Skip to Main Content

insightsarticles

Save time and effort—our list of tips to prepare for
year-end
reporting

06.23.22

Editor's note: read this if you are a CFO, controller, accountant, or business manager.

We auditors can be annoying, especially when we send multiple follow-up emails after being in the field for consecutive days. Over the years, we have worked with our clients to create best practices you can use to prepare for our arrival on site for year-end work. Time and time again these have proven to reduce follow-up requests and can help you and your organization get back to your day-to-day operations quickly. 

  1. Reconcile early and often to save time.
    Performing reconciliations to the general ledger for an entire year's worth of activity is a very time consuming process. Reconciling accounts on a monthly or quarterly basis will help identify potential variances or issues that need to be investigated; these potential variances and issues could be an underlying problem within the general ledger or control system that, if not addressed early, will require more time and resources at year-end. Accounts with significant activity (cash, accounts receivable, investments, fixed assets, accounts payable and accrued expenses and debt), should be reconciled on a monthly basis. Accounts with less activity (prepaids, other assets, accrued expenses, other liabilities and equity) can be reconciled on a different schedule.
  2. Scan the trial balance to avoid surprises.
    As auditors, one of the first procedures we perform is to scan the trial balance for year-over-year anomalies. This allows us to identify any significant irregularities that require immediate follow up. Does the year-over-year change make sense? Should this account be a debit balance or a credit balance? Are there any accounts with exactly the same balance as the prior year and should they have the same balance? By performing this task and answering these questions prior to year-end fieldwork, you will be able to reduce our follow up by providing explanations ahead of time or by making correcting entries in advance, if necessary. 
  3. Provide support to be proactive.
    On an annual basis, your organization may go through changes that will require you to provide us documented contractual support.  Such events may include new or a refinancing of debt, large fixed asset additions, new construction, renovations, or changes in ownership structure.  Gathering and providing the documentation for these events prior to fieldwork will help reduce auditor inquiries and will allow us to gain an understanding of the details of the transaction in advance of performing substantive audit procedures. 
  4. Utilize the schedule request to stay organized.
    Each member of your team should have a clear understanding of their role in preparing for year-end. Creating columns on the schedule request for responsibility, completion date and reviewer assigned will help maintain organization and help ensure all items are addressed and available prior to arrival of the audit team. 
  5. Be available to maximize efficiency. 
    It is important for key members of the team to be available during the scheduled time of the engagement.  Minimizing commitments outside of the audit engagement during on site fieldwork and having all year-end schedules prepared prior to our arrival will allow us to work more efficiently and effectively and help reduce follow up after fieldwork has been completed. 

Careful consideration and performance of these tasks will help your organization better prepare for the year-end audit engagement, reduce lingering auditor inquiries, and ultimately reduce the time your internal resources spend on the annual audit process. See you soon. 

Related Services

Related Professionals

Principals

BerryDunn experts and consultants

The Centers for Medicare & Medicaid Services (CMS) has issued the final rule for FY 2023 SNF PPS which was published in the Federal Register on August 3, 2022. The rule:

  • Updates the PPS rates for SNFs for FY 2023 using the market basket update and budget neutrality factors effective October 1, 2022;
  • Recalibrates the Patient Driven Payment Model (PDPM) parity adjustment;
  • Establishes a permanent 5% cap on annual wage index decreases;
  • Finalizes proposed changes in PDPM International Classification of Diseases, Version 10 (ICD-10) code mappings;
  • Updates the SNF Quality Reporting Program (SNF QRP); and
  • Updates the SNF Value-Based Purchasing (SNF VBP) Program.

2023 PPS rate calculations

The final rule provides a net market basket increase for SNFs of 5.1 percent beginning October 1, 2022 which reflects:

  • An unadjusted market basket increase of 3.9 percent adjusted upward by 1.5 percent associated with a forecast error adjustment;
  • A reduction of 0.3 percentage points in accordance with the multifactor productivity adjustment required by Section 3401(b) of the Affordable Care Act (ACA).

In addition, as discussed in the Recalibration of the PDPM parity adjustment section below, the net market basket increase of 5.1 percent is further reduced by 2.3 percent related to accounting for year one of a two-year PDPM parity adjustment phase-in.

CMS projects an overall increase in Medicare Part A SNF payments of approximately 2.7 percent or $904 million in FY 2023 related to the payment rate updates. The final rule also estimates an increase in costs to SNFs of $31 million related to the FY 2023 SNF QRP changes and an estimated reduction of $186 million in aggregate payments to SNFs during FY 2023 as a result of the changes to the SNF VBP program.

The projected overall impact to providers in urban and rural areas is an average increase of 2.7% and 2.5%, respectively, with a low of 1.4% for urban outlying providers and a high of 3.6% for urban Pacific providers―actual impact will vary. 

The applicable wage index continues to be based on the hospital wage data, unadjusted for occupational mix, rural floor, or outmigration adjustment (from FY 2019) in the absence of SNF specific data.

Recalibration of the PDPM parity adjustment

When CMS finalized PDPM in October 2019 it also finalized that this new case-mix classification model would be implemented in a budget neutral manner. However, since PDPM implementation, CMS has closely monitored SNF utilization data which has indicated an unintended increase in payments to providers. In order to achieve budget neutrality under PDPM, CMS is finalizing their proposal to recalibrate the PDPM parity adjustment using a factor of 4.6 percent (an impact of $1.5 billion) using the combined methodology of a subset population that excludes patients whose stay utilized a coronavirus (COVID-19) public health emergency (PHE)-related waiver or who were diagnosed with COVID-19 and control period data using months with low COVID-19. CMS is finalizing the implementation of the parity adjustment with a two-year phase-in period (2.3 percent applied in FY 2023, and 2.3 percent in FY 2024), which means that, for each of the PDPM case-mix adjusted components, CMS will lower the PDPM parity adjustment factor from 46 percent to 42 percent in FY 2023 and would further lower the PDPM parity adjustment factor from 42 percent to 38 percent in FY 2024. CMS applied the parity adjustment equally across all components.

Permanent cap on wage index decreases

To mitigate instability in SNF PPS payments due to significant wage index decreases that may affect providers in any given year, CMS is finalizing a permanent 5% cap on annual wage index decreases to smooth year-to-year changes in providers’ wage index payments.

Changes in PDPM ICD-10 code mappings

Beginning with the updates for FY 2020 nonsubstantive changes to the ICD-10 codes included on the PDPM code mappings and lists are applied through a subregulatory process consisting of posting updated code mappings and lists on the PDPM website. Substantive changes will be proposed through notice and comment rulemaking. The final rule finalized several proposed changes to the PDPM ICD-10 mappings.

SNF QRP update

CMS is finalizing the adoption of a new process measure, the Centers for Disease Control and Prevention (CDC)-developed Influenza Vaccination Coverage Among Healthcare Personnel (HCP) (NQF#0431) measure, beginning with the FY 2024 SNF QRP. The measure is intended to increase influenza vaccination coverage in SNFs, promote patient safety, and increase the transparency of quality of care in the SNF setting. Residents of long-term care facilities have greater susceptibility for acquiring influenza. Therefore, monitoring and reporting influenza vaccination rates among HCP is important as HCP are at risk for acquiring influenza from residents and exposing residents to influenza. The measure reports the percentage of HCP who receive an influenza vaccine. SNFs will submit the measure data through the CDC National Healthcare Safety Network.

CMS is also revising the compliance date for certain SNF QRP reporting requirements, including the Transfer of Health Information measures and certain standardized patient assessment data elements to October 1, 2023. This will align the collection of data with the Inpatient Rehabilitation Facilities and Long-Term Care Hospitals and Home Health Agencies.

SNF VBP program

The rule finalizes a proposal to suppress the SNF 30-Day All-Cause Readmission Measure (SNFRM) as part of the performance scoring for the FY 2023 SNF VBP program year due to the combination of fewer admissions to SNFs, regional differences in the prevalence of COVID-19 throughout the PHE and changes in hospitalization patterns in FY 2021 which has impacted the ability to use the SNFRM to calculate payments for the FY 2023 program year. For FY 2023, CMS will assign a performance score of zero to all participating SNFs and will reduce the otherwise applicable adjusted Federal per diem rate for each SNF by 2% and award SNFs 60% of that withhold, resulting in a 1.2% payback. Any SNFs that do not report a minimum of 25 stays for the SNFRM will be excluded from the VBP program for FY 2023.

In addition, Section 111(a)(2) of the Consolidated Appropriations Act, 2021 allows the secretary to add up to an additional nine new measures with respect to payments beginning in FY 2023 to the VBP program, which may include measures of functional status, patient safety, care coordination, or patient experience. CMS is using this authority to finalize the adoption of three new measures into the VBP program—two measures in FY 2026 and one measure in FY 2027.

CMS is also finalizing a number of updates to its scoring methodology:

  • Updating the policy for scoring SNFs that do not have sufficient baseline period data beginning with the FY 2026 VBP Program year.
  • Adoption of a measure minimum policy beginning with the FY 2026 SNF VBP program year which will require a two-measure minimum for a SNF to receive a SNF performance score for FY 2026 and a three-measure minimum for FY 2027.
  • Adoption of a case minimum policy for the SNFRM that replaces the Low-Volume Adjustment policy beginning with the FY 2023 program year. 
  • Adoption of a case minimum policy for the SNF HAI, Total Nurse Staffing, and DTS PAC SNF Measures beginning between FY 2026 and FY 2027.

Our experts at BerryDunn have created an interactive rate calculator to assist you with the calculation of your PPS rates for FY 2023. You can access the PPS rate calculator now:

Click to download SNF PPS Rate Calculator

Please note: The rates per our calculator are prior to any FY 2023 VBP adjustment based on the final rule which includes special scoring and payment policies for FY 2023. When CMS releases the final VBP incentive payment multipliers for FY 2023 by facility, we will update the interactive rate calculator as necessary.

If you have any specific questions about the final rule or how it might impact your facility, please contact Ashley Tkowski or Melissa Baez.

Article
Fiscal Year (FY) 2023 Skilled Nursing Facility (SNF) Prospective Payment System (PPS) final rule

Read this if you are a Skilled Nursing Facility (SNF) providing services to Medicare beneficiaries.

Skilled Nursing Facility (SNF) bad debt expenses resulting from uncollectible Medicare Part A and Part B deductible and coinsurance amounts for covered services are reimbursable under the Medicare Program on a full-utilization Medicare cost report. SNF providers can report allowable Medicare bad debt expense on Worksheet E, form CMS-2540-10. Currently Medicare reimburses 65% of the allowable amount, less sequestration, if applicable.  

BerryDunn maintains a database of SNF as filed Medicare cost reports nation-wide. We analyze data annually, looking for trends and opportunities to help providers optimize available reimbursement. Cost reports data shows that in 2018–2020, on average, 75% of facilities nation-wide reported allowable bad debts, and claimed, on average, close to $63,000 of reimbursable bad debts for Medicare Part A. 

To compare facilities of different sizes and Medicare utilization rate, we also show bad debts on per Medicare patient day basis (figure 2). In FY 2020, all US regions experienced an increase in reimbursable Medicare Part A debt, averaging $19.43 per Medicare patient day.  

Understanding the requirements for bad debts and utilizing this reimbursing opportunity could help your facility’s bottom line. 

Medicare bad debt checklist now available

To support SNFs with reimbursement for these costs, BerryDunn’s healthcare consulting team has developed a checklist that provides insight into the Medicare cost report opportunities. 

Download the checklist, and please contact us if you have any questions about your specific situation or would like to learn more.

Article
Medicare bad debt: Review sample procedures for Skilled Nursing Facilities

Read this if your company is a benefit plan sponsor.

While plan sponsors have been able to amend their 401(k) plans to include a post-tax deferral contribution called Roth for more than a decade, only 86% of plan sponsors have made it available to participants, according to the Plan Sponsor Council of America. Meanwhile, despite the potential benefits of such plans, just a quarter of participants who have access to the Roth 401(k) option use it. Plan sponsors may want to consider adding a Roth 401(k) option to their lineup because of the potential tax benefits and other advantages for plan participants.

A well-designed Roth 401(k) may be an attractive option for many plan participants, and it is important for plan sponsors considering such a feature to design the plan with the needs of their workforce in mind. It is also critical to clearly communicate the differences from the pre-tax option, specific timing rules required, and the tax-free growth it offers. Additionally, plan sponsors should be mindful of potential administrative costs and other compliance requirements in connection with allowing the Roth option.

Roth 401(k)s: The basics

A Roth is a separate contribution source within a 401(k) or 403(b) plan that differs from traditional retirement accounts because it allows participants to contribute post-tax dollars. Since participants pay taxes on these contributions before they are invested in the account, plan participants may make qualified withdrawals of Roth monies on a tax-free basis, and their accounts grow tax-free as well.

Participants of any income level may participate in a Roth 401(k) and may contribute a maximum of $20,500 in 2022—the same limit as a pre-tax 401(k). Contributions and earnings in a Roth 401(k) may be withdrawn without paying taxes and penalties if participants are at least 59½ and it’s been at least five years since the first Roth contribution was made to the plan. Participants may make catch-up contributions after age 50, and they may split their contributions between Roth and pre-tax. Similar to pre-tax 401(k) accounts, Roth 401(k) assets are considered when determining minimum distributions required at age 72, or 70 ½ if they reached that age by Jan. 1, 2020.

Only employee elective deferrals may be contributed post-tax into Roth 401(k) accounts. Employer contributions made by the plan sponsor, such as matching and profit sharing, are always pre-tax contributions. If the plan allows, participants may convert pre-tax 401(k) assets into a Roth account, but it is critical to remember that doing so triggers taxable income and participants must be prepared to pay any required tax. In addition, plan sponsors must be careful to offer Roth 401(k)s equally to all participants rather than just a select group of employees.

Qualified distributions from a designated Roth account are excluded from gross income. A qualified distribution is one that occurs at least five years after the year of the employee’s first designated Roth contribution (counting the first year as part of the five) and is made on or after age 59½, on account of the employee’s disability, or on or after the employee’s death. Non-qualified distributions will be subject to tax on the earnings portion only, and the 10% penalty on early withdrawals may apply to the part of the distribution that is included in gross income. Participants may take out loans if permitted in the plan document. 

First steps for plan sponsors

A common misconception among plan sponsors is that a Roth offering requires a completely different investment vehicle. The feature is simply an added contribution option; therefore, no separate product is needed.

When considering the addition of a Roth 401(k) option, it is important for plan sponsors to check with service providers to determine whether payroll may be set up properly to add a separate deduction for the participant. Plan sponsors may also need to consider guidelines for conversions, withdrawals, loans, and other features associated with the Roth contribution source to ensure the plan document is prepared and followed accurately.

Education is an important component of any new plan feature or offering. Plan sponsors should check with service providers to see how they may help to explain the feature and optimize its rollout for the plan. One-on-one meetings with participants may be very helpful in educating them about a Roth account.

A word about conversions

If permitted by the plan document, participants may convert pre-tax 401(k) plan assets (deferrals and employer contributions) to the Roth source within their plan account. The plan document may allow for entire account conversions or just a stated portion. When assets are converted, participants must pay income taxes on the converted amount, and the additional 10% early withdrawal tax won’t apply to the rollover. Plan sponsors should educate participants on the benefits of converting to the Roth inside the company 401(k).

Collaborate with the right service providers to educate your participants

The right service providers may review your current plan design, set up accounts properly, actively engage and educate your participants, and offer financial planning based on individual circumstances to show how design features like a Roth account may benefit their situation. If you would like to start the conversation about adding a Roth option or enhancing your participant education program, contact our employee benefits team. We are here to help. 

Article
Plan sponsor alert: Roth 401(k) remains underutilized despite potential benefits

Read this if you are a Maine business or pay taxes in Maine.

Maine Revenue Services has created the new Maine Tax Portal, which makes paying, filing, and managing your state taxes faster, more efficient, convenient, and accessible. The portal replaces a number of outdated services and can be used for a number of tax filings, including:

  • Corporate income tax
  • Estate tax
  • Healthcare provider tax
  • Insurance premium tax
  • Withholding
  • Sales and use tax
  • Service provider tax
  • Pass-through entity withholding
  • BETR

The Maine Tax Portal is being rolled out in four phases, with two of the four phases already completed. Most tax filings for both businesses and individuals are now available. A complete listing can be found on maine.gov. Instructional videos and FAQs can also be found on this site.

In an effort to educate businesses and individuals on the use of the new portal, Maine Revenue Services has been hosting various training sessions. The upcoming schedule can be found on maine.gov

Article
New Maine Tax Portal: What you need to know

Read this if you are a broker-dealer. 

Effective January 1, 2023, the Financial Industry Regulatory Authority (FINRA) and other industry self-regulatory organizations adopted certain changes to the securities industry continuing education (CE) and registration rules to train registered persons more effectively.

These upcoming changes, which include the annual Regulatory Element for each registration category and the extension of the Firm Element to all registered persons, are expected to help make sure all registered persons receive timely and relevant training. See below for some of these changes.

Annual Regulatory Element for each registration category Extension of Firm Element
of all registered persons

Annually, by December 31st, registered persons will be required to complete the CE Regulatory Element

Registered persons will receive content tailored specifically to each representative or principal registration category they hold

Failure to complete the Regulatory Requirement annually will cause the registered person to be automatically designated as CE inactive by FINRA

The CE rules have been amended to:

  • Extend the annual Firm Element requirement to all registered persons
  • Allow firms to consider their training programs relating to the anti-money laundering compliance meeting toward satisfying an individual's annual Firm Element requirement

The current minimum Firm Element training criteria has been revised to require the training to cover topics related to professional responsibility and the role, activities, or responsibilities of the registered person


Firms should begin to prepare now for these changes. FINRA and the CE Council are committed to developing resources and guidance to support firms as they assess their education needs and develop their training requirements. FINRA is committed to providing more information as it becomes available. 

What can you do now to comply with these upcoming rule changes by January 1, 2023?
Review FINRA’s Regulatory Notice 21-41 and FINRA’s CE Transformation resource page to become familiar with upcoming changes. Review the 2023 Regulatory Element topics on FINRA’s website.

If you have any questions about your specific situation or would like more information, please contact our Broker-dealers team. We're here to help. 

Article
Important changes to securities industry continuing education

On November 8, 2022, Massachusetts voters approved a constitutional amendment to alter the state’s flat 5% income tax to add a 4% surtax on annual income exceeding $1 million. The so-called “millionaires tax,” also referred to as the “Fair Share Amendment,” is effective for tax years beginning on or after Jan. 1, 2023. The annual income level subject to the surtax would be adjusted yearly to reflect increases in the cost of living.

This measure is expected to bring in revenue of between $1.2 and $2 billion annually. The proceeds from the increased tax collections will support state budgets in the areas of education, roads, bridges, and public transportation. The measure passed with 52% voter support and is the sixth attempt to change the state’s flat income tax rate since 1962. This amendment is expected to affect about 0.6% of the state’s population, or about 20,000 taxpayers.

If you expect your income to exceed $1 million in 2023 and have questions regarding the recent legislation, please contact a member of our state and local tax team.

Article
Massachusetts voters pass "Millionaires tax"

Read this if you are responsible for cybersecurity or are a member of a board of directors.

The board’s role in the oversight of organizational risk is increasingly complicated by cybersecurity concerns. Cybersecurity risk is pervasive and will affect companies in a variety of ways. The responsibility for detailed cyber risk oversight within the board should be well documented and communicated, and may often touch various committees across the board, including but not limited to risk, audit, and compliance. With the increasing complexity surrounding cybersecurity, it is also important for the board to evaluate existing experience and skills, identify gaps, and address those gaps through succession planning or leveraging advisors.

Additionally, all directors need to maintain continual knowledge about evolving cyber issues and management’s plans for allocating resources with respect to the preparedness in responding to cyber risks. Such knowledge helps boards assess the priority-driven and investment decisions put forth by management needed in critical areas.

Here are some critical questions that boards and management should be considering with respect to mitigating cyber security risk for their organizations. They may be useful as a starting point for boards to use in their discussions and as a guide when looking at their oversight of management’s plans for addressing potential cyber risks.

General

  • What is the threat profile and risk tolerance of our organization based on our business model and the type of data our organization holds?
  • Is the cyber risk management plan documented, including the identification, protection, and disposal of data?
  • Has the cyber risk management plan been tested?
  • Does our organization’s cybersecurity strategy align with our threat profile and risk tolerance?
  • Is our cybersecurity risk viewed as an enterprise-wide issue and incorporated into our overall risk identification, management, and mitigation process?
  • What percentage of our IT budget is dedicated to cybersecurity?
  • Does that allocation conform to industry standards?
  • Is it adequate based on our threat profile?
  • What are stakeholder demands and priorities for cybersecurity? Data privacy? Data governance? What interactions has the company or board had with shareholders regarding cybersecurity?
  • What is the interaction model between senior management and the board for communications regarding cybersecurity?
  • Has the regulatory focus on the board’s cybersecurity responsibility been increasing? If so, what is driving that focus?

Board cybersecurity oversight

  • How is oversight of cybersecurity structured (committee vs. full board) and why? Is this structure well documented in the appropriate governance charters?
  • Is cybersecurity an area considered and reported as a director competency? If so, have skill/experience gaps been identified together with plans to resolve those gaps?
  • Is there a cybersecurity expert on the board?

Overall cybersecurity strategy

  • Does the board play an active part in determining an organization’s cybersecurity strategy?
  • What are the key elements of a good cybersecurity strategy?
  • Is the organization’s cybersecurity preparedness receiving the appropriate level of time and attention from management and the board (or appropriate board committee)?
  • How do management and the board (or appropriate board committee) make this process part of the organization’s enterprise-wide governance framework?
  • How do management and the board (or appropriate board committee) support improvements to the organization’s process for conducting a cybersecurity assessment?

Risk assessment: risk profile

  • What are the potential cyber threats to the organization?
  • Who is responsible for management oversight of cyber risk?
  • Has a formal cyber assessment been performed? Does it need to be updated?
  • Do management and the board understand the organization’s vulnerabilities and how it may be targeted for cyber-attacks?
  • What do the results of the cybersecurity assessment mean to the organization as it looks at its overall risk profile?
  • Is management regularly updating the organization’s inherent risk profile to reflect changes in activities, services, and products?

Risk assessment: cyber maturity oversight

  • Who is accountable for assessing, managing, and monitoring the risks posed by changes to the business strategy or technology and are those individuals empowered to carry out those responsibilities?
  • Is there someone dedicated full-time to our cybersecurity mission and function, such as a Chief Information Security Officer (CISO)?
  • Is our cybersecurity function properly aligned within the organization? (Aligning the CISO under the CIO may not always be the best model as it may present a conflict. Many organizations align this function under the risk, compliance, audit, or legal functions, while others with a direct or “dotted line” reporting to the CEO.)
  • Do the inherent risk profile and cybersecurity maturity levels meet risk management expectations from management, the board, and shareholders? If there is misalignment, what are the proposed plans to bring them into alignment?

 Cybersecurity controls

  • Do the organization’s policies and procedures demonstrate management’s commitment to sustaining appropriate cybersecurity maturity levels?
  • What is the ongoing practice for gathering, monitoring, analyzing, and reporting risks?
  • How effective are the organization’s risk management activities and controls identified in the assessment?
  • Are there more efficient or effective means for achieving or improving the organization’s risk management and control objectives?
  • Are there controls in place to ensure adequate, accurate and timely reporting of cybersecurity related content?
  • How does the company remain apprised of laws and regulations and ensure compliance?
  • What cloud services does our organization use and how risky are they?
  • How are we protecting sensitive data?

Threat intelligence and collaboration

  • What is the process for gathering and validating inherent risk profile and cybersecurity maturity information?
  • Does our organization share threat intelligence with law enforcement?
  • What third parties does the organization rely on to support critical activities and does the organization regularly audit their level of access?
  • What is the process to oversee third parties and understand their inherent risks and cybersecurity maturity?

Cybersecurity metrics

  • Have we defined appropriate cybersecurity metrics, the format, and who should be reporting to the board?
  • How regularly should a board obtain IT metric information?
  • Is the information meaningful in a way that invokes a reaction and provides a clear understanding of the level of risk willing to be accepted, transferred, or mitigated?
  • How is the board actively monitoring progress or lack of progress and holding management accountable?

Cyber incident management and resilience

  • How does management validate the type and volume of cyber-attacks?
  • Does the organization have a comprehensive cyber incident response and recovery plan? Does it involve all key stakeholders—both internal and external? Does it include a business disaster recovery communication process?
  • How does an incident response and recovery plan fit into the overall cybersecurity strategy?
  • Is the board’s response role clearly defined?
  • Is the cyber incident response reviewed and rehearsed at least annually? Do rehearsals include cyber incident exercises?
  • Is there a culture of cyber awareness and reporting at all levels of the company?
  • Is the company adequately insured and is coverage reviewed at least annually?

Cybersecurity education

  • How does the board remain current on cybersecurity developments in the market and the regulatory environment?
  • Currently, how does the board evaluate directors' knowledge of the current cyber environment and cybersecurity issues impacting their organizations?
  • Do boards currently have the skill sets necessary to adequately oversee cybersecurity? How is the board identifying and evaluating the necessary director skills and experience in this area?
  • Are directors provided with educational opportunities in this area?
  • Is regular cybersecurity education provided to the entire organization?

Cybersecurity disclosure

  • Has oversight of cybersecurity reporting been defined for management and the board?
  • Are company policies and procedures to identify and manage cybersecurity risk, management’s role in implementing cybersecurity policies and procedures, board of directors’ cybersecurity expertise and its oversight of cybersecurity risk, being included within the financial statement and proxy disclosures?
  • Does the company have a mechanism for timely reporting of material cybersecurity incidents?
  • Have updates about previously reported material cybersecurity threats and incidents been included in the financial statements?

If you have any questions about cybersecurity programs, communicating with your board about cybersecurity, or have a specific question about your company or organization, please contact our IT security experts. We're here to help. 

Article
Board oversight of cybersecurity: Questions to ask

Read this if you think your organization may have to prepare an HRSA audit.

Many healthcare providers who have never done an audit before may be required by the Health Resources and Services Administration (HRSA) agency to do so this year because they received Provider Relief Funding (PRF). We’re helping you prepare by answering some common queries about the PRF audit:

Will my organization have to complete a PRF audit?

The HRSA requires organizations to complete a federal single audit when they expend more than $750,000 of federal funding in one year, regardless of whether those federally sourced funds came directly from the federal government or were passed from a state or local government. Healthcare providers who received $10,000 or more from the PRF during a given period must report on usage.

For many providers, this is the first time they’ve received over $750,000 in federal funding. As a result, these providers will need to complete the single audit for the first time.

Other providers, especially physician practices, may not meet the single audit expense threshold, but that doesn’t mean they’re free from audit obligations. While they may not have to complete a single audit, if they received funding from the PRF, they may need to complete a HRSA-required audit—and the data requests for these audits are, in some cases, more involved than those for the single audit.

What will the HRSA’s PRF audit look like?

The audit will address the data used by the providers to report on their usage of PRF money. That means they will need to provide support for lost revenue and expenses that justify the use of the funds that they received.

The HRSA is going to drill down on the revenue numbers, specifically looking at the general ledger (GL) and other select revenue tests. On the expenses side, they’re going to look at the GL, invoice dates, payments and more.

To complete this audit, HRSA will require a significant amount of supporting documentation. Ideally, most of these documents should already have been copied and set aside as support in anticipation of financial reporting requirements. Below is a partial list of items that could be requested during the audit:

  • General Ledger details
  • Listing of expenses reimbursed with PRF payments grouped into specified categories
  • Listing of patient care revenue by payer
  • Listing of other sources of assistance
  • Listing of expenses reimbursed with the other assistance received
  • Detailed inventory listing of IT supplies
  • Budget attestation from CEO or CFO and board minutes showing ratification of the budget before March 27, 2020
  • Documentation of lost revenue methodologies
  • Audit financial statements
  • CMS cost reports for Medicare and Medicaid
  • Other supporting documentation

If certain documentation isn’t available, providers will need to request copies from their vendors. Missing documentation may make it difficult to justify the use of funds, in which case, providers may have to repay a portion or all of their provider relief funding.

It’s possible that certain expenses were not allowable under PRF. However, that doesn’t necessarily mean providers will have to repay their funds. Providers may have other lost revenue or expenses that would be allowed under PRF—but only if they have the documentation to prove it. That’s why it’s crucial that providers have all relevant documentation for expenses and lost revenue over the periods they received provider relief funding.

What challenges should I anticipate when it comes to completing the audit?

According to the 2022 BDO Healthcare CFO Outlook Survey, 35% of respondents identified CARES Act/PRF reporting as a regulatory concern.

Much of this concern likely stems from a lack of resources as well as audit inexperience. Many providers who will have to complete an HRSA audit don’t have the necessary resources to dedicate to navigating the process. In addition, they may not know the type, scope, or time frame of documentation they need to pull. They may also struggle to locate certain documentation, especially documentation that’s more than two years old.

Finding the right people to sift through the information to ensure its accuracy can be extremely difficult, especially if the documents are not filed electronically. This problem is even greater right now, given the professional services labor shortage that makes it difficult to hire the right people for the job if they aren’t already employed at your organization.

What should my next steps be?

To get ready for a potential HRSA audit, there are at least three immediate steps you should take:

  1. Select a responsible point person. One person should be responsible for coordinating the process to ensure that nothing falls through the cracks or is overlooked.
  2. Keep your PRF filing reports on hand. Pull any related supporting documentation and collate it into one place if it isn’t already.
  3. Identify what support is needed by doing a gap analysis. Determine where you need additional support or expertise and seek to close these gaps before the notification of any audit process.

Insufficient documentation may result in the recapture of provider relief funding by the HRSA. Fortunately, a lack of documentation is preventable with the right support and resources in place.

Article
HRSA audit preparation: All you need to know