
Perspectives of an
Ex-CIO

05.24.19

Focus on the people: How higher ed institutions can successfully make an ERP system change

The enterprise resource planning (ERP) system is the heart of an institution’s business, maintaining all aspects of day-to-day operations, from student registration to staff payroll. Many institutions have used the same ERP systems for decades and face challenges to meet the changing demands of staff and students. As new ERP vendors enter the marketplace with new features and functionality, institutions are considering a change. Some things to consider:

  1. Don’t just focus on the technology and make change management an afterthought. Transitioning to a new ERP system takes considerable effort, and has the potential to go horribly wrong if sponsorship, good planning, and communication channels are not in place. The new technology is the easy part of a transition—the primary challenge is often rooted in people’s natural resistance to change.  
  2. Overcoming resistance to change requires a thoughtful and intentional approach that focuses on change at the individual level. Understanding this helps leadership focus their attention and energy to best raise awareness and desire for the change.
  3. One effective tool that provides a good framework for successful change is the Prosci ADKAR® model. This framework has five distinct phases that align with ERP change:

These phases provide an approach for developing activities for change management, preparing leadership to lead and sponsor change and supporting employees through the implementation of the change.

The three essential steps to leveraging this framework:

  1. Perform a baseline assessment to establish an understanding of how ready the organization is for an ERP change
  2. Provide sponsorship, training, and communication to drive employee adoption
  3. Prepare and support activities to implement, celebrate, and sustain participation throughout the ERP transition

Following this approach with a change management framework such as the Prosci ADKAR® model can help an organization prepare, guide, and adopt ERP change more easily and successfully. 

If you’re considering a change, but need to prepare your institution for a healthy ERP transition using change management, chart yourself on this ADKAR framework—what is your organization’s change readiness? Do you have appropriate buy-in? What problems will you face?

You now know that this framework can help your changes stick, and have an idea of where you might face resistance. We’re certified Prosci ADKAR® practitioners and have experience guiding Higher Ed leaders like you through these steps. Get in touch—we’re happy to help and have the experience and training to back it up. Please contact the team with any questions you may have.

1 Prosci ADKAR® from http://www.prosci.com


Read this if you are a CIO, CFO, Provost, or President at a higher education institution.

In my conversations with CIO friends over the past weeks, it is obvious that the COVID-19 pandemic has forced a lot of change for institutions. Information technology is the underlying foundation for supporting much of this change, and as such, IT leaders face a variety of new demands now and into the future. Here are important considerations going forward.

Swift impact to IT and rapid response

The COVID-19 pandemic has had a significant impact on higher education. At the onset of this pandemic, institutions found themselves quickly pivoting to work from home (WFH), remote campus operations, and remote instruction within a few weeks and, in some cases, a few days. Most CIOs I spoke with indicated that they were prepared, to some extent, thanks to Cloud services and online class offerings already in place—it was mostly a matter of scaling the services across the entire campus and being prepared for returning students and faculty on the heels of an extended spring break.

Services that were not in place required creative and rapid deployment to meet the new demand. For example, one CIO mentioned the capability to have staff accept calls from home. The need for softphones to accommodate student service and helpdesk calls at staff homes required rapid purchase, deployment, and training.

Most institutions have laptop loan programs in place but not scaled to the size needed during this pandemic. Students who choose to attend college on campus are now forced to attend school from home and may not have the technology they need. The need for laptop loans increased significantly. Some institutions purchased and shipped laptops directly to students’ homes. 

CIO insights about people

CIOs shared seeing positive outcomes with their staff. Almost all of the CIOs I spoke with mentioned how the pandemic has spawned creativity and problem solving across their organizations. In some cases, past staffing challenges were put on hold as managers and staff have stepped up and engaged constructively. Some other positive changes shared by CIOs:

  • Communication has improved—a more intentional exchange, a greater sense of urgency, and problem solving have created opportunities for staff to get engaged during video calls.
  • Teams focusing on high priority initiatives and fewer projects have yielded successful results. 
  • People feel a stronger connection with each other because they are uniting behind a common purpose.

Perhaps this has reduced the noise that most staff seem to hear daily about competing priorities and incoming requests that seem to never end.

Key considerations and a framework for IT leaders 

It is too early to fully understand the impact on IT during this phase of the pandemic. However, we are beginning to see budgetary concerns that will impact all institutions in some way. As campuses work to get their budgets settled, cuts could affect most departments—IT included. In light of the increased demand for technology, cuts could be less than anticipated to help ensure critical services and support are uninterrupted. Other future impacts to IT will likely include:

  • Support for a longer term WFH model and hybrid options
  • Opportunities for greater efficiencies and possible collaborative agreements between institutions to reduce costs
  • Increased budgets for online services, licenses, and technologies
  • Need for remote helpdesk support, library services, and staffing
  • Increased training needs for collaborative and instructional software
  • Increased need for change management to help support and engage staff in the new ways of providing services and support
  • Re-evaluation of organizational structure and roles to right-size and refocus positions in a more virtual environment
  • Security and risk management implications with remote workers
    • Accessibility to systems and classes 

IT leaders should examine these potential changes over the next three to nine months using a phased approach. The diagram below describes two phases of impact and areas of focus for consideration. 

Higher Education IT Leadership Phases

As IT leaders continue to support their institutions through these phases, focusing on meeting the needs of faculty, staff, and students will be key in the success of their institutions. Over time, as IT leaders move from surviving to thriving, they will have opportunities to be strategic and create new ways of supporting teaching and learning. While it remains to be seen what the future holds, change is here. 

How prepared are you to support your institution? 

If we can help you navigate through these phases, have perspective to share, or any questions, please contact us. We’re here to help.

Article
COVID-19: Key considerations for IT leaders in Higher Ed

Editor’s note: If you are a higher education CFO, CIO, CTO or other C-suite leader, this blog is for you.

The Gramm-Leach-Bliley Act (GLBA) has been in the news recently as the Federal Trade Commission (FTC) has agreed to extend a deadline for public comment regarding proposed changes to the Safeguards Rule. Here’s what you need to know.

GLBA, also known as the Financial Modernization Act, is a 1999 federal law providing rules to financial institutions for protecting consumer information. Colleges and universities fall under this act because they conduct financial activities (e.g., administration of financial aid, loans, and other financial services).

Under the Safeguards Rule, financial institutions must develop, implement, and maintain a comprehensive information security program that consists of safeguards to handle customer information.

Proposed changes

The FTC is proposing five modifications to the Safeguards Rule. The new act will:

  • Provide more detailed guidance to impacted institutions regarding how to develop and implement specific aspects of an overall information security program.
  • Improve the accountability of an institution’s information security programs.
  • Exempt small businesses from certain requirements.
  • Expand the definition of “financial institutions” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities.
  • Propose to include the definition of “financial institutions” and related examples in the rule itself rather than cross-reference them from a related FTC rule (Privacy of Consumer Financial Information Rule).

Potential impacts for your institution

The Federal Register, Volume 84, Number 65, published the notice of proposed changes that, once approved by the FTC, would add more prescriptive rules that could have a significant impact on your institution. For example, these rules would require institutions to:

  1. Expand existing security programs with additional resources.
  2. Produce additional documentation.
  3. Create and implement additional policies and procedures.
  4. Offer various forms of training and education for security personnel.

The proposed rules could require institutions to increase their commitment in time and staffing, and may create hardships for institutions with limited or challenging resources.

Prepare now

While these changes are not final and the FTC is requesting public comment, here are some things you can do to prepare for these potential changes:

  • Evaluate whether your institution is compliant with the current Safeguards Rule.
  • Identify gaps between current status and proposed changes.
  • Perform a risk assessment.
  • Ensure there is an employee designated to lead the information security program.
  • Monitor the FTC site for final Safeguards Rule updates.

In the meantime, reach out to us if you would like to discuss the impact GLBA will have on your institution or if you would like assistance with any of the recommendations above. You can view a comprehensive list of potential changes here.

Source: Federal Trade Commission. Safeguards Rule. Federal Register, Vol. 84, No. 65. FTC.gov. April 4, 2019. https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/safeguards-rule

Article
Higher ed: GLBA is the new four-letter word, but it's not as bad as you think

In light of the recent cyberattacks in higher education across the US, more and more institutions are finding themselves no longer immune to these activities. Security by obscurity is no longer an effective approach—all institutions are potential targets. Colleges and universities must take action to ensure processes and documentation are in place to prepare for and respond appropriately to a potential cybersecurity incident.

BerryDunn’s Rick Gamache recently published several blog articles on incident response that are relevant to the recent cyberattacks. Below I have provided several of his points tailored to higher education leaders to help them prepare for cybersecurity incidents at their institutions.

What are some examples of incidents that managers need to prepare for?

Examples range from external breaches and insider threats to instances of malfeasance or incompetence. Different types of incidents lead to the same types of results—yet you can’t have a broad view of incidents. Managers should work with their teams to create incident response plans that reflect the threats associated with higher education institutions. A handful of general incident response plans isn’t going to cut it.

Managers need to work with their teams to develop a specific incident response plan for each specific type of incident. Why? Well, think of it this way: Your response to a careless employee should be different from your response to a malicious employee, for a whole host of legal reasons. Incident response is not a cookie-cutter process. In fact, it is quite the opposite. This is one of the reasons I highly suggest security teams include staff members outside of IT. When you’re responding to incidents, you want people who can look at a problem or situation from an external perspective, not just a technical or operational perspective within IT. These team members can help answer questions such as, what does the world see when they look at our institution? What institutional information might be valuable to, or targeted by, malicious actors? You’ll get some valuable fresh perspectives.

How short or long should the typical incident response plan be?

I often see good incident response plans no more than three or four pages in length. However, it is important that incident response plans are task oriented, so that it is clear who does what next. And when people follow an incident response plan, they should physically or digitally check off each activity, then record each activity.

What system or software do you recommend for recording incidents and responses?

There are all types of help desk software you can use, including free and open source software. I recommend using help desk software with workflow capabilities, so your team can assign and track tasks.

Any other tips for developing incident response plans?

First, managers should work with, and solicit feedback from across the academic and administrative areas within the institution when developing incident response plans. If you create these documents in a vacuum, they will be useless.

Second, managers and their teams should take their time and develop the most “solid” incident response plans possible. Don’t rush the process. The effectiveness of your incident response plans will be critical in assessing your institution’s ability to survive a breach. Because of this, you should be measuring your response plans through periodic testing, like conducting tabletop exercises.

Third, keep your students and external stakeholders in mind when developing these plans. You want to make sure external communications are consistent, accurate, and within the legal requirements for your institution. The last thing you want is students and stakeholders receiving conflicting messages about the incident. 

Are there any decent incident response plans in the public domain that managers and their teams can adapt for their own purposes?

Yes. My default reference is the National Institute of Standards and Technology (NIST). NIST has many special publications that describe the incident response process, how to develop a solid plan, and how to test your plan.

Should institutions have dedicated incident response teams?

Definitely. Institutions should identify and staff teams using internal resources. Some institutions may want to consider hiring a reputable third party to act as an incident response team. The key with hiring a third party? Don’t wait until an incident occurs! If you wait, you’re going to panic, and make panic-based decisions. Be proactive and hire a third party on retainer.

That said, institutions should consider hiring a third party on an annual basis to review incident response plans and processes. Why? Because every institution can grow complacent, and complacency kills. A third party can help gauge the strengths and weaknesses of your internal incident response teams, and provide suggestions for general or specific training. A third party can also educate your institution about the latest and greatest cyber threats.

Should managers empower their teams to conduct internal “hackathons” in order to test incident response?

Sure! It’s good practice, and it can be a lot of fun for team members. There are a few caveats. First, don’t call it a hackathon. The word can elicit negative or concerned reactions. Call it “active testing” or “continuous improvement exercises.” These activities allow team members to think creatively, and are opportunities for them to boost their cybersecurity knowledge. Second, be prepared for pushback. Some managers worry if team members gain more cybersecurity skills, then they’ll eventually leave the institution for another, higher-paying job. I think you should be committed to the growth of your team members―it’ll only make your institution more secure.

What are some best practices managers should follow when reporting incidents to their leadership?

Keep the update quick, brief, and to the point. Leave all the technical jargon out, and keep everything in an institutional context. This way leadership can grasp the ramifications of the event and understand what matters. Be prepared to outline how you’re responding and what actions leadership can take to support the incident response team and protect the institution. In the last chapter, I mentioned what I call the General Colin Powell method of reporting, and I suggest using that method when informing leadership. Tell them what you know, what you don’t know, what you think, and what you recommend. Have answers, or at least a plan.

How much institution-wide communication should there be about incidents?

That’s a great question, but a tough one to answer. Transparency is good, but it can also unintentionally lead to further incidents. Do you really want to let your whole institution know about an exploitable weakness? Also, employees can spread information about incidents on social media, which can actually lead to the spread of misinformation. If you are in doubt about whether or not to inform the entire institution about an incident, refer to your Legal Department. In general, institution-wide communication should be direct: We’ve had an incident; these are the facts; this is what you are allowed to say on social media; and this is what you’re not allowed to say on social media.

Another great but tough question: When do you tell the public about an incident? For this type of communication, you’re going to need buy-in from various sources: senior leadership, Legal, HR, and your PR team or external PR partners. You have to make sure the public messaging is consistent. Otherwise, citizens and the media will try to poke holes in your official story. And that can lead to even more issues.

What are the key takeaways for higher education leaders?

Here are key takeaways to help higher education leaders prepare for and respond appropriately to cybersecurity incidents:

  1. Understand your institution’s current cybersecurity environment. 
    Questions to consider: Do you have a Chief Information Security Officer (CISO) and/or a dedicated cybersecurity team at your institution? Have you conducted the appropriate audits and assessments to understand your institution’s vulnerabilities and risks?
  2. Ensure you are prepared for cybersecurity incidents. 
    Questions to consider: Do you have a cybersecurity plan with the appropriate response, communication, and recovery plans/processes? Are you practicing your plan by walking through tabletop exercises? Do you have incident response teams?

Higher education continues to face growing threats of cybersecurity attacks – and it’s no longer a matter of if, but when. Leaders can help mitigate the risk to their institutions by proactively planning with incident response plans, communication plans, and tabletop exercises. If you need help creating an incident response plan or wish to speak to us regarding preparing for cybersecurity threats, please reach out to us.
 

Article
Cyberattacks in higher education—How prepared are you?

Cloud services are becoming more and more omnipresent, and rapidly changing how companies and organizations conduct their day-to-day business.

Many higher education institutions currently utilize cloud services for learning management systems (LMS) and student email systems. Yet there are some common misunderstandings and assumptions about cloud services, especially among higher education administrative leaders who may lack IT knowledge. The following information will provide these leaders with a better understanding of cloud services and how to develop a cloud services strategy.

What are cloud services?

Cloud services are internet-based technology services provided and/or hosted by offsite vendors. Cloud services can include a variety of applications, resources, and services, and are designed to be easily scalable, cost effective, and fully managed by the cloud services vendor.

What are the different types?

Cloud services are generally categorized by what they provide. Today, there are four primary types of cloud services:

Cloud Service Types 

Cloud services can be further categorized by how they are provided:

  1. Private cloud services are dedicated to only one client. Security and control are the biggest value of using a private cloud service.
  2. Public cloud services are shared across multiple clients. Cost effectiveness is the best value of public cloud services because resources are shared among a large number of clients.
  3. Hybrid cloud services are combinations of on-premise software and cloud services. The value of hybrid cloud services is the ability to adopt new cloud services (private or public) slowly while maintaining on-premise services that continue to provide value.

How do cloud services benefit higher education institutions?

Higher education administrative leaders should understand that cloud services provide multiple benefits.
Some examples:

Cloud-Services-for-Higher-Education


What possible problems do cloud services present to higher education institutions?

At the dawn of the cloud era, many of the problems were technical or operational in nature. As cloud services have become more sophisticated, the problems have become more security and business related. Today, higher education institutions have to tackle challenges such as cybersecurity/disaster recovery, data ownership, data governance, data compliance, and integration complexities.

While these problems and questions may be daunting, they can be overcome with strong leadership and best-practice policies, processes, and controls.

How can higher education administrative leaders develop a cloud services strategy?

You should work closely with IT leadership to complete this five-step planning checklist to develop a cloud services strategy: 

  1. Identify new services to be added or consolidated; build a business case and identify the return on investment (ROI) for moving to the cloud, in order to answer:
    • What cloud services does your institution already have?
    • What services should you consider replacing with cloud services, and why?
    • How are data decisions being made?
  2. Identify design, technical, network, and security requirements (e.g., private or public; are there cloud services already in place that can be expanded upon, such as a private cloud service), in order to answer:
    • Is your IT staff ready to migrate, manage, and support cloud services?
    • Do your business processes align with using cloud services?
    • Do cloud service-provided policies align with your institution’s security policies?
    • Do you have the in-house expertise to integrate cloud services with existing on-premise services?
  3. Decide where data will be stored; data governance (e.g., on-premise, off-premise data center, cloud), in order to answer:
    • Who owns the data in the institution’s cloud, and where?
    • Who is accountable for data decisions?
  4. Integrate with current infrastructure; ensure cloud strategy easily allows scalability for expansion and additional services, in order to answer:
    • What integration points will you have between on-premise and cloud applications or services, and can the institution easily implement, manage, and support them?
  5. Identify business requirements — budget, timing, practices, policies, and controls required for cloud services and compliance, in order to answer:
    • Will your business model need to change in order to support a different cost model for cloud services (i.e., less capital for equipment purchases every three to five years versus a steady monthly/yearly operating cost model for cloud services)?
    • Does your institution understand the current state and federal compliance and privacy regulations as they relate to data?
    • Do you have a contingency plan if your primary cloud services provider goes out of business?
    • Do your contracts align with institutional, state, and federal guidelines?

Need assistance?

BerryDunn’s higher education team focuses on advising colleges and universities in improving services, reducing costs, and adding value. Our team is well qualified to assist in understanding the cloud “skyscape.” If your institution seeks to maximize the value of cloud services or develop a cloud services strategy, please contact me.

Article
Cloud services 101: An almanac for higher education leaders

Read this if you are a plan sponsor of employee benefit plans.

This article is the seventh in a series to help employee benefit plan fiduciaries better understand their responsibilities and manage the risks of non-compliance with Employee Retirement Income Security Act (ERISA) requirements. You can read the previous articles here.

The COVID-19 pandemic has challenged individuals and organizations to continue operating during a time where face-to-face interaction may not be plausible, and access to organizational resources may be restricted. However, life has not stopped, and participants in your employee benefit plan may continue to make important decisions based on their financial needs. 

To help you prepare for a potential IRS examination, we’ve listed some requirements for participants to receive Required Minimum Distributions (RMD), hardship distributions, and coronavirus-related distributions, recommendations of actions you can perform, and documentation to retain as added internal controls. 

Required Minimum Distributions

Recently, the IRS issued a memo regarding missing participants, beneficiaries, and RMDs for 403(b) plans. If an employee benefit plan is subject to the RMD rules of Code Section 401(a)(9), then distributions of a participant’s accrued benefits must commence April 1 of the calendar year following the later of 1) the participant attaining age 70½ or 2) the participant’s severance from employment. Under the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020, RMDs were temporarily waived for retirement plans for 2020. This change applied to defined contribution plans, such as 401(k), 403(b), 457(b) plans and IRAs.

In addition, RMDs were waived for IRA owners who turned 70½ in 2019 and were required to take an RMD by April 1, 2020 and have not yet done so. Do note the waiver will not alter a participant’s required beginning date for purposes of applying the minimum distribution rules in future periods. Although you may be applying this waiver during 2020, it is important you prepare to make RMDs once the waiver period ends by verifying participants eligible to receive RMDs are not “missing.”

There are instances in which plans have been unable to make distributions to a terminated participant due to an inability to locate the participant. In this situation, the responsible plan fiduciary should take the following actions in applying the RMD rules:

  1. Search the plan and any related plan, sponsor and publicly available records and/or directories for alternative contact information;
  2. Use any of the following search methods to locate the participant: a commercial locator service, a credit reporting agency, or a proprietary internet search tool for locating individuals; and
  3. Attempt to initiate contact via certified mail sent to the participant’s last known mailing address, and/or through any other appropriate means for any known address(es) or contact information, including email addresses and telephone numbers.

If the plan is selected for audit by the IRS and the above actions have been taken and documented by the plan, the IRS instructs employee plan examiners not to challenge the plan for violation of the RMD rules. If the plan is unable to demonstrate that the above actions have been taken, the employee plan examiners may challenge the plan for violation of the RMD rules.

We typically recommend management review plan records to determine which participants have attained age 70½. Based on the guidelines outlined above, we recommend plans document the actions they have taken to contact these participants and/or their beneficiaries.

Hardship distribution rules

A common issue we identify during our employee benefit plan audits is that the rules for hardship distributions are not always followed by the plan sponsor. If the plan allows hardship withdrawals, they should only be provided if (1) the withdrawal is due to an immediate and heavy financial need, (2) the withdrawal is necessary to satisfy the need (you have no other funds or ways to meet the need), and (3) the withdrawal does not exceed the amount needed. You may have noted we did not add to the list of requirements above that the plan participant must have first obtained all distribution or nontaxable loans available under the plan. This is due to the recently enacted Bipartisan Budget Act of 2018 (the Act), which removed the requirement to obtain available plan loans prior to requesting a hardship. Thus, the removal of this requirement may increase the number of participants eligible to receive hardship withdrawals, if the three requirements noted are satisfied. The plan sponsor should maintain documentation that the requirements for the hardship withdrawal have been met before issuing the hardship withdrawal.

The IRS considers the following as acceptable reasons for a hardship withdrawal:

  1. Un-reimbursed medical expenses for the employee, the employee’s spouse, dependents or beneficiary.
  2. Purchase of an employee's principal residence.
  3. Payment of college tuition and related educational costs such as room and board for the next 12 months for the employee, the employee’s spouse, dependents, beneficiary, or children who are no longer dependents.
  4. Payments necessary to prevent eviction of the employee from his/her home, or foreclosure on the mortgage of the principal residence.
  5. Funeral expenses for the employee, the employee’s spouse, children, dependents or beneficiary.
  6. Certain expenses for the repair of damage to the employee's principal residence.
  7. Expenses and losses incurred by the employee as a result of a disaster declared by the Federal Emergency Management Agency (FEMA), provided that the employee’s principal residence or principal place of employment at the time of the disaster was located in an area designated by FEMA for individual assistance with respect to the disaster.

Prior to the enactment of the Act, once a hardship withdrawal was taken, the plan participant would not be allowed to contribute to the plan for six months following the withdrawal. The Act repealed the six-month suspension of elective deferrals, thus plan participants are allowed to continue making contributions to the plan in the pay period following the hardship withdrawal. Prior to the Act we had seen instances where the plan participant was allowed to continue making contributions after the hardship withdrawal was taken. Now we would expect participants who received a hardship distribution to continue making elective deferrals following receipt of the distribution.

Coronavirus-related distributions

Under section 2202 of the CARES Act, qualified participants who are diagnosed with coronavirus, whose spouse or dependent is diagnosed with coronavirus, or who experience adverse financial consequences due to certain virus-related events including quarantine, furlough, or layoff, having hours reduced, or losing child care, are eligible to receive a coronavirus-related distribution. 

Distributions are considered coronavirus-related distributions if the participant or his/her spouse or dependent has experienced adverse effects noted above due to the coronavirus, the distributions do not exceed $100,000 in the aggregate, and the distributions were taken on or after January 1, 2020 and on or before December 30, 2020. Such distributions are not subject to the 10% penalty tax under Internal Revenue Code (IRC) § 72(t), and participants have the option of including their distributions in income ratably over a three-year period, or the entire amount, starting in the year the distribution was received. Such distributions are exempt from the IRC § 402(f) notice requirement, which explains rollover rules, as well as the effects of rolling a distribution to a qualifying IRA and the effects of not rolling it over. Also, participants can be exempt from owing federal taxes by repaying the coronavirus-related distribution.

Participants receiving this distribution have a three-year window, starting on the distribution date, to contribute up to the full amount of the distribution to an eligible retirement plan as if the contribution were a timely rollover of an eligible rollover distribution. So, if a participant were to include the distribution amount ratably over the three-year period (2020 – 2022), and the full amount of the distribution was repaid to an eligible retirement plan in 2022, the participant may file amended federal income tax returns for 2020 and 2021 to claim a refund for taxes paid on the income included from the distributions, and the participant will not be required to include any amount in income in 2022. We recommend the plan sponsor maintain documentation supporting that the participant was eligible to receive the coronavirus-related distribution.

There is much uncertainty due to the current status of the COVID-19 pandemic, and this has forced many of our clients to review and alter their control environments to maintain effective operations. With this uncertainty come changes to guidance and treatment of plan transactions. We have provided our current understanding of the guidance the IRS has provided for the treatment surrounding distributions, specifically RMDs, hardship distributions, and coronavirus-related distributions. If you and your team have any additional questions which may be specific to your organization or plan, an expert from our Employee Benefits Audit team will gladly assist you.
 

Article
Defined contribution plan distributions: Considerations and recommendations

Read this if you are at a not-for-profit organization.

There is no question that cryptocurrency has been gaining in popularity over the past few years. It may be hard to believe, but Bitcoin, the first and most commonly known form of cryptocurrency, has been around since the good old days of 2009! What was once only seen as a quasi-asset traded solely on the dark web by a handful of private yet savvy investors has recently begun to step out into the light. With this newly found mainstream popularity come many questions from the not-for-profit (NFP) sector about how their organizations should proceed when it comes to donations of cryptocurrency, and how they might benefit (or not) from doing so. 

This article will answer some of the questions we’ve received from clients in this area and attempt to shed some light on the tax reporting and compliance requirements around cryptocurrency donations for not-for-profit organizations, as well as other topics not-for-profit organizations should consider before dipping their toes into the crypto current.

So, what exactly is cryptocurrency? 

Cryptocurrency is a digital asset. It generally has no physical form (no actual coins or paper money). Further, it is not issued by a central bank and is largely unregulated. Its value is dependent upon many factors, the largest being supply and demand.

Can a not-for-profit organization accept cryptocurrency as a donation?

Yes! For tax purposes, cryptocurrency is considered noncash property, and is perfectly acceptable for not-for-profit organizations to accept.

With that said, NFPs absolutely need to review and update their gift acceptance policies as necessary as to whether or not they are willing to accept cryptocurrency. Having a clear and established policy position in place one way or the other can mitigate any confusion or misunderstanding between the organization and a potential donor.

The organization may also want to consider adding language to the policy regarding its intent to either hold the asset or sell it as soon as administratively possible. A savvy donor may request that the organization hold the cryptocurrency donation for a period of time after the donation is made, so organizations will want to have clear policies in place.

What about acknowledging the donor’s gift?

Standard donor acknowledgement rules still apply. Any donation of $250 or more requires a standard “thank you” acknowledgement to the donor. Remember, the IRS has deemed cryptocurrency to be noncash property, which means a description of the donated property (but not its value) should be mentioned in the donor acknowledgement.

Are there any other forms I need to be aware of?

Yes. Forms 8283 & 8282 apply to donations of cryptocurrency. Where the donation is noncash, the donor should be providing the organization with Form 8283, Noncash Charitable Contributions, for a claimed value of more than $500. Further, if the claimed value is more than $5,000, the Form 8283 should be accompanied by a qualified appraisal report. Form 8283 should be signed by the donor, the qualified appraiser (if applicable), as well as the recipient organization upon acceptance.

NOTE: Form 8283, Part V, Donee Acknowledgement, contains a yes/no question asking if the organization intends to use the property for an unrelated use. Where the property in question is cryptocurrency, the answer to this question is likely always to be ‘yes’.

Should the organization sell the underlying cryptocurrency within three years of acceptance, the organization must complete Form 8282, Donee Information Return, and file a copy with the IRS as well as providing a copy to the original donor. Other rules apply if the organization transfers the property to a successor donee.

NOTE: Organizations may want to consider referencing the Forms 8283 & 8282 in their aforementioned gift acceptance policy.

How is a cryptocurrency donation reported on the financial statements and Form 990?

If donated and held by the organization as of the end of the year, it will be reported as an intangible asset on the balance sheet, and contribution revenue on the statement of activities. 

Similar reporting would follow for 990 purposes—the donation would be reported as part of noncash contribution revenue with additional reporting on 990, Schedule B, Schedule of Contributors, and Schedule M, Noncash Contributions, as necessary.

Why should I accept cryptocurrency?

This is by far the hardest question to answer, for a variety of reasons. There is no question that cryptocurrency has its risks. Cryptocurrency is known to be highly volatile. Bitcoin, which originally was valued at eight cents per coin in 2010, soared to an all-time high of over $63,000 back in April of 2021—and then two months later sold for around $34,000 per coin. And who could forget the recent Dogecoin (I’m still not sure how to pronounce that) phenomenon? It too became a sensation in recent months, only to see its value plummet by almost 30% in a single day after an appearance by Elon Musk on Saturday Night Live (it did subsequently rebound after a Musk tweet).

The fact is no one really knows where the value of cryptocurrency is headed, so should a not-for-profit organization decide to proceed, you should be aware it may not be worth what it was when originally accepted, which could be either good or bad depending on the day. Ultimately, any value is still good for a not-for-profit organization, but the risks with cryptocurrency and its volatility are very real.

Other things to know about crypto

As of right now, cryptocurrency has its own trading platforms. Robinhood, a platform in the news recently when it halted trading of GameStop’s stock after speculative traders got the price to soar to all-new highs, is the most well known. Large investment firms are well on their way to creating their own platforms as cryptocurrency gains in popularity, so we certainly recommend speaking with your current investment advisors to find the platform that best suits your needs.

Cryptocurrency is held in a digital wallet, which can only be accessed by a password, or private keys. Digital wallets can be stored locally on a computer, but there are also web-based wallets.

There have been horror stories about people losing or forgetting passwords, ultimately rendering the cryptocurrency worthless because it cannot be accessed. Cryptocurrency, due to its private nature, is very desirable to hackers, who could also potentially access the wallet and steal its contents. And if stored locally, the currency could be lost forever if the computer containing the wallet were to become corrupted or compromised.

Organizations holding cryptocurrency will need to ensure proper internal controls are in place to make sure the funds are secure and cannot be easily accessed or potentially stolen. Working with your internal IT department is a good strategy here.

The questions above are not intended to be all-inclusive. Cryptocurrency is still finding its way in the world and we’ll continue to keep an eye on any developments and keep clients up to date as cryptocurrency continues to expand its reach and as further guidance is issued.

If you have any questions, please contact me or another member of our not-for-profit tax services team. We're here to help.

Article
Cryptocurrency and the charitable contribution conundrum

Read this if you are a New Hampshire resident, or a business owner or manager with telecommuting employees (due to the COVID-19 pandemic).

In late January, the Supreme Court asked the Biden Administration for its views on a not-so-friendly neighborly dispute between the State of New Hampshire and the Commonwealth of Massachusetts. New Hampshire is famous amongst its neighboring states for its lack of sales tax and personal income tax. Because of the tax rules and other alluring features, thousands of employees commute daily from New Hampshire to Massachusetts. Overnight, like so many of us, those commuters were working at home and not crossing state boundaries.

As a result of the pandemic and stay-at-home orders, Massachusetts issued temporary and early guidance, directing employers to maintain the status quo. Keep withholding on your employees in the same manner that you were, even though they may not be physically coming into the state. New Hampshire was against this directive from day one and sought to sue Massachusetts over its COVID-19 telecommuting rules for employees who had previously been sitting in an office in the Bay State. The final nail in the coffin was an extension of the guidance in October. 

New Hampshire’s position
New Hampshire took particular issue because it does not impose an Individual Income Tax on wages and it believed that the temporary regulations issued by the Commonwealth overstepped or disregarded New Hampshire’s sovereignty—in violation of both the Commerce and Due Process Clauses of the U.S. Constitution. Each clause has historically prohibited a state from taxing outside its borders and limits tax on non-residents. By having Massachusetts employers continue withholding on New Hampshire residents' wage earnings, New Hampshire argues, Massachusetts is imposing a tax within New Hampshire, contrary to the Constitution.

What makes the New Hampshire situation unique is that it does not impose an income tax on individuals, a “defining feature of its sovereignty”, the state argues. New Hampshire would say that its tax regime creates a competitive advantage in attracting new business and residents. Maine residents, subject to the same Massachusetts rules, would receive a corresponding tax credit on their Maine tax return, making them close to whole between the two states. Because there is no New Hampshire individual income tax, its residents are out of pocket for a tax that they wouldn’t be subject to, but for these regulations.

Massachusetts’ position
Massachusetts' intention behind the temporary regulations was to maintain pre-pandemic “status quo” to avoid uncertainty for employees and additional compliance burden on employers. This would ensure employers would not be responsible for determining when an employee was working, for example, at their Lake Winnipesaukee camp for a few weeks, or their relative’s home in Rhode Island. 

Additionally, states like New York and Connecticut have long had “convenience of the employer” laws on the books which imposed New York tax on telecommuting non-residents. Massachusetts also provided that parallel treatment will be given to resident employees with income tax liabilities in other states that have adopted similar sourcing rules, i.e., a Massachusetts resident working for a Maine employer.

Other voices
The US Supreme Court requested a brief from the Biden administration. Additionally, many states wrote to the court on behalf of New Hampshire. To demonstrate the impact a decision against New Hampshire could have, New Jersey said that it expects to issue $1.2 billion in tax credits to its residents because New York declined to loosen its strict telecommuting rules. In the final days before the Court recessed, it declined to hear the case brought by the State of New Hampshire against the Commonwealth of Massachusetts. Had the Court decided to move forward with the case, it stood to impact long-standing, pre-pandemic telecommuting rules by New York and others.

What now?
For Massachusetts employers specifically, you should review current withholdings and ensure compliance with the temporary regulations. The state of emergency has been lifted in Massachusetts, and the rules have an end date of September 19, 2021. Employers who haven’t been following the regulations will have a costly tax exposure to correct. 

Massachusetts’ temporary regulations were not unique as dozens of states issued temporary regulations asserting a “status quo” regime for those employees who would normally be commuting outside their home state. Unwinding from the pandemic is going to be a long road, and for all employers, it’s important that you review the rules in each state of operation and confirm that the proper withholding is made.

If you have questions about your specific situation, please contact the state and local tax consulting team. We’re here to help.

Article
New Hampshire v. Massachusetts: Sovereignty or status quo?

Read this if you are a business owner. 

Consider the value of the following two hypothetical companies. Roger owns Wag More, Bark Less (WMBL), a pet service company that employs 10 full-time dog walkers. Anita owns a very similar company, Happy Dog Walking Service (Happy Dog), which also happens to employ 10 full-time dog walkers. These companies are both almost identical, and last year, they generated the same amount of revenue and income. A key difference, however, is in the management styles of the owners. Roger is extremely disorganized and has difficulty with record retention, locating information, and tracking and analyzing data. He is relatively inexperienced as a manager. Anita, meanwhile, is very punctual and organized and has 15 years of management experience. She is very capable of monitoring dog-walking data to optimize routes, manage employee utilization, and track client satisfaction. Which company is more valuable? 

Despite being identical in terms of service offering and size, most people would identify Happy Dog as being more valuable. Alarm bells start to ring in a valuation analyst’s head when learning about the sloppy management style, lack of experience, and poor use of data at WMBL. The difference in value should be substantial. Despite generating the same amount of profit last year, Happy Dog could be worth twice as much as WMBL because these risk factors may jeopardize future profits.

In addition to the risk factors from the above example, there are many other drivers of business value.

Valuation formula

In its simplest form, the valuation of a business can be reduced to the following formula based on earnings before interest, taxes, depreciation, and amortization (EBITDA). Factors that affect value do so by affecting the valuation multiple. Companies such as WMBL would be worth a lower multiple of EBITDA, and a higher multiple would be justified for less risky companies such as Happy Dog. 

Estimating an EBITDA multiple

A generic multiple often thrown around is 5x EBITDA. EBITDA multiples from the DealStats database show a slightly lower average over time. From 2017 to 2019, the EBITDA multiples were around 5x, then declined in 2020 and 2021. The chart below shows trends in historical EBITDA multiples.1 

Median Selling Price/EBITDA with Trailing Three-Quarter Average


In reality, EBITDA multiples vary widely by industry. For example, in the DealStats database, the median EBITDA multiple for retail trade was 3.8x compared to 6.5x for manufacturing companies.2 The chart below presents EBITDA multiples by industry from the DealStats database.

Selling Price/EBITDA Interquartile Range by Industry Sector (Private Targets)


Even within a specific industry, multiples can vary dramatically. For example, from the chart above, the median wholesale trade multiple was slightly above 5.0x, but the 75th percentile multiple for this industry was approximately 10.0x. 

Factors affecting EBITDA multiples

Differences in valuation multiples from company to company reflect differences in risk profiles. High-risk companies command lower multiples than safe investments. The following chart illustrates how certain operational risk factors may affect the valuation multiple.

Other factors that affect valuation multiples include the following:

  • Access to capital
  • Supplier concentration 
  • Supplier pricing advantage 
  • Product or service diversification 
  • Life cycle of current products or services 
  • Geographical distribution 
  • Currency risk 
  • Internal controls 
  • Business owner reliance
  • Legal/litigation issues 
  • Years in operation
  • Location   
  • Demographics 
  • Availability of labor 
  • Employee stability 
  • Internal and external culture 
  • Economic factors 
  • Industry and government regulations 
  • Political factors 
  • Fixed asset age and condition 
  • Strength of intangible assets 
  • Distribution system 
  • IT systems 
  • Technology life cycle 

One model to assess risk and select an appropriate multiple is the exit and succession planning software prepared by MAUS Business Systems (“MAUS”). The MAUS Business Attractiveness model assists analysts in assessing and diagramming the risk profile of a company. This model was developed to assess business attractiveness to potential acquirers based on common risk factors. Analysts can use this software as part of their assessment of an appropriate valuation multiple. This model is also a helpful communication tool because it provides a visual representation of a company’s risk profile and highlights the areas in which a company can improve. 

Using this model, analysts assess a company’s risk profile regarding several key factors. MAUS then generates a report that includes a series of diagrams like the one below. Business attractiveness factors are positioned around the outside of a polygon. If a company performs well regarding a particular factor, a point is plotted towards the outside of the polygon. If the company performs poorly, a point is plotted towards the center of the shape. The points are then connected to visualize a company’s risk profile. 

Business Risk & Value Factors

         

The larger the colored shape is in the MAUS diagram, the higher the valuation multiple should be. However, these factors do not all affect the multiple equally. The valuation multiple may be highly responsive to some factors and less responsive to others. Additionally, each factor may not have a linear effect on the valuation multiple. For these reasons, formula-based estimates of valuation multiples are often inaccurate, although they are a great place to start for a ballpark indication of value. For matters of importance where accuracy is paramount, we strongly recommend consulting with a valuation professional. In addition to valuation expertise, an outside party provides an independent, unbiased assessment of value.

Conclusion

The value of a business can be affected dramatically by its risk profile. Analysts value businesses based on a number of different factors that affect value. 

1,2 DealStats Value Index 2Q 2021, Business Valuation Resources, LLC (www.bvresources.com).

Article
Factors affecting the value of a company