As we find ourselves in a fast-moving, strong business growth environment, there is no better time to consider the controls needed to enhance your IT security as you implement new, high-demand technology and software to allow your organization to thrive and grow. Here are five risks you need to take care of if you want to build or maintain strong IT security.

RANSOMWARE UPDATE: It happened again. Another ransomware attack hit very large corporations around the globe. Much like WannaCry, a worm spread through entire networks, encrypting data and locking organizations out of their systems.

For management, it’s the perennial question: Keep things in-house or outsource?
Most companies or organizations have outsourcing opportunities, from PR to payment processing to IT security. When deciding whether to outsource, you weigh the trade-offs and benefits by considering variables such as cost, internal expertise, cross coverage, and organizational risk.

In IT services, outsourcing may win out as technology becomes more complex. Maintaining expertise and depth for all the IT components in an environment can be resource-intensive.

Outsourced solutions allow IT teams to shift some of their focus from maintaining infrastructure to getting more value out of existing systems, increasing data analytics, and better linking technology to business objectives.

Once you’ve decided, there’s another question you need to ask
Sometimes lost in the discussion of whether to use outsourced services is the question of how. Even after you’ve done your due diligence and chosen a great vendor, you need to stay involved. It can be easy to think, “Vendor XYZ is monitoring our servers, so we should be all set. I can stop worrying at night about our system reliability.” Not true.

You may be outsourcing a component of your technology environment, but you are not outsourcing the accountability for it—from an internal administrative standpoint or (in many cases) from a legal standpoint.

Beware of a false state of confidence
No matter how clear the expectations and rules of engagement with your vendor at the onset of a partnership, circumstances can change—regulatory updates, technology advancements, and old-fashioned vendor neglect. In hiring the vendor, you are accountable for oversight of the partnership. Be actively engaged in the ongoing execution of the services. Also, periodically revisit the contract, make sure the vendor is following all terms, and confirm (with an outside audit, when appropriate) that you are getting the services you need.

Take, for example, server monitoring, which applies to every organization or company, large or small, with data on a server. When a managed service vendor wants to contract with you to provide monitoring services, the vendor’s salesperson will likely assure you that you need not worry about the stability of your server infrastructure, that the monitoring will catch issues before they occur, and that any issues that do arise will be resolved before the end user is impacted. Ideally, this is true, but you need to confirm.

Here’s how to stay involved with your vendor
Ask lots of questions. There’s never a question too small. Here are sample questions about server monitoring that show how precisely you should drill down:

  • What will be monitored, specifically?
  • Why do the metrics being monitored matter to our own business objectives?
  • What thresholds must be met to produce an alert?
  • What does a specific alert mean?
  • Who will be notified if one occurs?
  • What corrective action will be taken?

Ask uncomfortable questions
Being willing to ask challenging questions of your vendors, even when you are not an IT expert, is critical. You may feel uncomfortable, but asking vendors to explain something to you in terms you understand is very reasonable. They’re the experts; you’re not expected to already understand every detail, or you wouldn’t have needed to hire them. It’s their job to explain it to you. Without asking these questions, you may end up with a fairly generic solution that does monitor something, but not necessarily all the things you need.

Ask obvious questions
You don’t want anything to slip by simply because you or the vendor took it for granted. It is common to assume that more is being done by a vendor than actually is. By asking even obvious questions, you can avoid this trap. All too often we conduct an IT assessment and are told that a vendor is providing a service, only to discover that the tasks are not happening as expected.

You are accountable for your whole team—in-house and outsourced members
An outsourced solution is an extension of your team. Taking an active and engaged role in an outsourcing partnership remains consistent with your management responsibilities. At the end of the day, management is responsible for achieving business objectives and mission. Regularly check in to make sure that the vendor stays focused on that same mission.

Blog
Oxymoron of the month: Outsourced accountability

Read this if your organization is required to perform physician time studies.

Currently hospitals allocate physician compensation costs to Part A (provider) and Part B (professional/patient) time based on either time studies or allocation agreements. The basic instructions for periodic time studies are that they must be based on the following criteria:

  1. One full week per month of the cost reporting period
  2. Based on a full work week
  3. Use three weeks from the first week of the month, three weeks from the second week of the month, three weeks from the third week of the month and three weeks from the fourth week of the month
  4. Consecutive months cannot use the same week of the month

Per a CMS Special Edition of mlnconnects published May 15, 2020, CMS has made the following time study options available to hospitals during the COVID-19 Public Health Emergency (PHE):

  • A one-week time study every six months (two weeks per year);
  • Time studies completed prior to January 27, 2020 (the PHE effective date) for the applicable cost report period can be used with no time studies needed for 1/27/2020 – 6/30/2020; or
  • Time studies for the same period in CY 2019 (e.g., if unable to complete time studies during February through July 2020, use time studies completed February through July 2019)

If you have any questions regarding the information in this article please contact Ellen Donahue.

Blog
Physician Time Studies during the COVID-19 Public Health Emergency

Read this if your organization, business, or institution is receiving financial assistance as a direct result of the COVID-19 pandemic.

Many for-profit and not-for-profit organizations are receiving financial assistance as a direct result of the COVID-19 pandemic. While there has been some guidance, there are still many unanswered questions. One unanswered question has been whether or not any of this financial assistance will be subject to the Single Audit Act. Good news―there’s finally some guidance:

  • For organizations receiving financial assistance through the Small Business Administration (SBA) Payroll Protection Program (PPP), the SBA made the determination that financial assistance is not subject to the Single Audit.
  • The other common type of financial assistance through the SBA is the Emergency Injury Disaster Loan (EIDL) program. The SBA has made the determination that as these are direct loans with the federal government, they will be subject to the Single Audit.

It is unlikely there will be guidance within the 2020 Office of Management and Budget (OMB) Compliance Supplement related to testing the EIDL program as the Compliance Supplement anticipated in June 2020 will not have any specific information relative to COVID-19. The OMB announced they will likely be issuing an addendum to the June supplement information specific to COVID-19 by September 2020.

Small and medium-sized for-profit organizations have been able to access funds through the Main Street Lending Program, which is comprised of the Main Street New Loan Facility, the Main Street Priority Loan Facility, and the Main Street Expanded Loan Facility. We do not currently know how, or if, the Single Audit Act will apply to these loans. Term sheets and frequently asked questions can be accessed on the Federal Reserve web page for the Main Street Lending Program.

Not-for-profits have also received additional financial assistance to help during the COVID-19 pandemic, through Medicare and Medicaid, and through the Higher Education Emergency Relief Fund (HEERF). While no definitive guidance has been received, HEERF funds, which are distributed through the Department of Education’s Education Stabilization Fund, have been assigned numbers in the Catalog of Federal Domestic Assistance, which seems to indicate they will be subject to audit. We are currently awaiting guidance if these programs will be subject to the Single Audit Act and will update this blog as that information becomes available.

If you have questions about accounting for, or reporting on, funds that you have received as a result of the COVID-19 pandemic, please contact a member of our Single Audit Team. We’re here to help.

Blog
COVID-19: Single audit and uniform guidance clarifications

Read this if you are planning for, or are in the process of implementing a new software solution.

User Acceptance Testing (UAT) is more than just another step in the implementation of a software solution. It can verify system functionality, increase the opportunity for a successful project, and create additional training opportunities for your team to adapt to the new software quickly. Independent verification through a structured user acceptance plan is essential for a smooth transition from a development environment to a production environment. 

Verification of functionality

The primary purpose of UAT is to verify that a system is ready to go live. Much of UAT is like performing a pre-flight checklist on an aircraft. Wings... check, engines... check, tires... check. A structured approach to UAT can verify that everything is working prior to rolling out a new software system for everyone to use. 

To hold vendors accountable for their contractual obligations, we recommend an agency test each functional and technical requirement identified in the statement of work portion of their contract. 

We also recommend that the agency verify the functional and technical requirements that the vendor responded positively to in the RFP for the system being implemented.

Easing the transition to a new software

Operational change management (OCM) is a term that describes a methodology for making the switch to a new software solution. Think of implementing a new software solution like learning a new language. For some employees, the legacy software solution is the only way they know how to do their job. Like learning a new language, changing the way you do business and learning new software can be a challenging and scary task. The benefits outweigh the anxiety associated with learning a new language. You can communicate with a broader group of people, and maybe even travel the world! This is also true for learning a new software solution; there are new and exciting ways to perform your job.

Throughout all organizations there will be some employees resistant to change. Getting those employees involved in UAT can help. By involving them in testing the new system and providing feedback prior to implementation, they will feel ownership and be less likely to resist the change. In our experience, some of the most resistant employees, once involved in the process, become the biggest champions of the new system.  

Training and testing for better results

On top of the OCM and verification benefits a structured UAT can accomplish, UAT can be a great training opportunity. An agency needs to be able to perform the actions of the functionality being tested. For example, if an agency is testing a software’s ability to import a document, then a tester needs to be trained on how to do that task. By performing this task, the tester learns how to log in to the software, navigate the software, and perform the tasks that end users will be accomplishing in their daily use of the new software.

Effective UAT and change management

We have observed agencies that have installed software that was either not fully configured or whose final product was not what was expected when the project started. The only way to know that software works how you want is to test it using business-driven scenarios. BerryDunn has developed a UAT process, customizable to each client, which includes a UAT tracking tool. This process and related tool help to ensure that we inspect each item and develop steps to resolve issues when the software doesn’t function as expected.

We also incorporate change management into all aspects of a project and find that the UAT process is the optimal time to do so. Following established and proven approaches for change management during UAT is another opportunity to optimize implementation of a new software solution. 

A structured approach to UAT brings additional benefits: the training and OCM gains can make the difference between a positive and a negative reaction to the new software. By conducting a structured and thorough UAT, you can help your users gain confidence in the process and increase adoption of the new software.

Please contact the team if you have specific questions relating to your specific needs, or to see how we can help your agency validate the new system’s functionality and reduce resistance to the software. We’re here to help.

Blog
User Acceptance Testing: A plan for successful software implementation

Read this if you are a solar or wind developer, investor, or have interests in the renewable energy industry.

Given the recent exchange between a bipartisan group of senators and the Treasury Department, it appears that the continuity safe harbor for the Production Tax Credit (PTC) and Energy Investment Tax Credit (ITC) will be extended. 

Under current regulations, taxpayers “lock in” a tax credit based on the beginning of construction date for their facility or property. Taxpayers must then demonstrate continuous efforts to complete construction in order to ultimately be eligible for the tax credit on completion. If the taxpayers place their energy facility or property into service within four years after the beginning of construction they are deemed to satisfy this test. This is known as the continuity safe harbor. The senators wish to extend the continuity safe harbor from four to five years and it appears that the Treasury may agree. Here is a copy of the letter senators sent to the Treasury. Here is a copy of the letter the Treasury sent back. 

The good news

The Treasury plans to “modify the relevant rules in the near future”. It is encouraging that both groups are aware of the unique challenges businesses in the renewables energy industry face in meeting regulatory deadlines to qualify for tax credits, which help make many projects economically viable. 

The so-so news

We don’t know what the rule modification will entail and this is only an extension of the continuity safe harbor. While this is a welcome change, there are many projects in the pipeline still in the planning phase that have not yet started construction. For these projects, the beginning of construction safe harbor date is more important as it determines the ITC credit rate. For example, projects beginning in 2020 get a 26% credit, and projects beginning in 2021 get a 22% credit. 

Looking ahead

Given the uncertainty in all business planning, now would be a good time to extend the ITC credit rates and/or beginning of construction safe harbor date to give businesses more time to lock in the 26% credit rate for 2020. As the Treasury is limited to what they can do without legislative action, we may need to wait for Congress on this change. 

We are watching for new developments on this issue and will provide updates as we can. If you have questions about your specific situation, please contact the team. We’re here to help.

Blog
Treasury Department signals modification of ITC and PTC continuity safe harbor