
Provider Relief Fund (PRF) reporting portal

01.28.21

Read this if you are a hospital or healthcare organization that has received Provider Relief Funds. 

The long-awaited Provider Relief Fund (PRF) Reporting Portal (the Portal) opened to providers on January 15, 2021. Unfortunately, the Portal is currently only open for the registration of providers. The home page for the Portal has information on what documentation is needed for registration as well as other frequently asked questions.

We recommend taking the time to review what is needed and register as soon as possible. Health Resources & Services Administration (HRSA) has suggested the registration process will take approximately 20 minutes and must be completed in one session. The good news is providers will not need to keep checking the Portal to see when additional data can be entered as the Portal home page states that registered providers will be notified when they should re-enter the portal to report on the use of PRF funds.

Access the portal

The Provider Relief Fund (PRF) Reporting Portal is only compatible with the most current stable version of Edge, Chrome and Mozilla Firefox.


Our senior living and long-term care professionals have compiled this guide to financial resources for senior living providers, segregated by federal and state programs.

In this guide, you will receive a breakdown of the critical components of each program, related compliance requirements, payment and accounting considerations, and the provider type for which the program is available.

The guide includes a publication date. Please check back regularly for updates.

READ THE GUIDE NOW

We're here to help.
If you have any questions, please contact a member of our senior living consulting team.

Article
Senior living COVID-19 financial resources guide

Read this if you use QuickBooks Online.

Your customers are your company’s lifeblood. Make sure their records are thorough and up-to-date.

When companies buy other companies, the customer list is often considered the most critical asset. When a business is damaged and data possibly lost, the customer list is the set of records they most hope to recover.

You probably spend most of your time in QuickBooks Online working with transactions and reports, but your customer records deserve equal time. If they’re incomplete or otherwise not well maintained, you lose time filling in the blanks when you’re trying to complete a task that requires complete customer profiles. Your searches and reports may not tell the whole picture. Your relationships can suffer, and you may miss out on sales opportunities.

QuickBooks Online provides excellent tools for creating and maintaining comprehensive customer and sub-customer records. Here’s a look at how it all works.

Moving your customer data in

There are two ways to create customer records in QuickBooks Online. If you have an existing database in Outlook, Excel, Gmail, or Google Sheets, you can import it. This will save you an enormous amount of time, but it’s a challenging process. You select the file you want to import, and then you have to “map” it by matching the fields in your database to fields in QuickBooks Online. You’ll likely need our help with this.


To import a customer file into QuickBooks Online, you’ll have to “map” its fields. We can help you with this.

Your other option is to enter records manually. This is time-consuming, but the more information you can include about your customers from the start, the better. You can always edit your records to add, delete, or modify what you originally entered.

To get started, hover over Sales in the toolbar and click on Customers. Then click on New Customer in the upper right corner to open the Customer information window. The only field you’re required to complete is Display name as. You may want to do this if you have a new customer on the phone and you want to concentrate on the conversation. You can take notes about their contact information and fill in the record later, when you’re off the phone.

But wherever possible, as we’ve already said, complete as many fields as you can. You’ll enter name and billing and shipping address and phone number(s) on the opening screen. You can also supply contact details like fax number and website. 

Creating sub-customers

You’ll notice a checkbox that says Is sub-customer. QuickBooks Online lets you “nest” related records under the “parent” record. This can be an actual customer, but many people use it to document jobs they’re doing for the customer. So if you’re a contractor, for example, you might have sub-customers like Sun deck and Spa.

If you want to set up such a record, enter the job name and click in the box next to Is sub-customer. Two fields will open below that allow you to select the parent customer and to indicate the sub-customer’s billing status. The remainder of the fields will automatically fill in with the parent customer’s contact information.


You can set up jobs as sub-customers in QuickBooks Online. 

Supplying details

When you’re setting up individual customers, you should add as much detail as you possibly can to each record, beyond basic contact information. QuickBooks Online’s record templates display a number of tabs running horizontally across the window. The most important of these are:

  • Tax info. Are the customers taxable or exempt? If taxable, what is their Default tax code? (If you haven’t set up sales taxes yet and need to, please let us help. It’s complicated.)
  • Payment and billing. Do they have preferred payment and/or delivery methods? Will you be assigning default payment terms, like Net 30 or Due on receipt? What is their Opening balance? If they’re brand-new customers who have never ordered from you, this will be $0.00. If they’re existing, active customers, enter any outstanding balance they have with you as of the date that you enter. This must be correct, to avoid any problems with the customers’ ongoing balances. Questions? Ask us.

Other tabs here are self-explanatory. When you’ve entered everything you can, click Save. The new record will now appear in the Customers list and will be available to select from the drop-down list in transactions.

There will be times when you have to refer back to these forms to answer questions. By maintaining detailed, accurate customer records, you’ll be ready to respond. If you have questions about any of the information requested, or about other elements of QuickBooks Online that are puzzling you, please contact our Outsourced Accounting team so we can set up a consultation.

Article
How to maintain customer records in QuickBooks Online

Read this if you are at a financial institution.

Feeling stuck, or maybe even frozen, in your CECL readiness efforts? No matter where you are in the process, here are three things you can do right now to ensure your CECL implementation is on track:

  1. Create or re-visit your 2022 timeline
    With just under 12 months to the January 2023 CECL adoption date, it’s important to make every moment count. Consider CECL adoption your Olympic moment and, like every great Olympic athlete, you have interim events—a timeline of major milestones—to ensure you are ready for “Day 1” and beyond. One strategy to ensure you do not “run out of time” is to start at the end of your timeline and work backward.

    Tip: Whether it be 1/1/2023 (“Day 1” adoption), or the first date by which you want to start parallel runs, fix the date of that final must-hit milestone, and work backward. For example, in order to adopt CECL on 1/1/2023, what major milestone has to be achieved before then and how much time will you need for that? Setting milestones from the final date backward will help you fit the remaining major activities into the time you have left—you can’t “run out of time” this way!



     
  2. Assess where you are, tactically, and fill in the gaps
    What would an Olympic athlete be without a training schedule, and coaches, trainers, and other professionals to guide and push them? In order to make the most of each event (or milestone) in the countdown to CECL adoption, let’s fill in our training schedule. What key decisions still need to be made or documented? Who has the authority to approve them? What’s the right time and venue to obtain that approval? Will these be one-to-one, small group, or committee/board meetings? Will meetings be set up as-needed, or is the meeting schedule (e.g. quarterly executive/board) already set? Who are you engaging for model validation and key control review? What is the date of that review work? 

    Tip: Add those key approval, review, and validation dates to your timeline, and make sure the meeting time you need with decision-makers is booked in their calendars now. Scheduling this time in advance is a transparent and tangible sign that you’ve charted the course, helps ensure decision-makers are available to you when needed most, and ensures incremental progress is consistently made toward your ultimate goal.
  3. Identify the top three tasks to complete this week, reserve the time in your calendar, and complete them!
    Like any athlete, you are now “in training”, and the daily and weekly actions you take will ensure you reach your goal in as strong a position as possible. Whether it’s scheduling those meetings, identifying subject matter experts you can rely upon for coaching, or putting the finishing touches on model documentation and internal control mapping, booking that time with yourself to complete these tasks is key to feeling prepared and ready for CECL adoption.

    Tip: Set aside a few minutes at the end or start of each week to review your timeline/milestones and identify the next key actions to complete.

Would you like assistance with certain aspects of your CECL readiness efforts? Are you ready for some validation/review work, or need guidance on policy, governance, or internal/financial reporting controls?

Contact our Financial Institutions team. We'll help you get your CECL implementation over the finish line. 


 

Article
CECL implementation: Three steps for a medal-winning adoption 

The Centers for Medicare & Medicaid Services (CMS) issued the final rule for the PPS and consolidated billing for SNFs for FY 2022 (published in the Federal Register on August 4, 2021). The rule:

  • Updates the PPS payment rates for SNFs for FY 2022 using the market basket update and budget neutrality factors effective October 1, 2021.
  • Makes changes based on Section 134 of the Consolidated Appropriations Act, 2021—New Blood Clotting Factor Exclusion from SNF Consolidated Billing.
  • Updates the SNF Quality Reporting Program (QRP).
  • Makes changes to the SNF Value-Based Purchasing (VBP) program due to the public health emergency (PHE).
  • Adopts changes in Patient Driven Payment Model (PDPM) International Classification of Diseases, Version 10 (ICD-10) code mappings.
  • Updates the methodology for recalibrating the PDPM parity adjustment.

2022 PPS rate calculations

CMS rebased and revised the SNF market basket index to improve payment accuracy under the SNF PPS by using 2018 Medicare–allowable total cost data to update the PPS payment rates, instead of 2014 data. The final rule includes:

  • A 1.2% net market basket increase based on a 2.7% SNF market basket update, less a 0.8 percentage point forecast error adjustment and a 0.7 percentage point productivity adjustment.
  • A budget neutrality factor of 1.0006.
  • A decrease in the labor-related weight from 71.3% for FY 2021 to 70.4% for FY 2022.

CMS projects an overall impact of this final rule to be an estimated increase of $410 million in aggregate payments to SNFs during FY 2022. This reflects a $411 million increase from the update to the payment rates and a $1.2 million decrease due to the reduction to rates to account for the excluded blood-clotting factors. 

The final rule also estimates an increase in costs to SNFs of $6.63 million related to the FY 2022 SNF QRP changes and an estimated reduction of $191.64 million in aggregate payments to SNFs during FY 2022 as a result of the changes to the SNF VBP Program.

The projected overall impact to providers in urban and rural areas is an average increase of 1.1% and 1.6%, respectively, with a low of 0.2% for rural New England providers and a high of 2.6% for rural South Atlantic providers; actual impact will vary.

The applicable wage index continues to be based on the hospital wage data, unadjusted for occupational mix, rural floor, or outmigration adjustment (from FY 2018) in the absence of SNF specific data.

Section 134 of the Consolidated Appropriations Act, 2021—New Blood Clotting Factor Exclusion from SNF Consolidated Billing

Section 134 in Division CC of the Consolidated Appropriations Act, 2021 added blood clotting factors used for the treatment of patients with hemophilia and other bleeding disorders and items and services related to the furnishing of such factors under section 1842(o)(5)(C) to the list of items and services excluded from the consolidated billing requirements under the SNF PPS effective for items and services furnished on or after October 1, 2021.

CMS is finalizing a reduction in the SNF rates to account for this new exclusion. This methodology will result in a proportional reduction of $0.02 in the unadjusted urban and rural rates which equates to an estimated decrease of approximately $1.2 million in aggregate Part A SNF spending to offset the increase in Part B spending that will occur due to these items and services being excluded from SNF consolidated billing.

SNF QRP update

CMS adopted two new measures beginning with FY 2023: the SNF Healthcare-Associated Infections Requiring Hospitalization measure (SNF HAI) and the COVID-19 Vaccination Coverage among Healthcare Personnel (HCP) measure. It also updated the calculation for another measure, the Transfer of Health (TOH) Information to the Patient—Post-Acute Care (PAC) measure. In addition, CMS made a modification to revise the number of quarters used for publicly reporting certain SNF quality measures due to the PHE.

SNF VBP Program

CMS will suppress the SNF readmission measure for scoring and payment adjustment purposes for the FY 2022 SNF VBP Program Year because circumstances caused by the PHE for COVID-19 have significantly affected the measure and the ability to make fair, national comparisons of SNFs’ performance scores. As part of a special scoring policy for FY 2022, CMS will assign a performance score of zero to all participating SNFs, irrespective of how they perform using the previously finalized scoring methodology, to mitigate the effect that PHE-impacted measure results would otherwise have on SNF performance scores and incentive payment multipliers. CMS will also reduce the adjusted Federal per diem rate for each SNF by 2% and award SNFs 60% of that withhold, resulting in a 1.2% payback percentage for FY 2022. Finally, SNFs that qualify for the low-volume adjustment will continue to receive 100% of that 2% withhold.

Finally, CMS revised the performance period for the FY 2022 SNF VBP program and finalized the performance period for the FY 2023 and FY 2024 SNF VBP Program.

BerryDunn created an interactive rate calculator to assist you with the calculation of your PPS rates for FY 2022, which has been updated and now reflects VBP adjustments. You can access the PPS interactive rate calculator now.

Download the 2022 SNF PPS Rate Calculator

If you have any specific questions about the Final Rule or how it might impact your facility, please contact Ashley Tkowski or Melissa Baez.

Article
FY 2022 Prospective Payment System (PPS) and Consolidated Billing for Skilled Nursing Facilities (SNFs) Final Rule

Read this if you use QuickBooks Online.

Are you finding that you need more flexibility in an area of QuickBooks Online? Maybe it’s time to try an integrated app.

When you first started using QuickBooks Online, you probably found it supplied the tools you needed to manage your accounting—and then some. But as your business grows or becomes more complex, you may need more functionality and flexibility in one or more areas, like time tracking and billing.

There are hundreds of add-on applications that integrate well with QuickBooks Online in the QuickBooks Apps store, which you can find here. Many of these apps are free, but most have subscription fees. They’re designed to amplify the power of QuickBooks Online’s own features. The site will remain your home base, but you’ll have to learn enough about the add-on apps to understand how they work and how they integrate with QuickBooks Online. Here are some of the most popular add-on solutions from the QuickBooks Apps site.

Expensify

QuickBooks Online allows you to record expenses. Its thorough form templates ask you for numerous details, like the vendor, product or service, amount, and billable status. Completed expenses appear in a table. You can run any of several related reports, like Expenses by Vendor Summary. If you use the QuickBooks Online mobile app, you can snap photos of receipts that are turned into expense forms by QuickBooks Online and partially completed with the receipt data.

Using the QuickBooks Online mobile app, you can snap photos of receipts and complete the expense forms provided.

But Expensify ($5-9 per month for one user) does more. It’s a robust expense management system that handles everything from receipt processing to next-day reimbursement. Where QuickBooks Online only supports basic expense tracking, Expensify allows you to create expense reports and follow them through multi-level approvals. It features automatic credit card reconciliation and expense policy enforcement, as well as bill pay and invoices/payments. Two-way synchronization with QuickBooks Online means you can work in either application and your data will be replicated in the other, as is the case with all of these integrated solutions.

QuickBooks Time

Formerly known as TSheets, this powerful time-tracking application builds on QuickBooks Online’s time management and payroll features. QuickBooks Time ($8-10 per user per month plus $20-40 monthly base fee) is now owned by Intuit, so it’s embedded directly in QuickBooks Online. 

Your employees can track their hours on any device, from any location, and they will instantly be available in QuickBooks Online so managers can review, edit, and approve timesheets. That data can then be used in areas like invoicing, job costing, and payroll. Advanced features include scheduling capabilities, overtime monitoring, GPS tracking, and real-time reports. The Who’s Working window shows you where your staff members are working and what they’re doing, in real time. 

Method:CRM

QuickBooks Online does a good job of helping you create profiles of customers and storing them for quick retrieval. But some businesses need more than that. They need true Customer Relationship Management (CRM). Method:CRM ($28-49 per month per user; discounts for annual subscriptions) is an excellent partner for QuickBooks Online in this area.

You can record and store customer details in QuickBooks Online, but Method:CRM adds true Customer Relationship Management to the site.

When you integrate Method:CRM with QuickBooks Online, you no longer have to do duplicate data entry to keep track of your customers and their sales profiles and histories. You get a shared lead list and activity tracking (emails and phone calls), and your customer records contain the information a sales team needs, like customer details, interaction, transactions, and services performed. Leads are stored in Method:CRM until they’re customers, and you can track sales opportunities from a customer’s initial interest through the final sale. 

Two more advanced integrated apps

QuickBooks Online provides basic inventory-tracking capabilities, but if your business has more complex needs, an integrated application like SOS Inventory ($49.95-149.95 per user per month) should be able to meet them. Built for QuickBooks Online from the ground up, the application offers advanced features like sales orders and order management, assemblies, serial inventory, and multiple locations. And if you need more sophisticated bill pay, invoicing, and payment processing (with multiple automated approval levels) than QuickBooks Online offers, you might look into the highly-regarded Bill.com ($39-69 per user per month).

Growth is good, but challenging

We wanted to introduce you to a few of the hundreds of integrated apps available for QuickBooks Online because you should know that there are options for expanding on the site’s built-in capabilities. As your business grows, so does your need for more sophisticated accounting. QuickBooks Online may still be able to serve you well with the help of one or more of these add-ons.

You may also want to explore the possibility of upgrading your version of QuickBooks Online. We encourage you to consult with us if you’re outgrowing QuickBooks Online. We can help you explore the options so you can spend your time planning for your company’s future instead of wrestling with your accounting application. Please contact our Outsourced Accounting team.

Article
Expand QuickBooks Online's features: Use integrated apps

Read this if you are an employee benefit plan fiduciary.

Fiduciary risk management

This is the final article in a series to help employee benefit plan fiduciaries better understand their responsibilities and manage the risks of non-compliance with ERISA requirements. You can find the full series here.

If, as part of your involvement with an employee benefit plan, you have decision-making ability, you advise those with decision-making ability, or someone tasks you with decision-making related to the plan, you are, more likely than not, a fiduciary. As discussed in the first article of the series, this status comes with responsibilities and, therefore, risks and consequences.

The general approach to handling risk is a cycle of identifying, assessing, controlling, and reviewing controls over risks. Based on the assessment of a given risk, there are four ways to manage it: you can avoid, reduce, transfer, or accept the risk. 

Identifying and assessing fiduciary risk [1]

The risks facing a plan fiduciary include, but are not limited to, the following:

Removal of fiduciary

In appropriate cases, a fiduciary may be removed and permanently prohibited from acting as a fiduciary or from providing services to ERISA plans.

Civil penalties

Among other penalties, the DOL may assess a civil penalty equal to 20% of the amounts recovered for the plan through litigation or settlement.

Criminal prosecution

Upon a conviction for a willful violation of ERISA’s reporting and disclosure requirements, a fiduciary may be subject to fines and/or imprisonment for not more than ten years. There is also a provision in ERISA that applies to any person, not just ERISA fiduciaries, that makes coercive interference with ERISA rights a criminal offense punishable by fines and/or imprisonment for up to ten years. In addition, outside of ERISA, there are a number of criminal statutes that apply to any person, not just ERISA fiduciaries, including criminal statutes for embezzling from an ERISA plan, making false statements in ERISA documents, and taking illegal kickbacks in connection with an ERISA plan.

Participant lawsuits

Additionally, plan participants may file a lawsuit against the fiduciary for breach of their fiduciary duty. Over the past few years, this has become more common and has generally been related to the fiduciary’s failure to adequately negotiate and monitor plan fees. 

Co-fiduciary liability

ERISA's unique co-fiduciary liability provisions make each fiduciary responsible for the actions of the other plan fiduciaries but only under certain circumstances. As a general rule, fiduciaries aren’t responsible for the breach of another fiduciary unless:

  • They participate knowingly in, or knowingly undertake to conceal, an act or omission of such other fiduciary, knowing such act or omission is a breach;
  • Their failure to be prudent in the administration of their own fiduciary responsibilities enables the other fiduciary to commit a breach; or
  • They have knowledge of a breach by such other fiduciary and don’t make reasonable efforts under the circumstances to remedy the breach.

Controlling fiduciary risk

There are several ways to effectively manage fiduciary risk. When used together, they give you solid controls to greatly reduce your level of risk.

Plan documentation

A fiduciary and/or plan sponsor should reduce their exposure to the risks identified above, and their first line of defense is plan documentation (discussed in depth here). Broadly speaking, the organizers and fiduciaries of the plan should ensure that policies and procedures are laid out so that proper oversight and internal controls are in place to prevent any voluntary or involuntary noncompliance with ERISA and the DOL.

Oversight

Fiduciaries should meet formally on a regular basis to review the plan’s offerings, service providers, fees, and other issues that may affect the plan. A single individual who is the sole fiduciary for a plan may not have the knowledge or bandwidth to appropriately fulfill the responsibilities of the plan. Additionally, having an auditor come in and audit the plan can help identify some of the risks identified above, although an audit of the plan does not reduce your responsibility to monitor and review the plan’s activity on an ongoing basis.

Third Party Administrators (TPA) & recordkeepers

Fiduciaries may also be able to mitigate some of the risks identified above through use of a TPA and/or recordkeeper. While TPAs and recordkeepers are not generally considered fiduciaries or co-fiduciaries, TPAs have varying service offerings, including recordkeeping, that are powerful tools for plan administrators to review and operate the plan. For example, depending on the plan sponsor’s existing payroll and HR structure, inclusive of TPAs and recordkeepers, fiduciaries may be able to automate the transfer of contributions to ensure timeliness of deposits. The plan may also be able to add another layer of internal controls by incorporating the TPA’s or recordkeeper’s internal controls into the plan’s control environment, assuming the fiduciary has gained an understanding of and comfort with the controls present at the TPA and/or recordkeeper.

Professional investment advisors and co-fiduciaries

Employee benefit plans must meet certain requirements with regard to their investment offerings. For instance, the plan must allow participants to invest in a diversified portfolio. The plan may try to transfer some of these risks and employ the help of a professional investment advisor to help ensure the plan’s investment offerings meet such criteria. This could involve hiring either an ERISA 3(21) fiduciary or an ERISA 3(38) fiduciary. The former serves as an advisor and a co-fiduciary, but does not have any authority by themselves, while the latter is an investment manager and therefore authorized to select investments for the plan. Doing so may help demonstrate to regulators that a fiduciary has fulfilled their duty in this regard. Alternatively, a plan may hire a 3(16) Fiduciary. 3(16) Fiduciaries are individuals or organizations that are charged with running plans as the plan administrator. A company may be able to shift most of their fiduciary risk to such a fiduciary. 

In any case, the plan fiduciary must continue to monitor a 3(16), 3(21) or 3(38) advisor to make sure it is still prudent to use that advisor.

Bonding and fiduciary liability insurance

Bonding is required for most EB plans and does not protect the fiduciary from any risk. It does, however, protect the plan from fraud or dishonesty. On the other hand, fiduciary liability insurance can protect the fiduciary in the case of breach of fiduciary duty. This type of insurance is not required but is another option to transfer fiduciary risk.

As mentioned in our second article, much like owning a car, regular preventative maintenance can help you avoid the need for costly repairs. Plan fiduciaries should periodically refresh their understanding of ERISA requirements and re-evaluate their current and future business activities on an ongoing basis. Doing so will help mitigate any risks associated with non-compliance with the DOL and IRS and keep the plan running smoothly. 

Need help navigating the fiduciary road? Reach out to the BerryDunn employee benefit consulting team today.

[1] From Fidelity’s Plan Sponsor Webstation: Consequences of breach of fiduciary duties

Article
Fiduciary risk: Five ways to control and reduce it

Read this if you are an employer that gives employee gifts.

The holiday season is officially in full swing! Unlike Ebenezer Scrooge, many employers are looking for ways to recognize the dedication and hard work of their employees. This gratitude often comes in the form of a holiday gift of some fashion. While this generosity is well-intended, gifts to employees can be fraught with potential tax consequences organizations should be aware of. This article will attempt to demystify the rules surrounding employee gifts to ensure organizations and their employees have a joyous holiday season.

Holiday gifts: Taxable or not?

So, are holiday gifts to employees taxable? The answer, as is so often the case with tax questions, is it depends. The IRS is very clear that cash and cash equivalents (specifically including gift cards) are always included as taxable income when they are provided by the employer, regardless of amount, with no exceptions. This means that if you plan to give your employees cash or a gift card this year, the value must be included in the employees’ wages and is subject to all payroll taxes. Bah humbug indeed!

Nontaxable gift options

There are, however, a few ways to make nontaxable gifts to employees. In each instance the gift must be noncash (and not convertible to cash). IRS Publication 15 offers a variety of examples of de minimis (minimal) benefits, defined as any property or service you provide to an employee that has a minimal value, making the accounting for it unreasonable and administratively impracticable. Examples include holiday or birthday gifts with a low market value (a card and flowers, fruit baskets, a box of chocolates, etc.), or occasional tickets for theater or sporting events, among others. Again, cash and cash equivalents never qualify. The key is that the gift must be occasional or unusual in its frequency and must not be a form of disguised compensation. While de minimis benefits can be a gray area, the IRS has generally deemed items with a value exceeding $100 as too large to qualify as de minimis.

Holiday gifts can also be nontaxable if they are in the form of a gift coupon given for a specific item (with no redeemable cash value). A common example would be issuing a coupon to your employee for a free ham or turkey redeemable at the local grocery store. Nontaxable employee gifts can also come in the form of achievement awards, either for length of service or for safety achievements. The proverbial gold watch upon retirement is a classic example of such a gift. Here too, the award must always be tangible personal property—never cash or a cash equivalent. There are additional rules and value thresholds on any such gift. Please contact a member of your tax team to discuss these specific details further.

Whether employers are considering supplying gift cards, turkeys, or something in between, we hope all find this guidance helpful and still in the giving spirit! Coincidentally, at the end of A Christmas Carol, Ebenezer himself gives Bob Cratchit a turkey on Christmas day. Of course Mr. Scrooge would be aware of the potential tax consequences! We wish you all a very happy and healthy holiday season!

Not-for-profit resources

If you are a not-for-profit organization receiving charitable gifts, read Donor Acknowledgements: We have to file what?

Article
What employers need to know before making gifts to employees

Read this if you are responsible for cybersecurity at your organization. 

During the financial audit process, auditors are required to develop and confirm their understanding of Information Technology (IT) and cybersecurity practices as they relate to financial reporting, both to better understand risks and because of auditors’ heavy reliance on data pulled from accounting information systems. As auditors, we have seen a significant increase in the number of impactful incidents affecting not-for-profit organizations, and our IT security experts often share valuable advisory comments in annual audit communications with our clients. With recent incidents and a very rapidly changing business environment, here are the three most important comments from the last six months that impact all not-for-profits.

Board oversight of cybersecurity 

Cybersecurity gaps within an organization’s systems may lead to risk exposure and have material impacts on all aspects of operations. Responsibility for cybersecurity controls and for establishing a culture of awareness and security should come from the Board and senior leadership. Board members and senior leaders should stay apprised of cybersecurity efforts on a regular basis, and incidents should be summarized and reported on a quarterly basis.

The Board should also consider adding a member who is a professional with IT and cybersecurity experience to help manage and understand the specific risks to the organization and help drive and support cybersecurity efforts.

Ransomware threats and preventive controls

Hackers’ use of ransomware as a profitable attack on organizations continues to increase rapidly. Within the last year there have been multiple high-profile incidents that illustrate the impact of a successful attack. These impacts fall into two main areas. One impact may be financial, as millions of dollars are paid to the bad actors as ransom in hopes of being able to regain control of systems. The second impact is operational, resulting in a loss of control of systems and data during the event. Potentially, an unsuccessful data restoration could result in the total loss of information and data maintained on your networks.

Though no organization may be able to entirely prevent a ransomware attack from occurring, there are basic cybersecurity controls that help reduce the likelihood and impact of an attack. Preventive controls may include:

  • Security awareness training on phishing emails and overall IT security practices for all organization users
  • Multi-factor authentication 
  • Access controls that prevent users from installing unapproved software onto organization-owned workstations and networks
  • Anti-malware software installed on devices that connect to organization systems 
  • Use of Zero Trust data management tools for backups
  • Disabling macros in emails (prevents back-end processes from automatically running) 

In addition to including these preventive controls in your cybersecurity program, your organization should assess the corrective controls already in place to react to a ransomware event if one is detected or reported. Corrective controls may include:

  • Disaster recovery plans/business continuity plans 
  • Incident response plans
  • Backup controls and restoration tests 

As the risk of ransomware continues to increase and the types of attacks continue to increase in sophistication, your organization should consider regular assessments of IT controls and cybersecurity practices. Such assessments may be performed in conjunction with annual financial statement audits as an expanded scope and/or as a separate annual IT assessment.

COVID-19 IT considerations 

The global COVID-19 pandemic significantly impacted nearly every aspect of modern life, including the way we work. As personnel were sent home and literally became a remote workforce overnight, IT systems and controls were rapidly adjusted to accommodate this new way of business.

Where controls and procedures were adjusted, if not suspended, your organization should review those changes and determine if controls should revert back to the pre-pandemic process—or be formally changed and documented as policy. 

Guidance from the American Institute of Certified Public Accountants (AICPA) dictates that a gap in controls associated with the pandemic is not a legitimate reason for not completing a control and that any changes must be documented and properly managed.  

Well over a year into the pandemic, the concept of a hybrid workforce has emerged as the predominant way employees and businesses want to work. Your organization should review current policies and procedures that may pre-date the pandemic to ensure that the updates both document and consider the current business environment. 

Additionally, with personnel working remotely or in a hybrid model, or a combination of both, you should assess practices for managing remote access and a hybrid workforce and, where needed, implement industry best-practice tools and procedures to accommodate a remote workforce while maintaining security controls. If you have questions regarding your cybersecurity procedures or want to learn more, please contact our team. We’re here to help.
 

Article
Cybersecurity update for organizations: Considerations for boards and senior management