Discovery: Cybersecurity playbook for management #5

04.27.18

A professional sports team is an ever-changing entity. To have a general perspective on the team’s fluctuating strengths and weaknesses, a good coach needs to trust and empower their staff to discover the details. Chapter 5 in BerryDunn’s Cybersecurity Playbook for Management looks at how discovery can help managers understand their organization’s ever-changing IT environment. 

What is discovery, and how does it connect to capacity?
RG: Discovery is the process of mapping your organization’s capacity—people, processes, and tools—so you understand what your organization’s IT environment has. In other words, it’s the auditing of your IT environment.

Of course, the most valuable thing within your IT environment, other than the people who access it, is the “thing” that drives your business. Often this thing is data, but it could be proprietary processes or machinery. For the purposes of this blog, we’ll focus on data. Discovery naturally answers questions such as:

• What in our IT environment is important to our business?
• How is it being used?
• Who has access to it, and how can we better protect it? 

How can managers tackle discovery?
RG: First, you need to understand that discovery requires accepting the fact that the environment is always evolving. Discovery is not a one-and-done process—it never ends. People introduce new things, like updated software, into IT environments all the time. Your IT environment is an always-shifting playing field. Think of Amazon’s Alexa devices. When someone plugs one into your internal wireless network, they’ve just expanded your attack surface for a hacker by introducing a new device with its own set of vulnerabilities.

Second, you have to define the “auditable universe” by establishing manageable boundaries in direct proportion to your discovery team’s capabilities. I often see solicitations for proposals that ask for discovery of all assets in an IT environment. That could include a headquarters building, 20 satellite offices, and remote workers, and is going to take a long time to assess. I recently heard of a hospital discovering 41,000 internet-connected devices on their network—mostly Internet of Things (IoT) resources, such as heart monitors. Originally, the hospital had only been aware of about one-third of these devices. Keeping your boundaries realistic and manageable can prevent your team from being overwhelmed.

Third, your managers should refrain from getting directly involved with discovery because it’s a pretty technical and time-consuming process. You should task a team to conduct discovery, and provide the discovery team with adequate tools. There are a lot of good tools that can help map networks and manage assets; we’ll talk about them later in this blog. Managers should mainly concern themselves with the results of discovery and trust in the team’s ability to competently map out the IT environment. Remember, the IT environment is always evolving, so even as the results roll in, things are changing.

Who should managers select for the discovery team?
RG: Ideally, various groups of people. For instance, it makes sense for HR staff to conduct the people part of discovery. Likewise, it makes sense for data owners—staff responsible for certain data—to conduct the process part of discovery, and for IT staff to conduct the tool part.

However, I should point out that if you have limited internal resources, then the IT staff can conduct all three parts of discovery, working closely with all stakeholders. IT staff will have a pretty good sense of where data is held within the organization’s IT environment, and they will develop an understanding of what is important to the organization.

Could an organization’s security staff conduct discovery?
RG: Interestingly enough, security staff don’t always have day-to-day interactions with data. They are more focused on overall data protection strategies and tactics. Therefore, it makes more sense to leverage other staff, but the results of discovery (e.g., knowing where data resides, understanding the sensitivity of data) need to be shared with security staff. Ultimately, this knowledge will help security staff better protect your data.

What about hiring external resources to conduct discovery?
RG: It depends on what you’re trying to do. If the goal of discovery is to comply with some sort of regulatory standard or framework, then yes, hiring external resources makes sense. These resources could come in and, using the discovery process, conduct a formal assessment. It may also make sense to hire external resources if you’re short-staffed, or if you have a complex environment with undocumented data repositories, processes, and tools. Yet in each of these scenarios, the external resources will only be able to provide a point-in-time baseline. 

Otherwise, I recommend leveraging your internal staff. An internal discovery team should be able to handle the task if adequately staffed and resourced, and team members will learn a lot in the process. And as discovery never really ends, do you want to have to perpetually hire external resources?

People make up a big part of capacity. Should the discovery team focus on people and their roles in this process?
RG: Yes! It sounds odd that people and their roles are included in discovery, but it is important to know who is using and touching your data. At a minimum, the discovery team needs to conduct background checks. (This is one example of where HR staff need to be part of the discovery process.)

How can the discovery team best map processes?
RG: The discovery team has to review each process with the respective data owner. Now, if you are asking the data owners themselves to conduct discovery, then you should have them illustrate their own workflows. There are various process mapping tools, such as Microsoft Visio, that data owners can use for this.

The discovery team needs to acknowledge that data owners often perform their processes correctly through repetition—the problems or potential vulnerabilities stem from an inherently flawed or insecure process, or having one person in charge of too many processes. Managers should watch out for this. I’ll give you a perfect example of the latter sort of situation. I once helped a client walk through the process of system recovery.

During the process we discovered that the individual responsible for system recovery also had the ability to manipulate database records and to print checks. In theory, that person could have been able to cut themselves a check and then erase its history from the system. That’s a big problem!

Other times, data owners perform their processes correctly, but inadvertently use compromised or corrupted tools, such as free software downloaded from the internet. The discovery team has to identify needed policy and procedure changes to prevent these situations from happening.
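The system-recovery example above (one person who can restore systems, change database records, and print checks) is a classic segregation-of-duties failure, and it is something the discovery team can check mechanically once the people-and-roles part of discovery exists. The following is an added example, not BerryDunn’s code: it takes a constructed user/role/permission export (a real one would come from the IAM or ERP system), expands each user’s effective permissions, and flags both toxic combinations and users who hold more critical roles than a chosen threshold. The role names, permission names, and conflict rules are all assumptions made for illustration.

```python
"""Segregation-of-duties check over an entitlement export.

Added example, not the article's own code. Users, roles, permissions and the
conflict rules below are constructed for illustration; in practice they would
be exported from the IAM / ERP system and the rules agreed with data owners.
"""

# Constructed: role -> permissions that role grants.
ROLE_PERMISSIONS = {
    "sysadmin":      {"restore_system", "manage_backups"},
    "dba":           {"modify_db_records", "run_queries"},
    "ap_clerk":      {"enter_invoices"},
    "ap_supervisor": {"approve_invoices", "print_checks"},
    "auditor":       {"run_queries"},
}

# Constructed: user -> roles held. "pat" mirrors the situation in the text.
USER_ROLES = {
    "pat": {"sysadmin", "dba", "ap_supervisor"},
    "sam": {"ap_clerk"},
    "lee": {"ap_supervisor"},
    "kim": {"auditor"},
}

# Toxic combinations: holding every permission in the set lets one person
# complete a fraudulent transaction and hide it without a second pair of eyes.
TOXIC_COMBINATIONS = [
    ("cut a check and erase its history", {"print_checks", "modify_db_records"}),
    ("enter and approve own invoice", {"enter_invoices", "approve_invoices"}),
    ("restore a system and alter records", {"restore_system", "modify_db_records"}),
]


def effective_permissions(user, user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in user_roles.get(user, ()):
        perms |= role_perms.get(role, set())
    return perms


def granting_roles(user, permission, user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """Which of the user's roles grant a permission (tells you what to remove)."""
    return sorted(r for r in user_roles.get(user, ()) if permission in role_perms.get(r, ()))


def find_sod_violations(user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS,
                        toxic=TOXIC_COMBINATIONS):
    """Return (user, label, offending permissions) for every toxic set fully held."""
    findings = []
    for user in sorted(user_roles):
        perms = effective_permissions(user, user_roles, role_perms)
        for label, combo in toxic:
            if combo <= perms:          # subset test: user holds the whole set
                findings.append((user, label, sorted(combo)))
    return findings


def find_concentration(user_roles=USER_ROLES, max_roles=2):
    """Users in charge of more roles than the threshold (too many processes)."""
    return sorted(u for u, roles in user_roles.items() if len(roles) > max_roles)


if __name__ == "__main__":
    for user, label, perms in find_sod_violations():
        print(f"{user}: {label} via {perms}")
        for p in perms:
            print(f"    {p} granted by {granting_roles(user, p)}")
    print("role concentration:", find_concentration())
```

The subset test is what makes this cheap to extend: every new toxic combination the data owners identify is one more line in the rule list, and the granting-role lookup turns a finding into a concrete change request (which role to strip or split) rather than a vague “too much access” note in the risk register.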

Your mention of vulnerable software segues nicely to the topic of tools. How can the discovery team best map the technologies the organization uses?
RG: Technology is inherently flawed. You can’t go a week without hearing about a new vulnerability in a widely used system or application. I suggest researching network scanning tools for identifying hosts within your network; vulnerability testing tools for identifying technological weaknesses or gaps; and penetration testing tools for simulating cyber-attacks to assess cybersecurity defenses.

Let’s assume a manager has tasked a team to conduct discovery. What’s the next step?
RG: If you recall, in the previous blog I discussed the value of adopting a cybersecurity risk register, which is a document used to list the organization’s cybersecurity risks, record required risk mitigation actions, and identify who “owns” the risk. The next step is for your discovery team to start completing the risk register. The manager uses this risk register, and subsequent discussions with the team, to make corresponding business decisions to improve cybersecurity, such as purchasing new tools—and to measure the progress of mitigating any vulnerabilities identified in the discovery process. A risk register can become an invaluable resource planning tool for managers.
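The two answers above (mapping hosts with a network scanner, then feeding what discovery turns up into a risk register) fit together in a small, repeatable loop: scan, diff the results against the inventory the team already trusts, and draft a register row for every device nobody has claimed. This is an added example, not BerryDunn’s code or a tool the article names. It parses the XML that `nmap -oX` produces; the scan output and the known-asset inventory below are constructed samples, and the register columns are an assumption about what a simple Excel register would hold.

```python
"""Continuous discovery: diff an nmap scan against the known asset inventory
and turn every unknown host into a draft risk-register row.

Added example, not the article's code. SAMPLE_NMAP_XML is constructed to
look like `nmap -sV -oX` output; KNOWN_INVENTORY_CSV is a hypothetical
inventory. Replace both with real files to run this against a live scan.
"""
import csv
import io
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample: what `nmap -sV -oX scan.xml 10.10.5.0/24` might emit.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.10.5.0/24">
  <host><status state="up"/>
    <address addr="10.10.5.10" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac" vendor="Dell"/>
    <hostnames><hostname name="fileserver01.corp.example" type="PTR"/></hostnames>
    <ports><port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port></ports>
  </host>
  <host><status state="up"/>
    <address addr="10.10.5.77" addrtype="ipv4"/>
    <address addr="F0:D2:F1:AA:BB:CC" addrtype="mac" vendor="Amazon Technologies"/>
    <ports><port protocol="tcp" portid="8888"><state state="open"/><service name="http"/></port></ports>
  </host>
  <host><status state="down"/><address addr="10.10.5.99" addrtype="ipv4"/></host>
</nmaprun>
"""

# Constructed inventory: the assets the discovery team already knows about.
KNOWN_INVENTORY_CSV = """ip,hostname,owner,classification
10.10.5.10,fileserver01.corp.example,IT Ops,Confidential
10.10.5.20,printer-hq-2,Facilities,Internal
"""


@dataclass
class Host:
    ip: str
    mac: str = ""
    vendor: str = ""
    hostname: str = ""
    open_ports: list = field(default_factory=list)   # e.g. "445/tcp microsoft-ds"


def parse_nmap_xml(xml_text: str) -> list:
    """Return every host nmap reports as up, with its addresses and open ports."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue                                    # skip hosts that did not answer
        host = Host(ip="")
        for addr in h.iter("address"):
            if addr.get("addrtype") == "ipv4":
                host.ip = addr.get("addr", "")
            elif addr.get("addrtype") == "mac":
                host.mac = addr.get("addr", "")
                host.vendor = addr.get("vendor", "")
        name = h.find("hostnames/hostname")
        host.hostname = name.get("name", "") if name is not None else ""
        for port in h.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                svc = port.find("service")
                svc_name = svc.get("name", "") if svc is not None else ""
                host.open_ports.append(f"{port.get('portid')}/{port.get('protocol')} {svc_name}".strip())
        if host.ip:
            hosts.append(host)
    return hosts


def load_inventory(csv_text: str) -> dict:
    """Index the known-asset inventory by IP address."""
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def diff_inventory(hosts, inventory):
    """Hosts the inventory does not know, plus inventory entries the scan never saw."""
    seen = {h.ip for h in hosts}
    unknown = [h for h in hosts if h.ip not in inventory]
    missing = sorted(ip for ip in inventory if ip not in seen)
    return unknown, missing


def draft_risk_register(unknown):
    """One draft register row per unknown host; owner stays open until someone claims it."""
    rows = []
    for i, h in enumerate(unknown, start=1):
        ports = ", ".join(h.open_ports) or "none open"
        rows.append({
            "risk_id": f"DISC-{i:03d}",
            "asset": h.ip,
            "description": (f"Unmanaged device {h.ip} (vendor: {h.vendor or 'unknown'}, "
                            f"mac: {h.mac or 'unknown'}) exposing {ports}"),
            "owner": "UNASSIGNED",
            "mitigation": "Identify device owner; isolate or enroll in asset management",
            "status": "Open",
        })
    return rows


def register_to_csv(rows) -> str:
    """Serialise rows in the column order a simple spreadsheet register would use."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["risk_id", "asset", "description",
                                             "owner", "mitigation", "status"],
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    found = parse_nmap_xml(SAMPLE_NMAP_XML)
    new, stale = diff_inventory(found, load_inventory(KNOWN_INVENTORY_CSV))
    print(register_to_csv(draft_risk_register(new)))
    print("inventory entries not seen in this scan:", stale)
```

Run on a schedule, the interesting output is the diff, not the scan: the unknown list is the attack surface that grew since the last pass, and the “missing” list is inventory drift in the other direction. Matching on IP alone is the weak point in a DHCP network; a production version should key on MAC address or hostname as well before deciding a device is new.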

For discovery purposes, what’s the best format for a cybersecurity risk register?
RG: There are very expensive programs an organization can use to create a risk register. Some extremely large banking companies use the RSA Archer GRC platform. However, you can build a very simple risk register in Excel. An Excel spreadsheet would work well for small and some mid-sized organizations, but there are other relatively inexpensive solutions available. I say this because managers should aim for simplicity. You don’t want the discovery team getting bogged down by a complex risk register.

Finally, what are some discovery resources and reference guides that managers should become familiar with and utilize?
RG: I recommend the National Institute of Standards and Technology (NIST) Special Publication series. They outline very specific and detailed discovery methodologies you can use to improve your discovery process.

So what’s next?
RG: Chapter 6 will focus on synthesizing maturity, capacity, and discovery to create a resilient organization from a cybersecurity point of view.

Read The workflow: Cybersecurity playbook for management #6 here.

Cybersecurity is the responsibility of all employees and managers: it takes a team

When a breach occurs, people tend to focus on what goes wrong at the technical level and often fail to see that cybersecurity begins at the strategic level. 

BerryDunn’s cybersecurity playbook outlines the activities managers need to take to properly oversee cybersecurity. Read the full series:

  1. Maturity modeling
  2. Selecting and implementing a maturity model
  3. Tapping your internal capacity for better results
  4. External capacity
  5. Discovery
  6. The workflow
  7. Incident response
  8. Incident recovery

Read this if you are responsible for cybersecurity or are a member of a board of directors.

The board’s role in the oversight of organizational risk is increasingly complicated by cybersecurity concerns. Cybersecurity risk is pervasive and will affect companies in a variety of ways. The responsibility for detailed cyber risk oversight within the board should be well documented and communicated, and may often touch various committees across the board, including but not limited to risk, audit, and compliance. With the increasing complexity surrounding cybersecurity, it is also important for the board to evaluate existing experience and skills, identify gaps, and address those gaps through succession planning or leveraging advisors.

Additionally, all directors need to maintain continual knowledge about evolving cyber issues and management’s plans for allocating resources with respect to the preparedness in responding to cyber risks. Such knowledge helps boards assess the priority-driven and investment decisions put forth by management needed in critical areas.

Here are some critical questions that boards and management should be considering with respect to mitigating cyber security risk for their organizations. They may be useful as a starting point for boards to use in their discussions and as a guide when looking at their oversight of management’s plans for addressing potential cyber risks.

General

  • What is the threat profile and risk tolerance of our organization based on our business model and the type of data our organization holds?
  • Is the cyber risk management plan documented, including the identification, protection, and disposal of data?
  • Has the cyber risk management plan been tested?
  • Does our organization’s cybersecurity strategy align with our threat profile and risk tolerance?
  • Is our cybersecurity risk viewed as an enterprise-wide issue and incorporated into our overall risk identification, management, and mitigation process?
  • What percentage of our IT budget is dedicated to cybersecurity?
  • Does that allocation conform to industry standards?
  • Is it adequate based on our threat profile?
  • What are stakeholder demands and priorities for cybersecurity? Data privacy? Data governance? What interactions has the company or board had with shareholders regarding cybersecurity?
  • What is the interaction model between senior management and the board for communications regarding cybersecurity?
  • Has the regulatory focus on the board’s cybersecurity responsibility been increasing? If so, what is driving that focus?

Board cybersecurity oversight

  • How is oversight of cybersecurity structured (committee vs. full board) and why? Is this structure well documented in the appropriate governance charters?
  • Is cybersecurity an area considered and reported as a director competency? If so, have skill/experience gaps been identified together with plans to resolve those gaps?
  • Is there a cybersecurity expert on the board?

Overall cybersecurity strategy

  • Does the board play an active part in determining an organization’s cybersecurity strategy?
  • What are the key elements of a good cybersecurity strategy?
  • Is the organization’s cybersecurity preparedness receiving the appropriate level of time and attention from management and the board (or appropriate board committee)?
  • How do management and the board (or appropriate board committee) make this process part of the organization’s enterprise-wide governance framework?
  • How do management and the board (or appropriate board committee) support improvements to the organization’s process for conducting a cybersecurity assessment?

Risk assessment: risk profile

  • What are the potential cyber threats to the organization?
  • Who is responsible for management oversight of cyber risk?
  • Has a formal cyber assessment been performed? Does it need to be updated?
  • Do management and the board understand the organization’s vulnerabilities and how it may be targeted for cyber-attacks?
  • What do the results of the cybersecurity assessment mean to the organization as it looks at its overall risk profile?
  • Is management regularly updating the organization’s inherent risk profile to reflect changes in activities, services, and products?

Risk assessment: cyber maturity oversight

  • Who is accountable for assessing, managing, and monitoring the risks posed by changes to the business strategy or technology and are those individuals empowered to carry out those responsibilities?
  • Is there someone dedicated full-time to our cybersecurity mission and function, such as a Chief Information Security Officer (CISO)?
  • Is our cybersecurity function properly aligned within the organization? (Aligning the CISO under the CIO may not always be the best model as it may present a conflict. Many organizations align this function under the risk, compliance, audit, or legal functions, while others with a direct or “dotted line” reporting to the CEO.)
  • Do the inherent risk profile and cybersecurity maturity levels meet risk management expectations from management, the board, and shareholders? If there is misalignment, what are the proposed plans to bring them into alignment?

Cybersecurity controls

  • Do the organization’s policies and procedures demonstrate management’s commitment to sustaining appropriate cybersecurity maturity levels?
  • What is the ongoing practice for gathering, monitoring, analyzing, and reporting risks?
  • How effective are the organization’s risk management activities and controls identified in the assessment?
  • Are there more efficient or effective means for achieving or improving the organization’s risk management and control objectives?
  • Are there controls in place to ensure adequate, accurate and timely reporting of cybersecurity related content?
  • How does the company remain apprised of laws and regulations and ensure compliance?
  • What cloud services does our organization use and how risky are they?
  • How are we protecting sensitive data?

Threat intelligence and collaboration

  • What is the process for gathering and validating inherent risk profile and cybersecurity maturity information?
  • Does our organization share threat intelligence with law enforcement?
  • What third parties does the organization rely on to support critical activities and does the organization regularly audit their level of access?
  • What is the process to oversee third parties and understand their inherent risks and cybersecurity maturity?

Cybersecurity metrics

  • Have we defined appropriate cybersecurity metrics, the format, and who should be reporting to the board?
  • How regularly should a board obtain IT metric information?
  • Is the information meaningful in a way that invokes a reaction and provides a clear understanding of the level of risk willing to be accepted, transferred, or mitigated?
  • How is the board actively monitoring progress or lack of progress and holding management accountable?

Cyber incident management and resilience

  • How does management validate the type and volume of cyber-attacks?
  • Does the organization have a comprehensive cyber incident response and recovery plan? Does it involve all key stakeholders—both internal and external? Does it include a business disaster recovery communication process?
  • How does an incident response and recovery plan fit into the overall cybersecurity strategy?
  • Is the board’s response role clearly defined?
  • Is the cyber incident response reviewed and rehearsed at least annually? Do rehearsals include cyber incident exercises?
  • Is there a culture of cyber awareness and reporting at all levels of the company?
  • Is the company adequately insured and is coverage reviewed at least annually?

Cybersecurity education

  • How does the board remain current on cybersecurity developments in the market and the regulatory environment?
  • Currently, how does the board evaluate directors' knowledge of the current cyber environment and cybersecurity issues impacting their organizations?
  • Do boards currently have the skill sets necessary to adequately oversee cybersecurity? How is the board identifying and evaluating the necessary director skills and experience in this area?
  • Are directors provided with educational opportunities in this area?
  • Is regular cybersecurity education provided to the entire organization?

Cybersecurity disclosure

  • Has oversight of cybersecurity reporting been defined for management and the board?
  • Are company policies and procedures to identify and manage cybersecurity risk, management’s role in implementing cybersecurity policies and procedures, board of directors’ cybersecurity expertise and its oversight of cybersecurity risk, being included within the financial statement and proxy disclosures?
  • Does the company have a mechanism for timely reporting of material cybersecurity incidents?
  • Have updates about previously reported material cybersecurity threats and incidents been included in the financial statements?

If you have any questions about cybersecurity programs, communicating with your board about cybersecurity, or have a specific question about your company or organization, please contact our IT security experts. We're here to help. 

Board oversight of cybersecurity: Questions to ask

Read this if you think your organization may have to prepare an HRSA audit.

Many healthcare providers who have never done an audit before may be required by the Health Resources and Services Administration (HRSA) agency to do so this year because they received Provider Relief Funding (PRF). We’re helping you prepare by answering some common queries about the PRF audit:

Will my organization have to complete a PRF audit?

The HRSA requires organizations to complete a federal single audit when they expend more than $750,000 of federal funding in one year, regardless of whether those federally sourced funds came directly from the federal government or were passed from a state or local government. Healthcare providers who received $10,000 or more from the PRF during a given period must report on usage.

For many providers, this is the first time they’ve received over $750,000 in federal funding. As a result, these providers will need to complete the single audit for the first time.

Other providers, especially physician practices, may not meet the single audit expense threshold, but that doesn’t mean they’re free from audit obligations. While they may not have to complete a single audit, if they received funding from the PRF, they may need to complete a HRSA-required audit—and the data requests for these audits are, in some cases, more involved than those for the single audit.

What will the HRSA’s PRF audit look like?

The audit will address the data used by the providers to report on their usage of PRF money. That means they will need to provide support for lost revenue and expenses that justify the use of the funds that they received.

The HRSA is going to drill down on the revenue numbers, specifically looking at the general ledger (GL) and other select revenue tests. On the expenses side, they’re going to look at the GL, invoice dates, payments and more.

To complete this audit, HRSA will require a significant amount of supporting documentation. Ideally, most of these documents should already have been copied and set aside as support in anticipation of financial reporting requirements. Below is a partial list of items that could be requested during the audit:

  • General Ledger details
  • Listing of expenses reimbursed with PRF payments grouped into specified categories
  • Listing of patient care revenue by payer
  • Listing of other sources of assistance
  • Listing of expenses reimbursed with the other assistance received
  • Detailed inventory listing of IT supplies
  • Budget attestation from CEO or CFO and board minutes showing ratification of the budget before March 27, 2020
  • Documentation of lost revenue methodologies
  • Audit financial statements
  • CMS cost reports for Medicare and Medicaid
  • Other supporting documentation

If certain documentation isn’t available, providers will need to request copies from their vendors. Missing documentation may make it difficult to justify the use of funds, in which case, providers may have to repay a portion or all of their provider relief funding.

It’s possible that certain expenses were not allowable under PRF. However, that doesn’t necessarily mean providers will have to repay their funds. Providers may have other lost revenue or expenses that would be allowed under PRF—but only if they have the documentation to prove it. That’s why it’s crucial that providers have all relevant documentation for expenses and lost revenue over the periods they received provider relief funding.

What challenges should I anticipate when it comes to completing the audit?

According to the 2022 BDO Healthcare CFO Outlook Survey, 35% of respondents identified CARES Act/PRF reporting as a regulatory concern.

Much of this concern likely stems from a lack of resources as well as audit inexperience. Many providers who will have to complete an HRSA audit don’t have the necessary resources to dedicate to navigating the process. In addition, they may not know the type, scope, or time frame of documentation they need to pull. They may also struggle to locate certain documentation, especially documentation that’s more than two years old.

Finding the right people to sift through the information to ensure its accuracy can be extremely difficult, especially if the documents are not filed electronically. This problem is even greater right now, given the professional services labor shortage that makes it difficult to hire the right people for the job if they aren’t already employed at your organization.

What should my next steps be?

To get ready for a potential HRSA audit, there are at least three immediate steps you should take:

  1. Select a responsible point person. One person should be responsible for coordinating the process to ensure that nothing falls through the cracks or is overlooked.
  2. Keep your PRF filing reports on hand. Pull any related supporting documentation and collate it into one place if it isn’t already.
  3. Identify what support is needed by doing a gap analysis. Determine where you need additional support or expertise and seek to close these gaps before the notification of any audit process.

Insufficient documentation may result in the recapture of provider relief funding by the HRSA. Fortunately, a lack of documentation is preventable with the right support and resources in place.

HRSA audit preparation: All you need to know

Read this if you are responsible for cybersecurity at your organization.

Cybersecurity threats aren’t just increasing in number—they’re also becoming more dangerous and expensive. Cyberattacks affect organizations around the globe, but the most expensive attacks occur in the US, where the average cost of a data breach is $9.44 million, according to IBM’s 2022 Cost of a Data Breach Report. The same report shows that the cost of a breach is $10.10 million in the healthcare industry, $5.97 million in the financial industry, $5.01 million in the pharmaceuticals industry, and $4.97 million in the technology industry.

Cyber threat actors are a serious danger to your company, and your customers, stakeholders, and shareholders know this. They expect you to be prepared to defend against and manage cybersecurity threats. How can you demonstrate your cybersecurity controls are up to par? By obtaining a SOC for cybersecurity report.

What is a SOC for cybersecurity report?

It provides an independent assessment of an organization’s cybersecurity risk management program. Specifically, it determines how effectively the organization’s internal controls monitor, prevent, and address cybersecurity threats.

What’s included in a SOC for cybersecurity report?

The report is made up of three key components:

  1. Management’s description of their cybersecurity risk management program, aligned with a control framework (more on that below) and 19 description criteria laid out by the AICPA.
  2. Management’s assertion that controls are effective to achieve cybersecurity objectives.
  3. Service auditor’s opinion on both management’s description and management’s assertion.

Why should you consider a SOC for cybersecurity report?

A SOC for cybersecurity report offers several important benefits for your organization, which include:

  • Align with evolving regulatory requirements. The cybersecurity regulatory environment is constantly evolving. In particular, the SEC’s cybersecurity guidelines are becoming stricter over time. A SOC for cybersecurity report can demonstrate you’re aligned with these guidelines. If you’re a public company or are considering going public in the future, you need to be prepared to meet not just the SEC’s guidelines of today, but their evolved guidelines in the future.
  • Keep your board of directors informed. Your board is responsible for ensuring the business is effectively addressing and mitigating risks—and that includes cyber risk. A SOC for cybersecurity report offers your board a clear and practical illustration of your organization’s cybersecurity risk management controls.
  • Attract and retain more customers. It’s becoming increasingly common for companies to require that their vendors have a SOC for cybersecurity report. Even for companies that don’t require such a report, it’s important to know their vendors are keeping their data safe. Having this report differentiates you from vendors who have not prepared one.
  • Improve your cybersecurity posture. A SOC for cybersecurity report can identify current gaps in your cybersecurity risk management program. Once you’ve addressed these gaps, you can show your customers, stakeholders, and shareholders that you’re continuously improving and evolving your cybersecurity risk management approach.

How do I prepare for my SOC for cybersecurity assessment?

There are several steps you should take to prepare for your assessment.

  1. Choose your control framework. You have several options, including the NIST Cybersecurity Framework, ISO 27002, and the Secure Controls Framework (SCF). There are multiple online resources to help you choose the framework that’s right for your organization.
  2. Determine who your key internal stakeholders are for your cybersecurity risk management program. You’ll need to select a point person to be responsible for ensuring the independent services auditor has all the documentation they need to complete their assessment and act as liaison across internal and external stakeholders.
  3. Collect all cybersecurity-related documentation in one location. Make sure you have an organizational system that makes sense to your point person so it’s easy for them to pull the appropriate materials to give to the independent services auditor.
  4. Conduct a readiness assessment. You can work with an independent services auditor to conduct such an assessment which will identify gaps you can address before performing the attestation.
  5. Select an independent services auditor to perform the attestation. SOC for cybersecurity examinations are attestation engagements performed by licensed CPA firms under the AICPA’s attestation standards. Ideally, you’ll want to select a firm that is experienced in your industry, has a diverse and robust team of cybersecurity professionals, and is accessible when and where you need them.

As always, if you have questions about your specific situation or would like more information about SOC for cybersecurity services, please contact our IT security experts. We’re here to help.

Yes, you need a SOC for cybersecurity report—here's why

Read this if you are interested in GASB updates. 

The Governmental Accounting Standards Board (GASB) issued GASB Statement No. 99, Omnibus 2022 on May 9, 2022. The statement enhances comparability in accounting and financial reporting and improves the consistency of authoritative literature by addressing (1) practice issues that have been identified in previous GASB Statements, and (2) adding guidance on accounting and financial reporting for financial guarantees.

We’ve reviewed the statement in its entirety, and broken down key components for you to know. Here are the highlights.  

Accounting and financial reporting for exchange or exchange-like financial guarantees

A financial guarantee is a guarantee of an obligation of a legally separate entity or individual, including a blended or discretely presented component unit, that requires the guarantor to indemnify a third-party obligation holder under specified conditions, in an exchange or exchange-like transaction.

An entity that extends an exchange or exchange-like financial guarantee should recognize a liability and expense related to the guarantee when qualitative factors and historical data indicate that it is more likely than not that the government will be required to make a payment related to the guarantee.

Statement 99 excludes guarantees related to special assessment debt, financial guarantee contracts within the scope of Statement 53, or guarantees related to conduit debt obligations. 

Certain derivative instruments that are neither hedging derivative instruments nor investment derivative instruments

Derivative instruments that are within the scope of Statement 53, but do not meet the definition of an investment derivative instrument or the definition of a hedging derivative instrument are considered other derivative instruments. These “other derivative instruments” should now be accounted for as follows:

  1. Changes in fair value should be reported on the “resource flows statement” separately from the investment revenue classification.
  2. Information should be disclosed in the notes to financial statements separately from hedging instruments and investment derivative instruments.
  3. Governments should disclose the fair values of derivative instruments that were reclassified from hedging derivative instruments to other derivative instruments. 

Leases

If your entity has leases please review the following as Statement 99 clarifies numerous issues from Statement 87, specifically:

  • Lease terms as they relate to options to terminate and options to purchase the underlying asset, in paragraph 12 of Statement 87, have been clarified;
  • Short-term leases in paragraph 12 of Statement 87 have been clarified as they relate to an option to terminate the lease;
  • Lessee and lessor recognition and measurement for leases other than short-term leases that transfer ownership have been clarified; and
  • Lease incentives in paragraph 61 of Statement 87 have been further defined.

Public Private and Public-Public Partnerships (PPPs)

If your entity has PPPs, Statement 99 clarifies the following: 

  • PPP terms
  • Receivable for installment payments (transferor recognition)
  • Receivable for the underlying PP Asset (transferor recognition)
  • Liability for installment payments (operator recognition)
  • Deferred outflow of resources (operator recognition)

Subscription-Based Information Technology Arrangements (SBITAs)

Subscription terms and definitions have been clarified, specifically as they relate to options to terminate, short-term SBITAs, and measurement of subscription liabilities.

If your entity has SBITAs, review the provisions of each SBITA to ensure compliance with Statement 99 paragraphs 23–25.

Replacement of LIBOR

Check with your banking institutions to confirm when they have phased out of LIBOR. Confirm with your banking institutions what specifically has replaced LIBOR and update Financial Statement disclosures as needed. 

SNAP

State governments should recognize distributions of benefits from Supplemental Nutrition Assistance Program (SNAP) as a nonexchange transaction. Review Financial Statement disclosure and determine if a disclosure is needed. 

Disclosure of Nonmonetary Transactions

If you engage in one or more nonmonetary transactions during the fiscal year, you will need to disclose in the notes to the financial statements the measurement attribute(s) applied to the assets transferred, rather than the basis of accounting for those assets.

Pledges of future revenues when resources are not received by the pledging government

When blending the financial statements of a debt-issuing component unit into the financial statements of a primary government pledging revenue for the component unit’s debt, the primary government should reclassify an amount due to the component unit as an interfund payable and an interfund transfer out simultaneously with the recognition of the revenues that are pledged.

Focus of the government-wide financial statement

Statement 99 reiterates that there should be a total overall government-wide column within the MD&A, Statement of Net Position, and Statement of Activities. This column should exclude all fiduciary activities, including custodial funds. 

Terminology updates

No action is needed. Terminology in previous pronouncements has been updated as it relates to Statements 63 and 53. 


Effective dates

The requirements related to the extension of the use of LIBOR, accounting for SNAP distributions, disclosures of nonmonetary transactions, pledges of future revenues by pledging governments, clarification of certain provisions in Statement 34 and terminology updates related to GASB 53 and 63 are effective upon issuance.

The requirements related to leases, PPPs, and SBITAs are effective for fiscal years beginning after June 15, 2022.

The requirements related to financial guarantees and the classification and reporting of derivative instruments within the scope of Statement 53 are effective for fiscal years beginning after June 15, 2023.

Earlier application is encouraged and permitted for all.

If you would like more information regarding Statement 99, please contact our Audits of Governmental Component Units team. We’re here to help.

Article
Key considerations from GASB Statement No. 99 

Read this if you use QuickBooks Online.

With gas prices so high, you need to track your travel costs as closely as possible. Consider getting a tax deduction for your business mileage.

If you drive even a little for business, it’s easy to let mileage costs slide. After all, it’s a pain to keep track of your tax-deductible mileage in a little notebook and do all the calculations required. If you do rack up a lot of business miles, you probably forget to track some trips and end up losing money.

QuickBooks Online offers a much better way. Its Mileage tools include simple fill-in-the-blank records that allow you to document individual trips. You can either enter the starting point and destination and let the site calculate your mileage and deduction or enter the number of miles yourself.

If you use QuickBooks Online’s mobile app, it can track your miles automatically as you drive (as long as you have the correct settings turned on). Here’s a look at how all of this works.

Setting up 

To get started, click the Mileage link in QuickBooks Online’s toolbar. The screen that opens will eventually display a table that contains information about your trips, but you need to do a little setup first. Click the down arrow next to Add Trip in the upper right corner and select Manage vehicles. A panel will slide out from the right. Click Add vehicle.

 
You’ll need to supply information about your vehicles before you can start entering trips.

You’ll need to supply the vehicle’s year, make, and model. Do you own or lease it, and on what date was the vehicle purchased or leased and put into service? Do you want to have your annual mileage calculated by entering odometer readings or have QuickBooks Online track your business miles driven automatically? When you’re done making your selections and entering data, click Save.

Entering trip data

You can download trips as CSV files or import them from Mile IQ, but you’re probably more likely to enter them manually. Click Add Trip in the upper right corner. In the pane that opens, you’ll enter the date of the trip and either the total miles or start and end point. You’ll select the business purpose and vehicle and indicate whether it was a round trip. When you’re done, click Save. The trip will appear in the table on the opening screen, and your current possible total deduction will be in the upper left corner, along with your total business miles and total miles.

If you want to designate a trip as personal, click the box in front of the trip in that table. In the black horizontal box that appears, click the icon that looks like a little person, then click Apply. Now, the trip will appear in the Personal column and will not count toward your business tax-deductible mileage. 

When you select a trip in the Mileage table, you can mark it as personal so it’s not included in your business tax-deductible miles.

Personal trips can count, too

If you use your vehicle(s) for personal as well as business purposes, tracking some of those miles can also mean a tax deduction. For tax year 2022, you can deduct 18 cents per mile for your travel to and from medical appointments. Note: Medical mileage is only deductible if medical expenses exceed a certain percentage of AGI. Be sure to check the IRS tax code each year, as the mileage rates are updated annually.

And if you do volunteer work for a qualified charitable organization, the miles you drive in service of it can be deducted at the rate of 14 cents per mile. You can also claim the cost of parking and tolls, as long as you weren’t reimbursed for any of these expenses. Obviously, the IRS wants you to keep careful records of your charitable mileage, and QuickBooks Online can provide them.

QuickBooks Online doesn’t track these deductions, but you’ll at least have a record of the miles driven.

Auto-track your miles

The easiest way to track your mileage in QuickBooks Online is by using its mobile app. You can launch this and have it record your mileage automatically as you’re driving. Versions are available for both Android and iOS, and they’re different from each other. They also have more features than the browser-based version of QuickBooks Online, like maps, rules, and easier designation of trips as business or personal.

 
The iOS version of Mileage in the QuickBooks Online app

In both versions, you’ll need to click the menu in the lower right corner after you’ve opened the QuickBooks Online app and select Mileage. Make sure Auto-Tracking is turned on. Your phone’s location services tool must be turned on, too. There are other settings that vary between the two operating systems. You can search the help system of either app to make sure you get your settings correct if the onscreen instructions aren’t clear enough.

Of course, you won’t see the fruits of your mileage deductions until you file your 2022 taxes. But you can factor these savings in as you’re doing your tax planning during the year. Please contact the Outsourced Accounting team if you’re having any trouble with QuickBooks Online’s Mileage tools, or if you have questions with other elements of the site.

Article
How QuickBooks Online helps you track mileage

Read this if you are a not-for-profit organization.

With springtime upon us, it may be difficult to start thinking about this upcoming fall, but that is exactly what many folks in the nonprofit sector are starting to do. The reason for this? It’s because 2022 brings with it the mid-term election cycle. While technically an off-year election, many congressional and gubernatorial races are being contested, in addition to a myriad of questions that will appear on ballots across the country. It is around this time of year we start to see many questions from clients in the nonprofit sector in the area of political campaign activities, lobbying (both direct and grassroots), and education/advocacy.

This article will discuss the three major types of activities nonprofit organizations may or may not undertake in this arena and will offer guidance to give organizations the vote of confidence they need to not run afoul of the potential pitfalls when it comes to undertaking these activities.

Political campaign activity

Political campaign activities include participating or intervening in any political campaign on behalf of (or in opposition to) any candidate for elective public office, be it at the federal, state, or local level. Examples of such activities include contributions to political campaigns as well as making public statements in favor of or in opposition to any candidate. The IRS explicitly prohibits section 501(c)(3) organizations from conducting political campaign activities, the consequence of doing so being loss of exempt status. However, other types of exempt organizations (such as 501(c)(4) organizations) are allowed to engage in such activities, so long as those activities are not the organization’s primary activity. Only Section 527 organizations may engage in political campaign activities as their primary purpose. 

Direct lobbying

Direct lobbying activities attempt to influence legislation by directly communicating with legislative members regarding specific legislation. Examples of direct lobbying include contacting members of Congress and asking them to vote for or against a specific piece of legislation.

Grassroots lobbying

Grassroots lobbying, on the other hand, attempts to influence legislation by affecting the opinions of the general public and includes a call to action. Examples of grassroots lobbying include requesting members of the general public to contact their representatives to urge them to vote for or against specific legislation.  

A quick way to remember the difference:
Political = think “P” for People – advocating for or against a specific candidate 
Lobbying = think “L” for Legislation – advocating for or against a specific bill

Education/advocacy

Organizations may engage in activities designed to educate or advocate for a particular cause so long as they do not take a specific position. For example, telling members of Congress how grants helped constituents would be considered an educational activity. However, attempting to get a member of Congress to vote for or against a specific piece of legislation that would affect grant funding would be considered lobbying. Another example would be educating or informing the general public about a specific piece of legislation. Organizations need to be mindful here, as taking a specific position one way or the other would lend itself to the activity being deemed lobbying, and not merely education of the general public. There is no limit on how much education/advocacy activity a nonprofit organization may conduct.

Why does this matter?

As you can see, there is a very fine line between lobbying and education, so it is important to understand the differences so that an organization conducting educational activities does not inadvertently end up conducting lobbying activities.

Organizations exempt under Code Section 501(c)(3) can conduct only lobbying activities that are insubstantial relative to their overall activities. A 501(c)(3) organization may risk losing its exempt status and may face excise taxes on the lobbying expenditures if it is deemed to be conducting excess lobbying, whereas section 501(c)(4), (c)(5), and (c)(6) organizations may engage in an unlimited amount of lobbying activity.

What is substantial?

Unfortunately, there is no bright line test for determining what is considered substantial versus insubstantial. As an industry standard, many practitioners have taken a position that insubstantial means five percent or less of total expenditures, but that position is not codified and could be challenged by the IRS. 

Section 501(c)(3) organizations that intend to conduct lobbying activities on a regular basis may want to consider making an election under Code Section 501(h). This election is only applicable to 501(c)(3) organizations and provides a defined amount of lobbying activity an organization may conduct without jeopardizing its exempt status or becoming subject to excise tax. The 501(h) election limit is based on total organization expenditures with a maximum allowance of $1 million for “large organizations” (defined as an organization with total expenditures over $17,000,000). 

While the 501(h) election provides some clarity as to how much lobbying activity can be conducted, it may be prohibitive for some organizations whose total expenditures greatly exceed the $17,000,000 threshold. Another item to be aware of is that the lobbying threshold applies to all members of an affiliated group combined, which means the entire group shares the maximum threshold allowed. 

Another option for those engaging in lobbying is to create a separate entity (such as a 501(c)(4) organization) which conducts all lobbying activities, insulating the 501(c)(3) organization from these activities. As previously mentioned, organizations exempt under Code Section 501(c)(4) can conduct an unlimited amount of lobbying activities but can only conduct limited political campaign activities.

What about political campaign activities?

Section 527 organizations, known as political action committees, are exempt organizations dedicated specifically to conducting political campaign activities. If a 501(c)(4), (c)(5), or (c)(6) organization makes a contribution to a 527 organization, it may be required to file a Form 1120-POL and be subject to tax at the corporate tax rate (currently a flat 21%) based on the lesser of the political campaign expenditures or the organization’s net investment income. State income taxes may also be applicable. Section 501(c)(3) organizations may not make contributions to 527 organizations. 

If your organization is considering participation in any of the above activities, we would recommend you reach out to your not-for-profit tax team for additional information. We’re here to help!

Article
Lobbying and politics and education, oh my!

Read this if you have a cybersecurity program.

This week President Joe Biden warned Americans about intelligence that indicated Russia may be preparing to conduct cyberattacks on our private sector businesses and infrastructure as retaliation for sanctions applied to the Russian government (and the oligarchs) as punishment for the invasion of Ukraine. Though there is no specific threat at this time, President Biden’s warning has been an ongoing message since the invasion began. There is no need to panic, but this is a great time to revisit your current security controls. Focusing on basic IT controls can make a big difference in the event of an attack, as hackers tend to go after the easy, low-hanging fruit. 

  1. Access controls
    Review and understand how all access to your networks is obtained by on-site employees, remote employees, and vendors and guests. Make sure that users are maintaining strong passwords and that no user is connecting remotely to any of your systems without some form of multi-factor authentication (MFA). MFA can come in the form of a token (in hand or built-in) or as one of those numerical codes you have delivered to your phone or email. Poor access controls are simply the difference between leaving your house unlocked versus locked when you leave to go somewhere. 
  2. Patching
    One of the most common audit findings we have to date and one of the biggest reasons behind successful attacks is related to unpatched systems. Software patches are issued by software providers to address vulnerabilities in systems that act as an unlocked door to a hacker, and allow hackers to leverage the vulnerability as a way to get into your systems. Ensuring your organization has a robust patch management program in place and that systems are up-to-date on needed patches is critical to your security operations. Think of an unpatched system like a car with a broken window—sure the door is locked, but any thief can reach through the broken window and unlock the car. 
  3. Logging 
    Account activity, network traffic, system changes—these are all things that can be easily logged and with the right tools, configured to alert you to suspicious activity. Logging that is done correctly can alert management to suspicious activity occurring on your network and notifies your security team to investigate the issue. Consider logging and alerting like your home’s security camera. It may alert you to the activity outside, but someone still needs to review the footage and react to it to mitigate the threat.  
  4. Test backups and more
    Making sure that your systems are successfully backed up and kept separate from your production systems is a control we are all familiar with. Organizations should do more than just make sure their backups are performed nightly and maintained; they also need to make sure that those data backups can be restored to a usable state on a regular basis. Beyond backups, we also often hear in the work we do that our clients test only parts of their disaster recovery and failover plans—but have never tested a full-scale failover to their backup systems to determine if the failover would be successful in the event of an incident or disaster. Organizations shouldn’t be scared to do a full-scale failover test, because when the time comes, you may not have the option to do a partial failover and just hope that it occurs successfully. Not testing your backups is like not test driving a car before you buy it. Sure it looks nice in the lot, but does it actually run? 
  5. Incident Management Plan 
    We often review Incident Management Plans as part of the work we do, and often note that the plans are outdated and contain incorrect information. This is an ideal time to make sure your plans are current and reflect changes that may have occurred, like your increasingly remote work force, or that systems have changed. An outdated Incident Management Plan is like being sick and trying to call your doctor for help only to find out your doctor has retired. 
  6. Training—phishing attacks
    Hackers’ most common approach to gain access to systems and deploy crippling ransomware attacks is through phishing campaigns via email. Phishing campaigns trick a user into either providing the hacker with credentials to log into systems or to download malware that could turn into ransomware through what appears to be legitimate business correspondence. Training end-users on what to look for in verifying an email’s authenticity is critical and should be seen as an opportunity that benefits the entire organization. Testing users is also critical so management understands the current risk and what is needed for additional training. Security teams should also have other supporting controls to help prevent phishing emails and detection tools in place in case a user does fall for an email. Not training your employees on security is like not coaching your little league team on how to play baseball and then being surprised you didn’t win the game because no one knew what to do. 
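As an added illustration of the access-control and logging items above (example code written for this page, not part of the original article or any product), the script below runs three simple detection rules over a constructed set of authentication log lines: repeated failed logins from one source, a successful login following those failures, and a remote login that did not use MFA. The log line format, the thresholds, and the internal address ranges are assumptions; map them to whatever your VPN, SSO or server logs actually emit.

```python
"""Constructed example: simple detection rules over authentication log lines.

The log format below is invented for this example (assumption); real VPN,
SSO or sshd logs will differ. INTERNAL_NETS is assumed to be RFC 1918 space.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
import re

# Assumed internal ranges: logins from these do not trigger the no-MFA rule.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16"),
                 ip_network("172.16.0.0/12")]
FAIL_THRESHOLD = 5                    # failures per source within WINDOW
WINDOW = timedelta(minutes=5)

# Assumed line format: "<ISO timestamp> src=<ip> user=<name> event=<event> [mfa=yes|no]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) event=(?P<event>\S+)"
    r"(?: mfa=(?P<mfa>yes|no))?$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def is_internal(src):
    """True if src parses as an IP address inside one of the assumed internal ranges."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def detect(lines):
    """Return a list of (rule, src, user, timestamp) alerts for the given log lines.

    Rules:
      brute_force        - FAIL_THRESHOLD or more failed logins from one source
                           inside a sliding window of length WINDOW
      success_after_fail - a successful login from a source that had failures
                           inside the window (a guessed password may have worked)
      remote_no_mfa      - a successful login from a non-internal address without MFA
    """
    alerts = []
    failures = defaultdict(deque)         # src -> timestamps of recent failures
    brute_fired = set()                   # one brute_force alert per source
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # unparseable line: skip, don't crash
        ts, src, user, event = rec["ts"], rec["src"], rec["user"], rec["event"]
        q = failures[src]
        while q and ts - q[0] > WINDOW:   # drop failures that fell out of the window
            q.popleft()
        if event == "login_failed":
            q.append(ts)
            if len(q) >= FAIL_THRESHOLD and src not in brute_fired:
                alerts.append(("brute_force", src, user, ts))
                brute_fired.add(src)
        elif event == "login_success":
            if q:
                alerts.append(("success_after_fail", src, user, ts))
            if rec["mfa"] == "no" and not is_internal(src):
                alerts.append(("remote_no_mfa", src, user, ts))
    return alerts


# Constructed sample log (not real traffic): an external host guesses alice's
# password and then logs in; bob logs in from the office without MFA (allowed
# by the rule); carol logs in remotely without MFA (flagged).
SAMPLE_LOG = """\
2022-03-22T08:00:01Z src=203.0.113.5 user=alice event=login_failed
2022-03-22T08:00:07Z src=203.0.113.5 user=alice event=login_failed
2022-03-22T08:00:12Z src=203.0.113.5 user=alice event=login_failed
2022-03-22T08:00:19Z src=203.0.113.5 user=alice event=login_failed
2022-03-22T08:00:25Z src=203.0.113.5 user=alice event=login_failed
2022-03-22T08:00:31Z src=203.0.113.5 user=alice event=login_success mfa=yes
2022-03-22T08:05:00Z src=192.168.1.20 user=bob event=login_success mfa=no
2022-03-22T08:06:00Z src=198.51.100.9 user=carol event=login_success mfa=no
this line is garbage and is skipped
""".splitlines()

if __name__ == "__main__":
    for rule, src, user, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} ALERT {rule}: user={user} src={src}")
```

Three alerts come out of the sample: a brute_force alert on the fifth failure, a success_after_fail alert on the following login, and a remote_no_mfa alert for carol; the alert itself is only the camera footage, and someone still has to review and act on it.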

In the current environment, information security is an asset to any organization and needs to be supported so that you can protect your organization from cyberattacks of all kinds. While we can never guarantee that having controls in place will prevent an attack from occurring, they make it a lot more challenging for the hacker. One more analogy, and then I’m done, I promise. Basic IT controls are like speedbumps in a neighborhood. While they keep most people from speeding (and if you hit them too fast they do a number on your car), you can still get over them with enough motivation. 

If you have questions about your cybersecurity controls, or would like more information, please contact our IT security experts. We’re here to help.

Article
Cyberattack preparation: A basics refresher

Read this if you are at a not-for-profit organization.

Gaming activities are a great way for not-for-profit (NFP) organizations to raise funds which can be used for exempt purposes. While gaming activities can make for fun and fruitful events (after all, who doesn’t like winning something?), they can also be costly to your organization if you don’t play by the rules. This article will highlight what activities are considered gaming, and discuss the potential tax implications and reporting requirements associated with these activities. 

What is a gaming activity? 

The IRS considers any of the following to be gaming activities (NOTE: this is not an all-inclusive list):

Gaming includes: bingo, pull-tabs/instant bingo (including satellite and internet bingo), Texas Hold ‘em poker and other card games, raffles, scratch-offs, charitable gaming tickets, break-opens, hard cards, banded tickets, jar tickets, pickle cards, Lucky Seven cards, Nevada Club tickets, casino nights, Las Vegas nights and coin-operated gambling devices. Coin-operated gambling devices include slot machines, electronic video slot or line games, video poker, video blackjack, video keno, video bingo, video pull-tab games and so on.

Essentially any game of chance is considered a gaming activity. As a general rule, gaming activities are considered an unrelated business income activity (taxable), unless a specific exception applies—more on that later. Whether or not the funds generated through gaming are used to pay for expenses associated with the organization’s mission or exempt purpose does not change the fact that the activity is considered unrelated for tax purposes.

Form 990 reporting requirements 

Gaming activity is always required to be reported on Part VIII (Statement of Revenue) of Form 990 regardless of amount. If gross income generated from gaming activities exceeds $15,000 during the organization’s tax year, the activity is also reported on Schedule G, Part III. Further, organizations who complete either of the support tests on Schedule A will also need to report the net income from gaming activities as part of their overall support. 

Gaming and unrelated business income (UBI)

In general, three conditions must be met for an activity to be classified as UBI:

  1. The activity must be considered a trade or business;
  2. The activity must be regularly carried on; and
  3. The activity must not be substantially related to the organization’s exempt purpose.

If any one of the three conditions above is not met, then the activity will not be considered UBI. By default, gaming activities will likely satisfy the first and third conditions listed above. Gaming activities will be deemed “regularly carried on” if they manifest a frequency and continuity, and are pursued in a manner generally similar to comparable commercial activities of nonexempt organizations. If gaming activities occur infrequently or sporadically, they would likely not meet the standard of being regularly carried on. For example, gaming conducted as part of an annual fundraising event would typically not be classified as regularly carried on, whereas if the same event were to be held weekly it would be classified as regularly carried on. 

But even then there are exceptions. An activity can still be deemed regularly carried on even if held sporadically, depending on the amount of time involved leading up to the event. For example, if an organization holds an annual raffle, but significant time is spent by employees of the organization in the 11 months leading up to the event, the activity can still be deemed regularly carried on by the IRS.

Avoiding the UBI gaming trap

There are a couple of ways organizations can avoid the UBI trap on gaming. The first is to have the activity operated substantially (85% or more of the total time spent) by unpaid volunteers. The volunteer exception to UBI is not just limited to gaming activities, but can be applied to other potential UBI activities also. The other is to operate your gaming activity in such a manner as to qualify as a “bingo game”. Yes, bingo is specifically excluded from the definition of unrelated business income. In fact, the IRS even specifically defines what constitutes a “bingo game” in Regulation 1.513-5(d). The definition is rather narrow in scope, so organizations will need to be careful should they decide to use this defense. It’s important to note that the term “bingo game” does not refer to any game of chance, which includes raffles.

Reporting and withholding requirements for winnings

When conducting any gaming activity it is always important to be aware of how much the winners are receiving. Reportable winnings are reported on Form W-2G. Generally reporting is triggered if the total winnings (reduced by the wager) are $600 or more, and at least 300 times the amount of the wager. Winnings from raffles, lotteries, etc. are subject to this threshold, while other games such as poker and bingo have higher thresholds before Form W-2G is required. 

Tax withholdings can also come into play with gaming winnings. Generally, organizations are required to withhold federal income tax of 24% if the proceeds (the winnings minus the wager) exceed $5,000. This is known as regular gambling withholding. The organization may also be required to withhold 24% of gambling winnings for federal income tax (known as backup withholding) if any of the below circumstances apply:

  • The winner doesn't furnish a correct taxpayer identification number (TIN),
  • Applicable regular gambling withholding has not been withheld, and
  • The winnings are at least $600 and at least 300 times the wager (or the winnings are at least $1,200 from bingo or slot machines or $1,500 from keno, or more than $5,000 from a poker tournament).

It is important to note that state and even local income tax withholdings may also need to be withheld. Organizations that feel they may have a Form W-2G reporting or tax withholding requirement should consult their tax advisors as soon as possible.

Does your state have any special registrations? 

State and municipal registrations for gaming events vary widely. Some require registrations be completed at the state level as well as the city or town level. Before rolling the dice and hosting a charitable gaming event, you will want to do your homework to ensure the event is fully licensed or registered with state and municipal gaming authorities.

While life is full of chances, you shouldn’t gamble when it comes to charitable gaming. When in doubt, don’t take any chances and contact a member of our Not-for-profit Tax Team if you have any questions related to gaming activities for your organization. We’re here to help!

Article
Gaming: Reporting requirements for not-for-profit organizations