
Trusting privileged accounts in the age of data breaches

05.21.19

Who has the time or resources to keep tabs on everything that everyone in an organization does? No one. Therefore, you naturally need to trust (at least on a certain level) the actions and motives of various personnel. At the top of your “trust level” are privileged users—such as system and network administrators and developers—who keep vital systems, applications, and hardware up and running. Yet, according to the 2019 Centrify Privileged Access Management in the Modern Threatscape survey, 74% of data breaches occurred using privileged accounts. The survey also revealed that of the organizations responding:

  • 52% do not use password vaulting—a password vault lets privileged users keep track of long, complex passwords for multiple accounts in encrypted storage.
  • 65% still share the use of root and other privileged accounts—when root privileges are required, users should invoke commands that inherit the privileges of the account (for example, via sudo) without logging in as the account itself. This ensures that “who” used the privileges can be tracked.
  • Only 21% have implemented multi-factor authentication—the obvious benefit of multi-factor authentication is stronger user authentication, but in many sectors it is also becoming a compliance requirement.
  • Only 47% have implemented complete auditing and monitoring—thorough auditing and monitoring is vital to securing privileged accounts.

So how does one even begin to trust privileged accounts in today’s environment? 

1. Start with an inventory

To best manage and monitor your privileged accounts, start by finding and cataloguing all assets (servers, applications, databases, network devices, etc.) within the organization. This will be beneficial in all areas of information security such as asset management, change control and software inventory tracking. Next, inventory all users of each asset and ensure that privileged user accounts:

  • Are granted privileges based on roles and responsibilities
  • Require strong and complex passwords (exceeding the requirements for normal users)
  • Have passwords that expire often (30 days recommended)
  • Require multi-factor authentication
  • Are not shared with others and are not used for normal activity (the user of the privileged account should have a separate account for non-privileged or non-administrative activities)

If an account is only required for a service or application, disable the account’s ability to log in from the server console and from across the network.
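The checks above can be applied mechanically to the inventory once it exists. The following is an added example, not code from the original article: it reads a small privileged-account inventory (constructed inline as CSV; the column names are this example's own assumptions) and reports every account that misses one of the listed requirements, using the article's 30-day password age limit.

```python
"""Audit a privileged-account inventory against the requirements listed above.

Added example, not from the original article. The CSV layout and field names
are assumptions; the 30-day password age and the other rules come from the list.
"""
import csv
import io
from datetime import date

# Constructed sample inventory: one row per privileged account on an asset.
# kind is "user" for an administrator's account, "service" for an application account.
INVENTORY_CSV = """\
asset,account,role,password_set,mfa,shared,owner,owner_std_account,kind,interactive_login
db01,dba_admin,database administrator,2019-05-01,yes,no,asmith,asmith,user,yes
web01,root,system administrator,2019-02-10,no,yes,,,user,yes
web01,deploy_svc,deployment service,2019-04-15,no,no,,,service,yes
fw01,netadmin,network administrator,2019-05-10,yes,no,bjones,,user,yes
"""

MAX_PASSWORD_AGE_DAYS = 30  # the article's recommendation


def load_inventory(text):
    """Parse the inventory CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_account(row, today):
    """Return the list of policy findings for one inventory row (empty if compliant)."""
    findings = []
    if not row["role"].strip():
        findings.append("no role recorded: privileges must be tied to a role")
    age = (today - date.fromisoformat(row["password_set"])).days
    if age > MAX_PASSWORD_AGE_DAYS:
        findings.append(f"password is {age} days old (limit {MAX_PASSWORD_AGE_DAYS})")
    if row["kind"] == "user":
        if row["mfa"] != "yes":
            findings.append("multi-factor authentication not enabled")
        if row["shared"] == "yes":
            findings.append("account is shared; use individual accounts with sudo-style elevation")
        if not row["owner_std_account"]:
            findings.append("owner has no separate non-privileged account")
    else:
        # Service/application accounts should not be able to log in interactively.
        if row["interactive_login"] == "yes":
            findings.append("service account allows console/network login")
    return findings


def audit_inventory(text, today):
    """Map 'asset:account' to its findings for every row in the inventory."""
    return {f"{r['asset']}:{r['account']}": audit_account(r, today)
            for r in load_inventory(text)}


if __name__ == "__main__":
    for key, findings in audit_inventory(INVENTORY_CSV, date(2019, 5, 21)).items():
        print(f"{key}: {'OK' if not findings else '; '.join(findings)}")
```

Running it against the sample flags the shared root account on web01 on four counts, the service account for its interactive login and stale password, and the network administrator for lacking a separate day-to-day account; only the database administrator passes.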

2. Monitor—then monitor some more

The next step is to monitor the use of the identified privileged accounts. Enable event logging on all systems and aggregate the logs to a log monitoring system or a Security Information and Event Management (SIEM) system that alerts in real time when privileged accounts are active. Configure the system to alert you when privileged accounts access sensitive data or alter database structure. Report any changes to device configurations, file structure, code, and executable programs. If these changes do not correlate to an approved change request, treat them as incidents and investigate.

Consider software that analyzes user behavior and identifies deviations from normal activity. A privileged account that accesses data or systems outside its normal routine could indicate malicious activity or a database attack from a compromised privileged account.
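The monitoring rules described in this section can be expressed directly as detection logic. The block below is an added example, not part of the original article: it parses sudo and sshd entries out of a few syslog-style lines (constructed here, with a constructed change-request list and host baseline), and raises an alert for every privileged action, for actions with no approved change request covering that host and time, for commands that touch sensitive data, schema or system configuration, for direct root logins, and for an administrator appearing on a host outside that account's baseline. The field names and categories are this example's own.

```python
"""Detection logic for the monitoring step: privileged-account events parsed from
syslog-style lines and correlated with approved change requests and a baseline.

Added example, not from the article. Log lines, change requests, baseline and
pattern list are constructed for illustration.
"""
import re
from datetime import datetime

YEAR = 2019  # syslog lines carry no year; assumed for the constructed sample

# Constructed sample log: sudo and sshd entries in their usual syslog form.
SAMPLE_LOG = """\
May 21 09:02:11 web01 sudo: asmith : TTY=pts/0 ; PWD=/home/asmith ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
May 21 09:05:40 db01 sudo: asmith : TTY=pts/1 ; PWD=/home/asmith ; USER=postgres ; COMMAND=/usr/bin/psql -c ALTER TABLE customers DROP COLUMN ssn
May 21 10:15:00 web01 sshd[2300]: Accepted publickey for asmith from 10.0.0.12 port 50110 ssh2
May 21 13:30:02 web01 sshd[2231]: Accepted password for root from 10.0.0.45 port 51234 ssh2
May 21 23:48:19 fw01 sudo: bjones : TTY=pts/0 ; PWD=/home/bjones ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
"""

# Constructed approved change requests: (ticket, host, window start, window end).
APPROVED_CHANGES = [
    ("CR-1042", "web01", datetime(2019, 5, 21, 9, 0), datetime(2019, 5, 21, 10, 0)),
]

# Constructed baseline: the hosts each administrator normally works on.
BASELINE_HOSTS = {"asmith": {"web01"}, "bjones": {"fw01"}}

# Commands that touch sensitive data, database structure or system configuration.
SENSITIVE_PATTERNS = [r"\bALTER\b", r"\bDROP\b", r"/etc/"]

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
SUDO_RE = re.compile(TS + r" (?P<host>\S+) sudo: +(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
SSH_RE = re.compile(TS + r" (?P<host>\S+) sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")


def parse_ts(text):
    return datetime.strptime(f"{YEAR} {text}", "%Y %b %d %H:%M:%S")


def parse_line(line):
    """Return an event dict for sudo and ssh-login lines, None for anything else."""
    m = SUDO_RE.match(line)
    if m:  # every sudo invocation is a use of privilege, whatever the target user
        return {"ts": parse_ts(m["ts"]), "host": m["host"], "user": m["user"],
                "kind": "sudo", "privileged": True, "cmd": m["cmd"], "src": None}
    m = SSH_RE.match(line)
    if m:  # a login is privileged only when it is made directly as root
        return {"ts": parse_ts(m["ts"]), "host": m["host"], "user": m["user"],
                "kind": "login", "privileged": m["user"] == "root", "cmd": "", "src": m["src"]}
    return None


def approved_ticket(event):
    """Ticket of an approved change window covering the event's host and time, or None."""
    for ticket, host, start, end in APPROVED_CHANGES:
        if host == event["host"] and start <= event["ts"] <= end:
            return ticket
    return None


def analyze(log_text):
    """Run the rules over every line; return a list of (timestamp, category, detail)."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        where = f"{ev['user']}@{ev['host']}"
        # Behaviour deviation: an administrator active on a host outside their routine.
        if ev["user"] in BASELINE_HOSTS and ev["host"] not in BASELINE_HOSTS[ev["user"]]:
            alerts.append((ev["ts"], "DEVIATION", f"{where} is not in the account's baseline"))
        if not ev["privileged"]:
            continue
        ticket = approved_ticket(ev)
        alerts.append((ev["ts"], "PRIVILEGED_USE", f"{where} {ev['kind']} {ev['cmd']} ({ticket or 'no ticket'})"))
        if ev["kind"] == "login":
            alerts.append((ev["ts"], "SHARED_ROOT_LOGIN", f"direct root login on {ev['host']} from {ev['src']}"))
        if any(re.search(p, ev["cmd"]) for p in SENSITIVE_PATTERNS):
            alerts.append((ev["ts"], "SENSITIVE", f"{where} ran: {ev['cmd']}"))
        if ticket is None:
            alerts.append((ev["ts"], "NO_CHANGE_REQUEST", f"{where}: treat as incident and investigate"))
    return alerts


def count_by_category(alerts):
    """Summarise alerts as {category: count}."""
    counts = {}
    for _, category, _ in alerts:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for ts, category, detail in analyze(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {category:18} {detail}")
```

On the sample, the nginx restart is the only privileged action covered by a change request; the schema change on db01, the root password login and the edit of /etc/sudoers all fall outside any approved window, and the db01 activity is additionally outside the administrator's baseline.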

3. Secure the event logs

Finally, ensure that none of your privileged accounts have access to the logs being used for monitoring, nor the ability to alter or delete those logs. In addition to real-time monitoring and alerting, the log management system should be able to produce reports for periodic review by information security staff. The reports should also be archived for forensic purposes in the event of a breach or compromise.
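Access control keeps privileged accounts away from the logs; a tamper-evident archive lets the reviewer prove nothing was altered or removed after the fact. The following is an added example, not from the article: each archived entry is stored with a SHA-256 hash that chains to the previous entry, so editing, deleting or reordering an entry breaks every later link. The log lines are constructed and the chain format is this example's own; the one caveat it handles is that removing the newest entries leaves a chain that still verifies, which is why the latest hash (the "head") must be recorded somewhere privileged accounts cannot reach, such as in the periodic review report.

```python
"""Tamper-evident log archive: a SHA-256 hash chain over archived entries.

Added example, not from the article. Sample lines are constructed; the chain
format is this example's own.
"""
import hashlib

GENESIS = "0" * 64  # anchor for the first entry

# Constructed archived entries (already aggregated from the monitored systems).
SAMPLE_LINES = [
    "May 21 09:02:11 web01 sudo: asmith : USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "May 21 13:30:02 web01 sshd[2231]: Accepted password for root from 10.0.0.45 port 51234 ssh2",
    "May 21 23:48:19 fw01 sudo: bjones : USER=root ; COMMAND=/usr/bin/vi /etc/sudoers",
]


def _link(prev_hash, line):
    """Hash of this entry bound to the hash of the entry before it."""
    return hashlib.sha256((prev_hash + "\n" + line).encode()).hexdigest()


def build_chain(lines):
    """Return [(line, hash)] where each hash covers the line and the previous hash."""
    chain, prev = [], GENESIS
    for line in lines:
        prev = _link(prev, line)
        chain.append((line, prev))
    return chain


def verify_chain(chain, expected_head=None):
    """Return (ok, index): index is the first broken link, or -1 when intact.

    expected_head is the last hash recorded out of reach of privileged accounts;
    without it, truncation of the newest entries cannot be detected.
    """
    prev = GENESIS
    for i, (line, h) in enumerate(chain):
        if _link(prev, line) != h:
            return False, i
        prev = h
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, -1


if __name__ == "__main__":
    chain = build_chain(SAMPLE_LINES)
    head = chain[-1][1]
    print("intact archive:", verify_chain(chain, head))
    edited = list(chain)
    edited[2] = (edited[2][0].replace("bjones", "asmith"), edited[2][1])
    print("entry 2 edited:", verify_chain(edited, head))
    print("entry 1 deleted:", verify_chain([chain[0], chain[2]], head))
    print("newest entry dropped, no head:", verify_chain(chain[:-1]))
    print("newest entry dropped, head known:", verify_chain(chain[:-1], head))
```

The verifier reports the index of the first entry that no longer matches, which tells the reviewer where in the archive to start the forensic look; the final two lines of the demo show why the head hash has to be kept separately.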

Gain further assistance (and peace of mind) 

BerryDunn understands how privileged accounts should be monitored and audited. We can help your organization assess your current event management process and make recommendations if improvements are needed. Contact our team.


Read this if your State Medicaid Agency is planning Medicaid Enterprise System enhancements.

Are you a system integrator (SI) or a State Medicaid Agency (SMA) implementing or enhancing a Medicaid system or specific module? Have you considered how decisions made during design and implementation could impact the federal Payment Error Rate Measurement (PERM) reviews for SMAs?

The goal of PERM is to measure and report an unbiased estimate of the true improper payment rate for Medicaid and Children’s Health Insurance Program (CHIP). Every state is reviewed once every three years using a sample that includes both fee for service (FFS) and managed care (MC) payments. A state assigned error rate is not the only consequence resulting from the PERM review; there are also financial implications.

Risk reduction from PERM review

Maintaining a focus on PERM review factors when making decisions during design and implementation can protect states by reducing the risk of:

  • Submitting change requests (CR) during implementation, which can result in additional cost and time
  • Implementing changes to existing Medicaid systems during maintenance and operations
  • Findings reported during certification efforts
  • Refunding federal dollars due to improperly paid claims
  • A reduction in federal match on all claims paid

It is also important to understand the benefits of a dedicated PERM team within the state organization that includes members from the system vendor and outside PERM experts. These benefits include providing states an additional level of security to help ensure a positive outcome to the federal PERM review, helping to protect federal funding.

Having a dedicated team will help ensure all decisions made during system updates and/or implementations are made while keeping focus on PERM requirements and the further impacts of PERM reviews, saving time and remaining compliant.

Plan ahead for best results

When planning for a new module or Medicaid system request for proposal (RFPs), consider PERM-related requirements to help ensure all PERM needs are met to prevent errors and repayment of federal funds. Including PERM requirements can also help your agency ensure federal compliance and successful PERM audits. Doing so will likely reduce the amount of time system integrators spend re-working earlier development decisions and help ensure claim payments are processed, and eligibility determinations are made in accordance with federal and state regulations.

If you have questions about PERM or your specific situation, please contact our Medicaid Consulting team. We’re here to help.

Article
PERM success for Medicaid agencies through system implementations

Read this if you are responsible for cybersecurity at your organization. 

During the financial audit process, auditors are required to develop and confirm their understanding of Information Technology (IT) and cybersecurity practices as they relate to financial reporting, both to better understand risks and because auditors rely heavily on data pulled from accounting information systems. As auditors, we have seen a significant increase in the number of impactful incidents affecting not-for-profit organizations, and our IT security experts often share valuable advisory comments in annual audit communications with our clients. With recent incidents and a very rapidly changing business environment, here are the three most important topics from the last six months that impact all not-for-profits.

Board oversight of cybersecurity 

Cybersecurity gaps within an organization’s systems may lead to risk exposure and have material impacts on all aspects of operations. Responsibility for cybersecurity controls and for establishing a culture of awareness and security should come from the Board and senior leadership. Board members and senior leaders should stay apprised of cybersecurity efforts on a regular basis and incidents should be summarized and reported on a quarterly basis. 

The Board should also consider adding a member who is a professional with IT and cybersecurity experience to help manage and understand the specific risks to the organization and help drive and support cybersecurity efforts.

Ransomware threats and preventive controls

The use of ransomware as a profitable attack on organizations by hackers continues to rapidly increase. Within the last year there have been multiple high-profile incidents that illustrate the impact of a successful attack. These impacts fall into two main areas. One impact may be financial, as millions of dollars are paid to the bad actors as ransom in hopes of being able to regain control of systems. The second impact is operational, resulting in a loss of control of systems and data during the event. Potentially, an unsuccessful data restoration could result in the total loss of information and data maintained on your networks. 

Though no organization may be able to prevent a ransomware attack from occurring entirely, there are basic cybersecurity controls that help reduce the likelihood and impact of an attack. Preventive controls may include: 

  • Security awareness training on phishing emails and overall IT security practices for all organization users
  • Multi-factor authentication 
  • Access controls that prevent users from installing unapproved software onto organization-owned workstations and networks
  • Anti-malware software installed on devices that connect to organization systems 
  • Use of Zero Trust data management tools for backups
  • Disabling macros in emails (prevents back-end processes from automatically running) 

In addition to including these preventive controls to your cybersecurity program, your organization should assess current corrective controls already in place to react to a ransomware event if one is detected or reported. Corrective controls may include:

  • Disaster recovery plans/business continuity plans 
  • Incident response plans
  • Backup controls and restoration tests 

As the risk of ransomware continues to increase and the types of attacks continue to grow in sophistication, your organization should consider regular assessments of IT controls and cybersecurity practices. Such assessments may be performed in conjunction with annual financial statement audits as an expanded scope and/or as a separate annual IT assessment.

COVID-19 IT considerations 

The global COVID-19 pandemic significantly impacted nearly every aspect of modern life, including the way we work. As personnel were sent home and literally became a remote workforce overnight, changes to IT systems and controls rapidly adjusted to accommodate this new way of business. 

Where controls and procedures were adjusted, if not suspended, your organization should review those changes and determine if controls should revert back to the pre-pandemic process—or be formally changed and documented as policy. 

Guidance from the American Institute of Certified Public Accountants (AICPA) dictates that a gap in controls associated with the pandemic is not a legitimate reason for not completing a control and that any changes must be documented and properly managed.  

Well over a year into the pandemic, the concept of a hybrid workforce has emerged as the predominant way employees and businesses want to work. Your organization should review current policies and procedures that may pre-date the pandemic to ensure that the updates both document and consider the current business environment. 

Additionally, with personnel working remotely or in a hybrid model, you should assess practices for managing remote access and a hybrid workforce and, where needed, implement industry best-practice tools and procedures that accommodate a remote workforce while maintaining security controls. If you have questions regarding your cybersecurity procedures or want to learn more, please contact our team. We’re here to help.

Article
Cybersecurity update for organizations: Considerations for boards and senior management

Read this if you are a Chief Financial Officer, Chief Compliance Officer, FINOP, or charged with governance of a broker-dealer.

The results of the Public Company Accounting Oversight Board’s (PCAOB) 2020 inspections are included in its 2020 Annual Report on the Interim Inspection Program Related to Audits of Brokers and Dealers. There were 65 audit firms inspected in 2020 by the PCAOB and, although deficiencies declined 11% from 2019, 51 firms still had deficiencies. This high level of deficiencies, as well as the nature of the deficiencies, provides insight into audit quality for broker-dealer stakeholders. Those charged with governance should be having conversations with their auditor to see how they are addressing these commonly found deficiencies and asking if the PCAOB identified any deficiencies in the auditor’s most recent examination. 

If there were deficiencies identified, what actions have been taken to eliminate these deficiencies going forward? Although the annual report on the Interim Inspection Program acts as an auditor report card, the results may have implications for the broker-dealer, as gaps in audit quality may mean internal control weaknesses or misstatements go undetected.

Attestation Standard (AT) No. 1 examination engagements test compliance with the financial responsibility rules and the internal controls surrounding compliance with the financial responsibility rules. The PCAOB examined 21 of these engagements and found 14 of them to have deficiencies. The PCAOB continued to find high deficiency rates in testing internal control over compliance (ICOC). They specifically found that many audit firms did not obtain sufficient, appropriate evidence about the operating effectiveness of controls important to the auditor’s conclusions regarding the effectiveness of ICOC. This insufficiency was widespread in all four areas of the financial responsibility rules: the Reserve Requirement rule, possession or control requirements of the Customer Protection Rule, Account Statement Rule, and the Quarterly Security Counts Rule.

The PCAOB also identified a firm that included a statement in its examination report that referred to an assertion by the broker-dealer that its ICOC was effective as of its fiscal year-end; however, the broker-dealer did not include that required assertion in its compliance report.

AT No. 2 review engagements test compliance with the broker-dealer’s exemption provisions. The PCAOB examined 83 AT No. 2 engagements and found 19 of them to have deficiencies. The most significant deficiencies were that audit firms:

  • Did not make required inquiries, including inquiries about controls in place to maintain compliance with the exemption provisions, and those involving the nature, frequency, and results of related monitoring activities.
  • Similar to AT No. 1 engagements, included a statement in their review reports that referred to an assertion by the broker-dealer that it met the identified exemption provisions throughout the most recent fiscal year without exception; however, the broker-dealers did not include that required assertion in their exemption reports.

The majority of the deficiencies found were in the audits of the financial statements. The PCAOB did not examine every aspect of the financial statement audit, but focused on key areas. These areas were: revenue, evaluating audit results, identifying and assessing risks of material misstatement, related party relationships and transactions, receivables and payables, consideration of an entity’s ability to continue as a going concern, consideration of materiality in planning and performing an audit, leases, and fair value measurements. Of these areas, revenue and evaluating audit results had the most deficiencies, with 45 and 27 deficiencies, or 47% and 26% of engagements examined, respectively.

Auditing standards indicate there is a rebuttable presumption that improper revenue recognition is a fraud risk. In the PCAOB’s examinations, most audit firms either identified a fraud risk related to revenue or did not rebut the presumption of revenue recognition as a fraud risk. These firms should have addressed the risk of material misstatement through appropriate substantive procedures that included tests of details. The PCAOB noted there were instances of firms that did not perform any procedures for one or more significant revenue accounts, or did not perform procedures to address the assessed risks of material misstatement for one or more relevant assertions for revenue. The PCAOB also identified deficiencies related to revenue in audit firms’ sampling methodologies and substantive analytical procedures. Other deficiencies of note, that were not revenue related, included:

  • Incomplete qualitative and quantitative disclosure information, specifically in regards to revenue from contracts with customers and leases.
  • Missing required elements from the auditor’s report.
  • Missing auditor communications:
    • Not inquiring of the audit committee (or equivalent body) about whether it was aware of matters relevant to the audit.
    • Not communicating the audit strategy and results of the audit to the audit committee (or equivalent body).
  • Engagement quality reviews were not performed for some audit and attestation engagements.
  • Audit firms assisted in the preparation of broker-dealer financial statements and supplemental information.

Although there have been improvements in the number of deficiencies found in the PCAOB’s examinations, the 2020 annual report shows that there is still work to be done by audit firms. Just as auditors should be inquiring of broker-dealer clients about the results of their most recent FINRA examination, broker-dealers should be inquiring of auditors about the results of their most recent PCAOB examination. Doing so will help broker-dealers identify where their auditor may reside on the audit quality spectrum. If you have any questions, please don’t hesitate to reach out to our broker-dealer services team.

Article
2020 Annual Report on the Interim Inspection Program Related to Audits of Brokers and Dealers

Read this if you are a plan sponsor of employee benefit plans.

This article is the eleventh in a series to help employee benefit plan fiduciaries better understand their responsibilities and manage the risks of non-compliance with Employee Retirement Income Security Act (ERISA) requirements. You can read the previous articles here.

Most employee benefit plans have outsourced a significant portion of the internal controls to a service organization, such as a third-party administrator. The plan administrator has a fiduciary responsibility to monitor the internal controls of the service organization and to determine if the outsourced controls are suitably designed and effective.

SOC 1 reports: Internal controls and financial reporting

Generally, the most efficient way to obtain an understanding of the outsourced controls is to obtain a report on controls issued by the service organization’s auditor. Commonly referred to as a System and Organization Controls (SOC) report, the SOC report should be based on the American Institute of Certified Public Accountants’ (AICPA) attestation standards and should cover internal controls relevant to financial reporting, also known as a SOC 1 report (the “1” indicating it covers internal controls over financial reporting).

Plan sponsors should perform a documented review of the SOC 1 report for each of the plan’s significant service organizations. The documented review should include the plan sponsor’s assessment of the complementary user entity controls outlined in the SOC 1 report. The complementary user entity controls are internal control activities that should be in place at the plan sponsor to provide reasonable assurance that the controls tested at the service organization are operating effectively at your plan. If a service organization’s internal controls are operating effectively, but complementary user entity controls are not in place at your organization, the effectiveness of the service organization’s internal controls may not transfer to your plan’s operations.

Credibility and CPA firms: Considerations

The credibility of the CPA firm completing the SOC 1 report examination may impact the reliability of the CPA firm’s opinion and thus your reliance on the service organization’s internal controls. Unfamiliarity with the service auditor’s qualifications may be mitigated through additional research. Items to consider are:

  • The firm’s expertise in SOC 1 reporting
    • Are they familiar with the service organization’s industry?
    • How many professionals do they have that perform SOC 1 examination services?
  • The evaluation of AICPA peer reviews 
    Audit firms are required to have a periodic peer review conducted. The results of the peer review are public knowledge and can be found on the AICPA’s website.
    • Did the service auditor receive a “pass” rating during their most recent peer review?
    • Did the peer review cover SOC 1 examination services?
  • Evaluation of the service organization’s due diligence procedures surrounding the selection of an auditor

Some of this information may be readily available via the service auditor’s website, while other information may need to be gathered through direct communication with the service organization. A qualified service auditor should be able to provide a SOC 1 report that contains sufficient detail, relevant transactional activity, relevant control objectives, and a timely reporting period.

SOC 1 reports may contain an unqualified, qualified, adverse, or disclaimer of opinion. The report determines if the controls in place are adequate for complete and accurate financial reporting. Report qualifications may affect the risk of relying on the service organization and may result in the need for additional procedures or safeguards to help ensure the plan’s financial statements are presented fairly. Even if the SOC 1 report received an unqualified opinion, you should review the controls tested by the service auditor and the results of such testing for any exceptions. Exceptions, even if they don’t result in a qualified opinion, may have an impact on the plan’s control environment. 

You should also review the scope of the audit to check that all significant transaction cycles, processes, and IT applications were properly assessed for their impact on the plan’s financial statements. Areas outside the scope of the SOC 1 report may require additional consideration, including the possibility of obtaining more than one SOC 1 report for subservice organizations whose functions were carved out from the service organization’s SOC 1 report.

Subservice organizations

Subservice organizations are frequently utilized to process certain transactions or perform certain functions at the service organization. Management of the service organization may identify certain transaction cycles and processes that are performed by a subservice organization and choose to exclude relevant control objectives and related controls from the SOC 1 report description and the scope of the auditor’s engagement. In such cases, multiple SOC 1 reports may need to be acquired to gain adequate coverage of all controls and objectives relevant to your plan. 

Furthermore, you need to consider the time period the SOC 1 report covers. Coverage should be obtained for your plan’s full fiscal year. For SOC 1 reports that lack coverage of your plan’s full fiscal year, a bridge letter should be obtained to help ensure that no significant changes in controls occurred between the SOC 1 report examination period and the end of your plan’s fiscal year.

Although plans commonly outsource a significant portion of their day-to-day operations to service organizations, plan fiduciaries cannot outsource their responsibilities surrounding the maintenance of a sound control environment. SOC 1 reports are a great resource to assess the control environments of service organizations. However, such reports can be lengthy and daunting to review. We hope this article provides some best practices in reviewing SOC 1 reports. If you have any questions, or would like to receive a copy of our SOC 1 report review template, please don’t hesitate to reach out to our Employee Benefits Audit team.

Article
Service organizations and review of SOC 1 reports: Considerations and recommendations

Read this if you are at a financial institution that uses FedLine® Solutions.

In response to an evolving security threat landscape, the Federal Reserve Bank has implemented a Security and Resiliency Assurance Program (“Assurance Program”). Financial institutions that use FedLine® Solutions will need to take action before year-end to comply with Assurance Program requirements. Here’s what you need to know.

Required assessment to be completed annually

Financial institutions are already required to implement, maintain, and assess technical and procedural security controls to safeguard their FedLine® connections. Starting in 2021, financial institutions must conduct an assessment of their compliance with the Federal Reserve Bank's FedLine® security requirements and submit an attestation that they have completed the assessment. The deadline for submitting the first attestation is December 31, 2021. Moving forward, this assessment and attestation must be completed annually.

This assessment can be performed internally by an independent internal department/function such as an internal audit or compliance department. The Federal Reserve Bank may, in its discretion, require the assessment be conducted or reviewed by an independent third party. End User Authorization Contacts (EUAC) for each organization were sent an Assurance Program kick-off packet with requirements and instructions in January 2021 to assist with the process. 

Immediate action 

Evaluate the requirements for your financial institution’s Assurance Program assessment as soon as possible. Planning for the 2021 assessment should be well underway. If you would like to discuss the Assurance Program requirements or you’ve been notified that your financial institution needs an independent third party review, contact us today.

Article
The Federal Reserve's FedLine® Solutions Security and Resiliency Assurance Program

Read this if you are a timber harvester, hauler, or timberland owner.

The USDA recently announced its Pandemic Assistance for Timber Harvesters and Haulers (PATHH) initiative to provide financial assistance to timber harvesting and hauling businesses as a result of the pandemic. Businesses may be eligible for up to $125,000 in financial assistance through this initiative. 

Who qualifies for the assistance?

To qualify for assistance under PATHH, the business must have experienced a loss of at least 10% of gross revenue from January 1, 2020 through December 1, 2020 as compared to the same period in 2019. Also, individuals or legal entities must be a timber harvesting or timber hauling business where 50% or more of its revenue is derived from one of the following:

  • Cutting timber
  • Transporting timber
  • Processing wood on-site on the forest land

What is the timeline for applying for the assistance?

Timber harvesting or timber hauling businesses can apply for financial assistance through the USDA from July 22, 2021 through October 15, 2021.

Visit the USDA website for more information on the program, requirements, and how to apply.
If you have any questions about your specific situation, please contact our Natural Resources team. We’re here to help. 

Article
Temporary USDA assistance program for timber harvesters and haulers

Read this if you are working with an auditor.

The standard report an auditor issues on an entity’s financial statements was created in 1988, and has only had minor tweaking since. Amazing when we think about how the world has changed since 1988! Back then:

  • The World Wide Web hadn’t been invented
  • The Simpsons wasn’t yet on TV, and neither was Seinfeld
  • The Berlin Wall was still standing
  • The Single Audit Act celebrated its fourth birthday

The Auditing Standards Board (ASB), an independent board of the American Institute of CPAs (AICPA) that establishes auditing rules for not-for-profit organizations (as well as private company and federal, state, and local governmental entities) has decided it was high time to revisit the auditor’s report, and update it to provide additional information about the audit process that stakeholders have been requesting.

In addition to serving as BerryDunn’s quality assurance principal for the past 23 years, I’ve been serving on the ASB since January 2017, and as chair since May 2020. (And thanks to the pandemic our meetings during my tenure as chair have been conducted from my dining room table.) We thought you might be interested in a high-level overview of the coming changes to the auditor’s report, which will be effective starting with calendar 2021 audits, from an insider’s perspective.

So what’s changing?

The most significant changes you’ll be seeing, based on feedback from various users of auditor’s reports, are:

  1. Opinion first
    The opinion in an audit report is the auditor’s conclusion as to whether the financial statements are in accordance with the applicable accounting standards, in all material respects. People told us this is the most important part of the report, so we’ve moved it to the first section of the report.
  2. Auditor’s ethical responsibilities
    We’ve pointed out that an auditor is required to be independent of the organization being audited, and to meet certain other ethical responsibilities in the conduct of the audit.
  3. “Going concern” responsibilities
    We describe management’s responsibility, under U.S. generally accepted accounting principles, and the auditor’s responsibility, under the auditing rules, for determining whether “substantial doubt” exists about the organization’s ability to continue in existence for at least one year following the date the financial statements are approved for issuance.
  4. Emphasis on professional judgment and professional skepticism
    We explain how an audit requires the auditor to exercise professional judgment (for example, regarding how much testing to perform), and to maintain professional skepticism, i.e., a questioning mind that is alert to the possibility the financial statements may be materially misstated, whether due to error or fraud.
  5. Communications with the board of directors
    We point out that the auditor is required to communicate certain matters to the board, such as difficulties encountered during the audit, material adjustments identified during the audit process, and which areas the auditor treated as “significant risks” in planning and performing the audit.
  6. Responsibility related to the “annual report”
    If the organization issues an “annual report” containing or referring to the audited financial statements, we explain the auditor is required to review it for consistency with the financial statements, and for any known misstatements of fact.
  7. Discussion of “key audit matters”
    While not required, your organization may request the auditor to discuss how certain “key audit matters” (those most significant to the audit) were addressed as part of the audit process. These are similar to the “critical audit matters” publicly traded company auditor’s reports are now required to include.

Yes, this means the auditor’s report will be longer; however, stakeholders told us inclusion of this information will make it more informative, and useful, for them.

Uniform Guidance standards also changing

Is your organization required to have a compliance audit under the federal Uniform Guidance standards? That report is also changing to reflect the items listed above to the extent they’re relevant.

What should you do?

Some actions to consider as you get ready for the first audit to which the new report applies (calendar 2021, or fiscal years ending in 2022) include:

  1. Ask your auditor what your organization’s auditor’s report will look like
    Your auditor can provide examples of auditor’s reports under the new rules, or even draft a pro forma auditor’s report for your organization (subject, of course, to the results of the audit).
  2. Outline and communicate your process for developing your annual report
    If your organization prepares an annual report, it will be important to coordinate its timing with that of the issuance of the auditor’s report, due to the auditor’s new reporting responsibility related to the annual report.
  3. Discuss with your board whether you would like the auditor to include a discussion of “key audit matters” in the auditor’s report
    While not required for not-for-profits, some organizations may decide to request the auditor include a discussion of such matters in the report, from the standpoint of transparency “best practices.”

If you have any questions about the new auditor’s report or your specific situation, please contact us. We’re here to help.

Article
A new auditor's report: Seven changes to know

Read this if your facility or organization has received Provider Relief Funds.

The rules over the use of the HHS Provider Relief Funds (PRF) have been in a constant state of flux and interpretation since the funds started to show up in your bank accounts back in April. Here is a summary of where we are as of June 14, 2021 on HHS’ reporting requirements. Key highlights:

These requirements apply to:

  • PRF General and Targeted Distributions
  • the Skilled Nursing Facilities (SNF) and Nursing Home Infection Control Distribution
  • and exclude:
    • the Rural Health Clinic COVID-19 Testing Program
    • claims reimbursements from HRSA COVID-19 Uninsured Program and the HRSA COVID-19 Coverage Assistance Fund (CAF)

This notice supersedes the January 15, 2021 reporting requirements.
Deadline for Use of Funds:

  Period     Payment Received Period   Deadline to Use Funds   Reporting Time Period
  Period 1   4/10/20-6/30/20           6/30/21                 7/1/21-9/30/21
  Period 2   7/1/20-12/31/20           12/31/21                1/1/22-3/31/22
  Period 3   1/1/21-6/30/21            6/30/22                 7/1/22-9/30/22
  Period 4   7/1/21-12/31/21           12/31/22                1/1/21-3/31/23

Recipients who received one or more payments exceeding $10,000 in the aggregate during each Payment Received Period above (rather than the previous $10,000 cumulative across all PRF payments) are subject to the above reporting requirements.

Responsibility for reporting:

  • The Reporting Entity is the entity that registers its Tax Identification Number (TIN) and reports payments received by that TIN and its subsidiary TINs.
  • For Targeted Distributions, the Reporting Entity is always the original recipient; a parent entity cannot report on the subsidiary’s behalf, regardless of any transfer of the payment.

Steps for reporting use of funds:

  1. Interest earned on PRF payments
  2. Other assistance received
  3. Use of SNF and Nursing Home Infection Control Distribution Payments, if applicable (any interest earned is reported here instead), with expenses by CY quarter
  4. Use of General and Other Targeted Distribution Payments, with expenses by CY quarter
  5. Net unreimbursed expenses attributable to Coronavirus, net after other assistance and PRF payments by quarter
  6. Lost revenues reimbursement (not applicable to PRF recipients that received only SNF and Nursing Home Infection Control Distribution payments)

PORTAL WILL OPEN ON JULY 1, 2021!

Access the full update from HHS: Provider Post-Payment Notice of Reporting Requirements.

Article
Provider Relief Funds: HHS Post-Payment Notice of Reporting Requirements

Read this if you are at a financial institution and concerned about fraud.

The numbers tell a story: Financial fraud 

Back in 2016, BerryDunn’s Todd Desjardins wrote about occupational fraud at financial institutions. This article mainly cited information from a 2016 Report to the Nations (2016 Report) published by the Association of Certified Fraud Examiners (ACFE). Fast forward to 2021, and ACFE’s 2020 Report to the Nations: Banking and Financial Services Edition (2020 Report) displays that occupational fraud continues to be a concern.

Financial institutions account for 19% of all occupational fraud worldwide, up from 16.8% in the 2016 Report. These fraud cases have a median loss of $100,000 per case—down from $192,000 per case in the 2016 Report. The number of cases rose slightly from the 2016 Report, to 386 from 368.

What does a fraudster look like, and how do they commit their crimes? How do you prevent fraud from happening at your organization? And, how can you strengthen an already robust anti-fraud program? These questions, raised in Todd’s 2016 article, remain relevant today. 

A profile in fraud: Who can it be? 

One of the most difficult tasks any organization faces is identifying and preventing potential cases of fraud. This is especially challenging because the majority of employees who commit fraud are first-time offenders with no record of criminal activity, or even termination at a previous employer.

The 2020 Report reveals a few commonalities between fraudsters. The amounts from the 2016 Report are shown in parentheses for comparison purposes:

  • 3% of fraudsters had no criminal background (3%)
  • Men committed 71% of frauds and women committed 29% (69%, 31%)
  • 56% of fraudsters were an employee, 27% worked as a manager, and 14% operated at the executive/owner level (3%, 31%, 20%)
  • The median loss for fraudsters who had been with their organizations for more than five years was $150,000 compared to $86,000 for fraudsters who had been with their organizations for five years or less ($230,000, $74,500)

Employees who committed fraud displayed certain behaviors during their schemes. The ACFE reported these top red flags in its 2020 Report:

  • Living beyond means: 42% (45.8%)
  • Financial difficulties: 33% (30%)
  • Unusually close association with vendor/customer: 15% (20.1%)
  • Divorce/family problems: 14% (13.4%)

These figures give us a general sense of who commits fraud and why. But in all cases, the most pressing question remains: how do you prevent the fraud from happening?

Preventing fraud: A commonsense approach that works

As a proactive plan for preventing fraud, we recommend focusing time and energy on two distinct facets of your operations: leadership tone and internal controls.

It all starts at the top: Leadership

The Board of Directors and senior management are in a powerful position to prevent fraud. By fostering a top-down culture of zero-tolerance for fraud, you can diminish opportunity for employees to consider, and attempt, fraud.

It is crucial to start at the top. Not only does this send a message to the rest of the company, but frauds committed at the executive level had a median loss of $1,265,000 per case, compared to a median loss of $77,000 when an employee perpetrated the fraud. This is compared to a median loss of $500,000 and $54,000 per case, respectively, in the 2016 Report.

Improving your internal control culture

Every financial institution uses internal controls in its daily operations. Override of existing internal controls, lack of internal controls, and lack of management review were all cited in the 2020 Report as the most common internal control weaknesses that contribute to occupational fraud in the banking and financial services industry.

The importance of internal controls cannot be overstated. Every organization should closely examine its internal controls and determine where they can be strengthened—even financial institutions with strong anti-fraud measures in place.

We have created a checklist of the top 10 controls for financial institutions, available in our white paper on preventing fraud. This is a list that we encourage every financial leader to read. By strengthening your foundation, your company will be in a powerful place to prevent fraud. 

Get the keys to prevent fraud—free fraud prevention white paper

Employees are your greatest strength and number one resource. Taking a proactive, positive approach to fraud prevention maintains the value employees bring to a financial institution, while focusing on realistic measures to discourage fraud.

In our white paper on preventing financial institution fraud, we take a deeper look at how to successfully implement a strong anti-fraud plan.

Commit to strengthening fraud prevention and you will instill confidence in your Board, employees, customers, and the general public. It’s a good investment for any financial institution. If you have any questions, please contact our team. We’re here to help. 

Article
In 2021, an anti-fraud plan is the best investment your financial institution can make