Skip to Main Content

insightsarticles

Provider Relief Funds: Highlights

11.22.21

Read this if you have not yet reported for Phase 1.

Phase 1 provider relief reporting portal

HRSA opened the Provider Relief Funds (PRF) reporting portal on July 1, 2021, for Phase 1 PRF reporting. In Phase 1, providers will be reporting on the use of PRF received prior to June 30, 2020. While Phase 1 reporting was originally due September 30, 2021, HRSA has provided a 60-day grace period for the reporting period. Providers will be considered out of compliance with the reporting requirements if they do not submit reporting by November 30, 2021. Providers can submit their reporting on the Provider Relief Fund portal. Please note:

  1. Providers must register for the reporting portal, as this is not the same portal as the application and attestation portal. The portal registration must be completed in one session. Follow the link to the Portal Registration User guide
  2. Providers can only report on eligible lost revenues and expenditures related to payments received before June 30, 2020. Providers are not yet allowed to report on payments received subsequent to June 30, 2020. See the June 11, 2021 Reporting Requirements Notice for more detail on reporting requirements.
  3. The period of availability for Phase 1 lost revenues and eligible expenditures is January 1, 2020 through June 30, 2021.
  4. It is extremely helpful to complete the HRSA provider portal worksheets prior to beginning the portal data entry. 
  5. Providers should return unused funds as soon as possible after submitting their report. All unused funds must be returned no later than 30 days after the end of the grace period. (December 31, 2021)
  6. Provider Relief Funds are considered federal awards under Assistance Listing Number (ALN) 93.948. Providers, both for-profit and not-for-profit, may be subject to a Uniform Guidance Audit if they expend more than $750,000 of federal awards during the provider’s fiscal year. 
  7. Providers are able to retrieve their data submission from the portal if a copy was not retained during the submission process.

Your BerryDunn Hospital team is here to help you navigate the Provider Relief Fund reporting and compliance requirements. Please contact us if you have any questions or would like to talk about your specific situation. 

Related Industries

Related Services

Consulting

Business Advisory

Related Professionals

Principals

BerryDunn experts and consultants

Read this if you are involved with financial statement audits or use audited financial statements. 

Almost as exciting as the look of a new outfit or (completion of) a renovation project, SAS 134 brings a new design to the auditor’s report accompanying your audited financials for periods ending on or after December 31, 2021. Why the new look, you ask? 

Users spoke and the AICPA Auditing Standards Board listened. The new standard significantly changes the layout and content of the report (including management’s responsibilities) and permits communication of key audit matters (areas of higher assessed risk of material misstatement, areas involving significant judgment, or significant events or transactions during the period). Implemented changes include: 

  • The auditor’s opinion is now at the beginning of the audit report and otherwise strengthens the transparency for the auditor’s opinion.
  • The standard clarifies the responsibilities of both management and the auditors, strengthening the financial audit. 

Sample auditor’s report

The simplest way to relay the changes is with an example. The following report is a basic illustration in which an unmodified opinion was issued and the auditor was not engaged to communicate key audit matters. 

If you have questions or would like to speak to us about your specific situation, please contact us. We’re here to help.

Article
Auditor's report redesigned for better communication

Read this if your facility or organization has received Provider Relief Funds.

The rules over the use of the HHS Provider Relief Funds (PRF) have been in a constant state of flux and interpretation since the funds started to show up in your bank accounts back in April. Here is a summary of where we are as of June 14, 2021 on HHS’ reporting requirements. Key highlights:

These requirements apply to:

  • PRF General and Targeted Distributions
  • the Skilled Nursing Facilities (SNF) and Nursing Home Infection Control Distribution
  • and exclude:
    • the Rural Health Clinic COVID-19 Testing Program
    • claims reimbursements from HRSA COVID-19 Uninsured Program and the HRSA COVID-19 Coverage Assistance Fund (CAF)

This notice supersedes the January 15, 2021 reporting requirements.
Deadline for Use of Funds:

Payment Received Period

Deadline to Use Funds

Reporting Time Period

Period 1

4/10/20-6/30/20

6/30/21

7/1/21-9/30/21

Period 2

7/1/20-12/31/20

12/31/21

1/1/22-3/31/22

Period 3

1/1/21-6/30/21

6/30/22

7/1/22-9/30/22

Period 4

7/1/21-12/31/21

12/31/22

1/1/21-3/31/23

Recipients who received one or more payments exceeding $10,000 in the aggregate during each Payment Received Period above (rather than the previous $10,000 cumulative across all PRF payments) are subject to the above reporting requirements 

Responsibility for reporting:

  • The Reporting Entity is the entity that registers its Tax Identification Number (TIN) and reports payments received by that TIN and its subsidiary TINs.
  • For Targeted Distributions, the Reporting Entity is always the original recipient; a parent entity cannot report on the subsidiary’s behalf and regardless of transfer of payment.

Steps for reporting use of funds:

  1. Interest earned on PRF payments
  2. Other assistance received
  3. Use of SNF and Nursing Home Control Distribution Payments if applicable (any interest earned reported here instead), with expenses by CY quarter
  4. Use of General and Other Targeted Distribution Payments, with expenses by CY quarter
  5. Net unreimbursed expenses attributable to Coronavirus, net after other assistance and PRF payments by quarter
  6. Lost revenues reimbursement (not applicable to PRF recipients that received only SNF and Nursing Home Infection Control Distribution payments)

PORTAL WILL OPEN ON JULY 1, 2021!

Access the full update from HHS: Provider Post-Payment Notice of Reporting Requirements.

Article
Provider Relief Funds: HHS Post-Payment Notice of Reporting Requirements

Read this is if you are at a healthcare organization and considering telehealth options. 

Given the COVID-19 emergency declaration, telehealth service regulations have been greatly modified to provide flexibility and payment. The guidance on telehealth is very dispersed and can be difficult to navigate. Here are some FAQs based on the many questions we have received. If you have questions related to your specific situation, please contact us. We're here to help.

UPDATED: Are RHCs and FQHCs now eligible as distant site providers for telehealth services? If so, how will they be paid by Medicare?
Yes, the CARES Act includes RHCs and FQHCs as distant sites during the COVID-19 Public Health Emergency (PHE). Distant site telehealth services can be provided by any health care practitioner of the RHC or FQHC within their scope of practice. The practitioners can provide any distant site telehealth service that is approved as a distant site telehealth service under the Physician Fee Schedule (PFS) and from any location, including from the practitioner’s home. CMS has approved an interim payment rate of $92 for RHCs and FQHCs for these services. The rate is based on the average payment for all PFS telehealth services, weighted by the volume of those services paid under the PFS. This rate will apply for services furnished between January 27, 2020 and June 30, 2020. Modifier “95” must be included on the claim. In July 2020, these claims will be automatically reprocessed and be paid at the RHC all-inclusive rate (AIR) and the FQHC prospective payment system (PPS) rate. Reprocessing will begin when the Medicare claims processing system is updated for the new payment rate.

For telehealth distant site services furnished between July 1, 2020 and the end of the COVID-19 PHE, RHCs and FQHCs will need to use RHC/FQHC specific G code, G2025, for services provided via telehealth. These claims will be paid at the $92 rate, not the AIR or PPS rates. If the COVID-19 PHE continues beyond December 31, 2020, the $92 will be updated based on the 2021 PFS average payment rate for these services, again weighted by the volume of those services.

For services in which the coinsurance is waived, RHCs and FQHCs must put the “CS” modifier on the service line. RHC and FQHC claims with the “CS” modifier will be paid with the coinsurance applied, and the Medicare Administrative Contractor (MAC) will automatically reprocess these claims beginning on July 1. Coinsurance should not be collected from beneficiaries if the coinsurance is waived.

UPDATED: Will telehealth visits of any kind affect my FQHC or RHC encounter rate?
Costs associated with telehealth will not affect the prospective payment system rate for FQHCs or the all-inclusive rate calculation for RHCs, but the costs will need to be reported on the cost report. Costs of originating and distant site telehealth services will be reported as follows:

  • Form CMS-222-17 on line 79 (Cost Other Than RHC Services) of Worksheet A for RHCs
  • Form CMS-224-14 on line 66 (Other FQHC Services) of Worksheet A for FQHCs.

What is telehealth versus telemedicine?
Telemedicine refers to a remote clinical service while telehealth is a broader term that embodies a consumer-based approach to medical care, incorporating both delivery of care and education of patients.

UPDATED: What types of service levels are available?
There are three main types of Medicare virtual services with different payment levels. Here are the key things to know for each type:

Telehealth visits

  1. These are considered the same as in-person visits and paid at the same PFS rates as regular, in-person visits.
  2. Pre-existing patient relationship requirements have been waived.
  3. The patient originating site can be any healthcare facility or the patient’s home.

Virtual check-ins

  1. These are brief communications in a variety of technology-based manners.
  2. They do require the patient to initiate and consent to the check-in.
  3. It cannot be preceded by a medical visit within the previous 7 days and cannot lead to a medical visit within the next 24 hours. 
  4. A pre-existing relationship with the patient is required.
  5. Common billing codes include HCPCS code G2012 (telephone) and G2010 (captured video or images).

E-visits:

  1. These also need to be initiated by the patient in order to be billable and would be conducted using online patient portals (no face-to-face), for example.
  2. A pre-existing relationship with the patient is required.
  3. Common billing codes include CPT codes 99421-99423 and HCPCS codes G2061-G2063. 

The payment rate for these services will be $24.76 beginning March 1, 2020, through the end of the PHE, instead of the CY 2020 rate of $13.53, and should be billed using code G0071. MACs will automatically reprocess any claims with G00771 furnished on or after March 1, 2020, that were not paid at the new rate.

What codes can be billed as telehealth services?
Here is the listing effective as of March 1, 2020. 

Since this time, 85 additional codes have been added. Click here for the list. 

Do we need to request an 1135 waiver or are these changes covered by a blanket waiver from CMS?
A blanket waiver is in effect, retroactive to March 1, 2020 though the end of the emergency declaration. 

Is patient consent required?
Yes, patients must verbally consent to services. This includes brief telecommunications (which currently have a cost share for Medicare). We recommend it for all payers as a best practice.

Is there additional information expected from Medicare?
Yes, Medicare, Medicaid, and other payers are continually updating their guidance. 

What can we bill for telehealth services for Medicaid and insurance carriers?
This is the most problematic to track as it is continually evolving and every state and carrier is different. Providers must understand each payor’s requirements around audio and video, allowable CPT/HCPCS codes, modifiers, and place of service codes. As you have questions, please reach out to us so we can be sure to provide the most current answer.

Resources
Given how quickly information related to telehealth is changing, please feel free to contact us for the latest resources. 

Article
Telehealth FAQs

Read this if you are responsible for cybersecurity at your organization. 

During the financial audit process auditors are required to develop and confirm their understanding of Information Technology (IT) and cybersecurity practices as it relates to financial reporting to better understand risks and because of auditors’ heavy reliance on data pulled from accounting information systems. As auditors, we have seen a significant increase in the amount of impactful incidents affecting not-for-profit organizations and our IT security experts often share valuable advisory comments in annual audit communications with our clients. With recent incidents and a very rapidly changing business environment, here are the three most important from the last six months that impact all not-for-profits. 

Board oversight of cybersecurity 

Cybersecurity gaps within an organization’s systems may lead to risk exposure and have material impacts on all aspects of operations. Responsibility for cybersecurity controls and for establishing a culture of awareness and security should come from the Board and senior leadership. Board members and senior leaders should stay apprised of cybersecurity efforts on a regular basis and incidents should be summarized and reported on a quarterly basis. 

The Board should also consider adding a member who is a professional with IT and cybersecurity experience to help manage and understand the specific risks to the organization and help drive and support cybersecurity efforts.

Ransomware threats and preventive controls

The use of ransomware as a profitable attack on organizations by hackers continues to rapidly increase. Within the last year there have been multiple high-profile incidents that illustrate the impact of a successful attack. These impacts fall into two main areas. One impact may be financial, as millions of dollars are paid to the bad actors as ransom in hopes of being able to regain control of systems. The second impact is operational, resulting in a loss of control of systems and data during the event. Potentially, an unsuccessful data restoration could result in the total loss of information and data maintained on your networks. 

Though no organization may be able to prevent a ransomware attack from occurring entirely, there are basic cybersecurity controls that help reduce the likelihood and impact of an attack. Preventive controls may include: 

  • Security awareness training on phishing emails and overall IT security practices for all organization users
  • Multi-factor authentication 
  • Access controls that prevent users from installing unapproved software onto organization-owned workstations and networks
  • Anti-malware software installed on devices that connect to organization systems 
  • Use of Zero Trust data management tools for backups
  • Disabling macros in emails (prevents back-end processes from automatically running) 

In addition to including these preventive controls to your cybersecurity program, your organization should assess current corrective controls already in place to react to a ransomware event if one is detected or reported. Corrective controls may include:

  • Disaster recovery plans/business continuity plans 
  • Incident response plans
  • Backup controls and restoration tests 

As the risk of ransomware continues to increase and the types of attacks continue to increase in sophistication, your organization should consider regular assessments of IT controls and cybersecurity practices on a regular basis. Such assessments may be performed in conjunction with annual financial statement audits as an expanded scope and/or as a separate annual IT assessment. 

COVID-19 IT considerations 

The global COVID-19 pandemic significantly impacted nearly every aspect of modern life, including the way we work. As personnel were sent home and literally became a remote workforce overnight, changes to IT systems and controls rapidly adjusted to accommodate this new way of business. 

Where controls and procedures were adjusted, if not suspended, your organization should review those changes and determine if controls should revert back to the pre-pandemic process—or be formally changed and documented as policy. 

Guidance from the American Institute of Certified Public Accountants (AICPA) dictates that a gap in controls associated with the pandemic is not a legitimate reason for not completing a control and that any changes must be documented and properly managed.  

Well over a year into the pandemic, the concept of a hybrid workforce has emerged as the predominant way employees and businesses want to work. Your organization should review current policies and procedures that may pre-date the pandemic to ensure that the updates both document and consider the current business environment. 

Additionally, with personnel working remotely or in a hybrid model, or a combination of both, you should assess practices for managing remote access and a hybrid workforce and, where needed, implement industry best-practice tools and procedures to accommodate a remote workforce while maintaining security controls. If you have questions regarding you cybersecurity procedures or want to learn more, please contact our team. We’re here to help. 
 

Article
Cybersecurity update for organizations: Considerations for boards and senior management

Read this if you are working on ESG initiatives at your organization.

Whether you are a director or an executive well into the journey of developing and communicating your company’s strategic sustainability plans or in early stages, the rising public demand for environmental, social, and governance (ESG) reporting is becoming a force that cannot be ignored by boards and management teams.

ESG overview: reminders and FAQs

What does ESG information comprise? The term “ESG” reporting, used broadly, covers qualitative discussions of topics and quantitative metrics used to measure a company’s performance against ESG risks, opportunities, and related strategies. ESG, sustainability, and corporate social responsibility are terms often used interchangeably to describe nonfinancial reporting being shared publicly by companies. Such information is not currently subject to a singular authoritative set of standards.

What are examples of ESG and sustainability information? The following do not represent all-inclusive lists and, while some ESG information may be measured quantitatively, there are often many means to calculate metrics or information that may be difficult to quantify and therefore may be expressed qualitatively and described as such: 

As corporate ESG activities increase in relevance and importance to stakeholders, companies are seeking to both understand the complex landscape of ESG disclosure and reporting and determine the best path forward. This includes identifying, collecting, sharing, and improving upon qualitative and quantitative metrics reflecting long-term, strategic ESG value creation.

Organizations are in various stages of readiness to report on such decision-useful information. Currently, a myriad of reporting frameworks and wide variations in how companies choose to publicly share ESG information exist, making the ESG landscape complex to navigate. However, two things are certain:

  1. The pressure for companies to publicly disclose their approach to sustainability and ESG reporting continues to mount from a broad variety of stakeholders, and 
  2. ESG is rapidly rising to the forefront of boardroom agendas.

We have prepared the following to provide useful reminders, FAQs, and insights for those charged with governance as they consider the rapidly changing current ESG reporting landscape and evolving regulatory developments.

Is there a single authoritative set of ESG reporting standards? 

There are currently several frameworks and standards in use globally by companies to report on ESG, many of which may be complementary and used in combination for external reporting. Some of the more commonly used frameworks are: Sustainability Accounting Standards Board (SASB); Global Reporting Initiative (GRI); Task Force on Climate-Related Financial Disclosures (TCFD); International Integrated Reporting Council (IIRC); and Climate Disclosures Standards Board (CDSB). While many of these may already be complementary to each other, there is also growing support for a singular, global set of reporting standards for ESG, though the timing to achieve the necessary convergence remains uncertain.

Are U.S. companies required to disclose ESG information? 

Outside of certain industry regulators, such as required reporting by the Environmental Protection Agency on greenhouse gas emissions, implementation by U.S. companies remains voluntary. However, pressure from institutional investors—BlackRock, State Street and Vanguard—is mounting in support of companies providing ESG disclosures that align with both the SASB and TCFD frameworks. Additionally, sustainability risk issues are increasingly integrated into organizational risk frameworks such as COSO’s Enterprise Risk Management (ERM) framework.

Companies must also assess whether other ESG information, such as climate risk disclosures, are required under current MD&A disclosure rules. For example, if the risk represents a known trend or uncertainty the company reasonably expects will have a material impact on the company’s results of operations or capital resources, additional disclosure would be required.

What companies are reporting, and what information are they reporting? 

ESG disclosures vary significantly depending on the nature of the business, geography, industry, and stakeholder base, as well as available resources to devote to ESG. The largest global public companies have led the way in external ESG reporting and engagement, but this reporting is rapidly expanding to encompass smaller public entities and private entities. Companies of all sizes are both feeling the pressure to produce ESG reporting and identifying it as a means to differentiate themselves in the market by proactively conveying their corporate stories and strategies.

As noted in a recent White & Case study of proxy statements and filed 10-Ks for the top 50 companies by revenue in the Fortune 100, the following ESG categories showed the most significant increase in disclosures from the prior year:

  • Human capital management (HCM)
  • Environmental
  • Corporate culture
  • Ethical business practices
  • Board oversight of environment & social (E&S) issues
  • Social impact/community
  • E&S issues in shareholder engagement

The study noted that a majority of E&S disclosures in the SEC filings were qualitative and did not provide quantitative metrics. However, disclosures pertaining to environmental, HCM, and E&S goals, along with social impact and community relations were more likely to contain quantitative metrics.

Where do companies report ESG information? The most common places companies are providing public ESG disclosures include:

  • Standalone reports including corporate social responsibility (CSR)/sustainability reports
  • Company websites and marketing materials
  • MD&A sections of annual and quarterly reports
  • Earnings calls
  • Proxy statements and 8-Ks

Evolving auditor ESG attestation

Many of the metrics and qualitative disclosures around ESG information are not “governed” by an established framework such as generally accepted accounting principles (GAAP), and thus, may not be subject to the same rigor of processes and controls over such processes to ensure the integrity and accuracy of the underlying data and the appropriateness of the decisions and judgments being made by management in reporting on such information. For example, the fear of corporate “green or impact washing”—the incentive to make stakeholders believe that a company is doing more to promote ESG activities, particularly environmental protections, than it actually is—has left many stakeholders questioning the reliability, consistency, and accuracy of company ESG reporting. As ESG reporting continues to evolve and become a significant consideration for boards, investors, employees, suppliers, lenders, regulators, and others in making business decisions, there is a growing focus on the value of assurance on such information provided by independent third parties.

Type of attestation services to be provided

Determining the scope and level of assurance to be provided will vary based on company objectives in presenting ESG information, management’s readiness, and intended users and uses of ESG information. Attest services may include:

  • Examination: Consists of an examination performed by an auditor resulting in an independent opinion indicating whether the ESG information is in accordance with the agreed upon criteria, in all material respects. An examination engagement is the closest equivalent to the reasonable assurance obtained in an audit of financial statements.
  • Review: Consists of limited procedures, performed by an auditor, that result in limited assurance. The objective of a review engagement is for the auditor to express a conclusion about whether any material modifications should be made to the ESG information in order for it to be in accordance with the agreed upon criteria. Review engagements are substantially less in scope than examination engagements.


The ESG journey: first steps for boards just beginning the ESG reporting journey

The AICPA and Center for Audit Quality (CAQ) have issued a roadmap for audit practitioners laying out initial steps for those organizations and their boards who are in the beginning phases of the ESG reporting journey:

  • Conduct a materiality or risk assessment to determine which ESG topics are prioritized as important or “material” to the organization, its investors and other stakeholders
  • Implement appropriate board oversight of material ESG matters
  • Integrate/align material ESG topics into the ERM process
  • Integrate ESG matters into the overall company strategy
  • Implement effective internal control over ESG data collection, processing, and reporting


For boards considering an attestation engagement

The CAQ has further prepared the following questions boards may consider for companies that have already started reporting on ESG and may be considering an attestation engagement:

  • What is the purpose and objective of the attestation engagement on ESG information?
  • Who are the intended users of the ESG information and related attestation report?
  • Why do the intended users want or need an attestation report on the ESG information?
  • What are the potential risks associated with a misstatement or omission in the ESG information?
  • Does the company have a clear understanding what ESG information the intended users want or need to be in the scope of the attestation engagement?
  • What level of attestation service (examination or review engagement) will help the company achieve its objective?

Additional questions for board members to consider regarding their company’s preparedness for reporting include:

  • Does management have well established controls, policies, and procedures for the collection of and disclosure of ESG information? Are there gaps to be addressed?
  • Has the board, along with management, set specific objectives and goals for external reporting of ESG information?
  • Is the information disclosed by the company consistent across its various communication channels?
  • Are the ESG responsibilities at the board level clearly defined among appropriate committees and are those responsibilities directly linked to corporate strategic ESG goals and external reporting needs?
  • Have the right advisors been identified to assist in preparing for reporting and/or to attest to the quality of reporting?

Next steps

We encourage management, audit committees, and other board members to continue to educate themselves on the evolving landscape of ESG and carefully consider the needs of various stakeholders broadly when mapping out their ESG reporting needs. Particular attention should be paid to regulatory developments in this area.

Article
ESG reporting: Considerations for boards and those charged with governance

Read this if you are a plan sponsor of employee benefit plans.

This article is the eleventh in a series to help employee benefit plan fiduciaries better understand their responsibilities and manage the risks of non-compliance with Employee Retirement Income Security Act (ERISA) requirements. You can read the previous articles here.

Most employee benefit plans have outsourced a significant portion of the internal controls to a service organization, such as a third-party administrator. The plan administrator has a fiduciary responsibility to monitor the internal controls of the service organization and to determine if the outsourced controls are suitably designed and effective.

SOC 1 reports: Internal controls and financial reporting

Generally, the most efficient way to obtain an understanding of the outsourced controls is to obtain a report on controls issued by the service organization’s auditor. Commonly referred to as a System and Organization Controls (SOC) report, the SOC report should be based on the American Institute of Certified Public Accountants’ (AICPA) attestation standards and should cover internal controls relevant to financial reporting, also known as a SOC 1 report (the “1” indicating it covers internal controls over financial reporting).

Plan sponsors should perform a documented review of the SOC 1 report for each of the plan’s significant service organizations. The documented review should include the plan sponsor’s assessment of the complementary user entity controls outlined in the SOC 1 report. The complementary user entity controls are internal control activities that should be in place at the plan sponsor to provide reasonable assurance that the controls tested at the service organization are operating effectively at your plan. If a service organization’s internal controls are operating effectively, but complementary user entity controls are not in place at your organization, the effectiveness of the service organization’s internal controls may not transfer to your plan’s operations.

Creditability and CPA firms: Considerations

Creditability of the CPA firm completing the SOC 1 report examination may impact the reliability of the CPA firm’s opinion and thus your reliability on the service organization’s internal controls. Unfamiliarity with the service auditor’s qualifications may be mitigated through additional research. Items to consider are: 

  • The firm’s expertise in SOC 1 reporting
    • Are they familiar with the service organization’s industry?
    • How many professionals do they have that perform SOC 1 examination services?
  • The evaluation of AICPA peer reviews 
    Audit firms are required to have a periodic peer review conducted. The results of the peer review are public knowledge and can be found on the AICPA’s website.
    • Did the service auditor receive a “pass” rating during their most recent peer review?
    • Did the peer review cover SOC 1 examination services?
  • Evaluation of the service organization’s due diligence procedures surrounding the selection of an auditor

Some of this information may be readily available via the service auditor’s website, while other information may need to be gathered through direct communication with the service organization. A qualified service auditor should be able to provide a SOC 1 report that contains sufficient detail, relevant transactional activity, relevant control objectives, and a timely reporting period.

SOC 1 reports may contain an unqualified, qualified, adverse, or disclaimer of opinion. The report determines if the controls in place are adequate for complete and accurate financial reporting. Report qualifications may affect the risk of relying on the service organization and may result in the need for additional procedures or safeguards to help ensure the plan’s financial statements are presented fairly. Even if the SOC 1 report received an unqualified opinion, you should review the controls tested by the service auditor and the results of such testing for any exceptions. Exceptions, even if they don’t result in a qualified opinion, may have an impact on the plan’s control environment. 

You should also review the scope of the audit to check that all significant transaction cycles, processes, and IT applications were properly assessed for their impact on the plan’s financial statements. Areas outside the scope of the SOC 1 report may require additional consideration, including the possibility of obtaining more than one SOC 1 report for subservice organizations whose functions were carved out from the service organization’s SOC 1 report.

Subservice organizations

Subservice organizations are frequently utilized to process certain transactions or perform certain functions at the service organization. Management of the service organization may identify certain transaction cycles and processes that are performed by a subservice organization and choose to exclude relevant control objectives and related controls from the SOC 1 report description and the scope of the auditor’s engagement. In such cases, multiple SOC 1 reports may need to be acquired to gain adequate coverage of all controls and objectives relevant to your plan. 

Furthermore, you need to consider the time period the SOC 1 report covers. Coverage should be obtained for your plan’s full fiscal year. For SOC 1 reports that lack coverage of your plan’s full fiscal year, a bridge letter should be obtained to help ensure that no significant changes in controls occurred between the SOC 1 report examination period and the end of your plan’s fiscal year.

Although plans commonly outsource a significant portion of their day-to-day operations to service organizations, plan fiduciaries cannot outsource their responsibilities surrounding the maintenance of a sound control environment. SOC 1 reports are a great resource to assess the control environments of service organizations. However, such reports can be lengthy and daunting to review. We hope this article provides some best practices in reviewing SOC 1 reports. If you have any questions, or would like to receive a copy of our SOC 1 report review template, please don’t hesitate to reach out to our Employee Benefits Audit team.

Article
Service organizations and review of SOC 1 reports: Considerations and recommendations

Read this if you are not familiar with the expansion of eligibility for employee retention credits (ERC).

Are you familiar with the IRS’ recent additional, taxpayer-friendly guidance that provides some clarity in claiming the employee retention credit (ERC)? 

Employee Retention Credits in the CARES Act: Background

Congress originally enacted the ERC in the CARES Act in March of 2020 to encourage employers to hire and retain employees during the pandemic. At that time, the ERC applied to wages paid after March 12, 2020 and before January 1, 2021. However, Congress later modified and extended the ERC to apply to wages paid before July 1, 2021. Then with the American Rescue Plan Act (ARPA) signed into law on March 11, 2021, the ERC was modified to apply to wages paid through December 31, 2021. The recently passed infrastructure bill eliminates the ERC the quarter ending December 31, 2021.

The rules are complex but there may be some limited ability for your organization to benefit, based on some late changes to the rules. Originally, taxpayers who received PPP loans were not eligible, but the rules changed and now provide that employers who received PPP loans may qualify for the ERC with respect to wages that were not paid for with proceeds from a forgiven PPP loan. This change is retroactive to March 12, 2020. 

The ERC is a refundable payroll tax credit for wages paid and health coverage provided by an employer whose operations were either fully or partially suspended due to COVID-related governmental order or that experienced a significant reduction in gross receipts.  

Regarding the reduction in gross receipts, for any quarter in 2020, a greater than 50% reduction in gross receipts is required during the calendar quarter compared to the same quarter of 2019 in order to qualify. For 2021, the eligibility threshold for employers is reduced from a greater than 50% to a greater than 20% decline in gross receipts for the same quarter of 2019 in order to qualify for the ERC for any quarter. There is an alternative quarter election for 2021 that allows employers to use prior quarter gross receipts compared to the same quarter for 2019 to determine eligibility. For example, for the first calendar quarter of 2021, an employer may elect to use its gross receipts for the fourth quarter of 2020 compared to those for the fourth calendar quarter of 2019 to determine if the decline in gross receipts test is met.

The IRS recently clarified that in determining gross receipts an employer does not need to include forgiven PPP loans, shuttered venue operator grants, or restaurant revitalization grants as gross receipts. Gross receipts for exempt organizations are calculated in the same manner as gross receipts on page 1 of Form 990 in Box G, which includes proceeds from the sales of investments as well as all contribution, program and investment revenue.

The amount of the credit can be substantial. For 2020, the credit is 50% of the first $10,000 of qualified wages per employee for the qualifying period beginning as early as March 12, 2020 and ending December 31, 2020 (thus the max credit per employee is $5,000 in 2020). For 2021, the credit is 70% of the first $10,000 of qualified wages per employee, per qualifying quarter (thus the potential max credit is $21,000 per employee in 2021).  

For 2021, employers with 500 or fewer full-time employees in 2019 may include all wages and health plan expenses as qualified wages. For 2020, employers with 100 or fewer full-time employees in 2019 may include all wages and health plan expenses as qualified wages while employers with more than 100 full-time employees in 2019 may only claim the credit for qualified wages paid to employees who did not provide services. For purposes of determining full-time employees, an employer only needs to include those that work 30 hours a week or 130 hours a month in the calculation. Part-time employees working less than this would not be considered in the employee count.

There is additional interplay between claiming the ERC and the wages used for PPP loan forgiveness that will need to be considered.  

What should you do now? 

It makes sense to determine your eligibility for the ERC. We recommend that you compile your business gross receipts by calendar quarter for 2019, 2020, and the first three quarters of 2021. Let us know if you want a template to do this. We can then help you evaluate whether you have any quarters where you might qualify for the ERC.  

Keep in mind that if your business operations were either fully or partially suspended due to a COVID-related government order then you will likely already qualify for that quarter but the eligible wages will only be for the wages paid during the shutdown period.  

Please let us know if you have any questions or need any assistance.

Article
CARES Act: Eligibility for employee retention credits