PERM success for Medicaid agencies through system implementations

By: Hilary Moles,

As a senior consultant in the BerryDunn Government Consulting Group, Christy has valuable expertise in both Medicaid and the private insurance sector. Her experience and background with the Payment Error Rate Measurement (PERM) program have given her a passion for assisting states in identifying the need to prioritize the activities and resulting outcomes of a PERM cycle, as well as offering and assisting with the implementation of recommendations to mitigate known areas of concern that may otherwise result in PERM errors.

She has provided valuable contributions while working closely with states to evaluate and implement new processes and procedures to ensure federal compliance measures are in place before PERM reviews begin. Christy has a profound understanding of state and federal policies as they apply to PERM reviews and a broad experience working in and understanding the operation and limitation of many state eligibility systems.

Christy Schilling
01.11.22

Read this if your State Medicaid Agency is planning Medicaid Enterprise System enhancements.

Are you a system integrator (SI) or a State Medicaid Agency (SMA) implementing or enhancing a Medicaid system or specific module? Have you considered how decisions made during design and implementation could impact the federal Payment Error Rate Measurement (PERM) reviews for SMAs?

The goal of PERM is to measure and report an unbiased estimate of the true improper payment rate for Medicaid and the Children’s Health Insurance Program (CHIP). Every state is reviewed once every three years using a sample that includes both fee-for-service (FFS) and managed care (MC) payments. A state-assigned error rate is not the only consequence resulting from the PERM review; there are also financial implications.

Risk reduction from PERM review

Maintaining a focus on PERM review factors when making decisions during design and implementation can protect states by reducing the risk of:

  • Submitting change requests (CR) during implementation, which can result in additional cost and time
  • Implementing changes to existing Medicaid systems during maintenance and operations
  • Findings reported during certification efforts
  • Refunding federal dollars due to improperly paid claims
  • A reduction in federal match on all claims paid

It is also important to understand the benefits of a dedicated PERM team within the state organization that includes members from the system vendor and outside PERM experts. These benefits include providing states an additional level of security to help ensure a positive outcome to the federal PERM review, helping to protect federal funding.

Having a dedicated team will help ensure all decisions made during system updates and/or implementations are made while keeping focus on PERM requirements and the further impacts of PERM reviews, saving time and remaining compliant.

Plan ahead for best results

When planning for a new module or Medicaid system request for proposals (RFP), consider PERM-related requirements to help ensure all PERM needs are met to prevent errors and repayment of federal funds. Including PERM requirements can also help your agency ensure federal compliance and successful PERM audits. Doing so will likely reduce the amount of time system integrators spend re-working earlier development decisions and help ensure claim payments are processed and eligibility determinations are made in accordance with federal and state regulations.

If you have questions about PERM or your specific situation, please contact our Medicaid Consulting team. We’re here to help.

Read this if you are a state Medicaid or CHIP agency.

The Centers for Medicare & Medicaid Services (CMS) has temporarily suspended all Payment Error Rate Measurement (PERM) improper payment-related engagement/communication and data requests to providers and state agencies as a result of the COVID-19 nationwide public health emergency declaration. 

CMS has also adopted a temporary policy of relaxed enforcement regarding activities related to Medicaid Eligibility Quality Control (MEQC) until further notice.

CMS continues to provide state Medicaid and Children’s Health Insurance Program (CHIP) agencies with a number of methods to assist in each state’s approach and response to the COVID-19 pandemic. Some flexibilities offered to state Medicaid and CHIP agencies include:

  • Eligibility and enrollment 
  • Benefits 
  • Cost-sharing 
  • Financing 
  • Managed care 

While this has been communicated with state Medicaid and CHIP agencies, you should take some important steps to manage these flexibilities to ensure you don’t encounter issues when PERM and MEQC review activities resume. Reviews are conducted according to state and federal policies and regulations in force at the time of service on the sampled claims under review. 

CMS has issued guidance to identify whether or not each of the flexibilities requires an approved state plan amendment (SPA), waiver, or whether simply providing documentation in the individual case file will provide the required support when PERM and MEQC activities resume. 

Additionally, it is equally important to ensure the “pre-COVID” processes and procedures resume immediately upon expiration of the public health emergency declaration in order to remain in compliance with state and federal regulations. 

Here are a few key considerations to help reduce the number of errors identified once PERM resumes:

  • Management of new state-specific policies and procedures in effect during the COVID-19 pandemic is critical. You need to ensure all processes requiring CMS approval or notification have been enacted and that these temporary processes revert back to pre-COVID processes immediately upon termination of the public health emergency.
  • Continued training and guidance to Medicaid and CHIP staff during this time to ensure understanding of expectations and adherence to new processes. Applying and understanding eligibility and enrollment flexibilities for both members and providers is vital to meet all expectations and documentation requirements.

New updates continue to be announced by CMS to ensure Americans have access to the care they need during this time. This requires remaining diligent to the expectations of these flexibilities and preparing for the impact of PERM and MEQC outcomes when these activities resume. This is key to reducing improper payment error rates. 

For additional detailed information regarding the identified flexibilities above, please refer to the PERM cycle preparation tool we have prepared.

If you have questions regarding relaxed requirements or you would like to have an in-depth conversation with our PERM experts, please contact the Medicaid Consulting team.
 

Article
PERM is suspended―key considerations during COVID-19 

Read this if you are a state Medicaid Director, State Medicaid Chief Information Officer, State Medicaid Project Manager, State Procurement Officer, or work in a State Medicaid Program Integrity Unit.

The Centers for Medicare & Medicaid Services (CMS) issued a Payment Error Rate Measurement (PERM) Final Rule on July 5, 2017, that made several changes to the PERM requirements. One important change was the updates to the Medicaid Eligibility Quality Control (MEQC) requirement. 

The Final Rule restructures the MEQC program into a pilot program that requires states to conduct eligibility reviews during the two years between PERM cycles. CMS has also introduced the potential for imposing disallowances or reductions in federal funding percentage (FFP) as a result of PERM eligibility error rates that do not meet the national standard. One measure states can use to lessen the chance of this happening is by successfully carrying out the requirements of the MEQC pilot. 

What states should know―important points to keep in mind regarding MEQC reviews:

  • Each state must have a team in place to conduct MEQC reviews. The individuals responsible for the MEQC reviews and associated activities must be separate from the state agencies and personnel responsible for Medicaid and Children’s Health Insurance Program (CHIP) policy and operations, including eligibility determinations.
  • States can apply for federal funding to help cover the costs of the MEQC activities. CMS encourages states to partner with a contractor in conducting the MEQC reviews.
  • The deadline to submit the state planning document to CMS is November 1 following the end of your state’s PERM cycle. If you are a Cycle 2 state, your MEQC planning document is due by November 1, 2019. 
  • If you are a Cycle 1 state, you are (or should be) currently undergoing the MEQC reviews.
  • There are minimum sample size requirements for the MEQC review period: 400 negative cases and 400 active cases (consisting of both Medicaid and CHIP cases) over a period of 12 months.
  • Upon conclusion of all MEQC reviews, states must submit a final findings report along with a corrective action plan that addresses all error findings identified during the MEQC review period.

CMS encourages states to utilize federal funding to carry out and fulfill MEQC requirements. BerryDunn has staff with experience in preparing Advanced Planning Documents (APD) and can assist your state in submitting an APD request to CMS for these MEQC activities. 

Check out the previously released blog, “PERM: Prepared or Not Prepared?” and stay tuned for upcoming blogs about specific PERM topics, including the financial impacts of PERM, and how each review phase will affect your state.   

For questions or to find out more, contact the team.

Article
PERM: Does MEQC affect states?

Federal contractors with the Centers for Medicare & Medicaid Services (CMS) have begun performing Payment Error Rate Measurement (PERM) reviews under the Final Rule issued in July 2017—a rule that many states may not realize could negatively impact their Medicaid budgets.

PERM is a complex process—states must focus on several activities over a recurring three-year period of time—and states may not have the resources needed to make PERM requirements a priority. However, with the Final Rule, this PERM eligibility review could have financial implications. 

After freezing the eligibility measurement for four years while undergoing pilot review, CMS has established new requirements for the eligibility review component and made significant changes to the data processing and medical record review components. As part of the Final Rule, CMS may implement reductions in the amount of federal funding provided to a state’s Medicaid and Children’s Health Insurance Program (CHIP) programs based on the error rates identified from the eligibility reviews. 

Since the issuance of the Final Rule in July 2017, Cycle 1 states are the first group of states to undergo a PERM cycle, including reviews of the data processing, medical record, and eligibility components. These states are wrapping up the final review activities, and Cycle 2 states are in the early stages of their PERM reviews.

How can your state prepare?

Whether your state is a Cycle 1, Cycle 2, or Cycle 3 state, there are multiple activities your Medicaid departments should engage in throughout each three-year period of time during and between PERM cycles: 

  • Analyzing prior errors cited or known issues, along with the root cause of the error
  • Identifying remedies to reduce future errors
  • Preparing and submitting required questionnaires and documents to the federal contractors for an upcoming review cycle
  • Assisting federal contractors with current reviews and findings
  • Preparing for and undergoing Medicaid Eligibility Quality Control (MEQC) planning and required reviews
  • Corrective action planning

Is your state ready?

We’ve compiled a few basic questions to gauge your state’s readiness for the PERM review cycle:

  • Do you have measures in place to ensure all eligibility factors under review are identifiable and that all federal and state regulations are being met? The eligibility review contractor (ERC) will reestablish eligibility for all beneficiaries sampled for review. This process involves confirming all verification requirements are in the case file, income requirements are met, placement in an accurate eligibility category has taken place, and the timeframe for processing all determinations meets federal and state regulations. 
  • Do you have up-to-date policy and procedures in place for determining and processing Medicaid or CHIP eligibility of an individual? Ensuring eligibility policies and procedures meet federal requirements is just as important as ensuring the processing of applications, including both system and manual actions, meet the regulations. 
  • Do you have up-to-date policy, procedures, and system requirements in place to ensure accurate processing of all Medicaid/CHIP claims? Reviewers will confirm the accuracy of all claim payments based on state and federal regulations. Errors are often cited due to the claims processing system allowing claims to pay that do not meet regulations.
  • Do you have a dedicated team in place to address all PERM requirements to ensure a successful review cycle? This includes staff to answer questions, address review findings, and respond to requests for additional information. During a review cycle, the federal contractors will cite errors based on their best understanding of policies and/or ability to locate required documentation. Responding to requests for information or reviewing and responding to findings in a timely manner should be a priority to ensure accurate findings. 
  • Have you communicated all PERM requirements and updates to policy changes to all Medicaid/CHIP providers? Providers play two integral roles in the success of a PERM review cycle. Providers must understand all claims submission requirements in order to accurately submit claims. Additionally, the medical record review component relies on providers responding to the request for the medical records on a sampled claim. Failure to respond will result in an error. Therefore, states must maintain communication with providers to stress the importance of responding to these requests.
  • Have you begun planning for the MEQC requirement? Following basic requirements identified by CMS during your state’s MEQC period, your state must submit a case planning document to CMS for approval prior to the MEQC review period. After the MEQC review, your state should be prepared to issue findings reports, including a corrective action plan as it relates to MEQC findings.

Need help piloting your state’s PERM review process?

BerryDunn has subject matter experts experienced in conducting PERM reviews, including a thorough understanding of all three PERM review components—eligibility, data processing, and medical record reviews. 

We would love to work with your state to see that measures are in place that will help ensure the lowest possible improper payment error rate. Stay tuned for upcoming blogs where we will discuss other PERM topics, including MEQC requirements, the financial impacts of PERM, and additional details related to each phase of PERM. For questions or to find out more, please email me.
 

Article
PERM: Prepared or not prepared?

Is your Women, Infants, and Children (WIC) agency struggling with Maintenance and Enhancement (M&E) vendor management? Here are some approaches to help improve your situation: 

  • Product Management Office (PdMO): Product management can help you manage your WIC system by coordinating and planning releases with the M&E vendor, prioritizing enhancements, reviewing workflows, and providing overall vendor management.
  • Project Management Office (PMO): Project management can help with budgeting, resource management, risk management, and organization. 
  • A blend of product and project management is a great partnership that can relieve some of the responsibilities of WIC agency staff and allows a third party to provide support in all areas of product and project management.

Whether you are an independent WIC State Agency (SA) or a multi-state consortium (MSC), having a PMO and/or PdMO can help alleviate some of the challenges facing WIC today. While an MSC may present significant cost savings, managing an M&E contract for multiple states can be overwhelming. Independent state agencies (SAs) may not have multiple states to coordinate with, but having the staff resources for vendor facilitation and implementing federal changes can be challenging. A PMO/PdMO can aid in improving business and technology outcomes for SAs and MSCs by bringing a level of coordination and consistency that otherwise might not happen. 

As federal changes grow in complexity, evidenced by the many changes to WIC stemming from the American Rescue Plan Act, coupled with workforce challenges in government, the importance of a PMO/PdMO has never been greater. Here are six ways a PMO/PdMO can help you:

  1. Facilitate the vendor relationship
    A PMO/PdMO not only holds the vendor accountable but also takes some of the workload off the SA by facilitating meetings, providing meeting notes, and tracking action items and decisions.
  2. Manage centrally located data
    A PMO/PdMO keeps all documents and data in a centralized location, fostering a collaborative environment and ease of access to needed information. A centralized location of data allows SAs to be on the same page for consistency, quality control, and to support the state’s need for clean, reliable information that is current and accurate.
  3. Track and mitigate risks 
    Effective risk management requires a substantial commitment of time and resources. The PMO/PdMO identifies, tracks, and assesses the severity of risks and suggests approaches to manage those risks. Some PMO/PdMOs assess all risks based on a severity index to help clients determine which risks need immediate action and which need monitoring.
  4. Assist in the creation of Implementation Advanced Planning Document Updates (IAPDUs)
    Creating and implementing an IAPDU can be time-consuming and confusing, and it requires attention to detail. A PMO/PdMO alleviates time and pressure on SAs by helping to ensure that an IAPDU or funding request clearly outlines a plan of action to accomplish the activities necessary to reach an organization’s goal. PMO/PdMOs can draft IAPDUs to determine the need, feasibility, and projected costs and benefits for service.
  5. Provide an unbiased, third-party opinion 
    A PMO/PdMO will offer an unbiased, third-party opinion to help avoid misunderstanding and frustration, decision stalemates, inadequate solutions, and unpleasant relationships between WIC agencies and M&E vendors. 
  6. Provide the right combination of business and technical expertise
    Staffing challenges (exacerbated by COVID-19), difficulties finding expertise managing software change management for WIC, and a retiring workforce knowledgeable in WIC system implementation have in some cases left SAs without critical resources. Having the right combination of skills from a third party can resolve some of these challenges.

Independent SAs or MSCs would benefit from having a PMO/PdMO to help meet the challenges WIC agencies face today, whether it is an unplanned funding change or updates to the risk codes. With the help of a PMO/PdMO developing standard practices and methodologies, SAs and MSCs can deliver and implement high-quality services more consistently and efficiently. The role of the PMO/PdMO is far-reaching and positively impacts WIC by providing backbone support for WIC’s overarching goal, to “safeguard the health of low-income women, infants, and children who are at nutrition risk.”

If you have questions about PMOs or PdMOs and the impact they can have on your agency, please contact us. We're here to help.

Article
Product Management Office: Benefits for WIC state agencies

Read this if you are a behavioral health agency leader looking for solutions to manage mental health, substance misuse, and overdose crises.

As state health departments across the country continue to grapple with rising COVID-19 cases, stalling vaccination rates, and public health workforce burnout, other crises in behavioral health may be looming. Diverted resources, disruption in treatment, and the mental stress of the COVID-19 pandemic have exacerbated mental health disorders, substance use, and drug overdoses.

State agencies need behavioral health solutions perhaps now more than ever. BerryDunn works with state agencies to mitigate the challenges of managing behavioral health and implement innovative strategies and solutions to better serve beneficiaries. Read on to understand how conducting a needs assessment, redesigning processes, and/or establishing a strategic plan can amplify the impact of your programs. 

Behavioral health in crisis

The prevalence of mental illness and substance use disorders has steadily increased over the past decade, and the pandemic has exacerbated these trends. A number of recently released studies show increases in symptoms of anxiety, depression, and suicidal ideation. One CDC study indicates that in June 2020 over 40% of adults reported an adverse mental or behavioral health condition, which includes about 13% who have started or increased substance use to cope with stress or emotions related to COVID-19.[1]

The toll on behavioral health outcomes is compounded by the pandemic’s disruption to behavioral health services. According to the National Council for Behavioral Health, 65% of behavioral health organizations have had to cancel, reschedule, or turn away patients, even as organizations see a dramatic increase in the demand for services.[2, 3] Moreover, treatment facilities and harm reduction programs across the country have scaled back services or closed entirely due to social distancing requirements, insufficient personal protective equipment, budget shortfalls, and other challenges.[4] These disruptions in access to care and service delivery are having a severe impact.

Several studies indicate that patients report new barriers to care or changes in treatment and support services after the onset of the pandemic.[5, 6] Barriers to care are particularly disruptive for people with substance use disorders. Social isolation and mental illness, coupled with limited treatment options and harm reduction services, create a higher risk of suicide ideation, substance misuse, and overdose deaths.

For example, the opioid epidemic was still surging when the pandemic began, and rates of overdose have since spiked or elevated in every state across the country.[7] After a decline of overdose deaths in 2018 for the first time in two decades, the CDC reported 81,230 overdose deaths from June 2019 to May 2020, the highest number of overdose deaths ever recorded in a 12-month period.[8]

These trends do not appear to be improving. On October 3, the CDC reported that from March 2020 to March 2021, overdose deaths have increased 29.6% compared to the previous year, and that number will only continue to climb as more data comes in.[9]

As the country continues to experience an increase in mental illness, suicide, and substance use disorders, states are in need of capacity and support to identify and/or implement strategies to mitigate these challenges. 

Solutions for state agencies

Behavioral health has been recognized as a priority issue and service area that will require significant resources and innovation. In May, the US Department of Health and Human Services' (HHS) Secretary Xavier Becerra reestablished the Behavioral Health Coordinating Council to facilitate collaborative, innovative, transparent, equitable, and action-oriented approaches to address the HHS behavioral health agenda. The 2022 budget allocates $1.6 billion to the Community Mental Health Services Block Grant, which is more than double the Fiscal Year (FY) 2021 funding and $3.9 billion more than in FY 2020, to address the opioid epidemic in addition to other substance use disorders.[10]

As COVID-19 continues to exacerbate behavioral health issues, states need innovative solutions to take on these challenges and leverage additional federal funding. COVID-19 is still consuming the time of many state leaders and staff, so states have a limited capacity to plan, implement, and manage the new initiatives to adequately address these issues. Here are three ways health departments can capitalize on the additional funding.

Conduct a needs assessment to identify opportunities to improve use of data and program outcomes

Despite meeting baseline reporting requirements, state agencies often lack sufficient quality data to assess program outcomes, identify underserved populations, and obtain a holistic view of the comprehensive system of care for behavioral health services. Although state agencies may be able to recognize challenges in the delivery or administration of behavioral health services, it can be difficult to identify solutions that result in sustained improvements.

By performing a structured needs assessment, health departments can evaluate their processes, systems, and resources to better understand how they are using data, and how to optimize programs to tailor behavioral health services and promote better health outcomes and a more equitable distribution of care. This analysis provides the insight for agencies to understand not only the strengths and challenges of the current environment, but also the desires and opportunities for a future solution that takes into account stakeholder needs, best practice, and emerging technologies. 

Some of the benefits we have seen our clients enjoy as a result of performing a needs assessment include: 

  • Discovering and validating strengths and challenges of current state operations through independent evaluation
  • Establishing a clear roadmap for future business and technological improvements
  • Determining costs and benefits of new, alternative, or enhanced systems and/or processes
  • Identifying the specific business and technical requirements to achieve and improve performance outcomes 

Timely, accurate, and comprehensive data is critical to improving behavioral health outcomes, and the information gathered during a needs assessment can inform further activities that support programmatic improvements. Further activities might include conducting a fit-gap analysis, performing business process redesign, establishing a prioritization matrix, and more. By identifying the greatest needs and implementing plans to address them, state agencies can better handle the impact on behavioral health services resulting from the COVID-19 pandemic and serve individuals with mental health or substance use disorders more efficiently and effectively.

Redesign processes to improve how individuals access treatment and services

Despite the availability of behavioral health services, inefficient business and technical processes can delay and frustrate individuals seeking care and, in some cases, make them stop seeking care altogether. With limited resources and increasing demands, behavioral health agencies should analyze and redesign workflows to maximize efficiency, security, and efficacy. Here are a few examples of process improvements states can achieve through process redesign:

  • Streamlined data processes to reduce duplicative data entry 
  • Automated and aligned manual data collection processes 
  • Integrated siloed health information systems
  • Focused activities to maximize staff strengths
  • Increased process transparency to improve communication and collaboration 

By placing the consumer experience at the core of all services, state health departments can redesign business and technical processes to optimize the continuum of care. A comprehensive approach takes into account all aspects that contribute to the delivery of behavioral health services, including both administrative and financial processes. This helps ensure interconnected activities continue to be performed efficiently and effectively. Such improvements help consumers with co-occurring disorders (mental illness and substance use disorder) and/or developmental disorders find “no wrong door” when seeking care. 

Establish a strategic plan of action to address the impact of the COVID-19 pandemic

With the influx of available dollars resulting from the American Recovery Plan Act and other state and federal investments, health departments have a unique opportunity to fund specific initiatives to enhance the delivery and administration of behavioral health services. Understanding how to allocate the millions of newly awarded dollars in an impactful and sustainable way can be challenging. Furthermore, the additional reporting and compliance requirements linked to the funding can be difficult to navigate in addition to current monitoring obligations. 

The best way to begin using the available funding is to develop and implement strategic plans that optimize funds for behavioral health programs and services. You can establish priorities and identify sustainable solutions that build capacity, streamline operations, and promote the equitable distribution of care across populations. A few of the activities state health departments have undertaken resulting from the strategic planning initiatives include: 

  • Modernizing IT systems, including data management solutions and Electronic Health Records systems to support inpatient, outpatient, and community mental health and substance use programs 
  • Promoting organizational change management 
  • Establishing grant programs for community-driven solutions to promote health equity for the underserved population
  • Organizing, managing, and/or supporting stakeholder engagement efforts to effectively collaborate with internal and external stakeholders for a strong and comprehensive approach

The prevalence of mental illness and substance use disorder were areas of concern prior to COVID-19, and the pandemic has only made these issues worse, while adding more administrative challenges. State health departments have had to redirect their existing staff to work to address COVID-19, leaving a limited capacity to manage existing state-level programs and little to no capacity to plan and implement new initiatives. 

The federal administration and HHS are working to provide financial support to states to work to address these exacerbated health concerns; however, with the limited state capacity, states need additional support to plan, implement, and/or manage new initiatives. BerryDunn has a wide breadth of knowledge and experience in conducting needs assessments, redesigning processes, and establishing strategic plans that are aimed at amplifying the impact of state programs. Contact our behavioral health consulting team to learn more about how we can help. 

Sources:
Mental Health, Substance Use, and Suicidal Ideation During the COVID-19 Pandemic, CDC.gov
COVID-19 Pandemic Impact on Harm Reduction Services: An Environmental Scan, thenationalcouncil.org
National Council for Behavioral Health Polling Presentation, thenationalcouncil.org
The Impact of COVID-19 on Syringe Services Programs in the United States, nih.gov
COVID-19 Pandemic Impact on Harm Reduction Services: An Environmental Scan, thenationalcouncil.org
COVID-19-Related Treatment Service Disruptions Among People with Single- and Polysubstance Use Concerns, Journal of Substance Abuse Treatment
Issue Brief: Nation’s Drug-Related Overdose and Death Epidemic Continues to Worsen, American Medical Association
Increase in Fatal Drug Overdoses Across the United States Driven by Synthetic Opioids Before and During the COVID-19 Pandemic, CDC.gov
Provisional Drug Overdose Death Counts, CDC.gov
Fiscal Year 2022 Budget in Brief: Strengthening Health and Opportunity for All Americans, HHS.gov

Article
COVID's impact on behavioral health: Solutions for state agencies

Read this if you are responsible for cybersecurity at your organization. 

During the financial audit process, auditors are required to develop and confirm their understanding of Information Technology (IT) and cybersecurity practices as they relate to financial reporting, both to better understand risks and because of auditors’ heavy reliance on data pulled from accounting information systems. As auditors, we have seen a significant increase in the number of impactful incidents affecting not-for-profit organizations, and our IT security experts often share valuable advisory comments in annual audit communications with our clients. With recent incidents and a very rapidly changing business environment, here are the three most important comments from the last six months that impact all not-for-profits.

Board oversight of cybersecurity 

Cybersecurity gaps within an organization’s systems may lead to risk exposure and have material impacts on all aspects of operations. Responsibility for cybersecurity controls and for establishing a culture of awareness and security should come from the Board and senior leadership. Board members and senior leaders should stay apprised of cybersecurity efforts on a regular basis and incidents should be summarized and reported on a quarterly basis. 

The Board should also consider adding a member who is a professional with IT and cybersecurity experience to help manage and understand the specific risks to the organization and help drive and support cybersecurity efforts.

Ransomware threats and preventive controls

The use of ransomware as a profitable attack on organizations by hackers continues to rapidly increase. Within the last year there have been multiple high-profile incidents that illustrate the impact of a successful attack. These impacts fall into two main areas. One impact may be financial, as millions of dollars are paid to the bad actors as ransom in hopes of being able to regain control of systems. The second impact is operational, resulting in a loss of control of systems and data during the event. Potentially, an unsuccessful data restoration could result in the total loss of information and data maintained on your networks. 

Though no organization may be able to prevent a ransomware attack from occurring entirely, there are basic cybersecurity controls that help reduce the likelihood and impact of an attack. Preventive controls may include: 

  • Security awareness training on phishing emails and overall IT security practices for all organization users
  • Multi-factor authentication 
  • Access controls that prevent users from installing unapproved software onto organization-owned workstations and networks
  • Anti-malware software installed on devices that connect to organization systems 
  • Use of Zero Trust data management tools for backups
  • Disabling macros in email attachments (prevents back-end processes from running automatically)

In addition to adding these preventive controls to your cybersecurity program, your organization should assess the corrective controls already in place to react to a ransomware event if one is detected or reported. Corrective controls may include:

  • Disaster recovery plans/business continuity plans 
  • Incident response plans
  • Backup controls and restoration tests 

As the risk of ransomware continues to increase and attacks continue to grow in sophistication, your organization should consider regular assessments of IT controls and cybersecurity practices. Such assessments may be performed in conjunction with annual financial statement audits as an expanded scope and/or as a separate annual IT assessment.

COVID-19 IT considerations 

The global COVID-19 pandemic significantly impacted nearly every aspect of modern life, including the way we work. As personnel were sent home and literally became a remote workforce overnight, IT systems and controls were rapidly adjusted to accommodate this new way of doing business.

Where controls and procedures were adjusted, if not suspended, your organization should review those changes and determine if controls should revert to the pre-pandemic process or be formally changed and documented as policy.

Guidance from the American Institute of Certified Public Accountants (AICPA) dictates that a gap in controls associated with the pandemic is not a legitimate reason for not completing a control and that any changes must be documented and properly managed.  

Well over a year into the pandemic, the concept of a hybrid workforce has emerged as the predominant way employees and businesses want to work. Your organization should review current policies and procedures that may pre-date the pandemic to ensure that the updates both document and consider the current business environment. 

Additionally, with personnel working remotely or in a hybrid model, or a combination of both, you should assess practices for managing remote access and a hybrid workforce and, where needed, implement industry best-practice tools and procedures to accommodate a remote workforce while maintaining security controls. If you have questions regarding your cybersecurity procedures or want to learn more, please contact our team. We’re here to help.
 

Article
Cybersecurity update for organizations: Considerations for boards and senior management

Read this if you are a Chief Financial Officer, Chief Compliance Officer, FINOP, or charged with governance of a broker-dealer.

The results of the Public Company Accounting Oversight Board’s (PCAOB) 2020 inspections are included in its 2020 Annual Report on the Interim Inspection Program Related to Audits of Brokers and Dealers. There were 65 audit firms inspected in 2020 by the PCAOB and, although deficiencies declined 11% from 2019, 51 firms still had deficiencies. This high level of deficiencies, as well as the nature of the deficiencies, provides insight into audit quality for broker-dealer stakeholders. Those charged with governance should be having conversations with their auditor to see how they are addressing these commonly found deficiencies and asking if the PCAOB identified any deficiencies in the auditor’s most recent examination. 

If there were deficiencies identified, what actions have been taken to eliminate these deficiencies going forward? Although the annual report on the Interim Inspection Program acts as an auditor report card, the results may have implications for the broker-dealer, as gaps in audit quality may mean internal control weaknesses or misstatements go undetected.

Attestation Standard (AT) No. 1 examination engagements test compliance with the financial responsibility rules and the internal controls surrounding compliance with the financial responsibility rules. The PCAOB examined 21 of these engagements and found 14 of them to have deficiencies. The PCAOB continued to find high deficiency rates in testing internal control over compliance (ICOC). They specifically found that many audit firms did not obtain sufficient, appropriate evidence about the operating effectiveness of controls important to the auditor’s conclusions regarding the effectiveness of ICOC. This insufficiency was widespread in all four areas of the financial responsibility rules: the Reserve Requirement rule, possession or control requirements of the Customer Protection Rule, Account Statement Rule, and the Quarterly Security Counts Rule.

The PCAOB also identified a firm that included a statement in its examination report that referred to an assertion by the broker-dealer that its ICOC was effective as of its fiscal year-end; however, the broker-dealer did not include that required assertion in its compliance report.

AT No. 2 review engagements test compliance with the broker-dealer’s exemption provisions. The PCAOB examined 83 AT No. 2 engagements and found 19 of them to have deficiencies. The most significant deficiencies were that audit firms:

  • Did not make required inquiries, including inquiries about controls in place to maintain compliance with the exemption provisions, and those involving the nature, frequency, and results of related monitoring activities.
  • Similar to AT No. 1 engagements, included a statement in their review reports that referred to an assertion by the broker-dealer that it met the identified exemption provisions throughout the most recent fiscal year without exception; however, the broker-dealers did not include that required assertion in their exemption reports.

The majority of the deficiencies found were in the audits of the financial statements. The PCAOB did not examine every aspect of the financial statement audit, but focused on key areas. These areas were: revenue, evaluating audit results, identifying and assessing risks of material misstatement, related party relationships and transactions, receivables and payables, consideration of an entity’s ability to continue as a going concern, consideration of materiality in planning and performing an audit, leases, and fair value measurements. Of these areas, revenue and evaluating audit results had the most deficiencies, with 45 and 27 deficiencies, or 47% and 26% of engagements examined, respectively.

Auditing standards indicate there is a rebuttable presumption that improper revenue recognition is a fraud risk. In the PCAOB’s examinations, most audit firms either identified a fraud risk related to revenue or did not rebut the presumption of revenue recognition as a fraud risk. These firms should have addressed the risk of material misstatement through appropriate substantive procedures that included tests of details. The PCAOB noted there were instances of firms that did not perform any procedures for one or more significant revenue accounts, or did not perform procedures to address the assessed risks of material misstatement for one or more relevant assertions for revenue. The PCAOB also identified deficiencies related to revenue in audit firms’ sampling methodologies and substantive analytical procedures. Other deficiencies of note, that were not revenue related, included:

  • Incomplete qualitative and quantitative disclosure information, specifically with regard to revenue from contracts with customers and leases.
  • Missing required elements from the auditor’s report.
  • Missing auditor communications:
    • Not inquiring of the audit committee (or equivalent body) about whether it was aware of matters relevant to the audit.
    • Not communicating the audit strategy and results of the audit to the audit committee (or equivalent body).
  • Engagement quality reviews were not performed for some audit and attestation engagements.
  • Audit firms assisted in the preparation of broker-dealer financial statements and supplemental information.

Although there have been improvements in the number of deficiencies found in the PCAOB’s examinations, the 2020 annual report shows that there is still work to be done by audit firms. Just as auditors should be inquiring of broker-dealer clients about the results of their most recent FINRA examination, broker-dealers should be inquiring of auditors about the results of their most recent PCAOB examination. Doing so will help broker-dealers identify where their auditor may reside on the audit quality spectrum. If you have any questions, please don’t hesitate to reach out to our broker-dealer services team.

Article
2020 Annual Report on the Interim Inspection Program Related to Audits of Brokers and Dealers

Read this if you have not yet reported for Phase 1.

Phase 1 provider relief reporting portal

HRSA opened the Provider Relief Funds (PRF) reporting portal on July 1, 2021, for Phase 1 PRF reporting. In Phase 1, providers will be reporting on the use of PRF received prior to June 30, 2020. While Phase 1 reporting was originally due September 30, 2021, HRSA has provided a 60-day grace period for the reporting period. Providers will be considered out of compliance with the reporting requirements if they do not submit reporting by November 30, 2021. Providers can submit their reporting on the Provider Relief Fund portal. Please note:

  1. Providers must register for the reporting portal, as this is not the same portal as the application and attestation portal. The portal registration must be completed in one session. Follow the link to the Portal Registration User guide
  2. Providers can only report on eligible lost revenues and expenditures related to payments received before June 30, 2020. Providers are not yet allowed to report on payments received subsequent to June 30, 2020. See the June 11, 2021 Reporting Requirements Notice for more detail on reporting requirements.
  3. The period of availability for Phase 1 lost revenues and eligible expenditures is January 1, 2020 through June 30, 2021.
  4. It is extremely helpful to complete the HRSA provider portal worksheets prior to beginning the portal data entry. 
  5. Providers should return unused funds as soon as possible after submitting their report. All unused funds must be returned no later than 30 days after the end of the grace period (December 31, 2021).
  6. Provider Relief Funds are considered federal awards under Assistance Listing Number (ALN) 93.948. Providers, both for-profit and not-for-profit, may be subject to a Uniform Guidance Audit if they expend more than $750,000 of federal awards during the provider’s fiscal year. 
  7. Providers are able to retrieve their data submission from the portal if a copy was not retained during the submission process.

Your BerryDunn Hospital team is here to help you navigate the Provider Relief Fund reporting and compliance requirements. Please contact us if you have any questions or would like to talk about your specific situation. 

Article
Provider Relief Funds: Highlights

Read this if you are not familiar with the expansion of eligibility for employee retention credits (ERC).

Are you familiar with the IRS’ recent additional, taxpayer-friendly guidance that provides some clarity in claiming the employee retention credit (ERC)? 

Employee Retention Credits in the CARES Act: Background

Congress originally enacted the ERC in the CARES Act in March of 2020 to encourage employers to hire and retain employees during the pandemic. At that time, the ERC applied to wages paid after March 12, 2020 and before January 1, 2021. However, Congress later modified and extended the ERC to apply to wages paid before July 1, 2021. Then with the American Rescue Plan Act (ARPA) signed into law on March 11, 2021, the ERC was modified to apply to wages paid through December 31, 2021. The recently passed infrastructure bill eliminates the ERC for the quarter ending December 31, 2021.

The rules are complex but there may be some limited ability for your organization to benefit, based on some late changes to the rules. Originally, taxpayers who received PPP loans were not eligible, but the rules changed and now provide that employers who received PPP loans may qualify for the ERC with respect to wages that were not paid for with proceeds from a forgiven PPP loan. This change is retroactive to March 12, 2020. 

The ERC is a refundable payroll tax credit for wages paid and health coverage provided by an employer whose operations were either fully or partially suspended due to COVID-related governmental order or that experienced a significant reduction in gross receipts.  

Regarding the reduction in gross receipts, for any quarter in 2020, a greater than 50% reduction in gross receipts is required during the calendar quarter compared to the same quarter of 2019 in order to qualify. For 2021, the eligibility threshold for employers is reduced from a greater than 50% to a greater than 20% decline in gross receipts for the same quarter of 2019 in order to qualify for the ERC for any quarter. There is an alternative quarter election for 2021 that allows employers to use prior quarter gross receipts compared to the same quarter for 2019 to determine eligibility. For example, for the first calendar quarter of 2021, an employer may elect to use its gross receipts for the fourth quarter of 2020 compared to those for the fourth calendar quarter of 2019 to determine if the decline in gross receipts test is met.

The IRS recently clarified that in determining gross receipts an employer does not need to include forgiven PPP loans, shuttered venue operator grants, or restaurant revitalization grants as gross receipts. Gross receipts for exempt organizations are calculated in the same manner as gross receipts on page 1 of Form 990 in Box G, which includes proceeds from the sales of investments as well as all contribution, program and investment revenue.

The amount of the credit can be substantial. For 2020, the credit is 50% of the first $10,000 of qualified wages per employee for the qualifying period beginning as early as March 12, 2020 and ending December 31, 2020 (thus the max credit per employee is $5,000 in 2020). For 2021, the credit is 70% of the first $10,000 of qualified wages per employee, per qualifying quarter (thus the potential max credit is $21,000 per employee in 2021).  

For 2021, employers with 500 or fewer full-time employees in 2019 may include all wages and health plan expenses as qualified wages. For 2020, employers with 100 or fewer full-time employees in 2019 may include all wages and health plan expenses as qualified wages while employers with more than 100 full-time employees in 2019 may only claim the credit for qualified wages paid to employees who did not provide services. For purposes of determining full-time employees, an employer only needs to include those that work 30 hours a week or 130 hours a month in the calculation. Part-time employees working less than this would not be considered in the employee count.

There is additional interplay between claiming the ERC and the wages used for PPP loan forgiveness that will need to be considered.  

What should you do now? 

It makes sense to determine your eligibility for the ERC. We recommend that you compile your business gross receipts by calendar quarter for 2019, 2020, and the first three quarters of 2021. Let us know if you want a template to do this. We can then help you evaluate whether you have any quarters where you might qualify for the ERC.  

Keep in mind that if your business operations were either fully or partially suspended due to a COVID-related government order then you will likely already qualify for that quarter but the eligible wages will only be for the wages paid during the shutdown period.  

Please let us know if you have any questions or need any assistance.

Article
CARES Act: Eligibility for employee retention credits