
Three paths to organizational self-care for state public health agency survival

11.11.20

The American Public Health Association annual conference’s thematic focus on preventing violence provided an illustration of the extent of the overwhelming demands on state public health agencies right now. Not only do you need to face the daily challenges of responding to the COVID-19 pandemic, you also need to address ongoing, complex issues like violence prevention.

The sheer breadth of sessions available at APHA shows the broad scope of public health’s reach and the need for multi-level, multi-sector interventions, all with a shrinking public health workforce. The conference’s sessions painted clear pictures of the critical public health issues our country currently faces, but did not showcase many solutions, perhaps leaving state health agency leaders wondering how to tackle these taxing demands coming from every direction with no end in sight.

BerryDunn has a suggestion: practice organizational self-care! It might seem antithetical to focus maxed-out resources on strengthening systems and infrastructure right now, but state public health agencies have little choice. You have to be healthy yourself in order to effectively protect the public’s health. Organizational health is driven by high-functioning systems, from disease surveillance and case investigation to performance management, and quality improvement to data-informed decision-making.  

State health agencies can use COVID-19 funding to support organizational self-care, prioritizing three areas: workforce, technology, and processes. Leveraging this funding to build organizational capacity can increase human resources, replace legacy data systems, and purchase equipment and supplies. 

  1. Funding new positions with COVID sources can create upward paths for existing staff as well as expand the workforce.
  2. Assessing the current functioning of public health data systems identifies and clarifies gaps that can be addressed by adopting new technology platforms, which can also be done with COVID funding.
  3. Examining the processes used for major functions like surveillance or case investigation can eliminate unproductive steps and introduce efficiencies. 

So what now? Where to start? BerryDunn brings expertise in process analysis and redesign, an accreditation readiness tool, and an approach to data systems planning and procurement―all of which are paths forward toward organizational self-care. 

  1. Process analysis and redesign can be applied to data systems or other areas of focus to prioritize incremental changes. Conduct process redesign on a broad or narrow scale to improve efficiency and effectiveness of your projects. 

  2. Accreditation readiness provides a lens to examine state health agency operations against best practices to focus development in areas with the most significant gaps. Evaluate gaps in your agency’s readiness for Public Health Accreditation Board (PHAB) review and track every piece of documentation needed to meet PHAB standards.
  3. Data system planning and procurement assistance incorporates process analysis to assess your current system functioning, define your desired future state, and address the gaps, and then find, source, and implement faster, more effective systems. 

Pursuing any of these three paths allows state health agency leaders to engage in organizational self-care in a realistic, productive manner so that the agency can meet the seemingly unceasing demands for public health action now and into the future.

Truly effective preventive health interventions require starting early, as evidenced by the large body of research and the growing federal focus on the role of Medicaid in addressing Social Determinants of Health (SDoH) and Adverse Childhood Experiences (ACEs).

Focusing on early identification of SDoH and ACEs, CMS recently announced its Integrated Care for Kids (InCK) model and will release the related Notice of Funding Opportunity this fall.

CMS describes InCK as a child-centered approach that uses community-based service delivery and alternative payment models (APMs) to improve and expand early identification, prevention, and treatment of priority health concerns, including behavioral health issues. The model’s goals are to improve child health, reduce avoidable inpatient stays and out-of-home placement, and create sustainable APMs. Such APMs would align payment with care quality and support provider/payer accountability for improved child health outcomes by using care coordination, case management, and mobile crisis response and stabilization services.

State Medicaid agencies have many things to consider when evaluating this funding opportunity. Building on current efforts and innovations, building or leveraging strong partnerships with community organizations, incentivizing evidence-based interventions, and creating risk stratification of the target population are critical parts of the InCK model. Here are three additional areas to consider:

1. Data. States will need information for early identification of children in the target population. State agencies like housing, justice, child welfare, education, and public health have this information, and external organizations—such as childcare, faith-based, and recreation groups—are also good sources of early identification. It is immensely complicated to access data from these disparate sources. State Medicaid agencies will be required to support local implementation by providing population-level data for the targeted geographic service area.

  • Data collection challenges include a lack of standardized measures for SDoH and ACEs, common data field definitions, or consistent approaches to data classification; security and privacy of protected health information; and IT development costs.
  • Data-sharing agreements with internal and external sources will be critical for state Medicaid agencies to develop, while remaining mindful of protected health information regulations.
  • Once data-sharing agreements are in place, these disparate data sources, with differing file structures and nomenclature, will require integration. The integrated data must then be able to identify and risk-stratify the target population.

For any evaluative approach or any APM to be effective, clear quality and outcome measures must be developed and adopted across all relevant partner organizations.

2. Eligibility. Reliable, integrated eligibility and enrollment systems are crucial points of identification and make it easier to connect to needed services.

  • Applicants for one-benefit programs should be screened for eligibility for all programs they may need to achieve positive health outcomes.
  • Any agency at which potential beneficiaries appear should also have enrollment capability, so it is easier to access services.

3. Payment models. State Medicaid agencies may cover case management services and/or targeted case management as well as health homes; leverage Early and Periodic Screening, Diagnostic, and Treatment (EPSDT) services; and modify managed care organization contract language to encourage, incent, and in some cases, require services related to the InCK model and SDoH. Value-based payment models, already under exploration in numerous states, include four basic approaches:

  • Pay for performance—provider payments are tied directly to specific quality or efficiency indicators, including health outcomes under the provider organization’s control. 
  • Shared savings/risk—some portion of the organization’s compensation depends on the managed care entity achieving cost savings for the targeted patient population, while realizing specific health outcomes or quality improvement.
  • Pay for success—payment is dependent upon achieving desired outcomes rather than underlying services.
  • Capitated or bundled payments—managed care entities pay an upfront per member per month lump sum payment to an organization for community care coordination activities and link that with fee-for-service reimbursement for delivering value-added services.

By focusing on upstream prevention, comprehensive service delivery, and alternative payment models, the InCK model is a promising vehicle to positively impact children’s health. Though its components require significant thought, strategy, coordination, and commitment from state Medicaid agencies and partners, there are early innovators providing helpful examples and entities with vast Section 1115 waiver development and Medicaid innovation experience available to assist.

As state Medicaid agencies develop and implement primary and secondary prevention, cost savings can be achieved while meaningful improvements are made in children’s lives.

Article
Three factors state Medicaid agencies should consider when applying for InCK funding

Is your state Medicaid agency considering a Centers for Medicare and Medicaid Services (CMS) Section 1115 Waiver to fight the opioid epidemic in your state? States want the waiver because it provides flexibility to test different approaches to finance and deliver Medicaid services. The skyrocketing prevalence of substance use disorders nationwide calls for such flexibility and innovation to expand existing services for treatment and recovery. Although applying for an 1115 waiver can be daunting, here are some guidelines to help you succeed with implementation.

Be pragmatic
Be honest and pragmatic in planning discussions for the essential resources you need to have in place for a successful implementation. Ask yourselves who and how many people you need to involve to develop and execute each stage. Plan enough time to develop policies and agency protocols, make sure you have the right providers for your members, set provider rates, and then train the providers.

Ask hard questions
Once you identify key requirements to address first in your waiver, ask yourself what elements need to be in place to meet these requirements. Here are elements to consider and questions to answer:

  • Fee-for-service and managed care organization (MCO) rates — new services, such as adult residential treatment services aligned with care standards (e.g., American Society of Addiction Medicine (ASAM®) levels), may require changes to reimbursement rates. What needs to happen to develop new rates? What obstacles do you anticipate and how will you overcome them?
  • Care standards (e.g., ASAM® levels of care) and training your providers — consider what the levels mean given the range of providers in your state and the services your members receive. What is required to move to these standards? How will you work with providers to ensure adherence, including certification and training? What will this cost?
  • Policy changes — your state’s Medicaid agency will need to revamp and create policies to cover the service expansion and other changes. How will you complete all necessary policy and protocol changes early enough to inform MCO and provider actions?
  • MCO provider network adequacy — it’s worth investing the time in your application development to assess whether the MCOs serving Medicaid recipients in your state have the right mix of providers to ensure that you can fully implement the new service structure. How long should you give the MCOs for network expansion or recruitment?
  • MCO care coordination guidelines — each MCO will have its own approach. How are you going to ensure adherence to your waiver’s vision of care coordination?
  • Indicators — how will you evaluate the success of your program? How will you collect and analyze data? The earlier you determine how you will evaluate your program, the easier it will be to report on, and make improvements.

Get started
Applying for and implementing an SUD 1115 waiver is a complex and time-consuming process — but by dedicating the time up front to address the many details of time and resources, you’ll find implementation to be far smoother, and effective treatment and recovery services provided sooner for those who need it most. Our Medicaid team is here to help.

Article
Building a Strong Substance Use Disorder (SUD) 1115 waiver demonstration

Read this if you are responsible for cybersecurity at your organization. 

During the financial audit process, auditors are required to develop and confirm their understanding of Information Technology (IT) and cybersecurity practices as they relate to financial reporting, both to better understand risks and because of auditors’ heavy reliance on data pulled from accounting information systems. As auditors, we have seen a significant increase in the number of impactful incidents affecting not-for-profit organizations, and our IT security experts often share valuable advisory comments in annual audit communications with our clients. With recent incidents and a very rapidly changing business environment, here are the three most important from the last six months that impact all not-for-profits.

Board oversight of cybersecurity 

Cybersecurity gaps within an organization’s systems may lead to risk exposure and have material impacts on all aspects of operations. Responsibility for cybersecurity controls and for establishing a culture of awareness and security should come from the Board and senior leadership. Board members and senior leaders should stay apprised of cybersecurity efforts on a regular basis and incidents should be summarized and reported on a quarterly basis. 

The Board should also consider adding a member who is a professional with IT and cybersecurity experience to help manage and understand the specific risks to the organization and help drive and support cybersecurity efforts.

Ransomware threats and preventive controls

The use of ransomware as a profitable attack on organizations by hackers continues to rapidly increase. Within the last year there have been multiple high-profile incidents that illustrate the impact of a successful attack. These impacts fall into two main areas. One impact may be financial, as millions of dollars are paid to the bad actors as ransom in hopes of being able to regain control of systems. The second impact is operational, resulting in a loss of control of systems and data during the event. Potentially, an unsuccessful data restoration could result in the total loss of information and data maintained on your networks. 

Though no organization may be able to prevent a ransomware attack from occurring entirely, there are basic cybersecurity controls that help reduce the likelihood and impact of an attack. Preventive controls may include: 

  • Security awareness training on phishing emails and overall IT security practices for all organization users
  • Multi-factor authentication 
  • Access controls that prevent users from installing unapproved software onto organization-owned workstations and networks
  • Anti-malware software installed on devices that connect to organization systems 
  • Use of Zero Trust data management tools for backups
  • Disabling macros in emails (prevents back-end processes from automatically running) 

In addition to adding these preventive controls to your cybersecurity program, your organization should assess the corrective controls already in place to react to a ransomware event if one is detected or reported. Corrective controls may include:

  • Disaster recovery plans/business continuity plans 
  • Incident response plans
  • Backup controls and restoration tests 

As the risk of ransomware continues to increase and attacks continue to grow in sophistication, your organization should consider regular assessments of IT controls and cybersecurity practices. Such assessments may be performed in conjunction with annual financial statement audits as an expanded scope and/or as a separate annual IT assessment.

COVID-19 IT considerations 

The global COVID-19 pandemic significantly impacted nearly every aspect of modern life, including the way we work. As personnel were sent home and became a remote workforce overnight, IT systems and controls were rapidly adjusted to accommodate this new way of doing business.

Where controls and procedures were adjusted, if not suspended, your organization should review those changes and determine if controls should revert back to the pre-pandemic process—or be formally changed and documented as policy. 

Guidance from the American Institute of Certified Public Accountants (AICPA) dictates that a gap in controls associated with the pandemic is not a legitimate reason for not completing a control and that any changes must be documented and properly managed.  

Well over a year into the pandemic, the concept of a hybrid workforce has emerged as the predominant way employees and businesses want to work. Your organization should review current policies and procedures that may pre-date the pandemic to ensure that the updates both document and consider the current business environment. 

Additionally, with personnel working remotely or in a hybrid model, or a combination of both, you should assess practices for managing remote access and a hybrid workforce and, where needed, implement industry best-practice tools and procedures to accommodate a remote workforce while maintaining security controls. If you have questions regarding your cybersecurity procedures or want to learn more, please contact our team. We’re here to help.
 

Article
Cybersecurity update for organizations: Considerations for boards and senior management

Read this if you are a Chief Financial Officer, Chief Compliance Officer, FINOP, or charged with governance of a broker-dealer.

The results of the Public Company Accounting Oversight Board’s (PCAOB) 2020 inspections are included in its 2020 Annual Report on the Interim Inspection Program Related to Audits of Brokers and Dealers. There were 65 audit firms inspected in 2020 by the PCAOB and, although deficiencies declined 11% from 2019, 51 firms still had deficiencies. This high level of deficiencies, as well as the nature of the deficiencies, provides insight into audit quality for broker-dealer stakeholders. Those charged with governance should be having conversations with their auditor to see how they are addressing these commonly found deficiencies and asking if the PCAOB identified any deficiencies in the auditor’s most recent examination. 

If there were deficiencies identified, what actions have been taken to eliminate these deficiencies going forward? Although the annual report on the Interim Inspection Program acts as an auditor report card, the results may have implications for the broker-dealer, as gaps in audit quality may mean internal control weaknesses or misstatements go undetected.

Attestation Standard (AT) No. 1 examination engagements test compliance with the financial responsibility rules and the internal controls surrounding compliance with the financial responsibility rules. The PCAOB examined 21 of these engagements and found 14 of them to have deficiencies. The PCAOB continued to find high deficiency rates in testing internal control over compliance (ICOC). They specifically found that many audit firms did not obtain sufficient, appropriate evidence about the operating effectiveness of controls important to the auditor’s conclusions regarding the effectiveness of ICOC. This insufficiency was widespread in all four areas of the financial responsibility rules: the Reserve Requirement rule, possession or control requirements of the Customer Protection Rule, Account Statement Rule, and the Quarterly Security Counts Rule.

The PCAOB also identified a firm that included a statement in its examination report that referred to an assertion by the broker-dealer that its ICOC was effective as of its fiscal year-end; however, the broker-dealer did not include that required assertion in its compliance report.

AT No. 2 review engagements test compliance with the broker-dealer’s exemption provisions. The PCAOB examined 83 AT No. 2 engagements and found 19 of them to have deficiencies. The most significant deficiencies were that audit firms:

  • Did not make required inquiries, including inquiries about controls in place to maintain compliance with the exemption provisions, and those involving the nature, frequency, and results of related monitoring activities.
  • Similar to AT No. 1 engagements, included a statement in their review reports that referred to an assertion by the broker-dealer that it met the identified exemption provisions throughout the most recent fiscal year without exception; however, the broker-dealers did not include that required assertion in their exemption reports.

The majority of the deficiencies found were in the audits of the financial statements. The PCAOB did not examine every aspect of the financial statement audit, but focused on key areas. These areas were: revenue, evaluating audit results, identifying and assessing risks of material misstatement, related party relationships and transactions, receivables and payables, consideration of an entity’s ability to continue as a going concern, consideration of materiality in planning and performing an audit, leases, and fair value measurements. Of these areas, revenue and evaluating audit results had the most deficiencies, with 45 and 27 deficiencies, or 47% and 26% of engagements examined, respectively.

Auditing standards indicate there is a rebuttable presumption that improper revenue recognition is a fraud risk. In the PCAOB’s examinations, most audit firms either identified a fraud risk related to revenue or did not rebut the presumption of revenue recognition as a fraud risk. These firms should have addressed the risk of material misstatement through appropriate substantive procedures that included tests of details. The PCAOB noted there were instances of firms that did not perform any procedures for one or more significant revenue accounts, or did not perform procedures to address the assessed risks of material misstatement for one or more relevant assertions for revenue. The PCAOB also identified deficiencies related to revenue in audit firms’ sampling methodologies and substantive analytical procedures. Other deficiencies of note, that were not revenue related, included:

  • Incomplete qualitative and quantitative disclosure information, specifically in regards to revenue from contracts with customers and leases.
  • Missing required elements from the auditor’s report.
  • Missing auditor communications:
    • Not inquiring of the audit committee (or equivalent body) about whether it was aware of matters relevant to the audit.
    • Not communicating the audit strategy and results of the audit to the audit committee (or equivalent body).
  • Engagement quality reviews were not performed for some audit and attestation engagements.
  • Audit firms assisted in the preparation of broker-dealer financial statements and supplemental information.

Although there have been improvements in the number of deficiencies found in the PCAOB’s examinations, the 2020 annual report shows that there is still work to be done by audit firms. Just as auditors should be inquiring of broker-dealer clients about the results of their most recent FINRA examination, broker-dealers should be inquiring of auditors about the results of their most recent PCAOB examination. Doing so will help broker-dealers identify where their auditor may reside on the audit quality spectrum. If you have any questions, please don’t hesitate to reach out to our broker-dealer services team.

Article
2020 Annual Report on the Interim Inspection Program Related to Audits of Brokers and Dealers

Read this if you are working on ESG initiatives at your organization.

Whether you are a director or an executive well into the journey of developing and communicating your company’s strategic sustainability plans or in early stages, the rising public demand for environmental, social, and governance (ESG) reporting is becoming a force that cannot be ignored by boards and management teams.

ESG overview: reminders and FAQs

What does ESG information comprise? The term “ESG” reporting, used broadly, covers qualitative discussions of topics and quantitative metrics used to measure a company’s performance against ESG risks, opportunities, and related strategies. ESG, sustainability, and corporate social responsibility are terms often used interchangeably to describe nonfinancial reporting being shared publicly by companies. Such information is not currently subject to a singular authoritative set of standards.

What are examples of ESG and sustainability information? The following do not represent all-inclusive lists and, while some ESG information may be measured quantitatively, there are often many means to calculate metrics or information that may be difficult to quantify and therefore may be expressed qualitatively and described as such: 

As corporate ESG activities increase in relevance and importance to stakeholders, companies are seeking to both understand the complex landscape of ESG disclosure and reporting and determine the best path forward. This includes identifying, collecting, sharing, and improving upon qualitative and quantitative metrics reflecting long-term, strategic ESG value creation.

Organizations are in various stages of readiness to report on such decision-useful information. Currently, a myriad of reporting frameworks and wide variations in how companies choose to publicly share ESG information exist, making the ESG landscape complex to navigate. However, two things are certain:

  1. The pressure for companies to publicly disclose their approach to sustainability and ESG reporting continues to mount from a broad variety of stakeholders, and 
  2. ESG is rapidly rising to the forefront of boardroom agendas.

We have prepared the following to provide useful reminders, FAQs, and insights for those charged with governance as they consider the rapidly changing current ESG reporting landscape and evolving regulatory developments.

Is there a single authoritative set of ESG reporting standards? 

There are currently several frameworks and standards in use globally by companies to report on ESG, many of which may be complementary and used in combination for external reporting. Some of the more commonly used frameworks are: Sustainability Accounting Standards Board (SASB); Global Reporting Initiative (GRI); Task Force on Climate-Related Financial Disclosures (TCFD); International Integrated Reporting Council (IIRC); and Climate Disclosures Standards Board (CDSB). While many of these may already be complementary to each other, there is also growing support for a singular, global set of reporting standards for ESG, though the timing to achieve the necessary convergence remains uncertain.

Are U.S. companies required to disclose ESG information? 

Outside of certain industry regulators, such as required reporting by the Environmental Protection Agency on greenhouse gas emissions, implementation by U.S. companies remains voluntary. However, pressure from institutional investors—BlackRock, State Street and Vanguard—is mounting in support of companies providing ESG disclosures that align with both the SASB and TCFD frameworks. Additionally, sustainability risk issues are increasingly integrated into organizational risk frameworks such as COSO’s Enterprise Risk Management (ERM) framework.

Companies must also assess whether other ESG information, such as climate risk disclosures, are required under current MD&A disclosure rules. For example, if the risk represents a known trend or uncertainty the company reasonably expects will have a material impact on the company’s results of operations or capital resources, additional disclosure would be required.

What companies are reporting, and what information are they reporting? 

ESG disclosures vary significantly depending on the nature of the business, geography, industry, and stakeholder base, as well as available resources to devote to ESG. The largest global public companies have led the way in external ESG reporting and engagement, but this reporting is rapidly expanding to encompass smaller public entities and private entities. Companies of all sizes are both feeling the pressure to produce ESG reporting and identifying it as a means to differentiate themselves in the market by proactively conveying their corporate stories and strategies.

As noted in a recent White & Case study of proxy statements and filed 10-Ks for the top 50 companies by revenue in the Fortune 100, the following ESG categories showed the most significant increase in disclosures from the prior year:

  • Human capital management (HCM)
  • Environmental
  • Corporate culture
  • Ethical business practices
  • Board oversight of environment & social (E&S) issues
  • Social impact/community
  • E&S issues in shareholder engagement

The study noted that a majority of E&S disclosures in the SEC filings were qualitative and did not provide quantitative metrics. However, disclosures pertaining to environmental, HCM, and E&S goals, along with social impact and community relations were more likely to contain quantitative metrics.

Where do companies report ESG information? The most common places companies are providing public ESG disclosures include:

  • Standalone reports including corporate social responsibility (CSR)/sustainability reports
  • Company websites and marketing materials
  • MD&A sections of annual and quarterly reports
  • Earnings calls
  • Proxy statements and 8-Ks

Evolving auditor ESG attestation

Many of the metrics and qualitative disclosures around ESG information are not “governed” by an established framework such as generally accepted accounting principles (GAAP), and thus, may not be subject to the same rigor of processes and controls over such processes to ensure the integrity and accuracy of the underlying data and the appropriateness of the decisions and judgments being made by management in reporting on such information. For example, the fear of corporate “green or impact washing”—the incentive to make stakeholders believe that a company is doing more to promote ESG activities, particularly environmental protections, than it actually is—has left many stakeholders questioning the reliability, consistency, and accuracy of company ESG reporting. As ESG reporting continues to evolve and become a significant consideration for boards, investors, employees, suppliers, lenders, regulators, and others in making business decisions, there is a growing focus on the value of assurance on such information provided by independent third parties.

Type of attestation services to be provided

Determining the scope and level of assurance to be provided will vary based on company objectives in presenting ESG information, management’s readiness, and intended users and uses of ESG information. Attest services may include:

  • Examination: Consists of an examination performed by an auditor resulting in an independent opinion indicating whether the ESG information is in accordance with the agreed upon criteria, in all material respects. An examination engagement is the closest equivalent to the reasonable assurance obtained in an audit of financial statements.
  • Review: Consists of limited procedures, performed by an auditor, that result in limited assurance. The objective of a review engagement is for the auditor to express a conclusion about whether any material modifications should be made to the ESG information in order for it to be in accordance with the agreed upon criteria. Review engagements are substantially less in scope than examination engagements.


The ESG journey: first steps for boards just beginning the ESG reporting journey

The AICPA and Center for Audit Quality (CAQ) have issued a roadmap for audit practitioners laying out initial steps for those organizations and their boards who are in the beginning phases of the ESG reporting journey:

  • Conduct a materiality or risk assessment to determine which ESG topics are prioritized as important or “material” to the organization, its investors and other stakeholders
  • Implement appropriate board oversight of material ESG matters
  • Integrate/align material ESG topics into the ERM process
  • Integrate ESG matters into the overall company strategy
  • Implement effective internal control over ESG data collection, processing, and reporting


For boards considering an attestation engagement

The CAQ has further prepared the following questions boards may consider for companies that have already started reporting on ESG and may be considering an attestation engagement:

  • What is the purpose and objective of the attestation engagement on ESG information?
  • Who are the intended users of the ESG information and related attestation report?
  • Why do the intended users want or need an attestation report on the ESG information?
  • What are the potential risks associated with a misstatement or omission in the ESG information?
  • Does the company have a clear understanding of what ESG information the intended users want or need to be in the scope of the attestation engagement?
  • What level of attestation service (examination or review engagement) will help the company achieve its objective?

Additional questions for board members to consider regarding their company’s preparedness for reporting include:

  • Does management have well established controls, policies, and procedures for the collection of and disclosure of ESG information? Are there gaps to be addressed?
  • Has the board, along with management, set specific objectives and goals for external reporting of ESG information?
  • Is the information disclosed by the company consistent across its various communication channels?
  • Are the ESG responsibilities at the board level clearly defined among appropriate committees and are those responsibilities directly linked to corporate strategic ESG goals and external reporting needs?
  • Have the right advisors been identified to assist in preparing for reporting and/or to attest to the quality of reporting?

Next steps

We encourage management, audit committees, and other board members to continue to educate themselves on the evolving landscape of ESG and carefully consider the needs of various stakeholders broadly when mapping out their ESG reporting needs. Particular attention should be paid to regulatory developments in this area.

Article
ESG reporting: Considerations for boards and those charged with governance

Read this if you are a plan sponsor of employee benefit plans.

This article is the eleventh in a series to help employee benefit plan fiduciaries better understand their responsibilities and manage the risks of non-compliance with Employee Retirement Income Security Act (ERISA) requirements. You can read the previous articles here.

Most employee benefit plans have outsourced a significant portion of the internal controls to a service organization, such as a third-party administrator. The plan administrator has a fiduciary responsibility to monitor the internal controls of the service organization and to determine if the outsourced controls are suitably designed and effective.

SOC 1 reports: Internal controls and financial reporting

Generally, the most efficient way to obtain an understanding of the outsourced controls is to obtain a report on controls issued by the service organization’s auditor. Commonly referred to as a System and Organization Controls (SOC) report, the SOC report should be based on the American Institute of Certified Public Accountants’ (AICPA) attestation standards and should cover internal controls relevant to financial reporting, also known as a SOC 1 report (the “1” indicating it covers internal controls over financial reporting).

Plan sponsors should perform a documented review of the SOC 1 report for each of the plan’s significant service organizations. The documented review should include the plan sponsor’s assessment of the complementary user entity controls outlined in the SOC 1 report. The complementary user entity controls are internal control activities that should be in place at the plan sponsor to provide reasonable assurance that the controls tested at the service organization are operating effectively at your plan. If a service organization’s internal controls are operating effectively, but complementary user entity controls are not in place at your organization, the effectiveness of the service organization’s internal controls may not transfer to your plan’s operations.

Credibility and CPA firms: Considerations

Credibility of the CPA firm completing the SOC 1 report examination may impact the reliability of the CPA firm’s opinion and thus your reliance on the service organization’s internal controls. Unfamiliarity with the service auditor’s qualifications may be mitigated through additional research. Items to consider are:

  • The firm’s expertise in SOC 1 reporting
    • Are they familiar with the service organization’s industry?
    • How many professionals do they have that perform SOC 1 examination services?
  • The evaluation of AICPA peer reviews 
    Audit firms are required to have a periodic peer review conducted. The results of the peer review are public knowledge and can be found on the AICPA’s website.
    • Did the service auditor receive a “pass” rating during their most recent peer review?
    • Did the peer review cover SOC 1 examination services?
  • Evaluation of the service organization’s due diligence procedures surrounding the selection of an auditor

Some of this information may be readily available via the service auditor’s website, while other information may need to be gathered through direct communication with the service organization. A qualified service auditor should be able to provide a SOC 1 report that contains sufficient detail, relevant transactional activity, relevant control objectives, and a timely reporting period.

SOC 1 reports may contain an unqualified, qualified, adverse, or disclaimer of opinion. The report determines if the controls in place are adequate for complete and accurate financial reporting. Report qualifications may affect the risk of relying on the service organization and may result in the need for additional procedures or safeguards to help ensure the plan’s financial statements are presented fairly. Even if the SOC 1 report received an unqualified opinion, you should review the controls tested by the service auditor and the results of such testing for any exceptions. Exceptions, even if they don’t result in a qualified opinion, may have an impact on the plan’s control environment. 

You should also review the scope of the audit to check that all significant transaction cycles, processes, and IT applications were properly assessed for their impact on the plan’s financial statements. Areas outside the scope of the SOC 1 report may require additional consideration, including the possibility of obtaining more than one SOC 1 report for subservice organizations whose functions were carved out from the service organization’s SOC 1 report.

Subservice organizations

Subservice organizations are frequently utilized to process certain transactions or perform certain functions at the service organization. Management of the service organization may identify certain transaction cycles and processes that are performed by a subservice organization and choose to exclude relevant control objectives and related controls from the SOC 1 report description and the scope of the auditor’s engagement. In such cases, multiple SOC 1 reports may need to be acquired to gain adequate coverage of all controls and objectives relevant to your plan. 

Furthermore, you need to consider the time period the SOC 1 report covers. Coverage should be obtained for your plan’s full fiscal year. For SOC 1 reports that lack coverage of your plan’s full fiscal year, a bridge letter should be obtained to help ensure that no significant changes in controls occurred between the SOC 1 report examination period and the end of your plan’s fiscal year.

Although plans commonly outsource a significant portion of their day-to-day operations to service organizations, plan fiduciaries cannot outsource their responsibilities surrounding the maintenance of a sound control environment. SOC 1 reports are a great resource to assess the control environments of service organizations. However, such reports can be lengthy and daunting to review. We hope this article provides some best practices in reviewing SOC 1 reports. If you have any questions, or would like to receive a copy of our SOC 1 report review template, please don’t hesitate to reach out to our Employee Benefits Audit team.

Article
Service organizations and review of SOC 1 reports: Considerations and recommendations

Read this if you use QuickBooks Online.

The money you spend to run your business must be recorded conscientiously for your taxes and reports. Here’s how to do it.

You undoubtedly keep a very close watch on the money coming into your business. You record payments as soon as they come in and deposit them in your company’s bank account. But are you as careful about your purchases?

It’s easy to go out to lunch with a client and forget to save the receipt. You figure it’s not that much money, anyway. Or you pick up a ream of printing paper and a cartridge at the office supply store and neglect to record the purchase. When you disregard even small expenses, you can have two problems. One, your books won’t be accurate. And two, you never know how an extra $42.21 under Meals and Entertainment might affect your income taxes.

QuickBooks Online provides two ways to enter expenses. You can create a record on the site itself. Or you can snap a photo with your phone using the QuickBooks Online mobile app to document the money spent. Here’s how these two methods work.

Documenting at your desk

Let’s say you just had lunch with a vendor to discuss some products you’re planning to buy for a project you’re doing for a customer. You charged it to your company credit card, which you track in QuickBooks Online. You still have to enter it as an expense on the site so that when your credit card statement comes, you can match the credit card transaction to the expense you recorded.

Hover over Expenses in the navigation toolbar and click on Expenses. Click the down arrow in the New transaction button and select Expense. Fill in the fields at the top of the screen with details like Payee, Payment date, and any Tags you want to specify. Under Category details, select the correct category from the drop-down list and enter a Description and Amount.

QuickBooks Online allows you to thoroughly document expenses. You can attach a picture of a receipt if you’d like.

Since you’re going to bill this to the customer as a part of your project fee, click in the Billable box to create a checkmark. Select the Customer/Project. Add a Memo to remind yourself of the reason for the lunch (very important!) and attach a photo of the receipt if you take one. Click Save. Your record of the lunch will now appear on the Expense Transactions screen. It will also show up in the Expenses by Vendor Summary and Unbilled Charges reports, among others.

Recording with QuickBooks Online on the road

In the example we just went through, attaching a photo of the receipt was the last thing we did to record an expense in QuickBooks Online. There’s another way to document a purchase that starts with a photo of a receipt and should save you a bit of data entry: using the QuickBooks Online mobile app. The app uses Optical Character Recognition (OCR) to “read” the receipt and transfer some of its data to fields on an expense record. (If you haven’t installed the QBO app on your smartphone, you should. You can do a lot of your accounting work that synchronizes automatically with QBO. It’s free, too.)

Open the app and log in. On the opening screen, you’ll see an icon labeled Snap Receipt. Click on it, and your phone’s camera will open (you’ll be asked for permission to use it). Position your phone over the receipt and move it around until you see the blue box covering the content of the receipt.  Take the picture. You’ll see it displayed on the phone with a message saying, “Use this photo.” If it seems OK, click the link. 

A message on the screen will tell you that the upload is complete and that the app is extracting the information from it. Click “Got it!” It should only take about a minute for your receipt to appear in the list on the Receipt snap screen. You’ll see the details that the app has pulled from your receipt. Tap the matching expense and click Done on the next screen.

You can snap a photo of the receipt in the QuickBooks Online mobile app, and some fields will be automatically entered on a receipt form in QBO.

When you’re back at your computer, open QuickBooks Online and go to Transactions | Receipts. At the end of the row that contains your receipt, click the down arrow next to Delete and select Review. QBO will display the partially-completed receipt form next to the photo you took of the receipt. Fill in any missing fields and save the transaction. Click Create expense on the screen that opens. Then open the Expenses menu and select Expenses, and there should be an entry for the receipt you just added.

This tool isn’t perfect, of course. Every receipt has different fields in different places, and sometimes they’re just not very readable. But in our tests, the app picked up an average of four fields.

Documenting your expenses using one of these two methods is so important. It will help you remember why you stored the receipt and make your reports more accurate. As long as you’re categorizing each transaction correctly, it will also make your tax preparation easier and faster and ensure that you’re charging customers for billable expenses. And if you’re ever audited, your careful work will come in handy.

QuickBooks Online does expense management well, but there are enough moving parts in these recording tools that you may have some questions. Please contact our Outsourced Accounting team. We're here to help. 

Article
Record expenses in QuickBooks Online and on your phone

Read this if you are a director or manager at a Health and Human Services agency in charge of modernizing your state's Health and Human Services systems.

With streamlined applications, online portals, text updates, and one-stop offices serving programs like Medicaid, SNAP, and Child Welfare, states are rapidly adopting integrated systems serving multiple programs. As state leaders collaborate on system design and functionality to meet federal and state requirements, it is equally important to create a human-centered design built for the whole family.

We know families are composed of a variety of people with various levels of need, and blended families ranging from grandparents to infants may qualify for a variety of programs. We may connect with families who are on Medicaid, aged and disabled, or SNAP, but also have cases within child support or with child welfare.

If your state is considering updating a current system, or procuring for an innovative design, there are key strategies and concepts to consider when creating a fully integrated system for our most vulnerable populations. Below are a few advantages for building a human-centric system:

  • The sharing of demographic, contact, and financial information reduces duplication and improves communication between state entities and families seeking services
  • Improvement of business services and expedited eligibility determinations, as a human-centric model gathers information upfront to reduce a stream of verification requests
  • The cost of ownership decreases when multiple programs share design costs
  • Client portals and services align as a family-focused model

Collaboration and integrated design

How many states use a separate application for Medicaid and SNAP? More specifically, is the application process time consuming? Is the same information requested over and over for each program? 

How efficient (and wonderful) would it be for clients to complete task-based questions, and then each program could review the information separately for case-based eligibility? How can you design an integrated system that aligns with business and federal rules, and state policy?

Once your state has decided a human-centered design would be most beneficial, you can narrow your focus—whether you are already in the RFP process, or within requirements sessions. You can stop extraneous efforts, and change your perspective by asking the question: How can we build this for the entire family? The first step is to see beyond your specific program requirements and consider the families each program serves. 

Integrated design is usually most successful when leaders and subject matter experts from multiple programs can collaborate. If all personnel are engaged in an overarching vision of building a system for the family, the integrated design can be fundamentally successful, and transformative for your entire work environment across agencies and departments.

Begin with combining leadership and subject matter experts from each geographic region. Families in the far corners of our states may have unique needs or challenges only experts from those areas know about. These collaborative sessions provide streamlined communications and ideas, and empower staff to become actively involved and invested in an integrated system design. 

Next, delve into the core information required from each family member and utilize a checklist to determine if the information meets the requirements of the individual programs. Finally, decide which specific data can streamline across programs for benefit determinations. For example, name, address, age, employment, income, disability status, and family composition are standard pieces of information. However, two or more programs may also require documentation on housing, motor vehicle, or retirement accounts.

Maintaining your focus on the families you serve

When designing an integrated system, it is easy to lose focus on the family and return to program-specific requirements. Your leaders and subject matter experts know what their individual programs need, which can lead to debates over final decisions regarding design. It is perfectly normal to develop tunnel vision regarding our programs because we want to meet regulations and maintain funding.

Below are recommendations for maintaining your focus on building for the family, which can start as soon as the RFP. 

  • Emphasize RFP team accountability
    • Everyone should share an array of family household examples who benefit from the various programs (Medicaid, SNAP, TANF, etc.), to help determine how to deliver a full spectrum of services. 
    • Challenge each program with writing their program-specific sections of the RFP and have one person combine the responses for a review session.
  • If the integrated system design is in the requirements phase, brainstorm scenarios, like the benefit example provided in recommendation number one. When information is required by one program, but not another, can the team collaborate and include the information knowing it could benefit an entire family?
  • When considering required tasks, and special requests, always ask: Will this request/change/enhancement help a family, or help staff assist a family?
  • Consider a universal approach to case management. Can staff be cross trained to support multiple programs to reduce transferring clients to additional staff?

We understand adopting a human-centered design can be a challenging approach, but there are options and approaches to help you through the process. Just continue to ask yourself, when it comes to an integrated approach, are you building the system for the program or for the family?

Article
Integrated design and development for state agencies: Building for the family