March 2017 Meeting: Information Security for Nonprofits

Information Security for Nonprofits

Dan Keleher from KPM Consulting gave a presentation on Information Security for Nonprofits. Dan Keleher is the Executive Director of KPM Consulting, LLC, the information technology consulting arm of the CPA firm KPM. Prior to entering consulting, Dan had a distinguished 18-year career with Liberty Mutual, where he was responsible for creating cohesive integration of business needs and information technology. Dan discussed some of the key ways data breaches can occur at a nonprofit organization and the steps that every employee can take to help minimize exposure. He reviewed the top risks for nonprofits after exposure to a data breach, how to identify spear phishing attempts, and tips for improved password security.

What is the goal of information security? Everything that applies to business organizations also applies to an individual’s own computers and personal devices. Information security is designed to reduce or eliminate the risk of exposure from a data breach and the ensuing damage to your company’s reputation. It is especially important to safeguard donor, customer, and employee data: names, addresses, dates of birth, phone numbers, social security numbers, bank account information, and much more. By law, companies have to report data breaches. Since January of this year, there have been over 100 data breaches in Massachusetts alone. Hackers often use “phishing” schemes, where they trick workers into unknowingly revealing a password or downloading malicious software. The data thieves are not necessarily going after money – it is more likely that they are going after data.

How do businesses (and individuals) protect themselves? You can protect yourself from outside threats by installing very robust next generation firewalls. You also need to install very strong internal controls. You need to have data access controls, both physical (locked doors, file cabinets) and logical. Logical access involves authentication controls to ensure that the persons logging into the system are who they say they are. The best way to do this is to combine two or more types of authentication: username, password, code number, secret questions, biometrics, etc. You also need to restrict access to data based on job requirements and separation of duties, and by adopting the principle of least privilege: if you don’t need access to it, you don’t get it, and if you do need access to it, you only get access for the time you need it. Having strong passwords that are complex and are changed on a regular basis is very important.

Next, you need to have a 100% reliable back-up system. You need to back up your hard drives, networks, software programs, everything. Back-ups can be on-site or remote, and can be kept on tape, on disk, or in the cloud. If you get hit with malware or ransomware, you will either need to pay the hackers to restore your system, or you can completely flush the system and restore it from your backup. You need to have a formal plan for doing periodic restore tests and validations. Keep in mind that most hackers can get into any system, given enough time and money.

Finally, you need to educate your employees and the users of your system to recognize threats to the system, to avoid letting those threats in (by not clicking on or opening suspicious emails and attachments), and to report suspicious activity to your system administrator or help desk. Education and training of users is your last line of defense. Also, you can create an incident response plan, periodically review your MA Data Privacy Written Information Security Plan, and run vulnerability scans on your network.

A summary of the key steps to protect your IT system and prevent data breaches is as follows:

  1. Defend the perimeter with a next generation firewall
  2. Control access to your system with authorization controls
  3. Have strong and complex passwords
  4. Keep your software up to date
  5. Secure your data with strong, reliable back-up and recovery plans
  6. Train your users and make them aware of potential threats
  7. Train your staff to be aware of spear phishing and ransomware
  8. Report incidents to your administrator or help desk


The presentation can be found here: KPM_InfoSecurity_03-30-2017-1

February 2017 Meeting: Meet the Massachusetts Attorney General’s Public Charities Division

Meet the Massachusetts Attorney General’s Public Charities Division

Is the sum total of your relationship with the Attorney General’s office the annual filing of the Form PC? Members of the AG’s Nonprofit Organizations/Public Charities Division came to speak about the regulation of the nonprofit sector, their priorities to support a vibrant nonprofit sector, and how they hope to work with you, as nonprofit leaders, to prevent misuse of charitable funds and protect nonprofits and their donors from fraud and loss.

Assistant Attorneys General Courtney Aladro and Emily Gabrault, members of the AG’s Nonprofit Organizations/Public Charities Division, gave a presentation about the regulation of the nonprofit sector, their priorities to support a vibrant nonprofit sector, and how they hope to work with nonprofit leaders to prevent misuse of charitable funds and protect nonprofits and their donors from fraud and loss. They spoke candidly about their work, including some real-life examples of cases their office has seen, current office priorities, and best practices for what to do when problems arise in your organization. They discussed how to avoid common pitfalls and identify red flags to support a constructive relationship with the Division.

The AG’s Nonprofit Organizations/Public Charities Division, which has a staff of 18 people, has as its major purpose to regulate the nonprofit sector, to enforce regulations, and to provide a resource for the sector. In total, the Division oversees approximately 27,000 public charities in the Commonwealth of Massachusetts. The government regulations governing companies (nonprofit and for-profit) are constantly changing: DOL regulations, the definition of exempt and nonexempt, IRS requirements, reporting requirements, etc. In addition, the political climate has changed drastically since the last election, so the AG’s office has started a hate crime hotline, which has received a lot of calls recently.

One area that the AG’s office examines is whether the Board of Directors of a public charity performs its fiduciary duties in a responsible manner. Fiduciary duties include the following: sound fiscal policy; legal and regulatory compliance; sound policies and procedures; oversight of management; Board self-assessment; and safeguarding assets. Board members and management have a duty of loyalty, including policies against conflicts of interest and personal financial gain from corporate decisions. Some of the common problems that the AG’s office has dealt with at public charities are: “founder’s syndrome,” where the charismatic, visionary, committed founder has become autocratic, distracted, weak, and too comfortable with a controllable Board; conflicts of interest in the Board and management; and a lack of structure and sound corporate processes, especially as it relates to checks and balances and separation of duties. Courtney and Emily reviewed the Fraud Triangle, the three points of the triangle being motivation, rationalization, and opportunity.

How do issues involving public charities come to the attention of the AG’s office? Sometimes a Board member contacts the AG, sometimes issues are raised by other government agencies, and sometimes they come from a consumer. The main goal of the Public Charities Division of the AG’s Office is not to penalize or punish an agency, but to assist the agency in correcting the problem and adopting preventive measures and sound policies. The AG can seek restitution, can assess penalties for various violations, and can issue injunctive relief to prevent a “bad actor” from continuing in his/her nonprofit role. Courtney and Emily gave several examples of the types of issues the Division deals with. Example one involved a husband and wife team operating a nonprofit where the lines between personal and business activities became blurred. Example two involved a charity which purchased health insurance from a Board member who worked for the insurance company. Example three involved a lack of segregation of duties, which led to fraud. A civil case is often easier to prosecute than a criminal case. Example four involved an agency that received a funding cut and, as a result, cut back on its operational functions such as paying its employees and paying its debts in order to keep operating. In that case the agency has to maintain its operational functions as well as continue to fulfill its mission. The agency should monitor its expenses and keep ahead of any potential funding issues. The AG’s office lists the best practices for a public charity as the following: have an independent Board; adopt sound, documented policies and procedures; adopt good governance procedures; adopt solid disclosure, evaluation, discussion, and documentation procedures; and have major decisions made by the independent Board.

A question was asked about changing the purpose of a restricted fund when the funder is no longer available. You can go to the AG’s office to try to get that resolved. You cannot borrow from restricted funds or an endowment fund to temporarily fund cash flow shortfalls. Courtney and Emily said that the enforcement priorities for the next year will be to curtail foundation self-dealing and to better monitor how organizations solicit donations.


January 2017 Meeting: Best Practices and What’s New with Procurement Compliance

Best Practices and What’s New with Procurement Compliance

The focal point of the presentation was new procurement requirements for organizations receiving federal grants. Explanation of the standards anchored a broader discussion of best practices for procurement.

The Uniform Guidance (“UG”) containing procurement and contract standards is under Title 2 of the U.S. Code of Federal Regulations (CFR), Part 200: “Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards.” (See Subpart D and Appendix II)

See also: Federal Register – notice regarding the final guidance, 12/26/13

The UG sets forth revised guidelines for the procurement of goods, services, and property using federal funds. The standards apply only to direct expenses charged to federal awards, not to procurements allocated to a grant as part of indirect costs. The revision primarily affects grantees that were subject to A-110, namely educational institutions and nonprofits.

One change is semantic: Under the new guidance, “must” signifies a requirement, whereas “should” (which formerly marked a requirement) now indicates a recommendation.

Major provisions and changes were highlighted:

  • New provision covering conflicts of interest with parent, affiliate or subsidiary organizations
  • Requirement for more detailed record-keeping around procurement (which may be construed as a nudge toward digital records; doing this on paper will likely prove onerous)
  • Focus on adequate competition for contracts
  • A new framework for cost and price evaluation, and new thresholds for mandated methods of procurement
  • Provisions for small and minority-owned businesses
  • Standards for contracts involving pass-through entities

Grantees were given a two-year grace period to implement the guidance on procurement, and the expiration of the grace period depends on your fiscal year. For December 31 year-ends, the grace period ended 12/31/16, and the standards should have been implemented by 1/1/17. If you have a June 30 fiscal year end, you need to implement the standards fully by 7/1/17. If you relied on the grace period, you should have documentation on file that your policy-making body (e.g., your board) elected to do so – it does not need to be submitted, just recorded.

If you receive federal grants, your written policy must comply with the guidance as of the deadline, and from that point on, you need to document compliance with your policy.

When procuring property or services with federal funds, states must follow the same policies they use for procurement with non-federal funds. Nonprofits using federal funds – including those receiving federal funds through the state – need to adhere to the new UG.

Under the new standards, there is an emphasis on adopting well-documented procedures that conform to the guidance, and maintaining oversight to ensure actual compliance with contracts and purchase orders. As part of an overall orientation toward cost containment, the guidance mandates avoidance of superfluous or redundant purchases. In addition, the conflict of interest provisions were strengthened and extended to related organizations, and the standards mandate disciplinary action when procurement standards are flouted or neglected.

The standards encourage the use of federal surplus property in place of new purchases. Also, grant recipients are asked to make use of value engineering clauses in major construction projects. Time and material contracts are acceptable only if other types of contracts are not suitable, and if used, require closer oversight. The overarching theme is cost containment.

The new standards reflect an effort to eliminate favoritism, and to ensure full and open competition. For example, if a contractor is involved in drafting standards or specifications for a contract, they are barred from competing for that contract. In general, organizations need to keep detailed records of the procurement process, including why a method was chosen, what drove particular decisions, and how costs were negotiated. Practices that unnecessarily restrict competition are to be avoided. Geographical preferences cannot be applied, except where mandated by federal standards, such as with architects and engineers who need local expertise. If you use prequalified lists of vendors or suppliers, the lists should include enough options to ensure competition, and should be reviewed regularly.

As a general rule, the scale of procurement dictates the method used. Note that the threshold applies to the aggregate amount directly allocated to a federal contract, and excludes charges from the contractor or supplier that do not involve federal funding.

  • Micro-purchases (under $3K, in the aggregate)
    • Should be distributed equitably among qualified suppliers, to the extent practical
    • If the price is reasonable, these purchases do not require competitive quotes
    • Cost analysis not required
  • Small purchases ($3K-$150K)
    • Must document that quotations were obtained from an “adequate number” of sources, which should be defined by your policy
    • Methods of obtaining quotes should be spelled out in your policy
    • Cost analysis not required
  • Sealed bids (over $150K)
    • Request for bids must be publicly advertised; must define deliverables; and must indicate when and where the bids will be opened.
    • Lowest responsible bidder wins fixed-price contract
    • Sealed bids are the preferred method for construction projects
  • Competitive proposals (over $150K)
    • RFPs must be publicized; must spell out all evaluation criteria; and must be submitted to an “adequate” number of sources, as defined in your policy.
    • Method of technical evaluation and selection must be recorded before process starts
    • Must be more than one source
    • Contract is awarded to proposal that is evaluated most advantageous; factors other than cost and price can be considered
    • Can be either fixed price or cost-reimbursement
    • Competitive proposals are used only when sealed bids are not appropriate
  • Noncompetitive proposals (sole source), regardless of size, must meet at least one of these conditions:
    • The product or service is only available from one source
    • A public exigency or emergency does not allow a competitive process
    • The federal department has approved a written request for a noncompetitive proposal
    • After multiple sources are solicited, competition is judged inadequate

There is more flexibility for purchases below the “Simplified Acquisition Threshold” of $150K. Above that level, you must record a cost or price analysis for every procurement, including modifications. In the case of single bid contracts, you must negotiate profit as part of the price. Cost estimates must be reasonable, and costs are permitted only if allowed under the UG Cost Principles (Subpart E). Cost plus percentage of cost and percentage of construction cost methods are not allowed.

Nonprofits must take affirmative steps to use small and minority businesses (SMB), women’s business enterprises (WBE), and labor surplus area firms.

  • Solicit qualified SMB and WBE whenever possible, and include them on any standing lists
  • Break requirements into smaller packages, to create more opportunities for participation
  • Set project schedules to encourage SMB and WBE participation
  • Tap agencies (e.g., SBA) that promote SMB and WBE businesses
  • Require the prime contractor to adopt these steps when subcontracting

Where pass-through entities are involved, the nonprofit must make technical specifications and procurement documents available to both the federal agency and the pass-through entity. If either the federal agency or the pass-through entity decides that your procurement system complies with the UG, your organization is exempt from pre-procurement review.

Best practices for procurement:

  • Familiarize yourself with the procurement requirements contained in:
  • Understand all contracts – not just federal – for your programs
  • Place procurement in the context of your organization’s culture and experience
  • Review and revise your policies in the context of the requirements flowing from all of your contracts
  • Clearly define roles and responsibilities in policy and practice
  • Train staff on the parts of the procurement process that they are involved in
  • After an implementation period, evaluate the effectiveness of your procedures
  • Ensure that your procurement policy covers all requirements discussed in this presentation in addition to other issues, such as evaluation, disputes, and claims. Some of the key policies and procedures in the context of federal standards are:
    • Conflict of Interest (§ 200.112)
    • Mandatory Disclosures (§ 200.113)
    • Financial Management (§ 200.302)
    • Internal Controls (§ 200.303)
    • Procurement Standards (§ 200.117)
    • Sub-recipient Monitoring (§ 200.331)
    • Personnel Compensation (§ 200.430)
  • Put a working system in place for documenting compliance with your procurement policy

Other resources provided at the presentation: Links to procurement resources, links to federal agency-specific requirements.

Carla McCall is co-managing partner of AAFCPAs and specializes in providing assurance, tax, and business consulting services to sophisticated nonprofit organizations and closely-held companies. Carla’s diverse client base includes health care, arts and cultural, affordable housing, manufacturing and distribution. Carla advises her clients in the specialty areas of revenue recognition, stock option plans, and government contract compliance. She has extensive experience with federal, state and other regulatory compliance requirements of nonprofit organizations.

Hui-Ting is a manager at AAFCPAs and has audit and tax experience with various types of nonprofit organizations, including community development corporations and their development projects with HUD and MHFA requirements, nursing homes, health centers, educational institutions, and social services and behavioral health agencies. She also provides audits in accordance with Uniform Guidance/Single Audit and Government Auditing Standards.


December 1, 2016 Meeting: Common Errors in Financial Statement Preparation and How to Avoid Them

Alexandria Regan, Partner at Citrin Cooperman, gave a presentation about some of the most common errors found in not-for-profit financial statements, the impact that these errors could have on financial statements, and how to avoid errors in financial reporting, including reducing adjusting entries during your audit. Alex is an auditor and has over 21 years of experience working with non-profits.

Financial Statements are the responsibility of the organization that is being audited. The number of audit adjusting journal entries that are included in the final audit documents is an indicator of the adequacy of the organization’s internal controls. During the planning stage of the audit, management should use the previous years’ audited statements as a guide. Ask your auditor for advice about any complicated transactions that you are unsure of and try to resolve any issues before you send the final trial balance to the auditors for the audit.

The first area that Alex discussed where mistakes are commonly made is revenue recognition. There are various forms of revenue, and sometimes there is a grey area when it comes to categorizing the type of revenue. One of those areas is contributions versus exchange transactions. A contribution involves the donor making a donation to support the recipient’s programs; the donor determines the amount and delivery method of the payment, and the recipient is not penalized for non-performance. An exchange transaction is more of a fee-for-service arrangement. A cost reimbursement contract is an exchange transaction. The resource provider makes it clear that it is making payment in exchange for certain benefits or outcomes, determines the delivery method and amount of payment, and the recipient can be penalized for non-performance.

Contributions can be either unconditional or conditional. The organization will recognize unconditional contributions when they occur, but it can only recognize conditional contributions when the conditions are met. Another distinction occurs between intentions to give and promises to give. Intentions to give (such as inclusion in a will) are not recorded until the contribution is received. Promises to give are subject to a different standard. An example would be a grant that is promised over a 5-year period but that you have to match – then you should not book it until the match is achieved. Contributions or pledges receivable that are paid by donor advised funds should not be recognized until payment is received. If an organization receives a 5-year unconditional pledge, then you can book it as a temporarily restricted asset. You should use a risk-adjusted discount rate (present value calculation). The rate should be determined at the date the promise is initially recognized and should not be subsequently revised. Please be aware that multi-year pledges are subject to an implicit time restriction even if the donation is unrestricted for general operations. Multi-year grants should be released according to the due date schedule included in the grant. If expenses are incurred for which both restricted and unrestricted revenue is available, you should book the restricted revenue first. Also, it is not possible to release funds greater than the net asset class balance even if you anticipate future funds. Board-designated net assets are recorded as temporarily or permanently restricted net assets. However, even if funds are designated or restricted for a purpose by the Board, they are still unrestricted for GAAP purposes. Keep in mind that only donors can impose restrictions that create temporarily or permanently restricted net assets.

Other common mistakes in financial statements are the failure to account for an operating lease on a straight-line basis; failure to report fundraising expenses fully; failure to report gifts-in-kind; and the failure to include a statement of functional expenses when required.

The PDF of her presentation is here: npfm-presentation-12-1-16

October 2016 Meeting: Background Checks: the Who, What, When, Where, How & Why

What we covered:

  1. Why should you background check?
  2. Who should you background check?
  3. When should you do it in the hiring process?
  4. What should you check for?
  5. How should you go about it?
  6. What if you find negative information and don’t want to hire?

Dave Wilson, a partner at Hirsch Roberts Weinstein LLP, who advises businesses and non-profits on employment matters, gave a presentation on how to navigate the Commonwealth’s CORI and non-discrimination laws in the hiring process. Kimberly Napoli from the same firm assisted with the presentation.

According to David and Kimberly, the new Massachusetts CORI Law went into effect in 2009, which triggered taking any kind of criminal record question off the job application. The new sequence of hiring is: the applicant fills out the initial written application form with no questions about criminal background, the applicant takes a skills assessment test (if applicable), and then the applicant interviews for the job. Doing a telephone screening first can save time. After an interview, you can have the applicant fill out a Supplemental Application Form, which can include questions about criminal background. The next step is to make the job offer, conditional on a satisfactory CORI (Criminal Offender Record Information) check. The employer then gets the applicant’s written permission for the CORI check and other background screening checks (such as a credit check).

iCORI is the on-line method for doing CORI checks. If you use this site, you need to put in the exact name of the person you are checking. In general, you can check the background of a prospective employee, but you cannot ask about salary history. You can ask what his/her preferred salary range is. If you get a CORI back with an issue on it, the best practice is to give the applicant “due process” – ask them to explain the issue. It could be something that happened a long time ago when they were a teenager, etc. You must provide a copy of the CORI to the applicant. If you are considering not proceeding with the employment based on negative information in the CORI, then your company should send out a “pre-adverse action disclosure letter” to the applicant. A company is not allowed to make a negative hiring decision based on a CORI without discussing it with the applicant first. So the next step is to have further discussion with the candidate, then make a decision, inform the candidate, send out a “post-adverse action disclosure” letter if you use an outside background check service, and then hire or not hire. One helpful hint is to have someone other than the person doing the hiring do a Google and Facebook search on each candidate who will be called in for a final interview.

David and Kimberly pointed out some practices that are important. It is very important to have the applicant fill out a written formal application form. By signing the document, the applicant is stating that everything in the application is true, and if it turns out not to be true, that is grounds for firing the person later on if necessary. Also, even though it is more costly, it is a better practice to use a third-party vendor to do the background checks. It is very important to do background checks, especially for some positions. It is better to screen unsuitable applicants out early in the process. It is also very important that an employer be fair and reasonable when dealing with applicants. Always give applicants and employees due process. For references, you should ask the applicant for the names of their past supervisors and ask his/her permission to talk to them. Better yet, you should ask the applicant to actually set up the call with their former supervisors for you. Also, when making the call, you should state your questions up front. Good reference questions are: What did the person do at your company? What did the person do well? What were some areas that needed improvement? How would you rate the person as an effective employee, from one to ten? If you have questions about using CORI, you can go to the DCJIS website (http://www.mass.gov/eopss/agencies/dcjis/) to access publications with step-by-step instructions.