Skip to Main Content

insightsarticles

How healthy is your organization's HIPAA compliance?

04.10.18

Over the course of its day-to-day operations, every organization acquires, stores, and transmits Protected Health Information (PHI), including names, email addresses, phone numbers, account numbers, and social security numbers.

Yet the security of each organization’s PHI varies dramatically, as does its need for compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Organizations that meet the definition of a covered entity or business associate under HIPAA must comply with requirements to protect the privacy and security of health information.

Noncompliance can have devastating consequences for an organization, including:

  • Civil violations, with fines ranging from $100 to $50,000 per violation
  • Criminal penalties, with fines ranging from around $50,000 to $250,000, plus imprisonment

All it takes is just one security or privacy breach. As breaches of all kinds continue to rise, this may be the perfect time to evaluate the health of your organization’s HIPAA compliance. To keep in compliance and minimize your risk of a breach, your organization should have:

  • An up-to-date and comprehensive HIPAA security and privacy plan
  • Comprehensive HIPAA training for employees
  • Staff who are aware of all PHI categories
  • Sufficiently encrypted devices and strong password policies

HIPAA Health Check: A Thorough Diagnosis

If your organization doesn’t have these safeguards in place, it’s time to start preparing for the worst — and undergo a HIPAA health check.

Organizations need to understand what they have in place, and where they need to bolster their practice. Here are a variety of fact-finding methods and tools we recommend, including (but not limited to):

  • Administrative, technical, and physical risk analyses
  • Policy, procedure, and business documentation reviews
  • Staff surveys and interviews
  • IT audits and testing of data security

Once you have diagnosed your organization’s “as-is” status, you need to move your organization toward the “to-be” status — that is, toward HIPAA compliance — by:

  • Prioritizing your HIPAA security and privacy risks
  • Developing tactics to mitigate those risks
  • Providing tools and tactics for security and privacy breach prevention and minimization
  • Creating or updating policies, procedures, and business documents, including a HIPAA security and privacy plan

As each organization is different, there are many factors to consider as you go through these processes, and customize your approach to the HIPAA-compliance needs of your organization.

The Road to Wellness

An ounce of prevention is worth a pound of cure. Don’t let a security or privacy breach jump-start the compliance process. Reach out to us for a HIPAA health check. Contact us if you have any questions on how to get your organization on the road to wellness.

Related Services

Consulting

Organizational and Governance

Success is slippery and can be evasive, even on the simplest of projects. Grasping it grows harder during lengthier and more complex undertakings, such as enterprise-wide technology projects—and requires incorporating a variety of short- and long-term strategies. Yet focusing only on the technological aspects of these projects is not enough. Here are 10 non-tech strategies for success in tech projects.

1. Gain leadership support.

An enterprise-wide technology project can transform an entire organization. Therefore, the first step toward success is to ensure your leadership makes the project an organizational priority. Projects described as "IT projects” in the past must now be seen as strategic business solutions that meet the needs of the organization, prioritized in sync with goals and objectives of the organization. Executives and management need to be on board and demonstrate solid commitment to the project. This dramatically improves the likelihood of project success, and your team knows that leadership is supporting their efforts.

2. Develop and promote a shared vision.

To start a successful project, members across the organization must understand and embrace a shared vision. One way to encourage this is to hold “vision sessions” where key stakeholders meet to talk about how they see the new technology improving operations. Building consensus early on allows your staff to be fully open to change, in turn helping generate positive and creative ideas.

3. Establish project tenets. 

Project leadership must develop a set of project goals and expectations, or tenets, which help staff understand the rationale for the project. They should be clearly defined, meaningful, and when possible, measurable, so the organization knows what success is—and how to achieve it. Tenet examples include:

We will collect and share information across the organization, subject to appropriate security and privacy compliance.

The use of standard business processes across the organization will minimize variations.

We will not design the new system based on existing workflows, and instead will use industry best practices.

4. Create a governance structure.

Early on in the project, identify a clear decision-making structure for resolving issues that arise and preventing delays. Although the project team should address issues first, having an agreed-upon process for issue escalation to leadership will be valuable when you can’t reach consensus.

5. Set realistic timelines.

Set realistic timelines, communicate them clearly, and refer to them often. An easily accessible visual timeline helps maintain project momentum and enthusiasm. It also helps you manage expectations and prevent scope creep. It’s important for the leadership team to inform staff of any changes that will impact their daily responsibilities or affect the timeline or scope of the project.

6. Engage key stakeholders early and often.

Change—even positive change—is stressful. Change management is an essential cornerstone to project success. Building sustainable collaboration and project buy-in from stakeholders at project onset and maintaining it throughout the project life cycle is critical to meeting deadlines and a successful outcome. In the case of a new system selection or implementation project, your operational leads should design and champion new workflows supported by enabled technology. Staff members need to work in sync with your IT department to translate their operational needs into technology requirements.

7. Develop a comprehensive communication plan.

A comprehensive communication plan is vital to the success of any project. It keeps stakeholders engaged and project teams motivated. It also includes the use of visual graphics, website videos, and/or social media for targeting the right groups with the right message at the right time, and in the right manner.

8. Don’t skimp on resources.

Adequate finances, technical infrastructure, and “people” resources must be committed for the long haul—project success is a journey, not a destination. Give your staff enough time to participate in planning, workflow redesign, and ongoing education. In order to help ensure key staff are available for system design and testing work, identify backfill resources for peak time periods in the project.

9. Practice change management for cultural considerations.

Your organization must prepare, support, and sustain all employees through effective change management in order to effect a culture of change. Pre-planning will help to identify potential roadblocks and areas of resistance, and facilitate embracing change.

Resistance comes from the degree of change required, and when staff members believe new technology is just a passing fad. It will take time—and commitment—for your staff members to learn how to use the new technology efficiently and understand its benefits.

10. Develop an effective and sustainable training plan.

An effective and sustainable training plan can’t be overemphasized. It should identify training resources, including personnel, locations, and equipment. In addition, a comprehensive training plan addresses different learning styles of various staff members and multiple training models, such as face-to-face classroom, virtual labs, and online learning. You can supplement these training models with “just in time” 1:1 role-based scenario trainings as needed. The plan should include the development of various training aides, including playbooks, scripts, quick-tip reference sheets, and FAQs. Finally, the plan should include methods for assessing staff proficiency, such as competency assessments and follow-up incremental trainings after go-live.

Additional strategies for tech project success

Ultimately, 10 is an arbitrary number. There are more non-tech strategies you can deploy to achieve tech project success. And of course, there are some tech-specific approaches you should know. If you would like to discuss these strategies—and the concrete tactics your organization can use to implement them on a day-to-day basis—please reach out to me.

Article
10 non-tech strategies for tech project success

Some days, social media seems nothing more than a blur of easily forgettable memes. Yet certain memes keep reappearing to the point where we have no choice but to remember them. Remember the one that displays various images of oceans or forests or mountains with the words “Relax. Nothing Is Under Control”? I do.

Wise words, if you’re on vacation and actually relaxing near an ocean, forest, or mountain. Yet they don’t necessarily apply to the day-to-day world of IT administration and management, particularly when undergoing a system implementation or upgrade. IT directors and staff must have at least some control. One of the best ways to do that, and keep IT chaos at bay, is to apply the change control process.

The Core of Change Control
Before we go any further, let’s clarify one thing: Change control is not change management, the general management of change and development within an organization. Change control refers to the systematic approach of handling midstream changes made during the course of an organization’s project, such as during a new system implementation.

In the world of local government, midstream IT project changes occur both suddenly and regularly due to a variety of factors, including new regulations, modifications to project scope, schedule, budget, and funding. Because many government departments use integrated systems to share data, these changes can have unintended downstream effects, including decreased productivity and revenue, and increased frustration and cost — especially if other departments within the organization don’t know what is going on.

At its core, change control helps you communicate and make decisions to avoid midstream project changes being made in a “vacuum.” It also helps ensure approval from all departments affected by the changes.

When to Use the Change Control Process
There are many types of changes that require change control. These include:

  • Billing changes
  • Mandate changes
  • Operational changes
  • Compliance changes
  • System interface changes
  • Quality assurance changes
  • Changes dictated by grants
  • Revenue management changes
  • Electronic Data Interchange (EDI) changes
  • Changes dictated by external agency requests
  • Electronic Health Records (EHR) or Electronic Resource Planning (ERP) program changes

You can also create an expedited process for time-sensitive changes, based on your organization’s unique needs.

How to Use the Change Control Process
The change control process generally consists of three phases:

Change Request: An individual who wants to make a change to an ongoing project completes a Change Control Request Form. The individual should provide the following information to their supervisor or director, who then determines whether or not to consider the change:

  • The due date of the requested change
  • The affected business lead, if known
  • The description of the requested change
  • The justification/benefit of the requested change
  • The impact of not implementing the requested change
  • Individual(s) who need to be notified and/or trained

Change Response: The CCB informs the requestor of its decision. If the request is approved, the requestor completes a Change Control Implementation Plan. Next, the requestor submits the completed Change Implementation Plan to their supervisor or director for review. Once the supervisor or director approves the Change Control Implementation Plan, they email the approval to both the requestor and a representative of the CCB.

Change Review: If the supervisor approves the change, a governing entity (the Change Control Board, or CCB) reviews the Change Control Request Form. The CCB either approves or declines the proposed change.

The Benefits of Change Control
The benefits of change control are many. Change control:

  • Ensures that midstream changes to IT systems and operations are vetted by all stakeholders
  • Provides opportunities for ongoing business process improvement and staff development
  • Improves training and communication
  • Helps avoid unnecessary changes that can disrupt services
  • Improves resource efficiency

Ultimately, each midstream project change — especially an IT project change — is a bit of a journey. With the change control process, the journey can feel more like a walk on the beach. This blog provides a simple summary of the process, as there are many other things to consider when implementing. But relax: It’s all under control!

Article
Make midstream project changes a walk on the beach: The change control process

Read this if you use QuickBooks. 

Want to break up an estimate into multiple invoices? QuickBooks Online supports progress invoicing.

If you do large, multi-part projects for customers, you may not want to wait until absolutely everything is done before you send an invoice. This can be especially problematic when you have to purchase a lot of materials for a job that will eventually be billed to the customers.

QuickBooks Online has a solution for this: progress invoicing. Once you’ve had an estimate approved, you can split it into as many pieces as you need, sending partial invoices to your customer for products and services as you provide them, rather than waiting until the project is complete. If cash flow is a problem for you, this can be a very effective solution. You might be able to take on work that you otherwise couldn’t because you’ll be getting paid periodically.

Setup Required

Progress invoicing requires some special setup steps. First, you’ll need to see whether QuickBooks Online is prepared for the task. Click the gear icon in the upper right and select Account and settings under Your Company. Click the Sales tab and scroll down to Progress Invoicing. It may just say On to the right of Create multiple partial invoices from a single estimate. If it doesn’t, click the pencil icon to the right and turn it on. Then click Save and Done.

You’ll also have to choose a different template than the one you use for standard invoices. Click the gear icon and select Custom form styles. Click New style in the upper right and then click Invoice. Enter a new name for the template to replace My INVOICE Template, like Progress Invoice. Then click Dive in with a template or Change up the template under the Design tab. Select Airy new by clicking on it. This is the only template you can use for progress invoicing.

When you’re creating a template for your progress invoices, you’ll have to select Airy new.

Now, click on Edit print settings (or When in doubt, print it out). Make sure there’s no checkmark in the box in front of Fit printed form with pay stub in window envelope or Fit to window envelope. Then click on the Content tab. You’ll see a preview of the template (grayed out) to the right. Click the pencil icon in the middle section. Select the Show more activity options link at the bottom of the screen.

If you want to Group activity by (Day, Week, Month, or Type), check that box and select your preference. Go through the other options here and check or uncheck the boxes to meet your needs. Then click Done. You’ll see your new template in the list of Custom form styles.

QuickBooks Online allows you to designate one form style as the default. This is the form that will open when you create a new invoice or estimate template. If you plan to send a lot of progress invoices, you might want to make that the default. To do this, find your new template in the list on this page and click the down arrow next to Edit in the Action column. Click Make default. If you leave your standard invoice as the default, you can always switch when you’re creating an invoice by clicking the Customize button at the bottom of the screen.

Creating a Progress Invoice


You can see what your options are for your progress invoice.

Invoice and estimate forms in QuickBooks Online are very similar. The only major difference is that estimates contain a field for Expiration date. To start the process of progress invoicing, select an estimate that you want to bill that way. Click the Sales tab and select All Sales. Find your estimate and click on Create invoice in the Action column. A window like the one in the above image will appear.

You can bill a percentage of each line item or enter a custom amount for each line.  If you choose the latter, the invoice that opens will have zeroes in the Due column. You can alter the amount due for any of these by either a percentage or an amount and/or leave them at zero if you don’t want to bill a particular product or service. Either way, the Balance due will reflect your changes. When you’ve come to the last invoice for the project, you’ll check Remaining total of all lines.

Once you’ve chosen one of these options, click Create invoice. Double-check the form and then save it. You can now treat it as any other invoice. To see a list of your progress invoices, run the Estimates & Progress Invoicing Summary by Customer report.

As you can see, there are numerous steps involved in creating progress invoices. Each has to be done with precision, so the customer is billed the exact total amount due at the end. We can help you accomplish this. We’re also available to help with any other QuickBooks Online issues you have. Contact our Outsourced Accounting team to set up a consultation.

Article
How does progress invoicing work in QuickBooks Online?

Read this if you are a plan sponsor of employee benefit plans.

This article is the ninth in a series to help employee benefit plan fiduciaries better understand their responsibilities and manage the risks of non-compliance with Employee Retirement Income Security Act (ERISA) requirements. You can read the previous articles here

Employee benefit plan loan basics 

If your plan’s adoption agreement is set up to allow loans, participants can borrow against their account balance. Some participants may find this an attractive option as the interest they pay on the loan is returned to their retirement account as opposed to other loans where the interest is paid to the lender. 

Additionally, while interest is charged at the market rate, it may be lower than other options available to the participant, such as a credit card or other unsecured debt. Unlike hardship distributions, there are no restrictions on the circumstances under which a participant may take a loan. A potential downside is that if the borrower defaults on the loan or ends their employment and cannot repay the loan in full, it converts from a loan to a deemed distribution, potentially incurring taxes and penalties.

If a participant decides that an employee benefit plan loan is their best option, they will apply for the loan through your plan administrator. Loans are limited in both size and quantity. Participants may take loans up to 50% of their vested account balance with a maximum loan of $50,000. The provisions of a plan determine how many loans an employee may have at once; however, the combined loan balances cannot exceed 50% of the employee’s vested balance or $50,000. Furthermore, the $50,000 loan maximum must also consider payments made on loans within the previous 12 months.

Repayment of employee benefit plan loans

Repayment of employee benefit plan loans may be done through after tax payroll contributions, making it a relatively easy process for the participant. If a plan sponsor elects to provide this repayment option, they must ensure that repayments are remitted to the plan in a timely manner, just as they must with other employee funded contributions. The term of the loan is typically limited to five years and must be repaid in at least quarterly installments. However, a loan can be extended to as long as thirty years if specified within the plan’s loan policy. If the loan term is for longer than five years, the loan proceeds must be used to purchase a primary residence.

Like any source of debt, there are pros and cons to taking out an employee benefit plan loan, and it remains an important option for participants to understand. The benefits include the ease of applying for such a loan and loan interest that is then added to the participant’s retirement account balance. Potential pitfalls include lost earnings during the loan period and the risk of the loan becoming a deemed distribution if the participant is unable to repay within the allotted time. 

If you would like more information, or have specific questions about your specific situation, please contact our Employee Benefits Audit team.

Article
Retirement plan loans: A brief review

Read this if you are a plan sponsor of employee benefit plans.

This article is the eighth in a series to help employee benefit plan fiduciaries better understand their responsibilities and manage the risks of non-compliance with Employee Retirement Income Security Act (ERISA) requirements. You can read the previous articles here

The Department of Labor regulations regarding service provider fee disclosures clarify that plan fiduciaries are responsible for assessing the reasonableness of fees charged to plans in relation to services performed. 

Before a plan fiduciary is able to assess the reasonableness of plan fees, the fiduciary has to receive required fee disclosures from their covered service provider. A covered service provider is considered a party that enters into an agreement with a covered plan to provide certain services. The range of services provided generally include recordkeeping services, investment adviser services, accounting services, auditing services, actuarial services, appraisals, banking, consulting, legal services, third party administration services, or valuation services provided to the plan.

In general, the covered service providers are required to provide the plan fiduciary a disclosure of the following information:

  • All expected services and fees, and
  • All direct and indirect compensation
    • Direct compensation are fees paid to the service providers from the plan
    • Indirect compensation are fees paid to the service providers from sources other than the plan, the plan sponsor, the covered service provider, or an affiliate 

Once the service provider fee disclosures are received, the responsible plan fiduciary must assess the reasonableness of the fees in relation to the services provided. There are numerous ways a plan fiduciary can determine if the fees are reasonable. The following are some of the most common ways to determine if the plan expenses are reasonable:

  • Complete a Request for Proposal (RFP) or Request for Information (RFI) process that compares at least two vendors.
  • Complete a plan “benchmarking” project. The responsible plan fiduciary can have an independent organization compare the fees charged to the plan to plans of similar size and characteristics. Failure to determine the reasonableness of the fees charged can result in a prohibited transaction. The responsible plan fiduciary should determine and document whether the fees are reasonable. Documentation should also include the steps taken to make this determination.

It is important to remember that failure to assess the reasonableness of the service provider fees can result in a prohibited transaction. Documentation of the assessment process, including steps taken to make a determination on fee reasonableness, is the best way to avoid having a prohibited transaction.

If you have any questions while assessing your service providers’ fees, please contact our Employee Benefits Audit team.
 

Article
Service provider fee disclosures: Understanding the process

Read this if you are a plan sponsor of employee benefit plans.

This article is the seventh in a series to help employee benefit plan fiduciaries better understand their responsibilities and manage the risks of non-compliance with Employee Retirement Income Security Act (ERISA) requirements. You can read the previous articles here.

The COVID-19 pandemic has challenged individuals and organizations to continue operating during a time where face-to-face interaction may not be plausible, and access to organizational resources may be restricted. However, life has not stopped, and participants in your employee benefit plan may continue to make important decisions based on their financial needs. 

To help you prepare for a potential IRS examination, we’ve listed some requirements for participants to receive Required Minimum Distributions (RMD), hardship distributions, and coronavirus-related distributions, recommendations of actions you can perform, and documentation to retain as added internal controls. 

Required Minimum Distributions

Recently, the IRS issued a memo regarding missing participants, beneficiaries, and RMDs for 403(b) plans. If an employee benefit plan is subject to the RMD rules of Code Section 401(a)(9), then distributions of a participant’s accrued benefits must commence April 1 of the calendar year following the later of 1) the participant attaining age 70½ or 2) the participant’s severance from employment. Under the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020, RMDs was temporarily waived for retirement plans for 2020. This change applied to defined contribution plans, such as 401(k), 403(b), 457(b) plans and IRAs. 

In addition, RMDs were waived for IRA owners who turned 70½ in 2019 and were required to take an RMD by April 1, 2020 and have not yet done so. Do note the waiver will not alter a participant’s required beginning date for purposes of applying the minimum distribution rules in future periods. Although you may be applying this waiver during 2020, it is important you prepare to make RMDs once the waiver period ends by verifying participants eligible to receive RMDs are not “missing.”

There are instances in which plans have been unable to make distributions to a terminated participant due to an inability to locate the participant. In this situation, the responsible plan fiduciary should take the following actions in applying the RMD rules:

  1. Search the plan and any related plan, sponsor and publicly available records and/or directories for alternative contact information;
  2. Use any of the following search methods to locate the participant: a commercial locator service, a credit reporting agency, or a proprietary internet search tool for locating individuals; and
  3. Attempt to initiate contact via certified mail sent to the participant’s last known mailing address, and/or through any other appropriate means for any known address(es) or contact information, including email addresses and telephone numbers.

If the plan is selected for audit by the IRS and the above actions have been taken and documented by the plan, the IRS instructs employee plan examiners not to challenge the plan for violation of the RMD rules. If the plan is unable to demonstrate that the above actions have been taken, the employee plan examiners may challenge the plan for violation of the RMD rules.

We typically recommend management review plan records to determine which participants have attained age 70½. Based on the guidelines outlined above, we recommend plans document the actions they have taken to contact these participants and/or their beneficiaries.

Hardship distribution rules

A common issue we identify during our employee benefit plan audits is that the rules for hardship distributions are not always followed by the plan sponsor. If the plan allows hardship withdrawals, they should only be provided if (1) the withdrawal is due to an immediate and heavy financial need, (2) the withdrawal must be necessary to satisfy the need (you have no other funds or ways to meet the need), and (3) the withdrawal must not exceed the amount needed. You may have noted we did not add the plan participant must have first obtained all distribution or nontaxable loans available under the plan to the list of requirements above. This is due to the recently enacted Bipartisan Budget Act of 2018 (the Act), which removed the requirement to obtain available plan loans prior to requesting a hardship. Thus, the removal of this requirement may increase the number of eligible participants to receive hardship withdrawals, if the three requirements noted are satisfied. The plan sponsor should maintain documentation the requirements for the hardship withdrawal have been met before issuing the hardship withdrawal.

The IRS considers the following as acceptable reasons for a hardship withdrawal:

  1. Un-reimbursed medical expenses for the employee, the employee’s spouse, dependents or beneficiary.
  2. Purchase of an employee's principal residence.
  3. Payment of college tuition and related educational costs such as room and board for the next 12 months for the employee, the employee’s spouse, dependents, beneficiary, or children who are no longer dependents.
  4. Payments necessary to prevent eviction of the employee from his/her home, or foreclosure on the mortgage of the principal residence.
  5. For funeral expenses for the employee, the employee’s spouse, children, dependents or beneficiary.
  6. Certain expenses for the repair of damage to the employee's principal residence.
  7. Expenses and losses incurred by the employee as a result of a disaster declared by the Federal Emergency Management Agency (FEMA), provided that the employee’s principal residence or principal place of employment at the time of the disaster was located in an area designated by FEMA for individual assistance with respect to the disaster.

Prior to the enactment of the Act, once a hardship withdrawal was taken, the plan participant would not be allowed to contribute to the plan for six months following the withdrawal. The Act repealed the six-month suspension of elective deferrals, thus plan participants are allowed to continue making contributions to the plan in the pay period following the hardship withdrawal. Prior to the Act we had seen instances where the plan participant was allowed to continue making contributions after the hardship withdrawal was taken. Now we would expect participants who received a hardship distribution to continue making elective deferrals following receipt of the distribution.

Coronavirus-related distributions

Under section 2202 of the CARES Act, qualified participants who are diagnosed with coronavirus, whose spouse or dependent is diagnosed with coronavirus, or who experience adverse financial consequences due to certain virus-related events including quarantine, furlough, or layoff, having hours reduced, or losing child care, are eligible to receive a coronavirus-related distribution. 

Distributions are considered coronavirus-related distributions if the participant or his/her spouse or dependent has experienced adverse effects noted above due to the coronavirus, the distributions do not exceed $100,000 in the aggregate, and the distributions were taken on or after January 1, 2020 and on or before December 30, 2020.  Such distributions are not subject to the 10% penalty tax under Internal Revenue Code (IRC) § 72(t), and participants have the option of including their distributions in income ratably over a three year period, or the entire amount, starting in the year the distribution was received. Such distributions are exempt from the IRC § 402(f) notice requirement, which explains rollover rules, as well as the effects of rolling a distribution to a qualifying IRA and the effects of not rolling it over. Also, participants can be exempt from owing federal taxes by repaying the coronavirus-related distribution. 

Participants receiving this distribution have a three-year window, starting on the distribution date, to contribute up to the full amount of the distribution to an eligible retirement plan as if the contribution were a timely rollover of an eligible rollover distribution. So, if a participant were to include the distribution amount ratably over the three-year period (2020 – 2022), and the full amount of the distribution was repaid to an eligible retirement plan in 2022, the participant may file amended federal income tax returns for 2020 and 2021 to claim a refund for taxes paid on the income included from the distributions, and the participant will not be required to include any amount in income in 2022. We recommend the plan sponsor maintain documentation supporting the participant was eligible to receive the coronavirus-related distribution. 

There is much uncertainty due to the current status of the COVID-19 pandemic, and this has forced many of our clients to review and alter their control environments to maintain effective operations. With this uncertainty comes changes to guidance and treatment of plan transactions. We have provided our current understanding of the guidance the IRS has provided for the treatment surrounding distributions, specifically RMDs, hardship distributions, and coronavirus-related distributions. If you and your team have any additional questions which may be specific to your organization or plan, an expert from our Employee Benefits Audit team will be gladly willing to assist you. 
 

Article
Defined contribution plan distributions: Considerations and recommendations

Read this if you are at a not-for-profit organization.

There is no question that cryptocurrency has been gaining in popularity over the past few years. It may be hard to believe, but Bitcoin, the first and most commonly known form of cryptocurrency, has been around since the good old days of 2009! What was once only seen as a quasi-asset traded solely on the dark web by a handful of private yet savvy investors has recently begun to step out into the light. With this newly found mainstream popularity come many questions from the not-for-profit (NFP) sector about how their organizations should proceed when it comes to donations of cryptocurrency, and how they might benefit (or not) from doing so. 

This article will answer some of the questions we’ve received from clients in this area and attempt to shed some light on the tax reporting and compliance requirements around cryptocurrency donations for not-for-profit organizations, as well as other topics not-for-profit organizations should consider before dipping their toes into the crypto current.

So, what exactly is cryptocurrency? 

Cryptocurrency is a digital asset. It generally has no physical form (no actual coins or paper money). Further, it is not issued by a central bank and is largely unregulated. Its value is dependent upon many factors, the largest being supply and demand.

Can a not-for-profit organization accept cryptocurrency as a donation?

Yes! For tax purposes, cryptocurrency is considered noncash property, and is perfectly acceptable for not-for-profit organizations to accept.

With that said, NFPs absolutely need to review and update their gift acceptance policies as necessary as to whether or not they are willing to accept cryptocurrency. Having a clear and established policy position in place one way or the other can mitigate any confusion or misunderstanding between the organization and a potential donor.

The organization may also want to consider adding language to the policy regarding its intent to either hold the asset or sell it as soon as administratively possible. A savvy donor may request that the organization hold the cryptocurrency donation for a period of time after the donation is made, so organizations will want to have clear policies in place.

What about acknowledging the donor’s gift?

Standard donor acknowledgement rules still apply. Any donation of $250 or more requires a standard “thank you” acknowledgement to the donor. Remember, the IRS has deemed cryptocurrency to be noncash property, which means a description of the donated property (but not its value) should be mentioned in the donor acknowledgement.

Are there any other forms I need to be aware of?

Yes. Forms 8283 & 8282 apply to donations of cryptocurrency. Where the donation is noncash, the donor should be providing the organization with Form 8283, Noncash Charitable Contributions, for a claimed value of more than $500. Further, if the claimed value is more than $5,000, the Form 8283 should be accompanied by a qualified appraisal report. Form 8283 should be signed by the donor, the qualified appraiser (if applicable), as well as the recipient organization upon acceptance.

NOTE: Form 8283, Part V, Donee Acknowledgement, contains a yes/no question asking if the organization intends to use the property for an unrelated use. Where the property in question is cryptocurrency, the answer to this question is likely always to be ‘yes’.

Should the organization sell the underlying cryptocurrency within three years of acceptance, the organization must complete Form 8282, Donee Information Return, and file a copy with the IRS as well as providing a copy to the original donor. Other rules apply if the organization transfers the property to a successor donee.

NOTE: Organizations may want to consider referencing the Forms 8283 & 8282 in their aforementioned gift acceptance policy.

How is a cryptocurrency donation reported on the financial statements and Form 990?

If donated and held by the organization as of the end of the year, it will be reported as an intangible asset on the balance sheet, and contribution revenue on the statement of activities. 

Similar reporting would follow for 990 purposes—the donation would be reported as part of noncash contribution revenue with additional reporting on 990, Schedule B, Schedule of Contributors, and Schedule M, Noncash Contributions, as necessary.

Why should I accept cryptocurrency?

This is by far the hardest question to answer, for a variety of reasons. There is no question that cryptocurrency has its risks. Cryptocurrency is known to be highly volatile. Bitcoin, which originally was valued at eight cents per coin in 2010 soared to an all-time high of over $63,000 back in April of 2021—and then two months later sold for around $34,000 per coin. And who could forget the recent Dogecoin (I’m still not sure how to pronounce that) phenomenon? It too in recent months became a sensation only to see its value plummet by almost 30% in a single day after an appearance by Elon Musk on Saturday Night Live (it did subsequently rebound after a Musk tweet).

The fact is no one really knows where the value of cryptocurrency is headed, so should a not-for-profit organization decide to proceed, you should be aware it may not be worth what it was when originally accepted, which could be either good or bad depending on the day. Ultimately, any value is still good for a not-for-profit organization, but the risks with cryptocurrency and its volatility are very real.

Other things to know about crypto

As of right now, cryptocurrency has its own trading platforms. Robinhood, a platform in the news recently when it halted trading of Gamestop’s stock when speculative traders got the price to soar to all new highs, being the most well known. Large investment firms are well on their way to creating their own platforms as cryptocurrency gains in popularity, so we certainly recommend speaking with your current investment advisors to find the platform that best suits your needs.

Cryptocurrency is held in a digital wallet, which can only be accessed by a password, or private keys. Digital wallets can be stored locally on a computer, but there are also web-based wallets.

There have been horror stories about people losing or forgetting passwords, ultimately rendering the cryptocurrency worthless because it cannot be accessed. Cryptocurrency, due to its private nature, is very desirable by hackers who could also potentially access the wallet and steal its contents. And if stored locally, the currency could be lost forever if the computer containing the wallet were to become corrupted or compromised.

Organizations holding cryptocurrency will need to ensure proper internal controls are in place to make sure the funds are secure and cannot be easily accessed or potentially stolen. Working with your internal IT department is a good strategy here. The questions above are not intended to be all inclusive. Cryptocurrency is still finding its way in the world and we’ll continue to keep an eye on any developments and keep clients up to date as cryptocurrency continues to expand its reach and as further guidance is issued.

If you have any questions, please contact me or another member of our not-for-profit tax services team. We're here to help.

Article
Cryptocurrency and the charitable contribution conundrum

Read this if you are working with an auditor.

The standard report an auditor issues on an entity’s financial statements was created in 1988, and has only had minor tweaking since. Amazing when we think about how the world has changed since 1988! Back then:

  • The World Wide Web hadn’t been invented
  • The Simpsons wasn’t yet on TV, and neither was Seinfeld
  • The Berlin Wall was still standing
  • The Single Audit Act celebrated its fourth birthday

The Auditing Standards Board (ASB), an independent board of the American Institute of CPAs (AICPA) that establishes auditing rules for not-for-profit organizations (as well as private company and federal, state, and local governmental entities) has decided it was high time to revisit the auditor’s report, and update it to provide additional information about the audit process that stakeholders have been requesting.

In addition to serving as BerryDunn’s quality assurance principal for the past 23 years, I’ve been serving on the ASB since January 2017, and as chair since May 2020. (And thanks to the pandemic our meetings during my tenure as chair have been conducted from my dining room table.)  We thought you might be interested in a high-level overview of the coming changes to the auditor’s report, which will be effective starting with calendar 2021 audits, from an insider’s perspective.

So what’s changing?

The most significant changes you’ll be seeing, based on feedback from various users of auditor’s reports, are:

  1. Opinion first
    The opinion in an audit report is the auditor’s conclusion as to whether the financial statements are in accordance with the applicable accounting standards, in all material respects. People told us this is the most important part of the report, so we’ve moved it to the first section of the report.
  2. Auditor’s ethical responsibilities
    We’ve pointed out that an auditor is required to be independent of the organization being audited, and to meet certain other ethical responsibilities in the conduct of the audit.
  3. “Going concern” responsibilities
    We describe management’s responsibility, under U.S. generally accepted accounting principles, and the auditor’s responsibility, under the auditing rules, for determining whether “substantial doubt” exists about the organization’s ability to continue in existence for at least one year following the date the financial statements are approved for issuance.
  4. Emphasis on professional judgment and professional skepticism
    We explain how an audit requires the auditor to exercise professional judgment (for example, regarding how much testing to perform), and to maintain professional skepticism, i.e., a questioning mind that is alert to the possibility the financial statements may be materially misstated, whether due to error or fraud.
  5. Communications with the board of directors
    We point out that the auditor is required to communicate certain matters to the board, such as difficulties encountered during the audit, material adjustments identified during the audit process, and which areas the auditor treated as “significant risks” in planning and performing the audit.
  6. Responsibility related to the “annual report”
    If the organization issues an “annual report” containing or referring to the audited financial statements, we explain the auditor is required to review it for consistency with the financial statements, and for any known misstatements of fact.
  7. Discussion of “key audit matters”
    While not required, your organization may request the auditor to discuss how certain “key audit matters” (those most significant to the audit) were addressed as part of the audit process. These are similar to the “critical audit matters” publicly traded company auditor’s reports are now required to include.

Yes, this means the auditor’s report will be longer; however, stakeholders told us inclusion of this information will make it more informative, and useful, for them.

Uniform Guidance standards also changing

Is your organization required to have a compliance audit under the federal Uniform Guidance standards? That report is also changing to reflect the items listed above to the extent they’re relevant.

What should you do?

Some actions to consider as you get ready for the first audit to which the new report applies (calendar 2021, or fiscal years ending in 2022) include:

  1. Ask your auditor what your organization’s auditor’s report will look like
    Your auditor can provide examples of auditor’s reports under the new rules, or even draft a pro forma auditor’s report for your organization (subject, of course, to the results of the audit).
  2. Outline and communicate your process for developing your annual report
    If your organization prepares an annual report, it will be important to coordinate its timing with that of the issuance of the auditor’s report, due to the auditor’s new reporting responsibility related to the annual report.
  3. Discuss with your board whether you would like the auditor to include a discussion of “key audit matters” in the auditor’s report
    While not required for not-for-profits, some organizations may decide to request the auditor include a discussion of such matters in the report, from the standpoint of transparency “best practices.”

If you have any questions about the new auditor’s report or your specific situation, please contact us. We’re here to help.
 

Article
A new auditor's report: Seven changes to know

Read this if you work at a not-for-profit (NFP) organization.

At our recent not-for-profit CPE Recharge event (you can access presentations from the event here), we asked participants to identify their top three concerns. Overwhelmingly, 83% of respondents identified financial stability as their number one concern, with the remote workforce coming in second at 57%, and cybersecurity and government funding tied for third place as top concerns at the organization.

Remarkably, these responses were consistent across NFP industry groups, including higher education institutions, social services agencies, and healthcare organizations. While remote workforce and cybersecurity concerns go hand-in-hand and are top of mind for not-for-profit leadership as organizations navigate a return to work, the renewed focus on financial stability highlights a change in focus for not-for-profit organizations.

The burden of financial stress for NFPs is not new, as this concern certainly pre-dates the pandemic, but by the end of the first quarter of 2020, many organizations had shifted away from the long-term financial stability planning to an emergency response—more immediate concerns included revenue generating and cost cutting. This shift back toward a discussion of long-term financial stability is a positive sign as organizations (and their finance departments) are beginning to pivot away from the short-time reactive response, to proactive planning for the future.

Our respondents further reported that while financial stability is a top concern, 36% were not concerned and 46% were only somewhat concerned about their organization’s financial health:

We haven’t forgotten the 16% of respondents “very concerned” about their financial health—we are not all out of the woods yet and some industries were feeling economic tightening before the pandemic. Certain relief funding was only recently made available (we’re looking at you, Shuttered Venue Operating Grant), and there will undoubtedly be other programs over the coming year that organizations can use to bridge the funding gap in 2022. We continue to watch state and federal relief programs and our panel of COVID-19 relief program experts are here to help as you continue to navigate the requirements.

As we move away from the short-term emergency response toward more future-oriented planning, it is a good opportunity to learn the lessons from the NFPs that fared well in this time of crisis. While success and profitability have varied across the not-for-profit industry, we have found a few common themes in organizational financial success during the pandemic storm. Those organizations have:

  • Explored new funding opportunities, including taking a thoughtful approach to relief programs 
  • Considered cash flow strategies, like non-critical expense cuts and renegotiating contracts
  • Communicated their value to donors, who responded in kind
  • Evaluated new strategic partnerships 
  • Expanded service delivery options and program offerings 
  • Emergency preparedness plans in place and adequate strategic reserves

While the not-for-profit CFO dream antidote for long-term sustainability may come in the form of a healthy strategic reserve, many organizations without that flexibility continued to thrive throughout the pandemic, a result of dedicated staff members and a continued focus on overall mission. COVID-19 has changed the way NFP organizations do business, and the industry is now ready to look into the future. 

And we’ll be here, as will our Recharge event! If you have any questions about the various funding programs, including HEERF, provider relief funds, employee retention credit, or others, please contact the not-for-profit accounting team. We’re here to help.

Article
Not-for-profit update: Brighter days ahead