Skip to Main Content

insightsarticles

Oxymoron of the month: Outsourced accountability

By: Dan Vogt
07.20.20

Read this if your company is considering outsourced information technology services.

For management, it’s the perennial question: Keep things in-house or outsource?

For management, it’s the perennial question: Keep things in-house or outsource? Most companies or organizations have outsourcing opportunities, from revenue cycle to payment processing to IT security. When deciding whether to outsource, you weigh the trade-offs and benefits by considering variables such as cost, internal expertise, cross coverage, and organizational risk.

In IT services, outsourcing may win out as technology becomes more complex. Maintaining expertise and depth for all the IT components in an environment can be resource-intensive.

Outsourced solutions allow IT teams to shift some of their focus from maintaining infrastructure to getting more value out of existing systems, increasing data analytics, and better linking technology to business objectives. The same can be applied to revenue cycle outsourcing, shifting the focus from getting clean bills out and cash coming in, to looking at the financial health of the organization, analyzing service lines, patient experience, or advancing projects.  

Once you’ve decided, there’s another question you need to ask
Lost sometimes in the discussion of whether to use outsourced services is how. Even after you’ve done your due diligence and chosen a great vendor, you need to stay involved. It can be easy to think, “Vendor XYZ is monitoring our servers or our days in AR, so we should be all set. I can stop worrying at night about our system reliability or our cash flow.” Not true.

You may be outsourcing a component of your technology environment or collections, but you are not outsourcing the accountability for it—from an internal administrative standpoint or (in many cases) from a legal standpoint.

Beware of a false state of confidence
No matter how clear the expectations and rules of engagement with your vendor at the onset of a partnership, circumstances can change—regulatory updates, technology advancements, and old-fashioned vendor neglect. In hiring the vendor, you are accountable for oversight of the partnership. Be actively engaged in the ongoing execution of the services. Also, periodically revisit the contract, make sure the vendor is following all terms, and confirm (with an outside audit, when appropriate) that you are getting the services you need.

Take, for example, server monitoring, which applies to every organization or company, large or small, with data on a server. When a managed service vendor wants to contract with you to provide monitoring services, the vendor’s salesperson will likely assure you that you need not worry about the stability of your server infrastructure, that the monitoring will catch issues before they occur, and that any issues that do arise will be resolved before the end user is impacted. Ideally, this is true, but you need to confirm.

Here’s how to stay involved with your vendor
Ask lots of questions. There’s never a question too small. Here are samples of how precisely you should drill down:

  • What metrics will be monitored, specifically?
  • Why do the metrics being monitored matter to our own business objectives?
  • What thresholds must be met to notify us or produce an alert?
  • What does exceeding a threshold mean to our business?
  • Who on our team will be notified if an alert is warranted?
  • What corrective action will be taken?

Ask uncomfortable questions
Being willing to ask challenging questions of your vendors, even when you are not an expert, is critical. You may feel uncomfortable but asking vendors to explain something to you in terms you understand is very reasonable. They’re the experts; you’re not expected to already understand every detail or you wouldn’t have needed to hire them. It’s their job to explain it to you. Without asking these questions, you may end up with a fairly generic solution that does produce a service or monitor something, but not necessarily all the things you need.

Ask obvious questions
You don’t want anything to slip by simply because you or the vendor took it for granted. It is common to assume that more is being done by a vendor than actually is. By asking even obvious questions, you can avoid this trap. All too often we conduct an IT assessment and are told that a vendor is providing a service, only to discover that the tasks are not happening as expected.

You are accountable for your whole team—in-house and outsourced members
An outsourced solution is an extension of your team. Taking an active and engaged role in an outsourcing partnership remains consistent with your management responsibilities. At the end of the day, management is responsible for achieving business objectives and mission. Regularly check in to make sure that the vendor stays focused on that same mission.

Related Services

Consulting

Related Professionals

Principals

BerryDunn experts and consultants

More and more emphasis is being put on cybersecurity by companies of all sizes. Whether it’s the news headlines of notable IT incidents, greater emphasis on the value of data, or the monetization of certain types of attacks, an increasing amount of energy and money is going towards security. Security has the attention of leadership and the board and it is not going away. One of the biggest risks to and vulnerabilities of any organization’s security continues to be its people. Innovative approaches and new technology can reduce risk but they still don’t prevent the damage that can be inflicted by an employee simply opening an attachment or following a link. This is more likely to happen than you may think.

Technology also doesn’t prepare a management team for how to handle the IT response, communication effort, and workforce management required during and after an event. Technology doesn’t lessen the operational impact that your organization will feel when, not if, you experience an event.

So let’s examine the human and operational side of cybersecurity. Below are three factors you should address to reduce risk and prepare your organization for an event:

  1. People: Create and maintain a vigilant workforce
    Ask yourself, “How prepared is our workforce when it comes to security threats and protecting our data? How likely would it be for one of our team members to click on a link or open an attachment that appear to be from our CFO? Would our team members look closely enough at the email address and notice that the organization name is different by one letter?”
     

    According to the 2016 Verizon Data Breach Report, 30% of phishing messages were opened by the target across all campaigns and 12% went on to click on the attachment or link.

    Phishing email attacks directed at your company through your team range from very obvious to extremely believable. Some attempts are sent widely and are looking for just one person to click, while others are extremely targeted and deliberate. In either case, it is vital that each employee takes enough time to realize that the email request is unusual. Perhaps there are strange typos in the request or it is odd the CFO is emailing while on vacation. That moment your employees take to pause and decide whether to click on the link/attachment could mean the difference between experiencing an event or not.

    So how do you create and cultivate this type of thought process in your workforce? Lots of education and awareness efforts. This goes beyond just an annual in-service training on HIPAA. It may include education sessions, emails with tips and tricks, posters describing the risk, and also exercises to test your workforce against phishing and security exploits. It also takes leadership embracing security as a strategic imperative and leading the organization to take it seriously. Once you have these efforts in place, you can create culture change to build and maintain an environment where an employee is not embarrassed to check with the CFO’s office to see if they really did send an email from Bora Bora.
  1. Plan: Implement a disaster recovery and incident response plan 
    Through the years, disaster recovery plans have been the usual response. Mostly, the emphasis has been on recovering data after a non-security IT event, often discussed in context of a fire, power loss, or hardware failure. Increasingly, cyber-attacks are creeping into the forefront of planning efforts. The challenge with cyber-events is that they are murkier to understand – and harder for leadership – to assist with.

    It’s easier to understand the concept of a fire destroying your server room and the plan entailing acquiring new equipment, recovering data from backup, restoring operations, having good downtime procedures, and communicating the restoration efforts along the way. What is much more challenging is if the event begins with a suspicion by employees, customers, or vendors who believe their data has been stolen without any conclusive information that your company is the originating point of the data loss. How do you take action if you know very little about the situation? What do you communicate if you are not sure what to say? It is this level of uncertainty that makes it so difficult. Do you have a plan in place for how to respond to an incident? Here are some questions to consider:
     
    1. How will we communicate internally with our staff about the incident?
    2. How will we communicate with our clients? Our patients? Our community?
    3. When should we call our insurance company? Our attorney?
    4. Is reception prepared to describe what is going on if someone visits our office?
    5. Do we have the technical expertise to diagnose the issue?
    6. Do we have set protocols in place for when to bring our systems off-line and are our downtime procedures ready to use?
    7. When the press gets wind of the situation, who will communicate with them and what will we share?
    8. If our telephone system and network is taken offline, how we will we communicate with our leadership team and workforce?

By starting to ask these questions, you can ascertain how ready you may, or may not be, for a cyber-attack when it comes.

  1. Practice: Prepare your team with table top exercises  
    Given the complexity and diversity of the threats people are encountering today, no single written plan can account for all of the possible combinations of cyber-attacks. A plan can give guidance, set communication protocols, and structure your approach to your response. But by conducting exercises against hypothetical situations, you can test your plan, identify weaknesses in the plan, and also provide your leadership team with insight and experience – before it counts.

    A table top exercise entails one team member (perhaps from IT or from an outside firm) coming up with a hypothetical situation and a series of facts and clues about the situation that are given to your leadership team over time. Your team then implements the existing plans to respond to the incident and make decisions. There are no right or wrong answers in this scenario. Rather, the goal is to practice the decision-making and response process to determine where improvements are needed.

    Maybe you run an exercise and realize that you have not communicated to your staff that no mention of the event should be shared by employees on social media. Maybe the exercise makes you realize that the network administrator who is on vacation at the time is the only one who knows how to log onto the firewall. You might identify specific gaps that are lacking in your cybersecurity coverage. There is much to learn that can help you prepare for the real thing.

As you know, there are many different threats and risks facing organizations. Some are from inside an organization while others come from outside. Simply throwing additional technology at the problem will not sufficiently address the risks. While your people continue to be one of the biggest threats, they can also be one of your biggest assets, in both preventing issues from occurring and then responding quickly and appropriately when they do. Remember focus on your People, Your Plan, and Your Practice.

Article
The three P's of improving your company's cybersecurity soft skills

Read this if you are an IT Leader, CFO, COO, or other C-suite leader responsible for selecting a new system.

Vendor demonstrations are an important milestone in the vendor selection process. Demonstrations allow you to validate what a vendor’s software is capable of, evaluate the usability with your own eyes, and confirm the fit to your organization’s objectives.

Our client found itself in a situation where, after many months of work developing requirements, issuing a request for proposal, and reviewing vendor proposals they were ready to conduct demonstrations. Despite a governor’s executive order for social distancing and limitations on non-essential travel, our client needed to conduct demonstrations to achieve an important project milestone. This presented an opportunity to help them plan, test, and facilitate remote vendor demonstrations with great success.

This brief case study shares some of the key success factors we found in conducting remote demonstrations and some lessons learned after they were complete.

  1. Prepare 
    Establish a clear agenda, schedule, script, and plan in advance of the demonstrations. This helps keep everyone coordinated throughout the demos.
  2. Test
    It is important to test the vendor’s video conference solution from all locations prior to the demonstrations. We tested with both vendors a week ahead of demos.
  3. Establish Ground Rules
    Establishing ground rules allows the meetings to go better, be more efficient, and stay on time. For example, is a moment of silence a consensus to move on or must you wait for someone to unmute their line to verbally confirm to proceed.
  4. Have clear roles by location
    Clear roles help to facilitate the demonstration. Designated time keepers, scribes, and local facilitators help the demonstration go smoothly, and decreases communication issues.
  5. Be close to the microphone
    Essential common sense, but when you can’t see everyone, loud, clear questions and answers make the demos more effective.
  6. Ask vendors to build in pauses to allow for questions
    Since vendors may not be able to see a hand raised, asking vendors to build specific pauses into their demonstrations allows space for questions to be asked easily.
  7. Do a virtual debrief 
    At the end of each vendor demonstration we had our own videoconferencing meeting set up to facilitate a virtual debrief. This allowed us to capture the evaluation notes of the day prior to the next demo. Planning these in advance and having them on people’s calendars made joining the meetings quick and seamless.

Observations and other lessons learned

Following the remote demonstrations we identified a few observations and lessons learned:

  1. Visibility was better
    By not having everyone crowded into one room, people were able to see the screen and the vendor’s software clearly.
  2. Different virtual platforms required orientation
    We wanted vendors to use the tools they were accustomed to using. This led to us using different products for different demonstrations. This was not insurmountable, but required orientation to get used to their tools at the start of each demo.
  3. Video helped debriefing
    Given the quick planning we did not have video capability from all locations for our virtual debrief. It was helpful to see the people sharing their comments following each demonstration. We will plan for video capabilities at all locations next time.
  4. Having a set order for people to provide feedback helped
    During the first debriefing, we established a set order for people to speak and share their thoughts. This limited talking over each other and allowed everyone to hear the thoughts of their peers clearly.
  5. Be patient with slowness
    For the most part we had successful demos with limited slowness. There were a couple points where slowness was encountered. We remained patient, adjusted the schedule, and in the worst case, added an extra break for people.
  6. Staying engaged takes effort
    Sitting all day on a remote demo and paying attention took effort to stay engaged. Building in specific times for Q&A, calling on people by name, and designing it so it wasn’t eight hours straight of presentation helped with engagement.

Restricted travel in response to COVID-19 has led our clients and our teams to be creative and agile in achieving objectives. The remote demonstrations proved highly successful, accomplished the goals, and met our client’s critical timing milestone. At the end of four days of demos, our client commented that the remote demos were perhaps even better than if they had been conducted onsite. As we look at the long view, we may find that clients prefer remote demonstrations even when social distancing and travel restrictions are lifted.

Article
Social distancing case study: Hosting remote vendor demonstrations

Texting has become a simple, convenient, and entrenched component of our everyday lives. We use it with family, friends, coworkers—and clients. My wife and I text to coordinate day care pickup and drop off of our kids every day. It is a quick and easy alternative to our large, and sometimes overwhelming, volume of email.

And with that convenience comes the temptation for clinicians, care teams, and healthcare providers to communicate sensitive content via text in the workplace. The ability to take a photograph of a wound and share with a colleague for a consult is convenient and effective. The number of patients who want to text a non-urgent question to their providers is also growing, particularly with younger patient populations. Population health teams who want to better engage patients may see texting as an easy format to achieve that.

The problem? Texting is not a secure communication method. The native SMS (short message service) used by many phones, including iPhones (at times), is not encrypted, and messages are sent in plain text over cellular networks. SMS messages are vulnerable to “man-in-the-middle” attacks, in which a third-party eavesdrops or potentially manipulates a conversation. The native message format of iPhones has security risks, too. And when a text message contains protected patient information or images, these risks become significant.

On December 28, 2017 CMS released clarification on text messaging. The highlights:

  • Texting is permissible between care team members if accomplished through a secure platform.
  • Texting of orders: prohibited.
  • Computerized Physician Order Entry (CPOE) is the preferred method of provider order entry.

The first bullet allows some consideration of text messaging but with an important caveat: you must use a secure platform. The last two bullets steer providers to using their EHR systems.

What should you do if you find yourself in a position where text messaging has crept into your culture?

  • Establish a policy to govern the use of text messaging and update your mobile device policy.
  • Determine whether you will implement (and allow your care team to use) a secure texting platform or prohibit texting all together.
  • Consider how secure texting impacts your policies and procedures related to data retention, discovery, and the legal health record. 
  • Educate your patients about secure messaging available on your patient portal.
  • Assess your organization’s usage and level of risk.

  • Stop using unsecure text messaging for patient related communications.

For more information, contact me.

Related content:

Watch our video on adopting technology for success
Read Dan's article on soft cybersecurity skills.

Article
Texting in healthcare? Best be secure.

Read this if you are an employer with basic knowledge of benefit plans and want to learn more. 

This article is the third in a series to help employee benefit plan fiduciaries better understand their responsibilities and manage the risks of non-compliance with Employee Retirement Income Security Act (ERISA) requirements. Our first article covers the background of ERISA, while our second article covers the definitions and rules of parties-in-interest and prohibited transactions.

Form 5500 is an informational return filed annually with the US Department of Labor (DOL). The purpose of Form 5500 is to report information concerning the operation, funding, assets, and investments of pension and other employee benefit plans to the Internal Revenue Service (IRS) and DOL. All pension benefit plans covered by the Employee Retirement Income Security Act (ERISA), and, generally, health and welfare plans covering 100 or more participants are subject to filing Form 5500. Any retirement plan covering less than 100 participants at the beginning of the plan year may be able to file Form 5500-SF, Short Form Annual Return/Report of Small Employee Benefit Plan. Read on for important filing requirements, as noncompliance can result in substantial penalties assessed by both the DOL and IRS. 

Who has to file, and which Form 5500 is required?

Pension plans

The most common types of pension benefit plan filers include:

  • Retirement plans qualified under Internal Revenue Code (IRC) § 401(a)
  • Tax sheltered annuity plans under IRC § 403(b)(1) and 403(b)(7)
  • SIMPLE 401(k) Plan under IRC § 401(k)(11)
  • Direct Filing Entity (DFE)

Which Form 5500 you should file depends on the type of plan. Small plans covering less than 100 participants as of the beginning of the plan year will normally file a Form 5500-SF. Conversely, large plans, mainly those plans covering 100 or more participants as of the beginning of the plan year, will file Form 5500 as a general rule. 

Participants include all current employees eligible for the plan, former employees still covered, and deceased employees who have one or more beneficiaries eligible for or receiving benefits under the plan.

Welfare plans

Generally, all welfare benefit plans covered by ERISA are required to file a Form 5500. Common types of welfare benefit plans include but are not limited to medical, dental, life insurance, severance pay, disability, and scholarship funds.

Similar to pension plans, the required Form 5500 to be filed typically depends on whether the plan is a small plan with less than 100 participants at the beginning of the year, or a large plan with 100 or more participants at the beginning of the plan year. However, certain welfare benefit plans are not required to file an annual Form 5500, including, but not limited to:

  • Plans with fewer than 100 participants at the beginning of the plan year and that are unfunded, fully insured, or a combination of the two
  • Governmental plans 
  • Employee benefit plans maintained only to comply with workers’ compensation, unemployment compensation, or disability insurance laws

Participants for welfare benefit plans include current employees covered by the plan, former employees still covered, and deceased employees who have one or more beneficiaries receiving or entitled to receive benefits under the plan (e.g., COBRA). 

Required financial schedules for Form 5500

Small plans that do not file Form 5500-SF require the following schedules to be filed along with the Form 5500:

  • Schedule A—Insurance information
  • Schedule D—DFE/Participating plan information
  • Schedule I—Financial information for a small plan

Large plans require the following schedules in addition to small plan schedules:

  • Plan Audit (Accountant’s Opinion)
  • Schedule C—Service provider information
  • Schedule G—Financial transaction schedules
  • Schedule H—Financial information (instead of Schedule I)

Welfare plans with 100 or more participants that are unfunded, fully insured or a combination of the two are not required to attach Schedule H or an Accountant’s Opinion. Also, pension plans will attach Schedule SB or MB reporting actuarial information, if required, along with Schedule R reporting retirement plan information.

When to File

Form 5500 must be filed electronically by the last day of the seventh calendar month after the end of the plan year. However, a two and one-half months’ extension of time to file can be requested. Penalties may be assessed by both the IRS and the DOL for failure to file an annual Form 5500-series return. For 2020, the IRS penalty for late filing is $250 per day, up to a maximum of $150,000 (applies only to retirement plans), and the DOL penalty can run up to $2,233 per day, with no maximum. Therefore, it is very important to track participant counts and ensure compliance with filing deadlines.

If you have questions about your specific situation, please contact our employee benefit consulting team. We’re here to help.

Article
Form 5500: An overview

Read this if your organization has received assistance from the Provider Relief Fund.

On January 15, 2021 the US Department of Health & Human Services released updated guidance on the Provider Relief Fund (PRF) reporting requirements. Below, we outline what has changed and supersedes their last communication on November 2, 2020.

This amended guidance is in response to the Coronavirus Response and Relief Supplemental Appropriations Act (Act). The act was passed in December 2020 and added an additional $3 billion to the PRF along with new language regarding reporting requirements. 

Highlights

Please note this is a summary of information and additional detail and guidance that can be found on the Reporting Requirements and Auditing page at HHS.gov. See our helpful infographic for a summary of key deadlines and reporting requirements. 

  • On January 15, 2021 The Department of Health and Human Services (HHS) announced a delay in reporting of the PRF. Further details on the deadline for this reporting have not yet been communicated by HHS. Recipients of PRF payments greater than $10,000 may register to report on use of funds as of December 31, 2020 starting January 15, 2021. Providers should go into the portal and register and establish an account now so when the portal is open for reporting they are prepared to fulfil their reporting requirements.
  • Recipients who have not used all of the funds after December 31, 2020, have six more months from January 1 – June 30, 2021 to use remaining funds. Provider organizations will have to submit a second report before July 31, 2021 on how funds were utilized for that six-month period. 
  • The new guidelines further define the reporting entity and how to report if there is a parent company with subsidiaries for both general and targeted distributions:
     
    • Parent organizations with multiple TINs that either received general distributions or received them from parent organizations can report the usage of these funds even if the parent was not the entity that completed the attestation.
    • While a targeted distribution may now be transferred from the receiving subsidiary to another subsidiary by the parent organization, the original subsidiary must report any of the targeted distribution it received that was transferred.
       
  • The calculation of lost revenue has been modified by HHS through this new guidance. Lost revenue is calculated for the full year and can be calculated as follows:
     
    1. Difference between 2019 and 2020 actual client/resident/patient care revenue. The revenue must be submitted by client/resident/patient care mix and by quarter for the 2019 year.
    2. Difference between 2020 budgeted and 2020 actual. The budget must have been established and approved prior to March 27, 2020 and this budget, as well as an attestation from the CEO or CFO that this budget was submitted and approved prior to March 27, 2020, will have to be submitted.
    3. Reasonable method of estimating revenue. An explanation of the methodology, why it is reasonable and how the lost revenue was caused by coronavirus and not another source will need to be submitted. This method will likely fall under increased scrutiny through an audit by the Health Resources & Services Administration.
       
  • Recipients with unexpended PRF funds in full after the end of calendar year 2020, have an additional six months to utilize remaining funds for expenses or lost revenue attributable to coronavirus in an amount not to exceed the difference between:
     
    • 2019 Quarter 1 to Quarter 2 and 2021 Quarter 1 to Quarter 2 actual revenue,
    • 2020 Quarter 1 to Quarter 2 budgeted revenue and 2021 Quarter 1 to Quarter 2 actual revenue.

Next steps

In the wake of this new guidance, providers should undertake the following steps:

  • Register in the HHS portal and establish an account as soon as possible.
  • Revisit lost revenue calculations to determine if current methodology is appropriate or if an updated methodology would be more appropriate under the new guidance.
  • Understand the ability to transfer general and targeted distributions and the impact on reporting of these funds.
  • Develop reporting procedures for lost revenue and increased expense for reporting in the HHS portal.

If you have questions about accounting for, or reporting on, funds that you have received as a result of the COVID-19 pandemic, please contact a member of our team. We’re here to help.

Article
Coronavirus Response and Relief Act impacts on the HHS Provider Relief Fund

Read this if you are an employer looking for more information on the Employee Retention Credit (ERC).

As we previously wrote, the Consolidated Appropriations Act, 2021 expanded, retroactively to March 12th, 2020, the Employee Retention Credit (ERC) to include those otherwise eligible employers who also received Paycheck Protection Program (PPP) loans. For those employers, wages qualifying for the ERC include wages that were not paid for with proceeds from a forgiven PPP loan. 

IRS guidance released

Recently, the Internal Revenue Service (IRS) released guidance under Notice 2021-20 (the Notice) clarifying how eligible employers who also received a PPP loan during 2020 can retroactively claim the ERC. The Notice also formalizes and expands on prior IRS responses to FAQs and addresses changes made since the enactment of the Act; it contains 71 FAQs. The IRS has stated it will address calendar quarters in 2021 in later guidance.

Under the 2020 ERC rules, an eligible employer may receive a refundable credit equal to 50% of qualified wages and healthcare expenses (up to $10,000 of wages/health care expenses per employee in 2020) paid by a business or not-for-profit organization that experienced a full or partial suspension of their operations or a significant decline in gross receipts. For employers that received a PPP loan, Q&A 49 of the Notice outlines the IRS’ position on the interaction with the ERC for 2020. 

An eligible employer can elect which wages are used to calculate the ERC and which wages are used for PPP loan forgiveness. The Notice provides for a deemed election for any qualified wages  included in the amount reported as payroll costs on the PPP Loan Forgiveness Application, unless the included payroll costs exceed the amount needed for full forgiveness when considering only the entries on the application. The text of Q&A 49 appears to treat the minimum amount of payroll costs required for PPP loan forgiveness (i.e., 60%) as being the deemed election as long as there are other eligible non-payroll expenses reported on the application to account for the other 40% of loan forgiveness expenses.

Payroll costs reported on the PPP Loan Forgiveness Application: Examples

The examples make it clear the payroll costs reported on the PPP Loan Forgiveness Application and needed for loan forgiveness are generally excluded from the ERC calculations. The qualified wages included on the PPP Loan Forgiveness Application that may be included in the ERC calculations are partially impacted by the documented non-payroll expenses included in the PPP Loan Forgiveness Application. Following are a few examples from the Notice. Each example outlines the interaction between payroll costs reported on the PPP Loan Forgiveness Application and the qualified wages for the ERC.

Example #1: An employer received a PPP loan of $100,000 and has both payroll and non-payroll costs that far exceed the borrowed amount. The employer only reports payroll costs of $100,000 on the PPP Loan Forgiveness application to simplify the forgiveness process. The employer cannot use any of the $100,000 of payroll costs to claim the ERC. This is notwithstanding the fact that 100% forgiveness may have been achieved by reporting only $60,000 of payroll costs and the remaining $40,000 from non-payroll costs.   

Example #2: An employer received a PPP loan of $200,000. The employer submitted a PPP Loan Forgiveness Application and reported $250,000 of qualified wages as payroll costs in support of forgiveness of the entire PPP loan. The employer is deemed to have made an election not to take into account $200,000 of the qualified wages for purposes of the ERC, which was the amount of qualified wages included in the payroll costs reported on the PPP Loan Forgiveness Application up to (but not exceeding) the minimum amount of payroll costs. The employer is not treated as making a deemed election with respect to $50,000 of the qualified wages ($250,000 reported on the PPP Loan Forgiveness Application, minus the $200,000 PPP loan amount forgiven), and it may treat that amount as qualified wages for purposes of the ERC.

Example #3: An employer received a PPP loan of $200,000. The employer is an eligible employer and paid $200,000 of qualified wages that would qualify for the employee retention credit during the second and third quarters of 2020. The employer also paid other eligible expenses of $70,000. The employer submitted a PPP Loan Forgiveness Application and reported the $200,000 of qualified wages as payroll costs, as well as the $70,000 of other eligible expenses, in support of forgiveness of the entire PPP loan. In this case, the employer is deemed to have made an election not to take into account $130,000 of qualified wages for purposes of the ERC, which was the amount of qualified wages included in the payroll costs reported on the PPP Loan Forgiveness Application up to (but not exceeding) the minimum amount of payroll costs, together with the $70,000 of other eligible expenses reported on the PPP Loan Forgiveness Application, sufficient to support the amount of the PPP loan that was forgiven. As a result, $70,000 of the qualified wages reported as payroll costs may be treated as qualified wages for purposes of the ERC.

Key takeaway:

For purposes of PPP loan forgiveness, an employer must generally submit payroll expenses equal to at least 60% of the loan amount to maximize loan forgiveness and to maximize the available wages for the ERC. If an employer does not report non-payroll costs (or limits the amount it reports) on the PPP Loan Forgiveness Application then doing so will have a direct impact on the wages available for the ERC. 

An employer must also consider the payroll costs reported on the PPP Loan Forgiveness Application and the payroll costs necessary to maximize the ERC. For example, if an employer does not qualify for the ERC until the third quarter of 2020, it should consider limiting the amount of wages reported on the PPP Loan Forgiveness Application that are attributable to the third quarter in order to maximize the wages available for the ERC.

How to claim the Employee Retention Credit

An eligible employer that received a PPP loan and did not claim the ERC may file a Form 941-X, Adjusted Employer’s Quarterly Federal Tax Return for the relevant calendar quarters in which the employer paid qualified wages, but only for qualified wages for which no deemed election was made. 

Form 941-X may also be used by eligible employers who did not receive a PPP loan for 2020, but subsequently decide to claim any ERC to which they are entitled for 2020. 

The deadline for filing Form 941-X is generally within three years of the date Form 941 was filed or two years from the date you paid the tax reported on Form 941, whichever is later.

For more information

If you have more questions, or have a specific question about your situation, please call us. We’re here to help.

Article
IRS guidance: Retroactively claiming the 2020 ERC