
Discovery: Cybersecurity playbook for management #5

04.27.18

A professional sports team is an ever-changing entity. To have a general perspective on the team’s fluctuating strengths and weaknesses, a good coach needs to trust and empower their staff to discover the details. Chapter 5 in BerryDunn’s Cybersecurity Playbook for Management looks at how discovery can help managers understand their organization’s ever-changing IT environment. 

What is discovery, and how does it connect to capacity?
RG: Discovery is the process of mapping your organization’s capacity—people, processes, and tools—so you understand what your organization’s IT environment has. In other words, it’s the auditing of your IT environment.

Of course, the most valuable thing within your IT environment, other than the people who access it, is the “thing” that drives your business. Often this thing is data, but it could be proprietary processes or machinery. For the purposes of this blog, we’ll focus on data. Discovery naturally answers questions such as:

• What in our IT environment is important to our business?
• How is it being used?
• Who has access to it, and how can we better protect it? 

How can managers tackle discovery?
RG: First, you need to understand discovery requires accepting the fact that the environment is always evolving. Discovery is not a one-and-done process—it never ends. People introduce new things, like updated software, into IT environments all the time. Your IT environment is an always-shifting playing field. Think of Amazon’s Alexa devices. When someone plugs one into your internal wireless network, they’ve just expanded your attack surface for a hacker by introducing a new device with its own set of vulnerabilities.

Second, you have to define the “auditable universe” by establishing manageable boundaries in direct proportion to your discovery team’s capabilities. I often see solicitations for proposals that ask for discovery of all assets in an IT environment. That could include a headquarters building, 20 satellite offices, and remote workers, and is going to take a long time to assess. I recently heard of a hospital discovering 41,000 internet-connected devices on their network—mostly Internet of Things (IoT) resources, such as heart monitors. Originally, the hospital had only been aware of about one-third of these devices. Keeping your boundaries realistic and manageable can prevent your team from being overwhelmed.

Third, your managers should refrain from getting directly involved with discovery because it’s a pretty technical and time-consuming process. You should task a team to conduct discovery, and provide the discovery team with adequate tools. There are a lot of good tools that can help map networks and manage assets; we’ll talk about them later in this blog. Managers should mainly concern themselves with the results of discovery and trust in the team’s ability to competently map out the IT environment. Remember, the IT environment is always evolving, so even as the results roll in, things are changing.
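One way a discovery team can turn “discovery never ends” into a repeatable check is to reconcile each new network scan against the asset baseline it already holds, so that anything unknown (the Alexa someone plugged in, the IoT devices the hospital had not been tracking) is surfaced rather than silently widening the attack surface. The following Python is an added example for this page, not code from the article or from BerryDunn; every asset, MAC address and owner in it is constructed sample data, and the `Asset` fields are an assumed minimal schema.

```python
"""Continuous discovery as asset-inventory reconciliation (added example).

A scan result is compared against the team's asset baseline. Devices are
matched on MAC address (assumed stable across scans); IPs and hostnames are
treated as attributes that may legitimately change. All data is constructed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    mac: str                    # stable identifier used to match across scans
    ip: str
    hostname: str
    owner: str = "UNASSIGNED"   # person or team accountable for the device


# Constructed baseline: what the discovery team believes is on the network.
BASELINE = [
    Asset("aa:bb:cc:00:00:01", "10.0.1.10", "fileserver01", owner="IT"),
    Asset("aa:bb:cc:00:00:02", "10.0.1.20", "hr-db01", owner="HR"),
    Asset("aa:bb:cc:00:00:03", "10.0.1.30", "printer-2f", owner="Facilities"),
]

# Constructed output of this week's network scan (owners are not known to a scanner).
SCAN = [
    Asset("aa:bb:cc:00:00:01", "10.0.1.10", "fileserver01"),
    Asset("aa:bb:cc:00:00:02", "10.0.1.25", "hr-db01"),            # IP changed
    Asset("aa:bb:cc:00:00:09", "10.0.1.77", "echo-dot-kitchen"),   # not in baseline
    Asset("aa:bb:cc:00:00:0a", "10.0.1.78", "monitor-icu-12"),     # not in baseline
]


def reconcile(baseline, scan):
    """Return MACs that are new, missing, or changed relative to the baseline."""
    known = {a.mac: a for a in baseline}
    seen = {a.mac: a for a in scan}
    new = sorted(m for m in seen if m not in known)
    missing = sorted(m for m in known if m not in seen)
    changed = sorted(
        m for m in seen if m in known
        and (seen[m].ip, seen[m].hostname) != (known[m].ip, known[m].hostname)
    )
    return {"new": new, "missing": missing, "changed": changed}


def known_fraction(baseline, scan):
    """Share of devices actually present that the baseline already knew about."""
    known = {a.mac for a in baseline}
    seen = {a.mac for a in scan}
    return len(known & seen) / len(seen) if seen else 1.0


def update_baseline(baseline, scan):
    """Fold the scan into a new baseline.

    Known devices keep their owner but take the scanned IP/hostname; devices
    seen for the first time enter as UNASSIGNED so ownership must be resolved.
    Devices that were not seen are reported by reconcile(), not dropped here.
    """
    known = {a.mac: a for a in baseline}
    merged = []
    for a in scan:
        if a.mac in known:
            merged.append(replace(a, owner=known[a.mac].owner))
        else:
            merged.append(a)  # owner defaults to UNASSIGNED
    return merged


def unassigned(assets):
    """MACs with no accountable owner; these are the follow-up items for the team."""
    return sorted(a.mac for a in assets if a.owner == "UNASSIGNED")


if __name__ == "__main__":
    delta = reconcile(BASELINE, SCAN)
    print("new devices:    ", delta["new"])
    print("missing devices:", delta["missing"])
    print("changed devices:", delta["changed"])
    print(f"baseline knew about {known_fraction(BASELINE, SCAN):.0%} of what is on the network")
    print("needs an owner: ", unassigned(update_baseline(BASELINE, SCAN)))
```

The `known_fraction` figure is the same measurement as the hospital anecdote above (it was aware of roughly one-third of its devices), and a falling value between runs is the signal that the auditable universe has grown faster than the team's boundaries.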

Who should managers select for the discovery team?
RG: Ideally, various groups of people. For instance, it makes sense for HR staff to conduct the people part of discovery. Likewise, it makes sense for data owners—staff responsible for certain data—to conduct the process part of discovery, and for IT staff to conduct the tool part.

However, I should point out that if you have limited internal resources, then the IT staff can conduct all three parts of discovery, working closely with all stakeholders. IT staff will have a pretty good sense of where data is held within the organization’s IT environment, and they will develop an understanding of what is important to the organization.

Could an organization’s security staff conduct discovery?
RG: Interestingly enough, security staff don’t always have day-to-day interactions with data. They are more focused on overall data protection strategies and tactics. Therefore, it makes more sense to leverage other staff, but the results of discovery (e.g., knowing where data resides, understanding the sensitivity of data) need to be shared with security staff. Ultimately, this knowledge will help security staff better protect your data.

What about hiring external resources to conduct discovery?
RG: It depends on what you’re trying to do. If the goal of discovery is to comply with some sort of regulatory standard or framework, then yes, hiring external resources makes sense. These resources could come in and, using the discovery process, conduct a formal assessment. It may also make sense to hire external resources if you’re short-staffed, or if you have a complex environment with undocumented data repositories, processes, and tools. Yet in each of these scenarios, the external resources will only be able to provide a point-in-time baseline. 

Otherwise, I recommend leveraging your internal staff. An internal discovery team should be able to handle the task if adequately staffed and resourced, and team members will learn a lot in the process. And as discovery never really ends, do you want to have to perpetually hire external resources?

People make up a big part of capacity. Should the discovery team focus on people and their roles in this process?
RG: Yes! It sounds odd that people and their roles are included in discovery, but it is important to know who is using and touching your data. At a minimum, the discovery team needs to conduct background checks. (This is one example of where HR staff need to be part of the discovery process.)

How can the discovery team best map processes?
RG: The discovery team has to review each process with the respective data owner. Now, if you are asking the data owners themselves to conduct discovery, then you should have them illustrate their own workflows. There are various process mapping tools, such as Microsoft Visio, that data owners can use for this.

The discovery team needs to acknowledge that data owners often perform their processes correctly through repetition—the problems or potential vulnerabilities stem from an inherently flawed or insecure process, or having one person in charge of too many processes. Managers should watch out for this. I’ll give you a perfect example of the latter sort of situation. I once helped a client walk through the process of system recovery.

During the process we discovered that the individual responsible for system recovery also had the ability to manipulate database records and to print checks. In theory, that person could have been able to cut themselves a check and then erase its history from the system. That’s a big problem!

Other times, data owners perform their processes correctly, but inadvertently use compromised or corrupted tools, such as free software downloaded from the internet. The discovery team has to identify needed policy and procedure changes to prevent these situations from happening.

Your mention of vulnerable software segues nicely to the topic of tools. How can the discovery team best map the technologies the organization uses?
RG: Technology is inherently flawed. You can’t go a week without hearing about a new vulnerability in a widely used system or application. I suggest researching network scanning tools for identifying hosts within your network; vulnerability testing tools for identifying technological weaknesses or gaps; and penetration testing tools for simulating cyber-attacks to assess cybersecurity defenses.

Let’s assume a manager has tasked a team to conduct discovery. What’s the next step?
RG: If you recall, in the previous blog I discussed the value of adopting a cybersecurity risk register, which is a document used to list the organization’s cybersecurity risks, record required risk mitigation actions, and identify who “owns” the risk. The next step is for your discovery team to start completing the risk register. The manager uses this risk register, and subsequent discussions with the team, to make corresponding business decisions to improve cybersecurity, such as purchasing new tools—and to measure the progress of mitigating any vulnerabilities identified in the discovery process. A risk register can become an invaluable resource planning tool for managers.

For discovery purposes, what’s the best format for a cybersecurity risk register?
RG: There are very expensive programs an organization can use to create a risk register. Some extremely large banking companies use the RSA Archer GRC platform. However, you can build a very simple risk register in Excel. An Excel spreadsheet would work well for small and some mid-sized organizations, but there are other relatively inexpensive solutions available. I say this because managers should aim for simplicity. You don’t want the discovery team getting bogged down by a complex risk register.
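The register described above needs only three things per entry (the risk, the required mitigation action, and who owns it) plus a status so the manager can measure progress. The following Python is an added example for this page, not code from the article or from BerryDunn: it reads a spreadsheet-style register exported as CSV, flags entries the discovery team has left incomplete, and summarizes how far mitigation has progressed. The column names and every row of the register are constructed; the risks listed reuse the situations the interview mentions.

```python
"""A simple cybersecurity risk register, kept as CSV (added example).

The register is the kind of flat spreadsheet a small organization would keep
in Excel. Two checks matter to a manager: is every risk actionable (it has a
mitigation and an owner), and how much of the register is closed out.
All rows below are constructed sample data.
"""
import csv
import io

# Constructed register export; "status" is one of Open, In progress, Closed.
REGISTER_CSV = """\
id,risk,mitigation,owner,status
R1,Unknown IoT devices on the clinical network,Quarterly scan reconciled against the asset baseline,IT,Open
R2,One person can run system recovery and also print checks,Separate recovery duties from payment duties,Finance,In progress
R3,Staff installing unvetted free software,Application allow-listing policy and procedure,IT,Closed
R4,No background checks for contractors with data access,,HR,Open
R5,Outdated firmware on shared printers,Vendor patch schedule,,Open
"""

REQUIRED_COLUMNS = {"id", "risk", "mitigation", "owner", "status"}
CLOSED = "Closed"


def load_register(text):
    """Parse the CSV export into a list of row dicts, checking the header first."""
    rows = list(csv.DictReader(io.StringIO(text)))
    header = set(rows[0].keys()) if rows else set()
    missing = REQUIRED_COLUMNS - header
    if missing:
        raise ValueError(f"register is missing columns: {sorted(missing)}")
    return rows


def validate(rows):
    """Return human-readable problems: risks nobody owns or that have no action."""
    problems = []
    for r in rows:
        if not r["owner"].strip():
            problems.append(f"{r['id']}: no risk owner assigned")
        if not r["mitigation"].strip():
            problems.append(f"{r['id']}: no mitigation action recorded")
    return problems


def progress(rows):
    """Fraction of risks closed, plus open risks grouped by owner."""
    closed = sum(1 for r in rows if r["status"] == CLOSED)
    open_by_owner = {}
    for r in rows:
        if r["status"] != CLOSED:
            owner = r["owner"].strip() or "UNASSIGNED"
            open_by_owner[owner] = open_by_owner.get(owner, 0) + 1
    fraction = closed / len(rows) if rows else 1.0
    return {"closed_fraction": fraction, "open_by_owner": open_by_owner}


if __name__ == "__main__":
    rows = load_register(REGISTER_CSV)
    for p in validate(rows):
        print("incomplete:", p)
    summary = progress(rows)
    print(f"{summary['closed_fraction']:.0%} of risks closed")
    for owner, n in sorted(summary["open_by_owner"].items()):
        print(f"  {owner}: {n} open")
```

Running the checks on each update of the register gives the manager the two numbers the interview points at (what still needs an owner or an action, and how much has been mitigated) without adding any tooling beyond the spreadsheet itself.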

Finally, what are some discovery resources and reference guides that managers should become familiar with and utilize?
RG: I recommend the National Institute of Standards and Technology (NIST) Special Publication series. They outline very specific and detailed discovery methodologies you can use to improve your discovery process.

So what’s next?
RG: Chapter 6 will focus on synthesizing maturity, capacity, and discovery to create a resilient organization from a cybersecurity point of view.

Read The workflow: Cybersecurity playbook for management #6 here.


Cybersecurity is the responsibility of all employees and managers: it takes a team

When a breach occurs, people tend to focus on what goes wrong at the technical level and often fail to see that cybersecurity begins at the strategic level. 

BerryDunn’s cybersecurity playbook outlines the activities managers need to take to properly oversee cybersecurity. Read the full series:

  1. Maturity modeling
  2. Selecting and implementing a maturity model
  3. Tapping your internal capacity for better results
  4. External capacity
  5. Discovery
  6. The workflow
  7. Incident response
  8. Incident recovery

Read this if you are a Chief Financial Officer, Chief Compliance Officer, FINOP, or charged with governance of a broker-dealer.

The results of the Public Company Accounting Oversight Board’s (PCAOB) 2020 inspections are included in its 2020 Annual Report on the Interim Inspection Program Related to Audits of Brokers and Dealers. There were 65 audit firms inspected in 2020 by the PCAOB and, although deficiencies declined 11% from 2019, 51 firms still had deficiencies. This high level of deficiencies, as well as the nature of the deficiencies, provides insight into audit quality for broker-dealer stakeholders. Those charged with governance should be having conversations with their auditor to see how they are addressing these commonly found deficiencies and asking if the PCAOB identified any deficiencies in the auditor’s most recent examination. 

If there were deficiencies identified, what actions have been taken to eliminate these deficiencies going forward? Although the annual report on the Interim Inspection Program acts as an auditor report card, the results may have implications for the broker-dealer, as gaps in audit quality may mean internal control weaknesses or misstatements go undetected.

Attestation Standard (AT) No. 1 examination engagements test compliance with the financial responsibility rules and the internal controls surrounding compliance with the financial responsibility rules. The PCAOB examined 21 of these engagements and found 14 of them to have deficiencies. The PCAOB continued to find high deficiency rates in testing internal control over compliance (ICOC). They specifically found that many audit firms did not obtain sufficient, appropriate evidence about the operating effectiveness of controls important to the auditor’s conclusions regarding the effectiveness of ICOC. This insufficiency was widespread in all four areas of the financial responsibility rules: the Reserve Requirement rule, possession or control requirements of the Customer Protection Rule, Account Statement Rule, and the Quarterly Security Counts Rule.

The PCAOB also identified a firm that included a statement in its examination report that referred to an assertion by the broker-dealer that its ICOC was effective as of its fiscal year-end; however, the broker-dealer did not include that required assertion in its compliance report.

AT No. 2 review engagements test compliance with the broker-dealer’s exemption provisions. The PCAOB examined 83 AT No. 2 engagements and found 19 of them to have deficiencies. The most significant deficiencies were that audit firms:

  • Did not make required inquiries, including inquiries about controls in place to maintain compliance with the exemption provisions, and those involving the nature, frequency, and results of related monitoring activities.
  • Similar to AT No. 1 engagements, included a statement in their review reports that referred to an assertion by the broker-dealer that it met the identified exemption provisions throughout the most recent fiscal year without exception; however, the broker-dealers did not include that required assertion in their exemption reports.

The majority of the deficiencies found were in the audits of the financial statements. The PCAOB did not examine every aspect of the financial statement audit, but focused on key areas. These areas were: revenue, evaluating audit results, identifying and assessing risks of material misstatement, related party relationships and transactions, receivables and payables, consideration of an entity’s ability to continue as a going concern, consideration of materiality in planning and performing an audit, leases, and fair value measurements. Of these areas, revenue and evaluating audit results had the most deficiencies, with 45 and 27 deficiencies, or 47% and 26% of engagements examined, respectively.

Auditing standards indicate there is a rebuttable presumption that improper revenue recognition is a fraud risk. In the PCAOB’s examinations, most audit firms either identified a fraud risk related to revenue or did not rebut the presumption of revenue recognition as a fraud risk. These firms should have addressed the risk of material misstatement through appropriate substantive procedures that included tests of details. The PCAOB noted there were instances of firms that did not perform any procedures for one or more significant revenue accounts, or did not perform procedures to address the assessed risks of material misstatement for one or more relevant assertions for revenue. The PCAOB also identified deficiencies related to revenue in audit firms’ sampling methodologies and substantive analytical procedures. Other deficiencies of note, that were not revenue related, included:

  • Incomplete qualitative and quantitative disclosure information, specifically in regards to revenue from contracts with customers and leases.
  • Missing required elements from the auditor’s report.
  • Missing auditor communications:
    • Not inquiring of the audit committee (or equivalent body) about whether it was aware of matters relevant to the audit.
    • Not communicating the audit strategy and results of the audit to the audit committee (or equivalent body).
  • Engagement quality reviews were not performed for some audit and attestation engagements.
  • Audit firms assisted in the preparation of broker-dealer financial statements and supplemental information.

Although there have been improvements in the amounts of deficiencies found in the PCAOB’s examinations, the 2020 annual report shows that there is still work to be done by audit firms. Just like auditors should be inquiring of broker-dealer clients about the results of their most recent FINRA examination, broker-dealers should be inquiring of auditors about the results of their most recent PCAOB examination. Doing so will help broker-dealers identify where their auditor may reside on the audit quality spectrum. If you have any questions, please don’t hesitate to reach out to our broker-dealer services team.

Article
2020 Annual Report on the Interim Inspection Program Related to Audits of Brokers and Dealers

Read this if you are at a financial institution that uses FedLine® Solutions.

In response to an evolving security threat landscape, the Federal Reserve Bank has implemented a Security and Resiliency Assurance Program (“Assurance Program”). Financial institutions that use FedLine® Solutions will need to take action before year-end to comply with Assurance Program requirements. Here’s what you need to know.

Required assessment to be completed annually

Financial institutions are already required to implement, maintain, and assess technical and procedural security controls to safeguard their FedLine® connections. Starting in 2021, financial institutions must conduct an assessment of their compliance with the Federal Reserve Bank's FedLine® security requirements and submit an attestation that they have completed the assessment. The deadline for submitting the first attestation is December 31, 2021. Moving forward, this assessment and attestation must be completed annually.

This assessment can be performed internally by an independent internal department/function such as an internal audit or compliance department. The Federal Reserve Bank may, in its discretion, require the assessment be conducted or reviewed by an independent third party. End User Authorization Contacts (EUAC) for each organization were sent an Assurance Program kick-off packet with requirements and instructions in January 2021 to assist with the process. 

Immediate action 

Evaluate the requirements for your financial institution’s Assurance Program assessment as soon as possible. Planning for the 2021 assessment should be well underway. If you would like to discuss the Assurance Program requirements or you’ve been notified that your financial institution needs an independent third party review, contact us today.

Article
The Federal Reserve's FedLine® Solutions Security and Resiliency Assurance Program

Read this if you are a timber harvester, hauler, or timberland owner.

The USDA recently announced its Pandemic Assistance for Timber Harvesters and Haulers (PATHH) initiative to provide financial assistance to timber harvesting and hauling businesses as a result of the pandemic. Businesses may be eligible for up to $125,000 in financial assistance through this initiative. 

Who qualifies for the assistance?

To qualify for assistance under PATHH, the business must have experienced a loss of at least 10% of gross revenue from January 1, 2020 through December 1, 2020 as compared to the same period in 2019. Also, individuals or legal entities must be a timber harvesting or timber hauling business where 50% or more of its revenue is derived from one of the following:

  • Cutting timber
  • Transporting timber
  • Processing wood on-site on the forest land

What is the timeline for applying for the assistance?

Timber harvesting or timber hauling businesses can apply for financial assistance through the USDA from July 22, 2021 through October 15, 2021.

Visit the USDA website for more information on the program, requirements, and how to apply.
If you have any questions about your specific situation, please contact our Natural Resources team. We’re here to help. 

Article
Temporary USDA assistance program for timber harvesters and haulers

Read this if you are working with an auditor.

The standard report an auditor issues on an entity’s financial statements was created in 1988, and has only had minor tweaking since. Amazing when we think about how the world has changed since 1988! Back then:

  • The World Wide Web hadn’t been invented
  • The Simpsons wasn’t yet on TV, and neither was Seinfeld
  • The Berlin Wall was still standing
  • The Single Audit Act celebrated its fourth birthday

The Auditing Standards Board (ASB), an independent board of the American Institute of CPAs (AICPA) that establishes auditing rules for not-for-profit organizations (as well as private company and federal, state, and local governmental entities) has decided it was high time to revisit the auditor’s report, and update it to provide additional information about the audit process that stakeholders have been requesting.

In addition to serving as BerryDunn’s quality assurance principal for the past 23 years, I’ve been serving on the ASB since January 2017, and as chair since May 2020. (And thanks to the pandemic our meetings during my tenure as chair have been conducted from my dining room table.)  We thought you might be interested in a high-level overview of the coming changes to the auditor’s report, which will be effective starting with calendar 2021 audits, from an insider’s perspective.

So what’s changing?

The most significant changes you’ll be seeing, based on feedback from various users of auditor’s reports, are:

  1. Opinion first
    The opinion in an audit report is the auditor’s conclusion as to whether the financial statements are in accordance with the applicable accounting standards, in all material respects. People told us this is the most important part of the report, so we’ve moved it to the first section of the report.
  2. Auditor’s ethical responsibilities
    We’ve pointed out that an auditor is required to be independent of the organization being audited, and to meet certain other ethical responsibilities in the conduct of the audit.
  3. “Going concern” responsibilities
    We describe management’s responsibility, under U.S. generally accepted accounting principles, and the auditor’s responsibility, under the auditing rules, for determining whether “substantial doubt” exists about the organization’s ability to continue in existence for at least one year following the date the financial statements are approved for issuance.
  4. Emphasis on professional judgment and professional skepticism
    We explain how an audit requires the auditor to exercise professional judgment (for example, regarding how much testing to perform), and to maintain professional skepticism, i.e., a questioning mind that is alert to the possibility the financial statements may be materially misstated, whether due to error or fraud.
  5. Communications with the board of directors
    We point out that the auditor is required to communicate certain matters to the board, such as difficulties encountered during the audit, material adjustments identified during the audit process, and which areas the auditor treated as “significant risks” in planning and performing the audit.
  6. Responsibility related to the “annual report”
    If the organization issues an “annual report” containing or referring to the audited financial statements, we explain the auditor is required to review it for consistency with the financial statements, and for any known misstatements of fact.
  7. Discussion of “key audit matters”
    While not required, your organization may request the auditor to discuss how certain “key audit matters” (those most significant to the audit) were addressed as part of the audit process. These are similar to the “critical audit matters” publicly traded company auditor’s reports are now required to include.

Yes, this means the auditor’s report will be longer; however, stakeholders told us inclusion of this information will make it more informative, and useful, for them.

Uniform Guidance standards also changing

Is your organization required to have a compliance audit under the federal Uniform Guidance standards? That report is also changing to reflect the items listed above to the extent they’re relevant.

What should you do?

Some actions to consider as you get ready for the first audit to which the new report applies (calendar 2021, or fiscal years ending in 2022) include:

  1. Ask your auditor what your organization’s auditor’s report will look like
    Your auditor can provide examples of auditor’s reports under the new rules, or even draft a pro forma auditor’s report for your organization (subject, of course, to the results of the audit).
  2. Outline and communicate your process for developing your annual report
    If your organization prepares an annual report, it will be important to coordinate its timing with that of the issuance of the auditor’s report, due to the auditor’s new reporting responsibility related to the annual report.
  3. Discuss with your board whether you would like the auditor to include a discussion of “key audit matters” in the auditor’s report
    While not required for not-for-profits, some organizations may decide to request the auditor include a discussion of such matters in the report, from the standpoint of transparency “best practices.”

If you have any questions about the new auditor’s report or your specific situation, please contact us. We’re here to help.
 

Article
A new auditor's report: Seven changes to know

Read this if your facility or organization has received Provider Relief Funds.

The rules over the use of the HHS Provider Relief Funds (PRF) have been in a constant state of flux and interpretation since the funds started to show up in your bank accounts back in April. Here is a summary of where we are as of June 14, 2021 on HHS’ reporting requirements. Key highlights:

These requirements apply to:

  • PRF General and Targeted Distributions
  • the Skilled Nursing Facilities (SNF) and Nursing Home Infection Control Distribution
  • and exclude:
    • the Rural Health Clinic COVID-19 Testing Program
    • claims reimbursements from HRSA COVID-19 Uninsured Program and the HRSA COVID-19 Coverage Assistance Fund (CAF)

This notice supersedes the January 15, 2021 reporting requirements.
Deadline for Use of Funds:

  Payment Received Period        Deadline to Use Funds   Reporting Time Period
  Period 1: 4/10/20-6/30/20      6/30/21                 7/1/21-9/30/21
  Period 2: 7/1/20-12/31/20      12/31/21                1/1/22-3/31/22
  Period 3: 1/1/21-6/30/21       6/30/22                 7/1/22-9/30/22
  Period 4: 7/1/21-12/31/21      12/31/22                1/1/21-3/31/23

Recipients who received one or more payments exceeding $10,000 in the aggregate during each Payment Received Period above (rather than the previous $10,000 cumulative across all PRF payments) are subject to the above reporting requirements.

Responsibility for reporting:

  • The Reporting Entity is the entity that registers its Tax Identification Number (TIN) and reports payments received by that TIN and its subsidiary TINs.
  • For Targeted Distributions, the Reporting Entity is always the original recipient; a parent entity cannot report on the subsidiary’s behalf and regardless of transfer of payment.

Steps for reporting use of funds:

  1. Interest earned on PRF payments
  2. Other assistance received
  3. Use of SNF and Nursing Home Control Distribution Payments if applicable (any interest earned reported here instead), with expenses by CY quarter
  4. Use of General and Other Targeted Distribution Payments, with expenses by CY quarter
  5. Net unreimbursed expenses attributable to Coronavirus, net after other assistance and PRF payments by quarter
  6. Lost revenues reimbursement (not applicable to PRF recipients that received only SNF and Nursing Home Infection Control Distribution payments)

PORTAL WILL OPEN ON JULY 1, 2021!

Access the full update from HHS: Provider Post-Payment Notice of Reporting Requirements.

Article
Provider Relief Funds: HHS Post-Payment Notice of Reporting Requirements

Read this if you are at a financial institution and concerned about fraud.

The numbers tell a story: Financial fraud 

Back in 2016, BerryDunn’s Todd Desjardins wrote about occupational fraud at financial institutions. This article mainly cited information from a 2016 Report to the Nations (2016 Report) published by the Association of Certified Fraud Examiners (ACFE). Fast forward to 2021, and ACFE’s 2020 Report to the Nations: Banking and Financial Services Edition (2020 Report) displays that occupational fraud continues to be a concern.

Financial institutions account for 19% of all occupational fraud worldwide, up from 16.8% in the 2016 Report. These fraud cases have a median loss of $100,000 per case—down from $192,000 per case in the 2016 Report. Cases had risen slightly from the 2016 Report to 386—up from 368 cases.

What does a fraudster look like, and how do they commit their crimes? How do you prevent fraud from happening at your organization? And, how can you strengthen an already robust anti-fraud program? These questions, raised in Todd’s 2016 article, remain relevant today. 

A profile in fraud: Who can it be? 

One of the most difficult tasks any organization faces is identifying and preventing potential cases of fraud. This is especially challenging because the majority of employees who commit fraud are first-time offenders with no record of criminal activity, or even termination at a previous employer.

The 2020 Report reveals a few commonalities between fraudsters. The amounts from the 2016 Report are shown in parentheses for comparison purposes:

  • 3% of fraudsters had no criminal background (3%)
  • Men committed 71% of frauds and women committed 29% (69%, 31%)
  • 56% of fraudsters were an employee, 27% worked as a manager, and 14% operated at the executive/owner level (3%, 31%, 20%)
  • The median loss for fraudsters who had been with their organizations for more than five years was $150,000 compared to $86,000 for fraudsters who had been with their organizations for five years or less ($230,000, $74,500)

Employees who committed fraud displayed certain behaviors during their schemes. The ACFE reported these top red flags in its 2020 Report:

  • Living beyond means: 42% (45.8%)
  • Financial difficulties: 33% (30%)
  • Unusually close association with vendor/customer: 15% (20.1%)
  • Divorce/family problems: 14% (13.4%)

These figures give us a general sense of who commits fraud and why. But in all cases, the most pressing question remains: how do you prevent the fraud from happening?

Preventing fraud: A commonsense approach that works

As a proactive plan for preventing fraud, we recommend focusing time and energy on two distinct facets of your operations: leadership tone and internal controls.

It all starts at the top: Leadership

The Board of Directors and senior management are in a powerful position to prevent fraud. By fostering a top-down culture of zero-tolerance for fraud, you can diminish opportunity for employees to consider, and attempt, fraud.

It is crucial to start at the top. Not only does this send a message to the rest of the company, but frauds committed at the executive level had a median loss of $1,265,000 per case, compared to a median loss of $77,000 when an employee perpetrated the fraud. This is compared to a median loss of $500,000 and $54,000 per case, respectively, in the 2016 Report.

Improving your internal control culture

Every financial institution uses internal controls in its daily operations. Override of existing internal controls, lack of internal controls, and lack of management review were all cited in the 2020 Report as the most common internal control weaknesses that contribute to occupational fraud in the banking and financial services industry.

The importance of internal controls cannot be overstated. Every organization should closely examine its internal controls and determine where they can be strengthened—even financial institutions with strong anti-fraud measures in place.

We have created a checklist of the top 10 controls for financial institutions, available in our white paper on preventing fraud. This is a list that we encourage every financial leader to read. By strengthening your foundation, your company will be in a powerful place to prevent fraud. 

Get the keys to prevent fraud—free fraud prevention white paper

Employees are your greatest strength and number one resource. Taking a proactive, positive approach to fraud prevention maintains the value employees bring to a financial institution, while focusing on realistic measures to discourage fraud.

In our white paper on preventing financial institution fraud, we take a deeper look at how to successfully implement a strong anti-fraud plan.

Commit to strengthening fraud prevention and you will instill confidence in your Board, employees, customers, and the general public. It’s a good investment for any financial institution. If you have any questions, please contact our team. We’re here to help. 

Article
In 2021, an anti-fraud plan is the best investment your financial institution can make

Read this if you work in an alcohol control capacity for state government.

The COVID-19 outbreak has changed the alcoholic beverage industry significantly over the last 14 months. Restrictions forced people to stay at home, limiting their travel to restaurants, bars, and even some stores to purchase their favorite spirits. In at least 32 states, new legislation allowed consumers the option to buy to-go cocktails as a way to help these establishments stay in business. As a result, consumers took advantage of alcohol delivery services. 

There were two large shifts in consumer purchasing for the alcoholic beverage industry in 2020. The first was a shift from on-premise to off-premise purchasing (for example, more takeaway beverages from bars, breweries, and other establishments). The second was the explosion of e-commerce sales for curbside pickup and home delivery. A study by IWSR, an alcoholic beverage market research firm, stated that alcohol e-commerce sales grew 42% in 2020. The head of consumer insights for the online alcoholic beverage delivery service, Drizly, attributes this growth to the “increased consumer awareness of alcohol delivery as a legal option, as well as an overall shift in consumer purchasing behavior toward online ordering and delivery”. 

How state agencies responded

The move to an e-commerce model has impacted state agencies that regulate the distribution and/or sale of alcohol. States such as Oklahoma, Alabama, and Georgia recently passed legislation allowing alcohol delivery to consumers’ homes. In alcoholic beverage control states, where the state controls the sale of alcohol at the wholesale level, some implemented curbside pickup programs (New Hampshire), while others started online home delivery services (Pennsylvania).

In a fluid legislative environment, state agencies are working to meet consumer needs in a very competitive marketplace, while fulfilling their regulatory obligation to the health and safety of their constituents.

How alcoholic beverage control states can adapt

Now is an opportune time for control state agencies to keep pace with consumer demand for more flexible purchasing options, such as buying online with home delivery, or some form of curbside and/or in-store pickup program. Every one of the 17 alcoholic beverage control states has passed legislation to allow the delivery of beer, wine, and/or distilled spirits in some form, with some limitations.

While the COVID-19 outbreak has made these more distant shopping experiences a necessity for some, the availability of these sales channels has given consumers a flexibility they will expect going forward. This calls for control state agencies to act on this changing consumer demand. By prioritizing investment in, and taking ownership of, new sales channels such as e-commerce and curbside pickup, control state agencies’ technology and logistics teams can develop strategies and tools to adapt effectively to this new demand.

Adapting technology and logistics

Through technology, control state agencies can take advantage of e-commerce and curbside pickup sales channels to drive more revenue. We recommend control states consider the following:

Define the current capabilities to support an online sales strategy

An important first step is to define how to address constituents’ evolving needs as compared to the current e-commerce capabilities control state agencies can support. Considerations include:

  • Are current staff capable of developing and supporting new website capabilities to meet the increased demand on the website?  
  • How will the current customer support team(s) expand to support concerns from the new channels?
  • How will new e-commerce order volume be fulfilled for home delivery (including order errors, breakage, returns, etc.)?   

Control state agencies should complete current and future state assessments in each area above to confirm what capabilities they have today and which they would like to have in the future. This allows for an accurate gap analysis and comparison to their future state needs. Once the current state assessment, future state strategy, and gap analysis are complete, control state agencies can define the projects required to support the future state requirements.

Reevaluate existing fulfillment, inventory, and distribution processes

Each control state has existing product fulfillment, inventory, and distribution processes, and information technology (IT) tools, for delivering alcohol to its own or licensed retail stores and businesses. These current processes and IT systems should be assessed as part of the current state capabilities assessment mentioned above, to help define the level of change needed to support the control state agency’s future needs in the e-commerce channel. Key assessment questions control state agencies should ask themselves include:

  • Can the current IT systems (e.g., inventory management, customer relationship management [CRM], customer support/call center, financial, point of sale [POS], and website infrastructure) support required upgrades?
  • Can retail teams and today’s infrastructure support order taking, inventory, fulfillment, and buy online pickup in store programs?
  • How will warehouse and retail stores track and manage the e-commerce shipments and returns related to this channel?
  • If home delivery is part of the strategy, how will the delivery logistics be met through state or vendor resources?
  • What staffing model and skill sets will support future business needs?
  • What is the total cost of ownership for these new e-commerce capabilities so that the short and long-term costs and profits can be accurately estimated? 

The answers to these questions will help to inform a future e-commerce strategy and accommodate the cost and staff impacts. 

Bring in online retail expertise

It is important to ensure that the control state agency has website and mobile capabilities to support today’s consumer needs. This includes the ability to order a wide range of products online for either home delivery or buy online pickup in store. The design of the website and mobile transactional capabilities is critically important to the success of this channel and to true growth in revenues. Being marketing focused (e.g., allowing consumers to view and order products, save items for later, and see similar products) will help drive traffic and sales on this upgraded channel.

For control state agencies with a more static product website, consider purchasing a commercial off-the-shelf (COTS) e-commerce product with existing retail-focused website features, or contract with a vendor to build a website that meets more unique needs. The control state agency should bring in at least one online retail subject matter expert vendor to help set the direction, design the upgrades or new site, manage the project(s) needed to implement the online capabilities, and potentially manage the operational support of the website and mobile solution.

BerryDunn provides state alcoholic beverage control boards and commissions with many services along the IT system acquisition lifecycle, including planning, needs assessment, business process analysis, request for proposal (RFP) development, requirements development, technology contract development, and project management services. 

For the full list of steps to consider and to learn more about how you can successfully position your control state agency to adapt to the changing alcoholic beverage landscape, contact us.

Article
COVID-19 and the e-commerce explosion

Read this if you are a business owner. 

Now that the Democrats have control of the Presidency, House of Representatives, and Senate, many in Washington, DC and around the country are asking “What is going to happen with business taxes?” 

While candidate Biden expressed interest in raising taxes on corporations and wealthy individuals, it is best to think of that as a framework for where the new administration intends to go, rather than a set-in-stone inevitability. We know his administration is likely to favor a paring back of some of the tax cuts made by the 2017 Tax Cuts and Jobs Act (TCJA). Biden has indicated his administration may consider changes to the corporate tax rate, capital gains rate, individual income tax rates, and the estate and gift tax exemption amount.

Procedurally, it is unclear how tax legislation would be formulated under the Biden administration. A tax package could be included as part of another COVID-19 relief bill. The TCJA could be modified, repealed, or replaced. It is also unclear how any package would proceed through Congress. Under current Senate rules, the legislative filibuster can limit the Senate’s ability to pass standalone tax legislation, thus leaving any such legislation to the budget reconciliation process, as was the case in 2017. It also remains unclear if the two parties will come together to work on any bill. Finally, it will be important to note who fills key Treasury tax positions in the Biden administration, as these individuals will have a strategic role in the development of administration priorities and the negotiation with Congress of any tax bill. Here are three ways tax changes could take shape:

  1. Part of a COVID-19 relief package
    With the Biden administration eager to provide immediate relief to individuals and small- and medium-sized businesses affected by the coronavirus pandemic, some tax changes could be included as part of an additional relief bill on which the administration is likely to seek bipartisan support. Such changes could take the form of tax cuts for some businesses and individuals, tax credits, expanded retirement contributions, and/or other measures. If attached to a COVID-19 relief bill, these changes would likely go into effect immediately and would provide rapid relief to businesses and individuals that have been particularly hard hit during the pandemic and economic downturn.
  2. Repeal and replace TCJA
    Another possibility is for Biden to pursue a full rollback of the TCJA and replace it with his own tax bill. This would be a challenge since the Democrats only have a slim majority in the Senate, meaning that Republicans could filibuster the bill unless Senate Democrats take steps to repeal the filibuster.

    Given that the Biden administration’s immediate priorities will be delivering financial assistance to individuals and businesses, ensuring the rollout of COVID-19 vaccines, and flattening the curve of cases, a repeal and replacement of the TCJA might not be voted on until at least late 2021 and likely would not go into effect until 2022 at the earliest.
  3. Pare back or modify the TCJA
    An overall theme of Biden’s campaign was not sweeping, radical change but making incremental shifts that he views as improvements. This theme may come into play in Biden’s approach to tax legislation. He may choose not to repeal the TCJA completely (prompting a return to 2016 taxation levels), but instead pare back some of the tax changes enacted in 2017. In practice, this could mean raising the corporate tax rate by a few percentage points, which could garner bipartisan support. Again, this likely would not be a legislative priority until after the country has passed through the worst of the COVID-19 pandemic.

Factors that will influence potential tax changes

Senate legislative filibuster

Currently, the minority party in the Senate can delay a vote on an issue if fewer than 60 senators support bringing a measure to a vote. Thus, Republicans would be likely to filibuster any bill that contains more ambitious tax rate increases. The uptick in the use of the filibuster in recent decades is perhaps a symptom of congressional deadlock, and there are calls from many Democrats to eliminate the filibuster in order to pass more ambitious legislation without bipartisan support (in fact, in recent years, the filibuster has been removed for appointments and confirmations). While President Biden and Senate Majority Leader Chuck Schumer may be open to ending or further limiting the filibuster, every Democratic senator would have to agree. West Virginia Senator Joe Manchin has said repeatedly that he will not vote to end the legislative filibuster.

If the filibuster remains in place as it appears it will, tax legislation would likely be passed as part of the budget reconciliation process, which only requires a simple majority to pass. However, the tradeoff is that any changes generally would have to expire at the end of the budget window, which typically is 10 years. This is how both the 2001 Economic Growth and Tax Relief Reconciliation Act and the TCJA were passed.

Appetite for bipartisanship

President Biden has signaled that he wants to work for all Americans and seek to heal the partisan divides in the country. He may be looking to reach across the aisle on certain legislation and seek bipartisan support, even if such support is not necessary to pass a bill. Biden stated during his campaign that he wants to increase the corporate tax rate—not to the 2017 rate of 35%—but to 28%. Achieving this middle ground rate might be viewed as a compromise approach.

As the new government takes office, it remains to be seen how much bipartisanship is desired, or even possible.

What this may mean for your business

It is important to note that sweeping tax changes probably are not an immediate priority for the incoming Biden administration. The new administration’s immediate focus likely will be on addressing the current fragmented approach to COVID-19 vaccinations, accelerating the distribution of the vaccines, taking steps to bring the spread of COVID-19 under control, and providing much needed economic relief. As noted above, there could be some tax changes and impacts resulting from future COVID-19 relief bills.

Those will be the bills to watch for any early tax changes, including cuts or credits, that businesses may be able to take advantage of. Larger scale tax changes, particularly any tax increases, may not go into effect until 2022 at the earliest. Here are some of the current rules and how Biden is proposing to deal with them.

If you have questions about your particular situation, please contact our team. We’re here to help. 

Article
Biden's tax plan: Tax reform details remain unclear