
Five IT risks everyone should be aware of

09.11.19

A version of this article was previously published on the Massachusetts Nonprofit Network

Editor’s note: while this blog is not technical in nature, you should read it if you are involved in IT security, auditing, or the management of organizations that participate in strategic planning and business activities where considerations of compliance and controls are required.

As we find ourselves in a fast-moving, strong business growth environment, there is no better time to consider the controls needed to enhance your IT security as you implement new, high-demand technology and software to allow your organization to thrive and grow. Here are five risks you need to address if you want to build or maintain strong IT security.

1. Third-party risk management―It’s still your fault

We rely daily on our business partners and vendors to make our work happen. From an IT perspective, third-party vendors are a potential weak link in the information security chain and may expose your organization to risk. Even when a data breach is the fault of a third party, you are still responsible for it: your customers and clients will look to you for answers and explanations you may not have.

Though software as a service (SaaS) providers, along with other third-party IT services, have been around for well over a decade, many businesses still neglect to consider and address third-party risk. These providers likely store, maintain, and access company data, which may include personally identifiable information (names, Social Security numbers, dates of birth, addresses), financial information (credit card or banking information), and healthcare information belonging to your customers.

While many third-party providers have comprehensive security programs in place to protect that sensitive information, a 2017 study found that 30% of data breaches were caused by employee error or occurred while data was under the control of third-party vendors.[1] This reemphasizes that when data leaves your control, it is at risk of exposure.

In many cases, procurement and contracting policies already put language in contracts establishing IT security requirements for third parties; however, those requirements are often not enforced, few people know what the contract actually says, and the evidence collected to support them (questionnaires, audit reports) is put in a file and never reviewed. What can you do about it?

Improved vendor management

It is paramount that all organizations, no matter their size, have a comprehensive vendor management program that goes beyond contracting requirements to defend against third-party risk. Such a program includes:

  1. An inventory of all third parties used, with a criticality and risk ranking for each. Criticality should be assigned using a “critical, high, medium or low” scoring matrix.
  2. At the time of onboarding or RFP, a standardized approach for evaluating whether potential vendors have sufficient IT security controls in place. This may be done through an IT security questionnaire, review of a System and Organization Controls (SOC) report or other audit reports and certifications, and/or policy review. Additional research may focus on management and the company’s financial stability.
  3. Based on the results of step 2, a vendor risk assessment using a high, medium and low scoring approach. Higher-risk vendors should have specific concerns addressed in their contracts and are subject to more in-depth annual due diligence procedures.
  4. Annual reporting to senior management and/or the board on the vendors used by the organization, the services they perform, their risk ranking, and how the organization monitors them.
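The four steps above amount to a small amount of record-keeping that is easy to let lapse, which is exactly the failure mode this section describes: evidence is collected once at onboarding and never looked at again. The following Python script is an added example (not part of the original article and not a BerryDunn tool) that keeps the inventory, derives a high/medium/low rating from each vendor’s criticality and the data it handles, flags vendors whose SOC report or questionnaire is missing or more than a year old, and produces the annual summary for management. The scoring matrix, the one-year review window, and the vendor records are all illustrative assumptions.

```python
"""Vendor inventory and annual due-diligence tracker.

Added example: the scoring matrix, the 365-day review window and the
sample vendors are illustrative assumptions, not an industry standard.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Data categories the article calls out as sensitive.
SENSITIVE_DATA = {"pii", "financial", "phi"}
# Assumption: evidence (SOC report or questionnaire) older than this means the
# annual due-diligence review is overdue.
REVIEW_WINDOW_DAYS = 365


@dataclass
class Vendor:
    name: str
    service: str
    criticality: str                                   # "critical" | "high" | "medium" | "low"
    data_types: Set[str] = field(default_factory=set)  # e.g. {"pii", "financial"}
    soc_report_date: Optional[date] = None             # date of the latest SOC report reviewed
    soc_exceptions: int = 0                            # control exceptions noted in that report
    questionnaire_date: Optional[date] = None          # date the security questionnaire was completed
    security_terms_in_contract: bool = False           # contract includes IT security requirements


def assess_risk(v: Vendor) -> str:
    """Rate a vendor high/medium/low (step 3 of the program).

    Illustrative matrix: sensitive data combined with critical/high
    criticality, or any unresolved SOC exceptions, is high risk; either
    factor alone is medium; everything else is low.
    """
    handles_sensitive = bool(v.data_types & SENSITIVE_DATA)
    high_criticality = v.criticality in ("critical", "high")
    if v.soc_exceptions > 0 or (handles_sensitive and high_criticality):
        return "high"
    if handles_sensitive or high_criticality:
        return "medium"
    return "low"


def due_diligence_findings(v: Vendor, today: date) -> List[str]:
    """Return the gaps the annual review must close for one vendor.

    Low-risk vendors only need to be on the inventory (assumption); medium
    and high-risk vendors need current evidence, and high-risk vendors
    additionally need a SOC report and security terms in the contract.
    """
    findings: List[str] = []
    risk = assess_risk(v)
    if risk == "low":
        return findings
    evidence_dates = [d for d in (v.soc_report_date, v.questionnaire_date) if d]
    latest = max(evidence_dates) if evidence_dates else None
    if latest is None:
        findings.append("no SOC report or questionnaire on file")
    elif (today - latest).days > REVIEW_WINDOW_DAYS:
        findings.append(f"evidence is {(today - latest).days} days old; annual review overdue")
    if risk == "high":
        if v.soc_report_date is None:
            findings.append("high-risk vendor without a SOC report")
        if not v.security_terms_in_contract:
            findings.append("high-risk vendor contract lacks IT security requirements")
    if v.soc_exceptions:
        findings.append(f"{v.soc_exceptions} SOC control exception(s) need follow-up")
    return findings


def annual_report(vendors: List[Vendor], today: date) -> Dict[str, object]:
    """Summarise the inventory for senior management or the board (step 4)."""
    by_risk = {"high": 0, "medium": 0, "low": 0}
    needs_action = []
    for v in vendors:
        by_risk[assess_risk(v)] += 1
        if due_diligence_findings(v, today):
            needs_action.append(v.name)
    return {"total": len(vendors), "by_risk": by_risk, "needs_action": sorted(needs_action)}


# Constructed sample inventory (fictional vendors) and reporting date.
TODAY = date(2019, 9, 11)
INVENTORY = [
    Vendor("PayrollCo", "payroll SaaS", "critical", {"pii", "financial"},
           soc_report_date=date(2019, 3, 1), security_terms_in_contract=True),
    Vendor("MailHost", "hosted email", "high", {"pii"},
           soc_report_date=date(2018, 2, 15), soc_exceptions=2),
    Vendor("SnackVend", "office snacks", "low"),
    Vendor("DonorCRM", "donor database", "high", {"pii", "financial"}),
]

if __name__ == "__main__":
    for vendor in INVENTORY:
        print(f"{vendor.name:10} {assess_risk(vendor):6} {due_diligence_findings(vendor, TODAY)}")
    print(annual_report(INVENTORY, TODAY))
```

Run as a script it prints one line per vendor and the summary; in the sample inventory the payroll provider is high risk but current, the email host is high risk with stale evidence, open SOC exceptions and no security terms in its contract, and the donor database has never been assessed at all, which is the “collected, filed, never reviewed” gap the section warns about.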

2. Regulation and privacy laws―They are coming 

2018 saw the implementation of the European Union’s General Data Protection Regulation (GDPR), the first major data privacy law that applies to any organization, wherever it is located, that possesses, handles, or has access to the personal information of people in the EU. Enforcement has started: the UK’s Information Commissioner’s Office (ICO) has announced its intention to fine some of the world’s best-known companies, including proposed penalties of roughly £99 million for Marriott International and £183 million for British Airways.[2] Gone are the days when regulations lacked the teeth to force companies into compliance.

Thanks to other major data breaches in which the private information of well over a hundred million consumers was exposed (e.g., the 2017 Equifax breach), more regulation is coming. Although there is little expectation of a comprehensive US federal data protection law, individual states and other regulators are introducing requirements. Each new regulation seeks to protect consumer privacy, but the specifics and enforcement of each differ.

Expected to be most impactful is the California Consumer Privacy Act (CCPA), which takes effect January 1, 2020 and applies to for-profit businesses that collect or process California consumers’ personal information and meet certain revenue or data-volume thresholds, whether or not they are located in California.

In 2019, Maine passed the nation’s strictest law restricting internet service providers from selling consumer information. Massachusetts’ long-standing privacy and data breach laws were amended with stronger requirements in January 2019. Additional privacy and breach laws are under discussion or pending in many states, including Colorado, Delaware, Ohio, Oregon, Vermont, and Washington, among others.

Preparation and awareness are key

All organizations, no matter their line of business, must be aware of and understand current laws and proposed legislation. New laws are expected to address not only the protection of customer data but also employee information. All organizations should monitor proposed legislation and be aware of the potential enforceable requirements. The good news is that there are a lot of resources out there and, in most cases, new laws include a period between enactment and enforcement that allows organizations to develop a complete understanding of the requirements and implement the needed controls.

3. Data management―Time to cut through the clutter 

We all work with people who have thousands of emails in their inbox (in some cases, dating back several years). Those users’ biggest fears may start to come to fruition―that their “organizational” approach of not deleting anything may come to an end with a simple email and data retention policy put in place by their employer. 

The amount of data we generate in a day is massive. Forbes estimates that we generate 2.5 quintillion bytes of data each day and that 90% of all the world’s data was generated in the last two years alone.[3] While data is a gold mine for analytics and market research, it is also an increasing liability and security risk.

Inc. Magazine says that 73% of the data we have available to us is not used.[4] Within that data could be personally identifiable information (such as Social Security numbers, names, addresses, etc.); financial information (bank accounts, credit cards, etc.); and/or confidential business data. That data is valuable to hackers and corporate spies, and in many cases the organizations that hold it do not know it exists or where it is stored.

In addition to the security risk that all this data poses, it may also expose an organization to liability in the event of a lawsuit or investigation. Emails and other communications are a favorite target of subpoenas and investigations, and routine correspondence should be deleted on a defined schedule (90 days is a common choice) that covers deleted-items folders and archives as well, subject to any legal hold or regulatory retention requirement that applies to specific records.

Take an inventory before you act

Organizations should first complete a full data inventory to understand what types of data they maintain and handle, and where and how they store that data. Next, they can develop a data retention policy that meets their needs. Moving infrequently used records to archival or backup storage can reduce the volume of data kept on production systems, but archived copies remain subject to the same retention schedule and to discovery, so they must be tracked and destroyed on the same timetable.

4. Doing the basics right―The simple things work 

Across industries and regardless of organization size, the most common problem we see is the absence of basic controls for IT security. Every organization, no matter their size, should work to ensure they have controls in place. Some must-haves:

  • Established IT security policies
  • Routine, monitored patch management practices (for all servers and workstations)
  • Change management controls (for both software and hardware changes)
  • Anti-virus/anti-malware software on all servers and workstations
  • Regular IT security risk assessments
  • User access reviews
  • System logging and monitoring 
  • Employee security training

Go back to the basics 

We often see organizations that focus on new and emerging technologies but have not taken the time to put basic security controls in place. Simple deterrents help thwart attackers. I often tell my clients that a locked car scares away most ill-willed people, but a thief can still smash the window.

Smaller organizations can consider using third-party security providers, if they are not able to implement basic IT security measures. From our experience, small organizations are being held to the same data security and privacy expectations by their customers as larger competitors and need to be able to provide assurance that controls are in place.  

5. Employee retention and training 

Unemployment rates are at an all-time low, and demand for IT security experts is at an all-time high. In fact, Monster.com reported that in 2019 the unemployment rate for IT security professionals is 0%.[5]

Organizations should be highly focused on employee retention and training to keep current employees up to speed on technology and security trends. One study found that only 15% of IT security professionals were not looking to switch jobs within one year.[6]

Surprisingly, money is not the top factor in turnover: 68% of respondents prioritized working for a company that takes their opinions seriously.[6]

For years we have told our clients they need to create and foster a culture of security from the top down, and that IT security must be considered more than just an overhead cost. It needs to align with overall business strategy and goals. Organizations need to create designated roles and responsibilities for security that give their security personnel a sense of direction and the ability to truly protect the organization, its people, and its data.

Training and support go a long way

Offering training to security personnel allows them to stay abreast of current topics, and it also shows those employees that you value their knowledge and the work they do. You need to train technology workers to recognize new threats and to use the techniques that best defend against them.

Reducing turnover rate of IT personnel is critical to IT security success. Continuously having to retrain and onboard employees is both costly and time-consuming. High turnover impacts your culture and also hampers your ability to grow and expand a security program. 

Making the effort to empower and train all employees is a powerful way to demonstrate your appreciation and support of the employees within your organization—and keep your data more secure.  

Our IT security consultants can help

Ensuring that you have a stable and established IT security program in place by considering the above risks will help your organization adapt to technology changes and build not just an IT security program but a culture of security-minded employees.

Our team of IT security and control experts can help your organization create and implement the controls needed to address emerging IT risks. For more information, contact the team.

Sources:
[1] https://iapp.org/news/a/surprising-stats-on-third-party-vendor-risk-and-breach-likelihood/  
[2] https://resources.infosecinstitute.com/first-big-gdpr-fines/
[3] https://www.forbes.com/sites/bernardmarr/2018/05/21/how-much-data-do-we-create-every-day-the-mind-blowing-stats-everyone-should-read/#458b58860ba9
[4] https://www.inc.com/jeff-barrett/misusing-data-could-be-costing-your-business-heres-how.html
[5] https://www.monster.com/career-advice/article/tech-cybersecurity-zero-percent-unemployment-1016
[6] https://www.securitymagazine.com/articles/88833-what-will-improve-cyber-talent-retention


Related article: The SOC 2 update — how will it affect you?

Is your organization a service provider that hosts or supports sensitive customer data (e.g., personal health information (PHI) or personally identifiable information (PII))? If so, you need to be aware of a recent decision by the American Institute of Certified Public Accountants (AICPA) that may affect how your organization manages its systems and data.

In April, the AICPA’s Assurance Services Executive Committee (ASEC) decided to replace the five Trust Services Principles (TSPs) with the Trust Services Criteria (TSC), requiring service organizations to remap their internal controls to the new criteria and present SOC 2 findings in a revised format. This switch may sound frustrating or intimidating, but we can help you understand the difference between the principles and the criteria.

The SOC 2 Today
Service providers design and implement internal controls to protect customer data and comply with certain regulations. Typically, a service provider hires an independent auditor to conduct an annual System and Organization Controls (SOC) 2 examination to help ensure that controls work as intended. Among other things, the resulting SOC 2 report assures stakeholders (customers and business partners) that the organization is reducing data risk and exposure.

Currently, SOC 2 reports focus on five Trust Services Principles (TSP):

  • Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that can compromise the availability, integrity, confidentiality, and privacy of information or systems — and affect the entity's ability to meet its objectives.

  • Availability: Information and systems are available for operation and use to meet the entity's objectives.

  • Processing Integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives.

  • Confidentiality: Information designated as confidential is protected to meet the entity's objectives.

  • Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity's objectives.

New SOC 2 Format
The TSC map directly to the 17 principles of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 framework for evaluating internal controls, and add supplemental criteria related to COSO Principle 12. The new TSC are organized around COSO’s five components:

  • Control Environment: emphasis on ethical values, board oversight, authority and responsibilities, workforce competence, and accountability.
  • Risk Assessment: emphasis on the risk assessment process, how to identify and analyze risks, fraud-related risks, and how changes in risk affect internal controls.
  • Control Activities: emphasis on how you develop controls to mitigate risk, how you develop technology controls, and how you deploy controls across the organization through policies and procedures.
  • Information and Communication: emphasis on how you communicate control-relevant information within the organization and to external parties.
  • Monitoring: emphasis on how you evaluate internal controls and how you communicate and address any control deficiencies.

The AICPA has provided nearly 300 points of focus (POF): supporting considerations that organizations should weigh when addressing the TSC. The POF offer guidance on controls that address the specifics of each criterion, but they are not required.

Transition Timeline
Organizations now have some work to do to meet the new criteria. The good news: there is still time to make the necessary changes. The current TSP format may be used for reports covering periods ending before December 15, 2018; any SOC 2 report covering a period ending on or after December 15, 2018 must use the new TSC format. The AICPA has provided a mapping spreadsheet to help service organizations move from the TSP to the TSC format.

Contact Chris Ellingwood to learn more about how we can help you gain control of your SOC 2 reporting efforts.

Related article: The 2017 top IT security risks: Everything is connected

As the technology we use for work and at home becomes increasingly intertwined, security issues that affect one also affect the other, and we must address security risks at both levels.

This year’s top security risks are the first in our series that are relevant both to us as consumers of technology and to us as business owners and security administrators. Our homes and offices connect to devices, referred to as the Internet of Things (IoT), that make our lives and jobs easier and more efficient, but securing those devices from outside access is becoming paramount to IT security.

Many of this year’s risks focus on deception. Through deception, hackers can get information and access to systems, which can harm our wallets and our businesses.

In our 2017 Top 10 IT Security Risks e-book we share with you how to understand these emerging risks, the consequences and impacts these risks may have on your business, and approaches to help mitigate the risks and their impact. Some of the key ways to address these risks are:

  1. Do your homework — change your default passwords (the one that came with your wireless router, for instance), and make sure that your Amazon Alexa, Google Home, or other smart devices have strong, unique passwords. In addition, turning off devices when they are not in use, or when you are away, reduces the exposure of your home network.
  2. If you work from home, or have employees who do, set up and use secure connections (e.g., a VPN) with two-factor authentication to help protect your networks. Remote employees should be required to use the same security measures as on-site employees.
  3. Protect your smartphone at work and at play—smartphones have become one of our most important possessions, and we use the same device for both work and personal applications, yet we don’t protect them as well as we should. A passcode or biometric lock is step one. Consider installing anti-malware software on corporate smartphones and using container apps for corporate email and documents. These apps allow users to connect securely to a company’s server and reduce the possible exposure of data if the device is lost or compromised.
  4. Train, inform, repeat. Create a vigilant workforce—through continuous and consistent training and information sharing, you can reduce the occurrence of phishing, hacking, and other attacks against your systems.
  5. Conduct IT security risk assessments annually to help you identify gaps, fix them, and prepare for any incidents that may occur.
  6. Monitor and protect your reputation through tools that identify news about your company and help you understand the sources of the information.

Our 2017 Top 10 IT Security Risks e-book takes a deeper look at the IoT and other risk issues that pose a threat this year, and what you can do to minimize your own and your organization’s IT security risks.

Related article: When the skies clear: Web-hosting outage hits Amazon data centers

During my lunch in sunny Florida while traveling for business, enjoying a nice reprieve from another cold Maine winter, I checked my social media account. I noticed several postings about people having nothing to do at work because their company’s systems were down, the result of a major outage at one of Amazon Web Services’ (AWS) data centers and web hosting operations. Company sites were down either directly or indirectly, through a software as a service (SaaS) provider hosted at the affected AWS data center.

The outage lasted about four hours and affected hundreds of thousands of sites, including Airbnb, Expedia, Netflix, Quora, Slack, and others. The impact of such outages can be devastating to organizations that rely on their website for revenue, such as online retailers, and to users of SaaS providers that rely on a hosted system to conduct day-to-day business.

We advise our clients who are considering hosting services in the cloud to weigh the option seriously and understand the potential challenges in doing so. Here are some steps you can take to limit the impact of future outages and loss of valuable uptime:

  1. Know the risks and weigh them against the benefits. Ask questions about the system you are thinking of having hosted. Is the system critical to the business? Without the system, do you lose revenue and productivity? Is the company providing the SaaS service hosting its own systems, or are they hosted at a data center such as AWS? Does the SaaS provider have failover sites at other, separate data centers that are geographically distant from one another, and does it test failing over to them?
  2. Have a backup plan. If your business conducts e-commerce or needs a SaaS service to function, consider hosting your web servers and other data at two different providers. Though costly, this greatly reduces the downtime impact, provided that data replication and DNS failover between the providers are designed and tested in advance; a second provider that has never actually been failed over to is not a backup plan.
  3. Consider hosting yourself. In some cases, we advise against relying on a third-party hosted data center. We do this when the criticality of the function is so high that having your own full-time dedicated support personnel, with multiple internet service providers available, allows you to address outages in-house and reduce the risk of outages.
  4. Have a service level agreement. A service level agreement (SLA) with the hosting third party establishes expectations for uptime and downtime. In many instances where uptime is critical, you may consider incorporating liquidated damages clauses (fines and penalties) for downtime; note that the standard SLAs of large cloud providers typically limit remedies to service credits, so such terms must be negotiated. Often when revenue is involved, the hosting party will take deeper measures to ensure uptime.

These types of outages are rare but significant, and while most organizations should not be scrambling to host their own systems and cancel all hosted agreements, it’s a good idea to take a hard look at your cyber security and IT risk management plan. Then, like me, when the clouds clear and you are in warm and sunny Florida, you can take a long lunch and enjoy the day.

Related article: Discounts for lack of control and marketability in business valuations

Read this if you are a business owner or an advisor to business owners.

With continued uncertainty in the business environment stemming from the COVID-19 pandemic, now may be a good time to utilize trust, gift, and estate strategies in the transfer of privately held business interests.

As discussed in our May 26, 2020 blog post, “2020 estate strategies in times of uncertainty for privately held business owners,” there may be an opportunity to free up considerable portions of lifetime gift and estate tax exemption amounts through transfers, due to suppressed values of privately held businesses and the uncertainty surrounding the impact of the 2020 presidential election on tax rates and future exemption and exclusion thresholds.

An element to consider when building on this opportunity is the ability to transfer non-controlling interests in a business. These interests are potentially subject to discounts for lack of control and lack of marketability. This may further reduce the overall value transferred through a given strategy, potentially offloading a larger percentage of ownership in a business while retaining large portions of the gift and estate lifetime exemption. Let’s focus on the discount for lack of control (DLOC).

Discount for lack of control

In the context of a hypothetical willing buyer and willing seller, the buyer may place a greater value on an ownership interest with the ability to make changes at their discretion, compared to an alternative ownership interest lacking control. Simply put, buyers like to be in control, and they will pay less for the investment if the interest lacks these characteristics.

When valuing non-controlling business interests there is an inherent discount to full value to reflect the fact that the subject interest does not hold a controlling position. As a result of this discount, the value of a non-controlling interest in a company will differ from the pro-rata value per share of the entire company. DLOCs alone commonly reduce the value of the transferred interest by 5% to 15%.

All else being equal, a non-controlling ownership position is less desirable (valuable) than a controlling position. This is because of the majority owner’s right to control any or all of the following activities: managing the assets or selecting agents for this purpose, controlling major business decisions, asset allocation choices, setting salary levels, admitting new investors, acquiring assets, selling the company, and declaring/paying distributions.

Market-based evidence of proxies for DLOCs can be found within the following subscription-based databases (including, but not limited to):

  • Control premium studies published in the Mergerstat® Review series by FactSet Mergerstat/Business Valuation Resources
  • Closed-end fund data
  • The Partnership Profiles, Inc. Minority Interest Database and Executive Summary Report on Re-Sale Discounts for applicable entity types

In addition to these resources, to fully assess the degree of discount applicable to a subject interest, consider company-specific factors when estimating the DLOC. The degree of control for a subject interest may be affected by relevant state statutes and the governing documents of the subject company. These factors are analyzed in conjunction with the current operational and financial policies established and implemented in practice by management to establish a comprehensive view of the applicable degree of discount.

Conclusion

Hypothetical business owners are knowledgeable of the facts and circumstances surrounding a business interest. They take a close look at what they are buying before they make an offer. Like most people, they like to be in charge, and are therefore generally not willing to pay the pro-rata value for a minority interest in a business when the interest lacks control. To assess an appropriate discount for lack of control, consider resources such as those referred to above, then ensure the selected discounts are appropriate based on the factors specific to the company and interest being valued.

Our mission at BerryDunn remains constant in helping each client create, grow, and protect value. If you have questions about your unique situation, or would like more information, please contact the business valuation consulting team.

Related article: Managing non-standard Offender Management System (OMS) implementations

Read this if you use, manage, or procure public safety and corrections technology.

Recently we discussed the benefits of developing a strong, succinct Request for Proposal (RFP) that attracts Offender Management System (OMS) vendors through a competitive solicitation. Conversely, we explored the advantages and disadvantages of leading a non-competitive solicitation. Industry standards and best practices serve as the common thread between competitive and non-competitive solicitations for standard implementations. So, how does an agency prepare to navigate the nuances and avoid the “gotchas” of a non-standard implementation in the corrections realm?

Functional areas in the corrections industry exist in an ever-evolving state. Ongoing functional area refinements serve to overcome potential gaps between standardizing organizations (e.g., CTA, APPA) and your agency’s operations. For example, CTA does not distinguish incidents from disciplines as distinct functional areas. While merging workflows for incidents and disciplines may align with one agency’s practice, your agency may not always correlate the two functions (e.g., disciplinary action might not always result from an incident). Moreover, your agency may not have a need for every functional area, such as community corrections, depending on the scale of your operation.

Your agency should view the industry standards as a guide rather than the source of truth, which helps you move away from a parochial approach driven solely by standards and follow instead a more pragmatic plan built on your unique operations and best practices. CTA and APPA specifications alone will not result in a comprehensive solicitation. For that reason, agencies can strengthen an OMS modernization initiative by expanding solicitation requirements to include jurisdictional specifications drawn from interviews with end users and policy research.

Upcoming OMS webinar

On Thursday, November 5, our consulting team will host a webinar on navigating a solicitation for a new OMS. During the webinar, our team will revisit the benefits of an independent third party in your solicitation, review industry standards, and discuss:

  1. Crafting requirements that address common OMS functions, as well as jurisdiction-specific functions (i.e., those that address the unique statutes of the state). Crafting requirements helps your agency ensure a replacement system addresses core business functions, provides a modern technical infrastructure, and complies with local, state, and federal regulations.
  2. Thriving with a collaborative approach when acquiring and implementing an OMS, helping to ensure all stakeholders not only participate in the project but also buy into the critical success factors.

If you have questions about your specific situation with OMS implementations, or would like to receive more information about the webinar, please contact one of our public safety consultants.

Related article

Read this if you are an employer.

Note: The tax deferral situation is very fluid, and information may change frequently. Please check back for updates.

The Treasury Department and Internal Revenue Service released Notice 2020-65 on August 28th, addressing the following questions highlighted in our earlier payroll tax deferral article.

Does the employer or the employee elect to defer taxes?

Notice 2020-65 provides that Affected Taxpayers are defined for purposes of the Notice as the employer, not employee. Therefore, employers will have to choose whether or not to opt-in and defer taxes. Important to note: while the notice doesn’t specifically state that deferral is optional, the IRS press release implies that it is. 

It is unclear if an employee can elect out of the payroll tax deferral, if their employer elects to defer taxes. Absent guidance, it seems that an employer who elects to defer the payroll tax should apply the payroll tax deferral to all employees and not permit an employee to elect out of the deferral. 

The other question for an employer is whether the payroll software will be able to accommodate the deferral feature as of September 1st. It seems highly unlikely that payroll software will be ready for the September 1st effective date. Employers should reach out to their payroll vendor to determine when the system/software will be ready.

How do bonuses, commissions, or other irregular payroll items impact the $4,000/biweekly compensation limit?

Per the Notice, Applicable Wages include wages as defined in Internal Revenue Code (“Code”) Section 3121(a) (i.e., wages for withholding FICA taxes) or compensation as defined in Code Section 3231(e) (i.e., wages for the Railroad Retirement tax) only if the amount of such wages or compensation paid for a bi-weekly pay period is less than the threshold amount of $4,000, or the equivalent threshold amount with respect to other pay periods. Additionally, the Notice states that the determination of Applicable Wages is made on a "pay-period-by-pay period" basis. Therefore, Applicable Wages would include items such as bonuses and commissions. For example, if a bonus of $2,000 caused an employee’s total Applicable Wages to exceed the $4,000 bi-weekly threshold for the respective pay period to which it relates, deferral would not be required for that pay period. In other words, payroll tax deferral applies to Applicable Wages of $4,000 or less for any bi-weekly pay period (or the equivalent threshold for other pay periods) irrespective of amounts paid in other pay periods.

Based on the guidance, an employer’s payroll system will need to be programmed to automatically monitor the $4,000 bi-weekly threshold and accumulate the tax deferral for each employee.

When and how are amounts deferred due to be paid by the employee?

An employer must withhold and pay the deferred taxes ratably from wages and compensation paid between January 1, 2021 and April 30, 2021. Interest, penalties, and additions to tax will begin to accrue on May 1, 2021 with respect to any unpaid taxes.

This means that employers who elect to initiate the payroll tax deferral will double the Social Security tax withholding during the first four months of 2021. The President’s memorandum issued on August 8th states that the Secretary of the Treasury shall explore avenues, including legislation, to eliminate the obligation to pay the taxes deferred pursuant to the implementation of the memorandum. However, only Congress can pass legislation to forgive the uncollected taxes, and it has thus far been unwilling to do so.

What happens if an employee who is deferring taxes stops working for the employer? Is the employer responsible for collecting the taxes that were deferred?

This question is not addressed; however, the Notice does provide that an employer may make arrangements to otherwise collect the total taxes from the employee, if other than ratably from wages and compensation.

Employers electing to implement the payroll tax deferral may be assuming unnecessary financial risk related to employees who terminate employment during the period of deferral or during the period of repayment. Prior to initiating the payroll tax deferral, an employer will need to determine (and communicate to employees) how it will collect any unpaid tax deferrals when an employee terminates employment. For example, an employer could decide to withhold the deferred taxes from the employee’s final paycheck, if it can do so legally. Further guidance is necessary so an employer can determine the appropriate way to receive payment from employees who terminate employment.

Notice 2020-65 leaves many questions still unanswered.

Most notably, who is responsible for the taxes if an employer is unable to withhold due to an employee terminating employment? The IRS issued a draft version of a revised Form 941 to take into account the deferred payroll taxes.

Additional guidance will hopefully be forthcoming. Until further guidance is issued and payroll systems are updated, it is difficult for an employer to initiate the payroll tax deferral. 

Article
Payroll tax deferral update

Read this if you use, manage, or procure public safety and corrections technology. 

In our previous post, we discussed the link between developing a technology RFP with meaning, structure, and clarity to enhance the competitive nature of the solicitation. In this article, we ask: How can your agency synthesize and unify existing business processes with industry standards to attract modern OMS providers? The answer? Your agency crosswalks. 

Industry standards, such as those set by the Corrections Technology Association (CTA) and the American Probation and Parole Association (APPA), establish the benchmark for modern operations. However, the limitations of legacy corrections software often blur the one-to-one relationship with industry standards. For that reason, crosswalk tools help agencies map current processes to industry-wide standards.

Figure: Corrections Technology Association (CTA) Functional Areas

Agencies crosswalk in preparation for a corrections technology procurement to help align system requirements with commercial-off-the-shelf (COTS) corrections management systems. Revisiting the topics of clarity, meaning, and structure, the crosswalk helps technology vendors understand your current operations, the tools you currently use to support those operations, and the way in which those operations relate to industry functional areas.

In an iterative fashion, the CTA crosswalk first helps you understand your agency’s technology and operational structure, and then communicates system requirements to correction technology providers in an industry-led framework. The approach helps you transition from your legacy processes to your new operational environment.

Although your agency can engage the market with a meaningful, structured, and clear RFP, prequalification and contract vehicles provide a viable alternative or enhancement to procuring a new offender management system. The following advantages and disadvantages can inform your agency’s decision to use a prequalification vehicle.

Advantages:

  1. Non-competitive procurement can often be accomplished more quickly given the absence of the timeframe usually dedicated to the development of the RFP, posting to potential vendors, and evaluation of proposals.
  2. Reduced uncertainties in terms of what a vendor is able to provide since an open dialog starts immediately.
  3. Competitive procurement (secondary competition) under a contract vehicle is limited to the vendors who proposed and were awarded. Only higher performing vendors are likely to be able to respond, particularly if only certain vendors are selected from the list.
  4. Potentially better pricing as a vendor can eliminate unknowns through open communication, so less risk is priced into the proposal.
  5. A better environment around requested changes, as a vendor that has maintained a certain margin in their pricing may be more amenable to no-cost change orders.

Disadvantages:

  1. The agency loses some negotiating advantage when a vendor knows they are the only ones in the procurement conversation. 
  2. A vendor may have less incentive to “put their best foot forward” and offer higher levels of service and functionality.
  3. Competitive cost may not be obtained because the vendor doesn’t have to worry about beating a competitor.
  4. Secondary competition may take a somewhat similar timeframe because the solicitation, evaluation, and award processes take a similar amount of time to an RFP for larger projects.

The path to developing an RFP for new corrections management software spans assessing existing operations and technology and clearly mapping current operations to industry standards. At the same time, your agency should consider the driving and constraining factors for using a prequalification or contract vehicle.

BerryDunn has experience with cross-walking agencies into industry-leading practices, and we also understand the need for non-standard RFPs that extend beyond CTA and APPA guidelines. Reach out to our public safety consultants if you have questions, or look out for our next blog providing insight on adapting to and overlapping challenges in non-standard corrections technology procurements.

Article
Leveraging industry standards to optimize Offender Management Systems (OMS)

Read this if you are an employer.

President Trump signed a memorandum on August 8 (hereinafter the “Memorandum”) ordering the Treasury Department to defer the withholding, deposit, and payment of the Social Security portion of the payroll taxes during the period September 1 through December 31, 2020. 

We have heard from a few employers who have employees asking them when the tax withholding will stop since September 1st is right around the corner. The short answer for employers and employees is the withholding deferral will begin “when Treasury and/or the IRS issues guidance”.

“Defer” and “deferral” are underlined for a reason. Employees must understand that the Memorandum provides for a “deferral” of the Social Security tax. The tax is not eliminated for the period September 1st through December 31st. This means that while an employee may enjoy some additional take-home pay during the period of deferral, the amounts deferred must still be paid to the IRS at some point. Only Congress can eliminate the payroll tax.

This is what we know so far:

  • The deferral only applies to the employee’s share of the Social Security taxes. It does not apply to the employee’s share of the Medicare taxes.
  • The deferral is only available to an employee with biweekly income of $4,000 or less, which translates to annual income of $104,000. 
  • Amounts deferred pursuant to the Memorandum shall be deferred without any penalties or interest.
  • For example, an employee earning $40,000 annually could potentially defer approximately $825 in payroll taxes and would need to pay that amount at a future date.

There are many open questions for both employees and employers to consider. Therefore, it is nearly impossible to move forward with the tax deferral guidance outlined in the memorandum. 

So, what are the operations questions that employers and employees need answers to before any deferrals can begin? Here are some that come to mind:

  • Does the employer or the employee elect to defer taxes?
  • If it is an employee election, how is that election made?
  • How do bonuses, commissions, or other irregular payroll items impact the $4,000/biweekly compensation limit?
  • When and how are amounts deferred due to be paid by the employee?
  • Are the amounts deferred repaid in a lump sum or in installments?
  • How does an employer report the deferred taxes to the IRS?
  • What happens if an employee who is deferring taxes stops working for the employer? Is the employer responsible for collecting the taxes that were deferred?
  • How quickly can payroll systems be set up to accommodate the payroll deferral?

At the moment, all employees and employers can do is wait for the relevant guidance. Hopefully, guidance is issued soon but it is unlikely any employees can begin the tax deferral on September 1st. 

As soon as guidance is issued, we will be sure to communicate the requirements and timing.

Article
To withhold or not to withhold payroll taxes―The dilemma facing employers