Local. Trusted. Nationwide.
The nation’s leading provider of professional advisory services, CBIZ uniquely offers national resources paired with personal service.
CBIZ is one of the nation's top providers of accounting, tax and advisory services.
CBIZ helps you maximize your enterprise by minimizing risk, attracting the best talent, and promoting employee satisfaction.
Explore and search our insights, or subscribe and join over 60,000 others who receive the latest from our experts at CBIZ.
For much of 2020, internal audit departments have tested controls using attributes to facilitate work-from-home (WFH) arrangements. As the year and internal audit work for many organizations comes to a close, reconciling if the controls adjusted for remote work arrangements will pass external audit scrutiny is top of mind for many CFOs and internal audit professionals.
With all the other conversations CFOs may be having about the many ways that COVID-19 may have affected the organization, internal and external audit considerations may be lower on the priority list. The following are some ways to include the implications for financial statement audits and other compliance areas as part of the larger conversation about COVID-19 impact.
A meeting between accounting and external audit teams is a step to take now to help successfully address potential issues with WFH controls in the external audit. Facilitating a conversation between the two parties helps determine if the changes in controls and alternative testing strategies for testing the control structure in a remote environment during COVID-19 were effective will help resolve issues before they arise and lay the groundwork for remediation dialogue.
Remote testing has created a number of challenges for external auditors’ typical review of internal audit’s work. Three key areas in particular are emerging as challenges, and the following examples exemplify those issues:
Adjustments made to internal audit controls during WFH may have worked well enough in practice, but external auditors may question whether the adjustments made are evidence of protection from financial reporting and fraud risks. Ultimately, WFH audit adjustment may affect external audit’s ability to rely on the work done by the internal audit team.
A secondary factor affecting this conversation between internal accounting teams and external audit teams relates to changes that external auditors have enacted. For public companies, the testing of internal controls continues to be an area where audit failures have been identified through inspection processes of external auditors. The inherent challenges in testing internal controls, combined with the impact of WFH on the internal control processes and methods available to testing internal controls, will continue to make internal controls a key focus of audit firms. This may mean a more thorough approach and expansive scope for the current year, particularly for fourth quarter work. While this seems inconvenient and late in the year, changes to the audit should be on the radar for internal audit teams and finance management teams.
We are seeing great interest between audit committees and the C-suite in holding these conversations around how the 2020 financial statement audits may be different in years past. Early meetings often spark year-end audit discussions around timeframe and obstacles. Even teams that have collaborated together for a long time can disagree on what is sufficient in terms of scope, evidence, and information. Having preliminary meetings can help eliminate issues early and help avoid obstacles that could ultimately delay the issuance of audited financial statements.
For more information about how internal audit teams and CFOs can prepare for conversations with external auditors, please contact Mike Gallagher or a member of our team.
Copyright © 2020, CBIZ, Inc. All rights reserved. Contents of this publication may not be reproduced without the express written consent of CBIZ. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.
CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ).
Not-for-profit boards play a key role in developing an organization’s potential by bringing expertise in a variety of fields, including accounting and risk management. The pandemic was extremely disruptive to not-for-profits, which underscores the importance of providing guidance and understanding the COVID-19 impact. All of these factors are also vital to conceptualizing future operational and endowment investment strategies. Management and board members should continue to work together to overcome any lingering repercussions from the pandemic and position the organization for the next chapter. The following are four elements of COVID-19 recovery initiatives that your board should understand.
Your board should fully understand the current financial position of your organization and the extent of the pandemic’s impact both in the short and long-term. One of the ways that management can help the board visualize the financial repercussions is to rework strategic financial planning and reporting dashboards to provide more clarity to non-technical stakeholders.
If your organization experienced a significant financial impact from the pandemic, keep in mind that traditional accrual-basis financial statements are often misleading during a cash crisis. A 13-week cash flow, monitored on a weekly basis, will provide your board with visibility of the near term survival of your organization. This is usually the gold standard reporting tool for businesses during periods of recovery, and for not-for-profit organizations the playbook should be no different. The concept is a simple diagram of all sources and uses of cash during the upcoming quarter.
Another key impact area to monitor during down times is the organization’s endowments. For example, were endowments heavily affected by the financial market disruption? External economic factors could affect the overall performance of endowments and underlying investments and may even cause some endowments to go underwater or otherwise become unavailable for use. Consider, too if your organization’s cash flows are taking hit, which is leading the organization to spend more from its unrestricted assets than in a typical operating year.
Keep in mind that your organization may not be totally out of the woods yet when it comes to financial repercussions. Significant declines may be coming in federal and state grant support that could affect the use of endowment funds. Many local governments are projected to suffer significant tax revenue shortfalls in 2020, which will likely dampen their ability to continue supporting community organizations. Boards should be working with management now to develop alternate strategies on how or whether programs can be sustained if these funding cuts are realized.
Boards should understand if the not-for-profit took advantage of any pandemic related stimulus measures. One of the most significant programs in response to COVID-19 was the Coronavirus, Aid, Relief, and Economic Security (CARES) Act’s enhancements to the Small Business Administration (SBA) loans. The Paycheck Protection Program (PPP) offered significant, potentially forgivable loans to help organizations maintain their headcount, but the program came with a lot of red tape. If your organization received a PPP loan, the board should consider whether the organization expects the PPP loan to be forgiven. Unforgiven PPP loan balances are due within two years after the loan origination and will accrue interest at a rate of 1%.
Employers that did not take advantage of the PPP could have also taken a payroll tax credit that incentivizes the retention of employees. Not-for-profit organizations should be carefully working with their tax preparer to ensure they are taking full advantage of that credit’s benefits.
One of the big strategy questions to address will be the “lessons learned” from the COVID-19 disaster in terms of continuity planning. Your not-for-profit should discuss with its board whether the pandemic response has so far highlighted needs for additional investments in remote technology or upgrades to employee management practices.
Organizations may have found that they had to create or update business continuity plans, which should be considered in terms of effectiveness as well as whether the same measures will be reliable for future concerns. In being tasked with helping the organization with risk management, boards should be part of those conversations. Board members may be able to share some additional insight about what worked and what didn’t during the pivot from routine operations to remote work and social distancing protocols.
The key to board communication is to keep channels open so that best practices can be shared between the two parties. Recovery from the COVID-19 pandemic will be an ongoing process as will the changes that may be needed to weather future business disruptions. For more information about COVID-19 Recovery, please contact us.
Recent guidance from the Small Business Administration (SBA) clarifies that Paycheck Protection Program (PPP) loan forgiveness applications will not be due by October 31 as early forgiveness application forms had indicated.
Timing of forgiveness applications is critical because the SBA measures the organization’s employee headcount to evaluate forgiveness on the application date. Originally, the loan forgiveness application forms indicated there was an Oct. 31, 2020 expiration date, but in a recent addition to the SBA’s frequently asked questions document, it clarified that borrowers may submit a loan forgiveness application any time before the maturity date of the loan. The PPP loans generally have a two or five year maturity date from origination based on loan structure. Loan payments are still deferred only until 10 months after the last day of the loan forgiveness covered period, however, so applicants are encouraged to apply for forgiveness much earlier than the maturity date. Unforgiven portions of the loans will accrue interest at 1% and may also be subject to tax restrictions.
The Paycheck Protection Program (PPP), which came about as part of the CARES Act, enables organizations to use the SBA’s small business lending program to receive loans of up to $10 million to use toward employee payroll (at least 60%) and other administrative expenses to help prevent organizations from having to furlough or lay off employees.
Simplifying the forgiveness application process is part of ongoing clarification from the SBA. For companies that borrowed $50,000 or less, there are now de minimis exemptions regarding the full-time equivalent (FTE) employee reduction penalty and the employee salary and wages reduction penalty. This should decrease the administrative burden on lenders who must process and submit the applications to the SBA, something that has been a large concern.
The SBA stopped accepting PPP loan applications on Aug. 8, 2020, with almost $134 billion of Congressionally approved funds remaining unspent. Allowing certain small businesses to access those funds is among several PPP proposals being discussed as Congress and the Trump administration continue to discuss another comprehensive COVID-19-related stimulus bill. Since these funds were already approved but unused, it would be easy to redirect them into new PPP loans without requiring Congressional approval.
Other components of the process remain vague as well. For example, it is still unclear to what extent lenders are responsible for verifying loan forgiveness application information or if they should be relying on descriptions of financials to count towards qualification. Organizations seeking loan forgiveness must have their bank or lender that facilitated the loan submit the forgiveness application and supporting documentation through an SBA portal, and then the SBA either accepts or denies the portion of the loan to be forgiven. The banks and lenders have up to 60 days to perform their review before submitting to the SBA. Once the SBA receives the PPP loan forgiveness application package, it has up to 90 days to review and approve PPP loan forgiveness.
Many lenders have not been submitting forgiveness applications even though the SBA portal is open because there are many questions about qualifications and details related to repayment as well as program eligibility and possible extensions in the next round of stimulus.
Another PPP loan issue that has still not been resolved involves taxes. If the loans are forgiven, the forgiven amounts also are not taxable income. However, expenses paid out of PPP loan proceeds are not tax deductible if the loan proceeds are forgiven. Absent Congressional action, expenses paid from forgiven portions of PPP loans are not tax deductible, which could leave PPP loan recipients with a higher tax bill than anticipated for 2020. There needs to be coordination and joint guidance issued from the U.S. Treasury, Internal Revenue Service and the SBA to resolve these open issues.
The SBA offers no guarantee about whether small loan recipients will have an automatic process for forgiveness. Continued support from Congress in the next stimulus bill may include enhanced guidance as well as a more streamlined loan forgiveness application process and possible loosening of guidelines or automatic forgiveness for PPP loans of $150,000 or less.
If you have fully utilized the PPP funds then you may want to submit for forgiveness as soon as possible if you have staffed operations sufficiently. Otherwise, you will be penalized for future staff reductions if layoffs will be an eventuality. There is also the safe harbor date of Dec. 31, 2020 to bring back employees to the necessary FTE levels to avoid penalty.
For more information, please contact a member of our COVID-19 loan and capital assistance team.
Get Cybersecurity Facts & Figures - What Every Business Needs to Know from CBIZ, Inc.
Are you protected from potential network and privacy exposures? Any business that uses technology to collect confidential customer information needs to know the facts – and risks – associated with data breach liability and not having proper Network Security, Privacy and Cyber Protection.
Recent cyber incidents tell us that information breaches are evolving in terms of both scale and variety. Your organization has most likely had to focus on the purpose and goal of preparing your workforce to help protect the company’s assets related to a data breach. Employees are the first line of defense when protecting sensitive information because they are often an entry point for cyber criminals attempting to gather information on a company.
This makes employee training on cybersecurity essential. Training should be a regularly recurring activity, reflect emerging trends in data security attack vectors, and address email phishing schemes. Fortunately, cybersecurity training does not need to be a costly venture. There are a number of strategies, when combined with formal training, that will help employees, and your organization overall, be best prepared for the threats they are encountering daily.
The human element involved in cybersecurity and other information security incidents is crucial to understand. Training should occur quarterly (at a minimum) in regards to policies for handling removable media and email protocols.
Internal training sessions should focus on signs of phishing, malware, and other cyber threats an employee may encounter on a networked device. Protocol should establish what happens if a device has been breached, compromised, lost, or stolen. It is important that training cover all levels of staff who have a device that connects to the network, not just departments that may handle specific information that has shown to be of interest to cyber criminals, such as financial information. Human resources (HR) teams can often be leveraged to help develop polices and gap-analysis related to security monitoring through surveys, web based training, and information gathering.
Coverage should also extend beyond basic email and device protocol. In the modern Internet of Things age, understanding and setting limits with regard to social media and cloud storage will also help limit exposure and make employees aware of sites that could compromise information.
Cybersecurity training challenges require an interdisciplinary approach to help your employees understand what information is at risk. It is not uncommon for HR specialists to help information technology teams evaluate end user risk mitigation, develop targeted role-specific training, and identify end user knowledge gaps with respect to current or updated policies.
Another step to consider would be to undertake a social engineering campaign to help your organization tests its policies in a simulated attack scenario. For example, email phishing tests help prepare users by offering a real case scenario of a phishing attempt. These tests will help you guide employees to recognize attempts to divulge information that will allow visibility to your network. Providing examples of common and trending email phishing schemes help employees recognize potential attacks as well as create data relevant to protocol. In addition, the results of phishing exercises can help your organization make needed adjustments to its response and breach remediation procedures.
Training is just one piece of the puzzle, but often it is the most cost-effective and lays the foundation for changing how employees understand their role in securing the control environment. Additional security measures may require investment or reconfiguration of existing measures when allowing for remote access to your network. Systems that account for a variety of personal devices should be especially cautious of information shared that is not restricted over a virtual private network (VPN) requiring multi-factor authentication to gain access. You know that cybersecurity criminals will seek to take advantage of system vulnerabilities that have been introduced by transitions between office and home workplaces.
Enhancing security can be costly, but the financial impact is often far less than the collateral damage resulting from an actual breach. Reputation damage, legal fees, as well as the necessity to upgrade security after a breach, are very important reasons for proactively addressing security measures on a regular basis. Both physical and electronic data need adequate oversight and being proactive in the approach to managing data risks can help position your organization for the new world of cyber risks.
For more information about cybersecurity, contact Kyle Konopasek or a member of our team.
As technology advances, many businesses are increasing their use of third-party platforms rather than investing in creating technology and building internal systems. Use of third-party data warehousing in particular has become more common as a third-party provider often delivers a more cost-efficient, secure and reliable option for storing information.
The COVID-19 pandemic, as with other types of business disruption, cast a light on protocols and practices involving the use of third party service providers. During disruption events, organizations must evaluate all facets of their operations to identify what has been impacted and what hasn’t. With data management, this becomes complicated given the increasing use of cloud architecture for data storage because data could be hosted in any number of places that may or may not be immediately known to the organization to which that data belongs. Knowing where your data is stored and how it’s managed can help your organization ensure it has adequate protection for its sensitive information and safeguards in place to mitigate the potential financial damage if data were to be compromised.
One of the reasons that security of data is so important to monitor is the growing understanding of the power of personal data. Even casual consumer products like social media applications have been called into question as users and governments ask what is being done with the giant caches of information that a user willingly submits.
Personal data can be catastrophic in the wrong hands. One of the most significant breaches in recent memory was the Equifax hack, in which cyber actors leaked names, addresses, dates of birth, Social Security numbers and credit data on numerous Americans. The breach led to identity theft and the creation of fraudulent financial accounts, among other consequences from the users’ whose data was compromised. The incident also came with steep consequences for Equifax, which was estimated to have spent $1.4 billion improving its information security structure after the incident.
Concerns around what data is being collected, where it’s being stored, and what’s being done with it will make transparency and data governance a more significant issue for organizations moving forward. More laws may be created in effort to bring more regulation to the nebulous concept of data privacy at the state, federal and international levels. For example, the General Data Protection Regulation is a legal framework adopted by the European Union that creates standards for privacy and the collection of data by companies on its citizens. Another example, the California Consumer Privacy Act is aimed at giving consumers more control of information that is collected from vendors.
Another emerging trend for data protection is the use of blockchain technology. Blockchain refers to a cryptographically linked set of data records, commonly called blocks. A distributed set of ledgers often numbering in the thousands monitor these blocks making them resistant to corruption and almost impervious to alteration. Because the information on the chain is coded (generally using an Advanced Encryption Standard (AES) with 128, 192, or 256 bit encryption), personal information is near impossible to crack. Medical practices, financial institutions and government offices are migrating their systems to (or at least starting to run in parallel) blockchain-based systems. It is likely that other sectors will give this technology a closer look because of their security, immutable data records and fast data transfer times.
Disruption and the possibility of further oversight make it critical that your organization look at its data infrastructure holistically and align safety mechanisms based on potential risk of exposure and financial impact. Consider building in contingency plans for if another physical location closure occurs. Often oversight of information security protocol requires a physical presence, and if 2020 has shown us anything, it’s that physical presence in a location may not always be possible.
If using third parties for data storage or transmission, ensure vendors’ protocol aligns with the standards your organization sets. Understand how your vendors’ breach communication works and how soon after an information security incident is detected that your organization is notified. Regardless of where the data is and who is responsible for physical protection, your organization has the ultimate responsibility for its oversight and would need to invest in information security upgrades should an incident occur.
It is a new world for data, and it’s important not to be caught off guard with questions around data security. Understanding the flow of information and how it could be comprised is something all organizations should have a better understanding of as we continually become integrated with various platforms to conduct business.
For more information about data protection, please contact Paul Wolff or a member of our team.
Operating budgets will be monitored with scrutiny for the near future as COVID-19 recovery remains uncertain. For many organizations, this may mean that traditional hiring practices will likely be greatly limited, and one of the functional areas that may be affected by hiring limitations is information security.
In the age of cyber threats and breaches, the importance of the information security function is starting to take root. It’s a sector that’s rapidly growing; the Federal Bureau of Labor Statistics anticipates that between 2019 and 2021, information security jobs will be growing at a rate of 31%, much faster than the average. A jobs report estimated that 3.5 million cybersecurity jobs would be available but unfilled by 2021.
An unfortunate consequence of COVID-19 related cash flows may be that competing for talent within the information security sector may become that much more difficult. Organizations that cannot fill the staff they need for information security protection may consider alternative solutions. Information security efforts can be enhanced through co-sourcing cybersecurity professionals, especially if your organization has a specific plan of action to meet the demand of your board or a specific oversight committee.
As operations leverage remote work capabilities and the technology sector continues to roll out unique virtual solutions to in-person functions, securing data will be an even greater facet of operational oversight. Now is not the time to undercut the importance of security protocol due to the level of risk associated with flexible work environments in terms of exchanging sensitive data, especially financial information.
Malicious actors are betting on companies making mistakes during the remote work migration and seeking to leverage their disingenuous positon based on your uncertainty. The spring saw several COVID-19 phishing fraud schemes seeking to gain personal information by posing as a legitimate agency.
In this elevated risk environment, controls encompassing information security are essential. It is important for your organization to revisit the nature of your security policy regarding data transfer and overall security standards surrounding completing regular business activities outside of the office. Best practices for IT security should be observed including use of a Virtual Private Network (VPN) and a reliable way to share and store information.
Understanding how to articulate your current information security position will also be important. Storage of sensitive information, general access to information systems, and modifications in protocol to adopt remote work practices will be priority concerns for regulatory authorities, stakeholders and clients, and financial statement auditors. Sound protocols can be seen as a means to assure stability as your business confronts to new challenges, such as bringing more of the workforce back into the office following extended remote work periods.
The advantage of having an in-house cybersecurity team is that it tasks a team with specifically reviewing and improving information security protocol and strategy, including data integrity, governance frameworks, security training, and third-party service provider services.
Building the team you need in-house, however, may not be feasible in the current environment given budgetary constraints and the highly competitive market. During the disruption from the pandemic, organizations may have been forced to combine security responsibilities such as rolling the Chief Information Security Officer (CISO) function into a Chief Information Officer (CIO) role or putting more CISO responsibility on a managed service provider to keep up with the demand of IT infrastructure concerns and day-to-day obstacles of hosting remote employees.
Some entities may be seeking to restructure their security teams and provide a more holistic approach by bringing in associates with ancillary backgrounds to fill vital roles. While this approach has its advantages in terms of addressing the skills gap, it might not be the most appropriate operational solution. Existing resources may not have the desired resumes to mitigate key security risk factors or be knowledgeable of the new threats associated with the changes in their environment.
Bringing in an external team to serve as a resource for your information security environment can help ensure key risks are addressed without the expense of hiring and onboarding new associates. These professionals can help bring information teams up to speed that have had their efforts refocused, or have been recently hired to ensure your organization has the appropriate information security framework.
Co-sourcing the cybersecurity function can also provide support for time-intensive reporting projects, such as reviewing and preparing information security controls for the next audit year, responding to security questionnaires from clients, or helping facilitate Systems and Organization Control (SOC) report requests.
For more information about how co-sourcing the information security function may benefit your organization, please contact Ray Gandy.
Mayor De Blasio signed amendments to the New York City’s Earned Safe and Sick Time Act (ESSTA) on September 28, 2020 (see our prior Benefit Beat article). These amendments align the ESSTA with the state’s paid sick leave law.
As a result of the amendments, employers of domestic workers, and employers with 100 or more employees are required to provide a notice of ESSTA rights to their employees by January 1, 2021. The notice must also be posted in the workplace in an area that is visible and accessible to employees.
To satisfy the workplace posting requirement, the New York Department of Consumer Affairs issued an updated “Notice of Employee Rights: Sick and Safe Leave” that can be used by an employer subject to the law. The model notice is currently only available in English but is expected to be available in additional languages in the near future.
Additional information about the City’s earned sick and safe leave law is available on the Department of Consumer Affair’s dedicated webpage.
The information contained in this article is provided as general guidance and may be affected by changes in law or regulation. This article is not intended to replace or substitute for accounting or other professional advice. Please consult a CBIZ professional. This information is provided as-is with no warranties of any kind. CBIZ shall not be liable for any damages whatsoever in connection with its use and assumes no obligation to inform the reader of any changes in laws or other factors that could affect the information contained herein.
The state of Maine enacted a broad paid personal leave law in May, 2019 (see prior Benefit Beat article). The law takes effect January 1, 2021. To implement the provisions of this law, the state’s Department of Labor issued final rules on September 14, 2020. Following are highlights of clarifications made by these rules.
Employers subject to the law. The law applies to any private employer who employs more than 10 employees in the state for more than 120 days in a calendar year. Seasonal businesses are exempt from the requirements of the law. The final rules clarify that if an individual is a covered employee for unemployment insurance purposes, then that individual is included in the 10-employee count, and is covered by the earned paid leave law.
Covered employee. A covered employee is one who is engaged in employment of the employer subject to the law, and includes employees who work full-time, part-time, temporary or per diem basis.
Amount, accrual, carry over and front-load of leave. An employee is entitled to accrue one hour of earned paid leave for every 40 hours worked, up to 40 hours in a defined year. For this purpose, a “year” is defined as a period of 365 consecutive days beginning with the employee’s date of hire, or any subsequent period of 365 consecutive days beginning on either the anniversary date of the employee’s date of hire, or such date as the employer may assign, provided that no loss of earned paid leave results for any employee.
Accrual begins at the start of employment, but employers can apply a 120-day wait period before employees can use accrued earned paid leave.
Employees can use up to 40 hours of earned paid leave in a defined year, and may carry over up to 40 hours of earned paid leave from one defined year to the next. Alternatively, an employer may frontload 40 hours of earned paid leave at the beginning of the year.
An employer is not required to pay out unused earned paid leave upon separation unless that is the employer’s established policy or practice. An employee who returns to work within one-year from separation with the same employer is entitled to any unused earned paid leave that was not paid out at the time of separation of employment.
Use of leave. An eligible employee can use his/her earned paid leave for any reason. Employees may use earned paid leave in increments of at least one hour, unless the employer chooses a smaller increment.
Notice Obligations. The employer can require an employee to provide up to 4 weeks advanced notice of the need to use earned paid leave, unless it is an emergency. The employer may place reasonable limits on the scheduling of earned paid leave to prevent an undue hardship on the employer.
Employer posting requirement. Employers have an existing obligation to display a workplace posting, known as the “Regulation of Employment” poster. The Maine Department of Labor has updated the poster to include the right to earned paid leave law (available here).
Enforcement. The state’s Labor Department is charged with enforcement of this law. Violation of the law could result in monetary penalty assessments of up to $1,000 per violation. Each denial of paid leave for each affected covered employee would constitute a separate violation.
Additional Information. To assist employers in their compliance with the law, the state’s Department of Labor has established a dedicated Earned Paid Leave webpage which provides additional information, the workplace poster and FAQs.
Coordination with employer’s existing PTO policy. An employer’s existing leave policy can satisfy the obligations of this law as long its earned paid time off policy is at least as generous as the law requires. With the fast approaching effective date, employers should review their existing leave policy to make certain they are prepared.
To assist health insurers, third party administrators, plan sponsors and employers in their compliance with the federal mental health parity laws, the Department of Labor’s Employee Benefit Security Administration (EBSA), in coordination with Departments of Health and Human Services and the Treasury, continue to provide tools and guidance.
As background, the Mental Health Parity Act enacted in 1996, as amended by the Paul Wellstone and Pete Domenici Mental Health Parity and Addiction Equity Act in 2008, require that if mental health benefits and substance use disorder benefits are to be provided under a plan, the benefits must be offered in parity with covered medical and surgical services. Notably, these laws do not require plans to offer mental health or substance use disorder services. For this purpose, parity refers to plan benefits including annual and lifetime limitations, as well as financial and treatment limitations relating to both quantitative and non-quantitative services.
In its bi-annual obligation to provide a compliance tool, EBSA released a revised version of the Self-Compliance Tool on October 26, 2020. The Compliance Tool reiterates the requirements of the mental health parity laws, and provides illustrations of parity as well as compliance tips. This advisory, initially released in 2018 (see our prior Benefit Beat article), has been modified as a result of public responses received by EBSA and as a result of its enforcement actions. Of particular note, the revised Tool broadens the following components:
Plan sponsors will want to work with their insurers, or third party administrators as applicable, to ensure compliance with the law, not only because it is the right thing to do but also because compliance with the law continues to be a priority for the Department of Labor, as evidenced in its 2019 Enforcement Action Fact Sheet and Compendium.
The Department of Labor’s Employee Benefit Security Administration (EBSA) enforces compliance with laws governing private sector retirement and welfare benefit plans. The agency recently published its annual Fact Sheet highlighting its enforcement actions accomplished in fiscal year 2020. Notably, EBSA recovered over $3.1 billion in direct payment to plans, participants and beneficiaries, and its criminal investigations led to the indictment of 70 individuals for crimes related to employee benefit plans.
As an example of its enforcement action, EBSA issued a recent press release that serves as a good reminder about proper handling of participant contributions and how essential it is to ensure that participant contributions are used for the exclusive purpose for which they are withheld. EBSA’s investigation revealed that a business owner withheld $32,317 in employee contributions from their paychecks but failed to remit said contributions to the 401(k) plan, and used the monies for his own company’s uses. Further, the owner failed to remit a month’s worth of its employee’s pre-tax health plan contributions ($2,758) to the group health plan. The owner was sentenced to 36 months in prison, 36 months of supervised release, and ordered to pay a $300 assessment and restitution in the amount of $640,638.
Get All video