
CMS expands flexibility for RHCs and FQHCs

04.21.20

Read this if you are an administrator, manager, or director at a Rural Health Clinic (RHC) or Federally Qualified Health Center (FQHC).

CMS just released an article outlining new and expanded flexibilities for RHCs and FQHCs during the COVID-19 public health emergency (PHE). The article includes the following information:

  • Payment rate for telehealth services
  • How to bill for telehealth services
  • Expanded virtual communications services

Payment for telehealth health services during the PHE (from January 27, 2020 through the end of the PHE) is $92. Billing for telehealth is segmented into two periods:

  1. January 27, 2020 – June 30, 2020, bill using the 95 modifier
  2. July 1, 2020 – end of PHE, bill using code G2025

The article further outlines that telehealth services billed through June 30 will be paid at the PPS rate. Those claims will then be automatically reprocessed in July, and a recoupment will occur for the difference between the $92 telehealth rate and your PPS rate.

It will be important to keep track of the telehealth visits paid at your PPS rate and the amount Medicare will recoup, so that you are not caught unawares when the recoupment occurs.

Virtual communication services have been expanded to include online digital evaluation and management services. These are non-face-to-face, patient-initiated digital communications conducted through a secure patient portal.

Additionally, the payment rate for these services will be $24.76 from March 1, 2020 through the end of the PHE, instead of the CY 2020 rate of $13.53, and they should be billed using code G0071.

Consider how the medical records component of your system interfaces with the billing component to ensure you capture these services for billing.

The full article can be accessed here: MLN Matters Special Edition Article 20016.
 


Read this if your facility or organization has received provider relief funds.

The rules over the use of the provider relief funds (PRF) have been in a constant state of flux since the funds started to show up in your bank accounts back in April. Here is a summary of where we are, as of November 30, 2020, on allowable uses of the funds.
 
The most recent Post-Payment Notice of Reporting Requirements is dated November 2, 2020. In accordance with the notice, PRF may be used for two purposes:

  1. Healthcare-related expenses attributable to coronavirus that another source has not reimbursed and is not obligated to reimburse
  2. Lost revenue, up to the amount of the difference between 2019 and 2020 actual patient care revenue

The Department of Health and Human Services (HHS) has issued FAQs as recently as November 18, 2020.  The FAQs include the following clarifications on the allowable uses:

Healthcare related expenses attributable to the coronavirus

  1. PRF may be used for the marginal increased expenses or incremental expenses related to coronavirus.
  2. Expenses cannot be reimbursed by another source, and no other source can be obligated to reimburse the expense.
  3. Other sources include, but are not limited to, direct patient billing, commercial insurance, Medicare/Medicaid/Children’s Health Insurance Program (CHIP), or other funds received from the Federal Emergency Management Agency (FEMA), the Provider Relief Fund COVID-19 Claims Reimbursement to Health Care Providers and Facilities for Testing, Treatment, and Vaccine Administration for the Uninsured, and the Small Business Administration (SBA) and Department of Treasury’s Paycheck Protection Program (PPP). This would also include any state and federal grants received as a result of the coronavirus.
  4. Providers should apply reasonable assumptions when estimating the portion of costs that are reimbursed from other sources.
  5. The examples in the FAQs for the increased cost of an office visit and for patient billing seem to indicate that only supplemental coronavirus-related reimbursement needs to be offset against the increased expense.
  6. PRF may be used for the full cost of equipment or facility projects if the purchase was directly related to preventing, preparing for, and responding to the coronavirus; however, if you claim the full cost, you cannot also claim depreciation on any items capitalized.
  7. PRF cannot be used to pay salaries at a rate in excess of Executive Level II, which is currently set at $197,300.

Lost revenues attributable to the coronavirus

  1. Lost revenues attributable to coronavirus are calculated based upon a calendar year comparison of 2019 to 2020 actual revenue/net charges from patient care (prior to netting with expenses).
  2. Any unexpended PRF at 12/31/20 is then eligible for use through June 30, 2021, and calculated lost revenues in 2021 are compared to January through June 2019.
  3. Reported patient care revenue is net of uncollectible patient service revenue recognized as bad debts and includes 340B contract pharmacy revenue.
  4. This comparison is cumulative; for example, if your net income improves in Q4, it will reduce the lost revenues calculated for Q2.
  5. Retroactive cost report settlements or other payments received that are not related to care provided in 2019 or 2020 can be excluded from the calculation.

Whether you are tracking expenses or lost revenues, the accounting treatment for both is to be consistent with your normal basis of accounting (cash or accrual).
 
As a reminder, the first reporting period (through December 31, 2020) is due February 15, 2021. The reporting portal is supposed to open January 15, 2021. Any unexpended PRF at December 31, 2020 can be used from January 1, 2021 through June 30, 2021, with final reporting due July 31, 2021.

The guidance continues to change rapidly and new FAQs are issued each week. Please check back here for any updates, or contact Mary Dowes for more information.

Article
Provider relief funds: Allowable uses

Read this if you are an administrator, manager, or director at a Rural Health Clinic (RHC) or Federally Qualified Health Center (FQHC).

The following outlines key due dates related to various CARES Act funding streams that you may have received. Updated as of April 27, 2020.

  1. Round two of the Paycheck Protection Program (PPP) was just signed last week. If you have not applied and plan to do so, please do so ASAP as the funds are likely to be exhausted quickly.
  2. Your 12-month budget for the CARES Act funding is due on May 8, 2020. As you prepare your budget, please consider the following:
     a. If you were lucky enough to get approved for PPP loans, use these funds first to pay for salaries and wages, as they are for eight weeks only.
     b. We encourage including federal grant expenses in all budget categories to enable you to take advantage of the flexibility HRSA has provided you by allowing reclassifications between budget categories up to the lesser of 25% of the federal award or $250,000 without asking for prior approval. If you wish to reclassify amounts to a budget category which didn’t previously have federal funds budgeted, you will have to submit a budget revision to HRSA for approval. This guidance applies to your base 330 grant as well.
     c. Remember, if an employee is paid more than $197,300 (Executive II salary level as of January 1, 2020), you can only charge $197,300 to any HRSA grant. This salary limitation does not apply to consultants or contracted employees.
     d. Use of these funds is very likely to undergo audits, similar to the ARRA funding a number of years ago; therefore, make sure you properly track how you use these funds (audit trail).
     e. Have your personnel policies been modified for consistency with any new practices you’ve implemented as a result of the public health emergency (for example, hazard pay, family and sick leave, and remote working)?

Click here for a list of HRSA’s examples of the allowable uses of the CARES Act funding.    
 
  3. The initial distribution you received on April 20, 2020 from the CARES Act Provider Relief Fund has an attestation due on May 10, 2020. There are various provisions governing the use of the funds, and we suggest you consider the ability to use these funds to offset lost earnings so they do not compete with the other funding programs you have received.

Article
CARES Act funding deadlines: Update for FQHCs and RHCs

Read this if you are a director, manager, or administrator at a Federally Qualified Health Center (FQHC) or Rural Health Clinic (RHC).

The latest COVID-19 bill, the Coronavirus Aid, Relief, and Economic Security (CARES) Act, included enhancements to Medicare telehealth services for FQHCs and RHCs. This legislation waives the Section 1834(m) restriction that prohibits FQHCs and RHCs from serving as distant sites. This means that during the COVID-19 State of Emergency, FQHCs and RHCs will be able to serve as distant sites to provide telehealth services to patients in their homes and other eligible locations. The legislation will reimburse FQHCs and RHCs at a rate similar to the payment for comparable telehealth services under the physician fee schedule (Medicare Part B). FQHCs and RHCs will not be paid the Medicare PPS rate for these services.

Currently, Medicare, unlike many Medicaid programs and commercial payers, still requires the video component for telehealth. Effective immediately, the Office for Civil Rights at the Department of Health and Human Services will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 State of Emergency. Providers who want to use audio or video communication technology to provide telehealth during the COVID-19 State of Emergency can use any non-public facing remote communication product that is available to communicate with patients. Examples of acceptable platforms (non-public facing) include Apple FaceTime, Google G Suite Hangouts Meet, and Skype for Business.

We would also like to remind you of the ability to bill for virtual communication services. A virtual communication service is a brief, non-face-to-face check-in with a patient via communication technology to assess whether the patient's condition necessitates an office visit. The call must be initiated by the patient and, to be billable, must be between the patient and a physician, nurse practitioner, physician assistant, certified nurse midwife, clinical psychologist, or clinical social worker. If the discussion is conducted by a nurse, health educator, or other clinical personnel, it is not billable as a virtual communication service. No video component is required for virtual communication services. The check-in cannot relate to a visit with the patient during the previous seven days or result in a visit with the patient within the next 24 hours (or next available appointment). Read the FAQs from Medicare on virtual communication services.

We continue to be here to support you. If you have any questions or concerns, please do not hesitate to reach out to any of us. 

Article
The CARES Act and telehealth services for FQHCs

The Coronavirus Preparedness and Response Supplemental Appropriations Act, 2020, which provides $8.3 billion in emergency funding for federal agencies to respond to the COVID-19 outbreak, has earmarked $100 million for FQHCs to prevent, prepare for, and respond to the COVID-19 national emergency. Pre-award costs will be supported by this funding and may date back to January 20, 2020. We recommend tracking your coronavirus-related expenditures to the best of your ability; doing so may be helpful or necessary in obtaining much-needed financial relief for your organization.

As a reminder, FQHCs cannot bill Medicare for telehealth services at the PPS rate. Telehealth can be billed to Medicare under Part B with the FQHC as an originating site, and reimbursement is approximately $26. If you do not have home visits on Form 5, be sure to add home visits to 5C as soon as possible.

Amidst rapid hourly changes in contending with the coronavirus and its far-reaching impacts, we are sharing some HRSA and CMS guidance that may be helpful to you: 

Here is a link to HRSA FAQs related to COVID-19

Although we are working remotely, we are available to support you. If you have any questions or concerns, please do not hesitate to reach out to any of us.

Article
COVID-19 emergency funding for FQHCs: What you need to know

Read this if you use QuickBooks Online.

Your customers are your company’s lifeblood. Make sure their records are thorough and up-to-date.

When companies buy other companies, the customer list is often considered the most critical asset. When a business is damaged and data is possibly lost, the customer list is the set of records they most hope to recover.

You probably spend most of your time in QuickBooks Online working with transactions and reports, but your customer records deserve equal attention. If they’re incomplete or otherwise not well maintained, you lose time filling in the blanks whenever a task requires a complete customer profile. Your searches and reports may not tell the whole picture, your relationships can suffer, and you may miss out on sales opportunities.

QuickBooks Online provides excellent tools for creating and maintaining comprehensive customer and sub-customer records. Here’s a look at how it all works.

Moving your customer data in

There are two ways to create customer records in QuickBooks Online. If you have an existing database in Outlook, Excel, Gmail, or Google Sheets, you can import it. This will save you an enormous amount of time, but it’s a challenging process. You select the file you want to import, and then you have to “map” it by matching the fields in your database to fields in QuickBooks Online. You’ll likely need our help with this.


To import a customer file into QuickBooks Online, you’ll have to “map” its fields. We can help you with this.

Your other option is to enter records manually. This is time-consuming, but the more information you can include about your customers from the start, the better. You can always edit your records to add, delete, or modify what you originally entered.

To get started, hover over Sales in the toolbar and click on Customers. Then click on New Customer in the upper right corner to open the Customer information window. The only field you’re required to complete is Display name as. You may want to enter only this field if, for example, you have a new customer on the phone and want to concentrate on the conversation; you can take notes about their contact information and fill in the record later, when you’re off the phone.

But wherever possible, as we’ve already said, complete as many fields as you can. You’ll enter name and billing and shipping address and phone number(s) on the opening screen. You can also supply contact details like fax number and website. 

Creating sub-customers

You’ll notice a checkbox that says Is sub-customer. QuickBooks Online lets you “nest” related records under a “parent” record. A sub-customer can be an actual customer, but many people use it to document jobs they’re doing for the customer. So if you’re a contractor, for example, you might have sub-customers like Sun deck and Spa.

If you want to set up such a record, enter the job name and click in the box next to Is sub-customer. Two fields will open below that allow you to select the parent customer and to indicate the sub-customer’s billing status. The remainder of the fields will automatically fill in with the parent customer’s contact information.


You can set up jobs as sub-customers in QuickBooks Online. 

Supplying details

When you’re setting up individual customers, you should add as much detail as you possibly can to each record, beyond basic contact information. QuickBooks Online’s record templates display a number of tabs running horizontally across the window. The most important of these are:

  • Tax info. Is the customer taxable or exempt? If taxable, what is their Default tax code? (If you haven’t set up sales taxes yet and need to, please let us help. It’s complicated.)
  • Payment and billing. Does the customer have preferred payment and/or delivery methods? Will you be assigning default payment terms, like Net 30 or Due on receipt? What is their Opening balance? If they’re a brand-new customer who has never ordered from you, this will be $0.00. If they’re an existing, active customer, enter any outstanding balance they have with you as of the date you enter. This must be correct to avoid any problems with the customer’s ongoing balance. Questions? Ask us.

Other tabs here are self-explanatory. When you’ve entered everything you can, click Save. The new record will now appear in the Customers list and will be available to select from the drop-down list in transactions.

There will be times when you have to refer back to these records to answer questions. By maintaining detailed, accurate customer records, you’ll be ready to respond. If you have questions about any of the information requested, or about other elements of QuickBooks Online that are puzzling you, please contact our Outsourced Accounting team so we can set up a consultation.

Article
How to maintain customer records in QuickBooks Online

Read this if you use QuickBooks Online.

Are you finding that you need more flexibility in an area of QuickBooks Online? Maybe it’s time to try an integrated app.

When you first started using QuickBooks Online, you probably found it supplied the tools you needed to manage your accounting—and then some. But as your business grows or becomes more complex, you may need more functionality and flexibility in one or more areas, like time tracking and billing.

There are hundreds of add-on applications that integrate well with QuickBooks Online in the QuickBooks Apps store, which you can find here. Some of these apps are free, but most have subscription fees. They’re designed to amplify the power of QuickBooks Online’s own features. The site will remain your home base, but you’ll have to learn enough about the add-on apps to understand how they work and how they integrate with QuickBooks Online. Here are some of the most popular add-on solutions from the QuickBooks Apps site.

Expensify

QuickBooks Online allows you to record expenses. Its thorough form templates ask you for numerous details, like the vendor, product or service, amount, and billable status. Completed expenses appear in a table. You can run any of several related reports, like Expenses by Vendor Summary. If you use the QuickBooks Online mobile app, you can snap photos of receipts that are turned into expense forms by QuickBooks Online and partially completed with the receipt data.

Using the QuickBooks Online mobile app, you can snap photos of receipts and complete the expense forms provided.

But Expensify ($5-9 per month for one user) does more. It’s a robust expense management system that handles everything from receipt processing to next-day reimbursement. Where QuickBooks Online only supports basic expense tracking, Expensify allows you to create expense reports and follow them through multi-level approvals. It features automatic credit card reconciliation and expense policy enforcement, as well as bill pay and invoices/payments. Two-way synchronization with QuickBooks Online means you can work in either application and your data will be replicated in the other, as is the case with all of these integrated solutions.

QuickBooks Time

Formerly known as TSheets, this powerful time-tracking application builds on QuickBooks Online’s time management and payroll features. QuickBooks Time ($8-10 per user per month plus $20-40 monthly base fee) is now owned by Intuit, so it’s embedded directly in QuickBooks Online. 

Your employees can track their hours on any device, from any location, and those hours are instantly available in QuickBooks Online so managers can review, edit, and approve timesheets. That data can then be used in areas like invoicing, job costing, and payroll. Advanced features include scheduling capabilities, overtime monitoring, GPS tracking, and real-time reports. The Who’s Working window shows you where your staff members are working and what they’re doing, in real time.

Method:CRM

QuickBooks Online does a good job of helping you create profiles of customers and storing them for quick retrieval. But some businesses need more than that. They need true Customer Relationship Management (CRM). Method:CRM ($28-49 per month per user; discounts for annual subscriptions) is an excellent partner for QuickBooks Online in this area.

You can record and store customer details in QuickBooks Online, but Method:CRM adds true Customer Relationship management to the site.

When you integrate Method:CRM with QuickBooks Online, you no longer have to do duplicate data entry to keep track of your customers and their sales profiles and histories. You get a shared lead list and activity tracking (emails and phone calls), and your customer records contain the information a sales team needs, like customer details, interaction, transactions, and services performed. Leads are stored in Method:CRM until they’re customers, and you can track sales opportunities from a customer’s initial interest through the final sale. 

Two more advanced integrated apps

QuickBooks Online provides basic inventory-tracking capabilities, but if your business has more complex needs, an integrated application like SOS Inventory ($49.95-149.95 per user per month) should be able to meet them. Built for QuickBooks Online from the ground up, the application offers advanced features like sales orders and order management, assemblies, serial inventory, and multiple locations. And if you need more sophisticated bill pay, invoicing, and payment processing (with multiple automated approval levels) than QuickBooks Online offers, you might look into the highly-regarded Bill.com ($39-69 per user per month).

Growth is good, but challenging

We wanted to introduce you to a few of the hundreds of integrated apps available for QuickBooks Online because you should know that there are options for expanding on the site’s built-in capabilities. As your business grows, so does your need for more sophisticated accounting. QuickBooks Online may still be able to serve you well with the help of one or more of these add-ons.

You may also want to explore the possibility of upgrading your version of QuickBooks Online. We encourage you to consult with us if you’re outgrowing QuickBooks Online. We can help you explore the options so you can spend your time planning for your company’s future instead of wrestling with your accounting application. Please contact our Outsourced Accounting team.

Article
Expand QuickBooks Online's features: Use integrated apps

Read this if you are an employee benefit plan fiduciary.

Fiduciary risk management

This is the final article in a series to help employee benefit plan fiduciaries better understand their responsibilities and manage the risks of non-compliance with ERISA requirements. You can find the full series here.

If, as part of your involvement with an employee benefit plan, you have decision-making ability, you advise those with decision-making ability, or someone tasks you with decision-making related to the plan, you are, more likely than not, a fiduciary. As discussed in the first article of the series, this status comes with responsibilities and, therefore, risks and consequences.

The general approach to handling risk is a cycle of identifying, assessing, controlling, and reviewing controls over risks. Based on the assessment of a given risk, there are four ways to manage it: you can avoid, reduce, transfer, or accept the risk. 

Identifying and assessing fiduciary risk¹

The risks facing a plan fiduciary include, but are not limited to, the following:

Removal of fiduciary

In appropriate cases, a fiduciary may be removed and permanently prohibited from acting as a fiduciary or from providing services to ERISA plans.

Civil penalties

Among other penalties, the DOL may assess a civil penalty equal to 20% of the amounts recovered for the plan through litigation or settlement.

Criminal prosecution

Upon a conviction for a willful violation of ERISA’s reporting and disclosure requirements, a fiduciary may be subject to fines and/or imprisonment for not more than ten years. There is also a provision in ERISA that applies to any person, not just ERISA fiduciaries, that makes coercive interference with ERISA rights a criminal offense punishable by fines and/or imprisonment for up to ten years. In addition, outside of ERISA, there are a number of criminal statutes that apply to any person, not just ERISA fiduciaries, including criminal statutes for embezzling from an ERISA plan, making false statements in ERISA documents, and taking illegal kickbacks in connection with an ERISA plan.

Participant lawsuits

Additionally, plan participants may file a lawsuit against the fiduciary for breach of their fiduciary duty. Over the past few years, this has become more common and has generally been related to the fiduciary’s failure to adequately negotiate and monitor plan fees. 

Co-fiduciary liability

ERISA's unique co-fiduciary liability provisions make each fiduciary responsible for the actions of the other plan fiduciaries but only under certain circumstances. As a general rule, fiduciaries aren’t responsible for the breach of another fiduciary unless:

  • They participate knowingly in, or knowingly undertake to conceal, an act or omission of such other fiduciary, knowing such act or omission is a breach;
  • Their failure to be prudent in the administration of their own fiduciary responsibilities enables the other fiduciary to commit a breach; or
  • They have knowledge of a breach by such other fiduciary and don’t make reasonable efforts under the circumstances to remedy the breach.

Controlling fiduciary risk

There are several ways to effectively manage fiduciary risk. When used together, they give you solid controls to greatly reduce your level of risk.

Plan documentation

A fiduciary and/or plan sponsor should reduce their exposure to the risks identified above, and their first line of defense is plan documentation (discussed in depth here). Broadly speaking, the organizers and fiduciaries of the plan should ensure that policies and procedures are laid out to provide proper oversight, and that internal controls are in place to prevent any voluntary or involuntary noncompliance with ERISA and DOL requirements.

Oversight

Fiduciaries should meet formally on a regular basis to review the plan’s offerings, service providers, fees, and other issues that may affect the plan. A single individual who is the sole fiduciary for a plan may not have the knowledge or bandwidth to appropriately fulfill the responsibilities of the plan. Additionally, having an auditor come in and audit the plan can help identify some of the risks identified above, although an audit of the plan does not reduce your responsibility to monitor and review the plan’s activity on an ongoing basis.

Third Party Administrators (TPA) & recordkeepers

Fiduciaries may also be able to mitigate some of the risks identified above through use of a TPA and/or recordkeeper. While TPAs and recordkeepers are not generally considered fiduciaries or co-fiduciaries, TPAs have varying service offerings, including recordkeeping, that give plan administrators powerful tools to review and operate the plan. For example, depending on the plan sponsor’s existing payroll and HR structure, inclusive of TPAs and recordkeepers, fiduciaries may be able to automate the transfer of contributions to ensure timely deposits. The plan may also be able to add another layer of internal controls by incorporating the TPA’s or recordkeeper’s internal controls into the plan’s control environment, assuming the fiduciary has gained an understanding of, and comfort with, the controls present at the TPA and/or recordkeeper.

Professional investment advisors and co-fiduciaries

Employee benefit plans must meet certain requirements with regard to their investment offerings. For instance, the plan must allow participants to invest in a diversified portfolio. The plan may try to transfer some of these risks by employing a professional investment advisor to help ensure the plan’s investment offerings meet such criteria. This could involve hiring either an ERISA 3(21) fiduciary or an ERISA 3(38) fiduciary. The former serves as an advisor and a co-fiduciary but does not have any authority on their own, while the latter is an investment manager and is therefore authorized to select investments for the plan. Doing so may help demonstrate to regulators that a fiduciary has fulfilled their duty in this regard. Alternatively, a plan may hire a 3(16) fiduciary. 3(16) fiduciaries are individuals or organizations charged with running plans as the plan administrator. A company may be able to shift most of its fiduciary risk to such a fiduciary.

In any case, the plan fiduciary must continue to monitor a 3(16), 3(21) or 3(38) advisor to make sure it is still prudent to use that advisor.

Bonding and fiduciary liability insurance

Bonding is required for most employee benefit plans and does not protect the fiduciary from any risk; it does, however, protect the plan from fraud or dishonesty. On the other hand, fiduciary liability insurance can protect the fiduciary in the case of a breach of fiduciary duty. This type of insurance is not required but is another option for transferring fiduciary risk.

As mentioned in our second article, much like owning a car, regular preventative maintenance can help you avoid the need for costly repairs. Plan fiduciaries should periodically refresh their understanding of ERISA requirements and re-evaluate their current and future business activities on an ongoing basis. Doing so will help mitigate any risks associated with non-compliance with the DOL and IRS and keep the plan running smoothly. 

Need help navigating the fiduciary road? Reach out to the BerryDunn employee benefit consulting team today.

¹ From Fidelity’s Plan Sponsor Webstation: Consequences of breach of fiduciary duties

Article
Fiduciary risk: Five ways to control and reduce it

Read this if you are responsible for cybersecurity at your organization. 

During the financial audit process, auditors are required to develop and confirm their understanding of Information Technology (IT) and cybersecurity practices as they relate to financial reporting, both to better understand risks and because auditors rely heavily on data pulled from accounting information systems. As auditors, we have seen a significant increase in the number of impactful incidents affecting not-for-profit organizations, and our IT security experts often share advisory comments in annual audit communications with our clients. Given recent incidents and a rapidly changing business environment, here are the three most important observations from the last six months that affect all not-for-profits.

Board oversight of cybersecurity 

Cybersecurity gaps within an organization’s systems may lead to risk exposure and have material impacts on all aspects of operations. Responsibility for cybersecurity controls and for establishing a culture of awareness and security should come from the Board and senior leadership. Board members and senior leaders should stay apprised of cybersecurity efforts on a regular basis and incidents should be summarized and reported on a quarterly basis. 

The Board should also consider adding a member who is a professional with IT and cybersecurity experience to help manage and understand the specific risks to the organization and help drive and support cybersecurity efforts.

Ransomware threats and preventive controls

Ransomware continues to grow rapidly as a profitable attack on organizations. Within the last year there have been multiple high-profile incidents that illustrate the impact of a successful attack. These impacts fall into two main areas. The first is financial, as millions of dollars are paid to the bad actors as ransom in hopes of regaining control of systems. The second is operational, resulting in a loss of control of systems and data during the event. Potentially, an unsuccessful data restoration could result in the total loss of information and data maintained on your networks.

Though no organization may be able to prevent a ransomware attack from occurring entirely, there are basic cybersecurity controls that help reduce the likelihood and impact of an attack. Preventive controls may include: 

  • Security awareness training on phishing emails and overall IT security practices for all organization users
  • Multi-factor authentication 
  • Access controls that prevent users from installing unapproved software onto organization-owned workstations and networks
  • Anti-malware software installed on devices that connect to organization systems 
  • Use of Zero Trust data management tools for backups
  • Disabling macros in email attachments (prevents embedded code from running automatically)

In addition to adding these preventive controls to your cybersecurity program, your organization should assess the corrective controls already in place to react to a ransomware event once it is detected or reported. Corrective controls may include:

  • Disaster recovery plans/business continuity plans 
  • Incident response plans
  • Backup controls and restoration tests 
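
The value of a backup is only proven by a restore that can be checked. As an added example that is not part of the original article, the following Python script shows one way to make "restoration tests" repeatable: record a SHA-256 manifest of the protected files when the backup is taken, then compare a test restore against that manifest so a missing or altered file is found before the backup is needed in an actual incident. The file names and contents are constructed for the demonstration, and the partial restore is simulated in a temporary directory.

```python
# Added example (not from the article): a scripted backup restoration test.
# At backup time, record a SHA-256 manifest of the protected files; after a
# test restore, compare the restored tree against that manifest so that a
# partial or corrupted restore is detected before it is needed for real.
import hashlib
import json
import tempfile
from pathlib import Path


def build_manifest(root) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def verify_restore(restored, manifest: dict) -> dict:
    """Compare a restored tree against the manifest taken at backup time.

    Returns the files that are missing, the files whose content changed,
    and any files present in the restore that were never backed up.
    """
    actual = build_manifest(restored)
    missing = sorted(set(manifest) - set(actual))
    corrupted = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    unexpected = sorted(set(actual) - set(manifest))
    return {
        "ok": not missing and not corrupted,
        "missing": missing,
        "corrupted": corrupted,
        "unexpected": unexpected,
    }


def run_restore_test() -> dict:
    """Constructed scenario (hypothetical data): three files are backed up;
    the test restore returns one intact, one altered and one missing."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        restored = Path(tmp) / "restored"
        (source / "finance").mkdir(parents=True)
        (restored / "finance").mkdir(parents=True)

        # The protected data at backup time.
        (source / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (source / "finance" / "payroll.csv").write_text("id,amount\n2,200\n")
        (source / "policy.txt").write_text("Incident response plan v3\n")

        # Manifest taken at backup time. In practice keep it apart from the
        # backup set itself so an attacker who reaches the backups cannot
        # rewrite the record they are checked against.
        manifest_file = Path(tmp) / "manifest.json"
        manifest_file.write_text(json.dumps(build_manifest(source)))

        # Simulated restore: policy.txt intact, ledger.csv altered,
        # payroll.csv absent.
        (restored / "policy.txt").write_text("Incident response plan v3\n")
        (restored / "finance" / "ledger.csv").write_text("id,amount\n1,999\n")

        return verify_restore(restored, json.loads(manifest_file.read_text()))


if __name__ == "__main__":
    print(json.dumps(run_restore_test(), indent=2))
```

Run against a real backup set, `build_manifest` is executed when the backup is taken and its output stored outside the backup system, and `verify_restore` is pointed at the directory a scheduled test restore lands in; a result with `"ok": false` is the finding the restoration test exists to surface, and the `missing` and `corrupted` lists say exactly which files the recovery procedure would not have brought back.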

As the risk of ransomware continues to increase and attacks grow more sophisticated, your organization should consider regular assessments of IT controls and cybersecurity practices. Such assessments may be performed in conjunction with annual financial statement audits as an expanded scope and/or as a separate annual IT assessment.

COVID-19 IT considerations 

The global COVID-19 pandemic significantly impacted nearly every aspect of modern life, including the way we work. As personnel were sent home and literally became a remote workforce overnight, changes to IT systems and controls rapidly adjusted to accommodate this new way of business. 

Where controls and procedures were adjusted, if not suspended, your organization should review those changes and determine whether controls should revert to the pre-pandemic process or be formally changed and documented as policy.

Guidance from the American Institute of Certified Public Accountants (AICPA) dictates that a gap in controls associated with the pandemic is not a legitimate reason for not completing a control and that any changes must be documented and properly managed.  

Well over a year into the pandemic, the concept of a hybrid workforce has emerged as the predominant way employees and businesses want to work. Your organization should review current policies and procedures that may pre-date the pandemic to ensure that the updates both document and consider the current business environment. 

Additionally, with personnel working remotely, in a hybrid model, or a combination of both, you should assess practices for managing remote access and a hybrid workforce and, where needed, implement industry best-practice tools and procedures that accommodate a remote workforce while maintaining security controls. If you have questions regarding your cybersecurity procedures or want to learn more, please contact our team. We’re here to help.
 

Article
Cybersecurity update for organizations: Considerations for boards and senior management