
Five IT risks everyone should be aware of

09.11.19

A version of this article was previously published on the Massachusetts Nonprofit Network

Editor’s note: while this blog is not technical in nature, you should read it if you are involved in IT security, auditing, or the management of organizations that participate in strategic planning and business activities where compliance and controls must be considered.

As we find ourselves in a fast-moving, strong business growth environment, there is no better time to consider the controls needed to enhance your IT security as you implement new, high-demand technology and software to allow your organization to thrive and grow. Here are five risks you need to take care of if you want to build or maintain strong IT security.

1. Third-party risk management―It’s still your fault

We rely daily on our business partners and vendors to make the work we do happen. With a focus on IT, third-party vendors are a potential weak link in the information security chain and may expose your organization to risk. However, though a data breach may be the fault of a third party, you are still responsible for it. Potential data breaches and exposure of customer information may occur, leaving you to give customers and clients answers and explanations you may not have.

Though software as a service (SaaS) providers, along with other IT third-party services, have been around for well over a decade now, we still neglect our businesses by not considering and addressing third-party risk. These third-party providers likely store, maintain, and access company data, which could potentially contain personally identifiable information (names, social security numbers, dates of birth, addresses), financial information (credit cards or banking information), and healthcare information of your customers. 

While many of the third-party providers have comprehensive security programs in place to protect that sensitive information, a study in 2017 found that 30% of data breaches were caused by employee error or occurred while data was under the control of third-party vendors.[1] This study reemphasizes that when data leaves your control, it is at risk of exposure.

In many cases, procurement and contracting policies already include contract language that establishes IT security requirements for third parties; however, those requirements are often not enforced, and the evidence of compliance that is collected is put in a file and never reviewed, with little awareness of what the contract actually says. What can you do about it?

Improved vendor management

It is paramount that all organizations (no matter their size) have in place a comprehensive vendor management program that goes beyond contracting requirements to defend themselves against third-party risk. Such a program includes:

  1. An inventory of all third parties used, with a criticality and risk ranking for each. Criticality should be assigned using a “critical, high, medium or low” scoring matrix.
  2. At the time of onboarding or RFP, a standardized approach for evaluating whether potential vendors have sufficient IT security controls in place. This may be done through an IT questionnaire, review of a System and Organization Controls (SOC) report or other audits/certifications, and/or policy review. Additional research may be conducted that focuses on management and the company’s financial stability.
  3. As a result of the steps in #2, a vendor risk assessment using a high, medium and low scoring approach. Higher-risk vendors should have specific concerns addressed in contracts and are subject to more in-depth annual due diligence procedures.
  4. Annual reporting to senior management and/or the board on the vendors used by the organization, the services they perform, their risk, and the ways the organization monitors the vendors.

2. Regulation and privacy laws―They are coming 

2018 saw the implementation of the European Union’s General Data Protection Regulation (GDPR), the first major data privacy law imposed on any organization that possesses, handles, or has access to the personal information of any EU citizen. Enforcement has started and the Information Commissioner’s Office has begun fining some of the world’s most famous companies, including substantial fines to Marriott International and British Airways of $125 million and $183 million Euros, respectively.[2] Gone are the days when regulations lacked the teeth to force companies into compliance.

Thanks to other major data breaches in which the private information of hundreds of millions of consumers was lost or obtained (e.g., Experian), more regulation is coming. Although there is little expectation of an American federal requirement for data protection, individual states and other regulating organizations are introducing requirements. Each new regulation seeks to protect consumer privacy, but the specifics and enforcement of each differ.

Expected to be most impactful in 2019 is the California Consumer Privacy Act, which applies to organizations that handle, collect, or process consumer information and do business in the state of California (you do not have to be located in CA to be under the umbrella of enforcement).

In 2018, Maine passed the toughest law on telecommunications providers for selling consumer information. Massachusetts’ long-standing privacy and data breach laws were amended with stronger requirements in January of 2019. Additional privacy and breach laws are in discussion or on the table for many states including Colorado, Delaware, Ohio, Oregon, Vermont, and Washington, amongst others.

Preparation and awareness are key

All organizations, no matter their line of business, must be aware of and understand current laws and proposed legislation. New laws are expected to address not only the protection of customer data, but also employee information. All organizations should monitor proposed legislation and be aware of the potentially enforceable requirements. The good news is that there are a lot of resources out there and, in most cases, legislative requirements allow for grace periods so that organizations can develop a complete understanding of proposed laws and implement the needed controls.

3. Data management―Time to cut through the clutter 

We all work with people who have thousands of emails in their inbox (in some cases, dating back several years). Those users’ biggest fears may start to come to fruition―that their “organizational” approach of not deleting anything may come to an end with a simple email and data retention policy put in place by their employer. 

The amount of data we generate in a day is massive. Forbes estimates that we generate 2.5 quintillion bytes of data each day and that 90% of all the world’s data was generated in the last two years alone.[3] While data is a gold mine for analytics and market research, it is also an increasing liability and security risk.

Inc. Magazine says that 73% of the data we have available to us is not used.[4] Within that data could be personally identifiable information (such as social security numbers, names, addresses, etc.); financial information (bank accounts, credit cards, etc.); and/or confidential business data. That data is valuable to hackers and corporate spies, and in many cases the organizations that hold it do not know that the data exists or where it is located.

In addition to the security risk that all this data poses, it also may expose an organization to liability in the event of a lawsuit or investigation. Emails and other communications are a favorite target of subpoenas and investigations and should be deleted within 90 days (including deleted items folders).

Take an inventory before you act

Organizations should first complete a full data inventory and understand what types of data they maintain and handle, and where and how they store that data. Next, organizations can develop a data retention policy that meets their needs. Utilizing backup storage media may be a solution that helps reduce the need to store and maintain a large amount of data on internal systems. 

4. Doing the basics right―The simple things work 

Across industries and regardless of organization size, the most common problem we see is the absence of basic controls for IT security. Every organization, no matter their size, should work to ensure they have controls in place. Some must-haves:

  • Established IT security policies
  • Routine, monitored patch management practices (for all servers and workstations)
  • Change management controls (for both software and hardware changes)
  • Anti-virus/anti-malware software on all servers and workstations
  • Specific IT security risk assessments
  • User access reviews
  • System logging and monitoring
  • Employee security training

Go back to the basics 

We often see organizations that focus on new and emerging technologies but have not taken the time to put basic security controls in place. Simple deterrents will help thwart hackers. I often tell my clients that a locked car scares away most ill-willed people, but a thief can still smash the window.

Smaller organizations can consider using third-party security providers, if they are not able to implement basic IT security measures. From our experience, small organizations are being held to the same data security and privacy expectations by their customers as larger competitors and need to be able to provide assurance that controls are in place.  

5. Employee retention and training 

Unemployment rates are at an all-time low, and the demand for IT security experts is at an all-time high. In fact, Monster.com reported that in 2019 the unemployment rate for IT security professionals is 0%.[5]

Organizations should be highly focused on employee retention and training to keep current employees up to speed on technology and security trends. One study found that only 15% of IT security professionals were not looking to switch jobs within one year.[6]

Surprisingly, money is not the top factor for turnover―68% of respondents prioritized working for a company that takes their opinions seriously.[6]

For years we have told our clients they need to create and foster a culture of security from the top down, and that IT security must be considered more than just an overhead cost. It needs to align with overall business strategy and goals. Organizations need to create designated roles and responsibilities for security that provide your security personnel with a sense of direction―and the ability to truly protect the organization, their people, and the data. 

Training and support go a long way

Offering training to security personnel allows them to stay abreast of current topics, but it also shows those employees you value their knowledge and the work they do. You need to train technology workers to be aware of new threats, and on techniques to best defend and protect from such risks. 

Reducing turnover rate of IT personnel is critical to IT security success. Continuously having to retrain and onboard employees is both costly and time-consuming. High turnover impacts your culture and also hampers your ability to grow and expand a security program. 

Making the effort to empower and train all employees is a powerful way to demonstrate your appreciation and support of the employees within your organization—and keep your data more secure.  

Our IT security consultants can help

Ensuring that you have a stable and established IT security program in place by considering the above risks will help your organization adapt to technology changes and create more than just an IT security program, but a culture of security minded employees. 

Our team of IT security and control experts can help your organization create and implement controls needed to consider emerging IT risks. For more information, contact the team
 

Sources:
[1] https://iapp.org/news/a/surprising-stats-on-third-party-vendor-risk-and-breach-likelihood/  
[2] https://resources.infosecinstitute.com/first-big-gdpr-fines/
[3] https://www.forbes.com/sites/bernardmarr/2018/05/21/how-much-data-do-we-create-every-day-the-mind-blowing-stats-everyone-should-read/#458b58860ba9
[4] https://www.inc.com/jeff-barrett/misusing-data-could-be-costing-your-business-heres-how.html
[5] https://www.monster.com/career-advice/article/tech-cybersecurity-zero-percent-unemployment-1016
[6] https://www.securitymagazine.com/articles/88833-what-will-improve-cyber-talent-retention


Is your organization a service provider that hosts or supports sensitive customer data (e.g., personal health information (PHI) or personally identifiable information (PII))? If so, you need to be aware of a recent decision by the American Institute of Certified Public Accountants (AICPA) that may affect how your organization manages its systems and data.

In April, the AICPA’s Assurance Executive Committee decided to replace the five Trust Service Principles (TSPs) with Trust Services Criteria (TSC), requiring service organizations to completely rework their internal controls, and present SOC 2 findings in a revised format. This switch may sound frustrating or intimidating, but we can help you understand the difference between the principles and the criteria.

The SOC 2 Today

Service providers design and implement internal controls to protect customer data and comply with certain regulations. Typically, a service provider hires an independent auditor to conduct an annual Service Organization Control (SOC) 2 examination to help ensure that controls work as intended. Among other things, the resulting SOC 2 report assures stakeholders (customers and business partners) the organization is reducing data risk and exposure.

Currently, SOC 2 reports focus on five Trust Services Principles (TSP):

  • Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that can compromise the availability, integrity, confidentiality, and privacy of information or systems — and affect the entity's ability to meet its objectives.

  • Availability: Information and systems are available for operation and use to meet the entity's objectives.

  • Processing Integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives.

  • Confidentiality: Information designated as confidential is protected to meet the entity's objectives.

  • Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity's objectives.

New SOC 2 Format

The TSC directly relate to the 17 principles found in the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 Framework for evaluating internal controls, and include additional criteria related to COSO Principle 12. The new TSC are:

  • Control Environment: Emphasis on ethical values, board oversight, authority and responsibilities, workforce competence, and accountability.
  • Risk Assessment: Emphasis on the risk assessment process, how to identify and analyze risks, fraud-related risks, and how changes in risk impact internal controls.
  • Control Activities: Emphasis on how you develop controls to mitigate risk, how you develop technology controls, and how you deploy controls across an organization through the use of policies and procedures.
  • Information and Communication: Emphasis on how you communicate information within the organization and to internal and external parties.
  • Monitoring: Emphasis on how you evaluate internal controls and how you communicate and address any control deficiencies.

The AICPA has provided nearly 300 Points of Focus (POF), supporting controls that organizations should consider when addressing the TSC. The POF offer guidance and considerations for controls that address the specifics of the TSC, but they are not required.

Points of Focus

Organizations now have some work to do to meet the guidelines. The good news: there’s still plenty of time to make necessary changes. You can use the current TSP format before December 15, 2018. Any SOC 2 report presented after December 15, 2018, must incorporate the new TSC format. The AICPA has provided a mapping spreadsheet to help service organizations move from TSP to the TSC format.

Contact Chris Ellingwood to learn more about how we can help you gain control of your SOC 2 reporting efforts. 
 

Article: The SOC 2 update — how will it affect you?

As the technology we use for work and at home becomes increasingly intertwined, security issues that affect one also affect the other and we must address security risks at both levels.

This year’s top security risks are the first in our series that are relevant both to us as consumers of technology and to us as business owners and security administrators. Our homes and offices connect to devices, referred to as the Internet of Things (IoT), that make our lives and jobs easier and more efficient, but securing those devices from outside access is becoming paramount to IT security.

Many of this year’s risks focus on deception. Through deception, hackers can get information and access to systems, which can harm our wallets and our businesses.

In our 2017 Top 10 IT Security Risks e-book we share with you how to understand these emerging risks, the consequences and impacts these risks may have on your business, and approaches to help mitigate the risks and their impact. Some of the key ways to address these risks are:

  1. Do your homework — change your default passwords (the one that came with your wireless router, for instance), and also make sure that your Amazon Alexa, Google Home, or other smart devices have complex passwords. In addition, turning off devices when they are not in use, or when you are gone, helps secure your home.
  2. If you work from home, or have employees who do, set up and use secure connections with dual authentication methods to help protect your networks. Remote employees should be required to use the same security measures as on-site employees.
  3. Protect your smartphone at work and at play—smartphones have become one of our most important possessions, and we use the same device for both work and personal applications, yet we don’t protect them as well as we should. Password protection is step one. Consider installing new antivirus software on corporate smartphones and using container apps for corporate emails and documents. These apps allow users to securely connect to a company’s server and reduce the possible exposure of data.
  4. Train, inform, repeat. Create a vigilant workforce—through continuous and consistent training and information sharing, you can reduce the occurrence of phishing, hacking and other attacks against your systems.
  5. Conduct IT security risk assessments annually to help you identify gaps, fix them, and prepare for any incidents that may occur.
  6. Monitor and protect your reputation through tools that identify news about your company and help you understand the sources of the information.

Our 2017 Top 10 IT Security Risks takes a deeper look at the IoT and other risk issues that pose a threat this year, and what you can do to minimize your own and your organization’s IT security risks.

Article: The 2017 top IT security risks: Everything is connected

During my lunch in sunny Florida while traveling for business, enjoying a nice reprieve from another cold Maine winter, I checked my social media account. I noticed several postings about people having nothing to do at work because their company’s systems were down, the result of a major outage at one of three Amazon Web Services (AWS) data centers and web hosting operations. Company sites were down directly, or indirectly through a software as a service (SaaS) provider hosted at the AWS data center.

The crash lasted for four hours and affected hundreds of thousands of sites, including Airbnb, Expedia, Netflix, Quora, Slack, and others. The impact of such crashes can be devastating to organizations that rely on their website for revenue, such as online retailers, and to users of SaaS providers that may rely on a hosted system to conduct day-to-day business.

We advise our clients who consider hosting services in the cloud to weigh the option seriously and understand potential challenges in doing so. Here are some steps you can take to prevent future outages and loss of valuable uptime:

  1. Know the risks and weigh them against the benefits. Ask questions about the system you are thinking of having hosted. Is the system critical to business? Without the system, do you lose revenue and productivity? Is the company providing the SaaS service hosting their own systems, or are they hosted at a data center like AWS? Does the SaaS provider have failover sites at other, separate data centers that are geographically distant from one another?
  2. Have a backup plan. If your business conducts e-commerce or needs SaaS service to function, consider hosting your web servers and other data at two different providers. Though costly, the downtime impact is highly reduced.
  3. Consider hosting yourself. In some cases, we advise against relying on a third-party hosted data center. We do this when the criticality of the function is so high that having your own full-time dedicated support personnel, with multiple internet service providers available, allows you to address outages in-house and reduce the risk of outages.
  4. Have a service level agreement. Having a service level agreement with the hosted third party establishes expectations for uptime and downtime. In many instances where uptime is critical, you may consider incorporating liquidated damage clauses (fines and penalties) for downtime. Often when revenue is involved, the hosted party will take deeper measures to ensure uptime.

These types of outages are rare but significant, and while most organizations should not be scrambling to host their own systems and cancel all hosted agreements, it’s a good idea to take a hard look at your cyber security and IT risk management plan. Then, like me, when the clouds clear and you are in warm and sunny Florida, you can take a long lunch and enjoy the day.

Article: When the skies clear: Web-hosting outage hits Amazon data centers

Read this if you are a business owner or interested in upcoming changes to current tax law.

As Joe Biden prepares to be inaugurated as the 46th President of the United States, and Congress is now controlled by Democrats, his tax policy takes center stage.

Although the Democrats hold the presidency and both houses of Congress for the next two years, any changes in tax law may still have to be passed through budget reconciliation, because 60 votes in the Senate generally are needed to avoid that process. Both in 2017 and 2001, passing tax legislation through reconciliation meant that most of the changes were not permanent; that is, they expired within the 10-year budget window. Here is a comparison of current tax law with Biden’s proposed tax plan.

Current tax law (TCJA–present) vs. Biden’s stated goals

Corporate tax rates and AMT

Corporations have a flat 21% tax rate and no corporate alternative minimum tax (AMT), which were both changed by the TCJA.

These do not expire.

Biden would raise the flat rate to the pre-TCJA level of 28% and reinstate the corporate AMT, requiring corporations to pay the greater of their regular corporate income tax or the 15% minimum tax (while still allowing for net operating loss (NOL) and foreign tax credits).

Capital gains and Qualified Dividend Income

The top tax rate is 20% for income over $441,450 for individuals and $496,600 for married filing jointly. There is an additional 3.8% net investment income tax.

Biden would eliminate breaks for long-term capital gains and dividends for income above $1 million. Instead, these would be taxed at ordinary rates.

Payroll taxes

The 12.4% payroll tax is divided evenly between employers and employees and applies to the first $137,700 of an individual’s income (scheduled to go up to $142,400 in 2020). There is also a 2.9% Medicare Tax which is split equally between the employer and the employee with no income limit.

Biden would maintain the 12.4% tax split between employers and employees and keep the $142,400 cap but would institute the tax on earned income above $400,000. The gap between the two wage levels would gradually close with annual inflationary increases.

International taxes (GILTI, offshoring)

GILTI (Global Intangible Low-Taxed Income): Established by the TCJA, U.S. multinationals are required to pay a foreign tax rate of between 10.5% and 13.125%.

An increase in the effective rate to 16.406% is scheduled to begin in 2026.

Offshoring taxes: The TCJA includes a tax deduction for corporations that manufacture in the U.S. and sell overseas.

GILTI: Biden would double the tax rate to 21% and assess a minimum tax on a country-by-country basis.

Offshoring taxes: Biden would establish a 10% penalty surtax on profits for goods and services manufactured offshore and a 10% advanceable “Made in America” tax credit to create U.S. manufacturing jobs. Biden would also close offshoring tax loopholes in the TCJA.

Estate taxes

The estate tax exemption for 2020 is $11,580,000. Transfers of appreciated property at death get a step-up in basis.

The exemption is scheduled to revert to pre-TCJA levels.

Biden would return the estate tax to 2009 levels, eliminate the current step-up in basis on inherited assets, and eliminate the step-up at death provision for inherited property passed along by the decedent.

Individual tax rates

The top marginal rate is 37% for income over $518,400 for individuals and $622,050 for married filing jointly. This was lowered from 39.6% pre-TCJA.

Biden would restore the 39.6% rate for taxable income above $400,000. This represents only the top rate.

Individual tax credits

Currently, individuals can claim a maximum of $2,000 Child Tax Credit (CTC) plus a $500 dependent credit.

Individuals may claim a maximum dependent care credit of $600 ($1,200 for two or more children).

The CTC is scheduled to revert to pre-TCJA levels ($1,000) after 2025.

Biden would expand the CTC to $3,000 for children age 17 and under and offer a $600 bonus for children age 6 and under. It would also be fully refundable.

He has also proposed increasing the child and dependent care tax credit to $8,000 ($16,000 for two or more children), and he has proposed a new tax credit of up to $5,000 for informal caregivers.

Separately, Biden has also proposed a $15,000 tax credit for first-time homebuyers.

Qualified Business Income Deduction under Section 199A

As previously discussed, many businesses qualify for a 20% qualified business income tax deduction lowering the effective rate of tax for S corporation shareholders and partners in partnerships to 29.6% for qualifying businesses.

Biden would phase out the tax benefits associated with the qualified business income deduction for those making more than $400,000 annually.

Education

Forgiven student loan debt is included in taxable income.

There is no tax credit for contributions to state-authorized organizations that sponsor scholarships.

Biden would exclude forgiven student loan debt from taxable income.

Small businesses

There are current tax credits for some of the costs to start a retirement plan.

Biden would offer tax credits for businesses that adopt a retirement savings plan and offer most workers without a pension or 401(k) access to an “automatic 401(k)”.

Itemized deductions

For 2020, the standard deduction is $12,400 for single/married filing separately and $24,800 for married filing jointly.

After 2025, the standard deduction is scheduled to revert to pre-TCJA amounts, or $6,350 for single /married filing separately and $12,700 for married filing jointly.

The TCJA suspended the personal exemption and most individual deductions through 2025.

It also capped the SALT deduction at $10,000, which will remain in place until 2025, unless repealed.

Biden would enact a provision that would cap the tax benefit of itemized deductions at 28%.

SALT cap: Senate minority leader Charles Schumer has pledged to repeal the cap should Biden win in November (the House of Representatives has already passed legislation to repeal the SALT cap).

Opportunity Zones

Biden has proposed incentivizing opportunity zone funds to partner with community organizations and having the Treasury Department review the program’s regulations of the tax incentives. He would also increase reporting and public disclosure requirements.

Alternative energy

Biden would expand renewable energy tax credits and credits for residential energy efficiency and restore the Energy Investment Tax Credit (ITC) and the Electric Vehicle Tax Credit.


If you have questions about your specific situation, please contact us. We’re here to help.

Article: Biden's tax plan and what may change from current tax law

Read this if you are an employer looking for more information on the Employee Retention Credit (ERC).

The Coronavirus Disease 2019 (COVID-19) stimulus package signed into law by President Trump on December 27 makes very favorable enhancements to the Employee Retention Credit (ERC) enacted under the Coronavirus Aid, Relief and Economic Security (CARES) Act. 

Background

The CARES Act passed in March 2020 provided certain employers with the opportunity to receive a refundable tax credit equal to 50 percent of the qualified wages (including allocable qualified health plan expenses) an eligible employer paid to its employees. This tax credit applied to qualified wages paid after March 12, 2020, and before January 1, 2021. The maximum amount of qualified wages (including allocable qualified health plan expenses) taken into account with respect to each eligible employee for all calendar quarters in 2020 is $10,000, so that the maximum credit an eligible employer can receive in 2020 on qualified wages paid to any eligible employee is $5,000.

The ERC was for eligible employers that carried on a trade or business during calendar year 2020, including certain tax-exempt organizations, and that either:

  • Fully or partially suspended operations during any calendar quarter in 2020 due to orders from an appropriate governmental authority limiting commerce, travel, or group meetings due to COVID-19; or
  • Experienced a significant decline in gross receipts during the calendar quarter.

If an eligible employer averaged more than 100 full-time employees in 2019, qualified wages were limited to wages paid to an employee for time that the employee was not providing services due to an economic hardship described above. If the eligible employer averaged 100 or fewer full-time employees in 2019, qualified wages are the wages paid to any employee during any period of economic hardship described above.

Updated guidance: ERC changes

The bill makes the following changes to the ERC, which will apply from January 1 to June 30, 2021:

  • The credit rate increases from 50% to 70% of qualified wages and the limit on per-employee wages increases from $10,000 per year to $10,000 per quarter.
  • The gross receipts eligibility threshold for employers changes from a more than 50% decline to a more than 20% decline in gross receipts for the same calendar quarter in 2019. A safe harbor is provided, allowing employers that were not in existence during any quarter in 2019 to use prior quarter gross receipts to determine eligibility and the ERC. 
  • The 100-employee threshold for determining “qualified wages” based on all wages increases to 500 or fewer employees.
  • The credit is available to state- or locally-run colleges, universities, organizations providing medical or hospital care, and certain organizations chartered by Congress (including organizations such as Fannie Mae, FDIC, Federal Home Loan Banks, and Federal Credit Unions).
  • New, expansive provisions regarding advance payments of the ERC to small employers are included, including special rules for seasonal employers and employers that were not in existence in 2019. The bill also provides reconciliation rules and provides that excess advance payments of the credit during a calendar quarter will be subject to tax that is the amount of the excess.
  • Employers who received PPP loans may still qualify for the ERC with respect to wages that are not paid for with proceeds from a forgiven PPP loan. This change is retroactive to March 12, 2020. Treasury and the SBA will issue guidance providing that payroll costs paid during the PPP covered period can be treated as qualified wages to the extent that such wages were not paid from the proceeds of a forgiven PPP loan.
  • Removal of the limitation that qualified wages paid or incurred by an eligible employer with respect to an employee may not exceed the amount that employee would have been paid for working during the 30 days immediately preceding that period (which, for example, allows employers to take the ERC for bonuses paid to essential workers).

Takeaways

For most employers, the ERC has been difficult to use due to original requirements that prevented employers who received a PPP loan from ERC eligibility and, for those employers who did not receive a PPP loan, the requirement that there be a more than 50% decline in gross receipts. In addition, those employers who qualified for the ERC and had more than 100 employees could only receive the credit for wages paid to employees who did not perform services.

It is important to note that most of the new rules are prospective only and do not change the rules that applied in 2020. The new guidance should make it easier for more employers to utilize the ERC for the first two quarters of 2021. The following types of employers should evaluate the ability to receive the ERC during the first and/or second quarter of 2021:

  • Those that used the ERC in 2020 (the wage limit for the credit is now based on wages paid each quarter and the credit is 70% of eligible wages);
  • Those that previously received a PPP loan;
  • Those that have a more than 20% reduction in gross receipts in 2021 over the same calendar quarter in 2019;
  • Those employers with more than 100 but fewer than 500 employees that have had a significant reduction in gross receipts (i.e., more than 20%).

For more information

If you have more questions, or have a specific question about your particular situation, please call us. We’re here to help.

Article
Stimulus bill extends and expands the Employee Retention Credit

Read this if your company is seeking guidance on PPP loans.

The Consolidated Appropriations Act, 2021 (H.R. 133) was signed into law on December 27, 2020. This bill contains guidance on the existing Paycheck Protection Program (PPP) and guidelines for the next round of PPP funding.

Updates on existing PPP loans

Income and expense treatment of PPP loans. Forgiven PPP loans will not be included in taxable income and eligible expenses paid with PPP funds will be tax-deductible. This tax treatment applies to both current and future PPP loans.

Tax attributes and basis adjustments. Tax attributes such as net operating losses and passive loss carryovers, and basis increases generated from the result of the PPP loans will not be reduced if the loans are forgiven.

Economic Injury Disaster Loans (EIDL). Any previous or future EIDL advance will not reduce PPP loan forgiveness. Any borrowers who already received forgiveness of their PPP loans and had their EIDL subtracted from the forgiveness amount will be able to file an amended forgiveness application to have their PPP forgiveness amount increased by the amount of the EIDL advance. The SBA has 15 days from the effective date of this bill to produce an amended forgiveness application. 

Simplified forgiveness application for loans under $150,000. Borrowers who received PPP loans for $150,000 or less will now be able to file a simplified one-page forgiveness application and will not be required to submit documentation with the application. The SBA has 24 days from the effective date of this bill to make this new forgiveness application available. 

Use of PPP funds. Congress expanded the types of expenses that may be paid with PPP funds. Prior eligible expenses were limited to payroll (including health benefits), rent, covered mortgage interest, and utilities. Additional expenses now include software and cloud computing services to support business operations, the purchase of essential goods from suppliers, and expenditures for complying with government guidance relating to COVID-19.

These additional expenses apply to both existing and new PPP loans, but they do not apply to existing loans if forgiveness has already been obtained.
 
In addition, the definition of "payroll costs" has been expanded to include costs for group life, disability, dental, and vision insurance. These additions also apply to both existing and new loans.

Information for new PPP loans

Application deadline. March 31, 2021 

Eligibility for first-time borrowers. A business that did not previously apply for or receive a PPP loan may apply for a new loan. The same requirements apply from the first round of loans. The business must employ fewer than 500 employees per physical location and the borrower must certify the loan is necessary due to economic uncertainty.

Eligibility for second-time borrowers. Businesses that received a prior PPP loan may apply for a second loan; however, the eligibility requirements are a little more stringent. The business must have fewer than 300 employees per physical location (down from 500 previously) and it must have experienced a decline in gross revenue of at least 25% in any quarter in 2020 as compared to the same quarter in 2019. The business must also have expended (or will expend) its initial PPP loan proceeds. 

Maximum loan amount. Lesser of $2 million or 2.5x average monthly payroll for either calendar 2019 or the 12-month period prior to the date of the loan. Businesses operating in the accommodations and food service industry (NAICS code 72) can use a 3.5x average monthly payroll multiple. If the business previously received a loan less than the new amount allowed, or if it returned a portion or all of the previous loan, it can apply for additional funds up to the maximum loan amount. 

New types of businesses eligible for loans.

  • Broadcast news stations, radio stations, and newspapers that will use the proceeds to support the production and distribution of local and emergency information 
  • Certain 501(c)(6) organizations with fewer than 300 employees and that are not significantly involved in lobbying activities 
  • Housing cooperatives with fewer than 300 employees 
  • Companies in bankruptcy if the bankruptcy court approves

Ineligible businesses. A business that was ineligible to receive a PPP loan during the first round is still ineligible to receive a loan in the new round. The new legislation also prohibits the following businesses from receiving a loan in the second round:

  • Publicly traded companies 
  • Businesses owned 20% or more by a Chinese or Hong Kong entity, or that have a resident of China on their board 
  • Businesses engaged primarily in political or lobbying activities
  • Businesses required to register under the Foreign Agents Registration Act 
  • Businesses not in operation on February 15, 2020 

Forgiveness qualifications. New PPP loans will be eligible for forgiveness if at least 60% of the proceeds are used on payroll costs. Partial forgiveness will still be available if less than 60% of the funds are used on payroll costs. 

Covered period. The borrower may choose a covered period (i.e., the amount of time in which the PPP funds must be spent) between 8 and 24 weeks from the date of the loan disbursement.

Employee Retention Tax Credit. The CARES Act prohibited a business from claiming the Employee Retention Tax Credit if they received a PPP loan. The new legislation retroactively repeals that prohibition, although it is unclear how an employer can claim retroactive relief. The new bill also expands the tax credit for 2021. 

Additional guidance is expected from the SBA in the coming weeks on many of these items and we will provide updates when the information is released.

We’re here to help.
If you have questions about PPP loans, contact a BerryDunn professional.

Article
Paycheck Protection Program: Updates on new and existing loans

Read this if your facility or organization has received provider relief funds.

The rules over the use of the provider relief funds (PRF) have been in a constant state of flux since the funds started to show up in your bank accounts back in April. Here is a summary of where we are as of November 30, 2020 with allowable uses of the funds.
 
The most recent Post-Payment Notice of Reporting Requirements is dated November 2, 2020. In accordance with the notice, PRF may be used for two purposes:

  1. Healthcare-related expenses attributable to coronavirus that another source has not reimbursed and is not obligated to reimburse
  2. Lost revenue, up to the amount of the difference between 2019 and 2020 actual patient care revenue

The Department of Health and Human Services (HHS) has issued FAQs as recently as November 18, 2020.  The FAQs include the following clarifications on the allowable uses:

Healthcare related expenses attributable to the coronavirus

  1. PRF may be used for the marginal increased expenses or incremental expenses related to coronavirus.
  2. Expenses cannot be reimbursed by another source or another source cannot be obligated to reimburse the expense.
  3. Other sources include, but are not limited to, direct patient billing, commercial insurance, Medicare/Medicaid/Children’s Health Insurance Program (CHIP), or other funds received from the Federal Emergency Management Agency (FEMA), the Provider Relief Fund COVID-19 Claims Reimbursement to Health Care Providers and Facilities for Testing, Treatment, and Vaccine Administration for the Uninsured, and the Small Business Administration (SBA) and Department of Treasury’s Paycheck Protection Program (PPP). This would also include any state and federal grants received as a result of the coronavirus.
  4. Providers should apply reasonable assumptions when estimating the portion of costs that are reimbursed from other sources.
  5. The examples in the FAQs for increased cost of an office visit and patient billing seem to point to only supplemental coronavirus related reimbursement needing to be offset against the increased expense.
  6. PRF may be used for the full cost of equipment or facility projects if the purchase was directly related to preventing, preparing for and responding to the coronavirus; however, if you claim the full cost, you cannot also claim the depreciation for any items capitalized.
  7. PRF cannot be used to pay salaries at a rate in excess of Executive Level II which is currently set at $197,300.

Lost revenues attributable to the coronavirus

  1. Lost revenues attributable to coronavirus are calculated based upon a calendar year comparison of 2019 to 2020 actual revenue/net charges from patient care (prior to netting with expenses).
  2. Any unexpended PRF at 12/31/20 is then eligible for use through June 30, 2021 and calculated lost revenues in 2021 are compared to January to June 2019.
  3. Reported patient care revenue is net of uncollectible patient service revenue recognized as bad debts and includes 340B contract pharmacy revenue.
  4. This comparison is cumulative; for example, if your net income improves in Q4, it will reduce lost revenues from Q2.
  5. Retroactive cost report settlements or other payments received that are not related to care provided in 2019 or 2020 can be excluded from the calculation.

Whether you are tracking expenses or lost revenues, the accounting treatment for both is to be consistent with your normal basis of accounting (cash or accrual).
 
As a reminder, the first reporting period (through December 31, 2020) is due February 15, 2021. The reporting portal is supposed to open January 15, 2021. Any unexpended PRF at December 31, 2020 can be used from January 1, 2021 through June 30, 2021, with final reporting due July 31, 2021.

The guidance continues to change rapidly and new FAQs are issued each week. Please check back here for any updates, or contact Mary Dowes for more information.

Article
Provider relief funds: Allowable uses 

Read this if you have a responsibility for acquiring and implementing victim notifications for your jurisdiction.

In the first article of this three-part series we explored the challenges and risks associated with utilizing multiple victim notification systems across your state, while the second focused on exploring what the choices are to address these challenges. In this final installment, we demystify the process of developing requirements for a victim notification system. Here are some things to address when developing requirements:

  • Considering all of your victim notification stakeholders and their specific needs
  • “Mining” requirements from your current victim notification system to ensure that your current needs are met in the future system 
  • Determining what the market can support (and what it can’t)
  • Utilizing standards to increase the likelihood that market solutions, designed based on these standards, will meet the needs of your jurisdiction 

Understanding the needs (and wants) of your stakeholder group is critical to defining a successful set of requirements that meets your specific needs. Representative stakeholders may include:

  • Victim advocacy groups (both government run and private sector)
  • Police and sheriff departments
  • Department of Corrections 
  • The courts
  • Probation department
  • Prosecutor offices
  • The victims themselves

Of course the stakeholder group in your jurisdiction may differ, and the needs of these groups will also differ. For example, victims and advocacy groups are concerned about ease of use, accuracy, and timeliness of notifications. Police and sheriff departments may be concerned about ensuring they are meeting their statutory and moral obligations to notify the victims when offenders are released from custody. 

Since these groups have varied needs, it’s important to engage them early and throughout the requirements development process. Talk to them, observe their practices, and review their current systems. For example, it may be important that sheriff departments can integrate their jail management system with the replacement victim notification system, so that the integration creates a seamless and timely notification process when an offender is processed out of jail and into the community. Because the Department of Corrections is designed to hold offenders for a longer period of time, the department may require that its offender management system triggers an alert to victims when pre-release planning activities begin.

Scaling victim notification systems

Utilization of victim notification systems can also span a broad spectrum, from a single jail engaging with a victim notification system vendor to provide specific notification services, to a statewide victim notification system that provides these services for the larger stakeholder group. Because of this, your requirements must reflect that “scale.” Consider the utilization of the system before developing your requirements so that you don’t over- (or under-) engineer the system for your jurisdiction.

As mentioned in the second article in this series, there are many victim notification system options to consider, from home-grown applications to turnkey software as a service (SaaS) services. Regardless of the path you choose, consider leveraging the victim notification system standards as defined by the Department of Justice (DOJ) Bureau of Justice Assistance (BJA SAVIN Guidelines). These guidelines and standards are terrific sources for victim notification system requirements, and can be thought-provoking as you engage your stakeholder groups. 

Though these standards are extremely useful, be sure to identify and include any jurisdiction-specific needs in your set of requirements. They may be driven by state statutes or by local policy or process. In defining your unique requirements, just ask, “Why are they important? Were they defined based on processes put in place because you don’t have a strong victim notification system, or are they critical to satisfying statute or policy?”

Stakeholder communication and engagement

Once you develop a preliminary set of requirements, it’s important to meet with the stakeholder groups to refine and prioritize the requirements. This exercise will result in a clear and concise set of requirements that are understandable by victim notification system vendors that may be responding to the resulting solicitation. When defining the requirements themselves, we find it useful to follow the guidelines from the Institute of Electrical and Electronics Engineers, Inc. (IEEE) called “IEEE Recommended Practice for Software Requirements Specifications.” According to the IEEE standard, good software and hardware requirements should be: 

  1. Correct
  2. Unambiguous
  3. Complete
  4. Consistent
  5. Ranked for importance
  6. Verifiable
  7. Modifiable
  8. Traceable

Prioritization of the requirements also helps responding vendors understand which requirements are most important to your jurisdiction. This prioritization model can also be used when scoring the vendors’ responses to the requirements once proposals have been received. 

Conclusion

In summary, it is important that your victim notification system requirements reflect the needs of your stakeholders and are realistic and clear. Vendors will be asked to respond to how they can accommodate the requirements, so using the IEEE method described above can be useful. 

Though this article doesn’t dive deeply into the development of the request for proposals (RFP) for the victim notification system, below are some actions to take to improve your chances for a successful system selection project:

  1. Define a meaningful project scope to scale the vendor market
  2. Assign a balanced evaluation committee with impartial scoring criteria
  3. Craft a structured procurement package that attracts multiple vendors
  4. Design a reasonable and achievable RFP schedule of events
  5. Reduce ambiguity and increase clarity of RFP terms

If you have questions about your specific situation, please contact our Justice & Public Safety consulting team. We’re here to help. The BerryDunn team has developed a mature methodology for determining victim notification system requirements, and has a rich repository of requirements to start with so that you don’t need to start from scratch.
 

Article
Victim notification system requirements: It's easier (and harder) than you think