Sportsbook SOC 2 compliance: An introduction

Read this if you are working with an auditor.

The standard report an auditor issues on an entity’s financial statements was created in 1988, and has only had minor tweaking since. Amazing when we think about how the world has changed since 1988! Back then:

• The World Wide Web hadn’t been invented
• The Simpsons wasn’t yet on TV, and neither was Seinfeld
• The Berlin Wall was still standing
• The Single Audit Act celebrated its fourth birthday

The Auditing Standards Board (ASB), an independent board of the American Institute of CPAs (AICPA) that establishes auditing rules for not-for-profit organizations (as well as private company and federal, state, and local governmental entities) has decided it was high time to revisit the auditor’s report, and update it to provide additional information about the audit process that stakeholders have been requesting.

In addition to serving as BerryDunn’s quality assurance principal for the past 23 years, I’ve been serving on the ASB since January 2017, and as chair since May 2020. (And thanks to the pandemic our meetings during my tenure as chair have been conducted from my dining room table.)  We thought you might be interested in a high-level overview of the coming changes to the auditor’s report, which will be effective starting with calendar 2021 audits, from an insider’s perspective.

So what’s changing?

The most significant changes you’ll be seeing, based on feedback from various users of auditor’s reports, are:

1. Opinion first
   The opinion in an audit report is the auditor’s conclusion as to whether the financial statements are in accordance with the applicable accounting standards, in all material respects. People told us this is the most important part of the report, so we’ve moved it to the first section of the report.
2. Auditor’s ethical responsibilities
   We’ve pointed out that an auditor is required to be independent of the organization being audited, and to meet certain other ethical responsibilities in the conduct of the audit.
3. “Going concern” responsibilities
   We describe management’s responsibility, under U.S. generally accepted accounting principles, and the auditor’s responsibility, under the auditing rules, for determining whether “substantial doubt” exists about the organization’s ability to continue in existence for at least one year following the date the financial statements are approved for issuance.
4. Emphasis on professional judgment and professional skepticism
   We explain how an audit requires the auditor to exercise professional judgment (for example, regarding how much testing to perform), and to maintain professional skepticism, i.e., a questioning mind that is alert to the possibility the financial statements may be materially misstated, whether due to error or fraud.
5. Communications with the board of directors
   We point out that the auditor is required to communicate certain matters to the board, such as difficulties encountered during the audit, material adjustments identified during the audit process, and which areas the auditor treated as “significant risks” in planning and performing the audit.
6. Responsibility related to the “annual report”
   If the organization issues an “annual report” containing or referring to the audited financial statements, we explain the auditor is required to review it for consistency with the financial statements, and for any known misstatements of fact.
7. Discussion of “key audit matters”
   While not required, your organization may request the auditor to discuss how certain “key audit matters” (those most significant to the audit) were addressed as part of the audit process. These are similar to the “critical audit matters” publicly traded company auditor’s reports are now required to include.

Yes, this means the auditor’s report will be longer; however, stakeholders told us inclusion of this information will make it more informative, and useful, for them.

Uniform Guidance standards also changing

Is your organization required to have a compliance audit under the federal Uniform Guidance standards? That report is also changing to reflect the items listed above to the extent they’re relevant.

What should you do?

Some actions to consider as you get ready for the first audit to which the new report applies (calendar 2021, or fiscal years ending in 2022) include:

1. Ask your auditor what your organization’s auditor’s report will look like
   Your auditor can provide examples of auditor’s reports under the new rules, or even draft a pro forma auditor’s report for your organization (subject, of course, to the results of the audit).
2. Outline and communicate your process for developing your annual report
   If your organization prepares an annual report, it will be important to coordinate its timing with that of the issuance of the auditor’s report, due to the auditor’s new reporting responsibility related to the annual report.
3. Discuss with your board whether you would like the auditor to include a discussion of “key audit matters” in the auditor’s report
   While not required for not-for-profits, some organizations may decide to request the auditor include a discussion of such matters in the report, from the standpoint of transparency “best practices.”

If you have any questions about the new auditor’s report or your specific situation, please contact us. We’re here to help.
 

Read this if you are a business owner. 

Now that the Democrats have control of the Presidency, House of Representatives, and Senate, many in Washington, DC and around the country are asking “What is going to happen with business taxes?” 

While candidate Biden expressed interest in raising taxes on corporations and wealthy individuals, it is best to think of that as a framework for where the new administration intends to go, rather than a set-in-stone inevitability. We know his administration is likely to favor a paring back of some of the tax cuts made by the 2017 Tax Cuts and Jobs Act (TCJA). Biden has indicated his administration may consider changes to the corporate tax rate, capital gains rate, individual income tax rates, and the estate and gift tax exemption amount.

Procedurally, it is unclear how tax legislation would be formulated under the Biden administration. A tax package could be included as part of another COVID-19 relief bill. The TCJA could be modified, repealed, or replaced. It is also unclear how any package would proceed through Congress. Under current Senate rules, the legislative filibuster can limit the Senate’s ability to pass standalone tax legislation, thus leaving any such legislation to the budget reconciliation process, as was the case in 2017. It also remains unclear if the two parties will come together to work on any bill. Finally, it will be important to note who fills key Treasury tax positions in the Biden administration, as these individuals will have a strategic role in the development of administration priorities and the negotiation with Congress of any tax bill. Here are three ways tax changes could take shape:

1. Part of a COVID-19 relief package
   With the Biden administration eager to provide immediate relief to individuals and small- and medium-sized businesses affected by the coronavirus pandemic, some tax changes could be included as part of an additional relief bill on which the administration is likely to seek bipartisan support. Such changes could take the form of tax cuts for some businesses and individuals, tax credits, expanded retirement contributions, and/or other measures. If attached to a COVID-19 relief bill, these changes would likely go into effect immediately and would provide rapid relief to businesses and individuals that have been particularly hard hit during the pandemic and economic downturn.
2. Repeal and replace TCJA
   Another possibility is for Biden to pursue a full rollback of the TCJA and replace it with his own tax bill. This would be a challenge since the Democrats only have a slim majority in the Senate, meaning that Republicans could filibuster the bill unless Senate Democrats take steps to repeal the filibuster.
   
   Given that the Biden administration’s immediate priorities will be delivering financial assistance to individuals and businesses, ensuring the rollout of COVID-19 vaccines, and flattening the curve of cases, a repeal and replacement of the TCJA might not be voted on until at least late 2021 and likely would not go into effect until 2022 at the earliest.
3. Pare back or modify the TCJA
   An overall theme of Biden’s campaign was not sweeping, radical change but making incremental shifts that he views as improvements. This theme may come into play in Biden’s approach to tax legislation. He may choose not to repeal the TCJA completely (prompting a return to 2016 taxation levels), but instead pare back some of the tax changes enacted in 2017. In practice, this could mean raising the corporate tax rate by a few percentage points, which could garner bipartisan support. Again, this likely would not be a legislative priority until after the country has passed through the worst of the COVID-19 pandemic.

Factors that will influence potential tax changes

Senate legislative filibuster

Currently, the minority party in the Senate can delay a vote on an issue if fewer than 60 senators support bringing a measure to a vote. Thus, Republicans would be likely to filibuster any bill that contains more ambitious tax rate increases. The uptick in the use of the filibuster in recent decades is perhaps a symptom of congressional deadlock, and there are calls from many Democrats to eliminate the filibuster in order to pass more ambitious legislation without bipartisan support (in fact, in recent years, the filibuster has been removed for appointments and confirmations). While President Biden and Senate Majority Leader Chuck Schumer may be open to ending or further limiting the filibuster, every Democratic senator would have to agree. West Virginia Senator Joe Manchin has said repeatedly that he will not vote to end the legislative filibuster.

If the filibuster remains in place as it appears it will, tax legislation would likely be passed as part of the budget reconciliation process, which only requires a simple majority to pass. However, the tradeoff is that any changes generally would have to expire at the end of the budget window, which typically is 10 years. This is how both the 2001 Economic Growth and Tax Relief Reconciliation Act and the TCJA were passed.

Appetite for bipartisanship

President Biden has signaled that he wants to work for all Americans and seek to heal the partisan divides in the country. He may be looking to reach across the aisle on certain legislation and seek bipartisan support, even if such support is not necessary to pass a bill. Biden stated during his campaign that he wants to increase the corporate tax rate—not to the 2017 rate of 35%—but to 28%. Achieving this middle ground rate might be viewed as a compromise approach.

As the new government takes office, it remains to be seen how much bipartisanship is desired, or even possible.

What this may mean for your business

It is important to note that sweeping tax changes probably are not an immediate priority for the incoming Biden administration. The new administration’s immediate focus likely will be on addressing the current fragmented approach to COVID-19 vaccinations, accelerating the distribution of the vaccines, taking steps to bring the spread of COVID-19 under control, and providing much needed economic relief. As noted above, there could be some tax changes and impacts resulting from future COVID-19 relief bills.

Those will be the bills to watch for any early tax changes, including cuts or credits, that businesses may be able to take advantage of. Larger scale tax changes, particularly any tax increases, may not go into effect until 2022 at the earliest. Here are some of the current rules and how Biden is proposing to deal with them.

If you have questions about your particular situation, please contact our team. We’re here to help. 

Read this if your company is seeking guidance on PPP loans.

The Consolidated Appropriations Act, 2021 (H.R. 133) was signed into law on December 27, 2020. This bill contains guidance on the existing Paycheck Protection Program (PPP) and guidelines for the next round of PPP funding.

Updates on existing PPP loans

Income and expense treatment of PPP loans. Forgiven PPP loans will not be included in taxable income and eligible expenses paid with PPP funds will be tax-deductible. This tax treatment applies to both current and future PPP loans.

Tax attributes and basis adjustments. Tax attributes such as net operating losses and passive loss carryovers, and basis increases generated from the result of the PPP loans will not be reduced if the loans are forgiven.

Economic Injury Disaster Loans (EIDL). Any previous or future EIDL advance will not reduce PPP loan forgiveness. Any borrowers who already received forgiveness of their PPP loans and had their EIDL subtracted from the forgiveness amount will be able to file an amended forgiveness application to have their PPP forgiveness amount increased by the amount of the EIDL advance. The SBA has 15 days from the effective date of this bill to produce an amended forgiveness application. 

Simplified forgiveness application for loans under $150,000. Borrowers who received PPP loans for $150,000 or less will now be able to file a simplified one-page forgiveness application and will not be required to submit documentation with the application. The SBA has 24 days from the effective date of this bill to make this new forgiveness application available. 

Use of PPP funds. Congress expanded the types of expenses that may be paid with PPP funds. Prior eligible expenses were limited to payroll (including health benefits), rent, covered mortgage interest, and utilities. Additional expenses now include software and cloud computing services to support business operations, the purchase of essential goods from suppliers, and expenditures for complying with government guidance relating to COVID-19.

These additional expenses apply to both existing and new PPP loans, but they do not apply to existing loans if forgiveness has already been obtained.
 
In addition, the definition of "payroll costs" has been expanded to include costs for group life, disability, dental, and vision insurance. These additions also apply to both existing and new loans.

Information for new PPP loans

Application deadline. March 31, 2021 

Eligibility for first-time borrowers. A business that did not previously apply for or receive a PPP loan may apply for a new loan. The same requirements apply from the first round of loans. The business must employ fewer than 500 employees per physical location and the borrower must certify the loan is necessary due to economic uncertainty.

Eligibility for second-time borrowers. Businesses that received a prior PPP loan may apply for a second loan, however the eligibility requirements are a little more stringent. The business must have fewer than 300 employees per physical location (down from 500 previously) and it must have experienced a decline in gross revenue of at least 25% in any quarter in 2020 as compared to the same quarter in 2019. The business must have also expended (or will expend) their initial PPP loan proceeds. 

Maximum loan amount. Lesser of $2 million or 2.5x average monthly payroll for either calendar 2019 or the 12-month period prior to the date of the loan. Businesses operating in the accommodations and food service industry (NAICS code 72) can use a 3.5x average monthly payroll multiple. If the business previously received a loan less than the new amount allowed, or if it returned a portion or all of the previous loan, it can apply for additional funds up to the maximum loan amount. 

New types of businesses eligible for loans.

• Broadcast news stations, radio stations, and newspapers that will use the proceeds to support the production and distribution of local and emergency information 
• Certain 501(c)(6) organizations with fewer than 300 employees and that are not significantly involved in lobbying activities 
• Housing cooperatives with fewer than 300 employees 
• Companies in bankruptcy if the bankruptcy court approves

Ineligible businesses. A business that was ineligible to receive a PPP loan during the first round is still ineligible to receive a loan in the new round. The new legislation also prohibits the following businesses from receiving a loan in the second round:

• Publicly traded companies 
• Businesses owned 20% or more by a Chinese or Hong Kong entity or have a resident of China on its board 
• Businesses engaged primarily in political or lobbying activities
• Businesses required to register under the Foreign Agents Registration Act 
• Businesses not in operation on February 15, 2020 

Forgiveness qualifications. New PPP loans will be eligible for forgiveness if at least 60% of the proceeds are used on payroll costs. Partial forgiveness will still be available if less than 60% of the funds are used on payroll costs. 

Covered period. The borrower may choose a covered period (i.e., the amount of time in which the PPP funds must be spent) between 8 and 24 weeks from the date of the loan disbursement.

Employee Retention Tax Credit. The CARES Act prohibited a business from claiming the Employee Retention Tax Credit if they received a PPP loan. The new legislation retroactively repeals that prohibition, although it is unclear how an employer can claim retroactive relief. The new bill also expands the tax credit for 2021. 

Additional guidance is expected from the SBA in the coming weeks on many of these items and we will provide updates when the information is released.

We’re here to help.
If you have questions about PPP loans, contact a BerryDunn professional.

If you received PPP funds, read on.

The Treasury has released new information regarding Paycheck Program Protection forgiveness. 

Based on IRS guidance, if you intend to apply for forgiveness and have a reasonable expectation it will be granted, the expenses used to support forgiveness will not be permitted as a deduction in 2020. It is unclear whether this guidance would apply if a taxpayer is undecided with regard to their forgiveness application at year end. Here is what we know so far.

The CARES Act included provisions that stated PPP loan forgiveness would not be considered taxable income under the Internal Revenue Code (“IRC”). The CARES Act specifically provides the forgiveness is not taxable income under IRC Section 61.

However, the IRS has issued the following guidance on this matter, which relates to the expenses paid with the PPP loan funds.

• Notice 2020-32 , issued May 2, 2020
• Revenue Ruling 2020-27, issued November 18, 2020 
• Revenue Procedure 2020-51, issued November 18, 2020

Notice 2020-32, states IRC Section 265(a)(1) applies to disallow expenses that were included on and supported a taxpayer’s successful PPP loan forgiveness application. 

In general, this section states NO deductions are permitted for expenses that are directly attributable to tax exempt income. 

The IRS seems to have concluded, in this Notice, the PPP loan forgiveness is tax exempt income. Therefore, the salary and occupancy costs used to support forgiveness, under current IRS guidance, will not be tax deductible.

Unanswered questions

This notice, while somewhat informative, raises many unanswered questions. For example, what are the tax consequences if a PPP loan is forgiven in 2021 and the expenses supporting the forgiveness were incurred in 2020? Could the forgiveness be construed as something other than tax exempt income?

Revenue Ruling 2020-27 attempts to answer some of these questions and provides additional guidance with regard to IRS expectations. The Ruling seems to indicate there are two possible tax positions relative to expenses that qualify PPP loans for forgiveness:

• First, the loan forgiveness could be construed as tax exempt income and, pursuant to IRC Section 265 expenses directly attributable to the exempt income are not deductible.
• Second, loan forgiveness could be construed as the reimbursement of certain expenses, and not as tax exempt income. Under the reimbursement approach the IRS has stated if you intend to apply for forgiveness and reasonably expect to receive forgiveness the reimbursed expenses are not deductible, even if forgiveness is obtained in the following tax year. This position seems to be supported by several tax controversies which were litigated in favor of the IRS. 

Some taxpayers had anticipated using a rule known as the tax benefit rule to deduct expense in 2020 and report a recovery (income) in 2021 when the loan is forgiven. It appears the IRS is not willing to accept this filing position.

We are hoping Congress will revisit this issue and consider statutory changes which allow for the deduction of expenses. Some taxpayers are planning to extend their income tax returns, taking a wait and see approach, with the hopes Congress will amend the statutes and allow for a deduction.

Under current law, it appears the salary, interest, rent used to support a forgiveness application will not be permitted as a tax deduction on your 2020 tax returns. This could result in a significant change in your 2020 taxable income.

Final considerations

For estimated tax payment purposes, we believe it would be reasonable to attribute the lost deductions to the quarter in which you made your final determination to file for forgiveness. This could mitigate any underpayment of estimated income tax penalties. 

If you are making safe harbor quarter estimates and/or have sufficient withholdings any incremental tax would be due with your return on April 15, 2021. Generally, the IRS safe harbor is to pay 110% of prior year tax during the current year to be penalty proof.

If you have questions about your specific situation, please contact us. We’re here to help.

COVID-19 business support

We will continue to post updates as we uncover them. Let us know if you have questions. For more information regarding the Paycheck Protection Program, the CARES Act, or other COVID-19 resources, see our COVID-19 Resource Center.

If you received over $2 million in PPP funds, read on.

The Small Business Administration (SBA) has posted a new form to collect additional information on loan necessity from businesses that received over $2 million in PPP funds. The comment period is now open and closes on November 25, 2020. As we seek more clarity, here is what we know.

What is happening: 

The SBA released PPP Loan Necessity Questionnaires (Forms 3509 and 3510) for borrowers that received PPP loans of $2 million or more on October 30, 2020. The forms are not available at the SBA or Treasury websites, but were released through the PPP Loan Forgiveness portal to lenders.  

Here is an excellent description of what we know thus far. Here are our concerns: 

• The timing and lack of clarity. The 10-day turnaround is very tight. It could be very difficult to manage if it hits during a month or quarter close, or even worse at year-end.

• This is counter to what was described in the FAQs at the time, so it leaves us with many unanswered questions.
• It appears that information on the form might be subject to FOIA. There is a toggle to indicate what information you consider to be confidential. We recommend that you carefully review what information you have not flagged as confidential before submitting the form.

Other considerations and actions you can take in the meantime:

• We know that the questionnaire is triggered by submitting an application for forgiveness. Given some of the uncertainty of other program impacts and this additional information that is requested, it may be reasonable to wait to seek loan forgiveness until we determine the impact.
• You may wish to comment on the federal notice. See instructions for submitting comments below.

COVID-19 business support

We will continue to post updates as we uncover them. Let us know if you have questions. For more information regarding the Paycheck Protection Program, the CARES Act, or other COVID-19 resources, see our COVID-19 Resource Center.

Instructions for submitting comments:
Agency Clearance Officer                  
Curtis Rich
Small Business Administration
409 3rd Street SW
5th Floor
Washington, DC 20416

and 

SBA Desk Officer
Office of Information and Regulatory Affairs
Office of Management and Budget
New Executive Office Building
Washington, DC  20503

Your comments should be titled as follows:
Title: Paycheck Protection Program
OMB Control Number: 3245-0407

Comments should include one or all of the following: 
(a) whether the collection of information is necessary, 
(b) whether the estimate of 1.6 hours to complete or review the proposed application form is accurate (42,000 applications, 67,833 annual hour burden), 
(c) whether there are ways to minimize this burden, and
(d) whether there are ways to enhance the quality, utility, and clarity of the information.

Read this if you are a Maine business or organization that has been affected by COVID-19. 

The State of Maine has released a $200 million Maine Economic Recovery Grant Program for companies and organizations affected by the COVID-19 pandemic. Here is a brief outline of the program from the state, and a list of eligibility requirements. 

“The State of Maine plans to use CARES Act relief funding to help our economy recover from the impacts of the global pandemic by supporting Maine-based businesses and non-profit organizations through an Economic Recovery Grant Program. The funding originates from the federal Coronavirus Relief Fund and will be awarded in the form of grants to directly alleviate the disruption of operations suffered by Maine’s small businesses and non-profits as a result of the COVID-19 pandemic. The Maine Department of Economic & Community Development has been working closely with affected Maine organizations since the beginning of this crisis and has gathered feedback from all sectors on the current challenges.”

Eligibility requirements for the program from the state

To qualify for a Maine Economic Recovery Grant your business/organization must: 

• Demonstrate a need for financial relief based on lost revenues minus expenses incurred since March 1, 2020 due to COVID-19 impacts or related public health response; 
• Employ a combined total of 50 or fewer employees and contract employees;
• Have significant operations in Maine (business/organization headquartered in Maine or have a minimum of 50% of employees and contract employees based in Maine); 
• Have been in operation for at least one year before August 1, 2020; 
• Be in good standing with the Maine Department of Labor; 
• Be current and in good standing with all Maine state payroll taxes, sales taxes, and state income taxes (as applicable) through July 31, 2020;
• Not be in bankruptcy; 
• Not have permanently ceased all operations; 
• Be in consistent compliance and not be under any current or past enforcement action with COVID-19 Prevention Checklist Requirements; and 
• Be a for-profit business or non-profit organization, except: 
  • Professional services 
  • 501(c)(4), 501(c)(6) organizations that lobby 
  • K-12 schools, including charter, public and private
  • Municipalities, municipal subdivisions, and other government agencies 
  • Assisted living and retirement communities 
  • Nursing homes
  • Foundations and charitable trusts 
  • Trade associations 
  • Credit unions
  • Insurance trusts
  • Scholarship funds and programs 
  • Gambling 
  • Adult entertainment 
  • Country clubs, golf clubs, other private clubs 
  • Cemetery trusts and associations 
  • Fraternal orders 
  • Hospitals, nursing facilities, institutions of higher education, and child care organizations (Alternate funding available through the Department of Education and Department of Health and Human Services for hospitals, nursing facilities, child care organizations, and institutions of higher education.)

For more information

If you feel you qualify, you can find more details and the application here. If you have questions about your eligibility, please contact us. We’re here to help. 

Read this if your company is seeking assistance under the PPP.

The rules surrounding PPP continue to rapidly evolve. As of June 22, 2020, we are anticipating some additional clarifications in the form of an interim final rule (or IFR) and additional answers to frequently asked questions (FAQ). The FAQs were last updated on May 27, 2020. For the latest information, please be sure to check our website or the Treasury website.

A few important changes:

1. The loan forgiveness application, and instructions, have been updated.
2. There is a new EZ form, designed to streamline the forgiveness process, if borrowers meet certain criteria.
3. Changes now allow for businesses to use 60% of the PPP loan proceeds on payroll costs, down from 75%.
4. Businesses now have 24 weeks to use the loan proceeds, rather than the original eight-week period (or by December 31, 2020, whichever comes earlier).
5. The rules around what is a full-time equivalent (FTE) employee and the safe harbors with respect to employment levels and forgiveness have been clarified.
6. Entities can defer payroll taxes through the ERC program, even if forgiveness is granted.

These changes are designed to make it easier to qualify for loan forgiveness. In the event you do not qualify for loan forgiveness, you may be able to extend the loan to five years, as opposed to the original two years.

The relaxation on FTE reductions is significant. The reductions will NOT count against you when calculating forgiveness, even if you haven’t restored the same employment level, if you can document that:

• you offered employment to people and they refused to come back, or
• HHS, CDC, OSHA or other government intervention causes an inability to “return to the same level of business activity” as of 2/15/2020.

As of June 20, 2020, there was still an additional $128 billion in available funds. The program is intended to fund new loans through June 30, 2020. 

We’re here to help.
If you have questions about the PPP, contact a BerryDunn professional.

Who has the time or resources to keep tabs on everything that everyone in an organization does? No one. Therefore, you naturally need to trust (at least on a certain level) the actions and motives of various personnel. At the top of your “trust level” are privileged users—such as system and network administrators and developers—who keep vital systems, applications, and hardware up and running. Yet, according to the 2019 Centrify Privileged Access Management in the Modern Threatscape survey, 74% of data breaches occurred using privileged accounts. The survey also revealed that of the organizations responding:

• 52% do not use password vaulting—password vaulting can help privileged users keep track of long, complex passwords for multiple accounts in an encrypted storage vault.
• 65% still share the use of root and other privileged access—when the use of root accounts is required, users should invoke commands to inherent the privileges of the account (SUDO) without actually using the account. This ensures “who” used the account can be tracked.
• Only 21% have implemented multi-factor authentication—the obvious benefit of multi-factor authentication is to enhance the security of authenticating users, but also in many sectors it is becoming a compliance requirement.
• Only 47% have implemented complete auditing and monitoring—thorough auditing and monitoring is vital to securing privileged accounts.

So how does one even begin to trust privileged accounts in today’s environment? 

1. Start with an inventory

To best manage and monitor your privileged accounts, start by finding and cataloguing all assets (servers, applications, databases, network devices, etc.) within the organization. This will be beneficial in all areas of information security such as asset management, change control and software inventory tracking. Next, inventory all users of each asset and ensure that privileged user accounts:

• Require privileges granted be based on roles and responsibilities
• Require strong and complex passwords (exceeding those of normal users)
• Have passwords that expire often (30 days recommended)
• Implement multi-factor authentication
• Are not shared with others and are not used for normal activity (the user of the privileged account should have a separate account for non-privileged or non-administrative activities)

If the account is only required for a service or application, disable the account’s ability to login from the server console and from across the network

2. Monitor—then monitor some more

The next step is to monitor the use of the identified privileged accounts. Enable event logging on all systems and aggregate to a log monitoring system or a Security Information and Event Management (SIEM) system that alerts in real time when privileged accounts are active. Configure the system to alert you when privileged accounts access sensitive data or alter database structure. Report any changes to device configurations, file structure, code, and executable programs. If these changes do not correlate to an approved change request, treat them as incidents and investigate.  

Consider software that analyzes user behavior and identifies deviations from normal activity. Privileged accounts that are accessing data or systems not part of their normal routine could be the indication of malicious activity or a database attack from a compromised privileged account. 

3. Secure the event logs

Finally, ensure that none of your privileged accounts have access to the logs being used for monitoring, nor have the ability to alter or delete those logs. In addition to real time monitoring and alerting, the log management system should have the ability to produce reports for periodic review by information security staff. The reports should also be archived for forensic purposes in the event of a breach or compromise.

Gain further assistance (and peace of mind) 

BerryDunn understands how privileged accounts should be monitored and audited. We can help your organization assess your current event management process and make recommendations if improvements are needed. Contact our team.