Higher Education

New Reporting Requirements For Higher Education Institutions

June 24, 2024

The U.S. Department of Education (the Department) has released Financial Responsibility, Administrative Capability, Certification Procedures, and Ability to Benefit Regulations that become effective on July 1, 2024. The goal of the revised financial responsibility portion of the regulations is to assist the Department in ensuring institutions of higher education (institutions) receiving federal student aid remain financially viable. The Department has observed abrupt closures that harm students and taxpayers. Students are less likely to obtain a degree after a school closes, and taxpayers may end up paying for outstanding student loans.

The new regulations include mandatory and discretionary reporting triggers that indicate financial risk. These triggers allow the Department to require institutions to obtain a letter of credit to ensure financial responsibility unless the entity is a public institution.  Public institutions backed by the full faith and credit of a government entity are considered financially responsible even if a triggering event occurs. Public institutions must submit a letter to the Department confirming the backing of a government entity. We recommend institutions that can qualify as public institutions submit the required letter to the Department as soon as possible.

The following are mandatory triggering events that must be reported to the Department:

  • Failing the financial responsibility composite score
  • Failing to satisfy a condition of federal aid participation such as a high cohort default rate, failing the 90/10 revenue requirement, or having a significant portion of aid input into failing gainful employment programs
  • Improperly manipulation of the composite score or otherwise discouraging Department oversight
  • Entering into debt covenants that could cause adverse conditions if the Department adds limitations to the institutions/ federal financial aid
  • Declaring federal exigency or entering into a receivership

Discretionary triggers to be reported to the Department include:

  • Adverse accreditor actions, including orders to show cause or imposing probationary status
  • Significant fluctuations in federal student aid volume
  • Closing programs of locations that enroll a significant number of students
  • Adverse actions by state and federal agencies

The new regulations also require enhanced disclosures of related party transactions. The goal of these new disclosure requirements is to protect students and taxpayers by strengthening the Department’s oversight of higher education institutions. The related party disclosures can also help users of financial statements understand the relationships between a reporting entity and its related parties and draw attention to the potential impact of related party transactions on the institution’s finances.

The related party requirements exceed reporting required under Generally Accepted Accounting Principles. Additional information required to be disclosed by the Department requirements include the name, location, and description of the related party. The transactions disclosed must include the nature and amount of any transactions between the related party and the institution (financial or otherwise) regardless of when they occurred. Furthermore, if there are no related party transactions during the audited fiscal year or related party outstanding balances reported in the financial statements, a footnote to that effect must be added.

The related party disclosures are required for financial statements issued after July 1, 2024, regardless of fiscal year. For example, December 2023 year-end financial statements issued after June 30, 2024, must include the new disclosures. Institutions will need to review systems in place and enhance them as necessary to ensure the necessary information needed to complete the disclosures is available.

The American Institute of Certified Public Accountants (AICPA), has provided the following examples of related party footnotes to comply with the new requirement:

Example 1 – Related Party Transactions Exist

Note Y, Related Party Disclosures Require by the U.S. Department of Education (Unaudited)

The following list of related party transactions is provided solely to comply with the Financial Responsibility, Administrative Capability, Certification Procedures, Ability to Benefit regulations promulgated by the U.S. Department of Education:

[Insert list or table that includes information required by the Department for all related party transactions.]

Example 2- No Related Party Transactions Exist

Note Y, Related Party Disclosures Required by the U.S. Department of Education (Unaudited)

To comply with the Financial Responsibility, Administrative Capability, Certification Procedures, Ability to Benefit regulations promulgated by the U.S. Department of Education, XYZ Entity Reports [Insert statement that there were no related party transactions during the audit period].

If the institution does not differentiate between the portion of the disclosures required by Generally Accepted Accounting Principles and by the Department, they would be covered by the opinion and not shown as unaudited. In situations when the auditor cannot obtain sufficient appropriate audit evidence about related party disclosures, modifications to the auditor’s opinion may be necessary.

Your audit team members will be contacting your personnel to inquire about these new triggers and disclosures to determine their applicability. If you have any questions regarding the new financial responsibility regulations and their impacts to your organization, please reach out to a member of your audit team.

Non-Profit Regulatory Update

CECL: An Important Reminder Regarding FASB ASU 2016-13 and Non-Profits

March 22, 2024

On June 16, 2016, the Financial Accounting Standards (Board) FASB issued ASU 2016-13, Financial Instruments-Credit Losses which is effective for fiscal years beginning after December 15, 2022. This standard introduces the current expected credit loss methodology (CECL) for estimating credit losses and impacts accounting for trade receivables, loan receivables, and debt securities. This blog addresses the changes you should be aware of for trade accounts receivable due within one year, which impacts most organizations.

Before implementation of CECL, organizations could calculate the allowance for doubtful accounts (allowance) based solely on past experience. CECL requires organizations to include forward- looking, or predictive information in calculating the allowance. Reliance on historical percentages is no longer sufficient.

To efficiently adopt CECL complete the following steps:

  1. Determine which receivables are the result of revenue transactions. Pledges and receivables resulting from contributions are scoped out of the standard and no change should be made to the method used to record allowances related to these transactions because of implementing CECL.
  2. Disaggregate receivables and consider whether there are government payors for which no allowance for doubtful accounts should be recorded based on government policies or practices. This could include instances such as when the government pays for required services for those with intellectual disabilities. Document the government payment policies and retain support showing there is no previous bad debt. This support could include details of bad debt accounts by payor for prior years.
  3. Group the remaining receivables into pools with similar risk characteristics (type of transaction, type of member, aging category, and new customers), determine the historical allowance for each pool, and complete the following:
    -Determine that the historical allowance approximates bad debt by comparing actual write offs to the allowance for prior year(s).
    -For each pool, consider any current information and/ or expectations that may increase or decrease the historical allowance, such as increase in pricing or rates, changes in payment polices, changes in the industry that your organization operates in and similar types of considerations.
    -Estimate any necessary increase in the allowance, and retain your calculation as well as supporting documentation.
    -Calculate the current year allowance based on the historical allowance as well as expected increases.

There are also changes to the financial statements required when CECL is adopted. You will also need to show the allowance for credit losses separately on the Statement of Financial Position (Balance Sheet) and remove the word “bad debts” from financial statements footnotes and replace it with “credit losses”.  In addition, you will need to create a roll forward of the allowance for credit losses including current year write offs and recoveries.

CECL should be adopted using the modified retrospective approach, meaning you will record a cumulative – effect adjustment to the Statement of Financial Position (Balance Sheet) as of the beginning of the first reporting period in which the guidance is effective. There is no requirement to retrospectively adopt for the earliest period presented.

Auditors are required to obtain and test supporting documentation for allowance calculations and will be requesting this information during audits. If tou have any questions regarding CECL please contact a member of your audit team.

 

Other News

Important Controls For ACH Payments

January 19, 2023

Lisa A. Ritter, CPA, CFE, CITP
Automated Clearing House (ACH) electronic payments are bank to bank payments made in batches and processed through the ACH network. They are generally used to pay vendors, make employee direct deposits, or receive money from other businesses. All ACH transactions are overseen by the National Automated Clearing House Association (NACHA).

As with all online payment and money transactions, ACH payments are a target of social engineers.  Social engineers manipulate employees into performing actions or divulging confidential information they should not. This is best countered with documented internal controls and training for employees. Employees should be trained at the time of hire and at least annually.  Internal controls for ACH transactions should include:

  • segregation of duties
  • information security
  • a payee verification process and
  • active monitoring

Segregation of duties for ACH payments includes having one person input the payment and having a separate person verify and approve the payment. Segregation between the accounting and approval functions should also be in place.

Restricted access to banking information is an important security measure. Any ACH related forms should not be publicly accessible, and sensitive material shared over emails should be encrypted.  The ability to edit banking information should be limited and have specific protocols in place.   Electronic payment files should be set to read only.  Dollar limits and ACH blocks on selected accounts are also important controls as well as multi-factor authentication.

Staff should always verify any account information given. This could be a video call if the payee or employee would be recognizable or by phone. Contact information should be on file and confirmed if changed. Active monitoring consists of checking the ACH payment remittance receipt, reviewing bank accounts daily, and reviewing payee lists for approved ACH payments.

ACH transactions are generally a safe and inexpensive way to pay vendor invoices and make direct deposits.  NACHA estimates that fewer than 0.03% of ACH transactions are returned as unauthorized. ACH payments were approximately $29 billion in 2021 according to NACHA.  While these transactions are relatively safe, errors can be made, and appropriate care should be taken.

An ACH payment can be reversed under certain circumstances, but NACHA has strict reversal rules.  Reversals must occur within 5 business days of the transaction, and a reversing file should be submitted to your bank within 24 hours of discovering the error.  Furthermore, only certain situations qualify for approval of the reversal.   Reversals can be approved if the payment was for the wrong amount, made to an incorrect payment recipient, or if a duplicate transaction occurred. Partial amount reversals are not permitted. Not all transactions can be reversed.   For example, if a fraudster impersonates an employee and asks for a change in bank routing number that your company inappropriately approves and processes, you may have difficulty recovering the funds.

You should review your bank’s policies regrading ACH transactions and fees. For example, your bank may not waive insufficient funds charges if an ACH to be reversed resulted in a negative balance.

If you have any questions about appropriate controls for ACH transactions, feel free to reach out to us for additional information.

Auditing Standards Board Update

These New Audit Standards May Require Your Attention

April 4, 2022

 

 

 

 

 

 

Partner Lisa Ritter has published an article in the Pennsylvania CPA Journal on SAS (Statements on Auditing Standards) Nos. 134 through 140. These standards are:

  • SAS No. 134 – Auditor Reporting
  • SAS No. 135 – Omnibus SAS
  • SAS No. 136 – Employee Benefit Plan ERISA Audits
  • SAS No. 137 – Other Information
  • SAS No. 138 – Amendements to the Description of the Concept of Materality
  • SAS No. 139 – Amendments to Incorporate Changes from SAS 134
  • SAS No. 140 – Amendments to Incorporate Changes from SAS 134 and 137

For more information you can review the article here: https://www.picpa.org/articles/journal-articles/article/a-a-article/2022/03/18/pa-cpa-journal-these-new-audit-standards-may-require-your-attention 

Information Technology

Cybersecurity Training Resources

March 24, 2022

 

 

 

 

 

 

Research suggests as much as 91% of cyber-attacks are via email directed at employees.  This statistic would suggest that employee training is one of the most effective ways to combat security threats.  Unfortunately, many organizations do not have in-house IT staff or other resources to provide that training.

In some cases, employee training may be available through cyber- security insurance that an organization has already purchased.  For those organizations that find the premiums for cybersecurity insurance are too high, they may find that mandatory security awareness training can reduce premiums along with the use of best practices like multi-factor authentication and data and device encryption.  It might be worthwhile to contact your insurance agent to find out what discounts might be available and to inquire about training.  This is an area that changes quickly so reviewing cybersecurity polices will need to be completed more frequently than traditional types of policies.

Other training options include purchasing solutions from companies such as KnowBe4, NINJIO and Barracuda.  KnowBe4 provides cybersecurity awareness training and simulated phishing attacks. There are also some free tools and resources available on the KnowBe4 website at www.knowbe4.com.  NINJIO provides cybersecurity training and encourages employee competition through quizzes and points awarded.  Barracuda provides an array of services including threat prevention as well as incident response solutions and security awareness training.

The Cybersecurity and Infrastructure Security Agency provides free resources including a ransomware guide with instructions on how to prevent a cyberattack at  CISA MS-ISAC Ransomware Guide. The guide links to a one page document entitled, “ Avoiding Social Engineering and Phishing Attacks”  that is written in plain English and could be provided to employees.  Other resources at this site include a guide on “Using Caution with Email Attachments”, and a Guide on “Good Security Habits”.

The Cyber Readiness Institute offers a free program and starter guide to help small and medium-size organizations prepare for attacks.  The site offers a series of flyers on topics such as “Managing the Relationship with Your Outside Cybersecurity Provider”, and videos on security education and Awareness at  Security Education & Awareness: Preventing Ransomware – Cyber Readiness Institute.

The United States Secret Service publishes several items including a one-page guide to business compromised e-mail accounts and guides on preparing for a cyber incident.   Materials include brochures on email compromise that could be provided to employees at the United States Secret Service.

Given the current risk, cyber security training is extremely important at this time.  Any progress you make in this area will benefit your organization.

Firm News

Passionate About Quality: A Quality Control Update

August 23, 2021

Lisa A. Ritter, CPA, CFE, CITP

 

 

 

 

 

 

 

Lisa A. Ritter, CPA, CFE, CITP
Quality Control Partner

Maher Duessel is in the middle of the annual test of our system of quality control.  We are passionate about providing quality services, and we expend significant resources ensuring that quality.  The elements of our quality control system include the following:

  • Leadership responsibilities including tone at the top
  • Compliance with relevant ethical requirements
  • Compliance with polices for acceptance and continuation of client relationships
  • Human Resources policies
  • Engagement performance including compliance with auditing and accounting standards
  • Monitoring of each element of quality control

I would like to thank a very talented team for assisting with the annual process this year including the following who assisted with the inspection:

  • Jennifer L., CruverKibi, CPA, Partner
  • Amy C. Lewis, CPA, Partner
  • Robert A. Belicose, Jr., CPA, Principal
  • Janet L. Feick, CPA, Senior Manager
  • Michelle L. Hoke, CPA, Senior Manager
  • Jonathan C. Mentzer, CPA, Senior Manager
  • Peggy Jo Revay, CPA, Senior Manager
  • Dustin D. Starr, CPA, Senior Manager
  • Natalie Caponi, CPA, Manager
  • James Contrella, CPA, Manager
  • Kristen E. Moss, CPA, Manager
  • Sara Reed, CPA, Manager
  • Allison R. Bozman, CPA, Manager
  • Patrick J. Kline, CPA, Senior Auditor

Michelle Buskey has taken the lead on this project.  Her contributions are invaluable. Partners Elizabeth (‘Betsy’) E. Krisher, CPA, CGFM, and Brian T. McCall, CPA, CGFM also provided significant support to the process, along with administrative support from Kim Phillips, and I am grateful for all of their assistance.

In addition to the annual testing we complete, every three years we engage an independent accounting firm to review the quality of our work.   We will undergo that process approximately one year from now. The results of external reviews are always located on our website here.