Trusting privileged accounts in the age of data breaches

05.21.19

Who has the time or resources to keep tabs on everything that everyone in an organization does? No one. Therefore, you naturally need to trust (at least on a certain level) the actions and motives of various personnel. At the top of your “trust level” are privileged users—such as system and network administrators and developers—who keep vital systems, applications, and hardware up and running. Yet, according to the 2019 Centrify Privileged Access Management in the Modern Threatscape survey, 74% of data breaches occurred using privileged accounts. The survey also revealed that of the organizations responding:

  • 52% do not use password vaulting—password vaulting can help privileged users keep track of long, complex passwords for multiple accounts in an encrypted storage vault.
  • 65% still share the use of root and other privileged access—when the use of root accounts is required, users should invoke commands that inherit the privileges of the account (sudo) without actually logging in as the account. This ensures “who” used the account can be tracked.
  • Only 21% have implemented multi-factor authentication—the obvious benefit of multi-factor authentication is to enhance the security of authenticating users, but also in many sectors it is becoming a compliance requirement.
  • Only 47% have implemented complete auditing and monitoring—thorough auditing and monitoring is vital to securing privileged accounts.

So how does one even begin to trust privileged accounts in today’s environment? 

1. Start with an inventory

To best manage and monitor your privileged accounts, start by finding and cataloguing all assets (servers, applications, databases, network devices, etc.) within the organization. This will be beneficial in all areas of information security such as asset management, change control and software inventory tracking. Next, inventory all users of each asset and ensure that privileged user accounts:

  • Have privileges granted based on roles and responsibilities
  • Require strong and complex passwords (exceeding those of normal users)
  • Have passwords that expire often (30 days recommended)
  • Implement multi-factor authentication
  • Are not shared with others and are not used for normal activity (the user of the privileged account should have a separate account for non-privileged or non-administrative activities)

If the account is only required for a service or application, disable the account’s ability to log in from the server console and from across the network.
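One way to check part of this checklist on a Linux host is to read the account databases directly. The following is an added example, not code from the article: the `passwd`/`shadow` excerpts are constructed, and the account names and the `PRIVILEGED`/`SERVICE` inventory sets are hypothetical. It covers password expiry and service-account login only; MFA and role assignments live outside these files.

```python
# Added example: audit constructed /etc/passwd and /etc/shadow excerpts
# against the 30-day expiry and "service accounts cannot log in" rules.

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed sample data in the standard passwd field layout.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
adm_jlee:x:1001:1001:J Lee (admin):/home/adm_jlee:/bin/bash
adm_mkhan:x:1002:1002:M Khan (admin):/home/adm_mkhan:/bin/bash
svc_backup:x:990:990:Backup service:/var/lib/backup:/bin/bash
svc_web:x:991:991:Web service:/var/www:/usr/sbin/nologin
"""

# Constructed sample data in the standard shadow field layout:
# name:hash:last_change:min_age:max_age:warn:inactive:expire:reserved
SHADOW = """\
root:$6$constructed$hash:19800:0:99999:7:::
adm_jlee:$6$constructed$hash:19800:0:30:7:::
adm_mkhan:$6$constructed$hash:19800:0:90:7:::
svc_backup:$6$constructed$hash:19800:0:99999:7:::
svc_web:!:19800:0:99999:7:::
"""

# Hypothetical result of the inventory step.
PRIVILEGED = {"root", "adm_jlee", "adm_mkhan"}
SERVICE = {"svc_backup", "svc_web"}


def parse_colon_file(text):
    """Map account name -> list of colon-separated fields."""
    rows = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            rows[fields[0]] = fields
    return rows


def audit_accounts(passwd_text, shadow_text, privileged, service, max_age=30):
    """Return (account, finding) pairs in passwd-file order."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    for name, pw in passwd.items():
        sh = shadow.get(name)
        if name in privileged:
            # Shadow index 4 is the maximum password age in days.
            raw = sh[4] if sh and len(sh) > 4 else ""
            if not raw.isdigit() or int(raw) > max_age:
                findings.append((name, "password_max_age"))
        if name in service:
            # A real shell allows console and SSH sessions for the account.
            shell = pw[6] if len(pw) > 6 else ""
            if shell not in NOLOGIN_SHELLS:
                findings.append((name, "interactive_shell"))
            # A hash field starting with "!" or "*" blocks password logins.
            if sh is None or not sh[1].startswith(("!", "*")):
                findings.append((name, "password_not_locked"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_accounts(PASSWD, SHADOW, PRIVILEGED, SERVICE):
        print(f"{account}: {finding}")
```

A locked password does not block key-based SSH logins, which is why the shell check is reported separately.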

2. Monitor—then monitor some more

The next step is to monitor the use of the identified privileged accounts. Enable event logging on all systems and aggregate to a log monitoring system or a Security Information and Event Management (SIEM) system that alerts in real time when privileged accounts are active. Configure the system to alert you when privileged accounts access sensitive data or alter database structure. Report any changes to device configurations, file structure, code, and executable programs. If these changes do not correlate to an approved change request, treat them as incidents and investigate.  

Consider software that analyzes user behavior and identifies deviations from normal activity. Privileged accounts that are accessing data or systems not part of their normal routine could be the indication of malicious activity or a database attack from a compromised privileged account. 
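The correlation described in this step, together with the earlier point that sudo keeps privileged use attributable, can be expressed as a small triage routine. This is an added example, not part of the original article: the log lines are constructed (ISO timestamps are assumed), the hosts, users and change-request records are hypothetical, and every sudo-to-root command is treated as change activity for simplicity.

```python
# Added example: flag privileged activity that has no approved change
# request, and direct root logins that cannot be attributed to a person.
import re
from datetime import datetime

# Constructed log lines in sudo and sshd syslog message format.
LOG = """\
2019-05-20T02:14:09 db01 sudo: adm_jlee : TTY=pts/0 ; PWD=/home/adm_jlee ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
2019-05-20T02:30:00 web01 sudo: adm_mkhan : TTY=pts/1 ; PWD=/home/adm_mkhan ; USER=root ; COMMAND=/usr/bin/apt install nginx
2019-05-20T03:40:00 db01 sshd[4121]: Accepted password for root from 10.0.0.15 port 50122 ssh2
2019-05-20T03:41:00 db01 CRON[4130]: pam_unix(cron:session): session opened for user backup
2019-05-20T09:31:44 db01 sudo: adm_jlee : TTY=pts/0 ; PWD=/etc/postgresql ; USER=root ; COMMAND=/usr/bin/vi pg_hba.conf
"""

# Hypothetical approved change requests exported from a ticketing system.
CHANGE_REQUESTS = [
    {"id": "CR-EXAMPLE-1", "host": "db01", "user": "adm_jlee",
     "start": "2019-05-20T02:00:00", "end": "2019-05-20T04:00:00"},
]

SUDO_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sudo: +(?P<user>\S+) : "
    r".*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)
ROOT_LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted \S+ for root from (?P<src>\S+)"
)


def is_approved(ts, host, user, change_requests):
    """True if a change request covers this user on this host at this time."""
    when = datetime.fromisoformat(ts)
    for cr in change_requests:
        if cr["host"] == host and cr["user"] == user:
            start = datetime.fromisoformat(cr["start"])
            end = datetime.fromisoformat(cr["end"])
            if start <= when <= end:
                return True
    return False


def triage(log_text, change_requests):
    """Return (timestamp, host, actor, reason, detail) for each incident."""
    incidents = []
    for line in log_text.splitlines():
        m = ROOT_LOGIN_RE.match(line)
        if m:
            # Shared root login: the log cannot say which person acted.
            incidents.append((m["ts"], m["host"], "root",
                              "direct_root_login", m["src"]))
            continue
        m = SUDO_RE.match(line)
        if m and m["target"] == "root":
            if not is_approved(m["ts"], m["host"], m["user"], change_requests):
                incidents.append((m["ts"], m["host"], m["user"],
                                  "no_approved_change", m["cmd"]))
    return incidents


if __name__ == "__main__":
    for incident in triage(LOG, CHANGE_REQUESTS):
        print(" | ".join(incident))
```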

3. Secure the event logs

Finally, ensure that none of your privileged accounts have access to the logs being used for monitoring, nor have the ability to alter or delete those logs. In addition to real time monitoring and alerting, the log management system should have the ability to produce reports for periodic review by information security staff. The reports should also be archived for forensic purposes in the event of a breach or compromise.

Gain further assistance (and peace of mind) 

BerryDunn understands how privileged accounts should be monitored and audited. We can help your organization assess your current event management process and make recommendations if improvements are needed. Contact our team.

Read this if your company is seeking guidance on PPP loans.

The Consolidated Appropriations Act, 2021 (H.R. 133) was signed into law on December 27, 2020. This bill contains guidance on the existing Paycheck Protection Program (PPP) and guidelines for the next round of PPP funding.

Updates on existing PPP loans

Income and expense treatment of PPP loans. Forgiven PPP loans will not be included in taxable income and eligible expenses paid with PPP funds will be tax-deductible. This tax treatment applies to both current and future PPP loans.

Tax attributes and basis adjustments. Tax attributes such as net operating losses and passive loss carryovers, and basis increases generated from the result of the PPP loans will not be reduced if the loans are forgiven.

Economic Injury Disaster Loans (EIDL). Any previous or future EIDL advance will not reduce PPP loan forgiveness. Any borrowers who already received forgiveness of their PPP loans and had their EIDL subtracted from the forgiveness amount will be able to file an amended forgiveness application to have their PPP forgiveness amount increased by the amount of the EIDL advance. The SBA has 15 days from the effective date of this bill to produce an amended forgiveness application. 

Simplified forgiveness application for loans under $150,000. Borrowers who received PPP loans for $150,000 or less will now be able to file a simplified one-page forgiveness application and will not be required to submit documentation with the application. The SBA has 24 days from the effective date of this bill to make this new forgiveness application available. 

Use of PPP funds. Congress expanded the types of expenses that may be paid with PPP funds. Prior eligible expenses were limited to payroll (including health benefits), rent, covered mortgage interest, and utilities. Additional expenses now include software and cloud computing services to support business operations, the purchase of essential goods from suppliers, and expenditures for complying with government guidance relating to COVID-19.

These additional expenses apply to both existing and new PPP loans, but they do not apply to existing loans if forgiveness has already been obtained.
 
In addition, the definition of "payroll costs" has been expanded to include costs for group life, disability, dental, and vision insurance. These additions also apply to both existing and new loans.

Information for new PPP loans

Application deadline. March 31, 2021 

Eligibility for first-time borrowers. A business that did not previously apply for or receive a PPP loan may apply for a new loan. The same requirements apply from the first round of loans. The business must employ fewer than 500 employees per physical location and the borrower must certify the loan is necessary due to economic uncertainty.

Eligibility for second-time borrowers. Businesses that received a prior PPP loan may apply for a second loan, however the eligibility requirements are a little more stringent. The business must have fewer than 300 employees per physical location (down from 500 previously) and it must have experienced a decline in gross revenue of at least 25% in any quarter in 2020 as compared to the same quarter in 2019. The business must have also expended (or will expend) their initial PPP loan proceeds. 

Maximum loan amount. Lesser of $2 million or 2.5x average monthly payroll for either calendar 2019 or the 12-month period prior to the date of the loan. Businesses operating in the accommodations and food service industry (NAICS code 72) can use a 3.5x average monthly payroll multiple. If the business previously received a loan less than the new amount allowed, or if it returned a portion or all of the previous loan, it can apply for additional funds up to the maximum loan amount. 

New types of businesses eligible for loans.

  • Broadcast news stations, radio stations, and newspapers that will use the proceeds to support the production and distribution of local and emergency information 
  • Certain 501(c)(6) organizations with fewer than 300 employees and that are not significantly involved in lobbying activities 
  • Housing cooperatives with fewer than 300 employees 
  • Companies in bankruptcy if the bankruptcy court approves

Ineligible businesses. A business that was ineligible to receive a PPP loan during the first round is still ineligible to receive a loan in the new round. The new legislation also prohibits the following businesses from receiving a loan in the second round:

  • Publicly traded companies 
  • Businesses owned 20% or more by a Chinese or Hong Kong entity or have a resident of China on its board 
  • Businesses engaged primarily in political or lobbying activities
  • Businesses required to register under the Foreign Agents Registration Act 
  • Businesses not in operation on February 15, 2020 

Forgiveness qualifications. New PPP loans will be eligible for forgiveness if at least 60% of the proceeds are used on payroll costs. Partial forgiveness will still be available if less than 60% of the funds are used on payroll costs. 

Covered period. The borrower may choose a covered period (i.e., the amount of time in which the PPP funds must be spent) between 8 and 24 weeks from the date of the loan disbursement.

Employee Retention Tax Credit. The CARES Act prohibited a business from claiming the Employee Retention Tax Credit if they received a PPP loan. The new legislation retroactively repeals that prohibition, although it is unclear how an employer can claim retroactive relief. The new bill also expands the tax credit for 2021. 

Additional guidance is expected from the SBA in the coming weeks on many of these items and we will provide updates when the information is released.

We’re here to help.
If you have questions about PPP loans, contact a BerryDunn professional.

Article
Paycheck Protection Program: Updates on new and existing loans

If you received PPP funds, read on.

The Treasury has released new information regarding Paycheck Protection Program forgiveness. 

Based on IRS guidance, if you intend to apply for forgiveness and have a reasonable expectation it will be granted, the expenses used to support forgiveness will not be permitted as a deduction in 2020. It is unclear whether this guidance would apply if a taxpayer is undecided with regard to their forgiveness application at year end. Here is what we know so far.

The CARES Act included provisions that stated PPP loan forgiveness would not be considered taxable income under the Internal Revenue Code (“IRC”). The CARES Act specifically provides the forgiveness is not taxable income under IRC Section 61.

However, the IRS has issued the following guidance on this matter, which relates to the expenses paid with the PPP loan funds.

Notice 2020-32 states IRC Section 265(a)(1) applies to disallow expenses that were included on and supported a taxpayer’s successful PPP loan forgiveness application. 

In general, this section states NO deductions are permitted for expenses that are directly attributable to tax exempt income. 

The IRS seems to have concluded, in this Notice, the PPP loan forgiveness is tax exempt income. Therefore, the salary and occupancy costs used to support forgiveness, under current IRS guidance, will not be tax deductible.

Unanswered questions

This notice, while somewhat informative, raises many unanswered questions. For example, what are the tax consequences if a PPP loan is forgiven in 2021 and the expenses supporting the forgiveness were incurred in 2020? Could the forgiveness be construed as something other than tax exempt income?

Revenue Ruling 2020-27 attempts to answer some of these questions and provides additional guidance with regard to IRS expectations. The Ruling seems to indicate there are two possible tax positions relative to expenses that qualify PPP loans for forgiveness:

  • First, the loan forgiveness could be construed as tax exempt income and, pursuant to IRC Section 265 expenses directly attributable to the exempt income are not deductible.
  • Second, loan forgiveness could be construed as the reimbursement of certain expenses, and not as tax exempt income. Under the reimbursement approach the IRS has stated if you intend to apply for forgiveness and reasonably expect to receive forgiveness the reimbursed expenses are not deductible, even if forgiveness is obtained in the following tax year. This position seems to be supported by several tax controversies which were litigated in favor of the IRS. 

Some taxpayers had anticipated using a rule known as the tax benefit rule to deduct expense in 2020 and report a recovery (income) in 2021 when the loan is forgiven. It appears the IRS is not willing to accept this filing position.

We are hoping Congress will revisit this issue and consider statutory changes which allow for the deduction of expenses. Some taxpayers are planning to extend their income tax returns, taking a wait and see approach, with the hopes Congress will amend the statutes and allow for a deduction.

Under current law, it appears the salary, interest, and rent used to support a forgiveness application will not be permitted as a tax deduction on your 2020 tax returns. This could result in a significant change in your 2020 taxable income.

Final considerations

For estimated tax payment purposes, we believe it would be reasonable to attribute the lost deductions to the quarter in which you made your final determination to file for forgiveness. This could mitigate any underpayment of estimated income tax penalties. 

If you are making safe harbor quarter estimates and/or have sufficient withholdings any incremental tax would be due with your return on April 15, 2021. Generally, the IRS safe harbor is to pay 110% of prior year tax during the current year to be penalty proof.

If you have questions about your specific situation, please contact us. We’re here to help.

COVID-19 business support

We will continue to post updates as we uncover them. Let us know if you have questions. For more information regarding the Paycheck Protection Program, the CARES Act, or other COVID-19 resources, see our COVID-19 Resource Center.

Article
Update: Treasury issues a revenue ruling and revenue procedure regarding PPP forgiveness

Read this if you are a member of a State Medicaid Agency’s leadership team.

Another National Association of Medicaid Directors (NAMD) fall conference is in the books. As usual, the sessions were excellent. And this year we had the luxury of being able to attend from the comfort of our homes. For BerryDunn’s consulting group, that enabled us to “send” a broader team to the conference. On the flip side, it also meant we were not able to greet and meet our community in person. 

Matt Salo, the NAMD Executive Director, defined the underlying themes to the conference as Flexibility, Innovation, and Resilience. If one were to just look at the full agenda, it would be hard to tell that this was a virtual conference. The session schedule and opening reception looked very much like a traditional NAMD conference, although there were not the usual breaks with the ice cream jubilee and ballroom number assignments. Otherwise, it was business as usual. 

In checking in with State Medicaid Director attendees, Monday’s meetings went well and they appreciated coming together. State leadership across the country is working straight-out right now—seven days a week. It kind of reminds me of when I became a parent: I thought I knew how to handle sleep deprivation, and then I had a newborn, and realized the important work of parenting isn’t on a time clock, which is much like the work Medicaid agencies are dedicated to. The directors and their support staff’s commitment to serving members and tax payers in their respective states is inspiring, and we are privileged to work alongside them. 

I appreciated a subtle but deep reminder from Matt and the NAMD President Beth Kidder for us: remember our “true North.” Why are we here? What is our purpose as leaders and vendors in the Medicaid community? The work we do matters. We can improve lives. We can save lives. The members in Medicaid programs are the center of all we do. Here are some of the other highlights I absorbed during the conference. 

Plenary sessions

In Tuesday’s plenary, panelists shared their primary lessons and reflections on the year, including: 

  • Pace―we need a balance because the pandemic does not have a clear beginning or end. Pandemics do not simply blow over like a hurricane; it’s hard to tell the beginning, middle, and end. 
  • Steadiness in chaos: velocity and stability―leaders need to make timely decisions while also being an anchor for their teams. 
  • Prioritization―not everything needs an immediate response. We need to be deliberate about what we do. 
  • Roadmaps―we can still use the tools we created to map out where we want to go. 

The panel also shared how telehealth, transparency, teamwork, focus, and reflecting on “whole lives” in policy making assisted them in navigating their teams and providing the best services possible. 

Keynote―health equity 

Dayna Bowen Matthew provided a solid argument on how Medicaid can be key to achieving true health equity in America. She discussed the four “Ps” that can make this possible: Population, Position, Payer, and Persuader. She used the COVID-19 pandemic as her example of how it hit the vulnerable population first, and how we could have learned from it. 

Instead, it is being unleashed on the broader population. The work must begin with us, expand to our teams, policies we can control, and then policies that need a collaborative approach to change and implement. If you attended the conference and have access but missed this talk, I highly recommend listening to it as she covered a lot of very pertinent material. 

Member perspectives 

Sprinkled through the entire conference were videos of Medicaid members’ perspectives. I appreciate the tradition of bringing the human element of Medicaid’s impact into the conference, as it reminds us of our purpose. The perspectives also underscore another important theme of Matt’s: “Medicaid is a program about people, not statistics.” Examples of stories we heard include how someone went from 28 years of incarceration due to an armed robbery conviction to graduating from a university and now working with people; a hockey coach’s accident that paralyzed him from the neck down; a homeless mother gaining security and stability; a foster parent with a son having a rare brittle bone disease and a Native American parent with health access issues. 

Economy 

There were a couple of sessions related to the economy, and generally, the presenters thought the biggest impact to Medicaid is yet to come. They said that there is typically a lag between events and member enrollments and the surge is still coming. They also agreed there was strong federal support from outside of CMS that kept their enrollment down. Membership growth is likely coming as state budgets are constrained. There are hopes for additional federal assistance within Medicaid, including an extended FMAP, and a similar package from last spring. The lack of certainty in regards to consistent funding is causing the states to spend a lot of energy developing backup plans. 

The panelists think the biggest economic challenges are yet to come for three main reasons: the high chance of a recession, the impending (third wave) virus impact, and the social unrest exacerbated by the pandemic and systemic racism. These are merging perfect storms causing directors to look for stability and relief. I think the best summary I heard of how to proceed was to open the book of “good ideas for bad times” that were not well thought of during good times. 

Public health emergency―COVID-19 pandemic 

As would be expected, COVID was a recurring topic in almost every session. There was a very interesting panel discussion on how best to “unwind” the changes made once we arrive in the post-pandemic era. There will be lots of challenges, and it is worth discussing these now, while we are still in the midst of responding to the immediate needs to address the virus. We are aware there will be systemic and program reversals. However, it will not be as simple as just doing a rollback. States will need to develop their strategies for redeterminations of their member populations and the timing will need to be coordinated. CMS will need to prepare guidance on expectations for unwinding. Programs will need to be reviewed and decisions prioritized on what needs to be changed. 

Prior to getting to the post-pandemic era, states know they will need to plan for managing vaccine distribution, which will be one tool to help bring the curve down. According to former senior officials from the Trump and Obama administrations, the worst pandemic phase is coming this winter. However, there is “light at the end of the tunnel” because of optimism on a vaccine and other tools. We know more in this upcoming wave than the first wave in March. According to these officials, the sciences cannot get us through without a human element. And the human element can save a lot of lives. 

As Scott Gottlieb, MD, former FDA Commissioner, said, “We just need to stop breathing on each other.” He was implying that we need to socially distance and wear masks, while we wait for the vaccine to come around and be distributed. The challenge is, according to Andy Slavitt, Former Acting Administrator for CMS, that the vaccine will not be available to the majority of the population for two to three months, and by then, if humans do not continue to change behavior, the spread could go to 30-40% of the population. They predict the pandemic will be at its worst point when the vaccine is made available. 

Seema Verma, the CMS Administrator, said the PHE has shown that we have the ability to work faster. She wants to ensure we heed the lessons of the pandemic, and in particular the experiences with the spread and deaths in the nursing homes. She feels that the issues in the nursing facilities cannot be fixed at the federal level. She sees CMS’s role as encouraging innovation at the state level, while the federal government holds states accountable to costs and positive outcomes and quality. 

Other concerns panelists raised regarding the pandemic are the long-term and downstream ripple effects of responding to the pandemic. For example: 

  • States know their members have delayed, deferred, and simply foregone healthcare over these past several months. This will create a surge in treatment at a later date, causing increased demand to an already fatigued provider community.
  • The reduced health of the general population resulting from not receiving the right care now and delaying care will further harm the well-being of the population. 
  • Our education system has gone mostly online, adversely impacting students’ ability to learn. 
  • The overall mental health of our population is at risk—the pandemic has changed all of us, and we will learn to what extent it has harmed us over the next several years. 

Looking ahead―there is hope

Several of the panels spent time discussing what our future might look like. It was encouraging to hear how there is a vision for long-term care delivery changes, meeting behavioral health needs, emergency and pandemic preparedness approaches, and addressing workforce challenges and healthcare inequalities. When asked to name one or two words that will represent where we are in five years, the panelists said: 

  • Lead and Succeed (#leadandsucceed) 
  • Survive and Thrive (#surviveandthrive) 
  • Even Better Together (#evenbettertogether)

We are in this today, and we are together, keeping the eye on our “true North”. Doing so will help us remain together and make us stronger in the future. The key is that we remain together. The conference showed that even though we could not be together in the same geographic place, our minds, attention, and spirit are aligned. We experienced the spirit of NAMD from our homes. 

We know that the future holds opportunities for us to be physically together in the future. We missed being in DC this year, and are very hopeful we will see you next year. That will be icing on the cake, which we will savor and not take for granted. Until then, I am confident we will maintain our integrity and focus on our purpose. 
 

Article
NAMD 2020 reflections: Together towards the future

If you received over $2 million in PPP funds, read on.

The Small Business Administration (SBA) has posted a new form to collect additional information on loan necessity from businesses that received over $2 million in PPP funds. The comment period is now open and closes on November 25, 2020. As we seek more clarity, here is what we know.

What is happening: 

The SBA released PPP Loan Necessity Questionnaires (Forms 3509 and 3510) for borrowers that received PPP loans of $2 million or more on October 30, 2020. The forms are not available at the SBA or Treasury websites, but were released through the PPP Loan Forgiveness portal to lenders.  

Here is an excellent description of what we know thus far. Here are our concerns: 

  • The timing and lack of clarity. The 10-day turnaround is very tight. It could be very difficult to manage if it hits during a month or quarter close, or even worse at year-end.

  • This is counter to what was described in the FAQs at the time, so it leaves us with many unanswered questions.
  • It appears that information on the form might be subject to FOIA. There is a toggle to indicate what information you consider to be confidential. We recommend that you carefully review what information you have not flagged as confidential before submitting the form.

Other considerations and actions you can take in the meantime:

  • We know that the questionnaire is triggered by submitting an application for forgiveness. Given some of the uncertainty of other program impacts and this additional information that is requested, it may be reasonable to wait to seek loan forgiveness until we determine the impact.
  • You may wish to comment on the federal notice. See instructions for submitting comments below.

Instructions for submitting comments:
Agency Clearance Officer                  
Curtis Rich
Small Business Administration
409 3rd Street SW
5th Floor
Washington, DC 20416

and 

SBA Desk Officer
Office of Information and Regulatory Affairs
Office of Management and Budget
New Executive Office Building
Washington, DC  20503

Your comments should be titled as follows:
Title: Paycheck Protection Program
OMB Control Number: 3245-0407

Comments should include one or all of the following: 
(a) whether the collection of information is necessary, 
(b) whether the estimate of 1.6 hours to complete or review the proposed application form is accurate (42,000 applications, 67,833 annual hour burden), 
(c) whether there are ways to minimize this burden, and
(d) whether there are ways to enhance the quality, utility, and clarity of the information.

Article
Paycheck Protection Program: New regulatory announcements

Read this if your agency is planning to procure a services vendor.

In our previous article, we looked at three primary areas we, or a potential vendor, consider when responding to a request for services. In this follow-up, we look at additional factors that influence the decision-making process on whether a potential vendor decides to respond to a request for services.

  • Relationship with this state/entity―Is this a state or client that we have worked with before? Do we understand their business and their needs?

    A continuing relationship allows us to understand the client’s culture and enables us to perform effectively and efficiently. By establishing a good relationship, we can assure the client that we can perform the services as outlined and at a fair cost.
  • Terms and conditions, performance bonds, or service level agreements―Are any of these items unacceptable? If there are concerns, can we request exceptions or negotiate with the state?

    When we review a request for services our legal and executive teams assess the risk of agreeing to the state’s terms and compare them against our existing contract language. States might consider requesting vendors provide exceptions to terms and conditions in their bid response to open the door for negotiations. Not allowing exceptions can result in vendors assuming that all terms are non-negotiable and may limit the amount of vendor bid responses received or increase the cost of the proposal.

    The inclusion of well-defined service level agreements (SLAs) in requests for proposals (RFPs) can be an effective way to manage resulting contracts. However, SLAs with undefined or punitive performance standards, compliance calculations, and remedies can also cause a vendor to consider whether to submit a bid response.

    RFPs for states that require performance bonds may result in significantly fewer proposals submitted, as the cost of a performance bond may make the total cost of the project too high to be successfully completed. If not required by law that vendors obtain performance bonds, states may want to explore other effective contractual protections that are more impactful than performance bonds, such as SLAs, warranties, and acceptance criteria.
  • Mandatory requirements―Are we able to meet the mandatory requirements? Does the cost of meeting these requirements keep us in a competitive range?

    Understanding the dichotomy between mandatory requirements and terms and conditions can be challenging, because in essence, mandatory requirements are non-negotiable terms and conditions. A state may consider organizing mandatory requirements into categories (e.g., system requirements, project requirements, state and federal regulations). This can help potential vendors determine whether all of the mandatory requirements are truly non-negotiable. Typically, vendors are prepared to meet all regulatory requirements, but not necessarily all project requirements.
  • Onsite/offsite requirements―Can we meet the onsite/offsite requirements? Do we already have nearby resources available? Are any location requirements negotiable?

    Onsite/offsite requirements have a direct impact on the project cost. Factors include accessibility of the onsite location, frequency of required onsite participation, and what positions/roles are required to be onsite or local. These requirements can make the resource pool much smaller when RFPs require staff to be located in the state office or require full-time onsite presence. And as a result, we may decide not to respond to the RFP.

    If the state specifies an onsite presence for general positions (e.g., project managers and business analysts), but is more flexible on onsite requirements for technical niche roles, the state may receive more responses to their request for services and/or more qualified consultants.
  • Due date of the proposal―Do we have the available proposal staff and subject matter experts to complete a quality proposal in the time given?

    We consider several factors when looking at the due date, including scope, the amount of work necessary to complete a quality response, and the proposal’s due date. A proposal with a very short due date that requires significant work presents a challenge and may result in lower-quality responses received.
  • Vendor available staffing―Do we have qualified staff available for this project? Do we need to work with subcontractors to get a complete team?

    We evaluate when the work is scheduled to begin to ensure we have the ability to provide qualified staff and obtain agreements with subcontractors. Overly strict qualifications that narrow the pool of qualified staff can affect whether we are able to respond. A state might consider whether key staff really needs a specific certification or skill or, instead, the proven ability to do the required work.

    For example, technical staff may not have worked on this particular type of project, but on a similar one with easily transferable skills. We have several long-term relationships with our subcontractors and find they can be an integral part of the services we propose. If carefully managed and vetted, we feel subcontractors can be an added value for the states.
  • Required certifications (e.g., Project Management Professional® (PMP®), Cybersecurity and Infrastructure Security Agency (CISA) certification)―Does our staff have the required certifications that are needed to complete this project?

    Many project requests require specific certifications. On a small project, maybe other certifications can help ensure that we have the skills required for a successful project. Smaller vendors, particularly, might not have PMP®-certified staff and so may be prohibited from proposing on a project that they could perform with high quality.
  • Project timeline―Is the timeline to complete the project reasonable and is our staff available during the timeframe needed for each position for the length of the project?

    A realistic and reasonable timeline is critical for the success of a project. This is a factor we consider as we identify any clear or potential risks. A qualified vendor will not provide a proposal response to an unrealistic project timeline without either requesting to negotiate the contract or requesting a change order later in the project. If the timeline is unrealistic, the state also runs the risk that the vendor will create many change requests, leading to a higher cost.

Other things we consider when responding to a request for services include: is there a reasonable published budget, what are the minority/women-owned business (M/WBE) requirements, and are these new services that we are interested in and do they fit within our company's overall business objectives?

Every vendor may have their own checklist and/or process that they go through before making a decision to propose on new services. We are aware that states and their agencies want a wide variety of high-quality responses from which to choose. Understanding the key areas that a proposer evaluates may help states provide requirements that lead to more high-quality and better-value proposals. If you would like to learn more about our process, or have specific questions, please contact the Medicaid Consulting team.

Article
What vendors want: Other factors that influence vendors when considering responding to a request for services

Read this if your agency is planning to procure a services vendor. 

Every published request for services aims to acquire the highest-quality services for the best value. Requests may be as simple as an email to a qualified vendor list or as formal as a request for proposal (RFP) published on a state’s procurement website. However big or small the request, upon receiving it, we, or a potential vendor, triage it using the following primary criteria:

  1. Scope of services―Are these services or solutions we can provide? If we can’t provide the entire scope of services, do we have partners that can?
    As a potential responding vendor, we review the scope of services to see if it is clearly defined and provides enough detail to help us make a decision to pursue the proposal. Part of this review is to check if there are specific requests for products or solutions, and if the requests are for products or solutions that we provide or that we can easily procure to support the scope of work. 
  2. Qualifications―What are the requirements and can we meet them?
    We verify that we can supply proofs of concept to validate experience and qualification requirements. We check to see if the requirements and required services/solutions are clearly defined and we confirm that we have the proof of experience to show the client. Strict or inflexible requirements may mean a new vendor is unable to propose new and innovative services and may not be the right fit.
  3. Value―Is this a service request that we can add value to? Will it provide fair compensation?
    We look to see if we can perform the services or provide the solution at a rate that meets the client’s budget. Sometimes, depending upon the scope of services, we can provide services at a rate typically lower than our competitors. Or, conversely, though we can perform the scope of services, the software/hardware we would have to purchase might make our cost lower in value to the client than a well-positioned competitor.

An answer of “no” on any of the above questions typically means that we will pass on responding to the opportunity. 

The above questions are primary considerations. There are other factors when we consider an opportunity, such as where the work is located in comparison to our available resources and if there is an incumbent vendor with a solid and successful history. We will consider these and other factors in our next article. If you would like to learn more about our process, or have specific questions, please contact the Medicaid Consulting team.
 

Article
What vendors want: Vendor decision process in answering requests for services

Read this if you are a bank with over $1 billion in assets.

It’s no secret COVID-19 has had a substantial impact on the economy. As unemployment soared and the economy teetered on the edge of collapse, unprecedented government stimulus attempted to stymie the COVID-19 tidal wave. One tool used by the government was the creation of the Paycheck Protection Program (PPP). Part of the Coronavirus Aid, Relief, and Economic Security (CARES) Act, the PPP initially authorized the lending of $349 billion to encourage businesses to keep workers employed and cover certain operating expenses during the coronavirus pandemic. The PPP was then extended through August 8, 2020 with an additional $310 billion authorized.

Many financial institutions scrambled to free up resources and implement processes to handle the processing of PPP loan applications. However, such underwriting poses unique challenges for financial institutions. PPP loans are 100% guaranteed by the US Small Business Administration (SBA) if the borrowers meet certain criteria. Establishing appropriate controls over the loan approval and underwriting process is more a matter of ensuring compliance with the PPP, rather than ensuring the borrower can repay their loan.

Federal Deposit Insurance Corporation Improvement Act of 1991 compliance 

Banks with total assets over $1 billion as of the beginning of their fiscal year must comply with the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA). Amongst other things, FDICIA requires management perform an assessment and provide a resulting attestation on the operating effectiveness of the bank’s internal controls over financial reporting (ICFR) as of the bank’s fiscal year-end. Although this attestation is as of year-end, management must perform testing of the bank’s ICFR throughout the bank’s fiscal year to obtain sufficient evidence regarding the operating effectiveness of ICFR as of year-end. Key controls over various transaction cycles are typically housed in a matrix, making it easy for management and other users, such as independent auditors, to review a bank’s key ICFR. 

Internal control documentation

If the process for originating PPP loans is different from the bank’s process for traditional loan products, it’s likely the internal controls surrounding this process are also different. Given that $659 billion in PPP loans have been granted to date, it is possible PPP loans may be material to individual banks’ balance sheets. If PPP loans are material to your bank’s balance sheet, you should consider the controls that were put in place. If the controls are deemed to be different from those already documented for other types of loans, you should document such controls as new controls in your FDICIA matrix and test accordingly.

As noted earlier, the risks a financial institution faces with PPP loans are likely different from traditional underwriting. If these unique risks could impact amounts reported in the financial statements, it’s smart to address them through the development of internal controls. Banks should assess their individual situations to identify any risks that may not have previously existed. For instance, given the volume of PPP loans originated in such a short period of time, quality control processes may have been stretched to their limits. The result could be PPP loans inaccurately set up in the loan accounting system or loan files missing key information. Depending on the segregation of duties, the risk could even be the creation of fictitious PPP loans. A detective internal control that could address inaccurate loan setup would be to scan a list of PPP loans for payment terms, maturity dates, or interest rates that appear to be outliers. Given the relatively uniform terms for PPP loans, any anomalies should be easily identifiable. 

Paycheck Protection Program loan fees

Aside from internal controls surrounding the origination of PPP loans, banks may also need to consider documenting internal controls surrounding PPP loan fees received by the SBA. Although the accounting for such fees is not unique, given the potential materiality to the income statement, documenting such a control, even if it is merely addressing the fees in an already existing control, exhibits that management has considered the impact PPP loan fees may have on their ICFR. 

The level of risk associated with PPP loan fees may differ from institution to institution. For instance, a bank that is calculating its PPP loan fees manually rather than relying on the loan accounting system to record and subsequently recognize income on these fees, inherently has more risk. This additional level of risk will need to be addressed in the development and documentation of internal controls. In this example, a periodic recalculation of PPP loan fees on a sample basis, including income recognition, may prove to be a sufficient internal control.

With the calendar year-end fast approaching, it is time to take a hard look at those FDICIA matrices, if you haven’t already done so:

  • Consider what has changed at your bank during the fiscal year and how those changes have impacted the design and operation of your internal controls. 
  • Ensure that what is happening in practice agrees to what is documented within your FDICIA matrix. 
  • Ensure that new activities, such as the origination of PPP loans, are adequately documented in your FDICIA matrix. 

With Congress considering another round of PPP loans, there is no time like the present to make sure your bank is ready from an ICFR perspective. If you have questions about your specific situation, or would like more information, please contact the FDICIA compliance team.

Article
Do your FDICIA controls "CARES" about the Paycheck Protection Program?

Read this if you are a member of a State Medicaid Agency’s leadership team.

Monday’s NESCSO-hosted conversation was a breath of fresh air in our COVID-19 work-from-home experience. Seeing familiar faces presenting from their home offices reminded me that, yes, we are truly all in this together—working remotely, and focused on how best to foster an efficient and effective Medicaid program for our state clients and members. Over the past several years I have written a “Reflections” blog, summarizing the week-long MESC event while flying home. Today, I am posting my reflections on the first forum NESCSO sponsored in lieu of their August conference that was cancelled this year due to the global pandemic. Following are my major takeaways.

The main speakers were Karen Shields, Deputy Director from the Center for Medicaid and CHIP Services, and Julie Boughn, Director, Data Systems Group also for the Center for Medicaid and CHIP Services. There were several other guests that joined in this two-hour forum, some from the Data Systems Group, and some from the states.

Crisis as a learning tool

Karen Shields reinforced that we will be better and stronger as a result of the crisis that faces us, and encouraged us to use the current crisis as a learning tool. She stressed the importance of how we are leveraging our creativity and innovation to keep moving forward. She said to start with the end in mind, be a team player, and keep in mind these three important points of focus for CMS:

  1. Share what works, share what doesn’t. Prioritize.
  2. Systems development needs to be agile. Partnership is critical. States need to be “elbow deep” with others. Everyone is allowed to speak. 
  3. Re-usability is key! Push back on those who say we cannot reuse.

During the Q&A session, Karen discussed how to maintain consistency by turning to action and using lessons learned. Resist the urge to “fall back.” Let’s keep moving forward. She underscored how they will continue the all-state calls as there are lots of topics and conversations needed to explore deficits of need. 

Support systems and policies

Julie Boughn opened by stressing what an important layer of support systems provide for policies. She said COVID is not a system issue—the systems supporting the approach to address the virus are working and are a big part of helping alleviate the issues the pandemic presents. She noted an appropriate quip that “Without systems, policies are just interesting ideas on pieces of paper.”

She underscored that healthcare and all that goes with supporting it is never static. The Medicaid arena is in a world of increasing change, requiring the supporting systems to adapt to make payments correctly and facilitate the provision of benefits to the right people. CMS has been focused on, and continues to bring our focus to outcomes, especially in the IT investments being made. Promote sharing and re-use of those investments.

During the Q&A, Julie reinforced the priority on outcomes and spoke to outcomes-based certification (OBC). There was a question on “What happens to modularity in the context of OBC?” She said that they are completely compatible and naturally modular, and to think about how a house can be built but not be completely done. Build the house in chunks of work, and know what you’re achieving with each “chunk”. Outcomes are behind everything we do.

Engage with your federal partners

In the next presentation, CMS modeled a dialogue that demonstrated how states can engage with their federal partners. CMS wants to continue changing the relationship they have with states. They also reminded the audience of what CMS is looking for; as Ed Dolly, the Director for the Division of State Systems within the Data and Systems Group said during the conversation, “Do you understand the problem trying to be solved?” Define your final outcome, and understand that incremental change drives value. In addition to communicating the problem, focus on speed of delivery (timeliness), and engage in back and forth exchange on what best measures can be used, as well as the abilities to capture the measures to report progress. The bottom line?  “When in doubt, reach out!”

The remainder of the forum featured representatives from the State System Technology Advisory Group (S-TAG), Private Sector Technology Group (PSTG), and Human Services Information Technology Advisory Group (HSITAG). They discussed a variety of IT topics.

Technology outlook

The S-TAG had representation from an impressive list of states—West Virginia, Washington, Wyoming, Vermont, and Massachusetts. They spoke to how they envision their technology response to changes in policy now and in the next 12-18 months. There was too much to present here, and I recommend reviewing the recording once NESCSO posts it. Initiatives included: Provider enrollment, electronic asset verification, electronic visit verification, integrated eligibility systems, modularity implementations, migration to the cloud, pharmacy systems, system integrator, certification, strategic planning, electronic data interchange upgrades, payment reform, road map activities, case management, care management, T-MSIS, and HITECH.

HSITAG spoke about the view across the health and human services spectrum—Where are we today? Where will we be tomorrow? COVID has tested our IT infrastructure and policy. Is there an ability to quickly scale up? Weaknesses in interoperability became exposed and while it seemed Medicaid was spared in the headlines, the need to modernize is now much more apparent. Modularity showed its value in more timely implementations. There is concern over an upcoming increase in the Medicaid population. Are we equipped for the short term?

For the long run, where we will be “tomorrow” in the 12-18 month view, there will be a bigger dependency on the interrelations between all programs. Medicaid Enterprise Systems can and should look at whole systems, focusing on social determinants of health. Data and program integrity will be key, given the increased potential of fraud in the midst of challenging state budgets. We will need to respond quickly with limited resources.

Keep relationships strong

PSTG spoke of how when COVID hit, it caused them, like the rest of us, to modify their goals. They spoke about relationships and the importance of maintaining them with clients and colleagues, questions of productivity, what things that we have learned will we carry into the post-pandemic era, will we remain flexible, and how will we “unwind” all the related changes that will not be carried forward. Looking forward, PSTG wants to support the growing of the outcomes-based culture, evolve the state self-assessment (currently an active workgroup), and how to be less prescriptive to allow for more flexibility on “how” vendors get to solutions.

I was grateful to be able to join this event, and hear that we are in this together—we will get through it and we will keep moving forward. I felt this was a good start to what I hope will be the first of many MESC 2020 forums. The session felt like it ended too quickly even though we covered a lot of ground. I am excited about the thought of hearing about new ideas, improving our understanding of upcoming changes CMS is sponsoring, and engaging in the innovative thought that will keep us moving toward a better tomorrow. Thanks to NESCSO for sponsoring this event and bringing us together.

Please contact our Medicaid Consulting team for more information or if you have any questions.

Article
MESC 2020: Where we are today and where we will be tomorrow

Read this if you are a Maine business or organization that has been affected by COVID-19. 

The State of Maine has released a $200 million Maine Economic Recovery Grant Program for companies and organizations affected by the COVID-19 pandemic. Here is a brief outline of the program from the state, and a list of eligibility requirements. 

“The State of Maine plans to use CARES Act relief funding to help our economy recover from the impacts of the global pandemic by supporting Maine-based businesses and non-profit organizations through an Economic Recovery Grant Program. The funding originates from the federal Coronavirus Relief Fund and will be awarded in the form of grants to directly alleviate the disruption of operations suffered by Maine’s small businesses and non-profits as a result of the COVID-19 pandemic. The Maine Department of Economic & Community Development has been working closely with affected Maine organizations since the beginning of this crisis and has gathered feedback from all sectors on the current challenges.”

Eligibility requirements for the program from the state

To qualify for a Maine Economic Recovery Grant your business/organization must: 

  • Demonstrate a need for financial relief based on lost revenues minus expenses incurred since March 1, 2020 due to COVID-19 impacts or related public health response; 
  • Employ a combined total of 50 or fewer employees and contract employees;
  • Have significant operations in Maine (business/organization headquartered in Maine or have a minimum of 50% of employees and contract employees based in Maine); 
  • Have been in operation for at least one year before August 1, 2020; 
  • Be in good standing with the Maine Department of Labor; 
  • Be current and in good standing with all Maine state payroll taxes, sales taxes, and state income taxes (as applicable) through July 31, 2020;
  • Not be in bankruptcy; 
  • Not have permanently ceased all operations; 
  • Be in consistent compliance and not be under any current or past enforcement action with COVID-19 Prevention Checklist Requirements; and 
  • Be a for-profit business or non-profit organization, except
    • Professional services 
    • 501(c)(4), 501(c)(6) organizations that lobby 
    • K-12 schools, including charter, public and private
    • Municipalities, municipal subdivisions, and other government agencies 
    • Assisted living and retirement communities 
    • Nursing homes
    • Foundations and charitable trusts 
    • Trade associations 
    • Credit unions
    • Insurance trusts
    • Scholarship funds and programs 
    • Gambling 
    • Adult entertainment 
    • Country clubs, golf clubs, other private clubs 
    • Cemetery trusts and associations 
    • Fraternal orders 
    • Hospitals, nursing facilities, institutions of higher education, and child care organizations (Alternate funding available through the Department of Education and Department of Health and Human Services for hospitals, nursing facilities, child care organizations, and institutions of higher education.)

For more information

If you feel you qualify, you can find more details and the application here. If you have questions about your eligibility, please contact us. We’re here to help. 

Article
$200 Million Maine Economic Recovery Grant Program released