For much of 2020, internal audit departments have tested controls using attributes to facilitate work-from-home (WFH) arrangements. As the year and internal audit work for many organizations comes to a close, reconciling if the controls adjusted for remote work arrangements will pass external audit scrutiny is top of mind for many CFOs and internal audit professionals.

With all the other conversations CFOs may be having about the many ways that COVID-19 may have affected the organization, internal and external audit considerations may be lower on the priority list. The following are some ways to include the implications for financial statement audits and other compliance areas as part of the larger conversation about COVID-19 impact.

Set a Preliminary Meeting with the External Audit Team

A meeting between accounting and external audit teams is a step to take now to help successfully address potential issues with WFH controls in the external audit. Facilitating a conversation between the two parties helps determine if the changes in controls and alternative testing strategies for testing the control structure in a remote environment during COVID-19 were effective will help resolve issues before they arise and lay the groundwork for remediation dialogue.

Evaluate Controls for Top Risk Factors

Remote testing has created a number of challenges for external auditors’ typical review of internal audit’s work.  Three key areas in particular are emerging as challenges, and the following examples exemplify those issues:

• Instances where wet signatures (documents physically signed) have been replaced by email sign offs indicating the review is complete
• In-person meetings where robust conversations around “month and quarter end entries and accruals” were had are now occurring over email or video conference
• Overall lack of documentation available for review and auditing

Adjustments made to internal audit controls during WFH may have worked well enough in practice, but external auditors may question whether the adjustments made are evidence of protection from financial reporting and fraud risks. Ultimately, WFH audit adjustment may affect external audit’s ability to rely on the work done by the internal audit team.

Prepare for Some Additional Challenges

A secondary factor affecting this conversation between internal accounting teams and external audit teams relates to changes that external auditors have enacted. For public companies, the testing of internal controls continues to be an area where audit failures have been identified through inspection processes of external auditors. The inherent challenges in testing internal controls, combined with the impact of WFH on the internal control processes and methods available to testing internal controls, will continue to make internal controls a key focus of audit firms. This may mean a more thorough approach and expansive scope for the current year, particularly for fourth quarter work. While this seems inconvenient and late in the year, changes to the audit should be on the radar for internal audit teams and finance management teams.

Plan for the Financial Statement Audit Impact

We are seeing great interest between audit committees and the C-suite in holding these conversations around how the 2020 financial statement audits may be different in years past. Early meetings often spark year-end audit discussions around timeframe and obstacles. Even teams that have collaborated together for a long time can disagree on what is sufficient in terms of scope, evidence, and information. Having preliminary meetings can help eliminate issues early and help avoid obstacles that could ultimately delay the issuance of audited financial statements.

For more information about how internal audit teams and CFOs can prepare for conversations with external auditors, please contact Mike Gallagher or a member of our team.

Copyright © 2020, CBIZ, Inc. All rights reserved. Contents of this publication may not be reproduced without the express written consent of CBIZ. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.

CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ).

Not-for-profit boards play a key role in developing an organization’s potential by bringing expertise in a variety of fields, including accounting and risk management. The pandemic was extremely disruptive to not-for-profits, which underscores the importance of providing guidance and understanding the COVID-19 impact. All of these factors are also vital to conceptualizing future operational and endowment investment strategies. Management and board members should continue to work together to overcome any lingering repercussions from the pandemic and position the organization for the next chapter. The following are four elements of COVID-19 recovery initiatives that your board should understand.

Extent of Financial Damage 

Your board should fully understand the current financial position of your organization and the extent of the pandemic’s impact both in the short and long-term. One of the ways that management can help the board visualize the financial repercussions is  to rework strategic financial planning and reporting dashboards to provide more clarity to non-technical stakeholders.

If your organization experienced a significant financial impact from the pandemic, keep in mind that traditional accrual-basis financial statements are often misleading during a cash crisis. A 13-week cash flow, monitored on a weekly basis, will provide your board with visibility of the near term survival of your organization. This is usually the gold standard reporting tool for businesses during periods of recovery, and for not-for-profit organizations the playbook should be no different. The concept is a simple diagram of all sources and uses of cash during the upcoming quarter.

Expected Impact on Endowments 

Another key impact area to monitor during down times is the organization’s endowments. For example, were endowments heavily affected by the financial market disruption? External economic factors could affect the overall performance of endowments and underlying investments and may even cause some endowments to go underwater or otherwise become unavailable for use. Consider, too if your organization’s cash flows are taking hit, which is leading the organization to spend more from its unrestricted assets than in a typical operating year.

Keep in mind that your organization may not be totally out of the woods yet when it comes to financial repercussions. Significant declines may be coming in federal and state grant support that could affect the use of endowment funds. Many local governments are projected to suffer significant tax revenue shortfalls in 2020, which will likely  dampen their ability to continue supporting  community organizations. Boards should be working with management now to develop alternate strategies on how or whether programs can be sustained if these funding cuts are realized.

COVID-19 Stimulus Opportunities Taken  

Boards should understand if the not-for-profit took advantage of any pandemic related stimulus measures. One of the most significant programs in response to COVID-19 was the Coronavirus, Aid, Relief, and Economic Security (CARES) Act’s enhancements to the Small Business Administration (SBA) loans. The Paycheck Protection Program (PPP) offered significant, potentially forgivable loans to help organizations maintain their headcount, but the program came with a lot of red tape. If your organization received a PPP loan, the board should consider whether the organization expects the PPP loan to be forgiven. Unforgiven PPP loan balances are due within two years after the loan origination and will accrue interest at a rate of 1%.

Employers that did not take advantage of the PPP could have also taken a payroll tax credit that incentivizes the retention of employees. Not-for-profit organizations should be carefully working with their tax preparer to ensure they are taking full advantage of that credit’s benefits.

How Future Disruption Plans Have Changed

One of the big strategy questions to address will be the “lessons learned” from the COVID-19 disaster in terms of continuity planning. Your not-for-profit should discuss with its board whether the pandemic response has so far highlighted needs for additional investments in remote technology or upgrades to employee management practices.

Organizations may have found that they had to create or update business continuity plans, which should be considered in terms of effectiveness as well as whether the same measures will be reliable for future concerns. In being tasked with helping the organization with risk management, boards should be part of those conversations. Board members may be able to share some additional insight about what worked and what didn’t during the pivot from routine operations to remote work and social distancing protocols.

Keep the Conversation Going

The key to board communication is to keep channels open so that best practices can be shared between the two parties. Recovery from the COVID-19 pandemic will be an ongoing process as will the changes that may be needed to weather future business disruptions. For more information about COVID-19 Recovery, please contact us. 

Copyright © 2020, CBIZ, Inc. All rights reserved. Contents of this publication may not be reproduced without the express written consent of CBIZ. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.

CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ).

Recent guidance from the Small Business Administration (SBA) clarifies that Paycheck Protection Program (PPP) loan forgiveness applications will not be due by October 31 as early forgiveness application forms had indicated.

Timing of forgiveness applications is critical because the SBA measures the organization’s employee headcount to evaluate forgiveness on the application date. Originally, the loan forgiveness application forms indicated there was an Oct. 31, 2020 expiration date, but in a recent addition to the SBA’s frequently asked questions document, it clarified that borrowers may submit a loan forgiveness application any time before the maturity date of the loan. The PPP loans generally have a two or five year maturity date from origination based on loan structure. Loan payments are still deferred only until 10 months after the last day of the loan forgiveness covered period, however, so applicants are encouraged to apply for forgiveness much earlier than the maturity date. Unforgiven portions of the loans will accrue interest at 1% and may also be subject to tax restrictions.   

Quick Recap of Where We are with the PPP

The Paycheck Protection Program (PPP), which came about as part of the CARES Act, enables organizations to use the SBA’s small business lending program to receive loans of up to $10 million to use toward employee payroll (at least 60%) and other administrative expenses to help prevent organizations from having to furlough or lay off employees.

Simplifying the forgiveness application process is part of ongoing clarification from the SBA. For companies that borrowed $50,000 or less, there are now de minimis exemptions regarding the full-time equivalent (FTE) employee reduction penalty and the employee salary and wages reduction penalty. This should decrease the administrative burden on lenders who must process and submit the applications to the SBA, something that has been a large concern.

Items to Watch: Forgiveness and Tax Liabilities

The SBA stopped accepting PPP loan applications on Aug. 8, 2020, with almost $134 billion of Congressionally approved funds remaining unspent. Allowing certain small businesses to access those funds is among several PPP proposals being discussed as Congress and the Trump administration continue to discuss another comprehensive COVID-19-related stimulus bill.  Since these funds were already approved but unused, it would be easy to redirect them into new PPP loans without requiring Congressional approval.

Other components of the process remain vague as well. For example, it is still unclear to what extent lenders are responsible for verifying loan forgiveness application information or if they should be relying on descriptions of financials to count towards qualification. Organizations seeking loan forgiveness must have their bank or lender that facilitated the loan submit the forgiveness application and supporting documentation through an SBA portal, and then the SBA either accepts or denies the portion of the loan to be forgiven.  The banks and lenders have up to 60 days to perform their review before submitting to the SBA. Once the SBA receives the PPP loan forgiveness application package, it has up to 90 days to review and approve PPP loan forgiveness.

Many lenders have not been submitting forgiveness applications even though the SBA portal is open because there are many questions about qualifications and details related to repayment as well as program eligibility and possible extensions in the next round of stimulus.

Another PPP loan issue that has still not been resolved involves taxes. If the loans are forgiven, the forgiven amounts also are not taxable income. However, expenses paid out of PPP loan proceeds are not tax deductible if the loan proceeds are forgiven. Absent Congressional action, expenses paid from forgiven portions of PPP loans are not tax deductible, which could leave PPP loan recipients with a higher tax bill than anticipated for 2020. There needs to be coordination and joint guidance issued from the U.S. Treasury, Internal Revenue Service and the SBA to resolve these open issues.

Questions Concerning Thresholds

The SBA offers no guarantee about whether small loan recipients will have an automatic process for forgiveness. Continued support from Congress in the next stimulus bill may include enhanced guidance as well as a more streamlined loan forgiveness application process and possible loosening of guidelines or automatic forgiveness for PPP loans of $150,000 or less.

If you have fully utilized the PPP funds then you may want to submit for forgiveness as soon as possible if you have staffed operations sufficiently. Otherwise, you will be penalized for future staff reductions if layoffs will be an eventuality.  There is also the safe harbor date of Dec. 31, 2020 to bring back employees to the necessary FTE levels to avoid penalty.

For more information, please contact a member of our COVID-19 loan and capital assistance team.

Copyright © 2020, CBIZ, Inc. All rights reserved. Contents of this publication may not be reproduced without the express written consent of CBIZ. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.

CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ).

Get Cybersecurity Facts & Figures - What Every Business Needs to Know from CBIZ, Inc.

Are you protected from potential network and privacy exposures? Any business that uses technology to collect confidential customer information needs to know the facts – and risks – associated with data breach liability and not having proper Network Security, Privacy and Cyber Protection.

Recent cyber incidents tell us that information breaches are evolving in terms of both scale and variety. Your organization has most likely had to focus on the purpose and goal of preparing your workforce to help protect the company’s assets related to a data breach. Employees are the first line of defense when protecting sensitive information because they are often an entry point for cyber criminals attempting to gather information on a company. 

This makes employee training on cybersecurity essential. Training should be a regularly recurring activity, reflect emerging trends in data security attack vectors, and address email phishing schemes.  Fortunately, cybersecurity training does not need to be a costly venture. There are a number of strategies, when combined with formal training, that will help employees, and your organization overall, be best prepared for the threats they are encountering daily.

Internal Training for All Staff

The human element involved in cybersecurity and other information security incidents is crucial to understand. Training should occur quarterly (at a minimum) in regards to policies for handling removable media and email protocols.

Internal training sessions should focus on signs of phishing, malware, and other cyber threats an employee may encounter on a networked device. Protocol should establish what happens if a device has been breached, compromised, lost, or stolen. It is important that training cover all levels of staff who have a device that connects to the network, not just departments that may handle specific information that has shown to be of interest to cyber criminals, such as financial information. Human resources (HR) teams can often be leveraged to help develop polices and gap-analysis related to security monitoring through surveys, web based training, and information gathering.

Coverage should also extend beyond basic email and device protocol. In the modern Internet of Things age, understanding and setting limits with regard to social media and cloud storage will also help limit exposure and make employees aware of sites that could compromise information.

Next Level Awareness 

Cybersecurity training challenges require an interdisciplinary approach to help your employees understand what information is at risk. It is not uncommon for HR specialists to help information technology teams evaluate end user risk mitigation, develop targeted role-specific training, and identify end user knowledge gaps with respect to current or updated policies.

Another step to consider would be to undertake a social engineering campaign to help your organization tests its policies in a simulated attack scenario. For example, email phishing tests help prepare users by offering a real case scenario of a phishing attempt. These tests will help you guide employees to recognize attempts to divulge information that will allow visibility to your network. Providing examples of common and trending email phishing schemes help employees recognize potential attacks as well as create data relevant to protocol. In addition, the results of phishing exercises can help your organization make needed adjustments to its response and breach remediation procedures.

Other Points to Consider

Training is just one piece of the puzzle, but often it is the most cost-effective and lays the foundation for changing how employees understand their role in securing the control environment. Additional security measures may require investment or reconfiguration of existing measures when allowing for remote access to your network. Systems that account for a variety of personal devices should be especially cautious of information shared that is not restricted over a virtual private network (VPN) requiring multi-factor authentication to gain access. You know that cybersecurity criminals will seek to take advantage of system vulnerabilities that have been introduced by transitions between office and home workplaces.

Here to Help

Enhancing security can be costly, but the financial impact is often far less than the collateral damage resulting from an actual breach. Reputation damage, legal fees, as well as the necessity to upgrade security after a breach, are very important reasons for proactively addressing security measures on a regular basis. Both physical and electronic data need adequate oversight and being proactive in the approach to managing data risks can help position your organization for the new world of cyber risks.

For more information about cybersecurity, contact Kyle Konopasek or a member of our team.

Copyright © 2020, CBIZ, Inc. All rights reserved. Contents of this publication may not be reproduced without the express written consent of CBIZ. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.

CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ).

As technology advances, many businesses are increasing their use of third-party platforms rather than investing in creating technology and building internal systems. Use of third-party data warehousing in particular has become more common as a third-party provider often delivers a more cost-efficient, secure and reliable option for storing information.

The COVID-19 pandemic, as with other types of business disruption, cast a light on protocols and practices involving the use of third party service providers. During disruption events, organizations must evaluate all facets of their operations to identify what has been impacted and what hasn’t. With data management, this becomes complicated given the increasing use of cloud architecture for data storage because data could be hosted in any number of places that may or may not be immediately known to the organization to which that data belongs. Knowing where your data is stored and how it’s managed can help your organization ensure it has adequate protection for its sensitive information and safeguards in place to mitigate the potential financial damage if data were to be compromised.

Power of Personal Data

One of the reasons that security of data is so important to monitor is the growing understanding of the power of personal data. Even casual consumer products like social media applications have been called into question as users and governments ask what is being done with the giant caches of information that a user willingly submits.

Personal data can be catastrophic in the wrong hands. One of the most significant breaches in recent memory was the Equifax hack, in which cyber actors leaked names, addresses, dates of birth, Social Security numbers and credit data on numerous Americans. The breach led to identity theft and the creation of fraudulent financial accounts, among other consequences from the users’ whose data was compromised. The incident also came with steep consequences for Equifax, which was estimated to have spent $1.4 billion improving its information security structure after the incident.

Trends in Privacy Laws and Protections

Concerns around what data is being collected, where it’s being stored, and what’s being done with it will make transparency and data governance a more significant issue for organizations moving forward. More laws may be created in effort to bring more regulation to the nebulous concept of data privacy at the state, federal and international levels. For example, the General Data Protection Regulation is a legal framework adopted by the European Union that creates standards for privacy and the collection of data by companies on its citizens. Another example, the California Consumer Privacy Act is aimed at giving consumers more control of information that is collected from vendors.

Blockchain and Emerging Record Keeping Technology

Another emerging trend for data protection is the use of blockchain technology. Blockchain refers to a cryptographically linked set of data records, commonly called blocks. A distributed set of ledgers often numbering in the thousands monitor these blocks making them resistant to corruption and almost impervious to alteration. Because the information on the chain is coded (generally using an Advanced Encryption Standard (AES) with 128, 192, or 256 bit encryption), personal information is near impossible to crack.  Medical practices, financial institutions and government offices are migrating their systems to (or at least starting to run in parallel) blockchain-based systems. It is likely that other sectors will give this technology a closer look because of their security, immutable data records and fast data transfer times.

What Organizations Can Do to Manage Risk

Disruption and the possibility of further oversight make it critical that your organization look at its data infrastructure holistically and align safety mechanisms based on potential risk of exposure and financial impact. Consider building in contingency plans for if another physical location closure occurs. Often oversight of information security protocol requires a physical presence, and if 2020 has shown us anything, it’s that physical presence in a location may not always be possible.

If using third parties for data storage or transmission, ensure vendors’ protocol aligns with the standards your organization sets. Understand how your vendors’ breach communication works and how soon after an information security incident is detected that your organization is notified. Regardless of where the data is and who is responsible for physical protection, your organization has the ultimate responsibility for its oversight and would need to invest in information security upgrades should an incident occur.

Final Thoughts

It is a new world for data, and it’s important not to be caught off guard with questions around data security. Understanding the flow of information and how it could be comprised is something all organizations should have a better understanding of as we continually become integrated with various platforms to conduct business.

For more information about data protection, please contact Paul Wolff or a member of our team. 

Copyright © 2020, CBIZ, Inc. All rights reserved. Contents of this publication may not be reproduced without the express written consent of CBIZ. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.

CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ).

Operating budgets will be monitored with scrutiny for the near future as COVID-19 recovery remains uncertain. For many organizations, this may mean that traditional hiring practices will likely be greatly limited, and one of the functional areas that may be affected by hiring limitations is information security.

In the age of cyber threats and breaches, the importance of the information security function is starting to take root. It’s a sector that’s rapidly growing; the Federal Bureau of Labor Statistics anticipates that between 2019 and 2021, information security jobs will be growing at a rate of 31%, much faster than the average. A jobs report estimated that 3.5 million cybersecurity jobs would be available but unfilled by 2021.

An unfortunate consequence of COVID-19 related cash flows may be that competing for talent within the information security sector may become that much more difficult. Organizations that cannot fill the staff they need for information security protection may consider alternative solutions. Information security efforts can be enhanced through co-sourcing cybersecurity professionals, especially if your organization has a specific plan of action to meet the demand of your board or a specific oversight committee.

Risk Environment

As operations leverage remote work capabilities and the technology sector continues to roll out unique virtual solutions to in-person functions, securing data will be an even greater facet of operational oversight. Now is not the time to undercut the importance of security protocol due to the level of risk associated with flexible work environments in terms of exchanging sensitive data, especially financial information. 

Malicious actors are betting on companies making mistakes during the remote work migration and seeking to leverage their disingenuous positon based on your uncertainty. The spring saw several COVID-19 phishing fraud schemes seeking to gain personal information by posing as a legitimate agency.

The Growing Importance of the Cybersecurity Team

In this elevated risk environment, controls encompassing information security are essential. It is important for your organization to revisit the nature of your security policy regarding data transfer and overall security standards surrounding completing regular business activities outside of the office. Best practices for IT security should be observed including use of a Virtual Private Network (VPN) and a reliable way to share and store information.

Understanding how to articulate your current information security position will also be important. Storage of sensitive information, general access to information systems, and modifications in protocol to adopt remote work practices will be priority concerns for regulatory authorities, stakeholders and clients, and financial statement auditors. Sound protocols can be seen as a means to assure stability as your business confronts to new challenges, such as bringing more of the workforce back into the office following extended remote work periods.

The advantage of having an in-house cybersecurity team is that it tasks a team with specifically reviewing and improving information security protocol and strategy, including data integrity, governance frameworks, security training, and third-party service provider services.

Building the team you need in-house, however, may not be feasible in the current environment given budgetary constraints and the highly competitive market. During the disruption from the pandemic, organizations may have been forced to combine security responsibilities such as rolling the Chief Information Security Officer (CISO) function into a Chief Information Officer (CIO) role or putting more CISO responsibility on a managed service provider to keep up with the demand of IT infrastructure concerns and day-to-day obstacles of hosting remote employees.

Some entities may be seeking to restructure their security teams and provide a more holistic approach by bringing in associates with ancillary backgrounds to fill vital roles. While this approach has its advantages in terms of addressing the skills gap, it might not be the most appropriate operational solution. Existing resources may not have the desired resumes to mitigate key security risk factors or be knowledgeable of the new threats associated with the changes in their environment.

Bringing in an external team to serve as a resource for your information security environment can help ensure key risks are addressed without the expense of hiring and onboarding new associates. These professionals can help bring information teams up to speed that have had their efforts refocused, or have been recently hired to ensure your organization has the appropriate information security framework. 

Co-sourcing the cybersecurity function can also provide support for time-intensive reporting projects, such as reviewing and preparing information security controls for the next audit year, responding to security questionnaires from clients, or helping facilitate Systems and Organization Control (SOC) report requests. 

For More Information

For more information about how co-sourcing the information security function may benefit your organization, please contact Ray Gandy.

Copyright © 2020, CBIZ, Inc. All rights reserved. Contents of this publication may not be reproduced without the express written consent of CBIZ. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.

CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ).