Dean Dorton – CPAs and Advisors

Financial

Article 10.19.2022 Dean Dorton

Anyone who hasn’t just arrived from the Stone Age recognizes the importance of maintaining a healthy cybersecurity program. Healthy things grow and so our cybersecurity efforts should be adapting to the ever-changing threats that are trying to push our organizations towards extinction.

Doing cybersecurity right isn’t cheap. Most colleges and universities have a dinoburger budget and can’t afford the brontosaurus ribs. How do you get the resources to protect your systems and data? One way is to communicate that some cybersecurity efforts are required and not doing them can result in loss of grant funding.

The Gramm-Leach-Bliley Act (GLBA) has been around for years, but has only had a real impact on colleges and universities for the last 3 to 4 years. Like a cybersecurity program, data security laws need to evolve and adapt to changing threats. The standards for the safeguarding components of GLBA have been updated. Some of the updates revise prior rules while others are brand new.

Old Rule: Designate the employee(s) responsible for coordinating the information security program.
New Rule: A single “qualified individual” (QI) is designated to oversee, implement, and enforce the information security program. The QI may be an employee, affiliate, or service provider.

Old Rule: Perform a risk assessment.
New Rule: Perform a risk assessment and update it periodically.

New Rule: Risk assessment should include criteria for the evaluation and categorization of identified risks. This is the use of a cybersecurity framework (i.e., NIST, ISO, CIS).

New Rule: Risk assessment should include criteria for the assessment of the confidentiality, integrity, and availability of information, including adequacy of existing controls.

New Rule: Risk assessment should include requirements identifying how risks will be mitigated based on the assessment and how the ISP will address risks.

Old Rule: Identify safeguards for each risk identified.
New Rule: Identify safeguards for each risk identified.

New Rule: Safeguards designed should cover: access controls, data inventory, encryption, secure application development, multifactor authentication, secure disposal, change management, and monitoring and logging user activity.

New Rule: Annual penetration testing and vulnerability scanning.*

New Rule: Policies and procedures addressing security awareness training and ensuring information security personnel are qualified and trained.

New Rule: Proper oversight of service providers addressing the selection process, contract wording, and periodic assessment.

New Rule: Have a written incident response plan.*

New Rule: QI to prepare and present a written report to the board of directors, at least annually, on the status of compliance with the information security program.*

There is a new exemption rule for small organizations. If you maintain student financial aid information for fewer than 5,000 students, some new rules are not required. Rules marked with an asterisk (*) are applicable to the exemption rule.

The date for having these controls in place is December 9, 2022. At a minimum, you should be able to demonstrate the new rules are being met before your next Single Audit is performed in 2023.


Kevin W. Cornwell, CPA | IT Audit Associate Director
kcornwell@deandorton.com
502.566.1011


Article 01.10.2017 Dean Dorton

Third party relationships have become more important as companies look to leverage outside expertise. As relationships evolve, management needs to keep a close eye to determine if the third party contractor has become an employee through the eyes of the IRS. The IRS provides guidance through Topic 762 (see below).

As discussed below, criteria exist to evaluate contractor relationships; this area has drawn a lot of attention from the IRS. Companies should use caution in drafting service agreements — how much control a company has will go a long way in supporting the conclusion. The more autonomy a contractor can demonstrate in how he/she works, the stronger the support for the contractor conclusion.

Please let us know if you want to discuss this situation with one of our subject matter experts.

Topic 762: Independent Contractor vs. Employee

For federal employment tax purposes, the usual common law rules are applicable to determine if a worker is an independent contractor or an employee. Under the common law, you must examine the relationship between the worker and the business. You should consider all evidence of the degree of control and independence in this relationship. The facts that provide this evidence fall into three categories: behavioral control, financial control, and the relationship of the parties.

Behavioral control covers facts that show if the business has a right to direct and control what work is accomplished and how the work is done, through instructions, training, or other means.

Financial control covers facts that show if the business has a right to direct or control the financial and business aspects of the worker’s job. This includes:

  • The extent to which the worker has unreimbursed business expenses
  • The extent of the worker’s investment in the facilities or tools used in performing services
  • The extent to which the worker makes his or her services available to the relevant market
  • How the business pays the worker
  • The extent to which the worker can realize a profit or incur a loss

Relationship of the parties covers facts that show the type of relationship the parties had. This includes:

  • Written contracts describing the relationship the parties intended to create
  • Whether the business provides the worker with employee-type benefits, such as insurance, a pension plan, vacation pay, or sick pay
  • The permanency of the relationship
  • The extent to which services performed by the worker are a key aspect of the regular business of the company

Source: https://www.irs.gov/taxtopics/tc762.html

Contact your Dean Dorton advisor or Gina Whitis at gwhitis@deandorton.com to learn more.


Article 09.26.2016 Dean Dorton

By: Crissy Fiscus

ITT Technical Institute is the latest school to close its doors after significant sanctions were placed upon the institution by the Department of Education (ED). ITT received a letter from the Department of Education on August 25, 2016 that outlined the sanctions including:

  • Increasing the line of credit to 40% of Title IV funds received by the institution during its most recently completed fiscal year
  • Changing the method of payment to Heightened Cash Monitoring 2 (HCM2)
  • Notification and communication with the ED within 10 days of specifically identified financial and oversight events
  • Additional reporting requirements that required the school to provide information about operations, finances, and future plans
  • Additional operational requirements, which included that the school could not enroll new students that may receive federal student financial aid funds.

On September 5, 2016, just 11 days later, ITT announced that it would close its doors.

In reading the August 25, 2016 letter from the ED to ITT, I noticed that the very first sentence referenced prior communications from the ED from more than two years ago. In August 2014, ITT was cited by the ED for its late submission of annual compliance audited financial statements. As a result of this financial responsibility failure, ITT was permitted to continue participating in the Title IV program under a Provisional Program Participation Agreement for three award years. The letter went on to say that since August 2014 the ED had been actively monitoring ITT’s ongoing operations and finances.

Then in April 2016, the ED received notice from the Accrediting Council for Independent Colleges and Schools (ACICS) that ACICS had issued a directive to ITT asking the institution to prove why its accreditation should not be withdrawn. According to the ACICS Accreditation Criteria, this type of directive is issued when the Council determines that an institution is not in compliance, and is unlikely to become in compliance with the accreditation criteria. After much communication, including a hearing, another directive was issued by ACICS in August 2016, which continued to question ITT’s compliance with several accreditation standards:

  • Minimum eligibility requirements for compliance with all applicable laws and regulations
  • Requirements for student achievement, as measured by retention, placement, and licensure passage rate
  • Institutional integrity, as manifest in the efficiency and effectiveness of its overall administration of the institution
  • Financial stability, including having adequate revenues and assets to meet its responsibilities
  • Administrative capability, including overall management and record-keeping
  • ACICS admissions and recruitment standards
  • Federal and state student financial aid administration requirements

You will notice that I have bolded/highlighted several words throughout this article. Those words have very important meaning in the world of student financial aid, as they are the most common reasons the ED may place a school on a method of payment known as HCM1 or HCM2 (Heightened Cash Monitoring 1 or 2).

HCM1 requires the schools to make disbursements to students from its own funds, submit disbursement records to the Common Origination and Disbursement System, and then draw down the SFA funds. HCM1 is much less restrictive than HCM2.

HCM2 requires the school to disburse the money to the students and then submit a request for disbursement to the ED. The ED must approve the request before the funds will be disbursed to the school. Once on HCM2, very few schools survive – the cash flow squeeze is simply too much for them to overcome. I recently examined the list of schools which have been placed on HCM1 or HCM2 by the ED – 428 schools are on HCM1 and 65 schools are on HCM2. I also summarized the main reasons that schools were placed on HCM1 and HCM2:

Summary of top reasons schools are on HCM1:

  • Administrative capability – 17
  • Financial responsibility – 309
  • Audit late/missing – 84
  • Program review – severe findings – 1
  • Accreditation problems – 1
  • Other (CIO problems, eligibility) – 13

Summary of top reasons schools are on HCM2:

  • Administrative capability – 11
  • Financial responsibility – 6
  • Audit late/missing – 8
  • Program review – severe findings – 16
  • Accreditation problems – 12
  • Other (CIO problems, eligibility) – 12

Go back and look at those bolded/highlighted words and compare them to the list of the top reasons that schools are placed on HCM1 or HCM2. As you can see, ITT had many of these issues for a period of years – beginning back in 2014, when the late audit captured the attention of the ED.

ITT is clearly not the first school that has closed due to being placed on HCM2 – honestly, very few schools survive that type of cash flow crunch. Compliance with the Department of Education’s requirements is not up to interpretation – it is absolutely required and the rules must be respected by those that wish to continue to award Title IV funds to their students. Understand the rules and create systems to make sure that they are followed. We make it our business to understand these rules and help schools to develop the policies and procedures to stay in compliance.

If your institution is interested in helping the ITT Tech students, the ED posted an electronic announcement with guidance, links, websites, and contact information surrounding the recent ITT closures.

If you would like to discuss further, contact your Dean Dorton advisor or Crissy Fiscus at cfiscus@deandorton.com.


Article 09.16.2016 Dean Dorton

Colleges and universities across the nation are being monitored closely amidst closings of high-profile institutions such as ITT Technical Institute and St. Catharine College, to name a few.

Join us for a webinar in conjunction with Jim Newberry of Steptoe & Johnson, PLLC, as we review some of the key factors that can cause your institution’s operations to be questioned and methods you can implement to create a path toward success. The webinar will cover:

  • The Perils of Heightened Cash Monitoring
  • Administrative Capability Required for FSA Participation
  • Financial Capability Required for FSA Participation
  • Avoiding the Most Frequently Occurring Audit and Program Review Findings

Avoiding Major Student Financial Aid Problems without Learning the Forms
Date: Wednesday, September 28, 2016
Time: Noon – 1:00 p.m. EDT
Cost: Free

About the Presenters

Crissy Fiscus (Dean Dorton Allen Ford, PLLC) provides audit, accounting, and consulting services to higher education institutions throughout Kentucky and leads Dean Dorton’s college and university team. Her client roster includes institutions with up to $1 billion in assets. Her audit experience includes both public and private institutions and affiliated entities. Crissy specializes in Student Financial Aid and her experience includes providing assistance with DOE program review, assistance with designing student financial aid policies and procedures, and performing agreed-upon procedures necessary for Economically Disadvantaged Appeals.

Jim Newberry (Steptoe & Johnson, PLLC) focuses his practice in the areas of higher education, government relations, and regulatory matters and is the leader of the law firm’s higher education practice. He has addressed multiple governance issues for nonprofit boards, drafted fundraising and gift acceptance policies, represented multiple institutions in investigating Title IX complaints, and represented multiple institutions in addressing Clery compliance issues throughout his career.

