Skip to Main Content

blogpost

How healthy is your organization's HIPAA compliance?

04.10.18

Over the course of its day-to-day operations, every organization acquires, stores, and transmits Protected Health Information (PHI), including names, email addresses, phone numbers, account numbers, and social security numbers.

Yet the security of each organization’s PHI varies dramatically, as does its need for compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Organizations that meet the definition of a covered entity or business associate under HIPAA must comply with requirements to protect the privacy and security of health information.

Noncompliance can have devastating consequences for an organization, including:

  • Civil violations, with fines ranging from $100 to $50,000 per violation
  • Criminal penalties, with fines ranging from around $50,000 to $250,000, plus imprisonment

All it takes is just one security or privacy breach. As breaches of all kinds continue to rise, this may be the perfect time to evaluate the health of your organization’s HIPAA compliance. To keep in compliance and minimize your risk of a breach, your organization should have:

  • An up-to-date and comprehensive HIPAA security and privacy plan
  • Comprehensive HIPAA training for employees
  • Staff who are aware of all PHI categories
  • Sufficiently encrypted devices and strong password policies

HIPAA Health Check: A Thorough Diagnosis

If your organization doesn’t have these safeguards in place, it’s time to start preparing for the worst — and undergo a HIPAA health check.

Organizations need to understand what they have in place, and where they need to bolster their practice. Here are a variety of fact-finding methods and tools we recommend, including (but not limited to):

  • Administrative, technical, and physical risk analyses
  • Policy, procedure, and business documentation reviews
  • Staff surveys and interviews
  • IT audits and testing of data security

Once you have diagnosed your organization’s “as-is” status, you need to move your organization toward the “to-be” status — that is, toward HIPAA compliance — by:

  • Prioritizing your HIPAA security and privacy risks
  • Developing tactics to mitigate those risks
  • Providing tools and tactics for security and privacy breach prevention and minimization
  • Creating or updating policies, procedures, and business documents, including a HIPAA security and privacy plan

As each organization is different, there are many factors to consider as you go through these processes, and customize your approach to the HIPAA-compliance needs of your organization.

The Road to Wellness

An ounce of prevention is worth a pound of cure. Don’t let a security or privacy breach jump-start the compliance process. Reach out to us for a HIPAA health check. Contact us if you have any questions on how to get your organization on the road to wellness.

Related Services

Consulting

Organizational and Governance

Success is slippery and can be evasive, even on the simplest of projects. Grasping it grows harder during lengthier and more complex undertakings, such as enterprise-wide technology projects—and requires incorporating a variety of short- and long-term strategies. Yet focusing only on the technological aspects of these projects is not enough. Here are 10 non-tech strategies for success in tech projects.

1. Gain leadership support.

An enterprise-wide technology project can transform an entire organization. Therefore, the first step toward success is to ensure your leadership makes the project an organizational priority. Projects described as "IT projects” in the past must now be seen as strategic business solutions that meet the needs of the organization, prioritized in sync with goals and objectives of the organization. Executives and management need to be on board and demonstrate solid commitment to the project. This dramatically improves the likelihood of project success, and your team knows that leadership is supporting their efforts.

2. Develop and promote a shared vision.

To start a successful project, members across the organization must understand and embrace a shared vision. One way to encourage this is to hold “vision sessions” where key stakeholders meet to talk about how they see the new technology improving operations. Building consensus early on allows your staff to be fully open to change, in turn helping generate positive and creative ideas.

3. Establish project tenets. 

Project leadership must develop a set of project goals and expectations, or tenets, which help staff understand the rationale for the project. They should be clearly defined, meaningful, and when possible, measurable, so the organization knows what success is—and how to achieve it. Tenet examples include:

We will collect and share information across the organization, subject to appropriate security and privacy compliance.

The use of standard business processes across the organization will minimize variations.

We will not design the new system based on existing workflows, and instead will use industry best practices.

4. Create a governance structure.

Early on in the project, identify a clear decision-making structure for resolving issues that arise and preventing delays. Although the project team should address issues first, having an agreed-upon process for issue escalation to leadership will be valuable when you can’t reach consensus.

5. Set realistic timelines.

Set realistic timelines, communicate them clearly, and refer to them often. An easily accessible visual timeline helps maintain project momentum and enthusiasm. It also helps you manage expectations and prevent scope creep. It’s important for the leadership team to inform staff of any changes that will impact their daily responsibilities or affect the timeline or scope of the project.

6. Engage key stakeholders early and often.

Change—even positive change—is stressful. Change management is an essential cornerstone to project success. Building sustainable collaboration and project buy-in from stakeholders at project onset and maintaining it throughout the project life cycle is critical to meeting deadlines and a successful outcome. In the case of a new system selection or implementation project, your operational leads should design and champion new workflows supported by enabled technology. Staff members need to work in sync with your IT department to translate their operational needs into technology requirements.

7. Develop a comprehensive communication plan.

A comprehensive communication plan is vital to the success of any project. It keeps stakeholders engaged and project teams motivated. It also includes the use of visual graphics, website videos, and/or social media for targeting the right groups with the right message at the right time, and in the right manner.

8. Don’t skimp on resources.

Adequate finances, technical infrastructure, and “people” resources must be committed for the long haul—project success is a journey, not a destination. Give your staff enough time to participate in planning, workflow redesign, and ongoing education. In order to help ensure key staff are available for system design and testing work, identify backfill resources for peak time periods in the project.

9. Practice change management for cultural considerations.

Your organization must prepare, support, and sustain all employees through effective change management in order to effect a culture of change. Pre-planning will help to identify potential roadblocks and areas of resistance, and facilitate embracing change.

Resistance comes from the degree of change required, and when staff members believe new technology is just a passing fad. It will take time—and commitment—for your staff members to learn how to use the new technology efficiently and understand its benefits.

10. Develop an effective and sustainable training plan.

An effective and sustainable training plan can’t be overemphasized. It should identify training resources, including personnel, locations, and equipment. In addition, a comprehensive training plan addresses different learning styles of various staff members and multiple training models, such as face-to-face classroom, virtual labs, and online learning. You can supplement these training models with “just in time” 1:1 role-based scenario trainings as needed. The plan should include the development of various training aides, including playbooks, scripts, quick-tip reference sheets, and FAQs. Finally, the plan should include methods for assessing staff proficiency, such as competency assessments and follow-up incremental trainings after go-live.

Additional strategies for tech project success

Ultimately, 10 is an arbitrary number. There are more non-tech strategies you can deploy to achieve tech project success. And of course, there are some tech-specific approaches you should know. If you would like to discuss these strategies—and the concrete tactics your organization can use to implement them on a day-to-day basis—please reach out to me.

Blog
10 non-tech strategies for tech project success

Some days, social media seems nothing more than a blur of easily forgettable memes. Yet certain memes keep reappearing to the point where we have no choice but to remember them. Remember the one that displays various images of oceans or forests or mountains with the words “Relax. Nothing Is Under Control”? I do.

Wise words, if you’re on vacation and actually relaxing near an ocean, forest, or mountain. Yet they don’t necessarily apply to the day-to-day world of IT administration and management, particularly when undergoing a system implementation or upgrade. IT directors and staff must have at least some control. One of the best ways to do that, and keep IT chaos at bay, is to apply the change control process.

The Core of Change Control
Before we go any further, let’s clarify one thing: Change control is not change management, the general management of change and development within an organization. Change control refers to the systematic approach of handling midstream changes made during the course of an organization’s project, such as during a new system implementation.

In the world of local government, midstream IT project changes occur both suddenly and regularly due to a variety of factors, including new regulations, modifications to project scope, schedule, budget, and funding. Because many government departments use integrated systems to share data, these changes can have unintended downstream effects, including decreased productivity and revenue, and increased frustration and cost — especially if other departments within the organization don’t know what is going on.

At its core, change control helps you communicate and make decisions to avoid midstream project changes being made in a “vacuum.” It also helps ensure approval from all departments affected by the changes.

When to Use the Change Control Process
There are many types of changes that require change control. These include:

  • Billing changes
  • Mandate changes
  • Operational changes
  • Compliance changes
  • System interface changes
  • Quality assurance changes
  • Changes dictated by grants
  • Revenue management changes
  • Electronic Data Interchange (EDI) changes
  • Changes dictated by external agency requests
  • Electronic Health Records (EHR) or Electronic Resource Planning (ERP) program changes

You can also create an expedited process for time-sensitive changes, based on your organization’s unique needs.

How to Use the Change Control Process
The change control process generally consists of three phases:

Change Request: An individual who wants to make a change to an ongoing project completes a Change Control Request Form. The individual should provide the following information to their supervisor or director, who then determines whether or not to consider the change:

  • The due date of the requested change
  • The affected business lead, if known
  • The description of the requested change
  • The justification/benefit of the requested change
  • The impact of not implementing the requested change
  • Individual(s) who need to be notified and/or trained

Change Response: The CCB informs the requestor of its decision. If the request is approved, the requestor completes a Change Control Implementation Plan. Next, the requestor submits the completed Change Implementation Plan to their supervisor or director for review. Once the supervisor or director approves the Change Control Implementation Plan, they email the approval to both the requestor and a representative of the CCB.

Change Review: If the supervisor approves the change, a governing entity (the Change Control Board, or CCB) reviews the Change Control Request Form. The CCB either approves or declines the proposed change.

The Benefits of Change Control
The benefits of change control are many. Change control:

  • Ensures that midstream changes to IT systems and operations are vetted by all stakeholders
  • Provides opportunities for ongoing business process improvement and staff development
  • Improves training and communication
  • Helps avoid unnecessary changes that can disrupt services
  • Improves resource efficiency

Ultimately, each midstream project change — especially an IT project change — is a bit of a journey. With the change control process, the journey can feel more like a walk on the beach. This blog provides a simple summary of the process, as there are many other things to consider when implementing. But relax: It’s all under control!

Blog
Make midstream project changes a walk on the beach: The change control process

BerryDunn’s Healthcare/Not-for-Profit Practice Group members have been working closely with our clients as they navigate the effect the COVID-19 pandemic will have on their ability to sustain and advance their missions.

We have collected several of the questions we received, and the answers provided, so that you may also benefit from this information. We will be updating our COVID-19 Resources page regularly. If you have a question you would like to have answered, please contact Sarah Belliveau, Not-for-Profit Practice Area leader, at sbelliveau@berrydunn.com.

The following questions and answers have been compiled into categories: stabilization, cash flow, financial reporting, endowments and investments, employee benefits, and additional considerations.

STABILIZATION
Q: Is all relief focused on small to mid-size organizations? What can larger nonprofit organizations participate in for relief?
A:

We have learned that there is an as-yet-to-be-defined loan program for mid-sized employers between 500-10,000 employees. You can find information in the Loans Available for Nonprofits section (link below) of  the CARES Act as well as on the Independent Sector CARES Act web page, which will be updated regularly.

Q: Should I perform financial modeling so I can understand the impact this will have on my organization? Things are moving so fast, how do I know what federal programs are available to provide assistance?
A:

The first step in developing a short-term model to navigate the next few months is to gain an understanding of the programs available to provide assistance. These resources summarize some information about available programs:

Loans Available for Nonprofits in the CARES Act
Families First Coronavirus Response Act (FFCRA): FAQs for Businesses
CARES Act Tax Provisions for Not-for-Profit Organizations

The next step is to develop scenarios ranging from best case to worst case to analyze the potential impact of revenue and/or cost reductions on the organization. Modeling the various options available to you will help to determine which program is best for your organization. Each program achieves a different objective – for instance:

  • The Paycheck Protection Program can assist in retaining employees in the short term.
  • The Emergency Economic Injury Grants are helpful in covering a small immediate liquidity need.
  • The Small Business Debt Relief Program provides aid to those concerned with making SBA loan payments.

Additionally, consider non-federal options, such as discussing short-term deferrals with your current bank.

Q: How should I create a financial forecast/model for the next year?
A:

If you have the benefit of waiting, this is likely a time period in which it makes sense to delay significant in-depth forecasting efforts, particularly if your business environment is complicated or subject to significantly volatility as a result of recent events. The concern with beginning to model for future periods, outside of the next three-to-six months, is that you’ll be using information that is incomplete and ever-changing. This could lead to snap judgments that are short-term in nature and detrimental to long-term planning and success of your organization. 

With that said, we recognize that delaying this analysis will be unsettling to many CFOs and business managers who need to have a strategy moving forward. In developing this model for next year, consider the following elements of a strong model:

  1. Flexible and dynamic – Allow room for the model to adapt as more information is available and as additional insight is requested by your constituents (board members, department heads, lenders, etc.).
  2. Prioritize – Start with your big-ticket items. These should be the items that drive results for the organization. Determine what your top two to three revenue and expense categories are and focus on wrapping your arms around the future of those. From there, look for other revenue and expense sources that show correlation with one of the big two to three. Using a dynamic model, these should be automatically updated when assumptions on correlated items change. Don’t waste time on items that likely don’t impact decision making. Finally, build consensus on baseline assumptions, whether it be through management or accounting team, the board, or finance committee.
  3. Stress-test – Provide for the reality that your assumptions, and thus model, will be wrong. Develop scenarios that run from best-case to worst-case. Be honest with your assumptions.
  4. Identify levers – As you complete stress-testing, identify your action plan under different circumstances. What are expenditures that can be deferred in a worst-case scenario? What does staffing look like at various levels?
  5. Cash is king – The focus on forecasting and modeling is often on the net income of the organization and the cash flows generated. In a time such as this, the exercise is likely to focus on future liquidity. Remember to consider your non-income and expense items that impact cash flow, such as principal payments on debt service, planned additions to property & equipment, receipts on pledge payments, and others.  
CASH FLOW
Q: How can I alleviate cash flow strain in the near term?
A:

While the House and Senate have reacted quickly to bring needed relief to individuals and businesses across the country, the reality for most is that more will need to be done to stabilize. Operationally, obvious responses in the short term should be to eliminate all nonessential purchasing and maximize the billing and collection functions in accounts receivable. Another option is to utilize or increase an existing line of credit, or establish a new line of credit, to alleviate short term cash flow shortfalls. Organizations with investment portfolios can consider the prudence of increasing the spending draw on those funds. Rather than making a few drastic changes, organizations should take a multi-faceted approach to reduce the strain on cash flow while protecting the long term sustainability of the mission.

Q: How can I increase my organization’s reach to help with disaster relief? If we establish a special purpose fund, what should my organization be thinking about?
A:

Many organizations are looking for ways to increase their direct impact and give funding to individuals or organizations they may not have historically supported. For those who are want to expand their grant or gift making or want to establish a disaster relief fund, there are things to consider when doing so to help protect the organization. The nonprofit experts at Hemenway & Barnes share their thoughts on just how to do that.

FINANCIAL REPORTING
Q: What accounting standards have been delayed or are in the process of being delayed?
A:

FASB:
The $2.2 trillion stimulus package includes a provision that would allow banks the temporary option to delay compliance with the current expected credit losses (CECL) accounting standard. This would be delayed until the earlier end of the fiscal year or the end of the coronavirus national emergency.

GASB:
On March 26, 2020, the Governmental Accounting Standards Board (GASB) announced it has added a project to its current technical agenda to consider postponing all Statement and Implementation Guide provisions with an effective date that begins on or after reporting periods beginning after June 15, 2018. The GASB has received numerous requests from state and local government officials and public accounting firms regarding postponing the upcoming effective dates of pronouncements as these state and local government offices are closed and officials do not have access to the information needed to implement the Statements. Most notably this would include Statement No. 84, Fiduciary Activities, and Statement No. 87, Leases.

The Board plans to consider an Exposure Draft for issuance in April and finalize the guidance in May 2020.

ENDOWMENTS AND INVESTMENTS 
Q: What should I consider with regard to endowments?
A:

Many nonprofits with endowments are considering ways to balance an increased reliance on their investment portfolios with the responsibility to protect and preserve the spending power of donor-restricted gifts. Some things to think about include the existence (or absence) of true restrictions, spending variations under the Uniform Prudent Management of Institutional Funds Act (UPMIFA) applicable in your state, borrowing from an endowment, or requesting from the donor the release of restrictions. All need to be balanced with the intended duration and preservation of the endowment fund. Hemenway & Barnes shares their thoughts relative to the utilization of endowments during this time of need.

EMPLOYEE BENEFITS
Q: We are going to suspend our retirement plan match through June 30, 2020 and I picked a start date of April 1st. What we need help with is our bi-weekly payroll (which is for HOURLY employees). Their next pay date is April 3rd, for time worked through March 28th. Time worked March 29-31 would be paid on April 17th. How should we handle the match during this period for the hourly employees?
A:

The key for determining what to include for the matching calculation is when it is paid, not when it was earned. If the amendment is effective April 1st, then any amounts paid after April 1st would not have matching contributions calculated. This means that the amounts paid on April 3rd would not have any matching contributions calculated.

Q: Can you please provide guidance on the Families First Coronavirus Response Act (FFCRA) and how it may impact my organization?
A:

On March 30th, BerryDunn published a blog post to help answer your questions around the FFCRA.

If you have additional questions, please contact one of our Employee Benefit Plan professionals

ADDITIONAL CONSIDERATIONS
Q: I heard there was going to be an incentive for charitable giving in the new act. What's that all about?
A:

According to Sections 2204 and 2205 of the CARES Act:

  • Up to $300 of charitable contributions can be taken as a deduction in calculating adjusted gross income (AGI) for the 2020 tax year. This will provide a tax benefit even to those who do not itemize.
  • For the 2020 tax year, the tax cap has been lifted for:
    • Individuals-from 60% of AGI to 100%
    • Corporations-annual limit is raised from 10% to 25% (for food donations this is raised from 15% to 25%)
Q: Have you heard if the May 15th tax deadline will be extended?
A:

Unfortunately, we have not heard. As of April 6th, the deadline has not been extended.

Q: Could you please summarize for me the tax provisions in the CARES Act that you think are most applicable to not-for-profits?
A: Absolutely! Our not-for-profit tax professionals have compiled this document, which provides a high-level outline of tax provisions in the CARES Act that we believe would be of interest to our clients.

We are here to help
Please contact the BerryDunn not-for-profit team if you have any questions, or would like to discuss your specific situation.

Blog
COVID-19 FAQs—Not-for-Profit Edition

Focus: Disaster Loan Program and Paycheck Protection Program (PPP)

Background

The Coronavirus Aid, Relief and Economic Security (CARES) Act will provide $562 million to cover administrative expenses and program subsidy for the US Small Business Administration (SBA) Economic Injury Disaster Loans and small business programs. 

Additionally, the CARES Act specifically provides the authorization for $349 billion for the SBA 7(a) program through December 31, 2020. 

SBA disaster loan program (updated for CARES Act) highlights


General
The US Small Business Administration is offering designated states and territories low-interest federal disaster loans for working capital to small businesses suffering substantial economic injury as a result of the coronavirus and COVID-19.

Eligibility 
Industry may be subject to different standards, but the general rule of thumb is that the SBA defines most small businesses as having less than 500 people, both calculated on a standalone basis and together with its affiliates (see PPP below for more information). A company’s average annual sales may also be used for the small business designation. 

Historically, businesses that are not eligible for this program included casinos, charitable organizations, religious organizations, agricultural enterprises and real estate developers that are primarily involved in subdividing real property into lots and developing it for resale for themselves (other real estate entities may apply, such as landlords). 

However, the CARES Act expanded eligibility to include (i) any individual operating as a sole proprietor or independent contractor; (ii) private non-profits and (iii) Tribal businesses, cooperatives and ESOPs with fewer than 500 employees during January 31, 2020 to December 31, 2020.

If the entity has bad credit or has defaulted on a prior SBA loan, the entity is not eligible. The CARES Act removed the credit elsewhere requirement (i.e., previously if the business had credit available through another source, such as a line of credit, it was ineligible). 

Basic terms

  • Loan amount
    The lesser of $2 million or an amount determined that that borrower can repay (i.e., underwriting requirement).
  • Maximum term
    Up to 30 years and all payments on these loans will be deferred for 12 months from disbursement date. Interest will accrue.
  • Interest rate
    3.75% for for-profit business and 2.75% for a non-profit entity.
  • Collateral
    Loans for under $25,000 do not require collateral.  Any person with an interest in the company worth 20% or more must be a guarantor; however the CARES Act eliminates the guaranty requirement on advances and loans under $200,000. 
  • Use of proceeds
    Loan proceeds may be used to pay fixed debts (including short-term notes and balloon payments that are due within the next 12 months), payroll, accounts payable, and other bills the borrower would have to pay that but for the disaster would have been paid, such as mortgage payments. Landlords and other passive entities are eligible. Agriculture-related entities are eligible, but farmers are not. Borrowers must maintain proof of how the loan proceeds were used for three years from the date of disbursement. Borrowers cannot use the proceeds to expand their business, buy assets, make repairs to real estate or refinance long-term debt. 
  • Forgiveness
    No forgiveness provision.

Applying
Loan applications are available here

Length of time for funding
Upon submittal of a completed application, it can take 18-21 days to be approved and another four to five business days for funding. However, the SBA has never dealt with this much volume so expect delays.  

If funding is needed immediately, contact any SBA partnering non-profit lender and request an SBA microloan up to $50,000 or contact a commercial lending partner to see if they offer SBA express loans up to $1,000,000 (CARES Act increases this from $350,000 to $1,000,000) and/or SBA 7(a) loans up to $5 million. The 7(a) loans are typically processed within 30 days, while microloans and express loans are processed even more quickly. 

The CARES Act has also established an emergency grant to allow eligible entities who have applied for a disaster loan because of COVID-19 to request an advance of up to $10,000 on that loan. The SBA is to distribute the advance within three days. 

This advance does not need to be repaid, even if the applicant is denied a Disaster Loan. ($10,000,000,000 is appropriated for this program and funds will be distributed on a first come, first served basis). An applicant must self-certify that it is an eligible entity prior to receiving such an advance. Advances may be used for providing sick leave to employees, maintaining payroll, meeting increased costs to obtain materials, rent or mortgage payments, and payment of business obligations that cannot be paid due to loss of revenues. Applicants must apply directly with the SBA for this program.

Other considerations
Each company should review any current loan obligations and confirm that it does not include a provision forbidding that applicant from acquiring additional debt. If the document does, the applicant will want to discuss a waiver of that provision with its current lender. The lender should be amenable to this waiver and the applicant will want the waiver verified in writing. The lender should be amenable because the SBA disaster loan can be used to satisfy monthly debt obligations and any collateral taken by the SBA would be subordinate, if the same collateral secures the lender’s loan.

Under the CARES Act, Congress has also directed the SBA to use funds to make principal and interest payments, along with associated fees that may be owed on an existing SBA 7(a), 504 or micro-loan program covered loan, for a period of six months from the next payment due date. Any loan that may currently be on deferment will receive the six months of covered payments once the deferral period has ended. This provision will also cover loans that are made up to six months after the enactment of the CARES Act. If the loan maturity date conflicts with benefiting from this amendment, the lender can extend the maturity date of the loan. 

Newly enacted Paycheck Protection Program (PPP)


General
This new program will be offered with a 100% SBA guaranty through December 31, 2020, to lenders, after which the guaranty percentage will return to 75% for loans above $150,000 and 85% for loans below that amount. 

Eligibility 
A business, including a qualifying nonprofit organization, that was in operation on February 15, 2020, and either had employees for whom it paid salaries and payroll taxes or paid independent contractors, is eligible for PPP loans if it (a) meets the applicable North American Industry Classification System (NAICS) Code-based size standard or other applicable 7(a) loan size standard, both alone and together with its affiliates; or (b) has an employee headcount that is lower than the greater of (i) 500 employees or (ii) the employee size standard, if any, under the applicable NAICS Code. 

Businesses that fall within NAICS Code 72, which applies to accommodations and food services, are also eligible if they employ no more than 500 people per physical location. Sole proprietorships, independent contractors, and self-employed individuals are also eligible. It is unclear as of what date the size test will be applied, but historically, SBA size tests have been applied on the date of application for financing. More information on the NAICS-Code-based size standards can be found here

Borrowers are required to provide a good faith certification that the loan is necessary due to economic conditions brought about because of COVID-19 and that the borrower will use the funds to retain workers, maintain payroll and pay utilities, lease and/or mortgage payments.

The credit elsewhere test is waived under this program. 

Lenders shall base their underwriting on whether a business was operational on February 15, 2020, and had employees for whom it was responsible for or paid for services from an independent contractor. The legislation has directed lenders not to base their determinations on repayment ability at the present time because of the effects of COVID-19.

Applicants for SBA loan programs, including PPP loans, typically must include their affiliates when applying size tests to determine eligibility. That means that employees of other businesses under common control would count toward the maximum number of permitted employees. A business that is controlled by a private equity sponsor would likely be deemed an affiliate of the other businesses controlled by that sponsor and could thus be ineligible for PPP loans. However, the CARES Act waives the affiliation requirement for the following applicants:  

  1. Businesses within NAICS Code 72 with no more than 500 employees
  2. Franchises with codes assigned by the SBA, as reflected on the SBA franchise registry
  3. Businesses that receive financial assistance from one or more small business investment companies (SBIC) 

Basic terms

  • Loan amount
    Lesser of $10 million or 2.5 times the applicant’s average monthly payroll costs of the business over the year prior to the making of the loan (practically, this may become the year prior to the loan application), excluding the prorated portion of any annual compensation above $100,000 for any person. Note that under the CARES Act, “payroll costs” include vacation, parental, family, medical, and sick leave; allowances for dismissal or separation; payments for group health care benefits, including insurance premiums; and retirement benefits. Calculations vary slightly for seasonal businesses and businesses that were not in operation between February 15 and June 30, 2019. To the extent that a SBA Disaster Loan was used for a purpose other than those permitted for PPP Loans, the Disaster Loans may be refinanced with proceeds of PPP loans, in which case the maximum available PPP loan amount is increased by the amount of the Disaster Loans being refinanced. 
  • Maximum term
    Payments will be deferred for a minimum of 6 months and a maximum of 12. SBA is directed to issue guidance on the terms of this deferral. Any portion of the PPP loan that is not forgiven (see below) on or before December 31, 2020, shall automatically be a term loan for a maximum of 10 years. For PPP loans, the SBA has waived prepayment penalties.
  • Fees
    SBA will waive the guaranty fee and annual fee applicable to other 7(a) loans. 
  • Interest rate
    Maximum rate of 4%.
  • Collateral
    The standard requirements of collateral and a personal guaranty are waived under this program. Accordingly, there will be no recourse to owners or borrowers for nonpayment, except to the extent proceeds are used for an unauthorized purpose.
  • Use of proceeds
    This loan can be used for: (i) payroll support, excluding the prorated portion of any compensation above $100,000 per year for any person; (ii) group healthcare benefits costs and insurance premiums; (iii) mortgage interest (but not prepayments or principal payments) and rent payments incurred in the ordinary course of business, and (iv) utility payments. 
  • Forgiveness
    A borrower will be eligible for loan forgiveness related to a PPP loan in an amount equal to 8 weeks of payroll costs, and the interest on mortgage payments (not principal) made in the ordinary course of business, rent payments, or utility payments so long as all payments were obligations of the borrower prior to February 15, 2020. Payroll costs are limited to compensation for a single employee to be no more than $100,000 in wages and the amount of forgiveness cannot exceed the principal loan amount. 

    The amount of loan forgiveness will be reduced proportionally by any reduction in the borrower’s workforce, based on the full-time equivalent employees versus the period from either February 15, 2019, through June 30, 2019, or January 1, 2020, through February 29, 2020, as selected by the borrower, or a reduction of more than 25% of any employee’s compensation, measured against the most recent full quarter. If a borrower has already had to lay off employees due to COVID-19, employers are encouraged to rehire them by not being penalized for having a reduced payroll at the beginning of the covered period, which means the initial 8 week period after the loan’s origination date. 

    Accordingly, reductions in the number of employees or compensation occurring between February 15, 2020, and 30 days after enactment of the CARES Act will generally be ignored to the extent reversed by June 30, 2020. Any additional wages that may be paid to tipped workers are also covered in the calculation of payroll forgiveness. Borrowers must keep accurate records and document their payments because lenders will need to verify the payments to allow for loan forgiveness. Borrowers will not have to include any forgiven indebtedness as taxable income. 

Applying
A company needs to apply on or before June 30, 2020, with a lender who is currently approved as a 7(a) lender or who is approved by the SBA and the Treasury Department to become a PPP lender. PPP lenders have delegated authority to make and approve PPP loan, with no additional SBA approval required. 

There are certain portions of the CARES Act that require SBA to provide further guidance so there may be some slight changes to the rules and procedures as best practices present themselves. 

We recommend contacting existing 7(a) lenders as soon as possible to learn what you will need to provide for underwriting and approving a PPP loan. 

We are here to help
Please contact a BerryDunn professional if you have any questions, or would like to discuss your specific situation.

Blog
Impact of CARES Act on SBA loans

On March 27, 2020, President Trump signed into law the Coronavirus Aid, Relief and Economic Security (CARES) Act, which provides relief to taxpayers affected by the novel coronavirus and COVID-19. The CARES Act is the third round of federal government aid related to COVID-19. We have summarized the top provisions in the new legislation below, with more detailed alerts on individual provisions to follow. Click here for a link to the full text of the bill.

Compensation, benefits, and payroll relief
The law temporarily increases the amount of and expands eligibility for unemployment benefits, and it provides relief for workers who are self-employed. Additionally, several provisions assist certain employers who keep employees on payroll even though the employees are not able or needed to work. 

The cornerstone of the payroll protection aid is a streamlined application process for SBA loans that can be forgiven if an eligible employer maintains its workforce at certain levels. 

Additionally, certain employers affected by the pandemic who retain their employees will receive a credit against payroll taxes for 50% of eligible employee wages paid or incurred from March 13 to December 31, 2020. This employee retention credit would be provided for as much as $10,000 of qualifying wages, including health benefits. Eligible employers may defer remitting employer payroll tax payments that remain due for 2020 (after the credits are deducted), with half being due by December 31, 2021, and the balance due by December 31, 2022. 

Employers with fewer than 500 employees are also allowed to give terminated employees access to the mandated paid federal sick and child care leave benefits for which the employer is 100% reimbursed by the government through payroll tax credits, if the employer rehires the qualifying employees.

Any benefit that is driven off the definition of “employee” raises the issue of partner versus employee. The profits interest member that is receiving a W-2 may not be eligible for inclusion in the various benefit computations.

Eligible individuals can withdraw vested amounts up to $100,000 during 2020 without a 10% early distribution penalty, and income inclusion can be spread over three years. Repayment of distributions during the next three years will be treated as tax-free rollovers of the distribution. The bill also makes it easier to borrow money from 401(k) accounts, raising the limit to $100,000 from $50,000 for the first 180 days after enactment, and the payment dates for any loans due the rest of 2020 would be extended for a year.

Individuals do not have to take their 2020 required minimum distributions from their retirement funds. This avoids lost earnings power on the taxes due on distributions and maximizes the potential gain as the market recovers.

Two long-awaited provisions allow employers to assist employees with college loan debt through tax free payments up to $5,250 and restores over-the-counter medical supplies as permissible expenses that can be reimbursed through health care flexible spending accounts and health care savings accounts.

Deferral of net business losses for three years
Section 461(l) limits non-corporate taxpayers in their use of net business losses to offset other sources of income. As enacted in 2017, this limitation was effective for taxable years beginning after 2017 and before 2026, and applied after the basis, at-risk, and passive activity loss limitations. The amount of deductible net business losses is limited to $500,000 for married taxpayers filing a joint return and $250,000 for all other taxpayers. These amounts are indexed for inflation after 2018 (to $518,000 and $259,000, respectively, in 2020). Excess business losses are carried forward to the next succeeding taxable year and treated as a net operating loss in that year.

The CARES Act defers the effective date of Section 461(l) for three years, but also makes important technical corrections that will become effective when the limitation on excess business losses once again becomes applicable. Accordingly, net business losses from 2018, 2019, or 2020 may offset other sources of income, provided they are not otherwise limited by other provisions that remain in the Code. Beginning in 2021, the application of this limitation is clarified with respect to the treatment of wages and related deductions from employment, coordination with deductions under Section 172 (for net operating losses) or Section 199A (relating to qualified business income), and the treatment of business capital gains and losses.

Section 163(j) amended for taxable years beginning in 2019 and 2020
The CARES Act amends Section 163(j) solely for taxable years beginning in 2019 and 2020. With the exception of partnerships, and solely for taxable years beginning in 2019 and 2020, taxpayers may deduct business interest expense up to 50% of their adjusted taxable income (ATI), an increase from 30% of ATI under the TCJA, unless an election is made to use the lower limitation for any taxable year. Additionally, for any taxable year beginning in 2020, the taxpayer may elect to use its 2019 ATI for purposes of computing its 2020 Section 163(j) limitation. 

This will benefit taxpayers who may be facing reduced 2020 earnings as a result of the business implications of COVID-19. As such, taxpayers should be mindful of elections on their 2019 return that could impact their 2019 and 2020 business interest expense deduction. With respect to partnerships, the increased Section 163(j) limit from 30% to 50% of ATI only applies to taxable years beginning in 2020. However, in the case of any excess business interest expense allocated from a partnership for any taxable year beginning in 2019, 50% of such excess business interest expense is treated as not subject to the Section 163(j) limitation and is fully deductible by the partner in 2020. The remaining 50% of such excess business interest expense shall be subject to the limitations in the same manner as any other excess business interest expense so allocated. Each partner has the ability, under regulations to be prescribed by Treasury, to elect to have this special rule not applied. No rules are provided for application of this rule in the context of tiered partnership structures.

Net operating losses carryback allowed for taxable years beginning in 2018 and before 2021
The CARES Act provides for an elective five-year carryback of net operating losses (NOLs) generated in taxable years beginning after December 31, 2017, and before January 1, 2021. Taxpayers may elect to relinquish the entire five-year carryback period with respect to a particular year’s NOL, with the election being irrevocable once made. In addition, the 80% limitation on NOL deductions arising in taxable years beginning after December 31, 2017, has temporarily been pushed to taxable years beginning after December 31, 2020. 

Several ambiguities in the application of Section 172 arising as a result of drafting errors in the Tax Cuts and Jobs Act have also been corrected. As certain benefits (i.e., charitable contributions, Section 250 “GILTI” deductions, etc.) may be impacted by an adjustment to taxable income, and therefore reduce the effective value of any NOL deduction, taxpayers will have to determine whether to elect to forego the carryback. Moreover, the bill provides for two special rules for NOL carrybacks to years in which the taxpayer included income from its foreign subsidiaries under Section 965. Please consider the impact of this interaction with your international tax advisors. 

However, given the potential offset to income taxed under a 35% federal rate, and the uncertainty regarding the long-term impact of the COVID-19 crisis on future earnings, it seems likely that most companies will take advantage of the revisions. This is a technical point, but while the highest average federal rate was 35% before 2018, the highest marginal tax rate was 38.333% for taxable amounts between $15 million and $18.33 million. This was put in place as part of our progressive tax system to eliminate earlier benefits of the 34% tax rate. Companies may wish to revisit their tax accounting methodologies to defer income and accelerate deductions in order to maximize their current year losses to increase their NOL carrybacks to earlier years.

Alternative minimum tax credit refunds
The CARES Act allows the refundable alternative minimum tax credit to be completely refunded for taxable years beginning after December 31, 2018, or by election, taxable years beginning after December 31, 2017. Under the Tax Cuts and Jobs Act, the credit was refundable over a series of years with the remainder recoverable in 2021.

Technical correction to qualified improvement property
The CARES Act contains a technical correction to a drafting error in the Tax Cuts and Jobs Act that required qualified improvement property (QIP) to be depreciated over 39 years, rendering such property ineligible for bonus depreciation. With the technical correction applying retroactively to 2018, QIP is now 15-year property and eligible for 100% bonus depreciation. This will provide immediate current cash flow benefits and relief to taxpayers, especially those in the retail, restaurant, and hospitality industries. Taxpayers that placed QIP into service in 2019 can claim 100% bonus depreciation prospectively on their 2019 return and should consider whether they can file Form 4464 to quickly recover overpayments of 2019 estimated taxes. Taxpayers that placed QIP in service in 2018 and that filed their 2018 federal income tax return treating the assets as bonus-ineligible 39-year property should consider amending that return to treat such assets as bonus-eligible. For C corporations, in particular, claiming the bonus depreciation on an amended return can potentially generate NOLs that can be carried back five years under the new NOL provisions of the CARES Act to taxable years before 2018 when the tax rates were 35%, even though the carryback losses were generated in years when the tax rate was 21%. With the taxable income limit under Section 172(a) being removed, an NOL can fully offset income to generate the maximum cash refund for taxpayers that need immediate cash. Alternatively, in lieu of amending the 2018 return, taxpayers may file an automatic Form 3115, Application for Change in Accounting Method, with the 2019 return to take advantage of the new favorable treatment and claim the missed depreciation as a favorable Section 481(a) adjustment.

Effects of the CARES Act at the state and local levels
As with the Tax Cuts and Jobs Act, the tax implications of the CARES Act at the state level first depends on whether a state is a “rolling” Internal Revenue Code (IRC) conformity state or follows “fixed-date” conformity. For example, with respect to the modifications to Section 163(j), rolling states will automatically conform, unless they specifically decouple (but separate state ATI calculations will still be necessary). However, fixed-date conformity states will have to update their conformity dates to conform to the Section 163(j) modifications. 

A number of states have already updated during their current legislative sessions (e.g., Idaho, Indiana, Maine, Virginia, and West Virginia). Nonetheless, even if a state has updated, the effective date of the update may not apply to changes to the IRC enacted after January 1, 2020 (e.g., Arizona). 

A number of other states have either expressly decoupled from Section 163(j) or conform to an earlier version and will not follow the CARES Act changes (e.g., California, Connecticut, Georgia, Missouri, South Carolina, Tennessee (starting in 2020), Wisconsin). Similar considerations will apply to the NOL modifications for states that adopted the 80% limitation, and most states do not allow carrybacks. Likewise, in fixed-dated conformity states that do not update, the Section 461(l) limitation will still apply resulting in a separate state NOL for those states. 

These conformity questions add another layer of complexity to applying the tax provisions of the CARES Act at the state level. Further, once the COVID-19 crisis is past, rolling IRC conformity states must be monitored, as these states could decouple from these CARES Act provisions for purposes of state revenue.

2020 recovery refund checks for individuals
The CARES Act provides eligible individuals with a refund check equal to $1,200 ($2,400 for joint filers) plus $500 per qualifying child. The refund begins to phase out if the individual’s adjusted gross income (AGI) exceeds $75,000 ($150,000 for joint filers and $112,500 for head of household filers). The credit is completely phased out for individuals with no qualifying children if their AGI exceeds $99,000 ($198,000 for joint filers and $136,500 for head of household filers).

Eligible individuals do not include nonresident aliens, individuals who may be claimed as a dependent on another person’s return, estates, or trusts. Eligible individuals and qualifying children must all have a valid social security number. For married taxpayers who filed jointly with their most recent tax filings (2018 or 2019) but will file separately in 2020, each spouse will be deemed to have received one half of the credit.

A qualifying child (i) is a child, stepchild, eligible foster child, brother, sister, stepbrother, or stepsister, or a descendent of any of them, (ii) under age 17, (iii) who has not provided more than half of their own support, (iv) who has lived with the taxpayer for more than half of the year, and (v) who has not filed a joint return (other than only for a claim for refund) with the individual’s spouse for the taxable year beginning in the calendar year in which the taxable year of the taxpayer begins.

The refund is determined based on the taxpayer’s 2020 income tax return but is advanced to taxpayers based on their 2018 or 2019 tax return, as appropriate. If an eligible individual’s 2020 income is higher than the 2018 or 2019 income used to determine the rebate payment, the eligible individual will not be required to pay back any excess rebate. However, if the eligible individual’s 2020 income is lower than the 2018 or 2019 income used to determine the rebate payment such that the individual should have received a larger rebate, the eligible individual will be able to claim an additional credit generally equal to the difference of what was refunded and any additional eligible amount when they file their 2020 income tax return.

Individuals who have not filed a tax return in 2018 or 2019 may still receive an automatic advance based on their social security benefit statements (Form SSA-1099) or social security equivalent benefit statement (Form RRB-1099). Other individuals may be required to file a return to receive any benefits.

The CARES Act provides that the IRS will make automatic payments to individuals who have previously filed their income tax returns electronically, using direct deposit banking information provided on a return any time after January 1, 2018.

Charitable contributions

  • Above-the-line deductions: Under the CARES Act, an eligible individual may take a qualified charitable contribution deduction of up to $300 against their AGI in 2020. An eligible individual is any individual taxpayer who does not elect to itemize his or her deductions. A qualified charitable contribution is a charitable contribution (i) made in cash, (ii) for which a charitable contribution deduction is otherwise allowed, and (iii) that is made to certain publicly supported charities.

    This above-the-line charitable deduction may not be used to make contributions to a non-operating private foundation or to a donor advised fund.
  • Modification of limitations on cash contributions: Currently, individuals who make cash contributions to publicly supported charities are permitted a charitable contribution deduction of up to 60% of their AGI. Any such contributions in excess of the 60% AGI limitation may be carried forward as a charitable contribution in each of the five succeeding years.

    The CARES Act temporarily suspends the AGI limitation for qualifying cash contributions, instead permitting individual taxpayers to take a charitable contribution deduction for qualifying cash contributions made in 2020 to the extent such contributions do not exceed the excess of the individual’s contribution base over the amount of all other charitable contributions allowed as a deduction for the contribution year. Any excess is carried forward as a charitable contribution in each of the succeeding five years. Taxpayers wishing to take advantage of this provision must make an affirmative election on their 2020 income tax return.

    This provision is useful to taxpayers who elect to itemize their deductions in 2020 and make cash contributions to certain public charities. As with the aforementioned above-the-line deduction, contributions to non-operating private foundations or donor advised funds are not eligible.

    For corporations, the CARES Act temporarily increases the limitation on the deductibility of cash charitable contributions during 2020 from 10% to 25% of the taxpayer’s taxable income. The CARES Act also increases the limitation on deductions for contributions of food inventory from 15% to 25%.

We are here to help
Please contact a BerryDunn professional if you have any questions, or would like to discuss your specific situation.

Blog
The CARES Act: Implications for businesses

On March 18, 2020, the SBA issued relaxed criteria for Economic Injury Disaster Loans (EIDLs).

The two immediate impacts:

  • States are now only required to certify that a minimum of five small businesses within the state/territory have suffered significant economic injury, as opposed to proof of five small businesses within each reporting county/parish.
  • Prior regulation only made disaster assistance loans available to small businesses within counties declared disaster areas by a governor. Relaxed standards state the EIDLs will be available statewide following an economic injury declaration. This applies to current and future disaster declarations related to COVID-19.

Some SBA loan specifics:

  • EIDL amounts range from $25,000 to $2,000,000, at interest rates of 3.75% for small businesses and 2.75% for not-for-profits.
  • Companies can use the loans to pay bills that can’t be paid due to the disaster’s impact, including but not limited to fixed debts, payroll, and accounts payable.
  • Loan terms are determined on a case-by-case basis, based on the borrower’s ability to repay. SBA is offering repayment terms up to a maximum of 30 years.
  • EIDLs are one facet of an expanded and coordinated federal government response.

Small businesses in need of economic assistance may apply for an EIDL here. We will update as more information becomes available.

If you have questions about SBA loans, please contact your BerryDunn tax consultant
 

Blog
Small Business Administration (SBA) eases criteria for disaster loans

In early March 2020, the US Department of Education (ED) issued a Dear Colleague Letter, “Guidance for interruptions of study related to Coronavirus (COVID-19),” posting a subsequent update March 20 to include the document “Frequently Asked Questions Related to COVID-19.” The information below has been excerpted directly from the letter and compiled with the needs of our higher education clients in mind.

This electronic announcement addresses concerns regarding how higher education leaders should comply with Title IV, Higher Education Act (HEA) policies for students whose activities are impacted by the coronavirus and COVID-19:

  • Either directly because the student is ill or quarantined, or 
  • Indirectly because the student was recalled from travel-abroad experiences, can no longer participate in internships or clinical rotations, or attends a campus that has temporarily suspended operations.

This information provides some flexibility for schools working to help students complete the term in which they are currently enrolled. Some of the most important changes to note:

  • Federal Work Study (FWS)
    For students enrolled and performing FWS at a campus that must close due to COVID-19, or for a FWS student who works for an employer that closes as a result of COVID-19, the institution may continue paying the student federal work-study wages during that closure if it occurred after the beginning of the term, the institution is continuing to pay its other employees (including faculty and staff), and the institution continues to meet its institutional wage share requirement.
  • Length of academic year
    If at any point an institution determines it will close as the result of a campus health emergency, it may contact the school participation team to request a temporary reduction in the length of its academic year.
  • Professional judgement
    Financial aid administrators (FAA) have statutory authority to use professional judgement to make adjustments on a case-by-case basis to the cost of attendance or to the data elements used in calculating the EFC to reflect a student’s special circumstances. The use of professional judgement where students and/or their families have been affected by COVID-19 is permitted, such as in the case where an employer closes for a period of time as a result of COVID-19. 
  • Reentering the same payment period
    If an institution that has closed subsequently re-opens during the same payment period or period of enrollment, and permits students to continue coursework that they were taking at the time of the closure, students that return to class at that time are considered to have reentered the same period and retain eligibility for Title IV aid that they were otherwise eligible to receive before the closure.

We highly recommend you read the full letter, as it outlines additional important details and includes recently added FAQ documents.

Questions? Please contact Renee Bishop, Sarah Belliveau, or Mark LaPrade. We’re here to help.

For further reading
Guidance for interruptions of study related to Coronavirus (COVID-19) 
FAQs
COVID-19 ("Coronavirus") Information and Resources for Schools and School Personnel
 

Blog
Guidance from the US Department of Education Dear Colleague Letter

The President signed The Families First Coronavirus Response Act (hereinafter the “Act”) into law on March 18th and the provisions are effective April 2nd. You can read the congressional summary here. There are two provisions of the Act that deal with paid leave provisions for employees. Here are some highlights for employers.

The provisions of the Act are only required for employers with fewer than 500 employees. Employers with over 499 employees are not required to provide the sick/family leave contained in the Act, but could voluntarily elect to follow the new rules. The expectation is that employers with over 499 employees are providing some level of sick/family leave benefits already. In any case, employers with over 499 employees are not eligible for the tax credits. 

Employers with fewer than 500 employees are required to provide employees with up to 80 hours of paid sick leave over a two-week period if the employee:

  • Self-isolates because of a diagnosis with COVID-19, or to comply with a recommendation or order to quarantine;
  • Obtains a medical diagnosis or care if the employee is experiencing COVID-19 symptoms;
  • Needs to care for a family member who is self-isolating due to a COVID-19 diagnosis or quarantining due to COVID-19 symptoms; or
  • Is caring for a child whose school has closed, or childcare provider is unavailable, due to COVID-19.

These rules apply to all employees regardless of the length of time they have worked for the employer. The 80-hours would be pro-rated for those employees who do not normally work a 40-hour week. 

Employees who take leave because they themselves are sick (i.e., the first two bullets above) can receive up to $511 per day, with an aggregate limit of $5,110. If, on the other hand, an employee takes leave to care for a child or other family member (i.e., the last two bullets above), the employee will be paid two-thirds (2/3) of their regular weekly wages up to a maximum of $200 per day, with an aggregate limit of $2,000.

Days when an individual receives pay from their employer (regular wages, sick pay, or other paid time off) or unemployment compensation do not count as leave days for the purposes of this benefit.

Family and Medical Leave Act

Employees who have been employed for at least 30-days also have the right to take up to 12 weeks of job-protected leave under the Family and Medical Leave Act (FMLA). The Act requires that 10 of these 12 weeks (i.e., after the sick leave discussed above is taken) be paid at a rate of no less than two-thirds of the employee’s usual rate of pay. Any leave taken under this portion of the ACT will be limited to $200 per day with an aggregate limit of $10,000.

Exemptions

The Secretary of Labor has the authority to issue regulations exempting: (1) certain healthcare providers and emergency responders from taking leave under the Act; and (2) small businesses with fewer than 50 employees from the requirements of the Act if it would jeopardize the viability of the business.

Expiration

The provisions of the Act are set to expire on December 31, 2020, and unused time will not carry over from one year to the next.

Tax credits 

The Act provides for refundable tax credits to help an employer cover the costs associated with providing paid emergency sick leave or paid FMLA. The tax credits work as follows:

  • A refundable tax credit for employers equal to 100 percent of qualified family leave wages paid under the Act.
  • A refundable tax credit for employers equal to 100 percent of qualified paid sick leave wages paid under the Act. 
  • The tax credits are taken on Form 941 – Employer’s Quarterly Federal Income Tax Return filed for the calendar quarter when the leave is taken and reduce the employer’s portion of the Social Security taxes due. If the credit exceeds the employer’s total liability for Social Security taxes for all employees for any calendar quarter, the excess credit is refundable to the employer.

For more information

We are here to help. Please contact our benefit plan consultants if you have any questions or would like to discuss your specific situation. 

Blog
Highlights of the recently passed paid sick and family leave act: What you need to know

Editor’s note: Please read this if you are a not-for-profit board member, CFO, or any other decision maker within a not-for-profit.

In a time where not-for-profit (NFP) organizations struggle with limited resources and a small back office, it is important not to overlook internal audit procedures. Over the years, internal audit departments have been one of the first to be cut when budgets are tight. However, limited resources make these procedures all the more important in safeguarding the organization’s assets. Taking the time to perform strategic internal audit procedures can identify fraud, promote ethical behavior, help to monitor compliance, and identify inefficiencies. All of these lead to a more sustainable, ethical, and efficient organization. 

Internal audit approaches

The internal audit function can take on many different forms, depending on the size of the organization. There are options between the dedicated internal audit department and doing nothing whatsoever. For example:

  • A hybrid approach, where specific procedures are performed by an internal team, with other procedures outsourced. 
  • An ad hoc approach, where the board or management directs the work of a staff member.

The hybrid approach will allow the organization to hire specialists for more technical tasks, such as an in-depth financial analysis or IT risk assessment. It also recognizes internal staff may be best suited to handle certain internal audit functions within their scope of work or breadth of knowledge. This may add costs but allows you to perform these functions otherwise outside of your capacity without adding significant burden to staff. 

The ad hoc approach allows you to begin the work of internal audit, even on a small scale, without the startup time required in outsourcing the work. This approach utilizes internal staff for all functions directed by the board or management. This leads to the ad-hoc approach being more budget friendly as external consultants don’t need to be hired, though you will have to be wary of over burdening your staff.

With proper objectivity and oversight, you can perform these functions internally. To bring the process to your organization, first find a champion for the project (CFO, controller, compliance officer, etc.) to free up staff time and resources in order to perform these tasks and to see the work through to the end. Other steps to take include:

  1. Get the audit/finance committee on board to help communicate the value of the internal audit and review results of the work
  2. Identify specific times of year when these processes are less intrusive and won’t tax staff 
  3. Get involved in the risk management process to help identify where internal audit can best address the most significant risks at the organization
  4. Leverage others who have had success with these processes to improve process and implementation
  5. Create a timeline and maintain accountability for reporting and follow up of corrective actions

Once you have taken these steps, the next thing to look at (for your internal audit process) is a thoughtful and thorough risk assessment. This is key, as the risk assessment will help guide and focus the internal audit work of the organization in regard to what functions to prioritize. Even a targeted risk assessment can help, and an organization of any size can walk through a few transaction cycles (gift receipts or payroll, for example) and identify a step or two in the process that can be strengthened to prevent fraud, waste, and abuse.  

Here are a few examples of internal audit projects we have helped clients with:

  • Payroll analysis—in-depth process mapping of the payroll cycle to identify areas for improvement
  • Health and education facilities performance audit—analysis of various program policies and procedures to optimize for compliance
  • Agreed upon procedures engagement—contract and invoice/timesheet information review to ensure proper contractor selection and compliant billing and invoicing procedures 

Internal audits for companies of all sizes

Regardless of size, your organization can benefit from internal audit functions. Embracing internal audit will help increase organizational resilience and the ability to adapt to change, whether your organization performs internal audit functions internally, outsources them, or a combination of the two. For more information about how your company can benefit from an internal audit, or if you have questions, contact us

Blog
Internal audit potential for not-for-profit organizations

Editor's note: read this if you are a CFO, controller, accountant, or business manager.

We auditors can be annoying, especially when we send multiple follow-up emails after being in the field for consecutive days. Over the years, we have worked with our clients to create best practices you can use to prepare for our arrival on site for year-end work. Time and time again these have proven to reduce follow-up requests and can help you and your organization get back to your day-to-day operations quickly. 

  1. Reconcile early and often to save time.
    Performing reconciliations to the general ledger for an entire year's worth of activity is a very time consuming process. Reconciling accounts on a monthly or quarterly basis will help identify potential variances or issues that need to be investigated; these potential variances and issues could be an underlying problem within the general ledger or control system that, if not addressed early, will require more time and resources at year-end. Accounts with significant activity (cash, accounts receivable, investments, fixed assets, accounts payable and accrued expenses and debt), should be reconciled on a monthly basis. Accounts with less activity (prepaids, other assets, accrued expenses, other liabilities and equity) can be reconciled on a different schedule.
  2. Scan the trial balance to avoid surprises.
    As auditors, one of the first procedures we perform is to scan the trial balance for year-over-year anomalies. This allows us to identify any significant irregularities that require immediate follow up. Does the year-over-year change make sense? Should this account be a debit balance or a credit balance? Are there any accounts with exactly the same balance as the prior year and should they have the same balance? By performing this task and answering these questions prior to year-end fieldwork, you will be able to reduce our follow up by providing explanations ahead of time or by making correcting entries in advance, if necessary. 
  3. Provide support to be proactive.
    On an annual basis, your organization may go through changes that will require you to provide us documented contractual support.  Such events may include new or a refinancing of debt, large fixed asset additions, new construction, renovations, or changes in ownership structure.  Gathering and providing the documentation for these events prior to fieldwork will help reduce auditor inquiries and will allow us to gain an understanding of the details of the transaction in advance of performing substantive audit procedures. 
  4. Utilize the schedule request to stay organized.
    Each member of your team should have a clear understanding of their role in preparing for year-end. Creating columns on the schedule request for responsibility, completion date and reviewer assigned will help maintain organization and help ensure all items are addressed and available prior to arrival of the audit team. 
  5. Be available to maximize efficiency. 
    It is important for key members of the team to be available during the scheduled time of the engagement.  Minimizing commitments outside of the audit engagement during on site fieldwork and having all year-end schedules prepared prior to our arrival will allow us to work more efficiently and effectively and help reduce follow up after fieldwork has been completed. 

Careful consideration and performance of these tasks will help your organization better prepare for the year-end audit engagement, reduce lingering auditor inquiries, and ultimately reduce the time your internal resources spend on the annual audit process. See you soon. 

Blog
Save time and effort—our list of tips to prepare for year-end reporting

Editor’s note: read this if you work for, or are affiliated with, a charitable organization that receives donations. Even the most mature nonprofit organizations may miss one of these filings once in a while. Some items (e.g., the donor acknowledgement letter) may feel commonplace, but a refresher—especially at a particularly busy time of the year as it pertains to giving—can fend off fines.

As the holiday season is now in full swing, the season of giving is also upon us. Perhaps not surprisingly, the month of December is by far the most charitable month of the year, accounting for almost one-third of all charitable gifts made annually. And with all that giving comes the requirement of charitable organizations to provide donor acknowledgements, a formal “thank you” of the gift being received. Different gifts require differing levels of acknowledgement, and in some cases an additional IRS form (or two) may need to be filed. Doing some work now may save you time (and a fine or two) later. 

While children are currently busy making lists for Santa Claus, in the spirit of giving we present to you our list of donor acknowledgement requirements―and best practices―to help you gain control of this issue for the holiday season and beyond.

Donor acknowledgement letters

Charitable (i.e., 501(c)(3)) organizations are required to provide a donor acknowledgement letter to each donor contributing $250 or more to the organization, whether it be cash or non-cash items (i.e., publicly traded securities, real estate, artwork, vehicles, etc.) received. The letter should include the following: 

  1. Name of the organization
  2. Amount of cash contribution
  3. Description of non-cash items (but not the value) 
  4. Statement that no goods and services were provided (assuming this is the case)
  5. Description and good faith estimate of the value of goods and services provided by the organization in return for the contribution, if any
  6. Statement that goods or services provided by the organization in return for the contribution consisted entirely of intangible religious benefit, if any

It is not necessary to include either the donor’s social security number or tax identification number on the written acknowledgment and as a best practice should not be included in the letter.

In addition to including the elements above, the written acknowledgement is also required to be contemporaneous, that is, sent out in a timely fashion. According to the IRS, a donor must receive the acknowledgment by the earlier of:

  • The date on which the donor actually files his or her individual federal income tax return for the year of the contribution
  • The due date (including extensions) of the return in order to be considered contemporaneous

Quid pro quo disclosure statements

When a donor makes a payment greater than $75 to a charitable organization partly as a contribution and partly as a payment for goods and services, a disclosure statement is required to notify the donor of the value of the goods and services received in order for the donor to determine the charitable contribution component of their payment.

An example of this would be if the organization sold tickets to its annual fundraising dinner event. Assume the ticket costs $100 and at the event the ticketholder receives a dinner valued at $40. In this example, the donor’s tax deduction may not exceed $60. Because the donor’s payment (quid pro quo contribution) exceeds $75, the charitable organization must furnish a disclosure statement to the donor, even though the deductible amount doesn’t exceed $75.

It’s important to note that there are some exclusions to these requirements if the value received is considered to be de minimis (known as the Token Exception), but the value received needs to be relatively small (ex: receiving a coffee mug with a picture of the organization’s logo on it). Please consult your tax advisor for more details.

If the organization does not issue disclosure statements, the IRS can issue penalties of $10 per contribution, not to exceed $5,000 per fundraising event or mailing. An organization may be able to avoid the penalty if reasonable cause can be demonstrated.

Receiving or selling donated noncash property? Forms 8283 & 8282 may be required.

If a charitable organization receives noncash donations, it may be asked to sign Form 8283. This form is required to be filed by the donor and included with their personal income tax return. If a donor contributes noncash property (excluding publicly traded securities) valued at over $5,000, the organization will need to sign Form 8283, Section B, Part IV acknowledging receipt of the noncash item(s) received.

By signing Form 8283, the donee organization is not only acknowledging receipt, but is also affirming that if the property being received is sold, exchanged, or otherwise disposed of within three years of the original donation date, the organization will be required to file Form 8282. A copy of this form is filed with the IRS and must also be provided to the original donor. Form 8282 is not required for sales of donated publicly traded securities. The penalty for failure to file Form 8282 when required is generally $50 per form.

Cars, boats, and yes, even airplanes? That would be Form 1098-C.

An airplane? Yes, even an airplane can be donated, and the donee organization must file a separate Form 1098-C, Contributions of Motor Vehicles, Boats, and Airplanes, with the IRS for each contribution of a qualified vehicle that has a claimed value of more than $500. Contemporaneous written acknowledgement requirements apply here too, and Form 1098-C can act as acknowledgement for this purpose. An acknowledgment is considered contemporaneous if it is furnished to the donor no later than 30 days after the date of the contribution if you plan to use the item for a mission-related purpose, or 30 days after the date of the sale of the item to an unrelated third party.

Penalties for failure to provide contemporaneous written acknowledgement for qualified vehicles can be pretty stiff, generally calculated as a percentage of the sale price if sold, or a percentage of the claimed value if not sold. Should you have any questions or receive a request regarding any of the forms noted above, please consult your tax advisor.

As you can see, the rules around donor acknowledgements can seem a lot like Grandma’s fruitcake―complex and perhaps a bit on the nutty side. When issuing donor acknowledgements this holiday season and beyond, be sure to review the list above and check it twice. Doing so may end up keeping you off of the IRS’s naughty list!

Blog
Donor acknowledgements: We have to file what?

A version of this article was previously published on the Massachusetts Nonprofit Network

Editor’s note: while this blog is not technical in nature, you should read it if you are involved in IT security, auditing, and management of organizations that may participate in strategic planning and business activities where considerations of compliance and controls is required.

As we find ourselves in a fast-moving, strong business growth environment, there is no better time to consider the controls needed to enhance your IT security as you implement new, high-demand technology and software to allow your organization to thrive and grow. Here are five risks you need to take care of if you want to build or maintain strong IT security.

1. Third-party risk management―It’s still your fault

We rely daily on our business partners and vendors to make the work we do happen. With a focus on IT, third-party vendors are a potential weak link in the information security chain and may expose your organization to risk. However, though a data breach may be the fault of a third-party, you are still responsible for it. Potential data breaches and exposure of customer information may occur, leaving you to explain to customers and clients answers and explanations you may not have. 

Though software as a service (SaaS) providers, along with other IT third-party services, have been around for well over a decade now, we still neglect our businesses by not considering and addressing third-party risk. These third-party providers likely store, maintain, and access company data, which could potentially contain personally identifiable information (names, social security numbers, dates of birth, addresses), financial information (credit cards or banking information), and healthcare information of your customers. 

While many of the third-party providers have comprehensive security programs in place to protect that sensitive information, a study in 2017 found that 30% of data breaches were caused by employee error or while under the control of third-party vendors.1  This study reemphasizes that when data leaves your control, it is at risk of exposure. 

In many cases, procurement and contracting policies likely have language in contracts that already establish requirements for third-parties related to IT security; however the enforcement of such requirements and awareness of what is written in the contract is not enforced or is collected, put in a file, and not reviewed. What can you do about it?

Improved vendor management

It is paramount that all organizations (no matter their size) have a comprehensive vendor management program that goes beyond contracting requirements in place to defend themselves against third-party risk which includes:

  1. An inventory of all third-parties used and their criticality and risk ranking. Criticality should be assigned using a “critical, high, medium or low” scoring matrix. 
  2. At time of onboarding or RFP, develop a standardized approach for evaluating if potential vendors have sufficient IT security controls in place. This may be done through an IT questionnaire, review of a Systems and Organization Controls (SOC report) or other audit/certifications, and/or policy review. Additional research may be conducted that focuses on management and the company’s financial stability. 
  3. As a result of the steps in #2, develop a vendor risk assessment using a high, medium and low scoring approach. Higher risk vendors should have specific concerns addressed in contracts and are subject to more in depth annual due diligence procedures. 
  4. Reporting to senior management and/or the board annually on the vendors used by the organization, the services they perform, their risk, and ways the organization monitors the vendors. 

2. Regulation and privacy laws―They are coming 

2018 saw the implementation of the European Union’s General Data Privacy Regulation (GDPR) which was the first major data privacy law pushed onto any organization that possesses, handles, or has access to any citizen of EU’s personal information. Enforcement has started and the Information Commissioner’s Office has begun fining some of the world’s most famous companies, including substantial fines to Marriott International and British Airways of $125 million and $183 million Euros, respectively.2  Gone are the days where regulations lacked the teeth to force companies into compliance. 

With thanks to other major data breaches where hundreds of millions’ consumers private information was lost or obtained (e.g., Experian), more regulation is coming. Although there is little expectation of an American federal requirement for data protection, individual states and other regulating organizations are introducing requirements. Each new regulation seeks to protect consumer privacy but the specifics and enforcement of each differ. 

Expected to be most impactful in 2019 is the California Consumer Privacy Act,  which applies to organizations that handle, collect, or process consumer information and do business in the state of California (you do not have to be located in CA to be under the umbrella of enforcement).

In 2018, Maine passed the toughest law on telecommunications providers for selling consumer information. Massachusetts’ long standing privacy and data breach laws were amended with stronger requirements in January of 2019. Additional privacy and breach laws are in discussion or on the table for many states including Colorado, Delaware, Ohio, Oregon, Ohio, Vermont, and Washington, amongst others.      

Preparation and awareness are key

All organizations, no matter your line of business must be aware of and understand current laws and proposed legislation. New laws are expected to not only address the protection of customer data, but also employee information. All organizations should monitor proposed legislation and be aware of the potential enforceable requirements. The good news is that there are a lot of resources out there and, in most cases, legislative requirements allow for grace periods to allow organizations to develop a complete understanding of proposed laws and implement needed controls. 

3. Data management―Time to cut through the clutter 

We all work with people who have thousands of emails in their inbox (in some cases, dating back several years). Those users’ biggest fears may start to come to fruition―that their “organizational” approach of not deleting anything may come to an end with a simple email and data retention policy put in place by their employer. 

The amount of data we generate in a day is massive. Forbes estimates that we generate 2.5 quintillion bytes of data each day and that 90% of all the world’s data was generated in the last two years alone.3 While data is a gold mine for analytics and market research, it is also an increasing liability and security risk. 

Inc. Magazine says that 73% of the data we have available to us is not used.4 Within that data could be personally identifiable information (such as social security numbers, names, addresses, etc.); financial information (bank accounts, credit cards etc.); and/or confidential business data. That data is valuable to hackers and corporate spies and in many cases data’s existence and location is unknown by the organizations that have it. 

In addition to the security risk that all this data poses, it also may expose an organization to liability in the event of a lawsuit of investigation. Emails and other communications are a favorite target of subpoenas and investigations and should be deleted within 90 days (including deleted items folders). 

Take an inventory before you act

Organizations should first complete a full data inventory and understand what types of data they maintain and handle, and where and how they store that data. Next, organizations can develop a data retention policy that meets their needs. Utilizing backup storage media may be a solution that helps reduce the need to store and maintain a large amount of data on internal systems. 

4. Doing the basics right―The simple things work 

Across industries and regardless of organization size, the most common problem we see is the absence of basic controls for IT security. Every organization, no matter their size, should work to ensure they have controls in place. Some must-haves:

  • Established IT security policies
  • Routine, monitored patch management practices (for all servers and workstations)
  • Change management controls (for both software and hardware changes)
  • Anti-virus/malware on all servers and workstations
  • Specific IT security risk assessments 
  • User access reviews
  • System logging and monitoring 
  • Employee security training

Go back to the basics 

We often see organizations that focus on new and emerging technologies, but have not taken the time to put basic security controls in place. Simple deterrents will help thwarting hackers. I often tell my clients a locked car scares away most ill-willed people, but a thief can still smash the window.  

Smaller organizations can consider using third-party security providers, if they are not able to implement basic IT security measures. From our experience, small organizations are being held to the same data security and privacy expectations by their customers as larger competitors and need to be able to provide assurance that controls are in place.  

5. Employee retention and training 

Unemployment rates are at an all-time low, and the demand for IT security experts at an all-time high. In fact, Monster.com reported that in 2019 the unemployment rate for IT security professionals is 0%.5 

Organizations should be highly focused on employee retention and training to keep current employees up-to-speed on technology and security trends. One study found that only 15% of IT security professionals were not looking to switch jobs within one year.6  

Surprisingly, money is not the top factor for turnover―68% of respondents prioritized working for a company that takes their opinions seriously.6 

For years we have told our clients they need to create and foster a culture of security from the top down, and that IT security must be considered more than just an overhead cost. It needs to align with overall business strategy and goals. Organizations need to create designated roles and responsibilities for security that provide your security personnel with a sense of direction―and the ability to truly protect the organization, their people, and the data. 

Training and support goes a long way

Offering training to security personnel allows them to stay abreast of current topics, but it also shows those employees you value their knowledge and the work they do. You need to train technology workers to be aware of new threats, and on techniques to best defend and protect from such risks. 

Reducing turnover rate of IT personnel is critical to IT security success. Continuously having to retrain and onboard employees is both costly and time-consuming. High turnover impacts your culture and also hampers your ability to grow and expand a security program. 

Making the effort to empower and train all employees is a powerful way to demonstrate your appreciation and support of the employees within your organization—and keep your data more secure.  

Our IT security consultants can help

Ensuring that you have a stable and established IT security program in place by considering the above risks will help your organization adapt to technology changes and create more than just an IT security program, but a culture of security minded employees. 

Our team of IT security and control experts can help your organization create and implement controls needed to consider emerging IT risks. For more information, contact the team
 

Sources:
[1] https://iapp.org/news/a/surprising-stats-on-third-party-vendor-risk-and-breach-likelihood/  
[2] https://resources.infosecinstitute.com/first-big-gdpr-fines/
[3] https://www.forbes.com/sites/bernardmarr/2018/05/21/how-much-data-do-we-create-every-day-the-mind-blowing-stats-everyone-should-read/#458b58860ba9
[4] https://www.inc.com/jeff-barrett/misusing-data-could-be-costing-your-business-heres-how.html
[5] https://www.monster.com/career-advice/article/tech-cybersecurity-zero-percent-unemployment-1016
[6] https://www.securitymagazine.com/articles/88833-what-will-improve-cyber-talent-retention

Blog
Five IT risks everyone should be aware of

Editor’s note: If you are a state government CFO, CIO, project or program manager, this blog is for you. 

This is the second blog post in the blog series: “Procuring Agile vs. Non-Agile Service”. Read the first blog. This blog post demonstrates the differences in Stage 1: Plan Project in the five stages of procuring agile vs. non-agile services.

Overview of Procurement Process for Agile vs. Non-Agile IT Services

What is important to consider in agile procurement?

Here are some questions that can help focus the planning for procurement of IT services for agile vs. non-agile projects.

Plan Project Considerations for Agile vs. Non-Agile IT Services

Why are these considerations important?

When you procure agile IT services, you can define the scope of your procurement around a vision of what your organization intends to become, as opposed to being restricted to an end-date for a final delivery.

In an agile project, you get results iteratively; this allows you to constantly reassess requirements throughout the project, including the project plan, the guiding principles, and the project schedule. Your planning is not restricted to considering the effect of one big result at the end of the project schedule. Instead, your plan allows for sequencing of changes and improvements that best reflect the outcomes and priorities your organization needs

Since planning impacts the people-aspect of your strategy, it is important to consider how various teams and stakeholders will provide input, and how you will make ongoing communication updates throughout the project. With an agile procurement project, your culture will shift, and you will need a different approach to planning, scheduling, communicating, and risk management. You need to communicate daily, allowing for reviewing and adjusting priorities and plans to meet project needs. 

How do you act on these considerations?

A successful procurement plan of agile IT services should include the following steps:

  1. Develop a project charter and guiding principles for the procurement that reflect a vision of how your organization’s teams will work together in the future
  2. Create a communication plan that includes the definition of project success and communicates project approach
  3. Be transparent about the development strategy, and outline how iterations are based on user needs, that features will be re-prioritized on an ongoing basis, and that users, customers, and stakeholders are needed to help define requirements and expected outcomes
  4. Provide agile training to your management, procurement, and program operation teams to help them accept and understand the project will present deliverables in iterations, to include needed features, functionality and working products
  5. Develop requirements for the scope of work that align with services and outcomes you want, rather than documented statements that merely map to your current processes 

What’s next? 

Now that you have gained insight into the approach to planning an agile project, consider how you may put this first stage into practice in your organization. Stay tuned for guidance on how to execute the second stage of the procurement process—how to draft the RFP. Our intention is that, following this series, your organization will better understand how to successfully procure and implement agile services. If you have questions or comments, please contact our team.
 

Blog
Plan agile projects: Stage 1

Read this if you are an Institutional Research (IR) Director, a Registrar, or are in the C-Suite.

In my last blog, I defined the what and the why of data governance, and outlined the value of data governance in higher education environments. I also asserted data isn’t the problem―the real culprit is our handling of the data (or rather, our deferral of data responsibility to others).

While I remain convinced that data isn’t the problem, recent experiences in the field have confirmed the fact that data governance is problematic. So much, in fact, that I believe data governance defies a “solid,” point-in-time solution. Discouraged? Don’t be. Just recalibrate your expectations, and pursue an adaptive strategy.

This starts with developing data governance guiding principles, with three initial points to consider: 

  1. Key stakeholders should develop your institution’s guiding principles. The team should include representatives from areas such as the office of the Registrar, Human Resources, Institutional Research, and other significant producers and consumers of institutional data. 
  2. The focus of your guiding principles must be on the strategic outcomes your institution is trying to achieve, and the information needed for data-driven decision-making.
  3. Specific guiding principles will vary from institution to institution; effective data governance requires both structure and flexibility.

Here are some baseline principles your institution may want to adopt and modify to suit your particular needs.

  • Data governance entails iterative processes, attention to measures and metrics, and ongoing effort. The institution’s governance framework should be transparent, practical, and agile. This ensures that governance is seen as beneficial to data management and not an impediment.
  • Governance is an enabler. The institution’s work should help accomplish objectives and solve problems aligned with strategic priorities.
  • Work with the big picture in mind. Start from the vantage point that data is an institutional asset. Without an institutional asset mentality it’s difficult to break down the silos that make data valuable to the organization.
  • The institution should identify data trustees and stewards that will lead the data governance efforts at your institution
    • Data trustees should have responsibility over data, and have the highest level of responsibility for custodianship of data.
    • Data stewards should act on behalf of data trustees, and be accountable for managing and maintaining data.
  • Data quality needs to be baked into the governance process. The institution should build data quality into every step of capture and entry. This will increase user confidence that there is data integrity. The institution should develop working agreements for sharing and accessing data across organizational lines. The institution should strive for processes and documentation that is consistent, manageable, and effective. This helps projects run smoothly, with consistent results every time.
  • The institution should pay attention to building security into the data usage cycle. An institution’s security measures and practices need to be inherent in the day-to-day management of data, and balanced with the working agreements mentioned above. This keeps data secure and protected for the entire organization.
  •  Agreed upon rules and guidelines should be developed to support a data governance structure and decision-making. The institution should define and use pragmatic approaches and practical plans that reward sustainability and collaboration, building a successful roadmap for the future. 

Next Steps

Are you curious about additional guiding principles? Contact me. In the meantime, keep your eyes peeled for a future blog that digs deeper into the roles of data trustees and stewards.
 

Blog
Governance: It's good for your data

Editor’s note: If you are a state government CFO, CIO, project or program manager, this blog is for you.

What is the difference in how government organizations procure agile vs. non-agile information technology (IT) services? (Learn more about agile here).

In each case, they typically follow five stages through the process as shown in Figure A:
 

Figure A: Overview of Procurement Process for Agile vs. Non-Agile IT Services

However, there are differences in how these stages are carried out if procuring agile vs. non-agile IT services. 

Unfortunately, most government organizations are unaware of these differences, which could result in unsuccessful procurements and ultimately not meeting your project’s needs and expectations. 
This blog series will illustrate how to strategically adjust the standard stages outlined in Figure A to successfully procure agile IT services.

Stage 1: Plan project
In Stage 1, you define the scope of the project by identifying what your organization wants, needs, and can achieve within the available timeframe and budget. You then determine the project’s objectives while strategically considering their impact on your organization before developing the RFP. Figure B summarizes the key differences between the impacts of agile vs. non-agile services to consider in this stage.


Figure B: Plan Project for Agile vs. Non-Agile IT Services

The nuances of planning for agile services reflect an organization’s readiness for a culture shift to a continuous process of development and deployment of software and system updates. 

Stage 2: Draft RFP
In Stage 2, as part of RFP drafting, define the necessary enhancements and functionality needed to achieve the project objectives determined in Stage 1. You then translate these enhancements and functionalities into business requirements. Requirement types might include business needs as functionality, services, staffing, deliverables, technology, and performance standards. Figure C summarizes the key differences between drafting the RFP for a project procuring agile vs. non-agile services.


Figure C: Draft RFP for Agile vs. Non-Agile IT Services

In drafting the RFP, the scope of work emphasizes expectations for how your team and the vendor team will work together, the terms of how progress will be monitored, and the description of requirements for agile tools and methods.

Stage 3: Issue RFP
In Stage 3, issue the RFP to the vendor community, answer vendor questions, post amendments, and manage the procurement schedule. Since this stage of the process requires you to comply with your organization’s purchasing and procurement rules, Figure D illustrates very little difference between issuing an RFP for a project procuring agile or non-agile services.


Figure D: Issue RFP for Agile vs. Non-Agile IT Services 

Stage 4: Review proposals
In Stage 4, you evaluate vendor proposals against the RFP’s requirements and project objectives to determine the best proposal response. Figure E summarizes the key differences in reviewing proposals for a project that is procuring agile vs. non-agile services.


Figure E: Reviewing Proposals for Agile vs. Non-Agile IT Services 

Having appropriate evaluation priorities and scoring weights that align with how agile services are delivered should not be under-emphasized. 

Stage 5: Award and implement contract
In Stage 5, you award and implement the contract with the best vendor proposal identified during Stage 4. Figure F summarizes the key differences in awarding and implementing the contract for agile vs. non-agile services.


Figure F:  Award and Implement Contract for Agile vs. Non-Agile Services 

Due to the iterative and interactive requirements of agile, it is necessary to have robust and frequent collaboration among program teams, executives, sponsors, and the vendor to succeed in your agile project delivery.

What’s next?
The blog posts in this series will explain step-by-step how to procure agile services through the five stages, and at the series conclusion, your organization will better understand how to successfully procure and implement agile services. If you have questions or comments, please contact our team.  

Blog
Procuring agile vs. non-agile projects in five stages: An overview

Who has the time or resources to keep tabs on everything that everyone in an organization does? No one. Therefore, you naturally need to trust (at least on a certain level) the actions and motives of various personnel. At the top of your “trust level” are privileged users—such as system and network administrators and developers—who keep vital systems, applications, and hardware up and running. Yet, according to the 2019 Centrify Privileged Access Management in the Modern Threatscape survey, 74% of data breaches occurred using privileged accounts. The survey also revealed that of the organizations responding:

  • 52% do not use password vaulting—password vaulting can help privileged users keep track of long, complex passwords for multiple accounts in an encrypted storage vault.
  • 65% still share the use of root and other privileged access—when the use of root accounts is required, users should invoke commands to inherent the privileges of the account (SUDO) without actually using the account. This ensures “who” used the account can be tracked.
  • Only 21% have implemented multi-factor authentication—the obvious benefit of multi-factor authentication is to enhance the security of authenticating users, but also in many sectors it is becoming a compliance requirement.
  • Only 47% have implemented complete auditing and monitoring—thorough auditing and monitoring is vital to securing privileged accounts.

So how does one even begin to trust privileged accounts in today’s environment? 

1. Start with an inventory

To best manage and monitor your privileged accounts, start by finding and cataloguing all assets (servers, applications, databases, network devices, etc.) within the organization. This will be beneficial in all areas of information security such as asset management, change control and software inventory tracking. Next, inventory all users of each asset and ensure that privileged user accounts:

  • Require privileges granted be based on roles and responsibilities
  • Require strong and complex passwords (exceeding those of normal users)
  • Have passwords that expire often (30 days recommended)
  • Implement multi-factor authentication
  • Are not shared with others and are not used for normal activity (the user of the privileged account should have a separate account for non-privileged or non-administrative activities)

If the account is only required for a service or application, disable the account’s ability to login from the server console and from across the network

2. Monitor—then monitor some more

The next step is to monitor the use of the identified privileged accounts. Enable event logging on all systems and aggregate to a log monitoring system or a Security Information and Event Management (SIEM) system that alerts in real time when privileged accounts are active. Configure the system to alert you when privileged accounts access sensitive data or alter database structure. Report any changes to device configurations, file structure, code, and executable programs. If these changes do not correlate to an approved change request, treat them as incidents and investigate.  

Consider software that analyzes user behavior and identifies deviations from normal activity. Privileged accounts that are accessing data or systems not part of their normal routine could be the indication of malicious activity or a database attack from a compromised privileged account. 

3. Secure the event logs

Finally, ensure that none of your privileged accounts have access to the logs being used for monitoring, nor have the ability to alter or delete those logs. In addition to real time monitoring and alerting, the log management system should have the ability to produce reports for periodic review by information security staff. The reports should also be archived for forensic purposes in the event of a breach or compromise.

Gain further assistance (and peace of mind) 

BerryDunn understands how privileged accounts should be monitored and audited. We can help your organization assess your current event management process and make recommendations if improvements are needed. Contact our team.

Blog
Trusting privileged accounts in the age of data breaches

Not-for-profit board members need to wear many hats for the organization they serve. Every board member begins their term with a different set of skills, often chosen specifically for those unique abilities. As board members, we often assist the organization in raising money and as such, it is important for all members of the board to be fluent in the language of fundraising. Here are some basic definitions you need to know, and the differences between them.

Gifts with donor restriction

While many organizations can use all donations for their operating costs, many donors prefer to specify how―or when―they can use the donation. Gift restrictions come in several forms:

1.    Purpose-restricted gifts are, as their name implies, for a specific use. These can be in response to a request from your organization for that specific purpose or the donor can indicate its purpose when they make the gift. Consider how you solicit gifts from donors to be sure you don’t inadvertently apply restrictions. Not all gifts need to (or even should) be accepted by an organization, so take care in considering if specific restrictions are in line with your mission. 

2.    Time-restricted gifts can come with or without a restricted purpose. You can treat gifts for future periods as revenue today, though the funds would be considered restricted for use until the time restrictions have lapsed. These are often in the form of pledges of gifts for the future, but can also be actual donations provided today for use in coming years.

3.    Some donors prefer the earnings of their gift be available for use, while their actual donation be held in perpetuity. These are often in the form of endowments and specific restrictions may or may not be placed by the donor on the endowment’s earnings. Laws can differ from state-to-state for the treatment of those earnings, but your investment policy should govern the spending from these earnings.

The bottom line? Restricted-purpose gifts must be used for that restricted purpose.

Gifts without restriction are always welcome by organizations. The board has the ability to direct the spending of these gifts, and may designate funds for a future purpose, but unlike gifts with donor restrictions, the board does have the discretion to change their own designations.

Whether raising money or reviewing financial information, understanding fundraising language is key for board members to make the most out of donations. See A CPA’s guide to starting a capital campaign and Accounting 101 for development directors blogs for more information. Have questions or want to learn more? Please contact Emily Parker or Sarah Belliveau.

Blog
The language of fundraising: A primer for NFP board members

Of all the changes that came with the sweeping Tax Cuts and Jobs Act (TCJA) in late 2017, none has prompted as big a response from our clients as the changes TCJA makes to the qualified parking deduction. Then, last month, the IRS issued its long-waited guidance on this code section in the form of Notice 2018-99

We've taken a look at both the the original provisions, and the new guidance, and have collected the salient points and things we think you need to consider this tax season. For not-for-profit organizations, visit my article here. And for-profit companies can read here.  

Blog
IRS guidance on qualified parking: Our take

As 2018 is about to come to a close, organizations with fiscal year ends after December 15, 2018, are poised to start implementing the new not-for-profit reporting standard. Here are three areas to address before the close of the fiscal year to set your organization up for a smooth and successful transition, and keep in compliance:

  1. Update and approve policies—organizations need to both change certain disclosures and add new ones. The policies in place at the end of the year will be pivotal in creating the framework within which to draft these new disclosures (for example, treatment of board designations, underwater endowments, and liquidity).
  2. Functional expense reporting—if you have not historically reported expenses by natural and functional classification, develop the methodology for cost allocation. If you already have a framework in place, revisit it to determine if this still fits your organization. Finally, determine where you will present this information in the financial statements.
  3. Internal investment costs—be sure you have a methodology to segregate the organization’s internal investment costs such as internal staff time (remember, this is the cost to generate the income, not account for it) and consider the overall disclosure.

While the implementation of the new reporting standard will not be without cost (both internal costs and audit costs), if your organization considers this an opportunity to better tell your story, the end result will be a much more useful financial narrative. Don’t forget to include the BerryDunn implementation whitepaper in your implementation strategy.

We at BerryDunn are helping organizations gain momentum with a personal touch, through our not-for-profit reporting checkup. This checkup includes initial recast of the prior financial statements to the new format, a personalized review of the checklist to identify opportunities for success, and consideration of the footnotes to be updated. Contact me and find out how you can join the list of organizations getting ahead of the new standard.

Blog
Three steps to ace the new not-for-profit reporting standard

IRS Notice 2018-67 Hits the Charts
Last week, in addition to The Eagles Greatest Hits (1971-1975) album becoming the highest selling album of all time, overtaking Michael Jackson’s Thriller, the IRS issued Notice 2018-67its first formal guidance on Internal Revenue Code Section 512(a)(6), one of two major code sections added by the Tax Cuts and Jobs Act of 2017 that directly impacts tax-exempt organizations. Will it too, be a big hit? It remains to be seen.

Section 512(a)(6) specifically deals with the reporting requirements for not-for-profit organizations carrying on multiple unrelated business income (UBI) activities. Here, we will summarize the notice and help you to gain an understanding of the IRS’s thoughts and anticipated approaches to implementing §512(a)(6).

While there have been some (not so quiet) grumblings from the not-for-profit sector about guidance on Code Section 512(a)(7) (aka the parking lot tax), unfortunately we still have not seen anything yet. With Notice 2018-67’s release last week, we’re optimistic that guidance may be on the way and will let you know as soon as we see anything from the IRS.

Before we dive in, it’s important to note last week’s notice is just that—a notice, not a Revenue Procedure or some other substantive legislation. While the notice can, and should be relied upon until we receive further guidance, everything in the notice is open to public comment and/or subject to change. With that, here are some highlights:

No More Netting
512(a)(6) requires the organization to calculate unrelated business taxable income (UBTI), including for purposes of determining any net operating loss (NOL) deduction, separately with respect to each such trade or business. The notice requires this separate reporting (or silo-ing) of activities in order to determine activities with net income from those with net losses.

Under the old rules, if an organization had two UBI activities in a given year, (e.g., one with $1,000 of net income and another with $1,000 net loss, you could simply net the two together on Form 990-T and report $0 UBTI for the year. That is no longer the case. From now on, you can effectively ignore activities with a current year loss, prompting the organization to report $1,000 as taxable UBI, and pay associated federal and state income taxes, while the activity with the $1,000 loss will get “hung-up” as an NOL specific to that activity and carried forward until said activity generates a net income.

Separate Trade or Business
So, how does one distinguish (or silo) a separate trade or business from another? The Treasury Department and IRS intend to propose some regulations in the near future, but for now recommend that organizations use a “reasonable good-faith interpretation”, which for now includes using the North American Industry Classification System (NAICS) in order to determine different UBI activities.

For those not familiar, the NAICS categorizes different lines of business with a six-digit code. For example, the NAICS code for renting* out a residential building or dwelling is 531110, while the code for operating a potato farm is 111211. While distinguishing residential rental activities from potato farming activities might be rather straight forward, the waters become muddier if an organization rents both a residential property and a nonresidential property (NAICS code 531120). Does this mean the organization has two separate UBI rental activities, or can both be grouped together as rental activities? The notice does not provide anything definitive, but rather is requesting public comments?we expect to see something more concrete once the public comment period is over.

*In the above example, we’re assuming the rental properties are debt-financed, prompting a portion of the rental activity to be treated as UBI.

UBI from Partnership Investments (Schedule K-1)
Notice 2018-67 does address how to categorize/group unrelated business income for organizations that receive more than one partnership K-1 with UBI reported. In short, if the Schedule K-1s the organization receives can meet either of the tests below, the organization may treat the partnership investments as a single activity/silo for UBI reporting purposes. The notice offers the following:

De Minimis Test
You can aggregate UBI from multiple K-1s together as long as the exempt organization holds directly no more than 2% of the profits interest and no more that 2% of the capital interest. These percentages can be found on the face of the Schedule K-1 from the Partnership and the notice states those percentages as shown can be used for this determination. Additionally, the notice allows organizations to use an average of beginning of year and end of year percentages for this determination.

Ex: If an organization receives a K-1 with UBI reported, and the beginning of year profit & capital percentages are 3%, and the end of year percentages are 1%, the average for the year is 2% (3% + 1% = 4%/2 = 2%). In this example, the K-1 meets the de minimis test.

There is a bit of a caveat here—when determining an exempt organization's partnership interest, the interest of a disqualified person (i.e. officers, directors, trustees, substantial contributors, and family members of any of those listed here), a supporting organization, or a controlled entity in the same partnership will be taken into account. Organizations need to review all K-1s received and inquire with the appropriate person(s) to determine if they meet the terms of the de minimis test.

Control Test
If an organization is not able to pass the de minimis test, you may instead use the control test. An organization meets the requirements of the control test if the exempt organization (i) directly holds no more than 20 percent of the capital interest; and (ii) does not have control or influence over the partnership.

When determining control or influence over the partnership, you need to apply all relevant facts and circumstances. The notice states:

“An exempt organization has control or influence if the exempt organization may require the partnership to perform, or may prevent the partnership from performing, any act that significantly affects the operations of the partnership. An exempt organization also has control or influence over a partnership if any of the exempt organization's officers, directors, trustees, or employees have rights to participate in the management of the partnership or conduct the partnership's business at any time, or if the exempt organization has the power to appoint or remove any of the partnership's officers, directors, trustees, or employees.”

As noted above, we recommend your organization review any K-1s you currently receive. It’s important to take a look at Line I1 and make sure your organization is listed here as “Exempt Organization”. All too often we see not-for-profit organizations listed as “Corporations”, which while usually technically correct, this designation is really for a for-profit corporation and could result in the organization not receiving the necessary information in order to determine what portion, if any, of income/loss is attributable to UBI.

Net Operating Losses
The notice also provides some guidance regarding the use of NOLs. The good news is that any pre-2018 NOLs are grandfathered under the old rules and can be used to offset total UBTI on Form 990-T.

Conversely, any NOLs generated post-2018 are going to be considered silo-specific, with the intent being that the NOL will only be applicable to the activity which gave rise to the loss. There is also a limitation on post-2018 NOLs, allowing you to use only 80% of the NOL for a given activity. Said another way, an activity that has net UBTI in a given year, even with post-2017 NOLs, will still potentially have an associated tax liability for the year.

Obviously, Notice 2018-67 provides a good baseline for general information, but the details will be forthcoming, and we will know then if they have a hit. Hopefully the IRS will not Take It To The Limit in terms of issuing formal guidance in regards to 512(a)(6) & (7). Until they receive further IRS guidance,  folks in the not-for-profit sector will not be able to Take It Easy or have any semblance of a Peaceful Easy Feeling. Stay tuned.

Blog
Tax-exempt organizations: The wait is over, sort of

As we begin the second year of Uniform Guidance, here’s what we’ve learned from year one, and some strategies you can use to approach various challenges, all told from a runner's point of view.

A Runner’s Perspective

As I began writing this article, the parallels between strategies that I use when competing in road races — and the strategies that we have used in navigating the Uniform Guidance — started to emerge. I’ve been running competitively for six years, and one of the biggest lessons I’ve learned is that implementing real-time adjustments to various challenges that pop up during a race makes all the difference between crossing — or falling short of — the finish line. This lesson also applies to implementing Uniform Guidance. On your mark, get set, go!

Challenge #1: Unclear Documentation

Federal awarding agencies have been unclear in the documentation within original awards, or funding increments, making it hard to know which standards to follow: the previous cost circulars, or the Uniform Guidance?

Racing Strategy: Navigate Decision Points

Take the time to ask for directions. In a long race, if you’re apprehensive about what’s ahead, stop and ask a volunteer at the water station, or anywhere else along the route.

If there is a question about the route you need to take in order to remain compliant with the Uniform Guidance, it’s your responsibility to reach out to the respective agency single audit coordinators or program officials. Unlike in a race, where you have to ask questions on the fly, it’s best to document your Uniform Guidance questions and answers via email, and make sure to retain your documentation.  Taking the time to make sure you’re headed in the right direction will save you energy, and lost time, in the long run.    

Challenge #2: Subrecipient Monitoring

The responsibilities of pass-through entities (PTEs) have significantly increased under the Uniform Guidance with respect to subaward requirements. Under OMB Circular A-133, the guidance was not very explicit on what monitoring procedures needed to be completed with regard to subrecipients. However, it was clear that monitoring to some extent was a requirement.

Racing Strategy: Keep a Healthy Pace

Take the role of “pacer” in your relationships with subrecipients. In a long-distance race, pacers ensure a fast time and avoid excessive tactical racing. By taking on this role, you can more efficiently fulfill your responsibilities under the Uniform Guidance.

Under the Uniform Guidance, a PTE must:

  • Perform risk assessments on its subrecipients to determine where to devote the most time with its monitoring procedures.
  • Provide ongoing monitoring, which includes site visits, provide technical assistance and training as necessary, and arrange for agreed-upon procedures to the extent needed.
  • Verify subrecipients have been audited under Subpart F of the Uniform Guidance, if they meet the threshold.
  • Report and follow up on any noncompliance at the subrecipient level.
  • The time you spend determining the energy you need to expend, and the support you need to lend to your subrecipients will help your team perform at a healthy pace, and reach the finish line together.

Challenge #3: Procurement Standards

The procurement standards within the Uniform Guidance are similar to those under OMB Circular A-102, which applied to state and local governments. They are likely to have a bigger impact on those entities that were subject to OMB Circular A-110, which applied to higher education institutions, hospitals, and other not-for-profit organizations.

Racing Strategy: Choose the Right Equipment

Do your research before procuring goods and services. In the past, serious runners had limited options when it came to buying new shoes and food to boost energy. With the rise of e-commerce, we can now purchase everything faster and cheaper online than we can at our local running store. But is this really an improvement?

Under A-110, we were guided to make prudent decisions, but the requirements were less stringent. Now, under Uniform Guidance, we must follow prescribed guidelines.

Summarized below are some of the differences between A-110 and the Uniform Guidance:

A-110 UNIFORM GUIDANCE
Competition
Procurement transaction shall be conducted in a manner to provide, to the maximum extent practical, open and free competition.
Competition
Procurement transaction must be conducted in a manner providing full and open competition consistent with the standards of this section.
 
Procurement
Organizations must establish written procurement procedures, which avoid purchasing unnecessary items, determine whether lease or purchase is most economical and practical, and in solicitation provide requirements for awards.
Procurement
Organizations must use one of the methods provided in this section:
  1. Procurement by Micro Purchase (<$3,000)
  2. Procurement by Small Purchase Procedures (<$150,000)
  3. Procurement by Sealed Bids
  4. Procurement by Competitive Proposal
  5. Procurement by Noncompetitive Proposal

While the process is more stringent under the Uniform Guidance, you still have the opportunity to choose the vendor or product best suited to the job. Just make sure you have the documentation to back up your decision.

A Final Thought
Obviously, this article is not an all-inclusive list of the changes reflected in the Uniform Guidance. Yet we hope that it does provide direction as you look for new grant awards and revisit internal policies and procedures.

And here’s one last tip: Do you know the most striking parallel that I see between running a race and implementing the Uniform Guidance? The value of knowing yourself.

It’s important to know what your challenges are, and to have the self-awareness to see when and where you will need help. And if you ever need someone to help you navigate, set the pace, or provide an objective perspective on purchasing equipment, let us know. We’re with you all the way to the finish line.

Grant Running.jpg

Blog
A runner's guide to uniform guidance, year two

With the most recent overhaul to the Form 990, Return of Organization Exempt From Income Tax, the IRS has made clear its intention to increase the transparency of a not-for-profit organization’s mission and activities and to promote active governance. To point, the IRS asks whether a copy has been provided to an organization’s board prior to filing and requires organizations to describe the process, if any, its board undertakes to review the 990.

This lack of ambiguity aside, it is just good governance to have an understanding of the information included in your organization’s Form 990. After all, it is available to anyone who wants a copy. But the volume of information included in a typical return can be daunting.

Where do you even start? Let’s take a look at the key components of a Form 990 that warrant at least a read-through:

  • Income and expense activity (Page 1 and Schedule D) – Does this agree to, or reconcile to, the financial reporting of the organization?
  • Narratives on Page 2 – Does it accurately describe your mission and “tell your story”?
  • Questions in Part VI about governance, management, and disclosures – If any governance or policy questions are answered in the negative, have you given consideration to implementing changes?
  • Part VII – Board information and key employee/contractor compensation – Is the list complete? Does the information agree with compensation set by the board? Does it seem appropriate in light of responsibilities and the organization’s activities

Depending on how questions were answered earlier in the Form 990, several schedules may be required. Key schedules include:

  • Schedule C – Political and lobbying expenditures
  • Schedule F – Foreign transactions and investments reported (alternative investments may have pass-through foreign activity)
  • Schedule J – Detailed compensation reporting for employees whose package exceeds $150,000
  • Schedule L – Transactions with officers, board members, and key employees (conflict-of-interest disclosures)

In addition to the Form 990, an organization may be required to file a Form 990-T, Exempt Organization Business Income Tax Return, if it earns unrelated business income. In general, it’s good practice to review the Form 990 with the organization’s management or tax preparer to be able to ask questions as they arise.

Filing and reviewing the Form 990 can be more than a compliance exercise. It’s an opportunity for a good conversations about your mission, policies, and compensation—a “health check-up” that can benefit more areas than just compliance. Understanding your not-for-profit’s operations and being an engaged and informed board member are essential to effectively fulfilling your fiduciary responsibilities.

Blog
Good governance: Understanding your organization's Form 990