
The mobile app labyrinth: Seven questions higher education institutions should ask

03.07.18

As a leader in a higher education institution, you'll be familiar with this paradox: Every solution can lead to more problems, and every answer can lead to more questions. It’s like navigating an endless maze. When it comes to mobile apps, the same holds true. So, the question: Should your institution have a mobile app? The Answer? Absolutely.

Devices, not computers, are how millennials communicate, gather, inform, and engage. Millennials, on average, spend 90 hours per month on mobile apps, not including web searches and website visits.

Students are no exception. A 2016 Nielsen study showed that 98% of millennials aged 18 – 24, and 97% of millennials aged 25 – 34, owned a smartphone, while a 2017 comScore report stated that one out of five millennials no longer use desktop devices, including laptops. Mobile apps have quickly filled the desktop void, and as students grow more reliant on mobile technology, colleges and universities are in the mix, creating apps to bolster student engagement.

So should you create an app? Here are some questions you should answer before creating a mobile app. Welcome to the labyrinth! But don’t be frustrated—answer these questions to help you avoid dead ends and overspending.

1. Is a mobile app part of your IT strategy? Including a mobile app in your IT strategy minimizes confusion at all levels about the objectives of mobile app implementation. It also helps dictate whether an institution needs multiple mobile apps for various functions, or a primary app that connects users with other functionality. If an institution has multiple campuses, should you align all campuses with a single app, or will each campus develop its own?

2. What will the app do? Mobile apps can perform a multitude of functions, but for the initial implementation, select a few key functions in one main area, such as academics or student life. Institutions can then add functionality in the future as mobile adoption grows, and demand for more functions increases.

3. Who will use the app? Mobile apps certainly improve engagement throughout the student life cycle—from prospect to student to alumni—but they also present opportunities for increased faculty, staff, and community engagement. And while institutions should identify the immediate audience of the app, they should also identify future users, based upon functionality.

4. Who will manage the app? Institutions should determine who is going to manage the mobile app, and how. The discussion should focus on access, content, and functionality. Is the institution going to manage everything in house, from development to release to support, or will a mobile app vendor provide this support under contract? Depending on your institution, these discussions will vary.

5. What data will the app use? Like any new software system, an app is only as good as its supporting data. It’s important to assess the systems to integrate with the mobile app, and determine if the systems’ data is up-to-date and ready for integration. Consider the use of application program interfaces, or APIs. APIs allow apps and platforms to interact with one another. They can enable social media, news, weather, and entertainment apps to connect with your institution’s app, enhancing the user experience with more content for users.

6. How much data security does your app need? Depending on the functionality of the app you create, you will need varying degrees of security, including user authentication safeguards and other protections to keep information safe.

7. How much can you spend on the app? Your institution should decide how much you will spend on initial app development, with an eye toward including maintenance and development costs for future functionality. Complexity increases costs, so you will need to budget accordingly. Include budget planning for updates and functionality improvements after launch.

You will also need to establish a timeline for the project and its rollout. And note that apps deployed toward the end of the academic year experience less adoption than apps deployed at the beginning of the academic year.

Once your institution answers these questions, you will be off to a good start. And as I stated earlier, every answer to a question can lead to more questions. If your institution needs help navigating the mobile app labyrinth, please reach out to me.


Read this if you are at a not-for-profit organization.

There is no question the investment landscape is forever changing. Even before COVID-19 placed a vice grip on all aspects of society, many not-for-profit organizations were looking for ways to maximize the value of their current investment holdings. One such way of accomplishing this is through the use of alternative investments, defined for our purposes as investments outside of standard assets such as traditional stocks and bonds. Alternative investments have become increasingly specialized and are often seen in the form of foreign corporations or partnerships (oftentimes domiciled in locales such as the Cayman Islands, where tax laws are more favorable to investors) and are much more commonplace than ever before.

While promises of higher rates of return are received warmly by not-for-profit organizations, alternative investments often carry with them the potential for additional compliance costs in the form of tax filing obligations and substantial penalties should those filings be overlooked.

This article will highlight some of those potential foreign filings, as well as the potential consequences they carry and what you need to know in order to avoid the pitfalls.

Potential foreign filings related to investment activities

Not-for-profit organizations should be aware of the potential filings/disclosures required in regards to their ownership of investments located outside of the United States. The federal government uses a variety of forms to track transfers of property, ownership, and account balances related to foreign activity/investments. A list of some of the potential foreign filings is detailed below (not an all-inclusive list):

Form 926 – Return by a US Transferor of Property to a Foreign Corporation

This form is generally required when a US investor transfers more than $100,000 in a 12-month period, or any other contribution when the investor owns 10% or more of a foreign corporation. The requirement to file this form can be via a direct investment in the foreign corporation, or indirectly through another entity (such as a partnership interest). The penalty for failure to file is equal to 10 percent of the transfer amount, up to $100,000 per missed filing.

Form 8865 – Return of US Persons with Respect to Certain Foreign Partnerships

Similar to Form 926, this filing arises when a US person (which includes not-for-profit organizations) transfers $100,000 or more in a given year, or if they own 10% or more of the foreign partnership. There are different levels of disclosure required for different categories of filers. Filings are also triggered by both direct and indirect investments. The penalty for failure to file varies by category type, ranging from $10,000 to up to $100,000 per missed filing.

FinCEN Form 114 – Report of Foreign Bank and Financial Accounts

Commonly referred to as the FBAR, this form tracks assets that US taxpayers hold in offshore accounts, whether they be foreign bank accounts, brokerage accounts, or mutual funds. This form is required when the aggregate value of all foreign financial accounts exceeds $10,000 at any time during the calendar year. Further, any individual or entity that owns more than 50 percent of the account directly or indirectly must file the form. Lastly, individuals who have signature authority over accounts held by the organization are also required to file the FinCEN Form 114 with their individual income tax return. The penalty for failure to file can vary, but can be as high as 50 percent of the account’s value.

Please note: there is a specific definition of the term “foreign financial account” which excludes certain items from the definition. Organizations are encouraged to consult their tax advisors for more information.

Form 5471 – Information Return of US Persons with Respect to Certain Foreign Corporations

Form 5471 is required to be filed when ownership is at least 10% in a foreign corporation. There are different disclosures required for different categories of ownership. Organizations required to file Form 5471 are typically operating internationally and have ownership of a foreign corporation which triggers the filing, but this form would also apply to investments in foreign corporations if ownership is at least 10%. The penalty for failure to file is typically $10,000 per missed filing.

Recommendations to avoid the pitfalls of alternative investments

In order to avoid missed filing requirements, exempt organizations should ask their investment advisors if any investment will involve organizations outside of the United States. If the answer is “yes,” then your organization needs to understand any additional filing requirements up front in order to take into consideration any additional compliance costs related to foreign filings. You should review and share all relevant investment documentation and subsequent information (e.g., prospectus and any other offering materials) with your finance/accounting department, as well as your tax advisors—prior to investment.

We also recommend you engage in open and frequent communication with your investment managers and advisors (both within and outside the organization). Those who manage the entity’s investments should also stay in close contact with fund managers who can help communicate when assets are invested in a way that might trigger a foreign filing obligation.

As investment practices and strategies become increasingly complex, organizations need to stay vigilant and aware in this forever changing landscape. We’re here to help. If you have any questions or concerns about current investment holdings and potential foreign filings, please do not hesitate to reach out to a member of our not-for-profit tax team.

Article
Alternative investments: Potential pitfalls not-for-profit organizations need to know

Read this if you are an employee benefit plan fiduciary.

Fiduciary risk management

This is the final article in a series to help employee benefit plan fiduciaries better understand their responsibilities and manage the risks of non-compliance with ERISA requirements. You can find the full series here.

If, as part of your involvement with an employee benefit plan, you have decision-making ability, you advise those with decision-making ability, or someone tasks you with decision-making related to the plan, you are more likely than not a fiduciary. As discussed in the first article of the series, this status comes with responsibilities and, therefore, risks and consequences.

The general approach to handling risk is a cycle of identifying, assessing, controlling, and reviewing controls over risks. Based on the assessment of a given risk, there are four ways to manage it: you can avoid, reduce, transfer, or accept the risk. 

Identifying and assessing fiduciary risk1 

The risks facing a plan fiduciary include, but are not limited to, the following:

Removal of fiduciary

In appropriate cases, a fiduciary may be removed and permanently prohibited from acting as a fiduciary or from providing services to ERISA plans.

Civil penalties

Among other penalties, the DOL may assess a civil penalty equal to 20% of the amounts recovered for the plan through litigation or settlement.

Criminal prosecution

Upon a conviction for a willful violation of ERISA’s reporting and disclosure requirements, a fiduciary may be subject to fines and/or imprisonment for not more than ten years. There is also a provision in ERISA that applies to any person, not just ERISA fiduciaries, that makes coercive interference with ERISA rights a criminal offense punishable by fines and/or imprisonment for up to ten years. In addition, outside of ERISA, there are a number of criminal statutes that apply to any person, not just ERISA fiduciaries, including criminal statutes for embezzling from an ERISA plan, making false statements in ERISA documents, and taking illegal kickbacks in connection with an ERISA plan.

Participant lawsuits

Additionally, plan participants may file a lawsuit against the fiduciary for breach of their fiduciary duty. Over the past few years, this has become more common and has generally been related to the fiduciary’s failure to adequately negotiate and monitor plan fees. 

Co-fiduciary liability

ERISA's unique co-fiduciary liability provisions make each fiduciary responsible for the actions of the other plan fiduciaries but only under certain circumstances. As a general rule, fiduciaries aren’t responsible for the breach of another fiduciary unless:

  • They participate knowingly in, or knowingly undertake to conceal, an act or omission of such other fiduciary, knowing such act or omission is a breach;
  • Their failure to be prudent in the administration of their own fiduciary responsibilities enables the other fiduciary to commit a breach; or
  • They have knowledge of a breach by such other fiduciary and don’t make reasonable efforts under the circumstances to remedy the breach.

Controlling fiduciary risk

There are several ways to effectively manage fiduciary risk. When used together, they give you solid controls to greatly reduce your level of risk.

Plan documentation

A fiduciary and/or plan sponsor should reduce their exposure to the risks identified above, and their first line of defense is plan documentation (discussed in depth here). Broadly speaking, the organizers and fiduciaries of the plan should ensure that policies and procedures are laid out and that proper oversight and internal controls are in place to prevent any voluntary or involuntary noncompliance with ERISA and the DOL.

Oversight

Fiduciaries should meet formally on a regular basis to review the plan’s offerings, service providers, fees, and other issues that may affect the plan. A single individual who is the sole fiduciary for a plan may not have the knowledge or bandwidth to appropriately fulfill the responsibilities of the plan. Additionally, having an auditor come in and audit the plan can help identify some of the risks identified above, although an audit of the plan does not reduce your responsibility to monitor and review the plan’s activity on an ongoing basis.

Third Party Administrators (TPA) & recordkeepers

Fiduciaries may also be able to mitigate some of the risks identified above through use of a TPA and/or recordkeeper. While TPAs and recordkeepers are not generally considered fiduciaries or co-fiduciaries, TPAs have varying service offerings, including recordkeeping, that are powerful tools for plan administrators to review and operate the plan. For example, depending on the plan sponsor’s existing payroll and HR structure, inclusive of TPAs and recordkeepers, fiduciaries may be able to automate the transfer of contributions to ensure timeliness of deposits. The plan may also be able to add another layer of internal controls by incorporating the TPA’s or recordkeeper’s internal controls into the plan’s control environment, assuming the fiduciary has gained an understanding of, and comfort around, the controls present at the TPA and/or recordkeeper.

Professional investment advisors and co-fiduciaries

Employee benefit plans must meet certain requirements with regard to their investment offerings. For instance, the plan must allow participants to invest in a diversified portfolio. The plan may try to transfer some of these risks and employ the help of a professional investment advisor to help ensure the plan’s investment offerings meet such criteria. This could involve hiring either an ERISA 3(21) fiduciary or an ERISA 3(38) fiduciary. The former serves as an advisor and a co-fiduciary, but does not have any authority by themselves, while the latter is an investment manager and therefore authorized to select investments for the plan. Doing so may help demonstrate to regulators that a fiduciary has fulfilled their duty in this regard. Alternatively, a plan may hire a 3(16) Fiduciary. 3(16) Fiduciaries are individuals or organizations that are charged with running plans as the plan administrator. A company may be able to shift most of their fiduciary risk to such a fiduciary. 

In any case, the plan fiduciary must continue to monitor a 3(16), 3(21) or 3(38) advisor to make sure it is still prudent to use that advisor.

Bonding and fiduciary liability insurance

Bonding is required for most EB plans and does not protect the fiduciary from any risk. It does, however, protect the plan from fraud or dishonesty. On the other hand, fiduciary liability insurance can protect the fiduciary in the case of a breach of fiduciary duty. This type of insurance is not required but is another option to transfer fiduciary risk.

As mentioned in our second article, much like owning a car, regular preventative maintenance can help you avoid the need for costly repairs. Plan fiduciaries should periodically refresh their understanding of ERISA requirements and re-evaluate their current and future business activities on an ongoing basis. Doing so will help mitigate any risks associated with non-compliance with the DOL and IRS and keep the plan running smoothly. 

Need help navigating the fiduciary road? Reach out to the BerryDunn employee benefit consulting team today.

1From Fidelity’s Plan Sponsor Webstation: Consequences of breach of fiduciary duties 

Article
Fiduciary risk: Five ways to control and reduce it

Read this if you are an employer that gives employee gifts.

The holiday season is officially in full swing! Unlike Ebenezer Scrooge, many employers are looking for ways to recognize the dedication and hard work of their employees. This gratitude often comes in the form of a holiday gift of some fashion. While this generosity is well-intended, gifts to employees can be fraught with potential tax consequences organizations should be aware of. This article will attempt to demystify the rules surrounding employee gifts to ensure organizations and their employees have a joyous holiday season.

Holiday gifts: Taxable or not?

So, are holiday gifts to employees taxable? The answer, as is so often the case with tax questions, is it depends. The IRS is very clear that cash and cash equivalents (specifically including gift cards) are always included as taxable income when they are provided by the employer, regardless of amount, with no exceptions. This means that if you plan to give your employees cash or a gift card this year, the value must be included in the employees’ wages and is subject to all payroll taxes. Bah humbug indeed!

Nontaxable gift options

There are, however, a few ways to make nontaxable gifts to employees. In each instance the gift must be noncash (and not convertible to cash). IRS Publication 15 offers a variety of examples of de minimis (minimal) benefits, defined as any property or service you provide to an employee that has a minimal value, making the accounting for it unreasonable and administratively impracticable. Examples include holiday or birthday gifts with a low market value (a card and flowers, fruit baskets, a box of chocolates, etc.), or occasional tickets for theater or sporting events, among others. Again, cash and cash equivalents never qualify. The key is that the gift must be occasional or unusual in its frequency and must not be a form of disguised compensation. While de minimis benefits can be a gray area, the IRS has generally deemed items with a value exceeding $100 as too large to qualify as de minimis.

Holiday gifts can also be nontaxable if they are in the form of a gift coupon, if given for a specific item (with no redeemable cash value). A common example would be issuing a coupon to your employee for a free ham or turkey redeemable at the local grocery store. Nontaxable employee gifts can also come in the form of achievement awards, either for length of service or for safety achievements. The proverbial gold watch upon retirement is a classic example of such a gift. Here too, the award must always be tangible personal property—never cash or a cash equivalent. There are additional rules and value thresholds on any such gift. Please contact a member of your tax team to discuss these specific details further.

Whether employers are considering supplying gift cards, turkeys, or something in between, we hope all find this guidance helpful and still in the giving spirit! Coincidentally, at the end of A Christmas Carol, Ebenezer himself gives Bob Cratchit a turkey on Christmas day. Of course Mr. Scrooge would be aware of the potential tax consequences! We wish you all a very happy and healthy holiday season!

Not-for-profit resources

If you are a not-for-profit organization receiving charitable gifts, read Donor Acknowledgements: We have to file what?

Article
What employers need to know before making gifts to employees

Read this if you are responsible for cybersecurity at your organization. 

During the financial audit process, auditors are required to develop and confirm their understanding of Information Technology (IT) and cybersecurity practices as they relate to financial reporting, both to better understand risks and because of auditors’ heavy reliance on data pulled from accounting information systems. As auditors, we have seen a significant increase in the number of impactful incidents affecting not-for-profit organizations, and our IT security experts often share valuable advisory comments in annual audit communications with our clients. With recent incidents and a very rapidly changing business environment, here are the three most important from the last six months that impact all not-for-profits.

Board oversight of cybersecurity 

Cybersecurity gaps within an organization’s systems may lead to risk exposure and have material impacts on all aspects of operations. Responsibility for cybersecurity controls, and for establishing a culture of awareness and security, should come from the Board and senior leadership. Board members and senior leaders should stay apprised of cybersecurity efforts on a regular basis, and incidents should be summarized and reported on a quarterly basis.

The Board should also consider adding a member who is a professional with IT and cybersecurity experience to help manage and understand the specific risks to the organization and help drive and support cybersecurity efforts.

Ransomware threats and preventive controls

The use of ransomware as a profitable attack on organizations by hackers continues to rapidly increase. Within the last year there have been multiple high-profile incidents that illustrate the impact of a successful attack. These impacts fall into two main areas. The first is financial, as millions of dollars are paid to the bad actors as ransom in hopes of being able to regain control of systems. The second is operational, resulting in a loss of control of systems and data during the event. Potentially, an unsuccessful data restoration could result in the total loss of information and data maintained on your networks.

Though no organization may be able to prevent a ransomware attack from occurring entirely, there are basic cybersecurity controls that help reduce the likelihood and impact of an attack. Preventive controls may include: 

  • Security awareness training on phishing emails and overall IT security practices for all organization users
  • Multi-factor authentication 
  • Access controls that prevent users from installing unapproved software onto organization-owned workstations and networks
  • Anti-malware software installed on devices that connect to organization systems 
  • Use of Zero Trust data management tools for backups
  • Disabling macros in emails (prevents back-end processes from automatically running) 

In addition to including these preventive controls in your cybersecurity program, your organization should assess the corrective controls already in place to react to a ransomware event if one is detected or reported. Corrective controls may include:

  • Disaster recovery plans/business continuity plans 
  • Incident response plans
  • Backup controls and restoration tests 

As the risk of ransomware continues to increase and the types of attacks continue to grow in sophistication, your organization should consider regular assessments of IT controls and cybersecurity practices. Such assessments may be performed in conjunction with annual financial statement audits as an expanded scope and/or as a separate annual IT assessment.

COVID-19 IT considerations 

The global COVID-19 pandemic significantly impacted nearly every aspect of modern life, including the way we work. As personnel were sent home and literally became a remote workforce overnight, IT systems and controls were rapidly adjusted to accommodate this new way of business.

Where controls and procedures were adjusted, if not suspended, your organization should review those changes and determine if controls should revert back to the pre-pandemic process—or be formally changed and documented as policy. 

Guidance from the American Institute of Certified Public Accountants (AICPA) dictates that a gap in controls associated with the pandemic is not a legitimate reason for not completing a control and that any changes must be documented and properly managed.  

Well over a year into the pandemic, the concept of a hybrid workforce has emerged as the predominant way employees and businesses want to work. Your organization should review current policies and procedures that may pre-date the pandemic to ensure that the updates both document and consider the current business environment. 

Additionally, with personnel working remotely, in a hybrid model, or a combination of both, you should assess practices for managing remote access and a hybrid workforce and, where needed, implement industry best-practice tools and procedures to accommodate a remote workforce while maintaining security controls. If you have questions regarding your cybersecurity procedures or want to learn more, please contact our team. We’re here to help.

Article
Cybersecurity update for organizations: Considerations for boards and senior management

Read this if you are working on ESG initiatives at your organization.

Whether you are a director or an executive well into the journey of developing and communicating your company’s strategic sustainability plans or in early stages, the rising public demand for environmental, social, and governance (ESG) reporting is becoming a force that cannot be ignored by boards and management teams.

ESG overview: reminders and FAQs

What does ESG information comprise? The term “ESG” reporting, used broadly, covers qualitative discussions of topics and quantitative metrics used to measure a company’s performance against ESG risks, opportunities, and related strategies. ESG, sustainability, and corporate social responsibility are terms often used interchangeably to describe nonfinancial reporting being shared publicly by companies. Such information is not currently subject to a singular authoritative set of standards.

What are examples of ESG and sustainability information? The following do not represent all-inclusive lists. While some ESG information may be measured quantitatively, there are often many ways to calculate a given metric, and some information may be difficult to quantify and therefore may be expressed qualitatively and described as such:

As corporate ESG activities increase in relevance and importance to stakeholders, companies are seeking to both understand the complex landscape of ESG disclosure and reporting and determine the best path forward. This includes identifying, collecting, sharing, and improving upon qualitative and quantitative metrics reflecting long-term, strategic ESG value creation.

Organizations are in various stages of readiness to report on such decision-useful information. Currently, a myriad of reporting frameworks and wide variations in how companies choose to publicly share ESG information exist, making the ESG landscape complex to navigate. However, two things are certain:

  1. The pressure for companies to publicly disclose their approach to sustainability and ESG reporting continues to mount from a broad variety of stakeholders, and 
  2. ESG is rapidly rising to the forefront of boardroom agendas.

We have prepared the following to provide useful reminders, FAQs, and insights for those charged with governance as they consider the rapidly changing current ESG reporting landscape and evolving regulatory developments.

Is there a single authoritative set of ESG reporting standards? 

There are currently several frameworks and standards in use globally by companies to report on ESG, many of which may be complementary and used in combination for external reporting. Some of the more commonly used frameworks are: Sustainability Accounting Standards Board (SASB); Global Reporting Initiative (GRI); Task Force on Climate-Related Financial Disclosures (TCFD); International Integrated Reporting Council (IIRC); and Climate Disclosures Standards Board (CDSB). While many of these may already be complementary to each other, there is also growing support for a singular, global set of reporting standards for ESG, though the timing to achieve the necessary convergence remains uncertain.

Are U.S. companies required to disclose ESG information? 

Outside of certain industry regulators, such as required reporting by the Environmental Protection Agency on greenhouse gas emissions, implementation by U.S. companies remains voluntary. However, pressure from institutional investors—BlackRock, State Street and Vanguard—is mounting in support of companies providing ESG disclosures that align with both the SASB and TCFD frameworks. Additionally, sustainability risk issues are increasingly integrated into organizational risk frameworks such as COSO’s Enterprise Risk Management (ERM) framework.

Companies must also assess whether other ESG information, such as climate risk disclosures, is required under current MD&A disclosure rules. For example, if the risk represents a known trend or uncertainty the company reasonably expects will have a material impact on the company’s results of operations or capital resources, additional disclosure would be required.

What companies are reporting, and what information are they reporting? 

ESG disclosures vary significantly depending on the nature of the business, geography, industry, and stakeholder base, as well as available resources to devote to ESG. The largest global public companies have led the way in external ESG reporting and engagement, but this reporting is rapidly expanding to encompass smaller public entities and private entities. Companies of all sizes are both feeling the pressure to produce ESG reporting and identifying it as a means to differentiate themselves in the market by proactively conveying their corporate stories and strategies.

As noted in a recent White & Case study of proxy statements and filed 10-Ks for the top 50 companies by revenue in the Fortune 100, the following ESG categories showed the most significant increase in disclosures from the prior year:

  • Human capital management (HCM)
  • Environmental
  • Corporate culture
  • Ethical business practices
  • Board oversight of environment & social (E&S) issues
  • Social impact/community
  • E&S issues in shareholder engagement

The study noted that a majority of E&S disclosures in the SEC filings were qualitative and did not provide quantitative metrics. However, disclosures pertaining to environmental, HCM, and E&S goals, along with social impact and community relations were more likely to contain quantitative metrics.

Where do companies report ESG information?

The most common places companies are providing public ESG disclosures include:

  • Standalone reports including corporate social responsibility (CSR)/sustainability reports
  • Company websites and marketing materials
  • MD&A sections of annual and quarterly reports
  • Earnings calls
  • Proxy statements and 8-Ks

Evolving auditor ESG attestation

Many ESG metrics and qualitative disclosures are not governed by an established framework such as generally accepted accounting principles (GAAP). They may therefore not be subject to the same rigor of processes and controls that ensure the integrity and accuracy of the underlying data and the appropriateness of the judgments management makes in reporting that information. The fear of corporate "green washing" or "impact washing" (presenting the company as doing more to promote ESG activities, particularly environmental protection, than it actually is) has left many stakeholders questioning the reliability, consistency, and accuracy of company ESG reporting. As ESG reporting continues to evolve and becomes a significant consideration for boards, investors, employees, suppliers, lenders, regulators, and others in making business decisions, there is a growing focus on the value of assurance over such information provided by independent third parties.

Type of attestation services to be provided

Determining the scope and level of assurance to be provided will vary based on company objectives in presenting ESG information, management’s readiness, and intended users and uses of ESG information. Attest services may include:

  • Examination: Consists of an examination performed by an auditor resulting in an independent opinion indicating whether the ESG information is in accordance with the agreed upon criteria, in all material respects. An examination engagement is the closest equivalent to the reasonable assurance obtained in an audit of financial statements.
  • Review: Consists of limited procedures, performed by an auditor, that result in limited assurance. The objective of a review engagement is for the auditor to express a conclusion about whether any material modifications should be made to the ESG information in order for it to be in accordance with the agreed upon criteria. Review engagements are substantially less in scope than examination engagements.


The ESG journey: first steps for boards just beginning the ESG reporting journey

The AICPA and Center for Audit Quality (CAQ) have issued a roadmap for audit practitioners laying out initial steps for those organizations and their boards who are in the beginning phases of the ESG reporting journey:

  • Conduct a materiality or risk assessment to determine which ESG topics are prioritized as important or “material” to the organization, its investors and other stakeholders
  • Implement appropriate board oversight of material ESG matters
  • Integrate/align material ESG topics into the ERM process
  • Integrate ESG matters into the overall company strategy
  • Implement effective internal control over ESG data collection, processing, and reporting


For boards considering an attestation engagement

The CAQ has further prepared the following questions boards may consider for companies that have already started reporting on ESG and may be considering an attestation engagement:

  • What is the purpose and objective of the attestation engagement on ESG information?
  • Who are the intended users of the ESG information and related attestation report?
  • Why do the intended users want or need an attestation report on the ESG information?
  • What are the potential risks associated with a misstatement or omission in the ESG information?
  • Does the company have a clear understanding of what ESG information the intended users want or need to be in the scope of the attestation engagement?
  • What level of attestation service (examination or review engagement) will help the company achieve its objective?

Additional questions for board members to consider regarding their company’s preparedness for reporting include:

  • Does management have well established controls, policies, and procedures for the collection of and disclosure of ESG information? Are there gaps to be addressed?
  • Has the board, along with management, set specific objectives and goals for external reporting of ESG information?
  • Is the information disclosed by the company consistent across its various communication channels?
  • Are the ESG responsibilities at the board level clearly defined among appropriate committees and are those responsibilities directly linked to corporate strategic ESG goals and external reporting needs?
  • Have the right advisors been identified to assist in preparing for reporting and/or to attest to the quality of reporting?

Next steps

We encourage management, audit committees, and other board members to continue to educate themselves on the evolving landscape of ESG and carefully consider the needs of various stakeholders broadly when mapping out their ESG reporting needs. Particular attention should be paid to regulatory developments in this area.

Article
ESG reporting: Considerations for boards and those charged with governance

Read this if you are a plan sponsor of employee benefit plans.

This article is the eleventh in a series to help employee benefit plan fiduciaries better understand their responsibilities and manage the risks of non-compliance with Employee Retirement Income Security Act (ERISA) requirements. You can read the previous articles here.

Most employee benefit plans have outsourced a significant portion of the internal controls to a service organization, such as a third-party administrator. The plan administrator has a fiduciary responsibility to monitor the internal controls of the service organization and to determine if the outsourced controls are suitably designed and effective.

SOC 1 reports: Internal controls and financial reporting

Generally, the most efficient way to obtain an understanding of the outsourced controls is to obtain a report on controls issued by the service organization’s auditor. Commonly referred to as a System and Organization Controls (SOC) report, the SOC report should be based on the American Institute of Certified Public Accountants’ (AICPA) attestation standards and should cover internal controls relevant to financial reporting, also known as a SOC 1 report (the “1” indicating it covers internal controls over financial reporting).

Plan sponsors should perform a documented review of the SOC 1 report for each of the plan’s significant service organizations. The documented review should include the plan sponsor’s assessment of the complementary user entity controls outlined in the SOC 1 report. The complementary user entity controls are internal control activities that should be in place at the plan sponsor to provide reasonable assurance that the controls tested at the service organization are operating effectively at your plan. If a service organization’s internal controls are operating effectively, but complementary user entity controls are not in place at your organization, the effectiveness of the service organization’s internal controls may not transfer to your plan’s operations.

Credibility and CPA firms: Considerations

The credibility of the CPA firm that performed the SOC 1 examination affects how much reliance you can place on its opinion, and thus on the service organization's internal controls. Unfamiliarity with the service auditor's qualifications may be mitigated through additional research. Items to consider are:

  • The firm’s expertise in SOC 1 reporting
    • Are they familiar with the service organization’s industry?
    • How many professionals do they have that perform SOC 1 examination services?
  • The evaluation of AICPA peer reviews 
    Audit firms are required to have a periodic peer review conducted. The results of the peer review are publicly available on the AICPA's website.
    • Did the service auditor receive a “pass” rating during their most recent peer review?
    • Did the peer review cover SOC 1 examination services?
  • Evaluation of the service organization’s due diligence procedures surrounding the selection of an auditor

Some of this information may be readily available via the service auditor’s website, while other information may need to be gathered through direct communication with the service organization. A qualified service auditor should be able to provide a SOC 1 report that contains sufficient detail, relevant transactional activity, relevant control objectives, and a timely reporting period.

SOC 1 reports may contain an unqualified, qualified, adverse, or disclaimer of opinion. The opinion addresses whether the controls in place are suitably designed (and, in a Type 2 report, operating effectively over the examination period) to support complete and accurate financial reporting; a Type 1 report speaks only to design as of a single date, so it is a Type 2 report that supports reliance on controls operating throughout your plan year. Report qualifications may affect the risk of relying on the service organization and may result in the need for additional procedures or safeguards to help ensure the plan's financial statements are presented fairly. Even if the SOC 1 report received an unqualified opinion, you should review the controls tested by the service auditor and the results of such testing for any exceptions. Exceptions, even if they don't result in a qualified opinion, may have an impact on the plan's control environment.

You should also review the scope of the audit to check that all significant transaction cycles, processes, and IT applications were properly assessed for their impact on the plan’s financial statements. Areas outside the scope of the SOC 1 report may require additional consideration, including the possibility of obtaining more than one SOC 1 report for subservice organizations whose functions were carved out from the service organization’s SOC 1 report.

Subservice organizations

Subservice organizations are frequently utilized to process certain transactions or perform certain functions at the service organization. Management of the service organization may identify certain transaction cycles and processes that are performed by a subservice organization and choose to exclude relevant control objectives and related controls from the SOC 1 report description and the scope of the auditor’s engagement. In such cases, multiple SOC 1 reports may need to be acquired to gain adequate coverage of all controls and objectives relevant to your plan. 

Furthermore, you need to consider the time period the SOC 1 report covers. Coverage should be obtained for your plan’s full fiscal year. For SOC 1 reports that lack coverage of your plan’s full fiscal year, a bridge letter should be obtained to help ensure that no significant changes in controls occurred between the SOC 1 report examination period and the end of your plan’s fiscal year.

Although plans commonly outsource a significant portion of their day-to-day operations to service organizations, plan fiduciaries cannot outsource their responsibilities surrounding the maintenance of a sound control environment. SOC 1 reports are a great resource to assess the control environments of service organizations. However, such reports can be lengthy and daunting to review. We hope this article provides some best practices in reviewing SOC 1 reports. If you have any questions, or would like to receive a copy of our SOC 1 report review template, please don’t hesitate to reach out to our Employee Benefits Audit team.
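The period-coverage, bridge-letter, opinion and subservice carve-out checks described above lend themselves to a small, repeatable review script. The following is an added example written for this article, not the firm's SOC 1 review template or any tool the article describes. The report fields, the organization names and dates, and the choice to count a management bridge letter toward coverage of the stub period are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Soc1Report:
    """Fields a reviewer would extract from each SOC 1 report (hypothetical schema)."""
    service_org: str
    period_start: date
    period_end: date
    opinion: str                                  # "unqualified", "qualified", "adverse" or "disclaimer"
    report_type: int = 2                          # 1 = design as of a date; 2 = operating effectiveness over a period
    carved_out: Tuple[str, ...] = ()              # subservice organizations excluded from the report's scope
    bridge_letter_through: Optional[date] = None  # management's bridge letter extends coverage to this date


def _merge(intervals: List[Tuple[date, date]]) -> List[Tuple[date, date]]:
    """Merge overlapping or back-to-back date intervals (inclusive on both ends)."""
    merged: List[Tuple[date, date]] = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1] + timedelta(days=1):
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def coverage_gaps(intervals, fy_start: date, fy_end: date) -> List[Tuple[date, date]]:
    """Return the sub-ranges of the fiscal year [fy_start, fy_end] that no interval covers."""
    gaps = []
    cursor = fy_start
    for start, end in _merge(intervals):
        if start > cursor and cursor <= fy_end:
            gaps.append((cursor, min(start - timedelta(days=1), fy_end)))
        cursor = max(cursor, end + timedelta(days=1))
    if cursor <= fy_end:
        gaps.append((cursor, fy_end))
    return gaps


def review_soc1_reports(reports, fy_start: date, fy_end: date) -> List[str]:
    """Run the opinion, report-type, period-coverage and carve-out checks; return sorted findings."""
    findings = []
    by_org = {}
    for r in reports:
        by_org.setdefault(r.service_org, []).append(r)

    for org, org_reports in sorted(by_org.items()):
        intervals = []
        for r in org_reports:
            if r.report_type != 2:
                findings.append(f"{org}: Type 1 report speaks only to control design as of {r.period_end}; "
                                "it provides no operating-effectiveness period to rely on")
                continue
            if r.opinion != "unqualified":
                findings.append(f"{org}: {r.opinion} opinion; evaluate additional procedures or safeguards")
            # A bridge letter is management's representation, not auditor assurance, but it is what the
            # review relies on for the stub period, so it is counted toward coverage here (assumption).
            covered_through = max(r.period_end, r.bridge_letter_through or r.period_end)
            intervals.append((r.period_start, covered_through))
            for sub in r.carved_out:
                if sub not in by_org:
                    findings.append(f"{org}: subservice organization {sub} is carved out; "
                                    "obtain its own SOC 1 report")
        for gap_start, gap_end in coverage_gaps(intervals, fy_start, fy_end):
            findings.append(f"{org}: no coverage from {gap_start} to {gap_end}; "
                            "obtain a bridge letter or a later report")
    return sorted(findings)


# Constructed sample input (hypothetical organizations and dates) for a plan with a calendar-year fiscal year.
FY_START, FY_END = date(2021, 1, 1), date(2021, 12, 31)
SAMPLE_REPORTS = [
    Soc1Report("Acme Recordkeeping", date(2020, 10, 1), date(2021, 9, 30), "unqualified",
               carved_out=("Custody Trust Co.",), bridge_letter_through=date(2021, 12, 31)),
    Soc1Report("PayCo Payroll", date(2021, 1, 1), date(2021, 6, 30), "qualified"),
]

if __name__ == "__main__":
    for finding in review_soc1_reports(SAMPLE_REPORTS, FY_START, FY_END):
        print(finding)
```

On the sample input the script flags the carved-out custodian that has no report of its own, the six-month gap in the payroll provider's coverage, and the payroll provider's qualified opinion; the recordkeeper's gap between September 30 and year end is closed by its bridge letter. A Type 1 report never contributes an interval, so an organization with only a Type 1 report is reported as both design-only and uncovered for the whole year.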

Article
Service organizations and review of SOC 1 reports: Considerations and recommendations

Read this if you are a plan sponsor of employee benefit plans.

This article is the tenth in a series to help employee benefit plan fiduciaries better understand their responsibilities and manage the risks of non-compliance with Employee Retirement Income Security Act (ERISA) requirements. You can read the previous articles here.

ERISA bonding requirements

Generally, every fiduciary of a plan and every person who handles funds or other property of the plan must be bonded. ERISA's bonding requirements are intended to protect employee benefit plans from risk of loss due to fraud or dishonesty on the part of persons who handle plan funds or other property. ERISA refers to persons who handle funds or other property of an employee benefit plan as plan officials. A plan official must be bonded for at least 10% of the amount of funds he or she handles, subject to a minimum bond amount of $1,000 per plan with respect to which the plan official has handling functions. In most instances, the maximum bond amount that can be required under ERISA with respect to any one plan official is $500,000 per plan. If the plan holds employer securities, the maximum required bond amount increases to $1,000,000.

The bond must be fixed or estimated at the beginning of the plan's reporting year; that is, as soon after the date when such year begins as the necessary information from the preceding reporting year can practicably be ascertained. The amount of the bond must be based on the highest amount of funds handled by the person in the preceding plan year. Bonds must be placed with a surety or reinsurer that is named on the Department of the Treasury's Listing of Approved Sureties, Department Circular 570.

The US Department of Labor Field Assistance Bulletin No. 2008-04 provides answers to a number of questions that have been raised concerning the bonding rules.

Compliance testing

The Internal Revenue Code requires retirement plans to undergo certain non-discrimination and compliance testing on an annual basis to ensure contributions or benefits do not discriminate in favor of highly compensated employees and contributions are not in excess of amounts prescribed by the Internal Revenue Service (IRS).

The tests a plan should perform vary based on the plan's provisions. However, some of the more common tests for defined contribution plans are:

Actual Deferral Percentage (ADP) Test: This test ensures employee salary deferrals made to the plan do not disproportionately benefit highly compensated employees (HCEs). If this test is failed, the most common correction method is distributing excess contributions to HCEs in the amount necessary to make the test pass. Corrections should be made no later than two-and-a-half months following the close of the plan year to avoid a 10% excise tax. The final deadline is 12 months following the close of the plan year.

Actual Contribution Percentage (ACP) Test: This test ensures the matching and voluntary employer contributions made to the plan do not disproportionately benefit HCEs. If this test is failed, the most common correction method is removing excess contributions from HCE’s accounts in the amount necessary to make the test pass. These excess contributions do not leave the plan. Rather, they are transferred into the forfeiture account of the plan, typically to be used to pay plan expenses or fund future employer contributions. Corrections should be made no later than two-and-a-half months following the close of the plan year to avoid a 10% excise tax. The final deadline is 12 months following the close of the plan year.

416 Top Heavy Test: This test ensures key employees do not represent a disproportionate percentage of plan assets. If this test is failed, the most common correction method is to allocate a 3% top heavy minimum contribution to non-key participants (any participant that is not a key employee). Other employer contributions can be used to offset the 3% contribution. Corrections should be made no later than 12 months following the close of the plan year in which the plan is top heavy.

The ADP, ACP, and Top Heavy Tests can be forgone if the plan qualifies for safe harbor status. Also, 403(b) plans are not required to perform either the ADP test or the top-heavy test.

410(b) Minimum Coverage Test: This test ensures each contribution made to the plan benefits a sufficient percentage of non-HCEs. This test is performed for each different contribution type offered within the plan. If this test is failed, the most common correction method is to retroactively amend the plan to benefit more non-HCEs until the test passes. Corrections should be made no later than nine-and-a-half months following the close of the plan year in which the failure occurred.

402(g) Elective Deferral Limit: Participants are limited in the amount of elective deferrals they may contribute to qualified plans and thus exclude from taxable income each calendar year. If a participant contributes in excess of this limit, the most common correction method is to distribute the excess contribution amount. In 2021, the 402(g) Elective Deferral Limit is $19,500. Corrections should be made no later than April 15th following the close of the calendar year during which the excess deferral was made.

415(c) Annual Addition Limit: Participants are also limited in the amount of total contributions that can be credited to their account each limitation year (usually the plan year). If a participant receives total contributions in excess of this limit, the most common correction method is to first distribute elective contributions in excess of the limit. If an excess still remains, employer contributions should then be transferred to the plan’s forfeiture account. In 2021, the 415(c) Annual Addition Limit is $58,000. Corrections should be made no later than nine-and-a-half months following the close of the limitation year in which the failure occurred.

ERISA bonding requirements and compliance testing, although not necessarily related, are two of the compliance matters we, as auditors, commonly look at during our audits. For ERISA bonding requirements, we review to make sure the plan had adequate coverage and the bond is with an approved surety. For compliance testing, we look to make sure the testing has been performed and failed tests, if any, have been appropriately and timely resolved. Plan fiduciaries are not alone in addressing these matters—insurance carriers can help guide plan management in finding a fidelity bond appropriate for their plan and third-party administrators will typically perform compliance testing on behalf of the plan and guide plan management through any necessary corrections. However, it is still important for plan fiduciaries to be aware of the overall purpose of the bonding requirements and the compliance tests and be familiar with the correction methods and deadlines.

If you would like more information, or have specific questions about your specific situation, please contact our Employee Benefits Audit team.

Article
Other ERISA compliance matters: ERISA bonding requirements and compliance testing

Read this if you paid wages for qualified sick and family leave in 2021.

The IRS has issued guidance to employers on year-end reporting for sick and family leave wages that were paid in 2021 to eligible employees under recent federal legislation.

IRS Notice 2021-53, issued on September 7, 2021, provides that employers must report “qualified leave wages” either on a 2021 Form W-2 or on a separate statement, including:

  • Qualified leave wages paid from January 1, 2021 through March 31, 2021 (Q1) under the Families First Coronavirus Response Act (FFCRA), as amended by the Consolidated Appropriations Act, 2021 (CAA).
  • Qualified leave wages paid from April 1, 2021 through September 30, 2021 (Q2 and Q3) under the American Rescue Plan Act of 2021 (ARPA).

The notice also explains how employees who are also self-employed should report such paid leave. This guidance builds on IRS Notice 2020-54, issued in July 2020, which explained the reporting requirements for 2020 qualified leave wages.

Employers should work with their IT department and/or payroll service provider as soon as possible to review the payroll system, earnings codes configuration and W-2 mapping to ensure that these paid leave wages are captured timely and accurately for year-end W-2 reporting.

FFCRA and ARPA tax credits background

In March 2020, the FFCRA imposed a federal mandate requiring eligible employers to provide paid sick and family leave from April 1, 2020 to December 31, 2020, up to specified limits, to employees unable to work due to certain COVID-related circumstances. The FFCRA provided fully refundable tax credits to cover the cost of the mandatory leave.

In December 2020, the CAA extended the FFCRA tax credits through March 31, 2021, for paid leave that would have met the FFCRA requirements (except that the leave was optional, not mandatory). The ARPA further extended the credits for paid leave through September 30, 2021, if the leave would have met the FFCRA requirements.

In addition to employer tax credits, under the CAA, a self-employed individual may claim refundable qualified sick and family leave equivalent credits if the individual was unable to work during Q1 due to certain COVID-related circumstances. The ARPA extended the availability of the credits for self-employed individuals through September 30, 2021. However, an eligible self-employed individual may have to reduce the qualified leave equivalent credits by some (or all) of the qualified leave wages the individual received as an employee from an employer.

Reporting requirements to claim the refundable tax credits

Eligible employers who claim the refundable tax credits under the FFCRA or ARPA must separately report qualified sick and family leave wages to their employees. Employers who forgo claiming such credits are not subject to the reporting requirements.

Qualified leave wages paid in 2021 under the FFCRA and ARPA must be reported in Box 1 of the employee’s 2021 Form W-2. Qualified leave wages that are Social Security wages or Medicare wages must be included in boxes 3 and 5, respectively. To the extent the qualified leave wages are compensation subject to the Railroad Retirement Tax Act (RRTA), they must also be included in box 14 under the appropriate RRTA reporting labels.

In addition, employers must report to the employee the following types and amounts of wages that were paid, with each amount separately reported either in box 14 of the 2021 Form W-2 or on a separate statement:

  • The total amount of qualified sick leave wages paid for reasons described in paragraphs (1), (2), or (3) of Section 5102(a) of the Emergency Paid Sick Leave Act (EPSLA)¹ with respect to leave provided to employees during the period beginning on January 1, 2021, through March 31, 2021. The following, or similar language, must be used to label this amount: “Sick leave wages subject to the $511 per day limit paid for leave taken after December 31, 2020, and before April 1, 2021.”
  • The total amount of qualified sick leave wages paid for reasons described in paragraphs (4), (5), or (6) of Section 5102(a) of the EPSLA with respect to leave provided to employees during the period beginning on January 1, 2021, through March 31, 2021. The following, or similar language, must be used to label this amount: “Sick leave wages subject to the $200 per day limit paid for leave taken after December 31, 2020, and before April 1, 2021.”
  • The total amount of qualified family leave wages paid to the employee under the Emergency Family and Medical Leave Expansion Act (EFMLEA) with respect to leave provided to employees during the period beginning on January 1, 2021, through March 31, 2021. The following, or similar language, must be used to label this amount: “Emergency family leave wages paid for leave taken after December 31, 2020, and before April 1, 2021.”
  • The total amount of qualified sick leave wages paid for reasons described in paragraphs (1), (2), or (3) of Section 5102(a) of the EPSLA with respect to leave provided to employees during the period beginning on April 1, 2021, through September 30, 2021. The following, or similar language, must be used to label this amount: “Sick leave wages subject to the $511 per day limit paid for leave taken after March 31, 2021, and before October 1, 2021.”
  • The total amount of qualified sick leave wages paid for reasons described in paragraphs (4), (5), and (6) of Section 5102(a) of the EPSLA with respect to leave provided to employees during the period beginning on April 1, 2021, through September 30, 2021. The following, or similar language, must be used to label this amount: “Sick leave wages subject to the $200 per day limit paid for leave taken after March 31, 2021, and before October 1, 2021.”
  • The total amount of qualified family leave wages paid to the employee under the EFMLEA with respect to leave provided to employees during the period beginning on April 1, 2021, through September 30, 2021. The following, or similar language, must be used to label this amount: “Emergency family leave wages paid for leave taken after March 31, 2021, and before October 1, 2021.”

If an employer chooses to provide a separate statement and the employee receives a paper 2021 Form W-2, then the statement must be included with the Form W-2 sent to the employee. If the employee receives an electronic 2021 Form W-2, then the statement must be provided in the same manner and at the same time as the Form W-2.

In addition to the above required information, the notice also suggests that employers provide additional information about qualified sick and family leave wages that explains that these wages may limit the amount of the qualified sick leave equivalent or qualified family leave equivalent credits to which the employee may be entitled with respect to any self-employment income.

For more information

If you have more questions, or have a specific question about your particular situation, please call us. We’re here to help.

¹ Employees are eligible for qualified sick leave under EPSLA if the employee:

  • Was subject to a federal, state or local quarantine or isolation order related to COVID-19;
  • Had been advised by a health-care provider to self-quarantine due to concerns related to COVID-19;
  • Experienced symptoms of COVID-19 and was seeking a medical diagnosis;
  • Was caring for an individual who was subject to a quarantine order related to COVID-19, or had been advised by a health-care provider to self-quarantine due to concerns related to COVID-19;
  • Was caring for a son or daughter of such employee, if the school or place of care of the son or daughter had been closed, or the child-care provider of such son or daughter was unavailable, due to COVID-19; or
  • Was experiencing any other substantially similar condition specified by the Secretary of Health and Human Services.

Article
IRS guidance to employers: Year-end reporting requirements for qualified sick and family leave wages

Read this if you are a plan sponsor of employee benefit plans.

This article is the ninth in a series to help employee benefit plan fiduciaries better understand their responsibilities and manage the risks of non-compliance with Employee Retirement Income Security Act (ERISA) requirements. You can read the previous articles here.

Employee benefit plan loan basics 

If your plan’s adoption agreement is set up to allow loans, participants can borrow against their account balance. Some participants may find this an attractive option as the interest they pay on the loan is returned to their retirement account as opposed to other loans where the interest is paid to the lender. 

Additionally, while interest is charged at a market rate, it may be lower than other options available to the participant, such as a credit card or other unsecured debt. Unlike hardship distributions, there are no restrictions on the circumstances under which a participant may take a loan. A potential downside is that if the borrower defaults on the loan, or ends their employment and cannot repay the loan in full, the outstanding balance is treated as a distribution, potentially incurring taxes and penalties.

If a participant decides that an employee benefit plan loan is their best option, they will apply for the loan through your plan administrator. Loans are limited in both size and quantity. Participants may borrow up to 50% of their vested account balance, with a maximum loan of $50,000. The provisions of a plan determine how many loans an employee may have at once; however, the combined loan balances cannot exceed 50% of the employee's vested balance or $50,000. Furthermore, the $50,000 maximum is reduced by the highest outstanding loan balance the participant had during the preceding 12 months, so a recently repaid loan still counts against the limit.

Repayment of employee benefit plan loans

Repayment of employee benefit plan loans may be done through after-tax payroll deductions, making it a relatively easy process for the participant. If a plan sponsor elects to provide this repayment option, they must ensure that repayments are remitted to the plan in a timely manner, just as they must with other employee-funded contributions. The term of the loan is generally limited to five years, and the loan must be repaid in substantially level installments made at least quarterly. A plan's loan policy may allow a longer term, as long as thirty years, but only when the loan proceeds are used to purchase the participant's primary residence.

Like any source of debt, there are pros and cons to taking out an employee benefit plan loan, and it remains an important option for participants to understand. The benefits include the ease of applying for such a loan and loan interest that is then added to the participant’s retirement account balance. Potential pitfalls include lost earnings during the loan period and the risk of the loan becoming a deemed distribution if the participant is unable to repay within the allotted time. 

If you would like more information, or have specific questions about your specific situation, please contact our Employee Benefits Audit team.

Article
Retirement plan loans: A brief review