Skip to Main Content

blogpost

Governance: It's good for your data

07.12.19

Read this if you are an Institutional Research (IR) Director, a Registrar, or are in the C-Suite.

In my last blog, I defined the what and the why of data governance, and outlined the value of data governance in higher education environments. I also asserted data isn’t the problem―the real culprit is our handling of the data (or rather, our deferral of data responsibility to others).

While I remain convinced that data isn’t the problem, recent experiences in the field have confirmed the fact that data governance is problematic. So much, in fact, that I believe data governance defies a “solid,” point-in-time solution. Discouraged? Don’t be. Just recalibrate your expectations, and pursue an adaptive strategy.

This starts with developing data governance guiding principles, with three initial points to consider: 

  1. Key stakeholders should develop your institution’s guiding principles. The team should include representatives from areas such as the office of the Registrar, Human Resources, Institutional Research, and other significant producers and consumers of institutional data. 
  2. The focus of your guiding principles must be on the strategic outcomes your institution is trying to achieve, and the information needed for data-driven decision-making.
  3. Specific guiding principles will vary from institution to institution; effective data governance requires both structure and flexibility.

Here are some baseline principles your institution may want to adopt and modify to suit your particular needs.

  • Data governance entails iterative processes, attention to measures and metrics, and ongoing effort. The institution’s governance framework should be transparent, practical, and agile. This ensures that governance is seen as beneficial to data management and not an impediment.
  • Governance is an enabler. The institution’s work should help accomplish objectives and solve problems aligned with strategic priorities.
  • Work with the big picture in mind. Start from the vantage point that data is an institutional asset. Without an institutional asset mentality it’s difficult to break down the silos that make data valuable to the organization.
  • The institution should identify data trustees and stewards that will lead the data governance efforts at your institution
    • Data trustees should have responsibility over data, and have the highest level of responsibility for custodianship of data.
    • Data stewards should act on behalf of data trustees, and be accountable for managing and maintaining data.
  • Data quality needs to be baked into the governance process. The institution should build data quality into every step of capture and entry. This will increase user confidence that there is data integrity. The institution should develop working agreements for sharing and accessing data across organizational lines. The institution should strive for processes and documentation that is consistent, manageable, and effective. This helps projects run smoothly, with consistent results every time.
  • The institution should pay attention to building security into the data usage cycle. An institution’s security measures and practices need to be inherent in the day-to-day management of data, and balanced with the working agreements mentioned above. This keeps data secure and protected for the entire organization.
  •  Agreed upon rules and guidelines should be developed to support a data governance structure and decision-making. The institution should define and use pragmatic approaches and practical plans that reward sustainability and collaboration, building a successful roadmap for the future. 

Next Steps

Are you curious about additional guiding principles? Contact me. In the meantime, keep your eyes peeled for a future blog that digs deeper into the roles of data trustees and stewards.
 

Related Services

Consulting

Related Professionals

This spring, I published a blog about the importance of data governance in higher education institutions. In the summer, a second blog covered implementing baseline principles for data governance. With fall upon us, it is time to transition to discussing three critical steps to create a data governance culture. 

1.    Understand the people side of change.

The culture of any organization begins and ends with its people. As you know, people are notoriously finicky when it comes to change (especially change like data governance initiatives that may alter the way we have to understand or interact with institutional data). I recommend that any higher education institution apply a change management methodology (e.g., Prosci®, Lewin’s Change Management Model) in order to gauge the awareness of, the desire for, and the practical realities of this change. If you apply your chosen methodology in an effective and consistent manner, change management will help you increase buy-in and break down resistance. 

2.    Identify and empower the right people for the right roles.

Higher education institutions often focus on data governance processes and technologies. While this is necessary, you can’t overlook the people part of data governance. In fact, you can argue it is the most important part, because without people, there will be no one to follow the processes you create or use the technologies you implement. 

To find the right people, you need to identify and establish three specific roles for your institution: data trustees, data stewards, and data managers. Once you have organized these roles and responsibilities, data governance becomes easier to manage. Some definitions:

Data trustees (the sponsors) – senior leadership (or designees) who oversee data policy, planning, and management. Their responsibilities include: 

  • Promoting data governance 
  • Approving and updating data policies​​
  • Assigning and overseeing data stewards
  • Being responsible for data governance

Data stewards (the owners) – directors, managers, associate deans, or associate vice presidents who manage one or more data types. Their responsibilities include:

  • Applying and overseeing data governance policies in their functional areas
  • Following legal requirements pertaining to data in their functional areas
  • Classifying data and identifying data safeguards
  • Being accountable for data governance

Data managers (the caretakers) – data system managers, senior data analysts, or functional users (registrar, financial aid, human resources, etc.) who perform day-to-day data collection and management operations. Their responsibilities include:

  • Implementing data governance policies in their functional areas
  • Resolving data issues in their functional areas 
  • Provide training and appropriate documentation to data users
  • Being informed and consulted about data governance

3.    Be consistent and hold people accountable.

Ultimately, your data governance team needs accountability in order to thrive. Therefore, it is up to data trustees, data stewards, and data managers to hold regular meetings, take and distribute meeting notes, and identify and follow up on meeting action items. Without this follow through, data governance initiatives will likely stall or stop altogether. 

More information on data governance 

Are you still curious about additional guiding principles of data governance in higher education? Please contact the team
 

Blog
People Power: Enacting Sustainable Data Governance

“The world is one big data problem,” says MIT scientist and visionary Andrew McAfee.

That’s a daunting (though hardly surprising) quote for many in data-rich sectors, including higher education. Yet blaming data is like blaming air for a malfunctioning wind turbine. Data is a valuable asset that can make your institution move.

To many of us, however, data remains a four-letter word. The real culprit behind the perceived data problem is our handling and perception of data and the role it can play in our success—that is, the relegating of data to a select, responsible few, who are usually separated into hardened silos. For example, a common assumption in higher education is that the IT team can handle it. Not so. Data needs to be viewed as an institutional asset, consumed by many and used by the institution for the strategic purposes of student success, scholarship, and more.

The first step in addressing your “big” data problem? Data governance.

What is data governance?

There are various definitions, but the one we use with our clients is “the ongoing and evolutionary process driven by leaders to establish principles, policies, business rules, and metrics for data sharing.”

Please note that the phrase “IT” does not appear anywhere in this definition.

Why is data governance necessary? For many reasons, including:

  1. Data governance enables analytics. Without data governance, it’s difficult to gain value from analytics initiatives which will produce inconsistent results. A critical first step in any data analytics initiative is to make sure that definitions are widely accepted and standards have been established. This step allows decision makers to have confidence in the data being analyzed to describe, predict, and improve operations.
     
  2. Data governance strengthens privacy, security, and compliance. Compliance requirements for both public and private institutions constantly evolve. The more data-reliant your world becomes, the more protected your data needs to be. If an organization does not implement security practices as part of its data governance framework, it becomes easier to fall out of compliance. 
     
  3. Data governance supports agility. How many times have reports for basic information (part-time faculty or student FTEs per semester, for example) been requested, reviewed, and returned for further clarification or correction? And that’s just within your department! Now add multiple requests from the perspective of different departments, and you’re surely going through multiple iterations to create that report. That takes time and effort. By strengthening your data governance framework, you can streamline reporting processes by increasing the level of trust you have in the information you are seeking. Understanding the value of data governance is the easy part/ The real trick is implementing a sustainable data governance framework that recognizes that data is an institutional asset and not just a four-letter word.

Stay tuned for part two of this blog series: The how of data governance in higher education. In the meantime, reach out to me if you would like to discuss additional data governance benefits for your institution.

Blog
Data is a four-letter word. Governance is not.

As a new year is upon us, many people think about “out with the old and in with the new”. For those of us who think about technology, and in particular, blockchain technology, the new year brings with it the realization that blockchain is here to stay (at least in some form). Therefore, higher education leaders need to familiarize themselves with some of the technology’s possible uses, even if they don’t need to grasp the day-to-day operational requirements. Here’s a high-level perspective of blockchain to help you answer some basic questions.

Are blockchain and bitcoin interchangeable terms?

No they aren’t. Bitcoin is an electronic currency that uses blockchain technology, (first developed circa 2008 to record bitcoin transactions). Since 2008, many companies and organizations utilize blockchain technology for a multitude of purposes.

What is a blockchain?

In its simplest terms, a blockchain is a decentralized, digital list (“chain”) of timestamped records (“blocks”) that are connected, secured by cryptography, and updated by participant consensus.

What is cryptography?

Cryptography refers to converting unencrypted information into encrypted information—and vice versa—to both protect data and authenticate users.

What are the pros of using blockchain?

Because blockchain technology is inherently decentralized, you can reduce the need for “middleman” entities (e.g., financial institutions or student clearinghouses). This, in turn, can lower transactional costs and other expenses, and cybersecurity risks—as hackers often like to target large, info-rich, centralized databases.

Decentralization removes central points of failure. In addition, blockchain transactions are generally more secure than other types of transactions, irreversible, and verifiable by the participants. These transaction qualities help prevent fraud, malware attacks, and other risks and issues prevalent today.

What are the cons of using blockchain technology?

Each blockchain transaction requires signature verification and processing, which can be resource-intensive. Furthermore, blockchain technology currently faces strong opposition from certain financial institutions for a variety of reasons. Finally, although blockchains offer a secure platform, they are not impervious to cyberattacks. Blockchain does not guarantee a hacker-proof environment.

How can blockchain benefit higher education institutions?

Blockchain technology can provide higher education institutions with a more secure way of making and recording financial transactions. You can use blockchains to verify and transfer academic credits and certifications, protect student personal identifiable information (PII) while simultaneously allowing students to access and transport their PII, decentralize academic content, and customize learning experiences. At its core, blockchain provides a fresh alternative to traditional methods of identity verification, an ongoing challenge for higher education administration.

As blockchain becomes less of a buzzword and begins to expand beyond the realm of digital currency, colleges and universities need to consider it for common challenges such as identity management, application processing, and student credentialing. If you’d like to discuss the potential benefits blockchain technology provides, please contact me.

Blog
Higher education and blockchain 101: It's not just for bitcoin anymore

The late science fiction writer (and college professor) Isaac Asimov once said: “I do not fear computers. I fear the lack of them.” Had Asimov worked in higher ed IT management, he might have added: “but above all else, I fear the lack of computer staff.”

Indeed, it can be a challenge for higher education institutions to recruit and retain IT professionals. Private companies often pay more in a good economy, and in certain areas of the nation, open IT positions at colleges and universities outnumber available, qualified IT workers. According to one study from 2016, almost half of higher education IT workers are at risk of leaving the institutions they serve, largely for better opportunities and more supportive workplaces. Understandably, IT leadership fears an uncertain future of vacant roles—yet there are simple tactics that can help you improve the chances of filling open positions.

Emphasize the whole package

You need to leverage your institution’s strengths when recruiting IT talent. A focus on innovation, project leadership, and responsibility for supporting the mission of the institution are important attributes to promote when recruiting. Your institution should sell quality of life, which can be much more attractive than corporate culture. Many candidates are attracted to the energy and activity of college campuses, in addition to the numerous social and recreational outlets colleges provide.

Benefit packages are another strong asset for recruiting top talent. Schools need to ensure potential candidates know the amount of paid leave, retirement, and educational assistance for employees and employee family members. These added perks will pique the interest of many candidates who might otherwise have only looked at salary during the process.

Use the right job title

Some current school vacancies have very specific job titles, such as “Portal Administrator” or “Learning Multimedia Developer.” However, this specificity can limit visibility on popular job posting sites, reducing the number of qualified applicants. Job titles, such as “Web Developer” and “Java Developer,” can yield better search results. Furthermore, some current vacancies include a number or level after the job title (e.g., “System Administrator 2”), which also limits visibility on these sites. By removing these indicators, you can significantly increase the applicant pool.

Focus on service, not just technology

Each year, institutions deploy an increasing number of Software as a Service (SaaS) and hosted applications. As higher education institutions invest more in these applications, they need fewer personnel for day-to-day technology maintenance support. In turn, this allows IT organizations to focus limited resources on services that identify and analyze technology solutions, provide guidance to optimize technology investments, and manage vendor relationships. IT staff with soft skills will become even more valuable to your institution as they engage in more people- and process-centric efforts.

Fill in the future

It may seem like science fiction, but by revising your recruiting and retention tactics, your higher education institution can improve its chances of filling IT positions in a competitive job market. In a future blog, I’ll provide ideas for cultivating staff from your institution via student workers and upcoming graduates. If you’d like to discuss additional staffing tactics, send me an email.

Blog
No science fiction: Tactics for recruiting and retaining higher education IT positions

We humans have a complex attitude toward change. In one sense, we like finding it. For instance: “Now I can buy something from the vending machine!” In reality, we try to avoid change as much as possible. Why? Because it’s frightening. Consider this quote from Mary Shelley’s Frankenstein: “Nothing is so painful to the human mind as a great and sudden change.”

The key word in that quote is “sudden.” Because the more we prepare for change, the less painful it becomes. One crucial way to prepare for change is to assess how ready we are for something new.

Which brings us to you. The fact you are reading a blog post with the words “Readiness for Enterprise Systems” in its title suggests that you have considered, or are considering, changing your institution’s Enterprise Resource Planning (ERP) system or other enterprise software, such as LMS, SIS, CRM, etc. This change is no minor adjustment.

Enterprise systems are complex, impacting institutional activities at many levels, from managing student records, finances, and human resources, to enabling student enrollment and registration. Is your institution prepared for transformation across the organization? To find out, assess your institution’s readiness for change. To help illustrate what an assessment might entail, I’ll outline BerryDunn’s method.

Step #1: Understanding Key Indicators for Readiness
When assisting a client to determine readiness, BerryDunn begins engaging stakeholders from across the institution (e.g., staff, faculty, and students) to understand the current environment. This allows us to address seven key indicators for change readiness:

  1. Stakeholder Buy-In. The key to success in changing an ERP platform is for users to understand the value that the change will bring. “Do stakeholders know how the new system will benefit them? Or, from their perspective, ‘What’s in it for me (aka, WIIFM)?’”
  2. Executive Sponsorship. In order to obtain stakeholder buy-in, leaders have to communicate effectively with various parties about change. They will be required to display strong and consistent leadership when stakeholders are faced with challenges with vendors, timing, scope creep, or other issues. “Are leaders prepared to lead the charge? Are they committed to change?”
     
  3. Vendor Ability. Each institution has specific operational needs and programmatic objectives. ERP vendors will highlight their strengths and may de-emphasize weaknesses that may exist in their products. “Are vendors actually able to meet the institution’s functional needs and align their software with strategic objectives?”
     
  4. Business Process Redesign. As mentioned above, it can be a struggle to align operational needs and programmatic objectives with vendor software. It’s even harder to achieve this while ensuring that, in implementing a new ERP system, an institution won’t lose valuable functionality that had been provided by the previous ERP. “Does the client fully understand the impact of a new ERP system on their processes?”
     
  5. Project Management. Proactive project management is critical when changing an ERP system. Project managers need to engage institutional stakeholders, project sponsors, and vendors to keep them apprised of progress. “Are project managers empowered to maintain strong communication with all stakeholders?”
     
  6. Data Governance. Another key indicator of ERP readiness is how well-defined data management is before implementation. ERP replacement projects are jeopardized when institutions don’t understand their data assets, or don’t know what level of data migration is necessary. “Is the institution prepared for data migration?”
     
  7. Software Change Management. As ERP vendors move their products to the cloud, the software they sell will become less customizable, but more configurable. In other words, customers won’t necessarily be able to modify the base software code, but they will have more options in regards to defined fields, workflow, and user interface. Although this sounds limiting, it is actually an opportunity to streamline operations, add discipline to software update timelines, and require organizations to consider how to best complete their administrative functions. It is critical that an institution adapt its software change management practices to meet this reality. “Do the institution’s software change management practices reflect how software is delivered by vendors today?”

Step #2: Establish Agreed-Upon Metrics
Based on our analysis from Step #1, we then score these indicators of readiness based on a maturity scale from 0 – 5, using the following parameters:

0  Non-existent
1  Aware, but not ready to change
2  Aware and open to change, but lack understanding of path forward
3  Accept that change is needed, but clear action plan is not in place
4  Accept that change is imminent and is being planned for
5  Readiness for change has broad understanding, is accepted, and is being executed 

Step #3: Score the Readiness of Your Organization
When you work with a consulting firm to assess your institution’s readiness for change, you should expect tangible takeaways that will inform stakeholders and provide a baseline metric. For example, we prepare a brief report that outlines a score for each of the seven maturity indicators of ERP readiness and provides supporting information for the basis of each score.

Here is an example of a Software Change Management section from a hypothetical ERP Readiness Report:

READINESS INDICATORS

BASIS FOR SCORE

SCORE (0 – 5)

Software Change Management

The University does have an effective software change management methodology, and a standard process for prioritizing requests to its current ERP system. This model may change significantly if a cloud system is chosen, and will require a new approach to configuration and asset management.

3


Finally, based on the weighted aggregate score of the report, BerryDunn determines the institution’s readiness for change, and provides recommendations on how to remediate low scores, and sustain higher scores.

Now for the good news. By setting a baseline early in your readiness planning, the scoring can be revisited over time to measure progress and provide project leadership with a simple, but effective, approach to tracking change management within the organization.

Next Steps
As you can see, implementing a new ERP doesn’t have to be a monstrous experience. You simply need to determine your ERP readiness, and follow a common-sense plan for change management. If you’d like to talk more about this process, send me an email: dhoule@berrydunn.com. I look forward to learning about the great changes your institution has planned.

Blog
Assessing organizational readiness for enterprise systems

Read this if you are a Chief Executive Officer, Chief Financial Officer, Chief Risk Officer, Chief Information Officer, or Controller.

While COVID-19 has forced many of us into a remote work environment, we also have to deal with the challenges that come along with it. The stark contrast between an office environment and one that potentially involves working in isolation can be a difficult adjustment. Office kitchen conversations have evolved into conversations with pets, our newest co-workers. A quick, in-person question has now turned into an email, phone, or video call. And job responsibilities expand as we try to not only juggle work but also ensure our children focus on school work―and don’t destroy the house. 

Not only has this forced environment caused social challenges, it has also opened the door for internal control challenges, as  internal controls designed to operate effectively in an office environment may not be ideal for a remote workplace. Even ones that are appropriately designed, may prove to be operating ineffectively in this new environment. Let’s take a look at some internal control challenges, and potential solutions, faced by working in a remote environment.

Establishing a remote control environment

Exercising appropriate tone at the top and establishing appropriate oversight can be challenging with a remote workforce. Ethics and governance policies play an important role in setting clear expectations about workplace behaviors. But, a workforce is much more apt to follow a leadership team’s example rather than a policy. All of those office conversations, even the conversations that are not work related, help set an expectation of appropriate and inappropriate behaviors. These conversations often happen naturally in the office via a quick conversation in passing in the hallway or a late-Friday happy hour with your department. However, these interactions do not naturally occur in a remote workplace. Leadership and department heads should make an active effort to maintain communication with their workforce. Some things to consider:

  • Send out weekly emails to the entire department and possibly more personal, one-on-one videoconferences or phone calls between your department heads or managers and individual members of their teams.
  • These department-wide emails should stress the importance of communication as well as continuing to produce high quality work and maintaining accountability. 
  • One-on-one meetings should be used to check in with employees to ensure their work needs are being met. 

Employees will most likely have many suggestions to improve their new work environment, including suggestions on how to improve communication amongst team members. 

The power of video

Videoconferencing also provides a great opportunity to stay connected. Virtual happy hours simulate an in-person happy hour. This is a great way to check-in with team members and show that, although people are out of sight, they are not out of mind. Town hall-type meetings can also be explored. Your leadership team can solicit open discussion. Agenda items may include office status updates, technological considerations, and an opportunity for employees to openly discuss current challenges due to working in a remote environment. Employees are going to have anxiety about the current environment. These meetings can help put employees at ease.

Risk assessment

Internal control environments are constantly evolving. Employees leave. Software is updated.  Offered services and products change. The list goes on. However, it is unprecedented that an internal control environment has changed so rapidly. Given these unprecedented times, there is potential for higher risk of fraud, internally and externally. Those responsible for designing internal controls (control owners) should reassess your company’s environment. Although internal controls can be designed in a manner in which they operate effectively regardless of the circumstances, it is possible there are unintended changes to processes that have occurred. 

For instance, let’s say the employee responsible for reviewing loan file maintenance changes is now working an alternative work schedule due to personal obligations. This employee does not have the ability to make loan file changes; therefore, segregation of duties has never been an issue. An employee within loan servicing has agreed to take some of the employee’s responsibilities and is now reviewing some of the loan file maintenance changes, which has put this employee in a position to review some of their own changes. 

Furthermore, some internal controls that require employees be at a physical location to operate may also be compromised, such as inventory cycle counts. If these controls are unable to operate, control owners will need to consider the impacts on the affected transaction areas, and if there are compensating controls that can be designed to alleviate some of the control risk.

Control activities

Accounts payable and check signing

The accounts payable and cash disbursement process will most likely be upended as a result of your new remote environment. Bills received through the mail will need to be scanned to the accounts payable clerk for entry into the accounting system. Some offices have designated certain personnel responsible for checking mail on an infrequent basis, for instance, weekly. Check signing may also prove to be a challenge as blank check stock may be inaccessible. Electronic receipt of invoices and signing of checks, as well as the use of wire and ACH transfers, lend themselves as feasible solutions. Email approvals may suffice when multiple signers are needed to approve high dollar disbursements.

Segregation of duties

As mentioned above, it is possible processes have inadvertently changed, exposing certain internal controls to ineffectiveness. Segregation of duties may become difficult as employees shift to alternative work schedules or have other issues. Maintaining segregation of duties should be a top priority for control owners and is something that should be constantly assessed as circumstances change. Challenging times may make segregation of duties difficult and may force you to get creative by requesting employees perform duties they are not otherwise accustomed to performing.

Digital sign-offs

You should also consider the manner in which you document the completion of controls. Control owners should be cautious about the integrity of an employee’s initials simply typed onto a digital document, as any employee can perform this task. Digital signatures, which require an employee to enter credentials prior to signing, enhance the integrity of a sign-off and are often time stamped. Digital signatures may also “lock down” the document, prohibiting any changes to the signed document.

Timely review

Given the circumstances, it is not unreasonable that preparation and review may take longer than under normal circumstances. Even if additional time is granted for the preparation and review of documents, you should consider the implications this has on the transaction class as a whole. The longer it takes to complete a control, the greater the consequences may be if you identify an error. For instance, the impact of an incorrect change to a loan rate index can be substantial if not identified timely. If identified quickly, you can avoid consequences later.

Information and communication

For many companies that have moved from a paper to a digital environment, sharing of information should not be an issue. However, for those that still operate in a mostly paper environment, performing tasks and sharing information with team members may prove to be difficult. And, those without the capability of scanning and sending documents from home could compromise a specific internal control altogether. Being forced to work remotely may be the perfect excuse to move paper processes into a digital format.

Monitoring

Monitoring your internal control environment is of the utmost importance given these significant changes. Frequent conversations should be had with control owners to ensure changes to processes do not render controls ineffective. Identified gaps in internal controls should be addressed proactively. Provide control owners with the opportunity to discuss changes to control processes with Internal Audit or Risk Management so such departments can consider the impact of changes on internal control. This also gives these departments the opportunity to cover any resulting gaps.

Permanent changes

Once the remote workplace requirements end, the effects of working in such an environment will not. There are many benefits and efficiencies to be found in working remotely. As people have now been forced to work in such an environment, they will be more apt to continue to do so. Therefore, let’s take this opportunity to revise processes and internal controls to be “remote workplace” compatible. This will provide a long-lasting impact to your organization far beyond the pandemic. 
 

Blog
How does your control environment look in a remote world?

BerryDunn’s Healthcare/Not-for-Profit Practice Group members have been working closely with our clients as they navigate the effect the COVID-19 pandemic will have on their ability to sustain and advance their missions.

We have collected several of the questions we received, and the answers provided, so that you may also benefit from this information. We will be updating our COVID-19 Resources page regularly. If you have a question you would like to have answered, please contact Sarah Belliveau, Not-for-Profit Practice Area leader, at sbelliveau@berrydunn.com.

The following questions and answers have been compiled into categories: stabilization, cash flow, financial reporting, endowments and investments, employee benefits, and additional considerations.

STABILIZATION
Q: Is all relief focused on small to mid-size organizations? What can larger nonprofit organizations participate in for relief?
A:

We have learned that there is an as-yet-to-be-defined loan program for mid-sized employers between 500-10,000 employees. You can find information in the Loans Available for Nonprofits section (link below) of  the CARES Act as well as on the Independent Sector CARES Act web page, which will be updated regularly.

Q: Should I perform financial modeling so I can understand the impact this will have on my organization? Things are moving so fast, how do I know what federal programs are available to provide assistance?
A:

The first step in developing a short-term model to navigate the next few months is to gain an understanding of the programs available to provide assistance. These resources summarize some information about available programs:

Loans Available for Nonprofits in the CARES Act
Families First Coronavirus Response Act (FFCRA): FAQs for Businesses
CARES Act Tax Provisions for Not-for-Profit Organizations

The next step is to develop scenarios ranging from best case to worst case to analyze the potential impact of revenue and/or cost reductions on the organization. Modeling the various options available to you will help to determine which program is best for your organization. Each program achieves a different objective – for instance:

  • The Paycheck Protection Program can assist in retaining employees in the short term.
  • The Emergency Economic Injury Grants are helpful in covering a small immediate liquidity need.
  • The Small Business Debt Relief Program provides aid to those concerned with making SBA loan payments.

Additionally, consider non-federal options, such as discussing short-term deferrals with your current bank.

Q: How should I create a financial forecast/model for the next year?
A:

If you have the benefit of waiting, this is likely a time period in which it makes sense to delay significant in-depth forecasting efforts, particularly if your business environment is complicated or subject to significantly volatility as a result of recent events. The concern with beginning to model for future periods, outside of the next three-to-six months, is that you’ll be using information that is incomplete and ever-changing. This could lead to snap judgments that are short-term in nature and detrimental to long-term planning and success of your organization. 

With that said, we recognize that delaying this analysis will be unsettling to many CFOs and business managers who need to have a strategy moving forward. In developing this model for next year, consider the following elements of a strong model:

  1. Flexible and dynamic – Allow room for the model to adapt as more information is available and as additional insight is requested by your constituents (board members, department heads, lenders, etc.).
  2. Prioritize – Start with your big-ticket items. These should be the items that drive results for the organization. Determine what your top two to three revenue and expense categories are and focus on wrapping your arms around the future of those. From there, look for other revenue and expense sources that show correlation with one of the big two to three. Using a dynamic model, these should be automatically updated when assumptions on correlated items change. Don’t waste time on items that likely don’t impact decision making. Finally, build consensus on baseline assumptions, whether it be through management or accounting team, the board, or finance committee.
  3. Stress-test – Provide for the reality that your assumptions, and thus model, will be wrong. Develop scenarios that run from best-case to worst-case. Be honest with your assumptions.
  4. Identify levers – As you complete stress-testing, identify your action plan under different circumstances. What are expenditures that can be deferred in a worst-case scenario? What does staffing look like at various levels?
  5. Cash is king – The focus on forecasting and modeling is often on the net income of the organization and the cash flows generated. In a time such as this, the exercise is likely to focus on future liquidity. Remember to consider your non-income and expense items that impact cash flow, such as principal payments on debt service, planned additions to property & equipment, receipts on pledge payments, and others.  
CASH FLOW
Q: How can I alleviate cash flow strain in the near term?
A:

While the House and Senate have reacted quickly to bring needed relief to individuals and businesses across the country, the reality for most is that more will need to be done to stabilize. Operationally, obvious responses in the short term should be to eliminate all nonessential purchasing and maximize the billing and collection functions in accounts receivable. Another option is to utilize or increase an existing line of credit, or establish a new line of credit, to alleviate short term cash flow shortfalls. Organizations with investment portfolios can consider the prudence of increasing the spending draw on those funds. Rather than making a few drastic changes, organizations should take a multi-faceted approach to reduce the strain on cash flow while protecting the long term sustainability of the mission.

Q: How can I increase my organization’s reach to help with disaster relief? If we establish a special purpose fund, what should my organization be thinking about?
A:

Many organizations are looking for ways to increase their direct impact and give funding to individuals or organizations they may not have historically supported. For those who are want to expand their grant or gift making or want to establish a disaster relief fund, there are things to consider when doing so to help protect the organization. The nonprofit experts at Hemenway & Barnes share their thoughts on just how to do that.

FINANCIAL REPORTING
Q: What accounting standards have been delayed or are in the process of being delayed?
A:

FASB:
The $2.2 trillion stimulus package includes a provision that would allow banks the temporary option to delay compliance with the current expected credit losses (CECL) accounting standard. This would be delayed until the earlier end of the fiscal year or the end of the coronavirus national emergency.

GASB:
On March 26, 2020, the Governmental Accounting Standards Board (GASB) announced it has added a project to its current technical agenda to consider postponing all Statement and Implementation Guide provisions with an effective date that begins on or after reporting periods beginning after June 15, 2018. The GASB has received numerous requests from state and local government officials and public accounting firms regarding postponing the upcoming effective dates of pronouncements as these state and local government offices are closed and officials do not have access to the information needed to implement the Statements. Most notably this would include Statement No. 84, Fiduciary Activities, and Statement No. 87, Leases.

The Board plans to consider an Exposure Draft for issuance in April and finalize the guidance in May 2020.

ENDOWMENTS AND INVESTMENTS 
Q: What should I consider with regard to endowments?
A:

Many nonprofits with endowments are considering ways to balance an increased reliance on their investment portfolios with the responsibility to protect and preserve the spending power of donor-restricted gifts. Some things to think about include the existence (or absence) of true restrictions, spending variations under the Uniform Prudent Management of Institutional Funds Act (UPMIFA) applicable in your state, borrowing from an endowment, or requesting from the donor the release of restrictions. All need to be balanced with the intended duration and preservation of the endowment fund. Hemenway & Barnes shares their thoughts relative to the utilization of endowments during this time of need.

EMPLOYEE BENEFITS
Q: We are going to suspend our retirement plan match through June 30, 2020 and I picked a start date of April 1st. What we need help with is our bi-weekly payroll (which is for HOURLY employees). Their next pay date is April 3rd, for time worked through March 28th. Time worked March 29-31 would be paid on April 17th. How should we handle the match during this period for the hourly employees?
A:

The key for determining what to include for the matching calculation is when it is paid, not when it was earned. If the amendment is effective April 1st, then any amounts paid after April 1st would not have matching contributions calculated. This means that the amounts paid on April 3rd would not have any matching contributions calculated.

Q: Can you please provide guidance on the Families First Coronavirus Response Act (FFCRA) and how it may impact my organization?
A:

On March 30th, BerryDunn published a blog post to help answer your questions around the FFCRA.

If you have additional questions, please contact one of our Employee Benefit Plan professionals

ADDITIONAL CONSIDERATIONS
Q: I heard there was going to be an incentive for charitable giving in the new act. What's that all about?
A:

According to Sections 2204 and 2205 of the CARES Act:

  • Up to $300 of charitable contributions can be taken as a deduction in calculating adjusted gross income (AGI) for the 2020 tax year. This will provide a tax benefit even to those who do not itemize.
  • For the 2020 tax year, the tax cap has been lifted for:
    • Individuals-from 60% of AGI to 100%
    • Corporations-annual limit is raised from 10% to 25% (for food donations this is raised from 15% to 25%)
Q: Have you heard if the May 15th tax deadline will be extended?
A:

Unfortunately, we have not heard. As of April 6th, the deadline has not been extended.

Q: Could you please summarize for me the tax provisions in the CARES Act that you think are most applicable to not-for-profits?
A: Absolutely! Our not-for-profit tax professionals have compiled this document, which provides a high-level outline of tax provisions in the CARES Act that we believe would be of interest to our clients.

We are here to help
Please contact the BerryDunn not-for-profit team if you have any questions, or would like to discuss your specific situation.

Blog
COVID-19 FAQs—Not-for-Profit Edition

Editor's note: read this if you are a leader in higher education. 

The Department of Education’s Office of Postsecondary Education posted an Electronic Announcement on April 3, 2020, to provide an update to the policy and operational guidance issued in March as a result of the COVID-19 pandemic national emergency. 

In addition to extending the March 5, 2020 guidance to apply to payment periods or terms beginning between March 5, 2020 and June 1, 2020, the Department has confirmed the temporary closure will not result in loss of institutional eligibility or participation. A few other changes to note:

  • Leaves of absence due to COVID-19-related concerns or limitations (such as interruption of a travel-abroad program) can be requested after the date the leave has begun.
  • Updates to the academic calendar requirements will allow institutions to offer courses on a schedule that would otherwise cause the program to be considered a non-standard term if it allows students to complete the term.
  • Calculated expected family contribution amounts will exclude from income any grants or low-interest loans received by victims of an emergency from a federal or state entity as part of the needs analysis.

One trend that continues to permeate the Department’s guidance is for institutions to document, as contemporaneously as possible, actions taken as a result of COVID-19 (including professional judgment decisions, on a case-by-case basis). 

The Department will be issuing more guidance on the impact of the CARES Act on R2T4 calculations, satisfactory academic progress requirements, the extension of the single audit by the Office of Management and Budget, and the potential impact to future FISAP filings. We highly recommend you read the full announcement as it outlines a wide variety of important details. 

Questions? Please contact Renee Bishop, Sarah Belliveau, or Mark LaPrade. We’re here to help.


 

Blog
COVID-19: Department of Education operational guidance

As resources are released to help higher education institutions navigate the rapidly changing landscape, we will add important links and information to this blog post:

Industry resources:
US Department of Education

Guidance for colleges:
How might colleges benefit from the coronavirus stimulus package?

We are here to help
Please contact the BerryDunn higher education team if you have any questions, or would like to discuss your specific situation.

Blog
Resources for higher education institutions affected by COVID-19

Focus: Disaster Loan Program and Paycheck Protection Program (PPP)

Background

The Coronavirus Aid, Relief and Economic Security (CARES) Act will provide $562 million to cover administrative expenses and program subsidy for the US Small Business Administration (SBA) Economic Injury Disaster Loans and small business programs. 

Additionally, the CARES Act specifically provides the authorization for $349 billion for the SBA 7(a) program through December 31, 2020. 

SBA disaster loan program (updated for CARES Act) highlights


General
The US Small Business Administration is offering designated states and territories low-interest federal disaster loans for working capital to small businesses suffering substantial economic injury as a result of the coronavirus and COVID-19.

Eligibility 
Industry may be subject to different standards, but the general rule of thumb is that the SBA defines most small businesses as having less than 500 people, both calculated on a standalone basis and together with its affiliates (see PPP below for more information). A company’s average annual sales may also be used for the small business designation. 

Historically, businesses that are not eligible for this program included casinos, charitable organizations, religious organizations, agricultural enterprises and real estate developers that are primarily involved in subdividing real property into lots and developing it for resale for themselves (other real estate entities may apply, such as landlords). 

However, the CARES Act expanded eligibility to include (i) any individual operating as a sole proprietor or independent contractor; (ii) private non-profits and (iii) Tribal businesses, cooperatives and ESOPs with fewer than 500 employees during January 31, 2020 to December 31, 2020.

If the entity has bad credit or has defaulted on a prior SBA loan, the entity is not eligible. The CARES Act removed the credit elsewhere requirement (i.e., previously if the business had credit available through another source, such as a line of credit, it was ineligible). 

Basic terms

  • Loan amount
    The lesser of $2 million or an amount determined that that borrower can repay (i.e., underwriting requirement).
  • Maximum term
    Up to 30 years and all payments on these loans will be deferred for 12 months from disbursement date. Interest will accrue.
  • Interest rate
    3.75% for for-profit business and 2.75% for a non-profit entity.
  • Collateral
    Loans for under $25,000 do not require collateral.  Any person with an interest in the company worth 20% or more must be a guarantor; however the CARES Act eliminates the guaranty requirement on advances and loans under $200,000. 
  • Use of proceeds
    Loan proceeds may be used to pay fixed debts (including short-term notes and balloon payments that are due within the next 12 months), payroll, accounts payable, and other bills the borrower would have to pay that but for the disaster would have been paid, such as mortgage payments. Landlords and other passive entities are eligible. Agriculture-related entities are eligible, but farmers are not. Borrowers must maintain proof of how the loan proceeds were used for three years from the date of disbursement. Borrowers cannot use the proceeds to expand their business, buy assets, make repairs to real estate or refinance long-term debt. 
  • Forgiveness
    No forgiveness provision.

Applying
Loan applications are available here

Length of time for funding
Upon submittal of a completed application, it can take 18-21 days to be approved and another four to five business days for funding. However, the SBA has never dealt with this much volume so expect delays.  

If funding is needed immediately, contact any SBA partnering non-profit lender and request an SBA microloan up to $50,000 or contact a commercial lending partner to see if they offer SBA express loans up to $1,000,000 (CARES Act increases this from $350,000 to $1,000,000) and/or SBA 7(a) loans up to $5 million. The 7(a) loans are typically processed within 30 days, while microloans and express loans are processed even more quickly. 

The CARES Act has also established an emergency grant to allow eligible entities who have applied for a disaster loan because of COVID-19 to request an advance of up to $10,000 on that loan. The SBA is to distribute the advance within three days. 

This advance does not need to be repaid, even if the applicant is denied a Disaster Loan. ($10,000,000,000 is appropriated for this program and funds will be distributed on a first come, first served basis). An applicant must self-certify that it is an eligible entity prior to receiving such an advance. Advances may be used for providing sick leave to employees, maintaining payroll, meeting increased costs to obtain materials, rent or mortgage payments, and payment of business obligations that cannot be paid due to loss of revenues. Applicants must apply directly with the SBA for this program.

Other considerations
Each company should review any current loan obligations and confirm that it does not include a provision forbidding that applicant from acquiring additional debt. If the document does, the applicant will want to discuss a waiver of that provision with its current lender. The lender should be amenable to this waiver and the applicant will want the waiver verified in writing. The lender should be amenable because the SBA disaster loan can be used to satisfy monthly debt obligations and any collateral taken by the SBA would be subordinate, if the same collateral secures the lender’s loan.

Under the CARES Act, Congress has also directed the SBA to use funds to make principal and interest payments, along with associated fees that may be owed on an existing SBA 7(a), 504 or micro-loan program covered loan, for a period of six months from the next payment due date. Any loan that may currently be on deferment will receive the six months of covered payments once the deferral period has ended. This provision will also cover loans that are made up to six months after the enactment of the CARES Act. If the loan maturity date conflicts with benefiting from this amendment, the lender can extend the maturity date of the loan. 

Newly enacted Paycheck Protection Program (PPP)


General
This new program will be offered with a 100% SBA guaranty through December 31, 2020, to lenders, after which the guaranty percentage will return to 75% for loans above $150,000 and 85% for loans below that amount. 

Eligibility 
A business, including a qualifying nonprofit organization, that was in operation on February 15, 2020, and either had employees for whom it paid salaries and payroll taxes or paid independent contractors, is eligible for PPP loans if it (a) meets the applicable North American Industry Classification System (NAICS) Code-based size standard or other applicable 7(a) loan size standard, both alone and together with its affiliates; or (b) has an employee headcount that is lower than the greater of (i) 500 employees or (ii) the employee size standard, if any, under the applicable NAICS Code. 

Businesses that fall within NAICS Code 72, which applies to accommodations and food services, are also eligible if they employ no more than 500 people per physical location. Sole proprietorships, independent contractors, and self-employed individuals are also eligible. It is unclear as of what date the size test will be applied, but historically, SBA size tests have been applied on the date of application for financing. More information on the NAICS-Code-based size standards can be found here

Borrowers are required to provide a good faith certification that the loan is necessary due to economic conditions brought about because of COVID-19 and that the borrower will use the funds to retain workers, maintain payroll and pay utilities, lease and/or mortgage payments.

The credit elsewhere test is waived under this program. 

Lenders shall base their underwriting on whether a business was operational on February 15, 2020, and had employees for whom it was responsible for or paid for services from an independent contractor. The legislation has directed lenders not to base their determinations on repayment ability at the present time because of the effects of COVID-19.

Applicants for SBA loan programs, including PPP loans, typically must include their affiliates when applying size tests to determine eligibility. That means that employees of other businesses under common control would count toward the maximum number of permitted employees. A business that is controlled by a private equity sponsor would likely be deemed an affiliate of the other businesses controlled by that sponsor and could thus be ineligible for PPP loans. However, the CARES Act waives the affiliation requirement for the following applicants:  

  1. Businesses within NAICS Code 72 with no more than 500 employees
  2. Franchises with codes assigned by the SBA, as reflected on the SBA franchise registry
  3. Businesses that receive financial assistance from one or more small business investment companies (SBIC) 

Basic terms

  • Loan amount
    Lesser of $10 million or 2.5 times the applicant’s average monthly payroll costs of the business over the year prior to the making of the loan (practically, this may become the year prior to the loan application), excluding the prorated portion of any annual compensation above $100,000 for any person. Note that under the CARES Act, “payroll costs” include vacation, parental, family, medical, and sick leave; allowances for dismissal or separation; payments for group health care benefits, including insurance premiums; and retirement benefits. Calculations vary slightly for seasonal businesses and businesses that were not in operation between February 15 and June 30, 2019. To the extent that a SBA Disaster Loan was used for a purpose other than those permitted for PPP Loans, the Disaster Loans may be refinanced with proceeds of PPP loans, in which case the maximum available PPP loan amount is increased by the amount of the Disaster Loans being refinanced. 
  • Maximum term
    Payments will be deferred for a minimum of 6 months and a maximum of 12. SBA is directed to issue guidance on the terms of this deferral. Any portion of the PPP loan that is not forgiven (see below) on or before December 31, 2020, shall automatically be a term loan for a maximum of 10 years. For PPP loans, the SBA has waived prepayment penalties.
  • Fees
    SBA will waive the guaranty fee and annual fee applicable to other 7(a) loans. 
  • Interest rate
    Maximum rate of 4%.
  • Collateral
    The standard requirements of collateral and a personal guaranty are waived under this program. Accordingly, there will be no recourse to owners or borrowers for nonpayment, except to the extent proceeds are used for an unauthorized purpose.
  • Use of proceeds
    This loan can be used for: (i) payroll support, excluding the prorated portion of any compensation above $100,000 per year for any person; (ii) group healthcare benefits costs and insurance premiums; (iii) mortgage interest (but not prepayments or principal payments) and rent payments incurred in the ordinary course of business, and (iv) utility payments. 
  • Forgiveness
    A borrower will be eligible for loan forgiveness related to a PPP loan in an amount equal to 8 weeks of payroll costs, and the interest on mortgage payments (not principal) made in the ordinary course of business, rent payments, or utility payments so long as all payments were obligations of the borrower prior to February 15, 2020. Payroll costs are limited to compensation for a single employee to be no more than $100,000 in wages and the amount of forgiveness cannot exceed the principal loan amount. 

    The amount of loan forgiveness will be reduced proportionally by any reduction in the borrower’s workforce, based on the full-time equivalent employees versus the period from either February 15, 2019, through June 30, 2019, or January 1, 2020, through February 29, 2020, as selected by the borrower, or a reduction of more than 25% of any employee’s compensation, measured against the most recent full quarter. If a borrower has already had to lay off employees due to COVID-19, employers are encouraged to rehire them by not being penalized for having a reduced payroll at the beginning of the covered period, which means the initial 8 week period after the loan’s origination date. 

    Accordingly, reductions in the number of employees or compensation occurring between February 15, 2020, and 30 days after enactment of the CARES Act will generally be ignored to the extent reversed by June 30, 2020. Any additional wages that may be paid to tipped workers are also covered in the calculation of payroll forgiveness. Borrowers must keep accurate records and document their payments because lenders will need to verify the payments to allow for loan forgiveness. Borrowers will not have to include any forgiven indebtedness as taxable income. 

Applying
A company needs to apply on or before June 30, 2020, with a lender who is currently approved as a 7(a) lender or who is approved by the SBA and the Treasury Department to become a PPP lender. PPP lenders have delegated authority to make and approve PPP loan, with no additional SBA approval required. 

There are certain portions of the CARES Act that require SBA to provide further guidance so there may be some slight changes to the rules and procedures as best practices present themselves. 

We recommend contacting existing 7(a) lenders as soon as possible to learn what you will need to provide for underwriting and approving a PPP loan. 

We are here to help
Please contact a BerryDunn professional if you have any questions, or would like to discuss your specific situation.

Blog
Impact of CARES Act on SBA loans

On March 27, 2020, President Trump signed into law the Coronavirus Aid, Relief and Economic Security (CARES) Act, which provides relief to taxpayers affected by the novel coronavirus and COVID-19. The CARES Act is the third round of federal government aid related to COVID-19. We have summarized the top provisions in the new legislation below, with more detailed alerts on individual provisions to follow. Click here for a link to the full text of the bill.

Compensation, benefits, and payroll relief
The law temporarily increases the amount of and expands eligibility for unemployment benefits, and it provides relief for workers who are self-employed. Additionally, several provisions assist certain employers who keep employees on payroll even though the employees are not able or needed to work. 

The cornerstone of the payroll protection aid is a streamlined application process for SBA loans that can be forgiven if an eligible employer maintains its workforce at certain levels. 

Additionally, certain employers affected by the pandemic who retain their employees will receive a credit against payroll taxes for 50% of eligible employee wages paid or incurred from March 13 to December 31, 2020. This employee retention credit would be provided for as much as $10,000 of qualifying wages, including health benefits. Eligible employers may defer remitting employer payroll tax payments that remain due for 2020 (after the credits are deducted), with half being due by December 31, 2021, and the balance due by December 31, 2022. 

Employers with fewer than 500 employees are also allowed to give terminated employees access to the mandated paid federal sick and child care leave benefits for which the employer is 100% reimbursed by the government through payroll tax credits, if the employer rehires the qualifying employees.

Any benefit that is driven off the definition of “employee” raises the issue of partner versus employee. The profits interest member that is receiving a W-2 may not be eligible for inclusion in the various benefit computations.

Eligible individuals can withdraw vested amounts up to $100,000 during 2020 without a 10% early distribution penalty, and income inclusion can be spread over three years. Repayment of distributions during the next three years will be treated as tax-free rollovers of the distribution. The bill also makes it easier to borrow money from 401(k) accounts, raising the limit to $100,000 from $50,000 for the first 180 days after enactment, and the payment dates for any loans due the rest of 2020 would be extended for a year.

Individuals do not have to take their 2020 required minimum distributions from their retirement funds. This avoids lost earnings power on the taxes due on distributions and maximizes the potential gain as the market recovers.

Two long-awaited provisions allow employers to assist employees with college loan debt through tax free payments up to $5,250 and restores over-the-counter medical supplies as permissible expenses that can be reimbursed through health care flexible spending accounts and health care savings accounts.

Deferral of net business losses for three years
Section 461(l) limits non-corporate taxpayers in their use of net business losses to offset other sources of income. As enacted in 2017, this limitation was effective for taxable years beginning after 2017 and before 2026, and applied after the basis, at-risk, and passive activity loss limitations. The amount of deductible net business losses is limited to $500,000 for married taxpayers filing a joint return and $250,000 for all other taxpayers. These amounts are indexed for inflation after 2018 (to $518,000 and $259,000, respectively, in 2020). Excess business losses are carried forward to the next succeeding taxable year and treated as a net operating loss in that year.

The CARES Act defers the effective date of Section 461(l) for three years, but also makes important technical corrections that will become effective when the limitation on excess business losses once again becomes applicable. Accordingly, net business losses from 2018, 2019, or 2020 may offset other sources of income, provided they are not otherwise limited by other provisions that remain in the Code. Beginning in 2021, the application of this limitation is clarified with respect to the treatment of wages and related deductions from employment, coordination with deductions under Section 172 (for net operating losses) or Section 199A (relating to qualified business income), and the treatment of business capital gains and losses.

Section 163(j) amended for taxable years beginning in 2019 and 2020
The CARES Act amends Section 163(j) solely for taxable years beginning in 2019 and 2020. With the exception of partnerships, and solely for taxable years beginning in 2019 and 2020, taxpayers may deduct business interest expense up to 50% of their adjusted taxable income (ATI), an increase from 30% of ATI under the TCJA, unless an election is made to use the lower limitation for any taxable year. Additionally, for any taxable year beginning in 2020, the taxpayer may elect to use its 2019 ATI for purposes of computing its 2020 Section 163(j) limitation. 

This will benefit taxpayers who may be facing reduced 2020 earnings as a result of the business implications of COVID-19. As such, taxpayers should be mindful of elections on their 2019 return that could impact their 2019 and 2020 business interest expense deduction. With respect to partnerships, the increased Section 163(j) limit from 30% to 50% of ATI only applies to taxable years beginning in 2020. However, in the case of any excess business interest expense allocated from a partnership for any taxable year beginning in 2019, 50% of such excess business interest expense is treated as not subject to the Section 163(j) limitation and is fully deductible by the partner in 2020. The remaining 50% of such excess business interest expense shall be subject to the limitations in the same manner as any other excess business interest expense so allocated. Each partner has the ability, under regulations to be prescribed by Treasury, to elect to have this special rule not applied. No rules are provided for application of this rule in the context of tiered partnership structures.

Net operating losses carryback allowed for taxable years beginning in 2018 and before 2021
The CARES Act provides for an elective five-year carryback of net operating losses (NOLs) generated in taxable years beginning after December 31, 2017, and before January 1, 2021. Taxpayers may elect to relinquish the entire five-year carryback period with respect to a particular year’s NOL, with the election being irrevocable once made. In addition, the 80% limitation on NOL deductions arising in taxable years beginning after December 31, 2017, has temporarily been pushed to taxable years beginning after December 31, 2020. 

Several ambiguities in the application of Section 172 arising as a result of drafting errors in the Tax Cuts and Jobs Act have also been corrected. As certain benefits (i.e., charitable contributions, Section 250 “GILTI” deductions, etc.) may be impacted by an adjustment to taxable income, and therefore reduce the effective value of any NOL deduction, taxpayers will have to determine whether to elect to forego the carryback. Moreover, the bill provides for two special rules for NOL carrybacks to years in which the taxpayer included income from its foreign subsidiaries under Section 965. Please consider the impact of this interaction with your international tax advisors. 

However, given the potential offset to income taxed under a 35% federal rate, and the uncertainty regarding the long-term impact of the COVID-19 crisis on future earnings, it seems likely that most companies will take advantage of the revisions. This is a technical point, but while the highest average federal rate was 35% before 2018, the highest marginal tax rate was 38.333% for taxable amounts between $15 million and $18.33 million. This was put in place as part of our progressive tax system to eliminate earlier benefits of the 34% tax rate. Companies may wish to revisit their tax accounting methodologies to defer income and accelerate deductions in order to maximize their current year losses to increase their NOL carrybacks to earlier years.

Alternative minimum tax credit refunds
The CARES Act allows the refundable alternative minimum tax credit to be completely refunded for taxable years beginning after December 31, 2018, or by election, taxable years beginning after December 31, 2017. Under the Tax Cuts and Jobs Act, the credit was refundable over a series of years with the remainder recoverable in 2021.

Technical correction to qualified improvement property
The CARES Act contains a technical correction to a drafting error in the Tax Cuts and Jobs Act that required qualified improvement property (QIP) to be depreciated over 39 years, rendering such property ineligible for bonus depreciation. With the technical correction applying retroactively to 2018, QIP is now 15-year property and eligible for 100% bonus depreciation. This will provide immediate current cash flow benefits and relief to taxpayers, especially those in the retail, restaurant, and hospitality industries. Taxpayers that placed QIP into service in 2019 can claim 100% bonus depreciation prospectively on their 2019 return and should consider whether they can file Form 4464 to quickly recover overpayments of 2019 estimated taxes. Taxpayers that placed QIP in service in 2018 and that filed their 2018 federal income tax return treating the assets as bonus-ineligible 39-year property should consider amending that return to treat such assets as bonus-eligible. For C corporations, in particular, claiming the bonus depreciation on an amended return can potentially generate NOLs that can be carried back five years under the new NOL provisions of the CARES Act to taxable years before 2018 when the tax rates were 35%, even though the carryback losses were generated in years when the tax rate was 21%. With the taxable income limit under Section 172(a) being removed, an NOL can fully offset income to generate the maximum cash refund for taxpayers that need immediate cash. Alternatively, in lieu of amending the 2018 return, taxpayers may file an automatic Form 3115, Application for Change in Accounting Method, with the 2019 return to take advantage of the new favorable treatment and claim the missed depreciation as a favorable Section 481(a) adjustment.

Effects of the CARES Act at the state and local levels
As with the Tax Cuts and Jobs Act, the tax implications of the CARES Act at the state level first depends on whether a state is a “rolling” Internal Revenue Code (IRC) conformity state or follows “fixed-date” conformity. For example, with respect to the modifications to Section 163(j), rolling states will automatically conform, unless they specifically decouple (but separate state ATI calculations will still be necessary). However, fixed-date conformity states will have to update their conformity dates to conform to the Section 163(j) modifications. 

A number of states have already updated during their current legislative sessions (e.g., Idaho, Indiana, Maine, Virginia, and West Virginia). Nonetheless, even if a state has updated, the effective date of the update may not apply to changes to the IRC enacted after January 1, 2020 (e.g., Arizona). 

A number of other states have either expressly decoupled from Section 163(j) or conform to an earlier version and will not follow the CARES Act changes (e.g., California, Connecticut, Georgia, Missouri, South Carolina, Tennessee (starting in 2020), Wisconsin). Similar considerations will apply to the NOL modifications for states that adopted the 80% limitation, and most states do not allow carrybacks. Likewise, in fixed-dated conformity states that do not update, the Section 461(l) limitation will still apply resulting in a separate state NOL for those states. 

These conformity questions add another layer of complexity to applying the tax provisions of the CARES Act at the state level. Further, once the COVID-19 crisis is past, rolling IRC conformity states must be monitored, as these states could decouple from these CARES Act provisions for purposes of state revenue.

2020 recovery refund checks for individuals
The CARES Act provides eligible individuals with a refund check equal to $1,200 ($2,400 for joint filers) plus $500 per qualifying child. The refund begins to phase out if the individual’s adjusted gross income (AGI) exceeds $75,000 ($150,000 for joint filers and $112,500 for head of household filers). The credit is completely phased out for individuals with no qualifying children if their AGI exceeds $99,000 ($198,000 for joint filers and $136,500 for head of household filers).

Eligible individuals do not include nonresident aliens, individuals who may be claimed as a dependent on another person’s return, estates, or trusts. Eligible individuals and qualifying children must all have a valid social security number. For married taxpayers who filed jointly with their most recent tax filings (2018 or 2019) but will file separately in 2020, each spouse will be deemed to have received one half of the credit.

A qualifying child (i) is a child, stepchild, eligible foster child, brother, sister, stepbrother, or stepsister, or a descendent of any of them, (ii) under age 17, (iii) who has not provided more than half of their own support, (iv) who has lived with the taxpayer for more than half of the year, and (v) who has not filed a joint return (other than only for a claim for refund) with the individual’s spouse for the taxable year beginning in the calendar year in which the taxable year of the taxpayer begins.

The refund is determined based on the taxpayer’s 2020 income tax return but is advanced to taxpayers based on their 2018 or 2019 tax return, as appropriate. If an eligible individual’s 2020 income is higher than the 2018 or 2019 income used to determine the rebate payment, the eligible individual will not be required to pay back any excess rebate. However, if the eligible individual’s 2020 income is lower than the 2018 or 2019 income used to determine the rebate payment such that the individual should have received a larger rebate, the eligible individual will be able to claim an additional credit generally equal to the difference of what was refunded and any additional eligible amount when they file their 2020 income tax return.

Individuals who have not filed a tax return in 2018 or 2019 may still receive an automatic advance based on their social security benefit statements (Form SSA-1099) or social security equivalent benefit statement (Form RRB-1099). Other individuals may be required to file a return to receive any benefits.

The CARES Act provides that the IRS will make automatic payments to individuals who have previously filed their income tax returns electronically, using direct deposit banking information provided on a return any time after January 1, 2018.

Charitable contributions

  • Above-the-line deductions: Under the CARES Act, an eligible individual may take a qualified charitable contribution deduction of up to $300 against their AGI in 2020. An eligible individual is any individual taxpayer who does not elect to itemize his or her deductions. A qualified charitable contribution is a charitable contribution (i) made in cash, (ii) for which a charitable contribution deduction is otherwise allowed, and (iii) that is made to certain publicly supported charities.

    This above-the-line charitable deduction may not be used to make contributions to a non-operating private foundation or to a donor advised fund.
  • Modification of limitations on cash contributions: Currently, individuals who make cash contributions to publicly supported charities are permitted a charitable contribution deduction of up to 60% of their AGI. Any such contributions in excess of the 60% AGI limitation may be carried forward as a charitable contribution in each of the five succeeding years.

    The CARES Act temporarily suspends the AGI limitation for qualifying cash contributions, instead permitting individual taxpayers to take a charitable contribution deduction for qualifying cash contributions made in 2020 to the extent such contributions do not exceed the excess of the individual’s contribution base over the amount of all other charitable contributions allowed as a deduction for the contribution year. Any excess is carried forward as a charitable contribution in each of the succeeding five years. Taxpayers wishing to take advantage of this provision must make an affirmative election on their 2020 income tax return.

    This provision is useful to taxpayers who elect to itemize their deductions in 2020 and make cash contributions to certain public charities. As with the aforementioned above-the-line deduction, contributions to non-operating private foundations or donor advised funds are not eligible.

    For corporations, the CARES Act temporarily increases the limitation on the deductibility of cash charitable contributions during 2020 from 10% to 25% of the taxpayer’s taxable income. The CARES Act also increases the limitation on deductions for contributions of food inventory from 15% to 25%.

We are here to help
Please contact a BerryDunn professional if you have any questions, or would like to discuss your specific situation.

Blog
The CARES Act: Implications for businesses

On March 18, 2020, the SBA issued relaxed criteria for Economic Injury Disaster Loans (EIDLs).

The two immediate impacts:

  • States are now only required to certify that a minimum of five small businesses within the state/territory have suffered significant economic injury, as opposed to proof of five small businesses within each reporting county/parish.
  • Prior regulation only made disaster assistance loans available to small businesses within counties declared disaster areas by a governor. Relaxed standards state the EIDLs will be available statewide following an economic injury declaration. This applies to current and future disaster declarations related to COVID-19.

Some SBA loan specifics:

  • EIDL amounts range from $25,000 to $2,000,000, at interest rates of 3.75% for small businesses and 2.75% for not-for-profits.
  • Companies can use the loans to pay bills that can’t be paid due to the disaster’s impact, including but not limited to fixed debts, payroll, and accounts payable.
  • Loan terms are determined on a case-by-case basis, based on the borrower’s ability to repay. SBA is offering repayment terms up to a maximum of 30 years.
  • EIDLs are one facet of an expanded and coordinated federal government response.

Small businesses in need of economic assistance may apply for an EIDL here. We will update as more information becomes available.

If you have questions about SBA loans, please contact your BerryDunn tax consultant
 

Blog
Small Business Administration (SBA) eases criteria for disaster loans

In early March 2020, the US Department of Education (ED) issued a Dear Colleague Letter, “Guidance for interruptions of study related to Coronavirus (COVID-19),” posting a subsequent update March 20 to include the document “Frequently Asked Questions Related to COVID-19.” The information below has been excerpted directly from the letter and compiled with the needs of our higher education clients in mind.

This electronic announcement addresses concerns regarding how higher education leaders should comply with Title IV, Higher Education Act (HEA) policies for students whose activities are impacted by the coronavirus and COVID-19:

  • Either directly because the student is ill or quarantined, or 
  • Indirectly because the student was recalled from travel-abroad experiences, can no longer participate in internships or clinical rotations, or attends a campus that has temporarily suspended operations.

This information provides some flexibility for schools working to help students complete the term in which they are currently enrolled. Some of the most important changes to note:

  • Federal Work Study (FWS)
    For students enrolled and performing FWS at a campus that must close due to COVID-19, or for a FWS student who works for an employer that closes as a result of COVID-19, the institution may continue paying the student federal work-study wages during that closure if it occurred after the beginning of the term, the institution is continuing to pay its other employees (including faculty and staff), and the institution continues to meet its institutional wage share requirement.
  • Length of academic year
    If at any point an institution determines it will close as the result of a campus health emergency, it may contact the school participation team to request a temporary reduction in the length of its academic year.
  • Professional judgement
    Financial aid administrators (FAA) have statutory authority to use professional judgement to make adjustments on a case-by-case basis to the cost of attendance or to the data elements used in calculating the EFC to reflect a student’s special circumstances. The use of professional judgement where students and/or their families have been affected by COVID-19 is permitted, such as in the case where an employer closes for a period of time as a result of COVID-19. 
  • Reentering the same payment period
    If an institution that has closed subsequently re-opens during the same payment period or period of enrollment, and permits students to continue coursework that they were taking at the time of the closure, students that return to class at that time are considered to have reentered the same period and retain eligibility for Title IV aid that they were otherwise eligible to receive before the closure.

We highly recommend you read the full letter, as it outlines additional important details and includes recently added FAQ documents.

Questions? Please contact Renee Bishop, Sarah Belliveau, or Mark LaPrade. We’re here to help.

For further reading
Guidance for interruptions of study related to Coronavirus (COVID-19) 
FAQs
COVID-19 ("Coronavirus") Information and Resources for Schools and School Personnel
 

Blog
Guidance from the US Department of Education Dear Colleague Letter

The President signed The Families First Coronavirus Response Act (hereinafter the “Act”) into law on March 18th and the provisions are effective April 2nd. You can read the congressional summary here. There are two provisions of the Act that deal with paid leave provisions for employees. Here are some highlights for employers.

The provisions of the Act are only required for employers with fewer than 500 employees. Employers with over 499 employees are not required to provide the sick/family leave contained in the Act, but could voluntarily elect to follow the new rules. The expectation is that employers with over 499 employees are providing some level of sick/family leave benefits already. In any case, employers with over 499 employees are not eligible for the tax credits. 

Employers with fewer than 500 employees are required to provide employees with up to 80 hours of paid sick leave over a two-week period if the employee:

  • Self-isolates because of a diagnosis with COVID-19, or to comply with a recommendation or order to quarantine;
  • Obtains a medical diagnosis or care if the employee is experiencing COVID-19 symptoms;
  • Needs to care for a family member who is self-isolating due to a COVID-19 diagnosis or quarantining due to COVID-19 symptoms; or
  • Is caring for a child whose school has closed, or childcare provider is unavailable, due to COVID-19.

These rules apply to all employees regardless of the length of time they have worked for the employer. The 80-hours would be pro-rated for those employees who do not normally work a 40-hour week. 

Employees who take leave because they themselves are sick (i.e., the first two bullets above) can receive up to $511 per day, with an aggregate limit of $5,110. If, on the other hand, an employee takes leave to care for a child or other family member (i.e., the last two bullets above), the employee will be paid two-thirds (2/3) of their regular weekly wages up to a maximum of $200 per day, with an aggregate limit of $2,000.

Days when an individual receives pay from their employer (regular wages, sick pay, or other paid time off) or unemployment compensation do not count as leave days for the purposes of this benefit.

Family and Medical Leave Act

Employees who have been employed for at least 30-days also have the right to take up to 12 weeks of job-protected leave under the Family and Medical Leave Act (FMLA). The Act requires that 10 of these 12 weeks (i.e., after the sick leave discussed above is taken) be paid at a rate of no less than two-thirds of the employee’s usual rate of pay. Any leave taken under this portion of the ACT will be limited to $200 per day with an aggregate limit of $10,000.

Exemptions

The Secretary of Labor has the authority to issue regulations exempting: (1) certain healthcare providers and emergency responders from taking leave under the Act; and (2) small businesses with fewer than 50 employees from the requirements of the Act if it would jeopardize the viability of the business.

Expiration

The provisions of the Act are set to expire on December 31, 2020, and unused time will not carry over from one year to the next.

Tax credits 

The Act provides for refundable tax credits to help an employer cover the costs associated with providing paid emergency sick leave or paid FMLA. The tax credits work as follows:

  • A refundable tax credit for employers equal to 100 percent of qualified family leave wages paid under the Act.
  • A refundable tax credit for employers equal to 100 percent of qualified paid sick leave wages paid under the Act. 
  • The tax credits are taken on Form 941 – Employer’s Quarterly Federal Income Tax Return filed for the calendar quarter when the leave is taken and reduce the employer’s portion of the Social Security taxes due. If the credit exceeds the employer’s total liability for Social Security taxes for all employees for any calendar quarter, the excess credit is refundable to the employer.

For more information

We are here to help. Please contact our benefit plan consultants if you have any questions or would like to discuss your specific situation. 

Blog
Highlights of the recently passed paid sick and family leave act: What you need to know

Editor’s note: Please read this if you are a not-for-profit board member, CFO, or any other decision maker within a not-for-profit.

In a time where not-for-profit (NFP) organizations struggle with limited resources and a small back office, it is important not to overlook internal audit procedures. Over the years, internal audit departments have been one of the first to be cut when budgets are tight. However, limited resources make these procedures all the more important in safeguarding the organization’s assets. Taking the time to perform strategic internal audit procedures can identify fraud, promote ethical behavior, help to monitor compliance, and identify inefficiencies. All of these lead to a more sustainable, ethical, and efficient organization. 

Internal audit approaches

The internal audit function can take on many different forms, depending on the size of the organization. There are options between the dedicated internal audit department and doing nothing whatsoever. For example:

  • A hybrid approach, where specific procedures are performed by an internal team, with other procedures outsourced. 
  • An ad hoc approach, where the board or management directs the work of a staff member.

The hybrid approach will allow the organization to hire specialists for more technical tasks, such as an in-depth financial analysis or IT risk assessment. It also recognizes internal staff may be best suited to handle certain internal audit functions within their scope of work or breadth of knowledge. This may add costs but allows you to perform these functions otherwise outside of your capacity without adding significant burden to staff. 

The ad hoc approach allows you to begin the work of internal audit, even on a small scale, without the startup time required in outsourcing the work. This approach utilizes internal staff for all functions directed by the board or management. This leads to the ad-hoc approach being more budget friendly as external consultants don’t need to be hired, though you will have to be wary of over burdening your staff.

With proper objectivity and oversight, you can perform these functions internally. To bring the process to your organization, first find a champion for the project (CFO, controller, compliance officer, etc.) to free up staff time and resources in order to perform these tasks and to see the work through to the end. Other steps to take include:

  1. Get the audit/finance committee on board to help communicate the value of the internal audit and review results of the work
  2. Identify specific times of year when these processes are less intrusive and won’t tax staff 
  3. Get involved in the risk management process to help identify where internal audit can best address the most significant risks at the organization
  4. Leverage others who have had success with these processes to improve process and implementation
  5. Create a timeline and maintain accountability for reporting and follow up of corrective actions

Once you have taken these steps, the next thing to look at (for your internal audit process) is a thoughtful and thorough risk assessment. This is key, as the risk assessment will help guide and focus the internal audit work of the organization in regard to what functions to prioritize. Even a targeted risk assessment can help, and an organization of any size can walk through a few transaction cycles (gift receipts or payroll, for example) and identify a step or two in the process that can be strengthened to prevent fraud, waste, and abuse.  

Here are a few examples of internal audit projects we have helped clients with:

  • Payroll analysis—in-depth process mapping of the payroll cycle to identify areas for improvement
  • Health and education facilities performance audit—analysis of various program policies and procedures to optimize for compliance
  • Agreed upon procedures engagement—contract and invoice/timesheet information review to ensure proper contractor selection and compliant billing and invoicing procedures 

Internal audits for companies of all sizes

Regardless of size, your organization can benefit from internal audit functions. Embracing internal audit will help increase organizational resilience and the ability to adapt to change, whether your organization performs internal audit functions internally, outsources them, or a combination of the two. For more information about how your company can benefit from an internal audit, or if you have questions, contact us

Blog
Internal audit potential for not-for-profit organizations

Editor's note: read this if you are a CFO, controller, accountant, or business manager.

We auditors can be annoying, especially when we send multiple follow-up emails after being in the field for consecutive days. Over the years, we have worked with our clients to create best practices you can use to prepare for our arrival on site for year-end work. Time and time again these have proven to reduce follow-up requests and can help you and your organization get back to your day-to-day operations quickly. 

  1. Reconcile early and often to save time.
    Performing reconciliations to the general ledger for an entire year's worth of activity is a very time consuming process. Reconciling accounts on a monthly or quarterly basis will help identify potential variances or issues that need to be investigated; these potential variances and issues could be an underlying problem within the general ledger or control system that, if not addressed early, will require more time and resources at year-end. Accounts with significant activity (cash, accounts receivable, investments, fixed assets, accounts payable and accrued expenses and debt), should be reconciled on a monthly basis. Accounts with less activity (prepaids, other assets, accrued expenses, other liabilities and equity) can be reconciled on a different schedule.
  2. Scan the trial balance to avoid surprises.
    As auditors, one of the first procedures we perform is to scan the trial balance for year-over-year anomalies. This allows us to identify any significant irregularities that require immediate follow up. Does the year-over-year change make sense? Should this account be a debit balance or a credit balance? Are there any accounts with exactly the same balance as the prior year and should they have the same balance? By performing this task and answering these questions prior to year-end fieldwork, you will be able to reduce our follow up by providing explanations ahead of time or by making correcting entries in advance, if necessary. 
  3. Provide support to be proactive.
    On an annual basis, your organization may go through changes that will require you to provide us documented contractual support.  Such events may include new or a refinancing of debt, large fixed asset additions, new construction, renovations, or changes in ownership structure.  Gathering and providing the documentation for these events prior to fieldwork will help reduce auditor inquiries and will allow us to gain an understanding of the details of the transaction in advance of performing substantive audit procedures. 
  4. Utilize the schedule request to stay organized.
    Each member of your team should have a clear understanding of their role in preparing for year-end. Creating columns on the schedule request for responsibility, completion date and reviewer assigned will help maintain organization and help ensure all items are addressed and available prior to arrival of the audit team. 
  5. Be available to maximize efficiency. 
    It is important for key members of the team to be available during the scheduled time of the engagement.  Minimizing commitments outside of the audit engagement during on site fieldwork and having all year-end schedules prepared prior to our arrival will allow us to work more efficiently and effectively and help reduce follow up after fieldwork has been completed. 

Careful consideration and performance of these tasks will help your organization better prepare for the year-end audit engagement, reduce lingering auditor inquiries, and ultimately reduce the time your internal resources spend on the annual audit process. See you soon. 

Blog
Save time and effort—our list of tips to prepare for year-end reporting

Editor’s note: read this if you work for, or are affiliated with, a charitable organization that receives donations. Even the most mature nonprofit organizations may miss one of these filings once in a while. Some items (e.g., the donor acknowledgement letter) may feel commonplace, but a refresher—especially at a particularly busy time of the year as it pertains to giving—can fend off fines.

As the holiday season is now in full swing, the season of giving is also upon us. Perhaps not surprisingly, the month of December is by far the most charitable month of the year, accounting for almost one-third of all charitable gifts made annually. And with all that giving comes the requirement of charitable organizations to provide donor acknowledgements, a formal “thank you” of the gift being received. Different gifts require differing levels of acknowledgement, and in some cases an additional IRS form (or two) may need to be filed. Doing some work now may save you time (and a fine or two) later. 

While children are currently busy making lists for Santa Claus, in the spirit of giving we present to you our list of donor acknowledgement requirements―and best practices―to help you gain control of this issue for the holiday season and beyond.

Donor acknowledgement letters

Charitable (i.e., 501(c)(3)) organizations are required to provide a donor acknowledgement letter to each donor contributing $250 or more to the organization, whether it be cash or non-cash items (i.e., publicly traded securities, real estate, artwork, vehicles, etc.) received. The letter should include the following: 

  1. Name of the organization
  2. Amount of cash contribution
  3. Description of non-cash items (but not the value) 
  4. Statement that no goods and services were provided (assuming this is the case)
  5. Description and good faith estimate of the value of goods and services provided by the organization in return for the contribution, if any
  6. Statement that goods or services provided by the organization in return for the contribution consisted entirely of intangible religious benefit, if any

It is not necessary to include either the donor’s social security number or tax identification number on the written acknowledgment and as a best practice should not be included in the letter.

In addition to including the elements above, the written acknowledgement is also required to be contemporaneous, that is, sent out in a timely fashion. According to the IRS, a donor must receive the acknowledgment by the earlier of:

  • The date on which the donor actually files his or her individual federal income tax return for the year of the contribution
  • The due date (including extensions) of the return in order to be considered contemporaneous

Quid pro quo disclosure statements

When a donor makes a payment greater than $75 to a charitable organization partly as a contribution and partly as a payment for goods and services, a disclosure statement is required to notify the donor of the value of the goods and services received in order for the donor to determine the charitable contribution component of their payment.

An example of this would be if the organization sold tickets to its annual fundraising dinner event. Assume the ticket costs $100 and at the event the ticketholder receives a dinner valued at $40. In this example, the donor’s tax deduction may not exceed $60. Because the donor’s payment (quid pro quo contribution) exceeds $75, the charitable organization must furnish a disclosure statement to the donor, even though the deductible amount doesn’t exceed $75.

It’s important to note that there are some exclusions to these requirements if the value received is considered to be de minimis (known as the Token Exception), but the value received needs to be relatively small (ex: receiving a coffee mug with a picture of the organization’s logo on it). Please consult your tax advisor for more details.

If the organization does not issue disclosure statements, the IRS can issue penalties of $10 per contribution, not to exceed $5,000 per fundraising event or mailing. An organization may be able to avoid the penalty if reasonable cause can be demonstrated.

Receiving or selling donated noncash property? Forms 8283 & 8282 may be required.

If a charitable organization receives noncash donations, it may be asked to sign Form 8283. This form is required to be filed by the donor and included with their personal income tax return. If a donor contributes noncash property (excluding publicly traded securities) valued at over $5,000, the organization will need to sign Form 8283, Section B, Part IV acknowledging receipt of the noncash item(s) received.

By signing Form 8283, the donee organization is not only acknowledging receipt, but is also affirming that if the property being received is sold, exchanged, or otherwise disposed of within three years of the original donation date, the organization will be required to file Form 8282. A copy of this form is filed with the IRS and must also be provided to the original donor. Form 8282 is not required for sales of donated publicly traded securities. The penalty for failure to file Form 8282 when required is generally $50 per form.

Cars, boats, and yes, even airplanes? That would be Form 1098-C.

An airplane? Yes, even an airplane can be donated, and the donee organization must file a separate Form 1098-C, Contributions of Motor Vehicles, Boats, and Airplanes, with the IRS for each contribution of a qualified vehicle that has a claimed value of more than $500. Contemporaneous written acknowledgement requirements apply here too, and Form 1098-C can act as acknowledgement for this purpose. An acknowledgment is considered contemporaneous if it is furnished to the donor no later than 30 days after the date of the contribution if you plan to use the item for a mission-related purpose, or 30 days after the date of the sale of the item to an unrelated third party.

Penalties for failure to provide contemporaneous written acknowledgement for qualified vehicles can be pretty stiff, generally calculated as a percentage of the sale price if sold, or a percentage of the claimed value if not sold. Should you have any questions or receive a request regarding any of the forms noted above, please consult your tax advisor.

As you can see, the rules around donor acknowledgements can seem a lot like Grandma’s fruitcake―complex and perhaps a bit on the nutty side. When issuing donor acknowledgements this holiday season and beyond, be sure to review the list above and check it twice. Doing so may end up keeping you off of the IRS’s naughty list!

Blog
Donor acknowledgements: We have to file what?

Editor's note: Read this if you are a CTO, CIO, or administrator at a college or university. This is the first blog in a series on business lessons and best practices from American literature. For this series, interviewees select from a list of American literary quotes through which to view, and discuss, their focus or industry. The goal? To generate some novel insight.

The interviewees: David Houle and Joseph Traino, consultants at BerryDunn
The focus: Higher education
The quote: “Our inventions are wont to be pretty toys . . . They are but improved means to an unimproved end.”  -- Henry David Thoreau, Walden; or, Life in the Woods

Thoreau wrote this shortly after the Industrial Revolution. How does its cynicism apply to higher education during the Digital Revolution?

David Houle (DH): It speaks to my basic philosophy about applying technology to the needs of higher education clients. I’m not a “technology for the sake of technology” cheerleader. 

Joseph Traino (JT): People often believe that applying new technology to a business problem is going to solve the business problem. That rarely happens. For example, most higher education clients have a student information system. These clients often feel that, in order to resolve certain issues, they should update the system software, whereas the issues are often resolved by updating business practices to be more efficient and effective. 

DH: Right. We are often brought in to identify needed technology changes but end up stressing practices, processes, and people. If staff can’t correctly use a new technology, then the technology will not provide a real, valuable service.

When implementing a new technology, what’s the #1 thing that a higher education institution can do to prevent or avoid “an unimproved end”?

JT: Fully understand the technology’s impact on stakeholders, such as students, faculty, and staff, and answer the “why?”

DH: Keep people in mind and gain their buy-in when making technology decisions.

What technology, or technology-related change, is going to have the biggest effect on higher education over the next five years?

DH: Clients love to ask us this question (laughs). And if I truly knew the answer, I’d be on some Caribbean island right now, filthy rich and sipping a piña colada. That said, I think the technology demands of the new workforce are going to have the biggest effect. To paraphrase the new workforce: “I don’t want to stare at a green screen. And what in the world is DOS?” Conversely, the personnel who used to support these homegrown, in-house “green screen” products want to retire and leave the workforce. 

JT: I agree that the demands of the new workforce will continue to affect higher education and steer institutions away from term-based courses and programs and toward more flexible, student-centric courses and programs. From a technology standpoint, I think AI and bots are going to replace many of the manual processes that we still see today in higher education. These new technologies will create greater efficiencies—but also possibly reduce jobs—at institutions.

DH: Higher education leaders with vision have already grasped this idea of cutting administrative costs wherever possible, because those costs are not what place students in seats—or in front of screens. On the flip side, advising is currently an underserved area in higher education. So there is an opportunity for leaders to reallocate administrative resources to fulfill advising roles and to help students—such as at-risk and first-generation students—not just in the classroom, but through their learning journey.

Circling back to the Thoreau quote, I’m sure many higher education staff fear technology will lead to “unimproved ends” for their careers. How do you navigate those fears when working with clients? 

JT: It’s certainly a challenge. We currently face some of those fears when working with IT departments—more services are being moved to the cloud, and there is less of a need for on-site database administrators and system administrators, as an example. Alluding to what Dave said about advising, I think many higher education jobs can be shifted to provide interactive high-tech, high-touch services to students.

DH: And to be blunt, some people don’t want to shift, don’t want to change. The people part is the most challenging part of technology adoption. 

In this discussion about technology, we keep returning to people—and the people side of change. Are higher education clients typically responsive to the concept of change management?

JT: There’s typically some reticence, and a lack of understanding about the value of change management. In most cases, change management requires an investment beyond the technology investment. But change management is key to success. 

DH: Reticence is a good word. Yet I do think that views about change management are changing rapidly. Higher education leaders who have been through a significant system or process change now seem to understand the value of change management and know that change management is a necessity, not a luxury. 

In the end, are you confident that new technology is going to benefit students and their educational goals? 

DH: I’m unsure if technology improves the quality of education. However, I am sure that technology increases the options for the delivery of education. And greater flexibility in education delivery is certainly beneficial, especially because the traditional student is now non-traditional. Ongoing and 24/7 access demands in education are here to stay.

JT: I agree with Dave wholeheartedly. I think technology will help improve the means to the end, but I’m not sure if technology is going to improve the end. Technology is just one part of the education equation. 
 

Blog
Technology ≠ Education

Editor's note: read this blog if you are a state liquor administrator or at the C-level in state government. 

Surprisingly, the keynote address to this year’s annual meeting of the National Alcohol Beverage Control Association (NABCA) featured few comments on, well, alcohol. 

Why? Because cannabis is now the hot topic in state government, as consumers await its legalization. While the thought of selling cannabis may seem foreign to some state administrators, many liquor agencies are―and should be―watching. The fact is, state liquor agencies are already equipped with expertise and the technology infrastructure needed to lawfully sell a controlled substance. This puts them in a unique position to benefit from the industry’s continued growth. Common technology includes enterprise resource planning (ERP) and point-of-sale (POS) systems.

ERP

State liquor agencies typically use an ERP system to integrate core business functions, including finance, human resources, and supply chain management. Whether the system is handling bottles of wine, cases of spirits, or bags of cannabis, it is capable of achieving the same business goals. 

The existing checks and balances on controlled substances like alcohol in their current ERP system translate well to cannabis products. This leads to an important point: state governments do not need to procure a new IT system solely for regulating cannabis.

By leveraging existing ERP systems, state liquor agencies can sidestep much of the time, effort, and expense of selecting, procuring, and implementing a new system solely for cannabis sales and management. In control states, where the state has exclusively control of alcohol sales, liquor agencies are often involved in every stage of product lifecycle, from procurement to distribution to retailing.

With a few modifications, the spectrum of business functions that control states require for liquor—procuring new product, communicating with vendors and brokers, tracking inventory, and analyzing sales—can work just as well for cannabis.

POS

POS systems are necessary for most retail stores. If a state liquor agency decides to sell cannabis products in stores, they can use a POS system to integrate with the agency’s ERP system, though store personnel may require training to help ensure compliance with related regulations.

Cannabis is cash only (for now)

There is one major difference in conducting liquor versus cannabis sales at any level: currently states conduct all cannabis sales in cash. With cannabis illegal on the federal level, major banks have opted to decline any deposit of funds earned from cannabis-related sales. While some community banks are conducting cannabis-related banking, many retailers selling recreational cannabis in places like Colorado and California still deal in cash. While risky and not without challenges, these transactions are possible and less onerous to federal regulators. 

Taxes 

As markets develop, monthly tax revenue collections from cannabis continue to grow. Colorado and California have found cannabis-related tax revenue a powerful tool in hedging against uncertainty in year-over-year cash flows. Similar to beer sold wholesale, which liquor agencies tax even in control states, cannabis can be taxed at multiple levels depending on the state’s business model.

E-commerce

Even with liquor, few state agencies have adopted direct-to-consumer online sales. However, as other industries continue shifting toward e-commerce and away from brick and mortar retailing, private sector competition will likely feed increased consumer demand for online sales. Similar to ERP and POS systems, states can increase revenue by selling cannabis through e-commerce sales channels. In today’s online retail world, many prefer to buy products from their computer or smart phone instead of shopping in stores. State agencies should consider selling cannabis via the web to maximize this revenue opportunity. 

Applying expertise in the systems and processes of alcoholic beverage control can translate into the sale and regulation of cannabis, easing the transition states face to this burgeoning industry. If your agency is considering bringing in cannabis under management, you should consider strategic planning sessions and even begin a change management approach to ensure your agency adapts successfully. 

Blog
Considering cannabis: how state liquor agencies can manage the growing industry

A version of this article was previously published on the Massachusetts Nonprofit Network

Editor’s note: while this blog is not technical in nature, you should read it if you are involved in IT security, auditing, and management of organizations that may participate in strategic planning and business activities where considerations of compliance and controls is required.

As we find ourselves in a fast-moving, strong business growth environment, there is no better time to consider the controls needed to enhance your IT security as you implement new, high-demand technology and software to allow your organization to thrive and grow. Here are five risks you need to take care of if you want to build or maintain strong IT security.

1. Third-party risk management―It’s still your fault

We rely daily on our business partners and vendors to make the work we do happen. With a focus on IT, third-party vendors are a potential weak link in the information security chain and may expose your organization to risk. However, though a data breach may be the fault of a third-party, you are still responsible for it. Potential data breaches and exposure of customer information may occur, leaving you to explain to customers and clients answers and explanations you may not have. 

Though software as a service (SaaS) providers, along with other IT third-party services, have been around for well over a decade now, we still neglect our businesses by not considering and addressing third-party risk. These third-party providers likely store, maintain, and access company data, which could potentially contain personally identifiable information (names, social security numbers, dates of birth, addresses), financial information (credit cards or banking information), and healthcare information of your customers. 

While many of the third-party providers have comprehensive security programs in place to protect that sensitive information, a study in 2017 found that 30% of data breaches were caused by employee error or while under the control of third-party vendors.1  This study reemphasizes that when data leaves your control, it is at risk of exposure. 

In many cases, procurement and contracting policies likely have language in contracts that already establish requirements for third-parties related to IT security; however the enforcement of such requirements and awareness of what is written in the contract is not enforced or is collected, put in a file, and not reviewed. What can you do about it?

Improved vendor management

It is paramount that all organizations (no matter their size) have a comprehensive vendor management program that goes beyond contracting requirements in place to defend themselves against third-party risk which includes:

  1. An inventory of all third-parties used and their criticality and risk ranking. Criticality should be assigned using a “critical, high, medium or low” scoring matrix. 
  2. At time of onboarding or RFP, develop a standardized approach for evaluating if potential vendors have sufficient IT security controls in place. This may be done through an IT questionnaire, review of a Systems and Organization Controls (SOC report) or other audit/certifications, and/or policy review. Additional research may be conducted that focuses on management and the company’s financial stability. 
  3. As a result of the steps in #2, develop a vendor risk assessment using a high, medium and low scoring approach. Higher risk vendors should have specific concerns addressed in contracts and are subject to more in depth annual due diligence procedures. 
  4. Reporting to senior management and/or the board annually on the vendors used by the organization, the services they perform, their risk, and ways the organization monitors the vendors. 

2. Regulation and privacy laws―They are coming 

2018 saw the implementation of the European Union’s General Data Privacy Regulation (GDPR) which was the first major data privacy law pushed onto any organization that possesses, handles, or has access to any citizen of EU’s personal information. Enforcement has started and the Information Commissioner’s Office has begun fining some of the world’s most famous companies, including substantial fines to Marriott International and British Airways of $125 million and $183 million Euros, respectively.2  Gone are the days where regulations lacked the teeth to force companies into compliance. 

With thanks to other major data breaches where hundreds of millions’ consumers private information was lost or obtained (e.g., Experian), more regulation is coming. Although there is little expectation of an American federal requirement for data protection, individual states and other regulating organizations are introducing requirements. Each new regulation seeks to protect consumer privacy but the specifics and enforcement of each differ. 

Expected to be most impactful in 2019 is the California Consumer Privacy Act,  which applies to organizations that handle, collect, or process consumer information and do business in the state of California (you do not have to be located in CA to be under the umbrella of enforcement).

In 2018, Maine passed the toughest law on telecommunications providers for selling consumer information. Massachusetts’ long standing privacy and data breach laws were amended with stronger requirements in January of 2019. Additional privacy and breach laws are in discussion or on the table for many states including Colorado, Delaware, Ohio, Oregon, Ohio, Vermont, and Washington, amongst others.      

Preparation and awareness are key

All organizations, no matter your line of business must be aware of and understand current laws and proposed legislation. New laws are expected to not only address the protection of customer data, but also employee information. All organizations should monitor proposed legislation and be aware of the potential enforceable requirements. The good news is that there are a lot of resources out there and, in most cases, legislative requirements allow for grace periods to allow organizations to develop a complete understanding of proposed laws and implement needed controls. 

3. Data management―Time to cut through the clutter 

We all work with people who have thousands of emails in their inbox (in some cases, dating back several years). Those users’ biggest fears may start to come to fruition―that their “organizational” approach of not deleting anything may come to an end with a simple email and data retention policy put in place by their employer. 

The amount of data we generate in a day is massive. Forbes estimates that we generate 2.5 quintillion bytes of data each day and that 90% of all the world’s data was generated in the last two years alone.3 While data is a gold mine for analytics and market research, it is also an increasing liability and security risk. 

Inc. Magazine says that 73% of the data we have available to us is not used.4 Within that data could be personally identifiable information (such as social security numbers, names, addresses, etc.); financial information (bank accounts, credit cards etc.); and/or confidential business data. That data is valuable to hackers and corporate spies and in many cases data’s existence and location is unknown by the organizations that have it. 

In addition to the security risk that all this data poses, it also may expose an organization to liability in the event of a lawsuit of investigation. Emails and other communications are a favorite target of subpoenas and investigations and should be deleted within 90 days (including deleted items folders). 

Take an inventory before you act

Organizations should first complete a full data inventory and understand what types of data they maintain and handle, and where and how they store that data. Next, organizations can develop a data retention policy that meets their needs. Utilizing backup storage media may be a solution that helps reduce the need to store and maintain a large amount of data on internal systems. 

4. Doing the basics right―The simple things work 

Across industries and regardless of organization size, the most common problem we see is the absence of basic controls for IT security. Every organization, no matter their size, should work to ensure they have controls in place. Some must-haves:

  • Established IT security policies
  • Routine, monitored patch management practices (for all servers and workstations)
  • Change management controls (for both software and hardware changes)
  • Anti-virus/malware on all servers and workstations
  • Specific IT security risk assessments 
  • User access reviews
  • System logging and monitoring 
  • Employee security training

Go back to the basics 

We often see organizations that focus on new and emerging technologies, but have not taken the time to put basic security controls in place. Simple deterrents will help thwarting hackers. I often tell my clients a locked car scares away most ill-willed people, but a thief can still smash the window.  

Smaller organizations can consider using third-party security providers, if they are not able to implement basic IT security measures. From our experience, small organizations are being held to the same data security and privacy expectations by their customers as larger competitors and need to be able to provide assurance that controls are in place.  

5. Employee retention and training 

Unemployment rates are at an all-time low, and the demand for IT security experts at an all-time high. In fact, Monster.com reported that in 2019 the unemployment rate for IT security professionals is 0%.5 

Organizations should be highly focused on employee retention and training to keep current employees up-to-speed on technology and security trends. One study found that only 15% of IT security professionals were not looking to switch jobs within one year.6  

Surprisingly, money is not the top factor for turnover―68% of respondents prioritized working for a company that takes their opinions seriously.6 

For years we have told our clients they need to create and foster a culture of security from the top down, and that IT security must be considered more than just an overhead cost. It needs to align with overall business strategy and goals. Organizations need to create designated roles and responsibilities for security that provide your security personnel with a sense of direction―and the ability to truly protect the organization, their people, and the data. 

Training and support goes a long way

Offering training to security personnel allows them to stay abreast of current topics, but it also shows those employees you value their knowledge and the work they do. You need to train technology workers to be aware of new threats, and on techniques to best defend and protect from such risks. 

Reducing turnover rate of IT personnel is critical to IT security success. Continuously having to retrain and onboard employees is both costly and time-consuming. High turnover impacts your culture and also hampers your ability to grow and expand a security program. 

Making the effort to empower and train all employees is a powerful way to demonstrate your appreciation and support of the employees within your organization—and keep your data more secure.  

Our IT security consultants can help

Ensuring that you have a stable and established IT security program in place by considering the above risks will help your organization adapt to technology changes and create more than just an IT security program, but a culture of security minded employees. 

Our team of IT security and control experts can help your organization create and implement controls needed to consider emerging IT risks. For more information, contact the team
 

Sources:
[1] https://iapp.org/news/a/surprising-stats-on-third-party-vendor-risk-and-breach-likelihood/  
[2] https://resources.infosecinstitute.com/first-big-gdpr-fines/
[3] https://www.forbes.com/sites/bernardmarr/2018/05/21/how-much-data-do-we-create-every-day-the-mind-blowing-stats-everyone-should-read/#458b58860ba9
[4] https://www.inc.com/jeff-barrett/misusing-data-could-be-costing-your-business-heres-how.html
[5] https://www.monster.com/career-advice/article/tech-cybersecurity-zero-percent-unemployment-1016
[6] https://www.securitymagazine.com/articles/88833-what-will-improve-cyber-talent-retention

Blog
Five IT risks everyone should be aware of

Editor’s note: If you are a higher education CFO, CIO, CTO or other C-suite leader, this blog is for you.

The Gramm-Leach-Bliley Act (GLBA) has been in the news recently as the Federal Trade Commission (FTC) has agreed to extend a deadline for public comment regarding proposed changes to the Safeguards Rule. Here’s what you need to know.

GLBA, also known as the Financial Modernization Act, is a 1999 federal law providing rules to financial institutions for protecting consumer information. Colleges and universities fall under this act because they conduct financial activities (e.g., administration of financial aid, loans, and other financial services).

Under the Safeguards Rule financial Institutions must develop, implement, and maintain a comprehensive information security program that consists of safeguards to handle customer information.

Proposed changes

The FTC is proposing five modifications to the Safeguards Rule. The new act will:

  • Provide more detailed guidance to impacted institutions regarding how to develop and implement specific aspects of an overall information security program.
  • Improve the accountability of an institution’s information security programs.
  • Exempt small business from certain requirements.
  • Expand the definition of “financial institutions” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities.
  • Propose to include the definition of “financial institutions” and related examples in the rule itself rather than cross-reference them from a related FTC rule (Privacy of Consumer Financial Information Rule).

Potential impacts for your institution

The Federal Register, Volume 84, Number 65, published the notice of proposed changes that once approved by the FTC would add more prescriptive rules that could have significant impact on your institution. For example, these rules would require institutions to:

  1. Expand existing security programs with additional resources.
  2. Produce additional documentation.
  3. Create and implement additional policies and procedures.
  4. Offer various forms of training and education for security personnel.

The proposed rules could require institutions to increase their commitment in time and staffing, and may create hardships for institutions with limited or challenging resources.

Prepare now

While these changes are not final and the FTC is requesting public comment, here are some things you can do to prepare for these potential changes:

  • Evaluate whether your institution is compliant to the current Safeguards Rule.
  • Identify gaps between current status and proposed changes.
  • Perform a risk assessment.
  • Ensure there is an employee designated to lead the information security program.
  • Monitor the FTC site for final Safeguard Rules updates.

In the meantime, reach out to us if you would like to discuss the impact GLBA will have on your institution or if you would like assistance with any of the recommendations above. You can view a comprehensive list of potential changes here.

Source: Federal Trade Commission. Safeguards Rule. Federal Register, Vol. 84, No. 65. FTC.gov. April 4, 2019. https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/safeguards-rule

Blog
Higher ed: GLBA is the new four-letter word, but it's not as bad as you think

Read this if you are a police executive, city/county administrator, or elected government official, responsible for a law enforcement agency. 

“We need more cops!”  

Do your patrol officers complain about being short-staffed or too busy, or that they are constantly running from call to call? Does your agency struggle with backed-up calls for service (CFS) or lengthy response times? Do patrol staff regularly find themselves responding to another patrol area to handle a CFS because the assigned officer is busy on another call? Are patrol officers denied leave time or training opportunities because of staffing issues? Does the agency routinely use overtime to cover predictable shift vacancies for vacations, holidays, or training? 

If one or more of these concerns sound familiar, you may need additional patrol resources, as staffing levels are often a key factor in personnel deployment challenges. Flaws in the patrol schedule design may also be responsible, as they commonly contribute to reduced efficiency and optimal performance, and design issues may be partially responsible for some of these challenges, regardless of authorized staffing levels.
 
With community expectations at an all-time high, and resource allocations remaining relatively flat, many agencies have growing concerns about managing increasing service volumes while controlling quality and building/maintaining public trust and confidence. Amid these concerns, agencies struggle with designing work schedules that efficiently and optimally deploy available patrol resources, as patrol staff become increasingly frustrated at what they consider a lack of staff.

The path to resolving inefficiencies in your patrol work schedule and optimizing the effective deployment of patrol personnel requires thoughtful consideration of several overarching goals:

  • Reducing or eliminating predictable overtime
  • Eliminating peaks and valleys in staffing due to scheduled leave
  • Ensuring appropriate staffing levels in all patrol zones or beats
  • Providing sufficient staff to manage multiple and priority CFS in patrol zones or beats
  • Satisfying both operational and staff needs, including helping to ensure a proper work/life balance and equitable workloads for patrol staff

Scheduling alternatives

One common design issue that presents an ongoing challenge for agencies is the continued use of traditional, balanced work schedules, which spread officer work hours equally over the year. Balanced schedules rely on over-scheduling and overtime to manage personnel allocation and leave needs and, by design, are very rigid. Balanced work schedules have been used for a very long time, not because they’re most efficient, but because they’re common, familiar, and easily understood―and because patrol staff are comfortable with them (and typically reluctant to change). However, short schedules offer a proven alternative to balanced patrol work schedules, and when presented with the benefits of an alternative work schedule design (e.g., increased access to back-up, ease of receiving time off or training, consistency in staffing, less mandatory overtime), many patrol staff are eager to change.

Short schedules

Short schedules involve a more contemporary design that includes a flexible approach that focuses on a more adaptive process of allocating personnel where and when they are needed. They are significantly more efficient than balanced schedules and, when functioning properly, they can dramatically improve personnel deployments, bring continuity to daily staffing, and reduce overtime, among other operational benefits. Given the current climate, most agencies are unlikely to receive substantial increases in personnel allocations. If that is true of your agency, it may be time to explore the benefits of alternative patrol work schedules.

A tool you can use

Finding scheduling strategies that work in this climate requires an intentional approach, customized to your agency’s characteristics (e.g., staffing levels, geographic factors, crime rates, zone/beat design, contract/labor rules). To help guide you through this process, BerryDunn has developed a free tool for evaluating patrol schedules. Click here to measure your patrol schedule against key design components and considerations.

If you are curious about alternative patrol work schedules, our dedicated justice and public Safety consultants are available to discuss your organization’s needs.

Blog
Efficient police patrol work schedules―By design

In light of the recent cyberattacks in higher education across the US, more and more institutions are finding themselves no longer immune to these activities. Security by obscurity is no longer an effective approach—all  institutions are potential targets. Colleges and universities must take action to ensure processes and documentation are in place to prepare for and respond appropriately to a potential cybersecurity incident.

BerryDunn’s Rick Gamache recently published several blog articles on incident response that are relevant to the recent cyberattacks. Below I have provided several of his points tailored to higher education leaders to help them prepare for cybersecurity incidents at their institutions.

What are some examples of incidents that managers need to prepare for?

Examples range from external breaches and insider threats to instances of malfeasance or incompetence. Different types of incidents lead to the same types of results—yet you can’t have a broad view of incidents. Managers should work with their teams to create incident response plans that reflect the threats associated with higher education institutions. A handful of general incident response plans isn’t going to cut it.

Managers need to work with their teams to develop a specific incident response plan for each specific type of incident. Why? Well, think of it this way: Your response to a careless employee should be different from your response to a malicious employee, for a whole host of legal reasons. Incident response is not a cookie-cutter process. In fact, it is quite the opposite. This is one of the reasons I highly suggest security teams include staff members outside of IT. When you’re responding to incidents, you want people who can look at a problem or situation from an external perspective, not just a technical or operational perspective within IT. These team members can help answer questions such as, what does the world see when they look at our institution? What institutional information might be valuable to, or targeted by, malicious actors? You’ll get some valuable fresh perspectives.

How short or long should the typical incident response plan be?

I often see good incident response plans no more than three or four pages in length. However, it is important that incident response plans are task oriented, so that it is clear who does what next. And when people follow an incident response plan, they should physically or digitally check off each activity, then record each activity.

What system or software do you recommend for recording incidents and responses?

There are all types of help desk software you can use, including free and open source software. I recommend using help desk software with workflow capabilities, so your team can assign and track tasks.

Any other tips for developing incident response plans?

First, managers should work with, and solicit feedback from across the academic and administrative areas within the institution when developing incident response plans. If you create these documents in a vacuum, they will be useless.

Second, managers and their teams should take their time and develop the most “solid” incident response plans possible. Don’t rush the process. The effectiveness of your incident response plans will be critical in assessing your institution’s ability to survive a breach. Because of this, you should be measuring your response plans through periodic testing, like conducting tabletop exercises.

Third, keep your students and external stakeholders in mind when developing these plans. You want to make sure external communications are consistent, accurate, and within the legal requirements for your institution. The last thing you want is students and stakeholders receiving conflicting messages about the incident. 

Are there any decent incident response plans in the public domain that managers and their teams can adapt for their own purposes?

Yes. My default reference is the National Institute of Standards and Technology (NIST). NIST has many special publications that describe the incident response process, how to develop a solid plan, and how to test your plan.

Should institutions have dedicated incident response teams?

Definitely. Institutions should identify and staff teams using internal resources. Some institutions may want to consider hiring a reputable third party to act as an incident response team. The key with hiring a third party? Don’t wait until an incident occurs! If you wait, you’re going to panic, and make panic-based decisions. Be proactive and hire a third party on retainer.

That said, institutions should consider hiring a third party on an annual basis to review incident response plans and processes. Why? Because every institution can grow complacent, and complacency kills. A third party can help gauge the strengths and weaknesses of your internal incident response teams, and provide suggestions for general or specific training. A third party can also educate your institution about the latest and greatest cyber threats.

Should managers empower their teams to conduct internal “hackathons” in order to test incident response?

Sure! It’s good practice, and it can be a lot of fun for team members. There are a few caveats. First, don’t call it a hackathon. The word can elicit negative or concerned reactions. Call it “active testing” or “continuous improvement exercises.” These activities allow team members to think creatively, and are opportunities for them to boost their cybersecurity knowledge. Second, be prepared for pushback. Some managers worry if team members gain more cybersecurity skills, then they’ll eventually leave the institution for another, higher-paying job. I think you should be committed to the growth of your team members―it’ll only make your institution more secure.

What are some best practices managers should follow when reporting incidents to their leadership?

Keep the update quick, brief, and to the point. Leave all the technical jargon out, and keep everything in an institutional context. This way leadership can grasp the ramifications of the event and understand what matters. Be prepared to outline how you’re responding and what actions leadership can take to support the incident response team and protect the institution. In the last chapter, I mentioned what I call the General Colin Powell method of reporting, and I suggest using that method when informing leadership. Tell them what you know, what you don’t know, what you think, and what you recommend. Have answers, or at least a plan.

How much institution-wide communication should there be about incidents?

That’s a great question, but a tough one to answer. Transparency is good, but it can also unintentionally lead to further incidents. Do you really want to let your whole institution know about an exploitable weakness? Also, employees can spread information about incidents on social media, which can actually lead to the spread of misinformation. If you are in doubt about whether or not to inform the entire institution about an incident, refer to your Legal Department. In general, institution-wide communication should be direct: We’ve had an incident; these are the facts; this is what you are allowed to say on social media; and this is what you’re not allowed to say on social media.

Another great but tough question: When do you tell the public about an incident? For this type of communication, you’re going to need buy-in from various sources: senior leadership, Legal, HR, and your PR team or external PR partners. You have to make sure the public messaging is consistent. Otherwise, citizens and the media will try to poke holes in your official story. And that can lead to even more issues.

What are the key takeaways for higher education leaders?

Here are key takeaways to help higher education leaders prepare for and respond appropriately to cybersecurity incidents:

  1. Understand your institution’s current cybersecurity environment. 
    Questions to consider: Do you have Chief Information Security Officer (CISO) and/or a dedicated cybersecurity team at your institution? Have you conducted the appropriate audits and assessments to understand your institution’s vulnerabilities and risks?
  2. Ensure you are prepared for cybersecurity incidents. 
    Questions to consider: Do you have a cybersecurity plan with the appropriate response, communication, and recovery plans/processes? Are you practicing your plan by walking through tabletop exercises? Do you have incident response teams?

Higher education continues to face growing threats of cybersecurity attacks – and it’s no longer a matter of if, but when. Leaders can help mitigate the risk to their institutions by proactively planning with incident response plans, communication plans, and table-top exercises. If you need help creating an incident response plan or wish to speak to us regarding preparing for cybersecurity threats, please reach out to us.
 

Blog
Cyberattacks in higher education—How prepared are you?

Focus on the people: How higher ed institutions can successfully make an ERP system change

The enterprise resource planning (ERP) system is the heart of an institution’s business, maintaining all aspects of day-to-day operations, from student registration to staff payroll. Many institutions have used the same ERP systems for decades and face challenges to meet the changing demands of staff and students. As new ERP vendors enter the marketplace with new features and functionality, institutions are considering a change. Some things to consider:

  1. Don’t just focus on the technology and make change management an afterthought. Transitioning to a new ERP system takes considerable effort, and has the potential to go horribly wrong if sponsorship, good planning, and communication channels are not in place. The new technology is the easy part of a transition—the primary challenge is often rooted in people’s natural resistance to change.  
  2. Overcoming resistance to change requires a thoughtful and intentional approach that focuses on change at the individual level. Understanding this helps leadership focus their attention and energy to best raise awareness and desire for the change.
  3. One effective tool that provides a good framework for successful change is the Prosci ADKAR® model. This framework has five distinct phases that align with ERP change:

These phases provide an approach for developing activities for change management, preparing leadership to lead and sponsor change and supporting employees through the implementation of the change.

The three essential steps to leveraging this framework:

  1. Perform a baseline assessment to establish an understanding of how ready the organization is for an ERP change
  2. Provide sponsorship, training, and communication to drive employee adoption
  3. Prepare and support activities to implement, celebrate, and sustain participation throughout the ERP transition

Following this approach with a change management framework such as the Prosci ADKAR® model can help an organization prepare, guide, and adopt ERP change more easily and successfully. 

If you’re considering a change, but need to prepare your institution for a healthy ERP transition using change management, chart yourself on this ADKAR framework—what is your organization’s change readiness? Do you have appropriate buy-in? What problems will you face?

You now know that this framework can help your changes stick, and have an idea of where you might face resistance. We’re certified Prosci ADKAR® practitioners and have experience guiding Higher Ed leaders like you through these steps. Get in touch—we’re happy to help and have the experience and training to back it up. Please contact the team with any questions you may have.

1Prosci ADKAR®from http://www.prosci.com

Blog
Perspectives of an Ex-CIO

If you’ve been tasked with leading a high-impact project for your organization, you may find managing the scope, budget and schedule is not enough to ensure project success—especially when you encounter resistance to change. When embarking on large-scale change projects spanning people, processes and technology, appointing staff as “coaches” to help support stakeholders through the change—and to manage resistance to the change—can help increase adoption and buy-in for a new way of doing things.

The first step is to identify candidates for the coaching role. These candidates are often supervisory staff who have credibility in the organization—whether as a subject matter expert, through internal leadership, or from having a history of client satisfaction. Next, you need a work plan to orient them to this role. One critical component is making sure the coaches themselves understand what the change means for their role, and have fully committed before asking them to coach others. They may exhibit initial resistance to the change you will need to manage before they can be effective coaches. According to research done by Prosci®, a leading change management research organization, some of the most common reasons for supervisor resistance in large-scale change projects are:

  • Lack of awareness about and involvement in the change
  • Loss of control or negative impact on job role
  • Increased work load (i.e., lack of time)
  • Culture of change resistance and past failures
  • Impact to their team

You should anticipate encountering these and other types of resistance from staff while preparing them to be coaches. Once coaches buy into the change, they will need ongoing support and guidance to fulfill their role. This support will vary by individual, but may be correlated to what managerial skills they already possess, or don’t. How can you focus on developing coaching skills among your staff for purposes of the project? Prosci® recommends a successful change coach take on the following roles:

  • Communicator—communicate with direct reports about the change
  • Liaison—engage and liaise with the project team
  • Advocate—advocate and champion the change
  • Resistance manager—identify and manage resistance
  • Coach—coach employees through the change

One of the initial tasks for your coaches will be to assess the existing level of change resistance and evaluate what resistance you may encounter. Prosci® identifies three types of resistance management work for your coaches to begin engaging in as they meet with their employees about the change:

  • Resistance prevention―by providing engagement opportunities for stakeholders throughout the project, building awareness about the change early on, and reinforcing executive-level support, coaches can often head off expected resistance.
  • Proactive resistance management―this approach requires coaches to anticipate the needs and understand the characteristics of their staff, and assess how they might react to change in light of these attributes. Coaches can then plan for likely forms of resistance in advance, with a structured mitigation approach.
  • Reactive resistance management―this focuses on resistance that has not been mitigated with the previous two types of resistance management, but instead persists or endures for an extended amount of time. This type of management may require more analysis and planning, particularly as the project nears its completion date.

Do you have candidates in your organization who may need support transitioning into coaching roles? Do you anticipate change resistance among your stakeholders? Contact us and we can help you develop a plan to address your specific challenges.

Blog
How to identify and prepare change management coaches

Not-for-profit board members need to wear many hats for the organization they serve. Every board member begins their term with a different set of skills, often chosen specifically for those unique abilities. As board members, we often assist the organization in raising money and as such, it is important for all members of the board to be fluent in the language of fundraising. Here are some basic definitions you need to know, and the differences between them.

Gifts with donor restriction

While many organizations can use all donations for their operating costs, many donors prefer to specify how―or when―they can use the donation. Gift restrictions come in several forms:

1.    Purpose-restricted gifts are, as their name implies, for a specific use. These can be in response to a request from your organization for that specific purpose or the donor can indicate its purpose when they make the gift. Consider how you solicit gifts from donors to be sure you don’t inadvertently apply restrictions. Not all gifts need to (or even should) be accepted by an organization, so take care in considering if specific restrictions are in line with your mission. 

2.    Time-restricted gifts can come with or without a restricted purpose. You can treat gifts for future periods as revenue today, though the funds would be considered restricted for use until the time restrictions have lapsed. These are often in the form of pledges of gifts for the future, but can also be actual donations provided today for use in coming years.

3.    Some donors prefer the earnings of their gift be available for use, while their actual donation be held in perpetuity. These are often in the form of endowments and specific restrictions may or may not be placed by the donor on the endowment’s earnings. Laws can differ from state-to-state for the treatment of those earnings, but your investment policy should govern the spending from these earnings.

The bottom line? Restricted-purpose gifts must be used for that restricted purpose.

Gifts without restriction are always welcome by organizations. The board has the ability to direct the spending of these gifts, and may designate funds for a future purpose, but unlike gifts with donor restrictions, the board does have the discretion to change their own designations.

Whether raising money or reviewing financial information, understanding fundraising language is key for board members to make the most out of donations. See A CPA’s guide to starting a capital campaign and Accounting 101 for development directors blogs for more information. Have questions or want to learn more? Please contact Emily Parker or Sarah Belliveau.

Blog
The language of fundraising: A primer for NFP board members

Of all the changes that came with the sweeping Tax Cuts and Jobs Act (TCJA) in late 2017, none has prompted as big a response from our clients as the changes TCJA makes to the qualified parking deduction. Then, last month, the IRS issued its long-waited guidance on this code section in the form of Notice 2018-99

We've taken a look at both the the original provisions, and the new guidance, and have collected the salient points and things we think you need to consider this tax season. For not-for-profit organizations, visit my article here. And for-profit companies can read here.  

Blog
IRS guidance on qualified parking: Our take

As 2018 is about to come to a close, organizations with fiscal year ends after December 15, 2018, are poised to start implementing the new not-for-profit reporting standard. Here are three areas to address before the close of the fiscal year to set your organization up for a smooth and successful transition, and keep in compliance:

  1. Update and approve policies—organizations need to both change certain disclosures and add new ones. The policies in place at the end of the year will be pivotal in creating the framework within which to draft these new disclosures (for example, treatment of board designations, underwater endowments, and liquidity).
  2. Functional expense reporting—if you have not historically reported expenses by natural and functional classification, develop the methodology for cost allocation. If you already have a framework in place, revisit it to determine if this still fits your organization. Finally, determine where you will present this information in the financial statements.
  3. Internal investment costs—be sure you have a methodology to segregate the organization’s internal investment costs such as internal staff time (remember, this is the cost to generate the income, not account for it) and consider the overall disclosure.

While the implementation of the new reporting standard will not be without cost (both internal costs and audit costs), if your organization considers this an opportunity to better tell your story, the end result will be a much more useful financial narrative. Don’t forget to include the BerryDunn implementation whitepaper in your implementation strategy.

We at BerryDunn are helping organizations gain momentum with a personal touch, through our not-for-profit reporting checkup. This checkup includes initial recast of the prior financial statements to the new format, a personalized review of the checklist to identify opportunities for success, and consideration of the footnotes to be updated. Contact me and find out how you can join the list of organizations getting ahead of the new standard.

Blog
Three steps to ace the new not-for-profit reporting standard

IRS Notice 2018-67 Hits the Charts
Last week, in addition to The Eagles Greatest Hits (1971-1975) album becoming the highest selling album of all time, overtaking Michael Jackson’s Thriller, the IRS issued Notice 2018-67its first formal guidance on Internal Revenue Code Section 512(a)(6), one of two major code sections added by the Tax Cuts and Jobs Act of 2017 that directly impacts tax-exempt organizations. Will it too, be a big hit? It remains to be seen.

Section 512(a)(6) specifically deals with the reporting requirements for not-for-profit organizations carrying on multiple unrelated business income (UBI) activities. Here, we will summarize the notice and help you to gain an understanding of the IRS’s thoughts and anticipated approaches to implementing §512(a)(6).

While there have been some (not so quiet) grumblings from the not-for-profit sector about guidance on Code Section 512(a)(7) (aka the parking lot tax), unfortunately we still have not seen anything yet. With Notice 2018-67’s release last week, we’re optimistic that guidance may be on the way and will let you know as soon as we see anything from the IRS.

Before we dive in, it’s important to note last week’s notice is just that—a notice, not a Revenue Procedure or some other substantive legislation. While the notice can, and should be relied upon until we receive further guidance, everything in the notice is open to public comment and/or subject to change. With that, here are some highlights:

No More Netting
512(a)(6) requires the organization to calculate unrelated business taxable income (UBTI), including for purposes of determining any net operating loss (NOL) deduction, separately with respect to each such trade or business. The notice requires this separate reporting (or silo-ing) of activities in order to determine activities with net income from those with net losses.

Under the old rules, if an organization had two UBI activities in a given year, (e.g., one with $1,000 of net income and another with $1,000 net loss, you could simply net the two together on Form 990-T and report $0 UBTI for the year. That is no longer the case. From now on, you can effectively ignore activities with a current year loss, prompting the organization to report $1,000 as taxable UBI, and pay associated federal and state income taxes, while the activity with the $1,000 loss will get “hung-up” as an NOL specific to that activity and carried forward until said activity generates a net income.

Separate Trade or Business
So, how does one distinguish (or silo) a separate trade or business from another? The Treasury Department and IRS intend to propose some regulations in the near future, but for now recommend that organizations use a “reasonable good-faith interpretation”, which for now includes using the North American Industry Classification System (NAICS) in order to determine different UBI activities.

For those not familiar, the NAICS categorizes different lines of business with a six-digit code. For example, the NAICS code for renting* out a residential building or dwelling is 531110, while the code for operating a potato farm is 111211. While distinguishing residential rental activities from potato farming activities might be rather straight forward, the waters become muddier if an organization rents both a residential property and a nonresidential property (NAICS code 531120). Does this mean the organization has two separate UBI rental activities, or can both be grouped together as rental activities? The notice does not provide anything definitive, but rather is requesting public comments?we expect to see something more concrete once the public comment period is over.

*In the above example, we’re assuming the rental properties are debt-financed, prompting a portion of the rental activity to be treated as UBI.

UBI from Partnership Investments (Schedule K-1)
Notice 2018-67 does address how to categorize/group unrelated business income for organizations that receive more than one partnership K-1 with UBI reported. In short, if the Schedule K-1s the organization receives can meet either of the tests below, the organization may treat the partnership investments as a single activity/silo for UBI reporting purposes. The notice offers the following:

De Minimis Test
You can aggregate UBI from multiple K-1s together as long as the exempt organization holds directly no more than 2% of the profits interest and no more that 2% of the capital interest. These percentages can be found on the face of the Schedule K-1 from the Partnership and the notice states those percentages as shown can be used for this determination. Additionally, the notice allows organizations to use an average of beginning of year and end of year percentages for this determination.

Ex: If an organization receives a K-1 with UBI reported, and the beginning of year profit & capital percentages are 3%, and the end of year percentages are 1%, the average for the year is 2% (3% + 1% = 4%/2 = 2%). In this example, the K-1 meets the de minimis test.

There is a bit of a caveat here—when determining an exempt organization's partnership interest, the interest of a disqualified person (i.e. officers, directors, trustees, substantial contributors, and family members of any of those listed here), a supporting organization, or a controlled entity in the same partnership will be taken into account. Organizations need to review all K-1s received and inquire with the appropriate person(s) to determine if they meet the terms of the de minimis test.

Control Test
If an organization is not able to pass the de minimis test, you may instead use the control test. An organization meets the requirements of the control test if the exempt organization (i) directly holds no more than 20 percent of the capital interest; and (ii) does not have control or influence over the partnership.

When determining control or influence over the partnership, you need to apply all relevant facts and circumstances. The notice states:

“An exempt organization has control or influence if the exempt organization may require the partnership to perform, or may prevent the partnership from performing, any act that significantly affects the operations of the partnership. An exempt organization also has control or influence over a partnership if any of the exempt organization's officers, directors, trustees, or employees have rights to participate in the management of the partnership or conduct the partnership's business at any time, or if the exempt organization has the power to appoint or remove any of the partnership's officers, directors, trustees, or employees.”

As noted above, we recommend your organization review any K-1s you currently receive. It’s important to take a look at Line I1 and make sure your organization is listed here as “Exempt Organization”. All too often we see not-for-profit organizations listed as “Corporations”, which while usually technically correct, this designation is really for a for-profit corporation and could result in the organization not receiving the necessary information in order to determine what portion, if any, of income/loss is attributable to UBI.

Net Operating Losses
The notice also provides some guidance regarding the use of NOLs. The good news is that any pre-2018 NOLs are grandfathered under the old rules and can be used to offset total UBTI on Form 990-T.

Conversely, any NOLs generated post-2018 are going to be considered silo-specific, with the intent being that the NOL will only be applicable to the activity which gave rise to the loss. There is also a limitation on post-2018 NOLs, allowing you to use only 80% of the NOL for a given activity. Said another way, an activity that has net UBTI in a given year, even with post-2017 NOLs, will still potentially have an associated tax liability for the year.

Obviously, Notice 2018-67 provides a good baseline for general information, but the details will be forthcoming, and we will know then if they have a hit. Hopefully the IRS will not Take It To The Limit in terms of issuing formal guidance in regards to 512(a)(6) & (7). Until they receive further IRS guidance,  folks in the not-for-profit sector will not be able to Take It Easy or have any semblance of a Peaceful Easy Feeling. Stay tuned.

Blog
Tax-exempt organizations: The wait is over, sort of

Cloud services are becoming more and more omnipresent, and rapidly changing how companies and organizations conduct their day-to-day business.

Many higher education institutions currently utilize cloud services for learning management systems (LMS) and student email systems. Yet there are some common misunderstandings and assumptions about cloud services, especially among higher education administrative leaders who may lack IT knowledge. The following information will provide these leaders with a better understanding of cloud services and how to develop a cloud services strategy.

What are cloud services?

Cloud services are internet-based technology services provided and/or hosted by offsite vendors. Cloud services can include a variety of applications, resources, and services, and are designed to be easily scalable, cost effective, and fully managed by the cloud services vendor.

What are the different types?

Cloud services are generally categorized by what they provide. Today, there are four primary types of cloud services:

Cloud Service Types 

Cloud services can be further categorized by how they are provided:

  1. Private cloud services are dedicated to only one client. Security and control is the biggest value for using a private cloud service.
  2. Public cloud services are shared across multiple clients. Cost effectiveness is the best value of public cloud services because resources are shared among a large number of clients.
  3. Hybrid cloud services are combinations of on-premise software and cloud services. The value of hybrid cloud services is the ability to adopt new cloud services (private or public) slowly while maintaining on-premise services that continue to provide value.

How do cloud services benefit higher education institutions?

Higher education administrative leaders should understand that cloud services provide multiple benefits.
Some examples:

Cloud-Services-for-Higher-Education


What possible problems do cloud services present to higher education institutions?

At the dawn of the cloud era, many of the problems were technical or operational in nature. As cloud services have become more sophisticated, the problems have become more security and business related. Today, higher education institutions have to tackle challenges such as cybersecurity/disaster recovery, data ownership, data governance, data compliance, and integration complexities.

While these problems and questions may be daunting, they can be overcome with strong leadership and best-practice policies, processes, and controls.

How can higher education administrative leaders develop a cloud services strategy?

You should work closely with IT leadership to complete this five-step planning checklist to develop a cloud services strategy: 

1. 

Identify new services to be added or consolidated; build a business case and identify the return on investment (ROI) for moving to the cloud, in order to answer:

• 

What cloud services does your institution already have?

• 

What cloud services does your institution already have?

• 

What services should you consider replacing with cloud services, and why?

• 

How are data decisions being made?

2. 

Identify design, technical, network, and security requirements (e.g., private or public; are there cloud services already in place that can be expanded upon, such as a private cloud service), in order to answer:

• 

Is your IT staff ready to migrate, manage, and support cloud services?

• 

Do your business processes align with using cloud services?

• 

Do cloud service-provided policies align with your institution’s security policies?

• 

Do you have the in-house expertise to integrate cloud services with existing on-premise services?

3. 

Decide where data will be stored; data governance (e.g., on-premise, off-premise data center, cloud), in order to answer:

• 

Who owns the data in the institution’s cloud, and where?

• 

Who is accountable for data decisions?

4. 

Integrate with current infrastructure; ensure cloud strategy easily allows scalability for expansion and additional services, in order to answer:

• 

What integration points will you have between on-premise and cloud applications or services, and can the institution easily implement, manage, and support them?

5. 

Identify business requirements — budget, timing, practices, policies, and controls required for cloud services and compliance, in order to answer:

• 

Will your business model need to change in order to support a different cost model for cloud services (i.e., less capital for equipment purchases every three to five years versus a steady monthly/yearly operating cost model for cloud services)?

• 

Does your institution understand the current state and federal compliance and privacy regulations as they relate to data?

• 

Do you have a contingency plan if its primary cloud services provider goes out of business?

• 

Do your contracts align with institutional, state, and federal guidelines?

Need assistance?

BerryDunn’s higher education team focuses on advising colleges and universities in improving services, reducing costs, and adding value. Our team is well qualified to assist in understanding the cloud “skyscape.” If your institution seeks to maximize the value of cloud services or develop a cloud services strategy, please contact me.

Blog
Cloud services 101: An almanac for higher education leaders

People are naturally resistant to change. Employees facing organizational change that will impact day-to-day operations are no exception, and they can feel threatened or fearful of what that change will bring. Even more challenging are multiyear initiatives where the project’s completion is years away.

How can your agency or organization help employees prepare for change—and stay motivated for an outcome—many years in the making?


Start With the Individual

Organizational change requires individual change. For the change to be successful and lasting, an agency should apply organizational change management strategies that help lead people to your desired outcome.

With any new project or initiative, people need to understand why the project is happening before they support it. Communicate the reasons for the change—and the benefit to the employee (what’s in it for them)—so each individual is more inclined to actively support the project. Clearly communicating the why at the onset of the project can help employees feel vested in, and part of, the change. As Socrates said, “The secret of change is to focus all your energy, not on fighting the old, but building the new.” A clear vision can inspire each employee’s desire for the “new” to succeed.

Shift to Individual Goals

It’s a challenge to maintain your employees’ motivation for an organizational change occurring over the long haul. Below are some suggestions on how to sustain interest and enthusiasm for multi-year projects:

  1. Break the project down into smaller, specific milestones. Short-term goals highlight important deadlines and create tangible progress points to reach and celebrate. The master project schedule should be an integration of the organizational change management plan and the project management plan so any resource constraints you identify in the project management plan also become an input when identifying change management resources and activity levels. This integration also highlights the importance of key organizational change management milestones and activities in an effort to ensure they are on a parallel tack as traditional project tasks.
  2. Effectively communicate status updates and successes. In large, agency-wide projects, there are often a variety of stakeholders, each with different communication expectations and needs. The methods, content, and frequency of communication will vary accordingly. Develop a communications strategy as part of your organizational change management plan, to identify who will be responsible to send communications, when and how they will be sent, key messages of the communications, and what feedback mechanisms are in place to continue the conversation after initial delivery. For example, the project team needs a different level of detail than the legislature, or the public. Making the content relevant to each stakeholder group is important because it gives each group what they need to know so they don’t drown in a flood of unneeded information.
  3. Create buy-in by involving employees. A feeling of ownership naturally results from participation in a project, which helps increase enthusiasm. Often the time to do this is when discussing changes to business processes. Once you determine the mandatory features of the future state, (e.g., financial controls, legal requirements, legislative mandates) consider including stakeholder feedback on decisions more focused on preference. It is important for stakeholders to see their suggestions accepted and implemented, or if not implemented, that there was at least a structured process for thoughtfully considering their feedback, and a business case for why their suggestions didn’t make it into the project.
  4. Conduct lessons learned assessments after each major milestone. The purpose of conducting lessons learned activities is to capture what worked and what didn’t. Using surveys or other feedback systems, such as debrief meetings, allows stakeholders to voice their thoughts or concerns. By soliciting feedback after each milestone, leadership can quickly adapt to challenges, address any misunderstandings or concerns, and capitalize on successes.
  5. Reinforce how the project meets the goals of the agency or organization. Maintaining enthusiasm and support for a long-term goal takes a constant reminder of the overall organizational goals. It is important for senior leadership to communicate the impact of the project on the agency or organization and to stakeholders and keep the project at the forefront of people’s minds. Project goals may change during the duration of the project, but the project sponsor should continue to be active and visible in communicating the goals and leading the project.

Change is difficult—change that is years in the making is even more challenging. Applying a structured organizational change management process and using these tips can help keep employees energized and help ensure you reach the desired project goals.

Blog
Change management: Keeping employees motivated during multiyear projects

Over the course of its day-to-day operations, every organization acquires, stores, and transmits Protected Health Information (PHI), including names, email addresses, phone numbers, account numbers, and social security numbers.

Yet the security of each organization’s PHI varies dramatically, as does its need for compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Organizations that meet the definition of a covered entity or business associate under HIPAA must comply with requirements to protect the privacy and security of health information.

Noncompliance can have devastating consequences for an organization, including:

  • Civil violations, with fines ranging from $100 to $50,000 per violation
  • Criminal penalties, with fines ranging from around $50,000 to $250,000, plus imprisonment

All it takes is just one security or privacy breach. As breaches of all kinds continue to rise, this may be the perfect time to evaluate the health of your organization’s HIPAA compliance. To keep in compliance and minimize your risk of a breach, your organization should have:

  • An up-to-date and comprehensive HIPAA security and privacy plan
  • Comprehensive HIPAA training for employees
  • Staff who are aware of all PHI categories
  • Sufficiently encrypted devices and strong password policies

HIPAA Health Check: A Thorough Diagnosis

If your organization doesn’t have these safeguards in place, it’s time to start preparing for the worst — and undergo a HIPAA health check.

Organizations need to understand what they have in place, and where they need to bolster their practice. Here are a variety of fact-finding methods and tools we recommend, including (but not limited to):

  • Administrative, technical, and physical risk analyses
  • Policy, procedure, and business documentation reviews
  • Staff surveys and interviews
  • IT audits and testing of data security

Once you have diagnosed your organization’s “as-is” status, you need to move your organization toward the “to-be” status — that is, toward HIPAA compliance — by:

  • Prioritizing your HIPAA security and privacy risks
  • Developing tactics to mitigate those risks
  • Providing tools and tactics for security and privacy breach prevention and minimization
  • Creating or updating policies, procedures, and business documents, including a HIPAA security and privacy plan

As each organization is different, there are many factors to consider as you go through these processes, and customize your approach to the HIPAA-compliance needs of your organization.

The Road to Wellness

An ounce of prevention is worth a pound of cure. Don’t let a security or privacy breach jump-start the compliance process. Reach out to us for a HIPAA health check. Contact us if you have any questions on how to get your organization on the road to wellness.

Blog
How healthy is your organization's HIPAA compliance?

As a leader in a higher education institution, you'll be familiar with this paradox: Every solution can lead to more problems, and every answer can lead to more questions. It’s like navigating an endless maze. When it comes to mobile apps, the same holds true. So, the question: Should your institution have a mobile app? The Answer? Absolutely.

Devices, not computers, are how millenials communicate, gather, inform, and engage. Millennials, on average, spend 90 hours per month on mobile apps, not including web searches and website visits.

Students are no exception. A 2016 Nielsen study showed that 98% of millennials aged 18 – 24, and 97% of millennials aged 25 – 34, owned a smartphone, while a 2017 comScore report stated that one out of five millennials no longer use desktop devices, including laptops. Mobile apps have quickly filled the desktop void, and as students grow more reliant on mobile technology, colleges and universities are in the mix, creating apps to bolster student engagement.

So should you create an app? Here are some questions you should answer before creating a mobile app. Welcome to the labyrinth! But don’t be frustrated—answer these questions to help you avoid dead ends and overspending.

1. Is a mobile app part of your IT Strategy? Including a mobile app in your IT strategy minimizes confusion at all levels about the objectives of mobile app implementation. It also helps dictate whether an institution needs multiple mobile apps for various functions, or a primary app that connects users with other functionality. If an institution has multiple campuses, should you align all campuses with a single app, or if will each campus develop their own?

2. What will the app do? Mobile apps can perform a multitude of functions, but for the initial implementation, select a few key functions in one main area, such as academics or student life. Institutions can then add functionality in the future as mobile adoption grows, and demand for more functions increases.

3. Who will use the app? Mobile apps certainly improve engagement throughout the student life cycle—from prospect to student to alumni—but they also present opportunities for increased faculty, staff, and community engagement. And while institutions should identify the immediate audience of the app, they should also identify future users, based upon functionality.

4. Who will manage the app? Institutions should determine who is going to manage the mobile app, and how. The discussion should focus on access, content, and functionality. Is the institution going to manage everything in house, from development to release to support, or will a mobile app vendor provide this support under contract? Depending on your institution, these discussions will vary.

5. What data will the app use? Like any new software system, an app is only as good as its supporting data. It’s important to assess the systems to integrate with the mobile app, and determine if the systems’ data is up-to-date and ready for integration. Consider the use of application program interfaces, or APIs. APIs allow apps and platforms to interact with one another. They can enable social media, news, weather, and entertainment apps to connect with your institution’s app, enhancing the user experience with more content for users.

6. How much data security does your app need? Depending on the functionality of the app you create, you will need varying degrees of security, including user authentication safeguards and other protections to keep information safe.

7. How much can you spend for the app? Your institution should decide how much you will spend on initial app development, with an eye toward including maintenance and development costs for future functionality. Complexity increases costs, so you will need to  budget accordingly. Include budget planning for updates and functionality improvements after launch.

You will also need to establish a timeline for the project and roll out. And note that apps deployed toward the end of the academic year experience less adoption than apps deployed at the beginning of the academic year.

Once your institution answers these questions, you will be off to a good start. And as I stated earlier, every answer to a question can lead to more questions. If your institution needs help navigating the mobile app labyrinth, please reach out to me

Blog
The mobile app labyrinth: Seven questions higher education institutions should ask

As we begin the second year of Uniform Guidance, here’s what we’ve learned from year one, and some strategies you can use to approach various challenges, all told from a runner's point of view.

A Runner’s Perspective

As I began writing this article, the parallels between strategies that I use when competing in road races — and the strategies that we have used in navigating the Uniform Guidance — started to emerge. I’ve been running competitively for six years, and one of the biggest lessons I’ve learned is that implementing real-time adjustments to various challenges that pop up during a race makes all the difference between crossing — or falling short of — the finish line. This lesson also applies to implementing Uniform Guidance. On your mark, get set, go!

Challenge #1: Unclear Documentation

Federal awarding agencies have been unclear in the documentation within original awards, or funding increments, making it hard to know which standards to follow: the previous cost circulars, or the Uniform Guidance?

Racing Strategy: Navigate Decision Points

Take the time to ask for directions. In a long race, if you’re apprehensive about what’s ahead, stop and ask a volunteer at the water station, or anywhere else along the route.

If there is a question about the route you need to take in order to remain compliant with the Uniform Guidance, it’s your responsibility to reach out to the respective agency single audit coordinators or program officials. Unlike in a race, where you have to ask questions on the fly, it’s best to document your Uniform Guidance questions and answers via email, and make sure to retain your documentation.  Taking the time to make sure you’re headed in the right direction will save you energy, and lost time, in the long run.    

Challenge #2: Subrecipient Monitoring

The responsibilities of pass-through entities (PTEs) have significantly increased under the Uniform Guidance with respect to subaward requirements. Under OMB Circular A-133, the guidance was not very explicit on what monitoring procedures needed to be completed with regard to subrecipients. However, it was clear that monitoring to some extent was a requirement.

Racing Strategy: Keep a Healthy Pace

Take the role of “pacer” in your relationships with subrecipients. In a long-distance race, pacers ensure a fast time and avoid excessive tactical racing. By taking on this role, you can more efficiently fulfill your responsibilities under the Uniform Guidance.

Under the Uniform Guidance, a PTE must:

  • Perform risk assessments on its subrecipients to determine where to devote the most time with its monitoring procedures.
  • Provide ongoing monitoring, which includes site visits, provide technical assistance and training as necessary, and arrange for agreed-upon procedures to the extent needed.
  • Verify subrecipients have been audited under Subpart F of the Uniform Guidance, if they meet the threshold.
  • Report and follow up on any noncompliance at the subrecipient level.
  • The time you spend determining the energy you need to expend, and the support you need to lend to your subrecipients will help your team perform at a healthy pace, and reach the finish line together.

Challenge #3: Procurement Standards

The procurement standards within the Uniform Guidance are similar to those under OMB Circular A-102, which applied to state and local governments. They are likely to have a bigger impact on those entities that were subject to OMB Circular A-110, which applied to higher education institutions, hospitals, and other not-for-profit organizations.

Racing Strategy: Choose the Right Equipment

Do your research before procuring goods and services. In the past, serious runners had limited options when it came to buying new shoes and food to boost energy. With the rise of e-commerce, we can now purchase everything faster and cheaper online than we can at our local running store. But is this really an improvement?

Under A-110, we were guided to make prudent decisions, but the requirements were less stringent. Now, under Uniform Guidance, we must follow prescribed guidelines.

Summarized below are some of the differences between A-110 and the Uniform Guidance:

A-110 UNIFORM GUIDANCE
Competition
Procurement transaction shall be conducted in a manner to provide, to the maximum extent practical, open and free competition.
Competition
Procurement transaction must be conducted in a manner providing full and open competition consistent with the standards of this section.
 
Procurement
Organizations must establish written procurement procedures, which avoid purchasing unnecessary items, determine whether lease or purchase is most economical and practical, and in solicitation provide requirements for awards.
Procurement
Organizations must use one of the methods provided in this section:
  1. Procurement by Micro Purchase (<$3,000)
  2. Procurement by Small Purchase Procedures (<$150,000)
  3. Procurement by Sealed Bids
  4. Procurement by Competitive Proposal
  5. Procurement by Noncompetitive Proposal

While the process is more stringent under the Uniform Guidance, you still have the opportunity to choose the vendor or product best suited to the job. Just make sure you have the documentation to back up your decision.

A Final Thought
Obviously, this article is not an all-inclusive list of the changes reflected in the Uniform Guidance. Yet we hope that it does provide direction as you look for new grant awards and revisit internal policies and procedures.

And here’s one last tip: Do you know the most striking parallel that I see between running a race and implementing the Uniform Guidance? The value of knowing yourself.

It’s important to know what your challenges are, and to have the self-awareness to see when and where you will need help. And if you ever need someone to help you navigate, set the pace, or provide an objective perspective on purchasing equipment, let us know. We’re with you all the way to the finish line.

Grant Running.jpg

Blog
A runner's guide to uniform guidance, year two

With the most recent overhaul to the Form 990, Return of Organization Exempt From Income Tax, the IRS has made clear its intention to increase the transparency of a not-for-profit organization’s mission and activities and to promote active governance. To point, the IRS asks whether a copy has been provided to an organization’s board prior to filing and requires organizations to describe the process, if any, its board undertakes to review the 990.

This lack of ambiguity aside, it is just good governance to have an understanding of the information included in your organization’s Form 990. After all, it is available to anyone who wants a copy. But the volume of information included in a typical return can be daunting.

Where do you even start? Let’s take a look at the key components of a Form 990 that warrant at least a read-through:

  • Income and expense activity (Page 1 and Schedule D) – Does this agree to, or reconcile to, the financial reporting of the organization?
  • Narratives on Page 2 – Does it accurately describe your mission and “tell your story”?
  • Questions in Part VI about governance, management, and disclosures – If any governance or policy questions are answered in the negative, have you given consideration to implementing changes?
  • Part VII – Board information and key employee/contractor compensation – Is the list complete? Does the information agree with compensation set by the board? Does it seem appropriate in light of responsibilities and the organization’s activities

Depending on how questions were answered earlier in the Form 990, several schedules may be required. Key schedules include:

  • Schedule C – Political and lobbying expenditures
  • Schedule F – Foreign transactions and investments reported (alternative investments may have pass-through foreign activity)
  • Schedule J – Detailed compensation reporting for employees whose package exceeds $150,000
  • Schedule L – Transactions with officers, board members, and key employees (conflict-of-interest disclosures)

In addition to the Form 990, an organization may be required to file a Form 990-T, Exempt Organization Business Income Tax Return, if it earns unrelated business income. In general, it’s good practice to review the Form 990 with the organization’s management or tax preparer to be able to ask questions as they arise.

Filing and reviewing the Form 990 can be more than a compliance exercise. It’s an opportunity for a good conversations about your mission, policies, and compensation—a “health check-up” that can benefit more areas than just compliance. Understanding your not-for-profit’s operations and being an engaged and informed board member are essential to effectively fulfilling your fiduciary responsibilities.

Blog
Good governance: Understanding your organization's Form 990