webinar slides: new and emerging business risks for not-for-profit and educational organizations

New and Emerging Business Risks for Not-for-Profit and Educational Institutions

Presented by: Shareholders Mike Burns, Scott Goldberg and Michelle Spriggs

November 7, 2013

1 #MHMwebinar

To view this webinar in full screen mode, click on view options in the upper right hand corner.

Click the Support tab for technical assistance.

If you have a question during the presentation, please use the Q&A feature at the bottom of your screen.

Before We Get Started…

2 #MHMwebinar

This webinar is eligible for CPE credit. To receive credit, you will need to answer periodic polling questions throughout the webinar.

External participants will receive their CPE certificate via email immediately following the webinar.

CPE Credit

3 #MHMwebinar

Michael T. Burns, CPA Shareholder 617.761.0584 | [email protected] Mike is the Managing Director in Charge of the Firm’s National Not-For-Profit and Higher Education Practice. Additionally, Mike leads the New England Not-For-Profit and Higher Education Practice and provides services directly to a wide variety of educational, cultural and social service organizations. Mike has more than 25 years of audit experience and exclusively serves not-for-profit organizations. He assists clients in the areas of financial statement audits, audits under OMB Circular A-133, financial aid audits, internal control reviews and debt offerings, accounting matters, and related business concerns. Mike has built a reputation for quality service in the not-for-profit community and has been the lead partner on a wide array of New England-based organizations.

Today’s Presenters

Scott J. Goldberg, CPA Shareholder 212.790.5713 | [email protected]

Scott serves as the Not-for-Profit practice leader for the New York office and advises clients with best business approaches to diversified accounting and management issues. He has more than 18 years of experience serving nonprofit organizations including charter schools and charitable, cultural, and health and welfare organizations. Scott’s in-depth background encompasses audits of federal awards in accordance with OMB Circular A-133 and other third-party reimbursements. Scott shares his expertise as an instructor on topics related to nonprofit fiscal management and offers continuing education professional seminars in all areas of nonprofit accounting. In addition, Scott has delivered several presentations to various professional and industry associations.

Michelle E. Spriggs, CPA, MBA Shareholder 774.206.8336 | [email protected] Michelle is a Shareholder in the Firm’s Not-For-Profit and Higher Education Audit Practice. Michelle is the not-for-profit subject matter expert in the Firm’s National Professional Standards Group. She has over 20 years of audit experience and is solely dedicated to serving not-for-profit organizations. Her experience includes managing financial statement and OMB Circular A-133 audits; assisting in bond offerings; providing recommendations on internal controls; and training other accounting and auditing professionals to provide support to not-for-profit clients.

4 #MHMwebinar

The information in this Executive Education Series

course is a brief summary and may not include all the details relevant to your situation.

Please contact your MHM service provider to further

discuss the impact on your financial statements.

Disclaimer

5 #MHMwebinar

Today’s Agenda

1

2

3

4

Governance – Policies, Procedures and Protocol

Governance – Audit Committees: What We Are Seeing Governance – Effective Audit Committees

Management – What We Are Seeing

5 Health Care Reform

6 Questions and Answers

6 #MHMwebinar

Our objective today is to remind you about the various issues, trends and risks (and best practices) that we see impacting not-for-profit and educational organizations.

Our hope is that each of you will leave today with a few new thoughts, ideas or areas that might merit further attention and consideration at your organization.

New and Emerging Trends in Business Risks

GOVERNANCE

What We Are Seeing

8 #MHMwebinar

Our world demands good governance, accountability and transparency.

Our discussion is not intended to be exhaustive, but a primer to use as a reference of “best practices” Tailored to your individual organization Legal counsel review

Federally or State mandated vs. “strenuously advocated” Congress enacted SOX legislation:

whistle-blower (section 1107) document retention (destruction) (section 802)

Senators Charles Grassley/Max Baucus and Independent Sector

UPMIFA (state versions) Investment policies Endowment spending

Governance: Policies, Procedures and Protocol

8

9 #MHMwebinar

IRS redesigned form 990 (Red flags) Mission statement adoption by board Conflict of interest (and annual reaffirmation) Defining “conflict” Which steps to take to ensure

conflicts are handled properly Gift acceptance 990 review process Process for determining

compensation Intermediate sanctions –

Executive Compensation (IRC Section 4958)

Annually evaluate performance


9

10 #MHMwebinar

IRS redesigned form 990 (Red flags) Contemporaneous documentation of meeting held – board and

committees Process to make available – governing documents, conflict of

interest policy and financial statements Oversight of annual financial statement audit Selection of independent accountant Procedures for grant recipient selection Procedures for grant recipient monitoring Governance of local chapters, branches and affiliates


10

11 #MHMwebinar

Other policies: Expense reimbursement Travel Statement of Values and Code of Ethics

Formally adopted written code Often signed off by board, management, staff and volunteers

Familiarity with applicable federal, state and local laws and regulations Fiduciary responsibility Proactively staying current – on whom does the NFP rely?

Protection of assets Understand risks Establish and monitor controls


11

12 #MHMwebinar

Other policies: State solicitations and registrations Debt covenant compliance Review of organizing documents – articles of incorporation,

by-laws, etc. Review of board composition (talent, size, diversity and

structure) Experience Financial skills

Board education and communication


12

13 #MHMwebinar

Most audit committees have adopted fairly detailed charters to plot the agenda of their various meeting and activities they need to carry out to achieve their mission; if your organization does not have a detailed charter, that should be considered.

The AICPA has an excellent template available for free that can be tailored to your own needs.

Most audit committees are now at least asking to understand the results of benefit plan audits which we support given that sponsors are the “make whole” party for benefit plan defects. While often this does not rise to the inspection and oversight associated with the financial statement audit, this is a best practice.

Most audit committees now review IRS Form 990 prior to filing so as to answer questions most positively on that form; still others are reviewing IRS Form 990T. Some bring in their tax advisors for that meeting, while others do not.

Audit Committees - What We Are Seeing

14 #MHMwebinar

Many audit committees have insurance brokers and advisors present periodically about insurance trends, coverage, risk levels and related matter; we believe this is a wise consideration even if on a three-year cyclical basis.

Smaller organizations as seeking out more internal audit/special project support via firms or collaboratives that provide for such services on a outsourced basis.

Most commonly IT is a high exposure/high risk item that outside support is sought out to ensure best practices, good security and modern practices are being followed; this can make for a good road map to the future in IT which many organizations find valuable.

Some organizations now get a formal update from management annually on litigation and exposures which we believe is a best practice.


15 #MHMwebinar

Many audit committees have somewhat expanded their role to effectively become the “Risk Management Committee.”

Some of the activities already mentioned are evidence of this expanding role given that often oversight of these matters is not assigned to any other committee.

We have seen growth in organizations going through formal (consultant) driven enterprise risk assessments.

Still others have chosen to do it on a lower-cost, more-informal basis via tools and materials found on the Internet which can act as a guide to a methodology in such a process.

Those that have gone through this process have found that the role of the audit committee is to be the “risk quarterback”. Thus, the audit committee does not take over each risk, but ensures that a sufficient inventory of risks has been taken, that management has or will have mitigations in place and that oversight is assigned to various committees of the board.


16 #MHMwebinar

Thus, the audit committee assures itself that risk monitoring and oversight is reasonably understood by the committee taking on that charge.

Sometimes there is overlap with an objective. For example, the investment committee might be charged with achieving an investment return, but that needs to be in the context of the overall needs and risk tolerance of the organization; thus we have seen more joint meetings of board committees to calibrate competing demands such as financial conservatism with the need to take risks in the market or the level of need/demand for an endowment draw that is instructive to what committees carry out and recommend to the full board.

Thus committees seem to be increasingly aware that they cannot always carry out their work in isolation within the governance structure.


17 #MHMwebinar

Many audit committees have discussed the need to increase oversight over the CEO’s expenses which can cover two fronts: one expense reimbursements for business expenses and even expenses incurred by the office of the president or CEO.

This practice has emerged given the inherent conflict that exists in that without oversight the CEO’s expenses are effectively approved by subordinates.

In looking at NFP and educational organizations, CEO expenses have frequently been the cause of scandal and embarrassment causing risks to reputation and fundraising which cannot be afforded; often this resulted from the lack of oversight and monitoring.

Many boards now have their chair or audit committee chair review the expenses of the CEO on an after-the-fact basis to make sure they appear to be orderly, documented and reasonable.


18 #MHMwebinar

Increasingly we are seeing more legal talent as part of the audit committee in addition to the traditional financial expertise that has long been valued on the audit committee.

In our view, this is aligned with the evolving role of the audit committee in NFP governance.

We recommend that you consider where your organization is on this journey and consider what elements might make sense or be right to be considering in terms of best and emerging practices in corporate governance.


19 #MHMwebinar

An audit committee’s primary role is to instill confidence that the NFP has established sound internal controls that protect against reputational risk while securing procedures that ensure accountability and independence. Mitigate “headline” risk Manage business risks Avoid distractions Focus on mission Increase transparency

Governance: Effective Audit Committees

19

20 #MHMwebinar

Audit committee considerations Audit committee charter

Define member roles and responsibilities Annual review new laws, regulations, and best practices

Financial expertise considerations Invite individual possessing NFP expertise to join Education initiatives to improve the financial expertise of

the committee as a whole Membership

Independence Prohibit employee from serving


20

21 #MHMwebinar

Audit committee considerations Risk management

Inquire of management, general counsel, external counsel and the external auditors about significant risks or exposures facing the organization, as well as legal and regulatory issues that may have a material impact on the financial statements

Assess the steps management has taken or proposes to take to minimize such risks to the organization

Periodically review compliance with such steps


21

22 #MHMwebinar

Audit committee considerations Meetings

Scheduled as needed, but not less than twice each year Pre-audit

Engage external auditors Meet with external audit partner to discuss scope, timing, materiality,

the communications process, deliverables and fee If internal audit function exists, discuss the ability of the external

auditor to rely upon the results the internal audit team Review and execute engagement letter

Post-audit – Presentation from external auditors

Draft financial statements, including reports Communication with those charged with governance

Required communications Recommendations (“management letter”)

Oversee annual report to the board of directors/trustees Executive session


22

23 #MHMwebinar

Audit committee considerations Meetings

Other meetings/discussions during the year Critical accounting policies and practices used

by the organization If applicable, alternative treatments of financial information within

US GAAP discussed with management The ramifications of each alternative, and the treatment preferred

by the organization Any consultation with audit firms other than the external auditors,

including reasons for and results of the consultation


23

24 #MHMwebinar

Audit committee considerations “Findings” disclosed during annual audit

Discuss with management the course of action Request a timeframe in which these recommendations will be

addressed Set dates on calendar to assess progress


24

25 #MHMwebinar

Audit committee considerations Review various reports and policies annually with leadership

Interim financial statements with emphasis on changes in reporting, new and unusual transactions, and financial trends

Conflict of interest – reaffirmations Significant related party transactions Review all instances of fraud to determine enhancements to antifraud

programs and controls Major risk exposures to fraud and the programs and controls to aid in

its prevention and discovery Whistle-Blower Tracking – Review any complaints that might have

been received, current status and resolution if one has been reached Self-evaluation

Review the accomplishments Make recommendations for improving effectiveness


25

MANAGEMENT

What We Are Seeing

27 #MHMwebinar

Organizations are being assaulted with growing external requirements every day throughout the spectrum of types of NFPs.

Funders attach more strings, business jurisdictions impose local rules both nationally and internationally, more on-site inspections occur by funders and regulators, complexities of programs with federal or state dollars behind them are getting increasing challenging to carry out.

Most organizations continue to be highly decentralized relative to the responsibility and accountability for the managing of these operational complexities.

Larger organizations have long had offices of general counsel or compliance and regulatory affairs, but mid-sized and smaller places have not.

Management: What We Are Seeing

28 #MHMwebinar

Considering a Compliance Officer Role Increasingly non-giant organizations are establishing an internal corporate

counsel or chief compliance officer position. While budget challenges are a real issue here, many organizations have

concluded that the cost of not having this position is greater than the cost of having it.

This position will most often report directly to the CEO/president. This position most often has dotted-line oversight over the various aspects

of regulatory, contractual, human resources and related matters that are housed in various functional areas.

Part of the role of this function is to elevate risk awareness and to ensure uniformity and that best practices are followed across the organization to protect it from the risks and perils that may occur throughout operations.

If you embark on such a role, there will be some growing pains as traditional power centers need to share and collaborate on items.


29 #MHMwebinar

Use of Corporate Credit Cards We have seen heavy growth in the use of corporate credit cards, purchasing

cards and related changes in programs. We prefer the programs where the employee has responsibility to submit

expenses in order to be reimbursed rather than pay off of statements and having to follow up on documentation with the associate.

We prefer programs where the card is in fact a legal obligation of the employee rather than the employer.

We have seen increased use of outside software which allows for downloading of data from the credit card data which can lower the cost and increase the speed of transaction processing.

We are not big fans of corporate credit cards in general. We find many organizations have large quantities of cards floating around. In some cases, this may empower employees to feel a bit more entitled to spend funds than may really be necessary. There is also a cost of administrating these programs.


30 #MHMwebinar

Oversight of Decentralized Functions Many organizations have delegated or must delegate significant authority

to other departments to collect revenues on behalf of the organization. Some are very familiar — such as selling a ticket for entry, registering and

accepting payment for a service and other familiar revenue-generation functions.

Recent incidents of fraud suggest that decentralized functions are at a greater increased risk for fraud, the most common of which would be skimming.

Organizations large and small need to have more robust controls over being assured that revenue transactions are complete (thus ensuring that revenue events are recorded in the various systems).


31 #MHMwebinar

Oversight of Decentralized Functions Point-of-sale controls are the most common area, and probably the best

controlled. Often there is segregation between the sale of a ticket and the admission into a hall, event venue or exhibit. Also, point-of-sale systems tend to have good risk-reducing controls over voiding transactions, printing of tickets. Since accounting turns this function over to other departments in most cases, testing and monitoring by finance is advised.

Other areas do not have such systems. These have a much higher risk. Outside rentals of facilities is a common function run by various departments.

These groups tend to not think about systems, controls and records the way we might normally in accounting.

Often accounting has no role or duty in any aspect of the transaction but for depositing any revenues received which makes it ripe for skimming.


32 #MHMwebinar

Oversight of Decentralized Functions Here are some best practices with these cases:

Make sure there is a price list that must be followed that is signed off and approved by hopefully finance; require deposits in advance.

Require that contracts be issued in advance that outline terms. Make sure that finance is copied on all contracts so that expected cash flows can be monitored.

Do not allow a bank account. If one must be set up, make sure it carefully watched by accounting and that no checks can be written on the account.

Set a good and fair budget for the function. Get granular and understand the activity so budget to actual results have a reasonable chance to detect skim; get others involved (perhaps the supervisor) in the assumptions of that budget as the front-line person with control might have incentive to set that number low in order to reduce the ability to detect a negative trend.

Require that a log book or calendar publically post the use, and manage and monitor the utilization of such use. For example, in the case of athletic fields, periodically observe outside use and check that back to the outside use records. This could go a long way to help ensure that all rentals are reported – let folks know this is done.

Rotate this function and duty to different people over time so you limit the risk of one person being fully responsible for too long.


33 #MHMwebinar

Payment Controls False checks being presented on your bank account is the number one fraud

we are seeing with our clients. While this is most often not from within the organization, it nonetheless represents an ongoing risk.

Many organizations have partnered with their banks to upload payment data on issuance of checks so the bank can reject any presented items that are not on the authorized list. This service tends to check amount and check number. Payee data may still need to be checked on clearing to make sure the check was not altered/intercepted and replaced with a false payee so unless your bank assures you this payee info is checked as well, be cautious.

Reconciling vendor statements seems to have gone out of style, but this is still a valuable control to detect intercepted payments and routine errors. Ideally, somebody other than the payables clerk will work to reconcile these as the payables clerk could discard or otherwise manipulate vendor records to delay detection.


34 #MHMwebinar

Payment Controls The importance of keeping up with reconciliation of the main operating account

cannot be underestimated. False checks, altered payees, processing errors must be caught quickly for the bank to credit balances back. Again, someone other than the AP person needs to be assigned this duty.

Duplicate payments to vendors in error or to alter a check later to be diverted can be detected via a vendor statement and timely account reconciliation. This, along with the traditional review of checks and accounts payable back up before final approval of payment, continue to be very important to integrity in this process.

Too often organizations are too loose on authorization of a new vendor. Many organizations do not have approval procedures for this, but it remains important. Payments for fictitious vendors requested by those with spending authority is hard to detect if you do not have strong front-end vendor approval controls.


35 #MHMwebinar

Payment Controls Another issue we see in accounts payable is duplicate vendors. While often times needed

(for example a town might have a water department and an electric department that requires remittances to a different address), duplicate vendors should be justified on a cyclical basis.

We have also seen big growth in the use of ACH, wires and paperless invoicing. This places new challenges on the controls over disbursements that need to be considered.

With respect to wires and ACH transactions, most organizations have done a number of things such as requiring a second person to release such a transaction — sometimes the second party with have a perpetually changing password or other devise which avoids the risk of passwords being shared and thus segregation breaking down.

We have also seen that most banks will allow a pre-authorized list of parties that are eligible to receive such payments be cleared and approved in an effort to keep a check on the other end to reduce the risk of collusion of the parties who might be the preparer and releaser of such transaction.

Banks often do not stand behind these transactions in the same way they do with a falsely presented check. If there is theft here, it might have to be recovered via insurance rather than the traditional thinking we have relative to the bank.


36 #MHMwebinar

Payment Controls We have seen clients have their computers hacked where the hacker was able

to access the bank account and disburse funds. Care should be taken to protect against these threats in consult with IT, the bank and others knowledgeable in these matters.

Paperless invoicing presents its own set of hazards, particularly related to duplicate payment and payment alteration. For example, in traditional paper systems, invoices are often cancelled by stamp, hole punch or other means. That is harder to do paperless. Same for approvals. Manual signatures approving payment versus electronic signature make it easier for an invoice to be processed twice. While AP software always checks for duplicate invoice numbers, someone with mal intent has an easier time electronically.

The bottom line is that it is worth a look at these new methods of payment and invoicing to make sure that the traditional systems of controls more common in classical transactions somehow get adopted in a form needed in the evolved environment.


37 #MHMwebinar

Investment Controls We often see a lack of diligence over reconciliation of transfers into and out of

investments. This can take several forms: new money being transferred to investment managers, monies coming out of investment funds to the operating account or monies being transferred between existing investments.

The reason for this lack of diligence in our view is that investments are reported at market value and thus there can be a tendency to directly adjust the books to market value rather than taking the time to verify the transactional integrity of the ins, outs and transfers. Understandable, but a big risk.

Every organization should reconcile their investment accounts as if it was a checking account. Thus, transfers of all debits and credits to the investment account need to be 100% verified as coming into or going out of the investment funds to the GL control account. This makes sure that monies transferred to actually get there, and that funds transferred out actually come to the operating account. This is needed to make sure no errors happen or funds are absconded.


38 #MHMwebinar

Investment Controls An activity more difficult than checking transfers to or from the investment fund is

checking ins and outs between the funds. When a NFP sells a position, it will generally result in a liquidation and a deposit that

ends up in the checking account that the investment manager will use to fund future purchases. Both sides of this transaction should be checked to verify that the reduction of the position reported (say we sold half of something) is equal to the amount deposited into the central checking/money market fund of the investment funds. The same holds true for purchases – did the funds going out equal to new position posted?

Certainly many organizations would argue that a close watch on the overall investment return would catch any big issues here, which does have some merit, but that is much like saying reviewing budget to actual of operating expenses would be your only procedure to detect fraud. It is simply a bit too high level to prove the desired level of precision needed. Also, it would be like not reconciling your checking account because you know what you think the balance should be. Certainly we all know that is considered blasphemy in cash, so let’s hold the same truth with investments.


39 #MHMwebinar

Investment Controls The other area that we continue to see is that organizations tend to over-rely on

third parties with respect to the reliability of data. We just covered the reconciliation control aspect of that, but there is more to

this than just reconciliation. After the Bernie Madoff scandal, organizations are under more pressure than

ever to monitor their investments for existence and valuation. Alternatives are the challenge here as we tend to not have the comfort of a

third-party custodian who is telling us that the position exists, is owned and is linked up to the various markets to properly price the position. Thus, the alternative positions are where the heartburn resides.

While most organizations with any considerable endowment or investment portfolio have smart people on the investment committee and likely engage an investment management expert, this is only part of the due diligence needed.


40 #MHMwebinar

Investment Controls The main other control is to review and access the veracity of the investment

returns. We tend to see little to no documentation on this which means that the work done by the consultant and the good sense of the investment committee are the oversight elements relative to results.

Management should have some stake in this game; a review of actual reported returns to the proper benchmark should be carried out on each alternative investment position. The consultant will do this as part of their service. Importantly, they should document any significant variation from benchmark grounding their comments in how the alternative position would have done better or worse based on the specific investment nuances of the security. This is the area where some consultants fall short and they often can reasonably explain this.


41 #MHMwebinar

Investment Controls Management then can be in a position to evaluate that these considerations

where in fact looked at with due care by people with special expertise. This also allows management to make inquires of the expert after reviewing the

material and that review should be documented. This review does not require that you are an investment expert as much as it

requires that you are a business person taking a reasonable level of ownership of the data by exercising some surgical due diligence to the cause.

Many believe that with increased monitoring, ensuring that a third-party custodian is used when trading securities underlie the fund coupled with the use of a reputable audit firm would have caused the earlier detection (or even passing on the investment itself) of the Madoff Funds.

Perhaps you can be a hero in your organization by having enough diligence internally to avoid this from happening to you.


HEALTH CARE REFORM

43 #MHMwebinar

Health Care Reform

43

44 #MHMwebinar

Levies taxes and fees against health insurers and other groups to fund subsidies and risk management mechanisms

Institutes penalties for failing to purchase health insurance

Individual Mandate

Taxes and Fees

Key ACA provisions effective in

2014

Prohibits health plans from denying coverage or rating applicants based on their health status

Levels the playing field between health plans and mitigates the impact of guaranteed issue and pricing uncertainty in the short term

Institutes penalties for employers who fail to offer affordable comprehensive coverage (2015)

Lowers the cost of coverage for the low and middle income populations in the Individual market

Creates government regulated Individual and Small Group health insurance marketplaces

Risk Management Mechanisms

Employer Mandate

Guaranteed Issue (GI) and Rating

Changes

Tax Credits and Subsidies

Insurance Exchanges

PPACA provisions, effective in 2014, will have a significant impact on the health care market and significantly increase the number of insured individuals.

Source: Congressional Budget Office

Health Care Reform

45 #MHMwebinar

Questions?

46 #MHMwebinar

Recorded Webinar: What's New in Not-for-Profit Accounting and Auditing Standards?

Sign up for our Not-for-Profit Viewpoint e-newsletter

If You Enjoyed This Webinar…

http://www.mhmcpa.com/Resources/Webinars/Not-for-Profit-Accounting-Update.aspx�

http://www.mhmcpa.com/Resources/Webinars/Not-for-Profit-Accounting-Update.aspx�

http://www.mhmcpa.com/Industries/Not-for-Profit/NFP-Viewpoint-Newsletter.aspx�

47 #MHMwebinar

Connect with Mayer Hoffman McCann

linkedin.com/company/ mayer-hoffman-mccann-p.c.

@mhm_pc

youtube.com/ mayerhoffmanmccann

gplus.to/mhmpc

blog.mhmcpa.com

slideshare.net/mhmpc

facebook.com/mhmpc

http://linkedin.com/company/mayer-hoffman-mccann-p.c.�

http://linkedin.com/company/mayer-hoffman-mccann-p.c.�

http://twitter.com/mhm_pc�

http://youtube.com/mayerhoffmanmccann�

http://youtube.com/mayerhoffmanmccann�

http://gplus.to/mhmpc�

http://blog.mhmcpa.com/�

http://slideshare.net/mhmpc�

http://facebook.com/mhmpc�