers ensure a fast time and avoid excessive tactical racing. By taking on this role, you can more efficiently fulfill your responsibilities under the Uniform Guidance.

Under the Uniform Guidance, a PTE must:

  • Perform risk assessments on its subrecipients to determine where to devote the most time with its monitoring procedures.
  • Provide ongoing monitoring, which includes site visits, provide technical assistance and training as necessary, and arrange for agreed-upon procedures to the extent needed.
  • Verify subrecipients have been audited under Subpart F of the Uniform Guidance, if they meet the threshold.
  • Report and follow up on any noncompliance at the subrecipient level.
  • The time you spend determining the energy you need to expend, and the support you need to lend to your subrecipients will help your team perform at a healthy pace, and reach the finish line together.

Challenge #3: Procurement Standards

The procurement standards within the Uniform Guidance are similar to those under OMB Circular A-102, which applied to state and local governments. They are likely to have a bigger impact on those entities that were subject to OMB Circular A-110, which applied to higher education institutions, hospitals, and other not-for-profit organizations.

Racing Strategy: Choose the Right Equipment

Do your research before procuring goods and services. In the past, serious runners had limited options when it came to buying new shoes and food to boost energy. With the rise of e-commerce, we can now purchase everything faster and cheaper online than we can at our local running store. But is this really an improvement?

Under A-110, we were guided to make prudent decisions, but the requirements were less stringent. Now, under Uniform Guidance, we must follow prescribed guidelines.

Summarized below are some of the differences between A-110 and the Uniform Guidance:

A-110 UNIFORM GUIDANCE
Competition
Procurement transaction shall be conducted in a manner to provide, to the maximum extent practical, open and free competition.
Competition
Procurement transaction must be conducted in a manner providing full and open competition consistent with the standards of this section.
 
Procurement
Organizations must establish written procurement procedures, which avoid purchasing unnecessary items, determine whether lease or purchase is most economical and practical, and in solicitation provide requirements for awards.
Procurement
Organizations must use one of the methods provided in this section:
  1. Procurement by Micro Purchase (<$3,000)
  2. Procurement by Small Purchase Procedures (<$150,000)
  3. Procurement by Sealed Bids
  4. Procurement by Competitive Proposal
  5. Procurement by Noncompetitive Proposal

While the process is more stringent under the Uniform Guidance, you still have the opportunity to choose the vendor or product best suited to the job. Just make sure you have the documentation to back up your decision.

A Final Thought
Obviously, this article is not an all-inclusive list of the changes reflected in the Uniform Guidance. Yet we hope that it does provide direction as you look for new grant awards and revisit internal policies and procedures.

And here’s one last tip: Do you know the most striking parallel that I see between running a race and implementing the Uniform Guidance? The value of knowing yourself.

It’s important to know what your challenges are, and to have the self-awareness to see when and where you will need help. And if you ever need someone to help you navigate, set the pace, or provide an objective perspective on purchasing equipment, let us know. We’re with you all the way to the finish line.

Grant Running.jpg

Blog
A runner's guide to Uniform Guidance, year two

Read this if you are an employer looking for more information on the Employee Retention Credit (ERC).

If you are an employer who did not qualify for or request a Paycheck Protection Plan (PPP) loan, the ERC provisions of the CARES Act may be available to you.

The ERC is a fully refundable tax credit for eligible employers equal to 50 percent of qualified wages (including allocable qualified health plan expenses) an eligible employer pays their employees. This ERC applies to qualified wages paid after March 12, 2020, and before January 1, 2021. The maximum amount of qualified wages (including allocable qualified health plan expenses) taken into account with respect to each employee for all calendar quarters is $10,000, so that the maximum credit for an eligible employer can receive on qualified wages paid to any employee is $5,000.

Eligibility

Eligible employers for the ERC carry on a trade or business during calendar year 2020, including tax-exempt organizations, that either:

  • Fully or partially suspend operation during any calendar quarter in 2020 due to orders from an appropriate governmental authority limiting commerce, travel, or group meetings due to COVID-19; or
  • Experience a significant decline in gross receipts during the calendar quarter.

Self-employed individuals are not eligible for this credit for their own self-employment earnings, though they may be able to claim the credit for wages paid to their employees.

If an eligible employer averaged more than 100 full-time employees in 2019, qualified wages are limited to wages paid to an employee for time that the employee is not providing services due to an economic hardship, specifically, either (1) a full or partial suspension of operations by order of a governmental authority due to COVID-19, or (2) a significant decline in gross receipts. If the eligible employer averaged 100 or fewer full-time employees in 2019, qualified wages are the wages paid to any employee during any period of economic hardship described in (1) or (2) above.

As with most provisions of the CARES Act, very limited formal guidance has been issued by the IRS. Instead, the IRS issues and updates FAQs on the IRS website. 

One area where eligible employers have been seeking advice is what qualifies as wages and allocable health insurance costs. Qualified wages include an allocable portion of the qualified health plan expenses paid or incurred by an eligible employer to provide and maintain a group health plan. For purposes of the ERC, this also includes employee pre-tax contributions. 

IRS FAQs

The IRS recently updated the Employee Retention Credit FAQs to indicate an eligible employer can claim the ERC for qualified health plan expenses, regardless of whether the employee is paid qualified wages. Updated FAQs 64-65 clarify that health plan expenses paid to laid off or furloughed employees are considered qualified wages for purposes of the ERC. This is welcome news since most employers continue to a pay their share (if not the full amount) of the health insurance premiums for employees who have been laid off or furloughed. 

Read specific examples in the updated FAQs here.

How are qualified health plan expenses determined and allocated?

Qualified health plan expenses are determined separately for each plan sponsored by an employer. For employers sponsoring more than one health plan, for example a group health plan and a health flexible spending arrangement, expenses for each plan are allocated to the employees who participate in that plan. Allocated expenses will be aggregated for those employees who participate in more than one plan. 

Qualified health plan expenses may be allocated using any reasonable method by those employers sponsoring a fully-insured group health plan, including (1) the COBRA applicable premium for the employee, (2) one average premium rate for all employees, or (3) a substantially similar method that takes into account the average premium rate determined separately for employees with self-only and other than self-only coverage. An eligible employer allocating expenses using the average premium rate for all employees may determine a daily rate as detailed in FAQ 67.

Example

An employer sponsors an insured group health plan that covers 400 employees, some with self-only coverage and some with family coverage. Each employee is expected to have 260 work days a year (5 days/week for 52 weeks). The employees contribute a portion of their premium by pre-tax salary reduction, with different amounts for self-only and family. The total annual premium for the 400 employees is $5.2 million. Using the one average premium rate method, the annual premium rate is $13,000 ($5.2 million divided by 400 employees). For each employee expected to have 260 work days a year, the resulting daily average premium is $50 ($13,000 divided by 260 days). The $50 daily rate represents qualified health plan expenses allocated to each day of the qualified wages per employee.

For those employers sponsoring self-insured group health plans, qualified health plan expenses may be allocated using any reasonable method, including (1) the COBRA applicable premium for the employee, or (2) any reasonable actuarial method to determine the estimated annual expenses of the plan. 

An eligible employer sponsoring a self-insured group health plan and allocating expenses using a reasonable actuarial method to determine estimated annual expenses may determine a daily rate similar to the rules for fully-insured plans—that is, taking the estimated annual expenses, dividing by the number of employees covered, and then dividing by the average number of work days during the year by the employees. 

For both fully-insured and self-insured plans, paid-time off days are considered work days when determining the average daily rate.

FAQs 69 and 70 provide that qualified health plan expenses do not include eligible employer contributions to health savings accounts (HSA), Archer medical saving accounts (Archer MSA), or a qualified small employer health reimbursement arrangement (QSEHRA). 

However, qualified health plan expenses may include contributions to a health reimbursement arrangement (HRA), including an individual coverage HRA, or a health flexible spending account (FSA). To allocate contributions to an HRA or a health FSA, eligible employers should use the amount of contributions made on behalf of the particular employee.

Additionally, qualified health plans expenses do not include health plan expenses allocated to any sick leave and family medical wages under the FFCRA (FAQ 71). 

Summary

For those eligible employers with 100 or more employees, the guidance that can be inferred from the available FAQs appears to be the following:

  • If an employer is paying an employee for more than the hours the employee is actually working then a credit would be available for the difference between wages paid and the wages for the hours worked.
  • If an employer has decreased the hours worked by an employee but continues to pay the same (or greater) cost for health insurance, a credit would be available for the allocable health insurance costs while the employee is not working. For example, if an employee is only working 60% of the his/her normal hours, an employer would be able to receive a credit equal to 40% of the health insurance costs paid for that employee.

For more information

If you have more questions, or have a specific question about your particular situation, please call us. We’re here to help. 

Blog
Employee Retention Credit―Updated IRS FAQs provide clarification

Read this if you are a police executive, city/county administrator, or elected government official responsible for a law enforcement agency. 

Who you gonna call? 

Law enforcement agencies provide essential services to our communities vital to maintaining order and public safety. These critical organizations always answer the call, and they are prepared for every type of disaster imaginable: floods, hurricanes, tornadoes, blizzards, train derailments, and even... a pandemic?

Police agencies plan, prepare, and train for disasters, and are particularly adept and agile in their response to them. As an industry, law enforcement agencies are also very good at helping one another in times of need. When there is a major disaster in your community, your agency can always count on neighboring departments sending you some much needed resources―that is, unless everyone has the same problem. Then what do you do?

Although law enforcement agencies are very capable, their strength is in sprinting, not running marathons. Even the best and most-qualified police agencies struggle with the strain of long-lasting disasters, particularly when there are no other resources to help. That is when having the right patrol-schedule design can be critical. If your patrol schedule is inefficient in the first place, managing a lengthy disaster or critical event will magnify those inefficiencies, exhausting your personnel and fiscal resources at the same time.

Flaws in patrol schedule design = reduced efficiency

Flaws in the patrol schedule design often contribute to reduced efficiency and suboptimal performance, and design issues may work against your ability to maintain operational staffing during critical times of need. So, how do you know if your patrol schedule is serving you well? 

To help agencies evaluate their patrol schedules, BerryDunn has developed at free tool. Click here to measure your patrol schedule against key design components and considerations. If your agency scores low in this self-assessment, it may be time to consider making some adjustments. 

The path to resolving inefficiencies in your patrol work schedule and optimizing the effective deployment of patrol personnel requires thoughtful consideration of several overarching goals:

  • Reducing or eliminating predictable overtime
  • Eliminating peaks and valleys in staffing due to scheduled leave
  • Ensuring appropriate staffing levels in all patrol zones or beats
  • Providing sufficient staff to manage multiple and priority Calls for Service  in patrol zones or beats
  • Satisfying both operational and staff needs, including helping to ensure a proper work/life balance and equitable workloads for patrol staff

Accomplishing these goals requires an intentional approach, customized to your agency’s characteristics (e.g., staffing levels, geographic factors, crime rates, zone/beat design, contract/labor rules). BerryDunn can help your agency assess the patrol schedule, and if necessary, provide guidance and assistance on implementation of a more effective model. 

If you are interested in a patrol work-schedule assessment or redesign or a patrol staffing study, our dedicated Justice & Public Safety consultants are available to discuss your organization’s needs.

Blog
Continuity of patrol operations in a COVID-19 environment

Our senior living and long-term care professionals have compiled this guide to financial resources for senior living providers, segregated by federal and state programs.

In this guide, you will receive a breakdown of the critical components of each program, related compliance requirements, payment and accounting considerations, and the provider type for which the program is available.

Included on the guide is a publication date. Please check back regularly for updates.

READ THE GUIDE NOW

We're here to help.
If you have any questions, please contact a member of our senior living consulting team.

Blog
Senior living COVID-19 financial resources guide

Read this if you are a business owner or advisor to business owners.

With continued uncertainty in the business environment stemming from the COVID-19 pandemic, now may be a good time to utilize trust, gift, and estate strategies in the transfer of privately held business interests.

In simple terms, business valuation is a function of future cash flow and the risk in achieving those cash flows. As uncertainty in the ability to achieve future cash flow rises, risk rises at the same time. The value of a business is driven by risk. Holding all else equal, as risk continues to increase, the value of a business decreases. Similarly, if all else is equal, a continuing decline in anticipated cash flow results in decreased business values. An increase in risk, coupled with growing uncertainty and decline in cash flow may create a compounding effect of depressing business values. 

Cash flow challenges

Even if the cash flow of a privately held business has held up thus far, there is great uncertainty as to future cash flow. The duration of this uncertainty is a major concern for many business owners in the current environment. It was not long ago that many were anticipating the pandemic impact would be short-lived, resulting in a v-shaped recovery. Those expectations have given way as national unemployment numbers continue to climb. This continued uncertainty may lessen the value of privately held businesses. Depending on the company, its expectations, and impact from industry and economic factors, the effect on future cash flow may be significant.

With these elements in mind, the current and near-term may serve as an advantageous time to consider the transfer of interests in a privately held business. Increased risk and lowered future expectations will combine, resulting in lower values—particularly as compared to performance during the recent strong economy. 

Further opportunities exist if you are considering transferring a non-controlling interest in a company. Discounts applicable to minority or fractional interests typically include discounts for lack of control and lack of marketability, and in some cases discounts for lack of voting rights. These discounts may serve to further reduce the overall value transferred through a given strategy. 

What strategies can be used to capitalize in this environment?

From a federal perspective, gift and estate tax lifetime exemption amounts are at all-time highs; currently, $11.58 million per individual in 2020. With portability, a married couple can gift or transfer over $23 million in value without incurring a federal gift or estate tax.

Coupled with the ever-increasing annual gift tax exclusion amount of $15,000 per recipient in 2020, executing a succession plan could not come at a better time. Individuals should be aware of the scheduled sunset of the above referenced amounts in 2025 with reversion back to previous levels of $5.0 million (adjusted for inflation).

Building on future uncertainty, the 2020 presidential election is quickly approaching, as well as budget concerns from federal and state administrative agencies resulting from COVID-19. As it is unknown whether the current estate gift and estate tax exemptions will remain at these all-time highs, it may be an opportune time to leverage the current lifetime exemption or annual gift tax exclusion. 

Given the likely decline in value of closely held business interests or marketable securities combined with historically low interest rates currently, transferring assets now that will likely rebound in value later will provide transferors/donors with the most bang for their buck. 

Certain trust vehicles are often beneficial in a low-interest rate environments and provide varying forms of flexibility to the grantor or donor. When combined with the increase in the charitable deduction limits for taxpayers who itemize their deductions, this is an optimal time for transferring assets.  

One of the most important aspects of estate planning is to review and update your estate plan regularly for changes in your financial or family situation. Estate plans are not static and should be periodically reviewed to ensure they achieve your goals based upon your current situation.

Our mission at BerryDunn remains constant in helping each client create, grow, and protect value. If you have questions about your unique situation, or would like more information, please contact the team.

Blog
2020 estate strategies in times of uncertainty for privately held business owners

For management, it’s the perennial question: Keep things in-house or outsource?


Most companies or organizations have outsourcing opportunities, from PR to payment processing to IT security. When deciding whether to outsource, you weigh the trade-offs and benefits by considering variables such as cost, internal expertise, cross coverage, and organizational risk.

In IT services, outsourcing may win out as technology becomes more complex. Maintaining expertise and depth for all the IT components in an environment can be resource-intensive.

Outsourced solutions allow IT teams to shift some of their focus from maintaining infrastructure to getting more value out of existing systems, increasing data analytics, and better linking technology to business objectives.

Once you’ve decided, there’s another question you need to ask
Lost sometimes in the discussion of whether to use outsourced services is how. Even after you’ve done your due diligence and chosen a great vendor, you need to stay involved. It can be easy to think, “Vendor XYZ is monitoring our servers, so we should be all set. I can stop worrying at night about our system reliability.” Not true.

You may be outsourcing a component of your technology environment, but you are not outsourcing the accountability for it—from an internal administrative standpoint or (in many cases) from a legal standpoint.

Beware of a false state of confidence
No matter how clear the expectations and rules of engagement with your vendor at the onset of a partnership, circumstances can change—regulatory updates, technology advancements, and old-fashioned vendor neglect. In hiring the vendor, you are accountable for oversight of the partnership. Be actively engaged in the ongoing execution of the services. Also, periodically revisit the contract, make sure the vendor is following all terms, and confirm (with an outside audit, when appropriate) that you are getting the services you need.

Take, for example, server monitoring, which applies to every organization or company, large or small, with data on a server. When a managed service vendor wants to contract with you to provide monitoring services, the vendor’s salesperson will likely assure you that you need not worry about the stability of your server infrastructure, that the monitoring will catch issues before they occur, and that any issues that do arise will be resolved before the end user is impacted. Ideally, this is true, but you need to confirm.

Here’s how to stay involved with your vendor
Ask lots of questions. There’s never a question too small. Here are server monitoring samples of how precisely you should drill down:

  • What will be monitored, specifically?
  • Why do the metrics being monitored matter to our own business objectives?
  • What thresholds must be met to produce an alert?
  • What does a specific alert mean?
  • Who will be notified if one occurs?
  • What corrective action will be taken?

Ask uncomfortable questions
Being willing to ask challenging questions of your vendors, even when you are not an IT expert, is critical. You may feel uncomfortable but asking vendors to explain something to you in terms you understand is very reasonable. They’re the experts; you’re not expected to already understand every detail or you wouldn’t have needed to hire them. It’s their job to explain it to you. Without asking these questions, you may end up with a fairly generic solution that does monitor something, but not necessarily all the things you need.

Ask obvious questions
You don’t want anything to slip by simply because you or the vendor took it for granted. It is common to assume that more is being done by a vendor than actually is. By asking even obvious questions, you can avoid this trap. All too often we conduct an IT assessment and are told that a vendor is providing a service, only to discover that the tasks are not happening as expected.

You are accountable for your whole team—in-house and outsourced members
An outsourced solution is an extension of your team. Taking an active and engaged role in an outsourcing partnership remains consistent with your management responsibilities. At the end of the day, management is responsible for achieving business objectives and mission. Regularly check in to make sure that the vendor stays focused on that same mission.

Blog
Oxymoron of the month: Outsourced accountability

Read this if your organization is required to perform physician time studies.

Currently hospitals allocate physician compensation costs to Part A (provider) and Part B (professional/patient) time based on either time studies or allocation agreements. The basic instructions for periodic time studies are that they must be based on the following criteria:

  1. One full week per month of the cost reporting period
  2. Based on a full work week
  3. Use three weeks from the first week of the month, three weeks from the second week of the month, three weeks from the third week of the month and three weeks from the fourth week of the month
  4. Consecutive months cannot use the same week of the month

Per a CMS Special Edition of mlnconnects published May 15, 2020, during the COVID-19 Public Health Emergency (PHE) CMS has made the following time study options available to hospitals as follows:

  • A one-week time study every six months (two weeks per year);
  • Time studies completed prior to January 27, 2020 (the PHE effective date) for the applicable cost report period can be used with no time studies needed for 1/27/2020 – 6/30/2020; or
  • Time studies for the same period in CY 2019 (e.g., if unable to complete time studies during February through July 2020, use time studies completed February through July 2019)

If you have any questions regarding the information in this article please contact Ellen Donahue.

Blog
Physician Time Studies during the COVID-19 Public Health Emergency

Read this if you are planning for, or are in the process of implementing a new software solution.

User Acceptance Testing (UAT) is more than just another step in the implementation of a software solution. It can verify system functionality, increase the opportunity for a successful project, and create additional training opportunities for your team to adapt to the new software quickly. Independent verification through a structured user acceptance plan is essential for a smooth transition from a development environment to a production environment. 

Verification of functionality

The primary purpose of UAT is to verify that a system is ready to go live. Much of UAT is like performing a pre-flight checklist on an aircraft. Wings... check, engines... check, tires... check. A structured approach to UAT can verify that everything is working prior to rolling out a new software system for everyone to use. 

To hold vendors accountable for their contractual obligations, we recommend an agency test each functional and technical requirement identified in the statement of work portion of their contract. 

It is also recommended that the agency verify the functional and technical requirements that the vendor replied positivity to in the RFP for the system you are implementing. 

Easing the transition to a new software

Operational change management (OCM) is a term that describes a methodology for making the switch to a new software solution. Think of implementing a new software solution like learning a new language. For some employees, the legacy software solution is the only way they know how to do their job. Like learning a new language, changing the way business and learning a new software can be a challenging and scary task. The benefits outweigh the anxiety associated with learning a new language. You can communicate with a broader group of people, and maybe even travel the world! This is also true for learning a new software solution; there are new and exciting ways to perform your job.

Throughout all organizations there will be some employees resistant to change. Getting those employees involved in UAT can help. By involving them in testing the new system and providing feedback prior to implementation, they will feel ownership and be less likely to resist the change. In our experience, some of the most resistant employees, once involved in the process, become the biggest champions of the new system.  

Training and testing for better results

On top of the OCM and verification benefits a structured UAT can accomplish, UAT can be a great training opportunity. An agency needs to be able to perform actions of the tested functionality. For example, if an agency is testing a software’s ability to import a document, then a tester needs to be trained on how to do that task. By performing this task, the tester learns how to login to the software, navigate the software, and perform tasks that the end user will be accomplishing in their daily use of the new software. 

Effective UAT and change management

We have observed agencies that have installed software that was either not fully configured or the final product was not what was expected when the project started. The only way to know that software works how you want is to test it using business-driven scenarios. BerryDunn has developed a UAT process, customizable to each client, which includes a UAT tracking tool. This process and related tool helps to ensure that we inspect each item and develop steps to resolve issues when the software doesn’t function as expected. 

We also incorporate change management into all aspects of a project and find that the UAT process is the optimal time to do so. Following established and proven approaches for change management during UAT is another opportunity to optimize implementation of a new software solution. 

By building a structured approach to UAT, you can enjoy additional benefits, as additional training and OCM benefits can make the difference between forming a positive or a negative reaction to the new software. By conducting a structured and thorough UAT, you can help your users gain confidence in the process, and increase adoption of the new software. 

Please contact the team if you have specific questions relating to your specific needs, or to see how we can help your agency validate the new system’s functionality and reduce resistance to the software. We’re here to help.   
 

Blog
User Acceptance Testing: A plan for successful software implementation

Read this if you are a solar or wind developer, investor, or have interests in the renewable energy industry.

Given the recent exchange between a bipartisan group of senators and the Treasury Department, it appears that the continuity safe harbor for the Production Tax Credit (PTC) and Energy Investment Tax Credit (ITC) will be extended. 

Under current regulations, taxpayers “lock in” a tax credit based on the beginning of construction date for their facility or property. Taxpayers must then demonstrate continuous efforts to complete construction in order to ultimately be eligible for the tax credit on completion. If the taxpayers place their energy facility or property into service within four years after the beginning of construction they are deemed to satisfy this test. This is known as the continuity safe harbor. The senators wish to extend the continuity safe harbor from four to five years and it appears that the Treasury may agree. Here is a copy of the letter senators sent to the Treasury. Here is a copy of the letter the Treasury sent back. 

The good news

The Treasury plans to “modify the relevant rules in the near future”. It is encouraging that both groups are aware of the unique challenges businesses in the renewables energy industry face in meeting regulatory deadlines to qualify for tax credits, which help make many projects economically viable. 

The so-so news

We don’t know what the rule modification will entail and this is only an extension of the continuity safe harbor. While this is a welcome change, there are many projects in the pipeline still in the planning phase that have not yet started construction. For these projects, the beginning of construction safe harbor date is more important as it determines the ITC credit rate. For example, projects beginning in 2020 get a 26% credit, and projects beginning in 2021 get a 22% credit. 

Looking ahead

Given the uncertainty in all business planning, now would be a good time to extend the ITC credit rates and/or beginning of construction safe harbor date to give businesses more time to lock in the 26% credit rate for 2020. As the Treasury is limited to what they can do without legislative action, we may need to wait for Congress on this change. 

We are watching for new developments on this issue and will provide updates as we can. If you have questions about your specific situation, please contact the team. We’re here to help.  
 

Blog
Treasury Department signals modification of ITC and PTC continuity safe harbor

Read this if you are a business owner.

While recent articles within the exit planning community have noted a slowing of business transitions and exits, during times of uncertainty it may be even more important to focus on the opportunity at hand. Rather than waiting it out, we recommend that business owners try to be active, involved, and focus their efforts on improving their business.

The situation is similar to the ebb and flow of the tide. The current economy is the tide at an extreme low point. We know that the economy will recover, so what can be done in the meantime to take advantage of opportunities, and be ready to succeed when the tide rises?

Changing of tides

Suddenly, there has been a rapid and seismic shift in the landscape. Weaknesses and threats, rocks and hazards, may have emerged. How you choose to approach these perils will make a difference in the long term. Will you take the opportunity to discover, identify, assess, shore up, and mitigate these elements?

It is important to view this current state in the context of the larger, long-term perspective. Once the tide comes back, will you be able to set full sail ahead having built resiliency, redundancy, and strength into those areas while you had the opportunity? While the water is low, it presents a great opportunity for business owners to discover and understand: 

  • What broke first and why? 
  • How can you shore it up for better operations in the days ahead?
  • What weak spots you didn’t know about are now apparent?
  • How can you address those weaknesses?
  • How can you leverage existing resources differently to chart a path forward?

Models of priority

There are various stages or hierarchies of priority in thinking about the progress of a business. 

Each priority model features bases and pinnacles. The pinnacles of each model are realized in a long-term setting, after the remaining bases have been solidified. While continued development of a clear vision for your business is paramount, dynamic shifts in the landscape call for reassessment of the bases. In the long-term, self-fulfillment manifests from properly executed strategy, but in the near- and mid-term, these various frameworks force strategic planning back to assess and address the base components. 

The bases of each model should serve as safe havens for reversion. When facing uncertainty and failure, have you made your base strong enough to redirect your efforts in an actionable plan for the long-term?

Action Planning Pyramid and Value Maturity Index

Action Planning
Five Stages of Value Maturity

The Value Maturity Index, broken into five stages is a stepwise assessment of active exit and business strategy. Inherent in the value acceleration framework are the concepts of resiliency, redundancy, disaster recover, and actionable planning.

While we may have been fully entrenched in the build phase, setbacks due to dynamic changes in the landscape force us back to protect mode—the assessment and methodical shoring up of weaker points of the operation to protect against future downside risks.

Though this stepwise progression is linear in nature, keep in mind that flexibility and adaptability are paramount in changing course to address needs of your current state.

When we look at action planning, parallels can be drawn to the various models. Certainly, we are focused on continuing sales, marketing, and customer relationships, but it becomes a question of reversion to meeting the basic needs and serving client’s pain points rather than  beginning ground-breaking efforts. 

The current climate forces us to the base, with a focus on solidifying the exposed areas that may have been made apparent, and likely compounded, by the current realities. Concerns on management, metrics, core values, and priorities serve as the bases in need of coverage.

Maslow’s Hierarchy of Needs
 

Maslow's Hierarchy of Needs

Maslow’s Hierarchy of Needs1 is a well-known motivational theory in psychology that comprises a five-tiered model of human needs, whereby each successive tier must be fulfilled (beginning at the base) before rising to the next tier. It can be used to view similar information from a psychological perspective.

Value acceleration and creating successful outcomes are largely tied to a clear long-term vision. We typically reside in the Self-actualization level of the hierarchy of needs when undertaking the high-level view of the framework.

Based on the adaptability and call for sudden directional changes in today’s climate, we are not as concerned with these top levels. We have them in our back pocket for easy recall, but they are not the pressing issue staring us in the face.

If we think about shoring up bases (the Protect Stage), in considering this psychological model, our focus is on the “basic needs” level. That is, keeping people (self, family, and employees) safe and remaining connected for immediate continuity.

McKinsey & Company Event Horizons

McKinsey & Company Event Horizons

Many others in related fields are viewing the current situation in similar terms. In the McKinsey & Company Events Horizon view2:

  • Resolve addresses those immediate hurdles and challenges a business is currently facing.
  • Resilience focuses on near-term items to be addressed once the initial base is covered. 
  • Return views the mid-term horizon in understanding how to return to scale by focusing on understanding metrics and increasing the frequency of measurements for informed decision making. 
  • Reimagination and Reform typically go hand in hand, but without covering bases of needs, crafting a dynamic shift in operations to incorporate new environments may be counterproductive. 

However, once these bases have been clearly assessed and addressed, the path forward may appear dramatically different, in which case creative solutions to enhance opportunity should begin to form. Examples of this may include newly emerged revenue streams and opportunity areas, fully integrated systems and dashboards to capture timely decision making data points, or pivots in your business model adaptable and reactive to new environments.

One example that has been in the news recently involves CEOs being pleasantly surprised that productivity of employees has not dropped even though people are working from home. How sustainable is this productivity? What implications might this have for corporate real estate and office settings? The answers will vary widely, depending on your business and competitive environment.

Exposure, discover, and control

Back to our tides analogy for a moment. As the water receded, what new rocks were exposed or what existing challenges became more apparent? What is your plan to address these areas? Is this the time to make large investments in your company or the right investments? Now that the tide is out, it is time to shore up, move the rocks, and address elements of your business to prepare for long-term successes. Through our assessments, risk profiling, and benchmarking analyses, we help business owners discover the largest gaps across the company, prioritize the most impactful problem areas to address, and implement changes to enhance business value through continuous improvement. 

Taking stock of your company’s future through the incorporation of lessons learned will bolster value in the long-term by de-risking and developing new opportunities, methods, work, shifts in productivity, and shifts in mentality. That approach also brings lots of questions: If there are no early warning signs, why not? What should your indicators be? What metrics are crucial in identifying the pulse of your current situation? What is your business reliant on? How can you build information and indicators for rapid shifts in decision making? How strong are your current controls and how integrated are your management and information systems?

To answer these questions, you need to quantify and develop metrics that will aid in the early identification of future challenges, thus increasing your responsiveness with data-driven decision mechanisms. Having your fingers on the pulse of your company and understanding the impact of each input to your strategy will focus your attention on the information that matters most. This allows you to understand, position, and adapt to changes in your business and community environment in a proactive and agile manner. Measurements, forecasts, and dashboards should provide you with regular, valid, and relevant information you can use to take informed action in decision making.

Historical look backs during various points of time will allow you to key in on pivotal data indicators and inflection points. When looking at this from an operational view, industry and economic factors impacting your company can serve as corroborating pieces of evidence to further support data metrics analyzed.

As you perform look backs, it is also best practice to regularly study and update development, pipeline, and reliance metrics for feedback and information discovery with data integrated throughout your operations. This helps avoid lag time in reporting on stale information towards real-time actionable data points.  

Each metric is specific to your business and can be directly mapped back to increases in shareholder value. Understanding these drivers of business value will focus your attention and intention on improving in the right areas, while avoiding distracting and less impactful pain points.

Don’t fret over precision, rather build in flexibility and adaptability with scenario- and sensitivity-based criterion to understand changes, implications, and reliance of each input. Understanding these relationships in a broader scheme aid you in quick, impactful decision making guiding you towards enhanced value.

Resilience until the tides rise

This approach allows opportunity to fully assess the known and unknown problem areas, weaknesses, perils, and hazards your business may be facing. From that base you can begin to address these issues to scale effectively with lower overall risk when activity picks up.

Management metrics, core values, and priorities drive resilience for long-term continuity by shoring up the foundation to build for the future. Assembling evidence in troubled times provides opportunity to capitalize on and fulfill core values. Documenting these decisions and improvements memorialize your decision making, impact on value enhancement, and should serve as a playbook for future events.

What you make of the time you have now through identification, assessment, and addressing newly emerged risk areas provides the opportunity to increase success once the economy rebounds. We are here to help. If you have questions about your particular situation, or would like more information, please contact the business valuation consulting team

1Maslow’s Hierarchy of Needs, Saul McLeod, updated March 20, 2020. SimplyPsychology. www.simplypsychology.org/maslow.html.
2Beyond coronavirus: The path to the next normal, Kevin Sneader and Shubham Singhal, McKinsey & Company, March 23, 2020.  www.mckinsey.com/industries/healthcare-systems-and-services/our-insights/beyond-coronavirus-the-path-to-the-next-normal. COVID-19: Briefing note, March 30, 2020, Our latest perspectives on the coronavirus pandemic. Matt Craven, Mihir Mysore, Shubham Singhal, Sven Smit, and Matt Wilson. McKinsey & Company. www.mckinsey.com/business-functions/risk/our-insights/covid-19-implications-for-business.

Blog
Value acceleration in times of uncertainty

The BerryDunn Recovery Advisory Team has compiled this guide to COVID-19 consulting resources for state and local government agencies and higher education institutions.

We have provided a list of our consulting services related to data analysis, CARES Act funding and procurement, and legislation and policy implementation. Many of these services can be procured via the NASPO ValuePoint Procurement Acquisition Support Services contract.

READ THE GUIDE NOW

We're here to help.
If you have any questions, please contact us at info@berrydunn.com

Blog
COVID-19 consulting resources

Read this if you are a CIO, CFO, Provost, or President at a higher education institution.

In my conversations with CIO friends over the past weeks, it is obvious that the COVID-19 pandemic has forced a lot of change for institutions. Information technology is the underlying foundation for supporting much of this change, and as such, IT leaders face a variety of new demands now and into the future. Here are important considerations going forward.

Swift impact to IT and rapid response

The COVID-19 pandemic has had a significant impact on higher education. At the onset of this pandemic, institutions found themselves quickly pivoting to work from home (WFH), moving to remote campus operations, remote instruction within a few weeks, and in some cases, a few days. Most CIOs I spoke with indicated that they were prepared, to some extent, thanks to Cloud services and online class offerings already in place—it was mostly a matter of scaling the services across the entire campus and being prepared for returning students and faculty on the heels of an extended spring break.

Services that were not in place required creative and rapid deployment to meet the new demand. For example, one CIO mentioned the capability to have staff accept calls from home. The need for softphones to accommodate student service and helpdesk calls at staff homes required rapid purchase, deployment, and training.

Most institutions have laptop loan programs in place but not scaled to the size needed during this pandemic. Students who choose to attend college on campus are now forced to attend school from home and may not have the technology they need. The need for laptop loans increased significantly. Some institutions purchased and shipped laptops directly to students’ homes. 

CIO insights about people

CIOs shared seeing positive outcomes with their staff. Almost all of the CIOs I spoke with mentioned how the pandemic has spawned creativity and problem solving across their organizations. In some cases, past staffing challenges were put on hold as managers and staff have stepped up and engaged constructively. Some other positive changes shared by CIOs:

  • Communication has improved—a more intentional exchange, a greater sense of urgency, and problem solving have created opportunities for staff to get engaged during video calls.
  • Teams focusing on high priority initiatives and fewer projects have yielded successful results. 
  • People feel a stronger connection with each other because they are uniting behind a common purpose.

Perhaps this has reduced the noise that most staff seem to hear daily about competing priorities and incoming requests that seem to never end.

Key considerations and a framework for IT leaders 

It is too early to fully understand the impact on IT during this phase of the pandemic. However, we are beginning to see budgetary concerns that will impact all institutions in some way. As campuses work to get their budgets settled, cuts could affect most departments—IT included. In light of the increased demand for technology, cuts could be less than anticipated to help ensure critical services and support are uninterrupted. Other future impacts to IT will likely include:

  • Support for a longer term WFH model and hybrid options
  • Opportunities for greater efficiencies and possible collaborative agreements between institutions to reduce costs
  • Increased budgets for online services, licenses, and technologies
  • Need for remote helpdesk support, library services, and staffing
  • Increased training needs for collaborative and instructional software
  • Increased need for change management to help support and engage staff in the new ways of providing services and support
  • Re-evaluation of organizational structure and roles to right-size and refocus positions in a more virtual environment
  • Security and risk management implications with remote workers
    • Accessibility to systems and classes 

IT leaders should examine these potential changes over the next three to nine months using a phased approach. The diagram below describes two phases of impact and areas of focus for consideration. 

Higher Education IT Leadership Phases

As IT leaders continue to support their institutions through these phases, focusing on meeting the needs of faculty, staff, and students will be key in the success of their institutions. Over time, as IT leaders move from surviving to thriving, they will have opportunities to be strategic and create new ways of supporting teaching and learning. While it remains to be seen what the future holds, change is here. 

How prepared are you to support your institution? 

If we can help you navigate through these phases, have perspective to share, or any questions, please contact us. We’re here to help.

Blog
COVID-19: Key considerations for IT leaders in Higher Ed

Read this if you are at a state Medicaid agency or CHIP agency.

CMS has posted additional Frequently Asked Questions (FAQs) to Medicaid.gov, to aid state Medicaid and Children’s Health Insurance Program (CHIP) agencies in their response to the coronavirus disease 2019 (COVID-19) pandemic.

These new FAQs have been integrated into the previously released COVID-19 FAQ document. The new FAQs cover a variety of Medicaid and CHIP topics, including:

  • Emergency Preparedness and Response
  • Eligibility and Enrollment Flexibilities
  • Benefit Flexibilities
  • Cost-Sharing Flexibilities
  • Financing Flexibilities  
  • Managed Care Flexibilities
  • Information Technology  
  • Data Reporting

Updated CMS processes for reviewing 2021 contracts between states and Medicare Dual Eligible Special Needs Plans (D-SNPs)

CMS has issued a reminder to states of the upcoming submission deadline for the Contract Year (CY) 2021 contracts with Medicare Advantage Dual Eligible Special Needs Plans (D-SNPs). The due date for D-SNPs to submit to CMS their CY 2021 contracts with the state Medicaid agencies is July 6, 2020.

  • CMS encourages state Medicaid agencies to review the November 14, 2019 Informational Bulletin that describes new requirements for CY 2021 D-SNP contracts, which CMS finalized in rulemaking to implement new statutory provisions of the Bipartisan Budget Act (BBA) of 2018.
  • The Integrated Care Resource Center (ICRC) continues to provide technical assistance to states to help with the implementation of these new requirements. CMS and ICRC have a number of important resources for states regarding the new requirements for contracts with D-SNPs. Additional resources for states can be found here.
  • As a result of COVID-19, CMS is extending the review and approval timelines to allow D-SNPs more time to work with states on the new CY 2021 requirements. As a result, D-SNPs will have until November 2, 2020 to resubmit revised state Medicaid agency contracts or contract amendments.

CMS announces rule changes to support healthcare workforce augmentation

CMS has taken steps to limit or remove potential barriers for hiring and retaining physicians, nurses, and other healthcare professionals in order to keep staffing levels high at healthcare facilities.

  • In response to the need for in-home services during the COVID-19 crisis, nurse practitioners, clinical nurse specialists, and physician assistants can now provide home health services. These changes are effective for both Medicare and Medicaid.
  • Prior to this, Medicare and Medicaid home health member were only able to receive home health services with the certification of a physician. 
  • Physicians and other practitioners whose privileges are expiring will be able to continue taking care of patients. Consistent with a change made for hospitals, CMS is waiving a requirement for ambulatory surgery centers to periodically reappraise medical staff privileges during the COVID-19 emergency declaration. 

Interim Final Rule Updating Requirements for Notification of Confirmed and Suspected COVID-19 Cases Among Residents and Staff in Nursing Homes 

CMS has issued a memo along with frequently asked questions which address the new requirement that nursing homes and long term care facilities report COVID-19 facility data to the Centers for Disease Control and Prevention (CDC).

  • CMS will be requiring nursing homes to report COVID-19 facility data to the CDC and to residents, their representatives, and families of residents in facilities. 
  • CMS has updated the COVID-19 Focused Survey for Nursing Homes, Entrance Conference Worksheet, COVID-19 Focused Survey Protocol, and Summary of the COVID-19 Focused Survey for Nursing Homes to reflect COVID-19 reporting requirements. 
  • CMS will begin posting data from the CDC National Healthcare Safety Network (NHSN) for viewing by facilities, stakeholders, or the general public. The COVID-19 public use file will be available on https://data.cms.gov/.
     

Increase hospital capacity - CMS Hospitals Without Walls

On April 30, CMS announced expansions of the Hospitals Without Walls initiative, granting flexibility for services to be provided outside of traditional venues.

  • CMS is encouraging the use of existing flexibilities that allow outpatient hospital services to be delivered outside of traditional settings, such as at expansion locations, converted hotels or parking lots, or patients’ homes.
  • Certain outpatient departments that relocate off-site can qualify to be paid under the Outpatient Prospective Payment System (OPPS), rather than the Physician Fee Schedule.
  • Hospitals may relocate outpatient departments to more than one off-campus location, or partially relocate while still furnishing care at the original site.
  • As part of the CARES Act, long-term acute-care hospitals can now accept patients from any acute-care hospital and be paid at a higher Medicare rate.

We’re here to help. If you have more questions or want to have an in-depth conversation about your specific situation, please contact the team

Blog
Additional Medicaid & CHIP COVID-19 FAQs

Read this if you are in administration at a college or university.

Colleges and universities have been working around the clock to convert their in-person academic programming to online learning and to quickly disburse grant funding to students in line with broad eligibility requirements, all while adjusting to their own new work environments. In the search for funding in a time when many institutions are refunding student payments at unexpected and unprecedented levels, many institutions have found themselves ineligible for the Payroll Protection Program (PPP) offered under the CARES Act if the federal work study students were included in the employee count. In a welcome change, a recent interim final rule issued by the US Small Business Administration (SBA) has been released that will change the eligibility criteria for the emergency relief offered under the PPP. One of the most notable changes in the interim rule will allow colleges and universities to exclude federal work study students in determining their eligibility. 

Student workers have historically counted as employees under SBA programs. This temporary change would provide relief for many small institutions, whose federal work study programs would otherwise drive up their employment pool over the 500 employee threshold and exclude them from participation in the PPP. While federal work study positions fill important roles throughout many campus facilities, this interim final rule recognizes the primary function of a federal work study program is to provide financial aid for students attending school and is incidental to the role of the student on campus. As expected, as these positions are mostly federally funded, the interim final rule excludes these expenditures in determining the available loan amount under the PPP.

These changes are consistent with other areas of existing federal law, as noted in the interim final rule, these workers are already generally exempt from other federal employment requirements, like Federal Unemployment taxes. In order to allow for swift action, the interim final rule is effective immediately upon posting to the federal register.

We’re here to help.
For more information, or if you have questions about your specific situation, please contact the higher education consulting team.

Blog
Federal Work-Study (FWS) excluded from PPP eligibility determination

Read this if you are a CFO, CEO, COO, or CLO at a financial institution.

The preparation of financial statements by financial institutions involves a number of accounting estimates, some of which can be quite complex. As these estimates are often a significant focus of audits of those financial statements, financial institution personnel affected by the audit process might benefit from a discussion of the rules auditors need to follow when auditing estimates.

Accounting estimates

Across all industries, there are financial statement items that require a degree of estimation because they cannot be measured precisely. These amounts, called accounting estimates, are determined using a wide array of information available to management. In using such information to arrive at the estimates, a degree of estimation uncertainty exists, which has a direct effect on the risks of material misstatement of the resulting accounting estimates. For financial institutions, common examples of accounting estimates include the allowance for loan losses, valuation of investment securities, allocation of the purchase price in a bank or branch acquisition, and depreciation and amortization of premises and equipment, in addition to intangibles and goodwill. 

For entities other than public companies, the auditing rules are established by the American Institute of Certified Public Accountants’ Auditing Standards Board (ASB). Under these requirements a financial statement auditor has a responsibility to assess the risks of material misstatement for accounting estimates by obtaining an understanding of the following items: 

  • The requirements of generally accepted accounting principles (GAAP) relevant to accounting estimates, including related disclosures. 
  • How management identifies those transactions, events, and conditions that may give rise to the need for accounting estimates to be recognized or disclosed in the financial statements. In obtaining this understanding, the auditor should make inquiries of management about changes in circumstances that may give rise to new, or the need to revise existing, accounting estimates. 
  • How management makes the accounting estimates and the data on which they are based. 

This final item—determining how management has calculated the accounting estimate in question—includes the following specific aspects for the auditor to address:

  • the method(s), including, when applicable, the model, used in making the accounting estimate; 
  • relevant controls; 
  • whether management has used a specialist; 
  • the assumptions underlying the accounting estimates; 
  • whether there has been or ought to have been a change from the prior period in the method(s) or assumption(s) for making the accounting estimates, and if so, why; and 
  • if so, how management has assessed the effects of estimation uncertainty. 

Professional skepticism

When analyzing management’s assessment of the effects of estimation uncertainty, the auditor needs to apply professional skepticism to the accounting estimate by considering whether management considered alternative assumptions, and, if a range of assumptions was reasonable, how they determined the amount chosen was the most appropriate. If estimation uncertainty is determined to be high, this is one indicator to the auditor that estimation uncertainty may pose a significant risk of material misstatement. An identified significant risk requires the auditor to perform a test of controls and/or details during the audit; in other words, analytical procedures and testing performed in previous audits will not suffice. 

CECL considerations

For audits of financial institutions, including those that have implemented the FASB CECL standard as well as those still using the incurred loss method, the allowance for loan losses will likely be deemed a significant risk due to its materiality, estimation uncertainty, complexity, and sensitivity from a user’s perspective.   

Additional factors the auditor needs to consider include whether management performed a sensitivity analysis as part of its consideration of estimation uncertainty as described above, and whether management performed a lookback analysis to evaluate the previous process used. Auditors of accounting estimates are required to do at least a high-level lookback analysis to gain an understanding of any differences between previous estimates and actual results, and to assess the reliability of management’s process. 

Auditing estimate procedures

Procedures for auditing estimates include an evaluation of subsequent events, tests of management’s methodology, tests of controls, and, in some instances, preparation of an independent estimate by the auditor. Tests of management’s method and tests of controls, including auditing the design and implementation of controls, are the most practical and likely procedures to apply to audits of the allowance for loan losses at financial institutions, both under the current guidance and following adoption of the current expected credit loss (CECL) method under Financial Accounting Standards Board (FASB) Accounting Standards Update No. 2016-13, Financial Instruments – Credit Losses (Topic 326): Measurement of Credit Losses on Financial Instruments. As FASB has not prescribed a specific model, auditors must be prepared to tailor their procedures to address the facts and circumstances in place at each respective financial institution. 

In addition to auditing management’s estimate, auditors have the responsibility to audit related disclosures, including information about management’s methods and the model used, assumptions used in developing the estimate, and any other disclosures required by GAAP or necessary for a fair presentation of the financial statements. Throughout the audit process, auditors need to continue to exercise professional skepticism to consider what could have gone wrong during management’s process and to assess indicators of management bias, if any. 

For public companies, the Public Company Accounting Oversight Board (PCAOB) specifies auditors must evaluate both evidence that corroborates and evidence that contradicts management’s financial statement assertions in order to avoid confirmation bias. When considering the assessment of risks, as risk increases, the level of evidence obtained by the auditor should increase. As with audits of private companies, the auditor needs to consider whether the data is accurate, complete, and sufficiently precise and detailed to be used as audit evidence.

An added consideration under PCAOB rules is that the auditor is typically opining on the institution’s internal controls as well as its financial statements. This may restrict the results of control testing performed by parties independent of the function being tested from being used as audit evidence from a financial statement audit perspective. For financial institutions, this is often the case with independent loan review, since the loan review is considered part of the institution’s internal control upon which the auditor is opining. 

Supporting evidence

As with the incurred loss method, PCAOB auditing standards will require the auditor consider how much evidence is necessary to support the allowance for loan losses under CECL. All significant components of management’s allowance for loan losses estimate, including qualitative factors, will need to be supported by institution-specific data. If such data is unavailable (for example, because the institution introduces a new type of loan offering), the FASB standard indicates appropriate peer data may be acceptable. In such cases, management and the auditor may need to understand the controls in place at the vendor providing the peer data to determine its reliability. You may provide this information in the form of System and Organization Controls (commonly know as SOC1) reports of the vendor’s system.  

Recently, the International Auditing and Assurance Standards Board revised its auditing rules for estimates, with a goal of enhancing guidance regarding application of the basic audit risk model in the context of auditing estimates. The revised rules require that auditors must separately assess inherent and control risk when obtaining an understanding of controls, identifying and assessing risks, and designing and performing further audit procedures. The ASB seeks convergence of rules both internationally and domestically, and has therefore proposed changes to its requirements for auditing estimates to align with the IAASB revised rules. The ASB’s proposal on these changes indicated they would be effective beginning with audits of fiscal year ending December 31, 2022; the final effective date will be determined in conjunction with its issuance of the final rules.

The best CECL approach 

The best approach to take? Management should discuss planned changes to estimate the process with your auditors to get their perspective on best practices under CECL. Key areas to review in the discussion include documenting the decision-making process, key players involved, and the resulting review and approval process (especially for changes to methods or assumptions). Always retain copies of your final documentation for auditor review. If you would like more information, or have a specific question about your situation, please contact the team. We’re here to help. 

Blog
CECL: Understand the audit requirements and prepare for what's to come

Read this if you are a leader at a state Medicaid agency.

Leveraging Medicaid to support and fund state efforts
In infectious disease control and prevention, contact tracing is the process of identifying people who may have come into contact with an infected person and tracking with whom the infected person has been in contact. The intent is to halt the chain of transmission. State Medicaid Agencies (SMAs) may be able to leverage the Medicaid program to support state efforts with systems, training, and reimbursement for contact tracing. 

What is contact tracing?
Tracing the contacts of infected individuals throughout a community, testing their contacts for infection, and treating and quarantining the disease when it is found is a long-standing practice to address infectious diseases. While contact tracing may not be a service that is reimbursable by Medicaid, it may be possible for Medicaid to cover a broader package of services designed to slow the spread of COVID-19.

Contact tracing has three major components:

  1. Contact identification—Confirmation of an individual’s infection is the first step. Once identified, it is essential to identify any additional people with whom that person came into contact, including family, co-workers, community members, etc.
  2. Contact tracing—After conducting a complete review of the individual's contacts, outreach begins to inform them of their contact status and discuss critical next steps, starting with testing.
  3. Contact follow-up—Continued follow-up with identified contacts helps prevent the spread of infection by monitoring spread and/or additional symptoms.

Public health experts maintain that contact tracing is one of the tools needed to manage the pandemic. Medicaid can play a key role in supporting systems, training, and reimbursement for contact tracing. This is enabled through Medicaid’s unique role as a significant payer in the healthcare system, along with its role as a government partnership between federal and state governments. In addition, acting to implement contact tracing may offer an opportunity to increase employment at a time when the economy has shed countless jobs. 

Systems and training: Medicaid support for health IT system
To support contact tracing, Medicaid agencies can leverage 75% or 90% federal match or Federal Financial Participation (FFP) for the systems, training, and equipment. This match is applicable for the Medicaid population, while the remainder likely needs to be cost-allocated to other state programs. Activities that can qualify include:

  • Design, development, and installation (DDI) of Medicaid solutions. The Centers for Medicare and Medicaid Services (CMS) may allow this funding to apply to data-tracking systems or changes to support new reimbursement models. 
  • Provider outreach and training related to systems operation, such as training on claims submissions, claims processing, and eligibility inquiries related to case management and care coordination.
  • Training of vendor or state personnel directly engaged in the operation of an approved system, including workers processing claims or determining eligibility.

To obtain this type of funding, states must submit an advanced planning document (APD). 

Reimbursement: Services and authority options for contact tracing
For Medicaid to support contact tracing, SMAs need to identify both state plan services and authority to provide the service. Defining a service and authority may be challenging, as contact tracing is historically a public health intervention and not a medical service that directly benefits a Medicaid member. CMS does not typically allow this type of service under Medicaid. Given the flexibility afforded under current disaster declarations, however, CMS may have more flexibility than usual. Some options for services include: 

Case management

  • How it works 
    First, an individual tests positive and contact-tracing interviews occur. Then, a healthcare provider, such as a hospital, reaches out to the individual, facilitates testing and education, delivers results, and follows up for any care needed. This process applies to any Medicaid members or other individuals who have private insurance that is identified. The provider can discharge the member from case management once the individual recovers. Case management as a Medicaid service is unique in that a diagnosis requiring medical management is the impetus for providing the service.
  • Federal approval rationale
    Hospitals may be a good partner for this service due to CMS’s Hospital Without Walls guidance. If the hospital partners with the Public Health Entity for contact tracing, then the case management piece could—in theory—be billed by the staff providing case management through the hospital. The hospital would also be able to bill for testing and lab, care, etc. Public Health could track where there is capacity through the medical community for treatment, especially hospital beds, ventilators, and alternative testing sites. The case manager providing coordination of care for COVID-19 testing and treatment would have access to the hospital medical record system, and the hospital could bill for the service.

Health home

  • How it works
    A health home under the state plan could also serve as a vehicle for services for this population. To better care for Medicaid members with chronic conditions, the Affordable Care Act created an optional Medicaid state plan benefit to coordinate care. Health homes are designed to integrate all physical and behavioral healthcare. Participation in health homes is voluntary. In order for members to participate, they must possess at least one chronic condition (e.g., high blood pressure, asthma, obesity, diabetes, or any serious chronic condition) and be at risk for a second (e.g., COVID-19).
  • Federal approval rationale
    The health home may be a good support model, as it is eligible for FFP of 90% for the first two years—likely long enough to respond to the pandemic—making it economically attractive. 

The most flexible potential authority for a Medicaid agency to use for contact tracing is the 1115 waiver. As part of the Medicaid Disaster Response Toolkit, CMS made expedited review available. In addition, State Medicaid Director Letter (SMDL) #20-002 provides guidance on a new section 1115 waiver available to assist states in addressing the COVID-19 public health emergency. 

Section 1115 demonstration waiver
The 1115 waiver is the most dynamic option available, and states can access it through the 1115 disaster waiver option under the Medicaid toolkit. The state may be able to show that providing contact tracing will result in savings for services billed under Medicaid. These savings may be able to be justified by decreasing the number of people who test positive for the virus, leading to budget neutrality. The budget neutrality model would need to show “with” and “without waiver” scenarios that demonstrate to Medicaid the cost of the spread of the virus with and without contact tracing. A challenge to this approach is the time necessary to develop the waiver and budget neutrality model and gain CMS approval. 

Recently, CMS approved one of these new section 1115 waivers for the state of Washington. While Washington did not request to cover contact tracing, the speed of approval and the fact that CMS has indicated for the pandemic 1115 requests states will not be required to submit budget neutrality calculations, is a positive indicator for states to consider in envisioning creative models for leveraging Medicaid to minimize the impacts of COVID-19. 

Next steps

  • Check in with your CMS contacts. COVID-19 is new, and America’s response continues to evolve. Check in with your CMS contact for input on the latest guidance that may be applicable to your agency. 
  • Develop an APD. Develop your state’s APD to help fund the technology needs for tracking COVID-19, along with training for your SMA team and providers. 
  • Determine services. In partnership with CMS, determine if case management, a health home, or other service makes the most sense for your state to help trace contacts, reduce the spread of COVID-19, and encourage employment in this important work. 
  • Submit your waiver for state plan amendment. After working with CMS to determine the service that makes sense for your state, develop and submit the request to provide this service through a 1115 waiver, 1135 waiver, or if necessary, emergency state plan amendment. 

We’re here to help
If you have more questions or want to have an in-depth conversation about your specific situation, please contact the Medicaid consulting team

Blog
Contact tracing for COVID-19: What it is and how Medicaid can use it

Read this if you are a tax-exempt organization.

The IRS recently issued proposed regulations (REG-106864-18) related to Internal Revenue Code Section 512(a)(6), which requires tax-exempt entities to calculate unrelated business taxable income (UBTI) separately for each unrelated trade or business carried on by the organization.

For years beginning after December 31, 2017, exempt organizations with more than one unrelated trade or business are no longer permitted to aggregate income and deductions from all unrelated trades or businesses when calculating UBTI. In August 2018, the IRS issued Notice 2018-67, which discussed and solicited comments regarding various issues arising under Code Section 512(a)(6) and set forth interim guidance and transition rules relating to that section. 

The good news
The new proposed regulations expand upon Notice 2018-67 and provide for the following:

  • An exempt organization would identify each of its separate unrelated trades or businesses using the first two digits of the NAICS code that most accurately describes the trade or business. Activities in different geographic areas may be aggregated.
  • The total UBTI of an organization with more than one unrelated trade or business would be the sum of the UBTI computed with respect to each separate unrelated trade or business (subject to the limitation that UBTI with respect to any separate unrelated trade or business cannot be less than zero). 
  • An exempt organization with more than one unrelated trade or business would determine the NOL deduction allowed separately with respect to each of its unrelated trades or businesses.
  • An organization with losses arising in a tax year beginning before January 1, 2018 (pre-2018 NOLs), and with losses arising in a tax year beginning after December 31, 2017 (post-2017 NOLs), would deduct its pre-2018 NOLs from total UBTI before deducting any post-2017 NOLs with regard to a separate unrelated trade or business against the UBTI from such trade or business. 
  • An organization's investment activities would be treated collectively as a separate unrelated trade or business. In general, an organization's investment activities would be limited to its:
     
    1. Qualifying partnership interests
    2. Qualifying S corporation interests
    3. Debt-financed property or properties 

Organizations described in Code Sec. 501(c)(3) are classified as publicly supported charities if they meet certain support tests. The proposed regulations would permit an organization with more than one unrelated trade or business to aggregate its net income and net losses from all of its unrelated business activities for purposes of determining whether the organization is publicly supported. 

The missing news: Unaddressed items from the new guidance
With the changes provided by these proposed regulations we anticipate less complexity and lower compliance costs in applying Code Section 512(a)(6). While this new guidance is considered taxpayer friendly, the IRS still has more work to do. Items not yet addressed include:

  • Allocation of expenses among unrelated trade or businesses and between exempt and non-exempt activities.
  • The ordering rules for applying charitable deductions and NOLs.
  • Net operating losses as changed under the CARES Act.

The IRS is requesting comments on numerous key situations. Until the regulations are finalized, organizations can rely on either these proposed regulations, Notice 2018-67, or a reasonable good-faith interpretation of Code Sections 511-514 considering all the facts and circumstances.
We will keep you informed with the latest developments.

If you have any questions, please contact the not-for-profit consulting team

Blog
IRS unrelated business taxable income update: The good news and the missing news

Editor's note: Read this if you are a leader in higher education.

The Department of Education has released guidance to colleges and universities on how the CARES Act grants to institutions, under the Higher Education Emergency Relief Fund (HEERF), may be used. The guidance comes in the form of answers to frequently asked questions, which we recommend institutions read before accepting the funds. Some key answers included in the document:

  1. A school has to participate in the HEERF funding to be used for grants to students to get the institutional share.
  2. Schools can use these funds to cover the costs of refunds for room and board provided as a result of campus closure.
  3. These funds can be used to make additional emergency financial aid grants to students impacted by campus closure.

We urge schools to retain supporting documentation of the proper use of these funds to allow for a compliance audit, should that be required. 

Questions?
Please contact Renee Bishop, Sarah Belliveau, or Mark LaPrade. We’re here to help.

Blog
The Higher Education Emergency Relief Fund (HEERF): Guidelines

Read this if you are a leader at a state Medicaid agency, Long-Term Care Hospital, Rural Health Clinic, Federally Qualified Health Center, or intermediate care facility.

New toolkit launches to help states navigate COVID-19 health workforce challenges 

In order to maximize workforce flexibility to help confront COVID-19, CMS and the Assistant Secretary of Preparedness and Response (ASPR) have released a new toolkit to assist state and local healthcare decision makers. The toolkits are available as a set of resource collections including:

Our team will be taking a closer look at these resource collections in the coming week and plan to have detailed information on the opportunities within.

Compliance flexibilities announced for implementation of interoperability final rules due to COVID-19

CMS and the Office of the National Coordinator for Health IT (ONC), in conjunction with the Health and Human Services (HHS) Office of Inspector General (OIG), have announced a policy of enforcement discretion to allow compliance flexibilities regarding the implementation of the interoperability final rules previously announced on March 9, 2020.

  • Announced in March, the Interoperability and Patient Access final rule (CMS-9115-F) is focused on the pursuit of interoperability and patient access to health information.
  • CMS-regulated payers, including Medicaid Fee-for-Service (FFS) programs, Medicaid managed care plans, CHIP FFS programs, and CHIP managed care entities are required to implement and maintain a secure, standards-based (HL7 FHIR Release 4.0.1) API that allows members access their claims and encounter information, as well as provider directory information available through third-party applications of their choice.
  • Due to the public health emergency posed by COVID-19, CMS is exercising the “enforcement discretion” to adopt a temporary policy of relaxed enforcement for the final rule.

CMS releases additional blanket waivers for Long-Term Care Hospitals (LTCHs), Rural Health Clinics (RHCs), Federally Qualified Health Centers (FQHCs) and intermediate care facilities

CMS is providing additional blanket waivers related to care for patients in LTCHs, temporary expansion locations of RHCs and FQHCs, staffing and training modifications in intermediate care facilities for individuals with intellectual disabilities, and the limit for substitute billing arrangements (locum tenens).

  • The new flexibilities do not require a waiver or any requests be sent to CMS electronically or any other notification to CMS regional offices.
  • The guidance includes flexibilities related to provider location, staffing, reporting requirements, discharge, patient rights and other areas regulated by CMS.
  • The blanket waiver authority exercised by CMS in this case applies only to federal requirements and does not apply to state requirements for licensure or conditions of participation.

State of Washington COVID-19-related section 1115(a) demonstration approval

Washington’s approval is the first section 1115(a) demonstration specifically intended to combat the effects of COVID-19 in a state.

  • CMS authorized a time-limited approval for several of the requests in Washington’s March 24, 2020 section 1115(a) demonstration with a retroactive effective date of March 1, 2020 through 60 days after the public health emergency declaration.
  • CMS approved two waiver authority requests, as well as six expenditure authority requests from Washington’s section 1115(a) demonstration. 
  • CMS did not require the state to submit budget neutrality calculations for the Washington COVID-19 section 1115(a) demonstration. 

CMS issues guidance allowing Independent Freestanding Emergency Departments (IFEDs) to provide care to Medicare and Medicaid beneficiaries during the COVID-19 Public Health Emergency

CMS issued guidance On April 21, 2020 which allows licensed IFEDs in the states of Colorado, Delaware, Rhode Island, and Texas to temporarily provide care to Medicare and Medicaid patients to address any surge.

  • IFEDs generally offer a range of services including basic imaging services, computed tomography (CT) scans, ultrasound, and basic on-site laboratory services. During this public health emergency these entities can temporarily bill Medicare and Medicaid as a certified hospital.
  • CMS is waiving certain conditions of participation for hospital operations to maximize patient care capabilities during this public health emergency. IFEDs may participate in Medicare and Medicaid in one of three ways: 
     
    • Becoming affiliated with a Medicare/Medicaid-certified hospital under the temporary expansion 1135 emergency waiver; 
    • Participating in Medicaid under the clinic benefit if permitted by the state; or
    • Enrolling temporarily as a Medicare/Medicaid-certified hospital to provide hospital services.

We’re here to help. If you have more questions or want to have an in-depth conversation about your specific situation, please contact the team

Blog
CMS launches toolkits, releases guidance, and loosens some restrictions to help states and others address COVID-19

Read this if you are an administrator, manager, or director at a Rural Health Clinic (RHC) or Federally Qualified Health Center (FQHC).

The following outlines key due dates related to various CARES Act funding streams that you may have received. Updated as of April 27, 2020.

1. Round two of the Paycheck Protection Program (PPP) was just signed last week. If you have not applied and plan to do so, please do so ASAP as the funds are likely to be exhausted quickly.
2. Your 12-month budget for the CARES Act funding is due on May 8, 2020. As you prepare your budget, please consider the following:
a. If you were lucky enough to get approved for PPP loans, use these funds first to pay for salaries and wages as they are for eight weeks only.
b. We encourage including federal grant expenses in all budget categories to enable you to take advantage of the flexibility HRSA has provided you by allowing reclassifications between budget categories up to the lesser of 25% of the federal award or $250,000 without asking for prior approval. If you wish to reclassify amounts to a budget category which didn’t previously have federal funds budgeted, you will have to submit a budget revision to HRSA for approval. This guidance applies to your base 330 grant as well. 
c. Remember, if an employee is paid more than $197,300 (Executive II salary level as of January 1, 2020), you can only charge $197,300 to any HRSA grant. This salary limitation does not apply to consultants or contracted employees.
d. Use of these funds is very likely to undergo audits, similar to the ARRA funding a number of years ago, therefore make sure you properly track how you use these funds (audit trail).
e. Have your personnel policies been modified for consistency with any new practices you’ve implemented as a result of the public health emergency (for example, hazard pay, family and sick leave and remote working)?

Click here for a list of HRSA’s examples of the allowable uses of the CARES Act funding.    
 
3. The initial distribution you received on April 20, 2020 from the CARES Act Provider Relief Fund has an attestation due on May 10, 2020. There are various provisions governing the use of the funds and we suggest you consider the ability to use these funds to offset lost earnings so you do not have to complete with the other funding programs you have received.

Blog
CARES Act funding deadlines: Update for FQHCs and RHCs

Editor's note: Read this if you are a leader in higher education.

The Department of Education (ED) has released the first round of guidance to colleges and universities, with more detail to begin issuing much-needed emergency funding grants to students from the Higher Education Emergency Relief Fund (HEERF), provided as part of the CARES Act.

The guidance clarifies a variety of questions about the portion of the funding to be used for emergency financial aid grants to students, most notably:

  • These funds cannot be used to fund room and board refunds.
  • These funds cannot be used to cover overdue student bills at the institution.
  • Only students eligible to participate in Title IV programs may receive emergency financial aid grants. Students who have not filed a FAFSA but who are eligible to file a FAFSA may receive emergency financial aid grants.

A broader summary from NASFAA can be found here.

While not specifically addressed in this guidance, the HEERF has been provided a CFDA number which leads our team to believe there is a good likelihood these funds will be included in some fashion under the Uniform Guidance compliance audits. We urge schools to retain adequate documentation from their decision making process to allow for a compliance audit, should that be required. We anticipate additional guidance on the HEERF will be forthcoming as schools begin to award the grants to students.

Questions?
Please contact Renee Bishop, Sarah Belliveau, or Mark LaPrade. We’re here to help.

Blog
Update from ED on CARES Act grants to students

Read this if you are a not-for-profit looking to learn more about tax filing deadlines.

State of New Hampshire: If your organization has a December 31 year-end, your annual report filing with the Charitable Trusts Unit and related payment are still due by May 15. If you are not ready to file, you may file Form NHCT-4 for an extension by May 15. If your organization has a June 30 year-end, you may email the State Attorney General to ask for additional time to July 15.

April 24, 2020, UPDATE: Commonwealth of Massachusetts: The Massachusetts Attorney General’s office has extended the Form PC filing requirement. All filing deadlines for annual charities filings for fiscal year 2019 have been extended by six months. This extension is in addition to the automatic six month extension that many not-for-profits receive. In addition, original signatures, photocopies of signatures, and e-signatures (e.g., DocuSign) will be accepted.

On April 9, 2020, the Internal Revenue Service (IRS) issued Notice 2020-23, its third round of tax filing relief guidance, which amplifies relief set forth in previously issued IRS notices providing relief to taxpayers affected by COVID-19. Notice 2020-23 also provides additional time to perform certain other actions. The Notice holds the special distinction of being the first to provide specific relief to not-for-profit organizations with return filing and tax payment obligations due between April 1 and July 15, 2020. The details are highlighted below:

Tax deadline extended to July 15, 2020
The Notice explicitly states that Form 990-T tax payment and filing obligations due during the period between April 1 and July 15 will be automatically extended to July 15, 2020. Additionally, Form 990-PF (and associated tax payments) as well as quarterly Federal estimated tax payments remitted via Form 990-W are also explicitly noted and are granted an extension to July 15.
    
While this is certainly good news, the more eagerly anticipated news is the Notice also includes “Affected Taxpayers” who are required to perform “Specified Time-Sensitive Actions” referenced in Revenue Procedure 2018-58. The Revenue Procedure specifically mentions exempt organizations as “Affected Taxpayers” required to perform “specified time-sensitive actions”—one such action being the filing of Form 990.

In summary (with the combined power of the Notice and Revenue Procedure), any entity with a Form 990, Form 990-EZ, Form 990-PF, Form 990-T, Form 990-W estimated tax filing requirement, Form 1120-POL or Form 4720 filing obligation due between April 1 and July 15, 2020 now have until July 15, 2020 to file. Needless to say this is very welcome news for an industry that like so many others, is being pushed to the brink during this turbulent and difficult time.

Additional extensions
Notice 2020-23 (with reference to Revenue Procedure 2018-58) also extends the due date of certain forms, notices, applications, and other exempt organization activities due between April 1 and July 15, 2020, until July 15, 2020 as noted below: 

  • Community health needs assessments (CHNAs) and Implementation Strategies
  • Application for Recognition of Exemption (Forms 1023 and 1024) 
  • Section 501(h) Elections and Revocations (Form 5768)
  • Information Return of US Persons with Respect to Certain Foreign Corporations (Form 5471)
  • Political Organization Notices and Reports (Forms 8871 and 8872)
  • Notification of Intent to Operate as a Section 501(c)(4) Organization (Form 8976) 

We are here to help
Please contact the BerryDunn not-for-profit tax team if you have any questions, or would like to discuss your specific situation.

Blog
Not-for-profit May 15 tax deadline extended

As resources are released to help higher education institutions navigate the rapidly changing landscape, we will add important links and information to this blog post:

Industry resources:
US Department of Education (ED)

Guidance for colleges:

Guidance on leases:
FASB and GASB news: Postponement of the lease accounting standards

We are here to help
Please contact the BerryDunn higher education team if you have any questions, or would like to discuss your specific situation.

Blog
Resources for higher education institutions affected by COVID-19

Read this is if you are at a healthcare organization and considering telehealth options. 

Given the COVID-19 emergency declaration, telehealth service regulations have been greatly modified to provide flexibility and payment. The guidance on telehealth is very dispersed and can be difficult to navigate. Here are some FAQs based on the many questions we have received. If you have questions related to your specific situation, please contact us. We're here to help.

UPDATED: Are RHCs and FQHCs now eligible as distant site providers for telehealth services? If so, how will they be paid by Medicare?
Yes, the CARES Act includes RHCs and FQHCs as distant sites during the COVID-19 Public Health Emergency (PHE). Distant site telehealth services can be provided by any health care practitioner of the RHC or FQHC within their scope of practice. The practitioners can provide any distant site telehealth service that is approved as a distant site telehealth service under the Physician Fee Schedule (PFS) and from any location, including from the practitioner’s home. CMS has approved an interim payment rate of $92 for RHCs and FQHCs for these services. The rate is based on the average payment for all PFS telehealth services, weighted by the volume of those services paid under the PFS. This rate will apply for services furnished between January 27, 2020 and June 30, 2020. Modifier “95” must be included on the claim. In July 2020, these claims will be automatically reprocessed and be paid at the RHC all-inclusive rate (AIR) and the FQHC prospective payment system (PPS) rate. Reprocessing will begin when the Medicare claims processing system is updated for the new payment rate.

For telehealth distant site services furnished between July 1, 2020 and the end of the COVID-19 PHE, RHCs and FQHCs will need to use RHC/FQHC specific G code, G2025, for services provided via telehealth. These claims will be paid at the $92 rate, not the AIR or PPS rates. If the COVID-19 PHE continues beyond December 31, 2020, the $92 will be updated based on the 2021 PFS average payment rate for these services, again weighted by the volume of those services.

For services in which the coinsurance is waived, RHCs and FQHCs must put the “CS” modifier on the service line. RHC and FQHC claims with the “CS” modifier will be paid with the coinsurance applied, and the Medicare Administrative Contractor (MAC) will automatically reprocess these claims beginning on July 1. Coinsurance should not be collected from beneficiaries if the coinsurance is waived.

UPDATED: Will telehealth visits of any kind affect my FQHC or RHC encounter rate?
Costs associated with telehealth will not affect the prospective payment system rate for FQHCs or the all-inclusive rate calculation for RHCs, but the costs will need to be reported on the cost report. Costs of originating and distant site telehealth services will be reported as follows:

  • Form CMS-222-17 on line 79 (Cost Other Than RHC Services) of Worksheet A for RHCs
  • Form CMS-224-14 on line 66 (Other FQHC Services) of Worksheet A for FQHCs.

What is telehealth versus telemedicine?
Telemedicine refers to a remote clinical service while telehealth is a broader term that embodies a consumer-based approach to medical care, incorporating both delivery of care and education of patients.

UPDATED: What types of service levels are available?
There are three main types of Medicare virtual services with different payment levels. Here are the key things to know for each type:

Telehealth visits

  1. These are considered the same as in-person visits and paid at the same PFS rates as regular, in-person visits.
  2. Pre-existing patient relationship requirements have been waived.
  3. The patient originating site can be any healthcare facility or the patient’s home.

Virtual check-ins

  1. These are brief communications in a variety of technology-based manners.
  2. They do require the patient to initiate and consent to the check-in.
  3. It cannot be preceded by a medical visit within the previous 7 days and cannot lead to a medical visit within the next 24 hours. 
  4. A pre-existing relationship with the patient is required.
  5. Common billing codes include HCPCS code G2012 (telephone) and G2010 (captured video or images).

E-visits:

  1. These also need to be initiated by the patient in order to be billable and would be conducted using online patient portals (no face-to-face), for example.
  2. A pre-existing relationship with the patient is required.
  3. Common billing codes include CPT codes 99421-99423 and HCPCS codes G2061-G2063. 

The payment rate for these services will be $24.76 beginning March 1, 2020, through the end of the PHE, instead of the CY 2020 rate of $13.53, and should be billed using code G0071. MACs will automatically reprocess any claims with G00771 furnished on or after March 1, 2020, that were not paid at the new rate.

What codes can be billed as telehealth services?
Here is the listing effective as of March 1, 2020. 

Since this time, 85 additional codes have been added. Click here for the list. 

Do we need to request an 1135 waiver or are these changes covered by a blanket waiver from CMS?
A blanket waiver is in effect, retroactive to March 1, 2020 though the end of the emergency declaration. 

Is patient consent required?
Yes, patients must verbally consent to services. This includes brief telecommunications (which currently have a cost share for Medicare). We recommend it for all payers as a best practice.

Is there additional information expected from Medicare?
Yes, Medicare, Medicaid, and other payers are continually updating their guidance. 

What can we bill for telehealth services for Medicaid and insurance carriers?
This is the most problematic to track as it is continually evolving and every state and carrier is different. Providers must understand each payor’s requirements around audio and video, allowable CPT/HCPCS codes, modifiers, and place of service codes. As you have questions, please reach out to us so we can be sure to provide the most current answer.

Resources
Given how quickly information related to telehealth is changing, please feel free to contact us for the latest resources. 

Blog
Telehealth FAQs

Read this if your company is seeking assistance under the PPP.

With additional funding for the PPP pending, we’re updating this blog post with more recent information.


This information is current as of April 21, 2020.

The Treasury Department has issued guidance and answers to Frequently Asked Questions that alters some of the original assumptions around PPP:

  1. At least 75% of the forgiven amount should be used for payroll (changed due to anticipated high demand for program)
  2. Repayment of non-forgiven amounts are now repaid over 2 years at 1.0% interest (not 2 years and 0.5% as previously stated or 10 years and 4% as in the CARES Act)

Although the “covered period” is February 15, 2020 to June 30, 2020, forgiveness of the loan is based on expenses (primarily payroll) during the eight-week period after the loan is received. Loan amounts should be disbursed within 10 calendar days of being approved.

Important to note:

  1. Questions around size:
    1. 500 employees. The SBA has clarified that it measures employees consistent with the existing 7(a) loan program guidance. See CFR Section 121.106 for details.
    2. The SBA has also clarified that if a business meets both tests in the “alternative size standard”, it qualifies to participate in the program
      1. Maximum tangible net worth of the business is not more than $15 million.
      2. Average net income after Federal income taxes for the two full fiscal years before the date of application is not more than $5 million. 
    3. If the existing SBA definition of a small business for your industry (found on SBA websites) has over 500 employees, your business may qualify if you meet that expanded definition. 
  2. The CARES Act states that loans taken from January 31, 2020, until “covered loans are made available may be refinanced as part of a covered loan.”
  3. People may want to tap into available credit now. If they are granted a covered loan (PPP loan), they can refinance. Given anticipated demand, it may take time to get the PPP loan processed.
  4. Participation in PPP (Section 1102 and 1106 of the CARES Act) precludes participation in the Employee Retention Credit (Section 2301).
  5. The IRS clarified that companies may still defer Payment of Employer Payroll Taxes (Section 2302) even if participating in PPP until a decision on forgiveness is reached by your lender. This is a change from our prior understanding.

Economic Injury Disaster Loans (EIDL)

EIDLs are available through the SBA and were expanded under section 1110 of the CARES Act. Eligible are businesses with 500 or fewer employees, including ESOPs, cooperatives, and others. Up to $2 million per loan. Up to 30 years to repay. Comes with an emergency advance (available within 3 days) of $10,000 that does not have to be repaid – even if your loan application is turned down. This $10,000 does not impact participation in other programs/sections of the CARES Act. Some portion of the EIDL may reduce your loan forgiveness under PPP, but receiving an EIDL does not preclude you from participating in the PPP.

From the Treasury: Small business PPP

The Paycheck Protection Program provides small businesses with funds to pay up to 8 weeks of payroll costs including benefits. Funds can also be used to pay interest on mortgages, rent, and utilities. More details at treasury.gov.

Fully forgiven

Funds are provided in the form of loans that will be fully forgiven when used for payroll costs, interest on mortgages, rent, and utilities (due to likely high subscription, at least 75% of the forgiven amount must have been used for payroll). Loan payments will also be deferred for six months. No collateral or personal guarantees are required. Neither the government nor lenders will charge small businesses any fees.

Must keep employees on the payroll—or rehire quickly

Forgiveness is based on the employer maintaining or quickly rehiring employees and maintaining salary levels. Forgiveness will be reduced if full-time headcount declines, or if salaries and wages decrease.

All small businesses eligible

Small businesses with 500 or fewer employees—including nonprofits, veterans organizations, tribal concerns, self-employed individuals, sole proprietorships, and independent contractors— are eligible. Businesses with more than 500 employees are eligible in certain industries.

When to apply

Starting April 3, 2020, small businesses and sole proprietorships can apply. Starting April 10, 2020, independent contractors and self-employed individuals can apply.

How to apply

You can apply through any existing SBA 7(a) lender or any federally insured depository institution, federally insured credit union, or Farm Credit System institution that is participating. Other regulated lenders will be available to make these loans once they are approved and enrolled in the program. You should consult with your local lender as to whether it is participating. All loans will have the same terms regardless of lender or borrower. Find a list of participating lenders and additional information and full terms at sba.gov.

The Paycheck Protection Program is implemented by the Small Business Administration with support from the Department of the Treasury. Lenders should also visit sba.gov or coronavirus.gov for more information.

BerryDunn COVID-19 resources

We’re here to help. If you have questions about the PPP, contact a BerryDunn professional.

Blog
Updated: Funding for the Paycheck Protection Program (PPP)

Read this if you are considering adding telehealth services, or enhancing your your current telehealth services.

Consumer and provider’s perceptions and adoption of telehealth in the US have been mixed at best. The current COVID-19 pandemic has necessitated and supported broader use of non-face-to-face provider interactions. Payor changes will likely continue post-pandemic, and the communities we serve may expect more virtual care options.    

The regulatory changes necessitated by the pandemic provide new flexibility and options to serve our patients remotely and generate revenue. Leveraging this opportunity demands:

  • understanding each payor’s requirements, 
  • educating providers, 
  • creating revenue cycle processes, and
  • ensuring compliance with payor requirements. 

Providers need to understand the “flavors” of non-face-to-face visits, the payor requirements, and the significant payment differences. Simple documentation, modifier, and/or claim form omissions can mean the difference between being paid for a face-to-face office visit versus a non-chargeable service. The effort in getting it right today will have immediate benefits that should extend into post-pandemic operations.

The first step is researching and documenting each payor’s requirements. The rules and regulations are not the same for RHCs, FQHCs, Method II billing, and the different provider types such as physical therapists and MDs. Providers need to understand documentation, CPT/HCPC, modifier, place-of-service, video requirements versus audio only, and other nuances. Simplification of each payor’s rules into an easy-to-digest grid creates an invaluable tool for everyone involved. Below is an example of a payor grid:

Payor Sample payor 1 Sample payor 2
Video requirement waived? Yes No
Place of service 02 02 for 11
Virtual check-in/brief communication codes G2012 or G2010 G2012 or telephone E/M codes (G99441-99433)
Telehealth service codes All codes in CPT Appendix P All codes in CPT Appendix P, video required, use office POS
Modifier rules V3 required for audio only visits 95 or GT
Note Use G2012 for triage Payor notes that most appropriate level is 99212 or 99213

Other questions on payor requirements that may prove worth tracking:

  • Will cost shares be waived?
  • Is payor reimbursing at face-to-face rates?
  • Are telehealth services limited to established patients?
  • Are requirements around follow-up appointments bundled or not?
  • For organizations with multiple provider types, what claim type is required?

Every member of the revenue cycle must be involved to optimize telehealth services. Do not overlook the importance of registration, IT/system configuration (from a documentation and billing perspective), and physician education. Providers should consider simple flow charts to assist in operationalizing the rules by payor. For example (click to expand):   

Operationalize Telehealth Rules by Payor

The government relaxed HIPAA rules allowing providers many more options for telehealth technology (such as using Web-Ex, Skype, Zoom, and other readily available services). These options are of no value if not available and/or adopted by providers and patients. In terms of payment, the lack of a video component is often the difference between billing and being paid at the face-to-face in office rate versus a non-chargeable or minimal payment service. Some payors are allowing and paying audio-only visits at the office rate, which further highlights the need to understand the rules.  

Here is an example from Medicare showing the potential payment difference between an audio-only and video-enabled service:

Code Long description Medicare fee schedule rate
99442 Telephone evaluation and management service; 11-20 minutes of medical discussion. $27.82
99213 Office or other outpatient visit for the evaluation and management of an established patient, which requires at least 2 of these 3 key components: an expanded problem focused history, an expanded problem focused examination, and/or medical decision making of low complexity.

Counseling and coordination of care with other physicians, other qualified health care professionals, or agencies are provided consistent with the nature of the problem(s) and the patient's and/or family's needs. Usually, the presenting problem(s) are of low to moderate severity. Typically, 15 minutes are spent face-to-face with the patient and/or family.
$77.15

In this example, the physician time is about 15 minutes with the patient. However, if video were used the payment would be 177 percent more. When you account for the number of physicians in your organization that are providing these visits every day times the payment difference, the delta is substantial. The payment difference is even more significant for other codes and payor rates (and further exacerbated by payers that do not pay for audio-only visits).

There are significant payment difference between the different codes that can be billed for telehealth visits by payor. These are difficult financial times for providers and every dollar counts. BerryDunn is available to help if you have questions around rules, regulations, and/or best practice processes around billing for these services. You can e-mail Denny Roberge or call 603.518.2623 with any questions or for assistance optimizing your telehealth program.

Blog
COVID-19 telehealth changes: Every charge counts

Read this if you are an administrator, manager, or director at a Rural Health Clinic (RHC) or Federally Qualified Health Center (FQHC).

CMS just released an article outlining new and expanded flexibilities for RHCs and FQHCs during the COVID-19 public health emergency (PHE). The article includes the following information:

  • Payment rate for telehealth services
  • How to bill for telehealth services
  • Expanded virtual communications services

Payment for telehealth health services during the PHE (from January 27, 2020 through the end of the PHE) is $92. Billing for telehealth is segmented into two periods:

  1. January 27, 2020 – June 30, 2020, bill using the 95 modifier
  2. July 1, 2020 – end of PHE, bill using code G2025

The article further outlines that for telehealth services billed through June 30, they will be paid at the PPS rate. The claims will then be automatically reprocessed in July and a recoupment will occur for the difference between the $92 and your PPS rate. 

It will be important for you to keep track of the telehealth visits paid at your PPS rate and what the recoupment by Medicare will be so that when it occurs you will not be caught unawares.

Virtual communication services have been expanded to include digital evaluation and management services. Online digital evaluation and management services are non-face-to-face, patient initiated, digital communications using a secure patient portal. 

Additionally, the payment rate for these services will be $24.76 beginning March 1, 2020 through the end of the PHE instead of the CY 2020 rate of $13.53, and should bill using code G0071. 

Consider how the medical records component of your system interfaces with the billing component to ensure you capture these services for billing.

The full article can be accessed here: MLN Matters Special Edition Article 20016.
 

Blog
CMS expands flexibility for RHCs and FQHCs

Read this if your financial institution is providing funding under the PPP. This information is current as of April 6, 2020.

The Paycheck Protection Program provides small businesses with funds to pay up to 8 weeks of payroll costs including benefits. Funds can also be used to pay interest on mortgages, rent, and utilities. 

The Treasury Department is encouraging people to apply ASAP because there is a funding cap.


When to accept applications?

Starting April 3, 2020, small businesses and sole proprietorships can apply. Starting April 10, 2020, independent contractors and self-employed individuals can apply.

What underwriting is required?

In evaluating the eligibility of a borrower for a covered loan, a lender shall consider whether the borrower:

  • was in operation on February 15, 2020.
  • had employees for whom the borrower paid salaries and payroll taxes.
  • paid independent contractors, as reported on a Form 1099-MISC.

Lenders are also required to follow applicable Bank Secrecy Act requirements. Refer to the SBA’s Paycheck Protection Program Information Sheet for Lenders and recent FAQs issued by the Treasury on April 6, 2020.

Loan provisions

The Treasury Department issued guidance on March 31, 2020, that alters some of the assumptions around PPP:

  1. At least 75% of the forgiven amount should be used for payroll (changed due to anticipated high demand for program)
  2. Repayment of non-forgiven amounts are now repaid over 2 years at 0.5% interest (not 10 years and 4% as in the CARES Act)

Although the “covered period” is February 15, 2020 to June 30, 2020, forgiveness of the loan is based on expenses (primarily payroll) during the eight-week period after the loan is received.

Regulatory capital requirements

With respect to the appropriate Federal banking agencies or the National Credit Union Administration Board applying capital requirements under their respective risk-based capital requirements, a covered loan shall receive a risk weight of zero percent.

Borrower certification

An eligible recipient applying for a covered loan shall make a good faith certification: 

  1. that the uncertainty of current economic conditions makes necessary the loan request to support the ongoing operations of the eligible recipient; 
  2. acknowledging that funds will be used to retain workers and maintain payroll or make mortgage payments, lease payments, and utility payments;
  3. that the eligible recipient does not have an application pending for a PPP  loan for the same purpose and duplicative of amounts applied for or received under a covered loan; and
  4. during the period beginning on February 15, 2020 and ending on December 31, 2020, that the eligible recipient has not received amounts under the PPP for the same purpose and duplicative of amounts applied for or received under a covered loan.

What are considered payroll costs?

Payments of any compensation with respect to employees that is:

  • Salary, wage, commission, or similar compensation
  • Payment for vacation, parental, family, medical, or sick leave
  • Payment required for the provisions of group health care benefits, including insurance premiums
  • Payment of any retirement benefit
  • Other qualified payroll costs under Sec. 1102 of the CARES Act

Payroll costs are limited to $100,000 per employee, as prorated for the covered period, and exclude qualified sick leave wages and family leave wages for which a credit is allowed under sections 7001 and 7003 of the Families First Coronavirus Response Act.

Important to note:

  1. Questions around 500 employees
    We don’t know for certain how the 500 employees are counted. Other SBA programs use average headcount over the prior 12-month periods. Some companies are proceeding on that assumption. We are awaiting additional guidance from the SBA for confirmation. Certain industries have an expanded headcount. The list can be found on SBA websites and BerryDunn has a lookup tool to help. If you don’t know, please reach out to us. We’re here to help.
  2. The CARES Act states that loans taken from January 31, 2020, until “covered loans are made available may be refinanced as part of a covered loan.”
  3. Participation in PPP (Section 1102 and 1106 of the CARES Act) precludes participation in the Employee Retention Credit (Section 2301) Payment of Employer Payroll Taxes (Section 2302)

Fully forgiven

Funds are provided in the form of loans that will be fully forgiven when used for payroll costs, interest on mortgages, rent, and utilities (due to likely high subscription, at least 75% of the forgiven amount must have been used for payroll). Loan payments will also be deferred for six months. No collateral or personal guarantees are required. Neither the government nor lenders will charge small businesses any fees.

Must keep employees on the payroll—or rehire quickly

Forgiveness is based on the employer maintaining or quickly rehiring employees and maintaining salary levels. Forgiveness will be reduced if full-time headcount declines, or if salaries and wages decrease.

All small businesses eligible

Small businesses with 500 or fewer employees—including nonprofits, veterans organizations, tribal concerns, self-employed individuals, sole proprietorships, and independent contractors— are eligible. Businesses with more than 500 employees are eligible in certain industries.

The Paycheck Protection Program is implemented by the Small Business Administration with support from the Department of the Treasury. Lenders should also visit sba.gov or coronavirus.gov for more information.

Economic Injury Disaster Loans (EIDL)

EIDLs are available through the SBA and were expanded under section 1110 of the CARES Act. Eligible are businesses with 500 or fewer employees, including ESOPs, cooperatives, and others. Terms: Up to $2 million per loan. Up to 30 years to repay. Comes with an emergency advance (available within 3 days) of $10,000 that does not have to be repaid – even if the loan application is turned down. This $10,000 does not impact participation in other programs/sections of the CARES Act. Some portion of the EIDL may reduce loan forgiveness under PPP, but receiving an EIDL does not preclude the borrower from participating in the PPP.


BerryDunn COVID-19 resources

We’re here to help. If you have questions about the PPP, contact a BerryDunn professional.

Blog
Paycheck Protection Program (PPP): Resource for lenders

Read this if you work at a public health department and would like a brief summary of how you can maximize funding and meet new federal requirements.

Unpacking the trillions

In response to the COVID-19 pandemic, several pieces of legislation were passed by congress and signed into law. The three bills, H.R. 6074 Coronavirus Preparedness and Response Supplemental Appropriations Act, H.R. 6201 Families First Coronavirus Response Act, and H.R. 748 Coronavirus Aid, Relief, and Economic Security (CARES) Act, have provided funding for various federal agencies with different roles in responding to the crisis. Because of the urgency required, much of the guidance for use of funds and reporting requirements were released after passage of the bills or have yet to be released.

Here is a brief timeline and summary of the acts:

Implication and next steps for state public health departments

While little guidance has been provided for how state public health departments should prepare to access federal funds, BerryDunn will continue to monitor and release updates as they become available. 

While at this point HR 6074 has the greatest implications for public health departments, here are some actions that states should take now for their public health programs from the recent legislation:

  1. H.R. 6074: Provides appropriations to the CDC to be allocated to states for COVID-19 expenses.
    • To ensure maximum funding, prepare a spend plan to submit to CDC.
    • To ensure compliance, provide CDC with copies or access to COVID-19 data collected with these funds.
    • To maximize the impact of new funding, develop a COVID-19 community intervention plan.
    • To support streamlined operations, submit revised work plans to CDC.
    • To prevent missed deadlines, submit any requests for deadline extensions to the CDC.
  2. H.R. 6201: Provides guidance specific to the Special Supplemental Nutrition Program for Women, Infants, and Children (WIC) programs.
    • To encourage social distancing and loosen administrative requirements, seek waivers through the USDA’s Food and Nutrition Service (FNS).
    • To ensure compliance, prepare to submit a report summarizing the use of waivers on population outcomes by March 2021.
  3. H.R. 748: Allocates $150 billion to a coronavirus relief fund for state, local, and tribal governments.
  • To secure funding, monitor the US Department of Health & Human Services (HHS) for guidance on using funds for:
    • Coronavirus prevention and preparation
    • Tools to build health data infrastructure
    • COVID-19 Public Health Emergency expenses
    • Developing countermeasures and vaccines for coronavirus
    • Telehealth and rural health activities
       
  • To ensure HIPAA compliance when sharing protected patient health information, monitor the US Department of Health & Human Services (HHS) for guidance.

For more information

For specific issues your agency has, or if you have other questions, please contact us. We’re here to help. 

Blog
COVID-19 laws and their impact on state public health agencies

Read this if you want more information about the Paycheck Protection Program (PPP).

Most likely you have heard of the PPP within the Coronavirus Aid Relief and Economic Security (CARES) Act that was passed into law March 27, 2020. Below, we’ve shared some of the questions we have heard from many of our clients. If you need more information or have questions regarding your specific question, please contact us

Question #1: What was the PPP designed for? 
Answer:
The PPP was designed with the goal of keeping American workers paid and employed. It aims to accomplish this by issuing loans to qualified businesses so that they can continue paying employees and other qualified expenses.

Question #2: Do you or your business qualify for this? 
Answer: There are several considerations when determining whether or not a business qualifies. For more information, see this recent blog post from Seth Webber, which address a number of these considerations. 

Question #3: What should the PPP loan be used to cover in your business?
Answer: The intent of allowable uses includes: (i) payroll costs, including (a) employee salaries, commissions, or similar compensations, (b) group health care benefits, (c) paid vacation, parental, sick, medical, or family leave, (d) allowances for dismissal or separation, (e) retirement benefits, and (f) state or local tax assessed on the compensation on employee;  (ii) payments of interest on any mortgage obligation, but not prepayment or payment of principal amounts; (ii) rent (including rent under a lease agreement); (iv) utilities; and (v) interest on any other debt obligations incurred before February 15, 2020. However, certain payroll costs are excluded, including salaries and wages which annualized amounts would result in compensation over $100,000 and sick and family leave wages for which a credit is allowed under the Families First Coronavirus Response Act.  

Additionally, you should consider the time period your allowable expenses are designated for. The Small Business Administration (SBA), in consultation with the Department of the Treasury (Treasury) issued a list of frequently asked questions (FAQs) and responses to these FAQs as of April 10, 2020, Paycheck Protection Program Loans FAQs. Within these FAQs, Question 20 asked, “The amount of forgiveness of a PPP loan depends on the borrower’s payroll costs over an eight-week period; when does that eight-week period begin?” The SBA and Treasury noted, “The eight-week period begins on the date the lender makes the first disbursement of the PPP loan to the borrower. The lender must make the first disbursement of the loan no later than ten (10) calendar days from the date of loan approval.” 

Question #4: What portion of the loan, if any, can be forgiven?
Answer:
The Treasury Department issued guidance on March 31, 2020 indicating that at least 75% of the forgiven amount should be used for qualified payroll costs. Although the covered period is specified as February 15, 2020 through June 30, 2020, forgiveness amounts of the loan are based on expenses (primarily payroll) during the eight-week period following the receipt of the loan. There are other aspects of the forgiveness provisions that impact the actual amount forgiven, including maintaining or quickly rehiring employees and maintaining salary levels, with the overall forgiveness amount being reduced if full-time headcount declines, or if salaries and wages decrease more than 25%.

Question #5: What about the portion of your loan that is not forgiven?
Answer:
For the portion of loan not forgiven, the life and terms of the residual loan appear favorable. Current guidance indicates a repayment period of two year loan at 1% interest. Included within this is a six-month deferral period on principal repayment. The loan does not require collateral or a personal guarantee.

Question #6: How should you keep track of the funding and allowable costs?
Answer
: Best practice would be to set up a separate banking account. This will allow you to bifurcate the funding source and offset that amount by costs tracked over the covered period directly. This allows you to use other cash reserves and funding sources to meet other expense needs during the covered period. The funds need to be brought over (into that separate banking account) within 10 days of the application being approved.

Question #7: What other resources are available if the PPP is not a good fit for you?
Answer:
There are additional programs available through the Small Business Administration (SBA) including the Economic Injury Disaster Loan (EIDL) program, which features an advance amount (EIDL Emergency Grant) of up to $10,000. Guidance remains outstanding on exact implications of the EIDL Emergency Grant amount with some SBA offices pointing to $1,000 per employee up to a total max of $10,000. This EIDL Emergency Grant does not have to be repaid, but if you subsequently receive funding through the PPP, your forgiveness amount will be reduced by the EIDL Emergency Grant amount. The EIDL program also features a max life of 30 year loan with interest rates of 3.75% and 2.75% for entities that are for-profit and non-profit, respectively. More information on this is detailed in Dave Erb’s recent blog post.

If you do not need to make use of the PPP and EIDL programs, but still face significant downturns in your revenue base, tax relief in the form of the Employee Retention Credit (ERC) may also be an option. The provisions of the ERC within the CARES Act specify eligibility as, an employer that does not participate in the PPP and: (i) a complete or partial shutdown in operations; or (ii) at least a 50% decline in gross receipts, based on quarterly comparison from 2020 to 2019. The ERC allows for a tax credit of 50% of qualified wages (max wages of $10,000 per employee and max credit of $5,000 per employee). For more information on the ERC provisions, see Bill Enck’s blog post.

As developments continue to unfold and changes in guidance continue to emerge, the BerryDunn Recovery Advisory Team can help you stay informed through the BerryDunn COVID-19 Resource Center.

Blog
Paycheck Protection Program: FAQs

Read this if you are a leader at a state Medicaid agency.

CMS has delivered nearly  $34 billion, later updated to $51 billion, in the past week to the healthcare providers on the frontlines battling the 2019 novel coronavirus

  • The process in which CMS is implementing requests has reduced times of an accelerated or advance payment to four to six days. Previously the timeframe was three to four weeks. 
  • To date, CMS has received over 25,000 requests from providers and suppliers for accelerated and advance payments. Of these, CMS has approved over 17,000 requests in the past week. 
  • It should be noted that this funding is separate and distinct from the $100 billion provided in the Coronavirus Aid, Relief, and Economic Security (CARES) Act.

CMS issues new wave of infection control guidance based on CDC guidelines to protect patients and healthcare workers 

CMS has issued a series of updated guidance documents focused on infection control to prevent the spread of COVID-19 in a variety of inpatient and outpatient care settings.

  • The updated guidance includes a number of updates, notably the option of providing home dialysis training and support services. These are designed to help some dialysis patients stay home during the pandemic.
  • In particular, the guidance includes the establishment of Special Purpose Renal Dialysis Facilities (SPRDFs), which can allow dialysis facilities to isolate vulnerable or infected patients.
  • For hospitals, psychiatric hospitals and CAHs, the updated guidance provides recommendations on screening and visitation restrictions, discharge to subsequent care locations, as well as staff screening and testing.

CMS acts to ensure US healthcare facilities can maximize frontline workforces to confront COVID-19 crisis 

CMS has temporarily suspended a number of rules in order for hospitals, clinics, and other healthcare facilities to boost their frontline medical staffs.

The CMS guidance focuses on reducing supervision and certification requirements so that practitioners can both be hired rapidly and perform work to the extent of their licensure. CMS guidance allows the following:

  • Doctors can now directly care for patients in certain settings without having to be physically present.
  • Nurse practitioners may now perform some medical exams on Medicare patients at skilled nursing.

CMS approves additional state Medicaid waivers and amendments to give states flexibility to address coronavirus pandemic

CMS continues to deliver regulatory relief to a number of new states in the form of waivers and state plan amendments.

  • In total, CMS has now approved 49 emergency 1135 waivers, 26 state amendments, seven COVID-19 related Medicaid disaster amendments and the first CHIP COVID-related disaster amendment
  • The COVID-related Children’s Health Insurance Program (CHIP) disaster amendment is for the State of Maine. 
  • CMS has now approved COVID-related Medicaid disaster state plan amendments for North Dakota, Rhode Island, and Wyoming.

HHS authorizes licensed pharmacists to order and administer COVID-19 tests

On April 8, HHS released new guidance under the Public Readiness and Emergency Preparedness Act that authorizes licensed pharmacists to order and administer FDA-approved COVID-19 tests.

  • The guidance allows pharmacists to order and administer COVID-19 tests to their patients will provide easier access to testing and will expand testing for healthcare workers and first responders. 

We’re here to help. If you have more questions or want to have an in-depth conversation about your specific situation, please contact the team

Blog
CMS approves over $51 billion for providers with the accelerated/advance payment program for Medicare providers

Read this if you are an IT Leader, CFO, COO, or other C-suite leader responsible for selecting a new system.

Vendor demonstrations are an important milestone in the vendor selection process. Demonstrations allow you to validate what a vendor’s software is capable of, evaluate the usability with your own eyes, and confirm the fit to your organization’s objectives.

Our client found itself in a situation where, after many months of work developing requirements, issuing a request for proposal, and reviewing vendor proposals they were ready to conduct demonstrations. Despite a governor’s executive order for social distancing and limitations on non-essential travel, our client needed to conduct demonstrations to achieve an important project milestone. This presented an opportunity to help them plan, test, and facilitate remote vendor demonstrations with great success.

This brief case study shares some of the key success factors we found in conducting remote demonstrations and some lessons learned after they were complete.

  1. Prepare 
    Establish a clear agenda, schedule, script, and plan in advance of the demonstrations. This helps keep everyone coordinated throughout the demos.
  2. Test
    It is important to test the vendor’s video conference solution from all locations prior to the demonstrations. We tested with both vendors a week ahead of demos.
  3. Establish Ground Rules
    Establishing ground rules allows the meetings to go better, be more efficient, and stay on time. For example, is a moment of silence a consensus to move on or must you wait for someone to unmute their line to verbally confirm to proceed.
  4. Have clear roles by location
    Clear roles help to facilitate the demonstration. Designated time keepers, scribes, and local facilitators help the demonstration go smoothly, and decreases communication issues.
  5. Be close to the microphone
    Essential common sense, but when you can’t see everyone, loud, clear questions and answers make the demos more effective.
  6. Ask vendors to build in pauses to allow for questions
    Since vendors may not be able to see a hand raised, asking vendors to build specific pauses into their demonstrations allows space for questions to be asked easily.
  7. Do a virtual debrief 
    At the end of each vendor demonstration we had our own videoconferencing meeting set up to facilitate a virtual debrief. This allowed us to capture the evaluation notes of the day prior to the next demo. Planning these in advance and having them on people’s calendars made joining the meetings quick and seamless.

Observations and other lessons learned

Following the remote demonstrations we identified a few observations and lessons learned:

  1. Visibility was better
    By not having everyone crowded into one room, people were able to see the screen and the vendor’s software clearly.
  2. Different virtual platforms required orientation
    We wanted vendors to use the tools they were accustomed to using. This led to us using different products for different demonstrations. This was not insurmountable, but required orientation to get used to their tools at the start of each demo.
  3. Video helped debriefing
    Given the quick planning we did not have video capability from all locations for our virtual debrief. It was helpful to see the people sharing their comments following each demonstration. We will plan for video capabilities at all locations next time.
  4. Having a set order for people to provide feedback helped
    During the first debriefing, we established a set order for people to speak and share their thoughts. This limited talking over each other and allowed everyone to hear the thoughts of their peers clearly.
  5. Be patient with slowness
    For the most part we had successful demos with limited slowness. There were a couple points where slowness was encountered. We remained patient, adjusted the schedule, and in the worst case, added an extra break for people.
  6. Staying engaged takes effort
    Sitting all day on a remote demo and paying attention took effort to stay engaged. Building in specific times for Q&A, calling on people by name, and designing it so it wasn’t eight hours straight of presentation helped with engagement.

Restricted travel in response to COVID-19 has led our clients and our teams to be creative and agile in achieving objectives. The remote demonstrations proved highly successful, accomplished the goals, and met our client’s critical timing milestone. At the end of four days of demos, our client commented that the remote demos were perhaps even better than if they had been conducted onsite. As we look at the long view, we may find that clients prefer remote demonstrations even when social distancing and travel restrictions are lifted.

Blog
Social distancing case study: Hosting remote vendor demonstrations

More and more emphasis is being put on cybersecurity by companies of all sizes. Whether it’s the news headlines of notable IT incidents, greater emphasis on the value of data, or the monetization of certain types of attacks, an increasing amount of energy and money is going towards security. Security has the attention of leadership and the board and it is not going away. One of the biggest risks to and vulnerabilities of any organization’s security continues to be its people. Innovative approaches and new technology can reduce risk but they still don’t prevent the damage that can be inflicted by an employee simply opening an attachment or following a link. This is more likely to happen than you may think.

Technology also doesn’t prepare a management team for how to handle the IT response, communication effort, and workforce management required during and after an event. Technology doesn’t lessen the operational impact that your organization will feel when, not if, you experience an event.

So let’s examine the human and operational side of cybersecurity. Below are three factors you should address to reduce risk and prepare your organization for an event:

  1. People: Create and maintain a vigilant workforce
    Ask yourself, “How prepared is our workforce when it comes to security threats and protecting our data? How likely would it be for one of our team members to click on a link or open an attachment that appear to be from our CFO? Would our team members look closely enough at the email address and notice that the organization name is different by one letter?”
     

    According to the 2016 Verizon Data Breach Report, 30% of phishing messages were opened by the target across all campaigns and 12% went on to click on the attachment or link.

    Phishing email attacks directed at your company through your team range from very obvious to extremely believable. Some attempts are sent widely and are looking for just one person to click, while others are extremely targeted and deliberate. In either case, it is vital that each employee takes enough time to realize that the email request is unusual. Perhaps there are strange typos in the request or it is odd the CFO is emailing while on vacation. That moment your employees take to pause and decide whether to click on the link/attachment could mean the difference between experiencing an event or not.

    So how do you create and cultivate this type of thought process in your workforce? Lots of education and awareness efforts. This goes beyond just an annual in-service training on HIPAA. It may include education sessions, emails with tips and tricks, posters describing the risk, and also exercises to test your workforce against phishing and security exploits. It also takes leadership embracing security as a strategic imperative and leading the organization to take it seriously. Once you have these efforts in place, you can create culture change to build and maintain an environment where an employee is not embarrassed to check with the CFO’s office to see if they really did send an email from Bora Bora.
  1. Plan: Implement a disaster recovery and incident response plan 
    Through the years, disaster recovery plans have been the usual response. Mostly, the emphasis has been on recovering data after a non-security IT event, often discussed in context of a fire, power loss, or hardware failure. Increasingly, cyber-attacks are creeping into the forefront of planning efforts. The challenge with cyber-events is that they are murkier to understand – and harder for leadership – to assist with.

    It’s easier to understand the concept of a fire destroying your server room and the plan entailing acquiring new equipment, recovering data from backup, restoring operations, having good downtime procedures, and communicating the restoration efforts along the way. What is much more challenging is if the event begins with a suspicion by employees, customers, or vendors who believe their data has been stolen without any conclusive information that your company is the originating point of the data loss. How do you take action if you know very little about the situation? What do you communicate if you are not sure what to say? It is this level of uncertainty that makes it so difficult. Do you have a plan in place for how to respond to an incident? Here are some questions to consider:
     
    1. How will we communicate internally with our staff about the incident?
    2. How will we communicate with our clients? Our patients? Our community?
    3. When should we call our insurance company? Our attorney?
    4. Is reception prepared to describe what is going on if someone visits our office?
    5. Do we have the technical expertise to diagnose the issue?
    6. Do we have set protocols in place for when to bring our systems off-line and are our downtime procedures ready to use?
    7. When the press gets wind of the situation, who will communicate with them and what will we share?
    8. If our telephone system and network is taken offline, how we will we communicate with our leadership team and workforce?

By starting to ask these questions, you can ascertain how ready you may, or may not be, for a cyber-attack when it comes.

  1. Practice: Prepare your team with table top exercises  
    Given the complexity and diversity of the threats people are encountering today, no single written plan can account for all of the possible combinations of cyber-attacks. A plan can give guidance, set communication protocols, and structure your approach to your response. But by conducting exercises against hypothetical situations, you can test your plan, identify weaknesses in the plan, and also provide your leadership team with insight and experience – before it counts.

    A table top exercise entails one team member (perhaps from IT or from an outside firm) coming up with a hypothetical situation and a series of facts and clues about the situation that are given to your leadership team over time. Your team then implements the existing plans to respond to the incident and make decisions. There are no right or wrong answers in this scenario. Rather, the goal is to practice the decision-making and response process to determine where improvements are needed.

    Maybe you run an exercise and realize that you have not communicated to your staff that no mention of the event should be shared by employees on social media. Maybe the exercise makes you realize that the network administrator who is on vacation at the time is the only one who knows how to log onto the firewall. You might identify specific gaps that are lacking in your cybersecurity coverage. There is much to learn that can help you prepare for the real thing.

As you know, there are many different threats and risks facing organizations. Some are from inside an organization while others come from outside. Simply throwing additional technology at the problem will not sufficiently address the risks. While your people continue to be one of the biggest threats, they can also be one of your biggest assets, in both preventing issues from occurring and then responding quickly and appropriately when they do. Remember focus on your People, Your Plan, and Your Practice.

Blog
The three P's of improving your company's cybersecurity soft skills

Read this if you would like a refresher of common-sense approaches to protect against fraud while working remotely.

Coronavirus (COVID-19) has imposed many challenges upon us physically, mentally, and financially. Directly or indirectly, we all are affected by the outbreak of this life-threatening disease. Anxious times like this provide perfect opportunities for fraudsters. The fraud triangle is a model commonly used to explain the three components that may cause someone to commit fraud when they occur together:

  1. Financial pressure/motivation 
    In March 2020, the unemployment rate increased by 0.9 percent to 4.4 percent, and the number of unemployed persons rose by 1.4 million to 7.1 million.
  2. Perceived opportunity to commit fraud 
    Many people are online all day, providing more opportunities for internet crime. People are also desperate for something, from masks and hand sanitizers to coronavirus immunization and cures, which do not yet exist. 
  3. Rationalization 
    People use their physical, mental, or financial hardship to justify their unethical behaviors.

To combat the increasing coronavirus-related fraud and crime, the Department of Justice (DOJ) launched a national coronavirus fraud task force on March 23, 2020. It focuses on the detection, investigation, and prosecution of fraudulent activity, hoarding, and price gouging related to medical resources needed to respond to the coronavirus. US attorney’s offices are also forming local task forces where federal, state, and local law enforcement work together to combat the coronavirus related crimes. Things are changing fast, and the DOJ has daily updates on the task force activities. 

Increased awareness for increased threats

Given the increase in fraudulent activity during the COVID-19 outbreak, it’s important for employees now working from home to be aware of ways to protect themselves and their companies and prevent the spread of fraud. Here are some of the top COVID-19-related fraud schemes to be aware of. 

  • Phishing emails regarding virus information, general financial relief, stimulus payments, and airline carrier refunds
  • Fake charities requesting donations for illegitimate or non-existent organizations 
  • Supply scams including fake shops, websites, social media accounts, and email addresses claiming to sell supplies in high demand but then never providing the supplies and keeping the money 
  • Website and app scams that share COVID-19 related information and then insert malware that could compromise the device and your personal information
  • Price gouging and hoarding of scarce products
  • Robocalls or scammers asking for personal information or selling of testing, cures, and essential equipment
  • Zoom bombing and teleconference hacking

If you have encountered suspicious activity listed above, please report it to the FBI’s Internet Crime Complaint Center.

Staying vigilant

To protect yourself from these threats, remember to use proper security measures and follow these tips provided by the Federal Bureau of Investigation (FBI) and DOJ:

  • Verify the identity of the company, charity, or individual that attempts to contact you in regards to COVID-19.
  • Do not send money to any business, charity, or individual requesting payments or donations in cash, by wire transfer, gift card, or through the mail. 
  • Understand the features of your teleconference platform and utilize private meetings with a unique code or password that is not shared publicly.
  • Do not open attachments or click links within emails from senders you do not recognize.
  • Do not provide your username, password, date of birth, social security number, insurance information, financial data, or other personal information in response to an email or robocall.
  • Always verify the web address of legitimate websites and manually type them into your browser.
  • Check for misspellings or wrong domains within a link (for example, an address that should end in a ".gov" ends in .com" instead).

Stay aware, and stay informed. If you have specific concerns or questions, or would like more information, please contact our team. We’re here to help.
 

Blog
COVID-19 and fraud―a security measures refresher

Read this if you are a Chief Executive Officer, Chief Financial Officer, Chief Risk Officer, Chief Information Officer, or Controller.

While COVID-19 has forced many of us into a remote work environment, we also have to deal with the challenges that come along with it. The stark contrast between an office environment and one that potentially involves working in isolation can be a difficult adjustment. Office kitchen conversations have evolved into conversations with pets, our newest co-workers. A quick, in-person question has now turned into an email, phone, or video call. And job responsibilities expand as we try to not only juggle work but also ensure our children focus on school work―and don’t destroy the house. 

Not only has this forced environment caused social challenges, it has also opened the door for internal control challenges, as  internal controls designed to operate effectively in an office environment may not be ideal for a remote workplace. Even ones that are appropriately designed, may prove to be operating ineffectively in this new environment. Let’s take a look at some internal control challenges, and potential solutions, faced by working in a remote environment.

Establishing a remote control environment

Exercising appropriate tone at the top and establishing appropriate oversight can be challenging with a remote workforce. Ethics and governance policies play an important role in setting clear expectations about workplace behaviors. But, a workforce is much more apt to follow a leadership team’s example rather than a policy. All of those office conversations, even the conversations that are not work related, help set an expectation of appropriate and inappropriate behaviors. These conversations often happen naturally in the office via a quick conversation in passing in the hallway or a late-Friday happy hour with your department. However, these interactions do not naturally occur in a remote workplace. Leadership and department heads should make an active effort to maintain communication with their workforce. Some things to consider:

  • Send out weekly emails to the entire department and possibly more personal, one-on-one videoconferences or phone calls between your department heads or managers and individual members of their teams.
  • These department-wide emails should stress the importance of communication as well as continuing to produce high quality work and maintaining accountability. 
  • One-on-one meetings should be used to check in with employees to ensure their work needs are being met. 

Employees will most likely have many suggestions to improve their new work environment, including suggestions on how to improve communication amongst team members. 

The power of video

Videoconferencing also provides a great opportunity to stay connected. Virtual happy hours simulate an in-person happy hour. This is a great way to check-in with team members and show that, although people are out of sight, they are not out of mind. Town hall-type meetings can also be explored. Your leadership team can solicit open discussion. Agenda items may include office status updates, technological considerations, and an opportunity for employees to openly discuss current challenges due to working in a remote environment. Employees are going to have anxiety about the current environment. These meetings can help put employees at ease.

Risk assessment

Internal control environments are constantly evolving. Employees leave. Software is updated.  Offered services and products change. The list goes on. However, it is unprecedented that an internal control environment has changed so rapidly. Given these unprecedented times, there is potential for higher risk of fraud, internally and externally. Those responsible for designing internal controls (control owners) should reassess your company’s environment. Although internal controls can be designed in a manner in which they operate effectively regardless of the circumstances, it is possible there are unintended changes to processes that have occurred. 

For instance, let’s say the employee responsible for reviewing loan file maintenance changes is now working an alternative work schedule due to personal obligations. This employee does not have the ability to make loan file changes; therefore, segregation of duties has never been an issue. An employee within loan servicing has agreed to take some of the employee’s responsibilities and is now reviewing some of the loan file maintenance changes, which has put this employee in a position to review some of their own changes. 

Furthermore, some internal controls that require employees be at a physical location to operate may also be compromised, such as inventory cycle counts. If these controls are unable to operate, control owners will need to consider the impacts on the affected transaction areas, and if there are compensating controls that can be designed to alleviate some of the control risk.

Control activities

Accounts payable and check signing

The accounts payable and cash disbursement process will most likely be upended as a result of your new remote environment. Bills received through the mail will need to be scanned to the accounts payable clerk for entry into the accounting system. Some offices have designated certain personnel responsible for checking mail on an infrequent basis, for instance, weekly. Check signing may also prove to be a challenge as blank check stock may be inaccessible. Electronic receipt of invoices and signing of checks, as well as the use of wire and ACH transfers, lend themselves as feasible solutions. Email approvals may suffice when multiple signers are needed to approve high dollar disbursements.

Segregation of duties

As mentioned above, it is possible processes have inadvertently changed, exposing certain internal controls to ineffectiveness. Segregation of duties may become difficult as employees shift to alternative work schedules or have other issues. Maintaining segregation of duties should be a top priority for control owners and is something that should be constantly assessed as circumstances change. Challenging times may make segregation of duties difficult and may force you to get creative by requesting employees perform duties they are not otherwise accustomed to performing.

Digital sign-offs

You should also consider the manner in which you document the completion of controls. Control owners should be cautious about the integrity of an employee’s initials simply typed onto a digital document, as any employee can perform this task. Digital signatures, which require an employee to enter credentials prior to signing, enhance the integrity of a sign-off and are often time stamped. Digital signatures may also “lock down” the document, prohibiting any changes to the signed document.

Timely review

Given the circumstances, it is not unreasonable that preparation and review may take longer than under normal circumstances. Even if additional time is granted for the preparation and review of documents, you should consider the implications this has on the transaction class as a whole. The longer it takes to complete a control, the greater the consequences may be if you identify an error. For instance, the impact of an incorrect change to a loan rate index can be substantial if not identified timely. If identified quickly, you can avoid consequences later.

Information and communication

For many companies that have moved from a paper to a digital environment, sharing of information should not be an issue. However, for those that still operate in a mostly paper environment, performing tasks and sharing information with team members may prove to be difficult. And, those without the capability of scanning and sending documents from home could compromise a specific internal control altogether. Being forced to work remotely may be the perfect excuse to move paper processes into a digital format.

Monitoring

Monitoring your internal control environment is of the utmost importance given these significant changes. Frequent conversations should be had with control owners to ensure changes to processes do not render controls ineffective. Identified gaps in internal controls should be addressed proactively. Provide control owners with the opportunity to discuss changes to control processes with Internal Audit or Risk Management so such departments can consider the impact of changes on internal control. This also gives these departments the opportunity to cover any resulting gaps.

Permanent changes

Once the remote workplace requirements end, the effects of working in such an environment will not. There are many benefits and efficiencies to be found in working remotely. As people have now been forced to work in such an environment, they will be more apt to continue to do so. Therefore, let’s take this opportunity to revise processes and internal controls to be “remote workplace” compatible. This will provide a long-lasting impact to your organization far beyond the pandemic. 
 

Blog
How does your control environment look in a remote world?

The COVID-19 emergency has caused CMS (Centers for Medicare & Medicaid Services) to expand eligibility for expedited payments to Medicare providers and suppliers for the duration of the public health emergency.

Accelerated payments have been available to providers/suppliers in the past due to a disruption in claims submission or claims processing, mainly due to natural disasters. Because of the COVID-19 public health emergency, CMS has expanded the accelerated payment program to provide necessary funds to eligible providers/suppliers who submit a request to their Medicare Administrative Contractor (MAC) and meet the required qualifications.

Eligibility requirements―Providers/suppliers who:

  1. Have billed Medicare for claims within 180 days immediately prior to the date of signature on the provider’s/supplier’s request form,
  2. Are not in bankruptcy,
  3. Are not under active medical review or program integrity investigation, and
  4. Do not have any outstanding delinquent Medicare overpayments.

Amount of payment:
Eligible providers/suppliers will request a specific amount for an accelerated payment. Most providers can request up to 100% of the Medicare payment amount for a three-month period. Inpatient acute care hospitals and certain other hospitals can request up to 100% of the Medicare payment amount for a six-month period. Critical access hospitals (CAHs) can request up to 125% of the Medicare payment for a six-month period.

Processing time:
CMS has indicated that MACs will work to review and issue payment within seven calendar days of receiving the request.

Repayment, recoupment, and reconciliation:
Repayment of the accelerated payment begins 120 days after the date of the issuance of the payment.

  • Inpatient acute care hospitals, certain other hospitals, and CAHs have up to one year from the payment date to repay the balance.
  • All other Part A providers and Part B suppliers will have 210 days from the payment date to repay the balance.
  • Providers/suppliers should continue to submit claims as usual after the issuance of the accelerated payment, but recoupment will not begin for 120 days. Full payment will be made on claims during the 120-day period. At the end of the 120-day period, the recoupment process automatically begins. Every claim submitted will be offset from the new claims to repay the accelerated payment. No payment will be made on newly submitted claims and repayment will begin.
  • The majority of hospitals will have up to one year from the date of the accelerated payment to repay the balance. One year after the accelerated payment is made, the MAC will check to determine if there is a remaining balance. If there is an un-recouped balance, the MAC will send a request for repayment which is to be made by direct payment. Part A and Part B providers not subject to the one-year recoupment plan will have up to 210 days for the reconciliation process to begin.
  • For Part A providers who receive Periodic Interim Payments, the accelerated payment reconciliation process will happen at the final cost report process (180 days after the fiscal period closes).

Application:
The MAC for Jurisdiction 6 and Jurisdiction K is NGS (National Government Services). The NGS application for accelerated payment can be found here.

The NGS Hotline telephone number is 1.888.802.3898. Per NGSMedicare.com, representatives are available Monday through Friday during regular business hours.

The MAC will review the application to ensure the eligibility requirements are met. The provider/supplier will be notified of approval or denial by mail or email. If the request is approved, the MAC will issue the accelerated payment within seven calendar days from the request.

Tips for filing the Request for Accelerated/Advance Payment:
The key to determining whether a provider should apply under Part A or Part B is the Medicare Identification number. For hospitals, the majority of funding would originate under Part A based on the CMS Certification Number (CCN) also known as the Provider Transaction Access Number (PTAN). As an example, Maine hospitals have CCN / PTAN numbers that use the following numbering convention "20-XXXX". Part B requests would originate when the provider differs from this convention. In short, everything reported on a cost report or Provider Statistical and Reimbursement report  (PS&R) would fall under Part A for the purpose of this funding. 
 
When funding is approved, the requested amount is compared to a database with amounts calculated by Medicare and provides funding at the lessor of the two amounts. The current form allows the provider to request the maximum payment amount as calculated by CMS or a lesser specified amount.
 
A representative from National Government Services indicated the preference was to receive one request for Part A per hospital. The form provides for attachment of a listing of multiple PTAN and NPI numbers that fall under the organization.

Interest after recoupment period:
On Monday, April 6, 2020, the American Hospital Association (AHA) wrote a letter to the Department of Health and Human Services and CMS requesting the interest rate applied to the repayment of the accelerated/advanced payments be waived or substantially reduced. AHA received clarification from CMS that any remaining balance at the end of the recoupment period is subject to interest. Currently that interest rate is set at 10.25% or the “prevailing rate set by the Treasury Department”. Without relief from CMS, interest will accrue as of the 31st day after the hospital has received a demand letter for the repayment of the remaining balance. The hospital does have 30 days to pay the balance without incurring interest.  

We are here to help
If you have questions or need more information about your specific situation, please contact the hospital consulting team. We’re here to help.

Blog
Medicare Accelerated Payment Program

Editor’s note: read this if you are a leader in a healthcare organization and have questions concerning the current definition of health care provider in recent legislation regarding COVID-19.

One of the more common questions we receive regarding the paid sick and family leave provisions of the Families First Coronavirus Response Act (the “Act”) is regarding which employees qualify as a “health care provider”, who an organization can elect to exempt from the paid sick and family leave provisions of the Act. The Department of Labor (DOL) has issued FAQs and temporary regulations addressing the issue.

For purposes of determining employees who could be exempt from the paid sick and family leave provisions of the Act, the definition of a “health care provider” has been broadened. It now includes “anyone employed at any doctor’s office, hospital, health care center, clinic, post-secondary educational institution offering health care instructions, medical school, local health department or agency, nursing facility, retirement facility, nursing home, home health care provider, any facility that performs laboratory or medical testing, pharmacy, or any similar institution, employer, or entity”. 

This includes any permanent or temporary institution, facility, location, or site where medical services are provided that are similar to such institutions. 

Additionally, the definition includes any individual employed by an entity that contracts with any of the above institutions to provide services or to maintain the operation of the facility. This also includes anyone employed by any entity that provides medical services, produces medical products, or is otherwise involved in the making of COVID-19 related medical equipment, tests, drugs, vaccines, diagnostic vehicles, or treatments. 

The DOL guidance also indicates the definition includes any individual the highest official of a state determines is a health care provider needed for the state’s response to COVID-19. 

For purposes of the health care provider exclusion for the sick and family leave provisions of the Act, the newly released DOL temporary regulations provide that the term health care provider is not limited to diagnosing medical professionals. Rather, such health care providers include any individual who is capable of providing health care services necessary to combat the COVID-19 public health emergency. Such individuals include not only medical professionals, but also other workers who are needed to keep hospitals and similar health care facilities well supplied and operational.

The DOL encourages employers to be judicious when using this definition to exempt health care providers to minimize the spread of COVID-19.

It is important to note that the preambles to the temporary regulations indicate an employer’s exercise of this option (i.e., to exclude a health care provider or emergency responder from the paid sick/family leave benefits) does not authorize an employer to prevent an employee who is a health care provider from taking earned or accrued leave in accordance with established employer policies.

The preamble to the temporary regulations further indicates the paid sick leave and expanded family and medical leave provisions of the Act exist so employees will not be forced to choose between their paychecks and the individual and public health measures necessary to combat COVID-19. The preambles further state, conversely, providing paid sick leave or expanded family and medical leave does not come at the expense of fully staffing the necessary functions of society.

Organizations face a difficult decision whether to exempt health care providers (and emergency responders) from the paid sick and family leave provisions of the Act. It is not an easy decision to make, and an organization may want to contact legal counsel to understand the legal implications with respect to the decision to exclude health care providers (or emergency responders). 

An organization trying to decide whether to exclude health care professionals (or emergency responders) should consider the following:

  • These employees can’t be prevented from taking paid time off under the organization’s existing paid time off guidelines.
  • Any decision related to the paid sick/family leave provisions doesn’t affect an employee’s eligibility to take FMLA leave under the normal FMLA rules.
  • The organization may want to include health care professionals (and emergency responders) in the sick leave provisions of the Act so the organization can be eligible for tax credits if an employee is diagnosed with or has symptoms of COVID-19 or is caring for an individual diagnosed with or who has symptoms of COVID-19. 
  • An organization may be able to elect to exclude health care providers (and first responders) from only the paid family leave provisions of the Act.

Ultimately, each organization must make a decision in the best interests of their business, their employees, and their consumers. Unfortunately, there is no single best answer that covers all organizations struggling with this decision. 

If the decision is made to exclude health care providers from all or a portion of the paid sick and family leave provisions of the Act, we recommend contacting your legal counsel to review the employee communications before it is provided to employees.

For more information
If you have more questions, or have a specific question about your particular situation, please call us. We’re here to help. 

Blog
"Health care providers" and Department of Labor regulations under COVID-19

Editor's note: read this if you are a leader in higher education. 

The Department of Education’s Office of Postsecondary Education posted an Electronic Announcement on April 3, 2020, to provide an update to the policy and operational guidance issued in March as a result of the COVID-19 pandemic national emergency. 

In addition to extending the March 5, 2020 guidance to apply to payment periods or terms beginning between March 5, 2020 and June 1, 2020, the Department has confirmed the temporary closure will not result in loss of institutional eligibility or participation. A few other changes to note:

  • Leaves of absence due to COVID-19-related concerns or limitations (such as interruption of a travel-abroad program) can be requested after the date the leave has begun.
  • Updates to the academic calendar requirements will allow institutions to offer courses on a schedule that would otherwise cause the program to be considered a non-standard term if it allows students to complete the term.
  • Calculated expected family contribution amounts will exclude from income any grants or low-interest loans received by victims of an emergency from a federal or state entity as part of the needs analysis.

One trend that continues to permeate the Department’s guidance is for institutions to document, as contemporaneously as possible, actions taken as a result of COVID-19 (including professional judgment decisions, on a case-by-case basis). 

The Department will be issuing more guidance on the impact of the CARES Act on R2T4 calculations, satisfactory academic progress requirements, the extension of the single audit by the Office of Management and Budget, and the potential impact to future FISAP filings. We highly recommend you read the full announcement as it outlines a wide variety of important details. 

Questions? Please contact Renee Bishop, Sarah Belliveau, or Mark LaPrade. We’re here to help.


 

Blog
COVID-19: Department of Education operational guidance

Read this if you are an IT Leader, CMO, CNO, CFO, or COO in a healthcare setting that may be looking at offering telehealth services.

Adopting telehealth technology is happening rapidly in response to social distancing and the strain that COVID-19 is putting on health systems. In response to this strain and with focus on "flattening the curve" by improving access amid a torrent of temporarily closed provider offices, some state and federal restrictions on telehealth have been lifted with the passage of the CARES Act.  

So, now, the question is not if your organization should implement telehealth services but how do you do it rapidly, effectively, holistically, and with an eye on wide-spread adoption?  

Telehealth is a bit more complex than other services, because it requires a patient to be able to use technology and follow through on provider advice―without physical discussion and interaction. Taking the time with your clinicians to increase their comfort using the technology can help put your patients at ease during this uncertain time while maintaining the clinician-patient relationship. Here are things to consider to become effective with telehealth programs:

  1. Identify purpose and goals. Do you want to expand access, support more patients, improve outcomes, support social distancing, or have further geographic reach? All of the above? 
  2. Choose an approach. Use existing technology within your EHR or use a third party solution.
  3. Test the solution. Check connectivity, devices (iPhone vs Android), and patient skill level.
  4. Camera placement is important. Making sure the patient can see the provider will be important for patients.
  5. Practice with a colleague and an open mind. Develop confidence and help foster patient trust. 
  6. Be adaptable to this being different. As this is new for all parties, showing patience and maintaining calm goes a long way to help ease patient worry.
  7. Consider and plan for the patient’s technical ability, or lack thereof. Be prepared to help troubleshoot minor technical barriers or utilize alternative processes without hampering the clinical encounter. 
  8. Look directly into the camera. Helps establish and maintain the patient-provider relationship. 
  9. Document in real time. Complete good notes, as the volume of telehealth visits and lack of physical proximity to the patient will make it more challenging to remember details later. 
  10. Develop “how to” content for your staff. This will help front line staff explain what the patient should expect before the visit and will outline clear follow up procedures, should there be any technical issues.

Once you have the more technical pieces planned, the keys to success will be testing technology and workflow and embracing the change. As we know, it doesn’t take much for a vulnerable patient to lose ground. Now is the time to expand your reach, lower costs, improve outcomes, improve relationships, show adaptability, sustain progress, and send healthcare directly into the home.

We are here to help
If you have any questions about your specific needs, please contact the healthcare consulting team.

Blog
How to effectively implement telehealth services

Read this if you are a leader at a state Medicaid agency.

Here is a summary of information we have gleaned from the Center for Medicare and Medicaid Services (CMS) Administrator Verma’s recent call.

CMS is implementing new rules and waivers that increase provider flexibility and free up resources to deal with a surge in COVID-19 patients. CMS is working with the provider community to provide clarity around specific changes that impact their operations.

  • The rulemaking process has been dramatically expedited to accommodate recent and forthcoming regulatory changes
  • CMS is in the process of working out details to administer CARES Act provisions, including further regulatory flexibilities, expansion of accelerated payment program, and $100 billion appropriated to reimburse eligible health care providers
  • CMS clarifies that the 3-Day Rule Waiver for skilled nursing facilities applies throughout the country and to all patients, regardless of their COVID-19 status

Medicaid Substance Use Disorder Treatment via Telehealth, and Rural Health Care and Medicaid Telehealth Flexibilities Guidance

This informational bulletin is composed of two parts: Rural Health Care and Medicaid Telehealth Flexibilities and Medicaid Substance Use Disorder Treatment via Telehealth.

  • The informational bulletin identifies opportunities for telehealth delivery for services to increase access to Medicaid services. It is composed of two parts, Rural Health Care and Medicaid Telehealth Flexibilities and Medicaid Substance Use Disorder (SUD) Treatment Services Furnished via Telehealth
  • The bulletin provides SUD guidance around Medication Assisted Treatment (MAT), counseling, high risk populations, and other areas critical to providing SUD services.

Long-Term Care Nursing Homes Telehealth and Telemedicine Tool Kit

CMS is issuing an electronic toolkit regarding telehealth and telemedicine for Long Term Care Nursing Home Facilities.

  • The toolkit includes electronic links to sources of information regarding telehealth and telemedicine, including the changes made by CMS over the last week in response to the national health emergency.
  • Much of the toolkit’s information is intended for providers who may wish to establish a permanent telemedicine program, but there is information here that will help in the temporary deployment of a telemedicine program as well.
  • There are specific documents identified that may be useful in choosing telemedicine vendors, equipment, and software, initiating a telemedicine program, monitoring patients remotely, and developing documentation tools. 


CMS makes regulatory changes to help US healthcare system address COVID-19 patient surge

CMS has issued a number of temporary regulatory waivers and new rules to assist the nation’s healthcare system with improved flexibility.

  • Increased hospital capacity. CMS will allow communities to take advantage of local ambulatory surgery centers that have canceled elective surgeries, per federal recommendations.
  • Healthcare workforce expansion. CMS’s temporary requirements allow hospitals and healthcare systems to increase their workforce capacity by removing barriers for physicians, nurses, and other clinicians to be readily hired from the local community as well as those licensed from other states without violating Medicare rules.
  • Paperwork requirements. CMS is temporarily eliminating paperwork requirements.
  • Telehealth in Medicare. CMS will now allow for more than 80 additional services to be furnished via telehealth.

Additional COVID-19 FAQs for state Medicaid and Children's Health Insurance Program (CHIP) agencies

CMS released an update to the COVID-19 FAQs posted on March 18, 2020 related to emergency preparedness and response, eligibility and enrollment flexibilities, benefit flexibilities, cost sharing flexibilities, financial flexibilities, managed care flexibilities, fair hearing flexibilities, health information exchange flexibilities, and COVID-19 T-MSIS coding guidance. Notably:

  • States that have CHIP disaster provisions in their state plans can activate these provisions. CMS considers a significant outbreak of an infectious disease to be a disaster. CMS also recommends that states that do not have disaster relief provisions in their CHIP state plans include language that a federal- or governor-declared emergency is considered an event that can trigger the disaster provisions.

States may not suspend use of their AVS, however CMS reminds states that they can rely on self-attestation of assets and verify financial assets using their AVS post-enrollment in Medicaid.

  • CMS can help provide technical assistance regarding approaches states can use to rapidly scale telehealth technologies.
  • CMS clarified and provided COVID-19 T-MSIS coding guidance.

For more information

We’re here to help. If you have more questions or want to have an in-depth conversation about your specific situation, please contact the team

Blog
Takeaways from CMS national stakeholder call

Read this if your company would like to request an advance payment of the tax credits.

In response to the paid sick and family medical leave credit provisions enacted by the Families First Coronavirus Response Act (FFCRA) and the employee retention credit enacted by the CARES Act, the IRS has issued Form 7200 to request an advance payment of the tax credits.

Who may file Form 7200?

Employers that file Form(s) 941, 943, 944, or CT-1 may file Form 7200 to request an advance payment of the tax credit for qualified sick and family leave wages and the employee retention credit.

Eligible employers who pay qualified sick and family leave wages or qualified wages eligible for the employee retention credit should retain the amounts qualified for either credit rather than depositing these amounts with the IRS.

With respect to the sick and family leave payments, the credit includes amounts paid for qualified sick and family leave wages, related health plan expenses, and the employer’s share of the Medicare taxes on the qualified wages.

With respect to the employee retention credit, the credit equals 50% of the qualified wages, including certain health plan expense allocable to the wages, and may not exceed $5,000 per qualifying employee. Of note:

  • Employment taxes available for the credits include withheld federal income tax, the employee's share of Social Security and Medicare taxes, and the employer's share of Social Security and Medicare taxes with respect to all employees.
  • If there aren’t sufficient employment taxes to cover the cost of qualified sick and family leave wages (plus the qualified health expenses and the employer share of Medicare tax on the qualified leave wages) and the employee retention credit, employers can file Form 7200 to request an advance payment from the IRS.
  • The IRS instructs employers not to reduce their deposits and request advance credit payments for the same expected credit. Rather, an employer will need to reconcile any advance credit payments and reduced deposits on its applicable employment tax return.

Examples

If an employer is entitled to a credit of $5,000 for qualified sick leave, certain related health plan expenses, and the employer’s share of Medicare tax on the leave wages and is otherwise required to deposit $8,000 in employment taxes, the employer could reduce its federal employment tax deposits by $5,000. The employer would only be required to deposit the remaining $3,000 on its next regular deposit date.

If an employer is entitled to an employee retention credit of $10,000 and was required to deposit $8,000 in employment taxes, the employer could retain the entire $8,000 of taxes as a portion of the refundable tax credit it is entitled to and file a request for an advance payment for the remaining $2,000 using Form 7200.

When to file

Form 7200 can be filed at any time before the end of the month following the quarter in which qualified wages were paid, and may be filed several times during each quarter, if needed. The form cannot be filed after an employer has filed its last employment tax return for 2020.

Please note that Form 7200 cannot be corrected. Any error made on Form 7200 will be corrected when the employer files its employment tax form.

How to file

Fax Form 7200, which you can access here, to 855-248-0552. Form 7200 instructions.

If you need more information, or have any questions, please contact a BerryDunn tax professional. We’re here to help.

Blog
IRS releases Form 7200: Advance payment of employer credits due to COVID-19

Focus: Disaster Loan Program and Paycheck Protection Program (PPP)

Background

The Coronavirus Aid, Relief and Economic Security (CARES) Act will provide $562 million to cover administrative expenses and program subsidy for the US Small Business Administration (SBA) Economic Injury Disaster Loans and small business programs. 

Additionally, the CARES Act specifically provides the authorization for $349 billion for the SBA 7(a) program through December 31, 2020. 

SBA disaster loan program (updated for CARES Act) highlights


General
The US Small Business Administration is offering designated states and territories low-interest federal disaster loans for working capital to small businesses suffering substantial economic injury as a result of the coronavirus and COVID-19.

Eligibility 
Industry may be subject to different standards, but the general rule of thumb is that the SBA defines most small businesses as having less than 500 people, both calculated on a standalone basis and together with its affiliates (see PPP below for more information). A company’s average annual sales may also be used for the small business designation. 

Historically, businesses that are not eligible for this program included casinos, charitable organizations, religious organizations, agricultural enterprises and real estate developers that are primarily involved in subdividing real property into lots and developing it for resale for themselves (other real estate entities may apply, such as landlords). 

However, the CARES Act expanded eligibility to include (i) any individual operating as a sole proprietor or independent contractor; (ii) private non-profits and (iii) Tribal businesses, cooperatives and ESOPs with fewer than 500 employees during January 31, 2020 to December 31, 2020.

If the entity has bad credit or has defaulted on a prior SBA loan, the entity is not eligible. The CARES Act removed the credit elsewhere requirement (i.e., previously if the business had credit available through another source, such as a line of credit, it was ineligible). 

Basic terms

  • Loan amount
    The lesser of $2 million or an amount determined that that borrower can repay (i.e., underwriting requirement).
  • Maximum term
    Up to 30 years and all payments on these loans will be deferred for 12 months from disbursement date. Interest will accrue.
  • Interest rate
    3.75% for for-profit business and 2.75% for a non-profit entity.
  • Collateral
    Loans for under $25,000 do not require collateral.  Any person with an interest in the company worth 20% or more must be a guarantor; however the CARES Act eliminates the guaranty requirement on advances and loans under $200,000. 
  • Use of proceeds
    Loan proceeds may be used to pay fixed debts (including short-term notes and balloon payments that are due within the next 12 months), payroll, accounts payable, and other bills the borrower would have to pay that but for the disaster would have been paid, such as mortgage payments. Landlords and other passive entities are eligible. Agriculture-related entities are eligible, but farmers are not. Borrowers must maintain proof of how the loan proceeds were used for three years from the date of disbursement. Borrowers cannot use the proceeds to expand their business, buy assets, make repairs to real estate or refinance long-term debt. 
  • Forgiveness
    No forgiveness provision.

Applying
Loan applications are available here

Length of time for funding
Upon submittal of a completed application, it can take 18-21 days to be approved and another four to five business days for funding. However, the SBA has never dealt with this much volume so expect delays.  

If funding is needed immediately, contact any SBA partnering non-profit lender and request an SBA microloan up to $50,000 or contact a commercial lending partner to see if they offer SBA express loans up to $1,000,000 (CARES Act increases this from $350,000 to $1,000,000) and/or SBA 7(a) loans up to $5 million. The 7(a) loans are typically processed within 30 days, while microloans and express loans are processed even more quickly. 

The CARES Act has also established an emergency grant to allow eligible entities who have applied for a disaster loan because of COVID-19 to request an advance of up to $10,000 on that loan. The SBA is to distribute the advance within three days. 

This advance does not need to be repaid, even if the applicant is denied a Disaster Loan. ($10,000,000,000 is appropriated for this program and funds will be distributed on a first come, first served basis). An applicant must self-certify that it is an eligible entity prior to receiving such an advance. Advances may be used for providing sick leave to employees, maintaining payroll, meeting increased costs to obtain materials, rent or mortgage payments, and payment of business obligations that cannot be paid due to loss of revenues. Applicants must apply directly with the SBA for this program.

Other considerations
Each company should review any current loan obligations and confirm that it does not include a provision forbidding that applicant from acquiring additional debt. If the document does, the applicant will want to discuss a waiver of that provision with its current lender. The lender should be amenable to this waiver and the applicant will want the waiver verified in writing. The lender should be amenable because the SBA disaster loan can be used to satisfy monthly debt obligations and any collateral taken by the SBA would be subordinate, if the same collateral secures the lender’s loan.

Under the CARES Act, Congress has also directed the SBA to use funds to make principal and interest payments, along with associated fees that may be owed on an existing SBA 7(a), 504 or micro-loan program covered loan, for a period of six months from the next payment due date. Any loan that may currently be on deferment will receive the six months of covered payments once the deferral period has ended. This provision will also cover loans that are made up to six months after the enactment of the CARES Act. If the loan maturity date conflicts with benefiting from this amendment, the lender can extend the maturity date of the loan. 

Newly enacted Paycheck Protection Program (PPP)


General
This new program will be offered with a 100% SBA guaranty through December 31, 2020, to lenders, after which the guaranty percentage will return to 75% for loans above $150,000 and 85% for loans below that amount. 

Eligibility 
A business, including a qualifying nonprofit organization, that was in operation on February 15, 2020, and either had employees for whom it paid salaries and payroll taxes or paid independent contractors, is eligible for PPP loans if it (a) meets the applicable North American Industry Classification System (NAICS) Code-based size standard or other applicable 7(a) loan size standard, both alone and together with its affiliates; or (b) has an employee headcount that is lower than the greater of (i) 500 employees or (ii) the employee size standard, if any, under the applicable NAICS Code. 

Businesses that fall within NAICS Code 72, which applies to accommodations and food services, are also eligible if they employ no more than 500 people per physical location. Sole proprietorships, independent contractors, and self-employed individuals are also eligible. It is unclear as of what date the size test will be applied, but historically, SBA size tests have been applied on the date of application for financing. More information on the NAICS-Code-based size standards can be found here

Borrowers are required to provide a good faith certification that the loan is necessary due to economic conditions brought about because of COVID-19 and that the borrower will use the funds to retain workers, maintain payroll and pay utilities, lease and/or mortgage payments.

The credit elsewhere test is waived under this program. 

Lenders shall base their underwriting on whether a business was operational on February 15, 2020, and had employees for whom it was responsible for or paid for services from an independent contractor. The legislation has directed lenders not to base their determinations on repayment ability at the present time because of the effects of COVID-19.

Applicants for SBA loan programs, including PPP loans, typically must include their affiliates when applying size tests to determine eligibility. That means that employees of other businesses under common control would count toward the maximum number of permitted employees. A business that is controlled by a private equity sponsor would likely be deemed an affiliate of the other businesses controlled by that sponsor and could thus be ineligible for PPP loans. However, the CARES Act waives the affiliation requirement for the following applicants:  

  1. Businesses within NAICS Code 72 with no more than 500 employees
  2. Franchises with codes assigned by the SBA, as reflected on the SBA franchise registry
  3. Businesses that receive financial assistance from one or more small business investment companies (SBIC) 

Basic terms

  • Loan amount
    Lesser of $10 million or 2.5 times the applicant’s average monthly payroll costs of the business over the year prior to the making of the loan (practically, this may become the year prior to the loan application), excluding the prorated portion of any annual compensation above $100,000 for any person. Note that under the CARES Act, “payroll costs” include vacation, parental, family, medical, and sick leave; allowances for dismissal or separation; payments for group health care benefits, including insurance premiums; and retirement benefits. Calculations vary slightly for seasonal businesses and businesses that were not in operation between February 15 and June 30, 2019. To the extent that a SBA Disaster Loan was used for a purpose other than those permitted for PPP Loans, the Disaster Loans may be refinanced with proceeds of PPP loans, in which case the maximum available PPP loan amount is increased by the amount of the Disaster Loans being refinanced. 
  • Maximum term
    Payments will be deferred for a minimum of 6 months and a maximum of 12. SBA is directed to issue guidance on the terms of this deferral. Any portion of the PPP loan that is not forgiven (see below) on or before December 31, 2020, shall automatically be a term loan for a maximum of 10 years. For PPP loans, the SBA has waived prepayment penalties.
  • Fees
    SBA will waive the guaranty fee and annual fee applicable to other 7(a) loans. 
  • Interest rate
    Maximum rate of 4%.
  • Collateral
    The standard requirements of collateral and a personal guaranty are waived under this program. Accordingly, there will be no recourse to owners or borrowers for nonpayment, except to the extent proceeds are used for an unauthorized purpose.
  • Use of proceeds
    This loan can be used for: (i) payroll support, excluding the prorated portion of any compensation above $100,000 per year for any person; (ii) group healthcare benefits costs and insurance premiums; (iii) mortgage interest (but not prepayments or principal payments) and rent payments incurred in the ordinary course of business, and (iv) utility payments. 
  • Forgiveness
    A borrower will be eligible for loan forgiveness related to a PPP loan in an amount equal to 8 weeks of payroll costs, and the interest on mortgage payments (not principal) made in the ordinary course of business, rent payments, or utility payments so long as all payments were obligations of the borrower prior to February 15, 2020. Payroll costs are limited to compensation for a single employee to be no more than $100,000 in wages and the amount of forgiveness cannot exceed the principal loan amount. 

    The amount of loan forgiveness will be reduced proportionally by any reduction in the borrower’s workforce, based on the full-time equivalent employees versus the period from either February 15, 2019, through June 30, 2019, or January 1, 2020, through February 29, 2020, as selected by the borrower, or a reduction of more than 25% of any employee’s compensation, measured against the most recent full quarter. If a borrower has already had to lay off employees due to COVID-19, employers are encouraged to rehire them by not being penalized for having a reduced payroll at the beginning of the covered period, which means the initial 8 week period after the loan’s origination date. 

    Accordingly, reductions in the number of employees or compensation occurring between February 15, 2020, and 30 days after enactment of the CARES Act will generally be ignored to the extent reversed by June 30, 2020. Any additional wages that may be paid to tipped workers are also covered in the calculation of payroll forgiveness. Borrowers must keep accurate records and document their payments because lenders will need to verify the payments to allow for loan forgiveness. Borrowers will not have to include any forgiven indebtedness as taxable income. 

Applying
A company needs to apply on or before June 30, 2020, with a lender who is currently approved as a 7(a) lender or who is approved by the SBA and the Treasury Department to become a PPP lender. PPP lenders have delegated authority to make and approve PPP loan, with no additional SBA approval required. 

There are certain portions of the CARES Act that require SBA to provide further guidance so there may be some slight changes to the rules and procedures as best practices present themselves. 

We recommend contacting existing 7(a) lenders as soon as possible to learn what you will need to provide for underwriting and approving a PPP loan. 

We are here to help
Please contact a BerryDunn professional if you have any questions, or would like to discuss your specific situation.

Blog
Impact of CARES Act on SBA loans

Read this if you are a director, manager, or administrator at a Federally Qualified Health Centers (FQHC) or Rural Health Clinic (RHC).

The latest COVID-19 bill, the Coronavirus Aid, Relief, and Economic Security (CARES) Act included enhancing Medicare telehealth services for FQHCs and RHCs. This legislation waives the Section 1834(m) restriction on FQHCs and RHCs that prohibits them from serving as distant sites. This means during the COVID-19 State of Emergency, FQHCs and RHCs will be able to serve as distant sites to provide telehealth services to patients in their homes and other eligible locations. The legislation will reimburse FQHCs and RHCs at a rate that is similar to payment for comparable telehealth services under the physician fee schedule (Medicare Part B). FQHCs and RHCs will not be paid the Medicare PPS rate for these services.

Currently, Medicare, unlike many Medicaid programs and commercial payers, still requires the video component for telehealth. Effective immediately, the Office for Civil Rights at the Department of Health and Human Services will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 State of Emergency. Providers who want to use audio or video communication technology to provide telehealth during the COVID-19 State of Emergency can use any non-public facing remote communication product that is available to communicate with patients. Examples of acceptable platforms (non-public facing) include Apple FaceTime, Google G Suite Hangouts Meet, and Skype for Business.

We would also like to remind you of the ability to bill for virtual communication services. Virtual communication services are a brief, non-face-to-face check-in with a patient via communication technology, to assess whether the patient's condition necessitates an office visit. The call must be initiated by the patient and to be billable, the call must be between the patient and a physician, nurse practitioner, physician assistant, certified nurse midwife, clinical psychologist, or clinical social worker. If the discussion is conducted by a nurse, health educator, or other clinical personnel, it is not billable as a virtual communication service. There is no video component required for virtual communication services. The check-in cannot relate to a visit with the patient during the previous seven days or result in a visit with the patient within the next 24 hours (or next available appointment). Read the FAQs from Medicare on the virtual communication services.

We continue to be here to support you. If you have any questions or concerns, please do not hesitate to reach out to any of us. 

Blog
The CARES Act and telehealth services for FQHCs

Read this if you are an employer that may have to close, or has closed, due to COVID-19.

Here is a brief recap of definitions and explanations of employee retention credits found in the CARES Act. If you have questions about your specific situation, please don’t hesitate to contact us. We’re here to help.

Eligible employer

The term ‘‘eligible employer’’ means any employer: 

(i) that was carrying on a trade or business during calendar year 2020, and 
(ii) with respect to any calendar quarter, for which...
a.     the operation of the trade or business is fully or partially suspended during the calendar quarter due to orders from an appropriate governmental authority limiting commerce, travel, or group meetings (for commercial, social, religious, or other purposes) due to the coronavirus disease 2019 (COVID–19), or 
b. such calendar quarter where there is a significant decline in gross receipts...
i. beginning with the first calendar quarter in 2020, for which gross receipts for the calendar quarter are less than 50 percent of gross receipts for the same calendar quarter in the prior year, and 
ii. ending with the calendar quarter for which gross receipts of such employer are greater than 80 percent of gross receipts for the same calendar quarter in the prior year.


For tax-exempt organizations described in section 501(c) of the Internal Revenue Code and exempt from tax under section 501(a) of such Code, clauses (i) and (ii)(a) shall apply to all operations of such organization.

Generally, all organizations treated as a single employer under the controlled group or affiliated service group rules will be treated as one employer for purposes of this section.

If an eligible employer participates in the Paycheck Protection Program, such an employer is not eligible for the employee retention credits.

Amount of credit

There shall be allowed, as a credit against applicable employment taxes for each calendar quarter, an amount equal to 50 percent of the qualified wages with respect to each employee of such employer for such calendar quarter.

The amount of qualified wages with respect to any employee which may be taken into account by the eligible employer for all calendar quarters shall not exceed $10,000 (i.e., the maximum credit is $5,000 per employee).

If the credit exceeds the applicable employment taxes on the wages paid for such calendar quarter, such excess shall be treated as an overpayment that shall be refunded.

Qualified wages

The term ‘‘qualified wages’’ means:

(i) in the case of an eligible employer for which the average number of full-time employees (as defined by the Affordable Care Act Employer Mandate Provisions) employed by such eligible employer during 2019 was greater than 100:
a. wages paid by such eligible employer with respect to which an employee is not providing services due to the suspension of the business or a drop in gross receipts circumstances, or 
(ii) in the case of an eligible employer for which the average number of full-time employees (as defined by the Affordable Care Act Employer Mandate Provisions) employed by such eligible employer during 2019 was not greater than 100:
a. all wages paid by an eligible employer when shut down and each quarter where there was a sharp decline in year-over-year receipts.


Wages do not include amounts paid under the expanded sick/family leave provisions of the FFCRA.

Qualified wages paid or incurred by an eligible employer with respect to an employee who is not providing services may not exceed the amount such employee would have been paid for working an equivalent duration during the 30 days immediately preceding leave.

The term ‘‘qualified wages’’ shall include so much of the eligible employer’s qualified health plan expenses as are properly allocable to such wages.


CARES Act: Payroll tax payment delay

An extension of time to remit payroll taxes for the period beginning March 27, 2020 and ending before January 1, 2021 over a two-year period is allowed, with half due by December 31, 2021, and the remainder due by December 31, 2022.

If an eligible employer participates in the payroll tax delay programs, such an employer is not eligible for the employee retention credits.
 

Blog
CARES Act―Employee retention credits for employers subject to closure due to COVID-19

CARES Act update:

As anticipated, the House of Representatives approved the CARES Act on March 27, 2020, and the President has signed the measure. The provisions highlighted in our prior summary remain intact in the final measure. 

So…how are the emergency relief funds in the legislation accessed by healthcare providers?

  • Public Health & Social Services Emergency Fund (PHSSEF): The guidance on how hospitals will access the $100 billion in PHSSEF funds to offset “COVID-19 related expenses and lost revenue” is expected to be released shortly. Keep an eye on this space for further updates as information becomes available.
  • Medicare Advanced Lump Sum or Periodic Interim Payments: Application is made through the Fiscal Intermediary (FI). It should be noted that healthcare organizations do not qualify if they are in bankruptcy, under active medical review or program integrity investigation, or have outstanding, delinquent Medicare overpayments.
  • SBA Paycheck Protection Program (PPP): This application process begins with your local lender. Do not hesitate—contact your lender immediately as it is anticipated that application volume will be tremendous. For more specifics on this program compiled by BerryDunn experts, visit our blog.

We will continue to provide updates as more information becomes available. In the meantime, please feel free to contact the hospital consulting team. Despite the current circumstances we remain available to support your needs. 


On March 25, 2020 the US Senate unanimously approved the $2 trillion Coronavirus Aid, Relief, and Economic Security (CARES) Act (The “Act”). The White House has signaled that it will sign the measure as approved by the Senate. 

Major provisions of the proposed legislation include:

  • $100 billion for hospital “COVID-19 related expenses and lost revenue”
  • $275 million for rural hospitals, telehealth, poison control centers, and HIV/AIDS programs
  • $250 million for hospital capacity expansion and response
  • $150 million for modifications of existing hospital, nursing home, and “domiciliary facilities” undertaken as part of COVID-19 response

The CARES Act also includes the following targeted relief and payment modifications under the Medicare and Medicaid programs:

  • The Medicare 2% sequester will be suspended from May 1, 2020 through December 31, 2020. 
  • “Through the duration of the COVID-19 emergency period”, the Act will increase by 20% hospital payments for the treatment of patients admitted with COVID-19. The add-on applies to hospitals paid through the Inpatient Prospective Payment System.
  • $4 billion in scheduled cuts to Medicaid Disproportionate Share Hospital payments will be further delayed from May 22, 2020 to November 30, 2020.
  • Certain hospitals, including those designated as rural or frontier, have the option to request up to a six month advanced lump sum or periodic interim payments from Medicare. The payments will:
    1. Be based upon net payments represented by unbilled discharges or unpaid bills,
    2. Equal up to 100% of prior period payments, 125% for Critical Access Hospitals
    3. In terms of paying down the “no interest loans”, hospitals will be given a four month grace period to begin making payments and at least 12 months to fully liquidate the obligation.

Non-financing provisions contained in the Act that will impact hospital operations include:

  • Providing acute care hospitals the option to transfer patients out of their facilities and into alternative care settings to "prioritize resources needed to treat COVID-19 cases." That flexibility will come through the waiver of the Inpatient Rehabilitation Facility (IRF) three-hour rule, which requires patients to need at least three hours of intensive rehabilitation at least five days per week to be admitted to an IRF.
  • Allowing Long-Term Care Hospitals (LTCH) to maintain their designation even if more than 50% of their cases are less intensive and would temporarily pause LTCH site-neutral payments.
  • Suspending scheduled Medicare payment cuts for durable medical equipment during the length of the COVID-19 emergency period, to help patients transition from hospital to home.
  • Disallow Medicare beneficiary cost-sharing payments for any COVID-19 vaccine.
  • Ensuring that uninsured individuals could receive free COVID-19 tests "and related service" through any state Medicaid program that elects to enroll them.

Other emergency-period provisions that directly affect other entities but have implications for hospitals:

  • Affording $150 billion to states, territories, and tribal governments to cover their costs for responding to the coronavirus public health emergency.
  • Physician assistants, nurse practitioners, and other professionals will be allowed to order home health services for Medicare beneficiaries, to increase "beneficiary access to care in the safety of their home."
  • Requiring HHS to clarify guidance encouraging the use of telecommunications systems, including remote patient monitoring, for home health services.
  • Allowing qualified providers to use telehealth technologies to fulfill the hospice face-to-face recertification requirement.
  • Eliminating the requirement that a nephrologist conduct some of the required periodic evaluations of a home-dialysis patient face-to-face.
  • Allowing federally qualified health centers and rural health clinics to serve as a distant site for telehealth consultations.
  • Eliminating the telehealth requirement that physicians or other professionals have treated a patient in the past three years.
  • Allowing high-deductible health plans with a health savings account (HSA) to cover telehealth services before a patient reaches the deductible.
  • Allowing patients to use HSA and flexible spending accounts to buy over-the-counter medical products without a prescription.

For more information
If you have questions or need more information about your specific situation, please contact the hospital consulting team. We’re here to help. 
 

Blog
CARES Act provides hospitals with emergency funding and policy wins

On March 27, 2020, President Trump signed into law the Coronavirus Aid, Relief and Economic Security (CARES) Act, which provides relief to taxpayers affected by the novel coronavirus and COVID-19. The CARES Act is the third round of federal government aid related to COVID-19. We have summarized the top provisions in the new legislation below, with more detailed alerts on individual provisions to follow. Click here for a link to the full text of the bill.

Compensation, benefits, and payroll relief
The law temporarily increases the amount of and expands eligibility for unemployment benefits, and it provides relief for workers who are self-employed. Additionally, several provisions assist certain employers who keep employees on payroll even though the employees are not able or needed to work. 

The cornerstone of the payroll protection aid is a streamlined application process for SBA loans that can be forgiven if an eligible employer maintains its workforce at certain levels. 

Additionally, certain employers affected by the pandemic who retain their employees will receive a credit against payroll taxes for 50% of eligible employee wages paid or incurred from March 13 to December 31, 2020. This employee retention credit would be provided for as much as $10,000 of qualifying wages, including health benefits. Eligible employers may defer remitting employer payroll tax payments that remain due for 2020 (after the credits are deducted), with half being due by December 31, 2021, and the balance due by December 31, 2022. 

Employers with fewer than 500 employees are also allowed to give terminated employees access to the mandated paid federal sick and child care leave benefits for which the employer is 100% reimbursed by the government through payroll tax credits, if the employer rehires the qualifying employees.

Any benefit that is driven off the definition of “employee” raises the issue of partner versus employee. The profits interest member that is receiving a W-2 may not be eligible for inclusion in the various benefit computations.

Eligible individuals can withdraw vested amounts up to $100,000 during 2020 without a 10% early distribution penalty, and income inclusion can be spread over three years. Repayment of distributions during the next three years will be treated as tax-free rollovers of the distribution. The bill also makes it easier to borrow money from 401(k) accounts, raising the limit to $100,000 from $50,000 for the first 180 days after enactment, and the payment dates for any loans due the rest of 2020 would be extended for a year.

Individuals do not have to take their 2020 required minimum distributions from their retirement funds. This avoids lost earnings power on the taxes due on distributions and maximizes the potential gain as the market recovers.

Two long-awaited provisions allow employers to assist employees with college loan debt through tax free payments up to $5,250 and restores over-the-counter medical supplies as permissible expenses that can be reimbursed through health care flexible spending accounts and health care savings accounts.

Deferral of net business losses for three years
Section 461(l) limits non-corporate taxpayers in their use of net business losses to offset other sources of income. As enacted in 2017, this limitation was effective for taxable years beginning after 2017 and before 2026, and applied after the basis, at-risk, and passive activity loss limitations. The amount of deductible net business losses is limited to $500,000 for married taxpayers filing a joint return and $250,000 for all other taxpayers. These amounts are indexed for inflation after 2018 (to $518,000 and $259,000, respectively, in 2020). Excess business losses are carried forward to the next succeeding taxable year and treated as a net operating loss in that year.

The CARES Act defers the effective date of Section 461(l) for three years, but also makes important technical corrections that will become effective when the limitation on excess business losses once again becomes applicable. Accordingly, net business losses from 2018, 2019, or 2020 may offset other sources of income, provided they are not otherwise limited by other provisions that remain in the Code. Beginning in 2021, the application of this limitation is clarified with respect to the treatment of wages and related deductions from employment, coordination with deductions under Section 172 (for net operating losses) or Section 199A (relating to qualified business income), and the treatment of business capital gains and losses.

Section 163(j) amended for taxable years beginning in 2019 and 2020
The CARES Act amends Section 163(j) solely for taxable years beginning in 2019 and 2020. With the exception of partnerships, and solely for taxable years beginning in 2019 and 2020, taxpayers may deduct business interest expense up to 50% of their adjusted taxable income (ATI), an increase from 30% of ATI under the TCJA, unless an election is made to use the lower limitation for any taxable year. Additionally, for any taxable year beginning in 2020, the taxpayer may elect to use its 2019 ATI for purposes of computing its 2020 Section 163(j) limitation. 

This will benefit taxpayers who may be facing reduced 2020 earnings as a result of the business implications of COVID-19. As such, taxpayers should be mindful of elections on their 2019 return that could impact their 2019 and 2020 business interest expense deduction. With respect to partnerships, the increased Section 163(j) limit from 30% to 50% of ATI only applies to taxable years beginning in 2020. However, in the case of any excess business interest expense allocated from a partnership for any taxable year beginning in 2019, 50% of such excess business interest expense is treated as not subject to the Section 163(j) limitation and is fully deductible by the partner in 2020. The remaining 50% of such excess business interest expense shall be subject to the limitations in the same manner as any other excess business interest expense so allocated. Each partner has the ability, under regulations to be prescribed by Treasury, to elect to have this special rule not applied. No rules are provided for application of this rule in the context of tiered partnership structures.

Net operating losses carryback allowed for taxable years beginning in 2018 and before 2021
The CARES Act provides for an elective five-year carryback of net operating losses (NOLs) generated in taxable years beginning after December 31, 2017, and before January 1, 2021. Taxpayers may elect to relinquish the entire five-year carryback period with respect to a particular year’s NOL, with the election being irrevocable once made. In addition, the 80% limitation on NOL deductions arising in taxable years beginning after December 31, 2017, has temporarily been pushed to taxable years beginning after December 31, 2020. 

Several ambiguities in the application of Section 172 arising as a result of drafting errors in the Tax Cuts and Jobs Act have also been corrected. As certain benefits (i.e., charitable contributions, Section 250 “GILTI” deductions, etc.) may be impacted by an adjustment to taxable income, and therefore reduce the effective value of any NOL deduction, taxpayers will have to determine whether to elect to forego the carryback. Moreover, the bill provides for two special rules for NOL carrybacks to years in which the taxpayer included income from its foreign subsidiaries under Section 965. Please consider the impact of this interaction with your international tax advisors. 

However, given the potential offset to income taxed under a 35% federal rate, and the uncertainty regarding the long-term impact of the COVID-19 crisis on future earnings, it seems likely that most companies will take advantage of the revisions. This is a technical point, but while the highest average federal rate was 35% before 2018, the highest marginal tax rate was 38.333% for taxable amounts between $15 million and $18.33 million. This was put in place as part of our progressive tax system to eliminate earlier benefits of the 34% tax rate. Companies may wish to revisit their tax accounting methodologies to defer income and accelerate deductions in order to maximize their current year losses to increase their NOL carrybacks to earlier years.

Alternative minimum tax credit refunds
The CARES Act allows the refundable alternative minimum tax credit to be completely refunded for taxable years beginning after December 31, 2018, or by election, taxable years beginning after December 31, 2017. Under the Tax Cuts and Jobs Act, the credit was refundable over a series of years with the remainder recoverable in 2021.

Technical correction to qualified improvement property
The CARES Act contains a technical correction to a drafting error in the Tax Cuts and Jobs Act that required qualified improvement property (QIP) to be depreciated over 39 years, rendering such property ineligible for bonus depreciation. With the technical correction applying retroactively to 2018, QIP is now 15-year property and eligible for 100% bonus depreciation. This will provide immediate current cash flow benefits and relief to taxpayers, especially those in the retail, restaurant, and hospitality industries. Taxpayers that placed QIP into service in 2019 can claim 100% bonus depreciation prospectively on their 2019 return and should consider whether they can file Form 4464 to quickly recover overpayments of 2019 estimated taxes. Taxpayers that placed QIP in service in 2018 and that filed their 2018 federal income tax return treating the assets as bonus-ineligible 39-year property should consider amending that return to treat such assets as bonus-eligible. For C corporations, in particular, claiming the bonus depreciation on an amended return can potentially generate NOLs that can be carried back five years under the new NOL provisions of the CARES Act to taxable years before 2018 when the tax rates were 35%, even though the carryback losses were generated in years when the tax rate was 21%. With the taxable income limit under Section 172(a) being removed, an NOL can fully offset income to generate the maximum cash refund for taxpayers that need immediate cash. Alternatively, in lieu of amending the 2018 return, taxpayers may file an automatic Form 3115, Application for Change in Accounting Method, with the 2019 return to take advantage of the new favorable treatment and claim the missed depreciation as a favorable Section 481(a) adjustment.

Effects of the CARES Act at the state and local levels
As with the Tax Cuts and Jobs Act, the tax implications of the CARES Act at the state level first depends on whether a state is a “rolling” Internal Revenue Code (IRC) conformity state or follows “fixed-date” conformity. For example, with respect to the modifications to Section 163(j), rolling states will automatically conform, unless they specifically decouple (but separate state ATI calculations will still be necessary). However, fixed-date conformity states will have to update their conformity dates to conform to the Section 163(j) modifications. 

A number of states have already updated during their current legislative sessions (e.g., Idaho, Indiana, Maine, Virginia, and West Virginia). Nonetheless, even if a state has updated, the effective date of the update may not apply to changes to the IRC enacted after January 1, 2020 (e.g., Arizona). 

A number of other states have either expressly decoupled from Section 163(j) or conform to an earlier version and will not follow the CARES Act changes (e.g., California, Connecticut, Georgia, Missouri, South Carolina, Tennessee (starting in 2020), Wisconsin). Similar considerations will apply to the NOL modifications for states that adopted the 80% limitation, and most states do not allow carrybacks. Likewise, in fixed-dated conformity states that do not update, the Section 461(l) limitation will still apply resulting in a separate state NOL for those states. 

These conformity questions add another layer of complexity to applying the tax provisions of the CARES Act at the state level. Further, once the COVID-19 crisis is past, rolling IRC conformity states must be monitored, as these states could decouple from these CARES Act provisions for purposes of state revenue.

2020 recovery refund checks for individuals
The CARES Act provides eligible individuals with a refund check equal to $1,200 ($2,400 for joint filers) plus $500 per qualifying child. The refund begins to phase out if the individual’s adjusted gross income (AGI) exceeds $75,000 ($150,000 for joint filers and $112,500 for head of household filers). The credit is completely phased out for individuals with no qualifying children if their AGI exceeds $99,000 ($198,000 for joint filers and $136,500 for head of household filers).

Eligible individuals do not include nonresident aliens, individuals who may be claimed as a dependent on another person’s return, estates, or trusts. Eligible individuals and qualifying children must all have a valid social security number. For married taxpayers who filed jointly with their most recent tax filings (2018 or 2019) but will file separately in 2020, each spouse will be deemed to have received one half of the credit.

A qualifying child (i) is a child, stepchild, eligible foster child, brother, sister, stepbrother, or stepsister, or a descendent of any of them, (ii) under age 17, (iii) who has not provided more than half of their own support, (iv) who has lived with the taxpayer for more than half of the year, and (v) who has not filed a joint return (other than only for a claim for refund) with the individual’s spouse for the taxable year beginning in the calendar year in which the taxable year of the taxpayer begins.

The refund is determined based on the taxpayer’s 2020 income tax return but is advanced to taxpayers based on their 2018 or 2019 tax return, as appropriate. If an eligible individual’s 2020 income is higher than the 2018 or 2019 income used to determine the rebate payment, the eligible individual will not be required to pay back any excess rebate. However, if the eligible individual’s 2020 income is lower than the 2018 or 2019 income used to determine the rebate payment such that the individual should have received a larger rebate, the eligible individual will be able to claim an additional credit generally equal to the difference of what was refunded and any additional eligible amount when they file their 2020 income tax return.

Individuals who have not filed a tax return in 2018 or 2019 may still receive an automatic advance based on their social security benefit statements (Form SSA-1099) or social security equivalent benefit statement (Form RRB-1099). Other individuals may be required to file a return to receive any benefits.

The CARES Act provides that the IRS will make automatic payments to individuals who have previously filed their income tax returns electronically, using direct deposit banking information provided on a return any time after January 1, 2018.

Charitable contributions

  • Above-the-line deductions: Under the CARES Act, an eligible individual may take a qualified charitable contribution deduction of up to $300 against their AGI in 2020. An eligible individual is any individual taxpayer who does not elect to itemize his or her deductions. A qualified charitable contribution is a charitable contribution (i) made in cash, (ii) for which a charitable contribution deduction is otherwise allowed, and (iii) that is made to certain publicly supported charities.

    This above-the-line charitable deduction may not be used to make contributions to a non-operating private foundation or to a donor advised fund.
  • Modification of limitations on cash contributions: Currently, individuals who make cash contributions to publicly supported charities are permitted a charitable contribution deduction of up to 60% of their AGI. Any such contributions in excess of the 60% AGI limitation may be carried forward as a charitable contribution in each of the five succeeding years.

    The CARES Act temporarily suspends the AGI limitation for qualifying cash contributions, instead permitting individual taxpayers to take a charitable contribution deduction for qualifying cash contributions made in 2020 to the extent such contributions do not exceed the excess of the individual’s contribution base over the amount of all other charitable contributions allowed as a deduction for the contribution year. Any excess is carried forward as a charitable contribution in each of the succeeding five years. Taxpayers wishing to take advantage of this provision must make an affirmative election on their 2020 income tax return.

    This provision is useful to taxpayers who elect to itemize their deductions in 2020 and make cash contributions to certain public charities. As with the aforementioned above-the-line deduction, contributions to non-operating private foundations or donor advised funds are not eligible.

    For corporations, the CARES Act temporarily increases the limitation on the deductibility of cash charitable contributions during 2020 from 10% to 25% of the taxpayer’s taxable income. The CARES Act also increases the limitation on deductions for contributions of food inventory from 15% to 25%.

We are here to help
Please contact a BerryDunn professional if you have any questions, or would like to discuss your specific situation.

Blog
The CARES Act: Implications for businesses

Read this if you are a business owner, in management, or in HR at a company with less than 500 employees.

We have received many questions regarding the FFCRA and its provisions and how it affects different employers and their employees. Here are some of the questions our clients have asked the most. Please contact us if you have questions regarding your specific situation. We’re here to help.  

Besides compensation, what other costs paid by an employer are eligible for the credit (i.e., employer paid health insurance, employer payroll taxes)?
Employers can deduct the cost of providing continuing health care coverage, and the employer’s share of Medicare taxes related to the leave wages. Any compensation paid under the FFCRA is not subject to the employer’s portion of the Social Security tax.

How do you determine the total number of employees? 
In calculating the total number of employees, all full-time or part-time employees working within the US, including all US territories or possessions, are counted, including all employees on leave and temp employees who are jointly employed with another company as determined under the Fair Labor Standards Act (FLSA). 

How does a business know if it employs less than 500 employees and is subject to the FFCRA?
Generally, a private sector employer is subject to the Family and Medical Leave Act of 1993 (FMLA) if it employs 50 or more employees for each working day during each of 20 or more calendar workweeks in the current or preceding calendar year. The FAQs issued by the Department of Labor (DOL) indicate an employer has fewer than 500 employees if, at the time an employee’s leave is to be taken, there are fewer than 500 full-time and part-time employees within the United States, which includes any state of the United States, the District of Columbia, or any territory or possession of the United States. 

In making this determination, an employer should include employees on leave; temporary employees who are jointly employed by you and another employer (regardless of whether the jointly-employed employees are maintained on only your or another employer’s payroll); and day laborers supplied by a temporary agency (regardless of whether you are the temporary agency or the client firm if there is a continuing employment relationship). Workers who are independent contractors under the FLSA, rather than employees, are not considered employees for purposes of the 500-employee threshold.

Where a corporation has an ownership interest in another corporation, the two corporations are separate employers unless they are joint employers under the FLSA with respect to certain employees. In general, two or more entities are separate employers unless they meet the integrated employer test under the FMLA.

Please check with your advisors if you believe the integrated employer test may apply to your businesses.

Which employees are entitled to the $511 payment under sick leave?
For an employee who is unable to work because of the coronavirus quarantine or self-quarantine or has COVID-19 symptoms and is seeking a medical diagnosis, the employee may receive sick leave wages equal to the employee’s regular rate of pay, up to $511 per day and $5,111 in the aggregate, for a total of 10 days. Note that only employers who employ less than 500 employer are required to provide sick leave payments. Such employees may also receive a refundable tax credit for sick leave paid to employees.

Which employees are entitled to the $200 payment under sick leave?
For an employee who is caring for someone with COVID-19, or is caring for a child because the child’s school or child care facility is closed, or the child care provider is unavailable due to the coronavirus, the employee may receive sick leave wages equal to two-thirds of the employee’s regular rate of pay, up to $200 per day and $2,000 in the aggregate, for up to 10 days. Note that only employers who employ less than 500 employer are required to provide sick leave payments. Such employees may also receive a refundable tax credit for sick leave paid to employees.

Which employees are entitled to the $200 payment under the family leave portion of FFCRA?
For an employee who is unable to work because of a need to care for a child whose school or child care facility is closed or whose child care provider is unavailable due to the coronavirus, the employee may receive family leave wages equal to two-thirds of the employee’s regular rate of pay, capped at $200 per day or $10,000 in the aggregate. Up to 10 weeks of qualifying leave can be counted towards the child care leave credit. Note that only employers who employ less than 500 employer are required to provide sick leave payments. Such employees may also receive a refundable tax credit for sick leave paid to employees.

What is “regular rate of pay” for purposes of the FFCRA?
For purposes of the FFCRA, the regular rate of pay used to calculate paid leave is the average of the employee’s regular rate over a period of up to six months prior to the date on which leave is taken. If an employee has not worked for the current employer for six months, the regular rate used to calculate paid leave is the average regular rate of pay for each week the employee has worked for the current employer.

If an employee is paid with commissions, tips, or piece rates, these amounts will be incorporated into the above calculation to the same extent they are included in the calculation of the regular rate under the FLSA.

You can also compute this amount for each employee by adding all compensation that is part of the regular rate over the above period and divide that sum by all hours actually worked in the same period.

What is the effective date of the sick leave/family leave provisions?
Employers must comply with the FFCRA from April 1, 2020, until it expires on December 31, 2020. Paid leave prior to April1, 2020 will not count. The IRS recently issued guidance indicating the tax credits for qualified sick leave wages and qualified family leave wages required to be paid by the FFRCA will apply to wages paid for the period beginning on April 1, 2020, and ending on December 31, 2020.

Who is considered a “health care provider”?
For the purposes of employees who may be exempted from paid sick leave or expanded family and medical leave by their employer under the FFCRA, a health care provider is anyone employed at any doctor’s office, hospital, health care center, clinic, post-secondary educational institution offering health care instruction, medical school, local health department or agency, nursing facility, retirement facility, nursing home, home health care provider, any facility that performs laboratory or medical testing, pharmacy, or any similar institution, employer, or entity. This includes any permanent or temporary institution, facility, location, or site where medical services are provided that are similar to such institutions. 

This definition includes any individual employed by an entity that contracts with any of the above institutions, employers, or entities institutions to provide services or to maintain the operation of the facility. This also includes anyone employed by any entity that provides medical services, produces medical products, or is otherwise involved in the making of COVID-19 related medical equipment, tests, drugs, vaccines, diagnostic vehicles, or treatments. This also includes any individual that the highest official of a state or territory, including the District of Columbia, determines is a health care provider necessary for that state’s or territory’s or the District of Columbia’s response to COVID-19.

To minimize the spread of the virus associated with COVID-19, the DOL encourages employers to be judicious when using this definition to exempt health care providers from the provisions of the FFCRA.

For more information
If you have more questions, or have a specific question about your particular situation, please call us. We’re here to help. 

Blog
Families First Coronavirus Response Act (FFCRA): FAQs for businesses

On March 18, 2020, the SBA issued relaxed criteria for Economic Injury Disaster Loans (EIDLs).

The two immediate impacts:

  • States are now only required to certify that a minimum of five small businesses within the state/territory have suffered significant economic injury, as opposed to proof of five small businesses within each reporting county/parish.
  • Prior regulation only made disaster assistance loans available to small businesses within counties declared disaster areas by a governor. Relaxed standards state the EIDLs will be available statewide following an economic injury declaration. This applies to current and future disaster declarations related to COVID-19.

Some SBA loan specifics:

  • EIDL amounts range from $25,000 to $2,000,000, at interest rates of 3.75% for small businesses and 2.75% for not-for-profits.
  • Companies can use the loans to pay bills that can’t be paid due to the disaster’s impact, including but not limited to fixed debts, payroll, and accounts payable.
  • Loan terms are determined on a case-by-case basis, based on the borrower’s ability to repay. SBA is offering repayment terms up to a maximum of 30 years.
  • EIDLs are one facet of an expanded and coordinated federal government response.

Small businesses in need of economic assistance may apply for an EIDL here. We will update as more information becomes available.

If you have questions about SBA loans, please contact your BerryDunn tax consultant
 

Blog
Small Business Administration (SBA) eases criteria for disaster loans

Over the last few weeks, CMS and the President have enacted legislation and released guidance to assist the senior living industry in coping with the impact of COVID-19. We recognize the elderly residents of our country are the most vulnerable population and your days are filled caring for your population’s needs and health. Our senior living professionals have written this article to highlight new regulations impacting the industry and offer practical tips for guarding your facility's financial health through the COVID-19 outbreak.

Amidst rapid hourly changes in contending with the coronavirus and its far-reaching impacts, the way you run your facility has changed. Along with this change comes an increase in expenditures. To ensure that your facility is getting much needed financial relief and being properly reimbursed for the full impact of COVID-19, we recommend tracking your expenditures related to the coronavirus. Expenditures related to COVID-19 go beyond the cost of additional Personal Protective Equipment (PPE), they will likely include additional direct care staffing, along with housekeeping, dietary and laundry staffing, and supplies needed to maintain the heightened level of hygiene required to combat the spread of COVID-19 in your facility.

CMS issues waiver of 3-Day Stay and Spell of Illness
On March 14, Centers for Medicare and Medicaid Services (CMS) issued two waivers to aid skilled nursing facilities in addressing the national COVID-19 outbreak. CMS is waiving both the 3-Day Stay and Spell of Illness requirements. Read the COVID-19 Emergency Declaration.

Key provisions to consider with regard to 3-midnight qualifying stay requirement:

  • The exception applies to traditional Medicare coverage only (Medicare Advantage plans may or may not follow this exception);
  • It is in effect as of March 1, 2020, and will only be in effect while public health emergency is declared;
  • Applies only to beneficiaries affected by the emergency or who experience dislocations;
  • Providers have to document medical necessity and clinical reasons for not meeting 3-midnight requirement, understanding that the intent of this provision is to free up hospital beds and reduce potential risk of exposure to the patient;
  • Providers are to use condition code “DR” on the claims. 

Read additional AHCA clarifications and guidance regarding the waivers of 3-Day Stay and Spell of Illness requirements.

MDS completion and submission waivers
CMS is waiving 42 CFR 483.20 to provide relief to SNFs on the timeframe requirements for Minimum Data Set (MDS) assessments and transmissions. CMS has yet to issue technical guidance on how to implement.

On March 22, 2020, CMS announced temporary administrative burden relief related to Quality Reporting which includes certain SNF-specific changes:

  • Quality Reporting Program (QRP) April/May deadline for 10/1/19 - 12/31/19 data submission is optional for those facilities that have not yet submitted data;
  • Facilities do not need to submit 1/1/20 - 6/30/20 data for purposes of compliance with QRP;
  • CMS will not use any data for the first 2 quarters of 2020, 1/1/20 - 6/30/20, in its calculations;
  • Claims for 1/1/20 - 6/30/20 will be excluded from calculation of all-cause readmission measures that result in value-based purchasing adjustments.

Read the full CMS press release.

Families First Coronavirus Response Act (FFCRA)
On March 18, 2020, the President signed into law, H.R. 6201, the Families First Coronavirus Response Act. The legislation eliminates patient cost-sharing for COVID-19 testing and related services, establishes an emergency paid leave program, and expands unemployment and nutrition assistance. Moreover, the bill provides a temporary 6.2% increase in Federal Medical Assistance Percentages (FMAP) for each calendar quarter occurring during an emergency period.

FMAP is the federal portion of funds for state Medicaid programs. With this temporary increase states can use the increased federal funds for any portion of the state Medicaid program. Due to significant increases in unemployment from business closures, the increase may be used to provide Medicaid coverage for the newly unemployed and uninsured. This would result in less funding for provider rate increases to cover COVID-19 related costs. However, on March 21, 2020, the federal government also announced that it is considering a special enrollment period for Affordable Care Act Health Insurance Exchange coverage. A special enrollment period would offer lower cost coverage to individuals with reduced incomes and could influence how the FMAP increase will be used, possibly resulting in more being allocated to covering provider rates. As of today, it is still unclear how states will use the increased funds.

A table released by AHCA on March 14, 2020, provides estimates of the increase in Federal Medicaid funding from FMAP assuming the increase is in effect January through December 2020. 

There are two provisions of the FFCRA that deal with paid leave provisions for employees. BerryDunn's employee benefits consultants provide insight and clarity on the paid leave provisions for employees.

Prioritization of survey activities
CMS released guidance prioritizing and suspending most federal and state survey agency (SSA) surveys, and delaying revisit surveys, for the next three weeks beginning on March 20, 2020, for all nursing homes. Standard surveys and non-Immediate Jeopardy (IJ) related onsite surveys will be suspended for three weeks. Complaints and facility-reported incidents that are considered at the IJ level will be conducted during this time. Facilities are encouraged to use the CDC developed COVID-19 Focused Survey for Nursing Homes. Get additional CMS guidance

Coronavirus Aid, Relief, and Economic Security (CARES) Act
On March 25, 2020, the US Senate unanimously approved the $2 trillion CARES Act (The “Act”). It is anticipated that the House of Representatives will vote on the Act today, March 27, 2020. The White House has signaled that it will sign the measure as approved by the Senate. 

Major provisions of the proposed legislation include:

  • The Medicare 2% sequester will be temporarily suspended starting in late May 2020. 
  • $150 million for modifications of existing hospital, nursing home, and “domiciliary facilities” undertaken as part of COVID-19 response.
  • $65 million for housing for the elderly and people with disabilities for rental assistance, service coordinators and support services for the more than 114,000 affordable households for the elderly, and more than 30,000 affordable households for low-income people with disabilities.
  • $2.8 million to provide staff treating veterans living at Armed Forces Retirement Homes with the personal protective equipment they need. The funding provides this and other necessary equipment and staffing support to help minimize the spread of the coronavirus among residents.
  • $955 million for the Administration for Community Living to support nutrition programs, home- and community-based services, support for family caregivers, and expand oversight and protections for seniors and individuals with disabilities.
  • $200 million for the Centers for Medicare & Medicaid Services to assist nursing homes with infection control and support states’ efforts to prevent the spread of the coronavirus in nursing homes.

Practical tips for monitoring and maintaining your organization’s financial health 
As we navigate these next few months, facilities will face challenges to maintain the health and safety of their residents and staff as well as the financial health of the organization. Some things you should be doing now:

  • Calculate your working capital and cash position weekly or bi-weekly.
  • Perform cash flow projections for the next few months. Be sure the timing of your cash receipts will cover payroll and supplies expenditures each week. 
  • Contact your lenders to obtain or increase available working capital lines of credit.
  • Ascertain if you can release any investment balances if needed.


We are here to help
Please contact the BerryDunn senior living team if you have any questions, or would like to discuss your specific situation.

Blog
Senior living organizations and COVID-19

Per CMS, all state Medicaid agencies, including territories, are eligible for the increased Federal Medical Assistance Percentage (FMAP), provided they adhere to the conditions outlined in the Families First Coronavirus Response Act (FFCRA). 

Key takeaways:

  • The increase in FMAP will be retroactive to January 1, 2020 and will be available to state Medicaid agencies through the end of the quarter in which the public health emergency for COVID-19 ends.
  • This guidance answers some of the following questions for states, including:
    • How long the funding will be available and when it begins
    • What costs are matchable under the enhanced funding 
    • The specific conditions under which states are eligible to claim the funds 
    • What documentation and processes will be needed in order to gain full access to funding

Trump administration releases COVID-19 checklists and tools to accelerate relief for state Medicaid & CHIP programs

In order to assist states as part of the COVID-19 outbreak, the Trump administration has released a number of tools and checklists that constitute a federal authority toolkit to support states in applying for and receiving federal waivers and other key flexibilities for their program. 

Key takeaways:
The tools released today include:

CMS issues FAQs on catastrophic health coverage and the coronavirus

A catastrophic health plan may not provide coverage of an essential health benefit prior to an enrollee meeting the deductible for that plan. In order to clarify treatment and coverage of COVID-19 for catastrophic health plans CMS has issued Frequently Asked Questions (FAQs).

Key takeaways:

  • Catastrophic plans currently include coverage for the diagnosis and treatment of COVID-19 as they must cover the essential health benefits (EHB) as required by the Patient Protection and Affordable Care Act (PPACA).
  • Issuers of catastrophic plans will be able to provide coverage for the diagnosis and treatment of COVID-19 for enrollees who have not yet met their deductible without CMS taking enforcing action.
  • The FAQ document encourages states to take an enforcement approach and CMS does not “consider a state to have failed to substantially enforce section 1302(e) of the PPACA if it takes such an approach.”

Relief for clinicians, providers, hospitals, and facilities participating in quality reporting programs in response to COVID-19

CMS is granting exceptions from reporting requirements and extensions for clinicians and providers participating in Medicare quality reporting programs.  

Key takeaways:

  • The exceptions include pending dates for measure reporting and data submission for related programs. 
  • For data submission deadlines in April and May of 2020, submission of those data will be optional, based on the facility’s choice to report.
  • 2019 data submission
    • Deadline extended from March 31, 2020 to April 30, 2020.
    • Deadlines for October 1, 2019 - December 31, 2019 (Q4) 
    • Data submission is optional for inpatient rehabilitation and hospital-acquired conditions.

CMS releases telehealth toolkits for general practitioners and End-Stage Renal Disease (ESRD) providers

CMS has released two toolkits on telehealth which follow the broadened access to Medicare telehealth services under the 1135 waiver authority and Coronavirus Preparedness and Response Supplemental Appropriations Act.

Key takeaways:

  • The toolkit consists of electronic links to sources of information pursuant to telehealth and telemedicine. 
  • Generally directed towards providers, particularly ones who may be considering a permanent telemedicine program.
  • CMS notes that most of the resources were established prior to the current COVID-19 crisis. As a result, there are likely references to rules and regulations whose requirements may have been waived for the duration of the outbreak.

Toolkits:

For more information

We’re here to help. If you have more questions or want to have an in-depth conversation about your specific situation, please contact the team

Blog
New guidance regarding enhanced Medicaid funding for states

Read this if you are a solar investor, developer, or installer.

The Investment Tax Credit and Residential Energy Credit were originally established to promote investment in renewable energies. These credits are available to taxpayers who install solar equipment to generate electricity for either a commercial or residential property. The credits have different origins within the Internal Revenue Code but are very similar with respect to how they are calculated. 

The starting point is to determine what property is eligible, typically by reviewing the equipment, materials, and labor costs. Qualified property is defined within the Code and while there are several years of judicial history further clarifying what is eligible, there is one unsettled question routinely asked: Can we include the entire cost of a roof replacement?

To answer that question, we look to each of the separate Code sections establishing the credits, Section 48–Commercial Energy Credit and Section 25D–Residential Energy Credit. The credits afforded by these sections are available for a variety of renewable energy properties, but for this discussion we will focus specifically on the solar property provisions.

Solar property provisions

The Section 48 definition of qualified property includes “equipment which uses solar energy to generate electricity, to heat or cool (or provide hot water for use in) a structure, or to provide solar process heat….” The regulations further define solar energy property as “equipment that uses solar energy to generate electricity, and includes storage devices, power conditioning equipment, transfer equipment, and parts relating to the functioning of those items.” 

Essentially, all costs to acquire and install the equipment used to generate electricity to the point of either transmitting it or consuming it would be eligible for the credit.

Section 48 Regulations state that building and structural components generally are not qualified property for the credit. An exception was provided by Revenue Ruling 79-183, allowing structural components to the extent that they are specifically engineered to be part of the machinery and equipment. Two significant private letter rulings have also been issued to address whether a roof would be treated as qualified solar property based on these limitations, and to what extent.

In PLR 201121005, issued in May 2011, the IRS ruled that the roof was qualified property but the qualified cost did not include the portion that performs the normal functions of a roof. This follows Regulation Section 1.48-9(k) that only permits the “incremental cost” over what would have been spent if the roof were replaced with no qualified property. The facts in this ruling did not include the type of solar power system and how it was integrated with the roof which left many questions unanswered until PLR 201523014 was issued in June 2015.

The 2015 ruling addressed solar property that included a reflective roof membrane to generate electricity from the underside of the roof mounted solar panels. The reflective roof was clearly integrated to the solar power system and the process of generating electricity. The IRS again ruled that qualified property included only the portion of the reflective roof that exceeded the cost of reroofing the building with a non-reflective roof.

The IRS has consistently held that only the “incremental cost” of the roof installation may qualify as solar energy property if it is integrated with the machinery and equipment. 

The Section 25D definition of qualified expenses includes “property which uses solar energy to generate electricity for use in a dwelling unit located in the United States and used as a residence by the taxpayer.” The Section identifies qualified costs for labor and solar panels and specifically states, “no expenditure relating to a solar panel or other property installed as a roof (or portion thereof) shall fail to be treated as qualified property solely because it constitutes a structural component…”

Unlike the Section 48 Commercial Energy Credit, the Section 25D Residential Energy Credit has little guidance on whether the entire cost of a roof would be allowed as qualified solar property. If the IRS were consistent in application, they would follow the “incremental cost” regulations that apply to non-residential projects.

Determining qualifying machinery and equipment costs is critical to maximizing the commercial or residential energy credit. 

BerryDunn has the expertise to review the project costs and provide a cost certification for what qualifies. We can identify any portion of the roof that may be eligible. If you have questions or would like to discuss whether there may be an opportunity for your project, please don’t hesitate to call us.
 

Blog
The Investment Tax Credit and roof replacement

The Coronavirus Preparedness and Response Supplemental Appropriations Act, 2020, which provides $8.3 billion in emergency funding for federal agencies to respond to the COVID-19 outbreak, has earmarked $100 million for FQHCs to prevent, prepare for, and respond to the COVID-19 national emergency. Pre-award costs will be supported by this funding and may date back to January 20, 2020. We recommend tracking your expenditures related to the coronavirus to the best of your ability. This may be helpful or necessary in providing your organization much needed financial relief.  

As a reminder, FQHCs cannot bill Medicare for telehealth services under the PPS rate. Telehealth can be billed to Medicare under Part B with the FQHC as an originating site and reimbursement is approximately $26. If you do not have home visits on Form 5, be sure to add home visits to 5C as soon as possible.

Amidst rapid hourly changes in contending with the coronavirus and its far-reaching impacts, we are sharing some HRSA and CMS guidance that may be helpful to you: 

Here is a link to HRSA FAQs related to COVID-19

Although we are working remotely, we are available to support you. If you have any questions or concerns, please do not hesitate to reach out to any of us.

Blog
COVID-19 emergency funding for FQHCs: What you need to know

Here is a summary of information we have gleaned from recent CMS updates and guidance. 

COVID-19 stakeholder call - March 16 

CMS held a National Stakeholder Call on March 16, 2020 to update the healthcare community on the rapidly evolving COVID-19 situation, which was declared a national emergency by President Trump on March 13, 2020.

Key takeaways:

  • Administrator Verma reaffirmed the goal of reducing administrative barriers in the way of healthcare workers and agencies and to support them as best CMS is able.
  • Acknowledging that there were questions on testing, Administrator Verma outlined that there will be a ramp-up in testing in conjunction with state and local governments. 
  • CMS is relaxing clinician enrollment requirements for Medicare and making the same option available to states in their Medicaid programs.
  • The administration has been clear that it wants agencies to focus on infection control efforts. CMS is designing a streamlined template to evaluate infection control.
  • CMS sends guidance to Programs of All-Inclusive Care for the Elderly (PACE) Organizations.

On March 17, 2020, CMS issued guidance to all Programs of All-Inclusive Care for the Elderly (PACE) Organizations (POs) on accepted policies and standard procedures with respect to infection control.

Key takeaways:

  • POs will need to create, apply, and sustain a documented infection control plan that involves procedures to recognize, examine, regulate, and avert infections in PACE centers
  • POs will need to work to prevent infections within each participant’s place of residence, as well as implement procedures to record and develop corrective actions related to incidents of infection.
  • CMS provides guidance that recognizes POs may need to undertake strategies that do not traditionally comply with CMS PACE program requirements in order to provide benefits while guarding from COVID-19. Some examples of this may include telehealth services.
  • President Trump expands telehealth benefits for Medicare beneficiaries during COVID-19 outbreak.

CMS is expanding Medicare’s telehealth benefits under the 1135 waiver authority and the Coronavirus Preparedness and Response Supplemental Appropriations Act.

Key takeaways:

  • Under the new 1135 waiver, Medicare can pay for office, hospital, and other visits provided via telehealth across the country and including in patient’s place of residence starting March 6, 2020. 
  • Medicare telehealth visits: These visits are considered the same as in-person visits and are paid at the same rate as regular, in-person visits.
  • Virtual check-ins: Virtual check-in services can only be reported when the billing practice has an established relationship with the member.  
  • E-visits: Such services can only be reported when the billing practice has an established relationship with the patient.  

CMS coronavirus partner virtual toolkit

CMS has released a virtual toolkit to help stakeholders stay up-to-date on CMS materials available on COVID-19. Here is specific guidance from the toolkit designed for states and health plans:

CMS approves first state request for 1135 Medicaid waiver in Florida and Washington

The 1135 waiver allows Florida and Washington to modify certain Medicaid program requirements, policies, operational procedures, and deadlines applicable to each state’s administration of its Medicaid program during the period of the national state of emergency to prevent further transmission of COVID-19. 

Key takeaways from Florida’s waiver

  • Provider participation flexibilities for Medicaid and CHIP Waiver of Service Prior Authorization (PA) Requirements for fee-for-service delivery systems
  • Waiver for Pre-Admission Screening and Annual Resident Review (PASRR) Level II Level II Assessments for 30 Days
  • Waiver to allow evacuating facilities to provide services in alternative settings, such as a temporary shelter when a provider’s facility is inaccessible
  • Waiver to temporarily delay scheduling for state fair hearing requests and appeal deadlines (NOTE: CMS was unable to waive all of Florida’s requested authorities in this area)

If you have questions or would like more information, we are here to help. Please contact us

Blog
CMS update for the healthcare community: Our takeaways

In early March 2020, the US Department of Education (ED) issued a Dear Colleague Letter, “Guidance for interruptions of study related to Coronavirus (COVID-19),” posting a subsequent update March 20 to include the document “Frequently Asked Questions Related to COVID-19.” The information below has been excerpted directly from the letter and compiled with the needs of our higher education clients in mind.

This electronic announcement addresses concerns regarding how higher education leaders should comply with Title IV, Higher Education Act (HEA) policies for students whose activities are impacted by the coronavirus and COVID-19:

  • Either directly because the student is ill or quarantined, or 
  • Indirectly because the student was recalled from travel-abroad experiences, can no longer participate in internships or clinical rotations, or attends a campus that has temporarily suspended operations.

This information provides some flexibility for schools working to help students complete the term in which they are currently enrolled. Some of the most important changes to note:

  • Federal Work Study (FWS)
    For students enrolled and performing FWS at a campus that must close due to COVID-19, or for a FWS student who works for an employer that closes as a result of COVID-19, the institution may continue paying the student federal work-study wages during that closure if it occurred after the beginning of the term, the institution is continuing to pay its other employees (including faculty and staff), and the institution continues to meet its institutional wage share requirement.
  • Length of academic year
    If at any point an institution determines it will close as the result of a campus health emergency, it may contact the school participation team to request a temporary reduction in the length of its academic year.
  • Professional judgement
    Financial aid administrators (FAA) have statutory authority to use professional judgement to make adjustments on a case-by-case basis to the cost of attendance or to the data elements used in calculating the EFC to reflect a student’s special circumstances. The use of professional judgement where students and/or their families have been affected by COVID-19 is permitted, such as in the case where an employer closes for a period of time as a result of COVID-19. 
  • Reentering the same payment period
    If an institution that has closed subsequently re-opens during the same payment period or period of enrollment, and permits students to continue coursework that they were taking at the time of the closure, students that return to class at that time are considered to have reentered the same period and retain eligibility for Title IV aid that they were otherwise eligible to receive before the closure.

We highly recommend you read the full letter, as it outlines additional important details and includes recently added FAQ documents.

Questions? Please contact Renee Bishop, Sarah Belliveau, or Mark LaPrade. We’re here to help.

For further reading
Guidance for interruptions of study related to Coronavirus (COVID-19) 
FAQs
COVID-19 ("Coronavirus") Information and Resources for Schools and School Personnel
 

Blog
Guidance from the US Department of Education Dear Colleague Letter

The President signed The Families First Coronavirus Response Act (hereinafter the “Act”) into law on March 18th and the provisions are effective April 2nd. You can read the congressional summary here. There are two provisions of the Act that deal with paid leave provisions for employees. Here are some highlights for employers.

The provisions of the Act are only required for employers with fewer than 500 employees. Employers with over 499 employees are not required to provide the sick/family leave contained in the Act, but could voluntarily elect to follow the new rules. The expectation is that employers with over 499 employees are providing some level of sick/family leave benefits already. In any case, employers with over 499 employees are not eligible for the tax credits. 

Employers with fewer than 500 employees are required to provide employees with up to 80 hours of paid sick leave over a two-week period if the employee:

  • Self-isolates because of a diagnosis with COVID-19, or to comply with a recommendation or order to quarantine;
  • Obtains a medical diagnosis or care if the employee is experiencing COVID-19 symptoms;
  • Needs to care for a family member who is self-isolating due to a COVID-19 diagnosis or quarantining due to COVID-19 symptoms; or
  • Is caring for a child whose school has closed, or childcare provider is unavailable, due to COVID-19.

These rules apply to all employees regardless of the length of time they have worked for the employer. The 80-hours would be pro-rated for those employees who do not normally work a 40-hour week. 

Employees who take leave because they themselves are sick (i.e., the first two bullets above) can receive up to $511 per day, with an aggregate limit of $5,110. If, on the other hand, an employee takes leave to care for a child or other family member (i.e., the last two bullets above), the employee will be paid two-thirds (2/3) of their regular weekly wages up to a maximum of $200 per day, with an aggregate limit of $2,000.

Days when an individual receives pay from their employer (regular wages, sick pay, or other paid time off) or unemployment compensation do not count as leave days for the purposes of this benefit.

Family and Medical Leave Act

Employees who have been employed for at least 30-days also have the right to take up to 12 weeks of job-protected leave under the Family and Medical Leave Act (FMLA). The Act requires that 10 of these 12 weeks (i.e., after the sick leave discussed above is taken) be paid at a rate of no less than two-thirds of the employee’s usual rate of pay. Any leave taken under this portion of the ACT will be limited to $200 per day with an aggregate limit of $10,000.

Exemptions

The Secretary of Labor has the authority to issue regulations exempting: (1) certain healthcare providers and emergency responders from taking leave under the Act; and (2) small businesses with fewer than 50 employees from the requirements of the Act if it would jeopardize the viability of the business.

Expiration

The provisions of the Act are set to expire on December 31, 2020, and unused time will not carry over from one year to the next.

Tax credits 

The Act provides for refundable tax credits to help an employer cover the costs associated with providing paid emergency sick leave or paid FMLA. The tax credits work as follows:

  • A refundable tax credit for employers equal to 100 percent of qualified family leave wages paid under the Act.
  • A refundable tax credit for employers equal to 100 percent of qualified paid sick leave wages paid under the Act. 
  • The tax credits are taken on Form 941 – Employer’s Quarterly Federal Income Tax Return filed for the calendar quarter when the leave is taken and reduce the employer’s portion of the Social Security taxes due. If the credit exceeds the employer’s total liability for Social Security taxes for all employees for any calendar quarter, the excess credit is refundable to the employer.

For more information

We are here to help. Please contact our benefit plan consultants if you have any questions or would like to discuss your specific situation. 

Blog
Highlights of the recently passed paid sick and family leave act: What you need to know

Editor’s note: read this if you are a hospital or senior living facility administrator, CFO, finance director or manager, patient financial services staff, or revenue team member. 

Unless you own a working crystal ball, no one knows the true impact COVID-19 will have on our communities and our healthcare ecosystem. The very nature of being a healthcare provider demands being prepared for emergencies, crises, and pandemics. This particular pandemic highlights how critical yet fragile the healthcare system is in our country—and across the globe.

Despite differences in payment mechanisms, terminology, and cultural expectations, registration is a critical function shared with all developed health systems across the globe and must be considered when preparing for COVID-19 and other community disasters. This function is responsible for correctly identifying patients, managing where they are in the systems (arrivals, bed management, scheduling, and other functions), and accurately identifying financial responsibility for services provided.  

Insurance verification is important during crisis, but the other functions are more important, as they ensure providers have access to timely and correct medical information and can document each patient's course of treatment and transfer care to other providers. Delays and inaccuracy in upfront functions can lead to decreased patient throughput and possibly impede patient care if access to medical records is delayed.

Preparation for successful patient care

Now is a great time to assess if your system’s patient access teams are properly staffed and trained, and you have contingency plans in place for emergencies and pandemics. Many systems continue to staff their registration functions with entry level/inexperienced staff. Are they dependable and able to handle the high stress that can accompany a crisis in your community? Systems must have contingency plans and training in place before it is needed.

Patient access staffpeople are at the front end of care and we must ensure they have the training, equipment, and tools to protect themselves from sick patients (this is true every day). If there is a health emergency in your community, a high likelihood exists that your patient access staff will be impacted. What is your plan for decreased patient access staff during times of increased/unprecedented demand? Many options exist and preparation prior to a crisis is important to successfully care for patients during the crisis. Here are some options to consider:

  • Cross-train billing and coding staff to register patients
    Cross-train revenue cycle staff to improve the strength of your revenue cycle. Billers and coders that fully understand registration can problem solve and collaborate quickly during a crisis, saving valuable time and improving efficiency.
  • Develop mass registration processes
    Create forms and/or have mobile laptops and technology ready to register patients in conference rooms and other non-traditional access points. This eliminates bottlenecks at ED and other high-demand registration points, speeding up treatment.
  • Continue to invest in self-service and telehealth tools
    Telehealth and self-service registration tools can alleviate staff demands, prevent non-emergency patients from coming to the facility, and improve patient satisfaction.

Patient access assessments

Patient access has been and will continue to be the foundation of the revenue cycle. This is true during normal operations and even more so during emergency and crisis situations. When is the last time you assessed your system’s patient access emergency plans and overall performance of your patient access department?  

BerryDunn’s patient access consultants can assist in ensuring your front-end functions are performing at best-practice levels, based on registration related denials and rework, processes flows, point-of-service collections, authorizations, and other metrics. The assessment will identify financial and revenue cycle improvement opportunities dependent on your people, processes, and technology. Assessments will also review the department’s preparedness for emergencies and provide recommendations to support the needs of the community during normal operations and during a crisis.

For more information, or if you have questions or comments about your specific situation, we're here to help. Please contact the team.

Blog
Preparing your revenue cycle for the pandemic: COVID-19

Editor’s note: Read this if you are a Chief Executive Officer, Chief Financial Officer, Chief Risk Officer, Chief Information Officer, or Controller.

Last month, the Office of the Comptroller of the Currency (OCC) issued its Semiannual Risk Perspective for Fall 2019. The report addresses key issues facing banks and focuses on those that pose threats to their safety and soundness. According to the report:

  • Bank financial performance is strong due to a favorable credit environment and the longest economic expansion in U.S. history.
  • Capital levels have reached historical highs.
  • Return on equity was above its 2006 pre-crisis level for the first time at 12.7%.
  • Net income grew 8.22% from the same period a year ago; however, net interest income grew only 4%, as loan growth is below historical averages and an increasing number of banks are facing a flat or declining net interest margin.
  • There is continued weakness in residential and commercial real estate loan growth.
  • Delinquent and nonperforming loans remain below their long-term averages.


Banks can thrive even with economic uncertainty

While these trends indicate that 2019 was by and large an excellent year, banks cannot afford to be complacent, as 2019 also saw increasing risks to the industry. For instance, in 2019 there was much discussion of the future cessation of the London InterBank Offer Rate (LIBOR). The OCC has indicated it will increase its regulatory oversight regarding the anticipated cessation, to ensure banks assess their exposure to LIBOR and are appropriately planning their transition from the widely used benchmark rate. The Financial Accounting Standards Board (FASB) is also working on a project to address accounting issues that could arise from the transition from LIBOR.

And, although 2019 continued the longest economic expansion in US history, economic uncertainty exists due to, in part, the US-China trade conflict and ongoing Brexit discussions. This economic uncertainty has caused volatility in the interest rate environment. Aside from the yield curve inverting in 2019, banks also saw the Federal Funds target rate increase 25 basis points prior to decreasing 50 basis points. Given the typically asset-sensitive nature of banks’ balance sheets, the current interest rate environment will also put pressure on net interest margins. The current volatility of interest rates has caused the OCC to conclude interest rate risk is currently at heightened levels. 

Net interest income continues to be the most significant driver of net revenues for community banks, comprising nearly 80% of net revenues. With a difficult interest rate environment and lackluster loan growth in residential and commercial real estate, banks may face a difficult path ahead. Banks should tread cautiously, especially if this uncertainty persists. Asset-liability management will need be a significant focus (more than usual) as banks try to position themselves to not only maintain profitability through this uncertainty, but also come out stronger than before. Specifically, if lower rates persist, asset growth will need be a priority over deposit growth to maintain profitability at lower net interest margins. If loan growth continues to wane, this will prove to be difficult.

Innovations to compete with new lending sources

Adding to the list of threats to performance is the increasing amount of alternative financial resources available to borrowers. Banks have traditionally been the only source of credit for borrowers. However, technology has rapidly changed that landscape. Person-to-person (P2P) lending (also known as crowd lending, or social lending), allows people to borrow funds directly from another person, cutting out traditional lending sources (banks). Additionally, blockchain technology, if the hype is accurate, has the potential to eliminate the need of a financial intermediary altogether. 

Banks are adapting to this competition and to customers looking for more convenience and alternative services by offering new, unique services that differentiate themselves from others and provide added value to the customer. Banks have delivered through remote deposit, ATMs, and interactive teller machines (ITMs). Banks will need to continue to adopt innovative services to remain competitive. 

For instance, banks could offer video conferencing services, in which customers could have a live conversation with a bank representative through their smartphone. This convenience would allow a customer to conduct a transaction, such as apply for a loan, from the convenience of their home, while still maintaining human interaction throughout the transaction. Such a service would help banks compete with digital channels offered by non-banks, such as Quicken Loans, which is now the largest mortgage originator in the United States.

Strategies to protect against technological risks

These services all require the use of existing and new technologies, which have caused banks to hold more personally identifiable information (PII) digitally across an increasing number of digital platforms. As noted by the OCC, this digital exposure has created persistent cybersecurity risks for banks. Adopting a robust cybersecurity framework is no longer an option. 

Banks should bring cybersecurity to the forefront of their strategic planning. Any strategic plan must consider cybersecurity implications, as a single disaster can be detrimental to a bank’s reputation. And, given this rapidly changing environment, the cybersecurity conversation must be ongoing through relevant bank committees and the board of directors.

Furthermore, these technological solutions require partnerships with businesses that banks would not traditionally partner with. Financial technology (fintech) companies don’t just pose as a competitor to traditional banks. Many fintech companies are offering their technological solutions to traditional banks. However, outsourcing technological solutions to fintech companies and other businesses does not relieve a bank from performing its own due diligence and ensuring those companies meet the bank’s standards. 

Banks should evaluate potential vendors to ensure they comply with the bank’s vendor management policy. Since environments are constantly changing, this evaluation should be ongoing. Many vendors now provide System and Organization Controls (SOC) reports which detail the control environment at the vendor and involve independent third-party testing of those controls that exist at the vendor. SOC reports can provide a useful starting point for evaluating a vendor’s ongoing compliance with the bank’s vendor management policy. However, it is not a substitute for ongoing communication with a vendor.

There is no doubt 2019 was a successful year for banks. But past performance is not a guarantee of future success. Banks face many challenges, risks, and uncertainties, of which only a few have been outlined above. The current landscape may be challenging but it is also filled with opportunity. Banks should consider expanding their services, adopting new technologies, and partnering with other companies to leverage their strengths. Doing so should help position themselves for an exciting decade ahead.

If you have specific concerns about challenges facing your institution, please contact the team

Blog
Banking and finance: 2020 challenges and what to do to overcome them

Editor's note: Read this if you are a current or future owner of solar or other renewable energy equipment, or a solar investor, developer, or installer.

Maine LD 1430: An opportunity for businesses with solar energy systems

In 2019, Maine passed bill LD 1430, which introduces a solar tax exemption for both business and residential owners enabling renewable energy adopters to save money―while adding real value to their property and assets. As our experience in Massachusetts has shown, eligible businesses should take advantage of these types of laws, as you can reduce your property tax assessment by the value of your solar or wind energy equipment.  

Let’s look at a simple example assuming a $20 mill rate and a business owner who owns land and installs a large commercial solar energy system on it to meet the electrical demand of his business:   

Land 50,000 
Solar Equipment 200,000
LD 1430 Property Tax Exemption for solar equipment (200,000)
Net Property valuation 50,000
Property Tax 1,000
Property Tax without LD 1430 5,000
Annual Savings 4,000

Standardized valuation methodology provides clear guidance for taxpayers

In December, the Maine Revenue Service expanded on the bill by providing standardized solar valuation methodology. It provides much-needed guidance to municipalities on how to assess property tax on solar equipment, helps prevent over taxation of businesses, and streamlines the process for applying for the solar property tax exemption. 

Solar tax exempt laws in other states

Maine was not the first state to enact this type of legislation to help improve renewable energy adoption in the commercial space, nor will it be the last. Massachusetts, among others, has a similar law on the books, which allows for an exemption on solar or wind equipment used to supply the energy needs of a taxable property. Over the past few years, many of our clients in Massachusetts have taken advantage of the exemption, and have saved thousands of dollars doing so. 

Not surprisingly, Massachusetts has seen strong growth in renewable energy in the commercial sector. According to the Massachusetts Clean Energy Center, Massachusetts went from a few hundred solar energy systems in 2006 to nearly 100,000 in 2018. Other states have also enacted this type of legislation. In fact, all but 12 states have enacted some form of solar tax exemption laws.  

Looking ahead

This law and others like it will continue to help renewable energy projects get off the ground. As the number of solar projects increases, so too does the ability to create more opportunity. 

We’ve been working with Massachusetts providers for many years, helping our clients grow as the market has been maturing. For more information on how we can help you in Maine (or other states) take advantage of these exemptions, please contact the renewable energy team.  

The Maine Revenue Service is planning to release a standard application for the property tax exemption in the coming weeks. Please stay tuned for updates.  

Blog
Maine adopts solar property tax exemptions

In our consulting work with Skilled Nursing Facilities (SNFs) we have identified some early trends in PDPM implementation we would like to share. PDPM has been in place for a little over three months and while there were some hiccups in the first month, claims appear to be processing normally. SNFs are reporting that PDPM has been positive for their facilities. Many are reporting increases in Medicare revenues and feel PDPM has also been positive for the industry. However, it will still be a few months until we can really measure the financial and operational impacts of PDPM. As we continue to evaluate the early results, here are several lessons learned thus far:

  1. The good news is we were ready! 
    There were predictions that SNFs were not going to be prepared and smaller providers were going to go out of business because they could not adapt to PDPM. This has not been the case. Providers report they have been able to successfully bill under PDPM and most providers are reporting increased reimbursement under PDPM. Initial PDPM news is positive for the industry, but to be successful providers must continue to adapt.
  2. There still needs to be more education on the Minimum Data Set (MDS) to optimize reimbursement.
    SNFs are unsure how sections of the MDS work together under PDPM. MDS nurses need more training on what section to enter diagnosis codes and they are unsure when a diagnosis or a check box will generate the PDPM score. Diagnoses that impact Speech Language Pathology (SLP) and any diagnoses that impact Non-Therapy Ancillaries (NTAs) should be recorded on MDS Section I8000. Some diagnoses entered in Section I8000 also have check boxes in Section I that must be checked in order to be properly reimbursed.
  3. There were some missed reimbursement opportunities.
    There are several factors contributing to missed reimbursement opportunities, including delays in receiving information from physicians and other departments. Facilities need to build better relationships with physicians and provider networks to improve communication that focuses on clinical conditions and co-morbidities of the resident. Additionally, procedures need to be in place to gather clinical information within the first three days in order to get all relevant information on the five-day MDS.
  4. Diagnosis should be supported by patient care plan.
    To be in compliance with Medicare regulations and prevent takebacks on audit, diagnoses must be supported by the resident care plan. For example, if a diagnosis code for malnutrition is entered in Section I, then the resident care plan and medical records need to support the diagnosis. The care plan should document information, such as specific risk factors, lab results, and weight tracking results. Reimbursement and treatment decisions need to have a demonstrable benefit to the resident and must be supported by the resident care plan.
  5. Providers need to evaluate how they provide therapy.
    Before making significant changes to their therapy programs, facilities should analyze their therapy utilization and outcomes under PDPM, as compared to outcomes and utilization under RUGS IV. This ensures you are providing high-quality care at the lowest cost. Things to consider are per patient day utilization ratios, cost per minute under PDPM vs RUGS IV, productivity standards under PDPM, and outcomes. SNFs that are decreasing their therapy minutes should be sure they still have good quality outcomes. 
  6. The bad news? Rate adjustments may be coming sooner than expected.
    PDPM was intended to be budget neutral. Based on early results, this does not seem to be the case. More SNFs are reporting they are winners rather than losers under PDPM. The belief is if PDPM continues to track with early results there will be a rate adjustment that could come as early as mid-year. However, it is more likely that CMS will make an adjustment to weights and rates as part of the 2020 rulemaking process.

As we move further into 2020, you can expect to see more data on PDPM claims and reimbursements, which will help you make operational and financial decisions about your facility. In the meantime, you should keep focusing on patient care and achieving quality outcomes while thinking about what you can do now to adapt to be successful under PDPM.

Blog
Patient Driven Payment Model (PDPM) implementation lessons learned

Editor's note: read this if you are a CFO, controller, accountant, or business manager.

We auditors can be annoying, especially when we send multiple follow-up emails after being in the field for consecutive days. Over the years, we have worked with our clients to create best practices you can use to prepare for our arrival on site for year-end work. Time and time again these have proven to reduce follow-up requests and can help you and your organization get back to your day-to-day operations quickly. 

  1. Reconcile early and often to save time.
    Performing reconciliations to the general ledger for an entire year's worth of activity is a very time consuming process. Reconciling accounts on a monthly or quarterly basis will help identify potential variances or issues that need to be investigated; these potential variances and issues could be an underlying problem within the general ledger or control system that, if not addressed early, will require more time and resources at year-end. Accounts with significant activity (cash, accounts receivable, investments, fixed assets, accounts payable and accrued expenses and debt), should be reconciled on a monthly basis. Accounts with less activity (prepaids, other assets, accrued expenses, other liabilities and equity) can be reconciled on a different schedule.
  2. Scan the trial balance to avoid surprises.
    As auditors, one of the first procedures we perform is to scan the trial balance for year-over-year anomalies. This allows us to identify any significant irregularities that require immediate follow up. Does the year-over-year change make sense? Should this account be a debit balance or a credit balance? Are there any accounts with exactly the same balance as the prior year and should they have the same balance? By performing this task and answering these questions prior to year-end fieldwork, you will be able to reduce our follow up by providing explanations ahead of time or by making correcting entries in advance, if necessary. 
  3. Provide support to be proactive.
    On an annual basis, your organization may go through changes that will require you to provide us documented contractual support.  Such events may include new or a refinancing of debt, large fixed asset additions, new construction, renovations, or changes in ownership structure.  Gathering and providing the documentation for these events prior to fieldwork will help reduce auditor inquiries and will allow us to gain an understanding of the details of the transaction in advance of performing substantive audit procedures. 
  4. Utilize the schedule request to stay organized.
    Each member of your team should have a clear understanding of their role in preparing for year-end. Creating columns on the schedule request for responsibility, completion date and reviewer assigned will help maintain organization and help ensure all items are addressed and available prior to arrival of the audit team. 
  5. Be available to maximize efficiency. 
    It is important for key members of the team to be available during the scheduled time of the engagement.  Minimizing commitments outside of the audit engagement during on site fieldwork and having all year-end schedules prepared prior to our arrival will allow us to work more efficiently and effectively and help reduce follow up after fieldwork has been completed. 

Careful consideration and performance of these tasks will help your organization better prepare for the year-end audit engagement, reduce lingering auditor inquiries, and ultimately reduce the time your internal resources spend on the annual audit process. See you soon. 

Blog
Save time and effort—our list of tips to prepare for year-end reporting

Read this if you are a solar investor, developer, or installer.

After a recent article where we highlighted some of the major points of the ITC safe harbor, we received many calls and e-mails looking for clarification on some of the related issues. In working to answer these questions we teamed up with Klavens Law Group, P.C., a Boston law firm that specializes in clean energy. Together with Brendan Beasley and Jon Klavens we have compiled a list of frequently asked questions that may be helpful as you navigate the last few weeks of the year. 

Q: My project is not ready for construction due to a pending decision on a land use permit. How can I minimize capital expenditure while still qualifying the project for the 5% safe harbor?
A: There are a couple approaches you as a taxpayer can take. First, if this project is among several in your portfolio, you can pay or incur expenses prior to December 31, 2019 for enough safe harbor equipment under a single binding contract to qualify each project in your portfolio and retain flexibility to allocate that equipment. Applying the master contract approach (per Section 7.03(2) of IRS Notice 2018-59), you would then transfer equipment, even after December 31, 2019, to affiliate special purpose entities under a second binding contract. Second, you can enter into a binding contract that is subject to a condition, applying section (ii)(B) of the “binding contract” definition at 26 CFR Section 1.168(k)-1(b)(4). In this case, the condition would be the project receiving the land use permits and clearing any related appeals period. Under this approach you would still need to pay or incur―or have your EPC contractor pay or incur under the look-through rule―at least 5% of the project’s depreciable cost basis by December 31, 2019. A limitation on this approach is that, if the condition is not likely to be satisfied within three-and-a-half months of the date of your binding contract, either you or your EPC contractor (applying the look-through rule) must take delivery of the equipment while the condition―and presumably the viability of the project―is still open and uncertain. 

Q: Can I finance a purchase of safe harbor equipment for my project?
A: Yes; however, you can’t use vendor financing. 

Q: I have a project that will be ready to construct in Q2 2020. The project company will execute a binding EPC agreement by December 31, 2019 that includes a procurement component. It will make an initial milestone payment of 7% upon execution. Does my project qualify for the 5% safe harbor?
A: Maybe. There is not enough information here to confirm. As taxpayer you must pay or incur expenses amounting to at least 5% of the total cost of the energy property prior to December 31, 2019, and must take delivery within three-and-a-half months from the date of payment under your binding contract. So the critical question here is what your EPC contractor is doing with that 7% payment. Here are some possible outcomes:

  • The EPC contractor purchases inverters on December 31, 2019 pursuant to a binding contract with a vendor. Applying the look-through rule, the safe harbor is satisfied.
  • The EPC contractor self-constructs a specialized racking system in January 2020, per your EPC agreement, and delivers it to you within three-and-a-half months of the binding contract. The safe harbor is satisfied.
  • The EPC contractor prepares 10% construction drawings and applies for a building permit, each at nominal cost, and holds your 7% payment while waiting for module prices to come down. The safe harbor is not satisfied.
  • The EPC contractor allocates its previously purchased inverters to your project, per your EPC agreement, holding them in its warehouse until May 2020 before delivering them to your site. The safe harbor is likely satisfied. Applying the look-through rule, the EPC contractor’s purchase of the inverters pursuant to a binding contract in 2019 (even if prior to the EPC agreement) will qualify the inverters for safe harbor purposes. The EPC contractor must take steps to identify and segregate the particular inverters within its warehouse.

Q: Can I sell safe-harbored equipment?
A: The buyer of your equipment (unless it is an affiliate) may not utilize the safe harbor unless you are selling the equipment together with the solar project. If, for example, your sale also includes a site lease and a PPA, the purchaser would receive the benefit of the safe harbor. In certain circumstances, you may also be able to become an affiliate of a project LLC by acquiring a membership interest of at least 20% and make an in-kind contribution of the safe-harbored equipment to the project LLC.           

Q: Can I satisfy the physical work test by building roads within my site?
A: Yes; however, the roads must be integral to the energy property. An access road would likely not be interpreted as integral to the property. However, roads used for purposes of operations and maintenance activity―within the area of the facility itself―are considered integral to the energy property.

Q: What constitutes work of a physical nature?
A: This is really open to the facts and circumstances interpretation. The IRS notice instructions referenced previously indicate some specific activities that do not qualify, but there is no quantification of how much of a qualifying activity must be done in order to satisfy the safe harbor requirement. Preliminary planning and site work do not count. But starting construction would, so you could satisfy the requirement with excavation for a foundation, drilling for moorings, pouring concrete, etc. The best bet would be to actually put up a section of panels.

Q: What is the continuing work requirement?
A: There is an additional safe harbor that says if your project is placed in service within four years of the end of the calendar year in which you started it you will have automatically met the continuous work requirement. If your project goes beyond that you will need to show facts and circumstances showing you were taking steps to continue working towards completing the project. For example, if the delay was due to a delay in getting interconnected, be prepared to show documentation that you were continuously working towards resolving that issue.

Unless there are changes to the current tax law, these same provisions will be in effect for each step of the phase-out through the end of 2023. If you have further questions, please contact a member of our renewable energy team

Please note that this Q&A, which may be considered advertising under the ethical rules of certain jurisdictions, is provided with the understanding that it does not constitute the rendering of legal advice or other professional advice by Klavens Law Group, P.C. or its attorneys. Please seek the services of a competent professional if you need legal or other professional assistance.

Blog
ITC safe harbor frequently asked questions

Read this if you are a solar investor, developer, or installer.

With December well under way, thoughts turn to year-end and tax filing preparation. While we get many questions this time of year related to changes in the tax law and what taxpayers can do before the end of the year to minimize their tax burden, different this year is the impending phase-out of the Investment Tax Credit (ITC) and Residential Energy Credit (REC) from 30% to 26%. 

Last month, we gave some pointers on the safe harbor provision available for the Investment Tax Credit which would allow qualifying projects to still be eligible for the 30% credit after the end of the year. No such provision exists for the residential credit, however, and any project not complete by 12/31/19 (and completed in 2020) will receive the reduced 26% credit.

The phase-out was designed to coincide with the projected decline in solar costs, and would help smooth the transition to a market where solar competes directly with fossil fuels for energy production. Since then, we have seen component costs increase due to artificially inflated prices resulting from the tariffs imposed on imported goods. This results in a mismatch on the timing of the phase-out to the cost of the materials, a still immature market for solar, and a missed opportunity. Enter a new bill in the House of Representatives.

Growing Renewable Energy and Efficiency Now Act

On November 19, 2019 Chairman Thompson of the House Ways and Means Subcommittee released a discussion draft of a bill titled the Growing Renewable Energy and Efficiency Now (“GREEN”) Act. This draft bill is not ready for a vote yet, but does promote an extension and/or expansion of tax incentives for taxpayers investing in cleantech. With the GREEN Act, solar investors, installers, and other related businesses would benefit from:

  • Revival and extension of the Production Tax Credit (PTC) through 2024
  • Delay of the ITC and REC phaseout until 2024
  • Expansion of the ITC to include additional technologies, most notably energy storage
  • A provision allowing the taxpayer to receive the ITC or PTC as a refund in the year it is claimed for 15% reduction in the value of the credit

A delay in the phase-out would allow time for the costs of components to return to pre-tariff levels and help achieve the original intention of the phase-out. The expansion of the ITC to include energy storage would be a huge boon to that emerging market, and provide an additional incentive for consumers to install storage on an existing project―creating a more efficient energy grid. 

Currently, due to accelerated depreciation, many taxpayers are not able to take the ITC or PTC in the first year due to not having a tax to offset. Allowing for the option to treat the ITC or PTC as a tax payment (which can be refunded) instead of a credit (which can’t) would help investors realize their return much faster and free up capital to invest in other projects. 

Some of these provisions are fairly aggressive, and it is unlikely that they will all remain as they are now in any future passed legislation. However, it is promising to see the House of Representatives considering these types of extensions and expansions when it comes to clean energy incentives. As renewable energy is still a relatively new and rapidly changing marketplace, this is a prime time for renewable energy professionals to keep representatives informed of what they need to help the industry continue to grow. 

Stay tuned, and please contact Mark Vitello if you have any questions or need more information.
 

Blog
The GREEN Act―a ray of hope for the solar carve out and the ITC?

Editor’s note: read this if you work for, or are affiliated with, a charitable organization that receives donations. Even the most mature nonprofit organizations may miss one of these filings once in a while. Some items (e.g., the donor acknowledgement letter) may feel commonplace, but a refresher—especially at a particularly busy time of the year as it pertains to giving—can fend off fines.

As the holiday season is now in full swing, the season of giving is also upon us. Perhaps not surprisingly, the month of December is by far the most charitable month of the year, accounting for almost one-third of all charitable gifts made annually. And with all that giving comes the requirement of charitable organizations to provide donor acknowledgements, a formal “thank you” of the gift being received. Different gifts require differing levels of acknowledgement, and in some cases an additional IRS form (or two) may need to be filed. Doing some work now may save you time (and a fine or two) later. 

While children are currently busy making lists for Santa Claus, in the spirit of giving we present to you our list of donor acknowledgement requirements―and best practices―to help you gain control of this issue for the holiday season and beyond.

Donor acknowledgement letters

Charitable (i.e., 501(c)(3)) organizations are required to provide a donor acknowledgement letter to each donor contributing $250 or more to the organization, whether it be cash or non-cash items (i.e., publicly traded securities, real estate, artwork, vehicles, etc.) received. The letter should include the following: 

  1. Name of the organization
  2. Amount of cash contribution
  3. Description of non-cash items (but not the value) 
  4. Statement that no goods and services were provided (assuming this is the case)
  5. Description and good faith estimate of the value of goods and services provided by the organization in return for the contribution, if any
  6. Statement that goods or services provided by the organization in return for the contribution consisted entirely of intangible religious benefit, if any

It is not necessary to include either the donor’s social security number or tax identification number on the written acknowledgment and as a best practice should not be included in the letter.

In addition to including the elements above, the written acknowledgement is also required to be contemporaneous, that is, sent out in a timely fashion. According to the IRS, a donor must receive the acknowledgment by the earlier of:

  • The date on which the donor actually files his or her individual federal income tax return for the year of the contribution
  • The due date (including extensions) of the return in order to be considered contemporaneous

Quid pro quo disclosure statements

When a donor makes a payment greater than $75 to a charitable organization partly as a contribution and partly as a payment for goods and services, a disclosure statement is required to notify the donor of the value of the goods and services received in order for the donor to determine the charitable contribution component of their payment.

An example of this would be if the organization sold tickets to its annual fundraising dinner event. Assume the ticket costs $100 and at the event the ticketholder receives a dinner valued at $40. In this example, the donor’s tax deduction may not exceed $60. Because the donor’s payment (quid pro quo contribution) exceeds $75, the charitable organization must furnish a disclosure statement to the donor, even though the deductible amount doesn’t exceed $75.

It’s important to note that there are some exclusions to these requirements if the value received is considered to be de minimis (known as the Token Exception), but the value received needs to be relatively small (ex: receiving a coffee mug with a picture of the organization’s logo on it). Please consult your tax advisor for more details.

If the organization does not issue disclosure statements, the IRS can issue penalties of $10 per contribution, not to exceed $5,000 per fundraising event or mailing. An organization may be able to avoid the penalty if reasonable cause can be demonstrated.

Receiving or selling donated noncash property? Forms 8283 & 8282 may be required.

If a charitable organization receives noncash donations, it may be asked to sign Form 8283. This form is required to be filed by the donor and included with their personal income tax return. If a donor contributes noncash property (excluding publicly traded securities) valued at over $5,000, the organization will need to sign Form 8283, Section B, Part IV acknowledging receipt of the noncash item(s) received.

By signing Form 8283, the donee organization is not only acknowledging receipt, but is also affirming that if the property being received is sold, exchanged, or otherwise disposed of within three years of the original donation date, the organization will be required to file Form 8282. A copy of this form is filed with the IRS and must also be provided to the original donor. Form 8282 is not required for sales of donated publicly traded securities. The penalty for failure to file Form 8282 when required is generally $50 per form.

Cars, boats, and yes, even airplanes? That would be Form 1098-C.

An airplane? Yes, even an airplane can be donated, and the donee organization must file a separate Form 1098-C, Contributions of Motor Vehicles, Boats, and Airplanes, with the IRS for each contribution of a qualified vehicle that has a claimed value of more than $500. Contemporaneous written acknowledgement requirements apply here too, and Form 1098-C can act as acknowledgement for this purpose. An acknowledgment is considered contemporaneous if it is furnished to the donor no later than 30 days after the date of the contribution if you plan to use the item for a mission-related purpose, or 30 days after the date of the sale of the item to an unrelated third party.

Penalties for failure to provide contemporaneous written acknowledgement for qualified vehicles can be pretty stiff, generally calculated as a percentage of the sale price if sold, or a percentage of the claimed value if not sold. Should you have any questions or receive a request regarding any of the forms noted above, please consult your tax advisor.

As you can see, the rules around donor acknowledgements can seem a lot like Grandma’s fruitcake―complex and perhaps a bit on the nutty side. When issuing donor acknowledgements this holiday season and beyond, be sure to review the list above and check it twice. Doing so may end up keeping you off of the IRS’s naughty list!

Blog
Donor acknowledgements: We have to file what?

Read this if you are a State Medicaid Director, State Medicaid Chief Information Officer, State Medicaid Project Manager, or State Procurement Officer—or if you work on a State Medicaid Enterprise System (MES) certification effort.

On October 24, 2019, the Centers for Medicaid and Medicare Services (CMS) published the Outcomes-Based Certification (OBC) guidance for the Electronic Visit Verification (EVV) module. Now, CMS is looking to bring the OBC process to the rest of the Medicaid Enterprise. 

The shift from a technical-focused certification to a business outcome-focused approach presents a unique opportunity for states as they begin re-procuring—and certifying—their Medicaid Enterprise Systems (MES).

Once you have defined the scope of your MES project—and know you need to undertake CMS certification—you need to ask “what’s next?” OBC can be a more efficient certification process to secure Federal Financial Participation (FFP).

What does OBC certification entail?

Rethinking certification in terms of business outcomes will require agencies to engage business and operations units at the earliest possible point of the project development process to define the program goals and define what a successful implementation is. One way to achieve this is to consider MES projects in three steps. 

Three steps to OBC evaluation

Step 1: Define outcomes

The first step in OBC planning seems easy enough: define outcomes. But what is an outcome? To answer that, it’s important to understand what an outcome isn’t. An outcome isn’t an activity. Instead, an outcome is the result of the activity. For example, the activity could be procuring an EVV solution. In this instance, an outcome could be that the state has increased the ability to detect fraud, waste, and abuse through increased visibility into the EVV solution.

Step 2: Determine measurements

The second step in the OBC process is to determine what to measure and how exactly you will measure it. Deciding what metrics will accurately capture progress toward the new outcomes may be intuitive and therefore easy to define. For example, a measure might simply be that each visit is captured within the EVV solution.

Increasing the ability to detect fraud, waste, and abuse could simply be measured by the number of cases referred to a Medicaid fraud unit or dollars recovered. However, you may not be able to easily measure that in the short-term. Instead, you may need to determine its measurement in terms of an intermediate goal, like increasing the number of claims checked against new data as a result of the new EVV solution. By increasing the number of checked claims, states can ensure that claims are not being paid for unverified visits. 

Step 3: Frequency and reporting

Finally, the state will need to determine how often to report to measure success. States will need to consider the nuances of their own Medicaid programs and how those nuances fit into CMS’ expectations, including what data is available at what intervals.

OBC represents a fundamental change to the certification process, but it’s important to highlight that OBC isn’t completely unfamiliar territory. There is likely to be some carry-over from the certification process as described in the Medicaid Enterprise Certification Toolkit (MECT) version 2.3. The current Medicaid Enterprise Certification (MEC) checklists serve as the foundation for a more abbreviated set of criteria. New evaluation criteria will look and feel like the criteria of old but are likely to be a fraction of the 741 criteria present in the MECT version 2.3.

OBC offers several benefits to states as you navigate federal certification requirements:

  1. You will experience a reduction in the amount of time, effort, and resources necessary to undertake the certification process. 
  2. OBC refocuses procurement in terms of enhancements to the program, not in new functions. Consequently, states will also be able to demonstrate the benefits that each module brings to the program which can be integral to stakeholder support of each module. 
  3. Early adoption of the OBC process can allow you to play a more proactive role in certification efforts.

Continue to check back for a series of our project case studies. Additionally, if you are considering an OBC effort and have questions, please contact our team. You can read the OBC guidance on the CMS website here
 

Blog
Three steps to outcomes-based certification

Editor's note: Read this if you are a CTO, CIO, or administrator at a college or university. This is the first blog in a series on business lessons and best practices from American literature. For this series, interviewees select from a list of American literary quotes through which to view, and discuss, their focus or industry. The goal? To generate some novel insight.

The interviewees: David Houle and Joseph Traino, consultants at BerryDunn
The focus: Higher education
The quote: “Our inventions are wont to be pretty toys . . . They are but improved means to an unimproved end.”  -- Henry David Thoreau, Walden; or, Life in the Woods

Thoreau wrote this shortly after the Industrial Revolution. How does its cynicism apply to higher education during the Digital Revolution?

David Houle (DH): It speaks to my basic philosophy about applying technology to the needs of higher education clients. I’m not a “technology for the sake of technology” cheerleader. 

Joseph Traino (JT): People often believe that applying new technology to a business problem is going to solve the business problem. That rarely happens. For example, most higher education clients have a student information system. These clients often feel that, in order to resolve certain issues, they should update the system software, whereas the issues are often resolved by updating business practices to be more efficient and effective. 

DH: Right. We are often brought in to identify needed technology changes but end up stressing practices, processes, and people. If staff can’t correctly use a new technology, then the technology will not provide a real, valuable service.

When implementing a new technology, what’s the #1 thing that a higher education institution can do to prevent or avoid “an unimproved end”?

JT: Fully understand the technology’s impact on stakeholders, such as students, faculty, and staff, and answer the “why?”

DH: Keep people in mind and gain their buy-in when making technology decisions.

What technology, or technology-related change, is going to have the biggest effect on higher education over the next five years?

DH: Clients love to ask us this question (laughs). And if I truly knew the answer, I’d be on some Caribbean island right now, filthy rich and sipping a piña colada. That said, I think the technology demands of the new workforce are going to have the biggest effect. To paraphrase the new workforce: “I don’t want to stare at a green screen. And what in the world is DOS?” Conversely, the personnel who used to support these homegrown, in-house “green screen” products want to retire and leave the workforce. 

JT: I agree that the demands of the new workforce will continue to affect higher education and steer institutions away from term-based courses and programs and toward more flexible, student-centric courses and programs. From a technology standpoint, I think AI and bots are going to replace many of the manual processes that we still see today in higher education. These new technologies will create greater efficiencies—but also possibly reduce jobs—at institutions.

DH: Higher education leaders with vision have already grasped this idea of cutting administrative costs wherever possible, because those costs are not what place students in seats—or in front of screens. On the flip side, advising is currently an underserved area in higher education. So there is an opportunity for leaders to reallocate administrative resources to fulfill advising roles and to help students—such as at-risk and first-generation students—not just in the classroom, but through their learning journey.

Circling back to the Thoreau quote, I’m sure many higher education staff fear technology will lead to “unimproved ends” for their careers. How do you navigate those fears when working with clients? 

JT: It’s certainly a challenge. We currently face some of those fears when working with IT departments—more services are being moved to the cloud, and there is less of a need for on-site database administrators and system administrators, as an example. Alluding to what Dave said about advising, I think many higher education jobs can be shifted to provide interactive high-tech, high-touch services to students.

DH: And to be blunt, some people don’t want to shift, don’t want to change. The people part is the most challenging part of technology adoption. 

In this discussion about technology, we keep returning to people—and the people side of change. Are higher education clients typically responsive to the concept of change management?

JT: There’s typically some reticence, and a lack of understanding about the value of change management. In most cases, change management requires an investment beyond the technology investment. But change management is key to success. 

DH: Reticence is a good word. Yet I do think that views about change management are changing rapidly. Higher education leaders who have been through a significant system or process change now seem to understand the value of change management and know that change management is a necessity, not a luxury. 

In the end, are you confident that new technology is going to benefit students and their educational goals? 

DH: I’m unsure if technology improves the quality of education. However, I am sure that technology increases the options for the delivery of education. And greater flexibility in education delivery is certainly beneficial, especially because the traditional student is now non-traditional. Ongoing and 24/7 access demands in education are here to stay.

JT: I agree with Dave wholeheartedly. I think technology will help improve the means to the end, but I’m not sure if technology is going to improve the end. Technology is just one part of the education equation. 
 

Blog
Technology ≠ Education

Read this if you are a solar investor, developer, or installer.

The solar carve out of the Investment Tax Credit (ITC) has been a great incentive for taxpayers to invest in solar assets over the last several years. It established an increased 30% tax credit for solar assets placed in service, up from the normal 10%. 

Starting January 1, 2020, the solar carve out will begin to phase out and will return to 10% by January 1, 2024. 

With the first phase-out of the ITC set to drop the credit from 30% to 26% after December 31, 2019, many taxpayers are evaluating ways to make sure their project still qualifies for the 30% credit. The IRS has issued two safe harbor provisions (IRS Notice 2018-59) to allow for projects placed in service after December 31, 2019 and before January 1, 2024 to still qualify for the 30% credit, but timing is key and certain actions must be taken before midnight on December 31, 2019.

Safe harbor methods

The two safe harbor methods are the Physical Work Test and the Five Percent of Cost Test. If a project satisfies either of these tests it can still qualify for the 30% tax credit as long as it is completed and in service before January 1, 2024.

The Physical Work Test requires that the taxpayer performs, or has performed on their behalf, “work of a significant nature” on the project prior to December 31, 2019. This is a little open to interpretation, but generally involves physical construction of the asset, such as the installation of mounting equipment, rails, racking, inverters, or even the panels themselves. Purchasing of equipment generally held in inventory by either the taxpayer or the vendor does not qualify. However, if the equipment is customized or specially designed for the specific project, it might. Preliminary activities do not qualify, which include planning, designing, surveying, and permitting. 

In general, the purpose of this test is to prove that construction has already begun, and is in place to help projects that have been started but won’t be in service before year end still maintain the 30% tax credit. Projects that are substantially complete and waiting for an interconnection or a permission to operate in order to be considered as in service will most easily qualify for this safe harbor test.

The Five Percent of Cost Test is a little more straightforward, and is likely to be more commonly used to qualify projects for the safe harbor provision as the end of the year deadline approaches. This test requires at least five percent of the total project cost be paid or incurred before December 31, 2019. It is important to note that the denominator in this test is the final total cost of the project when it goes in service. The taxpayer may wish to pay more than the five percent to account for project overruns or unanticipated changes to the project in order to make sure they maintain the qualification for safe harbor. 

Another consideration is if the taxpayer files on the cash or accrual method as to whether the project cost needs to be paid or incurred in order to satisfy the chosen filing method.

In either case, the taxpayer should also evaluate the cost of prepaying for equipment that may decrease in cost in the future, compared to the benefit they will receive in maintaining the additional four percent of the tax credit that can safe harbor from the phase out. 

Additionally, an analysis of total project costs and eligible vs. ineligible ITC costs early on in project development can help identify how best to spend the cash before the end of the year, and ensure that the taxpayer receives the return they require once the project goes into service.

Have questions?

If you have questions on these safe harbors or need more information, please contact the green tax experts on our renewable energy team

Blog
Safe harbor options for taxpayers as the solar ITC begins to sunset

Editor's note: read this blog if you are a state liquor administrator or at the C-level in state government. 

Surprisingly, the keynote address to this year’s annual meeting of the National Alcohol Beverage Control Association (NABCA) featured few comments on, well, alcohol. 

Why? Because cannabis is now the hot topic in state government, as consumers await its legalization. While the thought of selling cannabis may seem foreign to some state administrators, many liquor agencies are―and should be―watching. The fact is, state liquor agencies are already equipped with expertise and the technology infrastructure needed to lawfully sell a controlled substance. This puts them in a unique position to benefit from the industry’s continued growth. Common technology includes enterprise resource planning (ERP) and point-of-sale (POS) systems.

ERP

State liquor agencies typically use an ERP system to integrate core business functions, including finance, human resources, and supply chain management. Whether the system is handling bottles of wine, cases of spirits, or bags of cannabis, it is capable of achieving the same business goals. 

The existing checks and balances on controlled substances like alcohol in their current ERP system translate well to cannabis products. This leads to an important point: state governments do not need to procure a new IT system solely for regulating cannabis.

By leveraging existing ERP systems, state liquor agencies can sidestep much of the time, effort, and expense of selecting, procuring, and implementing a new system solely for cannabis sales and management. In control states, where the state has exclusively control of alcohol sales, liquor agencies are often involved in every stage of product lifecycle, from procurement to distribution to retailing.

With a few modifications, the spectrum of business functions that control states require for liquor—procuring new product, communicating with vendors and brokers, tracking inventory, and analyzing sales—can work just as well for cannabis.

POS

POS systems are necessary for most retail stores. If a state liquor agency decides to sell cannabis products in stores, they can use a POS system to integrate with the agency’s ERP system, though store personnel may require training to help ensure compliance with related regulations.

Cannabis is cash only (for now)

There is one major difference in conducting liquor versus cannabis sales at any level: currently states conduct all cannabis sales in cash. With cannabis illegal on the federal level, major banks have opted to decline any deposit of funds earned from cannabis-related sales. While some community banks are conducting cannabis-related banking, many retailers selling recreational cannabis in places like Colorado and California still deal in cash. While risky and not without challenges, these transactions are possible and less onerous to federal regulators. 

Taxes 

As markets develop, monthly tax revenue collections from cannabis continue to grow. Colorado and California have found cannabis-related tax revenue a powerful tool in hedging against uncertainty in year-over-year cash flows. Similar to beer sold wholesale, which liquor agencies tax even in control states, cannabis can be taxed at multiple levels depending on the state’s business model.

E-commerce

Even with liquor, few state agencies have adopted direct-to-consumer online sales. However, as other industries continue shifting toward e-commerce and away from brick and mortar retailing, private sector competition will likely feed increased consumer demand for online sales. Similar to ERP and POS systems, states can increase revenue by selling cannabis through e-commerce sales channels. In today’s online retail world, many prefer to buy products from their computer or smart phone instead of shopping in stores. State agencies should consider selling cannabis via the web to maximize this revenue opportunity. 

Applying expertise in the systems and processes of alcoholic beverage control can translate into the sale and regulation of cannabis, easing the transition states face to this burgeoning industry. If your agency is considering bringing in cannabis under management, you should consider strategic planning sessions and even begin a change management approach to ensure your agency adapts successfully. 

Blog
Considering cannabis: How state liquor agencies can manage the growing industry

This spring, I published a blog about the importance of data governance in higher education institutions. In the summer, a second blog covered implementing baseline principles for data governance. With fall upon us, it is time to transition to discussing three critical steps to create a data governance culture. 

1.    Understand the people side of change.

The culture of any organization begins and ends with its people. As you know, people are notoriously finicky when it comes to change (especially change like data governance initiatives that may alter the way we have to understand or interact with institutional data). I recommend that any higher education institution apply a change management methodology (e.g., Prosci®, Lewin’s Change Management Model) in order to gauge the awareness of, the desire for, and the practical realities of this change. If you apply your chosen methodology in an effective and consistent manner, change management will help you increase buy-in and break down resistance. 

2.    Identify and empower the right people for the right roles.

Higher education institutions often focus on data governance processes and technologies. While this is necessary, you can’t overlook the people part of data governance. In fact, you can argue it is the most important part, because without people, there will be no one to follow the processes you create or use the technologies you implement. 

To find the right people, you need to identify and establish three specific roles for your institution: data trustees, data stewards, and data managers. Once you have organized these roles and responsibilities, data governance becomes easier to manage. Some definitions:

Data trustees (the sponsors) – senior leadership (or designees) who oversee data policy, planning, and management. Their responsibilities include: 

  • Promoting data governance 
  • Approving and updating data policies​​
  • Assigning and overseeing data stewards
  • Being responsible for data governance

Data stewards (the owners) – directors, managers, associate deans, or associate vice presidents who manage one or more data types. Their responsibilities include:

  • Applying and overseeing data governance policies in their functional areas
  • Following legal requirements pertaining to data in their functional areas
  • Classifying data and identifying data safeguards
  • Being accountable for data governance

Data managers (the caretakers) – data system managers, senior data analysts, or functional users (registrar, financial aid, human resources, etc.) who perform day-to-day data collection and management operations. Their responsibilities include:

  • Implementing data governance policies in their functional areas
  • Resolving data issues in their functional areas 
  • Provide training and appropriate documentation to data users
  • Being informed and consulted about data governance

3.    Be consistent and hold people accountable.

Ultimately, your data governance team needs accountability in order to thrive. Therefore, it is up to data trustees, data stewards, and data managers to hold regular meetings, take and distribute meeting notes, and identify and follow up on meeting action items. Without this follow through, data governance initiatives will likely stall or stop altogether. 

More information on data governance 

Are you still curious about additional guiding principles of data governance in higher education? Please contact the team
 

Blog
People Power: Enacting Sustainable Data Governance

Editors note: read this if you are a leader in an accountable care organization and interested in value-based contracting.

Accountable Care Organizations (ACOs) and value-based payments: an introduction

With the goal of slowing the rising cost of healthcare while maintaining the delivery of high-quality care, the Centers for Medicare & Medicaid Services (CMS) and private payers utilize a number of different provider payment models. The primary approach to address increasing healthcare costs has been to move away from fee-for-service payment models—which incentivize increasing the volume of care provided—to value-based payment models, which hold providers accountable for both the cost and quality of care they provide. The models have the potential to lead to reduced revenue for some providers, an outcome that can be avoided by successfully attracting larger patient populations. 

Value-based payment model options 

CMS has been a driver in this transition by moving physician reimbursement from being solely based on the Resource-Based Relative Value Scale (RBRVS) fee-for-service methodology to one that adds performance-based elements either through the Merit-based Incentive Payment System (MIPS) or Advanced Alternative Payment Models (Advanced APMs):

  • Providers that are MIPS eligible will have up to 9% of their RBRVS-based payments adjusted for four categories: quality, cost, clinical practice improvement activities, and promoting interoperability.
  • Providers in an Advanced APM may earn an incentive payment based on their participation in an innovative payment model―with more opportunity for incentive rewards being given to those who take downside financial risk. 

On the hospital side, CMS developed the Hospital Value-Based Purchasing (VBP) Program in order to move away from reimbursement based strictly on Diagnosis Related Groups (DRGs). The Hospital VBP Program rewards hospitals with incentive payments based on the quality of care they provide to Medicare beneficiaries. 

ACO value-based payment models are APMs that typically incorporate quality and the total cost of care for all services for a specific population, rather than just a specific clinical condition or care episode. Under the ACO model, CMS contracts with providers to assume increasing financial risk and reward opportunities while also being held accountable for their quality performance managing defined sub-populations they serve. These types of models are also employed by private payers.

How can ACOs succeed with payment models constantly changing?

ACOs should proceed with caution as they enter models with accountability for financial risk such as the newly finalized CMS Pathways to Success program and certain private payer commercial models. In order to be successful in any model, it is critical that ACOs have an adequate foundation in place and a provider network built to provide coordinated care. Some of the key elements for your success include:

  • Population data: Data for the ACO members that is a comprehensive record of their recent health utilization and spending history is critical.
  • Eligibility reporting: Require that eligibility files are provided on a monthly basis, and understand the way in which members are attributed or assigned. 
  • Claims data: Ensure accurate and complete claims data will be provided by payers monthly for the ACO members.
  • Financial/quality reporting: Ensure creation of infrastructure to generate reporting from the population data on a timely basis. Without timely reporting, the actual performance against benchmarks will not be known until it is too late to take any action.
  • Actuarial support: Validating spending targets and performance settlement should draw on the expertise of a qualified actuary.
  • Clinical documentation: Ambulatory clinical documentation categorizes patients based on the complexity of their diagnoses, which can be a predictor of future health care costs and used to identify at risk members for care management, disease management, and other programs. 
  • Population health management tools: Establish capabilities around population health management, specifically data aggregation and analysis that results in actionable recommendations
  • Audit capability: Verify the accuracy of payer financial and quality reports including the risk adjustment methodology.

Success in value-based payment models will require ACOs to understand changes to their population and quickly respond to address quality, utilization, and cost trends. 

WEBINAR
Demystifying Value-Based Contracting: Key Steps To Empower Your Organization

Want to learn more? Watch our value-based contracting webinar.

Blog
Success in value-based payment for ACOs

Follow these six steps to help your senior living organization improve cash flow, decrease days in accounts receivable, and reduce write offs.

From regulatory and reimbursement rule changes to new software and staff turnover, senior living facilities deal with a variety of issues that can result in eroding margins. Monitoring days in accounts receivable and creeping increases in bad debt should be part of a regular review of your facility’s financial indicators.

Here are six steps you and your organization can take to make your review more efficient and potentially improve your bottom line:

Step 1: Understand your facility’s current payer mix.

Understanding your payer mix and various billing requirements and reimbursement schedules will help you set reasonable goals and make an accurate cash flow forecast. For example, government payers often have a two-week reimbursement turn-around for a clean claim, while commercial insurance reimbursement may take up to 90 days. Discovering what actions you can take to keep the payment process as short as possible can lessen your average days in accounts receivable and improve cash flow.

Step 2: Gain clarity on your facility’s billing calendar.

Using data from Step 1, review (or develop) your team’s billing calendar. The faster you send a complete and accurate bill, the sooner you will receive payment.

Have a candid discussion with your billers and work on removing (or at least reducing) existing or perceived barriers to producing timely and accurate bills. Facilities frequently find opportunities for cash flow optimization by communicating their expectations for vendors and care partners. For example, some facilities rely on their vendors to provide billing logs for therapy and ancillary services in order to finalize Resource Utilization Groups (RUGs) and bill Medicare and advantage plans. Delayed medical supply and pharmacy invoices frequently hold up private pay billing. Working with vendors to shorten turnaround time is critical to receiving faster payments.

Interdependencies and areas outside the billers’ control can also negatively influence revenue cycle and contribute to payment delays. Nursing and therapy department schedules, documentation, and the clinical team’s understanding of the principles of reimbursement all play significant roles in timeliness and accuracy of Minimum Data Sets (MDSs) — a key component of Medicare and Medicaid billing. Review these interdependencies for internal holdups and shorten time to get claims produced.

Step 3: Review billing practices.

Observe your staff and monitor the billing logs and insurance claim acceptance reports to locate and review rejected invoices. Since rejected claims are not accepted into the insurer’s system, they will never be reflected as denied on remittance advice documents. Review of submitted claims for rejections is also important as frequently billing software marks claims as billed after a claim is generated. Instruct billers to review rejections immediately after submitting the bill, so rework, resubmission, and payment are timely.

Encourage your billers to generate pull communications (using available reporting tools on insurance portals) to review claim status and resolve any unpaid or suspended claims. This is usually a quicker process than waiting for a push communication (remittance advice) to identify unpaid claims.

Step 4: Review how your facility receives payments.

Challenge any delays in depositing money. Many insurance companies offer payment via ACH transfer. Discuss remote check deposit solutions with your financial institution to eliminate delays. If the facility acts as a representative payee for residents, make sure social security checks are directly deposited to the appropriate account. If you use a separate non-operating account to receive residents’ pensions, consider same day bill pay transfer to the operating account.

Step 5: Review industry benchmarks.

This is critical to understanding where your facility stands and seeing where you can make improvements. BerryDunn’s database of SNF Medicare cost reports filed for FY 2015 - 2018 shows:

Skilled Nursing Facilities: Days in Accounts Receivable

Step 6: Celebrate successes!

Clearly some facilities are doing it very well, while some need to take corrective action. This information can also help you set reasonable goals overall (see Step 1) as well as payer-specific reimbursement goals that make sense for your facility. Review them with the revenue cycle team and question any significant variances; challenge staff to both identify reasons for variances and propose remedial action. Helping your staff see the big picture and understanding how they play a role in achieving department and company goals are critical to sustaining lasting change AND constant improvement.

Change, even if it brings intrinsic rewards (like decreased days in accounts receivable, increased margin to facilitate growth), can be difficult. Acknowledge that changing processes can be tough and people may have to do things differently or learn new skills to meet the facility’s goal. By celebrating the improvements — even little ones — like putting new processes in place, you encourage and engage people to take ownership of the process. Celebrating the wins helps create advocates and lets your team know you appreciate their work. 

To learn more, contact one of our revenue cycle specialists.

Blog
Six steps to gain speed on collections

A version of this article was previously published on the Massachusetts Nonprofit Network

Editor’s note: while this blog is not technical in nature, you should read it if you are involved in IT security, auditing, and management of organizations that may participate in strategic planning and business activities where considerations of compliance and controls is required.

As we find ourselves in a fast-moving, strong business growth environment, there is no better time to consider the controls needed to enhance your IT security as you implement new, high-demand technology and software to allow your organization to thrive and grow. Here are five risks you need to take care of if you want to build or maintain strong IT security.

1. Third-party risk management―It’s still your fault

We rely daily on our business partners and vendors to make the work we do happen. With a focus on IT, third-party vendors are a potential weak link in the information security chain and may expose your organization to risk. However, though a data breach may be the fault of a third-party, you are still responsible for it. Potential data breaches and exposure of customer information may occur, leaving you to explain to customers and clients answers and explanations you may not have. 

Though software as a service (SaaS) providers, along with other IT third-party services, have been around for well over a decade now, we still neglect our businesses by not considering and addressing third-party risk. These third-party providers likely store, maintain, and access company data, which could potentially contain personally identifiable information (names, social security numbers, dates of birth, addresses), financial information (credit cards or banking information), and healthcare information of your customers. 

While many of the third-party providers have comprehensive security programs in place to protect that sensitive information, a study in 2017 found that 30% of data breaches were caused by employee error or while under the control of third-party vendors.1  This study reemphasizes that when data leaves your control, it is at risk of exposure. 

In many cases, procurement and contracting policies likely have language in contracts that already establish requirements for third-parties related to IT security; however the enforcement of such requirements and awareness of what is written in the contract is not enforced or is collected, put in a file, and not reviewed. What can you do about it?

Improved vendor management

It is paramount that all organizations (no matter their size) have a comprehensive vendor management program that goes beyond contracting requirements in place to defend themselves against third-party risk which includes:

  1. An inventory of all third-parties used and their criticality and risk ranking. Criticality should be assigned using a “critical, high, medium or low” scoring matrix. 
  2. At time of onboarding or RFP, develop a standardized approach for evaluating if potential vendors have sufficient IT security controls in place. This may be done through an IT questionnaire, review of a Systems and Organization Controls (SOC report) or other audit/certifications, and/or policy review. Additional research may be conducted that focuses on management and the company’s financial stability. 
  3. As a result of the steps in #2, develop a vendor risk assessment using a high, medium and low scoring approach. Higher risk vendors should have specific concerns addressed in contracts and are subject to more in depth annual due diligence procedures. 
  4. Reporting to senior management and/or the board annually on the vendors used by the organization, the services they perform, their risk, and ways the organization monitors the vendors. 

2. Regulation and privacy laws―They are coming 

2018 saw the implementation of the European Union’s General Data Privacy Regulation (GDPR) which was the first major data privacy law pushed onto any organization that possesses, handles, or has access to any citizen of EU’s personal information. Enforcement has started and the Information Commissioner’s Office has begun fining some of the world’s most famous companies, including substantial fines to Marriott International and British Airways of $125 million and $183 million Euros, respectively.2  Gone are the days where regulations lacked the teeth to force companies into compliance. 

With thanks to other major data breaches where hundreds of millions’ consumers private information was lost or obtained (e.g., Experian), more regulation is coming. Although there is little expectation of an American federal requirement for data protection, individual states and other regulating organizations are introducing requirements. Each new regulation seeks to protect consumer privacy but the specifics and enforcement of each differ. 

Expected to be most impactful in 2019 is the California Consumer Privacy Act,  which applies to organizations that handle, collect, or process consumer information and do business in the state of California (you do not have to be located in CA to be under the umbrella of enforcement).

In 2018, Maine passed the toughest law on telecommunications providers for selling consumer information. Massachusetts’ long standing privacy and data breach laws were amended with stronger requirements in January of 2019. Additional privacy and breach laws are in discussion or on the table for many states including Colorado, Delaware, Ohio, Oregon, Ohio, Vermont, and Washington, amongst others.      

Preparation and awareness are key

All organizations, no matter your line of business must be aware of and understand current laws and proposed legislation. New laws are expected to not only address the protection of customer data, but also employee information. All organizations should monitor proposed legislation and be aware of the potential enforceable requirements. The good news is that there are a lot of resources out there and, in most cases, legislative requirements allow for grace periods to allow organizations to develop a complete understanding of proposed laws and implement needed controls. 

3. Data management―Time to cut through the clutter 

We all work with people who have thousands of emails in their inbox (in some cases, dating back several years). Those users’ biggest fears may start to come to fruition―that their “organizational” approach of not deleting anything may come to an end with a simple email and data retention policy put in place by their employer. 

The amount of data we generate in a day is massive. Forbes estimates that we generate 2.5 quintillion bytes of data each day and that 90% of all the world’s data was generated in the last two years alone.3 While data is a gold mine for analytics and market research, it is also an increasing liability and security risk. 

Inc. Magazine says that 73% of the data we have available to us is not used.4 Within that data could be personally identifiable information (such as social security numbers, names, addresses, etc.); financial information (bank accounts, credit cards etc.); and/or confidential business data. That data is valuable to hackers and corporate spies and in many cases data’s existence and location is unknown by the organizations that have it. 

In addition to the security risk that all this data poses, it also may expose an organization to liability in the event of a lawsuit of investigation. Emails and other communications are a favorite target of subpoenas and investigations and should be deleted within 90 days (including deleted items folders). 

Take an inventory before you act

Organizations should first complete a full data inventory and understand what types of data they maintain and handle, and where and how they store that data. Next, organizations can develop a data retention policy that meets their needs. Utilizing backup storage media may be a solution that helps reduce the need to store and maintain a large amount of data on internal systems. 

4. Doing the basics right―The simple things work 

Across industries and regardless of organization size, the most common problem we see is the absence of basic controls for IT security. Every organization, no matter their size, should work to ensure they have controls in place. Some must-haves:

  • Established IT security policies
  • Routine, monitored patch management practices (for all servers and workstations)
  • Change management controls (for both software and hardware changes)
  • Anti-virus/malware on all servers and workstations
  • Specific IT security risk assessments 
  • User access reviews
  • System logging and monitoring 
  • Employee security training

Go back to the basics 

We often see organizations that focus on new and emerging technologies, but have not taken the time to put basic security controls in place. Simple deterrents will help thwarting hackers. I often tell my clients a locked car scares away most ill-willed people, but a thief can still smash the window.  

Smaller organizations can consider using third-party security providers, if they are not able to implement basic IT security measures. From our experience, small organizations are being held to the same data security and privacy expectations by their customers as larger competitors and need to be able to provide assurance that controls are in place.  

5. Employee retention and training 

Unemployment rates are at an all-time low, and the demand for IT security experts at an all-time high. In fact, Monster.com reported that in 2019 the unemployment rate for IT security professionals is 0%.5 

Organizations should be highly focused on employee retention and training to keep current employees up-to-speed on technology and security trends. One study found that only 15% of IT security professionals were not looking to switch jobs within one year.6  

Surprisingly, money is not the top factor for turnover―68% of respondents prioritized working for a company that takes their opinions seriously.6 

For years we have told our clients they need to create and foster a culture of security from the top down, and that IT security must be considered more than just an overhead cost. It needs to align with overall business strategy and goals. Organizations need to create designated roles and responsibilities for security that provide your security personnel with a sense of direction―and the ability to truly protect the organization, their people, and the data. 

Training and support goes a long way

Offering training to security personnel allows them to stay abreast of current topics, but it also shows those employees you value their knowledge and the work they do. You need to train technology workers to be aware of new threats, and on techniques to best defend and protect from such risks. 

Reducing turnover rate of IT personnel is critical to IT security success. Continuously having to retrain and onboard employees is both costly and time-consuming. High turnover impacts your culture and also hampers your ability to grow and expand a security program. 

Making the effort to empower and train all employees is a powerful way to demonstrate your appreciation and support of the employees within your organization—and keep your data more secure.  

Our IT security consultants can help

Ensuring that you have a stable and established IT security program in place by considering the above risks will help your organization adapt to technology changes and create more than just an IT security program, but a culture of security minded employees. 

Our team of IT security and control experts can help your organization create and implement controls needed to consider emerging IT risks. For more information, contact the team
 

Sources:
[1] https://iapp.org/news/a/surprising-stats-on-third-party-vendor-risk-and-breach-likelihood/  
[2] https://resources.infosecinstitute.com/first-big-gdpr-fines/
[3] https://www.forbes.com/sites/bernardmarr/2018/05/21/how-much-data-do-we-create-every-day-the-mind-blowing-stats-everyone-should-read/#458b58860ba9
[4] https://www.inc.com/jeff-barrett/misusing-data-could-be-costing-your-business-heres-how.html
[5] https://www.monster.com/career-advice/article/tech-cybersecurity-zero-percent-unemployment-1016
[6] https://www.securitymagazine.com/articles/88833-what-will-improve-cyber-talent-retention

Blog
Five IT risks everyone should be aware of

Editor’s note: If you are a higher education CFO, CIO, CTO or other C-suite leader, this blog is for you.

The Gramm-Leach-Bliley Act (GLBA) has been in the news recently as the Federal Trade Commission (FTC) has agreed to extend a deadline for public comment regarding proposed changes to the Safeguards Rule. Here’s what you need to know.

GLBA, also known as the Financial Modernization Act, is a 1999 federal law providing rules to financial institutions for protecting consumer information. Colleges and universities fall under this act because they conduct financial activities (e.g., administration of financial aid, loans, and other financial services).

Under the Safeguards Rule financial Institutions must develop, implement, and maintain a comprehensive information security program that consists of safeguards to handle customer information.

Proposed changes

The FTC is proposing five modifications to the Safeguards Rule. The new act will:

  • Provide more detailed guidance to impacted institutions regarding how to develop and implement specific aspects of an overall information security program.
  • Improve the accountability of an institution’s information security programs.
  • Exempt small business from certain requirements.
  • Expand the definition of “financial institutions” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities.
  • Propose to include the definition of “financial institutions” and related examples in the rule itself rather than cross-reference them from a related FTC rule (Privacy of Consumer Financial Information Rule).

Potential impacts for your institution

The Federal Register, Volume 84, Number 65, published the notice of proposed changes that once approved by the FTC would add more prescriptive rules that could have significant impact on your institution. For example, these rules would require institutions to:

  1. Expand existing security programs with additional resources.
  2. Produce additional documentation.
  3. Create and implement additional policies and procedures.
  4. Offer various forms of training and education for security personnel.

The proposed rules could require institutions to increase their commitment in time and staffing, and may create hardships for institutions with limited or challenging resources.

Prepare now

While these changes are not final and the FTC is requesting public comment, here are some things you can do to prepare for these potential changes:

  • Evaluate whether your institution is compliant to the current Safeguards Rule.
  • Identify gaps between current status and proposed changes.
  • Perform a risk assessment.
  • Ensure there is an employee designated to lead the information security program.
  • Monitor the FTC site for final Safeguard Rules updates.

In the meantime, reach out to us if you would like to discuss the impact GLBA will have on your institution or if you would like assistance with any of the recommendations above. You can view a comprehensive list of potential changes here.

Source: Federal Trade Commission. Safeguards Rule. Federal Register, Vol. 84, No. 65. FTC.gov. April 4, 2019. https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/safeguards-rule

Blog
Higher ed: GLBA is the new four-letter word, but it's not as bad as you think

Read this if you are a police executive, city/county administrator, or elected government official, responsible for a law enforcement agency. 

“We need more cops!”  

Do your patrol officers complain about being short-staffed or too busy, or that they are constantly running from call to call? Does your agency struggle with backed-up calls for service (CFS) or lengthy response times? Do patrol staff regularly find themselves responding to another patrol area to handle a CFS because the assigned officer is busy on another call? Are patrol officers denied leave time or training opportunities because of staffing issues? Does the agency routinely use overtime to cover predictable shift vacancies for vacations, holidays, or training? 

If one or more of these concerns sound familiar, you may need additional patrol resources, as staffing levels are often a key factor in personnel deployment challenges. Flaws in the patrol schedule design may also be responsible, as they commonly contribute to reduced efficiency and optimal performance, and design issues may be partially responsible for some of these challenges, regardless of authorized staffing levels.
 
With community expectations at an all-time high, and resource allocations remaining relatively flat, many agencies have growing concerns about managing increasing service volumes while controlling quality and building/maintaining public trust and confidence. Amid these concerns, agencies struggle with designing work schedules that efficiently and optimally deploy available patrol resources, as patrol staff become increasingly frustrated at what they consider a lack of staff.

The path to resolving inefficiencies in your patrol work schedule and optimizing the effective deployment of patrol personnel requires thoughtful consideration of several overarching goals:

  • Reducing or eliminating predictable overtime
  • Eliminating peaks and valleys in staffing due to scheduled leave
  • Ensuring appropriate staffing levels in all patrol zones or beats
  • Providing sufficient staff to manage multiple and priority CFS in patrol zones or beats
  • Satisfying both operational and staff needs, including helping to ensure a proper work/life balance and equitable workloads for patrol staff

Scheduling alternatives

One common design issue that presents an ongoing challenge for agencies is the continued use of traditional, balanced work schedules, which spread officer work hours equally over the year. Balanced schedules rely on over-scheduling and overtime to manage personnel allocation and leave needs and, by design, are very rigid. Balanced work schedules have been used for a very long time, not because they’re most efficient, but because they’re common, familiar, and easily understood―and because patrol staff are comfortable with them (and typically reluctant to change). However, short schedules offer a proven alternative to balanced patrol work schedules, and when presented with the benefits of an alternative work schedule design (e.g., increased access to back-up, ease of receiving time off or training, consistency in staffing, less mandatory overtime), many patrol staff are eager to change.

Short schedules

Short schedules involve a more contemporary design that includes a flexible approach that focuses on a more adaptive process of allocating personnel where and when they are needed. They are significantly more efficient than balanced schedules and, when functioning properly, they can dramatically improve personnel deployments, bring continuity to daily staffing, and reduce overtime, among other operational benefits. Given the current climate, most agencies are unlikely to receive substantial increases in personnel allocations. If that is true of your agency, it may be time to explore the benefits of alternative patrol work schedules.

A tool you can use

Finding scheduling strategies that work in this climate requires an intentional approach, customized to your agency’s characteristics (e.g., staffing levels, geographic factors, crime rates, zone/beat design, contract/labor rules). To help guide you through this process, BerryDunn has developed a free tool for evaluating patrol schedules. Click here to measure your patrol schedule against key design components and considerations.

If you are curious about alternative patrol work schedules, our dedicated justice and public Safety consultants are available to discuss your organization’s needs.

Blog
Efficient police patrol work schedules―By design

In light of the recent cyberattacks in higher education across the US, more and more institutions are finding themselves no longer immune to these activities. Security by obscurity is no longer an effective approach—all  institutions are potential targets. Colleges and universities must take action to ensure processes and documentation are in place to prepare for and respond appropriately to a potential cybersecurity incident.

BerryDunn’s Rick Gamache recently published several blog articles on incident response that are relevant to the recent cyberattacks. Below I have provided several of his points tailored to higher education leaders to help them prepare for cybersecurity incidents at their institutions.

What are some examples of incidents that managers need to prepare for?

Examples range from external breaches and insider threats to instances of malfeasance or incompetence. Different types of incidents lead to the same types of results—yet you can’t have a broad view of incidents. Managers should work with their teams to create incident response plans that reflect the threats associated with higher education institutions. A handful of general incident response plans isn’t going to cut it.

Managers need to work with their teams to develop a specific incident response plan for each specific type of incident. Why? Well, think of it this way: Your response to a careless employee should be different from your response to a malicious employee, for a whole host of legal reasons. Incident response is not a cookie-cutter process. In fact, it is quite the opposite. This is one of the reasons I highly suggest security teams include staff members outside of IT. When you’re responding to incidents, you want people who can look at a problem or situation from an external perspective, not just a technical or operational perspective within IT. These team members can help answer questions such as, what does the world see when they look at our institution? What institutional information might be valuable to, or targeted by, malicious actors? You’ll get some valuable fresh perspectives.

How short or long should the typical incident response plan be?

I often see good incident response plans no more than three or four pages in length. However, it is important that incident response plans are task oriented, so that it is clear who does what next. And when people follow an incident response plan, they should physically or digitally check off each activity, then record each activity.

What system or software do you recommend for recording incidents and responses?

There are all types of help desk software you can use, including free and open source software. I recommend using help desk software with workflow capabilities, so your team can assign and track tasks.

Any other tips for developing incident response plans?

First, managers should work with, and solicit feedback from across the academic and administrative areas within the institution when developing incident response plans. If you create these documents in a vacuum, they will be useless.

Second, managers and their teams should take their time and develop the most “solid” incident response plans possible. Don’t rush the process. The effectiveness of your incident response plans will be critical in assessing your institution’s ability to survive a breach. Because of this, you should be measuring your response plans through periodic testing, like conducting tabletop exercises.

Third, keep your students and external stakeholders in mind when developing these plans. You want to make sure external communications are consistent, accurate, and within the legal requirements for your institution. The last thing you want is students and stakeholders receiving conflicting messages about the incident. 

Are there any decent incident response plans in the public domain that managers and their teams can adapt for their own purposes?

Yes. My default reference is the National Institute of Standards and Technology (NIST). NIST has many special publications that describe the incident response process, how to develop a solid plan, and how to test your plan.

Should institutions have dedicated incident response teams?

Definitely. Institutions should identify and staff teams using internal resources. Some institutions may want to consider hiring a reputable third party to act as an incident response team. The key with hiring a third party? Don’t wait until an incident occurs! If you wait, you’re going to panic, and make panic-based decisions. Be proactive and hire a third party on retainer.

That said, institutions should consider hiring a third party on an annual basis to review incident response plans and processes. Why? Because every institution can grow complacent, and complacency kills. A third party can help gauge the strengths and weaknesses of your internal incident response teams, and provide suggestions for general or specific training. A third party can also educate your institution about the latest and greatest cyber threats.

Should managers empower their teams to conduct internal “hackathons” in order to test incident response?

Sure! It’s good practice, and it can be a lot of fun for team members. There are a few caveats. First, don’t call it a hackathon. The word can elicit negative or concerned reactions. Call it “active testing” or “continuous improvement exercises.” These activities allow team members to think creatively, and are opportunities for them to boost their cybersecurity knowledge. Second, be prepared for pushback. Some managers worry if team members gain more cybersecurity skills, then they’ll eventually leave the institution for another, higher-paying job. I think you should be committed to the growth of your team members―it’ll only make your institution more secure.

What are some best practices managers should follow when reporting incidents to their leadership?

Keep the update quick, brief, and to the point. Leave all the technical jargon out, and keep everything in an institutional context. This way leadership can grasp the ramifications of the event and understand what matters. Be prepared to outline how you’re responding and what actions leadership can take to support the incident response team and protect the institution. In the last chapter, I mentioned what I call the General Colin Powell method of reporting, and I suggest using that method when informing leadership. Tell them what you know, what you don’t know, what you think, and what you recommend. Have answers, or at least a plan.

How much institution-wide communication should there be about incidents?

That’s a great question, but a tough one to answer. Transparency is good, but it can also unintentionally lead to further incidents. Do you really want to let your whole institution know about an exploitable weakness? Also, employees can spread information about incidents on social media, which can actually lead to the spread of misinformation. If you are in doubt about whether or not to inform the entire institution about an incident, refer to your Legal Department. In general, institution-wide communication should be direct: We’ve had an incident; these are the facts; this is what you are allowed to say on social media; and this is what you’re not allowed to say on social media.

Another great but tough question: When do you tell the public about an incident? For this type of communication, you’re going to need buy-in from various sources: senior leadership, Legal, HR, and your PR team or external PR partners. You have to make sure the public messaging is consistent. Otherwise, citizens and the media will try to poke holes in your official story. And that can lead to even more issues.

What are the key takeaways for higher education leaders?

Here are key takeaways to help higher education leaders prepare for and respond appropriately to cybersecurity incidents:

  1. Understand your institution’s current cybersecurity environment. 
    Questions to consider: Do you have Chief Information Security Officer (CISO) and/or a dedicated cybersecurity team at your institution? Have you conducted the appropriate audits and assessments to understand your institution’s vulnerabilities and risks?
  2. Ensure you are prepared for cybersecurity incidents. 
    Questions to consider: Do you have a cybersecurity plan with the appropriate response, communication, and recovery plans/processes? Are you practicing your plan by walking through tabletop exercises? Do you have incident response teams?

Higher education continues to face growing threats of cybersecurity attacks – and it’s no longer a matter of if, but when. Leaders can help mitigate the risk to their institutions by proactively planning with incident response plans, communication plans, and table-top exercises. If you need help creating an incident response plan or wish to speak to us regarding preparing for cybersecurity threats, please reach out to us.
 

Blog
Cyberattacks in higher education—How prepared are you?

Phew! We did it—The Medicaid Enterprise Systems Conference (MESC) 2019 is one for the books! And, it was a great one. Here is my perspective on objectives and themes that will guide our work for the year.

Monday 

My day started in the fog—I live on an island in Maine, take a boat to get into Portland, and taxi to the airport. Luckily, I got to Portland, and, ultimately Chicago, on time and ready to go. 

Public Sector Technology Group (PSTG) meeting

At the PSTG meetings, we reviewed activities from the previous year and did some planning for the coming year. Areas for consideration included:

  • Modernization Schedule
  • Module Definitions
  • Request for Proposal (RFP) Requirements
  • National Association of State Procurement Officers

Julie Boughn, Centers for Medicare and Medicaid (CMS) Director, Data and Systems Group (DSG) introduced her new boss, Karen Shields, who is the Deputy Director for the Center for Medicaid and CHIP Services (CMCS) within CMS. Karen shared her words of wisdom and encouragement with us, while Julie reminded us that being successful in our work is about the people. CMS also underscored the goal of speeding up delivery of service to the Medicaid program and asking ourselves: “What is the problem we are trying to resolve?” 

CMS’ “You be the State” officer workshop

Kudos to CMS for creating this open environment of knowledge sharing and gathering input.  Areas for discussion and input included:

  • APD Processes
  • Outcomes-Based Certification
  • Increasing and Enhancing Accountability

Tuesday
Opening Plenary

I was very touched by the Girls Inc. video describing the mission of Girls Inc. to inspire girls to be strong, smart, and bold. With organizations like this, and our awareness and action, I am optimistic for the future. Thank you to NESCSO for including this in their opening program.

John Doerr, author of Measure What Matters: OKRs: The Simple Idea that Drives 10x Growth and famed investor, shared his thoughts on how to create focus and efficiency in what we do. Julie’s interview with him was excellent, and I appreciated how John’s Objectives and Key Results (OKR) process prompted Julie to create objectives for what we are trying to do. The objectives Julie shared with us:

  • Improve the quality of our services for users and other stakeholders 
  • Ensure high-quality data is available to manage the program and improve policy making 
  • Improve procurement and delivery of Medicaid technology projects

Sessions

The sessions were well attended and although I can't detail each specific session I attended, I will note that I did enjoy using the app to guide me through the conference. NESCSO has uploaded the presentations. 

Auxiliary meetings

Whether formal or informal, meetings are one of the big values of the conference—relationships are key to everyone’s success, and meeting with attendees in one-on-one environments was incredibly productive. 

Poster session

The poster sessions were excellent. States are really into this event, and it is a great opportunity for the MESC community to engage with the states and see what is going on in the Medicaid Enterprise space.

Wednesday

Some memorable phrases heard in the sessions:

  • Knowledge is power only if you share it
  • We are in this together and want the same outcomes, so let’s share more
  • Two challenges to partnering projects—the two “P”s—are purchasing and personnel
  • Don’t let perfection be the enemy of the good
  • Small steps matter
  • Sharing data is harder than it needs to be—keep in mind the reason for what you are doing

Our evening social event was another great opportunity to connect with the community at MESC and the view of Chicago was beautiful.

Julie Boughn challenged us to set a goal (objective) in the coming year, and, along with it, to target some key results in connection with that goal. Here are some of her conference reflections:

  • Awesome
    • Several State Program and Policy leaders participated at MESC—impressed with Medicaid Director presence and participation
    • Smaller scoped projects are delivering in meeting the desired improved speed of delivery and quality
    • Increased program-technology alignment
  • Not so awesome
    • Pending state-vendor divorces
    • Burden of checklists and State Self-Assessments (SS-As)—will have something to report next year
    • There are still some attempts at very large, multi-year replacement projects—there is going to be a lot of scrutiny on gaining outcomes. Cannot wait five years to change something.

OKRs and request for states and vendors

  • Objective: Improve the quality of services for our users and other stakeholders
    • Key Result (KR): Through test results and audits, all States and CMS can state with precision, the overall accuracy of Medicaid eligibility systems.
    • KR: 100% of State electronic visit verification (EVV) systems are certified and producing annual performance data.
    • KR: 100% of States have used CMS-required testing guidance to produce testing results and evidence for their eligibility systems.
  • Objective: Ensure high-quality data is available to manage the program and improve policy making
    • KR: Transformed Medicaid Statistical Information System (T-MSIS) data is of sufficient quality that it is used to inform at least one key national Medicaid policy decision that all states have implemented.
    • KR:  Eliminate at least two state reporting requirements because T-MSIS data can be used instead.
    • KR: At least five states have used national or regional T-MSIS data to inform their own program oversite and/or policy-making decisions.
  • Objective: Improve how Medicaid technology projects are procured and delivered
    • KR: Draft standard language for outcomes metrics for at least four Medicaid business areas.
    • KR:  Five states make use of the standard NASPO Medicaid procurement.
    • KR:  CMS reviews of RFPs and contracts using NASPO vehicle are completed within 10 business days.
    • KR:  Four states test using small incremental development phases for delivery of services.
  • Request: Within 30 days, states/vendors will identify at least one action to take to help us achieve at least one of the KRs within the next two years.

Last thoughts

There is a lot to digest, and I am energized to carry on. There are many follow-up tasks we all have on our list. Before we know it, we’ll be back at next year’s MESC and can check in on how we are doing with the action we have chosen to help meet CMS’s requirements. See you in Boston!

Blog
MESC 2019―Reflections and Daily Recap

Editor’s note: If you are a state government CFO, CIO, project or program manager, this blog is for you. 

This is the second blog post in the blog series: “Procuring Agile vs. Non-Agile Service”. Read the first blog. This blog post demonstrates the differences in Stage 1: Plan Project in the five stages of procuring agile vs. non-agile services.

Overview of Procurement Process for Agile vs. Non-Agile IT Services

What is important to consider in agile procurement?

Here are some questions that can help focus the planning for procurement of IT services for agile vs. non-agile projects.

Plan Project Considerations for Agile vs. Non-Agile IT Services

Why are these considerations important?

When you procure agile IT services, you can define the scope of your procurement around a vision of what your organization intends to become, as opposed to being restricted to an end-date for a final delivery.

In an agile project, you get results iteratively; this allows you to constantly reassess requirements throughout the project, including the project plan, the guiding principles, and the project schedule. Your planning is not restricted to considering the effect of one big result at the end of the project schedule. Instead, your plan allows for sequencing of changes and improvements that best reflect the outcomes and priorities your organization needs

Since planning impacts the people-aspect of your strategy, it is important to consider how various teams and stakeholders will provide input, and how you will make ongoing communication updates throughout the project. With an agile procurement project, your culture will shift, and you will need a different approach to planning, scheduling, communicating, and risk management. You need to communicate daily, allowing for reviewing and adjusting priorities and plans to meet project needs. 

How do you act on these considerations?

A successful procurement plan of agile IT services should include the following steps:

  1. Develop a project charter and guiding principles for the procurement that reflect a vision of how your organization’s teams will work together in the future
  2. Create a communication plan that includes the definition of project success and communicates project approach
  3. Be transparent about the development strategy, and outline how iterations are based on user needs, that features will be re-prioritized on an ongoing basis, and that users, customers, and stakeholders are needed to help define requirements and expected outcomes
  4. Provide agile training to your management, procurement, and program operation teams to help them accept and understand the project will present deliverables in iterations, to include needed features, functionality and working products
  5. Develop requirements for the scope of work that align with services and outcomes you want, rather than documented statements that merely map to your current processes 

What’s next? 

Now that you have gained insight into the approach to planning an agile project, consider how you may put this first stage into practice in your organization. Stay tuned for guidance on how to execute the second stage of the procurement process—how to draft the RFP. Our intention is that, following this series, your organization will better understand how to successfully procure and implement agile services. If you have questions or comments, please contact our team.
 

Blog
Plan agile projects: Stage 1

Read this if you are a State Medicaid Director, State Medicaid Chief Information Officer, State Medicaid Project Manager, or State Procurement Officer—or if you work on a State Medicaid Enterprise System (MES) certification effort.

Measuring performance of Medicaid Enterprise Systems (MES) is emerging as the next logical step in moving Medicaid programs toward modularity. As CMS continues to refine and implement outcomes-based modular certification, it is critical that states adapt to this next step in order to continue to meet CMS funding requirements.

This measurement, in terms of program outcomes, presents a unique set of challenges, many of which a state may not have considered before. A significant challenge is determining how and where to begin measuring program outcomes―to meet it, states can leverage a trusted, independent partner as they undertake an outcomes-based effort.

Outcomes-based planning can be thought of as a three-step process. First, and perhaps most fundamental, is to define outcomes. Second, you need to determine what measurements will demonstrate progress toward achieving those outcomes. And the final step is to create reporting measurements and their frequency. Your independent partner can help you answer these critical questions and meet CMS requirements efficiently by objectively guiding you toward realizing your goals.

  1. Defining Outcomes
    When defining an outcome, it is important to understand what it is and what it isn’t. An outcome is a benefit or added value to the Medicaid program. It is not an output, which is a new or enhanced function of a new MES module. An output is the product that supports the outcome. For example, the functionality of a new Program Integrity (PI) module represents an output. The outcome of the new PI module could be that the Medicaid program continuously improves based on data available because of the new PI module. Some outcomes may be intuitive or obvious. Others may not be as easy to articulate. Regardless, you need to direct the focus of your state and solution vendor teams on the outcome to uncover what the underlying goal of your Medicaid program is.
     
  2. Determining Measurements
    The second step is to measure progress. Well-defined Key Performance Indicators (KPIs) will accurately capture progress toward these newly defined outcomes. Your independent partner can play a key role by posing questions to help ensure the measurements you consider align with CMS’ goals and objectives. Additionally, they can validate the quality of the data to ensure accuracy of all measurements, again helping to meet CMS requirements.
     
  3. Reporting Measurements
    Finally, your state must decide how―and how often―to report on outcomes-based measurements. Your independent partner can collaborate with both your state and CMS by facilitating conversations to determine how you should report, based on a Medicaid program’s nuances and CMS’ goals. This can help ensure the measurements (and support information) you present to CMS are useful and reliable, giving you the best chance for attaining modular certification.

Are you considering an outcomes-based CMS modular certification, or do you have questions about how to best leverage an independent partner to succeed with your outcomes-based modular certification effort? BerryDunn’s extensive experience as an independent IV&V and Project Management Office (PMO) partner includes the first pilot outcomes-based certification effort with CMS. Please visit our IV&V and certification experts at our booth at MESC 2019 or contact our team now.

Blog
Three steps to measure Medicaid Enterprise Systems outcomes

Read this if you are a State Medicaid Director, State Medicaid Chief Information Officer, State Medicaid Project Manager, or State Procurement Officer.

As CMS moves away from the monolithic Medicaid Management Information System (MMIS) toward an outcomes-based approach that includes a modular Medicaid Enterprise System (MES), there is now more emphasis on system integration (SI). 

In the August 16, 2016 letter, State Medicaid Director (SMD) #16-010, CMS clarified the role of the system integrator (SI) by stating:

CMS envisions a discrete role for the system integrator (SI) in each state, with specific focus on ensuring the integrity and interoperability of the Medicaid IT architecture and cohesiveness of the various modules incorporated into the Medicaid enterprise. 

While the importance of the SI role is apparent, not all states have the resources to build the SI capability within their own organizations. Some state Medicaid IT teams try to solve this by delegating management roles to vendors or contractors. This approach has various risks. A state could lose:

  • Institutional knowledge, as vendors and contractors transition off the project
  • Control of governance, oversight, and leadership
  • The ability to enforce contractual requirements across each vendor, especially the SI

In addition, the ramifications of loss of state accountability can have wide-reaching implementation, operational, and financial impacts, including:

  • The loss of timely decision making, causing projects to fall behind schedule
  • State-specific policy needs not being met, impacting how the MMIS functions in production 
  • Poor integration into the state-specific Operation and Maintenance (O&M) support model, increasing the state’s portion of long-term O&M costs
  • Inefficient and ineffective contract management of each module vendor and contractor (including the SI), possibly leading to unneeded change requests and cost overruns
  • Lack of coordination with the state’s business or IT roadmap initiatives (i.e., system consolidation or cloud migration vendor/approach), possibly leading to rework and missed opportunities to reduce cost or improve interoperability 

Apply strong governance and IV&V to tackle risks

Because the SI vendor is responsible for the integration of multiple modules across multiple vendors, you may consider delegating oversight of module vendors to the SI vendor. 

The major benefit states get from using the SI vendor is efficiency. Having your vendor as the central point of contact can quickly resolve technical issues, while allowing easy coordination of project tasks across each module vendor on a continual basis. 

If you choose to use a vendor for the SI role, establish safeguards and governance to make sure your goals are being met:

  • Build a project-specific governance model (executive committee [EC]) to oversee the vendors and the project
  • Establish a regular meeting cadence for the EC to allow for status updates on milestones and discuss significant project risks and issues 
  • Allocate state resources into project leadership roles (i.e., project manager, vendor contract manager, security lead, testing/Quality Assurance lead, etc.)
  • Conduct regular (weekly) SI status meetings to track progress and address risks and issues 

You also need a strong, involved governance structure that includes teams of state senior leadership, state program managers, SI vendor engagement/contract managers, and Independent Verification and Validation (IV&V) vendors. By definition, one responsibility of IV&V is to identify and monitor project risks and issues that could arise from a lack of independence. 

Your governance teams can debate decisions and disputes, risks and issues, and federal compliance issues with their vendors to define direction and action plans. However, a state representative within these teams should always make the final management decisions, approve all SI scope items and changes, and approve all contractual deliverables from each vendor or contractor.

Your state staff (business and IT) provides project management decision, business needs, requirements (functional and non-functional), policy guidance, and continuity as the vendors and/or contractors change over time. 

The conclusion? In order to be successful, you must retain certain controls and expertise to deploy and operate a successful MMIS system. Our consultants understand the need to keep you in control of managing key portions of implementation projects/programs and operational tasks. If you have questions, please contact BerryDunn’s Medicaid team.  
 

Blog
Risks when using vendors to manage Medicaid system implementation projects

Editor’s note: read this if you are a Maine business owner or officer.

New state law aligns with federal rules for partnership audits

On June 18, 2019, the State of Maine enacted Legislative Document 1819, House Paper 1296, An Act to Harmonize State Income Tax Law and the Centralized Partnership Audit Rules of the Federal Internal Revenue Code of 1986

Just like it says, LD 1819 harmonizes Maine with updated federal rules for partnership audits by shifting state tax liability from individual partners to the partnership itself. It also establishes new rules for who can—and can’t—represent a partnership in audit proceedings, and what that representative’s powers are.

Classic tunes—The Tax Equity and Fiscal Responsibility Act of 1982

Until recently, the Tax Equity and Fiscal Responsibility Act of 1982 (TEFRA) set federal standards for IRS audits of partnerships and those entities treated as partnerships for income tax purposes (LLCs, etc.). Those rules changed, however, following passage of the Bipartisan Budget Act of 2015 (BBA) and the Protecting Americans from Tax Hikes Act of 2015 (PATH Act). Changes made by the BBA and PATH Act included:

  • Replacing the Tax Matters Partner (TMP) with a Partnership Representative (PR);
  • Generally establishing the partnership, and not individual partners, as liable for any imputed underpayment resulting from an audit, meaning current partners can be held responsible for the tax liabilities of past partners; and
  • Imputing tax on the net audit adjustments at the highest individual or corporate tax rates.

Unlike TEFRA, the BBA and PATH Act granted Partnership Representatives sole authority to act on behalf of a partnership for a given tax year. Individual partners, who previously held limited notification and participation rights, were now bound by their PR’s actions.

Fresh beats—new tax liability laws under LD 1819

LD 1819 echoes key provisions of the BBA and PATH Act by shifting state tax liability from individual partners to the partnership itself and replacing the Tax Matters Partner with a Partnership Representative.

Eligibility requirements for PRs are also less than those for TMPs. PRs need only demonstrate “substantial presence in the US” and don’t need to be a partner in the partnership, e.g., a CFO or other person involved in the business. Additionally, partnerships may have different PRs at the federal and state level, provided they establish reasonable qualifications and procedures for designating someone other than the partnership’s federal-level PR to be its state-level PR.

LD 1819 applies to Maine partnerships for tax years beginning on or after January 1, 2018. Any additional tax, penalties, and/or interest arising from audit are due no later than 180 days after the IRS’ final determination date, though some partnerships may be eligible for a 60-day extension. In addition, LD 1819 requires Maine partnerships to file a completed federal adjustments report.

Partnerships should review their partnership agreements in light of these changes to ensure the goals of the partnership and the individual partners are reflected in the case of an audit. 

Remix―Significant changes coming to the Maine Capital Investment Credit 

Passage of LD 1671 on July 2, 2019 will usher in a significant change to the Maine Capital Investment Credit, a popular credit which allows businesses to claim a tax credit for qualifying depreciable assets placed in service in Maine on which federal bonus depreciation is claimed on the taxpayer's federal income tax return. 

Effective for tax years beginning on or after January 1, 2020, the credit is reduced to a rate of 1.2%. This is a significant reduction in the current credit percentages, which are 9% and 7% for corporate and all other taxpayers, respectively. The change intends to provide fairness to companies conducting business in-state over out-of-state counterparts. Taxpayers continue to have the option to waive the credit and claim depreciation recapture in a future year for the portion of accelerated federal bonus depreciation disallowed by Maine in the year the asset is placed in service. 

As a result of this meaningful reduction in the credit, taxpayers who have historically claimed the credit will want to discuss with their tax advisors whether it makes sense to continue claiming the credit for 2020 and beyond.
 

Blog
Maine tax law changes: Music to the ears, or not so much?

Read this if you are a City/County Administrator, Building Official, Community Development Director, Planning Director, Development Services Manager or work with customers providing a service for a fee.

Planning and development service fees are, for many municipalities, often discussed but rarely changed. There are a number of reasons you might need to consider or defend your fee structure―complaints from developers, rising costs of operation, and changes in code or process are just a few. 

But when is the right time for a formal review of your service fees? There are several key organizational factors that should prompt an in-depth study of your fees, either internally or with the assistance of an objective advisor. It may be time for an update if:

  • You’re considering a new permitting system. New technology may streamline your workflows, simplify processes for your customers, or necessitate changes in your staffing. All of these secondary changes can impact the cost of your services. In addition, if you’re anticipating significant changes to your fee structure or methodology (e.g., moving to full cost recovery), you’ll want to configure your new system to support that going forward.
  • You have an enterprise development fund. Development fees are collected to cover the cost of providing a service. The methodology you use to charge fees should be based on defensible formulas that can withstand the scrutiny of your customers and cover the cost to provide the service. In addition, reserve funds should be adequate to ensure your development service is funded through the completion of the project. 
  • The regulations in your municipality are changing. Perhaps your organization is moving to a unified or form-based code or making changes to the International Building or Fire Codes. Changes in the process and requirements for development may require a reevaluated fee structure.
  • It’s been a while. Even if your organization is not experiencing any significant or sweeping change, small shifts can accumulate over the years, resulting in significant fee adjustments that may be tough for you to implement and for your customers to understand. Periodically reviewing service demand and benchmarking your individual fees against those of neighboring communities can help to avoid sticker shock.

If any of these scenarios sound familiar, you may want to consider a fee review, which may consist of benchmarking against similar jurisdictions. Not sure what level of review your organization needs? Our dedicated government consultants include former planners and community development leaders who have walked in your shoes and can talk through the considerations with you.
 

Blog
When time is money: Reviewing your planning and development service fees

Read this if you are a Nursing Home Administrator, Admissions Coordinator, MDS Nurse, Nursing Home Owner, Business Office Manager, Case Manager, Nursing Home CEO, CFO, or COO.

Patient Driven Payment Model (PDPM) implementation is less than three months away. Is your facility ready for admissions under PDPM? The way you think about admissions and the admission process will change under PDPM. Some highlights:

  • The resident’s clinical characteristics will now be the determinant of payment rather than therapy provided.
  • Facilities that admit medically complex residents—those who need higher levels of potentially expensive care, including high-cost medications, ventilator care, and care for residents with HIV/AIDS—will receive reimbursement that more closely reflects those higher costs.
  • PDPM will eliminate the 14-day, 30-day, 60-day and 90-day assessments and will only require a five-day and discharge assessment. 
  • The five-day assessment will drive payment for the entire resident stay unless there is change in the resident’s clinical characteristics. 

With the elimination of the five scheduled assessments under PDPM, facilities will save time spent on assessments; however, PDPM will require a higher degree of accuracy on the Day Five assessment. For proper reimbursement, your staff will have to gather all relevant clinical information on the resident in a shorter period of time. A strong admissions team and processes will help you achieve financial success under PDPM. 

Screening residents for admission will also become more critical for appropriate reimbursement. Under RUGS-IV, most facilities relied only on their admissions coordinator to handle admissions. Under PDPM, facilities are going to have to involve more team members in the pre-admission process to ensure proper and thorough screening of residents. 

Since PDPM focuses on all the resident’s clinical characteristics, you will need pre-admission input from many team members, including but not limited to physicians, nurses, therapy providers, and case management. You will need to assess many other elements up front―if you miss something in the screening, you won’t receive adequate reimbursement. 

With payment tied not only to the residents' primary reasons for being in the facility, but also the comorbidities that affect their health, you need to know more about potential residents prior to admission. The admissions team will need to get a comprehensive background on each resident―including all comorbidities, recent surgical history, and other clinical characteristics and services that determine a resident’s case-mix.

For example, in some cases, two diagnoses, such as aftercare for major joint surgery and an infectious complication, may compete for the primary diagnosis. These two diagnoses would place the resident in different clinical categories and would result in different rates of reimbursement. Working as a team, your staff will have to determine which of these diagnoses most accurately reflects the characteristics of the resident, the services needed by that resident, and the resources that he or she requires.

To emphasize again, under the new PDPM assessment schedule, facilities cannot make changes to resident clinical characteristics on the five-day assessment unless a resident has a significant change in status and the facility performs an interim payment assessment. You really only have one shot at getting it right!

Here are some actions you can take now to strengthen your admissions process:

Standardize practices―Examine inconsistent and/or manual practices within the revenue cycle that may cause delays in gathering documentation and, ultimately, delay billing. Policies and procedures should include items such as team members and responsibilities, pre-admission screening procedures, protocols for communicating with physicians and the admitting hospital, and procedures for capturing and storing supporting documentation. This can help capture all information needed for proper reimbursement.

Review changes to the Minimum Data Set (MDS)―The entire admissions team needs to understand the changes to the MDS so that they capture all the required resident information. There are nearly 40 new MDS items that directly influence a resident’s clinical classification and payment rates. The most significant of these?

  • I0020B―To report the ICD-10-CM primary diagnosis code representing the main reason for Skilled Nursing Facility (SNF) admission
  • J2100-J5000―New patient surgical history items that affect the PDPM physical and occupational therapy and speech-language pathology components
  • I8000―To report comorbidities that affect non-therapy ancillaries
  • O425A1-O0425C5―To capture discharge information on therapy delivery over the course of the resident's entire Part A stay, including use of group and concurrent therapy.

Educate staff―Train your staff on the new processes and tools, as these processes directly impact daily job functions. In addition, staff should have an understanding of the functions of the entire revenue cycle so they can see how their functions affect the overall reimbursement of the facility.

Review and monitor―To better prepare for PDPM, you should review your resident charts to understand what information you are currently documenting and know what additional information you will need to gather upon admission. Even though you are not yet billing under PDPM, you can start gathering and documenting that additional information. Review your facility's utilization review and triple check processes. You should have a cross-functional utilization review team that includes a physician or mid-level practitioner to ensure comprehensive reviews. Once you begin documenting, under PDPM you will need to audit MDS to be sure they are accurate and supported by medical documentation.

You will only have until Day Eight of a resident stay to capture and document all the resident's clinical characteristics that drive payment for the entire stay. It is more important than ever to have a clearly defined, well-executed plan for getting the right information to the right people as soon as possible.

Read more
You can read Part One of this series here. Part Three is coming soon.

Get ready with our PDPM Checklist!

Download our helpful PDPM checklist and see what you need to do. 

Blog
PDPM is coming: Is your admissions team ready?

Read this if you are a state Medicaid Director, State Medicaid Chief Information Officer, State Medicaid Project Manager, State Procurement Officer, or work in a State Medicaid Program Integrity Unit.

The Centers for Medicare & Medicaid Services (CMS) issued a Payment Error Rate Measurement (PERM) Final Rule on July 5, 2017, that made several changes to the PERM requirements. One important change was the updates to the Medicaid Eligibility Quality Control (MEQC) requirement. 

The Final Rule restructures the MEQC program into a pilot program that requires states to conduct eligibility reviews during the two years between PERM cycles. CMS has also introduced the potential for imposing disallowances or reductions in federal funding percentage (FFP) as a result of PERM eligibility error rates that do not meet the national standard. One measure states can use to lessen the chance of this happening is by successfully carrying out the requirements of the MEQC pilot. 

What states should know―important points to keep in mind regarding MEQC reviews:

  • Each state must have a team in place to conduct MEQC reviews. The individuals responsible for the MEQC reviews and associated activities must be separate from the state agencies and personnel responsible for Medicaid and Children’s Health Insurance Program (CHIP) policy and operations, including eligibility determinations.
  • States can apply for federal funding to help cover the costs of the MEQC activities. CMS encourages states to partner with a contractor in conducting the MEQC reviews.
  • The deadline to submit the state planning document to CMS is November 1 following the end of your state’s PERM cycle. If you are a Cycle 2 state, your MEQC planning document is due by November 1, 2019. 
  • If you are a Cycle 1 state, you are (or should be) currently undergoing the MEQC reviews.
  • There are minimum sample size requirements for the MEQC review period: 400 negative cases and 400 active cases (consisting of both Medicaid and CHIP cases) over a period of 12 months.
  • Upon conclusion of all MEQC reviews, states must submit a final findings report along with a corrective action plan that addresses all error findings identified during the MEQC review period.

CMS encourages states to utilize federal funding to carry out and fulfill MEQC requirements. BerryDunn has staff with experience in preparing Advanced Planning Documents (APD) and can assist your state in submitting an APD request to CMS for these MEQC activities. 

Check out the previously released blog, “PERM: Prepared or Not Prepared?” and stay tuned for upcoming blogs about specific PERM topics, including the financial impacts of PERM, and how each review phase will affect your state.   

For questions or to find out more, contact the team

Blog
PERM: Does MEQC affect states?

Read this if you are an Institutional Research (IR) Director, a Registrar, or are in the C-Suite.

In my last blog, I defined the what and the why of data governance, and outlined the value of data governance in higher education environments. I also asserted data isn’t the problem―the real culprit is our handling of the data (or rather, our deferral of data responsibility to others).

While I remain convinced that data isn’t the problem, recent experiences in the field have confirmed the fact that data governance is problematic. So much, in fact, that I believe data governance defies a “solid,” point-in-time solution. Discouraged? Don’t be. Just recalibrate your expectations, and pursue an adaptive strategy.

This starts with developing data governance guiding principles, with three initial points to consider: 

  1. Key stakeholders should develop your institution’s guiding principles. The team should include representatives from areas such as the office of the Registrar, Human Resources, Institutional Research, and other significant producers and consumers of institutional data. 
  2. The focus of your guiding principles must be on the strategic outcomes your institution is trying to achieve, and the information needed for data-driven decision-making.
  3. Specific guiding principles will vary from institution to institution; effective data governance requires both structure and flexibility.

Here are some baseline principles your institution may want to adopt and modify to suit your particular needs.

  • Data governance entails iterative processes, attention to measures and metrics, and ongoing effort. The institution’s governance framework should be transparent, practical, and agile. This ensures that governance is seen as beneficial to data management and not an impediment.
  • Governance is an enabler. The institution’s work should help accomplish objectives and solve problems aligned with strategic priorities.
  • Work with the big picture in mind. Start from the vantage point that data is an institutional asset. Without an institutional asset mentality it’s difficult to break down the silos that make data valuable to the organization.
  • The institution should identify data trustees and stewards that will lead the data governance efforts at your institution
    • Data trustees should have responsibility over data, and have the highest level of responsibility for custodianship of data.
    • Data stewards should act on behalf of data trustees, and be accountable for managing and maintaining data.
  • Data quality needs to be baked into the governance process. The institution should build data quality into every step of capture and entry. This will increase user confidence that there is data integrity. The institution should develop working agreements for sharing and accessing data across organizational lines. The institution should strive for processes and documentation that is consistent, manageable, and effective. This helps projects run smoothly, with consistent results every time.
  • The institution should pay attention to building security into the data usage cycle. An institution’s security measures and practices need to be inherent in the day-to-day management of data, and balanced with the working agreements mentioned above. This keeps data secure and protected for the entire organization.
  •  Agreed upon rules and guidelines should be developed to support a data governance structure and decision-making. The institution should define and use pragmatic approaches and practical plans that reward sustainability and collaboration, building a successful roadmap for the future. 

Next Steps

Are you curious about additional guiding principles? Contact me. In the meantime, keep your eyes peeled for a future blog that digs deeper into the roles of data trustees and stewards.
 

Blog
Governance: It's good for your data

Read this if you are a state Medicaid Director, State Medicaid Chief Information Officer, State Medicaid Project Manager, or State Procurement Officer.

When I was growing up, my dad would leave the Bureau of Motor Vehicles or hang up the phone after talking with the phone company and say sarcastically, “I’m from the government (or the phone company) and I’m here to help you. Yeah, right.” I could hear the frustration in his voice. As I’ve gotten older, I understand the hassle of dealing with bureaucracy, where the red tape can make things more difficult than they need to be, and where customers don’t come first. It doesn’t have to be that way.

In my role performing Independent Verification and Validation (IV&V) at BerryDunn, I hear the same skepticism in the voices of some of my clients. I can hear them thinking, “Let me get this straight… I’m spending millions of dollars to replace my old Medicaid Management Information System (MMIS), and the Centers for Medicare and Medicaid Services (CMS) says I have to hire an IV&V consultant to show me what I am doing wrong? I don’t even control the contract. You’re here to help me? Yeah, right.” Here are some things to assuage your doubt. 

Independent IV&V―what they should do for you and your organization

An independent IV&V partner that is invested in your project’s success can:

  • Enhance your system implementation to help you achieve compliance
  • Help you share best practice experience in the context of your organization’s culture to improve efficiency in other areas
  • Assist you in improving your efficiency and timeliness with project management capabilities.

Even though IV&V vendors are federally mandated from CMS, your IV&V vendor should also be a trusted partner and advisor, so you can achieve compliance, improve efficiency, and save time and effort. 

Not all IV&V vendors are equal. Important things to consider:

Independence―independent vendors are a good place to start, as they are solely focused on your project’s success. They should not be selling you software or other added services, push vendor affiliations, or rubber stamp CMS, nor the state. You need a non-biased sounding board, a partner willing to share lessons learned from experience that will help your organization improve.

Well-rounded perspective―IV&V vendors should approach your project from all perspectives. A successful implementation relies on knowledge of Medicaid policy and processes, Medicaid operations and financing, CMS certification, and project management.

“Hello, we are IV&V from BerryDunn, and we are here to help.”

BerryDunn offers teams that consist of members with complementary skills to ensure all aspects of your project receive expert attention. Have questions about IV&V? Contact our team.
 

Blog
We're IV&V and we are here to help you improve your Medicaid organization

Federal contractors with the Centers for Medicare & Medicaid Services (CMS) have begun performing Payment Error Rate Measurement (PERM) reviews under the Final Rule issued in July 2017—a rule that many states may not realize could negatively impact their Medicaid budgets.

PERM is a complex process—states must focus on several activities over a recurring three-year period of time—and states may not have the resources needed to make PERM requirements a priority. However, with the Final Rule, this PERM eligibility review could have financial implications. 

After freezing the eligibility measurement for four years while undergoing pilot review, CMS has established new requirements for the eligibility review component and made significant changes to the data processing and medical record review components. As part of the Final Rule, CMS may implement reductions in the amount of federal funding provided to a state’s Medicaid and Children’s Health Insurance Program (CHIP) programs based on the error rates identified from the eligibility reviews. 

Since the issuance of the Final Rule in July 2017, Cycle 1 states are the first group of states to undergo a PERM cycle, including reviews of the data processing, medical record, and eligibility components. These states are wrapping up the final review activities, and Cycle 2 states are in the early stages of their PERM reviews.

How can your state prepare?

Whether your state is a Cycle 1, Cycle 2, or Cycle 3 state, there are multiple activities your Medicaid departments should engage in throughout each three-year period of time during and between PERM cycles: 

  • Analyzing prior errors cited or known issues, along with the root cause of the error
  • Identifying remedies to reduce future errors
  • Preparing and submitting required questionnaires and documents to the federal contractors for an upcoming review cycle
  • Assisting federal contractors with current reviews and findings
  • Preparing for and undergoing Medicaid Eligibility Quality Control (MEQC) planning and required reviews
  • Corrective action planning

Is your state ready?

We’ve compiled a few basic questions to gauge your state’s readiness for the PERM review cycle:

  • Do you have measures in place to ensure all eligibility factors under review are identifiable and that all federal and state regulations are being met? The eligibility review contractor (ERC) will reestablish eligibility for all beneficiaries sampled for review. This process involves confirming all verification requirements are in the case file, income requirements are met, placement in an accurate eligibility category has taken place, and the timeframe for processing all determinations meets federal and state regulations. 
  • Do you have up-to-date policy and procedures in place for determining and processing Medicaid or CHIP eligibility of an individual? Ensuring eligibility policies and procedures meet federal requirements is just as important as ensuring the processing of applications, including both system and manual actions, meet the regulations. 
  • Do you have up-to-date policy, procedures, and system requirements in place to ensure accurate processing of all Medicaid/CHIP claims? Reviewers will confirm the accuracy of all claim payments based on state and federal regulations. Errors are often cited due to the claims processing system allowing claims to pay that do not meet regulations.
  • Do you have a dedicated team in place to address all PERM requirements to ensure a successful review cycle? This includes staff to answer questions, address review findings, and respond to requests for additional information. During a review cycle, the federal contractors will cite errors based on their best understanding of policies and/or ability to locate required documentation. Responding to requests for information or reviewing and responding to findings in a timely manner should be a priority to ensure accurate findings. 
  • Have you communicated all PERM requirements and updates to policy changes to all Medicaid/CHIP providers? Providers play two integral roles in the success of a PERM review cycle. Providers must understand all claims submission requirements in order to accurately submit claims. Additionally, the medical record review component relies on providers responding to the request for the medical records on a sampled claim. Failure to respond will result in an error. Therefore, states must maintain communication with providers to stress the importance of responding to these requests.
  • Have you begun planning for the MEQC requirement? Following basic requirements identified by CMS during your state’s MEQC period, your state must submit a case planning document to CMS for approval prior to the MEQC review period. After the MEQC review, your state should be prepared to issue findings reports, including a corrective action plan as it relates to MEQC findings.

Need help piloting your state’s PERM review process?

BerryDunn has subject matter experts experienced in conducting PERM reviews, including a thorough understanding of all three PERM review components—eligibility, data processing, and medical record reviews. 

We would love to work with your state to see that measures are in place that will help ensure the lowest possible improper payment error rate. Stay tuned for upcoming blogs where we will discuss other PERM topics, including MEQC requirements, the financial impacts of PERM, and additional details related to each phase of PERM. For questions or to find out more, please email me
 

Blog
PERM: Prepared or not prepared?

Proposed House bill brings state income tax standards to the digital age

On June 3, 2019, the US House of Representatives introduced H.R. 3063, also known as the Business Activity Tax Simplification Act of 2019, which seeks to modernize tax laws for the sale of personal property, and clarify physical presence standards for state income tax nexus as it applies to services and intangible goods. But before we can catch up on today, we need to go back in time—great Scott!

Fly your DeLorean back 60 years (you’ve got one, right?) and you’ll arrive at the signing of Public Law 86-272: the Interstate Income Act of 1959. Established in response to the Supreme Court’s ruling on Northwestern States Portland Cement Co. v. Minnesota, P.L. 86-272 allows a business to enter a state, or send representatives, for the purposes of soliciting orders for the sale of tangible personal property without being subject to a net income tax.

But now, in 2019, personal property is increasingly intangible—eBooks, computer software, electronic data and research, digital music, movies, and games, and the list goes on. To catch up, H.R. 3063 seeks to expand on 86-272’s protection and adds “all other forms of property, services, and other transactions” to that exemption. It also redefines business activities of independent contractors to include transactions for all forms of property, as well as events and gathering of information.

Under the proposed bill, taxpayers meet the standards for physical presence in a taxing jurisdiction, if they:

  1.  Are an individual physically located in or have employees located in a given state; 
  2. Use the services of an agent to establish or maintain a market in a given state, provided such agent does not perform the same services in the same state for any other person or taxpayer during the taxable year; or
  3. Lease or own tangible personal property or real property in a given state.

The proposed bill excludes a taxpayer from the above criteria who have presence in a state for less than 15 days, or whose presence is established in order to conduct “limited or transient business activity.”

In addition, H.R. 3063 also expands the definition of “net income tax” to include “other business activity taxes”. This would provide protection from tax in states such as Texas, Ohio and others that impose an alternate method of taxing the profits of businesses.

H.R. 3063, a measure that would only apply to state income and business activity tax, is in direct contrast to the recent overturn of Quill Corp. v. North Dakota, a sales and use tax standard. Quill required a physical presence but was overturned by the decision in South Dakota v. Wayfair, Inc. Since the Wayfair decision, dozens of states have passed legislation to impose their sales tax regime on out of state taxpayers without a physical presence in the state.

If enacted, the changes made via H.R. 3063 would apply to taxable periods beginning on or after January 1, 2020. For more information: https://www.congress.gov/bill/116th-congress/house-bill/3063/text?q=%7B%22search%22%3A%5B%22hr3063%22%5D%7D&r=1&s=2
 

Blog
Back to the future: Business activity taxes!

As the Project Management Body of Knowledge® (PMBOK®) explains, organizations fall along a structure and reporting spectrum. On one end of this spectrum are functional organizations, in which people report to their functional managers. (For example, Finance staff report to a Finance director.) On the other end of this spectrum are projectized organizations, in which people report to a project manager. Toward the middle of the spectrum lie hybrid—or matrix—organizations, in which reporting lines are fairly complex; e.g., people may report to both functional managers and project managers. 

Problem: Weak Matrix Medicaid System Vendors

This brings us to weak matrix organizations, in which functional managers have more authority than project managers. Many Medicaid system vendors happen to fall into the weak matrix category, for a number of different reasons. Yet the primary factor is the volume and duration of operational work—such as provider enrollment, claims processing, and member enrollment—that Medicaid system vendors perform once they exit the design, development, and implementation (DDI) phase.

This work spans functional areas, which can muddy the reporting waters. Without strong and clear reporting lines to project managers, project success can be seriously (and negatively) affected if the priorities of the functional leads are not aligned with those of the project. And when a weak matrix Medicaid system vendor enters a multi-vendor environment in which it is tasked with implementing a system that will serve multiple departments and bureaus within a state government, the reporting waters can become even muddier.


Solution: Using a Project Management Office (PMO) Vendor

Conversely, consulting firms that provide Project Management Office (PMO) services to government agencies tend to be strong matrix organizations, in which project managers have more authority over project teams and can quickly reallocate team members to address the myriad of issues that arise on complex, multi-year projects to help ensure project success. PMOs are also typically experienced at creating and running project governance structures and can add significant value in system implementation-related work across government agencies.

Additional benefits of a utilizing a PMO vendor include consistent, centralized reporting across your portfolio of projects and the ability to quickly onboard subject matter expertise to meet program and project needs. 
For more in-depth information on the benefits of using a PMO on state Medicaid projects, stay tuned for my second blog in this series. In the meantime, feel free to send your PMO- or Medicaid-related questions to me
 

Blog
The power of the PMO: Fixing the weak matrix

As your organization works to modernize and improve your Medicaid Enterprise System (MES), are you using independent verification and validation (IV&V) to your advantage? Does your relationship with your IV&V provider help you identify high-risk project areas early, or provide you with an objective view of the progress and quality of your MES modernization initiative? Maybe your experience hasn’t shown you the benefits of IV&V. 

If so, as CMS focuses on quality outcomes, there may be opportunities for you to leverage IV&V in a way that can help advance your MES to increase the likelihood of desired outcomes for your clients. 

According to 45 Code of Federal Regulations (CFR) § 95.626, IV&V may be required for Advanced Planning Document (APD) projects that meet specific criteria. That said, what is the intended role and benefit of IV&V? 

To begin, let’s look at the meaning of “verification” and “validation.” The Institute of Electrical and Electronics Engineers, Inc. (IEEE) Standard for Software Verification and Validation (1012-1998) defines verification as, “confirmation of objective evidence that the particular requirements for a specific intended use are fulfilled.” Validation is “confirmation of objective evidence that specified requirements have been fulfilled.” 

Simply put, verification and validation ensure the right product is built, and the product is built right. 
As an independent third party, IV&V should not be influenced by any vendor or software application. This objectivity means IV&V’s perspective is focused on benefiting your organization. This support includes: 

  • Project management processes and best practices support to help increase probability of project success
  • Collaboration with you, your vendors, and stakeholders to help foster a positive and efficient environment for team members to interact 
  • Early identification of high-risk project areas to minimize impact to schedule, cost, quality, and scope 
  • Objective examination of project health in order for project sponsors, including the federal government, to address project issues
  • Impartial analysis of project health that allows state management to make informed decisions 
  • Unbiased visibility into the progress and quality of the project effort to increase customer satisfaction and reduce the risk and cost of rework
  • Reduction of errors in delivered products to help increase productivity of staff, resulting in a more efficient MES 

Based on our experience, when a trusted relationship exists between state governments and IV&V, an open, collaborative dialogue of project challenges—in a non-threatening manner—allows for early resolution of risks. This leads to improved quality of MES outcomes.    

Is your IV&V provider helping you advance the quality of your MES? Contact our team.

Blog
Leveraging IV&V to achieve quality outcomes

The IRS announced plans to conduct examinations of the universal availability requirements for 403(b) plans (Plans) this summer. Noncompliance with these requirements results in operational errors for Plans―ultimately requiring correction. Plan sponsors should review their Plans for proper inclusion and exclusion of employees. Such review can help you avoid costly penalties if the IRS does conduct an examination and uncovers an issue with the Plan’s implementation of universal availability.

Universal availability requires that, if you permit one employee to make elective deferrals into a 403(b) plan, then all other employees must receive the same opportunity. There are a few exceptions to this rule. Plan sponsors may exclude employees who meet one of the following exceptions:

  • Employees who will contribute $200 annually or less
  • Employees eligible to participate in a § 401(k), 457(b), or other 403(b) plan of the same employer
  • Employees who normally work less than 20 hours per week (the equivalent of less than 1,000 hours in a year)
  • Students performing services described in Internal Revenue Code § 3121(b)(10)

Of these exceptions, errors in applying the universal availability requirements are typically found with the less than 20 hours per week exception. Even if an employee works less than 20 hours per week (essentially a part-time employee), if this employee works 1,000 hours or more, you must allow this employee to make elective deferrals into the Plan. Further, you can’t revoke this permission in subsequent years―once the employee meets the 1,000 hour requirement, they are no longer included in the less than 20 hours per week employee class.

We recommend Plan sponsors review their Plan documents to ensure they are appropriately applying elected eligibility provisions. Further, we recommend Plan sponsors annually review an employee census to ensure those exceptions (listed above) remain appropriate for any employees excluded from the Plan. For instance, if you note that an employee worked 1,000 hours during the year, who was being excluded as part of the “less than 20 hours per week” category, you should ensure you notify this employee of their eligibility to participate in the Plan. In addition, you should retain documentation regarding the employee’s deferral election or election to opt out of the Plan. Such practices will help ensure, if your Plan is selected for IRS examination, it passes with no issues.

For more information: https://www.irs.gov/retirement-plans/403b-plan-fix-it-guide-you-didnt-give-all-employees-of-the-organization-the-opportunity-to-make-a-salary-deferral
 

Blog
Not the summer of love: IRS universal availability examinations

Best practices for financial institution contracts with technology providers

As the financial services sector moves in an increasingly digital direction, you cannot overstate the need for robust and relevant information security programs. Financial institutions place more reliance than ever on third-party technology vendors to support core aspects of their business, and in turn place more reliance on those vendors to meet the industry’s high standards for information security. These include those in the Gramm-Leach-Bliley Act, Sarbanes Oxley 404, and regulations established by the Federal Financial Institutions Examination Council (FFIEC).

On April 2, 2019, the FDIC issued Financial Institution Letter (FIL) 19-2019, which outlines important requirements and considerations for financial institutions regarding their contracts with third-party technology service providers. In particular, FIL-19-2019 urges financial institutions to address how their business continuity and incident response processes integrate with those of their providers, and what that could mean for customers.

Common gaps in technology service provider contracts

As auditors of IT controls, we review lots of contracts between financial institutions and their technology service providers. When it comes to recommending areas for improvement, our top observations include:

  • No right-to-audit clause
    Including a right-to-audit clause encourages transparency and provides greater assurance that vendors are providing services, and charging for them, in accordance with their contract.
  • Unclear and/or inadequate rights and responsibilities around service disruptions
    In the event of a service incident, time and transparency are vital. Contracts that lack clear and comprehensive standards, both for the vendor and financial institution, regarding business continuity and incident response expose institutions to otherwise avoidable risk, including slow or substandard communications.
  • No defined recovery standards
    Explicitly defined recovery standards are essential to ensuring both parties know their role in responding and recovering from a disaster or other technology outage.

FIL-19-2019 also reminds financial institutions that they need to properly inform regulators when they undertake contracts or relationships with technology service providers. The Bank Service Company Act requires financial institutions to inform regulators in writing when receiving third-party services like sorting and posting of checks and deposits, computation and posting of interest, preparation and mailing of statements, and other functions involving data processing, Internet banking, and mobile banking services.

Writing clearer contracts that strengthen your institution

Financial institutions should review their contracts, especially those that are longstanding, and make necessary updates in accordance with FDIC guidelines. As operating environments continue to evolve, older contracts, often renewed automatically, are particularly easy to overlook. You also need to review business continuity and incident response procedures to ensure they address all services provided by third-parties.

Senior management and the Board of Directors hold ultimate responsibility for managing a financial institution’s relationship with its technology service providers. Management should inform board members of any and all services that the institution receives from third-parties to help them better understand your operating environment and information security needs.

Not sure what to look for when reviewing contracts? Some places to start include:

  • Establish your right-to-audit
    All contracts should include a right-to-audit clause, which preserves your ability to access and audit vendor records relating to their performance under contract. Most vendors will provide documentation of due diligence upon request, such as System and Organization Control (SOC) 1 or 2 reports detailing their financial and IT security controls.

    Many right-to-audit clauses also include a provision allowing your institution to conduct its own audit procedures. At a minimum, don’t hesitate to perform occasional walk-throughs of your vendor’s facilities to confirm that your contract’s provisions are being met.
  • Ensure connectivity with outsourced data centers
    If you outsource some or all of your core banking systems to a hosted data center, place added emphasis on your institution’s business continuity plan to ensure connectivity, such as through the use of multiple internet or dedicated telecommunications circuits. Data vendors should, by contract, be prepared to assist with alternative connectivity.
  • Set standards for incident response communications 
    Clear expectations for incident response are crucial  to helping you quickly and confidently manage the impact of a service incident on your customers and information systems. Vendor contracts should include explicit requirements for how and when vendors will communicate in the event of any issue or incident that affects your ability to serve your customers. You should also review and update contracts after each incident to address any areas of dissatisfaction with vendor communications.
  • Ensure regular testing of defined disaster recovery standards
    While vendor contracts don’t need to detail every aspect of a service provider’s recovery standards, they should ensure those standards will meet your institution’s needs. Contracts should guarantee that the vendor periodically tests, reviews, and updates their recovery standards, with input from your financial institution.

    Your data center may also offer regular disaster recovery and failover testing. If they do, your institution should participate in it. If they don’t, work with the vendor to conduct annual testing of your ability to access your hosted resources from an alternate site.

As financial institutions increasingly look to third-party vendors to meet their evolving technology needs, it is critical that management and the board understand which benefits—and related risks—those vendors present. By taking time today to align your vendor contracts with the latest FFIEC, FDIC, and NCUA standards, your institution will be better prepared to manage risk tomorrow.

For more help gaining control over risk and cybersecurity, see our blog on sustainable solutions for educating your Board of Directors and creating a culture of cybersecurity awareness.
 

Blog
Are your vendor contracts putting you at risk?

Editor’s note: If you are a state government CFO, CIO, project or program manager, this blog is for you.

What is the difference in how government organizations procure agile vs. non-agile information technology (IT) services? (Learn more about agile here).

In each case, they typically follow five stages through the process as shown in Figure A:
 

Figure A: Overview of Procurement Process for Agile vs. Non-Agile IT Services

However, there are differences in how these stages are carried out if procuring agile vs. non-agile IT services. 

Unfortunately, most government organizations are unaware of these differences, which could result in unsuccessful procurements and ultimately not meeting your project’s needs and expectations. 
This blog series will illustrate how to strategically adjust the standard stages outlined in Figure A to successfully procure agile IT services.

Stage 1: Plan project
In Stage 1, you define the scope of the project by identifying what your organization wants, needs, and can achieve within the available timeframe and budget. You then determine the project’s objectives while strategically considering their impact on your organization before developing the RFP. Figure B summarizes the key differences between the impacts of agile vs. non-agile services to consider in this stage.


Figure B: Plan Project for Agile vs. Non-Agile IT Services

The nuances of planning for agile services reflect an organization’s readiness for a culture shift to a continuous process of development and deployment of software and system updates. 

Stage 2: Draft RFP
In Stage 2, as part of RFP drafting, define the necessary enhancements and functionality needed to achieve the project objectives determined in Stage 1. You then translate these enhancements and functionalities into business requirements. Requirement types might include business needs as functionality, services, staffing, deliverables, technology, and performance standards. Figure C summarizes the key differences between drafting the RFP for a project procuring agile vs. non-agile services.


Figure C: Draft RFP for Agile vs. Non-Agile IT Services

In drafting the RFP, the scope of work emphasizes expectations for how your team and the vendor team will work together, the terms of how progress will be monitored, and the description of requirements for agile tools and methods.

Stage 3: Issue RFP
In Stage 3, issue the RFP to the vendor community, answer vendor questions, post amendments, and manage the procurement schedule. Since this stage of the process requires you to comply with your organization’s purchasing and procurement rules, Figure D illustrates very little difference between issuing an RFP for a project procuring agile or non-agile services.


Figure D: Issue RFP for Agile vs. Non-Agile IT Services 

Stage 4: Review proposals
In Stage 4, you evaluate vendor proposals against the RFP’s requirements and project objectives to determine the best proposal response. Figure E summarizes the key differences in reviewing proposals for a project that is procuring agile vs. non-agile services.


Figure E: Reviewing Proposals for Agile vs. Non-Agile IT Services 

Having appropriate evaluation priorities and scoring weights that align with how agile services are delivered should not be under-emphasized. 

Stage 5: Award and implement contract
In Stage 5, you award and implement the contract with the best vendor proposal identified during Stage 4. Figure F summarizes the key differences in awarding and implementing the contract for agile vs. non-agile services.


Figure F:  Award and Implement Contract for Agile vs. Non-Agile Services 

Due to the iterative and interactive requirements of agile, it is necessary to have robust and frequent collaboration among program teams, executives, sponsors, and the vendor to succeed in your agile project delivery.

What’s next?
The blog posts in this series will explain step-by-step how to procure agile services through the five stages, and at the series conclusion, your organization will better understand how to successfully procure and implement agile services. If you have questions or comments, please contact our team.  

Blog
Procuring agile vs. non-agile projects in five stages: An overview

Focus on the people: How higher ed institutions can successfully make an ERP system change

The enterprise resource planning (ERP) system is the heart of an institution’s business, maintaining all aspects of day-to-day operations, from student registration to staff payroll. Many institutions have used the same ERP systems for decades and face challenges to meet the changing demands of staff and students. As new ERP vendors enter the marketplace with new features and functionality, institutions are considering a change. Some things to consider:

  1. Don’t just focus on the technology and make change management an afterthought. Transitioning to a new ERP system takes considerable effort, and has the potential to go horribly wrong if sponsorship, good planning, and communication channels are not in place. The new technology is the easy part of a transition—the primary challenge is often rooted in people’s natural resistance to change.  
  2. Overcoming resistance to change requires a thoughtful and intentional approach that focuses on change at the individual level. Understanding this helps leadership focus their attention and energy to best raise awareness and desire for the change.
  3. One effective tool that provides a good framework for successful change is the Prosci ADKAR® model. This framework has five distinct phases that align with ERP change:

These phases provide an approach for developing activities for change management, preparing leadership to lead and sponsor change and supporting employees through the implementation of the change.

The three essential steps to leveraging this framework:

  1. Perform a baseline assessment to establish an understanding of how ready the organization is for an ERP change
  2. Provide sponsorship, training, and communication to drive employee adoption
  3. Prepare and support activities to implement, celebrate, and sustain participation throughout the ERP transition

Following this approach with a change management framework such as the Prosci ADKAR® model can help an organization prepare, guide, and adopt ERP change more easily and successfully. 

If you’re considering a change, but need to prepare your institution for a healthy ERP transition using change management, chart yourself on this ADKAR framework—what is your organization’s change readiness? Do you have appropriate buy-in? What problems will you face?

You now know that this framework can help your changes stick, and have an idea of where you might face resistance. We’re certified Prosci ADKAR® practitioners and have experience guiding Higher Ed leaders like you through these steps. Get in touch—we’re happy to help and have the experience and training to back it up. Please contact the team with any questions you may have.

1Prosci ADKAR®from http://www.prosci.com

Blog
Perspectives of an Ex-CIO

LIBOR is leaving—is your financial institution ready to make the most of it?

In July 2017, the UK’s Financial Conduct Authority announced the phasing out of the London Interbank Offered Rate, commonly known as LIBOR, by the end of 20211. With less than two years to go, US federal regulators are urging financial institutions to start assessing their LIBOR exposure and planning their transition. Here we offer some general impacts of the phasing out, some specific actions your institution can take to prepare, and, finally, background on how we got here (see Background at right).

How will the phase-out impact financial institutions?

The Federal Reserve estimates roughly $200 trillion in LIBOR-indexed notional value transactions in the cash and derivatives market2. LIBOR is used to help price a variety of financial services products,  including $3.4 trillion in business loans and $1.3 trillion in consumer loans, as well as derivatives, swaps, and other credit instruments. Even excluding loans and financial instruments set to mature before 2021—estimated by the FDIC at 82% of the above $200 trillion—LIBOR exposure is still significant3.

A financial institution’s ability to lend money is largely dependent on the relative stability of its capital position, or lack thereof. For institutions with a significant amount of LIBOR-indexed assets and liabilities, that means less certainty in expected future cash flows and a less stable capital position, which could prompt institutions to deny loans they might otherwise have approved. A change in expected cash flows could also have several indirect consequences. Criticized assets, assessed for impairment based on their expected future cash flows, could require a specific reserve due to lower present value of expected future cash flows.

The importance of fallback language in loan agreements

Fallback language in loan agreements plays a pivotal role in financial institutions’ ability to manage their LIBOR-related financial results. Most loan agreements include language that provides guidance for determining an alternate reference rate to “fall back” on in the event the loan’s original reference rate is discontinued. However, if this language is non-existent, contains fallbacks that are no longer adequate, or lacks certain key provisions, it can create unexpected issues when it comes time for financial institutions to reprice their LIBOR loans. Here are some examples:

  • Non-existent or inadequate fallbacks
    According to the Alternative Reference Rates Committee, a group of private-market participants convened by the Federal Reserve to help ensure a successful LIBOR transition, "Most contracts referencing LIBOR do not appear to have envisioned a permanent or indefinite cessation of LIBOR and have fallbacks that would not be economically appropriate"4.

    For instance, industry regulators have warned that without updated fallback language, the discontinuation of LIBOR could prompt some variable-rate loans to become fixed-rate2, causing unanticipated changes in interest rate risk for financial institutions. In a declining rate environment, this may prove beneficial as loans at variable rates become fixed. But in a rising rate environment, the resulting shrink in net interest margins would have a direct and adverse impact on the bottom line.

  • No spread adjustment
    Once LIBOR is discontinued, LIBOR-indexed loans will need to be repriced at a new reference rate, which could be well above or below LIBOR. If loan agreements don’t provide for an adjustment of the spread between LIBOR and the new rate, that could prompt unexpected changes in the financial position of both borrowers and lenders3. Take, for instance, a loan made at the Secured Overnight Financing Rate (SOFR), generally considered the likely replacement for USD LIBOR. Since SOFR tends to be lower than three-month LIBOR, a loan agreement using it that does not allow for a spread adjustment would generate lower loan payments for the borrower, which means less interest income for the lender.

    Not allowing for a spread adjustment on reference rates lower than LIBOR could also cause a change in expected prepayments—say, for instance, if borrowers with fixed-rate loans decide to refinance at adjustable rates—which would impact post-CECL allowance calculations like the weighted-average remaining maturity (WARM) method, which uses estimated prepayments as an input.

What can your financial institution do to prepare?

The Federal Reserve and the SEC have urged financial institutions to immediately evaluate their LIBOR exposure and expedite their transition. Though the FDIC has expressed no intent to examine financial institutions for the status of LIBOR planning or critique loans based on use of LIBOR3, Federal Reserve supervisory teams have been including LIBOR transitions in their regular monitoring of large financial institutions5. The SEC has also encouraged companies to provide investors with robust disclosures regarding their LIBOR transition, which may include a notional value of LIBOR exposure2.

Financial institutions should start by analyzing their LIBOR exposure beyond 2021. If you don’t expect significant exposure, further analysis may be unnecessary. However, if you do expect significant future LIBOR exposure, your institution should conduct stress testing using LIBOR as an isolated variable by running hypothetical transition scenarios and assessing the potential financial impact.

Closely examine and assess fallback language in loan agreements. For existing loan agreements, you may need to make amendments, which could require consent from counterparties2. For new loan agreements maturing beyond 2021, lenders should consider selecting an alternate reference rate. New contract language for financial instruments and residential mortgages is currently being drafted by the International Securities Dealers Association and the Federal Housing Finance Authority, respectively3—both of which may prove helpful in updating loan agreements.

Lenders should also consider their underwriting policies. Loan underwriters will need to adjust the spread on new loans to accurately reflect the price of risk, because volatility and market tendencies of alternate loan reference rates may not mirror LIBOR’s. What’s more, SOFR lacks abundant historical data for use in analyzing volatility and market tendencies, making accurate loan pricing more difficult.

Conclusion: Start assessing your LIBOR risk soon

The cessation of LIBOR brings challenges and opportunities that will require in-depth analysis and making difficult decisions. Financial institutions and consumers should heed the advice of regulators and start assessing their LIBOR risk now. Those that do will not only be better prepared―but also better positioned―to capitalize on the opportunities it presents.

Need help assessing your LIBOR risk and preparing to transition? Contact BerryDunn’s financial services specialists.

1 https://www.washingtonpost.com/business/2017/07/27/acdd411c-72bc-11e7-8c17-533c52b2f014_story.html?utm_term=.856137e72385
2 Thomson Reuters Checkpoint Newsstand April 10, 2019
3 https://www.fdic.gov/regulations/examinations/supervisory/insights/siwin18/si-winter-2018.pdf
4 https://bankingjournal.aba.com/2019/04/libor-transition-panel-recommends-fallback-language-for-key-instruments/
5 https://www.reuters.com/article/us-usa-fed-libor/fed-urges-u-s-financial-industry-to-accelerate-libor-transition-idUSKCN1RM25T

Blog
When one loan rate closes, another opens

Law enforcement, courts, prosecutors, and corrections personnel provide many complex, seemingly limitless services. Seemingly is the key word here, for in reality these personnel provide a set number of incredibly important services.

Therefore, it should surprise no one that justice and public safety (J&PS) IT departments should also provide a well-defined set of services. However, these departments are often viewed as parking lots for all technical problems. The disconnect between IT and other J&PS business units often stems from differences in organizational culture and structure, and differing department objectives and goals. As a result, J&PS organizations often experience misperception between business units and IT. The solution to this disconnect and misperception? Defining IT department services.

The benefits of defined IT services

  1. Increased business customer satisfaction. Once IT services align with customer needs, and expectations are established (e.g., service costs and service level agreements), customers can expect to receive the services they agreed to, and the IT department can align staff and skill levels to successfully meet those needs.
  2. Improved IT personnel morale. With clear definition of the services they provide to their customers, including clearly defined processes for customers to request those services, IT personnel will no longer be subject to “rogue” questions or requests, and customers won’t be inclined to circumvent the process. This decreases IT staff stress and enables them to focus on their roles in providing the defined services. 
  3. Better alignment of IT services to organizational needs. Through collaboration between the business and IT organizations, the business is able to clearly articulate the IT services that are, and aren’t, required. IT can help define realistic service levels and associated services costs, and can align IT staff and skills to the agreed-upon services. This results in increased IT effectiveness and reduced confusion regarding what services the business can expect from IT.
  4. More collaboration between IT and the organization. The collaboration between the IT and business units in defining services results in an enhanced relationship between these organizations, increasing trust and clarifying expectations. This collaborative model continues as the services required by the business evolve, and IT evolves to support them.
  5. Reduced costs. J&PS organizations that fail to strategically align IT and business strategy face increasing financial costs, as the organization is unable to invest IT dollars wisely. When a business doesn’t see IT as an enabler of business strategy, IT is no longer the provider of choice—and ultimately risks IT services being outsourced to a third-party vendor.

Next steps
Once a J&PS IT department defines its services to support business needs, it then can align the IT staffing model (i.e., numbers of staff, skill sets, roles and responsibilities), and continue to collaborate with the business to identify evolving services, as well as remove services that are no longer relevant. Contact us for help with this next step and other IT strategies and tactics for justice and public safety organizations.

Blog
The definition of success: J&PS IT departments must define services

This blog is the first in a series to help employee benefit plan fiduciaries better understand their responsibilities and manage the risks of non-compliance with ERISA requirements.

On Labor Day, 1974, President Gerald Ford signed the Employee Retirement Income Security Act, commonly known as ERISA, into law. Prior to ERISA, employee pensions had scant protections under the law, a problem made clear when the Studebaker automobile company closed its South Bend, Indiana production plant in 1963. Upon the plant’s closing, some 4,000 employees—whose average age was 52 and average length of service with the company was 23 years—received approximately 15 cents for each dollar of benefit they were owed. Nearly 3,000 additional employees, all of whom had less than 10 years of service with the company, received nothing.

A decade later, ERISA established statutory requirements to preserve and protect the rights of employees to their pensions upon retirement. Among other things, ERISA defines what a plan fiduciary is and sets standards for their conduct.

Who is—and who isn’t—a plan fiduciary?
ERISA defines a fiduciary as a person who:

  1. Exercises discretionary authority or control over the management of an employee benefit plan or the disposition of its assets,
  2. Gives investment advice about plan funds or property for a fee or compensation or has the authority to do so,
  3. Has discretionary authority or responsibility in plan administration, or
  4. Is designated by a named fiduciary to carry out fiduciary responsibility. (ERISA requires the naming of one or more fiduciaries to be responsible for managing the plan's administration, usually a plan administrator or administrative committee, though the plan administrator may engage others to perform some administrative duties).

If you’re still unsure about exactly who is and isn’t a plan fiduciary, don’t worry, you’re not alone. Disagreements over whether or not a person acting in a certain capacity and in a specific situation is a fiduciary have sometimes required legal proceedings to resolve them. Here are some real-world examples.

Employers who maintain employee benefit plans are typically considered fiduciaries by virtue of being named fiduciaries or by acting as a functional fiduciary. Accordingly, employer decisions on how to execute the intent of the plan are subject to ERISA’s fiduciary standards.

Similarly, based on case law, lawyers and consultants who effectually manage an employee benefit plan are also generally considered fiduciaries.

A person or company that performs purely administrative duties within the framework, rules, and procedures established by others is not a fiduciary. Examples of such duties include collecting contributions, maintaining participants' service and employment records, calculating benefits, processing claims, and preparing government reports and employee communications.

What are a fiduciary’s responsibilities?
ERISA requires fiduciaries to discharge their duties solely in the interest of plan participants and beneficiaries, and for the exclusive purpose of providing benefits for them and defraying reasonable plan administrative expenses. Specifically, fiduciaries must perform their duties as follows:

  1. With the care, skill, prudence, and diligence of a prudent person under the circumstances;
  2. In accordance with plan documents and instruments, insofar as they are consistent with the provisions of ERISA; and
  3. By diversifying plan investments so as to minimize risk of loss under the circumstances, unless it is clearly prudent not to do so.

A fiduciary is personally liable to the plan for losses resulting from a breach of their fiduciary responsibility, and must restore to the plan any profits realized on misuse of plan assets. Not only is a fiduciary liable for their own breaches, but also if they have knowledge of another fiduciary's breach and either conceals it or does not make reasonable efforts to remedy it.

ERISA provides for a mandatory civil penalty against a fiduciary who breaches a fiduciary responsibility under ERISA or commits a violation, or against any other person who knowingly participates in such breach or violation. That penalty is equal to 20 percent of the "applicable recovery amount" paid pursuant to any settlement agreement with ERISA or ordered by a court to be paid in a judicial proceeding instituted by ERISA.

ERISA also permits a civil action to be brought by a participant, beneficiary, or other fiduciary against a fiduciary for a breach of duty. ERISA allows participants to bring suit to recover losses from fiduciary breaches that impair the value of the plan assets held in their individual accounts, even if the financial solvency of the entire plan is not threatened by the alleged fiduciary breach. Courts may require other appropriate relief, including removal of the fiduciary.

Over the coming months, we’ll share a series of blogs for employee benefit plan fiduciaries, covering everything from common terminology to best practices for plan documentation, suggestions for navigating fiduciary risks, and more.

Blog
What's in a name? A lot, if you manage a benefit plan.

“The world is one big data problem,” says MIT scientist and visionary Andrew McAfee.

That’s a daunting (though hardly surprising) quote for many in data-rich sectors, including higher education. Yet blaming data is like blaming air for a malfunctioning wind turbine. Data is a valuable asset that can make your institution move.

To many of us, however, data remains a four-letter word. The real culprit behind the perceived data problem is our handling and perception of data and the role it can play in our success—that is, the relegating of data to a select, responsible few, who are usually separated into hardened silos. For example, a common assumption in higher education is that the IT team can handle it. Not so. Data needs to be viewed as an institutional asset, consumed by many and used by the institution for the strategic purposes of student success, scholarship, and more.

The first step in addressing your “big” data problem? Data governance.

What is data governance?

There are various definitions, but the one we use with our clients is “the ongoing and evolutionary process driven by leaders to establish principles, policies, business rules, and metrics for data sharing.”

Please note that the phrase “IT” does not appear anywhere in this definition.

Why is data governance necessary? For many reasons, including:

  1. Data governance enables analytics. Without data governance, it’s difficult to gain value from analytics initiatives which will produce inconsistent results. A critical first step in any data analytics initiative is to make sure that definitions are widely accepted and standards have been established. This step allows decision makers to have confidence in the data being analyzed to describe, predict, and improve operations.
     
  2. Data governance strengthens privacy, security, and compliance. Compliance requirements for both public and private institutions constantly evolve. The more data-reliant your world becomes, the more protected your data needs to be. If an organization does not implement security practices as part of its data governance framework, it becomes easier to fall out of compliance. 
     
  3. Data governance supports agility. How many times have reports for basic information (part-time faculty or student FTEs per semester, for example) been requested, reviewed, and returned for further clarification or correction? And that’s just within your department! Now add multiple requests from the perspective of different departments, and you’re surely going through multiple iterations to create that report. That takes time and effort. By strengthening your data governance framework, you can streamline reporting processes by increasing the level of trust you have in the information you are seeking. Understanding the value of data governance is the easy part/ The real trick is implementing a sustainable data governance framework that recognizes that data is an institutional asset and not just a four-letter word.

Stay tuned for part two of this blog series: The how of data governance in higher education. In the meantime, reach out to me if you would like to discuss additional data governance benefits for your institution.

Blog
Data is a four-letter word. Governance is not.

Best Practices for Educating Your Financial Institution’s Board of Directors on Cybersecurity

According to Cybersecurity Ventures, cybercrime will account for $6 trillion annually by 2021—that’s more than the global trade of all major illegal drugs combined. Data breaches and other information security events adversely impact organizations through significant losses in revenue, erosion of customer trust, substantial remediation costs, increased insurance premiums, and more.

The financial services industry has always led the way with internal controls, vendor management, and now with cybersecurity for one simple reason—you are in the business of money and it is critical to protect it.

That said, cybersecurity controls require more than just a strong IT department—an effective cybersecurity program, much like ethical behavior, depends on culture. Since your organization’s leadership plays a key role in driving your cybersecurity culture, boards of directors and senior management need a solid understanding of cybersecurity risks and impacts.

According to a 2018 Technology Survey of bank directors by Bank Director, 79% say they need to enhance their level of technology expertise. Many board members come from non-technology backgrounds and careers, and though they are able to support their institution’s mission and drive growth, they may not be able to provide direction in the areas of information technology and security. They may also not recognize what attractive targets they make for phishing and other cybercrimes due to their high level of access to valuable information, their ability to send and receive data from financial institution personnel, and their potential exemption from certain employee policies.

Keeping board members up-to-date on the evolving landscape of cybersecurity risks can present a serious challenge due to board members’ time constraints. To help, here are some best practices you can follow to make educating your institution’s board and senior management a relatively simple and sustainable process.

Leverage Existing Cybersecurity Training Resources

In most cases, you already provide and require cybersecurity training for employees, typically through internal IT experts, third-party vendors, or self-paced courses available online. Board members should complete the same training at least annually.

Require Board Members to Comply with Information Security Policies

Despite their high-risk profile, board members are often exempted from policies applicable to employees, including password requirements and other critical information security policies. Given the sensitive information and levels of access board members have, it is imperative that they fully comply with all information security policies.

Facilitate Regular Review of Information Security Audits and Assessments

Information security audits and assessments provide valuable insights into areas for improvement. Keep your board members aware of any findings, recommendations, or potential risks noted in recent audits and assessments. Provide a regular status report to the board of ongoing efforts and progress to resolve or mitigate findings and risks. Use these regular communications as an opportunity to provide cybersecurity education to the board, and don’t hesitate to speak up about any specific areas and emerging risks you may be concerned about.

Regular Cybersecurity Updates and Discussions

Keep the board and senior management updated on cybersecurity threats, incidents, and any changes to the bank’s cybersecurity program. Provide this information on a quarterly basis and include the cause of and any remediation for such events, as well as any trends in incidents. Regular updates to the board and senior management provide guidance for budgets, goals, and overall strategic direction. With more awareness of security incidents and events, trends in occurrences, and potential risks, the board and senior management are more likely to support greater investments in the bank’s security efforts.

Annual Board Approval of Information Security Plans and Policies

The board should review and approve all information security policies and relevant procedures on an annual basis, as these board-approved policies will establish the financial institution’s directive for effective internal control and cybersecurity programs. Important examples include Information Security and Acceptable Use Policies, Cybersecurity Policy, Incident Response Plan, Business Continuity Plan, and Disaster Recovery Plan.

Knowing your current position and having a plan are key. Through continuous assessment of your board’s fluency with cybersecurity and establishing a process of ongoing education that’s both effective and manageable, your financial institution can improve its culture of cybersecurity awareness—helping reduce the likelihood of future security incidents and events that could adversely impact your board, your financial institution’s employees, and your customers.

Blog
Creating a culture of cybersecurity awareness

On October 1, 2019, the Medicare Skilled Nursing Facility (SNF) payment system will transition from RUGS-IV to the Patient Driven Payment Model. This payment model is a major change from the way SNFs are currently reimbursed. Under PDPM, International Classification of Disease, Tenth Edition (ICD-10) diagnosis codes and other patient clinical characteristics, such as the patient’s activities of daily living (ADL) and recent surgeries, will be used as the basis for patient classification and reimbursement.

Resident days up to September 30 will be paid under RUGS–IV and resident days from October 1 forward will be paid under PDPM. This includes patients admitted prior to September 30. There will be no transition period. The change to PDPM represents the most significant change to Medicare A SNF PPS reimbursement since its implementation in 1998. To ensure a smooth transition, prevent denials, and avoid resulting cash flow disruptions, your revenue cycle team needs to be prepared for PDPM. This article outlines steps your facility can take to prepare for PDPM.

Know your current revenue cycle performance

In order to know how you are performing under PDPM, you need to know your current revenue cycle performance. Are there current processes delaying the completion of the Minimum Data Set (MDS)? What is your current case mix? How long does it take the facility to close the month and generate bills? If you have inefficiencies in your workflow and processes, now is the time to fix them. Are there open lines of communication between financial and clinical operations? Financial and clinical must work together to make PDPM work for the facility’s long-term sustainability.

Facilities should be benchmarking their key revenue cycle indicators including, but not limited to, accounts receivable aging comparisons, days in accounts receivables, and collections as a percentage of revenues. Benchmarking can help a facility detect issues early on and resolve them before they become a bigger problem.

Providers will need to communicate with IT providers to be sure they configure electronic health record systems and financial systems for compliance with PDPM. MDS software must be robust enough to help MDS coordinators manage the new process or else facility reimbursement will be affected.

Understand how ICD-10 coding impacts reimbursement under PDPM

Do you know how diagnoses are currently captured on your facility’s MDS? Most facilities are not tracking or monitoring ICD-10 diagnosis codes, as the majority of diagnoses don’t impact quality measures or reimbursement. The implementation of PDPM will require the use of ICD-10 diagnosis codes, which are more detailed and call for accurate documentation. For SNF providers, this means the old ways of documenting resident assessments on the MDS won’t work under the new model.

One of the most important changes under PDPM is that ICD-10 diagnoses will be the key drivers for reimbursement. ICD-10 diagnosis codes will be used to place a resident into one of 10 PDPM clinical categories, that will determine the payment components for physical therapy (PT), occupational therapy (OT), speech (SLP), and skilled nursing services, as well as non-therapy ancillaries (NTA).

How can your facility prepare for ICD-10 diagnosis coding?

  • Determine the diagnoses codes your facility uses most frequently.
  • Compare the codes you most frequently use to the CMS PDPM Clinical Category Mapping
  • If codes map to “Return to Provider” you need to review the patient record to find a more specific primary diagnosis
  • Make sure you capture the resident’s comorbidities on I8000 to ensure appropriate payment for Non-Therapy Ancillaries (NTA).
  • Aftercare codes will be the primary diagnosis if that is the primary reason for the admission.

Preparing for ICD-10 coding requires a coordinated care team. Communicate with anyone who contributes to the diagnosis documentation, including the physician, medical director, PT/OT/SLP, and other specialty care professionals such as wound specialists or dietitians to understand why the resident is there. Identifying the reason the resident is there and assigning the correct diagnosis code will help a facility to be successful with PDPM.

Review the changes being made to the Minimum Data Set (MDS)

In early January, CMS issued a draft version of the MDS 3.0. The draft indicates that there are more than 80 items will be added, deleted, or changed for PDPM implementation. There are 40 new items that will impact reimbursement rates. These changes fall into three categories:

  1. Streamlined assessment policies 
  2. New PDPM assessment item sets
  3.  Additions to MDS items

The MDS assessments will be more streamlined under PDPM. There are only two required assessments: the five-day assessment and the discharge assessment. The five-day assessment must be completed between days one and eight and will be effective for the entire length of stay unless an optional assessment is performed. The 14-day, 30-day, 60-day and 90-day assessments have been discontinued. The discharge assessment will not impact reimbursement―however, this is where therapy will be reported. Facilities also have the option to perform an interim payment assessment if the patient’s clinical characteristics change. This assessment must be completed within 14 days of the change in characteristics and can affect reimbursement.

The MDS has two new item sets: 1) Interim Payment Assessment (IPA), used for optional assessment if a patient’s characteristics change; and 2) Optional State Assessment (OSA), which will be used by states where RUGS-IV is the basis for Medicaid payments. The IPA should only be used if a patient’s clinical characteristics are not expected to change in the short term.

Significant changes to MDS items are in the following sections:

  1. Section I: SNF Primary Diagnosis – Item I0020B will allow providers to report, using an ICD-10 diagnosis code, the patient's primary SNF diagnosis. This item will ask, “What is the primary reason the patient is being admitted into the SNF?”
  2. Section J: Patient Surgical History – To capture information that may be relevant to classifying a resident in a PDPM clinical category, J1000 – J5000 identifies major surgeries from the most recent hospital stay.
  3. Section O: Discharge Therapy Items – Items 0425A1-O0425C5 will be added to Section O to document therapy delivery information. Therapy delivery will only be reported on the discharge MDS and must include information by each discipline, mode of therapy, and minutes received by the patient. Group and concurrent therapy cannot exceed 25% of total therapy.
  4. Section GG: Interim Performance – This section is the basis for the resident’s functional analysis. Section GG is more standardized and has more comprehensive measures of functional status. Providers need to be sure to complete Section GG in its entirety as missing responses will receive zero points for the functional score calculation. Section GG is taking on an increased importance under PDPM, as CMS’s goal for this section is to standardize assessment items across payment settings.

Over the years, the MDS has primarily been utilized as an assessment tool to drive the plan of care with little impact to reimbursement. With implementation of PDPM, and the shift from therapy-driven reimbursement to clinical characteristics as the basis for reimbursement, the MDS will be vital to obtaining proper reimbursement. You may need to revise the systems you currently have in place to make sure that the information critical to reimbursement is recorded accurately on the five-day assessment. Missing an item on the five-day MDS will impact reimbursement for the entire resident stay.

Skilled Nursing Facilities will need internal processes, workflows, and staff training in place well before October 1, 2019, in order to be successful under PDPM. Preparation for PDPM is key and it will take teamwork from the entire facility. Focusing on each of the areas outlined above—even if it is just to confirm that you’ve addressed the issue—will put you in good shape to meet the looming deadline. Without a doubt, there will be things that arise at the last minute or processes that don’t work as planned. Don’t panic. We can help you address issues and problems or work with you to create a new workflow process. Just give us a call.

Get ready with our PDPM Checklist!

Download our helpful PDPM checklist and see what you need to do. 

Blog
Is your revenue cycle team ready for Medicare's Patient Driven Payment Model?

We are two for two when choosing value acceleration presentation dates that align with winter storms. It turns out we may be a more reliable indicator of winter weather than Punxsutawney Phil, who has a track record of 36 percent accuracy over the last 50 years.

After a last-minute rescheduling due to the weather, we held our second discussion in the value acceleration series on Friday, February 15th. Value acceleration is our process of helping clients increase the value of their business and build liquidity into their lives. In the first session, we presented an overview of the three stages of the value acceleration process (Discover, Prepare, and Decide). In our conversation on Friday, we took a closer look at the first stage of the value acceleration process: the Discover stage, aka the “triggering event.”

In our first session, we walked through a high-level overview of the value acceleration process. This process has three stages, diagrammed here:

© Exit Planning Institute

In the Discover stage, business owners take inventory of their personal, financial, and business goals, noting ways to increase alignment and reduce risk. The objective of the Discover stage is to gather data and assemble information into a prioritized action plan, using the following general framework.

 

Every client we have talked to so far has plans and priorities outside of their business. Accordingly, the first topic in the Discover stage is to explore your personal plans and how they may affect business goals and operations. What do you want to do next in your personal life? How will you get it done?

Another area to explore is your personal financial plan, and how this interacts with your personal goals and business plans. What do you currently have? How much do you need to fund your other goals?

The third leg of the value acceleration “three-legged stool” is business goals. How much can the business contribute to your other goals? How much do you need from your business? What are the strengths and weaknesses of your business? How do these compare to other businesses? How can business value be enhanced? A business valuation can help you to answer these questions.

A business valuation can clarify the standing of your business regarding the qualities buyers find attractive. Relevant business attractiveness factors include the following:

Market factors, such as barriers to entry, competitive advantages, market leadership, economic prosperity, and market growth
Forecast factors, such as potential profit and revenue growth, revenue stream predictability, and whether or not revenue comes from recurring sources
Business factors, such as years of operation, management strength, customer loyalty, branding, customer database, intellectual property/technology, staff contracts, location, business owner reliance, marketing systems, and business systems


Your company’s performance in these areas may lead to a gap between what your business is worth and what it could be worth. Armed with the information from this assessment, you can prepare a plan to address this “value gap” and look towards your plans for the future.

Next up in our value acceleration blog series is all about what we call the four C's of the value acceleration process. 

Blog
The discover stage: Value acceleration series part two (of five)

In auditing, the concept of professional skepticism is ubiquitous. Just as a Jedi in Star Wars is constantly trying to hone his understanding of the “force”, an auditor is constantly crafting his or her ability to apply professional skepticism. It is professional skepticism that provides the foundation for decision-making when conducting an attestation engagement.

A brief definition

The professional standards define professional skepticism as “an attitude that includes a questioning mind, being alert to conditions that may indicate possible misstatement due to fraud or error, and a critical assessment of audit evidence.” Given this definition, one quickly realizes that professional skepticism can’t be easily measured. Nor is it something that is cultivated overnight. It is a skill developed over time and a skill that auditors should constantly build and refine.

Recently, the extent to which professional skepticism is being employed has gained a lot of criticism. Specifically, regulatory bodies argue that auditors are not skeptical enough in carrying out their duties. However, as noted in the white paper titled Scepticism: The Practitioners’ Take, published by the Institute of Chartered Accountants in England and Wales, simply asking for more skepticism is not a practical solution to this issue, nor is it necessarily always desirable. There is an inevitable tug of war between professional skepticism and audit efficiency. The more skeptical the auditor, typically, the more time it takes to complete the audit.

Why does it matter? Audit quality.

First and foremost, how your auditor applies professional skepticism to your audit directly impacts the quality of their service. Applying an appropriate level of professional skepticism enhances the likelihood the auditor will understand your industry, lines of business, business processes, and any nuances that make your company different from others, as it naturally causes the auditor to ask questions that may otherwise go unasked.

These questions not only help the auditor appropriately apply professional standards, but also help the auditor gain a deeper understanding of your business. This will enable the auditor to provide insights and value-added services an auditor who doesn’t apply the right degree of skepticism may never identify.

Therefore, as the white paper notes, audit committees, management, and investors should be asking “How hard do our auditors get pushed on fees, and what effect does that have on the quality of the audit?” If your auditor is overly concerned with completing the audit within a fixed time budget, professional skepticism and, ultimately, the quality of the audit, may suffer.

Applying skepticism internally

By its definition, professional skepticism is a concept that specifically applies to auditors, and is not on point when it comes to other audit stakeholders. This is because the definition implies that the individual applying professional skepticism is independent from the information he or she is analyzing. Other audit stakeholders, such as members of management or the board of directors, are naturally advocates for the organizations they manage and direct and therefore can’t be considered independent, whereas an auditor is required to remain independent.

However, rather than audit stakeholders applying professional skepticism as such, these other stakeholders should apply an impartial and diligent mindset to their work and the information they review. This allows the audit stakeholder to remain an advocate for his or her organization, while applying critical skills similar to those applied in the exercise of professional skepticism. This nuanced distinction is necessary to maintain the limited scope to which the definition of professional skepticism applies: the auditor.

Specific to the financial statement reporting function, these stakeholders should be assessing the financial statements and ask questions that can help prevent or detect flaws in the financial reporting process. For example, when considering significant estimates, management should ask: are we considering all relevant information? Are our estimates unbiased? Are there alternative accounting treatments we haven’t considered? Can we justify our selected accounting treatment? Essentially, management should start by asking itself: what questions would we expect our auditor to ask us?

It is also important to be critical of your own work, and never become complacent. This may be the most difficult type of skepticism to apply, as most of us do not like to have our work criticized. However, critically reviewing one’s own work, essentially as an informal first level of review, will allow you to take a step back and consider it from a different vantage point, which may in turn help detect errors otherwise left unnoticed. Essentially, you should both consider evidence that supports the initial conclusion and evidence that may be contradictory to that conclusion.

The discussion in auditing circles about professional skepticism and how to appropriately apply it continues. It is a challenging notion that’s difficult to adequately articulate. Although it receives a lot of attention in the audit profession, it is a concept that, slightly altered, can be of value to other audit stakeholders. Doing so will help you create a stronger relationship with your auditor and, ultimately, improve the quality of the financial reporting process—and resulting outcome.

Blog
Professional skepticism and why it matters to audit stakeholders

As a new year is upon us, many people think about “out with the old and in with the new”. For those of us who think about technology, and in particular, blockchain technology, the new year brings with it the realization that blockchain is here to stay (at least in some form). Therefore, higher education leaders need to familiarize themselves with some of the technology’s possible uses, even if they don’t need to grasp the day-to-day operational requirements. Here’s a high-level perspective of blockchain to help you answer some basic questions.

Are blockchain and bitcoin interchangeable terms?

No they aren’t. Bitcoin is an electronic currency that uses blockchain technology, (first developed circa 2008 to record bitcoin transactions). Since 2008, many companies and organizations utilize blockchain technology for a multitude of purposes.

What is a blockchain?

In its simplest terms, a blockchain is a decentralized, digital list (“chain”) of timestamped records (“blocks”) that are connected, secured by cryptography, and updated by participant consensus.

What is cryptography?

Cryptography refers to converting unencrypted information into encrypted information—and vice versa—to both protect data and authenticate users.

What are the pros of using blockchain?

Because blockchain technology is inherently decentralized, you can reduce the need for “middleman” entities (e.g., financial institutions or student clearinghouses). This, in turn, can lower transactional costs and other expenses, and cybersecurity risks—as hackers often like to target large, info-rich, centralized databases.

Decentralization removes central points of failure. In addition, blockchain transactions are generally more secure than other types of transactions, irreversible, and verifiable by the participants. These transaction qualities help prevent fraud, malware attacks, and other risks and issues prevalent today.

What are the cons of using blockchain technology?

Each blockchain transaction requires signature verification and processing, which can be resource-intensive. Furthermore, blockchain technology currently faces strong opposition from certain financial institutions for a variety of reasons. Finally, although blockchains offer a secure platform, they are not impervious to cyberattacks. Blockchain does not guarantee a hacker-proof environment.

How can blockchain benefit higher education institutions?

Blockchain technology can provide higher education institutions with a more secure way of making and recording financial transactions. You can use blockchains to verify and transfer academic credits and certifications, protect student personal identifiable information (PII) while simultaneously allowing students to access and transport their PII, decentralize academic content, and customize learning experiences. At its core, blockchain provides a fresh alternative to traditional methods of identity verification, an ongoing challenge for higher education administration.

As blockchain becomes less of a buzzword and begins to expand beyond the realm of digital currency, colleges and universities need to consider it for common challenges such as identity management, application processing, and student credentialing. If you’d like to discuss the potential benefits blockchain technology provides, please contact me.

Blog
Higher education and blockchain 101: It's not just for bitcoin anymore

Effective October 1, 2019, Skilled Nursing Facilities (SNF)s will be reimbursed under a new payment system.

The existing case mix classification group, Resource Utilization Group IV (RUG- IV) will be replaced with a new case mix model, the Patient Driven Payment Model (PDPM). CMS has indicated factors leading to the change in the payment system include over utilization of therapy and incentives for longer lengths of stay.

Background and overview
PDPM is one of the initiatives resulting from the Improving Medicare Post-Acute Care Transformation Act of 2014 (the IMPACT Act). The IMPACT Act requires standardized patient assessment data across post-acute care (PAC) settings to enable:

  • Comparisons of quality and information exchange across post-acute settings
  • Improvement of Medicare beneficiary outcomes through shared-decision making, care coordination, and enhanced discharge planning
  • Non-therapy ancillaries (NTA) payment is determined by a base rate and separate CMI. NTA is a variable payment, paid at 300% for the first three days, and then reduced to 100% after day four.
  • Payments based on patient characteristics

PDPM will be a significant shift in how SNFs are paid, and facilities need to start preparing for the change. PDPM:

  • Removes therapy minutes as a determinant of payment and creates a new model where payment is linked to differences in clinical characteristics
  • Creates a separate payment component for non-therapy ancillaries (NTA), using resident characteristics to predict utilization of these services
  • Focuses on clinically relevant factors and ICD-10 diagnosis codes to determine payment

Value Base Purchasing (VBP), SNF Quality Reporting Program and PDPM are all initiatives advancing the IMPACT act and moving payment from fee for service to value. SNFs have been reporting quality measures since May 2017, and are subject to a 2% (VBP) payment adjustment if they don’t submit the quality measures.

In October of 2018, SNFs began receiving a payment adjustment based on hospital readmissions under the SNF Quality Reporting Program. The implementation of PDPM will be one more step towards moving reimbursement for care from volume to value.

PDPM shifts payment to residents with complex clinical needs, and targets the resources towards beneficiaries with diverse care needs. Its goal is to aim care at the more medically complex patients. There are six components in the daily rate:

  • Physical therapy
  • Occupational therapy
  • Speech therapy
  • Nursing
  • Non-therapy ancillary services
  • Non-case mix

The components are all taken from the five-day minimum data set (MDS), and assigned a daily rate based on that components case mix index (CMI). Therapy is broken out into the three disciplines (physical, speech and occupational), with each having its own base rate and case mix index:

  • Therapy payment is a variable payment paid at 100% for the first 20 days, and then reduced by 2% every seven days. 
  • Nursing services payment is a base rate with a separate case mix, with no variable payment.
  • Non-therapy ancillaries (NTA) payment is determined by a base rate and separate CMI. NTA is a variable payment, paid at 300% for the first three days, and then reduced to 100% after day four.

Under PDPM, payment is based on each aspect of the resident’s care. Payment is still a per diem payment—however, it is adjusted to reflect varying costs throughout the resident’s stay.

The admissions process is going to be critical to ensure appropriate payment. Accurate coding of patient conditions must occur at the time of admission, and while the information coming from the hospital will be helpful, facilities cannot rely on hospital information when coding the MDS. Diagnosis and accurate coding are critical to assigning the appropriate case mix group to make certain there is adequate payment for the stay.

Patients over Paperwork
PDPM emphasizes patients over paperwork, as it eliminates the current (MDS) schedule. The new model only requires an assessment at five days and a final discharge assessment.

Facilities can perform an optional interim payment assessment within 14 days of a change in the resident’s characteristics. An interim payment assessment will not reset the NTA and therapy payments to day one. CMS is still working on guidance as to how you will need to report this.

If a patient leaves the facility and is away from the facility for less than three days, then the stay is considered the same admission. If the resident is away for more than three days, the admission is considered a new admission, and the NTAs and therapy payments are returned to day one payment.

The MDS has been an important tool in driving resident care over that last 30 years, and is relied upon for reimbursement and quality data. With the implementation of PDPM, the MDS will become even more important to reimbursement. As payment shifts from therapy focus to clinical characteristics focus, there will need to be more detailed documentation to support the medical condition. Under RUGs, there are approximately 20 items on the MDS which impact reimbursement?under PDPM, there will be approximately 160 items which impact reimbursement.

The implementation of PDPM will increase the importance of the role of the MDS coordinator. Facilities need to invest in a strong MDS coordinator to ensure appropriate assessment and documentation that support medical conditions—which drive payment.

While therapy minutes will no longer drive payment under PDPM, you still have to monitor them. Therapy will be reported on the final discharge MDS, separately by discipline. MDS will report therapy minutes by one-to-one sessions, concurrent, and group therapy. Total therapy delivered concurrently and/or in group sessions cannot be more than 25% of total therapy time.

Given the depth and breadth of the changes to the payment system, facilities need to begin preparing for the change now. What can you do in preparation for PDPM?

Educate yourself so you can plan for the transition to PDPM:

  • Know what is driving your current payments
  • Assess the skills of your staff and know your gaps
  • Attend education sessions
  • Train or retrain MDS nurse and billers on ICD-10 and the MDS
  • If you don’t already have care teams, form care teams
  • Determine who with in the facility should be on care teams

Align resources to be sure you are ready to bill on October 1, 2019:

  • Determine your hiring and training needs
  • Look at therapy contracts, how do they align with new payment model
  • Talk to software vendors to be sure they will be ready for the new MDS and ICD-10

For more information or assistance with PDPM contact Lisa Trundy-Whitten.

Blog
New Patient Driven Payment Model from CMS―What to expect and what to do

Good fundraising and good accounting do not always seamlessly align. While they all feed the same mission, fundraisers work to meet revenue goals while accountants focus on recording transactions in compliance with accounting standards. We often see development department totals reported to boards that are not in line with annual financial statements, causing confusion and concern. To bridge this information gap, here are five accounting concepts every not-for-profit fundraiser should know:

1.

GAAP Accounting: Generally Accepted Accounting Principles (GAAP) refers to a common set of accounting standards and procedures. There are as many ways for a donor to structure a gift as there are donors?GAAP provides a common foundation for when and how you should record these gifts.

2.

Pledges: Under GAAP, if there is a true, unconditional “promise to give,” you should record the total pledge as revenue in the current year (with a little present value discounting thrown in the mix for payments expected in future periods). A conditional pledge relies on a specific event happening in the future (think matching gift) and is not considered revenue until that condition is met. (See more on pledges and matching gifts here.) 

3.

Intentions: We sometimes see donors indicating they “intend” to donate a certain amount in the future. An intention on its own is not considered a true unconditional promise under GAAP, and isn’t recorded as revenue. This has a big impact with planned giving as we often see bequests recorded as revenue by the development department in the year the organization is named in the will of the donor—while the accounting guidance specifically identifies bequests as intentions to give that would generally not be recorded by the finance team until the will has been declared valid by the probate court.

4.

Restrictions: Donors often impose restrictions on some contributions, limiting the use of that gift to a specific time, program, or purpose. Usually, a gift like this arrives with some explicit communication from donors, noting how they want to apply the gift. A gift can also be considered restricted to a specific project if it is made in direct response to a solicitation for that project. The donor restriction does not generally determine when to record the gift but how to record it, as these contributions are tracked separately.

5. Gifts vs. Exchange: New accounting guidance has been released that provides more clarity on when a gift or grant is truly a contribution and when it might be an exchange transaction. Contact us if you have any questions.


Understanding the differences in how the development department and finance department track these gifts will allow for better reporting to the board throughout the year—and fewer surprises when you present financial statements at the end of the year. Stay tuned for parts two and three of our contribution series. Have questions? Please contact Emily Parker of Sarah Belliveau.

 

Blog
Accounting 101 for development directors: Five things to know

Your government agency just signed the contract to purchase and implement a shiny new commercial off-the-shelf (COTS) software to replace your aging legacy software. The project plan and schedule are set; the vendor is ready to begin configuration and customization tasks; and your team is eager to start the implementation process.

You are, in a word, optimistic. But here comes the next phase of the project—the gap analysis, in which your project team and the vendor’s project team test the new software to see how well it fulfills your requirements. Spending sufficient time and energy on the gap analysis increases the likelihood the resulting software is configured to support the desired workflows and processes of the agency, while taking advantage of the software’s features and benefits. Yet this phase can be stressful because it will identify some gaps between what you want and what the software can provide.

While some of the gaps may be resolved by simple adjustments to software configuration, others may not—and can result in major issues impacting project scope, schedule, and/or cost. How do you resolve these major gaps?

Multiple Methods. Don’t let your optimism die on the vine. There are, in fact, multiple ways to address major gaps to keep you on schedule and on budget. They include:

Documenting a change request through a formal change control process. This will likely result in the vendor documenting the results of the new project scope. This, in turn, may impact the project’s schedule and cost. It promotes best practice by formally documenting approved changes to project scope, including any impact on schedule and cost. However, the change request process may take longer than you may originally anticipate, as it includes:

Documenting the proposed change
Scoping the change, including the impact on cost and schedule
Review of the proposed scope change with the project team and vendor
Final approval of the change before the vendor can begin work

Collaborating with the vendor on a solution that fits within the confines of the selected software. With no actual customization required, this may result in a functionality compromise, and may also involve compromise by the project team and the vendor. However, it does not require a formal process to document and approve a change in scope, schedule or cost, since there are no impacts on these triple constraints.

Collaborating with the vendor and internal project stakeholders to redefine business processes. This may or may not result in a change request. It also promotes best practice, as the business processes become more efficient, and are supported by the selected software product without customization. This will require a focus on organizational change management, since the resulting processes are not reflective of the “way things are done today.”

Accepting the gap—and doing nothing. If the gap has little or no impact on business process efficiency or effectiveness, this method is likely the least impactful on the project, as there are no changes to scope, schedule, or cost. However, the concept of “doing nothing” to address the gap may have the same organizational change ramifications as the previous point.

Of course, there are other methods for addressing major software gaps. The BerryDunn team brings experience in facilitating discussions with agencies and their vendors to discuss gaps, their root causes, and possible solutions. We leverage a combination of project management discipline, organizational change management qualifications, and deep expertise to help clients increase the success likelihood for COTS software implementations—while maintaining their vital relationships with vendors.

Blog
Grappling with software gaps

All teams experience losing streaks, and all franchise dynasties lose some luster. Nevertheless, the game must go on. What can coaches do? The answer: be prepared, be patient, and be PR savvy. Business managers should keep these three P’s in mind as they read Chapter 8 in BerryDunn’s Cybersecurity Playbook for Management, which highlights how organizations can recover from incidents.

In the last chapter, we discussed incident response. What’s the difference between incident response and incident recovery?

RG: Incident response refers to detecting and identifying an incident—and hopefully eradicating the source or cause of the incident, such as malware. Incident recovery refers to getting things back to normal after an incident. They are different sides of the same resiliency coin.

I know you feel strongly that organizations should have incident response plans. Should organizations also have incident recovery plans?

RG: Absolutely. Have a recovery plan for each type of possible incident. Otherwise, how will your organization know if it has truly recovered from an incident? Having incident recovery plans will also help prevent knee-jerk decisions or reactions that could unintentionally cover up or destroy an incident’s forensic evidence.

In the last chapter, you stated managers and their teams can reference or re-purpose National Institute of Standards and Technology (NIST) special publications when creating incident response plans. Is it safe to assume you also suggest referencing or re-purposing NIST special publications when creating incident recovery plans?

RG: Yes. But keep in mind that incident recovery plans should also mesh with, or reflect, any business impact analyses developed by your organization. This way, you will help ensure that your incident recovery plans prioritize what needs to be recovered first—your organization’s most valuable assets.

That said, I should mention that cybersecurity attacks don’t always target an organization’s most valuable assets. Sometimes, cybersecurity attacks simply raise the “misery index” for a business or group by disrupting a process or knocking a network offline.

Besides having incident recovery plans, what else can managers do to support incident recovery?

RG: Similar to what we discussed in the last chapter, managers should make sure that internal and external communications about the incident and the resulting recovery are consistent, accurate, and within the legal requirements for your business or industry. Thus, having a good incident recovery communication plan is crucial. 

When should managers think about bringing in a third party to help with incident recovery?

RG: That’s a great question. I think this decision really comes down to the confidence you have in your team’s skills and experience. An outside vendor can give you a lot of different perspectives but your internal team knows the business. I think this is one area that it doesn’t hurt to have an outside perspective because it is so important and we often don’t perceive ourselves as the outside world does. 

This decision also depends on the scale of the incident. If your organization is trying to recover from a pretty significant or high-impact breach or outage, you shouldn’t hesitate to call someone. Also, check to see if your organization has cybersecurity insurance. If your organization has cybersecurity insurance, then your insurance company is likely going to tell you whether or not you need to bring in an outside team. Your insurance company will also likely help coordinate outside resources, such as law enforcement and incident recovery teams.

Do you think most organizations should have cybersecurity insurance? 

RG: In this day and age? Yes. But organizations need to understand that, once they sign up for cybersecurity insurance, they’re going to be scrutinized by the insurance company—under the microscope, so to speak—and that they’ll need to take their “cybersecurity health” very seriously.

Organizations need to really pay attention to what they’re paying for. My understanding is that many different types of cybersecurity insurance have very high premiums and deductibles. So, in theory, you could have a $1 million insurance policy, but a $250,000 deductible. And keep in mind that even a simple incident can cost more than $1 million in damages. Not surprisingly, I know of many organizations signing up for $10 million insurance policies. 

How can managers improve internal morale and external reputation during the recovery process?

RG: Well, leadership sets the tone. It’s like in sports—if a coach starts screaming and yelling, then it is likely that the players will start screaming and yelling. So set expectations for measured responses and reactions. 

Check in on a regular basis with your internal security team, or whoever is conducting incident recovery within your organization. Are team members holding up under pressure? Are they tired? Have you pushed them to the point where they are fatigued and making mistakes? The morale of these team members will, in part, dictate the morale of others in the organization.

Another element that can affect morale is—for lack of a better word—idleness resulting from an incident. If you have a department that can’t work due to an incident, and you know that it’s going to take several days to get things back to normal, you may not want department members coming into work and just sitting around. Think about it. At some point, these idle department members are going to grumble and bicker, and eventually affect the wider morale. 

As for improving external reputation?I don’t think it really matters, honestly, because I don’t think most people really, truly care. Why? Because everyone is vulnerable, and attacks happen all the time. At this point in time, cyberattacks seem to be part of the normal course and rhythm of business. Look at all the major breaches that have occurred over the past couple of years. There’s always some of immediate, short-term fallout, but there’s been very little long-term fallout. Now, that being said, it is possible for organizations to suffer a prolonged PR crisis after an incident. How do you avoid this? Keep communication consistent—and limit interactions between employees and the general public. One of the worst things that can happen after an incident is for a CEO to say, “Well, we’re not sure what happened,” and then for an employee to tweet exactly what happened. Mixed messages are PR death knells. 

Let’s add some context. Can you identify a business or group that, in your opinion, has handled the incident recovery process well?

RG: You know, I can’t, and for a very good reason. If a business or group does a really good job at incident recovery, then the public quickly forgets about the incident—or doesn’t even hear about it in the first place. Conversely, I can identify many businesses or groups that have handled the incident recovery process poorly, typically from a PR perspective.

Any final thoughts about resiliency?

RG: Yes. As you know, over the course of this blog series, I have repeated the idea that IT is not the same as security. These are two different concepts that should be tackled by two different teams—or approached in their appropriate context. Similarly, managers need to remember that resiliency is not an IT process—it’s a business process. You can’t just shove off resiliency responsibilities onto your IT team. As managers, you need to get directly involved with resiliency, just as you need to get directly involved with maturity, capacity, and discovery. 

So, we’ve reached the end of this blog series. Above all else, what do you hope managers will gain from it? 

RG: First, the perspective that to understand your organization’s cybersecurity, is to truly understand your organization and its business. And I predict that some managers will be able to immediately improve business processes once they better grasp the cybersecurity environment. Second, the perspective that cybersecurity is ultimately the responsibility of everyone within an organization. Sure, having a dedicated security team is great, but everyone—from the CEO to the intern—plays a part. Third, the perspective that effective cybersecurity is effective communication. A siloed, closed-door approach will not work. And finally, the perspective that cybersecurity is always changing, so that it’s a best practice to keep reading and learning about it. Anyone with questions should feel free to reach out to me directly.

Blog
Incident recovery: Cybersecurity playbook for management

Reading through the 133-page exposure draft for the Proposed Statement on Auditing Standards (SAS) Forming an Opinion and Reporting on Financial Statements of Employee Benefit Plans Subject to ERISA, issued back in April 2017, and then comparing it to the final 100+ page standard approved in September 2018, may not sound like a fun way to spend a Sunday morning sipping a coffee (or three), but I disagree.

Lucky for you, I have captured the highlights here. And it really is exciting. Our feedback was incorporated into the final standard both through written comments on the exposure draft and a voice via our firm’s Director of Quality Assurance, who holds a seat on the Auditing Standards Board.

"Limited scope" audits will no longer exist

The debate over the “limited scope” audit has been going on for years. The new standard is designed to help auditors clearly understand their responsibilities in performing an audit, and provide plan sponsors, plan participants, the Department of Labor (DOL), and other interested parties with more information about what auditors do in situations when audits are limited in scope by the plan’s management, which is permitted by DOL reporting and disclosure rules.

Once effective, Audit Committee and Board of Director meetings in which plan financial statements are presented will include more clarity into what an employee benefit plan audit entails, based on revisions to the auditor’s report. I know I would frequently kick off meetings covering the auditor’s report opinion by explaining what a “limited scope” audit was. As a “limited scope” audit will no longer exist, the revised auditor’s report language clearly articulates what the auditor is, and is not, opining on.

When is the new standard effective?

The effective date is “to be determined” as it will be aligned with the new overall auditor’s reporting standard once that is finalized, and the standard does not permit early adoption. So there is still time to educate and prepare all parties involved.

Probably the biggest conversation piece around the water cooler for the new standard is the lingo. The “limited scope” audit language will be going away and now the auditor’s report and all related language will refer to an “ERISA section 103(a)(3)(C)” audit. I know, it’s a mouthful?try and say that one three times fast!

The auditor's report will look much different

The auditor’s report under an ERISA section 103(a)(3)(C) audit will look significantly different from the old “limited scope” auditor’s report, once the standard is effective. There are several illustrative examples of reports included in the standard to refer to. One thing you will immediately notice?the auditor’s report is getting longer and not shorter. Some highlights:

The Opinion section will include two bullets that explicitly state, in basic summarized terms: (1) the certified information agrees to the financial statements, and (2)  the auditor’s opinion on everything else, which the auditor has audited.

Other Matter—Supplemental Schedules Required by ERISA section will include two bullets that explicitly state, in basic summarized terms, (1) the certified information agrees to the financial statements and (2) the auditor’s opinion on everything else, which the auditor has audited in relation to the financial statements. Sound similar to the Opinion section? Well, that’s because it is!).

Other key takeaways

  • Auditors will be required to make inquiries of management to gain assurance they performed procedures to determine the certifying institution is qualified for the ERISA section 103(a)(3)(C) audit, as it is management’s responsibility to make that determination.
  • Fair value disclosures included within the plan’s financial statements are also included under the certification umbrella and subject to the same audit procedures. As an auditor, if anything comes to our attention that does not meet expectations, we would further assess as necessary.
  • The auditor is required to obtain and read a draft Form 5500 prior to issuance of the auditor’s report.

The final standard also removed some highly debated provisions included in the draft proposal as follows:

  • There is no report on findings required, but the auditor is required to follow AU-C 250, AU-C 260 and AU-C 265. Should anything arise that warrants communication to those charged with governance, those findings must be communicated in writing. Be sure to grab another coffee and refresh yourself on AU-C 250, AU-C 260 and AU-C 265!
  • The new required procedures section for an audit was scrapped and replaced with an Appendix A for recommended audit procedures based on risk assessments. There are some great tools there to look at.
  • The required emphasis-of-matter section paragraph section of the auditor’s report was also scrapped.

Questions about the new employee benefit audit standard or employee benefit plan audits

At BerryDunn, we perform over 200 employee benefit plan audits each year. If you have any questions, we would love to help. And we’ll keep the acronyms to a minimum. Please reach out with any questions.

Blog
Auditing standards board approves new employee benefit plan auditing standard: What you need to know

With the wind down of the Federal Perkins Loan Program and announcement that the Federal Capital Contribution (FCC) (the federal funds contributed to the loan program over time) will begin to be repaid, higher education institutions must now decide how to handle these outstanding loans. The Department of Education’s (DOE)’s plans to recover their FCC (or “distribution of assets”) in the coming 2018-19 year can be found here, with the Fiscal Operations Report and Application to Participate (FISAP) playing a crucial role in the close-out excess cash calculation. Colleges and universities are now faced with two options:

  1. Continue servicing their loans, refunding future FCC excess cash as loans are repaid
  2. Assigning loans back to the DOE (subject to certain requirements)

Colleges and universities have been evaluating these options since the decision was made to not renew the loan program. There are many considerations when deciding which path to choose:

  • Continuing to service loans has the disadvantage of ongoing administrative costs. While there is potential an administrative cost allowance could be paid to institutions that continue to service loans in the future, legislation would need to be enacted for this to occur.
  • In assigning loans back to the DOE, the institution will lose any Institutional Capital Contribution (ICC).  It is important to note the decision of whether or not to assign loans has not reached “now or never” status. You can assign loans your institution continues to service to the DOE in the future.

NACUBO recently published advisory guidance on the Perkins Loan Program close-out. This guidance provides a broader look at the close-out process, and explores the ramifications of how the two options above can impact alumni relations. The guidance also provides a useful cost/benefit calculation template and sample accounting entries for the close-out process.

Need help or have additional questions? Our experience with Perkins Loan liquidation/closeout can help as you plot a course through the Perkins wind down.

Blog
Winding down the Perkins Loan Program: "Should I stay or should I go?"

Modernization means different things to different people—especially in the context of state government. For some, it is the cause of a messy chain reaction that ends (at best) in frustration and inefficiency. For others, it is the beneficial effect of a thoughtful and well-planned series of steps. The difference lies in the approach to transition - and states will soon discover this as they begin using the new Comprehensive Child Welfare Information System (CCWIS), a case management information system that helps them provide citizens with customized child welfare services.

The benefits of CCWIS are numerous and impressive, raising the bar for child welfare and providing opportunities to advance through innovative technology that promotes interoperability, flexibility, improved management, mobility, and integration. However, taking advantage of these benefits will also present challenges. Gone are the days of the cookie-cutter, “one-size-fits-all” approach. Here are five facts to consider as you transition toward an effective modernization.

  1. There are advantages and challenges to buying a system versus building a system internally. CCWIS transition may involve either purchasing a complete commercial off-the-shelf (COTS) product that suits the state, or constructing a new system internally with the implementation of a few purchased modules. To decide which option is best, first assess your current systems and staff needs. Specifically, consider executing a cost-benefit analysis of options, taking into account internal resource capabilities, feasibility, flexibility, and time. This analysis will provide valuable data that help you assess the current environment and identify functional gaps. Equipped with this information, you should be ready to decide whether to invest in a COTS product, or an internally-built system that supports the state’s vision and complies with new CCWIS regulations.
     
  2. Employ a modular approach to upgrading current systems or building new systems. The Children’s Bureau—an office of the Administration for Children & Families within the U.S. Department of Health and Human Services—defines “modularity” as the breaking down of complex functions into separate, manageable, and independent components. Using this modular approach, CCWIS will feature components that function independently, simplifying future upgrades or procurements because they can be completed on singular modules rather than the entire system. Modular systems create flexibility, and enable you to break down complex functions such as “Assessment and Intake,” “Case Management,” and “Claims and Payment” into modules during CCWIS transition. This facilitates the development of a sustainable system that is customized to the unique needs of your state, and easily allows for future augmentation.
     
  3. Use Organizational Change Management (OCM) techniques to mitigate stakeholder resistance to change. People are notoriously resistant to change. This is especially true during a disruptive project that impacts day-to-day operations—such as building a new or transitional CCWIS system. Having a comprehensive OCM plan in place before your CCWIS implementation can help ensure that you assign an effective project sponsor, develop thorough project communications, and enact strong training methods. A clear OCM strategy should help mitigate employee resistance to change and can also support your organization in reaching CCWIS goals, due to early buy-in from stakeholders who are key to the project’s success.
     
  4. Data governance policies can help ensure you standardize mandatory data sharing. For example, the Children’s Bureau notes that a Title IV-E agency with a CCWIS must support collaboration, interoperability, and data sharing by exchanging data with Child Support Systems?Title IV-D, Child Abuse/Neglect Systems, Medicaid Management Information Systems (MMIS), and many others as described by the Children’s Bureau.

    Security is a concern due to the large amount of data sharing involved with CCWIS systems. Specifically, if a Title IV-E agency with a CCWIS does not implement foundational data security measures across all jurisdictions, data could become vulnerable, rendering the system non-compliant. However, a data governance framework with standardized policies in place can protect data and surrounding processes.
     
  5. Continuously refer to federal regulations and resources. With the change of systems comes changes in federal regulations. Fortunately, the Children’s Bureau provides guidance and toolkits to assist you in the planning, development, and implementation of CCWIS. Particularly useful documents include the “Child Welfare Policy Manual,” “Data Sharing for Courts and Child Welfare Agencies Toolkit,” and the “CCWIS Final Rule”. A comprehensive list of federal regulations and resources is located on the Children’s Bureau website.

    Additionally, the Children’s Bureau will assign an analyst to each state who can provide direction and counsel during the CCWIS transition. Continual use of these resources will help you reduce confusion, avoid obstacles, and ultimately achieve an efficient modernization program.

Modernization doesn’t have to be messy. Learn more about how OCM and data governance can benefit your agency or organization.

Blog
Five things to keep in mind during your CCWIS transition

Truly effective preventive health interventions require starting early, as evidenced by the large body of research and the growing federal focus on the role of Medicaid in addressing Social Determinants of Health (SDoH) and Adverse Childhood Experiences (ACEs).

Focusing on early identification of SDoH and ACEs, CMS recently announced its Integrated Care for Kids (InCK) model and will release the related Notice of Funding Opportunity this fall.

CMS describes InCK as a child-centered approach that uses community-based service delivery and alternative payment models (APMs) to improve and expand early identification, prevention, and treatment of priority health concerns, including behavioral health issues. The model’s goals are to improve child health, reduce avoidable inpatient stays and out-of-home placement, and create sustainable APMs. Such APMs would align payment with care quality and support provider/payer accountability for improved child health outcomes by using care coordination, case management, and mobile crisis response and stabilization services.

State Medicaid agencies have many things to consider when evaluating this funding opportunity. Building on current efforts and innovations, building or leveraging strong partnerships with community organizations, incentivizing evidence-based interventions, and creating risk stratification of the target population are critical parts of the InCK model. Here are three additional areas to consider:

1. Data. States will need information for early identification of children in the target population. State agencies?like housing, justice, child welfare, education, and public health have this information?and external organizations—such as childcare, faith-based, and recreation groups—are also good sources of early identification. It is immensely complicated to access data from these disparate sources. State Medicaid agencies will be required to support local implementation by providing population-level data for the targeted geographic service area.

  • Data collection challenges include a lack of standardized measures for SDoH and ACEs, common data field definitions, or consistent approaches to data classification; security and privacy of protected health information; and IT development costs.
  • Data-sharing agreements with internal and external sources will be critical for state Medicaid agencies to develop, while remaining mindful of protected health information regulations.
  • Once data-sharing agreements are in place, these disparate data sources, with differing file structures and nomenclature, will require integration. The integrated data must then be able to identify and risk-stratify the target population.

For any evaluative approach or any APM to be effective, clear quality and outcome measures must be developed and adopted across all relevant partner organizations.

2. Eligibility. Reliable, integrated eligibility and enrollment systems are crucial points of identification and make it easier to connect to needed services.

  • Applicants for one-benefit programs should be screened for eligibility for all programs they may need to achieve positive health outcomes.
  • Any agency at which potential beneficiaries appear should also have enrollment capability, so it is easier to access services.

3. Payment models. State Medicaid agencies may cover case management services and/or targeted case management as well as health homes; leverage Early and Periodic Screening, Diagnostic, and Treatment (EPSDT) services; and modify managed care organization contract language to encourage, incent, and in some cases, require services related to the InCK model and SDoH. Value-based payment models, already under exploration in numerous states, include four basic approaches:

  • Pay for performance—provider payments are tied directly to specific quality or efficiency indicators, including health outcomes under the provider organization’s control. 
  • Shared savings/risk—some portion of the organization’s compensation depends on the managed care entity achieving cost savings for the targeted patient population, while realizing specific health outcomes or quality improvement.
  • Pay for success—payment is dependent upon achieving desired outcomes rather than underlying services.
  • Capitated or bundled payments—managed care entities pay an upfront per member per month lump sum payment to an organization for community care coordination activities and link that with fee-for-service reimbursement for delivering value-added services.

By focusing on upstream prevention, comprehensive service delivery, and alternative payment models, the InCK model is a promising vehicle to positively impact children’s health. Though its components require significant thought, strategy, coordination, and commitment from state Medicaid agencies and partners, there are early innovators providing helpful examples and entities with vast Section 1115 waiver development and Medicaid innovation experience available to assist.

As state Medicaid agencies develop and implement primary and secondary prevention, cost savings can be achieved while meaningful improvements are made in children’s lives.

Blog
Three factors state medicaid agencies should consider when applying for InCK funding

Artificial Intelligence, or AI, is no longer the exclusive tool of well-funded government entities and defense contractors, let alone a plot device in science fiction film and literature. Instead, AI is becoming as ubiquitous as the personal computer. The opportunities of what AI can do for internal audit are almost as endless as the challenges this disruptive technology represents.

To understand how AI will influence internal audit, we must first understand what AI is.The concept of AI—a technology that can perceive the world directly and respond to what it perceives—is often attributed to Alan Turing, though the term “Artificial Intelligence” was coined much later in 1956 at Dartmouth College, in Hanover, New Hampshire. Turing was a British scientist who developed the machine that cracked the Nazis’ Enigma code. Turing thought of AI as a machine that could convince a human that it also was human. Turing’s humble description of AI is as simple as it is elegant. Fast-forward some 60 years and AI is all around us and being applied in novel ways almost every day. Just consider autonomous self- driving vehicles, facial recognition systems that can spot a fugitive in a crowd, search engines that tailor our online experience, and even Pandora, which analyzes our tastes in music.

Today, in practice and in theory, there are four types of AI. Type I AI may be best represented by IBM’s Deep Blue, a chess-playing computer that made headlines in 1996 when it won a match against Russian chess champion Gary Kasparov. Type I AI is reactive. Deep Blue can beat a chess champion because it evaluates every piece on the chessboard, calculates all possible moves, then predicts the optimal move among all possibilities. Type I AI is really nothing more than a super calculator, processing data much faster than the human mind can. This is what gives Type I AI an advantage over humans.

Type II AI, which we find in autonomous cars, is also reactive. For example, it applies brakes when it predicts a collision; but, it has a low form of memory as well. Type II AI can briefly remember details, such as the speed of oncoming traffic or the distance between the car and a bicyclist. However, this memory is volatile. When the situation has passed, Type II AI deletes the data from its memory and moves on to the next challenge down the road.

Type II AI's simple form of memory management and the ability to “learn” from the world in which it resides is a significant advancement. 
The leap from Type II AI to Type III AI has yet to occur. Type III AI will not only incorporate the awareness of the world around it, but will also be able to predict the responses and motivations of other entities and objects, and understand that emotions and thoughts are the drivers of behavior. Taking the autonomous car analogy to the next step, Type III AI vehicles will interact with the driver. By conducting a simple assessment of the driver’s emotions, the AI will be able to suggest a soothing playlist to ease the driver's tensions during his or her commute, reducing the likelihood of aggressive driving. Lastly, Type IV AI–a milestone that will likely be reached at some point over the next 20 or 30 years—will be self-aware. Not only will Type IV AI soothe the driver, it will interact with the driver as if it were another human riding along for the drive; think of “HAL” in Arthur C. Clarke’s 2001: A Space Odyssey.

So what does this all mean to internal auditors?
While it may be a bit premature to predict AI’s impact on the internal audit profession, AI is already being used to predict control failures in institutions with robust cybersecurity programs. When malicious code is detected and certain conditions are met, AI-enabled devices can either divert the malicious traffic away from sensitive data, or even shut off access completely until an incident response team has had time to investigate the nature of the attack and take appropriate actions. This may seem a rather rudimentary use of AI, but in large financial institutions or manufacturing facilities, minutes count—and equal dollars. Allowing AI to cut off access to a line of business that may cost the company money (and its reputation) is a significant leap of faith, and not for the faint of heart. Next generation AI-enabled devices will have even more capabilities, including behavioral analysis, to predict a user’s intentions before gaining access to data.

In the future, internal audit staff will no doubt train AI to seek conditions that require deeper analysis, or even predict when a control will fail. Yet AI will be able to facilitate the internal audit process in other ways. Consider AI’s role in data quality. Advances in inexpensive data storage (e.g., the cloud) have allowed the creation and aggregation of volumes of data subject to internal audit, making the testing of the data’s completeness, integrity, and reliability a challenging task considering the sheer volume of data. Future AI will be able to continuously monitor this data, alerting internal auditors not only of the status of data in both storage and motion, but also of potential fraud and disclosures.

The analysis won’t stop there.
AI will measure the performance of the data in meeting organizational objectives, and suggest where efficiencies can be gained by focusing technical and human resources to where the greatest risks to the organization exist in near real-time. This will allow internal auditors to develop a common operating picture of the day-to-day activities in their business environments, alerting internal audit when something doesn’t quite look right and requires further investigation.

As promising as AI is, the technology comes with some ethical considerations. Because AI is created by humans, it is not always vacant of human flaws. For instance, AI can become unpredictably biased. AI used in facial recognition systems has made racial judgments based on certain common facial characteristics. In addition, AI that gathers data from multiple sources that span a person’s financial status, credit status, education, and individual likes and dislikes could be used to profile certain groups for nefarious intentions. Moreover, AI has the potential to be weaponized in ways that we have yet to comprehend.

There is also the question of how internal auditors will be able to audit AI. Keeping AI safe from internal fraudsters and external adversaries is going to be paramount. AI’s ability to think and act faster than humans will challenge all of us to create novel ways of designing and testing controls to measure AI’s performance. This, in turn, will likely make partnerships with consultants that can fill knowledge gaps even more valuable. 

Challenges and pitfalls aside, AI will likely have a tremendous positive effect on the internal audit profession by simultaneously identifying risks and evaluating processes and control design. In fact, it is quite possible that the first adopters of AI in many organizations may not be the cybersecurity departments at all, but rather the internal auditor’s office. As a result, future internal auditors will become highly technical professionals and perhaps trailblazers in this new and amazing technology.

Blog
Artificial intelligence and the future of internal audit

The world of professional sports is rife with instability and insecurity. Star athletes leave or become injured; coaching staff make bad calls or public statements. The ultimate strength of a sports team is its ability to rebound. The same holds true for other groups and businesses. Chapter 7 in BerryDunn’s Cybersecurity Playbook for Management looks at how organizations can prepare for, and respond to, incidents.

The final two chapters of this Cybersecurity Playbook for Management focus on the concept of resiliency. What exactly is resiliency?
RG
: Resiliency refers to an organization’s ability to keep the lights on—to keep producing—after an incident. An incident is anything that disrupts normal operations, such as a malicious cyberattack or an innocent IT mistake.

Among security professionals, attitudes toward resiliency have changed recently. Consider the fact that the U.S. Department of Defense (DOD) has come out and said, in essence, that cyberwarfare is a war that it cannot win—because cyberwarfare is so complex and so nuanced. The battlefield changes daily and the opponents have either a lot of resources or a lot of time on their hands. Therefore, the DOD is placing an emphasis on responding and recovering from incidents, rather than preventing them.

That’s sobering.
RG
: It is! And businesses and organizations should take note of this attitude change. Protection, which was once the start and endpoint for security, has given way to resiliency.

When and why did this attitude change occur?
RG
: Several years ago, security experts started to grasp just how clever certain nation states, such as China and Russia, were at using malicious software. If you could point to one significant event, likely the 2013 Target breach is it.

What are some examples of incidents that managers need to prepare for?
RG
: Examples range from external breaches and insider threats to instances of malfeasance or incompetence. Different types of incidents lead to the same types of results—yet you can’t have a broad view of incidents. Managers should work with their teams to create incident response plans that reflect the threats associated with their specific line of business. A handful of general incident response plans isn’t going to cut it.

Managers need to work with their teams to develop a specific incident response plan for each specific type of incident. Why? Well, think of it this way: Your response to a careless employee should be different from your response to a malicious employee, for a whole host of legal reasons.

Incident response is not a cookie-cutter process. In fact, it is quite the opposite. This is one of the reasons I highly suggest that security teams include staff members with liberal arts backgrounds. I’m generalizing, but these people tend to be creative. And when you’re responding to incidents, you want people who can look at a problem or situation from a global or external perspective, not just a technical or operational perspective. These team members can help answer questions such as, what does the world see when they look at our organization? What organizational information might be valuable to, or targeted by, malicious actors? You’ll get some valuable fresh perspectives.

How short or long should the typical incident response plan be?
RG
: They can be as short as needed; I often see good incident response plans no more than three or four pages in length. However, it is important that incident response plans are task oriented, so that it is clear who does what next. And when people follow an incident response plan, they should physically or digitally check off each activity, then record each activity.

What system or software do you recommend for recording incidents and responses?
RG
: There are all types of help desk software you can use, including free and open source software. I recommend using help desk software with workflow capabilities so your team can assign and track tasks.

Any other tips for developing incident response plans?
RG
: First, managers should work with, and solicit feedback from, different data owners and groups within the organization—such as IT, HR, and Legal—when developing incident response plans. If you create these documents in a vacuum, they will be useless.

Second, managers and their teams should take their time and develop the most “solid” incident response plans possible. Don’t rush the process. The effectiveness of your incident response plans will be critical in assessing your organization’s ability to survive a breach. Because of this, you should be measuring your response plans through periodic testing, like conducting tabletop exercises.

Third, keep your organization’s customers in mind when developing these plans. You want to make sure external communications are consistent, accurate, and within the legal requirements for your business or industry. The last thing you want is customers receiving conflicting messages about the incident. This can cause unnecessary grief for you, but can also cause an unmeasurable loss of customer confidence.

Are there any decent incident response plans in the public domain that managers and their teams can adapt for their own purposes?
RG
: Yes. My default reference is the National Institute of Standards and Technology (NIST). NIST has many special publications that describe the incident response process, how to develop a solid plan, and how to test your plan.

Should organizations have dedicated incident response teams?
RG: Definitely. Larger organizations usually have the resources and ability to staff these teams internally. Smaller organizations may want to consider hiring a reputable third party to act as an incident response team. The key with hiring a third party? Don’t wait until an incident occurs! If you wait, you’re going to panic, and make panic-based decisions. Be proactive and hire a third party on retainer.

That said, even larger organizations should consider hiring a third party on an annual basis to review incident response plans and processes. Why? Because every organization can grow complacent, and complacency kills. A third party can help gauge the strengths and weaknesses of your internal incident response teams, and provide suggestions for general or specific training. A third party can also educate your organization about the latest and greatest cyber threats.

Should managers empower their teams to conduct internal “hackathons” in order to test incident response?
RG
: Sure! It’s good practice, and it can be a lot of fun for team members. There are a few caveats. First, don’t call it a “hackathon.” The word can elicit negative reactions from upper management—whose support you really need. Call it “active testing” or “continuous improvement exercises.” These activities allow team members to think creatively, and are opportunities for them to boost their cybersecurity knowledge. Second, be prepared for pushback. Some managers worry if team members gain more cybersecurity skills, then they’ll eventually leave the organization for another, higher-paying job. I think you should be committed to the growth of your team members; it’ll only make your organization more secure.

What are some best practices managers should follow when reporting incidents to their leadership?
RG
: Keep the update quick, brief, and to the point. Leave all the technical jargon out, and keep everything in a business context. This way leadership can grasp the ramifications of the event and understand what matters. Be prepared to outline how you’re responding and what actions leadership can take to support the incident response team and protect the business. In the last chapter, I mentioned what I call the General Colin Powell method of reporting, and I suggest using that method when informing leadership. Tell them what you know, what you don’t know, what you think, and what you recommend. Have answers, or at least a plan.

Above all else, don’t scare leadership. If you present them with panic, you’re going to get panic back. Be a calm voice in the storm. Management will respond better, as will your team.

Another thing to keep in mind is different business leaders have different responses to this sort of news. An elected official, for example, might react differently than the CEO of a private company, simply due to possible political fallout. Keep this context in mind when reporting incidents. It can help you craft the message.

How much organization-wide communication should there be about incidents?
RG
: That’s a great question, but a tough one to answer. Transparency is good, but it can also unintentionally lead to further incidents. Do you really want to let your whole organization know about an exploitable weakness? Also, employees can spread information about incidents on social media, which can actually lead to the spread of misinformation. If you are in doubt about whether or not to inform the entire organization about an incident, refer to your Legal Department. In general, organization-wide communication should be direct: We’ve had an incident; these are the facts; this is what you are allowed to say on social media; and this is what you’re not allowed to say on social media.

Another great but tough question: When do you tell the public about an incident? For this type of communication, you’re going to need buy-in from various sources: leadership, Legal, HR, and your PR team or external PR partners. You have to make sure the public messaging is consistent. Otherwise, citizens and the media will try to poke holes in your official story. And that can lead to even more issues.

So what’s next?
RG
: Chapter 8 will focus on how managers can help their organizations recover from a cybersecurity incident.

To find out when we post our next cybersecurity playbook article, please sign up to receive updates here.

Blog
Incident response: Cybersecurity playbook for management

Cloud services are becoming more and more omnipresent, and rapidly changing how companies and organizations conduct their day-to-day business.

Many higher education institutions currently utilize cloud services for learning management systems (LMS) and student email systems. Yet there are some common misunderstandings and assumptions about cloud services, especially among higher education administrative leaders who may lack IT knowledge. The following information will provide these leaders with a better understanding of cloud services and how to develop a cloud services strategy.

What are cloud services?

Cloud services are internet-based technology services provided and/or hosted by offsite vendors. Cloud services can include a variety of applications, resources, and services, and are designed to be easily scalable, cost effective, and fully managed by the cloud services vendor.

What are the different types?

Cloud services are generally categorized by what they provide. Today, there are four primary types of cloud services:

Cloud Service Types 

Cloud services can be further categorized by how they are provided:

  1. Private cloud services are dedicated to only one client. Security and control is the biggest value for using a private cloud service.
  2. Public cloud services are shared across multiple clients. Cost effectiveness is the best value of public cloud services because resources are shared among a large number of clients.
  3. Hybrid cloud services are combinations of on-premise software and cloud services. The value of hybrid cloud services is the ability to adopt new cloud services (private or public) slowly while maintaining on-premise services that continue to provide value.

How do cloud services benefit higher education institutions?

Higher education administrative leaders should understand that cloud services provide multiple benefits.
Some examples:

Cloud-Services-for-Higher-Education


What possible problems do cloud services present to higher education institutions?

At the dawn of the cloud era, many of the problems were technical or operational in nature. As cloud services have become more sophisticated, the problems have become more security and business related. Today, higher education institutions have to tackle challenges such as cybersecurity/disaster recovery, data ownership, data governance, data compliance, and integration complexities.

While these problems and questions may be daunting, they can be overcome with strong leadership and best-practice policies, processes, and controls.

How can higher education administrative leaders develop a cloud services strategy?

You should work closely with IT leadership to complete this five-step planning checklist to develop a cloud services strategy: 

1. 

Identify new services to be added or consolidated; build a business case and identify the return on investment (ROI) for moving to the cloud, in order to answer:

• 

What cloud services does your institution already have?

• 

What cloud services does your institution already have?

• 

What services should you consider replacing with cloud services, and why?

• 

How are data decisions being made?

2. 

Identify design, technical, network, and security requirements (e.g., private or public; are there cloud services already in place that can be expanded upon, such as a private cloud service), in order to answer:

• 

Is your IT staff ready to migrate, manage, and support cloud services?

• 

Do your business processes align with using cloud services?

• 

Do cloud service-provided policies align with your institution’s security policies?

• 

Do you have the in-house expertise to integrate cloud services with existing on-premise services?

3. 

Decide where data will be stored; data governance (e.g., on-premise, off-premise data center, cloud), in order to answer:

• 

Who owns the data in the institution’s cloud, and where?

• 

Who is accountable for data decisions?

4. 

Integrate with current infrastructure; ensure cloud strategy easily allows scalability for expansion and additional services, in order to answer:

• 

What integration points will you have between on-premise and cloud applications or services, and can the institution easily implement, manage, and support them?

5. 

Identify business requirements — budget, timing, practices, policies, and controls required for cloud services and compliance, in order to answer:

• 

Will your business model need to change in order to support a different cost model for cloud services (i.e., less capital for equipment purchases every three to five years versus a steady monthly/yearly operating cost model for cloud services)?

• 

Does your institution understand the current state and federal compliance and privacy regulations as they relate to data?

• 

Do you have a contingency plan if its primary cloud services provider goes out of business?

• 

Do your contracts align with institutional, state, and federal guidelines?

Need assistance?

BerryDunn’s higher education team focuses on advising colleges and universities in improving services, reducing costs, and adding value. Our team is well qualified to assist in understanding the cloud “skyscape.” If your institution seeks to maximize the value of cloud services or develop a cloud services strategy, please contact me.

Blog
Cloud services 101: An almanac for higher education leaders

Any sports team can pull off a random great play. Only the best sports teams, though, can pull off great plays consistently — and over time. The secret to this lies in the ability of the coaching staff to manage the team on a day-to-day basis, while also continually selling their vision to the team’s ownership. Chapter Six in BerryDunn’s Cybersecurity Playbook for Management looks at how managers can achieve similar success through similar actions.

The title of this chapter is “The Workflow.” What are we talking about today?
RG
: In previous chapters, we’ve walked managers through cybersecurity concepts like maturity, capacity, and discovery. Today, we’re going to discuss how you can foster a consistent and repeatable cybersecurity program — the cybersecurity workflow, if you will. And for managers, this is where game planning begins. To achieve success, they need to effectively oversee their team on a day-to-day basis, and continually sell the cybersecurity program to the business leadership for whom they work — the board or CEO.

Let’s dive right in. How exactly do managers oversee a cybersecurity program on a day-to-day basis?
RG
: Get out of the way, and let your team do its work. By this point, you should know what your team is capable of. Therefore, you need to trust your team. Yet you should always verify. If your team recommends purchasing new software, have your team explain, in business terms, the reasons for the purchase. Then verify those reasons. Operationalizing tools, for example, can be difficult and costly, so make sure they put together a road map with measurable outcomes before you agree to buy any tools — even if they sound magical!

Second, empower your team by facilitating open dialogue. If your team brings you bad news, listen to the bad news — otherwise, you’ll end up alienating people. Know that your team is going to find things within your organization’s “auditable universe” that are going to make you uncomfortable from a cybersecurity point of view. Nevertheless, you need to encourage your team to share the information, so don’t overreact.

Third, give your team a communication structure that squelches a crisis-mode mentality — “Everything’s a disaster!” In order to do that, make sure your team gives every weakness or issue they discover a risk score, and log the score in a risk register. That way, you can prioritize what is truly important.

Fourth, resolve conflicts between different people or groups on your team. Take, for example, conflict between IT staff and security staff, (read more here). It is a common issue, as there is natural friction between these groups, so be ready to deal with it. IT is focused on running operations, while security is focused on protecting operations. Sometimes, protection mechanisms can disrupt operations. Therefore, managers need to act as peacemakers between the two groups. Don’t show favoritism toward one group or another, and don’t get involved in nebulous conversations regarding which group has “more skin in the game.” Instead, focus on what is best for your organization from a business perspective. The business perspective ultimately trumps either IT or security concerns.

Talk about communication for a moment. Managers often come from business backgrounds, while technical staff often come from IT backgrounds. How do you foster clear communication across this divide?
RG
: Have people talk in simple terms. Require everyone on your team use plain language to describe what they know or think. I recommend using what I call the Colin Powell method of reporting:

1. Tell me what you know.
2. Tell me what you don’t know.
3. Tell me what you think.
4. Tell me what you recommend.

When you ask team members questions in personal terms — “Tell me what you know”—you tend to receive easy-to-understand, non-jargon answers.

Something that we really haven’t talked about in this series is cybersecurity training. Do you suggest managers implement regular cybersecurity training for their team?
RG
: This is complicated, and my response will likely be be a little controversial to many. Yes, most organizations should require some sort of cybersecurity training. But I personally would not invest a lot of time or money into cybersecurity training beyond the basics for most users and specific training for technical staff. Instead, I would plan to spend more money on resiliency — responding to, and recovering from, a cybersecurity attack or incident. (We’ll talk about resiliency more in the next two chapters.) Why? Well, you can train people all day long, but it only takes one person to be malicious, or to make an innocent mistake, that leads to a cybersecurity attack or incident. Let’s look at my point from a different perspective. Pretend you’re the manager of a bank, and you have some money to spend on security. Are you going to spend that money on training your employees how to identify a robber? Or are you going to spend that money on a nice, state-of-the-art vault?

Let’s shift from talking about staff to talking about business leadership. How do managers sell the cybersecurity program to them?
RG
: Use business language, not technical language. For instance, a CEO may not necessarily care much about the technical behavior of a specific malware, but they are going to really care about the negative effects that malware can have on the business.

Also, keep the conversation short, simple, and direct. Leadership doesn’t have time to hear about all you’re doing. Leadership wants progress updates and a clear sense of how the cybersecurity program is helping the business. I suggest discussing three to four high-priority security risks, and summarizing how you and your team are addressing those risks.

And always remember that in times of crisis, those who keep a cool head tend to gain the most support. Therefore, when talking to the board or CEO, don’t be the bearer of “doom and gloom.” Be calm, positive, empowering, and encouraging. Provide a solution. And make leadership part of the solution by reminding them that they, too, have cybersecurity responsibilities, such as communicating the value of the cybersecurity program to the organization — internal PR, in other words.

How exactly should a manager communicate this info to leadership? Do you suggest one-on-one chats, reports, or presentations?
RG
: This all depends on leadership. You know, some people are verbal learners; some people are visual learners. It might take some trial and error to figure out the best medium for conveying your information, and that’s OK. Remember: cybersecurity is an ongoing process, not a one-and-done event. However, if you are going to pursue the one-on-one chat route, just be prepared, materials-wise. If leadership asks for a remediation plan, then you better have that remediation plan ready to present!

What is one of the biggest challenges that managers face when selling cybersecurity programs to leadership?RG: One of the biggest challenges is addressing questions about ROI, because there often are no quantifiable financial ROIs for cybersecurity. But organizations have to protect themselves. So the question is, how much money is your organization willing to spend to protect itself? Or, in other words, how much risk can your organization reduce — and does this reduction justify the cost?

One possible way to communicate the value of cybersecurity to leadership is to compare it to other necessary elements within the organization, such as HR. What is the ROI of HR? Who knows? But do you really want your organization to lack an HR department? Think of all the possible logistic and legal issues that could swamp your organization without an HR department. It’s terrifying to think about! And the same goes for cybersecurity.

We’ve talked about how managers should communicate with their team and with business leadership. What about the organization as a whole?
RG
: Sure! Regular email updates are great, especially if you keep them “light,” so to speak. Don’t get into minutia. That said, I also think a little bit of secrecy goes a long way. Organizations need to be aware of, and vigilant toward, insider threats. Loose lips sink ships, you know? Gone are the days when a person works for an organization for 30+ years. Employees come and go pretty frequently. As a result, the concept of company loyalty has changed. So make sure your organization-wide updates don’t give away too much cybersecurity information.

So what’s next?
RG:
Chapter 7 will focus on how managers can help their organizations respond to a cybersecurity attack or incident.

Blog
The workflow: Cybersecurity playbook for management

For over four years the business community has been discussing the impact Accounting Standards Codification (ASC) 606, Revenue from Contracts with Customers, will have on financial reporting. As you evaluate the impact this standard will have on a manufacturers’ financial reporting practices, there are certain provisions of ASC 606 you should consider.

Then: Prior to ASC 606, manufacturers generally recognize revenue when persuasive evidence of an arrangement exists, delivery has occurred, the fees are fixed or determinable, and collection is reasonably assured. For most, this typically occurs when a product ships and the title to the product transfers to the customer.

Now: Under ASC 606, effective for annual reporting periods beginning after December 15, 2018 for non-public entities (December 15, 2017 for public entities), an entity should recognize revenue to depict the transfer of promised goods or services to customers in an amount that reflects the consideration to which the entity expects to be entitled in exchange for those goods or services. Under this core principle, an entity should:

  1. Identify its contracts with its customers,
  2. Identify performance obligations (promises) in the contract,
  3. Determine the transaction price,
  4. Allocate the transaction price to the performance obligations in the contract; and
  5. Recognize revenue when (or as) the entity satisfies the performance obligation. 

Who does it impact, and how?

For some manufacturers, ASC 606 will not impact their financial reporting practices since they satisfy their performance obligation when the product is shipped and the title has transferred to the customer. However, entities who manufacture highly specialized products may be required to recognize revenue over time if the entity’s performance creates an asset without an alternative use to the entity, and the entity has an enforceable right to compensation for performance completed to date.

Limitations

To determine if a product has an alternative use, the entity must assess whether it is restricted contractually from redirecting the asset for another use during production, or if there are practical limitations on the entity’s ability to redirect the product for another use. A contractual limitation must be substantive for it to be determined to not have an alternative use, e.g., the customer can enforce rights for delivery of the product. A restriction is not substantive if the product is largely interchangeable with other products the entity could transfer between customers without incurring a significant loss.

A practical limitation exists if the entity’s ability to redirect the product for another use results in significant economic losses, either from significant rework costs or having to sell the product at a loss. The alternative use assessment should be done at contract inception based on the product in its completed state, and not during the production process. Therefore, the point in time during production when a product becomes customized and not generic is irrelevant. If it is determined there is no alternative use, the entity has satisfied this criterion and must evaluate its enforceable right to compensation for performance completed to date.

Definitions and Distinctions

ASC 606 defines a contract as “an agreement between two or more parties that creates enforceable rights and obligations”. Accordingly, the definition of a contract may include, but not be limited to, a Purchase Order, Agreement for the Sale of Goods, Bill of Sale, Independent Contractor Agreement, etc. In applying this definition to business operations and revenue recognition, an entity must consider its individual business practices, and possibly individual customer arrangements in determining enforceability.

Once it is determined that the entity has an enforceable right to a payment, the amount of payment must also be considered. The amount that would “compensate” an entity for performance to date should be the estimated selling price of the goods or services transferred to date (for example, recovery of costs incurred plus a reasonable profit margin) rather than compensation for only the entity’s potential loss of profit if the contract were to be terminated. Accordingly, a payment that only covers the entity’s costs incurred to date or for the entity’s potential loss of profit if the contract was terminated does not allow for the recognition of revenue over time.

Compensation for a reasonable profit margin need not equal the profit margin expected if the contract was fulfilled as promised. Once the “enforceable right to compensation for performance completed to date” requirement has been met, an entity will then assess the appropriate method of recognizing revenue over a period of time using input or output methods, as provided under ASC 606.

For manufacturers of highly specialized products there may not be a simple answer for determining appropriate revenue recognition policies for each customer contract and evaluating the impact can be a challenging endeavor.

Next steps

If you would like guidance in analyzing the impact ASC 606 will have on a manufacturer’s financial reporting practices, including the potential impact it may have on bank covenants, borrowing base calculations, etc., please contact one of our dedicated commercial industry practice professionals.
 

Blog
New revenue recognition rules: Evaluating the impact on manufacturers

The late science fiction writer (and college professor) Isaac Asimov once said: “I do not fear computers. I fear the lack of them.” Had Asimov worked in higher ed IT management, he might have added: “but above all else, I fear the lack of computer staff.”

Indeed, it can be a challenge for higher education institutions to recruit and retain IT professionals. Private companies often pay more in a good economy, and in certain areas of the nation, open IT positions at colleges and universities outnumber available, qualified IT workers. According to one study from 2016, almost half of higher education IT workers are at risk of leaving the institutions they serve, largely for better opportunities and more supportive workplaces. Understandably, IT leadership fears an uncertain future of vacant roles—yet there are simple tactics that can help you improve the chances of filling open positions.

Emphasize the whole package

You need to leverage your institution’s strengths when recruiting IT talent. A focus on innovation, project leadership, and responsibility for supporting the mission of the institution are important attributes to promote when recruiting. Your institution should sell quality of life, which can be much more attractive than corporate culture. Many candidates are attracted to the energy and activity of college campuses, in addition to the numerous social and recreational outlets colleges provide.

Benefit packages are another strong asset for recruiting top talent. Schools need to ensure potential candidates know the amount of paid leave, retirement, and educational assistance for employees and employee family members. These added perks will pique the interest of many candidates who might otherwise have only looked at salary during the process.

Use the right job title

Some current school vacancies have very specific job titles, such as “Portal Administrator” or “Learning Multimedia Developer.” However, this specificity can limit visibility on popular job posting sites, reducing the number of qualified applicants. Job titles, such as “Web Developer” and “Java Developer,” can yield better search results. Furthermore, some current vacancies include a number or level after the job title (e.g., “System Administrator 2”), which also limits visibility on these sites. By removing these indicators, you can significantly increase the applicant pool.

Focus on service, not just technology

Each year, institutions deploy an increasing number of Software as a Service (SaaS) and hosted applications. As higher education institutions invest more in these applications, they need fewer personnel for day-to-day technology maintenance support. In turn, this allows IT organizations to focus limited resources on services that identify and analyze technology solutions, provide guidance to optimize technology investments, and manage vendor relationships. IT staff with soft skills will become even more valuable to your institution as they engage in more people- and process-centric efforts.

Fill in the future

It may seem like science fiction, but by revising your recruiting and retention tactics, your higher education institution can improve its chances of filling IT positions in a competitive job market. In a future blog, I’ll provide ideas for cultivating staff from your institution via student workers and upcoming graduates. If you’d like to discuss additional staffing tactics, send me an email.

Blog
No science fiction: Tactics for recruiting and retaining higher education IT positions

People are naturally resistant to change. Employees facing organizational change that will impact day-to-day operations are no exception, and they can feel threatened or fearful of what that change will bring. Even more challenging are multiyear initiatives where the project’s completion is years away.

How can your agency or organization help employees prepare for change—and stay motivated for an outcome—many years in the making?


Start With the Individual

Organizational change requires individual change. For the change to be successful and lasting, an agency should apply organizational change management strategies that help lead people to your desired outcome.

With any new project or initiative, people need to understand why the project is happening before they support it. Communicate the reasons for the change—and the benefit to the employee (what’s in it for them)—so each individual is more inclined to actively support the project. Clearly communicating the why at the onset of the project can help employees feel vested in, and part of, the change. As Socrates said, “The secret of change is to focus all your energy, not on fighting the old, but building the new.” A clear vision can inspire each employee’s desire for the “new” to succeed.

Shift to Individual Goals

It’s a challenge to maintain your employees’ motivation for an organizational change occurring over the long haul. Below are some suggestions on how to sustain interest and enthusiasm for multi-year projects:

  1. Break the project down into smaller, specific milestones. Short-term goals highlight important deadlines and create tangible progress points to reach and celebrate. The master project schedule should be an integration of the organizational change management plan and the project management plan so any resource constraints you identify in the project management plan also become an input when identifying change management resources and activity levels. This integration also highlights the importance of key organizational change management milestones and activities in an effort to ensure they are on a parallel tack as traditional project tasks.
  2. Effectively communicate status updates and successes. In large, agency-wide projects, there are often a variety of stakeholders, each with different communication expectations and needs. The methods, content, and frequency of communication will vary accordingly. Develop a communications strategy as part of your organizational change management plan, to identify who will be responsible to send communications, when and how they will be sent, key messages of the communications, and what feedback mechanisms are in place to continue the conversation after initial delivery. For example, the project team needs a different level of detail than the legislature, or the public. Making the content relevant to each stakeholder group is important because it gives each group what they need to know so they don’t drown in a flood of unneeded information.
  3. Create buy-in by involving employees. A feeling of ownership naturally results from participation in a project, which helps increase enthusiasm. Often the time to do this is when discussing changes to business processes. Once you determine the mandatory features of the future state, (e.g., financial controls, legal requirements, legislative mandates) consider including stakeholder feedback on decisions more focused on preference. It is important for stakeholders to see their suggestions accepted and implemented, or if not implemented, that there was at least a structured process for thoughtfully considering their feedback, and a business case for why their suggestions didn’t make it into the project.
  4. Conduct lessons learned assessments after each major milestone. The purpose of conducting lessons learned activities is to capture what worked and what didn’t. Using surveys or other feedback systems, such as debrief meetings, allows stakeholders to voice their thoughts or concerns. By soliciting feedback after each milestone, leadership can quickly adapt to challenges, address any misunderstandings or concerns, and capitalize on successes.
  5. Reinforce how the project meets the goals of the agency or organization. Maintaining enthusiasm and support for a long-term goal takes a constant reminder of the overall organizational goals. It is important for senior leadership to communicate the impact of the project on the agency or organization and to stakeholders and keep the project at the forefront of people’s minds. Project goals may change during the duration of the project, but the project sponsor should continue to be active and visible in communicating the goals and leading the project.

Change is difficult—change that is years in the making is even more challenging. Applying a structured organizational change management process and using these tips can help keep employees energized and help ensure you reach the desired project goals.

Blog
Change management: Keeping employees motivated during multiyear projects

Cost increases and labor issues have contributed to the rise of outsourcing as an option for senior living and health care providers.  While outsourcing of all types is a growing trend — from the C-suite to food service, it is a decision that should be considered carefully, as lack of planning could result in significant long-lasting financial, public relations and personnel losses. Let’s examine the outsourcing of billing services and collections.

If you are concerned with efficiencies and focusing on your core business needs — nursing care and rehabilitation — then your facility owners and management may have or are currently considering outsourcing one or both end stages of the revenue cycle.

There are some compelling reasons to outsource.

When choosing to outsource, your facility can reduce or even eliminate the challenge of keeping up with increasing complexities of medical billing, staff development and retraining, software costs, and workforce challenges. Smaller facilities can mitigate billing office resource shortages caused by staff vacations, medical leaves and turnover via outsourcing portions of their revenue cycle processes.

Because of a variety of software options, extensive coding and evolving reimbursement policies, professional billing and collection companies may be more efficient, delivering a stronger cash flow by reducing the rate of denied or rejected claims and assuring accurate coding. As facilities normally pay either a “per claim” fee or a percentage of their patient service revenue for this service, the facility’s cost fluctuates with changes in census or payer mix. Facilities may serve their customers better by decreasing insurance denials and reducing balance transfers to patients.

Outsourcing may help organizations to focus on their core business: senior living services.

Your facility should assess your organization’s readiness, fit and contract limitations prior to outsourcing. Here are some things to consider.

1. Be accountable. It is your facility’s ultimate responsibility to comply with all applicable rules and regulations, including HIPAA. And while signing a business associate agreement is a step in right direction, it may not guarantee peace of mind.

  • Ask a potential vendor about data transmission, storage, sharing, access and destruction policies, as well as processes designed to monitor compliance. Question any recent breaches or unauthorized access incidents — how were they handled? As HIPAA non-compliance and unauthorized access to protected health information (PHI) may result in financial penalties and bad publicity, you should evaluate the need to consult with an expert.
  • Ensure the vendor knows your state’s facility licensing regulations. For example, some states prohibit charging patients or residents any collection fees. Some states or payers require refunds for any overpayments to within certain defined periods. A good vendor will meet your state’s regulations. Ask to review their standard collection forms and collection procedures and protect your organization from unexpected non-compliance tags. 

2. Communicate. Discuss what information they require, when, in what format, and how they will make corrections. In-house billing staff can normally access a resident’s medical file, whether electronic or paper, or inquire with the facility operations team regarding a particular claim. This is not the case with an external vendor. 

  • To outsource effectively, you need to designate an in-house position to respond to missing information requests promptly. Facilities operating on web-based medical records software should evaluate the risks of granting a billing vendor even limited access to residents’ electronic medical files.
  • Review contract terms for any up charges assessed by the vendor if your facility can’t respond to information requests in a timely fashion. 

3. Understand and agree upon the scope of the contract. Contract scope misunderstanding can have long-lasting financial implications for the facility, and result in increased bad debt. Your management team should compile a list of assumptions and agreement terms not stated clearly in the contract, and address them in a meeting before accepting the terms. At a minimum, get answers to these questions:

  • Is the vendor submitting bills for all types of payers, levels of care and billing forms, including private, private long-term care insurance, adult day and outpatient, or only certain electronic claims?
  • Is the vendor responsible for notifying your organization of any delays with claim processing, payer requests for supporting medical records and any other identified administrative requests and rejections? If so, how fast and in what format?
  • Is the vendor responsible for assisting with regulatory compliance reporting, such as required data for a cost report preparation, audit, etc.?
  • What minimum quality assurance steps does the vendor apply when generating and processing claims, and how do they remedy identified issues?
  • Is the vendor only submitting bills or are they also working on collections?
  • Is the facility or a vendor responding to resident requests for additional information or questions about the billing statements?

4. Maintain alignment with the organization’s philosophy and vision. As with any other area of operations you consider outsourcing, outsourcing billing and collections requires careful examination of its impact on customer service and community relations. If a vendor produces co-pay and private pay invoices or statements, will you have control over the format and presentation of these mailings? If a vendor is engaged to perform collections follow up, your management team needs to understand collections procedures and methods used and ensure they are a good fit with your mission.

5. Set goals and benchmarks. Your management should analyze days in accounts receivable, accounts receivable aging trends, and cash as a percent of net revenue monthly, and then meet with the vendor promptly to understand the causes of any undesired trends and work on remedial plan. 

6. Understand your organization’s reasons for outsourcing. If your facility struggles with completing resident pre-admission screening, obtaining prior authorizations, or staying on top of Medicaid applications and recertifications — stop. Outsourcing is very unlikely to remedy these situations and could even make them worse. We recommend seeking the assistance of an experienced revenue cycle or process improvement consultant before outsourcing any portion of the billing and collections process.

The BerryDunn Senior Living team welcomes your feedback, and is always one phone call or email away, should your organization need to take a deeper look at revenue cycle and process improvement opportunities.

Blog
Can outsourcing increase revenues and reduce cycle time? Yes, if it's the right fit

Over the course of its day-to-day operations, every organization acquires, stores, and transmits Protected Health Information (PHI), including names, email addresses, phone numbers, account numbers, and social security numbers.

Yet the security of each organization’s PHI varies dramatically, as does its need for compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Organizations that meet the definition of a covered entity or business associate under HIPAA must comply with requirements to protect the privacy and security of health information.

Noncompliance can have devastating consequences for an organization, including:

  • Civil violations, with fines ranging from $100 to $50,000 per violation
  • Criminal penalties, with fines ranging from around $50,000 to $250,000, plus imprisonment

All it takes is just one security or privacy breach. As breaches of all kinds continue to rise, this may be the perfect time to evaluate the health of your organization’s HIPAA compliance. To keep in compliance and minimize your risk of a breach, your organization should have:

  • An up-to-date and comprehensive HIPAA security and privacy plan
  • Comprehensive HIPAA training for employees
  • Staff who are aware of all PHI categories
  • Sufficiently encrypted devices and strong password policies

HIPAA Health Check: A Thorough Diagnosis

If your organization doesn’t have these safeguards in place, it’s time to start preparing for the worst — and undergo a HIPAA health check.

Organizations need to understand what they have in place, and where they need to bolster their practice. Here are a variety of fact-finding methods and tools we recommend, including (but not limited to):

  • Administrative, technical, and physical risk analyses
  • Policy, procedure, and business documentation reviews
  • Staff surveys and interviews
  • IT audits and testing of data security

Once you have diagnosed your organization’s “as-is” status, you need to move your organization toward the “to-be” status — that is, toward HIPAA compliance — by:

  • Prioritizing your HIPAA security and privacy risks
  • Developing tactics to mitigate those risks
  • Providing tools and tactics for security and privacy breach prevention and minimization
  • Creating or updating policies, procedures, and business documents, including a HIPAA security and privacy plan

As each organization is different, there are many factors to consider as you go through these processes, and customize your approach to the HIPAA-compliance needs of your organization.

The Road to Wellness

An ounce of prevention is worth a pound of cure. Don’t let a security or privacy breach jump-start the compliance process. Reach out to us for a HIPAA health check. Contact us if you have any questions on how to get your organization on the road to wellness.

Blog
How healthy is your organization's HIPAA compliance?

Just as sports teams need to bring in outside resources — a new starting pitcher, for example, or a free agent QB — in order to get better and win more games, most organizations need to bring in outside resources to win the cybersecurity game. Chapter 4 in our Cybersecurity Playbook for Management looks at how managers can best identify and leverage these outside resources, known as external capacity.

In your last blog, you mentioned that external capacity refers to outside resources — people, processes, and tools — you hire or purchase to improve maturity. So let’s start with people. What advice would you give managers for hiring new staff?
RG: I would tell them to search for new staff within their communities of interest. For instance, if you’re in financial services, use the Financial Services Information Sharing and Analysis Center (FS-ISAC) as a resource. If you’re in government, look to the Multi-State Information Sharing and Analysis Center (MS-ISAC). Perhaps more importantly, I would tell managers what NOT to do.

First, don’t get caught up in the certification trap. There are a lot of people out there who are highly qualified on paper, but who don’t have a lot of the real-world experience. Make sure you find people with relevant experience.

Second, don’t blindly hire fresh talent. If you need to hire a security strategist, don’t hire someone right out of college just getting started. While they might know security theories, they’re not going to know much about business realities.

Third, vet your prospective hires. Run national background checks on them, and contact their references. While there is a natural tendency to trust people, especially cybersecurity professionals, you need to be smart, as there are lots of horror stories out there. I once worked for a bank in Europe that had hired new security and IT staff. The bank noticed a pattern: these workers would work for six or seven months, and then just disappear. Eventually, it became clear that this was an act of espionage. The bank was ripe for acquisition, and a second bank used these workers to gather intelligence so it could make a takeover attempt. Every organization needs to be extremely cautious.

Finally, don’t try to hire catchall staff. People in management often think: “I want someone to come in and rewrite all of our security policies and procedures, and oversee strategic planning, and I also want them to work on the firewall.” It doesn’t work that way. A security strategist is very different from a firewall technician — and come with two completely different areas of focus. Security strategists focus on the high-level relationship between business processes and outside threats, not technical operations. Another point to consider: if you really need someone to work on your firewall, look at your internal capacity first. You probably already have staff who can handle that. Save your budget for other resources.

You have previously touched upon the idea that security and IT are two separate areas.
RG
: Yes. And managers need to understand that. Ideally, an organization should have a Security Department and an IT Department. Obviously, IT and Security work hand-in-glove, but there is a natural friction between the two, and that is for good reason. IT is focused on running operations, while security is focused on protecting them. Sometimes, protection mechanisms can disrupt operations or impede access to critical resources.

For example, two-factor authentication slows down the time to access data. This friction often upsets both end users and IT staff alike; people want to work unimpeded, so a balance has to be struck between resource availability and safeguarding the system itself. Simply put, IT sometimes cares less about security and more about keeping end users happy — and while that it is important, security is equally important.

What’s your view on hiring consultants instead of staff?
RG
: There are plenty of good security consultants out there. Just be smart. Vet them. Again, run national background checks, and contact their references. Confirm the consultant is bonded and insured. And don’t give them the keys to the kingdom. Be judicious when providing them with administrative passwords, and distinguish them in the network so you can keep an eye on their activity. Tell the consultant that everything they do has to be auditable. Unfortunately, there are consultants who will set up shop and pursue malicious activities. It happens — particularly when organizations hire consultants through a third-party hiring agency. Sometimes, these agencies don’t conduct background checks on consultants, and instead expect the client to.

The consultant also needs to understand your business, and you need to know what to expect for your money. Let’s say you want to hire a consultant to implement a new firewall. Firewalls are expensive and challenging to implement. Will the consultant simply implement the firewall and walk away? Or will the consultant not only implement the firewall, but also teach and train your team in using and modify the firewall? You need to know this up front. Ask questions and agree, in writing, the scope of the engagement — before the engagement begins.

What should managers be aware of when they hire consultants to implement new processes?
RG
: Make sure that the consultant understands the perspectives of IT, security, and management, because the end result of a new process is always a business result, and new processes have to make financial sense.

Managers need to leverage the expertise of consultants to help make process decisions. I’ll give you an example. In striving to improve their cybersecurity maturity, many organizations adopt a cybersecurity risk register, which is a document used to list the organization’s cybersecurity risks, record actions required to mitigate those risks, and identify who “owns” the risk. However, organizations usually don’t know best practices for using a risk register. This sort of tool can easily become complex and unruly, and people lose interest when extracting data from a register becomes difficult or consumes a lot of time reading.

A consultant can help train staff in processes that maximize a risk register’s utility. Furthermore, there’s often debate about who owns certain risks. A consultant can objectively arbitrate who owns each risk. They can identify who needs to do X, and who needs to do Y, ultimately saving time, improving staff efficiency, and greatly improving your chances of project success.

Your mention of a cybersecurity risk register naturally leads us to the topic of tools. What should managers know about purchasing or implementing new technology?
RG
: As I mentioned in the last blog, organizations often buy tools, yet rarely maximize their potential. So before managers give the green light to purchase new tools, they should consider ways of leveraging existing tools to perform more, and more effective, processes.

If a manager does purchase a new tool, they should purchase one that is easy to use. Long learning curves can be problematic, especially for smaller organizations. I recommend managers seek out tools that automate cybersecurity processes, making the processes more efficient.

For example, you may want to consider tools that perform continuous vulnerability scans or that automatically analyze data logs for anomalies. These tools may look expensive at first glance, but you have to consider how much it would cost to hire multiple staff members to look for vulnerabilities or anomalies.

And, of course, managers should make sure that a new tool will truly improve their organization’s safeguards against cyber-attack. Ask yourself and your staff: Will this tool really reduce our risk?

Finally, managers need to consider eliminating tools that aren’t working or being used. I once worked with an organization that had expensive cybersecurity tools that simply didn’t function well. When I asked why it kept them, I was told that the person responsible for them was afraid that a breach would occur if they were removed. Meanwhile, these tools were costing the organization around $60,000 a month. That’s real money. The lesson: let business goals, and not fear, dictate your technology decisions.

So, what’s next?
RG
: So far in this series we have covered the concepts of maturity and capacity. Next, we’re going to look at the concept of discovery. Chapter 5 will focus on internal audit strategies that you can use to determine, or discover, whether or not your organization is using tools and processes effectively.

Blog
External capacity: Cybersecurity playbook for management

As a leader in a higher education institution, you'll be familiar with this paradox: Every solution can lead to more problems, and every answer can lead to more questions. It’s like navigating an endless maze. When it comes to mobile apps, the same holds true. So, the question: Should your institution have a mobile app? The Answer? Absolutely.

Devices, not computers, are how millenials communicate, gather, inform, and engage. Millennials, on average, spend 90 hours per month on mobile apps, not including web searches and website visits.

Students are no exception. A 2016 Nielsen study showed that 98% of millennials aged 18 – 24, and 97% of millennials aged 25 – 34, owned a smartphone, while a 2017 comScore report stated that one out of five millennials no longer use desktop devices, including laptops. Mobile apps have quickly filled the desktop void, and as students grow more reliant on mobile technology, colleges and universities are in the mix, creating apps to bolster student engagement.

So should you create an app? Here are some questions you should answer before creating a mobile app. Welcome to the labyrinth! But don’t be frustrated—answer these questions to help you avoid dead ends and overspending.

1. Is a mobile app part of your IT Strategy? Including a mobile app in your IT strategy minimizes confusion at all levels about the objectives of mobile app implementation. It also helps dictate whether an institution needs multiple mobile apps for various functions, or a primary app that connects users with other functionality. If an institution has multiple campuses, should you align all campuses with a single app, or if will each campus develop their own?

2. What will the app do? Mobile apps can perform a multitude of functions, but for the initial implementation, select a few key functions in one main area, such as academics or student life. Institutions can then add functionality in the future as mobile adoption grows, and demand for more functions increases.

3. Who will use the app? Mobile apps certainly improve engagement throughout the student life cycle—from prospect to student to alumni—but they also present opportunities for increased faculty, staff, and community engagement. And while institutions should identify the immediate audience of the app, they should also identify future users, based upon functionality.

4. Who will manage the app? Institutions should determine who is going to manage the mobile app, and how. The discussion should focus on access, content, and functionality. Is the institution going to manage everything in house, from development to release to support, or will a mobile app vendor provide this support under contract? Depending on your institution, these discussions will vary.

5. What data will the app use? Like any new software system, an app is only as good as its supporting data. It’s important to assess the systems to integrate with the mobile app, and determine if the systems’ data is up-to-date and ready for integration. Consider the use of application program interfaces, or APIs. APIs allow apps and platforms to interact with one another. They can enable social media, news, weather, and entertainment apps to connect with your institution’s app, enhancing the user experience with more content for users.

6. How much data security does your app need? Depending on the functionality of the app you create, you will need varying degrees of security, including user authentication safeguards and other protections to keep information safe.

7. How much can you spend for the app? Your institution should decide how much you will spend on initial app development, with an eye toward including maintenance and development costs for future functionality. Complexity increases costs, so you will need to  budget accordingly. Include budget planning for updates and functionality improvements after launch.

You will also need to establish a timeline for the project and roll out. And note that apps deployed toward the end of the academic year experience less adoption than apps deployed at the beginning of the academic year.

Once your institution answers these questions, you will be off to a good start. And as I stated earlier, every answer to a question can lead to more questions. If your institution needs help navigating the mobile app labyrinth, please reach out to me

Blog
The mobile app labyrinth: Seven questions higher education institutions should ask

It may be hard to believe some seasons, but every professional sports team currently has the necessary resources — talent, plays, and equipment — to win. The challenge is to identify and leverage them for maximum benefit. And every organization has the necessary resources to improve its cybersecurity. Chapter 3 in BerryDunn’s Cybersecurity Playbook for Management looks at how managers can best identify and leverage these resources, known collectively as internal capacity.

The previous two chapters focused on using maturity models to improve an organization’s cybersecurity. The next two are about capacity. What is the difference, and connection, between maturity and capacity, and why is it important? 
RG: Maturity refers to the “as is” state of an organization’s cybersecurity program compared to its desired “to be” state. Capacity refers to the resources an organization can use to reach the “to be” state. There are two categories of capacity: external and internal. External capacity refers to outside resources — people, processes, and tools — you can hire or purchase to improve maturity. (We’ll discuss external capacity more in our next installment.) Internal capacity refers to in-house people, processes, and tools you can leverage to improve maturity. 

Managers often have an unclear picture of how to use resources to improve cybersecurity. This is mainly because of the many demands found in today's business environments. I recommend managers conduct internal capacity planning. In other words, they need to assess the internal capacity needed to increase cybersecurity maturity. Internal capacity planning can answer three important questions:

1. What are the capabilities of our people?
2. What processes do we need to improve?
3. What tools do we have that can help improve processes and strengthen staff capability?

What does the internal capacity planning process look like?
RG
: Internal capacity planning is pretty easy to conduct, but there’s no standard model. It’s not a noun, like a formal report. It’s a verb — an act of reflection. It’s a subjective assessment of your team members’ abilities and their capacity to perform a set of required tasks to mature the cybersecurity program. These are not easy questions to ask, and the answers can be equally difficult to obtain. This is why you should be honest in your assessment and urge your people to be honest with themselves as well. Without this candor, your organization will spin its wheels reaching its desired “to be” state.

Let’s start with the “people” part of internal capacity. How can managers assess staff?RG: It’s all about communication. Talk to your staff, listen to them, and get a sense of who has the ability and desire for improving cybersecurity maturity in certain subject areas or domains, like Risk Management or Event and Incident Response. If you work at a small organization,  start by talking to your IT manager or director. This person may not have a lot of cybersecurity experience, but he or she will have a lot of operational risk experience. IT managers and directors tend to gravitate toward security because it’s a part of their overall responsibilities. It also ensures they have a voice in the maturing process.

In the end, you need to match staff expertise and skillsets to the maturity subject areas or domains you want to improve. While an effective manager already has a sense of staff expertise and skillsets, you can add a SWOT analysis to clarify staff strengths, weaknesses, opportunities, and threats.

The good news: In my experience, most organizations have staff who will take to new maturity tasks pretty quickly, so you don’t need to hire a bunch of new people.

What’s the best way to assess processes?
RG
: Again, it’s all about communication. Talk to the people currently performing the processes, listen to them, and confirm they are giving you honest feedback. You can have all the talent in the world, and all the tools in the world — but if your processes are terrible, your talent and tools won’t connect. I’ve seen organizations with millions of dollars’ worth of tools without the right people to use the tools, and vice versa. In both situations, processes suffer. They are the connective tissue between people and tools. And keep in mind, even if your current ones are good, most  tend to grow stale. Once you assess, you probably need to develop some new processes or improve the ones in place.

How should managers and staff develop new processes?
RG
: Developing new ones can be difficult  we’re talking change, right? As a manager, you have to make sure the staff tasked with developing them are savvy enough to make sure the processes improve your organization’s maturity. Just developing a new one, with little or no connection to maturity, is a waste of time and money. Just because measuring maturity is iterative, doesn’t mean your approach to maturing cybersecurity has to be. You need to take a holistic approach across a wide range of cybersecurity domains or subject areas. Avoid any quick, one-and-done processes. New ones should be functional, repeatable, and sustainable; if not, you’ll overburden your team. And remember, it takes time to develop new ones. If you have an IT staff that’s already struggling to keep up with their operational responsibilities, and you ask them to develop a new process, you’re going to get a lot of pushback. You and the IT staff may need to get creative — or look toward outside resources, which we’ll discuss in chapter 4.

What’s the best way to assess tools?
RG
: Many organizations buy many tools, rarely maximize their potential. And on occasion, organizations buy tools but never install them. The best way to assess tools is to select staff to first measure the organization’s inventory of tools, and then analyze them to see how they can help improve maturity for a certain domain or subject area. Ask questions: Are we really getting the maximum outputs those tools offer? Are they being used as intended?

I’ll give you an example. There’s a company called SolarWinds that creates excellent IT management tools. I have found many organizations use SolarWinds tools in very specific, but narrow, ways. If your organization has SolarWinds tools, I suggest reaching out to your IT staff to see if the organization is leveraging the tools to the greatest extent possible. SolarWinds can do so much that many organizations rarely leverage all its valuable feature.

What are some pitfalls to avoid when conducting internal capacity planning?
RG
: Don’t assign maturity tasks to people who have been with the organization for a really long time and are very set in their ways, because they may be reluctant to change. As improving maturity is a disruptive process, you want to assign tasks to staff eager to implement change. If you are delegating the supervision of the maturity project, don’t delegate it to a technology-oriented person. Instead, use a business-oriented person. This person doesn’t need to know a lot about cybersecurity — but they need to know, from a business perspective, why you need to implement the changes. Otherwise, your changes will be more technical in nature than strategic. Finally, don’t delegate the project to someone who is already fully engaged on other projects. You want to make sure this person has time to supervise the project.

Is there ever a danger of receiving incorrect information about resource capacity?
RG
: Yes, but you’ll know really quickly if a certain resource doesn’t help improve your maturity. It will be obvious, especially when you run the maturity model again. Additionally, there is a danger of staff advocating for the purchase of expensive tools your organization may not really need to manage the maturity process. Managers should insist that staff strongly and clearly make the case for such tools, illustrating how they will close specific maturity gaps.

When purchasing tools a good rule of thumb is: are you going to get three times the return on investment? Will it decrease cost or time by three times, or quantifiably reduce risk by three times? This ties in to the larger idea that cybersecurity is ultimately a function of business, not a function of IT. It also conveniently ties in with external capacity, the topic for chapter four.

To find out when we post our next cybersecurity playbook article, please sign up to receive updates here.

Blog
Tapping your internal capacity for better results: Cybersecurity playbook for management

It’s one thing for coaching staff to see the need for a new quarterback or pitcher. Selecting and onboarding this talent is a whole new ballgame. Various questions have to be answered before moving forward: How much can we afford? Are they a right fit for the team and its playing style? Do the owners approve?

Management has to answer similar questions when selecting and implementing a cybersecurity maturity model, and form the basis of this blog – chapter 2 in BerryDunn’s Cybersecurity Playbook for Management.

What are the main factors a manager should consider when selecting a maturity model?
RG: All stakeholders, including managment, should be able to easily understand the model. It should be affordable for your organization to implement, and its outcomes achievable. It has to be flexible. And it has to match your industry. It doesn’t make a lot of sense to have an IT-centric maturity model if you’re not an extremely high-tech organization. What are you and your organization trying to accomplish by implementing maturity modeling? If you are trying to improve the confidentiality of data in your organization’s systems, then the maturity model you select should have a data confidentiality domain or subject area.

Managers should reach out to their peer groups to see which maturity models industry partners and associates use successfully. For example, Municipality A might look at what Municipality B is doing, and think: “How is Municipality B effectively managing cybersecurity for less money than we are?” Hint: there’s a good chance they’re using an effective maturity model. Therefore, Municipality A should probably select and implement that model. But you also have to be realistic, and know certain other factors—such as location and the ability to acquire talent—play a role in effective and affordable cybersecurity. If you’re a small town, you can’t compare yourself to a state capital.

There’s also the option of simply using the Cybersecurity Capability Maturity Model (C2M2), correct?
RG: Right. C2M2, developed by the U.S. Department of Energy, is easily scalable and can be tailored to meet specific needs. It also has a Risk Management domain to help ensure that an organization’s cybersecurity strategy supports its enterprise risk management strategy.

Once a manager has identified a maturity model that best fits their business or organization, how do they implement it?
RG: STEP ONE: get executive-level buy-in. It’s critical that executive management understands why maturity modeling is crucial to an organization's security. Explain to them how maturity modeling will help ensure the organization is spending money correctly and appropriately on cybersecurity. By sponsoring the effort, providing adequate resources, and accepting the final results, executive management plays a critical role in the process. In turn, you need to listen to executive management to know their priorities, issues, and resource constraints. When facilitating maturity modeling, don’t drive toward a predefined outcome. Understand what executive management is comfortable implementing—and what the business or organization can afford.

STEP TWO: Identify leads who are responsible for each domain or subject area of the maturity model. Explain to these leads why the organization is implementing maturity modeling, expected outcomes, and how their input is invaluable to the effort’s success. Generally speaking, the leads responsible for subject areas are very receptive to maturity modeling, because—unlike an audit—a maturity model is a resource that allows staff to advocate their needs and to say: “These are the resources I need to achieve effective cybersecurity.”

Third, have either management or these subject area leads communicate the project details to the lower levels of the organization, and solicit feedback, because staff at these levels often have unique insight on how best to manage the details.

The fourth step is to just get to work. This work will look a little different from one organization to another, because every organization has its own processes, but overall you need to run the maturity model—that is, use the model to assess the organization and discover where it measures up for each subject area or domain. Afterwards, conduct work sessions, collect suggestions and recommendations for reaching specific maturity levels, determine what it’s going to cost to increase maturity, get approval from executive management to spend the money to make the necessary changes, and create a Plan of Action and Milestones (POA&M). Then move forward and tick off each milestone.

Do you suggest selecting an executive sponsor or an executive steering committee to oversee the implementation?
RG: Absolutely. You just want to make sure the executive sponsors or steering committee members have both the ability and the authority to implement changes necessary for the modeling effort.

Should management consider hiring vendors to help implement their cybersecurity maturity models?
RG: Sure. Most organizations can implement a maturity model on their own, but the good thing about hiring a vendor is that a vendor brings objectivity to the process. Within your organization, you’re probably going to find erroneous assumptions, differing opinions about what needs to be improved, and bias regarding who is responsible for the improvements. An objective third party can help navigate these assumptions, opinions, and biases. Just be aware some vendors will push their own maturity models, because their models require or suggest organizations buy the vendors’ software. While most vendor software is excellent for improving maturity, you want to make sure the model you’re using fits your business objectives and is affordable. Don’t lose sight of that.

How long does it normally take to implement a maturity model?

RG: It depends on a variety of factors and is different for every organization. Keep in mind some maturity levels are fairly easy to reach, while others are harder and more expensive. It goes without saying that well-managed organizations implement maturity models more rapidly than poorly managed organizations.

What should management do after implementation?
RG: Run the maturity model again, and see where the organization currently measures up for each subject area or domain. Do you need to conduct a maturity model assessment every year? No, but you want to make sure you’re tracking the results year over year in order to make sure improvements are occurring. My suggestion is to conduct a maturity model assessment every three years.

One final note: make sure to maintain the effort. If you’re going to spend time and money implementing a maturity model, then make the changes, and continue to reassess maturity levels. Make sure the process becomes part of your organizations’ overall strategic plan. Document and institutionalize maturity modeling. Otherwise, the organization is in danger of losing this knowledge when the people who spearheaded the effort retire or pursue new opportunities elsewhere.

What’s next?
RG: Over the next couple of blogs, we’ll move away from talking about maturity modeling and begin talking about the role capacity plays in cybersecurity. Blog #3 will instruct managers on how to conduct an internal assessment to determine if their organizations have the people, processes, and technologies they need for effective cybersecurity.

To find out when we post our next cybersecurity playbook article, please sign up to receive updates here.

Blog
Selecting and implementing a maturity model: Cybersecurity playbook for management

In a previous blog post, “Six Steps to Gain Speed on Collections”, we discussed the importance of regular reviews of long-term care facility financial performance indicators and benchmarks, and suggestions to speed up collections. We also noted that knowledge of your facility’s current payer mix is critical to understanding days in accounts receivable (A/R).

The purpose of a regular A/R review is to facilitate prompt and complete collections by identifying trends and potential system issues and then implementing an action plan. Additionally, an A/R review is used to report on certain regulatory compliance requirements, and could help management identify staff training and development needs. Here are some tips on how to make your review both effective and efficient.

  • Practice professional skepticism. Generate your own A/R reports. While your staff may be competent and trustworthy, it is a good habit to get information directly from your billing system.
     
  • Understand your revenue cycle calendar. A common approach is to generate A/R reports at the end of each month. While you can generate reports at any time, always ask your staff whether all recent cash receipts and adjustments have been posted.
     
  • Know your software. Billing software usually has a few pre-set A/R reports available, and you can customize some of them to simplify your review and analysis. Consult with your IT department or software vendor to gain a better understanding of available report types, parameters, options and limitations. Three frequently-used reports are:

    A/R Transaction Report: This report shows selected transaction details (date, payer, account, transaction type) and can help you understand changes in those parameters. Start with a “summary by type” then drill down to further detail if needed. Run and review this report monthly to identify any unexpected write-offs or adjustments in the prior period.

    A/R Aging Report: This report breaks A/R data into aging buckets (current, 30, 60, 90, etc.). It is used to fine-tune collection efforts and evaluate a bad debt allowance (as older balances are less likely to be collected). Using a higher number of buckets will provide more detailed information, and replacing “age” of accounts with a “month” label will make it easier to see trends in month-to-month changes. Your facility’s payer mix will determine a reasonable “Days in A/R” benchmark. Generally, you should see the most dramatic drop in open accounts within 30 days for Medicare, Medicaid and private payers; and within 60-90 days for other payers. Focus your staff’s attention on balances nearing 300 days, as many insurers have a claim filing limit of one year from the service date. Develop an action plan to follow up within two to three weeks.

    Unbilled Claims Report: This report shows un-submitted claims. Discuss unbilled claims with your staff, understand why they are unbilled to reduce the number of un-submitted claims, and develop an action plan for submission to responsible parties.
     
  • Understand available report formats. Billing software usually offers the option to run reports in different file formats (web, PDF, Excel, etc.). Know your options and select the one you are most comfortable with. We recommend Excel for easy data analysis and trending.
     
  • Segment, segment, segment — and look for trends! Data segmentation and filtering is the best approach to effective and efficient A/R review. At a minimum, you should be separating Medicare A, Medicare B, Medicare Advantage, Medicaid, private pay, pending/presumed Medicaid and any other payers with a particularly high volume of claims. The differences in timing of billing, complexity, compliance requirements, benchmarking and submission of claim methods warrant a separate, more-detailed review of claims. Here are some examples of what to look for.

    Medicare: An open claim will hold payments for all following claims within that stay. Instruct your billing team to ensure claim submission, and review any rejected or suspended claims. Carefully analyze any Medicare credits. Small credit and debit balances may indicate errors in the rate-setting module of your software. Review for rate changes, contractual adjustments and sequestration set up. Review any credit balances over $25 for potential overpayment. These credits have to be corrected in that quarter or listed on your quarterly credit balance report to Medicare. Balances of $160 or more may indicate incorrectly calculated co-pay days, while balances over $200 may indicate billing for an incorrect number of days. Medicare has a one-year limit on submitting claims so act promptly to resolve any balances over 300 days.

    Medicaid: Open balances may indicate eligibility gaps, changes in coverage levels, rate set-up errors or incorrect classification as primary or secondary payer. This payer also has a one-year limit on submitting claims. Again, act promptly to resolve any balances over 300 days.

    Pending/Presumed Medicaid: Medicaid application processing times vary by state. Normally eligibility is determined within a few months at the most. Open claims older than 120 days should be investigated promptly.
     
  • Filter data for the highest and lowest balances. Focus on your five to ten highest balances and work with staff to resolve. Discuss reasons for any credit balances with staff, as regulations often require a prompt refund or claim adjustment. Credit balances could also indicate incorrectly posted payments (to the wrong patient account or service date). Instruct staff to routinely review and resolve credits to prevent collection activities on paid-off accounts. 

Ask questions, follow up and recognize good work. If you notice an improvement in your facility’s A/R report, make sure you recognize team and individual efforts. If improvements are slow to come, discuss obstacles with staff, refine your A/R reporting, and review the plan as needed.

Blog
Segmenting accounts receivable reports: How to use your reports to understand where you are

For professional baseball players who get paid millions to swing a bat, going through a slump is daunting. The mere thought of a slump conjures up frustration, anxiety and humiliation, and in extreme cases, the possibility of job loss.

The concept of a slump transcends sports. Just glance at the recent headlines about Yahoo, Equifax, Deloitte, and the Democratic National Committee. Data breaches occur on a regular basis. Like a baseball team experiencing a downswing, these organizations need to make adjustments, tough decisions, and major changes. Most importantly, they need to realize that cybersecurity is no longer the exclusive domain of Chief Information Security Officers and IT departments. Cybersecurity is the responsibility of all employees and managers: it takes a team.

When a cybersecurity breach occurs, people tend to focus on what goes wrong at the technical level. They often fail to see that cybersecurity begins at the strategic level. With this in mind, I am writing a blog series to outline the activities managers need to take to properly oversee cybersecurity, and remind readers that good cybersecurity takes a top-down approach. Consider the series a cybersecurity playbook for management. This Q&A blog — chapter 1 — highlights a basic concept of maturity modeling.

Let’s start with the basics. What exactly is a maturity model?
RG
: A maturity model is a framework that assesses certain elements in an organization, and provides direction to improve these elements. There are project management, quality management, and cybersecurity maturity models.

Cybersecurity maturity modeling is used to set a cybersecurity target for management. It’s like creating and following an individual development program. It provides definitive steps to take to reach a maturity level that you’re comfortable with — both from a staffing perspective, and from a financial perspective. It’s a logical road map to make a business or organization more secure.

What are some well-known maturity models that agencies and companies use?
RG
: One of the first, and most popular is the Program Review for Information Security Management Assistance (PRISMA), still in use today. Another is the Capability Maturity Model Integration (CMMI) model, which focuses on technology. Then there are some commercial maturity models, such as the Gartner Maturity Model, that organizations can pay to use.

The model I prefer is the Cybersecurity Capability Maturity Model (C2M2), developed by the U.S. Department of Energy. I like C2M2 because it directly maps to the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) compliance, which is a prominent industry standard. C2M2 is easily understandable and digestible, it scales to the size of the organization, and it is constantly updated to reflect the most recent U.S. government standards. So, it’s relevant to today’s operational environment.

Communication is one of C2M2’s strengths. Because there is a mechanism in the model requiring management to engage and support the technical staff, it facilitates communication and feedback at not just the operational level, but at the tactical level, and more significantly, the management level, where well-designed security programs start.

What’s the difference between processed-based and capability-based models?
RG
: Processed-based models focus on performance or technical aspects — for example, how mature are processes for access controls? Capability-based models focus on management aspects — is management adequately training people to manage access controls?

C2M2 combines the two approaches. It provides practical steps your organization can take, both operationally and strategically. Not only does it provide the technical team with direction on what to do on a daily basis to help ensure cybersecurity, it also provides management with direction to help ensure that strategic goals are achieved.

Looking at the bigger picture, what does an organization look like from a managerial point of view?
RG
: First, a mature organization communicates effectively. Management knows what is going on in their environment.

Most of them have very competent staff. However, staff members don’t always coordinate with others. I once did some security work for a company that had an insider threat. The insider threat was detected and dismissed from the company, but management didn’t know the details of why or how the situation occurred. Had there been an incident response plan in place (one of the dimensions C2M2 measures) — or even some degree of cybersecurity maturity in the company, they would’ve had clearly defined steps to take to handle the insider threat, and management would have been aware from an early stage. When management did find out about the insider threat, it became a much bigger issue than it had to be, and wasted time and resources. At the same time, the insider threat exposed the company to a high degree of risk. Because upper management was unaware, they were unable to make a strategic decision on how to act or react to the threat.

That’s the beauty of C2M2. It takes into account the responsibilities of both technical staff and management, and has a built-in communication plan that enables the team to work proactively instead of reactively, and shares cybersecurity initiatives between both management and technical staff.

Second, management in a mature organization knows they can’t protect everything in the environment — but they have a keen awareness of what is really important. Maturity modeling forces management to look at operations and identify what is critical and what really needs to be protected. Once management knows what is important, they can better align resources to meet particular challenges.

Third, in a mature organization, management knows they have a vital role to play in supporting the staff who address the day-to-day operational and technical tasks that ultimately support the organization’s cybersecurity strategy.

What types of businesses, not-for-profits, and government agencies should practice maturity modeling?
RG
: All of them. I’ve been in this industry a long time, and I always hear people say: “We’re too small; no one would take any interest in us.”

I conducted some work for a four-person firm that had been hired by the U.S. military. My company discovered that the firm had a breach and the four of them couldn’t believe it because they thought they were too small to be breached. It doesn’t matter what the size of your company is: if you have something someone finds very valuable, they’re going to try to steal it. Even very small companies should use cybersecurity models to reduce risk and help focus their limited resources on what is truly important. That’s maturity modeling: reducing risk by using approaches that make the most sense for your organization.

What’s management’s big takeaway?
RG
: Cybersecurity maturity modeling aligns your assets with your funding and resources. One of the most difficult challenges for every organization is finding and retaining experienced security talent. Because maturity modeling outlines what expertise is needed where, it can help match the right talent to roles that meet the established goals.

So what’s next?
RG
: In our next installment, we’ll analyze what a successful maturity modeling effort looks like. We’ll discuss the approach, what the outcome should be, and who should be involved in the process. We’ll discuss internal and external cybersecurity assessments, and incident response and recovery.

To find out when we post our next cybersecurity playbook article, please sign up to receive updates here.

Blog
Maturity modeling: Cybersecurity playbook for management

NEW UPDATE October 2017:

The Federal Perkins Loan Program expiration date has passed without extension and now the countdown is on for the program wind-down. On October 6, the Department of Education issued a Dear Colleague Letter, GEN-17-10, which provides important wind-down information and indicates the Department will begin collecting the Federal share of institutions’ Perkins Loan Revolving Funds following the submission of the 2019-2020 FISAP (due October 1, 2018) using a similar process to the Excess Liquid Capital currently in place under HEA section 466(c). The Department of Education has promised more information on this process ahead of the October 2018 deadline.

Institutions should be reviewing their portfolios to determine if they will choose to assign their Perkins Loans to the Department or continue servicing their portfolio. Once the loans are assigned, institutions lose all rights to future loan collections, including their institutional share.

Loans that are not assigned to the department should continue to be serviced under Perkins Loan Program regulations until all loans are paid in full, fully retired or assigned to the Department. The process of requiring the distribution of assets from the Perkins Loan Revolving Fund will continue each year based on the annual submission of the FISAP, until all of the Perkins Loans held by the institution have been paid in full, fully retired or assigned to the Department of Education.

An administrative cost allowance cannot be charged against the Perkins Loan Revolving Fund after June 30, 2018.

For those considering liquidation and assignment, the Assignment and Liquidation Guide provides step-by-step instructions through the process, including the required a Perkins closeout audit. We are experienced with the Perkins closeout and stand ready to assist.
 

NEW UPDATE March 30, 2016: 

A new combined Federal Perkins Loan Assignment and Liquidation Guide has been posted. You can see the announcement and links to the updated guide here.

The Federal Perkins Loan Program has expired, effective October 1. While guidance has not yet been issued by the Department of Education in response to program’s expiration, there is a published process for institutions to follow to liquidate a Perkins Loan Revolving Fund.

We'll keep you informed as guidance is issued

BerryDunn’s Higher Education experts are monitoring the situation and assessing the implications for colleges and universities and their loan recipients with outstanding balances.

Need help or have additional questions?

Our experience with Perkins loan liquidation/closeout audits can be of great help to you as you navigate the complexities of closing your Perkins loans. Feel free to contact Renee Bishop, Emily Parker, Mark LaPrade or any of our Higher Education experts.

Blog
New federal perkins loan update

Are you in control? Preparing the internal control documentation required by the COSO framework can be difficult and daunting for some financial institutions. In our work with clients who are preparing to meet COSO requirements, we see a handful of areas banks can address to keep their implementation on track:

  1. Control environment
  2. Risk assessment
  3. Control activities
  4. Information and communication
  5. Monitoring activities

Because the framework is not highly prescriptive about specific internal controls, there are several practical considerations and actions to take that can help you focus on areas that are easily overlooked. Spreadsheet controls, sample sizes, exception monitoring, testing, and commonly missed controls make up the bulk of the what to consider. By focusing your efforts on these areas, you can more efficiently reduce potential audit findings by making changes to your internal control process.

My colleagues and I provide more detail about specifically how and what to address in our white paper "INTERNAL CONTROL OVER FINANCIAL REPORTING: Best Practices & Useful Strategies for Creating an Effective System of Internal Control."

The bottom line? Prepare now to save time -- and potentially reduce audit findings -- later. Once you have your process in place, you won't have to scramble to implement controls during the year you become subject to an integrated audit under SOX 404 / FDICIA. Learn more about improving your institution's internal controls: Download our whitepaper and get ready now!

Blog
Be prepared: Hit the right notes and avoid an implementation scramble when preparing for COSO

As more state and local government workers enter retirement, state and local agencies are becoming more dependent on millennial workers — the largest and most educated generation of workers in American history. But there is a serious gap between supply and demand.

As noted in a 2016 report by the Bureau of Labor Statistics titled 
Household Data Annual Averages 15, only 25.6% of current
government workers are between the ages of 18 and 35.

This trend isn’t necessarily shocking; many millennials choose higher-paying jobs in the private sector over lower-paying jobs in the public sector, especially when the days of a lifelong government career, and generous pensions, are dwindling. But it is a serious labor problem for government agencies — one that requires creative solutions. To entice these new workers, state and local governments need to adopt new recruiting and retaining methods.

Recruiting Methods

While money matters to millennials, they also want to live a life of adventure, try new things, embrace trailblazing technology, pursue meaningful goals, and gain a sense of both personal and civic accomplishment. In short, these new workers have values that differ from previous generations. You can help entice them by:

  • Highlighting your state and local agency’s mission and greater purpose. Many millennials want to affect change and find careers consistent with their values. Include information in your job descriptions about the positive environmental and social impact your agency makes.

  • Updating your technology. Millennials have grown up with technology (literally at their fingertips), can adapt to change as no other generation before them, and often strive to remain on the “cutting edge.” By updating your agency’s technology, you will not only improve your organization and benefit the public you serve, but also have a better chance of recruiting the best and brightest millennials.

  • Providing them with a work-life balance. Life outside of work is just as important to millennials as their careers. They don’t plan to wait for retirement to finally pursue their interests, so providing them with a level of flexibility is key to recruitment. Consider offering flexible workdays, remote working capabilities, extended parental leave, sabbatical opportunities, and “mental health days.” The more flexibility state and local agencies provide, the more incentive there is for millennials.

Retaining Methods

Recruiting millennials for government jobs is challenging enough, and retaining them can prove even harder, as job hopping is standard practice for many members of this generation. Nevertheless, there are certain methods your agency can adopt to prevent millennial turnover. We suggest:

  • Investing in employee development and training. Training and creating opportunities for promotion and career advancement are motivating incentives to millennials. Professional development excites millennials and investing in them will pay off for the agency — and the employees will be more engaged and likely to stay.

  • Showing employees they are valued. Recognition is the biggest motivator besides money — millennials want acknowledgement for the good work that they do. Communicate achievements and provide awards to recipients in front of their peers. This not only gives them credit, but also motivates others. Continuing to communicate to your employees how their work supports their values reminds them they made the right decision in joining the public sector in the first place.

Make Your Move

Millennials are worthy of your attention! To compete with the private sector — to recruit and retain them — your government agency has to take an innovative approach to capitalize on this ever-growing demographic. If your state or local agency needs help refreshing your technology, reviewing current policies and procedures, or taking a fresh look at your processes, contact BerryDunn. We would love to talk about your commitment to your future!

You may also be interested in: CFOs for Hire; How to Attract and Retain Workers in a Seller's Market

Blog
Getting millennial with it: How state and local governments can recruit and retain a new generation of workers

A year ago, CMS released the Medicaid Enterprise Certification Toolkit (MECT) 2.1: a new Medicaid Management Information Systems (MMIS) Certification approach that aligns milestone reviews with the systems development life cycle (SDLC) to provide feedback at key points throughout design, development, and implementation (DDI).

The MECT (recently updated to version 2.2) incorporates lessons learned from pilot certifications in several states, including the successful West Virginia pilot that BerryDunn supported. MECT updates have a direct impact on E&E systems—an impact that may increase in the near future. Here is what you need to know:         

Then: Initial Release

In February 2017, CMS introduced six Eligibility & Enrollment (E&E) checklists. Five were leveraged from the MECT, while the sixth checklist contained unique E&E system functionality criteria and provided a new E&E SDLC that—like the MECT—depicted three milestone reviews and increased the Independent Verification and Validation (IV&V) vendor’s involvement in the checklists completion process.

Now: Getting Started

Completing the E&E checklists will help states ensure the integrity of their E&E systems and help CMS guide future funding. This exercise is no easy task, particularly when a project is already in progress. Completion of the E&E checklists involves many stakeholders, including:

  • The state (likely more than one agency)
  • CMS
  • IV&V
  • Project Management Office (PMO)
  • System vendor(s)

As with any new processes, there are challenges with E&E checklists completion. Some early challenges include:

  • Completing the E&E checklists with limited state project resources
  • Determining applicable criteria for E&E systems, especially for checklists shared with the MMIS
  • Identifying and collecting evidence for iterative projects where criteria may not fall cleanly into one milestone review phase
  • Completing the E&E checklists with limited state project resources
  • Working with the system vendor(s) to produce evidence

What’s Next?

Additionally, working with system vendors may prove tricky for projects that already have contracts with E&E vendors, as E&E systems are not currently subject to certification (unlike the MMIS). This may lead to instances where E&E vendors are not contractually obligated to provide the evidence that would best satisfy CMS criteria. To handle this and other challenges, states should communicate risks and issues to CMS and work together to resolve or mitigate them.

As CMS partners with states to implement the E&E checklists, some questions are expected to be asked. For example, how much information can be leveraged from the MECT, and how much of the checklists completion process must be E&E-specific? Might certification be required in the near future for E&E systems?

While there will be more to learn and challenges to overcome, the first states completing the E&E checklists have an opportunity to lead the way on working with CMS to successfully build and implement E&E systems that benefit all stakeholders.

On July 31, 2017, CMS released the MECT 2.2 as an update to the MECT 2.1.1. As the recent changes continue to be analyzed, what will the impact be to current and future MMIS and E&E projects?

Check back here at BerryDunn Briefings in the coming weeks and we will help you sort it out.

Blog
Check this: CMS checklists aren't just for MMIS anymore.

Because we’ve been through this process many times, we’ve learned a few lessons and determined some best practices. Here are some tips to help you promote a positive post go-live experience.

The road to go-live is paved with good intentions. When an organization identifies a need to procure a new or upgraded system, that road can be long. It requires extensive planning, building a business case, defining requirements, procuring the system, testing it, and implementing it. Not to mention preparing your team to start using it. You’ve worked really hard to get to this point, and it feels like you’re about to cross the finish line. Well, grab some Gatorade because you’re not quite there yet. Post go-live is your cool-down, and it’s an important part of the race.

Preparation is key.
If you haven’t built a go-live plan into your overall implementation plan, you may see stress levels rise significantly in the days and weeks leading up to go-live. Like a runner prepares for a big race, a project lead must adequately prepare the team to begin using the new system, while still handling unexpected obstacles.  While there are many questions you should ask as you prepare to go live, you need to gain buy-in on the plan from the beginning and manage it to ensure follow-through.

Have your contract and deliverables handy.
Your system vendor implementation team will look to hand you off to their support team soon after go-live. It is crucial that you review all of the deliverables outlined in your contract to ensure all of the agreed-upon functionality is up and running, and all contracted deliverables have been provided and approved. Don’t transition to support until you’ve had enough time to see the system through significant processes (e.g. payroll, month-end close). In the period immediately after go-live, the vendor implementation team is your best resource to help address these issues, so it’s a good idea to have easy access to them.

Encourage use and feedback.
Functional leads and project champions need to continue communications past go-live to encourage use and provide a mechanism for addressing feedback. Employing change management best practices will go a long way in ensuring you use the system properly — and to its best capabilities.

Plan ahead for expanded use and future issues. 
Because a system implementation can be extremely resource-intensive, it is common to suppress or forgo functionality to implement at a later date (e.g., citizen and vendor self-service). In addition, we sometimes see issues arise during significant operational milestones (e.g., renewal processing, year-end close). Have a plan in place to decide how you will address known and unknown issues that arise.

While there is no silver bullet to solve all of the potential go-live woes, you can promote a smooth transition from a legacy system to a new system by implementing these tips. The time you spend up front will help offset many headaches down the road, promote end-user engagement, and ensure you’re getting the most from your investment.

Blog
We're live! Now what?

We all know them. In fact, you might be one of them — people who worry the words “go live” will lead to job loss (theirs). This feeling is not entirely irrational. When an organization is ready to go live from an existing legacy system to a new enterprise system, stress levels rise and doubts emerge: What can go wrong? How much time will be lost? Are we really ready for this?

We’re here to help. Here is a list of go-live essentials to help you mitigate stress and assess your readiness. While not all-encompassing, it’s a good place to start. Here’s what you need:

  1. A detailed project plan which specifies all of the implementation tasks
    A project plan is one of the most important parts of an implementation. A detailed plan that identifies all of the implementation tasks along with an assigned resource for each task is critical to success. The implementation vendor and the organization should develop this plan together to get buy-in from both teams.
  1. A completed system configuration
    New system configuration is one of the most time-consuming aspects of a technology implementation. If you don’t complete the implementation in a timely manner, it will impact your go-live date. Configure the new system based upon the best practices of the system — not how the existing system was — for timely implementation.
  1. External system interface identification
    While replacement of some external systems may be a goal of an implementation, there may be situations where external systems are not replaced or the organization has to send and/or receive data from external organizations. And while new systems have advanced interface technology capabilities, the external systems may not share these capabilities. Therefore it is imperative that you identify external system interfaces to avoid gaps in functionality.
  1. Testing, testing, testing
    End-to-end testing or User Acceptance Testing (UAT) is often overlooked. It involves completing testing scenarios for each module to ensure appropriate system configuration. While the timing of UAT may vary, allow adequate time to identify solutions to issues that may result from UAT.
  1. Data conversion validation
    When you begin using a new system, it’s best to ensure you’re working with clean, up-to-date data. Identify data conversion tasks in the project plan and include multiple data conversion passes. You must also determine if the existing data is actually worth converting. When you complete the data conversion, check for accuracy.
  1. End user training
    You must train all end users to ensure proper utilization across the organization. Don’t underestimate the amount of time needed for end user training. It is also important to provide a feedback mechanism for end users to determine if the training was successful.
  1. A go-live cutover plan
    The overall project plan may indicate go-live as an activity. List specific activities to complete as part of go-live. You can build these tasks into the project plan or maintain them as a separate checklist to promote a smooth transition.
  1. Support structure
    Establish an internal support structure when preparing for go-live to help address issues that may arise. Most organizations take time to configure and test the system and provide training to end users prior to go-live. Questions will arise as part of this process — establish a process to track and address these questions.

Technology implementations can significantly impact your organization, and it’s common for stress levels to rise during the go-live process. But with the right assessment and preparation, you can lessen their impact and reduce staff stress. Our experienced, objective advisors work with public and private sector organizations across the country to oversee large enterprise projects from inception to successful completion. Please reach out to us to learn more about preparing for your next big project.

Blog
Don't worry, just assess: Eight tips for reducing go-live stress

When last we blogged about the Financial Accounting Standards Board’s (FASB) new “current expected credit losses” (CECL) model for estimating an allowance for loan and lease losses (ALLL), we reviewed the process for developing reasonable and supportable forecasts for use in establishing the ALLL. Once you develop those forecasts, how does that information translate into amounts to set aside for loan losses?

A portion of the ALLL will continue to be based on specifically identified loans you’re concerned about. For those loans, you will continue to establish a specific component of the ALLL based on your estimate of the loss ultimately expected on the loans.

The tricky part, of course, is estimating an ALLL for the other 99% of the loan portfolio. This is where the forecasts come in. The new rules do not prescribe a particular methodology, and banking regulators have indicated community banks will likely be able to continue with their current approach, adjusted to use appropriate inputs in a manner that complies with the CECL model. One of the biggest challenges is the expectation in CECL that the ALLL will be estimated using the institution’s historical information, to the extent available and relevant.

Following is just one of many ways  you can approach it. I’ve also included a link at the end of this article to an example illustrating this approach.

Step One: Historical Loss Factors

  1. First, for a given subset of the loan portfolio (e.g., the residential loan pool), you might first break down the portfolio by the number of years remaining until expected payoff (via maturity or refinancing). This is important because, on average, a loan with seven years remaining until expected payoff will have a higher level of remaining lifetime losses than a loan with one year remaining. It therefore generally wouldn’t be appropriate to use the same loss factor for both loans.
     
  2. Next, decide on a set of drivers that tend to correlate with loan losses over time. FASB has indicated it doesn’t expect highly mathematical correlation models will be necessary, especially for community banks. Instead, select factors in your bank’s experience indicative of future losses. These may include:
    • External factors, such as GDP growth, unemployment rates, and housing prices
    • Internal factors such as delinquency rates, classified asset ratios, and the percentage of loans in the portfolio for which certain policy exceptions (e.g., loan-to-value ratio or minimum credit score) were granted
       
  3. Once you select this set of drivers, find an historical loss period — a period of years corresponding to the estimated remaining life of the portfolio in question — where the historical drivers best approximate those you’re expecting in the future, based on your forecasts. For that historical loss period, determine the lifetime remaining loss rates of the loans outstanding at the beginning of that period, broken down by the number of years remaining until payoff. (This may require significant data mining, especially if that historical loss period was quite a few years ago.
     
  4. Apply those loss rates to the breakdown derived in (a) above, by years remaining until maturity.

    Step Two: Adjustments to Historical Loss Rates

    The CECL model requires we adjust historical loss factors for conditions that may not be adequately captured by the historical loss period analysis we’ve just described. Let’s say a particular geographical subset of your market area is significantly affected by the economic fortunes of a large employer in that area.  Based on economic trends or recent developments, you might expect that employer to have a particularly bright – or dim – future over the forecast period; accordingly, you forecast loans to borrowers in that area will have losses that differ significantly from the rest of the portfolio.

    The approach for these loans is the same as in the previous step. However:

    These loans would be segregated from the remainder of the portfolio, which would be subject to the general approach in step one. As you think through this approach, there are myriad variations and many decisions to make, such as:

    Our intent in describing this methodology is to help your CECL implementation team start the dialogue in terms of converting theoretical concepts in the CECL model to actual loans and historical experience.

    To facilitate that discussion, we’ve included a very simple example here that illustrates the steps described above. Analyzing an entire loan portfolio under the CECL model is an exponentially more complex process, but the concepts are the same — forecasting future conditions, and establishing an ALLL based on the bank’s (or, when necessary, peers’) lifetime loan loss experience under similar historical conditions.

    Given the amount of number crunching and analysis necessary, and the potentially significant increase in the ALLL that may result from a lifetime-of-loan loss model, it’s safe to say the time to start is now! If you have any questions about CECL implementation, please contact Tracy Harding or Rob Smalley.

    Other resources
    For more information on CECL, check out our other blogs:

    CECL: Where to Start
    CECL: Bank and Branch Acquisitions
    CECL: Reasonable and Supportable

    To sign up to receive notification of our next CECL update, click here.

    • In substep (c), you would focus on forecasted conditions (such as unemployment rate and changes in real estate values) in the geographical area in which the significant employer is located.
    • You would then select an historical loss period that had actual conditions for that area that best correspond to those you’ve just forecasted.
    • In substep (d), you would determine the lifetime remaining loss rates of loans outstanding at the beginning of that period.
    • In substep (e), you would apply those rates to loans in that geographic area.
    • How to break down the portfolio
    • Which conditions to analyze
    • How to analyze the conditions for correlation with historical loss periods
    • Which resulting loss factors to apply to which loans
Blog
CECL implementation: So, you've developed reasonable and supportable forecasts — now what?

Recently, federal banking regulators released an interagency financial institution letter on CECL, in the form of a Q&A. Read it here. While there weren’t a lot of new insights into expectations examiners may have upon adoption, here is what we gleaned, and what you need to know, from the letter.

ALLL Documentation: More is better

Your management will be required to develop reasonable and supportable forecasts to determine an appropriate estimate for their allowance for loan and lease losses (ALLL). Institutions have always worked under the rule that accounting estimates need to be supported by evidence. Everyone knows both examiners and auditors LOVE documentation, but how much is necessary to prove whether the new CECL estimate is reasonable and supportable? The best answer I can give you is “more”.

And regardless of the exact model institutions develop, there will be significantly more decision points required with CECL than with the incurred loss model. At each point, both your management and your auditors will need to ask, “Why this path vs. another?” Defining those decision points and developing a process for documenting the path taken while also exploring alternatives is essential to build a model that estimates losses under both the letter and the spirit of the new rules. This is especially true when developing forecasts. We know you are not fortune tellers. Neither are we.

The challenge will be to document the sources used for forecasts, making the connections between that information and its effect on your loss data as clear as possible, so the model bases the loss estimate on your institution’s historical experience under conditions similar to those you’re forecasting, to the extent possible.

Software may make this easier… or harder.               

The leading allowance software applications allow for virtually instantaneous switching between different models, permitting users to test various assumptions in a painless environment. These applications feature collection points that enable users to document the basis for their decisions that become part of the final ALLL package. Take care to try and ensure that the support collected matches the decisions made and assumptions used.

Whether you use software or not there is a common set of essential controls to help ensure your ALLL calculation is supported. They are:

  • Documented review and recalculation of the ALLL estimate by a qualified individual(s) independent of the preparation of the calculation
  • Control over reports and spreadsheets that include data that feed into the overall calculation
  • Documentation supporting qualitative factors, including reasonableness of the resulting reserve amounts
  • Controls over loan ratings if they are a factor in your model
  • Controls over the timeliness of charge-offs

In the process of implementing the new CECL guidance it can be easy to focus all of your effort on the details of creating models, collecting data and getting to a reasonable number. Based on the regulators’ new Q&A document, you’ll also want to spend some time making sure the ALLL number is supportable.  

Next time, we’ll look at a lesser known section of the CECL guidance that could have a significantly negative impact on the size of the ALLL and capital as a result: off-balance-sheet credit exposures.  

Want a heads-up the next time we have a CECL update? Sign up here and get the information first!

Blog
CECL: Reasonable and supportable? Be ready to be ALLL in

Electronic accessibility in every aspect of modern life has increased ten-fold, but government — and courts in particular — has been slow to follow.

History Lesson
The idea that criminal court proceedings are accessible by the public is a pillar of our justice system, rooted in the First Amendment. This public right to unrestricted access in criminal and civil court proceedings has been interpreted by many states to extend to court documents and court records (as long as not otherwise protected).

Traditionally, public access to court proceedings and records has been limited to those taking place in the courthouse, between the hours of 8:00 am and 4:00 pm. In most every other aspect of our lives, we have 24/7 access to everything from live streaming of our home security systems, to ordering our groceries or dinner from our mobile devices — while traveling at 30,000 feet! Government — and courts in particular — has been slow to follow in the rush to 24/7 electronic accessibility.

Part of the rationale behind the hesitation to jump on the electronic bandwagon, are the ethical issues surrounding unlimited electronic public access. So while the First Amendment provides for public access to information, conversely the Fourteenth Amendment interprets the definition of “liberty” to include a right to privacy. Deciding between these two semmingly contradictory rights becomes a challenge for courts when determining what form of electronic access is appropriate for court documents.

The pros
Unlimited electronic access to publicly available documents:

  • Serve a variety of public interests while eliminating the need to travel to the courthouse to research and copy documents.
  • Acts both as a deterrent to violating laws and as protection to those whose rights have been violated.
  • Tends to instill fairness, transparency, and equality of court proceedings.
  • Protects the community and allows the media to report on matters of public interest in a more convenient, timely, and streamlined manner.

The cons
While there are compelling reasons to provide electronic public access, they don’t take into account the potential for it to be used inappropriately. Risks include:

  • Increased chance of identity theft, leading to loss of property, finances, and credit
  • Exposure to sensitive information that may be harmful to all those involved
  • Negative impact on privacy
  • Deter public interest lawsuits for fear of overexposure
  • Mistakes or abuse of legal process can have far-reaching implications on individuals

What can states do?
Allowing unlimited remote electronic access to court documents could compromise the privacy rights and concerns of individuals and increase the risk of harm to those participating in court proceedings. This issue demands the full attention of the courts nationwide, but not with an “all-or-nothing” approach.

Many states struggle with striking this balance. To mitigate some of the potentially damning effects, states have taken different approaches. The National Center for State Courts (NCSC) has brought attention to the issues on several occasions. In 2002, the NCSC and the State Justice Institute funded the project, “Developing a Model Written Policy Governing Access to Court Records” and more recently the NCSC has published the “Privacy/Public Access to Court Records Resource Guide”.

Some states have redacted confidential information from electronic documents and some have limited what information or categories are available on the internet, only posting some combination of the following:

  • Appellate decisions
  • Final judgments, orders, and decrees
  • Basic information of the litigant or party to the case
  • Calendars and case docket lists

Our recommendation
States must agree upon the amount of access they will provide electronically. To tackle this, each state should:

  • Consider forming an access committee(s) to determine what guidelines are needed to balance the free access rights of the public with the privacy rights of individuals
  • Policy decisions should be publicly posted to the judiciary, legislators, and the public at large; and
  • Should be regularly revisited to ensure an appropriate balance is continually achieved

Interested in learning how your state can address this or similar issues? Reach out to BerryDunn's justice and public safety experts and we can discuss the particular issue facing your state and the best practices for approaching it.

Blog
Striking a balance: Public right of access to court records vs. the privacy rights of individuals

By now, pretty much everyone in the banking industry has heard plenty of talk about CECL – the forthcoming “Current Expected Credit Loss” model of accounting for an institution’s allowance for loan losses (ALL). While the previous “Incurred Loss” model has been problematic to implement conceptually, and most of us thought CECL would improve ALL accounting and make it more comparable to how banks account for other debt instruments, it’s beginning to feel a bit like the dog who caught the car – now that we have this model, how the heck do we implement it?

The good news  we have a number of years before CECL’s effective date, and thus have some time to better understand the new rules and how to adapt an institution’s ALL model to reflect them. The bad news – the banking regulators recently announced they want banks to get cracking on this, and will expect to see some progress when they visit during upcoming exams – maybe not immediately, but likely at some point during the 2017 exam cycle.

This is the third in a series of articles addressing various aspects of this complex pronouncement. We hope that they provide you with practical advice that can help you get started on the nuts and bolts of CECL implementation.

Our previous article offered pointers on building the CECL team, brainstorming the process, and starting the data gathering conversation. In this article, we look at how to implement CECL when acquiring another bank, one or more branches of another bank, or simply a loan portfolio, such as a group of auto or credit card loans.

First, Let’s Remember the Basics

The basic premise of CECL is that lifetime expected losses are to be booked at origination (or, in the case of an acquisition, at the acquisition date). You’ve likely heard some gnashing of teeth over the fact that this means losses are recorded “on Day One”, which many of us have some degree of conceptual difficulty with: For example, a higher risk loan will likely carry a higher yield at origination, so booking a higher level of expected losses on Day One (through the ALL) and the offsetting higher yield over the loan term (through interest income) feels like a mismatch between income and expense.

The Financial Accounting Standards Board (FASB) was sympathetic to this point, and spent a lot of time pondering it. Its international equivalent, the International Accounting Standards Board (IASB), which establishes – you guessed it – international accounting standards, actually tackled this issue by precluding Day One losses, unless they were expected to materialize within one year of origination (Day 365 losses?).

This approach, however, has led to a fairly convoluted – and challenging – model, which is already drawing a fair amount of criticism in the international community. In the end, although they had hoped to have a “converged” standard that would result in the same approach for U.S. and international institutions, FASB and the IASB decided to part company and use different models.

The short answer? We have to accept the notion of Day One losses as the price to pay for a less convoluted (but still complex to implement) model. This becomes important to remember as we look at accounting for acquisitions.

Accounting for Acquisitions

Whether you’re acquiring a pool of loans, a branch, or an entire institution, the basic accounting under CECL is the same, and it’s the same (with a twist) as the accounting for originated loans: an ALL should be established for the purchase price allocated to the loans, and that ALL should reflect management’s estimate of the lifetime losses in the acquired portfolio.

Before we get into the details of how to do this, let’s take a moment to celebrate. Prior to CECL, it was not permissible to establish an initial ALL for acquired loans. Many bankers – and investors – complained that this made it difficult to compare one bank to another on metrics such as ALL coverage ratios. If one bank had a strategy that included acquisitions, and another didn’t, their ALLs would likely be quite different even if their loan portfolios and estimated incurred losses were similar. Now, with the CECL model, these two banks’ financial statements are much easier to compare.

As noted above, an ALL should be established for these loans under CECL, using the same methodology you would use for originated loans. The twist relates to what to do with the other side of the entry. The solution:

  • For loans with a more-than-insignificant amount of credit deterioration since origination, the offset is to add this amount to the amount originally recorded for the purchase price allocated to the loans.
  • For the rest of the acquired portfolio, the offset is to loan loss expense. That’s right, your provision is increased by the amount of ALL recorded in the transaction, except as noted in the previous bullet.

Why is this so? FASB is apparently assuming that:

  • Buyers adjust the purchase price for the first item above. These loans, which we used to call “purchased – credit impaired (PCI)”, and now will call “purchased – credit deteriorated (PCD)” under CECL, are the loans with hair on them. They probably got some extra scrutiny during due diligence, thus theoretically depressing the purchase price a bit. Therefore, the amount of the purchase price allocated to loans is a lower number, and offsetting the establishment of the ALL by adding that amount to the purchase price assigned to the loans properly “grosses up” the recorded loan balance.
  • Buyers don’t adjust the purchase price for other loans. This is probably true, as the lifetime losses on loans that aren’t PCD are just the cost of doing business for financial institutions. Therefore, as it is with originated loans, a big Day One provision is booked at closing.

It should be noted that the extent to which the definition of PCD loans differs from the previous definition of PCI loans depends on your interpretation of the old PCI definition. It appears clear that the new definition of PCD loans refers to loans that have specific indicators of significant credit deterioration since origination.

Let’s look at an example:

A bank buys three branches from another bank, which have total loans with a principal balance of $20 million and a fair value of $20,100,000. The portfolio includes loans with a principal balance of $1 million, and a fair value of $910,000, that are PCD.

The buyer bank determines the ALL under CECL would be $100,000 for the PCD loans and $475,000 for the rest of the acquired portfolio. Thus, the buyer bank records an ALL of $575,000. What’s the offset? As noted above:

  • For the PCD loans, the offsetting $100,000 will be added to the $910,000 of purchase price allocated to those loans. As a result, these loans will have a gross amount allocated of $910,000 plus $100,000, or $1,010,000, which will then be reduced by an ALL of $100,000 on the balance sheet, for a net reported amount of $910,000 (their fair value). The difference between the gross amount assigned ($1,010,000) and the principal balance ($1 million), or $10,000, represents an implied adjustment to reflect current market interest rates, and is therefore amortized over the expected loan term through interest income.
  • For the rest, the offsetting $475,000 will be an increase to the provision for loan losses, and will thus reduce income.

The last number could be a big one for institutions that do large or frequent acquisitions; thus, their balance sheets may be more comparable to other banks, but their income statements in the year of acquisition won’t be! The good news – like other acquisition costs such as legal fees and conversion expenses, this amount will be separately disclosed, so a reader can adjust for it if they believe it’s appropriate to do so.

Next time, we’ll look at the nuts and bolts of CECL’s concept of “reasonable and supportable” by considering proper documentation and controls over the ALL.   

Want a heads-up the next time we have a CECL update? Sign up here and get the information first!

Blog
How our new friend CECL affects bank and branch acquisitions

So you want to be a chief financial officer?

Whether you are looking to transition into a new role for your current company or head out into the job market, taking your financial skills to the next level is within your reach. As a controller, you already have a number of skills that will serve as a foundation for the role of CFO. Putting it all together is the next step.

Chances are, you’ve already been responsible for the accounting, budgeting, cash-flow management, and all the financial data coming in and out of your organization. If it’s numbers related, you’ve got it covered – and you’re on time, all the time, when reports and analytics are due.

But you also know that becoming a CFO requires an additional set of skills – not just the technical skills you’ve honed over the years, but additional leadership and strategic financial skills. So, how do you know if you’re doing what you can to take your financial career to the next level? Consider these seven keys to transition success:

  1. Prepare to be a leader. Whereas your focus was once on the day-to-day operations, carrying out directives from the CFO and/or CEO, as a CFO you are now in a position to create financial and operational strategies that drive growth for the organization. According to a 2014 survey released by ACCA Global entitled “Tomorrow’s Finance Enterprise” leadership skills were identified as the most important future CFO management skills. Focus on the long-term and to be able to articulate your ideas and vision to other executives in the company. Try and get assigned to specific projects that allow you to be involved in the initial planning and decision making stages to demonstrate your vision to others.”
     
  2. Embrace technology. 93 percent of the senior financial executives surveyed in a CFO research study reported that the CFO of the future will need a much stronger technology skill set than is currently required for the job. This means the relationship between IT and Finance is intricately linked. The cloud is dramatically changing the way companies are doing business, as records and information reside outside the company’s walls, bringing in new questions about control, security, and potentially, costs. Staying on top of how technology is changing and impacting business operations will be paramount as you look to step into a broader role.
     
  3. Identify trends. According to the ACCA survey, articulating and understanding business value drivers and broader industry trends are listed as the most important areas of business knowledge needed by future CFOs. It’s not enough to keep up with quality control or to make sure the company’s financial reporting is accurate and in compliance. As a CFO, you must have a good understanding of the business issues and conditions underlying the financials and be able to analyze your company’s financial strengths and weaknesses. As a strategic partner to the CEO, you play a critical role in the direction the company will take to capitalize on opportunities needed to remain successful.
     
  4. Delegate tasks. Embrace this idea. Removing yourself from the minute details of the day-to-day allows you to better see the forest for the trees and develop the leadership and strategic skills of a CFO. Surround yourself with people you trust who can focus on the detailed (and very important) aspects of financial systems and processes. By delegating appropriately, you build a strong team that allows you to step more fully into a leadership position within the company. It is still your responsibility to see that tasks and projects are done correctly, so make sure expectations and deadlines are clear from the beginning.
     
  5. Build relationships. Ask questions, observe the interaction between leaders of different parts of your organization, and understand how the team leads—together. Get to know your colleagues and what they do. Be generous with your knowledge and ask questions – a lot of them.
     
  6. Find a mentor. Realize that you will need support. Moving from Controller to CFO is a significant change in responsibility, so find people who have already succeeded at doing the same thing. It’s important to have your own “board of directors” – a team that can help you in various ways, from being a sounding board to offering some tough love, or helping you hash out a challenge. And you will indeed have challenges. As you stretch into your new role or take on new types of assignments, they can feel overwhelming. They [probably] are not. Learn to embrace them and work with your mentor or mentors to handle them more effectively.
     
  7. Allow for growth and learn from your mistakes. No one wants to make mistakes, but you will. Moving into a bigger role always provides for “teachable moments” and growth. This is good! People understand that mistakes are part of the territory, as long as you learn from them and understand how to avoid making the same one again. Set your expectations high while giving yourself a period of time to adjust to your new position. Stay accountable and communicate well — and remember to ask for help when you need it.

Moving into a larger, more strategic role can be an exciting, albeit daunting transition. With thought, preparation and vision, it’s something you can prepare yourself for, and continue to excel at the next level.

Blog
Making the transition from controller to CFO: 7 keys to success

Financial fraud by the numbers

In a June 2016 Gallup poll, 72 percent of respondents said they had “very little” or only “some” confidence in banks.1 This lack of confidence lives alongside recent headlines—including major fraud schemes revealed at Deutsche Bank this summer—and the fact that the financial services industry is the most affected sector in the world when it comes to occupational fraud.

Financial institutions account for 16.8% of all occupational fraud worldwide, with a median loss of $192,000 per case.2 Longer running, complex schemes can cost organizations much more—overall, 23% of fraud cases in 2015 caused losses of $1 million or more.3

What does a fraudster looks like, and how do they commit their crimes? How do you prevent fraud from happening at your organization? And how can you strengthen an already robust anti-fraud program?

Profile of a fraudster

One of the most difficult tasks any organization faces is identifying and preventing potential cases of fraud. This is especially challenging because the majority of employees who commit fraud are first-time offenders with no record of criminal activity, or even termination at a previous employer.

The 2016 report from the Association of Certified Fraud Examiners (ACFE) reveals a few commonalities between fraudsters:4

  • 3% of fraudsters had no criminal background
  • Men committed 69% of frauds and women committed 31%
  • More than half of fraudsters were between the ages of 31 and 45
  • 3% of fraudsters were an employee, 31% worked as a manager and 20% operated at the executive/owner level

Employees who committed fraud displayed certain behaviors during their schemes. The ACFE reported these top red flags:5

  • Living beyond means – 45.8%
  • Financial difficulties – 30.0%
  • Unusually close association with vendor/customer – 20.1%
  • Control issues, unwillingness to share duties – 15.3%

These figures give us a general sense of who commits fraud and why. But in all cases, the most pressing question remains: how do you prevent the fraud from happening?

Preventing fraud: A two-pronged approach

As a proactive plan for preventing fraud, we recommend focusing time and energy on two distinct facets of your operations: leadership tone and internal controls.

Leadership tone

The Board of Directors and senior management are in a powerful position to prevent fraud. By fostering a culture of zero-tolerance for fraud at the top of an organization, you can diminish opportunity for employees to consider, and attempt, fraud.

It is crucial to start at the top. Not only does this send a message to the rest of the company, but in the United States, frauds committed at the executive level had a median loss of $500,000 per case, compared to a median loss of $54,000 when a lower level employee perpetrated the fraud.6

A specific action plan for the Board of Directors is outlined in our free white paper on financial institution fraud.

Internal controls

Every financial institution uses internal controls in its daily operations. Yet over half of all frauds could be prevented if internal controls were implemented or more strongly enforced.7

The importance of internal controls cannot be overstated. Every organization should closely examine its internal controls and determine where they can be strengthened – even financial institutions with strong anti-fraud measures in place. 

The experts at BerryDunn have created a checklist of the top 10 internal controls for financial institutions, available in our white paper on preventing fraud. This is a list that we encourage every financial leader to read. By strengthening your foundation, your company will be in a powerful place to prevent fraud.

Read more to prevent fraud

Employees are your greatest strength and number one resource. Taking a proactive, positive approach to fraud-prevention maintains the value employees bring to a financial institution, while focusing on realistic measures to discourage fraud.

In our free whitepaper on preventing financial institution fraud, we take a deeper look at how to successfully implement a strong anti-fraud plan.

Commit to strengthening fraud prevention and you will instill confidence in your Board, employees, customers and the general public. It’s a good investment for any financial institution.

1http://www.gallup.com/poll/1597/confidence-institutions.aspx 2-7Report to the Nations on Occupational Fraud and Abuse: 2016 Global Fraud Study, The Association of Certified Fraud Examiners, p. 34-35

Blog
Preventing fraud at financial institutions: An anti-fraud plan is the best investment you can make

Online banking? Check.
Online shopping? You bet.
Online permit application submittal? What? Actually, yes.


As Americans are becoming more and more accustomed to performing everyday functions online, local governments are evolving and keeping up with the times. This online evolution is coming in the form of implementing modern enterprise applications with electronic workflow and a public-facing portal that allows residents to apply for permits, submit documentation, pay for, and collaborate with local government staff to perform a variety of processes.

One area of recent focus is the online submittal and routing of electronic planning and permit applications, and supporting plans and drawings. This effort is often driven by a desire to expand e-government offerings available to the public, while also realizing internal efficiencies through electronic workflow and simultaneous review, and a reduction in paper usage.

If you were to take a tour of most City or County Building, Planning, or Development Departments, in many instances you would see bins containing rolls of large (24”x36”) scale drawings that support planning (e.g., subdivision, rezoning, etc.) or permit (e.g., new family residential dwelling, accessory building, etc.) documents. With local government agencies receiving hundreds of paper applications each year, the internal driver for moving to an electronic submittal and review environment is evident. Additionally, when it is understood that the applicant develops these documents in a Computer Aided Design (CAD) system prior to printing, and are also required to submit applications in-person during business hours, the need for simplified online processes is even more pressing.

On the surface, moving to an electronic application submittal and review platform may appear pretty straightforward. However, like any major process and technology change there are several major considerations. Here are three that each agency should look at prior to starting an electronic application submittal and review project.

  1. Change to Current Business Processes
    Current processes related to application submittal, completeness review, routing to reviewers, consolidation of review comments, and return of comments and mark-ups to applicants are paper intensive.
    • Are current processes designed around paper submittals?
    • Will reviews be simultaneous or sequential? Should this change?
    • How will electronic copies be distributed to reviewers? How about third-party reviewers?
    • How will comments be consolidated and returned to the applicant?
    • Will plans be submitted online and/or in person via USB/CD?
  2. Change to Current Policies
    Current policies are most likely based on a paper plan set being received, routed, and archived. It is very likely that these policies will require updating with a change to electronic submittal and review.
    • Will plans be required to be submitted electronically? For some case types?
    • Will a hard copy plan set still be required?
    • How will final plans be archived?
    • Will an additional fee be charged to offset equipment and hardware costs?
    • Will the fee schedule incentivize electronic submittals?
    • Will staff be required to perform their mark-ups electronically?
  3. Change to Technology Tools
    Drafting tables, light tables, red pens, and rulers are common tools used to support a paper-based environment. Electronic submittal and review will require a different set of tools.
    • Does your current planning/permitting system have the tools to support an electronic workflow?
    • What software and hardware tools will staff use to complete their review?
    • Will all reviewers be required to complete their reviews electronically?
    • How will revised plans be provided to an applicant (e.g., portal, email, etc.)?
    • How will signatures and stamps be applied to electronic plans?
    • How will resubmittals and multiple versions of plans be managed?

Transitioning to an electronic plan submittal and review environment may seem overwhelming, but when done correctly the benefits can be significant. BerryDunn can assist with answering questions related to transitioning to an electronic plan submittal and review environment. Get more information on how BerryDunn can help your agency navigate this here.

Blog
Moving to electronic plan submittal and review: Three things to consider