GASB 97: What's new, what to do, and what you need to know

More and more emphasis is being put on cybersecurity by companies of all sizes. Whether it’s the news headlines of notable IT incidents, greater emphasis on the value of data, or the monetization of certain types of attacks, an increasing amount of energy and money is going towards security. Security has the attention of leadership and the board and it is not going away. One of the biggest risks to and vulnerabilities of any organization’s security continues to be its people. Innovative approaches and new technology can reduce risk but they still don’t prevent the damage that can be inflicted by an employee simply opening an attachment or following a link. This is more likely to happen than you may think.

Technology also doesn’t prepare a management team for how to handle the IT response, communication effort, and workforce management required during and after an event. Technology doesn’t lessen the operational impact that your organization will feel when, not if, you experience an event.

So let’s examine the human and operational side of cybersecurity. Below are three factors you should address to reduce risk and prepare your organization for an event:

1. People: Create and maintain a vigilant workforce
   Ask yourself, “How prepared is our workforce when it comes to security threats and protecting our data? How likely would it be for one of our team members to click on a link or open an attachment that appear to be from our CFO? Would our team members look closely enough at the email address and notice that the organization name is different by one letter?”
    

   According to the 2016 Verizon Data Breach Report, 30% of phishing messages were opened by the target across all campaigns and 12% went on to click on the attachment or link.

   Phishing email attacks directed at your company through your team range from very obvious to extremely believable. Some attempts are sent widely and are looking for just one person to click, while others are extremely targeted and deliberate. In either case, it is vital that each employee takes enough time to realize that the email request is unusual. Perhaps there are strange typos in the request or it is odd the CFO is emailing while on vacation. That moment your employees take to pause and decide whether to click on the link/attachment could mean the difference between experiencing an event or not.
   
   So how do you create and cultivate this type of thought process in your workforce? Lots of education and awareness efforts. This goes beyond just an annual in-service training on HIPAA. It may include education sessions, emails with tips and tricks, posters describing the risk, and also exercises to test your workforce against phishing and security exploits. It also takes leadership embracing security as a strategic imperative and leading the organization to take it seriously. Once you have these efforts in place, you can create culture change to build and maintain an environment where an employee is not embarrassed to check with the CFO’s office to see if they really did send an email from Bora Bora.

2. Plan: Implement a disaster recovery and incident response plan 
   Through the years, disaster recovery plans have been the usual response. Mostly, the emphasis has been on recovering data after a non-security IT event, often discussed in context of a fire, power loss, or hardware failure. Increasingly, cyber-attacks are creeping into the forefront of planning efforts. The challenge with cyber-events is that they are murkier to understand – and harder for leadership – to assist with.
   
   It’s easier to understand the concept of a fire destroying your server room and the plan entailing acquiring new equipment, recovering data from backup, restoring operations, having good downtime procedures, and communicating the restoration efforts along the way. What is much more challenging is if the event begins with a suspicion by employees, customers, or vendors who believe their data has been stolen without any conclusive information that your company is the originating point of the data loss. How do you take action if you know very little about the situation? What do you communicate if you are not sure what to say? It is this level of uncertainty that makes it so difficult. Do you have a plan in place for how to respond to an incident? Here are some questions to consider:
    
   1. How will we communicate internally with our staff about the incident?
   2. How will we communicate with our clients? Our patients? Our community?
   3. When should we call our insurance company? Our attorney?
   4. Is reception prepared to describe what is going on if someone visits our office?
   5. Do we have the technical expertise to diagnose the issue?
   6. Do we have set protocols in place for when to bring our systems off-line and are our downtime procedures ready to use?
   7. When the press gets wind of the situation, who will communicate with them and what will we share?
   8. If our telephone system and network is taken offline, how we will we communicate with our leadership team and workforce?

By starting to ask these questions, you can ascertain how ready you may, or may not be, for a cyber-attack when it comes.

3. Practice: Prepare your team with table top exercises  
   Given the complexity and diversity of the threats people are encountering today, no single written plan can account for all of the possible combinations of cyber-attacks. A plan can give guidance, set communication protocols, and structure your approach to your response. But by conducting exercises against hypothetical situations, you can test your plan, identify weaknesses in the plan, and also provide your leadership team with insight and experience – before it counts.
   
   A table top exercise entails one team member (perhaps from IT or from an outside firm) coming up with a hypothetical situation and a series of facts and clues about the situation that are given to your leadership team over time. Your team then implements the existing plans to respond to the incident and make decisions. There are no right or wrong answers in this scenario. Rather, the goal is to practice the decision-making and response process to determine where improvements are needed.
   
   Maybe you run an exercise and realize that you have not communicated to your staff that no mention of the event should be shared by employees on social media. Maybe the exercise makes you realize that the network administrator who is on vacation at the time is the only one who knows how to log onto the firewall. You might identify specific gaps that are lacking in your cybersecurity coverage. There is much to learn that can help you prepare for the real thing.

As you know, there are many different threats and risks facing organizations. Some are from inside an organization while others come from outside. Simply throwing additional technology at the problem will not sufficiently address the risks. While your people continue to be one of the biggest threats, they can also be one of your biggest assets, in both preventing issues from occurring and then responding quickly and appropriately when they do. Remember focus on your People, Your Plan, and Your Practice.

Private-sector pundits love to drone on about drones! Also known as Unmanned Aircraft Systems (UASs), drones are dramatically altering processes and increasing opportunities in the for-profit world. There is no doubt that these changes and resulting benefits are helping to increase drone usage; in March 2017, technology news website Recode reported that since December 2015 almost 800,000 drones had been registered with the Federal Aviation Administration (FAA).

Yet private businesses don’t operate all 800,000. Various government organizations have seen the value of UASs—especially local government agencies—and are using them. Public safety departments are using UASs to reduce risk and increase situational awareness during hostage negotiations, SWAT operations, search and rescue, firefighting, accident investigations, hazardous material situations, and disaster surveillance. Many use drones to quickly (and inexpensively) document projects, survey land, and create maps. As officials in places such as Appleton, Wisconsin know, the possibilities of drone usage by local governments are endless.

Still, drone technology remains relatively new, and navigating the regulatory environment can be difficult. As a result, establishing a local government UAS program is time-consuming and full of obstacles. Local officials have many questions, including:

• How can we establish drone programs that meet regulatory requirements?

• How do we inform and educate constituents about drone programs?

• What is the typical budget for a local government drone program?

• How can we determine if we can operate as civil users under FAA Part 107, or as public aircraft operators?

• What are general best practices for local government drone use?

Daunting, certainly, but help is here. We have assisted local governments for over two decades, and have developed a comprehensive drone program that we can tailor to meet individual agency needs. We can assist in establishing requirements, develop a concept of operations, write policy, conduct FAA filings, and, if desired, provide training for public aircraft operators.

A further benefit to local governments: BerryDunn is not affiliated with any drone manufacturer, and does not sell hardware or software. Our independence allows us to conduct a truly objective analysis and provide drone program recommendations that are in your best interest.

As more state and local government workers enter retirement, state and local agencies are becoming more dependent on millennial workers — the largest and most educated generation of workers in American history. But there is a serious gap between supply and demand.

As noted in a 2016 report by the Bureau of Labor Statistics titled 
Household Data Annual Averages 15, only 25.6% of current
government workers are between the ages of 18 and 35.

This trend isn’t necessarily shocking; many millennials choose higher-paying jobs in the private sector over lower-paying jobs in the public sector, especially when the days of a lifelong government career, and generous pensions, are dwindling. But it is a serious labor problem for government agencies — one that requires creative solutions. To entice these new workers, state and local governments need to adopt new recruiting and retaining methods.

Recruiting Methods

While money matters to millennials, they also want to live a life of adventure, try new things, embrace trailblazing technology, pursue meaningful goals, and gain a sense of both personal and civic accomplishment. In short, these new workers have values that differ from previous generations. You can help entice them by:

• Highlighting your state and local agency’s mission and greater purpose. Many millennials want to affect change and find careers consistent with their values. Include information in your job descriptions about the positive environmental and social impact your agency makes.

• Updating your technology. Millennials have grown up with technology (literally at their fingertips), can adapt to change as no other generation before them, and often strive to remain on the “cutting edge.” By updating your agency’s technology, you will not only improve your organization and benefit the public you serve, but also have a better chance of recruiting the best and brightest millennials.

• Providing them with a work-life balance. Life outside of work is just as important to millennials as their careers. They don’t plan to wait for retirement to finally pursue their interests, so providing them with a level of flexibility is key to recruitment. Consider offering flexible workdays, remote working capabilities, extended parental leave, sabbatical opportunities, and “mental health days.” The more flexibility state and local agencies provide, the more incentive there is for millennials.

Retaining Methods

Recruiting millennials for government jobs is challenging enough, and retaining them can prove even harder, as job hopping is standard practice for many members of this generation. Nevertheless, there are certain methods your agency can adopt to prevent millennial turnover. We suggest:

• Investing in employee development and training. Training and creating opportunities for promotion and career advancement are motivating incentives to millennials. Professional development excites millennials and investing in them will pay off for the agency — and the employees will be more engaged and likely to stay.

• Showing employees they are valued. Recognition is the biggest motivator besides money — millennials want acknowledgement for the good work that they do. Communicate achievements and provide awards to recipients in front of their peers. This not only gives them credit, but also motivates others. Continuing to communicate to your employees how their work supports their values reminds them they made the right decision in joining the public sector in the first place.

Make Your Move

Millennials are worthy of your attention! To compete with the private sector — to recruit and retain them — your government agency has to take an innovative approach to capitalize on this ever-growing demographic. If your state or local agency needs help refreshing your technology, reviewing current policies and procedures, or taking a fresh look at your processes, contact BerryDunn. We would love to talk about your commitment to your future!

You may also be interested in: CFOs for Hire; How to Attract and Retain Workers in a Seller's Market

While GASB has been talking about split-interest agreements for a long time (the proposal first released in June of 2015, with GASB Statement No. 81, Irrevocable Split-Interest Agreements released in March of 2016), time is quickly running out for a well-planned implementation. With the effective date looming on the horizon, (statement effective for periods beginning after December 15, 2016 unless early adopted), now is the time to start gathering needed information to record existing agreements under GASB 81.

We have learned from GASB’s not-for-profit FASB cousins that irrevocable agreements are rarely where they should be: in the hands of financial professionals. Compiling these agreements will require participation from many stakeholders. Your finance team will likely have to provide some education to avoid a great deal of confusion when asking the “do we have any irrevocable split-interest agreements?” question.

So, where do you start?

1. Have you been tracking this information right along, nicely documented in a folder by your desk? Great! Do a quick check of others in your organization to be sure your file is complete and skip steps 2-5.
    
2. Dig into your general ledger. Have you been receiving regular distributions from a trust? Some of these trust agreements pay out on a quarterly or annual basis and your accounting staff should be able to identify these payors. It may require a quick call to the administrator for the trust agreement to be sure the agreement qualifies under GASB 81.
    
3. Look to your fundraising professionals. Development departments like to keep track of all types of donations. It helps to quantify their good fundraising work. Be clear about what you need from them. Remember, irrevocable split-interest agreements, often trusts or other legally enforceable agreements, are agreements wherein a donor irrevocably transfers resources to a third party to hold for the benefit of the government and at least one other beneficiary —the “split” in “split-interest agreement”!
    
4. Keep talking to your fundraising professionals. Many of the split-interest agreements we find are very old, often created well before your current development software was put into place. Do you have old files that track this kind of information? It may require some digging in the paper files. Remember those?
    
5. All hands on deck. While the finance and fundraising teams are scouring their records, look to others in the organization that might have record of these types of agreements. You know who holds the keys to historical knowledge at your organization, so be sure to include them in your search.

Once the finance department has collected all of the agreements, take one more look to be sure they meet the requirements of GASB 81.“Are they really irrevocable? Or do we just hope they are?” Then you can get down to the business of accounting for them. If you have questions about the accounting for these agreements, please contact me. I would love to chat. And that is irrevocable.

Because we’ve been through this process many times, we’ve learned a few lessons and determined some best practices. Here are some tips to help you promote a positive post go-live experience.

The road to go-live is paved with good intentions. When an organization identifies a need to procure a new or upgraded system, that road can be long. It requires extensive planning, building a business case, defining requirements, procuring the system, testing it, and implementing it. Not to mention preparing your team to start using it. You’ve worked really hard to get to this point, and it feels like you’re about to cross the finish line. Well, grab some Gatorade because you’re not quite there yet. Post go-live is your cool-down, and it’s an important part of the race.

Preparation is key.
If you haven’t built a go-live plan into your overall implementation plan, you may see stress levels rise significantly in the days and weeks leading up to go-live. Like a runner prepares for a big race, a project lead must adequately prepare the team to begin using the new system, while still handling unexpected obstacles.  While there are many questions you should ask as you prepare to go live, you need to gain buy-in on the plan from the beginning and manage it to ensure follow-through.

Have your contract and deliverables handy.
Your system vendor implementation team will look to hand you off to their support team soon after go-live. It is crucial that you review all of the deliverables outlined in your contract to ensure all of the agreed-upon functionality is up and running, and all contracted deliverables have been provided and approved. Don’t transition to support until you’ve had enough time to see the system through significant processes (e.g. payroll, month-end close). In the period immediately after go-live, the vendor implementation team is your best resource to help address these issues, so it’s a good idea to have easy access to them.

Encourage use and feedback.
Functional leads and project champions need to continue communications past go-live to encourage use and provide a mechanism for addressing feedback. Employing change management best practices will go a long way in ensuring you use the system properly — and to its best capabilities.

Plan ahead for expanded use and future issues. 
Because a system implementation can be extremely resource-intensive, it is common to suppress or forgo functionality to implement at a later date (e.g., citizen and vendor self-service). In addition, we sometimes see issues arise during significant operational milestones (e.g., renewal processing, year-end close). Have a plan in place to decide how you will address known and unknown issues that arise.

While there is no silver bullet to solve all of the potential go-live woes, you can promote a smooth transition from a legacy system to a new system by implementing these tips. The time you spend up front will help offset many headaches down the road, promote end-user engagement, and ensure you’re getting the most from your investment.

We all know them. In fact, you might be one of them — people who worry the words “go live” will lead to job loss (theirs). This feeling is not entirely irrational. When an organization is ready to go live from an existing legacy system to a new enterprise system, stress levels rise and doubts emerge: What can go wrong? How much time will be lost? Are we really ready for this?

We’re here to help. Here is a list of go-live essentials to help you mitigate stress and assess your readiness. While not all-encompassing, it’s a good place to start. Here’s what you need:

1. A detailed project plan which specifies all of the implementation tasks
   A project plan is one of the most important parts of an implementation. A detailed plan that identifies all of the implementation tasks along with an assigned resource for each task is critical to success. The implementation vendor and the organization should develop this plan together to get buy-in from both teams.

2. A completed system configuration
   New system configuration is one of the most time-consuming aspects of a technology implementation. If you don’t complete the implementation in a timely manner, it will impact your go-live date. Configure the new system based upon the best practices of the system — not how the existing system was — for timely implementation.

3. External system interface identification
   While replacement of some external systems may be a goal of an implementation, there may be situations where external systems are not replaced or the organization has to send and/or receive data from external organizations. And while new systems have advanced interface technology capabilities, the external systems may not share these capabilities. Therefore it is imperative that you identify external system interfaces to avoid gaps in functionality.

4. Testing, testing, testing
   End-to-end testing or User Acceptance Testing (UAT) is often overlooked. It involves completing testing scenarios for each module to ensure appropriate system configuration. While the timing of UAT may vary, allow adequate time to identify solutions to issues that may result from UAT.

5. Data conversion validation
   When you begin using a new system, it’s best to ensure you’re working with clean, up-to-date data. Identify data conversion tasks in the project plan and include multiple data conversion passes. You must also determine if the existing data is actually worth converting. When you complete the data conversion, check for accuracy.

6. End user training
   You must train all end users to ensure proper utilization across the organization. Don’t underestimate the amount of time needed for end user training. It is also important to provide a feedback mechanism for end users to determine if the training was successful.

7. A go-live cutover plan
   The overall project plan may indicate go-live as an activity. List specific activities to complete as part of go-live. You can build these tasks into the project plan or maintain them as a separate checklist to promote a smooth transition.

8. Support structure
   Establish an internal support structure when preparing for go-live to help address issues that may arise. Most organizations take time to configure and test the system and provide training to end users prior to go-live. Questions will arise as part of this process — establish a process to track and address these questions.

Technology implementations can significantly impact your organization, and it’s common for stress levels to rise during the go-live process. But with the right assessment and preparation, you can lessen their impact and reduce staff stress. Our experienced, objective advisors work with public and private sector organizations across the country to oversee large enterprise projects from inception to successful completion. Please reach out to us to learn more about preparing for your next big project.

Recently the Governmental Accounting Standards Board (GASB) finished its Governmental Accounting Research System (GARS), a full codification of governmental accounting standards. The completion of the project allows preparers easy access to accounting guidance from GASB. The overall project, starting from the codification of older pre-1989 Financial Accounting Standards Board (FASB) pronouncements in 2010, was focused on pulling together all authoritative guidance, similar to what FASB had done in 2009.

Here’s what we found interesting.

Poking around the GARS (Basic View is free) I was struck by a paragraph surrounded by a thick-lined box that read “The provisions of this Codification need not be applied to immaterial items.” If you have ever read a GASB or FASB pronouncement, you have seen a similar box. But probably, like me, you didn’t fully consider its potential benefits. Understanding this, GASB published an article on its website aimed at (in my opinion) prompting financial statement preparers to consider reducing disclosure for the many clearly insignificant items often included within governmental financial statements.

After issuing more than 80 pronouncements since its inception in 1984, including 19 in the last five years, GASB accounting requirements continue to grow. Many expect the pace to continue, with issues like leases accounting, potential revision of the financial reporting model, and comprehensive review of revenue and expense recognition accounting currently in process. With these additional accounting standards come more disclosure requirements.

With many still reeling from implementation of the disclosure heavy pension guidance, GASB is already under pressure from stakeholders with respect to information overload. Users of financial statements can be easily overwhelmed by the amount of detailed disclosure, often finding it difficult to identify and focus on the most significant issues for the entity. Balancing the perceived need to meet disclosure requirements with the need to highlight significant information can be a difficult task for preparers. Often preparers lean towards providing too much information in an effort to “make sure everything is in there that should be”. So, what can you do to ease the pain?

While the concept of materiality is not addressed specifically in the GASB standards, by working with your auditors there are a number of ways to reduce the overall length and complexity of the statements. We recommend reviewing your financial statements periodically with your auditor, focusing on the following types of questions:

• On the face of the financial statements, are we breaking out items that are clearly inconsequential in nature and the amount?
• Are there opportunities to combine items where appropriate?
• In the notes to the financial statements are we providing excessive details about insignificant items?
• Do we have an excess amount of historical disclosure from years past?
• In the management’s discussion & analysis, is the analysis completed to an appropriate level? Is there discussion on items that are insignificant?

The spirit behind the box is that GASB was specifically thinking about material amounts and disclosures. It was not their intention to clutter the financials with what their article referred to as “nickel and dime” items. With more disclosure requirements on the way, now might be the time to think INSIDE the box.  

For more guidance on this and other GASB information, please contact Rob Smalley.

Electronic accessibility in every aspect of modern life has increased ten-fold, but government — and courts in particular — has been slow to follow.

History Lesson
The idea that criminal court proceedings are accessible by the public is a pillar of our justice system, rooted in the First Amendment. This public right to unrestricted access in criminal and civil court proceedings has been interpreted by many states to extend to court documents and court records (as long as not otherwise protected).

Traditionally, public access to court proceedings and records has been limited to those taking place in the courthouse, between the hours of 8:00 am and 4:00 pm. In most every other aspect of our lives, we have 24/7 access to everything from live streaming of our home security systems, to ordering our groceries or dinner from our mobile devices — while traveling at 30,000 feet! Government — and courts in particular — has been slow to follow in the rush to 24/7 electronic accessibility.

Part of the rationale behind the hesitation to jump on the electronic bandwagon, are the ethical issues surrounding unlimited electronic public access. So while the First Amendment provides for public access to information, conversely the Fourteenth Amendment interprets the definition of “liberty” to include a right to privacy. Deciding between these two semmingly contradictory rights becomes a challenge for courts when determining what form of electronic access is appropriate for court documents.

The pros
Unlimited electronic access to publicly available documents:

• Serve a variety of public interests while eliminating the need to travel to the courthouse to research and copy documents.
• Acts both as a deterrent to violating laws and as protection to those whose rights have been violated.
• Tends to instill fairness, transparency, and equality of court proceedings.
• Protects the community and allows the media to report on matters of public interest in a more convenient, timely, and streamlined manner.

The cons
While there are compelling reasons to provide electronic public access, they don’t take into account the potential for it to be used inappropriately. Risks include:

• Increased chance of identity theft, leading to loss of property, finances, and credit
• Exposure to sensitive information that may be harmful to all those involved
• Negative impact on privacy
• Deter public interest lawsuits for fear of overexposure
• Mistakes or abuse of legal process can have far-reaching implications on individuals

What can states do?
Allowing unlimited remote electronic access to court documents could compromise the privacy rights and concerns of individuals and increase the risk of harm to those participating in court proceedings. This issue demands the full attention of the courts nationwide, but not with an “all-or-nothing” approach.

Many states struggle with striking this balance. To mitigate some of the potentially damning effects, states have taken different approaches. The National Center for State Courts (NCSC) has brought attention to the issues on several occasions. In 2002, the NCSC and the State Justice Institute funded the project, “Developing a Model Written Policy Governing Access to Court Records” and more recently the NCSC has published the “Privacy/Public Access to Court Records Resource Guide”.

Some states have redacted confidential information from electronic documents and some have limited what information or categories are available on the internet, only posting some combination of the following:

• Appellate decisions
• Final judgments, orders, and decrees
• Basic information of the litigant or party to the case
• Calendars and case docket lists

Our recommendation
States must agree upon the amount of access they will provide electronically. To tackle this, each state should:

• Consider forming an access committee(s) to determine what guidelines are needed to balance the free access rights of the public with the privacy rights of individuals
• Policy decisions should be publicly posted to the judiciary, legislators, and the public at large; and
• Should be regularly revisited to ensure an appropriate balance is continually achieved

Interested in learning how your state can address this or similar issues? Reach out to BerryDunn's justice and public safety experts and we can discuss the particular issue facing your state and the best practices for approaching it.