
Cybersecurity update for organizations: Considerations for boards and senior management

12.07.21

Read this if you are responsible for cybersecurity at your organization. 

During the financial audit process, auditors are required to develop and confirm their understanding of Information Technology (IT) and cybersecurity practices as they relate to financial reporting, both to better understand risk and because auditors rely heavily on data pulled from accounting information systems. As auditors, we have seen a significant increase in the number of impactful incidents affecting not-for-profit organizations, and our IT security experts often share valuable advisory comments in annual audit communications with our clients. With recent incidents and a very rapidly changing business environment in mind, here are the three most important advisory topics from the last six months that affect all not-for-profits.

Board oversight of cybersecurity 

Cybersecurity gaps within an organization’s systems may lead to risk exposure and have material impacts on all aspects of operations. Responsibility for cybersecurity controls and for establishing a culture of awareness and security should come from the Board and senior leadership. Board members and senior leaders should stay apprised of cybersecurity efforts on a regular basis and incidents should be summarized and reported on a quarterly basis. 

The Board should also consider adding a member who is a professional with IT and cybersecurity experience to help manage and understand the specific risks to the organization and help drive and support cybersecurity efforts.

Ransomware threats and preventive controls

Ransomware remains a profitable attack on organizations, and its use continues to increase rapidly. Within the last year there have been multiple high-profile incidents that illustrate the impact of a successful attack. These impacts fall into two main areas. One impact may be financial, as millions of dollars are paid to the bad actors as ransom in hopes of being able to regain control of systems. The second impact is operational, resulting in a loss of control of systems and data during the event. Potentially, an unsuccessful data restoration could result in the total loss of information and data maintained on your networks.

Though no organization may be able to prevent a ransomware attack from occurring entirely, there are basic cybersecurity controls that help reduce the likelihood and impact of an attack. Preventive controls may include: 

  • Security awareness training on phishing emails and overall IT security practices for all organization users
  • Multi-factor authentication 
  • Access controls that prevent users from installing unapproved software onto organization-owned workstations and networks
  • Anti-malware software installed on devices that connect to organization systems 
  • Use of Zero Trust data management tools for backups
  • Disabling macros in email attachments (prevents embedded code from running automatically)

In addition to adding these preventive controls to your cybersecurity program, your organization should assess the corrective controls already in place to react to a ransomware event once one is detected or reported. Corrective controls may include:

  • Disaster recovery plans/business continuity plans 
  • Incident response plans
  • Backup controls and restoration tests 

As the risk of ransomware continues to increase and attacks grow more sophisticated, your organization should consider regular assessments of IT controls and cybersecurity practices. Such assessments may be performed in conjunction with annual financial statement audits as an expanded scope and/or as a separate annual IT assessment.

COVID-19 IT considerations 

The global COVID-19 pandemic significantly impacted nearly every aspect of modern life, including the way we work. As personnel were sent home and literally became a remote workforce overnight, changes to IT systems and controls rapidly adjusted to accommodate this new way of business. 

Where controls and procedures were adjusted, if not suspended, your organization should review those changes and determine whether controls should revert to the pre-pandemic process—or be formally changed and documented as policy.

Guidance from the American Institute of Certified Public Accountants (AICPA) dictates that a gap in controls associated with the pandemic is not a legitimate reason for not completing a control and that any changes must be documented and properly managed.  

Well over a year into the pandemic, the hybrid workforce has emerged as the predominant way employees and businesses want to work. Your organization should review policies and procedures that may pre-date the pandemic and update them so that they document and reflect the current business environment.

Additionally, with personnel working remotely or in a hybrid model, you should assess your practices for managing remote access and a hybrid workforce and, where needed, implement industry best-practice tools and procedures that accommodate a remote workforce while maintaining security controls. If you have questions regarding your cybersecurity procedures or want to learn more, please contact our team. We’re here to help.
 


A version of this article was previously published on the Massachusetts Nonprofit Network

Editor’s note: while this blog is not technical in nature, you should read it if you are involved in IT security, auditing, or management of organizations that participate in strategic planning and business activities where consideration of compliance and controls is required.

As we find ourselves in a fast-moving, strong business growth environment, there is no better time to consider the controls needed to enhance your IT security as you implement new, high-demand technology and software to allow your organization to thrive and grow. Here are five risks you need to take care of if you want to build or maintain strong IT security.

1. Third-party risk management―It’s still your fault

We rely daily on our business partners and vendors to make the work we do happen. With a focus on IT, third-party vendors are a potential weak link in the information security chain and may expose your organization to risk. Though a data breach may be the fault of a third party, you are still responsible for it. A breach or exposure of customer information may leave you owing customers and clients answers and explanations you do not have.

Though software as a service (SaaS) providers, along with other IT third-party services, have been around for well over a decade now, we still neglect our businesses by not considering and addressing third-party risk. These third-party providers likely store, maintain, and access company data, which could potentially contain personally identifiable information (names, social security numbers, dates of birth, addresses), financial information (credit cards or banking information), and healthcare information of your customers. 

While many third-party providers have comprehensive security programs in place to protect that sensitive information, a study in 2017 found that 30% of data breaches were caused by employee error or occurred while data was under the control of third-party vendors.[1] This study reemphasizes that when data leaves your control, it is at risk of exposure.

In many cases, procurement and contracting policies already include contract language that establishes IT security requirements for third parties; however, those requirements are often not enforced, and the staff who manage the relationship may not be aware of what the contract says. In other cases, evidence of compliance is collected, put in a file, and never reviewed. What can you do about it?

Improved vendor management

It is paramount that all organizations (no matter their size) have a comprehensive vendor management program in place that goes beyond contracting requirements to defend against third-party risk. Such a program includes:

  1. An inventory of all third-parties used and their criticality and risk ranking. Criticality should be assigned using a “critical, high, medium or low” scoring matrix. 
  2. At the time of onboarding or RFP, develop a standardized approach for evaluating whether potential vendors have sufficient IT security controls in place. This may be done through an IT questionnaire, review of a System and Organization Controls (SOC) report or other audits/certifications, and/or policy review. Additional research may be conducted that focuses on management and the company’s financial stability.
  3. As a result of the steps in #2, develop a vendor risk assessment using a high, medium, and low scoring approach. Higher-risk vendors should have specific concerns addressed in contracts and are subject to more in-depth annual due diligence procedures.
  4. Reporting to senior management and/or the board annually on the vendors used by the organization, the services they perform, their risk, and ways the organization monitors the vendors. 

2. Regulation and privacy laws―They are coming 

2018 saw the implementation of the European Union’s General Data Protection Regulation (GDPR), the first major data privacy law imposed on any organization that possesses, handles, or has access to the personal information of EU citizens. Enforcement has started, and the Information Commissioner’s Office has begun fining some of the world’s most famous companies, including substantial fines against Marriott International and British Airways of $125 million and $183 million Euros, respectively.[2] Gone are the days when regulations lacked the teeth to force companies into compliance.

Thanks to other major data breaches in which hundreds of millions of consumers’ private information was lost or obtained (e.g., Experian), more regulation is coming. Although there is little expectation of an American federal requirement for data protection, individual states and other regulating organizations are introducing requirements. Each new regulation seeks to protect consumer privacy, but the specifics and enforcement of each differ.

Expected to be most impactful in 2019 is the California Consumer Privacy Act, which applies to organizations that handle, collect, or process consumer information and do business in the state of California (you do not have to be located in CA to fall under the umbrella of enforcement).

In 2018, Maine passed the toughest law on telecommunications providers selling consumer information. Massachusetts’ long-standing privacy and data breach laws were amended with stronger requirements in January of 2019. Additional privacy and breach laws are in discussion or on the table for many states, including Colorado, Delaware, Ohio, Oregon, Vermont, and Washington, amongst others.

Preparation and awareness are key

All organizations, no matter their line of business, must be aware of and understand current laws and proposed legislation. New laws are expected to address not only the protection of customer data but also employee information. All organizations should monitor proposed legislation and be aware of the potential enforceable requirements. The good news is that there are a lot of resources out there and, in most cases, legislative requirements allow for grace periods so organizations can develop a complete understanding of proposed laws and implement needed controls.

3. Data management―Time to cut through the clutter 

We all work with people who have thousands of emails in their inbox (in some cases, dating back several years). Those users’ biggest fears may start to come to fruition―that their “organizational” approach of not deleting anything may come to an end with a simple email and data retention policy put in place by their employer. 

The amount of data we generate in a day is massive. Forbes estimates that we generate 2.5 quintillion bytes of data each day and that 90% of all the world’s data was generated in the last two years alone.[3] While data is a gold mine for analytics and market research, it is also an increasing liability and security risk.

Inc. Magazine says that 73% of the data we have available to us is not used.[4] Within that data could be personally identifiable information (such as social security numbers, names, addresses, etc.); financial information (bank accounts, credit cards, etc.); and/or confidential business data. That data is valuable to hackers and corporate spies, and in many cases the data’s existence and location are unknown to the organizations that have it.

In addition to the security risk that all this data poses, it may also expose an organization to liability in the event of a lawsuit or investigation. Emails and other communications are a favorite target of subpoenas and investigations and should be deleted within 90 days (including deleted items folders).

Take an inventory before you act

Organizations should first complete a full data inventory and understand what types of data they maintain and handle, and where and how they store that data. Next, organizations can develop a data retention policy that meets their needs. Utilizing backup storage media may be a solution that helps reduce the need to store and maintain a large amount of data on internal systems. 

4. Doing the basics right―The simple things work 

Across industries and regardless of organization size, the most common problem we see is the absence of basic controls for IT security. Every organization, no matter their size, should work to ensure they have controls in place. Some must-haves:

  • Established IT security policies
  • Routine, monitored patch management practices (for all servers and workstations)
  • Change management controls (for both software and hardware changes)
  • Anti-virus/malware on all servers and workstations
  • Specific IT security risk assessments 
  • User access reviews
  • System logging and monitoring 
  • Employee security training

Go back to the basics 

We often see organizations that focus on new and emerging technologies but have not taken the time to put basic security controls in place. Simple deterrents will help thwart hackers. I often tell my clients that a locked car scares away most ill-willed people, but a thief can still smash the window.

Smaller organizations can consider using third-party security providers, if they are not able to implement basic IT security measures. From our experience, small organizations are being held to the same data security and privacy expectations by their customers as larger competitors and need to be able to provide assurance that controls are in place.  

5. Employee retention and training 

Unemployment rates are at an all-time low, and the demand for IT security experts at an all-time high. In fact, Monster.com reported that in 2019 the unemployment rate for IT security professionals is 0%.[5]

Organizations should be highly focused on employee retention and training to keep current employees up-to-speed on technology and security trends. One study found that only 15% of IT security professionals were not looking to switch jobs within one year.[6]

Surprisingly, money is not the top factor for turnover―68% of respondents prioritized working for a company that takes their opinions seriously.[6]

For years we have told our clients they need to create and foster a culture of security from the top down, and that IT security must be considered more than just an overhead cost. It needs to align with overall business strategy and goals. Organizations need to create designated roles and responsibilities for security that provide your security personnel with a sense of direction―and the ability to truly protect the organization, their people, and the data. 

Training and support goes a long way

Offering training to security personnel allows them to stay abreast of current topics, but it also shows those employees you value their knowledge and the work they do. You need to train technology workers to be aware of new threats, and on techniques to best defend and protect from such risks. 

Reducing turnover rate of IT personnel is critical to IT security success. Continuously having to retrain and onboard employees is both costly and time-consuming. High turnover impacts your culture and also hampers your ability to grow and expand a security program. 

Making the effort to empower and train all employees is a powerful way to demonstrate your appreciation and support of the employees within your organization—and keep your data more secure.  

Our IT security consultants can help

Ensuring that you have a stable and established IT security program in place by considering the above risks will help your organization adapt to technology changes and create more than just an IT security program, but a culture of security minded employees. 

Our team of IT security and control experts can help your organization create and implement the controls needed to address emerging IT risks. For more information, contact the team.
 

Sources:
[1] https://iapp.org/news/a/surprising-stats-on-third-party-vendor-risk-and-breach-likelihood/  
[2] https://resources.infosecinstitute.com/first-big-gdpr-fines/
[3] https://www.forbes.com/sites/bernardmarr/2018/05/21/how-much-data-do-we-create-every-day-the-mind-blowing-stats-everyone-should-read/#458b58860ba9
[4] https://www.inc.com/jeff-barrett/misusing-data-could-be-costing-your-business-heres-how.html
[5] https://www.monster.com/career-advice/article/tech-cybersecurity-zero-percent-unemployment-1016
[6] https://www.securitymagazine.com/articles/88833-what-will-improve-cyber-talent-retention

Article
Five IT risks everyone should be aware of

Is your organization a service provider that hosts or supports sensitive customer data (e.g., personal health information (PHI) or personally identifiable information (PII))? If so, you need to be aware of a recent decision by the American Institute of Certified Public Accountants (AICPA) that may affect how your organization manages its systems and data.

In April, the AICPA’s Assurance Executive Committee decided to replace the five Trust Service Principles (TSPs) with Trust Services Criteria (TSC), requiring service organizations to completely rework their internal controls, and present SOC 2 findings in a revised format. This switch may sound frustrating or intimidating, but we can help you understand the difference between the principles and the criteria.

The SOC 2 Today
Service providers design and implement internal controls to protect customer data and comply with certain regulations. Typically, a service provider hires an independent auditor to conduct an annual Service Organization Control (SOC) 2 examination to help ensure that controls work as intended. Among other things, the resulting SOC 2 report assures stakeholders (customers and business partners) the organization is reducing data risk and exposure.

Currently, SOC 2 reports focus on five Trust Services Principles (TSP):

  • Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that can compromise the availability, integrity, confidentiality, and privacy of information or systems — and affect the entity's ability to meet its objectives.

  • Availability: Information and systems are available for operation and use to meet the entity's objectives.

  • Processing Integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives.

  • Confidentiality: Information designated as confidential is protected to meet the entity's objectives.

  • Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity's objectives.

New SOC 2 Format
The TSC directly relate to the 17 principles found in the Committee of Sponsoring Organizations (COSO) 2013 Framework for evaluating internal controls, and include additional criteria related to COSO Principle 12. The new TSC are:

  • Control Environment: Emphasis on ethical values, board oversight, authority and responsibilities, workforce competence, and accountability.
  • Risk Assessment: Emphasis on the risk assessment process, how to identify and analyze risks, fraud-related risks, and how changes in risk impact internal controls.
  • Control Activities: Emphasis on how you develop controls to mitigate risk, how you develop technology controls, and how you deploy controls across an organization through policies and procedures.
  • Information and Communication: Emphasis on how you communicate information within the organization and to external parties.
  • Monitoring: Emphasis on how you evaluate internal controls and how you communicate and address any control deficiencies.

The AICPA has provided nearly 300 Points of Focus (POF), supporting controls that organizations should consider when addressing the TSC. The POF offer guidance and considerations for controls that address the specifics of the TSC, but they are not required.

Points of Focus
Organizations now have some work to do to meet the guidelines. The good news: there’s still plenty of time to make necessary changes. You can use the current TSP format before December 15, 2018. Any SOC 2 report presented after December 15, 2018, must incorporate the new TSC format. The AICPA has provided a mapping spreadsheet to help service organizations move from TSP to the TSC format.

Contact Chris Ellingwood to learn more about how we can help you gain control of your SOC 2 reporting efforts. 
 

Article
The SOC 2 update — how will it affect you?

As the technology we use for work and at home becomes increasingly intertwined, security issues that affect one also affect the other and we must address security risks at both levels.

This year’s top security risks are the first in our series that are prevalent both to us as consumers of technology and to us as business owners and security administrators. Our homes and offices connect to devices, referred to as the Internet of Things (IoT), that make our lives and jobs easier and more efficient, but securing those devices from outside access is becoming paramount to IT security.

Many of this year’s risks focus on deception. Through deception, hackers can get information and access to systems, which can harm our wallets and our businesses.

In our 2017 Top 10 IT Security Risks e-book we share with you how to understand these emerging risks, the consequences and impacts these risks may have on your business, and approaches to help mitigate the risks and their impact. Some of the key ways to address these risks are:           

  1. Do your homework — change your default passwords (the one that came with your wireless router, for instance), and also make sure that your Amazon Alexa, Google Home, or other smart devices have complex passwords. In addition, turning off devices when they are not in use, or when you are gone, helps secure your home.
  2. If you work from home, or have employees who do, set up and use secure connections with two-factor authentication methods to help protect your networks. Remote employees should be required to use the same security measures as on-site employees.
  3. Protect your smartphone at work and at play—smartphones have become one of our most important possessions, and we use the same device for both work and personal applications, yet we don’t protect them as well as we should. Password protection is step one. Consider installing new antivirus software on corporate smartphones and using container apps for corporate emails and documents. These apps allow users to securely connect to a company’s server and reduce the possible exposure of data.
  4. Train, inform, repeat. Create a vigilant workforce—through continuous and consistent training and information sharing, you can reduce the occurrence of phishing, hacking, and other attacks against your systems.
  5. Conduct IT security risk assessments annually to help you identify gaps, fix them, and prepare for any incidents that may occur.
  6. Monitor and protect your reputation through tools that identify news about your company and help you understand the sources of the information.

Our 2017 Top 10 IT Security Risks takes a deeper look at the IoT and other risk issues that pose a threat this year, and what you can do to minimize your own and your organization’s IT security risks.

Article
The 2017 top IT security risks: Everything is connected

During my lunch in sunny Florida while traveling for business, enjoying a nice reprieve from another cold Maine winter, I checked my social media account. I noticed several postings about people having nothing to do at work because their company’s systems were down, the result of a major outage at one of three Amazon Web Services (AWS) data centers and web hosting operations. Company sites were down directly, or indirectly through a software as a service (SaaS) provider hosted at the AWS data center.

The crash lasted for four hours and affected hundreds of thousands of sites, including Airbnb, Expedia, Netflix, Quora, Slack, and others. The impact of such crashes can be devastating to organizations that rely on their website for revenue, such as online retailers, and to users of SaaS providers that rely on a hosted system to conduct day-to-day business.

We advise our clients who consider hosting services in the cloud to weigh the option seriously and understand potential challenges in doing so. Here are some steps you can take to prevent future outages and loss of valuable uptime:

  1. Know the risks and weigh them against the benefits. Ask questions about the system you are thinking of having hosted. Is the system critical to business? Without the system, do you lose revenue and productivity? Is the company providing the SaaS service hosting its own systems, or is it hosted at a data center like AWS? Does the SaaS provider have failover sites at other, separate data centers that are geographically distant from one another?
  2. Have a backup plan. If your business conducts e-commerce or needs SaaS service to function, consider hosting your web servers and other data at two different providers. Though costly, the downtime impact is highly reduced.
  3. Consider hosting yourself. In some cases, we advise against relying on a third-party hosted data center. We do this when the criticality of the function is so high that having your own full-time dedicated support personnel, with multiple internet service providers available, allows you to address outages in-house and reduce the risk of outages.
  4. Have a service level agreement. Having a service level agreement with the hosted third party establishes expectations for uptime and downtime. In many instances where uptime is critical, you may consider incorporating liquidated damage clauses (fines and penalties) for downtime. Often when revenue is involved, the hosted party will take deeper measures to ensure uptime.

These types of outages are rare but significant, and while most organizations should not be scrambling to host their own systems and cancel all hosted agreements, it’s a good idea to take a hard look at your cybersecurity and IT risk management plan. Then, like me, when the clouds clear and you are in warm and sunny Florida, you can take a long lunch and enjoy the day.

Article
When the skies clear: Web-hosting outage hits Amazon data centers

Read this if you use QuickBooks Online.

Your customers are your company’s lifeblood. Make sure their records are thorough and up-to-date.

When companies buy other companies, the customer list is often considered the most critical asset. When a business is damaged and data possibly lost, the customer list is the set of records they most hope to recover.

You probably spend most of your time in QuickBooks Online working with transactions and reports, but your customer records deserve equal time. If they’re incomplete or otherwise not well maintained, you lose time filling in the blanks when you’re trying to complete a task that requires complete customer profiles. Your searches and reports may not tell the whole picture. Your relationships can suffer, and you may miss out on sales opportunities.

QuickBooks Online provides excellent tools for creating and maintaining comprehensive customer and sub-customer records. Here’s a look at how it all works.

Moving your customer data in

There are two ways to create customer records in QuickBooks Online. If you have an existing database in Outlook, Excel, Gmail, or Google Sheets, you can import it. This will save you an enormous amount of time, but it’s a challenging process. You select the file you want to import, and then you have to “map” it by matching the fields in your database to fields in QuickBooks Online. You’ll likely need our help with this.


To import a customer file into QuickBooks Online, you’ll have to “map” its fields. We can help you with this.

Your other option is to enter records manually. This is time-consuming, but the more information you can include about your customers from the start, the better. You can always edit your records to add, delete, or modify what you originally entered.

To get started, hover over Sales in the toolbar and click on Customers. Then click on New Customer in the upper right corner to open the Customer information window. The only field you’re required to complete is Display name as. You may want to do this if you have a new customer on the phone and you want to concentrate on the conversation. You can take notes about their contact information and fill in the record later, when you’re off the phone.

But wherever possible, as we’ve already said, complete as many fields as you can. You’ll enter name and billing and shipping address and phone number(s) on the opening screen. You can also supply contact details like fax number and website. 

Creating sub-customers

You’ll notice a checkbox that says Is sub-customer. QuickBooks Online lets you “nest” related records under the “parent” record. This can be an actual customer, but many people use it to document jobs they’re doing for the customer. So if you’re a contractor, for example, you might have sub-customers like Sun deck and Spa.

If you want to set up such a record, enter the job name and click in the box next to Is sub-customer. Two fields will open below that allow you to select the parent customer and to indicate the sub-customer’s billing status. The remainder of the fields will automatically fill in with the parent customer’s contact information.


You can set up jobs as sub-customers in QuickBooks Online. 

Supplying details

When you’re setting up individual customers, you should add as much detail as you possibly can to each record, beyond basic contact information. QuickBooks Online’s record templates display a number of tabs running horizontally across the window. The most important of these are:

  • Tax info. Is the customer taxable or exempt? If taxable, what is their Default tax code? (If you haven’t set up sales taxes yet and need to, please let us help. It’s complicated.)
  • Payment and billing. Do they have preferred payment and/or delivery methods? Will you be assigning default payment terms, like Net 30 or Due on receipt? What is their Opening balance? If they’re brand-new customers who have never ordered from you, this will be $0.00. If they’re existing, active customers, enter any outstanding balance they have with you as of the date that you enter. This must be correct, to avoid any problems with the customers’ ongoing balances. Questions? Ask us.

Other tabs here are self-explanatory. When you’ve entered everything you can, click Save. The new record will now appear in the Customers list and will be available to select from the drop-down list in transactions.

There will be times when you have to refer back to these forms to answer questions. By maintaining detailed, accurate customer records, you’ll be ready to respond. If you have questions about any of the information requested, or about other elements of QuickBooks Online that are puzzling you, please contact our Outsourced Accounting team so we can set up a consultation.

Article
How to maintain customer records in QuickBooks Online

Read this if your State Medicaid Agency is planning Medicaid Enterprise System enhancements.

Are you a system integrator (SI) or a State Medicaid Agency (SMA) implementing or enhancing a Medicaid system or specific module? Have you considered how decisions made during design and implementation could impact the federal Payment Error Rate Measurement (PERM) reviews for SMAs?

The goal of PERM is to measure and report an unbiased estimate of the true improper payment rate for Medicaid and the Children’s Health Insurance Program (CHIP). Every state is reviewed once every three years using a sample that includes both fee-for-service (FFS) and managed care (MC) payments. A state-assigned error rate is not the only consequence of the PERM review; there are also financial implications.

Risk reduction from PERM review

Maintaining a focus on PERM review factors when making decisions during design and implementation can protect states by reducing the risk of:

  • Submitting change requests (CR) during implementation, which can result in additional cost and time
  • Implementing changes to existing Medicaid systems during maintenance and operations
  • Findings reported during certification efforts
  • Refunding federal dollars due to improperly paid claims
  • A reduction in federal match on all claims paid

It is also important to understand the benefits of a dedicated PERM team within the state organization that includes members from the system vendor and outside PERM experts. Such a team gives states an additional level of assurance of a positive outcome to the federal PERM review, which helps protect federal funding.

Having a dedicated team will help ensure all decisions made during system updates and/or implementations are made while keeping focus on PERM requirements and the further impacts of PERM reviews, saving time and remaining compliant.

Plan ahead for best results

When planning for a new module or Medicaid system request for proposal (RFP), consider PERM-related requirements to help ensure all PERM needs are met and to prevent errors and repayment of federal funds. Including PERM requirements can also help your agency ensure federal compliance and successful PERM audits. Doing so will likely reduce the amount of time system integrators spend re-working earlier development decisions and help ensure claim payments are processed and eligibility determinations are made in accordance with federal and state regulations.

If you have questions about PERM or your specific situation, please contact our Medicaid Consulting team. We’re here to help.

Article
PERM success for Medicaid agencies through system implementations

Read this if you use QuickBooks Online.

Are you finding that you need more flexibility in an area of QuickBooks Online? Maybe it’s time to try an integrated app.

When you first started using QuickBooks Online, you probably found it supplied the tools you needed to manage your accounting—and then some. But as your business grows or becomes more complex, you may need more functionality and flexibility in one or more areas, like time tracking and billing.

There are hundreds of add-on applications in the QuickBooks Apps store that integrate well with QuickBooks Online. Some of these apps are free, but most have subscription fees. They’re designed to amplify the power of QuickBooks Online’s own features. The site will remain your home base, but you’ll have to learn enough about the add-on apps to understand how they work and how they integrate with QuickBooks Online. Here are some of the most popular add-on solutions from the QuickBooks Apps site.

Expensify

QuickBooks Online allows you to record expenses. Its thorough form templates ask you for numerous details, like the vendor, product or service, amount, and billable status. Completed expenses appear in a table. You can run any of several related reports, like Expenses by Vendor Summary. If you use the QuickBooks Online mobile app, you can snap photos of receipts that are turned into expense forms by QuickBooks Online and partially completed with the receipt data.

Using the QuickBooks Online mobile app, you can snap photos of receipts and complete the expense forms provided.

But Expensify ($5-9 per month for one user) does more. It’s a robust expense management system that handles everything from receipt processing to next-day reimbursement. Where QuickBooks Online only supports basic expense tracking, Expensify allows you to create expense reports and follow them through multi-level approvals. It features automatic credit card reconciliation and expense policy enforcement, as well as bill pay and invoices/payments. Two-way synchronization with QuickBooks Online means you can work in either application and your data will be replicated in the other, as is the case with all of these integrated solutions.

QuickBooks Time

Formerly known as TSheets, this powerful time-tracking application builds on QuickBooks Online’s time management and payroll features. QuickBooks Time ($8-10 per user per month plus $20-40 monthly base fee) is now owned by Intuit, so it’s embedded directly in QuickBooks Online. 

Your employees can track their hours on any device, from any location, and they will instantly be available in QuickBooks Online so managers can review, edit, and approve timesheets. That data can then be used in areas like invoicing, job costing, and payroll. Advanced features include scheduling capabilities, overtime monitoring, GPS tracking, and real-time reports. The Who’s Working window shows you where your staff members are working and what they’re doing, in real time. 

Method:CRM

QuickBooks Online does a good job of helping you create profiles of customers and storing them for quick retrieval. But some businesses need more than that. They need true Customer Relationship Management (CRM). Method:CRM ($28-49 per month per user; discounts for annual subscriptions) is an excellent partner for QuickBooks Online in this area.

You can record and store customer details in QuickBooks Online, but Method:CRM adds true Customer Relationship Management to the site.

When you integrate Method:CRM with QuickBooks Online, you no longer have to do duplicate data entry to keep track of your customers and their sales profiles and histories. You get a shared lead list and activity tracking (emails and phone calls), and your customer records contain the information a sales team needs, like customer details, interaction, transactions, and services performed. Leads are stored in Method:CRM until they’re customers, and you can track sales opportunities from a customer’s initial interest through the final sale. 

Two more advanced integrated apps

QuickBooks Online provides basic inventory-tracking capabilities, but if your business has more complex needs, an integrated application like SOS Inventory ($49.95-149.95 per user per month) should be able to meet them. Built for QuickBooks Online from the ground up, the application offers advanced features like sales orders and order management, assemblies, serial inventory, and multiple locations. And if you need more sophisticated bill pay, invoicing, and payment processing (with multiple automated approval levels) than QuickBooks Online offers, you might look into the highly-regarded Bill.com ($39-69 per user per month).

Growth is good, but challenging

We wanted to introduce you to a few of the hundreds of integrated apps available for QuickBooks Online because you should know that there are options for expanding on the site’s built-in capabilities. As your business grows, so does your need for more sophisticated accounting. QuickBooks Online may still be able to serve you well with the help of one or more of these add-ons.

You may also want to explore the possibility of upgrading your version of QuickBooks Online. We encourage you to consult with us if you’re outgrowing QuickBooks Online. We can help you explore the options so you can spend your time planning for your company’s future instead of wrestling with your accounting application. Please contact our Outsourced Accounting team.

Article
Expand QuickBooks Online's features: Use integrated apps

Read this if you are at a not-for-profit organization.

There is no question the investment landscape is forever changing. Even before COVID-19 placed a vise grip on all aspects of society, many not-for-profit organizations were looking for ways to maximize the value of their current investment holdings. One such way of accomplishing this is through the use of alternative investments, defined for our purposes as investments outside of standard assets such as traditional stocks and bonds. Alternative investments have become increasingly specialized, are often structured as foreign corporations or partnerships (oftentimes domiciled in locales such as the Cayman Islands, where tax laws are more favorable to investors), and are much more commonplace than ever before.

While promises of higher rates of return are received warmly by not-for-profit organizations, alternative investments often carry with them the potential for additional compliance costs in the form of tax filing obligations and substantial penalties should those filings be overlooked.

This article will highlight some of those potential foreign filings, as well as highlight potential consequences they carry and what you need to know in order to avoid the pitfalls. 

Potential foreign filings related to investment activities

Not-for-profit organizations should be aware of the potential filings/disclosures required with regard to their ownership of investments located outside of the United States. The federal government uses a variety of forms to track transfers of property, ownership, and account balances related to foreign activity/investments. Some of the potential foreign filings are detailed below (not an all-inclusive list):

Form 926 – Return by a US Transferor of Property to a Foreign Corporation

This form is generally required when a US investor transfers more than $100,000 in a 12-month period, or any other contribution when the investor owns 10% or more of a foreign corporation. The requirement to file this form can be via a direct investment in the foreign corporation, or indirectly through another entity (such as a partnership interest). The penalty for failure to file is equal to 10 percent of the transfer amount, up to $100,000 per missed filing.

Form 8865 – Return of US Persons with Respect to Certain Foreign Partnerships

Similar to Form 926, this filing arises when a US person (which includes not-for-profit organizations) transfers $100,000 or more in a given year, or if they own 10% or more of the foreign partnership. There are different levels of disclosure required for different categories of filers. Filings are also triggered by both direct and indirect investments. The penalty for failure to file varies by category type, ranging from $10,000 to up to $100,000 per missed filing.

FinCEN Form 114 – Report of Foreign Bank and Financial Accounts

Commonly referred to as the FBAR, this form tracks assets that US taxpayers hold in offshore accounts, whether they be foreign bank accounts, brokerage accounts, or mutual funds. This form is required when the aggregate value of all foreign financial accounts exceeds $10,000 at any time during the calendar year. Further, any individual or entity that owns more than 50 percent of the account directly or indirectly must file the form. Lastly, individuals who have signature authority over accounts held by the organization are also required to file their own FinCEN Form 114; note that the FBAR is filed electronically with FinCEN, separately from the income tax return, and is not attached to it. The penalty for failure to file can vary, but can be as high as 50 percent of the account’s value.

Please note: there is a specific definition of the term “foreign financial account” which excludes certain items from the definition. Organizations are encouraged to consult their tax advisors for more information.

Form 5471 – Information Return of US Persons with Respect to Certain Foreign Corporations

Form 5471 is required to be filed when ownership is at least 10% in a foreign corporation. There are different disclosures required for different categories of ownership. Organizations required to file Form 5471 are typically operating internationally and have ownership of a foreign corporation which triggers the filing, but this form would also apply to investments in foreign corporations if ownership is at least 10%. The penalty for failure to file is typically $10,000 per missed filing.

Recommendations to avoid the pitfalls of alternative investments

In order to avoid missed filing requirements, exempt organizations should ask their investment advisors if any investment will involve organizations outside of the United States. If the answer is “yes,” then your organization needs to understand any additional filing requirements up front in order to take into consideration any additional compliance costs related to foreign filings. You should review and share all relevant investment documentation and subsequent information (e.g., prospectus and any other offering materials) with your finance/accounting department, as well as your tax advisors—prior to investment.

We also recommend you engage in open and frequent communication with your investment managers and advisors (both within and outside the organization). Those who manage the entity’s investments should also stay in close contact with fund managers who can help communicate when assets are invested in a way that might trigger a foreign filing obligation.

As investment practices and strategies become increasingly complex, organizations need to stay vigilant and aware in this forever changing landscape. We’re here to help. If you have any questions or concerns about current investment holdings and potential foreign filings, please do not hesitate to reach out to a member of our not-for-profit tax team.

Article
Alternative investments: Potential pitfalls not-for-profit organizations need to know