
Benchmarking: Satisfy your board and gain a competitive advantage

12.27.16

Benchmarking doesn’t need to be time- and resource-consuming. Read on for four simple steps you can take to improve efficiency and maximize resources.

Stop us if you’ve heard this one before (from your Board of Trustees or Finance Committee): “I wish there was a way we could benchmark ourselves against our competitors.”

Have you ever wrestled with how to benchmark? Or struggled to identify what the Board wants to measure? Organizations can fall short on implementing effective methods to benchmark accurately. The good news? With a planned approach, you can overcome traditional obstacles and create tools to increase efficiency, improve operations and reporting, and maintain and monitor a comfortable risk level. All of this creates competitive advantage — and isn’t as hard as you might think.

Even with a structured process, remember that benchmarking data has pitfalls, including:

  • Peer data can be difficult to find. Some industries are better than others at tracking this information. Some collect too much data that isn’t relevant, making it hard to find the data that is.
     
  • The data can be dated. By the time you close your books for the year and data is available, you’re at least six months into the next fiscal year. Knowing this, you can still build year-over-year models you can measure consistently.
     
  • The underlying data may be tainted. As much as we’d like to rely on financial data from other organizations and industry surveys, there’s no guarantee that all participants have applied accounting principles consistently, or calculated inputs (such as full-time equivalents) in the same way, which can make comparisons inaccurate.

Despite these pitfalls, benchmarking is a useful tool for your organization. It lets you take stock of your current financial condition and risk profile, identify areas for improvement and find a realistic and measurable plan to strengthen your organization.

Here are four steps to take to start a successful benchmarking program and overcome these pitfalls:

  1. Benchmark against yourself. Use year-over-year and month-to-month data to identify trends, inconsistencies and unexplained changes. Once you have the information, you can see where you want to direct improvement efforts.
  2. Look to industry/peer data. We’d love to tell you that all financial statements and survey inputs are created equally, but we can’t. By understanding the source of your information, and the potential strengths and weaknesses in the data (e.g., too few peers, different size organizations and markets, etc.), you will better know how to use it. Understanding the data source allows you to weigh metrics that are more susceptible to inconsistencies.
  3. Identify what is important to your organization and focus on it. Remove data points that have little relevance for your organization. Trying to address too many measures is one of the primary reasons benchmarking fails. Identify key metrics you will target, and watch them over time. Remember, keeping it simple allows you to put resources where you need them most.
  4. Use the data as a tool to guide decisions. Identify aspects of the organization that lie beyond your risk tolerance and then define specific steps for improvement.

Once you take these steps, you can add other measurement strategies, including stress testing, monthly reporting, use in budgeting, and forecasting. By taking the time to create and use an effective methodology, competitive advantage can be yours. Want to learn more? Check out our resources for not-for-profit organizations here.

Read this if you are a plan sponsor of employee benefit plans.

This article is the ninth in a series to help employee benefit plan fiduciaries better understand their responsibilities and manage the risks of non-compliance with Employee Retirement Income Security Act (ERISA) requirements. You can read the previous articles here.

Employee benefit plan loan basics 

If your plan’s adoption agreement is set up to allow loans, participants can borrow against their account balance. Some participants may find this an attractive option as the interest they pay on the loan is returned to their retirement account as opposed to other loans where the interest is paid to the lender. 

Additionally, while interest is charged at the market rate, it may be lower than other options available to the participant, such as a credit card or other unsecured debt. Unlike hardship distributions, there are no restrictions on the circumstances under which a participant may take a loan. A potential downside is that if the borrower defaults on the loan or ends their employment and cannot repay the loan in full, it converts from a loan to a deemed distribution, potentially incurring taxes and penalties.

If a participant decides that an employee benefit plan loan is their best option, they will apply for the loan through your plan administrator. Loans are limited in both size and quantity. Participants may take loans up to 50% of their vested account balance with a maximum loan of $50,000. The provisions of a plan determine how many loans an employee may have at once; however, the combined loan balances cannot exceed 50% of the employee’s vested balance or $50,000. Furthermore, the $50,000 loan maximum must also consider payments made on loans within the previous 12 months.

Repayment of employee benefit plan loans

Repayment of employee benefit plan loans may be done through after-tax payroll contributions, making it a relatively easy process for the participant. If a plan sponsor elects to provide this repayment option, they must ensure that repayments are remitted to the plan in a timely manner, just as they must with other employee-funded contributions. The term of the loan is typically limited to five years and must be repaid in at least quarterly installments. However, a loan can be extended to as long as thirty years if specified within the plan’s loan policy. If the loan term is for longer than five years, the loan proceeds must be used to purchase a primary residence.

Like any source of debt, there are pros and cons to taking out an employee benefit plan loan, and it remains an important option for participants to understand. The benefits include the ease of applying for such a loan and loan interest that is then added to the participant’s retirement account balance. Potential pitfalls include lost earnings during the loan period and the risk of the loan becoming a deemed distribution if the participant is unable to repay within the allotted time. 

If you would like more information, or have questions about your specific situation, please contact our Employee Benefits Audit team.

Article
Retirement plan loans: A brief review

This article is the first in a series to help employee benefit plan fiduciaries better understand their responsibilities and manage the risks of non-compliance with ERISA requirements.

On Labor Day, 1974, President Gerald Ford signed the Employee Retirement Income Security Act, commonly known as ERISA, into law. Prior to ERISA, employee pensions had scant protections under the law, a problem made clear when the Studebaker automobile company closed its South Bend, Indiana production plant in 1963. Upon the plant’s closing, some 4,000 employees—whose average age was 52 and average length of service with the company was 23 years—received approximately 15 cents for each dollar of benefit they were owed. Nearly 3,000 additional employees, all of whom had less than 10 years of service with the company, received nothing.

A decade later, ERISA established statutory requirements to preserve and protect the rights of employees to their pensions upon retirement. Among other things, ERISA defines what a plan fiduciary is and sets standards for their conduct.

Who is—and who isn’t—a plan fiduciary?
ERISA defines a fiduciary as a person who:

  1. Exercises discretionary authority or control over the management of an employee benefit plan or the disposition of its assets,
  2. Gives investment advice about plan funds or property for a fee or compensation or has the authority to do so,
  3. Has discretionary authority or responsibility in plan administration, or
  4. Is designated by a named fiduciary to carry out fiduciary responsibility. (ERISA requires the naming of one or more fiduciaries to be responsible for managing the plan's administration, usually a plan administrator or administrative committee, though the plan administrator may engage others to perform some administrative duties).

If you’re still unsure about exactly who is and isn’t a plan fiduciary, don’t worry, you’re not alone. Disagreements over whether or not a person acting in a certain capacity and in a specific situation is a fiduciary have sometimes required legal proceedings to resolve them. Here are some real-world examples.

Employers who maintain employee benefit plans are typically considered fiduciaries by virtue of being named fiduciaries or by acting as a functional fiduciary. Accordingly, employer decisions on how to execute the intent of the plan are subject to ERISA’s fiduciary standards.

Similarly, based on case law, lawyers and consultants who effectually manage an employee benefit plan are also generally considered fiduciaries.

A person or company that performs purely administrative duties within the framework, rules, and procedures established by others is not a fiduciary. Examples of such duties include collecting contributions, maintaining participants' service and employment records, calculating benefits, processing claims, and preparing government reports and employee communications.

What are a fiduciary’s responsibilities?
ERISA requires fiduciaries to discharge their duties solely in the interest of plan participants and beneficiaries, and for the exclusive purpose of providing benefits for them and defraying reasonable plan administrative expenses. Specifically, fiduciaries must perform their duties as follows:

  1. With the care, skill, prudence, and diligence of a prudent person under the circumstances;
  2. In accordance with plan documents and instruments, insofar as they are consistent with the provisions of ERISA; and
  3. By diversifying plan investments so as to minimize risk of loss under the circumstances, unless it is clearly prudent not to do so.

A fiduciary is personally liable to the plan for losses resulting from a breach of their fiduciary responsibility, and must restore to the plan any profits realized on misuse of plan assets. Not only is a fiduciary liable for their own breaches, but they are also liable if they have knowledge of another fiduciary's breach and either conceal it or do not make reasonable efforts to remedy it.

ERISA provides for a mandatory civil penalty against a fiduciary who breaches a fiduciary responsibility under ERISA or commits a violation, or against any other person who knowingly participates in such breach or violation. That penalty is equal to 20 percent of the "applicable recovery amount" paid pursuant to any settlement agreement with ERISA or ordered by a court to be paid in a judicial proceeding instituted by ERISA.

ERISA also permits a civil action to be brought by a participant, beneficiary, or other fiduciary against a fiduciary for a breach of duty. ERISA allows participants to bring suit to recover losses from fiduciary breaches that impair the value of the plan assets held in their individual accounts, even if the financial solvency of the entire plan is not threatened by the alleged fiduciary breach. Courts may require other appropriate relief, including removal of the fiduciary.

Over the coming months, we’ll share a series of blogs for employee benefit plan fiduciaries, covering everything from common terminology to best practices for plan documentation, suggestions for navigating fiduciary risks, and more.

Article
What's in a name? A lot, if you manage a benefit plan.

Editor's note: Read this if you are a leader in higher education.

The Department of Education has released guidance to colleges and universities on how the CARES Act grants to institutions, under the Higher Education Emergency Relief Fund (HEERF), may be used. The guidance comes in the form of answers to frequently asked questions, which we recommend institutions read before accepting the funds. Some key answers included in the document:

  1. A school must participate in the HEERF funding that is to be used for grants to students in order to get the institutional share.
  2. Schools can use these funds to cover the costs of refunds for room and board provided as a result of campus closure.
  3. These funds can be used to make additional emergency financial aid grants to students impacted by campus closure.

We urge schools to retain supporting documentation of the proper use of these funds to allow for a compliance audit, should that be required. 

Questions?
Please contact Renee Bishop, Sarah Belliveau, or Mark LaPrade. We’re here to help.

Article
The Higher Education Emergency Relief Fund (HEERF): Guidelines

BerryDunn’s Healthcare/Not-for-Profit Practice Group members have been working closely with our clients as they navigate the effect the COVID-19 pandemic will have on their ability to sustain and advance their missions.

We have collected several of the questions we received, and the answers provided, so that you may also benefit from this information. We will be updating our COVID-19 Resources page regularly. If you have a question you would like to have answered, please contact Sarah Belliveau, Not-for-Profit Practice Area leader, at sbelliveau@berrydunn.com.

The following questions and answers have been compiled into categories: stabilization, cash flow, financial reporting, endowments and investments, employee benefits, and additional considerations.

STABILIZATION
Q: Is all relief focused on small to mid-size organizations? What can larger nonprofit organizations participate in for relief?
A:

We have learned that there is an as-yet-to-be-defined loan program for mid-sized employers with between 500 and 10,000 employees. You can find information in the Loans Available for Nonprofits section (link below) of the CARES Act as well as on the Independent Sector CARES Act web page, which will be updated regularly.

Q: Should I perform financial modeling so I can understand the impact this will have on my organization? Things are moving so fast, how do I know what federal programs are available to provide assistance?
A:

The first step in developing a short-term model to navigate the next few months is to gain an understanding of the programs available to provide assistance. These resources summarize some information about available programs:

Loans Available for Nonprofits in the CARES Act
Families First Coronavirus Response Act (FFCRA): FAQs for Businesses
CARES Act Tax Provisions for Not-for-Profit Organizations

The next step is to develop scenarios ranging from best case to worst case to analyze the potential impact of revenue and/or cost reductions on the organization. Modeling the various options available to you will help to determine which program is best for your organization. Each program achieves a different objective – for instance:

  • The Paycheck Protection Program can assist in retaining employees in the short term.
  • The Emergency Economic Injury Grants are helpful in covering a small immediate liquidity need.
  • The Small Business Debt Relief Program provides aid to those concerned with making SBA loan payments.

Additionally, consider non-federal options, such as discussing short-term deferrals with your current bank.

Q: How should I create a financial forecast/model for the next year?
A:

If you have the benefit of waiting, this is likely a time period in which it makes sense to delay significant in-depth forecasting efforts, particularly if your business environment is complicated or subject to significant volatility as a result of recent events. The concern with beginning to model for future periods, outside of the next three-to-six months, is that you’ll be using information that is incomplete and ever-changing. This could lead to snap judgments that are short-term in nature and detrimental to the long-term planning and success of your organization.

With that said, we recognize that delaying this analysis will be unsettling to many CFOs and business managers who need to have a strategy moving forward. In developing this model for next year, consider the following elements of a strong model:

  1. Flexible and dynamic – Allow room for the model to adapt as more information is available and as additional insight is requested by your constituents (board members, department heads, lenders, etc.).
  2. Prioritize – Start with your big-ticket items. These should be the items that drive results for the organization. Determine what your top two to three revenue and expense categories are and focus on wrapping your arms around the future of those. From there, look for other revenue and expense sources that show correlation with one of the big two to three. Using a dynamic model, these should be automatically updated when assumptions on correlated items change. Don’t waste time on items that likely don’t impact decision making. Finally, build consensus on baseline assumptions, whether it be through management or accounting team, the board, or finance committee.
  3. Stress-test – Provide for the reality that your assumptions, and thus model, will be wrong. Develop scenarios that run from best-case to worst-case. Be honest with your assumptions.
  4. Identify levers – As you complete stress-testing, identify your action plan under different circumstances. What are expenditures that can be deferred in a worst-case scenario? What does staffing look like at various levels?
  5. Cash is king – The focus on forecasting and modeling is often on the net income of the organization and the cash flows generated. In a time such as this, the exercise is likely to focus on future liquidity. Remember to consider your non-income and expense items that impact cash flow, such as principal payments on debt service, planned additions to property & equipment, receipts on pledge payments, and others.  

CASH FLOW
Q: How can I alleviate cash flow strain in the near term?
A:

While the House and Senate have reacted quickly to bring needed relief to individuals and businesses across the country, the reality for most is that more will need to be done to stabilize. Operationally, obvious responses in the short term should be to eliminate all nonessential purchasing and maximize the billing and collection functions in accounts receivable. Another option is to utilize or increase an existing line of credit, or establish a new line of credit, to alleviate short term cash flow shortfalls. Organizations with investment portfolios can consider the prudence of increasing the spending draw on those funds. Rather than making a few drastic changes, organizations should take a multi-faceted approach to reduce the strain on cash flow while protecting the long term sustainability of the mission.

Q: How can I increase my organization’s reach to help with disaster relief? If we establish a special purpose fund, what should my organization be thinking about?
A:

Many organizations are looking for ways to increase their direct impact and give funding to individuals or organizations they may not have historically supported. For those who want to expand their grant or gift making or want to establish a disaster relief fund, there are things to consider when doing so to help protect the organization. The nonprofit experts at Hemenway & Barnes share their thoughts on just how to do that.

FINANCIAL REPORTING
Q: What accounting standards have been delayed or are in the process of being delayed?
A:

FASB:
The $2.2 trillion stimulus package includes a provision that would allow banks the temporary option to delay compliance with the current expected credit losses (CECL) accounting standard. This would be delayed until the earlier of the end of the fiscal year or the end of the coronavirus national emergency.

GASB:
On March 26, 2020, the Governmental Accounting Standards Board (GASB) announced it has added a project to its current technical agenda to consider postponing all Statement and Implementation Guide provisions with an effective date that begins on or after reporting periods beginning after June 15, 2018. The GASB has received numerous requests from state and local government officials and public accounting firms regarding postponing the upcoming effective dates of pronouncements as these state and local government offices are closed and officials do not have access to the information needed to implement the Statements. Most notably this would include Statement No. 84, Fiduciary Activities, and Statement No. 87, Leases.

The Board plans to consider an Exposure Draft for issuance in April and finalize the guidance in May 2020.

ENDOWMENTS AND INVESTMENTS 
Q: What should I consider with regard to endowments?
A:

Many nonprofits with endowments are considering ways to balance an increased reliance on their investment portfolios with the responsibility to protect and preserve the spending power of donor-restricted gifts. Some things to think about include the existence (or absence) of true restrictions, spending variations under the Uniform Prudent Management of Institutional Funds Act (UPMIFA) applicable in your state, borrowing from an endowment, or requesting from the donor the release of restrictions. All need to be balanced with the intended duration and preservation of the endowment fund. Hemenway & Barnes shares their thoughts relative to the utilization of endowments during this time of need.

EMPLOYEE BENEFITS
Q: We are going to suspend our retirement plan match through June 30, 2020 and I picked a start date of April 1st. What we need help with is our bi-weekly payroll (which is for HOURLY employees). Their next pay date is April 3rd, for time worked through March 28th. Time worked March 29-31 would be paid on April 17th. How should we handle the match during this period for the hourly employees?
A:

The key for determining what to include for the matching calculation is when it is paid, not when it was earned. If the amendment is effective April 1st, then any amounts paid after April 1st would not have matching contributions calculated. This means that the amounts paid on April 3rd would not have any matching contributions calculated.

Q: Can you please provide guidance on the Families First Coronavirus Response Act (FFCRA) and how it may impact my organization?
A:

On March 30th, BerryDunn published a blog post to help answer your questions around the FFCRA.

If you have additional questions, please contact one of our Employee Benefit Plan professionals.

ADDITIONAL CONSIDERATIONS
Q: I heard there was going to be an incentive for charitable giving in the new act. What's that all about?
A:

According to Sections 2204 and 2205 of the CARES Act:

  • Up to $300 of charitable contributions can be taken as a deduction in calculating adjusted gross income (AGI) for the 2020 tax year. This will provide a tax benefit even to those who do not itemize.
  • For the 2020 tax year, the tax cap has been lifted for:
    • Individuals: from 60% of AGI to 100%
    • Corporations: annual limit is raised from 10% to 25% (for food donations this is raised from 15% to 25%)

Q: Have you heard if the May 15th tax deadline will be extended?
A:

Unfortunately, we have not heard. As of April 6th, the deadline has not been extended.

Q: Could you please summarize for me the tax provisions in the CARES Act that you think are most applicable to not-for-profits?
A: Absolutely! Our not-for-profit tax professionals have compiled this document, which provides a high-level outline of tax provisions in the CARES Act that we believe would be of interest to our clients.

We are here to help
Please contact the BerryDunn not-for-profit team if you have any questions, or would like to discuss your specific situation.

Article
COVID-19 FAQs—Not-for-Profit Edition

Read this if you are responsible for cybersecurity at your organization. 

During the financial audit process, auditors are required to develop and confirm their understanding of Information Technology (IT) and cybersecurity practices as they relate to financial reporting, both to better understand risks and because auditors rely heavily on data pulled from accounting information systems. As auditors, we have seen a significant increase in the number of impactful incidents affecting not-for-profit organizations, and our IT security experts often share valuable advisory comments in annual audit communications with our clients. With recent incidents and a very rapidly changing business environment, here are the three most important comments from the last six months that impact all not-for-profits.

Board oversight of cybersecurity 

Cybersecurity gaps within an organization’s systems may lead to risk exposure and have material impacts on all aspects of operations. Responsibility for cybersecurity controls and for establishing a culture of awareness and security should come from the Board and senior leadership. Board members and senior leaders should stay apprised of cybersecurity efforts on a regular basis and incidents should be summarized and reported on a quarterly basis. 

The Board should also consider adding a member who is a professional with IT and cybersecurity experience to help manage and understand the specific risks to the organization and help drive and support cybersecurity efforts.

Ransomware threats and preventive controls

The use of ransomware as a profitable attack on organizations by hackers continues to rapidly increase. Within the last year there have been multiple high-profile incidents that illustrate the impact of a successful attack. These impacts fall into two main areas. One impact may be financial, as millions of dollars are paid to the bad actors as ransom in hopes of being able to regain control of systems. The second impact is operational, resulting in a loss of control of systems and data during the event. Potentially, an unsuccessful data restoration could result in the total loss of information and data maintained on your networks. 

Though no organization may be able to prevent a ransomware attack from occurring entirely, there are basic cybersecurity controls that help reduce the likelihood and impact of an attack. Preventive controls may include: 

  • Security awareness training on phishing emails and overall IT security practices for all organization users
  • Multi-factor authentication 
  • Access controls that prevent users from installing unapproved software onto organization-owned workstations and networks
  • Anti-malware software installed on devices that connect to organization systems 
  • Use of Zero Trust data management tools for backups
  • Disabling macros in emails (prevents back-end processes from automatically running) 

In addition to including these preventive controls in your cybersecurity program, your organization should assess the corrective controls already in place to react to a ransomware event if one is detected or reported. Corrective controls may include:

  • Disaster recovery plans/business continuity plans 
  • Incident response plans
  • Backup controls and restoration tests 

As the risk of ransomware continues to increase and attacks continue to grow in sophistication, your organization should consider regular assessments of IT controls and cybersecurity practices. Such assessments may be performed in conjunction with annual financial statement audits as an expanded scope and/or as a separate annual IT assessment.

COVID-19 IT considerations 

The global COVID-19 pandemic significantly impacted nearly every aspect of modern life, including the way we work. As personnel were sent home and literally became a remote workforce overnight, IT systems and controls were rapidly adjusted to accommodate this new way of doing business.

Where controls and procedures were adjusted, if not suspended, your organization should review those changes and determine if controls should revert back to the pre-pandemic process—or be formally changed and documented as policy. 

Guidance from the American Institute of Certified Public Accountants (AICPA) dictates that a gap in controls associated with the pandemic is not a legitimate reason for not completing a control and that any changes must be documented and properly managed.  

Well over a year into the pandemic, the concept of a hybrid workforce has emerged as the predominant way employees and businesses want to work. Your organization should review current policies and procedures that may pre-date the pandemic to ensure that the updates both document and consider the current business environment. 

Additionally, with personnel working remotely or in a hybrid model, or a combination of both, you should assess practices for managing remote access and a hybrid workforce and, where needed, implement industry best-practice tools and procedures to accommodate a remote workforce while maintaining security controls. If you have questions regarding your cybersecurity procedures or want to learn more, please contact our team. We’re here to help.

Article
Cybersecurity update for organizations: Considerations for boards and senior management

Read this if you are a plan sponsor of employee benefit plans.

This article is the eleventh in a series to help employee benefit plan fiduciaries better understand their responsibilities and manage the risks of non-compliance with Employee Retirement Income Security Act (ERISA) requirements. You can read the previous articles here.

Most employee benefit plans have outsourced a significant portion of the internal controls to a service organization, such as a third-party administrator. The plan administrator has a fiduciary responsibility to monitor the internal controls of the service organization and to determine if the outsourced controls are suitably designed and effective.

SOC 1 reports: Internal controls and financial reporting

Generally, the most efficient way to obtain an understanding of the outsourced controls is to obtain a report on controls issued by the service organization’s auditor. Commonly referred to as a System and Organization Controls (SOC) report, the SOC report should be based on the American Institute of Certified Public Accountants’ (AICPA) attestation standards and should cover internal controls relevant to financial reporting, also known as a SOC 1 report (the “1” indicating it covers internal controls over financial reporting).

Plan sponsors should perform a documented review of the SOC 1 report for each of the plan’s significant service organizations. The documented review should include the plan sponsor’s assessment of the complementary user entity controls outlined in the SOC 1 report. The complementary user entity controls are internal control activities that should be in place at the plan sponsor to provide reasonable assurance that the controls tested at the service organization are operating effectively at your plan. If a service organization’s internal controls are operating effectively, but complementary user entity controls are not in place at your organization, the effectiveness of the service organization’s internal controls may not transfer to your plan’s operations.

Credibility and CPA firms: Considerations

The credibility of the CPA firm completing the SOC 1 report examination may impact the reliability of the CPA firm’s opinion and thus your reliance on the service organization’s internal controls. Unfamiliarity with the service auditor’s qualifications may be mitigated through additional research. Items to consider are:

  • The firm’s expertise in SOC 1 reporting
    • Are they familiar with the service organization’s industry?
    • How many professionals do they have that perform SOC 1 examination services?
  • The evaluation of AICPA peer reviews 
    Audit firms are required to have a periodic peer review conducted. The results of the peer review are public knowledge and can be found on the AICPA’s website.
    • Did the service auditor receive a “pass” rating during their most recent peer review?
    • Did the peer review cover SOC 1 examination services?
  • Evaluation of the service organization’s due diligence procedures surrounding the selection of an auditor

Some of this information may be readily available via the service auditor’s website, while other information may need to be gathered through direct communication with the service organization. A qualified service auditor should be able to provide a SOC 1 report that contains sufficient detail, relevant transactional activity, relevant control objectives, and a timely reporting period.

SOC 1 reports may contain an unqualified, qualified, adverse, or disclaimer of opinion. The report determines if the controls in place are adequate for complete and accurate financial reporting. Report qualifications may affect the risk of relying on the service organization and may result in the need for additional procedures or safeguards to help ensure the plan’s financial statements are presented fairly. Even if the SOC 1 report received an unqualified opinion, you should review the controls tested by the service auditor and the results of such testing for any exceptions. Exceptions, even if they don’t result in a qualified opinion, may have an impact on the plan’s control environment. 

You should also review the scope of the audit to check that all significant transaction cycles, processes, and IT applications were properly assessed for their impact on the plan’s financial statements. Areas outside the scope of the SOC 1 report may require additional consideration, including the possibility of obtaining more than one SOC 1 report for subservice organizations whose functions were carved out from the service organization’s SOC 1 report.

Subservice organizations

Subservice organizations are frequently utilized to process certain transactions or perform certain functions at the service organization. Management of the service organization may identify certain transaction cycles and processes that are performed by a subservice organization and choose to exclude relevant control objectives and related controls from the SOC 1 report description and the scope of the auditor’s engagement. In such cases, multiple SOC 1 reports may need to be acquired to gain adequate coverage of all controls and objectives relevant to your plan. 

Furthermore, you need to consider the time period the SOC 1 report covers. Coverage should be obtained for your plan’s full fiscal year. For SOC 1 reports that lack coverage of your plan’s full fiscal year, a bridge letter should be obtained to help ensure that no significant changes in controls occurred between the SOC 1 report examination period and the end of your plan’s fiscal year.

Although plans commonly outsource a significant portion of their day-to-day operations to service organizations, plan fiduciaries cannot outsource their responsibilities surrounding the maintenance of a sound control environment. SOC 1 reports are a great resource to assess the control environments of service organizations. However, such reports can be lengthy and daunting to review. We hope this article provides some best practices in reviewing SOC 1 reports. If you have any questions, or would like to receive a copy of our SOC 1 report review template, please don’t hesitate to reach out to our Employee Benefits Audit team.

Article
Service organizations and review of SOC 1 reports: Considerations and recommendations

Read this if you use QuickBooks online.

The money you spend to run your business must be recorded conscientiously for your taxes and reports. Here’s how to do it.

You undoubtedly keep a very close watch on the money coming into your business. You record payments as soon as they come in and deposit them in your company’s bank account. But are you as careful about your purchases?

It’s easy to go out to lunch with a client and forget to save the receipt. You figure it’s not that much money, anyway. Or you pick up a ream of printing paper and a cartridge at the office supply store and neglect to record the purchase. When you disregard even small expenses, you can have two problems. One, your books won’t be accurate. And two, you never know how an extra $42.21 under Meals and Entertainment might affect your income taxes.

QuickBooks Online provides two ways to enter expenses. You can create a record on the site itself. Or you can snap a photo with your phone using the QuickBooks Online mobile app to document the money spent. Here’s how these two methods work.

Documenting at your desk

Let’s say you just had lunch with a vendor to discuss some products you’re planning to buy for a project you’re doing for a customer. You charged it to your company credit card, which you track in QuickBooks Online. You still have to enter it as an expense on the site so that when your credit card statement comes, you can match the credit card transaction to the expense you recorded.

Hover over Expenses in the navigation toolbar and click on Expenses. Click the down arrow in the New transaction button and select Expense. Fill in the fields at the top of the screen with details like Payee, Payment date, and any Tags you want to specify. Under Category details, select the correct category from the drop-down list and enter a Description and Amount.

QuickBooks Online allows you to thoroughly document expenses. You can attach a picture of a receipt if you’d like.

Since you’re going to bill this to the customer as a part of your project fee, click in the Billable box to create a checkmark. Select the Customer/Project. Add a Memo to remind yourself of the reason for the lunch (very important!) and attach a photo of the receipt if you take one. Click Save. Your record of the lunch will now appear on the Expense Transactions screen. It will also show up in the Expenses by Vendor Summary and Unbilled Charges reports, among others.

Recording with QuickBooks Online on the road

In the example we just went through, attaching a photo of the receipt was the last thing we did to record an expense in QuickBooks Online. There’s another way to document a purchase that starts with a photo of a receipt and should save you a bit of data entry: using the QuickBooks Online mobile app. The app uses Optical Character Recognition (OCR) to “read” the receipt and transfer some of its data to fields on an expense record. (If you haven’t installed the QBO app on your smartphone, you should. You can do a lot of your accounting work that synchronizes automatically with QBO. It’s free, too.)

Open the app and log in. On the opening screen, you’ll see an icon labeled Snap Receipt. Click on it, and your phone’s camera will open (you’ll be asked for permission to use it). Position your phone over the receipt and move it around until you see the blue box covering the content of the receipt. Take the picture. You’ll see it displayed on the phone with a message saying, “Use this photo.” If it seems OK, click the link.

A message on the screen will tell you that the upload is complete and that the app is extracting the information from it. Click “Got it!” It should only take about a minute for your receipt to appear in the list on the Receipt snap screen. You’ll see the details that the app has pulled from your receipt. Tap the matching expense and click Done on the next screen.

You can snap a photo of the receipt in the QuickBooks Online mobile app, and some fields will be automatically entered on a receipt form in QBO.

When you’re back at your computer, open QuickBooks Online and go to Transactions | Receipts. At the end of the row that contains your receipt, click the down arrow next to Delete and select Review. QBO will display the partially-completed receipt form next to the photo you took of the receipt. Fill in any missing fields and save the transaction. Click Create expense on the screen that opens. Then open the Expenses menu and select Expenses, and there should be an entry for the receipt you just added.

This tool isn’t perfect, of course. Every receipt has different fields in different places, and sometimes they’re just not very readable. But in our tests, the app picked up an average of four fields.

Documenting your expenses using one of these two methods is so important. It will help you remember why you stored the receipt and make your reports more accurate. As long as you’re categorizing each transaction correctly, it will also make your tax preparation easier and faster and ensure that you’re charging customers for billable expenses. And if you’re ever audited, your careful work will come in handy.

QuickBooks Online does expense management well, but there are enough moving parts in these recording tools that you may have some questions. Please contact our Outsourced Accounting team. We're here to help. 

Article
Record expenses in QuickBooks Online and on your phone

Read this if you are a plan sponsor of employee benefit plans.

This article is the tenth in a series to help employee benefit plan fiduciaries better understand their responsibilities and manage the risks of non-compliance with Employee Retirement Income Security Act (ERISA) requirements. You can read the previous articles here.

ERISA bonding requirements

Generally, every fiduciary of a plan and every person who handles funds or other property of the plan must be bonded. ERISA's bonding requirements are intended to protect employee benefit plans from risk of loss due to fraud or dishonesty on the part of persons who handle plan funds or other property. ERISA refers to persons who handle funds or other property of an employee benefit plan as plan officials. A plan official must be bonded for at least 10% of the amount of funds he or she handles, subject to a minimum bond amount of $1,000 per plan with respect to which the plan official has handling functions. In most instances, the maximum bond amount that can be required under ERISA with respect to any one plan official is $500,000 per plan. If the plan holds employer securities, the maximum required bond amount increases to $1,000,000. The bond must be fixed or estimated at the beginning of the plan's reporting year; that is, as soon after the date when such year begins as the necessary information from the preceding reporting year can practicably be ascertained. The amount of the bond must be based on the highest amount of funds handled by the person in the preceding plan year. Bonds must be placed with a surety or reinsurer that is named on the Department of the Treasury's Listing of Approved Sureties, Department Circular 570.

The US Department of Labor Field Assistance Bulletin No. 2008-04 provides answers to a number of questions that have been raised concerning the bonding rules.

Compliance testing

The Internal Revenue Code requires retirement plans to undergo certain non-discrimination and compliance testing on an annual basis to ensure contributions or benefits do not discriminate in favor of highly compensated employees and contributions are not in excess of amounts prescribed by the Internal Revenue Service (IRS).

The tests the plan should perform vary based on the plan’s provisions. However, some of the more common tests for defined contribution plans are:

Actual Deferral Percentage (ADP) Test: This test ensures employee salary deferrals made to the plan do not disproportionately benefit highly compensated employees (HCEs). If this test is failed, the most common correction method is distributing excess contributions to HCEs in the amount necessary to make the test pass. Corrections should be made no later than two-and-a-half months following the close of the plan year to avoid a 10% excise tax. The final deadline is 12 months following the close of the plan year.

Actual Contribution Percentage (ACP) Test: This test ensures the matching and voluntary employer contributions made to the plan do not disproportionately benefit HCEs. If this test is failed, the most common correction method is removing excess contributions from HCEs’ accounts in the amount necessary to make the test pass. These excess contributions do not leave the plan. Rather, they are transferred into the forfeiture account of the plan, typically to be used to pay plan expenses or fund future employer contributions. Corrections should be made no later than two-and-a-half months following the close of the plan year to avoid a 10% excise tax. The final deadline is 12 months following the close of the plan year.

416 Top Heavy Test: This test ensures key employees do not represent a disproportionate percentage of plan assets. If this test is failed, the most common correction method is to allocate a 3% top heavy minimum contribution to non-key participants (any participant that is not a key employee). Other employer contributions can be used to offset the 3% contribution. Corrections should be made no later than 12 months following the close of the plan year in which the plan is top heavy.

The ADP, ACP, and Top Heavy Tests can be forgone if the plan qualifies for safe harbor status. Also, 403(b) plans are not required to perform the ADP or the Top Heavy Test.

410(b) Minimum Coverage Test: This test ensures each contribution made to the plan benefits a sufficient percentage of non-HCEs. This test is performed for each different contribution type offered within the plan. If this test is failed, the most common correction method is to retroactively amend the plan to benefit more non-HCEs until the test passes. Corrections should be made no later than nine-and-a-half months following the close of the plan year in which the failure occurred.

402(g) Elective Deferral Limit: Participants are limited in the amount of elective deferrals they may contribute to qualified plans and thus exclude from taxable income each calendar year. If a participant contributes in excess of this limit, the most common correction method is to distribute the excess contribution amount. In 2021, the 402(g) Elective Deferral Limit is $19,500. Corrections should be made no later than April 15th following the close of the calendar year during which the excess deferral was made.

415(c) Annual Addition Limit: Participants are also limited in the amount of total contributions that can be credited to their account each limitation year (usually the plan year). If a participant receives total contributions in excess of this limit, the most common correction method is to first distribute elective contributions in excess of the limit. If an excess still remains, employer contributions should then be transferred to the plan’s forfeiture account. In 2021, the 415(c) Annual Addition Limit is $58,000. Corrections should be made no later than nine-and-a-half months following the close of the limitation year in which the failure occurred.

ERISA bonding requirements and compliance testing, although not necessarily related, are two of the compliance matters we, as auditors, commonly look at during our audits. For ERISA bonding requirements, we review to make sure the plan had adequate coverage and the bond is with an approved surety. For compliance testing, we look to make sure the testing has been performed and failed tests, if any, have been appropriately and timely resolved. Plan fiduciaries are not alone in addressing these matters—insurance carriers can help guide plan management in finding a fidelity bond appropriate for their plan and third-party administrators will typically perform compliance testing on behalf of the plan and guide plan management through any necessary corrections. However, it is still important for plan fiduciaries to be aware of the overall purpose of the bonding requirements and the compliance tests and be familiar with the correction methods and deadlines.

If you would like more information, or have questions about your specific situation, please contact our Employee Benefits Audit team.

Article
Other ERISA compliance matters: ERISA bonding requirements and compliance testing