By Gail Spielberger, CIPM
Privacy in the age of modern technology is a major concern for individuals and, moreover, is the focus of laws and regulations directed at organizations that use personal data. The fast-moving digital landscape has not only challenged current lawmakers, but has also resulted in an erosion of public trust in how data is used, stored, transmitted and protected. As organizations, including nonprofits, adopt new technologies, services and business operations, they must be proactive about their data policies and practices to assure individuals their personal data is safe, and likewise reduce the likelihood of data loss, unauthorized disclosure or misuse.
What is Privacy by Design?
Privacy by Design (PbD) is an approach that considers privacy concepts from the moment a product, service or business process is designed or planned, from inception to implementation. This means that products, services and applications must be designed and developed to protect privacy from the beginning rather than applied later as an afterthought.
Some privacy laws and regulations, such as the General Data Protection Regulation, legally require organizations to apply PbD principles as part of their organizational data practices. As part of these regulations, organizations may be required to provide evidence that they have implemented PbD. This documentation not only demonstrates compliance to regulators, but it also allows your organization to recognize potential privacy issues so risks can be identified and mitigated as projects move forward. Further, these privacy implementations will provide your enterprise with a framework to comply with privacy and data protection laws and regulations, and can strengthen your reputation while differentiating your organization from the competition.
What does this mean in practice?
There are seven PbD principles that serve as an overarching framework for organizations to insert privacy and data protection early, effectively and credibly into information technologies, services or business practices. The information below provides the foundation for your organization to implement PbD principles for new projects where personal data will be collected, used, processed or stored.
Proactive not Reactive; Preventive not Remedial
Anticipate and prevent privacy events before they occur by:
- Creating individual awareness and adoption at the highest levels of the organization, mandating and enforcing high standards as it relates to data protection.
- Promoting a culture of accountability.
- Establishing methodologies and processes to identify data protection risks to ensure they are remediated in a timely and systematic manner.
Privacy as the Default
Build privacy into systems and processes so that personal data is protected automatically, by default, with no additional action required by the individual. This principle can be achieved by:
- Collecting only the minimum amount of data actually needed for specific business purposes and destroying or anonymizing data once it is no longer necessary for those purposes.
- Ensuring personal data is used only for a specific defined purpose and not repurposed unless proper notification and/or consent is provided.
- Not using personal data without a legal basis or consent from the individual.
- Applying reasonable technical and organizational security measures to safeguard against unauthorized access, loss, destruction, modification or disclosure of data.
Privacy Embedded into Design
Integrate privacy into technologies, operations and information architectures to evaluate risks early in the ideation and design processes. Privacy should be embedded in the design and development process, not just considered after the fact. Consider:
- Adopting a systematic approach to embedding privacy in the design and development phases of each project, technology or business process.
- Systematically conducting Privacy Impact Assessments, Data Protection Impact Assessments and Vendor Risk Assessments to clearly identify and assess privacy risks.
- Measuring the risks and considering alternatives or mitigating actions.
Full Functionality – Positive-Sum, not Zero-Sum
Accommodate all business objectives, not just privacy goals, to achieve practical results and benefits for all parties and business units involved by:
- Embedding privacy in a way that does not impair the intended functionality, technical capability or business need.
- Carefully considering all requirements to achieve the optimal multi-functionality of each product.
End-to-End Security – Lifecycle Protection
Personal data needs to be protected throughout the entire information lifecycle from initial collection through destruction. Aim to collect, process, use, share, maintain and destroy personal data in a secure and timely fashion. Consider:
- Building protections for the secure destruction and disposal of personal data when it is no longer needed.
- Monitoring data transfers and ensuring appropriate safeguards and contractual arrangements are in place prior to doing business with third parties.
- Adopting appropriate access controls, encryption standards, data backups and continuous monitoring to ensure personal data remains accurate, with its integrity and availability intact.
Visibility and Transparency
Establish accountability and trust through transparency by informing individuals what data will be collected, how it will be used, and with whom it will be shared. Transparency is not just displaying what the organization does, but also bridging the gap between expectations and reality. To meet this principle, consider:
- Making privacy notices easily accessible and written in clear and simple terms in order to avoid overwhelming the reader with information.
- Mandating and enforcing privacy-related policies for employees and ensuring that vendors are evaluated to identify and mitigate risk in a timely manner.
- Keeping accurate records of data, how it is being used, with whom it is being shared, where it is stored, how long it is being stored and how the data will be destroyed when no longer necessary.
- Allowing individuals to access and correct their information.
Keep it User-Centric
Respect individual privacy and provide employees, customers and third parties with an effective privacy experience. This means providing them with clear choices about how and when your organization will communicate with them, as well as ways to opt out of having information shared with others and the right to have their data deleted. Consider the individual by:
- Obtaining consent to collect and use individual data in specific ways and allowing them the ability to modify or withdraw their consent if possible.
- Consciously designing products, systems and applications with the individual and their protection in mind.
- Limiting the amount of data your organization collects to reduce overall risk and liability for the individual and the organization alike.
As stated above, Privacy by Design is about examining how your organization uses personal data and what impact that use will have on individuals. By incorporating the aforementioned principles into your operations, your organization will be able to better: capture and mitigate risks, understand the data it possesses, demonstrate compliance to regulators and maintain respect for individual privacy.
This article originally appeared in BDO USA, LLP’s “Nonprofit Standard” newsletter (Summer 2021). Copyright © 2021 BDO USA, LLP. All rights reserved. www.bdo.com
By Michaela Kay, CPA
2020 was quite the year. While we started off with record highs in the stock market, by mid-March, we saw the fastest 30% decline in the S&P 500 in the history of the index. Since then, we have continued to see many ups and downs, but we still saw overall gains in the stock market.
What does this mean for your organization’s spending policy? Is it time for an update?
Most financial experts advise sticking to your plan during tumultuous financial times and embracing volatility, as it can be an organization’s best tool to beat inflation and maintain the spending power of invested funds.
However, the events of the past year have shed light on some reasons why an organization should consider updating its spending plan.
Here are a few examples of scenarios that might trigger a policy revision:
1. The investment fund is underwater.
Just as with your personal finances, an organization should not live paycheck to paycheck. If an organization has withdrawn all the income from an investment fund, it may want to consider revising the spending policy to decrease spending. It is healthy to have a cushion of accumulated earnings. That way, when future losses come, it will not be necessary to dip into the corpus in order to keep funding program services.
2. The spending policy doesn’t include a smoothing policy.
The most common type of smoothing policy is a simple moving average based on the average balance of the account over a specified period of time (often three years). This helps stabilize spending compared to a policy that focuses on fully spending the annual income or a fixed rate. It also helps to preserve the corpus in the long run.
3. The organization’s goals and needs have changed.
Depending on an organization’s mission, operations may have changed drastically in the past year. Some organizations, especially in arts and culture, have been shut down. Other organizations, especially those that serve basic needs, may have seen the biggest year in the organization’s history. All of these changes have likely led to shifts in financial needs. As a result, it may be necessary to adjust spending in order to use funds responsibly.
4. The organization received a financial windfall.
From time to time, organizations receive bequests or other large contributions. Often these gifts are hard to predict and come at unexpected times. While it is always tempting to spend money, executive management and the board should strongly consider the best use for the funds over the long term. If the contribution is invested, organizations may be able to support programs with very stable funding for years into the future.
Best Practices for Updating Your Organization’s Spending Policy
Investment committees should regularly review their organization’s investment and spending policies with help from a professional investment advisor. If organizations decide that it is time for a policy update, here are a few next steps:
1. Understand the organization’s needs.
When designing a new policy, it is best to start from the ground and work your way up. What are the organization’s needs? What is or is not working with the current policy? What is the primary goal for the investment fund? Don’t rush into a solution before carefully considering the needs and issues.
2. Seek professional guidance.
Even if the organization has board members or others within the organization with strong financial backgrounds, it may be helpful to seek guidance from a third-party investment advisor. An investment advisor, especially one with a strong background in serving nonprofit organizations, may be able to offer an alternative viewpoint or provide additional ideas about how to meet the organization’s objectives. An investment advisor may also be able to model investment and spending policies to give the organization a better idea of how these policies may play out in the future.
3. Start writing.
For any policy to be effective, it must be clear, consistent, specific and realistic. This will likely require several drafts and reviews from multiple people. When drafting, organizations should make sure to compare the new policy with other existing policies for consistency.
4. Seek approval from the board of directors.
Important policies, such as spending policies, should be approved by the board of directors prior to implementation. It’s important for organizations to document policy approval in the board of directors meeting minutes and save the policy in a place where it can easily be accessed.
That said, there is no one-size-fits-all spending policy or process to update policies. Each nonprofit is unique and has unique needs for its spending policy. Thus, organizations should consider their options carefully, seek advice and input from others and, if an update is needed, begin writing a new policy with their specific needs in mind.
This article originally appeared in BDO USA, LLP’s “Nonprofit Standard” newsletter (Summer 2021). Copyright © 2021 BDO USA, LLP. All rights reserved. www.bdo.com
By Mark Antalik
A data breach is one of the worst things that can happen to nonprofit organizations, their clients, donors and volunteers. When malicious perpetrators gain unauthorized access to financial information or other personal data, they can steal identities, exfiltrate intellectual property and cause reputational damage that will affect the organization for years to come.
Information sharing is fundamental to virtually every aspect of business. As an organization grows, information sharing grows along with it—with vendors, contractors, partners and customers. And every one of these relationships presents a new set of potential vulnerabilities.
Data breaches are increasing in frequency and can be potentially catastrophic to an organization; therefore, the need for data protection, as well as the way in which it is implemented, must be balanced thoughtfully against strategic and operational needs.
However, given that data breaches are virtually impossible to stop, it is imperative for organizations to build, maintain and follow a sound breach response program. To accomplish this, BDO developed a two-part series with step-by-step methodology to effectively respond to incidents and maintain a program that allows the organization to respond in the wake of crisis.
- Identify, Understand and Communicate – Processes to identify the potential threat, gain an understanding of the threat and its potential impact, and communicate with the appropriate agencies and other involved or impacted parties.
- Respond and Contain – Responses and efforts to contain or limit data breaches can have significant impacts on an organization’s ability to recover from the incident.
- Perpetuation – Preservation of evidence will assist in remediating the current breach and may aid in identifying future attempted breaches.
- Notification and Identity Monitoring – Through internal or third-party services, affected parties can be notified of any activity related to their personal information and efforts to remediate and reduce potential impact.
In this article we address the first series. We discuss identifying, understanding and communicating during a breach situation and how breaches should be managed. In the second series, we will elaborate on perpetuation through digital forensics, as well as outlining approaches to notification and identity monitoring. While it is impossible to eliminate all risk of a data breach, a well-designed program will minimize the negative impact on both short- and long-term business goals.
Identify, Understand and Communicate
There are numerous ways data breaches can occur. An organization’s data governance architecture is important for providing the most resilient defenses. When reviewing priorities of a network security program, one must understand that breaches can occur in the following formats:
- Criminal act by outsider (hacking; portable device theft; cloning; burglary)
- Technology failure (firewall or server compromise)
- Insider threat (theft; embezzlement; unauthorized disclosures; collusion; retaliation)
- Human error (lost mobile device; misdirected email or fax [yes…faxes are still in use]; improper configuration of security systems; improper trash disposal; failure to secure physical premises)
- Vendor error (misdirected data, packages or mail)
Given the interconnected nature of our business and personal environments, data breaches can be relatively simple for the persistent malicious perpetrator or discontented insider. Every computer, cellular device, networked system and unsecured Wi-Fi connection represents a potential point of entry.
Unfortunately, most organizations are unaware of how vulnerable they really are; some understand the threat landscape, but they may be focused on other revenue-generating areas of the business. IT professionals, with support from senior leadership, must understand that data breaches are responsible for $400 billion in global losses every year. The problem will only get worse, especially as individuals migrate more of their lives to online systems and resources.
Data breach threats are on the rise for organizations of all sizes and in all industries. Regulators, industry associations and the federal government have begun to act, issuing attestation guidelines and regulatory mandates surrounding organizational cybersecurity programs.
With concern growing among stakeholders, there is building pressure for organizations to prove they have effective controls in place. Organizations must be able to detect and mitigate data breaches that have the potential to disrupt business operations, damage their brand and cause significant financial losses.
Undertaking a comprehensive data protection and cyber risk assessment allows an organization to understand the current state of its program, identify potential gaps and risks and, ultimately, implement and operationalize an effective framework. At a minimum, risk assessments should evaluate:
- Application Security. Are your applications protected from outside threats?
- Data Protection. Do you know where your sensitive data is stored and how it is protected?
- Identity and Access Management. How well do you control who accesses your systems and data?
- Infrastructure Management. How well is your network protected?
- Event Management. Do you know what to do if there is a cyber breach?
- Vendor Management. What are the security practices of third-party vendors who have access to your systems and data?
- How aware is the employee population about their cyber responsibilities?
Respond and Contain
Having a plan to respond and contain a breach is a critical step in the breach preparation process. A well-planned response will provide explicit guidance for response resources, reduce emotional conflicts in tense breach situations and demonstrate to clients, donors and volunteers that organizations are in control of the situation and are concerned about protecting personal information.
Consider the following key data breach response-and-contain plan elements:
- Stay calm. The steps in dealing with a data breach are mostly common sense. A well-crafted data breach response plan helps avoid reckless decision-making.
- Assembling a team. Choose an organization spokesperson in advance such as the general counsel, chief executive officer or another senior leader. Identifying and training backup resources for each role is essential as well.
- Understanding of the law. Organizations are sometimes unaware that their public statements, including media appearances and communication with clients, donors and volunteers, may be admissible in court if a lawsuit is filed. Consulting with a privacy attorney and media relations expert can guide language and strategy while also helping to address regulatory and fiduciary responsibilities.
- Keep the risk within the organization. Organizations that have been breached can, in turn, unintentionally compromise other organizations by transmitting infected files or malware links. To prevent this, organizations should choose to spend resources and time to fully evaluate the risk and determine measures to reduce it. Measures to reduce risk may include soliciting the expertise of cybersecurity experts that can evaluate and address current and future risk levels for the organization.
- Deploying a cyber forensic team. A cyber forensic team will analyze the data breach and determine how the organization was breached, what areas of the enterprise were affected and what information may have been compromised. They can further investigate if the data breach was initiated by an insider, either unknowingly or by nefarious means.
- Involve legal counsel. Either internal or external counsel should be engaged for legal guidance and to maintain privilege through the breach response process. Assume that clients, donors, volunteers or other third parties may take legal action against the organization related to the data breach.
- For data breaches that require notification, a communications plan should include call center guidelines and training. The training might include the tone and message for responding to calls and how any frequently asked questions will be scripted. There will likely be additional notification obligations to regulators or other authorities where counsel and data privacy subject matter experts should be consulted.
- Communicate on all available channels. Use the organization’s corporate social media channels to frame the story rather than waiting for it to unfold in the media. The media may misinterpret or embellish facts, whereas the organization can control the narrative. Additionally, organizations should use plain language for these communications rather than potentially confusing technical and legal terminology to express what remediation efforts are being conducted to protect their information.
- Employee communications. Communicate with employees so they are aware of the data breach before they hear about it in the media. With knowledge of the breach, employees, with the appropriate approvals, can provide informed communications to their business contacts.
- Transfer risk to another entity. This is primarily done through obtaining insurance coverage that specifically addresses the impacts of a data breach. An insurance broker specializing in cyber risk, along with the expertise of forensic accounting and claims consultants experienced in measuring losses, is essential. Keep in mind that communications with insurance agencies do not typically fall under privilege. (See the Spring 2021 Issue of the Nonprofit Standard for an article on cybersecurity insurance.)
Even though customers and individuals are increasingly aware that organizations are at risk for data breach, a breach can be a real test of resiliency. Organizations must plan for a breach and be clear and transparent to clients, donors, volunteers and other third parties about what the organization is doing to protect data. Organizations who meet the crisis head on may even be able to emerge stronger, with a closer connection to their constituencies.
Stay tuned for a discussion of the Series Two topics.
This article originally appeared in BDO USA, LLP’s “Nonprofit Standard” newsletter (Summer 2021). Copyright © 2021 BDO USA, LLP. All rights reserved. www.bdo.com
By Matthew Cromwell, CPA
We find ourselves years into the implementation of Title 2 Code of Federal Regulations (CFR) 200 – Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). However, a few recurring matters continue to arise that lead to audit findings.
This article will discuss the following areas where we still see findings:
- Subrecipient monitoring
- Period of performance
Three areas where we see challenges on subrecipient monitoring are:
Vendor versus subrecipient analysis
In many instances, this line can be blurred depending on facts and circumstances. Depending on the final determination, different compliance requirements apply to vendors and subrecipients. CFR §200.331 considerations should be clearly documented for each entity engaged. Documentation of this analysis and the final determination should be retained by the organization.
CFR 200.332(b), Requirements for pass-through entities, states that an entity must evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward. The pre-award assessment is designed to determine what level of monitoring is required once the subaward is granted as well as determining risk level to the granting organization. Decisions made here determine if the subrecipient is awarded funds in advance or on a cost reimbursement basis, how often program and financial reports are required, or how many site visits or other monitoring actions are required. A granting organization cannot use a blanket pre-award assessment based on the expected amount of grant funding. To be clear, a $20,000 subaward will not receive the same significant level of assessment as a $1 million subaward. For example, grants to subrecipients of less than $20,000 cannot all be labeled as “low risk” just because of a dollar threshold. Risk assessments need to consider such factors as whether:
- Work is being completed in a high risk location
- First time working as a subgrantee for the organization
- Strong financial controls (and how assessed)
These decisions are all based on the pre-award assessment, and it is certainly not a one-size-fits-all analysis.
Just as the word implies, the purpose is to monitor subrecipients but entities must also determine if monitoring is uncovering issues (audit findings, lack of financial wherewithal, programmatic departures, etc.). Entities who make subawards need to ensure their monitoring process also ensures subrecipients are addressing and correcting issues identified. Oftentimes, as auditors, we see a file full of single audit reports or financial reports submitted by subrecipients, but nothing has been documented as to the review of these documents. Pass-through entities need to review these items to determine:
- What was done by subrecipients—were audit findings corrected?
- Were the financial reports with missing receipts or approvals addressed?
Especially in this COVID environment where in-person monitoring site visits have been rare, the threat of issues is especially high, so take a moment to revisit how you are monitoring from afar and considering reports, calls and other factors that just don’t “feel right.”
Equipment requirements were one of the Uniform Guidance areas where there was little change from prior requirements. However, CFR §200.313, Equipment continues to be a challenge for many organizations. A few points or a “check the box” if you will:
- Property records must be maintained. These should include description, serial number and source of funding for each piece of equipment purchased with federal funds.
- An inventory and reconciliation of each piece of equipment is required, at a minimum, every two years. The Office of Management and Budget (OMB) did not issue any waivers for this requirement even during COVID. Advance approval would have had to be obtained from the federal awarding agency regarding the inability to perform physical inventory counts as required.
- Property is to be kept in suitable working order and maintenance performed. For entities working in remote and/or difficult operating environments, repair/operating costs should be adequately budgeted.
- And finally, doing away with a “myth” that some organizations have in regard to equipment compliance testing. We get this question many times a year: If your current year federal expenditures do not include “material” equipment purchases in the current period under audit, the auditor doesn’t need to test, right? That is false. If you continue to hold property purchased with federal funds, and it has not yet been disposed of, the auditor is still required to test various provisions such as 1) inventory is performed at least biennially; and 2) any disposals, if material, have been disposed of in accordance with 200.313 – Equipment e) Disposition.
Period of Performance
An area we have seen regulators focusing on is the use of funds pre-award and costs incurred post award (often referred to as trailing or project closure costs). What is most likely the shortest compliance requirement in the OMB Compliance Supplement (it is literally one paragraph) is often one of the most difficult for organizations to comply with: how to fit all the costs into the actual grant agreement term, more commonly referred to as the “period of performance.” It takes significant coordination between all facets of an organization, the program team, the subgrant team and the administrative team to ensure all costs are incurred, including subgrantee costs, and reported correctly. Regulators have continued to raise points of emphasis and findings when identifying costs that occurred after the grant agreement term ends. Yes, they may provide no-cost extensions (see §200.308) for final report submissions. But the regulators have been clear: this does not allow for additional costs to be incurred, contrary to what was for many years seemingly a readily accepted industry practice.
In addition, the recent revisions to the Uniform Guidance have updated the definition of “period of performance” to be “the total estimated time interval between the start of an initial federal award and the planned end date, which may include one or more funded portions, or budget periods.” This change is effective for all contracts entered into after Nov. 30, 2020. Entities should stay tuned to see if OMB updates the period of performance audit objectives/procedures in the 2021 OMB Compliance Supplement.
SINGLE AUDIT SUBMISSION EXTENSION
The Office of Management and Budget (OMB) issued Memo M-20-21 (Memo) that instructs federal awarding agencies to allow recipients and subrecipients that have not yet filed their single audits with the Federal Audit Clearinghouse (FAC) as of Mar. 19, 2021 (the date of the Memo) with fiscal year ends through June 30, 2021, an extension to delay the completion and submission of their single audit reporting package for up to six months beyond the normal due date.
No action is needed by federal awarding agencies to enact this extension. Recipients and subrecipients do not need to obtain approval to utilize this extension. However, as with past extensions, recipients and subrecipients need to maintain documentation of the reason for the delayed filing.
Recipients and subrecipients who take advantage of this extension would still qualify as a “low-risk auditee” for their next year’s audit.
It is important to note that this new 6-month extension is longer than the 3-month extension included in the OMB Compliance Supplement Addendum (Addendum). In addition, this extension applies to all single audits. The prior extension noted in the Addendum was only available to those who received COVID-19 funds.
OMB Compliance Supplement Addendum
OMB issued the long awaited Addendum to the Compliance Supplement on Dec. 22, 2020. The Addendum includes information on certain COVID-19 stimulus funds including the Provider Relief Fund, Coronavirus Relief Fund and the Education Stabilization Fund.
FASB Approves Goodwill Alternative for Nonprofits
On Mar. 30, 2021 the Financial Accounting Standards Board (FASB) issued Accounting Standards Update (ASU) 2021-03, Intangibles – Goodwill and Other (Topic 350) Accounting Alternatives for Evaluating Triggering Events. This ASU makes a change to the accounting rules for nonprofits and private businesses that will help reduce the costs and complexity for accounting for goodwill.
Goodwill is often recorded when one entity purchases another entity for more than the value of the existing physical assets. Under the current accounting rules, entities must monitor and evaluate whether what is known as a triggering event may have occurred that could result in the value of the goodwill recorded being impaired.
Issues around identifying triggering events have become more apparent during the pandemic because of ongoing economic uncertainty.
For the majority of nonprofits and private companies this analysis is likely only performed annually at the date that the financial statements are prepared. The current accounting guidance that requires the assessment of a potential impairment as of the interim date creates difficulties for these entities.
This ASU will permit all nonprofits and private companies to utilize the option to perform the identification and evaluation of a triggering event for goodwill impairment as required by Accounting Standards Codification (ASC) 350-20 to be completed at either the end of a quarterly or annual period in line with their standard reporting periods. An entity that elects this alternative would not be required to monitor the goodwill impairment triggering event in interim periods but would instead evaluate the facts and circumstances as of year-end to determine whether it is more likely than not that goodwill is impaired.
The ASU is effective on a prospective basis for annual reporting periods beginning after Dec. 15, 2019. Early adoption is permitted for financial statements that have not yet been issued or made available for issuance.
This ASU is separate from a larger goodwill project that the FASB is working on, in which it is considering a requirement that entities write down a set portion of goodwill each year, instead of testing for potential impairment annually.
FASB Removal of Consolidation of a Not-for-Profit Entity by a For-Profit Sponsor from Technical Agenda
The FASB (the Board) decided to remove the project related to consolidation of a not-for-profit entity by a for-profit sponsor from its technical agenda. The Board’s research determined that this situation is not sufficiently pervasive to amend generally accepted accounting principles. The project was initially added to the agenda because based on initial research it was noted that there was diversity in practice and that for-profit sponsors predominantly do not consolidate sponsored not-for-profits in their financial statements.
Updates to IRS Mandatory E-filing Requirements for 2021
The IRS provided an update to mandatory e-filing requirements for 2021 in its Exempt Organizations (EO) Update. The updates noted are as follows:
- Tax year 2020 Forms 990-T and 4720 are being revised and will be available for e-filing in 2021.
- Transitional relief is available for Form 990-EZ for tax years ending before July 31, 2021.
- Forms 990 and 990-PF for tax years ending on and after July 31, 2020 must be filed electronically.
This article originally appeared in BDO USA, LLP’s “Nonprofit Standard” newsletter (Spring 2021). Copyright © 2021 BDO USA, LLP. All rights reserved. www.bdo.com
By Mark Millard
It’s 8 a.m. on Monday. You open the doors to the office, preoccupied with tasks for the week: grant applications that need review, donor phone calls to make, staff disagreements to manage, current program execution and strategy for the future. As you settle into your desk and turn on your computer, the startup screen displays a simple message: “Pay 100 Bitcoin to 123 account number in the next 12 hours or lose all of your data.” Panic sets in, your mind races, all thoughts from two minutes ago have disappeared. What do you do next?
These days, this type of scenario is all too common. Some make headlines, but most don’t and are dealt with quietly and quickly. The challenge with many nonprofits is they reside in a place of reaction when it comes to IT infrastructure, security and crisis management. Many nonprofits walk the tightrope of pressure to reduce administrative expenditures and improve programmatic spending. Often, donors look at operating percentages when choosing where they will make their gifts. This challenge creates difficulties in determining how much to spend on IT infrastructure and cybersecurity.
The exposure to cyber intrusion for a nonprofit is often not adequately understood and, as such, marginalized by thinking that because we do work for the “greater good,” the entity won’t be a target. Unfortunately, cybercrime focuses on the ease and reward of opportunity, thus making many nonprofits a perfect target. (See further discussion in the article on page 13.)
Before COVID, it was typical to find remote access driven by individual employees trying to find solutions to the work challenges and not organizationally driven by strategy. COVID and the exodus to a remote work environment have only exacerbated the issue. Many organizations have strung together technology solutions to meet the need for remote work. This rush to operationalize has been fraught with missteps and increased the risk for intrusion.
So what do you do with finite administrative dollars to spend? Do you spend the dollars on IT security and testing, training employees on proper cyber hygiene (e.g., “Don’t click on that link”), crisis management and business continuity planning, or insurance? The answer is all of the above, while strategically prioritizing where you can’t have everything on the shelf. Depending on your organization’s IT security maturity, the quickest and most reliable risk mitigation you can take will be insurance. When adequately structured, it will be your most crucial risk mitigation effort.
Cyber insurance has been one of the fastest-growing and evolving products in the insurance market during the past decade. News of the mega-breaches that readily come to everyone’s mind has driven this growth with many organizations recognizing the tremendous exposure to liability and business interruption resulting from a cyber intrusion. And what have we learned about cyber intrusions through the countless breaches we’ve read about over the years? They have many sources, are ever-evolving, impact organizations in different and unique ways and are challenging to stop, making a case for spending dollars on a cyber insurance policy that much more significant.
The problem we find with many organizations is their insurance approach and, more specifically, their cyber insurance approach. Insurance is often approached with a check-the-box mindset: buy it once a year, pay a premium, receive an insurance policy and promptly place it in the drawer. This approach is always problematic, but less so for certain insurance types, such as auto or workers’ compensation policies, than for others. Those policies have standard forms and definitions and decades of claims experience that provide a guide to what is and is not insured. Cyber insurance is the exact opposite. It is the new kid on the block that everyone is still figuring out.
The cyber insurance marketplace is a highly fractured space that lacks a standard definition set and coverage provisions. There are over 100 insurance companies that underwrite the product with common coverages but little standardization.
For cyber insurance, most start with a basic coverage form. However, that form’s value will depend on how well you understand your unique risk and negotiate the insurance policy’s appropriate coverage. We’ve encountered many clients who purchased cyber insurance, put it in the drawer, checked the box and moved on with their lives. Then the claim showed up. Surprise, coverage denied. The conversation from there is typical: “Denied?!? I bought insurance for this.” Yes, but you didn’t buy the right insurance. You didn’t understand your unique type and amount of risk, leading to the coverage gap. So what steps can you take to avoid this dreadful scenario and not spend precious funds doing so? Start by looking at the risk.
Broadly speaking, we bucket cyber risk into two categories: first-party and third-party losses. In other words, damage to your organization’s property and ability to conduct business (first-party), and injuries to others due to your negligence (third-party). When determining the type of cyber insurance needed, we begin with risk management 101: identify the risk.
Risk can originate from an insider (whether intentionally or not), criminal hackers, hacktivists or third-party compromise. To understand your threat areas, start with a simple whiteboarding session with the key stakeholders in your organization (CEO, chief financial officer, operations lead, IT, HR and others), and play through a few what-if scenarios to determine what would happen and the resulting operational and financial impact. Areas to focus on can include:
- Computer system damage and loss
- Data loss
- Business shutdown
- Fines and penalties
- Liability associated with data loss
- Reputational damage
- Theft of funds
It is essential to understand where these risks can stem from as insurance policies will have exclusions that limit coverage due to cause. For instance, an insurance policy might require that you provide all IT vendors’ names that offer your organization services. The simple error of omitting one vendor can void coverage should the loss result from their services. Next, you will want to assign value to your risk areas to determine exposure to one or multiple impacts. Consider:
- The cost to replace your computer systems if required due to system bricking (damaged beyond repair, making the device unusable) for the first-party loss.
- Would you need to spend money to recreate data?
- Would you be subject to a business interruption where revenue generation would be reduced or ceased?
- Would you incur extra expenses to have temporary fixes or accelerate your recovery?
- How many personally identifiable information (PII) or protected health information (PHI) records do you maintain and what is the potential liability for losing these records?
As more and more entities are moving data to cloud storage, do not believe that this relieves you of liability exposure. In these instances, assessing risk transfer and protection through your contractual agreements will be important in addition to the protections you might take with insurance. Once you’ve built an understanding of individual risks and their value, you are ready to consider the type and amount of insurance to purchase.
Here is the good news. Cyber insurance options are plentiful, with broad coverage and reasonable prices compared to its early years. Obtaining a base cyber insurance policy for $1 million in limits can often be done for minimal cost. When purchasing cyber insurance, it will be critical to have a partner who understands the insurance coverage. To further make this point, consider a recent advertisement from an insurer for NFP cyber insurance that provided a listing of the policy coverages: privacy liability for release of PII or other corporate confidential data, network security liability, media liability and breach response costs. At first glance, this might look great. The policy will cover the third-party liability aspects. Also, it has coverage for breach response costs, which we will explore in a moment. But what is missing? There is limited first-party coverage and no coverage for system damage resulting from the breach. Given the check-the-box insurance approach discussed earlier, these insurance policies’ deficiencies often go unnoticed until a claim arises.
So what should you look out for in a well-structured cyber insurance policy?
- Privacy liability – coverage for damages associated with the release of personal information
- Network security liability – coverage for failure to prevent an attack against your network
- Media liability – coverage for liability associated with content you create and distribute
- Breach response costs – coverage for direct costs associated with a breach (This can include credit monitoring, forensic and remediation services, and public relations costs.)
- Property damage directly resulting from the breach – coverage for replacement and repair of systems damaged from the breach
- Income loss, extra expense and dependent business income – coverage that protects against lost revenue due to a service disruption or network outage
- Data recovery – coverage for costs associated with recreating data lost or stolen
- Extortion – coverage for payment for a demand placed by the cybercriminal
- System failure – coverage for unintentional outage resulting from an error
- Regulatory fines and penalties – coverage for payment of fines assessed by a governing body associated with a breach
In addition to these coverages, cyber insurance policies have evolved to provide liquidity relief and a service tool with crisis management, breach response and even some systems diagnostic services. Many cyber insurance policies offer a specific panel of specialists on call and available for the insured’s use in a breach. For the nonprofit community, these additional services can be worth as much as the insurance policy’s liquidity relief.
So as you look to spend your finite administrative dollars, a key part of your cyber risk mitigation strategy should focus on the purchase of a cyber insurance policy. When properly structured, it is the one protection you can count on when all other security measures put in place fail.
This article originally appeared in BDO USA, LLP’s “Nonprofit Standard” newsletter (Spring 2021). Copyright © 2021 BDO USA, LLP. All rights reserved. www.bdo.com
By Amy Guerra, CPA
New aid provided by federal agencies in response to the COVID-19 pandemic can impact the presentation of your organization’s Schedule of Expenditures of Federal Awards (SEFA), Notes to the SEFA, and Federal Audit Clearinghouse Data Collection Form (DCF). As you prepare for your audit, it is important to understand the funding you received and identify the COVID-19 related funds separately on the SEFA provided to the auditors to support an effective audit.
Various federal programs provided new aid in response to the COVID-19 pandemic. Certain funds are subject to single audit, which requires recipients to prepare an SEFA. Federal agencies may have incorporated COVID-19 funding into an existing program and CFDA number or established a new COVID-19 program with a unique CFDA number. Federal agencies are required to specifically identify COVID-19 awards, regardless of whether the funding was incorporated into an existing program or a new program.
If an entity receives COVID-19 funds and makes subawards, the information furnished to the subrecipients should distinguish the subawards of incremental COVID-19 funds from non-COVID-19 subawards existing under the program.
All COVID-19 funding is required to be identified as such per Appendix VII of the OMB 2020 Compliance Supplement (Supplement). To maximize the transparency and accountability of COVID-19 related award expenditures, non-federal entities should separately identify COVID-19 expenditures on the SEFA by presenting this funding on a separate line by CFDA number with “COVID-19” as a prefix to the program name. The following is an example of such presentation based on the OMB 2020 Compliance Supplement Appendix VII.
In addition to separately identifying COVID-19 expenditures on the SEFA, there are new disclosures related to COVID-19 assistance that need to be incorporated in the notes to the SEFA. Federal sources may have donated personal protective equipment (PPE) to an organization for the COVID-19 response. Nonfederal entities that received this donated PPE should provide the fair market value at the time of receipt as a stand-alone footnote accompanying their SEFA. As the donated PPE does not impact the single audit, the stand-alone footnote may be marked as “unaudited.” PPE that is purchased using federal funds provided to the entity should be reported as federal expenditures.
The amount of donated PPE should not be counted for purposes of assessing whether your organization is over the $750,000 threshold of federal expenditures used to determine if a single audit is required. Donated PPE would also not count toward the Type A and Type B threshold for major program determination.
If a nonprofit organization is subject to single audit, it also requires a DCF submission to the Federal Audit Clearinghouse. At this time the instructions to the DCF have not been amended but entities should follow the OMB Compliance Supplement guidance to show the COVID-19 programs separately. The OMB Compliance Supplement recommends that the COVID funds should be entered on a separate row by CFDA number with “COVID-19” in the “Additional Award Identification” column. See example below:
As you prepare your internal SEFA be sure to follow this guidance.
This article originally appeared in BDO USA, LLP’s “Nonprofit Standard” newsletter (Spring 2021). Copyright © 2021 BDO USA, LLP. All rights reserved. www.bdo.com
By Marc Berger, CPA, JD, LLM
On Dec. 2, 2020 the U.S. Treasury and IRS published final regulations under Internal Revenue Code (IRC or Code) Section 512(a)(6), the provision requiring tax-exempt organizations with more than one unrelated trade or business to calculate unrelated business taxable income (UBTI) separately with respect to each trade or business. The provision, which was added to the Code by the 2017 tax law often referred to as the Tax Cuts and Jobs Act (TCJA), is known as the UBI “Silo” provision. The final regulations provide guidance on how an exempt organization determines if it has more than one unrelated trade or business and, if so, how the organization calculates UBTI under Section 512(a)(6).
The final regulations generally follow the approach taken in the proposed regulations (issued in April 2020), while making a few modifications based on comments received from tax-exempt organizations and practitioners.
Identifying Separate Unrelated Trades or Businesses
Similar to the proposed regulations, most unrelated business activities must be classified using the first two digits of the North American Industry Classification System (NAICS) code that most accurately describes the trade or business. The IRS considered one commenter’s view that the NAICS 2-digit codes be used as a safe harbor and that a facts and circumstances test be applied as the primary method of identifying separate unrelated trades or businesses. In rejecting that suggested change the IRS noted that adopting a facts and circumstances test would offer exempt organizations less certainty and likely result in inconsistency among exempt organizations conducting more than one unrelated trade or business because of differing approaches exempt organizations would take in applying such a test. It further stated that a facts and circumstances test would increase the administrative burden on the IRS which, upon examination, must perform the same fact-intensive analysis on each of the unrelated trades or businesses identified by the exempt organization.
In clarifying how an exempt organization should choose an NAICS 2-digit code, the IRS reiterated that the choice of the code must focus on the separate unrelated trade or business activity engaged in, and not the NAICS 2-digit code that describes the activities the conduct of which are substantially related to the exercise or performance of the organization’s exempt purpose or function. For example, a college or university exempt under Section 501(c)(3) cannot use the NAICS 2-digit code for educational services to identify all of its separate unrelated trades or businesses.
One area in which the final regulations differ from the proposed regulations concerns the ability to change an NAICS 2-digit code once it has been selected and reported on Form 990-T. The proposed regulations generally provided that, once an organization has identified a separate unrelated trade or business using a particular NAICS 2-digit code, the organization cannot change the NAICS 2-digit code describing that separate unrelated trade or business unless two requirements are met. First, the exempt organization must show that the NAICS 2-digit code chosen was due to an unintentional error. Second, the exempt organization must show that another NAICS 2-digit code more accurately describes the unrelated trade or business. In response to numerous comments on this issue, the final regulations remove the restriction requirements for changing NAICS 2-digit code(s). Instead, the final regulations require an exempt organization that changes the identification of a separate unrelated trade or business to report the change in the taxable year of the change in accordance with forms and instructions. To report the change, the final regulations require an organization to provide certain information with respect to each separate unrelated trade or business the identification of which changes: (1) the identification of the separate unrelated trade or business in the previous taxable year, (2) the identification of the separate unrelated trade or business in the current taxable year, and (3) the reason for the change. The IRS anticipates that the instructions to the Form 990-T will be revised to provide instructions regarding where and how changes in identification are reported.
Activities Deemed Separate Trades or Businesses
As provided under the proposed regulations, certain activities are treated as separate trades or businesses under the final regulations.
The proposed regulations provided an exclusive list of an exempt organization’s investment activities that may be treated as a separate unrelated trade or business for purposes of section 512(a)(6). Under the proposed regulations, for most exempt organizations, such investment activities are limited to: (i) qualifying partnership interests; (ii) qualifying S corporation interests; and (iii) debt-financed properties. Although commenters recommended modifications to the rules regarding the individual items included in this list, no commenters objected to the treatment of these items as investment activities. The final regulations adopt this list of investment activities without change.
Similar to the proposed regulations, the final regulations permit the aggregation of qualifying partnership interests (QPIs) into one separate unrelated trade or business in order to reduce the administrative burden of obtaining information from the partnership regarding its underlying trade or business activities where its percentage interest level indicates that the exempt organization does not significantly participate in the partnership. QPIs are generally defined as partnership interests that meet one of two tests: (1) A de minimis test, which the exempt organization satisfies if it holds directly or indirectly no more than 2% of the profits interest and no more than 2% of the capital interest of the partnership; or (2) A participation test (formerly known as the “control test” under the proposed regulations), which the exempt organization satisfies if it holds directly or indirectly no more than 20% of the capital interest and does not “significantly participate in” (formerly “control”) the partnership.
As modified by the final regulations, an exempt organization significantly participates in a partnership if:
- The exempt organization, by itself, may require the partnership to perform, or prevent the partnership from performing (other than through a unanimous voting requirement or through minority consent rights), any act that significantly affects the operations of the partnership;
- Any of the exempt organization’s officers, directors, trustees, or employees have rights to participate in the management of the partnership at any time;
- Any of the organization’s officers, directors, trustees, or employees have rights to conduct the partnership’s business at any time; or
- The organization, by itself, has the power to appoint or remove any of the partnership’s officers or employees or a majority of directors.
Similar to the proposed regulations, the final regulations require the interests of certain supporting organizations and controlled entities to be combined with those of the exempt organization in determining whether the organization’s interest crosses the participation test’s 20% threshold. One difference, however, is that the final regulations do not require an organization to combine the interests of a Type III supporting organization unless that supporting organization is the organization’s parent.
In making the determination whether an exempt organization’s interest in a partnership meets one of the two tests to be a QPI, the final regulations follow the rule in the proposed regulations that an exempt organization’s percentage interest is determined by averaging the organization’s percentage interest at the beginning of the partnership’s tax year with its percentage interest at the end of that same partnership tax year. The final regulations, however, now provide a grace period when a change in an organization’s percentage interest is due entirely to the actions of other partners. Under the grace period, a partnership interest that fails to meet the requirements of either test because of an increase in the current year’s percentage interest may be treated as meeting the requirements of the de minimis test or the participation test that it met in the prior year for the taxable year of the change if: (1) the partnership interest met the requirements of the de minimis test or the participation test in the organization’s prior taxable year without application of the grace period; (2) the increase in percentage interest is due to the actions of one or more partners other than the exempt organization; and (3) in the case where a partnership interest met the participation test in the prior taxable year, the interest of the partner or partners that caused the increase in the current year was not one that was combined with the exempt organization’s interest as described in the preceding paragraph in either the prior or current year.
With respect to qualifying S corporation interests (QSIs), the final regulations clarify that the exempt organization can rely on the Schedule K-1 (Form 1120-S) that it received from the S corporation if the form lists information sufficient to determine the organization’s percentage of stock ownership for the year. For example, a Schedule K-1 that reports “zero” as the organization’s percentage interest in the S corporation is not sufficient to determine the organization’s percentage of stock ownership for the year. The IRS is considering whether revision of Schedule K-1 is needed to provide the information necessary to determine whether an S corporation interest is a QSI.
With respect to debt-financed income, several commenters suggested that this income should be reportable using an NAICS 2-digit code instead of as an investment activity. The final regulations rejected this suggestion and adopted the proposed regulations’ treatment as a separate investment activity.
Finally, the transition rule included in both IRS Notice 2018-67 and the proposed regulations, which permitted an organization to treat any partnership interest acquired prior to Aug. 21, 2018 as a single trade or business activity, will lapse as of the first day of the organization’s taxable year following the issuance of final regulations. Despite receiving several comments asking the Treasury Department and the IRS to adopt the transition rule as a grandfather rule, it was not so adopted in the final regulations.
Payments from Controlled Entities
Similar to the proposed regulations, all “specified payments” (i.e., interest, rents, royalties and annuity payments per Code Sec. 512(b)(13)) received by a controlling tax-exempt organization from an entity it controls (i.e., more than 50 percent controlled by the organization) are treated as gross income from a separate unrelated trade or business. Moreover, if a controlling organization receives specified payments from two different controlled entities, the payments from each controlled entity would be treated as a separate unrelated trade or business.
Certain Amounts from Controlled Foreign Corporations (CFCs)
Similar to the proposed regulations, amounts included in UBTI under Section 512(b)(17) are treated as income derived from a single separate unrelated trade or business.
Other Items of Note
Allocation of Expenses – Pending the publication of further guidance in a separate notice of proposed rulemaking, the final regulations continue to provide that an exempt organization with more than one unrelated trade or business must allocate deductions between separate unrelated trades or businesses using the reasonable basis standard described in Treas. Reg. Section 1.512(a)-1(c).
Net Operating Losses (NOLs) – Under Section 512(a)(6), NOLs arising in a tax year beginning before Jan. 1, 2018 (“pre‑2018 NOLs”) may be taken against aggregate or total UBTI, while NOLs arising in a tax year beginning after Dec. 31, 2017 (“post‑2017 NOLs”) may only be taken against UBTI from the same trade or business from which the post-2017 NOL arose. The final regulations require an organization with both pre-2018 NOLs and post-2017 NOLs to first deduct its pre-2018 NOLs from its total UBTI before deducting any post-2017 NOLs from the UBTI of the separate trade or business that gave rise to the NOL. The final regulations further provide that if a trade or business is terminated, sold, exchanged or disposed of, any NOLs remaining after offsetting any gain on the sale or disposition are suspended. Suspended NOLs may only be used if the previous business is later resumed or if a new business using the same NAICS 2-digit code is commenced or acquired. For this purpose, a business is considered “terminated” if the appropriate identification of the business changes from one NAICS code to a different NAICS code.
Charitable Contributions – Under Section 512(b)(10), tax-exempt corporations can take charitable contribution deductions under Section 170 up to 10% of UBTI (tax-exempt trusts look to Section 512(b)(11) for their percentage limitations). The final regulations provide that in applying these percentage limitations, exempt organizations would use total UBTI computed pursuant to Section 512(a)(6) and would not allocate the charitable contribution deduction among silos.
Public Support Tests – The final regulations address the fact that the calculation of public support on Form 990, Schedule A could be negatively impacted by the treatment of UBTI under the new silo rules. To address this issue, the final regulations allow exempt organizations to calculate public support tests using either UBTI as computed under Section 512(a)(6) or UBI calculated in the aggregate, whichever is least administratively burdensome or provides the highest ratio for the organization.
Subpart F and Global Intangible Low-Taxed Income – Similar to the proposed regulations, the final regulations clarify that inclusions of Subpart F income under Section 951(a)(1)(A) and global intangible low-taxed income (GILTI) under Section 951A(a) are treated in the same manner as dividends for purposes of Section 512(b)(1).
The final regulations are applicable to tax years beginning on or after Dec. 2, 2020 (date of publication in the Federal Register). For virtually all exempt organizations this means their 2021 tax years. Organizations should consult with their tax advisors to ensure the identification of any and all of their separate unrelated trades or businesses, especially those organizations with significant investment activities.
By Lee Klumpp, CPA, CGMA
In 2016, the Financial Accounting Standards Board (FASB) updated its lease accounting rules (ASC 842) and closed a diversity in practice in the previous standard. The major change is that organizations must now include lease assets and liabilities on their balance sheets. The upshot is that despite a recently granted extension that applies to private companies and nonprofits, the task of becoming compliant is urgent and challenging. Impacted nonprofits don’t have a moment to spare.
Under the previous standards, operating leases were off-balance sheet. That essentially allowed companies to omit certain lease assets and liabilities from their balance sheets, potentially skewing their debt-to-equity ratio. In 2016, the International Accounting Standards Board estimated that public companies using either the International Financial Reporting Standards or accounting principles generally accepted in the United States of America (U.S. GAAP) had around $3.3 trillion of lease commitments, 85% of which were not recorded on their balance sheets. This, of course, makes it difficult for shareholders (stakeholders), investors and lenders to get a true sense of an organization’s financial health. Under the previous ASC 840 standard, operating leases were only required to be disclosed in the footnotes of the financial statements. Under ASC 842, the only leases that may be omitted from financial statements are short-term leases with an original term of fewer than 12 months. ASC 842 increases transparency and comparability among organizations that enter into lease agreements and provides a clearer picture of an organization’s liabilities related to leasing obligations. ASC 842 also includes extensive disclosures intended to enable users of financial statements to understand the amount, timing and judgment related to an entity’s accounting for leases and the related cash flows as well as disclosure of both qualitative and quantitative information about leases.
But what it also does is implement a one-size-fits-all accounting standard that significantly increases the reporting burden on smaller, nonpublic companies, including nonprofits. Implementation will involve significant challenges and require major investments in time, money and other resources. Fortunately, at its Oct. 16, 2019 meeting, FASB affirmed its decisions on two proposed Accounting Standards Updates (ASUs) – one of which extended the implementation deadline for the new standards on leases that were not yet effective for private companies and nonprofits to the first fiscal year after Dec. 15, 2020, instead of Dec. 15, 2019, as originally mandated.
Subsequently, in June 2020 the FASB decided to provide near-term relief for the adoption of the leasing standards based on feedback from stakeholders regarding challenges with the adoption as a result of the current business and capital disruptions caused by the coronavirus (COVID-19) pandemic. The FASB therefore issued ASU 2020-05, which provides an additional one-year deferral of the effective date of the leasing standards. As a result, the leasing standards will now be effective for private companies and private nonprofits for fiscal years beginning after Dec. 15, 2021. Public nonprofits that had not issued their statements as of June 3, 2020, can also opt to defer adoption until fiscal years beginning after Dec. 15, 2019. This is an elective deferral, so entities can still choose early adoption if they wish.
This is good news for nonprofits, which now have extra time to implement these changes. However, it should also serve as a wake-up call, as many organizations weren’t even aware of the change and the need to become compliant. Even within this updated timeline, ensuring compliance will be a significant effort.
Nonprofits face multiple significant implementation challenges such as:
- The number of business arrangements that were previously not identified as leases may now be identified as meeting the definition of a lease or embedded lease
- Existing systems and processes may need to be modified or enhanced in order to provide information necessary to address the new reporting and disclosure requirements
- Multiple departments across the organization will be affected by this standard, including information technology (IT), tax, legal, treasury, and financial planning and analysis, among others
- Ongoing efforts to remain compliant might be more significant than the initial implementation effort
It’s clear that complying with ASC 842 is a time-consuming process. Organizations should develop an implementation timeline keeping several factors top of mind, including existing lease commitments, data governance maturity and cross-function coordination needs.
To get started, organizations should first learn one of the key lessons from public companies that have already gone through this process: The standard requires the collection of significant data from every lease and business arrangement that could contain an embedded lease that exists on, or will exist after, the effective date. Analyzing leases and business arrangements to identify and extract those details for inclusion in the organization’s financial reports requires substantial time and resources. It is crucial to identify the full population of leases upon adoption of ASC 842.
Nonprofits should also consider adopting the following best practices:
Solicit the involvement of the entire organization: Although the implementation of ASC 842 is primarily the responsibility of the organization’s accounting department, successful implementation requires support from across the entity, especially when an organization has a large real estate portfolio or embedded leases. This may mean seeking assistance from IT, legal or procurement departments. Soliciting executive sponsorship to champion implementation will also help to streamline the process.
Use technology to your advantage: Under the stress of deadlines, the compilation of lease terms and data can be daunting, especially within larger nonprofits where leases may exist across departments – and possibly internationally if the organization has international operations. For organizations that have developed a robust data governance program or specific procedures to collect and manage enterprise data, implementation should be considerably easier. However, for the many organizations that have yet to build out these structures, there are off-the-shelf and purpose-built technology solutions that can help standardize and aggregate the information.
Keep an open line of communication: Organizations that maintain a large physical footprint are impacted the most. They should factor in extra time for both implementation and keeping stakeholders informed. Unexpected roadblocks, such as a delay in receiving necessary data from external sources, should also be accounted for in the timeline. Benchmarking the organization’s progress on implementation against its timeline throughout the process is paramount in keeping on task and meeting goals.
The bottom line is that even with the extension, it will take a concerted effort to become compliant in time. Nonprofits need to start the implementation process now.
Adapted from article in the Nonprofit Standard blog.
By Jibran Hussain, Andrew Tobel, J.D., CIPP/US, and Derrick King, CIPP/US
In this highly interconnected, digitized global economy, cross-border data flows are imperative in maintaining and enhancing strong ties between countries. On July 16, 2020, a pivotal component of European Union (EU)–United States (U.S.) data transfers, the EU-US Privacy Shield Framework (Privacy Shield), was declared invalid by the Court of Justice of the European Union (CJEU) with immediate effect. According to the CJEU, EU data transfers to the U.S. under the Privacy Shield arrangement are not safeguarded in a manner that is consistent with EU data privacy standards due to U.S. government surveillance programs.
GDPR Applicability Background
Any nonprofit that collects or processes any information relating directly or indirectly to identifiable individuals, in connection with the offer of goods and/or services or monitoring of EU residents, is subject to the General Data Protection Regulation (GDPR). This could include the collecting or processing of EU members’, benefactors’, grantees’, grantors’, or trustees’ Personal Data. Per the GDPR, Personal Data are any data related to an identified or identifiable natural individual. Examples of Personal Data are first and last names, home address, Internet Protocol (IP) address, cookie identifiers and credit card numbers.
Nonprofits are not exempt from the GDPR, especially if they hold seminars or meetings in the EU, and/or monitor the online behavior of EU residents who visit their website, and/or maintain records on EU residents. Moreover, nonprofit activities that may also be in scope include the processing of Personal Data of volunteers, employees, donors, beneficiaries or fundraising activities. For example, if a U.S. nonprofit organization is aiding Yemeni refugees based in Germany – it would be required to comply with the GDPR as it is engaging in data processing activities pertaining to individuals in the EU. Lastly, the submission of grant reports to agencies or submission of accounting transactions from foreign office locations to U.S. home offices which include EU Personal Data may also have GDPR implications.
The CJEU’s decision is a major setback as it removes a commonly used method for transferring Personal Data from the EU to the U.S., i.e., the Privacy Shield. The Privacy Shield was administered by the Federal Trade Commission (FTC); however, 501(c)(3)s and other nonprofits are not typically under the jurisdiction of the FTC and therefore likely could not participate in the Privacy Shield. Nonetheless, nonprofit organizations should be put on notice that transfer mechanisms are a requirement under the GDPR and subject to strict scrutiny by the courts. There are other data transfer mechanisms available should nonprofit organizations engage in EU-U.S. data transfers:
- Standard Contractual Clauses
- Binding Corporate Rules
- Adequacy Decisions
- Derogations for Specific Circumstances
- Certification Mechanism
Permissible Data Transfer Mechanisms
The GDPR permits EU data transfers to non-EU countries which are deemed by the EU Commission to provide an “adequate” level of data protection standards. However, if there is no “adequacy decision,” organizations can utilize other data transfer mechanisms such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and Derogations for specific circumstances. Crucially, the CJEU upheld the validity of SCCs, but stated there must be supplemental measures and additional data protection safeguards in place with special attention to access by judicial and administrative authorities. In particular, SCCs should include sufficient data protection safeguard provisions when organizations engage in EU-U.S. data transfers. As a result, organizations should reassess their SCC provisions by:
- Reviewing the types of EU Personal Data subject to transfer and whether there is a risk of subpoenas by U.S. National Security agencies;
- Assessing if the transfer of EU Personal Data is necessary and, if not, reducing the scope of the data transfer;
- Including strong provisions that outline strong data retention practices (e.g., immediate deletion of EU Personal Data if no longer required);
- Implementing strong encryption to protect EU Personal Data.
Additionally, BCRs are also a permissible data transfer mechanism that require similar SCC data protection safeguard provisions but require the approval of EU supervisory authorities. While this can take several months for approval, BCRs are more flexible for organizations as they result in less administrative burden once they are implemented. However, they can be a costly and lengthy process to implement.
On the contrary, under Article 49 of the GDPR, if a nonprofit organization has exhausted the data transfer options including BCRs or SCCs, a data transfer can still take place for a limited number of data subjects under Derogations for specific circumstances:
- The data controller has assessed and provided sufficient safeguards pertaining to the protection of Personal Data of data subjects;
- The data subject has consented to the data transfer after being informed of the risks associated with the data transfer due to the absence of an adequacy decision or of sufficient data transfer safeguards;
- The data transfer is required for the performance of a contract between the data subject and the controller;
- The data transfer is required for public interest reasons;
- The data transfer is required to protect the vital interests of a data subject.
Nonprofit organizations, as the data controller, should inform the applicable data protection authority of the data transfer and subsequently inform the data subject.
Nonprofit organizations that fail to comply may risk fines by Data Protection Authorities (DPAs). As a Belgian nonprofit organization recently discovered, DPAs certainly have the appetite to punish organizations that fail to comply with data transfer requirements. The Belgian nonprofit organization was fined €1000 by the Belgian DPA, as it utilized a complainant’s Personal Data for direct marketing purposes and did not have a valid legal basis for processing the complainant’s Personal Data—which is a breach under the GDPR.
Given the CJEU’s ruling on Privacy Shield, U.S. nonprofit organizations engaging in cross-border data transfers can be under greater scrutiny by the EU Commission and will be subject to regulatory fines and reputational loss for violations. However, by bolstering or implementing the aforementioned data transfer mechanisms, nonprofit organizations will be better equipped to navigate and adapt to the evolving data privacy requirements, primarily EU data transfers.
By Tammy Ricciardella, CPA
On Sept. 17, the Financial Accounting Standards Board (FASB) issued Accounting Standards Update (ASU), 2020-07, Presentation and Disclosures by Not-for-Profit Entities for Contributed Nonfinancial Assets. This ASU is intended to increase transparency on how contributed nonfinancial assets (also referred to as gifts-in-kind) received by nonprofits are to be used and how they are valued.
The ASU was issued to address stakeholder concerns about how nonprofit entities report contributed nonfinancial assets. Stakeholders expressed a need for additional transparency surrounding the amount of contributed nonfinancial assets and how they are used in a nonprofit’s programs and activities. Others noted the need for clarity in how these contributed nonfinancial assets were valued.
Though the update does not change the current recognition and measurement requirements in generally accepted accounting principles (GAAP), which is included in Accounting Standards Codification (ASC) 958-605, Revenue Recognition, the ASU is intended to improve current GAAP through enhancements to presentation and disclosures of contributed nonfinancial assets.
The scope of the ASU is limited to gifts of nonfinancial assets. The term nonfinancial assets includes fixed assets such as land, buildings and equipment; the use of fixed assets or utilities, materials and supplies such as food, clothing or pharmaceuticals; intangible assets; recognized contributed services; and unconditional promises of those assets. Many nonprofit organizations rely on these contributions to conduct their programs and mission-related activities.
The ASU requires that a nonprofit present contributed nonfinancial assets as a separate line item in the statement of activities apart from contributions of cash or other financial assets.
The ASU requires the following information be disclosed related to the contributed nonfinancial assets:
- The contributed nonfinancial assets recognized in the statement of activities disaggregated by categories that depict the type of contributed nonfinancial assets.
- Each category of contributed nonfinancial assets recognized as noted above should disclose the following:
  - Qualitative information about whether the contributed nonfinancial assets were either monetized or utilized during the reporting period.
    - If utilized, a description of the programs or other activities in which those assets were used.
  - The nonprofit’s policy (if any) about monetizing rather than utilizing contributed nonfinancial assets.
  - A description of any donor restrictions associated with the contributed nonfinancial assets. An example of this would be if an entity received contributed pharmaceuticals, and the donor restricted these for use outside of the United States.
  - The valuation techniques and inputs used to arrive at a fair value measure in accordance with the requirements in ASC 820, Fair Value Measurements, at initial recognition.
  - The principal market (or most advantageous market) used to arrive at a fair value measure if it is a market in which the recipient nonprofit is prohibited by a donor-imposed restriction from selling or using the contributed nonfinancial assets.
The amendments in the ASU should be applied on a retrospective basis and are effective for annual reporting periods beginning after June 15, 2021. Early adoption of the ASU is permitted.
Reprinted from the Nonprofit Standard blog.
By Michael Conover
“Are we paying our executives appropriately?” I am frequently asked this question by board members and these questions have become even more frequent in the current COVID-19 environment. Amidst all the uncertainty, the question seems more relevant than ever. Whether it is an organization taking its first formal look at executive pay, a new board member serving on a compensation committee or a question raised following our presentation of an annual compensation “checkup,” it is a key question that every board should be able to confidently answer. Regardless of the type of nonprofit organization, there is an expectation (and IRS regulations!) that board members must be good stewards of the organization’s assets. This is especially true regarding the most highly compensated members of management.
Board members are specifically charged with responsibility for managing the pay for top executives, but many have little to no experience with the subject. Those individuals with some compensation experience with other organizations frequently have little to no experience directly related to the nonprofit board on which they serve. This is likely the explanation for the prevalence of the “Are we paying our executives appropriately?” question.
It is a good question. And it is one that all boards, or at least their compensation committee, should be able to answer. If a board member does not know the answer, there should be no reluctance to ask the question. Unfortunately, people are sometimes hesitant to do so. People not familiar with the compensation topic or new to the organization’s board hold back. Whether unwilling to admit they have questions or feeling a need to “go along with others who seem to know what to do” or “continue to do things the way we’ve always done them”—the important question above just does not get asked. The path of least resistance is to simply chime in for the all too familiar “All those in favor, say Aye” board chorus.
In these COVID times there are, however, some new questions about executive compensation that need to be answered. Many of the familiar and essential factors normally included in board decisions about executive pay are no longer available or relevant. The disruption related to the virus has broadly impacted all sectors of the economy. The issue of competitiveness in terms of compensation is muted at least for the moment. Uncertainties abound and everyone is searching for answers about what they should do. For most organizations, the answers will come from within. Each must chart its own way for the foreseeable future. For this reason, I’d like to suggest the following three new questions to be considered to arrive at an answer for your organization related to whether executive pay is appropriate in these COVID times when unknowns seem to be the order of the day.
Do our current financial condition and outlook for the next 18 to 24 months allow us to continue our current methods and levels of compensation for staff members and our executives?
Affordability is a critical issue and possibly the most urgent one. If there are concerns about finances, there are a series of progressively more stringent techniques that can be taken, including: discontinuation of “voluntary” plans / payments; salary freeze; salary reduction; furloughs; staff reduction, etc. Each of these must be carefully weighed to arrive at the best answer for your organization. The consideration is not solely financial. Retention of key personnel, staff morale / engagement, continuation of critical services, stakeholder reactions, etc. are also important factors to consider.
Once decisions have been made about any cost-saving actions, they should be fully communicated to all concerned with as much advance notice as possible. In particular, all the details about the duration of the change(s) should be included to the degree that they can confidently be set. Future communications should be made as conditions change, as well as to affirm that the subject has not been forgotten.
Under current conditions, should our competitive pay positioning policy be maintained?
Even if the organization’s financial condition can support holding current executive compensation at target levels in the competitive market, should they stay the same? There are several factors to consider.
COVID times have disrupted the availability and relevance of many sources of competitive compensation data. Newer IRS Form 990 filings are not being posted and are even more outdated than in normal times. Most compensation surveys are reporting on data collected pre-COVID and do not reflect current conditions. Reliable information on competitive compensation may not be available to guide pay decisions.
In some instances, competitive compensation levels have likely decreased due to temporary salary reductions, suspension of bonus / incentive plans, etc. The pressure to keep up with the market has decreased significantly for most organizations.
Finally, there are other factors that may weigh more heavily in executive compensation during these times, such as public / stakeholder perception of executive pay actions, equitable treatment of staff members vs. executives, etc.
For the next 12 to 18 months, executive compensation should be carefully considered as part of a thorough assessment of the organization’s situation and circumstances. As mentioned previously, competitiveness may not be as prominent a consideration now. Again, regular communication to all concerned about any change / moderation of traditional approaches to pay is critically important.
What factors should be considered in executive pay decisions that are needed for 2020 or 2021?
COVID times may have deprived the organization of its traditional benchmarks or made its performance metrics no longer relevant. For this reason, many organizations will need to make pay decisions on a largely discretionary basis. Discretionary should not imply a hastily made monetary “thanks for everything” at year end. I am suggesting a thoughtful approach, one that requires pre-planning and discussion by the compensation committee of the criteria that will be used for any pay-related decision making.
Rather than delaying a discretionary decision until the final compensation committee meeting for 2020, boards would be well-advised to begin discussions and planning now for the specific factors that will be considered when these decisions are made. Board members can exchange and consider ideas to arrive at a general consensus about several critical factors that will be used.
For example, boards may consider:
- How well has management cared for the organization’s employees?
- How have the organization’s stakeholders been treated?
- How have the organization’s vendors been treated?
These types of questions focus on the executives’ stewardship of the organization for the longer term. Once decided, the factors should be communicated to all concerned parties in advance. That information will highlight the behaviors and results that are important for moving forward through this time.
In summary, good answers to the three questions we’ve raised here are essential for a good answer to the “big” question—“Are we paying our executives appropriately?”—during these unprecedented times. Arriving at the right answer for your organization is critically important.
If you do not know the answer to “Are we paying our executives appropriately?” for your organization, please ask!
President Signs Protecting Nonprofits from Catastrophic Cash Flow Strain Act to Assist Nonprofit Organizations into Law
By Lee Klumpp, CPA, CGMA
On Aug. 3, 2020, President Trump signed the legislation to assist nonprofits and governmental entities into law.
The purpose of the legislation is noted as: “The Protecting Nonprofits from Catastrophic Cash Flow Strain Act aims to ensure that nonprofits, state and local governments, and federally recognized Tribes that operate as reimbursing employers under state unemployment insurance (UI) systems can receive the UI relief secured through the CARES Act (Coronavirus Aid, Relief, and Economic Security Act) without bearing onerous cash flow burdens that threaten liquidity.” State and local governments and federally recognized tribes have been able to remain financially viable during the COVID-19 pandemic by ensuring they receive federal help for unemployment payments upfront, instead of being reimbursed later. Nonprofits have not had these same benefits.
Nonprofit organizations, state and local governments, and federally recognized American Indian tribes generally have the option of operating as “reimbursing employers” (also known as “reimbursable employers”) under state unemployment insurance systems. This means that they make “payments in lieu of contributions” to finance unemployment benefits attributable to them. Most states periodically bill reimbursing employers for benefits paid out during that period to their former employees. In turn, employers who opt for this payment method are not obligated to pay unemployment insurance payroll taxes.
Section 2103 of the CARES Act was intended to provide emergency relief to reimbursing employers by federally financing 50% of the UI obligations for these employers for the period beginning March 13, 2020 and ending Dec. 31, 2020. However, as interpreted by the Department of Labor (DOL) in guidance issued on April 27, reimbursing employers “must pay their bill in full” before they can receive reimbursement for one-half of their obligation. For many employers, the requirement to pay 100% of the UI bill before securing relief exacerbates the financial impact of historically high claims triggered by the pandemic, increasing the risk of further layoffs, closures or substantial reductions in services.
This new legislation would enable states to provide the CARES Act’s 50% emergency relief to reimbursing employers without requiring these nonprofits or other entities to pay their full bill first. While the net cost to the employer and the federal government would remain the same, as the employer would still be responsible for paying 50% of its bill and the federal government would still finance the remaining 50%, the procedural fix included in this legislation would significantly mitigate the cash flow concerns for reimbursing employers.
For states that have already begun administering Section 2103 relief under current law requirements, the legislation includes an explicit safe harbor for claim weeks prior to the date of enactment.
The following is an example that outlines how this process works under the current DOL guidance and how it would work under this new legislation.
Former and furloughed employees of a charitable nonprofit file UI claims collectively amounting to $50,000 in a given calendar quarter. The state workforce agency bills the nonprofit for $50,000 at the end of the quarter, at which point the nonprofit must pay the full bill or risk financial penalties. If the employer can pay the full bill, then the state can ultimately reimburse it for $25,000, provided by the federal government for this express purpose.
Under the new legislation, if the nonprofit pays any portion of its bill, the state workforce agency uses a federal transfer to the state unemployment trust fund to effectively reduce the bill to $25,000, which the nonprofit can pay without needing to pay the full $50,000 first.
Adapted from BDO Nonprofit Standard blog.
By Marc Berger, CPA, JD, LLM
The recently issued proposed regulations interpreting Internal Revenue Code (IRC) Section 512(a)(6) provide additional guidance and build on Internal Revenue Service (IRS) Notice 2018-67.
On April 24, 2020, the U.S. Treasury Department and IRS published in the Federal Register proposed regulations under IRC Section 512(a)(6), which was added to the tax law as part of the 2017 Tax Cuts and Jobs Act (TCJA). The provision requires tax-exempt organizations with more than one unrelated trade or business to calculate unrelated business taxable income (UBTI) separately with respect to each unrelated trade or business. The underlying purpose of the provision is to prevent a net loss from one activity from reducing the net income from a profitable activity. As a result of having to treat each unrelated activity separately, Section 512(a)(6) has become known as the “Silo” provision. The provision has been effective for tax years beginning on Jan. 1, 2018 and thereafter.
The IRS released Notice 2018-67 in August 2018 to provide organizations and their tax advisors some guidance on how to interpret Section 512(a)(6). The proposed regulations generally follow the guidance in the notice, although they make several modifications in response to comments received from the tax-exempt organization community.
The principal issue for organizations seeking to comply with Section 512(a)(6) is determining how many unrelated trade or business activities they have. Congress did not provide explicit criteria for determining whether an exempt organization has “more than one unrelated trade or business” or how to identify “separate” unrelated trades or businesses for purposes of computing UBTI in accordance with Section 512(a)(6). The proposed regulations seek to clarify these issues by establishing a method for determining whether an organization has more than one unrelated trade or business and by identifying separate unrelated trades or businesses. Most business activities will use the North American Industry Classification System (NAICS) business codes, and separate guidance is provided for investment activities. In each of these instances the proposed regulations start with the approach utilized in Notice 2018-67 but make some additional changes to this guidance based on the comments received.
Business Activities Other Than Investment Activities
The proposed regulations would classify most unrelated business activities pursuant to 2-digit NAICS codes, which differ from the more specific 6-digit NAICS codes proposed in Notice 2018-67. The 6-digit codes are described as follows: the first two digits designate the sector, each of which represents a general category of economic sector, e.g., real estate and rental and leasing (53), health care and social assistance (62), accommodation and food services (72); the third digit designates the subsector; the fourth digit designates the industry group; and the fifth digit designates the NAICS industry. When applicable, the sixth digit is used to designate the national industry, to reflect differences between the countries. A zero as the sixth digit generally indicates that the NAICS industry and the U.S. industry are the same.
After considering the comments received in response to Notice 2018-67, the Treasury Department and the IRS continue to view an identification method based on NAICS codes as administrable for exempt organizations and the IRS. However, in updating the guidance recommended in the notice, the proposed regulations provide that an exempt organization generally will identify its separate unrelated trades or businesses using the first two digits of the NAICS codes, i.e., by economic sector. While there are more than 1,000 NAICS 6-digit codes, the NAICS divides the economy into only 20 economic sectors. Using the 2-digit codes is expected to result in broader, less subjective identification of trades or businesses that would naturally permit the aggregation of similar activities. In addition, it was noted that the 2-digit codes are less likely to change over time because the codes are revised through notice and comment rulemaking (and OMB has historically not revised the codes at the 2-digit level).
Administratively, the proposed regulations provide that an exempt organization will report each NAICS 2-digit code only once. For example, a hospital organization may operate several hospital facilities in a geographic area (or multiple geographic areas), all of which include pharmacies that sell goods to the general public. Pharmacies are described under the NAICS 2-digit code for retail trade (44). Although each pharmacy potentially could be considered a “separate” trade or business under Section 512(a)(6), particularly if separate books and records exist for each pharmacy, the hospital organization would report all the pharmacies using the 2-digit code for retail trade (44), along with any other retail trades or businesses described by this code, on Form 990-T as one unrelated trade or business.
Finally, the proposed regulations provide that once an exempt organization has identified a separate unrelated trade or business using a particular 2-digit code, the organization may not change the 2-digit code describing that trade or business unless the organization can show that the 2-digit code chosen was due to unintentional error and that another 2-digit code more accurately describes the trade or business. This limitation will apply to codes reported on the first Form 990-T filed after final regulations under Section 512(a)(6) are published in the Federal Register. It is anticipated that the instructions to Form 990-T will be revised to describe how an exempt organization provides notification of such an error. In addition, the Treasury Department and the IRS are requesting comments regarding whether there are other circumstances in which an exempt organization should be permitted to change the selected 2-digit codes.
The proposed regulations provide that NAICS 2-digit codes are used to identify separate unrelated trades or businesses except to the extent provided in other paragraphs of the proposed regulations. An exempt organization’s investment activities fall under this exception as their rules are provided in other paragraphs of the proposed regulations.
The proposed regulations provide that exempt organizations may aggregate certain investment activities and treat them as one unrelated trade or business for purposes of Section 512(a)(6). For most exempt organizations those activities are limited to: (i) qualifying partnership interests (QPIs); (ii) debt-financed properties; and (iii) qualifying S corporation interests.
For partnership interests, Notice 2018-67 states that the category of “investment activities” should include only partnership interests in which the exempt organization does not significantly participate in any partnership trade or business. As in the notice, the proposed regulations define QPIs as partnership interests that meet one of two tests:
- A de minimis test, which the exempt organization satisfies if it holds directly no more than 2% of the profits interest and no more than 2% of the capital interest of the partnership; or,
- A control test, which the exempt organization satisfies if it directly holds no more than 20% of the capital interest and does not control the partnership, taking into account all facts and circumstances.
In response to comments received on the notice, the percentage interests held by disqualified persons (e.g., directors) do not need to be taken into account under the proposed regulations in applying the percentage thresholds of the de minimis and control tests. In addition, interests held by controlled entities and supporting organizations no longer need to be taken into account for the de minimis test (but do need to be combined for the control test).
With respect to the control test, the notice looked to whether the exempt organization had “control or influence” over the partnership, while the proposed regulations only look to “control.” The proposed regulations provide that control is shown if the exempt organization “by itself” has the ability to require the partnership to perform, or may prevent the partnership from performing, any act that significantly affects the operation of the partnership, or if it has the power to appoint or remove any of the partnership’s officers or employees or a majority of its directors. Like the notice, the proposed regulations also provide that control is shown if any of the exempt organization’s officers, directors, trustees or employees have rights to participate in the management of the partnership or conduct the partnership’s business at any time.
The proposed regulations allow exempt organizations to rely on the information in the annual Schedule K-1s provided to it for purposes of the de minimis and control tests. In addition, once an organization designates a partnership interest as a QPI, it cannot use the NAICS codes to subsequently identify trades or businesses of the partnership unless and until the partnership no longer qualifies as a QPI (in which case it would be required to use the NAICS codes).
Additionally, the proposed regulations temporarily maintain the “transition rule” that was provided in the notice, under which a partnership interest acquired prior to Aug. 21, 2018 may be treated as comprising a single trade or business under Section 512(a)(6). However, the proposed regulations state that an organization’s ability to rely on the transition rule ends at the beginning of the first day of its first taxable year beginning after the final regulations under Section 512(a)(6) are published in the Federal Register.
The proposed regulations provide that income from debt-financed properties includible in unrelated business income (UBI) under Section 512(b)(4) should be included in an organization’s trade or business from ‘investment activities’ for purposes of Section 512(a)(6). This treatment supports the IRS belief that debt-financed properties are generally held for investment purposes. In addition, an S corporation interest that meets either the de minimis or control test for QPIs is considered a “qualified S corporation interest” and would also be included as part of an organization’s ‘investment activities’ unrelated trade or business. An S corporation interest that is not a qualified S corporation interest would be treated as an interest in a separate unrelated trade or business.
The proposed regulations provide that all “specified payments” (i.e., interest, rents, royalties and annuities) received from controlled entities and includible in UBI under Section 512(b)(13) would be treated as a separate trade or business. Moreover, if a controlling organization receives these payments from two different controlled entities, the payment from each controlled entity would be treated as a separate unrelated trade or business.
The proposed regulations also provide that amounts received from controlled foreign corporations which are includible in UBI under Section 512(b)(17) would be treated as income from a separate unrelated trade or business. Finally, the proposed regulations clarify that inclusions of Subpart F income and global intangible low-taxed income (GILTI) are treated in the same manner as dividends for UBI purposes.
Net Operating Loss Deductions (NOLs)
As enacted, Section 512(a)(6) requires organizations with more than one unrelated trade or business to determine any NOL deduction separately for each trade or business. By limiting the reportable unrelated business taxable income from a separate trade or business to zero, the statute supports the underlying purpose of the provision to prevent a loss incurred from one trade or business to offset income generated from another trade or business. To preserve NOLs from tax years prior to the effective date of the TCJA, Congress created a special transition rule for NOLs arising in a taxable year beginning before Jan. 1, 2018 (pre-2018 NOLs). Section 13702(b)(2) of the TCJA provides that Section 512(a)(6)(A) does not apply to pre-2018 NOLs, i.e., that they may be used without regard to the Section 512(a)(6) limitation. For organizations with pre-2018 NOLs, and NOLs arising from years beginning after Dec. 31, 2017 (post-2017 NOLs), a question arose regarding the order in which such losses should be taken. Notice 2018-67 did not affirmatively answer that question; however, the proposed regulations do.
The proposed regulations provide that an exempt organization with both pre-2018 NOLs and post-2017 NOLs will deduct its pre-2018 NOLs from its total UBTI before deducting any post-2017 NOLs with regard to a separate unrelated trade or business’s UBTI. Moreover, the proposed regulations state that pre-2018 NOLs are deducted from total UBTI in the manner that results in maximum utilization of the pre-2018 NOLs in a taxable year. This result is organization-friendly in that it allows for the maximum use of these NOLs before their expiration (pre-2018 NOLs expire after 20 years; post-2017 NOLs do not expire).
Charitable Contributions Deduction
For tax-exempt organizations that are corporations, Section 512(b)(10) limits the organization’s charitable contributions deduction to 10% of UBTI. The proposed regulations clarify that Section 512(b)(10)’s reference to ‘UBTI’ refers to UBTI after the application of 512(a)(6). This result is also organization-friendly in that activities with net losses will not lower UBTI for purposes of determining the 10% deduction limit since those loss activities will be limited to zero for purposes of Section 512(a)(6).
Allocation of Expenses
Regarding the issue of allocating expenses between separate unrelated trades or businesses, Notice 2018-67 stated that the Treasury and IRS were considering modifying the “reasonable allocation method” described in Treas. Reg. Sec. 1.512(a)-1(c) and providing specific standards for allocating expenses under Section 512(a)(6). The preamble to the proposed regulations states that Treasury and IRS are still considering the issue and intend to publish separate proposed regulations providing further guidance on this issue. Until these proposed regulations are issued, organizations are instructed to allocate deductions in accordance with any reasonable allocation method. Per the IRS, utilizing gross revenues as a method of allocation is not reasonable as it overstates the deduction(s) in determining UBTI.
Proposed Applicability Dates and Approaches
The proposed regulations apply to taxable years beginning on or after the date they are published in the Federal Register as final regulations. For taxable years beginning before that effective date, exempt organizations may (1) rely on the proposed regulations in their entirety; (2) rely on the methods of aggregating or identifying separate trades or businesses provided in Notice 2018-67; or, (3) rely on a reasonable, good-faith interpretation of Sections 511 through 514, considering all of the facts and circumstances, when identifying separate unrelated trades or businesses under Section 512(a)(6).
While some important questions remain unanswered (e.g., allocation of expenses among various UBI silos), the proposed regulations should provide organizations some comfort in the potential aggregation of activities, which may help the determination of how many unrelated trades or businesses they have. However, this may not ease the inevitable result of increasing their unrelated business income tax liability exposure from a provision that tilts the proverbial “level playing field” towards their taxable entity competitors.
By Michael Conover
The novel coronavirus (COVID-19) crisis has affected all sizes and types of organizations including the nonprofit sector. Regardless of the type of nonprofit, they have been impacted by: forced office closures, dramatic swings (upward or downward) in demand for their services, actual or threatened loss of revenue, budgetary and staff cuts, etc. As the crisis has unfolded, each organization has struggled to respond as new information and guidelines for moving forward have changed. And there is no certainty as to when or how things will begin to change for the better.
Because compensation is generally the largest expense for most nonprofit organizations, it should come as no surprise that many have been forced to reduce or eliminate salaries, and discontinue any bonus and incentive plans. Over time, additional compensation reductions may become necessary if revenues fail to recover to needed levels.
With the struggles to manage day-to-day operational issues a full-time affair, a discussion of compensation would seem to be a pretty low priority in most organizations … particularly since there is likely no good news to report. Like most difficult topics, however, this does need to be raised.
While we cannot make many specific predictions about the future as far as compensation is concerned, I believe there are a few things we can expect as things move forward:
- Staff and salary reductions in response to the crisis will likely result in no or negligible wage growth for the year with possible negative growth in some cases.
- Interest normally devoted to surveys about salary increases for the coming year will likely be focused instead on surveys of trends for addressing the “no growth” situation, which can include plans for restoration of salary cuts, use of one-time bonuses/spot awards, “premium”/hazard pay for essential personnel, etc.
- Boards will wrestle with decisions about compensation for the executive team managing the organization through the crisis period—pondering a basis for evaluation of performance and an appropriate means for rewarding steps taken for the organization’s survival versus a celebration of growth and profitability.
Under the best of circumstances, good advice for addressing an organization’s compensation needs is based on an understanding of the facts and circumstances associated with that organization. These uncertain times underscore the need for specific information, but very little is available. With little or no information about when or how things will begin to emerge from the crisis, it might be best to offer some general guidelines for managing compensation in the new normal. A few that come to mind follow:
- Prior to implementing changes in any compensation practices (if not already made), organizations must check with state regulations about required periods of notice before changes can be made. Similarly, plans for eliminating, delaying or changing the terms of payment under any formal plans or employment agreements should be thoroughly researched to avoid any adverse compliance issues.
- Communication about compensation is always important and often not done well. In difficult situations it is more important and must be done better. Information must be shared and provided in advance of change (when possible) by board and management to staff.
- Periodic updates on compensation, particularly in cases where salaries have been reduced, are important. Ideally, plans for restoration can be shared. Until that can occur, communication of assurances that the subject has not been dropped and a plan will be announced as soon as one can be developed should be made. While employees may be reluctant to raise the topic, it is a top-of-mind issue on the home front.
- While board members are likely absorbed in many other issues, the annual compensation discussion may be delayed, but its return to the agenda is a certainty. Management has the same interest in and need for information about compensation as staff members.
- The typical review of actuals in relation to budget, personal objectives met and/or missed, etc. will likely be moot at this point. Similarly, efforts to reset bonus or incentive plans will likely be a pointless effort under current circumstances.
- Rather than delay consideration of management compensation decisions until several days beforehand, board members might do well to devote some time to identifying and discussing some new and/or revised criteria for assessing management’s stewardship of the organization in the crisis. For example:
  - How well were employees treated?
  - How well were the organization’s clients/service recipients treated?
  - How well were the organization’s vendors treated?
  - How did the organization respond to the needs of the community?
- Explore some ideas and/or options for alternative compensation such as non-monetary alternatives for recognition, reward payments (e.g. one-time bonus / spot award, extra paid time off, etc.).
- As circumstances improve and plans for recovery begin to become clearer, communications with all parties about plans for compensation must be a priority. People should not be left in a position to wonder what will happen or be forced to ask. Proactive communication is the best approach.
We expect that in the weeks and months to come, there will be more information to share about trends that will impact compensation later in this year and into next. We will provide updates as they become available.
By Dick Larkin, CPA, MBA
This article is aimed at helping nonprofit organizations plan to cope with the new challenges imposed by the coronavirus pandemic. The first part of the article focuses on matters external to the organization, while the second part focuses on internal matters. The article is intended to raise questions and get people thinking, not to provide pat answers; such would require a book. These challenges are in some ways pervasive among all organizations; in others there will be different effects on different types of organizations, e.g., educational institutions, the performing arts, membership organizations, religious organizations, charitable organizations, healthcare, etc.
The coronavirus has changed our world in ways unimaginable a year ago. The events of Sept. 11, 2001 resulted in permanent changes to air travel. The coronavirus has resulted and will result in permanent changes to a much wider variety of aspects of our personal and business lives. Some of these changes affect both businesses and governments, as well as nonprofits. These articles will focus on those aspects unique to, or that will have a disproportionate effect on, nonprofits.
The most recent events of comparable nature, magnitude, and pervasiveness were the influenza pandemic of 1918-19, which killed tens of millions of people, and the Great Depression of the early 1930s. But, you are thinking: what about 9-11? World War II? 9-11 was over in a few hours; it directly affected only a small number of places and a limited number of people, and was unlikely to happen again. World War II, for most Americans—except those actually in battle and their close families—was not here; it was almost entirely “over there.” Yes, there was rationing, and unavailability of some consumer products like new automobiles, but the daily impact of those was relatively small, and not dangerous for most people.
Coronavirus is here, it directly affects everybody everywhere, it is dangerous, and there is as yet no way to predict how long even its direct effects—much less the indirect effects—will last. Even if a preventive vaccine—and a cure for those already sick—were to be discovered tomorrow and made widely available next week, many of these changes still will not ever be completely reversed.
Effect on organizations’ revenue and financial health
Except for healthcare organizations (which of course are working overtime), the nonprofit sector is largely shut down. Educational institutions have closed their facilities and many are conducting classes online, but bookstore sales have largely ceased and athletic department income has completely dried up. Performing arts organizations are silent. Museums are closed, which reduces both admissions income and gift shop sales (some gift shops continue to sell online). Many houses of worship are conducting services online, which has resulted in a drop in “plate” collections. Membership organizations still have their dues income, for now, but meetings are canceled or postponed. Many charitable organizations are seeing increased need for their services, but trying to increase revenue to cover those added costs is challenging because many donors are themselves in financial distress. Many individuals have lost their jobs or seen a reduction in pay. The 2017 income tax act had already reduced the incentive for some to make charitable contributions by doubling the standard deduction for individuals. Now Congress has eliminated the year 2020 required minimum distribution from deferred compensation plans (IRAs and the like), so seniors over age 70½ will have less incentive to make direct charitable rollovers from those plans. On the incentive side, there is now a $300 charitable deduction available to donors who do not itemize. Foundations have seen their investment portfolios lose value, so they have less available to make grants. State and local governments are seeing declines in sales, gasoline and income tax revenue, so they have less to distribute as support. Only the federal government is pumping money into the economy, some of which is flowing to nonprofits, but this cannot possibly make up for all the other revenue losses.
There are some offsets. It is well known that many performing arts organizations lose money on every performance they put on, so by cancelling performances, they may save more in expenses than they lose in revenue. The real losers there (besides the audiences) are the performers: actors, singers, orchestra musicians, etc., and the supporting staff: stagehands, technicians, ushers, etc. Those organizations that can afford to are doing what they can to keep some of these people on the payroll (there is a limited federal grant program expressly for that purpose), but that does not make everyone whole, and cannot go on indefinitely. Residential educational institutions have lost room and board revenue, but do not have to pay for food and kitchen staff (again a hardship for that staff), or pay for most dormitory current operating costs.
These are short-term effects. But what about the longer term? Will an orchestra or chorus or theater that has had to cancel the rest of its current season be able to attract its audience back when things are able to reopen? Will the performers still be available? (What will a choral concert sound like if all the singers are wearing face masks?) If half of this concert season has been canceled, will donors continue the same level of annual support next season? Will college students re-enroll next semester? Will individuals and companies that have had to cut back on expenditures due to lost income return to their previous levels of charitable giving? Will association members renew their memberships? Will people be willing to resume participating in and attending events in spaces with large numbers of other people, for example, classes, concerts, conferences?
Planning for how to survive these effects is made even more difficult by the current uncertainty about when things will return to anywhere close to normal, if ever. Mounting a museum exhibit or a theater production, or getting all the pieces of a college curriculum in place, or organizing the annual convention of a trade or professional association cannot be done in a week, but at this point no one can be certain when, for example, colleges will be able to fully reopen: This summer session? The coming fall semester? Next year? None of the above? The answer will likely vary by locality. And what if there is a resurgence of the virus during the flu season next fall, as some healthcare experts are predicting is possible?
Internal Effects on Nonprofits
Given the external effects discussed above, how will they affect the internal operations of nonprofits? The governing board and the CEO will take the lead here by first thoroughly understanding the organization’s current situation, then communicating that to the staff (including volunteers), donors, clients (members, students, etc.) and the community. For example, how many months of anticipated expenditures do we now have available in liquid assets?
Some things are obvious. With less income and greater uncertainty, organizations must manage their expenditures even more carefully than they normally do. Expense budgets must be pared; revenue, expense and cash flow budgets must be closely monitored on a timely basis. Difficult choices may have to be planned for and made:
- Do we continue this program (academic department, publication, concert series, location) or that one? We no longer may be able to count on the availability of resources to do both.
- Should we consider pursuing a merger with [other nearby organization whose programs are similar to ours]?
- Do we have access to a line of credit? (If not, why did we not arrange for one before this crisis?)
- Would [Major Donor X] be willing to convert a previous restricted gift into an unrestricted gift, or to allow re-purposing of the gift to what is now a more important program?
- We are ok for the moment, but what are our Plans B, C, and D if next year’s revenue falls by 20%? 30%? 50%?
Donor and customer relations take on greater importance. Timely and clear communication is vital. Organizations must make every effort to keep the ones they have, motivate donors to increase their giving level, and to attract new donors to make up for the inevitable lost ones. Ditto for educational institutions (students), associations and houses of worship (members), museums (visitors), performing arts organizations (audiences), etc.
Management should become aware of all available governmental resources and take advantage of the ones that may pertain to the organization, such as the Paycheck Protection Program or the SBA Loan Program. Find out what insurance coverage is in place for things like cancelation of events. Would coverage be different depending on whether the cancelation was due to governmental quarantine regulations or the closure of a rented venue versus proactive action by management? Are there foundations which might be willing to help?
Many smaller nonprofits with few staff have always found it challenging to maintain adequate internal controls over their accounting and operational functions. With many staff now working off-site, this challenge is even greater. But the need for these controls is greater, not less. And remember, the responsibility for designing, implementing and monitoring these controls lies squarely with management, not with the auditors. Auditors will (and must under their own professional standards) continue to ask questions of management such as: “How do you satisfy yourself that (for example):
- All revenue intended for the organization—especially contributions—has been collected and properly recorded?
- All expenditures are for appropriate purposes, consistent with any applicable donor restrictions, in proper amounts, have been properly recorded, and that commensurate benefit has been (will be) received?
- All assets that properly belong to the organization are adequately secured, managed, and properly valued and recorded?
- All liabilities, and only true liabilities, of the organization are properly recorded and paid?
- The organization is in compliance with applicable laws, regulations and funder (private or governmental) restrictions?
- All of the organization’s activities are being conducted in an ethical manner? Another way to phrase this is, “Is there anything about the organization, its personnel, or its operations that would cause embarrassment if reported on the front page of tomorrow’s local newspaper?”
Auditors, in turn, are subject to various constraints in performing audit work. They may not have normal access to the client’s personnel, office or other facilities, and thus may be unable to examine hard copies of documents or observe inventory of gift shops or bookstores. Examination of documents and interviews with client staff may have to be conducted electronically, and extra steps taken to verify the authenticity of documents and the proper functioning of internal control procedures.
With the greater risk that staff (including volunteers) may become infected and unable to work at all, and/or infect others, organizations should be sure that every function is backed up by at least one other person or that outsourcing arrangements are in place if needed. Government healthcare privacy regulations probably forbid explanation to the rest of the staff as to why “Mary” is not going to be at work for the next month. But if a virus case is identified in the organization, quarantine regulations may require that that fact (alone—no names) be disclosed to those who may have had contact with the infected person. Legal advice may be needed here.
Some operational areas that may be affected include anything involving travel—especially international, such as students studying abroad, bringing visiting performing artists in from other cities, travel by athletic teams to away games, out-of-town speakers at conferences, members traveling to attend conventions, etc. Technology is already being used in some of these areas, and such use will likely increase. (Ok, technology will not work for team sports: football, soccer, basketball, hockey or racquet sports such as tennis; but maybe it could if golf or a racing-type event such as track and field, swimming or skiing could be contested simultaneously in both home facilities, so the race is effectively against the clock.)
Organizations such as homeless shelters and soup kitchens will need to rearrange their spaces to allow for more social distancing by their clients. Even after the immediate threat of infection has largely passed, would-be users of such facilities may want to feel comfortable that they are adequately separated from their neighbors. An extreme example would be a charity dental clinic, which will have to take extraordinary steps to keep both its patients and staff feeling safe. These and similar organizations should also be certain they have adequate insurance coverage to protect from claims by someone who has accidentally been exposed while in their facility.
Houses of worship have some special challenges: how do they handle group events (apart from regular services) that often involve close personal contact, such as weddings, funerals, baptisms, confirmations, bar/bat mitzvahs, etc.? Even when in-person group services can be safely resumed, should the communion ritual be altered? Should congregants still pass the peace during the service? (There should be an understanding so there will not be embarrassment if one person wants to shake hands or hug a neighbor, but the neighbor does not.)
Some facilities may need to be re-purposed. Convention centers and sports arenas are being used to help meet medical needs of cities. Now-empty college dormitories and dining facilities could be used for helping people in need due to job loss or homelessness.
Now is definitely the time to be thoughtful and creative.
By Barbara Finke, CPA
Most organizations have an established budgeting process. Whether the entity uses a robust performance management tool or a spreadsheet, there is likely a thoughtful process to predict the next year’s revenues and expenses. The budget is usually approved by the board of directors and/or other committee and memorialized in the meeting minutes. Once the budget is final, how an organization utilizes this tool varies. Most organizations utilize the budget as a tool for comparing actuals on a periodic basis while some revisit the budget and make changes based on certain events, and a rare few actually revisit the budget on a rolling schedule and update forecasts routinely.
Based on a survey conducted by KPMG in 2016 with the Economic Intelligence Unit (consisting of 544 global companies) only two-thirds of organizations surveyed incorporated rolling budgets. Although experts often say reforecasting or rolling budgets are important, many organizations continue to operate with a static budget, citing time or computer system limitations. A static or fixed budget occurs when the organization prepares an annual budget, which remains untouched for the fiscal year. The organization compares actual performance to the budget at periodic reporting intervals. This common type of budgeting is a good tool for keeping spending within a predetermined threshold. A static budget remains useful when spending is generally predictable and consistent. However, it can become cumbersome and unhelpful when the organization sees major changes, and the variances, while explainable, render the static budget meaningless.
Consider the current reality of our unprecedented economic and social times. On Jan. 30, 2020, the World Health Organization (WHO) announced a global health emergency because of a new strain of coronavirus originating in Wuhan, China (COVID-19), and the risks to the international community as the virus spread globally. In March 2020, the WHO classified COVID-19 as a pandemic, based on the rapid increase in global exposure. The world is still determining the ultimate impact of the global pandemic. In the United States, shelter-in-place orders seem to change daily and differ not only by state, but by county or even potentially by neighborhood. Economic stimulus packages were enacted on March 27, 2020, under the Coronavirus Aid, Relief and Economic Security Act, with new grant opportunities, tax changes, and ever evolving lending programs. In addition, we have seen historic stock market changes based on seemingly every announcement from the Centers for Disease Control and Prevention (CDC), the president and/or major corporations. Now, more than ever, organizations need to understand how to reforecast static budgets so that the executive teams can make real-time informed decisions.
Per an article from Kshitij Dayal, Workday, “…from March 23 to 27, our [Workday] cloud planning platform processed up to 30 times more forecasts and build-out scenarios than in a typical week. Since the emergence of the COVID-19 pandemic, we’ve [Workday] seen an overall average increase of 15 times the amount of modeling and recalibrating as organizations everywhere attempt to make sense of the ripple effects.” Based on that evidence, organizations seem to be aware of the need to reforecast budgets for fiscal year 2020 and beyond. Was your organization ready?
Historically, the most common reason noted for using reforecasting or a rolling budget was the constantly changing nature of the business environment, whether it be technology innovations, stock market fluctuations or management changes, and the belief that a static budget would not provide organizations with a useful tool when making key decisions. In the past, your organization may have concluded your environment was not constantly changing, or that the headache of the reforecasting process was larger than the benefits. Now every organization is in a state of constant change, and reforecasting is critical.
Budgeting is a bit like road trip directions. In the past, you pulled out the road atlas, plotted your course and headed out. It was a surprise when you hit a major traffic jam or detour, and you were forced to wait patiently. Now, you put the destination into your favorite mapping app and start your route. As you drive, the app periodically notifies you of a shorter available route, or a major road blockage ahead that requires rerouting. Your mapping app provides all of the information you need to quickly make the decision to take a new course or stay on the original one. A budget that can be reforecast quickly gives your organization the same ability. If you want this capability for your organization, the next step is to decide whether you will use a reforecast or a rolling budget.
What is reforecasting?
Reforecasting means updating the entire budget based on new facts and circumstances, taking a holistic look at your original budget and updating any elements as necessary. In the end there is a separate, fully revised budget, not an adjustment to just a line or two. The reforecast allows the operational group to understand the new route to follow and what will be ahead on the new path. It provides a more relevant decision tool than the static budget.
When should an organization reforecast?
As noted above, a reforecast should happen whenever there is a large or unexpected trigger event, such as the COVID-19 pandemic. However, it doesn’t have to be that big of a trigger. It could be a large or unexpected change in one of the organization’s major revenue streams or cost drivers, such as winning (or losing) a major contract. When the main driver of your budget is expected to change as a result of the event, a reforecast should be completed.
Organizations should also consider reforecasting when trends show that the original budget was not accurate, and you start to see recurring, significant variances in line items between actual and budgeted amounts.
The key message is that a reforecast is needed when the main driver of your budget suffers a significant enough impact that it is necessary to consider a holistic change in your original static budget.
How should an organization reforecast?
Before you determine the next steps in reforecasting, consider the budget process in your organization. Do you have a zero-based budget? In a zero-based budget, the organization builds the budget from scratch, considering each expense driving the budget from the expense side and attempting to grow profit by reducing expenses, rather than increasing price per unit or units sold. Or, does the organization look at historical trends and adjust revenues and expenses according to expected growth or shrinkage? Either way, break down the assumptions to the original drivers, whether it is variable costs or variable revenue sources that drive the bottom-line budget. This may require more thought if your organization has not done a zero-based budget recently. If you are struggling to identify your organization’s drivers, consider what key performance indicators you report to the board of directors or what benchmarks you are tracking. These are likely the drivers to consider when you are reforecasting.
Once you have determined which costs or revenues are variable, reforecast what impact the event will have on your variable drivers. If you budget based on costs, think about what costs are variable, such as operational payroll or supplies. Will these costs increase or decrease? If your costs increase, what will the organization need to do to increase revenues? Another approach is to start with the variable revenue drivers (such as patients served, units sold or students enrolled). Will the visit/unit sales rate increase or decrease? If the unit sales increase or decrease, what is the impact on costs? Will prices need to change? If prices change, what must the organization do in response? Remember, as you change the cost driver, to consider the impact on revenue, and vice versa.
Next, consider fixed costs and if there are any changes to these based on the trigger event. Typically, fixed costs would not be subject to change; however, in response to an event such as the COVID-19 pandemic, organizations may be renegotiating administrative payroll or rent expenses and, therefore, those fixed costs should be reforecast as well. Perhaps the original fixed-cost assumptions were not accurate in the first place. It is worth looking at all significant line items to ensure the accuracy of the forecast. Take this time to be critical of all original assumptions. Review future debt payments, rental agreements or other recurring charges to ensure that the terms of those contracts have not substantially changed since the budget was originally prepared.
The main drivers of the budget are always program/operational related. Therefore, it is critical that you speak with the managers of each division to understand what their projections entail. Accounting and finance personnel must understand if a change to the budget is realistic and if operations can function with the parameters that have been assigned. For example, if you cut expenses to balance the budget from anticipated revenue losses, make sure operational/program managers agree that there are enough expenses to produce whatever is needed to meet anticipated demands. Finance teams have noted that siloed operations or lack of integrations are main reasons for preparing only a static budget and finding a lack of value in other models.
While working on reforecasting, time is of the essence. The sooner the data is reforecast, the sooner the organization can use it as a tool for their decision making. It may be difficult the first time the organization works through a reforecast. Take notes on lessons learned and consider how you can set up the next period’s budget in a format that may be easier to reforecast in the future.
How do I predict the unpredictable?
Reforecasting for a trigger event, such as a new contract, is relatively straightforward. Program managers will understand how drivers will be impacted and what considerations should be made. However, what should organizations do with something like the COVID-19 pandemic? How can the future be predicted?
Financial analysts have made a living out of creating models that consider scenarios such as these. Those scenarios are then stress tested to see what happens if certain assumptions change. Using the same thought process can help you “predict” the future.
One way to create a model is to understand your organization’s cash burn. Most CFOs are acutely aware of cash trends. Look back at historical cash flows and calculate what your average spend rate is compared to your average collection rate. With this knowledge you could model a few scenarios.
Consider the worst case scenario first. If the organization is unable to collect cash from any revenue for an entire quarter, what reforecast is needed on the budget? What happens if cash from revenue is only reduced by a certain percentage over that same quarter? Using this approach, you can start to build steps to respond to a prediction and implement those steps as necessary.
As an example, Organization Y has noted that the current cash position is $1 million, and that fixed costs requiring cash for the next quarter are $200,000. This leaves $800,000 of potential spending. If the organization’s variable expenses are $900,000 a quarter, what steps would need to be taken to cover the shortfall of $100,000 ($1.1 million of variable and fixed costs for the quarter less cash on hand of $1 million)? With a predicted shortfall number, the organization can decide if that means taking on new debt, curbing capital expenses or potentially cutting salaries.
The worst case scenario may not be the most likely. Suppose instead that Organization Y anticipates $500,000 in cash from revenue this quarter, rather than the typical $1 million a quarter. Now the organization has $1.5 million ($1 million of cash on hand plus the $500,000) to spend over the quarter. If the cash needs are $1.1 million, they know going into the next quarter that they have $400,000 of cash available.
It is easy to establish the worst case scenario. It is harder to picture a realistic scenario, especially during situations like the COVID-19 pandemic. To assist your organization in determining the most realistic scenarios when reforecasting, look at what is happening in your industry in particular. If you are a member of a trade organization, it is likely that they are polling members and publicizing what member organizations are experiencing. You can also look to other sources of benchmarking, such as public companies, to see what the quarterly earnings or filings look like.
Economic sources like IBISworld, Moody’s Analytics, Morgan Stanley Economic Outlook, Morningstar Economic Outlook, or Placer.ai on Retail Foot Traffic provide data and information on economic trends experts are seeing. Organizations often forget to look at external sources to help predict the course of the budget drivers, which can be detrimental when creating an accurate forecast. When preparing any kind of budget, looking at external data sources is critical.
Even if your organization struggles with defining the most realistic scenario, the reforecast is still a helpful tool because it starts to set parameters (Organization Y has somewhere between a shortfall of $100,000 and a surplus of $400,000 to consider) that management can use to make informed decisions about the best next direction, rather than driving blind.
What is a rolling budget?
A rolling budget is similar to a reforecast, except a rolling budget was never intended to remain static and has a set time of when it should be adjusted (rather than waiting for trigger events). A common example of a rolling budget is where an organization would budget four quarters ahead. Each quarter the organization updates the next three quarters and adds a new fourth. Meanwhile monthly comparisons would be made to the monthly budget planned in the rolling budget. The organization would set a time period at which point the budget will be reviewed and updated using the same techniques as noted above for reforecasting. The rolling period could always be adjusted if a trigger event occurred outside of the normal update period. The rolling budget is always anticipating change, so an organization is set up to continuously monitor the trends and update either revenue or cost predictions, or both, to stay nimble.
Which one is better?
The best budget method depends entirely on the attributes of your organization and the industry it operates in.
A static budget is likely the best option for a small organization with relatively small fluctuations year over year. It may also be helpful in organizations that are grant driven where the grant budgets will not change once adopted. While the budgeting process can be long, it only occurs once a year in this environment, which makes it easier for a small staff and limited software capabilities. If your organization utilizes a static budget, to ensure that the budget stays relevant, the organization should routinely compare actual results to budget.
Reforecasting is not always necessary, especially if there is no trigger event and no major variances from the static budget. However, because events like the COVID-19 pandemic are rarely foreseen, the ability to reforecast a static budget is beneficial for any organization. Right now, every organization should prepare a reforecast budget using the steps outlined above based on the impacts of the COVID-19 pandemic. While working on the reforecast, use this time to set up a process and policy of how and when to reforecast your budget in the future. For example, as a policy, an organization could define a trigger event. Try to use thresholds such as an event that would likely change the main budget driver by 20%. When a “roadblock” like the COVID-19 pandemic comes up, the organization needs the tools to create a new fiscal road map. It will likely also lead the organization to identify areas to improve in the static budget process.
If your organization is in a more volatile industry where the drivers are constantly changing and strategy is ever evolving, then the rolling budget is most likely the best method for your organization. Another benefit of a rolling budget is that it inherently pushes the organization to a forward-looking approach, as governance discussions center around how the budget was adjusted and why, versus the historical approach of comparing the static budget to actual and repeating oftentimes the same variances each time. To be successful, a rolling budget requires an ongoing assessment with quick changes to ensure that the periodic budget to actual reporting can be maintained. Reforecasting with a rolling budget also needs to be fairly quick since it is continuous.
If the organization adopts a rolling budget or a reforecasting model moving forward, it is important to make sure careful thought goes into preparing the original budget. Drivers should be clearly identified, and formulas used to show how the variable revenues and costs build from the drivers.
Does my Organization Need Budgeting Software?
A budget could be a simple spreadsheet or prepared using budgeting software. The team should consider how complex the organization’s drivers are when considering whether to utilize a spreadsheet or software. Organizations with multiple streams of revenue and different corresponding variable costs may find it necessary to utilize software. Software often allows for more complex planning and reforecasting, allowing the organization to create various scenarios to see what the impact of a change, such as changing the price of a unit by 5% versus 7%, would be. Software can aid collaboration amongst different teams or units, while a spreadsheet shared with multiple users can make it difficult to maintain version integrity.
To select a tool, consider what the likely trend in budgeting will be for your organization. In a study done by the Chartered Institute of Management Accountants in 2016, The Reforecasting Report, the authors note that “buying an increasingly complex software platform without full cooperation and negotiation may fail to reduce ‘noise’ in the planning and budgeting process.” In addition, bad data in means bad data out, no matter what the tool. An organization should first make sure the budget basics are in place and reliable data can be easily obtained, so that the software or spreadsheet is able to create a proper forecast.
Kothari, S.P. et al. (2007, September). Forecasting With Confidence: Insights from Leading Finance Functions. Retrieved from https://home.kpmg/content/dam/kpmg/pdf/2016/07/forecasting-with-confidence.pdf
Dayal, Kshitij (2020, April 15). How to Gain Business Agility in Uncertain Times. Retrieved from https://blog.workday.com/en-us/2020/how-to-gain-business-agility-in-uncertain-times.html
Jelly, Robert (2007, May 1). The Reforecasting Report, 2006 Survey of Current Practices in the UK. Retrieved from https://www.cimaglobal.com/Documents/ImportedDocuments/The_Reforecasting_Survey.pdf
By Tammy Ricciardella, CPA
Many nonprofit organizations receive a variety of gifts-in-kind (GIK) that provide them with resources to supplement their programming.
GIK represent a wide variety of non-cash items donated to nonprofits. Nonprofits must follow Accounting Standards Codification (ASC) Topic 820, Fair Value Measurement, to account for the GIK. This means that GIK must be recorded at fair value, which is defined as “the price that would be received to sell an asset or paid to transfer a liability in an orderly transaction between market participants at the measurement date.” This creates difficulties for many entities since they receive the goods as a contribution and not as a market participant, which raises the question of how to value the items received. The entity must assess what market they would use if they were to sell the donated goods. This assessment must be performed in the process of determining the fair value even though the entity has no plans to actually sell the donated goods. Would the goods be sold in an exit market as a retailer, wholesaler or manufacturer, or in some other market? Once the market is determined, there can still be complications if the entity doesn’t have access to the valuation inputs in that market. The entity may have to use the inputs available to them to assess the fair value and then make an adjustment to the market they chose.
These are all complications faced by entities who receive GIK as they may not have prior transactions or the market experience to use as a resource for the fair value inputs. Under the ASC, entities must distinguish between the principal market and the distribution market. The principal market is defined as “the market in which the reporting entity would sell the asset or transfer the liability with the greatest volume and level of activity for the asset or liability.” Based on this definition, the actual location in which the donated goods may be distributed at no cost is not necessarily the principal market.
Determination of the fair value also has to take into consideration whether there are any legal restrictions on either the entity or the donated assets. Asset restrictions may limit the legal sale of GIK to certain markets, which would affect the determination of the principal market. Since these legal restrictions on the asset would be considered by a potential buyer, the entity has to take them into account in the fair value assessment.
It is important to note that the value assigned by the donor of the goods may not relate to the principal exit market of the nonprofit. In addition, the donor’s tax values are not equivalent to the fair value under accounting principles generally accepted in the United States. In many cases, the nonprofit will not have access to the same market as the donor. The nonprofit must value the GIK based on the principal exit market from their perspective.
To assist in addressing these complications, entities should have a documented policy on accepting GIK and a policy on how the fair value assessments will be performed. The determination of fair value for each type of GIK received should be clearly documented, including management’s assessments and factors considered and the final conclusion reached.
For more information, contact Tammy Ricciardella, Director, at firstname.lastname@example.org.
For more information from Blackman & Sloop, please contact Deetra B. Watson.
By Laurie De Armond, CPA, and Adam B. Cole, CPA
All nonprofits want to do good. Helping their constituents and driving impactful, positive change in communities is what propels their mission forward. Whether they’re on a quest to combat social injustice, poverty or climate change, nonprofits play a vital role in keeping our society moving forward. And yet, noble intentions are not enough for nonprofits to effectively fulfill their intended goals.
So, how can nonprofits successfully maximize good?
The answer can be borrowed from a classic adage: “Charity begins at home.” Just as a doctor cannot take care of others if he himself is ill, organizations cannot help their constituents if they’re unable to manage their own operations effectively and sustainably. As mentioned in our insight, “The Business of Impact,” nonprofits must balance good intentions with a business mindset.
This begins with learning how to balance external and internal needs. Too often, nonprofits, in a quest to save the world, fail to save themselves.
By taking these steps, nonprofits are poised to maximize their impact.
STEP 1: BALANCE PROGRAMMATIC & OPERATIONAL INVESTMENTS
Donor pressure may dictate high programmatic spending, but nonprofits must realize that underfunding overhead costs is dangerous and, ultimately, unsustainable. There are critical areas all nonprofits should keep in mind when making strategic spending choices, including:
Talent Management: Nonprofits need to support the people behind their mission and invest in recruiting and retention. Our Nonprofit Standards benchmarking survey found that keeping employees satisfied is a challenging task, with most respondents citing issues like compensation, technology, and training and development. By regularly reassessing the processes, programs and structures in place, nonprofits can understand what motivates—or demotivates—their employees.
Governance and Compliance: Nonprofits should think of good governance as an imperative, not simply a nice-to-have. Even with limited resources, they must take a proactive approach to regulatory compliance and risk mitigation. Earmarking funds to cover compliance costs may be painful initially, but the costs of noncompliance are even greater.
Technology, Equipment and Supplies: In addition to jeopardizing employee satisfaction, having outdated IT and equipment can drain already-limited resources by reinforcing operational inefficiencies, weakening impact reporting (58 percent of Nonprofit Standards survey participants cite inadequate technology as a barrier to impact reporting), increasing cyber and data privacy vulnerabilities and more. Nonprofits should invest in technology that can help them advance a larger goal—whether it’s empowering their employees to accomplish more, making their programs more accessible or amplifying their current fundraising efforts.
Cybersecurity and Data Privacy: Nonprofits must safeguard the data they possess, regardless of where it originated. Unfortunately, many fail to invest in cyber or data privacy programs, due to the assumption that they’re too small to be a viable target. However, this often makes them even more appealing and vulnerable to cyber attackers. Security needs to remain a key priority, even amid multiple projects.
Fundraising: Many investments in this category fall into similar buckets as those outlined above, especially people and technology. Whether it’s spending money to hire and train a fundraising team or purchasing new fundraising tools that can expand an organization’s reach, putting aside funds to improve visibility will pay off in the long run.
Balancing programmatic and operational spending isn’t easy and requires organizations to assess their operations with a critical business mindset. Altruism without an efficient infrastructure to support it won’t go far.
STEP 2: EMPHASIZE FINANCIAL DUE DILIGENCE
Financial due diligence for nonprofits extends beyond having enough liquidity to function effectively and investing with self-care in mind—it’s also managing finances with the same level of dedication as a for-profit business.
Maintain Sufficient Operating Reserves
When organizations encounter funding disruptions or lose a major donor, a healthy supply of operating reserves (liquid, unrestricted net assets) is a critical fiscal safety net to keep programs up and running.
The “right” amount of operating reserves varies according to organization size, sector and scope. However, establishing at least six months of operating reserves is a prudent target for the sector overall. More than half (51 percent) of organizations in Nonprofit Standards fall short of that goal.
Nonprofits should consider adopting a “reserve policy” (if they don’t already have one) based on a comprehensive risk analysis. This policy should provide guidance on how (and how much) money they should put into their reserves, under what circumstances the reserves should be used, as well as any other restrictions or limitations that ought to be considered. Having a few months’ worth of operating funds can at least help nonprofits continue their programs if they’re facing revenue interruptions.
Stay Abreast of Regulatory, Tax & Financial Accounting Changes
Not only are legislative financial changes required, they also affect how nonprofits document their donations and financial statements to their stakeholders—including their board, donors, constituents and the general public. This, consequently, affects how the latter will assess an organization’s financial health.
When undergoing the compliance process, nonprofit leaders should be prepared to address any questions about how these changes affected their financial statements. Maximizing good requires organizations to not only mitigate compliance risk, but also to be able to clearly explain all facets of their financial situation.
STEP 3: INSPIRE & MAINTAIN TRUST
Donor and stakeholder needs and expectations are ever-evolving. Clear, frequent and open communication, on their terms, is essential to getting the support you need to accomplish your mission.
This is especially true now that the profile of the average donor is changing. Millennials currently make up the largest portion of the overall population and have begun to take on a key role in philanthropy worldwide. These donors differ significantly from their predecessors: They not only place a huge emphasis on trust, but also expect faster reporting times, thanks to social media and other technologies.
With such close scrutiny upon them, nonprofits need to get better at not only measuring impact, but reporting it. According to Nonprofit Standards, many are under increased pressure to demonstrate results and provide further transparency: 61 percent say that some portion of their funders have required more information than was previously required.
Nonprofits will need to go beyond traditional reporting tactics to meet donors on their turf and on their real-time timeline.
When impact reporting is effective, it really pays off—not only in donations, but in a currency much more valuable long term: loyalty and trust.
Adapted from article in the Nonprofit Standard blog.
For more information, contact Laurie De Armond, Partner, at email@example.com or Adam Cole, Partner at firstname.lastname@example.org.
By Marc Berger, CPA, JD, LLM and Katherine Gauntt
It’s been more than a year since the Supreme Court announced the landmark decision in the South Dakota v. Wayfair case, opening the door for states to require organizations to collect and remit sales tax even if the organization has no in-state physical presence. The impact of the decision has proven to be far-reaching.
Since that time, organizations selling goods and services across state lines, including nonprofits, have had to navigate the fallout. While we covered this decision in depth earlier this year, it’s important, as we mark the one-year anniversary of Wayfair, to take a look at what’s changed and what challenges may still be on the horizon for nonprofits.
The Wayfair Domino Effect
Prior to the Wayfair decision, most nonprofits selling goods and services didn’t have a physical presence in states beyond their home states and, thus, did not collect sales tax.
But the Wayfair decision had a domino effect: States began adding or revising statutory language to accommodate an economic nexus standard for remote sellers. Several states already had laws on the books that automatically went into effect following the decision. As of this article’s publication, all but three states (Florida, Kansas and Missouri) have enacted economic nexus rules. Organizations selling things like promotional items, event tickets or other goods or services are likely affected in some way.
Each state has differing economic thresholds that require organizations to collect sales taxes, and the deadlines for compliance vary state-by-state as well. Even if no tax is collected, the requirement to file a return remains. This patchwork of regulations and deadlines may leave many nonprofits struggling to understand where their obligations lie, and how quickly they need to address them.
Complicating matters, the state thresholds vary in terms of dollar amount and number of transactions required to trigger economic nexus and the deadlines to comply also vary. For nonprofits, knowing where and when they’re required to administer sales tax is often half the battle.
For up-to-date information on state thresholds and effective dates, check out our interactive Wayfair map.
Automation Offers a Potential Solution
One possible option for monitoring the thousands of shifting tax rates that may apply in a post-Wayfair world is the use of automated software that monitors these changes in real time. Automated software solutions offer several benefits, including:
- Tracking tens of thousands of tax rates in real time
- Access to taxability information to determine how products and services are taxed in various jurisdictions
- A history of transaction data that can be used to compile tax returns and provide a single source of information in the event of a sales tax audit
- Assistance with managing exemption certificates for tax-exempt sales
For nonprofits, which typically have fewer resources than for-profit companies, a full-service automated solution might seem out of reach. However, there are many simple products that offer basic services—such as tax rate tracking—at a lower cost. Ultimately, while there are costs associated with these services, they may be eclipsed by the administrative and resource burden that comes with keeping pace with constant change without them.
For more information about how automation can assist with Wayfair compliance, read our recent Insight.
Marketplace Facilitator Laws, The Next Frontier
While Wayfair had obvious effects on the e-commerce sector, its impact also extends to the middlemen of retail sales transactions. New sales tax laws are now requiring marketplace facilitators—third-party entities that facilitate sales, such as Amazon—to collect and remit sales and use taxes on behalf of retailers. These laws help to substantially reduce the number of remote sellers that state tax authorities may seek to audit. We expect nearly all states will enact marketplace facilitator tax laws soon.
By nature, marketplace facilitators don’t have intimate knowledge of the goods or services being sold as the retailers themselves do. This lack of familiarity could result in a fair amount of under-collected sales tax if these sales are not properly accounted for or mapped to the correct taxability classification. This under-collecting is compounded by the fact that there is a lack of regulatory clarity around who should ultimately be responsible for the correct amount of sales taxes collected and reported to the taxing agencies, whether it’s the retailer or the company facilitating the sale.
While nonprofits might not seem like marketplace facilitators, there is still a lot of confusion about what constitutes a dealer or seller under these laws. It is possible that nonprofits that maintain online marketplaces or facilitate online auctions could be considered facilitators. With so much up in the air regarding these laws, it’s critical that organizations keep a close eye on the latest developments in any state where they do business.
Don’t Forget Purchasing Exemptions
While much of the commentary around Wayfair has focused on selling, it highlights the importance of purchasing considerations, as well. As sellers begin to increasingly collect sales tax on purchases, nonprofits should be sure to understand and maximize any exemptions they qualify for due to their nonprofit status.
While the details vary, many states exempt nonprofits from paying sales tax on purchases if they are made exclusively for charitable purposes. According to the National Council of Nonprofits, more than half of U.S. states give broad sales tax exemptions for purchases by nonprofits, and an additional 15 states allow limited exemptions by certain types of nonprofits or specific organizations.
For nonprofits to take advantage of these exemptions, they need to keep track of where they exist, and work with their vendors to ensure they either do not pay sales tax on purchases or receive sales tax credits on applicable purchases. Ideally, every time an organization begins to work with a new vendor, they should determine if the purchase is exempt from sales tax and provide the vendor with applicable exemption certificates. It’s also important to note that some types of nonprofit organizations, like associations, generally don’t qualify for these exemptions.
When Wayfair was first decided, many nonprofits assumed they wouldn’t be affected, but in the year since have had to come to the realization they may be responsible for collecting and remitting sales taxes in states where they have economic nexus. While this has created concerns about the administrative burden nonprofits might face to stay Wayfair-compliant, it’s important to remember that sales tax is ultimately a cost to the buyer, not the nonprofit seller. That is, of course, provided the nonprofit is compliant. If they fail to collect and remit the sales tax, there could be an actual liability in the form of an audit assessment to the organization.
As the impact of Wayfair continues to unfold, it’s crucial that nonprofits stay up to date on the latest developments and take proactive steps to get—and stay—compliant.
Adapted from article in the Nonprofit Standard blog.
For more information, contact Marc Berger, National Director, Nonprofit Tax Services, at email@example.com or Katherine Gauntt, Senior Manager, Specialized Tax Services – SALT Southeast Region, at firstname.lastname@example.org.
For more information from Blackman & Sloop, please contact Deetra B. Watson.
By Tammy Ricciardella, CPA
On Aug. 15, 2019, the Financial Accounting Standards Board (FASB) issued an exposure draft that would grant private companies and nonprofit organizations additional time to implement FASB standards. Comments on the exposure draft are due by Sept. 16, 2019.
The exposure draft describes a new FASB philosophy that extends and simplifies how effective dates for major standards would be staggered using a two-bucket approach. Bucket one would be only Securities and Exchange Commission (SEC) filers. Bucket two would encompass all other entities, including all nonprofit organizations, as well as nonprofit entities that have issued, or are conduit bond obligors for, securities that are traded, listed or quoted on an exchange or an over-the-counter market.
Under the proposed philosophy, a major standard would be effective for larger public companies first. For all other entities, FASB would establish an effective date that would be staggered at least two years later. Early adoption would still be permitted for all entities.
FASB is proposing that the two-bucket approach be applied to the effective dates of the following Accounting Standards Updates (ASU) if they have not yet been adopted by entities:
- ASU 2016-13, Financial Instruments – Credit Losses (Topic 326): Measurement of Credit Losses on Financial Instruments (Credit Losses)
- ASU 2016-02, Leases (Topic 842) (Leases)
Under the proposal, the effective dates of the aforementioned standards would be as follows for entities with calendar year ends:
- Fiscal years beginning after Dec. 15, 2022 for all nonprofit entities.
- Fiscal years beginning after Dec. 15, 2018 for nonprofit entities that have issued, or are conduit bond obligors for, securities that are traded, listed or quoted on an exchange or an over-the-counter market. These nonprofits are still in bucket one because the Leases standard as currently written is effective for these types of entities.
- For all other nonprofit entities, Leases will be effective for fiscal years beginning after Dec. 15, 2020.
The effective dates for entities with fiscal year ends would be the first year that begins after the dates noted above.
The FASB believes that the proposed change in establishing effective dates for standards will permit smaller stakeholders to have additional time to implement major standards.
For more information, contact Tammy Ricciardella, Director, at email@example.com.
By Laurie De Armond, CPA
What is the audit committee self-assessment?
This is a tool designed to assist the audit committee in evaluating how well it is executing its responsibilities. Please refer to BDO’s Effective Audit Committees for Nonprofit Organizations audit committee self-assessment section to ensure that governance responsibilities are adequately aligned with the charter and are being fulfilled appropriately.
Why should audit committees perform a self‑assessment?
As there is always room for improving quality and performance, we recommend that this document be used in conjunction with your organization’s Audit Committee Charter (or similar document) to ensure that governance responsibilities are adequately aligned with the charter and are being fulfilled appropriately. You may choose to customize this self-assessment further to reflect specific attributes of your organization and develop specific action steps and estimated completion dates to enhance your audit committee’s performance.
Who should use this self-assessment?
This Audit Committee Self-Assessment may be used by those charged with governance (in particular, audit committees) in performing an annual self-assessment. The audit committee chair would generally compile the results, which may be obtained from individual committee members on a confidential basis, but should also contemplate feedback from other key stakeholders such as the board, internal and external audit, and management.
When should the audit committee use this self‑assessment?
The audit committee should perform a self-assessment at least annually with areas identified for improvement to be assessed throughout the year.
How should the audit committee use this self-assessment?
This self-assessment tool is to be used as a guide and in correlation with the responsibilities laid out within the audit committee charter approved by the full board. Thus, organizations may feel the need to tailor the self-assessment to their specific needs. At the discretion of the audit committee chair and members, an additional free-form commentary box could be included to allow for specific recommendations or observations to be captured for further consideration.
Areas of assessment
- Composition and Character
- Continuing Education
- Setting Tone at the Top
- Oversight of Internal Control Over Financial Reporting
- Evaluation of and Communication with Management
- Evaluation of and Communication with Internal Audit, if applicable
- Evaluation of and Communication with External Auditors
- Financial Statements and Other Information
- Ethics and Code of Conduct
- Authority and Funding
- Overall Assessment
Please see the full Effective Audit Committees for Nonprofit Organizations guide here.
By Tammy Ricciardella, CPA
As calendar-year-end nonprofits have worked through the implementation of Accounting Standards Update (ASU) 2016-14, Not-for-Profit Entities (Topic 958): Presentation of Financial Statements of Not-for-Profit Entities, we have seen quite a bit of diversity in the preparation of the liquidity and availability disclosure required by the ASU.
To improve the ability of financial statement users to assess a nonprofit entity’s available financial resources and the methods by which it manages liquidity and liquidity risk, the ASU requires specific disclosures including:
- Qualitative information that communicates how a nonprofit entity manages its liquid available resources to meet cash needs for general expenditures within one year of the statement of financial position (balance sheet) date
- Quantitative information that communicates the availability of a nonprofit’s financial assets to meet cash needs for general expenditures within one year of the statement of financial position date. Items that should be taken into consideration in this analysis are whether the availability of a financial asset is affected by its (1) nature, (2) external limits imposed by grantors, donors, laws and contracts with others, and (3) internal limits imposed by governing board decisions
The following information can be displayed either on the face of the statement of financial position, or in the notes to the financial statements, unless otherwise required to be on the face of the statement of financial position:
- Relevant information about the nature and amount of limitations on the use of cash and cash equivalents (such as cash held on deposit as a compensating balance)
- Contractual limitations on the use of particular assets. These include, for example, restricted cash or other assets set aside under debt agreements, assets set aside under collateral arrangements or assets set aside to satisfy reserve requirements that states may impose under charitable gift annuity arrangements
- Quantitative information and additional qualitative information in the notes, as necessary, about the availability of a nonprofit’s financial assets at the statement of financial position date
An entity can provide additional information about liquidity in any of the following ways:
- Sequencing assets according to their nearness of conversion to cash and sequencing liabilities according to the nearness of their maturity and resulting use of cash
- Classifying assets and liabilities as current and noncurrent
- Disclosing in the notes to financial statements any additional relevant information about the liquidity or maturity of assets or liabilities, including restrictions on the use of particular assets
Liquidity is defined in the Accounting Standards Codification (ASC) Master Glossary as “an asset’s or liability’s nearness to cash. Donor-imposed restrictions may influence the liquidity or cash flow patterns of certain assets. For example, a donor stipulation that donated cash be used to acquire land and buildings limits an entity’s ability to take effective actions to respond to unexpected opportunities or needs, such as emergency disaster relief. On the other hand, some donor-imposed restrictions have little or no influence on cash flow patterns or an entity’s financial flexibility. For example, a gift of cash with a donor stipulation that it be used for emergency-relief efforts has a negligible impact on an entity if emergency relief is one of its major programs.”
Based on this definition, an entity will have to carefully look at its assets and consider any donor-imposed restrictions that may exist when determining the presentation of liquidity.
A simple measure of liquidity per the ASU is the availability of resources to meet cash needs for general expenditures within one year of the date of the statement of financial position. The ASU does not define general expenditures but does provide some suggestions regarding limitations that would preclude financial assets from being available for general expenditures. Some of these items noted in the ASU include:
- Donor restrictions on the use of assets for particular programs or activities
- Donor restrictions on the time period in which assets are used
- Board designations that commit certain assets to a particular purpose
- Loan covenants that require certain reserves or collateralized assets to be kept on hand
- Compensating deposit balances required by financial institutions
To provide the liquidity and availability disclosure, entities should likely consider combining both a narrative description of their method for managing revenue with donor restrictions and a table that lists the dollar amounts expected to be released from various sources. Entities should develop a liquidity management program that allows them to determine what portions of donor restricted funds will be released from restriction and available for both direct program costs as well as shared expenses that support those programs.
In addition, entities should have a program in place to assess what resources are available. These should only include the portion of funding commitments that are expected to be received in the next year. To assist in this determination, as well as the overall liquidity management, entities should consider utilizing a rolling cash flow projection that covers at least a 12-month period.
Entities should also provide, in the qualitative component of the disclosure, information about other methods they use to manage liquidity and maintain financial flexibility. Examples of these could include:
- The use of lines of credit
- Established operating reserve policies
- Cash management process
It is important to develop this disclosure to present an accurate picture of the liquidity and availability of resources utilizing both financial information and supporting narrative to fully explain the financial health of the organization.
By Laurie De Armond, CPA, and Adam Cole, CPA
The world needs nonprofits to continue striving for meaningful impact on a wide range of social, economic and human rights issues, and it needs them to remain financially healthy. To do so, organizations need to balance a nonprofit heart with a business mindset.
Your mission is the heartbeat of your nonprofit. Just as the human heart sustains a body, your mission is the driving force of your organization’s work. But the heart can’t do it on its own. One clogged artery puts stress on another element of the system—and while it may go undetected for some time, eventually that stress starts to show. A healthy heart and a strong organization rely on fully functioning support systems.
Like the four chambers of the heart, following are four critical elements for sustainability that can take your mission from idea to impact:
1. People: From the Governing Board to the C-suite team to employees and volunteers, supporting the people behind the nonprofit is vital. While the typical nonprofit professional is highly motivated and engaged, it’s critical for the organization’s leadership team to ensure the skills of its people align with the present and future needs of the organization. If you don’t have the right people or maintain proper engagement and focus on the organization’s mission—or don’t treat your people well—it could ultimately harm your ability to fulfill your mission.
- Retention: Nonprofits who take a business mindset to their recruitment and retention policies will work with their best assets—highly impactful and rewarding work—to promote internally and externally the holistic value of a nonprofit career.
- Succession Planning: Successful organizations have strong leaders at the helm, but they also plan ahead for the inevitable day when a change in leadership must occur. Unfortunately, leadership succession planning can be neglected in the nonprofit world, where devoted leaders often stay for long tenures and can be hesitant to pass the reins to a new leader.
- CFO/Financial Leaders: While the CEO and executive director are critical leaders who set the tone and mission of the organization, nonprofits cannot overlook the importance of their financial leadership.
2. Operational & Financial Management: Nonprofits must look at their operations with a more critical business mindset to find the appropriate balance between programmatic spending and the investments (both capital and programmatic) required for continued growth and stability. Prioritizing programmatic spending is a given, but nonprofits that place equal focus on long-term scalability and sustainability will maximize their impact.
- Tackling the Overhead Myth: Charity rating sites have put additional pressure on organizations to minimize their overhead spending. The unfortunate consequence is that many donors now assume, incorrectly, that low overhead costs are a good measure of a nonprofit’s performance—what is commonly referred to as the “overhead myth.” Low overhead may serve as a nice, short-term talking point for donors, but it’s an unsustainable strategy.
- Avoid the Starvation Cycle: In reality, high ratios of programmatic spending could mean the organization is underfunding critical areas necessary for long-term growth—a phenomenon known as the “starvation cycle,” which creates an unhealthy environment for the organization. Failing to invest in infrastructure, such as new technology, security, employee training and fundraising capabilities, can be detrimental to organizational growth.
3. Transparency & Communication: Prospective donors are increasingly thinking like discerning shoppers—researching organizations as they would a major purchase. They are seeking convenience, and fewer clicks to donate. Meeting these demands requires new skill sets, enhanced training and education, and creates opportunities for automation to improve and streamline processes.
- Digitizing Donor Relations: It’s not enough to create an annual report and share it online, or to send regular email and mail communications on impact and outcomes. Donors expect near real-time reporting, with frequent updates. A large number of nonprofits already use social media to communicate with external stakeholders and that is only likely to increase.
- Communicating Clearly & Often: It’s no secret that budgets have been constrained by economic and donor and funding shifts. To mitigate surprises down the line, start the budgeting process early and make projections to give a realistic picture of how the organization’s financial situation could shake out. By planning ahead and communicating early and often, stakeholders will be better prepared to advise and respond.
4. Governance & Compliance: Lack of compliance with a regulation or insufficient board oversight on a key risk like cybersecurity can erase great mission-driven outcomes, sever trust with stakeholders and put the entire organization in jeopardy. The professionals in and outside of a nonprofit organization who proactively plan for risk, digest and implement new regulations, and prepare for compliance changes are unsung heroes who do behind-the-scenes, labor-intensive work to ensure the broader organization can focus on its mission without the worry of hitting costly roadblocks.
- Staying Cyber Secure: Nonprofits can’t maximize their impact if they are constantly responding to data privacy breaches or cyberattacks. A hack can take down a great organization by erasing trust and diverting resources from the mission. Nonprofits should think of these efforts as their secret weapon, not a financial anchor weighing them down. Even with limited resources, nonprofits must take a proactive approach to regulatory compliance and risk mitigation because the alternative could mean betraying donor and public trust and could result in financial ruin.
- Managing Your Data Plan: Consider a holistic data privacy strategy as part of your data governance program. A Privacy Operational Life Cycle that helps keep employees apprised of new privacy requirements, embraces recordkeeping and sound data protection practices, and offers enhanced data privacy for stakeholders is crucial with the General Data Protection Regulation in effect and other state and national laws in motion.
- Tax-Exempt, not Tax-Blind: Nonprofits also know that tax-exempt doesn’t mean they can ignore taxes. Tax reform provided another significant shift in rules for nonprofits to address. Major changes to unrelated business income, executive compensation, endowment taxes for higher education institutions and changes to charitable giving deductions, among other items, impacted nonprofits and created significant compliance work for internal and external teams. Assessing guidance and understanding total tax liability is critical to strategic tax planning and maintaining operations. With changes to the tax code still a possibility in the future (including the release of additional guidance), this may be a moving target of sorts for nonprofit leaders, but it’s one that can’t be ignored.
When each of these elements, like the four chambers of the heart, is considered and given priority in setting and executing strategy, nonprofits are poised for greater success and long-term impact.
For more on how to balance a nonprofit heart with a business mindset for optimal, sustainable outcomes, read the first insight in our Nonprofit Heart, Business Mindset series: The Business of Impact.
By Amy Guerra, CPA
Historically there has been diversity in practice among nonprofits with regard to presentation of restricted cash and cash equivalents in the statement of cash flows.
To address this diversity, the Financial Accounting Standards Board (FASB) issued Accounting Standards Update (ASU) No. 2016‑18, Statement of Cash Flows (Topic 230): Restricted Cash. As a result of this ASU, a nonprofit will be required to present the total change in cash, cash equivalents, restricted cash and restricted cash equivalents for the period covered by the statement of cash flows. Thus, cash flows that directly affect restricted cash will be presented in the body of the statement of cash flows regardless of how they are classified in the statement of financial position and the timing of the establishment and release of the restrictions.
The ASU does not define restricted cash and restricted cash equivalents, so how a nonprofit defines these will not be impacted. What will be impacted is how these amounts are presented in the statement of cash flows. Oftentimes, a nonprofit will have these items presented in separate lines throughout its statement of financial position and may not even have them labeled as restricted cash or restricted cash equivalents.
Under the ASU, a nonprofit will show the net cash provided by or used in the operating, investing and financing activities of the nonprofit and the total increase or decrease as a result of these activities on the total of cash, cash equivalents and amounts considered restricted cash and restricted cash equivalents.
Internal transfers between cash and cash equivalents and amounts considered restricted cash and restricted cash equivalents are not deemed to be operating, investing or financing activities and thus the details of any transfers would not be presented in the statement of cash flows.
If a nonprofit identifies cash, cash equivalents, restricted cash and restricted cash equivalents in separate lines in the statement of financial position, these amounts should reconcile to the statement of cash flows. The nonprofit needs to present a reconciliation of the various cash and cash equivalents line items presented in the statement of financial position that shows the total that is presented in the statement of cash flows for each year presented. This reconciliation can be presented either on the face of the statement of cash flows or in the notes to the financial statements. The disclosure may be either in narrative or tabular format. The requirement to provide this reconciliation will allow users of the financial statements to identify where the restricted cash and restricted cash equivalents are included in the statement of financial position and how much is included in these line items.
In addition, a nonprofit must disclose information about the nature of the restrictions on its cash and cash equivalents.
For those nonprofits considered public business entities because they have issued or are a conduit bond obligor for securities that are traded, listed or quoted on an exchange or an over-the-counter market, the ASU is effective for fiscal years beginning after Dec. 15, 2017, and interim periods within those fiscal years. For all other entities, the ASU is effective for financial statements issued for fiscal years beginning after Dec. 15, 2018, and interim periods within fiscal years beginning after Dec. 15, 2019. The adoption of the ASU should be done on a retrospective basis. A nonprofit may opt to adopt the provisions of the ASU early.
Amy Guerra is an Assurance Senior Manager in BDO’s Rosemont office and is the Central Region Audit Quality Director for the Nonprofit practice. With more than 15 years in public accounting, she has extensive nonprofit experience in performing financial statement audits of human service organizations, trade associations, private and operating foundations, and other 501(c)(3) entities. She has extensive experience with Single Audits. Amy is experienced in addressing issues unique to nonprofits, ranging from tax-exempt status to endowments, pledge campaigns, and reserve levels. She understands the reporting and compliance requirements of Form 990 and its related complexities having prepared the Form 990 for several years. She has assisted clients with resolving issues related to board governance and fiduciary responsibility as well as the reconciliation of Form 990 to the audited financial statements. Amy approaches each engagement collaboratively with the client’s accounting department and BDO’s assurance and tax teams. Her responsibilities at BDO include planning, supervising and coordinating audit engagements as well as presenting audit reports and management letters to boards of directors and Finance and Audit Committees. Amy is a CPA in Illinois and a member of the AICPA. She is also a member of Association Forum of Chicagoland. Amy has a B.S. in Accounting from the University of Illinois at Urbana-Champaign.
By Laurie De Armond, CPA and Adam Cole, CPA
The nonprofit industry is anything but static. Many outside factors impact their daily operations. Following is a list of what we see as the top 10 trends that are currently impacting nonprofit organizations.
Protecting Nonprofit Nonpartisanship
The current political environment has created a lot of uncertainty. This uncertainty affects everything from legislation, such as tax reform, to federal funding and government shutdowns, all of which in turn impact nonprofits. This is a struggle that nonprofits are trying to navigate. Nonprofits are focused on providing their services and focusing on their missions and are hopeful that the current political environment does not impact their missions.
Budget Cuts – Federal, State and Local Governments
Over the course of several years many nonprofit organizations have been faced with budget cuts that impact their programs at all levels of government. These budget cuts have put many organizations in financial hardship, particularly in the social services subsegment. The uncertainty of future budget cuts makes it difficult to prepare budgets and cash flow projections for the future. Many organizations are faced with more demand for their services and increased cash requirements for infrastructure while facing uncertainty in their funding sources from government entities. As a result, many are looking to expand their revenue streams to rely less on government funding.
Mergers, Partnerships and Joint Ventures
Many organizations are looking at the potential for a merger, or establishing a partnership or joint venture to accomplish their missions. Many organizations have historically tried to conduct all of the programs on their own. This has caused them to expand their operations into areas that are not their core strengths. Demographic and technology shifts have made it more expensive and more difficult to be successful. As a result many are looking to form partnerships or joint ventures to continue this work successfully. Other organizations are finding that mergers with either another nonprofit or a for-profit may be the best way to continue to serve their constituents.
Technology – Augmented Reality, Automation, Crowdfunding
There is a large push to increase technology used by organizations. The use of these technologies can save the organization money and resources in the long run but does require investment up front. Organizations are trying to implement these technologies but are faced with balancing this with potential decreases in funding.
Cybersecurity is a continued focus for all organizations – both large and small. The increasing complexity in the world of cybersecurity and the increased sophistication of cybersecurity breaches challenge many entities. The need to protect data, especially for health and human services organizations that maintain large amounts of personal data, is critical.
It’s All About Engagement
How nonprofits engage their constituents and donors is more important than ever. Changes in technology and the way in which individuals absorb information are requiring nonprofits to be creative in the way that they use social media. Many organizations struggle to develop a constant stream of content to engage constituents and donors. With the proliferation of crowdfunding, engaging constituents on a regular basis and creating a sense of community are critical.
Changes in Charitable Giving Paradigm
With so many worthy nonprofits and the proliferation of crowdfunding platforms there are a lot of demands for donor dollars. As the charitable giving paradigm continues to evolve, nonprofits must monitor how their core donor base is changing and how they might be affected by these shifts. The good news for now is that the change in the tax law did not seem to have a large impact in 2018 as some had predicted, but some believe the major impact may occur in the coming year once people see the impact of the tax law changes on their tax situation and the charitable contributions they made.
Employee Engagement – As Retention Tool
Nonprofits find that employees are very interested in making an impact in the world. They have joined the organization to specifically make an impact. Employees who don’t see this coming to fruition are likely to leave. Organizations who regularly link employee performance to mission impact may well be more successful at employee retention.
Board Members as Advocates/Developers
An age-old debate – should your board members be fundraisers? The Board should be comprised of various members who bring different skill sets to the Board. If board members are only selected because they can provide funds or act as fundraisers, this can cause issues. However, it is important for many organizations that Board members be contributors and assist with fundraising efforts.
Not-for-profit Sustainability in the Social Services Space
Demand for services provided by social service organizations continues to increase. In addition, services have become more evolved and sophisticated, such as the ability to see a health care provider electronically. These evolutions in how services are provided are demanding more resources, making organizations look closely at how they can fund these changes to keep pace.
By Donna Bernardi Paul, SPHR, SHRM-SCP
Are differences in work and communication style in the workplace among the different generations the cause of leadership/supervisory challenges or is it something else?
There has been a plethora of articles, seminars, webinars and discussions around millennials in the workplace and the challenges of managing and working with them due to their different work style.
When we talk about the importance of differences in the workplace, sometimes we forget about one of the most prominent dimensions—age. There are three main generations in our workforce currently, and we are on the brink of adding a fourth. Understanding how to relate to each is critical to successfully keeping them motivated and engaged in their work.
The Baby Boomers: Born between the end of World War II and the early 1960s. Also known as the “Me Generation.” They grew up with television. Mothers were typically home waiting for their children to come home from school, and children were allowed outside of their homes unsupervised. Their relationships with their parents, teachers and others in authority were somewhat contentious.
Boomers came into the workforce in droves. They were the first “workaholics.” Their frame of reference at work was to spend as much time as possible working, sacrificing time with families, so that good things would come to them. Motivating them at work is typically done via the “carrot and stick” approach.
Generation “X”: Born between the early 1960s and the early 1980s. Also known as the “Latchkey Kids” or the “Sandwich Generation” because they are sandwiched between the huge baby boomer and millennial groups. They grew up in an era when more mothers entered the workforce and children came home from school to an empty home. They fended for themselves. They were instructed not to answer the door to anyone they didn’t know. As a result, they became independent and skeptical. They entered the workforce with the frame of reference they needed to have multiple careers so that they didn’t put all their eggs in one basket. They didn’t want to experience the disappointments of prior generations. They tend to be entrepreneurial and individualistic. Managing them at work became more complicated due to their supercilious attitude and resentment towards the boomers and millennials.
Many feel that they do not have career paths because the boomers aren’t leaving and the millennials are leapfrogging over them.
Generation “Y” (millennials): Born between the early 1980s and the early 2000s. Also known as “Echo Boomers.” They represent the largest generation in the workforce and its members generally have high levels of self-esteem. They are highly educated and technologically savvy. Their preferred communication style is text messaging. Their relationships with their parents tend to be that of friends or peers because their parents typically have moved away from the authoritarian style in which they were raised. As a result, they have grown up in an era where their lives are programmed and organized from birth, which doesn’t prepare them to cope with disappointment or help them to make decisions on their own. For example, their nurseries were monitored via the baby monitor. Their parents organized their social activities via “play dates” vs. allowing them to go outside unsupervised. Moreover, parents of millennials have instilled within their children entitlement attitudes vis-à-vis “everyone is right” and “everyone gets a trophy.” Many parents become advocates for their children with schools, their friends and even their workplaces. As a result, this generation has expectations that may not be realistic. They’ve entered the workplace with the expectation that they can work whenever and however works best for them. Managers from prior generations tend to have trouble supervising this group, even though they were probably the same parents who raised them, because this generation’s virtual style of working is very different from what older generations are used to.
Generation “Z”: Born between the early 2000s and the present. This generation is extremely technologically savvy. Many had iPads as toddlers. They are now in high school and college.
Perhaps the upshot to all of this is that it doesn’t matter to which generation a person belongs since all workers tend to want the same things:
- Good bosses
- Career paths
If you think back on all the jobs you’ve ever had and all the bosses you’ve ever had, which boss would you choose as your favorite and why? Now, give yourself a rating against your favorite boss in order to determine where you would like to develop your supervisory skills. After all, how do people become bosses? Do they go to school to learn how to be a great boss? Not usually. Typically, they do something well from a technical perspective and then they are promoted out of what they do well and placed into a job (managing others) that they may not be familiar with, and for which they get no training. With proper training of its managers and supervisors, organizations have a better chance to have skilled employees who care and are productive regardless of which generation they fall in because people join companies—they quit bosses.
By Marc R. Berger, CPA, JD, LLM
The IRS Tax Exempt and Government Entities (TE/GE) division released its Fiscal Year 2019 Program Letter on Oct. 3, 2018. The Program Letter outlines its projects and priorities for fiscal year 2019 for tax-exempt organizations, employee plans, Indian tribal governments, and tax-exempt bonds. This article focuses on those projects and priorities relating to tax-exempt organizations.
The TE/GE division will continue to refine its compliance strategy approach, which is designed to ensure that its examination programs are focused on the highest priority compliance areas to promote efficient tax administration. In this regard, TE/GE collaborates with its IRS business partners and various other groups and agencies, including the Advisory Committee on Tax Exempt and Government Entities, the U.S. Department of Labor, the Municipal Securities Rulemaking Board, and the Securities and Exchange Commission. TE/GE will continue to use advance data and data analytics to drive decisions about identifying and addressing high-risk areas of noncompliance.
The Tax Cuts and Jobs Act (TCJA) will remain a priority in fiscal year 2019. TE/GE has completed numerous form revisions, as well as guidance and training, and it anticipates more developments in these areas going forward. It plans on initiating additional education efforts in FY 2019 along with TCJA-related compliance strategies.
For the first time this decade, TE/GE is onboarding a significant number of new hires, and is cross-training employees to allow flexibility in directing resources to shifting needs. The increase in employees signals a potential increase in examination and enforcement action.
The bulk of the Program Letter focuses on six areas of its compliance program in an effort to become more effective and efficient. These six areas are:
Compliance strategies are issues approved by TE/GE’s Compliance Governance Board (Board) to identify, prioritize and allocate resources within the TE/GE taxpayer base. Using a web-based portal, TE/GE employees submit suggestions for consideration by the Board. Once approved, these issues are considered priority work. Strategies approved to date include:
- Tax-exempt social clubs under Internal Revenue Code (IRC) Section 501(c)(7) – The focus will be on investment income, non-member income, and non-filers of Form 990-T, Exempt Organization Business Income Tax Return.
- Non-Exempt Charitable Trusts under IRC Section 4947(a)(1) – The focus will be on organizations under-reporting income and over-reporting charitable contributions.
- Tax-exempt organizations that were previously for-profit – The focus will be on organizations formerly operated as for-profit entities prior to their conversion to IRC Section 501(c)(3) organizations.
- Self-dealing by private foundations – The focus will be on organizations with loans to disqualified persons.
- Early retirement incentive plans – Determining whether federal, state or local governmental entities that provide cash (and other) options to employees as an incentive for early retirement have applied proper tax treatment to these benefits.
- Forms W-2/1099 matches – Comparing payments reported on Form 1099-Misc., Miscellaneous Income, with wages reported on Form W-2.
- Notice CP 2100 (backup withholding) – Determining whether mismatched and/or missing taxpayer identification numbers on Form 1099 indicate a failure to comply with backup withholding requirements.
- Worker classification – Determining whether misclassified workers result in incorrectly treating employees as independent contractors.
Data-driven approaches use data, models and queries to select work based on quantitative criteria, which allows TE/GE to allocate resources that focus on issues that have the greatest impact. TE/GE integrates data into its processes and procedures, using return data and historical information to identify the highest risk areas of noncompliance.
With respect to models, this includes continuing to improve compliance models based on Forms 990, 990-EZ, and 990-PF, as well as testing the newly developed model for Form 5227 (Split Interest Trust Information return). In addition, identifying returns containing the highest risk of employment tax noncompliance will be a priority.
Referrals, Claims and Other Casework
Referrals allege noncompliance by a TE/GE entity and are received from internal and external sources. The public can submit a specialized exempt organization referral on Form 13909 (Tax-Exempt Organization Complaint). With respect to referrals, TE/GE will continue to pursue referrals received from all sources alleging noncompliance.
Claims are requests for refunds or credits of overpayments of amounts already assessed and paid, and can include tax, penalties and interest. TE/GE will continue to address claims requests, including high-dollar complex employment tax claims filed by federal, state and local governments.
Other casework includes examining entities that filed and received exemption using Form 1023-EZ, focusing on (1) filers who are ineligible to file Form 1023-EZ, (2) filers who donate to (or pay expenses for) individuals, and (3) filers operating bingo and other gaming activities.
Compliance units are employed to address potential noncompliance, primarily using correspondence contacts known as “compliance checks” and “soft letters”.
A compliance check is correspondence with organizations to inquire about an item on a filed return; to determine if specific reporting requirements have been met; or to determine whether an organization’s activities are consistent with its stated tax-exempt purpose. A compliance check is not an examination.
A soft letter is correspondence with organizations that provides notification of changes in tax-exempt law or compliance issues. A response to these letters is generally not expected.
TE/GE will continue to inform taxpayers via compliance checks and soft letters, in particular in the area of adhering to recordkeeping and information reporting requirements, including:
- Combined Annual Wage Reporting – Focusing on tax-exempt employers that had discrepancies between Form W-2 and either Form 941 or Form 944.
- Financial Assistance Policy – Whether tax-exempt hospitals are complying with IRC Section 501(r)(4).
- Form 990-T Non-filers – Looking for IRC Section 501(c)(7) organizations that reported investment income on Form 990 but did not file Form 990-T.
- Supporting Organizations – Entities that state that they are supporting organizations but have filed Form 990-N, which is not allowed.
TE/GE expects a continued increase in determination applications and will concentrate on identifying new strategies for reducing a filing burden and case processing time. The exempt organizations group expects to hire 40 new revenue agents to process determination applications to help offset application increases and workforce attrition.
Voluntary Compliance and Other Technical Programs
This area is focused primarily in the employee plans group of TE/GE, and enables a plan sponsor, at any time before audit, to pay a fee and receive IRS approval for correction of plan failures.
Management of exempt organizations should evaluate the potential implications of the areas identified in the Program Letter on their organizations and consult with their tax advisors.
By Katherine Gauntt
Sales tax is imposed upon retail sales of tangible personal property and taxable services in 45 states and the District of Columbia. Each state determines the circumstances under which a sales tax is imposed on the purchaser.
Purchases by nonprofit organizations are exempt in most of the states, if the tangible personal property or taxable services are used or consumed exclusively for the purposes for which the organization was established. The states usually require each legal entity to register as a nonprofit entity with the state to receive state tax-exempt status. Upon state authorization, the entity can provide a state-approved exemption certificate to its vendors in order to purchase goods and services without paying sales tax.
While nonprofit organizations can make purchases free of sales tax, their sales of goods and taxable services are usually taxable. One could argue that these sales ultimately benefit the organizations’ nonprofit activities but most states do not extend the nonprofit exemption. Many organizations selling promotional goods on their websites are registered in their home state but rarely are registered in multiple states to collect sales tax. Usually they have no “physical presence” in states beyond their home state and did not have to collect the sales tax. However, everything changed on June 21, 2018 when the U.S. Supreme Court held in South Dakota v. Wayfair that states can require a retailer to collect and remit sales tax even if the retailer lacks an in-state physical presence.
History of the Wayfair Case
Effective May 1, 2016, South Dakota passed a law requiring remote sellers to remit sales tax on all taxable sales if the seller’s gross revenue from the sale of products or taxable services delivered into South Dakota exceeded $100,000 or 200 or more separate transactions. Wayfair, Inc., Overstock.com, Inc. and Newegg Inc. refused to comply on the basis that they had no physical presence in South Dakota and, therefore, were not obligated to collect the sales tax. South Dakota filed a declaratory judgment action in state court. The case was fast-tracked through the South Dakota lower courts. Ultimately, the South Dakota Supreme Court, compelled by the 1992 U.S. Supreme Court decision in Quill, found in favor of Wayfair, Inc. et al. The U.S. Supreme Court in Quill affirmed that “substantial nexus” under the U.S. Constitution’s Commerce Clause required a business to have a physical presence within a state before the state could impose tax or a tax collection obligation.
Nonetheless, the ultimate goal was a U.S. Supreme Court challenge to overturn Quill. On Jan. 12, 2018, the U.S. Supreme Court granted South Dakota’s petition for a Writ of Certiorari with respect to the Wayfair case. Oral argument was heard on April 17, 2018. And on June 21, 2018 the U.S. Supreme Court overruled Quill and the physical presence standard. The Court then ruled that South Dakota’s sales tax economic nexus statute was constitutional and “substantial nexus” under the Commerce Clause. In anticipation of the ruling, many states already had laws on the books which were designed to go into effect if the ruling was favorable. As of Oct. 15, 2018, 35 states have passed some form of economic nexus standard for sales tax purposes.
Wayfair Impact and Action Items for Nonprofits
All industries are likely to see an impact from the Wayfair decision, but industries selling goods and taxable services remotely over the internet at retail have the greatest exposure. Nonprofits carry the same burdens as for-profit e-commerce sellers for taxable goods and services, if their sales reach the economic thresholds established by the states. (For the latest information on thresholds by state go to: https://www.bdo.com/wayfair.) When it comes to Wayfair, it’s also important to keep in mind that all states aren’t equal. The following are areas that nonprofit organizations should review to mitigate their risk of overpaying or under-collecting the sales tax.
Most states require nonprofits to register with the state departments of revenue if they are eligible for a sales tax exemption on purchases. In addition, once the economic thresholds are reached, the nonprofit must register as a vendor with the state since its sales will likely be treated the same as for-profit vendors. Again, each state is different regarding its nonprofit tax registration requirements.
As a result of Wayfair, more sellers will be required to collect sales tax. Many of these sellers either “assume” everything they sell to nonprofits is exempt from tax or default all sales to taxable without consideration for nonprofit status. Either way, nonprofits must be proactive in informing their vendors when to charge them sales tax or they could end up overpaying sales tax on purchases or underpaying and creating a use tax assessment if they are audited. Each vendor’s sales should be reviewed to ensure that, if no sales tax is charged, the sale qualifies for the nonprofit exemption (i.e., the purchase benefits the organization’s nonprofit activities). It is important to establish an exemption certificate policy to ensure that only those vendors selling qualified goods and services are given an exemption certificate. Providing an exemption certificate to a vendor shifts the liability for the tax to the nonprofit even if it is provided in error. Areas where sales to nonprofits are generally taxable include sales of food, lodging, certain types of software and supplies such as uniforms, furniture and fixtures or any other type of sale unrelated to the purpose for which nonprofit status was granted by the state.
Nonprofits should examine their sales volumes in each state and compare them to the economic nexus thresholds established by each state. In general, measurement should be done at a legal entity level if there is more than one legal entity doing business in the state (although some states may combine sales of affiliated legal entities). For tangible products, the state where sales occur is determined by the delivery address. However, certain nonprofits, especially in healthcare, sell tangible goods, digital products (e.g., e-books) and services. In addition, some are part of an organization of affiliated companies consisting of nonprofit and for-profit entities. Nonprofits should consider the following when developing an action plan for determining nexus and potentially charging sales tax:
- Where are the tangible goods, digital products and services sold?
- Do the sales reach the threshold for economic nexus?
- If yes, what are the necessary actions needed for complying?
  - Registration – Nonprofits should register as a vendor in each tax jurisdiction.
  - Taxability of Products Sold – A determination of the tax status of each product sold should be made.
  - Exemption Certificate Procedures – If products are sold to other nonprofits, a process to collect exemption certificates should be established.
  - Billing Sales Tax – A process must be established to charge the correct sales tax on an invoice. To do so, the nonprofit must utilize the most current sales tax rates to charge its customers.
  - Reporting – Depending on volumes, sales tax reporting can be in-house or outsourced through third parties. Most states have portals where tax returns can be filed by keying in the data manually if the nonprofit has established economic nexus in only a few states.
- In addition, nonprofits should consider their internal operational capabilities:
  - Accounting – Do you have Sales Tax Liability Accounts set up that can undergo reconciliation and audits?
  - Technology – Do you have the functionality in your billing system to charge the correct tax on taxable sales?
  - Resources – Do you have enough resources in-house to administer exemption certificates and tax reporting?
  - Document Retention – Most states require retention of all invoices, work papers, tax returns and other supporting documentation to support the taxes reported.
Wayfair has impacted every organization in the country in one form or another. Not all nonprofits sell goods and services, but they may see an uptick in the costs of the things they buy as a result. Those that do sell must perform their own due diligence and incur the costs of compliance just like any other company dealing with the complexities of 46 different state tax jurisdictions with 46 different sets of rules. The rules are still evolving but one thing is certain: Unless Congress acts to change the economic nexus standards established by the Wayfair case, every entity, including nonprofit entities, that buys or sells will incur extra costs in its attempt to comply with current law.
South Dakota v. Wayfair, Inc., 585 U.S. ___ (2018)
Quill Corp. v. North Dakota, 504 U.S. 298 (1992)
In addition to Quill, National Bellas Hess v. Department of Revenue, 386 U.S. 753, 87 S.Ct. 1389 (1967), was also overruled.
By Laurie De Armond, CPA, and Adam Cole, CPA
Nonprofit organizations are uniquely shaped by their mission, history, size, program goals and community.
But leaders of these organizations—whether a CFO at a global health services charity, a CIO of an education endowment or the executive director at a museum—share a common goal of advancing their organization’s mission. To drive forward progress, it’s essential that leaders understand where their organization sits in relation to its peers on objective measures of performance.
The BDO Institute for Nonprofit Excellence’s 2018 benchmarking survey, Nonprofit Standards, surveyed leaders at midrange organizations (those with less than $25 million in annual revenue), upper-midrange organizations ($25-$75 million in annual revenue), and large nonprofits (above $75 million in revenue) to reveal insights nonprofits can leverage to strengthen their organization. Across the spectrum, the report finds that upper-midrange organizations face more significant challenges than their smaller and larger peers.
Funding Challenges Amid Rising Costs
While 56 percent of upper-midrange nonprofits saw their revenues grow over the past year, this was dwarfed by the 69 percent of large nonprofits and 70 percent of midrange nonprofits that also saw some revenue growth. At the same time, nearly half (49 percent) say declining revenue and funding is at least a moderate challenge, compared to 45 percent of midrange and large organizations. Perhaps as a result of this challenge, 49 percent of organizations at this scale maintain six months or less of operating reserves, and one third cite maintaining adequate liquidity as a moderate or significant challenge—indicating a potential gap in the fiscal safety net for these organizations.
Some of the funding challenges upper-midrange nonprofits face may be attributable to the types of funding sources these organizations rely upon, including individual contributions (15 percent), government grants (12.6 percent), fundraising/special events (11.4 percent), and corporate contributions (7.8 percent)—all of which can be either cyclical in nature or impacted by regulatory changes, such as tax reform.
Nevertheless, amid these challenges in securing funding, upper-midrange nonprofits face the same challenges as all other organization sizes in addressing rising overhead costs: 58 percent of upper-midrange nonprofits and nonprofits overall say rising costs is at least a moderate challenge.
Program Growth Emphasizes Importance of Communicating Impact
Despite challenges in securing funding, upper-midrange nonprofits are working to expand their program offerings and deliver on their core mission. Organizations in the upper-midrange devote 80 percent of their total expenditures to program-related activities—compared to 78 percent for large nonprofits and 68 percent for midrange nonprofits. Forty-two percent of upper-midrange nonprofits also say the inability to meet demand for their services is a high or moderate challenge, and 58 percent are responding by planning to introduce new programs in the next year without eliminating others.
This program expansion makes demonstrating impact to stakeholders more important than ever. When it comes to making an impact, nearly all nonprofits surveyed (93 percent) communicate their impact outside of the organization; meanwhile, 72 percent of upper-midrange nonprofits say some portion of their donors have demanded more information about outcomes and impact than before.
But as nonprofit leaders know all too well, reporting impact to donors and other stakeholders is no easy task. Organizations in the upper-midrange are more likely than midrange or large nonprofits to say they face moderate or significant challenges in reporting impact, including having no consistent framework for measuring and reporting (66 percent vs. 56 and 53 percent, respectively), lacking clear program objectives and/or key performance indicators (55 percent vs. 43 and 41 percent, respectively), and inadequate financial resources devoted to reporting (55 percent vs. 31 and 33 percent, respectively).
Recruitment and Retention Challenge Upper-Midrange Organizations
Nonprofits derive their strength from dedicated and driven employees, yet recruitment and retention remain a high or moderate challenge for 6 in 10 nonprofit leaders. Upper-midrange nonprofits are the most concerned, with 70 percent citing recruitment and retention as a high or moderate challenge, compared to 61 percent of large organizations and only 35 percent of midrange organizations.
Key factors in keeping employees engaged and growing employee satisfaction levels for all organizations include having competitive compensation levels (59 percent), up-to-date technology (58 percent), internal communications (54 percent), and management-employee relations (51 percent). These challenges were all most pronounced among upper-midsized organizations. While 7 in 10 midrange nonprofits were able to provide at least a 3 percent increase in employee compensation levels within the last year, only 44 percent of upper-midrange and large nonprofits were able to do the same.
Overcoming Key Challenges: Planning Ahead
Do the data show that upper-midrange nonprofits are doomed? Not at all. Instead, this year’s Nonprofit Standards highlights the success of many nonprofits that were able to overcome these classic scaling challenges to grow successfully and expand their programs.
While not comprehensive, below are some best practices for organizations looking to overcome these challenges.
Fundraising Effectiveness: Nonprofits looking to increase their fundraising effectiveness should:
- Match their donor behavior. Nonprofits should consider what influences their donors to donate in general—and to their organization specifically—and tailor their messaging accordingly.
- Reduce their giving barriers. It’s critical that organizations regularly update and modernize their donation channels (including online and mobile giving platforms) to keep pace with changing consumer behavior.
- Leverage data analytics. Nonprofits should dig into their own data to understand the demographics of their core contributors and to identify new prospects. (See the article on page 10 entitled, How Predictive Analytics is Transforming NPO Fundraising.)
Donor Communications & Impact Reporting: To ensure smoother donor communications and reporting, nonprofits should:
- Start with the end in mind. Organizations should identify the story they want to tell their stakeholders and paint a vision of what the world could look like if their mission were achieved.
- Make reporting an ongoing process. Nonprofits should gather and report data on a quarterly or monthly basis to keep stakeholders in the loop and make year-end reports less daunting.
- Remain transparent. Nonprofit reports offer an unparalleled opportunity to contextualize an organization’s metrics and finances.
- Share their report widely. Organizations should distribute their report via multiple channels so both existing and prospective donors have a chance to see it.
Staffing and Recruiting: To maintain and attract top talent, nonprofits should:
- Stay competitive in their local market. Nonprofits should ensure their policies make their organization an attractive place for potential employees.
- Capitalize on flexible work options. Remote work arrangements can be both beneficial to employees and cost-effective for organizations.
- Remain proactive about succession planning. With 4 million baby boomers retiring each year, the need for a succession plan is a “when” rather than an “if” scenario.
The more upper-midrange nonprofits—and those of all sizes—can learn from benchmarking against their peers, the better prepared they will be to advance their mission and support continued growth. Gaining intelligence is vital to staying afloat.
Adapted from an article originally published in NC State University’s Philanthropy Journal News.
By Michael Conover
I have previously discussed the inevitable transition of numerous baby boomers holding leadership posts in nonprofit organizations. The topic has been well-covered in a variety of publications for nearly a decade.
However, I believe the seismic shift that some have predicted has failed to materialize on a scale that was predicted. I attribute this to a variety of factors, including: delayed retirements out of financial need or resistance to change; belief that age 75 is the new 65; or just procrastination.
The slowdown in the rate of change will not soften its impact. It may intensify it. The delay on the part of these baby boomer executives and the boards to whom they report could increase the likelihood of an unexpected and disruptive leadership crisis. The problems can range from a noticeable decline in performance to an abrupt departure caused by sickness or death. Leadership changes under the best of circumstances are not 100 percent successful; thus, in crisis mode, the odds of success are much slimmer.
The other obstacle I allude to in my title is executive retirement arrangements (or lack of same). As organizations finally confront the departure of a long-tenured and critically important executive, the details of the retirement arrangements come to the forefront. This is the point at which many organizations and executives discover the price that will be paid for failing to address this important issue well in advance. Proper advance planning can not only minimize financial uncertainties for the executive and the organization that may interfere with retirement planning, but can prevent other potential and very expensive obstacles as well.
Many compensation committees have failed to proactively raise the subject of retirement plans and acknowledge the impact that they will have on an orderly retirement / leadership transition. There are a variety of reasons including: financial costs; reluctance to broach the subject of leadership change; mistaken assumptions that arrangements made many years ago will address the needs; embarrassment that arrangements are inadequate or have not been made; etc. Committee members must realize that time is not on their side for addressing retirement-related arrangements. Delaying can create many negative impacts for both the executive and the organization.
I would like to describe a few different scenarios that illustrate the types of situations we have discovered in “11th hour” reviews of retirement arrangements:
Plan Document Failures: Plan documents (e.g., employment contracts, deferred compensation arrangements, life insurance plans, etc.) developed many years ago and / or those that have been drafted without the benefit of needed expertise to ensure compliance with current requirements pose potential problems to the unwary.
The inclusion of what appear to be ordinary terms in the arrangements, or the failure to include critical details, can prove disastrous in terms of potential tax liability and penalties for the executive as well as the employer. Language included to ensure that retirement resources are secure may produce inadvertent vesting of a benefit and tax liability long before it is actually available. Similarly, incorrectly structuring payments can result in an unforeseen tax liability and punitive excise tax penalties.
If these issues are identified proactively or within a time period that corrective actions can be taken, the problems can be minimized. There is, however, a point at which it is simply too late.
Plan Administration Failures: In some instances, well-drafted plan documents are not adhered to from an administrative standpoint. Contributions, excess contributions, payment amounts and / or payment terms are made that fail to follow plan requirements. The failure to ensure compliance may result in adverse tax consequences to the executive and the organization.
Failures to properly recognize and report details of retirement arrangements are also common. The executive’s W-2 form, personal tax return and the organization’s Form 990 may all need to include information related to the plan arrangements as well as timely recognition of income when vesting occurs. Discovering these issues after the fact can necessitate amending prior year returns and also involve adverse tax consequences to the executive and the organization.
Improbable Catch Up: A compensation committee’s failure to establish a specific position on retirement benefits for the executive, as well as a specific objective for the level of benefits to be provided well in advance of the probable retirement event, drastically diminishes the likelihood of providing any level of benefit beyond that provided to all employees. Waiting until just a year or two prior to retirement will likely place an unreasonable financial burden on the organization to fund a benefit that might have been spread over many years of employment. Similarly, large contributions / payments toward the very end of employment may trigger an excess benefit situation, or the appearance of same, that may create adverse consequences for the executive and the organization.
The Wake-Up Call
Most compensation committees spend most of their time on decisions about current cash compensation (i.e., salary, bonus and incentive) matters for executives. Clearly, these are important matters and ones that require the committee’s attention in light of the disclosure of this information to external stakeholders and the public. I am not suggesting the committee members spend any less time on them.
I am, however, suggesting that compensation committees incorporate an immediate and recurring review of the organization’s retirement program to ensure that all documentation, administration and funding are in accordance with the organization’s policy, on track to meet stated objectives and fully compliant with pertinent regulatory and reporting requirements. Regular checkups may also be beneficial in helping the organization to be more attentive and proactive on succession / transition needs. As we have pointed out, delay on these matters is the enemy of effective solutions.
Executive management also has a role to play in this wake-up call. Steps should be taken to ensure that the compensation committee has access to all internal and external information and advice that will help it confirm that the retirement arrangements pose no obstacles to the inevitable retirement and leadership succession that every organization faces.
By Lee Klumpp, CPA, CGMA and Laura Kalick, JD, LLM in Taxation
The Financial Accounting Standards Board (FASB) recently posted a Q&A stating the FASB staff would not object to nonprofits applying guidance from the Securities and Exchange Commission (SEC) on the application of Topic 740, Income Taxes, in the reporting period that includes the date on which the new tax law was signed.
The SEC staff issues statements expressing a view on applying topics in the FASB Accounting Standards Codification (ASC) and/or disclosure requirements through staff accounting bulletins (SABs). These statements represent the practices and interpretations followed by the SEC staff. Historically, even though the SEC staff’s views and interpretations aren’t directly applicable, nonprofits have chosen to apply the guidance in the SABs.
When the new tax law was signed, the SEC staff released SAB 118 for applying Topic 740, Income Taxes, as it relates to tax reform. SAB 118 outlines the approach entities may take if they determine that the necessary information is not available (in reasonable detail) to evaluate, compute and prepare accounting entries to recognize the effect(s) of the new tax law by the time the financial statements are required to be filed. Entities may use this approach when the timely determination of some or all of the income tax effect(s) from the tax law is incomplete by the due date of the financial statements. SAB 118 also prescribes disclosures that reporting entities must provide in these circumstances.
MAIN PROVISIONS OF THE FASB Q&A
The FASB staff would not object to nonprofits applying SAB 118, which the staff believes complies with generally accepted accounting principles (GAAP). This view is based upon the historical application of SABs by nonprofits.
The FASB staff also believes that a nonprofit opting to apply SAB 118 would need to do so in its entirety, including the disclosure requirements. Such a reporting entity should also disclose its accounting policy of applying SAB 118, as required by ASC paragraphs 235-10-50-1 through 50-3.
Article reprinted from the BDO Nonprofit Standard blog.
This article originally appeared in BDO USA, LLP’s “Nonprofit Standard” newsletter (Summer 2018). Copyright © 2018 BDO USA, LLP. All rights reserved. www.bdo.com.
By Ken Eye and Andrea Wilson
The internal audit (IA) function is vital to the health of any nonprofit, regardless of mission or scope. The audit committee and its individual members are crucial partners in safeguarding the integrity, purpose and, ultimately, the success of organizations.
But they often face challenges navigating a strained regulatory environment, all while trying to do more with less. Adjusting to these new realities means that proper management is more important than ever. This article outlines the top 10 challenges keeping internal auditors up at night and provides remedies to help them continue their critical work.
1. CHANGES TO OPERATIONS OR STRATEGY
For most nonprofit organizations, change is inevitable. As the needs of communities, internal dynamics, priorities and leadership transform, nonprofits adjust their mission and strategies. While this dynamism is essential for organizations to further their work, change can create strain for internal auditors. Whether it’s expanding operations to a new location, working with new donors or rolling out a new organizational structure, internal auditors are often left scrambling to ensure compliance.
THE REMEDY: Change is unavoidable, but compliance headaches don’t have to be. Nonprofits should be proactive about integrating internal audit into large scale organizational changes. This means allocating IA resources to evaluate emerging compliance and legal requirements, incorporating IA into the strategic decision-making process at the outset, revising policies and procedures with the new compliance environment, and developing succession plans to facilitate smooth personnel changes. And, IA should not just be involved in the change process—organizations should allow internal auditors to conduct post-implementation assessments to ensure ongoing compliance.
2. ORGANIZATIONAL CULTURE
The organizational culture of nonprofit organizations usually centers on a mission that employees are passionate about. This passion attracts staff personally motivated to help the overall organization succeed, but can come at the cost of internal controls. For nonprofits, “the cause” can often be promoted at any cost. Mid-level management professionals can be highly skilled in technical areas, but may lack knowledge in compliance, financial accountability and oversight. A lack of interactive communication between key administrative and program units within the organization can result in insufficient internal controls.
THE REMEDY: To balance maintaining organizational culture with proper operational management, communication is essential. Nonprofits should develop a sound communication strategy that brings the internal audit and compliance functions in regular contact with the rest of the staff. During these interactions, IA professionals should be sure to communicate how risk management practices align with overall organizational strategy and mission objectives. Bringing people together in this way helps make IA an integral part of an organization, rather than an afterthought.
Even when strong communications are in place, breakdowns are sometimes inevitable. Organizations should conduct regular assessments of business processes to determine where breakdowns in communication between business units occur. These assessments should help identify gaps that could pose significant risks to the organization.
Based on the results of these assessments, organizations should design and implement remediation plans, including scheduling necessary trainings for all employees and rolling out new process flows and accountability points to close any gaps.
3. NEW TECHNOLOGY
Technological advances help organizations store and share data, but new technology is often implemented without the knowledge or involvement of the internal audit function, to potentially disastrous and costly results. Ideally, internal auditors should assess new technology well before it’s utilized to review issues like control over sensitive data, continuity of the technologies between offices, and adherence to compliance and regulatory requirements. Without this review, nonprofits leave themselves open to a number of risky consequences, as well as operational inefficiencies.
THE REMEDY: Technology can be a huge boon to nonprofit organizations, but only when it’s used wisely. IA should work with nonprofit leaders to first assess technology currently being used organization-wide, and then identify what the organization still needs to address. Internal auditors can assist with researching and proposing approved technologies for organization-wide usage, to facilitate cohesion and compliance and to help management improve system efficiencies.
Organizations also need to implement proper internal controls to ensure they’re mitigating technology risk as much as possible. IA can conduct a risk assessment of each technology used and implement policies to restrict or prevent the use of high-risk programs or devices. Organizations should also require similar checks and risk assessments for all new technology prior to usage.
4. CYBERSECURITY
With new technologies exploding in popularity, cybersecurity risks abound. Nonprofit organizations often mistakenly believe they aren’t of interest to cyber criminals, but the amount of personal data they store from donors and employees, and the tendency to underinvest in cybersecurity measures, make them an ideal target. It can be difficult for nonprofits to maintain up-to-date technology and hardware, keep pace with technological changes and navigate the shifting regulatory landscape with their limited funding. Nonprofits also frequently partner with technology suppliers and other contractors that leave them open to third-party cyber risks.
THE REMEDY: The first step to mitigating cyber risk is to conduct an organization-wide cybersecurity risk assessment that includes partner, contractor and technology supplier cybersecurity as part of the due diligence process. This assessment should shed light on where internal and external gaps exist. Following the assessment, organizations should implement additional controls by updating policies, procedures and internal controls to address identified gaps.
A startling number of cyber incidents arise from employees unknowingly exposing the organization to bad actors. Training staff to recognize these exposures is fundamental to their prevention. Nonprofits need to regularly communicate risks to employees and vendors to ensure everyone is adhering to established policies.
Monitoring cyber risk needs to be an ongoing effort. Nonprofits should develop a risk assessment schedule to examine internal partner, contractor and technology supplier cybersecurity on a quarterly or annual basis. Internal audit can assist with implementing these assessments.
5. COMPLIANCE WITH FUNDER REQUIREMENTS
Nonprofit organizations often have the unique challenge of negotiating compliance requirements across multiple funding sources including government entities, individuals, private foundations or other organizations. This challenge is only growing as budget cuts force organizations to focus on diversifying revenue streams and expanding donor pools, and with a recent increase in donor audits of specific grant activity at the materiality level. Further complicating the matter is a growing emphasis on international accounting standards (as opposed to relying on U.S. generally accepted accounting principles).
THE REMEDY: To clarify exactly what funding requirements an organization faces, it should conduct a compliance assessment, comparing requirements across all donor agreements to determine areas of overlap and areas of discontinuity. These agreements should then be compared against written policies and current practices to identify gaps.
Remediation plans can amend policies and procedures, and staff trainings should be conducted to ensure all levels and functions understand their role in maintaining compliance with funding requirements.
Staying current is critical. Nonprofits should develop a compliance assessment schedule, and IA and compliance departments need to stay on top of new funding streams and emerging trends so they can pivot when necessary.
6. FINANCIAL CONTROLS
Even though nonprofits are motivated by making an impact rather than money, organizations still face a host of hurdles when it comes to financial management. Many international nonprofits operate in countries with cash-based economies, making it tough to maintain adequate control of funds and sufficient supporting documentation. And new payment technologies, while enabling new and widespread operational tools, are often accompanied by verification and other control challenges. Nonprofits also face resource constraints and may have a limited number of finance staff to oversee financial management processes, which can be manual and prone to human error. For organizations with several offices, branches often operate with little to no centralized oversight over their accounting and cash management procedures.
THE REMEDY: Nonprofits should review cash management procedures and evaluate typical expenditure cycles to identify potential risk areas across the entirety of an organization. Internal audit is central in assisting management in testing cash management controls.
Organizations can then implement additional controls in keeping with best practices, like limiting cash handling or volume of cash transactions where possible. Nonprofit managers should consider investing in technologies and resources that limit high risk processes.
Standardizing procedures will help cut down on variance of practices between offices. All branches should centralize accounting and reporting procedures. At a minimum, each location should maintain copies of supporting documentation of all expenditures and financial reporting and should regularly review them with staff.
7. RELIANCE ON THIRD PARTIES
Vendor actions can create extremely adverse consequences for nonprofit organizations. Concerns range from reputation damage to the vendor’s illegal acts being attributed to the nonprofit organization. This risk applies to all types of organizational relationships with vendors and nonprofits, especially those administering federal grant programs given increased subrecipient monitoring and due diligence requirements.
Despite the risks, most nonprofits rely on partners or contractors for critical program functions. This makes it difficult to conduct due diligence reviews and monitoring activities, particularly when the partners/contractors are numerous, geographically dispersed or operating overseas. Partners are normally tasked with self-reporting, meaning frauds like ghost employee payments are easily hidden. Contractors also usually have access to organizational networks and information, creating an additional layer of risk.
THE REMEDY: Organizations should review current policies and procedures to ensure robust due diligence and monitoring processes are in place for all third-party relationships. This should include an assessment of partner/contractor access to project data, systems and networks, and the limitation of access where possible.
Nonprofits need to implement additional monitoring and verification processes, including:
- Conducting regular spot reviews or investigations of reported data
- Requiring partners and contractors to certify financial and programmatic assertions
- Verifying number of partner/contractor staff and salary payment amounts
- Conducting unannounced site visits
- Considering third-party verification systems
These processes should be re-evaluated on a regular basis to ensure their effectiveness.
8. PROCUREMENT PROCEDURES
Nonprofit organizations rely heavily on non-competitive procurement processes for several reasons. Often, procurement procedures, selection criteria and selection decisions are inadequately documented, leaving organizations unable to show that there was no bias in the selection process. Preferred vendor lists are rarely updated, and control of vendor solicitation, selection and site visits is often left with just a few individuals.
THE REMEDY: IA should review current procurement procedures against industry standards and donor requirements. They should also be transparent about their procurement policies including:
- Publicly announcing tenders as much as possible
- Updating vendor lists through open competition as frequently as possible
- Verifying vendors and prices through in-person or third-party checks
- Comparing bids against market prices
- Documenting criteria and selection procedures to bid samples with procurement files
- Ensuring procurement/selection committees are rotated on a regular basis
9. TRANSPORTATION AND DISTRIBUTION
For organizations that distribute goods, inventory management and oversight can prove to be major sources of stress for internal auditors. Often, nonprofits have difficulties verifying receipt of goods or services by their intended beneficiary, and confirming the goods provided are in the same quality and quantity as what was purchased. Diversion, theft and product substitution are especially difficult to identify. Despite resource and capacity issues, recent increased scrutiny of internal controls and supply chain management means that organizations need to address these issues sooner rather than later.
THE REMEDY: To help combat issues in the distribution chain, organizations need to shore up monitoring procedures by:
- Establishing monitoring teams for critical points along the supply chain
- Implementing two-step or three-step verification procedures at each critical stage
- Hiring a third party to conduct site visits and monitor transportation and distribution
- Using technology to assist in tracking and monitoring, including unique identifiers on products for inventory and tracking purposes and requiring distributors to take time-stamped photos/videos of deliveries
Another effective risk mitigation strategy is to communicate directly with beneficiaries. Organizations can hold pre-distribution meetings with communities to review any past issues or concerns. Detailed packing lists and/or photographs of parcel contents should be inside packages. Nonprofits can include clauses in contracts with distributors to withhold payments until delivery is confirmed. This further ensures the distributor is holding up its end of the agreement.
10. FRAUD AND CORRUPTION
It’s the job of the internal audit function to uncover fraud, waste and abuse in nonprofit organizations, but often they are set up for failure. Due to a lack of communication between functional and program units within organizations, increased use of third parties, outdated systems, increased regulations (and the list goes on…), the opportunity to exploit a nonprofit’s controls is growing at a time when IA resources are shrinking and reputational risk for organizations is at an all-time high.
THE REMEDY: Preventing fraud starts within an organization itself. Stakeholders should evaluate current fraud prevention, detection and investigation measures against regulatory requirements and develop a plan to remediate any identified gaps. They should also be sure to provide accessible fraud reporting mechanisms for all employees, partners, grantees/beneficiaries and stakeholders.
Despite resource constraints, organizations need to ensure IA has the appropriate level of resources to detect and investigate potential cases of fraud. Funds should also be set aside for visits to third parties and office locations and the establishment of a fraud hotline. Put a process in place to notify any impacted funders in a timely manner and in line with donor requirements to prevent exacerbating the impact when fraud does occur.
It’s also key to establish a fraud prevention and detection assessment schedule so practices can stay up-to-date and make sure nothing falls through the cracks.
Internal auditors at nonprofits have a tough, but essential job that’s key to keeping the organization focused on mission fulfillment. By assessing current practices, developing action plans and regularly monitoring activities, organizations can mitigate risk and serve their beneficiaries more effectively.
By Lewis Sharpstone, CPA
The quality and completeness of the audit committee charters that I have seen typically range from very good to great. This is why there is no mention in this article, other than here, of core audit committee responsibilities such as auditor appointment, audit review, monitoring of whistleblowing incidents, or conflicts of interest reporting. However, here are my top five suggestions that should be considered for strengthening even a great audit committee charter.
- INCORPORATE ALL YOUR STATE AUDIT COMMITTEE REQUIREMENTS INTO THE CHARTER
For example, under California law there are stated guidelines as to who can and cannot serve on the audit committee. The most well-known California rule is that no more than 50 percent of the audit committee can comprise finance committee members. Most California audit committee charters I see cover this rule. But many California audit committee charters I see don’t include the lesser known but equally important rules. For example, in California the chair of the audit committee is also prohibited from serving on the finance committee. Make sure you know your state audit committee requirements, if any, and ensure that they are embedded into your charter.
- MINUTES OF MEETINGS
Part VI, Section A, question 8 of IRS Form 990 reminds us that as a best practice, organizations should memorialize all board meetings with documented minutes. This also applies to all meetings of subcommittees of the board. The audit committee is a subcommittee of the board, so documented minutes should be produced for each meeting. Accordingly, this should be stated in the charter.
- EXECUTIVE SESSIONS
Most audit committees build into their charter the notion that they can hold executive sessions with specific parties. In almost all cases it is either written or implied that executive session means organization staff members are excused from the meeting and the audit committee meets alone with the external auditors or other parties. However, executive sessions can be much broader than this and should probably be defined as such. For example, since the responsibility of audit committees includes a broad understanding of risk, and since a significant risk facing any organization today is cybersecurity, it is probably appropriate for the audit committee to want to meet in executive session with the chief information officer.
- THE AUTHORITY TO INDEPENDENTLY CONSULT WITH AND RETAIN OUTSIDE LEGAL COUNSEL
The audit committee should be collaborative most of the time but function objectively all the time. The authority of the audit committee to retain outside legal counsel, if needed, is recommended to be included in the charter. If the need arises, having this documented within the charter will be important to the audit committee in exercising its responsibilities. Conversely, it might prove almost impossible in certain circumstances for the audit committee to exercise its duties without this authority.
Self-review is a powerful and useful process if performed correctly and periodically. It provides an appropriate time and forum for members of a committee to voice suggestions to improve the effectiveness of the committee on which they serve. Certainly, the absence of an appropriate time and forum to voice these suggestions for improvement can lead to problems down the road. This is why embedding a periodic audit committee effectiveness self-review requirement and process into the charter is highly recommended. The audit committee charter should also be self-reviewed periodically.
By Laura Kalick, JD, LLM in Taxation
Does your tax-exempt organization provide transportation and parking benefits to employees? If so, you may have another commuter headache: a new tax. Under the Tax Cuts and Jobs Act of 2017 (the Act), a provision was added to the Internal Revenue Code that is likely to require many tax-exempt organizations to pay unrelated business income tax (UBIT). Certain costs of qualified transportation, including transit passes, qualified parking and more, will now be taxed as unrelated business income at 21 percent.
The Act added the following provision to the Internal Revenue Code: Internal Revenue Code (IRC) Section 512(a)(7): Increase in unrelated business taxable income by disallowed fringe.
This provision was an attempt to put exempt organizations on the same footing as taxable organizations that will no longer be able to deduct these costs. The provision is effective for amounts paid or incurred after Dec. 31, 2017.
Under this provision, certain qualified transportation fringe benefits, including those relating to parking garages, must be reported as unrelated business income (UBI). All tax-exempt organizations (and a college or university owned and operated by a state or other governmental unit) will have to include as unrelated business taxable income any amounts paid or incurred for any qualified transportation fringe benefit, including the following:
- A ride in a commuter highway vehicle between the employee’s home and workplace.
- A transit pass.
- Qualified parking.
Qualified parking is parking you provide to your employees on or near your business premises. It includes parking on or near the location from which your employees commute to work using mass transit, commuter highway vehicles, or carpools. If an organization has its own garage that is used for parking that is already reported as UBI (e.g., parking for the general public), then the percentage of those costs attributable to the amount already included in its UBI does not have to be included in the amount treated as UBI under the new provision.
The UBIT on these employer costs is 21 percent at the federal level and state taxes may apply as well. Organizations should consider making estimated tax payments on these taxes.
These employee fringe benefits are still excluded from an employee’s income. Employers can generally exclude the value of transportation benefits provided to an employee during 2018 from the employee’s wages up to the following limits:
- $260 per month for combined commuter highway vehicle transportation and transit passes.
- $260 per month for qualified parking.
See IRS Publication 15-B for more information.
Even if the benefit is provided under a compensation reduction agreement, the payment will still result in UBIT for the organization. The only way the organization can avoid counting these benefits as UBI is to have the employee pay for the benefits with after-tax dollars.
COMPENSATION REDUCTION AGREEMENT EXAMPLE:
For 2018, the monthly limit on the amount that may be excluded from an employee’s income for qualified parking benefits is $260. Commuter employees can receive both the transit and parking benefits up to $520 per month tax-free.
On a per employee basis, for commuter and transit passes only, $260 monthly is $3,120 annually, and the UBI tax on this amount at 21 percent is $655 plus state taxes, if applicable. With 100 employees, the federal tax alone would be $655 per employee and approximately $65,500 in total. To the extent your organization provides a commuter benefit of up to $520 per month, the UBI tax can be much more.
- Organizations should determine whether they provide these transportation and parking benefits and, if so, to how many employees, what kind and how much.
- Calculate the estimated tax payments for Federal UBI and the state, if applicable.
- If your organization has not filed Form 990-T in the past, enroll the organization in the Electronic Federal Tax Payment System in order to remit the taxes.
By Karen Schuler, CFE, IGP, IGP and Taryn Crane, PMP
Notwithstanding the EU General Data Protection Regulation (GDPR)—the most sweeping change to data privacy in 20-plus years, with extraterritorial scope that went into effect on May 25, 2018—there are numerous privacy laws that are often overlooked.
Earlier this year, companies like Facebook came under fire for privacy violations, while Congress is looking for ways to protect the privacy of American citizens. These movements are just the beginning of widespread change that we expect for privacy laws over the next several years.
As discussed in the Spring 2018 issue of the Nonprofit Standard in an article entitled “The Integration of Data Privacy into a Data Governance Program,” nonprofits can’t afford to ignore regulations like GDPR as many organizations are impacted due to their global reach. But now that May 25, 2018 has passed and GDPR officially went into effect, it’s time to think about your holistic privacy program—or implementing a Privacy Operational Life Cycle that helps your organization keep employees apprised of new privacy requirements, embraces recordkeeping and sound data protection practices while offering enhanced data privacy for your donors, employees, and constituents.
Think about these areas to develop a sound Privacy Operational Life Cycle:
- Develop an organizational privacy vision and mission, and document the program’s objectives.
- Identify legal and regulatory compliance challenges that are relevant to your organization.
- Locate and document where personal information resides throughout your organization or across third parties (e.g., hosting vendors, outsourced applications).
- Develop a privacy strategy that identifies stakeholders, leverages key functions throughout the organization, creates a process for interfacing within the organization, and outlines a data governance strategy.
- Conduct a privacy awareness workshop to highlight to the entire organization the goals of the program.
- And, finally, develop a structure for your privacy team with a governance model that is clear and consistent for the size of your organization.
The above-mentioned items are a starting point, but there is more to do after you develop your initial structure and communicate the purpose of the program. Below is a guide to developing the Privacy Operational Life Cycle.
DEVELOP AND IMPLEMENT A FRAMEWORK
The framework should provide you with an implementation road map that outlines your privacy procedures and processes. Developing a framework helps you identify high-risk areas, reduce data loss, and measure compliance with laws, regulations, and standards. Frameworks that provide initial guidance include the AICPA and CICA Privacy Framework, ISO 17799/BS 7799, or OECD Privacy Guidelines.
DEVELOP PRIVACY POLICIES
Once you have selected an overall framework to govern your privacy program, look at your existing policies, procedures, and guidelines. During this phase you should evaluate the goals of the privacy program and determine what business initiatives are the baseline of the privacy program. Just remember, as you look to update policies, procedures and guidelines for the organization, ensure that there is a mechanism to enforce these policies. And don’t forget to review the current website privacy notice. This has become a critical target of privacy watchdogs to ensure that you can fulfill the commitment of the statements in that notice.
DEVELOP MECHANISMS TO MEASURE PERFORMANCE
Within your privacy life cycle, it will be important to develop the ability to measure performance of the program. To implement metrics, consider your audience—will it be the board, external parties, regulatory agencies, or the staff?
Determine how you will report on these metrics that you have identified. Decide what measurements you are interested in sharing with your audience and how this could impact funding positively or negatively. Next, determine how you will measure progress toward the organization’s business goals and objectives. Do your best to limit improper metrics that do not support the organization’s mission. And finally, determine the best methods to collect the data you need. Your goal is to demonstrate compliance while establishing the privacy program’s return on investment (ROI).
DEVELOP THE PRIVACY OPERATIONAL LIFE CYCLE
The Privacy Operational Life Cycle should consider measurement, improvements, and the ability to sustain and support the program. To effectively do this, develop an operational life cycle that considers the assessment, protection, governance, and response phases. Some tips to consider for each aspect of the life cycle:
- Assess – embed Privacy by Design (PbD) into the design of technology, business practices, and physical design of new programs. In addition to PbD, regularly evaluate third-party compliance, as well as internal program compliance.
- Protect – ensure that information life cycle management (ILM) is built into your data protection strategy. While it is important to ensure that your data protection strategies mitigate the risk of a data breach, you need to consider sound ILM practices to promote the organization’s data protection strategies. Remember, the less you have, the less you have to protect.
- Govern – while it’s important to be able to evaluate and protect information, you also need to monitor, audit, and communicate the privacy framework. Develop a strategy and operational procedures that allow your organization to maintain a transparent and visibly sound program. And don’t forget to monitor regulatory changes that impact your organization. Develop ongoing processes that allow you to measure the privacy program’s effectiveness.
- Respond – traditionally privacy and security teams viewed their ability to respond as responding to a security event. Today that has changed – it’s much broader and requires the ability to respond to complaints, requests for information, corrections of inaccurate data, clarifications of privacy matters and access requests. When developing your response capabilities, take into consideration these items in addition to your ability to respond to a security event.
Holistic privacy program development is the wave of the future, especially in a competitive world where data is at the core of every business or organization. Establish a program that fits your organization to ensure that you remain ahead of the curve and out of the sight of regulators.
PAY DATA FOR ‘SIMILARLY QUALIFIED PERSONS IN COMPARABLE POSITIONS AT SIMILARLY SITUATED ORGANIZATIONS’
By Michael Conover
Valid information on competitive pay levels and practices for “… similarly qualified persons in comparable positions at similarly situated organizations” has long been the basis for responsible management, and Internal Revenue Service (IRS) enforcement, of appropriate pay practices among all tax-exempt organizations.
When the IRS Intermediate Sanctions (Internal Revenue Code 4958) were enacted, the importance of good comparative data was underscored by its inclusion as one of the three elements of the protection offered in the Rebuttable Presumption of Reasonableness. The data provides a critical context for determining how much and how to pay a nonprofit’s executives.
Regardless of its importance, however, many organizations fail to devote the attention to this important element of their compensation program that it deserves. We regularly work with organizations that have difficulty describing or producing the data used as the basis for executive pay decisions. References are made to “a report done a while ago,” “a survey we had,” or “some Form 990s from organizations like us.” Examining the Form 990s and Schedule Js of these same organizations, we find they have checked all the appropriate boxes related to these data sources and yet there is little or nothing to be found.
Another group of organizations we find has a different competitive data issue. They have competitive data to offer as the basis of compensation decisions, but there are serious issues about the quality and comparability of the data being used. The data may be drawn from organizations that are not at all comparable, positions that are marginally similar or based on such a small sample that the data’s validity is very questionable. In these situations, this poor data may be as bad as, or possibly worse than, having no data at all because it may lead to problematic pay decisions.
Obtaining and properly using good data for compensation purposes requires some thoughtful examination of your organization, its positions, and the requirements for individuals holding those positions. Only after accurately understanding your own circumstances can a search begin for the sources of valid data needed. Areas that need to be explored include:
- Details of your organization: This information includes the type of service(s) your organization performs as well as the broad organizational metrics that reflect its size and scope (e.g., revenue, operating budget, total assets, number of employees, etc.). These are usually among the factors most readily used for identifying similar organizations.
- Primary role(s) of your position(s): Competitive data sources (surveys, Form 990s, etc.) usually offer only brief descriptions of positions and generic titles for job-matching purposes, so the focus here is on the central purpose of your position and its overall impact on the organization. The chief/principal executive officer and chief/principal financial officer positions tend to be very similar from one organization to another and are Disqualified Individuals from an Intermediate Sanctions perspective. Therefore, they are routinely included in competitive data needs. Ensure you note any significant difference in the role played by your position vs. the typical benchmark. The presence of an additional role not associated with the typical benchmark for the position (or the absence of some portion of the role commonly associated with it) must be taken into account to ensure appropriate comparisons will be made.
- Position requirements: The emphasis on position requirements is intentional. The purpose is to focus on the essential education, expertise, and experience required to perform the role, not what the current incumbent happens to have or acquired in the role. For example, the fact that the current receptionist has five years of experience at the front desk does not mean that five years is a requirement for a qualified incumbent. On the other hand, your position may require a type of professional certification, education, or experience that is unique and essential for successfully performing the role. For example, an individual holding the position of executive director in an association of athletic coaches and involved with external organizations regulating the conduct of the sport must have credible experience in the sport.
Armed with an accurate understanding of your own organization and the positions that will be examined in the competitive compensation assessment, attention now is focused on the identification of the data that will be sought for use in the analysis. The process follows the same criteria referenced above in the descriptors of your organization and positions, as follows:
- Organizations selected for inclusion in the analysis: Typically, these are organizations offering the same types of services that your organization provides. In some instances, there are other types of organizations, perhaps even for-profit ones that employ and compete for executive resources that are very similar to your specific organization. These can also be included in the search for competitive data. Compensation surveys are conducted among many different types of nonprofit organizations (e.g., higher education, social service organizations, professional/trade organizations, philanthropic foundations, etc.). In addition, Form 990 filings from other organizations like yours are also a source of competitive data. If necessary, a custom survey and/or consultant may be required to obtain data for specialized/hard-to-find sources of data.
The size and scope of organizations included in the analysis must be comparable to your organization. Revenue and budget levels for a group of organizations ranging from 50 percent to 200 percent of your size are typically viewed as reasonable for inclusion. Of course, care must be taken to avoid “skewing” the data in the direction of organizations much larger than your own.
I often explain the objective for identification of comparable organizations as comparing “apples to apples,” but it doesn’t necessarily need to be as specific as comparing McIntosh to Fuji.
- Selection of benchmark positions: Positions selected for comparisons should closely resemble the role described in your organization. Titles alone may not fully describe a position’s role or they may be misleading. A controller may be the chief/principal financial officer or a subordinate, depending on the data source in question. In those cases where a significant difference has been identified between your position and the external benchmark, it may be advisable to make adjustments (upward or downward) to competitive data to appropriately compare them.
- Special position requirements: Bona fide requirements for your organization’s position that are not typically associated with the benchmark position may also require an adjustment to competitive data in order to produce an appropriate comparison.
Collecting this information about your organization and the external benchmarks planned for use prior to an analysis of competitive compensation is not the end of this process. Two critical steps remain. First, it is important to engage the organization’s governing body (e.g., board, compensation committee) and involve them in a review of this information and affirmation/modification of it for use in the analysis. Involving the independent members of the organization in the process performs a very helpful educational role about compensation and the importance of good competitive data. It also enlists individuals with a critical oversight role in the governance of pay in an independent validation of the plan to secure the data before it is collected. A sound rationale has been prepared and ratified for the analysis of competitive data which board and management should view as valid for this purpose.
Second, this description of your organization and positions, as well as the external benchmark criteria or the comparative framework, should be documented. It will become part of the other important documents maintained to support the compensation program (e.g., board minutes, compensation strategy/guiding principles, etc.). The framework should be reviewed periodically and updated as needed to ensure its continued relevance to your organization as well as the external marketplace(s) in which you compete for executive resources.
By Joe Sremack, CFE
Robotic process automation is helping both for-profit and nonprofit organizations do more with less. Robotic Process Automation (RPA) is transforming the way organizations across different industries do business. It allows organizations to automate certain types of work processes to reduce the time spent on costly manual tasks and increase efforts to deliver mission-critical work. RPA is helping organizations do more with less, helping them automatically process and store data without having to perform manual data entry, generate financial status reports without spending considerable amounts of time in Excel, and execute outreach campaigns without spending hours in a customer relationship manager (CRM) program. These types of optimizations have been made a reality through RPA, with organizations just beginning to scratch the surface of the possibilities.
RPA is the use of software that automates manual tasks. It eliminates the need for employees to perform repetitive tasks by integrating software that performs the same set of steps the employee does. The software is designed to perform routine tasks across multiple applications and systems within an existing workflow. It performs specific tasks to automate the transfer, editing, reporting and/or saving of data.
At least some portion of white collar employees’ time is spent on repetitive computer tasks. That includes the CEO’s time–about 25 percent of the CEO’s tasks could be automated and RPA can help achieve this. Repetitive work typically involves the collection of data from one or more sources, performing a data manipulation—such as applying data formulas in Excel—and then exporting or saving the information to a readily available location. These are just some of the kinds of work that RPA automates.
One of the main differentiators of RPA from other solutions is that it performs tasks that do not require deep cognitive capabilities. RPA is the automation of a process, but the software is not improved or changed based on the inputs or its results. This is different from machine learning or artificial intelligence (AI) software, which can learn and improve based on the continuous evaluation of its inputs and results. Instead, RPA software simply repetitively performs the same task(s) based on business requirements.
RPA provides several major benefits. The most immediate impact from RPA is that routine tasks are performed in an error-free, consistent manner. RPA also provides an audit trail of work performed, which can be valuable in regulated industries or when the output of a process produces an unexpected result. In addition, RPA solutions can be configured to identify anomalies or red flags that may not be identifiable to an employee.
The long-term benefits are also valuable. Perhaps the most important benefit is increased job satisfaction. When employees are asked which parts of their jobs they dislike the most, the tasks they list usually involve a type of manual work that is a good candidate for an RPA solution.1 This increased job satisfaction results in a better work environment and more productive employees. Moreover, the results of the formerly manual processes become better and the cost savings can be recognized.
APPLICATIONS OF RPA
The list of potential uses for RPA is robust. Most manual computer-based tasks performed by employees can be automated with RPA. RPA is often used for back office functions but can extend to customer relationship management, data analysis, and other key areas that involve manual work.
The best way to understand RPA is to learn about the kinds of problems RPA can solve. For example, an RPA program–called a “bot”–can be used to manage customer email inquiries. The bot monitors a sales inquiry email account and automatically imports the information into the CRM, sends alerts to the sales team, sends an automated message to the customer, and imports the information into other systems that are used to track employee availability and sales campaign successes. This works well when timely responses to customers are required.
An example of a nonprofit-specific use of an RPA solution is the management of fundraising campaigns. In many organizations, this process involves pulling past donor information, generating marketing materials, contacting past and new donors, collecting donor payment information and entering it into accounting software, updating financial information, and updating a donor database. Most of these steps are performed manually, slowing down the process and introducing the risk of error. With an RPA solution, most of this process can be automated, allowing the organization to spend more time interfacing with donors and working on other mission-critical tasks.
The following is a chart that lists several types of tasks that can be automated by department in most organizations:
While the list above appears to be limited to single-department tasks, many of these are cross-department tasks in nature. Consider a process where the finance department needs to work with IT and sales to request multiple data sets, get input, and share the results. Rather than emailing those departments to pull the same data set every quarter to develop an Excel-based report, an RPA solution automatically performs the data pull and generates the entire Excel report. This not only saves time and effort across the various departments, it also enables the finance team to spend more time doing meaningful analysis of the reports and develop projections and deeper insights.
RPA AND NONPROFITS
RPA is well-suited for solving problems encountered by nonprofits since they face many of the same challenges associated with reducing the time employees spend on manual tasks as for-profit organizations. Whether the work involves manually entering accounts receivable and accounts payable data in accounting software, generating compliance reports, or performing outreach campaigns, time is being spent by employees on less valuable work. Employees would agree that they would rather work on mission-specific tasks than repetitive tasks.2
Several examples of the types of nonprofit processes an RPA solution works well with are:
- Pledge campaigns.
- Recurring donation management.
- Digital and print marketing campaigns.
- Outreach campaigns.
- Government and regulatory issue tracking.
- Volunteer management.
Service providers and software developers have begun offering solutions geared toward nonprofits. Several major RPA software developers have recently launched commercial software solutions specifically designed for nonprofits, and service providers who understand the nonprofit sector are able to implement tailored RPA solutions.
RPA solutions can be implemented in several ways. The most common method for organizations is to implement individual bots. These are single programs that perform tasks automatically. The bot can be accessed through a desktop or web-based application. The second method is to implement a server that controls a set of bots within a department or across the organization. The server-based approach is a more robust system that is typically employed when there are a larger number of bots utilized throughout an organization that need to be managed centrally, whereas the individual bot method is appropriate when only several bots are used.
The cost of an RPA solution, a common concern for any organization, depends on these factors:
- Number of bots.
- Time to develop and implement.
- Level of customization.
An enterprise-wide RPA solution of hundreds of bots can be expensive. A smaller implementation with only 10 bots or fewer, however, can be implemented relatively inexpensively and within a short period of time. Companies that sell RPA solutions often have a suite of pre-built bots that can be quickly customized and implemented without requiring a new bot to be developed. As the RPA market matures, the cost will continue to decline.
The key steps for determining whether an RPA solution is appropriate are to:
- Identify where most time and effort is being expended on manual tasks.
- Identify bottlenecks of key processes—specifically identifying manual tasks.
- Implement a pilot program to tackle a high-value discrete task that can have immediate value.
RPA is an exciting new way for organizations to improve their operations while also improving employee job satisfaction. RPA solutions have become a widely adopted strategy for enhancing various parts of organizations’ operations by allowing employees to focus their time and efforts on more high-value and meaningful work. It has helped organizations do significantly more with less while reducing errors, increasing workforce job satisfaction, and better ensuring that deadlines are met. These benefits have been possible with relatively small capital investments and IT resources. While RPA is not applicable to all types of work, it is a good option for reducing hours spent on routine, manual tasks.
BENEFITS OF RPA
- Error-free, consistent results
- Employees can be utilized for higher-value work
- Increased job satisfaction (not spending time doing repetitive, low-value work)
- Faster, more predictable delivery timing
- Documented trail of work performed
- Identify anomalies or other red flags