Skip to Main Content

insightsarticles

Trusting privileged accounts in the age of data breaches

05.21.19

Who has the time or resources to keep tabs on everything that everyone in an organization does? No one. Therefore, you naturally need to trust (at least on a certain level) the actions and motives of various personnel. At the top of your “trust level” are privileged users—such as system and network administrators and developers—who keep vital systems, applications, and hardware up and running. Yet, according to the 2019 Centrify Privileged Access Management in the Modern Threatscape survey, 74% of data breaches occurred using privileged accounts. The survey also revealed that of the organizations responding:

  • 52% do not use password vaulting—password vaulting can help privileged users keep track of long, complex passwords for multiple accounts in an encrypted storage vault.
  • 65% still share the use of root and other privileged access—when the use of root accounts is required, users should invoke commands to inherent the privileges of the account (SUDO) without actually using the account. This ensures “who” used the account can be tracked.
  • Only 21% have implemented multi-factor authentication—the obvious benefit of multi-factor authentication is to enhance the security of authenticating users, but also in many sectors it is becoming a compliance requirement.
  • Only 47% have implemented complete auditing and monitoring—thorough auditing and monitoring is vital to securing privileged accounts.

So how does one even begin to trust privileged accounts in today’s environment? 

1. Start with an inventory

To best manage and monitor your privileged accounts, start by finding and cataloguing all assets (servers, applications, databases, network devices, etc.) within the organization. This will be beneficial in all areas of information security such as asset management, change control and software inventory tracking. Next, inventory all users of each asset and ensure that privileged user accounts:

  • Require privileges granted be based on roles and responsibilities
  • Require strong and complex passwords (exceeding those of normal users)
  • Have passwords that expire often (30 days recommended)
  • Implement multi-factor authentication
  • Are not shared with others and are not used for normal activity (the user of the privileged account should have a separate account for non-privileged or non-administrative activities)

If the account is only required for a service or application, disable the account’s ability to login from the server console and from across the network

2. Monitor—then monitor some more

The next step is to monitor the use of the identified privileged accounts. Enable event logging on all systems and aggregate to a log monitoring system or a Security Information and Event Management (SIEM) system that alerts in real time when privileged accounts are active. Configure the system to alert you when privileged accounts access sensitive data or alter database structure. Report any changes to device configurations, file structure, code, and executable programs. If these changes do not correlate to an approved change request, treat them as incidents and investigate.  

Consider software that analyzes user behavior and identifies deviations from normal activity. Privileged accounts that are accessing data or systems not part of their normal routine could be the indication of malicious activity or a database attack from a compromised privileged account. 

3. Secure the event logs

Finally, ensure that none of your privileged accounts have access to the logs being used for monitoring, nor have the ability to alter or delete those logs. In addition to real time monitoring and alerting, the log management system should have the ability to produce reports for periodic review by information security staff. The reports should also be archived for forensic purposes in the event of a breach or compromise.

Gain further assistance (and peace of mind) 

BerryDunn understands how privileged accounts should be monitored and audited. We can help your organization assess your current event management process and make recommendations if improvements are needed. Contact our team.

Related Industries

Related Professionals

Principals

BerryDunn experts and consultants

Read this if your organization has to comply with HIPAA.

We have been monitoring HHS Office for Civil Rights (OCR) settlements as part of the HIPAA Right of Access Initiative (16 settlements and counting) and want to dispel some myths about HIPAA enforcement. Myths can be scary. It would be pretty frightening to run into Bigfoot while taking a stroll through the woods, but sometimes myths have the opposite effect, and we become complacent, thinking Bigfoot will never sneak up behind us. He’s just a myth, right?

As we offer our top five HIPAA myths, we invite you to decide whether to address gaps in compliance now, or wait until you are in the middle of the woods, facing Bigfoot, and wondering what to do next.

Myth #1: OCR doesn’t target organizations like mine.

The prevailing wisdom has been that the Office for Civil Rights only pursues settlements with large organizations. As we review the types of organizations that have been targeted in the recent past, we find that they include social services/behavioral health organizations, more than one primary care practice, a psychiatric medical group practice, and a few hospital/health systems. With settlements ranging from $10,000 to $200,000 plus up to two years of monitoring by the OCR, can you really afford to take a chance?

Myth #2: I have privacy policies, procedures, and training protocols documented, so I’m all set if OCR comes calling.

Are you really all set? When did you last review your policies and procedures? Are you sure what your staff actually does is HIPAA compliant? If you don’t regularly review your policies and procedures and train your staff, can you really say you’re all set?

Myth #3: HIPAA gives me 30 days to respond to a patient request, so it’s ok to wait to respond.

Did you try to ship a package during the 2020 holiday season? If so, do you remember checking your tracking number daily to see if your gift was any closer to its destination? Now imagine it was your health records you were waiting for. Frustration builds, goodwill wanes, and you start looking for a higher authority to get involved. 

And beware: if proposed Privacy Rule changes to HIPAA are finalized, the period of time covered entities will have to fulfill patient requests will be reduced from 30 to 15 days.

Myth #4: If I ignore the problem, it will go away.

Right of Access settlement #10 dispels this myth: A medical group was approached by OCR to resolve a complaint in March 2019. Then again in April 2019. This issue was not resolved until October 2020. Now, in addition to a monetary settlement, the group’s Corrective Action Plan (CAP) will be monitored by the OCR for two years. That’s a lot of time, energy, and money that could have been better spent if they worked to resolve the complaint quickly.

Myth #5: OCR will give me a “get out of jail free” card during the pandemic.

As one of our co-workers said, “Just because they are looking aside does not mean they are looking away.” The most recent settlement we have seen to OCR’s Right of Access Initiative was announced February 10, 2021, showing that the initiative is still a priority despite the pandemic.

Are you ready to assess or improve your compliance with HIPAA Right of Access rules now? Contact me and I will help you keep OCR settlements at bay. 

Article
Debunking the myths of HIPAA: Five steps to better compliance

Read this if you are a business owner. 

Now that the Democrats have control of the Presidency, House of Representatives, and Senate, many in Washington, DC and around the country are asking “What is going to happen with business taxes?” 

While candidate Biden expressed interest in raising taxes on corporations and wealthy individuals, it is best to think of that as a framework for where the new administration intends to go, rather than a set-in-stone inevitability. We know his administration is likely to favor a paring back of some of the tax cuts made by the 2017 Tax Cuts and Jobs Act (TCJA). Biden has indicated his administration may consider changes to the corporate tax rate, capital gains rate, individual income tax rates, and the estate and gift tax exemption amount.

Procedurally, it is unclear how tax legislation would be formulated under the Biden administration. A tax package could be included as part of another COVID-19 relief bill. The TCJA could be modified, repealed, or replaced. It is also unclear how any package would proceed through Congress. Under current Senate rules, the legislative filibuster can limit the Senate’s ability to pass standalone tax legislation, thus leaving any such legislation to the budget reconciliation process, as was the case in 2017. It also remains unclear if the two parties will come together to work on any bill. Finally, it will be important to note who fills key Treasury tax positions in the Biden administration, as these individuals will have a strategic role in the development of administration priorities and the negotiation with Congress of any tax bill. Here are three ways tax changes could take shape:

  1. Part of a COVID-19 relief package
    With the Biden administration eager to provide immediate relief to individuals and small- and medium-sized businesses affected by the coronavirus pandemic, some tax changes could be included as part of an additional relief bill on which the administration is likely to seek bipartisan support. Such changes could take the form of tax cuts for some businesses and individuals, tax credits, expanded retirement contributions, and/or other measures. If attached to a COVID-19 relief bill, these changes would likely go into effect immediately and would provide rapid relief to businesses and individuals that have been particularly hard hit during the pandemic and economic downturn.
  2. Repeal and replace TCJA
    Another possibility is for Biden to pursue a full rollback of the TCJA and replace it with his own tax bill. This would be a challenge since the Democrats only have a slim majority in the Senate, meaning that Republicans could filibuster the bill unless Senate Democrats take steps to repeal the filibuster.

    Given that the Biden administration’s immediate priorities will be delivering financial assistance to individuals and businesses, ensuring the rollout of COVID-19 vaccines, and flattening the curve of cases, a repeal and replacement of the TCJA might not be voted on until at least late 2021 and likely would not go into effect until 2022 at the earliest.
  3. Pare back or modify the TCJA
    An overall theme of Biden’s campaign was not sweeping, radical change but making incremental shifts that he views as improvements. This theme may come into play in Biden’s approach to tax legislation. He may choose not to repeal the TCJA completely (prompting a return to 2016 taxation levels), but instead pare back some of the tax changes enacted in 2017. In practice, this could mean raising the corporate tax rate by a few percentage points, which could garner bipartisan support. Again, this likely would not be a legislative priority until after the country has passed through the worst of the COVID-19 pandemic.

Factors that will influence potential tax changes

Senate legislative filibuster

Currently, the minority party in the Senate can delay a vote on an issue if fewer than 60 senators support bringing a measure to a vote. Thus, Republicans would be likely to filibuster any bill that contains more ambitious tax rate increases. The uptick in the use of the filibuster in recent decades is perhaps a symptom of congressional deadlock, and there are calls from many Democrats to eliminate the filibuster in order to pass more ambitious legislation without bipartisan support (in fact, in recent years, the filibuster has been removed for appointments and confirmations). While President Biden and Senate Majority Leader Chuck Schumer may be open to ending or further limiting the filibuster, every Democratic senator would have to agree. West Virginia Senator Joe Manchin has said repeatedly that he will not vote to end the legislative filibuster.

If the filibuster remains in place as it appears it will, tax legislation would likely be passed as part of the budget reconciliation process, which only requires a simple majority to pass. However, the tradeoff is that any changes generally would have to expire at the end of the budget window, which typically is 10 years. This is how both the 2001 Economic Growth and Tax Relief Reconciliation Act and the TCJA were passed.

Appetite for bipartisanship

President Biden has signaled that he wants to work for all Americans and seek to heal the partisan divides in the country. He may be looking to reach across the aisle on certain legislation and seek bipartisan support, even if such support is not necessary to pass a bill. Biden stated during his campaign that he wants to increase the corporate tax rate—not to the 2017 rate of 35%—but to 28%. Achieving this middle ground rate might be viewed as a compromise approach.

As the new government takes office, it remains to be seen how much bipartisanship is desired, or even possible.

What this may mean for your business

It is important to note that sweeping tax changes probably are not an immediate priority for the incoming Biden administration. The new administration’s immediate focus likely will be on addressing the current fragmented approach to COVID-19 vaccinations, accelerating the distribution of the vaccines, taking steps to bring the spread of COVID-19 under control, and providing much needed economic relief. As noted above, there could be some tax changes and impacts resulting from future COVID-19 relief bills.

Those will be the bills to watch for any early tax changes, including cuts or credits, that businesses may be able to take advantage of. Larger scale tax changes, particularly any tax increases, may not go into effect until 2022 at the earliest. Here are some of the current rules and how Biden is proposing to deal with them.

If you have questions about your particular situation, please contact our team. We’re here to help. 

Article
Biden's tax plan: Tax reform details remain unclear

Read this if you are a hospital or healthcare organization that has received Provider Relief Funds. 

The long-awaited Provider Relief Fund (PRF) Reporting Portal (the Portal) opened to providers on January 15, 2021. Unfortunately, the Portal is currently only open for the registration of providers. The home page for the Portal has information on what documentation is needed for registration as well as other frequently asked questions.

We recommend taking the time to review what is needed and register as soon as possible. Health Resources & Services Administration (HRSA) has suggested the registration process will take approximately 20 minutes and must be completed in one session. The good news is providers will not need to keep checking the Portal to see when additional data can be entered as the Portal home page states that registered providers will be notified when they should re-enter the portal to report on the use of PRF funds.

Access the portal

The Provider Relief Fund (PRF) Reporting Portal is only compatible with the most current stable version of Edge, Chrome and Mozilla Firefox.

Article
Provider Relief Fund (PRF) reporting portal

Read this if you are at a rural health clinic or are considering developing one.

Section 130 of H.R. 133, the Consolidated Appropriations Act of 2021 (Covid Relief Package) has become law. The law includes the most comprehensive reforms of the Medicare RHC payment methodology since the mid-1990s. Aimed at providing a payment increase to capped RHCs (freestanding and provider-based RHCs attached to hospitals greater than 50 beds), the provisions will simultaneously narrow the payment gap between capped and non-capped RHCs.

This will not obtain full “site neutrality” in payment, a goal of CMS and the Trump administration, but the new provisions will help maintain budget neutrality with savings derived from previously uncapped RHCs funding the increase to capped providers and other Medicare payment mechanisms.

Highlights of the Section 130 provision:

  • The limit paid to freestanding RHCs and those attached to hospitals greater than 50 beds will increase to $100 beginning April 1, 2021 and escalate to $190 by 2028.
  • Any RHC, both freestanding and provider-based, will be deemed “new” if certified after 12/31/19 and subject to the new per-visit cap.
  • Grandfathering would be in place for uncapped provider-based RHCs in existence as of 12/31/19. These providers would receive their current All-Inclusive Rate (AIR) adjusted annually for MEI (Medicare Economic Index) or their actual costs for the year.

If you have any questions about your specific situation, please contact us. We’re here to help.

Article
Section 130 Rural Health Clinic (RHC) modernization: Highlights

Read this if your company is seeking guidance on PPP loans.

The Consolidated Appropriations Act, 2021 (H.R. 133) was signed into law on December 27, 2020. This bill contains guidance on the existing Paycheck Protection Program (PPP) and guidelines for the next round of PPP funding.

Updates on existing PPP loans

Income and expense treatment of PPP loans. Forgiven PPP loans will not be included in taxable income and eligible expenses paid with PPP funds will be tax-deductible. This tax treatment applies to both current and future PPP loans.

Tax attributes and basis adjustments. Tax attributes such as net operating losses and passive loss carryovers, and basis increases generated from the result of the PPP loans will not be reduced if the loans are forgiven.

Economic Injury Disaster Loans (EIDL). Any previous or future EIDL advance will not reduce PPP loan forgiveness. Any borrowers who already received forgiveness of their PPP loans and had their EIDL subtracted from the forgiveness amount will be able to file an amended forgiveness application to have their PPP forgiveness amount increased by the amount of the EIDL advance. The SBA has 15 days from the effective date of this bill to produce an amended forgiveness application. 

Simplified forgiveness application for loans under $150,000. Borrowers who received PPP loans for $150,000 or less will now be able to file a simplified one-page forgiveness application and will not be required to submit documentation with the application. The SBA has 24 days from the effective date of this bill to make this new forgiveness application available. 

Use of PPP funds. Congress expanded the types of expenses that may be paid with PPP funds. Prior eligible expenses were limited to payroll (including health benefits), rent, covered mortgage interest, and utilities. Additional expenses now include software and cloud computing services to support business operations, the purchase of essential goods from suppliers, and expenditures for complying with government guidance relating to COVID-19.

These additional expenses apply to both existing and new PPP loans, but they do not apply to existing loans if forgiveness has already been obtained.
 
In addition, the definition of "payroll costs" has been expanded to include costs for group life, disability, dental, and vision insurance. These additions also apply to both existing and new loans.

Information for new PPP loans

Application deadline. March 31, 2021 

Eligibility for first-time borrowers. A business that did not previously apply for or receive a PPP loan may apply for a new loan. The same requirements apply from the first round of loans. The business must employ fewer than 500 employees per physical location and the borrower must certify the loan is necessary due to economic uncertainty.

Eligibility for second-time borrowers. Businesses that received a prior PPP loan may apply for a second loan, however the eligibility requirements are a little more stringent. The business must have fewer than 300 employees per physical location (down from 500 previously) and it must have experienced a decline in gross revenue of at least 25% in any quarter in 2020 as compared to the same quarter in 2019. The business must have also expended (or will expend) their initial PPP loan proceeds. 

Maximum loan amount. Lesser of $2 million or 2.5x average monthly payroll for either calendar 2019 or the 12-month period prior to the date of the loan. Businesses operating in the accommodations and food service industry (NAICS code 72) can use a 3.5x average monthly payroll multiple. If the business previously received a loan less than the new amount allowed, or if it returned a portion or all of the previous loan, it can apply for additional funds up to the maximum loan amount. 

New types of businesses eligible for loans.

  • Broadcast news stations, radio stations, and newspapers that will use the proceeds to support the production and distribution of local and emergency information 
  • Certain 501(c)(6) organizations with fewer than 300 employees and that are not significantly involved in lobbying activities 
  • Housing cooperatives with fewer than 300 employees 
  • Companies in bankruptcy if the bankruptcy court approves

Ineligible businesses. A business that was ineligible to receive a PPP loan during the first round is still ineligible to receive a loan in the new round. The new legislation also prohibits the following businesses from receiving a loan in the second round:

  • Publicly traded companies 
  • Businesses owned 20% or more by a Chinese or Hong Kong entity or have a resident of China on its board 
  • Businesses engaged primarily in political or lobbying activities
  • Businesses required to register under the Foreign Agents Registration Act 
  • Businesses not in operation on February 15, 2020 

Forgiveness qualifications. New PPP loans will be eligible for forgiveness if at least 60% of the proceeds are used on payroll costs. Partial forgiveness will still be available if less than 60% of the funds are used on payroll costs. 

Covered period. The borrower may choose a covered period (i.e., the amount of time in which the PPP funds must be spent) between 8 and 24 weeks from the date of the loan disbursement.

Employee Retention Tax Credit. The CARES Act prohibited a business from claiming the Employee Retention Tax Credit if they received a PPP loan. The new legislation retroactively repeals that prohibition, although it is unclear how an employer can claim retroactive relief. The new bill also expands the tax credit for 2021. 

Additional guidance is expected from the SBA in the coming weeks on many of these items and we will provide updates when the information is released.

We’re here to help.
If you have questions about PPP loans, contact a BerryDunn professional.

Article
Paycheck Protection Program: Updates on new and existing loans

If you received PPP funds, read on.

The Treasury has released new information regarding Paycheck Program Protection forgiveness. 

Based on IRS guidance, if you intend to apply for forgiveness and have a reasonable expectation it will be granted, the expenses used to support forgiveness will not be permitted as a deduction in 2020. It is unclear whether this guidance would apply if a taxpayer is undecided with regard to their forgiveness application at year end. Here is what we know so far.

The CARES Act included provisions that stated PPP loan forgiveness would not be considered taxable income under the Internal Revenue Code (“IRC”). The CARES Act specifically provides the forgiveness is not taxable income under IRC Section 61.

However, the IRS has issued the following guidance on this matter, which relates to the expenses paid with the PPP loan funds.

Notice 2020-32, states IRC Section 265(a)(1) applies to disallow expenses that were included on and supported a taxpayer’s successful PPP loan forgiveness application. 

In general, this section states NO deductions are permitted for expenses that are directly attributable to tax exempt income. 

The IRS seems to have concluded, in this Notice, the PPP loan forgiveness is tax exempt income. Therefore, the salary and occupancy costs used to support forgiveness, under current IRS guidance, will not be tax deductible.

Unanswered questions

This notice, while somewhat informative, raises many unanswered questions. For example, what are the tax consequences if a PPP loan is forgiven in 2021 and the expenses supporting the forgiveness were incurred in 2020? Could the forgiveness be construed as something other than tax exempt income?

Revenue Ruling 2020-27 attempts to answer some of these questions and provides additional guidance with regard to IRS expectations. The Ruling seems to indicate there are two possible tax positions relative to expenses that qualify PPP loans for forgiveness:

  • First, the loan forgiveness could be construed as tax exempt income and, pursuant to IRC Section 265 expenses directly attributable to the exempt income are not deductible.
  • Second, loan forgiveness could be construed as the reimbursement of certain expenses, and not as tax exempt income. Under the reimbursement approach the IRS has stated if you intend to apply for forgiveness and reasonably expect to receive forgiveness the reimbursed expenses are not deductible, even if forgiveness is obtained in the following tax year. This position seems to be supported by several tax controversies which were litigated in favor of the IRS. 

Some taxpayers had anticipated using a rule known as the tax benefit rule to deduct expense in 2020 and report a recovery (income) in 2021 when the loan is forgiven. It appears the IRS is not willing to accept this filing position.

We are hoping Congress will revisit this issue and consider statutory changes which allow for the deduction of expenses. Some taxpayers are planning to extend their income tax returns, taking a wait and see approach, with the hopes Congress will amend the statutes and allow for a deduction.

Under current law, it appears the salary, interest, rent used to support a forgiveness application will not be permitted as a tax deduction on your 2020 tax returns. This could result in a significant change in your 2020 taxable income.

Final considerations

For estimated tax payment purposes, we believe it would be reasonable to attribute the lost deductions to the quarter in which you made your final determination to file for forgiveness. This could mitigate any underpayment of estimated income tax penalties. 

If you are making safe harbor quarter estimates and/or have sufficient withholdings any incremental tax would be due with your return on April 15, 2021. Generally, the IRS safe harbor is to pay 110% of prior year tax during the current year to be penalty proof.

If you have questions about your specific situation, please contact us. We’re here to help.

COVID-19 business support

We will continue to post updates as we uncover them. Let us know if you have questions. For more information regarding the Paycheck Protection Program, the CARES Act, or other COVID-19 resources, see our COVID-19 Resource Center.

Article
Update: Treasury issues a revenue ruling and revenue procedure regarding PPP forgiveness

If you received over $2 million in PPP funds, read on.

The Small Business Administration (SBA) has posted a new form to collect additional information on loan necessity from businesses that received over $2 million in PPP funds. The comment period is now open and closes on November 25, 2020. As we seek more clarity, here is what we know.

What is happening: 

The SBA released PPP Loan Necessity Questionnaires (Forms 3509 and 3510) for borrowers that received PPP loans of $2 million or more on October 30, 2020. The forms are not available at the SBA or Treasury websites, but were released through the PPP Loan Forgiveness portal to lenders.  

Here is an excellent description of what we know thus far. Here are our concerns: 

  • The timing and lack of clarity. The 10-day turnaround is very tight. It could be very difficult to manage if it hits during a month or quarter close, or even worse at year-end.

  • This is counter to what was described in the FAQs at the time, so it leaves us with many unanswered questions.
  • It appears that information on the form might be subject to FOIA. There is a toggle to indicate what information you consider to be confidential. We recommend that you carefully review what information you have not flagged as confidential before submitting the form.

Other considerations and actions you can take in the meantime:

  • We know that the questionnaire is triggered by submitting an application for forgiveness. Given some of the uncertainty of other program impacts and this additional information that is requested, it may be reasonable to wait to seek loan forgiveness until we determine the impact.
  • You may wish to comment on the federal notice. See instructions for submitting comments below.

COVID-19 business support

We will continue to post updates as we uncover them. Let us know if you have questions. For more information regarding the Paycheck Protection Program, the CARES Act, or other COVID-19 resources, see our COVID-19 Resource Center.

Instructions for submitting comments:
Agency Clearance Officer                  
Curtis Rich
Small Business Administration
409 3rd Street SW
5th Floor
Washington, DC 20416

and 

SBA Desk Officer
Office of Information and Regulatory Affairs
Office of Management and Budget
New Executive Office Building
Washington, DC  20503

Your comments should be titled as follows:
Title: Paycheck Protection Program
OMB Control Number: 3245-0407

Comments should include one or all of the following: 
(a) whether the collection of information is necessary, 
(b) whether the estimate of 1.6 hours to complete or review the proposed application form is accurate (42,000 applications, 67,833 annual hour burden), 
(c) whether there are ways to minimize this burden, and
(d) whether there are ways to enhance the quality, utility, and clarity of the information.

Article
Paycheck Protection Program: New regulatory announcements

Read this if you are a bank with over $1 billion in assets.

It’s no secret COVID-19 has had a substantial impact on the economy. As unemployment soared and the economy teetered on the edge of collapse, unprecedented government stimulus attempted to stymie the COVID-19 tidal wave. One tool used by the government was the creation of the Paycheck Protection Program (PPP). Part of the Coronavirus Aid, Relief, and Economic Security (CARES) Act, the PPP initially authorized the lending of $349 billion to encourage businesses to keep workers employed and cover certain operating expenses during the coronavirus pandemic. The PPP was then extended through August 8, 2020 with an additional $310 billion authorized.

Many financial institutions scrambled to free up resources and implement processes to handle the processing of PPP loan applications. However, such underwriting poses unique challenges for financial institutions. PPP loans are 100% guaranteed by the US Small Business Administration (SBA) if the borrowers meet certain criteria. Establishing appropriate controls over the loan approval and underwriting process is more a matter of ensuring compliance with the PPP, rather than ensuring the borrower can repay their loan.

Federal Deposit Insurance Corporation Improvement Act of 1991 compliance 

Banks with total assets over $1 billion as of the beginning of their fiscal year must comply with the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA). Amongst other things, FDICIA requires management perform an assessment and provide a resulting attestation on the operating effectiveness of the bank’s internal controls over financial reporting (ICFR) as of the bank’s fiscal year-end. Although this attestation is as of year-end, management must perform testing of the bank’s ICFR throughout the bank’s fiscal year to obtain sufficient evidence regarding the operating effectiveness of ICFR as of year-end. Key controls over various transaction cycles are typically housed in a matrix, making it easy for management and other users, such as independent auditors, to review a bank’s key ICFR. 

Internal control documentation

If the process for originating PPP loans is different from the bank’s process for traditional loan products, it’s likely the internal controls surrounding this process is also different. Given that $659 billion in PPP loans have been granted to date, it is possible PPP loans may be material to individual banks’ balance sheets. If PPP loans are material to your bank’s balance sheet, you should consider the controls that were put in place. If the controls are deemed to be different from those already documented for other types of loans, you should document such controls as new controls in your FDICIA matrix and test accordingly.

As noted earlier, the risks a financial institution faces with PPP loans are likely different from traditional underwriting. If these unique risks could impact amounts reported in the financial statements, it’s smart to address them through the development of internal controls. Banks should assess their individual situations to identify any risks that may have not previously existed. For instance, given the volume of PPP loans originated in such a short period of time, quality control processes may have been stretched to their limits. The result could be PPP loans inaccurately set up in the loan accounting system or loan files missing key information. Depending on the segregation of duties, the risk could even be the creation of fictitious PPP loans. A detective internal control that could address inaccurate loan setup would be to scan a list of PPP loans for payment terms, maturity dates, or interest rates that appear to be outliers. Given the relatively uniform terms for PPP loans, any anomalies should be easily identifiable. 

Paycheck Protection Program loan fees

Aside from internal controls surrounding the origination of PPP loans, banks may also need to consider documenting internal controls surrounding PPP loan fees received by the SBA. Although the accounting for such fees is not unique, given the potential materiality to the income statement, documenting such a control, even if it is merely addressing the fees in an already existing control, exhibits that management has considered the impact PPP loan fees may have on their ICFR. 

The level of risk associated with PPP loan fees may differ from institution to institution. For instance, a bank that is calculating its PPP loan fees manually rather than relying on the loan accounting system to record and subsequently recognize income on these fees, inherently has more risk. This additional level of risk will need to be addressed in the development and documentation of internal controls. In this example, a periodic recalculation of PPP loan fees on a sample basis, including income recognition, may prove to be a sufficient internal control.

With the calendar year-end fast approaching, it is time to take a hard look at those FDICIA matrices, if you haven’t already done so:

  • Consider what has changed at your bank during the fiscal year and how those changes have impacted the design and operation of your internal controls. 
  • Ensure that what is happening in practice agrees to what is documented within your FDICIA matrix. 
  • Ensure that new activities, such as the origination of PPP loans, are adequately documented in your FDICIA matrix. 

With Congress considering another round of PPP loans, there is no time like the present to make sure your bank is ready from an ICFR perspective. If you have questions about your specific situation, or would like more information, please contact the FDICIA compliance team

Article
Do your FDICIA controls "CARES" about the Paycheck Protection Program?

Read this if you are a Maine business or organization that has been affected by COVID-19. 

The State of Maine has released a $200 million Maine Economic Recovery Grant Program for companies and organizations affected by the COVID-19 pandemic. Here is a brief outline of the program from the state, and a list of eligibility requirements. 

“The State of Maine plans to use CARES Act relief funding to help our economy recover from the impacts of the global pandemic by supporting Maine-based businesses and non-profit organizations through an Economic Recovery Grant Program. The funding originates from the federal Coronavirus Relief Fund and will be awarded in the form of grants to directly alleviate the disruption of operations suffered by Maine’s small businesses and non-profits as a result of the COVID-19 pandemic. The Maine Department of Economic & Community Development has been working closely with affected Maine organizations since the beginning of this crisis and has gathered feedback from all sectors on the current challenges.”

Eligibility requirements for the program from the state

To qualify for a Maine Economic Recovery Grant your business/organization must: 

  • Demonstrate a need for financial relief based on lost revenues minus expenses incurred since March 1, 2020 due to COVID-19 impacts or related public health response; 
  • Employ a combined total of 50 or fewer employees and contract employees;
  • Have significant operations in Maine (business/organization headquartered in Maine or have a minimum of 50% of employees and contract employees based in Maine); 
  • Have been in operation for at least one year before August 1, 2020; 
  • Be in good standing with the Maine Department of Labor; 
  • Be current and in good standing with all Maine state payroll taxes, sales taxes, and state income taxes (as applicable) through July 31, 2020;
  • Not be in bankruptcy; 
  • Not have permanently ceased all operations; 
  • Be in consistent compliance and not be under any current or past enforcement action with COVID-19 Prevention Checklist Requirements; and 
  • Be a for-profit business or non-profit organization, except
    • Professional services 
    • 501(c)(4), 501(c)(6) organizations that lobby 
    • K-12 schools, including charter, public and private
    • Municipalities, municipal subdivisions, and other government agencies 
    • Assisted living and retirement communities 
    • Nursing homes
    • Foundations and charitable trusts 
    • Trade associations 
    • Credit unions
    • Insurance trusts
    • Scholarship funds and programs 
    • Gambling 
    • Adult entertainment 
    • Country clubs, golf clubs, other private clubs 
    • Cemetery trusts and associations 
    • Fraternal orders 
    • Hospitals, nursing facilities, institutions of higher education, and child care organizations (Alternate funding available through the Department of Education and Department of Health and Human Services for hospitals, nursing facilities, child care organizations, and institutions of higher education.)

For more information

If you feel you qualify, you can find more details and the application here. If you have questions about your eligibility, please contact us. We’re here to help. 

Article
$200 Million Maine Economic Recovery Grant Program released